Need Help Please - FBI Ransomware With No Safe Mode Access

redskns21 · April 22, 2013

Hello, I have a user with the lovely FBI Ransomware virus and we get a white screen while trying to access Safe Mode. I had her download Farbar and below are the results of her scan. I would really appreciate some help with getting this back to where I can run Malwarebytes to remove this infection. Thanks in advance for your help.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-04-2013 02

Ran by SYSTEM on 22-04-2013 13:48:02

Running from F:\

Windows 7 Professional (X86) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet001

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-07-29] (Advanced Micro Devices, Inc.)

HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1791272 2012-07-31] (Synaptics Incorporated)

HKLM\...\Run: [acevents] "C:\Program Files\ActivIdentity\ActivClient\acevents.exe" [153640 2009-06-03] (ActivIdentity)

HKLM\...\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe" [400936 2009-06-03] (ActivIdentity)

HKLM\...\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start [354360 2009-07-30] (Hewlett-Packard Development Company, L.P.)

HKLM\...\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule [24848 2009-07-23] (Bioscrypt Inc.)

HKLM\...\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [288312 2009-07-27] ( Hewlett-Packard Development Company, L.P.)

HKLM\...\Run: [WirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)

HKLM\...\Run: [File Sanitizer] C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe [11227136 2009-07-06] (Hewlett-Packard)

HKLM\...\Run: [AT&T Communication Manager] "C:\Apps\AT&T\Communication Manager\ATTCM.exe" -a [883272 2009-10-09] (ATT)

HKLM\...\Run: [LogMeIn GUI] "C:\Apps\LogMeIn\x86\LogMeInSystray.exe" [63048 2008-08-11] (LogMeIn, Inc.)

HKLM\...\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)

HKLM\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [37232 2008-06-12] (Adobe Systems Incorporated)

HKLM\...\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [640376 2008-06-11] (Adobe Systems Inc.)

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)

HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2011-12-08] (Apple Inc.)

HKLM\...\Run: [ToolboxFX] "C:\Program Files\HP\ToolboxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on [58936 2010-10-25] (Hewlett-Packard Company)

HKLM\...\Run: [HP LaserJet Professional M1530 MFP Series Fax] C:\Program Files\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe "HP LaserJet Professional M1530 MFP Series Fax" [2459192 2010-08-24] (Hewlett-Packard Company)

HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray.exe [495708 2012-01-19] (IDT, Inc.)

HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-01-03] (Adobe Systems Incorporated)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)

HKLM\...\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe" [1573576 2012-12-10] (Ask)

HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-03-24] (Hewlett-Packard)

HKLM\...\Run: [] [x]

HKLM\...\Run: [TkBellExe] "c:\program files\real\realplayer\Update\realsched.exe" -osboot [296096 2012-09-27] (RealNetworks, Inc.)

HKLM\...\Run: [sSDMonitor] C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe [105120 2012-08-21] (PC Tools)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254896 2012-09-17] (Sun Microsystems, Inc.)

HKLM\...\runonceex: [ContentMerger] C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\ContentMerger10.exe [19952 2009-06-13] (Sonic Solutions)

Winlogon\Notify\DeviceNP: DeviceNP.dll (Hewlett-Packard Limited)

HKU\Admninistrator\...\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [ 2009-06-17] (Hewlett-Packard Company)

HKU\Admninistrator\...\RunOnce: [avg_spchecker] "C:\Program Files\AVG\AVG9\Notification\SPChecker1.exe" /start [x]

HKU\itmanager\...\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [ 2009-06-17] (Hewlett-Packard Company)

HKU\itmanager\...\RunOnce: [avg_spchecker] "C:\Program Files\AVG\AVG9\Notification\SPChecker1.exe" /start [x]

HKU\mjones\...\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [ 2009-06-17] (Hewlett-Packard Company)

HKU\mjones\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]

HKU\mjones\...\Run: [HP Officejet Pro 8600 (NET)] "C:\Program Files\Hp\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" -deviceID "CN1A31S37R05KC:NW" -scfn "HP Officejet Pro 8600 (NET)" -AutoStart 1 [ 2011-05-25] (Hewlett-Packard Co.)

HKU\mjones\...\Winlogon: [shell] C:\Users\mjones\AppData\Roaming\mcafee.ini,explorer.exe [x]

Lsa: [Notification Packages] scecli ASWLNPkg

Startup: C:ProgramData\Start Menu\Programs\Startup\Bluetooth.lnk

ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (No File)

Startup: C:ProgramData\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe (McAfee, Inc.)

========================== Services (Whitelisted) =================

S2 ac.sharedstore; C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe [207400 2009-06-03] (ActivIdentity)

S2 AgereModemAudio; C:\Program Files\LSI SoftModem\agrsmsvc.exe [14336 2009-07-27] (LSI Corporation)

S2 ASBroker; C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll [192784 2009-07-23] (Bioscrypt Inc.)

S2 ASChannel; C:\Program Files\Hewlett-Packard\IAM\Bin\AsChnl.dll [150288 2009-07-23] (Bioscrypt Inc.)

S2 ATService; C:\Program Files\Fingerprint Sensor\AtService.exe [1201400 2009-07-29] (AuthenTec, Inc.)

S3 ATTRcAppSvc; C:\Apps\AT&T\Communication Manager\RcAppSvc.exe [121416 2009-10-09] (SmithMicro Inc.)

S3 CAATT; C:\Apps\AT&T\Communication Manager\ConAppsSvc.exe [125512 2009-10-09] (SmithMicro Inc.)

S3 FLCDLOCK; C:\Windows\system32\flcdlock.exe [362040 2009-06-29] (Hewlett-Packard Ltd)

S2 HP LaserJet Service; C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe [145920 2010-10-25] (HP)

S3 HP ProtectTools Service; C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [45056 2009-07-30] (Hewlett-Packard Development Company, L.P)

S2 HpFkCryptService; C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [256544 2009-07-29] (McAfee, Inc.)

S2 HPFSService; C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe [77824 2009-07-06] (Hewlett-Packard)

S2 iWinTrusted; C:\Program Files\iWin Games\iWinTrusted.exe [78104 2010-04-14] (iWin Inc.)

S2 LMIGuardianSvc; C:\Apps\LogMeIn\x86\LMIGuardianSvc.exe [374704 2012-11-09] (LogMeIn, Inc.)

S2 LMIMaint; C:\Apps\LogMeIn\x86\RaMaint.exe [137136 2012-11-09] (LogMeIn, Inc.)

S2 LogMeIn; C:\Apps\LogMeIn\x86\LogMeIn.exe [390528 2010-11-08] (LogMeIn, Inc.)

S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)

S2 PCToolsSSDMonitorSvc; C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe [794272 2012-08-21] (PC Tools)

S2 STacSV; C:\Program Files\IDT\WDM\STacSV.exe [254034 2012-01-19] (IDT, Inc.)

==================== Drivers (Whitelisted) ====================

S3 btwampfl; C:\Windows\System32\drivers\btwampfl.sys [294952 2010-08-29] (Broadcom Corporation.)

S3 DAMDrv; C:\Windows\System32\DRIVERS\DAMDrv.sys [32312 2009-06-29] (Hewlett-Packard Development Company L.P.)

S2 LMIInfo; C:\Apps\LogMeIn\x86\RaInfo.sys [12856 2008-08-11] (LogMeIn, Inc.)

S2 LMIRfsDriver; C:\Windows\system32\drivers\LMIRfsDriver.sys [47640 2008-08-11] (LogMeIn, Inc.)

S3 MREMP50; C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [21248 2010-01-28] (Printing Communications Assoc., Inc. (PCAUSA))

S3 MRESP50; C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [20096 2010-01-28] (Printing Communications Assoc., Inc. (PCAUSA))

S3 PCTINDIS5; C:\Windows\system32\PCTINDIS5.SYS [32408 2009-10-09] (Smith Micro Inc.)

S1 RsvLock; C:\Windows\System32\Drivers\RsvLock.sys [12528 2009-07-29] (SafeBoot International)

S0 SafeBoot; C:\Windows\System32\Drivers\SafeBoot.sys [109216 2009-07-29] (SafeBoot International)

S0 SbAlg; C:\Windows\System32\Drivers\SbAlg.sys [51408 2009-07-29] (SafeBoot N.V.)

S0 SbFsLock; C:\Windows\System32\Drivers\SbFsLock.sys [12960 2009-07-29] (SafeBoot International)

S3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1763968 2010-06-03] ()

S3 swmsflt; C:\Windows\System32\drivers\swmsflt.sys [26760 2008-08-22] ()

S3 SWNC8U80; C:\Windows\System32\DRIVERS\swnc8u80.sys [190080 2009-03-31] (Sierra Wireless Inc.)

S3 SWUMX80; C:\Windows\System32\DRIVERS\swumx80.sys [148096 2009-05-04] (Sierra Wireless Inc.)

S3 btwaudio; system32\drivers\btwaudio.sys [x]

S3 btwl2cap; system32\DRIVERS\btwl2cap.sys [x]

S4 LMIRfsClientNP; No ImagePath

S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]

S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-04-22 13:47 - 2013-04-22 13:47 - 00000000 ____D C:\FRST

2013-04-22 11:13 - 2013-04-22 11:13 - 00000000 ____D C:ProgramData\ewplm

2013-04-22 11:09 - 2013-04-22 11:09 - 00155128 ____A (Hilgraeve, Inc.) C:\Users\mjones\Desktop\mala.tmp

2013-04-16 08:42 - 2013-04-16 08:42 - 00230278 ____A C:\Users\mjones\Desktop\Store List 04.12.13 SH.xlsx

2013-04-09 14:03 - 2013-02-21 20:05 - 12324352 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-04-09 14:03 - 2013-02-21 19:47 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-04-09 14:03 - 2013-02-21 19:46 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-04-09 14:03 - 2013-02-21 19:38 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-04-09 14:03 - 2013-02-21 19:38 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-04-09 14:03 - 2013-02-21 19:37 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2013-04-09 14:03 - 2013-02-21 19:36 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-04-09 14:03 - 2013-02-21 19:35 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-04-09 14:03 - 2013-02-21 19:34 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-04-09 14:03 - 2013-02-21 19:34 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2013-04-09 14:03 - 2013-02-21 19:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2013-04-09 14:03 - 2013-02-21 19:33 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-04-09 14:03 - 2013-02-21 19:32 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-04-09 14:03 - 2013-02-21 19:31 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-04-09 14:03 - 2013-02-21 19:31 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-04-09 14:03 - 2013-02-21 19:28 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-04-09 12:01 - 2013-03-18 21:04 - 03968856 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe

2013-04-09 12:01 - 2013-03-18 21:04 - 03913560 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2013-04-09 12:01 - 2013-03-18 20:48 - 00038912 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll

2013-04-09 12:01 - 2013-03-18 18:49 - 00069632 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe

2013-04-09 12:01 - 2013-02-28 19:09 - 02347008 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-04-09 12:01 - 2013-02-14 20:37 - 03217408 ____A (Microsoft Corporation) C:\Windows\System32\mstscax.dll

2013-04-09 12:01 - 2013-02-14 20:34 - 00131584 ____A (Microsoft Corporation) C:\Windows\System32\aaclient.dll

2013-04-09 12:01 - 2013-02-14 19:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\tsgqec.dll

2013-04-09 12:01 - 2013-01-23 20:47 - 00196328 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fvevol.sys

2013-04-09 12:00 - 2013-03-01 21:07 - 01212264 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

2013-03-28 14:26 - 2013-03-28 14:26 - 00009448 ____A C:\Users\mjones\Documents\Notes on University and 52nd Location.xlsx

2013-03-26 09:59 - 2013-02-11 19:32 - 00015872 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys

==================== One Month Modified Files and Folders ========

2013-04-22 13:47 - 2013-04-22 13:47 - 00000000 ____D C:\FRST

2013-04-22 12:09 - 2010-01-08 16:25 - 00029316 ____A C:\Windows\PFRO.log

2013-04-22 12:00 - 2009-12-30 18:28 - 01912325 ____A C:\Windows\WindowsUpdate.log

2013-04-22 12:00 - 2009-07-13 20:34 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-04-22 12:00 - 2009-07-13 20:34 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-04-22 11:56 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-04-22 11:56 - 2009-07-13 20:39 - 00554406 ____A C:\Windows\setupact.log

2013-04-22 11:26 - 2012-11-13 18:00 - 00000274 ____A C:\Windows\Tasks\RMAutoUpdate.job

2013-04-22 11:26 - 2012-11-09 14:16 - 00000000 ____D C:\Program Files\PC Tools Registry Mechanic

2013-04-22 11:26 - 2010-02-01 09:25 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-04-22 11:22 - 2009-12-30 11:26 - 00000187 ____A C:ProgramData\HPWALog.txt

2013-04-22 11:13 - 2013-04-22 11:13 - 00000000 ____D C:ProgramData\ewplm

2013-04-22 11:09 - 2013-04-22 11:09 - 00155128 ____A (Hilgraeve, Inc.) C:\Users\mjones\Desktop\mala.tmp

2013-04-22 11:02 - 2010-02-01 09:25 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-04-22 10:37 - 2012-07-31 08:30 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-04-22 08:27 - 2012-07-31 08:30 - 00691592 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2013-04-22 08:27 - 2011-06-30 14:48 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2013-04-22 08:27 - 2010-01-08 13:51 - 00000000 ____D C:ProgramData\Adobe

2013-04-22 08:23 - 2013-02-15 09:42 - 00000324 ____A C:\Windows\Tasks\HPCeeScheduleFormjones.job

2013-04-22 08:23 - 2010-01-08 16:54 - 00000000 ____D C:ProgramData\LogMeIn

2013-04-19 13:16 - 2012-09-27 13:39 - 00000404 ___AH C:\Windows\Tasks\Norton Security Scan for mjones.job

2013-04-19 11:14 - 2010-02-19 14:11 - 00000052 ____A C:\Windows\System32\DOErrors.log

2013-04-19 11:13 - 2011-11-03 12:39 - 00000000 ____A C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt

2013-04-19 11:05 - 2010-07-07 20:17 - 00000000 ___AD C:ProgramData\TEMP

2013-04-16 08:42 - 2013-04-16 08:42 - 00230278 ____A C:\Users\mjones\Desktop\Store List 04.12.13 SH.xlsx

2013-04-15 12:01 - 2012-10-12 09:49 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared

2013-04-12 15:40 - 2010-04-28 12:05 - 00000000 ____D C:\Users\mjones\Documents\Forms

2013-04-12 13:34 - 2010-04-07 14:49 - 00000000 ____D C:\Users\mjones\Documents\Tier 3

2013-04-11 10:03 - 2011-09-07 09:31 - 00002129 ____A C:\Users\Public\Desktop\Google Chrome.lnk

2013-04-09 15:28 - 2009-07-13 20:33 - 00470432 ____A C:\Windows\System32\FNTCACHE.DAT

2013-04-09 14:04 - 2010-01-08 09:40 - 00000000 ____D C:ProgramData\Microsoft Help

2013-04-09 14:00 - 2010-01-08 09:27 - 70490256 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-03-28 14:26 - 2013-03-28 14:26 - 00009448 ____A C:\Users\mjones\Documents\Notes on University and 52nd Location.xlsx

2013-03-26 15:29 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore

==================== Known DLLs (ALL) =========================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 18%

Total physical RAM: 2812.87 MB

Available physical RAM: 2285.46 MB

Total Pagefile: 2811.14 MB

Available Pagefile: 2292.62 MB

Total Virtual: 2047.88 MB

Available Virtual: 1960.7 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:296.07 GB) (Free:234.88 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

Drive d: (HP_TOOLS) (Fixed) (Total:2 GB) (Free:1.93 GB) FAT32

Drive f: () (Removable) (Total:7.45 GB) (Free:6.86 GB) FAT32

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 298 GB 8 MB

Disk 1 Online 7633 MB 0 B

Partitions of Disk 0:

===============

Disk ID: 95AA95AA

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 296 GB 31 KB

Partition 2 Primary 2055 MB 296 GB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C NTFS Partition 296 GB Healthy

=========================================================

Disk: 0

Partition 2

Type : 0C

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 D HP_TOOLS FAT32 Partition 2055 MB Healthy

=========================================================

Partitions of Disk 1:

===============

Disk ID: 00000000

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 7633 MB 16 KB

==================================================================================

Disk: 1

Partition 1

Type : 0B

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F FAT32 Removable 7633 MB Healthy

=========================================================

============================== MBR & Partition Table ==================

====================================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 95AA95AA)

Partition 1: (Active) - (Size=296 GB) - (Type=07) (NTFS)

Partition 2: (Not Active) - (Size=2 GB) - (Type=0C)

====================================================================

Disk: 1 (Size: 7 GB) (Disk ID: 00000000)

Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)

Last Boot: 2013-04-15 11:55

==================== End Of Log ============================

FRST Scan - Melissa.txt

MrCharlie · April 22, 2013

Looking at it now.....MrC

redskns21 · April 22, 2013

Thank you sir.

MrCharlie · April 22, 2013

This should get you going...

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now.

MrC

redskns21 · April 22, 2013

Thank you MrC. While I was posting this, I had the user download MBAM to a flash drive, boot to command prompt through recovery options and type explorer.exe which then got us a GUI. I had her install the latest version and ran a scan. It said the DB was out of date by 18 days but wouldn't update so we ran the can anyways and it found trojan.fakems and hijack shell gen. I had her reboot normally and it appears to be gone. I've had her do a subsequent update to MBAM and she's running a scan now.

Would you still like for us to run your fix and post the log?

I really appreciate your quick reply, I didn't expect that or I wouldn't have had her try this last ditch effort. I just want to make sure it's completely gone.

MrCharlie · April 22, 2013

No, don't run the fix, but do this after scanning with MB (post the log):

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit<---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

P2P Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Make sure you're subscribed to this topic:

Click on the

Follow This Topic Button

(at the top right of this page), make sure that the

Receive notification

box is checked and that it is set to

Instantly

Removing malware can be unpredictable

...things can go very wrong!

Backup

any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>

Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>

Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

redskns21 · April 22, 2013

Results of the RogueKiller scan. BTW, I have 3 MBAM logs as well, one from the 1st scan that found 2, 1 from another scan after the update which found one and a clean scan. Do you need any of those log files?

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version

Started in : Normal mode

User : mjones [Admin rights]

Mode : Scan -- Date : 04/22/2013 16:59:53

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9320423AS ATA Device +++++

--- User ---

[MBR] c7ece7e29994ea9214c268f804b6b1ed

[bSP] 6cc8b66dcb99ee5a5e444df68528afb2 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 303179 Mo

1 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 620928315 | Size: 2055 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: SanDisk Cruzer Switch USB Device +++++

--- User ---

[MBR] abb3bb1a9b50906ea13e716405c1e297

[bSP] 2f5891d7453139f5a9c7e80997760056 : MBR Code unknown

Partition table:

0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 7632 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1]_S_04222013_02d1659.txt >>

RKreport[1]_S_04222013_02d1659.txt

MrCharlie · April 23, 2013

Yes, please attach any that show malware.

--------------------

Please do this:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

redskns21 · April 23, 2013

Here are the 2 logs, the one with 2 found was the first scan 18 days out of date done from Safe Mode w/ Command Prompt, 2nd was done inside Windows and 1 was found. She's working on your last post as we speak.

Again, we thank you for your help.

mbam-log-2013-04-22 (16-05-40).txt

MBAM-log-2013-04-22 (16-32-53).txt

redskns21 · April 23, 2013

ComboFix 13-04-22.01 - mjones 04/22/2013 17:51:09.1.2 - x86

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2813.1767 [GMT -7:00]

Running from: c:\users\mjones\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39WF5WC5\ComboFix.exe

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\iWin Games\iWinGamesHookIE.dll

c:\users\mjones\AppData\Roaming\.#

c:\users\mjones\Copy of 2010 CARRY FORWARD LV Co-op budget vs actual .xls

c:\users\mjones\g2mdlhlpx.exe

.

((((((((((((((((((((((((( Files Created from 2013-03-23 to 2013-04-23 )))))))))))))))))))))))))))))))

.

2013-04-23 00:59 . 2013-04-23 00:59 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-04-23 00:59 . 2013-04-23 00:59 -------- d-----w- c:\users\itmanager\AppData\Local\temp

2013-04-23 00:59 . 2013-04-23 00:59 -------- d-----w- c:\users\Admninistrator\AppData\Local\temp

2013-04-23 00:53 . 2013-04-23 00:53 60872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{83AB8063-0907-446C-B7FC-972E4844DFFB}\offreg.dll

2013-04-22 23:04 . 2013-04-22 23:04 -------- d-----w- c:\users\mjones\AppData\Roaming\Malwarebytes

2013-04-22 23:03 . 2013-04-22 23:03 -------- d-----w- c:\users\mjones\AppData\Local\Programs

2013-04-22 21:47 . 2013-04-22 21:47 -------- d-----w- C:\FRST

2013-04-22 19:13 . 2013-04-22 19:13 -------- d-----w- c:\programdata\ewplm

2013-04-19 19:06 . 2013-04-10 03:08 6906960 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{83AB8063-0907-446C-B7FC-972E4844DFFB}\mpengine.dll

2013-04-09 20:01 . 2013-03-01 03:09 2347008 ----a-w- c:\windows\system32\win32k.sys

2013-04-09 20:01 . 2013-01-24 04:47 196328 ----a-w- c:\windows\system32\drivers\fvevol.sys

2013-04-09 20:01 . 2013-03-19 05:04 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-04-09 20:01 . 2013-03-19 05:04 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-04-09 20:01 . 2013-03-19 04:48 38912 ----a-w- c:\windows\system32\csrsrv.dll

2013-04-09 20:01 . 2013-03-19 02:49 69632 ----a-w- c:\windows\system32\smss.exe

2013-04-09 20:01 . 2013-02-15 04:37 3217408 ----a-w- c:\windows\system32\mstscax.dll

2013-04-09 20:01 . 2013-02-15 04:34 131584 ----a-w- c:\windows\system32\aaclient.dll

2013-04-09 20:01 . 2013-02-15 03:25 36864 ----a-w- c:\windows\system32\tsgqec.dll

2013-04-09 20:00 . 2013-03-02 05:07 1212264 ----a-w- c:\windows\system32\drivers\ntfs.sys

2013-03-26 17:59 . 2013-02-12 03:32 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-04-22 16:27 . 2012-07-31 16:30 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-04-22 16:27 . 2011-06-30 22:48 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-04-04 21:50 . 2010-01-08 21:34 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-12 08:10 . 2009-12-30 20:31 237088 ------w- c:\windows\system32\MpSigStub.exe

2013-02-12 04:48 . 2013-03-13 16:47 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll

2013-02-12 04:48 . 2013-03-13 16:47 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-12-11 1520840]

.

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-21 39408]

"HP Officejet Pro 8600 (NET)"="c:\program files\Hp\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" [2011-05-26 1801064]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-30 98304]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2012-07-31 1791272]

"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-04 153640]

"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-04 400936]

"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2009-07-30 354360]

"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2009-07-23 24848]

"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-07-27 288312]

"WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]

"File Sanitizer"="c:\program files\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2009-07-06 11227136]

"AT&T Communication Manager"="c:\apps\AT&T\Communication Manager\ATTCM.exe" [2009-10-10 883272]

"LogMeIn GUI"="c:\apps\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]

"ToolboxFX"="c:\program files\HP\ToolboxFX\bin\HPTLBXFX.exe" [2010-10-25 58936]

"HP LaserJet Professional M1530 MFP Series Fax"="c:\program files\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe" [2010-08-24 2459192]

"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2012-01-19 495708]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-12-11 1573576]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-03-24 49208]

"TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2012-09-27 296096]

"SSDMonitor"="c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2012-08-21 105120]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [N/A]

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]

2009-06-30 00:09 75320 ----a-w- c:\windows\System32\DeviceNP.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~1\HEWLET~1\IAM\Bin\APSHook.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]

R3 ATTRcAppSvc;AT&T RcAppSvc;c:\apps\AT&T\Communication Manager\RcAppSvc.exe [x]

R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [x]

R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]

R3 CAATT;AT&T Con App Svc;c:\apps\AT&T\Communication Manager\ConAppsSvc.exe [x]

R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [x]

R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv.sys [x]

R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [x]

R3 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [x]

R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.318\McCHSvc.exe [x]

R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [x]

R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\DRIVERS\swnc8u80.sys [x]

R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\DRIVERS\swumx80.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

S0 SafeBoot;SafeBoot; [x]

S0 SbAlg;SbAlg; [x]

S0 SbFsLock;SbFsLock; [x]

S1 RsvLock;RsvLock; [x]

S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [x]

S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [x]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]

S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe [x]

S2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe [x]

S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [x]

S2 HP LaserJet Service;HP LaserJet Service;c:\program files\HP\HPLaserJetService\HPLaserJetService.exe [x]

S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]

S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [x]

S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [x]

S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [x]

S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]

S2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [x]

S2 LMIGuardianSvc;LMIGuardianSvc;c:\apps\LogMeIn\x86\LMIGuardianSvc.exe [x]

S2 LMIInfo;LogMeIn Kernel Information Provider;c:\apps\LogMeIn\x86\RaInfo.sys [x]

S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [x]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [x]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc

Cognizance REG_MULTI_SZ ASBroker

Bioscrypt REG_MULTI_SZ ASChannel

GPSvcGroup REG_MULTI_SZ GPSvc

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService

FontCache

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-06-17 20:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-04-11 18:03 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-04-23 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-31 16:27]

.

2013-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 17:25]

.

2013-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 17:25]

.

2013-04-22 c:\windows\Tasks\HPCeeScheduleFormjones.job

- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]

.

2010-03-24 c:\windows\Tasks\Install_NSS.job

- c:\windows\System32\Adobe\Shockwave 11\nssstub.exe [2010-03-23 02:41]

.

2013-04-19 c:\windows\Tasks\Norton Security Scan for mjones.job

- c:\progra~1\NORTON~2\Engine\372~1.5\Nss.exe [2012-09-27 10:30]

.

2013-04-23 c:\windows\Tasks\RMAutoUpdate.job

- c:\program files\PC Tools Registry Mechanic\SULauncher.exe [2012-11-27 19:53]

.

2013-02-22 c:\windows\Tasks\RMSchedule.job

- c:\program files\PC Tools Registry Mechanic\RegMech.exe [2012-11-27 19:53]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?fr=fp-ygamesbar&type=yahoo_oberon_ygames_ytb

mStart Page = hxxp://www.yahoo.com/?fr=fp-ygamesbar&type=yahoo_oberon_ygames_ytb

uInternet Settings,ProxyOverride = *.local

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-LSI Soft Modem - c:\windows\agrsmdel

AddRemove-RealPlayer 15.0 - c:\program files\real\realplayer\Update\r1puninst.exe

AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(1320)

c:\program files\Hewlett-Packard\IAM\Bin\ItClient.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\IDT\WDM\STacSV.exe

c:\windows\system32\atieclxx.exe

c:\windows\system32\WLANExt.exe

c:\windows\system32\conhost.exe

c:\program files\LSI SoftModem\agrsmsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\apps\LogMeIn\x86\RaMaint.exe

c:\apps\LogMeIn\x86\LogMeIn.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Microsoft\BingBar\SeaPort.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\servicing\TrustedInstaller.exe

c:\windows\system32\taskhost.exe

c:\program files\Hewlett-Packard\IAM\Bin\AsGHost.exe

c:\windows\system32\conhost.exe

c:\windows\system32\sppsvc.exe

c:\\?\c:\windows\system32\wbem\WMIADAP.EXE

c:\program files\Windows Media Player\wmpnetwk.exe

.

**************************************************************************

.

Completion time: 2013-04-22 18:06:47 - machine was rebooted

ComboFix-quarantined-files.txt 2013-04-23 01:06

.

Pre-Run: 251,693,662,208 bytes free

Post-Run: 254,921,289,728 bytes free

.

- - End Of File - - 4FB3E4832A146C60932B7FBE30A8D0A1

MrCharlie · April 23, 2013

That looks OK...lets check for any rootkits:

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Here's a video that explains how to run it if needed:

Please download the latest version of TDSSKiller from here and save it to your Desktop.

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
Put a checkmark beside loaded modules.
A reboot will be needed to apply the changes. Do it.
TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
Then click on Change parameters in TDSSKiller.
Check all boxes then click OK.
Click the Start Scan button.
The scan should take no longer than 2 minutes.
If a suspicious object is detected, the default action will be Skip, click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
If in doubt about an entry....please ask or choose Skip
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

New window that comes up.

MrC

redskns21 · April 23, 2013

Here is the TDSSKiller Log.

TDSSKiller.2.8.16.0_22.04.2013_18.35.40_log.txt

MrCharlie · April 23, 2013

Looks OK....no rootkits.

Lets check for any adware while you're here.....

Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.
AdwCleaner is a tool that deletes :
· Adwares (software ads)
· PUP/LPI (Potentially Undesirable Program)
· Toolbars
· Hijacker (Hijack of the browser's homepage)
It works with a Search and Deletion methode. It can be easily uninstalled using the "Uninstall" mode.

Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
Now click on the Search tab.
Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.

Note:

Please look over what was found......especially any folders, we're going to permanently delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain to why it shouldn't be on your system.

If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

Please note that Antivir Webguard uses ASK Toolbar as part of its web security. If you remove ASK by using Adwcleaner, Antivir Webguard will no longer work properly. Therefore, if you use this program please use the instructions below to access the options screen where you should enable /DisableAskDetections before using AdwCleaner.
You can click on the question mark (?) in the upper left corner of the program and then click on Options. You will then be presented with a dialog where you can disable various detections. These options are described below:
/DisableAskDetection - This option disables Ask Toolbar detection.

MrC

redskns21 · April 23, 2013

# AdwCleaner v2.202 - Logfile created 04/22/2013 at 19:08:13

# Updated 23/04/2013 by Xplode

# Operating system : Windows 7 Professional Service Pack 1 (32 bits)

# User : mjones - WINDOWS-7

# Boot Mode : Normal

# Running from : C:\Users\mjones\Desktop\MJones Back Up\Downloads\adwcleaner (1).exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

Folder Found : C:\Program Files\Ask.com

Folder Found : C:\Program Files\Conduit

Folder Found : C:\ProgramData\Ask

Folder Found : C:\ProgramData\Trymedia

Folder Found : C:\Users\mjones\AppData\Local\APN

Folder Found : C:\Users\mjones\AppData\LocalLow\AskToolbar

Folder Found : C:\Users\mjones\AppData\LocalLow\Conduit

Folder Found : C:\Users\mjones\AppData\LocalLow\iWin

Folder Found : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

***** [Registry] *****

Key Found : HKCU\Software\APN

Key Found : HKCU\Software\AppDataLow\Software\AskToolbar

Key Found : HKCU\Software\AppDataLow\Software\Conduit

Key Found : HKCU\Software\AppDataLow\Software\iWin

Key Found : HKCU\Software\AppDataLow\Toolbar

Key Found : HKCU\Software\Ask.com

Key Found : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}

Key Found : HKLM\Software\APN

Key Found : HKLM\Software\AskToolbar

Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}

Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL

Key Found : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{CB613033-4A78-4D07-B435-0603C9C26F94}

Key Found : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF

Key Found : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF

Key Found : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

Key Found : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

Key Found : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

Key Found : HKLM\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}

Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT1678857

Key Found : HKLM\Software\Conduit

Key Found : HKLM\Software\iWin

Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Scheduled Update for Ask Toolbar

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CB613033-4A78-4D07-B435-0603C9C26F94}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0CFE535C35F99574E8340BFA75BF92C2

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\120DFADEB50841F408F04D2A278F9509

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B5BAE2ED018083A4C8DA86D6E3F4B024

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]

Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{CE0C2586-DA36-452B-ACDB-320D9BCB19BF}]

Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16476

[OK] Registry is clean.

-\\ Google Chrome v26.0.1410.64

File : C:\Users\mjones\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [7642 octets] - [22/04/2013 19:08:13]

########## EOF - C:\AdwCleaner[R1].txt - [7702 octets] ##########

MrCharlie · April 23, 2013

Lots of adware found....lets clear it out.....

Please re-run AdwCleaner
Click on Delete button.
Confirm each time with OK if asked.
Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

Then......

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please Post the contents of that document.
Do Not Attach It!!!

MrC

redskns21 · April 23, 2013

# AdwCleaner v2.202 - Logfile created 04/22/2013 at 19:14:20