
Infected w/ FBI/MoneyPak Ransom Trojan - No Safe Mode



I seem to have a particularly difficult version of the Moneypak trojan that locks up the PC with a white overlay screen claiming to be from the FBI or DOJ and demanding payment to unlock the computer.

  • I am also unable to run Windows in Safe mode. I get a brief blue screen of death, followed by a reboot, followed by the ransom screen again.
  • Logging into Windows as a different user delays the ransom screen by a few minutes, but it quickly returns.
  • I have tried USB boots and scans using Windows Defender and Anvisoft. Both identified and deleted various malware, but the ransom lockup screen still returns upon normal boot.
  • The infected machine is a desktop PC running Windows XP SP3.
  • This data is being sent from a separate "clean" notebook.

I downloaded OTLPE and burned a boot CD. Results are below. Any help or advice would be much appreciated.

OTL logfile created on: 4/28/2013 8:48:13 PM - Run

OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE

Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free

3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free

Paging file location(s): J:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 931.50 Gb Total Space | 869.77 Gb Free Space | 93.37% Space Free | Partition Type: NTFS

Drive D: | 931.51 Gb Total Space | 726.01 Gb Free Space | 77.94% Space Free | Partition Type: NTFS

Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

Using ControlSet: ControlSet002

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- -- (LiveUpdate Notice Ex)

SRV - [2012/09/20 14:28:48 | 030,785,672 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)

SRV - [2012/08/23 12:37:16 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto] -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe -- (IntuitUpdateServiceV4)

SRV - [2012/07/13 14:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)

SRV - [2012/06/15 22:24:19 | 000,138,272 | R--- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Norton 360\Engine\6.4.1.14\ccSvcHst.exe -- (N360)

SRV - [2012/05/24 22:29:20 | 002,152,720 | ---- | M] (Lavasoft Limited) [Auto] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)

SRV - [2011/05/25 15:14:34 | 000,053,248 | ---- | M] (NOS Microsystems Ltd.) [On_Demand] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus®

SRV - [2011/05/21 06:01:00 | 002,214,504 | ---- | M] (NVIDIA Corporation) [Auto] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)

SRV - [2010/08/23 20:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)

SRV - [2010/07/28 14:39:22 | 001,156,440 | ---- | M] (LeapFrog Enterprises, Inc.) [Auto] -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe -- (LeapFrog Connect Device Service)

SRV - [2009/03/03 14:53:08 | 000,033,176 | ---- | M] (NOS Microsystems Ltd.) [On_Demand] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper) getPlus®

SRV - [2008/12/12 19:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) [Auto] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)

SRV - [2008/12/11 15:14:26 | 004,318,560 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Norton Ghost\Agent\VProSvc.exe -- (Norton Ghost)

SRV - [2008/11/13 15:43:49 | 000,204,800 | ---- | M] () [Auto] -- C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe -- (LinksysUpdater)

SRV - [2008/08/07 17:31:32 | 001,558,000 | ---- | M] (Symantec) [On_Demand] -- C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe -- (SymSnapService)

SRV - [2008/05/07 14:14:36 | 000,212,992 | ---- | M] (IDT, Inc.) [Auto] -- C:\Program Files\IDT\IntelXPV_v83\WDM\stacsv.exe -- (STacSV)

SRV - [2008/01/29 18:38:31 | 000,583,048 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -- (LiveUpdate Notice Service)

SRV - [2007/09/12 19:27:24 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)

SRV - [2007/09/12 19:27:24 | 000,554,352 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)

SRV - [2006/03/09 16:30:34 | 000,630,905 | ---- | M] (Diskeeper® Corporation) [Auto] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)

SRV - [2004/03/18 16:55:48 | 000,065,536 | ---- | M] (HP) [On_Demand] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)

SRV - [2004/03/01 03:40:52 | 000,077,824 | R--- | M] (Hewlett-Packard Company) [On_Demand] -- C:\WINDOWS\system32\hpbpro.exe -- (HP Port Resolver)

SRV - [2004/03/01 03:40:52 | 000,073,728 | R--- | M] (Hewlett-Packard Company) [On_Demand] -- C:\WINDOWS\system32\hpboid.exe -- (HP Status Server)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)

DRV - File not found [Kernel | On_Demand] -- -- (swmsflt)

DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)

DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)

DRV - File not found [Kernel | On_Demand] -- -- (PCTINDIS5)

DRV - File not found [Kernel | System] -- -- (PCIDump)

DRV - File not found [Kernel | System] -- -- (NCPro)

DRV - File not found [Kernel | On_Demand] -- -- (MagicTune)

DRV - File not found [Kernel | System] -- -- (lbrtfdc)

DRV - File not found [Kernel | System] -- -- (i2omgmt)

DRV - File not found [Kernel | System] -- -- (Changer)

DRV - [2013/04/23 04:42:57 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)

DRV - [2013/04/12 19:53:06 | 001,000,024 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\BASHDefs\20130412.001\BHDrvx86.sys -- (BHDrvx86)

DRV - [2013/03/04 02:47:00 | 001,603,824 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\VirusDefs\20130421.007\NAVEX15.SYS -- (NAVEX15)

DRV - [2013/03/04 02:47:00 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)

DRV - [2013/03/04 02:47:00 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)

DRV - [2013/03/04 02:47:00 | 000,093,296 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\VirusDefs\20130421.007\NAVENG.SYS -- (NAVENG)

DRV - [2013/03/01 19:27:26 | 000,373,728 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\IPSDefs\20130419.001\IDSXpx86.sys -- (IDSxpx86)

DRV - [2012/07/05 22:17:57 | 000,574,112 | ---- | M] (Symantec Corporation) [File_System | On_Demand] -- C:\WINDOWS\System32\Drivers\N360\0604010.00E\SRTSP.SYS -- (SRTSP)

DRV - [2012/07/05 22:17:57 | 000,032,928 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\N360\0604010.00E\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)

DRV - [2012/06/07 00:43:43 | 000,132,768 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\N360\0604010.00E\ccSetx86.sys -- (ccSet_N360)

DRV - [2012/05/21 21:37:12 | 000,924,320 | ---- | M] (Symantec Corporation) [File_System | Boot] -- C:\WINDOWS\system32\drivers\N360\0604010.00E\symefa.sys -- (SymEFA)

DRV - [2012/04/20 18:20:10 | 000,141,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)

DRV - [2011/11/16 23:38:00 | 000,388,216 | R--- | M] (Symantec Corporation) [Kernel | System] -- C:\WINDOWS\System32\Drivers\N360\0604010.00E\SYMTDI.SYS -- (SYMTDI)

DRV - [2011/11/16 23:17:48 | 000,149,624 | R--- | M] (Symantec Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\N360\0604010.00E\Ironx86.SYS -- (SymIRON)

DRV - [2011/11/03 13:06:56 | 000,064,512 | ---- | M] (Lavasoft AB) [File_System | Boot] -- C:\WINDOWS\system32\drivers\Lbd.sys -- (Lbd)

DRV - [2011/11/03 13:06:56 | 000,015,232 | ---- | M] () [Kernel | On_Demand] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)

DRV - [2011/08/16 02:51:40 | 000,340,088 | R--- | M] (Symantec Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\N360\0604010.00E\symds.sys -- (SymDS)

DRV - [2010/09/07 14:26:52 | 000,028,160 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\PcaSp50.sys -- (PcaSp50)

DRV - [2009/08/23 21:00:00 | 000,274,624 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\V0610Vid.sys -- (V0610Vid)

DRV - [2009/08/21 11:33:14 | 000,143,936 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\CtClsFlt.sys -- (CtClsFlt)

DRV - [2009/03/24 05:53:50 | 000,160,256 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\V0610Afx.sys -- (V0610Afx)

DRV - [2008/12/12 19:05:20 | 000,025,264 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\purendis.sys -- (purendis)

DRV - [2008/12/12 19:05:18 | 000,023,984 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\pnarp.sys -- (pnarp)

DRV - [2008/08/13 17:07:20 | 000,038,112 | ---- | M] (Symantec Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\v2imount.sys -- (v2imount)

DRV - [2008/08/07 17:31:38 | 000,138,080 | ---- | M] (StorageCraft) [File_System | Boot] -- C:\WINDOWS\system32\drivers\symsnap.sys -- (symsnap)

DRV - [2008/05/07 14:16:22 | 001,271,032 | ---- | M] (IDT, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)

DRV - [2008/04/14 08:00:00 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbintel.sys -- (DCamUSBIntel)

DRV - [2008/01/19 20:12:42 | 000,128,104 | ---- | M] (Microsoft Corporation) [File_System | On_Demand] -- C:\WINDOWS\system32\drivers\WimFltr.sys -- (WimFltr)

DRV - [2008/01/19 19:40:16 | 000,015,088 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\vproeventmonitor.sys -- (VProEventMonitor)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Bob_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

IE - HKU\Bob_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\Bob_ON_C\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKU\Bob_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Bob_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

IE - HKU\Kristen_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/

IE - HKU\Kristen_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

IE - HKU\Kristen_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E8 8E 6F 57 11 43 CB 01 [binary data]

IE - HKU\Kristen_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Michael_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Michelle_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\Michelle_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/

IE - HKU\Michelle_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

IE - HKU\Michelle_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 29 D7 40 91 BF 2B CC 01 [binary data]

IE - HKU\Michelle_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\UpdatusUser_ON_C\..\URLSearchHook: Disable Script Debug - Reg Error: Key error. File not found

IE - HKU\UpdatusUser_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Content Upload Plugin,version=1.0.0: C:\Program Files\DivX\DivX Content Uploader\npUpload.dll (DivX,Inc.)

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)

FF - HKLM\Software\MozillaPlugins\@ei.MapsGalaxy_39.com/Plugin: C:\Program Files\MapsGalaxy_39EI\Installr\1.bin\NP39EISb.dll (MapsGalaxy)

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\Program Files\Microsoft Office\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: J:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\IPSFFPlgn\ [2012/04/20 18:23:02 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: J:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\coFFPlgn\ [2013/04/23 22:23:25 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2011/02/06 19:05:01 | 000,429,788 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts:

O1 - Hosts: 192.168.1.2 HP000E7FD4E88F

O1 - Hosts: 127.0.0.1 www.007guard.com

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 008i.com

O1 - Hosts: 127.0.0.1 www.008k.com

O1 - Hosts: 127.0.0.1 008k.com

O1 - Hosts: 127.0.0.1 www.00hq.com

O1 - Hosts: 127.0.0.1 00hq.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 www.032439.com

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 www.0scan.com

O1 - Hosts: 127.0.0.1 0scan.com

O1 - Hosts: 127.0.0.1 1000gratisproben.com

O1 - Hosts: 127.0.0.1 www.1000gratisproben.com

O1 - Hosts: 127.0.0.1 1001namen.com

O1 - Hosts: 127.0.0.1 www.1001namen.com

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 www.100888290cs.com

O1 - Hosts: 127.0.0.1 www.100sexlinks.com

O1 - Hosts: 127.0.0.1 100sexlinks.com

O1 - Hosts: 127.0.0.1 10sek.com

O1 - Hosts: 127.0.0.1 www.10sek.com

O1 - Hosts: 14797 more lines...

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\6.4.1.14\coieplg.dll (Symantec Corporation)

O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\6.4.1.14\ips\ipsbho.dll (Symantec Corporation)

O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)

O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\6.4.1.14\coieplg.dll (Symantec Corporation)

O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

O3 - HKU\Bob_ON_C\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\6.4.1.14\coieplg.dll (Symantec Corporation)

O3 - HKU\Kristen_ON_C\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\6.4.1.14\coieplg.dll (Symantec Corporation)

O3 - HKU\Michael_ON_C\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\6.4.1.14\coieplg.dll (Symantec Corporation)

O3 - HKU\Michelle_ON_C\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\6.4.1.14\coieplg.dll (Symantec Corporation)

O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)

O4 - HKLM..\Run: [bCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)

O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)

O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)

O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper® Corporation)

O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe (HP)

O4 - HKLM..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe (Hewlett-Packard)

O4 - HKLM..\Run: [isrml] C:\Documents and Settings\Bob\Application Data\isrml.dll (Axacalto)

O4 - HKLM..\Run: [Live! Central 2] C:\Program Files\Creative\Creative Live! Cam\Live! Central 2\CTLVCentral2.exe (Creative Technology Ltd)

O4 - HKLM..\Run: [Monitor] C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe (LeapFrog Enterprises, Inc.)

O4 - HKLM..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)

O4 - HKLM..\Run: [Norton Ghost 14.0] C:\Program Files\Norton Ghost\Agent\VProTray.exe (Symantec Corporation)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()

O4 - HKLM..\Run: [rkbcob] C:\Documents and Settings\Bob\Application Data\rkbcob.dll (Interactive, Inc.)

O4 - HKLM..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (Hewlett-Packard)

O4 - HKLM..\Run: [soundDrivers] C:\Documents and Settings\All Users\Application Data\f34rfcdsfwe.exe (Hilgraeve, Inc.)

O4 - HKLM..\Run: [symantec PIF AlertEng] C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)

O4 - HKLM..\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)

O4 - HKLM..\Run: [V0610Mon.exe] C:\WINDOWS\V0610Mon.exe (Creative Technology Ltd.)

O4 - HKLM..\Run: [zzzHPSETUP] File not found

O4 - HKU\Bob_ON_C..\Run: [Akamai NetSession Interface] C:\Documents and Settings\Bob\Local Settings\Application Data\Akamai\netsession_win.exe (Akamai Technologies, Inc.)

O4 - HKU\Bob_ON_C..\Run: [gStart] C:\Garmin\gStart.exe (GARMIN Corp.)

O4 - HKU\Bob_ON_C..\Run: [NortonUtilities] C:\Program Files\Norton Utilities 14\nu.exe (Symantec Corporation)

O4 - HKU\Bob_ON_C..\Run: [sansaDispatch] C:\Documents and Settings\Bob\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk = C:\Program Files\SEC\Natural Color Pro\NCProTray.exe (Samsung)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\ present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoShellSearchButton = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = [binary data]

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoTrayContextMenu = [binary data]

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetTaskBar = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoChangeStartMenu = [binary data]

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = [binary data]

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MaxRecentDocs = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MaxRecentDocs = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MaxRecentDocs = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetIcon = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewContextMenu = [binary data]

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWinKey = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFavoritesMenu = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = -1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = -1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanle = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\P present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: 몭몭몭몭몭 = Reg Error: Value error. File not found

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: 몭몭몭몭몭 = Reg Error: Value error. File not found

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: 몭몭몭몭몭 = Reg Error: Value error. File not found

O7 - HKU\Bob_ON_C\Software\Policies\Microsoft\Internet Explorer\ present

O7 - HKU\Bob_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\Kristen_ON_C\Software\Policies\Microsoft\Internet Explorer\\ present

O7 - HKU\Kristen_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\\ present

O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\Michael_ON_C\Software\Policies\Microsoft\Internet Explorer\H present

O7 - HKU\Michael_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\Michelle_ON_C\Software\Policies\Microsoft\Internet Explorer\\ present

O7 - HKU\Michelle_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\\ present

O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\systemprofile_ON_C\Software\Policies\Microsoft\Internet Explorer\H present

O7 - HKU\UpdatusUser_ON_C\Software\Policies\Microsoft\Internet Explorer\H present

O7 - HKU\UpdatusUser_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)

O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1362367763146 (MUWebControl Class)

O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} http://212.42.54.136...activex/AMC.cab (AxisMediaControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://images3.pnime...veX_Control.cab (Photo Upload Plugin Class)

O16 - DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} http://www.ritzpix.c...PUploader57.cab (Image Uploader Control)

O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)

O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} http://77.105.97.97:...activex/AMC.cab (AxisMediaControlEmb Class)

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} http://www.cvsphoto....veX_Control.cab (Photo Upload Plugin Class)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)

O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKU\Bob_ON_C Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKU\Bob_ON_C Winlogon: Shell - (J:\Documents and Settings\Bob\Application Data\skype.dat) - File not found

O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]

O33 - MountPoints2\{1bb1cc14-2f45-11e0-92bb-001cc0a0be8b}\Shell\AutoRun\command - "" = O:\InstallSeagateManager.exe

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2013/04/23 22:02:50 | 000,000,000 | ---D | C] -- C:\$Anvi Rescue Disk$

[2013/04/23 20:59:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kristen\My Documents\My Albums

[2013/04/23 15:54:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\Microsoft Antimalware

[2013/04/23 04:47:53 | 000,000,000 | R--D | C] -- C:\Documents and Settings\NetworkService\Favorites

[2013/04/23 04:46:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Sun

[2013/04/23 04:42:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Malwarebytes

[2013/04/23 04:42:16 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Michael\PrivacIE

[2013/04/23 04:42:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Local Settings\Application Data\Google

[2013/04/23 04:42:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Google

[2013/04/23 04:41:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Local Settings\Application Data\IsolatedStorage

[2013/04/23 04:41:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Local Settings\Application Data\HP

[2013/04/23 04:41:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Local Settings\Application Data\ApplicationHistory

[2013/04/23 04:41:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Apple Computer

[2013/04/23 04:41:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Share-to-Web Upload Folder

[2013/04/23 04:40:47 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Michael\IETldCache

[2013/04/23 04:40:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Identities

[2013/04/23 04:39:50 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Michael\My Documents\My Pictures

[2013/04/23 04:39:50 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Michael\My Documents\My Music

[2013/04/23 04:39:33 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Michael\Application Data\Microsoft

[2013/04/23 04:39:33 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Michael\Application Data

[2013/04/23 04:39:33 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Michael\Favorites

[2013/04/23 04:39:33 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Michael\Cookies

[2013/04/23 04:39:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Macromedia

[2013/04/23 04:39:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Desktop

[2013/04/23 04:39:32 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Michael\SendTo

[2013/04/23 04:39:32 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Michael\Recent

[2013/04/23 04:39:32 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Michael\Start Menu\Programs\Startup

[2013/04/23 04:39:32 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Michael\Start Menu

[2013/04/23 04:39:32 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Michael\My Documents

[2013/04/23 04:39:32 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Michael\Start Menu\Programs\Accessories

[2013/04/23 04:39:32 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Michael\Templates

[2013/04/23 04:39:32 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Michael\PrintHood

[2013/04/23 04:39:32 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Michael\NetHood

[2013/04/23 04:39:32 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Michael\Local Settings

[2013/04/23 04:39:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft Help

[2013/04/23 04:39:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft

[2013/04/23 03:57:37 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2013/04/23 03:57:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michelle\Application Data\Malwarebytes

[2013/04/23 03:57:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware

[2013/04/23 03:56:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2013/04/23 03:56:54 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2013/04/23 03:56:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2013/04/23 03:56:18 | 010,285,040 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Michelle\Desktop\mbam-setup-1.75.0.1300.exe

[2013/04/23 03:40:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2013/04/23 03:40:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2013/04/23 03:39:14 | 000,093,696 | ---- | C] (Hilgraeve, Inc.) -- C:\Documents and Settings\All Users\Application Data\f34rfcdsfwe.exe

[2013/04/23 03:36:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\2C533BF2BA1AC45700002C530FA4C976

[2013/04/23 03:35:53 | 000,458,752 | ---- | C] (Axacalto) -- C:\Documents and Settings\Bob\Application Data\isrml.dll

[2013/04/23 03:35:48 | 000,696,320 | ---- | C] (Interactive, Inc.) -- C:\Documents and Settings\Bob\Application Data\rkbcob.dll

[2013/04/14 22:55:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\TurboTax 2012

[2013/04/10 17:04:56 | 000,061,440 | ---- | C] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\WINDOWS\System32\ASIW32N50.dll

[2013/04/10 17:04:56 | 000,041,280 | ---- | C] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\WINDOWS\System32\drivers\PCASp50a64.sys

[2013/04/10 17:04:56 | 000,028,160 | ---- | C] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\WINDOWS\System32\drivers\PcaSp50.sys

[2013/04/10 17:04:56 | 000,016,302 | ---- | C] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\WINDOWS\System32\ASINDIS5.sys

[2013/04/10 17:04:55 | 000,000,000 | ---D | C] -- C:\Program Files\ASUS

[2013/04/10 17:04:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ASUS Utility

[2013/04/08 09:59:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bob\My Documents\Golf Car

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/04/23 23:23:04 | 000,006,491 | ---- | M] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\659d9545-abe8-11e2-8274-b8ac6f996f26.crx

[2013/04/23 23:22:34 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2013/04/23 23:22:31 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2013/04/23 22:31:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2013/04/23 22:23:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2013/04/23 20:54:43 | 000,006,491 | ---- | M] () -- C:\Documents and Settings\Kristen\Local Settings\Application Data\659d9545-abe8-11e2-8274-b8ac6f996f26.crx

[2013/04/23 04:52:40 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2013/04/23 04:42:57 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2013/04/23 04:41:50 | 000,000,130 | ---- | M] () -- C:\Documents and Settings\Michael\Local Settings\Application Data\fusioncache.dat

[2013/04/23 04:40:45 | 000,000,835 | ---- | M] () -- C:\Documents and Settings\Michael\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

[2013/04/23 04:40:40 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Michael\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

[2013/04/23 04:22:56 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Bob\Application Data\skype.ini

[2013/04/23 04:21:18 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

[2013/04/23 04:03:19 | 002,250,054 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.bmp

[2013/04/23 04:03:04 | 000,302,806 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.jpg

[2013/04/23 03:57:02 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

[2013/04/23 03:57:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware

[2013/04/23 03:56:25 | 010,285,040 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Michelle\Desktop\mbam-setup-1.75.0.1300.exe

[2013/04/23 03:39:09 | 000,093,696 | ---- | M] (Hilgraeve, Inc.) -- C:\Documents and Settings\All Users\Application Data\f34rfcdsfwe.exe

[2013/04/23 03:35:53 | 000,458,752 | ---- | M] (Axacalto) -- C:\Documents and Settings\Bob\Application Data\isrml.dll

[2013/04/23 03:35:48 | 000,696,320 | ---- | M] (Interactive, Inc.) -- C:\Documents and Settings\Bob\Application Data\rkbcob.dll

[2013/04/22 10:14:00 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job

[2013/04/21 22:29:59 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat

[2013/04/21 22:29:59 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat

[2013/04/21 12:19:06 | 000,004,096 | -HS- | M] () -- C:\VSNAP.IDX

[2013/04/20 17:52:11 | 000,471,576 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2013/04/19 22:41:25 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2013/04/14 23:33:49 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2012.lnk

[2013/04/14 22:57:29 | 000,000,744 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc

[2013/04/14 22:55:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\TurboTax 2012

[2013/04/14 16:11:09 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2011.lnk

[2013/04/11 10:27:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2013/04/10 17:04:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\ASUS Utility

[2013/04/04 14:50:32 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/04/23 21:24:59 | 000,006,491 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\659d9545-abe8-11e2-8274-b8ac6f996f26.crx

[2013/04/23 20:47:37 | 000,006,491 | ---- | C] () -- C:\Documents and Settings\Kristen\Local Settings\Application Data\659d9545-abe8-11e2-8274-b8ac6f996f26.crx

[2013/04/23 04:41:50 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Michael\Local Settings\Application Data\fusioncache.dat

[2013/04/23 04:40:45 | 000,000,835 | ---- | C] () -- C:\Documents and Settings\Michael\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

[2013/04/23 04:40:45 | 000,000,823 | ---- | C] () -- C:\Documents and Settings\Michael\Start Menu\Programs\Internet Explorer.lnk

[2013/04/23 04:40:40 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Michael\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

[2013/04/23 04:40:27 | 000,000,758 | ---- | C] () -- C:\Documents and Settings\Michael\Start Menu\Programs\Outlook Express.lnk

[2013/04/23 04:39:33 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\Michael\Start Menu\Programs\Remote Assistance.lnk

[2013/04/23 04:39:33 | 000,000,808 | ---- | C] () -- C:\Documents and Settings\Michael\Start Menu\Programs\Windows Media Player.lnk

[2013/04/23 04:03:19 | 002,250,054 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.bmp

[2013/04/23 04:03:03 | 000,302,806 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.jpg

[2013/04/23 03:57:02 | 000,000,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

[2013/04/23 03:40:00 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Bob\Application Data\skype.ini

[2013/04/14 22:55:53 | 000,002,447 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2012.lnk

[2013/04/10 17:04:56 | 000,015,577 | ---- | C] () -- C:\WINDOWS\System32\ASINDIS3.vxd

[2012/04/20 18:20:38 | 000,418,470 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat

[2012/04/20 18:20:38 | 000,418,470 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-57989841-1078081533-682003330-1003-0.dat

[2012/04/17 01:51:13 | 000,000,744 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc

[2012/03/13 22:18:16 | 000,273,344 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin

[2012/03/13 22:18:16 | 000,273,344 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin

[2012/03/13 22:18:16 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin

[2012/02/22 02:38:26 | 005,210,112 | ---- | C] () -- C:\Documents and Settings\Kristen\s-1-5-21-57989841-1078081533-682003330-1005.rrr

[2012/02/22 02:38:26 | 000,962,560 | ---- | C] () -- C:\Documents and Settings\Michelle\s-1-5-21-57989841-1078081533-682003330-1004.rrr

[2012/02/22 02:38:21 | 010,989,568 | ---- | C] () -- C:\Documents and Settings\Bob\s-1-5-21-57989841-1078081533-682003330-1003.rrr

[2012/02/22 02:38:21 | 000,385,024 | ---- | C] () -- C:\Documents and Settings\NetworkService\s-1-5-20.rrr

[2012/02/22 02:38:21 | 000,253,952 | ---- | C] () -- C:\Documents and Settings\LocalService\s-1-5-19.rrr

[2012/02/22 00:11:28 | 000,016,432 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe

[2012/02/21 21:39:52 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll

[2011/06/15 20:52:08 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\Michelle\Local Settings\Application Data\fusioncache.dat

[2011/05/21 06:01:00 | 002,123,582 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data

[2011/05/21 00:07:19 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2011/05/07 20:14:22 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat

[2011/05/07 20:14:22 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat

[2011/01/19 21:31:59 | 000,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI

[2011/01/19 21:31:32 | 000,000,050 | ---- | C] () -- C:\WINDOWS\System32\bridf09a.dat

[2011/01/19 21:31:27 | 000,000,086 | ---- | C] () -- C:\WINDOWS\Brfaxrx.ini

[2011/01/04 17:47:12 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini

[2010/12/30 00:24:20 | 000,000,065 | ---- | C] () -- C:\WINDOWS\System32\BD8860DN.DAT

[2010/10/15 11:03:07 | 000,072,080 | ---- | C] () -- C:\Documents and Settings\Bob\g2mdlhlpx.exe

[2010/08/23 18:19:48 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Kristen\Local Settings\Application Data\fusioncache.dat

[2010/08/03 03:32:01 | 000,003,072 | ---- | C] () -- C:\Documents and Settings\Bob\Cache.db

[2010/08/03 00:40:46 | 000,013,824 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/06/07 12:04:40 | 000,000,167 | ---- | C] () -- C:\Documents and Settings\Bob\udownload.dat

[2010/06/06 10:20:02 | 000,065,344 | ---- | C] () -- C:\WINDOWS\System32\PDFreDirectMonNT.dll

[2010/02/14 17:59:11 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat

[2010/02/05 00:20:52 | 000,102,344 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat

[2010/01/06 23:37:48 | 000,001,255 | ---- | C] () -- C:\WINDOWS\checkip.dat

[2009/08/14 14:43:04 | 000,000,269 | ---- | C] () -- C:\WINDOWS\PrnPrint.ini

[2009/06/01 03:11:21 | 000,000,765 | ---- | C] () -- C:\WINDOWS\efscan.ini

[2009/06/01 03:11:21 | 000,000,021 | ---- | C] () -- C:\WINDOWS\efaxview.ini

[2009/03/29 19:15:32 | 000,215,144 | R--- | C] () -- C:\WINDOWS\patchw32.dll

[2009/03/29 19:13:46 | 000,215,144 | R--- | C] () -- C:\WINDOWS\pw32a.dll

[2009/03/29 18:44:42 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\fusioncache.dat

[2009/03/29 18:10:12 | 000,000,148 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini

[2009/03/29 18:10:11 | 000,003,567 | R--- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

[2009/03/29 18:09:43 | 000,000,650 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini

[2009/03/29 18:04:03 | 000,094,260 | ---- | C] () -- C:\WINDOWS\HPHins03.dat

[2009/03/29 18:04:03 | 000,002,655 | ---- | C] () -- C:\WINDOWS\hphmdl03.dat

[2009/03/17 02:00:32 | 000,002,907 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate

[2009/03/17 01:45:02 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\PRTSERV.dll

[2009/03/17 01:10:41 | 000,000,056 | ---- | C] () -- C:\WINDOWS\Addrfixr.ini

[2009/03/17 01:10:41 | 000,000,035 | ---- | C] () -- C:\WINDOWS\iltwain.ini

[2009/03/17 01:10:40 | 000,009,391 | ---- | C] () -- C:\WINDOWS\System32\dymourl.ini

[2009/03/17 01:07:38 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\DYMOCFG.DLL

[2009/03/17 00:04:07 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI

[2009/03/14 23:37:26 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\FASTWiz.html

[2009/03/14 16:07:51 | 000,000,435 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI

[2009/03/14 16:07:23 | 000,000,844 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini

[2009/03/14 16:07:23 | 000,000,094 | ---- | C] () -- C:\WINDOWS\brpcfx.ini

[2009/03/14 16:07:09 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\BRTCPCON.DLL

[2009/03/14 16:07:08 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\BRLMW03A.INI

[2009/03/14 16:06:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brdfxspd.dat

[2009/03/14 16:06:53 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll

[2009/03/14 16:02:57 | 000,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini

[2009/03/14 11:37:51 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2009/03/14 11:33:59 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2009/03/14 08:51:09 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2009/03/14 08:50:09 | 000,471,576 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2008/07/27 01:18:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll

[2008/04/14 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

[2008/04/14 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

[2008/04/14 08:00:00 | 000,484,464 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2008/04/14 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2008/04/14 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

[2008/04/14 08:00:00 | 000,080,734 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2008/04/14 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

[2008/04/14 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2008/04/14 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

[2008/04/14 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

[2008/04/14 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin

[2008/04/14 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

[2007/02/23 21:05:20 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll

[2007/02/23 20:59:36 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll

[2005/10/14 17:09:48 | 000,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys

[2004/06/07 00:32:52 | 000,009,505 | ---- | C] () -- C:\WINDOWS\System32\hphmon06.dat

[2002/03/04 10:16:34 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll

[2001/08/07 18:59:54 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HPNVRRes.dll

[2001/01/24 09:31:18 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\prntfix.exe

[2000/04/14 16:50:02 | 000,343,040 | ---- | C] () -- C:\WINDOWS\System32\Lffpx7.dll

[1998/06/11 14:08:06 | 000,095,232 | ---- | C] () -- C:\WINDOWS\System32\Lfkodak.dll

========== LOP Check ==========

[2013/03/29 02:10:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1

[2013/04/23 03:45:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\2C533BF2BA1AC45700002C530FA4C976

[2011/01/19 21:47:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AT&T

[2011/10/12 00:31:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avery

[2011/08/10 22:12:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GARMIN

[2010/09/27 17:59:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Leapfrog

[2010/01/07 00:55:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Linksys

[2009/03/17 01:57:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSettings

[2011/06/28 22:31:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PDF reDirect

[2009/03/14 16:02:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft

[2013/04/23 23:23:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2009/03/17 21:29:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

[2010/01/07 00:50:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{35ACA973-70F0-495F-9092-74A130711865}

[2010/04/10 20:53:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

[2009/09/11 12:23:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

[2009/04/10 11:39:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

[2013/04/23 04:21:18 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 177 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D287FACF

< End of report >


OK, basically what we want to do is copy the text that's in BOLD into the Custom Scans/Fixes box of OTLPE:

Here's how to do that:

Copy the text in BOLD into notepad and save it:

:OTL

O4 - HKLM..\Run: [rkbcob] C:\Documents and Settings\Bob\Application Data\rkbcob.dll (Interactive, Inc.)

O4 - HKLM..\Run: [isrml] C:\Documents and Settings\Bob\Application Data\isrml.dll (Axacalto)

O4 - HKLM..\Run: [soundDrivers] C:\Documents and Settings\All Users\Application Data\f34rfcdsfwe.exe (Hilgraeve, Inc.)

O4 - HKLM..\Run: [zzzHPSETUP] File not found

O20 - HKU\Bob_ON_C Winlogon: Shell - (J:\Documents and Settings\Bob\Application Data\skype.dat) - File not found

[2013/04/23 03:39:14 | 000,093,696 | ---- | C] (Hilgraeve, Inc.) -- C:\Documents and Settings\All Users\Application Data\f34rfcdsfwe.exe

[2013/04/23 03:36:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\2C533BF2BA1AC45700002C530FA4C976

[2013/04/23 03:35:53 | 000,458,752 | ---- | C] (Axacalto) -- C:\Documents and Settings\Bob\Application Data\isrml.dll

[2013/04/23 03:35:48 | 000,696,320 | ---- | C] (Interactive, Inc.) -- C:\Documents and Settings\Bob\Application Data\rkbcob.dll

[2013/04/23 23:23:04 | 000,006,491 | ---- | M] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\659d9545-abe8-11e2-8274-b8ac6f996f26.crx

[2013/04/23 20:54:43 | 000,006,491 | ---- | M] () -- C:\Documents and Settings\Kristen\Local Settings\Application Data\659d9545-abe8-11e2-8274-b8ac6f996f26.crx

[2013/04/23 04:22:56 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Bob\Application Data\skype.ini

Copy it to your flash drive

Boot the computer up using the OTLPE disk

Run OTLPE

Plug in the flash drive

Drag the notepad text to the desktop

Open it up and copy and paste the text into Custom Scans/Fixes

Then click the Run Fix button at the top

Copy and paste the log back here.

See if the computer boots up normally now.......MrC
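The reasoning behind that fix, as an added Python triage script (example code written for this page, not part of the thread and not OTL's own tooling): it parses the three OTL line shapes the fix is built from (O4 Run values, O20 Winlogon Shell values, timestamped file-creation entries), flags Run values that load from user-writable profile folders or point at missing files, a Winlogon Shell that is no longer explorer.exe, and files created within a few minutes of a flagged loader, then renders the hits in the same :OTL block shape. The sample lines are copied from the log above plus one constructed benign Run entry (ExampleApp); the folder markers, the 5-minute window and the function names are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the OTLPE log posted above, plus one benign
# Run entry ("ExampleApp", made up here) so the rules have a negative case to leave alone.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [rkbcob] C:\Documents and Settings\Bob\Application Data\rkbcob.dll (Interactive, Inc.)
O4 - HKLM..\Run: [isrml] C:\Documents and Settings\Bob\Application Data\isrml.dll (Axacalto)
O4 - HKLM..\Run: [soundDrivers] C:\Documents and Settings\All Users\Application Data\f34rfcdsfwe.exe (Hilgraeve, Inc.)
O4 - HKLM..\Run: [zzzHPSETUP] File not found
O4 - HKLM..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe (Example Vendor)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\Bob_ON_C Winlogon: Shell - (J:\Documents and Settings\Bob\Application Data\skype.dat) - File not found
[2013/04/23 03:57:37 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/04/23 03:39:14 | 000,093,696 | ---- | C] (Hilgraeve, Inc.) -- C:\Documents and Settings\All Users\Application Data\f34rfcdsfwe.exe
[2013/04/23 03:36:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\2C533BF2BA1AC45700002C530FA4C976
[2013/04/23 03:35:53 | 000,458,752 | ---- | C] (Axacalto) -- C:\Documents and Settings\Bob\Application Data\isrml.dll
[2013/04/23 03:35:48 | 000,696,320 | ---- | C] (Interactive, Inc.) -- C:\Documents and Settings\Bob\Application Data\rkbcob.dll
"""

# The three OTL line shapes the fix above is built from.
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.+)$")
SHELL_RE = re.compile(r"^O20 - (?P<hive>.+?) Winlogon: Shell - \((?P<target>.+?)\)(?: - (?P<status>.+))?$")
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| "
    r"(?P<kind>[CM])\](?: \((?P<company>.*?)\))? -- (?P<path>.+)$"
)

# Profile folders any user can write to; legitimate Run values rarely live here (assumption).
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


def split_company(rest):
    """Split 'path (Vendor)' into (path, 'Vendor'); 'File not found' stays whole with no vendor."""
    if rest.endswith(")") and " (" in rest:
        path, company = rest.rsplit(" (", 1)
        return path, company[:-1].strip()
    return rest, ""


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage(log_text, window_minutes=5):
    """Return {'run': [...], 'shell': [...], 'files': [...]} of (original line, reason) pairs."""
    runs, shells, files = [], [], []
    for line in (raw.rstrip() for raw in log_text.splitlines()):
        m = RUN_RE.match(line)
        if m:
            target, _company = split_company(m.group("rest"))
            runs.append((line, target))
            continue
        m = SHELL_RE.match(line)
        if m:
            shells.append((line, m.group("target")))
            continue
        m = FILE_RE.match(line)
        if m:
            when = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            files.append((line, when, m.group("path")))

    findings = {"run": [], "shell": [], "files": []}
    for line, target in runs:
        if target == "File not found":
            findings["run"].append((line, "orphaned Run value, target no longer exists"))
        elif in_user_writable(target):
            findings["run"].append((line, "Run value loads from a user-writable profile folder"))
    for line, target in shells:
        # Winlogon Shell normally names explorer.exe; a lock screen that replaces it is
        # exactly what keeps the desktop from appearing (kiosk setups are the legitimate exception).
        if target.lower().rsplit("\\", 1)[-1] != "explorer.exe":
            findings["shell"].append((line, "Winlogon Shell replaced by " + target))
    # Timeline correlation: anything created within the window around a flagged loader's
    # own creation time is a candidate for review (it may still turn out to be benign).
    loader_paths = {target.lower() for _, target in runs if in_user_writable(target)}
    anchors = [when for _, when, path in files if path.lower() in loader_paths]
    window = timedelta(minutes=window_minutes)
    for line, when, _path in files:
        if any(abs(when - anchor) <= window for anchor in anchors):
            findings["files"].append((line, "created within %d min of a flagged loader" % window_minutes))
    return findings


def otl_fix_script(findings):
    """Render the flagged log lines as an :OTL block, the form MrC's fix above uses."""
    lines = [line for key in ("run", "shell", "files") for line, _reason in findings[key]]
    return "\n".join([":OTL"] + lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for key, hits in found.items():
        for line, reason in hits:
            print("[%s] %s\n    %s" % (key, reason, line))
    print("\n" + otl_fix_script(found))
```

On the sample it reproduces MrC's list: the three Application Data loaders, the orphaned zzzHPSETUP value, the skype.dat Shell hijack and the four items created in the 03:35 to 03:39 cluster, while leaving the Malwarebytes driver installed twenty minutes later alone.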


Thanks for the help. This seems to have worked.

After I ran the custom fix, I closed out of OTLPE and attempted a normal boot. Here is a rough outline of what happened next...

  • Boot made it to the usual Win XP splash screen.
  • Then went to a blue background screen where Win XP autoran a CHKDSK on my boot HDD.
  • Started with "verifying files".
  • Next went to "verifying indexes".
  • Deleted multiple index entries in file 42385.
  • Recovered 2 orphaned files.
  • Next went to "verifying security descriptors".
  • Automatically re-started boot process.
  • Made it to user names screen where I selected my user name.
  • Briefly launched then changed to "logging off" next to my user name.
  • Then changed to "saving your settings" next to my user name.
  • Reverted back to main welcome screen with all user names.
  • Selected my user name again and the desktop main screen loaded normally.

So far, the system seems stable and no ransom screen has appeared. Log file output from the custom fix is below...

========== OTL ==========

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\rkbcob deleted successfully.

C:\Documents and Settings\Bob\Application Data\rkbcob.dll moved successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\isrml deleted successfully.

C:\Documents and Settings\Bob\Application Data\isrml.dll moved successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SoundDrivers deleted successfully.

C:\Documents and Settings\All Users\Application Data\f34rfcdsfwe.exe moved successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\zzzHPSETUP deleted successfully.

Registry value HKEY_USERS\Bob_ON_C\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:J:\Documents and Settings\Bob\Application Data\skype.dat deleted successfully.

File C:\Documents and Settings\All Users\Application Data\f34rfcdsfwe.exe not found.

Folder C:\Documents and Settings\All Users\Application Data\2C533BF2BA1AC45700002C530FA4C976\ not found.

File C:\Documents and Settings\Bob\Application Data\isrml.dll not found.

File C:\Documents and Settings\Bob\Application Data\rkbcob.dll not found.

C:\Documents and Settings\Bob\Local Settings\Application Data\659d9545-abe8-11e2-8274-b8ac6f996f26.crx moved successfully.

C:\Documents and Settings\Kristen\Local Settings\Application Data\659d9545-abe8-11e2-8274-b8ac6f996f26.crx moved successfully.

C:\Documents and Settings\Bob\Application Data\skype.ini moved successfully.

OTLPE by OldTimer - Version 3.1.48.0 log created on 04282013_222033


OK, we have to run some other scans to make sure you're clean:

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options; they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

P2P Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

MrC


RK - 32 bit ran successfully. Here is the output quarantine report...

Time : 28/04/2013 22:27:42

--------------------------

ERROR [userinit.exe.vir] -> C:\Windows\system32\userinit.exe

ERROR [userinit.exe.vir] -> C:\Windows\system32\userinit.exe

ERROR [userinit.exe.vir] -> C:\Windows\system32\userinit.exe

ERROR [userinit.exe.vir] -> C:\Windows\system32\userinit.exe

ERROR [userinit.exe.vir] -> C:\Windows\system32\userinit.exe


That's not a correct log.

Just do this:

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC (be back in the AM)


Ran MBAR. First run detected 10 instances of malware.

  • Used cleanup to remove.
  • Rebooted and ran MBAR scan again.
  • No additional malware found.
  • Log files below.

Internet access and Windows firewall appear to be working OK, but Windows Update is not.

  • Attempting to run Windows Update and/or Microsoft Update is VERY slow. Almost goes to 'not responding' state.
  • Returns message: "Files required to use Microsoft Update are no longer registered or installed on your computer."
  • Offers option to "Register or reinstall the files for me now."
  • Appears to download software. Screen says "Registering 100%".
  • Returns error message: "The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem."
  • Options are generic MS FAQs or a link to online MS support.

How can I restore Windows Update? Thanks.

System log file attached. Log files from MBAR follow...

Malwarebytes Anti-Rootkit BETA 1.05.0.1001

www.malwarebytes.org

Database version: v2013.04.29.01

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Bob :: OFFICE-SERVER [administrator]

4/28/2013 11:45:17 PM

mbar-log-2013-04-28 (23-45-17).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 29419

Time elapsed: 7 minute(s), 32 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 6

j:\RECYCLER\S-1-5-18\$858d097930831b36089b39a3c55210d3\U (Trojan.Siredef.C) -> Delete on reboot.

j:\RECYCLER\S-1-5-21-57989841-1078081533-682003330-1003\$858d097930831b36089b39a3c55210d3\U (Trojan.Siredef.C) -> Delete on reboot.

j:\RECYCLER\S-1-5-18\$858d097930831b36089b39a3c55210d3\L (Trojan.Siredef.C) -> Delete on reboot.

j:\RECYCLER\S-1-5-21-57989841-1078081533-682003330-1003\$858d097930831b36089b39a3c55210d3\L (Trojan.Siredef.C) -> Delete on reboot.

j:\RECYCLER\S-1-5-18\$858d097930831b36089b39a3c55210d3 (Trojan.Siredef.C) -> Delete on reboot.

j:\RECYCLER\S-1-5-21-57989841-1078081533-682003330-1003\$858d097930831b36089b39a3c55210d3 (Trojan.Siredef.C) -> Delete on reboot.

Files Detected: 4

j:\Documents and Settings\Bob\Local Settings\Temp\hfgTy68aaa.tmp.exe (Trojan.Winlock) -> Delete on reboot.

j:\RECYCLER\S-1-5-18\$858d097930831b36089b39a3c55210d3\L\00000004.@ (Trojan.Siredef.C) -> Delete on reboot.

j:\RECYCLER\S-1-5-18\$858d097930831b36089b39a3c55210d3\L\201d3dde (Trojan.Siredef.C) -> Delete on reboot.

j:\RECYCLER\S-1-5-18\$858d097930831b36089b39a3c55210d3\L\76603ac3 (Trojan.Siredef.C) -> Delete on reboot.

(end)

Malwarebytes Anti-Rootkit BETA 1.05.0.1001

www.malwarebytes.org

Database version: v2013.04.29.01

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Bob :: OFFICE-SERVER [administrator]

4/29/2013 12:15:12 AM

mbar-log-2013-04-29 (00-15-12).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 29322

Time elapsed: 7 minute(s), 28 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

system-log.txt


Sorry...I neglected to mention that I already did run fixdamage yesterday and it did not change the outcome.

  • I ran MBAR again this morning and nothing was found.
  • Also re-ran fixdamage.
  • I was able to get Windows Update to at least scan my system and provide a list of available updates (no critical updates, but several optional updates).
  • Any attempt to install one or more of the updates (either HW or SW updates) hangs for a few minutes, then fails to install (returns a failure message).


Scan the system again with RogueKiller and post the new log which should be located on your desktop.

What you posted before was the quarantine text that you got from the quarantine folder.

If you can't find it...

Go to Start > Run > copy and paste Desktop in and click OK

Look for it there.

MrC


Just ran Rogue Killer. Here is the latest RK log file...

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Bob [Admin rights]

Mode : Scan -- Date : 04/29/2013 11:16:00

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤

[RUN][SUSP PATH] HKLM\[...]\RunOnce : Z1 (cmd /c "J:\Documents and Settings\Bob\Desktop\MWB Anti-Rootkit\MBAR Extract\mbar\mbar.exe" /cleanup /s) [7] -> FOUND

[SHELL][HJNAME] HKCU\[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND

[SHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1003[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND

[SHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1004[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND

[SHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1005[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND

[SHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1007[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x8A7F33B0)

SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x8A7EBBC8)

SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x8A77D5B0)

SSDT[19] : NtAssignProcessToJobObject @ 0x805D66A0 -> HOOKED (Unknown @ 0x8B096178)

SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x8AD2C258)

SSDT[43] : NtCreateMutant @ 0x806177F2 -> HOOKED (Unknown @ 0x8A9646F0)

SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A02 -> HOOKED (Unknown @ 0x8B055268)

SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x8A77BA18)

SSDT[57] : NtDebugActiveProcess @ 0x80643C82 -> HOOKED (Unknown @ 0x8AD1D378)

SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0x8A73BC08)

SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x8A78A3B0)

SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9332 -> HOOKED (Unknown @ 0x8A7EA510)

SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x8B0633E8)

SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8AE943B0)

SSDT[108] : unknown @ 0x805B2042 -> HOOKED (Unknown @ 0x8A7403B0)

SSDT[114] : NtOpenEvent @ 0x8060F1B0 -> HOOKED (Unknown @ 0x8A5C94B8)

SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (\??\J:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB03A9C4C)

SSDT[123] : NtOpenProcessToken @ 0x805EE000 -> HOOKED (Unknown @ 0x8B0458A0)

SSDT[125] : NtOpenSection @ 0x805AA3F4 -> HOOKED (Unknown @ 0x8AE79500)

SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (\??\J:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB03A9D3C)

SSDT[137] : NtProtectVirtualMemory @ 0x805B8426 -> HOOKED (Unknown @ 0x8AD2A150)

SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x8B006C70)

SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x8A72CD40)

SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x8A735740)

SSDT[240] : NtSetSystemInformation @ 0x8060FE68 -> HOOKED (Unknown @ 0x8B033278)

SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x8AE7DD40)

SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x8A619860)

SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x8AD0EB08)

SSDT[258] : unknown @ 0x805D24D2 -> HOOKED (Unknown @ 0x8AED6740)

SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x8A973D10)

SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x8A5B3420)

S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8B064600)

S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8B04E248)

S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A733440)

S_SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8B04E280)

S_SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8B00B860)

S_SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A73C1E0)

S_SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8A73EAA8)

S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8A73C6C0)

S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A7F4440)

S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8AF278C0)

¤¤¤ HOSTS File: ¤¤¤

--> J:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

192.168.1.2 HP000E7FD4E88F


[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1001FALS-00Y6A0 +++++

--- User ---

[MBR] 29c4c383c3910d3cbd7352336f01741e

[BSP] e5689fa077fdbde540f3aa45688e8d30 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953859 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: ST31000333AS +++++

--- User ---

[MBR] d8bc69b26b2ea6cd42733af77250683d

[BSP] 588c4ef17834bb2909ed18f3951fe7ba : Empty MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2]_S_04292013_02d1116.txt >>

RKreport[1]_S_04282013_02d2227.txt ; RKreport[2]_S_04292013_02d1116.txt


OK, run DeFogger to disable CD Emulation drivers:

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Reboot and run RogueKiller again and post the new log.

MrC


Here is the latest RK report...

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Bob [Admin rights]

Mode : Scan -- Date : 04/29/2013 11:40:38

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤

[SHELL][HJNAME] HKCU\[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND

[SHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1003[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND

[SHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1004[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND

[SHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1005[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND

[SHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1007[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND

[SHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1009[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x8B190070)

SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x8B190130)

SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x8AF54120)

SSDT[19] : NtAssignProcessToJobObject @ 0x805D66A0 -> HOOKED (Unknown @ 0x8B109CA8)

SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x8AF094B0)

SSDT[43] : NtCreateMutant @ 0x806177F2 -> HOOKED (Unknown @ 0x8B1A1120)

SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A02 -> HOOKED (Unknown @ 0x8B1D5458)

SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x8AEC0B80)

SSDT[57] : NtDebugActiveProcess @ 0x80643C82 -> HOOKED (Unknown @ 0x8B109D88)

SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0x8AF6F2E8)

SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x8AF55090)

SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9332 -> HOOKED (Unknown @ 0x8B1D6960)

SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x8B1D6A20)

SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8AEBD290)

SSDT[108] : unknown @ 0x805B2042 -> HOOKED (Unknown @ 0x8AF5C150)

SSDT[114] : NtOpenEvent @ 0x8060F1B0 -> HOOKED (Unknown @ 0x8B1A1060)

SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0x8AF5B418)

SSDT[123] : NtOpenProcessToken @ 0x805EE000 -> HOOKED (Unknown @ 0x8B0210E8)

SSDT[125] : NtOpenSection @ 0x805AA3F4 -> HOOKED (Unknown @ 0x8B24BC88)

SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0x8AF5B348)

SSDT[137] : NtProtectVirtualMemory @ 0x805B8426 -> HOOKED (Unknown @ 0x8B1D5548)

SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x8B1D0C40)

SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x8AF10748)

SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x8AF5A160)

SSDT[240] : NtSetSystemInformation @ 0x8060FE68 -> HOOKED (Unknown @ 0x8AF640E8)

SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x8B24BD48)

SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x8B1D0D00)

SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x8AFB3668)

SSDT[258] : unknown @ 0x805D24D2 -> HOOKED (Unknown @ 0x8AF54058)

SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x8AD8D128)

SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x8AF55160)

S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8AEC4300)

S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8AEBE2A8)

S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8AEBD300)

S_SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8AED62F8)

S_SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8AEC33C8)

S_SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8AEB9080)

S_SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8AED02B0)

S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8AF421F0)

S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8AF4B1A8)

S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8AECA330)

¤¤¤ HOSTS File: ¤¤¤

--> J:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

192.168.1.2 HP000E7FD4E88F


[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1001FALS-00Y6A0 +++++

--- User ---

[MBR] 29c4c383c3910d3cbd7352336f01741e

[BSP] e5689fa077fdbde540f3aa45688e8d30 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953859 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: ST31000333AS +++++

--- User ---

[MBR] d8bc69b26b2ea6cd42733af77250683d

[BSP] 588c4ef17834bb2909ed18f3951fe7ba : Empty MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[3]_S_04292013_02d1140.txt >>

RKreport[1]_S_04282013_02d2227.txt ; RKreport[2]_S_04292013_02d1116.txt ; RKreport[3]_S_04292013_02d1140.txt


[SHELL][HJNAME] HKCU\[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND

[SHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1003[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND

[SHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1004[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND

[SHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1005[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND

[SHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1007[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND

[SHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1009[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND

These were fixed before and they're all back, please do this:

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP and PUM > Select Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

MrC

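As an added example (not code from this thread, from RogueKiller's author or from Malwarebytes), a small Python parser for the report lines quoted above: it checks each Winlogon Userinit value against the expected path under the live system root (assumed here to be J:\WINDOWS, taken from the hosts-file path in the same report) and groups the SSDT hooks by the module the tool attributed them to, so that entries which keep coming back can be compared across runs. The sample report is constructed from a few entries in the thread's own format.

```python
import re
from collections import defaultdict

# Constructed sample in the RogueKiller V8 report format posted in this thread
# (a few entries only; hive names, SID and driver path follow that report).
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 3 ¤¤¤
[SHELL][HJNAME] HKCU\[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND
[SHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1003[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (\??\J:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB03A9C4C)
SSDT[137] : NtProtectVirtualMemory @ 0x805B8426 -> HOOKED (Unknown @ 0x8AD2A150)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A7F4440)
"""

# Winlogon Userinit entry. The tool writes the tag as [SHELL]; forum software
# may render it as [sHELL], so both spellings are accepted.
USERINIT_RE = re.compile(
    r"^\[[sS]HELL\]\[HJNAME\] (?P<hive>.+?)\\?\[\.\.\.\]\\Winlogon : Userinit "
    r"\((?P<value>.+?)\) \[(?P<flag>.)\] -> FOUND$"
)
# Kernel (SSDT) and win32k (S_SSDT) hook lines; S_SSDT entries carry no
# address after the function name.
HOOK_RE = re.compile(
    r"^(?P<table>S_SSDT|SSDT)\[(?P<idx>\d+)\] : (?P<func>\S+)(?: @ 0x[0-9A-Fa-f]+)?"
    r" -> HOOKED \((?P<module>.+?) @ 0x[0-9A-Fa-f]+\)$"
)


def analyze(report: str, system_root: str = r"J:\WINDOWS") -> dict:
    r"""Summarise Userinit entries and SSDT hooks from a RogueKiller V8 report.

    system_root is the live Windows directory (the default is taken from the
    hosts path in this thread's report); the stock Userinit value is
    <system_root>\system32\userinit.exe followed by a trailing comma.
    """
    expected = (system_root + r"\system32\userinit.exe").lower()
    userinit, suspicious, hooks = [], [], defaultdict(list)
    for line in report.splitlines():
        line = line.strip()
        m = USERINIT_RE.match(line)
        if m:
            value = m["value"].rstrip(",")
            # Assumption: RogueKiller's [x] marks a referenced file it could not find.
            missing = m["flag"] == "x"
            userinit.append((m["hive"], value, missing))
            if missing or value.lower() != expected:
                suspicious.append(m["hive"])
            continue
        m = HOOK_RE.match(line)
        if m:
            # Group hooks by owning module: a driver file name, or "Unknown"
            # when the tool could not attribute the hook to a loaded module.
            module = m["module"].rsplit("\\", 1)[-1]
            hooks[module].append(m["func"])
    return {
        "userinit": userinit,
        "userinit_suspicious": suspicious,
        "hooks": dict(hooks),
        "unattributed_hook_count": len(hooks.get("Unknown", [])),
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_REPORT)
    for hive, value, missing in summary["userinit"]:
        print(f"Userinit {hive}: {value}" + (" (file not found)" if missing else ""))
    print("hives to review:", summary["userinit_suspicious"])
    for module, funcs in summary["hooks"].items():
        print(f"{module}: {', '.join(funcs)}")
```

Hooks attributed to a named security driver (mbamchameleon.sys here) are expected while that product is installed; the "Unknown" group is the one to account for before declaring the system clean.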

MBAM has never detected the above items as far as I can recall. They have always shown up when I run Rogue Killer and we have never addressed or removed them.

I made the modifications to MBAM and ran it again. Nothing found. Here is the log...

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

Database version: v2013.04.29.06

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Bob :: OFFICE-SERVER [administrator]

4/29/2013 12:29:13 PM

mbam-log-2013-04-29 (12-29-13).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 317186

Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Definitely running slow, but that was a problem before I was infected with the MoneyPak trojan. All other applications I have tried seem to be launching and running OK. Just need to fix Windows Update and wish I could speed the PC up a bit.


Please download the following application to the Desktop: Windows Repair

Next, extract it and launch Repair_Windows.exe

Click on the Start repairs tab and then click on Start

Check the following options:

Reset registry permissions

Reset file permissions

Repair WMI

Remove Policies Set By Infections

Repair Windows Updates

Check > Restart System When Finished option

Click the Start button

System should restart after repair

Let me know.....MrC


Unfortunately, I'm not able to make any progress with Windows Repair. I have tried it twice.

Both times it starts the process but doesn't get very far into the first portion (registry permissions) before the MS "blue screen of death" appears and forces a complete reboot.


OK. Making some good progress now.

  • Once I unchecked Registry Permissions, Windows Repair made it through the entire cycle and rebooted.
  • I was then able to run Windows Update and actually download and install the updates. The first time around, I did get a number of SearchFilterHost "file not found" errors, but I haven't seen that message since then.
  • There seems to be a slight speed improvement in some areas since running Windows Repair.
  • One new strange thing that occurs is Windows Firewall seems to be turned off when I first reboot the PC. It pops up with a warning, but after a minute or two it turns itself on. Not sure if this is a major concern, but it didn't used to happen.

Do we still need to go back and do something about the line items that were uncovered by Rogue Killer? I don't believe we ever deleted or removed anything that was listed in the report.

Also, do we need to re-enable CD emulation that we previously disabled with defogger?

Any other tricks to improve speed/performance? Thanks again!
