Life1 Posted May 22, 2013 ID:682676 Share Posted May 22, 2013 I've recently got the FBI Moneypack virus on my other laptop, which uses Windows 7. It won't let me use any safe modes. From viewing other similar threads I have already used the FRST64 program, and have a copy of the log.Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 22-05-2013 01Ran by SYSTEM on 22-05-2013 17:30:50Running from F:\Windows 7 Home Premium (X64) OS Language: English(US)Internet Explorer Version 9Boot Mode: RecoveryThe current controlset is ControlSet001[b]ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.[/b]==================== Registry (Whitelisted) ==================HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2531624 2010-12-17] (Synaptics Incorporated)HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s [6561384 2010-12-14] (Realtek Semiconductor)HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /MAXX3 [2186856 2010-12-10] (Realtek Semiconductor)HKLM\...\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start [312936 2011-02-18] (NVIDIA Corporation)HKLM\...\Run: [NtrigApplet] C:\Program Files\N-trig\DuoSense Control Apps\NtrigApplet.exe [2563072 2012-07-25] (N-trig LLC)HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [4479648 2011-01-25] (Dell Inc.)HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)HKLM-x32\...\Run: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [87336 2010-10-01] (CyberLink Corp.)HKLM-x32\...\Run: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [50472 2010-09-17] (CyberLink Corp.)HKLM-x32\...\Run: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe [75048 2011-08-11] (cyberlink)HKLM-x32\...\Run: [] [x]HKLM-x32\...\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [35736 2011-01-30] (Adobe Systems Incorporated)HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-11-10] (Adobe Systems Incorporated)HKLM-x32\...\Run: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE [180224 2009-11-08] (PowerISO Computing, Inc.)HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-01-21] (Microsoft Corporation)HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)HKU\VP\...\Run: [Google Update] "C:\Users\VP\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2013-02-13] (Google Inc.)HKU\VP\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\VP\Documents\7614808c.exe [37888 2013-05-22] ()HKU\VP\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTIONAppInit_DLLs: C:\Windows\system32\nvinitx.dll [226920 2011-02-18] (NVIDIA Corporation)Startup: C:\Users\VP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnkShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()==================== Services (Whitelisted) =================S2 CLKMSVC10_9EC60124; C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [248304 2011-08-11] (CyberLink)S2 Pharos Systems ComTaskMaster; C:\PROGRA~2\PHAROS~1\Core\CTskMstr.exe [339456 2010-12-22] (Pharos Systems International)S2 SepMasterService; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\sms.dll [167344 2012-04-18] (Symantec Corporation)S3 SmcService; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\Smc.exe [2601544 2012-04-18] (Symantec Corporation)S2 SNAC; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\snac64.exe [325040 2012-04-18] (Symantec Corporation)==================== Drivers (Whitelisted) ====================S3 AVer7231_x64; C:\Windows\System32\DRIVERS\AVer7231_x64.sys [1800576 2010-08-27] (AVerMedia TECHNOLOGIES, Inc.)S1 BHDrvx64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\BASHDefs\20130107.011\BHDrvx64.sys [1384608 2012-11-14] (Symantec Corporation)S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-14] (Symantec Corporation)S1 IDSVia64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\IPSDefs\20130115.001\IDSvia64.sys [513184 2012-12-20] (Symantec Corporation)S3 NAVENG; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\VirusDefs\20130115.025\ENG64.SYS [126192 2013-01-15] (Symantec Corporation)S3 NAVEX15; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\VirusDefs\20130115.025\EX64.SYS [2087664 2013-01-15] (Symantec Corporation)S3 NtrigDigitizerUSBLowerFilter; C:\Windows\System32\DRIVERS\NtrigDigitizerUSBLowerFilter.sys [13776 2010-08-16] (Windows (R) Codename Longhorn DDK provider)S3 SyDvCtrl; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\SyDvCtrl64.sys [29664 2012-04-18] (Symantec Corporation)S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [175736 2012-08-30] (Symantec Corporation)S1 Teefer2; C:\Windows\System32\DRIVERS\Teefer.sys [62672 2012-04-18] (Symantec Corporation)S1 SRTSP; system32\Drivers\SEP\0C01044D\0191.105\x64\SRTSP64.SYS [x]S1 SRTSPX; system32\Drivers\SEP\0C01044D\0191.105\x64\SRTSPX64.SYS [x]S0 SymDS; system32\Drivers\SEP\0C01044D\0191.105\x64\SYMDS64.SYS [x]S0 SymEFA; system32\Drivers\SEP\0C01044D\0191.105\x64\SYMEFA64.SYS [x]S1 SymIRON; system32\Drivers\SEP\0C01044D\0191.105\x64\Ironx64.SYS [x]S1 SYMNETS; system32\Drivers\SEP\0C01044D\0191.105\x64\SYMNETS.SYS [x]S1 SysPlant; system32\Drivers\SysPlant.sys [x]==================== NetSvcs (Whitelisted) ======================================= One Month Created Files and Folders ========2013-05-22 17:30 - 2013-05-22 17:30 - 00000000 ____D C:\FRST2013-05-22 11:55 - 2013-05-22 11:55 - 01418607 ____A C:\Users\VP\Local Settings\Application Data\2433f4332013-05-22 11:55 - 2013-05-22 11:55 - 01418607 ____A C:\Users\VP\Local Settings\2433f4332013-05-22 11:55 - 2013-05-22 11:55 - 01418607 ____A C:\Users\VP\AppData\Local\2433f4332013-05-22 11:55 - 2013-05-22 11:55 - 01418601 ____A C:\Users\VP\Application Data\2433f4332013-05-22 11:55 - 2013-05-22 11:55 - 01418601 ____A C:\Users\VP\AppData\Roaming\2433f4332013-05-22 11:55 - 2013-05-22 11:55 - 01418569 ____A C:\ProgramData\Application Data\2433f4332013-05-22 11:55 - 2013-05-22 11:55 - 01418569 ____A C:\ProgramData\2433f4332013-05-22 11:55 - 2013-05-22 11:55 - 00037888 ____A C:\Users\VP\My Documents\7614808c.exe2013-05-22 11:55 - 2013-05-22 11:55 - 00037888 ____A C:\Users\VP\Documents\7614808c.exe2013-05-18 20:23 - 2013-05-18 20:23 - 00000000 ___HD C:\Windows\AxInstSV2013-05-17 14:01 - 2013-05-17 14:01 - 00893000 ____A (PrivitizeVPN) C:\Users\VP\Downloads\PHP_Programming_With_MySQL_Second_Edition_secure.exe2013-05-17 08:42 - 2013-05-17 08:42 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox2013-05-16 19:43 - 2013-05-05 13:36 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll2013-05-16 19:43 - 2013-05-05 13:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb2013-05-16 19:43 - 2013-05-05 11:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll2013-05-16 19:43 - 2013-05-05 11:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb2013-05-16 19:42 - 2013-04-04 17:01 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll2013-05-16 19:42 - 2013-04-04 16:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll2013-05-16 19:42 - 2013-04-04 16:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe2013-05-16 19:42 - 2013-04-04 16:54 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll2013-05-16 19:42 - 2013-04-04 16:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll2013-05-16 19:42 - 2013-04-04 16:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll2013-05-16 19:42 - 2013-04-04 14:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll2013-05-16 19:42 - 2013-04-04 14:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll2013-05-16 19:42 - 2013-04-04 13:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe2013-05-16 19:42 - 2013-04-04 13:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll2013-05-16 19:42 - 2013-04-04 13:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll2013-05-16 19:42 - 2013-04-04 13:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll2013-05-16 19:42 - 2013-04-04 13:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll2013-05-16 19:41 - 2013-04-04 17:19 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll2013-05-16 19:41 - 2013-04-04 17:08 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll2013-05-16 19:41 - 2013-04-04 17:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll2013-05-16 19:41 - 2013-04-04 16:59 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl2013-05-16 19:41 - 2013-04-04 16:57 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll2013-05-16 19:41 - 2013-04-04 16:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll2013-05-16 19:41 - 2013-04-04 16:55 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll2013-05-16 19:41 - 2013-04-04 16:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll2013-05-16 19:41 - 2013-04-04 14:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll2013-05-16 19:41 - 2013-04-04 14:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll2013-05-16 19:41 - 2013-04-04 14:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl2013-05-16 19:41 - 2013-04-04 14:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll2013-05-16 19:41 - 2013-04-04 13:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll2013-05-16 19:41 - 2013-04-04 13:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll2013-05-16 19:41 - 2013-04-04 13:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll2013-05-15 10:25 - 2013-04-09 22:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys2013-05-15 10:25 - 2013-04-09 22:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys2013-05-15 10:25 - 2013-02-26 22:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe2013-05-15 10:25 - 2013-02-26 21:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll2013-05-15 10:25 - 2013-02-26 21:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll2013-05-15 10:25 - 2013-02-26 21:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll2013-05-15 10:25 - 2013-02-26 21:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll2013-05-15 10:25 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll2013-05-15 10:25 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll2013-05-15 10:25 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll2013-05-15 10:25 - 2011-02-03 03:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll2013-05-15 10:24 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys2013-05-15 10:24 - 2013-03-18 21:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll2013-05-15 10:24 - 2013-03-18 21:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll2013-05-12 18:21 - 2013-05-12 18:21 - 02127067 ____A C:\Users\VP\Downloads\sample-exam.pptx2013-05-11 18:14 - 2013-05-11 18:14 - 00006621 ____A C:\Users\VP\Local Settings\recently-used.xbel2013-05-11 18:14 - 2013-05-11 18:14 - 00006621 ____A C:\Users\VP\Local Settings\Application Data\recently-used.xbel2013-05-11 18:14 - 2013-05-11 18:14 - 00006621 ____A C:\Users\VP\AppData\Local\recently-used.xbel2013-05-11 09:04 - 2013-05-11 09:04 - 00155777 ____A C:\Users\VP\Desktop\Untitled.xcf2013-05-10 02:28 - 2013-05-10 02:28 - 00000844 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2899491175-1165285153-3823797879-1003Core1ce4d6925f35fef.job2013-05-03 07:59 - 2013-05-03 07:59 - 00048929 ____A C:\Users\VP\Downloads\US2013-04-24 04:14 - 2013-04-12 06:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys2013-04-23 14:14 - 2013-05-03 08:00 - 00000000 ____D C:\Users\VP\Downloads\New folder==================== One Month Modified Files and Folders =======2013-05-22 17:30 - 2013-05-22 17:30 - 00000000 ____D C:\FRST2013-05-22 13:04 - 2012-07-25 10:37 - 00000000 ____D C:\Users\Default\Local Settings\SoftThinks2013-05-22 13:04 - 2012-07-25 10:37 - 00000000 ____D C:\Users\Default\Local Settings\Application Data\SoftThinks2013-05-22 13:04 - 2012-07-25 10:37 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks2013-05-22 13:04 - 2012-07-25 10:37 - 00000000 ____D C:\Users\Default User\Local Settings\SoftThinks2013-05-22 13:04 - 2012-07-25 10:37 - 00000000 ____D C:\Users\Default User\Local Settings\Application Data\SoftThinks2013-05-22 13:04 - 2012-07-25 10:37 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks2013-05-22 13:04 - 2012-07-25 10:30 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup2013-05-22 13:03 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT2013-05-22 13:03 - 2009-07-13 20:51 - 00119586 ____A C:\Windows\setupact.log2013-05-22 11:55 - 2013-05-22 11:55 - 01418607 ____A C:\Users\VP\Local Settings\Application Data\2433f4332013-05-22 11:55 - 2013-05-22 11:55 - 01418607 ____A C:\Users\VP\Local Settings\2433f4332013-05-22 11:55 - 2013-05-22 11:55 - 01418607 ____A C:\Users\VP\AppData\Local\2433f4332013-05-22 11:55 - 2013-05-22 11:55 - 01418601 ____A C:\Users\VP\Application Data\2433f4332013-05-22 11:55 - 2013-05-22 11:55 - 01418601 ____A C:\Users\VP\AppData\Roaming\2433f4332013-05-22 11:55 - 2013-05-22 11:55 - 01418569 ____A C:\ProgramData\Application Data\2433f4332013-05-22 11:55 - 2013-05-22 11:55 - 01418569 ____A C:\ProgramData\2433f4332013-05-22 11:55 - 2013-05-22 11:55 - 00037888 ____A C:\Users\VP\My Documents\7614808c.exe2013-05-22 11:55 - 2013-05-22 11:55 - 00037888 ____A C:\Users\VP\Documents\7614808c.exe2013-05-22 11:46 - 2012-07-25 09:59 - 01924649 ____A C:\Windows\WindowsUpdate.log2013-05-22 11:40 - 2012-08-30 19:37 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job2013-05-22 11:08 - 2009-07-13 20:45 - 00020880 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A02013-05-22 11:08 - 2009-07-13 20:45 - 00020880 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A02013-05-20 19:31 - 2013-02-10 09:08 - 00000552 ____A C:\Users\VP\Desktop\spects 2013.txt2013-05-20 16:42 - 2012-07-25 10:19 - 00000000 ____D C:\ProgramData\Sonic2013-05-20 16:42 - 2012-07-25 10:19 - 00000000 ____D C:\ProgramData\Application Data\Sonic2013-05-20 14:00 - 2013-03-09 05:57 - 00000000 ____D C:\Users\VP\Desktop\reverv_files2013-05-20 14:00 - 2012-08-30 10:15 - 00000000 ____D C:\users\VP2013-05-20 13:58 - 2012-12-16 12:22 - 00000000 ____D C:\Users\VP\Application Data\uTorrent2013-05-20 13:58 - 2012-12-16 12:22 - 00000000 ____D C:\Users\VP\AppData\Roaming\uTorrent2013-05-20 13:58 - 2012-11-23 13:30 - 00000000 ____D C:\Users\VP\Application Data\Winamp2013-05-20 13:58 - 2012-11-23 13:30 - 00000000 ____D C:\Users\VP\AppData\Roaming\Winamp2013-05-20 13:58 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration2013-05-18 20:23 - 2013-05-18 20:23 - 00000000 ___HD C:\Windows\AxInstSV2013-05-17 14:01 - 2013-05-17 14:01 - 00893000 ____A (PrivitizeVPN) C:\Users\VP\Downloads\PHP_Programming_With_MySQL_Second_Edition_secure.exe2013-05-17 13:08 - 2012-08-30 13:50 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service2013-05-17 08:42 - 2013-05-17 08:42 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox2013-05-17 07:30 - 2009-07-13 20:45 - 00492208 ____A C:\Windows\System32\FNTCACHE.DAT2013-05-16 20:40 - 2012-08-30 19:37 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe2013-05-16 20:40 - 2012-08-30 19:37 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl2013-05-16 19:48 - 2012-08-30 17:15 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe2013-05-16 19:45 - 2009-07-13 21:13 - 00740374 ____A C:\Windows\System32\PerfStringBackup.INI2013-05-16 19:41 - 2012-09-05 08:17 - 00000000 ____D C:\ProgramData\Microsoft Help2013-05-16 19:41 - 2012-09-05 08:17 - 00000000 ____D C:\ProgramData\Application Data\Microsoft Help2013-05-12 18:21 - 2013-05-12 18:21 - 02127067 ____A C:\Users\VP\Downloads\sample-exam.pptx2013-05-12 10:16 - 2012-08-30 13:50 - 00000000 ____D C:\Users\VP\Application Data\Mozilla2013-05-12 10:16 - 2012-08-30 13:50 - 00000000 ____D C:\Users\VP\AppData\Roaming\Mozilla2013-05-11 18:45 - 2013-01-13 20:14 - 00000000 ____D C:\Users\VP\.gimp-2.82013-05-11 18:14 - 2013-05-11 18:14 - 00006621 ____A C:\Users\VP\Local Settings\recently-used.xbel2013-05-11 18:14 - 2013-05-11 18:14 - 00006621 ____A C:\Users\VP\Local Settings\Application Data\recently-used.xbel2013-05-11 18:14 - 2013-05-11 18:14 - 00006621 ____A C:\Users\VP\AppData\Local\recently-used.xbel2013-05-11 09:04 - 2013-05-11 09:04 - 00155777 ____A C:\Users\VP\Desktop\Untitled.xcf2013-05-10 09:18 - 2013-01-09 08:00 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware2013-05-10 02:28 - 2013-05-10 02:28 - 00000844 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2899491175-1165285153-3823797879-1003Core1ce4d6925f35fef.job2013-05-05 13:36 - 2013-05-16 19:43 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll2013-05-05 13:16 - 2013-05-16 19:43 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb2013-05-05 11:25 - 2013-05-16 19:43 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll2013-05-05 11:12 - 2013-05-16 19:43 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb2013-05-03 08:00 - 2013-04-23 14:14 - 00000000 ____D C:\Users\VP\Downloads\New folder2013-05-03 07:59 - 2013-05-03 07:59 - 00048929 ____A C:\Users\VP\Downloads\US2013-04-28 06:06 - 2009-07-13 21:08 - 00032622 ____A C:\Windows\Tasks\SCHEDLGU.TXT2013-04-27 12:18 - 2012-08-30 10:15 - 00000000 ____D C:\Users\VP\Local Settings\VirtualStore2013-04-27 12:18 - 2012-08-30 10:15 - 00000000 ____D C:\Users\VP\Local Settings\Application Data\VirtualStore2013-04-27 12:18 - 2012-08-30 10:15 - 00000000 ____D C:\Users\VP\AppData\Local\VirtualStore2013-04-26 11:38 - 2013-02-10 13:25 - 00000000 ____D C:\Program Files\Microsoft Silverlight2013-04-26 11:38 - 2013-02-10 13:25 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight2013-04-23 14:08 - 2012-09-27 09:51 - 00000000 ____D C:\Users\VP\Desktop\TempleZeroAccess:C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\@C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\LC:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\nC:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\UC:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\L\00000004.@C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\U\00000004.@C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\U\00000008.@C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\U\000000cb.@C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\U\80000000.@C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\U\80000032.@C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\U\80000064.@==================== Known DLLs (Whitelisted) ==================================== Bamital & volsnap Check =================C:\Windows\System32\winlogon.exe => MD5 is legitC:\Windows\System32\wininit.exe => MD5 is legitC:\Windows\SysWOW64\wininit.exe => MD5 is legitC:\Windows\explorer.exe => MD5 is legitC:\Windows\SysWOW64\explorer.exe => MD5 is legitC:\Windows\System32\svchost.exe => MD5 is legitC:\Windows\SysWOW64\svchost.exe => MD5 is legitC:\Windows\System32\services.exe => MD5 is legitC:\Windows\System32\User32.dll => MD5 is legitC:\Windows\SysWOW64\User32.dll => MD5 is legitC:\Windows\System32\userinit.exe => MD5 is legitC:\Windows\SysWOW64\userinit.exe => MD5 is legitC:\Windows\System32\Drivers\volsnap.sys => MD5 is legit==================== EXE ASSOCIATION =====================HKLM\...\.exe: exefile => OKHKLM\...\exefile\DefaultIcon: %1 => OKHKLM\...\exefile\open\command: "%1" %* => OK==================== Restore Points =========================Restore point made on: 2013-03-13 21:17:00Restore point made on: 2013-03-25 20:05:11Restore point made on: 2013-04-10 04:31:25Restore point made on: 2013-04-24 17:14:31Restore point made on: 2013-04-26 09:18:38Restore point made on: 2013-05-16 19:40:20Restore point made on: 2013-05-17 14:04:33Restore point made on: 2013-05-20 13:54:19==================== Memory info ===========================Percentage of memory in use: 11%Total physical RAM: 8086.17 MBAvailable physical RAM: 7128.15 MBTotal Pagefile: 8084.32 MBAvailable Pagefile: 7123.13 MBTotal Virtual: 8192 MBAvailable Virtual: 8191.88 MB==================== Drives ================================Drive c: (OSDisk) (Fixed) (Total:917.84 GB) (Free:839.25 GB) NTFS (Disk=0 Partition=1)Drive e: (Recovery) (Fixed) (Total:13.67 GB) (Free:6.14 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]Drive f: () (Removable) (Total:0.96 GB) (Free:0.95 GB) FAT (Disk=1 Partition=1)Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS==================== MBR & Partition Table ==========================================================================Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: D63C339E)Partition 1: (Not Active) - (Size=918 GB) - (Type=07 NTFS)Partition 2: (Active) - (Size=14 GB) - (Type=07 NTFS)========================================================Disk: 1 (Size: 980 MB) (Disk ID: 9B79C3CE)Partition 1: (Not Active) - (Size=980 MB) - (Type=06)Last Boot: 2013-03-30 08:17==================== End Of Log ============================ Link to post Share on other sites More sharing options...
MrCharlie Posted May 22, 2013 ID:682681 Share Posted May 22, 2013 Looking at it know.....MrC Link to post Share on other sites More sharing options...
Life1 Posted May 22, 2013 Author ID:682682 Share Posted May 22, 2013 Thanks a lot MrC! Link to post Share on other sites More sharing options...
MrCharlie Posted May 22, 2013 ID:682690 Share Posted May 22, 2013 Please read the following information first.You're infected with Rootkit.ZeroAccess, a BackDoor Trojan also.BACKDOOR WARNING------------------------------One or more of the identified infections is known to use a backdoor.This allows hackers to remotely control your computer, steal critical system information and download and execute files.I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?http://www.dslreports.com/faq/10451When Should I Format, How Should I Reinstallhttp://www.dslreports.com/faq/10063I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.-----------------------------------------Please download the attached fixlist.txt and copy it to your flashdrive.NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating systemOn Vista or Windows 7: Now please enter System Recovery Options. (as you did before)Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.See if the computer boots normally now and if so..........Download Malwarebytes Anti-Rootkit from HEREUnzip the contents to a folder in a convenient location.Open the folder where the contents were unzipped and run mbar.exeFollow the instructions in the wizard to update and allow the program to scan your computer for threats.Click on the Cleanup button to remove any threats and reboot if prompted to do so.Wait while the system shuts down and the cleanup process is performed.Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txtTo attach a log if needed:Bottom right corner of this page.New window that comes up.MrC Link to post Share on other sites More sharing options...
Life1 Posted May 22, 2013 Author ID:682698 Share Posted May 22, 2013 Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 22-05-2013 01Ran by SYSTEM at 2013-05-22 18:43:41 Run:1Running from F:\Boot Mode: Recovery==============================================HKEY_USERS\VP\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value deleted successfully.HKEY_USERS\VP\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.C:\Users\VP\Local Settings\Application Data\2433f433 => Moved successfully.C:\Users\VP\Local Settings\2433f433 => File/Directory not found.C:\Users\VP\AppData\Local\2433f433 => File/Directory not found.C:\Users\VP\Application Data\2433f433 => Moved successfully.C:\Users\VP\AppData\Roaming\2433f433 => File/Directory not found.C:\ProgramData\Application Data\2433f433 => Moved successfully.C:\ProgramData\2433f433 => File/Directory not found.C:\Users\VP\My Documents\7614808c.exe => Moved successfully.C:\Users\VP\Documents\7614808c.exe => File/Directory not found.C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4 => Moved successfully.C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\@ => File/Directory not found.C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\L => File/Directory not found.C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\n => File/Directory not found.C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\U => File/Directory not found.C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\L\00000004.@ => File/Directory not found.C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\U\00000004.@ => File/Directory not found.C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\U\00000008.@ => File/Directory not found.C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\U\000000cb.@ => File/Directory not found.C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\U\80000000.@ => File/Directory not found.C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\U\80000032.@ => File/Directory not found.C:\$Recycle.Bin\S-1-5-21-2899491175-1165285153-3823797879-1003\$f6c1ae68d13f99d5c853ef595c0afcf4\U\80000064.@ => File/Directory not found.==== End of Fixlog ==== Link to post Share on other sites More sharing options...
MrCharlie Posted May 22, 2013 ID:682703 Share Posted May 22, 2013 Please don't put logs in code or quote, they're too hard to read and I can't change it.Does the computer boot normally??If so run MBAR..... MrC Link to post Share on other sites More sharing options...
Life1 Posted May 22, 2013 Author ID:682709 Share Posted May 22, 2013 My bad, and yup it booted normally and currently running the other program now. I will post the other two logs as soon as the scan finishes.Fixlog.txt Link to post Share on other sites More sharing options...
Life1 Posted May 22, 2013 Author ID:682726 Share Posted May 22, 2013 Here are the two logs you wanted from the program.mbar-log-2013-05-22 (19-52-24).txtsystem-log.txt Link to post Share on other sites More sharing options...
MrCharlie Posted May 23, 2013 ID:682730 Share Posted May 23, 2013 Looks Good....How is it??Lets check for any adware while you're here:Please download AdwCleaner from here and save it on your Desktop. AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.AdwCleaner is a tool that deletes :· Adwares (software ads)· PUP/LPI (Potentially Undesirable Program)· Toolbars· Hijacker (Hijack of the browser's homepage)It works with a Search and Deletion method. It can be easily uninstalled using the "Uninstall" mode.Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.Now click on the Search tab.Please post the contents of the log-file created in your next post.Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.Note:Please look over what was found......especially any folders, we're going to permanently delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain to why it shouldn't be on your system.If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.Please note that Antivir Webguard uses ASK Toolbar as part of its web security. If you remove ASK by using Adwcleaner, Antivir Webguard will no longer work properly. Therefore, if you use this program please use the instructions below to access the options screen where you should enable /DisableAskDetections before using AdwCleaner.You can click on the question mark (?) in the upper left corner of the program and then click on Options. You will then be presented with a dialog where you can disable various detections. These options are described below:/DisableAskDetection - This option disables Ask Toolbar detection.MrC Link to post Share on other sites More sharing options...
Life1 Posted May 23, 2013 Author ID:682732 Share Posted May 23, 2013 # AdwCleaner v2.301 - Logfile created 05/22/2013 at 20:17:45# Updated 16/05/2013 by Xplode# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)# User : VP - VP# Boot Mode : Normal# Running from : C:\Users\VP\Downloads\adwcleaner.exe# Option [search]***** [services] ********** [Files / Folders] *****Folder Found : C:\Program Files (x86)\ConduitFolder Found : C:\Program Files (x86)\uTorrentControl_v2Folder Found : C:\Users\VP\AppData\Local\ConduitFolder Found : C:\Users\VP\AppData\LocalLow\ConduitFolder Found : C:\Users\VP\AppData\LocalLow\uTorrentControl_v2***** [Registry] *****Key Found : HKCU\Software\AppDataLow\Software\ConduitKey Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopesKey Found : HKCU\Software\AppDataLow\Software\SmartBarKey Found : HKCU\Software\AppDataLow\Software\uTorrentControl_v2Key Found : HKCU\Software\AppDataLow\ToolbarKey Found : HKCU\Software\ConduitKey Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7473B6BD-4691-4744-A82B-7854EB3D70B6}Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{537F4F0B-3542-4C7D-A3E5-CF121482696C}Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7473B6BD-4691-4744-A82B-7854EB3D70B6}Key Found : HKCU\Software\PrivitizeVPNInstallDatesKey Found : HKCU\Software\StartSearchKey Found : HKLM\SOFTWARE\Classes\Toolbar.CT3220468Key Found : HKLM\Software\ConduitKey Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{537F4F0B-3542-4C7D-A3E5-CF121482696C}Key Found : HKLM\Software\uTorrentControl_v2Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{537F4F0B-3542-4C7D-A3E5-CF121482696C}Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7473B6BD-4691-4744-A82B-7854EB3D70B6}Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C74A901-B9EF-48BD-A5B5-39FD00036F39}Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8DB40999-4D4C-4FD3-9FE0-ED04AACC62AE}Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7473B6BD-4691-4744-A82B-7854EB3D70B6}Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\uTorrentControl_v2 ToolbarValue Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]Value Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]***** [internet Browsers] *****-\\ Internet Explorer v9.0.8112.16483[OK] Registry is clean.-\\ Mozilla Firefox v21.0 (en-US)File : C:\Users\VP\AppData\Roaming\Mozilla\Firefox\Profiles\jli78dws.default\prefs.jsFound : user_pref("CT3220468_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]Found : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=1[...]Found : user_pref("Smartbar.ConduitSearchEngineList", "");Found : user_pref("Smartbar.ConduitSearchUrlList", "");Found : user_pref("Smartbar.keywordURLSelectedCTID", "CT3220468");Found : user_pref("extensions.privitize.srchPrvdr", "Search The Web (privitize)");*************************AdwCleaner[R1].txt - [3750 octets] - [22/05/2013 20:17:45]########## EOF - C:\AdwCleaner[R1].txt - [3810 octets] ########## Link to post Share on other sites More sharing options...
MrCharlie Posted May 23, 2013 ID:682733 Share Posted May 23, 2013 Lots of adware found....lets clear it out.....Please re-run AdwCleanerClick on Delete button.Confirm each time with OK if asked.Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.Then......Lets check your computers security before you go and we have a little cleanup to do also:Download Security Check by screen317 from HERE or HERE.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt.Please Post the contents of that document.Do Not Attach It!!!MrC Link to post Share on other sites More sharing options...
Life1 Posted May 23, 2013 Author ID:682737 Share Posted May 23, 2013 # AdwCleaner v2.301 - Logfile created 05/22/2013 at 20:25:43# Updated 16/05/2013 by Xplode# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)# User : VP - VP# Boot Mode : Normal# Running from : C:\Users\VP\Downloads\adwcleaner.exe# Option [Delete]***** [services] ********** [Files / Folders] *****Folder Deleted : C:\Program Files (x86)\ConduitFolder Deleted : C:\Program Files (x86)\uTorrentControl_v2Folder Deleted : C:\Users\VP\AppData\Local\ConduitFolder Deleted : C:\Users\VP\AppData\LocalLow\ConduitFolder Deleted : C:\Users\VP\AppData\LocalLow\uTorrentControl_v2***** [Registry] *****Key Deleted : HKCU\Software\AppDataLow\Software\ConduitKey Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopesKey Deleted : HKCU\Software\AppDataLow\Software\SmartBarKey Deleted : HKCU\Software\AppDataLow\Software\uTorrentControl_v2Key Deleted : HKCU\Software\AppDataLow\ToolbarKey Deleted : HKCU\Software\ConduitKey Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7473B6BD-4691-4744-A82B-7854EB3D70B6}Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{537F4F0B-3542-4C7D-A3E5-CF121482696C}Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7473B6BD-4691-4744-A82B-7854EB3D70B6}Key Deleted : HKCU\Software\PrivitizeVPNInstallDatesKey Deleted : HKCU\Software\StartSearchKey Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3220468Key Deleted : HKLM\Software\ConduitKey Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{537F4F0B-3542-4C7D-A3E5-CF121482696C}Key Deleted : HKLM\Software\uTorrentControl_v2Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{537F4F0B-3542-4C7D-A3E5-CF121482696C}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7473B6BD-4691-4744-A82B-7854EB3D70B6}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C74A901-B9EF-48BD-A5B5-39FD00036F39}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8DB40999-4D4C-4FD3-9FE0-ED04AACC62AE}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7473B6BD-4691-4744-A82B-7854EB3D70B6}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\uTorrentControl_v2 ToolbarValue Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]***** [internet Browsers] *****-\\ Internet Explorer v9.0.8112.16483[OK] Registry is clean.-\\ Mozilla Firefox v21.0 (en-US)File : C:\Users\VP\AppData\Roaming\Mozilla\Firefox\Profiles\jli78dws.default\prefs.jsC:\Users\VP\AppData\Roaming\Mozilla\Firefox\Profiles\jli78dws.default\user.js ... Deleted !Deleted : user_pref("CT3220468_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=1[...]Deleted : user_pref("Smartbar.ConduitSearchEngineList", "");Deleted : user_pref("Smartbar.ConduitSearchUrlList", "");Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3220468");Deleted : user_pref("extensions.privitize.srchPrvdr", "Search The Web (privitize)");*************************AdwCleaner[R1].txt - [3879 octets] - [22/05/2013 20:17:45]AdwCleaner[s1].txt - [3981 octets] - [22/05/2013 20:25:43]########## EOF - C:\AdwCleaner[s1].txt - [4041 octets] ########## Link to post Share on other sites More sharing options...
MrCharlie Posted May 23, 2013 ID:682741 Share Posted May 23, 2013 Security Check log?????MrC Link to post Share on other sites More sharing options...
Life1 Posted May 23, 2013 Author ID:682742 Share Posted May 23, 2013 That is the log that popped up when the PC restarted Link to post Share on other sites More sharing options...
MrCharlie Posted May 23, 2013 ID:682743 Share Posted May 23, 2013 Lets check your computers security before you go and we have a little cleanup to do also:Download Security Check by screen317 from HERE or HERE.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt.Please Post the contents of that document.Do Not Attach It!!!MrC Link to post Share on other sites More sharing options...
Life1 Posted May 23, 2013 Author ID:682746 Share Posted May 23, 2013 Results of screen317's Security Check version 0.99.64 Windows 7 Service Pack 1 x64 (UAC is enabled) Internet Explorer 10 ``````````````Antivirus/Firewall Check:`````````````` Windows Firewall Enabled! Symantec Endpoint Protection WMI entry may not exist for antivirus; attempting automatic update.`````````Anti-malware/Other Utilities Check:````````` Malwarebytes Anti-Malware version 1.75.0.1300 Java 7 Update 13 Java version out of Date! Adobe Flash Player 11.7.700.202 Adobe Reader 10.0.1 Adobe Reader out of Date! Mozilla Firefox (21.0)````````Process Check: objlist.exe by Laurent```````` Norton ccSvcHst.exe`````````````````System Health check````````````````` Total Fragmentation on Drive C: 8%````````````````````End of Log`````````````````````` Link to post Share on other sites More sharing options...
MrCharlie Posted May 23, 2013 ID:682747 Share Posted May 23, 2013 Out dated programs on the system are vulnerable to malware.Please update or uninstall them:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`Java 7 Update 13 <----Please update, should be Update 21Java version out of Date! <--------Go to control panel > Java > Update Tab > Update NowUncheck the box to install the Ask toolbar!!! and any other free "stuff".If there's no update tab in Java, uninstall it and Download and install the latest version from HereUncheck the box to install the Ask toolbar!!! and any other free "stuff".---------------------------------------------------------------------Adobe Reader 10.0.1 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~A little clean up to do....Please Uninstall ComboFix: (if you used it)Press the Windows logo key + R to bring up the "run box"Copy and paste next command in the field:ComboFix /uninstallMake sure there's a space between Combofix and /Then hit enter.This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)---------------------------------If you used DeFogger to disable your CD Emulation drivers, please re-enable them.-------------------------------Please download OTC to your desktop.http://oldtimer.geekstogo.com/OTC.exeDouble-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")Click on the CleanUp! button and follow the prompts.(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)You will be asked to reboot the machine to finish the Cleanup process, choose Yes.After the reboot all the tools we used should be gone.Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.Any other programs or logs you can manually delete.IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.-------------------------------Any questions...please post back.If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.Take a look at My Preventive Maintenance to avoid being infected again.Good Luck and Thanks for using the forum, MrC Link to post Share on other sites More sharing options...
Life1 Posted May 23, 2013 Author ID:682752 Share Posted May 23, 2013 Thanks a lot! Link to post Share on other sites More sharing options...
Maurice Naggar Posted May 23, 2013 ID:682909 Share Posted May 23, 2013 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts