
FBI Malware (MoneyPak)



Hi, my name is Anita and I was reading an older forum post (http://forums.malwar...pic=121315&st=0) about this type of malware. My son's computer is infected with it, and all he does is play Minecraft, Skype with his friends and watch Minecraft videos on it. I followed the instructions and downloaded FRST and FRST64 to a flash drive and used FRST64 to scan my son's computer. I have disconnected this computer from the internet just in case, because before giving it to our son it had been my husband's and my computer, with our personal and financial records on there. I hope there's help for this computer. Thank you! PS: I'm not very computer savvy but am teachable... :)

The following is the txt after the scan:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 30-05-2013 01

Ran by SYSTEM on 31-05-2013 18:48:02

Running from G:\

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11580520 2010-11-10] (Realtek Semiconductor)

HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2011-05-24] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [Hotkey Utility] C:\Program Files (x86)\eMachines\Hotkey Utility\HotkeyUtility.exe [627304 2011-08-10] ()

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [sMessaging] C:\Users\Negron\AppData\Local\Strongvault Online Backup\SMessaging.exe [31664 2012-04-04] (Stronghold Online Backup)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254896 2012-09-17] (Sun Microsystems, Inc.)

HKU\Default\...\RunOnce: [scrSav] C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe /default [154144 2010-07-29] ()

HKU\Default User\...\RunOnce: [scrSav] C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe /default [154144 2010-07-29] ()

HKU\Negron\...\Run: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18678376 2013-04-19] (Skype Technologies S.A.)

HKU\Negron\...\Run: [Open Download Manager] C:\Program Files (x86)\OpenDownloaderManager\odm.exe -autorun [6369280 2013-02-20] (OpenDownloadManager.com)

HKU\Negron\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-06-30] (Google Inc.)

HKU\Negron\...\Run: [Macromedia] Rundll32.exe C:\Users\Negron\AppData\Local\Macromedia\pqlchzne.dll,bddgygkfbapzb [830976 2013-05-31] (SEIKO EPSON CORPORATION)

HKU\Negron\...\Run: [vMobilecdrom] rundll32.exe "C:\Users\Negron\AppData\Roaming\vMobilecdrom\vMobilecdrom.dll",fxcrtNotifier acxMapdb [28672 2013-04-05] ()

HKU\Negron\...\Run: [Adobe CSS5.1 Manager] C:\Users\Negron\AppData\Local\13cea454-2539-4671-bf39-1897eaadffc9ad\ceabfeaadffcad.exe [126976 2013-05-31] ()

HKU\Negron\...\RunOnce: [Adobe CSS5.1 Manager] C:\Users\Negron\AppData\Local\13cea454-2539-4671-bf39-1897eaadffc9ad\ceabfeaadffcad.exe [126976 2013-05-31] ()

HKU\Negron\...\Winlogon: [shell] explorer.exe,C:\Users\Negron\AppData\Roaming\skype.dat [117248 2011-11-16] (VSN Software LTD) <==== ATTENTION

AppInit_DLLs: [0 ] ()

Startup: C:\Users\Negron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk

ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) =================

S2 BrowserProtect; C:\ProgramData\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe [2787280 2013-03-22] ()

S2 GREGService; C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe [36456 2011-05-29] (Acer Incorporated)

S2 Live Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [244624 2011-04-22] (Acer Incorporated)

S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.0.313\McCHSvc.exe [234776 2012-10-26] (McAfee, Inc.)

S2 RelevantKnowledge; C:\Program Files (x86)\RelevantKnowledge\rlservice.exe [162072 2013-04-04] (TMRG, Inc.)

==================== Drivers (Whitelisted) ====================

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-31 18:47 - 2013-05-31 18:47 - 00000000 ____D C:\FRST

2013-05-31 14:24 - 2013-05-31 14:31 - 00007201 ____A C:\Windows\IE10_main.log

2013-05-31 14:21 - 2013-05-31 14:23 - 00000004 ____A C:\Users\Negron\AppData\Roaming\skype.ini

2013-05-31 14:19 - 2013-05-31 14:19 - 00000332 ___AH C:\Windows\Tasks\{A61CE5CB-7FE4-4D20-A37F-DC8EDBB897C7}.job

2013-05-31 14:19 - 2013-05-31 14:19 - 00000000 ____D C:\Users\Negron\AppData\Local\13cea454-2539-4671-bf39-1897eaadffc9ad

2013-05-31 14:18 - 2013-05-31 14:18 - 00117248 ____A (VSN Software LTD) C:\Users\Negron\vlcplayer.exe

2013-05-31 14:18 - 2013-05-31 14:18 - 00000000 ____A C:\Users\Negron\jqs.exe

2013-05-31 14:18 - 2013-05-31 14:18 - 00000000 ____A C:\Users\Negron\icq.exe

2013-05-31 14:18 - 2013-05-31 14:18 - 00000000 ____A C:\Users\Negron\firefox.exe

2013-05-30 11:43 - 2013-05-30 11:43 - 00014219 ____A C:\Users\Negron\Desktop\hs_err_pid8704.log

2013-05-28 03:52 - 2013-05-28 03:52 - 00014210 ____A C:\Users\Negron\Desktop\hs_err_pid14304.log

2013-05-26 09:12 - 2013-05-31 17:42 - 00000000 ____D C:\Users\Negron\AppData\Roaming\wabEventSupport16

2013-05-21 12:25 - 2013-05-21 12:25 - 00055808 ____A C:\Users\Negron\AppData\Local\otgkuw.rns

2013-05-21 12:25 - 2013-05-21 12:25 - 00055808 ____A C:\ProgramData\nzgnbtdf.lig

2013-05-15 14:26 - 2013-05-05 13:36 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-15 14:26 - 2013-05-05 13:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-15 14:26 - 2013-05-05 11:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-15 14:26 - 2013-05-05 11:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-15 14:24 - 2013-04-04 17:19 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-05-15 14:24 - 2013-04-04 17:08 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-05-15 14:24 - 2013-04-04 17:01 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-05-15 14:24 - 2013-04-04 17:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-05-15 14:24 - 2013-04-04 16:59 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2013-05-15 14:24 - 2013-04-04 16:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-05-15 14:24 - 2013-04-04 16:57 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-05-15 14:24 - 2013-04-04 16:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2013-05-15 14:24 - 2013-04-04 16:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-05-15 14:24 - 2013-04-04 16:55 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2013-05-15 14:24 - 2013-04-04 16:54 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-05-15 14:24 - 2013-04-04 16:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-05-15 14:24 - 2013-04-04 16:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-05-15 14:24 - 2013-04-04 16:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-05-15 14:24 - 2013-04-04 14:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-05-15 14:24 - 2013-04-04 14:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-05-15 14:24 - 2013-04-04 14:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2013-05-15 14:24 - 2013-04-04 14:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-05-15 14:24 - 2013-04-04 14:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-05-15 14:24 - 2013-04-04 14:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2013-05-15 14:24 - 2013-04-04 13:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-05-15 14:24 - 2013-04-04 13:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-05-15 14:24 - 2013-04-04 13:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2013-05-15 14:24 - 2013-04-04 13:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2013-05-15 14:24 - 2013-04-04 13:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-05-15 14:24 - 2013-04-04 13:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-05-15 14:24 - 2013-04-04 13:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2013-05-15 14:24 - 2013-04-04 13:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-05-15 13:38 - 2013-04-09 22:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys

2013-05-15 13:38 - 2013-04-09 22:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys

2013-05-15 13:38 - 2013-02-26 22:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe

2013-05-15 13:38 - 2013-02-26 21:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2013-05-15 13:38 - 2013-02-26 21:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll

2013-05-15 13:38 - 2013-02-26 21:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll

2013-05-15 13:38 - 2013-02-26 21:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll

2013-05-15 13:38 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2013-05-15 13:38 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll

2013-05-15 13:38 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll

2013-05-15 13:38 - 2011-02-03 03:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll

2013-05-15 13:37 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-05-15 13:37 - 2013-03-31 22:03 - 00078680 ____A (Microsoft Corporation) C:\Windows\System32\mcupdate_AuthenticAMD.dll

2013-05-15 13:37 - 2013-03-18 21:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll

2013-05-15 13:37 - 2013-03-18 21:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll

2013-05-11 08:40 - 2013-05-11 08:40 - 00013609 ____A C:\Users\Negron\Desktop\hs_err_pid6220.log

2013-05-08 12:48 - 2013-05-08 14:14 - 02436926 ____A C:\Users\Negron\Documents\tekkitlaucher.jar

2013-05-07 03:22 - 2013-05-07 03:22 - 00641808 ____A C:\Windows\Minidump\050713-21668-01.dmp

==================== One Month Modified Files and Folders =======

2013-05-31 18:47 - 2013-05-31 18:47 - 00000000 ____D C:\FRST

2013-05-31 17:44 - 2013-04-05 04:44 - 00000000 ____D C:\Users\Negron\AppData\Roaming\vMobilecdrom

2013-05-31 17:44 - 2013-02-21 17:40 - 00000000 ____D C:\Users\Negron\AppData\Roaming\Delta

2013-05-31 17:44 - 2013-02-17 18:10 - 00000000 ____D C:\Users\Negron\Desktop\OpenOffice.org 3.4.1 (en-US) Installation Files

2013-05-31 17:44 - 2013-02-05 15:47 - 00000000 ____D C:\Users\Negron\AppData\Local\Strongvault Online Backup

2013-05-31 17:44 - 2013-02-05 15:29 - 00000000 ____D C:\Users\Negron\AppData\Roaming\CamStudio Packages

2013-05-31 17:44 - 2012-03-11 10:15 - 00000000 ____D C:\ProgramData\webex

2013-05-31 17:44 - 2011-02-11 19:12 - 00000000 ___AD C:\Windows\DeployWinRE2

2013-05-31 17:44 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\Offline Web Pages

2013-05-31 17:44 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions

2013-05-31 17:44 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared

2013-05-31 17:42 - 2013-05-26 09:12 - 00000000 ____D C:\Users\Negron\AppData\Roaming\wabEventSupport16

2013-05-31 17:42 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration

2013-05-31 14:31 - 2013-05-31 14:24 - 00007201 ____A C:\Windows\IE10_main.log

2013-05-31 14:31 - 2012-05-28 10:33 - 00196608 ____A C:\Windows\System32\Ikeext.etl

2013-05-31 14:31 - 2012-01-27 15:49 - 01881706 ____A C:\Windows\WindowsUpdate.log

2013-05-31 14:25 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI

2013-05-31 14:23 - 2013-05-31 14:21 - 00000004 ____A C:\Users\Negron\AppData\Roaming\skype.ini

2013-05-31 14:23 - 2013-02-21 17:45 - 00000000 ____D C:\Program Files (x86)\RelevantKnowledge

2013-05-31 14:23 - 2013-02-21 17:44 - 00000000 ____D C:\Users\Negron\AppData\Roaming\Open Download Manager

2013-05-31 14:23 - 2012-07-15 10:14 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-05-31 14:23 - 2009-07-13 20:51 - 00074377 ____A C:\Windows\setupact.log

2013-05-31 14:19 - 2013-05-31 14:19 - 00000332 ___AH C:\Windows\Tasks\{A61CE5CB-7FE4-4D20-A37F-DC8EDBB897C7}.job

2013-05-31 14:19 - 2013-05-31 14:19 - 00000000 ____D C:\Users\Negron\AppData\Local\13cea454-2539-4671-bf39-1897eaadffc9ad

2013-05-31 14:19 - 2012-03-17 09:58 - 00000000 ____D C:\Users\Negron\AppData\Roaming\.minecraft

2013-05-31 14:19 - 2012-03-11 09:40 - 00000000 ____D C:\users\Negron

2013-05-31 14:18 - 2013-05-31 14:18 - 00117248 ____A (VSN Software LTD) C:\Users\Negron\vlcplayer.exe

2013-05-31 14:18 - 2013-05-31 14:18 - 00000000 ____A C:\Users\Negron\jqs.exe

2013-05-31 14:18 - 2013-05-31 14:18 - 00000000 ____A C:\Users\Negron\icq.exe

2013-05-31 14:18 - 2013-05-31 14:18 - 00000000 ____A C:\Users\Negron\firefox.exe

2013-05-31 14:10 - 2013-03-27 03:18 - 00000000 ____D C:\Users\Negron\AppData\Local\Macromedia

2013-05-31 14:05 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\tracing

2013-05-31 14:00 - 2012-08-25 10:49 - 00000000 ____D C:\Users\Negron\AppData\Roaming\Skype

2013-05-31 13:54 - 2009-07-13 20:45 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-05-31 13:54 - 2009-07-13 20:45 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-05-31 13:45 - 2012-06-30 15:58 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-05-31 13:45 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-30 11:43 - 2013-05-30 11:43 - 00014219 ____A C:\Users\Negron\Desktop\hs_err_pid8704.log

2013-05-29 10:57 - 2012-03-11 13:42 - 00000000 ____D C:\Users\Negron\AppData\Local\CrashDumps

2013-05-28 03:52 - 2013-05-28 03:52 - 00014210 ____A C:\Users\Negron\Desktop\hs_err_pid14304.log

2013-05-24 22:40 - 2012-06-30 15:58 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-05-21 12:25 - 2013-05-21 12:25 - 00055808 ____A C:\Users\Negron\AppData\Local\otgkuw.rns

2013-05-21 12:25 - 2013-05-21 12:25 - 00055808 ____A C:\ProgramData\nzgnbtdf.lig

2013-05-18 09:44 - 2013-02-02 06:33 - 00000000 ___RD C:\Program Files (x86)\Skype

2013-05-18 09:44 - 2011-08-10 03:46 - 00000000 ____D C:\ProgramData\Skype

2013-05-15 15:15 - 2009-07-13 20:45 - 00294024 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-15 15:12 - 2013-02-21 17:41 - 00000000 ____D C:\ProgramData\BrowserProtect

2013-05-15 15:12 - 2010-11-20 19:47 - 00602178 ____A C:\Windows\PFRO.log

2013-05-15 14:39 - 2013-02-14 00:12 - 00000118 ____A C:\Windows\System32\MRT.INI

2013-05-15 14:36 - 2012-04-22 08:34 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-05-14 12:28 - 2012-07-15 10:14 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-05-14 12:28 - 2011-08-10 04:01 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-05-11 08:40 - 2013-05-11 08:40 - 00013609 ____A C:\Users\Negron\Desktop\hs_err_pid6220.log

2013-05-08 14:14 - 2013-05-08 12:48 - 02436926 ____A C:\Users\Negron\Documents\tekkitlaucher.jar

2013-05-08 14:14 - 2013-04-26 03:36 - 00000000 ____D C:\Users\Negron\AppData\Roaming\.technic

2013-05-07 03:22 - 2013-05-07 03:22 - 00641808 ____A C:\Windows\Minidump\050713-21668-01.dmp

2013-05-07 03:22 - 2012-05-24 12:29 - 416127751 ____A C:\Windows\MEMORY.DMP

2013-05-07 03:22 - 2012-05-24 12:29 - 00000000 ____D C:\Windows\Minidump

2013-05-05 13:36 - 2013-05-15 14:26 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-05 13:16 - 2013-05-15 14:26 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-05 11:25 - 2013-05-15 14:26 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-05 11:12 - 2013-05-15 14:26 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-01 22:06 - 2010-11-20 19:27 - 00278800 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

Other Malware:

===========

C:\Users\Negron\firefox.exe

C:\Users\Negron\icq.exe

C:\Users\Negron\jqs.exe

C:\Users\Negron\vlcplayer.exe

C:\Users\Negron\AppData\Roaming\skype.dat

C:\Users\Negron\AppData\Roaming\skype.ini

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-04-19 12:23:15

Restore point made on: 2013-04-23 03:38:37

Restore point made on: 2013-04-24 18:00:29

Restore point made on: 2013-04-30 00:39:59

Restore point made on: 2013-05-03 15:35:58

Restore point made on: 2013-05-07 01:34:35

Restore point made on: 2013-05-10 10:41:25

Restore point made on: 2013-05-13 23:11:06

Restore point made on: 2013-05-15 14:24:04

Restore point made on: 2013-05-20 23:23:46

Restore point made on: 2013-05-24 11:15:25

Restore point made on: 2013-05-24 23:00:33

Restore point made on: 2013-05-28 03:49:00

Restore point made on: 2013-05-31 13:54:14

Restore point made on: 2013-05-31 14:23:57

==================== Memory info ===========================

Percentage of memory in use: 18%

Total physical RAM: 3576.26 MB

Available physical RAM: 2914.61 MB

Total Pagefile: 3574.46 MB

Available Pagefile: 2906.36 MB

Total Virtual: 8192 MB

Available Virtual: 8191.87 MB

==================== Drives ================================

Drive c: (eMachines) (Fixed) (Total:446.13 GB) (Free:363.45 GB) NTFS (Disk=0 Partition=3)

Drive e: (PQSERVICE) (Fixed) (Total:19.53 GB) (Free:7.89 GB) NTFS (Disk=0 Partition=1)

Drive g: () (Removable) (Total:7.45 GB) (Free:7.4 GB) FAT32 (Disk=1 Partition=1)

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: B25EC62F)

Partition 1: (Not Active) - (Size=20 GB) - (Type=27)

Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=446 GB) - (Type=07 NTFS)

========================================================

Disk: 1 (Size: 7 GB) (Disk ID: 00000000)

Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)

Last Boot: 2013-02-13 05:05

==================== End Of Log ============================


OK, here you go......this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now and if so..........

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

MrC


I have done what you asked and pressed the 'Fix' button and have copied the fixlog.txt below.

I have restarted the computer normally and there is no FBI coverup page.

But there is a box requesting access. It says,

"Windows Firewall has blocked some features of Relevant-Knowledge on all public and private networks.

TMRG, Inc.

C:\programfiles (x86) relevantknowledge\rlvknlg.exe

Do I allow it or cancel?

------------------------------------

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-05-2013 01

Ran by SYSTEM at 2013-06-05 15:42:54 Run:1

Running from G:\

Boot Mode: Recovery

==============================================

HKEY_USERS\Negron\Software\Microsoft\Windows\CurrentVersion\Run\\Macromedia => Value deleted successfully.

HKEY_USERS\Negron\Software\Microsoft\Windows\CurrentVersion\Run\\vMobilecdrom => Value deleted successfully.

HKEY_USERS\Negron\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe CSS5.1 Manager => Value deleted successfully.

HKEY_USERS\Negron\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Adobe CSS5.1 Manager => Value deleted successfully.

HKEY_USERS\Negron\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.

C:\Users\Negron\AppData\Local\Macromedia\pqlchzne.dll => Moved successfully.

C:\Users\Negron\AppData\Roaming\vMobilecdrom\vMobilecdrom.dll => Moved successfully.

C:\Users\Negron\AppData\Local\13cea454-2539-4671-bf39-1897eaadffc9ad\ceabfeaadffcad.exe => Moved successfully.

C:\Users\Negron\AppData\Local\13cea454-2539-4671-bf39-1897eaadffc9ad => Moved successfully.

C:\Users\Negron\firefox.exe => Moved successfully.

C:\Users\Negron\icq.exe => Moved successfully.

C:\Users\Negron\jqs.exe => Moved successfully.

C:\Users\Negron\vlcplayer.exe => Moved successfully.

C:\Users\Negron\AppData\Roaming\skype.dat => Moved successfully.

C:\Users\Negron\AppData\Roaming\skype.ini => Moved successfully.

==== End of Fixlog ====

----------------------------------

I am currently downloading the Anti-Rootkit to my flash drive.


OK, let's start from the beginning:

Welcome to the forum, please start HERE

Post back the 2 logs here.....DDS.txt and Attach.txt

(please don't put logs in code or quotes)

P2P Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

<====><====><====><====><====><====><====><====>

Next................

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller <--- use this one for 64-bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

MrC

Note:

Please read all of my instructions completely including these.

Make sure you're subscribed to this topic: click on the Follow This Topic button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly.

Removing malware can be unpredictable...things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive.

<+> Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+> The removal of malware isn't instantaneous, please be patient.

<+> Please stick with me until I give you the "all clear" and please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


Okay, from the beginning.

DDS has been run.

Here is the first txt and the other is attached:

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 10.0.9200.16576

Run by Negron at 5:26:04 on 2013-06-06

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3576.2997 [GMT -4:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe

C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\WUDFHost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhost.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files (x86)\OpenDownloaderManager\ODM.exe

C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe

C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin

C:\Program Files (x86)\eMachines\Hotkey Utility\HotkeyUtility.exe

C:\Users\Negron\AppData\Local\Strongvault Online Backup\SMessaging.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\Nero\Update\NASvc.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\taskeng.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Bar = Preserve

uDefault_Page_URL = hxxp://emachines.msn.com

mWinlogon: Userinit = userinit.exe,

BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.313\McAfeeMSS_IE.dll

BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

uRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun

uRun: [Open Download Manager] C:\Program Files (x86)\OpenDownloaderManager\odm.exe -autorun

uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [Hotkey Utility] C:\Program Files (x86)\eMachines\Hotkey Utility\HotkeyUtility.exe

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [sMessaging] C:\Users\Negron\AppData\Local\Strongvault Online Backup\SMessaging.exe

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

StartupFolder: C:\Users\Negron\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: Download all with Open Download Manager - C:\Program Files (x86)\OpenDownloaderManager\dlall.htm

IE: Download selected with Open Download Manager - C:\Program Files (x86)\OpenDownloaderManager\dlselected.htm

IE: Download video with Open Download Manager - C:\Program Files (x86)\OpenDownloaderManager\dlfvideo.htm

IE: Download with Open Download Manager - C:\Program Files (x86)\OpenDownloaderManager\dllink.htm

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

TCP: NameServer = 192.168.1.1

TCP: Interfaces\{028226FF-27A9-40E4-9EC5-79E850F98B18} : DHCPNameServer = 192.168.1.1

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SSODL: WebCheck - <orphaned>

mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.94\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-SSODL: WebCheck - <orphaned>

.

============= SERVICES / DRIVERS ===============

.

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-12-12 204288]

R2 GREGService;GREGService;C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe [2011-5-29 36456]

R2 Live Updater Service;Live Updater Service;C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [2011-8-10 244624]

R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2010-5-4 503080]

R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2011-12-12 231440]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-8-10 533096]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-28 161384]

S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]

S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\3.0.313\McCHSvc.exe [2012-10-26 234776]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-2-15 52736]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-3-13 1255736]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2013-06-05 23:43:05 76232 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{FDC2D76F-97DD-4143-866E-6B794F068444}\offreg.dll

2013-06-05 23:34:25 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2013-06-05 23:06:11 -------- d-----w- C:\Users\Negron\AppData\Roaming\Malwarebytes

2013-06-05 23:04:22 -------- d-----w- C:\ProgramData\Malwarebytes

2013-06-05 23:04:21 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2013-06-05 23:04:21 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-06-05 22:57:38 -------- d-----w- C:\Users\Negron\AppData\Local\Programs

2013-06-05 22:23:42 9460464 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{FDC2D76F-97DD-4143-866E-6B794F068444}\mpengine.dll

2013-06-01 02:47:59 -------- d-----w- C:\FRST

2013-05-26 17:12:15 -------- d-----w- C:\Users\Negron\AppData\Roaming\wabEventSupport16

2013-05-15 21:38:35 983400 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys

2013-05-15 21:38:35 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys

2013-05-15 21:38:35 144384 ----a-w- C:\Windows\System32\cdd.dll

2013-05-15 21:38:14 1930752 ----a-w- C:\Windows\System32\authui.dll

2013-05-15 21:38:12 70144 ----a-w- C:\Windows\System32\appinfo.dll

2013-05-15 21:38:12 1796096 ----a-w- C:\Windows\SysWow64\authui.dll

2013-05-15 21:38:12 111448 ----a-w- C:\Windows\System32\consent.exe

2013-05-15 21:37:59 78680 ----a-w- C:\Windows\System32\mcupdate_AuthenticAMD.dll

2013-05-15 21:37:59 48640 ----a-w- C:\Windows\System32\wwanprotdim.dll

2013-05-15 21:37:59 230400 ----a-w- C:\Windows\System32\wwansvc.dll

2013-05-15 21:37:56 3153920 ----a-w- C:\Windows\System32\win32k.sys

.

==================== Find3M ====================

.

2013-05-14 20:28:09 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-05-14 20:28:09 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2013-05-02 06:06:08 278800 ------w- C:\Windows\System32\MpSigStub.exe

2013-04-13 05:49:23 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2013-04-13 05:49:19 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2013-04-13 05:49:19 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll

2013-04-13 05:49:19 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll

2013-04-13 04:45:16 474624 ----a-w- C:\Windows\apppatch\AcSpecfc.dll

2013-04-13 04:45:15 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll

2013-04-12 14:45:08 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys

2013-03-19 06:04:06 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe

2013-03-19 05:46:56 43520 ----a-w- C:\Windows\System32\csrsrv.dll

2013-03-19 05:04:13 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2013-03-19 05:04:10 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2013-03-19 04:47:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll

2013-03-19 03:06:33 112640 ----a-w- C:\Windows\System32\smss.exe

.

============= FINISH: 5:26:40.38 ===============


Used RogueKiller 64 to scan the PC. Here are the logs:

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo...13-roguekiller/

Website : http://tigzy.geeksto...roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Negron [Admin rights]

Mode : Scan -- Date : 06/06/2013 17:49:06

| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤

[SUSP PATH] SMessaging.exe -- C:\Users\Negron\AppData\Local\Strongvault Online Backup\SMessaging.exe [7] -> KILLED [TermProc]

[SUSP PATH] setup.exe -- C:\Windows\Temp\CR_19CEC.tmp\setup.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 8 ¤¤¤

[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : SMessaging (C:\Users\Negron\AppData\Local\Strongvault Online Backup\SMessaging.exe) [7] -> FOUND

[TASK][SUSP PATH] {A61CE5CB-7FE4-4D20-A37F-DC8EDBB897C7}.job : C:\Users\Negron\AppData\Local\13cea454-2539-4671-bf39-1897eaadffc9ad\ceabfeaadffcad.exe [x] -> FOUND

[TASK][SUSP PATH] DealPly : C:\Users\Negron\AppData\Roaming\DealPly\UPDATE~1\UPDATE~1.EXE /Check [x] -> FOUND

[TASK][SUSP PATH] EPUpdater : C:\Users\Negron\AppData\Roaming\BabMaint.exe [-] -> FOUND

[TASK][SUSP PATH] Searchya : C:\Users\Negron\AppData\Roaming\Searchya\UPDATE~1\UPDATE~1.EXE /Check [x] -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\Command Processor : AutoRun (regsvr32 /n /i /s "C:\Users\Negron\AppData\Local\otgkuw.rns") -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST500DM002-1BD142 ATA Device +++++

--- User ---

[MBR] 9d6fc4fe93881bfe7b71e5dae1a36436

[BSP] d4bf1dd464fb581e576fc930f20553f4 : Windows 7/8 MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 20000 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 40962048 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 41166848 | Size: 456838 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_06062013_02d1749.txt >>


SECOND TXT - says Quarantine Report:

Time : 06/06/2013 17:49:06

--------------------------

[SMessaging.exe.vir] -> C:\Users\Negron\AppData\Local\Strongvault Online Backup\SMessaging.exe

ERROR [setup.exe.vir] -> C:\Windows\Temp\CR_19CEC.tmp\setup.exe

[SMessaging.exe.vir] -> C:\Users\Negron\AppData\Local\Strongvault Online Backup\SMessaging.exe

ERROR [ceabfeaadffcad.exe.vir] -> C:\Users\Negron\AppData\Local\13cea454-2539-4671-bf39-1897eaadffc9ad\ceabfeaadffcad.exe

ERROR [UPDATE~1.EXE.vir] -> C:\Users\Negron\AppData\Roaming\DealPly\UPDATE~1\UPDATE~1.EXE

[BabMaint.exe.vir] -> C:\Users\Negron\AppData\Roaming\BabMaint.exe

ERROR [UPDATE~1.EXE.vir] -> C:\Users\Negron\AppData\Roaming\Searchya\UPDATE~1\UPDATE~1.EXE


Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[TASK][SUSP PATH] {A61CE5CB-7FE4-4D20-A37F-DC8EDBB897C7}.job : C:\Users\Negron\AppData\Local\13cea454-2539-4671-bf39-1897eaadffc9ad\ceabfeaadffcad.exe [x] -> FOUND

[TASK][SUSP PATH] DealPly : C:\Users\Negron\AppData\Roaming\DealPly\UPDATE~1\UPDATE~1.EXE /Check [x] -> FOUND

[TASK][SUSP PATH] EPUpdater : C:\Users\Negron\AppData\Roaming\BabMaint.exe [-] -> FOUND

[TASK][SUSP PATH] Searchya : C:\Users\Negron\AppData\Roaming\Searchya\UPDATE~1\UPDATE~1.EXE /Check [x] -> FOUND

[HJ] HKCU\[...]\Command Processor : AutoRun (regsvr32 /n /i /s "C:\Users\Negron\AppData\Local\otgkuw.rns") -> FOUND

Now click Delete on the right hand column under Options

-------------

Then.........

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Here's a video that explains how to run it if needed:

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
    If in doubt about an entry....please ask or choose Skip
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.


New window that comes up.


MrC


Okay, part I done....RogueKiller run again. Deleted the 5. Am going to download and run TDSSKiller.

Here are the two logs saved on my desktop:

RKreport[1]_S_06062013_02d1813

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo...13-roguekiller/

Website : http://tigzy.geeksto...roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Negron [Admin rights]

Mode : Scan -- Date : 06/06/2013 18:13:53

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤

[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : SMessaging (C:\Users\Negron\AppData\Local\Strongvault Online Backup\SMessaging.exe) [7] -> FOUND

[TASK][SUSP PATH] {A61CE5CB-7FE4-4D20-A37F-DC8EDBB897C7}.job : C:\Users\Negron\AppData\Local\13cea454-2539-4671-bf39-1897eaadffc9ad\ceabfeaadffcad.exe [x] -> FOUND

[TASK][SUSP PATH] DealPly : C:\Users\Negron\AppData\Roaming\DealPly\UPDATE~1\UPDATE~1.EXE /Check [x] -> FOUND

[TASK][SUSP PATH] EPUpdater : C:\Users\Negron\AppData\Roaming\BabMaint.exe [-] -> FOUND

[TASK][SUSP PATH] Searchya : C:\Users\Negron\AppData\Roaming\Searchya\UPDATE~1\UPDATE~1.EXE /Check [x] -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\Command Processor : AutoRun (regsvr32 /n /i /s "C:\Users\Negron\AppData\Local\otgkuw.rns") -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST500DM002-1BD142 ATA Device +++++

--- User ---

[MBR] 9d6fc4fe93881bfe7b71e5dae1a36436

[BSP] d4bf1dd464fb581e576fc930f20553f4 : Windows 7/8 MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 20000 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 40962048 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 41166848 | Size: 456838 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_06062013_02d1813.txt >>


RKreport[2]_D_06062013_02d1817

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo...13-roguekiller/

Website : http://tigzy.geeksto...roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Negron [Admin rights]

Mode : Remove -- Date : 06/06/2013 18:17:15

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤

[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : SMessaging (C:\Users\Negron\AppData\Local\Strongvault Online Backup\SMessaging.exe) [7] -> NOT SELECTED

[TASK][SUSP PATH] {A61CE5CB-7FE4-4D20-A37F-DC8EDBB897C7}.job : C:\Users\Negron\AppData\Local\13cea454-2539-4671-bf39-1897eaadffc9ad\ceabfeaadffcad.exe [x] -> DELETED

[TASK][SUSP PATH] DealPly : C:\Users\Negron\AppData\Roaming\DealPly\UPDATE~1\UPDATE~1.EXE /Check [x] -> DELETED

[TASK][SUSP PATH] EPUpdater : C:\Users\Negron\AppData\Roaming\BabMaint.exe [-] -> DELETED

[TASK][SUSP PATH] Searchya : C:\Users\Negron\AppData\Roaming\Searchya\UPDATE~1\UPDATE~1.EXE /Check [x] -> DELETED

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> NOT SELECTED

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> NOT SELECTED

[HJ] HKCU\[...]\Command Processor : AutoRun (regsvr32 /n /i /s "C:\Users\Negron\AppData\Local\otgkuw.rns") -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST500DM002-1BD142 ATA Device +++++

--- User ---

[MBR] 9d6fc4fe93881bfe7b71e5dae1a36436

[BSP] d4bf1dd464fb581e576fc930f20553f4 : Windows 7/8 MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 20000 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 40962048 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 41166848 | Size: 456838 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2]_D_06062013_02d1817.txt >>


TDSSKiller has been run. 1 file has been skipped. I did not have the CURE option. There is a Report which seems to be embedded in the application itself but I am unable to copy it or save it into a txt document. How can I attach it or post it here?


OK, that looks good...next:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


ComboFix has been run.

Here is the txt log:

ComboFix 13-06-06.04 - Negron 06/06/2013 20:05:35.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3576.2696 [GMT -4:00]

Running from: c:\users\Negron\Desktop\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Negron\AppData\Roaming\BabMaint.exe

c:\windows\SysWow64\frapsvid.dll

.

.

((((((((((((((((((((((((( Files Created from 2013-05-07 to 2013-06-07 )))))))))))))))))))))))))))))))

.

.

2013-06-07 00:17 . 2013-06-07 00:17 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-06-05 23:34 . 2013-06-06 09:06 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)

2013-06-05 23:06 . 2013-06-05 23:06 -------- d-----w- c:\users\Negron\AppData\Roaming\Malwarebytes

2013-06-05 23:04 . 2013-06-05 23:04 -------- d-----w- c:\programdata\Malwarebytes

2013-06-05 23:04 . 2013-06-05 23:04 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2013-06-05 23:04 . 2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-06-05 22:57 . 2013-06-05 22:57 -------- d-----w- c:\users\Negron\AppData\Local\Programs

2013-06-05 22:23 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FDC2D76F-97DD-4143-866E-6B794F068444}\mpengine.dll

2013-06-01 02:47 . 2013-06-01 02:47 -------- d-----w- C:\FRST

2013-05-26 17:12 . 2013-06-01 01:42 -------- d-----w- c:\users\Negron\AppData\Roaming\wabEventSupport16

2013-05-15 21:38 . 2013-04-10 06:01 265064 ----a-w- c:\windows\system32\drivers\dxgmms1.sys

2013-05-15 21:38 . 2013-04-10 06:01 983400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2013-05-15 21:38 . 2011-02-03 11:25 144384 ----a-w- c:\windows\system32\cdd.dll

2013-05-15 21:38 . 2013-02-27 05:52 14172672 ----a-w- c:\windows\system32\shell32.dll

2013-05-15 21:38 . 2013-02-27 05:48 1930752 ----a-w- c:\windows\system32\authui.dll

2013-05-15 21:38 . 2013-02-27 05:52 197120 ----a-w- c:\windows\system32\shdocvw.dll

2013-05-15 21:38 . 2013-02-27 06:02 111448 ----a-w- c:\windows\system32\consent.exe

2013-05-15 21:38 . 2013-02-27 05:47 70144 ----a-w- c:\windows\system32\appinfo.dll

2013-05-15 21:38 . 2013-02-27 04:49 1796096 ----a-w- c:\windows\SysWow64\authui.dll

2013-05-15 21:37 . 2013-04-01 06:03 78680 ----a-w- c:\windows\system32\mcupdate_AuthenticAMD.dll

2013-05-15 21:37 . 2013-03-19 05:53 48640 ----a-w- c:\windows\system32\wwanprotdim.dll

2013-05-15 21:37 . 2013-03-19 05:53 230400 ----a-w- c:\windows\system32\wwansvc.dll

2013-05-15 21:37 . 2013-04-10 03:30 3153920 ----a-w- c:\windows\system32\win32k.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-05-15 22:36 . 2012-04-22 16:34 75016696 ----a-w- c:\windows\system32\MRT.exe

2013-05-14 20:28 . 2012-07-15 18:14 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-05-14 20:28 . 2011-08-10 12:01 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-05-11 13:54 . 2010-06-24 18:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2013-05-02 06:06 . 2010-11-21 03:27 278800 ------w- c:\windows\system32\MpSigStub.exe

2013-04-13 05:49 . 2013-05-15 21:38 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2013-04-13 05:49 . 2013-05-15 21:38 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2013-04-13 05:49 . 2013-05-15 21:38 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll

2013-04-13 05:49 . 2013-05-15 21:38 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll

2013-04-13 04:45 . 2013-05-15 21:38 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll

2013-04-13 04:45 . 2013-05-15 21:38 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll

2013-04-12 14:45 . 2013-04-24 09:42 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys

2013-03-19 06:04 . 2013-04-10 20:47 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-19 05:46 . 2013-04-10 20:47 43520 ----a-w- c:\windows\system32\csrsrv.dll

2013-03-19 05:04 . 2013-04-10 20:47 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2013-03-19 05:04 . 2013-04-10 20:47 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2013-03-19 04:47 . 2013-04-10 20:47 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll

2013-03-19 03:06 . 2013-04-10 20:47 112640 ----a-w- c:\windows\system32\smss.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-04-19 18678376]

"Open Download Manager"="c:\program files (x86)\OpenDownloaderManager\odm.exe" [2013-02-20 6369280]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-06-30 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-05-25 336384]

"Hotkey Utility"="c:\program files (x86)\eMachines\Hotkey Utility\HotkeyUtility.exe" [2011-08-11 627304]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]

"SMessaging"="c:\users\Negron\AppData\Local\Strongvault Online Backup\SMessaging.exe" [2012-04-04 31664]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]

.

c:\users\Negron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OpenOffice.org 3.4.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]

R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [x]

R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe;c:\program files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]

S2 GREGService;GREGService;c:\program files (x86)\eMachines\Registration\GREGsvc.exe;c:\program files (x86)\eMachines\Registration\GREGsvc.exe [x]

S2 Live Updater Service;Live Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [x]

S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - 26216467

*NewlyCreated* - 41038890

*Deregistered* - 26216467

*Deregistered* - 41038890

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-05-23 21:43 1165776 ----a-w- c:\program files (x86)\Google\Chrome\Application\27.0.1453.94\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-06-07 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-15 20:28]

.

2013-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-06-30 23:58]

.

2013-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-06-30 23:58]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-11 11580520]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: Download all with Open Download Manager - file://c:\program files (x86)\OpenDownloaderManager\dlall.htm

IE: Download selected with Open Download Manager - file://c:\program files (x86)\OpenDownloaderManager\dlselected.htm

IE: Download video with Open Download Manager - file://c:\program files (x86)\OpenDownloaderManager\dlfvideo.htm

IE: Download with Open Download Manager - file://c:\program files (x86)\OpenDownloaderManager\dllink.htm

TCP: DhcpNameServer = 192.168.1.1

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Toolbar-10 - (no file)

SafeBoot-26216467.sys

HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start

Toolbar-Locked - (no file)

Toolbar-10 - (no file)

AddRemove-JNLP - c:\windows\system32\javaws.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2062484516-3041785461-466553787-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F978003-5F0A-4059-919D-58BEF95EEF48}*ALID*]

"AppName"="Roblox.exe"

"Policy"=dword:00000003

"AppPath"="c:\\Users\\Negron\\AppData\\Local\\Roblox\\Versions\\version-3f2bb30af20140a4\\"

.

[HKEY_USERS\S-1-5-21-2062484516-3041785461-466553787-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E58EF0A1-58F6-483D-A07A-CF31CB4854C8}*ALID*]

"AppName"="Roblox.exe"

"Policy"=dword:00000003

"AppPath"="c:\\Users\\Negron\\AppData\\Local\\Roblox\\Versions\\version-3f2bb30af20140a4\\"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-06-06 20:35:32

ComboFix-quarantined-files.txt 2013-06-07 00:35

.

Pre-Run: 389,999,480,832 bytes free

Post-Run: 424,815,276,032 bytes free

.

- - End Of File - - 87CE52A36A361FFB1CC0F16B6FEC90C5


MBAM updated and quick scan performed. Six items checked and removed. Now all these items are in quarantine with some other items previously detected. Can I delete the things in quarantine?

Here is the log:

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

Database version: v2013.06.07.04

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 10.0.9200.16576

Negron :: NEGRON-PC [administrator]

6/7/2013 5:13:57 AM

mbam-log-2013-06-07 (05-13-57).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 221682

Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 6

HKCR\CLSID\{f34c9277-6577-4dff-b2d7-7d58092f272f} (PUP.Datamngr) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{F34C9277-6577-4DFF-B2D7-7D58092F272F} (PUP.Datamngr) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F34C9277-6577-4DFF-B2D7-7D58092F272F} (PUP.Datamngr) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F34C9277-6577-4DFF-B2D7-7D58092F272F} (PUP.Datamngr) -> Quarantined and deleted successfully.

HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj (PUP.FunMoods) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj (PUP.FunMoods) -> Quarantined and deleted successfully.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Users\Negron\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_cjpglkicenollcignonpgiafdgfeehoj_0.localstorage (PUP.FunMoods) -> Quarantined and deleted successfully.

C:\Users\Negron\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_cjpglkicenollcignonpgiafdgfeehoj_0.localstorage (PUP.FunMoods) -> Quarantined and deleted successfully.

(end)

[attached image: post-140767-0-07311600-1370597557.jpg]

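The MBAM log above reports each hit on one line in the shape `<location> (<threat name>) -> <action>.`, under a header that declares how many items the section found. The example below, added here and not code from the forum post or from Malwarebytes, parses those lines, cross-checks the declared counts against what was actually parsed (a truncated paste or an unrecognised line shows up as a mismatch), groups hits by threat name, and picks out two things a responder would look at twice: a detection under IE's `Low Rights\ElevationPolicy` (an entry there lets the named binary start outside Protected Mode's low-integrity sandbox; the ComboFix "LOCKED REGISTRY KEYS" section above shows the legitimate form of the same mechanism for Roblox.exe) and the Chrome extension ID that ties the `HKLM\...\Chrome\Extensions` key to the extension's on-disk localstorage file. The line format is inferred from the pasted log; `SAMPLE_LOG` is constructed to match it, and the `Program Files (x86)` entry in it is invented so the parser is exercised on a path that itself contains parentheses.

```python
"""Parse the detection lines of a Malwarebytes Anti-Malware 1.x scan log.

Added example: not code from the forum post or from Malwarebytes. The
line format  <location> (<threat name>) -> <action>.  is inferred from the
log pasted above; SAMPLE_LOG below is constructed to match that format.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the MBAM 1.75 quick-scan log above.
# The "Program Files (x86)" entry is invented to exercise a path that
# itself contains parentheses.
SAMPLE_LOG = r"""
Registry Keys Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{F34C9277-6577-4DFF-B2D7-7D58092F272F} (PUP.Datamngr) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F34C9277-6577-4DFF-B2D7-7D58092F272F} (PUP.Datamngr) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj (PUP.FunMoods) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Users\Negron\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_cjpglkicenollcignonpgiafdgfeehoj_0.localstorage (PUP.FunMoods) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Example\helper.dll (PUP.Constructed) -> Quarantined and deleted successfully.
(end)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# Location is matched lazily, so "(x86)" inside a path is not taken for the
# threat name; the threat name itself never contains parentheses.
DETECTION_RE = re.compile(
    r"^(?P<location>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$"
)
ELEVATION_RE = re.compile(r"\\Internet Explorer\\Low Rights\\ElevationPolicy\\", re.I)
# Chrome extension IDs are 32 letters from a-p; they appear both in the
# registry Extensions key and in the on-disk localstorage file name.
CHROME_EXT_RE = re.compile(
    r"(?:\\Google\\Chrome\\Extensions\\|chrome-extension_)([a-p]{32})", re.I
)


def parse_mbam_log(text):
    """Return (records, declared): one dict per detection line, plus the
    per-section counts that the log's header lines claim."""
    records, declared, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)" or line.startswith("(No malicious"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            declared[section] = int(m.group("count"))
            continue
        m = DETECTION_RE.match(line)
        if m and section is not None:
            records.append({"section": section, **m.groupdict()})
    return records, declared


def count_mismatches(records, declared):
    """Sections whose declared count differs from the lines actually parsed,
    which is what a truncated paste or an unrecognised line looks like."""
    seen = defaultdict(int)
    for r in records:
        seen[r["section"]] += 1
    return {s: (n, seen[s]) for s, n in declared.items() if n != seen[s]}


def by_threat(records):
    """Group detection locations by threat name."""
    groups = defaultdict(list)
    for r in records:
        groups[r["threat"]].append(r["location"])
    return dict(groups)


def persistence_indicators(records):
    """Return (elevation_policy_hits, chrome_extension_ids): detections under
    IE's Low Rights\\ElevationPolicy, where an entry lets the named binary
    start outside Protected Mode's low-integrity sandbox, and the Chrome
    extension IDs that tie registry keys to on-disk extension data."""
    elevation = [r["location"] for r in records if ELEVATION_RE.search(r["location"])]
    ext_ids = set()
    for r in records:
        m = CHROME_EXT_RE.search(r["location"])
        if m:
            ext_ids.add(m.group(1).lower())
    return elevation, sorted(ext_ids)


if __name__ == "__main__":
    recs, decl = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(recs, decl))
    for threat, locs in by_threat(recs).items():
        print(threat, len(locs))
    print(persistence_indicators(recs))
```

Feed it a real log by replacing `SAMPLE_LOG` with the file contents; an empty result from `count_mismatches` means every section's declared count was accounted for by a parsed line, so nothing was lost in the paste.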
