Logs for MrC (FBI virus)


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-06-2013
Ran by SYSTEM on 18-06-2013 18:54:01
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$b22b05834748ebf764a121f70e4d6814\n. ATTENTION! ====> ZeroAccess
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2009-11-18] (Hewlett-Packard)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)
HKLM-x32\...\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe [479232 2005-07-15] (Google Inc.)
HKLM-x32\...\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min [345312 2013-05-07] (Avira Operations GmbH & Co. KG)
HKU\User\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-01-30] (Google Inc.)
HKU\User\...\Run: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart [19662744 2013-04-16] (Google)
HKU\User\...\Run: [MFAData] rundll32 "C:\Users\User\AppData\Local\VirtualStore\MFAData\hkmk.dll",DllRegisterServer [310784 2013-06-08] (Eugene Roshal & Far Group) <===== ATTENTION
HKU\User\...\Run: [Hewlett-Packard] Rundll32.exe C:\Users\User\AppData\Local\Hewlett-Packard\gncrbeid.dll,rqmxyldzsidv [833024 2013-06-08] (Dassault Systèmes SolidWorks Corp.) <===== ATTENTION
HKU\User\...\Run: [wabEventSupport16] rundll32.exe "C:\Users\User\AppData\Roaming\wabEventSupport16\wabEventSupport16.dll",AwPath KernelUtilLibs [30208 2013-06-16] ()
HKU\User\...\Run: [internet Security] C:\Users\User\AppData\Roaming\ildefender.exe [849408 2013-06-18] (FileZilla Project)
Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DealFinder.lnk
ShortcutTarget: DealFinder.lnk -> C:\Program Files (x86)\AA\DealFinder\DealFinder\DealFinder.exe (No File)
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMVU.lnk
ShortcutTarget: IMVU.lnk ->  (No File)

==================== Services (Whitelisted) =================

S2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [86752 2013-04-14] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [110816 2013-04-14] (Avira Operations GmbH & Co. KG)

==================== Drivers (Whitelisted) ====================

S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [100712 2013-04-14] (Avira Operations GmbH & Co. KG)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [130016 2013-04-14] (Avira Operations GmbH & Co. KG)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-04-14] (Avira Operations GmbH & Co. KG)
S3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-28] ()
S2 TMAgent;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-18 15:06 - 2013-06-18 15:06 - 00029651 ____A C:\Users\User\Downloads\FRST.txt
2013-06-18 15:05 - 2013-06-18 15:06 - 00013804 ____A C:\Users\User\Downloads\Addition.txt
2013-06-18 14:57 - 2013-06-18 14:57 - 00000000 ____D C:\FRST
2013-06-18 14:56 - 2013-06-18 14:57 - 01928350 ____A (Farbar) C:\Users\User\Downloads\FRST64.exe
2013-06-18 14:55 - 2013-06-18 14:55 - 01367073 ____A (Farbar) C:\Users\User\Downloads\FRST.exe
2013-06-18 12:48 - 2013-06-18 12:48 - 00849408 ____A (FileZilla Project) C:\Users\User\AppData\Roaming\ildefender.exe
2013-06-18 12:48 - 2013-06-18 12:48 - 00163328 ____A (Grand-Automatic Software Group) C:\Users\User\rundll32568748.exe
2013-06-18 12:48 - 2013-06-18 12:48 - 00066989 ____A C:\Users\User\notepad714774.exe
2013-06-18 12:48 - 2013-06-18 12:48 - 00000794 ____A C:\Users\User\Desktop\Internet Security PRO.lnk
2013-06-18 12:48 - 2013-06-18 12:48 - 00000000 ____A C:\Users\User\mstsc315593.exe
2013-06-16 17:50 - 2013-06-08 06:08 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-16 17:50 - 2013-06-08 06:07 - 19233792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-16 17:50 - 2013-06-08 06:06 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-16 17:50 - 2013-06-08 06:06 - 02648064 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-16 17:50 - 2013-06-08 06:06 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-16 17:50 - 2013-06-08 04:28 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-16 17:50 - 2013-06-08 03:42 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-16 17:50 - 2013-06-08 03:40 - 14327808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-16 17:50 - 2013-06-08 03:40 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-16 17:50 - 2013-06-08 03:40 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-16 17:50 - 2013-06-08 03:40 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-16 17:50 - 2013-06-08 03:13 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-16 17:50 - 2013-05-16 17:25 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-06-16 17:50 - 2013-05-16 17:25 - 01767936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-06-16 17:50 - 2013-05-16 17:25 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-06-16 17:50 - 2013-05-16 17:25 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-06-16 17:50 - 2013-05-16 17:25 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-06-16 17:50 - 2013-05-16 17:25 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-06-16 17:50 - 2013-05-16 17:25 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-06-16 17:50 - 2013-05-16 17:25 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-06-16 17:50 - 2013-05-16 16:59 - 02241024 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-16 17:50 - 2013-05-16 16:59 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-06-16 17:50 - 2013-05-16 16:58 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-16 17:50 - 2013-05-16 16:58 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-16 17:50 - 2013-05-16 16:58 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-16 17:50 - 2013-05-16 16:58 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-06-16 17:50 - 2013-05-16 16:58 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-06-16 17:50 - 2013-05-16 16:58 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-16 17:50 - 2013-05-16 16:58 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-06-16 17:50 - 2013-05-14 04:23 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-06-16 17:50 - 2013-05-14 00:40 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-06-16 17:37 - 2013-06-16 17:37 - 00000000 ____D C:\Users\User\AppData\Roaming\wabEventSupport16
2013-06-16 17:36 - 2013-05-12 21:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-16 17:36 - 2013-05-12 21:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-16 17:36 - 2013-05-12 21:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-16 17:36 - 2013-05-12 21:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-16 17:36 - 2013-05-12 20:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-06-16 17:36 - 2013-05-12 20:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-06-16 17:36 - 2013-05-12 20:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-06-16 17:36 - 2013-05-12 19:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-16 17:36 - 2013-05-12 19:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2013-06-16 17:36 - 2013-05-12 19:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
2013-06-16 17:36 - 2013-05-09 21:49 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-16 17:36 - 2013-05-09 19:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll
2013-06-16 17:36 - 2013-05-07 22:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-16 17:36 - 2013-04-25 21:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-16 17:36 - 2013-04-25 20:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-06-16 17:36 - 2013-04-16 23:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2013-06-16 17:36 - 2013-04-16 22:24 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-06-16 17:35 - 2013-04-25 15:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
2013-06-16 17:35 - 2013-03-31 14:52 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2013-06-09 19:40 - 2013-06-09 19:40 - 00000000 ____A C:\Users\User\jucheck621150.exe
2013-06-09 19:40 - 2013-06-09 19:40 - 00000000 ____A C:\Users\User\chrome512102.exe
2013-06-09 19:38 - 2013-06-09 19:38 - 00000000 ____A C:\Users\User\msconfig761671.exe
2013-06-09 19:38 - 2013-06-09 19:38 - 00000000 ____A C:\Users\User\acrobat805475.exe
2013-06-09 19:28 - 2013-06-09 19:28 - 00000000 ____A C:\Users\User\icq846511.exe
2013-06-09 19:28 - 2013-06-09 19:28 - 00000000 ____A C:\Users\User\firefox684667.exe
2013-06-09 16:00 - 2013-06-09 16:00 - 00000000 ____A C:\Users\User\windowsupdate562231.exe
2013-06-09 16:00 - 2013-06-09 16:00 - 00000000 ____A C:\Users\User\opera941704.exe
2013-06-09 15:54 - 2013-06-09 15:54 - 00000000 ____A C:\Users\User\java791258.exe
2013-06-09 15:54 - 2013-06-09 15:54 - 00000000 ____A C:\Users\User\acrobatreader551729.exe
2013-06-09 15:52 - 2013-06-09 15:52 - 00000000 ____A C:\Users\User\teamviewer828070.exe
2013-06-09 15:52 - 2013-06-09 15:52 - 00000000 ____A C:\Users\User\spoolsv992999.exe
2013-06-09 15:41 - 2013-06-09 15:41 - 00000000 ____A C:\Users\User\spoolsv241388.exe
2013-06-09 15:41 - 2013-06-09 15:41 - 00000000 ____A C:\Users\User\icq423812.exe
2013-06-09 12:05 - 2013-06-09 12:05 - 00000000 ____A C:\Users\User\windowsupdate200067.exe
2013-06-09 12:05 - 2013-06-09 12:05 - 00000000 ____A C:\Users\User\notepad111032.exe
2013-06-09 11:56 - 2013-06-09 11:56 - 00000000 ____A C:\Users\User\flashplayer.exe
2013-06-09 11:56 - 2013-06-09 11:56 - 00000000 ____A C:\Users\User\acrobatreader.exe
2013-06-09 09:23 - 2013-06-09 09:23 - 00000000 ____A C:\Users\User\vlcplayer.exe
2013-06-09 09:23 - 2013-06-09 09:23 - 00000000 ____A C:\Users\User\mstsc.exe
2013-06-09 09:23 - 2013-06-09 09:23 - 00000000 ____A C:\Users\User\jucheck.exe
2013-06-09 09:17 - 2013-06-09 09:17 - 00000000 ____A C:\Users\User\windowsupdate.exe
2013-06-09 09:17 - 2013-06-09 09:17 - 00000000 ____A C:\Users\User\csrss.exe
2013-06-09 09:17 - 2013-06-09 09:17 - 00000000 ____A C:\Users\User\chrome.exe
2013-06-09 09:07 - 2013-06-09 09:07 - 00000000 ____A C:\Users\User\rundll32.exe
2013-06-09 09:07 - 2013-06-09 09:07 - 00000000 ____A C:\Users\User\googleupdate.exe
2013-06-09 09:07 - 2013-06-09 09:07 - 00000000 ____A C:\Users\User\acrobat.exe
2013-06-09 09:02 - 2013-06-18 14:00 - 00000318 ___AH C:\Windows\Tasks\{D958ED80-CD81-49CA-BB1F-20BE0673E02A}.job
2013-06-09 09:02 - 2013-06-18 12:29 - 00000000 ____D C:\Users\User\AppData\Local\8175cb13-2db1-44e7-88c1-1f125da86854ad
2013-06-09 09:02 - 2013-06-09 09:02 - 00000000 ____A C:\Users\User\opera.exe
2013-06-09 09:02 - 2013-06-09 09:02 - 00000000 ____A C:\Users\User\notepad.exe
2013-06-09 09:02 - 2013-06-09 09:02 - 00000000 ____A C:\Users\User\msconfig.exe
2013-06-08 07:45 - 2013-06-08 11:48 - 00000000 ____D C:\Users\User\AppData\Local\Hewlett-Packard
2013-06-05 06:23 - 2013-06-05 06:23 - 00028778 ____A C:\Users\User\Downloads\refwlesunclassified (1).zip
2013-06-05 06:21 - 2013-06-05 06:21 - 00028778 ____A C:\Users\User\Downloads\refwlesunclassified.zip

==================== One Month Modified Files and Folders =======

2013-06-18 15:06 - 2013-06-18 15:06 - 00029651 ____A C:\Users\User\Downloads\FRST.txt
2013-06-18 15:06 - 2013-06-18 15:05 - 00013804 ____A C:\Users\User\Downloads\Addition.txt
2013-06-18 14:57 - 2013-06-18 14:57 - 00000000 ____D C:\FRST
2013-06-18 14:57 - 2013-06-18 14:56 - 01928350 ____A (Farbar) C:\Users\User\Downloads\FRST64.exe
2013-06-18 14:55 - 2013-06-18 14:55 - 01367073 ____A (Farbar) C:\Users\User\Downloads\FRST.exe
2013-06-18 14:53 - 2009-07-13 21:13 - 00742028 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-18 14:39 - 2009-07-13 20:51 - 00101817 ____A C:\Windows\setupact.log
2013-06-18 14:38 - 2012-01-27 13:45 - 01101651 ____A C:\Windows\WindowsUpdate.log
2013-06-18 14:37 - 2012-01-30 06:49 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-18 14:00 - 2013-06-09 09:02 - 00000318 ___AH C:\Windows\Tasks\{D958ED80-CD81-49CA-BB1F-20BE0673E02A}.job
2013-06-18 13:51 - 2013-03-19 07:13 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-18 12:48 - 2013-06-18 12:48 - 00849408 ____A (FileZilla Project) C:\Users\User\AppData\Roaming\ildefender.exe
2013-06-18 12:48 - 2013-06-18 12:48 - 00163328 ____A (Grand-Automatic Software Group) C:\Users\User\rundll32568748.exe
2013-06-18 12:48 - 2013-06-18 12:48 - 00066989 ____A C:\Users\User\notepad714774.exe
2013-06-18 12:48 - 2013-06-18 12:48 - 00000794 ____A C:\Users\User\Desktop\Internet Security PRO.lnk
2013-06-18 12:48 - 2013-06-18 12:48 - 00000000 ____A C:\Users\User\mstsc315593.exe
2013-06-18 12:33 - 2009-07-13 20:45 - 00021872 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-18 12:33 - 2009-07-13 20:45 - 00021872 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-18 12:29 - 2013-06-09 09:02 - 00000000 ____D C:\Users\User\AppData\Local\8175cb13-2db1-44e7-88c1-1f125da86854ad
2013-06-18 12:28 - 2013-04-25 05:25 - 00000000 ___SD C:\Users\User\Google Drive
2013-06-18 12:28 - 2012-01-30 06:49 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-18 12:27 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-16 17:51 - 2013-03-19 07:13 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-06-16 17:51 - 2012-01-30 10:46 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-06-16 17:37 - 2013-06-16 17:37 - 00000000 ____D C:\Users\User\AppData\Roaming\wabEventSupport16
2013-06-09 19:40 - 2013-06-09 19:40 - 00000000 ____A C:\Users\User\jucheck621150.exe
2013-06-09 19:40 - 2013-06-09 19:40 - 00000000 ____A C:\Users\User\chrome512102.exe
2013-06-09 19:38 - 2013-06-09 19:38 - 00000000 ____A C:\Users\User\msconfig761671.exe
2013-06-09 19:38 - 2013-06-09 19:38 - 00000000 ____A C:\Users\User\acrobat805475.exe
2013-06-09 19:28 - 2013-06-09 19:28 - 00000000 ____A C:\Users\User\icq846511.exe
2013-06-09 19:28 - 2013-06-09 19:28 - 00000000 ____A C:\Users\User\firefox684667.exe
2013-06-09 16:00 - 2013-06-09 16:00 - 00000000 ____A C:\Users\User\windowsupdate562231.exe
2013-06-09 16:00 - 2013-06-09 16:00 - 00000000 ____A C:\Users\User\opera941704.exe
2013-06-09 15:54 - 2013-06-09 15:54 - 00000000 ____A C:\Users\User\java791258.exe
2013-06-09 15:54 - 2013-06-09 15:54 - 00000000 ____A C:\Users\User\acrobatreader551729.exe
2013-06-09 15:52 - 2013-06-09 15:52 - 00000000 ____A C:\Users\User\teamviewer828070.exe
2013-06-09 15:52 - 2013-06-09 15:52 - 00000000 ____A C:\Users\User\spoolsv992999.exe
2013-06-09 15:41 - 2013-06-09 15:41 - 00000000 ____A C:\Users\User\spoolsv241388.exe
2013-06-09 15:41 - 2013-06-09 15:41 - 00000000 ____A C:\Users\User\icq423812.exe
2013-06-09 12:05 - 2013-06-09 12:05 - 00000000 ____A C:\Users\User\windowsupdate200067.exe
2013-06-09 12:05 - 2013-06-09 12:05 - 00000000 ____A C:\Users\User\notepad111032.exe
2013-06-09 11:56 - 2013-06-09 11:56 - 00000000 ____A C:\Users\User\flashplayer.exe
2013-06-09 11:56 - 2013-06-09 11:56 - 00000000 ____A C:\Users\User\acrobatreader.exe
2013-06-09 09:23 - 2013-06-09 09:23 - 00000000 ____A C:\Users\User\vlcplayer.exe
2013-06-09 09:23 - 2013-06-09 09:23 - 00000000 ____A C:\Users\User\mstsc.exe
2013-06-09 09:23 - 2013-06-09 09:23 - 00000000 ____A C:\Users\User\jucheck.exe
2013-06-09 09:17 - 2013-06-09 09:17 - 00000000 ____A C:\Users\User\windowsupdate.exe
2013-06-09 09:17 - 2013-06-09 09:17 - 00000000 ____A C:\Users\User\csrss.exe
2013-06-09 09:17 - 2013-06-09 09:17 - 00000000 ____A C:\Users\User\chrome.exe
2013-06-09 09:07 - 2013-06-09 09:07 - 00000000 ____A C:\Users\User\rundll32.exe
2013-06-09 09:07 - 2013-06-09 09:07 - 00000000 ____A C:\Users\User\googleupdate.exe
2013-06-09 09:07 - 2013-06-09 09:07 - 00000000 ____A C:\Users\User\acrobat.exe
2013-06-09 09:02 - 2013-06-09 09:02 - 00000000 ____A C:\Users\User\opera.exe
2013-06-09 09:02 - 2013-06-09 09:02 - 00000000 ____A C:\Users\User\notepad.exe
2013-06-09 09:02 - 2013-06-09 09:02 - 00000000 ____A C:\Users\User\msconfig.exe
2013-06-08 11:48 - 2013-06-08 07:45 - 00000000 ____D C:\Users\User\AppData\Local\Hewlett-Packard
2013-06-08 07:45 - 2012-01-27 11:53 - 00000000 ____D C:\Users\User\AppData\Local\VirtualStore
2013-06-08 06:08 - 2013-06-16 17:50 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-08 06:07 - 2013-06-16 17:50 - 19233792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-08 06:06 - 2013-06-16 17:50 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-08 06:06 - 2013-06-16 17:50 - 02648064 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-08 06:06 - 2013-06-16 17:50 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-08 04:28 - 2013-06-16 17:50 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-08 03:42 - 2013-06-16 17:50 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-08 03:40 - 2013-06-16 17:50 - 14327808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-08 03:40 - 2013-06-16 17:50 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-08 03:40 - 2013-06-16 17:50 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-08 03:40 - 2013-06-16 17:50 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-08 03:13 - 2013-06-16 17:50 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-06 16:40 - 2013-04-03 15:04 - 00002187 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-06-05 06:23 - 2013-06-05 06:23 - 00028778 ____A C:\Users\User\Downloads\refwlesunclassified (1).zip
2013-06-05 06:21 - 2013-06-05 06:21 - 00028778 ____A C:\Users\User\Downloads\refwlesunclassified.zip
2013-06-04 06:17 - 2012-01-29 12:58 - 00000000 ____D C:\Users\User\Desktop\Danielle
2013-06-03 19:05 - 2012-11-06 05:58 - 00000000 ____D C:\Users\User\Documents\My Scans
2013-06-03 10:37 - 2012-09-19 13:02 - 00000000 ____D C:\Users\User\ZipForm
2013-06-02 21:30 - 2011-04-12 00:28 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-06-02 21:30 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-06-02 21:30 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-05-22 04:08 - 2009-07-13 21:08 - 00032598 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-05-20 18:30 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3090479118-3698766337-2013796773-1000\$b22b05834748ebf764a121f70e4d6814

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$b22b05834748ebf764a121f70e4d6814

Files to move or delete:
====================
C:\Users\User\acrobat.exe
C:\Users\User\acrobat805475.exe
C:\Users\User\acrobatreader.exe
C:\Users\User\acrobatreader551729.exe
C:\Users\User\chrome.exe
C:\Users\User\chrome512102.exe
C:\Users\User\csrss.exe
C:\Users\User\firefox684667.exe
C:\Users\User\flashplayer.exe
C:\Users\User\googleupdate.exe
C:\Users\User\icq423812.exe
C:\Users\User\icq846511.exe
C:\Users\User\java791258.exe
C:\Users\User\jucheck.exe
C:\Users\User\jucheck621150.exe
C:\Users\User\msconfig.exe
C:\Users\User\msconfig761671.exe
C:\Users\User\mstsc.exe
C:\Users\User\mstsc315593.exe
C:\Users\User\notepad.exe
C:\Users\User\notepad111032.exe
C:\Users\User\notepad714774.exe
C:\Users\User\opera.exe
C:\Users\User\opera941704.exe
C:\Users\User\rundll32.exe
C:\Users\User\rundll32568748.exe
C:\Users\User\spoolsv241388.exe
C:\Users\User\spoolsv992999.exe
C:\Users\User\teamviewer828070.exe
C:\Users\User\vlcplayer.exe
C:\Users\User\windowsupdate.exe
C:\Users\User\windowsupdate200067.exe
C:\Users\User\windowsupdate562231.exe
C:\Windows\Tasks\{D958ED80-CD81-49CA-BB1F-20BE0673E02A}.job

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-05-15 17:52:36
Restore point made on: 2013-05-20 15:15:44
Restore point made on: 2013-05-23 17:59:10
Restore point made on: 2013-05-31 08:56:39
Restore point made on: 2013-06-03 12:36:37
Restore point made on: 2013-06-03 12:47:22
Restore point made on: 2013-06-03 14:25:31
Restore point made on: 2013-06-16 17:49:19
Restore point made on: 2013-06-18 12:50:17
Restore point made on: 2013-06-18 13:35:19

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 3839.18 MB
Available physical RAM: 3263.52 MB
Total Pagefile: 3837.38 MB
Available Pagefile: 3257.8 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: (WIN7) (Fixed) (Total:921.72 GB) (Free:845.68 GB) NTFS (Disk=0 Partition=2) ==>[Drive with boot components (obtained from BCD)]
Drive f: (KINGSTON) (Removable) (Total:3.65 GB) (Free:3.65 GB) FAT32 (Disk=2 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: CB5BD2B2)
Partition 1: (Not Active) - (Size=10 GB) - (Type=1B)
Partition 2: (Active) - (Size=922 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 4 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=4 GB) - (Type=0C)

LastRegBack: 2013-06-03 08:59

==================== End Of Log ============================


OK, here you go... this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: now please enter System Recovery Options (as you did before).

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now and if so...

Download Malwarebytes Anti-Rootkit from HERE
  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe.
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt.

To attach a log if needed:

Bottom right corner of this page.
[screenshot: more-reply-options.jpg]

New window that comes up.
[screenshot: choose-files1.jpg]

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
  • Internet access
  • Windows Update
  • Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder, which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 19-06-2013
Ran by SYSTEM at 2013-06-18 22:06:24 Run:1
Running from E:\
Boot Mode: Recovery
==============================================

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKU\User\Software\Microsoft\Windows\CurrentVersion\Run\\MFAData => Value deleted successfully.
HKU\User\Software\Microsoft\Windows\CurrentVersion\Run\\Hewlett-Packard => Value deleted successfully.
HKU\User\Software\Microsoft\Windows\CurrentVersion\Run\\wabEventSupport16 => Value deleted successfully.
HKU\User\Software\Microsoft\Windows\CurrentVersion\Run\\Internet Security => Value deleted successfully.
C:\Users\User\AppData\Local\Hewlett-Packard\gncrbeid.dll => Moved successfully.
C:\Users\User\AppData\Roaming\wabEventSupport16\wabEventSupport16.dll  => Moved successfully.
C:\Users\User\AppData\Local\VirtualStore\MFAData\hkmk.dll => Moved successfully.
C:\Users\User\AppData\Roaming\ildefender.exe => Moved successfully.
C:\Users\User\Desktop\Internet Security PRO.lnk => Moved successfully.
C:\Users\User\mstsc315593.exe => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-3090479118-3698766337-2013796773-1000\$b22b05834748ebf764a121f70e4d6814 => Moved successfully.
C:\$Recycle.Bin\S-1-5-18\$b22b05834748ebf764a121f70e4d6814 => Moved successfully.
C:\Users\User\acrobat.exe => Moved successfully.
C:\Users\User\acrobat805475.exe => Moved successfully.
C:\Users\User\acrobatreader.exe => Moved successfully.
C:\Users\User\acrobatreader551729.exe => Moved successfully.
C:\Users\User\chrome.exe => Moved successfully.
C:\Users\User\chrome512102.exe => Moved successfully.
C:\Users\User\csrss.exe => Moved successfully.
C:\Users\User\firefox684667.exe => Moved successfully.
C:\Users\User\flashplayer.exe => Moved successfully.
C:\Users\User\googleupdate.exe => Moved successfully.
C:\Users\User\icq423812.exe => Moved successfully.
C:\Users\User\icq846511.exe => Moved successfully.
C:\Users\User\java791258.exe => Moved successfully.
C:\Users\User\jucheck.exe => Moved successfully.
C:\Users\User\jucheck621150.exe => Moved successfully.
C:\Users\User\msconfig.exe => Moved successfully.
C:\Users\User\msconfig761671.exe => Moved successfully.
C:\Users\User\mstsc.exe => Moved successfully.
C:\Users\User\mstsc315593.exe => File/Directory not found.
C:\Users\User\notepad.exe => Moved successfully.
C:\Users\User\notepad111032.exe => Moved successfully.
C:\Users\User\notepad714774.exe => Moved successfully.
C:\Users\User\opera.exe => Moved successfully.
C:\Users\User\opera941704.exe => Moved successfully.
C:\Users\User\rundll32.exe => Moved successfully.
C:\Users\User\rundll32568748.exe => Moved successfully.
C:\Users\User\spoolsv241388.exe => Moved successfully.
C:\Users\User\spoolsv992999.exe => Moved successfully.
C:\Users\User\teamviewer828070.exe => Moved successfully.
C:\Users\User\vlcplayer.exe => Moved successfully.
C:\Users\User\windowsupdate.exe => Moved successfully.
C:\Users\User\windowsupdate200067.exe => Moved successfully.
C:\Users\User\windowsupdate562231.exe => Moved successfully.
C:\Windows\Tasks\{D958ED80-CD81-49CA-BB1F-20BE0673E02A}.job => Moved successfully.

==== End of Fixlog ====


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
