
FBI MoneyPak, no SafeMode options



Hi, the ICE MoneyPak trojan hit our computer last night and we can't boot into Safe Mode (any of the Safe Mode options) to run a scan off the USB sticks. I can get to a command prompt through Advanced Options, and here is the result of the FRST64 scan. Any help to get this off the system is appreciated!

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 22-06-2013 02
Ran by SYSTEM on 21-06-2013 09:35:54
Running from K:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet003
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8306208 2009-10-20] (Realtek Semiconductor)
HKLM\...\Run: [iAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
HKLM-x32\...\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m [1807680 2010-02-09] ()
HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-12-29] (CyberLink Corp.)
HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
HKLM-x32\...\Run: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1532992 2013-03-13] (McAfee, Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2011-03-07] (Apple Inc.)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM-x32\...\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup [309184 2012-03-28] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2012-12-18] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKU\Beetz\...\Run: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [719672 2012-01-20] (Microsoft Corporation)
HKU\Beetz\...\Run: [Torrent2Exe[55bc15411c4be6287d582cff80167e16479072f4]] C:\Users\Beetz\Downloads\ShesOutOfMyLeague[2010]dvdripaxxo.exe [x]
HKU\Beetz\...\Run: [Google Update] "C:\Users\Beetz\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-01-03] (Google Inc.)
HKU\Beetz\...\Run: [DelayShred] "c:\PROGRA~1\mcafee\mqs\ShrCL.EXE" /P1 /q "F:\DCIM\100CASIO\CIMG0363.JPG" "F:\DCIM\100CASIO\CIMG0367.JPG" "F:\DCIM\100CASIO\CIMG0364.JPG" "F:\DCIM\100CASIO\CIMG0365.JPG" "F:\DCIM\100CASIO\CIMG0366.JPG" [x]
HKU\Beetz\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Beetz\AppData\Local\Temp\nopeaetltadttwdoy.exe [x]
HKU\Beetz\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Beetz\...\Command Processor: "C:\Users\Beetz\AppData\Local\Temp\nopeaetltadttwdoy.exe" <===== ATTENTION!
Startup: C:\Users\Beetz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Beetz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Beetz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XPlay.lnk
ShortcutTarget: XPlay.lnk -> C:\Program Files\Commons\xplay.exe (Insight Technology Ltd.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Services (Whitelisted) =================

S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 mcmscsvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [383608 2012-11-16] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [241456 2013-02-19] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-02-19] (McAfee, Inc.)
S2 mfevtp; C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe [182752 2013-02-19] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 NitroReaderDriverReadSpool3; C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe [230416 2012-10-30] (Nitro PDF Software)
S3 wcncsvc; C:\Windows\System32\wcncsvc.dll [367104 2010-11-20] ()

==================== Drivers (Whitelisted) ====================

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-02-19] (McAfee, Inc.)
S3 dsNcAdpt; C:\Windows\System32\DRIVERS\dsNcAdX64.sys [29184 2009-03-26] (Juniper Networks)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179280 2013-02-19] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309840 2013-02-19] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515968 2013-02-19] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340216 2013-02-19] (McAfee, Inc.)
S1 lbweizkj; \??\C:\Windows\system32\drivers\lbweizkj.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-06-20 15:51 - 2013-06-20 15:51 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-06-20 10:15 - 2013-06-20 10:15 - 00000000 ____D C:\FRST
2013-06-20 08:28 - 2013-06-20 08:28 - 00000000 ____D C:\ProgramData\HitmanPro
2013-06-20 08:28 - 2013-06-20 08:28 - 00000000 ____D C:\ProgramData\Application Data\HitmanPro
2013-06-20 07:31 - 2013-06-20 07:31 - 01097680 ____A C:\Users\Beetz\Local Settings\Application Data\2433f433
2013-06-20 07:31 - 2013-06-20 07:31 - 01097680 ____A C:\Users\Beetz\Local Settings\2433f433
2013-06-20 07:31 - 2013-06-20 07:31 - 01097680 ____A C:\Users\Beetz\AppData\Local\2433f433
2013-06-20 07:31 - 2013-06-20 07:31 - 01097679 ____A C:\Users\Beetz\Application Data\2433f433
2013-06-20 07:31 - 2013-06-20 07:31 - 01097679 ____A C:\Users\Beetz\AppData\Roaming\2433f433
2013-06-16 02:00 - 2013-06-08 09:08 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-16 02:00 - 2013-06-08 09:07 - 19233792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-16 02:00 - 2013-06-08 09:06 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-16 02:00 - 2013-06-08 09:06 - 02648064 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-16 02:00 - 2013-06-08 09:06 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-16 02:00 - 2013-06-08 07:28 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-16 02:00 - 2013-06-08 06:42 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-16 02:00 - 2013-06-08 06:40 - 14327808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-16 02:00 - 2013-06-08 06:40 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-16 02:00 - 2013-06-08 06:40 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-16 02:00 - 2013-06-08 06:40 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-16 02:00 - 2013-06-08 06:13 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-13 19:09 - 2013-06-14 17:35 - 00009251 ____A C:\Users\Beetz\My Documents\Birthdays.xlsx
2013-06-13 19:09 - 2013-06-14 17:35 - 00009251 ____A C:\Users\Beetz\Documents\Birthdays.xlsx
2013-06-12 02:01 - 2013-05-16 20:25 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-06-12 02:01 - 2013-05-16 20:25 - 01767936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-06-12 02:01 - 2013-05-16 20:25 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-06-12 02:01 - 2013-05-16 20:25 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-06-12 02:01 - 2013-05-16 20:25 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-06-12 02:01 - 2013-05-16 20:25 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-06-12 02:01 - 2013-05-16 20:25 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-06-12 02:01 - 2013-05-16 20:25 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-06-12 02:01 - 2013-05-16 19:59 - 02241024 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-12 02:01 - 2013-05-16 19:59 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-06-12 02:01 - 2013-05-16 19:58 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-12 02:01 - 2013-05-16 19:58 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-12 02:01 - 2013-05-16 19:58 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-12 02:01 - 2013-05-16 19:58 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-06-12 02:01 - 2013-05-16 19:58 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-06-12 02:01 - 2013-05-16 19:58 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-12 02:01 - 2013-05-16 19:58 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-06-12 02:01 - 2013-05-14 07:23 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-06-12 02:01 - 2013-05-14 03:40 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-06-11 19:20 - 2013-05-08 01:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-11 19:20 - 2013-04-26 00:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-11 19:20 - 2013-04-25 23:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-06-11 19:19 - 2013-05-13 00:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-11 19:19 - 2013-05-13 00:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-11 19:19 - 2013-05-13 00:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-11 19:19 - 2013-05-13 00:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-11 19:19 - 2013-05-12 23:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-06-11 19:19 - 2013-05-12 23:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-06-11 19:19 - 2013-05-12 23:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-06-11 19:19 - 2013-05-12 22:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-11 19:19 - 2013-05-12 22:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2013-06-11 19:19 - 2013-05-12 22:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
2013-06-11 19:19 - 2013-05-10 00:49 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-11 19:19 - 2013-05-09 22:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll
2013-06-11 19:19 - 2013-04-25 18:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
2013-06-11 19:19 - 2013-04-17 02:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2013-06-11 19:19 - 2013-04-17 01:24 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-06-11 19:19 - 2013-03-31 17:52 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll

==================== One Month Modified Files and Folders =======

2013-06-21 08:27 - 2010-07-25 19:14 - 00000000 ____D C:\users\Beetz
2013-06-20 20:40 - 2009-07-14 00:13 - 00005168 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-20 20:24 - 2010-10-12 17:51 - 00054786 ____A C:\Windows\setupact.log
2013-06-20 20:24 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-20 15:51 - 2013-06-20 15:51 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-06-20 14:07 - 2013-04-18 07:37 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2013-06-20 14:07 - 2013-03-13 22:17 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-06-20 14:07 - 2013-03-13 22:17 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-06-20 14:07 - 2013-03-09 17:09 - 00000000 ____D C:\Program Files\Commons
2013-06-20 14:07 - 2012-10-15 18:17 - 00000000 ____D C:\Users\Beetz\Application Data\ICAClient
2013-06-20 14:07 - 2012-10-15 18:17 - 00000000 ____D C:\Users\Beetz\AppData\Roaming\ICAClient
2013-06-20 14:07 - 2012-06-20 10:39 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-06-20 14:07 - 2011-03-11 15:35 - 00000000 ____D C:\Program Files\iTunes
2013-06-20 14:07 - 2011-03-11 15:35 - 00000000 ____D C:\Program Files\iPod
2013-06-20 14:07 - 2011-03-11 15:35 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-06-20 14:07 - 2011-03-11 15:34 - 00000000 ____D C:\Program Files (x86)\QuickTime
2013-06-20 14:07 - 2011-03-11 15:33 - 00000000 ____D C:\Program Files\Bonjour
2013-06-20 14:07 - 2011-03-11 15:33 - 00000000 ____D C:\Program Files (x86)\Bonjour
2013-06-20 14:07 - 2010-10-17 15:53 - 00000000 ___SD C:\Users\Beetz\My Documents\My Data Sources
2013-06-20 14:07 - 2010-10-17 15:53 - 00000000 ___SD C:\Users\Beetz\Documents\My Data Sources
2013-06-20 14:07 - 2010-09-17 11:13 - 00000000 ____D C:\Program Files (x86)\Coupons
2013-06-20 14:07 - 2010-08-26 12:53 - 00000000 ____D C:\Program Files (x86)\DivX
2013-06-20 14:07 - 2010-08-19 06:08 - 00000000 ____D C:\Program Files (x86)\Microsoft Synchronization Services
2013-06-20 14:07 - 2010-08-19 06:07 - 00000000 ____D C:\Program Files (x86)\Microsoft Visual Studio 8
2013-06-20 14:07 - 2010-08-14 16:13 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-06-20 14:07 - 2010-07-25 19:17 - 00000000 ____D C:\Users\Beetz\Local Settings\Stardock_Corporation
2013-06-20 14:07 - 2010-07-25 19:17 - 00000000 ____D C:\Users\Beetz\Local Settings\Application Data\Stardock_Corporation
2013-06-20 14:07 - 2010-07-25 19:17 - 00000000 ____D C:\Users\Beetz\AppData\Local\Stardock_Corporation
2013-06-20 14:07 - 2010-07-15 11:28 - 00000000 ____D C:\dell
2013-06-20 14:07 - 2010-07-15 10:48 - 00000000 ____D C:\Program Files\Realtek
2013-06-20 14:07 - 2010-07-15 09:07 - 00000000 ____D C:\ProgramData\McAfee
2013-06-20 14:07 - 2010-07-15 09:07 - 00000000 ____D C:\ProgramData\Application Data\McAfee
2013-06-20 14:07 - 2010-07-15 08:59 - 00000000 ____D C:\Program Files (x86)\Windows Live
2013-06-20 14:07 - 2010-07-15 08:55 - 00000000 ____D C:\Program Files (x86)\Microsoft CAPICOM 2.1.0.2
2013-06-20 14:07 - 2010-07-15 08:55 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Online
2013-06-20 14:07 - 2010-07-15 08:55 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-06-20 14:07 - 2010-07-15 08:54 - 00000000 ____D C:\Program Files (x86)\Citrix
2013-06-20 14:07 - 2009-07-14 02:44 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-06-20 14:07 - 2009-07-14 00:32 - 00000000 ____D C:\Windows\System32\restore
2013-06-20 14:07 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files\Windows Sidebar
2013-06-20 14:07 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files\DVD Maker
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 __RSD C:\Windows\Media
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 __RHD C:\Users\Public\Libraries
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\System32\spp
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\System32\migwiz
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\servicing
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\IME
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\Cursors
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\Branding
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\AppCompat
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files\Common Files\System
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-06-20 11:11 - 2012-01-03 16:53 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2103324274-264647483-924665500-1000UA.job
2013-06-20 11:09 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2013-06-20 11:08 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-06-20 10:15 - 2013-06-20 10:15 - 00000000 ____D C:\FRST
2013-06-20 08:28 - 2013-06-20 08:28 - 00000000 ____D C:\ProgramData\HitmanPro
2013-06-20 08:28 - 2013-06-20 08:28 - 00000000 ____D C:\ProgramData\Application Data\HitmanPro
2013-06-20 07:31 - 2013-06-20 07:31 - 01097680 ____A C:\Users\Beetz\Local Settings\Application Data\2433f433
2013-06-20 07:31 - 2013-06-20 07:31 - 01097680 ____A C:\Users\Beetz\Local Settings\2433f433
2013-06-20 07:31 - 2013-06-20 07:31 - 01097680 ____A C:\Users\Beetz\AppData\Local\2433f433
2013-06-20 07:31 - 2013-06-20 07:31 - 01097679 ____A C:\Users\Beetz\Application Data\2433f433
2013-06-20 07:31 - 2013-06-20 07:31 - 01097679 ____A C:\Users\Beetz\AppData\Roaming\2433f433
2013-06-20 07:27 - 2010-08-14 05:36 - 00000000 ____D C:\Users\Beetz\Application Data\Macromedia
2013-06-20 07:27 - 2010-08-14 05:36 - 00000000 ____D C:\Users\Beetz\AppData\Roaming\Macromedia
2013-06-20 07:24 - 2009-07-14 00:10 - 01980201 ____A C:\Windows\WindowsUpdate.log
2013-06-20 07:14 - 2013-04-18 07:35 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-19 20:21 - 2012-01-03 16:53 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2103324274-264647483-924665500-1000Core.job
2013-06-17 19:59 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-17 19:59 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-17 14:36 - 2010-11-27 10:06 - 00156672 ____A C:\Users\Beetz\My Documents\Master Address List.xls
2013-06-17 14:36 - 2010-11-27 10:06 - 00156672 ____A C:\Users\Beetz\Documents\Master Address List.xls
2013-06-14 17:35 - 2013-06-13 19:09 - 00009251 ____A C:\Users\Beetz\My Documents\Birthdays.xlsx
2013-06-14 17:35 - 2013-06-13 19:09 - 00009251 ____A C:\Users\Beetz\Documents\Birthdays.xlsx
2013-06-11 20:04 - 2012-10-16 14:03 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-06-11 20:04 - 2011-06-05 09:02 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-06-08 09:08 - 2013-06-16 02:00 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-08 09:07 - 2013-06-16 02:00 - 19233792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-08 09:06 - 2013-06-16 02:00 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-08 09:06 - 2013-06-16 02:00 - 02648064 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-08 09:06 - 2013-06-16 02:00 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-08 07:28 - 2013-06-16 02:00 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-08 06:42 - 2013-06-16 02:00 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-08 06:40 - 2013-06-16 02:00 - 14327808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-08 06:40 - 2013-06-16 02:00 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-08 06:40 - 2013-06-16 02:00 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-08 06:40 - 2013-06-16 02:00 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-08 06:13 - 2013-06-16 02:00 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-07 10:12 - 2013-03-27 19:31 - 00318464 __ASH C:\Users\Beetz\Desktop\Thumbs.db
2013-06-01 12:17 - 2013-05-04 19:44 - 00000000 ____D C:\Users\Beetz\Desktop\Yamaha Waverunner III
2013-05-26 10:15 - 2010-07-15 10:47 - 00580460 ____A C:\Windows\PFRO.log

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2103324274-264647483-924665500-1000\$aecdebeef706012bb2a44720af1bbf9c
C:\$Recycle.Bin\S-1-5-21-2103324274-264647483-924665500-1000\$aecdebeef706012bb2a44720af1bbf9c\@
C:\$Recycle.Bin\S-1-5-21-2103324274-264647483-924665500-1000\$aecdebeef706012bb2a44720af1bbf9c\L
C:\$Recycle.Bin\S-1-5-21-2103324274-264647483-924665500-1000\$aecdebeef706012bb2a44720af1bbf9c\U
C:\$Recycle.Bin\S-1-5-21-2103324274-264647483-924665500-1000\$aecdebeef706012bb2a44720af1bbf9c\L\00000004.@

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-05-16 02:01:00
Restore point made on: 2013-05-23 17:53:00
Restore point made on: 2013-05-31 07:38:59
Restore point made on: 2013-06-08 08:26:32
Restore point made on: 2013-06-12 02:00:43
Restore point made on: 2013-06-16 02:00:44

==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 4060.98 MB
Available physical RAM: 3404.41 MB
Total Pagefile: 4059.13 MB
Available Pagefile: 3426.49 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:690.47 GB) (Free:575.77 GB) NTFS (Disk=0 Partition=3)
Drive e: (RECOVERY) (Fixed) (Total:8.12 GB) (Free:3.65 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]
Drive k: (HITMANPRO) (Removable) (Total:1.95 GB) (Free:1.91 GB) NTFS (Disk=6 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 699 GB) (Disk ID: 48E2F468)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=690 GB) - (Type=07 NTFS)

========================================================
Disk: 6 (Size: 2 GB) (Disk ID: 6FB65E5B)
Partition 1: (Active) - (Size=2 GB) - (Type=07 NTFS)


LastRegBack: 2013-06-13 19:43

==================== End Of Log ============================


Please read the following information first.
 

You're infected with Rootkit.ZeroAccess, which is also a backdoor trojan.

 
BACKDOOR WARNING
 
------------------------------
 
One or more of the identified infections is known to use a backdoor.
 
This allows hackers to remotely control your computer, steal critical system information and download and execute files.
 
I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
 
Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
 
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
 
When Should I Format, How Should I Reinstall
 
I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.
 
Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

 

 
-----------------------------------------
 
OK, here you go... this should get you going:
 
Please download the attached fixlist.txt and copy it to your flash drive.
 
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
 
On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)
 
Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
 
See if the computer boots normally now, and if so:
 
Download Malwarebytes Anti-Rootkit from HERE
  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
 
 
To attach a log if needed:
 
Bottom right corner of this page.
 
New window that comes up.
 
 
~~~~~~~~~~~~~~~~~~~~~~~
 
Note:
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
Internet access
Windows Update
Windows Firewall
If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.
 
Just run fixdamage.exe.
 
Verify that they are now functioning normally.
 
 
MrC
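As an added example (editor's code, not part of this thread, not MrC's fix and not FRST itself), the script below walks a log in the FRST.txt format posted above and drafts the fixlist lines for the entries an analyst would pull from it: the Winlogon Shell pointing at cmd.exe instead of explorer.exe, the Command Processor AutoRun, Run values that launch from Temp or Downloads, the random-named driver service with no file behind it, the hex-named blobs dropped straight under AppData, and the ZeroAccess directory under $Recycle.Bin. It assumes FRST's convention of the time that lines copied verbatim from FRST.txt into fixlist.txt are acted on by the Fix button, with file-system hits given as bare paths (the Fix result posted later in this thread shows that form). The detection heuristics, the STAGING_DIRS list and the sample log excerpt are the editor's own constructions, not FRST's internal rules.

```python
"""Triage an FRST.txt log and draft the fixlist.txt lines for what it flags.

Added example, not code from the thread, from MrC, or from FRST itself. It
relies on one FRST convention, that lines copied verbatim from FRST.txt into
fixlist.txt are acted on by the Fix button; the heuristics are the editor's
own, modelled on the ATTENTION markers and the ZeroAccess block in the posted
log, and are assumptions rather than FRST's internal rules.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a cut-down copy of entries from the posted FRST.txt.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8306208 2009-10-20] (Realtek Semiconductor)
HKU\Beetz\...\Run: [Torrent2Exe[55bc15411c4be6287d582cff80167e16479072f4]] C:\Users\Beetz\Downloads\ShesOutOfMyLeague[2010]dvdripaxxo.exe [x]
HKU\Beetz\...\Run: [Google Update] "C:\Users\Beetz\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-01-03] (Google Inc.)
HKU\Beetz\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Beetz\AppData\Local\Temp\nopeaetltadttwdoy.exe [x]
HKU\Beetz\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Beetz\...\Command Processor: "C:\Users\Beetz\AppData\Local\Temp\nopeaetltadttwdoy.exe" <===== ATTENTION!

==================== Drivers (Whitelisted) ====================

S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)
S1 lbweizkj; \??\C:\Windows\system32\drivers\lbweizkj.sys [x]

==================== One Month Created Files and Folders ========

2013-06-20 07:31 - 2013-06-20 07:31 - 01097680 ____A C:\Users\Beetz\AppData\Local\2433f433
2013-06-20 07:31 - 2013-06-20 07:31 - 01097679 ____A C:\Users\Beetz\AppData\Roaming\2433f433
2013-06-16 02:00 - 2013-06-08 09:08 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2103324274-264647483-924665500-1000\$aecdebeef706012bb2a44720af1bbf9c
C:\$Recycle.Bin\S-1-5-21-2103324274-264647483-924665500-1000\$aecdebeef706012bb2a44720af1bbf9c\L\00000004.@

==================== Known DLLs (Whitelisted) ================
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str  # the FRST log line exactly as it would be copied into fixlist.txt


SECTION_RE = re.compile(r"^=+ (?P<name>.+?) =+$")
RUN_RE = re.compile(r"^(?:HKLM|HKU\\[^\\]+)(?:-x32)?\\\.\.\.\\(?:Run|RunOnce): \[(?P<name>.+?)\] (?P<rest>.*)$")
SHELL_RE = re.compile(r"^HKU\\[^\\]+\\\.\.\.\\Winlogon: \[shell\] (?P<target>\S+)", re.I)
CMDPROC_RE = re.compile(r"^HKU\\[^\\]+\\\.\.\.\\Command Processor: ")
DRIVER_RE = re.compile(r"^S\d (?P<svc>[^;]+); (?P<path>.+?) \[x\]$")  # [x] = file missing at scan time
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - "
                     r"(?P<size>\d{8}) (?P<attr>\S+) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$")
HEX_BLOB_RE = re.compile(r"\\AppData\\(?:Local|Roaming)\\[0-9a-f]{8}$", re.I)
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")  # hypothetical short list


def classify(section: str | None, line: str) -> str | None:
    """Return why a line is suspicious, or None if it looks benign."""
    if section == "ZeroAccess":
        return "ZeroAccess hidden directory under $Recycle.Bin"
    if section is None:
        return None
    if section.startswith("Registry"):
        m = SHELL_RE.match(line)
        if m and m.group("target").lower() != "explorer.exe":
            return f"Winlogon Shell replaced with {m.group('target')}; explorer.exe never starts"
        if CMDPROC_RE.match(line):
            return "Command Processor AutoRun executes a binary every time cmd.exe starts"
        m = RUN_RE.match(line)
        if m and any(d in m.group("rest").lower() for d in STAGING_DIRS):
            return "autorun launches from a Temp or Downloads directory"
        if "<====" in line and "ATTENTION" in line:
            return "flagged by FRST"
        return None
    if section.startswith("Drivers"):
        m = DRIVER_RE.match(line)
        if m and re.fullmatch(r"[a-z]{8}", m.group("svc")):
            return "driver service with a random 8-letter name and a missing file"
        return None
    if section.startswith("One Month Created"):
        m = FILE_RE.match(line)
        if m and m.group("company") is None and HEX_BLOB_RE.search(m.group("path")):
            return "unsigned hex-named blob dropped directly under AppData"
    return None


def triage(log_text: str) -> list[Finding]:
    """Walk the log section by section and collect the suspicious lines."""
    findings: list[Finding] = []
    section: str | None = None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            if section == "ZeroAccess":  # that block ends at the first blank line
                section = None
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if line == "ZeroAccess:":
            section = "ZeroAccess"
            continue
        reason = classify(section, line)
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


def build_fixlist(findings: list[Finding]) -> str:
    """Registry and driver hits are copied verbatim; file hits become bare paths."""
    out = []
    for f in findings:
        m = FILE_RE.match(f.line) if f.section.startswith("One Month") else None
        out.append(m.group("path") if m else f.line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"[{h.section}] {h.reason}\n    {h.line}")
    print("\n--- fixlist.txt ---\n" + build_fixlist(hits))
```

Run it as-is to see the nine flagged entries and the drafted fixlist; on a real case, feed it the full FRST.txt and review every line before it goes into fixlist.txt, since a heuristic like "launches from Downloads" also catches legitimate installers. Note also that the Fix result later in this thread reports "Value not found" for the bracketed Torrent2Exe value name, with the whole log line echoed back as the value name, so entries whose names contain square brackets appear to need removing by hand rather than through the fixlist.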
 
 
 

Hi MrC, thank you for the prompt help! I am in the process of changing all our banking and financial passwords, etc., from the clean PC I am currently typing from. I ran the txt file you provided and it still does not boot normally (with the internet cable disconnected).

 

Here's the attached file from the fix (it won't upload as an attachment)

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 22-06-2013 02
Ran by SYSTEM at 2013-06-21 11:01:53 Run:1
Running from K:\
Boot Mode: Recovery
==============================================

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore => Value deleted successfully.
HKU\Beetz\Software\Microsoft\Windows\CurrentVersion\Run\\HKU\Beetz\...\Run: [Torrent2Exe[55bc15411c4be6287d582cff80167e16479072f4]] C:\Users\Beetz\Downloads\ShesOutOfMyLeague[2010]dvdripaxxo.exe [x] => Value not found.
HKU\Beetz\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value deleted successfully.
HKU\Beetz\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKU\Beetz\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.
C:\Users\Beetz\Downloads\ShesOutOfMyLeague[2010]dvdripaxxo.exe  => File/Directory not found.
C:\Users\Beetz\AppData\Local\Temp\nopeaetltadttwdoy.exe  => File/Directory not found.
lbweizkj => Service deleted successfully.
C:\Windows\system32\drivers\lbweizkj.sys  => File/Directory not found.
C:\Users\Beetz\Local Settings\Application Data\2433f433 => Moved successfully.
C:\Users\Beetz\Local Settings\2433f433 => File/Directory not found.
C:\Users\Beetz\AppData\Local\2433f433 => File/Directory not found.
C:\Users\Beetz\Application Data\2433f433 => Moved successfully.
C:\Users\Beetz\AppData\Roaming\2433f433 => File/Directory not found.
C:\$Recycle.Bin\S-1-5-21-2103324274-264647483-924665500-1000\$aecdebeef706012bb2a44720af1bbf9c => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-2103324274-264647483-924665500-1000\$aecdebeef706012bb2a44720af1bbf9c\@ => File/Directory not found.
C:\$Recycle.Bin\S-1-5-21-2103324274-264647483-924665500-1000\$aecdebeef706012bb2a44720af1bbf9c\L => File/Directory not found.
C:\$Recycle.Bin\S-1-5-21-2103324274-264647483-924665500-1000\$aecdebeef706012bb2a44720af1bbf9c\U => File/Directory not found.
C:\$Recycle.Bin\S-1-5-21-2103324274-264647483-924665500-1000\$aecdebeef706012bb2a44720af1bbf9c\L\00000004.@ => File/Directory not found.

==== End of Fixlog ====


Here are the results of the second FRST scan I just completed.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 22-06-2013 02
Ran by SYSTEM on 21-06-2013 11:28:16
Running from L:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet003
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8306208 2009-10-20] (Realtek Semiconductor)
HKLM\...\Run: [iAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
HKLM-x32\...\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m [1807680 2010-02-09] ()
HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-12-29] (CyberLink Corp.)
HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
HKLM-x32\...\Run: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1532992 2013-03-13] (McAfee, Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2011-03-07] (Apple Inc.)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM-x32\...\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup [309184 2012-03-28] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2012-12-18] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKU\Beetz\...\Run: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [719672 2012-01-20] (Microsoft Corporation)
HKU\Beetz\...\Run: [Torrent2Exe[55bc15411c4be6287d582cff80167e16479072f4]] C:\Users\Beetz\Downloads\ShesOutOfMyLeague[2010]dvdripaxxo.exe [x]
HKU\Beetz\...\Run: [Google Update] "C:\Users\Beetz\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-01-03] (Google Inc.)
HKU\Beetz\...\Run: [DelayShred] "c:\PROGRA~1\mcafee\mqs\ShrCL.EXE" /P1 /q "F:\DCIM\100CASIO\CIMG0363.JPG" "F:\DCIM\100CASIO\CIMG0367.JPG" "F:\DCIM\100CASIO\CIMG0364.JPG" "F:\DCIM\100CASIO\CIMG0365.JPG" "F:\DCIM\100CASIO\CIMG0366.JPG" [x]
Startup: C:\Users\Beetz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Beetz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Beetz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XPlay.lnk
ShortcutTarget: XPlay.lnk -> C:\Program Files\Commons\xplay.exe (Insight Technology Ltd.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Services (Whitelisted) =================

S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 mcmscsvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [383608 2012-11-16] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [241456 2013-02-19] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-02-19] (McAfee, Inc.)
S2 mfevtp; C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe [182752 2013-02-19] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 NitroReaderDriverReadSpool3; C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe [230416 2012-10-30] (Nitro PDF Software)
S3 wcncsvc; C:\Windows\System32\wcncsvc.dll [367104 2010-11-20] ()

==================== Drivers (Whitelisted) ====================

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-02-19] (McAfee, Inc.)
S3 dsNcAdpt; C:\Windows\System32\DRIVERS\dsNcAdX64.sys [29184 2009-03-26] (Juniper Networks)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179280 2013-02-19] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309840 2013-02-19] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515968 2013-02-19] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340216 2013-02-19] (McAfee, Inc.)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-06-20 15:51 - 2013-06-20 15:51 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-06-20 10:15 - 2013-06-20 10:15 - 00000000 ____D C:\FRST
2013-06-20 08:28 - 2013-06-20 08:28 - 00000000 ____D C:\ProgramData\HitmanPro
2013-06-20 08:28 - 2013-06-20 08:28 - 00000000 ____D C:\ProgramData\Application Data\HitmanPro
2013-06-16 02:00 - 2013-06-08 09:08 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-16 02:00 - 2013-06-08 09:07 - 19233792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-16 02:00 - 2013-06-08 09:06 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-16 02:00 - 2013-06-08 09:06 - 02648064 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-16 02:00 - 2013-06-08 09:06 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-16 02:00 - 2013-06-08 07:28 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-16 02:00 - 2013-06-08 06:42 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-16 02:00 - 2013-06-08 06:40 - 14327808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-16 02:00 - 2013-06-08 06:40 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-16 02:00 - 2013-06-08 06:40 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-16 02:00 - 2013-06-08 06:40 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-16 02:00 - 2013-06-08 06:13 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-13 19:09 - 2013-06-14 17:35 - 00009251 ____A C:\Users\Beetz\My Documents\Birthdays.xlsx
2013-06-13 19:09 - 2013-06-14 17:35 - 00009251 ____A C:\Users\Beetz\Documents\Birthdays.xlsx
2013-06-12 02:01 - 2013-05-16 20:25 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-06-12 02:01 - 2013-05-16 20:25 - 01767936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-06-12 02:01 - 2013-05-16 20:25 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-06-12 02:01 - 2013-05-16 20:25 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-06-12 02:01 - 2013-05-16 20:25 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-06-12 02:01 - 2013-05-16 20:25 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-06-12 02:01 - 2013-05-16 20:25 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-06-12 02:01 - 2013-05-16 20:25 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-06-12 02:01 - 2013-05-16 19:59 - 02241024 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-12 02:01 - 2013-05-16 19:59 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-06-12 02:01 - 2013-05-16 19:58 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-12 02:01 - 2013-05-16 19:58 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-12 02:01 - 2013-05-16 19:58 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-12 02:01 - 2013-05-16 19:58 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-06-12 02:01 - 2013-05-16 19:58 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-06-12 02:01 - 2013-05-16 19:58 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-12 02:01 - 2013-05-16 19:58 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-06-12 02:01 - 2013-05-14 07:23 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-06-12 02:01 - 2013-05-14 03:40 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-06-11 19:20 - 2013-05-08 01:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-11 19:20 - 2013-04-26 00:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-11 19:20 - 2013-04-25 23:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-06-11 19:19 - 2013-05-13 00:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-11 19:19 - 2013-05-13 00:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-11 19:19 - 2013-05-13 00:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-11 19:19 - 2013-05-13 00:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-11 19:19 - 2013-05-12 23:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-06-11 19:19 - 2013-05-12 23:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-06-11 19:19 - 2013-05-12 23:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-06-11 19:19 - 2013-05-12 22:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-11 19:19 - 2013-05-12 22:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2013-06-11 19:19 - 2013-05-12 22:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
2013-06-11 19:19 - 2013-05-10 00:49 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-11 19:19 - 2013-05-09 22:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll
2013-06-11 19:19 - 2013-04-25 18:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
2013-06-11 19:19 - 2013-04-17 02:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2013-06-11 19:19 - 2013-04-17 01:24 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-06-11 19:19 - 2013-03-31 17:52 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll

==================== One Month Modified Files and Folders =======

2013-06-21 10:04 - 2010-10-12 17:51 - 00054842 ____A C:\Windows\setupact.log
2013-06-21 10:04 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-21 08:27 - 2010-07-25 19:14 - 00000000 ____D C:\users\Beetz
2013-06-20 20:40 - 2009-07-14 00:13 - 00005168 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-20 15:51 - 2013-06-20 15:51 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-06-20 14:07 - 2013-04-18 07:37 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2013-06-20 14:07 - 2013-03-13 22:17 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-06-20 14:07 - 2013-03-13 22:17 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-06-20 14:07 - 2013-03-09 17:09 - 00000000 ____D C:\Program Files\Commons
2013-06-20 14:07 - 2012-10-15 18:17 - 00000000 ____D C:\Users\Beetz\Application Data\ICAClient
2013-06-20 14:07 - 2012-10-15 18:17 - 00000000 ____D C:\Users\Beetz\AppData\Roaming\ICAClient
2013-06-20 14:07 - 2012-06-20 10:39 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-06-20 14:07 - 2011-03-11 15:35 - 00000000 ____D C:\Program Files\iTunes
2013-06-20 14:07 - 2011-03-11 15:35 - 00000000 ____D C:\Program Files\iPod
2013-06-20 14:07 - 2011-03-11 15:35 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-06-20 14:07 - 2011-03-11 15:34 - 00000000 ____D C:\Program Files (x86)\QuickTime
2013-06-20 14:07 - 2011-03-11 15:33 - 00000000 ____D C:\Program Files\Bonjour
2013-06-20 14:07 - 2011-03-11 15:33 - 00000000 ____D C:\Program Files (x86)\Bonjour
2013-06-20 14:07 - 2010-10-17 15:53 - 00000000 ___SD C:\Users\Beetz\My Documents\My Data Sources
2013-06-20 14:07 - 2010-10-17 15:53 - 00000000 ___SD C:\Users\Beetz\Documents\My Data Sources
2013-06-20 14:07 - 2010-09-17 11:13 - 00000000 ____D C:\Program Files (x86)\Coupons
2013-06-20 14:07 - 2010-08-26 12:53 - 00000000 ____D C:\Program Files (x86)\DivX
2013-06-20 14:07 - 2010-08-19 06:08 - 00000000 ____D C:\Program Files (x86)\Microsoft Synchronization Services
2013-06-20 14:07 - 2010-08-19 06:07 - 00000000 ____D C:\Program Files (x86)\Microsoft Visual Studio 8
2013-06-20 14:07 - 2010-08-14 16:13 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-06-20 14:07 - 2010-07-25 19:17 - 00000000 ____D C:\Users\Beetz\Local Settings\Stardock_Corporation
2013-06-20 14:07 - 2010-07-25 19:17 - 00000000 ____D C:\Users\Beetz\Local Settings\Application Data\Stardock_Corporation
2013-06-20 14:07 - 2010-07-25 19:17 - 00000000 ____D C:\Users\Beetz\AppData\Local\Stardock_Corporation
2013-06-20 14:07 - 2010-07-15 11:28 - 00000000 ____D C:\dell
2013-06-20 14:07 - 2010-07-15 10:48 - 00000000 ____D C:\Program Files\Realtek
2013-06-20 14:07 - 2010-07-15 09:07 - 00000000 ____D C:\ProgramData\McAfee
2013-06-20 14:07 - 2010-07-15 09:07 - 00000000 ____D C:\ProgramData\Application Data\McAfee
2013-06-20 14:07 - 2010-07-15 08:59 - 00000000 ____D C:\Program Files (x86)\Windows Live
2013-06-20 14:07 - 2010-07-15 08:55 - 00000000 ____D C:\Program Files (x86)\Microsoft CAPICOM 2.1.0.2
2013-06-20 14:07 - 2010-07-15 08:55 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Online
2013-06-20 14:07 - 2010-07-15 08:55 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-06-20 14:07 - 2010-07-15 08:54 - 00000000 ____D C:\Program Files (x86)\Citrix
2013-06-20 14:07 - 2009-07-14 02:44 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-06-20 14:07 - 2009-07-14 00:32 - 00000000 ____D C:\Windows\System32\restore
2013-06-20 14:07 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files\Windows Sidebar
2013-06-20 14:07 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files\DVD Maker
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 __RSD C:\Windows\Media
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 __RHD C:\Users\Public\Libraries
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\System32\spp
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\System32\migwiz
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\servicing
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\IME
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\Cursors
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\Branding
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\AppCompat
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files\Common Files\System
2013-06-20 14:07 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-06-20 11:11 - 2012-01-03 16:53 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2103324274-264647483-924665500-1000UA.job
2013-06-20 11:09 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2013-06-20 11:08 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-06-20 10:15 - 2013-06-20 10:15 - 00000000 ____D C:\FRST
2013-06-20 08:28 - 2013-06-20 08:28 - 00000000 ____D C:\ProgramData\HitmanPro
2013-06-20 08:28 - 2013-06-20 08:28 - 00000000 ____D C:\ProgramData\Application Data\HitmanPro
2013-06-20 07:27 - 2010-08-14 05:36 - 00000000 ____D C:\Users\Beetz\Application Data\Macromedia
2013-06-20 07:27 - 2010-08-14 05:36 - 00000000 ____D C:\Users\Beetz\AppData\Roaming\Macromedia
2013-06-20 07:24 - 2009-07-14 00:10 - 01980201 ____A C:\Windows\WindowsUpdate.log
2013-06-20 07:14 - 2013-04-18 07:35 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-19 20:21 - 2012-01-03 16:53 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2103324274-264647483-924665500-1000Core.job
2013-06-17 19:59 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-17 19:59 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-17 14:36 - 2010-11-27 10:06 - 00156672 ____A C:\Users\Beetz\My Documents\Master Address List.xls
2013-06-17 14:36 - 2010-11-27 10:06 - 00156672 ____A C:\Users\Beetz\Documents\Master Address List.xls
2013-06-14 17:35 - 2013-06-13 19:09 - 00009251 ____A C:\Users\Beetz\My Documents\Birthdays.xlsx
2013-06-14 17:35 - 2013-06-13 19:09 - 00009251 ____A C:\Users\Beetz\Documents\Birthdays.xlsx
2013-06-11 20:04 - 2012-10-16 14:03 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-06-11 20:04 - 2011-06-05 09:02 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-06-08 09:08 - 2013-06-16 02:00 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-08 09:07 - 2013-06-16 02:00 - 19233792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-08 09:06 - 2013-06-16 02:00 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-08 09:06 - 2013-06-16 02:00 - 02648064 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-08 09:06 - 2013-06-16 02:00 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-08 07:28 - 2013-06-16 02:00 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-08 06:42 - 2013-06-16 02:00 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-08 06:40 - 2013-06-16 02:00 - 14327808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-08 06:40 - 2013-06-16 02:00 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-08 06:40 - 2013-06-16 02:00 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-08 06:40 - 2013-06-16 02:00 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-08 06:13 - 2013-06-16 02:00 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-07 10:12 - 2013-03-27 19:31 - 00318464 __ASH C:\Users\Beetz\Desktop\Thumbs.db
2013-06-01 12:17 - 2013-05-04 19:44 - 00000000 ____D C:\Users\Beetz\Desktop\Yamaha Waverunner III
2013-05-26 10:15 - 2010-07-15 10:47 - 00580460 ____A C:\Windows\PFRO.log

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-05-16 02:01:00
Restore point made on: 2013-05-23 17:53:00
Restore point made on: 2013-05-31 07:38:59
Restore point made on: 2013-06-08 08:26:32
Restore point made on: 2013-06-12 02:00:43
Restore point made on: 2013-06-16 02:00:44

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 4060.98 MB
Available physical RAM: 3447.83 MB
Total Pagefile: 4059.13 MB
Available Pagefile: 3438.88 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:690.47 GB) (Free:575.78 GB) NTFS (Disk=0 Partition=3)
Drive e: (RECOVERY) (Fixed) (Total:8.12 GB) (Free:3.65 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]
Drive l: (HITMANPRO) (Removable) (Total:1.95 GB) (Free:1.91 GB) NTFS (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 699 GB) (Disk ID: 48E2F468)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=690 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 6FB65E5B)
Partition 1: (Active) - (Size=2 GB) - (Type=07 NTFS)


LastRegBack: 2013-06-13 19:43

==================== End Of Log ============================

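The `Run` entries in the log above are what a helper reads first: the value name, the target path, whether FRST found the file on disk (`[x]` means it did not), and the publisher recorded in the file's version info. The following Python script is an added illustration, not FRST's code and not anything posted in this thread. It parses FRST-style `Run`/`RunOnce` lines and flags the traits visible in this log: a missing target, a target under Downloads or Temp, an empty publisher field, and a random-looking value name such as the one the fixlog deleted. The sample lines are constructed to match the format of the entries quoted above; the target path on the last sample line is a placeholder, not a path from the logs.

```python
import re

# Constructed sample modelled on the FRST "Registry (Whitelisted)" lines quoted in this thread.
# The last entry's target path is a made-up placeholder, not a path taken from the logs.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8306208 2009-10-20] (Realtek Semiconductor)
HKLM-x32\...\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m [1807680 2010-02-09] ()
HKU\Beetz\...\Run: [Google Update] "C:\Users\Beetz\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-01-03] (Google Inc.)
HKU\Beetz\...\Run: [Torrent2Exe[55bc15411c4be6287d582cff80167e16479072f4]] C:\Users\Beetz\Downloads\ShesOutOfMyLeague[2010]dvdripaxxo.exe [x]
HKU\Beetz\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Beetz\AppData\Local\Temp\CONSTRUCTED_sample.exe [x]

==================== Services (Whitelisted) =================
"""

# FRST prints autoruns as: <hive>\...\<Run|RunOnce>: [<value name>] <target> [<size> <date>] (<publisher>)
# A target FRST could not find on disk ends in "[x]" instead of the size/date/publisher fields.
RUN_LINE = re.compile(r'^(?P<hive>HK.*?)\\\.\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>.*?)\] (?P<rest>.*)$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl|scr|bat|cmd|vbs|js)', re.IGNORECASE)
SIGNER_RE = re.compile(r'\((?P<signer>[^()]*)\)\s*$')

# Locations a logged-in user can write to without elevation; common drop points for downloaders.
USER_DROP_DIRS = ('\\downloads\\', '\\appdata\\local\\temp\\', '\\desktop\\', '\\users\\public\\')


def looks_random(name):
    """Heuristic: one long lowercase alphanumeric token mixing letters and digits."""
    return (re.fullmatch(r'[a-z0-9]{16,}', name) is not None
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def parse_run_entry(line):
    """Split one FRST Run/RunOnce line into its fields; return None for any other line."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    rest = m.group('rest')
    path_match = PATH_RE.search(rest)
    signer_match = SIGNER_RE.search(rest)
    return {
        'hive': m.group('hive'),
        'key': m.group('key'),
        'name': m.group('name'),
        'path': path_match.group(0) if path_match else None,
        # FRST writes "[x]" when the referenced file does not exist on disk.
        'missing': rest.rstrip().endswith('[x]'),
        # '' means FRST found the file but its version info names no publisher; None means no field at all.
        'signer': signer_match.group('signer').strip() if signer_match else None,
    }


def flags_for(entry):
    """Return the review flags for one parsed entry (an empty list means nothing stood out)."""
    flags = []
    if entry['missing']:
        flags.append('target file missing')
    path = (entry['path'] or '').lower()
    if any(d in path for d in USER_DROP_DIRS):
        flags.append('runs from a user-writable drop location')
    if entry['signer'] == '':
        flags.append('no publisher recorded')
    if looks_random(entry['name']):
        flags.append('random-looking value name')
    return flags


def triage(log_text):
    """Return every Run/RunOnce entry in an FRST log that raised at least one flag."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_run_entry(line)
        if entry is None:
            continue
        flags = flags_for(entry)
        if flags:
            entry['flags'] = flags
            findings.append(entry)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['hive']}\\...\\{f['key']} [{f['name']}] -> {f['path']}: {', '.join(f['flags'])}")
```

The flags are prompts for review, not verdicts: the Dell entry is flagged only because its file carries no publisher string, while the two `[x]` entries under the user's profile are the ones that match what the fixlog removed.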

Nope. Windows won't load in normal or safe mode... It loads the Windows banner, and then sits at a black screen the rest of the time, as I watch the hard drive light spin and spin.

 

Is there a way to remove stuff out of the registry with command prompt/regedit?

 

Here's the fixlog:

(added as attachment)

 

Here are the results of the FRST #3 scan, post fix attempt #2.

(added as attachment)

FRST.txt

Fixlog.txt


We already removed all the registry entries associated with the malware.

 

We can restore the registry back to 2013-06-13 19:43.

 

If it doesn't boot, I can suggest you try Kaspersky Rescue Disk and WindowsUnlocker (it also has a registry editor built in that can be used).

You can also try system restore if you can get to it.


 

Run the attached fixlist.txt as before.

 

Let me know.....MrC

  • Fix log attached (couldn't boot to Windows after fix log).
  • System Restore ran and threw the following error at the very end:

"System Restore did not complete successfully. Your computer's system files and settings were not changed.

Details: System Restore failed while deleting the following file/directory: Path: c:\     An unspecified error occurred during System Restore (0x8000ffff)

You can try System Restore again and choose a different restore point."

 

  • Off to go download and run Kaspersky. Be back in about an hour-ish.

Fixlog.txt


It finished running. Found two trojans, both of which Kaspersky said it could not quarantine and recommended that I skip and do nothing. The two trojans are:

 

HEUR:Exploit.Java.CVE-2013-1493.a   & HEUR: Trojan-Downloader.Win32.Generic

 

Not sure how to get the log files to you since the infected PC still cannot connect to the internet and I still can't get to the Windows login.


Are you still getting the FBI screen or does it just not want to boot?
 
For now try the "Startup Repair" option.
 
 
----------------------------------------------
 
I see you have tried HitmanPro, can you take this out of the line up:
Drive k: (HITMANPRO) (Removable) (Total:1.95 GB) (Free:1.91 GB) NTFS (Disk=2 Partition=1)

 

 

On occasion this has prevented the computer from booting normally.
 
------------------------------
 
If no luck with those.......
 
Run another scan with FRST but this time uncheck all 6 of the boxes listed under Whitelist.
 
MrC
 

I took out HitmanPro (it was on a USB stick) and also tried Startup Repair. Neither of them solved the issue: it still won't let me even get to the Windows environment. It just starts its normal boot process, shows the Windows logo and then goes on to a black screen... no login to Windows ever pops up.

 

We actually just plugged the hard drive into another tower last night and copied relevant files to an external drive. I need to put the computer back together and then will post the FRST results.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
