MoneyPak - Residual Issues


ShadMP

My computer was infected with MoneyPak (FBI notice on some boots and a plain white screen on others; was not able to boot in safe mode, safe mode with networking), and through my readings I was able to boot in safe mode with command prompt, run explorer.exe, and create a new user through which I could run MBAM.  

 

I was then able to boot normally. However, when I log into my user account, I still get a plain white screen for a few seconds, after which my usual desktop appears. This did not happen prior to being infected, and the white screen is just like what MoneyPak would show prior to running MBAM. Once the desktop loads, everything seems to be running normally, including the internet and Microsoft Security Essentials. I'm wondering if I haven't cleaned all of it out. Any suggestions would be a great help.

DDS Log:

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16686  BrowserJavaVersion: 1.6.0_37
Run by Shad at 15:18:50 on 2013-10-06
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.4095.2552 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Users\Shad\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe
C:\Users\Shad\AppData\Local\Google\Update\1.3.21.153\GoogleCrashHandler.exe
C:\Users\Shad\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Users\Shad\AppData\Local\Google\Update\1.3.21.153\GoogleCrashHandler64.exe
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\ehome\ehRecvr.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uProxyOverride = 127.0.0.1:9421;<local>
mWinlogon: Userinit = userinit.exe,
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: DivX HiQ: {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: SteadyVideoBHO Class: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files (x86)\AMD\SteadyVideo\SteadyVideo.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Google Update] "C:\Users\Shad\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Akamai NetSession Interface] "C:\Users\Shad\AppData\Local\Akamai\netsession_win.exe"
uRun: [HydraVisionDesktopManager] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe"
mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
TCP: NameServer = 136.142.57.10 136.142.188.73 136.142.188.76
TCP: Interfaces\{2BC47A3A-3967-441A-B56A-440A01287FFE} : DHCPNameServer = 136.142.57.10 136.142.188.73 136.142.188.76
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: SteadyVideoBHO Class: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [POWER PLAN ASSISTANT] C:\Program Files\PowerPlanAssistant\PowerPlanAssistantLauncher.exe
x64-Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [Logitech Download Assistant] C:\Windows\System32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll
x64-Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Shad\AppData\Roaming\Mozilla\Firefox\Profiles\3d9k9fsh.default\
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
FF - plugin: C:\Users\Shad\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Users\Shad\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Shad\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Users\Shad\AppData\Roaming\Mozilla\plugins\npo1d.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_168.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
P2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-1-22 8704]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-6-18 247216]
R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\System32\drivers\ctxusbm.sys [2011-6-29 91864]
R1 NEOFLTR_650_16339;Juniper Networks TDI Filter Driver (NEOFLTR_650_16339);C:\Windows\System32\drivers\NEOFLTR_650_16339.SYS [2012-5-19 100472]
R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-13 27136]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-12-19 240640]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-12-19 361984]
R2 AODDriver4.01;AODDriver4.01;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-4-9 57472]
R3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2011-1-3 46136]
R3 AngelUsb;Angel USB MPEG Device;C:\Windows\System32\drivers\AngelUsb.sys [2009-6-10 429952]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-11-6 96256]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;C:\Windows\System32\drivers\hitmanpro37.sys [2013-10-6 32512]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;C:\Windows\System32\drivers\LEqdUsb.sys [2011-9-2 76056]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;C:\Windows\System32\drivers\LHidEqd.sys [2011-9-2 15128]
R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2012-9-21 351520]
R3 LVUVC64;Logitech HD Webcam C310(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2012-9-21 4763680]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-2-24 78336]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-2-24 181248]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2011-11-30 54400]
S2 AODDriver4.2;AODDriver4.2;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-4-9 57472]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-10-5 418376]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-10-5 701512]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Program Files (x86)\Dragon Age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-10-5 25928]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2010-10-24 139616]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-6-20 366600]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-1-1 19456]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-1-1 57856]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-9-19 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
S4 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-7 161384]
.
=============== Created Last 30 ================
.
2013-10-06 15:14:56 32512 ----a-w- C:\Windows\System32\drivers\hitmanpro37.sys
2013-10-06 14:50:24 -------- d-----w- C:\ProgramData\HitmanPro
2013-10-05 18:00:08 9694160 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{995C67CD-217C-4319-84DA-4B334E1E071A}\mpengine.dll
2013-10-05 05:44:52 -------- d-----w- C:\ProgramData\Malwarebytes
2013-10-05 05:44:50 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-10-05 05:44:50 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-04 17:00:20 9694160 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-09-12 17:55:38 155584 ----a-w- C:\Windows\System32\drivers\ataport.sys
.
==================== Find3M  ====================
.
2013-10-05 17:22:04 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-05 17:22:04 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-09-22 14:50:21 205 ----a-w- C:\Windows\SysWow64\lsprst7.dll
2013-08-10 05:22:18 2241024 ----a-w- C:\Windows\System32\wininet.dll
2013-08-10 05:20:59 3959296 ----a-w- C:\Windows\System32\jscript9.dll
2013-08-10 05:20:55 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-08-10 05:20:55 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-08-10 03:59:10 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-08-10 03:58:09 2876928 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-08-10 03:58:06 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-08-10 03:58:06 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-08-10 03:17:38 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-08-10 03:07:50 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-08-10 02:27:59 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-08-10 02:17:19 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-08-08 01:20:43 3155456 ----a-w- C:\Windows\System32\win32k.sys
2013-08-02 02:23:53 5550528 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-08-02 02:15:44 1732032 ----a-w- C:\Windows\System32\ntdll.dll
2013-08-02 02:15:03 362496 ----a-w- C:\Windows\System32\wow64win.dll
2013-08-02 02:15:03 243712 ----a-w- C:\Windows\System32\wow64.dll
2013-08-02 02:15:03 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2013-08-02 02:14:57 215040 ----a-w- C:\Windows\System32\winsrv.dll
2013-08-02 02:14:11 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2013-08-02 02:13:34 424448 ----a-w- C:\Windows\System32\KernelBase.dll
2013-08-02 01:59:30 3968960 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-08-02 01:59:30 3913664 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-08-02 01:51:23 1292192 ----a-w- C:\Windows\SysWow64\ntdll.dll
2013-08-02 01:50:42 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2013-08-02 01:50:42 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2013-08-02 01:09:17 338432 ----a-w- C:\Windows\System32\conhost.exe
2013-08-02 00:59:09 112640 ----a-w- C:\Windows\System32\smss.exe
2013-08-02 00:45:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2013-08-02 00:45:36 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2013-08-02 00:45:35 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2013-08-02 00:45:34 2048 ----a-w- C:\Windows\SysWow64\user.exe
2013-08-02 00:43:05 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2013-07-25 09:25:54 1888768 ----a-w- C:\Windows\System32\WMVDECOD.DLL
2013-07-25 08:57:27 1620992 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
2013-07-19 01:58:42 2048 ----a-w- C:\Windows\System32\tzres.dll
2013-07-19 01:41:01 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2013-07-09 05:52:52 224256 ----a-w- C:\Windows\System32\wintrust.dll
2013-07-09 05:51:16 1217024 ----a-w- C:\Windows\System32\rpcrt4.dll
2013-07-09 05:46:20 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-07-09 05:46:20 1472512 ----a-w- C:\Windows\System32\crypt32.dll
2013-07-09 05:46:20 139776 ----a-w- C:\Windows\System32\cryptnet.dll
2013-07-09 04:52:33 663552 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
2013-07-09 04:52:10 175104 ----a-w- C:\Windows\SysWow64\wintrust.dll
2013-07-09 04:46:31 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-07-09 04:46:31 1166848 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-07-09 04:46:31 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2006-05-03 15:06:54 163328 --sha-r- C:\Windows\SysWOW64\flvDX.dll
2007-02-21 16:47:16 31232 --sha-r- C:\Windows\SysWOW64\msfDX.dll
2008-03-16 18:30:52 216064 --sha-r- C:\Windows\SysWOW64\nbDX.dll
2010-01-07 03:00:00 107520 --sha-r- C:\Windows\SysWOW64\TAKDSDecoder.dll
.
============= FINISH: 15:19:01.71 ===============

Welcome to the forum, here's how we deal with that malware (must be run on the infected account):

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

    Plug the flash drive into the infected PC.

  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt

    Select Command Prompt.

    Once in the Command Prompt:

    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter

      Note: Replace letter e with the drive letter of your flash drive.

    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
MrC

Thank you for your help, MrC!

Here is the FRST log:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-10-2013
Ran by SYSTEM on MININT-SGUQ2OQ on 06-10-2013 16:18:08
Running from E:\
Windows 7 Ultimate (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet002
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [POWER PLAN ASSISTANT] - C:\Program Files\PowerPlanAssistant\PowerPlanAssistantLauncher.exe
HKLM\...\Run: [EvtMgr6] - C:\Program Files\Logitech\SetPointP\SetPoint.exe [1744152 2011-10-07] (Logitech, Inc.)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1356240 2013-06-20] (Microsoft Corporation)
HKLM\...\Run: [Logitech Download Assistant] - C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKLM-x32\...\Run: [ATICustomerCare] - C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe [311296 2010-03-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [NUSB3MON] - C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113296 2010-03-30] (NEC Electronics Corporation)
HKLM-x32\...\Run: [ConnectionCenter] - C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [362432 2011-12-22] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [startCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642808 2012-12-19] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKU\Shad\...\Run: [Google Update] - C:\Users\Shad\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2010-09-18] (Google Inc.)
HKU\Shad\...\Run: [Akamai NetSession Interface] - C:\Users\Shad\AppData\Local\Akamai\netsession_win.exe [4489472 2013-06-04] (Akamai Technologies, Inc.)
HKU\Shad\...\Run: [HydraVisionDesktopManager] - C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe [393216 2011-11-18] (AMD)
HKU\Shad\...\Winlogon: [shell] explorer.exe <==== ATTENTION 
HKU\VirusRemove\...\Run: [HydraVisionDesktopManager] - C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe [393216 2011-11-18] (AMD)
 
==================== Services (Whitelisted) =================
 
S2 Akamai; c:\program files (x86)\common files\akamai/netsession_win_8fa3539.dll [4569856 2013-07-01] (Akamai Technologies, Inc.)
S2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-12-19] (Advanced Micro Devices, Inc.)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-06-20] (Microsoft Corporation)
S2 MySQL; C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe [7599616 2009-08-18] ()
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366600 2013-06-20] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
S3 AngelUsb; C:\Windows\System32\DRIVERS\AngelUsb.sys [429952 2009-06-10] (Lumanate, Inc.)
S2 AODDriver4.01; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [57472 2012-04-09] (Advanced Micro Devices)
S2 AODDriver4.2; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [57472 2012-04-09] (Advanced Micro Devices)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [32512 2013-10-06] ()
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [247216 2013-06-18] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [139616 2013-06-18] (Microsoft Corporation)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [x]
S3 tsusbhub; system32\drivers\tsusbhub.sys [x]
S3 VGPU; System32\drivers\rdvgkmd.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-10-06 16:17 - 2013-10-06 16:17 - 00000000 ____D C:\FRST
2013-10-06 12:07 - 2013-10-04 21:29 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Shad\Desktop\mbam-setup-1.75.0.1300.exe
2013-10-06 12:06 - 2013-10-06 12:06 - 01954124 _____ (Farbar) C:\Users\Shad\Desktop\FRST64.exe
2013-10-06 11:20 - 2013-10-06 11:20 - 00000000 ____D C:\Users\Shad\Desktop\DDS
2013-10-06 07:14 - 2013-10-06 07:14 - 00032512 _____ C:\Windows\System32\Drivers\hitmanpro37.sys
2013-10-06 07:13 - 2013-10-06 07:13 - 00000570 _____ C:\Windows\System32\.crusader
2013-10-06 06:50 - 2013-10-06 07:13 - 00000000 ____D C:\ProgramData\HitmanPro
2013-10-06 06:50 - 2013-10-06 06:50 - 09879648 _____ (SurfRight B.V.) C:\Users\Shad\Desktop\HitmanPro_x64.exe
2013-10-06 06:43 - 2013-10-06 06:43 - 00602112 _____ (OldTimer Tools) C:\Users\Shad\Desktop\OTL.exe
2013-10-06 06:41 - 2013-10-06 06:41 - 02237968 _____ (Kaspersky Lab ZAO) C:\Users\Shad\Desktop\tdsskiller.exe
2013-10-06 06:29 - 2013-10-06 06:39 - 00002228 _____ C:\Users\Shad\Desktop\Rkill.txt
2013-10-05 09:22 - 2013-10-05 09:22 - 00000000 ____D C:\Users\VirusRemove\AppData\Roaming\Macromedia
2013-10-05 09:21 - 2013-10-05 09:22 - 00000000 ____D C:\Users\VirusRemove\AppData\Local\Adobe
2013-10-05 09:17 - 2013-10-05 09:17 - 00000000 ____D C:\Users\VirusRemove\AppData\Local\Google
2013-10-05 07:51 - 2013-10-05 08:17 - 00002286 _____ C:\Users\VirusRemove\Desktop\Rkill.txt
2013-10-05 07:51 - 2013-10-05 07:51 - 01898112 _____ (Bleeping Computer, LLC) C:\Users\VirusRemove\Desktop\rkill.com
2013-10-05 07:51 - 2013-10-05 07:51 - 01898112 _____ (Bleeping Computer, LLC) C:\Users\Shad\Desktop\rkill.com
2013-10-05 07:51 - 2013-10-05 07:51 - 00000000 ____D C:\Users\VirusRemove\Desktop\rkill
2013-10-04 21:45 - 2013-10-04 21:45 - 00000000 ____D C:\Users\VirusRemove\AppData\Roaming\Malwarebytes
2013-10-04 21:44 - 2013-10-04 21:49 - 00001109 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-04 21:44 - 2013-10-04 21:49 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-04 21:44 - 2013-10-04 21:44 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-10-04 21:44 - 2013-10-04 21:29 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\VirusRemove\Desktop\mbam-setup-1.75.0.1300.exe
2013-10-04 21:44 - 2013-04-04 10:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-10-04 21:04 - 2013-10-04 21:04 - 00000000 ____D C:\Users\VirusRemove\AppData\Roaming\ICAClient
2013-10-04 21:04 - 2013-10-04 21:04 - 00000000 ____D C:\Users\VirusRemove\AppData\Roaming\ATI
2013-10-04 21:04 - 2013-10-04 21:04 - 00000000 ____D C:\Users\VirusRemove\AppData\Local\ATI
2013-10-04 21:04 - 2013-10-04 21:04 - 00000000 ____D C:\Users\VirusRemove\AppData\Local\AMD
2013-10-04 21:03 - 2013-10-04 21:04 - 00000000 ____D C:\Users\VirusRemove\AppData\Local\Citrix
2013-10-04 21:03 - 2013-10-04 21:03 - 00119080 _____ C:\Users\VirusRemove\AppData\Local\GDIPFONTCACHEV1.DAT
2013-10-04 21:03 - 2013-10-04 21:03 - 00000000 ____D C:\Users\VirusRemove\AppData\Roaming\Logitech
2013-10-04 21:03 - 2013-10-04 21:03 - 00000000 ____D C:\Users\VirusRemove\AppData\Roaming\Adobe
2013-10-04 21:03 - 2013-10-04 21:03 - 00000000 ____D C:\Users\VirusRemove\AppData\Local\VirtualStore
2013-10-04 21:02 - 2013-10-04 21:03 - 00000000 ____D C:\users\VirusRemove
2013-10-04 21:02 - 2013-10-04 21:02 - 00000020 ___SH C:\Users\VirusRemove\ntuser.ini
2013-10-04 21:02 - 2011-11-29 23:47 - 00000000 ____D C:\Users\VirusRemove\AppData\Local\Microsoft Help
2013-10-04 14:10 - 2013-10-04 20:45 - 00000004 _____ C:\Users\Shad\AppData\Roaming\settings.ini
2013-10-02 15:40 - 2013-10-03 14:58 - 00011183 _____ C:\Users\Shad\Desktop\Interviews.xlsx
2013-09-16 15:11 - 2013-09-16 15:11 - 00000221 _____ C:\Users\Shad\Desktop\The Elder Scrolls V Skyrim.url
2013-09-14 19:51 - 2013-09-14 19:51 - 00000000 ____D C:\ProgramData\Mozilla
2013-09-14 19:51 - 2013-09-14 19:51 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-09-12 10:59 - 2013-08-09 21:22 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-09-12 10:59 - 2013-08-09 21:22 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-09-12 10:59 - 2013-08-09 21:22 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-09-12 10:59 - 2013-08-09 21:21 - 19246592 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-09-12 10:59 - 2013-08-09 21:21 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-09-12 10:59 - 2013-08-09 21:21 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-09-12 10:59 - 2013-08-09 21:20 - 15404544 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-09-12 10:59 - 2013-08-09 21:20 - 03959296 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-09-12 10:59 - 2013-08-09 21:20 - 02647040 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-09-12 10:59 - 2013-08-09 21:20 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-09-12 10:59 - 2013-08-09 21:20 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-09-12 10:59 - 2013-08-09 21:20 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-09-12 10:59 - 2013-08-09 21:20 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-09-12 10:59 - 2013-08-09 21:20 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-09-12 10:59 - 2013-08-09 19:59 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-09-12 10:59 - 2013-08-09 19:59 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-09-12 10:59 - 2013-08-09 19:58 - 14332928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-09-12 10:59 - 2013-08-09 19:58 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-09-12 10:59 - 2013-08-09 19:58 - 02876928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-09-12 10:59 - 2013-08-09 19:58 - 02048000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-09-12 10:59 - 2013-08-09 19:58 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-09-12 10:59 - 2013-08-09 19:58 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-09-12 10:59 - 2013-08-09 19:58 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-09-12 10:59 - 2013-08-09 19:58 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-09-12 10:59 - 2013-08-09 19:58 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-09-12 10:59 - 2013-08-09 19:58 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-09-12 10:59 - 2013-08-09 19:58 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-09-12 10:59 - 2013-08-09 19:17 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-09-12 10:59 - 2013-08-09 19:07 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-09-12 10:59 - 2013-08-09 18:27 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-09-12 10:59 - 2013-08-09 18:17 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-09-12 09:55 - 2013-08-07 17:20 - 03155456 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-09-12 09:55 - 2013-08-04 18:25 - 00155584 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ataport.sys
2013-09-12 09:55 - 2013-08-01 18:23 - 05550528 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-09-12 09:55 - 2013-08-01 18:15 - 01732032 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2013-09-12 09:55 - 2013-08-01 18:15 - 00362496 _____ (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2013-09-12 09:55 - 2013-08-01 18:15 - 00243712 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-09-12 09:55 - 2013-08-01 18:15 - 00013312 _____ (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2013-09-12 09:55 - 2013-08-01 18:14 - 00215040 _____ (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2013-09-12 09:55 - 2013-08-01 18:14 - 00016384 _____ (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2013-09-12 09:55 - 2013-08-01 18:13 - 01161216 _____ (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2013-09-12 09:55 - 2013-08-01 18:13 - 00424448 _____ (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00043520 _____ (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00006656 _____ (Microsoft Corporation) C:\Windows\System32\apisetschema.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00006144 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00005120 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00004608 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00004608 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:59 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-09-12 09:55 - 2013-08-01 17:59 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-09-12 09:55 - 2013-08-01 17:51 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-09-12 09:55 - 2013-08-01 17:50 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2013-09-12 09:55 - 2013-08-01 17:50 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2013-09-12 09:55 - 2013-08-01 17:50 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 17:09 - 00338432 _____ (Microsoft Corporation) C:\Windows\System32\conhost.exe
2013-09-12 09:55 - 2013-08-01 16:59 - 00112640 _____ (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-09-12 09:55 - 2013-08-01 16:45 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-09-12 09:55 - 2013-08-01 16:45 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-09-12 09:55 - 2013-08-01 16:45 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-09-12 09:55 - 2013-08-01 16:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-09-12 09:55 - 2013-08-01 16:43 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 16:43 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 16:43 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2013-09-12 09:55 - 2013-08-01 16:43 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2013-09-12 09:55 - 2013-07-25 18:24 - 14172672 _____ (Microsoft Corporation) C:\Windows\System32\shell32.dll
2013-09-12 09:55 - 2013-07-25 18:24 - 00197120 _____ (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
2013-09-12 09:55 - 2013-07-25 17:55 - 12872704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2013-09-12 09:55 - 2013-07-25 17:55 - 00180224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
 
==================== One Month Modified Files and Folders =======
 
2013-10-06 16:17 - 2013-10-06 16:17 - 00000000 ____D C:\FRST
2013-10-06 12:13 - 2010-09-19 00:42 - 01751279 _____ C:\Windows\WindowsUpdate.log
2013-10-06 12:09 - 2010-09-21 23:44 - 00687496 _____ C:\Windows\System32\prfh0816.dat
2013-10-06 12:09 - 2010-09-21 23:44 - 00133902 _____ C:\Windows\System32\prfc0816.dat
2013-10-06 12:09 - 2010-09-21 23:23 - 00369922 _____ C:\Windows\System32\prfh0804.dat
2013-10-06 12:09 - 2010-09-21 23:23 - 00104398 _____ C:\Windows\System32\prfc0804.dat
2013-10-06 12:09 - 2010-09-21 23:13 - 00699346 _____ C:\Windows\System32\perfh013.dat
2013-10-06 12:09 - 2010-09-21 23:13 - 00133090 _____ C:\Windows\System32\perfc013.dat
2013-10-06 12:09 - 2010-09-21 23:04 - 00625722 _____ C:\Windows\System32\perfh01D.dat
2013-10-06 12:09 - 2010-09-21 23:04 - 00123890 _____ C:\Windows\System32\perfc01D.dat
2013-10-06 12:09 - 2010-09-21 22:56 - 00651990 _____ C:\Windows\System32\perfh007.dat
2013-10-06 12:09 - 2010-09-21 22:56 - 00129690 _____ C:\Windows\System32\perfc007.dat
2013-10-06 12:09 - 2010-09-21 22:47 - 00631298 _____ C:\Windows\System32\perfh005.dat
2013-10-06 12:09 - 2010-09-21 22:47 - 00121938 _____ C:\Windows\System32\perfc005.dat
2013-10-06 12:09 - 2010-09-21 22:27 - 00684112 _____ C:\Windows\System32\perfh019.dat
2013-10-06 12:09 - 2010-09-21 22:27 - 00132666 _____ C:\Windows\System32\perfc019.dat
2013-10-06 12:09 - 2010-09-21 22:19 - 00697262 _____ C:\Windows\System32\perfh010.dat
2013-10-06 12:09 - 2010-09-21 22:19 - 00127294 _____ C:\Windows\System32\perfc010.dat
2013-10-06 12:09 - 2010-09-21 22:12 - 00396672 _____ C:\Windows\System32\perfh011.dat
2013-10-06 12:09 - 2010-09-21 22:12 - 00106538 _____ C:\Windows\System32\perfc011.dat
2013-10-06 12:09 - 2010-09-21 22:02 - 00456740 _____ C:\Windows\System32\perfh014.dat
2013-10-06 12:09 - 2010-09-21 22:02 - 00077246 _____ C:\Windows\System32\perfc014.dat
2013-10-06 12:09 - 2010-09-21 21:50 - 00559924 _____ C:\Windows\System32\perfh008.dat
2013-10-06 12:09 - 2010-09-21 21:50 - 00089586 _____ C:\Windows\System32\perfc008.dat
2013-10-06 12:09 - 2010-09-21 21:44 - 00671958 _____ C:\Windows\System32\prfh0416.dat
2013-10-06 12:09 - 2010-09-21 21:44 - 00128244 _____ C:\Windows\System32\prfc0416.dat
2013-10-06 12:09 - 2010-09-21 21:34 - 00697880 _____ C:\Windows\System32\perfh015.dat
2013-10-06 12:09 - 2010-09-21 21:34 - 00134990 _____ C:\Windows\System32\perfc015.dat
2013-10-06 12:09 - 2010-09-21 21:23 - 00702584 _____ C:\Windows\System32\perfh00C.dat
2013-10-06 12:09 - 2010-09-21 21:23 - 00442640 _____ C:\Windows\System32\perfh001.dat
2013-10-06 12:09 - 2010-09-21 21:23 - 00130290 _____ C:\Windows\System32\perfc00C.dat
2013-10-06 12:09 - 2010-09-21 21:23 - 00079134 _____ C:\Windows\System32\perfc001.dat
2013-10-06 12:09 - 2010-09-21 21:17 - 00640334 _____ C:\Windows\System32\perfh00E.dat
2013-10-06 12:09 - 2010-09-21 21:17 - 00148460 _____ C:\Windows\System32\perfc00E.dat
2013-10-06 12:09 - 2010-09-21 21:01 - 00441542 _____ C:\Windows\System32\perfh00B.dat
2013-10-06 12:09 - 2010-09-21 21:01 - 00082298 _____ C:\Windows\System32\perfc00B.dat
2013-10-06 12:09 - 2009-07-13 21:13 - 12599248 _____ C:\Windows\System32\PerfStringBackup.INI
2013-10-06 12:06 - 2013-10-06 12:06 - 01954124 _____ (Farbar) C:\Users\Shad\Desktop\FRST64.exe
2013-10-06 12:00 - 2012-01-15 13:20 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-06 11:27 - 2010-09-18 22:22 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-48751649-2200319825-1992072656-1000UA.job
2013-10-06 11:20 - 2013-10-06 11:20 - 00000000 ____D C:\Users\Shad\Desktop\DDS
2013-10-06 11:20 - 2010-09-18 23:04 - 00000000 ____D C:\Users\Shad\Documents\Outlook Files
2013-10-06 07:22 - 2009-07-13 20:45 - 00017296 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-06 07:22 - 2009-07-13 20:45 - 00017296 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-06 07:15 - 2012-01-15 13:20 - 00000890 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-06 07:14 - 2013-10-06 07:14 - 00032512 _____ C:\Windows\System32\Drivers\hitmanpro37.sys
2013-10-06 07:14 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-06 07:14 - 2009-07-13 20:51 - 00181897 _____ C:\Windows\setupact.log
2013-10-06 07:13 - 2013-10-06 07:13 - 00000570 _____ C:\Windows\System32\.crusader
2013-10-06 07:13 - 2013-10-06 06:50 - 00000000 ____D C:\ProgramData\HitmanPro
2013-10-06 06:50 - 2013-10-06 06:50 - 09879648 _____ (SurfRight B.V.) C:\Users\Shad\Desktop\HitmanPro_x64.exe
2013-10-06 06:43 - 2013-10-06 06:43 - 00602112 _____ (OldTimer Tools) C:\Users\Shad\Desktop\OTL.exe
2013-10-06 06:41 - 2013-10-06 06:41 - 02237968 _____ (Kaspersky Lab ZAO) C:\Users\Shad\Desktop\tdsskiller.exe
2013-10-06 06:39 - 2013-10-06 06:29 - 00002228 _____ C:\Users\Shad\Desktop\Rkill.txt
2013-10-05 13:00 - 2011-11-29 14:18 - 00000402 _____ C:\Users\Shad\d3d_antilag.log
2013-10-05 13:00 - 2011-01-14 14:26 - 00000000 ____D C:\Program Files (x86)\Steam
2013-10-05 10:25 - 2010-09-18 22:47 - 00118724 _____ C:\Windows\PFRO.log
2013-10-05 09:22 - 2013-10-05 09:22 - 00000000 ____D C:\Users\VirusRemove\AppData\Roaming\Macromedia
2013-10-05 09:22 - 2013-10-05 09:21 - 00000000 ____D C:\Users\VirusRemove\AppData\Local\Adobe
2013-10-05 09:22 - 2013-08-26 13:12 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-10-05 09:22 - 2013-08-26 13:12 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-10-05 09:17 - 2013-10-05 09:17 - 00000000 ____D C:\Users\VirusRemove\AppData\Local\Google
2013-10-05 09:17 - 2010-09-18 22:23 - 00002630 _____ C:\Users\Shad\Desktop\Google Chrome.lnk
2013-10-05 08:17 - 2013-10-05 07:51 - 00002286 _____ C:\Users\VirusRemove\Desktop\Rkill.txt
2013-10-05 07:51 - 2013-10-05 07:51 - 01898112 _____ (Bleeping Computer, LLC) C:\Users\VirusRemove\Desktop\rkill.com
2013-10-05 07:51 - 2013-10-05 07:51 - 01898112 _____ (Bleeping Computer, LLC) C:\Users\Shad\Desktop\rkill.com
2013-10-05 07:51 - 2013-10-05 07:51 - 00000000 ____D C:\Users\VirusRemove\Desktop\rkill
2013-10-04 21:49 - 2013-10-04 21:44 - 00001109 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-04 21:49 - 2013-10-04 21:44 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-04 21:45 - 2013-10-04 21:45 - 00000000 ____D C:\Users\VirusRemove\AppData\Roaming\Malwarebytes
2013-10-04 21:44 - 2013-10-04 21:44 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-10-04 21:29 - 2013-10-06 12:07 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Shad\Desktop\mbam-setup-1.75.0.1300.exe
2013-10-04 21:29 - 2013-10-04 21:44 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\VirusRemove\Desktop\mbam-setup-1.75.0.1300.exe
2013-10-04 21:04 - 2013-10-04 21:04 - 00000000 ____D C:\Users\VirusRemove\AppData\Roaming\ICAClient
2013-10-04 21:04 - 2013-10-04 21:04 - 00000000 ____D C:\Users\VirusRemove\AppData\Roaming\ATI
2013-10-04 21:04 - 2013-10-04 21:04 - 00000000 ____D C:\Users\VirusRemove\AppData\Local\ATI
2013-10-04 21:04 - 2013-10-04 21:04 - 00000000 ____D C:\Users\VirusRemove\AppData\Local\AMD
2013-10-04 21:04 - 2013-10-04 21:03 - 00000000 ____D C:\Users\VirusRemove\AppData\Local\Citrix
2013-10-04 21:03 - 2013-10-04 21:03 - 00119080 _____ C:\Users\VirusRemove\AppData\Local\GDIPFONTCACHEV1.DAT
2013-10-04 21:03 - 2013-10-04 21:03 - 00000000 ____D C:\Users\VirusRemove\AppData\Roaming\Logitech
2013-10-04 21:03 - 2013-10-04 21:03 - 00000000 ____D C:\Users\VirusRemove\AppData\Roaming\Adobe
2013-10-04 21:03 - 2013-10-04 21:03 - 00000000 ____D C:\Users\VirusRemove\AppData\Local\VirtualStore
2013-10-04 21:03 - 2013-10-04 21:02 - 00000000 ____D C:\users\VirusRemove
2013-10-04 21:02 - 2013-10-04 21:02 - 00000020 ___SH C:\Users\VirusRemove\ntuser.ini
2013-10-04 20:45 - 2013-10-04 14:10 - 00000004 _____ C:\Users\Shad\AppData\Roaming\settings.ini
2013-10-04 08:53 - 2010-09-18 22:21 - 00000000 ____D C:\Users\Shad\AppData\Local\Deployment
2013-10-03 17:15 - 2010-09-18 22:22 - 00000852 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-48751649-2200319825-1992072656-1000Core.job
2013-10-03 14:58 - 2013-10-02 15:40 - 00011183 _____ C:\Users\Shad\Desktop\Interviews.xlsx
2013-09-26 09:27 - 2010-09-19 09:13 - 00000000 ____D C:\Users\Shad\AppData\Roaming\Mozilla
2013-09-25 15:27 - 2010-10-11 10:59 - 00000000 ____D C:\Users\Shad\Desktop\Junk
2013-09-25 08:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-09-22 16:31 - 2009-07-13 20:45 - 00492016 _____ C:\Windows\System32\FNTCACHE.DAT
2013-09-22 12:56 - 2011-06-26 16:11 - 00000000 ____D C:\Users\Shad\Desktop\Research
2013-09-22 06:58 - 2010-09-18 22:06 - 00119080 _____ C:\Users\Shad\AppData\Local\GDIPFONTCACHEV1.DAT
2013-09-22 06:57 - 2011-07-19 11:32 - 00000000 ____D C:\Users\Shad\Documents\SPSSInc
2013-09-22 06:53 - 2011-07-19 10:48 - 00000000 ____D C:\Users\Shad\AppData\Local\javasharedresources
2013-09-22 06:50 - 2011-07-19 10:28 - 00000219 _____ C:\Windows\SysWOW64\lsprst7.tgz
2013-09-22 06:50 - 2011-07-19 10:28 - 00000205 _____ C:\Windows\SysWOW64\lsprst7.dll
2013-09-22 06:50 - 2011-07-19 10:28 - 00000016 ____H C:\Windows\SysWOW64\servdat.slm
2013-09-22 06:34 - 2010-09-18 22:53 - 00000000 ____D C:\Windows\System32\appmgmt
2013-09-17 13:59 - 2011-11-27 22:16 - 00000000 ____D C:\Users\Shad\AppData\Local\Skyrim
2013-09-16 19:45 - 2013-01-28 15:49 - 00000000 ____D C:\Users\Shad\AppData\Local\Black_Tree_Gaming
2013-09-16 15:11 - 2013-09-16 15:11 - 00000221 _____ C:\Users\Shad\Desktop\The Elder Scrolls V Skyrim.url
2013-09-15 10:30 - 2011-07-13 10:02 - 00000000 ____D C:\Users\Shad\AppData\Local\CutePDF Writer
2013-09-14 19:51 - 2013-09-14 19:51 - 00000000 ____D C:\ProgramData\Mozilla
2013-09-14 19:51 - 2013-09-14 19:51 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-09-14 19:51 - 2010-09-19 09:13 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-09-13 08:41 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\th-TH
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\sr-Latn-CS
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\sl-SI
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\sk-SK
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\ro-RO
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\lt-LT
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\hr-HR
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\et-EE
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\bg-BG
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\ar-SA
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\th-TH
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sr-Latn-CS
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sl-SI
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sk-SK
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\ro-RO
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\lt-LT
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\hr-HR
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\et-EE
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\bg-BG
2013-09-12 11:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\ar-SA
2013-09-12 10:59 - 2013-07-19 20:10 - 00000000 ____D C:\Windows\System32\MRT
2013-09-12 10:57 - 2010-09-21 23:13 - 79143768 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-09-12 10:57 - 2010-09-18 22:43 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-09-10 08:42 - 2012-04-03 21:39 - 00000000 ____D C:\Users\Shad\AppData\Roaming\vlc
 
Files to move or delete:
====================
C:\Users\Shad\AppData\Roaming\i.ini
 
 
Some content of TEMP:
====================
C:\Users\Shad\AppData\Local\Temp\AskSLib.dll
C:\Users\Shad\AppData\Local\Temp\converter.exe
C:\Users\Shad\AppData\Local\Temp\DivXSetup.exe
C:\Users\Shad\AppData\Local\Temp\DivXWebPlayerInstaller.exe
C:\Users\Shad\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Users\Shad\AppData\Local\Temp\jre-6u23-windows-i586-iftw-rv.exe
C:\Users\Shad\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Users\Shad\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\Shad\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Users\Shad\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe
C:\Users\Shad\AppData\Local\Temp\jre-6u35-windows-i586-iftw.exe
C:\Users\Shad\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\Shad\AppData\Local\Temp\metaouy0.dll
C:\Users\Shad\AppData\Local\Temp\NGMDll.dll
C:\Users\Shad\AppData\Local\Temp\NGMResource.dll
C:\Users\Shad\AppData\Local\Temp\NGMSetup.exe
C:\Users\Shad\AppData\Local\Temp\ose00000.exe
C:\Users\Shad\AppData\Local\Temp\pslist.exe
C:\Users\Shad\AppData\Local\Temp\Risweb32.exe
C:\Users\Shad\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Shad\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\Shad\AppData\Local\Temp\tmp3CA2.exe
C:\Users\Shad\AppData\Local\Temp\tmp492.exe
C:\Users\Shad\AppData\Local\Temp\tmp52A1.exe
C:\Users\Shad\AppData\Local\Temp\tmp57B0.exe
C:\Users\Shad\AppData\Local\Temp\tmp78A8.exe
C:\Users\Shad\AppData\Local\Temp\tmpDB31.exe
C:\Users\Shad\AppData\Local\Temp\tmpFC38.exe
C:\Users\Shad\AppData\Local\Temp\unicows.dll
C:\Users\Shad\AppData\Local\Temp\uninstall-temp.exe
C:\Users\Shad\AppData\Local\Temp\vlc-2.0.1-win32.exe
C:\Users\Shad\AppData\Local\Temp\vlc-2.0.2-win32.exe
C:\Users\Shad\AppData\Local\Temp\wmpfirefoxplugin.exe
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
1
Restore point made on: 2013-10-06 08:26:22
 
==================== Memory info =========================== 
 
Percentage of memory in use: 17%
Total physical RAM: 4095.18 MB
Available physical RAM: 3389.61 MB
Total Pagefile: 4093.33 MB
Available Pagefile: 3411.05 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:596.16 GB) (Free:272.31 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive e: (HP v125w) (Removable) (Total:1.86 GB) (Free:1.84 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 596 GB) (Disk ID: 89A089A0)
Partition 1: (Active) - (Size=596 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 2 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=2 GB) - (Type=0C)
 
 
LastRegBack: 2013-10-01 09:06
 
==================== End Of Log ============================

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now.

MrC


Was able to run the FRST fix and a log was generated, posted below.  The computer boots normally now; I don't see a white screen for a few seconds anymore before the desktop appears.  Are there any other steps I should take?

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-10-2013
Ran by SYSTEM at 2013-10-06 17:13:27 Run:1
Running from E:\
Boot Mode: Recovery
==============================================
 
Content of fixlist:
*****************
HKU\Shad\...\Winlogon: [shell] explorer.exe <==== ATTENTION 
C:\Users\Shad\AppData\Roaming\settings.ini
C:\Users\Shad\AppData\Roaming\i.ini
C:\Users\Shad\AppData\Local\Temp\AskSLib.dll
C:\Users\Shad\AppData\Local\Temp\converter.exe
C:\Users\Shad\AppData\Local\Temp\metaouy0.dll
C:\Users\Shad\AppData\Local\Temp\NGMDll.dll
C:\Users\Shad\AppData\Local\Temp\NGMResource.dll
C:\Users\Shad\AppData\Local\Temp\NGMSetup.exe
C:\Users\Shad\AppData\Local\Temp\ose00000.exe
C:\Users\Shad\AppData\Local\Temp\pslist.exe
C:\Users\Shad\AppData\Local\Temp\Risweb32.exe
C:\Users\Shad\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\Shad\AppData\Local\Temp\tmp3CA2.exe
C:\Users\Shad\AppData\Local\Temp\tmp492.exe
C:\Users\Shad\AppData\Local\Temp\tmp52A1.exe
C:\Users\Shad\AppData\Local\Temp\tmp57B0.exe
C:\Users\Shad\AppData\Local\Temp\tmp78A8.exe
C:\Users\Shad\AppData\Local\Temp\tmpDB31.exe
C:\Users\Shad\AppData\Local\Temp\tmpFC38.exe
C:\Users\Shad\AppData\Local\Temp\unicows.dll
C:\Users\Shad\AppData\Local\Temp\uninstall-temp.exe
C:\Users\Shad\AppData\Local\Temp\vlc-2.0.1-win32.exe
C:\Users\Shad\AppData\Local\Temp\vlc-2.0.2-win32.exe
C:\Users\Shad\AppData\Local\Temp\wmpfirefoxplugin.exe
 
 
*****************
 
HKU\Shad\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
C:\Users\Shad\AppData\Roaming\settings.ini => Moved successfully.
"C:\Users\Shad\AppData\Roaming\i.ini" => File/Directory not found.
C:\Users\Shad\AppData\Local\Temp\AskSLib.dll => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\converter.exe => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\metaouy0.dll => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\NGMDll.dll => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\NGMResource.dll => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\NGMSetup.exe => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\ose00000.exe => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\pslist.exe => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\Risweb32.exe => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\swt-win32-3349.dll => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\tmp3CA2.exe => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\tmp492.exe => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\tmp52A1.exe => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\tmp57B0.exe => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\tmp78A8.exe => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\tmpDB31.exe => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\tmpFC38.exe => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\unicows.dll => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\uninstall-temp.exe => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\vlc-2.0.1-win32.exe => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\vlc-2.0.2-win32.exe => Moved successfully.
C:\Users\Shad\AppData\Local\Temp\wmpfirefoxplugin.exe => Moved successfully.
 
==== End of Fixlog ====
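The fixlist above deletes a Winlogon Shell value from the user's own hive, and the earlier FRST log checks the .exe file association; both are registry locations a screen-locker of this kind uses to start itself instead of the desktop, and a leftover entry is exactly what produced the white screen after the main infection was gone. The PowerShell script below is an added example written for this page, not code from the thread, from MrC or from Farbar's FRST. It re-checks those locations against the Windows 7 defaults and lists any per-user Winlogon override so a residual entry like the one removed here stands out. Assumptions not taken from the page: it runs from an elevated PowerShell prompt, the expected values are the stock Windows 7 defaults, and only the hives of currently logged-on users are visible under HKEY_USERS.

```powershell
# Added example (not from the forum thread, from MrC, or from Farbar's FRST).
# Re-checks the "EXE ASSOCIATION" values and the Winlogon Shell/Userinit values
# that the FRST log and fixlist above deal with, against Windows 7 defaults.
# Assumption: run as Administrator; defaults below are the stock Windows 7 values.

$expected = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                       = @{ '(default)' = 'exefile' }
    'Registry::HKEY_CLASSES_ROOT\exefile\DefaultIcon'        = @{ '(default)' = '%1' }
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = @{ '(default)' = '"%1" %*' }
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' = @{
        'Shell'    = 'explorer.exe'
        'Userinit' = "$env:SystemRoot\system32\userinit.exe,"
    }
}

function Get-RegValueOrNull {
    # Returns the named value as a string, or $null if the key or value is absent.
    # "(default)" is how Get-ItemProperty exposes a key's default value.
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return [string]$prop.Value
}

function Test-ShellIntegrity {
    $findings = @()

    # 1. Machine-wide values: anything other than the default is worth a look.
    foreach ($key in $expected.Keys) {
        foreach ($name in $expected[$key].Keys) {
            $actual = Get-RegValueOrNull -Key $key -Name $name
            $want   = $expected[$key][$name]
            if ($null -eq $actual) {
                $findings += "MISSING  $key\$name (expected '$want')"
            } elseif ($actual.Trim() -ine $want) {
                $findings += "CHANGED  $key\$name = '$actual' (expected '$want')"
            }
        }
    }

    # 2. Per-user overrides: Windows does not create Shell or Userinit under a
    #    user hive by default, so any such value is reported. On this machine the
    #    leftover was HKU\Shad\...\Winlogon\Shell, which the fixlist removed.
    #    Only loaded hives (logged-on users, .DEFAULT, service SIDs) are visible.
    foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS) {
        $userKey = "Registry::$($hive.Name)\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
        foreach ($name in 'Shell', 'Userinit') {
            $v = Get-RegValueOrNull -Key $userKey -Name $name
            if ($null -ne $v) { $findings += "PER-USER $userKey\$name = '$v'" }
        }
    }

    if ($findings.Count -eq 0) {
        'OK: .exe association and Winlogon values match the Windows 7 defaults'
    } else {
        $findings
    }
}

Test-ShellIntegrity
```

A PER-USER line is the one to read most carefully: even a value that looks harmless, such as `explorer.exe`, is not a Windows default and indicates something wrote it there. A CHANGED line on `exefile\shell\open\command` means every .exe launch is being redirected through another program, which is the same hijack FRST's EXE ASSOCIATION check is there to catch.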

Well, we should run some scans:

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC


Thanks, MrC.  MBAR found no threats, logs are below.  The internet, Windows Update, and Windows Firewall all seem to be working.

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org
 
Database version: v2013.10.06.05
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16686
Shad :: DESKTOP [administrator]
 
10/6/2013 5:38:07 PM
mbar-log-2013-10-06 (17-38-07).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 283949
Time elapsed: 32 minute(s), 25 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.1.7601 Windows 7 Service Pack 1 x64
 
Account is Administrative
 
Internet Explorer version: 10.0.9200.16686
 
Java version: 1.6.0_37
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.000000 GHz
Memory total: 4294107136, free: 2230943744
 
Downloaded database version: v2013.10.06.05
Downloaded database version: v2013.09.30.01
=======================================
Initializing...
------------ Kernel report ------------
     10/06/2013 17:38:02
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_AuthenticAMD.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\vmbus.sys
\SystemRoot\system32\drivers\winhv.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\AtiPcie64.sys
\SystemRoot\system32\drivers\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\??\C:\Windows\system32\Drivers\NEOFLTR_650_16339.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\ctxusbm.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\amdppm.sys
\SystemRoot\system32\DRIVERS\atikmpag.sys
\SystemRoot\system32\DRIVERS\atikmdag.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\nusb3xhc.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\usbfilter.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\Rt64win7.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\circlass.sys
\SystemRoot\system32\drivers\WmBEnum.sys
\SystemRoot\system32\drivers\WmXlCore.sys
\SystemRoot\system32\DRIVERS\amdiox64.sys
\SystemRoot\system32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\nusb3hub.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\AtihdW76.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\drivers\HdAudio.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\AngelUsb.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\LEqdUsb.Sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\LHidEqd.Sys
\SystemRoot\system32\DRIVERS\lvuvc64.sys
\SystemRoot\system32\drivers\usbaudio.sys
\SystemRoot\system32\DRIVERS\lvrs64.sys
\SystemRoot\system32\DRIVERS\LHidFilt.Sys
\SystemRoot\system32\DRIVERS\LMouFilt.Sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\??\C:\Windows\system32\drivers\mbam.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys
\SystemRoot\system32\DRIVERS\NisDrvWFP.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\ole32.dll
\Windows\System32\oleaut32.dll
\Windows\System32\lpk.dll
\Windows\System32\Wldap32.dll
\Windows\System32\urlmon.dll
\Windows\System32\comdlg32.dll
\Windows\System32\ws2_32.dll
\Windows\System32\user32.dll
\Windows\System32\wininet.dll
\Windows\System32\advapi32.dll
\Windows\System32\gdi32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\usp10.dll
\Windows\System32\kernel32.dll
\Windows\System32\msctf.dll
\Windows\System32\setupapi.dll
\Windows\System32\shell32.dll
\Windows\System32\psapi.dll
\Windows\System32\difxapi.dll
\Windows\System32\imagehlp.dll
\Windows\System32\shlwapi.dll
\Windows\System32\normaliz.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\sechost.dll
\Windows\System32\clbcatq.dll
\Windows\System32\nsi.dll
\Windows\System32\iertutil.dll
\Windows\System32\imm32.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\crypt32.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\devobj.dll
\Windows\System32\wintrust.dll
\Windows\System32\comctl32.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\KernelBase.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\msasn1.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xfffffa8004d0e790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007a\
Lower Device Object: 0xfffffa8004d11b60
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80049d1060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xfffffa80049ce060
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80049d1060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8004934b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80049d1060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa800491a9b0, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa80049ce060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 89A089A0
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 1250242497
    Partition file system is NTFS
    Partition is bootable
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 640135028736 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-62-1250243728-1250263728)...
Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa8004d0e790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8004d0db90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8004d0e790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8004d11b60, DeviceName: \Device\0000007a\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C3072E18
 
Partition information:
 
    Partition 0 type is Other (0xc)
    Partition is ACTIVE.
    Partition starts at LBA: 64  Numsec = 3915712
    Partition file system is FAT32
    Partition is not bootable
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 2004877312 bytes
Sector size: 512 bytes
 
Done!
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_63_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_1_0_64_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_r.mbam...
Removal finished
 

OK.....

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get "Unsupported operating system. Aborting now", just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

Log for Security Check:

 

 Results of screen317's Security Check version 0.99.74  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 6 Update 21  
 Java 6 Update 37  
 Java version out of Date! 
 Adobe Flash Player 11.8.800.168  
 Adobe Reader 10.1.8 Adobe Reader out of Date!  
 Mozilla Firefox 12.0 Firefox out of Date!  
 Google Chrome 30.0.1599.66  
 Google Chrome 30.0.1599.69  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log`````````````````````` 

Outdated programs on the system are vulnerable to malware.
Please update or uninstall them:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please uninstall these and any other Java listed in your add/remove programs:
Java™ 6 Update 21
Java™ 6 Update 37


Java version out of Date! <-------Download and install the latest version (Java™ 7 Update 40) from Here. Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

-----------------------------------

Adobe Reader 10.1.8 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).


Mozilla Firefox 12.0 Firefox out of Date! <----------please check for an update if available

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste the next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

If you used FRST:
Download the fixlist.txt to the same folder as FRST.
Run FRST and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

-----------------------------

Please download OTC to your desktop.
http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.
i.e., RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc. AdwCleaner > just run the program and click uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Thanks, MrC!

 

Only one issue: when I was installing the latest version of Java, my MSE flagged a file: 

 

Name: Exploit:Java/CVE-2013-2465

Path: file:_C:\Users\Shad\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\fc79ba9-2c7a8c10->File4.class

This was also in the quarantine, but dated for yesterday (I'm assuming this is part of the MoneyPak malware we removed?):

 

Name: Trojan:Win32/Urausy.E

Path: file:_C:\Users\Shad\AppData\Local\Temp\vqamkfxyjphvvwcphqi.bfg


Name: Exploit:Java/CVE-2013-2465
Path: file:_C:\Users\Shad\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\fc79ba9-2c7a8c10->File4.class


OK...clear out your Java cache:

Go here and follow the instructions to clear your Java Cache:
http://www.java.com/en/download/help/plugin_cache.xml



This was also in the quarantine, but dated for yesterday (I'm assuming this is part of the MoneyPak malware we removed?):

Name: Trojan:Win32/Urausy.E
Path: file:_C:\Users\Shad\AppData\Local\Temp\vqamkfxyjphvvwcphqi.bfg


I didn't remove it, maybe you did..and yes it's part of the infection.

 

MrC


This topic is now closed to further replies.