"Interpole" Extortion virus - locked up PC


Malwarebytes found nothing when run under Administrator, but under the user account it is all locked up, clock ticking down and demanding $300 be wired to some scum. Here is the log; thanks in advance.


Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 2:32:15 PM, on 11/8/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16446)

Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Administrator\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [sigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://jacada.webex.com/client/WBXclient-T28L10NSP8EP1-15699/event/ieatgpc1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tmpdirect.ad
O17 - HKLM\Software\..\Telephony: DomainName = tmpdirect.ad
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tmpdirect.ad
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tmpdirect.ad
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: ININ Tracing Initialization (ININ Tracing) - Interactive Intelligence, Inc. - C:\Program Files\Interactive Intelligence\ININ Trace Initialization\i3trace_initializer-w32r-1-1.exe
O23 - Service: Interactive Update Client - Interactive Intelligence, Inc. - C:\Program Files\Interactive Intelligence\Interactive Update\ININ.UpdateClientService.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 5857 bytes

Welcome to the forum, please do this:

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system.....Which system am I using?)

Please make sure you click download buttons that look like this, not "sponsored ad links":

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
MrC

here you go:


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-10-2013
Ran by Administrator (administrator) on NJTMPDDT047 on 08-11-2013 17:03:23
Running from C:\Users\Administrator\Desktop
Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Safe Mode (with Networking)

==================== Processes (Whitelisted) ===================

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [McAfeeUpdaterUI] - C:\Program Files\McAfee\Common Framework\UdaterUI.exe [136512 2009-01-16] (McAfee, Inc.)
HKLM\...\Run: [shStatEXE] - C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe [124224 2010-08-25] (McAfee, Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [843712 2012-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [bCSSync] - C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [sigmatelSysTrayApp] - C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe [405504 2007-05-06] (SigmaTel, Inc.)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware] - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKCU\...\Run: [iSUSPM] - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [218032 2006-09-11] (Macrovision Corporation)
MountPoints2: {58a0b9e2-a765-11e2-bac6-001aa0331aa4} - F:\LaunchU3.exe -a
HKU\cdomahid\...\Policies\system: [DisableRegistryTools] 2
HKU\dcollins\...\Run: [GoToMeeting] - C:\Users\dcollins\AppData\Local\Citrix\GoToMeeting\1132\g2mstart.exe [ 2013-03-21] (Citrix Online, a division of Citrix Systems, Inc.)
HKU\dcollins\...\Run: [XnlY1NVWa.exe] - C:\Users\dcollins\AppData\Local\Nxrzwh3By5\XnlY1NVWa.exe [ 2013-11-08] (Microsoft Corporation)
HKU\dcollins\...\Winlogon: [shell] cmd.exe [ 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\dcollins\...\Command Processor: "C:\Users\dcollins\AppData\Local\Nxrzwh3By5\XnlY1NVWa.exe" <===== ATTENTION!
Startup: C:\Users\dcollins\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Interaction Client.lnk
ShortcutTarget: Interaction Client.lnk -> C:\Program Files\Interactive Intelligence\ICUserApps\InteractionClient.exe (Interactive Intelligence, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x6D3E06E6B3DCCE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://jacada.webex.com/client/WBXclient-T28L10NSP8EP1-15699/event/ieatgpc1.cab
Tcpip\Parameters: [DhcpNameServer] 10.17.24.20 10.17.24.4 10.17.24.36

========================== Services (Whitelisted) =================

S2 ININ Tracing; C:\Program Files\Interactive Intelligence\ININ Trace Initialization\i3trace_initializer-w32r-1-1.exe [36352 2012-08-24] (Interactive Intelligence, Inc.)
S2 Interactive Update Client; C:\Program Files\Interactive Intelligence\Interactive Update\ININ.UpdateClientService.exe [388264 2010-11-09] (Interactive Intelligence, Inc.)
S2 McAfeeEngineService; C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe [22816 2010-08-25] (McAfee, Inc.)
S2 McAfeeFramework; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [103744 2009-01-16] (McAfee, Inc.)
S2 McShield; C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [147984 2010-08-25] (McAfee, Inc.)
S2 McTaskManager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [66880 2010-08-25] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [69192 2010-08-25] (McAfee, Inc.)
S2 STacSV; C:\Windows\system32\STacSV.exe [94208 2007-05-06] (SigmaTel, Inc.)
S2 uvnc_service; C:\Program Files\UltraVNC\WinVNC.exe [2016504 2011-05-18] (UltraVNC)

==================== Drivers (Whitelisted) ====================

S2 DLABMFSM; C:\Windows\System32\Drivers\DLABMFSM.SYS [37360 2007-07-23] (Roxio)
S2 DLABOIOM; C:\Windows\System32\Drivers\DLABOIOM.SYS [32848 2007-07-23] (Roxio)
S2 DLADResM; C:\Windows\System32\Drivers\DLADResM.SYS [9104 2007-07-23] (Roxio)
S2 DLAIFS_M; C:\Windows\System32\Drivers\DLAIFS_M.SYS [108752 2007-07-23] (Roxio)
S2 DLAOPIOM; C:\Windows\System32\Drivers\DLAOPIOM.SYS [27216 2007-07-23] (Roxio)
S2 DLAPoolM; C:\Windows\System32\Drivers\DLAPoolM.SYS [16304 2007-07-23] (Roxio)
S2 DLAUDFAM; C:\Windows\System32\Drivers\DLAUDFAM.SYS [93552 2007-07-23] (Roxio)
S2 DLAUDF_M; C:\Windows\System32\Drivers\DLAUDF_M.SYS [98448 2007-07-23] (Roxio)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [76024 2010-08-25] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [91896 2010-08-25] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [43192 2010-08-25] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [344712 2010-08-25] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [66536 2010-08-25] (McAfee, Inc.)
R1 mfetdik; C:\Windows\System32\drivers\mfetdik.sys [64208 2010-08-25] (McAfee, Inc.)
S3 STHDA; C:\Windows\System32\drivers\stwrt.sys [326656 2007-05-06] (SigmaTel, Inc.)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-11-08 17:03 - 2013-11-08 17:03 - 00000000 ____D C:\FRST
2013-11-08 17:03 - 2013-11-08 17:00 - 01089445 _____ (Farbar) C:\Users\Administrator\Desktop\FRST.exe
2013-11-08 14:32 - 2013-11-08 14:32 - 00388608 _____ (Trend Micro Inc.) C:\Users\Administrator\Downloads\HijackThis.exe
2013-11-08 14:32 - 2013-11-08 14:32 - 00005858 _____ C:\Users\Administrator\Downloads\hijackthis.log
2013-11-08 14:32 - 2013-11-08 14:32 - 00005858 _____ C:\Users\Administrator\Desktop\hijackthis.log
2013-11-08 13:55 - 2013-11-08 13:55 - 00001063 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-11-08 13:55 - 2013-11-08 13:55 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Malwarebytes
2013-11-08 13:55 - 2013-11-08 13:55 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-11-08 13:55 - 2013-11-08 13:55 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-11-08 13:55 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-11-08 13:36 - 2013-11-08 13:36 - 00299520 _____ C:\Users\dcollins\AppData\Roaming\KBW3HQKJLD
2013-11-08 13:36 - 2013-11-08 13:36 - 00299520 _____ C:\Users\dcollins\AppData\Local\ACZqHB7poi
2013-11-08 13:36 - 2013-11-08 13:36 - 00299520 _____ C:\ProgramData\ntN9v4aPVVt
2013-11-08 13:34 - 2013-11-08 13:34 - 00299520 _____ C:\Users\dcollins\AppData\Roaming\BGGL6jWIdD
2013-11-08 13:34 - 2013-11-08 13:34 - 00299520 _____ C:\Users\dcollins\AppData\Local\z0EVe60la0
2013-11-08 13:34 - 2013-11-08 13:34 - 00299520 _____ C:\ProgramData\hm5LUHBahL
2013-11-08 13:30 - 2013-11-08 13:30 - 00299520 _____ C:\Users\dcollins\AppData\Roaming\QbiJfO82
2013-11-08 13:30 - 2013-11-08 13:30 - 00299520 _____ C:\Users\dcollins\AppData\Local\iNXChPq3d
2013-11-08 13:30 - 2013-11-08 13:30 - 00299520 _____ C:\ProgramData\ewRQE8JscJ
2013-11-08 13:29 - 2013-11-08 13:33 - 00000000 ____D C:\Users\dcollins\AppData\Local\Nxrzwh3By5
2013-11-06 16:17 - 2013-11-06 16:17 - 00103364 _____ C:\Users\dcollins\Desktop\Remote Chat Application Mock Up 10 30 13.pptx
2013-11-05 17:57 - 2013-11-05 17:57 - 00026624 _____ C:\Users\dcollins\Desktop\FS Inquiries vs Hours.xls
2013-11-05 11:25 - 2013-11-05 18:30 - 00113437 _____ C:\Users\dcollins\Desktop\TRACFONE.cap
2013-10-24 12:33 - 2013-10-24 12:33 - 00288549 _____ C:\Users\dcollins\Desktop\Olsen Race Picture.pptx
2013-10-17 12:22 - 2013-10-17 12:50 - 00011840 ____N C:\Users\dcollins\Desktop\Updated Review report for Dan 2013.xlsx

==================== One Month Modified Files and Folders =======

2013-11-08 17:03 - 2013-11-08 17:03 - 00000000 ____D C:\FRST
2013-11-08 17:00 - 2013-11-08 17:03 - 01089445 _____ (Farbar) C:\Users\Administrator\Desktop\FRST.exe
2013-11-08 14:32 - 2013-11-08 14:32 - 00388608 _____ (Trend Micro Inc.) C:\Users\Administrator\Downloads\HijackThis.exe
2013-11-08 14:32 - 2013-11-08 14:32 - 00005858 _____ C:\Users\Administrator\Downloads\hijackthis.log
2013-11-08 14:32 - 2013-11-08 14:32 - 00005858 _____ C:\Users\Administrator\Desktop\hijackthis.log
2013-11-08 13:59 - 2010-11-20 16:01 - 00730320 _____ C:\Windows\system32\PerfStringBackup.INI
2013-11-08 13:55 - 2013-11-08 13:55 - 00001063 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-11-08 13:55 - 2013-11-08 13:55 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Malwarebytes
2013-11-08 13:55 - 2013-11-08 13:55 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-11-08 13:55 - 2013-11-08 13:55 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-11-08 13:53 - 2012-07-05 09:08 - 00000128 _____ C:\Windows\system32\config\netlogon.ftl
2013-11-08 13:52 - 2009-07-13 23:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-11-08 13:52 - 2009-07-13 23:39 - 00044735 _____ C:\Windows\setupact.log
2013-11-08 13:43 - 2009-07-13 23:34 - 00021904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-08 13:43 - 2009-07-13 23:34 - 00021904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-08 13:36 - 2013-11-08 13:36 - 00299520 _____ C:\Users\dcollins\AppData\Roaming\KBW3HQKJLD
2013-11-08 13:36 - 2013-11-08 13:36 - 00299520 _____ C:\Users\dcollins\AppData\Local\ACZqHB7poi
2013-11-08 13:36 - 2013-11-08 13:36 - 00299520 _____ C:\ProgramData\ntN9v4aPVVt
2013-11-08 13:34 - 2013-11-08 13:34 - 00299520 _____ C:\Users\dcollins\AppData\Roaming\BGGL6jWIdD
2013-11-08 13:34 - 2013-11-08 13:34 - 00299520 _____ C:\Users\dcollins\AppData\Local\z0EVe60la0
2013-11-08 13:34 - 2013-11-08 13:34 - 00299520 _____ C:\ProgramData\hm5LUHBahL
2013-11-08 13:33 - 2013-11-08 13:29 - 00000000 ____D C:\Users\dcollins\AppData\Local\Nxrzwh3By5
2013-11-08 13:31 - 2012-07-03 12:02 - 01485501 _____ C:\Windows\WindowsUpdate.log
2013-11-08 13:30 - 2013-11-08 13:30 - 00299520 _____ C:\Users\dcollins\AppData\Roaming\QbiJfO82
2013-11-08 13:30 - 2013-11-08 13:30 - 00299520 _____ C:\Users\dcollins\AppData\Local\iNXChPq3d
2013-11-08 13:30 - 2013-11-08 13:30 - 00299520 _____ C:\ProgramData\ewRQE8JscJ
2013-11-08 09:22 - 2012-07-06 09:53 - 00046785 _____ C:\Windows\MKDEMSG.LOG
2013-11-08 09:22 - 2012-07-06 09:53 - 00001024 _____ C:\Windows\MKDEWE.TRN
2013-11-06 16:17 - 2013-11-06 16:17 - 00103364 _____ C:\Users\dcollins\Desktop\Remote Chat Application Mock Up 10 30 13.pptx
2013-11-05 18:30 - 2013-11-05 11:25 - 00113437 _____ C:\Users\dcollins\Desktop\TRACFONE.cap
2013-11-05 17:57 - 2013-11-05 17:57 - 00026624 _____ C:\Users\dcollins\Desktop\FS Inquiries vs Hours.xls
2013-10-24 12:33 - 2013-10-24 12:33 - 00288549 _____ C:\Users\dcollins\Desktop\Olsen Race Picture.pptx
2013-10-17 12:50 - 2013-10-17 12:22 - 00011840 ____N C:\Users\dcollins\Desktop\Updated Review report for Dan 2013.xlsx
2013-10-14 14:33 - 2013-10-03 16:41 - 00010832 ____N C:\Users\dcollins\Desktop\Queue Server Problem Tracking.xlsx

Files to move or delete:
====================
C:\Users\dcollins\AppData\Local\Nxrzwh3By5\XnlY1NVWa.exe

Some content of TEMP:
====================
C:\Users\Administrator\AppData\Local\Temp\ose00000.exe
C:\Users\dcollins\AppData\Local\Temp\G2MInstallerExtractor.exe
C:\Users\dcollins\AppData\Local\Temp\~tmf919980727443332709.dll

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-10-31 09:58

==================== End Of Log ============================

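The FRST log above flags a per-user Winlogon Shell value of cmd.exe together with a Command Processor AutoRun pointing at the dropped executable, which is what puts the lock screen up for that user while the Administrator account looks clean. The PowerShell audit below is added here as an example and is not part of the thread, FRST, or Malwarebytes: it lists those two values, plus any per-user Run entry that launches from AppData or ProgramData, for every user hive currently loaded. The function name Get-UserShellPersistence is hypothetical, and it assumes an elevated PowerShell 3 or later session.

```powershell
# Added example, not from the thread or from FRST. Audits the per-user persistence
# points seen in the log: Winlogon\Shell, Command Processor\AutoRun, and Run entries
# launching from user-writable locations. Function name is hypothetical.

function Get-UserShellPersistence {
    [CmdletBinding()]
    param()

    $findings = @()

    # Every loaded user hive under HKEY_USERS, skipping the *_Classes hives.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
             Where-Object { $_.PSChildName -notmatch '_Classes$' }

    foreach ($hive in $hives) {
        $sid  = $hive.PSChildName
        $base = "Registry::HKEY_USERS\$sid"

        # 1. Winlogon\Shell: a per-user override of the desktop shell. Anything other
        #    than explorer.exe (the log showed cmd.exe) deserves a look.
        $wl = Get-ItemProperty -Path "$base\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" `
                               -Name Shell -ErrorAction SilentlyContinue
        if ($wl -and $wl.Shell -and $wl.Shell -notmatch '^explorer\.exe$') {
            $findings += [pscustomobject]@{ Sid = $sid; Location = 'Winlogon\Shell'; Value = $wl.Shell }
        }

        # 2. Command Processor\AutoRun runs on every cmd.exe start. Paired with
        #    Shell=cmd.exe it launches the payload at logon and explorer never appears.
        $cp = Get-ItemProperty -Path "$base\Software\Microsoft\Command Processor" `
                               -Name AutoRun -ErrorAction SilentlyContinue
        if ($cp -and $cp.AutoRun) {
            $findings += [pscustomobject]@{ Sid = $sid; Location = 'Command Processor\AutoRun'; Value = $cp.AutoRun }
        }

        # 3. Per-user Run entries that start something from AppData or ProgramData.
        #    This is a triage list, not a verdict: legitimate updaters live there too.
        $run = Get-ItemProperty -Path "$base\Software\Microsoft\Windows\CurrentVersion\Run" `
                                -ErrorAction SilentlyContinue
        if ($run) {
            foreach ($p in $run.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
                if ("$($p.Value)" -match '\\AppData\\(Local|Roaming)\\|\\ProgramData\\') {
                    $findings += [pscustomobject]@{ Sid = $sid; Location = "Run\$($p.Name)"; Value = $p.Value }
                }
            }
        }
    }

    return $findings
}

# Usage: print the findings as a table.
Get-UserShellPersistence | Format-Table -AutoSize
```

A hive for a user who is not logged on (the case here, with the scan run as Administrator in Safe Mode) is not under HKEY_USERS; load it first with `reg load HKU\tmphive C:\Users\<name>\NTUSER.DAT`, run the audit, then `reg unload HKU\tmphive`.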

Download the attached fixlist.txt to the same folder as FRST.

Run FRST.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then:

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
