fbi moneypak virus no safe mode already ran frst what do i do now



Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-07-2013 04

Ran by SYSTEM on 31-07-2013 23:25:49

Running from G:\

Windows 7 Home Premium (X86) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

 

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

 

==================== Registry (Whitelisted) ==================

 

HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1537320 2010-06-08] (Synaptics Incorporated)

HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [34672 2008-06-12] (Adobe Systems Incorporated)

HKLM\...\Run: [hpWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [488752 2008-04-15] (Hewlett-Packard Development Company, L.P.)

HKLM\...\Run: [QlbCtrl.exe] - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [202032 2008-08-01] ( Hewlett-Packard Development Company, L.P.)

HKLM\...\Run: [QPService] - C:\Program Files\HP\QuickPlay\QPService.exe [468264 2008-09-23] (CyberLink Corp.)

HKLM\...\Run: [updateLBPShortCut] - C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [210216 2008-06-13] (CyberLink Corp.)

HKLM\...\Run: [updateP2GoShortCut] - C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [210216 2008-06-13] (CyberLink Corp.)

HKLM\...\Run: [updatePDIRShortCut] - C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe [210216 2008-06-13] (CyberLink Corp.)

HKLM\...\Run: [updatePSTShortCut] - C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe [210216 2008-10-06] (CyberLink Corp.)

HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [x]

HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)

HKLM\...\Run: [HP Software Update] - C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)

HKLM\...\Run: [] -  [x]

HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2011-10-24] (Apple Inc.)

HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)

HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)

HKLM\...\InprocServer32: [Default-cscui]  <==== ATTENTION!

HKU\Owner\...\Run: [HPAdvisor] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [ 2008-09-30] (Hewlett-Packard)

HKU\Owner\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [ 2008-06-09] (Hewlett-Packard Company)

HKU\Owner\...\Run: [TomTomHOME.exe] - C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe [ 2011-04-22] (TomTom)

HKU\Owner\...\Run: [Google Update] - C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [ 2012-03-29] (Google Inc.)

HKU\Owner\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Owner\AppData\Local\Temp\gidselykfvgeesnvu.exe [ 2013-07-31] () <===== ATTENTION

HKU\Owner\...\Run: [DW6] - "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [x]

HKU\Owner\...\Winlogon: [shell] cmd.exe [ 2009-07-13] (Microsoft Corporation) <==== ATTENTION 

HKU\Owner\...\Command Processor: "C:\Users\Owner\AppData\Local\Temp\gidselykfvgeesnvu.exe" <===== ATTENTION!

 

========================== Services (Whitelisted) =================

 

S2 CSHelper; C:\Windows\system32\CSHelper.exe [266240 2010-04-18] ()

S4 MSSQLServerADHelper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-10] (Microsoft Corporation)

S2 NAV; C:\Program Files\Norton AntiVirus\Engine\20.4.0.40\diMaster.dll [556336 2013-05-29] (Symantec Corporation)

S2 Recovery Service for Windows; C:\Program Files\SMINST\BLService.exe [365952 2008-10-06] ()

S2 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [241734 2008-09-15] ()

 

==================== Drivers (Whitelisted) ====================

 

S1 anodlwf; C:\Windows\System32\DRIVERS\anodlwf.sys [12800 2009-03-06] ()

S1 BHDrvx86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.3.1.22\Definitions\BASHDefs\20130715.001\BHDrvx86.sys [1002072 2013-05-31] (Symantec Corporation)

S1 ccSet_NAV; C:\Windows\system32\drivers\NAV\1404000.028\ccSetx86.sys [134744 2013-04-15] (Symantec Corporation)

S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-03-10] (Symantec Corporation)

S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2013-03-10] (Symantec Corporation)

S1 IDSVix86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.3.1.22\Definitions\IPSDefs\20130730.001\IDSvix86.sys [386720 2013-06-07] (Symantec Corporation)

S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.3.1.22\Definitions\VirusDefs\20130730.032\NAVENG.SYS [93272 2013-06-06] (Symantec Corporation)

S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.3.1.22\Definitions\VirusDefs\20130730.032\NAVEX15.SYS [1611992 2013-06-06] (Symantec Corporation)

S3 netr28u; C:\Windows\System32\DRIVERS\Dnetr28u.sys [750592 2009-08-05] (Ralink Technology Corp.)

S3 SRTSP; C:\Windows\System32\Drivers\NAV\1404000.028\SRTSP.SYS [603224 2013-05-15] (Symantec Corporation)

S1 SRTSPX; C:\Windows\system32\drivers\NAV\1404000.028\SRTSPX.SYS [32344 2013-03-04] (Symantec Corporation)

S0 SymDS; C:\Windows\System32\drivers\NAV\1404000.028\SYMDS.SYS [367704 2013-05-20] (Symantec Corporation)

S0 SymEFA; C:\Windows\System32\drivers\NAV\1404000.028\SYMEFA.SYS [934488 2013-05-22] (Symantec Corporation)

S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142496 2013-06-19] (Symantec Corporation)

S1 SymIRON; C:\Windows\system32\drivers\NAV\1404000.028\Ironx86.SYS [175264 2013-03-04] (Symantec Corporation)

S1 SymNetS; C:\Windows\System32\Drivers\NAV\1404000.028\SYMNETS.SYS [339544 2013-04-24] (Symantec Corporation)

S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [x]

S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [x]

 

==================== NetSvcs (Whitelisted) ===================

 

 

==================== One Month Created Files and Folders ========

 

2013-07-31 20:29 - 2013-07-31 20:29 - 00000000 ____D C:\NPE

2013-07-31 20:00 - 2013-07-31 20:00 - 00000000 ____D C:\NBRT

2013-07-31 16:37 - 2013-07-31 16:37 - 01097633 _____ C:\Users\Owner\AppData\Roaming\2433f433

2013-07-31 16:37 - 2013-07-31 16:37 - 01097612 _____ C:\Users\Owner\AppData\Local\2433f433


 

==================== One Month Modified Files and Folders =======

 

2013-07-31 23:20 - 2013-07-31 23:20 - 00000000 ____D C:\FRST

2013-07-31 20:29 - 2013-07-31 20:29 - 00000000 ____D C:\NPE

2013-07-31 20:00 - 2013-07-31 20:00 - 00000000 ____D C:\NBRT

2013-07-31 19:33 - 2009-12-06 11:03 - 00011120 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-07-31 19:33 - 2009-12-06 11:03 - 00011120 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-07-31 19:29 - 2009-12-06 11:55 - 01906025 _____ C:\Windows\WindowsUpdate.log

2013-07-31 19:25 - 2013-04-24 17:23 - 01007512 _____ C:\Windows\setupact.log

2013-07-31 16:37 - 2013-07-31 16:37 - 01097633 _____ C:\Users\Owner\AppData\Roaming\2433f433

2013-07-31 16:37 - 2013-07-31 16:37 - 01097612 _____ C:\Users\Owner\AppData\Local\2433f433

2013-07-31 16:36 - 2009-12-06 12:07 - 00798322 _____ C:\Windows\System32\PerfStringBackup.INI

2013-07-31 14:22 - 2009-12-06 12:07 - 00000246 _____ C:\ProgramData\hpqp.ini

2013-07-29 14:13 - 2012-05-07 15:34 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

2013-07-29 10:39 - 2009-09-27 20:17 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-07-14 16:08 - 2009-12-06 11:40 - 01073904 _____ C:\Windows\PFRO.log

2013-07-13 16:36 - 2012-05-03 18:00 - 00002368 _____ C:\Users\Owner\Desktop\Google Chrome.lnk

2013-07-06 13:36 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache

 

Files to move or delete:

====================

C:\Users\Owner\AppData\Local\Temp\gidselykfvgeesnvu.exe

C:\Users\Owner\ExcelQM3.RSH10.exe

C:\Users\Owner\mod.exe

C:\Users\Owner\setup.POMQMv3.RSH10.EXE

 

==================== Known DLLs (Whitelisted) ============

 

 

==================== Bamital & volsnap Check =================

 

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys

[2012-12-12 17:15] - [2012-09-06 08:48] - 0245616 ____A (Microsoft Corporation) 59F06B4968E58BC83DFC56CA4517960E

 

 

==================== EXE ASSOCIATION =====================

 

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

 

==================== Restore Points  =========================

 

Restore point made on: 2013-06-01 19:02:12

Restore point made on: 2013-06-02 14:54:12

Restore point made on: 2013-06-02 17:51:40

Restore point made on: 2013-06-05 18:20:05

Restore point made on: 2013-07-03 16:54:36

Restore point made on: 2013-07-28 12:33:48

 

==================== Memory info =========================== 

 

Percentage of memory in use: 16%

Total physical RAM: 2814.43 MB

Available physical RAM: 2355.55 MB

Total Pagefile: 2812.7 MB

Available Pagefile: 2361.96 MB

Total Virtual: 2047.88 MB

Available Virtual: 1936.91 MB

 

==================== Drives ================================

 

Drive c: () (Fixed) (Total:221.96 GB) (Free:135.74 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

Drive d: (RECOVERY) (Fixed) (Total:10.92 GB) (Free:1.83 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Drive g: (CENTON USB) (Removable) (Total:3.77 GB) (Free:3.5 GB) FAT32

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

 

==================== MBR & Partition Table ==================

 

========================================================

Disk: 0 (Size: 233 GB) (Disk ID: D610896A)

Partition 1: (Active) - (Size=222 GB) - (Type=07 NTFS)

Partition 2: (Not Active) - (Size=11 GB) - (Type=07 NTFS)

 

========================================================

Disk: 2 (MBR Code: Windows XP) (Size: 4 GB) (Disk ID: 81425531)

Partition 1: (Active) - (Size=4 GB) - (Type=0C)

 

 

LastRegBack: 2013-07-28 12:23

 

==================== End Of Log ============================


Okay this should get you going.

 

Please do the following:

  • Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy.)
  • Right-click in the open Notepad window and select Paste.
  • Save it on the flashdrive as fixlist.txt

HKLM\...\InprocServer32: [Default-cscui]  <==== ATTENTION!
HKU\Owner\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Owner\AppData\Local\Temp\gidselykfvgeesnvu.exe [ 2013-07-31] () <===== ATTENTION
HKU\Owner\...\Winlogon: [shell] cmd.exe [ 2009-07-13] (Microsoft Corporation) <==== ATTENTION
HKU\Owner\...\Command Processor: "C:\Users\Owner\AppData\Local\Temp\gidselykfvgeesnvu.exe" <===== ATTENTION!
C:\Users\Owner\AppData\Local\Temp\gidselykfvgeesnvu.exe
C:\Users\Owner\ExcelQM3.RSH10.exe
C:\Users\Owner\mod.exe
C:\Users\Owner\setup.POMQMv3.RSH10.EXE


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options.

Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt); please post it in your next reply.

After that- are you able to boot into normal mode? Let me know when you can as we have more malware to remove.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note:

Please make sure you are subscribed to this topic: Click on the "Follow This Topic" Button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly"
 

-------> Your topic will be closed if you haven't replied within 3 days! <--------
(If I don't respond within 24 hours, please send me a PM)

-DFB
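As an added illustration (not part of this thread, and not FRST's own code): a small Python triage script that applies the checks behind the ATTENTION markers to the registry section of an FRST log, and shows why the flagged Winlogon and Command Processor values form one chain. The sample lines are copied from the log above; the check names and helper functions are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: registry lines copied from the FRST log above, including
# a benign vendor entry so the checks have something to ignore.
SAMPLE_FRST_LINES = r"""
HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1537320 2010-06-08] (Synaptics Incorporated)
HKLM\...\InprocServer32: [Default-cscui]  <==== ATTENTION!
HKU\Owner\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Owner\AppData\Local\Temp\gidselykfvgeesnvu.exe [ 2013-07-31] () <===== ATTENTION
HKU\Owner\...\Winlogon: [shell] cmd.exe [ 2009-07-13] (Microsoft Corporation) <==== ATTENTION
HKU\Owner\...\Command Processor: "C:\Users\Owner\AppData\Local\Temp\gidselykfvgeesnvu.exe" <===== ATTENTION!
""".strip().splitlines()

@dataclass
class Finding:
    check: str   # which persistence check fired
    detail: str  # what was seen
    line: str    # the raw FRST line, which is what a fixlist quotes verbatim

MARKER_RE = re.compile(r"\s*<=+\s*ATTENTION!?\s*$")  # FRST's own flag
KEY_RE = re.compile(r"^(?P<hive>HK[^:]+?)\\(?P<key>[^\\:]+): (?P<rest>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\] - (?P<rest>.*)$")
# "target [size date] (publisher)"; size/date and publisher are optional.
TARGET_RE = re.compile(r"^(?P<target>.*?)\s*(?:\[(?P<meta>[^\]]*)\])?\s*(?:\((?P<pub>[^)]*)\))?$")
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)

def split_target(rest):
    """(program, publisher): publisher is '' for FRST's '()', None when absent."""
    m = TARGET_RE.match(rest)
    return m.group("target").strip('"'), m.group("pub")

def check_run(rest, line):
    m = RUN_RE.match(rest)
    if not m:
        return None
    target, pub = split_target(m.group("rest"))
    # Autostart from a Temp directory, or of a publisher-less executable dropped
    # in the user profile, is the drop-and-run pattern; vendor entries are not.
    in_temp = bool(TEMP_RE.search(target))
    unsigned_in_profile = pub == "" and target.lower().startswith("c:\\users\\")
    if in_temp or unsigned_in_profile:
        return Finding("Run value launches dropped executable", f"{m.group('name')} -> {target}", line)
    return None

def check_winlogon(rest, line):
    m = re.match(r"^\[shell\] (?P<rest>.*)$", rest, re.IGNORECASE)
    if not m:
        return None
    target, _ = split_target(m.group("rest"))
    # Winlogon's Shell value is the program started at logon; anything other
    # than explorer.exe means the user never reaches a normal desktop.
    if target.lower().split()[:1] != ["explorer.exe"]:
        return Finding("Winlogon Shell replaced", target, line)
    return None

def check_command_processor(rest, line):
    # Command Processor\AutoRun runs its command every time cmd.exe starts;
    # clean systems practically never set it, so any value is reportable.
    return Finding("Command Processor AutoRun set", rest.strip('"'), line)

def check_inproc(rest, line):
    # FRST prints a checked CLSID's InprocServer32 default only when it is not
    # the expected system DLL (here cscui); the Fixlog shows it being restored.
    m = re.match(r"^\[Default-(?P<name>[^\]]*)\]", rest)
    return Finding("CLSID InprocServer32 default changed", m.group("name"), line) if m else None

CHECKS = {"Run": check_run, "Winlogon": check_winlogon,
          "Command Processor": check_command_processor, "InprocServer32": check_inproc}

def triage(lines):
    """Run every check over the registry section of an FRST log."""
    findings = []
    for raw in lines:
        k = KEY_RE.match(MARKER_RE.sub("", raw.rstrip()))
        check = CHECKS.get(k.group("key")) if k else None
        f = check(k.group("rest"), raw.rstrip()) if check else None
        if f:
            findings.append(f)
    return findings

def logon_chain(findings):
    """True when both halves of the lock-screen chain are present: logon starts
    cmd.exe as the shell, cmd.exe runs AutoRun, and AutoRun is the dropper."""
    return {"Winlogon Shell replaced", "Command Processor AutoRun set"} <= {f.check for f in findings}

def fixlist(findings):
    """The registry part of an FRST fixlist is just the flagged lines, verbatim."""
    return [f.line for f in findings]

if __name__ == "__main__":
    print(*(f"{f.check}: {f.detail}" for f in triage(SAMPLE_FRST_LINES)), sep="\n")
```

On the sample, fixlist() returns exactly the four registry lines of the fixlist above, in the same order.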


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 30-07-2013 04

Ran by SYSTEM at 2013-08-01 00:05:18 Run:2

Running from G:\

Boot Mode: Recovery

 

==============================================

 

HKLM\Software\Classes\CLSID\{750fdf10-2a26-11d1-a3ea-080036587f03}\InprocServer32\\Default => Value was restored successfully.

HKU\Owner\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value deleted successfully.

HKU\Owner\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.

HKU\Owner\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.

C:\Users\Owner\AppData\Local\Temp\gidselykfvgeesnvu.exe => Moved successfully.

C:\Users\Owner\ExcelQM3.RSH10.exe => Moved successfully.

C:\Users\Owner\mod.exe => Moved successfully.

C:\Users\Owner\setup.POMQMv3.RSH10.EXE => Moved successfully.

 

==== End of Fixlog ====


Glad to hear you can boot. Let's start getting rid of the rest of it:

----------Step 1----------------
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

----------Step 2----------------
Please download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

----------Step 3----------------
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.


NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


----------Step 4----------------
Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 5----------------
In your next reply, please include the following:

  • TDSSKiller's logfile
  • MBAR mbar-log.txt and system-log.txt
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt

After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)


Yeah, you'll have to run it from the Desktop of the infected computer. If you like, you can download all those programs (TDSSKiller, Malwarebytes Anti-Rootkit, ComboFix, and Security Check) and transfer them to the infected computer via a flash drive.


Take your time and go through the instructions here carefully: http://forums.malwarebytes.org/index.php?showtopic=130328#entry709488

Everything you need should be there ;)

 

Some of the logs will just open on their own- they'll open using Notepad. If that happens, just go to File -> Save As -> and save it to a location of your choice.


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-07-2013 04

Ran by SYSTEM on 01-08-2013 01:27:19

Running from G:\

Windows 7 Home Premium (X86) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

 

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

 

==================== Registry (Whitelisted) ==================

 

HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1537320 2010-06-08] (Synaptics Incorporated)

HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [34672 2008-06-12] (Adobe Systems Incorporated)

HKLM\...\Run: [hpWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [488752 2008-04-15] (Hewlett-Packard Development Company, L.P.)

HKLM\...\Run: [QlbCtrl.exe] - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [202032 2008-08-01] ( Hewlett-Packard Development Company, L.P.)

HKLM\...\Run: [QPService] - C:\Program Files\HP\QuickPlay\QPService.exe [468264 2008-09-23] (CyberLink Corp.)

HKLM\...\Run: [updateLBPShortCut] - C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [210216 2008-06-13] (CyberLink Corp.)

HKLM\...\Run: [updateP2GoShortCut] - C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [210216 2008-06-13] (CyberLink Corp.)

HKLM\...\Run: [updatePDIRShortCut] - C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe [210216 2008-06-13] (CyberLink Corp.)

HKLM\...\Run: [updatePSTShortCut] - C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe [210216 2008-10-06] (CyberLink Corp.)

HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [x]

HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)

HKLM\...\Run: [HP Software Update] - C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)

HKLM\...\Run: [] -  [x]

HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2011-10-24] (Apple Inc.)

HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)

HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)

HKU\Owner\...\Run: [HPAdvisor] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [ 2008-09-30] (Hewlett-Packard)

HKU\Owner\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [ 2008-06-09] (Hewlett-Packard Company)

HKU\Owner\...\Run: [TomTomHOME.exe] - C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe [ 2011-04-22] (TomTom)

HKU\Owner\...\Run: [Google Update] - C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [ 2012-03-29] (Google Inc.)

HKU\Owner\...\Run: [DW6] - "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [x]

HKU\Owner\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Owner\AppData\Local\Temp\gidselykfvgeesnvu.exe [x] <===== ATTENTION

HKU\Owner\...\Winlogon: [shell] cmd.exe [ 2009-07-13] (Microsoft Corporation) <==== ATTENTION 

HKU\Owner\...\Command Processor: "C:\Users\Owner\AppData\Local\Temp\gidselykfvgeesnvu.exe" <===== ATTENTION!

 

========================== Services (Whitelisted) =================

 

S2 CSHelper; C:\Windows\system32\CSHelper.exe [266240 2010-04-18] ()

S4 MSSQLServerADHelper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-10] (Microsoft Corporation)

S2 NAV; C:\Program Files\Norton AntiVirus\Engine\20.4.0.40\diMaster.dll [556336 2013-05-29] (Symantec Corporation)

S2 Recovery Service for Windows; C:\Program Files\SMINST\BLService.exe [365952 2008-10-06] ()

S2 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [241734 2008-09-15] ()

 

==================== Drivers (Whitelisted) ====================

 

S1 anodlwf; C:\Windows\System32\DRIVERS\anodlwf.sys [12800 2009-03-06] ()

S1 BHDrvx86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.3.1.22\Definitions\BASHDefs\20130715.001\BHDrvx86.sys [1002072 2013-05-31] (Symantec Corporation)

S1 ccSet_NAV; C:\Windows\system32\drivers\NAV\1404000.028\ccSetx86.sys [134744 2013-04-15] (Symantec Corporation)

S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-03-10] (Symantec Corporation)

S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2013-03-10] (Symantec Corporation)

S1 IDSVix86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.3.1.22\Definitions\IPSDefs\20130731.001\IDSvix86.sys [386720 2013-06-07] (Symantec Corporation)

S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [31560 2013-07-31] ()

S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.3.1.22\Definitions\VirusDefs\20130731.018\NAVENG.SYS [93272 2013-06-06] (Symantec Corporation)

S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.3.1.22\Definitions\VirusDefs\20130731.018\NAVEX15.SYS [1611992 2013-06-06] (Symantec Corporation)

S3 netr28u; C:\Windows\System32\DRIVERS\Dnetr28u.sys [750592 2009-08-05] (Ralink Technology Corp.)

S3 SRTSP; C:\Windows\System32\Drivers\NAV\1404000.028\SRTSP.SYS [603224 2013-05-15] (Symantec Corporation)

S1 SRTSPX; C:\Windows\system32\drivers\NAV\1404000.028\SRTSPX.SYS [32344 2013-03-04] (Symantec Corporation)

S0 SymDS; C:\Windows\System32\drivers\NAV\1404000.028\SYMDS.SYS [367704 2013-05-20] (Symantec Corporation)

S0 SymEFA; C:\Windows\System32\drivers\NAV\1404000.028\SYMEFA.SYS [934488 2013-05-22] (Symantec Corporation)

S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142496 2013-06-19] (Symantec Corporation)

S1 SymIRON; C:\Windows\system32\drivers\NAV\1404000.028\Ironx86.SYS [175264 2013-03-04] (Symantec Corporation)

S1 SymNetS; C:\Windows\System32\Drivers\NAV\1404000.028\SYMNETS.SYS [339544 2013-04-24] (Symantec Corporation)

S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [x]

S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [x]

 

==================== NetSvcs (Whitelisted) ===================

 

 

==================== One Month Created Files and Folders ========

 

2013-07-31 22:10 - 2013-07-31 22:10 - 01097668 _____ C:\ProgramData\2433f433

2013-07-31 22:10 - 2013-07-31 22:10 - 01097624 _____ C:\Users\Owner\AppData\Roaming\2433f433

2013-07-31 22:10 - 2013-07-31 22:10 - 01097621 _____ C:\Users\Owner\AppData\Local\2433f433

2013-07-31 21:33 - 2013-07-31 21:53 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2013-07-31 21:33 - 2013-07-31 21:33 - 00031560 _____ C:\Windows\System32\Drivers\mbamchameleon.sys

2013-07-31 21:33 - 2013-07-31 21:33 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-07-31 20:29 - 2013-07-31 20:29 - 00000000 ____D C:\NPE

2013-07-31 20:00 - 2013-07-31 20:00 - 00000000 ____D C:\NBRT


 

==================== One Month Modified Files and Folders =======

 

2013-08-01 00:05 - 2009-12-06 11:06 - 00000000 ____D C:\users\Owner

2013-07-31 23:20 - 2013-07-31 23:20 - 00000000 ____D C:\FRST

2013-07-31 22:24 - 2013-04-24 17:23 - 01029400 _____ C:\Windows\setupact.log

2013-07-31 22:10 - 2013-07-31 22:10 - 01097668 _____ C:\ProgramData\2433f433

2013-07-31 22:10 - 2013-07-31 22:10 - 01097624 _____ C:\Users\Owner\AppData\Roaming\2433f433

2013-07-31 22:10 - 2013-07-31 22:10 - 01097621 _____ C:\Users\Owner\AppData\Local\2433f433

2013-07-31 21:54 - 2013-07-31 21:33 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2013-07-31 21:33 - 2013-07-31 21:33 - 00031560 _____ C:\Windows\System32\Drivers\mbamchameleon.sys

2013-07-31 21:33 - 2013-07-31 21:33 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-07-31 21:32 - 2009-12-06 12:07 - 00798322 _____ C:\Windows\System32\PerfStringBackup.INI

2013-07-31 21:23 - 2009-12-06 11:03 - 00011120 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-07-31 21:23 - 2009-12-06 11:03 - 00011120 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-07-31 21:19 - 2009-12-06 11:55 - 01914887 _____ C:\Windows\WindowsUpdate.log

2013-07-31 21:16 - 2009-12-06 12:07 - 00000246 _____ C:\ProgramData\hpqp.ini

2013-07-31 20:29 - 2013-07-31 20:29 - 00000000 ____D C:\NPE

2013-07-31 20:00 - 2013-07-31 20:00 - 00000000 ____D C:\NBRT

2013-07-29 14:13 - 2012-05-07 15:34 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

2013-07-29 10:39 - 2009-09-27 20:17 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-07-14 16:08 - 2009-12-06 11:40 - 01073904 _____ C:\Windows\PFRO.log

2013-07-13 16:36 - 2012-05-03 18:00 - 00002368 _____ C:\Users\Owner\Desktop\Google Chrome.lnk

2013-07-06 13:36 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache

 

==================== Known DLLs (Whitelisted) ============

 

 

==================== Bamital & volsnap Check =================

 

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys

[2012-12-12 17:15] - [2012-09-06 08:48] - 0245616 ____A (Microsoft Corporation) 59F06B4968E58BC83DFC56CA4517960E

 

 

==================== EXE ASSOCIATION =====================

 

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

 

==================== Restore Points  =========================

 

Restore point made on: 2013-06-01 19:02:12

Restore point made on: 2013-06-02 14:54:12

Restore point made on: 2013-06-02 17:51:40

Restore point made on: 2013-06-05 18:20:05

Restore point made on: 2013-07-03 16:54:36

Restore point made on: 2013-07-28 12:33:48

Restore point made on: 2013-07-31 21:53:16

 

==================== Memory info =========================== 

 

Percentage of memory in use: 16%

Total physical RAM: 2814.43 MB

Available physical RAM: 2357.55 MB

Total Pagefile: 2812.7 MB

Available Pagefile: 2357.77 MB

Total Virtual: 2047.88 MB

Available Virtual: 1941.8 MB

 

==================== Drives ================================

 

Drive c: () (Fixed) (Total:221.96 GB) (Free:135.61 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

Drive d: (RECOVERY) (Fixed) (Total:10.92 GB) (Free:1.83 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Drive g: (CENTON USB) (Removable) (Total:3.77 GB) (Free:3.47 GB) FAT32

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

 

==================== MBR & Partition Table ==================

 

========================================================

Disk: 0 (Size: 233 GB) (Disk ID: D610896A)

Partition 1: (Active) - (Size=222 GB) - (Type=07 NTFS)

Partition 2: (Not Active) - (Size=11 GB) - (Type=07 NTFS)

 

========================================================

Disk: 2 (MBR Code: Windows XP) (Size: 4 GB) (Disk ID: 81425531)

Partition 1: (Active) - (Size=4 GB) - (Type=0C)

 

 

LastRegBack: 2013-07-28 12:23

 

==================== End Of Log ============================
