MichaelAnomoly

Please help me, the fbi moneypak virus has shut down safemode on my acer aspire...


Hi guys glad to be here, shame we have to meet under these circumstances

Just what the headline says, I really need a solution that I won't have to buy and please don't tell me to wipe my hd...

What happened is that at first safemode was available, but then, as I tried to enter the command screen, the virus came up, and since then it has not been avoidable in safemode - it shows its face within moments of booting up.

Please give me a step by step response to beat this thing over the head!

A quick note: the virus says the fine is $500, not $100 or something else... does this matter?

Thanks so much for your help and timely responses...


Thanks for your suggestion, Mr. Charlie, but my acer is one of those mini-laptops with no disk drives...are you familiar with the Farbar Recovery Scan tool?

I don't mean to undermine but after this post I kept searching around and found that on another forum...I'm not sure whether the programs make the same types of logs, but I have one that I would be happy to paste for examination! Would you like me to?

Thanks so much!


Sure, we can do it that way also...........

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:

    services.exe

  • Now press the Search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs (FRST.txt and Search.txt) in your reply.

MrC


Oh this is great, you work so quickly, it's beautiful, really!

First, the FRST:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 09-01-2013

Ran by SYSTEM at 12-01-2013 14:16:46

Running from F:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [iAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)

HKLM\...\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [320000 2009-04-09] (AlcorMicro Co., Ltd.)

HKLM\...\Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [823840 2009-09-30] (Acer Incorporated)

HKLM\...\Run: [mwlDaemon] C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe [349480 2009-09-10] (Egis Technology Inc.)

HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated)

HKLM\...\Run: [PLFSetI] C:\Windows\PLFSetI.exe [200704 2008-07-29] ()

HKLM\...\Run: [Logitech Download Assistant] C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch [1580368 2010-11-03] (Logitech, Inc.)

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)

HKLM-x32\...\Run: [RemoteControl8] "C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [91432 2009-04-15] (CyberLink Corp.)

HKLM-x32\...\Run: [PDVD8LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe" [50472 2009-04-15] (CyberLink Corp.)

HKLM-x32\...\Run: [EgisTecLiveUpdate] "C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe" [199464 2009-08-03] (Egis Technology Inc.)

HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED [588648 2009-07-24] (Symantec Corporation)

HKLM-x32\...\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe [825864 2009-09-24] (Dritek System Inc.)

HKLM-x32\...\Run: [Acer Assist Launcher] C:\Program Files (x86)\Acer\Acer Assist\launcher.exe [1261568 2007-11-19] ()

HKLM-x32\...\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe" [74752 2010-12-09] (Nullsoft, Inc.)

HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [x]

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKU\A\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)

HKU\A\...\Run: [Google Update] "C:\Users\A\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-07-17] (Google Inc.)

HKU\A\...\Run: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17875120 2012-10-19] (Skype Technologies S.A.)

HKU\Default\...\RunOnce: [scrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [x]

HKU\Default User\...\RunOnce: [scrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [x]

HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Acer VCM.lnk

ShortcutTarget: Acer VCM.lnk -> C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe (Acer Incorporated)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe (McAfee, Inc.)

==================== Services (Whitelisted) ===================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2011-08-11] (SUPERAntiSpyware.com)

2 FTSvc; "C:\Program Files (x86)\Brand Affinity Technologies\Fantapper Player\FantapperUpdateService.exe" [11776 2011-12-12] (Brand Affinity Technologies)

3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe" [227232 2010-09-02] (McAfee, Inc.)

2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)

3 MWLService; C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe [305448 2009-09-10] (Egis Technology Inc.)

3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)

2 RS_Service; C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe [253952 2009-07-10] (Acer Incorporated)

2 Stuffit Archive Name Service; "C:\Program Files (x86)\Smith Micro\StuffIt\ArcNameService.exe" [157016 2008-01-31] (Smith Micro Software, Inc.)

==================== Drivers (Whitelisted) =====================

0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)

2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)

1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

3 swmsflt; C:\Windows\System32\Drivers\swmsflt.sys [28808 2008-03-05] ()

3 swmsflt; C:\Windows\SysWow64\Drivers\swmsflt.sys [28808 2008-03-05] ()

3 SWNC5E00; C:\Windows\System32\Drivers\SWNC5E00.sys [195584 2008-03-05] (Sierra Wireless Inc.)

3 IntcAzAudAddService; C:\Windows\System32\drivers\RTKVHD64.sys [x]

3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-01-09 13:38 - 2013-01-12 01:38 - 00000000 ____D C:\Users\A\AppData\Roaming\Adobe

2013-01-09 09:49 - 2012-11-29 21:41 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll

2013-01-08 16:14 - 2013-01-08 16:14 - 00000000 ____D C:\Users\A\AppData\Local\{11B94B33-8E73-472E-80E9-E0DFCEDFF21F}

2013-01-07 12:16 - 2013-01-07 12:15 - 00260528 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe

2013-01-07 12:15 - 2013-01-07 12:15 - 00174000 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe

2013-01-07 12:15 - 2013-01-07 12:15 - 00173992 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe

2013-01-07 12:15 - 2013-01-07 12:15 - 00095184 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

2013-01-02 08:35 - 2013-01-02 08:35 - 00277056 ____A C:\Windows\Minidump\010213-71776-01.dmp

2012-12-27 02:22 - 2012-12-27 02:22 - 00277112 ____A C:\Windows\Minidump\122712-26067-01.dmp

2012-12-21 14:02 - 2012-12-16 09:11 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll

2012-12-21 14:02 - 2012-12-16 06:45 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll

2012-12-21 14:02 - 2012-12-16 06:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll

2012-12-21 14:02 - 2012-12-16 06:13 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll

==================== One Month Modified Files and Folders =======

2013-01-12 01:57 - 2013-01-12 01:57 - 00000000 ____D C:\FRST

2013-01-12 01:42 - 2011-11-18 19:57 - 00000000 ____D C:\Windows\System32\Macromed

2013-01-12 01:42 - 2010-11-01 08:48 - 00000000 ____D C:\users\A

2013-01-12 01:42 - 2009-10-29 00:28 - 00000000 ____D C:\Windows\SysWOW64\Macromed

2013-01-12 01:42 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2013-01-12 01:41 - 2012-09-28 09:14 - 00000000 ____D C:\Users\All Users\McAfee Security Scan

2013-01-12 01:41 - 2011-12-01 19:44 - 00000000 ____D C:\Users\A\Desktop\PhotoshopPortable

2013-01-12 01:41 - 2011-10-09 19:53 - 00000000 ____D C:\Users\A\AppData\Roaming\FinalTorrent

2013-01-12 01:41 - 2009-10-29 00:34 - 00000000 ____D C:\Users\All Users\Symantec

2013-01-12 01:41 - 2009-10-28 23:55 - 00000000 ____D C:\Users\All Users\Microsoft Help

2013-01-12 01:41 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration

2013-01-12 01:41 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat

2013-01-12 01:38 - 2013-01-09 13:38 - 00000000 ____D C:\Users\A\AppData\Roaming\Adobe

2013-01-12 01:33 - 2009-07-13 23:44 - 00000000 ___RD C:\Users\Public\Recorded TV

2013-01-11 20:11 - 2011-11-30 11:32 - 01851904 __ASH C:\Users\A\Desktop\Thumbs.db

2013-01-11 17:46 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\tracing

2013-01-09 14:00 - 2011-12-02 04:31 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-01-09 14:00 - 2010-11-01 05:37 - 01344437 ____A C:\Windows\WindowsUpdate.log

2013-01-09 13:47 - 2012-04-17 22:07 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-01-09 13:37 - 2012-08-31 04:27 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1002288550-3500451634-2136258424-1000UA.job

2013-01-09 09:33 - 2012-08-31 04:27 - 00000840 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1002288550-3500451634-2136258424-1000Core.job

2013-01-08 23:32 - 2011-10-09 19:51 - 00000384 ____A C:\Windows\Tasks\FinalTorrent Update Checker.job

2013-01-08 19:22 - 2012-09-14 10:17 - 00000428 ____A C:\Windows\System32\Drivers\etc\hosts.ics

2013-01-08 18:00 - 2011-12-02 04:31 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-01-08 16:14 - 2013-01-08 16:14 - 00000000 ____D C:\Users\A\AppData\Local\{11B94B33-8E73-472E-80E9-E0DFCEDFF21F}

2013-01-07 12:15 - 2013-01-07 12:16 - 00260528 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe

2013-01-07 12:15 - 2013-01-07 12:15 - 00174000 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe

2013-01-07 12:15 - 2013-01-07 12:15 - 00173992 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe

2013-01-07 12:15 - 2013-01-07 12:15 - 00095184 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

2013-01-07 12:15 - 2012-09-28 09:12 - 00859072 ____A (Oracle Corporation) C:\Windows\SysWOW64\npdeployJava1.dll

2013-01-07 12:15 - 2011-11-03 21:00 - 00779704 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll

2013-01-07 12:15 - 2011-03-10 09:00 - 00000000 ____D C:\Program Files (x86)\Java

2013-01-06 16:55 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-01-06 16:55 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-01-04 17:44 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF

2013-01-02 08:35 - 2013-01-02 08:35 - 00277056 ____A C:\Windows\Minidump\010213-71776-01.dmp

2013-01-02 08:35 - 2011-08-28 14:26 - 00000000 ____D C:\Windows\Minidump

2013-01-02 08:35 - 2010-11-04 17:55 - 00327680 ____A C:\Windows\System32\Ikeext.etl

2013-01-02 08:35 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-01-02 08:35 - 2009-07-13 20:51 - 00074849 ____A C:\Windows\setupact.log

2013-01-02 08:34 - 2012-09-02 18:56 - 294335352 ____A C:\Windows\MEMORY.DMP

2012-12-31 17:53 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI

2012-12-27 08:20 - 2012-11-05 16:44 - 00000000 ____D C:\Users\A\AppData\Roaming\Skype

2012-12-27 02:22 - 2012-12-27 02:22 - 00277112 ____A C:\Windows\Minidump\122712-26067-01.dmp

2012-12-22 10:59 - 2009-07-13 20:45 - 00366160 ____A C:\Windows\System32\FNTCACHE.DAT

2012-12-16 09:11 - 2012-12-21 14:02 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll

2012-12-16 06:45 - 2012-12-21 14:02 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll

2012-12-16 06:13 - 2012-12-21 14:02 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll

2012-12-16 06:13 - 2012-12-21 14:02 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll

2012-12-13 12:54 - 2012-08-31 04:36 - 00002467 ____A C:\Users\A\Desktop\Google Chrome.lnk

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-01-09 14:02:28

==================== Memory info ===========================

Percentage of memory in use: 29%

Total physical RAM: 1978.92 MB

Available physical RAM: 1395.64 MB

Total Pagefile: 1978.92 MB

Available Pagefile: 1383.05 MB

Total Virtual: 8192 MB

Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: (Acer) (Fixed) (Total:220.79 GB) (Free:40.03 GB) NTFS

2 Drive e: (PQSERVICE) (Fixed) (Total:12 GB) (Free:3.02 GB) NTFS

3 Drive f: () (Removable) (Total:1.97 GB) (Free:1.97 GB) FAT

4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

5 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 232 GB 0 B

Disk 1 Online 2015 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Recovery 12 GB 1024 KB

Partition 2 Primary 100 MB 12 GB

Partition 3 Primary 220 GB 12 GB

==================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 E PQSERVICE NTFS Partition 12 GB Healthy Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 0 Y SYSTEM RESE NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C Acer NTFS Partition 220 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 2014 MB 16 KB

==================================================================================

Disk: 1

Partition 1

Type : 06

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F FAT Removable 2014 MB Healthy

=========================================================

Last Boot: 2013-01-03 23:03

==================== End Of Log =============================

Now Services.exe:

Farbar Recovery Scan Tool (x64) Version: 09-01-2013

Ran by SYSTEM at 2013-01-12 14:18:34

Running from F:\

================== Search: "services,exe" ===================

====== End Of Search ======

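In the thread the FRST log above is read by eye. As an added example (not part of the thread and not FRST's own code), here is a small Python triage script that parses the Run/RunOnce lines of the "Registry (Whitelisted)" section of such a log and flags the entries worth a second look: a target FRST could not find (the [x] marker), an empty vendor field, a loader stub such as rundll32.exe whose real target is in the arguments, or a path under a user-writable profile directory. The sample lines are copied from the log above; the heuristics are assumptions of this example, not FRST rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the FRST log above (lines copied from it).
# "[size date]" is the target file's size and timestamp, "[x]" is FRST's marker
# for a target that was not found, and "(...)" is the vendor field.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [PLFSetI] C:\Windows\PLFSetI.exe [200704 2008-07-29] ()
HKLM\...\Run: [Logitech Download Assistant] C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch [1580368 2010-11-03] (Logitech, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [x]
HKU\A\...\Run: [Google Update] "C:\Users\A\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-07-17] (Google Inc.)
HKU\Default\...\RunOnce: [scrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [x]
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
==================== Services (Whitelisted) ===================
"""

# One Run/RunOnce line: hive ... : [value name] command [size date | x] (vendor)?
RUN_LINE = re.compile(
    r"^(?P<hive>HK[^:]*\\Run(?:Once)?):\s*\[(?P<name>[^\]]+)\]\s*"
    r"(?P<cmd>.*?)\s*\[(?P<meta>x|\d+ \d{4}-\d{2}-\d{2})\]"
    r"(?:\s*\((?P<vendor>[^)]*)\))?\s*$"
)
EXE_EXT = re.compile(r"\.(?:exe|dll|cpl|scr|bat|cmd|vbs|js)\b", re.IGNORECASE)
# Triage heuristics (assumptions of this example, not something FRST defines).
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public)\\", re.IGNORECASE)
LOADER_STUB = re.compile(r"\\(?:rundll32|regsvr32|wscript|cscript|mshta)\.exe$", re.IGNORECASE)


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str
    path: str
    file_missing: bool
    size: Optional[int]
    date: Optional[str]
    vendor: Optional[str]


@dataclass
class Finding:
    name: str
    path: str
    reasons: List[str]


def exe_path(command: str) -> str:
    """Executable part of a Run value: the quoted path, else up to the first known extension."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_EXT.search(command)
    return command[: m.end()] if m else command


def parse_run_entries(text: str) -> List[RunEntry]:
    """Pick the Run/RunOnce lines out of an FRST log; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        meta, cmd = m.group("meta"), m.group("cmd")
        missing = meta == "x"
        size, date = (None, None) if missing else (int(meta.split()[0]), meta.split()[1])
        entries.append(RunEntry(m.group("hive"), m.group("name"), cmd, exe_path(cmd),
                                missing, size, date, m.group("vendor")))
    return entries


def triage(entries: List[RunEntry]) -> List[Finding]:
    """Return the entries a helper should look at first, with the reason for each."""
    findings = []
    for e in entries:
        reasons = []
        if e.file_missing:
            reasons.append("target not found ([x]): stale entry or already-removed file")
        elif not e.vendor:
            reasons.append("empty vendor field: no company name in the file's version info")
        if USER_WRITABLE.search(e.path):
            reasons.append("runs from a user-writable profile or temp directory")
        if LOADER_STUB.search(e.path):
            reasons.append("loader stub: what actually runs is in the arguments: " + e.command)
        if reasons:
            findings.append(Finding(e.name, e.path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_run_entries(SAMPLE_LOG)):
        print(f"{f.name}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Legitimate software (Google Update under AppData, Logitech via rundll32) trips these heuristics too; the script shortens the list to check, it does not replace the judgement of whoever reads the log.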

Not much showing, that's why I like OTLPE... it shows more.

What date did you get this virus? MrC


I got it yesterday night around 9 o'clock while streaming television... For the record, what happened is that at first I could enter safemode, but when I tried following some instructions, like %appdata%, it appeared there too. Is there any way of using OTLPE via USB?


No that can't be done.

I'm going to restore it back to this date > Last Boot: 2013-01-03 23:03

That's our only option.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options (as you did before).

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

MrC


Hey, no problem, whatever I have to do, short of a full wipe, to get this thing outta my hair...

Followed instructions; here's the log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-01-2013

Ran by SYSTEM at 2013-01-12 16:04:17 Run:1

Running from F:\

==============================================

DEFAULT hive was successfully copied to System32\config\HiveBackup

DEFAULT hive was successfully restored from registry back up.

SAM hive was successfully copied to System32\config\HiveBackup

SAM hive was successfully restored from registry back up.

SECURITY hive was successfully copied to System32\config\HiveBackup

SECURITY hive was successfully restored from registry back up.

SOFTWARE hive was successfully copied to System32\config\HiveBackup

SOFTWARE hive was successfully restored from registry back up.

SYSTEM hive was successfully copied to System32\config\HiveBackup

SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====


Yes! Mr. Charlie, you're a genius... you know honestly, I'm intrigued... not to sound like a fanboy or anything, but do you think it would be possible to start learning what it is that you're doing here to help people?

Yes! Mr. Charlie, you're a genius... you know honestly,

Well, it's not just me; it's a whole team of people behind this that make it all possible.

I'm intrigued... not to sound like a fanboy or anything, but do you think it would be possible to start learning what it is that you're doing here to help people?

At the bottom of this post you'll find a list of schools:

http://forums.malwar...showtopic=12264

~~~~~~~~~~~~~~~~~~~~~~

Let's clean up the rest of it......

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


Oh I see, well alright, here's the RK report:

RogueKiller V8.4.3 [Jan 10 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : A [Admin rights]

Mode : Scan -- Date : 01/12/2013 19:17:39

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500BEVT-22A23T0 +++++

--- User ---

[MBR] 144e7a4309129cc8e45132fac3a3cc68

[bSP] 9aaf140d59838c9f44199345a563cd61 : Windows 7/8 MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12288 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 25167872 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 25372672 | Size: 226085 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_01122013_02d1917.txt >>

RKreport[1]_S_01122013_02d1917.txt


Next.................

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Here's the log... wow, there sure are a lot of steps, so this malware has some pretty long tentacles, huh?

ComboFix 13-01-13.01 - A 01/12/2013 22:33:14.3.1 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1979.824 [GMT -6:00]

Running from: c:\users\A\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}

SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2012-12-13 to 2013-01-13 )))))))))))))))))))))))))))))))

.

.

2013-01-13 04:42 . 2013-01-13 04:42 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-01-12 22:48 . 2013-01-12 23:48 16369160 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe

2013-01-12 22:34 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EA37DF96-F436-4A36-B2CF-CD07AA08702D}\mpengine.dll

2013-01-12 22:33 . 2012-11-09 05:45 750592 ----a-w- c:\windows\system32\win32spl.dll

2013-01-12 22:33 . 2012-11-09 04:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll

2013-01-12 22:32 . 2012-11-01 05:43 2002432 ----a-w- c:\windows\system32\msxml6.dll

2013-01-12 22:32 . 2012-11-01 05:43 1882624 ----a-w- c:\windows\system32\msxml3.dll

2013-01-12 22:32 . 2012-11-01 04:47 1389568 ----a-w- c:\windows\SysWow64\msxml6.dll

2013-01-12 22:32 . 2012-11-01 04:47 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll

2013-01-12 22:32 . 2012-11-20 05:48 307200 ----a-w- c:\windows\system32\ncrypt.dll

2013-01-12 22:32 . 2012-11-20 04:51 220160 ----a-w- c:\windows\SysWow64\ncrypt.dll

2013-01-12 22:32 . 2012-11-30 05:41 424448 ----a-w- c:\windows\system32\KernelBase.dll

2013-01-12 22:30 . 2012-11-23 03:13 68608 ----a-w- c:\windows\system32\taskhost.exe

2013-01-12 22:24 . 2012-11-23 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys

2013-01-12 22:09 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-01-12 09:57 . 2013-01-12 09:57 -------- d-----w- C:\FRST

2013-01-09 17:49 . 2012-11-30 05:41 1161216 ----a-w- c:\windows\system32\kernel32.dll

2013-01-07 20:15 . 2013-01-07 20:15 95184 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2012-12-21 22:02 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2012-12-21 22:02 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll

2012-12-21 22:02 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll

2012-12-21 22:02 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-01-12 23:49 . 2012-04-18 06:07 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-01-12 23:49 . 2011-07-05 22:37 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-01-07 20:15 . 2012-09-28 17:12 859072 ----a-w- c:\windows\SysWow64\npdeployJava1.dll

2013-01-07 20:15 . 2011-11-04 05:00 779704 ----a-w- c:\windows\SysWow64\deployJava1.dll

2012-11-30 04:45 . 2013-01-12 22:31 44032 ----a-w- c:\windows\apppatch\acwow64.dll

2012-11-28 08:55 . 2012-11-28 08:56 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{78DB3719-85C7-4CB6-AC3C-9949E2B5FF5E}\gapaengine.dll

2012-11-14 07:06 . 2012-12-12 22:03 17811968 ----a-w- c:\windows\system32\mshtml.dll

2012-11-14 06:32 . 2012-12-12 22:03 10925568 ----a-w- c:\windows\system32\ieframe.dll

2012-11-14 06:11 . 2012-12-12 22:04 2312704 ----a-w- c:\windows\system32\jscript9.dll

2012-11-14 06:04 . 2012-12-12 22:04 1346048 ----a-w- c:\windows\system32\urlmon.dll

2012-11-14 06:04 . 2012-12-12 22:04 1392128 ----a-w- c:\windows\system32\wininet.dll

2012-11-14 06:02 . 2012-12-12 22:04 1494528 ----a-w- c:\windows\system32\inetcpl.cpl

2012-11-14 06:02 . 2012-12-12 22:04 237056 ----a-w- c:\windows\system32\url.dll

2012-11-14 05:59 . 2012-12-12 22:04 85504 ----a-w- c:\windows\system32\jsproxy.dll

2012-11-14 05:58 . 2012-12-12 22:04 816640 ----a-w- c:\windows\system32\jscript.dll

2012-11-14 05:57 . 2012-12-12 22:04 599040 ----a-w- c:\windows\system32\vbscript.dll

2012-11-14 05:57 . 2012-12-12 22:04 173056 ----a-w- c:\windows\system32\ieUnatt.exe

2012-11-14 05:55 . 2012-12-12 22:04 2144768 ----a-w- c:\windows\system32\iertutil.dll

2012-11-14 05:55 . 2012-12-12 22:04 729088 ----a-w- c:\windows\system32\msfeeds.dll

2012-11-14 05:53 . 2012-12-12 22:04 96768 ----a-w- c:\windows\system32\mshtmled.dll

2012-11-14 05:52 . 2012-12-12 22:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-11-14 05:46 . 2012-12-12 22:04 248320 ----a-w- c:\windows\system32\ieui.dll

2012-11-14 02:09 . 2012-12-12 22:04 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll

2012-11-14 01:58 . 2012-12-12 22:04 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl

2012-11-14 01:57 . 2012-12-12 22:04 1129472 ----a-w- c:\windows\SysWow64\wininet.dll

2012-11-14 01:49 . 2012-12-12 22:04 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe

2012-11-14 01:48 . 2012-12-12 22:04 420864 ----a-w- c:\windows\SysWow64\vbscript.dll

2012-11-14 01:44 . 2012-12-12 22:04 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2012-11-09 05:45 . 2012-12-12 16:26 2048 ----a-w- c:\windows\system32\tzres.dll

2012-11-09 04:42 . 2012-12-12 16:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2012-11-02 05:59 . 2012-12-12 16:20 478208 ----a-w- c:\windows\system32\dpnet.dll

2012-11-02 05:11 . 2012-12-12 16:20 376832 ----a-w- c:\windows\SysWow64\dpnet.dll

2012-10-16 08:38 . 2012-11-28 11:21 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 08:38 . 2012-11-28 11:21 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 07:39 . 2012-11-28 11:21 561664 ----a-w- c:\windows\apppatch\AcLayers.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{687578b9-7132-4a7a-80e4-30ee31099e03}"= "c:\program files (x86)\uTorrentControl2\prxtbuTor.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{687578b9-7132-4a7a-80e4-30ee31099e03}]

2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\uTorrentControl2\prxtbuTor.dll

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{8A86D350-37AB-410A-8531-7D1363F317B3}]

c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\\IEInstaller.dll [bU]

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]

2011-08-19 16:45 790304 ----a-w- c:\program files (x86)\Yontoo Layers Runtime\YontooIEClient.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{687578b9-7132-4a7a-80e4-30ee31099e03}"= "c:\program files (x86)\uTorrentControl2\prxtbuTor.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]

@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"

[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]

2009-09-10 13:41 120104 ----a-w- c:\program files (x86)\EgisTec\MyWinLocker 3\x86\PSDProtect.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-10-19 17875120]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl8"="c:\program files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]

"PDVD8LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]

"EgisTecLiveUpdate"="c:\program files (x86)\EgisTec Egis Software Update\EgisUpdate.exe" [2009-08-04 199464]

"NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-07-24 588648]

"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-09-24 825864]

"Acer Assist Launcher"="c:\program files (x86)\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]

"WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2010-12-09 74752]

"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Acer VCM.lnk - c:\program files (x86)\Acer\Acer VCM\AcerVCM.exe [2009-10-29 708608]

McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-3 255536]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-10-19 160944]

R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [2009-05-26 40448]

R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-09-03 227232]

R3 MWLService;MyWinLocker Service;c:\program files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe [2009-09-10 305448]

R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-08 1255736]

S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [2009-06-02 22576]

S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [2009-06-02 20016]

S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [2009-06-02 60464]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2009-09-30 844320]

S2 Greg_Service;GRegService;c:\program files (x86)\Acer\Registration\GregHSRW.exe [2009-08-28 1150496]

S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]

S2 RS_Service;Raw Socket Service;c:\program files (x86)\Acer\Acer VCM\RS_Service.exe [2009-07-10 253952]

S2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2009-07-04 240160]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-03-15 145408]

S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys [2009-04-27 57344]

S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2009-09-15 6952960]

S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]

.

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-13 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 23:49]

.

2013-01-13 c:\windows\Tasks\FinalTorrent Update Checker.job

- c:\program files (x86)\FinalTorrent\FTCheckForUpdates.exe [2011-10-10 20:24]

.

2013-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-02 12:31]

.

2013-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-02 12:31]

.

2013-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1002288550-3500451634-2136258424-1000Core.job

- c:\users\A\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-31 15:07]

.

2013-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1002288550-3500451634-2136258424-1000UA.job

- c:\users\A\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-31 15:07]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]

@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"

[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]

2009-09-10 13:44 137512 ----a-w- c:\program files (x86)\EgisTec\MyWinLocker 3\x64\PSDProtect.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]

"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2009-04-09 320000]

"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2009-09-30 823840]

"mwlDaemon"="c:\program files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe" [2009-09-10 349480]

"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [bU]

"PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-30 200704]

"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2010-11-04 1580368]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-03 159232]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-03 380928]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-03 358912]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uLocal Page = c:\windows\system32\blank.htm

mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_1410&r=273611103206l0383z1l5w4931r72o

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_1410&r=273611103206l0383z1l5w4931r72o

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{6C4103BD-356A-47FE-8112-F785E4576138}: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{6C4103BD-356A-47FE-8112-F785E4576138}\16474777966696: DhcpNameServer = 10.130.220.129 64.134.255.2 64.134.255.10

TCP: Interfaces\{6C4103BD-356A-47FE-8112-F785E4576138}\2375942554335303: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{6C4103BD-356A-47FE-8112-F785E4576138}\2456C6B696E6F5052756D2E4F5238373638363: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{6C4103BD-356A-47FE-8112-F785E4576138}\65562796A7F6E60275962756C6563737D27657563747: DhcpNameServer = 192.168.7.254

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

WebBrowser-{687578B9-7132-4A7A-80E4-30EE31099E03} - (no file)

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1002288550-3500451634-2136258424-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.download\UserChoice]

@Denied: (2) (LocalSystem)

@Denied: (2) (S-1-5-21-1002288550-3500451634-2136258424-1000)

"Progid"="SafariDownload"

.

[HKEY_USERS\S-1-5-21-1002288550-3500451634-2136258424-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.Email.1"

.

[HKEY_USERS\S-1-5-21-1002288550-3500451634-2136258424-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]

@Denied: (2) (S-1-5-21-1002288550-3500451634-2136258424-1000)

@Denied: (2) (LocalSystem)

"Progid"="ChromeHTML.F7Z7ID2FUMVLXX7TA2XHHPG35M"

.

[HKEY_USERS\S-1-5-21-1002288550-3500451634-2136258424-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]

@Denied: (2) (S-1-5-21-1002288550-3500451634-2136258424-1000)

@Denied: (2) (LocalSystem)

"Progid"="ChromeHTML.F7Z7ID2FUMVLXX7TA2XHHPG35M"

.

[HKEY_USERS\S-1-5-21-1002288550-3500451634-2136258424-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.safariextz\UserChoice]

@Denied: (2) (LocalSystem)

@Denied: (2) (S-1-5-21-1002288550-3500451634-2136258424-1000)

"Progid"="SafariExtension"

.

[HKEY_USERS\S-1-5-21-1002288550-3500451634-2136258424-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]

@Denied: (2) (S-1-5-21-1002288550-3500451634-2136258424-1000)

@Denied: (2) (LocalSystem)

"Progid"="ChromeHTML.F7Z7ID2FUMVLXX7TA2XHHPG35M"

.

[HKEY_USERS\S-1-5-21-1002288550-3500451634-2136258424-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice]

@Denied: (2) (LocalSystem)

@Denied: (2) (S-1-5-21-1002288550-3500451634-2136258424-1000)

"Progid"="SafariHTML"

.

[HKEY_USERS\S-1-5-21-1002288550-3500451634-2136258424-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.VCard.1"

.

[HKEY_USERS\S-1-5-21-1002288550-3500451634-2136258424-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.webarchive\UserChoice]

@Denied: (2) (LocalSystem)

@Denied: (2) (S-1-5-21-1002288550-3500451634-2136258424-1000)

"Progid"="SafariHTML"

.

[HKEY_USERS\S-1-5-21-1002288550-3500451634-2136258424-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]

@Denied: (2) (S-1-5-21-1002288550-3500451634-2136258424-1000)

@Denied: (2) (LocalSystem)

"Progid"="ChromeHTML.F7Z7ID2FUMVLXX7TA2XHHPG35M"

.

[HKEY_USERS\S-1-5-21-1002288550-3500451634-2136258424-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]

@Denied: (2) (S-1-5-21-1002288550-3500451634-2136258424-1000)

@Denied: (2) (LocalSystem)

"Progid"="ChromeHTML.F7Z7ID2FUMVLXX7TA2XHHPG35M"

.

[HKEY_USERS\S-1-5-21-1002288550-3500451634-2136258424-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\UserChoice]

@Denied: (2) (LocalSystem)

@Denied: (2) (S-1-5-21-1002288550-3500451634-2136258424-1000)

"Progid"="SafariHTML"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-01-12 22:47:12

ComboFix-quarantined-files.txt 2013-01-13 04:47

ComboFix2.txt 2013-01-13 04:18

.

Pre-Run: 136,426,524,672 bytes free

Post-Run: 136,365,617,152 bytes free

.

- - End Of File - - 24763E0FF602CB2805C3725EEDC0A99A

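The log above is long, and the parts that matter for an autostart review are the "Reg Loading Points" entries (Run keys, BHOs, services, Startup folder, scheduled tasks) and, for a machine that cannot reach Safe Mode, the SafeBoot\Minimal keys ComboFix recorded. The script below is an added example, not ComboFix's own code and not something either poster supplied: it parses the line shapes visible in the posted log, flags every entry whose trailing bracket is not a date/size or date/time stamp (the `[x]` on PCTINDIS5X64 and the `[bU]` on SynTPEnh and IEInstaller.dll above), and lists the SafeBoot entries it saw. Treating "no stamp" as "look at this by hand" is this example's assumption; the page does not define those tags. `SAMPLE_LOG`, `Entry` and `triage` are names chosen here, and the sample is constructed from abridged lines of the posted log.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log. Added example,
not ComboFix's own code: it knows only the line shapes visible in the posted
log and flags autostart entries whose trailing [...] is not a date/size or
date/time stamp (e.g. [x] or [bU]), plus the SafeBoot\\Minimal entries seen."""
import re
from dataclasses import dataclass

# Constructed sample in the log's own layout, abridged from the post above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-08-19 16:45 790304 ----a-w- c:\program files (x86)\Yontoo Layers Runtime\YontooIEClient.dll
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{8A86D350-37AB-410A-8531-7D1363F317B3}]
c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\\IEInstaller.dll [bU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl8"="c:\program files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
2013-01-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 23:49]
--------- X64 Entries -----------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [bU]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]
------- Supplementary Scan -------
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]$')           # "name"="path" [stamp]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.+?)\s*\[([^\]]*)\]$")  # R2 Name;Desc;path [stamp]
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(.+\.job)$", re.I)            # scheduled task header
TASK_RE = re.compile(r"^-\s+(.+?)\s*\[([^\]]*)\]$")                      # - path [date time]
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(\d+)\s+\S+\s+(.+)$")  # dir-style listing
BARE_PATH_RE = re.compile(r"^([a-z]:\\.+?)\s*\[([^\]]*)\]$", re.I)      # path [stamp], e.g. a BHO
SAFEBOOT_RE = re.compile(r"\\SafeBoot\\(?:Minimal|Network)\\(.+)$", re.I)
STAMP_OK = re.compile(r"^\d{4}-\d{2}-\d{2} (\d+|\d{2}:\d{2})$")          # [date size] or [date time]


@dataclass
class Entry:
    kind: str      # value | service | task | file
    location: str  # registry key, service start type or .job file
    name: str
    path: str
    stamp: str     # text inside the trailing [...]

    @property
    def verified(self) -> bool:
        """True when ComboFix wrote a [date size] or [date time] stamp for the file."""
        return STAMP_OK.match(self.stamp) is not None


def triage(text: str) -> dict:
    """Parse the Reg Loading Points section; return all entries, the subset with
    no proper stamp (assumed to need manual review) and the SafeBoot names seen."""
    entries, safeboot, key, active = [], [], "", False
    for raw in text.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:
            active = True
            continue
        if not active:
            continue
        if line.startswith("------- Supplementary Scan"):
            break
        if m := KEY_RE.match(line):
            key = m[1]
            if sb := SAFEBOOT_RE.search(key):
                safeboot.append(sb[1])
        elif m := JOB_RE.match(line):
            key = m[1]
        elif m := VALUE_RE.match(line):
            entries.append(Entry("value", key, m[1], m[2], m[3]))
        elif m := SERVICE_RE.match(line):
            entries.append(Entry("service", m[1], m[2], m[3], m[4]))
        elif m := TASK_RE.match(line):
            entries.append(Entry("task", key, m[1].rsplit("\\", 1)[-1], m[1], m[2]))
        elif m := FILE_RE.match(line):
            entries.append(Entry("file", key, m[3].rsplit("\\", 1)[-1], m[3], f"{m[1]} {m[2]}"))
        elif m := BARE_PATH_RE.match(line):
            entries.append(Entry("file", key, m[1].rsplit("\\", 1)[-1], m[1], m[2]))
    return {"entries": entries,
            "unverified": [e for e in entries if not e.verified],
            "safeboot": safeboot}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for e in report["unverified"]:
        print(f"REVIEW [{e.stamp}] {e.kind:<8}{e.name:<18}{e.path}  <- {e.location}")
    print("SafeBoot entries recorded:", ", ".join(report["safeboot"]) or "NONE (Safe Mode keys missing)")
```

Run it against the full text of a ComboFix log instead of `SAMPLE_LOG` and you get the three entries a helper would ask about first (a driver whose file is gone, and two autostarts ComboFix could not stamp), plus confirmation that SafeBoot\Minimal still holds entries; an empty SafeBoot list on a box that cannot enter Safe Mode is the first thing to chase.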

That scan looks OK......

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
