
FBI Moneypak Virus


This topic is locked
17 replies to this topic

#1 chem_girl


  • Members
  • 12 posts

Posted 18 November 2012 - 09:27 AM

My Windows 7 laptop was infected last night with the Moneypak virus. It is completely locked.

I tried restarting it a number of times in safe mode, safe mode with networking, safe mode with command prompt, but in each instance, after "loading files, please wait...", the screen stays completely black. I literally can do nothing, not even access system restore.

Please help! Thank you in advance.

#2 fireman4it


    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 18 November 2012 - 11:40 AM

Hello,

Do you have a Usb Flash Drive you can use?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



#3 chem_girl

  • Topic Starter

  • Members
  • 12 posts

Posted 18 November 2012 - 11:45 AM

Thank you for replying. Yes, I do have a flashdrive.

#4 fireman4it


    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 18 November 2012 - 11:53 AM

I'm taking a shot in the dark and saying you have a 64 bit machine.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.



#5 chem_girl

  • Topic Starter

  • Members
  • 12 posts

Posted 18 November 2012 - 12:11 PM

Thank you. Should I shut down my computer now or just let it sit in this Farbar Recovery Scan in Repair Mode?

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-11-2012
Ran by SYSTEM at 18-11-2012 12:08:03
Running from E:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [x]
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SA3\SACpl.exe /sa3 /nv:3.0 /dne /s [x]
HKLM\...\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2010-12-17] ()
HKLM\...\Run: [IntelPAN] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PAN Tray [1935120 2011-11-01] (Intel® Corporation)
HKLM\...\Run: [BTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp [10357008 2011-10-18] (Intel Corporation)
HKLM\...\Run: [QuickSet] c:\Program Files\Dell\QuickSet\QuickSet.exe [4500640 2011-03-10] (Dell Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [497648 2010-07-28] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [x]
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [503942 2011-04-13] (Creative Technology Ltd)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1535112 2012-09-12] (McAfee, Inc.)
HKLM-x32\...\Run: [NeroLauncher] C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe 900 [66872 2012-02-06] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre7\bin\jusched.exe" [x]
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [296096 2012-10-28] (RealNetworks, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [926896 2012-09-23] (Adobe Systems Incorporated)
HKU\dumm\...\Run: [Microsoft Updater] "C:\Users\dumm\AppData\Local\Temp\013b0bb216bb.exe" [218904 2012-11-16] (25r23 52)
HKU\dumm\...\Run: [Google] "xidpwooedd.exe" [x]
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\822\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
ShortcutTarget: Google Calendar Sync.lnk -> C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe (Google)
Startup: C:\Users\dumm\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 CxAudMsg; C:\Windows\system32\CxAudMsg64.exe [200320 2011-05-12] (Conexant Systems Inc.)
3 CxUtilSvc; "C:\Program Files\Conexant\SA3\CxUtilSvc.exe" [109184 2011-08-11] (Conexant Systems, Inc.)
3 lltdsvc; C:\Windows\System32\svchost.exe -k LocalService [27136 2009-07-13] (Microsoft Corporation)
3 lltdsvc; C:\Windows\SysWow64\svchost.exe -k LocalService [20992 2009-07-13] (Microsoft Corporation)
3 McAWFwk; C:\PROGRA~1\mcafee\msc\mcawfwk.exe [224704 2011-03-08] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)
3 McODS; "C:\Program Files\mcafee\VirusScan\mcods.exe" [383608 2012-09-10] (McAfee, Inc.)
4 McOobeSv; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [237920 2012-07-17] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [218320 2012-07-17] (McAfee, Inc.)
2 mfevtp; "C:\Windows\system32\mfevtps.exe" [177144 2012-07-17] (McAfee, Inc.)
2 MSK80Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)
3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-11-01] ()
3 netprofm; C:\Windows\System32\svchost.exe -k LocalService [27136 2009-07-13] (Microsoft Corporation)
3 netprofm; C:\Windows\SysWow64\svchost.exe -k LocalService [20992 2009-07-13] (Microsoft Corporation)
3 SCardSvr; C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [27136 2009-07-13] (Microsoft Corporation)
3 SCardSvr; C:\Windows\SysWow64\svchost.exe -k LocalServiceAndNoImpersonation [20992 2009-07-13] (Microsoft Corporation)

==================== Drivers (Whitelisted) =====================

3 cfwids; C:\Windows\System32\Drivers\cfwids.sys [69672 2012-07-17] (McAfee, Inc.)
3 HipShieldK; C:\Windows\System32\Drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
3 MCfilt; C:\Windows\System32\drivers\MCfilt64.sys [32344 2010-12-08] (Creative Technology Ltd.)
3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [169320 2012-07-17] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [300392 2012-07-17] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [752672 2012-07-17] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [106112 2012-07-17] (McAfee, Inc.)
0 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [335784 2012-07-17] (McAfee, Inc.)
3 PCDSRVC{1E208CE0-FB7451FF-06020200}_0; [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-11-16 16:56 - 2012-11-16 16:56 - 00006512 ____N C:\bootsqm.dat
2012-11-16 16:55 - 2012-11-16 16:55 - 00000000 __SHD C:\found.000
2012-11-15 02:39 - 2012-11-15 02:39 - 00000000 ____D C:\Program Files (x86)\Belkin
2012-11-14 15:03 - 2012-07-25 20:55 - 00785512 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys
2012-11-14 15:03 - 2012-07-25 20:55 - 00054376 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys
2012-11-14 15:03 - 2012-07-25 18:36 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll
2012-11-14 15:03 - 2012-06-02 06:35 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
2012-11-14 14:59 - 2012-10-08 04:19 - 17811968 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-11-14 14:59 - 2012-10-08 03:42 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-11-14 14:59 - 2012-10-08 03:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-11-14 14:59 - 2012-10-08 03:24 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-11-14 14:59 - 2012-10-08 03:23 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-11-14 14:59 - 2012-10-08 03:22 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-11-14 14:59 - 2012-10-08 03:22 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-11-14 14:59 - 2012-10-08 03:20 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-11-14 14:59 - 2012-10-08 03:18 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-11-14 14:59 - 2012-10-08 03:17 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-11-14 14:59 - 2012-10-08 03:17 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-11-14 14:59 - 2012-10-08 03:15 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-11-14 14:59 - 2012-10-08 03:15 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-11-14 14:59 - 2012-10-08 03:13 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-11-14 14:59 - 2012-10-08 03:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-11-14 14:59 - 2012-10-08 03:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-11-14 14:59 - 2012-10-08 00:28 - 12320768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-11-14 14:59 - 2012-10-08 00:02 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-11-14 14:59 - 2012-10-07 23:56 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-11-14 14:59 - 2012-10-07 23:48 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-11-14 14:59 - 2012-10-07 23:48 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-11-14 14:59 - 2012-10-07 23:47 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-11-14 14:59 - 2012-10-07 23:46 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-11-14 14:59 - 2012-10-07 23:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-11-14 14:59 - 2012-10-07 23:44 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-11-14 14:59 - 2012-10-07 23:43 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-11-14 14:59 - 2012-10-07 23:43 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-11-14 14:59 - 2012-10-07 23:42 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-11-14 14:59 - 2012-10-07 23:41 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-11-14 14:59 - 2012-10-07 23:41 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-11-14 14:59 - 2012-10-07 23:40 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-11-14 14:59 - 2012-10-07 23:37 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-11-14 14:55 - 2012-07-25 19:08 - 00744448 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll
2012-11-14 14:55 - 2012-07-25 19:08 - 00229888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe
2012-11-14 14:55 - 2012-07-25 19:08 - 00194048 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll
2012-11-14 14:55 - 2012-07-25 19:08 - 00084992 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll
2012-11-14 14:55 - 2012-07-25 19:08 - 00045056 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll
2012-11-14 14:55 - 2012-07-25 18:26 - 00198656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys
2012-11-14 14:55 - 2012-07-25 18:26 - 00087040 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys
2012-11-14 14:55 - 2012-06-02 06:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
2012-11-14 03:50 - 2012-11-14 03:50 - 01988047 ____A C:\Users\dumm\Desktop\Andrew Bogut High Fiving Himself.wmv
2012-11-14 03:48 - 2012-11-14 03:48 - 02615223 ____A C:\Users\dumm\Desktop\James Harden free throw high five, handshakes fail, funny.wmv
2012-11-14 02:47 - 2012-10-18 10:25 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-11-14 02:47 - 2012-10-09 10:17 - 00226816 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcore6.dll
2012-11-14 02:47 - 2012-10-09 10:17 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcsvc6.dll
2012-11-14 02:47 - 2012-10-09 09:40 - 00193536 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcore6.dll
2012-11-14 02:47 - 2012-10-09 09:40 - 00044032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcsvc6.dll
2012-11-14 02:47 - 2012-10-03 09:56 - 01914248 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-11-14 02:47 - 2012-10-03 09:44 - 00303104 ____A (Microsoft Corporation) C:\Windows\System32\nlasvc.dll
2012-11-14 02:47 - 2012-10-03 09:44 - 00246272 ____A (Microsoft Corporation) C:\Windows\System32\netcorehc.dll
2012-11-14 02:47 - 2012-10-03 09:44 - 00216576 ____A (Microsoft Corporation) C:\Windows\System32\ncsi.dll
2012-11-14 02:47 - 2012-10-03 09:44 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\nlaapi.dll
2012-11-14 02:47 - 2012-10-03 09:44 - 00018944 ____A (Microsoft Corporation) C:\Windows\System32\netevent.dll
2012-11-14 02:47 - 2012-10-03 09:42 - 00569344 ____A (Microsoft Corporation) C:\Windows\System32\iphlpsvc.dll
2012-11-14 02:47 - 2012-10-03 08:42 - 00175104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netcorehc.dll
2012-11-14 02:47 - 2012-10-03 08:42 - 00156672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2012-11-14 02:47 - 2012-10-03 08:42 - 00018944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netevent.dll
2012-11-14 02:47 - 2012-10-03 08:07 - 00045568 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys
2012-11-14 02:47 - 2012-01-12 23:12 - 00052224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2012-11-14 02:46 - 2012-09-25 14:47 - 00078336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\synceng.dll
2012-11-14 02:46 - 2012-09-25 14:46 - 00095744 ____A (Microsoft Corporation) C:\Windows\System32\synceng.dll
2012-11-11 07:34 - 2012-11-11 07:34 - 00099817 ____A C:\Users\dumm\Desktop\natural_cure_spiritual_disease.txt
2012-11-11 06:55 - 2012-11-11 06:55 - 00001526 ____A C:\Users\dumm\Local Settings\PDLSetup.20121111.095545.txt
2012-11-11 06:55 - 2012-11-11 06:55 - 00001526 ____A C:\Users\dumm\Local Settings\Application Data\PDLSetup.20121111.095545.txt
2012-11-11 06:55 - 2012-11-11 06:55 - 00001526 ____A C:\Users\dumm\AppData\Local\PDLSetup.20121111.095545.txt
2012-11-11 06:09 - 2012-11-11 08:10 - 00009672 ____A C:\Users\dumm\Desktop\ap_chem_ch_1_10_exam.tst
2012-11-09 20:15 - 2012-11-09 20:15 - 00000000 ____D C:\Users\dumm\Desktop\simple_guide_to_life
2012-11-03 08:01 - 2012-11-03 08:01 - 00386282 ____A C:\Users\dumm\Downloads\2012-miamidade-county-christian-voter-guides-candidate-endorsements-sample-ballot-election-recommendations
2012-11-01 02:07 - 2012-11-01 02:08 - 01993216 ____A C:\Users\dumm\Downloads\All-districts-11-12.xls
2012-11-01 02:06 - 2012-11-01 02:06 - 00064000 ____A C:\Users\dumm\Downloads\SchoolImprovementAllDistricts.xls
2012-10-29 12:18 - 2012-10-29 12:18 - 00000000 ____D C:\Users\dumm\Application Data\Apple Computer
2012-10-29 12:18 - 2012-10-29 12:18 - 00000000 ____D C:\Users\dumm\AppData\Roaming\Apple Computer
2012-10-28 14:48 - 2012-10-28 14:48 - 03399680 ____A C:\Users\dumm\Downloads\ch_6_ppt (1).ppt
2012-10-28 14:47 - 2012-10-28 14:47 - 03401728 ____A C:\Users\dumm\Downloads\ch_6_ppt.ppt
2012-10-28 09:35 - 2012-10-28 09:35 - 00002021 ____A C:\Users\Public\Desktop\Adobe Reader XI.lnk
2012-10-28 09:35 - 2012-10-28 09:35 - 00002021 ____A C:\Users\All Users\Desktop\Adobe Reader XI.lnk
2012-10-28 09:29 - 2012-10-28 09:31 - 00000000 ____D C:\Program Files (x86)\LiveMath
2012-10-28 09:21 - 2012-10-28 09:22 - 00000000 ____D C:\Program Files (x86)\QuickTime
2012-10-28 09:21 - 2012-10-28 09:21 - 00000000 ____D C:\Users\dumm\Local Settings\Application Data\Apple
2012-10-28 09:21 - 2012-10-28 09:21 - 00000000 ____D C:\Users\dumm\Local Settings\Apple
2012-10-28 09:21 - 2012-10-28 09:21 - 00000000 ____D C:\Users\dumm\AppData\Local\Apple
2012-10-28 09:21 - 2012-10-28 09:21 - 00000000 ____D C:\Users\All Users\Application Data\Apple Computer
2012-10-28 09:21 - 2012-10-28 09:21 - 00000000 ____D C:\Users\All Users\Application Data\Apple
2012-10-28 09:21 - 2012-10-28 09:21 - 00000000 ____D C:\Users\All Users\Apple Computer
2012-10-28 09:21 - 2012-10-28 09:21 - 00000000 ____D C:\Users\All Users\Apple
2012-10-28 09:21 - 2012-10-28 09:21 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2012-10-28 09:15 - 2012-11-10 18:22 - 00000000 ____D C:\Users\dumm\Application Data\Real
2012-10-28 09:15 - 2012-11-10 18:22 - 00000000 ____D C:\Users\dumm\AppData\Roaming\Real
2012-10-28 09:15 - 2012-10-28 09:15 - 00499712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
2012-10-28 09:15 - 2012-10-28 09:15 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2012-10-28 09:15 - 2012-10-28 09:15 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
2012-10-28 09:15 - 2012-10-28 09:15 - 00198864 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
2012-10-28 09:15 - 2012-10-28 09:15 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
2012-10-28 09:15 - 2012-10-28 09:15 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
2012-10-28 09:15 - 2012-10-28 09:15 - 00001270 ____A C:\Users\Public\Desktop\RealPlayer.lnk
2012-10-28 09:15 - 2012-10-28 09:15 - 00001270 ____A C:\Users\All Users\Desktop\RealPlayer.lnk
2012-10-28 09:15 - 2012-10-28 09:15 - 00000000 ____D C:\Program Files (x86)\Real
2012-10-28 09:13 - 2012-10-28 09:16 - 00000000 ____D C:\Users\All Users\Real
2012-10-28 09:13 - 2012-10-28 09:16 - 00000000 ____D C:\Users\All Users\Application Data\Real
2012-10-27 08:54 - 2012-10-27 08:54 - 00002261 ____A C:\Users\dumm\Desktop\Google Chrome.lnk
2012-10-27 08:49 - 2012-11-16 16:58 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-10-27 08:49 - 2012-11-16 16:00 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-10-27 08:48 - 2012-10-27 08:48 - 00000000 ____D C:\Users\dumm\Local Settings\Deployment
2012-10-27 08:48 - 2012-10-27 08:48 - 00000000 ____D C:\Users\dumm\Local Settings\Application Data\Deployment
2012-10-27 08:48 - 2012-10-27 08:48 - 00000000 ____D C:\Users\dumm\AppData\Local\Deployment
2012-10-27 08:48 - 2012-10-27 08:48 - 00000000 ____D C:\Users\dumm\AppData\Local\Apps\2.0
2012-10-25 17:58 - 2012-04-20 12:40 - 00196440 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\HipShieldK.sys
2012-10-20 19:51 - 2012-10-25 21:33 - 00000000 ____D C:\Program Files\Google
2012-10-19 15:33 - 2012-10-19 15:33 - 00010538 ____A C:\Users\dumm\My Documents\prop222_extra_credit_rubric.xlsx
2012-10-19 15:33 - 2012-10-19 15:33 - 00010538 ____A C:\Users\dumm\Documents\prop222_extra_credit_rubric.xlsx


==================== One Month Modified Files and Folders =======

2012-11-18 12:07 - 2012-11-18 12:07 - 00000000 ____D C:\FRST
2012-11-16 18:09 - 2009-07-13 20:45 - 00003072 _____ C:\Windows\System32\umstartup.etl
2012-11-16 16:58 - 2012-10-27 08:49 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-11-16 16:58 - 2012-09-08 08:52 - 00002576 ____A C:\Windows\setupact.log
2012-11-16 16:58 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-16 16:56 - 2012-11-16 16:56 - 00006512 ____N C:\bootsqm.dat
2012-11-16 16:55 - 2012-11-16 16:55 - 00000000 __SHD C:\found.000
2012-11-16 16:10 - 2012-05-21 04:44 - 01618352 ____A C:\Windows\WindowsUpdate.log
2012-11-16 16:00 - 2012-10-27 08:49 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-11-16 16:00 - 2012-05-21 04:45 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-11-16 12:36 - 2009-07-13 21:13 - 00778834 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-16 04:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2012-11-15 17:59 - 2012-06-20 17:07 - 00000000 ____D C:\Users\dumm\Local Settings\Nero
2012-11-15 17:59 - 2012-06-20 17:07 - 00000000 ____D C:\Users\dumm\Local Settings\Application Data\Nero
2012-11-15 17:59 - 2012-06-20 17:07 - 00000000 ____D C:\Users\dumm\AppData\Local\Nero
2012-11-15 17:51 - 2009-07-13 20:45 - 00021296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-15 17:51 - 2009-07-13 20:45 - 00021296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-15 17:43 - 2009-07-13 21:08 - 00032596 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-11-15 02:47 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2012-11-15 02:39 - 2012-11-15 02:39 - 00000000 ____D C:\Program Files (x86)\Belkin
2012-11-15 02:39 - 2012-05-21 05:05 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-11-14 15:17 - 2012-07-03 16:38 - 00000000 ____D C:\Users\dumm\Local Settings\Microsoft Games
2012-11-14 15:17 - 2012-07-03 16:38 - 00000000 ____D C:\Users\dumm\Local Settings\Application Data\Microsoft Games
2012-11-14 15:17 - 2012-07-03 16:38 - 00000000 ____D C:\Users\dumm\AppData\Local\Microsoft Games
2012-11-14 15:17 - 2012-06-13 06:58 - 00110752 ____A C:\Users\dumm\Local Settings\GDIPFONTCACHEV1.DAT
2012-11-14 15:17 - 2012-06-13 06:58 - 00110752 ____A C:\Users\dumm\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2012-11-14 15:17 - 2012-06-13 06:58 - 00110752 ____A C:\Users\dumm\AppData\Local\GDIPFONTCACHEV1.DAT
2012-11-14 15:08 - 2009-07-13 20:45 - 00416552 ____A C:\Windows\System32\FNTCACHE.DAT
2012-11-14 15:05 - 2012-06-24 09:22 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-11-14 15:05 - 2012-06-24 09:22 - 00000000 ____D C:\Users\All Users\Application Data\Microsoft Help
2012-11-14 14:56 - 2012-06-16 04:33 - 66395536 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-11-14 14:55 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\System
2012-11-14 14:55 - 2009-07-13 18:34 - 00000510 ____A C:\Windows\win.ini
2012-11-14 03:50 - 2012-11-14 03:50 - 01988047 ____A C:\Users\dumm\Desktop\Andrew Bogut High Fiving Himself.wmv
2012-11-14 03:48 - 2012-11-14 03:48 - 02615223 ____A C:\Users\dumm\Desktop\James Harden free throw high five, handshakes fail, funny.wmv
2012-11-11 08:10 - 2012-11-11 06:09 - 00009672 ____A C:\Users\dumm\Desktop\ap_chem_ch_1_10_exam.tst
2012-11-11 08:10 - 2012-09-09 10:37 - 00004258 ____A C:\Users\dumm\Application Data\evpro32.prf
2012-11-11 08:10 - 2012-09-09 10:37 - 00004258 ____A C:\Users\dumm\AppData\Roaming\evpro32.prf
2012-11-11 07:34 - 2012-11-11 07:34 - 00099817 ____A C:\Users\dumm\Desktop\natural_cure_spiritual_disease.txt
2012-11-11 06:55 - 2012-11-11 06:55 - 00001526 ____A C:\Users\dumm\Local Settings\PDLSetup.20121111.095545.txt
2012-11-11 06:55 - 2012-11-11 06:55 - 00001526 ____A C:\Users\dumm\Local Settings\Application Data\PDLSetup.20121111.095545.txt
2012-11-11 06:55 - 2012-11-11 06:55 - 00001526 ____A C:\Users\dumm\AppData\Local\PDLSetup.20121111.095545.txt
2012-11-11 05:15 - 2012-05-21 05:57 - 00000000 ____D C:\Program Files (x86)\McAfee
2012-11-11 05:15 - 2010-11-20 19:47 - 00026288 ____A C:\Windows\PFRO.log
2012-11-10 18:22 - 2012-10-28 09:15 - 00000000 ____D C:\Users\dumm\Application Data\Real
2012-11-10 18:22 - 2012-10-28 09:15 - 00000000 ____D C:\Users\dumm\AppData\Roaming\Real
2012-11-09 20:15 - 2012-11-09 20:15 - 00000000 ____D C:\Users\dumm\Desktop\simple_guide_to_life
2012-11-04 02:13 - 2012-05-21 05:26 - 00000000 ____D C:\Users\All Users\Skype
2012-11-04 02:13 - 2012-05-21 05:26 - 00000000 ____D C:\Users\All Users\Application Data\Skype
2012-11-03 08:01 - 2012-11-03 08:01 - 00386282 ____A C:\Users\dumm\Downloads\2012-miamidade-county-christian-voter-guides-candidate-endorsements-sample-ballot-election-recommendations
2012-11-01 02:08 - 2012-11-01 02:07 - 01993216 ____A C:\Users\dumm\Downloads\All-districts-11-12.xls
2012-11-01 02:06 - 2012-11-01 02:06 - 00064000 ____A C:\Users\dumm\Downloads\SchoolImprovementAllDistricts.xls
2012-10-29 12:18 - 2012-10-29 12:18 - 00000000 ____D C:\Users\dumm\Application Data\Apple Computer
2012-10-29 12:18 - 2012-10-29 12:18 - 00000000 ____D C:\Users\dumm\AppData\Roaming\Apple Computer
2012-10-28 14:48 - 2012-10-28 14:48 - 03399680 ____A C:\Users\dumm\Downloads\ch_6_ppt (1).ppt
2012-10-28 14:47 - 2012-10-28 14:47 - 03401728 ____A C:\Users\dumm\Downloads\ch_6_ppt.ppt
2012-10-28 09:40 - 2012-05-21 05:18 - 00000000 ____D C:\Users\All Users\Application Data\Adobe
2012-10-28 09:40 - 2012-05-21 05:18 - 00000000 ____D C:\Users\All Users\Adobe
2012-10-28 09:35 - 2012-10-28 09:35 - 00002021 ____A C:\Users\Public\Desktop\Adobe Reader XI.lnk
2012-10-28 09:35 - 2012-10-28 09:35 - 00002021 ____A C:\Users\All Users\Desktop\Adobe Reader XI.lnk
2012-10-28 09:35 - 2012-05-21 05:18 - 00000000 ____D C:\Program Files (x86)\Adobe
2012-10-28 09:31 - 2012-10-28 09:29 - 00000000 ____D C:\Program Files (x86)\LiveMath
2012-10-28 09:22 - 2012-10-28 09:21 - 00000000 ____D C:\Program Files (x86)\QuickTime
2012-10-28 09:21 - 2012-10-28 09:21 - 00000000 ____D C:\Users\dumm\Local Settings\Application Data\Apple
2012-10-28 09:21 - 2012-10-28 09:21 - 00000000 ____D C:\Users\dumm\Local Settings\Apple
2012-10-28 09:21 - 2012-10-28 09:21 - 00000000 ____D C:\Users\dumm\AppData\Local\Apple
2012-10-28 09:21 - 2012-10-28 09:21 - 00000000 ____D C:\Users\All Users\Application Data\Apple Computer
2012-10-28 09:21 - 2012-10-28 09:21 - 00000000 ____D C:\Users\All Users\Application Data\Apple
2012-10-28 09:21 - 2012-10-28 09:21 - 00000000 ____D C:\Users\All Users\Apple Computer
2012-10-28 09:21 - 2012-10-28 09:21 - 00000000 ____D C:\Users\All Users\Apple
2012-10-28 09:21 - 2012-10-28 09:21 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2012-10-28 09:16 - 2012-10-28 09:13 - 00000000 ____D C:\Users\All Users\Real
2012-10-28 09:16 - 2012-10-28 09:13 - 00000000 ____D C:\Users\All Users\Application Data\Real
2012-10-28 09:15 - 2012-10-28 09:15 - 00499712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
2012-10-28 09:15 - 2012-10-28 09:15 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2012-10-28 09:15 - 2012-10-28 09:15 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
2012-10-28 09:15 - 2012-10-28 09:15 - 00198864 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
2012-10-28 09:15 - 2012-10-28 09:15 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
2012-10-28 09:15 - 2012-10-28 09:15 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
2012-10-28 09:15 - 2012-10-28 09:15 - 00001270 ____A C:\Users\Public\Desktop\RealPlayer.lnk
2012-10-28 09:15 - 2012-10-28 09:15 - 00001270 ____A C:\Users\All Users\Desktop\RealPlayer.lnk
2012-10-28 09:15 - 2012-10-28 09:15 - 00000000 ____D C:\Program Files (x86)\Real
2012-10-27 08:54 - 2012-10-27 08:54 - 00002261 ____A C:\Users\dumm\Desktop\Google Chrome.lnk
2012-10-27 08:54 - 2012-06-15 06:52 - 00000000 ____D C:\Program Files (x86)\Google
2012-10-27 08:48 - 2012-10-27 08:48 - 00000000 ____D C:\Users\dumm\Local Settings\Deployment
2012-10-27 08:48 - 2012-10-27 08:48 - 00000000 ____D C:\Users\dumm\Local Settings\Application Data\Deployment
2012-10-27 08:48 - 2012-10-27 08:48 - 00000000 ____D C:\Users\dumm\AppData\Local\Deployment
2012-10-27 08:48 - 2012-10-27 08:48 - 00000000 ____D C:\Users\dumm\AppData\Local\Apps\2.0
2012-10-25 21:33 - 2012-10-20 19:51 - 00000000 ____D C:\Program Files\Google
2012-10-25 21:33 - 2012-05-21 05:57 - 00000000 ____D C:\Program Files\Common Files\mcafee
2012-10-25 17:58 - 2012-05-21 05:57 - 00000000 ____D C:\Users\All Users\McAfee
2012-10-25 17:58 - 2012-05-21 05:57 - 00000000 ____D C:\Users\All Users\Application Data\McAfee
2012-10-25 17:58 - 2012-05-21 05:57 - 00000000 ____D C:\Program Files\mcafee
2012-10-24 23:27 - 2012-06-15 06:52 - 00000000 ____D C:\Users\dumm\Local Settings\Google
2012-10-24 23:27 - 2012-06-15 06:52 - 00000000 ____D C:\Users\dumm\Local Settings\Application Data\Google
2012-10-24 23:27 - 2012-06-15 06:52 - 00000000 ____D C:\Users\dumm\AppData\Local\Google
2012-10-20 19:51 - 2012-05-21 04:45 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-10-20 19:51 - 2012-05-21 04:45 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-10-19 15:33 - 2012-10-19 15:33 - 00010538 ____A C:\Users\dumm\My Documents\prop222_extra_credit_rubric.xlsx
2012-10-19 15:33 - 2012-10-19 15:33 - 00010538 ____A C:\Users\dumm\Documents\prop222_extra_credit_rubric.xlsx

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-02 16:15:16
Restore point made on: 2012-11-06 17:59:21
Restore point made on: 2012-11-11 06:57:11
Restore point made on: 2012-11-14 02:43:32
Restore point made on: 2012-11-14 14:54:59
Restore point made on: 2012-11-15 02:38:51

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 6030.99 MB
Available physical RAM: 5324.65 MB
Total Pagefile: 6029.19 MB
Available Pagefile: 5323.46 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:679 GB) (Free:615.6 GB) NTFS
2 Drive d: (F7D1101v1) (CDROM) (Total:0.05 GB) (Free:0 GB) CDFS
3 Drive e: () (Removable) (Total:1.86 GB) (Free:1.81 GB) FAT
4 Drive f: (RECOVERY) (Fixed) (Total:19.53 GB) (Free:7.32 GB) NTFS ==>[System with boot components (obtained from reading drive)]
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 698 GB 2048 KB
Disk 1 Online 1907 MB 0 B
Disk 2 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 101 MB 31 KB
Partition 2 Primary 19 GB 104 MB
Partition 3 Primary 679 GB 19 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 FAT Partition 101 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 F RECOVERY NTFS Partition 19 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 679 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1907 MB 64 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E FAT Removable 1907 MB Healthy

=========================================================

Last Boot: 2012-11-16 04:17

==================== End Of Log =============================

#6 fireman4it


Posted 18 November 2012 - 07:06 PM

Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

HKU\dumm\...\Run: [Microsoft Updater] "C:\Users\dumm\AppData\Local\Temp\013b0bb216bb.exe" [218904 2012-11-16] (25r23 52)
HKU\dumm\...\Run: [Google] "xidpwooedd.exe" [x]

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.



Try and boot your machine into normal mode after you run this fix.



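The FRST log posted above ends with two integrity checks (the "Bamital & volsnap" MD5 check of winlogon, explorer, svchost and friends, and the .exe association check), and the fix in post #6 removes two Run-key entries. The script below is an added example, not code from the thread or from FRST, that parses exactly those kinds of log lines and flags what a responder would look at first: a target FRST could not find on disk ([x]), a bare file name that is resolved through the PATH search, a target under the user's profile or Temp directory, a hex-looking file name, and a value name that borrows a vendor's name while the publisher string does not match. The sample log is constructed from the lines quoted in the thread plus one invented benign entry (Adobe ARM) for contrast; the heuristics, flag names and function names are this example's own.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log lines.

Added example: this is not code from the thread or from FRST. It parses
three kinds of lines that appear in the log above (Run-key autoruns, the
"Bamital & volsnap" system-file check and the EXE association check) and
flags the entries an analyst should look at first. The heuristics are this
example's own; the sample log is constructed from lines quoted in the
thread plus one invented benign entry (Adobe ARM) for contrast.
"""
import re
from typing import Dict, List, Optional

# HKU\dumm\...\Run: [Microsoft Updater] "C:\...\013b0bb216bb.exe" [218904 2012-11-16] (25r23 52)
RUN_LINE = re.compile(r'^(?P<key>HK\w+\\.*?\\Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<rest>.*)$')
# "<command>" [<size> <date>] (<publisher>)   -- "[x]" means FRST found no such file
CMD_PART = re.compile(r'^"?(?P<cmd>[^"\[]+?)"?\s*(?:\[(?P<meta>[^\]]*)\])?\s*(?:\((?P<pub>[^)]*)\))?\s*$')
# C:\Windows\System32\winlogon.exe => MD5 is legit   /   HKLM\...\.exe: exefile => OK
CHECK_LINE = re.compile(r'^(?P<subject>.+?) => (?P<status>.+)$')

GOOD_STATUS = {"MD5 is legit", "OK"}
HEXLIKE = re.compile(r'^[0-9a-f]{8,}$', re.IGNORECASE)
# keyword in the value name -> word expected somewhere in the publisher string
VENDOR_WORDS = {"microsoft": "microsoft", "windows": "microsoft",
                "google": "google", "adobe": "adobe", "apple": "apple"}

# Constructed sample: two lines from the fixlist in post #6, one invented benign
# entry, and four lines from the check sections of the posted FRST log.
SAMPLE_LOG = r"""
HKU\dumm\...\Run: [Microsoft Updater] "C:\Users\dumm\AppData\Local\Temp\013b0bb216bb.exe" [218904 2012-11-16] (25r23 52)
HKU\dumm\...\Run: [Google] "xidpwooedd.exe" [x]
HKLM\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2012-01-03] (Adobe Systems Incorporated)
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\open\command: "%1" %* => OK
"""


def parse_run_entry(line: str) -> Optional[Dict[str, str]]:
    """Split an FRST Run-key line into key, value name, command, metadata, publisher."""
    m = RUN_LINE.match(line)
    if not m:
        return None
    p = CMD_PART.match(m.group("rest"))
    if not p:
        return None
    return {"key": m.group("key"), "name": m.group("name"),
            "cmd": p.group("cmd").strip(),
            "meta": (p.group("meta") or "").strip(),
            "publisher": (p.group("pub") or "").strip()}


def flag_run_entry(entry: Dict[str, str]) -> List[str]:
    """Return the heuristic flags that apply to one autorun entry (empty = looks benign)."""
    flags: List[str] = []
    cmd = entry["cmd"]
    low = cmd.lower()
    if entry["meta"].lower() == "x":
        flags.append("missing_file")            # FRST could not find the target on disk
    if "\\" not in cmd:
        flags.append("bare_filename")           # resolved via PATH search, no fixed location
    if "\\temp\\" in low or "\\appdata\\" in low:
        flags.append("runs_from_user_profile")  # soft signal: writable without admin rights
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if HEXLIKE.match(stem):
        flags.append("hexlike_name")            # e.g. 013b0bb216bb.exe
    name, pub = entry["name"].lower(), entry["publisher"].lower()
    for word, expected in VENDOR_WORDS.items():
        if word in name and expected not in pub:
            flags.append("vendor_name_mismatch")  # "Microsoft Updater" published by "25r23 52"
            break
    return flags


def check_status(line: str):
    """Parse a '<subject> => <status>' check line; None if the line is not one."""
    m = CHECK_LINE.match(line)
    if not m:
        return None
    status = m.group("status").strip()
    return m.group("subject").strip(), status, status in GOOD_STATUS


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return only the lines that need a human look, in log order."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = parse_run_entry(line)
        if entry is not None:
            flags = flag_run_entry(entry)
            if flags:
                findings.append({"kind": "autorun", "name": entry["name"],
                                 "subject": f'{entry["key"]} -> {entry["cmd"]}', "flags": flags})
            continue
        check = check_status(line)
        if check is not None and not check[2]:
            findings.append({"kind": "integrity", "name": check[0],
                             "subject": check[0], "flags": [check[1]]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'[{f["kind"]}] {f["subject"]}: {", ".join(f["flags"])}')
```

Run as-is it prints the two entries that the fixlist in post #6 deletes and nothing else; to use it on a saved FRST.txt, pass the file's text to triage(). The profile/Temp flag is deliberately a soft signal (legitimate updaters live under AppData too), which is why the output lists every flag per entry instead of a verdict: an entry that is simultaneously in Temp, hex-named and claiming to be Microsoft is the combination worth acting on.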
#7 chem_girl


Posted 18 November 2012 - 07:23 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-11-2012
Ran by SYSTEM at 2012-11-18 19:21:22 Run:1
Running from G:\

==============================================

HKEY_USERS\dumm\Software\Microsoft\Windows\CurrentVersion\Run\\Microsoft Updater Value deleted successfully.
HKEY_USERS\dumm\Software\Microsoft\Windows\CurrentVersion\Run\\Google Value deleted successfully.

==== End of Fixlog ====

#8 chem_girl


Posted 18 November 2012 - 07:25 PM

Thank you, but it appears I am still at a black screen. Restarted in normal mode; can't get to the Windows login screen.

#9 fireman4it


Posted 18 November 2012 - 11:15 PM

Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

Last Boot: 2012-11-16 04:17

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.


See if this lets you boot into Normal mode. It may let you boot but reinfect you. As long as you can boot we will clean the infection.



#10 chem_girl


Posted 19 November 2012 - 05:29 AM

Got it! I have logged in normally. Ready for the next step...

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-11-2012
Ran by SYSTEM at 2012-11-19 05:26:38 Run:2
Running from G:\

==============================================

DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====

#11 chem_girl


Posted 19 November 2012 - 05:30 AM

PS. I didn't get the FBI lock-down screen again, but I shut the computer down so it was not running while I waited for the next step.

#12 fireman4it


Posted 19 November 2012 - 06:23 PM

Hello,

1.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

2.
Download AdwCleaner
  • Double click on AdwCleaner.exe to run the tool.
    ***Note: Windows Vista and Windows 7 users:
    Right click on adwCleaner.exe and select [image]
  • Click the Search button.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your next reply.
  • Or you can find the logfile at C:\AdwCleaner[R1].txt.

Things to include in your next reply:
MBAM log
AdwCleaner log
How is your machine running now?



#13 chem_girl


Posted 19 November 2012 - 07:12 PM

Hello and thank you again. Here are the files requested. I fear I made a mistake in the directions. I ran everything as suggested, and then for some reason, my mind got away from me and after I ran the AdwCleaner, I saved the text file, then hit "Delete". I hope this has not changed anything from your instructions.

So far, my computer is working great!!! Is there something else I need to do or am I okay now?

Order of text files:
1. MBAM log
2. AdwCleaner log 1 (before delete)
3. AdwCleaner log (after delete and restart)

1. MBAM log
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.19.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
dumm :: DUMM_WORK [administrator]

19-Nov-12 18:47:27
mbam-log-2012-11-19 (18-47-27).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 208282
Time elapsed: 5 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\dumm\AppData\Local\Temp\013b0bb216bb.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

(end)

2. AdwCleaner log 1 (before delete)

# AdwCleaner v2.008 - Logfile created 11/19/2012 at 18:59:51
# Updated 17/11/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : dumm - DUMM_WORK
# Boot Mode : Normal
# Running from : C:\Users\dumm\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\user.js
Folder Found : C:\ProgramData\Babylon
Folder Found : C:\Users\dumm\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Folder Found : C:\Users\dumm\AppData\Local\Wajam
Folder Found : C:\Users\dumm\AppData\LocalLow\BabylonToolbar
Folder Found : C:\Users\dumm\AppData\Roaming\Babylon

***** [Registry] *****

Key Found : HKLM\Software\Babylon
Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Found : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\dumm\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1615 octets] - [19/11/2012 18:58:47]
AdwCleaner[R2].txt - [1546 octets] - [19/11/2012 18:59:51]

########## EOF - C:\AdwCleaner[R2].txt - [1606 octets] ##########

3. AdwCleaner (after delete and restart)
# AdwCleaner v2.008 - Logfile created 11/19/2012 at 19:00:39
# Updated 17/11/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : dumm - DUMM_WORK
# Boot Mode : Normal
# Running from : C:\Users\dumm\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\user.js
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\Users\dumm\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Folder Deleted : C:\Users\dumm\AppData\Local\Wajam
Folder Deleted : C:\Users\dumm\AppData\LocalLow\BabylonToolbar
Folder Deleted : C:\Users\dumm\AppData\Roaming\Babylon

***** [Registry] *****

Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\dumm\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1615 octets] - [19/11/2012 18:58:47]
AdwCleaner[R2].txt - [1675 octets] - [19/11/2012 18:59:51]
AdwCleaner[S1].txt - [1632 octets] - [19/11/2012 19:00:39]

########## EOF - C:\AdwCleaner[S1].txt - [1692 octets] ##########
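
The user ran AdwCleaner's Delete pass on their own, so the thread now holds a Search log and a Delete log that should agree with each other. The script below is an added example, not code from the thread or from AdwCleaner, that parses the "***** [Section] *****" headers and the "<Kind> Found : ..." / "<Kind> Deleted : ..." lines and reports anything the search run found that the delete run did not report as removed, plus the reverse case. The two sample logs are abbreviated versions of the logs posted above; the set of item kinds it recognises (Key, Value, File, Folder, Service) and the function names are this example's own assumptions about the log format.

```python
"""Reconcile an AdwCleaner "Search" log against the matching "Delete" log.

Added example, not part of the thread or of AdwCleaner. Findings are grouped
under "***** [Section] *****" headers as "<Kind> Found : <item>" in a search
run and "<Kind> Deleted : <item>" in a delete run; anything found but not
reported deleted is a leftover to chase, and anything deleted that was never
reported found deserves a second look before the log is called clean.
"""
import re
from typing import List, Set, Tuple

SECTION = re.compile(r'^\*{5} \[(?P<section>[^\]]+)\] \*{5}$')
# Item kinds seen in AdwCleaner 2.x logs; treating this list as complete is an assumption.
ITEM = re.compile(r'^(?P<kind>Key|Value|File|Folder|Service) (?P<action>Found|Deleted) : (?P<item>.+)$')

Finding = Tuple[str, str, str]  # (section, kind, item)

# Constructed sample input, abbreviated from the two logs posted in the thread.
SEARCH_LOG = r"""
# AdwCleaner v2.008 - Logfile created 11/19/2012 at 18:59:51
# Option [Search]

***** [Services] *****

***** [Files / Folders] *****

File Found : C:\user.js
Folder Found : C:\ProgramData\Babylon
Folder Found : C:\Users\dumm\AppData\Local\Wajam

***** [Registry] *****

Key Found : HKLM\Software\Babylon
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
"""

DELETE_LOG = r"""
# AdwCleaner v2.008 - Logfile created 11/19/2012 at 19:00:39
# Option [Delete]

***** [Files / Folders] *****

File Deleted : C:\user.js
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\Users\dumm\AppData\Local\Wajam

***** [Registry] *****

Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
"""


def parse_items(log_text: str, action: str) -> Set[Finding]:
    """Collect (section, kind, item) for every line whose action ("Found"/"Deleted") matches."""
    items: Set[Finding] = set()
    section = "?"
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM.match(line)
        if m and m.group("action") == action:
            items.add((section, m.group("kind"), m.group("item").strip()))
    return items


def leftovers(search_log: str, delete_log: str) -> List[Finding]:
    """Found by the search run but not reported deleted: still on the box."""
    return sorted(parse_items(search_log, "Found") - parse_items(delete_log, "Deleted"))


def unexpected_deletions(search_log: str, delete_log: str) -> List[Finding]:
    """Deleted without having been found first: review what was removed."""
    return sorted(parse_items(delete_log, "Deleted") - parse_items(search_log, "Found"))


if __name__ == "__main__":
    for section, kind, item in leftovers(SEARCH_LOG, DELETE_LOG):
        print(f"LEFTOVER   [{section}] {kind}: {item}")
    for section, kind, item in unexpected_deletions(SEARCH_LOG, DELETE_LOG):
        print(f"UNEXPECTED [{section}] {kind}: {item}")
```

On the sample pair both lists are empty, which is the result the moderator would want to see before asking "how is your machine running now"; on a real pair, feed it the text of AdwCleaner[R1].txt and AdwCleaner[S1].txt. The set difference is keyed on section, kind and the exact item string, so a path that was found in one section and deleted under another shows up in both lists rather than silently cancelling out.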

#14 fireman4it


Posted 19 November 2012 - 08:28 PM

How is your machine running now?



#15 chem_girl


Posted 19 November 2012 - 08:32 PM

Brilliantly! Thank you so much!



