
FBI Moneypack Virus - Infected even in safe mode


This topic is locked
23 replies to this topic

#1 gsms123


Posted 28 December 2012 - 10:05 PM

Hi - I am running a win 7 OS and am infected with the FBI moneypack virus. It is not allowing me to enter either 'safe mode' or 'safe mode w/ networking' or 'safe mode with command prompt'.

When I log in to the computer using a different user I don't have this issue.

Can you please help?

Edited by gsms123, 29 December 2012 - 12:25 PM.



#2 Guest_White Warrior_*


Posted 31 December 2012 - 12:38 PM

Hi gsms123

I will be handling your log to help you get cleaned up. Please give me some time to do up a fix and I will get back to you as soon as possible.

White Warrior

#3 gsms123


Posted 31 December 2012 - 01:30 PM

Thank you for looking into this White Warrior. I will wait for further instructions from you on what steps you want me to take and what logs I need to provide for investigation.

Thanks.

#4 Guest_White Warrior_*


Posted 31 December 2012 - 05:16 PM

Hi gsms123

To start you will need access to another computer and a USB flash or CD drive.

Please download Farbar Recovery Scan Tool and save it to a flash drive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

White Warrior

#5 gsms123


Posted 31 December 2012 - 05:39 PM

Here is the file White Warrior:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-12-2012
Ran by SYSTEM at 31-12-2012 14:37:14
Running from F:\
Windows 7 Enterprise (X86) OS Language: English(US)
The current controlset is ControlSet002

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey [136512 2009-08-25] (McAfee, Inc.)
HKLM\...\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE [124224 2010-03-25] (McAfee, Inc.)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1725736 2010-04-23] (Synaptics Incorporated)
HKLM\...\Run: [RotateImage] C:\Program Files\Integrated Camera Driver\RCIMGDIR.exe [31744 2008-10-30] (Ricoh co.,Ltd.)
HKLM\...\Run: [ForteConfig] C:\Program Files\Conexant\ForteConfig\fmapp.exe [49568 2010-10-26] ()
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [316032 2011-03-14] (Conexant systems, Inc.)
HKLM\...\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor [1258856 2011-04-19] (Lenovo Group Limited)
HKLM\...\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [79192 2011-02-18] (Research In Motion Limited)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)
HKLM\...\Run: [NUSB3MON] "C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-11-17] (Renesas Electronics Corporation)
HKLM\...\Run: [ArcSoft MediaImpression Monitor] C:\Program Files\Kodak\MediaImpression\ArcMonitor.exe [73728 2010-11-12] (ArcSoft, Inc.)
HKLM\...\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking11\Ereg.ini" [380 2012-12-28] ()
HKLM\...\Run: [NBAgent] "C:\Program Files\Nero\Nero 11\Nero BackItUp\NBAgent.exe" /WinStart [1485096 2011-07-15] (Nero AG)
HKLM\...\Run: [IndexSearch] "C:\Program Files\Nuance\PaperPort\IndexSearch.exe" [46368 2010-03-08] (Nuance Communications, Inc.)
HKLM\...\Run: [PaperPort PTD] "C:\Program Files\Nuance\PaperPort\pptd40nt.exe" [29984 2010-03-08] (Nuance Communications, Inc.)
HKLM\...\Run: [PPort12reminder] "C:\Program Files\Nuance\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\12\Config\Ereg\Ereg.ini" [375 2012-12-28] ()
HKLM\...\Run: [PDFHook] C:\Program Files\Nuance\PDF Viewer Plus\pdfpro5hook.exe [636192 2010-03-05] (Nuance Communications, Inc.)
HKLM\...\Run: [PDF5 Registry Controller] C:\Program Files\Nuance\PDF Viewer Plus\RegistryController.exe [62752 2010-03-05] (Nuance Communications, Inc.)
HKLM\...\Run: [ControlCenter4] C:\Program Files\ControlCenter4\BrCcBoot.exe /autorun [139264 2011-04-20] (Brother Industries, Ltd.)
HKLM\...\Run: [BrStsMon00] C:\Program Files\Browny02\Brother\BrStMonW.exe /AUTORUN [2629632 2011-05-19] (Brother Industries, Ltd.)
HKLM\...\Run: [IJNetworkScannerSelectorEX] C:\Program Files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe /FORCE [452016 2010-09-09] (CANON INC.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [x]
HKU\102644\...\Run: [WordWeb] "C:\Program Files\WordWeb\wweb32.exe" -startup [65216 2009-11-08] (WordWeb Software)
HKU\102644\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)
HKU\102644\...\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [222496 2011-06-05] (Acresso Corporation)
HKU\102644\...\Run: [uhhcskwy] C:\ProgramData\_bd_uylzs [x]
HKU\102644\...\Policies\system: [DisableTaskMgr] 1
HKU\ctsuser1\...\Run: [WordWeb] "C:\Program Files\WordWeb\wweb32.exe" -startup [65216 2009-11-08] (WordWeb Software)
HKU\ctsuser1\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)
HKU\ctsuser1\...\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [222496 2011-06-05] (Acresso Corporation)
HKU\ctsuser1\...\Run: [uhhcskwy] C:\Users\ctsuser1\AppData\Roaming\_bd_uylzs [x]
HKLM\...\Winlogon: [Shell] explorer.exe, C:\ProgramData\_bd_uylzs [x ] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
AppInit_DLLs: C:\PROGRA~2\Wincert\WIN32C~1.DLL
Startup: C:\Users\102644\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
Startup: C:\Users\102644\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)

==================== Services (Whitelisted) ===================

2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
3 BrYNSvc; "C:\Program Files\Browny02\BrYNSvc.exe" [245760 2010-01-25] (Brother Industries, Ltd.)
2 CcmExec; C:\Windows\system32\CCM\CcmExec.exe [764768 2009-09-18] (Microsoft Corporation)
2 CVPND; "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" [1516584 2007-04-03] (Cisco Systems, Inc.)
2 CxAudMsg; C:\Windows\system32\CxAudMsg32.exe [190592 2010-12-17] (Conexant Systems Inc.)
2 DragonSvc; C:\Program Files\Common Files\Nuance\dgnsvc.exe [296808 2011-06-05] (Nuance Communications, Inc.)
2 HFGService; C:\Windows\System32\HFGService.dll [413696 2009-12-21] (CSR, plc)
2 HyperW7Svc; C:\Program Files\Lenovo\RapidBoot\HyperW7Svc.exe [107880 2010-12-03] (Lenovo Group Limited)
2 jhi_service; C:\Program Files\Intel\Services\IPT\jhi_service.exe [210896 2011-02-07] (Intel Corporation)
2 LENOVO.MICMUTE; C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe [101736 2011-07-12] (Lenovo Group Limited)
2 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [127336 2011-07-12] (Lenovo Group Limited)
2 McAfeeEngineService; "C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe" [22816 2010-03-25] (McAfee, Inc.)
2 McAfeeFramework; "C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart [103744 2009-08-25] (McAfee, Inc.)
2 McShield; "C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe" [147472 2010-03-25] (McAfee, Inc.)
2 McTaskManager; "C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe" [66880 2010-03-25] (McAfee, Inc.)
2 mfevtp; C:\Windows\system32\mfevtps.exe [70728 2010-03-25] (McAfee, Inc.)
2 NAUpdate; "C:\Program Files\Nero\Update\NASvc.exe" [687400 2011-11-25] (Nero AG)
2 PDFProFiltSrvPP; C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe [144672 2010-03-08] (Nuance Communications, Inc.)
2 PwmEWSvc; C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE [143360 2011-04-19] ()
2 SAService; C:\Windows\System32\SAsrv.exe [446592 2011-03-14] (Conexant Systems, Inc.)
2 Secunia PSI Agent; "C:\Program Files\Secunia\PSI\PSIA.exe" --start-service [1225312 2012-11-26] (Secunia)
3 smstsmgr; C:\Windows\system32\CCM\TSManager.exe /service [246624 2009-09-18] (Microsoft Corporation)
2 SUService; "C:\Program Files\Lenovo\System Update\SUService.exe" [28672 2011-04-18] (Lenovo Group Limited)
2 TPHKLOAD; C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe [131432 2011-07-12] (Lenovo Group Limited)

==================== Drivers (Whitelisted) ====================

1 A2DDA; \??\C:\Emissoft\Run\a2ddax86.sys [17904 2012-12-29] (Emsi Software GmbH)
3 Afc; C:\Windows\System32\drivers\Afc.sys [18688 2006-11-10] (Arcsoft, Inc.)
3 BthAudioHF; C:\Windows\System32\DRIVERS\BthAudioHF.sys [43008 2009-12-21] (CSR, plc)
3 bthav; C:\Windows\System32\drivers\bthav.sys [34816 2008-07-10] (CSR, plc)
3 BthAvrcp; C:\Windows\System32\DRIVERS\BthAvrcp.sys [22528 2009-08-13] (CSR, plc)
3 btmhsf; C:\Windows\System32\DRIVERS\btmhsf.sys [225280 2011-07-19] (Intel Corporation)
3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5275 2007-01-18] (Cisco Systems, Inc.)
2 CVPNDRVA; \??\C:\Windows\system32\Drivers\CVPNDRVA.sys [306295 2007-04-03] (Cisco Systems, Inc.)
3 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [127376 2007-01-31] (Deterministic Networks, Inc.)
3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [238760 2010-12-20] (Intel Corporation)
3 iBtFltCoex; C:\Windows\System32\DRIVERS\iBtFltCoex.sys [47104 2011-07-20] (Intel Corporation)
3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41088 2010-10-19] (Intel Corporation)
3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [75704 2010-03-25] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [91832 2010-03-25] (McAfee, Inc.)
3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [43288 2010-03-25] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [343920 2010-03-25] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [66600 2010-03-25] (McAfee, Inc.)
1 mfetdik; C:\Windows\System32\drivers\mfetdik.sys [64208 2010-03-25] (McAfee, Inc.)
3 NETwNs32; C:\Windows\System32\DRIVERS\NETwNs32.sys [6814720 2010-07-14] (Intel Corporation)
1 PHCORE; \??\C:\Program Files\Lenovo\RapidBoot\PHCORE.SYS [33640 2010-12-03] (Lenovo Group Limited)
3 prepdrvr; \??\C:\Windows\system32\CCM\prepdrv.sys [20848 2009-09-18] (Microsoft Corporation)
3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)
2 risdxc; C:\Windows\System32\DRIVERS\risdxc86.sys [75264 2011-03-23] (REDC)
3 rixdpcie; C:\Windows\system32\DRIVERS\rixdpe86.sys [38912 2009-09-28] (REDC)
3 SWI32; \??\C:\Program Files\Lenovo\System Update\tvsuhd32.sys [28992 2011-05-31] (Lenovo Group Limited)
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-12-31 14:30 - 2012-12-31 14:30 - 00008212 ____A C:\Windows\mfebcdata
2012-12-28 20:06 - 2012-12-28 20:06 - 00005380 ____A C:\Windows\System32\PerfStringBackup.TMP
2012-12-28 20:05 - 2012-12-28 20:05 - 00000000 ____D C:\Users\ctsuser1\AppData\Local\Adobe
2012-12-28 19:56 - 2012-12-28 19:56 - 00000000 ____D C:\Users\ctsuser1\AppData\Local\Secunia PSI
2012-12-28 19:53 - 2012-12-28 19:53 - 00000000 ____D C:\Users\ctsuser1\AppData\Roaming\FLEXnet
2012-12-28 19:53 - 2012-12-28 19:53 - 00000000 ____D C:\Users\ctsuser1\AppData\Roaming\ControlCenter4
2012-12-28 19:53 - 2012-12-28 19:53 - 00000000 ____D C:\Users\ctsuser1\AppData\Roaming\ArcSoft
2012-12-28 19:53 - 2012-12-28 19:53 - 00000000 ____D C:\Users\ctsuser1\AppData\Roaming\Apple Computer
2012-12-28 19:53 - 2012-12-28 19:53 - 00000000 ____D C:\Users\ctsuser1\AppData\Local\ArcSoft
2012-12-28 19:52 - 2012-12-28 19:52 - 00171520 ____A (Extensys Co. Ltd.) C:\Users\ctsuser1\AppData\Roaming\_bd_uylzs.exe
2012-12-28 19:52 - 2012-12-28 19:52 - 00171520 ____A (Extensys Co. Ltd.) C:\Users\ctsuser1\AppData\Local\_bd_uylzs.exe
2012-12-28 19:50 - 2012-12-28 19:50 - 311653918 ____A C:\Windows\MEMORY.DMP
2012-12-28 19:50 - 2012-12-28 19:50 - 00131072 ____A C:\Windows\Minidump\122812-14352-01.dmp
2012-12-28 17:53 - 2012-12-28 17:53 - 00000286 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{94FF1846-78A9-499C-A358-DB873F607D6F}.job
2012-12-28 17:34 - 2012-12-28 17:34 - 00000020 __ASH C:\Users\ctsuser\ntuser.ini
2012-12-28 17:34 - 2012-02-08 03:03 - 00000000 ____D C:\Users\ctsuser\AppData\Local\Microsoft Help
2012-12-28 17:34 - 2011-01-20 00:34 - 00000000 ____D C:\Users\ctsuser\AppData\Roaming\Macromedia
2012-12-28 17:19 - 2012-12-28 17:20 - 00000000 ____D C:\Emissoft
2012-12-28 15:25 - 2012-12-28 15:25 - 00000000 ____D C:\Users\102644\AppData\Local\Secunia PSI
2012-12-28 15:25 - 2012-12-28 15:25 - 00000000 ____D C:\Program Files\Secunia
2012-12-28 15:24 - 2012-12-28 15:24 - 03137416 ____A (Secunia) C:\Users\102644\Downloads\PSISetup.exe
2012-12-28 15:20 - 2012-12-28 17:19 - 255294556 ____A C:\Users\102644\Downloads\EmsisoftEmergencyKit.zip
2012-12-28 15:01 - 2012-12-28 19:54 - 00010698 ____A C:\Windows\WindowsUpdate.log
2012-12-28 14:58 - 2012-12-31 14:33 - 00000728 ____A C:\Windows\setupact.log
2012-12-28 14:58 - 2012-12-28 14:58 - 00000000 ____A C:\Windows\setuperr.log
2012-12-28 14:38 - 2012-12-28 17:30 - 00171520 ____A (Extensys Co. Ltd.) C:\Users\102644\AppData\Roaming\_bd_uylzs.exe
2012-12-28 14:36 - 2012-12-28 18:39 - 00171520 ____A (Extensys Co. Ltd.) C:\Users\All Users\_bd_uylzs.exe
2012-12-28 14:36 - 2012-12-28 18:36 - 00171520 ____A (Extensys Co. Ltd.) C:\Users\102644\AppData\Local\_bd_uylzs.exe
2012-12-28 12:25 - 2012-12-28 12:25 - 00000000 __HDC C:\Users\All Users\{C296F8FF-A964-4BB7-814C-2DE7755A03C9}
2012-12-28 12:25 - 2012-12-28 12:25 - 00000000 ____D C:\Users\All Users\Wincert
2012-12-28 12:25 - 2012-12-28 12:25 - 00000000 ____D C:\Program Files\SavevidPlug-in
2012-12-28 09:02 - 2012-12-28 09:02 - 00002473 ____A C:\Users\102644\Desktop\GoToMeeting Quick Connect.lnk
2012-12-21 10:03 - 2012-12-16 06:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-21 10:03 - 2012-12-16 06:13 - 00034304 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-18 12:37 - 2012-12-18 12:23 - 10626816 ____A C:\Users\102644\Desktop\db_17_0.zip
2012-12-17 09:44 - 2012-12-17 09:51 - 00000000 ____D C:\Windows\rescache
2012-12-14 07:51 - 2012-12-14 07:51 - 00001760 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-12-14 07:49 - 2012-12-14 07:51 - 00000000 ____D C:\Users\All Users\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-12-14 07:49 - 2012-12-14 07:51 - 00000000 ____D C:\Program Files\iTunes
2012-12-14 07:49 - 2012-12-14 07:49 - 00000000 ____D C:\Program Files\iPod
2012-12-12 00:18 - 2012-11-13 18:14 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-12-12 00:18 - 2012-11-13 18:09 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-12-12 00:18 - 2012-11-13 17:58 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-12-12 00:18 - 2012-11-13 17:57 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-12-12 00:18 - 2012-11-13 17:57 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-12-12 00:18 - 2012-11-13 17:55 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-12-12 00:18 - 2012-11-13 17:51 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-12-12 00:18 - 2012-11-13 17:49 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-12-12 00:18 - 2012-11-13 17:49 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-12-12 00:18 - 2012-11-13 17:48 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-12-12 00:18 - 2012-11-13 17:47 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-12-12 00:18 - 2012-11-13 17:46 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-12-12 00:18 - 2012-11-13 17:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-12-12 00:18 - 2012-11-13 17:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-12-12 00:18 - 2012-11-13 17:41 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-12-12 00:17 - 2012-11-13 18:48 - 12320256 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-12-11 20:45 - 2012-11-21 18:56 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-12-11 20:44 - 2012-10-04 08:47 - 00169984 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2012-12-11 20:44 - 2012-10-04 08:43 - 00868352 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2012-12-11 20:44 - 2012-10-04 08:43 - 00293376 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2012-12-11 20:44 - 2012-10-04 06:57 - 00271360 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2012-12-11 20:43 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2012-12-11 20:43 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2012-12-11 20:43 - 2012-10-04 06:41 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2012-12-11 20:43 - 2012-10-04 06:41 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2012-12-11 20:43 - 2012-10-04 06:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2012-12-11 20:43 - 2012-10-04 06:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2012-12-11 20:42 - 2012-11-01 21:11 - 00376832 ____A (Microsoft Corporation) C:\Windows\System32\dpnet.dll
2012-12-11 20:38 - 2012-11-08 20:42 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-12-07 12:39 - 2012-12-07 12:50 - 00016388 ____A C:\Users\102644\Desktop\Key Target Account Update w Follow Up Activities 12 03.xlsx
2012-12-07 11:07 - 2012-12-18 11:05 - 00004096 ___AH C:\Users\102644\AppData\Local\keyfile3.drm
2012-12-04 06:44 - 2012-12-04 06:44 - 00000127 ____A C:\Windows\System32\MRT.INI
2012-12-03 21:03 - 2012-12-03 21:07 - 23082677 ____A (Macrovision Corporation) C:\Users\102644\Desktop\everestclient.exe
2012-12-03 09:59 - 2012-12-03 10:00 - 00048640 ____A C:\Users\102644\Desktop\Important information regarding the upcoming 2013 Budgeting Cycle.msg


==================== One Month Modified Files and Folders ========

2012-12-31 14:37 - 2012-12-31 14:37 - 00000000 ____D C:\FRST
2012-12-31 14:33 - 2012-12-28 14:58 - 00000728 ____A C:\Windows\setupact.log
2012-12-31 14:33 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-12-31 14:30 - 2012-12-31 14:30 - 00008212 ____A C:\Windows\mfebcdata
2012-12-28 20:06 - 2012-12-28 20:06 - 00005380 ____A C:\Windows\System32\PerfStringBackup.TMP
2012-12-28 20:05 - 2012-12-28 20:05 - 00000000 ____D C:\Users\ctsuser1\AppData\Local\Adobe
2012-12-28 20:05 - 2011-05-14 02:49 - 00000000 ____D C:\Users\ctsuser1\AppData\Roaming\Adobe
2012-12-28 20:00 - 2011-01-19 23:56 - 00729044 ____A C:\Windows\System32\PerfStringBackup.INI
2012-12-28 19:58 - 2009-07-13 20:34 - 00015152 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-12-28 19:58 - 2009-07-13 20:34 - 00015152 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-12-28 19:56 - 2012-12-28 19:56 - 00000000 ____D C:\Users\ctsuser1\AppData\Local\Secunia PSI
2012-12-28 19:54 - 2012-12-28 15:01 - 00010698 ____A C:\Windows\WindowsUpdate.log
2012-12-28 19:53 - 2012-12-28 19:53 - 00000000 ____D C:\Users\ctsuser1\AppData\Roaming\FLEXnet
2012-12-28 19:53 - 2012-12-28 19:53 - 00000000 ____D C:\Users\ctsuser1\AppData\Roaming\ControlCenter4
2012-12-28 19:53 - 2012-12-28 19:53 - 00000000 ____D C:\Users\ctsuser1\AppData\Roaming\ArcSoft
2012-12-28 19:53 - 2012-12-28 19:53 - 00000000 ____D C:\Users\ctsuser1\AppData\Roaming\Apple Computer
2012-12-28 19:53 - 2012-12-28 19:53 - 00000000 ____D C:\Users\ctsuser1\AppData\Local\ArcSoft
2012-12-28 19:52 - 2012-12-28 19:52 - 00171520 ____A (Extensys Co. Ltd.) C:\Users\ctsuser1\AppData\Roaming\_bd_uylzs.exe
2012-12-28 19:52 - 2012-12-28 19:52 - 00171520 ____A (Extensys Co. Ltd.) C:\Users\ctsuser1\AppData\Local\_bd_uylzs.exe
2012-12-28 19:52 - 2011-07-22 19:35 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-12-28 19:50 - 2012-12-28 19:50 - 311653918 ____A C:\Windows\MEMORY.DMP
2012-12-28 19:50 - 2012-12-28 19:50 - 00131072 ____A C:\Windows\Minidump\122812-14352-01.dmp
2012-12-28 19:50 - 2012-05-05 21:06 - 00000000 ____D C:\Windows\Minidump
2012-12-28 18:45 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\LogFiles
2012-12-28 18:39 - 2012-12-28 14:36 - 00171520 ____A (Extensys Co. Ltd.) C:\Users\All Users\_bd_uylzs.exe
2012-12-28 18:36 - 2012-12-28 14:36 - 00171520 ____A (Extensys Co. Ltd.) C:\Users\102644\AppData\Local\_bd_uylzs.exe
2012-12-28 17:53 - 2012-12-28 17:53 - 00000286 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{94FF1846-78A9-499C-A358-DB873F607D6F}.job
2012-12-28 17:37 - 2011-05-14 03:14 - 00110144 ____A C:\Users\ctsuser1\AppData\Local\GDIPFONTCACHEV1.DAT
2012-12-28 17:34 - 2012-12-28 17:34 - 00000020 __ASH C:\Users\ctsuser\ntuser.ini
2012-12-28 17:30 - 2012-12-28 14:38 - 00171520 ____A (Extensys Co. Ltd.) C:\Users\102644\AppData\Roaming\_bd_uylzs.exe
2012-12-28 17:20 - 2012-12-28 17:19 - 00000000 ____D C:\Emissoft
2012-12-28 17:19 - 2012-12-28 15:20 - 255294556 ____A C:\Users\102644\Downloads\EmsisoftEmergencyKit.zip
2012-12-28 15:25 - 2012-12-28 15:25 - 00000000 ____D C:\Users\102644\AppData\Local\Secunia PSI
2012-12-28 15:25 - 2012-12-28 15:25 - 00000000 ____D C:\Program Files\Secunia
2012-12-28 15:24 - 2012-12-28 15:24 - 03137416 ____A (Secunia) C:\Users\102644\Downloads\PSISetup.exe
2012-12-28 15:12 - 2012-01-10 14:12 - 00000000 ___RD C:\Users\102644\Dropbox
2012-12-28 15:12 - 2012-01-10 14:10 - 00000000 ____D C:\Users\102644\AppData\Roaming\Dropbox
2012-12-28 14:58 - 2012-12-28 14:58 - 00000000 ____A C:\Windows\setuperr.log
2012-12-28 14:51 - 2012-09-20 17:56 - 00001074 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-12-28 14:51 - 2012-09-20 17:56 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-12-28 14:49 - 2011-05-28 21:05 - 00000000 ____D C:\Users\102644\AppData\Roaming\uTorrent
2012-12-28 14:41 - 2011-10-30 21:18 - 00000466 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
2012-12-28 14:28 - 2011-08-25 16:55 - 214221824 ____A C:\Users\102644\Documents\102644-archive.pst
2012-12-28 14:28 - 2008-05-08 06:09 - 2665874432 ____A C:\Users\102644\Documents\Pre-102644.pst
2012-12-28 14:20 - 2011-07-22 19:35 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-12-28 14:03 - 2012-06-07 18:29 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-12-28 12:35 - 2011-10-16 10:47 - 00000000 ____D C:\Users\102644\AppData\Roaming\vlc
2012-12-28 12:25 - 2012-12-28 12:25 - 00000000 __HDC C:\Users\All Users\{C296F8FF-A964-4BB7-814C-2DE7755A03C9}
2012-12-28 12:25 - 2012-12-28 12:25 - 00000000 ____D C:\Users\All Users\Wincert
2012-12-28 12:25 - 2012-12-28 12:25 - 00000000 ____D C:\Program Files\SavevidPlug-in
2012-12-28 09:02 - 2012-12-28 09:02 - 00002473 ____A C:\Users\102644\Desktop\GoToMeeting Quick Connect.lnk
2012-12-27 14:41 - 2011-05-25 18:27 - 00000000 ____D C:\Users\102644\AppData\Local\CutePDF Writer
2012-12-26 17:15 - 2011-05-17 05:11 - 00000000 ____D C:\Program Files\Opera
2012-12-21 17:07 - 2011-10-30 21:18 - 00000528 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2012-12-21 17:07 - 2009-07-13 20:33 - 00414696 ____A C:\Windows\System32\FNTCACHE.DAT
2012-12-18 21:43 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\System32\FxsTmp
2012-12-18 21:42 - 2012-10-12 19:52 - 00000822 ____A C:\Windows\System32\Drivers\etc\hosts.bak
2012-12-18 12:23 - 2012-12-18 12:37 - 10626816 ____A C:\Users\102644\Desktop\db_17_0.zip
2012-12-18 11:46 - 2009-03-25 19:48 - 00000000 ____D C:\Users\102644\Documents\Expenses Reports
2012-12-18 11:05 - 2012-12-07 11:07 - 00004096 ___AH C:\Users\102644\AppData\Local\keyfile3.drm
2012-12-18 07:31 - 2011-05-16 10:29 - 00000000 ____D C:\Users\102644\Tracing
2012-12-17 09:51 - 2012-12-17 09:44 - 00000000 ____D C:\Windows\rescache
2012-12-16 06:13 - 2012-12-21 10:03 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-16 06:13 - 2012-12-21 10:03 - 00034304 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-14 16:49 - 2012-09-20 17:56 - 00021104 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-12-14 07:51 - 2012-12-14 07:51 - 00001760 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-12-14 07:51 - 2012-12-14 07:49 - 00000000 ____D C:\Users\All Users\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-12-14 07:51 - 2012-12-14 07:49 - 00000000 ____D C:\Program Files\iTunes
2012-12-14 07:49 - 2012-12-14 07:49 - 00000000 ____D C:\Program Files\iPod
2012-12-14 07:49 - 2011-06-21 21:34 - 00000000 ____D C:\Program Files\Common Files\Apple
2012-12-14 07:42 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2012-12-13 23:16 - 2011-09-21 07:44 - 00000000 ____D C:\Users\102644\Documents\PC_MS
2012-12-12 09:20 - 2012-03-28 10:19 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-12-12 09:20 - 2011-05-30 21:55 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-12-12 03:35 - 2009-06-17 07:36 - 4074423296 ____A C:\Users\102644\Documents\Pre-102644-PreCP-Pre2009.pst
2012-12-12 00:19 - 2011-01-19 23:57 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-12-12 00:15 - 2012-02-29 14:15 - 00000039 ____A C:\Windows\vbaddin.ini
2012-12-12 00:03 - 2011-01-20 01:34 - 65087872 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-12-09 21:55 - 2008-05-08 07:30 - 00000000 ____D C:\Users\102644\Documents\Vans
2012-12-09 21:53 - 2011-07-12 10:01 - 00000000 ____D C:\QUARANTINE
2012-12-07 12:50 - 2012-12-07 12:39 - 00016388 ____A C:\Users\102644\Desktop\Key Target Account Update w Follow Up Activities 12 03.xlsx
2012-12-04 06:50 - 2012-10-26 21:10 - 00000000 ____D C:\Users\102644\AppData\Local\Apps\Apple Computer
2012-12-04 06:44 - 2012-12-04 06:44 - 00000127 ____A C:\Windows\System32\MRT.INI
2012-12-03 21:07 - 2012-12-03 21:03 - 23082677 ____A (Macrovision Corporation) C:\Users\102644\Desktop\everestclient.exe
2012-12-03 10:00 - 2012-12-03 09:59 - 00048640 ____A C:\Users\102644\Desktop\Important information regarding the upcoming 2013 Budgeting Cycle.msg

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 3983.23 MB
Available physical RAM: 3459.9 MB
Total Pagefile: 3981.51 MB
Available Pagefile: 3460.94 MB
Total Virtual: 2047.88 MB
Available Virtual: 1960.7 MB

==================== Partitions =============================

1 Drive c: (Windows) (Fixed) (Total:297.89 GB) (Free:6.53 GB) NTFS
3 Drive f: () (Removable) (Total:1.88 GB) (Free:1.88 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.2 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 1928 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 200 MB 1024 KB
Partition 2 Primary 297 GB 201 MB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 200 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Windows NTFS Partition 297 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 1928 MB 0 B

=========================================================

Disk: 1
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

=========================================================

Last Boot: 2012-12-26 09:04

==================== End Of Log ============================

Edited by gsms123, 31 December 2012 - 05:47 PM.


#6 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests

Posted 01 January 2013 - 06:32 AM

Hi gsms123

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKU\ctsuser1\...\Run: [uhhcskwy] C:\Users\ctsuser1\AppData\Roaming\_bd_uylzs [x]
HKU\102644\...\Run: [uhhcskwy] C:\ProgramData\_bd_uylzs [x]
HKU\102644\...\Policies\system: [DisableTaskMgr] 1
HKLM\...\Winlogon: [Shell] explorer.exe, C:\ProgramData\_bd_uylzs [x ] ()
File: C:\Users\ctsuser1\AppData\Roaming\_bd_uylzs.exe
File: C:\Users\ctsuser1\AppData\Local\_bd_uylzs.exe
File: C:\Users\102644\AppData\Roaming\_bd_uylzs.exe
File: C:\Users\All Users\_bd_uylzs.exe
2012-12-28 19:52 - 2012-12-28 19:52 - 00171520 ____A (Extensys Co. Ltd.) C:\Users\ctsuser1\AppData\Roaming\_bd_uylzs.exe
2012-12-28 19:52 - 2012-12-28 19:52 - 00171520 ____A (Extensys Co. Ltd.) C:\Users\ctsuser1\AppData\Local\_bd_uylzs.exe
2012-12-28 14:38 - 2012-12-28 17:30 - 00171520 ____A (Extensys Co. Ltd.) C:\Users\102644\AppData\Roaming\_bd_uylzs.exe
2012-12-28 14:36 - 2012-12-28 18:39 - 00171520 ____A (Extensys Co. Ltd.) C:\Users\All Users\_bd_uylzs.exe
end

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Let me know if you can boot into windows now.

White Warrior.
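
The fixlist above targets three persistence points that FRST reported for this infection: a per-user Run value under each affected HKU profile, a machine-wide Winlogon Shell value that was changed from plain explorer.exe to launch a second program from C:\ProgramData, and a per-user DisableTaskMgr policy that stops the user from killing the lock screen. As an added example for readers triaging their own FRST output (this is not code from the thread and not part of FRST itself), here is a small Python script that scans FRST-style registry lines for exactly those indicators and reports whether each one is scoped to a single user profile (HKU) or to every account (HKLM). The sample lines are constructed from the fixlist in this post plus two hypothetical benign entries so that the clean case is shown as well; the loader-path heuristics (AppData, ProgramData, All Users, Temp) are the script's own assumption, not an FRST rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: FRST-style registry lines modelled on the fixlist
# posted in this thread, plus two hypothetical benign entries (the Synaptics Run
# value and the clean Winlogon Shell) to show what must NOT be flagged.
SAMPLE_LOG = r"""
HKU\ctsuser1\...\Run: [uhhcskwy] C:\Users\ctsuser1\AppData\Roaming\_bd_uylzs [x]
HKU\102644\...\Run: [uhhcskwy] C:\ProgramData\_bd_uylzs [x]
HKU\102644\...\Policies\system: [DisableTaskMgr] 1
HKLM\...\Winlogon: [Shell] explorer.exe, C:\ProgramData\_bd_uylzs [x ] ()
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1725736 2010-04-23] (Synaptics Incorporated)
HKLM\...\Winlogon: [Shell] explorer.exe
"""

# One FRST registry line: <hive>\...\<key>: [<value name>] <data> [size date] (company)
LINE_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<value>.*)$"
)
# Trailing "[x]", "[size date]" and "(company)" annotations that FRST appends to the data.
TRAILER_RE = re.compile(r"(\s*(\[[^\]]*\]|\([^)]*\)))+\s*$")

# Assumed heuristic: autostart programs living in user-writable locations deserve a look.
USER_WRITABLE_DIRS = (
    "\\appdata\\roaming\\", "\\appdata\\local\\", "\\programdata\\", "\\all users\\", "\\temp\\",
)


@dataclass
class Finding:
    scope: str    # "user <profile>" for HKU entries, "all users (HKLM)" for machine-wide ones
    reason: str
    line: str


def scope_of(hive: str) -> str:
    """HKLM entries affect every account; HKU\\<profile> entries only that profile."""
    return "all users (HKLM)" if hive == "HKLM" else "user " + hive.split("\\", 1)[1]


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious FRST registry line, or None if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, value = m.group("hive", "key", "name", "value")
    value = TRAILER_RE.sub("", value).strip()
    scope, low = scope_of(hive), value.lower()

    # 1. Winlogon Shell must be exactly explorer.exe; anything appended runs at every logon.
    if key.lower() == "winlogon" and name.lower() == "shell":
        if low != "explorer.exe":
            return Finding(scope, f"Winlogon Shell is '{value}' instead of 'explorer.exe'", line)
        return None
    # 2. Run values that start a program from a user-writable directory.
    if key.lower().endswith("run"):
        if any(d in low for d in USER_WRITABLE_DIRS):
            return Finding(scope, f"Run entry '{name}' launches from user-writable location ({value})", line)
        return None
    # 3. Task Manager disabled by policy, a common lock-screen ransomware trick.
    if key.lower() == r"policies\system" and name.lower() == "disabletaskmgr" and value == "1":
        return Finding(scope, "Task Manager disabled by policy (DisableTaskMgr=1)", line)
    return None


def triage(text: str) -> List[Finding]:
    """Run triage_line over every line of an FRST log excerpt and collect the findings."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.scope}] {f.reason}")
```

Running it on the constructed sample prints four findings (two Run entries, the DisableTaskMgr policy and the modified Shell value) and stays silent on the Synaptics entry and the clean Shell line. The scope column is the useful part when a thread like this one says "another account is not affected": HKU findings belong to one profile, while an HKLM Shell change has to be fixed once for the whole machine.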

#7 gsms123

gsms123
  • Topic Starter

  • Members
  • 39 posts

Posted 01 January 2013 - 01:20 PM

White Warrior - The malware still exists. As far as I can tell the fix ran fine but once I restarted using the login id 102644 the malware fbi screen came up (did not try safe mode). Just out of curiosity I restarted after this and rescanned using frst.exe to see if "_bd_uylzs.exe" existed in the log file and it does. I will post that log file too in the next post to avoid any confusion. Happy New Year and please let me know next steps.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 31-12-2012
Ran by SYSTEM at 2013-01-01 09:57:36 Run:1
Running from F:\

==============================================

HKEY_USERS\ctsuser1\Software\Microsoft\Windows\CurrentVersion\Run\\uhhcskwy Value deleted successfully.
HKEY_USERS\102644\Software\Microsoft\Windows\CurrentVersion\Run\\uhhcskwy Value deleted successfully.
HKEY_USERS\102644\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored successfully .

========================= File: C:\Users\ctsuser1\AppData\Roaming\_bd_uylzs.exe ========================

MD5: E39182044CF53DB8EA71C94555956636
Creation and modification date: 2012-12-28 19:52 - 2012-12-28 19:52
Size: 0171520
Attributes: ----A
Company Name: Extensys Co. Ltd.
Internal Name: usconsole
Original Name: usconsole
Product Name: MySQL Framework Console
Description: MySQL Framework Console
File Version: 7.1.3.3
Product Version: 7.1.3.3
Copyright: Copyright © 2003-2012 - Extensys Co. Ltd.

====== End Of File: ======

========================= File: C:\Users\ctsuser1\AppData\Local\_bd_uylzs.exe ========================

MD5: E39182044CF53DB8EA71C94555956636
Creation and modification date: 2012-12-28 19:52 - 2012-12-28 19:52
Size: 0171520
Attributes: ----A
Company Name: Extensys Co. Ltd.
Internal Name: usconsole
Original Name: usconsole
Product Name: MySQL Framework Console
Description: MySQL Framework Console
File Version: 7.1.3.3
Product Version: 7.1.3.3
Copyright: Copyright © 2003-2012 - Extensys Co. Ltd.

====== End Of File: ======

========================= File: C:\Users\102644\AppData\Roaming\_bd_uylzs.exe ========================

MD5: E39182044CF53DB8EA71C94555956636
Creation and modification date: 2012-12-28 14:38 - 2012-12-28 17:30
Size: 0171520
Attributes: ----A
Company Name: Extensys Co. Ltd.
Internal Name: usconsole
Original Name: usconsole
Product Name: MySQL Framework Console
Description: MySQL Framework Console
File Version: 7.1.3.3
Product Version: 7.1.3.3
Copyright: Copyright © 2003-2012 - Extensys Co. Ltd.

====== End Of File: ======

========================= File: C:\Users\All Users\_bd_uylzs.exe ========================

MD5: E39182044CF53DB8EA71C94555956636
Creation and modification date: 2012-12-28 14:36 - 2012-12-28 18:39
Size: 0171520
Attributes: ----A
Company Name: Extensys Co. Ltd.
Internal Name: usconsole
Original Name: usconsole
Product Name: MySQL Framework Console
Description: MySQL Framework Console
File Version: 7.1.3.3
Product Version: 7.1.3.3
Copyright: Copyright © 2003-2012 - Extensys Co. Ltd.

====== End Of File: ======
C:\Users\ctsuser1\AppData\Roaming\_bd_uylzs.exe moved successfully.
C:\Users\ctsuser1\AppData\Local\_bd_uylzs.exe moved successfully.
C:\Users\102644\AppData\Roaming\_bd_uylzs.exe moved successfully.
C:\Users\All Users\_bd_uylzs.exe moved successfully.

==== End of Fixlog ====

#8 gsms123

gsms123
  • Topic Starter

  • Members
  • 39 posts

Posted 01 January 2013 - 01:22 PM

This is the log file when I rescanned after running the fix.

Attached Files

  • Attached File  FRST.txt   31.27KB   6 downloads


#9 gsms123

gsms123
  • Topic Starter

  • Members
  • 39 posts

Posted 01 January 2013 - 11:06 PM

White Warrior - Since I posted the last log I did a couple things. I logged in to the computer in safe mode using one of the userids that was not infected and did searches for _bd_uylzs.exe in c: and also in the registry. There were a couple copies of the file in AppData and c:\programdata folder. I was able to manually delete them. Registry had one or two values which I deleted.

Once done I am able to log into the laptop. I am typing this from the same laptop using the original login that was infected. However I am not sure if there is still any residual malware. Can I request you to guide me in running checks to see that everything has been deleted.

Thanks for your help.

#10 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests

Posted 02 January 2013 - 07:21 AM

Hi gsms123

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Note: **Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Note: **If you get a message saying "Illegal operation attempted on a Registry Key that has been marked for deletion", please restart your computer.**

Download Security Check by screen317 from here or here.
  • Save it to your desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Please post the C:\ComboFix.txt, and Security Check log in your next reply.

White Warrior

#11 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests

Posted 04 January 2013 - 08:26 PM

Hi gsms123

It has been three days since I heard from you. Do you still want my help?
Please post a reply telling me what you want to do from now.
Thank you.

White Warrior

#12 gsms123

gsms123
  • Topic Starter

  • Members
  • 39 posts

Posted 04 January 2013 - 11:50 PM

Please bear with me for another day. Will post the logs you had instructed. Been a bit tied up. Want to make sure there are no more infections White Warrior. Thanks for your patience.

#13 gsms123

gsms123
  • Topic Starter

  • Members
  • 39 posts

Posted 05 January 2013 - 01:39 PM

White Warrior - Attached are the log files from ComboFix and SecurityCheck. Kindly let me know if they look good.

Attached Files



#14 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests

Posted 05 January 2013 - 10:41 PM

ComboFix 13-01-05.01 - 102644 01/05/2013 10:23:32.1.4 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.2985.1805 [GMT -8:00]
Running from: c:\users\102644\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: McAfee VirusScan Enterprise Antispyware Module *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\programdata\nogolniw.pad
c:\users\102644\AppData\Local\assembly\tmp
c:\users\102644\AppData\Local\TempDIR
c:\users\102644\g2mdlhlpx.exe
c:\users\ctsuser1\AppData\Roaming\JomCap.dll
c:\windows\system32\SET548F.tmp
c:\windows\system32\SET5A11.tmp
c:\windows\system32\SET5C63.tmp
c:\windows\system32\SET5FD0.tmp
c:\windows\system32\SET6CF7.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-12-05 to 2013-01-05 )))))))))))))))))))))))))))))))
.
.
2013-01-05 18:30 . 2013-01-05 18:30 -------- d-----w- c:\users\102644\AppData\Local\temp
2013-01-05 18:30 . 2013-01-05 18:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-04 17:34 . 2013-01-04 17:34 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2013-01-04 17:34 . 2013-01-04 17:34 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2013-01-04 17:34 . 2013-01-04 17:34 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2013-01-04 17:34 . 2013-01-04 17:34 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2013-01-04 17:34 . 2013-01-04 17:34 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2013-01-04 17:34 . 2013-01-04 17:34 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2013-01-04 17:34 . 2013-01-04 17:34 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2013-01-04 17:33 . 2013-01-04 17:34 -------- d-----w- c:\program files\QuickTime
2013-01-04 16:48 . 2013-01-05 18:30 60872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D1A952D5-0EBB-44F8-9E08-C6C92783026B}\offreg.dll
2013-01-04 15:37 . 2012-11-08 18:00 6812136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D1A952D5-0EBB-44F8-9E08-C6C92783026B}\mpengine.dll
2013-01-02 04:01 . 2013-01-02 04:01 -------- d-----w- c:\program files\WinSCP
2013-01-01 20:31 . 2013-01-01 20:31 68874 ----a-w- C:\cc_20130101_123100.reg
2013-01-01 20:03 . 2013-01-01 20:03 686 ----a-w- C:\abc.reg
2013-01-01 18:03 . 2013-01-01 18:04 -------- d-----w- C:\fada1aef9166b10c047dad
2012-12-31 22:37 . 2012-12-31 22:37 -------- d-----w- C:\FRST
2012-12-29 01:34 . 2012-12-29 01:34 -------- d-----w- c:\users\ctsuser
2012-12-29 01:19 . 2012-12-29 01:20 -------- d-----w- C:\Emissoft
2012-12-28 23:25 . 2012-12-28 23:25 -------- d-----w- c:\users\102644\AppData\Local\Secunia PSI
2012-12-28 23:25 . 2012-12-28 23:25 -------- d-----w- c:\program files\Secunia
2012-12-28 20:25 . 2012-12-28 20:25 -------- d-----w- c:\programdata\Wincert
2012-12-28 20:25 . 2012-12-28 20:25 -------- dc-h--w- c:\programdata\{C296F8FF-A964-4BB7-814C-2DE7755A03C9}
2012-12-28 20:25 . 2012-12-28 20:25 -------- d-----w- c:\program files\SavevidPlug-in
2012-12-21 18:03 . 2012-12-16 14:13 295424 ----a-w- c:\windows\system32\atmfd.dll
2012-12-21 18:03 . 2012-12-16 14:13 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-17 17:44 . 2012-12-17 17:51 -------- d-----w- c:\windows\rescache
2012-12-14 15:49 . 2012-12-14 15:49 -------- d-----w- c:\program files\iPod
2012-12-14 15:49 . 2012-12-14 15:51 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-12-14 15:49 . 2012-12-14 15:51 -------- d-----w- c:\program files\iTunes
2012-12-12 04:45 . 2012-11-22 02:56 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-12-12 04:43 . 2012-10-04 14:41 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-12-12 04:43 . 2012-10-04 14:41 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-12-12 04:43 . 2012-10-04 14:41 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-12-12 04:43 . 2012-10-04 14:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-12-12 04:43 . 2012-10-04 16:40 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2012-12-12 04:43 . 2012-10-04 16:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2012-12-12 04:42 . 2012-11-02 05:11 376832 ----a-w- c:\windows\system32\dpnet.dll
2012-12-12 04:38 . 2012-11-09 04:42 2048 ----a-w- c:\windows\system32\tzres.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-15 00:49 . 2012-09-21 01:56 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-12 17:20 . 2012-03-28 18:19 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-12 17:20 . 2011-05-31 05:55 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-25 11:12 . 2012-10-25 11:12 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-10-25 11:12 . 2012-10-25 11:12 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-10-16 07:39 . 2012-11-27 21:08 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
2012-10-09 17:40 . 2012-11-14 02:10 193536 ----a-w- c:\windows\system32\dhcpcore6.dll
2012-10-09 17:40 . 2012-11-14 02:10 44032 ----a-w- c:\windows\system32\dhcpcsvc6.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\102644\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\102644\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\102644\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WordWeb"="c:\program files\WordWeb\wweb32.exe" [2009-11-09 65216]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2011-06-06 222496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-08-26 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-03-26 124224]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-23 1725736]
"RotateImage"="c:\program files\Integrated Camera Driver\RCIMGDIR.exe" [2008-10-30 31744]
"ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49568]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2011-03-15 316032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-11 143384]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-11 176664]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-11 178200]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2011-04-19 1258856]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
"ArcSoft MediaImpression Monitor"="c:\program files\Kodak\MediaImpression\ArcMonitor.exe" [2010-11-12 73728]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"ControlCenter4"="c:\program files\ControlCenter4\BrCcBoot.exe" [2011-04-21 139264]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2011-05-19 2629632]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
.
c:\users\102644\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\102644\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-12-28 28539392]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2009-10-2 795936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Communicator]
2007-07-23 18:33 5803368 ----a-w- c:\program files\Microsoft Office Communicator\communicator.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScannerSelectorEX]
2010-09-09 09:08 452016 ----a-w- c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2010-03-09 07:37 46368 ----a-w- c:\program files\Nuance\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-12-12 21:57 152544 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBAgent]
2011-07-16 01:47 1485096 ----a-w- c:\program files\Nero\Nero 11\Nero BackItUp\NBAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nikon Message Center 2]
2010-05-26 02:16 619008 ----a-w- c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2010-03-09 07:42 29984 ----a-w- c:\program files\Nuance\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF5 Registry Controller]
2010-03-06 02:11 62752 ----a-w- c:\program files\Nuance\PDF Viewer Plus\RegistryController.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDFHook]
2010-03-06 03:11 636192 ----a-w- c:\program files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPort12reminder]
2010-02-09 20:42 328992 ----a-w- c:\program files\Nuance\PaperPort\Ereg\Ereg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 11:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 20:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 HyperW7Svc;HyperW7 Service;c:\program files\Lenovo\RapidBoot\HyperW7Svc.exe [x]
R2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\ThinkPad\Utilities\PWMEWSVC.EXE [x]
R3 BthAudioHF;BthAudioHF Service;c:\windows\system32\DRIVERS\BthAudioHF.sys [x]
R3 bthav;Bluetooth AV Profile;c:\windows\system32\drivers\bthav.sys [x]
R3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\DRIVERS\BthAvrcp.sys [x]
R3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [x]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 iBtFltCoex;iBtFltCoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [x]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [x]
R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [x]
R3 SWI32;SWI32;c:\program files\Lenovo\System Update\tvsuhd32.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [x]
S0 DozeHDD;DozeHDD;c:\windows\System32\DRIVERS\DozeHDD.sys [x]
S0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\DRIVERS\NBVol.sys [x]
S0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\DRIVERS\NBVolUp.sys [x]
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\emissoft\Run\a2ddax86.sys [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [x]
S1 PHCORE;PHCORE;c:\program files\Lenovo\RapidBoot\PHCORE.SYS [x]
S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg32.exe [x]
S2 HFGService;Handsfree Headset Service;c:\windows\system32\svchost.exe [x]
S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files\Intel\Services\IPT\jhi_service.exe [x]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [x]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [x]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x]
S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [x]
S2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files\Nuance\PaperPort\PDFProFiltSrvPP.exe [x]
S2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc86.sys [x]
S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe [x]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [x]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [x]
S3 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [x]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthaudiosvc REG_MULTI_SZ HFGService
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-28 17:20]
.
2013-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-23 03:34]
.
2013-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-23 03:34]
.
2012-12-22 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-06-27 15:54]
.
2013-01-05 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-06-27 15:54]
.
2012-12-29 c:\windows\Tasks\User_Feed_Synchronization-{94FF1846-78A9-499C-A358-DB873F607D6F}.job
- c:\windows\system32\msfeedssync.exe [2011-05-17 06:37]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Save video on Savevid.com - c:\program files\SavevidPlug-in\redirect.htm
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
<removed as requested>
TCP: DhcpNameServer = 192.168.1.1
DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} - hxxp://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect2.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-01-05 10:32:21
ComboFix-quarantined-files.txt 2013-01-05 18:32
.
Pre-Run: 6,467,076,096 bytes free
Post-Run: 6,339,039,232 bytes free
.
- - End Of File - - 638E9345A72F793907646746747BF849


Results of screen317's Security Check version 0.99.56
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
McAfee VirusScan Enterprise
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
McAfee AntiSpyware Enterprise Module
Malwarebytes Anti-Malware version 1.70.0.1100
CCleaner
Java™ 6 Update 29
Java version out of Date!
Adobe Flash Player 11.5.502.135
Adobe Reader 10.1.4 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
McAfee VirusScan Enterprise EngineServer.exe
McAfee VirusScan Enterprise VsTskMgr.exe
McAfee VirusScan Enterprise Mcshield.exe
McAfee VirusScan Enterprise mfeann.exe
McAfee VirusScan Enterprise shstat.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

Edited by Elise, 13 January 2013 - 04:22 AM.
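The Security Check output above is a fixed-format report. The following added Python helper (example code, not part of this thread and not screen317's tool) parses that format into sections and flags the items a helper acts on: a firewall that is not reported enabled, on-access scanning disabled, and out-of-date software with its version. The sample log inside it is constructed to mirror the posted one, and the regexes are assumptions about the format.

```python
import re

# Constructed sample in the format of screen317's Security Check; mirrors the log posted above, not a copy of it.
SAMPLE_LOG = "\n".join([
    "Results of screen317's Security Check version 0.99.56",
    "``````````````Antivirus/Firewall Check:``````````````",
    "Windows Firewall Enabled!",
    "Antivirus up to date! (On Access scanning disabled!)",
    "`````````Anti-malware/Other Utilities Check:`````````",
    "Java™ 6 Update 29",
    "Java version out of Date!",
    "Adobe Reader 10.1.4 Adobe Reader out of Date!",
    "````````````````````End of Log``````````````````````",
])
SECTION_RE = re.compile(r"^`+(?P<name>[^`]+?):?`+$")
# "Adobe Reader 10.1.4 Adobe Reader out of Date!" repeats the product name around the version
INLINE_OUTDATED_RE = re.compile(r"^(?P<name>.+?) (?P<ver>[\d.]+) (?P=name) out of Date!$")
NAME_VERSION_RE = re.compile(r"^(?P<name>\D+?)\s+(?P<ver>\d.*)$")  # "Java™ 6 Update 29"


def parse_sections(text):
    """Split the log into {section_name: [lines]}; lines before the first header go under 'Header'."""
    sections, current = {"Header": []}, "Header"
    for line in filter(None, map(str.strip, text.splitlines())):
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (severity, finding) tuples for the conditions a helper acts on in this log format."""
    sections = parse_sections(text)
    findings = []
    av = sections.get("Antivirus/Firewall Check", [])
    if not any("Firewall Enabled" in line for line in av):
        findings.append(("high", "Windows Firewall not reported as enabled"))
    if any("On Access scanning disabled" in line for line in av):
        findings.append(("high", "antivirus on-access scanning is disabled"))
    utils = sections.get("Anti-malware/Other Utilities Check", [])
    for i, line in enumerate(utils):
        if not line.endswith("out of Date!"):
            continue
        m = INLINE_OUTDATED_RE.match(line)
        if m is None and i > 0:  # "Java version out of Date!" describes the preceding line
            m = NAME_VERSION_RE.match(utils[i - 1])
        if m:
            findings.append(("medium", f"{m['name']} {m['ver']} is out of date"))
    return findings
```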


#15 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests
  • OFFLINE

Posted 06 January 2013 - 08:40 AM

Hi gsms123

Please copy/paste your logs. Do not attach them as it makes it hard for me to read them.

That's looking good.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
Any remaining problems?

White Warrior



