
Department of Justice Moneypak Virus


This topic is locked. 38 replies to this topic.

#1 rdkapp

Posted 02 March 2013 - 01:12 AM

Hello, my father's computer has been attacked by the Department of Justice Moneypak Virus, and I need some help getting rid of it. I have some experience with virus and malware removal (mostly with HijackThis), but it has been a while and my initial attempts to at least access the computer have been unsuccessful.

I have disconnected the computer from the network/internet; however, all attempts to boot into Safe Mode (plain, w/networking, and command prompt) have failed. They have either put the computer into a continuous rebooting loop or resulted in a BSOD.

Further, it does boot into Windows (XP Professional 32-bit) and I can get to a desktop, and it does give me a couple of minutes max to do stuff before the DOJ lock screen shows up. However, the computer is very slow in the process.

I have brought the infected computer to my house and thus have access to multiple other computers to download files to use in the diagnosis and removal process. Also, if necessary and advisable, I can even remove the hard drive from my father's computer and plug it into one of the other available computers via USB port.

So, I am ready to get busy when one of you has the time and knowledge to help me get rid of this virus/malware.





#2 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 02 March 2013 - 07:26 AM


Hello rdkapp

Welcome to The Forums!!

Around here they call me Gringo and I'll be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.





I need to get some reports to get a base to start from so I need you to run these programs first.


-DeFogger-
  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
  • Do not re-enable these drivers until otherwise instructed.

-Security Check-
  • Download Security Check by screen317 from here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
-Download DDS-
  • Please download DDS from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply
-Information and logs-
  • In your next post I need the following
    • both reports from DDS
    • report from security check
    • let me know of any problems you may have had
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 rdkapp (Topic Starter)

Posted 02 March 2013 - 02:11 PM

Hello gringo_pr.

 

Thank you for your response.

 

Before I get started, I have a couple of questions:

 


NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

 

1.  Would you recommend against removing the infected hard drive in order to attach it (via USB) to another computer and back up my father's important files?  What are the chances of the malware/virus transferring itself to the other computer during that process?

 

 

I need to get some reports to get a base to start from so I need you to run these programs first.



-DeFogger-
  • Please download DeFogger to your desktop.
     
-Security Check-
  • Download Security Check by screen317 from here.
    • Save it to your Desktop.
-Download DDS-
  • Please download DDS from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

 

 

2. Last night when I was trying to look at things on my own on the infected computer, I had very little time to do much of anything before the DOJ lock screen appeared. I am planning to download these programs by another computer to a USB flash drive and then plug the flash drive into the infected computer. However, I fear that the DOJ lock screen will show up before (i) I can complete running these programs and (ii) I can access and save the logs. Do you have any advice on how I can accomplish these things before the DOJ lock screen appears? As I said in my initial post, I cannot boot into safe mode at all.

 

EDIT: Another thought just occurred to me.  If you think I can remove the hard drive and attach it via USB to another computer, I could download the diagnostic programs directly to the desktop of the infected computer.  That way, when I reinstall the hard drive into the infected computer, the programs will be there and I'll just have to click on them to run them.  What are your thoughts on this?

 

Thanks again.

 

rdkapp


Edited by rdkapp, 02 March 2013 - 02:19 PM.


#4 gringo_pr

Posted 02 March 2013 - 05:43 PM

Hello


1. I would turn off autorun on the computer that you want to use - http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives


2. Try and run the program; if you can't, then let me know and I will move to another one to try.



gringo

#5 rdkapp (Topic Starter)

Posted 03 March 2013 - 05:13 PM

gringo_pr,

 

Here's a summary of my status:

 

1. I removed the infected hard drive and attached it to a seldom used laptop (after disabling autorun per the link you provided - thank you for that btw).  I backed up my father's data files, but during the process, many corrupted files were found, including ones that it had already backed up.  Most, if not all of the corrupted files were desktop.ini, thumbs, and mp3 files.  I have to think this is the virus/malware attacking the files on the hard drive.  I also placed the Defogger, Security Check, and dds programs on the desktop of my father's login on the infected hard drive.

 

2. When I reinstalled the infected hard drive back into his computer and booted, Windows XP did its pre-boot CHKDSK and found multiple truncated/corrupt files/attribute records.  I recognized some of the file names as the corrupted ones during the backup.  The CHKDSK process corrected many, deleted some, and then it went through replacing many "invalid security id w/default security id."

 

3. I booted the infected computer and was able to run Defogger. It put a .txt file on the desktop, but I noticed you didn't ask for the contents.

 

4. I attempted to run Security Check, and the 1st time, it opened up, but I never saw the "onscreen instructions inside of the black box" per your instructions.  The DOJ Moneypak lock screen showed up and prevented me from doing anything else.  I rebooted and three additional attempts to run Security Check were unsuccessful.  The black box with onscreen instructions never opened.

 

5. I never ran dds, because Security Check never completed. Do you want me to try dds, or do you want to try the alternative mentioned in your last post?

 

6.  Question:  each time the computer is rebooted, do I need to run defogger again, or is it still resident after a reboot?

 

This is a booger.  I look forward to your next reply.  Thanks again.



#6 gringo_pr

Posted 03 March 2013 - 09:05 PM

You only need to run Defogger once; go ahead and run DDS now.



gringo

#7 rdkapp (Topic Starter)

Posted 03 March 2013 - 11:24 PM

Thanks gringo_pr.

 

I tried to run dds several times. A couple of times, 2 small windows popped up, the 1st one saying "DDS is running in silent mode," and the 2nd one saying "Two logs will be created on your desktop." Both times this happened, the DOJ lock screen showed up before the files appeared on the Desktop. The 2nd time, I let it sit for a while in order to give the program some time to complete, thinking the files would still be saved to the Desktop, but after rebooting, no files were there. Thus, no success running dds either.

 

I noticed that a minute or so before the DOJ lock screen appears, I repeatedly get the following MS Windows error: 

 

The system has recovered from a serious error.

 

Even if I click "Don't Send" the error shows right back up.  I'm wondering if this is stopping me from running Security Check and dds.

 

I even tried running both Security Check and dds from the other Windows login, thinking it might give me a little more time, but I got the same results.  No success.

 

Anyway, I'm ready for Plan B.



#8 gringo_pr

Posted 04 March 2013 - 12:10 AM


Hello

Let's get a deeper look into the system and let's see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.
Gringo



Edited by gringo_pr, 04 March 2013 - 02:39 PM.


#9 rdkapp (Topic Starter)

Posted 04 March 2013 - 04:15 AM

Everything worked just as described.

 

Below are the entire contents of the C:\OTL.txt file from the infected computer.

 

OTL logfile created on: 3/4/2013 2:44:45 AM - Run 

OTLPE by OldTimer - Version 3.1.48.0     Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1,022.00 Mb Total Physical Memory | 826.00 Mb Available Physical Memory | 81.00% Memory free
906.00 Mb Paging File | 854.00 Mb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 15.11 Gb Free Space | 40.58% Space Free | Partition Type: NTFS
Drive D: | 74.52 Gb Total Space | 69.86 Gb Free Space | 93.75% Space Free | Partition Type: NTFS
Drive E: | 74.53 Gb Total Space | 67.16 Gb Free Space | 90.11% Space Free | Partition Type: NTFS
Drive G: | 963.70 Mb Total Space | 894.95 Mb Free Space | 92.87% Space Free | Partition Type: FAT
Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
 
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet002
 
========== Win32 Services (SafeList) ==========
 
SRV - [2013/02/27 19:24:59 | 000,251,248 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/01/27 12:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/12/21 23:45:29 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/11/02 20:56:40 | 000,161,768 | ---- | M] (Oracle Corporation) [Auto] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2010/05/11 15:58:04 | 000,247,352 | ---- | M] (HP) [Auto] -- C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe -- (HPM1210RcvFaxSrvc)
SRV - [2010/04/29 12:11:48 | 000,099,896 | ---- | M] (HP) [Auto] -- C:\WINDOWS\system32\HPSIsvc.exe -- (HPSIService)
SRV - [2009/10/15 11:13:50 | 000,136,192 | ---- | M] (HP) [Auto] -- C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe -- (HP LaserJet Service)
SRV - [2006/10/23 07:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Auto] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] --  -- (PDCOMP)
DRV - File not found [Kernel | System] --  -- (PCIDump)
DRV - File not found [Kernel | System] --  -- (lbrtfdc)
DRV - File not found [Kernel | System] --  -- (i2omgmt)
DRV - File not found [Kernel | System] --  -- (Changer)
DRV - [2010/04/28 10:49:50 | 000,017,408 | ---- | M] (Marvell Semiconductor, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mvusbews.sys -- (mvusbews)
DRV - [2010/04/28 10:49:50 | 000,013,824 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HPM1210FAX.sys -- (HP1210FAX)
DRV - [2008/04/13 13:36:41 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2004/12/15 15:18:32 | 000,220,928 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2004/12/15 15:18:28 | 000,703,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/12/15 15:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2003/01/10 16:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 15:12:22 | 000,010,368 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BrUsbScn.sys -- (BrUsbScn)
DRV - [2001/08/17 15:12:12 | 000,002,944 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BrFilt.sys -- (brfilt)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
 
 
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\Annette_Kapp_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\Annette_Kapp_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\Annette_Kapp_ON_C\..\URLSearchHook: {26842a09-ffa8-4e2c-ae12-0c80f01c3295} - Reg Error: Key error. File not found
IE - HKU\Annette_Kapp_ON_C\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\Annette_Kapp_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\Armand_Kapp_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\Armand_Kapp_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\Armand_Kapp_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\Armand_Kapp_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 38 64 9B 25 EE 53 CD 01  [binary data]
IE - HKU\Armand_Kapp_ON_C\..\URLSearchHook: {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll (America Online, Inc.)
IE - HKU\Armand_Kapp_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Armand_Kapp_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
 
IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_6_602_171.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@ei.BringMeSports_1c.com/Plugin:  File not found
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP:  File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/10/31 16:05:24 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/12/21 23:45:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/02/22 09:18:40 | 000,000,000 | ---D | M]
 
[2012/12/21 23:42:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/12/21 23:45:32 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/03/18 13:32:12 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2011/03/18 13:32:14 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
[2012/11/09 23:12:10 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/12/21 23:43:59 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
 
O1 HOSTS File: ([2012/06/26 16:33:04 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O2 - BHO: (CutePDF Editor Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (CutePDF Editor Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKU\Annette_Kapp_ON_C\..\Toolbar\WebBrowser: (no name) - {364EA597-E728-4CE4-BB4A-ED846EF47970} - No CLSID value found.
O3 - HKU\Annette_Kapp_ON_C\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\Annette_Kapp_ON_C\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\Annette_Kapp_ON_C\..\Toolbar\WebBrowser: (CutePDF Editor Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKU\Armand_Kapp_ON_C\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\Armand_Kapp_ON_C\..\Toolbar\WebBrowser: (CutePDF Editor Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [HPUsageTrackingLEDM] C:\Program Files\HP\HP UT LEDM\bin\hppusg.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [KernelFaultCheck]  File not found
O4 - HKLM..\Run: [MigAutoPlay] C:\Documents and Settings\All Users\Application Data\MigAutoPlay.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKU\Annette_Kapp_ON_C..\Run: [Aim6]  File not found
O4 - HKU\Armand_Kapp_ON_C..\Run: [FileHippo.com] C:\Program Files\FileHippo.com\UpdateChecker.exe (FileHippo.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SmartUI.lnk = C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe (Scansoft, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Annette_Kapp_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Armand_Kapp_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\Armand_Kapp_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Armand_Kapp_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227848628906 (WUWebControl Class)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect118.cab (GMNRev Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/18 10:01:50 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
NetSvcs: 6to4 -  File not found
NetSvcs: Ias -  File not found
NetSvcs: Iprip -  File not found
NetSvcs: Irmon -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: WmdmPmSp -  File not found
 
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0
 
 
 
ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73fa19d0-2d75-11d2-995d-00c04f98bbc9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files\Google\Chrome\Application\25.0.1364.97\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
ActiveX: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {94de52c8-2d59-4f1b-883e-79663d2d9a8c} - Fax Provider
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C3C986D6-06B1-43BF-90DD-BE30756C00DE} - RevokedRootsUpdate
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
 
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/03/03 23:07:36 | 000,688,992 | R--- | C] (Swearware) -- C:\Documents and Settings\Annette Kapp\Desktop\dds.scr
[2013/03/03 23:07:36 | 000,688,992 | R--- | C] (Swearware) -- C:\Documents and Settings\Annette Kapp\Desktop\dds.com
[2013/03/03 22:36:28 | 000,688,992 | R--- | C] (Swearware) -- C:\Documents and Settings\Armand Kapp\Desktop\dds.scr
[2013/03/03 22:09:15 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2013/03/03 16:34:59 | 000,000,000 | -HSD | C] -- C:\found.000
[2013/03/03 14:39:36 | 000,688,992 | R--- | C] (Swearware) -- C:\Documents and Settings\Armand Kapp\Desktop\dds.com
[2013/03/01 23:41:49 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Armand Kapp\Desktop\OTL.exe
[2013/02/27 08:06:11 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\MigAutoPlay.exe
 
========== Files - Modified Within 30 Days ==========
 
[2013/03/04 03:30:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/03/03 23:23:15 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/03/03 23:23:04 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/03/03 23:22:00 | 000,000,246 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2013/03/03 23:14:52 | 000,012,678 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/03/03 23:12:55 | 000,000,892 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/03/03 22:45:10 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/03/03 22:11:50 | 000,688,992 | R--- | M] (Swearware) -- C:\Documents and Settings\Armand Kapp\Desktop\dds.scr
[2013/03/03 22:11:50 | 000,688,992 | R--- | M] (Swearware) -- C:\Documents and Settings\Annette Kapp\Desktop\dds.scr
[2013/03/02 15:07:54 | 000,688,992 | R--- | M] (Swearware) -- C:\Documents and Settings\Armand Kapp\Desktop\dds.com
[2013/03/02 15:07:54 | 000,688,992 | R--- | M] (Swearware) -- C:\Documents and Settings\Annette Kapp\Desktop\dds.com
[2013/03/02 15:06:48 | 000,881,950 | ---- | M] () -- C:\Documents and Settings\Armand Kapp\Desktop\SecurityCheck.exe
[2013/03/02 15:06:48 | 000,881,950 | ---- | M] () -- C:\Documents and Settings\Annette Kapp\Desktop\SecurityCheck.exe
[2013/03/02 15:06:02 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Armand Kapp\Desktop\Defogger.exe
[2013/03/02 15:06:02 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Annette Kapp\Desktop\Defogger.exe
[2013/03/01 23:29:18 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Armand Kapp\Desktop\OTL.exe
[2013/02/27 19:24:57 | 000,691,568 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/02/27 19:24:56 | 000,071,024 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/02/27 10:38:06 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2013/02/27 08:30:47 | 002,250,054 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
[2013/02/27 08:30:32 | 000,313,046 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
[2013/02/27 08:06:06 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\MigAutoPlay.exe
[2013/02/26 16:52:20 | 000,001,819 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2013/02/20 15:05:08 | 000,002,479 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk
[2013/02/19 23:51:16 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2013/02/19 23:51:13 | 000,001,704 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2013/02/14 06:39:48 | 000,149,200 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/02/13 23:26:36 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/02/13 23:21:21 | 000,434,180 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/02/13 23:21:21 | 000,068,466 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
 
========== Files Created - No Company Name ==========
 
[2013/03/03 23:07:36 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Annette Kapp\Desktop\Defogger.exe
[2013/03/03 23:07:26 | 000,881,950 | ---- | C] () -- C:\Documents and Settings\Annette Kapp\Desktop\SecurityCheck.exe
[2013/03/03 14:39:36 | 000,881,950 | ---- | C] () -- C:\Documents and Settings\Armand Kapp\Desktop\SecurityCheck.exe
[2013/03/03 14:39:35 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Armand Kapp\Desktop\Defogger.exe
[2013/02/27 08:30:47 | 002,250,054 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
[2013/02/27 08:30:31 | 000,313,046 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
[2013/02/20 06:51:21 | 000,000,384 | -H-- | C] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/06/23 00:33:36 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Armand Kapp\defogger_reenable
[2012/03/11 16:54:50 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Armand Kapp\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/02/15 06:41:32 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/11/04 23:15:09 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2011/11/02 18:11:46 | 000,028,572 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/10/31 16:05:00 | 000,023,101 | ---- | C] () -- C:\WINDOWS\hpqins15.dat
[2011/10/31 13:57:51 | 001,167,360 | ---- | C] () -- C:\WINDOWS\System32\HPM1210SM.exe
[2011/10/31 13:57:51 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\HPM1210LM.DLL
[2011/10/31 13:57:26 | 000,013,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\HPM1210FAX.sys
[2011/10/31 13:57:24 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\m1210wia.dll
[2011/10/31 13:57:21 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\mvusbews.dll
[2011/10/31 13:56:37 | 000,284,672 | ---- | C] () -- C:\WINDOWS\System32\mvhlewsi.DLL
[2011/10/31 13:56:31 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\m1210nwia.dll
[2011/10/31 13:56:29 | 000,046,592 | ---- | C] () -- C:\WINDOWS\System32\HPM1210SMs.dll
[2010/12/22 13:40:19 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Annette Kapp\Local Settings\Application Data\PUTTY.RND
[2010/10/08 22:40:36 | 000,000,099 | ---- | C] () -- C:\Documents and Settings\Armand Kapp\jagex_runescape_preferences2.dat
[2010/09/18 22:33:03 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Annette Kapp\jagex__preferences3.dat
[2010/09/18 22:32:57 | 000,000,099 | ---- | C] () -- C:\Documents and Settings\Annette Kapp\jagex_runescape_preferences2.dat
[2010/04/18 16:53:42 | 000,000,084 | ---- | C] () -- C:\WINDOWS\opt_2460.ini
[2010/01/28 15:55:34 | 000,053,478 | ---- | C] () -- C:\WINDOWS\mvtcpui.ini
[2009/08/19 19:25:35 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/07/17 23:03:30 | 000,088,656 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2009/06/27 15:17:29 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/04/08 21:17:08 | 000,000,046 | ---- | C] () -- C:\Documents and Settings\Armand Kapp\jagex_runescape_preferences.dat
[2009/01/31 18:02:25 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Armand Kapp\Local Settings\Application Data\PUTTY.RND
[2008/12/12 23:29:44 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/11/27 23:06:29 | 000,000,046 | ---- | C] () -- C:\Documents and Settings\Annette Kapp\jagex_runescape_preferences.dat
[2008/10/26 09:59:44 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Armand Kapp\Application Data\iexplore.iss
[2008/10/26 09:51:21 | 000,000,164 | ---- | C] () -- C:\WINDOWS\System32\TDSSosvd.dat
[2008/08/29 20:40:25 | 000,000,021 | ---- | C] () -- C:\WINDOWS\atid.ini
[2008/08/28 22:05:21 | 000,000,051 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2008/08/28 22:02:16 | 000,000,063 | ---- | C] () -- C:\WINDOWS\Brpcfx.ini
[2008/08/28 22:02:12 | 000,000,052 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2008/08/28 22:02:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2008/08/28 22:00:05 | 000,002,653 | ---- | C] () -- C:\WINDOWS\BRMFBIDI.INI
[2008/08/28 22:00:03 | 000,000,256 | R--- | C] () -- C:\WINDOWS\System32\brmsl05.bin
[2008/08/28 21:57:10 | 000,000,767 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2008/07/31 12:06:05 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/07/18 10:04:05 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/07/18 09:59:28 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/07/18 09:49:18 | 000,000,079 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008/07/18 09:49:08 | 000,434,180 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/07/18 09:49:08 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/07/18 09:49:08 | 000,068,466 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/07/18 09:49:08 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/07/18 09:49:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/07/18 09:49:07 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/07/18 09:49:07 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/07/18 09:49:07 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2008/07/18 09:49:06 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/07/18 09:49:06 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/07/18 09:49:02 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/07/18 09:49:02 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2008/07/18 02:55:07 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/07/18 02:54:17 | 000,149,200 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2002/04/10 17:03:04 | 000,101,376 | ---- | C] () -- C:\WINDOWS\System32\Welsof32.dll
[2002/01/08 18:57:34 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
 
========== LOP Check ==========
 
[2011/12/26 14:44:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\TightVNC
[2008/07/18 10:21:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ESET
[2008/08/29 20:41:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annette Kapp\Application Data\acccore
[2008/07/18 10:21:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annette Kapp\Application Data\ESET
[2012/12/15 00:43:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annette Kapp\Application Data\Marvell
[2010/03/01 16:48:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annette Kapp\Application Data\Viewpoint
[2009/05/19 17:04:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Armand Kapp\Application Data\aAvgApi
[2008/07/18 10:21:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Armand Kapp\Application Data\ESET
[2011/11/02 17:21:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Armand Kapp\Application Data\Marvell
[2012/06/27 20:42:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Armand Kapp\Application Data\Oracle
[2009/08/19 19:33:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Armand Kapp\Application Data\Viewpoint
[2012/12/14 21:52:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2008/07/18 10:20:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2011/02/16 18:45:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2008/08/28 22:05:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2008/08/29 20:35:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/07/18 10:17:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
[2011/11/02 17:34:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2013/03/03 23:22:00 | 000,000,246 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
Invalid Environment Variable: %ALLUSERSPROFILE%\Application Data\*.
 
Invalid Environment Variable: %ALLUSERSPROFILE%\Application Data\*.exe
 
Invalid Environment Variable: %APPDATA%\*.
 
Invalid Environment Variable: %APPDATA%\*.exe
 
< %SYSTEMDRIVE%\*.exe >
 
 
< MD5 for: AGP440.SYS  >
[2006/02/28 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2006/02/28 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/11/28 00:24:37 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2006/02/28 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:AGP440.sys
[2008/11/28 00:24:37 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\erdnt\cache\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
 
< MD5 for: ATAPI.SYS  >
[2006/02/28 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
[2006/02/28 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/11/28 00:24:37 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2006/02/28 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2008/11/28 00:24:37 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\erdnt\cache\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 00:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
 
< MD5 for: EVENTLOG.DLL  >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\erdnt\cache\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2006/02/28 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
 
< MD5 for: NETLOGON.DLL  >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\erdnt\cache\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2006/02/28 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
 
< MD5 for: SCECLI.DLL  >
[2006/02/28 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\erdnt\cache\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
 
< MD5 for: USERINIT.EXE  >
[2006/02/28 07:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\erdnt\cache\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe
 
< %systemroot%\system32\drivers\*.sys /lockedfiles >
 
< %systemroot%\System32\config\*.sav >
[2008/07/18 02:53:54 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2008/07/18 02:53:54 | 000,659,456 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2008/07/18 02:53:54 | 000,880,640 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav
 
< %systemroot%\*. /mp /s >
 
< %systemroot%\system32\*.dll /lockedfiles >
[2011/03/03 01:55:19 | 000,149,504 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dnsapi.dll
[2012/12/26 15:16:28 | 011,111,424 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\ieframe.dll
[2012/12/26 15:16:28 | 002,004,992 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iertutil.dll
[2008/04/13 19:12:00 | 000,274,944 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\mstask.dll
[2008/04/13 19:12:02 | 000,067,072 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\ntdsapi.dll
[2012/06/08 09:26:20 | 008,462,848 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\shell32.dll
< End of report >
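As an added example (my code, not part of this thread and not part of OTL itself), here is a small Python parser for two of OTL's line formats, the file-list entries and the O4 Run autostart line, with a triage pass that flags executables started from, or dropped into, user-writable profile data directories, which is the pattern the MigAutoPlay.exe entries show. The sample lines are copied from the logs in this thread; the directory heuristics and all function and constant names are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed sample input: lines in OTL's own format, copied from this thread's
# logs (one O4 Run entry, three file-list entries, one MD5 custom-scan line).
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [MigAutoPlay] C:\Documents and Settings\All Users\Application Data\MigAutoPlay.exe (Microsoft Corporation)
[2013/02/27 08:06:11 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\MigAutoPlay.exe
[2013/03/01 23:41:49 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Armand Kapp\Desktop\OTL.exe
[2013/02/27 08:30:47 | 002,250,054 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
"""

# File-list line: [date time | size | attrs | C/M] (company) [MD5=...] -- path
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\)"
    r"(?: MD5=(?P<md5>[0-9A-Fa-f]{32}))? -- (?P<path>.+)$")
# Autostart line: O4 - <hive>\Run: [<value name>] <target> (<company>)
RUN_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+) \((?P<company>[^)]*)\)$")

EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".sys", ".pif", ".cpl")
# Profile locations any logged-on user can write to (heuristic; my choice).
USER_DATA_MARKERS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")
# Files under the OS or Program Files roots are left to OTL's MD5 checks.
TRUSTED_ROOT_RE = re.compile(r"^[a-z]:\\(program files|windows|winnt)\\")


@dataclass
class FileEntry:
    timestamp: str
    size: int
    attrs: str
    kind: str  # "C" = created, "M" = modified
    company: str
    md5: Optional[str]
    path: str


@dataclass
class RunEntry:
    hive: str
    name: str
    path: str
    company: str


Entry = Union[FileEntry, RunEntry]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one OTL line; None for lines in neither of the two formats."""
    line = line.rstrip()
    m = FILE_RE.match(line)
    if m:
        return FileEntry(m["ts"], int(m["size"].replace(",", "")), m["attrs"], m["kind"],
                         m["company"], m["md5"].upper() if m["md5"] else None, m["path"])
    m = RUN_RE.match(line)
    if m:
        return RunEntry(m["hive"], m["name"], m["path"], m["company"])
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXEC_EXT)


def in_user_data_dir(path: str) -> bool:
    """True for a path inside a user-writable profile data directory."""
    p = path.lower()
    return not TRUSTED_ROOT_RE.match(p) and any(mk in p for mk in USER_DATA_MARKERS)


def triage(text: str) -> List[Tuple[str, str]]:
    """(path, reason) pairs worth a closer look: autostart values or executables
    sitting where no installer would normally put them."""
    findings: List[Tuple[str, str]] = []
    for e in parse_log(text):
        if isinstance(e, RunEntry):
            if in_user_data_dir(e.path):
                findings.append((e.path, f"{e.hive}\\Run value '{e.name}' starts a file "
                                         "from a user-writable data directory"))
        elif is_executable(e.path) and in_user_data_dir(e.path):
            what = "created" if e.kind == "C" else "modified"
            findings.append((e.path, f"executable {what} {e.timestamp} in a user-writable "
                                     f"data directory, vendor string '{e.company or 'none'}'"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{path}\n    {reason}")
```

Run against the sample it reports only the two MigAutoPlay.exe lines; the vendor string is not trusted on its own, since OTL simply copies it from the file's version resource.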
 


#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 04 March 2013 - 02:46 PM


Hello

I would like you to run this custom script for me now and when it is complete please give me the report and a status update for the computer.

Run OTL Script
  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Custom Scans/Fixes text box.
    :OTL
    O4 - HKLM..\Run: [MigAutoPlay] C:\Documents and Settings\All Users\Application Data\MigAutoPlay.exe (Microsoft Corporation)
    [2013/02/27 08:30:47 | 002,250,054 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
    [2013/02/27 08:30:32 | 000,313,046 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]
    
  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

    Note** if the report does not popup after the computer reboots you can find it here in this folder - C:\_OTL\MovedFiles

    It will be named - mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.


  • Let me know How things are doing

    Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 rdkapp (Topic Starter)

Posted 04 March 2013 - 03:36 PM

Hi gringo_pr
 
I will run the custom script posted in your latest response and report back; however, I just noticed that you modified your previous post #8 above. Thus, I was wondering whether you wanted me to go back and do anything differently per the modified post?
 
Please let me know.

Edited by rdkapp, 04 March 2013 - 07:09 PM.


#12 rdkapp (Topic Starter)

Posted 04 March 2013 - 07:32 PM

I ran the custom script and everything went fine, except there were a couple of issues:

 

1.  I never saw the OK button after clicking the Run Fix button, but I just let it run until it was done.

2.  OTL asked me to reboot and I clicked OK, but it wouldn't reboot.  I had to manually power off the computer.  The report did not pop up after rebooting, so I found it and the contents are below.

 

After rebooting a 2nd time and removing the OTLPE disk, it booted up to Windows pretty normally; however, I did receive the following MS Windows error message:

 

The system has recovered from a serious error.

 

Error signature: BCCode: f4  BCP1:00000003  BCP2:85BcB630  BCP3:85BCB7A4  BCP4:805FAFF4  OSVer:5_1_2600  SP:3_0  Product:256_1

 

Error Report Contents:
The following files will be included in the report:
C:\DOCUME~1\ARMAND~1\LOCALS~1\Temp\WERc013.dir00\Mini022713-04.dmp
C:\DOCUME~1\ARMAND~1\LOCALS~1\Temp\WERc013.dir00\sysdata.xml

 

There was a similar error for the other Windows Login, but obviously the files were located in a different folder.

 

The computer has been booted up to Windows for 20+ minutes and still no DOJ Moneypak lock screen.

 

EDIT: I should also mention that the computer is not connected to the network/internet.  Please let me know if I should connect to the network/internet.

 

The following is the OTL log file (03042013_172549.log)

 

 

========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\MigAutoPlay deleted successfully.
C:\Documents and Settings\All Users\Application Data\MigAutoPlay.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\1.bmp moved successfully.
C:\Documents and Settings\All Users\Application Data\1.jpg moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
C:\cmd.bat deleted successfully.
C:\cmd.txt deleted successfully.
========== COMMANDS ==========
Error: Unable to interpret <[emptyjava]> in the current context!
 
[EMPTYFLASH]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: All Users
->Flash cache emptied: 0 bytes
 
User: Annette Kapp
->Temp folder emptied: 2471555 bytes
->Temporary Internet Files folder emptied: 149235454 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 397022867 bytes
->Google Chrome cache emptied: 107855400 bytes
->Flash cache emptied: 9002 bytes
 
User: Armand Kapp
->Temp folder emptied: 31653970 bytes
->Temporary Internet Files folder emptied: 988456186 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 227960098 bytes
->Google Chrome cache emptied: 36747969 bytes
->Flash cache emptied: 51072 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes
 
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes
 
User: NetworkService
->Temp folder emptied: 1169966 bytes
->Temporary Internet Files folder emptied: 83814593 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
Total Flash Files Cleaned = 1,933.00 mb
 
 
OTLPE by OldTimer - Version 3.1.48.0 log created on 03042013_172549

Edited by rdkapp, 04 March 2013 - 07:37 PM.


#13 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 04 March 2013 - 09:40 PM


Hello rdkapp


These are the programs I would like you to run next; if you have any problems with one of them, just skip it and move on to the next one.


-AdwCleaner-
  • Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile with your next answer.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.
--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller or from here
    • Quit all programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
    • For Windows XP, double-click to start.
    • Wait until Prescan has finished ...
    • Then Click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • click on "delete"
    • Wait until the Status box shows "Deleting Finished"
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[1].txt on your Desktop
    • Exit/Close RogueKiller.
Gringo

#14 rdkapp (Topic Starter)

Posted 04 March 2013 - 11:10 PM

Below is the log after running AdwCleaner.
 
 
# AdwCleaner v2.114 - Logfile created 03/04/2013 at 21:43:04
# Updated 05/03/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Armand Kapp - ARMAND
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Armand Kapp\Desktop\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
File Deleted : C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Documents and Settings\Annette Kapp\Application Data\Viewpoint
Folder Deleted : C:\Documents and Settings\Annette Kapp\Local Settings\Application Data\AskToolbar
Folder Deleted : C:\Documents and Settings\Annette Kapp\Local Settings\Application Data\AVG Security Toolbar
Folder Deleted : C:\Documents and Settings\Annette Kapp\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Annette Kapp\Local Settings\Application Data\NPR_Radio
Folder Deleted : C:\Documents and Settings\Armand Kapp\Application Data\Viewpoint
Folder Deleted : C:\Documents and Settings\Armand Kapp\Local Settings\Application Data\AskToolbar
Folder Deleted : C:\Documents and Settings\Armand Kapp\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Armand Kapp\Local Settings\Application Data\NPR_Radio
Folder Deleted : C:\Documents and Settings\NetworkService\Local Settings\Application Data\NPR_Radio
Folder Deleted : C:\Program Files\Ask.com
Folder Deleted : C:\Program Files\Common Files\Software Update Utility
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\NPR_Radio
Folder Deleted : C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\AskToolbar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2F4D7835-42B0-4BA7-9587-1B01393F78EE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EC5AF249-350A-472C-94C6-C3BCE128426D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKCU\Software\NPR_Radio
Key Deleted : HKCU\Toolbar
Key Deleted : HKLM\Software\APN
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\BringMeSports_1cInstaller.Start
Key Deleted : HKLM\SOFTWARE\Classes\BringMeSports_1cInstaller.Start.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2F4D7835-42B0-4BA7-9587-1B01393F78EE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{971B6321-6A8E-40B9-8E06-72680E1395D6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EC5AF249-350A-472C-94C6-C3BCE128426D}
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Deleted : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{30CBDB40-5B21-481B-A09B-F87CEF73F020}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{952EEDFD-A98B-4670-9BDD-3634C8846FC1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT654402
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{70173968-791C-4CBF-B434-DF8ECE91924C}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\ImInstaller
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1CD0E36A-8147-4C21-89F0-B7DB8134405F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8A18D8ED-1064-4A20-BED6-CD695C2ED6D5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\NPR_Radio Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2F4D7835-42B0-4BA7-9587-1B01393F78EE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EC5AF249-350A-472C-94C6-C3BCE128426D}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0CFE535C35F99574E8340BFA75BF92C2
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\120DFADEB50841F408F04D2A278F9509
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B5BAE2ED018083A4C8DA86D6E3F4B024
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NPR_Radio Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@ei.BringMeSports_1c.com/Plugin
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\Software\NPR_Radio
Key Deleted : HKLM\Software\Viewpoint
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
[OK] Registry is clean.
 
-\\ Mozilla Firefox v17.0.1 (en-US)
 
File : C:\Documents and Settings\Armand Kapp\Application Data\Mozilla\Firefox\Profiles\07y46t4q.default\prefs.js
 
C:\Documents and Settings\Armand Kapp\Application Data\Mozilla\Firefox\Profiles\07y46t4q.default\user.js ... Deleted !
 
Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Deleted : user_pref("extensions.MapsGalaxy_39.openSearchURL", "hxxp://search.mywebsearch.com/mywebsearch/opens[...]
 
File : C:\Documents and Settings\Annette Kapp\Application Data\Mozilla\Firefox\Profiles\vdrlr767.default\prefs.js
 
Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Deleted : user_pref("extensions.MapsGalaxy_39.openSearchURL", "hxxp://search.mywebsearch.com/mywebsearch/opens[...]
Deleted : user_pref("keyword.URL", "hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=UXxdm011YYus&ptn[...]
 
-\\ Google Chrome v25.0.1364.97
 
File : C:\Documents and Settings\Armand Kapp\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
File : C:\Documents and Settings\Annette Kapp\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[S1].txt - [11847 octets] - [04/03/2013 21:43:04]
 
########## EOF - C:\AdwCleaner[S1].txt - [11908 octets] ##########


#15 rdkapp (Topic Starter, Members, 47 posts)

Posted 04 March 2013 - 11:17 PM

I ran RogueKiller, and it actually produced 2 logs.  A quick glance tells me that the 1st log (RKreport[1].txt) was produced after the "Scan."  The 2nd log (RKreport[2].txt) was produced after the "delete."  Both are set out below.

 

Below is the log from the 1st one (RKreport[1].txt)

 

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Armand Kapp [Admin rights]
Mode : Scan -- Date : 03/04/2013 21:50:31
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 3 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : C:\WINDOWS\Installer\{2af53f27-b96e-a6df-0262-aba63c1e113a}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\WINDOWS\Installer\{2af53f27-b96e-a6df-0262-aba63c1e113a}\L --> FOUND
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ Infection : ZeroAccess ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: ST340014A +++++
--- User ---
[MBR] c3e3c1242233bd969015eaec9b11f7ce
[BSP] 5aafcc929152962b2c27cc23caf13bb7 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 38138 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: WDC WD1600JB-22GVA0 +++++
--- User ---
[MBR] ed329a8afc24f139acb06e26cbf7a10f
[BSP] c9ffd864ca82fec270d23c8bfc0b805a : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 156280320 | Size: 76316 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[1]_S_03042013_02d2150.txt >>
RKreport[1]_S_03042013_02d2150.txt
 
 
 
 
Below is the log from the 2nd one (RKreport[2].txt)
 
RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Armand Kapp [Admin rights]
Mode : Remove -- Date : 03/04/2013 21:51:38
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 3 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] ROOT : C:\WINDOWS\Installer\{2af53f27-b96e-a6df-0262-aba63c1e113a}\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\WINDOWS\Installer\{2af53f27-b96e-a6df-0262-aba63c1e113a}\L --> REMOVED
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ Infection : ZeroAccess ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: ST340014A +++++
--- User ---
[MBR] c3e3c1242233bd969015eaec9b11f7ce
[BSP] 5aafcc929152962b2c27cc23caf13bb7 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 38138 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: WDC WD1600JB-22GVA0 +++++
--- User ---
[MBR] ed329a8afc24f139acb06e26cbf7a10f
[BSP] c9ffd864ca82fec270d23c8bfc0b805a : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 156280320 | Size: 76316 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[2]_D_03042013_02d2151.txt >>
RKreport[1]_S_03042013_02d2150.txt ; RKreport[2]_D_03042013_02d2151.txt
 
 
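The two RogueKiller reports above are easiest to read side by side: the Scan report lists each item as FOUND, and the Remove report lists the same items as DELETED, REMOVED or REPLACED, while its "Driver : [LOADED]" and "Infection : ZeroAccess" banners are still present, which is why follow-up is needed. As an added example (not RogueKiller's own code and not from anyone in this thread), here is a small Python parser for that report format that reads both logs, matches every FOUND item to its counterpart in the removal log, flags anything left unhandled, and surfaces the banners that survive removal. The sample text is trimmed from the two logs in this post; the regexes, the `ACTED` status set and the folder-matching rule are my assumptions derived from those lines, not a documented format.

```python
import re
from dataclasses import dataclass, field

# Section banner, e.g. "¤¤¤ Registry Entries : 3 ¤¤¤" or "¤¤¤ Infection : ZeroAccess ¤¤¤"
# (pattern assumed from the logs in this thread, not a documented format)
SECTION_RE = re.compile(r"^¤¤¤\s*(?P<body>.*?)\s*¤¤¤\s*$")
# Finding line, e.g. "[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND"
# or "[ZeroAccess][FOLDER] ROOT : C:\WINDOWS\Installer\{...}\U --> REMOVED"
FINDING_RE = re.compile(
    r"^(?P<tags>(?:\[[^\]]*\])+)\s+(?P<item>.*?)\s+-{1,2}>\s+"
    r"(?P<status>[A-Z]+)(?:\s+\((?P<detail>[^)]*)\))?\s*$"
)
# Statuses the removal log prints once it has acted on an item (the three seen above).
ACTED = {"DELETED", "REMOVED", "REPLACED"}


@dataclass
class Finding:
    section: str
    tags: str
    item: str
    status: str
    detail: str = ""

    @property
    def key(self):
        # File/folder entries carry a label before " : " that changes between runs
        # (U and L in the scan log, ROOT in the removal log), so match on the path alone.
        target = self.item
        if "[FOLDER]" in self.tags or "[FILE]" in self.tags:
            target = self.item.split(" : ", 1)[-1]
        return (self.tags, target)


@dataclass
class Report:
    mode: str = ""
    sections: dict = field(default_factory=dict)   # banner name -> banner value
    findings: list = field(default_factory=list)


def parse_report(text):
    """Parse one RogueKiller report into its mode, section banners and finding lines."""
    rep, section = Report(), ""
    for raw in text.splitlines():
        line = raw.strip()          # also drops the non-breaking spaces the logs contain
        if not line:
            continue
        if line.startswith("Mode :"):
            rep.mode = line.split(":", 1)[1].split("--")[0].strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            name, _, value = m.group("body").partition(":")
            section = name.strip()
            rep.sections[section] = value.strip()
            continue
        m = FINDING_RE.match(line)
        if m:                       # MBR/BSP hash lines carry no arrow and are skipped
            rep.findings.append(Finding(section, m.group("tags"), m.group("item"),
                                        m.group("status"), m.group("detail") or ""))
    return rep


def reconcile(scan_text, remove_text):
    """Match each FOUND item in the scan log to its status in the removal log."""
    scan, remove = parse_report(scan_text), parse_report(remove_text)
    after = {f.key: f for f in remove.findings}
    resolved, unresolved = [], []
    for f in scan.findings:
        r = after.get(f.key)
        entry = (f.section, f.item, r.status if r else "MISSING")
        (resolved if r and r.status in ACTED else unresolved).append(entry)
    return {
        "scan_mode": scan.mode,
        "remove_mode": remove.mode,
        "infection_before": scan.sections.get("Infection", ""),
        "infection_after": remove.sections.get("Infection", ""),   # non-empty -> follow-up needed
        "driver_after": remove.sections.get("Driver", ""),
        "resolved": resolved,
        "unresolved": unresolved,
    }


# Sample input: trimmed from the two logs posted above (constructed excerpt, not the full reports).
SCAN_LOG = r"""
RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
Mode : Scan -- Date : 03/04/2013 21:50:31
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 3 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : C:\WINDOWS\Installer\{2af53f27-b96e-a6df-0262-aba63c1e113a}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\WINDOWS\Installer\{2af53f27-b96e-a6df-0262-aba63c1e113a}\L --> FOUND
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST340014A +++++
[MBR] c3e3c1242233bd969015eaec9b11f7ce
"""

REMOVE_LOG = r"""
Mode : Remove -- Date : 03/04/2013 21:51:38
¤¤¤ Registry Entries : 3 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] ROOT : C:\WINDOWS\Installer\{2af53f27-b96e-a6df-0262-aba63c1e113a}\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\WINDOWS\Installer\{2af53f27-b96e-a6df-0262-aba63c1e113a}\L --> REMOVED
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
"""

if __name__ == "__main__":
    result = reconcile(SCAN_LOG, REMOVE_LOG)
    for section, item, status in result["resolved"]:
        print(f"handled   [{section}] {item} -> {status}")
    for section, item, status in result["unresolved"]:
        print(f"UNHANDLED [{section}] {item} -> {status}")
    if result["infection_after"]:
        print(f"still flagged after removal: {result['infection_after']} "
              f"(driver {result['driver_after']})")
```

Run against the two logs above, every FOUND item is matched to a DELETED, REMOVED or REPLACED line, but the removal report still carries the ZeroAccess banner with the driver loaded, which is the signal a helper would act on in the next step rather than treating the machine as clean.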