Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

internet crime complaint center virus in safe mode on my laptop


  • This topic is locked This topic is locked
6 replies to this topic

#1 daniel_hb

daniel_hb

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:27 PM

Posted 13 March 2013 - 11:37 AM

 I have the same  virus as this one:

http://www.bleepingcomputer.com/forums/t/481664/internet-crime-complaint-center-virus-in-safe-mode/

 

Thank you very much for your help!!!

 

here are my log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 10-03-2013 01
Ran by SYSTEM at 12-03-2013 23:03:39
Running from F:\
Windows 7 Home Premium   (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: []  [x]
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-28] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-20] (Synaptics Incorporated)
HKLM\...\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe [195080 2008-09-25] (LSI Corp.)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [497504 2009-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [909624 2009-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1482080 2009-08-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [596328 2009-08-06] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [35160 2009-08-06] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2009-08-03] (TOSHIBA Corporation)
HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-07-29] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [711000 2009-08-04] (TOSHIBA Corporation)
HKLM\...\Run: [CDAServer] C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe [438784 2010-12-17] ()
HKLM-x32\...\Run: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2446648 2009-08-11] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [ToshibaServiceStation] C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe /hide:60 [1294136 2009-08-17] (TOSHIBA Corporation)
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [268640 2011-11-12] (LeapFrog Enterprises, Inc.)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2009-11-18] (Hewlett-Packard)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-11-01] (Research In Motion Limited)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [D4Svr_ICBC.exe] D4Svr_ICBC.exe [x]
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-06-06] (Adobe Systems Incorporated)
HKU\Julie\...\Run: [XMP] "C:\Users\Public\THUNDE~1\XMP4\Core\Program\XMP.exe" /embedding /sstartfrom Startup101 [194512 2012-11-16] (?????????????)
HKU\Julie\...\Run: [PPAP] "C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.EXE"  -background [251744 2013-02-21] (PPLive Corporation)
HKU\Julie\...\Run: [Google Update] "C:\Users\Julie\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-09-13] (Google Inc.)
HKU\Julie\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)
HKU\Julie\...\Run: [ieodjrzotp] C:\Users\Julie\AppData\Roaming\phxzbypky [x]
HKU\Julie\...\Policies\system: [DisableTaskMgr] 1
HKLM\...\Winlogon: [Shell] explorer.exe, C:\ProgramData\phxzbypky [x ] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 184.16.33.54
Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\Julie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
ShortcutTarget: Adobe Gamma.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

==================== Services (Whitelisted) ===================

3 Adobe LM Service; "C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" [72704 2010-12-16] (Adobe Systems)
3 BaiduUpdater; C:\Program Files (x86)\Baidu\BaiduUpdate\bdupdate.exe [552568 2012-12-18] (Baidu.com, Inc.)
2 CntvCBoxService; "C:\Program Files (x86)\CNTV\CBox\CntvCBoxService.exe" [274344 2012-05-21] (???????)
3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)
2 OnKey Service _ICBC; C:\windows\SysWOW64\D4Ser_ICBC.exe [58672 2011-11-23] (Tendyron Corporation)
2 PPTVService; C:\windows\SysWOW64\PPTVSvc.dll [478032 2013-02-21] (PPTV)
2 XLDoctor Service; C:\Program Files (x86)\Thunder Network\Thunder\Program\DctSer.dll [81072 2011-08-18] (ShenZhen Xunlei Networking Technologies,LTD)
2 XLServicePlatform; C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLSP.dll [46768 2011-08-18] (ShenZhen Xunlei Networking Technologies,LTD)

==================== Drivers (Whitelisted) =====================

3 Alidevice; C:\Windows\SysWow64\Drivers\Alidevice.sys [6656 2010-07-01] (alipay.com)
3 BthAvrcp; C:\Windows\System32\Drivers\BthAvrcp.sys [29184 2009-08-13] (CSR, plc)
3 CH341SER; C:\Windows\System32\Drivers\CH341S64.SYS [58368 2011-11-04] (www.winchiphead.com)
2 CMB8100; \??\C:\windows\SysWOW64\Drivers\CertClient.dat [10784 2008-09-24] ()
2 CMBProtector; \??\C:\windows\SysWOW64\Drivers\CMBProtector.dat [12320 2008-09-24] ()
3 FlyUsb; C:\Windows\System32\Drivers\FlyUsb.sys [24576 2011-08-05] (LeapFrog)
3 SQTECH9052; C:\Windows\System32\Drivers\Capt9052.sys [47680 2008-02-21] (Service & Quality Technology.)
3 SQTECH905C; C:\Windows\System32\Drivers\Capt905c.sys [44480 2007-05-02] (Service & Quality Technology.)
3 RtsUIR; C:\Windows\System32\DRIVERS\Rts516xIR.sys [x]
3 TcHardWare; \??\C:\Program Files (x86)\Tencent\QQPCMgr\6.6.2162.401\QQPCHW-x64.sys [x]
3 USBCCID; C:\Windows\System32\DRIVERS\RtsUCcid.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-03-12 21:17 - 2013-03-12 21:48 - 00119296 ____A (Yzu) C:\Users\Julie\AppData\Roaming\phxzbypky.exe
2013-03-10 21:37 - 2013-03-10 21:38 - 00290686 ____A C:\Users\Julie\Desktop\tax.xps
2013-03-09 22:28 - 2013-03-09 22:28 - 00001646 ____A C:\Users\Julie\Desktop\PP????.lnk
2013-03-09 22:17 - 2013-03-10 21:39 - 00000000 ____D C:\Users\Julie\Documents\2012 TAX
2013-03-06 00:03 - 2013-03-06 00:03 - 00000000 ____D C:\Users\Julie\AppData\Roaming\Mozilla
2013-03-05 22:18 - 2013-03-09 22:04 - 00000000 ____D C:\Users\Julie\AppData\Local\{63377780-5C99-4957-82D3-3A86E6215300}
2013-03-04 21:40 - 2013-03-04 21:40 - 00000000 ____D C:\Users\Julie\AppData\Local\{DE68129A-79C4-4F95-9D1B-6013E3ACF1BF}
2013-03-01 22:06 - 2013-03-01 22:07 - 00000272 ____A C:\Users\Julie\Desktop\Ebay shipping.url
2013-02-21 23:23 - 2013-02-21 23:23 - 02584912 ____A C:\Windows\System32\kindling.dll
2013-02-21 23:23 - 2013-02-21 23:23 - 02307408 ____A C:\Windows\SysWOW64\kindling.dll
2013-02-21 23:23 - 2013-02-21 23:23 - 00478032 ____A (PPTV) C:\Windows\SysWOW64\PPTVSvc.dll
2013-02-21 23:23 - 2013-02-21 23:23 - 00399816 ____A (PPLive Corporation) C:\Windows\SysWOW64\PPTVLauncher.exe
2013-02-18 18:23 - 2013-02-18 18:23 - 00000000 ____D C:\Users\Julie\AppData\Local\{31954EB9-9394-4DC0-BED4-20048F5C9B8F}
2013-02-16 20:21 - 2013-02-16 20:21 - 00000000 ____D C:\Users\Julie\AppData\Roaming\Dreamtaskbar
2013-02-16 20:21 - 2013-02-16 20:21 - 00000000 ____D C:\Program Files (x86)\Dreamtaskbar
2013-02-16 16:59 - 2013-02-16 16:59 - 00000000 ____D C:\Users\Julie\AppData\Local\TTPlayer
2013-02-16 16:59 - 2013-02-16 16:59 - 00000000 ____D C:\ProgramData\PPBrowserHelper
2013-02-16 16:59 - 2013-02-16 16:59 - 00000000 ____D C:\ProgramData\Baidu
2013-02-16 16:59 - 2013-02-16 16:59 - 00000000 ____D C:\Program Files (x86)\TTPlayer
2013-02-16 16:59 - 2013-02-16 16:59 - 00000000 ____D C:\Program Files (x86)\Baidu
2013-02-16 09:30 - 2013-02-16 16:59 - 00000000 ____D C:\Users\Julie\Documents\PPTV
2013-02-16 09:30 - 2013-02-16 09:30 - 00000000 ____D C:\Users\Public\Documents\PPTV
2013-02-16 09:28 - 2013-02-16 09:28 - 00002335 ____A C:\Users\Public\Desktop\????.lnk
2013-02-14 07:46 - 2013-01-08 17:48 - 17812992 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-02-14 07:46 - 2013-01-08 17:22 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-02-14 07:46 - 2013-01-08 17:19 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-02-14 07:46 - 2013-01-08 17:12 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-02-14 07:46 - 2013-01-08 17:12 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-02-14 07:46 - 2013-01-08 17:11 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-02-14 07:46 - 2013-01-08 17:10 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-02-14 07:46 - 2013-01-08 17:09 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-02-14 07:46 - 2013-01-08 17:07 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-02-14 07:46 - 2013-01-08 17:07 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-02-14 07:46 - 2013-01-08 17:07 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-02-14 07:46 - 2013-01-08 17:06 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-02-14 07:46 - 2013-01-08 17:05 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-02-14 07:46 - 2013-01-08 17:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-02-14 07:46 - 2013-01-08 17:04 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-02-14 07:46 - 2013-01-08 17:00 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-02-14 07:46 - 2013-01-08 14:23 - 12321280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-02-14 07:46 - 2013-01-08 14:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-02-14 07:46 - 2013-01-08 14:09 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-02-14 07:46 - 2013-01-08 14:03 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-02-14 07:46 - 2013-01-08 14:03 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-02-14 07:46 - 2013-01-08 14:03 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-02-14 07:46 - 2013-01-08 14:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-02-14 07:46 - 2013-01-08 14:00 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-02-14 07:46 - 2013-01-08 13:59 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-02-14 07:46 - 2013-01-08 13:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-02-14 07:46 - 2013-01-08 13:58 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-02-14 07:46 - 2013-01-08 13:57 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-02-14 07:46 - 2013-01-08 13:56 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-02-14 07:46 - 2013-01-08 13:56 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-02-14 07:46 - 2013-01-08 13:56 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-02-14 07:46 - 2013-01-08 13:53 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-02-13 21:39 - 2013-01-04 21:57 - 05500776 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-02-13 21:39 - 2013-01-04 21:02 - 03957608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-02-13 21:39 - 2013-01-04 21:02 - 03902312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-02-13 21:39 - 2013-01-03 21:37 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2013-02-13 21:39 - 2013-01-03 21:37 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-02-13 21:39 - 2013-01-03 21:37 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2013-02-13 21:39 - 2013-01-03 21:36 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2013-02-13 21:39 - 2013-01-03 21:33 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2013-02-13 21:39 - 2013-01-03 21:30 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2013-02-13 21:39 - 2013-01-03 21:30 - 00424960 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2013-02-13 21:39 - 2013-01-03 21:27 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:27 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:27 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:27 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:27 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:27 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:27 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:27 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:27 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:27 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:27 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:26 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:26 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:26 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:26 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:26 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:26 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:26 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:26 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:51 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2013-02-13 21:39 - 2013-01-03 20:51 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2013-02-13 21:39 - 2013-01-03 20:51 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 19:22 - 03150848 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-02-13 21:39 - 2013-01-03 19:19 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2013-02-13 21:39 - 2013-01-03 18:48 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-02-13 21:39 - 2013-01-03 18:48 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-02-13 21:39 - 2013-01-03 18:48 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-02-13 21:39 - 2013-01-03 18:48 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-02-13 21:39 - 2013-01-03 18:43 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 18:43 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 18:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2013-02-13 21:39 - 2013-01-03 18:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2013-02-13 21:38 - 2013-01-03 21:41 - 01893224 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-02-13 21:38 - 2013-01-03 21:40 - 00287576 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS


==================== One Month Modified Files and Folders =======

2013-03-12 21:48 - 2013-03-12 21:17 - 00119296 ____A (Yzu) C:\Users\Julie\AppData\Roaming\phxzbypky.exe
2013-03-12 21:48 - 2013-01-17 21:10 - 00119296 ____A (Yzu) C:\Users\Julie\AppData\Local\phxzbypky.exe
2013-03-12 21:48 - 2012-09-05 19:11 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-03-12 21:48 - 2010-10-31 20:23 - 00000000 ____D C:\FavoriteVideo
2013-03-12 21:48 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-03-12 21:48 - 2009-07-13 20:51 - 00304196 ____A C:\Windows\setupact.log
2013-03-12 21:48 - 2009-07-13 20:45 - 00494272 ____A C:\Windows\System32\FNTCACHE.DAT
2013-03-12 21:47 - 2010-02-14 03:15 - 01542836 ____A C:\Windows\PFRO.log
2013-03-12 21:44 - 2013-01-17 21:10 - 00119296 ____A (Yzu) C:\ProgramData\phxzbypky.exe
2013-03-12 21:28 - 2009-07-13 21:13 - 00741370 ____A C:\Windows\System32\PerfStringBackup.INI
2013-03-12 21:11 - 2012-06-19 22:35 - 00000099 ____A C:\Users\Public\LMDebug.log
2013-03-12 21:04 - 2012-11-21 22:49 - 00000562 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4160697036-188152083-38436257-1000UA.job
2013-03-12 21:03 - 2010-02-14 02:28 - 01367060 ____A C:\Windows\WindowsUpdate.log
2013-03-12 20:33 - 2012-09-05 19:11 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-03-12 20:32 - 2012-06-08 19:51 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-03-12 20:23 - 2010-09-24 20:29 - 00000000 ____D C:\Users\Julie\Documents\Tencent Files
2013-03-12 20:18 - 2012-11-21 22:49 - 00000510 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4160697036-188152083-38436257-1000Core.job
2013-03-12 20:05 - 2012-06-08 19:51 - 00693976 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-03-12 20:05 - 2011-09-16 17:05 - 00073432 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-03-10 21:39 - 2013-03-09 22:17 - 00000000 ____D C:\Users\Julie\Documents\2012 TAX
2013-03-10 21:38 - 2013-03-10 21:37 - 00290686 ____A C:\Users\Julie\Desktop\tax.xps
2013-03-09 22:34 - 2011-03-30 19:13 - 00000891 ____A C:\Windows\SysWOW64\secushr.dat
2013-03-09 22:34 - 2011-03-30 19:13 - 00000336 ____A C:\Windows\SysWOW64\secustat.dat
2013-03-09 22:34 - 2011-03-30 19:13 - 00000000 ____D C:\Users\Julie\AppData\Roaming\BITS
2013-03-09 22:28 - 2013-03-09 22:28 - 00001646 ____A C:\Users\Julie\Desktop\PP????.lnk
2013-03-09 22:18 - 2013-03-05 22:18 - 00000000 ____D C:\Users\Julie\AppData\Local\{63377780-5C99-4957-82D3-3A86E6215300}
2013-03-09 21:09 - 2012-07-18 21:58 - 00002220 ____A C:\Users\Julie\Documents\123.jgs
2013-03-09 14:18 - 2010-02-14 22:57 - 00130384 ____A C:\Users\Julie\AppData\Local\GDIPFONTCACHEV1.DAT
2013-03-09 14:17 - 2010-10-31 20:21 - 00000000 ____D C:\ProgramData\PPLive
2013-03-09 10:06 - 2010-09-27 15:18 - 00000000 ____D C:\ProgramData\Tencent
2013-03-06 00:03 - 2013-03-06 00:03 - 00000000 ____D C:\Users\Julie\AppData\Roaming\Mozilla
2013-03-05 22:36 - 2012-09-05 19:12 - 00002194 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-03-05 22:25 - 2009-07-13 20:45 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-03-05 22:25 - 2009-07-13 20:45 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-03-05 22:17 - 2010-02-14 15:10 - 00000000 ____D C:\Users\Julie\Tracing
2013-03-04 21:40 - 2013-03-04 21:40 - 00000000 ____D C:\Users\Julie\AppData\Local\{DE68129A-79C4-4F95-9D1B-6013E3ACF1BF}
2013-03-02 18:05 - 2010-09-24 19:44 - 00000000 ____D C:\Program Files (x86)\AliWangWang
2013-03-01 22:07 - 2013-03-01 22:06 - 00000272 ____A C:\Users\Julie\Desktop\Ebay shipping.url
2013-02-27 21:32 - 2010-10-03 12:33 - 00000000 ____D C:\Users\Julie\AppData\Roaming\FileZilla
2013-02-27 19:04 - 2010-08-02 16:45 - 00000000 ___SD C:\kankan
2013-02-21 23:23 - 2013-02-21 23:23 - 02584912 ____A C:\Windows\System32\kindling.dll
2013-02-21 23:23 - 2013-02-21 23:23 - 02307408 ____A C:\Windows\SysWOW64\kindling.dll
2013-02-21 23:23 - 2013-02-21 23:23 - 00478032 ____A (PPTV) C:\Windows\SysWOW64\PPTVSvc.dll
2013-02-21 23:23 - 2013-02-21 23:23 - 00399816 ____A (PPLive Corporation) C:\Windows\SysWOW64\PPTVLauncher.exe
2013-02-18 18:23 - 2013-02-18 18:23 - 00000000 ____D C:\Users\Julie\AppData\Local\{31954EB9-9394-4DC0-BED4-20048F5C9B8F}
2013-02-18 17:32 - 2011-10-18 18:32 - 00000035 ____A C:\Users\Julie\AppData\Roaming\CoreAVC.ini
2013-02-16 20:21 - 2013-02-16 20:21 - 00000000 ____D C:\Users\Julie\AppData\Roaming\Dreamtaskbar
2013-02-16 20:21 - 2013-02-16 20:21 - 00000000 ____D C:\Program Files (x86)\Dreamtaskbar
2013-02-16 16:59 - 2013-02-16 16:59 - 00000000 ____D C:\Users\Julie\AppData\Local\TTPlayer
2013-02-16 16:59 - 2013-02-16 16:59 - 00000000 ____D C:\ProgramData\PPBrowserHelper
2013-02-16 16:59 - 2013-02-16 16:59 - 00000000 ____D C:\ProgramData\Baidu
2013-02-16 16:59 - 2013-02-16 16:59 - 00000000 ____D C:\Program Files (x86)\TTPlayer
2013-02-16 16:59 - 2013-02-16 16:59 - 00000000 ____D C:\Program Files (x86)\Baidu
2013-02-16 16:59 - 2013-02-16 09:30 - 00000000 ____D C:\Users\Julie\Documents\PPTV
2013-02-16 09:33 - 2010-10-31 20:23 - 00000000 ____D C:\Users\Julie\AppData\Roaming\PPLive
2013-02-16 09:32 - 2010-10-31 20:21 - 00000000 ____D C:\ProgramData\Jlcm
2013-02-16 09:30 - 2013-02-16 09:30 - 00000000 ____D C:\Users\Public\Documents\PPTV
2013-02-16 09:28 - 2013-02-16 09:28 - 00002335 ____A C:\Users\Public\Desktop\????.lnk
2013-02-16 09:28 - 2010-08-02 16:45 - 00000000 ____D C:\Users\Public\Thunder Network
2013-02-16 09:25 - 2012-06-06 20:21 - 00001182 ____A C:\Users\Public\Desktop\????-??????.lnk
2013-02-16 09:25 - 2010-08-02 16:44 - 00002476 ____A C:\Users\Public\Desktop\???????.lnk
2013-02-16 00:20 - 2012-05-01 06:47 - 00002201 ____A C:\Users\Julie\Desktop\??QQ.lnk
2013-02-16 00:06 - 2012-03-29 15:04 - 00000000 ____D C:\business
2013-02-14 21:38 - 2010-02-14 03:00 - 00000000 ____D C:\ProgramData\Microsoft Help


==================== Known DLLs (Whitelisted) =================

[2009-07-13 16:18] - [2009-07-13 17:41] - 0083456 ____A (Microsoft Corporation) C:\Windows\System32\msacm32.dll
[2009-07-13 16:03] - [2009-07-13 17:15] - 0072192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msacm32.dll
[2009-07-13 15:21] - [2009-07-13 17:41] - 0006656 ____A (Microsoft Corporation) C:\Windows\System32\shimeng.dll
[2009-07-13 15:12] - [2009-07-13 17:16] - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shimeng.dll
[2009-07-13 15:55] - [2009-07-13 17:41] - 0332288 ____A (Microsoft Corporation) C:\Windows\System32\uxtheme.dll
[2009-07-13 15:39] - [2009-07-13 17:11] - 0245760 ____A (Microsoft Corporation) C:\Windows\SysWOW64\uxtheme.dll

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-01-29 21:21:16
Restore point made on: 2013-02-05 12:05:30
Restore point made on: 2013-02-12 07:32:13
Restore point made on: 2013-02-14 07:45:50
Restore point made on: 2013-02-19 11:05:33
Restore point made on: 2013-02-22 22:17:35
Restore point made on: 2013-02-26 19:04:00
Restore point made on: 2013-03-05 22:22:31
Restore point made on: 2013-03-12 20:07:05

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 3963.99 MB
Available physical RAM: 3372.54 MB
Total Pagefile: 3962.14 MB
Available Pagefile: 3360.05 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (S3A8105D003) (Fixed) (Total:341.38 GB) (Free:150.15 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (BLACKBERRY) (Removable) (Total:7.4 GB) (Free:7.4 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          372 GB  1024 KB        
  Disk 1    Online         7580 MB      0 B        

Partitions of Disk 0:
===============

Disk ID: CA2BF041

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery          1500 MB  1024 KB
  Partition 2    Primary            341 GB  1501 MB
  Partition 0    Extended            19 GB   342 GB
  Partition 4    Logical             19 GB   342 GB
  Partition 3    Primary             10 GB   361 GB

==================================================================================

Disk: 0
Partition 1
Type  : 27
Hidden: Yes
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     D   System       NTFS   Partition   1500 MB  Healthy    Hidden 

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   S3A8105D003  NTFS   Partition    341 GB  Healthy           

=========================================================

Disk: 0
Partition 4
Type  : 17
Hidden: Yes
Active: No

There is no volume associated with this partition.

=========================================================

Disk: 0
Partition 3
Type  : 17
Hidden: Yes
Active: No

There is no volume associated with this partition.

=========================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           7575 MB  4117 KB

==================================================================================

Disk: 1
Partition 1
Type  : 0B
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     F   BLACKBERRY   FAT32  Removable   7575 MB  Healthy           

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: CA2BF041

Partition 1:
=========
Hex: 8020210027591ABF0008000000E02E00
Active: YES
Type: 27
Size: 1 GB

Partition 2:
=========
Hex: 00591BBF07FEFFFF00E82E000040AC2A
Active: NO
Type: 07 (NTFS)
Size: 341 GB

Partition 3:
=========
Hex: 00FEFFFF0FFEFFFF0028DB2A00D06202
Active: NO
Type: OF (Extended)
Size: 19 GB

Partition 4:
=========
Hex: 00FEFFFF17FEFFFF00F83D2D00985501
Active: NO
Type: 17
Size: 11 GB

==============================
Partitions of Disk 1:
===============
Disk ID: 00000000

Partition 1:
=========
Hex: 00822E000B50CAC62B200000D5BFEC00
Active: NO
Type: 0B
Size: 7 GB


Last Boot: 2013-03-06 22:04

==================== End Of Log =============================

 

Farbar Recovery Scan Tool (x64) Version: 10-03-2013 01
Ran by SYSTEM at 2013-03-12 23:29:28
Running from F:\

================== Search: "service.exe" ===================

====== End Of Search ======

 

 



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:27 PM

Posted 13 March 2013 - 11:51 AM


Hello daniel_hb

Welcome to The Forums!!

Around here they call me Gringo and I'll be glad to help you with your malware problems.


Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt
 
HKU\Julie\...\Run: [ieodjrzotp] C:\Users\Julie\AppData\Roaming\phxzbypky [x]
HKU\Julie\...\Policies\system: [DisableTaskMgr] 1
HKLM\...\Winlogon: [Shell] explorer.exe, C:\ProgramData\phxzbypky [x ] ()
C:\Users\Julie\AppData\Roaming\phxzbypky.exe
C:\Users\Julie\AppData\Local\phxzbypky.exe
C:\ProgramData\phxzbypky.exe
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 daniel_hb

daniel_hb
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:27 PM

Posted 13 March 2013 - 07:31 PM

Thanks for your quick help. you are great!!

 

here is the fix log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 10-03-2013 01
Ran by SYSTEM at 2013-03-13 17:30:19 Run:1
Running from F:\

==============================================

HKEY_USERS\Julie\Software\Microsoft\Windows\CurrentVersion\Run\\ieodjrzotp Value deleted successfully.
HKEY_USERS\Julie\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored successfully .
C:\Users\Julie\AppData\Roaming\phxzbypky.exe moved successfully.
C:\Users\Julie\AppData\Local\phxzbypky.exe moved successfully.
C:\ProgramData\phxzbypky.exe moved successfully.

==== End of Fixlog ====



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:27 PM

Posted 13 March 2013 - 08:27 PM


Hello daniel_hb


These are the programs I would like you to run next, if you have any problems with these just skip it and move on to the next one.


-AdwCleaner-
  • Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile with your next answer.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.
--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller or from here
    • Quit all programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select "Run as Administrator to start"
    • For Windows XP, double-click to start.
    • Wait until Prescan has finished ...
    • Then Click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • click on "delete"
    • Wait until the Status box shows "Deleting Finished"
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[1].txt on your Desktop
    • Exit/Close RogueKiller+
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:27 PM

Posted 16 March 2013 - 02:58 AM


Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools




Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:27 PM

Posted 19 March 2013 - 09:35 AM



Hello

48 Hour bump

It has been more than 48 hours since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

  • Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:27 PM

Posted 22 March 2013 - 02:39 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users