Downloading any file from any browser is nixed, also infinite boot loop.


  • This topic is locked
92 replies to this topic

#1 chrislbrown

  • Members
  • 78 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:07:20 PM

Posted 23 May 2013 - 10:04 AM

Hi Folks.  Thanks for what you do.
 
I recently had a virus on my laptop; it was a fake security program. I used Malwarebytes to clean everything I could. Yet now I can't download anything: pictures, programs, whatever.
 
This is the main issue. A secondary issue, that understandably I might have to create another post for after this is resolved, is that there is an infinite boot loop happening on this machine. I have Hiren's BootCD in the drive and it saves me because it takes over and then I simply select the "Boot from Windows" option. Without this CD, the infinite loop is on. There is a very fast message that I can't quite read which mentions something like "Boot stack error". Is this a simple fix, by copying a backup BIOS?
 
MAN I hope I didn't mess everything up when I used MalwareBytes.
 
Back to the download problems, here is the DDS log:
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16521  BrowserJavaVersion: 10.17.2
Run by lyredd at 10:40:36 on 2013-05-23
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2996.2260 [GMT -4:00]
.
AV: Trend Micro Core Protection Module *Enabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
SP: Trend Micro Core Protection Module *Enabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\M86 Security\Authenticator\Authenticat_s.exe
C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe
C:\Program Files\Motorola\MotForwardDaemon\ForwardDaemon.exe
C:\Program Files\SMART Technologies\Education Software\ResponseHardwareService.exe
C:\ProgramData\Rpcnet\Bin\rpcld.exe
C:\Windows\System32\rpcnet.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
C:\Program Files\SMART Technologies\Education Software\SMARTBoardService.exe
C:\Program Files\SMART Technologies\Education Software\SMARTBoardTools.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\SMART Technologies\Education Software\DesktopMenu.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Adobe\Reader 11.0\Reader\Reader_sl.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\msiexec.exe
C:\Program Files\SMART Technologies\Education Software\Aware.exe
C:\Program Files\SMART Technologies\Education Software\Marker.exe
C:\Program Files\SMART Technologies\Education Software\ResponseSoftwareService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k WbioSvcGroup
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k regsvc
C:\Windows\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
mWinlogon: Userinit = c:\windows\system32\KUsrInit.exe,
BHO: SMART Notebook Download Utility: {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - c:\program files\smart technologies\education software\win32\NotebookPlugin.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Deployment] rundll32 "c:\users\lyredd\appdata\local\flixster\deployment\nkyehcmo.dll",DllRegisterServer
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Unattend0000000001{D0088610-9A00-499E-AD7B-DCD4AE4A6837}] net user user /delete
mRun: [Unattend0000000002{73878A3B-F5B3-44C4-B21D-0F3195007F4E}] c:\windows\image_setup\Agent_Install.vbs
mRun: [Unattend0000000003{A0DB1449-97CD-4B24-AD49-21E4F0B141E3}] c:\windows\image_setup\Init_Admin_Account.exe
mRun: [PSQLLauncher] "c:\program files\thinkvantage fingerprint software\launcher.exe" /startup
mRun: [Unattend0000000001{58764BC9-FC35-498F-8D5C-300197E64E0D}] net user user /delete
mRun: [Unattend0000000002{3D9DA5AB-11F2-49D1-8AA2-35FDCDED2045}] c:\windows\image_setup\Agent_Install.vbs
mRun: [Unattend0000000003{A82EE8CF-889D-47B0-9144-20E98D0C0772}] c:\windows\image_setup\Init_Admin_Account.exe
mRun: [SMART Board Service] "c:\program files\smart technologies\education software\SMARTBoardService.exe"
mRun: [SMART Board Tools] "c:\program files\smart technologies\education software\SMARTBoardTools.exe"
mRun: [Response Desktop Menu] "c:\program files\smart technologies\education software\DesktopMenu.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
uPolicies-Explorer: ForceActiveDesktopOn = dword:1
uPolicies-Explorer: ForceStartMenuLogOff = dword:1
uPolicies-Explorer: ForceClassicControlPanel = dword:1
uPolicies-Explorer: NoSimpleStartMenu = dword:1
uPolicies-Explorer: NoSMConfigurePrograms = dword:1
uPolicies-Explorer: NoCommonGroups = dword:1
uPolicies-Explorer: NoInternetIcon = dword:1
uPolicies-Explorer: NoPropertiesMyDocuments = dword:1
uPolicies-Explorer: NoPropertiesMyComputer = dword:1
uPolicies-Explorer: DisablePersonalDirChange = dword:1
uPolicies-Explorer: NoWindowsUpdate = dword:1
uPolicies-Explorer: NoSMMyDocs = dword:1
uPolicies-Explorer: NoSMMyPictures = dword:1
uPolicies-Explorer: NoStartMenuMyMusic = dword:1
uPolicies-Explorer: NoStartMenuNetworkPlaces = dword:1
uPolicies-Explorer: NoSMHelp = dword:1
uPolicies-Explorer: NoNetworkConnections = dword:1
uPolicies-Explorer: LockTaskbar = dword:1
uPolicies-Explorer: NoSMBalloonTip = dword:1
uPolicies-Explorer: NoStartMenuPinnedList = dword:1
uPolicies-Explorer: NoToolbarsOnTaskbar = dword:1
uPolicies-Explorer: NoCloseDragDropBands = dword:1
uPolicies-Explorer: NoPublishingWizard = dword:1
uPolicies-Explorer: NoWebServices = dword:1
uPolicies-Explorer: NoOnlinePrintsWizard = dword:1
uPolicies-Explorer: NoAutoTrayNotify = dword:1
uPolicies-Explorer: NoNetConnectDisconnect = dword:1
uPolicies-Explorer: NoManageMyComputerVerb = dword:1
uPolicies-Explorer: EnforceShellExtensionSecurity = dword:1
uPolicies-Explorer: NoDFSTab = dword:1
uPolicies-Explorer: NoHardwareTab = dword:1
uPolicies-Explorer: NoSecurityTab = dword:1
uPolicies-Explorer: NoRunasInstallPrompt = dword:1
uPolicies-Explorer: MaxRecentDocs = dword:10
uPolicies-Explorer: NoComputersNearMe = dword:1
uPolicies-Explorer: NoChangeKeyboardNavigationIndicators = dword:1
uPolicies-Explorer: NoChangeAnimation = dword:1
uPolicies-Explorer: PreXPSP2ShellProtocolBehavior = dword:1
uPolicies-Explorer: NoWinKeys = dword:1
uPolicies-Explorer: NoThumbnailCache = dword:1
uPolicies-Explorer: RecycleBinSize = dword:30
uPolicies-System: Wallpaper = c:\windows\image_setup\wallpaper\TranscodedWallpaper.jpg
uPolicies-System: WallpaperStyle = 4
uPolicies-System: NoDispBackgroundPage = dword:1
uPolicies-System: NoDispAppearancePage = dword:1
uPolicies-System: NoDispScrSavPage = dword:1
mPolicies-Explorer: UseDefaultTile = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:181
mPolicies-Explorer: NoAutorun = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableInstallerDetection = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableSecureUIAPaths = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: dontdisplaylastusername = dword:1
mPolicies-System: disablecad = dword:1
mPolicies-Windows\System: LeaveAppMgmtData = dword:1
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
TCP: NameServer = 10.4.223.146 10.4.223.145
TCP: Interfaces\{15032E59-33E3-42A3-A18F-BF577AD27BEA} : DHCPNameServer = 10.4.223.146 10.4.223.145
TCP: Interfaces\{4BCA41CF-3FB3-4DCC-8669-7A22E121C721} : DHCPNameServer = 10.4.223.146 10.4.223.145
TCP: Interfaces\{4BCA41CF-3FB3-4DCC-8669-7A22E121C721}\341607471696E6024634F6B656 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{4BCA41CF-3FB3-4DCC-8669-7A22E121C721}\36862796372627166756E6 : DHCPNameServer = 192.168.43.1
TCP: Interfaces\{87CFF325-149E-4076-B3BE-3D27EAAEB21E} : DHCPNameServer = 192.168.42.129
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll
SSODL: WebCheck - <orphaned>
LSA: Notification Packages =  scecli c:\program files\thinkvantage fingerprint software\psqlpwd.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\26.0.1410.64\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\lyredd\appdata\roaming\mozilla\firefox\profiles\a6xv4n0q.default\
FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\lyredd\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1200112.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AdobeActiveFileMonitor10.0;Adobe Active File Monitor V10;c:\program files\adobe\elements 10 organizer\PhotoshopElementsFileAgent.exe [2011-9-15 169624]
R2 M86_Auth;M86 Security Authenticator;c:\program files\m86 security\authenticator\Authenticat_s.exe [2011-5-4 394584]
R2 Motorola Device Manager;Motorola Device Manager Service;c:\program files\motorola mobility\motorola device manager\MotoHelperService.exe [2012-10-23 120728]
R2 PST Service;PST Service;c:\program files\motorola\motforwarddaemon\ForwardDaemon.exe [2013-2-9 65657]
R2 Response Hardware;Response Hardware;c:\program files\smart technologies\education software\ResponseHardwareService.exe [2011-6-24 19312]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2012-5-24 45056]
R2 rpcld;Remote Procedure Call (RPC) LD;c:\programdata\rpcnet\bin\rpcld.exe --> c:\programdata\rpcnet\bin\rpcld.exe [?]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\thinkvantage fingerprint software\smihlp.sys [2011-5-30 11976]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-4-17 378472]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2012-6-26 2016504]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2012-6-22 268968]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\Netwsn00.sys [2012-10-11 10364416]
R3 SMARTMouseFilterx86;HID-compliant mouse;c:\windows\system32\drivers\SMARTMouseFilterx86.sys [2011-7-14 11632]
R3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\drivers\SMARTVHidMini2000x86.sys [2011-7-14 14704]
R3 SMARTVTabletPCx86;SMART Virtual TabletPC;c:\windows\system32\drivers\SMARTVTabletPCx86.sys [2011-7-14 21872]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 PccNTUpd;PccNTUpd;"c:\program files\trend micro\officescan client\pccntupd.exe" -service --> c:\program files\trend micro\officescan client\PccNTUpd.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2009-1-29 6016]
S3 DKONOFPAS;DKONOFPAS;c:\users\wsadmin\appdata\local\temp\DKONOFPAS.exe [2013-5-5 351104]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-11 62464]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2012-6-11 20864]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2012-1-25 8448]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2012-6-8 23808]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [2011-11-8 11008]
S3 RTL8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2012-5-24 873576]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S4 AMPAgent;Dell KACE Agent;c:\program files\dell\kace\AMPAgent.exe [2012-1-16 2772072]
.
=============== Created Last 30 ================
.
2013-05-20 03:20:21 -------- d-----w- c:\windows\system32\??
2013-05-18 01:30:35 -------- d-----w- C:\iCamSource Motion Events
2013-05-18 01:27:38 -------- d-----w- c:\program files\iCamSource
2013-05-15 04:46:42 -------- d-----w- c:\windows\system32\??
2013-05-15 04:32:33 -------- d-----w- c:\windows\system32\??
2013-05-12 08:55:30 -------- d-----w- c:\program files\Lazesoft Recovery Suite
2013-05-10 23:11:27 -------- d-----w- c:\windows\system32\?s
2013-05-10 01:32:22 -------- d-----w- c:\windows\system32\??
2013-05-10 01:29:40 -------- d-----w- c:\windows\system32\??
2013-05-09 23:18:28 -------- d-----w- c:\windows\system32\?m
2013-05-07 16:52:50 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-05-06 18:56:01 -------- d-----w- c:\users\lyredd\appdata\local\Macromedia
2013-05-06 18:55:35 -------- d-----w- c:\users\lyredd\appdata\local\Mozilla
2013-05-04 06:55:22 -------- d-----w- c:\programdata\EA4AD22E78C8C4A60000EA49E7E9C9DF
2013-05-04 06:54:46 102400 ----a-w- c:\windows\RegBootClean.exe
2013-05-02 03:36:49 -------- d-----w- c:\programdata\APN
.
==================== Find3M  ====================
.
2013-05-23 14:38:00 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2013-05-23 14:37:58 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2013-05-23 14:37:57 69792 ----a-w- c:\windows\system32\rpcnet.dll
2013-05-15 05:01:18 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-15 05:01:18 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-05 12:24:06 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-04-06 08:28:21 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-04-06 08:28:19 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-04-06 08:28:19 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-04 18:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-06 13:18:57 69792 ------w- c:\windows\system32\rpcnet.exe
2013-03-03 07:56:02 745472 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2013-03-03 07:56:02 185344 ----a-w- c:\windows\system32\elshyph.dll
2013-03-03 07:56:01 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-03-03 07:56:01 158720 ----a-w- c:\windows\system32\msls31.dll
2013-03-03 07:56:00 523264 ----a-w- c:\windows\system32\vbscript.dll
2013-03-03 07:56:00 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-03-03 07:56:00 1766912 ----a-w- c:\windows\system32\wininet.dll
2013-03-03 07:56:00 150528 ----a-w- c:\windows\system32\iexpress.exe
2013-03-03 07:56:00 138752 ----a-w- c:\windows\system32\wextract.exe
2013-03-03 07:56:00 137216 ----a-w- c:\windows\system32\ieUnatt.exe
2013-03-03 07:54:56 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-03-03 07:53:52 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
.
============= FINISH: 10:41:28.18 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/19/2012 11:56:21 AM
System Uptime: 5/23/2013 10:37:43 AM (0 hours ago)
.
Motherboard: LENOVO | |
Processor: Intel® Core™ i5 CPU M 520 @ 2.40GHz | None | 1848/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 298 GiB total, 234.428 GiB free.
D: is CDROM (CDFS)
G: is NetworkDisk (NTFS) - 0 GiB total, 333.111 GiB free.
H: is NetworkDisk (NTFS) - 0 GiB total, 333.111 GiB free.
S: is NetworkDisk (NTFS) - 0 GiB total, 333.111 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: 10083
Device ID: ROOT\LEGACY_10083\0000
Manufacturer:
Name: 10083
PNP Device ID: ROOT\LEGACY_10083\0000
Service: 10083
.
==== System Restore Points ===================
.
RP25: 1/11/2013 9:52:57 AM - Scheduled Checkpoint
RP26: 5/6/2013 12:39:13 PM - Scheduled Checkpoint
RP27: 5/7/2013 12:52:35 PM - Windows Update
RP28: 5/11/2013 1:47:03 AM - Windows Update
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Community Help
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop.com Inspiration Browser
Adobe Premiere Elements 10
Adobe Premiere Elements 10 Content 2
Adobe Reader XI (11.0.03)
Adobe Shockwave Player 11.5
Adobe Shockwave Player 12.0
Backup Assistant Plus
CutePDF Writer 2.7
D3DX10
Dell KACE Agent
Elements 10 Organizer
ffdshow [rev 2527] [2008-12-19]
Flixster
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
iCamSource
Intel® Network Connections Drivers
Java 7 Update 17
Java Auto Updater
Lazesoft Recovery Suite version 3.3 Home Edition
M86 Security Authenticator
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Motorola Device Manager
Motorola Device Software Update
Motorola Mobile Drivers Installation 5.9.0
Movie Maker
Mozilla Firefox 20.0.1 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSVCRT110
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB2721691)
NVIDIA 3D Vision Driver 268.24
NVIDIA Control Panel 268.24
NVIDIA Graphics Driver 268.24
NVIDIA HD Audio Driver 1.2.23.3
NVIDIA Install Application
NVIDIA Stereoscopic 3D Driver
Photo Common
Photo Gallery
PRE10STIInstaller
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
SMART Common Platform
SMART Education Software 2011
SMART Notebook
SMART Product Drivers
SMART Response Software
SmartSound Common Data
SmartSound Premiere Elements 10 Plugin
SmartSound Sonicfire Pro 5
swMSM
ThinkPad Power Management Driver
ThinkVantage Fingerprint Software
Trend Micro Endpoint Security Platform
UltraVnc
Unity Web Player
VLC Media Player
VLC media player 2.0.5
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
5/23/2013 4:02:20 AM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain WSFCSNET due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
5/23/2013 4:02:15 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
5/23/2013 4:02:15 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
5/23/2013 10:37:57 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
5/23/2013 10:37:57 AM, Error: Service Control Manager [7000] - The PccNTUpd service failed to start due to the following error: The system cannot find the file specified.
5/23/2013 10:37:56 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
5/23/2013 10:37:56 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
5/23/2013 10:37:56 AM, Error: Service Control Manager [7000] - The 10083 service failed to start due to the following error: The system cannot find the file specified.
5/22/2013 7:14:20 PM, Error: Schannel [36888] - The following fatal alert was generated: 40. The internal error state is 107.
5/22/2013 7:14:20 PM, Error: Schannel [36874] - An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
5/22/2013 7:14:04 PM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
5/20/2013 2:17:02 AM, Error: Microsoft-Windows-TerminalServices-RemoteConnectionManager [1067] - The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted. .
5/17/2013 9:44:46 PM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {C2BFE331-6739-4270-86C9-493D9A04CD38}. The error: "2" Happened while starting this command: C:\Windows\system32\igfxsrvc.exe -Embedding
5/17/2013 9:44:46 PM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {078AEF33-C48A-49F7-AFF3-A0EE810BFE7C}. The error: "2" Happened while starting this command: C:\Windows\system32\igfxsrvc.exe -Embedding
5/16/2013 6:46:02 AM, Error: Microsoft-Windows-GroupPolicy [1006] - The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
.
==== End Of File ===========================

 
Thank you in advance, I'll be alert for when a reply comes through.
 
Chris B.

Attached Files: Attach.txt

Edited by Oh My, 27 May 2013 - 10:54 PM.
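The "Pseudo HJT Report" section of the DDS log above is a flat list of key = value lines, with a scope letter in front of each (u for the current-user hive HKCU, m for the machine hive HKLM). As an added example, not part of the original post or of DDS itself, the following Python script parses that section and flags the settings a responder checks first: HKLM UAC policy values that weaken or disable elevation, and a Userinit entry that differs from the Windows default. The sample input is a handful of lines excerpted from the log in this post.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

DDS prints Winlogon and policy entries as flat 'key = value' lines prefixed
with a scope letter: 'u' for the current user hive (HKCU) and 'm' for the
machine hive (HKLM). This script parses those lines and flags the settings
a responder checks first on a box that has had a rogue security product:
UAC policy values that weaken or disable elevation, and a Userinit entry
that differs from the Windows default.
"""
import re
from collections import namedtuple

# Sample input: lines excerpted from the DDS log in the post above (not a full log).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mWinlogon: Userinit = c:\windows\system32\KUsrInit.exe,
mPolicies-Explorer: NoAutorun = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
.
================= FIREFOX ===================
"""

Entry = namedtuple("Entry", "scope hive key value")

# Matches e.g.  mWinlogon: Userinit = ...   or   mPolicies-System: EnableLUA = dword:0
LINE_RE = re.compile(
    r"^(?P<scope>[um])(?P<hive>Winlogon|Policies-[\w\\]+):\s*"
    r"(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$"
)
SCOPE = {"u": "HKCU", "m": "HKLM"}

# Windows 7 default Userinit value (the trailing comma is part of the default).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"

# (policy name, observed value) -> why it matters. 0 is the weakest setting
# for each of these UAC policy keys.
WEAK_UAC = {
    ("EnableLUA", 0): "UAC is disabled, so admin-group processes run fully elevated",
    ("ConsentPromptBehaviorAdmin", 0): "administrators elevate without any prompt",
    ("PromptOnSecureDesktop", 0): "elevation prompts are not isolated on the secure desktop",
}


def parse_dword(value):
    """Convert a DDS 'dword:N' value (N is decimal) to int; None for non-dword values."""
    if value.startswith("dword:"):
        return int(value.split(":", 1)[1])
    return None


def parse_pseudo_hjt(text):
    """Return Entry tuples for every Winlogon/policy line inside the Pseudo HJT section."""
    entries = []
    in_section = False
    for line in text.splitlines():
        if line.startswith("====="):
            # A banner opens the Pseudo HJT block; the next banner closes it.
            in_section = "Pseudo HJT Report" in line
            continue
        if not in_section:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(SCOPE[m["scope"]], m["hive"], m["key"], m["value"].strip()))
    return entries


def triage(entries):
    """Return human-readable findings for weakened UAC policy and non-default Userinit."""
    findings = []
    for e in entries:
        if e.hive == "Winlogon" and e.key == "Userinit":
            # Anything other than userinit.exe here runs at every logon. On an imaged,
            # domain-joined machine it may be a management agent, so verify the file.
            if e.value.lower() != DEFAULT_USERINIT:
                findings.append(f"{e.scope} Userinit is non-default: {e.value}")
        elif e.scope == "HKLM" and e.hive == "Policies-System":
            reason = WEAK_UAC.get((e.key, parse_dword(e.value)))
            if reason:
                findings.append(f"HKLM {e.key} = {e.value}: {reason}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_pseudo_hjt(SAMPLE_DDS)):
        print(finding)
```

Run against the sample it reports the non-default Userinit plus the three zeroed UAC policies; ConsentPromptBehaviorUser = 3 and NoAutorun = 1 are not flagged.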



#2 Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,680 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:04:20 PM

Posted 27 May 2013 - 10:33 PM

Greetings Chris and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow this topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please run this program for me.

===================================================

Farbar's Recovery Scan Tool

--------------------

For this step you will need a USB flash drive and start on a clean computer.
  • Please download Farbar Recovery Scan Tool and save it to a flash drive. You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Plug the flash drive into the infected PC and follow the 2 step process below to enter the System Recovery Options using one of the three options listed, then running Farbar's Recovery Scan Tool
----------

Entering into the System Recovery Options

Option #1

To enter System Recovery Options in Windows 8:

Option #2

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Option #3

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next
----------

Running Farbar's Recovery Scan Tool in System Recovery
  • Once you are in the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in Notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select Computer and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:
  • FRST log

Edited by Oh My, 27 May 2013 - 10:54 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 chrislbrown

chrislbrown
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:07:20 PM

Posted 30 May 2013 - 10:10 AM

Hi Gary!

I appreciate your time and help.  I saw your post right away, but it has been extremely difficult to run the tool because my laptop will not boot without the Hirem's CD help mentioned in my previous post.  I could not get to the Advanced Boot Options menu.  It would loop back and start rebooting again.  I did capture a picture of the error given, and it reads:

"No PXE Stack commands (hangup means means you have a problematic config)....

Running menu commands (Hangup means you have a problematic config)...."

I went to a clean computer and made a Windows 7 recovery disk.  From there I was able to use the CD boot option above, and then get into the FRST tool.  The log is below.

Thanks again, I'll be standing by.

Chris

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-05-2013
Ran by SYSTEM on 30-05-2013 10:53:05
Running from G:\
Windows 7 Professional Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Unattend0000000003{A82EE8CF-889D-47B0-9144-20E98D0C0772}] c:\windows\Image_Setup\Init_Admin_Account.exe [253440 2011-06-01] ()
HKLM\...\Run: [Unattend0000000003{A0DB1449-97CD-4B24-AD49-21E4F0B141E3}] c:\windows\Image_Setup\Init_Admin_Account.exe [253440 2011-06-01] ()
HKLM\...\Run: [Unattend0000000002{73878A3B-F5B3-44C4-B21D-0F3195007F4E}] C:\Windows\Image_Setup\Agent_Install.vbs [786 2012-04-23] ()
HKLM\...\Run: [Unattend0000000002{3D9DA5AB-11F2-49D1-8AA2-35FDCDED2045}] C:\Windows\Image_Setup\Agent_Install.vbs [786 2012-04-23] ()
HKLM\...\Run: [Unattend0000000001{D0088610-9A00-499E-AD7B-DCD4AE4A6837}] net user user /delete [x]
HKLM\...\Run: [Unattend0000000001{58764BC9-FC35-498F-8D5C-300197E64E0D}] net user user /delete [x]
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [SMART Board Tools] "C:\Program Files\SMART Technologies\Education Software\SMARTBoardTools.exe" [9800560 2011-06-23] (SMART Technologies ULC)
HKLM\...\Run: [SMART Board Service] "C:\Program Files\SMART Technologies\Education Software\SMARTBoardService.exe" [1761136 2011-07-13] (SMART Technologies)
HKLM\...\Run: [Response Desktop Menu] "C:\Program Files\SMART Technologies\Education Software\DesktopMenu.exe" [1900912 2011-06-23] (SMART Technologies)
HKLM\...\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup [55656 2012-08-02] (Authentec Inc.)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-06-16] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM Group Policy restriction on software: c:\windows\psexec.exe <====== ATTENTION
HKLM Group Policy restriction on software: P:\*.rar <====== ATTENTION
HKLM Group Policy restriction on software: S:\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: c:\windows\psexesvc.exe <====== ATTENTION
HKLM Group Policy restriction on software: H:\zPharaoh.exe <====== ATTENTION
HKLM Group Policy restriction on software: P:\autorun.inf <====== ATTENTION
HKLM Group Policy restriction on software: H:\autorun.inf <====== ATTENTION
HKLM Group Policy restriction on software: c:\windows\system32\vistaupgrade.exe <====== ATTENTION
HKLM Group Policy restriction on software: c:\windows\system32\2.exe <====== ATTENTION
HKLM Group Policy restriction on software: S:\*.rar <====== ATTENTION
HKLM Group Policy restriction on software: c:\windows\system32\1.exe <====== ATTENTION
HKLM Group Policy restriction on software: S:\autorun.inf <====== ATTENTION
HKLM Group Policy restriction on software: P:\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: H:\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: c:\windows\psexecsvc.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\zPharaoh.exe <====== ATTENTION
HKLM Group Policy restriction on software: H:\*.rar <====== ATTENTION
HKLM Group Policy restriction on software: C:\1.taz <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM\...\Winlogon: [Userinit] C:\Windows\System32\KUsrInit.exe, [393832 2012-01-15] (Dell Inc.)
Winlogon\Notify\psfus: C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll [X]
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
HKU\cataylor\...\Policies\system: [Wallpaper] C:\Windows\Image_Setup\Wallpaper\TranscodedWallpaper.jpg
HKU\cataylor\...\Policies\system: [WallpaperStyle] 4
HKU\gsparker\...\Policies\system: [Wallpaper] C:\Windows\Image_Setup\Wallpaper\TranscodedWallpaper.jpg
HKU\gsparker\...\Policies\system: [WallpaperStyle] 4
HKU\gsparker\...\Policies\system: [NoDispBackgroundPage] 1
HKU\gsparker\...\Policies\system: [NoDispAppearancePage] 1
HKU\gsparker\...\Policies\system: [NoDispScrSavPage] 1
HKU\lyredd\...\Run: [Deployment] rundll32 "C:\Users\lyredd\AppData\Local\Flixster\Deployment\nkyehcmo.dll",DllRegisterServer [x]
HKU\lyredd\...\Policies\system: [Wallpaper] C:\Windows\Image_Setup\Wallpaper\TranscodedWallpaper.jpg
HKU\lyredd\...\Policies\system: [WallpaperStyle] 4
HKU\lyredd\...\Policies\system: [NoDispBackgroundPage] 1
HKU\lyredd\...\Policies\system: [NoDispAppearancePage] 1
HKU\lyredd\...\Policies\system: [NoDispScrSavPage] 1
HKU\msouthern\...\Policies\system: [Wallpaper] C:\Windows\Image_Setup\Wallpaper\TranscodedWallpaper.jpg
HKU\msouthern\...\Policies\system: [WallpaperStyle] 4
HKU\WSAdmin\...\Run: [CAHeadless] C:\Program Files\Adobe\Elements 10 Organizer\CAHeadless\ElementsAutoAnalyzer.exe [ 2011-09-14] (Adobe Systems Incorporated)
HKU\WSAdmin\...\Run: [HLBackupScheduler] C:\Program Files\Backup Assistant Plus\V CAST Backup Scheduler.exe [ 2012-08-20] ()
HKU\WSAdmin\...\Run: [SkyDrive] "C:\Users\WSAdmin\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" /background [ 2013-03-19] (Microsoft Corporation)
HKU\WSAdmin\...\Run: [Akamai NetSession Interface] "C:\Users\WSAdmin\AppData\Local\Akamai\netsession_win.exe" [x]
HKU\WSAdmin\...\Policies\system: [Wallpaper] C:\Windows\Image_Setup\Wallpaper\TranscodedWallpaper.jpg
HKU\WSAdmin\...\Policies\system: [WallpaperStyle] 4
Lsa: [Notification Packages] scecli C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll

========================== Services (Whitelisted) =================

S2 AdobeActiveFileMonitor10.0; C:\Program Files\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe [169624 2011-09-14] (Adobe Systems Incorporated)
S4 AMPAgent; C:\Program Files\Dell\KACE\AMPAgent.exe [2772072 2012-01-15] (Dell Inc.)
S2 BESClient; C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe [4675992 2012-03-19] (IBM Corp.)
S3 DKONOFPAS; C:\Users\WSAdmin\AppData\Local\Temp\DKONOFPAS.exe [351104 2013-05-05] (Sysinternals - www.sysinternals.com)
S2 M86_Auth; C:\Program Files\M86 Security\Authenticator\Authenticat_s.exe [394584 2011-05-04] (M86 Security)
S2 Motorola Device Manager; C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [120728 2012-10-23] ()
S2 PST Service; C:\Program Files\Motorola\MotForwardDaemon\ForwardDaemon.exe [65657 2011-09-02] (Motorola)
S2 Response Hardware; C:\Program Files\SMART Technologies\Education Software\ResponseHardwareService.exe [19312 2011-06-23] (SMART Technologies)
S2 rpcld; C:\ProgramData\Rpcnet\Bin\rpcld.exe [179120 2011-09-28] (Absolute Software Corp.)
S2 Rpcnet; C:\Windows\System32\rpcnet.exe [69792 2013-03-06] (Absolute Software Corp.)
S2 uvnc_service; C:\Program Files\UltraVNC\WinVNC.exe [2016504 2011-05-18] (UltraVNC)
S2 PccNTUpd; "C:\Program Files\Trend Micro\OfficeScan Client\PccNTUpd.exe" -service [x]

==================== Drivers (Whitelisted) ====================

S3 NETwNs32; C:\Windows\System32\DRIVERS\Netwsn00.sys [10364416 2012-06-03] (Intel Corporation)
S3 SMARTMouseFilterx86; C:\Windows\System32\DRIVERS\SMARTMouseFilterx86.sys [11632 2011-07-13] (SMART Technologies ULC)
S3 SMARTVHidMini2000x86; C:\Windows\System32\DRIVERS\SMARTVHidMini2000x86.sys [14704 2011-07-13] (SMART Technologies ULC)
S3 SMARTVTabletPCx86; C:\Windows\System32\DRIVERS\SMARTVTabletPCx86.sys [21872 2011-07-13] (SMART Technologies ULC)
S2 smihlp; C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys [11976 2011-05-30] (Authentec Inc.)
S2 10083; \??\C:\Users\WSAdmin\AppData\Local\Temp\10083.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-30 10:52 - 2013-05-30 10:52 - 00000000 ____D C:\FRST
2013-05-30 05:48 - 2013-05-30 06:20 - 00000444 ___AH C:\Windows\Tasks\Norton Security Scan for WSAdmin.job
2013-05-30 03:47 - 2013-05-30 03:47 - 00000000 ____D C:\Windows\pss
2013-05-29 03:18 - 2013-05-30 05:49 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-05-29 03:17 - 2013-05-29 18:33 - 00000442 ___AH C:\Windows\Tasks\Norton Security Scan for lyredd.job
2013-05-29 03:17 - 2013-05-29 03:17 - 00001415 ____A C:\Users\Public\Desktop\Norton Security Scan.LNK
2013-05-29 03:17 - 2013-05-29 03:17 - 00000000 ____D C:\Windows\System32\Drivers\NSS
2013-05-29 03:17 - 2013-05-29 03:17 - 00000000 ____D C:\ProgramData\Symantec
2013-05-29 03:17 - 2013-05-29 03:17 - 00000000 ____D C:\ProgramData\Norton
2013-05-29 03:17 - 2013-05-29 03:17 - 00000000 ____D C:\Program Files\Norton Security Scan
2013-05-27 08:28 - 2013-05-30 05:51 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-05-24 17:51 - 2013-05-24 17:51 - 00000000 ____D C:\Windows\System32\?u
2013-05-23 11:18 - 2013-05-23 11:23 - 00000000 ____D C:\Users\lyredd\AppData\Local\CutePDF Writer
2013-05-23 02:31 - 2013-05-23 07:08 - 00000000 ____D C:\Users\WSAdmin\Documents\Fix
2013-05-22 09:03 - 2013-05-22 09:03 - 08161699 ____A C:\Users\Public\Documents\cartoon.pptx
2013-05-19 19:20 - 2013-05-19 19:20 - 00000000 ____D C:\Windows\System32\?I
2013-05-17 17:30 - 2013-05-17 17:30 - 00000000 ____D C:\iCamSource Motion Events
2013-05-17 17:27 - 2013-05-17 17:27 - 00000919 ____A C:\Users\Public\Desktop\iCamSource.lnk
2013-05-17 17:27 - 2013-05-17 17:27 - 00000000 ____D C:\Program Files\iCamSource
2013-05-17 17:19 - 2013-05-23 00:11 - 00000000 ____D C:\Users\Public\Documents\loaddown
2013-05-17 09:05 - 2013-05-17 09:05 - 00000000 ____D C:\Users\gsparker\AppData\Local\Google
2013-05-17 07:48 - 2013-05-17 09:41 - 00002162 ____A C:\Users\gsparker\Desktop\NCTest.lnk
2013-05-17 04:50 - 2013-05-30 06:21 - 00002104 ____A C:\Users\lyredd\Desktop\Google Chrome.lnk
2013-05-16 11:07 - 2013-05-30 06:21 - 00002162 ____A C:\Users\lyredd\Desktop\NCTest.lnk
2013-05-16 03:06 - 2013-05-16 03:06 - 00001367 ____A C:\Users\Public\Documents\Remote Desktop Connection.lnk
2013-05-15 02:47 - 2013-05-17 09:41 - 00002104 ____A C:\Users\gsparker\Desktop\Google Chrome.lnk
2013-05-15 02:47 - 2013-05-17 09:41 - 00000065 ____A C:\Users\gsparker\Desktop\NCTest.url
2013-05-14 20:46 - 2013-05-14 20:46 - 00000000 ____D C:\Windows\System32\??
2013-05-14 20:32 - 2013-05-14 20:32 - 00000000 ____D C:\Windows\System32\?L
2013-05-14 03:29 - 2013-05-14 03:29 - 00144134 ____A C:\Users\Public\Documents\wxii.pptx
2013-05-12 00:55 - 2013-05-12 01:00 - 00000000 ____D C:\Program Files\Lazesoft Recovery Suite
2013-05-12 00:55 - 2013-05-12 00:55 - 00001337 ____A C:\Users\Public\Desktop\Lazesoft Recovery Suite Home Edition.lnk
2013-05-12 00:55 - 2013-05-12 00:55 - 00000000 ____D C:\Users\WSAdmin\AppData\Local\CrashRpt
2013-05-12 00:55 - 2013-05-12 00:46 - 21666231 ____N (Lazesoft                                                    ) C:\Users\WSAdmin\Desktop\lsrshsetup.exe
2013-05-11 17:49 - 2013-05-11 17:50 - 00000000 ____D C:\Users\WSAdmin\Desktop\usb
2013-05-11 09:45 - 2013-05-11 09:45 - 00002197 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-05-11 09:44 - 2013-05-11 09:45 - 00000000 ____D C:\Users\WSAdmin\AppData\Local\Google
2013-05-10 15:11 - 2013-05-10 15:11 - 00000000 ____D C:\Windows\System32\?s
2013-05-10 04:54 - 2013-05-30 06:21 - 00000065 ____A C:\Users\lyredd\Desktop\NCTest.url
2013-05-09 17:32 - 2013-05-09 17:32 - 00000000 ____D C:\Windows\System32\?I
2013-05-09 17:29 - 2013-05-09 17:29 - 00000000 ____D C:\Windows\System32\??
2013-05-09 15:18 - 2013-05-09 15:18 - 00000000 ____D C:\Windows\System32\?m
2013-05-07 23:27 - 2013-05-07 23:27 - 00000165 ___AH C:\Users\Public\Documents\~$hero.pptx
2013-05-07 08:52 - 2013-05-02 07:28 - 00238872 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-05-07 08:39 - 2013-05-12 00:30 - 00001945 ____A C:\Windows\epplauncher.mif
2013-05-07 08:32 - 2013-05-07 08:38 - 02645817 ____A C:\Windows\CPMUninstall.log
2013-05-07 04:07 - 2013-05-07 04:07 - 00000165 ___AH C:\Users\Public\Documents\~$likearaven2.pptx
2013-05-06 10:56 - 2013-05-06 10:56 - 00000000 ____D C:\Users\lyredd\AppData\Local\Macromedia
2013-05-06 10:55 - 2013-05-06 10:55 - 00000000 ____D C:\Users\lyredd\AppData\Roaming\Mozilla
2013-05-06 10:55 - 2013-05-06 10:55 - 00000000 ____D C:\Users\lyredd\AppData\Local\Mozilla
2013-05-05 04:19 - 2013-05-05 04:19 - 00000361 ____A C:\rkill.log
2013-05-05 02:48 - 2013-05-05 02:48 - 00001063 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-05 02:41 - 2013-05-05 02:41 - 00000000 ____D C:\Users\WSAdmin\AppData\Roaming\Malwarebytes
2013-05-03 22:55 - 2013-05-03 23:02 - 00000000 ____D C:\ProgramData\EA4AD22E78C8C4A60000EA49E7E9C9DF
2013-05-03 22:54 - 2013-05-03 22:54 - 00182276 ____A C:\Windows\System32\c_7265253.nls
2013-05-03 22:54 - 2013-05-03 22:54 - 00102400 ____A C:\Windows\RegBootClean.exe
2013-05-03 04:30 - 2013-05-03 04:30 - 00336636 ____A C:\Users\Public\Documents\google.pptx
2013-05-01 19:36 - 2013-05-01 19:36 - 01611344 ____A (InstallX, LLC) C:\Users\WSAdmin\Downloads\vioplayer2_d3795647.exe
2013-05-01 19:36 - 2013-05-01 19:36 - 00000000 ____D C:\ProgramData\APN
2013-04-30 19:47 - 2013-04-30 19:50 - 147615744 ____A C:\Users\lyredd\Desktop\hulkangermgmt.mpg
2013-04-30 19:47 - 2013-04-30 19:50 - 01431412 ____A C:\Users\WSAdmin\Documents\hulkangermgmt.mpg.xmpses
2013-04-30 12:46 - 2013-05-21 10:39 - 00015701 ____H C:\Users\lyredd\Desktop\~WRL0003.tmp
2013-04-30 12:46 - 2013-05-13 04:18 - 00015413 ____H C:\Users\lyredd\Desktop\~WRL0005.tmp
2013-04-30 12:46 - 2013-05-02 07:02 - 00014903 ____H C:\Users\lyredd\Desktop\~WRL1612.tmp

==================== One Month Modified Files and Folders ========

2013-05-30 10:52 - 2013-05-30 10:52 - 00000000 ____D C:\FRST
2013-05-30 10:44 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\LogFiles
2013-05-30 06:27 - 2009-07-13 20:34 - 00019120 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-30 06:27 - 2009-07-13 20:34 - 00019120 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-30 06:21 - 2013-05-17 04:50 - 00002104 ____A C:\Users\lyredd\Desktop\Google Chrome.lnk
2013-05-30 06:21 - 2013-05-16 11:07 - 00002162 ____A C:\Users\lyredd\Desktop\NCTest.lnk
2013-05-30 06:21 - 2013-05-10 04:54 - 00000065 ____A C:\Users\lyredd\Desktop\NCTest.url
2013-05-30 06:21 - 2013-02-20 12:17 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-30 06:21 - 2013-02-20 12:17 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-30 06:21 - 2013-01-24 12:05 - 00000174 ____A C:\Windows\hpbafd.ini
2013-05-30 06:21 - 2013-01-23 13:26 - 00001916 ____A C:\Users\lyredd\Desktop\Internet Explorer.lnk
2013-05-30 06:21 - 2013-01-23 13:26 - 00001636 ____A C:\Users\lyredd\Desktop\Student Shared Folder.lnk
2013-05-30 06:21 - 2013-01-23 13:26 - 00001634 ____A C:\Users\lyredd\Desktop\Staff Shared Folder.lnk
2013-05-30 06:21 - 2013-01-23 13:26 - 00001614 ____A C:\Users\lyredd\Desktop\Home Folder.lnk
2013-05-30 06:21 - 2013-01-23 13:26 - 00000609 ____A C:\Users\lyredd\Desktop\Orchard.lnk
2013-05-30 06:21 - 2013-01-23 13:26 - 00000134 ____A C:\Users\lyredd\Desktop\Destiny Online Catalog.url
2013-05-30 06:21 - 2013-01-23 13:26 - 00000130 ____A C:\Users\lyredd\Desktop\Cook Online.url
2013-05-30 06:21 - 2013-01-23 13:26 - 00000125 ____A C:\Users\lyredd\Desktop\Staff Email.url
2013-05-30 06:21 - 2013-01-23 13:26 - 00000116 ____A C:\Users\lyredd\Desktop\Starfall.url
2013-05-30 06:21 - 2013-01-11 05:45 - 00000120 ____A C:\Windows\System32\config\netlogon.ftl
2013-05-30 06:20 - 2013-05-30 05:48 - 00000444 ___AH C:\Windows\Tasks\Norton Security Scan for WSAdmin.job
2013-05-30 06:20 - 2013-01-24 06:08 - 00000000 ____D C:\ProgramData\NVIDIA
2013-05-30 06:20 - 2012-06-25 08:03 - 00017920 ____A C:\Windows\System32\rpcnetp.dll
2013-05-30 06:20 - 2012-06-25 08:02 - 00017920 ____A C:\Windows\System32\rpcnetp.exe
2013-05-30 06:20 - 2012-06-25 06:25 - 00069792 ____A (Absolute Software Corp.) C:\Windows\System32\rpcnet.dll
2013-05-30 06:20 - 2010-11-20 13:48 - 00016512 ____A C:\Windows\PFRO.log
2013-05-30 06:20 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-30 06:20 - 2009-07-13 20:39 - 00085124 ____A C:\Windows\setupact.log
2013-05-30 06:14 - 2013-02-09 14:26 - 00000000 ___RD C:\Users\WSAdmin\SkyDrive
2013-05-30 06:01 - 2013-02-09 23:15 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-30 05:57 - 2012-10-19 07:58 - 01559019 ____A C:\Windows\WindowsUpdate.log
2013-05-30 05:51 - 2013-05-27 08:28 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-05-30 05:51 - 2013-02-08 00:14 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-05-30 05:49 - 2013-05-29 03:18 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-05-30 03:47 - 2013-05-30 03:47 - 00000000 ____D C:\Windows\pss
2013-05-30 03:45 - 2010-11-20 13:01 - 00797534 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-30 03:26 - 2009-07-13 20:53 - 00032634 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-05-29 18:33 - 2013-05-29 03:17 - 00000442 ___AH C:\Windows\Tasks\Norton Security Scan for lyredd.job
2013-05-29 18:22 - 2013-01-11 08:23 - 00000071 __RSH C:\ProgramData\3002.xml
2013-05-29 18:12 - 2013-03-13 04:16 - 00000000 ____D C:\Users\lyredd\AppData\Roaming\vlc
2013-05-29 08:33 - 2013-04-16 10:45 - 19232560 ____A C:\Users\Public\Documents\likearaven2.pptx
2013-05-29 04:25 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\System32\FxsTmp
2013-05-29 03:17 - 2013-05-29 03:17 - 00001415 ____A C:\Users\Public\Desktop\Norton Security Scan.LNK
2013-05-29 03:17 - 2013-05-29 03:17 - 00000000 ____D C:\Windows\System32\Drivers\NSS
2013-05-29 03:17 - 2013-05-29 03:17 - 00000000 ____D C:\ProgramData\Symantec
2013-05-29 03:17 - 2013-05-29 03:17 - 00000000 ____D C:\ProgramData\Norton
2013-05-29 03:17 - 2013-05-29 03:17 - 00000000 ____D C:\Program Files\Norton Security Scan
2013-05-28 12:07 - 2012-06-26 04:44 - 00000000 ____D C:\Windows\System32\Macromed
2013-05-28 03:18 - 2013-04-03 10:37 - 00037376 ____A C:\Users\Public\Documents\timesheet.xls
2013-05-24 17:51 - 2013-05-24 17:51 - 00000000 ____D C:\Windows\System32\?u
2013-05-24 08:17 - 2013-04-08 03:49 - 01444301 ____A C:\Users\Public\Documents\ccom.pptx
2013-05-23 11:23 - 2013-05-23 11:18 - 00000000 ____D C:\Users\lyredd\AppData\Local\CutePDF Writer
2013-05-23 07:08 - 2013-05-23 02:31 - 00000000 ____D C:\Users\WSAdmin\Documents\Fix
2013-05-23 00:11 - 2013-05-17 17:19 - 00000000 ____D C:\Users\Public\Documents\loaddown
2013-05-22 09:03 - 2013-05-22 09:03 - 08161699 ____A C:\Users\Public\Documents\cartoon.pptx
2013-05-21 10:39 - 2013-04-30 12:46 - 00015701 ____H C:\Users\lyredd\Desktop\~WRL0003.tmp
2013-05-19 19:20 - 2013-05-19 19:20 - 00000000 ____D C:\Windows\System32\?I
2013-05-17 17:30 - 2013-05-17 17:30 - 00000000 ____D C:\iCamSource Motion Events
2013-05-17 17:27 - 2013-05-17 17:27 - 00000919 ____A C:\Users\Public\Desktop\iCamSource.lnk
2013-05-17 17:27 - 2013-05-17 17:27 - 00000000 ____D C:\Program Files\iCamSource
2013-05-17 09:41 - 2013-05-17 07:48 - 00002162 ____A C:\Users\gsparker\Desktop\NCTest.lnk
2013-05-17 09:41 - 2013-05-15 02:47 - 00002104 ____A C:\Users\gsparker\Desktop\Google Chrome.lnk
2013-05-17 09:41 - 2013-05-15 02:47 - 00000065 ____A C:\Users\gsparker\Desktop\NCTest.url
2013-05-17 09:41 - 2013-01-25 09:08 - 00001916 ____A C:\Users\gsparker\Desktop\Internet Explorer.lnk
2013-05-17 09:41 - 2013-01-25 09:08 - 00001636 ____A C:\Users\gsparker\Desktop\Student Shared Folder.lnk
2013-05-17 09:41 - 2013-01-25 09:08 - 00001634 ____A C:\Users\gsparker\Desktop\Staff Shared Folder.lnk
2013-05-17 09:41 - 2013-01-25 09:08 - 00001614 ____A C:\Users\gsparker\Desktop\Home Folder.lnk
2013-05-17 09:41 - 2013-01-25 09:08 - 00000609 ____A C:\Users\gsparker\Desktop\Orchard.lnk
2013-05-17 09:41 - 2013-01-25 09:08 - 00000134 ____A C:\Users\gsparker\Desktop\Destiny Online Catalog.url
2013-05-17 09:41 - 2013-01-25 09:08 - 00000130 ____A C:\Users\gsparker\Desktop\Cook Online.url
2013-05-17 09:41 - 2013-01-25 09:08 - 00000122 ____A C:\Users\gsparker\Desktop\Staff Email.url
2013-05-17 09:41 - 2013-01-25 09:08 - 00000116 ____A C:\Users\gsparker\Desktop\Starfall.url
2013-05-17 09:05 - 2013-05-17 09:05 - 00000000 ____D C:\Users\gsparker\AppData\Local\Google
2013-05-17 03:05 - 2013-02-20 12:17 - 00000000 ____D C:\Users\lyredd\AppData\Local\Google
2013-05-17 03:04 - 2012-06-26 04:49 - 00000000 ____D C:\Windows\System32\Adobe
2013-05-16 11:07 - 2013-03-27 07:51 - 00000000 ____D C:\Users\lyredd\AppData\Local\Backup Assistant Plus
2013-05-16 03:06 - 2013-05-16 03:06 - 00001367 ____A C:\Users\Public\Documents\Remote Desktop Connection.lnk
2013-05-15 03:29 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\twain_32
2013-05-15 03:28 - 2013-02-07 06:26 - 00002006 ___AH C:\Users\WSAdmin\Documents\Default.rdp
2013-05-15 02:47 - 2012-06-25 06:19 - 00111568 _RASH C:\ProgramData\ntuser.pol
2013-05-14 21:01 - 2013-02-09 23:15 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-05-14 21:01 - 2012-06-26 04:44 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-05-14 20:46 - 2013-05-14 20:46 - 00000000 ____D C:\Windows\System32\??
2013-05-14 20:32 - 2013-05-14 20:32 - 00000000 ____D C:\Windows\System32\?L
2013-05-14 03:29 - 2013-05-14 03:29 - 00144134 ____A C:\Users\Public\Documents\wxii.pptx
2013-05-13 04:18 - 2013-04-30 12:46 - 00015413 ____H C:\Users\lyredd\Desktop\~WRL0005.tmp
2013-05-12 18:05 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2013-05-12 01:07 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Speech
2013-05-12 01:00 - 2013-05-12 00:55 - 00000000 ____D C:\Program Files\Lazesoft Recovery Suite
2013-05-12 00:55 - 2013-05-12 00:55 - 00001337 ____A C:\Users\Public\Desktop\Lazesoft Recovery Suite Home Edition.lnk
2013-05-12 00:55 - 2013-05-12 00:55 - 00000000 ____D C:\Users\WSAdmin\AppData\Local\CrashRpt
2013-05-12 00:53 - 2013-02-08 09:11 - 00000000 ____D C:\Users\WSAdmin\AppData\Roaming\vlc
2013-05-12 00:46 - 2013-05-12 00:55 - 21666231 ____N (Lazesoft                                                    ) C:\Users\WSAdmin\Desktop\lsrshsetup.exe
2013-05-12 00:30 - 2013-05-07 08:39 - 00001945 ____A C:\Windows\epplauncher.mif
2013-05-11 17:50 - 2013-05-11 17:49 - 00000000 ____D C:\Users\WSAdmin\Desktop\usb
2013-05-11 09:45 - 2013-05-11 09:45 - 00002197 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-05-11 09:45 - 2013-05-11 09:44 - 00000000 ____D C:\Users\WSAdmin\AppData\Local\Google
2013-05-11 09:44 - 2013-02-20 12:17 - 00000000 ____D C:\Program Files\Google
2013-05-11 00:59 - 2013-03-27 05:48 - 00000000 ____D C:\Users\lyredd\AppData\Local\Flixster
2013-05-10 15:11 - 2013-05-10 15:11 - 00000000 ____D C:\Windows\System32\?s
2013-05-09 17:32 - 2013-05-09 17:32 - 00000000 ____D C:\Windows\System32\?I
2013-05-09 17:29 - 2013-05-09 17:29 - 00000000 ____D C:\Windows\System32\??
2013-05-09 15:18 - 2013-05-09 15:18 - 00000000 ____D C:\Windows\System32\?m
2013-05-08 04:25 - 2012-06-26 07:04 - 00018208 __RSH C:\ProgramData\3002.abs
2013-05-07 23:27 - 2013-05-07 23:27 - 00000165 ___AH C:\Users\Public\Documents\~$hero.pptx
2013-05-07 08:38 - 2013-05-07 08:32 - 02645817 ____A C:\Windows\CPMUninstall.log
2013-05-07 08:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2013-05-07 04:07 - 2013-05-07 04:07 - 00000165 ___AH C:\Users\Public\Documents\~$likearaven2.pptx
2013-05-06 10:56 - 2013-05-06 10:56 - 00000000 ____D C:\Users\lyredd\AppData\Local\Macromedia
2013-05-06 10:55 - 2013-05-06 10:55 - 00000000 ____D C:\Users\lyredd\AppData\Roaming\Mozilla
2013-05-06 10:55 - 2013-05-06 10:55 - 00000000 ____D C:\Users\lyredd\AppData\Local\Mozilla
2013-05-06 10:38 - 2013-01-11 05:28 - 00738034 ____A C:\Windows\System32\TmInstall.log
2013-05-05 04:24 - 2009-07-13 15:11 - 00445008 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys
2013-05-05 04:19 - 2013-05-05 04:19 - 00000361 ____A C:\rkill.log
2013-05-05 02:48 - 2013-05-05 02:48 - 00001063 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-05 02:48 - 2013-01-11 09:05 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-05-05 02:41 - 2013-05-05 02:41 - 00000000 ____D C:\Users\WSAdmin\AppData\Roaming\Malwarebytes
2013-05-03 23:02 - 2013-05-03 22:55 - 00000000 ____D C:\ProgramData\EA4AD22E78C8C4A60000EA49E7E9C9DF
2013-05-03 22:54 - 2013-05-03 22:54 - 00182276 ____A C:\Windows\System32\c_7265253.nls
2013-05-03 22:54 - 2013-05-03 22:54 - 00102400 ____A C:\Windows\RegBootClean.exe
2013-05-03 04:42 - 2013-03-13 04:16 - 00000000 ____D C:\Users\lyredd\AppData\Roaming\dvdcss
2013-05-03 04:30 - 2013-05-03 04:30 - 00336636 ____A C:\Users\Public\Documents\google.pptx
2013-05-02 12:16 - 2013-02-15 14:08 - 00000395 ____A C:\Windows\TMFilter.log
2013-05-02 07:28 - 2013-05-07 08:52 - 00238872 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-05-02 07:02 - 2013-04-30 12:46 - 00014903 ____H C:\Users\lyredd\Desktop\~WRL1612.tmp
2013-05-01 19:36 - 2013-05-01 19:36 - 01611344 ____A (InstallX, LLC) C:\Users\WSAdmin\Downloads\vioplayer2_d3795647.exe
2013-05-01 19:36 - 2013-05-01 19:36 - 00000000 ____D C:\ProgramData\APN
2013-04-30 19:50 - 2013-04-30 19:47 - 147615744 ____A C:\Users\lyredd\Desktop\hulkangermgmt.mpg
2013-04-30 19:50 - 2013-04-30 19:47 - 01431412 ____A C:\Users\WSAdmin\Documents\hulkangermgmt.mpg.xmpses
2013-04-30 15:33 - 2013-02-08 09:11 - 00000000 ____D C:\Users\WSAdmin\AppData\Roaming\dvdcss

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-14291297-1635149340-415560179-1000\$76713e802526bf0c47617113803997cf

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$76713e802526bf0c47617113803997cf

==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-01-11 06:53:13
Restore point made on: 2013-05-06 08:39:51
Restore point made on: 2013-05-07 08:52:45
Restore point made on: 2013-05-10 21:47:13

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 2995.67 MB
Available physical RAM: 2528.1 MB
Total Pagefile: 2993.96 MB
Available Pagefile: 2533.75 MB
Total Virtual: 2047.88 MB
Available Virtual: 1932.36 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:297.99 GB) (Free:233.69 GB) NTFS
Drive e: (Repair disc Windows 7 32-bit) (CDROM) (Total:0.14 GB) (Free:0 GB) UDF
Drive g: (My 512MB) (Removable) (Total:0.47 GB) (Free:0.24 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 535CC0BC)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=298 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 477 MB) (Disk ID: 00000000)
Partition 1: (Active) - (Size=477 MB) - (Type=0E)


Last Boot: 2013-05-24 04:01

==================== End Of Log ============================


#4 chrislbrown
  • Topic Starter
  • Members
  • 78 posts
  • Gender:Male
  • Location:North Carolina

Posted 30 May 2013 - 10:13 AM

Oh, and, Lord Bless.  Nice quote on your signature. :)



#5 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,680 posts
  • Gender:Male
  • Location:California

Posted 30 May 2013 - 07:44 PM

Greetings Chris,

Thanks for the words of encouragement; I deeply appreciate your comment. And thanks for the hard work getting the report. Your computer is quite sick, and had you not been able to produce the log, the job ahead of us would have been much more difficult.

Can you tell me if you intentionally installed Flixster?

I have a step for you to take but I must first advise you of the following.

===================================================

BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Please let me know if you have already noticed evidence of financial institution irregularities.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
HKLM\...\Run: [Unattend0000000003{A82EE8CF-889D-47B0-9144-20E98D0C0772}] c:\windows\Image_Setup\Init_Admin_Account.exe [253440 2011-06-01] ()
HKLM\...\Run: [Unattend0000000003{A0DB1449-97CD-4B24-AD49-21E4F0B141E3}] c:\windows\Image_Setup\Init_Admin_Account.exe [253440 2011-06-01] ()
HKLM\...\Run: [Unattend0000000002{73878A3B-F5B3-44C4-B21D-0F3195007F4E}] C:\Windows\Image_Setup\Agent_Install.vbs [786 2012-04-23] ()
HKLM\...\Run: [Unattend0000000002{3D9DA5AB-11F2-49D1-8AA2-35FDCDED2045}] C:\Windows\Image_Setup\Agent_Install.vbs [786 2012-04-23] ()
HKLM\...\Run: [Unattend0000000001{D0088610-9A00-499E-AD7B-DCD4AE4A6837}] net user user /delete [x]
HKLM\...\Run: [Unattend0000000001{58764BC9-FC35-498F-8D5C-300197E64E0D}] net user user /delete [x]
HKLM Group Policy restriction on software: c:\windows\psexec.exe <====== ATTENTION
HKLM Group Policy restriction on software: P:\*.rar <====== ATTENTION
HKLM Group Policy restriction on software: S:\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: c:\windows\psexesvc.exe <====== ATTENTION
HKLM Group Policy restriction on software: H:\zPharaoh.exe <====== ATTENTION
HKLM Group Policy restriction on software: P:\autorun.inf <====== ATTENTION
HKLM Group Policy restriction on software: H:\autorun.inf <====== ATTENTION
HKLM Group Policy restriction on software: c:\windows\system32\vistaupgrade.exe <====== ATTENTION
HKLM Group Policy restriction on software: c:\windows\system32\2.exe <====== ATTENTION
HKLM Group Policy restriction on software: S:\*.rar <====== ATTENTION
HKLM Group Policy restriction on software: c:\windows\system32\1.exe <====== ATTENTION
HKLM Group Policy restriction on software: S:\autorun.inf <====== ATTENTION
HKLM Group Policy restriction on software: P:\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: H:\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: c:\windows\psexecsvc.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\zPharaoh.exe <====== ATTENTION
HKLM Group Policy restriction on software: H:\*.rar <====== ATTENTION
HKLM Group Policy restriction on software: C:\1.taz <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
HKU\gsparker\...\Policies\system: [NoDispBackgroundPage] 1
HKU\gsparker\...\Policies\system: [NoDispAppearancePage] 1
HKU\gsparker\...\Policies\system: [NoDispScrSavPage] 1
HKU\lyredd\...\Policies\system: [NoDispBackgroundPage] 1
HKU\lyredd\...\Policies\system: [NoDispAppearancePage] 1
HKU\lyredd\...\Policies\system: [NoDispScrSavPage] 1
S2 10083; \??\C:\Users\WSAdmin\AppData\Local\Temp\10083.sys [x]
2013-04-30 12:46 - 2013-05-21 10:39 - 00015701 ____H C:\Users\lyredd\Desktop\~WRL0003.tmp
2013-04-30 12:46 - 2013-05-13 04:18 - 00015413 ____H C:\Users\lyredd\Desktop\~WRL0005.tmp
2013-04-30 12:46 - 2013-05-02 07:02 - 00014903 ____H C:\Users\lyredd\Desktop\~WRL1612.tmp
2013-05-29 18:22 - 2013-01-11 08:23 - 00000071 __RSH C:\ProgramData\3002.xml
2013-05-08 04:25 - 2012-06-26 07:04 - 00018208 __RSH C:\ProgramData\3002.abs
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-14291297-1635149340-415560179-1000\$76713e802526bf0c47617113803997cf
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$76713e802526bf0c47617113803997cf
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
c:\windows\Image_Setup\Init_Admin_Account.exe [253440 2011-06-01] ()
C:\Windows\Image_Setup\Agent_Install.vbs [786 2012-04-23] ()
2013-05-09 15:18 - 2013-05-09 15:18 - 00000000 ____D C:\Windows\System32\?m
2013-05-24 17:51 - 2013-05-24 17:51 - 00000000 ____D C:\Windows\System32\?u
2013-05-14 20:46 - 2013-05-14 20:46 - 00000000 ____D C:\Windows\System32\??
2013-05-10 15:11 - 2013-05-10 15:11 - 00000000 ____D C:\Windows\System32\?s
2013-05-09 17:32 - 2013-05-09 17:32 - 00000000 ____D C:\Windows\System32\?I
2013-05-14 20:32 - 2013-05-14 20:32 - 00000000 ____D C:\Windows\System32\?L
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up) and select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt); please post it in your reply.
  • Please attempt to boot your computer into Normal Mode, or if not, Safe Mode
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • FRST log
  • Are you able to successfully boot

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

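Added example, not code from this thread, from the helper or from FRST: a small Python triage script that reads FRST scan lines like the ones in the fix above and lists the entries a responder would consider for fixlist.txt, using only the indicators FRST itself shows in this thread (ATTENTION markers, [x] entries whose file is gone, the two-line ZeroAccess $Recycle.Bin blocks, and System32 directories whose names FRST prints with "?"). The sample lines are constructed from the scan quoted in this thread; the regular expressions and reason strings are this example's own assumptions, not FRST's.

```python
"""
FRST (Farbar Recovery Scan Tool) log triage.

Added example, not code from this thread or from FRST: reads FRST scan
lines and lists the entries a responder would consider for fixlist.txt,
using only indicators visible in this thread. Sample lines are constructed
from the scan quoted above; reason strings and regexes are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the FRST output quoted in this thread (one entry of each kind).
SAMPLE_FRST_LINES = "\n".join([
    r"HKLM\...\Run: [Unattend0000000001{D0088610-9A00-499E-AD7B-DCD4AE4A6837}] net user user /delete [x]",
    r"HKLM Group Policy restriction on software: c:\windows\psexec.exe <====== ATTENTION",
    r"HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess",
    r"S2 10083; \??\C:\Users\WSAdmin\AppData\Local\Temp\10083.sys [x]",
    r"C:\Windows\explorer.exe => MD5 is legit",
    r"C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender",
    r"ZeroAccess:",
    r"C:\$Recycle.Bin\S-1-5-18\$76713e802526bf0c47617113803997cf",
    r"2013-05-09 15:18 - 2013-05-09 15:18 - 00000000 ____D C:\Windows\System32\?m",
    r"2011-04-11 18:16 - 2011-04-11 18:16 - 00000000 ____D C:\Windows\System32\en",
])


@dataclass(frozen=True)
class Finding:
    line: str    # the scan line exactly as FRST printed it (fixlist.txt reuses it verbatim)
    reason: str  # why a responder would look at it


# FRST listing line: "<created> - <modified> - <size> <attrs> [()] <path>"
LISTING_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"\d+ (?P<attrs>[_A-Z]+) (?:\(\) )?(?P<path>.+)$"
)
# ZeroAccess keeps its payload in a per-SID Recycle Bin folder named "$" + 32 hex digits.
RECYCLE_BIN_RE = re.compile(
    r"^[A-Za-z]:\\\$Recycle\.Bin\\S-1-5-[\d-]+\\\$[0-9a-f]{32}$", re.IGNORECASE
)
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\Windows\\System32\\(?P<name>[^\\]+)$", re.IGNORECASE)


def classify(line: str) -> Optional[str]:
    """Return why a single scan line deserves attention, or None if it looks benign."""
    line = line.rstrip()
    if "ATTENTION" in line:
        # FRST's own marker: software restriction policies, hijacked CLSIDs, junction tricks.
        return "FRST flagged this entry (ATTENTION)"
    if line.endswith("[x]"):
        # Run value or service whose target file no longer exists on disk.
        return "autostart entry points at a missing file"
    if RECYCLE_BIN_RE.match(line):
        return "ZeroAccess-style payload folder under $Recycle.Bin"
    m = LISTING_RE.match(line)
    if m and "D" in m.group("attrs"):
        s = SYSTEM32_RE.match(m.group("path"))
        if s and "?" in s.group("name"):
            # FRST prints characters it cannot display as '?'; a legitimate
            # System32 directory such as "en" never needs that.
            return "System32 directory with an unprintable name"
    return None


def triage(scan_text: str) -> List[Finding]:
    """Walk a scan, keeping FRST's two-line 'ZeroAccess:' blocks together."""
    findings: List[Finding] = []
    lines = scan_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        if line == "ZeroAccess:" and i + 1 < len(lines):
            # FRST prints the payload path on the next line; both go into fixlist.txt.
            findings.append(Finding(line, "FRST ZeroAccess block header"))
            findings.append(Finding(lines[i + 1].rstrip(), "ZeroAccess payload path"))
            i += 2
            continue
        reason = classify(line)
        if reason is not None:
            findings.append(Finding(line, reason))
        i += 1
    return findings


def to_fixlist(findings: List[Finding]) -> str:
    """A FRST fixlist.txt is just the scan lines to act on, copied verbatim, one per line."""
    return "".join(f.line + "\n" for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_FRST_LINES)
    for f in found:
        print(f"{f.reason:45s} {f.line}")
    print("--- fixlist.txt ---")
    print(to_fixlist(found), end="")
```

The script only selects lines; FRST's own handling of them (for example the DeleteJunctionsIndirectory step for the Windows Defender folder) is not reproduced.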
#6 chrislbrown
  • Topic Starter
  • Members
  • 78 posts
  • Gender:Male
  • Location:North Carolina

Posted 31 May 2013 - 10:39 AM

Hi Gary,

Good day sir.  Thank you for your prompt response!

I did what you instructed.  The laptop is still not booting and doing the boot loop deal.  I know your fixlist was executed, because I tried it a second time to make sure and got an error because the list was gone from the first iteration.  Confirmation that it worked (i.e. got used) the first time.  So I did not go through with a second run from there.

Still had to use the recovery disk to get to the Advanced Boot Options, but you probably already knew that.

Here is the log, I'll stay tuned.

Oh, and I did install Flixster myself.

Thanks and God Bless,

Chris B.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 28-05-2013
Ran by SYSTEM at 2013-05-31 11:23:54 Run:1
Running from F:\
Boot Mode: Recovery

==============================================

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Unattend0000000003{A82EE8CF-889D-47B0-9144-20E98D0C0772} => Value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Unattend0000000003{A0DB1449-97CD-4B24-AD49-21E4F0B141E3} => Value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Unattend0000000002{73878A3B-F5B3-44C4-B21D-0F3195007F4E} => Value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Unattend0000000002{3D9DA5AB-11F2-49D1-8AA2-35FDCDED2045} => Value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Unattend0000000001{D0088610-9A00-499E-AD7B-DCD4AE4A6837} => Value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Unattend0000000001{58764BC9-FC35-498F-8D5C-300197E64E0D} => Value deleted successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKEY_USERS\gsparker\Software\Microsoft\Windows\CurrentVersion\Policies\system\\NoDispBackgroundPage => Value deleted successfully.
HKEY_USERS\gsparker\Software\Microsoft\Windows\CurrentVersion\Policies\system\\NoDispAppearancePage => Value deleted successfully.
HKEY_USERS\gsparker\Software\Microsoft\Windows\CurrentVersion\Policies\system\\NoDispScrSavPage => Value deleted successfully.
HKEY_USERS\lyredd\Software\Microsoft\Windows\CurrentVersion\Policies\system\\NoDispBackgroundPage => Value deleted successfully.
HKEY_USERS\lyredd\Software\Microsoft\Windows\CurrentVersion\Policies\system\\NoDispAppearancePage => Value deleted successfully.
HKEY_USERS\lyredd\Software\Microsoft\Windows\CurrentVersion\Policies\system\\NoDispScrSavPage => Value deleted successfully.
10083 => Service deleted successfully.
C:\Users\lyredd\Desktop\~WRL0003.tmp => Moved successfully.
C:\Users\lyredd\Desktop\~WRL0005.tmp => Moved successfully.
C:\Users\lyredd\Desktop\~WRL1612.tmp => Moved successfully.
C:\ProgramData\3002.xml => Moved successfully.
C:\ProgramData\3002.abs => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-14291297-1635149340-415560179-1000\$76713e802526bf0c47617113803997cf => Moved successfully.
C:\$Recycle.Bin\S-1-5-18\$76713e802526bf0c47617113803997cf => Moved successfully.
Error: C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender => entry should be fixed outside recovery mode.
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender => File/Directory not found.
c:\windows\Image_Setup\Init_Admin_Account.exe [253440 2011-06-01] () => File/Directory not found.
C:\Windows\Image_Setup\Agent_Install.vbs [786 2012-04-23] () => File/Directory not found.
C:\Windows\System32\?m => Could not move.
C:\Windows\System32\?u => Could not move.
C:\Windows\System32\?? => Could not move.
C:\Windows\System32\?s => Could not move.
C:\Windows\System32\?I => File/Directory not found.
C:\Windows\System32\?L => File/Directory not found.

==== End of Fixlog ====


#7 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,680 posts
  • Gender:Male
  • Location:California

Posted 31 May 2013 - 11:41 AM

Hi Chris,

Thanks for the information. Please run the below and subsequent to that I would like you to do another full FRST scan.

===================================================

Farbar's Recovery Scan Tool Search

--------------------
  • Boot to the System Recovery Options again and run FRST
  • Type the following in the edit box
Unlock: C:\Windows\System32\?m
Unlock: C:\Windows\System32\?u
Unlock: C:\Windows\System32\??
Unlock: C:\Windows\System32\?s
Folder: C:\Windows\System32\?m
Folder: C:\Windows\System32\?u
Folder: C:\Windows\System32\??
Folder: C:\Windows\System32\?s
  • Click Search File(s) button
  • A Search.txt document will be saved to your USB device
  • Copy and paste the contents of that document into your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Search log
  • FRST log

Gary

#8 chrislbrown
  • Topic Starter
  • Members
  • 78 posts
  • Gender:Male
  • Location:North Carolina

Posted 31 May 2013 - 01:42 PM

Hey Gary,

I don't understand what the edit box is.  When I run FRST, it doesn't seem to be accepting the input.  I tried to put each line in individually, and then I tried to put it all in at the same time.  It doesn't acknowledge either (it doesn't allow me to put it all in at once).  I'm hitting the <return> button; should I be pressing one of the other buttons on the program GUI?

Thanks,

Chris B.



#9 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,680 posts
  • Gender:Male
  • Location:California

Posted 31 May 2013 - 01:49 PM

Hi Chris,

Sorry, the edit box is the code box. So you are putting the information in the same box as you did in Post #5? And are you selecting Search rather than either of the other 2 options?


Gary

#10 chrislbrown
  • Topic Starter
  • Members
  • 78 posts
  • Gender:Male
  • Location:North Carolina

Posted 31 May 2013 - 01:58 PM

Hey Gary--

In my version of FRST, the only box is the "Search:" box.  Am I supposed to hit <return> after each line entered, or search?

CB



#11 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,680 posts
  • Gender:Male
  • Location:California

Posted 31 May 2013 - 03:06 PM

So you don't have 3 buttons, one being Scan like you had when you first ran the program?

Gary

#12 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,680 posts
  • Gender:Male
  • Location:California

Posted 31 May 2013 - 08:59 PM

Hi Chris,

I apologize but I gave you wrong instructions. There is a quirk with the program which requires this to be done as a Fix. If you do not have a Fix button then please download FRST64 again. We will try it without the Unlock to see if we are able to get results.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
Folder: C:\Windows\System32\?m
Folder: C:\Windows\System32\?u
Folder: C:\Windows\System32\??
Folder: C:\Windows\System32\?s
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up) and select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt); please post it in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • FRST log

Gary

#13 chrislbrown
  • Topic Starter
  • Members
  • 78 posts
  • Gender:Male
  • Location:North Carolina

Posted 31 May 2013 - 09:33 PM

Gary--

I have the same program as before; it just doesn't seem to match your instructions.  I have attached a pic taken by my cell of the interface.  It does have the three buttons.

GB

CB



#14 chrislbrown
  • Topic Starter
  • Members
  • 78 posts
  • Gender:Male
  • Location:North Carolina

Posted 31 May 2013 - 09:44 PM

Gary--
I just saw your last response.  OK, I ran the commands as a fix.  We're crankin' again!

Here is the log.

GB

CB


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 28-05-2013
Ran by SYSTEM at 2013-05-31 22:39:20 Run:2
Running from F:\
Boot Mode: Recovery

==============================================


========================= Folder: C:\Windows\System32\?m ========================

2013-05-09 15:18 - 2013-05-09 15:18 - 0000000 ____D () C:\Windows\System32\?m

====== End of Folder: ======

========================= Folder: C:\Windows\System32\?u ========================

2013-05-24 17:51 - 2013-05-24 17:51 - 0000000 ____D () C:\Windows\System32\?u
2013-05-24 17:51 - 2013-05-24 17:51 - 0000000 ____D () C:\Windows\System32\?u

====== End of Folder: ======

========================= Folder: C:\Windows\System32\?? ========================

2011-04-11 18:16 - 2011-04-11 18:16 - 0000000 ____D () C:\Windows\System32\en
2013-05-10 15:11 - 2013-05-10 15:11 - 0000000 ____D () C:\Windows\System32\?s
2013-05-10 15:11 - 2013-05-10 15:11 - 0000000 _____ () C:\Windows\System32\?I
2013-05-10 15:11 - 2013-05-10 15:11 - 0000000 _____ () C:\Windows\System32\?J
2013-05-10 15:11 - 2013-05-10 15:11 - 0000000 _____ () C:\Windows\System32\?L
2013-05-24 17:51 - 2013-05-24 17:51 - 0000000 ____D () C:\Windows\System32\?u
2013-05-24 17:51 - 2013-05-24 17:51 - 0000000 _____ () C:\Windows\System32\?I
2009-07-13 18:37 - 2013-05-31 09:43 - 0000000 ____D () C:\Windows\System32\??
2013-05-24 17:51 - 2013-05-24 17:51 - 0000000 ____D () C:\Windows\System32\?u
2013-05-09 15:18 - 2013-05-09 15:18 - 0000000 ____D () C:\Windows\System32\?m
2013-03-22 17:35 - 2013-03-22 17:35 - 0000000 ____D () C:\Windows\System32\?p
2013-03-22 17:35 - 2013-03-22 17:35 - 0000000 _____ () C:\Windows\System32\?I
2009-07-13 18:37 - 2013-05-31 09:43 - 0000000 ____D () C:\Windows\System32\??
2009-07-13 18:37 - 2013-05-31 09:43 - 0000000 ____D () C:\Windows\System32\??
2009-07-13 18:37 - 2013-05-31 09:43 - 0000000 ____D () C:\Windows\System32\??
2009-07-13 18:37 - 2013-05-31 09:43 - 0000000 ____D () C:\Windows\System32\??
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8
2013-02-20 10:19 - 2013-02-20 10:19 - 0000000 ____D () C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9
2009-07-13 20:36 - 2009-07-13 20:36 - 0000000 ___SD () C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My
2009-07-13 20:52 - 2011-04-11 18:16 - 0000000 ____D () C:\Windows\System32\Speech\Engines\SR
2009-07-13 18:37 - 2013-01-24 12:05 - 0000000 ____D () C:\Windows\System32\spool\drivers\w32x86\3
2012-06-25 08:05 - 2012-06-25 08:05 - 0000000 ____D () C:\Windows\System32\sysprep\Panther\IE
2009-07-13 20:46 - 2009-07-13 20:46 - 0003506 ____A () C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore\SR

====== End of Folder: ======

========================= Folder: C:\Windows\System32\?s ========================

2013-05-10 15:11 - 2013-05-10 15:11 - 0000000 ____D () C:\Windows\System32\?s

====== End of Folder: ======

==== End of Fixlog ====



#15 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,680 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:04:20 PM

Posted 31 May 2013 - 10:08 PM

Hi Chris,

OK, let's try to delete the folders again.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt

2013-05-09 15:18 - 2013-05-09 15:18 - 0000000 ____D () C:\Windows\System32\?m
2013-05-24 17:51 - 2013-05-24 17:51 - 0000000 ____D () C:\Windows\System32\?u
2013-05-24 17:51 - 2013-05-24 17:51 - 0000000 ____D () C:\Windows\System32\?u
2013-05-10 15:11 - 2013-05-10 15:11 - 0000000 ____D () C:\Windows\System32\?s
2013-05-10 15:11 - 2013-05-10 15:11 - 0000000 _____ () C:\Windows\System32\?I
2013-05-10 15:11 - 2013-05-10 15:11 - 0000000 _____ () C:\Windows\System32\?J
2013-05-10 15:11 - 2013-05-10 15:11 - 0000000 _____ () C:\Windows\System32\?L
2013-05-24 17:51 - 2013-05-24 17:51 - 0000000 ____D () C:\Windows\System32\?u
2013-05-24 17:51 - 2013-05-24 17:51 - 0000000 _____ () C:\Windows\System32\?I
2009-07-13 18:37 - 2013-05-31 09:43 - 0000000 ____D () C:\Windows\System32\??
2013-05-24 17:51 - 2013-05-24 17:51 - 0000000 ____D () C:\Windows\System32\?u
2013-05-09 15:18 - 2013-05-09 15:18 - 0000000 ____D () C:\Windows\System32\?m
2013-03-22 17:35 - 2013-03-22 17:35 - 0000000 ____D () C:\Windows\System32\?p
2013-03-22 17:35 - 2013-03-22 17:35 - 0000000 _____ () C:\Windows\System32\?I
2009-07-13 18:37 - 2013-05-31 09:43 - 0000000 ____D () C:\Windows\System32\??
2009-07-13 18:37 - 2013-05-31 09:43 - 0000000 ____D () C:\Windows\System32\??
2009-07-13 18:37 - 2013-05-31 09:43 - 0000000 ____D () C:\Windows\System32\??
2009-07-13 18:37 - 2013-05-31 09:43 - 0000000 ____D () C:\Windows\System32\??
2013-05-10 15:11 - 2013-05-10 15:11 - 0000000 ____D () C:\Windows\System32\?s

  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up) and select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt) please post it to your reply.
  • Please attempt to boot your computer into Normal Mode
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • FRST log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
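A defender-side helper for the fixlist step above, added here as an example; it is not FRST's own code and not part of the original thread. It parses FRST-style folder-listing lines, lists each repeated entry once, and reports any entry whose final name contains invisible, control or non-ASCII characters, which is what the `?s` and `??` names in the log stand for after the forum's text extraction. The log lines below are constructed for the demonstration, not taken from the page.

```python
import re
import unicodedata
from dataclasses import dataclass

# FRST folder-listing line: "<created> - <modified> - <size> <attrs> () <path>"
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) \(\) (?P<path>.+)$"
)

# Constructed sample: two hidden-name entries (one repeated) and one normal folder.
SAMPLE_LOG = "\n".join([
    "2013-05-10 15:11 - 2013-05-10 15:11 - 0000000 ____D () C:\\Windows\\System32\\\u200bs",
    "2013-05-10 15:11 - 2013-05-10 15:11 - 0000000 _____ () C:\\Windows\\System32\\\u0410I",
    "2013-05-10 15:11 - 2013-05-10 15:11 - 0000000 ____D () C:\\Windows\\System32\\\u200bs",
    "2009-07-13 18:37 - 2013-05-31 09:43 - 0000000 ____D () C:\\Windows\\System32\\drivers",
])

@dataclass(frozen=True)
class Finding:
    path: str
    is_dir: bool
    reason: str
    codepoints: str  # every code point of the name, so the reader sees what "?" hid

def name_anomaly(name):
    """Describe why a name would not render as plain ASCII, or return None."""
    odd = [c for c in name if ord(c) < 0x20 or ord(c) > 0x7E]
    if not odd:
        return None
    if {unicodedata.category(c) for c in odd} & {"Cc", "Cf", "Zs"}:
        return "invisible or control character in name"
    return "non-ASCII character in name"

def parse_line(line):
    """Split one FRST listing line into its fields; None for non-matching text."""
    m = FRST_LINE.match(line.strip())
    return m.groupdict() if m else None

def find_hidden_name_entries(log_text):
    seen, findings = set(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] in seen:   # skip junk and repeated entries
            continue
        seen.add(rec["path"])
        name = rec["path"].rsplit("\\", 1)[-1]
        reason = name_anomaly(name)
        if reason is not None:
            cps = " ".join(f"U+{ord(c):04X}" for c in name)
            findings.append(Finding(rec["path"], "D" in rec["attrs"], reason, cps))
    return findings

if __name__ == "__main__":
    for f in find_hidden_name_entries(SAMPLE_LOG):
        print(("DIR " if f.is_dir else "FILE"), f.reason, f.codepoints, f.path)
```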



