Windows 7/64 - Infected with ICE Money Pak


  • This topic is locked
13 replies to this topic

#1 Engel44

Engel44

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:06 AM

Posted 26 June 2013 - 03:01 PM

Downloaded and ran FRST64
Scan Results
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-06-2013 02
Ran by SYSTEM on 26-06-2013 15:35:36
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s [6561384 2010-12-14] (Realtek Semiconductor)
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [608112 2011-03-29] (Alps Electric Co., Ltd.)
HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1933584 2010-12-17] (Intel® Corporation)
HKLM\...\Run: [BTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp [10222080 2010-12-14] (Intel Corporation)
HKLM\...\Run: [QuickSet] c:\Program Files\Dell\QuickSet\QuickSet.exe [4500640 2011-03-10] (Dell Inc.)
HKLM\...\Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" [4526 2010-11-29] ()
HKLM\...\Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup [483424 2012-02-01] ()
HKLM\...\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming [2991856 2013-02-20] (Logitech, Inc.)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [37960 2013-05-10] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM-x32\...\Run: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup [968048 2012-02-01] ()
HKLM-x32\...\Run: [Webfetti_52 Browser Plugin Loader] C:\PROGRA~2\WEBFET~2\bar\1.bin\52brmon.exe [30096 2012-05-20] (VER_COMPANY_NAME)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1532992 2013-03-13] (McAfee, Inc.)
HKLM-x32\...\Run: [BingDesktop] C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktop.exe /fromkey [2249352 2013-06-05] (Microsoft Corp.)
HKLM-x32\...\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" [1058400 2012-01-26] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXRCV] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe" [502912 2012-02-29] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [863360 2012-02-29] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [LTCM Client] C:\Program Files (x86)\LTCM Client\ltcmClient.exe /startup [1596096 2009-08-05] (Leader Technologies Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152392 2013-05-31] (Apple Inc.)
HKU\Karl Engelh\...\Run: [Temp] rundll32.exe "C:\Users\Karl Engelh\AppData\Local\VirtualStore\Temp\airlock32.dll",DllRegisterServer [x] <===== ATTENTION
HKU\Karl Engelh\...\Run: [bfaeefebbbbdct] "C:\ProgramData\bfaeefebbbbdct.exe" [x]
HKU\Karl Engelh\...\Run: [Akamai NetSession Interface] "C:\Users\Karl Engelh\AppData\Local\Akamai\netsession_win.exe" [4480768 2013-01-26] (Akamai Technologies, Inc.)
HKU\Karl Engelh\...\Run: [EPLTarget\P0000000000000001] C:\Windows\system32\spool\DRIVERS\x64\3\E_YATIJHE.EXE /EPT "EPLTarget\P0000000000000001" /M "WF-3540 Series" /EF "HKCU" [283232 2013-02-06] (SEIKO EPSON CORPORATION)
HKU\Karl Engelh\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\KARLEN~1\AppData\Local\Temp\fgwikviklunqhjqhg.exe [68096 2013-06-26] (NVIDIA Corporation)
HKU\Karl Engelh\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Karl Engelh\...\Command Processor: "C:\Users\KARLEN~1\AppData\Local\Temp\fgwikviklunqhjqhg.exe" <===== ATTENTION!
Startup: C:\Users\Karl Engelh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel® Turbo Boost Technology Monitor 2.0.lnk
ShortcutTarget: Intel® Turbo Boost Technology Monitor 2.0.lnk -> C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe (Intel® Corporation)
Startup: C:\Users\Karl Engelh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Legalsounds Download Manager.lnk
ShortcutTarget: Legalsounds Download Manager.lnk -> C:\Program Files (x86)\Legalsounds Download Manager\Legalsounds Download Manager.exe (No File)
Startup: C:\Users\Karl Engelh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
ShortcutTarget: Logitech . Product Registration.lnk -> C:\Program Files (x86)\Common Files\LogiShrd\eReg\SetPoint\eReg.exe (Leader Technologies/Logitech)
==================== Services (Whitelisted) =================
S2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
S2 BingDesktopUpdate; C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe [173192 2013-06-05] (Microsoft Corp.)
S2 DisplayLinkService; C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe [8498608 2012-04-10] (DisplayLink Corp.)
S2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [135824 2011-12-12] (Seiko Epson Corporation)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 mcmscsvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [383608 2012-11-16] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [241456 2013-02-19] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-02-19] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-02-19] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-12-17] ()
S2 Webfetti_52Service; C:\PROGRA~2\WEBFET~2\bar\1.bin\52barsvc.exe [42528 2012-05-20] (COMPANYVERS_NAME)
==================== Drivers (Whitelisted) ====================
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-02-19] (McAfee, Inc.)
S3 DisplayLinkUsbPort; C:\Windows\System32\DRIVERS\DisplayLinkUsbPort_6.1.32700.0.sys [17408 2012-05-09] (http://libusb-win32.sourceforge.net)
S3 dlcdbus; C:\Windows\System32\DRIVERS\dlcdbus.sys [116224 2010-11-25] (MCCI Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
S3 LAN9500; C:\Windows\System32\DRIVERS\lan9500-x64-n620f.sys [76288 2013-05-13] (SMSC)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S0 McPvDrv; C:\Windows\System32\drivers\McPvDrv.sys [73096 2012-09-14] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179280 2013-02-19] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309840 2013-02-19] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515968 2013-02-19] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340216 2013-02-19] (McAfee, Inc.)
S3 NETwNs64; C:\Windows\System32\DRIVERS\Netwsw00.sys [11518976 2012-12-06] (Intel Corporation)
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2013-06-26 15:35 - 2013-06-26 15:35 - 00000000 ____D C:\FRST
2013-06-26 14:10 - 2013-06-26 14:10 - 00003416 ____N C:\bootsqm.dat
2013-06-26 13:28 - 2013-06-26 13:28 - 02019346 ____A C:\Users\Karl Engelh\Local Settings\Application Data\2433f433
2013-06-26 13:28 - 2013-06-26 13:28 - 02019346 ____A C:\Users\Karl Engelh\Local Settings\2433f433
2013-06-26 13:28 - 2013-06-26 13:28 - 02019346 ____A C:\Users\Karl Engelh\AppData\Local\2433f433
2013-06-26 13:28 - 2013-06-26 13:28 - 02019313 ____A C:\ProgramData\2433f433
2013-06-26 13:28 - 2013-06-26 13:28 - 02019306 ____A C:\Users\Karl Engelh\Application Data\2433f433
2013-06-26 13:28 - 2013-06-26 13:28 - 02019306 ____A C:\Users\Karl Engelh\AppData\Roaming\2433f433
2013-06-20 06:17 - 2013-06-20 06:17 - 00266320 ____A C:\Windows\Minidump\062013-33743-01.dmp
2013-06-18 15:37 - 2013-06-18 15:37 - 00000000 ____D C:\Users\Public\Documents\Logishrd
2013-06-18 15:36 - 2013-06-18 15:37 - 00009133 ____A C:\Windows\LDPINST.LOG
2013-06-18 15:36 - 2013-06-18 15:37 - 00000548 ____A C:\Windows\LkmdfCoInst.log
2013-06-18 15:36 - 2013-06-18 15:37 - 00000000 ____D C:\ProgramData\Logishrd
2013-06-18 15:36 - 2013-06-18 15:37 - 00000000 ____D C:\Program Files\Common Files\Logishrd
2013-06-18 15:36 - 2013-06-18 15:36 - 00018960 ____A (Logitech, Inc.) C:\Windows\System32\Drivers\LNonPnP.sys
2013-06-18 15:36 - 2013-06-18 15:36 - 00000000 ____D C:\ProgramData\Logitech
2013-06-18 15:36 - 2013-06-18 15:36 - 00000000 ____D C:\Program Files\Logitech
2013-06-18 15:33 - 2013-06-18 15:37 - 00000000 ____D C:\Users\Karl Engelh\Application Data\Logitech
2013-06-18 15:33 - 2013-06-18 15:37 - 00000000 ____D C:\Users\Karl Engelh\AppData\Roaming\Logitech
2013-06-18 15:33 - 2013-06-18 15:33 - 03685760 ____A (Logitech Inc.) C:\Users\Karl Engelh\Downloads\setpoint652_smart.exe
2013-06-18 15:33 - 2013-06-18 15:33 - 00000000 ____D C:\Users\Karl Engelh\Application Data\Logishrd
2013-06-18 15:33 - 2013-06-18 15:33 - 00000000 ____D C:\Users\Karl Engelh\AppData\Roaming\Logishrd
2013-06-17 14:38 - 2013-06-08 07:28 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-17 14:38 - 2013-06-08 06:13 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-17 14:37 - 2013-06-08 09:08 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-17 14:37 - 2013-06-08 09:07 - 19233792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-17 14:37 - 2013-06-08 09:06 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-17 14:37 - 2013-06-08 09:06 - 02648064 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-17 14:37 - 2013-06-08 09:06 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-17 14:37 - 2013-06-08 06:42 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-17 14:37 - 2013-06-08 06:40 - 14327808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-17 14:37 - 2013-06-08 06:40 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-17 14:37 - 2013-06-08 06:40 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-17 14:37 - 2013-06-08 06:40 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-12 07:36 - 2013-06-12 07:36 - 00001785 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-06-12 07:36 - 2013-06-12 07:36 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-06-12 07:36 - 2013-06-12 07:36 - 00000000 ____D C:\Program Files\iTunes
2013-06-12 07:36 - 2013-06-12 07:36 - 00000000 ____D C:\Program Files\iPod
2013-06-12 07:36 - 2013-06-12 07:36 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-06-12 07:05 - 2013-06-12 07:05 - 00000000 ____D C:\Users\Karl Engelh\Local Settings\Application Data\{8DC17C77-DD41-4BC0-940A-748B8491F783}
2013-06-12 07:05 - 2013-06-12 07:05 - 00000000 ____D C:\Users\Karl Engelh\Local Settings\{8DC17C77-DD41-4BC0-940A-748B8491F783}
2013-06-12 07:05 - 2013-06-12 07:05 - 00000000 ____D C:\Users\Karl Engelh\AppData\Local\{8DC17C77-DD41-4BC0-940A-748B8491F783}
2013-06-12 02:00 - 2013-05-16 20:25 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-06-12 02:00 - 2013-05-16 20:25 - 01767936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-06-12 02:00 - 2013-05-16 20:25 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-06-12 02:00 - 2013-05-16 20:25 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-06-12 02:00 - 2013-05-16 20:25 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-06-12 02:00 - 2013-05-16 20:25 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-06-12 02:00 - 2013-05-16 20:25 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-06-12 02:00 - 2013-05-16 20:25 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-06-12 02:00 - 2013-05-16 19:59 - 02241024 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-12 02:00 - 2013-05-16 19:59 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-06-12 02:00 - 2013-05-16 19:58 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-12 02:00 - 2013-05-16 19:58 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-12 02:00 - 2013-05-16 19:58 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-12 02:00 - 2013-05-16 19:58 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-06-12 02:00 - 2013-05-16 19:58 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-06-12 02:00 - 2013-05-16 19:58 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-12 02:00 - 2013-05-16 19:58 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-06-12 02:00 - 2013-05-14 07:23 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-06-12 02:00 - 2013-05-14 03:40 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-06-11 17:02 - 2013-05-10 00:49 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-11 17:02 - 2013-05-09 22:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll
2013-06-11 17:02 - 2013-05-08 01:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-11 17:02 - 2013-04-26 00:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-11 17:02 - 2013-04-25 23:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-06-11 17:02 - 2013-04-17 02:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2013-06-11 17:02 - 2013-04-17 01:24 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-06-11 17:01 - 2013-05-13 00:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-11 17:01 - 2013-05-13 00:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-11 17:01 - 2013-05-13 00:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-11 17:01 - 2013-05-13 00:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-11 17:01 - 2013-05-12 23:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-06-11 17:01 - 2013-05-12 23:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-06-11 17:01 - 2013-05-12 23:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-06-11 17:01 - 2013-05-12 22:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-11 17:01 - 2013-05-12 22:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2013-06-11 17:01 - 2013-05-12 22:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
2013-06-11 17:01 - 2013-04-25 18:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
2013-06-11 17:01 - 2013-03-31 17:52 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2013-06-07 12:22 - 2013-06-07 12:22 - 00000000 ____D C:\Windows\Sun
2013-06-05 13:22 - 2013-06-05 13:22 - 00000000 ____D C:\Users\Karl Engelh\Local Settings\Application Data\{ACC3DF48-83CB-498F-A2E5-239A4EA55AD5}
2013-06-05 13:22 - 2013-06-05 13:22 - 00000000 ____D C:\Users\Karl Engelh\Local Settings\{ACC3DF48-83CB-498F-A2E5-239A4EA55AD5}
2013-06-05 13:22 - 2013-06-05 13:22 - 00000000 ____D C:\Users\Karl Engelh\AppData\Local\{ACC3DF48-83CB-498F-A2E5-239A4EA55AD5}
2013-06-04 16:59 - 2013-06-04 16:59 - 00009987 ____A C:\Users\Karl Engelh\My Documents\KLE-1.rp155p
2013-06-04 16:59 - 2013-06-04 16:59 - 00009987 ____A C:\Users\Karl Engelh\Documents\KLE-1.rp155p
2013-06-03 14:40 - 2013-06-03 14:40 - 00000000 ____D C:\Users\Karl Engelh\Local Settings\Application Data\{199A7189-DAF7-4285-B7D0-22E3FDBCBB27}
2013-06-03 14:40 - 2013-06-03 14:40 - 00000000 ____D C:\Users\Karl Engelh\Local Settings\{199A7189-DAF7-4285-B7D0-22E3FDBCBB27}
2013-06-03 14:40 - 2013-06-03 14:40 - 00000000 ____D C:\Users\Karl Engelh\AppData\Local\{199A7189-DAF7-4285-B7D0-22E3FDBCBB27}
2013-06-03 14:07 - 2013-06-03 14:17 - 201565904 ____A (Online Media Technologies Ltd.                              ) C:\Users\Karl Engelh\Downloads\VideoMenu-PresetPack.exe
2013-05-27 16:22 - 2013-06-01 22:41 - 00000000 ____D C:\Program Files\My Dell
==================== One Month Modified Files and Folders =======
2013-06-26 15:35 - 2013-06-26 15:35 - 00000000 ____D C:\FRST
2013-06-26 14:12 - 2011-06-19 14:46 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2013-06-26 14:12 - 2011-06-19 14:14 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-06-26 14:11 - 2012-08-24 10:57 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-26 14:11 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-26 14:10 - 2013-06-26 14:10 - 00003416 ____N C:\bootsqm.dat
2013-06-26 14:10 - 2009-07-13 23:51 - 00057927 ____A C:\Windows\setupact.log
2013-06-26 13:57 - 2009-07-14 00:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-26 13:41 - 2009-07-14 00:10 - 01438449 ____A C:\Windows\WindowsUpdate.log
2013-06-26 13:38 - 2011-06-19 14:36 - 00000000 ____D C:\ProgramData\Sonic
2013-06-26 13:28 - 2013-06-26 13:28 - 02019346 ____A C:\Users\Karl Engelh\Local Settings\Application Data\2433f433
2013-06-26 13:28 - 2013-06-26 13:28 - 02019346 ____A C:\Users\Karl Engelh\Local Settings\2433f433
2013-06-26 13:28 - 2013-06-26 13:28 - 02019346 ____A C:\Users\Karl Engelh\AppData\Local\2433f433
2013-06-26 13:28 - 2013-06-26 13:28 - 02019313 ____A C:\ProgramData\2433f433
2013-06-26 13:28 - 2013-06-26 13:28 - 02019306 ____A C:\Users\Karl Engelh\Application Data\2433f433
2013-06-26 13:28 - 2013-06-26 13:28 - 02019306 ____A C:\Users\Karl Engelh\AppData\Roaming\2433f433
2013-06-26 13:23 - 2012-08-24 10:57 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-26 12:58 - 2012-05-07 07:28 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-26 08:21 - 2012-09-19 11:02 - 00000000 ____D C:\Users\Karl Engelh\Local Settings\CrashDumps
2013-06-26 08:21 - 2012-09-19 11:02 - 00000000 ____D C:\Users\Karl Engelh\Local Settings\Application Data\CrashDumps
2013-06-26 08:21 - 2012-09-19 11:02 - 00000000 ____D C:\Users\Karl Engelh\AppData\Local\CrashDumps
2013-06-25 22:34 - 2012-11-14 10:22 - 00001790 ____A C:\Users\Public\Desktop\McAfee Total Protection.lnk
2013-06-21 13:26 - 2012-08-24 10:58 - 00002185 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-06-20 13:36 - 2009-07-14 00:32 - 00000000 ____D C:\Windows\System32\FxsTmp
2013-06-20 08:42 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-20 08:42 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-20 06:17 - 2013-06-20 06:17 - 00266320 ____A C:\Windows\Minidump\062013-33743-01.dmp
2013-06-20 06:17 - 2012-04-06 14:12 - 00000000 ____D C:\Windows\Minidump
2013-06-20 06:17 - 2012-04-06 14:11 - 1144575028 ____A C:\Windows\MEMORY.DMP
2013-06-18 15:37 - 2013-06-18 15:37 - 00000000 ____D C:\Users\Public\Documents\Logishrd
2013-06-18 15:37 - 2013-06-18 15:36 - 00009133 ____A C:\Windows\LDPINST.LOG
2013-06-18 15:37 - 2013-06-18 15:36 - 00000548 ____A C:\Windows\LkmdfCoInst.log
2013-06-18 15:37 - 2013-06-18 15:36 - 00000000 ____D C:\ProgramData\Logishrd
2013-06-18 15:37 - 2013-06-18 15:36 - 00000000 ____D C:\Program Files\Common Files\Logishrd
2013-06-18 15:37 - 2013-06-18 15:33 - 00000000 ____D C:\Users\Karl Engelh\Application Data\Logitech
2013-06-18 15:37 - 2013-06-18 15:33 - 00000000 ____D C:\Users\Karl Engelh\AppData\Roaming\Logitech
2013-06-18 15:36 - 2013-06-18 15:36 - 00018960 ____A (Logitech, Inc.) C:\Windows\System32\Drivers\LNonPnP.sys
2013-06-18 15:36 - 2013-06-18 15:36 - 00000000 ____D C:\ProgramData\Logitech
2013-06-18 15:36 - 2013-06-18 15:36 - 00000000 ____D C:\Program Files\Logitech
2013-06-18 15:33 - 2013-06-18 15:33 - 03685760 ____A (Logitech Inc.) C:\Users\Karl Engelh\Downloads\setpoint652_smart.exe
2013-06-18 15:33 - 2013-06-18 15:33 - 00000000 ____D C:\Users\Karl Engelh\Application Data\Logishrd
2013-06-18 15:33 - 2013-06-18 15:33 - 00000000 ____D C:\Users\Karl Engelh\AppData\Roaming\Logishrd
2013-06-12 07:36 - 2013-06-12 07:36 - 00001785 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-06-12 07:36 - 2013-06-12 07:36 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-06-12 07:36 - 2013-06-12 07:36 - 00000000 ____D C:\Program Files\iTunes
2013-06-12 07:36 - 2013-06-12 07:36 - 00000000 ____D C:\Program Files\iPod
2013-06-12 07:36 - 2013-06-12 07:36 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-06-12 07:05 - 2013-06-12 07:05 - 00000000 ____D C:\Users\Karl Engelh\Local Settings\Application Data\{8DC17C77-DD41-4BC0-940A-748B8491F783}
2013-06-12 07:05 - 2013-06-12 07:05 - 00000000 ____D C:\Users\Karl Engelh\Local Settings\{8DC17C77-DD41-4BC0-940A-748B8491F783}
2013-06-12 07:05 - 2013-06-12 07:05 - 00000000 ____D C:\Users\Karl Engelh\AppData\Local\{8DC17C77-DD41-4BC0-940A-748B8491F783}
2013-06-12 02:54 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2013-06-12 02:01 - 2012-05-07 07:27 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-06-12 02:01 - 2012-05-07 07:27 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-06-09 07:45 - 2013-02-06 09:23 - 00000000 ____D C:\Program Files (x86)\EPSON Software
2013-06-08 09:08 - 2013-06-17 14:37 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-08 09:07 - 2013-06-17 14:37 - 19233792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-08 09:06 - 2013-06-17 14:37 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-08 09:06 - 2013-06-17 14:37 - 02648064 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-08 09:06 - 2013-06-17 14:37 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-08 07:28 - 2013-06-17 14:38 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-08 06:42 - 2013-06-17 14:37 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-08 06:40 - 2013-06-17 14:37 - 14327808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-08 06:40 - 2013-06-17 14:37 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-08 06:40 - 2013-06-17 14:37 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-08 06:40 - 2013-06-17 14:37 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-08 06:13 - 2013-06-17 14:38 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-07 12:22 - 2013-06-07 12:22 - 00000000 ____D C:\Windows\Sun
2013-06-05 13:22 - 2013-06-05 13:22 - 00000000 ____D C:\Users\Karl Engelh\Local Settings\Application Data\{ACC3DF48-83CB-498F-A2E5-239A4EA55AD5}
2013-06-05 13:22 - 2013-06-05 13:22 - 00000000 ____D C:\Users\Karl Engelh\Local Settings\{ACC3DF48-83CB-498F-A2E5-239A4EA55AD5}
2013-06-05 13:22 - 2013-06-05 13:22 - 00000000 ____D C:\Users\Karl Engelh\AppData\Local\{ACC3DF48-83CB-498F-A2E5-239A4EA55AD5}
2013-06-04 16:59 - 2013-06-04 16:59 - 00009987 ____A C:\Users\Karl Engelh\My Documents\KLE-1.rp155p
2013-06-04 16:59 - 2013-06-04 16:59 - 00009987 ____A C:\Users\Karl Engelh\Documents\KLE-1.rp155p
2013-06-04 16:59 - 2013-03-18 10:19 - 00000000 ____D C:\Users\Karl Engelh\Application Data\Audacity
2013-06-04 16:59 - 2013-03-18 10:19 - 00000000 ____D C:\Users\Karl Engelh\AppData\Roaming\Audacity
2013-06-03 14:40 - 2013-06-03 14:40 - 00000000 ____D C:\Users\Karl Engelh\Local Settings\Application Data\{199A7189-DAF7-4285-B7D0-22E3FDBCBB27}
2013-06-03 14:40 - 2013-06-03 14:40 - 00000000 ____D C:\Users\Karl Engelh\Local Settings\{199A7189-DAF7-4285-B7D0-22E3FDBCBB27}
2013-06-03 14:40 - 2013-06-03 14:40 - 00000000 ____D C:\Users\Karl Engelh\AppData\Local\{199A7189-DAF7-4285-B7D0-22E3FDBCBB27}
2013-06-03 14:17 - 2013-06-03 14:07 - 201565904 ____A (Online Media Technologies Ltd.                              ) C:\Users\Karl Engelh\Downloads\VideoMenu-PresetPack.exe
2013-06-01 22:41 - 2013-05-27 16:22 - 00000000 ____D C:\Program Files\My Dell
2013-05-31 06:26 - 2012-04-19 07:12 - 00030525 ____A C:\Users\Karl Engelh\My Documents\Account Access.xlsx
2013-05-31 06:26 - 2012-04-19 07:12 - 00030525 ____A C:\Users\Karl Engelh\Documents\Account Access.xlsx
2013-05-28 14:37 - 2012-04-06 14:33 - 00000000 ____D C:\Users\Karl Engelh\My Documents\Quicken
2013-05-28 14:37 - 2012-04-06 14:33 - 00000000 ____D C:\Users\Karl Engelh\Documents\Quicken
2013-05-28 07:23 - 2011-06-19 15:33 - 00134300 ____A C:\Windows\PFRO.log
2013-05-28 07:23 - 2011-06-19 14:30 - 00000000 ____D C:\Program Files (x86)\McAfee
2013-05-28 07:19 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\System32\NDF
2013-05-27 16:22 - 2012-04-11 16:08 - 00000000 ____D C:\Program Files\Dell Support Center
2013-05-27 16:22 - 2012-04-11 16:00 - 00000000 ____D C:\ProgramData\PCDr
ZeroAccess:
C:\Windows\Installer\{7d1c39cc-640d-6840-8526-27b78d7a4299}
C:\Windows\Installer\{7d1c39cc-640d-6840-8526-27b78d7a4299}\L
C:\Windows\Installer\{7d1c39cc-640d-6840-8526-27b78d7a4299}\U
ZeroAccess:
C:\Users\Karl Engelh\AppData\Local\{7d1c39cc-640d-6840-8526-27b78d7a4299}
C:\Users\Karl Engelh\AppData\Local\{7d1c39cc-640d-6840-8526-27b78d7a4299}\L
C:\Users\Karl Engelh\AppData\Local\{7d1c39cc-640d-6840-8526-27b78d7a4299}\U
Files to move or delete:
====================
C:\ProgramData\go_0molg.pad
==================== Known DLLs (Whitelisted) ================
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points  =========================
==================== Memory info ===========================
Percentage of memory in use: 9%
Total physical RAM: 8106.17 MB
Available physical RAM: 7313.25 MB
Total Pagefile: 8104.32 MB
Available Pagefile: 7301.73 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB
==================== Drives ================================
Drive c: (OS) (Fixed) (Total:683.89 GB) (Free:555.65 GB) NTFS (Disk=0 Partition=3)
Drive d: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:7.56 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
Drive e: (Lexar) (Removable) (Total:3.73 GB) (Free:2.99 GB) FAT32 (Disk=1 Partition=1)
Drive f: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.17 GB) (Free:0 GB) UDF
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 699 GB) (Disk ID: B36085DD)
Partition 1: (Not Active) - (Size=102 MB) - (Type=DE)
Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=684 GB) - (Type=07 NTFS)
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 4 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=4 GB) - (Type=0C)
LastRegBack: 2013-06-22 23:00
==================== End Of Log ============================
 
 

Search results
 
Farbar Recovery Scan Tool (x64) Version: 25-06-2013 02
Ran by SYSTEM at 2013-06-26 15:37:41
Running from E:\
Boot Mode: Recovery
================== Search: ".services.exe" ===================
====== End Of Search ======


*Moderator Edit: Moved topic from Windows 7 to the appropriate forum. FRST logs are allowed only in Malware Removal Logs. ~ Queen-Evie*

Edited by Queen-Evie, 26 June 2013 - 03:26 PM.



 


#2 Engel44

Engel44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 26 June 2013 - 03:32 PM

Oops... sorry about that... I saw that after the fact :whistle:.



#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:06 AM

Posted 27 June 2013 - 12:44 AM

Hello Engel44

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!
  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt


 
HKU\Karl Engelh\...\Run: [Temp] rundll32.exe "C:\Users\Karl Engelh\AppData\Local\VirtualStore\Temp\airlock32.dll",DllRegisterServer [x] <===== ATTENTION
HKU\Karl Engelh\...\Run: [bfaeefebbbbdct] "C:\ProgramData\bfaeefebbbbdct.exe" [x]
HKU\Karl Engelh\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\KARLEN~1\AppData\Local\Temp\fgwikviklunqhjqhg.exe [68096 2013-06-26] (NVIDIA Corporation)
HKU\Karl Engelh\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Karl Engelh\...\Command Processor: "C:\Users\KARLEN~1\AppData\Local\Temp\fgwikviklunqhjqhg.exe" <===== ATTENTION!
2013-06-26 13:28 - 2013-06-26 13:28 - 02019346 ____A C:\Users\Karl Engelh\Local Settings\Application Data\2433f433
2013-06-26 13:28 - 2013-06-26 13:28 - 02019346 ____A C:\Users\Karl Engelh\Local Settings\2433f433
2013-06-26 13:28 - 2013-06-26 13:28 - 02019346 ____A C:\Users\Karl Engelh\AppData\Local\2433f433
2013-06-26 13:28 - 2013-06-26 13:28 - 02019313 ____A C:\ProgramData\2433f433
2013-06-26 13:28 - 2013-06-26 13:28 - 02019306 ____A C:\Users\Karl Engelh\Application Data\2433f433
2013-06-26 13:28 - 2013-06-26 13:28 - 02019306 ____A C:\Users\Karl Engelh\AppData\Roaming\2433f433
C:\Windows\Installer\{7d1c39cc-640d-6840-8526-27b78d7a4299}
C:\Users\Karl Engelh\AppData\Local\{7d1c39cc-640d-6840-8526-27b78d7a4299}

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo

Edited by gringo_pr, 27 June 2013 - 12:44 AM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
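As an added example (not part of the thread and not Gringo's or FRST's code), here is a read-only PowerShell check for the three per-user persistence points the fixlist above targets: the Winlogon Shell value (cmd.exe in the infected log), the Command Processor AutoRun value, and Run entries that launch from Temp/AppData/ProgramData or through rundll32. The registry paths are the standard Windows ones; the "suspicious location" pattern is an assumption of this check, not a rule from the thread.

```powershell
# Added example: audit the per-user persistence points removed by the fixlist.
# Read-only; run in the affected user's session. Nothing is changed.
$findings = @()

# 1. Winlogon Shell: the default shell is explorer.exe. The infected log
#    showed it replaced with cmd.exe, which then ran the AutoRun payload.
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $findings += "Winlogon\Shell overridden: $shell"
}

# 2. Command Processor AutoRun: executed every time cmd.exe starts.
#    It should normally be absent or empty.
$cmdproc = 'HKCU:\Software\Microsoft\Command Processor'
$autorun = (Get-ItemProperty -Path $cmdproc -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
if ($autorun) {
    $findings += "Command Processor\AutoRun set: $autorun"
}

# 3. Run values pointing into user-writable folders or loaded via rundll32.
#    The pattern below is an assumption for this check (constructed here).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$suspectPath = '(?i)\\(AppData|ProgramData|Temp|Local Settings)\\'
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSDrive provider noise
        $cmd = [string]$p.Value
        if ($cmd -match $suspectPath -or $cmd -match '(?i)^\s*"?rundll32') {
            $findings += "Run\$($p.Name): $cmd"
        }
    }
}

if ($findings.Count -eq 0) {
    'No suspicious per-user persistence found.'
} else {
    $findings | ForEach-Object { "SUSPECT  $_" }
}
```

Anything it flags should be compared against an FRST log before acting on it; a legitimate updater in AppData will match the path pattern too.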

#4 Engel44

Engel44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 27 June 2013 - 05:53 AM

Thanks.... will do this now



#5 Engel44

Engel44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 27 June 2013 - 06:16 AM

Ran Fix, rebooted, currently in "Your computer was unable to start" and running Startup Repair

 

Here is the fix log

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-06-2013 02
Ran by SYSTEM at 2013-06-27 07:06:37 Run:1
Running from E:\
Boot Mode: Recovery
==============================================

HKU\Karl Engelh\Software\Microsoft\Windows\CurrentVersion\Run\\Temp => Value deleted successfully.
HKU\Karl Engelh\Software\Microsoft\Windows\CurrentVersion\Run\\bfaeefebbbbdct => Value deleted successfully.
HKU\Karl Engelh\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value deleted successfully.
HKU\Karl Engelh\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKU\Karl Engelh\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.
C:\Users\Karl Engelh\Local Settings\Application Data\2433f433 => Moved successfully.
C:\Users\Karl Engelh\Local Settings\2433f433 => File/Directory not found.
C:\Users\Karl Engelh\AppData\Local\2433f433 => File/Directory not found.
C:\ProgramData\2433f433 => Moved successfully.
C:\Users\Karl Engelh\Application Data\2433f433 => Moved successfully.
C:\Users\Karl Engelh\AppData\Roaming\2433f433 => File/Directory not found.
C:\Windows\Installer\{7d1c39cc-640d-6840-8526-27b78d7a4299} => Moved successfully.
C:\Users\Karl Engelh\AppData\Local\{7d1c39cc-640d-6840-8526-27b78d7a4299} => Moved successfully.

==== End of Fixlog ====



#6 Engel44

Engel44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 27 June 2013 - 06:44 AM

After startup repairs, rebooted, came up fine, running Malwarebytes, so far 1 object detected on quick scan....

Will clean after quick scan then run full scan.



#7 Engel44

Engel44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 27 June 2013 - 06:59 AM

Malwarebytes log

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.27.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16618
Karl Engelh :: KARLENGELH-PC [administrator]

6/27/2013 7:34:33 AM
mbam-log-2013-06-27 (07-34-33).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 243973
Time elapsed: 18 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Karl Engelh\AppData\Local\Temp\fgwikviklunqhjqhg.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Users\Karl Engelh\Templates\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.

(end)



#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:06 AM

Posted 27 June 2013 - 08:52 PM



Hello Engel44

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo

#9 Engel44

Engel44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 28 June 2013 - 07:53 AM

Thanks, will do this now.



#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:06 AM

Posted 28 June 2013 - 01:16 PM

I will be looking for you

 

 

gringo



#11 Engel44

Engel44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 29 June 2013 - 07:44 AM

Ran everything, computer is running fine.

Will post the scripts Monday when I return



#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:06 AM

Posted 29 June 2013 - 02:26 PM

No problem and I will be looking for you



gringo

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:06 AM

Posted 03 July 2013 - 01:19 AM



Hello

48 Hour bump

It has been more than 48 hours since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!
Gringo

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:06 AM

Posted 07 July 2013 - 02:12 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



