PCeU infection (Safe Mode inaccessible)


  • This topic is locked
53 replies to this topic

#1 Colin01


Posted 24 August 2013 - 02:18 PM

Dear kind people of BleepingComputer,

 

I have contracted the virus on my PC, and being the noob I am, need desperate help!

 

I am using Windows Vista (Home Premium). Upon startup, CHKDSK runs and 'fixes some incorrect information in file segments'. After logging in normally, the white PCeU screen appears and locks everything. If I try to log into Safe Mode with command prompt, it immediately shuts down.

 

I have been reading through some other similar logs; I have run FRST from the recovery options and can paste the results if that's acceptable.

 

I would greatly appreciate any help,

Kind Regards,

Colin





#2 HelpBot


Posted 29 August 2013 - 02:20 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/505471 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Colin01


Posted 29 August 2013 - 04:59 PM

Hi,

 

Upon startup, CHKDSK runs and 'fixes some incorrect information in file segments'. After logging in, the white PCeU screen appears and locks everything. If I try to log into Safe Mode with command prompt, it immediately shuts down. I should also add that windows updates have not been installing correctly.

 

I am using Windows Vista Home Premium. I do have the original Windows CD.

 

I have created a new FRST log, pasted below. Hopefully it's not too bad...

 

Many thanks,

Colin

 

---

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-08-2013

Ran by SYSTEM on 29-08-2013 22:26:53
Running from I:\
Windows Vista ™ Home Premium Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [Bluetooth HCI Monitor] - C:\Windows\System32\HCIMNTR.DLL [9728 2006-12-07] (Logitech Inc.)
HKLM\...\Run: [NVRaidService] - C:\Windows\system32\nvraidservice.exe [203296 2008-08-18] (NVIDIA Corporation)
HKLM\...\Run: [VolPanel] - C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe [184320 2007-04-17] (Creative Technology Ltd)
HKLM\...\Run: [UpdReg] - C:\Windows\UpdReg.EXE [90112 2000-05-10] (Creative Technology Ltd.)
HKLM\...\Run: [Adobe Reader Speed Launcher] - c:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [34672 2008-06-11] (Adobe Systems Incorporated)
HKLM\...\Run: [Google Desktop Search] - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-08-15] (Google)
HKLM\...\Run: [] -  [x]
HKLM\...\Run: [RoxWatchTray] - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe [244208 2008-05-14] (Sonic Solutions)
HKLM\...\Run: [Dell DataSafe Online] - C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe [1745648 2008-11-03] ()
HKLM\...\Run: [dellsupportcenter] - C:\Program Files\Dell Support Center\bin\sprtcmd.exe [206064 2008-10-04] (SupportSoft, Inc.)
HKLM\...\Run: [4oD] - "C:\Program Files\Kontiki\KHost.exe" -all [x]
HKLM\...\Run: [PDVDDXSrv] - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [140520 2010-01-07] (CyberLink Corp.)
HKLM\...\Run: [NvCplDaemon] - C:\Windows\system32\NvCpl.dll [13687328 2009-04-13] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] - C:\Windows\system32\NvMcTray.dll [92704 2009-04-13] (NVIDIA Corporation)
HKLM\...\Run: [mcui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [1278064 2013-03-13] (McAfee, Inc.)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [947152 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2012-10-24] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM\...\Run: [TkBellExe] - C:\Program Files\Real\RealPlayer\Update\realsched.exe [295512 2013-08-09] (RealNetworks, Inc.)
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll [X]
HKU\Colin\...\Run: [NVIDIA nTune] - C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneCmd.exe [ 2008-05-30] (NVIDIA)
HKU\Colin\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [ 2008-01-20] (Microsoft Corporation)
HKU\Colin\...\Run: [hqkcomka] - C:\Users\Colin\hqkcomka.exe [x]
HKU\Colin\...\Run: [Google Update] - C:\Users\Colin\AppData\Local\Google\Update\GoogleUpdate.exe [ 2012-06-19] (Google Inc.)
HKU\Colin\...\Run: [Skype] - C:\Program Files\Skype\Phone\Skype.exe [ 2013-03-01] (Skype Technologies S.A.)
HKU\Colin\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [ 2008-01-20] (Microsoft Corporation)
HKU\Colin\...\Run: [Steam] - C:\Program Files\Steam\Steam.exe [ 2013-07-26] (Valve Corporation)
HKU\Colin\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Colin\AppData\Local\Temp\qwciifkgjdtjntmuv.exe [ 2013-08-21] (Valve Corporation) <===== ATTENTION
HKU\Colin\...\Winlogon: [Shell] cmd.exe [ 2008-01-20] (Microsoft Corporation) <==== ATTENTION 
HKU\Colin\...\Command Processor: "C:\Users\Colin\AppData\Local\Temp\qwciifkgjdtjntmuv.exe" <===== ATTENTION!
Startup: C:\Users\Colin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk
ShortcutTarget: BBC iPlayer Desktop.lnk -> C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe ()
Startup: C:\Users\Colin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
 
========================== Services (Whitelisted) =================
 
S3 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-08-15] (Google)
S2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S2 mcmscsvc; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [279048 2012-11-16] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [203840 2013-02-19] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [169320 2013-02-19] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [172416 2013-02-19] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] (Microsoft Corporation)
S2 nTuneService; C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe [155648 2008-05-30] (NVIDIA)
S2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-04-15] ()
S2 RoxLiveShare10; C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [309744 2008-05-14] (Sonic Solutions)
S2 sprtsvc_DellSupportCenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe [201968 2008-10-04] (SupportSoft, Inc.)
S2 pgsql-8.3; "C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe" runservice -w -N "pgsql-8.3" -D "C:\Program Files\PostgreSQL\8.3\data\" [x]
S2 SessionLauncher; C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
 
==================== Drivers (Whitelisted) ====================
 
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [60920 2013-02-19] (McAfee, Inc.)
S0 CLFS; C:\Windows\System32\CLFS.sys [245736 2009-04-10] (Microsoft Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [146872 2012-04-20] (McAfee, Inc.)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2013-01-15] (Malwarebytes Corporation)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [133416 2013-02-19] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [235264 2013-02-19] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [65928 2013-02-19] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [363080 2013-02-19] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [565888 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [92632 2013-02-19] (McAfee, Inc.)
S1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [210608 2013-02-19] (McAfee, Inc.)
S3 moufiltr; C:\Windows\System32\DRIVERS\moufiltr.sys [6144 2007-01-09] (Chic)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S1 MpKslab65a241; C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1D26F4A7-DE70-44FD-A921-3C4CA0CEE4D1}\MpKslab65a241.sys [29904 2013-08-21] ()
S3 NVR0Dev; C:\Windows\nvoclock.sys [29824 2008-05-30] (NVidia Corp.)
S2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}; C:\Program Files\CyberLink\PowerDVD DX\000.fcl [87536 2010-01-07] (CyberLink Corp.)
S3 cpuz132; \??\C:\Users\Colin\AppData\Local\Temp\cpuz132\cpuz132_x32.sys [x]
S3 CT20XUT.DLL; system32\CT20XUT.DLL [x]
S3 CTEXFIFX.DLL; system32\CTEXFIFX.DLL [x]
S3 CTHWIUT.DLL; system32\CTHWIUT.DLL [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 mfeavfk01; No ImagePath
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-08-21 18:38 - 2013-08-21 18:38 - 00116849 _____ C:\Users\Colin\AppData\Local\2433f433
2013-08-21 18:38 - 2013-08-21 18:38 - 00116839 _____ C:\Users\Colin\AppData\Roaming\2433f433
2013-08-21 18:38 - 2013-08-21 18:38 - 00116809 _____ C:\ProgramData\2433f433
2013-08-12 10:56 - 2013-08-15 03:54 - 00000000 ____D C:\Windows\System32\MRT
2013-08-09 05:04 - 2013-08-09 05:04 - 00001071 _____ C:\Users\Public\Desktop\RealPlayer.lnk
2013-08-09 05:03 - 2013-08-09 05:03 - 00201872 _____ (RealNetworks, Inc.) C:\Windows\System32\rmoc3260.dll
2013-08-09 05:03 - 2013-08-09 05:03 - 00000000 ____D C:\Program Files\Common Files\xing shared
2013-08-09 05:02 - 2013-08-09 05:02 - 00272896 _____ (Progressive Networks) C:\Windows\System32\pncrt.dll
2013-08-09 05:02 - 2013-08-09 05:02 - 00006656 _____ (RealNetworks, Inc.) C:\Windows\System32\pndx5016.dll
2013-08-09 05:02 - 2013-08-09 05:02 - 00005632 _____ (RealNetworks, Inc.) C:\Windows\System32\pndx5032.dll
2013-08-09 04:59 - 2013-08-09 04:59 - 00773296 _____ (RealNetworks, Inc.) C:\Users\Colin\Desktop\RealPlayer.exe
2013-07-31 03:21 - 2013-07-31 03:21 - 00205352 _____ C:\Windows\Minidump\Mini073113-01.dmp
 
==================== One Month Modified Files and Folders =======
 
2013-08-29 13:23 - 2009-01-15 05:11 - 00000012 _____ C:\Windows\bthservsdp.dat
2013-08-29 13:23 - 2006-11-02 04:47 - 00003616 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-29 13:23 - 2006-11-02 04:47 - 00003616 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-24 13:15 - 2013-08-24 13:15 - 00000000 ____D C:\FRST
2013-08-24 10:01 - 2009-01-15 05:10 - 01715781 _____ C:\Windows\WindowsUpdate.log
2013-08-23 09:30 - 2006-11-02 02:33 - 00703388 _____ C:\Windows\System32\PerfStringBackup.INI
2013-08-22 15:24 - 2013-03-26 05:38 - 00000000 ____D C:\Users\postgres\AppData\Local\CrashDumps
2013-08-22 06:24 - 2012-12-23 07:38 - 00262144 _____ C:\Windows\System32\config\ELAM
2013-08-21 18:45 - 2008-01-20 18:47 - 00212260 _____ C:\Windows\PFRO.log
2013-08-21 18:38 - 2013-08-21 18:38 - 00116849 _____ C:\Users\Colin\AppData\Local\2433f433
2013-08-21 18:38 - 2013-08-21 18:38 - 00116839 _____ C:\Users\Colin\AppData\Roaming\2433f433
2013-08-21 18:38 - 2013-08-21 18:38 - 00116809 _____ C:\ProgramData\2433f433
2013-08-21 15:00 - 2009-01-25 10:01 - 00000000 ____D C:\Program Files\PokerTracker 3
2013-08-21 07:43 - 2013-05-21 13:37 - 00000000 ____D C:\Users\Colin\AppData\Roaming\Skype
2013-08-21 02:54 - 2013-07-20 11:29 - 00000000 ____D C:\Program Files\Steam
2013-08-20 10:05 - 2009-01-22 13:17 - 00203776 _____ C:\Users\Colin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-08-17 08:15 - 2013-05-22 11:24 - 00000000 ____D C:\Users\Colin\AppData\Local\CrashDumps
2013-08-15 15:59 - 2011-02-20 02:57 - 00050956 _____ C:\Users\Colin\Desktop\DriverLic.zip
2013-08-15 03:58 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-08-15 03:54 - 2013-08-12 10:56 - 00000000 ____D C:\Windows\System32\MRT
2013-08-15 03:51 - 2006-11-02 02:24 - 75778376 _____ (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-08-15 03:44 - 2009-01-15 05:30 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-08-09 05:04 - 2013-08-09 05:04 - 00001071 _____ C:\Users\Public\Desktop\RealPlayer.lnk
2013-08-09 05:04 - 2013-02-23 11:50 - 00000000 ____D C:\Users\Colin\AppData\Roaming\RealNetworks
2013-08-09 05:04 - 2013-02-23 11:49 - 00000000 ____D C:\Program Files\RealNetworks
2013-08-09 05:03 - 2013-08-09 05:03 - 00201872 _____ (RealNetworks, Inc.) C:\Windows\System32\rmoc3260.dll
2013-08-09 05:03 - 2013-08-09 05:03 - 00000000 ____D C:\Program Files\Common Files\xing shared
2013-08-09 05:03 - 2013-02-23 11:49 - 00000000 ____D C:\ProgramData\RealNetworks
2013-08-09 05:03 - 2013-02-23 11:48 - 00000000 ____D C:\Program Files\Real
2013-08-09 05:02 - 2013-08-09 05:02 - 00272896 _____ (Progressive Networks) C:\Windows\System32\pncrt.dll
2013-08-09 05:02 - 2013-08-09 05:02 - 00006656 _____ (RealNetworks, Inc.) C:\Windows\System32\pndx5016.dll
2013-08-09 05:02 - 2013-08-09 05:02 - 00005632 _____ (RealNetworks, Inc.) C:\Windows\System32\pndx5032.dll
2013-08-09 05:02 - 2009-01-15 05:22 - 00499712 _____ (Microsoft Corporation) C:\Windows\System32\msvcp71.dll
2013-08-09 04:59 - 2013-08-09 04:59 - 00773296 _____ (RealNetworks, Inc.) C:\Users\Colin\Desktop\RealPlayer.exe
2013-08-07 11:29 - 2010-08-04 20:38 - 00000000 ____D C:\Program Files\McAfee
2013-07-31 03:26 - 2012-01-14 01:34 - 00000000 ____D C:\Program Files\Common Files\Adobe AIR
2013-07-31 03:21 - 2013-07-31 03:21 - 00205352 _____ C:\Windows\Minidump\Mini073113-01.dmp
2013-07-31 03:21 - 2009-01-24 18:52 - 330674713 _____ C:\Windows\MEMORY.DMP
2013-07-31 03:21 - 2009-01-24 18:52 - 00000000 ____D C:\Windows\Minidump
2013-07-31 01:35 - 2012-06-28 00:00 - 00002044 _____ C:\Users\Colin\Desktop\Google Chrome.lnk
2013-07-30 05:05 - 2013-07-20 11:29 - 00000000 ____D C:\Program Files\Common Files\Steam
 
Files to move or delete:
====================
C:\Users\Colin\AppData\Local\Temp\qwciifkgjdtjntmuv.exe
C:\ProgramData\c_0_lpt.pad
C:\Users\Colin\BetfairPokerInstaller.exe
C:\Users\Colin\Dasher_130_installer.exe
C:\Users\Colin\FullTiltSetup.exe
C:\Users\Colin\ic81aa_setup.exe
C:\Users\Colin\ic_full.exe
C:\Users\Colin\interpoker.exe
C:\Users\Colin\PokerStarsInstall.exe
C:\Users\Colin\PowerDVD-DX.exe
C:\Users\Colin\PT-Install-v3.00.3.pgsql.exe
C:\Users\Colin\PT-Install-v3.00.5.1.pgsql.exe
C:\Users\Colin\PT-Install-v3.00.b25.3.exe
C:\Users\Colin\PT-Install-v3.00.b26.exe
C:\Users\Colin\PT-Install-v3.06.2.exe
C:\Users\Colin\QuickTimeInstaller.exe
C:\Users\Colin\RealPlayer11GOLD.exe
C:\Users\Colin\vlc-0.9.8a-win32.exe
C:\Users\Colin\wlsetup-custom.exe
C:\Users\Colin\wrar380.exe
C:\Users\Colin\AppData\Local\Temp\224ddd2903470.exe
C:\Users\Colin\AppData\Local\Temp\Bandwidth Controller.exe
C:\Users\Colin\AppData\Local\Temp\bcevent.dll
C:\Users\Colin\AppData\Local\Temp\cabex.dll
C:\Users\Colin\AppData\Local\Temp\DivXInstaller.exe
C:\Users\Colin\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Colin\AppData\Local\Temp\FlashPlayerUpdate01.exe
C:\Users\Colin\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe
C:\Users\Colin\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Colin\AppData\Local\Temp\jre-6u12-windows-i586-p-iftw.exe
C:\Users\Colin\AppData\Local\Temp\jre-6u13-windows-i586-p-iftw.exe
C:\Users\Colin\AppData\Local\Temp\jre-6u15-windows-i586-iftw.exe
C:\Users\Colin\AppData\Local\Temp\jre-6u21-windows-i586-iftw-rv.exe
C:\Users\Colin\AppData\Local\Temp\jre-6u23-windows-i586-iftw-rv.exe
C:\Users\Colin\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Users\Colin\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\Colin\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\Colin\AppData\Local\Temp\jre-7u7-windows-i586-iftw.exe
C:\Users\Colin\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe
C:\Users\Colin\AppData\Local\Temp\lowproc.exe
C:\Users\Colin\AppData\Local\Temp\MSN8872.exe
C:\Users\Colin\AppData\Local\Temp\pPokerSetup.exe
C:\Users\Colin\AppData\Local\Temp\qwciifkgjdtjntmuv.dll
C:\Users\Colin\AppData\Local\Temp\stubhelper.dll
C:\Users\Colin\AppData\Local\Temp\svd_dap.exe
C:\Users\Colin\AppData\Local\Temp\Traffic Shaper XP.exe
C:\Users\Colin\AppData\Local\Temp\ueabklu.exe
C:\Users\Colin\AppData\Local\Temp\Uninstall.exe
C:\Users\Colin\AppData\Local\Temp\~rnsetup\GEMSETUP\msvcr100.dll
C:\Users\Colin\AppData\Local\Temp\~rnsetup\GEMSETUP\pnrs3260.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\GoogleCrashHandler.exe
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\GoogleCrashHandler64.exe
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\GoogleUpdate.exe
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\GoogleUpdateBroker.exe
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\GoogleUpdateOnDemand.exe
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\GoogleUpdateSetup.exe
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdate.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_am.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_ar.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_bg.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_bn.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_ca.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_cs.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_da.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_de.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_el.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_en-GB.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_en.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_es-419.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_es.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_et.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_fa.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_fi.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_fil.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_fr.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_gu.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_hi.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_hr.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_hu.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_id.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_is.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_it.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_iw.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_ja.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_kn.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_ko.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_lt.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_lv.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_ml.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_mr.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_ms.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_nl.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_no.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_pl.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_pt-BR.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_pt-PT.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_ro.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_ru.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_sk.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_sl.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_sr.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_sv.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_sw.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_ta.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_te.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_th.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_tr.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_uk.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_ur.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_vi.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_zh-CN.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\goopdateres_zh-TW.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\npGoogleUpdate3.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\psmachine.dll
C:\Users\Colin\AppData\Local\Temp\{6BEBE88C-B292-4448-816D-EB1BDEC35AC3}\psuser.dll
C:\Users\Colin\AppData\Local\Temp\WZSE2.TMP\ascode.dll
C:\Users\Colin\AppData\Local\Temp\WZSE2.TMP\psapi_.dll
C:\Users\Colin\AppData\Local\Temp\WZSE2.TMP\Setup.exe
C:\Users\Colin\AppData\Local\Temp\WZSE2.TMP\SpyProDll.dll
C:\Users\Colin\AppData\Local\Temp\WZSE2.TMP\SpyProtector.exe
C:\Users\Colin\AppData\Local\Temp\WZSE2.TMP\TaskMan.exe
C:\Users\Colin\AppData\Local\Temp\WZSE2.TMP\uninstal.exe
C:\Users\Colin\AppData\Local\Temp\WZSE1.TMP\ascode.dll
C:\Users\Colin\AppData\Local\Temp\WZSE1.TMP\psapi_.dll
C:\Users\Colin\AppData\Local\Temp\WZSE1.TMP\Setup.exe
C:\Users\Colin\AppData\Local\Temp\WZSE1.TMP\SpyProDll.dll
C:\Users\Colin\AppData\Local\Temp\WZSE1.TMP\SpyProtector.exe
C:\Users\Colin\AppData\Local\Temp\WZSE1.TMP\TaskMan.exe
C:\Users\Colin\AppData\Local\Temp\WZSE1.TMP\uninstal.exe
C:\Users\Colin\AppData\Local\Temp\WZSE0.TMP\ascode.dll
C:\Users\Colin\AppData\Local\Temp\WZSE0.TMP\psapi_.dll
C:\Users\Colin\AppData\Local\Temp\WZSE0.TMP\Setup.exe
C:\Users\Colin\AppData\Local\Temp\WZSE0.TMP\SpyProDll.dll
C:\Users\Colin\AppData\Local\Temp\WZSE0.TMP\SpyProtector.exe
C:\Users\Colin\AppData\Local\Temp\WZSE0.TMP\TaskMan.exe
C:\Users\Colin\AppData\Local\Temp\WZSE0.TMP\uninstal.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_extra.zip\bin\eula.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\awt.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\axbridge.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\cmm.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\dcpr.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\deploy.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\dt_shmem.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\dt_socket.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\fontmanager.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\hpi.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\hprof.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\instrument.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\ioser12.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\j2pcsc.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\j2pkcs11.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\jaas_nt.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\java-rmi.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\java.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\java.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\javacpl.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\javaw.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\javaws.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\java_crw_demo.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\jawt.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\JdbcOdbc.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\jdwp.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\jli.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\jpeg.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\jpicom.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\jpiexp.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\jpinscp.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\jpioji.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\jpishare.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\jsound.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\jsoundds.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\jucheck.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\jusched.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\keytool.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\kinit.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\klist.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\ktab.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\management.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\net.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\nio.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\npjava11.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\npjava12.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\npjava13.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\npjava14.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\npjava32.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\npjpi160.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\npoji610.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\npt.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\orbd.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\pack200.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\policytool.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\rmi.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\rmid.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\rmiregistry.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\servertool.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\splashscreen.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\ssv.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\sunmscapi.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\tnameserv.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\unpack.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\unpack200.exe
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\verify.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\w2k_lsa_auth.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\wsdetect.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\zip.dll
C:\Users\Colin\AppData\Local\Temp\Temp5_core1.zip\bin\client\jvm.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_extra.zip\bin\eula.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\awt.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\axbridge.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\cmm.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\dcpr.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\deploy.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\dt_shmem.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\dt_socket.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\fontmanager.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\hpi.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\hprof.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\instrument.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\ioser12.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\j2pcsc.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\j2pkcs11.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\jaas_nt.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\java-rmi.exe
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\java.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\java.exe
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\javacpl.exe
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\javaw.exe
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\javaws.exe
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\java_crw_demo.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\jawt.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\JdbcOdbc.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\jdwp.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\jli.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\jpeg.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\jpicom.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\jpiexp.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\jpinscp.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\jpioji.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\jpishare.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\jsound.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\jsoundds.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\jucheck.exe
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\jusched.exe
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\keytool.exe
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\kinit.exe
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\klist.exe
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\ktab.exe
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\management.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\net.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\nio.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\npjava11.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\npjava12.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\npjava13.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\npjava14.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\npjava32.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\npjpi160.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\npoji610.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\npt.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\orbd.exe
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\pack200.exe
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\policytool.exe
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\rmi.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\rmid.exe
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\rmiregistry.exe
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\servertool.exe
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\splashscreen.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\ssv.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\sunmscapi.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\tnameserv.exe
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\unpack.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\unpack200.exe
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\verify.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\w2k_lsa_auth.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\wsdetect.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\zip.dll
C:\Users\Colin\AppData\Local\Temp\Temp4_core1.zip\bin\client\jvm.dll
C:\Users\Colin\AppData\Local\Temp\Temp2_hjsplit.zip\hjsplit.exe
C:\Users\Colin\AppData\Local\Temp\Temp1_hjsplit.zip\hjsplit.exe
C:\Users\Colin\AppData\Local\Temp\sunpoker\casino.exe
C:\Users\Colin\AppData\Local\Temp\rninst~0\RUP\control.dll
C:\Users\Colin\AppData\Local\Temp\PRECEF6.tmp\x64\McShield.DLL
C:\Users\Colin\AppData\Local\Temp\PREBAE3.tmp\x64\McShield.DLL
C:\Users\Colin\AppData\Local\Temp\PRE3B5F.tmp\x64\McShield.DLL
C:\Users\Colin\AppData\Local\Temp\PRE26B0.tmp\x64\McShield.DLL
C:\Users\Colin\AppData\Local\Temp\PRE2041.tmp\x64\McShield.DLL
C:\Users\Colin\AppData\Local\Temp\pft4F4B.tmp\CLSM.exe
C:\Users\Colin\AppData\Local\Temp\pft4F4B.tmp\setup.exe
C:\Users\Colin\AppData\Local\Temp\Omni Casino\SetupCasino.exe
C:\Users\Colin\AppData\Local\Temp\Messenger_20.0.0001_0\SkypeSetupFull(6.3.73.105)(Trackable457)trackable.exe
C:\Users\Colin\AppData\Local\Temp\MCPR.tmp\mccleanup.exe
C:\Users\Colin\AppData\Local\Temp\MCPR.tmp\McClnUI.exe
C:\Users\Colin\AppData\Local\Temp\MCPR.tmp\VS\SdOASMon.dll
C:\Users\Colin\AppData\Local\Temp\MCPR.tmp\VS\vscore64\DAInstall.exe
C:\Users\Colin\AppData\Local\Temp\MCPR.tmp\VS\vscore64\mfehidin.exe
C:\Users\Colin\AppData\Local\Temp\MCPR.tmp\VS\vscore64\x86\DAInstall.exe
C:\Users\Colin\AppData\Local\Temp\MCPR.tmp\VS\vscore\DAInstall.exe
C:\Users\Colin\AppData\Local\Temp\MCPR.tmp\VS\vscore\mfehidin.exe
C:\Users\Colin\AppData\Local\Temp\MCPR.tmp\MSC\McMSCIns.dll
C:\Users\Colin\AppData\Local\Temp\MCPR.tmp\MSC\mscclnup.dll
C:\Users\Colin\AppData\Local\Temp\MCPR.tmp\MQC\McpIns.dll
C:\Users\Colin\AppData\Local\Temp\MCPR.tmp\MPS\mpsunins.dll
C:\Users\Colin\AppData\Local\Temp\MCPR.tmp\MNA\McSHIns.dll
C:\Users\Colin\AppData\Local\Temp\Low\DWPUpgradeInstaller.exe
C:\Users\Colin\AppData\Local\Temp\Kontiki4oDInstall\KHost.exe
C:\Users\Colin\AppData\Local\Temp\Kontiki4oDInstall\KService.exe
C:\Users\Colin\AppData\Local\Temp\CRY6B91.tmp\c03.dll
C:\Users\Colin\AppData\Local\Temp\CRY6B91.tmp\casresC2.dll
C:\Users\Colin\AppData\Local\Temp\CRY6B91.tmp\ICSYS.dll
C:\Users\Colin\AppData\Local\Temp\CRY6B91.tmp\ICSysInf.dll
C:\Users\Colin\AppData\Local\Temp\CRY6B91.tmp\install.exe
C:\Users\Colin\AppData\Local\Temp\CRY6B91.tmp\newimessages.dll
C:\Users\Colin\AppData\Local\Temp\CB5A.dir\InstallFlashPlayer.exe
C:\Users\Colin\AppData\Local\Temp\B2DB.dir\InstallFlashPlayer.exe
C:\Users\Colin\AppData\Local\Temp\978E.dir\InstallFlashPlayer.exe
C:\Users\Colin\AppData\Local\Temp\78D8.dir\InstallFlashPlayer.exe
C:\Users\Colin\AppData\Local\Temp\781.dir\InstallFlashPlayer.exe
C:\Users\Colin\AppData\Local\Temp\757E.dir\InstallFlashPlayer.exe
C:\Users\Colin\AppData\Local\Temp\5486.dir\InstallFlashPlayer.exe
C:\Users\Colin\AppData\Local\Temp\2423.dir\InstallFlashPlayer.exe
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-08-02 18:00:42
Restore point made on: 2013-08-03 06:31:29
Restore point made on: 2013-08-03 15:18:44
Restore point made on: 2013-08-04 04:56:35
Restore point made on: 2013-08-04 18:01:27
Restore point made on: 2013-08-05 14:42:38
Restore point made on: 2013-08-06 03:11:32
Restore point made on: 2013-08-06 17:29:04
Restore point made on: 2013-08-08 02:58:19
Restore point made on: 2013-08-08 18:01:03
Restore point made on: 2013-08-09 12:54:43
Restore point made on: 2013-08-09 18:00:52
Restore point made on: 2013-08-10 07:15:46
Restore point made on: 2013-08-10 18:00:50
Restore point made on: 2013-08-11 18:01:01
Restore point made on: 2013-08-12 10:48:17
Restore point made on: 2013-08-12 18:00:44
Restore point made on: 2013-08-13 15:00:22
Restore point made on: 2013-08-14 02:58:40
Restore point made on: 2013-08-15 03:24:52
Restore point made on: 2013-08-15 18:00:56
Restore point made on: 2013-08-16 14:23:39
Restore point made on: 2013-08-16 18:00:42
Restore point made on: 2013-08-16 18:41:29
Restore point made on: 2013-08-17 18:01:21
Restore point made on: 2013-08-18 14:31:50
Restore point made on: 2013-08-19 01:32:53
Restore point made on: 2013-08-19 18:01:25
Restore point made on: 2013-08-20 18:01:17
Restore point made on: 2013-08-21 07:15:13
Restore point made on: 2013-08-21 18:00:42
Restore point made on: 2013-08-22 05:47:01
Restore point made on: 2013-08-23 09:30:20
 
==================== Memory info =========================== 
 
Percentage of memory in use: 9%
Total physical RAM: 4092.57 MB
Available physical RAM: 3705.08 MB
Total Pagefile: 3959.89 MB
Available Pagefile: 3784.14 MB
Total Virtual: 2047.88 MB
Available Virtual: 1957.13 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:1182.26 GB) (Free:377.32 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive i: () (Removable) (Total:0.94 GB) (Free:0.92 GB) FAT
Drive x: (RECOVERY) (Fixed) (Total:10 GB) (Free:3.72 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 1192 GB) (Disk ID: 48000000)
Partition 1: (Not Active) - (Size=86 MB) - (Type=DE)
Partition 2: (Not Active) - (Size=10 GB) - (Type=07 NTFS)
Partition 3: (Active) - (Size=-929583595520) - (Type=07 NTFS)
 
========================================================
Disk: 5 (Size: 964 MB) (Disk ID: 91F72D24)
Partition 1: (Not Active) - (Size=964 MB) - (Type=06)
 
 
LastRegBack: 2013-08-23 09:46
 
==================== End Of Log ============================

 

 



#4 Oh My! (Malware Response Instructor)

Posted 30 August 2013 - 10:22 PM

Greetings Colin and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow This Topic button. Click on this, then choose Immediate E-Mail notification and then Proceed, and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started!
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided and I will reply as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 Colin01 (Topic Starter)

Posted 31 August 2013 - 07:51 AM

Hi Gary,

Thanks for the reply!

No problem about any delay, I'm just grateful for the help.

I have read the ground rules - got it - happy to let the expert lead the way.

I expect to check the thread very frequently.

Regards,

Colin



#6 Oh My! (Malware Response Instructor)

Posted 31 August 2013 - 05:19 PM

Hi Colin,

Thank you for your patience and sorry for the delay. You can expect that I will respond much faster from here on out.

Please start with the below.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the Windows logo key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
HKLM\...\Run: [] -  [x]
HKU\Colin\...\Run: [hqkcomka] - C:\Users\Colin\hqkcomka.exe [x]
HKU\Colin\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Colin\AppData\Local\Temp\qwciifkgjdtjntmuv.exe [ 2013-08-21] (Valve Corporation) <===== ATTENTION
HKU\Colin\...\Winlogon: [Shell] cmd.exe [ 2008-01-20] (Microsoft Corporation) <==== ATTENTION 
HKU\Colin\...\Command Processor: "C:\Users\Colin\AppData\Local\Temp\qwciifkgjdtjntmuv.exe" <===== ATTENTION!
2013-08-21 18:38 - 2013-08-21 18:38 - 00116849 _____ C:\Users\Colin\AppData\Local\2433f433
2013-08-21 18:38 - 2013-08-21 18:38 - 00116839 _____ C:\Users\Colin\AppData\Roaming\2433f433
2013-08-21 18:38 - 2013-08-21 18:38 - 00116809 _____ C:\ProgramData\2433f433
C:\Users\Colin\AppData\Local\Temp\qwciifkgjdtjntmuv.exe
C:\ProgramData\c_0_lpt.pad
C:\Users\Colin\BetfairPokerInstaller.exe
C:\Users\Colin\Dasher_130_installer.exe
C:\Users\Colin\FullTiltSetup.exe
C:\Users\Colin\ic81aa_setup.exe
C:\Users\Colin\ic_full.exe
C:\Users\Colin\interpoker.exe
C:\Users\Colin\PokerStarsInstall.exe
C:\Users\Colin\PowerDVD-DX.exe
C:\Users\Colin\PT-Install-v3.00.3.pgsql.exe
C:\Users\Colin\PT-Install-v3.00.5.1.pgsql.exe
C:\Users\Colin\PT-Install-v3.00.b25.3.exe
C:\Users\Colin\PT-Install-v3.00.b26.exe
C:\Users\Colin\PT-Install-v3.06.2.exe
C:\Users\Colin\QuickTimeInstaller.exe
C:\Users\Colin\RealPlayer11GOLD.exe
C:\Users\Colin\vlc-0.9.8a-win32.exe
C:\Users\Colin\wlsetup-custom.exe
C:\Users\Colin\wrar380.exe
C:\Users\Colin\AppData\Local\Temp
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up) and select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt). Copy and paste that information in your reply.
  • Please attempt to boot your computer into Normal Mode, or if not, Safe Mode
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Farbar log
  • Does your computer boot?

Gary
 

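The fixlist in the post above targets one persistence chain rather than a random set of files, and that chain explains the symptoms from the first post. The user's Winlogon Shell value has been changed from explorer.exe to cmd.exe, and HKCU\Software\Microsoft\Command Processor\AutoRun points at the executable in Temp. cmd.exe runs its AutoRun value every time it starts (unless launched with /D), so at logon Winlogon starts cmd.exe, cmd.exe starts the locker, and the desktop never appears. Safe Mode with Command Prompt also starts cmd.exe as the shell, which is why that boot option gave no escape. The Run entries marked [x] point at files that are already gone; they are cleanup, not active threats. The Python script below is an added example for this thread, not part of the post and not FRST's own code: it parses lines in the format of the fixlist and flags exactly these conditions. The sample lines are constructed to mirror the post, with one healthy Run entry and one healthy Winlogon Shell entry added for contrast, and the line-format rules are assumptions drawn from the fixlist, not FRST's specification.

```python
"""Triage FRST-style autostart lines for the Shell / AutoRun persistence chain.

Added example for this thread; not part of the original post and not FRST's own
code. The line formats handled here are assumptions drawn from the fixlist in the
post, and SAMPLE_LINES are constructed to mirror it.
"""
import re
from dataclasses import dataclass

# Directories a legitimate autostart almost never runs from (assumption).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\")

# Constructed sample in the fixlist's format: five lines mirroring the post plus
# one healthy Run entry and one healthy Winlogon Shell entry for contrast.
SAMPLE_LINES = [
    r"HKLM\...\Run: [] -  [x]",
    r"HKU\Colin\...\Run: [hqkcomka] - C:\Users\Colin\hqkcomka.exe [x]",
    r"HKU\Colin\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Colin\AppData\Local\Temp\qwciifkgjdtjntmuv.exe [ 2013-08-21] (Valve Corporation) <===== ATTENTION",
    r"HKU\Colin\...\Winlogon: [Shell] cmd.exe [ 2008-01-20] (Microsoft Corporation) <==== ATTENTION",
    r'HKU\Colin\...\Command Processor: "C:\Users\Colin\AppData\Local\Temp\qwciifkgjdtjntmuv.exe" <===== ATTENTION!',
    r"HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [2013-01-27] (Microsoft Corporation)",
    r"HKLM\...\Winlogon: [Shell] explorer.exe [2008-01-21] (Microsoft Corporation)",
]


@dataclass
class Finding:
    severity: str   # "high" = active persistence, "info" = dead entry to clean up
    key: str
    reason: str


def split_data(data):
    """Separate the program path from FRST's trailing annotations.

    'C:\\x.exe [ 2013-08-21] (Valve Corporation)' -> ('C:\\x.exe', False)
    'C:\\y.exe [x]'                                -> ('C:\\y.exe', True)   # [x] = file absent
    """
    data = re.sub(r"\s*\([^)]*\)\s*$", "", data)          # drop '(Company)'
    missing = False
    m = re.search(r"\s*\[([^\]]*)\]\s*$", data)
    if m:
        missing = m.group(1).strip() == "x"
        data = data[: m.start()]
    return data.strip().strip('"'), missing


def parse_line(line):
    """Return (key, value_name, data) for a Run / Winlogon / Command Processor line, else None."""
    key, sep, rest = line.partition(": ")
    if not sep:
        return None
    rest = rest.split("<===")[0].strip()                  # drop FRST's own ATTENTION marker
    if key.endswith("\\Run") or key.endswith("\\Winlogon"):
        m = re.match(r"\[(?P<name>[^\]]*)\]\s*-?\s*(?P<data>.*)$", rest)
        return (key, m["name"], m["data"]) if m else None
    if key.endswith("\\Command Processor"):
        # FRST prints this value without its name; it is AutoRun, which cmd.exe runs on every start.
        return key, "AutoRun", rest
    return None


def triage(lines):
    """Return Findings for the lines that show the persistence pattern."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        key, name, data = parsed
        path, missing = split_data(data)
        low = path.lower()
        if key.endswith("\\Winlogon"):
            if name.lower() == "shell" and low != "explorer.exe":
                findings.append(Finding("high", key,
                    f"Shell is '{path}' instead of explorer.exe: logon starts that program, never the desktop"))
        elif key.endswith("\\Command Processor"):
            findings.append(Finding("high", key,
                f"cmd.exe AutoRun runs '{path}' on every cmd.exe start, Safe Mode with Command Prompt included"))
        elif key.endswith("\\Run"):
            if missing:
                findings.append(Finding("info", key,
                    f"Run value '{name}' points to a file that no longer exists ('{path}'): dead entry, delete it"))
            elif any(d in low for d in SUSPICIOUS_DIRS):
                findings.append(Finding("high", key,
                    f"Run value '{name}' starts '{path}' from a user-writable temp/data directory"))
    return findings


def explains_lockout(findings):
    """True when a Shell hijack and a cmd.exe AutoRun are both present.

    Winlogon starts the Shell value (cmd.exe), cmd.exe runs its AutoRun value (the
    locker), so every logon ends at the lock screen. Safe Mode with Command Prompt
    also starts cmd.exe, so the same AutoRun fires there as well.
    """
    shell = any(f.key.endswith("\\Winlogon") for f in findings)
    autorun = any(f.key.endswith("\\Command Processor") for f in findings)
    return shell and autorun


if __name__ == "__main__":
    results = triage(SAMPLE_LINES)
    for f in results:
        print(f"[{f.severity}] {f.key}: {f.reason}")
    if explains_lockout(results):
        print("Shell hijack + cmd.exe AutoRun: normal logon and Safe Mode with Command Prompt both run the locker.")
```

Run as-is it reports three high findings and two dead entries; to use it on real output, replace SAMPLE_LINES with the lines of an FRST log. Two caveats for anyone reading such a log: the company string FRST prints comes from the file's own version information and is no evidence of legitimacy (the file in Temp here claims to be from Valve Corporation), and the hive prefix matters, because the same Shell or AutoRun values under HKLM rather than under the user's hive would affect every account on the machine, not just Colin's.
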
#7 Colin01 (Topic Starter)

Posted 31 August 2013 - 06:15 PM

Hey Gary,

I ran the fixlist; the fixlog is pasted below.

I was able to boot into Windows normally (which was a pleasant sight!). Although, when starting the computer CHKDSK runs again. Is this normal? Bad?

Regards,

Colin

---

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 28-08-2013
Ran by SYSTEM at 2013-08-31 23:45:30 Run:1
Running from I:\
Boot Mode: Recovery
 
==============================================
 
Content of fixlist:
*****************
HKLM\...\Run: [] -  [x]
HKU\Colin\...\Run: [hqkcomka] - C:\Users\Colin\hqkcomka.exe [x]
HKU\Colin\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Colin\AppData\Local\Temp\qwciifkgjdtjntmuv.exe [ 2013-08-21] (Valve Corporation) <===== ATTENTION
HKU\Colin\...\Winlogon: [Shell] cmd.exe [ 2008-01-20] (Microsoft Corporation) <==== ATTENTION 
HKU\Colin\...\Command Processor: "C:\Users\Colin\AppData\Local\Temp\qwciifkgjdtjntmuv.exe" <===== ATTENTION!
2013-08-21 18:38 - 2013-08-21 18:38 - 00116849 _____ C:\Users\Colin\AppData\Local\2433f433
2013-08-21 18:38 - 2013-08-21 18:38 - 00116839 _____ C:\Users\Colin\AppData\Roaming\2433f433
2013-08-21 18:38 - 2013-08-21 18:38 - 00116809 _____ C:\ProgramData\2433f433
C:\Users\Colin\AppData\Local\Temp\qwciifkgjdtjntmuv.exe
C:\ProgramData\c_0_lpt.pad
C:\Users\Colin\BetfairPokerInstaller.exe
C:\Users\Colin\Dasher_130_installer.exe
C:\Users\Colin\FullTiltSetup.exe
C:\Users\Colin\ic81aa_setup.exe
C:\Users\Colin\ic_full.exe
C:\Users\Colin\interpoker.exe
C:\Users\Colin\PokerStarsInstall.exe
C:\Users\Colin\PowerDVD-DX.exe
C:\Users\Colin\PT-Install-v3.00.3.pgsql.exe
C:\Users\Colin\PT-Install-v3.00.5.1.pgsql.exe
C:\Users\Colin\PT-Install-v3.00.b25.3.exe
C:\Users\Colin\PT-Install-v3.00.b26.exe
C:\Users\Colin\PT-Install-v3.06.2.exe
C:\Users\Colin\QuickTimeInstaller.exe
C:\Users\Colin\RealPlayer11GOLD.exe
C:\Users\Colin\vlc-0.9.8a-win32.exe
C:\Users\Colin\wlsetup-custom.exe
C:\Users\Colin\wrar380.exe
C:\Users\Colin\AppData\Local\Temp
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKU\Colin\Software\Microsoft\Windows\CurrentVersion\Run\\hqkcomka => Value deleted successfully.
HKU\Colin\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value not found.
HKU\Colin\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKU\Colin\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.
"C:\Users\Colin\AppData\Local\2433f433" => File/Directory not found.
"C:\Users\Colin\AppData\Roaming\2433f433" => File/Directory not found.
"C:\ProgramData\2433f433" => File/Directory not found.
"C:\Users\Colin\AppData\Local\Temp\qwciifkgjdtjntmuv.exe" => File/Directory not found.
C:\ProgramData\c_0_lpt.pad => Moved successfully.
C:\Users\Colin\BetfairPokerInstaller.exe => Moved successfully.
C:\Users\Colin\Dasher_130_installer.exe => Moved successfully.
C:\Users\Colin\FullTiltSetup.exe => Moved successfully.
C:\Users\Colin\ic81aa_setup.exe => Moved successfully.
C:\Users\Colin\ic_full.exe => Moved successfully.
C:\Users\Colin\interpoker.exe => Moved successfully.
C:\Users\Colin\PokerStarsInstall.exe => Moved successfully.
C:\Users\Colin\PowerDVD-DX.exe => Moved successfully.
C:\Users\Colin\PT-Install-v3.00.3.pgsql.exe => Moved successfully.
C:\Users\Colin\PT-Install-v3.00.5.1.pgsql.exe => Moved successfully.
C:\Users\Colin\PT-Install-v3.00.b25.3.exe => Moved successfully.
C:\Users\Colin\PT-Install-v3.00.b26.exe => Moved successfully.
C:\Users\Colin\PT-Install-v3.06.2.exe => Moved successfully.
C:\Users\Colin\QuickTimeInstaller.exe => Moved successfully.
C:\Users\Colin\RealPlayer11GOLD.exe => Moved successfully.
C:\Users\Colin\vlc-0.9.8a-win32.exe => Moved successfully.
C:\Users\Colin\wlsetup-custom.exe => Moved successfully.
C:\Users\Colin\wrar380.exe => Moved successfully.
C:\Users\Colin\AppData\Local\Temp => Moved successfully.
 
==== End of Fixlog ====

 

 

 

 

 



#8 Oh My! (Malware Response Instructor)

Posted 31 August 2013 - 07:26 PM

Hi Colin,

Excellent!

"Although, when starting the computer CHKDSK runs again. Is this normal?"

Yes, although it shouldn't continue to run at startup.

Please do this.

===================================================

Run Combofix in Vista/7

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.

sUBs, the author of Combofix, recommends that you uninstall AVG or CA Internet Security before running the program. If you have either of these programs on your computer, please uninstall them using AppRemover, which can be downloaded here. We will be sure to reinstall the antivirus program once we are finished using Combofix.
  • Please download ComboFix from one of these locations:

BleepingComputer
ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouseclick while the program is running or it may stall.
Note #1: Oftentimes it may appear as if ComboFix has stopped working. To verify it is still running, please do one of the following. If, based on the below, you have concluded ComboFix has stopped running, please stop and advise me.
  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
Note #2: If you receive the following error, "Illegal operation attempted on a registry key that has been marked for deletion", please just restart your computer to resolve this issue.

If Combofix fails to run properly using the above instructions please attempt the following:
  • Right click on the Combofix icon on your desktop and select Delete
  • Download a new copy but rename it to freshcopy.exe first, then save it to your desktop
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Right click on RKill (or iExplore) and select Run as Administrator. If you are using Windows XP simply double click the icon
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
  • Double click the freshcopy.exe icon (renamed Combofix file)
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again. If you uninstalled it please wait for instructions to reinstall it
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Combofix log
  • How is your computer running?

Gary
 

#9 Colin01 (Topic Starter)

Posted 01 September 2013 - 01:35 PM

Hi Gary,

I ran Combofix successfully, though it took some time. The log is pasted below.

I have not been using it much to run anything, but it seems to be fine so far. When I go to shut down, I just opt to immediately shut down instead of installing Windows updates - is it ok to attempt to install them?

CHKDSK still runs at startup.

Thanks again for the help so far.

Regards,

Colin

---

 

ComboFix 13-08-31.01 - Colin 01/09/2013  14:37:49.1.4 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.3325.1502 [GMT 1:00]
Running from: c:\users\Colin\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Outdated* {ADA629C7-7F48-5689-624A-3B76997E0892}
AV: Microsoft Security Essentials *Disabled/Outdated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Outdated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Microsoft Security Essentials *Disabled/Outdated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
c:\programdata\windows
c:\programdata\windows\dsdd.dat
c:\programdata\windows\nudr.dat
c:\users\Colin\AppData\Roaming\DataSafeDotNet.exe
c:\users\Colin\AppData\Roaming\Kyemp
c:\users\Colin\AppData\Roaming\Kyemp\ekda.ydl
c:\users\Colin\AppData\Roaming\SystemProc
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-01 to 2013-09-01  )))))))))))))))))))))))))))))))
.
.
2013-09-01 16:49 . 2013-09-01 16:49 -------- d-----w- c:\users\postgres\AppData\Local\temp
2013-09-01 16:49 . 2013-09-01 16:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-01 11:16 . 2013-08-06 07:28 7166848 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ACC90958-6192-47D4-9209-D7F13F4C7229}\mpengine.dll
2013-08-31 22:57 . 2013-09-01 16:57 -------- d-----w- c:\users\Colin\AppData\Local\Temp
2013-08-24 21:15 . 2013-08-24 21:15 -------- d-----w- C:\FRST
2013-08-20 16:06 . 2013-08-06 07:28 7166848 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-08-12 18:56 . 2013-08-15 11:54 -------- d-----w- c:\windows\system32\MRT
2013-08-09 13:03 . 2013-08-09 13:03 -------- d-----w- c:\program files\Common Files\xing shared
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-09 13:02 . 2009-01-15 13:22 499712 ----a-w- c:\windows\system32\msvcp71.dll
2013-07-17 17:14 . 2013-07-17 17:15 698504 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FEAB6CC9-6564-414F-82D1-141346159204}\gapaengine.dll
2013-07-17 11:19 . 2012-04-04 21:54 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-17 11:19 . 2011-07-18 11:08 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-22 02:25 . 2012-10-03 03:32 724464 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files (x86)\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-05-30 110592]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-03-01 18643560]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Steam"="c:\program files\Steam\Steam.exe" [2013-07-26 1807272]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bluetooth HCI Monitor"="HCIMNTR.DLL" [2006-12-07 9728]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-08-18 203296]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-04-17 184320]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-15 30192]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-05-14 244208]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2008-11-03 1745648]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2010-01-07 140520]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-14 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-14 92704]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-13 1278064]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2013-08-09 295512]
.
c:\users\Colin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-13 715568]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-01-15 13:42 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ   BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 11:19]
.
2013-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904030888-2676532526-3568789145-1000Core.job
- c:\users\Colin\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-19 15:42]
.
2013-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904030888-2676532526-3568789145-1000UA.job
- c:\users\Colin\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-19 15:42]
.
2013-09-01 c:\windows\Tasks\ReclaimerUpdateFiles_Colin.job
- c:\users\Colin\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.60\agent\rnupgagent.exe [2013-09-01 13:34]
.
2013-09-01 c:\windows\Tasks\ReclaimerUpdateXML_Colin.job
- c:\users\Colin\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.60\agent\rnupgagent.exe [2013-09-01 13:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en&source=iglk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-4oD - c:\program files\Kontiki\KHost.exe
c:\users\Colin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
AddRemove-BlueSquare Poker - c:\poker\BlueSquare Poker\_SetupPoker[1].exe
AddRemove-sunpoker - c:\program files\SunPoker\_SetupPoker_349a.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-01 17:57
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD DX\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-904030888-2676532526-3568789145-1000\Software\Microsoft\Windows\CurrentVersion\Dkebuxunakam*kebuxunakam]
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2013-09-01  18:03:14
ComboFix-quarantined-files.txt  2013-09-01 17:02
.
Pre-Run: 401,100,324,864 bytes free
Post-Run: 402,947,440,640 bytes free
.
- - End Of File - - 0C4AAAA41F8475013946185F85CC50D3
5C616939100B85E558DA92B899A0FC36


#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,785 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:40 PM

Posted 01 September 2013 - 02:26 PM

Hi Colin,

It is best to resist updating Windows until we are sure your system is clean. Updating an infected computer can cause big time headaches.

===================================================

Multiple Antivirus Programs - McAfee and Microsoft Security Essentials

-------------------

I do not recommend that you have more than one anti-virus product installed on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please remove all but one of the Antivirus programs currently on your computer, even if only one is running. You can do this via Add/Remove Programs, or Programs and Features in the Control Panel.

===================================================

Running Combofix Script

-------------------
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text below into the Notepad document
Regnull::
[HKEY_USERS\S-1-5-21-904030888-2676532526-3568789145-1000\Software\Microsoft\Windows\CurrentVersion\Dkebuxunakam*kebuxunakam]
  • Save this on your desktop as CFScript.txt

CFScriptB-4.gif

  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it will create a log for you at C:\ComboFix.txt. Please copy/paste the information in your next reply.
===================================================

Running Chkdsk /r From Command Prompt

--------------------
  • Close any open programs
  • Click Start, Programs, Accessories
  • Right click on Command Prompt and select Run as Administrator
  • Copy and paste the following after the command prompt and press Enter

CMD /C ECHO Y|CHKDSK C: /R | SHUTDOWN /R /T 10

  • Please allow the system to reboot on its own and run the program. This may take a bit of time
  • When completed your system will automatically reboot
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Combofix log
  • Did CHKDSK run properly?
  • Does CHKDSK automatically run at startup?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 Colin01

Colin01
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:40 AM

Posted 02 September 2013 - 08:56 AM

Hi Gary,

 

Thanks for the info regarding the updates and multiple AV programs. I removed Security Essentials.

 

I ran the combofix script, log pasted below. I am a little curious - is it possible to give a little insight or quick layman explanation of what the error was/what the script did? No problem at all if not.

 

After hitting Enter at the command prompt, the computer restarted and ran CHKDSK with the usual-looking errors (of the form: fixing incorrect information in file segment X... Deleting corrupt attribute record (128, " ") from file segment X).

Once it finished, CHKDSK immediately started to run again and continues to automatically run at startup. 

 

Kind Regards,

Colin

 

---

 

ComboFix 13-08-31.01 - Colin 02/09/2013   2:04.2.4 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.3325.1861 [GMT 1:00]
Running from: c:\users\Colin\Desktop\ComboFix.exe
Command switches used :: c:\users\Colin\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-02 to 2013-09-02  )))))))))))))))))))))))))))))))
.
.
2013-09-02 10:32 . 2013-09-02 10:32 -------- d-----w- c:\users\postgres\AppData\Local\temp
2013-09-02 10:32 . 2013-09-02 10:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-02 10:32 . 2013-09-02 10:33 -------- d-----w- c:\users\Colin\AppData\Local\temp
2013-08-24 21:15 . 2013-08-24 21:15 -------- d-----w- C:\FRST
2013-08-12 18:56 . 2013-08-15 11:54 -------- d-----w- c:\windows\system32\MRT
2013-08-09 13:03 . 2013-08-09 13:03 -------- d-----w- c:\program files\Common Files\xing shared
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-09 13:02 . 2009-01-15 13:22 499712 ----a-w- c:\windows\system32\msvcp71.dll
2013-07-17 11:19 . 2012-04-04 21:54 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-17 11:19 . 2011-07-18 11:08 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files (x86)\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-05-30 110592]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-03-01 18643560]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Steam"="c:\program files\Steam\Steam.exe" [2013-08-28 1811880]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bluetooth HCI Monitor"="HCIMNTR.DLL" [2006-12-07 9728]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-08-18 203296]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-04-17 184320]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-15 30192]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-05-14 244208]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2008-11-03 1745648]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2010-01-07 140520]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-14 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-14 92704]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-13 1278064]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2013-08-09 295512]
.
c:\users\Colin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-13 715568]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-01-15 13:42 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ   BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 11:19]
.
2013-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904030888-2676532526-3568789145-1000Core.job
- c:\users\Colin\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-19 15:42]
.
2013-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904030888-2676532526-3568789145-1000UA.job
- c:\users\Colin\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-19 15:42]
.
2013-09-01 c:\windows\Tasks\ReclaimerUpdateFiles_Colin.job
- c:\users\Colin\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.60\agent\rnupgagent.exe [2013-09-01 13:34]
.
2013-09-01 c:\windows\Tasks\ReclaimerUpdateXML_Colin.job
- c:\users\Colin\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.60\agent\rnupgagent.exe [2013-09-01 13:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en&source=iglk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-02 11:32
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD DX\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4216)
c:\windows\system32\btmmhook.dll
.
Completion time: 2013-09-02  11:36:57
ComboFix-quarantined-files.txt  2013-09-02 10:36
ComboFix2.txt  2013-09-01 17:03
.
Pre-Run: 402,215,321,600 bytes free
Post-Run: 402,844,643,328 bytes free
.
- - End Of File - - 2BBE5AC25BDF35952639222AE09CBA73
5C616939100B85E558DA92B899A0FC36


#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,785 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:40 PM

Posted 02 September 2013 - 02:19 PM

Hi Colin,

Of course you may ask.

That entry in the script was a locked registry key which contained random letters. That is usually not a good sign. Combofix was instructed to investigate the entry to determine if it should be deleted, which it was. All I can tell you is the entry appears to have been bad. I can't tell you exactly what it had been doing, if anything. Having said that, we are going to do a follow-up search relative to that entry. I also want to take a peek at a registry key related to CHKDSK.

Please do this.

===================================================

Farbar's MiniRegTool

--------------------
  • Please download MiniRegTool.zip (for 32 bit systems) and save it to your desktop
  • Unzip the folder and double click the icon
  • When you run the tool this is what you will see

MiniReg.gif

  • Copy and paste the following into the edit box:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

  • Check the Export radio button.
  • Press the Go button and post the result.
  • Copy and paste the following into the edit box:

Dkebuxunakam
kebuxunakam

  • Check the Search radio button.
  • Press the Go button and post the result.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • MiniRegTool reports

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#13 Colin01

Colin01
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:40 AM

Posted 02 September 2013 - 03:35 PM

Hi Gary,

 

Thanks for the response :) I guess I can only hope for the best.

 

I have the two logs, but for the first one when I attempt to paste it into the reply Chrome becomes unresponsive so I have attached it, if you don't mind.

 

The second is pasted below.

 

Regards,

Colin

 

--

 

MiniRegTool by Farbar Version:29-11-2012
Ran by Colin (administrator) on 2013-09-02 at 21:07:32
 
==========================================
Search Result For: "Dkebuxunakam"
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Dkebuxunakam]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DkebuxunakamDkebuxunakam]
==========================================
Search Result For: "kebuxunakam"
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Dkebuxunakam]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DkebuxunakamDkebuxunakam]
 
==== End of Search ====

 



#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,785 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:40 PM

Posted 02 September 2013 - 03:52 PM

Thanks Colin,

The file was too large, thanks for attaching it. Please do this.

===================================================

SystemLook by jpshortstuff

--------------------
  • Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
Download Mirror #3 For 64-bit users

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users: Right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:
:reg
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Dkebuxunakam /s
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DkebuxunakamDkebuxunakam /s
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • SystemLook log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#15 Colin01

Colin01
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:40 AM

Posted 02 September 2013 - 04:09 PM

Hi,

 

Here it is...

 

Colin

 

--

 

SystemLook 30.07.11 by jpshortstuff
Log created at 22:05 on 02/09/2013 by Colin
Administrator - Elevation successful
 
========== reg ==========
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Dkebuxunakam]
"Irire"=41 01 40 03 40 05 34 07 31 09 4b 0b 4f 0d 37 0f 21 11 22 13 23 15 21 17 2c 19 59 1b 28 1d 5d 1f 19 21 14 23 16 25 11 27 69 29 1d 2b 1d 2d 6a 2f 08 31 77 33 72 35 70 37 7a 39 0e 3b 7d 3d 0f 3f 40 41  (REG_BINARY)
"Lkigeweriquyiwif"=43 01 38 03 58 05 53 07 7b 09 6f 0b 7e 0d 7d 0f 4c 11 51 13 7b 15 7a 17 71 19 74 1b 40 1d 5f 1f 50 21 52 23 60 25 47 27 5c 29 4b 2b 70 2d 62 2f 5f 31 51 33 55 35 5a 37 64 39 4e 3b 5d 3d 50 3f 34 41 31 43 08 45 2f 47 66 49 2e 4b 20 4d 22 4f 50 51  (REG_BINARY)
"Gcedugaborovom"="160"
"Qyalasa"=31 01 30 03 35 05 37 07 08 09  (REG_BINARY)
"Jcazusob"=5f d3 62 f6  (REG_BINARY)
"Mlolutuye"=43 01 38 03 58 05 53 07 7b 09 6f 0b 7e 0d 7d 0f 4c 11 51 13 7b 15 7a 17 71 19 74 1b 40 1d 5f 1f 50 21 52 23 60 25 47 27 5c 29 4b 2b 70 2d 62 2f 5f 31 51 33 55 35 5a 37 64 39 5b 3b 5b 3d 5b 3f 31 41 23 43 23 45 23 47 3c 49 64 4b 28 4d 22 4f 3c 51 52 53  (REG_BINARY)
"Ljulali"=da 07 09 00 03 00 01 00 05 00 17 00 38 00 40 00  (REG_BINARY)
"Hpucij"=5e 4b dd 4d  (REG_BINARY)
"Bcohojocetuwe"=da 07 09 00 03 00 01 00 05 00 17 00 38 00 50 00  (REG_BINARY)
"Jxilanukukubub"=00 00 00 00  (REG_BINARY)
"m1"=01  (REG_BINARY)
"Vmudin"=":IEXPLORE.EXE:0:123Mi4567t8"
 
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DkebuxunakamDkebuxunakam]
(No values found)
 
 
-= EOF =-
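The key SystemLook dumped above has the shape Gary described in post #12: a random-looking name under HKCU\...\CurrentVersion, a sibling key whose name is that name written twice, a row of opaque REG_BINARY values, and one string value naming IEXPLORE.EXE. The following Python script is an added example, not a tool posted in this thread or part of SystemLook; it parses SystemLook ":reg" output in the format shown above and reports keys that show those same indicators. The sample log embedded in it, its key and value names, and the function names parse_systemlook_reg, is_doubled and triage are all constructed for this illustration.

```python
"""Triage helper for SystemLook ':reg' output (added example, not from the thread)."""
import re

# Constructed sample in the SystemLook log format posted above. Key and value
# names are made up for this illustration, not copied from any real machine.
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Administrator - Elevation successful

========== reg ==========

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Qxozumakiv]
"Irare"=41 01 40 03 40 05 34 07  (REG_BINARY)
"Gcedu"="160"
"Jcazu"=5f d3 62 f6  (REG_BINARY)
"m1"=01  (REG_BINARY)
"Vmudo"=":IEXPLORE.EXE:0:123Mi4567t8"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\QxozumakivQxozumakiv]
(No values found)


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=24 00 00 00 33 28 00 00  (REG_BINARY)
"Link"=1e 00 00 00  (REG_BINARY)

-= EOF =-
"""

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
# Strings are printed quoted with no type suffix; other types end in "(REG_xxx)".
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*?)(?:\s+\((?P<type>REG_[A-Z_]+)\))?$')
EXE_RE = re.compile(r'[A-Za-z0-9_]+\.EXE', re.IGNORECASE)


def parse_systemlook_reg(text):
    """Map each dumped key path to a list of (value_name, data, reg_type) tuples."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            keys[current] = []          # "(No values found)" keys stay empty
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            data, reg_type = m.group('data'), m.group('type')
            if reg_type is None and len(data) >= 2 and data[0] == data[-1] == '"':
                data, reg_type = data[1:-1], 'REG_SZ'
            keys[current].append((m.group('name'), data, reg_type or 'REG_UNKNOWN'))
    return keys


def is_doubled(leaf):
    """True when a key's leaf name is some string written twice (e.g. 'AbcAbc')."""
    half = len(leaf) // 2
    return len(leaf) >= 4 and len(leaf) % 2 == 0 and leaf[:half] == leaf[half:]


def triage(keys):
    """Return {key_path: [reasons]} for keys showing the indicators seen in this thread.

    Strong indicators: the leaf name is a doubled string, a sibling named
    <leaf><leaf> exists, or a string value names an .EXE. A key made up mostly
    of REG_BINARY blobs is only reported as support next to a strong indicator,
    so ordinary keys such as Explorer (which also hold binary data) are not flagged.
    """
    leaves = {k: k.rsplit('\\', 1)[-1] for k in keys}
    all_leaves = set(leaves.values())
    findings = {}
    for key, values in keys.items():
        leaf = leaves[key]
        strong, support = [], []
        if is_doubled(leaf):
            strong.append('key name is a string repeated twice')
        if (leaf + leaf) in all_leaves:
            strong.append('a sibling key named %s exists' % (leaf + leaf))
        for name, data, reg_type in values:
            hit = EXE_RE.search(data) if reg_type == 'REG_SZ' else None
            if hit:
                strong.append('value %r references %s' % (name, hit.group(0)))
        n_bin = sum(1 for v in values if v[2] == 'REG_BINARY')
        if values and n_bin * 2 >= len(values):
            support.append('%d of %d values are opaque REG_BINARY blobs' % (n_bin, len(values)))
        if strong:
            findings[key] = strong + support
    return findings


if __name__ == '__main__':
    for key, reasons in triage(parse_systemlook_reg(SAMPLE_LOG)).items():
        print(key)
        for reason in reasons:
            print('   -', reason)
```

To use it on a real run, replace SAMPLE_LOG with the contents of the SystemLook.txt the tool leaves on the Desktop. The indicators are only the ones visible in this thread, so a hit is a reason to look closer at a key, not proof on its own, and a clean result does not rule anything out.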

 





