
Ransomware, Locked PC Help Please!!


  • This topic is locked
14 replies to this topic

#1 nastytang

  • Members
  • 16 posts

Posted 14 December 2013 - 04:27 AM

Hello, I'm running Win XP Pro 64 Bit OS. I was surfing through the Web one day when I happened upon a very Nasty Bug!! Imagine my surprise when I finally realized that I could no longer use my Puter after that day!!

It's National Security Agency Central Security Service (VIRUS!! Nasty)

 

I tried Hitman, no go. Kickstart shows 3 options, 1, 2 or 3... all 3 options boot the PC and nothing else happens, no program starts and the lock screen shows... yes, the program is on the USB drive, both the 32-bit and 64-bit, beside Kickstart.

When I try Ctrl+Alt+Delete the only thing I can do is shut the PC down; Task Manager will not show up.

Also, when trying to boot into Safe Mode the PC shuts back down.


I hope I explained this issue well!

Thanks!!

Nasty!




#2 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 December 2013 - 01:19 PM


Hello nastytang

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.

For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe or e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First Press the Scan button.
  • It will make a log (FRST.txt)
I want you to post the FRST.txt report into your reply to me.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
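Gringo asks for the FRST.txt report and, once it arrives, reads it for a handful of entry types before anything else. The script below is an added example (it is not part of this thread and not FRST's own code) that pulls those entries out of an FRST report: the lines FRST itself marks ATTENTION, a Winlogon Shell value that is anything other than plain explorer.exe (a second program appended after the comma is loaded with the desktop, which is how lock-screen ransomware of this period stayed on top even in Safe Mode), autostart entries launched from a user profile, a browser proxy pointed at 127.0.0.1, Winsock catalog entries whose library file is missing, and entries whose target file no longer exists. The sample input is an excerpt of the report posted later in this thread; the rule names and the set of checks are the example's own choices, and the output is a reading list for a human, not a verdict.

```python
import re
from dataclasses import dataclass

# Excerpt of the FRST.txt report posted later in this thread, used as sample
# input. The triage rules below are this example's own, not FRST's.
SAMPLE_FRST = r"""
HKLM\...\Run: [OutpostMonitor] - D:\Program Files\Agnitum\Outpost Security Suite Pro\op_mon.exe [4263392 2011-02-23] (Agnitum Ltd.)
HKLM-x32\...\Winlogon: [Userinit] userinit, [x]
HKLM\...\Command Processor: <======= ATTENTION
HKCU\...\Winlogon: [Shell] explorer.exe,D:\Documents and Settings\Administrator\Application Data\skype.dat [135680 2011-11-22] (SinkDev Software) <==== ATTENTION
HKCU\...\Policies\Explorer\Run: [Adobe] - D:\Documents and Settings\Administrator\Application Data\rjuavfvr\certegsh.exe No File
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
FF NetworkProxy: "http", "127.0.0.1"
FF NetworkProxy: "http_port", 57758
S2 MBAMService; D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
"""


@dataclass
class Finding:
    rule: str   # name of the check that fired
    line: str   # the FRST line, verbatim


def _shell_hijack(line: str) -> bool:
    # Winlogon Shell should be exactly "explorer.exe". Anything after a comma
    # is started alongside the desktop; that is the lock-screen persistence.
    m = re.search(r"\\Winlogon: \[Shell\] (?P<value>[^\[<]+)", line)
    return bool(m) and m.group("value").strip().lower() != "explorer.exe"


def _frst_flag(line: str) -> bool:
    # FRST's own marker for entries it considers abnormal.
    return "ATTENTION" in line


def _user_profile_autostart(line: str) -> bool:
    # Run/RunOnce/Policies\Explorer\Run entries whose target sits inside a
    # user profile. Legitimate software rarely launches from Application Data.
    return bool(re.search(r"\\Run(?:Once)?: \[", line)) and "Application Data" in line


def _local_proxy(line: str) -> bool:
    # A browser proxy on localhost is almost always injected to intercept
    # traffic; the port is listed on a separate "http_port" line.
    return line.startswith("FF NetworkProxy:") and "127.0.0.1" in line


def _winsock_damage(line: str) -> bool:
    # Winsock catalog entries whose provider DLL cannot be found break
    # networking and are a common leftover of LSP-based malware.
    return line.startswith("Winsock:") and "File Not found" in line


def _missing_file(line: str) -> bool:
    # "[x]" and "No File" mark entries whose target no longer exists:
    # orphaned autostarts from removed malware or unfinished cleanup.
    return line.endswith("[x]") or line.endswith("No File")


CHECKS = [
    ("winlogon_shell_hijack", _shell_hijack),
    ("frst_attention_flag", _frst_flag),
    ("autostart_from_user_profile", _user_profile_autostart),
    ("browser_proxy_to_localhost", _local_proxy),
    ("winsock_lsp_missing", _winsock_damage),
    ("target_file_missing", _missing_file),
]


def triage(report_text: str) -> list[Finding]:
    """Run every check over every non-empty line; one Finding per rule hit."""
    findings = []
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for rule, check in CHECKS:
            if check(line):
                findings.append(Finding(rule, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per rule, for a quick overview before reading each line."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_FRST)
    for rule, n in summarize(hits).items():
        print(f"{n:2d}  {rule}")
    for f in hits:
        print(f"[{f.rule}] {f.line}")
```

Run against the excerpt, the script lists ten hits on seven lines and nothing for the Outpost or Malwarebytes service entries. The profile-path rule is deliberately broad: on the full report it would also flag the Malwarebytes cleanup RunOnce, which runs a DLL out of All Users\Application Data, so each hit still needs a look at the publisher and path before it goes into a fix list.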

#3 nastytang

  • Topic Starter

  • Members
  • 16 posts

Posted 15 December 2013 - 01:30 AM

Hey Gringo, thanks for the Help!! :rolleyes: Here is the log

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-12-2013 01
Ran by Administrator (administrator) on SX64PC on 14-12-2013 22:33:14
Running from O:\
Microsoft Windows XP Service Pack 2 (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Safe Mode (minimal)

==================== Processes (Whitelisted) =================

(Microsoft Corporation) D:\WINDOWS\system32\taskmgr.exe
(Microsoft Corporation) D:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [IMJPMIG8.1] - D:\WINDOWS\ime\IMJP8_1\imjpmig.exe [167424 2007-02-18] (Microsoft Corporation)
HKLM\...\Run: [IMEKRMIG6.1] - D:\WINDOWS\ime\IMKR6_1\imekrmig.exe [69120 2007-02-18] (Microsoft Corporation)
HKLM\...\Run: [PHIME2002ASync] - D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [432128 2007-02-18] (Microsoft Corporation)
HKLM\...\Run: [PHIME2002A] - D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [432128 2007-02-18] (Microsoft Corporation)
HKLM\...\Run: [OutpostMonitor] - D:\Program Files\Agnitum\Outpost Security Suite Pro\op_mon.exe [4263392 2011-02-23] (Agnitum Ltd.)
HKLM\...\Run: [OutpostFeedBack] - D:\Program Files\Agnitum\Outpost Security Suite Pro\feedback.exe [769912 2011-02-07] (Agnitum Ltd.)
HKLM\...\Run: [Seagate Scheduler2 Service] - D:\Program Files (x86)\Common Files\Seagate\Schedule2\schedhlp.exe [136544 2009-10-16] (Seagate)
HKLM\...\Run: [NvMediaCenter] - RunDLL32.exe NvMCTray.dll,NvTaskbarInit
HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] - "D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] - rundll32.exe "D:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1127496 2013-04-04] (Malwarebytes Corporation)
HKLM-x32\...\RunOnce: [InnoSetupRegFile.0000000001] - "D:\WINDOWS\is-PPMRB.exe" /REG /REGSVRMODE [710504 2013-01-03] ()
HKLM-x32\...\Runonce: [advancedworldclock6qvuk] - [x]
HKLM-x32\...\Winlogon: [Userinit] userinit, [x]
HKLM\...\Winlogon: [UIHost] D:\WINDOWS\system32\logonui.exe [662016 2007-02-18] ( (Microsoft Corporation))
Winlogon\Notify\crypt32chain: D:\Windows\system32\crypt32.dll (Microsoft Corporation)
Winlogon\Notify\cryptnet: D:\Windows\system32\cryptnet.dll (Microsoft Corporation)
Winlogon\Notify\cscdll: D:\Windows\system32\cscdll.dll (Microsoft Corporation)
Winlogon\Notify\dimsntfy: D:\Windows\system32\dimsntfy.dll (Microsoft Corporation)
Winlogon\Notify\ScCertProp: D:\Windows\system32\wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\Schedule: D:\Windows\system32\wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\sclgntfy: D:\Windows\system32\sclgntfy.dll (Microsoft Corporation)
Winlogon\Notify\SensLogn: D:\Windows\system32\WlNotify.dll (Microsoft Corporation)
Winlogon\Notify\termsrv: D:\Windows\system32\wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\wlballoon: D:\Windows\system32\wlnotify.dll (Microsoft Corporation)
HKLM\...\Policies\Explorer: [Start_ShowMyComputer] 1
HKLM\...\Policies\Explorer: [Start_ShowMyDocs] 1
HKLM\...\Policies\Explorer: [Start_ShowNetConn] 1
HKLM\...\Policies\Explorer: [StartMenuFavorites] 0
HKLM\...\Policies\Explorer: [Start_ShowMyMusic] 0
HKLM\...\Policies\Explorer: [Start_ShowRun] 1
HKLM\...\Policies\Explorer: [Start_ShowSearch] 0
HKLM\...\Policies\Explorer: [NoRemoteRecursiveEvents] 1
HKLM\...\Policies\Explorer: [NoStrCmpLogical] 1
HKLM\...\Command Processor: <======= ATTENTION
HKLM-x32\...\Command Processor: <======= ATTENTION
HKCU\...\Run: [Abosen] - D:\Program Files (x86)\MetaGhana\Abosen\abosen.exe -z
HKCU\...\Winlogon: [Shell] explorer.exe,D:\Documents and Settings\Administrator\Application Data\skype.dat [135680 2011-11-22] (SinkDev Software) <==== ATTENTION
HKCU\...\Policies\Explorer\Run: [Adobe] - D:\Documents and Settings\Administrator\Application Data\rjuavfvr\certegsh.exe No File
HKCU\...\Policies\system: [NoDispAppearancePage] 0
HKCU\...\Policies\system: [NoColorChoice] 0
HKCU\...\Policies\system: [NoSizeChoice] 0
HKCU\...\Policies\system: [NoDispBackgroundPage] 0
HKCU\...\Policies\system: [NoDispScrSavPage] 0
HKCU\...\Policies\system: [NoDispCPL] 0
HKCU\...\Policies\system: [NoVisualStyleChoice] 0
HKCU\...\Policies\system: [NoDispSettingsPage] 0
HKCU\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 1
HKCU\...\Policies\Explorer: [NoResolveSearch] 1
HKCU\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKCU\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKCU\...\Policies\Explorer: [NoUserNameInStartMenu] 1
HKCU\...\Policies\Explorer: [NoSaveSettings] 0
HKCU\...\Policies\Explorer: [NoStartBanner] 0x01000000
HKCU\...\Policies\Explorer: [Intellimenus] 0
HKCU\...\Policies\Explorer: [NoInternetOpenWith] 1
HKCU\...\Policies\Explorer: [NoSharedDocuments] 0
HKLM-x32\...\Run: [SoundMAXPnP] - D:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1036288 2007-10-08] (Analog Devices, Inc.)
HKLM-x32\...\Run: [SoundMAX] - D:\Program Files (x86)\Analog Devices\SoundMAX\SMax4.exe [864256 2007-10-08] (Analog Devices, Inc.)
HKLM-x32\...\Run: [DiscWizardMonitor.exe] - D:\Program Files (x86)\Seagate\DiscWizard\DiscWizardMonitor.exe [1325936 2009-10-16] (Seagate)
HKLM-x32\...\Run: [AcronisTimounterMonitor] - D:\Program Files (x86)\Seagate\DiscWizard\TimounterMonitor.exe [904840 2009-10-16] (Acronis)
HKLM-x32\...\Run: [SunJavaUpdateSched] - D:\Program Files (x86)\Java\jre6\bin\jusched.exe [148888 2011-08-24] (Sun Microsystems, Inc.)
HKU\Default User\...\Run: [CTFMON.EXE] - D:\WINDOWS\system32\ctfmon.exe [20992 2007-02-18] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [tscuninstall] - D:\WINDOWS\system32\tscupgrd.exe [62464 2007-02-18] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [_nltide_3] - rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
HKU\Default User\...\RunOnce: [IE8.1st_UserStart] - rundll32.exe advpack.dll,LaunchINFSection 5erIE8.inf,1st_UserStart
HKU\LocalService\...\Run: [CTFMON.EXE] - D:\WINDOWS\system32\ctfmon.exe [20992 2007-02-18] (Microsoft Corporation)
HKU\LocalService\...\RunOnce: [tscuninstall] - D:\WINDOWS\system32\tscupgrd.exe [62464 2007-02-18] (Microsoft Corporation)
HKU\LocalService\...\RunOnce: [_nltide_3] - rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
HKU\LocalService\...\RunOnce: [IE8.1st_UserStart] - rundll32.exe advpack.dll,LaunchINFSection 5erIE8.inf,1st_UserStart
HKU\UpdatusUser\...\Run: [CTFMON.EXE] - D:\WINDOWS\system32\ctfmon.exe [20992 2007-02-18] (Microsoft Corporation)
HKU\UpdatusUser\...\RunOnce: [tscuninstall] - D:\WINDOWS\system32\tscupgrd.exe [62464 2007-02-18] (Microsoft Corporation)
HKU\UpdatusUser\...\RunOnce: [_nltide_3] - rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
HKU\UpdatusUser\...\RunOnce: [IE8.1st_UserStart] - rundll32.exe advpack.dll,LaunchINFSection 5erIE8.inf,1st_UserStart
AppInit_DLLs: D:\Program Files\Agnitum\Outpost Security Suite Pro\wl_hook64.dll [983152 2011-02-07] (Agnitum Ltd.)
AppInit_DLLs-x32: d:\progra~1\agnitum\outpos~1\wl_hook.dll [701456 2011-02-07] (Agnitum Ltd.)
IFEO\Your Image File Name Here without a path: [Debugger] ntsd -d
Lsa: [Authentication Packages] msv1_0 relog_ap
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
Startup: D:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
ShortcutTarget: ERUNT AutoBackup.lnk -> D:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()
SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - D:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
SSODL-x32: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\syswow64\SHELL32.dll No File
SSODL-x32: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\syswow64\SHELL32.dll No File
SSODL-x32: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - D:\WINDOWS\SysWOW64\stobject.dll (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie_rsearch.html
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
HKCU\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
URLSearchHook: HKLM-x32 - (No Name) - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - No File
URLSearchHook: HKCU - uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - D:\Program Files (x86)\uTorrentControl_v2\prxtbuTo1.dll (Conduit Ltd.)
StartMenuInternet: IEXPLORE.EXE - D:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM-x32 - DefaultScope {EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C} URL = http://slirsredirect.search.aol.com/redirector/sredir?sredir=2685&query={searchTerms}&invocationType=tb50-ie-winamp-chromesbox-en-us&tb_uuid=20110929103356342&tb_oid=29-09-2011&tb_mrud=29-09-2011
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM-x32 - {EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C} URL = http://slirsredirect.search.aol.com/redirector/sredir?sredir=2685&query={searchTerms}&invocationType=tb50-ie-winamp-chromesbox-en-us&tb_uuid=20110929103356342&tb_oid=29-09-2011&tb_mrud=29-09-2011
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://www.delta-search.com/?q={searchTerms}&affID=119776&babsrc=SP_ss&mntrId=24ac46b7000000000000001d60151995
SearchScopes: HKCU - {30019AAB-3F32-48AC-BBF8-FC35FF3B1ABA} URL = http://www.bing.com/search?q={searchTerms}&r=531
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468
SearchScopes: HKCU - {EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C} URL = http://slirsredirect.search.aol.com/redirector/sredir?sredir=2685&query={searchTerms}&invocationType=tb50-ie-winamp-chromesbox-en-us&tb_uuid=20110929103356342&tb_oid=29-09-2011&tb_mrud=29-09-2011
BHO: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - D:\Program Files (x86)\ivo\Expressivo\integr\ih-iexplorer\IH_iexplorer_x64.dll (IVO Software Sp. z o.o.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - D:\Program Files (x86)\uTorrentControl_v2\prxtbuTo1.dll (Conduit Ltd.)
BHO-x32: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - D:\Program Files (x86)\ivo\Expressivo\integr\ih-iexplorer\IH_iexplorer.dll (IVO Software Sp. z o.o.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files (x86)\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - D:\Program Files (x86)\ivo\Expressivo\integr\ih-iexplorer\IH_iexplorer_x64.dll (IVO Software Sp. z o.o.)
Toolbar: HKLM-x32 - No Name - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - No File
Toolbar: HKLM-x32 - Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - D:\Program Files (x86)\ivo\Expressivo\integr\ih-iexplorer\IH_iexplorer.dll (IVO Software Sp. z o.o.)
Toolbar: HKLM-x32 - uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - D:\Program Files (x86)\uTorrentControl_v2\prxtbuTo1.dll (Conduit Ltd.)
Toolbar: HKCU - No Name - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - No File
Toolbar: HKCU - No Name - {7473B6BD-4691-4744-A82B-7854EB3D70B6} - No File
DPF: HKLM-x32 {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1314876458878
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - D:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
Handler: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - D:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - D:\WINDOWS\SysWOW64\urlmon.dll (Microsoft Corporation)
Handler-x32: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} - %SystemRoot%\SysWOW64\inetcomm.dll No File
Handler-x32: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - %SystemRoot%\SysWOW64\mshtml.dll No File
Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - D:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
Filter-x32: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - %SystemRoot%\syswow64\SHELL32.dll No File
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog9 03 mswsock.dll File Not found ()
Winsock: Catalog9 04 mswsock.dll File Not found ()
Winsock: Catalog9 05 mswsock.dll File Not found ()
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog9-x64 01 mswsock.dll File Not found ()
Winsock: Catalog9-x64 02 mswsock.dll File Not found ()
Winsock: Catalog9-x64 03 mswsock.dll File Not found ()
Winsock: Catalog9-x64 04 mswsock.dll File Not found ()
Winsock: Catalog9-x64 05 mswsock.dll File Not found ()
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 74.81.99.1 74.81.99.2

FireFox:
========
FF ProfilePath: D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default
FF user.js: detected! => D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\user.js
FF DefaultSearchEngine: Google
FF SelectedSearchEngine: Google
FF Homepage: hxxp://www.excite.com/
FF Keyword.URL: user_pref("keyword.URL", "");
FF NetworkProxy: "http", "127.0.0.1"
FF NetworkProxy: "http_port", 57758
FF Homepage: hxxp://www.excite.com/
FF SelectedSearchEngine: Google
FF Plugin-x32: @adobe.com/FlashPlayer - D:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll No File
FF Plugin-x32: @adobe.com/ShockwavePlayer - D:\WINDOWS\system32\Adobe\Director\np32dsw.dll No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - D:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 - D:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin-x32: @real.com/nppl3260;version=6.0.12.69 - D:\Program Files (x86)\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpjplug;version=6.0.12.69 - D:\Program Files (x86)\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF SearchPlugin: D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\searchplugins\aol-web-search.xml
FF SearchPlugin: D:\Program Files (x86)\mozilla firefox\searchplugins\answers.xml
FF SearchPlugin: D:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
FF SearchPlugin: D:\Program Files (x86)\mozilla firefox\searchplugins\creativecommons.xml
FF Extension: No Name - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\ffxtlbr@babylon.com
FF Extension: No Name - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\{042c6db7-55f1-406d-bc77-d6ee990b2852}
FF Extension: Winamp Toolbar - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}
FF Extension: XUL Cache - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\{0d4a971c-c4c1-426e-9182-d5cba19ae2e2}
FF Extension: XUL Cache - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\{13f3718f-19d6-4364-aeec-af07db5c27e5}
FF Extension: Microsoft .NET Framework Assistant - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF Extension: XUL Cache - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\{2fd618b9-07d9-447f-99de-1737603c77aa}
FF Extension: No Name - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\{57fc1433-0b49-4de1-a690-1df73d125dd0}
FF Extension: XUL Cache - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\{6d2f1cab-2170-4f13-b2b8-71eca57bbf92}
FF Extension: uTorrentControl_v2 - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}
FF Extension: XUL Cache - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\{7e868a9d-cba2-48bf-a9f5-43296c10464a}
FF Extension: XUL Cache - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\{ade2bbf0-cddc-469a-a291-edcff71b4af0}
FF Extension: XUL Cache - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\{b7114507-4e89-4bd2-a60a-697ade7597fe}
FF Extension: XUL Cache - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\{bd807443-b4fa-4318-a83c-05826778deae}
FF Extension: XUL Cache - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\{db610429-b8e0-4436-a1de-08415aa0c8b8}
FF Extension: ShopToWin6 - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\{e68d0d96-5f18-496c-87f2-c0d521d78fbe}
FF Extension: XUL Cache - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\{f94e8139-2d68-48df-9eed-f86538191c9b}
FF Extension: XUL Cache - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\{fbed2805-1b59-4b96-8ca3-1b4e37db6b56}
FF Extension: gophoto - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\gophoto@gophoto.it.xpi
FF Extension: torntv2 - D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8batkzfr.default\Extensions\torntv2@torntv.com.xpi
FF Extension: Java Console - D:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF Extension: Adblock Plus - D:\Program Files (x86)\Mozilla Firefox\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF Extension: expressivo - D:\Program Files (x86)\Mozilla Firefox\extensions\expressivo@expressivo.com
FF HKLM-x32\...\Firefox\Extensions: [jqs@sun.com] - D:\Program Files (x86)\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - D:\Program Files (x86)\Java\jre6\lib\deploy\jqs\ff
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - D:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - D:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

==================== Services (Whitelisted) =================

S2 acssrv; D:\Program Files\Agnitum\Outpost Security Suite Pro\acs.exe [3453312 2011-02-23] (Agnitum Ltd.)
S2 AeLookupSvc; D:\Windows\SysWow64\aelupsvc.dll [26624 2007-02-18] (Microsoft Corporation)
S2 ALG; D:\Windows\SysWow64\alg.exe [45056 2007-02-18] (Microsoft Corporation)
S2 AudioSrv; D:\Windows\SysWow64\audiosrv.dll [41472 2007-02-18] (Microsoft Corporation)
S2 bgsvcgen; D:\WINDOWS\SysWow64\bgsvcgen.exe [139264 2012-04-28] (SOURCENEXT)
S3 Browser; D:\Windows\SysWow64\browser.dll [78336 2007-03-14] (Microsoft Corporation)
S3 ClipSrv; D:\Windows\system32\clipsrv.exe [49664 2007-02-18] (Microsoft Corporation)
S3 ClipSrv; D:\Windows\SysWow64\clipsrv.exe [32256 2007-02-18] (Microsoft Corporation)
S3 dmadmin; D:\Windows\System32\dmadmin.exe [399872 2008-08-27] (Microsoft Corporation)
R2 dmserver; D:\Windows\System32\dmserver.dll [37376 2007-02-18] (Microsoft Corporation)
S2 DragonUpdater; D:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe [1853584 2012-10-11] ()
S3 ERSvc; D:\Windows\System32\ersvc.dll [31744 2007-02-18] (Microsoft Corporation)
S3 helpsvc; D:\Windows\PCHealth\HelpCtr\Binaries\pchsvc.dll [77312 2007-02-18] (Microsoft Corporation)
S3 HTTPFilter; D:\Windows\System32\w3ssl.dll [21504 2007-02-18] (Microsoft Corporation)
S3 IASJet; D:\Windows\SysWOW64\iasrecst.dll [162816 2007-02-18] (Microsoft Corporation)
S3 ImapiService; D:\WINDOWS\system32\imapi.exe [265728 2007-02-18] (Microsoft Corporation)
S3 JavaQuickStarterService; D:\Program Files (x86)\Java\jre6\bin\jqs.exe [152984 2011-08-24] (Sun Microsystems, Inc.)
S2 MBAMScheduler; D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S3 mnmsrvc; D:\WINDOWS\SysWow64\mnmsrvc.exe [32768 2007-02-18] (Microsoft Corporation)
S4 NetDDE; D:\Windows\system32\netdde.exe [160768 2007-02-18] (Microsoft Corporation)
S4 NetDDEdsdm; D:\Windows\system32\netdde.exe [160768 2007-02-18] (Microsoft Corporation)
S2 Netman; D:\Windows\SysWow64\netman.dll [263680 2007-02-18] (Microsoft Corporation)
S2 Nla; D:\Windows\System32\mswsock.dll [493056 2011-03-03] (Microsoft Corporation)
S2 Nla; D:\Windows\SysWow64\mswsock.dll [234496 2011-03-03] (Microsoft Corporation)
S3 NMSAccessU; D:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe [71096 2008-10-20] ()
S3 NtLmSsp; D:\Windows\system32\lsass.exe [14336 2007-02-18] (Microsoft Corporation)
S3 NtmsSvc; D:\Windows\system32\ntmssvc.dll [794112 2007-02-18] (Microsoft Corporation)
S2 NVSvc; D:\Windows\system32\nvsvc64.exe [178688 2009-09-27] (NVIDIA Corporation)
R2 PlugPlay; D:\Windows\system32\services.exe [227840 2009-03-19] (Microsoft Corporation)
S3 PolicyAgent; D:\Windows\system32\lsass.exe [14336 2007-02-18] (Microsoft Corporation)
S3 RasAuto; D:\Windows\SysWow64\rasauto.dll [91648 2007-02-18] (Microsoft Corporation)
S3 RasMan; D:\Windows\SysWow64\rasmans.dll [181760 2007-02-18] (Microsoft Corporation)
S3 RpcLocator; D:\Windows\SysWow64\locator.exe [71680 2007-02-18] (Microsoft Corporation)
S3 SCardSvr; D:\Windows\System32\SCardSvr.exe [166400 2007-02-18] (Microsoft Corporation)
S3 Schedule; D:\Windows\SysWow64\schedsvc.dll [202240 2008-05-09] (Microsoft Corporation)
S4 seclogon; D:\Windows\SysWow64\seclogon.dll [18432 2007-02-18] (Microsoft Corporation)
S2 SentinelSecurityRuntime; D:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe [292128 2009-09-17] (SafeNet, Inc.)
S4 SysmonLog; D:\Windows\system32\smlogsvc.exe [133120 2007-12-14] (Microsoft Corporation)
S4 SysmonLog; D:\Windows\SysWow64\smlogsvc.exe [96256 2007-12-14] (Microsoft Corporation)
S3 TrkWks; D:\Windows\SysWow64\trkwks.dll [86528 2007-02-18] (Microsoft Corporation)
S3 UPS; D:\Windows\System32\ups.exe [34816 2007-02-18] (Microsoft Corporation)
S3 UPS; D:\Windows\SysWow64\ups.exe [16896 2007-02-18] (Microsoft Corporation)
S4 vToolbarUpdater14.2.0; D:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [968880 2013-02-28] ()
S3 WmdmPmSN; D:\WINDOWS\SysWOW64\mspmsnsv.dll [27136 2009-06-10] (Microsoft Corporation)
S3 Wmi; D:\Windows\System32\advapi32.dll [1065472 2009-03-19] (Microsoft Corporation)
S3 Wmi; D:\Windows\SysWow64\advapi32.dll [619008 2009-03-19] (Microsoft Corporation)
S3 WMPNetworkSvc; D:\Program Files (x86)\Windows Media Player\WMPNetwk.exe [913408 2006-10-18] (Microsoft Corporation)
S2 wuauserv; D:\WINDOWS\system32\wuauserv.dll [22552 2008-10-16] (Microsoft Corporation)
S2 WZCSVC; D:\Windows\System32\wzcsvc.dll [659968 2009-06-10] (Microsoft Corporation)
S2 WZCSVC; D:\Windows\SysWow64\wzcsvc.dll [489472 2007-02-18] (Microsoft Corporation)
S3 xmlprov; D:\Windows\System32\xmlprov.dll [326144 2007-02-18] (Microsoft Corporation)
S3 xmlprov; D:\Windows\SysWow64\xmlprov.dll [131584 2007-02-18] (Microsoft Corporation)
R2 Eventlog; [x]
S3 RDSessMgr;
S3 WinHttpAutoProxySvc; winhttp.dll [x]
S4 WmiApSrv;

==================== Drivers (Whitelisted) ====================

S4 Abiosdsk; No ImagePath
S4 ACPIEC; D:\Windows\System32\Drivers\ACPIEC.sys [18432 2007-02-18] (Microsoft Corporation)
S4 adpu160m; No ImagePath
S4 adpu320; No ImagePath
S3 AEAudio; D:\Windows\System32\drivers\AEAudio.sys [140160 2007-06-19] (Andrea Electronics Corporation)
S3 aec; D:\Windows\System32\drivers\aec.sys [188928 2005-03-24] (Microsoft Corporation)
S3 afw; D:\Windows\System32\DRIVERS\afw.sys [40552 2010-04-20] (Agnitum Ltd.)
S3 afwcore; D:\Windows\System32\drivers\afwcore.sys [350312 2010-09-27] (Agnitum Ltd.)
S4 aic78u2; No ImagePath
S4 aic78xx; No ImagePath
S4 AliIde; No ImagePath
S4 AmdIde; No ImagePath
S1 AmdPPM64; D:\Windows\System32\DRIVERS\AmdPPM64.sys [44544 2007-04-16] (Advanced Micro Devices)
S4 arc; No ImagePath
S1 ArcSec; D:\Windows\System32\drivers\ArcSec.sys [312184 2010-09-21] ()
S3 Arp1394; D:\Windows\System32\DRIVERS\arp1394.sys [111104 2007-02-16] (Microsoft Corporation)
S3 ASWFilt; D:\WINDOWS\system32\Filt\ASWFilt64.dll [51360 2011-02-02] (Agnitum Ltd.)
S4 Atdisk; No ImagePath
S3 Atmarpc; D:\Windows\System32\DRIVERS\atmarpc.sys [106496 2007-02-18] (Microsoft Corporation)
S3 audstub; D:\Windows\System32\DRIVERS\audstub.sys [5632 2005-03-24] (Microsoft Corporation)
S2 CdaC15BA; D:\Windows\System32\DRIVERS\CdaC15BA.sys [13312 2007-02-18] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
S2 CdaD10BA; D:\Windows\System32\DRIVERS\CdaD10BA.sys [13312 2007-02-18] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
S1 cdrbsdrv; D:\Windows\SysWow64\Drivers\cdrbsdrv.sys [38944 2012-04-28] (B.H.A Corporation)
S4 CmdIde; No ImagePath
S4 dmboot; D:\Windows\System32\drivers\dmboot.sys [415232 2007-02-18] (Microsoft Corporation)
R0 dmio; D:\Windows\System32\drivers\dmio.sys [246784 2009-01-08] (Microsoft Corporation)
R0 dmload; D:\Windows\System32\drivers\dmload.sys [9216 2007-02-18] (Microsoft Corporation)
S4 dpti2o; No ImagePath
S1 Fips; D:\Windows\System32\Drivers\Fips.sys [50176 2007-02-18] (Microsoft Corporation)
R0 Ftdisk; D:\Windows\System32\DRIVERS\ftdisk.sys [240128 2007-09-01] (Microsoft Corporation)
S3 Gpc; D:\Windows\System32\DRIVERS\msgpc.sys [71168 2007-02-18] (Microsoft Corporation)
R3 HDAudBus; D:\Windows\System32\DRIVERS\HDAudBus.sys [239616 2005-07-13] (Windows ® Server 2003 DDK provider)
S4 iirsp; No ImagePath
R1 imapi; D:\Windows\System32\DRIVERS\imapi.sys [72704 2009-06-10] (Microsoft Corporation)
S4 IntelIde; No ImagePath
S3 Ip6Fw; D:\Windows\System32\DRIVERS\Ip6Fw.sys [57856 2007-02-18] (Microsoft Corporation)
S1 IPSec; D:\Windows\System32\DRIVERS\ipsec.sys [156672 2007-11-22] (Microsoft Corporation)
S3 kmixer; D:\Windows\System32\drivers\kmixer.sys [204288 2005-03-24] (Microsoft Corporation)
S3 MBAMProtector; D:\WINDOWS\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S1 mnmdd; D:\Windows\System32\Drivers\mnmdd.sys [8192 2007-02-18] (Microsoft Corporation)
S4 mraid35x; No ImagePath
S3 NIC1394; D:\Windows\System32\DRIVERS\nic1394.sys [92160 2005-03-24] (Microsoft Corporation)
S3 nv; D:\Windows\System32\DRIVERS\nv4_mini.sys [9687424 2009-09-27] (NVIDIA Corporation)
R0 nvata64; D:\Windows\System32\DRIVERS\nvata64.sys [164864 2006-05-01] (NVIDIA Corporation)
S3 NVENETFD; D:\Windows\System32\DRIVERS\NVENETFD.sys [103424 2010-08-12] (NVIDIA Corporation)
R0 nvgts64; D:\Windows\System32\DRIVERS\nvgts64.sys [192544 2009-06-30] (NVIDIA Corporation)
S3 nvnetbus; D:\Windows\System32\DRIVERS\nvnetbus.sys [20480 2010-08-12] (NVIDIA Corporation)
S3 pgfilter; D:\Program Files\PeerGuardian2\pgfilter.sys [7680 2005-09-18] ()
S3 PSched; D:\Windows\System32\DRIVERS\psched.sys [106496 2007-02-18] (Microsoft Corporation)
S3 Ptilink; D:\Windows\System32\DRIVERS\ptilink.sys [31232 2007-02-18] (Parallel Technologies, Inc.)
S3 Raspti; D:\Windows\System32\DRIVERS\raspti.sys [31232 2007-02-18] (Microsoft Corporation)
R1 redbook; D:\Windows\System32\DRIVERS\redbook.sys [64000 2005-03-24] (Microsoft Corporation)
S1 SandBox; D:\WINDOWS\system32\drivers\SandBox64.sys [1099352 2011-02-02] (Agnitum Ltd.)
S3 SenFiltService; D:\Windows\System32\drivers\Senfilt.sys [1821184 2005-11-21] (Creative Technology Ltd.)
S2 Sentinel64; D:\Windows\System32\Drivers\Sentinel64.sys [145448 2009-09-17] (SafeNet, Inc.)
R0 SI3132; D:\Windows\System32\DRIVERS\SI3132.sys [90664 2007-10-03] (Silicon Image, Inc)
R0 SiFilter; D:\Windows\System32\DRIVERS\SiWinAcc.sys [22056 2007-10-03] (Silicon Image, Inc)
S4 Simbad; No ImagePath
R0 SiRemFil; D:\Windows\System32\DRIVERS\SiRemFil.sys [17448 2007-10-03] (Silicon Image, Inc)
S3 splitter; D:\Windows\System32\drivers\splitter.sys [10240 2007-02-16] (Microsoft Corporation)
S3 swmidi; D:\Windows\System32\drivers\swmidi.sys [86528 2005-03-24] (Microsoft Corporation)
S4 symc8xx; No ImagePath
S4 symmpi; No ImagePath
S4 sym_hi; No ImagePath
S4 sym_u3; No ImagePath
S3 sysaudio; D:\Windows\System32\drivers\sysaudio.sys [147456 2007-02-16] (Microsoft Corporation)
S4 TosIde; No ImagePath
S4 ultra; No ImagePath
R3 Update; D:\Windows\System32\DRIVERS\update.sys [152576 2007-05-29] (Microsoft Corporation)
S3 VBEngNT; D:\WINDOWS\system32\drivers\VBEngNT.sys [293048 2011-02-02] (VirusBuster Kft.)
S3 VBFilt; D:\WINDOWS\system32\Filt\VBFilt64.dll [45168 2011-02-02] (Agnitum Ltd.)
S3 VBoxNetAdp; D:\Windows\System32\DRIVERS\VBoxNetAdp.sys [130704 2009-07-10] (Sun Microsystems, Inc.)
S4 ViaIde; No ImagePath
S3 wdmaud; D:\Windows\System32\drivers\wdmaud.sys [187904 2007-02-16] (Microsoft Corporation)
S3 EverestDriver; \??\L:\My Portables APPS\Port.Everest.5.50.2100.www.dailymaza.com\kerneld.amd64 [x]
S3 PSTRIP; \??\D:\WINDOWS\system32\DRIVERS\PSTRIP.SYS [x]
U5 ScsiPort; D:\Windows\system32\drivers\scsiport.sys [171008 2007-02-18] (Microsoft Corporation)
S2 supersafer64; \??\D:\WINDOWS\SysWOW64\drivers\supersafer64.sys [x]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [x]
U1 WS2IFSL;
U4 wscsvc;

==================== NetSvcs (Whitelisted) ===================

NETSVCx32: Browser -> D:\Windows\SysWOW64\browser.dll (Microsoft Corporation)
NETSVCx32: CryptSvc -> D:\Windows\SysWOW64\cryptsvc.dll (Microsoft Corporation)
NETSVCx32: DMServer -> D:\Windows\SysWOW64\dmserver.dll ==> No File.
NETSVCx32: EventSystem -> D:\WINDOWS\SysWOW64\es.dll (Microsoft Corporation)
NETSVCx32: HidServ -> D:\Windows\SysWOW64\hidserv.dll ==> No File.
NETSVCx32: Iprip -> No ServiceDLL Path.
NETSVCx32: LanmanWorkstation -> D:\Windows\SysWOW64\wkssvc.dll ==> No File.
NETSVCx32: Netman -> D:\Windows\SysWOW64\netman.dll (Microsoft Corporation)
NETSVCx32: Seclogon -> D:\Windows\SysWOW64\seclogon.dll (Microsoft Corporation)
NETSVCx32: TrkWks -> D:\Windows\SysWOW64\trkwks.dll (Microsoft Corporation)
NETSVCx32: WZCSVC -> D:\Windows\SysWOW64\wzcsvc.dll (Microsoft Corporation)
NETSVCx32: xmlprov -> D:\Windows\SysWOW64\xmlprov.dll (Microsoft Corporation)
NETSVCx32: WmdmPmSN -> D:\WINDOWS\SysWOW64\mspmsnsv.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

2013-12-14 22:33 - 2013-12-14 22:33 - 00000000 ____D D:\FRST
2013-12-09 10:24 - 2013-12-14 03:41 - 00000004 _____ D:\Documents and Settings\Administrator\Application Data\skype.ini
2013-11-14 03:06 - 2011-05-24 21:42 - 00000156 _____ D:\Documents and Settings\Administrator\Desktop\Chris Brown.txt

==================== One Month Modified Files and Folders =======

2013-12-14 22:33 - 2013-12-14 22:33 - 00000000 ____D D:\FRST
2013-12-14 03:41 - 2013-12-09 10:24 - 00000004 _____ D:\Documents and Settings\Administrator\Application Data\skype.ini
2013-12-14 03:41 - 2011-08-26 17:58 - 00523836 _____ D:\WINDOWS\system32\config\afw_db.conf
2013-12-14 03:41 - 2011-08-26 17:58 - 00000708 _____ D:\WINDOWS\system32\config\afw_hm.conf
2013-12-14 03:41 - 2011-08-26 03:54 - 00168175 _____ D:\WINDOWS\system32\config\rules.rdb
2013-12-14 03:41 - 2011-08-24 23:15 - 00723564 _____ D:\WINDOWS\system32\PerfStringBackup.INI
2013-12-14 03:41 - 2011-08-24 21:30 - 00000216 _____ D:\Documents and Settings\LocalService\wiadebug.log
2013-12-14 03:41 - 2011-08-24 21:22 - 01740955 _____ D:\WINDOWS\WindowsUpdate.log
2013-12-14 03:38 - 2007-02-18 07:00 - 00002206 _____ D:\WINDOWS\system32\wpa.dbl
2013-12-14 03:37 - 2011-08-24 22:11 - 00000000 _____ D:\WINDOWS\0.log
2013-12-14 03:37 - 2009-09-27 18:33 - 00253748 _____ D:\WINDOWS\system32\NvApps.xml
2013-12-10 06:09 - 2011-08-24 21:25 - 00000178 ___SH D:\Documents and Settings\Administrator\ntuser.ini
2013-12-10 06:03 - 2011-08-26 03:53 - 00000000 ____D D:\WINDOWS\system32\Filt
2013-12-09 10:29 - 2011-08-26 17:57 - 00000000 ____D D:\Documents and Settings\Administrator\Application Data\uTorrent
2013-12-09 10:20 - 2011-08-31 17:45 - 00000000 ____D D:\Program Files\PeerGuardian2
2013-12-09 09:00 - 2009-03-19 18:42 - 00000000 __SHD D:\Documents and Settings\Administrator\Application Data\rjuavfvr
2013-12-04 19:33 - 2011-09-03 09:13 - 00011384 _____ D:\Documents and Settings\Administrator\My Documents\Notepad2.ini
2013-11-22 08:44 - 2011-08-25 07:31 - 00063566 _____ D:\WINDOWS\PFRO.log
2013-11-20 04:11 - 2011-09-16 10:49 - 00000116 _____ D:\WINDOWS\NeroDigital.ini

ZeroAccess:
D:\Windows\assembly\tmp
D:\Windows\assembly\tmp\@
D:\Windows\assembly\tmp\cfg.ini

ZeroAccess:
D:\Windows\System32\consrv.dll

ZeroAccess:
D:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
D:\Windows\assembly\GAC_64\Desktop.ini

Files to move or delete:
====================
D:\Documents and Settings\Administrator\Application Data\skype.dat
D:\Documents and Settings\Administrator\Application Data\skype.ini


Some content of TEMP:
====================
D:\Documents and Settings\Administrator\Local Settings\Temp\12B.tmp.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\bassmod.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\gert0.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\getsavin.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\htmlayout.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\ICReinstall_ADClockSetup_setup.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\ICReinstall_ZuneClock10_setup.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\keystone.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\mirc725.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\nvAppBar.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\nview.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\nView64.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\nViewSetup.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\nvnt4cpl.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\nvShell.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\nvTaskBar.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\nvwdmcpl.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\nvwimg.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\nvwimg64.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSAR.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSCS.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSDA.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSDE.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSEL.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSENG.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSENU.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSES.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSESM.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSFI.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSFR.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSHE.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSHU.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSIT.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSJA.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSKO.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSNL.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSNO.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSPL.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSPT.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSPTB.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSRU.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSSK.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSSL.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSSV.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSTH.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSTR.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSZHC.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\NVWRSZHT.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\nwiz.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\oi_{3444CC05-B9BC-4945-9AC5-7741DD653E5E}.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\psu2bjlw.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\swt-win32-3448.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\tbedrs.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\TB_3ED.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\Tsu2B237A60.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\Tsu5C166E11.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\Tsu7DF0DF07.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\uninst1.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\UNINSTALL.EXE
D:\Documents and Settings\Administrator\Local Settings\Temp\uninstall100264875.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\uninstall100275171.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\utt1F.tmp.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\uttD0.tmp.exe


==================== Bamital & volsnap Check =================

D:\Windows\System32\winlogon.exe
[2008-04-23 22:12] - [2008-04-23 22:12] - 0944128 ____A (Microsoft Corporation) 41433583EA482B238DE2951DE59DEB4C

D:\Windows\System32\wininit.exe IS MISSING <==== ATTENTION!.
D:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION!.
D:\Windows\explorer.exe
[2007-02-05 23:03] - [2007-02-05 23:03] - 1364480 ____A (Microsoft Corporation) B02B95ED58DFB67502B3908573FAC6D7

D:\Windows\SysWOW64\explorer.exe
[2007-02-05 23:03] - [2007-02-05 23:03] - 1053184 ____A (Microsoft Corporation) A7350345C820527B581DA9337EB9601F

D:\Windows\System32\svchost.exe
[2007-02-18 07:00] - [2007-02-18 07:00] - 0025600 ____A (Microsoft Corporation) 46300880A5062A41C16DF5E3E836A6C9

D:\Windows\SysWOW64\svchost.exe
[2007-02-18 07:00] - [2007-02-18 07:00] - 0014848 ____A (Microsoft Corporation) C09CCFE81DEC9B162533D7184D705682

D:\Windows\System32\services.exe
[2009-03-19 18:42] - [2009-03-19 18:42] - 0227840 ____A (Microsoft Corporation) 5BC6B0FFA0EB95A02F63D5BCAD39127B

D:\Windows\System32\User32.dll
[2007-03-01 23:56] - [2007-03-01 23:56] - 1086464 ____A (Microsoft Corporation) 35BC0334F3D679209C34CB6E4293C29C

D:\Windows\SysWOW64\User32.dll
[2007-03-01 23:56] - [2007-03-01 23:56] - 0602624 ____A (Microsoft Corporation) F8DA18588869B9480F99AD2E0CC7EFC2

D:\Windows\System32\userinit.exe
[2007-02-18 07:00] - [2007-02-18 07:00] - 0039424 ____A (Microsoft Corporation) 438393CC0B5122B5D988BD7BA05FE3C9

D:\Windows\SysWOW64\userinit.exe
[2007-02-18 07:00] - [2007-02-18 07:00] - 0026112 ____A (Microsoft Corporation) B5FEB3B971A8B8C81CE9DE65031A87E5

D:\Windows\System32\Drivers\volsnap.sys
[2009-02-23 21:07] - [2009-02-23 21:07] - 0326144 ____A (Microsoft Corporation) 511F64AC3D17D9E6E59E0D20B3EC7B9D

ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: D:\Windows\system64
D:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

==================== End Of Log ============================
[/code]
BTW, the PC is in safe mode with no internet, though!
 
Awaiting your reply.
 
 
Nasty!

Edited by gringo_pr, 15 December 2013 - 02:07 AM.


#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 15 December 2013 - 02:20 AM

Hello nastytang

I see a lot of issues on this computer. Most are older infections, and on top of that it is XP64, so we are going to be very lucky if we get this to work. I would back up anything important that you may want to keep in case things do not go right.



I need you to download this script I have made for you --> xx

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).

Run FRST again but this time press the Fix button just once and wait.


When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system


Gringo

Edited by gringo_pr, 15 December 2013 - 09:17 PM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 nastytang

  • Topic Starter
  • Members
  • 16 posts

Posted 15 December 2013 - 02:26 AM

OK will do!

 

Sorry do I need to scan again or just hit Fix??


Edited by nastytang, 15 December 2013 - 02:30 AM.


#6 nastytang

  • Topic Starter
  • Members
  • 16 posts

Posted 15 December 2013 - 02:53 AM

Well, so much for that. It ran the fix and said it needed to restart. Upon restart I got the blue screen of death, so I guess that is it now.



#7 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 15 December 2013 - 03:15 AM

Hello

Can you get to safe mode or the safe mode menu?

Gringo

#8 nastytang

  • Topic Starter
  • Members
  • 16 posts

Posted 15 December 2013 - 03:20 AM

No, it tries to start Windows, gets to what looks like it is loading the desktop, and blue screens. It said unable to locate component.

If you mean F8 and getting the safe mode, last known working, and the other 10 options, yes.


Edited by nastytang, 15 December 2013 - 03:22 AM.


#9 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 15 December 2013 - 03:44 AM

Hello

Last post of the night (might be one more)

Try last known and then try a system restore if last known did not work.


gringo

#10 nastytang

  • Topic Starter
  • Members
  • 16 posts

Posted 15 December 2013 - 03:53 AM

Hi gringo

Good night to you, sir.

 

I think we're toast!! That did not work either.

 

Edit

 

Thanks for your help, but I'll have to do a reformat and clean install. You can close this thread.

 

 

 

Nasty!


Edited by nastytang, 15 December 2013 - 04:07 AM.


#11 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 15 December 2013 - 09:18 PM

Sent you a PM.


gringo

#12 nastytang

  • Topic Starter
  • Members
  • 16 posts

Posted 16 December 2013 - 02:19 AM

OK, got it! The PM.

 

Nasty!


Edited by nastytang, 16 December 2013 - 02:19 AM.


#13 nastytang

  • Topic Starter
  • Members
  • 16 posts

Posted 22 December 2013 - 06:49 AM

PM updated!!

 

 

 

 

Nasty!



#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 28 December 2013 - 11:40 AM

Hello Nasty

There is nothing else I can find to do.

Gringo

#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 04 January 2014 - 10:10 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.