[PirateGuy]

Hello, my PC has recently been infected by the "FBI" MoneyPak Virus, which I believe is the same as or similar to the one in this video (please note, I have not done anything mentioned in this video, it is just an example):

I got this virus although I have an up-to-date installation of Norton Security Suite which I got with a Comcast subscription. I have attempted to go into regular safe mode to remove the virus with Malwarebytes or a Norton Scan, but when I attempt to do so the virus still pops up in fullscreen after a moment and I am unable to do anything except shut down my PC. I am currently running Windows Vista Ultimate 32-bit SP2, and I can answer any questions necessary to help remove this infection. I appreciate any help that can be provided ASAP.

[Advertisements]

Hello PirateGuy

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

• Please do not run any tools unless instructed to do so.
  
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
• Please do not attach logs or use code boxes, just copy and paste the text.
  
  • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
• Please read every post completely before doing anything.
  
  • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
• Please provide feedback about your experience as we go.
  
  • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst64.exe or e:\frst.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.

[*]First Press the Scan button.
[*]It will make a log (FRST.txt)

[*]Second Type the following in the edit box after "Search:". services.exe
[*]Click the Search button
[*]It will make a log (Search.txt)
[/list]
I want you to poste Both the FRST.txt report and the Search.txt into your reply to me

Gringo

[gringo_pr]

Hello PirateGuy

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

• Please do not run any tools unless instructed to do so.
  
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
• Please do not attach logs or use code boxes, just copy and paste the text.
  
  • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
• Please read every post completely before doing anything.
  
  • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
• Please provide feedback about your experience as we go.
  
  • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst64.exe or e:\frst.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.

[*]First Press the Scan button.
[*]It will make a log (FRST.txt)

[*]Second Type the following in the edit box after "Search:". services.exe
[*]Click the Search button
[*]It will make a log (Search.txt)
[/list]
I want you to poste Both the FRST.txt report and the Search.txt into your reply to me

Gringo

[PirateGuy]

Sorry, I took so long to reply, I've been a bit busy. I was able to do the first scan part, and I will copy the log to my post here. However, the second part with the services.exe search was taking a while (over an hour) and I had to shut down my PC before it completed because of a lightning storm that could have fried my PC (it happened to one a few years back, and I've always been careful since.) How long should the second part take? If it searches through all of my files it might explain why it takes so long, as I have 2 1tb hard drives that are both fairly full. Also, a bit of info that occurred to me that might be important: to be clear, I'm fairly sure this virus entered my PC through my internet browser, as it suddenly popped up during browsing and it had been a while since I downloaded any files that could possibly be harmful to my PC. That might be obvious, but I thought it couldn't hurt to mention it. Anyway, here's the log of the scan:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-04-2013 (ATTENTION: FRST version is 7 days old)
Ran by SYSTEM at 18-04-2013 16:48:37
Running from F:\
Windows Vista ™ Ultimate Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7346720 2009-04-07] (Realtek Semiconductor)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM\...\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe [215552 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM\...\Run: [boincmgr] "E:\Program Files\BOINC\boincmgr.exe" /a /s [x]
HKLM\...\Run: [boinctray] "E:\Program Files\BOINC\boinctray.exe" [x]
HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [641704 2012-06-11] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKU\Guest\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKU\Reese\...\Run: [Google Update] "C:\Users\Reese\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-05-25] (Google Inc.)
HKU\Reese\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\Reese\...\Run: [Akamai NetSession Interface] "C:\Users\Reese\AppData\Local\Akamai\netsession_win.exe" [4480768 2013-01-26] (Akamai Technologies, Inc.)
HKU\Reese\...\Run: [ctfmon.exe] C:\PROGRA~2\rundll32.exe C:\PROGRA~2\lotdoi.dat,FG00 [44544 2013-04-17] (Microsoft Corporation)
HKU\Reese\...\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe -update activex [706776 2013-03-12] (Adobe Systems Incorporated)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\Program Files\Soluto\soluto.exe /userinit [1265208 2012-09-13] (Soluto)
Tcpip\..\Interfaces\{67B577CE-0CC0-40CE-B49D-10F84BE75926}: [NameServer]192.168.1.1
Startup: C:\Users\Reese\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk
ShortcutTarget: msconfig.lnk -> C:\PROGRA~2\lotdoi.dat ()

==================== Services (Whitelisted) ===================

2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe /launchService [291840 2012-09-28] (Advanced Micro Devices, Inc.)
4 AODService; C:\Program Files\AMD\OverDrive\AODAssist.exe [136616 2012-05-10] ()
3 BEService; C:\Program Files\Common Files\BattlEye\BEService.exe [49152 2013-03-02] ()
3 CGVPNCliSrvc; C:\Program Files\S.A.D\CyberGhost VPN\CGVPNCliService.exe [2438696 2012-04-26] (mobile concepts GmbH)
3 FileZilla Server; "C:\Program Files\FileZilla Server\FileZilla Server.exe" [742912 2010-10-17] (FileZilla Project)
3 Futuremark SystemInfo Service; "C:\Program Files\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe" [128928 2010-11-11] (Futuremark Corporation)
3 HiPatchService; C:\Program Files\Hi-Rez Studios\HiPatchService.exe [8704 2012-05-30] (Hi-Rez Studios)
2 N360; "C:\Program Files\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe" /s "N360" /m "C:\Program Files\Norton Security Suite\Engine\20.2.0.19\diMaster.dll" /prefetch:1 [535416 2012-10-11] (Symantec Corporation)
2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76888 2013-01-23] ()
2 RosettaStoneDaemon; "C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe" [1646056 2011-04-15] (Rosetta Stone Ltd.)
2 SolutoService; "C:\Program Files\Soluto\SolutoService.exe" [603704 2012-09-13] (Soluto)
3 TunngleService; C:\Program Files\Tunngle\TnglCtrl.exe [738152 2012-07-19] (Tunngle.net GmbH)
2 Winmgmt; C:\PROGRA~2\lotdoi.dat [99328 2013-04-17] ()

==================== Drivers (Whitelisted) ====================

3 AmdLLD; C:\Windows\System32\DRIVERS\AmdLLD.sys [34304 2007-06-29] (AMD, Inc.)
2 AODDriver4.01; \??\c:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [48256 2012-04-09] (Advanced Micro Devices)
2 AODDriver4.1; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [48256 2012-04-09] (Advanced Micro Devices)
2 AODDriver4.2; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [48256 2012-04-09] (Advanced Micro Devices)
2 AODDriver4.2.0; \??\C:\Program Files\AMD\OverDrive\i386\AODDriver2.sys [48256 2012-05-10] (Advanced Micro Devices)
1 AsIO; C:\Windows\System32\drivers\AsIO.sys [12400 2007-12-17] ()
3 AtiHDAudioService; C:\Windows\System32\drivers\AtihdLH3.sys [83984 2012-02-23] (Advanced Micro Devices)
2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [279712 2011-10-20] ()
1 BHDrvx86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130412.001\BHDrvx86.sys [1000024 2013-04-12] (Symantec Corporation)
1 ccSet_N360; C:\Windows\system32\drivers\N360\1402000.013\ccSetx86.sys [134304 2012-10-03] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-01-25] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-11-15] (Symantec Corporation)
0 giveio; C:\Windows\System32\giveio.sys [5248 1996-04-03] ()
1 IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130416.001\IDSvix86.sys [386720 2012-11-15] (Symantec Corporation)
2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [25888 2011-10-20] ()
3 MotioninJoyXFilter; C:\Windows\System32\DRIVERS\MijXfilt.sys [81680 2010-10-21] (MotioninJoy)
3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [7680 2006-10-17] ()
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130417.004\NAVENG.SYS [93296 2013-04-04] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130417.004\NAVEX15.SYS [1603824 2013-04-04] (Symantec Corporation)
3 pbfilter; \??\C:\Program Files\PeerBlock\pbfilter.sys [20080 2010-11-06] ()
3 PsSdk41; \??\C:\Windows\system32\Drivers\pssdk41.sys [36928 2012-02-26] (microOLAP Technologies LTD)
3 RT2500; C:\Windows\System32\DRIVERS\RT2500.sys [243328 2005-10-20] (Ralink Technology Inc.)
0 Soluto; C:\Windows\System32\DRIVERS\Soluto.sys [51144 2012-09-13] (Soluto LTD.)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [691696 2011-01-04] (Duplex Secure Ltd.)
3 SRTSP; C:\Windows\System32\Drivers\N360\1402000.013\SRTSP.SYS [586400 2012-10-08] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\N360\1402000.013\SRTSPX.SYS [32888 2012-05-24] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\N360\1402000.013\SYMDS.SYS [368288 2012-10-03] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\N360\1402000.013\SYMEFA.SYS [927904 2012-10-03] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [142496 2012-11-15] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\N360\1402000.013\Ironx86.SYS [175264 2012-07-27] (Symantec Corporation)
1 SYMTDIv; C:\Windows\System32\Drivers\N360\1402000.013\SYMTDIV.SYS [350368 2012-07-22] (Symantec Corporation)
3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [26624 2011-12-15] (The OpenVPN Project)
3 tap0901t; C:\Windows\System32\DRIVERS\tap0901t.sys [27136 2009-09-16] (Tunngle.net)
3 wod0205; C:\Windows\System32\DRIVERS\wod0205.sys [28936 2011-04-23] (WeOnlyDo Software)
3 xusb21; C:\Windows\System32\DRIVERS\xusb21.sys [61984 2010-08-19] (Microsoft Corporation)
3 ALSysIO; \??\C:\Users\Reese\AppData\Local\Temp\ALSysIO.sys [x]
3 cpuz135; \??\C:\Windows\TEMP\cpuz135\cpuz135_x32.sys [x]
3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 nenum13E; \??\C:\Users\Reese\AppData\Local\Temp\nenum13E.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-04-18 16:48 - 2013-04-18 16:48 - 00000000 ____D C:\FRST
2013-04-17 15:45 - 2013-04-17 15:45 - 00099328 ____A C:\Users\Reese\1831546.dll
2013-04-15 11:16 - 2013-04-15 11:16 - 00000000 ____D C:\Users\Reese\Desktop\DSII_shield_design_contest
2013-04-15 11:12 - 2013-04-15 11:12 - 00427635 ____A C:\Users\Reese\Desktop\DSII_shield_design_contest.zip
2013-04-14 17:17 - 2013-04-14 17:17 - 00083340 ____A C:\Users\Reese\Desktop\DSCfix-v1.1.zip
2013-04-14 16:52 - 2013-04-14 16:54 - 00000000 ____D C:\Users\Reese\Desktop\elona
2013-04-14 08:37 - 2013-04-14 08:37 - 00000000 ____D C:\Users\Reese\AppData\Local\Targem
2013-04-13 15:52 - 2013-04-13 15:57 - 00000000 ____D C:\Users\Reese\Desktop\OFF
2013-04-13 15:23 - 2013-04-13 15:49 - 53881284 ____A C:\Users\Reese\Desktop\OFF.rar
2013-04-11 18:09 - 2013-04-11 18:09 - 00001106 ____A C:\Users\Reese\Desktop\tumblr shite.txt
2013-04-11 12:08 - 2013-04-11 12:26 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-04-10 11:05 - 2013-02-21 20:05 - 12324352 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-04-10 11:05 - 2013-02-21 19:47 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-04-10 11:05 - 2013-02-21 19:46 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-04-10 11:05 - 2013-02-21 19:38 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-04-10 11:05 - 2013-02-21 19:38 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-04-10 11:05 - 2013-02-21 19:37 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-04-10 11:05 - 2013-02-21 19:36 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-04-10 11:05 - 2013-02-21 19:35 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-04-10 11:05 - 2013-02-21 19:34 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-04-10 11:05 - 2013-02-21 19:34 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-04-10 11:05 - 2013-02-21 19:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-04-10 11:05 - 2013-02-21 19:33 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-04-10 11:05 - 2013-02-21 19:32 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-04-10 11:05 - 2013-02-21 19:31 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-04-10 11:05 - 2013-02-21 19:31 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-04-10 11:05 - 2013-02-21 19:28 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-04-09 12:07 - 2013-04-09 12:07 - 00000000 ____D C:\Users\Reese\Desktop\Off translation V. 2.0
2013-04-09 12:04 - 2013-04-09 12:05 - 62446948 ____A C:\Users\Reese\Desktop\Off translation V. 2.0.zip
2013-04-09 11:18 - 2013-03-11 05:25 - 03603816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-04-09 11:18 - 2013-03-11 05:25 - 03551080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-04-09 11:18 - 2013-03-08 19:45 - 00049152 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-04-09 11:18 - 2013-03-08 17:28 - 00064000 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-04-09 11:18 - 2013-03-07 19:53 - 00376320 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2013-04-09 11:18 - 2013-03-07 19:52 - 02067968 ____A (Microsoft Corporation) C:\Windows\System32\mstscax.dll
2013-04-09 11:18 - 2013-03-04 17:40 - 02049024 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-04-09 11:18 - 2013-03-03 11:07 - 01082232 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-06 15:55 - 2013-04-06 15:55 - 00000635 ____A C:\Users\Reese\Desktop\Terraria.lnk
2013-04-03 15:42 - 2013-04-03 15:42 - 00000099 ____A C:\Users\Reese\Desktop\asdsadsda.txt
2013-04-02 18:25 - 2013-04-11 12:26 - 00000000 ____D C:\Program Files\Mozilla Firefox.bak
2013-03-31 16:16 - 2013-03-31 16:16 - 00000901 ____A C:\Users\Public\Desktop\METAL GEAR SOLID2 SUBSTANCE.lnk
2013-03-31 15:32 - 2013-03-31 15:32 - 00009834 ____A C:\Users\Reese\Desktop\honk.sol
2013-03-31 15:14 - 2013-03-31 15:14 - 05786990 ____A C:\Users\Reese\Desktop\CoC_0.7.8e10.swf
2013-03-31 15:13 - 2013-03-29 13:30 - 00009828 ____A C:\Users\Reese\Desktop\butts.sol
2013-03-31 13:50 - 2013-03-31 13:50 - 00001864 ____A C:\Users\Public\Desktop\Baldur's Gate.lnk
2013-03-30 19:39 - 2013-03-30 19:39 - 00000000 ____D C:\Users\Reese\AppData\Roaming\Beat Hazard
2013-03-30 19:38 - 2013-03-30 19:38 - 00000708 ____A C:\Users\Reese\Desktop\Beat Hazard Ultra.lnk
2013-03-29 13:30 - 2013-03-29 13:30 - 00009828 ____A C:\Users\Reese\Desktop\CoC_1.sol
2013-03-29 11:52 - 2013-03-29 11:52 - 00000000 ____D C:\Users\Reese\Desktop\dist
2013-03-29 11:50 - 2013-03-29 11:50 - 01299914 ____A C:\Users\Reese\Desktop\dist.zip
2013-03-28 11:26 - 2013-04-17 13:53 - 00000000 ____D C:\Users\Reese\Documents\Uncompressed Steam Screenshots
2013-03-21 16:08 - 2013-03-21 16:08 - 00000000 ____D C:\Users\Reese\Desktop\SavedGames
2013-03-21 16:08 - 2013-03-21 16:08 - 00000000 ____D C:\Users\Reese\Desktop\JAPE041
2013-03-21 16:07 - 2013-03-21 16:07 - 00101740 ____A C:\Users\Reese\Desktop\JAPE041.ZIP
2013-03-20 12:59 - 2013-02-11 17:57 - 00015872 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023x.sys
2013-03-20 12:59 - 2013-02-11 17:57 - 00015872 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys
2013-03-19 18:44 - 2013-03-19 18:51 - 837876083 ____A C:\Program Files\JA2 v113.rar

==================== One Month Modified Files and Folders ========

2013-04-17 15:46 - 2011-03-20 07:21 - 00000000 ____D C:\Program Files\PeerBlock
2013-04-17 15:46 - 2011-01-01 19:15 - 00000000 ____D C:\Users\Reese\AppData\Roaming\uTorrent
2013-04-17 15:46 - 2011-01-01 02:17 - 00002032 ____A C:\Users\Reese\AppData\Local\d3d9caps.dat
2013-04-17 15:45 - 2013-04-17 15:45 - 00099328 ____A C:\Users\Reese\1831546.dll
2013-04-17 15:45 - 2011-01-01 02:16 - 00000000 ____D C:\users\Reese
2013-04-17 15:11 - 2012-06-13 18:01 - 00000928 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-527956562-4280007354-2008016634-1000UA.job
2013-04-17 15:11 - 2012-06-13 18:01 - 00000906 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-527956562-4280007354-2008016634-1000Core.job
2013-04-17 15:08 - 2011-05-25 11:58 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527956562-4280007354-2008016634-1000UA.job
2013-04-17 15:08 - 2011-01-01 14:43 - 00000000 ____D C:\Program Files\Steam
2013-04-17 14:56 - 2012-10-25 17:15 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-04-17 14:54 - 2006-11-02 05:00 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-17 14:54 - 2006-11-02 04:46 - 00004096 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-17 14:54 - 2006-11-02 04:46 - 00004096 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-17 13:53 - 2013-03-28 11:26 - 00000000 ____D C:\Users\Reese\Documents\Uncompressed Steam Screenshots
2013-04-17 12:14 - 2008-01-20 17:37 - 01977214 ____A C:\Windows\WindowsUpdate.log
2013-04-16 18:13 - 2006-11-02 05:00 - 00032600 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-04-16 17:17 - 2011-01-03 16:57 - 00183296 ____A C:\Users\Reese\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-04-16 17:08 - 2011-05-25 11:58 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527956562-4280007354-2008016634-1000Core.job
2013-04-15 18:09 - 2006-11-02 02:33 - 00772330 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-15 11:54 - 2006-11-02 02:23 - 00000614 ____A C:\Windows\win.ini
2013-04-15 11:16 - 2013-04-15 11:16 - 00000000 ____D C:\Users\Reese\Desktop\DSII_shield_design_contest
2013-04-15 11:12 - 2013-04-15 11:12 - 00427635 ____A C:\Users\Reese\Desktop\DSII_shield_design_contest.zip
2013-04-14 17:17 - 2013-04-14 17:17 - 00083340 ____A C:\Users\Reese\Desktop\DSCfix-v1.1.zip
2013-04-14 16:54 - 2013-04-14 16:52 - 00000000 ____D C:\Users\Reese\Desktop\elona
2013-04-14 08:37 - 2013-04-14 08:37 - 00000000 ____D C:\Users\Reese\AppData\Local\Targem
2013-04-14 08:37 - 2011-01-01 17:08 - 00000000 ____D C:\Users\Reese\Documents\My Games
2013-04-13 15:57 - 2013-04-13 15:52 - 00000000 ____D C:\Users\Reese\Desktop\OFF
2013-04-13 15:49 - 2013-04-13 15:23 - 53881284 ____A C:\Users\Reese\Desktop\OFF.rar
2013-04-13 11:13 - 2006-11-02 04:46 - 00256216 ____A C:\Windows\System32\FNTCACHE.DAT
2013-04-13 11:11 - 2012-11-14 12:00 - 00139566 ____A C:\Windows\PFRO.log
2013-04-13 11:11 - 2012-06-04 12:08 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-04-11 18:09 - 2013-04-11 18:09 - 00001106 ____A C:\Users\Reese\Desktop\tumblr shite.txt
2013-04-11 12:26 - 2013-04-11 12:08 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-04-11 12:26 - 2013-04-02 18:25 - 00000000 ____D C:\Program Files\Mozilla Firefox.bak
2013-04-10 11:00 - 2006-11-02 02:24 - 70490256 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-04-09 16:58 - 2012-06-27 22:27 - 00055576 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
2013-04-09 12:07 - 2013-04-09 12:07 - 00000000 ____D C:\Users\Reese\Desktop\Off translation V. 2.0
2013-04-09 12:05 - 2013-04-09 12:04 - 62446948 ____A C:\Users\Reese\Desktop\Off translation V. 2.0.zip
2013-04-07 13:13 - 2011-05-26 14:56 - 00280856 ____A C:\Windows\System32\PnkBstrB.xtr
2013-04-07 13:13 - 2011-05-26 12:31 - 00280856 ____A C:\Windows\System32\PnkBstrB.exe
2013-04-07 13:13 - 2011-05-26 12:31 - 00140064 ____A C:\Windows\System32\Drivers\PnkBstrK.sys
2013-04-06 18:46 - 2012-07-19 10:43 - 00000000 ____D C:\Users\Reese\AppData\Local\ArmA 2 OA
2013-04-06 15:55 - 2013-04-06 15:55 - 00000635 ____A C:\Users\Reese\Desktop\Terraria.lnk
2013-04-06 13:11 - 2011-01-01 14:43 - 00000000 ____D C:\Program Files\Common Files\Steam
2013-04-03 15:42 - 2013-04-03 15:42 - 00000099 ____A C:\Users\Reese\Desktop\asdsadsda.txt
2013-03-31 16:56 - 2013-03-16 21:52 - 00000000 ____D C:\Users\Reese\Documents\SimCity 4
2013-03-31 16:56 - 2011-01-03 15:44 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2013-03-31 16:16 - 2013-03-31 16:16 - 00000901 ____A C:\Users\Public\Desktop\METAL GEAR SOLID2 SUBSTANCE.lnk
2013-03-31 15:32 - 2013-03-31 15:32 - 00009834 ____A C:\Users\Reese\Desktop\honk.sol
2013-03-31 15:14 - 2013-03-31 15:14 - 05786990 ____A C:\Users\Reese\Desktop\CoC_0.7.8e10.swf
2013-03-31 13:50 - 2013-03-31 13:50 - 00001864 ____A C:\Users\Public\Desktop\Baldur's Gate.lnk
2013-03-31 13:46 - 2011-05-14 11:39 - 00000000 ____D C:\Program Files\Black Isle
2013-03-30 19:39 - 2013-03-30 19:39 - 00000000 ____D C:\Users\Reese\AppData\Roaming\Beat Hazard
2013-03-30 19:38 - 2013-03-30 19:38 - 00000708 ____A C:\Users\Reese\Desktop\Beat Hazard Ultra.lnk
2013-03-29 13:30 - 2013-03-31 15:13 - 00009828 ____A C:\Users\Reese\Desktop\butts.sol
2013-03-29 13:30 - 2013-03-29 13:30 - 00009828 ____A C:\Users\Reese\Desktop\CoC_1.sol
2013-03-29 11:52 - 2013-03-29 11:52 - 00000000 ____D C:\Users\Reese\Desktop\dist
2013-03-29 11:50 - 2013-03-29 11:50 - 01299914 ____A C:\Users\Reese\Desktop\dist.zip
2013-03-29 08:05 - 2011-01-01 14:38 - 00000000 ____D C:\Users\Reese\AppData\Roaming\Mozilla
2013-03-21 17:32 - 2011-07-06 11:44 - 00000000 ____D C:\Program Files\Jagged Alliance 2 Gold
2013-03-21 16:08 - 2013-03-21 16:08 - 00000000 ____D C:\Users\Reese\Desktop\SavedGames
2013-03-21 16:08 - 2013-03-21 16:08 - 00000000 ____D C:\Users\Reese\Desktop\JAPE041
2013-03-21 16:07 - 2013-03-21 16:07 - 00101740 ____A C:\Users\Reese\Desktop\JAPE041.ZIP
2013-03-20 12:36 - 2012-11-11 14:03 - 00002176 ____A C:\Windows\setupact.log
2013-03-19 18:51 - 2013-03-19 18:44 - 837876083 ____A C:\Program Files\JA2 v113.rar


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2012-12-14 12:15] - [2012-08-21 03:47] - 0224640 ____A (Microsoft Corporation) 786DB5771F05EF300390399F626BF30A


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-03-20 16:12:58
Restore point made on: 2013-03-29 18:51:00
Restore point made on: 2013-03-30 08:05:45
Restore point made on: 2013-03-31 16:10:49
Restore point made on: 2013-03-31 16:57:36
Restore point made on: 2013-04-01 14:28:31
Restore point made on: 2013-04-03 13:10:05
Restore point made on: 2013-04-06 22:59:52
Restore point made on: 2013-04-09 23:00:54

==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 4093.22 MB
Available physical RAM: 3594.41 MB
Total Pagefile: 3837.8 MB
Available Pagefile: 3665.9 MB
Total Virtual: 2047.88 MB
Available Virtual: 1966.31 MB

==================== Partitions =============================

2 Drive c: (Alpha) (Fixed) (Total:931.51 GB) (Free:116.21 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive d: (Omega) (Fixed) (Total:931.51 GB) (Free:86.54 GB) NTFS
4 Drive e: (FRMCFRE_EN_DVD) (CDROM) (Total:2.87 GB) (Free:0 GB) UDF
5 Drive f: () (Removable) (Total:3.72 GB) (Free:0.17 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 932 GB 0 B
Disk 1 Online 932 GB 0 B
Disk 2 Online 3820 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 932 GB 1024 KB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D Omega NTFS Partition 932 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 932 GB 1024 KB

=========================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Alpha NTFS Partition 932 GB Healthy

=========================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 3820 MB 0 B

=========================================================

Disk: 2
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: C5155D70

Partition 1:
=========
Hex: 0020210007FEFFFF0008000000587074
Active: NO
Type: 07 (NTFS)
Size: 932 GB

==============================
Partitions of Disk 1:
===============
Disk ID: BC749333

Partition 1:
=========
Hex: 8020210007FEFFFF0008000000587074
Active: YES
Type: 07 (NTFS)
Size: 932 GB

==============================
Partitions of Disk 2:
===============
Disk ID: 69737369

Partition 1:
=========
Hex: FF0D0A4469736B206572726F72FF0D0A
Active: NO
Type: 69
Size: 80 GB

Partition 2:
=========
Hex: 507265737320616E79206B657920746F
Active: NO
Type: 73
Size: 892 GB

Partition 3:
=========
Hex: 20726573746172740D0A000000000000
Active: NO
Type: 74
Size: 0 byte

Partition 4:
=========
Hex: 0000000000000000000000ACBFCC0000
Active: NO
Type: 00
Size: 26 MB


Last Boot: 2013-04-17 15:01

==================== End Of Log ============================

[PirateGuy]

-sorry, double post-

Edited by PirateGuy, 18 April 2013 - 08:21 PM.

[gringo_pr]

Hello PirateGuy



Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

ShortcutTarget: msconfig.lnk -> C:\PROGRA~2\lotdoi.dat ()
C:\Users\Reese\1831546.dll

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo

[PirateGuy]

I restarted my PC as normal after doing what you instructed, but the virus still appears to be on my PC as the fake FBI warning still pops up like before.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-04-2013
Ran by SYSTEM at 2013-04-19 15:40:53 Run:1
Running from F:\

==============================================

ShortcutTarget: msconfig.lnk -> C:\PROGRA~2\lotdoi.dat () not found.
C:\Users\Reese\1831546.dll moved successfully.

==== End of Fixlog ====

[gringo_pr]

Hello PirateGuy



Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

HKU\Reese\...\Run: [ctfmon.exe] C:\PROGRA~2\rundll32.exe C:\PROGRA~2\lotdoi.dat,FG00 [44544 2013-04-17] (Microsoft Corporation)
Startup: C:\Users\Reese\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk
ShortcutTarget: msconfig.lnk -> C:\PROGRA~2\lotdoi.dat ()
2 Winmgmt; C:\PROGRA~2\lotdoi.dat [99328 2013-04-17] ()
C:\Users\Reese\1831546.dll

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo

[PirateGuy]

I did as you instructed and then booted as normal, and my PC appears to have booted normally, I do not see the fake FBI warning as before.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-04-2013
Ran by SYSTEM at 2013-04-19 16:31:54 Run:2
Running from F:\

==============================================

HKEY_USERS\Reese\Software\Microsoft\Windows\CurrentVersion\Run\\ctfmon.exe Value deleted successfully.
C:\Users\Reese\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk moved successfully.
ShortcutTarget: msconfig.lnk -> C:\PROGRA~2\lotdoi.dat () not found.
Winmgmt service deleted successfully.
C:\Users\Reese\1831546.dll not found.

==== End of Fixlog ====

[gringo_pr]

Hello PirateGuy


These are the programs I would like you to run next, if you have any problems with these just skip it and move on to the next one.


-AdwCleaner-

• Please download AdwCleaner by Xplode onto your desktop.
  
• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click on Delete.
• Confirm each time with Ok.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

• Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  
• Quit all programs that you may have started.
• Please disconnect any USB or external drives from the computer before you run this scan!
• For Vista or Windows 7, right-click and select "Run as Administrator to start"
• For Windows XP, double-click to start.
• Wait until Prescan has finished ...
• Then Click on "Scan" button
• Wait until the Status box shows "Scan Finished"
• click on "delete"
• Wait until the Status box shows "Deleting Finished"
• Click on "Report" and copy/paste the content of the Notepad into your next reply.
• The log should be found in RKreport[1].txt on your Desktop
• Exit/Close RogueKiller+

Gringo

[PirateGuy]

# AdwCleaner v2.200 - Logfile created 04/19/2013 at 17:15:20
# Updated 02/04/2013 by Xplode
# Operating system : Windows Vista ™ Ultimate Service Pack 2 (32 bits)
# User : Reese - PRIVATEER-MK-I
# Boot Mode : Normal
# Running from : C:\Users\Reese\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Headlight
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Deleted : HKLM\SOFTWARE\14919ea49a8f3b4aa3cf1058d9a64cec

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16476

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Users\Reese\AppData\Roaming\Mozilla\Firefox\Profiles\uq1g6nnz.default\prefs.js

Deleted : user_pref("extensions.foxlingo.addit.defaultAddons", "{ \"software\": {\"20\": {\"id\": \"20\",\"tit[...]

*************************

AdwCleaner[S1].txt - [1111 octets] - [19/04/2013 17:15:20]

########## EOF - C:\AdwCleaner[S1].txt - [1171 octets] ##########




RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Reese [Admin rights]
Mode : Scan -- Date : 04/19/2013 17:36:51
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] DAODx.exe -- C:\Windows\DAODx.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 9 ¤¤¤
[TASK][SUSP PATH] RunDAOD : C:\Windows\DAODx.exe [-] -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[SCREENSV][SUSP PATH] HKCU\[...]\Desktop (C:\Windows\TheMatrix.scr) [-] -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0xE32CA7B3 -> HOOKED (Unknown @ 0xA16EB5E8)
SSDT[14] : NtAlertThread @ 0xE3243357 -> HOOKED (Unknown @ 0xA16EB6C8)
SSDT[18] : NtAllocateVirtualMemory @ 0xE327F6AD -> HOOKED (Unknown @ 0xA12176C0)
SSDT[21] : NtAlpcConnectPort @ 0xE32218A1 -> HOOKED (Unknown @ 0xA1124540)
SSDT[42] : NtAssignProcessToJobObject @ 0xE31F4B32 -> HOOKED (Unknown @ 0xA1462908)
SSDT[67] : NtCreateMutant @ 0xE32579A3 -> HOOKED (Unknown @ 0xA16EB338)
SSDT[77] : NtCreateSymbolicLinkObject @ 0xE31F7349 -> HOOKED (Unknown @ 0xA1462628)
SSDT[78] : NtCreateThread @ 0xE32C8DC8 -> HOOKED (Unknown @ 0xA18CE040)
SSDT[116] : NtDebugActiveProcess @ 0xE329BF04 -> HOOKED (Unknown @ 0xA14629E8)
SSDT[129] : NtDuplicateObject @ 0xE322F581 -> HOOKED (Unknown @ 0xA1217818)
SSDT[147] : NtFreeVirtualMemory @ 0xE30BBF6D -> HOOKED (Unknown @ 0xA19D1E18)
SSDT[156] : NtImpersonateAnonymousToken @ 0xE31F1F3F -> HOOKED (Unknown @ 0xA16EB428)
SSDT[158] : NtImpersonateThread @ 0xE3207584 -> HOOKED (Unknown @ 0xA16EB508)
SSDT[165] : NtLoadDriver @ 0xE31A2E12 -> HOOKED (Unknown @ 0xA1124D00)
SSDT[177] : NtMapViewOfSection @ 0xE324799C -> HOOKED (Unknown @ 0xA19D1D18)
SSDT[184] : NtOpenEvent @ 0xE3230DFF -> HOOKED (Unknown @ 0xA1462DD0)
SSDT[194] : NtOpenProcess @ 0xE325813F -> HOOKED (Unknown @ 0xA166A9F0)
SSDT[195] : NtOpenProcessToken @ 0xE3238A60 -> HOOKED (Unknown @ 0xA18CE848)
SSDT[197] : NtOpenSection @ 0xE3248794 -> HOOKED (Unknown @ 0xA1462C10)
SSDT[201] : NtOpenThread @ 0xE325363B -> HOOKED (Unknown @ 0xA166A920)
SSDT[210] : NtProtectVirtualMemory @ 0xE32513F2 -> HOOKED (Unknown @ 0xA1462818)
SSDT[282] : NtResumeThread @ 0xE3252C5A -> HOOKED (Unknown @ 0xA16EB7A8)
SSDT[289] : NtSetContextThread @ 0xE32CA25F -> HOOKED (Unknown @ 0xA176CD58)
SSDT[305] : NtSetInformationProcess @ 0xE324B9EE -> HOOKED (Unknown @ 0xA176CE38)
SSDT[317] : NtSetSystemInformation @ 0xE321DF18 -> HOOKED (Unknown @ 0xA1462AC8)
SSDT[330] : NtSuspendProcess @ 0xE32CA6EF -> HOOKED (Unknown @ 0xA1462CF0)
SSDT[331] : NtSuspendThread @ 0xE31D1945 -> HOOKED (Unknown @ 0xA16EB888)
SSDT[334] : NtTerminateProcess @ 0xE3228173 -> HOOKED (Unknown @ 0xA18CE880)
SSDT[335] : unknown @ 0xE3253670 -> HOOKED (Unknown @ 0xA16EB968)
SSDT[348] : NtUnmapViewOfSection @ 0xE3247C5F -> HOOKED (Unknown @ 0xA176CF28)
SSDT[358] : NtWriteVirtualMemory @ 0xE3244A2F -> HOOKED (Unknown @ 0xA19D1F08)
SSDT[382] : NtCreateThreadEx @ 0xE3253125 -> HOOKED (Unknown @ 0xA1462718)
S_SSDT[317] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0xA0A52108)
S_SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0xA0E9B428)
S_SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0xA1123290)
S_SSDT[430] : NtUserGetKeyState -> HOOKED (Unknown @ 0xA106BE78)
S_SSDT[442] : NtUserGetRawInputData -> HOOKED (Unknown @ 0xA0A9B578)
S_SSDT[479] : NtUserMessageCall -> HOOKED (Unknown @ 0xA1BDB338)
S_SSDT[497] : NtUserPostMessage -> HOOKED (Unknown @ 0xA09B87B0)
S_SSDT[498] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0xA08127E8)
S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0xA0894008)
S_SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0xA08791E8)

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] fdd46d44559af41e2c9557e6404cd0b9
[BSP] 6ec5630801aa2d430ed177f8d89acb8a : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 450009cb1d7c11e325a80303380ab37c
[BSP] 41c9bab35e2e09b7dc9f2d75d44411ca : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_04192013_02d1736.txt >>
RKreport[1]_S_04192013_02d1736.txt

[gringo_pr]

Hello PirateGuy

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

• In your next post I need the following
  
• Log from Combofix
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

[PirateGuy]

After running combofix I haven't noticed anything different or any problems (the malware screen hasn't come back or anything), but there are some files on my desktop that weren't there before: a shortcut to my user folder and a shortcut to the "Internet Properties" menu. I haven't run any regular programs after combofix yet, but as far as I can tell my PC is looking good. Also, should I turn my antivirus back on yet? Or maybe install a new one, I was thinking of changing my antivirus.

ComboFix 13-04-20.02 - Reese 04/20/2013 18:11:57.1.4 - x86
Running from: c:\users\Reese\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\program files\Java\svchost.exe
c:\programdata\iodtol.pad
c:\programdata\lotdoi.dat
c:\programdata\rundll32.exe
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-03-20 to 2013-04-20 )))))))))))))))))))))))))))))))
.
.
2074-05-07 23:38 . 2006-11-22 01:48 203576 ------w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2013-04-20 22:26 . 2013-04-20 22:32 -------- d-----w- c:\users\Reese\AppData\Local\temp
2013-04-20 22:26 . 2013-04-20 22:26 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-04-20 22:26 . 2013-04-20 22:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-04-19 00:48 . 2013-04-19 00:48 -------- d-----w- C:\FRST
2013-04-17 23:48 . 2013-04-17 23:48 2640 ----a-w- c:\programdata\iodtol.js
2013-04-14 16:37 . 2013-04-14 16:37 -------- d-----w- c:\users\Reese\AppData\Local\Targem
2013-04-09 19:18 . 2013-03-03 19:07 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-09 19:18 . 2013-03-11 13:25 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-09 19:18 . 2013-03-11 13:25 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-04-09 19:18 . 2013-03-09 03:45 49152 ----a-w- c:\windows\system32\csrsrv.dll
2013-04-09 19:18 . 2013-03-09 01:28 64000 ----a-w- c:\windows\system32\smss.exe
2013-04-09 19:18 . 2013-03-08 03:52 2067968 ----a-w- c:\windows\system32\mstscax.dll
2013-04-01 00:56 . 2003-11-10 22:12 192512 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll
2013-04-01 00:56 . 2003-11-10 22:14 729088 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll
2013-04-01 00:56 . 2003-11-10 22:13 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll
2013-04-01 00:56 . 2003-11-10 22:12 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll
2013-04-01 00:56 . 2003-11-10 22:11 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe
2013-04-01 00:56 . 2013-04-01 00:56 311428 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll
2013-04-01 00:56 . 2013-04-01 00:56 188548 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll
2013-04-01 00:08 . 2013-04-01 00:08 270468 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\Setup.dll
2013-04-01 00:08 . 2013-04-01 00:08 159876 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\IGdi.dll
2013-04-01 00:08 . 2002-08-05 14:46 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\ctor.dll
2013-04-01 00:08 . 2002-08-02 07:10 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\DotNetInstaller.exe
2013-04-01 00:08 . 2002-08-02 06:20 634880 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iKernel.dll
2013-04-01 00:08 . 2002-08-02 06:20 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iscript.dll
2013-04-01 00:08 . 2002-08-02 06:20 151552 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iuser.dll
2013-03-31 03:39 . 2013-03-31 03:39 -------- d-----w- c:\users\Reese\AppData\Roaming\Beat Hazard
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-07 21:13 . 2011-05-26 20:31 140064 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2013-04-07 21:13 . 2011-05-26 22:56 280856 ----a-w- c:\windows\system32\PnkBstrB.xtr
2013-04-07 21:13 . 2011-05-26 20:31 280856 ----a-w- c:\windows\system32\PnkBstrB.exe
2013-03-13 07:03 . 2012-04-06 03:25 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-13 07:03 . 2011-05-22 21:29 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-08 03:53 . 2013-04-09 19:18 376320 ----a-w- c:\windows\system32\winsrv.dll
2013-03-05 01:40 . 2013-04-09 19:18 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-02-22 03:38 . 2013-04-10 19:05 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-02-22 03:34 . 2013-04-10 19:05 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-02-12 01:57 . 2013-03-20 20:59 15872 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 01:57 . 2013-03-20 20:59 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-01-23 22:17 . 2011-05-26 20:31 282512 ----a-w- c:\windows\system32\PnkBstrB.ex0
2013-01-23 22:17 . 2011-05-26 20:30 76888 ----a-w- c:\windows\system32\PnkBstrA.exe
2013-04-11 20:08 . 2013-04-11 20:08 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-04-07 7346720]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"boincmgr"="e:\program files\BOINC\boincmgr.exe" [2010-09-23 4543232]
"boinctray"="e:\program files\BOINC\boinctray.exe" [2010-09-23 58112]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-06-11 641704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"AOD"="c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe" [2012-09-28 291840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SolutoService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-527956562-4280007354-2008016634-1000]
"EnableNotificationsRef"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 07:04]
.
2013-04-17 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-527956562-4280007354-2008016634-1000Core.job
- c:\users\Reese\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-06-14 23:06]
.
2013-04-17 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-527956562-4280007354-2008016634-1000UA.job
- c:\users\Reese\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-06-14 23:06]
.
2013-04-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527956562-4280007354-2008016634-1000Core.job
- c:\users\Reese\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-25 19:57]
.
2013-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527956562-4280007354-2008016634-1000UA.job
- c:\users\Reese\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-25 19:57]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
uInternet Settings,ProxyOverride = <local>
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: Interfaces\{67B577CE-0CC0-40CE-B49D-10F84BE75926}: NameServer = 192.168.1.1
FF - ProfilePath - c:\users\Reese\AppData\Roaming\Mozilla\Firefox\Profiles\uq1g6nnz.default\
FF - prefs.js: browser.startup.homepage - hxxp://barfquestion.com/
FF - ExtSQL: 2013-02-21 19:05; {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}; c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn
FF - ExtSQL: !HIDDEN! 2011-01-02 14:30; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-AMSH PC - c:\program files\3DO\AMSH PC\Uninst.isu
AddRemove-GOGPACKSIDMEIERSALPHACENTAURI_is1 - g:\program files\Sid Meier's Alpha Centauri\unins000.exe
AddRemove-KeyFinder_is1 - g:\program files\Magical Jelly Bean\unins000.exe
AddRemove-MercenariesDeinstKey - c:\program files\Activision\Mercenaries\DeIsL1.isu
AddRemove-One Unit Whole Blood_is1 - g:\misc. stuff\One Unit Whole Blood\unins000.exe
AddRemove-Sid Meier's Alien Crossfire - g:\program files\Sid Meier's Alpha Centauri\unins000.exe
AddRemove-Sid Meier's Alpha Centauri - g:\program files\Sid Meier's Alpha Centauri\unins000.exe
AddRemove-Starsiege TRIBES - c:\dynamix\TRIBES\Uninst.isu
AddRemove-WinDjView - g:\program files\WinDjView\uninstall.exe
AddRemove-{20E23A40-38E5-4DD6-B738-BC8097AE66B6}_is1 - g:\program files\FTL\unins000.exe
AddRemove-Third Age - Total War 3.0 (Part 1of2) - e:\program files\Steam\SteamApps\common\Medieval II Total War\Uninstal.exe
AddRemove-Third Age - Total War 3.0 (Part 2of2) - e:\program files\Steam\SteamApps\common\Medieval II Total War\Uninstal.exe
AddRemove-UnityWebPlayer - c:\users\Reese\AppData\Local\Unity\WebPlayer\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-20 18:33
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\20.2.0.19\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-527956562-4280007354-2008016634-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C053560A-A8A5-9A6E-95DF-8A465B80A091}*]
"bbohifmmfgljmhaonjmkinnfeglbcgddeflo"=hex:69,61,70,61,6b,6f,6e,6d,6e,67,67,67,
6a,64,6c,6b,6f,6e,00,00
"abmijknaipkkgddbgkonhdcbkdfllnbloi"=hex:69,61,70,61,6b,6f,6e,6d,6e,67,67,67,
6a,64,6c,6b,6f,6e,00,02
.
[HKEY_USERS\S-1-5-21-527956562-4280007354-2008016634-1000\Software\SecuROM\License information*]
"datasecu"=hex:64,1c,59,90,75,2e,9b,bf,e3,0c,97,19,49,de,55,52,9b,8d,b4,bf,d3,
fc,17,0f,86,ee,73,30,27,4b,2c,97,18,c9,fb,73,e6,86,72,1a,f3,8c,6d,7f,ef,3a,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5580)
c:\program files\FileZilla FTP Client\fzshellext.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\atiesrxx.exe
c:\windows\system32\atieclxx.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
c:\program files\Soluto\SolutoService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\DllHost.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
c:\windows\System32\wsqmcons.exe
.
**************************************************************************
.
Completion time: 2013-04-20 18:40:59 - machine was rebooted
ComboFix-quarantined-files.txt 2013-04-20 22:40
.
Pre-Run: 143,207,981,056 bytes free
Post-Run: 142,975,451,136 bytes free
.
- - End Of File - - 801AC61E917812A7F60D0A81D61A6A90

Edited by PirateGuy, 20 April 2013 - 05:00 PM.

[gringo_pr]

Hello PirateGuy

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


File::
c:\programdata\iodtol.js

RegNull::
[HKEY_USERS\S-1-5-21-527956562-4280007354-2008016634-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C053560A-A8A5-9A6E-95DF-8A465B80A091}*]

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

• In your next post I need the following
  
  
• report from Combofix
• let me know of any problems you may have had
• How is the computer doing now after running the script?

Gringo

[PirateGuy]

No problems yet, as far as I can tell my PC seems fine. I hope this log is looking good to you!


ComboFix 13-04-20.02 - Reese 04/20/2013 22:45:51.2.4 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3325.2092 [GMT -4:00]
Running from: c:\users\Reese\Desktop\ComboFix.exe
Command switches used :: c:\users\Reese\Desktop\CFScript.txt
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\programdata\iodtol.js"
.
.
((((((((((((((((((((((((( Files Created from 2013-03-21 to 2013-04-21 )))))))))))))))))))))))))))))))
.
.
2074-05-07 23:38 . 2006-11-22 01:48 203576 ------w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2013-04-21 03:05 . 2013-04-21 03:05 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-04-21 03:05 . 2013-04-21 03:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-04-20 22:26 . 2013-04-21 03:05 -------- d-----w- c:\users\Reese\AppData\Local\temp
2013-04-19 00:48 . 2013-04-19 00:48 -------- d-----w- C:\FRST
2013-04-17 23:48 . 2013-04-17 23:48 2640 ----a-w- c:\programdata\iodtol.js
2013-04-14 16:37 . 2013-04-14 16:37 -------- d-----w- c:\users\Reese\AppData\Local\Targem
2013-04-09 19:18 . 2013-03-03 19:07 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-09 19:18 . 2013-03-11 13:25 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-09 19:18 . 2013-03-11 13:25 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-04-09 19:18 . 2013-03-09 03:45 49152 ----a-w- c:\windows\system32\csrsrv.dll
2013-04-09 19:18 . 2013-03-09 01:28 64000 ----a-w- c:\windows\system32\smss.exe
2013-04-09 19:18 . 2013-03-08 03:52 2067968 ----a-w- c:\windows\system32\mstscax.dll
2013-04-09 19:18 . 2013-03-08 03:53 376320 ----a-w- c:\windows\system32\winsrv.dll
2013-04-09 19:18 . 2013-03-05 01:40 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-04-01 00:56 . 2003-11-10 22:12 192512 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll
2013-04-01 00:56 . 2003-11-10 22:14 729088 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll
2013-04-01 00:56 . 2003-11-10 22:13 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll
2013-04-01 00:56 . 2003-11-10 22:12 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll
2013-04-01 00:56 . 2003-11-10 22:11 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe
2013-04-01 00:56 . 2013-04-01 00:56 311428 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll
2013-04-01 00:56 . 2013-04-01 00:56 188548 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll
2013-04-01 00:08 . 2013-04-01 00:08 270468 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\Setup.dll
2013-04-01 00:08 . 2013-04-01 00:08 159876 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\IGdi.dll
2013-04-01 00:08 . 2002-08-05 14:46 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\ctor.dll
2013-04-01 00:08 . 2002-08-02 07:10 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\DotNetInstaller.exe
2013-04-01 00:08 . 2002-08-02 06:20 634880 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iKernel.dll
2013-04-01 00:08 . 2002-08-02 06:20 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iscript.dll
2013-04-01 00:08 . 2002-08-02 06:20 151552 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iuser.dll
2013-03-31 03:39 . 2013-03-31 03:39 -------- d-----w- c:\users\Reese\AppData\Roaming\Beat Hazard
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-07 21:13 . 2011-05-26 20:31 140064 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2013-04-07 21:13 . 2011-05-26 22:56 280856 ----a-w- c:\windows\system32\PnkBstrB.xtr
2013-04-07 21:13 . 2011-05-26 20:31 280856 ----a-w- c:\windows\system32\PnkBstrB.exe
2013-03-13 07:03 . 2012-04-06 03:25 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-13 07:03 . 2011-05-22 21:29 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-12 01:57 . 2013-03-20 20:59 15872 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 01:57 . 2013-03-20 20:59 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-01-23 22:17 . 2011-05-26 20:31 282512 ----a-w- c:\windows\system32\PnkBstrB.ex0
2013-01-23 22:17 . 2011-05-26 20:30 76888 ----a-w- c:\windows\system32\PnkBstrA.exe
2013-04-11 20:08 . 2013-04-11 20:08 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-04-07 7346720]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"boincmgr"="e:\program files\BOINC\boincmgr.exe" [2010-09-23 4543232]
"boinctray"="e:\program files\BOINC\boinctray.exe" [2010-09-23 58112]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-06-11 641704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"AOD"="c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe" [2012-09-28 291840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SolutoService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-527956562-4280007354-2008016634-1000]
"EnableNotificationsRef"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 07:04]
.
2013-04-20 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-527956562-4280007354-2008016634-1000Core.job
- c:\users\Reese\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-06-14 23:06]
.
2013-04-20 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-527956562-4280007354-2008016634-1000UA.job
- c:\users\Reese\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-06-14 23:06]
.
2013-04-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527956562-4280007354-2008016634-1000Core.job
- c:\users\Reese\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-25 19:57]
.
2013-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527956562-4280007354-2008016634-1000UA.job
- c:\users\Reese\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-25 19:57]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
uInternet Settings,ProxyOverride = <local>
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: Interfaces\{67B577CE-0CC0-40CE-B49D-10F84BE75926}: NameServer = 192.168.1.1
FF - ProfilePath - c:\users\Reese\AppData\Roaming\Mozilla\Firefox\Profiles\uq1g6nnz.default\
FF - prefs.js: browser.startup.homepage - hxxp://barfquestion.com/
FF - ExtSQL: 2013-02-21 19:05; {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}; c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn
FF - ExtSQL: !HIDDEN! 2011-01-02 14:30; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-20 23:05
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\20.2.0.19\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-527956562-4280007354-2008016634-1000\Software\SecuROM\License information*]
"datasecu"=hex:64,1c,59,90,75,2e,9b,bf,e3,0c,97,19,49,de,55,52,9b,8d,b4,bf,d3,
fc,17,0f,86,ee,73,30,27,4b,2c,97,18,c9,fb,73,e6,86,72,1a,f3,8c,6d,7f,ef,3a,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4880)
c:\progra~1\MICROS~3\OFFICE11\msohev.dll
.
Completion time: 2013-04-20 23:10:27
ComboFix-quarantined-files.txt 2013-04-21 03:10
ComboFix2.txt 2013-04-20 22:41
.
Pre-Run: 141,970,157,568 bytes free
Post-Run: 141,884,157,952 bytes free
.
- - End Of File - - 78ADE51467B27D2F4317DCE4499B3C30

[gringo_pr]

Hello PirateGuy

Yes They are looking good I would like to see a report that combofix makes.

extra combofix report

• push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
• please copy and past the following into the box

C:\Qoobox\Add-Remove Programs.txt

• click ok

copy and paste the report into this topic for me to review

Gringo