Need help removing FBI Ransomware [Solved]
Started by
Gooddvant
, Jun 10 2013 01:44 PM
-
This topic is locked
#1
Posted 10 June 2013 - 01:44 PM
Gooddvant
-
- Member
-
- 11 posts
Member
#2
Posted 11 June 2013 - 07:26 AM
Buddierdl
-
- Malware Removal
-
- 2,524 posts
Trusted Helper
Hello Gooddvant and welcome to Geeks to Go. I am sorry that you are having troubles with your computer and will try my best to help you. I know that being infected is very frustrating, but I will be here to help you through the whole process of cleaning. Removing malware can be difficult and complicated and will most likely take many steps, so please stick with me until I have declared your computer clean. I always recommend printing my instructions before following them in case you cannot keep this webpage open. Please be sure to alway follow all steps exactly as they are written and let me know what happens each time. Stop and ask if something unexpected happens or if you are unsure of how to proceed.
Please respect my volunteered time and stay with me until I declare your computer clean. If you are going to be delayed for a while, please let me know.
Please try the steps below. If you don't get the System Recovery Options on boot, let me know and we will try a different method.
For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.[/list]
Please respect my volunteered time and stay with me until I declare your computer clean. If you are going to be delayed for a while, please let me know.
Please try the steps below. If you don't get the System Recovery Options on boot, let me know and we will try a different method.
For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Select English as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account an click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.[/list]
#3
Posted 12 June 2013 - 06:27 AM
Gooddvant
- Topic Starter
-
- Member
-
- 11 posts
Member
The System Recovery Options screen did not come up on boot, went straight to the Windows accounts selection screen and, when the administrator account was chosen, went to the FBI ransom screen. you mentioned trying a different route? I want to make a correction on my previous reply: the OS is XP 32-bit version.
#4
Posted 12 June 2013 - 06:39 AM
Buddierdl
-
- Malware Removal
-
- 2,524 posts
Trusted Helper
With XP, we need a different method.
Please print these instruction out so that you know what you are doing
Please print these instruction out so that you know what you are doing
- Download OTLPENet.exe to your desktop
- Download Farbar Recovery Scan Tool and save it to a flash drive.
- Ensure that you have a blank CD in the drive
- Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
- Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here - As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
- Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy - Insert the flash drive with FRST on it
- Locate the flash drive and run FSRT
- The tool will start to run.
- When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
#5
Posted 18 June 2013 - 07:33 AM
Buddierdl
-
- Malware Removal
-
- 2,524 posts
Trusted Helper
Are you still with me?
#6
Posted 18 June 2013 - 09:44 AM
Gooddvant
- Topic Starter
-
- Member
-
- 11 posts
Member
I am still with you. I have made the disk and the flashdrive files and will attempt a startup tomorrow evening. I will let you know how it goes on Thursday morning. (working between computers in two different locations). Thanks for your patience.
#8
Posted 19 June 2013 - 07:25 PM
Gooddvant
- Topic Starter
-
- Member
-
- 11 posts
Member
Hey Buddierdl. I tried to boot from CD. No luck; but got into safe mode somehow so I activated the cammand mode. From there, hit FRST.exe from the CD drive and it ran. But when it went to write a notepad file, it said it was not found. And it also said "addition.txt not found. Do you want to save?" first time I hit 'yes' but nothing happened. Ran it again and hit 'no' - again nothing happened. So frst.exe ran the scan (I did it a few times to try to get it to write a txt file) but nothing was saved. Any suggestions? The malware is still there.
#9
Posted 19 June 2013 - 08:09 PM
Buddierdl
-
- Malware Removal
-
- 2,524 posts
Trusted Helper
You can't run FRST from the CD like that. You need to copy it to the desktop first. Then it should create 2 logs on the desktop.
#10
Posted 21 June 2013 - 05:35 AM
Gooddvant
- Topic Starter
-
- Member
-
- 11 posts
Member
This is what it produced. . .
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-06-2013 04 (ATTENTION: FRST version is 9 days old)
Ran by Guest (ATTENTION: The logged in user is not administrator) on 21-06-2013 07:12:19
Running from D:\G2G 6 11 13
Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal
==================== Could not list processes ===============
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize [x]
HKLM\...\Run: [GWMDMMSG] GWMDMMSG.exe [x]
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2007-03-11] (Hewlett-Packard Co.)
HKLM\...\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [150016 2008-08-20] (Hewlett-Packard)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k [x]
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [41208 2012-12-19] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-03] (Adobe Systems Incorporated)
HKCU\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [x]
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
ShortcutTarget: Microsoft Works Calendar Reminders.lnk -> C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe (MicrosoftÆ Corporation)
==================== Internet (Whitelisted) ====================
HKLM SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.c...ferrer:source?}
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.c...ferrer:source?}
SearchScopes: HKLM - {56256A51-B582-467e-B8D4-7786EDA79AE0} URL = http://www.mywebsear...r={searchTerms}
HKCU SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.c...Box&Form=IE8SRC
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.c...Box&Form=IE8SRC
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfar...etup1.0.1.1.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.micr...922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab
DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} http://update.hpphot.../HPSWUpdate.ocx
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll ()
Handler: ipp - No CLSID Value -
Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
Handler: msdaipp - No CLSID Value -
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 24.89.0.22 24.89.0.21
========================== Services (Whitelisted) =================
U2 C-DillaCdaC11BA; C:\WINDOWS\system32\drivers\CDAC11BA.EXE [54784 2009-04-05] (Macrovision)
U3 PictureTaker; C:\WINDOWS\system32\PCTKRNT.SYS [45056 2009-02-20] (LANovation)
U2 winmgmt; C:\DOCUME~1\ALLUSE~1\APPLIC~1\ini3zd.dat [155648 2013-05-08] (Microsoft Corporation)
U3 AppMgmt; %SystemRoot%\System32\appmgmts.dll [x]
U2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]
==================== Drivers (Whitelisted) ====================
U3 AN983; C:\Windows\System32\DRIVERS\AN983.sys [36224 2004-08-04] (ADMtek Incorporated.)
U3 BCMModem; C:\Windows\System32\DRIVERS\BCMDM.sys [871388 2001-08-17] (BCM)
U2 CdaC15BA; C:\WINDOWS\system32\drivers\CdaC15BA.SYS [12464 2009-04-05] (Macrovision Europe Ltd)
U3 es1371; C:\Windows\System32\drivers\es1371mp.sys [40704 2001-08-17] (Creative Technology Ltd.)
U3 GTWModem; C:\Windows\System32\DRIVERS\GWMDM.sys [1141888 2001-08-15] (GTW)
U3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49920 2007-03-08] (HP)
U3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2007-03-08] (HP)
U3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2007-03-08] (HP)
U3 nv4; C:\Windows\System32\DRIVERS\nv4_mini.sys [829305 2001-08-31] (NVIDIA Corporation)
U3 sbpci; C:\Windows\System32\drivers\sbpci.sys [412672 2001-08-24] (Creative Technology Ltd.)
U4 Abiosdsk; No ImagePath
U4 abp480n5; No ImagePath
U4 adpu160m; No ImagePath
U4 Aha154x; No ImagePath
U4 aic78u2; No ImagePath
U4 aic78xx; No ImagePath
U4 AliIde; No ImagePath
U4 amsint; No ImagePath
U4 asc; No ImagePath
U4 asc3350p; No ImagePath
U4 asc3550; No ImagePath
U4 Atdisk; No ImagePath
U4 cd20xrnt; No ImagePath
U1 Changer; No ImagePath
U4 CmdIde; No ImagePath
U4 Cpqarray; No ImagePath
U4 dac2w2k; No ImagePath
U4 dac960nt; No ImagePath
U4 dpti2o; No ImagePath
U4 hpn; No ImagePath
U4 hpt3xx; No ImagePath
U1 i2omgmt; No ImagePath
U4 i2omp; No ImagePath
U4 ini910u; No ImagePath
U0 Lbd; system32\DRIVERS\Lbd.sys [x]
U1 lbrtfdc; No ImagePath
U4 mraid35x; No ImagePath
U1 PCIDump; No ImagePath
U4 PCIIde; No ImagePath
U3 PDCOMP; No ImagePath
U3 PDFRAME; No ImagePath
U3 PDRELI; No ImagePath
U3 PDRFRAME; No ImagePath
U4 perc2; No ImagePath
U4 perc2hib; No ImagePath
U4 ql1080; No ImagePath
U4 Ql10wnt; No ImagePath
U4 ql12160; No ImagePath
U4 ql1240; No ImagePath
U4 ql1280; No ImagePath
U4 Simbad; No ImagePath
U4 Sparrow; No ImagePath
U4 symc810; No ImagePath
U4 symc8xx; No ImagePath
U4 sym_hi; No ImagePath
U4 sym_u3; No ImagePath
U4 TosIde; No ImagePath
U4 ultra; No ImagePath
U4 ViaIde; No ImagePath
U3 WDICA; No ImagePath
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2013-06-21 07:11 - 2013-06-21 07:11 - 00000338 ____A C:\Documents and Settings\Guest\Desktop\ImgBurn.ibq
2013-06-21 07:01 - 2013-06-12 16:17 - 127231689 ____A (Igor Pavlov) C:\Documents and Settings\Guest\Desktop\OTLPENet.exe
2013-06-19 19:16 - 2013-06-19 19:16 - 00000000 ____D C:\FRST
2013-06-19 18:34 - 2013-06-19 18:34 - 00138264 ____A C:\Documents and Settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-05-31 18:16 - 2013-05-31 18:16 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\PC-Doctor
2013-05-24 13:53 - 2013-05-24 13:53 - 00000583 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to bmrt.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000521 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to avg_free_stf_en_8_169a1359.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000399 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to pcdrcui.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000000 ____D C:\Documents and Settings\Guest\Application Data\Sun
2013-05-24 13:49 - 2013-05-24 13:49 - 00000000 ____D C:\Documents and Settings\Guest\Application Data\LockAP
==================== One Month Modified Files and Folders ========
2013-06-21 07:11 - 2013-06-21 07:11 - 00000338 ____A C:\Documents and Settings\Guest\Desktop\ImgBurn.ibq
2013-06-21 06:55 - 2009-01-20 03:37 - 01971081 ____A C:\Windows\WindowsUpdate.log
2013-06-21 06:54 - 2009-02-10 21:37 - 00000062 _ASHC C:\Documents and Settings\Guest\Local Settings\desktop.ini
2013-06-21 06:53 - 2009-01-19 10:14 - 00000159 ____A C:\Windows\wiadebug.log
2013-06-21 06:53 - 2009-01-19 10:14 - 00000049 ____A C:\Windows\wiaservc.log
2013-06-20 19:58 - 2013-05-08 06:31 - 95023320 ___AT C:\Documents and Settings\All Users\Application Data\dz3ini.pad
2013-06-20 19:55 - 2013-05-08 06:32 - 00000000 ____A C:\Documents and Settings\All Users\Application Data\as98213.txt
2013-06-20 19:51 - 2009-01-19 15:25 - 00032536 ____A C:\Windows\SchedLgU.Txt
2013-06-19 19:16 - 2013-06-19 19:16 - 00000000 ____D C:\FRST
2013-06-19 18:34 - 2013-06-19 18:34 - 00138264 ____A C:\Documents and Settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-06-19 18:20 - 2001-08-30 06:30 - 00002206 ____A C:\Windows\System32\wpa.dbl
2013-06-12 16:17 - 2013-06-21 07:01 - 127231689 ____A (Igor Pavlov) C:\Documents and Settings\Guest\Desktop\OTLPENet.exe
2013-05-31 18:16 - 2013-05-31 18:16 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\PC-Doctor
2013-05-31 17:47 - 2009-03-23 18:33 - 00855373 ____A C:\Windows\setupapi.log
2013-05-24 13:53 - 2013-05-24 13:53 - 00000583 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to bmrt.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000521 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to avg_free_stf_en_8_169a1359.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000399 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to pcdrcui.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000000 ____D C:\Documents and Settings\Guest\Application Data\Sun
2013-05-24 13:49 - 2013-05-24 13:49 - 00000000 ____D C:\Documents and Settings\Guest\Application Data\LockAP
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe
[2001-08-30 06:30] - [2008-04-13 20:12] - 1033728 ____A (Microsoft Corporation)
C:\Windows\System32\winlogon.exe
[2001-08-30 06:30] - [2008-04-13 20:12] - 0507904 ____A (Microsoft Corporation)
C:\Windows\System32\svchost.exe
[2001-08-30 06:30] - [2008-04-13 20:12] - 0014336 ____A (Microsoft Corporation)
C:\Windows\System32\services.exe
[2001-08-30 06:30] - [2009-02-06 07:11] - 0110592 ____A (Microsoft Corporation)
C:\Windows\System32\User32.dll
[2001-08-30 06:30] - [2008-04-13 20:12] - 0578560 ____A (Microsoft Corporation)
C:\Windows\System32\userinit.exe
[2001-08-30 06:30] - [2008-04-13 20:12] - 0026112 ____A (Microsoft Corporation)
C:\Windows\System32\Drivers\volsnap.sys
[2001-08-30 06:30] - [2008-04-13 14:41] - 0052352 ____A (Microsoft Corporation)
==================== End Of Log ============================
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-06-2013 04 (ATTENTION: FRST version is 9 days old)
Ran by Guest (ATTENTION: The logged in user is not administrator) on 21-06-2013 07:12:19
Running from D:\G2G 6 11 13
Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal
==================== Could not list processes ===============
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize [x]
HKLM\...\Run: [GWMDMMSG] GWMDMMSG.exe [x]
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2007-03-11] (Hewlett-Packard Co.)
HKLM\...\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [150016 2008-08-20] (Hewlett-Packard)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k [x]
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [41208 2012-12-19] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-03] (Adobe Systems Incorporated)
HKCU\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [x]
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
ShortcutTarget: Microsoft Works Calendar Reminders.lnk -> C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe (MicrosoftÆ Corporation)
==================== Internet (Whitelisted) ====================
HKLM SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.c...ferrer:source?}
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.c...ferrer:source?}
SearchScopes: HKLM - {56256A51-B582-467e-B8D4-7786EDA79AE0} URL = http://www.mywebsear...r={searchTerms}
HKCU SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.c...Box&Form=IE8SRC
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.c...Box&Form=IE8SRC
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfar...etup1.0.1.1.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.micr...922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab
DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} http://update.hpphot.../HPSWUpdate.ocx
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll ()
Handler: ipp - No CLSID Value -
Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
Handler: msdaipp - No CLSID Value -
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 24.89.0.22 24.89.0.21
========================== Services (Whitelisted) =================
U2 C-DillaCdaC11BA; C:\WINDOWS\system32\drivers\CDAC11BA.EXE [54784 2009-04-05] (Macrovision)
U3 PictureTaker; C:\WINDOWS\system32\PCTKRNT.SYS [45056 2009-02-20] (LANovation)
U2 winmgmt; C:\DOCUME~1\ALLUSE~1\APPLIC~1\ini3zd.dat [155648 2013-05-08] (Microsoft Corporation)
U3 AppMgmt; %SystemRoot%\System32\appmgmts.dll [x]
U2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]
==================== Drivers (Whitelisted) ====================
U3 AN983; C:\Windows\System32\DRIVERS\AN983.sys [36224 2004-08-04] (ADMtek Incorporated.)
U3 BCMModem; C:\Windows\System32\DRIVERS\BCMDM.sys [871388 2001-08-17] (BCM)
U2 CdaC15BA; C:\WINDOWS\system32\drivers\CdaC15BA.SYS [12464 2009-04-05] (Macrovision Europe Ltd)
U3 es1371; C:\Windows\System32\drivers\es1371mp.sys [40704 2001-08-17] (Creative Technology Ltd.)
U3 GTWModem; C:\Windows\System32\DRIVERS\GWMDM.sys [1141888 2001-08-15] (GTW)
U3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49920 2007-03-08] (HP)
U3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2007-03-08] (HP)
U3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2007-03-08] (HP)
U3 nv4; C:\Windows\System32\DRIVERS\nv4_mini.sys [829305 2001-08-31] (NVIDIA Corporation)
U3 sbpci; C:\Windows\System32\drivers\sbpci.sys [412672 2001-08-24] (Creative Technology Ltd.)
U4 Abiosdsk; No ImagePath
U4 abp480n5; No ImagePath
U4 adpu160m; No ImagePath
U4 Aha154x; No ImagePath
U4 aic78u2; No ImagePath
U4 aic78xx; No ImagePath
U4 AliIde; No ImagePath
U4 amsint; No ImagePath
U4 asc; No ImagePath
U4 asc3350p; No ImagePath
U4 asc3550; No ImagePath
U4 Atdisk; No ImagePath
U4 cd20xrnt; No ImagePath
U1 Changer; No ImagePath
U4 CmdIde; No ImagePath
U4 Cpqarray; No ImagePath
U4 dac2w2k; No ImagePath
U4 dac960nt; No ImagePath
U4 dpti2o; No ImagePath
U4 hpn; No ImagePath
U4 hpt3xx; No ImagePath
U1 i2omgmt; No ImagePath
U4 i2omp; No ImagePath
U4 ini910u; No ImagePath
U0 Lbd; system32\DRIVERS\Lbd.sys [x]
U1 lbrtfdc; No ImagePath
U4 mraid35x; No ImagePath
U1 PCIDump; No ImagePath
U4 PCIIde; No ImagePath
U3 PDCOMP; No ImagePath
U3 PDFRAME; No ImagePath
U3 PDRELI; No ImagePath
U3 PDRFRAME; No ImagePath
U4 perc2; No ImagePath
U4 perc2hib; No ImagePath
U4 ql1080; No ImagePath
U4 Ql10wnt; No ImagePath
U4 ql12160; No ImagePath
U4 ql1240; No ImagePath
U4 ql1280; No ImagePath
U4 Simbad; No ImagePath
U4 Sparrow; No ImagePath
U4 symc810; No ImagePath
U4 symc8xx; No ImagePath
U4 sym_hi; No ImagePath
U4 sym_u3; No ImagePath
U4 TosIde; No ImagePath
U4 ultra; No ImagePath
U4 ViaIde; No ImagePath
U3 WDICA; No ImagePath
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2013-06-21 07:11 - 2013-06-21 07:11 - 00000338 ____A C:\Documents and Settings\Guest\Desktop\ImgBurn.ibq
2013-06-21 07:01 - 2013-06-12 16:17 - 127231689 ____A (Igor Pavlov) C:\Documents and Settings\Guest\Desktop\OTLPENet.exe
2013-06-19 19:16 - 2013-06-19 19:16 - 00000000 ____D C:\FRST
2013-06-19 18:34 - 2013-06-19 18:34 - 00138264 ____A C:\Documents and Settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-05-31 18:16 - 2013-05-31 18:16 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\PC-Doctor
2013-05-24 13:53 - 2013-05-24 13:53 - 00000583 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to bmrt.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000521 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to avg_free_stf_en_8_169a1359.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000399 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to pcdrcui.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000000 ____D C:\Documents and Settings\Guest\Application Data\Sun
2013-05-24 13:49 - 2013-05-24 13:49 - 00000000 ____D C:\Documents and Settings\Guest\Application Data\LockAP
==================== One Month Modified Files and Folders ========
2013-06-21 07:11 - 2013-06-21 07:11 - 00000338 ____A C:\Documents and Settings\Guest\Desktop\ImgBurn.ibq
2013-06-21 06:55 - 2009-01-20 03:37 - 01971081 ____A C:\Windows\WindowsUpdate.log
2013-06-21 06:54 - 2009-02-10 21:37 - 00000062 _ASHC C:\Documents and Settings\Guest\Local Settings\desktop.ini
2013-06-21 06:53 - 2009-01-19 10:14 - 00000159 ____A C:\Windows\wiadebug.log
2013-06-21 06:53 - 2009-01-19 10:14 - 00000049 ____A C:\Windows\wiaservc.log
2013-06-20 19:58 - 2013-05-08 06:31 - 95023320 ___AT C:\Documents and Settings\All Users\Application Data\dz3ini.pad
2013-06-20 19:55 - 2013-05-08 06:32 - 00000000 ____A C:\Documents and Settings\All Users\Application Data\as98213.txt
2013-06-20 19:51 - 2009-01-19 15:25 - 00032536 ____A C:\Windows\SchedLgU.Txt
2013-06-19 19:16 - 2013-06-19 19:16 - 00000000 ____D C:\FRST
2013-06-19 18:34 - 2013-06-19 18:34 - 00138264 ____A C:\Documents and Settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-06-19 18:20 - 2001-08-30 06:30 - 00002206 ____A C:\Windows\System32\wpa.dbl
2013-06-12 16:17 - 2013-06-21 07:01 - 127231689 ____A (Igor Pavlov) C:\Documents and Settings\Guest\Desktop\OTLPENet.exe
2013-05-31 18:16 - 2013-05-31 18:16 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\PC-Doctor
2013-05-31 17:47 - 2009-03-23 18:33 - 00855373 ____A C:\Windows\setupapi.log
2013-05-24 13:53 - 2013-05-24 13:53 - 00000583 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to bmrt.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000521 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to avg_free_stf_en_8_169a1359.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000399 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to pcdrcui.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000000 ____D C:\Documents and Settings\Guest\Application Data\Sun
2013-05-24 13:49 - 2013-05-24 13:49 - 00000000 ____D C:\Documents and Settings\Guest\Application Data\LockAP
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe
[2001-08-30 06:30] - [2008-04-13 20:12] - 1033728 ____A (Microsoft Corporation)
C:\Windows\System32\winlogon.exe
[2001-08-30 06:30] - [2008-04-13 20:12] - 0507904 ____A (Microsoft Corporation)
C:\Windows\System32\svchost.exe
[2001-08-30 06:30] - [2008-04-13 20:12] - 0014336 ____A (Microsoft Corporation)
C:\Windows\System32\services.exe
[2001-08-30 06:30] - [2009-02-06 07:11] - 0110592 ____A (Microsoft Corporation)
C:\Windows\System32\User32.dll
[2001-08-30 06:30] - [2008-04-13 20:12] - 0578560 ____A (Microsoft Corporation)
C:\Windows\System32\userinit.exe
[2001-08-30 06:30] - [2008-04-13 20:12] - 0026112 ____A (Microsoft Corporation)
C:\Windows\System32\Drivers\volsnap.sys
[2001-08-30 06:30] - [2008-04-13 14:41] - 0052352 ____A (Microsoft Corporation)
==================== End Of Log ============================
Attached Files
-
FRST.txt 12.1KB
289 downloads
-
Addition.txt 7.34KB
242 downloads
-
Result.txt 53bytes
232 downloads
#11
Posted 21 June 2013 - 10:38 AM
Buddierdl
-
- Malware Removal
-
- 2,524 posts
Trusted Helper
Hi,
I think you have made a mistake here. Are you sure this scan is from the infected computer? I don't really see anything in the logs and it shows the computer as being in Normal Boot Mode. Also, the tool needs to be run from an account with administrator privileges.
Let's make sure I understand this properly. The computer cannot boot into Normal Mode without being blocked by the virus. But you can get into Safe Mode, right? Which Safe Mode versions work?
Safe Mode with Networking
Safe Mode (Minimal)
Same Mode with Command Prompt
I think you have made a mistake here. Are you sure this scan is from the infected computer? I don't really see anything in the logs and it shows the computer as being in Normal Boot Mode. Also, the tool needs to be run from an account with administrator privileges.
Let's make sure I understand this properly. The computer cannot boot into Normal Mode without being blocked by the virus. But you can get into Safe Mode, right? Which Safe Mode versions work?
Safe Mode with Networking
Safe Mode (Minimal)
Same Mode with Command Prompt
#12
Posted 21 June 2013 - 12:31 PM
Gooddvant
- Topic Starter
-
- Member
-
- 11 posts
Member
This scan is from the affected computer but not from the administrator's account. That one won't open - goes right to FBI.
I will try to get into the admin account but have been unsuccessful so far. Sometimes I can keep hitting F8 and get into safe mode but not sure if all (about a dozen) of the modes work. I've only tried regular Safe Mode and Safe Mode with Command Prompt.
I guess I need some help getting into my account (admin) without the FBI screen coming up first.
I will try to get into the admin account but have been unsuccessful so far. Sometimes I can keep hitting F8 and get into safe mode but not sure if all (about a dozen) of the modes work. I've only tried regular Safe Mode and Safe Mode with Command Prompt.
I guess I need some help getting into my account (admin) without the FBI screen coming up first.
#13
Posted 21 June 2013 - 02:59 PM
Buddierdl
-
- Malware Removal
-
- 2,524 posts
Trusted Helper
Can you get into Safe Mode with Command Prompt? It will be basically just a black screen with a flashing cursor. If so, put frst.exe on a flash drive and follow the instructions below:
- In the command window type in notepad and press Enter.
- The notepad opens. Under File menu select Open.
- Select "Computer" and find your flash drive letter and close the notepad.
- In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive. - The tool will start to run.
- When the tool opens click Yes to disclaimer.
- Press Scan button.
#14
Posted 21 June 2013 - 08:36 PM
Gooddvant
- Topic Starter
-
- Member
-
- 11 posts
Member
here's the file:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-06-2013 04 (ATTENTION: FRST version is 9 days old)
Ran by Administrator (administrator) on 21-06-2013 21:20:37
Running from D:\
Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Safe Mode (minimal)
==================== Could not list processes ===============
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize [x]
HKLM\...\Run: [GWMDMMSG] GWMDMMSG.exe [x]
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2007-03-11] (Hewlett-Packard Co.)
HKLM\...\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [150016 2008-08-20] (Hewlett-Packard)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k [x]
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [41208 2012-12-19] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-03] (Adobe Systems Incorporated)
HKCU\...\Run: [ctfmon.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\rundll32.exe c:\docume~1\alluse~1\applic~1\ini3zd.dat,FG00 [155648 2013-05-08] (Microsoft Corporation)
HKU\Gene\...\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [ 2008-04-13] (Microsoft Corporation)
HKU\Gene\...\Run: [ctfmon.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\rundll32.exe c:\docume~1\alluse~1\applic~1\ini3zd.dat,FG00 [ 2013-05-08] (Microsoft Corporation)
HKU\Gene\...\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet [ 2009-05-21] (Yahoo! Inc.)
HKU\Gene\...\Run: [Microsoft Works Update Detection] ?\WkDetect.exe [x]
HKU\Guest\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [x]
HKU\Nancy\...\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [ 2008-04-13] (Microsoft Corporation)
HKU\Nancy\...\Run: [ctfmon.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\rundll32.exe c:\docume~1\alluse~1\applic~1\ini3zd.dat,FG00 [ 2013-05-08] (Microsoft Corporation)
HKU\Nancy\...\Run: [Microsoft Works Update Detection] ?\WkDetect.exe [x]
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\msconfig.lnk
ShortcutTarget: msconfig.lnk -> c:\docume~1\alluse~1\applic~1\ini3zd.dat (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
ShortcutTarget: Microsoft Works Calendar Reminders.lnk -> C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe (MicrosoftÆ Corporation)
Startup: C:\Documents and Settings\Gene\Start Menu\Programs\Startup\msconfig.lnk
ShortcutTarget: msconfig.lnk -> C:\DOCUME~1\ALLUSE~1\APPLIC~1\ini3zd.dat (Microsoft Corporation)
Startup: C:\Documents and Settings\Gene\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\Nancy\Start Menu\Programs\Startup\msconfig.lnk
ShortcutTarget: msconfig.lnk -> c:\docume~1\alluse~1\applic~1\ini3zd.dat (Microsoft Corporation)
==================== Internet (Whitelisted) ====================
URLSearchHook: ATTENTION ==> Default URLSearchHook is missing.
HKLM SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.c...ferrer:source?}
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.c...ferrer:source?}
SearchScopes: HKLM - {56256A51-B582-467e-B8D4-7786EDA79AE0} URL = http://www.mywebsear...r={searchTerms}
SearchScopes: HKCU - DefaultScope value is missing.
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfar...etup1.0.1.1.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.micr...922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab
DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} http://update.hpphot.../HPSWUpdate.ocx
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll ()
Handler: ipp - No CLSID Value -
Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
Handler: msdaipp - No CLSID Value -
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 24.89.0.22 24.89.0.21
========================== Services (Whitelisted) =================
S2 C-DillaCdaC11BA; C:\WINDOWS\system32\drivers\CDAC11BA.EXE [54784 2009-04-05] (Macrovision)
S3 PictureTaker; C:\WINDOWS\system32\PCTKRNT.SYS [45056 2009-02-20] (LANovation)
S2 winmgmt; C:\DOCUME~1\ALLUSE~1\APPLIC~1\ini3zd.dat [155648 2013-05-08] (Microsoft Corporation)
S3 AppMgmt; %SystemRoot%\System32\appmgmts.dll [x]
S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]
==================== Drivers (Whitelisted) ====================
S3 AN983; C:\Windows\System32\DRIVERS\AN983.sys [36224 2004-08-04] (ADMtek Incorporated.)
S3 BCMModem; C:\Windows\System32\DRIVERS\BCMDM.sys [871388 2001-08-17] (BCM)
S2 CdaC15BA; C:\WINDOWS\system32\drivers\CdaC15BA.SYS [12464 2009-04-05] (Macrovision Europe Ltd)
S3 es1371; C:\Windows\System32\drivers\es1371mp.sys [40704 2001-08-17] (Creative Technology Ltd.)
S3 GTWModem; C:\Windows\System32\DRIVERS\GWMDM.sys [1141888 2001-08-15] (GTW)
S3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49920 2007-03-08] (HP)
S3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2007-03-08] (HP)
R3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2007-03-08] (HP)
S3 nv4; C:\Windows\System32\DRIVERS\nv4_mini.sys [829305 2001-08-31] (NVIDIA Corporation)
S3 sbpci; C:\Windows\System32\drivers\sbpci.sys [412672 2001-08-24] (Creative Technology Ltd.)
S4 Abiosdsk; No ImagePath
S4 abp480n5; No ImagePath
S4 adpu160m; No ImagePath
S4 Aha154x; No ImagePath
S4 aic78u2; No ImagePath
S4 aic78xx; No ImagePath
S4 AliIde; No ImagePath
S4 amsint; No ImagePath
S4 asc; No ImagePath
S4 asc3350p; No ImagePath
S4 asc3550; No ImagePath
S4 Atdisk; No ImagePath
S4 cd20xrnt; No ImagePath
S1 Changer; No ImagePath
S4 CmdIde; No ImagePath
S4 Cpqarray; No ImagePath
U4 dac2w2k; No ImagePath
S4 dac960nt; No ImagePath
S4 dpti2o; No ImagePath
S4 hpn; No ImagePath
S4 hpt3xx; No ImagePath
S1 i2omgmt; No ImagePath
S4 i2omp; No ImagePath
S4 ini910u; No ImagePath
S0 Lbd; system32\DRIVERS\Lbd.sys [x]
S1 lbrtfdc; No ImagePath
S4 mraid35x; No ImagePath
S1 PCIDump; No ImagePath
S4 PCIIde; No ImagePath
S3 PDCOMP; No ImagePath
S3 PDFRAME; No ImagePath
S3 PDRELI; No ImagePath
S3 PDRFRAME; No ImagePath
S4 perc2; No ImagePath
S4 perc2hib; No ImagePath
S4 ql1080; No ImagePath
S4 Ql10wnt; No ImagePath
S4 ql12160; No ImagePath
S4 ql1240; No ImagePath
S4 ql1280; No ImagePath
S4 Simbad; No ImagePath
S4 Sparrow; No ImagePath
S4 symc810; No ImagePath
S4 symc8xx; No ImagePath
S4 sym_hi; No ImagePath
S4 sym_u3; No ImagePath
S4 TosIde; No ImagePath
S4 ultra; No ImagePath
S4 ViaIde; No ImagePath
S3 WDICA; No ImagePath
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2013-06-21 12:55 - 2013-06-21 12:55 - 00000664 ____A C:\Documents and Settings\Guest\Local Settings\Application Data\d3d9caps.tmp
2013-06-21 07:11 - 2013-06-21 07:11 - 00000338 ____A C:\Documents and Settings\Guest\Desktop\ImgBurn.ibq
2013-06-21 07:01 - 2013-06-12 16:17 - 127231689 ____A (Igor Pavlov) C:\Documents and Settings\Guest\Desktop\OTLPENet.exe
2013-06-19 19:16 - 2013-06-19 19:16 - 00000000 __SHD C:\Documents and Settings\Administrator\IETldCache
2013-06-19 19:16 - 2013-06-19 19:16 - 00000000 ____D C:\FRST
2013-06-19 19:14 - 2013-06-21 21:13 - 00000062 __ASH C:\Documents and Settings\Administrator\Local Settings\desktop.ini
2013-06-19 19:14 - 2013-06-20 20:00 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2013-06-19 19:14 - 2009-12-15 05:01 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft Help
2013-06-19 19:14 - 2009-01-19 10:12 - 00000062 __ASH C:\Documents and Settings\Administrator\Application Data\desktop.ini
2013-06-19 18:34 - 2013-06-19 18:34 - 00138264 ____A C:\Documents and Settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-05-31 18:16 - 2013-05-31 18:16 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\PC-Doctor
2013-05-24 13:53 - 2013-05-24 13:53 - 00000583 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to bmrt.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000521 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to avg_free_stf_en_8_169a1359.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000399 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to pcdrcui.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000000 ____D C:\Documents and Settings\Guest\Application Data\Sun
2013-05-24 13:49 - 2013-05-24 13:49 - 00000000 ____D C:\Documents and Settings\Guest\Application Data\LockAP
==================== One Month Modified Files and Folders ========
2013-06-21 21:13 - 2013-06-19 19:14 - 00000062 __ASH C:\Documents and Settings\Administrator\Local Settings\desktop.ini
2013-06-21 21:13 - 2009-01-19 15:25 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2013-06-21 21:10 - 2009-01-20 03:37 - 01974868 ____A C:\Windows\WindowsUpdate.log
2013-06-21 21:10 - 2009-01-19 15:25 - 00032536 ____A C:\Windows\SchedLgU.Txt
2013-06-21 21:10 - 2009-01-19 15:25 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2013-06-21 21:10 - 2009-01-19 15:22 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-21 21:10 - 2009-01-19 10:14 - 00000235 ____A C:\Windows\wiadebug.log
2013-06-21 21:10 - 2009-01-19 10:14 - 00000049 ____A C:\Windows\wiaservc.log
2013-06-21 12:55 - 2013-06-21 12:55 - 00000664 ____A C:\Documents and Settings\Guest\Local Settings\Application Data\d3d9caps.tmp
2013-06-21 07:11 - 2013-06-21 07:11 - 00000338 ____A C:\Documents and Settings\Guest\Desktop\ImgBurn.ibq
2013-06-21 06:54 - 2009-02-10 21:37 - 00000062 _ASHC C:\Documents and Settings\Guest\Local Settings\desktop.ini
2013-06-20 20:00 - 2013-06-19 19:14 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2013-06-20 19:58 - 2013-05-08 06:31 - 95023320 ___AT C:\Documents and Settings\All Users\Application Data\dz3ini.pad
2013-06-20 19:55 - 2013-05-08 06:32 - 00000000 ____A C:\Documents and Settings\All Users\Application Data\as98213.txt
2013-06-20 19:44 - 2009-01-19 23:36 - 00000178 __ASH C:\Documents and Settings\Nancy\ntuser.ini
2013-06-20 19:41 - 2009-01-19 23:36 - 00000062 __ASH C:\Documents and Settings\Nancy\Local Settings\desktop.ini
2013-06-19 21:04 - 2009-01-19 15:27 - 00000178 __ASH C:\Documents and Settings\Gene\ntuser.ini
2013-06-19 21:00 - 2009-01-19 15:27 - 00000062 __ASH C:\Documents and Settings\Gene\Local Settings\desktop.ini
2013-06-19 19:16 - 2013-06-19 19:16 - 00000000 __SHD C:\Documents and Settings\Administrator\IETldCache
2013-06-19 19:16 - 2013-06-19 19:16 - 00000000 ____D C:\FRST
2013-06-19 18:34 - 2013-06-19 18:34 - 00138264 ____A C:\Documents and Settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-06-19 18:20 - 2001-08-30 06:30 - 00002206 ____A C:\Windows\System32\wpa.dbl
2013-06-12 16:17 - 2013-06-21 07:01 - 127231689 ____A (Igor Pavlov) C:\Documents and Settings\Guest\Desktop\OTLPENet.exe
2013-05-31 18:16 - 2013-05-31 18:16 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\PC-Doctor
2013-05-31 17:47 - 2009-03-23 18:33 - 00855373 ____A C:\Windows\setupapi.log
2013-05-24 13:53 - 2013-05-24 13:53 - 00000583 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to bmrt.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000521 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to avg_free_stf_en_8_169a1359.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000399 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to pcdrcui.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000000 ____D C:\Documents and Settings\Guest\Application Data\Sun
2013-05-24 13:49 - 2013-05-24 13:49 - 00000000 ____D C:\Documents and Settings\Guest\Application Data\LockAP
Files to move or delete:
====================
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\msconfig.lnk
C:\Documents and Settings\Gene\Start Menu\Programs\Startup\msconfig.lnk
C:\Documents and Settings\Nancy\Start Menu\Programs\Startup\msconfig.lnk
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== End Of Log ============================
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-06-2013 04 (ATTENTION: FRST version is 9 days old)
Ran by Administrator (administrator) on 21-06-2013 21:20:37
Running from D:\
Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Safe Mode (minimal)
==================== Could not list processes ===============
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize [x]
HKLM\...\Run: [GWMDMMSG] GWMDMMSG.exe [x]
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2007-03-11] (Hewlett-Packard Co.)
HKLM\...\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [150016 2008-08-20] (Hewlett-Packard)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k [x]
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [41208 2012-12-19] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-03] (Adobe Systems Incorporated)
HKCU\...\Run: [ctfmon.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\rundll32.exe c:\docume~1\alluse~1\applic~1\ini3zd.dat,FG00 [155648 2013-05-08] (Microsoft Corporation)
HKU\Gene\...\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [ 2008-04-13] (Microsoft Corporation)
HKU\Gene\...\Run: [ctfmon.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\rundll32.exe c:\docume~1\alluse~1\applic~1\ini3zd.dat,FG00 [ 2013-05-08] (Microsoft Corporation)
HKU\Gene\...\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet [ 2009-05-21] (Yahoo! Inc.)
HKU\Gene\...\Run: [Microsoft Works Update Detection] ?\WkDetect.exe [x]
HKU\Guest\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [x]
HKU\Nancy\...\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [ 2008-04-13] (Microsoft Corporation)
HKU\Nancy\...\Run: [ctfmon.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\rundll32.exe c:\docume~1\alluse~1\applic~1\ini3zd.dat,FG00 [ 2013-05-08] (Microsoft Corporation)
HKU\Nancy\...\Run: [Microsoft Works Update Detection] ?\WkDetect.exe [x]
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\msconfig.lnk
ShortcutTarget: msconfig.lnk -> c:\docume~1\alluse~1\applic~1\ini3zd.dat (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
ShortcutTarget: Microsoft Works Calendar Reminders.lnk -> C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe (MicrosoftÆ Corporation)
Startup: C:\Documents and Settings\Gene\Start Menu\Programs\Startup\msconfig.lnk
ShortcutTarget: msconfig.lnk -> C:\DOCUME~1\ALLUSE~1\APPLIC~1\ini3zd.dat (Microsoft Corporation)
Startup: C:\Documents and Settings\Gene\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\Nancy\Start Menu\Programs\Startup\msconfig.lnk
ShortcutTarget: msconfig.lnk -> c:\docume~1\alluse~1\applic~1\ini3zd.dat (Microsoft Corporation)
==================== Internet (Whitelisted) ====================
URLSearchHook: ATTENTION ==> Default URLSearchHook is missing.
HKLM SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.c...ferrer:source?}
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.c...ferrer:source?}
SearchScopes: HKLM - {56256A51-B582-467e-B8D4-7786EDA79AE0} URL = http://www.mywebsear...r={searchTerms}
SearchScopes: HKCU - DefaultScope value is missing.
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfar...etup1.0.1.1.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.micr...922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab
DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} http://update.hpphot.../HPSWUpdate.ocx
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll ()
Handler: ipp - No CLSID Value -
Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
Handler: msdaipp - No CLSID Value -
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 24.89.0.22 24.89.0.21
========================== Services (Whitelisted) =================
S2 C-DillaCdaC11BA; C:\WINDOWS\system32\drivers\CDAC11BA.EXE [54784 2009-04-05] (Macrovision)
S3 PictureTaker; C:\WINDOWS\system32\PCTKRNT.SYS [45056 2009-02-20] (LANovation)
S2 winmgmt; C:\DOCUME~1\ALLUSE~1\APPLIC~1\ini3zd.dat [155648 2013-05-08] (Microsoft Corporation)
S3 AppMgmt; %SystemRoot%\System32\appmgmts.dll [x]
S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]
==================== Drivers (Whitelisted) ====================
S3 AN983; C:\Windows\System32\DRIVERS\AN983.sys [36224 2004-08-04] (ADMtek Incorporated.)
S3 BCMModem; C:\Windows\System32\DRIVERS\BCMDM.sys [871388 2001-08-17] (BCM)
S2 CdaC15BA; C:\WINDOWS\system32\drivers\CdaC15BA.SYS [12464 2009-04-05] (Macrovision Europe Ltd)
S3 es1371; C:\Windows\System32\drivers\es1371mp.sys [40704 2001-08-17] (Creative Technology Ltd.)
S3 GTWModem; C:\Windows\System32\DRIVERS\GWMDM.sys [1141888 2001-08-15] (GTW)
S3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49920 2007-03-08] (HP)
S3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2007-03-08] (HP)
R3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2007-03-08] (HP)
S3 nv4; C:\Windows\System32\DRIVERS\nv4_mini.sys [829305 2001-08-31] (NVIDIA Corporation)
S3 sbpci; C:\Windows\System32\drivers\sbpci.sys [412672 2001-08-24] (Creative Technology Ltd.)
S4 Abiosdsk; No ImagePath
S4 abp480n5; No ImagePath
S4 adpu160m; No ImagePath
S4 Aha154x; No ImagePath
S4 aic78u2; No ImagePath
S4 aic78xx; No ImagePath
S4 AliIde; No ImagePath
S4 amsint; No ImagePath
S4 asc; No ImagePath
S4 asc3350p; No ImagePath
S4 asc3550; No ImagePath
S4 Atdisk; No ImagePath
S4 cd20xrnt; No ImagePath
S1 Changer; No ImagePath
S4 CmdIde; No ImagePath
S4 Cpqarray; No ImagePath
U4 dac2w2k; No ImagePath
S4 dac960nt; No ImagePath
S4 dpti2o; No ImagePath
S4 hpn; No ImagePath
S4 hpt3xx; No ImagePath
S1 i2omgmt; No ImagePath
S4 i2omp; No ImagePath
S4 ini910u; No ImagePath
S0 Lbd; system32\DRIVERS\Lbd.sys [x]
S1 lbrtfdc; No ImagePath
S4 mraid35x; No ImagePath
S1 PCIDump; No ImagePath
S4 PCIIde; No ImagePath
S3 PDCOMP; No ImagePath
S3 PDFRAME; No ImagePath
S3 PDRELI; No ImagePath
S3 PDRFRAME; No ImagePath
S4 perc2; No ImagePath
S4 perc2hib; No ImagePath
S4 ql1080; No ImagePath
S4 Ql10wnt; No ImagePath
S4 ql12160; No ImagePath
S4 ql1240; No ImagePath
S4 ql1280; No ImagePath
S4 Simbad; No ImagePath
S4 Sparrow; No ImagePath
S4 symc810; No ImagePath
S4 symc8xx; No ImagePath
S4 sym_hi; No ImagePath
S4 sym_u3; No ImagePath
S4 TosIde; No ImagePath
S4 ultra; No ImagePath
S4 ViaIde; No ImagePath
S3 WDICA; No ImagePath
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2013-06-21 12:55 - 2013-06-21 12:55 - 00000664 ____A C:\Documents and Settings\Guest\Local Settings\Application Data\d3d9caps.tmp
2013-06-21 07:11 - 2013-06-21 07:11 - 00000338 ____A C:\Documents and Settings\Guest\Desktop\ImgBurn.ibq
2013-06-21 07:01 - 2013-06-12 16:17 - 127231689 ____A (Igor Pavlov) C:\Documents and Settings\Guest\Desktop\OTLPENet.exe
2013-06-19 19:16 - 2013-06-19 19:16 - 00000000 __SHD C:\Documents and Settings\Administrator\IETldCache
2013-06-19 19:16 - 2013-06-19 19:16 - 00000000 ____D C:\FRST
2013-06-19 19:14 - 2013-06-21 21:13 - 00000062 __ASH C:\Documents and Settings\Administrator\Local Settings\desktop.ini
2013-06-19 19:14 - 2013-06-20 20:00 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2013-06-19 19:14 - 2009-12-15 05:01 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft Help
2013-06-19 19:14 - 2009-01-19 10:12 - 00000062 __ASH C:\Documents and Settings\Administrator\Application Data\desktop.ini
2013-06-19 18:34 - 2013-06-19 18:34 - 00138264 ____A C:\Documents and Settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-05-31 18:16 - 2013-05-31 18:16 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\PC-Doctor
2013-05-24 13:53 - 2013-05-24 13:53 - 00000583 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to bmrt.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000521 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to avg_free_stf_en_8_169a1359.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000399 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to pcdrcui.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000000 ____D C:\Documents and Settings\Guest\Application Data\Sun
2013-05-24 13:49 - 2013-05-24 13:49 - 00000000 ____D C:\Documents and Settings\Guest\Application Data\LockAP
==================== One Month Modified Files and Folders ========
2013-06-21 21:13 - 2013-06-19 19:14 - 00000062 __ASH C:\Documents and Settings\Administrator\Local Settings\desktop.ini
2013-06-21 21:13 - 2009-01-19 15:25 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2013-06-21 21:10 - 2009-01-20 03:37 - 01974868 ____A C:\Windows\WindowsUpdate.log
2013-06-21 21:10 - 2009-01-19 15:25 - 00032536 ____A C:\Windows\SchedLgU.Txt
2013-06-21 21:10 - 2009-01-19 15:25 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2013-06-21 21:10 - 2009-01-19 15:22 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-21 21:10 - 2009-01-19 10:14 - 00000235 ____A C:\Windows\wiadebug.log
2013-06-21 21:10 - 2009-01-19 10:14 - 00000049 ____A C:\Windows\wiaservc.log
2013-06-21 12:55 - 2013-06-21 12:55 - 00000664 ____A C:\Documents and Settings\Guest\Local Settings\Application Data\d3d9caps.tmp
2013-06-21 07:11 - 2013-06-21 07:11 - 00000338 ____A C:\Documents and Settings\Guest\Desktop\ImgBurn.ibq
2013-06-21 06:54 - 2009-02-10 21:37 - 00000062 _ASHC C:\Documents and Settings\Guest\Local Settings\desktop.ini
2013-06-20 20:00 - 2013-06-19 19:14 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2013-06-20 19:58 - 2013-05-08 06:31 - 95023320 ___AT C:\Documents and Settings\All Users\Application Data\dz3ini.pad
2013-06-20 19:55 - 2013-05-08 06:32 - 00000000 ____A C:\Documents and Settings\All Users\Application Data\as98213.txt
2013-06-20 19:44 - 2009-01-19 23:36 - 00000178 __ASH C:\Documents and Settings\Nancy\ntuser.ini
2013-06-20 19:41 - 2009-01-19 23:36 - 00000062 __ASH C:\Documents and Settings\Nancy\Local Settings\desktop.ini
2013-06-19 21:04 - 2009-01-19 15:27 - 00000178 __ASH C:\Documents and Settings\Gene\ntuser.ini
2013-06-19 21:00 - 2009-01-19 15:27 - 00000062 __ASH C:\Documents and Settings\Gene\Local Settings\desktop.ini
2013-06-19 19:16 - 2013-06-19 19:16 - 00000000 __SHD C:\Documents and Settings\Administrator\IETldCache
2013-06-19 19:16 - 2013-06-19 19:16 - 00000000 ____D C:\FRST
2013-06-19 18:34 - 2013-06-19 18:34 - 00138264 ____A C:\Documents and Settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-06-19 18:20 - 2001-08-30 06:30 - 00002206 ____A C:\Windows\System32\wpa.dbl
2013-06-12 16:17 - 2013-06-21 07:01 - 127231689 ____A (Igor Pavlov) C:\Documents and Settings\Guest\Desktop\OTLPENet.exe
2013-05-31 18:16 - 2013-05-31 18:16 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\PC-Doctor
2013-05-31 17:47 - 2009-03-23 18:33 - 00855373 ____A C:\Windows\setupapi.log
2013-05-24 13:53 - 2013-05-24 13:53 - 00000583 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to bmrt.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000521 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to avg_free_stf_en_8_169a1359.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000399 ____A C:\Documents and Settings\Guest\Desktop\Shortcut to pcdrcui.lnk
2013-05-24 13:53 - 2013-05-24 13:53 - 00000000 ____D C:\Documents and Settings\Guest\Application Data\Sun
2013-05-24 13:49 - 2013-05-24 13:49 - 00000000 ____D C:\Documents and Settings\Guest\Application Data\LockAP
Files to move or delete:
====================
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\msconfig.lnk
C:\Documents and Settings\Gene\Start Menu\Programs\Startup\msconfig.lnk
C:\Documents and Settings\Nancy\Start Menu\Programs\Startup\msconfig.lnk
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== End Of Log ============================
Attached Files
-
FRST.txt 15.34KB
310 downloads
#15
Posted 22 June 2013 - 06:55 AM
Buddierdl
-
- Malware Removal
-
- 2,524 posts
Trusted Helper
Please download the attached file and copy to the same location on the flash drive as frst.exe. The run FRST the same way as before, but click "Fix" this time. It should produce a log called fixlog.txt. Please post it in your next reply.
fixlist.txt 1.74KB
319 downloads
Your computer should be able to boot normally now. Please run the scans below:
Download OTL to your Desktop and run it.
Under the Custom Scans/Fixes box at the bottom, paste in the following: Select the Scan All Users box in the middle on the top of the window Click the Run Scan button. Post the log it produces in your next reply.
Download aswMBR.exe to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan
On completion of the scan click save log, save it to your desktop and post in your next reply
fixlist.txt 1.74KB
319 downloadsYour computer should be able to boot normally now. Please run the scans below:
Download OTL to your Desktop and run it.
BASESERVICES %SYSTEMDRIVE%\*.exe /md5start services.* explorer.exe winlogon.exe Userinit.exe svchost.exe /md5stop dir "%systemdrive%\*" /S /A:L /C CREATERESTOREPOINT
Download aswMBR.exe to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan
On completion of the scan click save log, save it to your desktop and post in your next reply
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
