Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Need help removing FBI Ransomware [Solved]


  • This topic is locked This topic is locked

#16
Gooddvant

Gooddvant

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Ran the FRSTfix.exe and the report is attached.
Attached File  Fixlog.txt   1.81KB   109 downloads


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-06-2013 04
Ran by Administrator at 2013-06-22 11:09:41 Run:2
Running from D:\
Boot Mode: Safe Mode (minimal)

==============================================

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\ctfmon.exe => Value not found.
HKU\Gene\Software\Microsoft\Windows\CurrentVersion\Run\\ctfmon.exe => Value not found.
HKU\Nancy\Software\Microsoft\Windows\CurrentVersion\Run\\ctfmon.exe => Value not found.
C:\DOCUME~1\ALLUSE~1\APPLIC~1\rundll32.exe => File/Directory not found.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\msconfig.lnk => Moved successfully.
c:\docume~1\alluse~1\applic~1\ini3zd.dat => Moved successfully.
C:\Documents and Settings\Gene\Start Menu\Programs\Startup\msconfig.lnk => Moved successfully.
C:\DOCUME~1\ALLUSE~1\APPLIC~1\ini3zd.dat not found.
C:\Documents and Settings\Nancy\Start Menu\Programs\Startup\msconfig.lnk => Moved successfully.
c:\docume~1\alluse~1\applic~1\ini3zd.dat not found.
Default URLSearchHook was restored successfully .
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} => Key deleted successfully.
HKCR\CLSID\{56256A51-B582-467e-B8D4-7786EDA79AE0} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKCR\CLSID\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} => Key not found.
HKCR\PROTOCOLS\Handler\ic32pp => Key deleted successfully.
HKCR\CLSID\{BBCA9F81-8F4F-11D2-90FF-0080C83D3571} => Key deleted successfully.
winmgmt => Service restored successfully.
C:\Documents and Settings\All Users\Application Data\dz3ini.pad => Moved successfully.
C:\Documents and Settings\All Users\Application Data\as98213.txt => Moved successfully.

==== End of Fixlog ====
Ran the OTL and the report is attached.
Attached File  OTL.Txt   77.57KB   89 downloads


OTL logfile created on: 6/23/2013 9:22:13 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Gene\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.30 Mb Total Physical Memory | 293.05 Mb Available Physical Memory | 57.32% Memory free
1.22 Gb Paging File | 1.04 Gb Available in Paging File | 85.73% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.54 Gb Total Space | 35.76 Gb Free Space | 47.97% Space Free | Partition Type: NTFS
Drive D: | 29.80 Gb Total Space | 29.59 Gb Free Space | 99.29% Space Free | Partition Type: FAT32

Computer Name: JASPER | User Name: Gene | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/06/23 10:12:18 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gene\Desktop\OTL.exe
PRC - [2009/04/05 19:36:03 | 000,054,784 | ---- | M] (Macrovision) -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2001/08/15 21:25:02 | 000,100,913 | ---- | M] (GTW) -- C:\WINDOWS\GWMDMMSG.exe


========== Modules (No Company Name) ==========


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2013/06/23 09:08:55 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2009/04/05 19:36:03 | 000,054,784 | ---- | M] (Macrovision) [Auto | Running] -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE -- (C-DillaCdaC11BA)
SRV - [2009/02/20 21:38:37 | 000,045,056 | ---- | M] (LANovation) [On_Demand | Stopped] -- C:\WINDOWS\system32\PCTKRNT.SYS -- (PictureTaker)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [File_System | Boot | Stopped] -- system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2009/04/05 19:24:55 | 000,012,464 | ---- | M] (Macrovision Europe Ltd) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CdaC15BA.SYS -- (CdaC15BA)
DRV - [2004/08/04 01:31:18 | 000,036,224 | ---- | M] (ADMtek Incorporated.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\an983.sys -- (AN983)
DRV - [2001/08/24 00:58:00 | 000,412,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sbpci.sys -- (sbpci)
DRV - [2001/08/17 09:28:00 | 000,871,388 | ---- | M] (BCM) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMDM.sys -- (BCMModem)
DRV - [2001/08/17 08:19:34 | 000,040,704 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\es1371mp.sys -- (es1371)
DRV - [2001/08/15 21:25:06 | 001,141,888 | ---- | M] (GTW) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GWMDM.sys -- (GTWModem)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}


IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-507921405-1935655697-1343024091-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebs...HdIbrMQOrUx1AnQ
IE - HKU\S-1-5-21-507921405-1935655697-1343024091-1004\..\SearchScopes,DefaultScope = {56256A51-B582-467e-B8D4-7786EDA79AE0}
IE - HKU\S-1-5-21-507921405-1935655697-1343024091-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\S-1-5-21-507921405-1935655697-1343024091-1004\..\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0}: "URL" = http://www.mywebsear...r={searchTerms}
IE - HKU\S-1-5-21-507921405-1935655697-1343024091-1004\..\SearchScopes\{835BC06B-F229-4ADF-9A00-774216124426}: "URL" = http://www.google.co...age={startPage}
IE - HKU\S-1-5-21-507921405-1935655697-1343024091-1004\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo....s}&fr=chr-iobit
IE - HKU\S-1-5-21-507921405-1935655697-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-507921405-1935655697-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}:6.0.29


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Nancy\Application Data\Move Networks\plugins\npqmp071505000011.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\Program Files\Mozilla Firefox\components [2011/04/30 11:26:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\Program Files\Mozilla Firefox\plugins [2013/04/06 09:34:32 | 000,000,000 | ---D | M]

[2009/01/20 21:23:34 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Gene\Application Data\Mozilla\Extensions
[2009/06/04 06:21:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Gene\Application Data\Mozilla\Firefox\Profiles\0gltqf27.default\extensions
[2009/06/02 18:47:31 | 000,009,949 | ---- | M] () -- C:\Documents and Settings\Gene\Application Data\Mozilla\Firefox\Profiles\0gltqf27.default\searchplugins\mywebsearch.xml
[2010/04/19 14:15:17 | 000,000,000 | ---D | M] (Java Console) -- C:\DOCUMENTS AND SETTINGS\GENE\MY DOCUMENTS\MY COMPUTER JASPER\LOCAL DISK © COPIED\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/22 12:14:05 | 000,000,000 | ---D | M] (Java Console) -- C:\DOCUMENTS AND SETTINGS\GENE\MY DOCUMENTS\MY COMPUTER JASPER\LOCAL DISK © COPIED\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/11/09 22:40:30 | 000,000,000 | ---D | M] (Java Console) -- C:\DOCUMENTS AND SETTINGS\GENE\MY DOCUMENTS\MY COMPUTER JASPER\LOCAL DISK © COPIED\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/10/20 19:03:50 | 000,000,000 | ---D | M] (Java Console) -- C:\DOCUMENTS AND SETTINGS\GENE\MY DOCUMENTS\MY COMPUTER JASPER\LOCAL DISK © COPIED\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
[2010/04/19 14:14:52 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

O1 HOSTS File: ([2001/08/30 06:30:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (HP Print Clips) - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
O4 - HKLM..\Run: [GWMDMMSG] C:\WINDOWS\GWMDMMSG.exe (GTW)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize File not found
O4 - HKU\S-1-5-21-507921405-1935655697-1343024091-1004..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-507921405-1935655697-1343024091-1004..\Run: [Microsoft Works Update Detection] ￿\WkDetect.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-507921405-1935655697-1343024091-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-507921405-1935655697-1343024091-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O9 - Extra Button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfar...etup1.0.1.1.cab (Reg Error: Key error.)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.micr...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1232437027944 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} http://update.hpphot.../HPSWUpdate.ocx (CUpdateCtl Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.89.0.22 24.89.0.21
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{05D0B4E5-5D12-4E03-A20D-BE601D2628C0}: DhcpNameServer = 24.89.0.22 24.89.0.21
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Gene\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Gene\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/19 15:22:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2013/06/23 09:16:18 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Gene\Desktop\OTL.exe
[2013/06/23 09:12:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2013/06/23 09:08:55 | 000,692,104 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/06/19 19:16:13 | 000,000,000 | ---D | C] -- C:\FRST
[2013/05/31 18:16:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2013/05/08 06:31:20 | 000,155,648 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\wlfoe.dat
[2009/02/09 20:01:17 | 007,642,128 | ---- | C] (IObit ) -- C:\Program Files\asc-setup.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/06/23 10:12:18 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gene\Desktop\OTL.exe
[2013/06/23 09:08:57 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/06/23 09:08:55 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/06/23 09:08:55 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/06/23 09:06:55 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/06/23 09:06:53 | 536,203,264 | -HS- | M] () -- C:\hiberfil.sys
[2013/06/19 18:20:34 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/06/23 09:08:57 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/06/22 11:13:51 | 536,203,264 | -HS- | C] () -- C:\hiberfil.sys
[2013/05/08 06:32:59 | 000,003,062 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dz3ini.js
[2013/05/08 06:31:53 | 095,023,320 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\eoflw.pad
[2012/02/15 18:06:23 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/08/26 21:58:49 | 000,147,616 | ---- | C] () -- C:\WINDOWS\hpoins21.dat
[2011/08/26 21:58:48 | 000,008,138 | ---- | C] () -- C:\WINDOWS\hpomdl21.dat
[2011/08/26 20:56:18 | 002,338,640 | ---- | C] () -- C:\Program Files\HPSDU.exe
[2009/03/25 20:40:43 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Gene\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/08 19:59:09 | 000,134,391 | ---- | C] () -- C:\Program Files\pdfdownload_2.0.0.0.xpi

========== ZeroAccess Check ==========


[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\System32\shdocvw.dll -- [2008/04/13 20:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\System32\wbem\fastprox.dll -- [2009/02/09 08:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\System32\wbem\wbemess.dll -- [2008/04/13 20:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Custom Scans ==========

========== Base Services ==========
SRV - [2008/04/13 20:12:12 | 000,044,544 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\alg.exe -- (ALG)
SRV - [2008/04/13 20:12:11 | 000,006,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - [2008/04/13 20:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\qmgr.dll -- (BITS)
SRV - [2012/07/06 09:58:51 | 000,078,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\browser.dll -- (Browser)
SRV - [2008/04/13 20:11:51 | 000,062,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\cryptsvc.dll -- (CryptSvc)
SRV - [2008/04/13 20:11:51 | 000,126,976 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dhcpcsvc.dll -- (Dhcp)
SRV - [2009/04/20 13:17:26 | 000,045,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dnsrslvr.dll -- (Dnscache)
SRV - [2009/02/06 07:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (Eventlog)
SRV - [2008/04/13 20:11:52 | 000,033,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\eapsvc.dll -- (EapHost)
SRV - [2009/07/27 19:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (FastUserSwitchingCompatibility)
SRV - [2008/04/13 20:12:08 | 000,015,872 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\w3ssl.dll -- (HTTPFilter)
SRV - [2008/04/13 19:11:54 | 000,021,504 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\hidserv.dll -- (HidServ)
SRV - [2008/04/13 20:12:22 | 000,150,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\imapi.exe -- (ImapiService)
SRV - [2008/04/13 20:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (PolicyAgent)
SRV - [2008/04/13 20:11:52 | 000,023,552 | ---- | M] (Microsoft Corp.) [On_Demand | Stopped] -- C:\WINDOWS\system32\dmserver.dll -- (dmserver)
SRV - [2008/04/13 20:12:17 | 000,224,768 | ---- | M] (Microsoft Corp., Veritas Software) [On_Demand | Stopped] -- C:\WINDOWS\System32\dmadmin.exe -- (dmadmin)
SRV - [2008/04/13 20:12:17 | 000,005,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\dllhost.exe -- (SwPrv)
SRV - [2008/04/13 20:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (Netlogon)
SRV - [2008/04/13 20:12:01 | 000,198,144 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\netman.dll -- (Netman)
SRV - [2008/06/20 12:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\mswsock.dll -- (Nla)
SRV - [2009/02/06 07:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (PlugPlay)
SRV - [2010/08/17 09:17:06 | 000,058,880 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\spoolsv.exe -- (Spooler)
SRV - [2008/04/13 20:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (ProtectedStorage)
SRV - [2008/04/13 20:12:03 | 000,088,576 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rasauto.dll -- (RasAuto)
SRV - [2008/04/13 20:12:03 | 000,186,368 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\rasmans.dll -- (RasMan)
SRV - [2009/02/09 08:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\rpcss.dll -- (RpcSs)
SRV - [2008/04/13 20:12:02 | 000,435,200 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntmssvc.dll -- (NtmsSvc)
SRV - [2008/04/13 20:12:05 | 000,018,944 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\seclogon.dll -- (seclogon)
SRV - [2008/04/13 20:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (SamSs)
SRV - [2008/04/13 20:12:10 | 000,080,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wscsvc.dll -- (wscsvc)
SRV - [2010/08/27 01:57:43 | 000,099,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srvsvc.dll -- (lanmanserver)
SRV - [2009/07/27 19:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (ShellHWDetection)
SRV - [2008/04/13 20:12:07 | 000,171,008 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srsvc.dll -- (srservice)
SRV - [2008/04/13 20:12:05 | 000,192,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\schedsvc.dll -- (Schedule)
SRV - [2008/04/13 20:11:56 | 000,013,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lmhsvc.dll -- (LmHosts)
SRV - [2008/04/13 20:12:07 | 000,249,856 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\tapisrv.dll -- (TapiSrv)
SRV - [2008/04/13 20:12:07 | 000,295,424 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\termsrv.dll -- (TermService)
SRV - [2009/07/27 19:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (Themes)
SRV - [2008/04/13 20:12:38 | 000,289,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\vssvc.exe -- (VSS)
SRV - [2008/04/13 20:11:50 | 000,042,496 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\audiosrv.dll -- (AudioSrv)
SRV - [2008/04/13 20:11:55 | 000,331,264 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ipnathlp.dll -- (SharedAccess)
SRV - [2008/04/13 20:12:08 | 000,333,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wiaservc.dll -- (stisvc)
SRV - [2008/04/13 20:12:28 | 000,078,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\msiexec.exe -- (MSIServer)
SRV - [2008/04/13 20:12:09 | 000,144,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wbem\wmisvc.dll -- (winmgmt)
No service found with a name of Wmi
SRV - [2008/04/13 20:11:52 | 000,132,096 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dot3svc.dll -- (Dot3svc)
SRV - [2008/04/13 20:12:11 | 000,483,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wzcsvc.dll -- (WZCSVC)
SRV - [2009/06/10 02:14:49 | 000,132,096 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wkssvc.dll -- (lanmanworkstation)

< %SYSTEMDRIVE%\*.exe >

< MD5 for: EXPLORER.EXE >
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2001/08/30 06:30:00 | 001,000,960 | ---- | M] (Microsoft Corporation) MD5=5A26FC6010886D25B3E412493DD95ED8 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\dllcache\explorer.exe
[2001/08/30 06:30:00 | 001,000,960 | ---- | M] (Microsoft Corporation) MD5=5A26FC6010886D25B3E412493DD95ED8 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\system32\dllcache\explorer.exe
[2001/08/30 06:30:00 | 001,000,960 | ---- | M] (Microsoft Corporation) MD5=5A26FC6010886D25B3E412493DD95ED8 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\WINDOWS\explorer.exe
[2001/08/30 06:30:00 | 001,000,960 | ---- | M] (Microsoft Corporation) MD5=5A26FC6010886D25B3E412493DD95ED8 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\WINDOWS\system32\dllcache\explorer.exe
[2007/06/13 07:26:04 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2004/08/04 03:56:49 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: SERVICES >
[2001/08/30 06:30:00 | 000,007,116 | ---- | M] () MD5=95826940E657FE0567A8EC0F2A6AD11A -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\system32\drivers\etc\services
[2001/08/30 06:30:00 | 000,007,116 | ---- | M] () MD5=95826940E657FE0567A8EC0F2A6AD11A -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\drivers\etc\services
[2001/08/30 06:30:00 | 000,007,116 | ---- | M] () MD5=95826940E657FE0567A8EC0F2A6AD11A -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\WINDOWS\system32\drivers\etc\services
[2001/08/30 06:30:00 | 000,007,116 | ---- | M] () MD5=95826940E657FE0567A8EC0F2A6AD11A -- C:\WINDOWS\system32\drivers\etc\services

< MD5 for: SERVICES.DLL >
[2004/09/22 22:20:40 | 000,019,968 | ---- | M] () MD5=7273380075B0F4E45D03AE3D92954484 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\Program Files\Musicmatch\Musicmatch Jukebox\Services.dll
[2006/06/14 20:41:30 | 000,019,968 | ---- | M] () MD5=BF5998931DC9AFD6A207A3D54843690A -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\Program Files\Musicmatch\Musicmatch Update\MMJB\Services.dll

< MD5 for: SERVICES.EXE >
[2009/02/06 07:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
[2008/04/13 20:12:34 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\$NtUninstallKB956572$\services.exe
[2008/04/13 20:12:34 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\ServicePackFiles\i386\services.exe
[2009/02/06 07:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\dllcache\services.exe
[2009/02/06 07:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\services.exe
[2004/08/04 03:56:55 | 000,108,032 | ---- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\WINDOWS\$NtServicePackUninstall$\services.exe
[2001/08/30 06:30:00 | 000,101,376 | ---- | M] (Microsoft Corporation) MD5=E3DF4A0252D287C44606EE55355E1623 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\dllcache\services.exe
[2001/08/30 06:30:00 | 000,101,376 | ---- | M] (Microsoft Corporation) MD5=E3DF4A0252D287C44606EE55355E1623 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\services.exe
[2001/08/30 06:30:00 | 000,101,376 | ---- | M] (Microsoft Corporation) MD5=E3DF4A0252D287C44606EE55355E1623 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\system32\dllcache\services.exe
[2001/08/30 06:30:00 | 000,101,376 | ---- | M] (Microsoft Corporation) MD5=E3DF4A0252D287C44606EE55355E1623 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\system32\services.exe
[2001/08/30 06:30:00 | 000,101,376 | ---- | M] (Microsoft Corporation) MD5=E3DF4A0252D287C44606EE55355E1623 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\WINDOWS\system32\dllcache\services.exe
[2001/08/30 06:30:00 | 000,101,376 | ---- | M] (Microsoft Corporation) MD5=E3DF4A0252D287C44606EE55355E1623 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\WINDOWS\system32\services.exe

< MD5 for: SERVICES.EXE-2F433351.PF >
[2013/06/22 11:14:45 | 000,015,340 | ---- | M] () MD5=BBD666CFAB02FF548422DD91198D5697 -- C:\WINDOWS\Prefetch\SERVICES.EXE-2F433351.pf

< MD5 for: SERVICES.HTML >
[2005/10/25 00:08:04 | 000,007,922 | ---- | M] () MD5=17FD8FD76A856DE741E177B2D934ABCA -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\Program Files\Yahoo SiteBuilder\sites\Dad's Web Page\services.html
[2005/10/25 00:08:04 | 000,007,948 | ---- | M] () MD5=60569B2FF5933160A81381E942CD3955 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\Program Files\Yahoo SiteBuilder\sites\Dad's Web Page\sitebuilder\preview\services.html

< MD5 for: SERVICES.ICO >
[2005/12/14 21:21:08 | 000,007,318 | ---- | M] () MD5=9443DA63ACDF55D7D153D6B22E40722E -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\Program Files\Yahoo!\Common\icons\services.ico

< MD5 for: SERVICES.LNK >
[2009/02/08 21:03:15 | 000,001,632 | ---- | M] () MD5=DEABF4094AA933657361E18AD40B0870 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Services.lnk
[2009/02/08 21:02:15 | 000,001,602 | ---- | M] () MD5=EB8B3C26ED01CA40B043E3C1A9F01C3B -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Services.lnk

< MD5 for: SERVICES.MSC >
[2001/08/30 06:30:00 | 000,033,464 | ---- | M] () MD5=E8089AA2A6F7FEE89B38C1F2D77BA6C6 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\services.msc
[2001/08/30 06:30:00 | 000,033,464 | ---- | M] () MD5=E8089AA2A6F7FEE89B38C1F2D77BA6C6 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\system32\services.msc
[2001/08/30 06:30:00 | 000,033,464 | ---- | M] () MD5=E8089AA2A6F7FEE89B38C1F2D77BA6C6 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\WINDOWS\system32\services.msc
[2001/08/30 06:30:00 | 000,033,464 | ---- | M] () MD5=E8089AA2A6F7FEE89B38C1F2D77BA6C6 -- C:\WINDOWS\system32\services.msc

< MD5 for: SVCHOST.EXE >
[2001/08/30 06:30:00 | 000,012,800 | ---- | M] (Microsoft Corporation) MD5=0F7D9C87B0CE1FA520473119752C6F79 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\dllcache\svchost.exe
[2001/08/30 06:30:00 | 000,012,800 | ---- | M] (Microsoft Corporation) MD5=0F7D9C87B0CE1FA520473119752C6F79 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\svchost.exe
[2001/08/30 06:30:00 | 000,012,800 | ---- | M] (Microsoft Corporation) MD5=0F7D9C87B0CE1FA520473119752C6F79 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\system32\dllcache\svchost.exe
[2001/08/30 06:30:00 | 000,012,800 | ---- | M] (Microsoft Corporation) MD5=0F7D9C87B0CE1FA520473119752C6F79 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\system32\svchost.exe
[2001/08/30 06:30:00 | 000,012,800 | ---- | M] (Microsoft Corporation) MD5=0F7D9C87B0CE1FA520473119752C6F79 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\WINDOWS\system32\dllcache\svchost.exe
[2001/08/30 06:30:00 | 000,012,800 | ---- | M] (Microsoft Corporation) MD5=0F7D9C87B0CE1FA520473119752C6F79 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\WINDOWS\system32\svchost.exe
[2008/04/13 20:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/13 20:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2004/08/04 03:56:57 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 03:56:57 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2001/08/30 06:30:00 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=585398603F570F9705774D65D292E5D1 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\dllcache\userinit.exe
[2001/08/30 06:30:00 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=585398603F570F9705774D65D292E5D1 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\system32\dllcache\userinit.exe
[2001/08/30 06:30:00 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=585398603F570F9705774D65D292E5D1 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\system32\userinit.exe
[2001/08/30 06:30:00 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=585398603F570F9705774D65D292E5D1 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\userinit.exe
[2001/08/30 06:30:00 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=585398603F570F9705774D65D292E5D1 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\WINDOWS\system32\dllcache\userinit.exe
[2001/08/30 06:30:00 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=585398603F570F9705774D65D292E5D1 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\WINDOWS\system32\userinit.exe
[2008/04/13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 03:56:57 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2001/08/30 06:30:00 | 000,430,080 | ---- | M] (Microsoft Corporation) MD5=2B0E480E975EE51F2D5CE5F068FED6E2 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\dllcache\winlogon.exe
[2001/08/30 06:30:00 | 000,430,080 | ---- | M] (Microsoft Corporation) MD5=2B0E480E975EE51F2D5CE5F068FED6E2 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\system32\dllcache\winlogon.exe
[2001/08/30 06:30:00 | 000,430,080 | ---- | M] (Microsoft Corporation) MD5=2B0E480E975EE51F2D5CE5F068FED6E2 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\system32\winlogon.exe
[2001/08/30 06:30:00 | 000,430,080 | ---- | M] (Microsoft Corporation) MD5=2B0E480E975EE51F2D5CE5F068FED6E2 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\a misc\winlogon.exe
[2001/08/30 06:30:00 | 000,430,080 | ---- | M] (Microsoft Corporation) MD5=2B0E480E975EE51F2D5CE5F068FED6E2 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\WINDOWS\system32\dllcache\winlogon.exe
[2001/08/30 06:30:00 | 000,430,080 | ---- | M] (Microsoft Corporation) MD5=2B0E480E975EE51F2D5CE5F068FED6E2 -- C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\WINDOWS\system32\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< dir "%systemdrive%\*" /S /A:L /C >
Volume in drive C has no label.
Volume Serial Number is A02C-61F1

< End of report >

Tried to run the aswMBR twice (both times took over an hour). Both ended in an error state. No report available.

The FBI screen no longer appears and holds the screen hostage. All appears to be running acceptably. I don't know if there's anything left to do?
  • 0

Advertisements


#17
Buddierdl

Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Hi,

There's a little bit more to take care of. After this we should be able to scan for any remnants.

Step 1: Run OTL fix.

Please be aware that this fix will delete your temporary files. If the virus has "hidden" any of your files, please do not run the fix, but stop and let me know.

Start OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Commands
    [createrestorepoint]
    
    :OTL
    
    IE - HKU\S-1-5-21-507921405-1935655697-1343024091-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebs...HdIbrMQOrUx1AnQ
    IE - HKU\S-1-5-21-507921405-1935655697-1343024091-1004\..\SearchScopes,DefaultScope = {56256A51-B582-467e-B8D4-7786EDA79AE0}
    IE - HKU\S-1-5-21-507921405-1935655697-1343024091-1004\..\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0}: "URL" = http://www.mywebsear...r={searchTerms}
    
    [2009/06/02 18:47:31 | 000,009,949 | ---- | M] () -- C:\Documents and Settings\Gene\Application Data\Mozilla\Firefox\Profiles\0gltqf27.default\searchplugins\mywebsearch.xml
    
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfar...etup1.0.1.1.cab (Reg Error: Key error.)
    
    [2013/05/08 06:31:20 | 000,155,648 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\wlfoe.dat
    
    [2013/05/08 06:32:59 | 000,003,062 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dz3ini.js
    [2013/05/08 06:31:53 | 095,023,320 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\eoflw.pad
    
    :Commands
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered.
  • Post the log it produces in your next reply.

Step 2: Run adwCleaner.

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete

Posted Image

Once done it will ask to reboot, allow this
On reboot a log will be produced at C:\ADWCleaner[XX].txt please attach that

Step 3: Run aswMBR.

When you tried to run this, did you say "yes" when it asked to download and scan with the definitions? If so, try it again and click "no."

Things I need in your next reply:
  • OTL fix log
  • adwCleaner log
  • aswMBR log
  • How is your computer running now?

  • 0

#18
Gooddvant

Gooddvant

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
It appears that everything is back to the way it was. Your direction and expertise are very much appreciated. I intend to make a modest donation to G2G as soon as I am in a better position to do so. Again, thanks sincerely.
Gooddvant

Attached Files


  • 0

#19
Buddierdl

Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts

Again, thanks sincerely.



You're very welcome. :)


I recommend a few last scans to pick up any leftovers.

Step 1: Run SecurityCheck

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Step 2: Run MBAM.

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Step 3: Run online scan.

Run ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is Not checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Things I need in your next reply:
  • SecurityCheck log
  • MBAM log
  • ESET log
  • Any outstanding problems?

  • 0

#20
Gooddvant

Gooddvant

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Thanks again. You have been tremendous.

Attached Files


  • 0

#21
Buddierdl

Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Hi,

ESET found a few things that we should get rid of, so one last fix and then you are good.


Start OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Commands
    [createrestorepoint]
    
    :Files
    
    C:\Documents and Settings\Gene\My Documents\Downloads\fdminst(2).exe
    C:\Documents and Settings\Gene\My Documents\Downloads\fdminst.exe
    C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk (C) copied\WINDOWS\index.html	
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered.
  • Post the log it produces in your next reply. The log should be saved in C:\_OTL\MovedFiles and should be named with numbers describing the date and time it was run.

Also, do you recognize this folder:

C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\Program Files\rhcljtj0ea4t

If you don't recognize it, please delete it and make sure not to run anything it contains.


Congratulations, Mark. :) Your computer now appears to be clean. Please complete the followings steps to finalize the cleaning process.

Please be sure to install an anti-virus on this PC as soon as possible. This is very important for the continued protection of the PC. I recommend the free and lightweight Microsoft Security Essentials.

Please update these programs, as old versions pose a security risk.

  • Java

    WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
    See this article and this article.
    I would recommend that you completely uninstall Java unless you need it to run an important software.
    In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

    If you do need java, then you should definitely update to the latest version:

    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe, then click Remove JRE.
    • Run the built-in uninstallers for all copies of java listed
    • Click the Next button
    • Click the Next button again
    • Click the Java Manual Download link
    • A browser window will open with the Java download page
    • Click the Windows Offline (32-bit) or Windows Offline (64-bit) link to download Java (based on your browser type)
    • Run the installer
    • Close JavaRa
  • Adobe Reader -> You can get the latest version here.

    I would recommend securing Adobe Reader against the latest exploits as follows:

    • Launch Adobe Reader.
    • Click on Edit and select Preferences.
    • On the Left, click on the Javascript category and Uncheck Enable Acrobat Javascript.
    • Click on the Security (Enhanced) category and Uncheck Automatically trust sites from my Win OS security zones.
    • Click on the Trust Manager category and Uncheck Allow opening of non-PDF file attachments with external applications.
    • Click the OK button.
  • Adobe Flash -> Always keep up with the latest version here. You also have an old version on your computer (Adobe Flash 10) that needs to be uninstalled to keep your computer secure.
  • Firefox -> You can get the latest version here.

Clean up OTL:
  • Open OTL and select the "CleanUp" button.
  • Allow the computer to reboot.

Delete possibly infected restore points. Your computer may have saved a restore point while it was infected, so we need to delete the old restore points and create a new, clean one.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

  • Create a new, clean System Restore point which you can use in case of future system problems:
  • Press Start >> All Programs >> Accessories >>System Tools >> System Restore
  • Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
  • Now remove old, infected System Restore points:
  • Next click Start >> Run and type cleanmgr in the box and press OK
  • Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
  • Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
  • Press OK and Yes to confirm

Reset SP3 Firewall: Make sure you don't have any open ports in your firewall.
Click on Start >> Run... and cut/paste in the following and click on OK
firewall.cpl
Click on the Advanced tab >> Restore Defaults >> At the prompt click on Yes >> OK
Now click on the General tab >> select On(recommended) >> OK.

Ensure that Windows is always updated. Keeping Windows updated is very important to prevent security vulnerabilities. I recommend turning on automatic updates following the instructions below:
  • First, click on Start and click on Control Panel.
  • Double-click on Automatic Updates to bring up the configuration dialog. If you're in Category view, you'll have to click on Security Center.
  • Select the Automatic (recommended) option and click on OK at the bottom of the window.

Empty temp files. I would recommend doing this every so often to free up some space on your computer.

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Always ensure that your firewall and anti-virus program are updated and running. These are your first line of defense against infection.

Make sure that you keep all of your programs updated. Out-of-date programs can make your computer more vulnerable to infection. Software manufacturers release updates to fix security problems as they are discovered. Secunia Personal Software Inspector, free to download here, is a good program that will scan your computer looking for programs that need to be updated.

This article has good information about how computers get infected. You can read it for good tips on staying clean and safe.
  • 0

#22
Gooddvant

Gooddvant

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi.
I ran the OTL - results posted.
There was no file C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\Program Files\rhcljtj0ea4t found.



========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== FILES ==========
C:\Documents and Settings\Gene\My Documents\Downloads\fdminst(2).exe moved successfully.
C:\Documents and Settings\Gene\My Documents\Downloads\fdminst.exe moved successfully.
C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk © copied\WINDOWS\index.html moved successfully.

OTL by OldTimer - Version 3.2.69.0 log created on 07052013_091123

I will run the programs and update the software as suggested and I really appreciate all you have done to fix this. You guys ROCK!
  • 0

#23
Buddierdl

Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Hi,

Sorry for taking so long. If you run this fix, we can just make sure that the folder is not hidden. After that, we're done. :)


Start OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Files
    C:\Documents and Settings\Gene\My Documents\My Computer Jasper\Local Disk (C) copied\Program Files\rhcljtj0ea4t
  • Then click the Run Fix button at the top
  • Let the program run unhindered.
  • Post the log it produces in your next reply. The log should be saved in C:\_OTL\MovedFiles and should be named with numbers describing the date and time it was run.

  • 0

#24
Buddierdl

Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP