Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Need help removing FBI Ransomware virus [Solved]

Started by Stargeneral , Jun 18 2014 08:39 AM

  • This topic is locked This topic is locked

#46
Biscuithd
Posted 24 June 2014 - 02:35 PM

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

Hi Stargeneral,

 

I'm cautiously optimistic ;)

 

Please run OTLPE again.

 

Under the Custom Scans/Fixes box at the bottom, paste in the following

 
:Command
[CREATERESTOREPOINT]
 
:OTL
SRV - File not found [On_Demand] -- -- (AppMgmt)

SRV - File not found [Auto] -- -- (AfaService)

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)

DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)

DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)

DRV - File not found [Kernel | System] -- -- (PCIDump)

DRV - File not found [Kernel | System] -- -- (lbrtfdc)

DRV - File not found [Kernel | System] -- -- (Changer)

DRV - File not found [Kernel | On_Demand] -- -- (bvrp_pci)

O2 - BHO: (MyWebSearch Search Assistant BHO) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (MyWebSearch.com)

O2 - BHO: (mwsBar BHO) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)

O2 - BHO: (KangoBHO) - {A88DE8D3-9C38-4F0D-8981-A4C17F7677A1} - C:\Program Files\Notificatoin\1.0.0\KangoBHO.dll (Kango)

O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll (Yontoo LLC)

O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\GoogleAFE\GoogleAE.dll (Google)

O3 - HKLM\..\Toolbar: (My Web Search) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)

O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

O3 - HKU\Nancy_Langston_ON_C\..\Toolbar\WebBrowser: (My Web Search) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)

O3 - HKU\Nancy_Langston_ON_C\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)

O3 - HKU\Nancy_Langston_ON_C\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

O3 - HKU\Nancy_Langston_ON_C\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
 
[2014/06/21 15:39:00 | 000,000,252 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job

[2014/06/20 18:08:53 | 000,000,440 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{37B74C27-72C0-470F-BC3D-810F55BB4292}.job

[2014/06/01 16:07:55 | 000,097,792 | ---- | M] () -- C:\Documents and Settings\Nancy Langston\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 
 
:Command
[resethosts]

[emptytemp]

[Reboot]

  • Then click the Run Fix button at the top

  • Let the program run unhindered, reboot when it is done

  • Post the log that is produced

  • Attempt to reboot normally into Windows


Cross your fingers and see if the machine will boot normally without the FBI Ransomware


  • 0

Advertisements

#47
Stargeneral
Posted 24 June 2014 - 03:16 PM

Stargeneral

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts

No good on the normal reboot. Still get blocker screen right away.

Here's the log

 

Error: Unable to interpret <:Command> in the current context!
Error: Unable to interpret <[CREATERESTOREPOINT]> in the current context!
Error: Unable to interpret < > in the current context!
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppMgmt deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AfaService deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WDICA deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PDRFRAME deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PDRELI deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PDFRAME deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PDCOMP deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCIDump deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lbrtfdc deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Changer deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bvrp_pci deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D}\ deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\ deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A88DE8D3-9C38-4F0D-8981-A4C17F7677A1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A88DE8D3-9C38-4F0D-8981-A4C17F7677A1}\ deleted successfully.
C:\Program Files\Notificatoin\1.0.0\KangoBHO.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
C:\Program Files\Ask.com\GenericAskToolbar.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ deleted successfully.
C:\Program Files\Yontoo\YontooIEClient.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA6319C0-31B7-401E-A518-A07C3DB8F777}\ deleted successfully.
C:\Program Files\GoogleAFE\GoogleAE.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{07B18EA9-A523-4961-B6BB-170DE4475CCA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\ deleted successfully.
File C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{2318C2B1-4965-11d4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\ deleted successfully.
C:\Program Files\Google\GoogleToolbar2.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
Registry key HKEY_USERS\Nancy_Langston_ON_C\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\ not found.
File C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL not found.
Registry key HKEY_USERS\Nancy_Langston_ON_C\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
File C:\Program Files\Google\GoogleToolbar2.dll not found.
Registry key HKEY_USERS\Nancy_Langston_ON_C\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
Registry key HKEY_USERS\Nancy_Langston_ON_C\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\\WallPaper deleted successfully.
B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\\BackupWallPaper deleted successfully.
File B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp not found.
C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job moved successfully.
C:\WINDOWS\tasks\User_Feed_Synchronization-{37B74C27-72C0-470F-BC3D-810F55BB4292}.job moved successfully.
C:\Documents and Settings\Nancy Langston\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully.
Error: Unable to interpret <:Command> in the current context!
Error: Unable to interpret <[resethosts]> in the current context!
Error: Unable to interpret <[emptytemp]> in the current context!
Error: Unable to interpret <[Reboot]> in the current context!

OTLPE by OldTimer - Version 3.1.48.0 log created on 06242014_055550


  • 0

#48
Stargeneral
Posted 24 June 2014 - 09:30 PM

Stargeneral

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts

I have a question for you. I just ran AVG anti-virus and really started to look at the results returned. This was run from the uninfected drive. The scan picked up 2 tracking cookies and 215 notifications, most of which came from the infected drive. Looking at the results of these notifications I just ran by the macros from this drive but there was over a hundred "Locked Files" on the infected drive. All but one of these files were in the folder b5d28f147e7213e9f2418ba7a640 and contained a lot of .DLL and ie**** files. This is not a sub directory but has two sub-directories that I cannot access. All the files in this directory are labeled blue instead of the usual black. Do you know what this file is and why it should be locked????? AVG does not scan locked files. I got it so that I can see hidden files.


  • 0

#49
Stargeneral
Posted 24 June 2014 - 09:34 PM

Stargeneral

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts

That files does not show up when I look at the same location on the unaffected drive.


  • 0

#50
Biscuithd
Posted 25 June 2014 - 06:09 AM

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

The scan picked up 2 tracking cookies and 215 notifications, most of which came from the infected drive.

 

This is not unusual. Most systems have quite a collection of tracking cookies from the various websites that you visit. The more nefarious ones I clean up after the major infections are gone.

 

 

Looking at the results of these notifications I just ran by the macros from this drive but there was over a hundred "Locked Files" on the infected drive.

 

Files become locked because they are "in use" or because the process that had been using them, terminated abnormally and didn't do an "unlock" before exiting.

 

 

 

All but one of these files were in the folder b5d28f147e7213e9f2418ba7a640 and contained a lot of .DLL and ie**** files. This is not a sub directory but has two sub-directories that I cannot access.

 

I don't know what this folder or file is. It's not anything well known, but that doesn't mean it's nefarious in nature. Often game software uses randomly named folders and files. Often they are just used as Temporary files and since Games are sometimes not "well behaved", they leave locked, hidden, temporary files that take up a lot of space. Certainly Malware does too from time to time, but I'm not thinking that this is Malware. Certainly not the Malware we're looking for.

 

 

All the files in this directory are labeled blue instead of the usual black. Do you know what this file is and why it should be locked????? AVG does not scan locked files. I got it so that I can see hidden files.

I think the blue/black thing is Hidden files versus Non-Hidden files.


  • 0

#51
Biscuithd
Posted 25 June 2014 - 06:14 AM

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

One last thought. Certainly very sophisticated Malware can be well hidden and difficult to find. However, most is not. And, it's not well hidden and difficult to find becuase if it was, it likely wouldn't work very well. The writers of this stuff need the malware to work, easily, on as many computers as possible. So, if it's burried at the bottom of dozens of randomly name folders or launched from an obscure part of the Registry, it limits the impact of the Malware. Exactly what the author doesn't want.

 

This "bad boy" is out in plain sight. I'm just not seeing it. I sure hope you don't mind sticking with me as I'm not even close to giving up! ;)


  • 0

#52
Biscuithd
Posted 25 June 2014 - 06:16 AM

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

When you get a moment, would you do another OTLPE scan. I want to see how things look with the lines we removed yestarday.


  • 0

#53
Biscuithd
Posted 25 June 2014 - 07:27 AM

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

Stargeneral,

 

Disregard the scan I asked for in #52.

 

I think we're closing in on the culprit. We going to have to do this in two steps. In the first you're going to run a script and post the results. Then I'll cobble together a second script that I think will fix the problem.

 

Here's step one.

 

Please run OTLPE again.

 

Under the Custom Scans/Fixes box at the bottom, paste in the following

/md5start

user32.*

/md5stop

Then click the Run Scan button at the top and post the resulting log to me.


  • 0

#54
Stargeneral
Posted 25 June 2014 - 09:31 AM

Stargeneral

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts

OTL logfile created on: 6/25/2014 11:11:49 AM - Run
OTLPE by OldTimer - Version 3.1.48.0     Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 82.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.21 Gb Total Space | 15.68 Gb Free Space | 45.82% Space Free | Partition Type: NTFS
Drive D: | 29.71 Gb Total Space | 10.31 Gb Free Space | 34.69% Space Free | Partition Type: FAT32
Drive E: | 3.68 Gb Total Space | 2.63 Gb Free Space | 71.42% Space Free | Partition Type: FAT32
Drive F: | 14.83 Gb Total Space | 12.92 Gb Free Space | 87.13% Space Free | Partition Type: FAT32
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2014/06/17 22:27:38 | 000,106,248 | ---- | M] (SurfRight B.V.) [Auto] -- C:\Program Files\HitmanPro\hmpsched.exe -- (HitmanProScheduler)
SRV - [2014/05/13 15:23:04 | 003,644,432 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto] -- C:\Program Files\AVG\AVG2014\avgidsagent.exe -- (AVGIDSAgent)
SRV - [2014/05/13 15:15:28 | 000,292,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto] -- C:\Program Files\AVG\AVG2014\avgwdsvc.exe -- (avgwd)
SRV - [2014/05/09 18:35:32 | 001,801,752 | ---- | M] (AVG Secure Search) [Auto] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.5\ToolbarUpdater.exe -- (vToolbarUpdater18.1.5)
SRV - [2014/03/15 14:14:31 | 000,257,928 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/08/14 17:19:24 | 000,039,056 | ---- | M] () [Disabled] -- C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe -- (RealNetworks Downloader Resolver Service)
SRV - [2010/09/03 02:45:02 | 000,227,232 | ---- | M] (McAfee, Inc.) [Disabled] -- C:\Program Files\McAfee Security Scan\2.1.121\McCHSvc.exe -- (McComponentHostService)
SRV - [2008/06/13 23:55:31 | 000,028,739 | ---- | M] (MyWebSearch.com) [Auto] -- C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE -- (MyWebSearchService)
SRV - [2008/02/22 12:33:00 | 000,104,960 | ---- | M] (ArcSoft Inc.) [Auto] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2004/04/07 14:07:32 | 001,135,728 | ---- | M] (America Online, Inc.) [Auto] -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS)


========== Driver Services (SafeList) ==========

DRV - [2014/06/24 07:01:32 | 000,030,976 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hitmanpro37.sys -- (hitmanpro37)
DRV - [2014/05/13 15:19:14 | 000,192,280 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2014/05/13 15:17:24 | 000,237,848 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot] -- C:\WINDOWS\system32\drivers\avglogx.sys -- (Avglogx)
DRV - [2014/05/13 15:17:22 | 000,210,200 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2014/05/13 15:17:22 | 000,122,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System] -- C:\WINDOWS\system32\drivers\avgdiskx.sys -- (Avgdiskx)
DRV - [2014/05/13 15:17:20 | 000,149,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot] -- C:\WINDOWS\system32\drivers\avgidshx.sys -- (AVGIDSHX)
DRV - [2014/05/13 15:17:20 | 000,107,288 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2014/05/13 15:09:12 | 000,198,936 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System] -- C:\WINDOWS\system32\drivers\avgidsdriverx.sys -- (AVGIDSDriver)
DRV - [2014/05/13 15:04:36 | 000,027,416 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot] -- C:\WINDOWS\system32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2014/05/13 15:04:34 | 000,021,272 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System] -- C:\WINDOWS\system32\drivers\avgidsshimx.sys -- (AVGIDSShim)
DRV - [2014/05/09 18:35:33 | 000,042,784 | ---- | M] (AVG Technologies) [Kernel | System] -- C:\WINDOWS\system32\drivers\avgtpx86.sys -- (avgtp)
DRV - [2014/04/13 17:17:48 | 000,007,936 | ---- | M] (FNet Co., Ltd.) [Kernel | System] -- C:\WINDOWS\system32\drivers\FNETURPX.SYS -- (FNETURPX)
DRV - [2006/11/10 17:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2006/01/03 15:56:37 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2004/10/26 13:22:50 | 000,002,410 | ---- | M] () [Kernel | On_Demand] -- C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys -- (FreshIO)
DRV - [2004/09/17 16:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/06/16 05:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2004/03/06 06:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2004/03/06 06:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2004/03/06 06:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2003/06/12 09:33:00 | 000,059,977 | ---- | M] (FarStone Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\gdxwdm.sys -- (gdxwdm)
DRV - [2003/01/10 18:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
IE - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en
IE - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
IE - HKLM\Software\Microsoft\Internet Explorer\Search,Start Page = http://www.google.com/ig/dell?hl=en


IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF - HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin:  File not found
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_39: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: 
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=16.0.3.51: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlchromebrowserrecordext;version=1.3.3: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlhtml5videoshim;version=1.3.3: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlpepperflashvideoshim;version=1.3.3: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=16.0.3.51: C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@realnetworks.com/npdlplugin;version=1: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@toolbar: C:\Documents and Settings\All Users\Application Data\AVG SafeGuard toolbar\FireFoxExt\17.3.1.204 [2014/02/08 20:18:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\ [2014/02/23 22:50:01 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2004/08/04 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (RealNetworks Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AVG SafeGuard toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG SafeGuard toolbar\18.1.5.514\AVG SafeGuard toolbar_toolbar.dll (AVG Secure Search)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -  File not found
O2 - BHO: (CPrintEnhancer Object) - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll (Hewlett-Packard Co.)
O2 - BHO: (Free Download Manager) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Free Download Manager\iefdm2.dll (FreeDownloadManager.ORG)
O2 - BHO: (NetZero Toolbar Helper) - {FE3098B0-04A3-41fd-8CA9-BEA39CB14C87} - C:\Program Files\NetZero\UCReg.dll (NetZero, Inc.)
O3 - HKLM\..\Toolbar: (AVG SafeGuard toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG SafeGuard toolbar\18.1.5.514\AVG SafeGuard toolbar_toolbar.dll (AVG Secure Search)
O3 - HKLM\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O3 - HKLM\..\Toolbar: (ZeroBar) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll (NetZero, Inc.)
O4 - HKLM..\Run: [AVG_UI] C:\Program Files\AVG\AVG2014\avgui.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [GameDrive] C:\Program Files\FarStone\GameDrive\gdtask.exe (FarStone Technology Inc.)
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG SafeGuard toolbar\vprot.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra Button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - Reg Error: Value error. File not found
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1375492197765 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_39)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_39)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_39)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://download.mac...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\18.1.5\ViProtocol.dll (AVG Secure Search)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2004/08/10 15:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2014\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG2014\avgrsx.exe (AVG Technologies CZ, s.r.o.)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2014/06/24 13:51:57 | 000,000,000 | ---D | C] -- C:\[bleep]
[2014/06/24 05:55:50 | 000,000,000 | ---D | C] -- C:\_OTL
[2014/06/21 07:58:18 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2014/06/20 14:52:30 | 000,000,000 | -HSD | C] -- C:\found.001
[2014/06/18 16:11:02 | 000,000,000 | ---D | C] -- C:\frst
[2014/06/17 22:27:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\HitmanPro
[2014/06/17 22:27:22 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2014/06/17 22:26:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2014/06/05 14:37:14 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Documents\Report
[2014/06/04 00:10:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Vega Strike
[2014/06/04 00:03:47 | 000,000,000 | ---D | C] -- C:\Program Files\Vega Strike
[2014/05/12 05:57:19 | 000,024,576 | ---- | C] (Microsoft Corporation) -- C:\Program Files\DSETUP.DLL
[2014/05/12 05:57:03 | 000,273,408 | R--- | C] (Mpath Interactive) -- C:\Program Files\mplaynow.exe
[2014/05/12 05:57:01 | 004,094,464 | ---- | C] (Hothouse Creations) -- C:\Program Files\gangsters.exe
[2013/12/16 22:19:30 | 000,216,064 | ---- | C] ( ) -- C:\WINDOWS\System32\Lagarith.dll
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2014/06/24 07:05:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2014/06/24 07:05:21 | 1340,133,376 | -HS- | M] () -- C:\hiberfil.sys
[2014/06/24 07:01:50 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2014/06/24 07:01:32 | 000,030,976 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro37.sys
[2014/06/24 07:00:54 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-3312560122-1070824374-1967851052-1006.job
[2014/06/24 07:00:51 | 000,000,318 | ---- | M] () -- C:\WINDOWS\tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-3312560122-1070824374-1967851052-1006.job
[2014/06/24 07:00:24 | 000,000,898 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2014/06/17 22:27:36 | 000,001,610 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
[2014/06/17 22:27:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\HitmanPro
[2014/06/05 15:34:32 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2014/06/05 15:33:13 | 000,000,902 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2014/06/04 00:10:36 | 000,444,952 | ---- | M] (Creative Labs) -- C:\WINDOWS\System32\wrap_oal.dll
[2014/06/04 00:10:35 | 000,109,080 | ---- | M] (Portions © Creative Labs Inc. and NVIDIA Corp.) -- C:\WINDOWS\System32\OpenAL32.dll
[2014/06/04 00:10:28 | 000,000,713 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Vega Strike.lnk
[2014/06/04 00:10:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Vega Strike
[2014/06/03 16:04:02 | 000,000,304 | ---- | M] () -- C:\WINDOWS\tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-3312560122-1070824374-1967851052-1006.job
[2014/06/02 14:36:18 | 000,000,326 | ---- | M] () -- C:\WINDOWS\tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-3312560122-1070824374-1967851052-1006.job
[2014/05/26 22:12:30 | 000,001,670 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\NetZero Quick Help.lnk
[2014/05/26 22:12:30 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\NetZero Internet.lnk
[2014/05/26 22:12:30 | 000,001,589 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\NetZero Internet.lnk
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2014/06/24 07:01:31 | 000,030,976 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro37.sys
[2014/06/17 22:27:36 | 000,001,610 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
[2014/06/04 00:10:28 | 000,000,713 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Vega Strike.lnk
[2014/05/12 05:57:20 | 000,096,256 | ---- | C] () -- C:\Program Files\SMACKW32.DLL
[2014/05/12 05:57:04 | 000,093,696 | ---- | C] () -- C:\Program Files\GameConfiguration.dll
[2014/05/12 05:57:04 | 000,058,880 | ---- | C] () -- C:\Program Files\readme.rtf
[2014/05/12 05:57:04 | 000,010,752 | R--- | C] () -- C:\Program Files\MplayerReadme.wri
[2014/05/12 05:57:04 | 000,000,229 | R--- | C] () -- C:\Program Files\MPLAYNOW.INI
[2014/05/12 05:56:36 | 000,000,018 | ---- | C] () -- C:\Program Files\Security.key
[2014/04/11 17:03:53 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2014/04/11 17:03:53 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2014/04/11 17:03:53 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2014/04/11 17:03:53 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2014/04/11 17:03:53 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2014/01/14 15:40:58 | 000,238,736 | ---- | C] () -- C:\WINDOWS\System32\libbluray.dll
[2013/12/16 23:28:08 | 003,916,288 | ---- | C] () -- C:\WINDOWS\System32\ffmpeg.dll
[2013/12/16 23:27:32 | 000,112,640 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2013/12/16 23:27:00 | 000,271,360 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2013/12/16 23:26:40 | 000,157,184 | ---- | C] () -- C:\WINDOWS\System32\ff_unrar.dll
[2013/12/16 23:26:40 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ff_libmad.dll
[2013/12/16 23:26:40 | 000,099,840 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2013/12/16 23:26:38 | 001,525,760 | ---- | C] () -- C:\WINDOWS\System32\ff_samplerate.dll
[2013/12/16 23:26:38 | 000,211,968 | ---- | C] () -- C:\WINDOWS\System32\ff_libdts.dll
[2013/12/16 23:26:38 | 000,136,704 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2013/12/16 23:26:38 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\ff_liba52.dll
[2013/12/16 22:38:54 | 000,877,296 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2013/12/16 22:38:52 | 000,242,259 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2013/12/16 22:15:32 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OptimFROG.dll
[2013/12/16 22:15:32 | 000,000,236 | ---- | C] () -- C:\WINDOWS\System32\Formats.ini
[2013/12/16 22:15:30 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\bass_tak.dll
[2013/12/16 21:28:34 | 000,097,792 | ---- | C] () -- C:\WINDOWS\System32\ac3config.exe
[2013/12/16 21:28:26 | 001,021,440 | ---- | C] () -- C:\WINDOWS\System32\ac3filter_intl.dll
[2013/12/16 21:28:18 | 000,109,568 | ---- | C] () -- C:\WINDOWS\System32\avi.dll
[2013/12/16 21:28:18 | 000,097,792 | ---- | C] () -- C:\WINDOWS\System32\avs.dll
[2013/12/16 21:28:18 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\avss.dll
[2013/12/16 21:27:52 | 000,113,152 | ---- | C] () -- C:\WINDOWS\System32\dsmux.exe
[2013/12/16 21:27:50 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\dxr.dll
[2013/12/16 21:27:40 | 000,358,400 | ---- | C] () -- C:\WINDOWS\System32\gdsmux.exe
[2013/12/16 21:27:16 | 000,137,728 | ---- | C] () -- C:\WINDOWS\System32\mkv2vfr.exe
[2013/12/16 21:27:16 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll
[2013/12/16 21:27:14 | 000,150,528 | ---- | C] () -- C:\WINDOWS\System32\mkx.dll
[2013/12/16 21:27:14 | 000,080,384 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll
[2013/12/16 21:27:10 | 000,142,336 | ---- | C] () -- C:\WINDOWS\System32\mp4.dll
[2013/12/16 21:26:52 | 000,123,392 | ---- | C] () -- C:\WINDOWS\System32\ogm.dll
[2013/12/16 21:26:46 | 000,198,144 | ---- | C] () -- C:\WINDOWS\System32\spdif_test.exe
[2013/12/16 21:26:40 | 000,154,624 | ---- | C] () -- C:\WINDOWS\System32\ts.dll
[2013/09/02 01:47:30 | 000,026,514 | ---- | C] () -- C:\WINDOWS\DIIUnin.dat
[2013/02/01 00:25:54 | 000,000,025 | ---- | C] () -- C:\WINDOWS\csgme96.ini
[2012/10/15 20:30:21 | 000,000,053 | ---- | C] () -- C:\WINDOWS\Kyor.ini
[2012/09/12 00:35:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\FSDataSvr.sys
[2012/09/12 00:35:21 | 000,005,501 | ---- | C] () -- C:\WINDOWS\System32\dptlcg32.dll
[2012/08/08 20:45:20 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2012/08/08 20:45:20 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2012/08/08 20:45:20 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2011/04/11 15:52:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2011/01/16 13:17:59 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2011/01/10 20:34:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2011/01/10 20:15:12 | 000,000,475 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2008/12/09 11:48:33 | 000,539,599 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\phn.dat
[2007/09/14 17:59:18 | 000,130,509 | ---- | C] () -- C:\WINDOWS\HPHins13.dat
[2007/09/14 17:59:18 | 000,002,977 | ---- | C] () -- C:\WINDOWS\hphmdl13.dat
[2007/03/22 16:47:35 | 000,046,344 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.EXE
[2006/11/22 21:31:35 | 000,000,016 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2006/11/15 21:56:15 | 000,000,933 | ---- | C] () -- C:\WINDOWS\ARCADE.INI
[2006/11/15 21:48:18 | 000,000,095 | ---- | C] () -- C:\WINDOWS\LTANK.INI
[2006/11/03 13:54:58 | 000,083,968 | ---- | C] () -- C:\WINDOWS\UnGins.exe
[2006/11/03 13:54:33 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\Unlha32.dll
[2006/11/03 13:54:32 | 000,473,600 | ---- | C] () -- C:\WINDOWS\System32\Harmony.dll
[2006/01/09 14:56:16 | 000,000,430 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI
[2006/01/08 22:01:26 | 000,005,018 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/01/08 22:01:26 | 000,000,104 | RHS- | C] () -- C:\WINDOWS\System32\780B9A934A.sys
[2006/01/08 17:29:14 | 000,003,106 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2006/01/03 16:14:14 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/01/03 16:04:27 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2006/01/03 15:57:24 | 000,000,202 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/01/03 15:55:35 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/01/03 15:34:40 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2006/01/03 15:34:24 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2006/01/03 15:34:18 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/01/28 10:08:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 15:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 15:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/10 15:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 15:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 14:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 14:57:15 | 000,232,776 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 14:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 14:51:20 | 000,407,170 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 14:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 14:51:20 | 000,063,952 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 14:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 14:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 14:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 14:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 14:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 14:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 14:51:10 | 000,578,560 | ---- | C] () -- C:\WINDOWS\System32\user32.ini
[2004/08/10 14:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 14:50:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/07/21 17:38:30 | 000,006,398 | ---- | C] () -- C:\WINDOWS\System32\drivers\SmartCdx.sys
[2003/07/08 12:54:00 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\VDExtend.dll
[2003/07/08 12:54:00 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\GDExtend.dll
[2003/06/07 10:57:00 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\fsmesbox.dll
[2003/06/07 10:57:00 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\FsLodLib.dll
[2003/06/07 10:56:00 | 000,040,960 | ---- | C] () -- C:\WINDOWS\DxpApp.exe
[2003/02/14 11:56:00 | 000,016,384 | ---- | C] () -- C:\WINDOWS\FSRunCmd.exe
[1997/06/13 22:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll

========== LOP Check ==========

[2014/03/14 19:52:50 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\AVG2014
[2009/09/12 02:53:43 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\SACore
[2012/11/18 23:41:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\041890C4AF0DD1A3000004188CB3D95A
[2012/10/02 02:46:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\1637A
[2014/04/08 00:25:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Auslogics
[2014/03/20 03:23:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG
[2013/12/17 01:54:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG SafeGuard toolbar
[2014/03/14 18:52:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Secure Search
[2014/03/14 19:53:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2013
[2014/03/23 12:32:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2014
[2012/07/23 23:32:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon
[2013/03/28 00:00:29 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2014/04/13 17:18:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FNET
[2013/01/18 01:20:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Free Download Manager
[2014/06/17 22:26:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2012/10/02 02:45:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iMesh
[2013/11/10 03:44:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallMate
[2006/08/11 21:50:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\JollyBear
[2014/06/19 10:01:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2006/02/14 00:12:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Netscape Internet Service
[2011/10/30 01:13:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NetZero
[2012/09/14 02:04:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2012/06/29 22:46:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2006/01/03 15:56:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2014/03/20 03:44:39 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
[2014/03/20 03:44:42 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{3002E08A-4925-4821-8D06-D5FC4EBFF034}

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: USER32.DLL  >
[2005/03/02 14:19:56 | 000,577,024 | ---- | M] (Microsoft Corporation) MD5=1800F293BCCC8EDE8A70E12B88D80036 -- C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
[2012/10/03 00:58:13 | 000,617,984 | ---- | M] (Microsoft Corporation) MD5=1CF4FF12F6AE7ADAD82CA4AE55BD8B46 -- C:\WINDOWS\ServicePackFiles\i386\user32.dll
[2012/10/03 00:58:13 | 000,617,984 | ---- | M] (Microsoft Corporation) MD5=1CF4FF12F6AE7ADAD82CA4AE55BD8B46 -- C:\WINDOWS\system32\user32.dll
[2007/03/08 11:48:36 | 000,578,048 | ---- | M] (Microsoft Corporation) MD5=7AA4F6C00405DFC4B70ED4214E7D687B -- C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
[2007/03/08 11:36:28 | 000,577,536 | ---- | M] (Microsoft Corporation) MD5=B409909F6E2E8A7067076ED748ABF1E7 -- C:\WINDOWS\$NtServicePackUninstall$\user32.dll
[2004/08/04 07:00:00 | 000,577,024 | ---- | M] (Microsoft Corporation) MD5=C72661F8552ACE7C5C85E16A3CF505C4 -- C:\i386\user32.dll
[2004/08/04 07:00:00 | 000,577,024 | ---- | M] (Microsoft Corporation) MD5=C72661F8552ACE7C5C85E16A3CF505C4 -- C:\WINDOWS\$NtUninstallKB890859$\user32.dll
[2005/03/02 14:09:30 | 000,577,024 | ---- | M] (Microsoft Corporation) MD5=DE2DB164BBB35DB061AF0997E4499054 -- C:\WINDOWS\$NtUninstallKB925902$\user32.dll

< MD5 for: USER32.INI  >
[2012/10/03 00:58:13 | 000,578,560 | ---- | M] () MD5=DF74697FB06A25F2D119ECA1AC4AE8C2 -- C:\WINDOWS\ServicePackFiles\i386\user32.ini
[2012/10/03 00:58:13 | 000,578,560 | ---- | M] () MD5=DF74697FB06A25F2D119ECA1AC4AE8C2 -- C:\WINDOWS\system32\user32.ini
< End of report >


  • 0

#55
Biscuithd
Posted 25 June 2014 - 10:41 AM

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

Here's step two.

 

Run OTLPE again.

 

Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands

[CREATERESTOREPOINT]
 
:Files

C:\WINDOWS\system32\user32.dll|C:\WINDOWS\$NtServicePackUninstall$\user32.dll/replace

C:\WINDOWS\ServicePackFiles\i386\user32.dll|C:\WINDOWS\$NtServicePackUninstall$\user32.dll/replace
 
:Commands

[resethosts]

[emptytemp]

[Reboot]

Then click the Run Fix button at the top. It will reboot after the fix. Hopefully, the Ransomeware virus will be gone.


  • 0

Advertisements

#56
Stargeneral
Posted 25 June 2014 - 11:12 AM

Stargeneral

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts

No go. boots to blocker screen still.


  • 0

#57
Biscuithd
Posted 25 June 2014 - 11:20 AM

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

Let's make sure the fix worked. Maybe I had a syntax error. Could you post the Fix log from that last run.

 

Then, do a new Custom Scan using the info below as you have in the past.

 

Under the Custom Scans/Fixes box at the bottom, paste in the following

/md5start

user32.*

services.*

explorer.exe

winlogon.exe

Userinit.exe

svchost.exe

qmgr.dll

mpsvc.dll

winsock.*

rpcss.dll

/md5stop

Then click the Run Scan button at the top..

 


 


  • 0

#58
Stargeneral
Posted 25 June 2014 - 11:42 AM

Stargeneral

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts

did not get a log on the last run.


  • 0

#59
Biscuithd
Posted 25 June 2014 - 11:44 AM

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

No problem, can you do the custom scan. I should be able to tell from that.

 

Thanks!


  • 0

#60
Stargeneral
Posted 25 June 2014 - 12:04 PM

Stargeneral

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts

Error: Unable to interpret </md5start> in the current context!
Error: Unable to interpret <user32.*> in the current context!
Error: Unable to interpret <services.*> in the current context!
Error: Unable to interpret <explorer.exe> in the current context!
Error: Unable to interpret <winlogon.exe> in the current context!
Error: Unable to interpret <Userinit.exe> in the current context!
Error: Unable to interpret <svchost.exe> in the current context!
Error: Unable to interpret <qmgr.dll> in the current context!
Error: Unable to interpret <mpsvc.dll> in the current context!
Error: Unable to interpret <winsock.*> in the current context!
Error: Unable to interpret <rpcss.dll> in the current context!
Error: Unable to interpret </md5stop> in the current context!

OTLPE by OldTimer - Version 3.1.48.0 log created on 06252014_165107


  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP