Moneypak Ransomware virus

T

thelongshot

New Member
Thread author
May 12, 2013
11
I couldn't run OTL in regular mode. I'll run it in safe mode when I get a chance.
 

Attachments

  • aswMBR.txt
    2.2 KB · Views: 92
Fiery

Fiery

Level 1
Jan 11, 2011
2,007
Hi thelongshot and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assure that ALL the tools we use are safe, the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

<hr>
Download Farbar Recovery Scan Tool from the below link:
<ul><li>For 64 bit systems download <a title="External link" href="http://download.bleepingcomputer.com/farbar/FRST64.exe" rel="nofollow external"><>Farbar Recovery Scan Tool x64</></a> and save it to a USB/flash drive.</li>

<li>Plug the flashdrive into the infected PC.</li>

<li>Enter <>System Recovery Options</>.</li>

<>To enter System Recovery Options from the Advanced Boot Options:</>
<ul>
<li>Restart the computer.</li>
<li>As soon as the BIOS is loaded begin tapping the<> F8</> key until Advanced Boot Options appears.</li>
<li>Use the arrow keys to select the <>Repair your computer</> menu item.</li>
<li>Select <>US</> as the keyboard language settings, and then click <>Next</>.</li>
<li>Select the operating system you want to repair, and then click <>Next</>.</li>
<li>Select your user account an click <>Next</>.</li>
</ul>

<li>On the System Recovery Options menu you will get the following options:</span>
<pre>Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt</pre>
<ol>
<li>Select <>Command Prompt</></li>
<li>In the command window type in <>notepad</> and press <>Enter</>.</li>
<li>The notepad opens. Under File menu select <>Open</>.</li>
<li>Select "Computer" and find your flash drive letter and close the notepad.</li>
<li>In the command window type <><span style="color: #ff0000;">e</span>:\frst64</> and press <>Enter</>
<>Note:</><span style="color: #ff0000;"> Replace letter <>e</> with the drive letter of your flash drive.</span></li>
<li>The tool will start to run.</li>
<li>When the tool opens click <>Yes</> to disclaimer.</li>
<li>Press <>Scan</> button.</li>
<li><>FRST</> will let you know when the scan is complete and has written the <>FRST.txt</> to file, close the message.
<li>Type exit</li>
<li>Please copy and paste FRST.txt in your next reply</li></li>
</ol>
</ul>
 
Last edited by a moderator:
T

thelongshot

New Member
Thread author
May 12, 2013
11
Ok, "Repair Your Computer" isn't an option in Advanced Boot Options, so I went with "Safe Mode With Command Line" instead.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-05-2013
Ran by jason.birzer (administrator) on 12-05-2013 23:35:04
Running from H:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Safe Mode (minimal)
==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
(Microsoft Corporation) C:\Windows\system32\cmd.exe
(Farbar) H:\FRST64.exe

==================== Registry (Whitelisted) ==================

MountPoints2: F - F:\.\Bin\ASSETUP.exe
HKLM-x32\...\Run: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [3825176 2012-11-13] (Safer-Networking Ltd.)
HKU\adm\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\adm\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-05-18] (Hewlett-Packard Company)
HKU\Administrator\...\Run: [Steam] "c:\program files (x86)\steam\steam.exe" -silent [1635752 2013-05-03] (Valve Corporation)
HKU\Administrator\...\Run: [TivoServer] C:\Program Files (x86)\TiVo\Desktop\TiVoServer.exe /service /registry /auto:TivoServer [2264336 2010-08-24] (TiVo Inc.)
HKU\Administrator\...\Run: [TivoTransfer] C:\Program Files (x86)\TiVo\Desktop\TiVoTransfer.exe [608528 2010-08-24] (TiVo Inc.)
HKU\Administrator\...\Run: [TivoNotify] C:\Program Files (x86)\TiVo\Desktop\TiVoNotify.exe /service /registry /auto:TivoNotify [437520 2010-08-24] (TiVo Inc.)
HKU\Administrator\...\Run: [TranscodingService] C:\Program Files (x86)\TiVo\Desktop\Plus\\TranscodingService.exe [856336 2010-08-24] (TiVo Inc.)
HKU\Administrator\...\Run: [F.lux] "C:\Users\jason.birzer\Local Settings\Apps\F.lux\flux.exe" /noshow [x]
HKU\Administrator\...\Run: [AnyDVD] C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVDtray.exe [6377120 2012-09-20] (SlySoft, Inc.)
HKU\Administrator\...\Run: [Desura] C:\Program Files (x86)\Desura\desura.exe -autostart [2529096 2012-03-24] (Desura Pty Ltd)
HKU\Administrator\...\Run: [Akamai NetSession Interface] "C:\Users\jason.birzer\AppData\Local\Akamai\netsession_win.exe" [4441920 2012-10-09] (Akamai Technologies, Inc.)
HKU\bogus\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\bogus\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-05-18] (Hewlett-Packard Company)
HKU\Classic .NET AppPool\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\DefaultAppPool\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\UpdatusUser\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
HKLM SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
SearchScopes: HKLM - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
HKLM-x32 SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
HKCU SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
SearchScopes: HKCU - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = http://search.avg.com/route/?d=4b3d2cf0&i=23&tp=chrome&q={searchTerms}&lng={language}&ychte=us&nt=1
BHO-x32: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Qwiklinx - {3E7C8B5A-96AB-438F-BF9B-782400655440} - C:\Users\jason.birzer\AppData\Roaming\Qwiklinx\Qwiklinx.dll (Qwiklinx, Inc.)
BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: CIESpeechBHO Class - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll (Atheros Commnucations)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
PDF: HKLM-x32 {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
PDF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
PDF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Winsock: Catalog5 07 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [20992] (Microsoft Corporation)
Winsock: Catalog5-x64 07 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\jason.birzer\AppData\Roaming\Mozilla\Firefox\Profiles\8nmd9h63.default
FF Homepage: hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
FF SelectedSearchEngine: Search
FF Plugin: @adobe.com/FlashPlayer - C:\windows\system32\Macromed\Flash\NPSWF64_11_7_700_169.dll ()
FF Plugin: @microsoft.com/GENUINE - C:\windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_169.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.17.2 - C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.17.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @mcafee.com/McAfeeMssPlugin - C:\Program Files (x86)\McAfee Security Scan\3.0.318\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE - C:\windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @nosltd.com/getPlus+(R),version=1.6.2.103 - C:\Program Files (x86)\NOS\bin\np_gp.dll No File
FF Plugin-x32: @playstation.com/PsndlCheck,version=1.00 - C:\Program Files (x86)\Sony\PLAYSTATION Network Downloader\nppsndl.dll (Sony Computer Entertainment Inc.)
FF Plugin-x32: @SonyCreativeSoftware.com/Media Go,version=1.0 - C:\Program Files (x86)\Sony\Media Go\npmediago.dll (Sony Network Entertainment International LLC)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: No Name - C:\Users\jason.birzer\AppData\Roaming\Mozilla\Firefox\Profiles\8nmd9h63.default\Extensions\staged

==================== Services (Whitelisted) =================

S3 Droppix Service; C:\Program Files (x86)\Common Files\Droppix\DxService.exe [221184 2009-08-28] (Droppix)
S2 hasplms; C:\Windows\system32\hasplms.exe [4180576 2010-09-27] (SafeNet Inc.)
S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
S3 Media Center 16 Service; C:\Program Files (x86)\J River\Media Center 16\JRService.exe [384136 2011-10-18] (J. River, Inc.)
S2 MsDepSvc; C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe [67400 2011-04-01] (Microsoft Corporation)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [12784 2011-04-27] (Microsoft Corporation)
S2 MSSQL$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [57617752 2009-03-30] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [288272 2011-04-27] (Microsoft Corporation)
S2 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [301760 2012-12-10] ()
S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1103392 2012-11-13] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1369624 2012-11-13] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [168384 2012-11-13] (Safer-Networking Ltd.)
S2 SpyHunter 4 Service; C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1024384 2013-01-14] (Enigma Software Group USA, LLC.)
S4 SQLAgent$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [427880 2009-03-30] (Microsoft Corporation)
S2 TivoBeacon2; C:\Program Files (x86)\TiVo\Desktop\TiVoBeacon.exe [1104656 2010-08-24] (TiVo Inc.)
S3 nosGetPlusHelper; C:\Program Files (x86)\NOS\bin\getPlus_Helper_3004.dll [x]
S3 SymSnapService; "C:\Program Files (x86)\Norton Ghost\Shared\Drivers\SymSnapServicex64.exe" [x]

==================== Drivers (Whitelisted) ====================

R3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [138400 2012-08-26] (SlySoft, Inc.)
S1 archlp; C:\Windows\System32\drivers\archlp.sys [136192 2010-07-07] ()
S3 dgderdrv; C:\Windows\SysWow64\drivers\dgderdrv.sys [20032 2011-05-08] (Devguru Co., Ltd)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2012-06-22] ()
S3 GenericMount; C:\Windows\System32\DRIVERS\GenericMount.sys [66608 2010-02-12] (Symantec Corporation)
S1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [189440 2011-04-18] (Microsoft Corporation)
S3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-29] ()
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [84864 2011-04-27] (Microsoft Corporation)
S3 pwdrvio; C:\windows\system32\pwdrvio.sys [19032 2013-01-11] ()
S3 pwdspio; C:\windows\system32\pwdspio.sys [12384 2013-01-11] ()
S3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()
S3 ADIHdAudAddService; system32\drivers\ADIHdAud.sys [x]
S2 Aspi32; System32\drivers\aspi32.sys [x]
S3 cpuz135; \??\C:\Windows\TEMP\cpuz135\cpuz135_x64.sys [x]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
S1 ElbyCDIO; System32\Drivers\ElbyCDIO.sys [x]
S3 pccsmcfd; system32\DRIVERS\pccsmcfdx64.sys [x]
S3 X6va005; \??\C:\Users\JASON~1.BIR\AppData\Local\Temp\005F834.tmp [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-12 23:35 - 2013-05-12 23:35 - 00000000 ____D C:\FRST
2013-05-12 09:36 - 2013-05-12 09:36 - 00000000 ____D C:\Users\adm\AppData\Local\Apple
2013-05-12 01:57 - 2013-05-12 23:28 - 00000000 ____D C:\Users\adm\AppData\Local\TSVNCache
2013-05-12 01:57 - 2013-05-12 01:57 - 00000000 ____D C:\Users\adm\AppData\Roaming\Subversion
2013-05-11 23:45 - 2013-05-11 23:45 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Malwarebytes
2013-05-11 23:43 - 2013-05-11 23:43 - 00000020 ___SH C:\Users\adm\ntuser.ini
2013-05-11 23:43 - 2013-05-11 23:43 - 00000000 ____D C:\users\adm
2013-05-11 23:43 - 2010-01-25 02:24 - 00000000 ____D C:\Users\adm\AppData\Roaming\Macromedia
2013-05-11 23:13 - 2013-05-12 01:56 - 00000000 ____D C:\Users\bogus\AppData\Local\TSVNCache
2013-05-11 23:13 - 2013-05-11 23:13 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Subversion
2013-05-11 23:12 - 2013-05-11 23:30 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\NPE
2013-05-11 23:12 - 2013-05-11 23:12 - 00000000 ____D C:\ProgramData\Norton
2013-05-11 23:02 - 2013-05-12 23:31 - 00000336 ____A C:\Windows\setupact.log
2013-05-11 23:02 - 2013-05-11 23:02 - 00000020 ___SH C:\Users\bogus\ntuser.ini
2013-05-11 23:02 - 2013-05-11 23:02 - 00000000 ____D C:\users\bogus
2013-05-11 23:02 - 2010-01-25 02:24 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Macromedia
2013-05-11 23:01 - 2013-05-11 23:01 - 00000318 ____A C:\Windows\wininit.ini
2013-05-11 22:47 - 2013-05-11 23:02 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-05-11 22:46 - 2013-05-11 22:46 - 00002137 ____A C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2013-05-11 22:46 - 2013-05-11 22:46 - 00000632 ____A C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job
2013-05-11 22:46 - 2013-05-11 22:46 - 00000628 ____A C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
2013-05-11 22:46 - 2013-05-11 22:46 - 00000458 ____A C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job
2013-05-11 22:46 - 2013-05-11 22:46 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-05-11 22:46 - 2009-01-25 12:14 - 00017272 ____A (Safer Networking Limited) C:\Windows\System32\sdnclean64.exe
2013-05-11 15:39 - 2013-05-11 15:39 - 00002272 ____A C:\Users\jason.birzer\Desktop\SpyHunter.lnk
2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\Windows\22B3AE667A374118BADB3680C15CA366.TMP
2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\sh4ldr
2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\Program Files\Enigma Software Group
2013-05-11 15:39 - 2012-06-22 11:01 - 00022704 ____A C:\Windows\System32\Drivers\EsgScanner.sys
2013-05-11 12:59 - 2013-05-11 12:59 - 00003078 ____A C:\Users\jason.birzer\Desktop\Rkill.txt
2013-05-11 12:59 - 2013-05-11 12:59 - 00000000 ____D C:\Users\jason.birzer\Desktop\rkill
2013-05-11 12:12 - 2013-05-11 12:44 - 00000000 ____D C:\ProgramData\HitmanPro
2013-05-11 11:57 - 2013-05-11 11:57 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\Users\jason.birzer\AppData\Roaming\Malwarebytes
2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-11 11:57 - 2013-04-04 14:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-05-11 01:16 - 2013-05-11 01:16 - 00000000 ___HD C:\Users\Public\Documents\Report
2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Users\jason.birzer\AppData\Roaming\Greenshot
2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\Greenshot
2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Program Files\Greenshot
2013-04-27 01:33 - 2013-04-27 01:33 - 00002127 ____A C:\Users\Public\Desktop\Venetica.lnk
2013-04-27 01:21 - 2013-04-27 01:33 - 00000000 ____D C:\Program Files (x86)\Venetica
2013-04-25 09:53 - 2013-05-02 10:13 - 00002010 ____A C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2013-04-25 09:53 - 2013-05-02 10:13 - 00000000 ____D C:\Program Files (x86)\McAfee Security Scan
2013-04-25 09:53 - 2013-04-25 09:53 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2013-04-24 05:18 - 2013-04-12 10:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-19 16:54 - 2013-04-19 16:54 - 03867442 ____A C:\Users\jason.birzer\Desktop\Mycomputer.nfo
2013-04-19 16:52 - 2013-04-19 16:52 - 00036538 ____A C:\Users\jason.birzer\Desktop\DxDiag.txt

==================== One Month Modified Files and Folders =======

2013-05-12 23:35 - 2013-05-12 23:35 - 00000000 ____D C:\FRST
2013-05-12 23:31 - 2013-05-11 23:02 - 00000336 ____A C:\Windows\setupact.log
2013-05-12 23:31 - 2009-07-14 01:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-12 23:30 - 2010-01-25 03:35 - 00523388 ____A C:\Windows\PFRO.log
2013-05-12 23:28 - 2013-05-12 01:57 - 00000000 ____D C:\Users\adm\AppData\Local\TSVNCache
2013-05-12 23:28 - 2012-10-14 17:07 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\TSVNCache
2013-05-12 23:28 - 2010-01-24 14:19 - 01153146 ____A C:\Windows\WindowsUpdate.log
2013-05-12 23:28 - 2009-07-14 01:13 - 00957134 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-12 23:28 - 2009-07-14 00:45 - 00013456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-12 23:28 - 2009-07-14 00:45 - 00013456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-12 22:51 - 2012-04-01 21:13 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-12 22:43 - 2012-06-20 00:23 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\CrashDumps
2013-05-12 09:36 - 2013-05-12 09:36 - 00000000 ____D C:\Users\adm\AppData\Local\Apple
2013-05-12 02:36 - 2010-02-02 02:08 - 00000000 ____D C:\ProgramData\Zoom Player
2013-05-12 01:57 - 2013-05-12 01:57 - 00000000 ____D C:\Users\adm\AppData\Roaming\Subversion
2013-05-12 01:56 - 2013-05-11 23:13 - 00000000 ____D C:\Users\bogus\AppData\Local\TSVNCache
2013-05-11 23:45 - 2013-05-11 23:45 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Malwarebytes
2013-05-11 23:43 - 2013-05-11 23:43 - 00000020 ___SH C:\Users\adm\ntuser.ini
2013-05-11 23:43 - 2013-05-11 23:43 - 00000000 ____D C:\users\adm
2013-05-11 23:30 - 2013-05-11 23:12 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\NPE
2013-05-11 23:13 - 2013-05-11 23:13 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Subversion
2013-05-11 23:12 - 2013-05-11 23:12 - 00000000 ____D C:\ProgramData\Norton
2013-05-11 23:02 - 2013-05-11 23:02 - 00000020 ___SH C:\Users\bogus\ntuser.ini
2013-05-11 23:02 - 2013-05-11 23:02 - 00000000 ____D C:\users\bogus
2013-05-11 23:02 - 2013-05-11 22:47 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-05-11 23:01 - 2013-05-11 23:01 - 00000318 ____A C:\Windows\wininit.ini
2013-05-11 22:46 - 2013-05-11 22:46 - 00002137 ____A C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2013-05-11 22:46 - 2013-05-11 22:46 - 00000632 ____A C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job
2013-05-11 22:46 - 2013-05-11 22:46 - 00000628 ____A C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
2013-05-11 22:46 - 2013-05-11 22:46 - 00000458 ____A C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job
2013-05-11 22:46 - 2013-05-11 22:46 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-05-11 15:39 - 2013-05-11 15:39 - 00002272 ____A C:\Users\jason.birzer\Desktop\SpyHunter.lnk
2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\Windows\22B3AE667A374118BADB3680C15CA366.TMP
2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\sh4ldr
2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\Program Files\Enigma Software Group
2013-05-11 12:59 - 2013-05-11 12:59 - 00003078 ____A C:\Users\jason.birzer\Desktop\Rkill.txt
2013-05-11 12:59 - 2013-05-11 12:59 - 00000000 ____D C:\Users\jason.birzer\Desktop\rkill
2013-05-11 12:44 - 2013-05-11 12:12 - 00000000 ____D C:\ProgramData\HitmanPro
2013-05-11 12:35 - 2011-02-13 19:04 - 00016384 __ASH C:\Users\jason.birzer\Thumbs.db
2013-05-11 11:57 - 2013-05-11 11:57 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\Users\jason.birzer\AppData\Roaming\Malwarebytes
2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-11 11:48 - 2011-06-13 00:03 - 00000000 ____D C:\Windows\pss
2013-05-11 01:16 - 2013-05-11 01:16 - 00000000 ___HD C:\Users\Public\Documents\Report
2013-05-09 20:36 - 2010-01-25 10:44 - 00000000 ____D C:\Program Files (x86)\Steam
2013-05-08 19:10 - 2010-08-29 23:20 - 00107971 ____A C:\Windows\cdplayer.ini
2013-05-07 00:00 - 2010-02-02 02:19 - 00000410 ____A C:\Windows\Tasks\updater.exe.job
2013-05-03 00:51 - 2012-04-26 02:08 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-05-02 11:29 - 2010-01-24 14:33 - 00278800 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-05-02 10:13 - 2013-04-25 09:53 - 00002010 ____A C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2013-05-02 10:13 - 2013-04-25 09:53 - 00000000 ____D C:\Program Files (x86)\McAfee Security Scan
2013-04-30 17:10 - 2011-05-01 10:59 - 00000000 ____D C:\Program Files (x86)\Luxor
2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Users\jason.birzer\AppData\Roaming\Greenshot
2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\Greenshot
2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Program Files\Greenshot
2013-04-30 01:39 - 2012-03-18 01:35 - 00000000 ____D C:\Program Files (x86)\Screenshot Pilot
2013-04-27 01:33 - 2013-04-27 01:33 - 00002127 ____A C:\Users\Public\Desktop\Venetica.lnk
2013-04-27 01:33 - 2013-04-27 01:21 - 00000000 ____D C:\Program Files (x86)\Venetica
2013-04-25 09:53 - 2013-04-25 09:53 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2013-04-25 09:53 - 2012-04-01 21:10 - 00691592 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-04-25 09:53 - 2011-07-06 20:28 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-04-25 09:53 - 2010-01-25 02:25 - 00000000 ____D C:\ProgramData\Adobe
2013-04-25 09:51 - 2013-04-11 23:16 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-04-19 16:54 - 2013-04-19 16:54 - 03867442 ____A C:\Users\jason.birzer\Desktop\Mycomputer.nfo
2013-04-19 16:52 - 2013-04-19 16:52 - 00036538 ____A C:\Users\jason.birzer\Desktop\DxDiag.txt
2013-04-18 14:10 - 2011-10-22 23:41 - 00000000 ____D C:\Program Files (x86)\Origin
2013-04-12 10:45 - 2013-04-24 05:18 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

Other Malware:
===========
C:\ProgramData\hash.dat

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll
[2011-04-02 16:51] - [2012-10-04 12:47] - 0869376 ____A (Microsoft Corporation) 47F6DD86DDCAD50F2DC1E3652728F01E

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


Last Boot: 2013-05-04 00:23

==================== End Of Log ============================
 
Fiery

Fiery

Level 1
Jan 11, 2011
2,007
Hi,
Open notepad and copy & paste the following:

BHO-x32: Qwiklinx - {3E7C8B5A-96AB-438F-BF9B-782400655440} - C:\Users\jason.birzer\AppData\Roaming\Qwiklinx\Qwiklinx.dll (Qwiklinx, Inc.)
C:\Users\jason.birzer\AppData\Roaming\Qwiklinx
FF Homepage: hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFt​CtFtCtFtAtCtB&cr=593045297
FF SelectedSearchEngine: Search
S3 X6va005; \??\C:\Users\JASON~1.BIR\AppData\Local\Temp\005F834.tmp [x]
C:\Users\JASON~1.BIR\AppData\Local\Temp\005F834.tmp
2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\Windows\22B3AE667A374118BADB3680C15CA366.TMP
C:\ProgramData\hash.dat
Click to expand...

and save it as fixlist.txt onto your flash drive.

Then, boot to safe mode, plug in your flash drive, open FRST and click fix. Post the generated log.

Next,
  • Double click the RKill desktop icon.
  • It will quickly run. If it does not run, try another download link from above.
<img title="RKILL Command prompt" src="http://malwaretips.com/images/removalguide/rkill2.png" alt="[Image: run-rkill-2.png]" width="507" height="256" border="0" />
  • When Rkill has completed its task, it will <>generate a log</>. You can then <>proceed with the rest of the guide</>.

<img title="RKILL LOG" src="http://malwaretips.com/images/removalguide/rkill3.png" alt="[Image: XP Defender 2013 rkill3.jpg]" width="414" height="187" border="0" /></li>
</ol><br>
<br><>WARNING: Do not reboot your computer after running RKill as the malware process will start again , preventing you from properly performing the next step.</>

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool(For Vista or Windows 7, right-click and select Run as Administrator to start)
  • Click delete
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt

Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select Run as Administrator to start
  • Wait until Prescan has finished, then click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click delete and wait until it saids deleting finished
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
    Exit/Close RogueKiller+

Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)
 
Last edited by a moderator:
T

thelongshot

New Member
Thread author
May 12, 2013
11
Ok, no change with any of these tools. Attaching requested logs.
 

Attachments

  • AdwCleaner[S1].txt
    13.9 KB · Views: 78
  • Rkill.txt
    2.8 KB · Views: 83
  • RKreport[1]_S_05132013_02d0012.txt
    2.5 KB · Views: 117
  • RKreport[2]_D_05132013_02d0012.txt
    2.4 KB · Views: 138
  • mbar-log-2013-05-13 (00-18-59).txt
    1.9 KB · Views: 92
  • system-log.txt
    26.9 KB · Views: 93
Fiery

Fiery

Level 1
Jan 11, 2011
2,007
Did you run the FRST fix? If so, run a scan with OTL in safe mode.

Download OTL by Old Timer from here and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Click the Scan All Users checkbox.
  • Check the boxes beside LOP Check and Purity Check
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please attach the contents of these 2 Notepad files in your next reply.
 
T

thelongshot

New Member
Thread author
May 12, 2013
11
Fiery said:
Did you run the FRST fix? If so, run a scan with OTL in safe mode.
Click to expand...

Sorry, I did run it, but I couldn't figure out which was the log file last night. Did figure it out today, tho, and attached it.

Couldn't run OTL. It crashed with an error: Exception EOleSysError in module OTL.exe at 00584A5. Class not registered.
 

Attachments

  • Fixlog.txt
    929 bytes · Views: 69
Fiery

Fiery

Level 1
Jan 11, 2011
2,007
Please download ComboFix from one of these locations:

<a title="External link" href="http://download.bleepingcomputer.com/sUBs/ComboFix.exe" rel="external"><>Link 1</></a>
<a title="External link" href="http://www.infospyware.net/antimalware/combofix/" rel="external"><>Link 2</></a>
<ul>
<li>Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See <a title="External link" href="http://www.bleepingcomputer.com/forums/topic114351.html" rel="external">HERE</a> for help</li>
<li>Double click on Combo-Fix & follow the prompts.</li>
</ul>

When finished, ComboFix will produce a log.

<>Note:</>
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
 
Last edited by a moderator:
Fiery

Fiery

Level 1
Jan 11, 2011
2,007
Did the window pop up and then closed itself?

Download TDSSkiller from here
  • Double-Click on TDSSKiller.exe to run the application
  • click Start scan .
  • If a suspicious object is detected, the default action will be Skip, click on Continue. (If it saids TDL4/TDSS file system, select delete)
  • If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log after (usually C:\ folder in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt
 
T

thelongshot

New Member
Thread author
May 12, 2013
11
No, the popup stayed up, not letting me see any results.

TDSSKiller didn't seem to find anything. Here's the log.
 

Attachments

  • TDSSKiller.2.8.16.0_13.05.2013_15.25.04_log.txt
    146.6 KB · Views: 66
Fiery

Fiery

Level 1
Jan 11, 2011
2,007
Can you give me an update on your PC? Is the moneypak ransomeware still there or just the white screen?
 
T

thelongshot

New Member
Thread author
May 12, 2013
11
Here it is:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-05-2013
Ran by jason.birzer (administrator) on 13-05-2013 17:26:37
Running from H:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Safe Mode (minimal)
==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
(Microsoft Corporation) C:\windows\system32\cmd.exe
(Farbar) H:\FRST64.exe

==================== Registry (Whitelisted) ==================

HKLM-x32\...\Run: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [3825176 2012-11-13] (Safer-Networking Ltd.)
HKU\adm\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\adm\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-05-18] (Hewlett-Packard Company)
HKU\Administrator\...\Run: [Steam] "c:\program files (x86)\steam\steam.exe" -silent [1635752 2013-05-03] (Valve Corporation)
HKU\Administrator\...\Run: [TivoServer] C:\Program Files (x86)\TiVo\Desktop\TiVoServer.exe /service /registry /auto:TivoServer [2264336 2010-08-24] (TiVo Inc.)
HKU\Administrator\...\Run: [TivoTransfer] C:\Program Files (x86)\TiVo\Desktop\TiVoTransfer.exe [608528 2010-08-24] (TiVo Inc.)
HKU\Administrator\...\Run: [TivoNotify] C:\Program Files (x86)\TiVo\Desktop\TiVoNotify.exe /service /registry /auto:TivoNotify [437520 2010-08-24] (TiVo Inc.)
HKU\Administrator\...\Run: [TranscodingService] C:\Program Files (x86)\TiVo\Desktop\Plus\\TranscodingService.exe [856336 2010-08-24] (TiVo Inc.)
HKU\Administrator\...\Run: [F.lux] "C:\Users\jason.birzer\Local Settings\Apps\F.lux\flux.exe" /noshow [x]
HKU\Administrator\...\Run: [AnyDVD] C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVDtray.exe [6377120 2012-09-20] (SlySoft, Inc.)
HKU\Administrator\...\Run: [Desura] C:\Program Files (x86)\Desura\desura.exe -autostart [2529096 2012-03-24] (Desura Pty Ltd)
HKU\Administrator\...\Run: [Akamai NetSession Interface] "C:\Users\jason.birzer\AppData\Local\Akamai\netsession_win.exe" [4441920 2012-10-09] (Akamai Technologies, Inc.)
HKU\bogus\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\bogus\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-05-18] (Hewlett-Packard Company)
HKU\Classic .NET AppPool\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\DefaultAppPool\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\UpdatusUser\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
SearchScopes: HKLM - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
SearchScopes: HKCU - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = http://search.avg.com/route/?d=4b3d2cf0&i=23&tp=chrome&q={searchTerms}&lng={language}&ychte=us&nt=1
BHO-x32: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: CIESpeechBHO Class - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll (Atheros Commnucations)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
PDF: HKLM-x32 {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
PDF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
PDF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Winsock: Catalog5 07 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [20992] (Microsoft Corporation)
Winsock: Catalog5-x64 07 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\jason.birzer\AppData\Roaming\Mozilla\Firefox\Profiles\8nmd9h63.default
FF Plugin: @adobe.com/FlashPlayer - C:\windows\system32\Macromed\Flash\NPSWF64_11_7_700_169.dll ()
FF Plugin: @microsoft.com/GENUINE - C:\windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_169.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.17.2 - C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.17.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @mcafee.com/McAfeeMssPlugin - C:\Program Files (x86)\McAfee Security Scan\3.0.318\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE - C:\windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @nosltd.com/getPlus+(R),version=1.6.2.103 - C:\Program Files (x86)\NOS\bin\np_gp.dll No File
FF Plugin-x32: @playstation.com/PsndlCheck,version=1.00 - C:\Program Files (x86)\Sony\PLAYSTATION Network Downloader\nppsndl.dll (Sony Computer Entertainment Inc.)
FF Plugin-x32: @SonyCreativeSoftware.com/Media Go,version=1.0 - C:\Program Files (x86)\Sony\Media Go\npmediago.dll (Sony Network Entertainment International LLC)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

==================== Services (Whitelisted) =================

S3 Droppix Service; C:\Program Files (x86)\Common Files\Droppix\DxService.exe [221184 2009-08-28] (Droppix)
S2 hasplms; C:\Windows\system32\hasplms.exe [4180576 2010-09-27] (SafeNet Inc.)
S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
S3 Media Center 16 Service; C:\Program Files (x86)\J River\Media Center 16\JRService.exe [384136 2011-10-18] (J. River, Inc.)
S2 MsDepSvc; C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe [67400 2011-04-01] (Microsoft Corporation)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [12784 2011-04-27] (Microsoft Corporation)
S2 MSSQL$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [57617752 2009-03-30] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [288272 2011-04-27] (Microsoft Corporation)
S2 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [301760 2012-12-10] ()
S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1103392 2012-11-13] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1369624 2012-11-13] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [168384 2012-11-13] (Safer-Networking Ltd.)
S2 SpyHunter 4 Service; C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1024384 2013-01-14] (Enigma Software Group USA, LLC.)
S4 SQLAgent$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [427880 2009-03-30] (Microsoft Corporation)
S2 TivoBeacon2; C:\Program Files (x86)\TiVo\Desktop\TiVoBeacon.exe [1104656 2010-08-24] (TiVo Inc.)
S3 nosGetPlusHelper; C:\Program Files (x86)\NOS\bin\getPlus_Helper_3004.dll [x]
S3 SymSnapService; "C:\Program Files (x86)\Norton Ghost\Shared\Drivers\SymSnapServicex64.exe" [x]

==================== Drivers (Whitelisted) ====================

R3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [138400 2012-08-26] (SlySoft, Inc.)
S1 archlp; C:\Windows\System32\drivers\archlp.sys [136192 2010-07-07] ()
S3 dgderdrv; C:\Windows\SysWow64\drivers\dgderdrv.sys [20032 2011-05-08] (Devguru Co., Ltd)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2012-06-22] ()
S3 GenericMount; C:\Windows\System32\DRIVERS\GenericMount.sys [66608 2010-02-12] (Symantec Corporation)
S1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [189440 2011-04-18] (Microsoft Corporation)
S3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-29] ()
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [84864 2011-04-27] (Microsoft Corporation)
S3 pwdrvio; C:\windows\system32\pwdrvio.sys [19032 2013-01-11] ()
S3 pwdspio; C:\windows\system32\pwdspio.sys [12384 2013-01-11] ()
S3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()
S3 ADIHdAudAddService; system32\drivers\ADIHdAud.sys [x]
S2 Aspi32; System32\drivers\aspi32.sys [x]
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
S3 cpuz135; \??\C:\Windows\TEMP\cpuz135\cpuz135_x64.sys [x]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
S1 ElbyCDIO; System32\Drivers\ElbyCDIO.sys [x]
S3 pccsmcfd; system32\DRIVERS\pccsmcfdx64.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-13 13:56 - 2013-05-13 13:56 - 00017617 ____A C:\ComboFix.txt
2013-05-13 13:49 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
2013-05-13 13:49 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
2013-05-13 13:49 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2013-05-13 13:49 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2013-05-13 13:49 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2013-05-13 13:49 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
2013-05-13 13:49 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
2013-05-13 13:49 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
2013-05-13 13:46 - 2013-05-13 13:56 - 00000000 ___AD C:\Qoobox
2013-05-13 13:46 - 2013-05-13 13:55 - 00000000 ____D C:\Windows\erdnt
2013-05-13 00:12 - 2013-05-13 00:12 - 00002577 ____A C:\Users\jason.birzer\Desktop\RKreport[1]_S_05132013_02d0012.txt
2013-05-13 00:12 - 2013-05-13 00:12 - 00002460 ____A C:\Users\jason.birzer\Desktop\RKreport[2]_D_05132013_02d0012.txt
2013-05-13 00:12 - 2013-05-13 00:12 - 00000000 ____D C:\Users\jason.birzer\Desktop\RK_Quarantine
2013-05-13 00:08 - 2013-05-13 00:08 - 00014236 ____A C:\AdwCleaner[S1].txt
2013-05-13 00:07 - 2013-05-13 00:01 - 00816128 ____A C:\Users\jason.birzer\Desktop\RogueKiller.exe
2013-05-13 00:07 - 2013-05-13 00:00 - 00628743 ____A C:\Users\jason.birzer\Desktop\AdwCleaner.exe
2013-05-13 00:06 - 2013-05-12 23:55 - 01752992 ____A (Bleeping Computer, LLC) C:\Users\jason.birzer\Desktop\rkill.com
2013-05-12 23:35 - 2013-05-12 23:35 - 00000000 ____D C:\FRST
2013-05-12 09:36 - 2013-05-12 09:36 - 00000000 ____D C:\Users\adm\AppData\Local\Apple
2013-05-12 01:57 - 2013-05-12 23:28 - 00000000 ____D C:\Users\adm\AppData\Local\TSVNCache
2013-05-12 01:57 - 2013-05-12 01:57 - 00000000 ____D C:\Users\adm\AppData\Roaming\Subversion
2013-05-11 23:45 - 2013-05-11 23:45 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Malwarebytes
2013-05-11 23:43 - 2013-05-11 23:43 - 00000020 ___SH C:\Users\adm\ntuser.ini
2013-05-11 23:43 - 2013-05-11 23:43 - 00000000 ____D C:\users\adm
2013-05-11 23:43 - 2010-01-25 02:24 - 00000000 ____D C:\Users\adm\AppData\Roaming\Macromedia
2013-05-11 23:13 - 2013-05-13 17:24 - 00000000 ____D C:\Users\bogus\AppData\Local\TSVNCache
2013-05-11 23:13 - 2013-05-11 23:13 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Subversion
2013-05-11 23:12 - 2013-05-11 23:30 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\NPE
2013-05-11 23:12 - 2013-05-11 23:12 - 00000000 ____D C:\ProgramData\Norton
2013-05-11 23:02 - 2013-05-13 14:41 - 00000784 ____A C:\Windows\setupact.log
2013-05-11 23:02 - 2013-05-11 23:02 - 00000020 ___SH C:\Users\bogus\ntuser.ini
2013-05-11 23:02 - 2013-05-11 23:02 - 00000000 ____D C:\users\bogus
2013-05-11 23:02 - 2010-01-25 02:24 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Macromedia
2013-05-11 22:47 - 2013-05-11 23:02 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-05-11 22:46 - 2013-05-11 22:46 - 00002137 ____A C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2013-05-11 22:46 - 2013-05-11 22:46 - 00000632 ____A C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job
2013-05-11 22:46 - 2013-05-11 22:46 - 00000628 ____A C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
2013-05-11 22:46 - 2013-05-11 22:46 - 00000458 ____A C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job
2013-05-11 22:46 - 2013-05-11 22:46 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-05-11 22:46 - 2009-01-25 12:14 - 00017272 ____A (Safer Networking Limited) C:\Windows\System32\sdnclean64.exe
2013-05-11 15:39 - 2013-05-11 15:39 - 00002272 ____A C:\Users\jason.birzer\Desktop\SpyHunter.lnk
2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\sh4ldr
2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\Program Files\Enigma Software Group
2013-05-11 15:39 - 2012-06-22 11:01 - 00022704 ____A C:\Windows\System32\Drivers\EsgScanner.sys
2013-05-11 12:59 - 2013-05-11 12:59 - 00000000 ____D C:\Users\jason.birzer\Desktop\rkill
2013-05-11 12:12 - 2013-05-11 12:44 - 00000000 ____D C:\ProgramData\HitmanPro
2013-05-11 11:57 - 2013-05-11 11:57 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\Users\jason.birzer\AppData\Roaming\Malwarebytes
2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-11 11:57 - 2013-04-04 14:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-05-11 01:16 - 2013-05-11 01:16 - 00000000 ___HD C:\Users\Public\Documents\Report
2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Users\jason.birzer\AppData\Roaming\Greenshot
2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\Greenshot
2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Program Files\Greenshot
2013-04-27 01:33 - 2013-04-27 01:33 - 00002127 ____A C:\Users\Public\Desktop\Venetica.lnk
2013-04-27 01:21 - 2013-04-27 01:33 - 00000000 ____D C:\Program Files (x86)\Venetica
2013-04-25 09:53 - 2013-05-02 10:13 - 00002010 ____A C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2013-04-25 09:53 - 2013-05-02 10:13 - 00000000 ____D C:\Program Files (x86)\McAfee Security Scan
2013-04-25 09:53 - 2013-04-25 09:53 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2013-04-24 05:18 - 2013-04-12 10:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-19 16:54 - 2013-04-19 16:54 - 03867442 ____A C:\Users\jason.birzer\Desktop\Mycomputer.nfo
2013-04-19 16:52 - 2013-04-19 16:52 - 00036538 ____A C:\Users\jason.birzer\Desktop\DxDiag.txt

==================== One Month Modified Files and Folders =======

2013-05-13 17:24 - 2013-05-11 23:13 - 00000000 ____D C:\Users\bogus\AppData\Local\TSVNCache
2013-05-13 17:24 - 2012-10-14 17:07 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\TSVNCache
2013-05-13 17:24 - 2010-01-24 14:19 - 01318193 ____A C:\Windows\WindowsUpdate.log
2013-05-13 16:51 - 2012-04-01 21:13 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-13 15:43 - 2010-01-25 10:44 - 00000000 ____D C:\Program Files (x86)\Steam
2013-05-13 14:48 - 2009-07-14 00:45 - 00013456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-13 14:48 - 2009-07-14 00:45 - 00013456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-13 14:46 - 2009-07-14 01:13 - 00957134 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-13 14:41 - 2013-05-11 23:02 - 00000784 ____A C:\Windows\setupact.log
2013-05-13 14:41 - 2010-01-25 03:35 - 00523940 ____A C:\Windows\PFRO.log
2013-05-13 14:41 - 2009-07-14 01:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-13 13:56 - 2013-05-13 13:56 - 00017617 ____A C:\ComboFix.txt
2013-05-13 13:56 - 2013-05-13 13:46 - 00000000 ___AD C:\Qoobox
2013-05-13 13:55 - 2013-05-13 13:46 - 00000000 ____D C:\Windows\erdnt
2013-05-13 13:54 - 2010-01-24 14:19 - 00000000 ____D C:\users\jason.birzer
2013-05-13 13:54 - 2009-07-13 22:34 - 00000215 ____A C:\Windows\system.ini
2013-05-13 13:14 - 2012-06-20 00:23 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\CrashDumps
2013-05-13 10:57 - 2010-02-02 02:08 - 00000000 ____D C:\ProgramData\Zoom Player
2013-05-13 00:12 - 2013-05-13 00:12 - 00002577 ____A C:\Users\jason.birzer\Desktop\RKreport[1]_S_05132013_02d0012.txt
2013-05-13 00:12 - 2013-05-13 00:12 - 00002460 ____A C:\Users\jason.birzer\Desktop\RKreport[2]_D_05132013_02d0012.txt
2013-05-13 00:12 - 2013-05-13 00:12 - 00000000 ____D C:\Users\jason.birzer\Desktop\RK_Quarantine
2013-05-13 00:08 - 2013-05-13 00:08 - 00014236 ____A C:\AdwCleaner[S1].txt
2013-05-13 00:01 - 2013-05-13 00:07 - 00816128 ____A C:\Users\jason.birzer\Desktop\RogueKiller.exe
2013-05-13 00:00 - 2013-05-13 00:07 - 00628743 ____A C:\Users\jason.birzer\Desktop\AdwCleaner.exe
2013-05-12 23:55 - 2013-05-13 00:06 - 01752992 ____A (Bleeping Computer, LLC) C:\Users\jason.birzer\Desktop\rkill.com
2013-05-12 23:35 - 2013-05-12 23:35 - 00000000 ____D C:\FRST
2013-05-12 23:28 - 2013-05-12 01:57 - 00000000 ____D C:\Users\adm\AppData\Local\TSVNCache
2013-05-12 09:36 - 2013-05-12 09:36 - 00000000 ____D C:\Users\adm\AppData\Local\Apple
2013-05-12 01:57 - 2013-05-12 01:57 - 00000000 ____D C:\Users\adm\AppData\Roaming\Subversion
2013-05-11 23:45 - 2013-05-11 23:45 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Malwarebytes
2013-05-11 23:43 - 2013-05-11 23:43 - 00000020 ___SH C:\Users\adm\ntuser.ini
2013-05-11 23:43 - 2013-05-11 23:43 - 00000000 ____D C:\users\adm
2013-05-11 23:30 - 2013-05-11 23:12 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\NPE
2013-05-11 23:13 - 2013-05-11 23:13 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Subversion
2013-05-11 23:12 - 2013-05-11 23:12 - 00000000 ____D C:\ProgramData\Norton
2013-05-11 23:02 - 2013-05-11 23:02 - 00000020 ___SH C:\Users\bogus\ntuser.ini
2013-05-11 23:02 - 2013-05-11 23:02 - 00000000 ____D C:\users\bogus
2013-05-11 23:02 - 2013-05-11 22:47 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-05-11 22:46 - 2013-05-11 22:46 - 00002137 ____A C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2013-05-11 22:46 - 2013-05-11 22:46 - 00000632 ____A C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job
2013-05-11 22:46 - 2013-05-11 22:46 - 00000628 ____A C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
2013-05-11 22:46 - 2013-05-11 22:46 - 00000458 ____A C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job
2013-05-11 22:46 - 2013-05-11 22:46 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-05-11 15:39 - 2013-05-11 15:39 - 00002272 ____A C:\Users\jason.birzer\Desktop\SpyHunter.lnk
2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\sh4ldr
2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\Program Files\Enigma Software Group
2013-05-11 12:59 - 2013-05-11 12:59 - 00000000 ____D C:\Users\jason.birzer\Desktop\rkill
2013-05-11 12:44 - 2013-05-11 12:12 - 00000000 ____D C:\ProgramData\HitmanPro
2013-05-11 12:35 - 2011-02-13 19:04 - 00016384 __ASH C:\Users\jason.birzer\Thumbs.db
2013-05-11 11:57 - 2013-05-11 11:57 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\Users\jason.birzer\AppData\Roaming\Malwarebytes
2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-11 11:48 - 2011-06-13 00:03 - 00000000 ____D C:\Windows\pss
2013-05-11 01:16 - 2013-05-11 01:16 - 00000000 ___HD C:\Users\Public\Documents\Report
2013-05-08 19:10 - 2010-08-29 23:20 - 00107971 ____A C:\Windows\cdplayer.ini
2013-05-07 00:00 - 2010-02-02 02:19 - 00000410 ____A C:\Windows\Tasks\updater.exe.job
2013-05-03 00:51 - 2012-04-26 02:08 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-05-02 11:29 - 2010-01-24 14:33 - 00278800 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-05-02 10:13 - 2013-04-25 09:53 - 00002010 ____A C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2013-05-02 10:13 - 2013-04-25 09:53 - 00000000 ____D C:\Program Files (x86)\McAfee Security Scan
2013-04-30 17:10 - 2011-05-01 10:59 - 00000000 ____D C:\Program Files (x86)\Luxor
2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Users\jason.birzer\AppData\Roaming\Greenshot
2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\Greenshot
2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Program Files\Greenshot
2013-04-30 01:39 - 2012-03-18 01:35 - 00000000 ____D C:\Program Files (x86)\Screenshot Pilot
2013-04-27 01:33 - 2013-04-27 01:33 - 00002127 ____A C:\Users\Public\Desktop\Venetica.lnk
2013-04-27 01:33 - 2013-04-27 01:21 - 00000000 ____D C:\Program Files (x86)\Venetica
2013-04-25 09:53 - 2013-04-25 09:53 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2013-04-25 09:53 - 2012-04-01 21:10 - 00691592 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-04-25 09:53 - 2011-07-06 20:28 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-04-25 09:53 - 2010-01-25 02:25 - 00000000 ____D C:\ProgramData\Adobe
2013-04-25 09:51 - 2013-04-11 23:16 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-04-19 16:54 - 2013-04-19 16:54 - 03867442 ____A C:\Users\jason.birzer\Desktop\Mycomputer.nfo
2013-04-19 16:52 - 2013-04-19 16:52 - 00036538 ____A C:\Users\jason.birzer\Desktop\DxDiag.txt
2013-04-18 14:10 - 2011-10-22 23:41 - 00000000 ____D C:\Program Files (x86)\Origin

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll
[2011-04-02 16:51] - [2012-10-04 12:47] - 0869376 ____A (Microsoft Corporation) 47F6DD86DDCAD50F2DC1E3652728F01E

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


Last Boot: 2013-05-04 00:23

==================== End Of Log ============================
 
Fiery

Fiery

Level 1
Jan 11, 2011
2,007
Open notepad and copy & paste the following:

SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=...=593045297
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=...=593045297
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=...=593045297
Click to expand...

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

Then in FRST, typle User32.dll in the search box and click search. Another log will appear, please post that one also.
 
Fiery

Fiery

Level 1
Jan 11, 2011
2,007
Open notepad and copy & paste the following:

Replace: C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll C:\Windows\SysWOW64\user32.dll
Click to expand...

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

Now see if you still have the white screen
 
T

thelongshot

New Member
Thread author
May 12, 2013
11
Fiery said:
Open notepad and copy & paste the following:

Replace: C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll C:\Windows\SysWOW64\user32.dll
Click to expand...

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

Now see if you still have the white screen
Click to expand...

Yeah, that seems to be it. White screen is gone, and I can access task manager now.

Let me know if there are other things I need to clean up.
 

Attachments

  • Fixlog.txt
    486 bytes · Views: 75
Fiery

Fiery

Level 1
Jan 11, 2011
2,007
Good :D

A few more steps before I say you are clean.

Please download Malwarebytes' Anti-Malware from here to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • When it prompts you to try their 30-day trail, click decline
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Run Eset NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to to right-click on the Internet Explorer icon and select Run as Administrator
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current antivirus software. You can usually do this with its Notfication Tray icon near the clock.
  • Make sure that the option "Remove found threats" is Un-checked, and the following Advance Settings are Checked
    • Scan unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
  • The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt


Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A notepad document should open automatically called checkup.txt.
  • Please post the contents of that document in your next reply. Please do not attach it!
 

Similar threads

M
    • Wow
    • Sad
  • Locked
I got infected with .boza ransomware
Replies
3
Views
732
Windows Malware Removal Help & Support
nasdaq
nasdaq
P
    • Like
    • Wow
Serious Discussion AVAST is letting this malware run even with Hard Mode enabled.
Replies
23
Views
1,766
Avast
Jengo
Jengo
L
  • Locked
Waiting for reply I have my first virus
Replies
1
Views
149
Windows Malware Removal Help & Support
nasdaq
nasdaq

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top