DOJ Ransom please help

jofuss3232

New Member
Thread author
May 6, 2013
7
Tried to download Hitman Pro, but I am using my wife's laptop, which is 64-bit, and mine is 32, so it won't let me download the 32-bit version. Is there any way around this, and is this why, when I start my laptop in USB and push number 1, it will not load Hitman Pro, because I have the 64-bit version and need the 32? I am guessing it is. Please help me figure out how to download the 32-bit version if this is the case.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi jofuss3232 and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe; the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

<hr>

Please print these instructions out so that you know what you are doing
  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Ensure that you have a blank CD in the drive
  • Double-click OTLPENet.exe; this will then open ImgBurn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note : as you are running from CD it is not exactly speedy
  • Insert the USB with FRST
  • Locate the flash drive with FRST and double-click it
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 

jofuss3232

New Member
Thread author
May 6, 2013
7
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 05-05-2013 02
Ran by SYSTEM on 06-05-2013 12:51:44
Running from E:\
Microsoft Windows XP (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery
The current controlset is ControlSet002
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg [x]
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe [2670592 2010-02-03] (Dell Inc.)
HKLM\...\Run: [OA015Mon] C:\WINDOWS\OA015Mon.exe [24576 2009-12-08] (Creative Technology Ltd.)
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [278528 2010-02-17] (Alps Electric Co., Ltd.)
HKLM\...\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe [158592 2010-01-14] (Wave Systems Corp.)
HKLM\...\Run: [DellControlPoint] "C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [657920 2009-11-02] (Dell Inc.)
HKLM\...\Run: [USCService] C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe [34232 2010-01-14] (Broadcom Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2010-06-19] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [248040 2010-02-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey [136512 2008-03-14] (McAfee, Inc.)
HKLM\...\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE [124240 2008-09-29] (McAfee, Inc.)
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2007-03-11] (Hewlett-Packard Co.)
HKLM\...\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide [2780432 2009-05-08] ()
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421160 2011-04-14] (Apple Inc.)
HKLM\...\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe [495708 2010-05-19] (IDT, Inc.)
HKLM\...\Run: [DisplaySwitch] "C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe" [137728 2013-05-03] (Hilgraeve, Inc.)
HKLM\...\Run: [ADBlocker] C:\Program Files\Anvisoft\Anvi Smart Defender\toolbox\adblocker\ADBlockerTray.exe -tray [979816 2012-12-21] ()
HKLM\...\Run: [Anvi Smart Defender] C:\Program Files\Anvisoft\Anvi Smart Defender\ASDTray.exe [1434984 2012-12-20] (Anvisoft)
HKLM\...\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k [x]
HKLM\...\Winlogon: [System]
HKU\CMKUser\...\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [x]
HKU\Default User\...\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [x]
HKU\joe.dickman\...\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [x]
HKU\joe.dickman\...\Run: [Logitech Vid] "C:\Program Files\Logitech\Vid HD\Vid.exe" -bootmode [ 2010-08-27] (Logitech Inc.)
Lsa: [Authentication Packages] msv1_0 wvauth
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ImageMixer 3 SE Camera Monitor Ver.6.lnk
ShortcutTarget: ImageMixer 3 SE Camera Monitor Ver.6.lnk -> C:\Program Files\PIXELA\ImageMixer 3 SE Ver.6\Transfer Utility\CameraMonitor.exe (PIXELA CORPORATION)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TdmNotify.lnk
ShortcutTarget: TdmNotify.lnk -> C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe (Wave Systems Corp.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
ShortcutTarget: VPN Client.lnk -> C:\WINDOWS\Installer\{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}\Icon3E5562ED7.ico ()
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)

========================== Services (Whitelisted) =================

S2 ADBlockerSrv; C:\Program Files\Anvisoft\Anvi Smart Defender\toolbox\adblocker\ADBlockerSrv.exe [279368 2012-11-13] ()
S2 asdsrv; C:\Program Files\Anvisoft\Anvi Smart Defender\ASDSrv.exe [735592 2012-12-20] (Anvisoft)
S2 buttonsvc32; C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe [278304 2009-11-20] (Dell Inc.)
S2 CCALib8; C:\Program Files\Canon\CAL\CALMAIN.exe [96334 2009-09-08] (Canon Inc.)
S2 Credential Vault Host Control Service; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [812448 2009-12-17] (Broadcom Corporation)
S2 Credential Vault Host Storage; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [27040 2009-12-17] (Broadcom Corporation)
S2 CVPND; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [1528608 2009-01-13] (Cisco Systems, Inc.)
S2 InstallFilterService; C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [60928 2010-01-10] ()
S2 McAfeeEngineService; C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe [19456 2008-09-29] (McAfee, Inc.)
S2 McAfeeFramework; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [103744 2008-03-14] (McAfee, Inc.)
S2 McShield; C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [143088 2008-09-29] (McAfee, Inc.)
S2 McTaskManager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [62800 2008-09-29] (McAfee, Inc.)
S2 mfevtp; C:\WINDOWS\system32\mfevtps.exe [67904 2008-09-29] (McAfee, Inc.)
S3 SecureStorageService; C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [1032192 2009-11-18] (Wave Systems Corp.)
S2 STacSV; C:\Program Files\IDT\WDM\stacsv.exe [245842 2010-05-19] (IDT, Inc.)
S2 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1273856 2008-11-12] ()
S2 TdmService; C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [1148264 2009-11-24] (Wave Systems Corp.)
S2 wltrysvc; C:\Windows\System32\bcmwltry.exe [2404352 2010-02-03] (Dell Inc.)
S4 HidServ; %SystemRoot%\System32\hidserv.dll [x]
S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

S3 Acceler; C:\Windows\System32\DRIVERS\Accelern.sys [42672 2010-01-18] (ST Microelectronics)
S3 AESTAud; C:\Windows\System32\drivers\AESTAud.sys [113664 2009-04-22] (Andrea Electronics Corporation)
S1 asdnet; C:\Program Files\Anvisoft\Anvi Smart Defender\toolbox\adblocker\sys\x86\asdnet.sys [15696 2012-09-07] ()
S1 asdrm; C:\Windows\System32\DRIVERS\asdrm.sys [16208 2012-11-07] (Anvisoft)
S2 asdrs; C:\WINDOWS\system32\DRIVERS\asdrs.sys [22864 2012-11-07] (Anvisoft)
S2 asdws; C:\WINDOWS\system32\DRIVERS\asdws.sys [14160 2012-11-07] ()
S3 BCM43XX; C:\Windows\System32\DRIVERS\bcmwl5.sys [2696448 2010-02-03] (Broadcom Corporation)
S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
S3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5275 2007-01-18] (Cisco Systems, Inc.)
S2 CVPNDRVA; C:\WINDOWS\system32\Drivers\CVPNDRVA.sys [306811 2009-01-13] (Cisco Systems, Inc.)
S3 cvusbdrv; C:\Windows\System32\Drivers\cvusbdrv.sys [33832 2009-11-03] (Broadcom Corporation)
S3 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [131856 2008-08-28] (Deterministic Networks, Inc.)
S3 e1kexpress; C:\Windows\System32\DRIVERS\e1k5132.sys [167080 2009-12-10] (Intel Corporation)
S3 FilterService; C:\Windows\System32\DRIVERS\lvuvcflt.sys [23832 2009-04-30] (Logitech Inc.)
S3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-14] (Windows (R) Server 2003 DDK provider)
S3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49920 2007-03-08] (HP)
S3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2007-03-08] (HP)
S3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2007-03-08] (HP)
S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25624 2009-04-30] ()
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\mbamswissarmy.sys [39984 2011-05-29] (Malwarebytes Corporation)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [74648 2008-09-29] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [90360 2008-09-29] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [42424 2008-09-29] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [340592 2008-09-29] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [64432 2008-09-29] (McAfee, Inc.)
S1 mfetdik; C:\Windows\System32\drivers\mfetdik.sys [62704 2008-09-29] (McAfee, Inc.)
S3 NABTSFEC; C:\Windows\System32\DRIVERS\NABTSFEC.sys [85248 2008-04-13] (Microsoft Corporation)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
S3 OA015Afx; C:\WINDOWS\system32\Drivers\OA015Afx.sys [134144 2009-05-28] (Creative Technology Ltd.)
S3 OA015Vid; C:\Windows\System32\DRIVERS\OA015Vid.sys [273568 2009-12-08] (Creative Technology Ltd.)
S0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
S2 risdpcie; C:\Windows\System32\DRIVERS\risdpe86.sys [59904 2010-03-19] (REDC)
S3 SLIP; C:\Windows\System32\DRIVERS\SLIP.sys [11136 2008-04-13] (Microsoft Corporation)
S0 stdflt; C:\Windows\System32\DRIVERS\stdfltn.sys [17072 2010-01-18] (ST Microelectronics)
S3 STHDA; C:\Windows\System32\drivers\sthda.sys [1660691 2010-05-19] (IDT, Inc.)
S3 streamip; C:\Windows\System32\DRIVERS\StreamIP.sys [15232 2008-04-13] (Microsoft Corporation)
S3 vsdatant; C:\WINDOWS\system32\vsdatant.sys [394952 2007-11-14] (Zone Labs, LLC)
S2 WavxDMgr; C:\Windows\System32\DRIVERS\WavxDMgr.sys [214656 2010-01-14] (Wave Systems Corp.)
S3 wceusbsh; C:\Windows\System32\DRIVERS\wceusbsh.sys [28672 2006-11-06] (Microsoft Corporation)
S3 WSTCODEC; C:\Windows\System32\DRIVERS\WSTCODEC.SYS [19200 2008-04-13] (Microsoft Corporation)
S4 Abiosdsk; No ImagePath
S4 abp480n5; No ImagePath
S4 adpu160m; No ImagePath
S4 Aha154x; No ImagePath
S4 aic78u2; No ImagePath
S4 aic78xx; No ImagePath
S4 AliIde; No ImagePath
S4 amsint; No ImagePath
S4 asc; No ImagePath
S4 asc3350p; No ImagePath
S4 asc3550; No ImagePath
S4 Atdisk; No ImagePath
S4 cd20xrnt; No ImagePath
S1 Changer; No ImagePath
S4 CmdIde; No ImagePath
S4 Cpqarray; No ImagePath
S4 dac2w2k; No ImagePath
S4 dac960nt; No ImagePath
S4 dpti2o; No ImagePath
S0 fqfhruyy; System32\drivers\krhorans.sys [x]
S4 hpn; No ImagePath
S1 i2omgmt; No ImagePath
S4 i2omp; No ImagePath
S4 ini910u; No ImagePath
S4 IntelIde; No ImagePath
S1 lbrtfdc; No ImagePath
S4 mraid35x; No ImagePath
S1 PCIDump; No ImagePath
S3 PDCOMP; No ImagePath
S3 PDFRAME; No ImagePath
S3 PDRELI; No ImagePath
S3 PDRFRAME; No ImagePath
S4 perc2; No ImagePath
S4 perc2hib; No ImagePath
S4 ql1080; No ImagePath
S4 Ql10wnt; No ImagePath
S4 ql12160; No ImagePath
S4 ql1240; No ImagePath
S4 ql1280; No ImagePath
S4 Simbad; No ImagePath
S4 Sparrow; No ImagePath
S4 symc810; No ImagePath
S4 symc8xx; No ImagePath
S4 sym_hi; No ImagePath
S4 sym_u3; No ImagePath
S4 TosIde; No ImagePath
S4 ultra; No ImagePath
S4 ViaIde; No ImagePath
S3 WDICA; No ImagePath
S1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-06 12:51 - 2013-05-06 12:51 - 00000000 ____D C:\FRST
2013-05-06 10:37 - 2013-05-06 10:37 - 00106496 ____A C:\Windows\Minidump\Mini050613-02.dmp
2013-05-06 09:29 - 2013-05-06 09:29 - 00106496 ____A C:\Windows\Minidump\Mini050613-01.dmp
2013-05-03 16:36 - 2013-05-03 16:36 - 00106496 ____A C:\Windows\Minidump\Mini050313-03.dmp
2013-05-03 16:31 - 2013-05-03 16:31 - 00001109 ____A C:\Documents and Settings\All Users\Desktop\Anvi AD Blocker.lnk
2013-05-03 16:31 - 2013-05-03 16:31 - 00000837 ____A C:\Documents and Settings\All Users\Desktop\Anvi Smart Defender.lnk
2013-05-03 16:31 - 2013-05-03 16:31 - 00000000 ____D C:\Program Files\Anvisoft
2013-05-03 16:31 - 2013-05-03 16:31 - 00000000 ____D C:\Documents and Settings\joe.dickman\Application Data\Anvisoft
2013-05-03 16:31 - 2013-05-03 16:31 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Anvisoft
2013-05-03 16:31 - 2012-11-07 03:16 - 00022864 ____A (Anvisoft) C:\Windows\System32\Drivers\asdrs.sys
2013-05-03 16:31 - 2012-11-07 03:16 - 00016208 ____A (Anvisoft) C:\Windows\System32\Drivers\asdrm.sys
2013-05-03 16:31 - 2012-11-07 03:16 - 00014160 ____A C:\Windows\System32\Drivers\asdws.sys
2013-05-03 16:29 - 2013-05-03 16:29 - 00106496 ____A C:\Windows\Minidump\Mini050313-02.dmp
2013-05-03 16:20 - 2013-05-03 16:21 - 29016792 ____A C:\asdsetup.exe
2013-05-03 16:19 - 2013-05-03 16:19 - 39321600 ____A C:\Windows\System32\config\software.bhv
2013-05-03 16:19 - 2013-05-03 16:19 - 08388608 ____A C:\Windows\System32\config\system.bhv
2013-05-03 16:19 - 2013-05-03 16:19 - 04980736 ____A C:\Windows\System32\config\default.bhv
2013-05-03 16:19 - 2013-05-03 16:19 - 00262144 ____A C:\Windows\System32\config\SECURITY.bhv
2013-05-03 16:19 - 2013-05-03 16:19 - 00028672 ____A C:\Windows\System32\config\SAM.bhv
2013-05-03 15:09 - 2013-05-03 15:09 - 00000000 ___AD C:\$Anvi Rescue Disk$
2013-05-03 13:25 - 2013-05-03 16:36 - 00000000 ____D C:\Windows\Minidump
2013-05-03 13:25 - 2013-05-03 13:25 - 00106496 ____A C:\Windows\Minidump\Mini050313-01.dmp
2013-05-03 13:15 - 2013-05-03 13:15 - 02250054 ____A C:\Documents and Settings\All Users\Application Data\1.bmp
2013-05-03 13:04 - 2013-05-03 13:04 - 00137728 ____A (Hilgraeve, Inc.) C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe
2013-04-13 14:16 - 2013-04-16 08:35 - 00000000 ____D C:\Program Files\Mozilla Firefox

==================== One Month Modified Files and Folders ========

2013-05-06 12:51 - 2013-05-06 12:51 - 00000000 ____D C:\FRST
2013-05-06 10:42 - 2013-01-11 09:59 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-06 10:42 - 2011-04-25 12:49 - 00514980 ____A C:\Windows\System32\PerfStringBackup.TMP
2013-05-06 10:42 - 2010-05-06 12:18 - 00032258 ___AH C:\Windows\SchedLgU.Txt
2013-05-06 10:38 - 2010-05-06 14:35 - 00000000 __SHD C:\Windows\CSC
2013-05-06 10:38 - 2010-05-06 05:25 - 00000048 ___AH C:\Windows\wiaservc.log
2013-05-06 10:37 - 2013-05-06 10:37 - 00106496 ____A C:\Windows\Minidump\Mini050613-02.dmp
2013-05-06 10:37 - 2010-05-06 12:18 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2013-05-06 10:37 - 2010-05-06 12:18 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-06 10:37 - 2010-05-06 12:11 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2013-05-06 10:36 - 2010-05-06 12:06 - 00496795 ___AH C:\Windows\WindowsUpdate.log
2013-05-06 10:35 - 2010-06-21 17:04 - 00000000 ____A C:\Documents and Settings\joe.dickman\Local Settings\Application Data\WavXMapDrive.bat
2013-05-06 10:34 - 2010-06-21 17:04 - 00000062 __ASH C:\Documents and Settings\joe.dickman\Local Settings\desktop.ini
2013-05-06 09:29 - 2013-05-06 09:29 - 00106496 ____A C:\Windows\Minidump\Mini050613-01.dmp
2013-05-06 09:29 - 2008-04-14 08:00 - 00002206 ___AH C:\Windows\System32\wpa.dbl
2013-05-03 16:36 - 2013-05-03 16:36 - 00106496 ____A C:\Windows\Minidump\Mini050313-03.dmp
2013-05-03 16:36 - 2013-05-03 13:25 - 00000000 ____D C:\Windows\Minidump
2013-05-03 16:31 - 2013-05-03 16:31 - 00001109 ____A C:\Documents and Settings\All Users\Desktop\Anvi AD Blocker.lnk
2013-05-03 16:31 - 2013-05-03 16:31 - 00000837 ____A C:\Documents and Settings\All Users\Desktop\Anvi Smart Defender.lnk
2013-05-03 16:31 - 2013-05-03 16:31 - 00000000 ____D C:\Program Files\Anvisoft
2013-05-03 16:31 - 2013-05-03 16:31 - 00000000 ____D C:\Documents and Settings\joe.dickman\Application Data\Anvisoft
2013-05-03 16:31 - 2013-05-03 16:31 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Anvisoft
2013-05-03 16:29 - 2013-05-03 16:29 - 00106496 ____A C:\Windows\Minidump\Mini050313-02.dmp
2013-05-03 16:21 - 2013-05-03 16:20 - 29016792 ____A C:\asdsetup.exe
2013-05-03 16:19 - 2013-05-03 16:19 - 39321600 ____A C:\Windows\System32\config\software.bhv
2013-05-03 16:19 - 2013-05-03 16:19 - 08388608 ____A C:\Windows\System32\config\system.bhv
2013-05-03 16:19 - 2013-05-03 16:19 - 04980736 ____A C:\Windows\System32\config\default.bhv
2013-05-03 16:19 - 2013-05-03 16:19 - 00262144 ____A C:\Windows\System32\config\SECURITY.bhv
2013-05-03 16:19 - 2013-05-03 16:19 - 00028672 ____A C:\Windows\System32\config\SAM.bhv
2013-05-03 15:09 - 2013-05-03 15:09 - 00000000 ___AD C:\$Anvi Rescue Disk$
2013-05-03 13:26 - 2010-06-21 17:04 - 00000178 ___SH C:\Documents and Settings\joe.dickman\ntuser.ini
2013-05-03 13:25 - 2013-05-03 13:25 - 00106496 ____A C:\Windows\Minidump\Mini050313-01.dmp
2013-05-03 13:22 - 2010-09-22 21:20 - 00000664 ____A C:\Windows\System32\d3d9caps.dat
2013-05-03 13:15 - 2013-05-03 13:15 - 02250054 ____A C:\Documents and Settings\All Users\Application Data\1.bmp
2013-05-03 13:04 - 2013-05-03 13:04 - 00137728 ____A (Hilgraeve, Inc.) C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe
2013-05-03 11:33 - 2010-06-21 17:04 - 00000000 ____D C:\Documents and Settings\joe.dickman\My Documents\Outlook
2013-04-29 18:36 - 2012-04-24 15:37 - 00000284 ____A C:\Windows\Tasks\AppleSoftwareUpdate.job
2013-04-28 22:08 - 2012-07-04 20:35 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-04-16 08:35 - 2013-04-13 14:16 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-04-12 15:16 - 2010-09-15 10:58 - 00151552 __ASH C:\Documents and Settings\joe.dickman\My Documents\Thumbs.db

==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2008-04-14 08:00] - [2008-04-14 08:00] - 0108544 ___AH (Microsoft Corporation) 0e776ed5f7cc9f94299e70461b7b8185

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points (XP) =====================

RP: -> 2013-05-02 17:02 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP711

RP: -> 2013-05-01 13:56 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP710

RP: -> 2013-04-30 13:03 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP709

RP: -> 2013-04-29 12:01 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP708

RP: -> 2013-04-18 17:01 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP707

RP: -> 2013-04-17 12:54 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP706

RP: -> 2013-04-16 11:36 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP705

RP: -> 2013-04-15 11:10 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP704

RP: -> 2013-04-13 20:49 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP703

RP: -> 2013-04-12 20:18 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP702

RP: -> 2013-04-11 16:34 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP701

RP: -> 2013-04-10 16:14 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP700

RP: -> 2013-04-09 12:30 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP699

RP: -> 2013-04-08 11:42 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP698

RP: -> 2013-04-07 01:23 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP697

RP: -> 2013-04-05 21:23 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP696

RP: -> 2013-04-04 17:23 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP695

RP: -> 2013-04-03 13:51 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP694

RP: -> 2013-04-02 13:48 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP693

RP: -> 2013-04-01 12:43 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP692

RP: -> 2013-03-29 14:08 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP691

RP: -> 2013-03-28 13:55 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP690

RP: -> 2013-03-27 13:51 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP689

RP: -> 2013-03-26 12:32 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP688

RP: -> 2013-03-25 12:24 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP687

RP: -> 2013-03-23 21:08 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP686

RP: -> 2013-03-22 15:32 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP685

RP: -> 2013-03-21 12:51 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP684

RP: -> 2013-03-20 12:42 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP683

RP: -> 2013-03-19 12:23 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP682

RP: -> 2013-03-17 19:49 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP681

RP: -> 2013-03-16 20:10 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP680

RP: -> 2013-03-15 17:53 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP679

RP: -> 2013-03-14 14:24 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP678

RP: -> 2013-03-13 14:08 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP677

RP: -> 2013-03-12 13:54 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP676

RP: -> 2013-03-11 13:36 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP675

RP: -> 2013-03-09 18:22 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP674

RP: -> 2013-03-08 14:19 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP673

RP: -> 2013-03-07 13:41 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP672

RP: -> 2013-03-06 12:20 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP671

RP: -> 2013-03-04 12:16 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP670

RP: -> 2013-02-28 13:43 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP669

RP: -> 2013-02-27 12:24 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP668

RP: -> 2013-02-25 21:20 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP667

RP: -> 2013-02-24 18:17 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP666

RP: -> 2013-02-21 17:49 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP665

RP: -> 2013-02-20 17:40 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP664

RP: -> 2013-02-19 13:39 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP663

RP: -> 2013-02-18 12:12 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP662

RP: -> 2013-02-15 21:28 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP661

RP: -> 2013-02-14 21:22 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP660

RP: -> 2013-02-13 17:44 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP659

RP: -> 2013-02-12 13:58 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP658

RP: -> 2013-02-11 12:32 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP657

RP: -> 2013-02-07 17:34 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP656

RP: -> 2013-02-06 16:03 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP655

RP: -> 2013-02-05 13:48 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP654

RP: -> 2013-02-04 12:56 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP653

RP: -> 2013-02-03 12:42 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP652


==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 1973.85 MB
Available physical RAM: 1713.02 MB
Total Pagefile: 1804.91 MB
Available Pagefile: 1744.56 MB
Total Virtual: 2047.88 MB
Available Virtual: 1993.54 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: () (Fixed) (Total:146.94 GB) (Free:104.61 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (READER) (Fixed) (Total:2.06 GB) (Free:1.97 GB) FAT32
Drive e: (HITMANPRO) (Removable) (Total:3.76 GB) (Free:3.75 GB) FAT32
Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 32 KB
Partition 2 Primary 147 GB 39 MB
Partition 3 Extended 2118 MB 147 GB
Partition 4 Logical 2118 MB 147 GB
==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 FAT Partition 39 MB Healthy
=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 147 GB Healthy
=========================================================

Disk: 0
Partition 4
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D READER FAT32 Partition 2118 MB Healthy
=========================================================
============================== MBR & Partition Table ==================

====================================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149 GB) (Disk ID: 123AF4B7)
Partition 1: (Not Active) - (Size=2 GB) - (Type=0F Extended)
Partition 2: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 3: (Active) - (Size=147 GB) - (Type=07 NTFS)

====================================================================
Disk: 1 (Size: 4 GB) (Disk ID: 872059DD)
Partition 1: (Active) - (Size=4 GB) - (Type=0B)

==================== End Of Log ============================
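A worked example of how a helper reads a log like the one above. It is added to this page and is not part of the thread, of FRST, or of the MalwareTips procedure. The script parses the Registry, Drivers and One Month Created Files sections of an FRST.txt and flags the entries a triager checks first: autoruns launched from user-writable locations or with no vendor name, drivers whose registry entry points at a file that is no longer on disk (FRST marks these with `[x]`), and recently created executables or bitmaps under All Users\Application Data. The embedded sample is a constructed excerpt of the kind of lines FRST writes; the list of user-writable paths, the file-type filter and the "generated-looking name" heuristic are this example's own assumptions, not FRST's.

```python
"""Triage an FRST.txt log for the entries a malware analyst reads first.

Added example for this thread, not FRST's own code.  It parses three FRST
sections (Registry autoruns, Drivers, One Month Created Files) and flags
autoruns from user-writable paths or with no vendor name, drivers whose image
file is missing ("[x]"), and new executables/bitmaps in user-writable paths.
The path list and the name heuristic are the author's assumptions.
"""
import re

# Locations where a legitimate autorun rarely lives on XP (assumed list).
USER_WRITABLE = (
    "\\all users\\application data\\",
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\temp\\",
)

RUN_RE = re.compile(r"^HK(?:LM|U)\\[^:]*\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
DRV_RE = re.compile(r"^S(?P<start>\d) (?P<svc>[^;]+); (?P<rest>.*)$")
NEW_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - \S+ \S+ - \d+ \S+ "
    r"(?:\((?P<vendor>[^)]*)\) )?(?P<path>.*)$"
)

def _split_trailer(rest):
    """Strip FRST's trailing '[size date]' / '[x]' and '(vendor)'; '' vendor means FRST printed '()'."""
    vendor = None
    m = re.search(r" \((?P<v>[^()]*)\)\s*$", rest)
    if m:
        vendor, rest = m.group("v"), rest[: m.start()]
    missing = rest.rstrip().endswith("[x]")  # FRST: file named in registry is not on disk
    rest = re.sub(r" \[[^\]]*\]\s*$", "", rest)
    return rest.strip(), vendor, missing

def _image_path(command):
    """Quoted path if present, else everything up to the first .exe/.sys."""
    m = re.match(r'"([^"]+)"', command) or re.match(r"(.+?\.(?:exe|sys))", command, re.I)
    return m.group(1) if m else command

def looks_generated(name):
    """Crude check for names like 'fqfhruyy': 7+ lowercase letters, under 25% vowels."""
    if not re.fullmatch(r"[a-z]{7,}", name):
        return False
    return sum(c in "aeiou" for c in name) / len(name) < 0.25

def triage(log_text):
    """Return a list of (section, reason, detail) findings for an FRST log."""
    findings, section = [], ""
    for line in log_text.splitlines():
        if line.startswith("===="):
            section = line.strip("= ").lower()  # e.g. 'registry (whitelisted)'
        elif section.startswith("registry") and (m := RUN_RE.match(line)):
            command, vendor, missing = _split_trailer(m.group("rest"))
            path = _image_path(command)
            if any(p in path.lower() for p in USER_WRITABLE):
                findings.append(("autorun", "runs from user-writable path", f"{m.group('name')} -> {path}"))
            elif vendor == "" and not missing:
                findings.append(("autorun", "no vendor name", f"{m.group('name')} -> {path}"))
        elif section.startswith("drivers") and (m := DRV_RE.match(line)):
            if m.group("rest").startswith("No ImagePath"):
                continue  # FRST lists empty legacy entries this way; nothing to load
            path, _vendor, missing = _split_trailer(m.group("rest"))
            if missing:
                reason = "image file missing on disk"
                if looks_generated(m.group("svc")):
                    reason += ", generated-looking name"
                if m.group("start") in "01":
                    reason += ", boot start"
                findings.append(("driver", reason, f"{m.group('svc')} -> {path}"))
        elif section.startswith("one month created") and (m := NEW_RE.match(line)):
            low = m.group("path").lower()
            if low.endswith((".exe", ".dll", ".sys", ".bmp")) and any(p in low for p in USER_WRITABLE):
                findings.append(("new file", f"created {m.group('created')} in user-writable path", m.group("path")))
    return findings

# Constructed sample: an excerpt of the kind of lines FRST writes.
SAMPLE = r"""
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe [2670592 2010-02-03] (Dell Inc.)
HKLM\...\Run: [DisplaySwitch] "C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe" [137728 2013-05-03] (Hilgraeve, Inc.)
HKLM\...\Run: [ADBlocker] C:\Program Files\Anvisoft\Anvi Smart Defender\toolbox\adblocker\ADBlockerTray.exe -tray [979816 2012-12-21] ()
HKLM\...\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k [x]
==================== Drivers (Whitelisted) ====================
S3 Acceler; C:\Windows\System32\DRIVERS\Accelern.sys [42672 2010-01-18] (ST Microelectronics)
S0 fqfhruyy; System32\drivers\krhorans.sys [x]
S4 Abiosdsk; No ImagePath
==================== One Month Created Files and Folders ========
2013-05-03 13:15 - 2013-05-03 13:15 - 02250054 ____A C:\Documents and Settings\All Users\Application Data\1.bmp
2013-05-03 13:04 - 2013-05-03 13:04 - 00137728 ____A (Hilgraeve, Inc.) C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe
2013-04-13 14:16 - 2013-04-16 08:35 - 00000000 ____D C:\Program Files\Mozilla Firefox
"""

if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE):
        print(f"[{section}] {reason}: {detail}")
```

To use it on a real log, read FRST.txt from the flash drive and pass its contents to `triage()` instead of `SAMPLE`. The output is a list of leads, not verdicts: a helper still checks the flagged files' hashes and the Winlogon and Lsa values the log prints before writing a fix.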
 

HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421160 2011-04-14] (Apple Inc.)
HKLM\...\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe [495708 2010-05-19] (IDT, Inc.)
HKLM\...\Run: [DisplaySwitch] "C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe" [137728 2013-05-03] (Hilgraeve, Inc.)
HKLM\...\Run: [ADBlocker] C:\Program Files\Anvisoft\Anvi Smart Defender\toolbox\adblocker\ADBlockerTray.exe -tray [979816 2012-12-21] ()
HKLM\...\Run: [Anvi Smart Defender] C:\Program Files\Anvisoft\Anvi Smart Defender\ASDTray.exe [1434984 2012-12-20] (Anvisoft)
HKLM\...\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k [x]
HKLM\...\Winlogon: [System]
HKU\CMKUser\...\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [x]
HKU\Default User\...\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [x]
HKU\joe.dickman\...\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [x]
HKU\joe.dickman\...\Run: [Logitech Vid] "C:\Program Files\Logitech\Vid HD\Vid.exe" -bootmode [ 2010-08-27] (Logitech Inc.)
Lsa: [Authentication Packages] msv1_0
wvauth
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ImageMixer 3 SE Camera Monitor Ver.6.lnk
ShortcutTarget: ImageMixer 3 SE Camera Monitor Ver.6.lnk -> C:\Program Files\PIXELA\ImageMixer 3 SE Ver.6\Transfer Utility\CameraMonitor.exe (PIXELA CORPORATION)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TdmNotify.lnk
ShortcutTarget: TdmNotify.lnk -> C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe (Wave Systems Corp.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
ShortcutTarget: VPN Client.lnk -> C:\WINDOWS\Installer\{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}\Icon3E5562ED7.ico ()
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)

========================== Services (Whitelisted) =================

S2 ADBlockerSrv; C:\Program Files\Anvisoft\Anvi Smart Defender\toolbox\adblocker\ADBlockerSrv.exe [279368 2012-11-13] ()
S2 asdsrv; C:\Program Files\Anvisoft\Anvi Smart Defender\ASDSrv.exe [735592 2012-12-20] (Anvisoft)
S2 buttonsvc32; C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe [278304 2009-11-20] (Dell Inc.)
S2 CCALib8; C:\Program Files\Canon\CAL\CALMAIN.exe [96334 2009-09-08] (Canon Inc.)
S2 Credential Vault Host Control Service; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [812448 2009-12-17] (Broadcom Corporation)
S2 Credential Vault Host Storage; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [27040 2009-12-17] (Broadcom Corporation)
S2 CVPND; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [1528608 2009-01-13] (Cisco Systems, Inc.)
S2 InstallFilterService; C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [60928 2010-01-10] ()
S2 McAfeeEngineService; C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe [19456 2008-09-29] (McAfee, Inc.)
S2 McAfeeFramework; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [103744 2008-03-14] (McAfee, Inc.)
S2 McShield; C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [143088 2008-09-29] (McAfee, Inc.)
S2 McTaskManager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [62800 2008-09-29] (McAfee, Inc.)
S2 mfevtp; C:\WINDOWS\system32\mfevtps.exe [67904 2008-09-29] (McAfee, Inc.)
S3 SecureStorageService; C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [1032192 2009-11-18] (Wave Systems Corp.)
S2 STacSV; C:\Program Files\IDT\WDM\stacsv.exe [245842 2010-05-19] (IDT, Inc.)
S2 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1273856 2008-11-12] ()
S2 TdmService; C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [1148264 2009-11-24] (Wave Systems Corp.)
S2 wltrysvc; C:\Windows\System32\bcmwltry.exe [2404352 2010-02-03] (Dell Inc.)
S4 HidServ; %SystemRoot%\System32\hidserv.dll [x]
S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

S3 Acceler; C:\Windows\System32\DRIVERS\Accelern.sys [42672 2010-01-18] (ST Microelectronics)
S3 AESTAud; C:\Windows\System32\drivers\AESTAud.sys [113664 2009-04-22] (Andrea Electronics Corporation)
S1 asdnet; C:\Program Files\Anvisoft\Anvi Smart Defender\toolbox\adblocker\sys\x86\asdnet.sys [15696 2012-09-07] ()
S1 asdrm; C:\Windows\System32\DRIVERS\asdrm.sys [16208 2012-11-07] (Anvisoft)
S2 asdrs; C:\WINDOWS\system32\DRIVERS\asdrs.sys [22864 2012-11-07] (Anvisoft)
S2 asdws; C:\WINDOWS\system32\DRIVERS\asdws.sys [14160 2012-11-07] ()
S3 BCM43XX; C:\Windows\System32\DRIVERS\bcmwl5.sys [2696448 2010-02-03] (Broadcom Corporation)
S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
S3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5275 2007-01-18] (Cisco Systems, Inc.)
S2 CVPNDRVA; C:\WINDOWS\system32\Drivers\CVPNDRVA.sys [306811 2009-01-13] (Cisco Systems, Inc.)
S3 cvusbdrv; C:\Windows\System32\Drivers\cvusbdrv.sys [33832 2009-11-03] (Broadcom Corporation)
S3 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [131856 2008-08-28] (Deterministic Networks, Inc.)
S3 e1kexpress; C:\Windows\System32\DRIVERS\e1k5132.sys [167080 2009-12-10] (Intel Corporation)
S3 FilterService; C:\Windows\System32\DRIVERS\lvuvcflt.sys [23832 2009-04-30] (Logitech Inc.)
S3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-14] (Windows (R) Server 2003 DDK provider)
S3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49920 2007-03-08] (HP)
S3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2007-03-08] (HP)
S3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2007-03-08] (HP)
S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25624 2009-04-30] ()
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\mbamswissarmy.sys [39984 2011-05-29] (Malwarebytes Corporation)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [74648 2008-09-29] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [90360 2008-09-29] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [42424 2008-09-29] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [340592 2008-09-29] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [64432 2008-09-29] (McAfee, Inc.)
S1 mfetdik; C:\Windows\System32\drivers\mfetdik.sys [62704 2008-09-29] (McAfee, Inc.)
S3 NABTSFEC; C:\Windows\System32\DRIVERS\NABTSFEC.sys [85248 2008-04-13] (Microsoft Corporation)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
S3 OA015Afx; C:\WINDOWS\system32\Drivers\OA015Afx.sys [134144 2009-05-28] (Creative Technology Ltd.)
S3 OA015Vid; C:\Windows\System32\DRIVERS\OA015Vid.sys [273568 2009-12-08] (Creative Technology Ltd.)
S0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
S2 risdpcie; C:\Windows\System32\DRIVERS\risdpe86.sys [59904 2010-03-19] (REDC)
S3 SLIP; C:\Windows\System32\DRIVERS\SLIP.sys [11136 2008-04-13] (Microsoft Corporation)
S0 stdflt; C:\Windows\System32\DRIVERS\stdfltn.sys [17072 2010-01-18] (ST Microelectronics)
S3 STHDA; C:\Windows\System32\drivers\sthda.sys [1660691 2010-05-19] (IDT, Inc.)
S3 streamip; C:\Windows\System32\DRIVERS\StreamIP.sys [15232 2008-04-13] (Microsoft Corporation)
S3 vsdatant; C:\WINDOWS\system32\vsdatant.sys [394952 2007-11-14] (Zone Labs, LLC)
S2 WavxDMgr; C:\Windows\System32\DRIVERS\WavxDMgr.sys [214656 2010-01-14] (Wave Systems Corp.)
S3 wceusbsh; C:\Windows\System32\DRIVERS\wceusbsh.sys [28672 2006-11-06] (Microsoft Corporation)
S3 WSTCODEC; C:\Windows\System32\DRIVERS\WSTCODEC.SYS [19200 2008-04-13] (Microsoft Corporation)
S4 Abiosdsk; No ImagePath
S4 abp480n5; No ImagePath
S4 adpu160m; No ImagePath
S4 Aha154x; No ImagePath
S4 aic78u2; No ImagePath
S4 aic78xx; No ImagePath
S4 AliIde; No ImagePath
S4 amsint; No ImagePath
S4 asc; No ImagePath
S4 asc3350p; No ImagePath
S4 asc3550; No ImagePath
S4 Atdisk; No ImagePath
S4 cd20xrnt; No ImagePath
S1 Changer; No ImagePath
S4 CmdIde; No ImagePath
S4 Cpqarray; No ImagePath
S4 dac2w2k; No ImagePath
S4 dac960nt; No ImagePath
S4 dpti2o; No ImagePath
S0 fqfhruyy; System32\drivers\krhorans.sys [x]
S4 hpn; No ImagePath
S1 i2omgmt; No ImagePath
S4 i2omp; No ImagePath
S4 ini910u; No ImagePath
S4 IntelIde; No ImagePath
S1 lbrtfdc; No ImagePath
S4 mraid35x; No ImagePath
S1 PCIDump; No ImagePath
S3 PDCOMP; No ImagePath
S3 PDFRAME; No ImagePath
S3 PDRELI; No ImagePath
S3 PDRFRAME; No ImagePath
S4 perc2; No ImagePath
S4 perc2hib; No ImagePath
S4 ql1080; No ImagePath
S4 Ql10wnt; No ImagePath
S4 ql12160; No ImagePath
S4 ql1240; No ImagePath
S4 ql1280; No ImagePath
S4 Simbad; No ImagePath
S4 Sparrow; No ImagePath
S4 symc810; No ImagePath
S4 symc8xx; No ImagePath
S4 sym_hi; No ImagePath
S4 sym_u3; No ImagePath
S4 TosIde; No ImagePath
S4 ultra; No ImagePath
S4 ViaIde; No ImagePath
S3 WDICA; No ImagePath
S1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-06 12:51 - 2013-05-06 12:51 - 00000000 ____D C:\FRST
2013-05-06 10:37 - 2013-05-06 10:37 - 00106496 ____A C:\Windows\Minidump\Mini050613-02.dmp
2013-05-06 09:29 - 2013-05-06 09:29 - 00106496 ____A C:\Windows\Minidump\Mini050613-01.dmp
2013-05-03 16:36 - 2013-05-03 16:36 - 00106496 ____A C:\Windows\Minidump\Mini050313-03.dmp
2013-05-03 16:31 - 2013-05-03 16:31 - 00001109 ____A C:\Documents and Settings\All Users\Desktop\Anvi AD Blocker.lnk
2013-05-03 16:31 - 2013-05-03 16:31 - 00000837 ____A C:\Documents and Settings\All Users\Desktop\Anvi Smart Defender.lnk
2013-05-03 16:31 - 2013-05-03 16:31 - 00000000 ____D C:\Program Files\Anvisoft
2013-05-03 16:31 - 2013-05-03 16:31 - 00000000 ____D C:\Documents and Settings\joe.dickman\Application Data\Anvisoft
2013-05-03 16:31 - 2013-05-03 16:31 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Anvisoft
2013-05-03 16:31 - 2012-11-07 03:16 - 00022864 ____A (Anvisoft) C:\Windows\System32\Drivers\asdrs.sys
2013-05-03 16:31 - 2012-11-07 03:16 - 00016208 ____A (Anvisoft) C:\Windows\System32\Drivers\asdrm.sys
2013-05-03 16:31 - 2012-11-07 03:16 - 00014160 ____A C:\Windows\System32\Drivers\asdws.sys
2013-05-03 16:29 - 2013-05-03 16:29 - 00106496 ____A C:\Windows\Minidump\Mini050313-02.dmp
2013-05-03 16:20 - 2013-05-03 16:21 - 29016792 ____A C:\asdsetup.exe
2013-05-03 16:19 - 2013-05-03 16:19 - 39321600 ____A C:\Windows\System32\config\software.bhv
2013-05-03 16:19 - 2013-05-03 16:19 - 08388608 ____A C:\Windows\System32\config\system.bhv
2013-05-03 16:19 - 2013-05-03 16:19 - 04980736 ____A C:\Windows\System32\config\default.bhv
2013-05-03 16:19 - 2013-05-03 16:19 - 00262144 ____A C:\Windows\System32\config\SECURITY.bhv
2013-05-03 16:19 - 2013-05-03 16:19 - 00028672 ____A C:\Windows\System32\config\SAM.bhv
2013-05-03 15:09 - 2013-05-03 15:09 - 00000000 ___AD C:\$Anvi Rescue Disk$
2013-05-03 13:25 - 2013-05-03 16:36 - 00000000 ____D C:\Windows\Minidump
2013-05-03 13:25 - 2013-05-03 13:25 - 00106496 ____A C:\Windows\Minidump\Mini050313-01.dmp
2013-05-03 13:15 - 2013-05-03 13:15 - 02250054 ____A C:\Documents and Settings\All Users\Application Data\1.bmp
2013-05-03 13:04 - 2013-05-03 13:04 - 00137728 ____A (Hilgraeve, Inc.) C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe
2013-04-13 14:16 - 2013-04-16 08:35 - 00000000 ____D C:\Program Files\Mozilla Firefox

==================== One Month Modified Files and Folders ========

2013-05-06 12:51 - 2013-05-06 12:51 - 00000000 ____D C:\FRST
2013-05-06 10:42 - 2013-01-11 09:59 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-06 10:42 - 2011-04-25 12:49 - 00514980 ____A C:\Windows\System32\PerfStringBackup.TMP
2013-05-06 10:42 - 2010-05-06 12:18 - 00032258 ___AH C:\Windows\SchedLgU.Txt
2013-05-06 10:38 - 2010-05-06 14:35 - 00000000 __SHD C:\Windows\CSC
2013-05-06 10:38 - 2010-05-06 05:25 - 00000048 ___AH C:\Windows\wiaservc.log
2013-05-06 10:37 - 2013-05-06 10:37 - 00106496 ____A C:\Windows\Minidump\Mini050613-02.dmp
2013-05-06 10:37 - 2010-05-06 12:18 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2013-05-06 10:37 - 2010-05-06 12:18 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-06 10:37 - 2010-05-06 12:11 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2013-05-06 10:36 - 2010-05-06 12:06 - 00496795 ___AH C:\Windows\WindowsUpdate.log
2013-05-06 10:35 - 2010-06-21 17:04 - 00000000 ____A C:\Documents and Settings\joe.dickman\Local Settings\Application Data\WavXMapDrive.bat
2013-05-06 10:34 - 2010-06-21 17:04 - 00000062 __ASH C:\Documents and Settings\joe.dickman\Local Settings\desktop.ini
2013-05-06 09:29 - 2013-05-06 09:29 - 00106496 ____A C:\Windows\Minidump\Mini050613-01.dmp
2013-05-06 09:29 - 2008-04-14 08:00 - 00002206 ___AH C:\Windows\System32\wpa.dbl
2013-05-03 16:36 - 2013-05-03 16:36 - 00106496 ____A C:\Windows\Minidump\Mini050313-03.dmp
2013-05-03 16:36 - 2013-05-03 13:25 - 00000000 ____D C:\Windows\Minidump
2013-05-03 16:31 - 2013-05-03 16:31 - 00001109 ____A C:\Documents and Settings\All Users\Desktop\Anvi AD Blocker.lnk
2013-05-03 16:31 - 2013-05-03 16:31 - 00000837 ____A C:\Documents and Settings\All Users\Desktop\Anvi Smart Defender.lnk
2013-05-03 16:31 - 2013-05-03 16:31 - 00000000 ____D C:\Program Files\Anvisoft
2013-05-03 16:31 - 2013-05-03 16:31 - 00000000 ____D C:\Documents and Settings\joe.dickman\Application Data\Anvisoft
2013-05-03 16:31 - 2013-05-03 16:31 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Anvisoft
2013-05-03 16:29 - 2013-05-03 16:29 - 00106496 ____A C:\Windows\Minidump\Mini050313-02.dmp
2013-05-03 16:21 - 2013-05-03 16:20 - 29016792 ____A C:\asdsetup.exe
2013-05-03 16:19 - 2013-05-03 16:19 - 39321600 ____A C:\Windows\System32\config\software.bhv
2013-05-03 16:19 - 2013-05-03 16:19 - 08388608 ____A C:\Windows\System32\config\system.bhv
2013-05-03 16:19 - 2013-05-03 16:19 - 04980736 ____A C:\Windows\System32\config\default.bhv
2013-05-03 16:19 - 2013-05-03 16:19 - 00262144 ____A C:\Windows\System32\config\SECURITY.bhv
2013-05-03 16:19 - 2013-05-03 16:19 - 00028672 ____A C:\Windows\System32\config\SAM.bhv
2013-05-03 15:09 - 2013-05-03 15:09 - 00000000 ___AD C:\$Anvi Rescue Disk$
2013-05-03 13:26 - 2010-06-21 17:04 - 00000178 ___SH C:\Documents and Settings\joe.dickman\ntuser.ini
2013-05-03 13:25 - 2013-05-03 13:25 - 00106496 ____A C:\Windows\Minidump\Mini050313-01.dmp
2013-05-03 13:22 - 2010-09-22 21:20 - 00000664 ____A C:\Windows\System32\d3d9caps.dat
2013-05-03 13:15 - 2013-05-03 13:15 - 02250054 ____A C:\Documents and Settings\All Users\Application Data\1.bmp
2013-05-03 13:04 - 2013-05-03 13:04 - 00137728 ____A (Hilgraeve, Inc.) C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe
2013-05-03 11:33 - 2010-06-21 17:04 - 00000000 ____D C:\Documents and Settings\joe.dickman\My Documents\Outlook
2013-04-29 18:36 - 2012-04-24 15:37 - 00000284 ____A C:\Windows\Tasks\AppleSoftwareUpdate.job
2013-04-28 22:08 - 2012-07-04 20:35 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-04-16 08:35 - 2013-04-13 14:16 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-04-12 15:16 - 2010-09-15 10:58 - 00151552 __ASH C:\Documents and Settings\joe.dickman\My Documents\Thumbs.db

==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2008-04-14 08:00] - [2008-04-14 08:00] - 0108544 ___AH (Microsoft Corporation) 0e776ed5f7cc9f94299e70461b7b8185

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points (XP) =====================

RP: -> 2013-05-02 17:02 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP711

RP: -> 2013-05-01 13:56 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP710

RP: -> 2013-04-30 13:03 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP709

RP: -> 2013-04-29 12:01 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP708

RP: -> 2013-04-18 17:01 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP707

RP: -> 2013-04-17 12:54 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP706

RP: -> 2013-04-16 11:36 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP705

RP: -> 2013-04-15 11:10 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP704

RP: -> 2013-04-13 20:49 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP703

RP: -> 2013-04-12 20:18 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP702

RP: -> 2013-04-11 16:34 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP701

RP: -> 2013-04-10 16:14 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP700

RP: -> 2013-04-09 12:30 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP699

RP: -> 2013-04-08 11:42 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP698

RP: -> 2013-04-07 01:23 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP697

RP: -> 2013-04-05 21:23 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP696

RP: -> 2013-04-04 17:23 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP695

RP: -> 2013-04-03 13:51 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP694

RP: -> 2013-04-02 13:48 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP693

RP: -> 2013-04-01 12:43 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP692

RP: -> 2013-03-29 14:08 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP691

RP: -> 2013-03-28 13:55 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP690

RP: -> 2013-03-27 13:51 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP689

RP: -> 2013-03-26 12:32 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP688

RP: -> 2013-03-25 12:24 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP687

RP: -> 2013-03-23 21:08 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP686

RP: -> 2013-03-22 15:32 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP685

RP: -> 2013-03-21 12:51 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP684

RP: -> 2013-03-20 12:42 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP683

RP: -> 2013-03-19 12:23 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP682

RP: -> 2013-03-17 19:49 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP681

RP: -> 2013-03-16 20:10 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP680

RP: -> 2013-03-15 17:53 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP679

RP: -> 2013-03-14 14:24 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP678

RP: -> 2013-03-13 14:08 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP677

RP: -> 2013-03-12 13:54 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP676

RP: -> 2013-03-11 13:36 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP675

RP: -> 2013-03-09 18:22 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP674

RP: -> 2013-03-08 14:19 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP673

RP: -> 2013-03-07 13:41 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP672

RP: -> 2013-03-06 12:20 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP671

RP: -> 2013-03-04 12:16 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP670

RP: -> 2013-02-28 13:43 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP669

RP: -> 2013-02-27 12:24 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP668

RP: -> 2013-02-25 21:20 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP667

RP: -> 2013-02-24 18:17 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP666

RP: -> 2013-02-21 17:49 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP665

RP: -> 2013-02-20 17:40 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP664

RP: -> 2013-02-19 13:39 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP663

RP: -> 2013-02-18 12:12 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP662

RP: -> 2013-02-15 21:28 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP661

RP: -> 2013-02-14 21:22 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP660

RP: -> 2013-02-13 17:44 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP659

RP: -> 2013-02-12 13:58 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP658

RP: -> 2013-02-11 12:32 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP657

RP: -> 2013-02-07 17:34 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP656

RP: -> 2013-02-06 16:03 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP655

RP: -> 2013-02-05 13:48 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP654

RP: -> 2013-02-04 12:56 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP653

RP: -> 2013-02-03 12:42 - 028672 _restore{FE768671-BE7E-47B3-846A-A3A096E35F32}\RP652


==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 1973.85 MB
Available physical RAM: 1713.02 MB
Total Pagefile: 1804.91 MB
Available Pagefile: 1744.56 MB
Total Virtual: 2047.88 MB
Available Virtual: 1993.54 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: () (Fixed) (Total:146.94 GB) (Free:104.61 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (READER) (Fixed) (Total:2.06 GB) (Free:1.97 GB) FAT32
Drive e: (HITMANPRO) (Removable) (Total:3.76 GB) (Free:3.75 GB) FAT32
Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 32 KB
Partition 2 Primary 147 GB 39 MB
Partition 3 Extended 2118 MB 147 GB
Partition 4 Logical 2118 MB 147 GB
==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 FAT Partition 39 MB Healthy
=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 147 GB Healthy
=========================================================

Disk: 0
Partition 4
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D READER FAT32 Partition 2118 MB Healthy
=========================================================
============================== MBR & Partition Table ==================

====================================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149 GB) (Disk ID: 123AF4B7)
Partition 1: (Not Active) - (Size=2 GB) - (Type=OF Extended)
Partition 2: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 3: (Active) - (Size=147 GB) - (Type=07 NTFS)

====================================================================
Disk: 1 (Size: 4 GB) (Disk ID: 872059DD)
Partition 1: (Active) - (Size=4 GB) - (Type=0B)

==================== End Of Log ============================
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

On another PC, open notepad and copy & paste the following:

HKLM\...\Run: [DisplaySwitch] "C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe" [137728 2013-05-03] (Hilgraeve, Inc.)
C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)

Download TDSSkiller from here
  • Double-Click on TDSSKiller.exe to run the application
  • When TDSSKiller opens, click Change parameters, check the box next to Loaded modules. A reboot will be required.
  • After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
  • Click Start scan.
  • If a suspicious object is detected, the default action will be Skip; click on Continue. (If it says TDL4/TDSS file system, select Delete.)
  • If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log after (usually in the C:\ folder, in the form TDSSKiller.[Version]_[Date]_[Time]_log.txt).
 

jofuss3232

New Member
Thread author
May 6, 2013
7
Fiery said: [quoted post above]

Hello.
Are you talking about doing all of this from the disc I burned yesterday? If not, I cannot boot into anything. I am using XP, and as soon as I log in normally, 15 seconds later the DOJ thing comes up and locks everything.
 

jofuss3232

New Member
Thread author
May 6, 2013
7
jofuss3232 said: [quoted post above]

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 05-05-2013 02
Ran by SYSTEM at 2013-05-07 09:49:26 Run:1
Running from E:\
Boot Mode: Recovery

==============================================

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\DisplaySwitch => Value deleted successfully.
C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe => Moved successfully.

==== End of Fixlog ====
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,


Open notepad and copy & paste the following:

S0 fqfhruyy; System32\drivers\krhorans.sys [x]

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log. Then, attempt to boot normally.
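The two fixlists in this thread are hand-built from FRST scan lines: an HKLM Run entry launching an executable from All Users\Application Data (a user-writable directory that any interactive account can drop a file into, which is how this locker survives reboots), and a boot-start (S0) driver service whose file FRST marks with [x] because it no longer exists on disk. The script below is an added example, not code from the thread, from FRST, or from the helper; it parses log lines in the same style, applies those two heuristics, and emits candidate fixlist.txt lines in the form Fiery used (the log line pasted verbatim, followed by the file path for a Run entry). The sample log is constructed here and padded with benign entries; the directory markers and the regular expressions are assumptions about FRST's output format, so compare the result against the real log before running a fix. The vendor string in parentheses comes from the file's own version resource and is attacker-controlled, so the script deliberately ignores it.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in FRST's log style, modelled on the two entries quoted
# in this thread. The SoundMAX, ctfmon and usbccgp lines are benign padding.
SAMPLE_FRST_LOG = r"""
HKLM\...\Run: [SoundMAX] C:\Program Files\Analog Devices\Core\smax4pnp.exe [1388544 2007-10-17] (Analog Devices, Inc.)
HKLM\...\Run: [DisplaySwitch] "C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe" [137728 2013-05-03] (Hilgraeve, Inc.)
HKCU\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
S0 fqfhruyy; System32\drivers\krhorans.sys [x]
S3 usbccgp; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [32128 2008-04-13] (Microsoft Corporation)
"""

# Assumed shape of an FRST Run entry: hive, [value name], optionally quoted
# path, [size date], (company name from the version resource).
RUN_RE = re.compile(
    r'^(?P<hive>HK(?:LM|CU)\\\.\.\.\\Run): \[(?P<name>[^\]]+)\] '
    r'"?(?P<path>[^"\[]+?)"? \[(?P<size>\d+) (?P<date>[\d-]+)\] \((?P<vendor>[^)]*)\)$'
)
# Assumed shape of an FRST service/driver entry: start type, name; path, then
# either [size date] (vendor) or the [x] marker for a file that was not found.
SERVICE_RE = re.compile(
    r'^(?P<start>[SR]\d) (?P<name>[^;]+); (?P<path>.+?) (?P<rest>\[.*)$'
)

# Directories that an unprivileged interactive user can write to. An
# auto-start entry pointing into one of these is the classic screen-locker
# placement; the list is an assumption for this example, not FRST's own.
WRITABLE_DIR_MARKERS = (
    "\\all users\\application data\\",
    "\\programdata\\",
    "\\application data\\",
    "\\appdata\\",
    "\\temp\\",
)


@dataclass
class Finding:
    kind: str                 # "run" or "service"
    reason: str               # human-readable explanation for the helper
    fixlist_lines: List[str]  # lines to paste into fixlist.txt


def triage(log_text: str) -> List[Finding]:
    """Scan FRST-style log lines and return the entries worth a fix."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = RUN_RE.match(line)
        if m:
            path = m.group("path")
            if any(marker in path.lower() for marker in WRITABLE_DIR_MARKERS):
                # Same layout as the helper's first fixlist: the log line, then
                # the file path on its own line so the file is moved as well.
                findings.append(Finding(
                    "run",
                    f"auto-start value {m.group('name')} launches from a user-writable directory",
                    [line, path],
                ))
            continue

        m = SERVICE_RE.match(line)
        if m and m.group("rest").strip().upper() == "[X]":
            # Boot-start service whose driver file is gone: a leftover the
            # cleanup should remove, exactly as the thread's second fixlist does.
            findings.append(Finding(
                "service",
                f"{m.group('start')} service {m.group('name')} points at missing file {m.group('path')}",
                [line],
            ))
    return findings


def build_fixlist(findings: List[Finding]) -> str:
    """Render the findings as the text to save as fixlist.txt."""
    lines: List[str] = []
    for f in findings:
        lines.extend(f.fixlist_lines)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_FRST_LOG)
    for f in found:
        print(f"[{f.kind}] {f.reason}")
    print("--- fixlist.txt ---")
    print(build_fixlist(found), end="")
```

Run against the constructed sample, the script flags exactly the two entries the thread's fixlists removed and leaves the Program Files and WINDOWS\system32 entries alone. The heuristics are intentionally narrow: a real triage would also look at unsigned files, recent modification dates and unusual value names, but those checks need the file itself rather than a log line.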
 

jofuss3232

New Member
Thread author
May 6, 2013
7
S0 fqfhruyy; System32\drivers\krhorans.sys [x]


This is all that came up. Also, I was never able to run malware; it kept saying something about a drive or something.
 

jofuss3232

New Member
Thread author
May 6, 2013
7
Sorry, I pasted the wrong thing; this is what came up.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 05-05-2013 02
Ran by SYSTEM at 2013-05-08 12:14:40 Run:2
Running from E:\
Boot Mode: Recovery

==============================================

fqfhruyy => Service deleted successfully.

==== End of Fixlog ====
 
