
FBI Visits a Friend - Help!

Discussion in 'Virus & Other Malware Removal' started by GreyGuy, Jun 22, 2013.

  1. GreyGuy

    GreyGuy Thread Starter

    Joined:
    Dec 19, 2006
    Messages:
    79
    A friend of mine got hit with the FBI virus. (I know the Feds are hurting for money but give me a break! :rolleyes:) So here we go with some logs...

    On a side note... how might I get started becoming a Malware Avenger?


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:28:08 PM, on 6/22/2013
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v9.00 (9.00.8112.16490)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
    C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Ask.com\Updater\Updater.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe
    C:\Users\Jeff\Desktop\Ken\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MIF5BA~1\Office14\GROOVEEX.DLL
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MIF5BA~1\Office14\URLREDIR.DLL
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: FrostWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jaureg.exe" -u auto-update
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey
    O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office14\EXCEL.EXE/3000
    O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MIF5BA~1\Office14\ONBttnIE.dll/105
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Intuit Update Service v4 (IntuitUpdateServiceV4) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

    --
    End of file - 5480 bytes
    _____________________________________________________________________________________________________

    GMER 2.1.19163 - http://www.gmer.net
    Rootkit scan 2013-06-22 12:26:05
    Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 WDC_WD800BD-22LRA0 rev.06.01D06 74.53GB
    Running: erzhmqj278.exe; Driver: C:\Users\Jerry\AppData\Local\Temp\fgloypob.sys


    ---- Kernel code sections - GMER 2.1 ----

    .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82A5B9F5 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A951F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    ? C:\Users\Jerry\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

    ---- Devices - GMER 2.1 ----

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys

    ---- EOF - GMER 2.1 ----
    _____________________________________________________________________________________________________

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 9.0.8112.16490
    Run by Jerry at 10:34:47 on 2013-06-22
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2558.1796 [GMT -7:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
    SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Microsoft Security Client\NisSrv.exe
    C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
    C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
    C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Ask.com\Updater\Updater.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k SDRSVC
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uWindow Title = Internet Explorer, optimized for Bing and MSN
    uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
    BHO: FrostWire Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: FrostWire Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: FrostWire Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe
    uRun: [ctfmon.exe] c:\progra~2\rundll32.exe c:\progra~2\qeqjmj.dat,FG00
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jaureg.exe" -u auto-update
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [MSC] "c:\program files\microsoft security client\mssecex.exe" -hide -runkey
    mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\mif5ba~1\office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    TCP: NameServer = 208.186.46.5 208.186.47.5
    TCP: Interfaces\{1BE54896-FBE0-47BE-B806-51DDBD48442D} : DHCPNameServer = 208.186.46.5 208.186.47.5
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    SSODL: WebCheck - <orphaned>
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
    mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\27.0.1453.116\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
    R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2012-8-23 13672]
    R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 100328]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-1-27 295232]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-3-11 14848]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-3-11 49664]
    S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2013-3-11 27136]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-3-15 1343400]
    .
    =============== Created Last 30 ================
    .
    2013-06-20 23:27:45 -------- d-----w- c:\users\jerry\appdata\local\ElevatedDiagnostics
    2013-06-20 21:10:05 44544 ----a-w- c:\programdata\rundll32.exe
    2013-06-20 21:10:05 163840 ----a-w- c:\programdata\qeqjmj.dat
    2013-06-20 02:10:21 7068072 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{70130cfc-e341-436a-b0f8-c7958be91d43}\mpengine.dll
    2013-06-19 02:04:31 7068072 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2013-06-14 15:36:23 724464 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f9b86e15-5a6b-4473-80ca-fe1ae40184f1}\gapaengine.dll
    2013-06-12 02:01:00 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2013-06-12 00:42:28 1505280 ----a-w- c:\windows\system32\d3d11.dll
    2013-06-12 00:42:23 24576 ----a-w- c:\windows\system32\cryptdlg.dll
    2013-06-12 00:42:20 492544 ----a-w- c:\windows\system32\win32spl.dll
    2013-06-12 00:42:17 903168 ----a-w- c:\windows\system32\certutil.exe
    2013-06-12 00:42:16 43008 ----a-w- c:\windows\system32\certenc.dll
    2013-06-12 00:42:16 140288 ----a-w- c:\windows\system32\cryptsvc.dll
    2013-06-12 00:42:16 1160192 ----a-w- c:\windows\system32\crypt32.dll
    2013-06-12 00:42:16 103936 ----a-w- c:\windows\system32\cryptnet.dll
    2013-06-12 00:42:11 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
    2013-06-12 00:42:10 3968872 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2013-06-12 00:42:10 3913576 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-06-12 00:42:08 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2013-06-01 17:43:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
    2013-06-01 17:43:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
    2013-06-01 17:43:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
    2013-06-01 17:43:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
    2013-06-01 17:43:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
    2013-06-01 17:40:56 -------- d-----w- c:\program files\iPod
    2013-06-01 17:40:55 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
    2013-06-01 17:40:55 -------- d-----w- c:\program files\iTunes
    .
    ==================== Find3M ====================
    .
    2013-06-12 16:20:17 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-06-12 16:20:17 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-05-16 22:39:39 1800704 ----a-w- c:\windows\system32\jscript9.dll
    2013-05-16 22:28:26 1129472 ----a-w- c:\windows\system32\wininet.dll
    2013-05-16 22:27:30 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2013-05-16 22:21:37 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2013-05-16 22:20:30 420864 ----a-w- c:\windows\system32\vbscript.dll
    2013-05-02 15:28:50 238872 ------w- c:\windows\system32\MpSigStub.exe
    2013-05-01 10:59:12 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2013-05-01 10:59:12 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2013-04-13 04:45:16 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2013-04-13 04:45:15 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
    2013-04-12 13:45:29 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
    2013-04-10 05:18:40 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2013-04-10 05:18:40 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
    2013-04-10 03:14:06 2347520 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 10:35:18.17 ===============
     
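A defender's triage pass over the kind of lines posted above (an added example, not part of this thread and not code from the DDS or FRST tools): it parses DDS-style uRun/mRun entries and "Created Last 30" lines and flags the pattern in this log, a copy of rundll32.exe in ProgramData loading a .dat file by export under a value named after a Windows process. The sample lines are constructed to mirror the posted log; the trusted-directory list is an assumption, and the progra~2 = ProgramData mapping is inferred from the same dropped rundll32.exe appearing under both spellings in the log.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines modelled on the DDS "Pseudo HJT Report" and
# "Created Last 30" sections posted in this thread (not the full logs).
SAMPLE_LOG = r"""
uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe
uRun: [ctfmon.exe] c:\progra~2\rundll32.exe c:\progra~2\qeqjmj.dat,FG00
mRun: [MSC] "c:\program files\microsoft security client\mssecex.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
2013-06-20 23:27:45 -------- d-----w- c:\users\jerry\appdata\local\ElevatedDiagnostics
2013-06-20 21:10:05 44544 ----a-w- c:\programdata\rundll32.exe
2013-06-20 21:10:05 163840 ----a-w- c:\programdata\qeqjmj.dat
2013-06-12 00:42:10 3968872 ----a-w- c:\windows\system32\ntkrnlpa.exe
""".strip()

# Assumed trusted locations for autorun binaries on a Win7 x86 box. The log
# itself shows "progra~1" as the 8.3 alias of Program Files and lists the same
# dropped rundll32.exe under both c:\progra~2 and c:\programdata, so progra~2
# is treated as ProgramData, a directory any user account can write to.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
USER_WRITABLE_DIRS = ("c:\\programdata\\", "c:\\progra~2\\", "c:\\users\\")
# Binaries that ship in System32; a copy anywhere else deserves a look.
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe", "ctfmon.exe"}

RUN_RE = re.compile(r"^[um]Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(?P<path>\S.*)$")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_command(cmd: str) -> Tuple[str, str]:
    """Return (exe_path, args) from an autorun command line: honour a quoted
    path, otherwise cut after the first '.exe' so unquoted paths with spaces
    (as DDS prints them) stay whole."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower(), cmd[end + 1:].strip()
    m = re.match(r"(.+?\.exe)(?:\s+(.*))?$", cmd, re.IGNORECASE)
    if m:
        return m.group(1).lower(), (m.group(2) or "").strip()
    parts = cmd.split(None, 1)
    return parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def check_autorun(name: str, cmd: str) -> List[str]:
    """Heuristics for one Run-key entry; each string is one reason to look."""
    exe, args = split_command(cmd)
    exe_name = basename(exe)
    findings = []
    if exe.startswith(USER_WRITABLE_DIRS) or not exe.startswith(TRUSTED_DIRS):
        findings.append(f"'{name}' launches from a user-writable path: {exe}")
    if exe_name in SYSTEM_BINARIES and not exe.startswith("c:\\windows\\"):
        findings.append(f"copy of system binary {exe_name} outside C:\\Windows")
    if exe_name == "rundll32.exe":
        # rundll32 takes "<dll>,<export>"; in this log the "dll" is a .dat file.
        target = args.split(",", 1)[0].strip('"')
        if target and not target.lower().endswith(".dll"):
            findings.append(f"rundll32 loads a non-DLL payload: {args}")
    if name.lower().endswith(".exe") and exe_name != name.lower():
        findings.append(f"value name '{name}' mimics a Windows process but runs {exe_name}")
    return findings


def check_created_file(path: str) -> List[str]:
    """Flag a file carrying a System32 binary's name created in a data directory."""
    p = path.lower()
    if basename(p) in SYSTEM_BINARIES and p.startswith(USER_WRITABLE_DIRS):
        return [f"system binary name dropped into a data directory: {path}"]
    return []


def triage(log: str) -> Dict[str, List[str]]:
    """Map each suspicious log line to the reasons it was flagged."""
    report: Dict[str, List[str]] = {}
    for raw in log.splitlines():
        line = raw.strip()
        run = RUN_RE.match(line)
        if run:
            hits = check_autorun(run.group("name"), run.group("cmd"))
        else:
            created = FILE_RE.match(line)
            hits = check_created_file(created.group("path")) if created else []
        if hits:
            report[line] = hits
    return report


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

On the constructed sample this flags exactly the two lines a malware helper would single out, the ctfmon.exe autorun entry (four reasons) and the rundll32.exe copy created in ProgramData, and nothing from the Apple, Microsoft or System32 entries.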
  3. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    Run the following;

    Please download Farbar Recovery Scan Tool and save it to your desktop.

    Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
    • Double-click to run it. When the tool opens, click Yes to the disclaimer.
    • Press the Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
    • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

    Kevin
     
  4. GreyGuy

    GreyGuy Thread Starter

    Joined:
    Dec 19, 2006
    Messages:
    79
    Here ya go... and BTW, Thanx!

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 22-06-2013
    Ran by Jeff (ATTENTION: The logged in user is not administrator) on 24-06-2013 11:56:54
    Running from C:\Users\Jeff\Desktop\Ken
    Microsoft Windows 7 Home Premium Service Pack 1 (X86) OS Language: English(US)
    Internet Explorer Version 9
    Boot Mode: Normal

    ==================== Processes (Whitelisted) ===================

    (Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
    (Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    (Ask) C:\Program Files\Ask.com\Updater\Updater.exe
    (Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-04-21] (Apple Inc.)
    HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jaureg.exe" -u auto-update [237800 2010-10-29] (Sun Microsystems, Inc.)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
    HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x]
    HKLM\...\Run: [] [x]
    HKLM\...\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe" [1564872 2012-06-06] (Ask)
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152392 2013-05-15] (Apple Inc.)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2013-05-01] (Apple Inc.)

    ==================== Internet (Whitelisted) ====================

    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
    HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/?ocid=OIE9HP
    SearchScopes: HKCU - {90D99C69-B894-4CDE-844C-653ADE5D8572} URL = http://websearch.ask.com/redirect?client=ie&tb=FWV5&o=14193&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=FM&apn_dtid=TES002YYUS&apn_uid=57251ceb-9caa-41f3-a42f-ff7e3caa82dc&apn_sauid=9ECB201A-19DE-4A2D-B147-611873C27A20
    BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MIF5BA~1\Office14\GROOVEEX.DLL (Microsoft Corporation)
    BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MIF5BA~1\Office14\URLREDIR.DLL (Microsoft Corporation)
    BHO: FrostWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
    Toolbar: HKLM - FrostWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    Toolbar: HKCU -FrostWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
    Tcpip\Parameters: [DhcpNameServer] 208.186.46.5 208.186.47.5

    Chrome:
    =======
    CHR HomePage: hxxp://www.google.com
    CHR RestoreOnStartup: "hxxp://www.google.com"
    CHR Extension: (Docs) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.0.0.6_0

    ========================== Services (Whitelisted) =================

    R2 lmhosts; C:\Windows\system32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
    R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)
    R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] (Microsoft Corporation)
    R2 NlaSvc; C:\Windows\System32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
    R2 nsi; C:\Windows\system32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)

    ==================== Drivers (Whitelisted) ====================

    R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
    S3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [25712 2013-01-29] (Microsoft Corporation)
    S3 Lavasoft Kernexplorer; \??\C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
    S1 ltpwqfku; \??\C:\Windows\system32\drivers\ltpwqfku.sys [x]
    S1 stezfppu; \??\C:\Windows\system32\drivers\stezfppu.sys [x]

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-06-24 11:56 - 2013-06-24 11:56 - 00000000 ____D C:\FRST
    2013-06-22 10:47 - 2013-06-22 10:47 - 00000000 ____D C:\Users\Jeff\AppData\Local\Google
    2013-06-20 14:10 - 2013-06-20 18:52 - 95023320 ___AT C:\ProgramData\jmjqeq.pad
    2013-06-20 14:10 - 2013-06-20 18:52 - 00000000 ____A C:\ProgramData\as98213.txt
    2013-06-20 14:10 - 2013-06-20 14:10 - 00163840 ____A C:\ProgramData\qeqjmj.dat
    2013-06-20 14:10 - 2013-06-20 14:10 - 00044544 ____A (Microsoft Corporation) C:\ProgramData\rundll32.exe
    2013-06-11 19:01 - 2013-05-16 15:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2013-06-11 19:01 - 2013-05-16 15:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2013-06-11 19:00 - 2013-05-16 16:08 - 12329984 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2013-06-11 19:00 - 2013-05-16 15:49 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2013-06-11 19:00 - 2013-05-16 15:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2013-06-11 19:00 - 2013-05-16 15:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2013-06-11 19:00 - 2013-05-16 15:28 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2013-06-11 19:00 - 2013-05-16 15:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2013-06-11 19:00 - 2013-05-16 15:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2013-06-11 19:00 - 2013-05-16 15:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2013-06-11 19:00 - 2013-05-16 15:21 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2013-06-11 19:00 - 2013-05-16 15:21 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2013-06-11 19:00 - 2013-05-16 15:20 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
    2013-06-11 19:00 - 2013-05-16 15:19 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2013-06-11 19:00 - 2013-05-16 15:17 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2013-06-11 19:00 - 2013-05-16 15:12 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2013-06-11 17:42 - 2013-05-12 21:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2013-06-11 17:42 - 2013-05-12 21:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2013-06-11 17:42 - 2013-05-12 21:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2013-06-11 17:42 - 2013-05-12 20:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
    2013-06-11 17:42 - 2013-05-12 20:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
    2013-06-11 17:42 - 2013-05-09 20:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
    2013-06-11 17:42 - 2013-05-07 22:38 - 01293672 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
    2013-06-11 17:42 - 2013-05-05 22:06 - 03968872 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
    2013-06-11 17:42 - 2013-05-05 22:06 - 03913576 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2013-06-11 17:42 - 2013-04-25 21:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
    2013-06-11 17:42 - 2013-04-25 16:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
    2013-06-11 17:42 - 2013-04-17 00:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
    2013-06-01 10:43 - 2013-06-01 10:43 - 00000000 ____D C:\Program Files\QuickTime
    2013-06-01 10:41 - 2013-06-01 10:41 - 00001753 ____A C:\Users\Public\Desktop\iTunes.lnk
    2013-06-01 10:40 - 2013-06-01 10:41 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
    2013-06-01 10:40 - 2013-06-01 10:41 - 00000000 ____D C:\Program Files\iTunes
    2013-06-01 10:40 - 2013-06-01 10:40 - 00000000 ____D C:\Program Files\iPod

    ==================== One Month Modified Files and Folders ========

    2013-06-24 11:56 - 2013-06-24 11:56 - 00000000 ____D C:\FRST
    2013-06-24 11:55 - 2012-03-18 10:09 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-06-24 11:54 - 2009-07-13 21:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-06-24 11:54 - 2009-07-13 21:39 - 00062745 ____A C:\Windows\setupact.log
    2013-06-24 11:51 - 2012-03-15 17:35 - 01248430 ____A C:\Windows\WindowsUpdate.log
    2013-06-24 11:45 - 2012-03-18 10:09 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-06-24 11:44 - 2009-07-13 21:34 - 00021888 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-06-24 11:44 - 2009-07-13 21:34 - 00021888 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-06-24 11:41 - 2010-11-20 14:01 - 00730320 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-06-22 22:20 - 2012-04-09 12:20 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-06-22 10:47 - 2013-06-22 10:47 - 00000000 ____D C:\Users\Jeff\AppData\Local\Google
    2013-06-22 10:47 - 2013-01-13 18:35 - 00002205 ____A C:\Users\Jeff\Desktop\Google Chrome.lnk
    2013-06-22 10:31 - 2012-03-20 16:40 - 00000000 ____D C:\Users\Jeff\AppData\Local\VirtualStore
    2013-06-22 10:27 - 2012-03-15 19:50 - 00000000 ____D C:\users\Jerry
    2013-06-20 19:05 - 2009-07-13 19:37 - 00000000 ____D C:\Windows\Microsoft.NET
    2013-06-20 18:52 - 2013-06-20 14:10 - 95023320 ___AT C:\ProgramData\jmjqeq.pad
    2013-06-20 18:52 - 2013-06-20 14:10 - 00000000 ____A C:\ProgramData\as98213.txt
    2013-06-20 14:10 - 2013-06-20 14:10 - 00163840 ____A C:\ProgramData\qeqjmj.dat
    2013-06-20 14:10 - 2013-06-20 14:10 - 00044544 ____A (Microsoft Corporation) C:\ProgramData\rundll32.exe
    2013-06-20 14:03 - 2012-03-21 12:22 - 00000000 ___RD C:\Users\Jerry\Documents\Outlook Files
    2013-06-12 09:45 - 2009-07-13 19:37 - 00000000 ____D C:\Windows\rescache
    2013-06-12 09:20 - 2012-04-09 12:20 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2013-06-12 09:20 - 2012-03-18 12:24 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2013-06-11 19:01 - 2012-03-15 20:15 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2013-06-01 10:43 - 2013-06-01 10:43 - 00000000 ____D C:\Program Files\QuickTime
    2013-06-01 10:41 - 2013-06-01 10:41 - 00001753 ____A C:\Users\Public\Desktop\iTunes.lnk
    2013-06-01 10:41 - 2013-06-01 10:40 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
    2013-06-01 10:41 - 2013-06-01 10:40 - 00000000 ____D C:\Program Files\iTunes
    2013-06-01 10:40 - 2013-06-01 10:40 - 00000000 ____D C:\Program Files\iPod
    2013-06-01 10:40 - 2012-03-20 17:10 - 00000000 ____D C:\Program Files\Common Files\Apple
    2013-05-28 09:25 - 2013-01-21 14:16 - 00732672 __ASH C:\Users\Jerry\Documents\Thumbs.db

    Files to move or delete:
    ====================
    C:\ProgramData\rundll32.exe
    C:\ProgramData\jmjqeq.pad
    C:\ProgramData\qeqjmj.dat

    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== End Of Log ============================



    Additional scan result of Farbar Recovery Scan Tool (x86) Version: 22-06-2013
    Ran by Jeff at 2013-06-24 11:57:38
    Running from C:\Users\Jeff\Desktop\Ken
    Boot Mode: Normal
    ==========================================================


    ==================== Installed Programs =======================

    Adobe Flash Player 11 ActiveX (Version: 11.7.700.224)
    Adobe Reader X (10.1.7) (Version: 10.1.7)
    Apple Application Support (Version: 2.3.4)
    Apple Mobile Device Support (Version: 6.1.0.13)
    Apple Software Update (Version: 2.1.3.127)
    Ask Toolbar (Version: 1.15.4.0)
    Ask Toolbar Updater (HKCU Version: 1.2.0.20007)
    Bonjour (Version: 3.0.0.10)
    Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    FrostWire 5.5.5 (Version: 5.5.5.0)
    Google Chrome (Version: 27.0.1453.116)
    Google Update Helper (Version: 1.3.21.145)
    iCloud (Version: 2.1.2.8)
    iTunes (Version: 11.0.3.42)
    Java Auto Updater (Version: 2.0.3.1)
    Java(TM) 6 Update 24 (Version: 6.0.240)
    Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
    Microsoft Application Error Reporting (Version: 12.0.6012.5000)
    Microsoft Mouse and Keyboard Center (Version: 2.1.177.0)
    Microsoft Office 2010 Service Pack 1 (SP1)
    Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)
    Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
    Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
    Microsoft Office Groove MUI (English) 2010 (Version: 14.0.6029.1000)
    Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.6029.1000)
    Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
    Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
    Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
    Microsoft Office Professional Plus 2010 (Version: 14.0.6029.1000)
    Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
    Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
    Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
    Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
    Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
    Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
    Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
    Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
    Microsoft Security Client (Version: 4.2.0223.1)
    Microsoft Security Essentials (Version: 4.2.223.1)
    Microsoft Silverlight (Version: 5.1.20125.0)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
    NVIDIA Control Panel 307.83 (Version: 307.83)
    NVIDIA Display Control Panel (Version: 6.14.12.5896)
    NVIDIA Graphics Driver 307.83 (Version: 307.83)
    NVIDIA Install Application (Version: 2.1002.109.706)
    NVIDIA Update 1.10.8 (Version: 1.10.8)
    NVIDIA Update Components (Version: 1.10.8)
    PVSonyDll (Version: 1.00.0001)
    QuickTime (Version: 7.74.80.86)
    RayTech RNS (Version: 6.00.000)
    Safari (Version: 5.34.57.2)
    TurboTax 2011
    TurboTax 2011 WinPerFedFormset (Version: 011.000.2999)
    TurboTax 2011 WinPerReleaseEngine (Version: 011.000.0495)
    TurboTax 2011 WinPerTaxSupport (Version: 011.000.0214)
    TurboTax 2011 wrapper (Version: 011.000.0121)
    TurboTax 2012 (Version: 2012.0)
    TurboTax 2012 WinPerFedFormset (Version: 012.000.2083)
    TurboTax 2012 WinPerReleaseEngine (Version: 012.000.0451)
    TurboTax 2012 WinPerTaxSupport (Version: 012.000.0179)
    TurboTax 2012 wrapper (Version: 012.000.0127)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
    Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (Version: 1)
    Update for Microsoft Office 2010 (KB2494150)
    Update for Microsoft Office 2010 (KB2553065)
    Update for Microsoft Office 2010 (KB2553092)
    Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2566458)
    Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition
    Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
    Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition
    Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
    Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
    Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition
    Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition

    ==================== Restore Points =========================

    Could not list Restore Points.


    ==================== Scheduled Tasks (whitelisted) =============


    ==================== Faulty Device Manager Devices =============


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (06/22/2013 10:41:13 AM) (Source: Application Error) (User: )
    Description: Faulting application name: gmerzhmqj278.exe, version: 2.1.19163.0, time stamp: 0x515d31f0
    Faulting module name: gmerzhmqj278.exe, version: 2.1.19163.0, time stamp: 0x515d31f0
    Exception code: 0xc0000005
    Fault offset: 0x00012288
    Faulting process id: 0x484
    Faulting application start time: 0xgmerzhmqj278.exe0
    Faulting application path: gmerzhmqj278.exe1
    Faulting module path: gmerzhmqj278.exe2
    Report Id: gmerzhmqj278.exe3

    Error: (06/17/2013 09:53:45 AM) (Source: Windows Backup) (User: )
    Description: The backup was not successful. The error is: Windows Backup failed while trying to read from the shadow copy on one of the volumes being backed up. Please check in the event logs for any relevant errors. (0x81000037).

    Error: (06/09/2013 07:12:00 PM) (Source: Windows Backup) (User: )
    Description: The backup was not successful. The error is: Windows Backup failed while trying to read from the shadow copy on one of the volumes being backed up. Please check in the event logs for any relevant errors. (0x81000037).

    Error: (06/02/2013 07:09:32 PM) (Source: Windows Backup) (User: )
    Description: The backup was not successful. The error is: Windows Backup failed while trying to read from the shadow copy on one of the volumes being backed up. Please check in the event logs for any relevant errors. (0x81000037).

    Error: (05/26/2013 07:10:21 PM) (Source: Windows Backup) (User: )
    Description: The backup was not successful. The error is: Windows Backup failed while trying to read from the shadow copy on one of the volumes being backed up. Please check in the event logs for any relevant errors. (0x81000037).

    Error: (05/23/2013 01:58:45 PM) (Source: Application Error) (User: )
    Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
    Faulting module name: KERNELBASE.dll, version: 6.1.7601.18015, time stamp: 0x50b83b16
    Exception code: 0x0eedfade
    Fault offset: 0x0000812f
    Faulting process id: 0x400
    Faulting application start time: 0xsvchost.exe0
    Faulting application path: svchost.exe1
    Faulting module path: svchost.exe2
    Report Id: svchost.exe3

    Error: (03/20/2013 09:01:21 AM) (Source: Application Hang) (User: )
    Description: The program iexplore.exe version 9.0.8112.16470 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

    Process ID: d1c

    Start Time: 01ce25800829ed1e

    Termination Time: 0

    Application Path: C:\Program Files\Internet Explorer\iexplore.exe

    Report Id:

    Error: (03/13/2013 03:25:47 PM) (Source: Application Hang) (User: )
    Description: The program iexplore.exe version 9.0.8112.16464 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

    Process ID: 1734

    Start Time: 01ce202d46b203c7

    Termination Time: 31

    Application Path: C:\Program Files\Internet Explorer\iexplore.exe

    Report Id:

    Error: (01/04/2013 04:21:01 PM) (Source: MsiInstaller) (User: Jerry-PC)
    Description: Product: Windows Phone -- Windows Phone requires .Net framework 4.0. Please install from 'http://go.microsoft.com/fwlink/?LinkID=186913/' and restart setup

    Error: (01/04/2013 04:11:24 PM) (Source: MsiInstaller) (User: Jerry-PC)
    Description: Product: Windows Phone -- Windows Phone requires .Net framework 4.0. Please install from 'http://go.microsoft.com/fwlink/?LinkID=186913/' and restart setup


    System errors:
    =============
    Error: (06/24/2013 11:47:45 AM) (Source: Microsoft Antimalware) (User: )
    Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.153.188.0

    Update Source: %NT AUTHORITY59

    Update Stage: 4.2.0223.00

    Source Path: 4.2.0223.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\SYSTEM

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

    Error: (06/22/2013 07:29:44 PM) (Source: Microsoft Antimalware) (User: )
    Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.153.188.0

    Update Source: %NT AUTHORITY59

    Update Stage: 4.2.0223.00

    Source Path: 4.2.0223.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\SYSTEM

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

    Error: (06/22/2013 00:36:49 PM) (Source: Microsoft Antimalware) (User: )
    Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.153.188.0

    Update Source: %NT AUTHORITY59

    Update Stage: 4.2.0223.00

    Source Path: 4.2.0223.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\SYSTEM

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

    Error: (06/22/2013 10:27:40 AM) (Source: Microsoft Antimalware) (User: )
    Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.153.188.0

    Update Source: %NT AUTHORITY59

    Update Stage: 4.2.0223.00

    Source Path: 4.2.0223.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\SYSTEM

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

    Error: (06/22/2013 09:21:30 AM) (Source: Microsoft Antimalware) (User: )
    Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.153.188.0

    Update Source: %NT AUTHORITY59

    Update Stage: 4.2.0223.00

    Source Path: 4.2.0223.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\SYSTEM

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

    Error: (06/20/2013 07:22:22 PM) (Source: Microsoft Antimalware) (User: )
    Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.153.188.0

    Update Source: %NT AUTHORITY59

    Update Stage: 4.2.0223.00

    Source Path: 4.2.0223.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\SYSTEM

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

    Error: (06/20/2013 04:33:52 PM) (Source: Service Control Manager) (User: )
    Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
    %%1068

    Error: (06/20/2013 04:33:52 PM) (Source: Service Control Manager) (User: )
    Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
    %%1068

    Error: (06/20/2013 04:33:52 PM) (Source: Service Control Manager) (User: )
    Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
    %%1068

    Error: (06/20/2013 04:31:45 PM) (Source: Service Control Manager) (User: )
    Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
    %%1068


    Microsoft Office Sessions:
    =========================
    Error: (06/22/2013 10:41:13 AM) (Source: Application Error)(User: )
    Description: gmerzhmqj278.exe2.1.19163.0515d31f0gmerzhmqj278.exe2.1.19163.0515d31f0c00000050001228848401ce6f6f4dd2a84fC:\Users\Jeff\Desktop\Ken\gmerzhmqj278.exeC:\Users\Jeff\Desktop\Ken\gmerzhmqj278.exeee239b08-db62-11e2-af0d-0013207255c4

    Error: (06/17/2013 09:53:45 AM) (Source: Windows Backup)(User: )
    Description: Windows Backup failed while trying to read from the shadow copy on one of the volumes being backed up. Please check in the event logs for any relevant errors. (0x81000037)

    Error: (06/09/2013 07:12:00 PM) (Source: Windows Backup)(User: )
    Description: Windows Backup failed while trying to read from the shadow copy on one of the volumes being backed up. Please check in the event logs for any relevant errors. (0x81000037)

    Error: (06/02/2013 07:09:32 PM) (Source: Windows Backup)(User: )
    Description: Windows Backup failed while trying to read from the shadow copy on one of the volumes being backed up. Please check in the event logs for any relevant errors. (0x81000037)

    Error: (05/26/2013 07:10:21 PM) (Source: Windows Backup)(User: )
    Description: Windows Backup failed while trying to read from the shadow copy on one of the volumes being backed up. Please check in the event logs for any relevant errors. (0x81000037)

    Error: (05/23/2013 01:58:45 PM) (Source: Application Error)(User: )
    Description: svchost.exe6.1.7600.163854a5bc100KERNELBASE.dll6.1.7601.1801550b83b160eedfade0000812f40001ce57f8421d7881C:\Windows\system32\svchost.exeC:\Windows\system32\KERNELBASE.dll8e4c21a6-c3eb-11e2-aa0a-0013207255c4

    Error: (03/20/2013 09:01:21 AM) (Source: Application Hang)(User: )
    Description: iexplore.exe9.0.8112.16470d1c01ce25800829ed1e0C:\Program Files\Internet Explorer\iexplore.exe

    Error: (03/13/2013 03:25:47 PM) (Source: Application Hang)(User: )
    Description: iexplore.exe9.0.8112.16464173401ce202d46b203c731C:\Program Files\Internet Explorer\iexplore.exe

    Error: (01/04/2013 04:21:01 PM) (Source: MsiInstaller)(User: Jerry-PC)
    Description: Product: Windows Phone -- Windows Phone requires .Net framework 4.0. Please install from 'http://go.microsoft.com/fwlink/?LinkID=186913/' and restart setup(NULL)(NULL)(NULL)(NULL)(NULL)

    Error: (01/04/2013 04:11:24 PM) (Source: MsiInstaller)(User: Jerry-PC)
    Description: Product: Windows Phone -- Windows Phone requires .Net framework 4.0. Please install from 'http://go.microsoft.com/fwlink/?LinkID=186913/' and restart setup(NULL)(NULL)(NULL)(NULL)(NULL)


    ==================== Memory info ===========================

    Percentage of memory in use: 32%
    Total physical RAM: 2557.79 MB
    Available physical RAM: 1727.34 MB
    Total Pagefile: 5113.86 MB
    Available Pagefile: 4294.62 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1906.43 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:74.43 GB) (Free:41.23 GB) NTFS
    Drive f: (New Volume) (Fixed) (Total:465.76 GB) (Free:268.56 GB) NTFS
    Drive g: () (Removable) (Total:1.9 GB) (Free:1.88 GB) FAT

    ==================== MBR & Partition Table ==================

    ==================== End Of Log ============================
     
  5. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    Download attached fixlist.txt file and save it to the Desktop.

    NOTE: It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

    Run FRST and press the Fix button just once and wait.

    The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

    Next,

    Open Malwarebytes, check for updates, then run a Quick scan. Full instructions follow if Malwarebytes is not installed:

    Download Malwarebytes from one of the following links and save it to your desktop:


    http://www.malwarebytes.org/mbam.php
    http://www.softpedia.com/get/Antivirus/Malwarebytes-Anti-Malware.shtml
    http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

    Double-click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Let me see those two logs.
     


  6. GreyGuy

    GreyGuy Thread Starter

    Joined:
    Dec 19, 2006
    Messages:
    79
    Here we go again...

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 22-06-2013
    Ran by Jeff at 2013-06-24 13:04:13 Run:1
    Running from C:\Users\Jeff\Desktop\Ken
    Boot Mode: Normal

    ==============================================

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ApnUpdater => Value not found.
    ltpwqfku => Service not found.
    stezfppu => Service not found.
    C:\Windows\system32\drivers\ltpwqfku.sys => File/Directory not found.
    C:\Windows\system32\drivers\stezfppu.sys => File/Directory not found.
    Could not move C:\ProgramData\jmjqeq.pad. => Scheduled to move on reboot.
    Could not move C:\ProgramData\as98213.txt. => Scheduled to move on reboot.
    Could not move C:\ProgramData\qeqjmj.dat. => Scheduled to move on reboot.
    Could not move C:\ProgramData\rundll32.exe. => Scheduled to move on reboot.

    =========== Result of Scheduled Files to move ===========
    C:\ProgramData\jmjqeq.pad => File could not move.
    C:\ProgramData\as98213.txt => File could not move.
    C:\ProgramData\qeqjmj.dat => File could not move.
    C:\ProgramData\rundll32.exe => File could not move.

    ==== End of Fixlog ====

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.06.24.06

    Windows 7 Service Pack 1 x86 FAT
    Internet Explorer 9.0.8112.16421
    Jerry :: JERRY-PC [administrator]

    6/24/2013 1:14:53 PM
    MBAM-log-2013-06-24 (13-25-00).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 252187
    Time elapsed: 8 minute(s), 48 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ctfmon.exe (Trojan.Agent.Gen) -> Data: C:\PROGRA~2\rundll32.exe C:\PROGRA~2\qeqjmj.dat,FG00 -> No action taken.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 6
    C:\ProgramData\qeqjmj.dat (Trojan.Ransom) -> No action taken.
    C:\Users\Jerry\AppData\Local\Temp\1E95.tmp (Rootkit.0Access) -> No action taken.
    C:\Users\Jerry\AppData\Local\Temp\CE1.tmp (Trojan.FakeAlert.ED) -> No action taken.
    C:\Users\Jerry\AppData\Local\Temp\msimg32.dll (Rootkit.0Access) -> No action taken.
    C:\Users\Jerry\AppData\Local\Temp\xopcmqkhitayebrfoql.bfg (Trojan.Ransom) -> No action taken.
    C:\ProgramData\rundll32.exe (Trojan.Agent.Gen) -> No action taken.

    (end)
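The log lines above carry the indicators a reviewer keys on: a rundll32.exe copy in C:\ProgramData, three files created in the same minute as it, and a Run value named after ctfmon.exe that launches that rundll32 with a .dat instead of a .dll. As an added example (not code from the thread or from FRST or Malwarebytes), the Python below parses those very lines and flags each of the three patterns; the FRST and Malwarebytes lines are copied from the logs above, and the list of Windows binary names is my own assumption.

```python
import re

# Windows binaries whose names malware borrows; a copy of one of these stored
# outside C:\Windows (here C:\ProgramData\rundll32.exe) deserves a close look.
# (Assumed list, not taken from the thread.)
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe", "winlogon.exe",
                   "wininit.exe", "services.exe", "userinit.exe", "ctfmon.exe",
                   "csrss.exe", "lsass.exe"}

# FRST file line: modified - created - size attrs [(company)] path
FRST_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)
# Malwarebytes registry-value line: key|name (detection) -> Data: ... -> action
RUN_RE = re.compile(r"^(?P<key>[^|]+\\Run)\|(?P<name>\S+) .*?-> Data: (?P<data>.*?) -> ")

# Sample input: lines copied from the FRST listing and Malwarebytes log in this thread.
FRST_LINES = r"""
2013-06-20 18:52 - 2013-06-20 14:10 - 95023320 ___AT C:\ProgramData\jmjqeq.pad
2013-06-20 18:52 - 2013-06-20 14:10 - 00000000 ____A C:\ProgramData\as98213.txt
2013-06-20 14:10 - 2013-06-20 14:10 - 00163840 ____A C:\ProgramData\qeqjmj.dat
2013-06-20 14:10 - 2013-06-20 14:10 - 00044544 ____A (Microsoft Corporation) C:\ProgramData\rundll32.exe
2013-06-11 19:01 - 2012-03-15 20:15 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-05-28 09:25 - 2013-01-21 14:16 - 00732672 __ASH C:\Users\Jerry\Documents\Thumbs.db
"""
MBAM_RUN_LINE = (
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ctfmon.exe (Trojan.Agent.Gen)"
    r" -> Data: C:\PROGRA~2\rundll32.exe C:\PROGRA~2\qeqjmj.dat,FG00 -> No action taken."
)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def under_windows(path):
    return "\\windows\\" in path.lower()

def parse_frst(text):
    """Parse FRST file lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = FRST_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def find_masquerades(entries):
    """Files (attribute D marks a directory) named like a Windows binary but stored outside C:\\Windows."""
    return [e for e in entries
            if "D" not in e["attrs"]
            and basename(e["path"]) in SYSTEM_BINARIES
            and not under_windows(e["path"])]

def find_companions(entries, anchor):
    """Other non-Windows files created in the same minute as the anchor (FRST has minute
    resolution); a dropper writes loader, payload and marker files together, as here."""
    return [e["path"] for e in entries
            if e is not anchor
            and e["created"] == anchor["created"]
            and not under_windows(e["path"])]

def analyze_run_value(line):
    """Flag a Run value named after a Windows binary, or one that starts rundll32 from an
    odd location or with a non-.dll module. Returns None for non-matching lines."""
    m = RUN_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("data").split()
    findings = []
    if m.group("name").lower() in SYSTEM_BINARIES:
        findings.append("value name mimics a Windows binary")
    if tokens and basename(tokens[0]) == "rundll32.exe":
        if not under_windows(tokens[0]):
            findings.append("rundll32.exe started from outside the Windows directory")
        if len(tokens) > 1:
            module = tokens[1].split(",")[0]
            if not module.lower().endswith(".dll"):
                findings.append("rundll32 module is not a .dll: " + module)
    return {"name": m.group("name"), "data": m.group("data"), "findings": findings}

def triage(frst_text, run_lines):
    """Run the three checks and return one report keyed by indicator type."""
    entries = parse_frst(frst_text)
    masquerades = find_masquerades(entries)
    companions = []
    for anchor in masquerades:
        companions.extend(find_companions(entries, anchor))
    run_values = [r for r in map(analyze_run_value, run_lines) if r and r["findings"]]
    return {"masquerades": [e["path"] for e in masquerades],
            "companions": companions, "run_values": run_values}

if __name__ == "__main__":
    for kind, hits in triage(FRST_LINES, [MBAM_RUN_LINE]).items():
        print(kind, hits)
```

Thumbs.db (hidden/system, but created months earlier) and the legitimate MRT.exe under System32 are deliberately included so the checks show they are not flagged by attributes or vendor string alone.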
     
  7. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    Why no action taken with Malwarebytes? Also very strange why FRST finds none of the entries in fixlist.txt.

    Can you re-run Malwarebytes and deal with the entries it finds, then post the new log?
     
  8. GreyGuy

    GreyGuy Thread Starter

    Joined:
    Dec 19, 2006
    Messages:
    79
    Looks promising...

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.06.24.06

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Jeff :: JERRY-PC [limited]

    6/24/2013 7:05:19 PM
    mbam-log-2013-06-24 (19-05-19).txt

    Scan type: Full scan (C:\|F:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 296520
    Time elapsed: 42 minute(s), 47 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  9. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    Yep, sure does. Run the following:

    Download AdwCleaner by Xplode from http://www.bleepingcomputer.com/download/adwcleaner/ onto your Desktop.

    • Please close all open programs and internet browsers.
    • Double click on Adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with OK.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

    Next,

    This one will take several hours...

    Run Eset Online Scanner

    **Note** You will need to use Internet Explorer for this scan. On Vista and Windows 7, right-click on the IE shortcut and run as admin.

    Go to the ESET web page http://www.eset.com/home/products/online-scanner/ to run an online scanner from ESET.

    • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
    • Click on the Run ESET Online Scanner button.
    • Tick the box next to YES, I accept the Terms of Use, then click Start.
    • When asked, allow the add-on to be installed, then click Start.
    • Make sure that the option Remove found threats is unticked.
    • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked, then click Scan.
    • Wait for the virus definitions to be downloaded.
    • Wait for the scan to finish.

    When the scan is complete:

    If no threats were found
    • Put a checkmark in "Uninstall application on close".
    • Close the program.
    • Report to me that nothing was found.

    If threats were found
    • Click on "list of threats found".
    • Click on "export to text file" and save it as ESET SCAN to the desktop.
    • Click on Back.
    • Put a checkmark in "Uninstall application on close".
    • Click on Finish.
    • Close the program.
    • Copy and paste the report here.

    Let me see those logs, and also give an update on any remaining issues or concerns.

    Kevin
     
  10. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    Apologies, I will be offline for maybe the next 24 hours.
     
  11. Mark1956

    Mark1956 Malware Specialist

    Joined:
    May 7, 2011
    Messages:
    14,142
    Please continue with Kevin's instructions; I will be here to help while he is offline.
     
  12. GreyGuy

    GreyGuy Thread Starter

    Joined:
    Dec 19, 2006
    Messages:
    79
    My friend was happy with the results before the ESET scans and he took his PC home. Thanks for all your time and energy. So how can I start on the road to becoming a Malware Ninja? I remember reading about some sort of training/apprentice thing, but how does one actually get started here with TSG?
     
  13. Mark1956

    Mark1956 Malware Specialist

    Joined:
    May 7, 2011
    Messages:
    14,142
    As you have not completed the scans requested by Kevinf80, I would cast serious doubt on that PC being clean, considering it had a ZeroAccess rootkit, which is a serious infection that can compromise the system. Your friend should be on high alert for any unusual behaviour.

    I don't think training is available on this site at present, but this would be a good place to start: http://www.malwareremoval.com/forum/viewtopic.php?f=201&t=61859#.UcP0MTswcyg

    If you need some more information you can send a PM to Cookiegal.
     
Short URL to this thread: https://techguy.org/1101857