GeekPolice
FBI MoneyPak Not even able to enter safemode
Hi Guys,
I am having a problem with the FBI Money Pak virus. The problem is I am not able to log in to my system, even in safe mode. I have a Lenovo notebook and the operating system is Windows 7 SP1. I am not even able to log in to safe mode. I tried to work with safe mode with networking, but it shows the same FBI screen and I am not able to see anything else like start options and so on.
When I try to log in to safe mode it just hangs with a white screen.

Please help.

Thanks

Re: FBI MoneyPak Not even able to enter safemode
Hi there invisible016!

I am Gabethebabe and I will be helping you with this issue. Before we start some general remarks/rules:
  • Whilst I'm helping you, please follow my instructions carefully and do not experiment on your own or accept help from other persons.
  • Feel free to ask questions! Especially if my instructions are not clear. I'm here to help, not confuse you.
  • I will try and respond quickly, but please understand I do have a real life (job, wife, 3 kids, kinky hobbies).
  • Stick with me till the end. If your computer starts running better, that doesn't mean it is clean yet!

====================

OK, so you are currently unable to get your computer working in any way?
Do you have access to a clean computer to burn some boot CDs that can help us access your computer?
If so, please proceed with the following:

====================

Please download the 32-bit version of the Recovery Scan Tool by Farbar from here and save it to a USB memory stick.

====================

  • You will need a blank CD to burn the boot CD
  • Download OTLPEStd.exe by OldTimer from here (a big download)
  • Double-click on OTLPEStd.exe to burn the boot CD
  • Reboot your infected system using the boot CD you just created. If you don't know how to boot from CD, check out this page
  • Booting will take quite some time, so please be patient
  • Finally you should see the REATOGO-X-PE desktop. Find the OTLPE icon and double click it to run OTLPE
  • Answer Yes and OK to all prompts
  • Ensure the option Automatically Load All Remaining Users is checked
  • OTL should now start. Set the option Drivers to Non-Microsoft
  • Copy and paste the following text into the Custom Scans/Fixes field:
    /md5start
    atapi.sys
    iastor.sys
    ndis.sys
    userinit.exe
    winlogon.exe
    services.exe
    /md5stop

  • Click Run Scan to start the scan
  • When finished, a log file C:\OTL.txt will be created
  • Please post the contents of the file in your next reply

====================

  • Insert the USB drive with the Farbar Recovery Scan tool in your computer (while you are in REATOGO-X-PE mode)
  • Copy FRST.exe to the root directory of your hard disk.
  • Browse to your harddisk, find FRST.exe and doubleclick to run the tool
  • Run the scan without changing any of the options
  • A log will be created (FRST.txt), please post that here.

====================

The best way to get the logs is probably to copy them to the USB drive and post them from the clean computer.
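Why the custom scan hashes those six files, as an added example that is not part of this thread and not OldTimer's code: on Windows 7 the live System32 copy of a system binary is normally a hard link to one of the serviced copies under winsxs, so a System32 file whose MD5 matches none of the same-size winsxs copies has been altered after servicing, which is what a patched system file looks like in an OTL log. The script below parses an OTL `< MD5 for: ... >` section and reports such copies; the sample lines are constructed from the OTL.txt posted later in this thread.

```python
import re
from collections import defaultdict

# One "< MD5 for: NAME >" block header and the entry lines beneath it, in the
# format OTL uses:  [date time | size | attrs | M] (Company) MD5=HEX -- path
HEADER_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>[^>]+?)\s*>$")
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+)$"
)

# Sample input, constructed from the OTL.txt posted later in this thread
# (three of the six files; the services.exe System32 copy is the odd one out).
SAMPLE_LOG = r"""
< MD5 for: ATAPI.SYS >
[2009/07/13 21:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- E:\Windows\System32\drivers\atapi.sys
[2009/07/13 21:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- E:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_df3f92057fcbe7a7\atapi.sys

< MD5 for: SERVICES.EXE >
[2009/07/13 21:14:36 | 000,259,072 | ---- | M] (Microsoft Corporation) MD5=5F1B6A9C35D3D5CA72D6D6FDEF9747D6 -- E:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009/07/13 21:14:36 | 000,259,072 | ---- | M] (Microsoft Corporation) MD5=A302BBFF2A7278C0E239EE5D471D86A9 -- E:\Windows\System32\services.exe

< MD5 for: USERINIT.EXE >
[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- E:\Windows\System32\userinit.exe
[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- E:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
[2009/07/13 21:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- E:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
< End of report >
"""


def is_backing_store(path):
    """Copies under winsxs or the DriverStore are the serviced originals."""
    p = path.lower()
    return "\\winsxs\\" in p or "\\driverstore\\" in p


def parse_md5_section(text):
    """Group OTL MD5 entries by file name: {name: [{size, md5, path, company}, ...]}."""
    groups = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").lower()
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            groups[current].append({
                "size": int(entry.group("size").replace(",", "")),
                "md5": entry.group("md5").upper(),
                "path": entry.group("path").strip(),
                "company": entry.group("company").strip(),
            })
    return dict(groups)


def find_mismatches(groups):
    """Return (name, path, md5) for each live copy whose hash matches no same-size backing copy.

    The System32 file should be a hard link to a winsxs copy, so a same-size
    live copy with a different MD5 was modified after servicing. Files with no
    backing copy at all (e.g. a vendor driver under Program Files) cannot be
    judged this way and are skipped rather than reported.
    """
    findings = []
    for name, entries in groups.items():
        store = [e for e in entries if is_backing_store(e["path"])]
        for live in (e for e in entries if not is_backing_store(e["path"])):
            same_size = {s["md5"] for s in store if s["size"] == live["size"]}
            if same_size and live["md5"] not in same_size:
                findings.append((name, live["path"], live["md5"]))
    return findings


if __name__ == "__main__":
    for name, path, md5 in find_mismatches(parse_md5_section(SAMPLE_LOG)):
        print(f"SUSPECT {name}: {path} MD5={md5} matches no backing-store copy of the same size")
```

Run against a full OTL.txt by reading the file into `parse_md5_section`; a hit means the file should be replaced from a known-good copy, not just the hash noted.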

Re: FBI MoneyPak Not even able to enter safemode

Hi,

Thanks for the help.

My notebook does not show the option for USB when I try to insert it when REATOGO-X-PE is active. I got the OTL log file, but to continue further I need the USB to be seen in My Computer. I see other drives B, C, D, E and REATOGO-X-PE also; however, at the bottom a green icon is coming up and says safe to remove hardware. I have tried a couple of USB drives and they work on the other systems, so the USB is not the problem.
I have tried every port on the system, but no use.

Waiting for suggestions,
Thanks.


Re: FBI MoneyPak Not even able to enter safemode
OK, so you got the boot disk running and the OTLPE, but you are unable to get the log onto a USB drive, because the computer is not recognizing them.

Ugh - do you have some older USB drive? The REATOGO-X-PE operating system is kinda oldish, and new USB drives, especially the high-capacity ones, might not be recognized.

Are you normally able to work with USB drives on this computer?

If they are, and your computer allows booting from USB drives, you could try to create an OTLPE boot USB drive. This has the advantage that any log file you create can be written to the USB drive and read from a clean computer.

Create an OTLPE bootable USB stick

Re: FBI MoneyPak Not even able to enter safemode

Hi,
Please find the files OTL.txt and FRST.txt below.

OTL.txt

OTL logfile created on: 10/15/2012 9:19:43 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Windows 7 Home Premium Service Pack 1 (Version = 6.1.7601) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 88.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = E: | %SystemRoot% = E:\Windows | %ProgramFiles% = E:\Program Files
Drive C: | 200.00 Mb Total Space | 170.08 Mb Free Space | 85.04% Space Free | Partition Type: NTFS
Drive D: | 30.25 Gb Total Space | 28.96 Gb Free Space | 95.75% Space Free | Partition Type: NTFS
Drive E: | 252.89 Gb Total Space | 128.07 Gb Free Space | 50.64% Space Free | Partition Type: NTFS
Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2012/10/09 06:42:16 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- E:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/07/27 16:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto] -- E:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/07/13 15:14:14 | 000,160,944 | R--- | M] (Skype Technologies) [Auto] -- E:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/06/15 22:24:19 | 000,138,272 | R--- | M] (Symantec Corporation) [Auto] -- E:\Program Files\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe -- (NIS)
SRV - [2011/12/17 08:02:00 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand] -- E:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/03/25 18:32:02 | 000,445,496 | ---- | M] (Conexant Systems, Inc.) [Auto] -- E:\Windows\System32\SASrv.exe -- (SAService)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand] -- E:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2008/10/09 10:07:56 | 000,107,912 | ---- | M] () [Auto] -- E:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)


========== Driver Services (SafeList) ==========

DRV - [2012/10/03 23:55:40 | 001,601,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.8.0.14\Definitions\VirusDefs\20121014.006\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/10/03 23:55:40 | 000,092,704 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.8.0.14\Definitions\VirusDefs\20121014.006\NAVENG.SYS -- (NAVENG)
DRV - [2012/09/06 05:54:30 | 000,386,720 | ---- | M] (Symantec Corporation) [Kernel | System] -- E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.8.0.14\Definitions\IPSDefs\20121012.001\IDSvix86.sys -- (IDSVix86)
DRV - [2012/08/31 18:09:14 | 000,995,488 | ---- | M] (Symantec Corporation) [Kernel | System] -- E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.8.0.14\Definitions\BASHDefs\20120928.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2012/08/22 23:58:15 | 000,141,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2012/08/22 02:00:00 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System] -- E:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/08/22 02:00:00 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- E:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/07/05 22:17:57 | 000,574,112 | ---- | M] (Symantec Corporation) [File_System | On_Demand] -- E:\Windows\System32\Drivers\NIS\1309000.009\SRTSP.SYS -- (SRTSP)
DRV - [2012/07/05 22:17:57 | 000,032,928 | ---- | M] (Symantec Corporation) [Kernel | System] -- E:\Windows\system32\drivers\NIS\1309000.009\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2012/06/07 00:43:43 | 000,132,768 | ---- | M] (Symantec Corporation) [Kernel | System] -- E:\Windows\system32\drivers\NIS\1309000.009\ccSetx86.sys -- (ccSet_NIS)
DRV - [2012/05/21 21:37:12 | 000,924,320 | ---- | M] (Symantec Corporation) [File_System | Boot] -- E:\Windows\System32\drivers\NIS\1309000.009\symefa.sys -- (SymEFA)
DRV - [2012/04/17 22:13:32 | 000,318,584 | ---- | M] (Symantec Corporation) [Kernel | System] -- E:\Windows\System32\Drivers\NIS\1309000.009\SYMNETS.SYS -- (SymNetS)
DRV - [2012/04/17 22:13:22 | 000,340,088 | R--- | M] (Symantec Corporation) [Kernel | Boot] -- E:\Windows\System32\drivers\NIS\1309000.009\symds.sys -- (SymDS)
DRV - [2012/04/17 21:42:14 | 000,149,624 | ---- | M] (Symantec Corporation) [Kernel | System] -- E:\Windows\system32\drivers\NIS\1309000.009\Ironx86.SYS -- (SymIRON)
DRV - [2010/11/20 06:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 05:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/03/31 15:49:52 | 000,517,688 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand] -- E:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2009/07/13 19:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\Owner_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\Owner_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\Owner_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\Owner_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 1A C5 AA 5B B8 BA CC 01 [binary data]
IE - HKU\Owner_ON_E\..\URLSearchHook: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - Reg Error: Key error. File not found
IE - HKU\Owner_ON_E\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: E:\Windows\System32\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: E:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: E:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: E:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: E:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.8.0.14\IPSFFPlgn\ [2012/08/22 23:58:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.8.0.14\coFFPlgn\ [2012/10/15 19:33:34 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/04/10 17:36:32 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/04/19 06:02:13 | 000,000,000 | ---D | M] (No name found) -- E:\Program Files\Mozilla Firefox\extensions
[2011/12/25 13:29:38 | 000,000,000 | ---D | M] (Skype Click to Call) -- E:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012/04/19 06:02:13 | 000,000,000 | ---D | M] (Java Console) -- E:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
[2012/04/10 17:36:32 | 000,134,104 | ---- | M] (Mozilla Foundation) -- E:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/04/10 17:36:27 | 000,002,252 | ---- | M] () -- E:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/04/10 17:36:27 | 000,002,040 | ---- | M] () -- E:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2009/06/10 17:39:37 | 000,000,824 | ---- | M]) - E:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - E:\Program Files\Norton Internet Security\Engine\19.9.0.9\coieplg.dll (Symantec Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - E:\Program Files\Norton Internet Security\Engine\19.9.0.9\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - E:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - E:\Program Files\Norton Internet Security\Engine\19.9.0.9\coieplg.dll (Symantec Corporation)
O3 - HKU\Owner_ON_E\..\Toolbar\WebBrowser: (no name) - {CD90BF73-20F6-44EF-993D-BB920303BD2E} - No CLSID value found.
O4 - HKLM..\Run: [CanonMyPrinter] E:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] E:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [SmartAudio] E:\Program Files\CONEXANT\SAII\SAIICpl.exe ()
O4 - HKU\Owner_ON_E..\Run: [Cofiu] E:\Users\Owner\AppData\Roaming\Amru\vuop.exe ()
O4 - HKU\Owner_ON_E..\Run: [Huakbig] E:\Users\Owner\AppData\Roaming\Qoapzu\riny.exe ()
O4 - HKU\Owner_ON_E..\Run: [Octoshape Streaming Services] E:\Users\Owner\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe (Octoshape ApS)
O4 - HKU\Owner_ON_E..\Run: [SmartAudio] E:\Program Files\CONEXANT\SAII\SAIICpl.exe ()
O4 - HKU\Owner_ON_E..\Run: [VeohPlugin] E:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe (Veoh Networks)
O4 - HKU\LocalService_ON_E..\RunOnce: [mctadmin] E:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\NetworkService_ON_E..\RunOnce: [mctadmin] E:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - Startup: Error locating startup folders.
F3 - HKU\Owner_ON_E WinNT: Load - (C:\Users\Owner\LOCALS~1\Temp\msteyia.com) - File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - E:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - E:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000032 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000033 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000034 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000035 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000036 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000037 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000038 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000039 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000040 - File not found
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://gateway.wipro.com/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - E:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - E:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - E:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKU\Owner_ON_E Winlogon: Shell - (explorer.exe) - E:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKU\Owner_ON_E Winlogon: Shell - (C:\Users\Owner\AppData\Roaming\msconfig.dat) - E:\Users\Owner\AppData\Roaming\msconfig.dat ()
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - E:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/10/14 20:30:35 | 000,000,000 | ---D | C] -- E:\Users\Owner\AppData\Roaming\Teib
[2012/10/14 20:30:35 | 000,000,000 | ---D | C] -- E:\Users\Owner\AppData\Roaming\Qoapzu
[2012/10/14 20:30:35 | 000,000,000 | ---D | C] -- E:\Users\Owner\AppData\Roaming\Okdi
[2012/10/14 19:00:33 | 000,000,000 | ---D | C] -- E:\Users\Owner\AppData\Roaming\Ms_dir_
[2012/10/14 19:00:01 | 000,000,000 | ---D | C] -- E:\Users\Owner\AppData\Roaming\Omwe
[2012/10/14 19:00:00 | 000,000,000 | ---D | C] -- E:\Users\Owner\AppData\Roaming\Ywhyk
[2012/10/14 19:00:00 | 000,000,000 | ---D | C] -- E:\Users\Owner\AppData\Roaming\Teug
[2012/10/14 18:59:35 | 000,000,000 | ---D | C] -- E:\Users\Owner\AppData\Roaming\Wyze
[2012/10/14 18:59:35 | 000,000,000 | ---D | C] -- E:\Users\Owner\AppData\Roaming\Uzysyv
[2012/10/14 18:59:35 | 000,000,000 | ---D | C] -- E:\Users\Owner\AppData\Roaming\Amru
[2012/10/09 05:42:07 | 010,220,472 | ---- | C] (Adobe Systems Incorporated) -- E:\Windows\System32\FlashPlayerInstaller.exe
[2012/10/08 06:56:05 | 000,000,000 | ---D | C] -- E:\Users\Owner\Desktop\Adil
[2012/09/28 08:02:27 | 000,000,000 | ---D | C] -- E:\Users\Owner\Desktop\sept 28
[2012/09/25 11:07:37 | 000,000,000 | ---D | C] -- E:\Users\Owner\Desktop\Sept 25
[2012/09/24 18:42:13 | 000,000,000 | ---D | C] -- E:\Users\Owner\Desktop\Lenova Space
[2012/09/24 14:52:07 | 000,000,000 | ---D | C] -- E:\Users\Owner\AppData\Local\CrashDumps
[2012/09/24 13:41:53 | 000,000,000 | ---D | C] -- E:\Users\Owner\Desktop\Mallikarjun
[2012/09/24 11:55:47 | 000,000,000 | ---D | C] -- E:\Users\Owner\Desktop\safe flash
[2012/09/24 11:52:48 | 000,000,000 | ---D | C] -- E:\Users\Owner\Desktop\blue flashdrive
[2012/09/19 10:33:52 | 000,000,000 | ---D | C] -- E:\Users\Owner\Desktop\sept 19

========== Files - Modified Within 30 Days ==========

[2012/10/15 19:35:23 | 000,067,584 | --S- | M] () -- E:\Windows\bootstat.dat
[2012/10/15 19:35:23 | 000,000,047 | ---- | M] () -- E:\Users\Owner\AppData\Roaming\msconfig.ini
[2012/10/15 19:32:56 | 2362,912,768 | -HS- | M] () -- E:\hiberfil.sys
[2012/10/14 22:40:10 | 000,019,520 | -H-- | M] () -- E:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/10/14 22:40:10 | 000,019,520 | -H-- | M] () -- E:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/10/14 21:42:00 | 000,000,830 | ---- | M] () -- E:\Windows\tasks\Adobe Flash Player Updater.job
[2012/10/14 19:00:49 | 000,000,000 | ---- | M] () -- E:\ProgramData\1VjM2R.dat
[2012/10/14 19:00:28 | 000,000,001 | ---- | M] () -- E:\ProgramData\2jFf5J64.exe_.b
[2012/10/14 19:00:28 | 000,000,001 | ---- | M] () -- E:\ProgramData\2jFf5J64.exe.b
[2012/10/14 19:00:14 | 000,109,568 | -HS- | M] () -- E:\ProgramData\2jFf5J64.exe
[2012/10/09 06:42:15 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- E:\Windows\System32\FlashPlayerApp.exe
[2012/10/09 06:42:15 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- E:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/10/09 06:42:13 | 010,220,472 | ---- | M] (Adobe Systems Incorporated) -- E:\Windows\System32\FlashPlayerInstaller.exe
[2012/10/08 06:57:30 | 000,253,111 | ---- | M] () -- E:\Users\Owner\Desktop\Sept 2012 Timesheet.pdf
[2012/10/07 21:31:40 | 000,002,414 | ---- | M] () -- E:\Users\Public\Desktop\Norton Internet Security.lnk
[2012/10/07 21:31:40 | 000,000,000 | R--D | M] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Internet Security
[2012/10/07 21:31:10 | 001,497,491 | ---- | M] () -- E:\Windows\System32\drivers\NIS\1309000.009\Cat.DB
[2012/10/02 21:45:44 | 000,009,103 | ---- | M] () -- E:\Windows\System32\drivers\NIS\1309000.009\VT20121002.018
[2012/09/26 06:34:14 | 000,000,172 | ---- | M] () -- E:\Windows\System32\drivers\NIS\1309000.009\isolate.ini
[2012/09/19 22:41:11 | 324,636,522 | ---- | M] () -- E:\Windows\MEMORY.DMP

========== Files Created - No Company Name ==========

[2012/10/14 19:00:49 | 000,000,000 | ---- | C] () -- E:\ProgramData\1VjM2R.dat
[2012/10/14 19:00:28 | 000,000,001 | ---- | C] () -- E:\ProgramData\2jFf5J64.exe_.b
[2012/10/14 19:00:28 | 000,000,001 | ---- | C] () -- E:\ProgramData\2jFf5J64.exe.b
[2012/10/14 19:00:27 | 000,109,568 | -HS- | C] () -- E:\ProgramData\2jFf5J64.exe
[2012/10/14 18:59:58 | 000,000,047 | ---- | C] () -- E:\Users\Owner\AppData\Roaming\msconfig.ini
[2012/10/08 06:57:47 | 000,253,111 | ---- | C] () -- E:\Users\Owner\Desktop\Sept 2012 Timesheet.pdf
[2012/01/11 00:19:29 | 000,098,816 | -HS- | C] () -- E:\Users\Owner\AppData\Roaming\msconfig.dat
[2012/01/01 19:16:08 | 000,098,304 | ---- | C] () -- E:\Windows\System32\redmonnt.dll
[2011/12/17 17:16:07 | 000,252,928 | ---- | C] () -- E:\Windows\System32\DShowRdpFilter.dll
[2009/07/19 05:59:56 | 000,336,704 | ---- | C] () -- E:\Windows\System32\perfi019.dat
[2009/07/19 05:59:55 | 000,662,450 | ---- | C] () -- E:\Windows\System32\perfh019.dat
[2009/07/19 05:59:55 | 000,124,802 | ---- | C] () -- E:\Windows\System32\perfc019.dat
[2009/07/19 05:59:55 | 000,039,446 | ---- | C] () -- E:\Windows\System32\perfd019.dat
[2009/07/14 00:57:37 | 000,067,584 | --S- | C] () -- E:\Windows\bootstat.dat
[2009/07/14 00:33:53 | 000,409,752 | ---- | C] () -- E:\Windows\System32\FNTCACHE.DAT
[2009/07/13 22:05:48 | 000,615,360 | ---- | C] () -- E:\Windows\System32\perfh009.dat
[2009/07/13 22:05:48 | 000,291,294 | ---- | C] () -- E:\Windows\System32\perfi009.dat
[2009/07/13 22:05:48 | 000,103,702 | ---- | C] () -- E:\Windows\System32\perfc009.dat
[2009/07/13 22:05:48 | 000,031,548 | ---- | C] () -- E:\Windows\System32\perfd009.dat
[2009/07/13 22:05:05 | 000,000,741 | ---- | C] () -- E:\Windows\System32\NOISE.DAT
[2009/07/13 22:04:11 | 000,215,943 | ---- | C] () -- E:\Windows\System32\dssec.dat
[2009/07/13 19:55:01 | 000,043,131 | ---- | C] () -- E:\Windows\mib.bin
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- E:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- E:\Windows\System32\BWContextHandler.dll
[2009/07/13 18:09:19 | 000,982,196 | ---- | C] () -- E:\Windows\System32\igkrng500.bin
[2009/07/13 18:09:19 | 000,417,344 | ---- | C] () -- E:\Windows\System32\igcompkrng500.bin
[2009/07/13 18:09:19 | 000,139,824 | ---- | C] () -- E:\Windows\System32\igfcg500.bin
[2009/07/13 18:09:19 | 000,097,448 | ---- | C] () -- E:\Windows\System32\igfcg500m.bin
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- E:\Windows\System32\mlang.dat

========== LOP Check ==========

[2009/07/14 00:53:55 | 000,000,000 | -HSD | M] -- E:\ProgramData\Application Data
[2012/01/01 13:36:27 | 000,000,000 | -H-D | M] -- E:\ProgramData\CanonBJ
[2012/10/14 22:24:52 | 000,000,000 | ---D | M] -- E:\ProgramData\CanonIJ
[2012/07/25 06:10:53 | 000,000,000 | -H-D | M] -- E:\ProgramData\CanonIJEGV
[2012/02/20 14:41:10 | 000,000,000 | -H-D | M] -- E:\ProgramData\CanonIJEPPEX
[2012/01/01 13:41:15 | 000,000,000 | -H-D | M] -- E:\ProgramData\CanonIJMyPrinter
[2012/10/14 22:24:55 | 000,000,000 | ---D | M] -- E:\ProgramData\CanonIJPLM
[2012/01/09 10:14:45 | 000,000,000 | -H-D | M] -- E:\ProgramData\CanonIJScan
[2012/01/01 13:41:17 | 000,000,000 | -H-D | M] -- E:\ProgramData\CanonIJSolutionMenu
[2012/08/20 14:36:32 | 000,000,000 | ---D | M] -- E:\ProgramData\Conexant
[2009/07/14 00:53:55 | 000,000,000 | -HSD | M] -- E:\ProgramData\Desktop
[2009/07/14 00:53:55 | 000,000,000 | -HSD | M] -- E:\ProgramData\Documents
[2009/07/14 00:53:55 | 000,000,000 | -HSD | M] -- E:\ProgramData\Favorites
[2009/07/14 00:53:55 | 000,000,000 | -HSD | M] -- E:\ProgramData\Start Menu
[2009/07/14 00:53:55 | 000,000,000 | -HSD | M] -- E:\ProgramData\Templates
[2009/07/14 00:53:46 | 000,031,410 | ---- | M] () -- E:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: ATAPI.SYS >
[2009/07/13 21:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- E:\Windows\System32\drivers\atapi.sys
[2009/07/13 21:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- E:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_fab873f3e8a3315c\atapi.sys
[2009/07/13 21:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- E:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys
[2009/07/13 21:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- E:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_df3f92057fcbe7a7\atapi.sys

< MD5 for: IASTOR.SYS >
[2009/06/04 14:54:36 | 000,408,600 | ---- | M] (Intel Corporation) MD5=1D004CB1DA6323B1F55CAEF7F94B61D9 -- E:\Program Files (x86)\Intel\Intel Matrix Storage Manager\driver64\IaStor.sys
[2009/06/04 14:43:16 | 000,330,264 | ---- | M] (Intel Corporation) MD5=D483687EACE0C065EE772481A96E05F5 -- E:\Program Files (x86)\Intel\Intel Matrix Storage Manager\driver\IaStor.sys

< MD5 for: NDIS.SYS >
[2009/07/13 21:20:44 | 000,710,720 | ---- | M] (Microsoft Corporation) MD5=23759D175A0A9BAAF04D05047BC135A8 -- E:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.1.7600.16385_none_a79d81ea7d62a289\ndis.sys
[2010/11/20 08:30:06 | 000,712,576 | ---- | M] (Microsoft Corporation) MD5=E7C54812A2AAF43316EB6930C1FFA108 -- E:\Windows\System32\drivers\ndis.sys
[2010/11/20 08:30:06 | 000,712,576 | ---- | M] (Microsoft Corporation) MD5=E7C54812A2AAF43316EB6930C1FFA108 -- E:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.1.7601.17514_none_a9ce95b27a512623\ndis.sys

< MD5 for: SERVICES.EXE >
[2009/07/13 21:14:36 | 000,259,072 | ---- | M] (Microsoft Corporation) MD5=5F1B6A9C35D3D5CA72D6D6FDEF9747D6 -- E:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009/07/13 21:14:36 | 000,259,072 | ---- | M] (Microsoft Corporation) MD5=A302BBFF2A7278C0E239EE5D471D86A9 -- E:\Windows\System32\services.exe

< MD5 for: USERINIT.EXE >
[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- E:\Windows\System32\userinit.exe
[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- E:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
[2009/07/13 21:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- E:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe

< MD5 for: WINLOGON.EXE >
[2009/10/28 02:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- E:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
[2009/10/28 01:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- E:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe
[2010/11/20 08:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- E:\Windows\System32\winlogon.exe
[2010/11/20 08:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- E:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe
[2009/07/13 21:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- E:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe
< End of report >

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

FRST.txt


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-10-2012
Ran by SYSTEM at 18-10-2012 01:16:11
Running from E:\
Windows 7 Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


==================== One Month Created Files and Folders ========

2012-10-18 01:15 - 2012-10-18 01:15 - 00000000 ____D C:\FRST
2012-10-18 01:15 - 2012-10-15 18:06 - 00906326 ____A (Farbar) C:\FRST.exe
2012-10-15 21:19 - 2012-10-15 21:19 - 00058340 ____A C:\OTL no skipping.txt
2012-10-15 21:17 - 2012-10-15 21:21 - 00058338 ____A C:\OTL.Txt
2012-10-14 20:30 - 2012-10-14 20:40 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Okdi
2012-10-14 20:30 - 2012-10-14 20:30 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Teib
2012-10-14 20:30 - 2012-10-14 20:30 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Qoapzu
2012-10-14 19:00 - 2012-10-14 19:04 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Teug
2012-10-14 19:00 - 2012-10-14 19:00 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Ywhyk
2012-10-14 19:00 - 2012-10-14 19:00 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Omwe
2012-10-14 19:00 - 2012-10-14 19:00 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Ms_dir_
2012-10-14 18:59 - 2012-10-15 19:35 - 00000047 ____A C:\Users\Owner\AppData\Roaming\msconfig.ini
2012-10-14 18:59 - 2012-10-14 19:02 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Wyze
2012-10-14 18:59 - 2012-10-14 18:59 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Uzysyv
2012-10-14 18:59 - 2012-10-14 18:59 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Amru
2012-10-14 11:53 - 2012-10-14 11:54 - 00000013 ____A C:\Users\Owner\Desktop\saudi.txt
2012-10-09 05:42 - 2012-10-09 06:42 - 10220472 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2012-10-08 06:56 - 2012-10-08 06:56 - 00000000 ____D C:\Users\Owner\Desktop\Adil
2012-09-30 02:50 - 2012-09-30 02:50 - 00000058 ____A C:\Users\Owner\Desktop\journey.txt
2012-09-28 17:44 - 2012-09-28 17:44 - 00004001 ____A C:\Users\Owner\Desktop\BOA.txt
2012-09-28 08:02 - 2012-09-28 08:37 - 00000000 ____D C:\Users\Owner\Desktop\sept 28
2012-09-25 11:07 - 2012-09-28 08:32 - 00000000 ____D C:\Users\Owner\Desktop\Sept 25
2012-09-25 11:07 - 2012-09-25 11:07 - 01147392 ____A C:\Users\Owner\Downloads\Confirmation of hours booked for weekended 23rd Sep'12.xls
2012-09-25 09:36 - 2012-09-25 09:36 - 00000407 ____A C:\Users\Owner\Desktop\error.txt
2012-09-24 18:42 - 2012-09-24 18:46 - 00000000 ____D C:\Users\Owner\Desktop\Lenova Space
2012-09-24 14:52 - 2012-10-01 18:20 - 00000000 ____D C:\Users\Owner\AppData\Local\CrashDumps
2012-09-24 13:41 - 2012-09-24 14:31 - 00000000 ____D C:\Users\Owner\Desktop\Mallikarjun
2012-09-24 11:55 - 2012-09-24 11:57 - 00000000 ____D C:\Users\Owner\Desktop\safe flash
2012-09-24 11:52 - 2012-09-24 11:54 - 00000000 ____D C:\Users\Owner\Desktop\blue flashdrive
2012-09-22 10:06 - 2012-09-22 12:37 - 00000000 ____D C:\Users\Owner\Citrix
2012-09-19 22:41 - 2012-09-19 22:41 - 01509160 ____A C:\Windows\Minidump\091912-24336-01.dmp
2012-09-19 10:33 - 2012-09-19 10:37 - 00000000 ____D C:\Users\Owner\Desktop\sept 19

==================== 3 Months Modified Files ==================

2012-10-15 21:21 - 2012-10-15 21:17 - 00058338 ____A C:\OTL.Txt
2012-10-15 21:19 - 2012-10-15 21:19 - 00058340 ____A C:\OTL no skipping.txt
2012-10-15 19:35 - 2012-10-14 18:59 - 00000047 ____A C:\Users\Owner\AppData\Roaming\msconfig.ini
2012-10-15 19:33 - 2009-07-14 00:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-15 19:33 - 2009-07-14 00:39 - 00176614 ____A C:\Windows\setupact.log
2012-10-15 18:06 - 2012-10-18 01:15 - 00906326 ____A (Farbar) C:\FRST.exe
2012-10-14 22:40 - 2009-07-14 00:34 - 00019520 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-14 22:40 - 2009-07-14 00:34 - 00019520 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-14 22:25 - 2011-12-14 18:00 - 00013656 ____A C:\Windows\PFRO.log
2012-10-14 21:42 - 2012-08-18 19:49 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-10-14 11:54 - 2012-10-14 11:53 - 00000013 ____A C:\Users\Owner\Desktop\saudi.txt
2012-10-09 06:42 - 2012-10-09 05:42 - 10220472 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2012-10-09 06:42 - 2012-08-18 19:49 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-10-09 06:42 - 2011-12-14 17:31 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-10-07 22:55 - 2012-08-27 10:58 - 00000428 ____A C:\Users\Owner\Desktop\link.txt
2012-10-07 21:31 - 2012-08-22 23:58 - 00002414 ____A C:\Users\Public\Desktop\Norton Internet Security.lnk
2012-09-30 02:50 - 2012-09-30 02:50 - 00000058 ____A C:\Users\Owner\Desktop\journey.txt
2012-09-28 17:44 - 2012-09-28 17:44 - 00004001 ____A C:\Users\Owner\Desktop\BOA.txt
2012-09-25 11:07 - 2012-09-25 11:07 - 01147392 ____A C:\Users\Owner\Downloads\Confirmation of hours booked for weekended 23rd Sep'12.xls
2012-09-25 09:36 - 2012-09-25 09:36 - 00000407 ____A C:\Users\Owner\Desktop\error.txt
2012-09-19 22:41 - 2012-09-19 22:41 - 01509160 ____A C:\Windows\Minidump\091912-24336-01.dmp
2012-09-19 22:41 - 2012-06-08 00:24 - 324636522 ____A C:\Windows\MEMORY.DMP
2012-09-17 21:32 - 2012-09-17 21:31 - 01508520 ____A C:\Windows\Minidump\091712-25459-01.dmp
2012-09-15 21:08 - 2012-09-15 21:08 - 01506136 ____A C:\Windows\Minidump\091512-24570-01.dmp
2012-09-14 06:44 - 2012-09-14 06:44 - 01505992 ____A C:\Windows\Minidump\091412-24398-01.dmp
2012-09-13 04:17 - 2012-09-13 04:17 - 01506272 ____A C:\Windows\Minidump\091312-34195-01.dmp
2012-09-11 08:31 - 2012-09-11 08:30 - 00000059 ____A C:\Users\Owner\Desktop\temp.txt
2012-09-10 21:33 - 2012-09-10 21:33 - 01508904 ____A C:\Windows\Minidump\091012-25896-01.dmp
2012-09-04 07:07 - 2012-09-04 07:07 - 01506160 ____A C:\Windows\Minidump\090412-36644-01.dmp
2012-09-03 19:59 - 2012-09-03 19:59 - 01506896 ____A C:\Windows\Minidump\090312-44959-01.dmp
2012-09-02 12:39 - 2012-09-02 12:34 - 00000072 ____A C:\Users\Owner\Desktop\karamath.txt
2012-08-26 08:13 - 2012-08-26 08:13 - 00000000 ____A C:\Users\Owner\Desktop\field.txt
2012-08-23 08:04 - 2012-08-23 08:04 - 06255080 ____A (Symantec Corporation) C:\Users\Owner\Downloads\NRnR.exe
2012-08-23 06:45 - 2012-08-23 06:45 - 00002639 ____A C:\Users\Owner\Desktop\Instructions.txt
2012-08-23 00:11 - 2011-12-14 17:31 - 00713714 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-23 00:00 - 2012-08-23 00:00 - 02841104 ____A (Symantec Corporation) C:\Users\Owner\Downloads\NPE.exe
2012-08-22 23:58 - 2012-08-22 23:58 - 00141944 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2012-08-22 23:58 - 2012-08-22 23:58 - 00007468 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
2012-08-22 23:56 - 2011-12-16 05:11 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-17 20:42 - 2011-12-25 13:27 - 00002503 ____A C:\Users\Public\Desktop\Skype.lnk
2012-08-17 14:26 - 2012-08-17 14:26 - 00001989 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2012-08-16 10:09 - 2011-12-14 18:59 - 01174144 ____A C:\Windows\WindowsUpdate.log
2012-08-16 04:23 - 2009-07-14 00:33 - 00409752 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-16 04:04 - 2011-12-30 20:36 - 59884088 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

ZeroAccess:
C:\Windows\Installer\{68cac7a3-bc00-a020-1551-be4be81b71de}
C:\Windows\Installer\{68cac7a3-bc00-a020-1551-be4be81b71de}\L
C:\Windows\Installer\{68cac7a3-bc00-a020-1551-be4be81b71de}\L\201d3dde

ZeroAccess:
C:\Users\Owner\AppData\Local\{68cac7a3-bc00-a020-1551-be4be81b71de}
C:\Users\Owner\AppData\Local\{68cac7a3-bc00-a020-1551-be4be81b71de}\@
C:\Users\Owner\AppData\Local\{68cac7a3-bc00-a020-1551-be4be81b71de}\L
C:\Users\Owner\AppData\Local\{68cac7a3-bc00-a020-1551-be4be81b71de}\U

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points (XP) =====================


==================== Memory info ===========================

Percentage of memory in use: 9%
Total physical RAM: 3004.53 MB
Available physical RAM: 2725.14 MB
Total Pagefile: 2829.62 MB
Available Pagefile: 2762.46 MB
Total Virtual: 2047.88 MB
Available Virtual: 2002.02 MB

==================== Partitions =============================

1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
2 Drive c: () (Fixed) (Total:252.89 GB) (Free:128.03 GB) NTFS
3 Drive d: (Lenovo) (Fixed) (Total:30.25 GB) (Free:28.96 GB) NTFS
4 Drive e: () (Fixed) (Total:252.89 GB) (Free:128.03 GB) NTFS
5 Drive f: (ReatogoPE) (CDROM) (Total:0.28 GB) (Free:0 GB) CDFS
6 Drive x: (OTLPE) (Removable) (Total:1.87 GB) (Free:1.53 GB) FAT
7 Drive y: () (Fixed) (Total:0.2 GB) (Free:0.17 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 1 Online 298 GB 0 B

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 200 MB 1024 KB
Partition 2 Primary 253 GB 201 MB
Partition 3 Extended 30 GB 253 GB
Partition 4 Logical 30 GB 253 GB
Partition 5 OEM 15 GB 283 GB
=========================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 Y NTFS Partition 200 MB Healthy
=========================================================

Disk: 1
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C NTFS Partition 253 GB Healthy
=========================================================

Disk: 1
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 D Lenovo NTFS Partition 30 GB Healthy
=========================================================

Disk: 1
Partition 5
Type : 12
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 LENOVO_PART NTFS Partition 15 GB Healthy
=========================================================

Last Boot: 2012-10-06 01:18

==================== End Of Log ============================


Thanks.


Re: FBI MoneyPak Not even able to enter safemode
Interesting logs. Lotsa nasty buggers!

We're going to run a fix with OTLPE.

  • In REATOGO-X-PE environment, double click OTLPE to run
  • Under the Custom Scans/Fixes box at the bottom, type or copy/paste the following:
    :files
    E:\Users\Owner\AppData\Roaming\Teib
    E:\Users\Owner\AppData\Roaming\Qoapzu
    E:\Users\Owner\AppData\Roaming\Okdi
    E:\Users\Owner\AppData\Roaming\Ms_dir_
    E:\Users\Owner\AppData\Roaming\Omwe
    E:\Users\Owner\AppData\Roaming\Ywhyk
    E:\Users\Owner\AppData\Roaming\Teug
    E:\Users\Owner\AppData\Roaming\Wyze
    E:\Users\Owner\AppData\Roaming\Uzysyv
    E:\Users\Owner\AppData\Roaming\Amru
    E:\ProgramData\2jFf5J64.exe_.b
    E:\ProgramData\2jFf5J64.exe.b
    E:\ProgramData\2jFf5J64.exe
    E:\ProgramData\1VjM2R.dat
    C:\Windows\Installer\{68cac7a3-bc00-a020-1551-be4be81b71de}
    C:\Windows\Installer\{68cac7a3-bc00-a020-1551-be4be81b71de}\L
    C:\Windows\Installer\{68cac7a3-bc00-a020-1551-be4be81b71de}\L\201d3dde
    C:\Users\Owner\AppData\Local\{68cac7a3-bc00-a020-1551-be4be81b71de}
    C:\Users\Owner\AppData\Local\{68cac7a3-bc00-a020-1551-be4be81b71de}\@
    C:\Users\Owner\AppData\Local\{68cac7a3-bc00-a020-1551-be4be81b71de}\L
    C:\Users\Owner\AppData\Local\{68cac7a3-bc00-a020-1551-be4be81b71de}\U
    C:\Windows\assembly\GAC\Desktop.ini
    E:\Windows\System32\services.exe|E:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe /replace

    :otl
    O3 - HKU\Owner_ON_E\..\Toolbar\WebBrowser: (no name) - {CD90BF73-20F6-44EF-993D-BB920303BD2E} - No CLSID value found.
    O4 - HKU\Owner_ON_E..\Run: [Cofiu] E:\Users\Owner\AppData\Roaming\Amru\vuop.exe ()
    O4 - HKU\Owner_ON_E..\Run: [Huakbig] E:\Users\Owner\AppData\Roaming\Qoapzu\riny.exe ()
    F3 - HKU\Owner_ON_E WinNT: Load - (C:\Users\Owner\LOCALS~1\Temp\msteyia.com) - File not found
    O20 - HKU\Owner_ON_E Winlogon: Shell - (C:\Users\Owner\AppData\Roaming\msconfig.dat) - E:\Users\Owner\AppData\Roaming\msconfig.dat ()



  • Then click the Run Fix button at the top.
  • Allow it to run. If you get any error message or your computer freezes, let me know.
  • Finally, post the contents of the log (located at C:\_OTL\Moved Files)


====================

The script is a lot of stuff to type, so you probably want to save it into some .txt file and open that in REATOGO-X-PE mode and copy it into the OTLPE text field.

====================
All right.
If that went well, you should try and reboot into normal mode. If you are able to boot normally, 90% of your troubles are over.
In that case, please run Combofix:

Please visit this webpage and read the tutorial on using ComboFix very carefully. After that download the tool and save it to your desktop.

Double-click ComboFix.exe to run the tool. Please post its log back here.
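An added worked example, not part of this thread and not code from Farbar's FRST or OldTimer's OTL: a Python script that does offline what the two logs above let you do by eye. It parses the OTL "< MD5 for: >" entries and cross-checks each live System32 binary against its WinSxS component-store copies. That reproduces the services.exe finding FRST reports in its Bamital & volsnap check: the live file has exactly the size and timestamp of the 6.1.7600.16385 WinSxS copy but a different hash, which is the signature of a binary patched in place, and it is why that WinSxS copy is the natural source for the /replace line in the OTL fix above. The script also matches the on-disk layout FRST labels as ZeroAccess ({GUID}\@, \L and \U under AppData\Local or Windows\Installer, and assembly\GAC\Desktop.ini). The sample lines are copied from the logs above, with two benign paths added as constructed negatives; the WinSxS copy is assumed to be clean, which is an assumption the script cannot verify on its own.

```python
"""Cross-check System32 binaries against their WinSxS copies from an OTL MD5
listing, and flag the on-disk ZeroAccess layout.  Added example, not code from
the forum thread, FRST or OTL."""
import re
from collections import defaultdict

# Sample input: entries copied from the OTL "< MD5 for: >" section above,
# trimmed to the two files this demonstration needs.
OTL_MD5_SECTION = r"""
< MD5 for: SERVICES.EXE >
[2009/07/13 21:14:36 | 000,259,072 | ---- | M] (Microsoft Corporation) MD5=5F1B6A9C35D3D5CA72D6D6FDEF9747D6 -- E:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009/07/13 21:14:36 | 000,259,072 | ---- | M] (Microsoft Corporation) MD5=A302BBFF2A7278C0E239EE5D471D86A9 -- E:\Windows\System32\services.exe

< MD5 for: USERINIT.EXE >
[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- E:\Windows\System32\userinit.exe
[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- E:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
[2009/07/13 21:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- E:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
"""

# Sample paths: the ZeroAccess entries from the FRST log above, plus two
# constructed benign paths that must NOT be flagged.
FRST_PATHS = [
    r"C:\Windows\Installer\{68cac7a3-bc00-a020-1551-be4be81b71de}\L\201d3dde",
    r"C:\Users\Owner\AppData\Local\{68cac7a3-bc00-a020-1551-be4be81b71de}\@",
    r"C:\Users\Owner\AppData\Local\{68cac7a3-bc00-a020-1551-be4be81b71de}\U",
    r"C:\Windows\assembly\GAC\Desktop.ini",
    r"C:\Users\Owner\AppData\Local\CrashDumps",                              # benign
    r"C:\Windows\Installer\{4F7387E7-6D25-440D-9E5E-26B71B98F7B9}\x.msi",    # normal MSI cache
]

HEADER_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \|[^\]]*\] "
    r"\((?P<vendor>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)

def parse_otl_md5(text):
    """Group OTL MD5 entries by file name (upper-cased)."""
    files = defaultdict(list)
    current = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = h.group("name").upper()
            continue
        e = ENTRY_RE.match(line)
        if e and current:
            rec = e.groupdict()
            rec["size"] = int(rec["size"].replace(",", ""))
            rec["md5"] = rec["md5"].upper()
            files[current].append(rec)
    return files

def check_file(entries):
    """Compare each live (non-WinSxS) copy with the component-store copies.

    Verdicts: 'legit' (hash equals some WinSxS copy), 'patched-in-place'
    (same size and mtime as a WinSxS copy, different hash), 'unverified'.
    Returns (live_path, verdict, suggested_replacement_source_or_None).
    """
    store = [e for e in entries if "\\winsxs\\" in e["path"].lower()]
    live = [e for e in entries if "\\winsxs\\" not in e["path"].lower()]
    out = []
    for l in live:
        if any(s["md5"] == l["md5"] for s in store):
            out.append((l["path"], "legit", None))
            continue
        twins = [s for s in store if s["size"] == l["size"] and s["ts"] == l["ts"]]
        if twins:
            out.append((l["path"], "patched-in-place", twins[0]["path"]))
        else:
            out.append((l["path"], "unverified", None))
    return out

# ZeroAccess drops {GUID}\@, \L and \U under AppData\Local and Windows\Installer,
# and a Desktop.ini inside the GAC directories; a plain {GUID} MSI cache folder
# without those children is normal.
GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
ZA_STORE_RE = re.compile(
    r"\\(AppData\\Local|Windows\\Installer)\\" + GUID + r"\\[@LU](\\|$)", re.I)
ZA_GAC_RE = re.compile(r"\\Windows\\assembly\\GAC(_32|_64)?\\Desktop\.ini$", re.I)

def zeroaccess_hits(paths):
    return [p for p in paths if ZA_STORE_RE.search(p) or ZA_GAC_RE.search(p)]

def audit(otl_text, paths):
    """All non-legit binaries plus every path matching the ZeroAccess layout."""
    findings = []
    for name, entries in parse_otl_md5(otl_text).items():
        for path, verdict, src in check_file(entries):
            if verdict != "legit":
                findings.append((name, path, verdict, src))
    for p in zeroaccess_hits(paths):
        findings.append(("ZEROACCESS-PATH", p, "known layout", None))
    return findings

if __name__ == "__main__":
    for finding in audit(OTL_MD5_SECTION, FRST_PATHS):
        print(finding)
```

Treat "patched-in-place" as a lead, not a verdict: hashing only tells you the live file differs from a sibling, and an MD5 that matches WinSxS is only as trustworthy as the component store itself. From a clean boot environment, an Authenticode signature check on the live file (for example sigcheck from Sysinternals, or Get-AuthenticodeSignature in PowerShell) is the stronger test before you overwrite anything. On this machine the only WinSxS copy of services.exe is 6.1.7600.16385 and its size and timestamp match the live file, which is what makes it the right /replace source here; on a machine with several copies, pick the one at the installed servicing level rather than the first match.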


Re: FBI MoneyPak Not even able to enter safemode
Hi,

Please find the ComboFix log file below.

ComboFix 12-10-18.03 - Owner 10/19/2012 5:52.1.2 - x86
Running from: c:\users\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Owner\AppData\Roaming\msconfig.ini
c:\windows\assembly\GAC\Desktop.ini
c:\windows\system32\FlashPlayerInstaller.exe
c:\windows\system32\msstdfmt.dll

.
((((((((((((((((((((((((( Files Created from 2012-09-19 to 2012-10-19 )))))))))))))))))))))))))))))))
.
.
2012-10-19 10:59 . 2012-10-19 10:59 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4F7387E7-6D25-440D-9E5E-26B71B98F7B9}\offreg.dll
2012-10-19 10:57 . 2012-10-19 11:00 -------- d-----w- c:\users\Owner\AppData\Local\temp
2012-10-19 10:57 . 2012-10-19 10:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-18 23:39 . 2012-10-18 23:39 -------- d-----w- C:\_OTL
2012-10-18 05:15 . 2012-10-18 05:15 -------- d-----w- C:\FRST
2012-10-02 01:46 . 2012-10-08 01:30 -------- d-----w- c:\windows\system32\drivers\NIS\1309000.009
2012-09-24 18:52 . 2012-10-01 22:20 -------- d-----w- c:\users\Owner\AppData\Local\CrashDumps
2012-09-22 14:06 . 2012-09-22 16:37 -------- d-----w- c:\users\Owner\Citrix
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-09 10:42 . 2012-08-18 23:49 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 10:42 . 2011-12-14 21:31 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-23 03:58 . 2012-08-23 03:58 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-04-10 21:36 . 2011-12-14 21:46 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2012-01-02 4692296]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17420464]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
"Octoshape Streaming Services"="c:\users\Owner\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
.
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1309000.009\SYMDS.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1309000.009\SYMEFA.SYS [x]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.8.0.14\Definitions\BASHDefs\20120928.001\BHDrvx86.sys [x]
S1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NIS\1309000.009\ccSetx86.sys [x]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.8.0.14\Definitions\IPSDefs\20121012.001\IDSvix86.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1309000.009\Ironx86.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NIS\1309000.009\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe [x]
S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - IPNAT
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-18 10:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\z4ytdtpi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2653012&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=2&q=
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-08-23 04:37; {BBDA0591-3099-440a-AA10-41764D9DB4DB}; c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.8.0.14\IPSFFPlgn
FF - ExtSQL: 2012-08-23 06:32; {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}; c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.8.0.14\coFFPlgn
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{cd90bf73-20f6-44ef-993d-bb920303bd2e} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\19.9.0.9\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\taskhost.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\sppsvc.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-10-19 06:05:23 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-19 11:05
.
Pre-Run: 137,371,783,168 bytes free
Post-Run: 137,598,861,312 bytes free
.
- - End Of File - - DAB0CBD747CD1FA9854B3BEEBE271705



Thanks.

Re: FBI MoneyPak Not even able to enter safemode
wooohooohooooo

Looks like we exterminated it with root and twig.
How is your computer running now?

Re: FBI MoneyPak Not even able to enter safemode
Hi,
Right now I am away from the infected system. I shall go and check as soon as I can, and will keep you posted as soon as I do.

Really appreciate all the help,
Thanks once again for all the time and effort.

fbi virus
Hi there,

Oh, I hope you can help me. Such a mess. My desktop was taken over by a similar plague before Thanksgiving and now my (new used) laptop. I went through all the steps and saved the reports to a USB disk and though they are super long, I can't post them since I am not permitted, so I am attaching them (sorry... warning you).

I'd appreciate any help you can offer!!! I'm using my kids' laptop but all of my writing and photos to write about are on that laptop. Sad tearing

Happy Ides of March. lol

ty

Re: FBI MoneyPak Not even able to enter safemode
mabb4wharton, please start a new thread of your own if you need help.
