GeekPolice

FBI Moneygram Virus - Computer Locked / Safe Mode not working at all

Help, I suddenly have the FBI Moneygram virus on my home computer and can't get it off. I can't get into any versions of safe mode, or restore the computer to its previous version. I cannot run any anti-virus software at all. Please help!

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all

Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer, you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the Shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
We are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again.

Download the OTLPE Standard REATOGO Windows Recovery Environment.

  • Place a blank CD-R disc into your CD burning drive.
  • Download OTLPEStd.exe and double-click on it to burn to a CD using an ISO Burner. One can be found here.
  • Reboot your system using the boot CD you just created.
  • Note: If you do not know how to set your computer to boot from CD, follow the steps here.
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes.
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK.
  • OTL should now start. Change the following settings:
  • Change Drivers to Non-Microsoft
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\_OTL\MovedFiles
  • Copy this file to your USB drive if you do not have an internet connection on this system.
  • Please post the contents of the OTL.txt file in your reply.

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all

Okay, thanks. Here is the report...

OTL logfile created on: 6/8/2013 4:26:06 PM - Run 4
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Ann\Desktop\Anti-Virus Programs
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 71.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 5000 5000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 186.30 Gb Total Space | 5.53 Gb Free Space | 2.97% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANN-A26CF12946F
Current User Name: Ann
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2013/06/08 21:01:08 | 000,457,520 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Ann\Local Settings\temp\8862778\0339323.exe
PRC - [2013/06/08 13:39:12 | 004,760,816 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2013/05/08 19:27:16 | 000,216,968 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.3.21.145\GoogleCrashHandler.exe
PRC - [2013/04/29 17:50:00 | 000,685,936 | R--- | M] (WinZip Computing, S.L.) -- C:\Program Files\WinZip\WZQKPICK32.EXE
PRC - [2013/02/05 11:48:44 | 000,272,248 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe
PRC - [2013/01/12 04:27:33 | 000,170,912 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/11/16 05:09:00 | 000,542,104 | ---- | M] (Lavasoft) -- C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
PRC - [2012/09/22 03:22:40 | 001,191,768 | ---- | M] (Lavasoft Limited) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2012/09/22 03:22:38 | 001,737,728 | ---- | M] (Lavasoft Limited ) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2012/07/03 10:04:58 | 000,507,312 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2011/10/11 13:49:14 | 001,179,648 | ---- | M] (W3i, LLC) -- C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
PRC - [2011/08/11 19:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe
PRC - [2010/06/15 22:11:24 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ann\Desktop\Anti-Virus Programs\OTL.exe
PRC - [2010/01/25 09:22:56 | 000,245,760 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Browny02\BrYNSvc.exe
PRC - [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Ann\Desktop\iexplore.exe
PRC - [2008/08/26 20:02:24 | 000,014,336 | ---- | M] (Agere Systems) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/30 11:50:42 | 000,205,480 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe


========== Modules (SafeList) ==========

MOD - [2012/11/16 05:08:54 | 000,318,872 | ---- | M] (Lavasoft) -- C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2010/06/15 22:11:24 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ann\Desktop\Anti-Virus Programs\OTL.exe
MOD - [2008/04/14 08:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (WmiApSrv)
SRV - File not found [Auto | Stopped] -- -- (vToolbarUpdater12.2.0)
SRV - [2013/06/08 14:17:46 | 000,106,280 | ---- | M] (SurfRight B.V.) [Auto | Stopped] -- C:\Program Files\HitmanPro\hmpsched.exe -- (HitmanProScheduler)
SRV - [2013/05/25 14:40:36 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/05/15 11:59:34 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/02/05 11:48:00 | 000,235,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe -- (McComponentHostService)
SRV - [2013/01/12 04:27:33 | 000,170,912 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/09/22 03:22:38 | 001,737,728 | ---- | M] (Lavasoft Limited ) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2011/09/27 15:03:28 | 000,295,192 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2011/08/11 19:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2010/02/22 11:44:14 | 000,045,312 | ---- | M] (NewTech Infosystems, Inc.) [Auto | Stopped] -- C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe -- (NTI BackupNowEZSvr)
SRV - [2010/01/25 09:22:56 | 000,245,760 | ---- | M] (Brother Industries, Ltd.) [On_Demand | Running] -- C:\Program Files\Browny02\BrYNSvc.exe -- (BrYNSvc)
SRV - [2008/12/23 11:35:20 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2008/08/26 20:02:24 | 000,014,336 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [File_System | Unknown | Running] -- -- (0339323drv)
DRV - [2013/06/08 20:59:56 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\71875972.sys -- (71875972)
DRV - [2012/11/29 14:26:59 | 000,013,560 | ---- | M] (GFI Software) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\gfibto.sys -- (gfibto)
DRV - [2012/10/08 19:53:56 | 000,026,080 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Apowersoft_AudioDevice.sys -- (Apowersoft_AudioDevice)
DRV - [2012/09/03 19:55:34 | 000,027,496 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtpx86.sys -- (avgtp)
DRV - [2011/09/02 02:31:28 | 000,039,192 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2011/09/02 02:31:20 | 000,041,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2011/09/02 02:31:10 | 000,042,648 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LEqdUsb.sys -- (LEqdUsb)
DRV - [2011/09/02 02:31:10 | 000,012,184 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidEqd.sys -- (LHidEqd)
DRV - [2011/09/02 02:30:58 | 000,012,184 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2011/07/22 12:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 17:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/02/04 10:27:14 | 000,015,232 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2010/12/03 05:05:34 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2010/01/11 16:53:40 | 000,016,512 | ---- | M] (SHAPE Services GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mobiolavs.sys -- (mobiolavs)
DRV - [2009/09/08 21:06:44 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2009/09/08 21:06:37 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2009/05/05 17:46:08 | 000,014,464 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV - [2009/05/05 17:46:08 | 000,013,440 | ---- | M] (NewTech Infosystems Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\UBHelper.sys -- (UBHelper)
DRV - [2008/12/23 11:35:02 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2008/12/02 07:05:34 | 000,118,656 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2008/10/29 21:43:44 | 001,204,128 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2008/06/19 18:24:30 | 000,028,544 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2008/04/14 08:00:00 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/04/13 18:05:40 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2007/07/23 16:05:20 | 000,009,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLADResM.SYS -- (DLADResM)
DRV - [2007/07/23 16:04:58 | 000,037,360 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2007/07/23 16:04:56 | 000,098,448 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2007/07/23 16:04:56 | 000,093,552 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2007/07/23 16:04:54 | 000,027,216 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2007/07/23 16:04:52 | 000,032,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2007/07/23 16:04:52 | 000,016,304 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2007/07/23 16:04:50 | 000,108,752 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/07/23 15:55:44 | 000,099,808 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2007/07/23 15:49:44 | 000,030,064 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/07/23 15:49:44 | 000,014,576 | ---- | M] (Roxio) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2007/07/23 15:43:42 | 000,052,000 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2007/04/16 22:46:00 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2005/12/12 18:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
DRV - [2005/08/29 16:11:00 | 003,644,928 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/08/13 22:35:54 | 001,313,792 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.coupons.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\..\URLSearchHook: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Web Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "https://www.google.com/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {000a9d1c-beef-4f90-9363-039d445309b8}:0.5.36.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..keyword.URL: "http://safesearchr.lavasoft.com/?source=3336ca5f&tbp=url&toolbarid=adawaretb&u=E4866E676EBFC8A6D7A95650B7A8E064&q="

FF - HKLM\software\mozilla\Firefox\Extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\Program Files\Google\Google Gears\Firefox\ [2010/03/04 21:21:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{1C43BAF1-00C2-40A8-A09E-F84CFD79546D}: C:\Program Files\Coupons.com CouponBar\firefox\{1C43BAF1-00C2-40A8-A09E-F84CFD79546D}\Coupons.com.xpi [2012/01/26 15:18:46 | 000,185,164 | ---- | M] ()
FF - HKLM\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/05/25 14:40:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/05/11 20:59:08 | 000,000,000 | ---D | M]

[2010/07/23 13:02:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Mozilla\Extensions
[2013/06/08 08:35:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\k5ai1jrq.default\extensions
[2012/11/29 14:26:43 | 000,000,000 | ---D | M] (Ad-Aware Security Add-on) -- C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\k5ai1jrq.default\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
[2013/06/08 08:35:58 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\k5ai1jrq.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2013/05/11 20:41:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\k5ai1jrq.default\extensions\crossriderapp4352@crossrider.com
[2012/11/29 14:25:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\k5ai1jrq.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack
[2011/02/20 15:59:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\k5ai1jrq.default\extensions\toolbar@shopathome.com
[2013/05/11 20:41:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\k5ai1jrq.default\extensions\crossriderapp4352@crossrider.com\chrome\content\extensionCode
[2012/11/11 18:46:57 | 000,001,673 | ---- | M] () -- C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\k5ai1jrq.default\searchplugins\web-search.xml
[2013/05/25 14:40:39 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/05/25 14:40:39 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2012/10/12 20:35:53 | 000,092,584 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2012/10/12 20:35:55 | 000,092,584 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
[2012/11/29 14:26:46 | 000,000,616 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\adawaretb.xml

O1 HOSTS File: ([2012/10/14 15:25:58 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (MSS+ Identifier) - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
O2 - BHO: (Ad-Aware Security Add-on) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (TBSB07898 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Coupons.com CouponBar\tbcore3.dll ()
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Ad-Aware Security Add-on) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O3 - HKLM\..\Toolbar: (Coupons.com CouponBar) - {8660E5B3-6C41-44DE-8503-98D99BBECD41} - C:\Program Files\Coupons.com CouponBar\tbcore3.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Coupons.com CouponBar) - {8660E5B3-6C41-44DE-8503-98D99BBECD41} - C:\Program Files\Coupons.com CouponBar\tbcore3.dll ()
O4 - HKLM..\Run: [Ad-Aware Browsing Protection] C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft Limited)
O4 - HKLM..\Run: [BackupNowEZtray] C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe (NewTech Infosystems, Inc.)
O4 - HKLM..\Run: [BrStsMon00] C:\Program Files\Browny02\Brother\BrStMonW.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [SearchProtection] C:\Documents and Settings\All Users\Application Data\Search Protection\_run.bat ()
O4 - HKCU..\Run: [InstallIQUpdater] C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe (W3i, LLC)
O4 - HKCU..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK32.EXE (WinZip Computing, S.L.)
O4 - Startup: C:\Documents and Settings\Ann\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\Ann\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Ann\Start Menu\Programs\Startup\_uninst_71875972.lnk = C:\Documents and Settings\Ann\Local Settings\temp\_uninst_71875972.bat ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll (Google Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1345627392015 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab (GMNRev Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} https://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} http://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab (WorldWinner ActiveX Launcher Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.252.0.12
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - File not found
O20 - HKLM Winlogon: UIHost - (logonui.exe) - File not found
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - File not found
O20 - HKCU Winlogon: Shell - (EXPLORER.EXE) - File not found
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - File not found
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - File not found
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - File not found
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - File not found
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - File not found
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - File not found
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - File not found
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Ann\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Ann\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - File not found
O29 - HKLM SecurityProviders - (msapsspc.dll) - File not found
O29 - HKLM SecurityProviders - (schannel.dll) - File not found
O29 - HKLM SecurityProviders - (digest.dll) - File not found
O29 - HKLM SecurityProviders - (msnsspc.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/12/29 22:05:42 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2013/06/08 15:03:23 | 000,000,000 | ---D | C] -- C:\JRT
[2013/06/08 15:01:52 | 000,545,954 | ---- | C] (Oleg N. Scherbakov) -- C:\Documents and Settings\Ann\Desktop\JRT.exe
[2013/06/08 14:56:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2013/06/08 14:56:46 | 000,133,208 | ---- | C] (Kaspersky Lab ZAO) -- C:\WINDOWS\System32\drivers\71875972.sys
[2013/06/08 14:17:46 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2013/06/08 14:17:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2013/06/08 11:59:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Desktop\Captain Planet stuff
[2013/06/08 10:27:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Desktop\Ben 10 Stuff to upload
[2013/06/08 08:40:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Desktop\Ben 10 Stuff
[2013/06/03 19:24:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Desktop\The Night Stalker Mp3 320
[2013/06/01 21:19:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Desktop\Time After Time
[2013/06/01 13:51:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Desktop\The Promise
[2013/06/01 13:38:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Desktop\The Perfect Storm
[2013/06/01 13:19:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Local Settings\Application Data\WinZip
[2013/06/01 13:18:14 | 000,000,000 | ---D | C] -- C:\Program Files\WinZip
[2013/06/01 12:51:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Desktop\Brian Tyler - Iron Man 3
[2013/06/01 11:39:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Desktop\Red Planet - Recording Sessions
[2013/06/01 10:43:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Desktop\Judy Garland
[2013/06/01 10:16:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Desktop\Y7343
[2013/06/01 08:39:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Desktop\Naoki Sato - Space Battleship Yamato
[2013/06/01 08:26:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Desktop\Star Trek - Into Darkness MP3
[2013/06/01 07:56:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Desktop\Aliens Colonial Marines Complete Gamerip Album
[2013/06/01 07:52:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Desktop\Y7343_M
[2013/06/01 07:10:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Local Settings\Application Data\WarThunder
[2013/06/01 07:10:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WarThunder
[2013/05/30 21:22:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Desktop\The Bible - Extra Score
[2013/05/30 19:58:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Desktop\Inception Recording Sessions
[2013/05/27 17:20:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Desktop\Babylon 5
[2013/05/25 18:53:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Desktop\New Art 05-25
[2013/05/25 14:16:56 | 000,000,000 | ---D | C] -- C:\Program Files\DVD Audio Extractor
[2013/05/11 20:59:07 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/05/11 20:09:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Application Data\avidemux
[2013/05/11 20:05:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\My Documents\Streaming Audio Recorder
[2013/05/11 20:04:44 | 000,026,080 | ---- | C] (Wondershare) -- C:\WINDOWS\System32\drivers\Apowersoft_AudioDevice.sys
[2013/05/11 20:04:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Application Data\Apowersoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/06/08 20:59:56 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) -- C:\WINDOWS\System32\drivers\71875972.sys
[2013/06/08 16:13:02 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-436374069-515967899-1801674531-1003UA.job
[2013/06/08 15:53:03 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/06/08 15:32:02 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/06/08 15:01:53 | 000,545,954 | ---- | M] (Oleg N. Scherbakov) -- C:\Documents and Settings\Ann\Desktop\JRT.exe
[2013/06/08 14:57:47 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\Ann\Start Menu\Programs\Startup\_uninst_71875972.lnk
[2013/06/08 14:54:33 | 171,671,288 | ---- | M] () -- C:\Documents and Settings\Ann\Desktop\setup_11.0.0.1245.x01_2013_06_08_21_01.exe
[2013/06/08 14:28:56 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/06/08 14:17:46 | 000,001,610 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
[2013/06/08 14:16:43 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Ann\Application Data\skype.ini
[2013/06/08 14:14:36 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/06/08 14:14:36 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/06/08 14:14:33 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\YourFile Update.job
[2013/06/08 14:01:31 | 000,016,400 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\drivers\LNonPnP.sys
[2013/06/08 14:01:18 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2013/06/08 14:01:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/06/08 14:00:05 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Ann\ntuser.ini
[2013/06/08 14:00:04 | 014,680,064 | -H-- | M] () -- C:\Documents and Settings\Ann\NTUSER.DAT
[2013/06/08 13:50:00 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2013/06/08 13:50:00 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2013/06/08 13:27:47 | 001,664,268 | -H-- | M] () -- C:\Documents and Settings\Ann\Local Settings\Application Data\IconCache.db
[2013/06/08 13:25:34 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2013/06/08 08:41:40 | 003,801,371 | ---- | M] () -- C:\Documents and Settings\Ann\Desktop\Avengers - Fight as One (version fanmade).mp3
[2013/06/08 08:39:42 | 009,495,151 | ---- | M] () -- C:\Documents and Settings\Ann\Desktop\Avengers - Fight as One (version fanmade).flv
[2013/06/08 06:05:51 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/06/07 17:13:00 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-436374069-515967899-1801674531-1003Core.job
[2013/06/05 15:14:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2013/06/01 13:19:03 | 000,001,732 | ---- | M] () -- C:\Documents and Settings\Ann\My Documents\WinZip.lnk
[2013/06/01 13:19:03 | 000,001,672 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
[2013/05/27 15:18:04 | 009,835,005 | ---- | M] () -- C:\Documents and Settings\Ann\Desktop\Scarface Opening Titles Music (No Voice overs).mp4
[2013/05/21 20:42:38 | 000,071,680 | ---- | M] () -- C:\Documents and Settings\Ann\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/05/20 19:34:39 | 024,555,357 | ---- | M] () -- C:\Documents and Settings\Ann\Desktop\The Avengers 2012 - _Fight As One_ - Remix Trailer.mp4
[2013/05/16 03:24:05 | 000,192,976 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/05/16 03:07:00 | 000,502,268 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2013/05/16 03:07:00 | 000,441,890 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/05/16 03:07:00 | 000,071,700 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/05/16 03:04:46 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/05/16 03:01:09 | 002,006,356 | ---- | M] () -- C:\WINDOWS\iis6.BAK
[2013/05/15 11:59:33 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/05/15 11:59:33 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\biwinemo
[2013/06/08 14:57:47 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\Ann\Start Menu\Programs\Startup\_uninst_71875972.lnk
[2013/06/08 14:54:33 | 171,671,288 | ---- | C] () -- C:\Documents and Settings\Ann\Desktop\setup_11.0.0.1245.x01_2013_06_08_21_01.exe
[2013/06/08 14:17:46 | 000,001,610 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
[2013/06/08 12:22:20 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Ann\Application Data\skype.ini
[2013/06/08 08:41:01 | 003,801,371 | ---- | C] () -- C:\Documents and Settings\Ann\Desktop\Avengers - Fight as One (version fanmade).mp3
[2013/06/08 08:36:47 | 009,495,151 | ---- | C] () -- C:\Documents and Settings\Ann\Desktop\Avengers - Fight as One (version fanmade).flv
[2013/06/01 13:18:57 | 000,001,672 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
[2013/05/27 15:17:55 | 009,835,005 | ---- | C] () -- C:\Documents and Settings\Ann\Desktop\Scarface Opening Titles Music (No Voice overs).mp4
[2013/05/20 19:33:36 | 024,555,357 | ---- | C] () -- C:\Documents and Settings\Ann\Desktop\The Avengers 2012 - _Fight As One_ - Remix Trailer.mp4
[2012/02/15 03:14:53 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2010/12/29 21:29:39 | 000,000,242 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2010/12/29 21:29:39 | 000,000,093 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2010/12/29 21:29:33 | 000,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2010/03/14 11:26:22 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/03/22 21:33:47 | 000,000,227 | ---- | C] () -- C:\WINDOWS\HP_CounterReport_Update_HPSU.ini
[2009/03/22 21:33:35 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2009/03/22 21:29:56 | 000,000,234 | ---- | C] () -- C:\WINDOWS\PrnHlpLogConfig.ini
[2009/03/22 19:38:16 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_InstantSHareJPG.ini
[2009/03/22 19:37:26 | 000,000,217 | ---- | C] () -- C:\WINDOWS\HP_IZClosingDiscErrorPatch.ini
[2009/03/22 19:22:32 | 000,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2009/03/14 09:08:17 | 000,223,232 | ---- | C] () -- C:\WINDOWS\System32\sqlite3.dll
[2009/03/14 09:08:15 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\SQLiteWrapper.dll
[2008/12/30 22:37:54 | 000,000,234 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/12/29 23:02:42 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2001/07/06 16:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
< End of report >

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all

I take it that you can't boot your computer in Normal Mode? Please let me know. You should take the opportunity, while booted with the rescue disk, to save your important data. The log shows that you only have 5.5 GB of free space. Windows requires at least 15% (28 GB) of free space to operate efficiently. That's probably why your computer won't re-boot. You need to find some free space on your C drive. You can do this by removing/uninstalling unwanted or unused programs. You can save your music, videos, pictures and such to an external hard drive or DVDs. Please let me know what happens after you do this.

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all

I freed up some space and was able to run OTL, as well as Kaspersky Virus Scanner (from what I saw on another post). That's almost finished running now.

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all

Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
******************************************************
Please download AdwCleaner by Xplode onto your Desktop.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

*********************************************
Please download Junkware Removal Tool to your desktop.

Warning! Once the scan is complete JRT will shut down your browser with NO warning.

Shut down your protection software now to avoid potential conflicts.

  • Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Copy and Paste the JRT.txt log into your next message.

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all

Here is the log from MBAM, it found two trojan files. Rebooting now to remove them per MBAM...

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.08.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Ann :: ANN-A26CF12946F [administrator]

6/9/2013 3:24:29 PM
MBAM-log-2013-06-09 (17-33-31).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 451933
Time elapsed: 1 hour(s), 39 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-18\$fc0e198886bf115111cd3929cc6fa9b2\n.) Good: (fastprox.dll) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\RECYCLER\S-1-5-18\$fc0e198886bf115111cd3929cc6fa9b2\U\00000001.@ (Trojan.0Access) -> No action taken.

(end)
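
Both detections in the log above end in "No action taken", which is what the next reply picks up on. The following is an added example, not part of the original thread and not Malwarebytes code: a Python parser for the MBAM 1.x text-log layout shown in this post that extracts each detection, splits the Bad/Good registry data, and lists the items still awaiting removal. The function names are hypothetical, and the sample is constructed from the lines of this log.

```python
import re

# Constructed sample: section headers and detection lines copied from the
# MBAM log posted in this thread (header and scan options omitted).
SAMPLE_LOG = r"""Registry Keys Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-18\$fc0e198886bf115111cd3929cc6fa9b2\n.) Good: (fastprox.dll) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\RECYCLER\S-1-5-18\$fc0e198886bf115111cd3929cc6fa9b2\U\00000001.@ (Trojan.0Access) -> No action taken.

(end)
"""

# "<Section> Detected: <n>" opens a section; the count is what MBAM declares.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<object> (<threat>) -> <detail and/or action>"
ITEM_RE = re.compile(r"^(?P<object>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
# Registry data items carry the hijacked value and the expected one.
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*?)\)$")


def parse_mbam_log(text):
    """Return {section: {"declared": int, "items": [dict, ...]}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections[current] = {"declared": int(header.group("count")), "items": []}
            continue
        found = ITEM_RE.match(line)
        if not (found and current):
            continue  # blank lines, "(No malicious items detected)", "(end)"
        # The action is whatever follows the last " -> " on the line.
        detail, _, action = found.group("rest").rpartition(" -> ")
        item = {
            "section": current,
            "object": found.group("object"),
            "threat": found.group("threat"),
            "action": action.rstrip("."),
            "bad": None,
            "good": None,
        }
        # Registry entries are written "key|value"; an empty value name
        # means the key's default value.
        if "|" in item["object"]:
            key, _, value_name = item["object"].partition("|")
            item["object"] = key
            item["value_name"] = value_name or "(Default)"
        pair = BAD_GOOD_RE.match(detail)
        if pair:
            item["bad"], item["good"] = pair.group("bad"), pair.group("good")
        sections[current]["items"].append(item)
    return sections


def unremediated(sections):
    """Detections the scan reported but did not act on."""
    return [item
            for section in sections.values()
            for item in section["items"]
            if item["action"].lower().startswith("no action")]


def count_mismatches(sections):
    """Sections whose declared count differs from the lines actually present,
    which usually means the pasted log was truncated."""
    return [name for name, section in sections.items()
            if section["declared"] != len(section["items"])]


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    for item in unremediated(parsed):
        print(f'{item["section"]}: {item["object"]} [{item["threat"]}] {item["action"]}')
        if item["bad"]:
            print(f'  value {item["value_name"]}: {item["bad"]!r} should be {item["good"]!r}')
    print("truncated sections:", count_mismatches(parsed))
```
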

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all

The Junkware Removal Tool software doesn't work on my computer. Even with real-time protection turned off.

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all

You will need to run MBAM again and "Remove the infections" to get rid of those items.

"The Junkware Removal Tool software doesn't work on my computer"

Ok, please run AdwCleaner

Download Combofix from any of the links below, and save it to your DESKTOP.
If your version of Windows defaults to your download folder, you will need to copy it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:

[Image: NSIS_disclaimer_ENG]

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:

[Image: NSIS_extraction]

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

[Image: RcAuto1]

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: Whatnext]

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all

Here is the log from Combofix...

ComboFix 13-06-08.02 - Ann 06/10/2013 11:51:09.20.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2494.1800 [GMT -4:00]
Running from: c:\documents and settings\Ann\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Ann\Application Data\dvdae
c:\documents and settings\Ann\Application Data\dvdae\dvdae.config
c:\documents and settings\Ann\Application Data\dvdae\dvdae.lic
c:\documents and settings\Ann\Application Data\skype.ini
c:\documents and settings\Ann\Application Data\Toolbar4
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\0533ddea046b79382344642507f45004
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\09243a7e0d5263f96fccb70e16bb0476
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\0b9a7a3e0c1c165779dd33b229048b21
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\0c74e33c6b89503129478a0eae095b4d
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\0e1466e34ff25e57fa813d21ebfe7cf6
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\0fb67f15ee619bf63699876db03ab661
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\2612ed9846214cbf7e954476bb044b3b
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\323af8f156d5bb22bb38cd2ce83959de
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\36402215e280142e9fec69a27ce97d32
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\3739298d2bc9d6b94dadd7b19b48ecb3
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\476905aa92e1c9a617bd41ce5318660f
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\4c667e8e6ec412f944dcb9352b851013
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\4d2e45ddaef75a6d2c9afdbc763c3752
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\4e2d5ba12b0ed08ba8960c3e874a01cb
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\560ff84a7533e0f37b61b702a5403538
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\59a443f04bf13d1170b3dfc61f51b928
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\5bc8ebf64906d196c815a3f28ee7be81
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\5dcc33988f89c01e09411de1fadabde2
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\5e4a0304a53d72265f5f470649d2f616
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\5fceefa5d8207202cd84891c2e491f65
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\753df778c49000ceb420710ab27250f3
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\7aab54a686f169a739561ca08b97d70b
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\829a174ff56578e2e86c6ea74ceac599
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\8c192effd1339f8e52b7695d8409b038
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\97be6f9cdebaa8074491269ce024994b
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\9ac01b227ded0862f1cacbfb3aa57c30
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\a03f31127270e5ec9c753d5978824827
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\a0c60a9410bfbe84abdf5e97d0c4c25b
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\aa65030026dd406f81e1d2f100fe7920
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\b4129101a6dd1056cc66cb8ee0ed07cb
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\b576b7d306b9484794e87c4894171e9c
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\b8cb931520574f1fbe2d6a417ab188a3
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\cadd36508a4b8f2e96e6251f59441e6d
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\cf00f968a680ae7de4f426758f29e399
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\d210e926e7fc2fc8277b03dcf0f51bf7
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\dd63f857ccdda3776635728c6e9c9da5
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\df93d78ff74b9089b7e56bad7abf8d54
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\e0274c4eebf32d7d1bf0e38726e4ea71
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\e676561c84d9a41ec2ac1b9379b89748
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\fdcfc40763b6755ae687e945adb4dba4
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\fe98d58b0232c74e3b47d141e87aaa18
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\merchant_notification
c:\documents and settings\Ann\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\include_files\879ecc39d0be00e1ba71e4872c078138
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((( Files Created from 2013-05-10 to 2013-06-10 )))))))))))))))))))))))))))))))
.
.
2013-06-08 19:03 . 2013-06-09 23:44 -------- d-----w- C:\JRT
2013-06-08 18:17 . 2013-06-08 18:17 -------- d-----w- c:\program files\HitmanPro
2013-06-08 18:17 . 2013-06-08 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-06-01 17:19 . 2013-06-01 17:19 -------- d-----w- c:\documents and settings\Ann\Local Settings\Application Data\WinZip
2013-06-01 11:10 . 2013-06-01 11:10 -------- d-----w- c:\documents and settings\Ann\Local Settings\Application Data\WarThunder
2013-06-01 11:10 . 2013-06-01 11:10 -------- d-----w- c:\documents and settings\All Users\Application Data\WarThunder
2013-05-25 18:16 . 2013-05-25 18:17 -------- d-----w- c:\program files\DVD Audio Extractor
2013-05-12 00:09 . 2013-05-12 00:14 -------- d-----w- c:\documents and settings\Ann\Application Data\avidemux
2013-05-12 00:04 . 2013-05-12 00:04 -------- d-----w- c:\documents and settings\Ann\Application Data\Apowersoft
2013-05-12 00:04 . 2012-10-08 23:53 26080 ----a-w- c:\windows\system32\drivers\Apowersoft_AudioDevice.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-08 18:01 . 2010-12-30 01:01 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2013-05-15 15:59 . 2012-05-10 08:58 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-15 15:59 . 2011-05-17 18:33 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-16 22:17 . 2008-04-14 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2008-04-14 12:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 18:50 . 2010-03-31 02:02 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2012-11-16 87448]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2012-11-16 21:41 87448 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8660E5B3-6C41-44DE-8503-98D99BBECD41}"= "c:\program files\Coupons.com CouponBar\tbcore3.dll" [2012-10-13 2701752]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2012-11-16 87448]
.
[HKEY_CLASSES_ROOT\clsid\{8660e5b3-6c41-44de-8503-98d99bbecd41}]
[HKEY_CLASSES_ROOT\TBSB07898.TBSB07898.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB07898.TBSB07898]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{8660E5B3-6C41-44DE-8503-98D99BBECD41}"= "c:\program files\Coupons.com CouponBar\tbcore3.dll" [2012-10-13 2701752]
.
[HKEY_CLASSES_ROOT\clsid\{8660e5b3-6c41-44de-8503-98d99bbecd41}]
[HKEY_CLASSES_ROOT\TBSB07898.TBSB07898.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB07898.TBSB07898]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-13 39408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2011-10-11 1179648]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-06-08 4760816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2012-09-22 1191768]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-02-09 2621440]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"BackupNowEZtray"="c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe" [2010-02-22 577792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2012-11-16 542104]
"SearchProtection"="c:\documents and settings\All Users\Application Data\Search Protection\_run.bat" [2012-11-29 179]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\Ann\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
_uninst_71875972.lnk - c:\documents and settings\Ann\Local Settings\temp\_uninst_71875972.bat [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2013-4-29 685936]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [11/29/2012 2:25 PM 13560]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/20/2009 6:21 PM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/20/2009 5:17 PM 28544]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [8/27/2012 4:00 PM 27496]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [6/8/2013 2:17 PM 106280]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [12/29/2010 9:01 PM 12184]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [3/18/2010 5:01 AM 42648]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [3/18/2010 5:01 AM 12184]
R3 mobiolavs;Mobiola Web Camera Video Source;c:\windows\system32\drivers\mobiolavs.sys [8/28/2010 5:51 PM 16512]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 5:05 AM 1737728]
S2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe [2/22/2010 11:44 AM 45312]
S2 vToolbarUpdater12.2.0;vToolbarUpdater12.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\12.2.0\ToolbarUpdater.exe --> c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\12.2.0\ToolbarUpdater.exe [?]
S3 Apowersoft_AudioDevice;Apowersoft_AudioDevice;c:\windows\system32\drivers\Apowersoft_AudioDevice.sys [5/11/2013 8:04 PM 26080]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [12/29/2010 9:29 PM 245760]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/3/2010 5:05 AM 15232]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.318\McCHSvc.exe [2/5/2013 11:48 AM 235216]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [12/23/2008 11:35 AM 50704]
S3 PsSdk30;PsSdk30;\??\c:\windows\system32\Drivers\PsSdk30.drv --> c:\windows\system32\Drivers\PsSdk30.drv [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - hitmanpro37
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 07:40]
.
2013-06-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-10 15:59]
.
2013-06-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2013-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 13:54]
.
2013-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 13:54]
.
2013-06-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-515967899-1801674531-1003Core.job
- c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-23 17:08]
.
2013-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-515967899-1801674531-1003UA.job
- c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-23 17:08]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://search.coupons.com/
uInternet Connection Wizard,ShellNext = iexplore
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
FF - ProfilePath - c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\k5ai1jrq.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - prefs.js: keyword.URL - hxxp://safesearchr.lavasoft.com/?source=3336ca5f&tbp=url&toolbarid=adawaretb&u=E4866E676EBFC8A6D7A95650B7A8E064&q=
FF - ExtSQL: !HIDDEN! 2009-09-01 03:00; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-10 12:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk30]
"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk30.drv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,93,6e,2e,97,40,8e,4b,83,90,3b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,93,6e,2e,97,40,8e,4b,83,90,3b,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75}]
@DACL=(02 0000)
@="Group Policy Environment"
"ProcessGroupPolicy"="ProcessGroupPolicyEnviron"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyEnviron"
"ProcessGroupPolicyEx 0"=""
"EventSources"="(Group Policy Environment,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-1"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{17D89FEC-5C44-4972-B12D-241CAEF74509}]
@DACL=(02 0000)
@="Group Policy Local Users and Groups"
"ProcessGroupPolicy"="ProcessGroupPolicyLocUsAndGroups"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyLocUsAndGroups"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExLocUsAndGroups"
"EventSources"="(Group Policy Local Users and Groups,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-2"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5}]
@DACL=(02 0000)
@="Group Policy Device Settings"
"ProcessGroupPolicy"="ProcessGroupPolicyDevices"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyDevices"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExDevices"
"EventSources"="(Group Policy Device Settings,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-3"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F}]
@DACL=(02 0000)
@="Group Policy Network Options"
"ProcessGroupPolicy"="ProcessGroupPolicyNetworkOptions"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyNetworkOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExNetworkOptions"
"EventSources"="(Group Policy Network Options,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-4"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F}]
@DACL=(02 0000)
@="Group Policy Drive Maps"
"ProcessGroupPolicy"="ProcessGroupPolicyDrives"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyDrives"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExDrives"
"EventSources"="(Group Policy Drive Maps,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-5"
"PerUserLocalSettings"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E}]
@DACL=(02 0000)
@="Group Policy Folders"
"ProcessGroupPolicy"="ProcessGroupPolicyFolders"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyFolders"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExFolders"
"EventSources"="(Group Policy Folders,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-6"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=""
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2}]
@DACL=(02 0000)
@="Group Policy Network Shares"
"ProcessGroupPolicy"="ProcessGroupPolicyNetShares"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyNetShares"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExNetShares"
"EventSources"="(Group Policy Network Shares,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-7"
"NoUserPolicy"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA}]
@DACL=(02 0000)
@="Group Policy Files"
"ProcessGroupPolicy"="ProcessGroupPolicyFiles"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyFiles"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExFiles"
"EventSources"="(Group Policy Files,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-8"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{728EE579-943C-4519-9EF7-AB56765798ED}]
@DACL=(02 0000)
@="Group Policy Data Sources"
"ProcessGroupPolicy"="ProcessGroupPolicyDataSources"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyDataSources"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExDataSources"
"EventSources"="(Group Policy Data Sources,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-9"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{74EE6C03-5363-4554-B161-627540339CAB}]
@DACL=(02 0000)
@="Group Policy Ini Files"
"ProcessGroupPolicy"="ProcessGroupPolicyIniFile"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyIniFile"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExIniFile"
"EventSources"="(Group Policy Ini Files,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-10"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325}]
@DACL=(02 0000)
@="Group Policy Services"
"ProcessGroupPolicy"="ProcessGroupPolicyServices"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyServices"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExServices"
"EventSources"="(Group Policy Services,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-11"
"EnableAsynchronousProcessing"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A3F3E39B-5D83-4940-B954-28315B82F0A8}]
@DACL=(02 0000)
@="Group Policy Folder Options"
"ProcessGroupPolicy"="ProcessGroupPolicyFolderOptions"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyFolderOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExFolderOptions"
"EventSources"="(Group Policy Folder Options,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-12"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527}]
@DACL=(02 0000)
@="Group Policy Scheduled Tasks"
"ProcessGroupPolicy"="ProcessGroupPolicySchedTasks"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicySchedTasks"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExSchedTasks"
"EventSources"="(Group Policy Scheduled Tasks,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-13"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B087BE9D-ED37-454f-AF9C-04291E351182}]
@DACL=(02 0000)
@="Group Policy Registry"
"ProcessGroupPolicy"="ProcessGroupPolicyRegistry"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyRegistry"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExRegistry"
"EventSources"="(Group Policy Registry,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-14"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}]
@DACL=(02 0000)
@="Group Policy Printers"
"ProcessGroupPolicy"="ProcessGroupPolicyPrinters"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyPrinters"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExPrinters"
"EventSources"="(Group Policy Printers,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-16"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}]
@DACL=(02 0000)
@="Group Policy Shortcuts"
"ProcessGroupPolicy"="ProcessGroupPolicyShortcuts"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyShortcuts"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExShortcuts"
"EventSources"="(Group Policy Shortcuts,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-17"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0}]
@DACL=(02 0000)
@="Group Policy Internet Settings"
"ProcessGroupPolicy"="ProcessGroupPolicyShortcuts"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyInternet"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExInternet"
"EventSources"="(Group Policy Internet Settings,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-18"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E4F48E54-F38D-4884-BFB9-D4D2E5729C18}]
@DACL=(02 0000)
@="Group Policy Start Menu Settings"
"ProcessGroupPolicy"="ProcessGroupPolicyStartMenu"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyStartMenu"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExStartMenu"
"EventSources"="(Group Policy Start Menu Settings,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-19"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E5094040-C46C-4115-B030-04FB2E545B00}]
@DACL=(02 0000)
@="Group Policy Regional Options"
"ProcessGroupPolicy"="ProcessGroupPolicyRegionOptions"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyRegionOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExRegionOptions"
"EventSources"="(Group Policy Regional Options,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-20"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E62688F0-25FD-4c90-BFF5-F508B9D2E31F}]
@DACL=(02 0000)
@="Group Policy Power Options"
"ProcessGroupPolicy"="ProcessGroupPolicyPowerOptions"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyPowerOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExPowerOptions"
"EventSources"="(Group Policy Power Options,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-21"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{F9C77450-3A41-477E-9310-9ACD617BD9E3}]
@DACL=(02 0000)
@="Group Policy Applications"
"ProcessGroupPolicy"="ProcessGroupPolicyApplications"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyApplications"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExApplications"
"EventSources"="(Group Policy Applications,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-15"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
Completion time: 2013-06-10 12:09:59
ComboFix-quarantined-files.txt 2013-06-10 16:09
ComboFix2.txt 2012-10-14 19:29
ComboFix3.txt 2012-10-14 08:58
ComboFix4.txt 2010-12-13 03:47
.
Pre-Run: 5,584,527,360 bytes free
Post-Run: 7,565,422,592 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 910D3376ADC0B4C73CC232DC922879DB
8F558EB6672622401DA993E1E865C861

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
*******************************************

  • Download RogueKiller to your desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all
I downloaded and ran "Security Check". It ran for a few seconds and quit. I managed to get a screenshot of the error...
[img]Securi12[/img]

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all
Ok, please proceed with RogueKiller and I'll check out Security Check.

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all

Okay thanks, here's the RogueKiller log...

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRKgmailcom
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Ann [Admin rights]
Mode : Scan -- Date : 06/10/2013 17:56:57
| ARK || FAK || MBR |

¤¤¤ Bad processes : 3 ¤¤¤
[SUSP PATH] iexplore.exe -- C:\Documents and Settings\Ann\Desktop\iexplore.exe [7] -> KILLED [TermProc]
[SUSP PATH] iexplore.exe -- C:\Documents and Settings\Ann\Desktop\iexplore.exe [7] -> KILLED [TermThr]
[RESIDUE] iexplore.exe -- C:\Documents and Settings\Ann\Desktop\iexplore.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Run : SearchProtection (C:\Documents and Settings\All Users\Application Data\Search Protection\_run.bat) [-] -> FOUND
[STARTUP][SUSP PATH] _uninst_71875972.lnk @Ann : C:\Documents and Settings\Ann\Local Settings\temp\_uninst_71875972.bat [x] -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG SP2004C +++++
--- User ---
[MBR] fdf36bf7cbf080ccf9e85efa4fef1b57
[BSP] 08ad4a436ea9c62a424bc2f87968e8be : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 190771 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_06102013_02d1756.txt >>
RKreport[1]_S_06102013_02d1756.txt
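
The scan report above tags three paths as [SUSP PATH]. As an added example (not part of the original post, and not RogueKiller's own logic), the sketch below applies a simplified path heuristic to report lines: a well-known binary name outside its expected folder, or a file started from a profile or temp folder. The `EXPECTED_DIRS` and `SUSPECT_FRAGMENTS` tables and the function names are assumptions made for this example.

```python
import ntpath
import re

# Assumed table of expected install folders for well-known Windows binaries.
EXPECTED_DIRS = {
    "iexplore.exe": {r"c:\program files\internet explorer"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
# Profile and temp folder fragments (XP layout) treated as suspicious
# places to start a program from; an assumption of this example.
SUSPECT_FRAGMENTS = (r"\desktop", r"\local settings\temp", r"\application data")
PATH_RE = re.compile(
    r"[A-Za-z]:\\[^()\[\]>]+?\.(?:exe|com|bat|cmd|vbs|js)\b", re.IGNORECASE)

def reasons(path):
    """Return why a file path looks suspicious (empty list if it does not)."""
    folder, name = ntpath.split(path.lower())
    found = []
    if name in EXPECTED_DIRS and folder not in EXPECTED_DIRS[name]:
        found.append("system binary name outside its expected folder")
    if any(fragment in folder for fragment in SUSPECT_FRAGMENTS):
        found.append("starts from a profile or temp folder")
    return found

def triage(report):
    """Map each flagged executable or script path in a report to its reasons."""
    return {p: reasons(p) for p in PATH_RE.findall(report) if reasons(p)}

# Three lines copied from the scan report above, plus one constructed
# line for a normally installed Internet Explorer.
REPORT = r"""
[SUSP PATH] iexplore.exe -- C:\Documents and Settings\Ann\Desktop\iexplore.exe [7] -> KILLED [TermProc]
[RUN][SUSP PATH] HKLM\[...]\Run : SearchProtection (C:\Documents and Settings\All Users\Application Data\Search Protection\_run.bat) [-] -> FOUND
[STARTUP][SUSP PATH] _uninst_71875972.lnk @Ann : C:\Documents and Settings\Ann\Local Settings\temp\_uninst_71875972.bat [x] -> FOUND
[CONSTRUCTED] iexplore.exe -- C:\Program Files\Internet Explorer\iexplore.exe [7] -> OK
"""

if __name__ == "__main__":
    for path, why in triage(REPORT).items():
        print(path, "->", "; ".join(why))
```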

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all
Please run RogueKiller again and delete those items.

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

•Click the [image: EsetOnline] button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on [image: EsetSmartInstall] to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the [image: EsetSmartInstallDesktopIcon-1] icon on your desktop.

•Check [image: EsetAcceptTerms]
•Click the [image: EsetStart] button.
•Accept any security warnings from your browser.

  • Leave the check mark next to Remove found threats.

•Check [image: EsetScanArchives]
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push [image: EsetListThreats]
•Push [image: EsetExport], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the [image: EsetBack] button.
•Push [image: EsetFinish]
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all
Superdave wrote:
Please run RogueKiller again and delete those items.


Okay I did that and am now running the scanner.

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all
Misteretc wrote:
Superdave wrote:
Please run RogueKiller again and delete those items.


Okay I did that and am now running the scanner.

Also, please tell me how your computer is working.

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all
Here's the report from the scanner...

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRKgmailcom
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Ann [Admin rights]
Mode : Remove -- Date : 06/10/2013 19:02:57
| ARK || FAK || MBR |

¤¤¤ Bad processes : 5 ¤¤¤
[SUSP PATH] iexplore.exe -- C:\Documents and Settings\Ann\Desktop\iexplore.exe [7] -> KILLED [TermProc]
[SUSP PATH] iexplore.exe -- C:\Documents and Settings\Ann\Desktop\iexplore.exe [7] -> KILLED [TermThr]
[RESIDUE] iexplore.exe -- C:\Documents and Settings\Ann\Desktop\iexplore.exe [7] -> KILLED [TermProc]
[RESIDUE] iexplore.exe -- C:\Documents and Settings\Ann\Desktop\iexplore.exe [7] -> KILLED [TermProc]
[RESIDUE] iexplore.exe -- C:\Documents and Settings\Ann\Desktop\iexplore.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Run : SearchProtection (C:\Documents and Settings\All Users\Application Data\Search Protection\_run.bat) [-] -> DELETED
[STARTUP][SUSP PATH] _uninst_71875972.lnk @Ann : C:\Documents and Settings\Ann\Local Settings\temp\_uninst_71875972.bat [x] -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG SP2004C +++++
--- User ---
[MBR] fdf36bf7cbf080ccf9e85efa4fef1b57
[BSP] 08ad4a436ea9c62a424bc2f87968e8be : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 190771 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_06102013_02d1902.txt >>
RKreport[1]_S_06102013_02d1756.txt ; RKreport[2]_D_06102013_02d1902.txt



Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all
Superdave wrote:
Misteretc wrote:
Superdave wrote:
Please run RogueKiller again and delete those items.


Okay I did that and am now running the scanner.

Also, please tell me how your computer is working.


My computer is running much, much better now thanks.

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all
Do I need to do anything else?

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all
Misteretc wrote:
Do I need to do anything else?

Did you run the ESET scanner?

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all
Yes, here were the results...

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=8
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=f36567a16cc78148b486ee3eb746938b
# engine=14043
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-06-11 12:06:02
# local_time=2013-06-10 08:06:02 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1026 16777214 0 2 78043935 78043935 0 0
# scanned=59153
# found=2
# cleaned=0
# scan_time=3597
sh=3D8010EC0AA8B40704319AC0DFF6DFA7C6052D34 ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Ann\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\23\53d90297-526841de"
sh=225E89F5BE1828A4BEF854184FF816504F7451FC ft=0 fh=0000000000000000 vn="Java/Exploit.CVE-2013-2423.CR trojan" ac=I fn="C:\Documents and Settings\Ann\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\61\2ce3fe3d-3093e281"
# version=8
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=f36567a16cc78148b486ee3eb746938b
# engine=14043
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-06-11 05:38:48
# local_time=2013-06-11 01:38:48 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1026 16777214 0 2 78060301 78060301 0 0
# scanned=289615
# found=2
# cleaned=2
# scan_time=18697
sh=3D8010EC0AA8B40704319AC0DFF6DFA7C6052D34 ft=0 fh=0000000000000000 vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\Ann\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\23\53d90297-526841de"
sh=225E89F5BE1828A4BEF854184FF816504F7451FC ft=0 fh=0000000000000000 vn="Java/Exploit.CVE-2013-2423.CR trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\Ann\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\61\2ce3fe3d-3093e281"
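
The log above holds two scanner runs, one stopped with remove_checked=false and one finished with remove_checked=true. As an added example (not part of the original post), this sketch splits such a log into runs and reports any detection that the last finished run did not clean. The function names are hypothetical, the sample is constructed, and reading `ac=C` as "cleaned" is an assumption based on the second run's lines.

```python
import re

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_runs(log_text):
    """Split log text into runs; each run starts at a '# version=' line."""
    runs = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("# version="):
            runs.append({"settings": {}, "detections": []})
        if not runs:
            continue  # installer preamble before the first run
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            runs[-1]["settings"][key] = value
        elif line.startswith("sh="):
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
            runs[-1]["detections"].append(fields)
    return runs

def uncleaned(runs):
    """Return sh values from any run that the last finished run did not clean."""
    seen = {d["sh"] for r in runs for d in r["detections"]}
    finished = [r for r in runs if r["settings"].get("end") == "finished"]
    if not finished:
        return seen
    # Assumption: ac=C marks a cleaned object, as in the second run above.
    cleaned = {d["sh"] for d in finished[-1]["detections"] if d.get("ac") == "C"}
    return seen - cleaned

# Constructed sample in the same layout as the log above (hashes shortened).
SAMPLE = r'''
ESETSmartInstaller@High as CAB hook log:
# version=8
# end=stopped
# remove_checked=false
# cleaned=0
sh=AAAA ft=0 vn="multiple threats" ac=I fn="C:\cache\6.0\23\sample-a"
sh=BBBB ft=0 vn="Java/Exploit.CVE-2013-2423.CR trojan" ac=I fn="C:\cache\6.0\61\sample-b"
# version=8
# end=finished
# remove_checked=true
# cleaned=2
sh=AAAA ft=0 vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\cache\6.0\23\sample-a"
sh=BBBB ft=0 vn="Java/Exploit.CVE-2013-2423.CR trojan (cleaned by deleting - quarantined)" ac=C fn="C:\cache\6.0\61\sample-b"
'''
```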

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all
Ok, let's do some cleanup.

To uninstall ComboFix


  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall



(Note: Make sure there's a space between the word ComboFix and the forward-slash.)


  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.

***********************************************
To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.

  • Click the CleanUp button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
*******************************************
Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.


Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.


This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space in C drive.)
**************************************
Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla-based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all
Great, thanks!

Re: FBI Moneygram Virus - Computer Locked / Safe Mode not working at all
You're welcome. I will lock this thread. If you need it re-opened, please send me a PM.
