Solve : malware/virus started with ransom from moneypak now won't boot

1.	Solve : malware/virus started with ransom from moneypak now won't boot safe mode?
Answer» My computer won't boot in safe mode it keeps returning to the screen that wants to know if I want safe mode or whatever. If I don't select normal it keeps going in circles. It started with moneypak ransom note now shows can't find web page. Will not let me do anything, goes quickly to the page and freezes out. Can some one please save me? ComboFix scan Please download ComboFix by sUBs From BleepingComputer.com Please save the file to your Desktop. Important information about ComboFix After the download: Close any open browsers. Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished. If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection. Running ComboFix: Double click on ComboFix.exe & follow the prompts. When ComboFix finishes, it will produce a report for you. Please post the report, which will launch or be FOUND at "C:\Combo-Fix.txt" in your next reply. Troubleshooting ComboFix Safe Mode: If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there. (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.") Re-downloading: If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe. Malware is KNOWN for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe. NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.thanks for responding, but I can not do anything once I get to the windows because the screen is blocked. Also I can't get to safe mode, it keeps sending me in a circle until I push normalOTLPE + Farbar Recovery Scan Tool Download OTLPENet.exe to your desktop Download Farbar Recovery Scan Tool and save it to a flash drive. Ensure that you have a blank CD in the drive Double click OTLPENet.exe and this will then open imgburn to burn the file to CD Reboot your system using the boot CD you just created. *Note : If you do not know how to set your computer to boot from CD follow the steps here* As the CD needs to detect your hardware and load the operating system, I would recommend a nice CUP of tea whilst it loads Your system should now display a Reatogo desktop. *Note : as you are running from CD it is not exactly speedy* Insert the flash drive with FRST on it Locate the flash drive and run FSRT The tool will start to run. When the tool opens click Yes to disclaimer. Press Scan button. It will do its scan and save a log on your flash drive. Close out of the message after that, then type in the text services.exe in to the "Search:" text box. Then, press the Search file(s) button, just as below: When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive. Type exit in the Command Prompt window and reboot the computer normally FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply. First I want to say Thank You for your help so far. I did all you told me. When I rebooted I was not able to go to safe mode and normal still gives me the page of that won't let do anything further. Here is the logfile. What now? Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-10-2012 Ran by SYSTEM at 31-10-2012 13:32:07 Running from J:\ Microsoft Windows XP (X86) OS Language: English(US) The current controlset is ControlSet004 ==================== Registry (Whitelisted) =================== HKLM\...\Run: [CHotkey] zHotkey.exe HKLM\...\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime [98304 2010-01-21] (Apple Computer, Inc.) HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated) HKLM\...\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot [296056 2012-07-02] (RealNetworks, Inc.) HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.) HKLM\...\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe [135168 2004-10-18] (Alcor Micro, Corp.) HKLM\...\Run: [SoundMan] SOUNDMAN.EXE HKLM\...\Run: [ShowWnd] ShowWnd.exe HKLM\...\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE [212992 2002-09-13] () HKLM\...\Run: [Philips Device Listener] "C:\Program Files\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe" [375296 2010-05-27] () HKLM\...\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [50688 2003-06-07] (Microsoft® Corporation) HKLM\...\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe HKLM\...\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon [86016 2012-10-01] (alch) HKLM\...\Run: [AllShareAgent] C:\Program Files\Samsung\AllShare\AllShareAgent.exe [282512 2011-07-16] (Samsung Electronics Co., Ltd.) HKLM\...\Run: [AlcWzrd] ALCWZRD.EXE HKLM\...\Run: [Alcmtr] ALCMTR.EXE HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2007-10-14] (Hewlett-Packard) HKLM\...\Run: [SearchSettings] "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe" [1111432 2012-10-16] (Spigot, Inc.) HKLM\...\Run: [Windows Service] C:\Documents and Settings\Owner\Application Data\ukovn\ukovn.exe [154624 2012-10-29] (Auslogics) HKU\Owner\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-13] (Microsoft Corporation) HKU\Owner\...\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [1695232 2008-04-13] (Microsoft Corporation) HKU\Owner\...\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c [116648 2012-09-20] (Google Inc.) HKU\Owner\...\Run: [Windows Service] C:\Documents and Settings\Owner\Application Data\ukovn\ukovn.exe [154624 2012-10-29] (Auslogics) Winlogon\Notify\igfxcui: igfxsrvc.dll (Intel Corporation) AppInit_DLLs: Tcpip\..\Interfaces\{F7274D1D-E0A8-433A-937A-57259744774F}: [NameServer]156.154.70.22,156.154.71.22 Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DisplayKEY eSYNC Info.lnk ShortcutTarget: DisplayKEY eSYNC Info.lnk -> C:\dKEYUSBCradle\SyncInfoApp.exe (Supra) Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.) Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WPN111 Smart Wizard.lnk ShortcutTarget: NETGEAR WPN111 Smart Wizard.lnk -> C:\Program Files\NETGEAR\WPN111\wpn111.exe (NETGEAR) Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe () ==================== Services (Whitelisted) =================== 2 AdvancedSystemCareService6; C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe [1026432 2012-10-12] (IObit) 2 Application Updater; "C:\Program Files\Application Updater\ApplicationUpdater.exe" [799112 2012-10-09] (Spigot, Inc.) 3 AppMgmt; C:\Windows\System32\svchost.exe -k netsvcs [14336 2008-04-13] (Microsoft Corporation) 2 dKeySync; C:\dKEYUSBCradle\SyncService.exe [42496 2011-11-11] (Supra) 2 Eventlog; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation) 4 HidServ; C:\Windows\System32\svchost.exe -k netsvcs [14336 2008-04-13] (Microsoft Corporation) 2 IMFservice; C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe [820568 2011-07-20] (IObit) 2 MSSQL$OASIS; "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sOASIS [29293408 2010-12-10] (Microsoft Corporation) 2 SamsungAllShareV2.0; "C:\Program Files\Samsung\AllShare\AllShareDMS\AllShareDMS.exe" [24992 2011-07-16] (Samsung Electronics Co., Ltd.) 3 SimpleSlideShowServer; "C:\Program Files\Samsung\AllShare\AllShareSlideShowService.exe" [27584 2011-07-16] (Samsung Electronics Co., Ltd.) 3 FontCache3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe 3 idsvc; "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows COMMUNICATION Foundation\infocard.exe" 2 JavaQuickStarterService; "C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe" -service -config "C:\Program Files\Oracle\JavaFX 2.1 Runtime\lib\deploy\jqs\jqs.conf" 4 NetTcpPortSharing; "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" ==================== Drivers (Whitelisted) ==================== 2 AegisP; C:\Windows\System32\DRIVERS\AegisP.sys [21275 2010-01-29] (Meetinghouse Data Communications) 3 DNINDIS5; \??\C:\WINDOWS\system32\DNINDIS5.SYS [17149 2003-07-24] (Printing Communications Assoc., Inc. (PCAUSA)) 4 FileMonitor; \??\C:\Program Files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [239600 2011-07-11] () 3 HdAudAddService; C:\Windows\System32\drivers\HdAudio.sys [113664 2004-03-17] (Windows (R) Server 2003 DDK provider) 3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows (R) Server 2003 DDK provider) 3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2007-01-17] (HP) 3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [737874 2004-08-20] (Intel Corporation) 3 mxnic; C:\Windows\System32\DRIVERS\mxnic.sys [19968 2001-08-17] (Macronix International Co., Ltd. ) 1 P3; C:\Windows\System32\DRIVERS\p3.sys [42752 2008-04-13] (Microsoft Corporation) 2 PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [172032 2010-01-21] (New Boundary Technologies, Inc.) 3 RegFilter; \??\C:\Program Files\IObit\IObit Malware Fighter\drivers\wxp_x86\regfilter.sys [30368 2011-03-23] (IObit.com) 3 ROCKEYNT; C:\Windows\System32\DRIVERS\Rockey4.sys [22016 2004-02-13] (Feitian Technologies Co., Ltd.) 3 Rockey_USB; C:\Windows\System32\DRIVERS\Rockey4USB.sys [12928 2004-02-13] (Feitian Technologies Co., Ltd.) 1 SBRE; \??\C:\WINDOWS\system32\drivers\SBREdrv.sys [93872 2009-08-05] (Sunbelt Software) 3 silabenm; C:\Windows\System32\DRIVERS\silabenm.sys [49416 2011-11-11] (Silicon Laboratories) 3 silabser; C:\Windows\System32\DRIVERS\silabser.sys [66568 2011-11-11] (Silicon Laboratories) 0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [13496 2011-02-23] () 3 SunkFilt; \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys [40724 2004-10-20] (Alcor Micro Corp.) 3 SunkFilt39; \??\C:\WINDOWS\System32\Drivers\sunkfilt39.sys [42968 2004-10-18] (Alcor Micro Corp.) 3 UrlFilter; \??\C:\Program Files\IObit\IObit Malware Fighter\drivers\wxp_x86\UrlFilter.sys [16080 2011-03-23] (IObit.com) 3 WPN111; C:\Windows\System32\DRIVERS\WPN111.sys [384608 2008-04-18] (Atheros Communications, Inc.) 4 Abiosdsk; 4 Atdisk; 1 Changer; 3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys 3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys 1 lbrtfdc; 1 PCIDump; 3 PDCOMP; 3 PDFRAME; 3 PDRELI; 3 PDRFRAME; 4 Simbad; 3 slabbus; C:\Windows\System32\DRIVERS\slabbus.sys 3 slabser; C:\Windows\System32\DRIVERS\slabser.sys 3 Sunkfiltp; 3 wanatw; C:\Windows\System32\DRIVERS\wanatw4.sys 3 WDICA; ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2012-10-31 11:23 - 2012-10-31 11:23 - 00000000 ____D C:\FRST 2012-10-29 17:47 - 2012-10-29 17:47 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\ukovn 2012-10-28 16:50 - 2012-10-30 10:22 - 00014662 ____A C:\Windows\setupapi.log 2012-10-28 13:30 - 2012-10-28 13:33 - 00000000 ____D C:\Documents and Settings\Owner\My Documents\taftplan1_files 2012-10-24 11:24 - 2012-10-24 11:24 - 00000874 ____A C:\Documents and Settings\All Users\Desktop\Advanced SystemCare 6.lnk 2012-10-24 11:24 - 2012-10-24 11:24 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\IObit 2012-10-20 13:22 - 2012-10-20 13:22 - 00000000 ____D C:\Program Files\IObit Toolbar 2012-10-20 13:22 - 2012-10-20 13:22 - 00000000 ____D C:\Program Files\Common Files\Spigot 2012-10-20 13:22 - 2012-10-20 13:22 - 00000000 ____D C:\Program Files\Application Updater 2012-10-20 13:22 - 2012-10-20 13:22 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\Search Settings 2012-10-17 19:11 - 2007-11-06 22:10 - 00271704 ___RA (Hewlett-Packard) C:\Windows\System32\hpzids01.dll 2012-10-17 19:10 - 2007-10-31 06:35 - 00729088 ___RA (Hewlett-Packard) C:\Windows\System32\hpwwiax4.dll 2012-10-17 19:10 - 2007-10-31 06:35 - 00593920 ___RA (Hewlett-Packard Co.) C:\Windows\System32\hpwtscl3.dll 2012-10-17 19:10 - 2007-01-17 12:37 - 00364544 ___RA (Hewlett-Packard) C:\Windows\System32\hppldcoi.dll 2012-10-17 19:10 - 2007-01-17 12:37 - 00309760 ___RA (Microsoft Corporation) C:\Windows\System32\difxapi.dll 2012-10-17 19:10 - 2007-01-17 12:31 - 00294912 ___RA (Hewlett-Packard Co.) C:\Windows\System32\hpovst11.dll 2012-10-17 19:07 - 2012-10-17 19:07 - 00001968 ____A C:\Documents and Settings\All Users\Desktop\HP Document Manager.lnk 2012-10-17 19:07 - 2012-10-17 19:07 - 00001858 ____A C:\Documents and Settings\All Users\Desktop\HP Photosmart Essential 2.5.lnk 2012-10-17 19:06 - 2012-10-17 19:06 - 00000984 ____A C:\Documents and Settings\All Users\Desktop\HP Solution Center.lnk 2012-10-17 19:06 - 2012-10-17 19:06 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HP Product Assistant 2012-10-17 19:04 - 2012-10-17 19:04 - 00000000 ____D C:\Program Files\Common Files\HP 2012-10-17 18:58 - 2012-10-17 19:15 - 00178364 ____A C:\Windows\hpwins20.dat 2012-10-17 18:58 - 2008-01-08 08:42 - 00002428 ___RA C:\Windows\hpwmdl20.dat 2012-10-10 12:38 - 2012-10-10 12:38 - 00000000 __HDC C:\Windows\$NtUninstallKB2724197$ 2012-10-10 12:36 - 2012-10-10 12:36 - 00000000 __HDC C:\Windows\$NtUninstallKB2756822$ 2012-10-10 12:36 - 2012-10-10 12:36 - 00000000 __HDC C:\Windows\$NtUninstallKB2749655$ 2012-10-10 12:35 - 2012-10-10 12:35 - 00000000 __HDC C:\Windows\$NtUninstallKB2661254-v2$ 2012-10-10 11:51 - 2012-10-10 11:51 - 00197908 ____A C:\Documents and Settings\Owner\My Documents\verification WORKSHEET - Dep.prn 2012-10-09 16:53 - 2012-10-09 16:53 - 00018944 ____A C:\Documents and Settings\Owner\My Documents\ltr painter remae.wps 2012-10-08 15:28 - 2012-10-08 15:28 - 10220472 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe 2012-10-04 13:57 - 2012-10-04 13:57 - 08429932 ____A C:\Documents and Settings\Owner\My Documents\hooperbankdocs7 ==================== 3 Months Modified Files ================== 2012-10-31 12:54 - 2010-02-01 13:55 - 00000274 ____A C:\Windows\wiadebug.log 2012-10-31 12:54 - 2010-02-01 13:55 - 00000050 ____A C:\Windows\wiaservc.log 2012-10-31 12:54 - 2010-01-22 23:49 - 00000374 ____A C:\Windows\System32\Drivers\etc\hosts.ics 2012-10-31 12:54 - 2004-08-26 14:09 - 00000178 __ASH C:\Documents and Settings\Owner\ntuser.ini 2012-10-31 12:54 - 2004-08-26 14:08 - 00031904 ____A C:\Windows\SchedLgU.Txt 2012-10-31 12:54 - 2004-08-26 14:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT 2012-10-31 12:54 - 2004-08-26 14:02 - 01360477 ____A C:\Windows\WindowsUpdate.log 2012-10-31 12:53 - 2011-07-27 13:24 - 00000280 ____A C:\Windows\Tasks\SmartDefrag_Startup.job 2012-10-31 12:52 - 2012-01-01 18:28 - 00000278 ____A C:\Windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2615104831-1368381422-192617974-1003.job 2012-10-31 12:52 - 2004-08-26 14:09 - 00000062 __ASH C:\Documents and Settings\Owner\Local Settings\desktop.ini 2012-10-31 12:52 - 2004-08-26 14:08 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini 2012-10-31 12:52 - 2004-08-26 14:08 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini 2012-10-30 10:22 - 2012-10-28 16:50 - 00014662 ____A C:\Windows\setupapi.log 2012-10-30 09:41 - 2004-08-26 12:12 - 00001170 ____A C:\Windows\System32\wpa.dbl 2012-10-29 19:41 - 2012-09-20 12:31 - 00000978 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2615104831-1368381422-192617974-1003UA.job 2012-10-29 16:25 - 2012-05-11 12:16 - 00000392 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{B1DA1CAD-FBC4-4C41-8FEF-946DF398194F}.job 2012-10-28 16:42 - 2010-02-01 13:55 - 00000000 ____A C:\Windows\Sti_Trace.log 2012-10-28 13:08 - 2011-10-09 15:38 - 00000286 ____A C:\Windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2615104831-1368381422-192617974-1003.job 2012-10-27 11:15 - 2012-09-13 12:45 - 00149168 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat 2012-10-27 10:41 - 2012-09-20 12:31 - 00000926 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2615104831-1368381422-192617974-1003Core.job 2012-10-24 11:24 - 2012-10-24 11:24 - 00000874 ____A C:\Documents and Settings\All Users\Desktop\Advanced SystemCare 6.lnk 2012-10-18 16:33 - 2012-07-02 12:20 - 29356032 ____A C:\Windows\System32\config\software.iobit 2012-10-18 16:33 - 2012-07-02 12:20 - 09592832 ____A C:\Windows\System32\config\system.iobit 2012-10-18 16:33 - 2012-07-02 12:20 - 00651264 ____A C:\Windows\System32\config\default.iobit 2012-10-18 16:33 - 2012-07-02 12:20 - 00061440 ____A C:\Windows\System32\config\SECURITY.iobit 2012-10-18 16:33 - 2012-07-02 12:20 - 00028672 ____A C:\Windows\System32\config\SAM.iobit 2012-10-17 19:15 - 2012-10-17 18:58 - 00178364 ____A C:\Windows\hpwins20.dat 2012-10-17 19:15 - 2010-02-04 12:23 - 00008916 ____A C:\Documents and Settings\All Users\Application Data\hpzinstall.log 2012-10-17 19:14 - 2004-08-26 12:12 - 00000616 ____A C:\Windows\win.ini 2012-10-17 19:07 - 2012-10-17 19:07 - 00001968 ____A C:\Documents and Settings\All Users\Desktop\HP Document Manager.lnk 2012-10-17 19:07 - 2012-10-17 19:07 - 00001858 ____A C:\Documents and Settings\All Users\Desktop\HP Photosmart Essential 2.5.lnk 2012-10-17 19:06 - 2012-10-17 19:06 - 00000984 ____A C:\Documents and Settings\All Users\Desktop\HP Solution Center.lnk 2012-10-11 16:13 - 2010-05-06 00:25 - 00019968 ____A C:\Documents and Settings\Owner\My Documents\Ltr Head.wps 2012-10-11 16:13 - 2010-02-09 18:50 - 00001618 ____A C:\Documents and Settings\Owner\Application Data\wklnhst.dat 2012-10-11 11:51 - 2012-09-20 12:32 - 00002284 ____A C:\Documents and Settings\Owner\Desktop\Google Chrome.lnk 2012-10-10 12:36 - 2010-01-31 05:04 - 00035396 ____A C:\Windows\System32\TZLog.log 2012-10-10 12:36 - 2010-01-30 11:36 - 62968832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe 2012-10-10 11:51 - 2012-10-10 11:51 - 00197908 ____A C:\Documents and Settings\Owner\My Documents\verification worksheet - Dep.prn 2012-10-09 16:53 - 2012-10-09 16:53 - 00018944 ____A C:\Documents and Settings\Owner\My Documents\ltr painter remae.wps 2012-10-08 15:28 - 2012-10-08 15:28 - 10220472 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe 2012-10-08 15:28 - 2012-03-30 10:20 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe 2012-10-08 15:28 - 2011-05-18 18:42 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl 2012-10-04 14:48 - 2012-03-04 18:00 - 00000682 ____A C:\Documents and Settings\All Users\Desktop\CCleaner.lnk 2012-10-04 13:57 - 2012-10-04 13:57 - 08429932 ____A C:\Documents and Settings\Owner\My Documents\hooperbankdocs7 2012-09-30 09:29 - 2012-03-30 10:20 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job 2012-09-26 15:43 - 2012-04-06 12:47 - 00054156 ___AH C:\Windows\QTFont.qfn 2012-09-11 21:14 - 2004-08-26 12:12 - 00000227 ____A C:\Windows\system.ini 2012-09-11 21:14 - 2004-08-26 12:12 - 00000211 _RASH C:\boot.ini 2012-09-11 08:34 - 2008-04-13 20:12 - 00046080 ____N (Microsoft Corporation) C:\Windows\System32\tzchange.exe 2012-08-28 21:44 - 2010-01-30 11:51 - 11111424 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ieframe.dll 2012-08-28 21:44 - 2009-03-08 06:39 - 11111424 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll 2012-08-28 11:14 - 2012-07-12 19:41 - 00521728 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\jsdbgui.dll 2012-08-28 11:14 - 2010-11-22 11:47 - 00743424 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\iedvtool.dll 2012-08-28 11:14 - 2010-01-30 11:52 - 00012800 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\xpshims.dll 2012-08-28 11:14 - 2010-01-30 11:51 - 02000384 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\iertutil.dll 2012-08-28 11:14 - 2010-01-30 11:51 - 00630272 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\msfeeds.dll 2012-08-28 11:14 - 2010-01-30 11:51 - 00247808 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ieproxy.dll 2012-08-28 11:14 - 2010-01-30 11:51 - 00055296 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\msfeedsbs.dll 2012-08-28 11:14 - 2009-03-08 06:32 - 02000384 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll 2012-08-28 11:14 - 2009-03-08 06:32 - 00630272 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll 2012-08-28 11:14 - 2009-03-08 06:31 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll 2012-08-28 11:14 - 2004-08-26 12:12 - 06008832 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\mshtml.dll 2012-08-28 11:14 - 2004-08-26 12:12 - 06008832 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll 2012-08-28 11:14 - 2004-08-26 12:12 - 01212416 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\urlmon.dll 2012-08-28 11:14 - 2004-08-26 12:12 - 01212416 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll 2012-08-28 11:14 - 2004-08-26 12:12 - 00916992 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\wininet.dll 2012-08-28 11:14 - 2004-08-26 12:12 - 00916992 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll 2012-08-28 11:14 - 2004-08-26 12:12 - 00611840 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\mstime.dll 2012-08-28 11:14 - 2004-08-26 12:12 - 00611840 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll 2012-08-28 11:14 - 2004-08-26 12:12 - 00206848 ____N (Microsoft Corporation) C:\Windows\System32\occache.dll 2012-08-28 11:14 - 2004-08-26 12:12 - 00206848 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\occache.dll 2012-08-28 11:14 - 2004-08-26 12:12 - 00105984 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\url.dll 2012-08-28 11:14 - 2004-08-26 12:12 - 00105984 ____A (Microsoft Corporation) C:\Windows\System32\url.dll 2012-08-28 11:14 - 2004-08-26 12:12 - 00067072 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\mshtmled.dll 2012-08-28 11:14 - 2004-08-26 12:12 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll 2012-08-28 11:14 - 2004-08-26 12:11 - 01469440 ____N (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl 2012-08-28 11:14 - 2004-08-26 12:11 - 01469440 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\inetcpl.cpl 2012-08-28 11:14 - 2004-08-26 12:11 - 00387584 ____N (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll 2012-08-28 11:14 - 2004-08-26 12:11 - 00387584 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\iedkcs32.dll 2012-08-28 11:14 - 2004-08-26 12:11 - 00184320 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\iepeers.dll 2012-08-28 11:14 - 2004-08-26 12:11 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll 2012-08-28 11:14 - 2004-08-26 12:11 - 00043520 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\licmgr10.dll 2012-08-28 11:14 - 2004-08-26 12:11 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll 2012-08-28 11:14 - 2004-08-26 12:11 - 00025600 ____N (Microsoft Corporation) C:\Windows\System32\jsproxy.dll 2012-08-28 11:14 - 2004-08-26 12:11 - 00025600 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\jsproxy.dll 2012-08-28 08:07 - 2004-08-26 12:11 - 00385024 ____A (Microsoft Corporation) C:\Windows\System32\html.iec 2012-08-28 08:07 - 2004-08-26 12:11 - 00174080 ____N (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe 2012-08-28 08:07 - 2004-08-26 12:11 - 00174080 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ie4uinit.exe 2012-08-24 09:53 - 2009-12-24 02:59 - 00177664 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\wintrust.dll 2012-08-24 09:53 - 2004-08-26 12:12 - 00177664 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll 2012-08-21 09:33 - 2010-01-30 05:29 - 02148864 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ntkrnlmp.exe 2012-08-21 09:29 - 2010-01-30 05:29 - 02192896 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ntoskrnl.exe 2012-08-21 09:29 - 2004-08-26 12:12 - 02192896 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe 2012-08-21 08:58 - 2010-01-30 05:29 - 02027520 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ntkrpamp.exe 2012-08-21 08:58 - 2009-02-07 21:02 - 02069632 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ntkrnlpa.exe 2012-08-21 08:58 - 2004-08-04 01:59 - 02069632 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe 2012-08-15 19:07 - 2004-08-26 06:54 - 00245512 ____A C:\Windows\System32\FNTCACHE.DAT 2012-08-13 12:13 - 2012-08-13 12:13 - 00622003 ____A C:\Documents and Settings\Owner\My Documents\annuitygpdisclesaud.zip ==================== Known DLLs (Whitelisted) ================= ==================== Bamital & volsnap Check ================= C:\Windows\explorer.exe => MD5 is legit C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== EXE ASSOCIATION ===================== HKLM\...\.exe: exefile => OK HKLM\...\exefile\DefaultIcon: %1 => OK HKLM\...\exefile\open\command: "%1" %* => OK ==================== Restore Points (XP) ===================== RP: -> 2012-10-29 19:53 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP281 RP: -> 2012-10-27 20:20 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP280 RP: -> 2012-10-26 19:46 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP279 RP: -> 2012-10-25 15:30 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP278 RP: -> 2012-10-23 18:45 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP277 RP: -> 2012-10-21 19:37 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP276 RP: -> 2012-10-17 19:14 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP275 RP: -> 2012-10-17 18:01 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP274 RP: -> 2012-10-16 15:42 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP273 RP: -> 2012-10-11 17:52 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP272 RP: -> 2012-10-10 12:35 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP271 RP: -> 2012-10-09 18:24 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP270 RP: -> 2012-10-08 18:12 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP269 RP: -> 2012-10-07 15:01 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP268 RP: -> 2012-10-05 12:00 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP267 RP: -> 2012-10-04 11:29 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP266 RP: -> 2012-10-03 14:40 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP265 RP: -> 2012-10-01 19:58 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP264 RP: -> 2012-09-30 11:24 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263 RP: -> 2012-09-28 10:35 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262 RP: -> 2012-09-26 16:59 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP261 RP: -> 2012-09-25 14:51 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260 RP: -> 2012-09-24 09:56 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP259 RP: -> 2012-09-22 20:57 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP258 RP: -> 2012-09-21 19:20 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP257 RP: -> 2012-09-21 13:49 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP256 RP: -> 2012-09-20 13:31 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP255 RP: -> 2012-09-18 20:19 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP254 RP: -> 2012-09-17 19:45 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP253 RP: -> 2012-09-16 12:06 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP252 RP: -> 2012-09-14 17:48 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP251 RP: -> 2012-09-12 21:52 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP250 RP: -> 2012-09-11 21:44 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP249 RP: -> 2012-09-11 14:28 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP248 RP: -> 2012-09-10 12:33 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP247 RP: -> 2012-09-09 11:00 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP246 RP: -> 2012-09-07 14:22 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP245 RP: -> 2012-09-06 11:30 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP244 RP: -> 2012-09-05 11:16 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP243 RP: -> 2012-09-03 16:41 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP242 RP: -> 2012-09-01 19:26 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP241 RP: -> 2012-08-30 21:02 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP240 RP: -> 2012-08-29 20:36 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP239 RP: -> 2012-08-21 17:31 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP238 RP: -> 2012-08-20 16:35 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP237 RP: -> 2012-08-18 16:40 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP236 RP: -> 2012-08-17 00:07 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP235 RP: -> 2012-08-16 12:19 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP234 RP: -> 2012-08-15 11:18 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP233 RP: -> 2012-08-15 11:18 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP232 RP: -> 2012-08-15 11:17 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP231 RP: -> 2012-08-15 11:16 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP230 RP: -> 2012-08-15 11:15 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP229 RP: -> 2012-08-14 13:15 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP228 RP: -> 2012-08-13 12:56 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP227 RP: -> 2012-08-12 11:44 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP226 RP: -> 2012-08-11 10:14 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP225 RP: -> 2012-08-09 18:44 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP224 RP: -> 2012-08-07 18:14 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP223 RP: -> 2012-08-06 17:17 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP222 RP: -> 2012-08-04 21:38 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP221 RP: -> 2012-08-03 20:48 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP220 RP: -> 2012-08-02 13:07 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP219 RP: -> 2012-07-31 18:35 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP218 ==================== Memory info =========================== Percentage of memory in use: 42% Total physical RAM: 501.75 MB Available physical RAM: 288.37 MB Total Pagefile: 453.51 MB Available Pagefile: 319.86 MB Total Virtual: 2047.88 MB Available Virtual: 2002.54 MB ==================== Partitions ============================= 1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS 2 Drive c: () (Fixed) (Total:144.83 GB) (Free:79.16 GB) NTFS ==>[Drive with boot components (Windows XP)] 7 Drive h: () (Fixed) (Total:4.2 GB) (Free:1.68 GB) FAT32 9 Drive j: (USB MEMORY) (Removable) (Total:0.06 GB) (Free:0.06 GB) FAT 10 Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS Disk ### Status Size Free Dyn Gpt -------- ---------- ------- ------- --- --- Disk 0 Online 149 GB 0 B Partitions of Disk 0: =============== Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Primary 4314 MB 32 KB Partition 2 Primary 145 GB 4314 MB ========================================================= Disk: 0 Partition 1 Type : 0B Hidden: No Active: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 2 H FAT32 Partition 4314 MB Healthy ========================================================= Disk: 0 Partition 2 Type : 07 Hidden: No Active: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 3 C NTFS Partition 145 GB Healthy =========================================================FRST Fixlist Please run the following: Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt Quote start 2012-10-29 17:47 - 2012-10-29 17:47 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\ukovn 2012-10-20 13:22 - 2012-10-20 13:22 - 00000000 ____D C:\Program Files\IObit Toolbar 2012-10-20 13:22 - 2012-10-20 13:22 - 00000000 ____D C:\Program Files\Common Files\Spigot 2012-10-20 13:22 - 2012-10-20 13:22 - 00000000 ____D C:\Program Files\Application Updater 2012-10-20 13:22 - 2012-10-20 13:22 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\Search Settings HKLM\...\Run: [SearchSettings] "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe" [1111432 2012-10-16] (Spigot, Inc.) HKLM\...\Run: [Windows Service] C:\Documents and Settings\Owner\Application Data\ukovn\ukovn.exe [154624 2012-10-29] (Auslogics) HKU\Owner\...\Run: [Windows Service] C:\Documents and Settings\Owner\Application Data\ukovn\ukovn.exe [154624 2012-10-29] (Auslogics) AppInit_DLLs: 2 Application Updater; "C:\Program Files\Application Updater\ApplicationUpdater.exe" [799112 2012-10-09] (Spigot, Inc.) end NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system Now, please enter OTLPE and access the flash drive. Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply. Now restart, let it boot normally and tell me how it went.You are amazing, thank you so very much. What could I do to prevent this in the future? Here is the fixlog Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 30-10-2012 Ran by SYSTEM at 2012-10-31 17:12:35 Run:1 Running from J:\ ============================================== C:\Documents and Settings\Owner\Application Data\ukovn moved successfully. C:\Program Files\IObit Toolbar moved successfully. C:\Program Files\Common Files\Spigot moved successfully. C:\Program Files\Application Updater moved successfully. C:\Documents and Settings\Owner\Application Data\Search Settings moved successfully. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SearchSettings Value deleted successfully. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Windows Service Value deleted successfully. HKEY_USERS\Owner\Software\Microsoft\Windows\CurrentVersion\Run\\Windows Service Value deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs Value was restored successfully . Application Updater service deleted successfully. ==== End of Fixlog ====It's good that it helped fix the main issue, but I want to make sure the other viruses are gone too that may have come "bundled" with this threat (MoneyPak FBI) ComboFix scan Please download ComboFix by sUBs From BleepingComputer.com Please save the file to your Desktop. Important information about ComboFix After the download: Close any open browsers. Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished. If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection. Running ComboFix: Double click on ComboFix.exe & follow the prompts. When ComboFix finishes, it will produce a report for you. Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply. Troubleshooting ComboFix Safe Mode: If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there. (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.") Re-downloading: If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe. Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe. NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Solve : malware/virus started with ransom from moneypak now won't boot safe mode?

Answer»

My computer won't boot in safe mode it keeps returning to the screen that wants to know if I want safe mode or whatever. If I don't select normal it keeps going in circles. It started with moneypak ransom note now shows can't find web page. Will not let me do anything, goes quickly to the page and freezes out. Can some one please save me?
ComboFix scan

Please download ComboFix by sUBs
From BleepingComputer.com

Please save the file to your Desktop.

Important information about ComboFix

After the download:

Close any open browsers.
Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:

Double click on ComboFix.exe & follow the prompts.
When ComboFix finishes, it will produce a report for you.
Please post the report, which will launch or be FOUND at "C:\Combo-Fix.txt" in your next reply.

Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is KNOWN for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.thanks for responding, but I can not do anything once I get to the windows because the screen is blocked. Also I can't get to safe mode, it keeps sending me in a circle until I push normalOTLPE + Farbar Recovery Scan Tool

Download OTLPENet.exe to your desktop
Download Farbar Recovery Scan Tool and save it to a flash drive.
Ensure that you have a blank CD in the drive
Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
Reboot your system using the boot CD you just created.

Note : If you do not know how to set your computer to boot from CD follow the steps here

As the CD needs to detect your hardware and load the operating system, I would recommend a nice CUP of tea whilst it loads
Your system should now display a Reatogo desktop.

Note : as you are running from CD it is not exactly speedy

Insert the flash drive with FRST on it
Locate the flash drive and run FSRT
The tool will start to run.

When the tool opens click Yes to disclaimer.
Press Scan button. It will do its scan and save a log on your flash drive.
Close out of the message after that, then type in the text services.exe in to the "Search:" text box. Then, press the Search file(s) button, just as below:

When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
Type exit in the Command Prompt window and reboot the computer normally
FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.

First I want to say Thank You for your help so far. I did all you told me. When I rebooted I was not able to go to safe mode and normal still gives me the page of that won't let do anything further. Here is the logfile. What now?

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-10-2012
Ran by SYSTEM at 31-10-2012 13:32:07
Running from J:\
Microsoft Windows XP (X86) OS Language: English(US)
The current controlset is ControlSet004

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [CHotkey] zHotkey.exe

HKLM\...\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime [98304 2010-01-21] (Apple Computer, Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM\...\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot [296056 2012-07-02] (RealNetworks, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM\...\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe [135168 2004-10-18] (Alcor Micro, Corp.)
HKLM\...\Run: [SoundMan] SOUNDMAN.EXE

HKLM\...\Run: [ShowWnd] ShowWnd.exe

HKLM\...\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE [212992 2002-09-13] ()
HKLM\...\Run: [Philips Device Listener] "C:\Program Files\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe" [375296 2010-05-27] ()
HKLM\...\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [50688 2003-06-07] (Microsoft® Corporation)
HKLM\...\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

HKLM\...\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon [86016 2012-10-01] (alch)
HKLM\...\Run: [AllShareAgent] C:\Program Files\Samsung\AllShare\AllShareAgent.exe [282512 2011-07-16] (Samsung Electronics Co., Ltd.)
HKLM\...\Run: [AlcWzrd] ALCWZRD.EXE

HKLM\...\Run: [Alcmtr] ALCMTR.EXE

HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2007-10-14] (Hewlett-Packard)
HKLM\...\Run: [SearchSettings] "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe" [1111432 2012-10-16] (Spigot, Inc.)
HKLM\...\Run: [Windows Service] C:\Documents and Settings\Owner\Application Data\ukovn\ukovn.exe [154624 2012-10-29] (Auslogics)
HKU\Owner\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-13] (Microsoft Corporation)
HKU\Owner\...\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [1695232 2008-04-13] (Microsoft Corporation)
HKU\Owner\...\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c [116648 2012-09-20] (Google Inc.)
HKU\Owner\...\Run: [Windows Service] C:\Documents and Settings\Owner\Application Data\ukovn\ukovn.exe [154624 2012-10-29] (Auslogics)
Winlogon\Notify\igfxcui: igfxsrvc.dll (Intel Corporation)
AppInit_DLLs:
Tcpip\..\Interfaces\{F7274D1D-E0A8-433A-937A-57259744774F}: [NameServer]156.154.70.22,156.154.71.22
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DisplayKEY eSYNC Info.lnk
ShortcutTarget: DisplayKEY eSYNC Info.lnk -> C:\dKEYUSBCradle\SyncInfoApp.exe (Supra)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WPN111 Smart Wizard.lnk
ShortcutTarget: NETGEAR WPN111 Smart Wizard.lnk -> C:\Program Files\NETGEAR\WPN111\wpn111.exe (NETGEAR)
Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ===================

2 AdvancedSystemCareService6; C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe [1026432 2012-10-12] (IObit)
2 Application Updater; "C:\Program Files\Application Updater\ApplicationUpdater.exe" [799112 2012-10-09] (Spigot, Inc.)
3 AppMgmt; C:\Windows\System32\svchost.exe -k netsvcs [14336 2008-04-13] (Microsoft Corporation)
2 dKeySync; C:\dKEYUSBCradle\SyncService.exe [42496 2011-11-11] (Supra)
2 Eventlog; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation)
4 HidServ; C:\Windows\System32\svchost.exe -k netsvcs [14336 2008-04-13] (Microsoft Corporation)
2 IMFservice; C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe [820568 2011-07-20] (IObit)
2 MSSQL$OASIS; "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sOASIS [29293408 2010-12-10] (Microsoft Corporation)
2 SamsungAllShareV2.0; "C:\Program Files\Samsung\AllShare\AllShareDMS\AllShareDMS.exe" [24992 2011-07-16] (Samsung Electronics Co., Ltd.)
3 SimpleSlideShowServer; "C:\Program Files\Samsung\AllShare\AllShareSlideShowService.exe" [27584 2011-07-16] (Samsung Electronics Co., Ltd.)
3 FontCache3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

3 idsvc; "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows COMMUNICATION Foundation\infocard.exe"

2 JavaQuickStarterService; "C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe" -service -config "C:\Program Files\Oracle\JavaFX 2.1 Runtime\lib\deploy\jqs\jqs.conf"

4 NetTcpPortSharing; "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"

==================== Drivers (Whitelisted) ====================

2 AegisP; C:\Windows\System32\DRIVERS\AegisP.sys [21275 2010-01-29] (Meetinghouse Data Communications)
3 DNINDIS5; \??\C:\WINDOWS\system32\DNINDIS5.SYS [17149 2003-07-24] (Printing Communications Assoc., Inc. (PCAUSA))
4 FileMonitor; \??\C:\Program Files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [239600 2011-07-11] ()
3 HdAudAddService; C:\Windows\System32\drivers\HdAudio.sys [113664 2004-03-17] (Windows (R) Server 2003 DDK provider)
3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows (R) Server 2003 DDK provider)
3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2007-01-17] (HP)
3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [737874 2004-08-20] (Intel Corporation)
3 mxnic; C:\Windows\System32\DRIVERS\mxnic.sys [19968 2001-08-17] (Macronix International Co., Ltd. )
1 P3; C:\Windows\System32\DRIVERS\p3.sys [42752 2008-04-13] (Microsoft Corporation)
2 PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [172032 2010-01-21] (New Boundary Technologies, Inc.)
3 RegFilter; \??\C:\Program Files\IObit\IObit Malware Fighter\drivers\wxp_x86\regfilter.sys [30368 2011-03-23] (IObit.com)
3 ROCKEYNT; C:\Windows\System32\DRIVERS\Rockey4.sys [22016 2004-02-13] (Feitian Technologies Co., Ltd.)
3 Rockey_USB; C:\Windows\System32\DRIVERS\Rockey4USB.sys [12928 2004-02-13] (Feitian Technologies Co., Ltd.)
1 SBRE; \??\C:\WINDOWS\system32\drivers\SBREdrv.sys [93872 2009-08-05] (Sunbelt Software)
3 silabenm; C:\Windows\System32\DRIVERS\silabenm.sys [49416 2011-11-11] (Silicon Laboratories)
3 silabser; C:\Windows\System32\DRIVERS\silabser.sys [66568 2011-11-11] (Silicon Laboratories)
0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [13496 2011-02-23] ()
3 SunkFilt; \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys [40724 2004-10-20] (Alcor Micro Corp.)
3 SunkFilt39; \??\C:\WINDOWS\System32\Drivers\sunkfilt39.sys [42968 2004-10-18] (Alcor Micro Corp.)
3 UrlFilter; \??\C:\Program Files\IObit\IObit Malware Fighter\drivers\wxp_x86\UrlFilter.sys [16080 2011-03-23] (IObit.com)
3 WPN111; C:\Windows\System32\DRIVERS\WPN111.sys [384608 2008-04-18] (Atheros Communications, Inc.)
4 Abiosdsk;

4 Atdisk;

1 Changer;

3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys

3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys

1 lbrtfdc;

1 PCIDump;

3 PDCOMP;

3 PDFRAME;

3 PDRELI;

3 PDRFRAME;

4 Simbad;

3 slabbus; C:\Windows\System32\DRIVERS\slabbus.sys

3 slabser; C:\Windows\System32\DRIVERS\slabser.sys

3 Sunkfiltp;

3 wanatw; C:\Windows\System32\DRIVERS\wanatw4.sys

3 WDICA;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2012-10-31 11:23 - 2012-10-31 11:23 - 00000000 ____D C:\FRST
2012-10-29 17:47 - 2012-10-29 17:47 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\ukovn
2012-10-28 16:50 - 2012-10-30 10:22 - 00014662 ____A C:\Windows\setupapi.log
2012-10-28 13:30 - 2012-10-28 13:33 - 00000000 ____D C:\Documents and Settings\Owner\My Documents\taftplan1_files
2012-10-24 11:24 - 2012-10-24 11:24 - 00000874 ____A C:\Documents and Settings\All Users\Desktop\Advanced SystemCare 6.lnk
2012-10-24 11:24 - 2012-10-24 11:24 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\IObit
2012-10-20 13:22 - 2012-10-20 13:22 - 00000000 ____D C:\Program Files\IObit Toolbar
2012-10-20 13:22 - 2012-10-20 13:22 - 00000000 ____D C:\Program Files\Common Files\Spigot
2012-10-20 13:22 - 2012-10-20 13:22 - 00000000 ____D C:\Program Files\Application Updater
2012-10-20 13:22 - 2012-10-20 13:22 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\Search Settings
2012-10-17 19:11 - 2007-11-06 22:10 - 00271704 ___RA (Hewlett-Packard) C:\Windows\System32\hpzids01.dll
2012-10-17 19:10 - 2007-10-31 06:35 - 00729088 ___RA (Hewlett-Packard) C:\Windows\System32\hpwwiax4.dll
2012-10-17 19:10 - 2007-10-31 06:35 - 00593920 ___RA (Hewlett-Packard Co.) C:\Windows\System32\hpwtscl3.dll
2012-10-17 19:10 - 2007-01-17 12:37 - 00364544 ___RA (Hewlett-Packard) C:\Windows\System32\hppldcoi.dll
2012-10-17 19:10 - 2007-01-17 12:37 - 00309760 ___RA (Microsoft Corporation) C:\Windows\System32\difxapi.dll
2012-10-17 19:10 - 2007-01-17 12:31 - 00294912 ___RA (Hewlett-Packard Co.) C:\Windows\System32\hpovst11.dll
2012-10-17 19:07 - 2012-10-17 19:07 - 00001968 ____A C:\Documents and Settings\All Users\Desktop\HP Document Manager.lnk
2012-10-17 19:07 - 2012-10-17 19:07 - 00001858 ____A C:\Documents and Settings\All Users\Desktop\HP Photosmart Essential 2.5.lnk
2012-10-17 19:06 - 2012-10-17 19:06 - 00000984 ____A C:\Documents and Settings\All Users\Desktop\HP Solution Center.lnk
2012-10-17 19:06 - 2012-10-17 19:06 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2012-10-17 19:04 - 2012-10-17 19:04 - 00000000 ____D C:\Program Files\Common Files\HP
2012-10-17 18:58 - 2012-10-17 19:15 - 00178364 ____A C:\Windows\hpwins20.dat
2012-10-17 18:58 - 2008-01-08 08:42 - 00002428 ___RA C:\Windows\hpwmdl20.dat
2012-10-10 12:38 - 2012-10-10 12:38 - 00000000 __HDC C:\Windows\$NtUninstallKB2724197$
2012-10-10 12:36 - 2012-10-10 12:36 - 00000000 __HDC C:\Windows\$NtUninstallKB2756822$
2012-10-10 12:36 - 2012-10-10 12:36 - 00000000 __HDC C:\Windows\$NtUninstallKB2749655$
2012-10-10 12:35 - 2012-10-10 12:35 - 00000000 __HDC C:\Windows\$NtUninstallKB2661254-v2$
2012-10-10 11:51 - 2012-10-10 11:51 - 00197908 ____A C:\Documents and Settings\Owner\My Documents\verification WORKSHEET - Dep.prn
2012-10-09 16:53 - 2012-10-09 16:53 - 00018944 ____A C:\Documents and Settings\Owner\My Documents\ltr painter remae.wps
2012-10-08 15:28 - 2012-10-08 15:28 - 10220472 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2012-10-04 13:57 - 2012-10-04 13:57 - 08429932 ____A C:\Documents and Settings\Owner\My Documents\hooperbankdocs7

==================== 3 Months Modified Files ==================

2012-10-31 12:54 - 2010-02-01 13:55 - 00000274 ____A C:\Windows\wiadebug.log
2012-10-31 12:54 - 2010-02-01 13:55 - 00000050 ____A C:\Windows\wiaservc.log
2012-10-31 12:54 - 2010-01-22 23:49 - 00000374 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2012-10-31 12:54 - 2004-08-26 14:09 - 00000178 __ASH C:\Documents and Settings\Owner\ntuser.ini
2012-10-31 12:54 - 2004-08-26 14:08 - 00031904 ____A C:\Windows\SchedLgU.Txt
2012-10-31 12:54 - 2004-08-26 14:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-31 12:54 - 2004-08-26 14:02 - 01360477 ____A C:\Windows\WindowsUpdate.log
2012-10-31 12:53 - 2011-07-27 13:24 - 00000280 ____A C:\Windows\Tasks\SmartDefrag_Startup.job
2012-10-31 12:52 - 2012-01-01 18:28 - 00000278 ____A C:\Windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2615104831-1368381422-192617974-1003.job
2012-10-31 12:52 - 2004-08-26 14:09 - 00000062 __ASH C:\Documents and Settings\Owner\Local Settings\desktop.ini
2012-10-31 12:52 - 2004-08-26 14:08 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2012-10-31 12:52 - 2004-08-26 14:08 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2012-10-30 10:22 - 2012-10-28 16:50 - 00014662 ____A C:\Windows\setupapi.log
2012-10-30 09:41 - 2004-08-26 12:12 - 00001170 ____A C:\Windows\System32\wpa.dbl
2012-10-29 19:41 - 2012-09-20 12:31 - 00000978 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2615104831-1368381422-192617974-1003UA.job
2012-10-29 16:25 - 2012-05-11 12:16 - 00000392 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{B1DA1CAD-FBC4-4C41-8FEF-946DF398194F}.job
2012-10-28 16:42 - 2010-02-01 13:55 - 00000000 ____A C:\Windows\Sti_Trace.log
2012-10-28 13:08 - 2011-10-09 15:38 - 00000286 ____A C:\Windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2615104831-1368381422-192617974-1003.job
2012-10-27 11:15 - 2012-09-13 12:45 - 00149168 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2012-10-27 10:41 - 2012-09-20 12:31 - 00000926 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2615104831-1368381422-192617974-1003Core.job
2012-10-24 11:24 - 2012-10-24 11:24 - 00000874 ____A C:\Documents and Settings\All Users\Desktop\Advanced SystemCare 6.lnk
2012-10-18 16:33 - 2012-07-02 12:20 - 29356032 ____A C:\Windows\System32\config\software.iobit
2012-10-18 16:33 - 2012-07-02 12:20 - 09592832 ____A C:\Windows\System32\config\system.iobit
2012-10-18 16:33 - 2012-07-02 12:20 - 00651264 ____A C:\Windows\System32\config\default.iobit
2012-10-18 16:33 - 2012-07-02 12:20 - 00061440 ____A C:\Windows\System32\config\SECURITY.iobit
2012-10-18 16:33 - 2012-07-02 12:20 - 00028672 ____A C:\Windows\System32\config\SAM.iobit
2012-10-17 19:15 - 2012-10-17 18:58 - 00178364 ____A C:\Windows\hpwins20.dat
2012-10-17 19:15 - 2010-02-04 12:23 - 00008916 ____A C:\Documents and Settings\All Users\Application Data\hpzinstall.log
2012-10-17 19:14 - 2004-08-26 12:12 - 00000616 ____A C:\Windows\win.ini
2012-10-17 19:07 - 2012-10-17 19:07 - 00001968 ____A C:\Documents and Settings\All Users\Desktop\HP Document Manager.lnk
2012-10-17 19:07 - 2012-10-17 19:07 - 00001858 ____A C:\Documents and Settings\All Users\Desktop\HP Photosmart Essential 2.5.lnk
2012-10-17 19:06 - 2012-10-17 19:06 - 00000984 ____A C:\Documents and Settings\All Users\Desktop\HP Solution Center.lnk
2012-10-11 16:13 - 2010-05-06 00:25 - 00019968 ____A C:\Documents and Settings\Owner\My Documents\Ltr Head.wps
2012-10-11 16:13 - 2010-02-09 18:50 - 00001618 ____A C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2012-10-11 11:51 - 2012-09-20 12:32 - 00002284 ____A C:\Documents and Settings\Owner\Desktop\Google Chrome.lnk
2012-10-10 12:36 - 2010-01-31 05:04 - 00035396 ____A C:\Windows\System32\TZLog.log
2012-10-10 12:36 - 2010-01-30 11:36 - 62968832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-10-10 11:51 - 2012-10-10 11:51 - 00197908 ____A C:\Documents and Settings\Owner\My Documents\verification worksheet - Dep.prn
2012-10-09 16:53 - 2012-10-09 16:53 - 00018944 ____A C:\Documents and Settings\Owner\My Documents\ltr painter remae.wps
2012-10-08 15:28 - 2012-10-08 15:28 - 10220472 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2012-10-08 15:28 - 2012-03-30 10:20 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-10-08 15:28 - 2011-05-18 18:42 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-10-04 14:48 - 2012-03-04 18:00 - 00000682 ____A C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2012-10-04 13:57 - 2012-10-04 13:57 - 08429932 ____A C:\Documents and Settings\Owner\My Documents\hooperbankdocs7
2012-09-30 09:29 - 2012-03-30 10:20 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-26 15:43 - 2012-04-06 12:47 - 00054156 ___AH C:\Windows\QTFont.qfn
2012-09-11 21:14 - 2004-08-26 12:12 - 00000227 ____A C:\Windows\system.ini
2012-09-11 21:14 - 2004-08-26 12:12 - 00000211 _RASH C:\boot.ini
2012-09-11 08:34 - 2008-04-13 20:12 - 00046080 ____N (Microsoft Corporation) C:\Windows\System32\tzchange.exe
2012-08-28 21:44 - 2010-01-30 11:51 - 11111424 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ieframe.dll
2012-08-28 21:44 - 2009-03-08 06:39 - 11111424 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-28 11:14 - 2012-07-12 19:41 - 00521728 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\jsdbgui.dll
2012-08-28 11:14 - 2010-11-22 11:47 - 00743424 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\iedvtool.dll
2012-08-28 11:14 - 2010-01-30 11:52 - 00012800 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\xpshims.dll
2012-08-28 11:14 - 2010-01-30 11:51 - 02000384 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\iertutil.dll
2012-08-28 11:14 - 2010-01-30 11:51 - 00630272 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\msfeeds.dll
2012-08-28 11:14 - 2010-01-30 11:51 - 00247808 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ieproxy.dll
2012-08-28 11:14 - 2010-01-30 11:51 - 00055296 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\msfeedsbs.dll
2012-08-28 11:14 - 2009-03-08 06:32 - 02000384 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-28 11:14 - 2009-03-08 06:32 - 00630272 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-28 11:14 - 2009-03-08 06:31 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-08-28 11:14 - 2004-08-26 12:12 - 06008832 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\mshtml.dll
2012-08-28 11:14 - 2004-08-26 12:12 - 06008832 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-28 11:14 - 2004-08-26 12:12 - 01212416 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\urlmon.dll
2012-08-28 11:14 - 2004-08-26 12:12 - 01212416 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-28 11:14 - 2004-08-26 12:12 - 00916992 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\wininet.dll
2012-08-28 11:14 - 2004-08-26 12:12 - 00916992 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-28 11:14 - 2004-08-26 12:12 - 00611840 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\mstime.dll
2012-08-28 11:14 - 2004-08-26 12:12 - 00611840 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll
2012-08-28 11:14 - 2004-08-26 12:12 - 00206848 ____N (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-08-28 11:14 - 2004-08-26 12:12 - 00206848 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\occache.dll
2012-08-28 11:14 - 2004-08-26 12:12 - 00105984 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\url.dll
2012-08-28 11:14 - 2004-08-26 12:12 - 00105984 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-28 11:14 - 2004-08-26 12:12 - 00067072 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\mshtmled.dll
2012-08-28 11:14 - 2004-08-26 12:12 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-28 11:14 - 2004-08-26 12:11 - 01469440 ____N (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-28 11:14 - 2004-08-26 12:11 - 01469440 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\inetcpl.cpl
2012-08-28 11:14 - 2004-08-26 12:11 - 00387584 ____N (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-08-28 11:14 - 2004-08-26 12:11 - 00387584 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\iedkcs32.dll
2012-08-28 11:14 - 2004-08-26 12:11 - 00184320 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\iepeers.dll
2012-08-28 11:14 - 2004-08-26 12:11 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-08-28 11:14 - 2004-08-26 12:11 - 00043520 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\licmgr10.dll
2012-08-28 11:14 - 2004-08-26 12:11 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-08-28 11:14 - 2004-08-26 12:11 - 00025600 ____N (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-28 11:14 - 2004-08-26 12:11 - 00025600 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\jsproxy.dll
2012-08-28 08:07 - 2004-08-26 12:11 - 00385024 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-08-28 08:07 - 2004-08-26 12:11 - 00174080 ____N (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-08-28 08:07 - 2004-08-26 12:11 - 00174080 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ie4uinit.exe
2012-08-24 09:53 - 2009-12-24 02:59 - 00177664 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\wintrust.dll
2012-08-24 09:53 - 2004-08-26 12:12 - 00177664 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-08-21 09:33 - 2010-01-30 05:29 - 02148864 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ntkrnlmp.exe
2012-08-21 09:29 - 2010-01-30 05:29 - 02192896 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ntoskrnl.exe
2012-08-21 09:29 - 2004-08-26 12:12 - 02192896 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-08-21 08:58 - 2010-01-30 05:29 - 02027520 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ntkrpamp.exe
2012-08-21 08:58 - 2009-02-07 21:02 - 02069632 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ntkrnlpa.exe
2012-08-21 08:58 - 2004-08-04 01:59 - 02069632 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-08-15 19:07 - 2004-08-26 06:54 - 00245512 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-13 12:13 - 2012-08-13 12:13 - 00622003 ____A C:\Documents and Settings\Owner\My Documents\annuitygpdisclesaud.zip

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points (XP) =====================

RP: -> 2012-10-29 19:53 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP281

RP: -> 2012-10-27 20:20 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP280

RP: -> 2012-10-26 19:46 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP279

RP: -> 2012-10-25 15:30 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP278

RP: -> 2012-10-23 18:45 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP277

RP: -> 2012-10-21 19:37 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP276

RP: -> 2012-10-17 19:14 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP275

RP: -> 2012-10-17 18:01 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP274

RP: -> 2012-10-16 15:42 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP273

RP: -> 2012-10-11 17:52 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP272

RP: -> 2012-10-10 12:35 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP271

RP: -> 2012-10-09 18:24 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP270

RP: -> 2012-10-08 18:12 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP269

RP: -> 2012-10-07 15:01 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP268

RP: -> 2012-10-05 12:00 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP267

RP: -> 2012-10-04 11:29 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP266

RP: -> 2012-10-03 14:40 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP265

RP: -> 2012-10-01 19:58 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP264

RP: -> 2012-09-30 11:24 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263

RP: -> 2012-09-28 10:35 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262

RP: -> 2012-09-26 16:59 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP261

RP: -> 2012-09-25 14:51 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260

RP: -> 2012-09-24 09:56 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP259

RP: -> 2012-09-22 20:57 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP258

RP: -> 2012-09-21 19:20 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP257

RP: -> 2012-09-21 13:49 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP256

RP: -> 2012-09-20 13:31 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP255

RP: -> 2012-09-18 20:19 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP254

RP: -> 2012-09-17 19:45 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP253

RP: -> 2012-09-16 12:06 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP252

RP: -> 2012-09-14 17:48 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP251

RP: -> 2012-09-12 21:52 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP250

RP: -> 2012-09-11 21:44 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP249

RP: -> 2012-09-11 14:28 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP248

RP: -> 2012-09-10 12:33 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP247

RP: -> 2012-09-09 11:00 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP246

RP: -> 2012-09-07 14:22 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP245

RP: -> 2012-09-06 11:30 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP244

RP: -> 2012-09-05 11:16 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP243

RP: -> 2012-09-03 16:41 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP242

RP: -> 2012-09-01 19:26 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP241

RP: -> 2012-08-30 21:02 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP240

RP: -> 2012-08-29 20:36 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP239

RP: -> 2012-08-21 17:31 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP238

RP: -> 2012-08-20 16:35 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP237

RP: -> 2012-08-18 16:40 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP236

RP: -> 2012-08-17 00:07 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP235

RP: -> 2012-08-16 12:19 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP234

RP: -> 2012-08-15 11:18 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP233

RP: -> 2012-08-15 11:18 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP232

RP: -> 2012-08-15 11:17 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP231

RP: -> 2012-08-15 11:16 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP230

RP: -> 2012-08-15 11:15 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP229

RP: -> 2012-08-14 13:15 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP228

RP: -> 2012-08-13 12:56 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP227

RP: -> 2012-08-12 11:44 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP226

RP: -> 2012-08-11 10:14 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP225

RP: -> 2012-08-09 18:44 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP224

RP: -> 2012-08-07 18:14 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP223

RP: -> 2012-08-06 17:17 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP222

RP: -> 2012-08-04 21:38 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP221

RP: -> 2012-08-03 20:48 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP220

RP: -> 2012-08-02 13:07 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP219

RP: -> 2012-07-31 18:35 - 028672 _restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP218

==================== Memory info ===========================

Percentage of memory in use: 42%
Total physical RAM: 501.75 MB
Available physical RAM: 288.37 MB
Total Pagefile: 453.51 MB
Available Pagefile: 319.86 MB
Total Virtual: 2047.88 MB
Available Virtual: 2002.54 MB

==================== Partitions =============================

1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
2 Drive c: () (Fixed) (Total:144.83 GB) (Free:79.16 GB) NTFS ==>[Drive with boot components (Windows XP)]
7 Drive h: () (Fixed) (Total:4.2 GB) (Free:1.68 GB) FAT32
9 Drive j: (USB MEMORY) (Removable) (Total:0.06 GB) (Free:0.06 GB) FAT
10 Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 4314 MB 32 KB
Partition 2 Primary 145 GB 4314 MB
=========================================================

Disk: 0
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 H FAT32 Partition 4314 MB Healthy
=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C NTFS Partition 145 GB Healthy
=========================================================FRST Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

Quote

start
2012-10-29 17:47 - 2012-10-29 17:47 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\ukovn
2012-10-20 13:22 - 2012-10-20 13:22 - 00000000 ____D C:\Program Files\IObit Toolbar
2012-10-20 13:22 - 2012-10-20 13:22 - 00000000 ____D C:\Program Files\Common Files\Spigot
2012-10-20 13:22 - 2012-10-20 13:22 - 00000000 ____D C:\Program Files\Application Updater
2012-10-20 13:22 - 2012-10-20 13:22 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\Search Settings
HKLM\...\Run: [SearchSettings] "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe" [1111432 2012-10-16] (Spigot, Inc.)
HKLM\...\Run: [Windows Service] C:\Documents and Settings\Owner\Application Data\ukovn\ukovn.exe [154624 2012-10-29] (Auslogics)
HKU\Owner\...\Run: [Windows Service] C:\Documents and Settings\Owner\Application Data\ukovn\ukovn.exe [154624 2012-10-29] (Auslogics)
AppInit_DLLs:
2 Application Updater; "C:\Program Files\Application Updater\ApplicationUpdater.exe" [799112 2012-10-09] (Spigot, Inc.)
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter OTLPE and access the flash drive.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.You are amazing, thank you so very much. What could I do to prevent this in the future?
Here is the fixlog

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 30-10-2012
Ran by SYSTEM at 2012-10-31 17:12:35 Run:1
Running from J:\

==============================================

C:\Documents and Settings\Owner\Application Data\ukovn moved successfully.
C:\Program Files\IObit Toolbar moved successfully.
C:\Program Files\Common Files\Spigot moved successfully.
C:\Program Files\Application Updater moved successfully.
C:\Documents and Settings\Owner\Application Data\Search Settings moved successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SearchSettings Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Windows Service Value deleted successfully.
HKEY_USERS\Owner\Software\Microsoft\Windows\CurrentVersion\Run\\Windows Service Value deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs Value was restored successfully .
Application Updater service deleted successfully.

==== End of Fixlog ====It's good that it helped fix the main issue, but I want to make sure the other viruses are gone too that may have come "bundled" with this threat (MoneyPak FBI)

ComboFix scan

Please download ComboFix by sUBs
From BleepingComputer.com

Please save the file to your Desktop.

Important information about ComboFix

After the download:

Close any open browsers.
Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:

Double click on ComboFix.exe & follow the prompts.
When ComboFix finishes, it will produce a report for you.
Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.

Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Solve : malware/virus started with ransom from moneypak now won't boot safe mode?

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment