  1. Before you start!
    All given instructions in this forum are customized for each help request, the tools used may cause damage if used on a computer with different infections. If you think you have similar issues, please post the appropriate logs in our Malware Removal Assistance forum and wait for help.

    Please be aware that removing Malware is a potentially hazardous undertaking. We will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for us to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and we cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
    We strongly advise you to backup any personal files and folders before you start.

Moneypak Ransomware virus

Discussion in 'Malware Removal Assistance' started by thelongshot, May 12, 2013.

  1. thelongshot

    thelongshot New Member

    Reputation:
    0
    Joined:
    May 12, 2013
    Messages:
    11
    Likes Received:
    0
    I couldn't run OTL in regular mode. I'll run it in safe mode when I get a chance.

  2. Fiery

    Fiery 1 of the 4 MalwareTips Founder

    Reputation:
    1,000
    Joined:
    Jan 11, 2011
    Messages:
    2,056
    Likes Received:
    12
    Hi thelongshot and welcome to MalwareTips! :)

    I'm Fiery and I would gladly assist you in removing the malware on your computer.

    PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

    Before we start:
    • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
    • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
    • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
    • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe, the detections are false positives.
    • The absence of symptoms does not mean your PC is fully disinfected.
    • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
    • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

    Download Farbar Recovery Scan Tool from the below link:
    • For 64 bit systems download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to a USB/flash drive.
    • Plug the flashdrive into the infected PC.
    • Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
      Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt

    1. Select Command Prompt.
    2. In the command window type in notepad and press Enter.
    3. The notepad opens. Under File menu select Open.
    4. Select "Computer" and find your flash drive letter and close the notepad.
    5. In the command window type e:\frst64 and press Enter.
       Note: Replace letter e with the drive letter of your flash drive.
    6. The tool will start to run.
    7. When the tool opens click Yes to disclaimer.
    8. Press Scan button.
    9. FRST will let you know when the scan is complete and has written the FRST.txt to file, close the message.
    10. Type exit.
    11. Please copy and paste FRST.txt in your next reply.
     
    Last edited by a moderator: Mar 13, 2014
  3. thelongshot

    thelongshot New Member

    Reputation:
    0
    Joined:
    May 12, 2013
    Messages:
    11
    Likes Received:
    0
    Ok, "Repair Your Computer" isn't an option in Advanced Boot Options, so I went with "Safe Mode With Command Line" instead.

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-05-2013
    Ran by jason.birzer (administrator) on 12-05-2013 23:35:04
    Running from H:\
    Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
    Internet Explorer Version 8
    Boot Mode: Safe Mode (minimal)
    ==================== Processes (Whitelisted) =================

    (Microsoft Corporation) C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    (Microsoft Corporation) C:\Windows\system32\cmd.exe
    (Farbar) H:\FRST64.exe

    ==================== Registry (Whitelisted) ==================

    MountPoints2: F - F:\.\Bin\ASSETUP.exe
    HKLM-x32\...\Run: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [3825176 2012-11-13] (Safer-Networking Ltd.)
    HKU\adm\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
    HKU\adm\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-05-18] (Hewlett-Packard Company)
    HKU\Administrator\...\Run: [Steam] "c:\program files (x86)\steam\steam.exe" -silent [1635752 2013-05-03] (Valve Corporation)
    HKU\Administrator\...\Run: [TivoServer] C:\Program Files (x86)\TiVo\Desktop\TiVoServer.exe /service /registry /auto:TivoServer [2264336 2010-08-24] (TiVo Inc.)
    HKU\Administrator\...\Run: [TivoTransfer] C:\Program Files (x86)\TiVo\Desktop\TiVoTransfer.exe [608528 2010-08-24] (TiVo Inc.)
    HKU\Administrator\...\Run: [TivoNotify] C:\Program Files (x86)\TiVo\Desktop\TiVoNotify.exe /service /registry /auto:TivoNotify [437520 2010-08-24] (TiVo Inc.)
    HKU\Administrator\...\Run: [TranscodingService] C:\Program Files (x86)\TiVo\Desktop\Plus\\TranscodingService.exe [856336 2010-08-24] (TiVo Inc.)
    HKU\Administrator\...\Run: [F.lux] "C:\Users\jason.birzer\Local Settings\Apps\F.lux\flux.exe" /noshow [x]
    HKU\Administrator\...\Run: [AnyDVD] C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVDtray.exe [6377120 2012-09-20] (SlySoft, Inc.)
    HKU\Administrator\...\Run: [Desura] C:\Program Files (x86)\Desura\desura.exe -autostart [2529096 2012-03-24] (Desura Pty Ltd)
    HKU\Administrator\...\Run: [Akamai NetSession Interface] "C:\Users\jason.birzer\AppData\Local\Akamai\netsession_win.exe" [4441920 2012-10-09] (Akamai Technologies, Inc.)
    HKU\bogus\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
    HKU\bogus\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-05-18] (Hewlett-Packard Company)
    HKU\Classic .NET AppPool\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
    HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
    HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
    HKU\DefaultAppPool\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
    HKU\UpdatusUser\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
    BootExecute: autocheck autochk * sdnclean64.exe

    ==================== Internet (Whitelisted) ====================

    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
    HKLM SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
    SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
    SearchScopes: HKLM - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
    HKLM-x32 SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
    SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
    HKCU SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
    SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
    SearchScopes: HKCU - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = http://search.avg.com/route/?d=4b3d2cf0&i=23&tp=chrome&q={searchTerms}&lng={language}&ychte=us&nt=1
    BHO-x32: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
    BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
    BHO-x32: Qwiklinx - {3E7C8B5A-96AB-438F-BF9B-782400655440} - C:\Users\jason.birzer\AppData\Roaming\Qwiklinx\Qwiklinx.dll (Qwiklinx, Inc.)
    BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
    BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
    BHO-x32: CIESpeechBHO Class - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll (Atheros Commnucations)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
    PDF: HKLM-x32 {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
    PDF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    PDF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    Winsock: Catalog5 07 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [20992] (Microsoft Corporation)
    Winsock: Catalog5-x64 07 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

    FireFox:
    ========
    FF ProfilePath: C:\Users\jason.birzer\AppData\Roaming\Mozilla\Firefox\Profiles\8nmd9h63.default
    FF Homepage: hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
    FF SelectedSearchEngine: Search
    FF Plugin: @adobe.com/FlashPlayer - C:\windows\system32\Macromed\Flash\NPSWF64_11_7_700_169.dll ()
    FF Plugin: @microsoft.com/GENUINE - C:\windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
    FF Plugin-x32: @adobe.com/FlashPlayer - C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_169.dll ()
    FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
    FF Plugin-x32: @java.com/DTPlugin,version=10.17.2 - C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=10.17.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF Plugin-x32: @mcafee.com/McAfeeMssPlugin - C:\Program Files (x86)\McAfee Security Scan\3.0.318\npMcAfeeMss.dll (McAfee, Inc.)
    FF Plugin-x32: @microsoft.com/GENUINE - C:\windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
    FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin-x32: @nosltd.com/getPlus+(R),version=1.6.2.103 - C:\Program Files (x86)\NOS\bin\np_gp.dll No File
    FF Plugin-x32: @playstation.com/PsndlCheck,version=1.00 - C:\Program Files (x86)\Sony\PLAYSTATION Network Downloader\nppsndl.dll (Sony Computer Entertainment Inc.)
    FF Plugin-x32: @SonyCreativeSoftware.com/Media Go,version=1.0 - C:\Program Files (x86)\Sony\Media Go\npmediago.dll (Sony Network Entertainment International LLC)
    FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF Extension: No Name - C:\Users\jason.birzer\AppData\Roaming\Mozilla\Firefox\Profiles\8nmd9h63.default\Extensions\staged

    ==================== Services (Whitelisted) =================

    S3 Droppix Service; C:\Program Files (x86)\Common Files\Droppix\DxService.exe [221184 2009-08-28] (Droppix)
    S2 hasplms; C:\Windows\system32\hasplms.exe [4180576 2010-09-27] (SafeNet Inc.)
    S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
    S3 Media Center 16 Service; C:\Program Files (x86)\J River\Media Center 16\JRService.exe [384136 2011-10-18] (J. River, Inc.)
    S2 MsDepSvc; C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe [67400 2011-04-01] (Microsoft Corporation)
    R2 MsMpSvc; C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [12784 2011-04-27] (Microsoft Corporation)
    S2 MSSQL$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [57617752 2009-03-30] (Microsoft Corporation)
    S3 NisSrv; C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [288272 2011-04-27] (Microsoft Corporation)
    S2 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [301760 2012-12-10] ()
    S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1103392 2012-11-13] (Safer-Networking Ltd.)
    S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1369624 2012-11-13] (Safer-Networking Ltd.)
    S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [168384 2012-11-13] (Safer-Networking Ltd.)
    S2 SpyHunter 4 Service; C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1024384 2013-01-14] (Enigma Software Group USA, LLC.)
    S4 SQLAgent$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [427880 2009-03-30] (Microsoft Corporation)
    S2 TivoBeacon2; C:\Program Files (x86)\TiVo\Desktop\TiVoBeacon.exe [1104656 2010-08-24] (TiVo Inc.)
    S3 nosGetPlusHelper; C:\Program Files (x86)\NOS\bin\getPlus_Helper_3004.dll [x]
    S3 SymSnapService; "C:\Program Files (x86)\Norton Ghost\Shared\Drivers\SymSnapServicex64.exe" [x]

    ==================== Drivers (Whitelisted) ====================

    R3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [138400 2012-08-26] (SlySoft, Inc.)
    S1 archlp; C:\Windows\System32\drivers\archlp.sys [136192 2010-07-07] ()
    S3 dgderdrv; C:\Windows\SysWow64\drivers\dgderdrv.sys [20032 2011-05-08] (Devguru Co., Ltd)
    S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2012-06-22] ()
    S3 GenericMount; C:\Windows\System32\DRIVERS\GenericMount.sys [66608 2010-02-12] (Symantec Corporation)
    S1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [189440 2011-04-18] (Microsoft Corporation)
    S3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-29] ()
    S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [84864 2011-04-27] (Microsoft Corporation)
    S3 pwdrvio; C:\windows\system32\pwdrvio.sys [19032 2013-01-11] ()
    S3 pwdspio; C:\windows\system32\pwdspio.sys [12384 2013-01-11] ()
    S3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()
    S3 ADIHdAudAddService; system32\drivers\ADIHdAud.sys [x]
    S2 Aspi32; System32\drivers\aspi32.sys [x]
    S3 cpuz135; \??\C:\Windows\TEMP\cpuz135\cpuz135_x64.sys [x]
    S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
    S1 ElbyCDIO; System32\Drivers\ElbyCDIO.sys [x]
    S3 pccsmcfd; system32\DRIVERS\pccsmcfdx64.sys [x]
    S3 X6va005; \??\C:\Users\JASON~1.BIR\AppData\Local\Temp\005F834.tmp [x]

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-05-12 23:35 - 2013-05-12 23:35 - 00000000 ____D C:\FRST
    2013-05-12 09:36 - 2013-05-12 09:36 - 00000000 ____D C:\Users\adm\AppData\Local\Apple
    2013-05-12 01:57 - 2013-05-12 23:28 - 00000000 ____D C:\Users\adm\AppData\Local\TSVNCache
    2013-05-12 01:57 - 2013-05-12 01:57 - 00000000 ____D C:\Users\adm\AppData\Roaming\Subversion
    2013-05-11 23:45 - 2013-05-11 23:45 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Malwarebytes
    2013-05-11 23:43 - 2013-05-11 23:43 - 00000020 ___SH C:\Users\adm\ntuser.ini
    2013-05-11 23:43 - 2013-05-11 23:43 - 00000000 ____D C:\users\adm
    2013-05-11 23:43 - 2010-01-25 02:24 - 00000000 ____D C:\Users\adm\AppData\Roaming\Macromedia
    2013-05-11 23:13 - 2013-05-12 01:56 - 00000000 ____D C:\Users\bogus\AppData\Local\TSVNCache
    2013-05-11 23:13 - 2013-05-11 23:13 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Subversion
    2013-05-11 23:12 - 2013-05-11 23:30 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\NPE
    2013-05-11 23:12 - 2013-05-11 23:12 - 00000000 ____D C:\ProgramData\Norton
    2013-05-11 23:02 - 2013-05-12 23:31 - 00000336 ____A C:\Windows\setupact.log
    2013-05-11 23:02 - 2013-05-11 23:02 - 00000020 ___SH C:\Users\bogus\ntuser.ini
    2013-05-11 23:02 - 2013-05-11 23:02 - 00000000 ____D C:\users\bogus
    2013-05-11 23:02 - 2010-01-25 02:24 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Macromedia
    2013-05-11 23:01 - 2013-05-11 23:01 - 00000318 ____A C:\Windows\wininit.ini
    2013-05-11 22:47 - 2013-05-11 23:02 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
    2013-05-11 22:46 - 2013-05-11 22:46 - 00002137 ____A C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
    2013-05-11 22:46 - 2013-05-11 22:46 - 00000632 ____A C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job
    2013-05-11 22:46 - 2013-05-11 22:46 - 00000628 ____A C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
    2013-05-11 22:46 - 2013-05-11 22:46 - 00000458 ____A C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job
    2013-05-11 22:46 - 2013-05-11 22:46 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
    2013-05-11 22:46 - 2009-01-25 12:14 - 00017272 ____A (Safer Networking Limited) C:\Windows\System32\sdnclean64.exe
    2013-05-11 15:39 - 2013-05-11 15:39 - 00002272 ____A C:\Users\jason.birzer\Desktop\SpyHunter.lnk
    2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\Windows\22B3AE667A374118BADB3680C15CA366.TMP
    2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\sh4ldr
    2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\Program Files\Enigma Software Group
    2013-05-11 15:39 - 2012-06-22 11:01 - 00022704 ____A C:\Windows\System32\Drivers\EsgScanner.sys
    2013-05-11 12:59 - 2013-05-11 12:59 - 00003078 ____A C:\Users\jason.birzer\Desktop\Rkill.txt
    2013-05-11 12:59 - 2013-05-11 12:59 - 00000000 ____D C:\Users\jason.birzer\Desktop\rkill
    2013-05-11 12:12 - 2013-05-11 12:44 - 00000000 ____D C:\ProgramData\HitmanPro
    2013-05-11 11:57 - 2013-05-11 11:57 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\Users\jason.birzer\AppData\Roaming\Malwarebytes
    2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\ProgramData\Malwarebytes
    2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-05-11 11:57 - 2013-04-04 14:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2013-05-11 01:16 - 2013-05-11 01:16 - 00000000 ___HD C:\Users\Public\Documents\Report
    2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Users\jason.birzer\AppData\Roaming\Greenshot
    2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\Greenshot
    2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Program Files\Greenshot
    2013-04-27 01:33 - 2013-04-27 01:33 - 00002127 ____A C:\Users\Public\Desktop\Venetica.lnk
    2013-04-27 01:21 - 2013-04-27 01:33 - 00000000 ____D C:\Program Files (x86)\Venetica
    2013-04-25 09:53 - 2013-05-02 10:13 - 00002010 ____A C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
    2013-04-25 09:53 - 2013-05-02 10:13 - 00000000 ____D C:\Program Files (x86)\McAfee Security Scan
    2013-04-25 09:53 - 2013-04-25 09:53 - 00000000 ____D C:\ProgramData\McAfee Security Scan
    2013-04-24 05:18 - 2013-04-12 10:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
    2013-04-19 16:54 - 2013-04-19 16:54 - 03867442 ____A C:\Users\jason.birzer\Desktop\Mycomputer.nfo
    2013-04-19 16:52 - 2013-04-19 16:52 - 00036538 ____A C:\Users\jason.birzer\Desktop\DxDiag.txt

    ==================== One Month Modified Files and Folders =======

    2013-05-12 23:35 - 2013-05-12 23:35 - 00000000 ____D C:\FRST
    2013-05-12 23:31 - 2013-05-11 23:02 - 00000336 ____A C:\Windows\setupact.log
    2013-05-12 23:31 - 2009-07-14 01:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-05-12 23:30 - 2010-01-25 03:35 - 00523388 ____A C:\Windows\PFRO.log
    2013-05-12 23:28 - 2013-05-12 01:57 - 00000000 ____D C:\Users\adm\AppData\Local\TSVNCache
    2013-05-12 23:28 - 2012-10-14 17:07 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\TSVNCache
    2013-05-12 23:28 - 2010-01-24 14:19 - 01153146 ____A C:\Windows\WindowsUpdate.log
    2013-05-12 23:28 - 2009-07-14 01:13 - 00957134 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-05-12 23:28 - 2009-07-14 00:45 - 00013456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-05-12 23:28 - 2009-07-14 00:45 - 00013456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-05-12 22:51 - 2012-04-01 21:13 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-05-12 22:43 - 2012-06-20 00:23 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\CrashDumps
    2013-05-12 09:36 - 2013-05-12 09:36 - 00000000 ____D C:\Users\adm\AppData\Local\Apple
    2013-05-12 02:36 - 2010-02-02 02:08 - 00000000 ____D C:\ProgramData\Zoom Player
    2013-05-12 01:57 - 2013-05-12 01:57 - 00000000 ____D C:\Users\adm\AppData\Roaming\Subversion
    2013-05-12 01:56 - 2013-05-11 23:13 - 00000000 ____D C:\Users\bogus\AppData\Local\TSVNCache
    2013-05-11 23:45 - 2013-05-11 23:45 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Malwarebytes
    2013-05-11 23:43 - 2013-05-11 23:43 - 00000020 ___SH C:\Users\adm\ntuser.ini
    2013-05-11 23:43 - 2013-05-11 23:43 - 00000000 ____D C:\users\adm
    2013-05-11 23:30 - 2013-05-11 23:12 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\NPE
    2013-05-11 23:13 - 2013-05-11 23:13 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Subversion
    2013-05-11 23:12 - 2013-05-11 23:12 - 00000000 ____D C:\ProgramData\Norton
    2013-05-11 23:02 - 2013-05-11 23:02 - 00000020 ___SH C:\Users\bogus\ntuser.ini
    2013-05-11 23:02 - 2013-05-11 23:02 - 00000000 ____D C:\users\bogus
    2013-05-11 23:02 - 2013-05-11 22:47 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
    2013-05-11 23:01 - 2013-05-11 23:01 - 00000318 ____A C:\Windows\wininit.ini
    2013-05-11 22:46 - 2013-05-11 22:46 - 00002137 ____A C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
    2013-05-11 22:46 - 2013-05-11 22:46 - 00000632 ____A C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job
    2013-05-11 22:46 - 2013-05-11 22:46 - 00000628 ____A C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
    2013-05-11 22:46 - 2013-05-11 22:46 - 00000458 ____A C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job
    2013-05-11 22:46 - 2013-05-11 22:46 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
    2013-05-11 15:39 - 2013-05-11 15:39 - 00002272 ____A C:\Users\jason.birzer\Desktop\SpyHunter.lnk
    2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\Windows\22B3AE667A374118BADB3680C15CA366.TMP
    2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\sh4ldr
    2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\Program Files\Enigma Software Group
    2013-05-11 12:59 - 2013-05-11 12:59 - 00003078 ____A C:\Users\jason.birzer\Desktop\Rkill.txt
    2013-05-11 12:59 - 2013-05-11 12:59 - 00000000 ____D C:\Users\jason.birzer\Desktop\rkill
    2013-05-11 12:44 - 2013-05-11 12:12 - 00000000 ____D C:\ProgramData\HitmanPro
    2013-05-11 12:35 - 2011-02-13 19:04 - 00016384 __ASH C:\Users\jason.birzer\Thumbs.db
    2013-05-11 11:57 - 2013-05-11 11:57 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\Users\jason.birzer\AppData\Roaming\Malwarebytes
    2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\ProgramData\Malwarebytes
    2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-05-11 11:48 - 2011-06-13 00:03 - 00000000 ____D C:\Windows\pss
    2013-05-11 01:16 - 2013-05-11 01:16 - 00000000 ___HD C:\Users\Public\Documents\Report
    2013-05-09 20:36 - 2010-01-25 10:44 - 00000000 ____D C:\Program Files (x86)\Steam
    2013-05-08 19:10 - 2010-08-29 23:20 - 00107971 ____A C:\Windows\cdplayer.ini
    2013-05-07 00:00 - 2010-02-02 02:19 - 00000410 ____A C:\Windows\Tasks\updater.exe.job
    2013-05-03 00:51 - 2012-04-26 02:08 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2013-05-02 11:29 - 2010-01-24 14:33 - 00278800 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2013-05-02 10:13 - 2013-04-25 09:53 - 00002010 ____A C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
    2013-05-02 10:13 - 2013-04-25 09:53 - 00000000 ____D C:\Program Files (x86)\McAfee Security Scan
    2013-04-30 17:10 - 2011-05-01 10:59 - 00000000 ____D C:\Program Files (x86)\Luxor
    2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Users\jason.birzer\AppData\Roaming\Greenshot
    2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\Greenshot
    2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Program Files\Greenshot
    2013-04-30 01:39 - 2012-03-18 01:35 - 00000000 ____D C:\Program Files (x86)\Screenshot Pilot
    2013-04-27 01:33 - 2013-04-27 01:33 - 00002127 ____A C:\Users\Public\Desktop\Venetica.lnk
    2013-04-27 01:33 - 2013-04-27 01:21 - 00000000 ____D C:\Program Files (x86)\Venetica
    2013-04-25 09:53 - 2013-04-25 09:53 - 00000000 ____D C:\ProgramData\McAfee Security Scan
    2013-04-25 09:53 - 2012-04-01 21:10 - 00691592 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2013-04-25 09:53 - 2011-07-06 20:28 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2013-04-25 09:53 - 2010-01-25 02:25 - 00000000 ____D C:\ProgramData\Adobe
    2013-04-25 09:51 - 2013-04-11 23:16 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2013-04-19 16:54 - 2013-04-19 16:54 - 03867442 ____A C:\Users\jason.birzer\Desktop\Mycomputer.nfo
    2013-04-19 16:52 - 2013-04-19 16:52 - 00036538 ____A C:\Users\jason.birzer\Desktop\DxDiag.txt
    2013-04-18 14:10 - 2011-10-22 23:41 - 00000000 ____D C:\Program Files (x86)\Origin
    2013-04-12 10:45 - 2013-04-24 05:18 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

    Other Malware:
    ===========
    C:\ProgramData\hash.dat

    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll
    [2011-04-02 16:51] - [2012-10-04 12:47] - 0869376 ____A (Microsoft Corporation) 47F6DD86DDCAD50F2DC1E3652728F01E

    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


    Last Boot: 2013-05-04 00:23

    ==================== End Of Log ============================
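Added example (not part of the thread, and not code from FRST or MalwareTips): a small Python triage pass over FRST.txt lines of the kind posted above, flagging the entries a removal helper reads first: autoruns whose target is missing (`[x]`), code loading from Temp or the roaming profile, browser start/search settings pointing at a host that is not a stock default, and services/drivers with an empty vendor field. The trusted-host set, the path patterns and the function names are assumptions for illustration; the embedded sample is a shortened subset of the posted log.

```python
"""FRST.txt triage helper (added example, not part of the thread or of FRST)."""
import re
from dataclasses import dataclass

# Constructed sample: a shortened subset of the FRST.txt posted in the thread.
SAMPLE_LOG = r"""
HKU\Administrator\...\Run: [F.lux] "C:\Users\jason.birzer\Local Settings\Apps\F.lux\flux.exe" /noshow [x]
HKU\Administrator\...\Run: [Steam] "c:\program files (x86)\steam\steam.exe" -silent [1635752 2013-05-03] (Valve Corporation)
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=adknlg
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}
BHO-x32: Qwiklinx - {3E7C8B5A-96AB-438F-BF9B-782400655440} - C:\Users\jason.birzer\AppData\Roaming\Qwiklinx\Qwiklinx.dll (Qwiklinx, Inc.)
FF Homepage: hxxp://start.funmoods.com/?f=1&a=adknlg
S3 cpuz135; \??\C:\Windows\TEMP\cpuz135\cpuz135_x64.sys [x]
S3 X6va005; \??\C:\Users\JASON~1.BIR\AppData\Local\Temp\005F834.tmp [x]
S1 archlp; C:\Windows\System32\drivers\archlp.sys [136192 2010-07-07] ()
R3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [138400 2012-08-26] (SlySoft, Inc.)
"""

# Hosts accepted as stock IE home/search targets (assumption for this example).
TRUSTED_BROWSER_HOSTS = {"www.microsoft.com", "www.msn.com", "go.microsoft.com"}

# Lowercased path fragments where legitimate autoruns and drivers rarely live.
SUSPICIOUS_PATH_PARTS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\appdata\\roaming\\")

# Lowercased markers of the lines that carry browser start/search settings.
BROWSER_KEYS = ("start page", "search page", "searchscopes", "ff homepage",
                "default_page_url", "default_search_url")

URL_RE = re.compile(r"h(?:tt|xx)ps?://([^/\s]+)", re.IGNORECASE)  # also accepts defanged hxxp://
VENDOR_RE = re.compile(r"\(([^()]*)\)\s*$")     # trailing "(Vendor Name)" or "()"
MISSING_RE = re.compile(r"\[x\]\s*$")           # FRST marks a missing target file with [x]
SERVICE_RE = re.compile(r"^[RSU]\d\s+[^;]+;")   # "S3 name; path ..." service/driver lines


@dataclass(frozen=True)
class Finding:
    reason: str
    line: str


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one FRST log line (empty list if nothing stands out)."""
    stripped = line.strip()
    if not stripped:
        return []
    lower = stripped.lower()
    findings: list[Finding] = []

    # 1. Autorun/service/driver whose target file no longer exists.
    if MISSING_RE.search(stripped):
        findings.append(Finding("target file missing ([x])", stripped))

    # 2. Code loading from Temp or the roaming profile, where droppers commonly land.
    if any(part in lower for part in SUSPICIOUS_PATH_PARTS):
        findings.append(Finding("loads from temp/user-profile location", stripped))

    # 3. Browser start page or search scope pointing at a host outside the trusted set.
    if any(key in lower for key in BROWSER_KEYS):
        for host in URL_RE.findall(stripped):
            if host.lower() not in TRUSTED_BROWSER_HOSTS:
                findings.append(Finding(
                    f"browser start/search entry points at untrusted host: {host}", stripped))

    # 4. Service/driver line whose trailing vendor field is empty "()".
    if SERVICE_RE.match(stripped):
        vendor = VENDOR_RE.search(stripped)
        if vendor is not None and not vendor.group(1).strip():
            findings.append(Finding(
                "service/driver has no vendor string (unsigned or unknown publisher)", stripped))

    return findings


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over every line of an FRST.txt and collect the findings in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return findings


def flagged_lines(log_text: str) -> list[str]:
    """Distinct log lines with at least one finding, in log order."""
    return list(dict.fromkeys(f.line for f in triage(log_text)))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.reason}] {finding.line}")
```

A hit from this pass is a starting point for a manual check (signature, file hash, install history), not a verdict; stock but unsigned drivers such as old vendor utilities will show up alongside real problems.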
     
  4. Fiery

    Hi,
    Open notepad and copy & paste the following:

    and save it as fixlist.txt onto your flash drive.

    Then, boot to safe mode, plug in your flash drive, open FRST and click fix. Post the generated log.

    Next,
    • Double click the RKill desktop icon.
    • It will quickly run. If it does not run, try another download link from above.
    [Image: RKILL Command prompt]
    • When Rkill has completed its task, it will generate a log. You can then proceed with the rest of the guide.

    [Image: RKILL log]

    WARNING: Do not reboot your computer after running RKill as the malware process will start again, preventing you from properly performing the next step.

    Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool (for Vista or Windows 7, right-click and select Run as Administrator to start)
    • Click delete
    • Please post the content of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt

    Download & SAVE to your Desktop RogueKiller or from here
    • Quit all programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select Run as Administrator to start
    • Wait until Prescan has finished, then click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • Click delete and wait until it says deleting finished
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[1].txt on your Desktop
    • Exit/Close RogueKiller

    Download Malwarebytes Anti-Rootkit from here to your Desktop
    • Unzip the contents to a folder on your Desktop.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
    • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
    • When done, please post the two logs in the MBAR folder (mbar-log.txt and system-log.txt)
     
    Last edited by a moderator: Mar 13, 2014
  5. thelongshot

    Ok, no change with any of these tools. Attaching requested logs.
     

    Attached Files:

  6. Fiery

    Did you run the FRST fix? If so, run a scan with OTL in safe mode.

    Download OTL by Old Timer from here and save it to your Desktop.
    • Double click on OTL.exe to run it.
    • Click the Scan All Users checkbox.
    • Check the boxes beside LOP Check and Purity Check
    • Click on Run Scan at the top left hand corner.
    • When done, two Notepad files will open.
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Please attach the contents of these 2 Notepad files in your next reply.
     
  7. thelongshot

    Sorry, I did run it, but I couldn't figure out which was the log file last night. Did figure it out today, tho, and attached it.

    Couldn't run OTL. It crashed with an error: Exception EOleSysError in module OTL.exe at 00584A5. Class not registered.
     

    Attached Files:

  8. Fiery

    Please download ComboFix from one of these locations:

    Link 1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Link 2: http://www.infospyware.net/antimalware/combofix/

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See http://www.bleepingcomputer.com/forums/topic114351.html for help.
    • Double click on Combo-Fix & follow the prompts.

    When finished, ComboFix will produce a log.

    Note:
    1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!
    2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
     
    Last edited by a moderator: Mar 13, 2014
  9. thelongshot

    Tried running ComboFix, but it triggered the popup when I ran it, including in Safe Mode.
     
  10. Fiery

    Did the window pop up and then closed itself?

    Download TDSSkiller from here
    • Double-Click on TDSSKiller.exe to run the application
    • click Start scan .
    • If a suspicious object is detected, the default action will be Skip, click on Continue. (If it says TDL4/TDSS file system, select delete)
    • If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

    Post the log after (usually in the C:\ folder, in the form TDSSKiller.[Version]_[Date]_[Time]_log.txt)
     
  11. thelongshot

    No, the popup stayed up, not letting me see any results.

    TDSSKiller didn't seem to find anything. Here's the log.
     

    Attached Files:

  12. Fiery

    Can you give me an update on your PC? Is the moneypak ransomware still there or just the white screen?
     
  13. thelongshot

    It has been a white screen since before I started with you.
     
  14. Fiery

    Ok.

    Can you do a fresh FRST scan?
     
  15. thelongshot

    Here it is:

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-05-2013
    Ran by jason.birzer (administrator) on 13-05-2013 17:26:37
    Running from H:\
    Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
    Internet Explorer Version 8
    Boot Mode: Safe Mode (minimal)
    ==================== Processes (Whitelisted) =================

    (Microsoft Corporation) C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    (Microsoft Corporation) C:\windows\system32\cmd.exe
    (Farbar) H:\FRST64.exe

    ==================== Registry (Whitelisted) ==================

    HKLM-x32\...\Run: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [3825176 2012-11-13] (Safer-Networking Ltd.)
    HKU\adm\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
    HKU\adm\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-05-18] (Hewlett-Packard Company)
    HKU\Administrator\...\Run: [Steam] "c:\program files (x86)\steam\steam.exe" -silent [1635752 2013-05-03] (Valve Corporation)
    HKU\Administrator\...\Run: [TivoServer] C:\Program Files (x86)\TiVo\Desktop\TiVoServer.exe /service /registry /auto:TivoServer [2264336 2010-08-24] (TiVo Inc.)
    HKU\Administrator\...\Run: [TivoTransfer] C:\Program Files (x86)\TiVo\Desktop\TiVoTransfer.exe [608528 2010-08-24] (TiVo Inc.)
    HKU\Administrator\...\Run: [TivoNotify] C:\Program Files (x86)\TiVo\Desktop\TiVoNotify.exe /service /registry /auto:TivoNotify [437520 2010-08-24] (TiVo Inc.)
    HKU\Administrator\...\Run: [TranscodingService] C:\Program Files (x86)\TiVo\Desktop\Plus\\TranscodingService.exe [856336 2010-08-24] (TiVo Inc.)
    HKU\Administrator\...\Run: [F.lux] "C:\Users\jason.birzer\Local Settings\Apps\F.lux\flux.exe" /noshow [x]
    HKU\Administrator\...\Run: [AnyDVD] C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVDtray.exe [6377120 2012-09-20] (SlySoft, Inc.)
    HKU\Administrator\...\Run: [Desura] C:\Program Files (x86)\Desura\desura.exe -autostart [2529096 2012-03-24] (Desura Pty Ltd)
    HKU\Administrator\...\Run: [Akamai NetSession Interface] "C:\Users\jason.birzer\AppData\Local\Akamai\netsession_win.exe" [4441920 2012-10-09] (Akamai Technologies, Inc.)
    HKU\bogus\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
    HKU\bogus\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-05-18] (Hewlett-Packard Company)
    HKU\Classic .NET AppPool\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
    HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
    HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
    HKU\DefaultAppPool\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
    HKU\UpdatusUser\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
    BootExecute: autocheck autochk * sdnclean64.exe

    ==================== Internet (Whitelisted) ====================

    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
    SearchScopes: HKLM - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
    SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
    SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtD0AyByCzytB0EtByEyCtN0D0Tzu0CtBtAyBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=593045297
    SearchScopes: HKCU - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = http://search.avg.com/route/?d=4b3d2cf0&i=23&tp=chrome&q={searchTerms}&lng={language}&ychte=us&nt=1
    BHO-x32: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
    BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
    BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
    BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
    BHO-x32: CIESpeechBHO Class - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll (Atheros Commnucations)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
    PDF: HKLM-x32 {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
    PDF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    PDF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    Winsock: Catalog5 07 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [20992] (Microsoft Corporation)
    Winsock: Catalog5-x64 07 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

    FireFox:
    ========
    FF ProfilePath: C:\Users\jason.birzer\AppData\Roaming\Mozilla\Firefox\Profiles\8nmd9h63.default
    FF Plugin: @adobe.com/FlashPlayer - C:\windows\system32\Macromed\Flash\NPSWF64_11_7_700_169.dll ()
    FF Plugin: @microsoft.com/GENUINE - C:\windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
    FF Plugin-x32: @adobe.com/FlashPlayer - C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_169.dll ()
    FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
    FF Plugin-x32: @java.com/DTPlugin,version=10.17.2 - C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=10.17.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF Plugin-x32: @mcafee.com/McAfeeMssPlugin - C:\Program Files (x86)\McAfee Security Scan\3.0.318\npMcAfeeMss.dll (McAfee, Inc.)
    FF Plugin-x32: @microsoft.com/GENUINE - C:\windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
    FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin-x32: @nosltd.com/getPlus+(R),version=1.6.2.103 - C:\Program Files (x86)\NOS\bin\np_gp.dll No File
    FF Plugin-x32: @playstation.com/PsndlCheck,version=1.00 - C:\Program Files (x86)\Sony\PLAYSTATION Network Downloader\nppsndl.dll (Sony Computer Entertainment Inc.)
    FF Plugin-x32: @SonyCreativeSoftware.com/Media Go,version=1.0 - C:\Program Files (x86)\Sony\Media Go\npmediago.dll (Sony Network Entertainment International LLC)
    FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    ==================== Services (Whitelisted) =================

    S3 Droppix Service; C:\Program Files (x86)\Common Files\Droppix\DxService.exe [221184 2009-08-28] (Droppix)
    S2 hasplms; C:\Windows\system32\hasplms.exe [4180576 2010-09-27] (SafeNet Inc.)
    S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
    S3 Media Center 16 Service; C:\Program Files (x86)\J River\Media Center 16\JRService.exe [384136 2011-10-18] (J. River, Inc.)
    S2 MsDepSvc; C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe [67400 2011-04-01] (Microsoft Corporation)
    R2 MsMpSvc; C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [12784 2011-04-27] (Microsoft Corporation)
    S2 MSSQL$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [57617752 2009-03-30] (Microsoft Corporation)
    S3 NisSrv; C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [288272 2011-04-27] (Microsoft Corporation)
    S2 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [301760 2012-12-10] ()
    S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1103392 2012-11-13] (Safer-Networking Ltd.)
    S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1369624 2012-11-13] (Safer-Networking Ltd.)
    S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [168384 2012-11-13] (Safer-Networking Ltd.)
    S2 SpyHunter 4 Service; C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1024384 2013-01-14] (Enigma Software Group USA, LLC.)
    S4 SQLAgent$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [427880 2009-03-30] (Microsoft Corporation)
    S2 TivoBeacon2; C:\Program Files (x86)\TiVo\Desktop\TiVoBeacon.exe [1104656 2010-08-24] (TiVo Inc.)
    S3 nosGetPlusHelper; C:\Program Files (x86)\NOS\bin\getPlus_Helper_3004.dll [x]
    S3 SymSnapService; "C:\Program Files (x86)\Norton Ghost\Shared\Drivers\SymSnapServicex64.exe" [x]

    ==================== Drivers (Whitelisted) ====================

    R3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [138400 2012-08-26] (SlySoft, Inc.)
    S1 archlp; C:\Windows\System32\drivers\archlp.sys [136192 2010-07-07] ()
    S3 dgderdrv; C:\Windows\SysWow64\drivers\dgderdrv.sys [20032 2011-05-08] (Devguru Co., Ltd)
    S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2012-06-22] ()
    S3 GenericMount; C:\Windows\System32\DRIVERS\GenericMount.sys [66608 2010-02-12] (Symantec Corporation)
    S1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [189440 2011-04-18] (Microsoft Corporation)
    S3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-29] ()
    S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [84864 2011-04-27] (Microsoft Corporation)
    S3 pwdrvio; C:\windows\system32\pwdrvio.sys [19032 2013-01-11] ()
    S3 pwdspio; C:\windows\system32\pwdspio.sys [12384 2013-01-11] ()
    S3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()
    S3 ADIHdAudAddService; system32\drivers\ADIHdAud.sys [x]
    S2 Aspi32; System32\drivers\aspi32.sys [x]
    S3 catchme; \??\C:\ComboFix\catchme.sys [x]
    S3 cpuz135; \??\C:\Windows\TEMP\cpuz135\cpuz135_x64.sys [x]
    S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
    S1 ElbyCDIO; System32\Drivers\ElbyCDIO.sys [x]
    S3 pccsmcfd; system32\DRIVERS\pccsmcfdx64.sys [x]

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-05-13 13:56 - 2013-05-13 13:56 - 00017617 ____A C:\ComboFix.txt
    2013-05-13 13:49 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
    2013-05-13 13:49 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
    2013-05-13 13:49 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2013-05-13 13:49 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2013-05-13 13:49 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2013-05-13 13:49 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
    2013-05-13 13:49 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
    2013-05-13 13:49 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
    2013-05-13 13:46 - 2013-05-13 13:56 - 00000000 ___AD C:\Qoobox
    2013-05-13 13:46 - 2013-05-13 13:55 - 00000000 ____D C:\Windows\erdnt
    2013-05-13 00:12 - 2013-05-13 00:12 - 00002577 ____A C:\Users\jason.birzer\Desktop\RKreport[1]_S_05132013_02d0012.txt
    2013-05-13 00:12 - 2013-05-13 00:12 - 00002460 ____A C:\Users\jason.birzer\Desktop\RKreport[2]_D_05132013_02d0012.txt
    2013-05-13 00:12 - 2013-05-13 00:12 - 00000000 ____D C:\Users\jason.birzer\Desktop\RK_Quarantine
    2013-05-13 00:08 - 2013-05-13 00:08 - 00014236 ____A C:\AdwCleaner[S1].txt
    2013-05-13 00:07 - 2013-05-13 00:01 - 00816128 ____A C:\Users\jason.birzer\Desktop\RogueKiller.exe
    2013-05-13 00:07 - 2013-05-13 00:00 - 00628743 ____A C:\Users\jason.birzer\Desktop\AdwCleaner.exe
    2013-05-13 00:06 - 2013-05-12 23:55 - 01752992 ____A (Bleeping Computer, LLC) C:\Users\jason.birzer\Desktop\rkill.com
    2013-05-12 23:35 - 2013-05-12 23:35 - 00000000 ____D C:\FRST
    2013-05-12 09:36 - 2013-05-12 09:36 - 00000000 ____D C:\Users\adm\AppData\Local\Apple
    2013-05-12 01:57 - 2013-05-12 23:28 - 00000000 ____D C:\Users\adm\AppData\Local\TSVNCache
    2013-05-12 01:57 - 2013-05-12 01:57 - 00000000 ____D C:\Users\adm\AppData\Roaming\Subversion
    2013-05-11 23:45 - 2013-05-11 23:45 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Malwarebytes
    2013-05-11 23:43 - 2013-05-11 23:43 - 00000020 ___SH C:\Users\adm\ntuser.ini
    2013-05-11 23:43 - 2013-05-11 23:43 - 00000000 ____D C:\users\adm
    2013-05-11 23:43 - 2010-01-25 02:24 - 00000000 ____D C:\Users\adm\AppData\Roaming\Macromedia
    2013-05-11 23:13 - 2013-05-13 17:24 - 00000000 ____D C:\Users\bogus\AppData\Local\TSVNCache
    2013-05-11 23:13 - 2013-05-11 23:13 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Subversion
    2013-05-11 23:12 - 2013-05-11 23:30 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\NPE
    2013-05-11 23:12 - 2013-05-11 23:12 - 00000000 ____D C:\ProgramData\Norton
    2013-05-11 23:02 - 2013-05-13 14:41 - 00000784 ____A C:\Windows\setupact.log
    2013-05-11 23:02 - 2013-05-11 23:02 - 00000020 ___SH C:\Users\bogus\ntuser.ini
    2013-05-11 23:02 - 2013-05-11 23:02 - 00000000 ____D C:\users\bogus
    2013-05-11 23:02 - 2010-01-25 02:24 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Macromedia
    2013-05-11 22:47 - 2013-05-11 23:02 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
    2013-05-11 22:46 - 2013-05-11 22:46 - 00002137 ____A C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
    2013-05-11 22:46 - 2013-05-11 22:46 - 00000632 ____A C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job
    2013-05-11 22:46 - 2013-05-11 22:46 - 00000628 ____A C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
    2013-05-11 22:46 - 2013-05-11 22:46 - 00000458 ____A C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job
    2013-05-11 22:46 - 2013-05-11 22:46 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
    2013-05-11 22:46 - 2009-01-25 12:14 - 00017272 ____A (Safer Networking Limited) C:\Windows\System32\sdnclean64.exe
    2013-05-11 15:39 - 2013-05-11 15:39 - 00002272 ____A C:\Users\jason.birzer\Desktop\SpyHunter.lnk
    2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\sh4ldr
    2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\Program Files\Enigma Software Group
    2013-05-11 15:39 - 2012-06-22 11:01 - 00022704 ____A C:\Windows\System32\Drivers\EsgScanner.sys
    2013-05-11 12:59 - 2013-05-11 12:59 - 00000000 ____D C:\Users\jason.birzer\Desktop\rkill
    2013-05-11 12:12 - 2013-05-11 12:44 - 00000000 ____D C:\ProgramData\HitmanPro
    2013-05-11 11:57 - 2013-05-11 11:57 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\Users\jason.birzer\AppData\Roaming\Malwarebytes
    2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\ProgramData\Malwarebytes
    2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-05-11 11:57 - 2013-04-04 14:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2013-05-11 01:16 - 2013-05-11 01:16 - 00000000 ___HD C:\Users\Public\Documents\Report
    2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Users\jason.birzer\AppData\Roaming\Greenshot
    2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\Greenshot
    2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Program Files\Greenshot
    2013-04-27 01:33 - 2013-04-27 01:33 - 00002127 ____A C:\Users\Public\Desktop\Venetica.lnk
    2013-04-27 01:21 - 2013-04-27 01:33 - 00000000 ____D C:\Program Files (x86)\Venetica
    2013-04-25 09:53 - 2013-05-02 10:13 - 00002010 ____A C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
    2013-04-25 09:53 - 2013-05-02 10:13 - 00000000 ____D C:\Program Files (x86)\McAfee Security Scan
    2013-04-25 09:53 - 2013-04-25 09:53 - 00000000 ____D C:\ProgramData\McAfee Security Scan
    2013-04-24 05:18 - 2013-04-12 10:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
    2013-04-19 16:54 - 2013-04-19 16:54 - 03867442 ____A C:\Users\jason.birzer\Desktop\Mycomputer.nfo
    2013-04-19 16:52 - 2013-04-19 16:52 - 00036538 ____A C:\Users\jason.birzer\Desktop\DxDiag.txt

    ==================== One Month Modified Files and Folders =======

    2013-05-13 17:24 - 2013-05-11 23:13 - 00000000 ____D C:\Users\bogus\AppData\Local\TSVNCache
    2013-05-13 17:24 - 2012-10-14 17:07 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\TSVNCache
    2013-05-13 17:24 - 2010-01-24 14:19 - 01318193 ____A C:\Windows\WindowsUpdate.log
    2013-05-13 16:51 - 2012-04-01 21:13 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-05-13 15:43 - 2010-01-25 10:44 - 00000000 ____D C:\Program Files (x86)\Steam
    2013-05-13 14:48 - 2009-07-14 00:45 - 00013456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-05-13 14:48 - 2009-07-14 00:45 - 00013456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-05-13 14:46 - 2009-07-14 01:13 - 00957134 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-05-13 14:41 - 2013-05-11 23:02 - 00000784 ____A C:\Windows\setupact.log
    2013-05-13 14:41 - 2010-01-25 03:35 - 00523940 ____A C:\Windows\PFRO.log
    2013-05-13 14:41 - 2009-07-14 01:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-05-13 13:56 - 2013-05-13 13:56 - 00017617 ____A C:\ComboFix.txt
    2013-05-13 13:56 - 2013-05-13 13:46 - 00000000 ___AD C:\Qoobox
    2013-05-13 13:55 - 2013-05-13 13:46 - 00000000 ____D C:\Windows\erdnt
    2013-05-13 13:54 - 2010-01-24 14:19 - 00000000 ____D C:\users\jason.birzer
    2013-05-13 13:54 - 2009-07-13 22:34 - 00000215 ____A C:\Windows\system.ini
    2013-05-13 13:14 - 2012-06-20 00:23 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\CrashDumps
    2013-05-13 10:57 - 2010-02-02 02:08 - 00000000 ____D C:\ProgramData\Zoom Player
    2013-05-13 00:12 - 2013-05-13 00:12 - 00002577 ____A C:\Users\jason.birzer\Desktop\RKreport[1]_S_05132013_02d0012.txt
    2013-05-13 00:12 - 2013-05-13 00:12 - 00002460 ____A C:\Users\jason.birzer\Desktop\RKreport[2]_D_05132013_02d0012.txt
    2013-05-13 00:12 - 2013-05-13 00:12 - 00000000 ____D C:\Users\jason.birzer\Desktop\RK_Quarantine
    2013-05-13 00:08 - 2013-05-13 00:08 - 00014236 ____A C:\AdwCleaner[S1].txt
    2013-05-13 00:01 - 2013-05-13 00:07 - 00816128 ____A C:\Users\jason.birzer\Desktop\RogueKiller.exe
    2013-05-13 00:00 - 2013-05-13 00:07 - 00628743 ____A C:\Users\jason.birzer\Desktop\AdwCleaner.exe
    2013-05-12 23:55 - 2013-05-13 00:06 - 01752992 ____A (Bleeping Computer, LLC) C:\Users\jason.birzer\Desktop\rkill.com
    2013-05-12 23:35 - 2013-05-12 23:35 - 00000000 ____D C:\FRST
    2013-05-12 23:28 - 2013-05-12 01:57 - 00000000 ____D C:\Users\adm\AppData\Local\TSVNCache
    2013-05-12 09:36 - 2013-05-12 09:36 - 00000000 ____D C:\Users\adm\AppData\Local\Apple
    2013-05-12 01:57 - 2013-05-12 01:57 - 00000000 ____D C:\Users\adm\AppData\Roaming\Subversion
    2013-05-11 23:45 - 2013-05-11 23:45 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Malwarebytes
    2013-05-11 23:43 - 2013-05-11 23:43 - 00000020 ___SH C:\Users\adm\ntuser.ini
    2013-05-11 23:43 - 2013-05-11 23:43 - 00000000 ____D C:\users\adm
    2013-05-11 23:30 - 2013-05-11 23:12 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\NPE
    2013-05-11 23:13 - 2013-05-11 23:13 - 00000000 ____D C:\Users\bogus\AppData\Roaming\Subversion
    2013-05-11 23:12 - 2013-05-11 23:12 - 00000000 ____D C:\ProgramData\Norton
    2013-05-11 23:02 - 2013-05-11 23:02 - 00000020 ___SH C:\Users\bogus\ntuser.ini
    2013-05-11 23:02 - 2013-05-11 23:02 - 00000000 ____D C:\users\bogus
    2013-05-11 23:02 - 2013-05-11 22:47 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
    2013-05-11 22:46 - 2013-05-11 22:46 - 00002137 ____A C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
    2013-05-11 22:46 - 2013-05-11 22:46 - 00000632 ____A C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job
    2013-05-11 22:46 - 2013-05-11 22:46 - 00000628 ____A C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
    2013-05-11 22:46 - 2013-05-11 22:46 - 00000458 ____A C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job
    2013-05-11 22:46 - 2013-05-11 22:46 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
    2013-05-11 15:39 - 2013-05-11 15:39 - 00002272 ____A C:\Users\jason.birzer\Desktop\SpyHunter.lnk
    2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\sh4ldr
    2013-05-11 15:39 - 2013-05-11 15:39 - 00000000 ____D C:\Program Files\Enigma Software Group
    2013-05-11 12:59 - 2013-05-11 12:59 - 00000000 ____D C:\Users\jason.birzer\Desktop\rkill
    2013-05-11 12:44 - 2013-05-11 12:12 - 00000000 ____D C:\ProgramData\HitmanPro
    2013-05-11 12:35 - 2011-02-13 19:04 - 00016384 __ASH C:\Users\jason.birzer\Thumbs.db
    2013-05-11 11:57 - 2013-05-11 11:57 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\Users\jason.birzer\AppData\Roaming\Malwarebytes
    2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\ProgramData\Malwarebytes
    2013-05-11 11:57 - 2013-05-11 11:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-05-11 11:48 - 2011-06-13 00:03 - 00000000 ____D C:\Windows\pss
    2013-05-11 01:16 - 2013-05-11 01:16 - 00000000 ___HD C:\Users\Public\Documents\Report
    2013-05-08 19:10 - 2010-08-29 23:20 - 00107971 ____A C:\Windows\cdplayer.ini
    2013-05-07 00:00 - 2010-02-02 02:19 - 00000410 ____A C:\Windows\Tasks\updater.exe.job
    2013-05-03 00:51 - 2012-04-26 02:08 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2013-05-02 11:29 - 2010-01-24 14:33 - 00278800 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2013-05-02 10:13 - 2013-04-25 09:53 - 00002010 ____A C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
    2013-05-02 10:13 - 2013-04-25 09:53 - 00000000 ____D C:\Program Files (x86)\McAfee Security Scan
    2013-04-30 17:10 - 2011-05-01 10:59 - 00000000 ____D C:\Program Files (x86)\Luxor
    2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Users\jason.birzer\AppData\Roaming\Greenshot
    2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Users\jason.birzer\AppData\Local\Greenshot
    2013-04-30 01:46 - 2013-04-30 01:46 - 00000000 ____D C:\Program Files\Greenshot
    2013-04-30 01:39 - 2012-03-18 01:35 - 00000000 ____D C:\Program Files (x86)\Screenshot Pilot
    2013-04-27 01:33 - 2013-04-27 01:33 - 00002127 ____A C:\Users\Public\Desktop\Venetica.lnk
    2013-04-27 01:33 - 2013-04-27 01:21 - 00000000 ____D C:\Program Files (x86)\Venetica
    2013-04-25 09:53 - 2013-04-25 09:53 - 00000000 ____D C:\ProgramData\McAfee Security Scan
    2013-04-25 09:53 - 2012-04-01 21:10 - 00691592 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2013-04-25 09:53 - 2011-07-06 20:28 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2013-04-25 09:53 - 2010-01-25 02:25 - 00000000 ____D C:\ProgramData\Adobe
    2013-04-25 09:51 - 2013-04-11 23:16 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2013-04-19 16:54 - 2013-04-19 16:54 - 03867442 ____A C:\Users\jason.birzer\Desktop\Mycomputer.nfo
    2013-04-19 16:52 - 2013-04-19 16:52 - 00036538 ____A C:\Users\jason.birzer\Desktop\DxDiag.txt
    2013-04-18 14:10 - 2011-10-22 23:41 - 00000000 ____D C:\Program Files (x86)\Origin

    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll
    [2011-04-02 16:51] - [2012-10-04 12:47] - 0869376 ____A (Microsoft Corporation) 47F6DD86DDCAD50F2DC1E3652728F01E

    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


    Last Boot: 2013-05-04 00:23

    ==================== End Of Log ============================
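The check above compares each listed system file against the tool's known-good hashes: files it recognises are marked "MD5 is legit", while the SysWOW64 User32.dll entry is printed with its full details because its hash was not recognised, which is what Fiery's later User32.dll search follows up on. As an added example that is not part of this thread or of FRST itself, the following Python parses that section (the input is a constructed sample modelled on the log above) and lists the entries that need manual triage:

```python
import re
# Constructed sample modelled on the "Bamital & volsnap Check" section of the
# FRST log quoted in this thread (paths and the one listed MD5 are the log's).
SAMPLE_CHECK = """\
==================== Bamital & volsnap Check =================

C:\\Windows\\System32\\winlogon.exe => MD5 is legit
C:\\Windows\\System32\\User32.dll => MD5 is legit
C:\\Windows\\SysWOW64\\User32.dll
[2011-04-02 16:51] - [2012-10-04 12:47] - 0869376 ____A (Microsoft Corporation) 47F6DD86DDCAD50F2DC1E3652728F01E

C:\\Windows\\System32\\Drivers\\volsnap.sys => MD5 is legit
Last Boot: 2013-05-04 00:23
==================== End Of Log ============================
"""
LEGIT = "=> MD5 is legit"
# Detail line FRST prints under a path whose hash is not in its known-good list:
# [created] - [modified] - size attributes (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_bamital_check(text):
    """One dict per checked file: path, verified flag, detail fields (with md5) if unverified."""
    lines = [ln.strip() for ln in text.splitlines()]
    records, in_section, i = [], False, 0
    while i < len(lines):
        ln = lines[i]
        if ln.startswith("===="):           # section banner: enter or leave the check
            in_section = "Bamital" in ln
        elif in_section and "\\" in ln:     # only path lines; skips e.g. "Last Boot:"
            if ln.endswith(LEGIT):
                records.append({"path": ln[: -len(LEGIT)].strip(),
                                "verified": True, "details": None})
            else:
                # Bare path, normally followed by the detail line carrying its MD5.
                rec = {"path": ln, "verified": False, "details": None}
                m = DETAIL_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
                if m:
                    rec["details"] = m.groupdict()
                    i += 1
                records.append(rec)
        i += 1
    return records


def unverified_files(records):
    """Files to triage by hand: an unrecognised hash is a lead, not yet proof of infection."""
    return [r for r in records if not r["verified"]]
```

An unrecognised hash can also be a legitimate build the tool's list does not know (here the SysWOW64 copy carries a 2012 modification date), so the next step is comparing the flagged file with a known-good copy, as the thread does.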
     
  16. Fiery

    Fiery 1 of the 4 MalwareTips Founder

    Open notepad and copy & paste the following:

    and save it as fixlist.txt onto your flash drive.

    Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

    Then in FRST, type User32.dll in the search box and click Search. Another log will appear; please post that one also.
     
  17. thelongshot

    thelongshot New Member

    Here are the logs.
     

    Attached Files:

  18. Fiery

    Fiery 1 of the 4 MalwareTips Founder

    Open notepad and copy & paste the following:

    and save it as fixlist.txt onto your flash drive.

    Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

    Now see if you still have the white screen.
     
  19. thelongshot

    thelongshot New Member

    Yeah, that seems to be it. White screen is gone, and I can access task manager now.

    Let me know if there are other things I need to clean up.
     

    Attached Files:

  20. Fiery

    Fiery 1 of the 4 MalwareTips Founder

    Good :D

    A few more steps before I say you are clean.

    Please download Malwarebytes' Anti-Malware from here to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • When it prompts you to try their 30-day trial, click Decline.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Run Eset NOD32 Online AntiVirus here

    Note: You will need to use Internet Explorer for this scan.
    Vista / 7 users: You will need to right-click on the Internet Explorer icon and select Run as Administrator.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install.
    • Disable your current antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Make sure that the option "Remove found threats" is un-checked, and the following Advanced Settings are checked:
      • Scan unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
    • Click Scan
    • Wait for the scan to finish
    • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
    • Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
    • The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt


    Download Security Check by screen317 from here or here.
    • Save it to your Desktop.
    • Double-click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A notepad document should open automatically called checkup.txt.
    • Please post the contents of that document in your next reply. Please do not attach it!
     

MalwareTips.com is an independent website. All trademarks mentioned on this page are the property of their respective owners.