MoneyPak Virus

BrianS6565 (New Member, thread author), Apr 13, 2014
Please help. I've contracted a virus that is keeping me from using my computer at all. Any help would be appreciated.
 

TwinHeadedEagle (Level 41, Verified)
Hi,


Please download Farbar Recovery Scan Tool x64 and save it to a flash drive.
  • Plug the flash drive into the infected PC.
  • Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer.
  • Follow the prompt to enter the keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply press Enter.
  • In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
  • In the command window type notepad and press Enter.
  • When Notepad opens, click File and select Open.
  • Select "Computer", note your flash drive's letter, then close Notepad.
  • In the command window type e:\frst64.exe and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.

It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.
 

BrianS6565 (New Member, thread author), Apr 13, 2014
Thanks for the prompt response. Here is the copy of the log.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-04-2014 01
Ran by SYSTEM on MININT-MUOKFIB on 13-04-2014 17:06:32
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [170264 2012-01-29] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] => C:\Windows\system32\hkcmd.exe [398616 2012-01-29] (Intel Corporation)
HKLM\...\Run: [Persistence] => C:\Windows\system32\igfxpers.exe [440600 2012-01-29] (Intel Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-13] (Synaptics Incorporated)
HKLM\...\Run: [SetDefault] => C:\Program Files\Hewlett-Packard\HP LaunchBox\SetDefault.exe [44880 2011-12-19] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1425408 2013-03-01] (IDT, Inc.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291096 2011-12-05] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [937920 2011-06-06] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HPOSD] => C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP CoolSense] => C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [1343904 2012-11-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [578944 2012-03-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [TkBellExe] => C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe [295072 2013-03-10] (RealNetworks, Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [300400 2010-03-10] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-11-01] (Apple Inc.)
HKLM-x32\...\Run: [ApnTBMon] => C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1801168 2014-04-10] (APN)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\Brian Sager\...\Run: [Google Update*] => [X] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKU\Default\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\Sidebar.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\Default User\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\Sidebar.exe [1475584 2010-11-20] (Microsoft Corporation)
Startup: C:\Users\Brian Sager\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffifr29.lnk
ShortcutTarget: ffifr29.lnk -> C:\ProgramData\2992199F9A\92rfiff.cpp (Microsoft Corporation)
Startup: C:\Users\Brian Sager\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NexDef Plug-in.lnk
ShortcutTarget: NexDef Plug-in.lnk -> (No File)
==================== Services (Whitelisted) =================
S2 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [166352 2014-04-10] (APN LLC.)
S2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1363584 2014-03-03] (Microsoft Corporation)
S2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1748608 2014-03-03] (Microsoft Corporation)
S2 FPLService; C:\Program Files (x86)\HP SimplePass\TrueSuiteService.exe [1641768 2013-06-07] (HP)
S2 hpsrv; C:\Windows\SysWOW64\Hpservice.exe [0 2013-05-12] ()
S2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [128280 2011-12-16] ()
S2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [161560 2011-12-16] (Intel Corporation)
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe [138760 2011-08-10] (Symantec Corporation)
S2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [38608 2012-11-29] ()
S2 Spooler; C:\Windows\SysWOW64\spoolsv.exe [0 2013-05-12] ()
S3 TrueService; C:\Program Files\Common Files\AuthenTec\TrueService.exe [401856 2013-01-07] (AuthenTec, Inc.)
S2 Winmgmt; C:\ProgramData\2992199F9A\ffifr29.faa [332036 2014-04-10] (Microsoft Corporation)
==================== Drivers (Whitelisted) ====================
S3 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20130322.001\BHDrvx64.sys [1387608 2013-03-21] (Symantec Corporation)
S3 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1301000.01C\ccSetx64.sys [167048 2011-08-08] (Symantec Corporation)
S3 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2013-02-07] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2013-02-07] (Symantec Corporation)
S3 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20130405.001\IDSvia64.sys [513184 2013-02-07] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20130408.016\ENG64.SYS [126192 2013-02-07] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20130408.016\EX64.SYS [2087664 2013-02-07] (Symantec Corporation)
S3 RSP2STOR; C:\Windows\System32\DRIVERS\RtsP2Stor.sys [259688 2011-10-27] (Realtek Semiconductor Corp.)
S3 SmbDrv; C:\Windows\system32\drivers\Smb_driver.sys [20016 2011-10-13] (Synaptics Incorporated)
S3 SRTSP; C:\Windows\system32\drivers\NISx64\1301000.01C\SRTSP64.SYS [729720 2011-08-02] (Symantec Corporation)
S3 SRTSPX; C:\Windows\system32\drivers\NISx64\1301000.01C\SRTSPX64.SYS [37496 2011-08-02] (Symantec Corporation)
S3 SymDS; C:\Windows\system32\drivers\NISx64\1301000.01C\SYMDS64.SYS [451192 2011-07-25] (Symantec Corporation)
S3 SymEFA; C:\Windows\system32\drivers\NISx64\1301000.01C\SYMEFA64.SYS [1084536 2011-07-28] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2013-02-05] (Symantec Corporation)
S3 SymIRON; C:\Windows\system32\drivers\NISx64\1301000.01C\Ironx64.SYS [189560 2011-07-25] (Symantec Corporation)
S3 SymNetS; C:\Windows\system32\drivers\NISx64\1301000.01C\SYMNETS.SYS [401016 2011-07-25] (Symantec Corporation)
==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========
2014-04-13 17:06 - 2014-04-13 17:06 - 00000000 ____D () C:\FRST
2014-04-10 11:30 - 2014-04-13 13:43 - 00000000 ____D () C:\ProgramData\2992199F9A
2014-04-09 10:59 - 2014-03-12 22:33 - 02238976 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2014-04-09 10:59 - 2014-03-12 22:33 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2014-04-09 10:59 - 2014-03-12 22:33 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2014-04-09 10:59 - 2014-03-12 22:32 - 19273728 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-04-09 10:59 - 2014-03-12 22:32 - 03959808 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2014-04-09 10:59 - 2014-03-12 22:32 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2014-04-09 10:59 - 2014-03-12 22:32 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2014-04-09 10:59 - 2014-03-12 22:32 - 00197120 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2014-04-09 10:59 - 2014-03-12 22:32 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2014-04-09 10:59 - 2014-03-12 22:31 - 15404544 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2014-04-09 10:59 - 2014-03-12 22:31 - 02648576 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2014-04-09 10:59 - 2014-03-12 22:31 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2014-04-09 10:59 - 2014-03-12 22:31 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2014-04-09 10:59 - 2014-03-12 22:31 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2014-04-09 10:59 - 2014-03-12 22:31 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2014-04-09 10:59 - 2014-03-12 21:10 - 01766400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-04-09 10:59 - 2014-03-12 21:10 - 01140736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 14358016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 02877952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 02049536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-04-09 10:59 - 2014-03-12 20:57 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-04-09 10:59 - 2014-03-12 20:47 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-04-09 10:59 - 2014-03-12 19:59 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2014-04-09 10:59 - 2014-03-12 19:51 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2014-04-09 10:58 - 2014-03-04 01:44 - 01163264 _____ (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2014-04-09 10:58 - 2014-03-04 01:44 - 00362496 _____ (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2014-04-09 10:58 - 2014-03-04 01:44 - 00243712 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
2014-04-09 10:58 - 2014-03-04 01:44 - 00016384 _____ (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2014-04-09 10:58 - 2014-03-04 01:44 - 00013312 _____ (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2014-04-09 10:58 - 2014-03-04 01:17 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2014-04-09 10:58 - 2014-03-04 01:16 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2014-04-09 10:58 - 2014-03-04 01:16 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2014-04-09 10:58 - 2014-03-04 01:16 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2014-04-09 10:58 - 2014-03-04 00:09 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2014-04-09 10:58 - 2014-03-04 00:09 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2014-04-09 10:58 - 2014-02-03 18:35 - 00274880 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\msiscsi.sys
2014-04-09 10:58 - 2014-02-03 18:35 - 00190912 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\storport.sys
2014-04-09 10:58 - 2014-02-03 18:35 - 00027584 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\Diskdump.sys
2014-04-09 10:58 - 2014-02-03 18:28 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\iologmsg.dll
2014-04-09 10:58 - 2014-02-03 18:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iologmsg.dll
2014-04-09 10:58 - 2014-01-23 18:37 - 01684928 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2014-04-06 20:17 - 2014-04-06 20:17 - 00014053 _____ () C:\Users\Brian Sager\Downloads\Call Schedule 4-2014 (2).xlsx
2014-04-06 20:16 - 2014-04-06 20:16 - 00014053 _____ () C:\Users\Brian Sager\Downloads\Call Schedule 4-2014 (1).xlsx
2014-04-06 20:13 - 2014-04-13 13:43 - 00000400 _____ () C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_Brian Sager.job
2014-04-06 20:13 - 2014-04-13 08:42 - 00003002 _____ () C:\Windows\System32\Tasks\ReclaimerUpdateXML_Brian Sager
2014-04-06 20:13 - 2014-04-13 08:42 - 00000390 _____ () C:\Windows\Tasks\ReclaimerUpdateXML_Brian Sager.job
2014-04-06 20:13 - 2014-04-12 10:42 - 00003006 _____ () C:\Windows\System32\Tasks\ReclaimerUpdateFiles_Brian Sager
2014-04-06 20:13 - 2014-04-12 10:42 - 00000394 _____ () C:\Windows\Tasks\ReclaimerUpdateFiles_Brian Sager.job
2014-04-06 20:13 - 2014-04-06 20:13 - 00003646 _____ () C:\Windows\System32\Tasks\RNUpgradeHelperResumePrompt_Brian Sager
2014-04-06 20:13 - 2014-04-06 20:13 - 00002710 _____ () C:\Windows\System32\Tasks\RNUpgradeHelperLogonPrompt_Brian Sager
2014-04-04 14:23 - 2014-04-04 14:23 - 00014053 _____ () C:\Users\Brian Sager\Downloads\Call Schedule 4-2014.xlsx
2014-03-30 08:12 - 2014-03-30 15:07 - 00153162 _____ () C:\Users\Brian Sager\Documents\e2list3.30.xlsx
2014-03-24 13:57 - 2014-03-24 13:57 - 00014058 _____ () C:\Users\Brian Sager\Downloads\Children%27s House Staff Schedule April 2014.xlsx
2014-03-16 20:07 - 2014-04-13 08:00 - 00003362 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1596818072-1018057494-116439080-1001
2014-03-14 16:43 - 2014-04-12 12:59 - 00000356 _____ () C:\Windows\Tasks\HPCeeScheduleForBrian Sager.job
2014-03-14 16:43 - 2014-04-12 08:42 - 00003222 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForBrian Sager
==================== One Month Modified Files and Folders =======
2014-04-13 17:06 - 2014-04-13 17:06 - 00000000 ____D () C:\FRST
2014-04-13 13:47 - 2009-07-13 20:45 - 00031472 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-13 13:47 - 2009-07-13 20:45 - 00031472 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-13 13:46 - 2013-02-07 15:10 - 00003970 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{88F222FE-40D9-4533-9708-FEFB116E7767}
2014-04-13 13:43 - 2014-04-10 11:30 - 00000000 ____D () C:\ProgramData\2992199F9A
2014-04-13 13:43 - 2014-04-06 20:13 - 00000400 _____ () C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_Brian Sager.job
2014-04-13 13:43 - 2013-03-10 15:24 - 00000904 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-13 13:42 - 2013-11-04 12:35 - 00003628 _____ () C:\Windows\setupact.log
2014-04-13 13:42 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-13 13:41 - 2013-03-10 15:24 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-13 13:41 - 2012-10-22 16:22 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-04-13 11:57 - 2013-02-06 14:24 - 01796070 _____ () C:\Windows\WindowsUpdate.log
2014-04-13 09:34 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\rescache
2014-04-13 08:42 - 2014-04-06 20:13 - 00003002 _____ () C:\Windows\System32\Tasks\ReclaimerUpdateXML_Brian Sager
2014-04-13 08:42 - 2014-04-06 20:13 - 00000390 _____ () C:\Windows\Tasks\ReclaimerUpdateXML_Brian Sager.job
2014-04-13 08:16 - 2013-12-25 19:00 - 00113260 _____ () C:\Windows\IE11_main.log
2014-04-13 08:00 - 2014-03-16 20:07 - 00003362 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1596818072-1018057494-116439080-1001
2014-04-13 08:00 - 2013-11-04 12:37 - 00003240 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1596818072-1018057494-116439080-1001
2014-04-12 13:44 - 2013-10-10 07:28 - 00003384 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-1596818072-1018057494-116439080-1001
2014-04-12 13:44 - 2013-10-10 07:28 - 00003262 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1596818072-1018057494-116439080-1001
2014-04-12 12:59 - 2014-03-14 16:43 - 00000356 _____ () C:\Windows\Tasks\HPCeeScheduleForBrian Sager.job
2014-04-12 10:42 - 2014-04-06 20:13 - 00003006 _____ () C:\Windows\System32\Tasks\ReclaimerUpdateFiles_Brian Sager
2014-04-12 10:42 - 2014-04-06 20:13 - 00000394 _____ () C:\Windows\Tasks\ReclaimerUpdateFiles_Brian Sager.job
2014-04-12 08:42 - 2014-03-14 16:43 - 00003222 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForBrian Sager
2014-04-12 08:42 - 2013-04-05 13:52 - 00000000 _____ () C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2014-04-12 08:42 - 2013-02-13 05:08 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log
2014-04-10 11:19 - 2013-02-16 18:17 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-04-09 16:00 - 2013-03-10 15:24 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-04-09 15:54 - 2013-07-27 17:04 - 00000000 ____D () C:\Users\Brian Sager\Citrix
2014-04-09 00:57 - 2013-02-17 08:05 - 00000000 ____D () C:\Users\Brian Sager\AppData\Local\CrashDumps
2014-04-06 20:17 - 2014-04-06 20:17 - 00014053 _____ () C:\Users\Brian Sager\Downloads\Call Schedule 4-2014 (2).xlsx
2014-04-06 20:16 - 2014-04-06 20:16 - 00014053 _____ () C:\Users\Brian Sager\Downloads\Call Schedule 4-2014 (1).xlsx
2014-04-06 20:13 - 2014-04-06 20:13 - 00003646 _____ () C:\Windows\System32\Tasks\RNUpgradeHelperResumePrompt_Brian Sager
2014-04-06 20:13 - 2014-04-06 20:13 - 00002710 _____ () C:\Windows\System32\Tasks\RNUpgradeHelperLogonPrompt_Brian Sager
2014-04-04 14:23 - 2014-04-04 14:23 - 00014053 _____ () C:\Users\Brian Sager\Downloads\Call Schedule 4-2014.xlsx
2014-03-30 15:07 - 2014-03-30 08:12 - 00153162 _____ () C:\Users\Brian Sager\Documents\e2list3.30.xlsx
2014-03-30 07:21 - 2013-03-10 15:24 - 00003904 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-03-30 07:21 - 2013-03-10 15:24 - 00003652 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-03-28 11:31 - 2014-03-01 20:44 - 00000000 ____D () C:\Bovada
2014-03-26 16:08 - 2009-07-13 21:13 - 00781298 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-03-24 13:57 - 2014-03-24 13:57 - 00014058 _____ () C:\Users\Brian Sager\Downloads\Children%27s House Staff Schedule April 2014.xlsx
2014-03-16 20:06 - 2009-07-13 20:45 - 00414704 _____ () C:\Windows\System32\FNTCACHE.DAT
2014-03-16 20:05 - 2013-03-18 12:24 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-16 20:05 - 2013-03-18 12:24 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-03-16 19:49 - 2013-03-10 11:27 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-03-16 19:49 - 2012-10-22 16:34 - 00000000 ____D () C:\ProgramData\Skype
2014-03-14 16:38 - 2013-02-06 14:24 - 00000000 ____D () C:\users\Brian Sager
ZeroAccess:
C:\Users\Brian Sager\AppData\Local\Google\Desktop\Install
Some content of TEMP:
====================
C:\Users\Brian Sager\AppData\Local\Temp\setup.exe
C:\Users\Brian Sager\AppData\Local\Temp\sp64126.exe
C:\Users\Brian Sager\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Brian Sager\AppData\Local\Temp\~+JF8179645312642104323.dll

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================
Restore point made on: 2014-03-21 13:50:15
Restore point made on: 2014-03-22 06:15:19
Restore point made on: 2014-03-25 19:06:46
Restore point made on: 2014-03-27 13:33:51
Restore point made on: 2014-03-28 10:53:43
Restore point made on: 2014-03-31 12:58:44
Restore point made on: 2014-04-03 06:05:41
Restore point made on: 2014-04-04 06:14:45
Restore point made on: 2014-04-05 06:42:31
Restore point made on: 2014-04-06 08:14:40
Restore point made on: 2014-04-09 10:54:21
Restore point made on: 2014-04-10 11:16:51
Restore point made on: 2014-04-12 13:40:24
Restore point made on: 2014-04-13 08:12:51
Restore point made on: 2014-04-13 09:37:14
Restore point made on: 2014-04-13 09:37:18
Restore point made on: 2014-04-13 09:37:19
Restore point made on: 2014-04-13 09:37:20
Restore point made on: 2014-04-13 09:37:25
Restore point made on: 2014-04-13 09:37:27
Restore point made on: 2014-04-13 09:37:27
==================== Memory info ===========================
Percentage of memory in use: 11%
Total physical RAM: 8087.31 MB
Available physical RAM: 7143.91 MB
Total Pagefile: 8085.46 MB
Available Pagefile: 7137.81 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:910.28 GB) (Free:823.93 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (Recovery) (Fixed) (Total:20.94 GB) (Free:2.26 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.07 GB) FAT32
Drive h: () (Removable) (Total:0.98 GB) (Free:0.97 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.25 GB) (Free:0.25 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 8A469346)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=910 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=21 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=102 MB) - (Type=0C)
========================================================
Disk: 1 (Size: 1003 MB) (Disk ID: 003068C2)
Partition 1: (Active) - (Size=1003 MB) - (Type=06)

LastRegBack: 2014-04-13 09:23
==================== End Of Log ============================
 

TwinHeadedEagle (Level 41, Verified)
Download the attached fixlist.txt and save it to your USB flash drive as fixlist.txt.

>> Boot into the Recovery Environment.

Start FRST in the same manner as when you ran the scan earlier, but this time when it opens:
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt.
  • When finished, it will produce a log, fixlog.txt, on your USB flash drive.

>> Exit the Recovery Environment and post me the log, please.

Try to boot Windows normally...
 

Attachments
  • fixlist.txt (977 bytes)

BrianS6565 (New Member, thread author), Apr 13, 2014
Thanks, computer booted up great.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-04-2014 01
Ran by SYSTEM at 2014-04-14 18:51:36 Run:1
Running from H:\
Boot Mode: Recovery
==============================================
Content of fixlist:
*****************
HKU\Brian Sager\...\Run: [Google Update*] => [X] <===== ATTENTION (ZeroAccess rootkit hidden path)
Startup: C:\Users\Brian Sager\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffifr29.lnk
ShortcutTarget: ffifr29.lnk -> C:\ProgramData\2992199F9A\92rfiff.cpp (Microsoft Corporation)
Startup: C:\Users\Brian Sager\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NexDef Plug-in.lnk
ShortcutTarget: NexDef Plug-in.lnk -> (No File)
S2 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [166352 2014-04-10] (APN LLC.)
C:\Program Files (x86)\AskPartnerNetwork
2014-04-10 11:30 - 2014-04-13 13:43 - 00000000 ____D () C:\ProgramData\2992199F9A
C:\Users\Brian Sager\AppData\Local\Google\Desktop\Install
C:\Users\Brian Sager\AppData\Local\Temp\setup.exe
C:\Users\Brian Sager\AppData\Local\Temp\sp64126.exe
C:\Users\Brian Sager\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Brian Sager\AppData\Local\Temp\~+JF8179645312642104323.dll
*****************
HKU\Brian Sager\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
C:\Users\Brian Sager\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffifr29.lnk => Moved successfully.
C:\ProgramData\2992199F9A\92rfiff.cpp => Moved successfully.
C:\Users\Brian Sager\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NexDef Plug-in.lnk => Moved successfully.
ShortcutTarget: NexDef Plug-in.lnk -> (No File) not found.
APNMCP => Service deleted successfully.
C:\Program Files (x86)\AskPartnerNetwork => Moved successfully.
C:\ProgramData\2992199F9A => Moved successfully.
C:\Users\Brian Sager\AppData\Local\Google\Desktop\Install => Moved successfully.
C:\Users\Brian Sager\AppData\Local\Temp\setup.exe => Moved successfully.
C:\Users\Brian Sager\AppData\Local\Temp\sp64126.exe => Moved successfully.
C:\Users\Brian Sager\AppData\Local\Temp\UninstallHPSA.exe => Moved successfully.
C:\Users\Brian Sager\AppData\Local\Temp\~+JF8179645312642104323.dll => Moved successfully.
==== End of Fixlog ====
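The FRST log posted earlier and the fixlist processed in the fixlog above show the two halves of this kind of cleanup: read the autostart entries for anything that does not belong, then hand FRST the offending lines verbatim. The script below is an added example and is not part of this thread, of FRST, or of the helper's fixlist; it encodes the checks an analyst reads such a log for as code that runs over a handful of lines copied from the FRST.txt above (a constructed sample, clean and suspicious entries mixed). The rules are my own heuristics, stated as assumptions in the comments: an extension whitelist for autostart targets, the "random hex folder under ProgramData" pattern that matches 2992199F9A, a user-writable-location check, and a small list of core Windows services that a fixlist must never delete. The draft fixlist it emits copies the flagged log lines in the same form the thread's fixlist uses; treat it as a draft to review, because FRST deletes whatever the fixlist names.

```python
"""Triage an FRST.txt log and draft a fixlist.txt from the entries that look malicious."""
import ntpath
import re

# Constructed sample: lines copied from the FRST log posted in this thread,
# clean and suspicious ones mixed, so the rules have both kinds to classify.
SAMPLE_LOG = r"""
HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [170264 2012-01-29] (Intel Corporation)
HKU\Brian Sager\...\Run: [Google Update*] => [X] <===== ATTENTION (ZeroAccess rootkit hidden path)
Startup: C:\Users\Brian Sager\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffifr29.lnk
ShortcutTarget: ffifr29.lnk -> C:\ProgramData\2992199F9A\92rfiff.cpp (Microsoft Corporation)
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe [138760 2011-08-10] (Symantec Corporation)
S2 hpsrv; C:\Windows\SysWOW64\Hpservice.exe [0 2013-05-12] ()
S2 Winmgmt; C:\ProgramData\2992199F9A\ffifr29.faa [332036 2014-04-10] (Microsoft Corporation)
2014-04-10 11:30 - 2014-04-13 13:43 - 00000000 ____D () C:\ProgramData\2992199F9A
"""

EXEC_EXTS = {".exe", ".dll", ".sys", ".cpl", ".ocx", ".scr"}
# Core Windows services (assumed list): repair a hijacked ImagePath, never delete the service.
PROTECTED_SERVICES = {"Winmgmt", "Spooler", "BITS", "wuauserv", "EventLog"}
AUTOSTART_PREFIXES = ("ShortcutTarget:", "S2 ", "S3 ", "S4 ", "R2 ", "R3 ")
# Heuristic: C:\ProgramData\<8-16 hex chars>, the shape of the 2992199F9A folder in the log.
RANDOM_HEX_DIR = re.compile(r"\\ProgramData\\[0-9A-F]{8,16}(?:\\|$)", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:ProgramData|Users\\[^\\]+\\AppData)\\", re.IGNORECASE)
ENTRY_RE = re.compile(
    r"([A-Za-z]:\\[^\[]*?)"                # path: drive letter up to the "[size date]" bracket
    r"(?:\s+\[(\d+) \d{4}-\d\d-\d\d\])?"   # optional "[size yyyy-mm-dd]"
    r"(?:\s*\(([^)]*)\))?\s*$"             # optional "(Publisher)" closing the line
)
SERVICE_RE = re.compile(r"^[SR]\d (\S+?);")


def extract_entry(line):
    """Return (path, size, publisher) from an FRST line, or None if it names no file path."""
    m = ENTRY_RE.search(line)
    return (m.group(1).strip(), m.group(2), m.group(3)) if m else None


def triage(line):
    """Classify one FRST line: ('remove' | 'review' | None, [reasons])."""
    findings = []  # (severity, reason)
    if "<===== ATTENTION" in line:
        findings.append(("remove", "FRST itself flagged this entry"))
    entry = extract_entry(line)
    svc = SERVICE_RE.match(line)
    if entry:
        path, size, publisher = entry
        ext = ntpath.splitext(path)[1].lower()
        autostart = line.startswith(AUTOSTART_PREFIXES) or "\\Run: [" in line
        if autostart and ext and ext not in EXEC_EXTS:
            findings.append(("remove", f"autostart target has a non-executable extension ({ext})"))
        if RANDOM_HEX_DIR.search(path):
            findings.append(("remove", "random-looking hex folder under ProgramData"))
        if autostart and USER_WRITABLE.search(path):
            findings.append(("review", "autostart image lives in a user-writable location"))
        if svc and svc.group(1) in PROTECTED_SERVICES and "\\windows\\" not in path.lower():
            findings.append(("review", f"core service {svc.group(1)} points outside \\Windows: repair ImagePath, do not delete"))
        if size == "0" and publisher == "":
            findings.append(("review", "zero-byte image with no publisher: verify the file on a normal boot"))
    if not findings:
        return None, []
    severity = "remove" if any(s == "remove" for s, _ in findings) else "review"
    if svc and svc.group(1) in PROTECTED_SERVICES:
        severity = "review"  # the draft fixlist must never delete a core Windows service
    return severity, [reason for _, reason in findings]


def draft_fixlist(log_text):
    """Collect 'remove' lines verbatim, the form the fixlist in this thread uses.

    A flagged ShortcutTarget line drags its preceding Startup: line along, so the
    .lnk and its target go together. Review the result before running it: FRST
    deletes whatever the fixlist names.
    """
    lines = [l.rstrip() for l in log_text.splitlines() if l.strip()]
    fixlist = []
    for i, line in enumerate(lines):
        if triage(line)[0] != "remove":
            continue
        if line.startswith("ShortcutTarget:") and i and lines[i - 1].startswith("Startup:"):
            fixlist.append(lines[i - 1])
        fixlist.append(line)
    return fixlist


def report(log_text):
    """Human-readable triage: one header per flagged line, reasons indented below it."""
    out = []
    for line in log_text.splitlines():
        severity, reasons = triage(line.rstrip())
        if severity:
            out.append(f"[{severity.upper():6}] {line.strip()}")
            out.extend(f"         - {reason}" for reason in reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
    print("\n--- draft fixlist.txt (review before use) ---")
    print("\n".join(draft_fixlist(SAMPLE_LOG)))
```

Run against the sample, the draft fixlist comes out as the Google Update* value, the ffifr29.lnk shortcut with its .cpp target, and the C:\ProgramData\2992199F9A folder. The hijacked Winmgmt service and the zero-byte hpsrv image are reported for review only: deleting the Winmgmt service key would take WMI with it, and a zero-byte entry is something to verify on a normal boot rather than act on blind.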
 
