FBI MoneyPak virus

pfeifwa

New Member
Thread author
May 20, 2013
I need help with the next steps. I have read the forum posts and have a log file, but I don't know what to do now.
 

pfeifwa

New Member
Thread author
May 20, 2013
pfeifwa said:
I need help with the next steps. I have read the forum posts and have a log file, but I don't know what to do now.

Here is my log file from FRST:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 18-05-2013
Ran by SYSTEM on 20-05-2013 13:06:19
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe [621440 2009-09-29] (ELAN Microelectronic Corp.)
HKLM\...\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [323584 2009-08-31] (AlcorMicro Co., Ltd.)
HKLM\...\Run: [GUCI_AVS] C:\Windows\PixArt\PAP7501\GUCI_AVS.exe [314880 2009-09-16] (PixArt Imaging Incorporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$1730a923dc455de520baeecb8e25b4b7\n. ATTENTION! ====> ZeroAccess
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-07-12] ()
HKLM-x32\...\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [6937216 2009-10-09] (ASUS)
HKLM-x32\...\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [170624 2009-08-19] (ASUS)
HKLM-x32\...\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r [2244608 2009-09-11] (VIA)
HKLM-x32\...\Run: [AmazonGSDownloaderTray] C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe [326144 2009-10-23] (Amazon.com)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [246504 2010-01-11] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-02] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.)
HKU\Owner\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)
HKU\Owner\...\Run: [GoToMeeting] "C:\Program Files (x86)\Citrix\GoToMeeting\457\g2mstart.exe" "/Trigger RunAtLogon" [39816 2010-06-03] (Citrix Online, a division of Citrix Systems, Inc.)
HKU\Owner\...\Run: [MediaGet2] C:\Users\Owner\AppData\Local\MediaGet2\mediaget.exe --minimized [10847976 2013-02-17] (MediaGet LLC)
HKU\Owner\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [x]
HKU\Owner\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18642024 2013-02-28] (Skype Technologies S.A.)
HKU\Owner\...\Run: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-04-05] (Apple Inc.)
HKU\Owner\...\Run: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-04-05] (Apple Inc.)
HKU\Owner\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Owner\Documents\259c64b6.exe [27136 2013-05-18] ()
HKU\Owner\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
Startup: C:\ProgramData\Start Menu\Programs\Startup\FancyStart daemon.lnk
ShortcutTarget: FancyStart daemon.lnk -> C:\Windows\Installer\{F0DF4513-3C4C-4EB8-8012-2C5F70AF3988}\_A1DDD39913A1970387B7B3.exe ()
Startup: C:\ProgramData\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) =================

S2 ATKGFNEXSrv; C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe [96824 2009-07-21] (ASUS)
S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
S2 N360; C:\Program Files (x86)\Norton 360\Engine\5.2.2.3\diMaster.dll [262584 2011-03-31] (Symantec Corporation)

==================== Drivers (Whitelisted) ====================

S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20130515.001\BHDrvx64.sys [1390680 2013-04-12] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-08] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-08-08] (Symantec Corporation)
S3 GUCI_AVS; C:\Windows\System32\DRIVERS\GUCI_AVS.sys [692736 2009-10-28] (PixArt Imaging Incorporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20130517.001\IDSvia64.sys [513184 2012-08-31] (Symantec Corporation)
S3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [15416 2009-07-20] ( )
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20130520.003\ENG64.SYS [126192 2013-01-16] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20130520.003\EX64.SYS [2087664 2013-01-16] (Symantec Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2011-06-03] (Symantec Corporation)
S3 SRTSP; \SystemRoot\System32\Drivers\N360x64\0502020.003\SRTSP64.SYS [x]
S1 SRTSPX; \SystemRoot\system32\drivers\N360x64\0502020.003\SRTSPX64.SYS [x]
S0 SymDS; system32\drivers\N360x64\0502020.003\SYMDS64.SYS [x]
S0 SymEFA; system32\drivers\N360x64\0502020.003\SYMEFA64.SYS [x]
S1 SymIRON; \SystemRoot\system32\drivers\N360x64\0502020.003\Ironx64.SYS [x]
S1 SymNetS; \SystemRoot\System32\Drivers\N360x64\0502020.003\SYMNETS.SYS [x]
S3 tmlwf;
S3 tmwfp;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-20 13:06 - 2013-05-20 13:06 - 00000000 ____D C:\FRST
2013-05-18 14:55 - 2013-05-18 14:55 - 01096080 ____A C:\ProgramData\2433f433
2013-05-18 14:55 - 2013-05-18 14:55 - 01096036 ____A C:\Users\Owner\AppData\Roaming\2433f433
2013-05-18 14:55 - 2013-05-18 14:55 - 01096018 ____A C:\Users\Owner\AppData\Local\2433f433
2013-05-18 14:55 - 2013-05-18 14:55 - 00027136 ____A C:\Users\Owner\Documents\259c64b6.exe
2013-05-17 13:48 - 2013-05-17 13:48 - 00000000 ____D C:\Users\Owner\AppData\Local\{FAF31FA2-8AD8-4B3A-9468-9345B2730063}
2013-05-17 01:48 - 2013-05-17 01:48 - 00000000 ____D C:\Users\Owner\AppData\Local\{C3E68DC7-F9DE-4AC1-94DA-5AF12DCA1B07}
2013-05-16 13:47 - 2013-05-16 13:48 - 00000000 ____D C:\Users\Owner\AppData\Local\{2A382BCA-7B38-4E33-8A4D-8A0AC8ED008D}
2013-05-16 02:02 - 2013-04-04 22:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-05-16 02:02 - 2013-04-04 22:52 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-05-16 02:02 - 2013-04-04 22:52 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-05-16 02:02 - 2013-04-04 22:50 - 19231232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-16 02:02 - 2013-04-04 22:50 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-05-16 02:02 - 2013-04-04 22:50 - 02647552 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-05-16 02:02 - 2013-04-04 22:50 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-05-16 02:02 - 2013-04-04 22:50 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-05-16 02:02 - 2013-04-04 22:50 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-05-16 02:02 - 2013-04-04 22:50 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-05-16 02:02 - 2013-04-04 22:50 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-05-16 02:02 - 2013-04-04 22:50 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-05-16 02:02 - 2013-04-04 22:50 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-05-16 02:02 - 2013-04-04 21:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-05-16 02:02 - 2013-04-04 21:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-05-16 02:02 - 2013-04-04 21:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-05-16 02:02 - 2013-04-04 21:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-05-16 02:02 - 2013-04-04 21:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-05-16 02:02 - 2013-04-04 21:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-05-16 02:02 - 2013-04-04 21:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-05-16 02:02 - 2013-04-04 21:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-05-16 02:02 - 2013-04-04 21:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-05-16 02:02 - 2013-04-04 21:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-05-16 02:02 - 2013-04-04 21:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-05-16 02:02 - 2013-04-04 21:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-05-16 02:02 - 2013-04-04 20:43 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-16 02:02 - 2013-04-04 20:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-05-16 02:02 - 2013-04-04 19:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-05-16 02:02 - 2013-04-04 19:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-05-16 02:01 - 2013-04-04 22:50 - 15404032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-05-16 02:01 - 2013-04-04 21:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-05-15 13:42 - 2013-04-09 22:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-05-15 13:42 - 2013-04-09 22:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
2013-05-15 13:42 - 2011-02-03 03:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
2013-05-15 13:41 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-05-15 13:41 - 2013-03-18 21:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
2013-05-15 13:41 - 2013-03-18 21:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll
2013-05-15 13:41 - 2013-02-26 22:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe
2013-05-15 13:41 - 2013-02-26 21:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2013-05-15 13:41 - 2013-02-26 21:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
2013-05-15 13:41 - 2013-02-26 21:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll
2013-05-15 13:41 - 2013-02-26 21:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll
2013-05-15 13:41 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2013-05-15 13:41 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
2013-05-15 13:41 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2013-05-10 00:44 - 2013-05-16 00:48 - 00000000 ____D C:\Users\Owner\AppData\Local\{FDDE7A0E-32BA-4968-A62D-5C91C91DC3A4}
2013-05-08 20:43 - 2013-05-08 20:43 - 00046080 ____A C:\Users\Owner\Documents\Copy of wade golf hcap may 2013.xls
2013-04-29 12:37 - 2013-05-09 12:44 - 00000000 ____D C:\Users\Owner\AppData\Local\{FCE94C1F-8C9F-484E-8F76-EBCBB5B457EB}
2013-04-25 12:35 - 2013-04-25 12:35 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Tific
2013-04-25 12:34 - 2013-04-29 00:37 - 00000000 ____D C:\Users\Owner\AppData\Local\{CE1E70FF-5E15-493F-A267-F0E7006F3DFA}
2013-04-24 02:08 - 2013-04-12 06:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-23 09:36 - 2013-04-23 09:36 - 00002046 ____A C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk

==================== One Month Modified Files and Folders =======

2013-05-20 13:06 - 2013-05-20 13:06 - 00000000 ____D C:\FRST
2013-05-20 12:03 - 2010-03-14 11:13 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-20 12:03 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-20 12:03 - 2009-07-13 20:51 - 00116603 ____A C:\Windows\setupact.log
2013-05-20 10:48 - 2010-03-26 14:13 - 00045056 ____A C:\Windows\System32\acovcnt.exe
2013-05-20 10:48 - 2009-12-17 17:52 - 01852264 ____A C:\Windows\WindowsUpdate.log
2013-05-20 10:47 - 2010-03-14 11:13 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-19 18:06 - 2012-08-06 08:47 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-18 16:36 - 2009-07-13 20:45 - 00010240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-18 16:36 - 2009-07-13 20:45 - 00010240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-18 16:32 - 2009-07-13 21:13 - 00730448 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-18 15:04 - 2009-12-17 18:14 - 00002190 ____A C:\Windows\System32\AutoRunFilter.ini
2013-05-18 15:02 - 2009-12-17 18:09 - 01044628 ____A C:\Windows\PFRO.log
2013-05-18 14:55 - 2013-05-18 14:55 - 01096080 ____A C:\ProgramData\2433f433
2013-05-18 14:55 - 2013-05-18 14:55 - 01096036 ____A C:\Users\Owner\AppData\Roaming\2433f433
2013-05-18 14:55 - 2013-05-18 14:55 - 01096018 ____A C:\Users\Owner\AppData\Local\2433f433
2013-05-18 14:55 - 2013-05-18 14:55 - 00027136 ____A C:\Users\Owner\Documents\259c64b6.exe
2013-05-18 14:52 - 2011-09-06 22:06 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Skype
2013-05-18 14:46 - 2010-11-03 21:10 - 00000000 ____D C:\Users\Owner\Documents\SafeHarbor
2013-05-17 13:48 - 2013-05-17 13:48 - 00000000 ____D C:\Users\Owner\AppData\Local\{FAF31FA2-8AD8-4B3A-9468-9345B2730063}
2013-05-17 01:48 - 2013-05-17 01:48 - 00000000 ____D C:\Users\Owner\AppData\Local\{C3E68DC7-F9DE-4AC1-94DA-5AF12DCA1B07}
2013-05-16 13:53 - 2010-12-28 12:17 - 00000000 ____D C:\Users\Owner\AppData\Local\Windows Live
2013-05-16 13:48 - 2013-05-16 13:47 - 00000000 ____D C:\Users\Owner\AppData\Local\{2A382BCA-7B38-4E33-8A4D-8A0AC8ED008D}
2013-05-16 06:33 - 2010-07-07 17:59 - 00000000 ___RD C:\Users\Owner\Documents\My Dropbox
2013-05-16 06:33 - 2010-07-07 17:56 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Dropbox
2013-05-16 06:33 - 2010-04-16 19:58 - 00000000 ____D C:\Users\Owner\Tracing
2013-05-16 03:19 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-05-16 02:42 - 2009-07-13 20:45 - 00351720 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-16 02:20 - 2009-12-17 17:49 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-05-16 02:12 - 2010-03-03 09:05 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-05-16 00:48 - 2013-05-10 00:44 - 00000000 ____D C:\Users\Owner\AppData\Local\{FDDE7A0E-32BA-4968-A62D-5C91C91DC3A4}
2013-05-14 10:05 - 2012-08-06 08:47 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-05-14 10:05 - 2011-08-14 21:13 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-05-09 12:44 - 2013-04-29 12:37 - 00000000 ____D C:\Users\Owner\AppData\Local\{FCE94C1F-8C9F-484E-8F76-EBCBB5B457EB}
2013-05-08 20:43 - 2013-05-08 20:43 - 00046080 ____A C:\Users\Owner\Documents\Copy of wade golf hcap may 2013.xls
2013-04-29 00:37 - 2013-04-25 12:34 - 00000000 ____D C:\Users\Owner\AppData\Local\{CE1E70FF-5E15-493F-A267-F0E7006F3DFA}
2013-04-25 12:35 - 2013-04-25 12:35 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Tific
2013-04-25 12:35 - 2010-03-10 02:31 - 00000000 ____D C:\Users\Owner\AppData\Local\Symantec
2013-04-24 21:24 - 2013-04-16 09:20 - 00000000 ____D C:\Users\Owner\AppData\Local\{5E9AF335-7F2A-4965-83E2-AF3BB142D68A}
2013-04-23 09:36 - 2013-04-23 09:36 - 00002046 ____A C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2013-04-23 09:35 - 2013-04-16 09:34 - 00000000 ____D C:\Program Files (x86)\McAfee Security Scan

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-4008674046-2340072865-576989462-1000\$1730a923dc455de520baeecb8e25b4b7

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$1730a923dc455de520baeecb8e25b4b7

Other Malware:
===========
C:\Users\Owner\g2mdlhlpx.exe

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-04-23 16:23:15
Restore point made on: 2013-04-25 02:00:50
Restore point made on: 2013-05-03 20:28:29
Restore point made on: 2013-05-10 23:00:36
Restore point made on: 2013-05-16 02:01:15

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 4061.09 MB
Available physical RAM: 3478.1 MB
Total Pagefile: 4059.23 MB
Available Pagefile: 3470.11 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:451.11 GB) (Free:280.08 GB) NTFS (Disk=0 Partition=2) ==>[Drive with boot components (obtained from BCD)]
Drive e: (USB DISK) (Removable) (Total:3.82 GB) (Free:3.81 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 76692CA8)
Partition 1: (Not Active) - (Size=15 GB) - (Type=1C)
Partition 2: (Active) - (Size=451 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)


Last Boot: 2013-05-13 23:38

==================== End Of Log ============================
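The log above already carries the lines that matter: FRST's own "ATTENTION ====> ZeroAccess" marker on the InprocServer32 hijack and on the Winlogon Shell set to cmd.exe, a user Run value with a generated-looking name pointing at an unsigned 259c64b6.exe in Documents, and three hex-named files plus that executable all created in the same minute (2013-05-18 14:55). The script below is an added example for this thread, not part of FRST and not the helper's fixlist: it pulls those kinds of lines out of an FRST.txt and groups files by creation minute so the rest of a drop can be seen together. The sample lines are copied from the log above; the heuristics (user-writable paths, blank publisher, hex-looking file names, long lower-case alphanumeric value names) are this script's own assumptions, not FRST's, and are a starting point for triage rather than a verdict.

```python
"""Triage an FRST.txt log: surface the lines worth acting on and cluster
suspicious files by creation minute.  Added example for this thread; the
heuristics below (user-writable paths, blank publisher, hex-looking names,
generated-looking value names) are this script's own assumptions, not FRST's."""
import re
import sys
from collections import defaultdict

# Constructed sample: a handful of lines copied from the FRST.txt posted above.
SAMPLE_LOG = r"""
HKLM\...\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe [621440 2009-09-29] (ELAN Microelectronic Corp.)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$1730a923dc455de520baeecb8e25b4b7\n. ATTENTION! ====> ZeroAccess
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-07-12] ()
HKU\Owner\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18642024 2013-02-28] (Skype Technologies S.A.)
HKU\Owner\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Owner\Documents\259c64b6.exe [27136 2013-05-18] ()
HKU\Owner\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
2013-05-20 13:06 - 2013-05-20 13:06 - 00000000 ____D C:\FRST
2013-05-18 14:55 - 2013-05-18 14:55 - 01096080 ____A C:\ProgramData\2433f433
2013-05-18 14:55 - 2013-05-18 14:55 - 01096036 ____A C:\Users\Owner\AppData\Roaming\2433f433
2013-05-18 14:55 - 2013-05-18 14:55 - 01096018 ____A C:\Users\Owner\AppData\Local\2433f433
2013-05-18 14:55 - 2013-05-18 14:55 - 00027136 ____A C:\Users\Owner\Documents\259c64b6.exe
2013-05-16 02:02 - 2013-04-04 22:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-05-08 20:43 - 2013-05-08 20:43 - 00046080 ____A C:\Users\Owner\Documents\Copy of wade golf hcap may 2013.xls
"""

# Registry autorun line: key: [name] command [size date] (publisher)
RUN_RE = re.compile(r"^(?P<key>HK\S*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*?) "
                    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<pub>[^)]*)\)")
# File line: created - modified - size attrs [(publisher)] path
FILE_RE = re.compile(r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
                     r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
                     r"(?P<size>\d{8}) (?P<attr>\S+) (?:\((?P<pub>[^)]*)\) )?(?P<path>.+)$")
# Locations a standard user (or malware running as one) can write to.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData|\$Recycle\.Bin)\\", re.I)
# Dropper-style names: a run of hex digits, optionally with an executable suffix.
HEX_NAME = re.compile(r"^[0-9a-f]{6,}(\.exe|\.dll)?$", re.I)


def looks_random(name):
    """Long, all lower-case alphanumerics with digits mixed in: a generated value name."""
    return (len(name) >= 16 and re.fullmatch(r"[a-z0-9]+", name) is not None
            and any(c.isdigit() for c in name))


def triage(log_text):
    """Return (findings, clusters).

    findings: [(reason, line)] in log order.
    clusters: {created_minute: [paths]} for each minute in which a flagged file
              was created, so the rest of the same drop can be seen together."""
    findings, by_minute, flagged_minutes = [], defaultdict(list), set()
    for line in (l.rstrip() for l in log_text.splitlines() if l.strip()):
        # FRST's own markers always win; nothing else needs to be checked.
        if "ATTENTION" in line or "ZeroAccess" in line:
            findings.append(("frst-marker", line))
            continue
        if (m := RUN_RE.match(line)):
            d = m.groupdict()
            if USER_WRITABLE.match(d["cmd"].strip('"')) and not d["pub"]:
                findings.append(("unsigned-autorun-in-user-path", line))
            elif looks_random(d["name"]):
                findings.append(("random-autorun-name", line))
        elif (m := FILE_RE.match(line)) and "D" not in m.group("attr"):
            d = m.groupdict()
            by_minute[d["created"]].append(d["path"])
            basename = d["path"].rsplit("\\", 1)[-1]
            if USER_WRITABLE.match(d["path"]) and not d["pub"] and HEX_NAME.match(basename):
                findings.append(("hex-named-file-in-user-path", line))
                flagged_minutes.add(d["created"])
    clusters = {t: by_minute[t] for t in sorted(flagged_minutes)}
    return findings, clusters


if __name__ == "__main__":
    # Usage: python frst_triage.py [FRST.txt]; without an argument the sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    found, groups = triage(text)
    for reason, line in found:
        print(f"[{reason}] {line}")
    for minute, paths in groups.items():
        print(f"\nfiles created {minute}:")
        for path in paths:
            print("   ", path)
```

On the sample it reports the two FRST-marked lines, the qcgce... Run value, and the four files from 14:55, and leaves the Roxio entry alone even though its publisher field is blank, because it lives under Program Files rather than a user-writable path. The creation-minute cluster is the useful part when reading a real log: once one dropped file is known, everything written in the same minute is worth a look even if its name is unremarkable.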
 

kuttus

Level 2
Verified
Oct 5, 2012
Now please download this file and save it to your Flash Drive.

(attachment: fixlist.txt)

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log. Then attempt to boot to normal mode.
 

Attachments: fixlist.txt (1 KB)

pfeifwa

New Member
Thread author
May 20, 2013
kuttus said:
Now please download this file and save it to your Flash Drive.
Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log. Then attempt to boot to normal mode.

Thanks, but I need a little more help. I don't know how to open FRST from the command prompt, or what mode I should be in. I can get back to System Recovery Options but am stuck there.
 

kuttus

Level 2
Verified
Oct 5, 2012
Can you please try to run a scan with Farbar Recovery Scan Tool. You will need a USB (Flash) pendrive.

For 32-bit (x86) systems, download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit systems, download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the 64-bit version, type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.
 

pfeifwa

New Member
Thread author
May 20, 2013
Here is the scan:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 18-05-2013
Ran by SYSTEM on 20-05-2013 13:06:19
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
2013-05-16 02:02 - 2013-04-04 21:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-05-16 02:02 - 2013-04-04 21:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-05-16 02:02 - 2013-04-04 21:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-05-16 02:02 - 2013-04-04 20:43 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-16 02:02 - 2013-04-04 20:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-05-16 02:02 - 2013-04-04 19:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-05-16 02:02 - 2013-04-04 19:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-05-16 02:01 - 2013-04-04 22:50 - 15404032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-05-16 02:01 - 2013-04-04 21:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-05-15 13:42 - 2013-04-09 22:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-05-15 13:42 - 2013-04-09 22:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
2013-05-15 13:42 - 2011-02-03 03:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
2013-05-15 13:41 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-05-15 13:41 - 2013-03-18 21:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
2013-05-15 13:41 - 2013-03-18 21:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll
2013-05-15 13:41 - 2013-02-26 22:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe
2013-05-15 13:41 - 2013-02-26 21:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2013-05-15 13:41 - 2013-02-26 21:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
2013-05-15 13:41 - 2013-02-26 21:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll
2013-05-15 13:41 - 2013-02-26 21:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll
2013-05-15 13:41 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2013-05-15 13:41 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
2013-05-15 13:41 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2013-05-10 00:44 - 2013-05-16 00:48 - 00000000 ____D C:\Users\Owner\AppData\Local\{FDDE7A0E-32BA-4968-A62D-5C91C91DC3A4}
2013-05-08 20:43 - 2013-05-08 20:43 - 00046080 ____A C:\Users\Owner\Documents\Copy of wade golf hcap may 2013.xls
2013-04-29 12:37 - 2013-05-09 12:44 - 00000000 ____D C:\Users\Owner\AppData\Local\{FCE94C1F-8C9F-484E-8F76-EBCBB5B457EB}
2013-04-25 12:35 - 2013-04-25 12:35 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Tific
2013-04-25 12:34 - 2013-04-29 00:37 - 00000000 ____D C:\Users\Owner\AppData\Local\{CE1E70FF-5E15-493F-A267-F0E7006F3DFA}
2013-04-24 02:08 - 2013-04-12 06:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-23 09:36 - 2013-04-23 09:36 - 00002046 ____A C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk

==================== One Month Modified Files and Folders =======

2013-05-20 13:06 - 2013-05-20 13:06 - 00000000 ____D C:\FRST
2013-05-20 12:03 - 2010-03-14 11:13 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-20 12:03 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-20 12:03 - 2009-07-13 20:51 - 00116603 ____A C:\Windows\setupact.log
2013-05-20 10:48 - 2010-03-26 14:13 - 00045056 ____A C:\Windows\System32\acovcnt.exe
2013-05-20 10:48 - 2009-12-17 17:52 - 01852264 ____A C:\Windows\WindowsUpdate.log
2013-05-20 10:47 - 2010-03-14 11:13 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-19 18:06 - 2012-08-06 08:47 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-18 16:36 - 2009-07-13 20:45 - 00010240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-18 16:36 - 2009-07-13 20:45 - 00010240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-18 16:32 - 2009-07-13 21:13 - 00730448 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-18 15:04 - 2009-12-17 18:14 - 00002190 ____A C:\Windows\System32\AutoRunFilter.ini
2013-05-18 15:02 - 2009-12-17 18:09 - 01044628 ____A C:\Windows\PFRO.log
2013-05-18 14:55 - 2013-05-18 14:55 - 01096080 ____A C:\ProgramData\2433f433
2013-05-18 14:55 - 2013-05-18 14:55 - 01096036 ____A C:\Users\Owner\AppData\Roaming\2433f433
2013-05-18 14:55 - 2013-05-18 14:55 - 01096018 ____A C:\Users\Owner\AppData\Local\2433f433
2013-05-18 14:55 - 2013-05-18 14:55 - 00027136 ____A C:\Users\Owner\Documents\259c64b6.exe
2013-05-18 14:52 - 2011-09-06 22:06 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Skype
2013-05-18 14:46 - 2010-11-03 21:10 - 00000000 ____D C:\Users\Owner\Documents\SafeHarbor
2013-05-17 13:48 - 2013-05-17 13:48 - 00000000 ____D C:\Users\Owner\AppData\Local\{FAF31FA2-8AD8-4B3A-9468-9345B2730063}
2013-05-17 01:48 - 2013-05-17 01:48 - 00000000 ____D C:\Users\Owner\AppData\Local\{C3E68DC7-F9DE-4AC1-94DA-5AF12DCA1B07}
2013-05-16 13:53 - 2010-12-28 12:17 - 00000000 ____D C:\Users\Owner\AppData\Local\Windows Live
2013-05-16 13:48 - 2013-05-16 13:47 - 00000000 ____D C:\Users\Owner\AppData\Local\{2A382BCA-7B38-4E33-8A4D-8A0AC8ED008D}
2013-05-16 06:33 - 2010-07-07 17:59 - 00000000 ___RD C:\Users\Owner\Documents\My Dropbox
2013-05-16 06:33 - 2010-07-07 17:56 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Dropbox
2013-05-16 06:33 - 2010-04-16 19:58 - 00000000 ____D C:\Users\Owner\Tracing
2013-05-16 03:19 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-05-16 02:42 - 2009-07-13 20:45 - 00351720 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-16 02:20 - 2009-12-17 17:49 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-05-16 02:12 - 2010-03-03 09:05 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-05-16 00:48 - 2013-05-10 00:44 - 00000000 ____D C:\Users\Owner\AppData\Local\{FDDE7A0E-32BA-4968-A62D-5C91C91DC3A4}
2013-05-14 10:05 - 2012-08-06 08:47 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-05-14 10:05 - 2011-08-14 21:13 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-05-09 12:44 - 2013-04-29 12:37 - 00000000 ____D C:\Users\Owner\AppData\Local\{FCE94C1F-8C9F-484E-8F76-EBCBB5B457EB}
2013-05-08 20:43 - 2013-05-08 20:43 - 00046080 ____A C:\Users\Owner\Documents\Copy of wade golf hcap may 2013.xls
2013-04-29 00:37 - 2013-04-25 12:34 - 00000000 ____D C:\Users\Owner\AppData\Local\{CE1E70FF-5E15-493F-A267-F0E7006F3DFA}
2013-04-25 12:35 - 2013-04-25 12:35 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Tific
2013-04-25 12:35 - 2010-03-10 02:31 - 00000000 ____D C:\Users\Owner\AppData\Local\Symantec
2013-04-24 21:24 - 2013-04-16 09:20 - 00000000 ____D C:\Users\Owner\AppData\Local\{5E9AF335-7F2A-4965-83E2-AF3BB142D68A}
2013-04-23 09:36 - 2013-04-23 09:36 - 00002046 ____A C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2013-04-23 09:35 - 2013-04-16 09:34 - 00000000 ____D C:\Program Files (x86)\McAfee Security Scan

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-4008674046-2340072865-576989462-1000\$1730a923dc455de520baeecb8e25b4b7

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$1730a923dc455de520baeecb8e25b4b7

Other Malware:
===========
C:\Users\Owner\g2mdlhlpx.exe

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-04-23 16:23:15
Restore point made on: 2013-04-25 02:00:50
Restore point made on: 2013-05-03 20:28:29
Restore point made on: 2013-05-10 23:00:36
Restore point made on: 2013-05-16 02:01:15

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 4061.09 MB
Available physical RAM: 3478.1 MB
Total Pagefile: 4059.23 MB
Available Pagefile: 3470.11 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:451.11 GB) (Free:280.08 GB) NTFS (Disk=0 Partition=2) ==>[Drive with boot components (obtained from BCD)]
Drive e: (USB DISK) (Removable) (Total:3.82 GB) (Free:3.81 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 76692CA8)
Partition 1: (Not Active) - (Size=15 GB) - (Type=1C)
Partition 2: (Active) - (Size=451 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)


Last Boot: 2013-05-13 23:38

==================== End Of Log ============================
 
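The FRST log above already calls out the ZeroAccess indicators, but the same patterns are worth recognising in any FRST log. The following Python triage helper is an added example (not FRST's own code and not part of any post in this thread): it parses the "created files" lines in the format FRST prints them (created - modified - size attributes [(Company)] path) and flags three things visible above: lines FRST itself marks with ATTENTION!, the "$" + 32-hex-character folders ZeroAccess plants under $Recycle.Bin (with the LocalSystem SID S-1-5-18 called out, since a user-level infection should never be writing there), and the same 8-hex-character file name dropped into several locations within the same minute. The sample log is trimmed from the log posted above; its first line is constructed to mirror the InprocServer32 entry that the later Fixlog restores.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) text logs.

Added example for this thread; it is not FRST's code and not part of any post.
It flags the three indicator patterns visible in the log posted above.
"""
import re
from collections import defaultdict

# "created files" line, in the format FRST prints it:
#   <created> - <modified> - <size> <attrs> [(Company)] <path>
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S+) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+)$"
)
# ZeroAccess hides its payload in a '$' + 32 hex chars folder under $Recycle.Bin
RECYCLE_RE = re.compile(
    r"^C:\\\$Recycle\.Bin\\(?P<sid>S-1-5-[\d-]+)\\\$(?P<name>[0-9a-f]{32})$", re.I
)
# 8 hex-character basenames like 2433f433 / 259c64b6.exe seen in the log
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{8}(?:\.exe)?$", re.I)
SYSTEM_SID = "S-1-5-18"  # LocalSystem: a user-level dropper should never write here

# Trimmed from the FRST log posted above; the first line is constructed to mirror
# the InprocServer32 entry that the later Fixlog restores.
SAMPLE_LOG = r"""
HKLM\...\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32: [Default] C:\$Recycle.Bin\S-1-5-18\$1730a923dc455de520baeecb8e25b4b7\n. ATTENTION! ====> ZeroAccess
2013-05-20 13:06 - 2013-05-20 13:06 - 00000000 ____D C:\FRST
2013-05-18 14:55 - 2013-05-18 14:55 - 01096080 ____A C:\ProgramData\2433f433
2013-05-18 14:55 - 2013-05-18 14:55 - 01096036 ____A C:\Users\Owner\AppData\Roaming\2433f433
2013-05-18 14:55 - 2013-05-18 14:55 - 01096018 ____A C:\Users\Owner\AppData\Local\2433f433
2013-05-18 14:55 - 2013-05-18 14:55 - 00027136 ____A C:\Users\Owner\Documents\259c64b6.exe
2013-05-16 02:02 - 2013-04-04 22:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-4008674046-2340072865-576989462-1000\$1730a923dc455de520baeecb8e25b4b7
C:\$Recycle.Bin\S-1-5-18\$1730a923dc455de520baeecb8e25b4b7
Other Malware:
C:\Users\Owner\g2mdlhlpx.exe
"""


def parse_created(text):
    """Return one dict per 'created files' line that matches CREATED_RE."""
    entries = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["basename"] = entry["path"].rsplit("\\", 1)[-1]
            entries.append(entry)
    return entries


def find_attention_lines(text):
    """Lines FRST itself has flagged (registry hijacks, known rootkit hooks)."""
    return [line.strip() for line in text.splitlines() if "ATTENTION!" in line]


def find_recycle_bin_payloads(text):
    """'$<32 hex>' folders under $Recycle.Bin, noting whether the SID is LocalSystem."""
    hits = []
    for line in text.splitlines():
        m = RECYCLE_RE.match(line.strip())
        if m:
            hits.append({"sid": m.group("sid"), "name": m.group("name"),
                         "path": line.strip(), "system_sid": m.group("sid") == SYSTEM_SID})
    return hits


def find_random_name_clusters(entries):
    """Random 8-hex-named files grouped by creation minute; a dropper writing the
    same blob to ProgramData, Roaming and Local at once shows up as one cluster."""
    groups = defaultdict(list)
    for e in entries:
        if RANDOM_NAME_RE.match(e["basename"]) and "D" not in e["attrs"]:  # skip directories
            groups[e["created"]].append(e["path"])
    return {minute: paths for minute, paths in groups.items() if len(paths) >= 2}


def triage(text):
    """Run all three checks over one FRST log and return the findings."""
    return {
        "attention": find_attention_lines(text),
        "recycle_bin_payloads": find_recycle_bin_payloads(text),
        "random_drops": find_random_name_clusters(parse_created(text)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it on a full FRST.txt by reading the file into `triage()`; the three lists it returns are exactly the entries a helper would put into a fixlist, which is what the Fixlog later in this thread shows being moved.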

kuttus

Level 2
Verified
Oct 5, 2012
2,697
kuttus said:
Now please download this file and save it to your Flash Drive.

[attachment=4558]

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log. Then attempt to boot to normal mode.


Now try these steps...
 

Attachments

  • fixlist.txt
    1 KB · Views: 93

pfeifwa

New Member
Thread author
May 20, 2013
14
Thanks Kuttus. But like before, I don't understand enough to follow your steps. How do I open FRST from the command prompt?
 

pfeifwa

New Member
Thread author
May 20, 2013
14
Kuttus, I don't know how to run the above fix. I need more detailed steps. Can you please provide?
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
You already did that 2 times...... You have to do the same steps this time...

The only difference is that you pressed Scan those 2 times... This time you need to press Fix..
 

pfeifwa

New Member
Thread author
May 20, 2013
14
Ah, ok. I may have done it. Here is the fixlog file.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-05-2013
Ran by SYSTEM at 2013-05-20 18:21:30 Run:1
Running from E:\
Boot Mode: Recovery
==============================================

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
C:\ProgramData\2433f433 => Moved successfully.
C:\Users\Owner\AppData\Roaming\2433f433 => Moved successfully.
C:\Users\Owner\AppData\Local\2433f433 => Moved successfully.
C:\Users\Owner\Documents\259c64b6.exe => Moved successfully.
C:\ProgramData\2433f433 => File/Directory not found.
C:\Users\Owner\AppData\Roaming\2433f433 => File/Directory not found.
C:\Users\Owner\AppData\Local\2433f433 => File/Directory not found.
C:\Users\Owner\Documents\259c64b6.exe => File/Directory not found.
C:\$Recycle.Bin\S-1-5-21-4008674046-2340072865-576989462-1000\$1730a923dc455de520baeecb8e25b4b7 => Moved successfully.
C:\$Recycle.Bin\S-1-5-18\$1730a923dc455de520baeecb8e25b4b7 => Moved successfully.
C:\Users\Owner\g2mdlhlpx.exe => Moved successfully.

==== End of Fixlog ====
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Now please start the computer in Normal mode and do the following steps.........

STEP 1: Run a scan with AdwCleaner

  1. Download AdwCleaner from the below link.
    ADWCLEANER DOWNLOAD LINK: http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner (This link will automatically download Security Check on your computer)
  2. Close all open programs and internet browsers.
  3. Double click on adwcleaner.exe to run the tool.
  4. Click on Delete, then confirm each time with Ok.
  5. Your computer will be rebooted automatically. A text file will open after the restart.
  6. Please post the contents of that logfile with your next reply.
  7. You can find the logfile at C:\AdwCleaner[S1].txt as well.

STEP 2: Run a scan with Junkware Removal Tool

Please download Junkware Removal Tool to your desktop from here
  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply

Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • When it prompts you to try their 30-day trial, click decline
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


 

pfeifwa

New Member
Thread author
May 20, 2013
14
Thanks. I am further along but getting a black screen now with the command prompt when I open in normal mode. I can run an Alt-Ctrl-Delete and open Task Manager etc., but not sure how to get to my normal screen?
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Now press the Ctrl + Alt + Delete keys on your keyboard.... It will show you the Task Manager. In the Task Manager click on File --> New Task. Inside the New Task window type c:\WINDOWS\explorer.exe and press OK.

Now you will get your desktop back.... Let me know after that.....
 

pfeifwa

New Member
Thread author
May 20, 2013
14
Ok, hold on. Norton says it's got an error but then launched an explorer window. I should be able to proceed.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay, cool.... Now try the above fix and the following regfix also...

STEP 1: Repair your Windows Registry from this infection's malicious changes.

This infection has changed your Windows registry settings so that when you try to start the computer it will load the infection instead of your Windows Desktop.

  1. Download the WinlogonFix.reg file to fix the malicious registry changes from this infection.
    REGISTRYFIX.REG DOWNLOAD LINK (This link will automatically download the registry fix called WinlogonFix.reg)
  2. Double-click on the WinlogonFix.reg file to run it. Click "Yes" in the Registry Editor prompt window, then click OK.
 
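The regfix above is named for the Winlogon key, but the thread does not show its contents or say which value the infection changed. As an added example (not the thread's WinlogonFix.reg and not code from any post), here is a Python check that compares the values a screen-locker of this kind usually targets, the Winlogon Shell and Userinit values and the .exe file association that the FRST log reports under EXE ASSOCIATION, against their Windows 7 defaults. The key names and default values are my assumptions, not stated in the thread; the "tampered" sample is constructed, with its path modelled on the 2433f433 file from the FRST log. Only the comparison runs offline; the live read needs Windows.

```python
"""Audit the Winlogon and .exe-association registry values a screen-locker
tampers with so that its payload, not the Desktop, loads at logon.

Added example; not the thread's WinlogonFix.reg (its contents are not shown).
The three values and their defaults are assumptions, not stated in the thread.
"""
import sys

# Expected Windows 7 defaults, keyed by a short label.
EXPECTED = {
    # HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> Shell
    "Winlogon\\Shell": "explorer.exe",
    # same key -> Userinit (the trailing comma is part of the default)
    "Winlogon\\Userinit": r"C:\Windows\system32\userinit.exe,",
    # HKLM\SOFTWARE\Classes\exefile\shell\open\command -> (Default), as FRST reports it
    "exefile\\open\\command": '"%1" %*',
}


def _norm(value):
    """Case- and whitespace-insensitive comparison form."""
    return " ".join(value.strip().lower().split())


def audit(values):
    """values maps the labels in EXPECTED to the strings actually found.
    Returns [(label, found, expected), ...] for every missing or deviating value;
    an empty list means all three are at their defaults."""
    findings = []
    for label, expected in EXPECTED.items():
        found = values.get(label)
        if found is None or _norm(found) != _norm(expected):
            findings.append((label, found, expected))
    return findings


def read_live_values():
    """Read the three values from the live registry (Windows only; reading HKLM
    needs no admin rights). Not exercised by the sample run below."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read needs Windows")
    import winreg
    hklm = winreg.HKEY_LOCAL_MACHINE
    out = {}
    with winreg.OpenKey(hklm, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as k:
        out["Winlogon\\Shell"] = winreg.QueryValueEx(k, "Shell")[0]
        out["Winlogon\\Userinit"] = winreg.QueryValueEx(k, "Userinit")[0]
    with winreg.OpenKey(hklm, r"SOFTWARE\Classes\exefile\shell\open\command") as k:
        out["exefile\\open\\command"] = winreg.QueryValueEx(k, "")[0]  # "" reads (Default)
    return out


# Constructed samples: a clean machine, and one whose Shell value has been pointed
# at a dropped payload (path modelled on the 2433f433 file from the FRST log above).
CLEAN = dict(EXPECTED)
TAMPERED = {**EXPECTED, "Winlogon\\Shell": r"C:\Users\Owner\AppData\Local\2433f433,explorer.exe"}

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, audit(sample) or "all three values at their defaults")
```

On a machine that can still reach a console, `audit(read_live_values())` gives the same before/after view the FRST EXE ASSOCIATION section does, and any non-empty result is what a fix file like WinlogonFix.reg would be written to restore.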

pfeifwa

New Member
Thread author
May 20, 2013
14
here is the file I got from running adwcleaner

# AdwCleaner v2.301 - Logfile created 05/20/2013 at 18:42:37
# Updated 16/05/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Owner - COMP
# Boot Mode : Normal
# Running from : C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PV70LA5F\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Windows\Uninstall.exe

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Software

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16576

[OK] Registry is clean.

-\\ Google Chrome v26.0.1410.64

File : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [804 octets] - [20/05/2013 18:42:37]

########## EOF - C:\AdwCleaner[S1].txt - [863 octets] ##########
 
