ICE Virus Removal

J

JSSANDERS11

New Member
Thread author
Aug 21, 2013
1
I have the ICE Virus. I cannot boot up even in any type of safe mode. I am attaching the FRST64 log below.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 21-08-2013 02
Ran by SYSTEM on 21-08-2013 21:17:42
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet002
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8306208 2009-10-20] (Realtek Semiconductor)
HKLM\...\Run: [DellStage] - C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj [207845 2011-05-30] ()
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [Dell DataSafe Online] - C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [37960 2013-05-10] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [RoxWatchTray] - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] - C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [eMagineTray] - C:\eMagine\eMagineTray.exe [421888 2003-05-29] (Patterson Dental Supply, Inc.)
HKLM-x32\...\Run: [AccuWeatherWidget] - C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj [2825741 2011-05-30] ()
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [ICF] - C:\Program Files (x86)\Internet Content Filter\mfp.exe [3296424 2012-10-13] (McAfee, Inc.)
HKLM-x32\...\Run: [mcui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [1532992 2013-03-13] (McAfee, Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKU\Boyd\...\Run: [Google Update] - [x]
HKU\Boyd\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Boyd\AppData\Local\Temp\uqbqtspsgbksqojhc.exe [51712 2013-08-21] (Valve Corporation) <===== ATTENTION
HKU\Boyd\...\RunOnce: [JavaInstallRetry] - C:\Users\Boyd\AppData\LocalLow\Sun\Java\JRERunOnce.exe [903080 2013-06-21] (Oracle Corporation)
HKU\Boyd\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Boyd\...\Command Processor: "C:\Users\Boyd\AppData\Local\Temp\uqbqtspsgbksqojhc.exe" <===== ATTENTION!

==================== Services (Whitelisted) =================

S2 mcmscsvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [384048 2013-02-25] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [241456 2013-02-19] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-02-19] (McAfee, Inc.)
S2 mfeicfcore; C:\Program Files (x86)\Internet Content Filter\mfeicfcore.exe [2760360 2012-10-13] (McAfee, Inc.)
S2 mfeicfupdate; C:\Program Files (x86)\Internet Content Filter\UpdateService.exe [2259768 2012-10-13] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-02-19] (McAfee, Inc.)

==================== Drivers (Whitelisted) ====================

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-02-19] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179280 2013-02-19] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309840 2013-02-19] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515968 2013-02-19] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340216 2013-02-19] (McAfee, Inc.)
S3 mfeapfk01; No ImagePath
S3 mfeavfk01; No ImagePath

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-08-21 19:33 - 2013-08-21 19:33 - 01097700 _____ C:\Users\Boyd\AppData\Roaming\2433f433
2013-08-21 19:33 - 2013-08-21 19:33 - 01097693 _____ C:\Users\Boyd\AppData\Local\2433f433
2013-08-21 19:33 - 2013-08-21 19:33 - 01097692 _____ C:\ProgramData\2433f433
2013-08-21 12:51 - 2013-08-21 12:51 - 00000000 ____D C:\Users\Boyd\AppData\Local\Google
2013-08-15 02:07 - 2013-07-26 00:13 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-08-15 02:07 - 2013-07-26 00:13 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-08-15 02:07 - 2013-07-26 00:13 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-08-15 02:07 - 2013-07-26 00:12 - 19239424 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 15405056 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 02647040 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-08-15 02:07 - 2013-07-25 22:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-08-15 02:07 - 2013-07-25 22:13 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-08-15 02:07 - 2013-07-25 22:13 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-08-15 02:07 - 2013-07-25 22:11 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-08-15 02:07 - 2013-07-25 22:11 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-08-15 02:07 - 2013-07-25 21:49 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-08-15 02:07 - 2013-07-25 21:39 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-08-15 02:07 - 2013-07-25 20:59 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-08-15 02:01 - 2013-08-15 02:03 - 00000000 ____D C:\Windows\System32\MRT
2013-08-14 19:03 - 2013-07-25 04:25 - 01888768 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-08-14 19:03 - 2013-07-25 03:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-08-14 19:03 - 2013-07-18 20:58 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\tzres.dll
2013-08-14 19:03 - 2013-07-18 20:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-08-14 19:03 - 2013-07-09 01:03 - 05550528 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-08-14 19:03 - 2013-07-09 00:54 - 01732032 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2013-08-14 19:03 - 2013-07-09 00:53 - 00243712 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-08-14 19:03 - 2013-07-09 00:52 - 00224256 _____ (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2013-08-14 19:03 - 2013-07-09 00:51 - 01217024 _____ (Microsoft Corporation) C:\Windows\System32\rpcrt4.dll
2013-08-14 19:03 - 2013-07-09 00:46 - 01472512 _____ (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-08-14 19:03 - 2013-07-09 00:46 - 00184320 _____ (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-08-14 19:03 - 2013-07-09 00:46 - 00139776 _____ (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-08-14 19:03 - 2013-07-09 00:03 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-08-14 19:03 - 2013-07-09 00:03 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-08-14 19:03 - 2013-07-08 23:53 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-08-14 19:03 - 2013-07-08 23:52 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2013-08-14 19:03 - 2013-07-08 23:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2013-08-14 19:03 - 2013-07-08 23:52 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-08-14 19:03 - 2013-07-08 23:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-08-14 19:03 - 2013-07-08 23:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-08-14 19:03 - 2013-07-08 23:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-08-14 19:03 - 2013-07-08 21:49 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-08-14 19:03 - 2013-07-08 21:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-08-14 19:03 - 2013-07-08 21:49 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-08-14 19:03 - 2013-07-08 21:49 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-08-14 19:03 - 2013-07-06 01:03 - 01910208 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-08-14 19:03 - 2013-06-14 23:32 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tssecsrv.sys
2013-08-04 13:44 - 2013-08-04 13:44 - 00010615 _____ C:\Users\Boyd\Documents\homeexpense.xlsx

==================== One Month Modified Files and Folders =======

2013-08-21 21:17 - 2013-08-21 21:17 - 00000000 ____D C:\FRST
2013-08-21 20:02 - 2011-07-11 15:33 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2013-08-21 20:02 - 2011-07-11 15:33 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2013-08-21 20:02 - 2011-07-11 15:15 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-08-21 20:01 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-21 20:01 - 2009-07-13 23:51 - 00064649 _____ C:\Windows\setupact.log
2013-08-21 20:00 - 2011-07-11 15:09 - 01903872 _____ C:\Windows\WindowsUpdate.log
2013-08-21 20:00 - 2009-07-13 23:45 - 00021296 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-21 20:00 - 2009-07-13 23:45 - 00021296 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-21 19:59 - 2009-07-14 00:13 - 00779266 _____ C:\Windows\System32\PerfStringBackup.INI
2013-08-21 19:33 - 2013-08-21 19:33 - 01097700 _____ C:\Users\Boyd\AppData\Roaming\2433f433
2013-08-21 19:33 - 2013-08-21 19:33 - 01097693 _____ C:\Users\Boyd\AppData\Local\2433f433
2013-08-21 19:33 - 2013-08-21 19:33 - 01097692 _____ C:\ProgramData\2433f433
2013-08-21 18:56 - 2012-07-20 18:57 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-21 12:51 - 2013-08-21 12:51 - 00000000 ____D C:\Users\Boyd\AppData\Local\Google
2013-08-20 20:37 - 2011-08-23 17:27 - 00000000 ____D C:\eMagine
2013-08-20 20:37 - 2011-07-30 12:12 - 00000468 _____ C:\Windows\BRWMARK.INI
2013-08-20 19:59 - 2013-07-02 20:31 - 00086016 _____ C:\Users\Boyd\Documents\3rd qtr payroll 2013.xls
2013-08-20 19:55 - 2013-01-10 19:22 - 00001790 _____ C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk
2013-08-20 19:55 - 2013-01-10 19:22 - 00001790 _____ C:\ProgramData\Desktop\McAfee AntiVirus Plus.lnk
2013-08-20 19:50 - 2012-07-20 18:57 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-08-20 19:50 - 2012-05-09 20:47 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-08-20 19:50 - 2012-02-24 20:32 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-08-19 19:07 - 2011-07-31 14:13 - 00000000 ____D C:\Users\Boyd\Documents\Outlook Files
2013-08-15 19:04 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2013-08-15 02:26 - 2013-01-10 14:58 - 00000000 ____D C:\Program Files (x86)\McAfee
2013-08-15 02:03 - 2013-08-15 02:01 - 00000000 ____D C:\Windows\System32\MRT
2013-08-15 02:01 - 2011-07-30 21:25 - 78161360 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-08-04 13:44 - 2013-08-04 13:44 - 00010615 _____ C:\Users\Boyd\Documents\homeexpense.xlsx
2013-07-28 14:31 - 2013-01-10 14:58 - 00000000 ____D C:\Program Files\McAfee
2013-07-28 14:31 - 2011-07-11 15:24 - 00000000 ____D C:\ProgramData\McAfee
2013-07-28 14:16 - 2010-11-20 22:47 - 00075604 _____ C:\Windows\PFRO.log
2013-07-26 00:13 - 2013-08-15 02:07 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-07-26 00:13 - 2013-08-15 02:07 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-07-26 00:13 - 2013-08-15 02:07 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-07-26 00:12 - 2013-08-15 02:07 - 19239424 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-07-26 00:12 - 2013-08-15 02:07 - 15405056 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-07-26 00:12 - 2013-08-15 02:07 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-07-26 00:12 - 2013-08-15 02:07 - 02647040 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-07-26 00:12 - 2013-08-15 02:07 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-07-26 00:12 - 2013-08-15 02:07 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-07-26 00:12 - 2013-08-15 02:07 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-07-26 00:12 - 2013-08-15 02:07 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-07-26 00:12 - 2013-08-15 02:07 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-07-26 00:12 - 2013-08-15 02:07 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-07-26 00:12 - 2013-08-15 02:07 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-07-25 22:35 - 2013-08-15 02:07 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-07-25 22:13 - 2013-08-15 02:07 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-07-25 22:13 - 2013-08-15 02:07 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-07-25 22:12 - 2013-08-15 02:07 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-07-25 22:12 - 2013-08-15 02:07 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-07-25 22:12 - 2013-08-15 02:07 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-07-25 22:12 - 2013-08-15 02:07 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-07-25 22:12 - 2013-08-15 02:07 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-07-25 22:12 - 2013-08-15 02:07 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-07-25 22:12 - 2013-08-15 02:07 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-07-25 22:12 - 2013-08-15 02:07 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-07-25 22:12 - 2013-08-15 02:07 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-07-25 22:11 - 2013-08-15 02:07 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-07-25 22:11 - 2013-08-15 02:07 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-07-25 21:49 - 2013-08-15 02:07 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-07-25 21:39 - 2013-08-15 02:07 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-07-25 20:59 - 2013-08-15 02:07 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-07-25 04:25 - 2013-08-14 19:03 - 01888768 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-07-25 03:57 - 2013-08-14 19:03 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL

Files to move or delete:
====================
C:\Users\Boyd\AppData\Local\Temp\uqbqtspsgbksqojhc.exe
ZeroAccess:
C:\Users\Boyd\AppData\Local\Google\Desktop\Install\{db74d1a3-fea3-fb4e-5f6b-9e0e827c084e}

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-07-18 20:03:34
Restore point made on: 2013-07-26 08:52:58
Restore point made on: 2013-08-03 12:39:01
Restore point made on: 2013-08-10 14:14:38
Restore point made on: 2013-08-15 02:00:58
Restore point made on: 2013-08-21 18:52:44

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 4060.98 MB
Available physical RAM: 3448.75 MB
Total Pagefile: 4059.18 MB
Available Pagefile: 3451.25 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:916.66 GB) (Free:855.91 GB) NTFS
Drive f: () (Removable) (Total:3.73 GB) (Free:3.04 GB) FAT32
Drive i: (RECOVERY) (Fixed) (Total:14.81 GB) (Free:6.78 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 932 GB) (Disk ID: 27503792)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=917 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)


LastRegBack: 2013-08-13 14:25
 

Attachments

  • FRST.txt
    21 KB · Views: 82
Fiery

Fiery

Level 1
Jan 11, 2011
2,007
Hi and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assure that ALL the tools we use are safe, the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

<hr>
Please download the attachment by right-clicking on it and select Save as

[attachment=5384]

and save it onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

AFterwards, attempt to boot normally. If successful,

Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)

Download TDSSkiller from here
  • Double-Click on TDSSKiller.exe to run the application
  • When TDSSkiller opens, click change parameters , check the box next to Loaded modules . A reboot will be required.
  • After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
    clip.jpg
  • click Start scan .
  • If a suspicious object is detected, the default action will be Skip, click on Continue. (If it saids TDL4/TDSS file system, select delete)
  • If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log after (usually C:\ folder in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt
 

Attachments

  • fixlist.txt
    780 bytes · Views: 73

Similar threads

K
  • Locked
PowerShell/MaleficAms Powershell Infection Please Help
Replies
2
Views
2,503
Windows Malware Removal Help & Support
nasdaq
nasdaq
struppigel
    • Like
    • +Reputation
    • Applause
Malware Analysis [Video] D3f@ck loader analysis from InnoSetup to JPHP
Replies
2
Views
628
Malware Analysis
Trident
Trident
J
  • Locked
I need help with a Malware Spanish logs
Replies
2
Views
2,283
Windows Malware Removal Help & Support
nasdaq
nasdaq

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top