cj27
Posts posted by cj27

  1. Hi Charlie,

     

    Here is the text you requested. As I stated earlier, it's the FBI MoneyPak virus. Thank you for your help.

     

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-06-2013 01
    Ran by SYSTEM on 24-06-2013 22:44:40
    Running from F:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    Internet Explorer Version 9
    Boot Mode: Recovery
     
    The current controlset is ControlSet001
    ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
     
    ==================== Registry (Whitelisted) ==================
     
    HKLM\...\Run: []  [x]
    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10144288 2010-04-06] (Realtek Semiconductor)
    HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2107176 2010-03-11] (Synaptics Incorporated)
    HKLM\...\Run: [intelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1928976 2010-03-05] (Intel® Corporation)
    HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [505768 2010-06-29] (TOSHIBA Corporation)
    HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
    HKLM\...\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
    HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [915320 2010-05-10] (TOSHIBA Corporation)
    HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1504608 2010-04-23] (TOSHIBA Corporation)
    HKLM\...\Run: [ThpSrv] C:\windows\system32\thpsrv /logon [x]
    HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [705432 2010-05-10] (TOSHIBA Corporation)
    HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
    HKLM\...\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)
    HKLM\...\Run: [DLBTCATS] rundll32 C:\windows\system32\spool\DRIVERS\x64\3\DLBTtime.dll,RunDLLEntry [28672 2007-02-12] ()
    HKLM\...\Run: [dlbtmon.exe] "C:\Program Files (x86)\Dell Photo AIO Printer 922\dlbtmon.exe" [431600 2007-02-28] (Lexmark International, Inc.)
    HKLM\...\RunOnce: [*Restore] C:\windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
    HKLM\...\Winlogon: [shell]  [x ] () <=== ATTENTION
    HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2596984 2012-07-31] (AVG Technologies CZ, s.r.o.)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
    HKU\Chris\...\Run: [Google Update] "C:\Users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-04-06] (Google Inc.)
    HKU\Chris\...\Run: [RESTART_STICKY_NOTES] C:\windows\system32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
    HKU\Chris\...\Policies\system: [DisableChangePassword] 0
    HKU\Chris\...\Policies\system: [DisableLockWorkstation] 0
    HKU\Chris\...\Winlogon: [shell] explorer.exe,C:\Users\Chris\AppData\Roaming\skype.dat [81408 2011-11-16] () <==== ATTENTION 
    HKU\Chris\...\Command Processor: "C:\Users\Chris\AppData\Local\aezzmpqgpiy.exe" <===== ATTENTION!
    BootExecute: autocheck autochk * C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart
     
    ==================== Services (Whitelisted) =================
     
    S2 ADExchange; C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe [43112 2012-02-15] (ArcSoft Inc.)
    S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [5167736 2012-08-13] (AVG Technologies CZ, s.r.o.)
    S2 avgwd; C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
    S2 dlbt_device; C:\windows\system32\dlbtcoms.exe [567280 2007-02-28] ( )
    S2 hasplms; C:\windows\system32\hasplms.exe [4889032 2011-12-30] (SafeNet Inc.)
    S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-05] ()
    S3 w7Svc; C:\Program Files (x86)\webcam 7\wService.exe [5094200 2012-03-26] (Moonware Studios)
     
    ==================== Drivers (Whitelisted) ====================
     
    S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [124496 2011-12-23] (AVG Technologies CZ, s.r.o. )
    S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
    S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )
    S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [291680 2012-07-26] (AVG Technologies CZ, s.r.o.)
    S1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
    S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)
    S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [384352 2012-08-24] (AVG Technologies CZ, s.r.o.)
    S3 camdrv42; C:\Windows\System32\DRIVERS\camdrv42.sys [1533952 2007-04-23] ()
    S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-05-19] (DT Soft Ltd)
    S2 hardlock; C:\windows\system32\drivers\hardlock.sys [321536 2011-09-28] (SafeNet Inc.)
    S3 Sockblkd; C:\Program Files\Extegrity\Exam4\Sockblkd.sys [6784 2011-09-27] (DataWizard Technologies, Inc.)
    S3 Sockblkd; C:\Program Files\Extegrity\Exam4\Sockblkd.sys [6784 2011-09-27] (DataWizard Technologies, Inc.)
     
    ==================== NetSvcs (Whitelisted) ===================
     
     
    ==================== One Month Created Files and Folders ========
     
    2013-06-24 22:44 - 2013-06-24 22:44 - 00000000 ____D C:\FRST
     
    ==================== One Month Modified Files and Folders =======
     
    2013-06-24 22:44 - 2013-06-24 22:44 - 00000000 ____D C:\FRST
    2013-06-24 22:07 - 2012-04-10 20:40 - 00000000 ____D C:\Users\Chris\AppData\Roaming\vlc
    2013-06-24 22:07 - 2012-04-07 10:25 - 00000000 ____D C:\Users\Chris\AppData\Roaming\uTorrent
    2013-06-24 22:07 - 2012-04-07 00:09 - 00000000 ____D C:\Windows\System32\Drivers\AVG
    2013-06-24 22:07 - 2012-04-06 16:01 - 00000000 ____D C:\users\Chris
    2013-06-24 22:07 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
    2013-06-24 22:06 - 2012-08-20 19:27 - 00000000 ____D C:\Program Files\Dl_cats
    2013-06-24 22:06 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
    2013-06-24 22:05 - 2012-04-24 14:10 - 00000000 ____D C:\Windows\System32\Macromed
    2013-06-24 22:05 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
     
    Files to move or delete:
    ====================
    C:\ProgramData\lsass.exe
    C:\Users\Chris\AppData\Roaming\skype.dat
    C:\Users\Chris\AppData\Roaming\skype.ini
    C:\ProgramData\23lldnur.pad
    C:\ProgramData\dsgsdgdsgdsgw.pad
     
    ==================== Known DLLs (Whitelisted) ================
     
     
    ==================== Bamital & volsnap Check =================
     
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
     
    ==================== EXE ASSOCIATION =====================
     
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
     
    ==================== Restore Points  =========================
     
    Restore point made on: 2012-12-04 21:05:48
    Restore point made on: 2012-12-11 23:39:41
    Restore point made on: 2012-12-16 23:30:35
     
    ==================== Memory info =========================== 
     
    Percentage of memory in use: 15%
    Total physical RAM: 3824.43 MB
    Available physical RAM: 3242.43 MB
    Total Pagefile: 3822.57 MB
    Available Pagefile: 3220.99 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.85 MB
     
    ==================== Drives ================================
     
    Drive c: (TI105967W0B) (Fixed) (Total:454.39 GB) (Free:61.06 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]
    Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)]
    Drive f: () (Removable) (Total:0.94 GB) (Free:0.93 GB) FAT (Disk=1 Partition=1)
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
     
    ==================== MBR & Partition Table ==================
     
    ========================================================
    Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: 3400B8E8)
    Partition 1: (Active) - (Size=1 GB) - (Type=27)
    Partition 2: (Not Active) - (Size=454 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=10 GB) - (Type=17)
     
    ========================================================
    Disk: 1 (Size: 966 MB) (Disk ID: B422EBC8)
    Partition 1: (Not Active) - (Size=966 MB) - (Type=06)
     
     
    LastRegBack: 2012-12-05 20:19
     
    ==================== End Of Log ============================