
FBI Moneypak virus has infected safe mode



Hello there MB community!

My PC running Windows 7 64-bit has caught the nasty FBI virus, and I need some assistance removing it.

I need my computer up and running as fast as possible, so I already created logs using FRST.exe.

Thanks again!

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-03-2013 (ATTENTION: FRST version is 23 days old)

Ran by SYSTEM at 05-04-2013 22:52:53

Running from G:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-28] (Realtek Semiconductor)

HKLM\...\Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [823840 2009-09-30] (Acer Incorporated)

HKLM\...\Run: [mwlDaemon] C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe [349480 2009-09-10] (Egis Technology Inc.)

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated)

HKLM\...\Run: [PLFSetI] C:\Windows\PLFSetI.exe [200704 2010-03-01] ()

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Acer Assist Launcher] C:\Program Files (x86)\Acer\Acer Assist\launcher.exe [1261568 2007-11-19] ()

HKLM-x32\...\Run: [Driver Fetch] "C:\Program Files (x86)\Driver Fetch\2.0.0.0\DriverFetch.exe" --start-trayed [798176 2010-01-13] ()

HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [248040 2010-02-18] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-06] (Apple Inc.)

HKU\Lyndon\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe" [x]

HKU\Lyndon\...\RunOnce: [*EvtMgr6] C:\Users\Lyndon\AppData\Roaming\{112C4A02-1112-2F13-0E23-18030D01093F}.exe [404992 2013-03-29] ()

HKU\Lyndon\...\Winlogon: [Shell] Explorer.exe

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

==================== Services (Whitelisted) ===================

2 avast! Antivirus; "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" [40384 2010-02-11] (ALWIL Software)

3 avast! Mail Scanner; "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" [40384 2010-02-11] (ALWIL Software)

3 avast! Web Scanner; "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" [40384 2010-02-11] (ALWIL Software)

3 MWLService; C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe [305448 2009-09-10] (Egis Technology Inc.)

3 gusvc; "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" [x]

4 NMIndexingService; "C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe" [x]

==================== Drivers (Whitelisted) =====================

2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [22096 2010-02-11] (ALWIL Software)

2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [63568 2010-02-11] (ALWIL Software)

1 aswRdr; C:\Windows\System32\Drivers\aswRdr.sys [28752 2010-02-11] (ALWIL Software)

1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [120912 2010-02-11] (ALWIL Software)

1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [51280 2010-02-11] (ALWIL Software)

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-04-05 22:52 - 2013-04-05 22:52 - 00000000 ____D C:\FRST

2013-03-29 07:04 - 2013-03-29 07:04 - 00404992 ___SH C:\Users\Lyndon\AppData\Roaming\{112C4A02-1112-2F13-0E23-18030D01093F}.exe

2013-03-25 16:20 - 2013-02-11 20:12 - 00019968 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys

2013-03-22 12:56 - 2013-03-27 12:35 - 00000000 ___HD C:\Users\Lyndon\AppData\Roaming\865DE5BF

2013-03-22 12:56 - 2013-03-22 12:56 - 00135168 ____A (Microsoft Corporation) C:\Users\Lyndon\AppData\Roaming\KB00940466.exe

2013-03-14 13:17 - 2013-02-01 22:57 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-03-14 13:17 - 2013-02-01 22:48 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-03-14 13:17 - 2013-02-01 22:47 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2013-03-14 13:17 - 2013-02-01 22:47 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-03-14 13:17 - 2013-02-01 22:46 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-03-14 13:17 - 2013-02-01 22:43 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-03-14 13:17 - 2013-02-01 22:42 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-03-14 13:17 - 2013-02-01 22:42 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2013-03-14 13:17 - 2013-02-01 22:41 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2013-03-14 13:17 - 2013-02-01 22:40 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-03-14 13:17 - 2013-02-01 22:39 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-03-14 13:17 - 2013-02-01 22:38 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-03-14 13:17 - 2013-02-01 22:38 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-03-14 13:17 - 2013-02-01 22:34 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-03-14 13:17 - 2013-02-01 20:09 - 12321792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-03-14 13:17 - 2013-02-01 19:38 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-03-14 13:17 - 2013-02-01 19:31 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-03-14 13:17 - 2013-02-01 19:30 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2013-03-14 13:17 - 2013-02-01 19:30 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-03-14 13:17 - 2013-02-01 19:29 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2013-03-14 13:17 - 2013-02-01 19:27 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-03-14 13:17 - 2013-02-01 19:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-03-14 13:17 - 2013-02-01 19:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2013-03-14 13:17 - 2013-02-01 19:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2013-03-14 13:17 - 2013-02-01 19:25 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-03-14 13:17 - 2013-02-01 19:23 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-03-14 13:17 - 2013-02-01 19:23 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-03-14 13:17 - 2013-02-01 19:23 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2013-03-14 13:17 - 2013-02-01 19:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-03-14 13:16 - 2013-02-01 23:31 - 17815040 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-03-14 13:16 - 2013-02-01 22:58 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-03-14 13:16 - 2013-02-01 19:42 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-03-14 03:21 - 2013-03-14 03:21 - 00000000 ____D C:\Program Files\Microsoft Silverlight

2013-03-14 03:21 - 2013-03-14 03:21 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight

==================== One Month Modified Files and Folders =======

2013-04-05 22:52 - 2013-04-05 22:52 - 00000000 ____D C:\FRST

2013-04-05 19:19 - 2009-07-13 21:13 - 00818664 ____A C:\Windows\System32\PerfStringBackup.INI

2013-04-04 19:27 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-04-04 19:27 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-04-04 19:23 - 2009-11-24 21:44 - 01305090 ____A C:\Windows\WindowsUpdate.log

2013-04-04 19:20 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-04-04 19:19 - 2009-07-13 20:51 - 00134545 ____A C:\Windows\setupact.log

2013-03-29 07:04 - 2013-03-29 07:04 - 00404992 ___SH C:\Users\Lyndon\AppData\Roaming\{112C4A02-1112-2F13-0E23-18030D01093F}.exe

2013-03-27 12:35 - 2013-03-22 12:56 - 00000000 ___HD C:\Users\Lyndon\AppData\Roaming\865DE5BF

2013-03-22 12:56 - 2013-03-22 12:56 - 00135168 ____A (Microsoft Corporation) C:\Users\Lyndon\AppData\Roaming\KB00940466.exe

2013-03-17 22:23 - 2010-01-19 20:57 - 00000000 ____D C:\Users\Lyndon\Documents\LG

2013-03-16 06:13 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2013-03-14 13:25 - 2010-02-12 13:13 - 72013344 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-03-14 13:25 - 2009-11-05 23:05 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-03-14 03:21 - 2013-03-14 03:21 - 00000000 ____D C:\Program Files\Microsoft Silverlight

2013-03-14 03:21 - 2013-03-14 03:21 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-03-26 12:07:39

Restore point made on: 2013-03-26 12:19:31

==================== Memory info ===========================

Percentage of memory in use: 32%

Total physical RAM: 1788.05 MB

Available physical RAM: 1206.39 MB

Total Pagefile: 1788.05 MB

Available Pagefile: 1189.93 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (Acer) (Fixed) (Total:136.95 GB) (Free:63.48 GB) NTFS

2 Drive e: (PQSERVICE) (Fixed) (Total:12 GB) (Free:2.19 GB) NTFS

3 Drive f: (KRD10) (CDROM) (Total:0.27 GB) (Free:0 GB) CDFS

4 Drive g: (PENDRIVE) (Removable) (Total:0.95 GB) (Free:0.2 GB) FAT32

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 149 GB 0 B

Disk 1 Online 977 MB 0 B

Partitions of Disk 0:

===============

Disk ID: E2665D55

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Recovery 12 GB 31 KB

Partition 2 Primary 101 MB 12 GB

Partition 3 Primary 136 GB 12 GB

==================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 E PQSERVICE NTFS Partition 12 GB Healthy Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y SYSTEM RESE NTFS Partition 101 MB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C Acer NTFS Partition 136 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Disk ID: 00000001

Partition ### Type Size Offset

------------- ---------------- ------- -------

* Partition 1 Primary 977 MB 0 B

==================================================================================

Disk: 1

There is no partition selected.

There is no partition selected.

Please select a partition and try again.

=========================================================

============================== MBR Partition Table ==================

==============================

Partitions of Disk 0:

===============

Disk ID: E2665D55

Partition 1:

=========

Hex: 0001010027FEFFFF3F000000201F8001

Active: NO

Type: 27

Size: 12 GB

Partition 2:

=========

Hex: 80FEFFFF07FEFFFF5F1F8001CD2F0300

Active: YES

Type: 07 (NTFS)

Size: 102 MB

Partition 3:

=========

Hex: 00FEFFFF07FEFFFF2C4F830184471E11

Active: NO

Type: 07 (NTFS)

Size: 137 GB

==============================

Partitions of Disk 1:

===============

Disk ID: B0BCD68E

Partition 1:

=========

Hex: DE668F067800BEE77DAC20C07409B40E

Active: NO

Type: 78

Size: 118 GB

Partition 2:

=========

Hex: BB0700CD10EBF298CD16CD19EBFE3B2E

Active: NO

Type: 10

Size: 370 GB

Partition 3:

=========

Hex: FC7D76048B2EFC7DC3426F6F74206572

Active: NO

Type: 8B

Size: 915 GB

Partition 4:

=========

Hex: 726F720D0A0000000000082000007F00

Active: NO

Type: 0A

Size: 4 GB

Last Boot: 2013-03-25 06:53

==================== End Of Log =============================

Farbar Recovery Scan Tool (x64) Version: 13-03-2013

Ran by SYSTEM at 2013-04-05 22:58:29

Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======


  • Staff

Hello kyleashland

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"; this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the "Follow This Topic" button, make sure that the "Receive notification" box is checked and that it is set to "Instantly". This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable, and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, an external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt.

 
HKU\Lyndon\...\RunOnce: [*EvtMgr6] C:\Users\Lyndon\AppData\Roaming\{112C4A02-1112-2F13-0E23-18030D01093F}.exe [404992 2013-03-29] ()
C:\Users\Lyndon\AppData\Roaming\KB00940466.exe
C:\Users\Lyndon\AppData\Roaming\{112C4A02-1112-2F13-0E23-18030D01093F}.exe
C:\Users\Lyndon\AppData\Roaming\865DE5BF

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before but this time press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo

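The fixlist above was picked by hand from the FRST log. As an added example (not FRST's code and not part of Gringo's fix), this Python script spells out the checks a helper applies by eye to reach those three entries and runs them over lines copied from the log; the checks and their wording are this example's own, and they are triage hints, not verdicts.

```python
"""Triage heuristics for Farbar Recovery Scan Tool (FRST) log lines.

Added example: not FRST's own code and not part of the fix Gringo posted. It
parses the two FRST line shapes that carried the infection in this thread
(Registry Run/RunOnce entries and "One Month Created Files" rows) and lists,
per path, the checks a removal helper applies by eye before writing a fixlist.
Sample lines are copied from the thread's log; the checks are this example's own.
"""
import re
from datetime import date

SCAN_DATE = date(2013, 4, 5)      # "Ran by SYSTEM at 05-04-2013"
RECENT_DAYS = 14

# HKU\Lyndon\...\RunOnce: [*EvtMgr6] C:\...\{GUID}.exe [404992 2013-03-29] ()
REG_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\.\\(?P<key>Run|RunOnce|Winlogon): "
                    r"\[(?P<value>[^\]]+)\] (?P<rest>.*)$")
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"\[]+?\.exe)\b', re.I)
COMPANY_RE = re.compile(r"\((?P<company>[^()]*)\)\s*$")
# 2013-03-29 07:04 - 2013-03-29 07:04 - 00404992 ___SH C:\...\{GUID}.exe
FILE_RE = re.compile(r"^(?P<created>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} - \d{4}-\d{2}-\d{2} "
                     r"\d{2}:\d{2} - (?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
                     r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$")

USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\programdata\\", "\\users\\public\\")
SYSTEM_DIRS = ("\\windows\\", "\\program files")
GUID_EXE_RE = re.compile(r"\\\{[0-9A-F-]{36}\}\.exe$", re.I)
KB_EXE_RE = re.compile(r"\\KB\d+\.exe$", re.I)
HEX_DIR_RE = re.compile(r"\\[0-9A-F]{8}$", re.I)


def reasons_for(path, company, created, attrs="", key=""):
    """Return the checks a path trips; the number of hits is its score."""
    low = path.lower()
    is_exe = low.endswith(".exe")
    in_user_dir = any(seg in low for seg in USER_WRITABLE)
    in_system_dir = any(seg in low for seg in SYSTEM_DIRS)
    hits = []
    if in_user_dir:
        hits.append("runs from a user-writable data folder")
    if GUID_EXE_RE.search(path):
        hits.append("file name is a bare GUID")
    if KB_EXE_RE.search(path) and not in_system_dir:
        hits.append("KBnnnnnnnn.exe name outside the Windows folder")
    if is_exe and company == "":
        hits.append("no publisher / version info")
    if company and "microsoft" in company.lower() and not in_system_dir:
        hits.append("version info claims Microsoft, but file is outside system folders")
    if key == "RunOnce":
        hits.append("persists through the per-user RunOnce key")
    if in_user_dir and ("S" in attrs or "H" in attrs):
        hits.append("hidden/system attribute set on a profile path")
    if not is_exe and HEX_DIR_RE.search(path):
        hits.append("folder named like a random hex id")
    if created and (SCAN_DATE - created).days <= RECENT_DAYS:
        hits.append(f"created within {RECENT_DAYS} days of the scan")
    return hits


def triage(lines):
    """Parse FRST lines; return {path: sorted hits} for every path that trips a check."""
    findings = {}
    for line in lines:
        line = line.strip()
        reg = REG_RE.match(line)
        if reg:
            p = PATH_RE.search(reg["rest"])
            if not p:          # e.g. "[Shell] Explorer.exe" or %ProgramFiles% paths
                continue
            path = p["path"]
            co = COMPANY_RE.search(reg["rest"])
            hits = reasons_for(path, co["company"] if co else None, None, key=reg["key"])
        else:
            row = FILE_RE.match(line)
            if not row:
                continue
            path = row["path"]
            hits = reasons_for(path, row["company"] or "",
                               date.fromisoformat(row["created"]), attrs=row["attrs"])
        if hits:
            findings.setdefault(path, set()).update(hits)
    return {path: sorted(hits) for path, hits in findings.items()}


# Lines copied from the FRST log posted in the thread
SAMPLE_LINES = [
    r"HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-28] (Realtek Semiconductor)",
    r"HKLM\...\Run: [PLFSetI] C:\Windows\PLFSetI.exe [200704 2010-03-01] ()",
    r"HKU\Lyndon\...\RunOnce: [*EvtMgr6] C:\Users\Lyndon\AppData\Roaming\{112C4A02-1112-2F13-0E23-18030D01093F}.exe [404992 2013-03-29] ()",
    r"2013-03-29 07:04 - 2013-03-29 07:04 - 00404992 ___SH C:\Users\Lyndon\AppData\Roaming\{112C4A02-1112-2F13-0E23-18030D01093F}.exe",
    r"2013-03-22 12:56 - 2013-03-27 12:35 - 00000000 ___HD C:\Users\Lyndon\AppData\Roaming\865DE5BF",
    r"2013-03-22 12:56 - 2013-03-22 12:56 - 00135168 ____A (Microsoft Corporation) C:\Users\Lyndon\AppData\Roaming\KB00940466.exe",
    r"2013-03-14 03:21 - 2013-03-14 03:21 - 00000000 ____D C:\Program Files\Microsoft Silverlight",
]
```

Run as a script it returns the three paths Gringo put in the fixlist with the most hits, the legitimate Realtek and Silverlight entries with none, and the unsigned Acer helper PLFSetI.exe with a single low-value hit, which is why a human still decides what goes into the fixlist.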

I've acquired safe mode again without the virus running instantly. Thanks!

Also here is the log file:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2013

Ran by SYSTEM at 2013-04-05 23:43:08 Run:1

Running from G:\

==============================================

HKEY_USERS\Lyndon\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*EvtMgr6 Value deleted successfully.

C:\Users\Lyndon\AppData\Roaming\KB00940466.exe moved successfully.

C:\Users\Lyndon\AppData\Roaming\{112C4A02-1112-2F13-0E23-18030D01093F}.exe moved successfully.

C:\Users\Lyndon\AppData\Roaming\865DE5BF moved successfully.

==== End of Fixlog ====


  • Staff

Scan with exeHelper:

Please download exeHelper to your desktop.

  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt (it will be created in the directory where you ran exeHelper.com, and should open at the end of the scan).

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


exeHelper by Raktor

Build 20100414

Run at 00:39:01 on 04/06/13

Now searching...

Checking for numerical processes...

Checking for sysguard processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--


  • Staff

Hello kyleashland

These are the programs I would like you to run next; if you have any problems with one of them, just skip it and move on to the next one.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.

Gringo


# AdwCleaner v2.200 - Logfile created 04/06/2013 at 00:22:54

# Updated 02/04/2013 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Lyndon - LYNDON-PC

# Boot Mode : Normal

# Running from : C:\Users\Lyndon\Desktop\adwcleaner.exe

# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Program Files (x86)\Celebrity Toolbar

Folder Deleted : C:\ProgramData\Partner

Folder Deleted : C:\Users\Lyndon\AppData\LocalLow\BabylonToolbar

Folder Deleted : C:\Users\Lyndon\AppData\Roaming\Mozilla\Firefox\Profiles\sw8t6240.default\extensions\ffxtlbr@babylon.com

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6536801B-F50C-449B-9476-093DFD3789E3}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\BabylonHelper.EXE

Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL

Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr

Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1

Key Deleted : HKLM\SOFTWARE\Classes\ComObject.DeskbarEnabler

Key Deleted : HKLM\SOFTWARE\Classes\ComObject.DeskbarEnabler.1

Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EC4085F2-8DB3-45A6-AD0B-CA289F3C5D7E}

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASMANCS

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BabylonTC_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BabylonTC_RASMANCS

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BabylonToolbarsrv_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BabylonToolbarsrv_RASMANCS

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{2A42D13C-D427-4787-821B-CF6973855778}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2A42D13C-D427-4787-821B-CF6973855778}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}]

Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16470

[OK] Registry is clean.

-\\ Mozilla Firefox v3.5.7 (en-US)

File : C:\Users\Lyndon\AppData\Roaming\Mozilla\Firefox\Profiles\sw8t6240.default\prefs.js

Deleted : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");

Deleted : user_pref("browser.search.defaultenginename", "Search the web (Babylon)");

Deleted : user_pref("browser.search.defaulturl", "hxxp://search.babylon.com/web/{searchTerms}?babsrc=browserse[...]

Deleted : user_pref("browser.search.order.1", "Search the web (Babylon)");

Deleted : user_pref("browser.search.selectedEngine", "Search the web (Babylon)");

Deleted : user_pref("extensions.BabylonToolbar.bbDpng", 27);

Deleted : user_pref("extensions.BabylonToolbar.cntry", "US");

Deleted : user_pref("extensions.BabylonToolbar.hdrMd5", "57A975007CDB331BCA973DE37A0206C1");

Deleted : user_pref("extensions.BabylonToolbar.lastActv", "27");

Deleted : user_pref("extensions.BabylonToolbar.lastDP", 27);

Deleted : user_pref("keyword.URL", "hxxp://search.babylon.com/?babsrc=adbartrp&AF=17710-nodi&q=");

*************************

AdwCleaner[R1].txt - [4487 octets] - [06/04/2013 00:22:14]

AdwCleaner[S1].txt - [4362 octets] - [06/04/2013 00:22:54]

########## EOF - C:\AdwCleaner[S1].txt - [4422 octets] ##########

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Lyndon [Admin rights]

Mode : Scan -- Date : 04/06/2013 00:28:16

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK1655GSX ATA Device +++++

--- User ---

[MBR] 90352cd71cc85e91e20dcf855c307c1d

[BSP] 63abc1fbe74fb46aff103fbada22f068 : Windows 7/8 MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 12291 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 25173855 | Size: 101 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 25382700 | Size: 140232 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: MobileMate USB Device +++++

--- User ---

[MBR] bdb113fa88fffbe89c50180adecd7a6e

[BSP] 059280bb6fdb7d2be5eda5d2f16423ce : MBR Code unknown

Partition table:

0 - [XXXXXX] UNKNOWN (0x78) [VISIBLE] Offset (sectors): 3223366781 | Size: 120449 Mo

1 - [XXXXXX] UNKNOWN (0x10) [VISIBLE] Offset (sectors): 432871117 | Size: 378751 Mo

2 - [XXXXXX] UNKNOWN (0x8b) [VISIBLE] Offset (sectors): 1869562563 | Size: 937124 Mo

3 - [XXXXXX] OS/2 (0x0a) [VISIBLE] Offset (sectors): 537395200 | Size: 4064 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1]_S_04062013_02d0028.txt >>

RKreport[1]_S_04062013_02d0028.txt

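FRST (the "Hex:" lines in its MBR Partition Table) and RogueKiller (its MBR Check) both read the boot sectors of the two disks above, and a helper wants the two views to agree before trusting either. As an added example, not from either tool, this Python decoder unpacks FRST's 16-byte entries, cross-checks disk 0 against the offsets RogueKiller printed, and shows why the four "partitions" FRST listed on the 977 MB pen drive cannot be a real table; the disk-size bounds are assumptions rounded up from the diskpart lines.

```python
"""Decode the 16-byte MBR partition entries that FRST prints as "Hex:" lines.

Added example, not FRST's or RogueKiller's own code. The entry bytes are copied
from the "MBR Partition Table" section of the FRST log in the thread, and the
expected offsets from RogueKiller's "MBR Check" of the same disks. The disk
sizes are assumptions: diskpart's truncated "149 GB" and "977 MB", rounded up.
"""
import struct
from dataclasses import dataclass

SECTOR_BYTES = 512
# Partition type ids seen in the thread's logs, plus a few common ones
TYPE_NAMES = {0x07: "NTFS", 0x27: "hidden NTFS (recovery)", 0x0A: "OS/2 Boot Manager",
              0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x05: "extended", 0x83: "Linux",
              0xEE: "GPT protective"}

@dataclass
class PartitionEntry:
    boot_flag: int
    type_id: int
    start_lba: int
    sector_count: int

    @property
    def active(self):
        return self.boot_flag == 0x80

    @property
    def size_mib(self):
        # RogueKiller's "Mo" column is this floor division
        return self.sector_count * SECTOR_BYTES // (1 << 20)

def parse_entry(hex16):
    """Decode one FRST 'Hex:' value (32 hex digits) into its MBR fields."""
    raw = bytes.fromhex(hex16)
    if len(raw) != 16:
        raise ValueError("an MBR partition entry is exactly 16 bytes")
    # boot flag, CHS start, type id, CHS end, LBA start, sector count (little-endian)
    boot, _chs_start, ptype, _chs_end, start, count = struct.unpack("<B3sB3sII", raw)
    return PartitionEntry(boot, ptype, start, count)

def implausibilities(entry, disk_sectors):
    """Reasons the entry cannot be a real partition table entry; [] means plausible."""
    problems = []
    if entry.boot_flag not in (0x00, 0x80):
        problems.append(f"boot indicator 0x{entry.boot_flag:02X} is neither 0x00 nor 0x80")
    if entry.start_lba + entry.sector_count > disk_sectors:
        problems.append("extends beyond the end of the disk")
    return problems

def ascii_hint(hex16):
    """Longest printable-ASCII run in the entry; message text where a table should be is a red flag."""
    best = run = ""
    for b in bytes.fromhex(hex16):
        run = run + chr(b) if 0x20 <= b < 0x7F else ""
        best = max(best, run, key=len)
    return best

def audit(entries, disk_sectors):
    """Decode each entry and pair it with its sanity problems."""
    decoded = [parse_entry(h) for h in entries]
    return [(e, implausibilities(e, disk_sectors)) for e in decoded]

# FRST "Hex:" values for disk 0 (TOSHIBA MK1655GSX; diskpart shows 149 GB)
DISK0_ENTRIES = ["0001010027FEFFFF3F000000201F8001",
                 "80FEFFFF07FEFFFF5F1F8001CD2F0300",
                 "00FEFFFF07FEFFFF2C4F830184471E11"]
DISK0_SECTORS = 150 * (1 << 21)     # assumed 150 GiB upper bound, in 512-byte sectors
# FRST "Hex:" values for disk 1 (977 MB pen drive; RogueKiller: "MBR Code unknown")
DISK1_ENTRIES = ["DE668F067800BEE77DAC20C07409B40E",
                 "BB0700CD10EBF298CD16CD19EBFE3B2E",
                 "FC7D76048B2EFC7DC3426F6F74206572",
                 "726F720D0A0000000000082000007F00"]
DISK1_SECTORS = 978 * (1 << 11)     # assumed 978 MiB upper bound
# Offsets RogueKiller printed for PhysicalDrive0, for cross-checking
ROGUEKILLER_DISK0_OFFSETS = [63, 25173855, 25382700]

if __name__ == "__main__":
    for label, entries, size in (("disk 0", DISK0_ENTRIES, DISK0_SECTORS),
                                 ("disk 1", DISK1_ENTRIES, DISK1_SECTORS)):
        print(label)
        for e, problems in audit(entries, size):
            print(f"  {'*' if e.active else ' '} type 0x{e.type_id:02X} "
                  f"{TYPE_NAMES.get(e.type_id, 'unknown'):<22} start {e.start_lba:>11} "
                  f"sectors {e.sector_count:>11} = {e.size_mib} MiB")
            for p in problems:
                print("      ! " + p)
```

On disk 0 the three decoded entries are contiguous, match RogueKiller's offsets and sizes (12291, 101 and 140232 MiB) exactly, and the only active one is the 101 MB System Reserved partition. On the pen drive every entry fails the boot-indicator check and two of them decode to the text "Boot er" and "ror", so the bytes FRST printed are boot code rather than a partition table, which is consistent with RogueKiller's "MBR Code unknown".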

  • Staff

Hello kyleashland

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

Information and logs

In your next post I need the following:

  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo


  • Staff

Greetings

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, a reminder that it is very important that we finish the process completely so as not to get reinfected. I will let you know when we are complete, and I will then ask you to remove our tools.

Gringo


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

