
FBI Moneypak virus infected safe mode will not boot after password



Welcome to the forum, here's how we deal with that malware:

  1. Please download Farbar Recovery Scan Tool and save it to a flash drive.
    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
    Plug the flash drive into the infected PC.
  2. If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
    If you are using Vista or Windows 7 enter System Recovery Options.
    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

  3. On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
    Select Command Prompt. Once in the Command Prompt:
  4. In the command window type in notepad and press Enter.
  5. The notepad opens. Under the File menu select Open.
  6. Select "Computer", find your flash drive letter and close the notepad.
  7. In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  8. The tool will start to run.
  9. When the tool opens click Yes to the disclaimer.
  10. Press the Scan button.
  11. It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

MrC


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 30-04-2013 01

Ran by SYSTEM on 01-05-2013 12:28:11

Running from F:\

Windows 7 Ultimate (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet003

==================== Registry (Whitelisted) ==================

HKLM\...\RunOnce: [*Restore] C:\Windows\System32\rstrui.exe /runonce [296960 2010-11-20] (Microsoft Corporation)

HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1127496 2013-04-04] (Malwarebytes Corporation)

HKLM\...\Winlogon: [shell] regsvr32 /n /i /s "C:\Users\administrator.LACASA\AppData\Local\wfcsfrqf.noi" [x ] ()

HKU\Administrator.george\...\Run: [ROC_JAN2013_TB] "C:\Program Files (x86)\AVG Secure Search\ROC_JAN2013_TB.exe" /PROMPT /CMPID=JAN2013_TB [x]

HKU\Administrator.george\...\Run: [ROC_PAID_JAN2013_TB] "C:\Program Files (x86)\AVG Secure Search\ROC_PAID_JAN2013_TB.exe" /PROMPT /CMPID=PAID_JAN2013_TB [x]

HKU\administrator.lacasa\...\Run: [AdobeBridge] [x]

HKU\gloyola\...\Run: [ROC_JAN2013_TB] "C:\Program Files (x86)\AVG Secure Search\ROC_JAN2013_TB.exe" /PROMPT /CMPID=JAN2013_TB [x]

HKU\gloyola\...\Run: [ROC_PAID_JAN2013_TB] "C:\Program Files (x86)\AVG Secure Search\ROC_PAID_JAN2013_TB.exe" /PROMPT /CMPID=PAID_JAN2013_TB [x]

HKU\LogMeInRemoteUser\...\Run: [ROC_JAN2013_TB] "C:\Program Files (x86)\AVG Secure Search\ROC_JAN2013_TB.exe" /PROMPT /CMPID=JAN2013_TB [x]

HKU\LogMeInRemoteUser\...\Run: [ROC_PAID_JAN2013_TB] "C:\Program Files (x86)\AVG Secure Search\ROC_PAID_JAN2013_TB.exe" /PROMPT /CMPID=PAID_JAN2013_TB [x]

==================== Services (Whitelisted) =================

S4 AdvancedSystemCareService6; C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe [465216 2013-01-15] (IObit)

S4 ekrn; C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [1333424 2012-12-21] (ESET)

S4 FreeSSHDService; C:\Program Files (x86)\freeSSHd\FreeSSHDService.exe [1360072 2009-09-09] ()

S4 IMFservice; C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe [821592 2012-01-09] (IObit)

S4 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [375728 2012-11-06] (LogMeIn, Inc.)

S4 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [147888 2012-11-06] (LogMeIn, Inc.)

S4 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2010-11-08] (LogMeIn, Inc.)

S4 Markit WSO Batch Service; C:\Program Files (x86)\Markit\WSO Batch\WSO.Batch.Services.Windows.exe [8704 2011-04-12] (Markit WSO Corporation)

S4 Markit WSO Core Service; C:\Program Files (x86)\Markit\WSO Tools\WSO.Core.Services.Windows.exe [9728 2011-04-18] (Markit WSO Corporation)

S4 Markit WSO Notification Service; C:\Program Files (x86)\Markit\WSO Notification Services\WSO.NotificationService.Host.exe [9216 2011-03-10] (Markit WSO Corporation)

S4 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)

S4 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)

S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)

S4 MSSQL$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [61916000 2011-04-23] (Microsoft Corporation)

S4 MSSQL$UKSQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10_50.UKSQLEXPRESS\MSSQL\Binn\sqlservr.exe [61913952 2010-04-03] (Microsoft Corporation)

S4 NasPmService; C:\Program Files (x86)\BUFFALO\NASNAVI\nassvc.exe [251760 2012-03-29] (BUFFALO INC.)

S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)

S4 NitroDriverReadSpool2; C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe [216072 2012-09-05] (Nitro PDF Software)

S4 NMIndexingService; C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe [537896 2008-06-24] (Nero AG)

S4 ReportServer$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSRS10_50.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2175328 2011-04-23] (Microsoft Corporation)

S4 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390672 2012-09-11] ()

S4 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

S4 SQLAgent$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [428384 2011-04-23] (Microsoft Corporation)

S4 SQLAgent$UKSQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10_50.UKSQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [428384 2010-04-03] (Microsoft Corporation)

S4 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)

S4 MSSQLFDLauncher$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\fdlauncher.exe" -s MSSQL10_50.SQLEXPRESS [x]

==================== Drivers (Whitelisted) ====================

S3 appliand; C:\Windows\System32\DRIVERS\appliand.sys [33888 2011-06-25] (Applian Technologies Inc.)

S3 appliandMP; C:\Windows\System32\DRIVERS\appliand.sys [33888 2011-06-25] (Applian Technologies Inc.)

S2 cpuz135; C:\Windows\system32\drivers\cpuz135_x64.sys [21992 2011-09-21] (CPUID)

S1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [213416 2012-12-21] (ESET)

S1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [150616 2012-12-21] (ESET)

S2 epfw; C:\Windows\System32\DRIVERS\epfw.sys [190232 2012-12-21] (ESET)

S1 EpfwLWF; C:\Windows\System32\DRIVERS\EpfwLWF.sys [59440 2012-12-21] (ESET)

S0 epfwwfp; C:\Windows\System32\DRIVERS\epfwwfp.sys [57904 2012-12-21] (ESET)

S3 FileMonitor; C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys [21384 2012-01-05] (IObit)

S3 KeyScrambler; C:\Windows\System32\drivers\keyscrambler.sys [222904 2011-12-14] (QFX Software Corporation)

S2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [15928 2010-09-17] (LogMeIn, Inc.)

S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)

S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)

S3 MSI_MSIBIOS_010507; C:\Program Files (x86)\MSI\Live Update 5\msibios64_100507.sys [33592 2010-05-10] (Your Corporation)

S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)

S3 NTIOLib_1_0_4; C:\Program Files (x86)\MSI\Live Update 5\NTIOLib_X64.sys [14136 2010-10-22] (MSI)

S3 NTIOLib_1_0_8; C:\PROGRA~1\MSI\MSIWDev\NTIOLib_X64.sys [11888 2011-01-27] (MSI)

S3 radpms; C:\Windows\System32\DRIVERS\radpms.sys [14944 2010-12-08] (LogMeIn, Inc.)

S3 RegFilter; C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys [33224 2012-07-05] (IObit.com)

S3 UrlFilter; C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys [21904 2012-07-05] (IObit.com)

S3 WsAudio_Device; C:\Windows\System32\drivers\VirtualAudio.sys [31080 2012-11-20] (Wondershare)

S3 cpudrv64; No ImagePath

S1 ElbyCDIO; System32\Drivers\ElbyCDIO.sys [x]

S4 LMIRfsClientNP; No ImagePath

S3 MsibiosDevice; No ImagePath

S2 npf; system32\drivers\npf.sys [x]

S0 SmartDefragDriver; System32\Drivers\SmartDefragDriver.sys [x]

S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [x]

S3 tsusbhub; system32\drivers\tsusbhub.sys [x]

S3 VGPU; System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-01 12:27 - 2013-05-01 12:27 - 00000000 ____D C:\FRST

2013-04-30 16:11 - 2013-04-30 16:11 - 00000020 __ASH C:\Users\dog\ntuser.ini

2013-04-30 16:11 - 2013-04-30 16:11 - 00000000 ____D C:\users\dog

2013-04-30 16:11 - 2013-01-14 19:06 - 00000000 ____D C:\Users\dog\AppData\Roaming\IObit

2013-04-30 16:11 - 2012-10-13 13:59 - 00000000 ____D C:\Users\dog\AppData\Roaming\TuneUp Software

2013-04-30 16:11 - 2011-06-14 18:45 - 00000000 ____D C:\Users\dog\Documents\Visual Studio 2005

2013-04-30 16:11 - 2011-03-16 19:28 - 00086480 ____A C:\Users\dog\AppData\Local\GDIPFONTCACHEV1.DAT

2013-04-30 16:11 - 2011-03-16 19:27 - 00000000 ____D C:\Users\dog\Documents\Visual Studio 2008

2013-04-30 16:11 - 2011-03-16 19:27 - 00000000 ____D C:\Users\dog\AppData\Local\Microsoft Help

2013-04-30 16:11 - 2011-03-13 06:43 - 00000000 ____D C:\Users\dog\AppData\Roaming\Macromedia

2013-04-30 16:08 - 2013-04-30 18:29 - 00003258 ____A C:\Windows\PFRO.log

2013-04-30 16:03 - 2013-04-30 16:03 - 00000000 ____D C:\New folder

2013-04-30 07:02 - 2013-04-30 07:03 - 00000004 ____A C:\Users\administrator\AppData\Roaming\skype.ini

2013-04-30 07:02 - 2013-04-30 07:03 - 00000004 ____A C:\Users\administrator.lacasa\Application Data\skype.ini

2013-04-30 06:52 - 2013-04-30 06:52 - 00124928 ____A (Lotum GmbH) C:\Users\administrator.lacasa\notepad.exe

2013-04-30 06:52 - 2013-04-30 06:52 - 00000000 ____A C:\Users\administrator.lacasa\teamviewer.exe

2013-04-30 06:52 - 2013-04-30 06:52 - 00000000 ____A C:\Users\administrator.lacasa\flashplayer.exe

2013-04-30 06:52 - 2013-04-30 06:52 - 00000000 ____A C:\Users\administrator.lacasa\acrobatreader.exe

2013-04-29 10:02 - 2013-04-29 10:03 - 227836060 ____A C:\Users\administrator.lacasa\Documents\Image.nrg

2013-04-27 20:57 - 2013-04-27 20:57 - 00000000 ____D C:\Users\administrator.lacasa\Downloads\rockin body

2013-04-27 20:43 - 2013-04-27 20:43 - 00000000 ____D C:\Users\administrator.lacasa\Downloads\Shaun T's Rockin' Body

2013-04-27 20:36 - 2013-04-27 21:42 - 00000000 ____D C:\Users\administrator.lacasa\Downloads\Beachbody - Rockin' Body

2013-04-27 16:18 - 2013-04-30 16:26 - 00000784 ____A C:\Windows\setupact.log

2013-04-27 16:18 - 2013-04-27 16:18 - 00000000 ____A C:\Windows\setuperr.log

2013-04-27 08:28 - 2013-04-27 08:28 - 00004540 ____A C:\Users\administrator.lacasa\Desktop\cc_20130427_112815.reg

2013-04-27 08:28 - 2013-04-27 08:28 - 00000434 ____A C:\Users\administrator.lacasa\Desktop\cc_20130427_112845.reg

2013-04-23 19:12 - 2013-04-12 06:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

2013-04-18 18:02 - 2013-04-18 18:02 - 00000000 ____D C:\Users\administrator.lacasa\Desktop\nircmd-x64

2013-04-18 13:52 - 2013-04-18 13:52 - 00001147 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-04-18 13:44 - 2013-04-18 13:44 - 00000000 ____D C:\Users\administrator.lacasa\Downloads\Security Task Manager 1.8d+Serial

2013-04-16 06:53 - 2013-04-22 19:30 - 00000116 ____A C:\Users\administrator.lacasa\Desktop\SPF record.txt

2013-04-10 08:26 - 2013-02-21 22:57 - 17817088 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-04-10 08:26 - 2013-02-21 22:29 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-04-10 08:26 - 2013-02-21 22:27 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-04-10 08:26 - 2013-02-21 22:21 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-04-10 08:26 - 2013-02-21 22:20 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-04-10 08:26 - 2013-02-21 22:19 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2013-04-10 08:26 - 2013-02-21 22:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-04-10 08:26 - 2013-02-21 22:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-04-10 08:26 - 2013-02-21 22:15 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-04-10 08:26 - 2013-02-21 22:15 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2013-04-10 08:26 - 2013-02-21 22:15 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2013-04-10 08:26 - 2013-02-21 22:14 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-04-10 08:26 - 2013-02-21 22:13 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-04-10 08:26 - 2013-02-21 22:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-04-10 08:26 - 2013-02-21 22:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-04-10 08:26 - 2013-02-21 22:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-04-10 08:26 - 2013-02-21 20:05 - 12324352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-04-10 08:26 - 2013-02-21 19:47 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-04-10 08:26 - 2013-02-21 19:46 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-04-10 08:26 - 2013-02-21 19:38 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-04-10 08:26 - 2013-02-21 19:38 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-04-10 08:26 - 2013-02-21 19:37 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2013-04-10 08:26 - 2013-02-21 19:36 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2013-04-10 08:26 - 2013-02-21 19:35 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-04-10 08:26 - 2013-02-21 19:34 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-04-10 08:26 - 2013-02-21 19:34 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2013-04-10 08:26 - 2013-02-21 19:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2013-04-10 08:26 - 2013-02-21 19:33 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-04-10 08:26 - 2013-02-21 19:32 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-04-10 08:26 - 2013-02-21 19:31 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-04-10 08:26 - 2013-02-21 19:31 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2013-04-10 08:26 - 2013-02-21 19:28 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-04-10 05:13 - 2013-03-18 22:04 - 05550424 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2013-04-10 05:13 - 2013-03-18 21:46 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll

2013-04-10 05:13 - 2013-03-18 21:04 - 03968856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

2013-04-10 05:13 - 2013-03-18 21:04 - 03913560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

2013-04-10 05:13 - 2013-03-18 20:47 - 00006656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll

2013-04-10 05:13 - 2013-03-18 19:06 - 00112640 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe

2013-04-10 05:13 - 2013-02-28 19:36 - 03153408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-04-10 05:13 - 2013-01-23 22:01 - 00223752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fvevol.sys

2013-04-07 12:59 - 2013-04-07 12:59 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_point64_01011.Wdf

2013-04-07 12:58 - 2013-04-07 12:58 - 00000000 ____D C:\Program Files\Microsoft Mouse and Keyboard Center

2013-04-04 05:09 - 2010-07-27 21:15 - 03144336 ____A C:\Users\administrator.lacasa\Desktop\PFConfig 1.0.295 Setup.exe

2013-04-03 08:21 - 2013-04-07 12:58 - 00000000 ____D C:\Program Files (x86)\SpeedFan

2013-04-03 08:21 - 2013-04-03 08:21 - 00001045 ____A C:\Users\LogMeInRemoteUser\Desktop\SpeedFan.lnk

2013-04-03 08:21 - 2013-04-03 08:21 - 00001045 ____A C:\Users\gloyola\Desktop\SpeedFan.lnk

2013-04-03 08:21 - 2013-04-03 08:21 - 00001045 ____A C:\Users\administrator.lacasa\Desktop\SpeedFan.lnk

2013-04-03 08:21 - 2013-04-03 08:21 - 00001045 ____A C:\Users\Administrator.george\Desktop\SpeedFan.lnk

2013-04-03 08:21 - 2013-04-03 08:21 - 00000045 ____A C:\Windows\SysWOW64\initdebug.nfo

==================== One Month Modified Files and Folders =======

2013-05-01 12:27 - 2013-05-01 12:27 - 00000000 ____D C:\FRST

2013-05-01 08:26 - 2011-03-12 06:17 - 01625272 ____A C:\Windows\WindowsUpdate.log

2013-04-30 19:01 - 2009-07-13 20:45 - 00021680 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-04-30 19:01 - 2009-07-13 20:45 - 00021680 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-04-30 18:39 - 2013-02-22 07:53 - 00000000 ____D C:\Windows\pss

2013-04-30 18:29 - 2013-04-30 16:08 - 00003258 ____A C:\Windows\PFRO.log

2013-04-30 16:27 - 2013-01-30 19:16 - 00000354 ____A C:\Windows\Tasks\ROC_PAID_JAN2013_TB_rmv.job

2013-04-30 16:27 - 2013-01-24 14:55 - 00000354 ____A C:\Windows\Tasks\ROC_JAN2013_TB_rmv.job

2013-04-30 16:26 - 2013-04-27 16:18 - 00000784 ____A C:\Windows\setupact.log

2013-04-30 16:26 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-04-30 16:11 - 2013-04-30 16:11 - 00000020 __ASH C:\Users\dog\ntuser.ini

2013-04-30 16:11 - 2013-04-30 16:11 - 00000000 ____D C:\users\dog

2013-04-30 16:03 - 2013-04-30 16:03 - 00000000 ____D C:\New folder

2013-04-30 15:56 - 2013-01-16 13:32 - 00000000 ___AD C:\ProgramData\TEMP

2013-04-30 11:45 - 2012-03-30 03:32 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-04-30 07:03 - 2013-04-30 07:02 - 00000004 ____A C:\Users\administrator\AppData\Roaming\skype.ini

2013-04-30 07:03 - 2013-04-30 07:02 - 00000004 ____A C:\Users\administrator.lacasa\Application Data\skype.ini

2013-04-30 07:03 - 2013-02-22 08:23 - 00000000 ____D C:\Users\administrator.lacasa\AppData\Roaming\DMCache

2013-04-30 06:52 - 2013-04-30 06:52 - 00124928 ____A (Lotum GmbH) C:\Users\administrator.lacasa\notepad.exe

2013-04-30 06:52 - 2013-04-30 06:52 - 00000000 ____A C:\Users\administrator.lacasa\teamviewer.exe

2013-04-30 06:52 - 2013-04-30 06:52 - 00000000 ____A C:\Users\administrator.lacasa\flashplayer.exe

2013-04-30 06:52 - 2013-04-30 06:52 - 00000000 ____A C:\Users\administrator.lacasa\acrobatreader.exe

2013-04-30 06:52 - 2011-03-12 17:26 - 00000000 ____D C:\users\administrator.lacasa

2013-04-29 19:35 - 2012-07-11 17:34 - 00012297 ____A C:\Users\administrator.lacasa\Desktop\RDC Manager.rdg

2013-04-29 10:03 - 2013-04-29 10:02 - 227836060 ____A C:\Users\administrator.lacasa\Documents\Image.nrg

2013-04-29 09:48 - 2012-07-13 10:25 - 00000000 ____D C:\Program Files (x86)\TorrentSearch

2013-04-29 09:48 - 2012-07-13 10:24 - 00000000 ____D C:\Program Files (x86)\intellidownload

2013-04-28 21:59 - 2013-02-22 08:23 - 00000000 ____D C:\Users\administrator.lacasa\Downloads\Compressed

2013-04-28 14:29 - 2011-04-30 19:02 - 00000000 ____D C:\Users\administrator.lacasa\AppData\Roaming\vlc

2013-04-28 14:25 - 2013-02-26 09:01 - 00000000 ____D C:\ProgramData\xml_param

2013-04-28 14:03 - 2013-02-26 08:42 - 00000000 ____D C:\Users\administrator.lacasa\Downloads\Video

2013-04-28 13:13 - 2013-01-27 13:58 - 00000000 ____D C:\ProgramData\Wondershare Video Converter Ultimate

2013-04-28 13:05 - 2011-03-14 16:45 - 00000069 ____A C:\Windows\NeroDigital.ini

2013-04-28 11:21 - 2013-02-22 08:17 - 00000000 ____D C:\Users\administrator.lacasa\AppData\Roaming\vso

2013-04-28 08:19 - 2013-02-22 08:23 - 00000000 ____D C:\Users\administrator.lacasa\AppData\Roaming\IDM

2013-04-27 21:46 - 2011-04-01 19:50 - 00000000 ___HD C:\Users\administrator.lacasa\AppData\Roaming\BitTorrent

2013-04-27 21:42 - 2013-04-27 20:36 - 00000000 ____D C:\Users\administrator.lacasa\Downloads\Beachbody - Rockin' Body

2013-04-27 20:57 - 2013-04-27 20:57 - 00000000 ____D C:\Users\administrator.lacasa\Downloads\rockin body

2013-04-27 20:43 - 2013-04-27 20:43 - 00000000 ____D C:\Users\administrator.lacasa\Downloads\Shaun T's Rockin' Body

2013-04-27 16:18 - 2013-04-27 16:18 - 00000000 ____A C:\Windows\setuperr.log

2013-04-27 08:31 - 2013-03-01 09:17 - 00000000 ____D C:\Users\administrator.lacasa\Desktop\UndeleteFiles

2013-04-27 08:28 - 2013-04-27 08:28 - 00004540 ____A C:\Users\administrator.lacasa\Desktop\cc_20130427_112815.reg

2013-04-27 08:28 - 2013-04-27 08:28 - 00000434 ____A C:\Users\administrator.lacasa\Desktop\cc_20130427_112845.reg

2013-04-27 08:26 - 2013-02-10 08:34 - 00000000 ____D C:\Users\administrator.lacasa\AppData\Local\CrashDumps

2013-04-25 08:50 - 2012-11-20 22:30 - 00000000 ____D C:\Program Files (x86)\Simple Port Forwarding

2013-04-24 17:55 - 2012-09-09 08:31 - 00000000 ____D C:\Users\administrator.lacasa\Desktop\RESUMES 2012

2013-04-24 12:26 - 2011-03-12 20:31 - 00000000 ____D C:\ProgramData\Adobe

2013-04-24 12:25 - 2011-03-12 20:06 - 00000000 ____D C:\Users\administrator.lacasa\AppData\Roaming\Adobe

2013-04-23 18:55 - 2011-04-02 07:29 - 00000000 ___HD C:\Users\administrator.lacasa\Desktop\TRAINING

2013-04-23 18:32 - 2011-03-13 13:46 - 00000071 ____A C:\Users\administrator.lacasa\AppData\Roaming\default.pls

2013-04-23 17:53 - 2013-01-27 14:12 - 00000000 ____D C:\Users\administrator.lacasa\AppData\Roaming\AVS4YOU

2013-04-23 08:48 - 2012-12-23 21:01 - 00000000 ____D C:\Users\administrator.lacasa\Downloads\TEST

2013-04-23 08:48 - 2012-12-21 08:03 - 00000000 ____D C:\Users\administrator.lacasa\Downloads\TO DELETE

2013-04-22 19:30 - 2013-04-16 06:53 - 00000116 ____A C:\Users\administrator.lacasa\Desktop\SPF record.txt

2013-04-18 18:02 - 2013-04-18 18:02 - 00000000 ____D C:\Users\administrator.lacasa\Desktop\nircmd-x64

2013-04-18 16:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF

2013-04-18 13:52 - 2013-04-18 13:52 - 00001147 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-04-18 13:52 - 2012-05-14 11:06 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-04-18 13:44 - 2013-04-18 13:44 - 00000000 ____D C:\Users\administrator.lacasa\Downloads\Security Task Manager 1.8d+Serial

2013-04-18 13:27 - 2011-04-01 19:51 - 00000000 ____D C:\Program Files (x86)\BitTorrent

2013-04-18 11:19 - 2013-03-01 18:03 - 00000000 ____D C:\Users\administrator.lacasa\Desktop\a

2013-04-12 21:21 - 2011-06-06 17:33 - 00000000 ____D C:\BGINFO

2013-04-12 06:45 - 2013-04-23 19:12 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

2013-04-10 21:34 - 2012-03-30 03:32 - 00691592 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-04-10 21:34 - 2011-05-17 04:10 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-04-10 10:50 - 2009-07-13 20:45 - 04978608 ____A C:\Windows\System32\FNTCACHE.DAT

2013-04-10 08:29 - 2011-03-12 17:51 - 72702784 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-04-10 08:28 - 2011-03-15 16:18 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-04-07 12:59 - 2013-04-07 12:59 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_point64_01011.Wdf

2013-04-07 12:58 - 2013-04-07 12:58 - 00000000 ____D C:\Program Files\Microsoft Mouse and Keyboard Center

2013-04-07 12:58 - 2013-04-03 08:21 - 00000000 ____D C:\Program Files (x86)\SpeedFan

2013-04-07 12:54 - 2011-03-13 10:52 - 00007613 ___AH C:\Users\administrator.lacasa\AppData\Local\Resmon.ResmonCfg

2013-04-06 08:42 - 2012-11-01 11:21 - 00000000 ____D C:\Users\administrator.lacasa\Downloads\TECHNICAL SOFTWARE

2013-04-04 11:50 - 2012-12-15 12:11 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2013-04-03 08:21 - 2013-04-03 08:21 - 00001045 ____A C:\Users\LogMeInRemoteUser\Desktop\SpeedFan.lnk

2013-04-03 08:21 - 2013-04-03 08:21 - 00001045 ____A C:\Users\gloyola\Desktop\SpeedFan.lnk

2013-04-03 08:21 - 2013-04-03 08:21 - 00001045 ____A C:\Users\administrator.lacasa\Desktop\SpeedFan.lnk

2013-04-03 08:21 - 2013-04-03 08:21 - 00001045 ____A C:\Users\Administrator.george\Desktop\SpeedFan.lnk

2013-04-03 08:21 - 2013-04-03 08:21 - 00000045 ____A C:\Windows\SysWOW64\initdebug.nfo

2013-04-02 02:34 - 2011-03-12 16:54 - 00282744 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

ZeroAccess:

C:\Windows\Installer\{130d9a8c-7e38-3c96-77d0-543647b9b223}

C:\Windows\Installer\{130d9a8c-7e38-3c96-77d0-543647b9b223}\L

ZeroAccess:

C:\Users\administrator.lacasa\AppData\Local\{130d9a8c-7e38-3c96-77d0-543647b9b223}

C:\Users\administrator.lacasa\AppData\Local\{130d9a8c-7e38-3c96-77d0-543647b9b223}\L

C:\Users\administrator.lacasa\AppData\Local\{130d9a8c-7e38-3c96-77d0-543647b9b223}\U

Other Malware:

===========

C:\Users\administrator\AppData\Roaming\skype.ini

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-04-18 06:05:33

Restore point made on: 2013-04-21 14:24:58

Restore point made on: 2013-04-22 05:28:04

Restore point made on: 2013-04-23 09:00:21

Restore point made on: 2013-04-24 05:23:04

Restore point made on: 2013-04-27 07:50:57

Restore point made on: 2013-04-27 08:18:32

Restore point made on: 2013-04-28 20:07:19

Restore point made on: 2013-04-29 04:34:03

Restore point made on: 2013-04-30 07:52:25

Restore point made on: 2013-04-30 15:44:03

Restore point made on: 2013-04-30 15:44:05

Restore point made on: 2013-04-30 15:44:05

Restore point made on: 2013-04-30 15:44:06

Restore point made on: 2013-04-30 15:44:09

Restore point made on: 2013-04-30 15:44:10

Restore point made on: 2013-04-30 15:44:11

==================== Memory info ===========================

Percentage of memory in use: 10%

Total physical RAM: 8191.18 MB

Available physical RAM: 7295.64 MB

Total Pagefile: 8189.33 MB

Available Pagefile: 7291.13 MB

Total Virtual: 8192 MB

Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:931.4 GB) (Free:209.8 GB) NTFS (Disk=0 Partition=2)

Drive f: () (Removable) (Total:14.98 GB) (Free:14.98 GB) FAT32 (Disk=1 Partition=1)

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 931 GB 13 MB

Disk 1 Online 15 GB 0 B

Partitions of Disk 0:

===============

Disk ID: 4367A08E

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 931 GB 101 MB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 931 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Disk ID: D09C564A

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 14 GB 1144 KB

==================================================================================

Disk: 1

Partition 1

Type : 0B

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F FAT32 Removable 14 GB Healthy

=========================================================

============================== MBR & Partition Table ==================

====================================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 4367A08E)

Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)

Partition 2: (Not Active) - (Size=931 GB) - (Type=07 NTFS)

====================================================================

Disk: 1 (Size: 15 GB) (Disk ID: D09C564A)

Partition 1: (Not Active) - (Size=15 GB) - (Type=0B)

Last Boot: 2013-02-02 22:46

==================== End Of Log ============================


Sorry MrC, please see my reply above. Thanks


Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

OK, here you go......this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now.

MrC


Thanks for this fix. I was able to log in successfully. Is there anything else that I should do? I am planning on running a full virus and malware scan, and re-installing in the next week. In the meantime I can save information I need.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-04-2013 01

Ran by SYSTEM at 2013-05-01 13:15:18 Run:1

Running from F:\

Boot Mode: Recovery

==============================================

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value was restored successfully.

C:\Users\administrator.LACASA\AppData\Local\wfcsfrqf.noi => File not found.

C:\Users\administrator\AppData\Roaming\skype.ini => Moved successfully.

C:\Users\administrator.lacasa\Application Data\skype.ini => File not found.

C:\Users\administrator.lacasa\notepad.exe => Moved successfully.

C:\Users\administrator.lacasa\teamviewer.exe => Moved successfully.

C:\Users\administrator.lacasa\flashplayer.exe => Moved successfully.

C:\Users\administrator.lacasa\acrobatreader.exe => Moved successfully.

C:\Windows\Installer\{130d9a8c-7e38-3c96-77d0-543647b9b223} => Moved successfully.

C:\Users\administrator.lacasa\AppData\Local\{130d9a8c-7e38-3c96-77d0-543647b9b223} => Moved successfully.

==== End of Fixlog ====


We can run a couple of scans:

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

P2P Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

MrC


RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Administrator [Admin rights]

Mode : Scan -- Date : 05/01/2013 14:15:31

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤

[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{8C970729-AB4C-44E3-9543-6F3D0BE8ADD3} : NameServer (192.168.1.2,12.127.16.67,12.127.17.71) -> FOUND

[DNS] HKLM\[...]\ControlSet003\Services\Tcpip\Interfaces\{8C970729-AB4C-44E3-9543-6F3D0BE8ADD3} : NameServer (192.168.1.2,12.127.16.67,12.127.17.71) -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\Command Processor : AutoRun (regsvr32 /n /i /s "C:\Users\administrator.LACASA\AppData\Local\wfcsfrqf.noi") -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++

--- User ---

[MBR] 5b5a75bef52e825b2d8d5f9a85ee0ff6

[BSP] 6cd63e6c4c60b0cb9de50f6f251f3914 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953753 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_05012013_02d1415.txt >>


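The RogueKiller report above lumps three different kinds of finding under one "Registry Entries" heading: resolver addresses per interface, UAC policy values set to 0, and a Command Processor AutoRun value that launches regsvr32 on a file under AppData\Local every time cmd.exe starts. The script below is an added triage example (editor's code, not part of this thread and not RogueKiller's own code) that parses lines in the report format shown and sorts them so the persistence entry is separated from settings that only need verifying or restoring. The sample lines are copied from the report above; the secure UAC values, the category names and the recommended actions are the editor's assumptions, not output from the tool.

```python
"""Triage of RogueKiller 'Registry Entries' lines (added example, editor's code).

Parses the "[TAG] key : name (data) -> FOUND" lines seen in the report above and
classifies each one so a persistence entry is not handled like a settings finding.
"""
import re
from collections import Counter
from ipaddress import ip_address
from typing import Dict, List

# Constructed sample: the distinct kinds of line from the posted report.
SAMPLE_REPORT = r"""
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{8C970729-AB4C-44E3-9543-6F3D0BE8ADD3} : NameServer (192.168.1.2,12.127.16.67,12.127.17.71) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKCU\[...]\Command Processor : AutoRun (regsvr32 /n /i /s "C:\Users\administrator.LACASA\AppData\Local\wfcsfrqf.noi") -> FOUND
"""

LINE_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<key>.+?)\s+:\s+(?P<name>\S+)\s+\((?P<data>.*)\)\s+->\s+FOUND$"
)

# Assumed secure values: EnableLUA=1 turns UAC on; ConsentPromptBehaviorAdmin=0 means
# silent elevation, and 5 (prompt for non-Windows binaries) is the Windows 7 default.
UAC_EXPECTED = {"EnableLUA": "1", "ConsentPromptBehaviorAdmin": "5"}


def parse_report(text: str) -> List[Dict[str, str]]:
    """Return one dict per registry finding; lines in any other format are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry: Dict[str, str]) -> Dict[str, object]:
    """Attach a category and a recommended action (editor's choices) to a finding."""
    tag, key, name, data = entry["tag"], entry["key"], entry["name"], entry["data"]
    result: Dict[str, object] = dict(entry)

    if tag == "DNS" and name == "NameServer":
        addrs = [a.strip() for a in data.split(",") if a.strip()]
        # A private resolver is normally the local router; public ones must be
        # confirmed against the ISP before they are treated as a hijack.
        result["public"] = [a for a in addrs if not ip_address(a).is_private]
        result["category"] = "resolver"
        result["action"] = "verify public resolvers with the ISP; do not delete blindly"
    elif tag == "HJ" and name in UAC_EXPECTED:
        disabled = data.strip() == "0"
        result["category"] = "uac_disabled" if disabled else "uac_ok"
        result["action"] = (f"set {name} back to {UAC_EXPECTED[name]}" if disabled
                            else "no change")
    elif tag == "HJ" and name == "AutoRun" and key.endswith("Command Processor"):
        # Command Processor\AutoRun is run by every cmd.exe started without /d.
        # regsvr32 /n /i /s <file> calls the file's DllInstall without registering
        # it, so the odd extension does not matter: the file is loaded as a DLL.
        quoted = re.search(r'"([^"]+)"', data)
        result["payload"] = quoted.group(1) if quoted else None
        result["category"] = "persistence"
        result["action"] = "delete the value and collect the payload for analysis"
    elif tag == "HJ DESK":
        # HideDesktopIcons\NewStartPanel <GUID> = 1 hides that desktop icon.
        # Cosmetic; restore to 0 once the cleanup is done.
        result["category"] = "desktop_icon_hidden"
        result["action"] = "set back to 0 once cleanup is done"
    else:
        result["category"] = "other"
        result["action"] = "review manually"
    return result


def triage(text: str) -> List[Dict[str, object]]:
    """Parse and classify every registry finding in a report."""
    return [classify(e) for e in parse_report(text)]


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per category; 'persistence' is the one to act on first."""
    return dict(Counter(str(f["category"]) for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_REPORT)
    for h in hits:
        print(f"{h['category']:<20} {h['name']:<28} {h['action']}")
    print(summarize(hits))
```

Run against the sample, the only "persistence" hit is the AutoRun value, which matches the single entry selected for deletion in the next post; the UAC and resolver lines come out as settings to restore or verify rather than things to delete, and the later Security Check output ("UAC is disabled!") shows why the UAC entries are worth following up separately.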

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[HJ] HKCU\[...]\Command Processor : AutoRun (regsvr32 /n /i /s "C:\Users\administrator.LACASA\AppData\Local\wfcsfrqf.noi") -> FOUND

Now click Delete on the right hand column under Options

-------------

Next:

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

[image: more-reply-options.jpg]

New window that comes up.

[image: choose-files1.jpg]

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that your system is now functioning normally.

MrC


We can run ComboFix, check for adware and check your security:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Looks Good......Next:

Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.

AdwCleaner is a tool that deletes :

· Adwares (software ads)

· PUP/LPI (Potentially Undesirable Program)

· Toolbars

· Hijacker (Hijack of the browser's homepage)

It works with a Search and Deletion method. It can be easily uninstalled using the "Uninstall" mode.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- denotes the number of times the application has been run, so in this case it should be something like R1.

Note:

Please look over what was found......especially any folders, we're going to permanently delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain why it shouldn't be on your system.

If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

Please note that Antivir Webguard uses ASK Toolbar as part of its web security. If you remove ASK by using Adwcleaner, Antivir Webguard will no longer work properly. Therefore, if you use this program please use the instructions below to access the options screen where you should enable /DisableAskDetections before using AdwCleaner.

You can click on the question mark (?) in the upper left corner of the program and then click on Options. You will then be presented with a dialog where you can disable various detections. These options are described below:

/DisableAskDetection - This option disables Ask Toolbar detection.

MrC


Here you go. I looked through the log; there is nothing I need to keep. Thanks

# AdwCleaner v2.300 - Logfile created 05/05/2013 at 12:57:32

# Updated 28/04/2013 by Xplode

# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)

# User : Administrator - GEORGE

# Boot Mode : Normal

# Running from : C:\Users\administrator.lacasa\Desktop\adwcleaner.exe

# Option [search]

***** [Services] *****

***** [Files / Folders] *****

File Found : C:\END

File Found : C:\Windows\SysWOW64\conduitEngine.tmp

Folder Found : C:\Program Files (x86)\Conduit

Folder Found : C:\Program Files (x86)\Red Sky

Folder Found : C:\ProgramData\Tarma Installer

***** [Registry] *****

Key Found : HKCU\Software\1ClickDownload

Key Found : HKCU\Software\APN PIP

Key Found : HKCU\Software\AppDataLow\Software\AskToolbar

Key Found : HKCU\Software\AppDataLow\Software\Conduit

Key Found : HKCU\Software\AppDataLow\Software\Fun Web Products

Key Found : HKCU\Software\AppDataLow\Software\FunWebProducts

Key Found : HKCU\Software\AppDataLow\Software\PriceGong

Key Found : HKCU\Software\Ask.com

Key Found : HKCU\Software\InstallCore

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A26ABCF0-1C8F-46E7-A67C-0489DC21B9CC}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}

Key Found : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}

Key Found : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}

Key Found : HKLM\SOFTWARE\Classes\FCSBLGeneralPV.BreakageFees

Key Found : HKLM\SOFTWARE\Classes\FCSBLTradeData.BLTradeBuy

Key Found : HKLM\SOFTWARE\Classes\FCSBLTradeData.BLTradeBuys

Key Found : HKLM\SOFTWARE\Classes\FCSBLTradeData.BLTradeSell

Key Found : HKLM\SOFTWARE\Classes\FCSBLTradeData.BLTradeSells

Key Found : HKLM\SOFTWARE\Classes\FCSBLTradeData.BLTranBuy

Key Found : HKLM\SOFTWARE\Classes\FCSBLTradeData.BLTranBuys

Key Found : HKLM\SOFTWARE\Classes\FCSBLTradeData.BLTranSell

Key Found : HKLM\SOFTWARE\Classes\FCSBLTradeData.BLTranSells

Key Found : HKLM\SOFTWARE\Classes\FCSBLTradeData.ClearParInfo

Key Found : HKLM\SOFTWARE\Classes\FCSBLTradeData.ClearParTradeInfo

Key Found : HKLM\SOFTWARE\Classes\FCSBLTradeWiz.BuySettleRV

Key Found : HKLM\SOFTWARE\Classes\FCSBLTradeWiz.BuySettleTL

Key Found : HKLM\SOFTWARE\Classes\FCSBLTradeWiz.EconomicBenefit

Key Found : HKLM\SOFTWARE\Classes\FCSBLTradeWiz.RevolverIncrease

Key Found : HKLM\SOFTWARE\Classes\FCSBLTradeWiz.SellSettleRV

Key Found : HKLM\SOFTWARE\Classes\FCSBLTradeWiz.SellSettleTL

Key Found : HKLM\SOFTWARE\Classes\FCSBLTradeWiz.TermLoanIncrease

Key Found : HKLM\SOFTWARE\Classes\FCSBondTradesPV.TradeTicket

Key Found : HKLM\SOFTWARE\Classes\FCSBondUtilities.BondCouponDataSet

Key Found : HKLM\SOFTWARE\Classes\FCSBondWiz.ABSClaimback

Key Found : HKLM\SOFTWARE\Classes\FCSBondWiz.ABSPaymentWizard

Key Found : HKLM\SOFTWARE\Classes\FCSBondWiz.CDSPayment

Key Found : HKLM\SOFTWARE\Classes\FCSBondWiz.CDSSettlement

Key Found : HKLM\SOFTWARE\Classes\FCSBondWiz.ReceiveCoupon

Key Found : HKLM\SOFTWARE\Classes\FCSBondWiz.ReceiveCouponAll

Key Found : HKLM\SOFTWARE\Classes\FCSBondWiz.RedeemBond

Key Found : HKLM\SOFTWARE\Classes\FCSBOUtilities.ContractChecker

Key Found : HKLM\SOFTWARE\Classes\FCSBOUtilities.ContractLinker

Key Found : HKLM\SOFTWARE\Classes\FCSBOUtilities.ObjectMerge

Key Found : HKLM\SOFTWARE\Classes\FCSBOUtilities.ObjectMove

Key Found : HKLM\SOFTWARE\Classes\FCSBOUtilities.PortfolioChanger

Key Found : HKLM\SOFTWARE\Classes\FCSBOUtilities.PositionRollback

Key Found : HKLM\SOFTWARE\Classes\FCSBOUtilities.PrimeRateChange

Key Found : HKLM\SOFTWARE\Classes\FCSBOUtilities.SequenceUpdate

Key Found : HKLM\SOFTWARE\Classes\oneclick

Key Found : HKLM\SOFTWARE\Classes\oneclickmg

Key Found : HKLM\Software\Conduit

Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{A26ABCF0-1C8F-46E7-A67C-0489DC21B9CC}

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\WajamUpdater_RASAPI32

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\WajamUpdater_RASAPI32

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\WajamUpdater_RASMANCS

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\WajamUpdater_RASMANCS

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{08858AF6-42AD-4914-95D2-AC3AB0DC8E28}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

Key Found : HKLM\Software\PIP

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jbpkiefagocgkmemidfngdkamloieekf

Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc

Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\pmlghpafmmnmmkjdhacccolfgnkiboco

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{154D339E-CCAA-49A5-9B38-6878AD4220BC}

Key Found : HKLM\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}

Key Found : HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}

Key Found : HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}

Key Found : HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}

Key Found : HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}

Key Found : HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}

Key Found : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}

Key Found : HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}

Key Found : HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}

Key Found : HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}

Key Found : HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}

Key Found : HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}

Key Found : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}

Key Found : HKLM\SOFTWARE\Classes\Interface\{CA17D76B-F91D-4659-A7FD-A9F7ED375CDD}

Key Found : HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}

Key Found : HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}

Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{154D339E-CCAA-49A5-9B38-6878AD4220BC}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16537

[HKCU\Software\Microsoft\Internet Explorer\Search - Default_Search_URL] = hxxp://www.searchamong.com/searchview.php?query={searchTerms}&cat=webs&bar=true

-\\ Mozilla Firefox v20.0.1 (en-US)

-\\ Google Chrome v [unable to get version]

*************************

AdwCleaner[R1].txt - [7397 octets] - [05/05/2013 12:57:32]

########## EOF - C:\AdwCleaner[R1].txt - [7457 octets] ##########


Lots of adware found....let's clear it out.....

  1. Please re-run AdwCleaner
  2. Click on Delete button.
  3. Confirm each time with OK if asked.
  4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

Then......

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!

MrC


The AdwCleaner looks much better. Following are the two results:

# AdwCleaner v2.300 - Logfile created 05/05/2013 at 13:21:40

# Updated 28/04/2013 by Xplode

# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)

# User : Administrator - GEORGE

# Boot Mode : Normal

# Running from : C:\Users\administrator.lacasa\Desktop\adwcleaner.exe

# Option [search]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16537

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

-\\ Google Chrome v [unable to get version]

*************************

AdwCleaner[R1].txt - [7490 octets] - [05/05/2013 12:57:32]

AdwCleaner[R2].txt - [7550 octets] - [05/05/2013 13:11:24]

AdwCleaner[R3].txt - [739 octets] - [05/05/2013 13:21:40]

AdwCleaner[S1].txt - [7695 octets] - [05/05/2013 13:11:43]

########## EOF - C:\AdwCleaner[R3].txt - [858 octets] ##########

Results of screen317's Security Check version 0.99.63

Windows 7 Service Pack 1 x64 (UAC is disabled!)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.75.0.1300

AVS Registry Cleaner version 2.2

Adobe Flash Player 11.7.700.169

Adobe Reader XI

Mozilla Firefox (20.0.1)

````````Process Check: objlist.exe by Laurent````````

ESET NOD32 Antivirus egui.exe

ESET NOD32 Antivirus ekrn.exe

Spybot Teatimer.exe is disabled!

IObit IObit Malware Fighter IMFsrv.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:

````````````````````End of Log``````````````````````


It all looks good.......

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

[image: cf2.jpg]

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

If you used DeFogger to disable your CD Emulation drivers, please re-enable them.

-------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassociates.com/OT-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click Uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
