
FBI Moneypack Instructions (already have



Hello, I have followed the excellent instructions provided by expert gringo_pr http://forums.malwarebytes.org/index.php?showuser=24489 for the exact same issue found here: http://forums.malwarebytes.org/index.php?showtopic=117917 Below is a copy of my log; can someone please help me with the next steps?

The machine is on Win7.

Copy of frst.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-05-2013

Ran by SYSTEM on 15-05-2013 11:02:01

Running from F:\

Windows 7 Professional (X86) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet002

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe [1314816 2009-06-22] (Analog Devices, Inc.)

HKLM\...\Run: [iAStorIcon] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)

HKLM\...\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe [147840 2010-07-21] (Wave Systems Corp.)

HKLM\...\Run: [uSCService] C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe [34232 2010-06-22] (Broadcom Corporation)

HKLM\...\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-06-24] (CyberLink Corp.)

HKLM\...\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe [49152 2007-01-19] (Wireless Service)

HKLM\...\Run: [D-Link D-Link Xtreme N Dual Band DWA-160] C:\Program Files\D-Link\D-Link Xtreme N Dual Band DWA-160\AirNCFG.exe [1679360 2008-07-11] (D-Link)

HKLM\...\Run: [DBRMTray] C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [206336 2010-05-20] (Microsoft)

HKLM\...\Run: [intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [2771832 2012-12-07] (Intuit Inc. All rights reserved.)

HKLM\...\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN [1167360 2009-08-03] (Brother Industries, Ltd.)

HKLM\...\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun [114688 2008-12-24] (Brother Industries, Ltd.)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [413696 2008-09-06] (Apple Inc.)

HKLM\...\Run: [] [x]

HKLM\...\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe" [887976 2011-08-23] (Ask)

HKLM\...\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" [1313640 2011-08-10] (Microsoft Corporation)

HKLM\...\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1821576 2011-08-01] (Microsoft Corporation)

HKLM\...\Run: [DisplaySwitch] "C:\ProgramData\DisplaySwitch.exe" [58648 2013-04-07] ()

HKLM\...\Runonce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNjM5MTg3NjM0LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMS1MSUMrMjItRkwxMCsxLVNQMSsxLVNQMVRCKzEtU1AxUzMrMS1TVUQrMS1UVUcrMy1TMUkrMS1TVTMrMS1ERFQrOTk0NS1ERDEwRisx"&"prod=90"&"ver=10.0.1392 [x]

HKLM\...\RunOnce: [DBRMTray] C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-02-04] (Microsoft)

HKLM\...\Runonce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [x]

HKLM\...\Winlogon: [shell] C:\ProgramData\DisplaySwitch.exe [x ] ()

Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll [X]

HKU\Barrington\...\Run: [Corel Photo Downloader] "c:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup [x]

Lsa: [Authentication Packages] msv1_0 wvauth

Startup: C:\ProgramData\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)

Startup: C:\ProgramData\Start Menu\Programs\Startup\TdmNotify.lnk

ShortcutTarget: TdmNotify.lnk -> C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe (Wave Systems Corp.)

Startup: C:\Users\Barrington\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk

ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

========================== Services (Whitelisted) =================

S3 jswpsapi; C:\Program Files\D-Link\D-Link Xtreme N Dual Band DWA-160\JSWUtilVst\jswpsapi.exe [954368 2008-05-19] (Atheros Communications, Inc.)

S2 N360; C:\Program Files\Norton 360 Premier Edition\Engine\20.3.0.36\diMaster.dll [551728 2013-02-06] (Symantec Corporation)

S3 SecureStorageService; C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [1032192 2010-02-03] (Wave Systems Corp.)

S2 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1273856 2008-11-12] ()

S2 TdmService; C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [1164648 2010-03-29] (Wave Systems Corp.)

==================== Drivers (Whitelisted) ====================

S3 amdkmdag; C:\Windows\System32\DRIVERS\atipmdag.sys [5281792 2010-01-13] (ATI Technologies Inc.)

S3 arusb_lh; C:\Windows\System32\DRIVERS\arusb_lh.sys [435200 2008-06-12] (Atheros Communications, Inc.)

S1 BHDrvx86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.1.22\Definitions\BASHDefs\20130322.001\BHDrvx86.sys [997464 2013-03-21] (Symantec Corporation)

S1 ccSet_N360; C:\Windows\system32\drivers\N360\1403000.024\ccSetx86.sys [134304 2012-11-15] (Symantec Corporation)

S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-08-08] (Symantec Corporation)

S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-08-08] (Symantec Corporation)

S1 IDSVix86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.1.22\Definitions\IPSDefs\20130405.001\IDSvix86.sys [386720 2013-03-01] (Symantec Corporation)

S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [162928 2011-01-19] (McAfee, Inc.)

S3 NAL; C:\Windows\system32\Drivers\iqvw32.sys [30880 2010-02-02] (Intel Corporation )

S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.1.22\Definitions\VirusDefs\20130406.008\NAVENG.SYS [93296 2013-02-28] (Symantec Corporation)

S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.1.22\Definitions\VirusDefs\20130406.008\NAVEX15.SYS [1603824 2013-02-28] (Symantec Corporation)

S0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)

S3 SRTSP; C:\Windows\System32\Drivers\N360\1403000.024\SRTSP.SYS [602712 2013-01-28] (Symantec Corporation)

S1 SRTSPX; C:\Windows\system32\drivers\N360\1403000.024\SRTSPX.SYS [32344 2013-01-28] (Symantec Corporation)

S0 SymDS; C:\Windows\System32\drivers\N360\1403000.024\SYMDS.SYS [367704 2013-01-21] (Symantec Corporation)

S0 SymEFA; C:\Windows\System32\drivers\N360\1403000.024\SYMEFA.SYS [934488 2013-01-30] (Symantec Corporation)

S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142496 2013-03-02] (Symantec Corporation)

S1 SymIRON; C:\Windows\system32\drivers\N360\1403000.024\Ironx86.SYS [175264 2012-11-15] (Symantec Corporation)

S1 SymNetS; C:\Windows\System32\Drivers\N360\1403000.024\SYMNETS.SYS [338592 2013-01-30] (Symantec Corporation)

S2 WavxDMgr; C:\Windows\System32\DRIVERS\WavxDMgr.sys [229888 2010-01-19] (Wave Systems Corp.)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-15 11:00 - 2013-05-15 11:00 - 00000000 ____D C:\FRST

==================== One Month Modified Files and Folders ========

2013-05-15 11:00 - 2013-05-15 11:00 - 00000000 ____D C:\FRST

2013-05-15 07:42 - 2009-07-13 20:39 - 00044552 ____A C:\Windows\setupact.log

Other Malware:

===========

C:\ProgramData\DisplaySwitch.exe

C:\Users\Barrington\GoToAssistDownloadHelper.exe

C:\ProgramData\dsgsdgdsgdsgw.pad

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-01-24 22:00:14

Restore point made on: 2013-01-31 22:00:15

Restore point made on: 2013-02-07 22:00:15

Restore point made on: 2013-02-14 01:00:26

Restore point made on: 2013-02-21 22:00:16

Restore point made on: 2013-03-01 22:00:13

Restore point made on: 2013-03-08 22:00:16

Restore point made on: 2013-03-14 00:00:25

Restore point made on: 2013-03-21 00:00:25

Restore point made on: 2013-03-28 21:00:17

Restore point made on: 2013-04-05 21:00:15

==================== Memory info ===========================

Percentage of memory in use: 12%

Total physical RAM: 4029.59 MB

Available physical RAM: 3514.91 MB

Total Pagefile: 4027.87 MB

Available Pagefile: 3511.49 MB

Total Virtual: 2047.88 MB

Available Virtual: 1960.7 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:290.05 GB) (Free:246.04 GB) NTFS

Drive f: (KINGSTON) (Removable) (Total:14.9 GB) (Free:14.84 GB) FAT32

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Drive y: (RECOVERY) (Fixed) (Total:7.93 GB) (Free:4.3 GB) NTFS ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 10000000)

Partition 1: (Not Active) - (Size=110 MB) - (Type=DE)

Partition 2: (Active) - (Size=8 GB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=290 GB) - (Type=07 NTFS)

========================================================

Disk: 1 (MBR Code: Windows XP) (Size: 15 GB) (Disk ID: C3072E18)

Partition 1: (Active) - (Size=15 GB) - (Type=0C)

Last Boot: 2013-04-03 21:23

==================== End Of Log ============================


OK, here you go... this should get you going:

Please download the attached fixlist.txt and copy it to your flash drive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: now please enter System Recovery Options (as you did before).

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now.

MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

