
FBI Moneypac infection



I have a machine infected by the moneypac. I have tried malwarebytes from the safemode command prompt. I have tried Kaspersky Recovery. Downloaded frst64 and here is the frst.txt. Can anyone help?

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-05-2013

Ran by Susan (administrator) on 15-05-2013 20:10:28

Running from E:\

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Safe Mode (minimal)

==================== Processes (Whitelisted) =================

(iolo technologies, LLC) C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe

(Microsoft Corporation) C:\Windows\system32\cmd.exe

(Farbar) E:\FRST64.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [305664 2009-01-22] (Alps Electric Co., Ltd.)

HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [444416 2009-06-28] (IDT, Inc.)

HKLM\...\Run: [broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe [4968960 2009-07-16] (Dell Inc.)

HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3180624 2009-07-02] (Dell Inc.)

HKLM\...\Run: [iAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)

HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [213856 2012-07-25] (Trend Micro Inc.)

HKLM\...\Run: [Trend Micro Titanium] "C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" -set Silent "1" SplashURL "" [1374864 2012-07-25] (Trend Micro Inc.)

HKLM-x32\...\RunOnce: [*EvtMgr32] C:\Windows\{34184A35-0401-272E-2D29-0C04050EC131}.exe [316416 2013-05-14] (Intuwave Ltd.)

HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)

HKLM\...\Winlogon: [shell] C:\Windows\{34184A35-0401-272E-2D29-0C04050EC131}.exe [316416 2013-05-14] (Intuwave Ltd.)

Winlogon\Notify\GoToAssist:

HKCU\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-11-29] (Google Inc.)

HKCU\...\RunOnce: [*EvtMgr32] C:\Windows\{34184A35-0401-272E-2D29-0C04050EC131}.exe [316416 2013-05-14] (Intuwave Ltd.)

HKLM-x32\...\RunOnce: [*EvtMgr32] C:\Windows\{34184A35-0401-272E-2D29-0C04050EC131}.exe [316416 2013-05-14] (Intuwave Ltd.)

HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)

HKCU\...\Winlogon: [shell] C:\Windows\{34184A35-0401-272E-2D29-0C04050EC131}.exe [316416 2013-05-14] (Intuwave Ltd.) <==== ATTENTION

HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-06-24] (CyberLink Corp.)

HKLM-x32\...\Run: [DellComms] "C:\Program Files (x86)\Dell\DellComms\bin\sprtcmd.exe" /P DellComms [206064 2009-05-05] (SupportSoft, Inc.)

HKLM-x32\...\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2009-05-21] (SupportSoft, Inc.)

HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3147384 2012-12-11] (AVG Technologies CZ, s.r.o.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [151952 2012-11-29] (Apple Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)

HKLM-x32\...\Run: [intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [996616 2009-08-30] (Intuit Inc. All rights reserved.)

HKU\Jamie\...\RunOnce: [*EvtMgr32] C:\Windows\{34184A35-0401-272E-2D29-0C04050EC131}.exe [316416 2013-05-14] (Intuwave Ltd.)

Startup: C:\ProgramData\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)

Startup: C:\Users\Jamie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk

ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

BootExecute: .???0{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB26868272???2User-Agent: Mozilla/3.0 (compatible; Indy Library)???0No dangerous or unnecessary startup items found.e???0{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2686827g???2C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\???1C:\Program Files (x86)\Dell\DellDock\DellDock.exe program.???McCHSvc.exe is a component of McAfee Security Scan, which is software that scans the computer to determine if security software is installed and, if not, suggest McAfee products. This program can be installed separately, but is more commonly packaged with other applications such as Adobe Flash Player. This file provides online connectivity for the program.autocheck smrgdf C:\Users\Susan\AppData\Roaming\iolo\x entry ADS_3_~1.JS in index $I30 of file 144927 is incorrect.Repairing C:\ - Index entry ADS_3_~1.JS in index $I30 of file 144927 is incorrect.Repairing C:\ - Index entry ADS_3_~1.JS in index $I30 of file 144927 is incorrect.Repairing C:\ - Index entry ADS_3_~1.JS in index $I30 of file 144927 is incorrect.Repairing C:\ - Index entry ADS_3_~1.JS in index $I30 of file 144927 is incorrect.Repairing C:\ - Index entry ADS_3_~1.JS in index $I30 of file 144927 is incorrect.281886 index entries processed.Index verification completed.Errors found. CHKDSK cannot continue in read-only mode.

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank

URLSearchHook: (No Name) - {26842a09-ffa8-4e2c-ae12-0c80f01c3295} - No File

SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKLM-x32 - {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=UXxdm011YYus&ptnrS=UXxdm011YYus&si=maps4pc&ptb=ED15A128-56EA-477B-852B-3EF39AEAF72E&ind=2012040419&n=77ed4ce3&psa=&st=sb&searchfor={searchTerms}

HKCU SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKCU - {4E944813-A06B-4D5F-84D2-8BB8B4D7F2C9} URL =

SearchScopes: HKCU - {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=UXxdm011YYus&ptnrS=UXxdm011YYus&si=maps4pc&ptb=ED15A128-56EA-477B-852B-3EF39AEAF72E&ind=2012040419&n=77ed4ce3&psa=&st=sb&searchfor={searchTerms}

BHO: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.5.1331\6.8.1094\TmIEPlg.dll (Trend Micro Inc.)

BHO: No Name - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)

BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO: TmBpIeBHO Class - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1125\7.5.1125\TmBpIe64.dll (Trend Micro Inc.)

BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

BHO-x32: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.5.1331\6.8.1094\TmIEPlg32.dll (Trend Micro Inc.)

BHO-x32: No Name - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO-x32: TmBpIeBHO Class - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1125\7.5.1125\TmBpIe32.dll (Trend Micro Inc.)

Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File

PDF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

PDF: HKLM-x32 {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

PDF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - No File

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - No File

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - No File

Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1125\7.5.1125\TmBpIe64.dll (Trend Micro Inc.)

Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.5.1331\6.8.1094\TmIEPlg.dll (Trend Micro Inc.)

Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - No File

Handler-x32: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files (x86)\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)

Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - No File

Handler-x32: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files (x86)\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)

Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\\SysWOW64\mscoree.dll (Microsoft Corporation)

Handler-x32: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1125\7.5.1125\TmBpIe32.dll (Trend Micro Inc.)

Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.5.1331\6.8.1094\TmIEPlg32.dll (Trend Micro Inc.)

Handler-x32: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll (Trend Micro Inc.)

Winsock: Catalog5 07 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [65024] (Microsoft Corporation)

Winsock: Catalog5-x64 07 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)

Chrome:

=======

CHR HomePage: hxxp://www.google.com

CHR RestoreOnStartup: "hxxp://www.google.com"

CHR DefaultSearchURL: (Google) - {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}

CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}

CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.172\gcswf32.dll No File

CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)

CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)

CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)

CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)

CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)

CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)

CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)

CHR Plugin: (Java Deployment Toolkit 6.0.260.3) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll No File

CHR Plugin: (Java Platform SE 6 U26) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File

CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)

CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.0.51204.0\npctrl.dll No File

CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll No File

CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)

CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)

CHR Plugin: (Chrome NaCl) - C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.172\ppGoogleNaClPluginChrome.dll No File

CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.172\pdf.dll No File

CHR Plugin: (AVG Internet Security) - C:\Users\Susan\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2161_0\plugins/avgnpss.dll No File

CHR Plugin: (Picasa) - C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)

CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File

CHR Plugin: (MindSpark Toolbar Platform Plugin Stub) - C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\NP39Stub.dll (MindSpark)

CHR Plugin: (Windows Live\u0099 Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()

CHR Plugin: (Default Plug-in) - default_plugin No File

CHR Extension: (TrendMicro BEP Extension) - C:\Users\Susan\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmiabdepfhhiieiipmeecdmeljggmfee\7.5.0.1125_0

==================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [5814904 2012-11-16] (AVG Technologies CZ, s.r.o.)

S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)

R2 ioloSystemService; C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [1070080 2013-03-17] (iolo technologies, LLC)

S4 MapsGalaxy_39Service; C:\PROGRA~2\MAPSGA~2\bar\1.bin\39barsvc.exe [42504 2012-04-04] (COMPANYVERS_NAME)

S4 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [227232 2010-09-03] (McAfee, Inc.)

S4 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe [240128 2009-06-28] (IDT, Inc.)

S4 wltrysvc; C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe [3417088 2009-07-16] (Dell Inc.)

S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad [x]

==================== Drivers (Whitelisted) ====================

S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [154464 2012-10-22] (AVG Technologies CZ, s.r.o. )

R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [63328 2012-10-15] (AVG Technologies CZ, s.r.o. )

S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [185696 2012-10-02] (AVG Technologies CZ, s.r.o.)

R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [225120 2012-09-21] (AVG Technologies CZ, s.r.o.)

R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [111968 2012-11-16] (AVG Technologies CZ, s.r.o.)

R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [40800 2012-09-14] (AVG Technologies CZ, s.r.o.)

S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [200032 2012-09-21] (AVG Technologies CZ, s.r.o.)

S1 ElRawDisk; C:\Windows\system32\drivers\ElRawDsk.sys [30752 2012-07-26] (EldoS Corporation)

S1 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [106000 2012-07-12] (Trend Micro Inc.)

R0 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [173504 2012-07-12] (Trend Micro Inc.)

R0 TMEBC; C:\Windows\System32\DRIVERS\TMEBC64.sys [46392 2012-09-10] (Trend Micro Inc.)

S1 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [76672 2012-07-12] (Trend Micro Inc.)

S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [105744 2012-05-02] (Trend Micro Inc.)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

Error(0) reading file: "C:\Windows\System32\ "

2013-05-15 20:10 - 2013-05-15 20:10 - 00000000 ____D C:\FRST

2013-05-15 17:38 - 2013-05-15 17:42 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-05-15 17:17 - 2013-05-14 11:54 - 00316416 ___SH (Intuwave Ltd.) C:\Windows\{34184A35-0401-272E-2D29-0C04050EC131}.exe

2013-05-15 17:09 - 2013-05-15 17:09 - 00000020 ___SH C:\Users\Jamie\ntuser.ini

2013-05-15 17:09 - 2013-05-15 17:09 - 00000000 ____D C:\users\Jamie

2013-05-15 17:09 - 2012-12-08 01:21 - 00000000 ____D C:\Users\Jamie\AppData\Local\Microsoft Help

2013-05-15 17:09 - 2012-10-13 10:33 - 00000000 ____D C:\Users\Jamie\AppData\Roaming\TuneUp Software

2013-05-15 17:09 - 2010-11-29 13:43 - 00000000 ____D C:\Users\Jamie\AppData\Roaming\Macromedia

2013-05-15 17:09 - 2010-03-07 09:49 - 00000000 ____D C:\Users\Jamie\AppData\Local\SoftThinks

2013-04-27 10:46 - 2013-04-27 11:59 - 00000000 ____D C:\Users\Susan\AppData\Roaming\TeamViewer

2013-04-27 10:45 - 2013-04-27 10:45 - 00001164 ____A C:\Users\Public\Desktop\TeamViewer 7.lnk

2013-04-27 10:44 - 2013-04-27 10:44 - 00000000 ____D C:\Program Files (x86)\TeamViewer

2013-04-24 11:19 - 2013-04-12 09:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

2013-04-19 01:10 - 2013-04-19 01:10 - 00000000 ____A C:\Windows\DCEBOOT.LOG

2013-04-19 01:08 - 2013-04-19 01:09 - 00022064 ____A C:\Windows\DCEBoot64.exe

==================== One Month Modified Files and Folders =======

2013-05-15 20:10 - 2013-05-15 20:10 - 00000000 ____D C:\FRST

2013-05-15 19:44 - 2010-11-29 13:42 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-05-15 19:43 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-15 19:43 - 2009-07-13 23:51 - 00129540 ____A C:\Windows\setupact.log

2013-05-15 18:48 - 2012-07-17 17:15 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-05-15 18:48 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-05-15 18:48 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-05-15 18:47 - 2009-07-14 00:13 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI

2013-05-15 18:44 - 2009-07-14 00:10 - 01732388 ____A C:\Windows\WindowsUpdate.log

2013-05-15 17:42 - 2013-05-15 17:38 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-05-15 17:42 - 2010-07-12 08:19 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-05-15 17:09 - 2013-05-15 17:09 - 00000020 ___SH C:\Users\Jamie\ntuser.ini

2013-05-15 17:09 - 2013-05-15 17:09 - 00000000 ____D C:\users\Jamie

2013-05-14 12:01 - 2010-11-29 13:42 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-05-14 11:56 - 2010-03-07 11:12 - 00779930 ____A C:\Windows\PFRO.log

2013-05-14 11:54 - 2013-05-15 17:17 - 00316416 ___SH (Intuwave Ltd.) C:\Windows\{34184A35-0401-272E-2D29-0C04050EC131}.exe

2013-05-14 09:09 - 2010-07-08 13:32 - 00000000 ____D C:\Users\Susan\AppData\Local\SoftThinks

2013-05-14 09:09 - 2010-07-08 13:32 - 00000000 ____D C:\users\Susan

2013-05-12 19:41 - 2013-04-14 12:43 - 00589824 ___RA C:\Users\Susan\Documents\Harland Medical Systems9.QBW.TLG

2013-05-12 19:41 - 2013-04-14 12:42 - 256917504 ___RA C:\Users\Susan\Documents\Harland Medical Systems9.QBW

2013-05-12 19:41 - 2013-04-14 12:42 - 00000355 ____A C:\Users\Susan\Documents\Harland Medical Systems9.QBW.ND

2013-04-27 11:59 - 2013-04-27 10:46 - 00000000 ____D C:\Users\Susan\AppData\Roaming\TeamViewer

2013-04-27 10:45 - 2013-04-27 10:45 - 00001164 ____A C:\Users\Public\Desktop\TeamViewer 7.lnk

2013-04-27 10:44 - 2013-04-27 10:44 - 00000000 ____D C:\Program Files (x86)\TeamViewer

2013-04-25 11:25 - 2009-07-14 00:08 - 00032586 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2013-04-23 01:13 - 2012-12-07 21:25 - 00234544 ____A C:\Windows\RegBootClean64.exe

2013-04-19 13:35 - 2012-12-07 12:35 - 00000000 ____D C:\ProgramData\iolo

2013-04-19 13:34 - 2012-12-07 12:41 - 00002221 ____A C:\Users\Susan\Desktop\System Mechanic.lnk

2013-04-19 01:10 - 2013-04-19 01:10 - 00000000 ____A C:\Windows\DCEBOOT.LOG

2013-04-19 01:09 - 2013-04-19 01:08 - 00022064 ____A C:\Windows\DCEBoot64.exe

ZeroAccess:

C:\Windows\Installer\{887202d4-3af8-888f-30e5-b3fb3c2a1f41}

C:\Windows\Installer\{887202d4-3af8-888f-30e5-b3fb3c2a1f41}\L

C:\Windows\Installer\{887202d4-3af8-888f-30e5-b3fb3c2a1f41}\U

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-596367432-2982112876-384251979-1000\$887202d43af8888f30e5b3fb3c2a1f41

ZeroAccess:

C:\Users\Susan\AppData\Local\{887202d4-3af8-888f-30e5-b3fb3c2a1f41}

C:\Users\Susan\AppData\Local\{887202d4-3af8-888f-30e5-b3fb3c2a1f41}\L

C:\Users\Susan\AppData\Local\{887202d4-3af8-888f-30e5-b3fb3c2a1f41}\U

Other Malware:

===========

C:\Users\Susan\195-INST-WIN7-A.EXE

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

Last Boot: 2013-05-14 11:13

==================== End Of Log ============================


Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan also

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Also there are some funky entries in the log which I'm not sure where they came from or what they're a result of??

BootExecute: .???0{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB26868272???2User-Agent: Mozilla/3.0 (compatible; Indy Library)???0No dangerous or unnecessary startup items found.e???0{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2686827g???2C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\???1C:\Program Files (x86)\Dell\DellDock\DellDock.exe program.???McCHSvc.exe is a component of McAfee Security Scan, which is software that scans the computer to determine if security software is installed and, if not, suggest McAfee products. This program can be installed separately, but is more commonly packaged with other applications such as Adobe Flash Player. This file provides online connectivity for the program.autocheck smrgdf C:\Users\Susan\AppData\Roaming\iolo\x entry ADS_3_~1.JS in index $I30 of file 144927 is incorrect.Repairing C:\ - Index entry ADS_3_~1.JS in index $I30 of file 144927 is incorrect.Repairing C:\ - Index entry ADS_3_~1.JS in index $I30 of file 144927 is incorrect.Repairing C:\ - Index entry ADS_3_~1.JS in index $I30 of file 144927 is incorrect.Repairing C:\ - Index entry ADS_3_~1.JS in index $I30 of file 144927 is incorrect.Repairing C:\ - Index entry ADS_3_~1.JS in index $I30 of file 144927 is incorrect.281886 index entries processed.Index verification completed.Errors found. CHKDSK cannot continue in read-only mode.

and

Error(0) reading file: "C:\Windows\System32\ "

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OK, here you go......this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now.

MrC
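Added here as a defender-side illustration (not part of the thread, and not FRST's own code): a Python triage script that applies the checks MrC made by eye to the FRST output quoted above, namely a Winlogon Shell value that is not explorer.exe, a Run/RunOnce value launching a GUID-named .exe from the Windows folder, a recently created hidden+system executable, and anything FRST lists under its ZeroAccess: or Other Malware: blocks. The rule names, helper names and the choice of sample lines are mine; the sample lines themselves are copied from the log posted in this thread.

```python
import re
from typing import Dict, List

# Constructed sample: a subset of lines copied verbatim from the FRST.txt posted
# above, mixing the flagged entries with benign ones that must NOT be reported.
SAMPLE_LOG = r"""
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [305664 2009-01-22] (Alps Electric Co., Ltd.)
HKLM-x32\...\RunOnce: [*EvtMgr32] C:\Windows\{34184A35-0401-272E-2D29-0C04050EC131}.exe [316416 2013-05-14] (Intuwave Ltd.)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKLM\...\Winlogon: [shell] C:\Windows\{34184A35-0401-272E-2D29-0C04050EC131}.exe [316416 2013-05-14] (Intuwave Ltd.)
HKCU\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-11-29] (Google Inc.)
HKCU\...\Winlogon: [shell] C:\Windows\{34184A35-0401-272E-2D29-0C04050EC131}.exe [316416 2013-05-14] (Intuwave Ltd.) <==== ATTENTION
2013-05-15 17:17 - 2013-05-14 11:54 - 00316416 ___SH (Intuwave Ltd.) C:\Windows\{34184A35-0401-272E-2D29-0C04050EC131}.exe
2013-05-15 17:09 - 2013-05-15 17:09 - 00000020 ___SH C:\Users\Jamie\ntuser.ini
2013-05-15 20:10 - 2013-05-15 20:10 - 00000000 ____D C:\FRST
ZeroAccess:
C:\Windows\Installer\{887202d4-3af8-888f-30e5-b3fb3c2a1f41}
C:\Windows\Installer\{887202d4-3af8-888f-30e5-b3fb3c2a1f41}\U
Other Malware:
===========
C:\Users\Susan\195-INST-WIN7-A.EXE
"""

# "HKxx\...\Run: [name] command [size date]" as FRST prints autostart values.
RUN_ENTRY = re.compile(
    r'^(?P<hive>HK\S*?)\\\.\.\.\\(?P<key>Run|RunOnce|Winlogon): '
    r'\[(?P<name>[^\]]+)\] (?P<cmd>.*?) \[\d+ \d{4}-\d{2}-\d{2}\]')
# "created - modified - size attrs (company) path" from the one-month file lists.
FILE_ENTRY = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ '
    r'(?P<attrs>[_A-Z]{5}) (?:\([^)]*\) )?(?P<path>[A-Za-z]:\\.*)$')
# A random-GUID-named executable dropped straight into the Windows folder.
GUID_EXE = re.compile(r'^[A-Za-z]:\\Windows\\\{[0-9A-Fa-f-]{36}\}\.exe$')
EXEC_EXT = ('.exe', '.dll', '.sys', '.scr')
FLAGGED_SECTIONS = ('ZeroAccess', 'Other Malware')  # blocks FRST itself flags


def image_path(cmd: str) -> str:
    """Strip quotes and trailing arguments from a Run-value command line."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'^(.*?\.(?:exe|dll|scr|bat|cmd))(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def triage_frst(text: str) -> List[Dict[str, str]]:
    """Apply the four checks to FRST output; return one {rule, evidence} per hit."""
    findings: List[Dict[str, str]] = []
    section = None  # FRST block we are inside, if it is one we report wholesale
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('='):
            if line.strip('= '):      # "==== Heading ====" starts a new block
                section = None
            continue                  # a bare "=====" is only an underline
        if line.endswith(':') and '\\' not in line:
            label = line[:-1]
            section = label if label in FLAGGED_SECTIONS else None
            continue
        if section:                   # every path listed under ZeroAccess:/Other Malware:
            findings.append({'rule': f'{section} indicator', 'evidence': line})
            continue
        m = RUN_ENTRY.match(line)
        if m:
            path = image_path(m.group('cmd'))
            base = path.lower().rsplit('\\', 1)[-1]
            if (m.group('key') == 'Winlogon' and m.group('name').lower() == 'shell'
                    and base != 'explorer.exe'):
                findings.append({'rule': 'Winlogon Shell replaced', 'evidence': line})
            elif GUID_EXE.match(path):
                findings.append({'rule': 'autostart of GUID-named exe in Windows root',
                                 'evidence': line})
            continue
        m = FILE_ENTRY.match(line)
        if m:
            attrs, path = m.group('attrs'), m.group('path')
            # Hidden+System is normal for ntuser.ini and the like; only flag executables.
            if 'S' in attrs and 'H' in attrs and path.lower().endswith(EXEC_EXT):
                findings.append({'rule': 'hidden+system executable created recently',
                                 'evidence': line})
    return findings


if __name__ == '__main__':
    for f in triage_frst(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['evidence']}")
```

Hidden+system attributes on their own are not suspicious (ntuser.ini carries the same flags), which is why that rule only fires on executables.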


That's up to you...we should run a couple more scans though:

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page (screenshot: More Reply Options button).

New window that comes up (screenshot: Choose Files).

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder, which is in the MBAR folder.

Just run fixdamage.exe.

Verify that your system is now functioning normally.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

