MoneyPak Malware


Hi there-

I am trying to fix an FBI MoneyPak malware infection on one of the office computers here. It wouldn't let me start in Safe Mode originally, but I have been able to get into the Command Prompt thing. I followed the instructions in this thread: http://forums.malwarebytes.org/index.php?showtopic=122580&hl=&fromsearch=1 and have done everything up until the step in Post #4 posted by MrCharlie, which states that the fixlist is computer specific. I am going to paste my FRST.txt here and hope someone will kindly help me move forward.

Thanks in advance!

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-05-2013

Ran by SYSTEM on 16-05-2013 13:04:08

Running from F:\

Windows 7 Professional (X86) OS Language: English(US)

Internet Explorer Version 8

Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe [1314816 2009-04-23] (Analog Devices, Inc.)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" [148888 2009-12-14] (Sun Microsystems, Inc.)

HKLM\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [38768 2009-10-03] (Adobe Systems Incorporated)

HKLM\...\Run: [] [x]

HKLM\...\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [640376 2009-10-02] (Adobe Systems Inc.)

HKLM\...\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-06-24] (CyberLink Corp.)

HKLM\...\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1468296 2009-06-01] (Microsoft Corporation)

HKLM\...\Run: [Dell PanelMgr] C:\Windows\Dell\PanelMgr\SSMMgr.exe /autorun [541936 2009-09-09] ()

HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)

HKLM\...\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe" [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)

HKLM\...\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe" [1151152 2013-02-19] ()

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [935288 2009-09-04] (Adobe Systems Incorporated)

HKLM\...\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe [1066504 2013-04-27] (Carbonite, Inc.)

HKLM\...\Winlogon: [system]

HKU\P at\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [ 2009-07-26] (Microsoft Corporation)

HKU\P at\...\Run: [rqrollsys] rundll32.exe "c:\users\pat~1\appdata\local\temp\ursssp.dll",DllRegisterServer [x]

HKU\P at\...\Run: [ctfmon.exe] C:\PROGRA~2\rundll32.exe C:\PROGRA~2\qnibfo.dat,FG00 [ 2013-05-15] (Microsoft Corporation)

HKU\P at\...\Run: [Microsoft] rundll32 "C:\Users\P at\AppData\Local\PowerDVD DX\Microsoft\dvryqsyl.dll",DllRegisterServerW [x]

HKU\P at\...\Run: [AVG Secure Search] rundll32 "C:\Users\PAT~1\AppData\Local\Temp\",NVDisplayCoInstallW [x]

HKU\P at\...\Run: [{471F0BA4-038F-4DBF-B9F7-A350999DF897}] rundll32 "C:\Users\P at\AppData\Local\AVG Secure Search\{471F0BA4-038F-4DBF-B9F7-A350999DF897}\tqpbul.dll",DllRegisterServerW [x]

HKU\P at\...\Run: [HP] rundll32 "C:\Users\P at\AppData\Local\{3183B523-82F1-4C47-8333-DB861AFC6780}\HP\fjismvx.dll",DllRegisterServer [x]

HKU\P at\...\Winlogon: [shell] explorer.exe,C:\Users\P at\AppData\Roaming\skype.dat <==== ATTENTION

Startup: C:\Users\P at\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk

ShortcutTarget: msconfig.lnk -> C:\PROGRA~2\qnibfo.dat (Microsoft Corporation)

BootExecute: autocheck autochk * C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart

========================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files\AVG\AVG2012\avgidsagent.exe [5174392 2012-11-02] (AVG Technologies CZ, s.r.o.)

S2 avgwd; C:\Program Files\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)

S2 CarboniteService; C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe [5008904 2013-04-27] (Carbonite, Inc. (www.carbonite.com))

S2 HP DS Service; C:\Program Files\HP\HPBDSService\HPBDSService.exe [13824 2010-10-27] (Hewlett-Packard Company)

S2 HP LaserJet Service; C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe [145920 2010-10-27] (HP)

S3 MSSQL$MSSMLBIZ; c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)

S2 vToolbarUpdater14.2.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [968880 2013-02-19] ()

S2 sbcssvc; %systemroot%\system32\idechndr.dll [x]

S2 vstor2; %systemroot%\system32\ntgrip.dll [x]

==================== Drivers (Whitelisted) ====================

S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [142176 2012-12-10] (AVG Technologies CZ, s.r.o. )

S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfilterx.sys [24144 2011-12-23] (AVG Technologies CZ, s.r.o. )

S0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [24896 2012-04-19] (AVG Technologies CZ, s.r.o. )

S3 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [17232 2011-12-23] (AVG Technologies CZ, s.r.o. )

S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [250080 2012-11-08] (AVG Technologies CZ, s.r.o.)

S1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [41040 2011-12-23] (AVG Technologies CZ, s.r.o.)

S0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [31952 2012-01-31] (AVG Technologies CZ, s.r.o.)

S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [302368 2013-04-10] (AVG Technologies CZ, s.r.o.)

S1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [33112 2013-02-19] (AVG Technologies)

S3 Blfp; C:\Windows\System32\DRIVERS\basp.sys [84992 2009-05-11] (Broadcom Corporation)

S3 HPFXBULKLEDM; C:\Windows\System32\drivers\hppcbulkio.sys [20504 2011-05-09] (Hewlett Packard)

S2 SSPORT; C:\Windows\system32\Drivers\SSPORT.sys [5120 2009-09-09] (Samsung Electronics)

S2 DgiVecp; \??\C:\Windows\system32\Drivers\DgiVecp.sys [x]

S0 eucghoy; System32\drivers\srjacfp.sys [x]

==================== NetSvcs (Whitelisted) ===================

NETSVC: vstor2 -> C:\Windows\system32\ntgrip.dll ==> No File.

NETSVC: vncdrv -> No Registry Path.

NETSVC: ghostsec -> No Registry Path.

NETSVC: sbcssvc -> C:\Windows\system32\idechndr.dll ==> No File.

NETSVC: WIBUKEY -> No Registry Path.

NETSVC: nicser_wmp11 -> No Registry Path.

NETSVC: sandradatasrv -> No Registry Path.

==================== One Month Created Files and Folders ========

2013-05-16 08:57 - 2013-05-16 08:57 - 01317283 ____A (Farbar) C:\Users\Tara fix\Downloads\FRST(1).exe

2013-05-16 08:19 - 2013-05-16 08:21 - 00015387 ____A C:\Users\Tara fix\Downloads\Addition.txt

2013-05-16 08:19 - 2013-05-16 08:19 - 00021242 ____A C:\Users\Tara fix\Downloads\FRST.txt

2013-05-16 08:17 - 2013-05-16 08:17 - 00000000 ____D C:\FRST

2013-05-16 08:16 - 2013-05-16 08:16 - 01317283 ____A (Farbar) C:\Users\Tara fix\Downloads\FRST.exe

2013-05-16 08:16 - 2013-05-16 08:16 - 00000000 ____D C:\Users\Tara fix\AppData\Roaming\CyberLink

2013-05-16 08:13 - 2013-05-16 08:14 - 00000000 ____D C:\Users\Tara fix\AppData\Roaming\Mozilla

2013-05-16 08:13 - 2013-05-16 08:13 - 00000000 ____D C:\Users\Tara fix\AppData\Local\Mozilla

2013-05-16 06:32 - 2013-05-16 06:32 - 00000000 ____D C:\Users\Tara fix\AppData\Local\Google

2013-05-16 05:23 - 2013-05-16 05:24 - 00000000 ____D C:\Users\Tara fix\AppData\Roaming\Adobe

2013-05-16 05:23 - 2013-05-16 05:23 - 00000000 ____D C:\Users\Tara fix\AppData\Roaming\Malwarebytes

2013-05-16 05:23 - 2013-05-16 05:23 - 00000000 ____D C:\Users\Tara fix\AppData\Roaming\AVG2012

2013-05-16 05:23 - 2013-05-16 05:23 - 00000000 ____D C:\Users\Tara fix\AppData\Local\AVG Secure Search

2013-05-16 05:23 - 2013-05-16 05:23 - 00000000 ____D C:\Users\Tara fix\AppData\Local\Adobe

2013-05-16 05:22 - 2013-05-16 05:23 - 00000000 ____D C:\users\Tara fix

2013-05-16 05:22 - 2013-05-16 05:22 - 00000020 ___SH C:\Users\Tara fix\ntuser.ini

2013-05-16 05:22 - 2013-05-16 05:22 - 00000000 ____D C:\Users\Tara fix\AppData\Local\VirtualStore

2013-05-16 05:22 - 2013-02-04 03:34 - 00000000 ____D C:\Users\Tara fix\AppData\Roaming\TuneUp Software

2013-05-16 05:22 - 2010-01-15 12:09 - 00000000 ____D C:\Users\Tara fix\AppData\Local\Microsoft Help

2013-05-15 09:42 - 2013-05-16 07:38 - 00000004 ____A C:\Users\P at\AppData\Roaming\skype.ini

2013-05-15 09:40 - 2013-05-16 07:35 - 00000000 ____A C:\ProgramData\as98213.txt

2013-05-15 09:39 - 2013-05-16 07:38 - 95023320 ___AT C:\ProgramData\ofbinq.pad

2013-05-15 09:39 - 2013-05-15 09:39 - 00120832 ____A (Microsoft Corporation) C:\Users\P at\2573668.dll

2013-05-15 09:39 - 2013-05-15 09:39 - 00120832 ____A (Microsoft Corporation) C:\ProgramData\qnibfo.dat

2013-05-15 09:39 - 2013-05-15 09:39 - 00044544 ____A (Microsoft Corporation) C:\ProgramData\rundll32.exe

2013-05-15 09:38 - 2013-05-15 09:38 - 00097280 ____A (Softline Interacive, LLC) C:\Users\P at\skype.exe

2013-05-15 09:38 - 2013-05-15 09:38 - 00000000 ____A C:\Users\P at\vlcplayer.exe

2013-05-15 09:38 - 2013-05-15 09:38 - 00000000 ____A C:\Users\P at\mstsc.exe

2013-05-15 09:38 - 2013-05-15 09:38 - 00000000 ____A C:\Users\P at\msconfig.exe

2013-05-15 09:38 - 2013-05-15 09:38 - 00000000 ____A C:\Users\P at\jucheck.exe

2013-05-13 07:53 - 2013-05-13 07:53 - 00002108 ____A C:\Users\Public\Desktop\Carbonite InfoCenter.lnk

2013-05-08 09:33 - 2013-05-08 09:33 - 00002172 ____A C:\Users\Public\Desktop\Google Earth.lnk

2013-05-07 03:18 - 2013-05-07 03:18 - 00146400 ____A C:\Windows\Minidump\050713-40123-01.dmp

2013-05-06 04:29 - 2013-05-06 04:29 - 00146392 ____A C:\Windows\Minidump\050613-27378-01.dmp

2013-05-02 01:28 - 2013-05-02 01:28 - 00146392 ____A C:\Windows\Minidump\050213-33696-01.dmp

2013-04-29 12:29 - 2009-08-19 19:50 - 00046928 ___RA (Adobe Systems Inc) C:\Windows\System32\AdobePDF.dll

2013-04-29 12:29 - 2009-08-19 19:50 - 00022872 ___RA (Adobe Systems Inc.) C:\Windows\System32\AdobePDFUI.dll

2013-04-24 07:53 - 2013-04-24 07:53 - 00001111 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2013-04-24 07:52 - 2013-04-24 07:52 - 00000000 ____D C:\ProgramData\Carbonite

2013-04-24 07:52 - 2013-04-24 07:52 - 00000000 ____D C:\Program Files\Carbonite

2013-04-23 09:56 - 2013-04-24 07:53 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

2013-04-23 09:56 - 2013-04-24 07:53 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-04-23 09:56 - 2013-04-23 09:57 - 00000000 ____D C:\Users\P at\AppData\Roaming\Mozilla

2013-04-23 09:56 - 2013-04-23 09:56 - 00000000 ____D C:\Users\P at\AppData\Local\Mozilla

2013-04-23 09:56 - 2013-04-23 09:56 - 00000000 ____D C:\ProgramData\Mozilla

2013-04-17 10:42 - 2013-04-17 10:42 - 00000000 ____D C:\Windows\System32\appmgmt

==================== One Month Modified Files and Folders ========

2013-05-16 08:57 - 2013-05-16 08:57 - 01317283 ____A (Farbar) C:\Users\Tara fix\Downloads\FRST(1).exe

2013-05-16 08:35 - 2010-12-08 11:02 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-05-16 08:21 - 2013-05-16 08:19 - 00015387 ____A C:\Users\Tara fix\Downloads\Addition.txt

2013-05-16 08:19 - 2013-05-16 08:19 - 00021242 ____A C:\Users\Tara fix\Downloads\FRST.txt

2013-05-16 08:17 - 2013-05-16 08:17 - 00000000 ____D C:\FRST

2013-05-16 08:17 - 2009-12-14 21:45 - 00795870 ____A C:\Windows\System32\PerfStringBackup.INI

2013-05-16 08:16 - 2013-05-16 08:16 - 01317283 ____A (Farbar) C:\Users\Tara fix\Downloads\FRST.exe

2013-05-16 08:16 - 2013-05-16 08:16 - 00000000 ____D C:\Users\Tara fix\AppData\Roaming\CyberLink

2013-05-16 08:16 - 2009-07-13 20:39 - 00079854 ____A C:\Windows\setupact.log

2013-05-16 08:14 - 2013-05-16 08:13 - 00000000 ____D C:\Users\Tara fix\AppData\Roaming\Mozilla

2013-05-16 08:13 - 2013-05-16 08:13 - 00000000 ____D C:\Users\Tara fix\AppData\Local\Mozilla

2013-05-16 08:13 - 2010-12-08 11:02 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-05-16 07:58 - 2012-05-03 05:12 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-05-16 07:58 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-05-16 07:58 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-05-16 07:51 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-16 07:38 - 2013-05-15 09:42 - 00000004 ____A C:\Users\P at\AppData\Roaming\skype.ini

2013-05-16 07:38 - 2013-05-15 09:39 - 95023320 ___AT C:\ProgramData\ofbinq.pad

2013-05-16 07:35 - 2013-05-15 09:40 - 00000000 ____A C:\ProgramData\as98213.txt

2013-05-16 07:35 - 2010-01-07 06:12 - 00000000 ___HD C:\Users\P at\Tracing

2013-05-16 06:32 - 2013-05-16 06:32 - 00000000 ____D C:\Users\Tara fix\AppData\Local\Google

2013-05-16 05:24 - 2013-05-16 05:23 - 00000000 ____D C:\Users\Tara fix\AppData\Roaming\Adobe

2013-05-16 05:23 - 2013-05-16 05:23 - 00000000 ____D C:\Users\Tara fix\AppData\Roaming\Malwarebytes

2013-05-16 05:23 - 2013-05-16 05:23 - 00000000 ____D C:\Users\Tara fix\AppData\Roaming\AVG2012

2013-05-16 05:23 - 2013-05-16 05:23 - 00000000 ____D C:\Users\Tara fix\AppData\Local\AVG Secure Search

2013-05-16 05:23 - 2013-05-16 05:23 - 00000000 ____D C:\Users\Tara fix\AppData\Local\Adobe

2013-05-16 05:23 - 2013-05-16 05:22 - 00000000 ____D C:\users\Tara fix

2013-05-16 05:22 - 2013-05-16 05:22 - 00000020 ___SH C:\Users\Tara fix\ntuser.ini

2013-05-16 05:22 - 2013-05-16 05:22 - 00000000 ____D C:\Users\Tara fix\AppData\Local\VirtualStore

2013-05-16 05:17 - 2009-12-22 11:26 - 00000000 ____D C:\users\P at

2013-05-16 05:04 - 2012-07-02 10:27 - 00000000 ____D C:\Windows\System32\Drivers\AVG

2013-05-15 09:39 - 2013-05-15 09:39 - 00120832 ____A (Microsoft Corporation) C:\Users\P at\2573668.dll

2013-05-15 09:39 - 2013-05-15 09:39 - 00120832 ____A (Microsoft Corporation) C:\ProgramData\qnibfo.dat

2013-05-15 09:39 - 2013-05-15 09:39 - 00044544 ____A (Microsoft Corporation) C:\ProgramData\rundll32.exe

2013-05-15 09:38 - 2013-05-15 09:38 - 00097280 ____A (Softline Interacive, LLC) C:\Users\P at\skype.exe

2013-05-15 09:38 - 2013-05-15 09:38 - 00000000 ____A C:\Users\P at\vlcplayer.exe

2013-05-15 09:38 - 2013-05-15 09:38 - 00000000 ____A C:\Users\P at\mstsc.exe

2013-05-15 09:38 - 2013-05-15 09:38 - 00000000 ____A C:\Users\P at\msconfig.exe

2013-05-15 09:38 - 2013-05-15 09:38 - 00000000 ____A C:\Users\P at\jucheck.exe

2013-05-15 05:38 - 2012-07-02 10:30 - 00000937 ____A C:\Users\Public\Desktop\AVG 2012.lnk

2013-05-15 05:38 - 2011-04-14 04:29 - 00000000 ____D C:\ProgramData\MFAData

2013-05-15 03:58 - 2012-05-03 05:12 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2013-05-15 03:58 - 2012-05-03 05:12 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2013-05-14 02:59 - 2011-05-24 12:44 - 00000000 ___HD C:\Users\P at\AppData\Local\CrashDumps

2013-05-13 07:53 - 2013-05-13 07:53 - 00002108 ____A C:\Users\Public\Desktop\Carbonite InfoCenter.lnk

2013-05-08 09:33 - 2013-05-08 09:33 - 00002172 ____A C:\Users\Public\Desktop\Google Earth.lnk

2013-05-08 09:33 - 2010-12-06 09:06 - 00000000 ___HD C:\Users\P at\AppData\Local\Google

2013-05-08 09:32 - 2010-12-08 11:02 - 00000000 ____D C:\Program Files\Google

2013-05-08 08:43 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF

2013-05-08 06:54 - 2012-07-02 10:27 - 00000000 ____D C:\ProgramData\AVG2012

2013-05-08 06:54 - 2009-12-14 23:33 - 00320970 ____A C:\Windows\PFRO.log

2013-05-07 03:18 - 2013-05-07 03:18 - 00146400 ____A C:\Windows\Minidump\050713-40123-01.dmp

2013-05-07 03:18 - 2010-03-03 02:56 - 209326467 ____A C:\Windows\MEMORY.DMP

2013-05-07 03:18 - 2010-03-03 02:56 - 00000000 ____D C:\Windows\Minidump

2013-05-07 01:54 - 2011-06-02 11:10 - 00000000 ____D C:\Users\P at\AppData\Local\{3183B523-82F1-4C47-8333-DB861AFC6780}

2013-05-06 04:29 - 2013-05-06 04:29 - 00146392 ____A C:\Windows\Minidump\050613-27378-01.dmp

2013-05-02 01:28 - 2013-05-02 01:28 - 00146392 ____A C:\Windows\Minidump\050213-33696-01.dmp

2013-04-29 12:29 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore

2013-04-29 12:27 - 2009-12-14 21:46 - 00000000 ____D C:\Program Files\Common Files\Adobe

2013-04-24 07:53 - 2013-04-24 07:53 - 00001111 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2013-04-24 07:53 - 2013-04-23 09:56 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

2013-04-24 07:53 - 2013-04-23 09:56 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-04-24 07:52 - 2013-04-24 07:52 - 00000000 ____D C:\ProgramData\Carbonite

2013-04-24 07:52 - 2013-04-24 07:52 - 00000000 ____D C:\Program Files\Carbonite

2013-04-23 10:50 - 2012-07-02 10:29 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search

2013-04-23 10:50 - 2011-12-19 10:40 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-04-23 10:50 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration

2013-04-23 10:50 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\AppCompat

2013-04-23 09:57 - 2013-04-23 09:56 - 00000000 ____D C:\Users\P at\AppData\Roaming\Mozilla

2013-04-23 09:56 - 2013-04-23 09:56 - 00000000 ____D C:\Users\P at\AppData\Local\Mozilla

2013-04-23 09:56 - 2013-04-23 09:56 - 00000000 ____D C:\ProgramData\Mozilla

2013-04-17 10:42 - 2013-04-17 10:42 - 00000000 ____D C:\Windows\System32\appmgmt

ZeroAccess:

C:\Users\P at\AppData\Local\{bcaecf89-41c7-2c02-4c29-b63c82c4fbc4}

C:\Users\P at\AppData\Local\{bcaecf89-41c7-2c02-4c29-b63c82c4fbc4}\@

C:\Users\P at\AppData\Local\{bcaecf89-41c7-2c02-4c29-b63c82c4fbc4}\L

C:\Users\P at\AppData\Local\{bcaecf89-41c7-2c02-4c29-b63c82c4fbc4}\U

C:\Users\P at\AppData\Local\{bcaecf89-41c7-2c02-4c29-b63c82c4fbc4}\U\00000001.@

Other Malware:

===========

C:\ProgramData\rundll32.exe

C:\Users\P at\2178976.exe

C:\Users\P at\2573668.dll

C:\Users\P at\flashplayer.exe

C:\Users\P at\icq.exe

C:\Users\P at\jqs.exe

C:\Users\P at\jucheck.exe

C:\Users\P at\msconfig.exe

C:\Users\P at\mstsc.exe

C:\Users\P at\skype.exe

C:\Users\P at\taskmgr.exe

C:\Users\P at\vlcplayer.exe

C:\Users\P at\windowsupdate.exe

C:\Users\P at\AppData\Roaming\skype.dat

C:\Users\P at\AppData\Roaming\skype.ini

C:\Users\P at\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk

C:\Users\P at\Application Data\skype.dat

C:\Users\P at\Application Data\skype.ini

C:\Users\P at\Start Menu\Programs\Startup\msconfig.lnk

C:\Users\P at\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk

C:\ProgramData\F514PiV8s.dat

C:\ProgramData\l_0_00_re.pad

C:\ProgramData\ofbinq.pad

C:\ProgramData\qnibfo.dat

C:\ProgramData\rundll32.exe

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-05-15 06:06:17

Restore point made on: 2013-05-15 08:11:27

Restore point made on: 2013-05-15 08:35:12

Restore point made on: 2013-05-15 09:39:16

Restore point made on: 2013-05-16 08:44:21

==================== Memory info ===========================

Percentage of memory in use: 21%

Total physical RAM: 2036.95 MB

Available physical RAM: 1607.75 MB

Total Pagefile: 2036.95 MB

Available Pagefile: 1631.63 MB

Total Virtual: 2047.88 MB

Available Virtual: 1953.8 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:134.32 GB) (Free:0.99 GB) NTFS

Drive f: (KINGSTON) (Removable) (Total:28.88 GB) (Free:27.81 GB) FAT32

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:10.01 GB) NTFS ==>[system with boot components (obtained from reading drive)]

ATTENTION: Malware custom entry on BCD on drive y: detected.

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (Size: 149 GB) (Disk ID: 298CADC1)

Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)

Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=134 GB) - (Type=07 NTFS)

========================================================

Disk: 1 (Size: 29 GB) (Disk ID: 50625949)

Partition 1: (Not Active) - (Size=29 GB) - (Type=0B)

Last Boot: 2013-05-15 05:59

==================== End Of Log ============================

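The persistence entries in this log (rundll32 loading DLLs from Temp and AppData, a copy of rundll32.exe in ProgramData, the Winlogon Shell value pointing at skype.dat, a Startup shortcut whose target is a .dat) are the patterns a helper reads off before writing a fixlist. As an added example, not part of the thread and not FRST's own logic, the script below parses FRST "Registry (Whitelisted)" lines and flags those patterns; the sample lines are constructed from the posted log, and the 8.3 alias table assumes PROGRA~2 is ProgramData on this host, as the later Fixlog shows.

```python
"""Triage FRST "Registry (Whitelisted)" lines for rogue persistence.

Added example, not FRST's own logic: flags rundll32 loading a module from a
user-writable folder (or a non-.dll module), rundll32 running from outside
System32, a Winlogon Shell value beyond "explorer.exe", and a Startup
shortcut whose target is not an .exe.
"""
import re

# Constructed sample: benign vendor entries mixed with rogue entries copied from the posted log.
SAMPLE_LOG = r"""
HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" [148888 2009-12-14] (Sun Microsystems, Inc.)
HKLM\...\Run: [] [x]
HKU\P at\...\Run: [rqrollsys] rundll32.exe "c:\users\pat~1\appdata\local\temp\ursssp.dll",DllRegisterServer [x]
HKU\P at\...\Run: [ctfmon.exe] C:\PROGRA~2\rundll32.exe C:\PROGRA~2\qnibfo.dat,FG00 [ 2013-05-15] (Microsoft Corporation)
HKU\P at\...\Run: [HP] rundll32 "C:\Users\P at\AppData\Local\{3183B523-82F1-4C47-8333-DB861AFC6780}\HP\fjismvx.dll",DllRegisterServer [x]
HKLM\...\Winlogon: [system]
HKU\P at\...\Winlogon: [shell] explorer.exe,C:\Users\P at\AppData\Roaming\skype.dat <==== ATTENTION
ShortcutTarget: msconfig.lnk -> C:\PROGRA~2\qnibfo.dat (Microsoft Corporation)
"""

HIVE = r"^(?:HKLM|HKU\\[^\\]+)\\\.\.\.\\"
RUN_RE = re.compile(HIVE + r"Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
WINLOGON_RE = re.compile(HIVE + r"Winlogon: \[(?P<name>[^\]]*)\] ?(?P<val>.*)$")
LNK_RE = re.compile(r"^ShortcutTarget: (?P<lnk>\S+) -> (?P<target>.*?)(?:\s*\([^)]*\))?$")
# FRST appends "[size date] (vendor)" for a present file and "[x]" for a missing one.
TRAILER_RE = re.compile(r"\s*\[[^\]]*\](?:\s*\([^)]*\))?\s*$")
# Folders a standard user can write to, plus files dropped straight into the profile root.
WRITABLE_RE = re.compile(r"\\(appdata|temp|programdata|application data)\\|^c:\\users\\[^\\]+\\[^\\]+$")
# 8.3 aliases for this host (assumption: PROGRA~2 is ProgramData, as the Fixlog shows).
ALIASES = {"c:\\progra~2": "c:\\programdata", "c:\\progra~1": "c:\\program files"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def normalize(path):
    p = path.strip().strip('"').lower()
    for alias, full in ALIASES.items():
        if p.startswith(alias):
            p = full + p[len(alias):]
    return p

def user_writable(path):
    return bool(WRITABLE_RE.search(normalize(path)))

def check_run(cmd):
    """Reasons a Run value is suspicious (empty list when it looks benign)."""
    reasons = []
    cmd = TRAILER_RE.sub("", cmd)
    if not cmd:
        return reasons  # empty value, nothing is launched
    exe, args = re.match(r'("[^"]+"|\S+)\s*(.*)$', cmd).groups()
    exe = normalize(exe)
    if exe.rsplit("\\", 1)[-1] in ("rundll32", "rundll32.exe"):
        if "\\" in exe and not exe.startswith(SYSTEM_DIRS):
            reasons.append(f"rundll32 copy outside System32: {exe}")
        mod = re.match(r'"([^"]+)"|([^,\s]+)', args)  # module path before ",EntryPoint"
        module = normalize(mod.group(1) or mod.group(2)) if mod else ""
        if module and (user_writable(module) or not module.endswith(".dll")):
            reasons.append(f"rundll32 loads {module}")
    elif user_writable(exe):
        reasons.append(f"autostart from user-writable path: {exe}")
    return reasons

def check_winlogon(name, val):
    val = re.sub(r"\s*<====.*$", "", val).strip()  # drop FRST's own ATTENTION marker
    if name.lower() == "shell" and val.lower() != "explorer.exe":
        return [f"Winlogon Shell hijacked: {val}"]
    return []

def check_shortcut(lnk, target):
    t = normalize(target)
    if not t.endswith(".exe") or user_writable(t):
        return [f"Startup shortcut {lnk} -> {t}"]
    return []

def triage_frst(text):
    """Return (entry, reason) pairs for every suspicious line in an FRST log."""
    findings = []
    for line in text.splitlines():
        if m := RUN_RE.match(line):
            findings += [(m["name"], r) for r in check_run(m["cmd"])]
        elif m := WINLOGON_RE.match(line):
            findings += [(m["name"], r) for r in check_winlogon(m["name"], m["val"])]
        elif m := LNK_RE.match(line):
            findings += [(m["lnk"], r) for r in check_shortcut(m["lnk"], m["target"])]
    return findings

if __name__ == "__main__":
    for entry, reason in triage_frst(SAMPLE_LOG):
        print(f"{entry:16} {reason}")
```

On the sample, the Java updater and the empty Run value pass, while rqrollsys, ctfmon.exe, HP, the shell value and msconfig.lnk are each reported with the reason they matched.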

OK, here you go......this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options (as you did before).

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now.

MrC


Yes, the computer booted normally this time. Here is the fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 14-05-2013

Ran by SYSTEM at 2013-05-16 14:04:54 Run:1

Running from F:\

Boot Mode: Recovery

==============================================

HKEY_USERS\P at\Software\Microsoft\Windows\CurrentVersion\Run\\rqrollsys => Value deleted successfully.

HKEY_USERS\P at\Software\Microsoft\Windows\CurrentVersion\Run\\Microsoft => Value deleted successfully.

HKEY_USERS\P at\Software\Microsoft\Windows\CurrentVersion\Run\\HP => Value deleted successfully.

HKEY_USERS\P at\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.

C:\PROGRA~2\qnibfo.dat => Moved successfully.

C:\Users\P at\AppData\Local\{3183B523-82F1-4C47-8333-DB861AFC6780}\HP\fjismvx.dll => File/Directory not found.

C:\Users\P at\AppData\Local\PowerDVD DX\Microsoft\dvryqsyl.dll => File/Directory not found.

c:\users\pat~1\appdata\local\temp\ursssp.dll => File/Directory not found.

C:\PROGRA~2\qnibfo.dat => File/Directory not found.

C:\ProgramData\rundll32.exe => Moved successfully.

C:\Users\P at\2178976.exe => Moved successfully.

C:\Users\P at\2573668.dll => Moved successfully.

C:\Users\P at\flashplayer.exe => Moved successfully.

C:\Users\P at\icq.exe => Moved successfully.

C:\Users\P at\jqs.exe => Moved successfully.

C:\Users\P at\jucheck.exe => Moved successfully.

C:\Users\P at\msconfig.exe => Moved successfully.

C:\Users\P at\mstsc.exe => Moved successfully.

C:\Users\P at\skype.exe => Moved successfully.

C:\Users\P at\taskmgr.exe => Moved successfully.

C:\Users\P at\vlcplayer.exe => Moved successfully.

C:\Users\P at\windowsupdate.exe => Moved successfully.

C:\Users\P at\AppData\Roaming\skype.dat => Moved successfully.

C:\Users\P at\AppData\Roaming\skype.ini => Moved successfully.

C:\Users\P at\Application Data\skype.dat => File/Directory not found.

C:\Users\P at\Application Data\skype.ini => File/Directory not found.

C:\Users\P at\Start Menu\Programs\Startup\msconfig.lnk => Moved successfully.

C:\Users\P at\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk => File/Directory not found.

C:\ProgramData\F514PiV8s.dat => Moved successfully.

C:\ProgramData\l_0_00_re.pad => Moved successfully.

C:\ProgramData\ofbinq.pad => Moved successfully.

C:\ProgramData\qnibfo.dat => File/Directory not found.

C:\ProgramData\rundll32.exe => File/Directory not found.

C:\Users\P at\AppData\Local\{bcaecf89-41c7-2c02-4c29-b63c82c4fbc4} => Moved successfully.

C:\Users\P at\AppData\Local\{bcaecf89-41c7-2c02-4c29-b63c82c4fbc4}\@ => File/Directory not found.

C:\Users\P at\AppData\Local\{bcaecf89-41c7-2c02-4c29-b63c82c4fbc4}\L => File/Directory not found.

C:\Users\P at\AppData\Local\{bcaecf89-41c7-2c02-4c29-b63c82c4fbc4}\U => File/Directory not found.

C:\Users\P at\AppData\Local\{bcaecf89-41c7-2c02-4c29-b63c82c4fbc4}\U\00000001.@ => File/Directory not found.

The operation completed successfully.

The operation completed successfully.

==== End of Fixlog ====


OK, good... You were badly infected, so please read this:

Please read the following information first.

You're infected with Rootkit.ZeroAccess, which is also a backdoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

--------------------------------------------------------

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder, which is in the MBAR folder.

Just run fixdamage.exe.

Verify that your system is now functioning normally.

MrC


Thank you. We are going to move forward with the cleanup. Thankfully, he does not deal with anything sensitive from this computer. We've been having issues with this computer for a while (obviously, I can see why now), so I insisted that we get Carbonite to back up all his files. I am scanning the mbar.exe file now. My question now is, if we end up reinstalling the OS (we have the disks available), would Carbonite have saved whatever brought the malware into the computer to begin with? Obviously, we don't want to reinstall just to make the same mistake again.

Thanks so much for your help.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
