
FBI Moneypak Removal Help Needed



My son made the mistake of clicking on a malicious pop-up, and now my wife's laptop is infected with the FBI Moneypak virus. We are not able to boot up in safe mode. I have looked through other posts and am impressed with how helpful everyone is. It appears a custom cleanup script needs to be created, and I thought I had better not try that myself. I have already run the Farbar Recovery Scan Tool. The results have been pasted below. Any help you can provide would be greatly appreciated.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 16-05-2013

Ran by SYSTEM on 16-05-2013 14:20:11

Running from H:\

Windows 7 Home Premium (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]

HKLM-x32\...\Run: [sDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [3825176 2012-11-13] (Safer-Networking Ltd.)

HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Carbonite Backup] C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe [1065480 2013-02-05] (Carbonite, Inc.)

HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe" [1219248 2013-05-02] ()

HKU\Des\...\Run: [Google Update] "C:\Users\Des\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-07-15] (Google Inc.)

HKU\Des\...\Run: [spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean [3713032 2012-11-13] (Safer-Networking Ltd.)

HKU\Des\...\Run: [ROC_ROC_APR2013_AV] C:\Users\Des\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid d8d5dca7322c47d1b596d16ffffa6a08-b081eb5f4c44309a0771667404bef0637bb46070 --CMPID ROC_APR2013_AV --CMPIDEXTRA 2012 [1277464 2013-03-27] ()

HKU\Des\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Des\Documents\13673a97.exe [24064 2013-05-16] ()

HKU\Des\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION

AppInit_DLLs: C:\PROGRA~3\Wincert\WIN64C~1.DLL [8704 2012-12-20] ()

Startup: C:\ProgramData\Start Menu\Programs\Startup\AtHomeConnect.lnk

ShortcutTarget: AtHomeConnect.lnk -> C:\Program Files (x86)\AtHomeConnect\AtHomeConnect.exe (HR Block )

Startup: C:\ProgramData\Start Menu\Programs\Startup\MozyHome Status.lnk

ShortcutTarget: MozyHome Status.lnk -> C:\Program Files\MozyHome\mozystat.exe (Mozy, Inc.)

Startup: C:\Users\Des\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk

ShortcutTarget: Dropbox.lnk -> (No File)

BootExecute: autocheck autochk * sdnclean64.exeC:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart

==================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe [5174392 2012-11-02] (AVG Technologies CZ, s.r.o.)

S2 avgwd; C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)

S2 Basics Service; C:\Program Files (x86)\Seagate\Basics\Service\SyncServicesBasics.exe [124280 2007-10-09] (Seagate Technology LLC)

S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.0.285\McCHSvc.exe [234776 2012-09-05] (McAfee, Inc.)

S2 MotoHelper; C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [214896 2011-12-06] ()

S2 mozybackup; C:\Program Files\MozyHome\mozybackup.exe [54040 2011-07-27] (Mozy, Inc.)

S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1103392 2012-11-13] (Safer-Networking Ltd.)

S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1369624 2012-11-13] (Safer-Networking Ltd.)

S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [168384 2012-11-13] (Safer-Networking Ltd.)

S2 Sonexis Application Sharing Driver Service; C:\Program Files (x86)\Sonexis\ApplicationSharing\AppDriverService.exe [188416 2010-01-11] (Sonexis, Inc.)

S2 vToolbarUpdater15.0.1; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.0.1\ToolbarUpdater.exe [990896 2013-05-02] ()

S2 wltrysvc; C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe [3417088 2009-07-16] (Dell Inc.)

S3 aspnet_state; %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [x]

==================== Drivers (Whitelisted) ====================

S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [127328 2012-12-10] (AVG Technologies CZ, s.r.o. )

S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )

S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )

S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [307040 2012-11-08] (AVG Technologies CZ, s.r.o.)

S1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)

S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)

S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [384800 2013-04-11] (AVG Technologies CZ, s.r.o.)

S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [39768 2013-05-02] (AVG Technologies)

S1 mozyFilter; C:\Windows\System32\DRIVERS\mozy.sys [66552 2011-07-27] (Mozy, Inc.)

S3 MusCAudio; C:\Windows\System32\drivers\MusCAudio.sys [34088 2012-06-05] (Windows ® Win 7 DDK provider)

S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [31744 2009-01-09] (Research in Motion Ltd)

S3 SonMirrorftas; C:\Windows\System32\DRIVERS\SonMirrorftas.sys [7168 2010-01-05] (Sonexis, Inc.)

S3 SonVMDas; C:\Windows\System32\DRIVERS\SonVMDas.sys [4608 2010-01-05] (Sonexis)

S3 RimUsb; System32\Drivers\RimUsb_AMD64.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-16 14:20 - 2013-05-16 14:20 - 00000000 ____D C:\FRST

2013-05-16 05:36 - 2013-05-16 05:36 - 01096032 ____A C:\Users\Des\AppData\Roaming\2433f433

2013-05-16 05:36 - 2013-05-16 05:36 - 01096025 ____A C:\Users\Des\AppData\Local\2433f433

2013-05-16 05:36 - 2013-05-16 05:36 - 01096024 ____A C:\ProgramData\2433f433

2013-05-16 05:36 - 2013-05-16 05:36 - 00024064 ____A C:\Users\Des\Documents\13673a97.exe

2013-05-16 05:35 - 2013-05-16 05:35 - 00000000 ____D C:\Windows\Sun

2013-05-15 20:14 - 2013-04-04 22:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-05-15 20:14 - 2013-04-04 22:52 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-05-15 20:14 - 2013-04-04 22:52 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe

2013-05-15 20:14 - 2013-04-04 22:50 - 19231232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-15 20:14 - 2013-04-04 22:50 - 15404032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-05-15 20:14 - 2013-04-04 22:50 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-05-15 20:14 - 2013-04-04 22:50 - 02647552 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-05-15 20:14 - 2013-04-04 22:50 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-05-15 20:14 - 2013-04-04 22:50 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-05-15 20:14 - 2013-04-04 22:50 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-05-15 20:14 - 2013-04-04 22:50 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll

2013-05-15 20:14 - 2013-04-04 22:50 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll

2013-05-15 20:14 - 2013-04-04 22:50 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-05-15 20:14 - 2013-04-04 22:50 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll

2013-05-15 20:14 - 2013-04-04 21:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-05-15 20:14 - 2013-04-04 21:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-05-15 20:14 - 2013-04-04 21:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-15 20:14 - 2013-04-04 21:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-05-15 20:14 - 2013-04-04 21:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-05-15 20:14 - 2013-04-04 21:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-05-15 20:14 - 2013-04-04 21:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-05-15 20:14 - 2013-04-04 21:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-05-15 20:14 - 2013-04-04 21:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-05-15 20:14 - 2013-04-04 21:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll

2013-05-15 20:14 - 2013-04-04 21:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll

2013-05-15 20:14 - 2013-04-04 21:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-05-15 20:14 - 2013-04-04 21:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll

2013-05-15 20:14 - 2013-04-04 20:43 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-15 20:14 - 2013-04-04 20:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-15 20:14 - 2013-04-04 19:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe

2013-05-15 20:14 - 2013-04-04 19:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe

2013-05-15 11:17 - 2013-04-09 22:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys

2013-05-15 11:17 - 2013-04-09 22:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys

2013-05-15 11:17 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-05-15 11:17 - 2013-03-18 21:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll

2013-05-15 11:17 - 2013-03-18 21:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll

2013-05-15 11:17 - 2013-02-26 22:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe

2013-05-15 11:17 - 2013-02-26 21:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2013-05-15 11:17 - 2013-02-26 21:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll

2013-05-15 11:17 - 2013-02-26 21:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll

2013-05-15 11:17 - 2013-02-26 21:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll

2013-05-15 11:17 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2013-05-15 11:17 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll

2013-05-15 11:17 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll

2013-05-15 11:17 - 2011-02-03 03:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll

2013-05-14 13:38 - 2013-05-14 13:38 - 17613192 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe

2013-05-11 06:09 - 2013-05-11 06:09 - 00010353 ____A C:\Users\Des\Downloads\Amazon-MP3-1368281363.amz

2013-05-10 12:42 - 2013-05-10 12:42 - 00215943 ____A C:\Users\Des\Downloads\firstdescentsphysicalexamformimportant.zip

2013-05-02 18:47 - 2013-05-02 18:47 - 00000000 ____D C:\Users\Des\AppData\Local\AVG SafeGuard toolbar

2013-05-02 18:37 - 2013-05-02 18:37 - 00000000 ____D C:\ProgramData\AVG SafeGuard toolbar

2013-05-02 18:37 - 2013-05-02 18:36 - 00039768 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys

2013-05-02 18:36 - 2013-05-02 18:37 - 00000000 ____D C:\Program Files (x86)\AVG SafeGuard toolbar

2013-05-02 18:20 - 2013-05-02 18:21 - 00000000 ____D C:\Users\Des\AppData\Roaming\AVG April 2013 Campaign

2013-05-02 16:46 - 2013-05-02 16:46 - 00000406 ____A C:\Windows\Tasks\ROC_SYS_TASK.job

2013-05-02 16:44 - 2013-05-02 18:19 - 00000336 ____A C:\Windows\Tasks\ROC_SYS_TASK_DELETE.job

2013-05-02 16:44 - 2013-05-02 16:44 - 00000000 ____D C:\ProgramData\AVG April 2013 Campaign

2013-05-02 05:37 - 2013-05-02 16:17 - 00017879 ____A C:\Users\Des\Documents\extra credit.odt

2013-05-02 05:25 - 2013-05-02 05:29 - 158067944 ____A C:\Users\Des\Desktop\OOo_3.3.0_Win_x86_install-wJRE_en-US.exe

2013-05-01 19:15 - 2013-05-01 19:15 - 00002098 ____A C:\Users\Public\Desktop\Carbonite InfoCenter.lnk

2013-05-01 19:15 - 2013-05-01 19:15 - 00000000 ____D C:\ProgramData\Carbonite

2013-05-01 19:15 - 2013-05-01 19:15 - 00000000 ____D C:\Program Files\Carbonite

2013-05-01 19:15 - 2013-05-01 19:15 - 00000000 ____D C:\Program Files (x86)\Carbonite

2013-05-01 18:56 - 2013-05-16 12:14 - 00000952 ____A C:\Windows\setupact.log

2013-05-01 11:37 - 2013-05-01 11:37 - 00000203 ____A C:\Windows\wininit.ini

2013-04-28 14:27 - 2013-04-28 14:27 - 00012845 ____A C:\Users\Des\Downloads\ASPENVIEW AGENDA 2013.odt

2013-04-26 14:26 - 2013-04-26 14:26 - 00000000 ____D C:\Users\Des\AppData\Local\{FE1BCA42-B0B7-40B7-B0A4-C38CCA39D859}

2013-04-25 15:34 - 2013-04-25 15:55 - 00002038 ___AH C:\Users\Des\Documents\Default.rdp

2013-04-24 05:22 - 2013-04-12 06:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

==================== One Month Modified Files and Folders =======

2013-05-16 14:20 - 2013-05-16 14:20 - 00000000 ____D C:\FRST

2013-05-16 12:15 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-16 12:14 - 2013-05-01 18:56 - 00000952 ____A C:\Windows\setupact.log

2013-05-16 11:10 - 2009-07-13 21:10 - 01895574 ____A C:\Windows\WindowsUpdate.log

2013-05-16 11:00 - 2011-10-02 08:41 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1578273402-3808444598-2322840874-1003UA.job

2013-05-16 10:59 - 2011-11-15 17:35 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-05-16 05:36 - 2013-05-16 05:36 - 01096032 ____A C:\Users\Des\AppData\Roaming\2433f433

2013-05-16 05:36 - 2013-05-16 05:36 - 01096025 ____A C:\Users\Des\AppData\Local\2433f433

2013-05-16 05:36 - 2013-05-16 05:36 - 01096024 ____A C:\ProgramData\2433f433

2013-05-16 05:36 - 2013-05-16 05:36 - 00024064 ____A C:\Users\Des\Documents\13673a97.exe

2013-05-16 05:35 - 2013-05-16 05:35 - 00000000 ____D C:\Windows\Sun

2013-05-16 05:34 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\FxsTmp

2013-05-16 05:32 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-05-16 05:32 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-05-16 05:30 - 2012-11-25 19:20 - 00000000 ___RD C:\Users\Des\Dropbox

2013-05-16 05:30 - 2012-11-25 19:17 - 00000000 ____D C:\Users\Des\AppData\Roaming\Dropbox

2013-05-16 05:28 - 2009-07-13 20:45 - 00553248 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-15 20:25 - 2011-07-15 10:41 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1578273402-3808444598-2322840874-1000UA.job

2013-05-15 20:19 - 2010-05-22 15:40 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-05-15 20:17 - 2009-07-13 21:13 - 00760482 ____A C:\Windows\System32\PerfStringBackup.INI

2013-05-15 19:38 - 2012-04-12 09:53 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-05-15 19:38 - 2011-11-15 17:36 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-05-15 19:25 - 2011-07-15 10:41 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1578273402-3808444598-2322840874-1000Core.job

2013-05-15 18:41 - 2011-10-21 10:50 - 00000000 ____D C:\Windows\System32\Drivers\AVG

2013-05-15 18:37 - 2011-10-02 08:41 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1578273402-3808444598-2322840874-1003Core.job

2013-05-14 13:38 - 2013-05-14 13:38 - 17613192 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe

2013-05-14 13:38 - 2012-04-12 09:53 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-05-14 13:38 - 2011-06-13 07:37 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-05-14 06:04 - 2011-10-21 10:45 - 00000000 ____D C:\ProgramData\MFAData

2013-05-14 06:03 - 2011-10-21 10:50 - 00000927 ____A C:\Users\Public\Desktop\AVG 2012.lnk

2013-05-14 05:34 - 2011-08-04 13:15 - 00003620 ____A C:\Windows\mozy.blk

2013-05-14 05:34 - 2011-08-04 13:15 - 00000366 ____A C:\Windows\mozy.flt

2013-05-12 18:54 - 2010-05-20 19:03 - 00000000 ____D C:\Users\Des\AppData\Roaming\Mozilla

2013-05-11 06:09 - 2013-05-11 06:09 - 00010353 ____A C:\Users\Des\Downloads\Amazon-MP3-1368281363.amz

2013-05-10 12:42 - 2013-05-10 12:42 - 00215943 ____A C:\Users\Des\Downloads\firstdescentsphysicalexamformimportant.zip

2013-05-02 18:47 - 2013-05-02 18:47 - 00000000 ____D C:\Users\Des\AppData\Local\AVG SafeGuard toolbar

2013-05-02 18:37 - 2013-05-02 18:37 - 00000000 ____D C:\ProgramData\AVG SafeGuard toolbar

2013-05-02 18:37 - 2013-05-02 18:36 - 00000000 ____D C:\Program Files (x86)\AVG SafeGuard toolbar

2013-05-02 18:36 - 2013-05-02 18:37 - 00039768 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys

2013-05-02 18:21 - 2013-05-02 18:20 - 00000000 ____D C:\Users\Des\AppData\Roaming\AVG April 2013 Campaign

2013-05-02 18:19 - 2013-05-02 16:44 - 00000336 ____A C:\Windows\Tasks\ROC_SYS_TASK_DELETE.job

2013-05-02 16:46 - 2013-05-02 16:46 - 00000406 ____A C:\Windows\Tasks\ROC_SYS_TASK.job

2013-05-02 16:44 - 2013-05-02 16:44 - 00000000 ____D C:\ProgramData\AVG April 2013 Campaign

2013-05-02 16:17 - 2013-05-02 05:37 - 00017879 ____A C:\Users\Des\Documents\extra credit.odt

2013-05-02 05:29 - 2013-05-02 05:25 - 158067944 ____A C:\Users\Des\Desktop\OOo_3.3.0_Win_x86_install-wJRE_en-US.exe

2013-05-01 19:15 - 2013-05-01 19:15 - 00002098 ____A C:\Users\Public\Desktop\Carbonite InfoCenter.lnk

2013-05-01 19:15 - 2013-05-01 19:15 - 00000000 ____D C:\ProgramData\Carbonite

2013-05-01 19:15 - 2013-05-01 19:15 - 00000000 ____D C:\Program Files\Carbonite

2013-05-01 19:15 - 2013-05-01 19:15 - 00000000 ____D C:\Program Files (x86)\Carbonite

2013-05-01 18:56 - 2010-01-22 04:18 - 00488076 ____A C:\Windows\PFRO.log

2013-05-01 11:37 - 2013-05-01 11:37 - 00000203 ____A C:\Windows\wininit.ini

2013-05-01 11:36 - 2012-11-25 17:14 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy

2013-04-28 14:27 - 2013-04-28 14:27 - 00012845 ____A C:\Users\Des\Downloads\ASPENVIEW AGENDA 2013.odt

2013-04-28 07:40 - 2013-01-29 16:01 - 00000720 ____A C:\Users\Public\Desktop\Amazon Music Importer.lnk

2013-04-26 14:26 - 2013-04-26 14:26 - 00000000 ____D C:\Users\Des\AppData\Local\{FE1BCA42-B0B7-40B7-B0A4-C38CCA39D859}

2013-04-25 15:55 - 2013-04-25 15:34 - 00002038 ___AH C:\Users\Des\Documents\Default.rdp

2013-04-17 18:55 - 2010-01-22 02:43 - 00000000 ____D C:\ProgramData\Adobe

Other Malware:

===========

C:\Users\Des\g2mdlhlpx.exe

C:\ProgramData\ezsidmv.dat

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 15%

Total physical RAM: 3892.54 MB

Available physical RAM: 3277.45 MB

Total Pagefile: 3890.69 MB

Available Pagefile: 3267.25 MB

Total Virtual: 8192 MB

Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:58.59 GB) (Free:1.48 GB) NTFS (Disk=0 Partition=3)

Drive d: () (Fixed) (Total:229.63 GB) (Free:178.5 GB) NTFS (Disk=0 Partition=4)

Drive h: () (Removable) (Total:0.98 GB) (Free:0.98 GB) FAT (Disk=2 Partition=1)

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Drive y: (RECOVERY) (Fixed) (Total:9.77 GB) (Free:3.49 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: E635605C)

Partition 1: (Not Active) - (Size=100 MB) - (Type=DE)

Partition 2: (Active) - (Size=10 GB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=59 GB) - (Type=07 NTFS)

Partition 4: (Not Active) - (Size=230 GB) - (Type=OF Extended)

========================================================

Disk: 2 (Size: 1008 MB) (Disk ID: C03C0F39)

Partition 1: (Not Active) - (Size=1007 MB) - (Type=06)

Last Boot: 2013-05-14 06:32

==================== End Of Log ============================

FRST.txt

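The log above is long, but the entries MrC's fixlist acts on follow a small number of patterns: a Winlogon Shell value that no longer points at explorer.exe, an unsigned Run entry with a random-looking name launching an executable from a user-writable folder, and freshly created files with hex-looking names under AppData and ProgramData. The script below is an added example (it is not part of the thread, not MrC's fixlist, and not code from the FRST tool) that applies those same checks to FRST-style lines so a helper can triage a log quickly. The sample lines are constructed, modelled on the posted log; the regular expressions encode my assumptions about the FRST line layout and the path and naming heuristics are mine.

```python
"""Triage helper for FRST.txt registry and file lines (added example, not part of FRST)."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample lines, modelled on the FRST.txt posted in the thread (not verbatim FRST output).
SAMPLE_LINES = [
    r'HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)',
    r'HKU\Des\...\Run: [Google Update] "C:\Users\Des\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-07-15] (Google Inc.)',
    r'HKU\Des\...\Run: [ROC_ROC_APR2013_AV] C:\Users\Des\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --CMPID ROC_APR2013_AV [1277464 2013-03-27] ()',
    r'HKU\Des\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Des\Documents\13673a97.exe [24064 2013-05-16] ()',
    r'HKU\Des\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION',
    r'2013-05-16 05:36 - 2013-05-16 05:36 - 01096032 ____A C:\Users\Des\AppData\Roaming\2433f433',
    r'2013-05-16 05:36 - 2013-05-16 05:36 - 00024064 ____A C:\Users\Des\Documents\13673a97.exe',
    r'2013-05-15 20:14 - 2013-04-04 22:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll',
]

# Assumed FRST line layouts: "<hive>\...\Run: [name] <command> [size date] (company)" and the
# matching Winlogon form; file lines are "<mtime> - <ctime> - <size> <attrs> [(company)] <path>".
RUN_RE = re.compile(r'^(?P<hive>HK\S*?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*?) '
                    r'\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<signer>[^)]*)\)')
WINLOGON_RE = re.compile(r'^(?P<hive>HK\S*?)\\\.\.\.\\Winlogon: \[(?P<value>[^\]]+)\] (?P<cmd>.*?) '
                         r'\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<signer>[^)]*)\)')
FILE_RE = re.compile(r'^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - '
                     r'(?P<size>\d+) (?P<attr>\S{5}) (?:\((?P<signer>[^)]*)\) )?(?P<path>.+?)\s*$')
EXE_PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)"?', re.I)
# Heuristic: locations an ordinary user can write to, so malware can drop files there without elevation.
USER_WRITABLE_RE = re.compile(r'\\(?:Users\\[^\\]+\\(?:Documents|Desktop|Downloads|AppData)|ProgramData|Temp)\\', re.I)
# Heuristic: eight hex characters as a file name stem, as in 2433f433 and 13673a97 above.
HEX_STEM_RE = re.compile(r'^[0-9a-f]{8}$', re.I)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = act on it; "review" = look at it before deciding
    rule: str
    evidence: str


def _exe_path(cmd: str) -> str | None:
    """Pull the executable path out of a Run command, quoted or not, ignoring its arguments."""
    m = EXE_PATH_RE.search(cmd)
    return m.group(1) if m else None


def _hex_stem(path: str) -> bool:
    stem, _ext = ntpath.splitext(ntpath.basename(path))
    return bool(HEX_STEM_RE.match(stem))


def check_run(m: re.Match) -> list[Finding]:
    """Unsigned autorun launching from a user-writable folder; hex-named binaries rank highest."""
    exe = _exe_path(m['cmd'])
    if exe and m['signer'].strip() == '' and USER_WRITABLE_RE.search(exe):
        sev = 'high' if _hex_stem(exe) else 'review'
        return [Finding(sev, 'unsigned autorun in user-writable path', f"{m['name']} -> {exe}")]
    return []


def check_winlogon(m: re.Match) -> list[Finding]:
    """Winlogon Shell should be explorer.exe; anything else replaces the desktop at logon."""
    if m['value'].lower() == 'shell' and m['cmd'].strip('"').lower() != 'explorer.exe':
        return [Finding('high', 'Winlogon Shell replaced', f"{m['hive']} Shell = {m['cmd']}")]
    return []


def check_file(m: re.Match) -> list[Finding]:
    """Recently created file with a random hex name in a user-writable location."""
    path = m['path']
    if USER_WRITABLE_RE.search(path) and _hex_stem(path):
        return [Finding('high', 'hex-named file in user-writable path', path)]
    return []


def triage(lines: list[str]) -> list[Finding]:
    """Run each line through the first matching parser and collect findings in log order."""
    findings: list[Finding] = []
    for line in lines:
        line = line.rstrip()
        for regex, check in ((RUN_RE, check_run), (WINLOGON_RE, check_winlogon), (FILE_RE, check_file)):
            m = regex.match(line)
            if m:
                findings.extend(check(m))
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity}] {f.rule}: {f.evidence}")
```

Run against the sample lines, the script produces four "high" findings (the replaced Winlogon Shell, the random-named Run value, and the two hex-named files) and one "review" finding for the unsigned AVG campaign updater in AppData\Roaming, which is unwanted but not the rogue. Treat the parenthesised company string as a hint rather than proof that a file is legitimately signed, and treat the hex-name rule as a prompt to look, not a verdict; the point of the fixlist in this thread is that a person checks each entry before it goes into fixlist.txt.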

OK, here you go... this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now.

MrC


You're awesome!! I'm logged in now. Here are the results of the fix.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-05-2013

Ran by SYSTEM at 2013-05-16 16:16:13 Run:1

Running from H:\

Boot Mode: Recovery

==============================================

HKEY_USERS\Des\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value deleted successfully.

HKEY_USERS\Des\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.

C:\Users\Des\AppData\Roaming\2433f433 => Moved successfully.

C:\Users\Des\AppData\Local\2433f433 => Moved successfully.

C:\ProgramData\2433f433 => Moved successfully.

C:\Users\Des\Documents\13673a97.exe => Moved successfully.

C:\Users\Des\g2mdlhlpx.exe => Moved successfully.

C:\ProgramData\ezsidmv.dat => Moved successfully.

==== End of Fixlog ====


Great, it's important to follow up with some additional scans to ensure you're clean:

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

[image: more-reply-options.jpg]

New window that comes up.

[image: choose-files1.jpg]

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that your system is now functioning normally.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
