Jump to content

Can't get into safe mode because of the "Ransomware" virus

Nsch_24
 Share

Recommended Posts

Nsch_24

Nsch_24

Posted
Posted

Hi earlier today I got infected with a version of the FBI moneypak virus which displays a white screen asking for $200 via moneypak whenever I boot my computer. I've tried reading around for solutions and it seems that most people start with entering safemode and running antimalware from there. The problem is I cannot enter safemode or safemode with command prompt or networking so I can't run malwarebytes. The ransomware pops up each time. My computer is completely frozen and I am borrowing another computer to write this. I am using windows 7. PLEASE any help you can give me would be greatly appreciated.

 

I have read a previous post to this and have followed all the instructions up to the point where I need to post my logs and then have to save a fixlist.exe. Can you assist?
 

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

Welcome to the forum, here's how we deal with that malware:

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Plug the flash drive into the infected PC.

  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account an click Next.
    Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:

      • Startup Repair

        System Restore

        Windows Complete PC Restore

        Windows Memory Diagnostic Tool

        Command Prompt

        Select Command Prompt

        Once in the Command Prompt:

    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter

      Note: Replace letter e with the drive letter of your flash drive.

    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
MrC
Link to post
Share on other sites
Nsch_24

Nsch_24

Posted
  • Author
Posted

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-07-2013 02
Ran by SYSTEM on 12-07-2013 19:09:53
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [] -  [x]
HKLM\...\Run: [igfxTray] - C:\windows\system32\igfxtray.exe [166424 2010-03-18] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] - C:\windows\system32\hkcmd.exe [391192 2010-03-18] (Intel Corporation)
HKLM\...\Run: [Persistence] - C:\windows\system32\igfxpers.exe [410648 2010-03-18] (Intel Corporation)
HKLM\...\Run: [smartAudio] - C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [x]
HKLM\...\Run: [synTPEnh] - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)
HKLM\...\Run: [smartFaceVWatcher] - %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
HKLM\...\Run: [TPwrMain] - %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [505696 2009-11-05] (TOSHIBA Corporation)
HKLM\...\Run: [smoothView] - %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] - %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [913720 2010-03-03] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] - C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] - %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-03-19] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] - %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [35672 2010-03-03] (TOSHIBA Corporation)
HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [AllShare Play] - C:\Program Files\Samsung\AllShare Play\utils\AllShare Play Launcher.exe [407384 2013-01-24] (Samsung Electronics)
HKLM-x32\...\Run: [ToshibaServiceStation] - "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1294136 2009-10-06] (TOSHIBA Corporation)
HKLM-x32\...\Run: [APSDaemon] - "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] -  [x]
HKU\Default\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\Nicole\...\Run: [swg] - "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-06-15] (Google Inc.)
HKU\Nicole\...\Run: [HP Deskjet 3520 series (NET)] - "C:\Program Files\HP\HP Deskjet 3520 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN25O1G2YZ05SY:NW" -scfn "HP Deskjet 3520 series (NET)" -AutoStart 1 [2551656 2012-01-31] (Hewlett-Packard Co.)
HKU\Nicole\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Nicole\AppData\Local\Temp\okbyrhxywlhwjydokph.bfg [52736 2013-07-11] (NVIDIA Corporation) <===== ATTENTION
HKU\Nicole\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Nicole\...\Command Processor: "C:\Users\Nicole\AppData\Local\Temp\okbyrhxywlhwjydokph.bfg" <===== ATTENTION!
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

==================== Services (Whitelisted) =================

S2 AllShare Framework DMS; C:\Program Files\Samsung\AllShare Framework DMS\1.3.06\AllShareFrameworkManagerDMS.exe [408184 2012-10-23] (Samsung)
S2 AllShare Play Service; C:\Program Files\Samsung\AllShare Play\AllShare Play Service.exe [662600 2013-01-24] (Copyright 2013 SAMSUNG)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
S3 L1C; system32\DRIVERS\L1C62x64.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-12 19:09 - 2013-07-12 19:09 - 00000000 ____D C:\FRST
2013-07-11 22:15 - 2013-07-11 22:15 - 00000461 _____ C:\Users\Public\Desktop\Emergency Backup.lnk
2013-07-11 21:51 - 2013-07-11 22:05 - 00000000 ____D C:\System Recovery
2013-07-11 20:59 - 2013-07-11 21:51 - 00000000 ____D C:\Emergency
2013-07-11 16:12 - 2013-07-11 16:12 - 00000000 ____D C:\a6d55769c86b8272313ac3c5cb22cd
2013-07-11 16:04 - 2013-07-11 16:04 - 02019340 _____ C:\Users\Nicole\AppData\Roaming\2433f433
2013-07-11 16:04 - 2013-07-11 16:04 - 02019331 _____ C:\Users\Nicole\AppData\Local\2433f433
2013-07-11 16:04 - 2013-07-11 16:04 - 02019282 _____ C:\Users\All Users\2433f433
2013-07-10 19:27 - 2013-04-09 15:34 - 01247744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-07-10 19:27 - 2013-04-02 14:51 - 01643520 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-07-10 19:12 - 2013-06-03 22:00 - 00624128 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll
2013-07-10 19:12 - 2013-06-03 20:53 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2013-07-10 18:27 - 2013-06-04 19:34 - 03153920 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-06-17 15:45 - 2013-06-08 04:28 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-17 15:45 - 2013-06-08 03:13 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-17 15:44 - 2013-06-08 06:08 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-17 15:44 - 2013-06-08 06:07 - 19233792 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-17 15:44 - 2013-06-08 06:06 - 15404544 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-17 15:44 - 2013-06-08 06:06 - 02648064 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-17 15:44 - 2013-06-08 06:06 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-17 15:44 - 2013-06-08 03:42 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-17 15:44 - 2013-06-08 03:40 - 14327808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-17 15:44 - 2013-06-08 03:40 - 13760512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-17 15:44 - 2013-06-08 03:40 - 02046976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-17 15:44 - 2013-06-08 03:40 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-12 00:01 - 2013-05-16 17:25 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-06-12 00:01 - 2013-05-16 17:25 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-06-12 00:01 - 2013-05-16 17:25 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-06-12 00:01 - 2013-05-16 17:25 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-06-12 00:01 - 2013-05-16 17:25 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-06-12 00:01 - 2013-05-16 17:25 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-06-12 00:01 - 2013-05-16 17:25 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-06-12 00:01 - 2013-05-16 17:25 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-06-12 00:01 - 2013-05-16 16:59 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-12 00:01 - 2013-05-16 16:59 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-06-12 00:01 - 2013-05-16 16:58 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-12 00:01 - 2013-05-16 16:58 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-12 00:01 - 2013-05-16 16:58 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-12 00:01 - 2013-05-16 16:58 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-06-12 00:01 - 2013-05-16 16:58 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-06-12 00:01 - 2013-05-16 16:58 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-12 00:01 - 2013-05-16 16:58 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-06-12 00:01 - 2013-05-14 04:23 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-06-12 00:01 - 2013-05-14 00:40 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe

==================== One Month Modified Files and Folders =======

2013-07-12 19:09 - 2013-07-12 19:09 - 00000000 ____D C:\FRST
2013-07-12 16:06 - 2009-07-13 20:51 - 00054163 _____ C:\Windows\setupact.log
2013-07-12 16:05 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-11 22:15 - 2013-07-11 22:15 - 00000461 _____ C:\Users\Public\Desktop\Emergency Backup.lnk
2013-07-11 22:05 - 2013-07-11 21:51 - 00000000 ____D C:\System Recovery
2013-07-11 21:51 - 2013-07-11 20:59 - 00000000 ____D C:\Emergency
2013-07-11 19:20 - 2011-10-21 17:10 - 00000342 _____ C:\Windows\Tasks\DriverScanner.job
2013-07-11 19:17 - 2011-06-15 10:48 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-11 16:14 - 2009-07-13 21:13 - 00741416 _____ C:\Windows\System32\PerfStringBackup.INI
2013-07-11 16:14 - 2009-07-13 20:45 - 00024608 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-11 16:14 - 2009-07-13 20:45 - 00024608 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-11 16:13 - 2011-06-15 10:21 - 02041703 _____ C:\Windows\WindowsUpdate.log
2013-07-11 16:12 - 2013-07-11 16:12 - 00000000 ____D C:\a6d55769c86b8272313ac3c5cb22cd
2013-07-11 16:07 - 2009-07-13 20:45 - 00275712 _____ C:\Windows\System32\FNTCACHE.DAT
2013-07-11 16:06 - 2010-11-20 23:17 - 00000000 ____D C:\Program Files\Windows Journal
2013-07-11 16:06 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-07-11 16:06 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-07-11 16:04 - 2013-07-11 16:04 - 02019340 _____ C:\Users\Nicole\AppData\Roaming\2433f433
2013-07-11 16:04 - 2013-07-11 16:04 - 02019331 _____ C:\Users\Nicole\AppData\Local\2433f433
2013-07-11 16:04 - 2013-07-11 16:04 - 02019282 _____ C:\Users\All Users\2433f433
2013-07-11 16:03 - 2012-01-17 13:59 - 00000000 ____D C:\Users\Nicole\AppData\Local\CrashDumps
2013-07-11 16:00 - 2011-09-20 12:56 - 00003934 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{F6C95EB4-20F4-4F00-A7F7-24F7F5F93052}
2013-07-11 15:58 - 2011-06-15 10:48 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-10 18:43 - 2013-02-03 15:27 - 00000000 ____D C:\AllShare Play
2013-07-08 20:23 - 2011-06-15 10:48 - 00003908 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-07-08 20:23 - 2011-06-15 10:48 - 00003656 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-06-27 14:40 - 2011-09-20 12:15 - 00000000 ____D C:\Users\Nicole\AppData\Roaming\SoftGrid Client
2013-06-24 20:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-06-21 15:09 - 2011-09-20 12:23 - 00000000 ____D C:\Users\Nicole\AppData\Local\Google
2013-06-14 18:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-06-12 00:19 - 2010-11-20 19:47 - 00275882 _____ C:\Windows\PFRO.log

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-06-16 15:47:53
Restore point made on: 2013-06-16 15:48:52
Restore point made on: 2013-06-16 16:03:30
Restore point made on: 2013-06-17 15:44:25
Restore point made on: 2013-06-20 19:32:46
Restore point made on: 2013-06-23 19:45:05
Restore point made on: 2013-06-27 07:17:44
Restore point made on: 2013-06-30 13:13:11
Restore point made on: 2013-07-04 09:31:17
Restore point made on: 2013-07-07 16:31:38
Restore point made on: 2013-07-10 18:24:45
Restore point made on: 2013-07-10 19:26:20
Restore point made on: 2013-07-11 15:58:28
Restore point made on: 2013-07-11 16:11:49

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 3963.97 MB
Available physical RAM: 3390.51 MB
Total Pagefile: 3962.17 MB
Available Pagefile: 3384.37 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: (TI106140W0C) (Fixed) (Total:285.45 GB) (Free:179.36 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]
Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)]
Drive f: () (Removable) (Total:7.45 GB) (Free:4.15 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298 GB) (Disk ID: 5A9912A7)
Partition 1: (Active) - (Size=1 GB) - (Type=27)
Partition 2: (Not Active) - (Size=285 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=11 GB) - (Type=17)

========================================================
Disk: 1 (Size: 7 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)

LastRegBack: 2013-07-04 21:10

==================== End Of Log ============================

Link to post
Share on other sites
Nsch_24

Nsch_24

Posted
  • Author
Posted

Farbar Recovery Scan Tool (x64) Version: 12-07-2013 02
Ran by SYSTEM at 2013-07-12 19:12:47
Running from F:\
Boot Mode: Recovery

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

OK, here you go......this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now and if so..........

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

Link to post
Share on other sites
Nsch_24

Nsch_24

Posted
  • Author
Posted

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-07-2013 02
Ran by SYSTEM at 2013-07-12 20:13:37 Run:1
Running from F:\
Boot Mode: Recovery
==============================================

HKU\Nicole\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value deleted successfully.
HKU\Nicole\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKU\Nicole\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.
C:\Users\Nicole\AppData\Roaming\2433f433 => Moved successfully.
C:\Users\Nicole\AppData\Local\2433f433 => Moved successfully.
C:\Users\All Users\2433f433 => Moved successfully.
C:\Users\Nicole\AppData\Local\Temp\okbyrhxywlhwjydokph.bfg => Moved successfully.

==== End of Fixlog ====

Link to post
Share on other sites
Nsch_24

Nsch_24

Posted
  • Author
Posted

It appears that everything seems to be working! Thanks so much for all your help! Here are the logs for the last scan and removal:

 

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.07.12.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16618
Nicole :: NICOLE-PC [administrator]

7/12/2013 8:27:43 PM
mbar-log-2013-07-12 (20-27-43).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 241829
Time elapsed: 47 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 17
HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007} (Adware.Agent) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\TYPELIB\{3BF3DED5-0FC8-4207-AC09-AA7B5AF4E408} (Adware.Agent) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\INTERFACE\{1B97A696-5576-43AC-A73B-E1D2C78F21E8} (Adware.Agent) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\INTERFACE\{75BF416E-4326-45B5-8A2D-AE32D05B930B} (Adware.Agent) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{1B97A696-5576-43AC-A73B-E1D2C78F21E8} (Adware.Agent) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{75BF416E-4326-45B5-8A2D-AE32D05B930B} (Adware.Agent) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{3BF3DED5-0FC8-4207-AC09-AA7B5AF4E408} (Adware.Agent) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\PricePeep.PricePeepBho.1 (Adware.Agent) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\PricePeep.PricePeepBho (Adware.Agent) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\CLASSES\PricePeep.PricePeepBho (Adware.Agent) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007} (Adware.Agent) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\CLASSES\PricePeep.PricePeepBho.1 (Adware.Agent) -> Delete on reboot.
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007} (Adware.Agent) -> Delete on reboot.
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007} (Adware.Agent) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\APPID\activex.DLL (Adware.180Solutions) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\MossySky (Adware.HotBar.MS) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\activex.DLL (Adware.180Solutions) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
c:\ProgramData\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 (Adware.Seekmo) -> Delete on reboot.
c:\ProgramData\MossySkySA (Adware.HotBar.MS) -> Delete on reboot.

Files Detected: 9
c:\$Recycle.Bin\S-1-5-21-1658378478-262696625-2177746141-1000\$RD1HYLQ.exe (Adware.Agent) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-21-1658378478-262696625-2177746141-1000\$RV43388\epicRemoval.exe (Adware.Gamevance) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-21-1658378478-262696625-2177746141-1000\$RKM90VZ\YontooIEClient.dll (Adware.Yontoo) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-21-1658378478-262696625-2177746141-1000\$RXS3SYO\pricepeep.dll (Adware.Agent) -> Delete on reboot.
c:\Users\Nicole\AppData\Local\Temp\is1438683437\IWantThis.exe (Adware.GamePlayLabs) -> Delete on reboot.
c:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Templates\2433f433 (Trojan.Agent.TPL) -> Delete on reboot.
c:\ProgramData\MossySkySA\MossySkySA.dat (Adware.HotBar.MS) -> Delete on reboot.
c:\ProgramData\MossySkySA\MossySkySAau.dat (Adware.HotBar.MS) -> Delete on reboot.
c:\ProgramData\MossySkySA\MossySkySA_kyf.dat (Adware.HotBar.MS) -> Delete on reboot.

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.07.13.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16618
Nicole :: NICOLE-PC [administrator]

7/12/2013 9:19:45 PM
mbar-log-2013-07-12 (21-19-45).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 241129
Time elapsed: 46 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

Malwarebytes Anti-Rootkit BETA 1.06.0.1004

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 10.0.9200.16618

Java version: 1.6.0_17

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 2.294000 GHz
Memory total: 4156522496, free: 2057134080

Downloaded database version: v2013.07.12.05
Initializing...
------------ Kernel report ------------
     07/12/2013 20:27:34
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\compbatt.sys
\SystemRoot\system32\drivers\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\pciide.sys
\SystemRoot\system32\DRIVERS\PCIIDEX.SYS
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\system32\DRIVERS\TVALZ_O.SYS
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\FwLnk.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\athrx.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\tdcmdpst.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\serscan.sys
\SystemRoot\system32\DRIVERS\pgeffect.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\CHDRT64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\cdd.dll
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\Sftvollh.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\NisDrvWFP.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\system32\DRIVERS\Sftfslh.sys
\SystemRoot\system32\DRIVERS\Sftplaylh.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\Sftredirlh.sys
\??\C:\windows\system32\drivers\mbamchameleon.sys
\??\C:\windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\setupapi.dll
\Windows\System32\kernel32.dll
\Windows\System32\ws2_32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\advapi32.dll
\Windows\System32\sechost.dll
\Windows\System32\imm32.dll
\Windows\System32\iertutil.dll
\Windows\System32\msvcrt.dll
\Windows\System32\user32.dll
\Windows\System32\nsi.dll
\Windows\System32\usp10.dll
\Windows\System32\shell32.dll
\Windows\System32\oleaut32.dll
\Windows\System32\normaliz.dll
\Windows\System32\gdi32.dll
\Windows\System32\msctf.dll
\Windows\System32\psapi.dll
\Windows\System32\lpk.dll
\Windows\System32\wininet.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\Wldap32.dll
\Windows\System32\ole32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\difxapi.dll
\Windows\System32\comdlg32.dll
\Windows\System32\urlmon.dll
\Windows\System32\clbcatq.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\crypt32.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\wintrust.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\comctl32.dll
\Windows\System32\KernelBase.dll
\Windows\System32\devobj.dll
\Windows\System32\msasn1.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8004be0530
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa80046db050
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8004be0530, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8004be1040, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8004be0530, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80046db050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 5A9912A7

Partition information:

    Partition 0 type is Other (0x27)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 3072000
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 3074048  Numsec = 598626304

    Partition 2 type is HIDDEN (0x17)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 601700352  Numsec = 23441408
    Partition is not bootable
Hidden partition VBR is not infected.

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 320072933376 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
Done!
Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007} --> [Adware.Agent]
Infected: HKLM\SOFTWARE\CLASSES\TYPELIB\{3BF3DED5-0FC8-4207-AC09-AA7B5AF4E408} --> [Adware.Agent]
Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{1B97A696-5576-43AC-A73B-E1D2C78F21E8} --> [Adware.Agent]
Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{75BF416E-4326-45B5-8A2D-AE32D05B930B} --> [Adware.Agent]
Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{1B97A696-5576-43AC-A73B-E1D2C78F21E8} --> [Adware.Agent]
Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{75BF416E-4326-45B5-8A2D-AE32D05B930B} --> [Adware.Agent]
Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{3BF3DED5-0FC8-4207-AC09-AA7B5AF4E408} --> [Adware.Agent]
Infected: HKLM\SOFTWARE\CLASSES\PricePeep.PricePeepBho.1 --> [Adware.Agent]
Infected: HKLM\SOFTWARE\CLASSES\PricePeep.PricePeepBho --> [Adware.Agent]
Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\PricePeep.PricePeepBho --> [Adware.Agent]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007} --> [Adware.Agent]
Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\PricePeep.PricePeepBho.1 --> [Adware.Agent]
Infected: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007} --> [Adware.Agent]
Infected: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007} --> [Adware.Agent]
Infected: c:\$Recycle.Bin\S-1-5-21-1658378478-262696625-2177746141-1000\$RD1HYLQ.exe --> [Adware.Agent]
Infected: c:\$Recycle.Bin\S-1-5-21-1658378478-262696625-2177746141-1000\$RV43388\epicRemoval.exe --> [Adware.Gamevance]
Infected: c:\$Recycle.Bin\S-1-5-21-1658378478-262696625-2177746141-1000\$RKM90VZ\YontooIEClient.dll --> [Adware.Yontoo]
Infected: c:\$Recycle.Bin\S-1-5-21-1658378478-262696625-2177746141-1000\$RXS3SYO\pricepeep.dll --> [Adware.Agent]
Infected: c:\Users\Nicole\AppData\Local\Temp\is1438683437\IWantThis.exe --> [Adware.GamePlayLabs]
Infected: c:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Templates\2433f433 --> [Trojan.Agent.TPL]
Infected: HKLM\SOFTWARE\CLASSES\APPID\activex.DLL --> [Adware.180Solutions]
Infected: HKLM\SOFTWARE\WOW6432NODE\MossySky --> [Adware.HotBar.MS]
Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\activex.DLL --> [Adware.180Solutions]
Infected: c:\ProgramData\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 --> [Adware.Seekmo]
Infected: c:\ProgramData\MossySkySA --> [Adware.HotBar.MS]
Infected: c:\ProgramData\MossySkySA\MossySkySA.dat --> [Adware.HotBar.MS]
Infected: c:\ProgramData\MossySkySA\MossySkySAau.dat --> [Adware.HotBar.MS]
Infected: c:\ProgramData\MossySkySA\MossySkySA_kyf.dat --> [Adware.HotBar.MS]
Scan finished
Creating System Restore point...
Cleaning up...
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================

Removal queue found; removal started
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_0_2048_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_2_601700352_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 10.0.9200.16618

Java version: 1.6.0_17

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 2.294000 GHz
Memory total: 4156522496, free: 2935078912

Downloaded database version: v2013.07.13.01
Initializing...
------------ Kernel report ------------
     07/12/2013 21:19:38
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\compbatt.sys
\SystemRoot\system32\drivers\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\pciide.sys
\SystemRoot\system32\DRIVERS\PCIIDEX.SYS
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\system32\DRIVERS\TVALZ_O.SYS
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\FwLnk.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\athrx.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\tdcmdpst.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\serscan.sys
\SystemRoot\system32\DRIVERS\pgeffect.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\CHDRT64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\Sftvollh.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\NisDrvWFP.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\system32\DRIVERS\Sftfslh.sys
\SystemRoot\system32\DRIVERS\Sftplaylh.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\Sftredirlh.sys
\??\C:\windows\system32\drivers\mbamchameleon.sys
\SystemRoot\system32\drivers\spsys.sys
\??\C:\windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8004865580
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa8004699050
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8004865580, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8004866040, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8004865580, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8004699050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 5A9912A7

Partition information:

    Partition 0 type is Other (0x27)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 3072000
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 3074048  Numsec = 598626304

    Partition 2 type is HIDDEN (0x17)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 601700352  Numsec = 23441408
    Partition is not bootable
Hidden partition VBR is not infected.

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 320072933376 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
Done!
Scan finished
=======================================

Removal queue found; removal started
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_0_2048_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_2_601700352_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removal finished

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

Good....

Lets check for any adware while you're here:

Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.

AdwCleaner is a tool that deletes :

· Adwares (software ads)

· PUP/LPI (Potentially Undesirable Program)

· Toolbars

· Hijacker (Hijack of the browser's homepage)

It works with a Search and Deletion method. It can be easily uninstalled using the "Uninstall" mode.

  • Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  • Now click on the Search tab.
  • Please post the contents of the log-file created in your next post.
Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.

Note:

Please look over what was found......especially any folders, we're going to permanently delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain to why it shouldn't be on your system.

If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

Please note that Antivir Webguard uses ASK Toolbar as part of its web security. If you remove ASK by using Adwcleaner, Antivir Webguard will no longer work properly. Therefore, if you use this program please use the instructions below to access the options screen where you should enable /DisableAskDetections before using AdwCleaner.

You can click on the question mark (?) in the upper left corner of the program and then click on Options. You will then be presented with a dialog where you can disable various detections. These options are described below:

/DisableAskDetection - This option disables Ask Toolbar detection.

MrC

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

You can follow these steps but you have to start your own new topic:

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Plug the flash drive into the infected PC.

  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account an click Next.
    Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:

      • Startup Repair

        System Restore

        Windows Complete PC Restore

        Windows Memory Diagnostic Tool

        Command Prompt

        Select Command Prompt

        Once in the Command Prompt:

    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter

      Note: Replace letter e with the drive letter of your flash drive.

    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
MrC
Link to post
Share on other sites
LDTate

LDTate

Posted
Posted

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept