
FBI Moneypak Virus - Can't Enter Safe Mode



I have the FBI Ransom Moneypak Virus which is locking me out of my computer.

I've attempted to get to the desktop in Safe Mode with Networking and Safe Mode with Command Prompt, but it forces a computer reboot before I can even see the desktop.

The computer does not reboot when I start it up normally, only in safe mode.

The computer system is also windows 7.

 

Since I can't enter safe mode I'm not sure how to go about solving this issue.

Any help or advice you guys can offer me would be extremely appreciated!


Hello bigstu and :welcome:! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Oh wow thanks for replying so quickly!

 

So here is the log, the FRST.txt, that the scan put on my flash drive:

 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-07-2013
Ran by SYSTEM on 26-07-2013 08:39:29
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet002
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [bCSSync] - C:\Program Files\Microsoft Office\Office14\BCSSync.exe [112512 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [499608 2011-03-15] (Adobe Systems Incorporated)
HKLM\...\Run: [TortoiseHgOverlayIconServer] - C:\Program Files\TortoiseHg\TortoiseHgOverlayServer.exe [53512 2012-07-02] ()
HKLM\...\Run: [MouseDriver] - C:\Windows\System32\TiltWheelMouse.exe [241152 2012-12-12] (Pixart Imaging Inc)
HKLM\...\Run: [GamecomSound] - C:\Program Files\Plantronics\GameCom780\GameCom780.exe [777448 2011-12-01] ()
HKLM-x32\...\Run: [switchBoard] - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] - C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421736 2012-03-27] (Apple Inc.)
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [LogMeIn Hamachi Ui] - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe [2255184 2013-06-28] (LogMeIn Inc.)
HKLM-x32\...\Run: [startCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [641704 2012-11-16] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AMD AVT] - C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe [20992 2012-03-19] ()
HKU\Default\...\Run: [sidebar] - C:\Program Files\Windows Sidebar\Sidebar.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\Default User\...\Run: [sidebar] - C:\Program Files\Windows Sidebar\Sidebar.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\Stuart\...\Run: [Google Update] - C:\Users\Stuart\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2012-02-24] (Google Inc.)
HKU\Stuart\...\Run: [steam] - C:\Program Files (x86)\Steam\steam.exe [1672616 2013-07-09] (Valve Corporation)
HKU\Stuart\...\Run: [AdobeBridge] -  [x]
HKU\Stuart\...\Run: [spotify Web Helper] - C:\Users\Stuart\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1104384 2013-07-09] (Spotify Ltd)
HKU\Stuart\...\Run: [spotify] - C:\Users\Stuart\AppData\Roaming\Spotify\spotify.exe [4640768 2013-07-09] (Spotify Ltd)
HKU\Stuart\...\Run: [GoogleChromeAutoLaunch_C547D43CD725728C8B60ADB062C7B06A] - C:\Users\Stuart\AppData\Local\Google\Chrome\Application\chrome.exe [846288 2013-07-12] (Google Inc.)
HKU\Stuart\...\Run: [Google Update] - C:\Users\Stuart\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2012-02-24] (Google Inc.)
HKU\Stuart\...\Run: [Adobe CSS5.1 Manager] - C:\Users\Stuart\AppData\Local\75e82ed1-b99c-42ef-8385-1c65d3a1c747ad\eedbcefcdacad.exe [143360 2013-07-26] () <===== ATTENTION
HKU\Stuart\...\RunOnce: [Adobe CSS5.1 Manager] - C:\Users\Stuart\AppData\Local\75e82ed1-b99c-42ef-8385-1c65d3a1c747ad\eedbcefcdacad.exe [143360 2013-07-26] () <===== ATTENTION
HKU\Stuart\...\Winlogon: [shell] explorer.exe,C:\Users\Stuart\AppData\Roaming\skype.dat [124928 2011-11-16] (ImDev Software Group) <==== ATTENTION 
AlternateShell: C:\ProgramData\DisplaySwitch.exe
 
==================== Services (Whitelisted) =================
 
S2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-11-16] (Advanced Micro Devices, Inc.)
S2 mi-raysat_3dsmax2012_64; C:\Program Files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_64server.exe [86016 2011-02-22] ()
S2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2012-09-03] ()
S3 TunngleService; C:\Program Files (x86)\Tunngle\TnglCtrl.exe [745880 2013-03-13] (Tunngle.net GmbH)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] ()
 
==================== Drivers (Whitelisted) ====================
 
S2 AODDriver4.01; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
S2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
S3 DAdderFltr; C:\Windows\System32\drivers\dadder.sys [12672 2007-08-02] (Razer (Asia-Pacific) Pte Ltd)
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2013-05-13] (DT Soft Ltd)
S3 EvolveVirtualAdapter; C:\Windows\System32\DRIVERS\evolve.sys [21656 2012-03-01] (Echobit, LLC)
S3 PlantronicsGC; C:\Windows\System32\drivers\PLTGC.sys [1327104 2011-11-04] (C-Media Electronics Inc)
S3 tap0901t; C:\Windows\System32\DRIVERS\tap0901t.sys [31232 2009-09-16] (Tunngle.net)
S3 t_mouse.sys; C:\Windows\System32\DRIVERS\t_mouse.sys [6144 2012-12-12] ()
S3 XENfiltv; C:\Windows\System32\drivers\XENfiltv.sys [25600 2009-07-31] (Creative Technology Ltd.)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-07-26 08:37 - 2013-07-26 08:37 - 00000000 ____D C:\FRST
2013-07-26 01:54 - 2013-07-26 02:10 - 00000004 _____ C:\Users\Stuart\AppData\Roaming\skype.ini
2013-07-26 01:53 - 2013-07-26 02:10 - 00000330 ____H C:\Windows\Tasks\{92A5A594-8F50-412B-8BFC-22FD997D881F}.job
2013-07-26 01:53 - 2013-07-26 01:53 - 00124928 _____ (ImDev Software Group) C:\Users\Stuart\java.exe
2013-07-26 01:53 - 2013-07-26 01:53 - 00117248 _____ (InterVision Software Lab.) C:\Users\Stuart\iexplore.exe
2013-07-26 01:53 - 2013-07-26 01:53 - 00003078 _____ C:\Windows\System32\Tasks\{92A5A594-8F50-412B-8BFC-22FD997D881F}
2013-07-26 01:53 - 2013-07-26 01:53 - 00000000 ____D C:\Users\Stuart\AppData\Local\75e82ed1-b99c-42ef-8385-1c65d3a1c747ad
2013-07-26 01:53 - 2013-07-26 01:53 - 00000000 ____D C:\Program Files (x86)\Google
2013-07-26 01:53 - 2013-07-26 01:53 - 00000000 _____ C:\Users\Stuart\spoolsv.exe
2013-07-26 01:53 - 2013-07-26 01:53 - 00000000 _____ C:\Users\Stuart\flashplayer.exe
2013-07-19 15:34 - 2013-07-19 15:34 - 00547113 _____ C:\Users\Stuart\Desktop\effectsed.zip
2013-07-15 20:23 - 2013-07-15 20:23 - 16802664 _____ C:\Users\Stuart\Downloads\PLAYA+135+stems.zip
2013-07-11 12:56 - 2013-07-24 23:36 - 00000000 ____D C:\Program Files (x86)\Guild Wars 2
2013-07-11 12:56 - 2013-07-11 12:56 - 00000932 _____ C:\Users\Public\Desktop\Guild Wars 2.lnk
2013-07-11 12:52 - 2013-07-11 12:52 - 22716480 _____ (ArenaNet) C:\Users\Stuart\Downloads\Gw2Setup.exe
2013-07-10 01:46 - 2013-06-11 15:43 - 14329856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-07-10 01:46 - 2013-06-11 15:43 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-07-10 01:46 - 2013-06-11 15:43 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-07-10 01:46 - 2013-06-11 15:43 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-07-10 01:46 - 2013-06-11 15:43 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-07-10 01:46 - 2013-06-11 15:43 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-07-10 01:46 - 2013-06-11 15:43 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-07-10 01:46 - 2013-06-11 15:42 - 13760512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-07-10 01:46 - 2013-06-11 15:42 - 02046976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-07-10 01:46 - 2013-06-11 15:42 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-07-10 01:46 - 2013-06-11 15:42 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-07-10 01:46 - 2013-06-11 15:42 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-07-10 01:46 - 2013-06-11 15:42 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-07-10 01:46 - 2013-06-11 15:26 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-07-10 01:46 - 2013-06-11 15:26 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-07-10 01:46 - 2013-06-11 15:26 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-07-10 01:46 - 2013-06-11 15:25 - 19238912 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-07-10 01:46 - 2013-06-11 15:25 - 15404032 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-07-10 01:46 - 2013-06-11 15:25 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-07-10 01:46 - 2013-06-11 15:25 - 02648576 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-07-10 01:46 - 2013-06-11 15:25 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-07-10 01:46 - 2013-06-11 15:25 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-07-10 01:46 - 2013-06-11 15:25 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-07-10 01:46 - 2013-06-11 15:25 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-07-10 01:46 - 2013-06-11 15:25 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-07-10 01:46 - 2013-06-11 15:25 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-07-10 01:46 - 2013-06-11 15:25 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-07-10 01:46 - 2013-06-11 14:51 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-07-10 01:46 - 2013-06-11 14:50 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-07-10 01:46 - 2013-06-06 19:22 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-07-10 01:46 - 2013-06-06 18:37 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-07-09 14:58 - 2013-06-04 19:34 - 03153920 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-07-09 14:58 - 2013-06-03 22:00 - 00624128 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll
2013-07-09 14:58 - 2013-06-03 20:53 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2013-07-09 14:58 - 2013-05-05 22:03 - 01887744 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-07-09 14:58 - 2013-05-05 20:56 - 01620480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-07-09 14:57 - 2013-04-09 15:34 - 01247744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-07-09 14:57 - 2013-04-02 14:51 - 01643520 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-07-09 13:56 - 2013-07-09 13:56 - 00000000 ____D C:\ProgramData\ATI
2013-07-09 13:56 - 2013-07-09 13:56 - 00000000 ____D C:\Program Files (x86)\AMD AVT
2013-07-09 13:43 - 2013-07-09 13:44 - 154092488 _____ (Advanced Micro Devices, Inc.) C:\Users\Stuart\Downloads\13-1-legacy_vista_win7_win8_64_dd_ccc.exe
2013-07-09 13:41 - 2013-07-09 13:41 - 00000000 ____D C:\Users\Stuart\AppData\Local\Red 5 Studios
2013-07-09 13:40 - 2013-07-09 13:40 - 00000000 ____D C:\Users\Stuart\Documents\Firefall
2013-07-09 12:40 - 2013-07-09 12:40 - 00002346 _____ C:\Users\Public\Desktop\Play Firefall.lnk
2013-07-09 11:50 - 2013-07-09 11:50 - 00000000 ____D C:\Program Files (x86)\Xiph.Org
2013-07-09 11:50 - 2013-07-09 11:50 - 00000000 ____D C:\Program Files (x86)\Red 5 Studios
2013-07-09 11:49 - 2013-07-09 11:49 - 17830272 _____ C:\Users\Stuart\Downloads\FirefallInstaller.exe
2013-07-04 09:29 - 2013-07-04 09:29 - 00000000 ____D C:\Program Files (x86)\LogMeIn Hamachi
2013-06-30 13:47 - 2013-06-30 13:47 - 00151312 ____H C:\Windows\SysWOW64\mlfcache.dat
2013-06-30 13:47 - 2013-06-30 13:47 - 00000000 ____D C:\Users\Stuart\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
 
==================== One Month Modified Files and Folders =======
 
2013-07-26 08:37 - 2013-07-26 08:37 - 00000000 ____D C:\FRST
2013-07-26 02:10 - 2013-07-26 01:54 - 00000004 _____ C:\Users\Stuart\AppData\Roaming\skype.ini
2013-07-26 02:10 - 2013-07-26 01:53 - 00000330 ____H C:\Windows\Tasks\{92A5A594-8F50-412B-8BFC-22FD997D881F}.job
2013-07-26 02:10 - 2012-04-20 18:24 - 00000000 ____D C:\Users\Stuart\AppData\Roaming\TortoiseHg
2013-07-26 02:10 - 2012-02-26 18:35 - 00000000 ____D C:\Users\Stuart\AppData\Local\LogMeIn Hamachi
2013-07-26 02:10 - 2012-02-25 00:38 - 00000000 ____D C:\Program Files (x86)\Steam
2013-07-26 02:10 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-26 02:10 - 2009-07-13 20:51 - 00057138 _____ C:\Windows\setupact.log
2013-07-26 01:53 - 2013-07-26 01:53 - 00124928 _____ (ImDev Software Group) C:\Users\Stuart\java.exe
2013-07-26 01:53 - 2013-07-26 01:53 - 00117248 _____ (InterVision Software Lab.) C:\Users\Stuart\iexplore.exe
2013-07-26 01:53 - 2013-07-26 01:53 - 00003078 _____ C:\Windows\System32\Tasks\{92A5A594-8F50-412B-8BFC-22FD997D881F}
2013-07-26 01:53 - 2013-07-26 01:53 - 00000000 ____D C:\Users\Stuart\AppData\Local\75e82ed1-b99c-42ef-8385-1c65d3a1c747ad
2013-07-26 01:53 - 2013-07-26 01:53 - 00000000 ____D C:\Program Files (x86)\Google
2013-07-26 01:53 - 2013-07-26 01:53 - 00000000 _____ C:\Users\Stuart\spoolsv.exe
2013-07-26 01:53 - 2013-07-26 01:53 - 00000000 _____ C:\Users\Stuart\flashplayer.exe
2013-07-26 01:53 - 2012-02-24 23:50 - 00000000 ____D C:\Users\Stuart\AppData\Local\Google
2013-07-26 01:53 - 2012-02-24 23:35 - 00000000 ____D C:\users\Stuart
2013-07-26 01:53 - 2012-02-24 23:31 - 01076142 _____ C:\Windows\WindowsUpdate.log
2013-07-26 01:38 - 2012-02-24 23:50 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3376119635-772456243-3827184810-1001UA.job
2013-07-26 01:34 - 2013-05-17 18:29 - 00000000 ____D C:\Users\Stuart\AppData\Roaming\Spotify
2013-07-26 01:13 - 2012-04-03 16:18 - 00000000 ____D C:\Users\Stuart\AppData\Local\PMB Files
2013-07-26 01:13 - 2012-04-03 16:18 - 00000000 ____D C:\ProgramData\PMB Files
2013-07-25 22:43 - 2012-02-25 11:40 - 00000000 ____D C:\Users\Stuart\AppData\Roaming\X-Chat 2
2013-07-25 20:14 - 2012-02-25 14:39 - 00000000 ____D C:\Program Files (x86)\GtkRadiant-1.4
2013-07-25 13:55 - 2009-07-13 20:45 - 00013440 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-25 13:55 - 2009-07-13 20:45 - 00013440 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-25 13:30 - 2012-04-05 11:18 - 00000000 ____D C:\Users\Stuart\AppData\Local\TSVNCache
2013-07-24 23:44 - 2012-02-26 18:47 - 00000000 ____D C:\Users\Stuart\AppData\Roaming\Skype
2013-07-24 23:36 - 2013-07-11 12:56 - 00000000 ____D C:\Program Files (x86)\Guild Wars 2
2013-07-24 19:35 - 2012-04-20 18:44 - 00000000 ____D C:\Users\Stuart\AppData\Roaming\FileZilla
2013-07-24 19:24 - 2012-04-07 17:00 - 00000600 _____ C:\Users\Stuart\AppData\Roaming\winscp.rnd
2013-07-24 12:38 - 2012-02-24 23:50 - 00000860 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3376119635-772456243-3827184810-1001Core.job
2013-07-20 23:42 - 2012-03-13 14:37 - 00000000 ____D C:\Users\Stuart\AppData\Roaming\Mumble
2013-07-20 23:41 - 2012-02-25 12:51 - 00000000 ____D C:\Users\Stuart\AppData\Roaming\TS3Client
2013-07-20 00:01 - 2012-04-05 18:46 - 00000003 _____ C:\Windows\System32\HRUPPROG.TXT
2013-07-19 15:34 - 2013-07-19 15:34 - 00547113 _____ C:\Users\Stuart\Desktop\effectsed.zip
2013-07-19 01:01 - 2012-02-26 16:22 - 00000132 _____ C:\Users\Stuart\AppData\Roaming\Adobe Targa Format CS5 Prefs
2013-07-18 15:27 - 2012-02-25 11:59 - 00333880 _____ C:\Windows\DirectX.log
2013-07-15 20:23 - 2013-07-15 20:23 - 16802664 _____ C:\Users\Stuart\Downloads\PLAYA+135+stems.zip
2013-07-15 10:38 - 2012-02-25 12:00 - 00000000 ____D C:\Users\Stuart\Documents\My Games
2013-07-15 10:37 - 2009-07-13 21:13 - 00807176 _____ C:\Windows\System32\PerfStringBackup.INI
2013-07-12 20:57 - 2012-02-24 23:52 - 00002370 _____ C:\Users\Stuart\Desktop\Google Chrome.lnk
2013-07-12 12:33 - 2012-02-24 23:50 - 00003888 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3376119635-772456243-3827184810-1001UA
2013-07-12 12:33 - 2012-02-24 23:50 - 00003492 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3376119635-772456243-3827184810-1001Core
2013-07-11 12:56 - 2013-07-11 12:56 - 00000932 _____ C:\Users\Public\Desktop\Guild Wars 2.lnk
2013-07-11 12:52 - 2013-07-11 12:52 - 22716480 _____ (ArenaNet) C:\Users\Stuart\Downloads\Gw2Setup.exe
2013-07-10 10:46 - 2009-07-13 20:45 - 04905912 _____ C:\Windows\System32\FNTCACHE.DAT
2013-07-10 10:43 - 2009-07-13 23:45 - 00000000 ____D C:\Program Files\Windows Journal
2013-07-10 10:43 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-07-10 10:43 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-07-10 01:48 - 2012-02-25 00:02 - 78185248 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-07-10 01:46 - 2012-03-17 12:57 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-07-09 21:33 - 2012-03-23 22:07 - 00000000 ____D C:\Users\Stuart\AppData\Roaming\Mozilla
2013-07-09 13:56 - 2013-07-09 13:56 - 00000000 ____D C:\ProgramData\ATI
2013-07-09 13:56 - 2013-07-09 13:56 - 00000000 ____D C:\Program Files (x86)\AMD AVT
2013-07-09 13:56 - 2012-02-24 23:43 - 00000000 ____D C:\ProgramData\AMD
2013-07-09 13:56 - 2012-02-24 23:42 - 00000000 ____D C:\Program Files\ATI Technologies
2013-07-09 13:44 - 2013-07-09 13:43 - 154092488 _____ (Advanced Micro Devices, Inc.) C:\Users\Stuart\Downloads\13-1-legacy_vista_win7_win8_64_dd_ccc.exe
2013-07-09 13:41 - 2013-07-09 13:41 - 00000000 ____D C:\Users\Stuart\AppData\Local\Red 5 Studios
2013-07-09 13:40 - 2013-07-09 13:40 - 00000000 ____D C:\Users\Stuart\Documents\Firefall
2013-07-09 12:40 - 2013-07-09 12:40 - 00002346 _____ C:\Users\Public\Desktop\Play Firefall.lnk
2013-07-09 11:50 - 2013-07-09 11:50 - 00000000 ____D C:\Program Files (x86)\Xiph.Org
2013-07-09 11:50 - 2013-07-09 11:50 - 00000000 ____D C:\Program Files (x86)\Red 5 Studios
2013-07-09 11:50 - 2012-03-01 14:46 - 00000000 ___HD C:\Windows\msdownld.tmp
2013-07-09 11:50 - 2012-03-01 14:46 - 00000000 ____D C:\Windows\SysWOW64\directx
2013-07-09 11:49 - 2013-07-09 11:49 - 17830272 _____ C:\Users\Stuart\Downloads\FirefallInstaller.exe
2013-07-08 12:35 - 2013-05-17 18:29 - 00000000 ____D C:\Users\Stuart\AppData\Local\Spotify
2013-07-04 09:29 - 2013-07-04 09:29 - 00000000 ____D C:\Program Files (x86)\LogMeIn Hamachi
2013-07-04 09:29 - 2013-03-13 14:05 - 00000926 _____ C:\Users\Public\Desktop\LogMeIn Hamachi.lnk
2013-06-30 13:59 - 2012-12-22 20:53 - 00000132 _____ C:\Users\Stuart\AppData\Roaming\Adobe PNG Format CS5 Prefs
2013-06-30 13:53 - 2012-02-24 23:54 - 00000000 ____D C:\Users\Stuart\AppData\Roaming\Adobe
2013-06-30 13:47 - 2013-06-30 13:47 - 00151312 ____H C:\Windows\SysWOW64\mlfcache.dat
2013-06-30 13:47 - 2013-06-30 13:47 - 00000000 ____D C:\Users\Stuart\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
 
ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini
 
ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini
 
Files to move or delete:
====================
C:\Users\Stuart\AppData\Local\75e82ed1-b99c-42ef-8385-1c65d3a1c747ad\eedbcefcdacad.exe
C:\Users\Stuart\flashplayer.exe
C:\Users\Stuart\iexplore.exe
C:\Users\Stuart\java.exe
C:\Users\Stuart\spoolsv.exe
C:\Users\Stuart\AppData\Roaming\skype.dat
C:\Users\Stuart\AppData\Roaming\skype.ini
C:\Windows\Tasks\{92A5A594-8F50-412B-8BFC-22FD997D881F}.job
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-07-25 18:06:29
 
==================== Memory info =========================== 
 
Percentage of memory in use: 11%
Total physical RAM: 5887.3 MB
Available physical RAM: 5181.11 MB
Total Pagefile: 5885.45 MB
Available Pagefile: 5176.56 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:298.09 GB) (Free:25.54 GB) NTFS (Disk=1 Partition=1)
Drive e: (Plantronics GameCom 780) (CDROM) (Total:0.04 GB) (Free:0 GB) UDF
Drive g: () (Removable) (Total:1.86 GB) (Free:0.14 GB) FAT (Disk=2 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: () (Fixed) (Total:283.4 GB) (Free:283.29 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 151CF980)
Partition 2: (Active) - (Size=283 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 298 GB) (Disk ID: 62EEAD3C)
Partition 1: (Not Active) - (Size=298 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (Size: 2 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=2 GB) - (Type=06)
 
 
LastRegBack: 2013-07-23 01:14
 
==================== End Of Log ============================

One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steals sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums, from a CLEAN COMPUTER. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.

Please read:

Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

Please let us know how you would like to proceed.


Alright, thank you for all the information, this is extremely helpful.

I'll be taking your advice to help keep my privacy and security.

 

But I'd still like to try and recover the computer if possible and attempt to clean the computer of infections.

I understand that it most likely won't entirely get cleaned, but I'd like to at least be able to copy a couple of files that are important to me onto a flashdrive - and then I will look into re-formatting.


Okay, let's try. :)

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open Notepad and select Paste). Save it on the flashdrive as fixlist.txt

HKU\Stuart\...\Run: [Adobe CSS5.1 Manager] - C:\Users\Stuart\AppData\Local\75e82ed1-b99c-42ef-8385-1c65d3a1c747ad\eedbcefcdacad.exe [143360 2013-07-26] () <===== ATTENTION

HKU\Stuart\...\RunOnce: [Adobe CSS5.1 Manager] - C:\Users\Stuart\AppData\Local\75e82ed1-b99c-42ef-8385-1c65d3a1c747ad\eedbcefcdacad.exe [143360 2013-07-26] () <===== ATTENTION

HKU\Stuart\...\Winlogon: [shell] explorer.exe,C:\Users\Stuart\AppData\Roaming\skype.dat [124928 2011-11-16] (ImDev Software Group) <==== ATTENTION

AlternateShell: C:\ProgramData\DisplaySwitch.exe

2013-07-26 01:54 - 2013-07-26 02:10 - 00000004 _____ C:\Users\Stuart\AppData\Roaming\skype.ini

2013-07-26 01:53 - 2013-07-26 02:10 - 00000330 ____H C:\Windows\Tasks\{92A5A594-8F50-412B-8BFC-22FD997D881F}.job

2013-07-26 01:53 - 2013-07-26 01:53 - 00124928 _____ (ImDev Software Group) C:\Users\Stuart\java.exe

2013-07-26 01:53 - 2013-07-26 01:53 - 00117248 _____ (InterVision Software Lab.) C:\Users\Stuart\iexplore.exe

2013-07-26 01:53 - 2013-07-26 01:53 - 00003078 _____ C:\Windows\System32\Tasks\{92A5A594-8F50-412B-8BFC-22FD997D881F}

2013-07-26 01:53 - 2013-07-26 01:53 - 00000000 ____D C:\Users\Stuart\AppData\Local\75e82ed1-b99c-42ef-8385-1c65d3a1c747ad

2013-07-26 01:53 - 2013-07-26 01:53 - 00000000 _____ C:\Users\Stuart\spoolsv.exe

2013-07-26 01:53 - 2013-07-26 01:53 - 00000000 _____ C:\Users\Stuart\flashplayer.exe

2013-06-30 13:47 - 2013-06-30 13:47 - 00000000 ____D C:\Users\Stuart\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

C:\Windows\assembly\GAC_32\Desktop.ini

C:\Windows\assembly\GAC_64\Desktop.ini

C:\Users\Stuart\AppData\Local\75e82ed1-b99c-42ef-8385-1c65d3a1c747ad\eedbcefcdacad.exe

C:\Users\Stuart\flashplayer.exe

C:\Users\Stuart\iexplore.exe

C:\Users\Stuart\java.exe

C:\Users\Stuart\spoolsv.exe

C:\Users\Stuart\AppData\Roaming\skype.dat

C:\Users\Stuart\AppData\Roaming\skype.ini

C:\Windows\Tasks\{92A5A594-8F50-412B-8BFC-22FD997D881F}.job

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.

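What the fixlist above is undoing is a set of logon persistence points: a per-user RunOnce value, a Winlogon Shell value that starts a second program alongside explorer.exe, a replaced SafeBoot AlternateShell (the program "Safe Mode with Command Prompt" runs instead of the shell), and a scheduled task. The PowerShell script below is an added example, not part of this thread and not part of FRST. It audits those same locations on a booted Windows 7 or later system and reports anything that departs from the documented defaults (Shell = explorer.exe, AlternateShell = cmd.exe) or launches from a user-writable path. The function name, the regex that defines "user-writable path" and the treatment of GUID-named tasks and hidden .job files as review candidates are this example's own assumptions; a flagged entry is something to inspect, not proof of infection.

```powershell
# Added example, not from the thread or from FRST: audit the logon persistence
# points the fixlist above targets, on a booted Windows 7 or later system.
# Run from an elevated PowerShell prompt. Flagged entries are review candidates.

function Get-LogonPersistenceFindings {
    $findings = @()

    # Assumption of this example: a launcher living directly under a user
    # profile, under AppData, or as a loose .exe under ProgramData is suspect.
    $suspectPath = '(?i)\\Users\\[^\\]+\\(AppData\\|[^\\]+\.exe)|\\ProgramData\\[^\\]+\.exe'

    # 1. Winlogon Shell. Documented default is exactly "explorer.exe" in HKLM;
    #    a per-user (HKCU) Shell value is normally absent. The infected machine
    #    had "explorer.exe,<path>\skype.dat": a second program started with the desktop.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                     'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon') {
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($shell -and $shell.Trim() -ne 'explorer.exe') {
            $findings += "Winlogon Shell in $key is '$shell' (expected 'explorer.exe')"
        }
    }

    # 2. SafeBoot AlternateShell: what "Safe Mode with Command Prompt" runs instead
    #    of the shell. Documented default is cmd.exe. Every control set is checked,
    #    because the fixlog above shows the value restored in ControlSet002.
    foreach ($cs in Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' }) {
        $key = "HKLM:\SYSTEM\$($cs.PSChildName)\Control\SafeBoot"
        $alt = (Get-ItemProperty -Path $key -Name AlternateShell -ErrorAction SilentlyContinue).AlternateShell
        if ($alt -and $alt -ne 'cmd.exe') {
            $findings += "SafeBoot AlternateShell in $key is '$alt' (expected 'cmd.exe')"
        }
    }

    # 3. Run / RunOnce autostarts that point into user-writable locations, like the
    #    GUID-named folder under AppData\Local in the fixlist.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce') {
        $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $values) { continue }
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            if ("$($prop.Value)" -match $suspectPath) {
                $findings += "Autorun '$($prop.Name)' in $key runs '$($prop.Value)'"
            }
        }
    }

    # 4. Scheduled tasks. Windows 7 has no Get-ScheduledTask cmdlet, so read the
    #    task definitions (XML files) under System32\Tasks and inspect each Exec action.
    $taskRoot = Join-Path $env:windir 'System32\Tasks'
    Get-ChildItem -Path $taskRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_
            try { $xml = [xml]((Get-Content -Path $file.FullName) -join "`n") } catch { return }
            $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
            $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')
            foreach ($exec in $xml.SelectNodes('//t:Exec', $ns)) {
                $cmd = "$($exec.Command) $($exec.Arguments)".Trim()
                # A bare GUID as the task name is how the sample in this thread registered
                # itself; this example treats that naming as a review candidate too.
                if ($cmd -match $suspectPath -or $file.Name -match '^\{[0-9A-Fa-f-]{36}\}$') {
                    $findings += "Task '$($file.FullName.Substring($taskRoot.Length))' runs '$cmd'"
                }
            }
        }

    # 5. Legacy .job files under Windows\Tasks; the one in the fixlist carried the hidden attribute.
    Get-ChildItem -Path (Join-Path $env:windir 'Tasks') -Filter *.job -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
        ForEach-Object { $findings += "Hidden legacy job file: $($_.FullName)" }

    return $findings
}

$result = Get-LogonPersistenceFindings
if ($result) { $result } else { 'No deviations from the expected defaults found.' }
```

The script only reads; it removes nothing, which is deliberate: on a machine like the one in this thread, the listed paths are the input to a fix such as the FRST fixlist above, and anything reported should be checked against the file's publisher and creation time before it is moved or deleted.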

Alright, I was able to boot up normally and reach my desktop!

I've made sure that the computer was disconnected from the internet before booting up, and I'm going to keep it offline as I copy over the files I want to save. After that I will try to reformat the system.

Thank you so much for the help, I really appreciate it!

Unless there is something that you think needs to be done after viewing the fixlog, I think I can take care of the rest for myself :)

Again, thank you.

So here is the fixlog:

==============================================
HKU\Stuart\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe CSS5.1 Manager => Value deleted successfully.
HKU\Stuart\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Adobe CSS5.1 Manager => Value deleted successfully.
HKU\Stuart\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
hklm\System\ControlSet002\Control\SafeBoot\\AlternateShell => Value was restored successfully.
C:\Users\Stuart\AppData\Roaming\skype.ini => Moved successfully.
C:\Windows\Tasks\{92A5A594-8F50-412B-8BFC-22FD997D881F}.job => Moved successfully.
C:\Users\Stuart\java.exe => Moved successfully.
C:\Users\Stuart\iexplore.exe => Moved successfully.
C:\Windows\System32\Tasks\{92A5A594-8F50-412B-8BFC-22FD997D881F} => Moved successfully.
C:\Users\Stuart\AppData\Local\75e82ed1-b99c-42ef-8385-1c65d3a1c747ad => Moved successfully.
C:\Users\Stuart\spoolsv.exe => Moved successfully.
C:\Users\Stuart\flashplayer.exe => Moved successfully.
C:\Users\Stuart\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 => Moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini => Moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini => Moved successfully.
"C:\Users\Stuart\AppData\Local\75e82ed1-b99c-42ef-8385-1c65d3a1c747ad\eedbcefcdacad.exe" => File/Directory not found.
"C:\Users\Stuart\flashplayer.exe" => File/Directory not found.
"C:\Users\Stuart\iexplore.exe" => File/Directory not found.
"C:\Users\Stuart\java.exe" => File/Directory not found.
"C:\Users\Stuart\spoolsv.exe" => File/Directory not found.
C:\Users\Stuart\AppData\Roaming\skype.dat => Moved successfully.
"C:\Users\Stuart\AppData\Roaming\skype.ini" => File/Directory not found.
"C:\Windows\Tasks\{92A5A594-8F50-412B-8BFC-22FD997D881F}.job" => File/Directory not found.
==== End of Fixlog ====

We are working on it. Let's proceed.

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program, you can download it directly from the link below.
  • Important! Please make sure you save ComboFix to your desktop and do not run it from your browser.
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once ComboFix has completed, it will produce and open a log file. Please be patient, as it can take some time to load.
  • Please copy/paste the contents or attach that log file to your next reply.
  • If needed, the file can be located here: C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
