FBI Virus Moneypak removal help without safemode already ran FRST

[kjoyner]

Hi please help me - i Have read previous posts on this and have the following scan info from running FRST64 with command prompt: 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 05-09-2013
Ran by SYSTEM on MININT-2IAHU3H on 04-09-2013 21:39:52
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet002
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2785064 2011-05-05] (Synaptics Incorporated)
HKLM\...\Run: [AmIcoSinglun64] - C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [361984 2011-03-21] (Alcor Micro Corp.)
HKLM\...\Run: [synAsusAcpi] - C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe [97064 2011-05-05] (Synaptics Incorporated)
HKLM\...\Run: [RtHDVBg] - C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2277480 2011-08-15] (Realtek Semiconductor)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)
HKLM\...\Policies\Explorer: [NoActiveDesktop] 1
HKLM\...\Policies\Explorer: [NoActiveDesktopChanges] 1
HKLM-x32\...\Run: [ASUSPRP] - C:\Program Files (x86)\ASUS\APRP\APRP.EXE [3331312 2012-02-17] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ASUSWebStorage] - C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe [737104 2011-07-29] (ecareme)
HKLM-x32\...\Run: [sonicMasterTray] - C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe [984400 2010-07-09] (Virage Logic Corporation / Sonic Focus)
HKLM-x32\...\Run: [ATKOSD2] - C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [318080 2011-12-22] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ATKMEDIA] - C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [174720 2011-10-24] (ASUS)
HKLM-x32\...\Run: [HControlUser] - C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [Wireless Console 3] - C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [2319536 2011-10-18] (ASUS)
HKLM-x32\...\Run: [bCSSync] - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [CitrixReceiver] - "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk" [x]
HKLM-x32\...\Run: [ConnectionCenter] - C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [380088 2012-07-27] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
AppInit_DLLs-x32: C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll [257208 2012-07-27] (Citrix Systems, Inc.)

==================== Services (Whitelisted) =================

S2 ASUS InstantOn; C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnSrv.exe [277120 2012-02-16] (ASUS)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [15416 2009-07-20] ( )
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-09-03 22:12 - 2013-09-03 22:12 - 00000272 ____H C:\Windows\Tasks\{0C02A81B-844F-42D8-9736-EFB6079D3B48}.job
2013-08-19 19:32 - 2013-08-19 19:32 - 00000000 ____D C:\Windows\System32\MRT

==================== One Month Modified Files and Folders =======

2013-09-04 21:38 - 2013-09-04 21:38 - 00000000 ____D C:\FRST
2013-09-03 22:51 - 2012-06-13 16:19 - 00001984 _____ C:\Windows\System32\AutoRunFilter.ini
2013-09-03 22:50 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-03 22:50 - 2009-07-13 20:51 - 00048883 _____ C:\Windows\setupact.log
2013-09-03 22:12 - 2013-09-03 22:12 - 00000272 ____H C:\Windows\Tasks\{0C02A81B-844F-42D8-9736-EFB6079D3B48}.job
2013-09-03 22:09 - 2012-02-17 23:37 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-03 22:05 - 2012-11-15 10:17 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-03 22:03 - 2012-06-13 16:10 - 01922983 _____ C:\Windows\WindowsUpdate.log
2013-08-30 05:40 - 2013-04-25 09:04 - 00048384 _____ C:\Windows\IE9_main.log
2013-08-21 20:05 - 2012-11-15 10:17 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-08-21 20:05 - 2012-11-15 10:17 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-08-19 19:36 - 2009-07-13 21:13 - 00793204 _____ C:\Windows\System32\PerfStringBackup.INI
2013-08-19 19:34 - 2013-08-19 19:32 - 00000000 ____D C:\Windows\System32\MRT
2013-08-19 19:32 - 2012-11-15 09:01 - 78161360 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-08-14 17:03 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-14 17:03 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-05 17:49 - 2013-06-01 18:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-08-05 16:55 - 2012-11-06 20:00 - 00000000 ___HD C:\ASUS.DAT
2013-08-05 16:54 - 2013-04-03 06:39 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-08-05 16:54 - 2013-04-03 06:39 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-08-05 16:54 - 2012-02-17 23:15 - 00051132 _____ C:\Windows\PFRO.log

Files to move or delete:
====================
C:\Windows\Tasks\{0C02A81B-844F-42D8-9736-EFB6079D3B48}.job

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-08-10 17:21:36
Restore point made on: 2013-08-14 16:59:13
Restore point made on: 2013-08-19 19:29:43
Restore point made on: 2013-08-21 19:55:53
Restore point made on: 2013-08-26 06:52:14
Restore point made on: 2013-08-28 18:35:59
Restore point made on: 2013-08-30 05:38:18
Restore point made on: 2013-09-02 12:28:04

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 6048.13 MB
Available physical RAM: 5347.14 MB
Total Pagefile: 6046.27 MB
Available Pagefile: 5348.2 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:119.24 GB) (Free:70.41 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive d: (DATA) (Fixed) (Total:153.85 GB) (Free:153.76 GB) NTFS
Drive f: (CORSAIR) (Removable) (Total:15.05 GB) (Free:14.73 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: E3102A4B)
Partition 1: (Not Active) - (Size=25 GB) - (Type=1C)
Partition 2: (Active) - (Size=119 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=154 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 15 GB) (Disk ID: 04DD5721)
Partition 1: (Active) - (Size=15 GB) - (Type=0C)

LastRegBack: 2013-08-28 20:11

==================== End Of Log ============================

 

 

I dont know what to do from here please help

 

Thank you

[Psychotic]

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

• First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
• Perform everything in the correct order. Sometimes one step requires the previous one.
• If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
• Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
• Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
• Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
• My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
hmmm...that could be difficult. Let´s try that first:
 
 
 
Fix with FRST (Recovery Environment)

• Open notepad (Start =>All Programs => Accessories => Notepad).
• Please copy the entire contents of the code box below.
  (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt
  
  

  C:\Windows\Tasks\{0C02A81B-844F-42D8-9736-EFB6079D3B48}.job

  
  
  NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  
  Now please enter System Recovery Options again.
  
  
• Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
• The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.
  

 

 

Try to boot into windows and report.

[AdvancedSetup]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!