Jump to content

Moneypak Virus - Farbar Recovery Scan

Flash4Ever84

By Flash4Ever84
in Resolved Malware Removal Logs

 Share

Recommended Posts

Flash4Ever84

Flash4Ever84

Posted
Posted

Hi there,

 

I stumbled upon these forums after having a laptop receiving the dreaded moneypak FBI Virus.  I downloaded and ran the Farbar Recovery Scan and here are my results:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 09-09-2013 01
Ran by SYSTEM on MININT-KOQGCH6 on 10-09-2013 16:12:48
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet002
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-28] (Realtek Semiconductor)
HKLM\...\Run: [Acer ePower Management] - C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [823840 2009-09-30] (Acer Incorporated)
HKLM\...\Run: [mwlDaemon] - C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe [349480 2009-09-10] (Egis Technology Inc.)
HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated)
HKLM\...\Run: [Windows Mobile Device Center] - C:\Windows\WindowsMobile\wmdc.exe [660360 2007-05-31] (Microsoft Corporation)
HKLM\...\Run: [EKIJ5000StatusMonitor] - C:\Windows\system32\spool\DRIVERS\x64\3\EKIJ5000MUI.exe [2045440 2010-09-02] (Eastman Kodak Company)
HKLM\...\RunOnce: [*WerKernelReporting] - %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [415232 2009-07-13] (Microsoft Corporation)
HKLM\...\Policies\Explorer: [NoActiveDesktop] 1
HKLM\...\Policies\Explorer: [NoActiveDesktopChanges] 1
HKLM-x32\...\Run: [LManager] - C:\Program Files (x86)\Launch Manager\LManager.exe [1157128 2009-08-18] (Dritek System Inc.)
HKLM-x32\...\Run: [EgisTecLiveUpdate] - C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe [199464 2009-08-03] (Egis Technology Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [41208 2012-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [startCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2009-07-29] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [RemoteControl8] - C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe [91432 2009-04-15] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD8LanguageShortcut] - C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe [50472 2009-04-15] (CyberLink Corp.)
HKLM-x32\...\Run: [Acer Assist Launcher] - C:\Program Files (x86)\Acer\Acer Assist\launcher.exe [1261568 2007-11-19] ()
HKLM-x32\...\Run: [iSTray] - C:\Program Files (x86)\Spyware Doctor\pctsTray.exe [1243088 2009-11-18] (PC Tools)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-03-12] (Hewlett-Packard)
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [Conime] - %windir%\system32\conime.exe [x]
HKLM-x32\...\Run: [AppleSyncNotifier] - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [58656 2011-04-20] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-09-09] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-04-30] (Apple Inc.)
HKU\Stacie\...\Run: [msnmsgr] - "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
HKU\Stacie\...\Run: [b3dSbFq9.exe] - C:\Users\Stacie\AppData\Local\wPqiqhAQ0\B3dSbFq9.exe [123248 2013-09-07] (Microsoft Corporation)
HKU\Stacie\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION 
HKU\Stacie\...\Command Processor: "C:\Users\Stacie\AppData\Local\wPqiqhAQ0\B3dSbFq9.exe" <===== ATTENTION!
 
==================== Services (Whitelisted) =================
 
S2 McciCMService64; C:\Program Files\Common Files\Motive\McciCMService.exe [517632 2010-05-13] (Alcatel-Lucent)
S3 MWLService; C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe [305448 2009-09-10] (Egis Technology Inc.)
S2 sdAuxService; C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe [359624 2009-10-30] (PC Tools)
S2 sdCoreService; C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe [1141712 2009-11-06] (PC Tools)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] ()
S2 ADExchange; C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe [x]
 
==================== Drivers (Whitelisted) ====================
 
S3 MREMP50; C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS [21248 2010-03-02] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MREMP50; C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS [21248 2010-03-02] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS [20096 2010-03-02] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS [20096 2010-03-02] (Printing Communications Assoc., Inc. (PCAUSA))
S0 PCTCore; C:\Windows\System32\drivers\PCTCore64.sys [218056 2009-11-09] (PC Tools)
S1 gqffoziw; \??\C:\Windows\system32\drivers\gqffoziw.sys [x]
S3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [x]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
S3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-09-07 15:36 - 2013-09-07 15:36 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\W5qTcdgO
2013-09-07 15:36 - 2013-09-07 15:36 - 00183296 _____ C:\Users\Stacie\AppData\Local\p1kW2wMqxLy
2013-09-07 14:10 - 2013-09-07 14:10 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\1pRWPSYFfe
2013-09-07 14:10 - 2013-09-07 14:10 - 00183296 _____ C:\Users\Stacie\AppData\Local\GgGtDowPdm
2013-09-07 14:08 - 2013-09-07 14:08 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\qxjCkbbDfY
2013-09-07 14:08 - 2013-09-07 14:08 - 00183296 _____ C:\Users\Stacie\AppData\Local\gUR5tj0ED
2013-09-07 13:56 - 2013-09-07 13:56 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\TpWqJ8i2Ml
2013-09-07 13:56 - 2013-09-07 13:56 - 00183296 _____ C:\Users\Stacie\AppData\Local\CWxjwzd2tg0
2013-09-07 13:46 - 2013-09-07 13:46 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\3tT6BZGijoB
2013-09-07 13:46 - 2013-09-07 13:46 - 00183296 _____ C:\Users\Stacie\AppData\Local\tyVHl6Fk
2013-09-07 10:36 - 2013-09-07 10:36 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\d9ce2GSTZ
2013-09-07 10:36 - 2013-09-07 10:36 - 00183296 _____ C:\Users\Stacie\AppData\Local\GUIJMDfz
2013-09-07 10:10 - 2013-09-07 10:10 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\SNrw3ts0s8g
2013-09-07 10:10 - 2013-09-07 10:10 - 00183296 _____ C:\Users\Stacie\AppData\Local\4VVCXWWIs
2013-09-07 09:57 - 2013-09-07 09:57 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\6Q2gCiNZ
2013-09-07 09:57 - 2013-09-07 09:57 - 00183296 _____ C:\Users\Stacie\AppData\Local\BY4NYFAHlh
2013-09-07 09:20 - 2013-09-07 09:20 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\qQQSOhdXy
2013-09-07 09:20 - 2013-09-07 09:20 - 00183296 _____ C:\Users\Stacie\AppData\Local\MskOdsRos
2013-09-07 09:11 - 2013-09-07 09:11 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\V2zLjxriFF
2013-09-07 09:11 - 2013-09-07 09:11 - 00183296 _____ C:\Users\Stacie\AppData\Local\Flz9bxn6OFE
2013-09-07 09:06 - 2013-09-07 09:06 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\xbRjPQhO7
2013-09-07 09:06 - 2013-09-07 09:06 - 00183296 _____ C:\Users\Stacie\AppData\Local\rQ6brKEafK
2013-09-07 07:39 - 2013-09-07 07:39 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\ORJxiQnZ
2013-09-07 07:39 - 2013-09-07 07:39 - 00183296 _____ C:\Users\Stacie\AppData\Local\yFR3o0IHMMS
2013-09-07 05:40 - 2013-09-07 05:40 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\NRDoSzz3
2013-09-07 05:40 - 2013-09-07 05:40 - 00183296 _____ C:\Users\Stacie\AppData\Local\0xGhPYemGx
2013-09-07 05:26 - 2013-09-07 05:26 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\R5D5UvQKuy
2013-09-07 05:26 - 2013-09-07 05:26 - 00183296 _____ C:\Users\Stacie\AppData\Local\QIXjpIdr1jq
2013-09-07 05:19 - 2013-09-07 05:19 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\dMdlTwJM
2013-09-07 05:19 - 2013-09-07 05:19 - 00183296 _____ C:\Users\Stacie\AppData\Local\J8GQuiH3Fj
2013-09-07 05:15 - 2013-09-07 05:15 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\OgJMbd0vS
2013-09-07 05:15 - 2013-09-07 05:15 - 00183296 _____ C:\Users\Stacie\AppData\Local\jm2cQ1KT
2013-09-07 04:54 - 2013-09-07 04:54 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\tlGWZ510QGJ
2013-09-07 04:54 - 2013-09-07 04:54 - 00183296 _____ C:\Users\Stacie\AppData\Local\rbPvYMAa
2013-09-07 04:46 - 2013-09-07 04:54 - 00000000 ____D C:\Users\Stacie\AppData\Local\wPqiqhAQ0
2013-09-07 04:46 - 2013-09-07 04:46 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\JNLoJWZ1Cr
2013-09-07 04:46 - 2013-09-07 04:46 - 00183296 _____ C:\Users\Stacie\AppData\Local\VX61Sytyf
2013-08-22 04:14 - 2013-08-22 04:14 - 00001809 _____ C:\Users\Public\Desktop\QuickTime Player.lnk
2013-08-13 23:32 - 2013-07-25 21:13 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-08-13 23:32 - 2013-07-25 21:13 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-08-13 23:32 - 2013-07-25 21:13 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-08-13 23:32 - 2013-07-25 21:12 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-08-13 23:32 - 2013-07-25 21:12 - 02647040 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-08-13 23:32 - 2013-07-25 21:12 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-08-13 23:32 - 2013-07-25 21:12 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-08-13 23:32 - 2013-07-25 21:12 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-08-13 23:32 - 2013-07-25 21:12 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-08-13 23:32 - 2013-07-25 21:12 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-08-13 23:32 - 2013-07-25 21:12 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-08-13 23:32 - 2013-07-25 21:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-08-13 23:32 - 2013-07-25 19:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-08-13 23:32 - 2013-07-25 19:13 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-08-13 23:32 - 2013-07-25 19:13 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-08-13 23:32 - 2013-07-25 19:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-08-13 23:32 - 2013-07-25 19:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-08-13 23:32 - 2013-07-25 19:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-08-13 23:32 - 2013-07-25 19:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-08-13 23:32 - 2013-07-25 19:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-08-13 23:32 - 2013-07-25 19:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-08-13 23:32 - 2013-07-25 19:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-08-13 23:32 - 2013-07-25 19:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-08-13 23:32 - 2013-07-25 19:11 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-08-13 23:32 - 2013-07-25 18:49 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-08-13 23:32 - 2013-07-25 18:39 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-08-13 23:32 - 2013-07-25 17:59 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-08-13 23:31 - 2013-07-25 21:12 - 19239424 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-08-13 23:31 - 2013-07-25 21:12 - 15405056 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-08-13 23:31 - 2013-07-25 19:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-08-13 23:31 - 2013-07-25 19:11 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-08-13 17:10 - 2013-07-08 21:52 - 00224256 _____ (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2013-08-13 17:10 - 2013-07-08 21:46 - 01472512 _____ (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-08-13 17:10 - 2013-07-08 21:46 - 00184320 _____ (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-08-13 17:10 - 2013-07-08 21:46 - 00139776 _____ (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-08-13 17:10 - 2013-07-08 20:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2013-08-13 17:10 - 2013-07-08 20:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-08-13 17:10 - 2013-07-08 20:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-08-13 17:10 - 2013-07-08 20:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-08-13 16:59 - 2013-07-08 22:03 - 05550528 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-08-13 16:59 - 2013-07-08 21:54 - 01732032 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2013-08-13 16:59 - 2013-07-08 21:53 - 00243712 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-08-13 16:59 - 2013-07-08 21:03 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-08-13 16:59 - 2013-07-08 21:03 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-08-13 16:59 - 2013-07-08 20:53 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-08-13 16:59 - 2013-07-08 20:52 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-08-13 16:59 - 2013-07-08 18:49 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-08-13 16:59 - 2013-07-08 18:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-08-13 16:59 - 2013-07-08 18:49 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-08-13 16:59 - 2013-07-08 18:49 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-08-13 16:16 - 2013-07-25 01:25 - 01888768 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-08-13 16:16 - 2013-07-25 00:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-08-13 16:15 - 2013-07-18 17:58 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\tzres.dll
2013-08-13 16:15 - 2013-07-18 17:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-08-13 16:15 - 2013-07-08 21:51 - 01217024 _____ (Microsoft Corporation) C:\Windows\System32\rpcrt4.dll
2013-08-13 16:15 - 2013-07-08 20:52 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2013-08-13 13:56 - 2013-07-05 22:03 - 01910208 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-08-13 13:56 - 2013-06-14 20:32 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tssecsrv.sys
 
==================== One Month Modified Files and Folders =======
 
2013-09-10 16:07 - 2013-09-10 16:07 - 00000000 ____D C:\FRST
2013-09-10 11:55 - 2009-12-28 15:22 - 00000000 ____D C:\Program Files (x86)\Spyware Doctor
2013-09-10 11:54 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-10 11:54 - 2009-07-13 20:51 - 00104930 _____ C:\Windows\setupact.log
2013-09-07 15:36 - 2013-09-07 15:36 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\W5qTcdgO
2013-09-07 15:36 - 2013-09-07 15:36 - 00183296 _____ C:\Users\Stacie\AppData\Local\p1kW2wMqxLy
2013-09-07 14:10 - 2013-09-07 14:10 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\1pRWPSYFfe
2013-09-07 14:10 - 2013-09-07 14:10 - 00183296 _____ C:\Users\Stacie\AppData\Local\GgGtDowPdm
2013-09-07 14:08 - 2013-09-07 14:08 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\qxjCkbbDfY
2013-09-07 14:08 - 2013-09-07 14:08 - 00183296 _____ C:\Users\Stacie\AppData\Local\gUR5tj0ED
2013-09-07 13:56 - 2013-09-07 13:56 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\TpWqJ8i2Ml
2013-09-07 13:56 - 2013-09-07 13:56 - 00183296 _____ C:\Users\Stacie\AppData\Local\CWxjwzd2tg0
2013-09-07 13:48 - 2012-05-30 15:21 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-07 13:48 - 2009-12-08 07:56 - 01555608 _____ C:\Windows\WindowsUpdate.log
2013-09-07 13:46 - 2013-09-07 13:46 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\3tT6BZGijoB
2013-09-07 13:46 - 2013-09-07 13:46 - 00183296 _____ C:\Users\Stacie\AppData\Local\tyVHl6Fk
2013-09-07 13:10 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-07 13:10 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-07 10:36 - 2013-09-07 10:36 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\d9ce2GSTZ
2013-09-07 10:36 - 2013-09-07 10:36 - 00183296 _____ C:\Users\Stacie\AppData\Local\GUIJMDfz
2013-09-07 10:10 - 2013-09-07 10:10 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\SNrw3ts0s8g
2013-09-07 10:10 - 2013-09-07 10:10 - 00183296 _____ C:\Users\Stacie\AppData\Local\4VVCXWWIs
2013-09-07 09:57 - 2013-09-07 09:57 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\6Q2gCiNZ
2013-09-07 09:57 - 2013-09-07 09:57 - 00183296 _____ C:\Users\Stacie\AppData\Local\BY4NYFAHlh
2013-09-07 09:20 - 2013-09-07 09:20 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\qQQSOhdXy
2013-09-07 09:20 - 2013-09-07 09:20 - 00183296 _____ C:\Users\Stacie\AppData\Local\MskOdsRos
2013-09-07 09:11 - 2013-09-07 09:11 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\V2zLjxriFF
2013-09-07 09:11 - 2013-09-07 09:11 - 00183296 _____ C:\Users\Stacie\AppData\Local\Flz9bxn6OFE
2013-09-07 09:06 - 2013-09-07 09:06 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\xbRjPQhO7
2013-09-07 09:06 - 2013-09-07 09:06 - 00183296 _____ C:\Users\Stacie\AppData\Local\rQ6brKEafK
2013-09-07 07:39 - 2013-09-07 07:39 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\ORJxiQnZ
2013-09-07 07:39 - 2013-09-07 07:39 - 00183296 _____ C:\Users\Stacie\AppData\Local\yFR3o0IHMMS
2013-09-07 05:40 - 2013-09-07 05:40 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\NRDoSzz3
2013-09-07 05:40 - 2013-09-07 05:40 - 00183296 _____ C:\Users\Stacie\AppData\Local\0xGhPYemGx
2013-09-07 05:26 - 2013-09-07 05:26 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\R5D5UvQKuy
2013-09-07 05:26 - 2013-09-07 05:26 - 00183296 _____ C:\Users\Stacie\AppData\Local\QIXjpIdr1jq
2013-09-07 05:19 - 2013-09-07 05:19 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\dMdlTwJM
2013-09-07 05:19 - 2013-09-07 05:19 - 00183296 _____ C:\Users\Stacie\AppData\Local\J8GQuiH3Fj
2013-09-07 05:15 - 2013-09-07 05:15 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\OgJMbd0vS
2013-09-07 05:15 - 2013-09-07 05:15 - 00183296 _____ C:\Users\Stacie\AppData\Local\jm2cQ1KT
2013-09-07 05:01 - 2010-10-26 18:19 - 00000000 ____D C:\Users\Stacie\AppData\Roaming\Azureus
2013-09-07 04:54 - 2013-09-07 04:54 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\tlGWZ510QGJ
2013-09-07 04:54 - 2013-09-07 04:54 - 00183296 _____ C:\Users\Stacie\AppData\Local\rbPvYMAa
2013-09-07 04:54 - 2013-09-07 04:46 - 00000000 ____D C:\Users\Stacie\AppData\Local\wPqiqhAQ0
2013-09-07 04:46 - 2013-09-07 04:46 - 00183296 _____ C:\Users\Stacie\AppData\Roaming\JNLoJWZ1Cr
2013-09-07 04:46 - 2013-09-07 04:46 - 00183296 _____ C:\Users\Stacie\AppData\Local\VX61Sytyf
2013-09-06 10:40 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-09-04 15:21 - 2010-04-26 20:00 - 00000000 ____D C:\Users\Stacie\Documents\Stacie
2013-09-03 17:47 - 2011-09-20 11:18 - 00001057 _____ C:\Users\Stacie\AppData\Roaming\vso_ts_preview.xml
2013-09-03 17:47 - 2010-11-12 16:20 - 00000000 ____D C:\Users\Stacie\AppData\Roaming\Vso
2013-09-03 16:35 - 2012-03-25 10:25 - 00000000 ____D C:\Users\Stacie\Documents\ConvertXToDVD
2013-08-25 13:17 - 2012-06-04 08:46 - 00000000 ____D C:\Users\Stacie\Documents\Photography
2013-08-22 04:14 - 2013-08-22 04:14 - 00001809 _____ C:\Users\Public\Desktop\QuickTime Player.lnk
2013-08-22 04:14 - 2010-12-25 05:03 - 00000000 ____D C:\Program Files (x86)\QuickTime
2013-08-20 16:10 - 2012-05-30 15:21 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-08-20 16:10 - 2012-05-30 15:20 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-08-20 16:10 - 2011-06-10 07:17 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-08-20 06:55 - 2012-12-03 05:47 - 00000000 ____D C:\Users\Stacie\Documents\dad
2013-08-20 06:55 - 2010-01-11 19:26 - 00060928 ___SH C:\Users\Stacie\Documents\Thumbs.db
2013-08-20 06:53 - 2011-10-26 05:47 - 00000000 ____D C:\Users\Stacie\Documents\Pool
2013-08-14 01:22 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-08-13 23:22 - 2009-07-13 21:13 - 00747008 _____ C:\Windows\System32\PerfStringBackup.INI
2013-08-13 23:15 - 2013-07-30 23:07 - 00000000 ____D C:\Windows\System32\MRT
2013-08-13 23:10 - 2009-12-28 14:20 - 78161360 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
 
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2846166303-1931590329-3316870314-1000\$6815bc7161c6db50b797b2ad9fbba668
 
Files to move or delete:
====================
C:\Users\Stacie\AppData\Local\wPqiqhAQ0\B3dSbFq9.exe
C:\Users\Stacie\AppData\Local\Temp\ApnToolbarInstaller.exe
C:\Users\Stacie\AppData\Local\Temp\btw8_installer.exe
C:\Users\Stacie\AppData\Local\Temp\candyUpdate.exe
C:\Users\Stacie\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Stacie\AppData\Local\Temp\FlashPlayerUpdate01.exe
C:\Users\Stacie\AppData\Local\Temp\FlashPlayerUpdate02.exe
C:\Users\Stacie\AppData\Local\Temp\GLF5ED6.tmp.ConduitEngineSetup.exe
C:\Users\Stacie\AppData\Local\Temp\GLF7090.tmp.ConduitEngineSetup.exe
C:\Users\Stacie\AppData\Local\Temp\hellskitchen-115189690-setup.s115189690.c110268333.r110268333.len.u930e589a7492849fe62caffad7d3abc7988556dc.dl.exe
C:\Users\Stacie\AppData\Local\Temp\i4jdel0.exe
C:\Users\Stacie\AppData\Local\Temp\i4jdel1.exe
C:\Users\Stacie\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Stacie\AppData\Local\Temp\jre-6u19-windows-i586-iftw-rv.exe
C:\Users\Stacie\AppData\Local\Temp\jre-6u20-windows-i586-iftw-rv.exe
C:\Users\Stacie\AppData\Local\Temp\jre-6u21-windows-i586-iftw-rv.exe
C:\Users\Stacie\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Users\Stacie\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Users\Stacie\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\Stacie\AppData\Local\Temp\MSN5630.exe
C:\Users\Stacie\AppData\Local\Temp\MSN7B09.exe
C:\Users\Stacie\AppData\Local\Temp\MSN865A.exe
C:\Users\Stacie\AppData\Local\Temp\musirausicnnbjahbcf.dll
C:\Users\Stacie\AppData\Local\Temp\musirausicnnbjahbcf.exe
C:\Users\Stacie\AppData\Local\Temp\ose00000.exe
C:\Users\Stacie\AppData\Local\Temp\prxGLF6769.tmp.tbVuze.dll
C:\Users\Stacie\AppData\Local\Temp\prxGLF7090.tmp.tbSwag.dll
C:\Users\Stacie\AppData\Local\Temp\SearchWithGoogleUpdate.exe
C:\Users\Stacie\AppData\Local\Temp\tbFb-F.dll
C:\Users\Stacie\AppData\Local\Temp\TB_9B4D.exe
C:\Users\Stacie\AppData\Local\Temp\vzf-5800398657983653372.dll
C:\Users\Stacie\AppData\Local\Temp\vzf-931659054473667362.dll
C:\Users\Stacie\AppData\Local\Temp\Zynga.exe
C:\Users\Stacie\AppData\Local\Temp\_is1FB0.exe
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-08-20 18:14:23
Restore point made on: 2013-08-24 04:02:29
Restore point made on: 2013-08-30 08:25:19
Restore point made on: 2013-09-03 03:08:36
Restore point made on: 2013-09-06 16:32:02
 
==================== Memory info =========================== 
 
Percentage of memory in use: 34%
Total physical RAM: 1788.05 MB
Available physical RAM: 1169.22 MB
Total Pagefile: 1788.05 MB
Available Pagefile: 1164.21 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB
 
==================== Drives ================================
 
Drive c: (Acer) (Fixed) (Total:136.95 GB) (Free:10.34 GB) NTFS
Drive e: (PQSERVICE) (Fixed) (Total:12 GB) (Free:2.35 GB) NTFS
Drive f: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.32 GB) (Free:0 GB) UDF
Drive g: (FreeAgent GoFlex Drive) (Fixed) (Total:1863.01 GB) (Free:457.07 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149 GB) (Disk ID: C49F5773)
Partition 1: (Not Active) - (Size=12 GB) - (Type=27)
Partition 2: (Active) - (Size=102 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=137 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 1863 GB) (Disk ID: A4B57300)
Partition 1: (Not Active) - (Size=-198626934272) - (Type=07 NTFS)
 
 
LastRegBack: 2013-08-31 20:31
 
==================== End Of Log ============================
 
Any help would be appreciated!  Thanks!
Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

OK, here you go......this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now and if so..........run MBAR
If not...rescan with FRST and post the new log

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.
reply1.jpg

New window that comes up.
replyer1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note: You Must Run This!!!
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
Internet access
Windows Update
Windows Firewall
If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.


MrC

Link to post
Share on other sites
LDTate

LDTate

Posted
Posted

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.