Moneypak Virus - Farbar Recovery Scan


Hello administrators and thank you for trying to help me :) My brother happened to stumble across this Money Pack virus after trying to download a childish mod pack for a truck simulator game he has on our desktop. Anyways, I finally managed to look into it since college is getting rough, but I quickly made a scan using FARBAR and watched a few videos on how to fix this issue, and it doesn't seem difficult at all! I actually made a fixlist of what I was able to gather based on the FRST.txt file, but I want to MAKE SURE that it's correct according to the experts. I'm curious how you actually find the virus or, moreover, identify what is beside random characters for names! What methods do you use to look at the logs? Manual? Anyways, here is my log.

 

The virus happened on September 9, 2013, if that helps pinpoint it quickly.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-09-2013 01
Ran by SYSTEM on MININT-54PONKP on 13-09-2013 16:31:19
Running from F:\
Windows 7 Ultimate (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet003
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13374568 2011-12-13] (Realtek Semiconductor)
HKLM\...\Winlogon: [userinit] C:\Windows\system32\userinit.exe,C:\Windows\system32\Java\JavaUpdate.exe
HKLM-x32\...\Run: [GrooveMonitor] - C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-26] (Microsoft Corporation)
HKU\Jona & Tim\...\Run: [uOtstN9gV.exe] - C:\Users\Jona & Tim\AppData\Local\ryjnzWqI1q\uOtstN9gV.exe [79872 2013-09-09] ()
HKU\Jona & Tim\...\Policies\system: [DisableLockWorkstation] 0
HKU\Jona & Tim\...\Policies\system: [EnableLUA] 0
HKU\Jona & Tim\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION 
HKU\Jona & Tim\...\Command Processor: "C:\Users\Jona & Tim\AppData\Local\ryjnzWqI1q\uOtstN9gV.exe" <===== ATTENTION!
BootExecute: PDBoot.exeautocheck autochk * 
 
==================== Services (Whitelisted) =================
 
S2 EaseUS Agent; C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe [60552 2011-10-21] (CHENGDU YIWO Tech Development Co., Ltd)
S2 Guard Agent; C:\Program Files (x86)\EaseUS\Todo Backup\bin\GuardAgent.exe [23176 2011-10-21] (CHENGDU YIWO Tech Development Co., Ltd)
 
==================== Drivers (Whitelisted) ====================
 
S3 anvsnddrv; C:\Windows\System32\drivers\anvsnddrv.sys [33872 2011-11-28] (AnvSoft Inc.)
S1 BS_I2cIo; C:\Windows\system32\drivers\BS_I2cIo.sys [15408 2008-06-16] (BIOSTAR Group)
S1 BS_I2cIo; C:\Windows\system32\drivers\BS_I2cIo.sys [15408 2008-06-16] (BIOSTAR Group)
S0 EUBKMON; C:\Windows\System32\drivers\EUBKMON.sys [50312 2011-10-21] ()
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [x]
S3 tsusbhub; system32\drivers\tsusbhub.sys [x]
S3 VGPU; System32\drivers\rdvgkmd.sys [x]
 
========================== Drivers MD5 =======================
 
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-09-09 15:56 - 2013-09-09 15:56 - 00183296 _____ C:\Users\Jona & Tim\AppData\Roaming\oU3M0MAl
2013-09-09 15:56 - 2013-09-09 15:56 - 00183296 _____ C:\Users\Jona & Tim\AppData\Local\uYMN2uaiPF9
2013-09-09 15:56 - 2013-09-09 15:56 - 00183296 _____ C:\ProgramData\VRg4Io2k
2013-09-09 15:55 - 2013-09-09 15:59 - 00000000 ____D C:\Users\Jona & Tim\AppData\Local\ryjnzWqI1q
2013-09-09 15:37 - 2013-09-09 15:42 - 659557464 _____ (SCS Software                                                ) C:\Users\Jona & Tim\Downloads\EuroTruckSimulator2_1_4_12_setup.exe
2013-08-16 19:59 - 2013-08-16 20:31 - 00009635 _____ C:\Users\Jona & Tim\Documents\TombRaider.log
2013-08-16 19:59 - 2013-08-16 19:59 - 00000000 ____D C:\ProgramData\Steam
2013-08-16 19:54 - 2013-08-16 19:54 - 00002093 _____ C:\Users\Public\Desktop\Tombraider.lnk
2013-08-16 19:48 - 2013-08-16 19:48 - 00000000 ____D C:\Program Files (x86)\SQUARE ENIX
 
==================== One Month Modified Files and Folders =======
 
2013-09-13 16:30 - 2013-09-13 16:30 - 00000000 ____D C:\FRST
2013-09-10 17:15 - 2013-06-22 08:52 - 00003778 _____ C:\Windows\setupact.log
2013-09-10 17:15 - 2012-08-18 11:47 - 00000902 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-10 17:15 - 2012-08-17 15:35 - 00000000 ____D C:\ProgramData\NVIDIA
2013-09-10 17:15 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-10 17:15 - 2009-07-13 20:45 - 00021504 _____ C:\Windows\System32\umstartup.etl
2013-09-10 17:15 - 2009-07-13 20:45 - 00014192 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-10 17:15 - 2009-07-13 20:45 - 00014192 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-10 17:12 - 2009-07-13 21:13 - 00726444 _____ C:\Windows\System32\PerfStringBackup.INI
2013-09-09 15:59 - 2013-09-09 15:55 - 00000000 ____D C:\Users\Jona & Tim\AppData\Local\ryjnzWqI1q
2013-09-09 15:56 - 2013-09-09 15:56 - 00183296 _____ C:\Users\Jona & Tim\AppData\Roaming\oU3M0MAl
2013-09-09 15:56 - 2013-09-09 15:56 - 00183296 _____ C:\Users\Jona & Tim\AppData\Local\uYMN2uaiPF9
2013-09-09 15:56 - 2013-09-09 15:56 - 00183296 _____ C:\ProgramData\VRg4Io2k
2013-09-09 15:56 - 2012-08-17 15:23 - 01093534 _____ C:\Windows\WindowsUpdate.log
2013-09-09 15:51 - 2013-04-05 15:04 - 00000000 ____D C:\Users\Jona & Tim\Documents\Euro Truck Simulator 2
2013-09-09 15:45 - 2013-04-05 15:04 - 00001332 _____ C:\Users\Public\Desktop\Euro Truck Simulator 2.lnk
2013-09-09 15:45 - 2013-04-05 15:03 - 00000000 ____D C:\Program Files (x86)\Euro Truck Simulator 2
2013-09-09 15:42 - 2013-09-09 15:37 - 659557464 _____ (SCS Software                                                ) C:\Users\Jona & Tim\Downloads\EuroTruckSimulator2_1_4_12_setup.exe
2013-09-09 15:34 - 2013-07-16 16:44 - 00000000 ____D C:\Users\Jona & Tim\AppData\Roaming\.minecraft
2013-09-08 16:11 - 2012-08-18 11:47 - 00000906 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-08 16:09 - 2012-08-17 19:05 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-05 16:01 - 2013-01-05 17:22 - 00000000 ____D C:\Users\Jona & Tim\Downloads\Minecraft Related
2013-08-20 17:09 - 2012-08-17 19:05 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-08-20 17:09 - 2012-08-17 19:05 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-08-20 17:09 - 2012-08-17 19:05 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-08-18 11:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-08-16 20:31 - 2013-08-16 19:59 - 00009635 _____ C:\Users\Jona & Tim\Documents\TombRaider.log
2013-08-16 19:59 - 2013-08-16 19:59 - 00000000 ____D C:\ProgramData\Steam
2013-08-16 19:54 - 2013-08-16 19:54 - 00002093 _____ C:\Users\Public\Desktop\Tombraider.lnk
2013-08-16 19:48 - 2013-08-16 19:48 - 00000000 ____D C:\Program Files (x86)\SQUARE ENIX
 
Files to move or delete:
====================
C:\Users\Jona & Tim\AppData\Local\ryjnzWqI1q\uOtstN9gV.exe
C:\Users\Jona & Tim\AppData\Roaming\skype.ini
C:\Users\Jona & Tim\AppData\Local\Temp\yedmwbryftykhrdkpcq.dll
C:\Users\Jona & Tim\AppData\Local\Temp\yedmwbryftykhrdkpcq.exe
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
 
==================== BCD ================================
 
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=Y:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {default}
resumeobject            {56c3b623-e875-11e1-8c8a-a15c5f51043e}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30
 
Windows Boot Loader
-------------------
identifier              {default}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {current}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {56c3b623-e875-11e1-8c8a-a15c5f51043e}
nx                      OptIn
numproc                 8
usefirmwarepcisettings  No
 
Windows Boot Loader
-------------------
identifier              {current}
device                  ramdisk=[C:]\Recovery\56c3b625-e875-11e1-8c8a-a15c5f51043e\Winre.wim,{56c3b626-e875-11e1-8c8a-a15c5f51043e}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[C:]\Recovery\56c3b625-e875-11e1-8c8a-a15c5f51043e\Winre.wim,{56c3b626-e875-11e1-8c8a-a15c5f51043e}
systemroot              \windows
nx                      OptIn
winpe                   Yes
 
Resume from Hibernate
---------------------
identifier              {56c3b623-e875-11e1-8c8a-a15c5f51043e}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      Yes
 
Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=Y:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes
 
EMS Settings
------------
identifier              {emssettings}
bootems                 Yes
 
Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200
 
RAM Defects
-----------
identifier              {badmemory}
 
Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}
 
Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}
 
Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200
 
Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}
 
Device options
--------------
identifier              {56c3b626-e875-11e1-8c8a-a15c5f51043e}
description             Ramdisk Options
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\56c3b625-e875-11e1-8c8a-a15c5f51043e\boot.sdi
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 10%
Total physical RAM: 8173.15 MB
Available physical RAM: 7354.9 MB
Total Pagefile: 8171.3 MB
Available Pagefile: 7348 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:119.14 GB) (Free:19.73 GB) NTFS
Drive f: (USB) (Removable) (Total:0.98 GB) (Free:0.74 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 119 GB) (Disk ID: 0D9F15E7)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=119 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 1019 MB) (Disk ID: A004BACE)
Partition 1: (Active) - (Size=1012 MB) - (Type=0B)
 
 
LastRegBack: 2013-09-02 15:12
 
==================== End Of Log ============================

 

 


Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box, right click on it and select Copy. Then right click into the open Notepad window and select Paste. Save it on the flashdrive as fixlist.txt

start
HKU\Jona & Tim\...\Run: [uOtstN9gV.exe] - C:\Users\Jona & Tim\AppData\Local\ryjnzWqI1q\uOtstN9gV.exe [79872 2013-09-09] ()
HKU\Jona & Tim\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Jona & Tim\...\Command Processor: "C:\Users\Jona & Tim\AppData\Local\ryjnzWqI1q\uOtstN9gV.exe" <===== ATTENTION!
2013-09-09 15:56 - 2013-09-09 15:56 - 00183296 _____ C:\Users\Jona & Tim\AppData\Roaming\oU3M0MAl
2013-09-09 15:56 - 2013-09-09 15:56 - 00183296 _____ C:\Users\Jona & Tim\AppData\Local\uYMN2uaiPF9
2013-09-09 15:56 - 2013-09-09 15:56 - 00183296 _____ C:\ProgramData\VRg4Io2k
2013-09-09 15:55 - 2013-09-09 15:59 - 00000000 ____D C:\Users\Jona & Tim\AppData\Local\ryjnzWqI1q
C:\Users\Jona & Tim\AppData\Local\ryjnzWqI1q\uOtstN9gV.exe
C:\Users\Jona & Tim\AppData\Roaming\skype.ini
C:\Users\Jona & Tim\AppData\Local\Temp\yedmwbryftykhrdkpcq.dll
C:\Users\Jona & Tim\AppData\Local\Temp\yedmwbryftykhrdkpcq.exe
end

Now please enter System Recovery Options as you did to get the log.

Run FRST64 or FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.
 

Next,

 

See if the system will now boot to normal Windows; if so, do the following:

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Kevin...


I'm back. Ran the fixlist and all went smooth like butter. After that, I ran "Malwarebytes Anti-Malware" and did a full scan. Managed to find one threat referred to as a Malbot found within the System32 Java files. Removed it, restarted, and my PC is running like a champ once again. Thank you very much for the fast reply! Ironically enough, I had the exact same fix lines as you except for the "start" and "end" lines, and in a different order. Haha. But it's always good to get expert advice.

 

Can I ask how you identify which lines of the logs are threats beyond what appears to look bad? My own logs in general were easy to pinpoint, but I have seen other people's on Google and forums with logs where admins pointed out more lines as threats than I would have expected, lines I would have thought to be harmless. An example is that 1.img and 2.img could be a threat. Never knew that.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-09-2013 01
Ran by SYSTEM at 2013-09-15 12:55:02 Run:1
Running from F:\
Boot Mode: Recovery
==============================================
 
Content of fixlist:
*****************
start
HKU\Jona & Tim\...\Run: [uOtstN9gV.exe] - C:\Users\Jona & Tim\AppData\Local\ryjnzWqI1q\uOtstN9gV.exe [79872 2013-09-09] ()
HKU\Jona & Tim\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Jona & Tim\...\Command Processor: "C:\Users\Jona & Tim\AppData\Local\ryjnzWqI1q\uOtstN9gV.exe" <===== ATTENTION!
2013-09-09 15:56 - 2013-09-09 15:56 - 00183296 _____ C:\Users\Jona & Tim\AppData\Roaming\oU3M0MAl
2013-09-09 15:56 - 2013-09-09 15:56 - 00183296 _____ C:\Users\Jona & Tim\AppData\Local\uYMN2uaiPF9
2013-09-09 15:56 - 2013-09-09 15:56 - 00183296 _____ C:\ProgramData\VRg4Io2k
2013-09-09 15:55 - 2013-09-09 15:59 - 00000000 ____D C:\Users\Jona & Tim\AppData\Local\ryjnzWqI1q
C:\Users\Jona & Tim\AppData\Local\ryjnzWqI1q\uOtstN9gV.exe
C:\Users\Jona & Tim\AppData\Roaming\skype.ini
C:\Users\Jona & Tim\AppData\Local\Temp\yedmwbryftykhrdkpcq.dll
C:\Users\Jona & Tim\AppData\Local\Temp\yedmwbryftykhrdkpcq.exe
end
*****************
 
HKU\Jona & Tim\Software\Microsoft\Windows\CurrentVersion\Run\\uOtstN9gV.exe => Value deleted successfully.
HKU\Jona & Tim\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKU\Jona & Tim\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.
C:\Users\Jona & Tim\AppData\Roaming\oU3M0MAl => Moved successfully.
C:\Users\Jona & Tim\AppData\Local\uYMN2uaiPF9 => Moved successfully.
C:\ProgramData\VRg4Io2k => Moved successfully.
C:\Users\Jona & Tim\AppData\Local\ryjnzWqI1q => Moved successfully.
"C:\Users\Jona & Tim\AppData\Local\ryjnzWqI1q\uOtstN9gV.exe" => File/Directory not found.
C:\Users\Jona & Tim\AppData\Roaming\skype.ini => Moved successfully.
C:\Users\Jona & Tim\AppData\Local\Temp\yedmwbryftykhrdkpcq.dll => Moved successfully.
C:\Users\Jona & Tim\AppData\Local\Temp\yedmwbryftykhrdkpcq.exe => Moved successfully.
 
==== End of Fixlog ====

 

Can I ask how you identify which lines of logs are threats beyond what appear to look bad?

 

Research combined with time and effort, also help and advice from the developers of the tools we use and other guys who work the forums...

 

Did you follow the rest of my instructions to run FRST from normal Windows? Can I see both of the produced logs...

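As an added illustration (not code from this thread, from Kevin, or from the FRST tool itself), the Python below applies the heuristics a helper visibly relied on when building the fixlist above: a Winlogon Shell value that is not explorer.exe, any Command Processor AutoRun value, and unsigned, random-named objects in user-writable folders that were created on the incident day. The sample lines are a constructed subset of the FRST.txt posted earlier; the thresholds in looks_random and the USER_WRITABLE markers are my assumptions, not rules published by the tool.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample: lines copied from the FRST.txt in this thread, plus two
# benign entries (a vendor autorun and a game installer) for contrast.
SAMPLE_FRST = r"""
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13374568 2011-12-13] (Realtek Semiconductor)
HKU\Jona & Tim\...\Run: [uOtstN9gV.exe] - C:\Users\Jona & Tim\AppData\Local\ryjnzWqI1q\uOtstN9gV.exe [79872 2013-09-09] ()
HKU\Jona & Tim\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Jona & Tim\...\Command Processor: "C:\Users\Jona & Tim\AppData\Local\ryjnzWqI1q\uOtstN9gV.exe" <===== ATTENTION!
2013-09-09 15:56 - 2013-09-09 15:56 - 00183296 _____ C:\Users\Jona & Tim\AppData\Roaming\oU3M0MAl
2013-09-09 15:56 - 2013-09-09 15:56 - 00183296 _____ C:\ProgramData\VRg4Io2k
2013-09-09 15:55 - 2013-09-09 15:59 - 00000000 ____D C:\Users\Jona & Tim\AppData\Local\ryjnzWqI1q
2013-09-09 15:37 - 2013-09-09 15:42 - 659557464 _____ (SCS Software) C:\Users\Jona & Tim\Downloads\EuroTruckSimulator2_1_4_12_setup.exe
2013-08-16 19:59 - 2013-08-16 19:59 - 00000000 ____D C:\ProgramData\Steam
""".strip().splitlines()

# Line shapes as FRST prints them: Run values, Winlogon Shell, Command Processor
# AutoRun, and "created - modified - size attrs (publisher) path" file entries.
RUN_RE = re.compile(
    r"^(?P<hive>.*?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] - (?P<path>.+?) "
    r"\[\d+ \d{4}-\d\d-\d\d\] \((?P<publisher>.*?)\)")
SHELL_RE = re.compile(r"\\Winlogon: \[shell\] (?P<value>\S+)", re.IGNORECASE)
CMDPROC_RE = re.compile(r"\\Command Processor: (?P<value>.+)")
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d) \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d+ "
    r"(?P<attrs>\S+) (?:\((?P<publisher>.*?)\) )?(?P<path>.+)$")

# Assumed markers for locations a standard user can write to without elevation.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Finding:
    line: str
    reason: str


def looks_random(name: str) -> bool:
    """Assumed heuristic: alphanumeric stem of 7+ chars mixing upper, lower and
    digits with no separators, e.g. uOtstN9gV; RtHDVCpl (no digit) passes as benign."""
    stem = name.rsplit(".", 1)[0]
    return (len(stem) >= 7 and stem.isalnum()
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem)
            and any(c.isdigit() for c in stem))


def in_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def triage(lines, incident_day: date):
    """Return the lines a helper would lift into a fixlist, with a reason each."""
    findings = []
    for line in lines:
        if m := SHELL_RE.search(line):
            # The logon shell should be explorer.exe; cmd.exe here is the lock screen loader.
            if m["value"].lower().rsplit("\\", 1)[-1] != "explorer.exe":
                findings.append(Finding(line, f"Winlogon Shell replaced with {m['value']}"))
        elif CMDPROC_RE.search(line):
            # FRST only prints this key when an AutoRun value exists; it runs on every cmd.exe start.
            findings.append(Finding(line, "Command Processor AutoRun value present"))
        elif m := RUN_RE.match(line):
            if in_user_writable(m["path"]) and not m["publisher"] and looks_random(m["name"]):
                findings.append(Finding(line, "unsigned random-named autorun in a user-writable folder"))
        elif m := FILE_RE.match(line):
            created = date.fromisoformat(m["created"])
            stem = m["path"].rsplit("\\", 1)[-1]
            if (created == incident_day and in_user_writable(m["path"])
                    and not m["publisher"] and looks_random(stem)):
                findings.append(Finding(line, "random-named object created on the incident day, no publisher"))
    return findings


def build_fixlist(findings) -> str:
    """Wrap the flagged lines in the start/end markers FRST expects in fixlist.txt."""
    return "\n".join(["start", *(f.line for f in findings), "end"])


if __name__ == "__main__":
    hits = triage(SAMPLE_FRST, date(2013, 9, 9))
    for f in hits:
        print(f"{f.reason}: {f.line}")
    print(build_fixlist(hits))
```

The flagged lines reproduce the registry and created-file entries in Kevin's fixlist; the plain paths under "Files to move or delete" come from FRST's own check and are not re-derived here.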

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
