
Need Help Removing Virus / Missing Desktop Icons


This topic is locked
13 replies to this topic

#1 deedubbadoo

  • Members
  • 95 posts
  • Gender:Male
  • Location:Indiana

Posted 13 March 2013 - 03:37 PM

Just started in the Malware removal program, so I'm hoping some of the much wisers, will be able to help me remove this nasty virus plaguing my wife's work machine.  There are no icons on the desktop and the browser seems to be redirecting.  Here is the DDS log, thanks in advance!

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16470  BrowserJavaVersion: 10.7.2
Run by QB Server at 16:17:45 on 2013-03-13
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.4061.1945 [GMT -4:00]
.
AV: Lavasoft Ad-Aware *Enabled/Updated* {445B48C3-0FA4-6B16-8F07-6506F305D800}
SP: Lavasoft Ad-Aware *Enabled/Updated* {FF3AA927-299E-6498-B5B7-5E74888292BD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Dell\DellComms\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Windows\System32\WUDFHost.exe
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer.exe
C:\Program Files (x86)\TeamViewer\Version7\tv_w32.exe
C:\Program Files (x86)\TeamViewer\Version7\tv_x64.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
c:\program files (x86)\teamviewer\version7\TeamViewer_Desktop.exe
C:\PROGRA~2\Intuit\QUICKB~1.0\QBDBMgrN.exe
C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\QB Server\Downloads\TDSS_Undetectable (1).exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ami-crushers.com/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
uRun: [ctfmon.exe] C:\Windows\System32\ctfmon.exe
uRun: [ctfmdiag] C:\Windows\System32\setueout.exe
uRun: [Tuebik] "C:\Users\QB Server\AppData\Roaming\Ihga\igah.exe"
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe  startup
mRun: [hpbdfawep] C:\Program Files (x86)\HP\Dfawep\bin\hpbdfawep.exe 1
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
mRunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
StartupFolder: C:\Users\QBSERV~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files\Dell\DellDock\DellDock.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: NameServer = 192.168.250.254
TCP: Interfaces\{1CF17BCE-BADB-45DA-8AFA-400B7F5F7FFF} : DHCPNameServer = 192.168.250.254
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files (x86)\Intuit\QuickBooks Enterprise Solutions 10.0\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -
SSODL: WebCheck - <orphaned>
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [PrnStatusMX] C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
x64-Run: [HPUsageTracking] "\HP UT\bin\hppusg.exe" "\HP UT"
x64-Run: [SBRegRebootCleaner] "C:\Program Files (x86)\Ad-Aware Antivirus\SBRC.exe"
x64-Run: [MRT] "C:\Windows\System32\MRT.exe" /R
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
x64-Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - <orphaned>
x64-Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - <orphaned>
x64-Notify: GoToAssist - C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll
x64-Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\QB Server\AppData\Roaming\Mozilla\Firefox\Profiles\60vryqvr.default\
FF - prefs.js: browser.startup.homepage - www.ami-crushers.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\3.0.40624.0\npctrlui.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-10-14 55280]
R1 SBRE;SBRE;C:\Windows\System32\drivers\sbredrv.sys [2012-10-5 57976]
R2 Ad-Aware Service;Ad-Aware Service;C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe [2012-9-20 1236368]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-10-5 398184]
R2 QBVSS;QBIDPService;C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [2011-8-19 1248256]
R2 sbapifs;sbapifs;C:\Windows\System32\drivers\sbapifs.sys [2011-11-29 74872]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-10-14 705856]
R2 sprtsvc_DellComms;SupportSoft Sprocket Service (DellComms);C:\Program Files (x86)\Dell\DellComms\bin\sprtsvc.exe [2009-5-5 206064]
R2 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-4-10 2666880]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\System32\drivers\IntcHdmi.sys [2010-10-14 138752]
R3 QuickBooksDB22;QuickBooksDB22;C:\PROGRA~2\Intuit\QUICKB~1.0\QBDBMgrN.exe -hvQuickBooksDB22 --> C:\PROGRA~2\Intuit\QUICKB~1.0\QBDBMgrN.exe -hvQuickBooksDB22 [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-10-14 236544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-10-14 13336]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-10-5 682344]
S2 SBAMSvc;Ad-Aware;C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [2011-12-19 3289032]
S3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-9-18 169312]
S3 sbhips;sbhips;C:\Windows\System32\drivers\sbhips.sys [2012-10-5 60536]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-1-13 1255736]
.
=============== Created Last 30 ================
.
2013-03-13 17:38:32    --------    d-----w-    C:\Users\QB Server\AppData\Local\Programs
2013-03-13 14:35:53    --------    d-----w-    C:\Windows\System32\SPReview
2013-03-13 14:33:34    --------    d-----w-    C:\Windows\System32\EventProviders
2013-03-13 07:36:34    35624    ---ha-w-    C:\Users\QB Server\lulkbneizttry.exe
2013-02-14 11:09:41    --------    d--h--w-    C:\Users\QB Server\AppData\Roaming\Hybu
2013-02-14 11:09:40    --------    d--h--w-    C:\Users\QB Server\AppData\Roaming\Ihga
2013-02-14 11:09:40    --------    d--h--w-    C:\Users\QB Server\AppData\Roaming\Asmoso
2013-02-14 08:32:38    --------    d--h--w-    C:\Users\QB Server\AppData\Roaming\6ce961be-11b6-43d1-ac0f-c09c4ffbadb7ad
2013-02-14 08:03:32    996352    ----a-w-    C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-14 08:03:32    768000    ----a-w-    C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
.
==================== Find3M  ====================
.
2013-03-13 15:21:44    152064    ----a-w-    C:\Windows\SysWow64\msclmd.dll
2013-03-13 15:21:42    175104    ----a-w-    C:\Windows\System32\msclmd.dll
2013-03-13 03:50:26    73432    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-13 03:50:26    693976    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-03-13 03:50:19    16486616    ----a-w-    C:\Windows\SysWow64\FlashPlayerInstaller.exe
2013-02-02 06:57:02    2312704    ----a-w-    C:\Windows\System32\jscript9.dll
2013-02-02 06:47:24    1494528    ----a-w-    C:\Windows\System32\inetcpl.cpl
2013-02-02 06:47:19    1392128    ----a-w-    C:\Windows\System32\wininet.dll
2013-02-02 06:42:18    173056    ----a-w-    C:\Windows\System32\ieUnatt.exe
2013-02-02 06:41:51    599040    ----a-w-    C:\Windows\System32\vbscript.dll
2013-02-02 06:38:01    2382848    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-02-02 03:38:35    1800704    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2013-02-02 03:30:32    1427968    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2013-02-02 03:30:21    1129472    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-02-02 03:26:47    142848    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2013-02-02 03:26:21    420864    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2013-02-02 03:23:28    2382848    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-01-05 05:57:43    5500776    ----a-w-    C:\Windows\System32\ntoskrnl.exe
2013-01-05 05:02:17    3957608    ----a-w-    C:\Windows\SysWow64\ntkrnlpa.exe
2013-01-05 05:02:17    3902312    ----a-w-    C:\Windows\SysWow64\ntoskrnl.exe
2013-01-04 05:41:01    1893224    ----a-w-    C:\Windows\System32\drivers\tcpip.sys
2013-01-04 05:40:54    287576    ----a-w-    C:\Windows\System32\drivers\FWPKCLNT.SYS
2013-01-04 05:37:01    362496    ----a-w-    C:\Windows\System32\wow64win.dll
2013-01-04 05:37:00    243200    ----a-w-    C:\Windows\System32\wow64.dll
2013-01-04 05:37:00    13312    ----a-w-    C:\Windows\System32\wow64cpu.dll
2013-01-04 05:36:33    215040    ----a-w-    C:\Windows\System32\winsrv.dll
2013-01-04 05:33:49    16384    ----a-w-    C:\Windows\System32\ntvdm64.dll
2013-01-04 05:30:34    424960    ----a-w-    C:\Windows\System32\KernelBase.dll
2013-01-04 05:27:03    6144    ---ha-w-    C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2013-01-04 05:27:03    3072    ---ha-w-    C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2013-01-04 05:27:03    3072    ---ha-w-    C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2013-01-04 05:27:02    4608    ---ha-w-    C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2013-01-04 05:27:02    4096    ---ha-w-    C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-01-04 05:27:02    4096    ---ha-w-    C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2013-01-04 05:27:01    3584    ---ha-w-    C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-01-04 05:27:01    3072    ---ha-w-    C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2013-01-04 05:27:00    4608    ---ha-w-    C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2013-01-04 05:27:00    3584    ---ha-w-    C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-01-04 05:27:00    3072    ---ha-w-    C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2013-01-04 04:51:09    5120    ----a-w-    C:\Windows\SysWow64\wow32.dll
2013-01-04 04:51:08    274944    ----a-w-    C:\Windows\SysWow64\KernelBase.dll
2013-01-04 03:22:49    3150848    ----a-w-    C:\Windows\System32\win32k.sys
2013-01-04 03:19:55    338432    ----a-w-    C:\Windows\System32\conhost.exe
2013-01-04 02:48:37    25600    ----a-w-    C:\Windows\SysWow64\setup16.exe
2013-01-04 02:48:34    7680    ----a-w-    C:\Windows\SysWow64\instnm.exe
2013-01-04 02:48:34    14336    ----a-w-    C:\Windows\SysWow64\ntvdm64.dll
2013-01-04 02:48:33    2048    ----a-w-    C:\Windows\SysWow64\user.exe
2013-01-04 02:43:35    3584    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2013-01-04 02:43:34    6144    ---ha-w-    C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2013-01-04 02:43:34    4608    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2013-01-04 02:43:34    3072    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-12-16 16:52:02    46080    ----a-w-    C:\Windows\System32\atmlib.dll
2012-12-16 14:40:45    367616    ----a-w-    C:\Windows\System32\atmfd.dll
2012-12-16 14:25:27    295424    ----a-w-    C:\Windows\SysWow64\atmfd.dll
2012-12-16 14:25:19    34304    ----a-w-    C:\Windows\SysWow64\atmlib.dll
.
============= FINISH: 16:21:06.92 ===============
 


#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 13 March 2013 - 05:40 PM

Hello deedubbadoo,

  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.

 

Do you have a USB Flash Drive you can use?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 deedubbadoo

  • Topic Starter
  • Members
  • 95 posts
  • Gender:Male
  • Location:Indiana

Posted 13 March 2013 - 08:17 PM

Hello Fireman! Yes we have plenty of thumb drives! Thanks in advance!

#4 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 13 March 2013 - 08:54 PM

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Edited by fireman4it, 13 March 2013 - 08:57 PM.



#5 deedubbadoo

  • Topic Starter
  • Members
  • 95 posts
  • Gender:Male
  • Location:Indiana

Posted 16 March 2013 - 08:36 PM

Hey fireman4it!  I apologize for the delay in getting back with you.  For some reason that machine wouldn't launch repair from the F8 menu.  It would just hang on windows is loading files.  So I had to track down a Windows 7 Home Premium 64 bit disc.  Anyway, here is the log from the Farbar scan:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-03-2013
Ran by SYSTEM at 16-03-2013 21:31:37
Running from F:\
Windows 7 Home Premium  Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8306208 2009-10-20] (Realtek Semiconductor)
HKLM\...\Run: [PrnStatusMX] C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe [1238528 2007-08-29] (Marvell Semiconductor, Inc.)
HKLM\...\Run: [HPUsageTracking] "\HP UT\bin\hppusg.exe" "\HP UT" [x]
HKLM\...\Run: [SBRegRebootCleaner] "C:\Program Files (x86)\Ad-Aware Antivirus\SBRC.exe" [200560 2011-12-19] (GFI Software)
HKLM\...\Run: [MRT] "C:\Windows\system32\MRT.exe" /R [72013344 2013-03-04] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe  startup [2215768 2011-12-06] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [hpbdfawep] C:\Program Files (x86)\HP\Dfawep\bin\hpbdfawep.exe 1 [1214976 2007-04-25] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\QB Server\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [9728 2009-07-13] (Microsoft Corporation)
HKU\QB Server\...\Run: [ctfmdiag] C:\Windows\system32\setueout.exe [x]
HKU\QB Server\...\Run: [Tuebik] "C:\Users\QB Server\AppData\Roaming\Ihga\igah.exe" [x]
HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2011-12-27] (Dell)
HKLM-x32\...\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe [165184 2011-01-13] (Softthinks)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$51a58741142c5df500cad93dc5f9b23a\n. ATTENTION! ====> ZeroAccess
Tcpip\Parameters: [DhcpNameServer] 192.168.250.254
AppInit_DLLs: C:\Windows\System32\acaptuser64.dll
Startup: C:\ProgramData\Start Menu\Programs\Startup\Intuit Data Protect.lnk
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\QuickBooks Web Connector.lnk
ShortcutTarget: QuickBooks Web Connector.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe (Intuit)
Startup: C:\ProgramData\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files (x86)\Intuit\QuickBooks Enterprise Solutions 10.0\QBW32.EXE (Intuit Inc.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\QB Server\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\QBDataServiceUser20\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\QBDataServiceUser22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Services (Whitelisted) ===================

2 Ad-Aware Service; "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe" [1236368 2012-09-20] (Lavasoft Limited)
2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [398184 2012-12-14] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [682344 2012-12-14] (Malwarebytes Corporation)
2 nvsvcs; C:\Windows\nvsvcs.exe [222384 2013-03-13] ()
3 QuickBooksDB22; C:\PROGRA~2\Intuit\QUICKB~1.0\QBDBMgrN.exe -hvQuickBooksDB22 [679936 2011-08-19] (Intuit, Inc.)
2 SBAMSvc; "C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe" [3289032 2011-12-19] (GFI Software)

==================== Drivers (Whitelisted) =====================

1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [57976 2011-10-26] (GFI Software)
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-03-15 03:56 - 2013-03-15 09:58 - 00000336 ____A C:\Windows\Tasks\HP WEP.job
2013-03-14 05:00 - 2013-03-14 05:00 - 00000176 ____A C:\ProgramData\-VITgUNNHaVnuar
2013-03-14 05:00 - 2013-03-14 05:00 - 00000176 ____A C:\ProgramData\-VITgUNNHaVnua
2013-03-14 05:00 - 2013-03-14 05:00 - 00000088 ____A C:\ProgramData\VITgUNNHaVnua
2013-03-13 13:39 - 2013-03-13 13:39 - 00222384 ____A () C:\Windows\nvsvcs.exe
2013-03-13 13:39 - 2013-03-13 13:39 - 00000176 ____A C:\ProgramData\-gWNnUdoytjr
2013-03-13 13:39 - 2013-03-13 13:39 - 00000176 ____A C:\ProgramData\-gWNnUdoytj
2013-03-13 13:39 - 2013-03-13 13:39 - 00000088 ____A C:\ProgramData\gWNnUdoytj
2013-03-13 13:36 - 2013-03-13 13:36 - 00051840 ____A C:\Users\QB Server\dwnyshtqsifsr.exe
2013-03-13 12:35 - 2013-03-14 08:00 - 00001907 ____A C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
2013-03-13 12:35 - 2012-10-05 04:32 - 00001169 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2013-03-13 12:35 - 2012-04-10 06:49 - 00001213 ____A C:\Users\QB Server\Desktop\TeamViewer 7.lnk
2013-03-13 12:35 - 2012-04-10 06:49 - 00001201 ____A C:\Users\Public\Desktop\TeamViewer 7.lnk
2013-03-13 12:35 - 2011-10-20 03:31 - 00002381 ____A C:\Users\Public\Desktop\Intuit QuickBooks Enterprise Solutions - Manufacturing and Wholesale Edition 12.0.lnk
2013-03-13 12:29 - 2013-03-14 07:41 - 00009358 ____A C:\Users\QB Server\Desktop\unhide.txt
2013-03-13 12:29 - 2013-03-13 12:29 - 00398752 ____A (Bleeping Computer, LLC) C:\Users\QB Server\Downloads\unhide.exe
2013-03-13 12:24 - 2013-03-13 12:24 - 00007644 ____A C:\Users\QB Server\Documents\Attach.txt
2013-03-13 12:23 - 2013-03-13 12:23 - 00016687 ____A C:\Users\QB Server\Documents\DDS.txt
2013-03-13 12:21 - 2013-03-13 12:21 - 00016687 ____A C:\Users\QB Server\Desktop\dds.txt
2013-03-13 12:21 - 2013-03-13 12:21 - 00007644 ____A C:\Users\QB Server\Desktop\attach.txt
2013-03-13 12:17 - 2013-03-13 12:17 - 00688992 ____R (Swearware) C:\Users\QB Server\Desktop\dds.com
2013-03-13 12:03 - 2013-03-13 12:03 - 02126936 ____A C:\Users\QB Server\Downloads\TDSS_Undetectable (1).exe
2013-03-13 11:55 - 2013-03-13 11:56 - 02126936 ____A C:\Users\QB Server\Downloads\TDSS_Undetectable.exe
2013-03-13 09:39 - 2012-10-05 04:47 - 00001148 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-03-13 09:37 - 2013-03-13 09:38 - 10156344 ____A (Malwarebytes Corporation                                    ) C:\Users\QB Server\Desktop\runaway.exe
2013-03-13 07:40 - 2013-03-14 06:09 - 00001543 ____A C:\Users\QB Server\Desktop\System Repair.lnk
2013-03-13 06:54 - 2013-03-13 06:54 - 00000197 ____A C:\Windows\System32\MRT.INI
2013-03-13 06:52 - 2013-03-04 10:53 - 72013344 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-03-13 06:35 - 2013-03-13 06:35 - 00000000 ____D C:\Windows\System32\SPReview
2013-03-13 06:33 - 2013-03-13 06:33 - 00000000 ____D C:\Windows\System32\EventProviders
2013-03-12 23:39 - 2013-03-13 00:00 - 00000088 ____A C:\ProgramData\gerUBBrbrNl
2013-03-12 23:39 - 2013-03-12 23:39 - 00000176 ____A C:\ProgramData\-gerUBBrbrNlr
2013-03-12 23:39 - 2013-03-12 23:39 - 00000176 ____A C:\ProgramData\-gerUBBrbrNl
2013-03-12 23:36 - 2013-03-12 23:58 - 00035624 ____A C:\Users\QB Server\lulkbneizttry.exe
2013-03-12 23:00 - 2013-02-01 23:31 - 17815040 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-03-12 23:00 - 2013-02-01 22:58 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-03-12 23:00 - 2013-02-01 22:57 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-03-12 23:00 - 2013-02-01 22:48 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-03-12 23:00 - 2013-02-01 22:47 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-03-12 23:00 - 2013-02-01 22:47 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-03-12 23:00 - 2013-02-01 22:46 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-03-12 23:00 - 2013-02-01 22:43 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-03-12 23:00 - 2013-02-01 22:42 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-03-12 23:00 - 2013-02-01 22:42 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-03-12 23:00 - 2013-02-01 22:41 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-03-12 23:00 - 2013-02-01 22:40 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-03-12 23:00 - 2013-02-01 22:39 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-03-12 23:00 - 2013-02-01 22:38 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-03-12 23:00 - 2013-02-01 22:38 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-03-12 23:00 - 2013-02-01 22:34 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-03-12 23:00 - 2013-02-01 20:09 - 12321792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-03-12 23:00 - 2013-02-01 19:42 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-03-12 23:00 - 2013-02-01 19:38 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-03-12 23:00 - 2013-02-01 19:31 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-03-12 23:00 - 2013-02-01 19:30 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-03-12 23:00 - 2013-02-01 19:30 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-03-12 23:00 - 2013-02-01 19:29 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-03-12 23:00 - 2013-02-01 19:27 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-03-12 23:00 - 2013-02-01 19:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-03-12 23:00 - 2013-02-01 19:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-03-12 23:00 - 2013-02-01 19:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-03-12 23:00 - 2013-02-01 19:25 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-03-12 23:00 - 2013-02-01 19:23 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-03-12 23:00 - 2013-02-01 19:23 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-03-12 23:00 - 2013-02-01 19:23 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-03-12 23:00 - 2013-02-01 19:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-02-19 14:06 - 2013-02-19 14:06 - 00016384 ____A C:\Users\QB Server\Desktop\QBTempBackup.tmp Tue, Feb 19 2013 05 06 07 PM
2013-02-14 03:09 - 2013-03-12 23:20 - 00000000 ____D C:\Users\QB Server\AppData\Roaming\Ihga
2013-02-14 03:09 - 2013-02-20 00:00 - 00000000 ____D C:\Users\QB Server\AppData\Roaming\Asmoso
2013-02-14 03:09 - 2013-02-14 03:09 - 00000000 ____D C:\Users\QB Server\AppData\Roaming\Hybu
2013-02-14 00:32 - 2013-03-13 04:49 - 00000000 ____D C:\Users\QB Server\AppData\Roaming\6ce961be-11b6-43d1-ac0f-c09c4ffbadb7ad

==================== One Month Modified Files and Folders =======

2013-03-15 12:48 - 2012-10-04 12:15 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-03-15 12:47 - 2009-07-13 21:10 - 01640237 ____A C:\Windows\WindowsUpdate.log
2013-03-15 12:42 - 2009-07-13 21:13 - 00778834 ____A C:\Windows\System32\PerfStringBackup.INI
2013-03-15 09:58 - 2013-03-15 03:56 - 00000336 ____A C:\Windows\Tasks\HP WEP.job
2013-03-15 04:00 - 2010-10-14 18:40 - 00000000 ____D C:\dell
2013-03-15 03:53 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-03-15 03:53 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-03-15 03:46 - 2010-10-14 16:11 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-03-15 03:45 - 2012-10-05 23:32 - 00004686 ____A C:\Windows\setupact.log
2013-03-15 03:45 - 2012-10-05 23:30 - 00726600 ____A C:\Windows\PFRO.log
2013-03-15 03:45 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-03-14 08:00 - 2013-03-13 12:35 - 00001907 ____A C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
2013-03-14 07:41 - 2013-03-13 12:29 - 00009358 ____A C:\Users\QB Server\Desktop\unhide.txt
2013-03-14 07:28 - 2011-01-11 08:13 - 00000000 ____D C:\users\QB Server
2013-03-14 06:09 - 2013-03-13 07:40 - 00001543 ____A C:\Users\QB Server\Desktop\System Repair.lnk
2013-03-14 05:00 - 2013-03-14 05:00 - 00000176 ____A C:\ProgramData\-VITgUNNHaVnuar
2013-03-14 05:00 - 2013-03-14 05:00 - 00000176 ____A C:\ProgramData\-VITgUNNHaVnua
2013-03-14 05:00 - 2013-03-14 05:00 - 00000088 ____A C:\ProgramData\VITgUNNHaVnua
2013-03-13 13:39 - 2013-03-13 13:39 - 00222384 ____A () C:\Windows\nvsvcs.exe
2013-03-13 13:39 - 2013-03-13 13:39 - 00000176 ____A C:\ProgramData\-gWNnUdoytjr
2013-03-13 13:39 - 2013-03-13 13:39 - 00000176 ____A C:\ProgramData\-gWNnUdoytj
2013-03-13 13:39 - 2013-03-13 13:39 - 00000088 ____A C:\ProgramData\gWNnUdoytj
2013-03-13 13:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep
2013-03-13 13:36 - 2013-03-13 13:36 - 00051840 ____A C:\Users\QB Server\dwnyshtqsifsr.exe
2013-03-13 13:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-03-13 12:29 - 2013-03-13 12:29 - 00398752 ____A (Bleeping Computer, LLC) C:\Users\QB Server\Downloads\unhide.exe
2013-03-13 12:24 - 2013-03-13 12:24 - 00007644 ____A C:\Users\QB Server\Documents\Attach.txt
2013-03-13 12:23 - 2013-03-13 12:23 - 00016687 ____A C:\Users\QB Server\Documents\DDS.txt
2013-03-13 12:21 - 2013-03-13 12:21 - 00016687 ____A C:\Users\QB Server\Desktop\dds.txt
2013-03-13 12:21 - 2013-03-13 12:21 - 00007644 ____A C:\Users\QB Server\Desktop\attach.txt
2013-03-13 12:17 - 2013-03-13 12:17 - 00688992 ____R (Swearware) C:\Users\QB Server\Desktop\dds.com
2013-03-13 12:03 - 2013-03-13 12:03 - 02126936 ____A C:\Users\QB Server\Downloads\TDSS_Undetectable (1).exe
2013-03-13 11:56 - 2013-03-13 11:55 - 02126936 ____A C:\Users\QB Server\Downloads\TDSS_Undetectable.exe
2013-03-13 11:49 - 2012-10-30 04:17 - 00000000 ____D C:\Users\QB Server\Desktop\tdsskiller
2013-03-13 09:39 - 2012-10-04 10:10 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-03-13 09:38 - 2013-03-13 09:37 - 10156344 ____A (Malwarebytes Corporation                                    ) C:\Users\QB Server\Desktop\runaway.exe
2013-03-13 09:24 - 2009-07-13 20:45 - 00388328 ____A C:\Windows\System32\FNTCACHE.DAT
2013-03-13 09:19 - 2012-10-10 07:18 - 00271360 ____A C:\Users\QB Server\Documents\backup.pst
2013-03-13 07:25 - 2009-07-13 23:45 - 00000000 ____D C:\Program Files\Windows Journal
2013-03-13 07:25 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Sidebar
2013-03-13 07:25 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Portable Devices
2013-03-13 07:25 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2013-03-13 07:25 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-03-13 07:25 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\DVD Maker
2013-03-13 07:25 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar
2013-03-13 07:25 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices
2013-03-13 07:25 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2013-03-13 07:25 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
2013-03-13 07:25 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\System
2013-03-13 07:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\sppui
2013-03-13 07:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Setup
2013-03-13 07:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\oobe
2013-03-13 07:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\migwiz
2013-03-13 07:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\manifeststore
2013-03-13 07:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Dism
2013-03-13 07:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\AdvancedInstallers
2013-03-13 07:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sppui
2013-03-13 07:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Setup
2013-03-13 07:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\oobe
2013-03-13 07:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\migwiz
2013-03-13 07:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\manifeststore
2013-03-13 07:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Dism
2013-03-13 07:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\AdvancedInstallers
2013-03-13 07:21 - 2009-07-13 18:36 - 00175104 ____A (Microsoft Corporation) C:\Windows\System32\msclmd.dll
2013-03-13 07:21 - 2009-07-13 18:36 - 00152064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msclmd.dll
2013-03-13 07:02 - 2012-12-22 00:42 - 00005057 ____A C:\Users\QB Server\AppData\Local\58598aaa-f59f-4927-9bbe-ec222868b5c6.crx
2013-03-13 06:54 - 2013-03-13 06:54 - 00000197 ____A C:\Windows\System32\MRT.INI
2013-03-13 06:35 - 2013-03-13 06:35 - 00000000 ____D C:\Windows\System32\SPReview
2013-03-13 06:33 - 2013-03-13 06:33 - 00000000 ____D C:\Windows\System32\EventProviders
2013-03-13 04:49 - 2013-02-14 00:32 - 00000000 ____D C:\Users\QB Server\AppData\Roaming\6ce961be-11b6-43d1-ac0f-c09c4ffbadb7ad
2013-03-13 00:00 - 2013-03-12 23:39 - 00000088 ____A C:\ProgramData\gerUBBrbrNl
2013-03-12 23:58 - 2013-03-12 23:36 - 00035624 ____A C:\Users\QB Server\lulkbneizttry.exe
2013-03-12 23:39 - 2013-03-12 23:39 - 00000176 ____A C:\ProgramData\-gerUBBrbrNlr
2013-03-12 23:39 - 2013-03-12 23:39 - 00000176 ____A C:\ProgramData\-gerUBBrbrNl
2013-03-12 23:20 - 2013-02-14 03:09 - 00000000 ____D C:\Users\QB Server\AppData\Roaming\Ihga
2013-03-12 19:50 - 2012-10-08 10:49 - 16486616 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-03-12 19:50 - 2012-10-04 12:14 - 00693976 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-03-12 19:50 - 2012-03-01 05:30 - 00073432 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-03-04 10:53 - 2013-03-13 06:52 - 72013344 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-02-20 00:00 - 2013-02-14 03:09 - 00000000 ____D C:\Users\QB Server\AppData\Roaming\Asmoso
2013-02-19 14:06 - 2013-02-19 14:06 - 00016384 ____A C:\Users\QB Server\Desktop\QBTempBackup.tmp Tue, Feb 19 2013 05 06 07 PM
2013-02-14 03:09 - 2013-02-14 03:09 - 00000000 ____D C:\Users\QB Server\AppData\Roaming\Hybu
2013-02-14 00:24 - 2013-01-10 05:02 - 00000000 ____D C:\Users\QB Server\AppData\Local\{A708A7D1-5248-4910-0271-14A0E21089CD}


ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-870958723-1830273672-141859770-1000\$51a58741142c5df500cad93dc5f9b23a

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$51a58741142c5df500cad93dc5f9b23a

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-03-13 06:35:48

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 4060.98 MB
Available physical RAM: 3444.53 MB
Total Pagefile: 4059.18 MB
Available Pagefile: 3433.56 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:453.68 GB) (Free:369.94 GB) NTFS
2 Drive e: (GSP1RMCHPXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
3 Drive f: () (Removable) (Total:0.93 GB) (Free:0.93 GB) FAT
4 Drive g: () (Removable) (Total:0.01 GB) (Free:0 GB) FAT
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
10 Drive y: (RECOVERY) (Fixed) (Total:12.03 GB) (Free:5.38 GB) NTFS ==>[System with boot components (obtained from reading drive)]

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B         
  Disk 1    Online          951 MB      0 B         
  Disk 2    Online           10 MB      0 B         
  Disk 3    No Media           0 B      0 B         
  Disk 4    No Media           0 B      0 B         
  Disk 5    No Media           0 B      0 B         
  Disk 6    No Media           0 B      0 B         

Partitions of Disk 0:
===============

Disk ID: 259D4594

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                 39 MB    31 KB
  Partition 2    Primary             12 GB    40 MB
  Partition 3    Primary            453 GB    12 GB
  Partition 4    Primary             10 MB   465 GB

==================================================================================

Disk: 0
Partition 1
Type  : DE
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 9                      FAT    Partition     39 MB  Healthy    Hidden  

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   RECOVERY     NTFS   Partition     12 GB  Healthy            

=========================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   OS           NTFS   Partition    453 GB  Healthy            

=========================================================

Disk: 0
Partition 4
Type  : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

=========================================================

Partitions of Disk 1:
===============

Disk ID: 91F72D24

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            951 MB    31 KB

==================================================================================

Disk: 1
Partition 1
Type  : 06
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     F                FAT    Removable    951 MB  Healthy            

=========================================================

Partitions of Disk 2:
===============

Disk ID: 00000001

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
* Partition 1    Primary             10 MB      0 B

==================================================================================

Disk: 2
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 259D4594

Partition 1:
=========
Hex: 00010100DEFE3F043F00000086390100
Active: NO
Type: DE
Size: 39 MB

Partition 2:
=========
Hex: 0019150507FEFFFF0040010000F08001
Active: NO
Type: 07 (NTFS)
Size: 12 GB

Partition 3:
=========
Hex: 00FEFFFF07FEFFFF0030820130B8B538
Active: NO
Type: 07 (NTFS)
Size: 454 GB

Partition 4:
=========
Hex: 80FEFFFF17FEFFFF00F0373A00500000
Active: YES
Type: 17
Size: 10 MB
ATTENTION ===> Suspicious partition bootkit on partition 4

==============================
Partitions of Disk 1:
===============
Disk ID: 91F72D24

Partition 1:
=========
Hex: 0001010006FE3F783F000000C0BF1D00
Active: NO
Type: 06
Size: 952 MB

==============================
Partitions of Disk 2:
===============
Disk ID: 6B736964

Partition 1:
=========
Hex: 616E64207468656E2070726573732061
Active: NO
Type: 74
Size: 777 GB

Partition 2:
=========
Hex: 6E79206B65790D0A0000494F20202020
Active: NO
Type: 65
Size: 257 GB

Partition 3:
=========
Hex: 20205359534D53444F53202020535953
Active: NO
Type: 53
Size: 667 GB

Partition 4:
=========
Hex: 7F010041BB0007807E020EE940FF0000
Active: NO
Type: BB
Size: 32 MB


Last Boot: 2013-03-15 04:06

==================== End Of Log =============================
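
The "Hex:" lines in the MBR Partition Table section of the log above are raw 16-byte MBR partition entries. Decoding them is how a responder confirms what ListParts flagged on Disk 0 partition 4 (active, hidden NTFS type 17, 10 MB, no volume behind it) and sees that the Disk 2 "partitions" are not a partition table at all. The decoder below is an added example for this thread, not ListParts or FRST code; the entry bytes are copied from the log, while the 512-byte sector size, the disk sector counts and the flagging heuristics are assumptions.

```python
"""Decode raw MBR partition entries (the "Hex:" lines in the log above) and
apply the sanity checks a responder would run on them.  Added example for
this thread, not ListParts/FRST code: entry bytes come from the log; the
sector size, disk sector counts and flagging heuristics are assumptions."""
import struct

SECTOR = 512            # assumed; ListParts' MB/GB figures agree with it
MIB, GIB = 1024 ** 2, 1024 ** 3
TYPE_HIDDEN_NTFS = 0x17  # standard MBR type id; the log's "Suspicious Type"


def decode_entry(hex_entry: str) -> dict:
    """Parse one 16-byte MBR entry: status(1) CHS(3) type(1) CHS(3)
    LBA start(4, LE) sector count(4, LE).  CHS fields are ignored."""
    raw = bytes.fromhex(hex_entry)
    if len(raw) != 16:
        raise ValueError("an MBR partition entry is exactly 16 bytes")
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
    return {
        "status": status,
        "active": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
        "offset_bytes": lba_start * SECTOR,
        "size_bytes": sectors * SECTOR,
    }


def check_entry(entry: dict, disk_sectors: int, has_volume: bool) -> list:
    """Return reasons an entry deserves a closer look (empty = clean).
    has_volume is what ListParts' per-partition volume table showed.
    Heuristics are this example's assumptions, modelled on the log's flags."""
    reasons = []
    if entry["status"] not in (0x00, 0x80):
        reasons.append("status byte is neither 0x00 nor 0x80: not a partition table")
    if entry["lba_start"] + entry["sectors"] > disk_sectors:
        reasons.append("entry extends past the end of the disk")
    if entry["active"]:
        if entry["type"] == TYPE_HIDDEN_NTFS:
            reasons.append("active partition carries hidden-NTFS type 0x17")
        if not has_volume:
            reasons.append("active partition has no mountable volume")
        if entry["size_bytes"] <= 16 * MIB:
            reasons.append("active partition is only %d MB"
                           % (entry["size_bytes"] // MIB))
    return reasons


def size_label(nbytes: int) -> str:
    """Format a byte count the way the log does (MB below 1 GB, else GB)."""
    return ("%d MB" % (nbytes // MIB)) if nbytes < GIB else ("%.2f GB" % (nbytes / GIB))


# Disk 0 entries from the "MBR Partition Table" section above, plus whether
# ListParts listed a volume for each partition.
DISK0_ENTRIES = [
    "00010100DEFE3F043F00000086390100",  # partition 1, type DE (Dell utility)
    "0019150507FEFFFF0040010000F08001",  # partition 2, RECOVERY
    "00FEFFFF07FEFFFF0030820130B8B538",  # partition 3, OS (C:)
    "80FEFFFF17FEFFFF00F0373A00500000",  # partition 4, the flagged one
]
DISK0_HAS_VOLUME = [True, True, True, False]
# Disk 2 "entries" from the same log (a 10 MB removable device).
DISK2_ENTRIES = ["616E64207468656E2070726573732061",
                 "6E79206B65790D0A0000494F20202020"]
# Assumed sector counts: a common 500 GB drive geometry for Disk 0, and the
# 10 MB that ListParts reports for Disk 2.
DISK0_SECTORS = 976_773_168
DISK2_SECTORS = 10 * MIB // SECTOR


def audit(entries, has_volume, disk_sectors) -> dict:
    """Map partition number -> reasons, for one disk's MBR entries."""
    return {n: check_entry(decode_entry(hx), disk_sectors, vol)
            for n, (hx, vol) in enumerate(zip(entries, has_volume), 1)}


if __name__ == "__main__":
    for n, hx in enumerate(DISK0_ENTRIES, 1):
        e = decode_entry(hx)
        print("Disk 0 partition %d: type %02X active=%-5s offset %s, size %s"
              % (n, e["type"], e["active"], size_label(e["offset_bytes"]),
                 size_label(e["size_bytes"])))
    for n, reasons in audit(DISK0_ENTRIES, DISK0_HAS_VOLUME, DISK0_SECTORS).items():
        for r in reasons:
            print("  partition %d: %s" % (n, r))
    # Disk 2's bytes read as ASCII boot-message text, not a partition table.
    for n, reasons in audit(DISK2_ENTRIES, [False, False], DISK2_SECTORS).items():
        print("Disk 2 entry %d: %r -> %s" % (n, bytes.fromhex(DISK2_ENTRIES[n - 1]), reasons))
```

The decoded sizes and offsets reproduce the figures ListParts printed (39 MB, 40 MB, 12 GB, 453.68 GB, 465 GB, 10 MB), which is the check that the hex really is the table the tool read.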



#6 fireman4it

Bleepin' Fireman
  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 17 March 2013 - 09:11 AM

Hello,

1.

IMPORTANT NOTE: One or more of the identified infections is a backdoor Trojan. Backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker. Read Danger: Remote Access Trojans.

You should disconnect the computer from the Internet and from any networked computers until it is cleaned. If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.

Although the infection has been identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

  • When should I re-format? How should I reinstall?
  • Where to draw the line? When to recommend a format and reinstall?
  • Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
    Reimaging the system
    Restoring the entire system using a full system backup from before the backdoor infection
    Reformatting and reinstalling the system
    Backdoors and What They Mean to You

    This is what Jesper M. Johansson at Microsoft TechNet has to say in Help: I Got Hacked. Now What Do I Do? The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

2.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

HKLM-x32\...\Run: []  [x]
HKU\QB Server\...\Run: [ctfmdiag] C:\Windows\system32\setueout.exe [x]
HKU\QB Server\...\Run: [Tuebik] "C:\Users\QB Server\AppData\Roaming\Ihga\igah.exe" [x]
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]

C:\$Recycle.Bin\S-1-5-18\$51a58741142c5df500cad93dc5f9b23a\n. ATTENTION! ====> ZeroAccess
C:\ProgramData\-VITgUNNHaVnuar
C:\ProgramData\-VITgUNNHaVnua
C:\ProgramData\VITgUNNHaVnua
C:\ProgramData\-gWNnUdoytjr
C:\ProgramData\-gWNnUdoytj
C:\ProgramData\gWNnUdoytj
C:\Users\QB Server\dwnyshtqsifsr.exe
C:\ProgramData\gerUBBrbrNl
C:\ProgramData\-gerUBBrbrNlr
C:\ProgramData\-gerUBBrbrNl
C:\Users\QB Server\lulkbneizttry.exe
C:\Users\QB Server\AppData\Roaming\Ihga
C:\Users\QB Server\AppData\Roaming\Asmoso
C:\Users\QB Server\AppData\Roaming\Hybu
C:\$Recycle.Bin\S-1-5-21-870958723-1830273672-141859770-1000\$51a58741142c5df500cad93dc5f9b23a
C:\$Recycle.Bin\S-1-5-18\$51a58741142c5df500cad93dc5f9b23a



NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

3.
Please download Listparts64
Run the tool, click Scan and post the log (Result.txt) it makes.

Things to include in your next reply:

Fixlog.txt
Results.txt


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 deedubbadoo

  • Topic Starter
  • Members
  • 95 posts
  • Gender:Male
  • Location:Indiana

Posted 17 March 2013 - 05:07 PM

Thanks again Fireman!  Here's the fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2013
Ran by SYSTEM at 2013-03-17 18:00:05 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
HKEY_USERS\QB Server\Software\Microsoft\Windows\CurrentVersion\Run\\ctfmdiag Value deleted successfully.
HKEY_USERS\QB Server\Software\Microsoft\Windows\CurrentVersion\Run\\Tuebik Value deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).
C:\$Recycle.Bin\S-1-5-18\$51a58741142c5df500cad93dc5f9b23a\n. ATTENTION! ====> ZeroAccess not found.
C:\ProgramData\-VITgUNNHaVnuar moved successfully.
C:\ProgramData\-VITgUNNHaVnua moved successfully.
C:\ProgramData\VITgUNNHaVnua moved successfully.
C:\ProgramData\-gWNnUdoytjr moved successfully.
C:\ProgramData\-gWNnUdoytj moved successfully.
C:\ProgramData\gWNnUdoytj moved successfully.
C:\Users\QB Server\dwnyshtqsifsr.exe moved successfully.
C:\ProgramData\gerUBBrbrNl moved successfully.
C:\ProgramData\-gerUBBrbrNlr moved successfully.
C:\ProgramData\-gerUBBrbrNl moved successfully.
C:\Users\QB Server\lulkbneizttry.exe moved successfully.
C:\Users\QB Server\AppData\Roaming\Ihga moved successfully.
C:\Users\QB Server\AppData\Roaming\Asmoso moved successfully.
C:\Users\QB Server\AppData\Roaming\Hybu moved successfully.
C:\$Recycle.Bin\S-1-5-21-870958723-1830273672-141859770-1000\$51a58741142c5df500cad93dc5f9b23a moved successfully.
C:\$Recycle.Bin\S-1-5-18\$51a58741142c5df500cad93dc5f9b23a moved successfully.

==== End of Fixlog ====

And here is the "Results" log:

ListParts by Farbar Version: 10-03-2013
Ran by QB Server (administrator) on 17-03-2013 at 18:02:46
Windows 7 (X64)
Running From: I:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 27%
Total physical RAM: 4060.98 MB
Available physical RAM: 2932.08 MB
Total Pagefile: 8120.11 MB
Available Pagefile: 6759.98 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:453.68 GB) (Free:369.93 GB) NTFS
2 Drive d: (GSP1RMCHPXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
7 Drive i: () (Removable) (Total:1.86 GB) (Free:0.66 GB) FAT

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B         
  Disk 1    No Media           0 B      0 B         
  Disk 2    No Media           0 B      0 B         
  Disk 3    No Media           0 B      0 B         
  Disk 4    No Media           0 B      0 B         
  Disk 5    Online         1908 MB      0 B         

Partitions of Disk 0:
===============

Disk ID: 259D4594

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                 39 MB    31 KB
  Partition 2    Primary             12 GB    40 MB
  Partition 3    Primary            453 GB    12 GB
  Partition 4    Primary             10 MB   465 GB

======================================================================================================

Disk: 0
Partition 1
Type  : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1         RECOVERY     NTFS   Partition     12 GB  Healthy    System (partition with boot components)  

======================================================================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   OS           NTFS   Partition    453 GB  Healthy    Boot    

======================================================================================================

Disk: 0
Partition 4
Type  : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 5:
===============

Disk ID: 00000000

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1907 MB    64 KB

======================================================================================================

Disk: 5
Partition 1
Type  : 06
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 7     I                FAT    Removable   1907 MB  Healthy            

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 259D4594

Partition 1:
===========
Hex: 00010100DEFE3F043F00000086390100
Active: NO
Type: DE
Size: 39 MB

Partition 2:
===========
Hex: 8019150507FEFFFF0040010000F08001
Active: YES
Type: 07 (NTFS)
Size: 12 GB

Partition 3:
===========
Hex: 00FEFFFF07FEFFFF0030820130B8B538
Active: NO
Type: 07 (NTFS)
Size: 454 GB

==============================
Partitions of Disk 5:
===============
Disk ID: 00000000

Partition 1:
===========
Hex: 00020400063FFFC8810000003F9D3B00
Active: NO
Type: 06
Size: 2 GB

The boot configuration data store could not be opened.
The system cannot find the file specified.


****** End Of Log ******



#8 fireman4it

Bleepin' Fireman
  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 18 March 2013 - 07:16 PM

  • Click Start and in the Search Programs and files box type Notepad.exe then hit Enter.
  • An empty Notepad file will open.
  • Copy and paste the contents of the code box below into Notepad.


Disk=0 Partition=4 type=07



  • Click Format and ensure Wordwrap is unchecked.
  • Save as Fix.txt to your Desktop (must be in this location).


Next

  • Double click ListParts.exe to launch the program.
  • Double click ListParts64.exe to launch the program.
  • Press the Fix button.
  • ListParts will process the script in Fix.txt.
  • When finished please press the Scan button.
  • A log Result.txt will open on your Desktop.
  • Please post me the contents of the log.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 deedubbadoo

deedubbadoo
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Indiana
  • Local time:07:54 PM

Posted 18 March 2013 - 07:45 PM

Fireman, I'm unable to run the listparts64.exe software because I'm immediately greeted with the FBI Moneypak screen upon boot. I can't bypass it.

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:54 PM

Posted 18 March 2013 - 09:12 PM

Please post a new FRST log.




#11 deedubbadoo

deedubbadoo
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Indiana
  • Local time:07:54 PM

Posted 19 March 2013 - 07:28 AM

I will try to get that posted as soon as possible.  I'm trying to talk her boss into a wipe and re-install.  But, in the meantime, I'll do everything I can.  Thanks again!



#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:54 PM

Posted 19 March 2013 - 07:29 PM

A wipe and reinstall would be a good thing if they could.




#13 deedubbadoo

deedubbadoo
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Indiana
  • Local time:07:54 PM

Posted 22 March 2013 - 09:48 AM

Fireman,

Thank you for all of your help, it looks like they have decided to do a wipe and restore on the machine.  I appreciate you looking into the problem!  This thread can be closed.

Thanks again!

-Dom



#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:54 PM

Posted 23 March 2013 - 01:07 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





