
Computer is infected with computer crime and intellectual property section virus


  • This topic is locked
27 replies to this topic

#1 DanielHonaker

DanielHonaker

  • Members
  • 15 posts
  • OFFLINE
  • Gender:Male
  • Location:U.S
  • Local time:08:33 PM

Posted 12 May 2013 - 01:40 PM

My eMachines desktop running Windows 8 recently became infected with the GreenDot MoneyPak virus. I have visited many sites claiming to have the fix, but none so far have worked.

I try to boot into safe mode, but because I have Windows 8 I must boot from the advanced options; when I try to boot into safe mode my PC automatically restarts and it's back to square one.

Any help would be appreciated.

 




#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,754 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:04:33 PM

Posted 12 May 2013 - 05:42 PM

Welcome aboard

 

I'll report this topic to appropriate helpers.

Hold on....


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 DanielHonaker

Posted 13 May 2013 - 02:24 PM

Thank you



#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,404 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:02:33 AM

Posted 14 May 2013 - 02:35 AM

Hello,
  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

    Plug the flash drive into the infected PC.
  • If you are using Windows 8, consult How to use the Windows 8 System Recovery Environment Command Prompt to enter the System Recovery Command Prompt.
  • Once in the Command Prompt:
    • In the command window type in notepad and press Enter.
    • Notepad opens. Under the File menu select Open.
    • Select "Computer", find your flash drive letter, and close Notepad.
    • In the command window type e:\frst (for the 64-bit version type e:\frst64) and press Enter.
      Note: Replace the letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens, click Yes to the disclaimer.
    • Press the Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 



#5 DanielHonaker

Posted 14 May 2013 - 03:52 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-05-2013
Ran by SYSTEM on 14-05-2013 16:46:50
Running from J:\
Windows 8 Pro (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\Chad\...\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent [ 2013-04-19] (Valve Corporation)
HKU\Chad\...\Run: [Optimizer Pro] C:\Program Files\Optimizer Pro\OptProLauncher.exe [x]
HKU\Chad\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Chad\Documents\70f1fcc2.exe [ 2013-05-11] ()
HKU\Chad\...\Winlogon: [Shell] cmd.exe [ 2012-07-25] (Microsoft Corporation) <==== ATTENTION
HKU\UpdatusUser\...\RunOnce: [DPAPIKeyMig] %SystemRoot%\system32\dpapimig.exe -quiet [ 2012-07-25] (Microsoft Corporation)
HKU\UpdatusUser\...\RunOnce: [WAB Migrate] %ProgramFiles%\Windows Mail\wab.exe /Upgrade [ 2012-07-25] (Microsoft Corporation)
Startup: C:\Users\Chad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

========================== Services (Whitelisted) =================

S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 Updater By SweetPacks; C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe [188760 2013-02-28] ()
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [13344 2013-01-28] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 WUDFWpdMtp; C:\Windows\system32\DRIVERS\WUDFRd.sys [155136 2012-07-25] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-14 16:46 - 2013-05-14 16:46 - 00000000 ____D C:\FRST
2013-05-12 03:02 - 2013-05-12 03:02 - 00000000 ____A C:\Recovery.txt
2013-05-12 02:34 - 2013-05-12 03:02 - 00000000 ___HD C:\$SysReset
2013-05-11 20:40 - 2013-05-11 20:40 - 00174393 ____A C:\Users\Chad\AppData\Roaming\2433f433
2013-05-11 20:40 - 2013-05-11 20:40 - 00174375 ____A C:\ProgramData\2433f433
2013-05-11 20:40 - 2013-05-11 20:40 - 00174337 ____A C:\Users\Chad\AppData\Local\2433f433
2013-05-11 20:40 - 2013-05-11 20:40 - 00030720 ____A C:\Users\Chad\Documents\70f1fcc2.exe
2013-05-11 20:40 - 2013-05-11 20:40 - 00030720 ____A C:\Users\Chad\Documents\70f1fcc2.dll
2013-05-03 02:02 - 2013-05-03 02:02 - 00000000 ____D C:\ProgramData\Google
2013-05-03 02:00 - 2013-05-03 02:00 - 00000000 ____D C:\ProgramData\Adobe

==================== One Month Modified Files and Folders ========

2013-05-14 16:46 - 2013-05-14 16:46 - 00000000 ____D C:\FRST
2013-05-14 12:38 - 2012-07-25 22:04 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-14 12:01 - 2012-07-25 22:53 - 00000000 ____D C:\Windows\System32\sru
2013-05-12 10:26 - 2013-02-20 14:53 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-12 09:30 - 2013-01-31 21:10 - 01917804 ____A C:\Windows\WindowsUpdate.log
2013-05-12 08:31 - 2012-07-25 22:03 - 00100475 ____A C:\Windows\setupact.log
2013-05-12 06:23 - 2012-07-25 22:53 - 00000000 ____D C:\Windows\Microsoft.NET
2013-05-12 03:02 - 2013-05-12 03:02 - 00000000 ____A C:\Recovery.txt
2013-05-12 03:02 - 2013-05-12 02:34 - 00000000 ___HD C:\$SysReset
2013-05-12 02:57 - 2013-01-31 21:09 - 00000000 ____D C:\Program Files\iTunes
2013-05-12 02:57 - 2013-01-31 21:02 - 00000000 ____D C:\users\Chad
2013-05-12 02:57 - 2012-07-25 22:53 - 00000000 ____D C:\Windows\System32\Recovery
2013-05-12 02:57 - 2012-07-25 20:43 - 00000000 ___RD C:\users\Public
2013-05-12 02:47 - 2013-01-31 20:54 - 00000000 ____D C:\Windows.old(1)
2013-05-11 22:10 - 2013-02-20 14:53 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-11 21:28 - 2012-07-25 20:17 - 00524288 __ASH C:\Windows\System32\config\BBI
2013-05-11 21:10 - 2013-01-31 20:56 - 00006090 ____A C:\Windows\PFRO.log
2013-05-11 20:40 - 2013-05-11 20:40 - 00174393 ____A C:\Users\Chad\AppData\Roaming\2433f433
2013-05-11 20:40 - 2013-05-11 20:40 - 00174375 ____A C:\ProgramData\2433f433
2013-05-11 20:40 - 2013-05-11 20:40 - 00174337 ____A C:\Users\Chad\AppData\Local\2433f433
2013-05-11 20:40 - 2013-05-11 20:40 - 00030720 ____A C:\Users\Chad\Documents\70f1fcc2.exe
2013-05-11 20:40 - 2013-05-11 20:40 - 00030720 ____A C:\Users\Chad\Documents\70f1fcc2.dll
2013-05-11 20:09 - 2013-02-01 19:12 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-11 12:38 - 2013-02-15 23:34 - 00000000 ____D C:\Users\Chad\AppData\Local\DoNotTrackPlus
2013-05-09 16:12 - 2012-07-25 22:53 - 00000000 ____D C:\Windows\AUInstallAgent
2013-05-05 13:52 - 2013-02-22 15:11 - 00000000 ____D C:\Program Files\Steam
2013-05-04 13:36 - 2013-01-31 21:15 - 00000000 ____D C:\Users\Chad\AppData\Local\Packages
2013-05-03 02:04 - 2013-05-03 02:00 - 00000000 ____D C:\ProgramData\Adobe
2013-05-03 02:02 - 2013-05-03 02:02 - 00000000 ____D C:\ProgramData\Google
2013-05-03 02:02 - 2013-02-20 14:53 - 00000000 ____D C:\Program Files\Google
2013-05-02 07:28 - 2013-02-02 00:36 - 00238872 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-04-27 03:40 - 2013-02-22 15:11 - 00000000 ____D C:\Program Files\Common Files\Steam
2013-04-19 20:47 - 2013-01-31 22:01 - 00001069 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-04-19 20:47 - 2013-01-31 22:01 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-04-19 19:35 - 2009-03-15 05:04 - 00000000 ____D C:\Users\Chad\Documents\My Games
2013-04-17 11:07 - 2012-07-25 22:53 - 00000000 ____D C:\Windows\System32\NDF
2013-04-15 11:37 - 2013-01-31 21:11 - 00803370 ____A C:\Windows\System32\PerfStringBackup.INI

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-04-21 05:52:30
Restore point made on: 2013-04-30 02:25:47
Restore point made on: 2013-05-12 06:28:37

==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 1918.49 MB
Available physical RAM: 1512.65 MB
Total Pagefile: 1918.49 MB
Available Pagefile: 1524.17 MB
Total Virtual: 2047.88 MB
Available Virtual: 1934.01 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:139.05 GB) (Free:73.9 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (PQSERVICE) (Fixed) (Total:10 GB) (Free:2.93 GB) NTFS
Drive j: (MONSTER UFD) (Removable) (Total:3.61 GB) (Free:3.6 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 149 GB) (Disk ID: 13C703B5)
Partition 1: (Not Active) - (Size=10 GB) - (Type=27)
Partition 2: (Active) - (Size=139 GB) - (Type=07 NTFS)

========================================================
Disk: 5 (MBR Code: Windows XP) (Size: 4 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0C)

Last Boot: 2013-05-12 06:24

==================== End Of Log ============================



#6 Elise

Posted 15 May 2013 - 02:22 AM

It looks like we might be dealing with a rootkit as well. First I'd like to get your computer booting again, after which we'll concentrate on that.

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad window. Save it on the flash drive as fixlist.txt
 
HKU\Chad\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Chad\Documents\70f1fcc2.exe [ 2013-05-11] ()
HKU\Chad\...\Winlogon: [Shell] cmd.exe [ 2012-07-25] (Microsoft Corporation) <==== ATTENTION
SaveMBR: Drive=0
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Now please enter System Recovery command prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply. It will also create an MBR dump on your flash drive; please zip this up and attach it to your next post.

regards, Elise




#7 DanielHonaker

Posted 15 May 2013 - 03:08 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 14-05-2013
Ran by SYSTEM at 2013-05-15 07:00:19 Run:1
Running from J:\
Boot Mode: Recovery

==============================================

HKEY_USERS\Chad\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value deleted successfully.
HKEY_USERS\Chad\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
MBRDUMP.txt is made successfully.

==== End of Fixlog ====

 

 

 

Attached Files
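An added example, not from this thread or from FRST: post #6 asked for an MBR dump (SaveMBR: Drive=0) because FRST's TDL4 check flagged the boot code, and the Fixlog above confirms the dump was made. This Python script shows what to read out of such a 512-byte dump: the NT disk signature (FRST prints it as Disk ID), the four partition entries with their active flags, types and sizes, and a hash of the boot code region for comparison against a dump taken from a known-clean machine of the same model. The sample MBR is constructed to mirror the layout FRST reported for Disk 0 in post #5 (disk ID 13C703B5, a 10 GB type-27 partition followed by a 139 GB active NTFS partition); its boot code bytes are filler, and the 1 MB tail-gap heuristic is the example's own, not FRST's.

```python
import hashlib
import struct

SECTOR = 512
ENTRY = '<B3sB3sII'   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed 512-byte MBR mirroring the layout FRST reported for Disk 0
    in this thread: disk ID 13C703B5, a 10 GB type-27 partition, then a 139 GB
    active NTFS partition. The boot code bytes are filler, not real code."""
    mbr = bytearray(SECTOR)
    mbr[0:4] = b'\x33\xc0\x8e\xd0'                # filler, stands in for boot code
    struct.pack_into('<I', mbr, 440, 0x13C703B5)  # NT disk signature
    gb = 1024 ** 3 // SECTOR
    layout = [(0x00, 0x27, 2048, 10 * gb), (0x80, 0x07, 2048 + 10 * gb, 139 * gb)]
    for i, (status, ptype, start, count) in enumerate(layout):
        struct.pack_into(ENTRY, mbr, 446 + 16 * i, status, b'\xff' * 3, ptype,
                         b'\xff' * 3, start, count)
    mbr[510:512] = b'\x55\xaa'
    return bytes(mbr)


def parse_mbr(mbr):
    """Decode disk signature, partition table and a fingerprint of the boot code."""
    if len(mbr) != SECTOR:
        raise ValueError('an MBR dump is exactly one 512-byte sector')
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(ENTRY, mbr, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue                              # empty slot
        parts.append({'index': i + 1, 'status': status, 'active': status == 0x80,
                      'type': ptype, 'start_lba': start, 'sectors': count,
                      'size_gb': round(count * SECTOR / 1024 ** 3, 2)})
    return {'disk_id': struct.unpack_from('<I', mbr, 440)[0],
            'signature_ok': mbr[510:512] == b'\x55\xaa',
            'bootcode_md5': hashlib.md5(mbr[:440]).hexdigest(),
            'partitions': parts}


def check_mbr(info, known_good_md5=None, disk_sectors=None):
    """Structural checks plus comparison with a known-clean boot code hash."""
    findings = []
    if not info['signature_ok']:
        findings.append('boot signature 55AA missing')
    if known_good_md5 and info['bootcode_md5'] != known_good_md5:
        findings.append('boot code differs from the known-good reference')
    active = [p['index'] for p in info['partitions'] if p['active']]
    if len(active) != 1:
        findings.append('%d active partitions, expected exactly one' % len(active))
    for p in info['partitions']:
        if p['status'] not in (0x00, 0x80):
            findings.append('partition %d has invalid status 0x%02X' % (p['index'], p['status']))
    ordered = sorted(info['partitions'], key=lambda p: p['start_lba'])
    for a, b in zip(ordered, ordered[1:]):
        if a['start_lba'] + a['sectors'] > b['start_lba']:
            findings.append('partitions %d and %d overlap' % (a['index'], b['index']))
    if disk_sectors and ordered:
        tail = disk_sectors - (ordered[-1]['start_lba'] + ordered[-1]['sectors'])
        if tail > 2048:   # heuristic: more than 1 MB unallocated after the last partition
            findings.append('%d unallocated sectors after the last partition; '
                            'bootkits such as TDL4 store their hidden file system there' % tail)
    return findings


if __name__ == '__main__':
    info = parse_mbr(build_sample_mbr())
    print('Disk ID: %08X  boot code MD5: %s' % (info['disk_id'], info['bootcode_md5']))
    for p in info['partitions']:
        print('Partition %d: %s Type=%02X Size=%s GB' % (
            p['index'], 'Active' if p['active'] else 'Not Active', p['type'], p['size_gb']))
    print('Findings:', check_mbr(info) or 'none')
```

To use it on a real dump, pass the 512 bytes FRST saved to parse_mbr(open(path, 'rb').read()) (path is whatever the dump is called on your flash drive) and supply known_good_md5 from a clean machine and disk_sectors from the disk's reported size. A bootkit that leaves the partition table intact passes every structural check, which is why the boot code comparison and a look at the unallocated tail are the parts that actually matter.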



#8 Elise

Posted 15 May 2013 - 03:47 PM

Can you reboot normally now? Likely the desktop won't load, but you should be able to press Windows key + R and execute explorer in order to load this.


regards, Elise




#9 DanielHonaker

Posted 15 May 2013 - 03:55 PM

The desktop loads, but the Computer Crime and Intellectual Property Section window is still up and Windows key + R does nothing.



#10 DanielHonaker

Posted 15 May 2013 - 04:03 PM

Tried again; the desktop loads momentarily and then the CCIP screen pops up before I have a chance to do anything.



#11 Elise

Posted 16 May 2013 - 01:48 AM

Could you please create a new FRST log and post it for review?


regards, Elise




#12 DanielHonaker

Posted 16 May 2013 - 06:05 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-05-2013
Ran by SYSTEM on 16-05-2013 07:02:03
Running from J:\
Windows 8 Pro (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\Chad\...\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent [ 2013-04-19] (Valve Corporation)
HKU\Chad\...\Run: [Optimizer Pro] C:\Program Files\Optimizer Pro\OptProLauncher.exe [x]
HKU\UpdatusUser\...\RunOnce: [DPAPIKeyMig] %SystemRoot%\system32\dpapimig.exe -quiet [ 2012-07-25] (Microsoft Corporation)
HKU\UpdatusUser\...\RunOnce: [WAB Migrate] %ProgramFiles%\Windows Mail\wab.exe /Upgrade [ 2012-07-25] (Microsoft Corporation)
Startup: C:\Users\Chad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

========================== Services (Whitelisted) =================

S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 Updater By SweetPacks; C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe [188760 2013-02-28] ()
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [13344 2013-01-28] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 WUDFWpdMtp; C:\Windows\system32\DRIVERS\WUDFRd.sys [155136 2012-07-25] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-14 16:46 - 2013-05-14 16:46 - 00000000 ____D C:\FRST
2013-05-12 03:02 - 2013-05-12 03:02 - 00000000 ____A C:\Recovery.txt
2013-05-12 02:34 - 2013-05-12 03:02 - 00000000 ___HD C:\$SysReset
2013-05-11 20:40 - 2013-05-11 20:40 - 00174393 ____A C:\Users\Chad\AppData\Roaming\2433f433
2013-05-11 20:40 - 2013-05-11 20:40 - 00174375 ____A C:\ProgramData\2433f433
2013-05-11 20:40 - 2013-05-11 20:40 - 00174337 ____A C:\Users\Chad\AppData\Local\2433f433
2013-05-11 20:40 - 2013-05-11 20:40 - 00030720 ____A C:\Users\Chad\Documents\70f1fcc2.exe
2013-05-11 20:40 - 2013-05-11 20:40 - 00030720 ____A C:\Users\Chad\Documents\70f1fcc2.dll
2013-05-03 02:02 - 2013-05-03 02:02 - 00000000 ____D C:\ProgramData\Google
2013-05-03 02:00 - 2013-05-03 02:04 - 00000000 ____D C:\ProgramData\Adobe

==================== One Month Modified Files and Folders ========

2013-05-16 02:59 - 2012-07-25 22:53 - 00000000 ____D C:\Windows\System32\sru
2013-05-15 13:00 - 2013-02-20 14:53 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-15 13:00 - 2012-07-25 22:04 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-14 16:46 - 2013-05-14 16:46 - 00000000 ____D C:\FRST
2013-05-12 09:30 - 2013-01-31 21:10 - 01917804 ____A C:\Windows\WindowsUpdate.log
2013-05-12 08:31 - 2012-07-25 22:03 - 00100475 ____A C:\Windows\setupact.log
2013-05-12 06:23 - 2012-07-25 22:53 - 00000000 ____D C:\Windows\Microsoft.NET
2013-05-12 03:02 - 2013-05-12 03:02 - 00000000 ____A C:\Recovery.txt
2013-05-12 03:02 - 2013-05-12 02:34 - 00000000 ___HD C:\$SysReset
2013-05-12 02:57 - 2013-01-31 21:09 - 00000000 ____D C:\Program Files\iTunes
2013-05-12 02:57 - 2013-01-31 21:02 - 00000000 ____D C:\users\Chad
2013-05-12 02:57 - 2012-07-25 22:53 - 00000000 ____D C:\Windows\System32\Recovery
2013-05-12 02:57 - 2012-07-25 20:43 - 00000000 ___RD C:\users\Public
2013-05-12 02:47 - 2013-01-31 20:54 - 00000000 ____D C:\Windows.old(1)
2013-05-11 22:10 - 2013-02-20 14:53 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-11 21:28 - 2012-07-25 20:17 - 00524288 __ASH C:\Windows\System32\config\BBI
2013-05-11 21:10 - 2013-01-31 20:56 - 00006090 ____A C:\Windows\PFRO.log
2013-05-11 20:40 - 2013-05-11 20:40 - 00174393 ____A C:\Users\Chad\AppData\Roaming\2433f433
2013-05-11 20:40 - 2013-05-11 20:40 - 00174375 ____A C:\ProgramData\2433f433
2013-05-11 20:40 - 2013-05-11 20:40 - 00174337 ____A C:\Users\Chad\AppData\Local\2433f433
2013-05-11 20:40 - 2013-05-11 20:40 - 00030720 ____A C:\Users\Chad\Documents\70f1fcc2.exe
2013-05-11 20:40 - 2013-05-11 20:40 - 00030720 ____A C:\Users\Chad\Documents\70f1fcc2.dll
2013-05-11 20:09 - 2013-02-01 19:12 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-11 12:38 - 2013-02-15 23:34 - 00000000 ____D C:\Users\Chad\AppData\Local\DoNotTrackPlus
2013-05-09 16:12 - 2012-07-25 22:53 - 00000000 ____D C:\Windows\AUInstallAgent
2013-05-05 13:52 - 2013-02-22 15:11 - 00000000 ____D C:\Program Files\Steam
2013-05-04 13:36 - 2013-01-31 21:15 - 00000000 ____D C:\Users\Chad\AppData\Local\Packages
2013-05-03 02:04 - 2013-05-03 02:00 - 00000000 ____D C:\ProgramData\Adobe
2013-05-03 02:02 - 2013-05-03 02:02 - 00000000 ____D C:\ProgramData\Google
2013-05-03 02:02 - 2013-02-20 14:53 - 00000000 ____D C:\Program Files\Google
2013-05-02 07:28 - 2013-02-02 00:36 - 00238872 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-04-27 03:40 - 2013-02-22 15:11 - 00000000 ____D C:\Program Files\Common Files\Steam
2013-04-19 20:47 - 2013-01-31 22:01 - 00001069 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-04-19 20:47 - 2013-01-31 22:01 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-04-19 19:35 - 2009-03-15 05:04 - 00000000 ____D C:\Users\Chad\Documents\My Games
2013-04-17 11:07 - 2012-07-25 22:53 - 00000000 ____D C:\Windows\System32\NDF

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-04-21 05:52:30
Restore point made on: 2013-04-30 02:25:47
Restore point made on: 2013-05-12 06:28:37

==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 1918.49 MB
Available physical RAM: 1508.91 MB
Total Pagefile: 1918.49 MB
Available Pagefile: 1515.37 MB
Total Virtual: 2047.88 MB
Available Virtual: 1937.07 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:139.05 GB) (Free:73.9 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (PQSERVICE) (Fixed) (Total:10 GB) (Free:2.93 GB) NTFS
Drive j: (MONSTER UFD) (Removable) (Total:3.61 GB) (Free:3.6 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 149 GB) (Disk ID: 13C703B5)
Partition 1: (Not Active) - (Size=10 GB) - (Type=27)
Partition 2: (Active) - (Size=139 GB) - (Type=07 NTFS)

========================================================
Disk: 5 (MBR Code: Windows XP) (Size: 4 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0C)

Last Boot: 2013-05-12 06:24

==================== End Of Log ============================

 



#13 Elise

Posted 16 May 2013 - 10:14 AM

Please save the following as fixlist.txt and run FRST with the Fix button again. Post the resulting log and let me know if you can access normal mode now.



2013-05-11 20:40 - 2013-05-11 20:40 - 00174393 ____A C:\Users\Chad\AppData\Roaming\2433f433
2013-05-11 20:40 - 2013-05-11 20:40 - 00174375 ____A C:\ProgramData\2433f433
2013-05-11 20:40 - 2013-05-11 20:40 - 00174337 ____A C:\Users\Chad\AppData\Local\2433f433
2013-05-11 20:40 - 2013-05-11 20:40 - 00030720 ____A C:\Users\Chad\Documents\70f1fcc2.exe
2013-05-11 20:40 - 2013-05-11 20:40 - 00030720 ____A C:\Users\Chad\Documents\70f1fcc2.dll

regards, Elise


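An added example, not part of any post in this thread: a small Python script that applies the triage Elise did by eye in posts #6 and #13 to lines from the FRST log in post #5. It flags the per-user Winlogon Shell value (anything there other than explorer.exe means the lock screen runs in place of the desktop, which is what post #10 describes), scores Run entries that launch from user-writable paths with no version information under a generated-looking name, clusters the files created in the same minute as the flagged dropper, and emits those lines as a fixlist.txt in the form FRST expects (the log lines verbatim, optionally followed by the SaveMBR directive used in post #6). The sample input is constructed from entries quoted in the posted log; the scoring thresholds and the name heuristic are the example's own, not FRST's.

```python
import ntpath
import re

# Constructed sample in FRST.txt format, built from entries quoted in this thread's log.
SAMPLE_LOG = r"""
HKU\Chad\...\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent [ 2013-04-19] (Valve Corporation)
HKU\Chad\...\Run: [Optimizer Pro] C:\Program Files\Optimizer Pro\OptProLauncher.exe [x]
HKU\Chad\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Chad\Documents\70f1fcc2.exe [ 2013-05-11] ()
HKU\Chad\...\Winlogon: [Shell] cmd.exe [ 2012-07-25] (Microsoft Corporation) <==== ATTENTION
2013-05-14 16:46 - 2013-05-14 16:46 - 00000000 ____D C:\FRST
2013-05-11 20:40 - 2013-05-11 20:40 - 00174393 ____A C:\Users\Chad\AppData\Roaming\2433f433
2013-05-11 20:40 - 2013-05-11 20:40 - 00174375 ____A C:\ProgramData\2433f433
2013-05-11 20:40 - 2013-05-11 20:40 - 00174337 ____A C:\Users\Chad\AppData\Local\2433f433
2013-05-11 20:40 - 2013-05-11 20:40 - 00030720 ____A C:\Users\Chad\Documents\70f1fcc2.exe
2013-05-11 20:40 - 2013-05-11 20:40 - 00030720 ____A C:\Users\Chad\Documents\70f1fcc2.dll
"""

# Autostart line:  HIVE\...\Key: [ValueName] command [size date] (Company)
REG_RE = re.compile(r'^(?P<hive>HK(?:LM|U\\[^\\]+))\\\.\.\.\\(?P<key>\w+): '
                    r'\[(?P<name>[^\]]+)\] (?P<rest>.*)$')
# File line:  created - modified - size attrs [(Company)] path
FILE_RE = re.compile(r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - '
                     r'\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{8} (?P<attr>\w{5}) '
                     r'(?:\([^)]*\) )?(?P<path>.+)$')
COMPANY_RE = re.compile(r'\(([^()]*)\)\s*(?:<====.*)?$')
USER_WRITABLE = re.compile(r'\\(?:Users|ProgramData)\\|\\AppData\\|\\Temp\\', re.I)
RANDOM_NAME = re.compile(r'^[a-z0-9]{16,}$', re.I)  # generated-looking value names


def parse_target(rest):
    """Path of the launched program: quoted string, or text before ' ['."""
    if rest.startswith('"'):
        return rest[1:rest.index('"', 1)]
    return rest.split(' [', 1)[0].strip()


def parse_log(text):
    """Split FRST output into autostart entries and file records."""
    entries, files = [], []
    for line in text.splitlines():
        m = REG_RE.match(line)
        f = FILE_RE.match(line)
        if m:
            company = COMPANY_RE.search(m['rest'])
            entries.append({'line': line, 'hive': m['hive'], 'key': m['key'],
                            'name': m['name'], 'target': parse_target(m['rest']),
                            'company': company.group(1) if company else None})
        elif f:
            files.append({'line': line, 'created': f['created'],
                          'is_dir': 'D' in f['attr'], 'path': f['path']})
    return entries, files


def assess(entry):
    """Score an autostart entry; anything scoring 2 or more gets flagged."""
    score, reasons = 0, []
    def hit(points, why):
        nonlocal score
        score += points
        reasons.append(why)
    if entry['key'].lower() == 'winlogon' and entry['name'].lower() == 'shell':
        if ntpath.basename(entry['target']).lower() != 'explorer.exe':
            hit(3, 'Winlogon Shell replaced by ' + entry['target'])  # lock screen, no desktop
        elif entry['hive'].upper().startswith('HKU'):
            hit(1, 'per-user Shell value (normally absent)')
    if entry['company'] == '':      # FRST prints () when the file has no version info
        hit(1, 'no publisher/version information')
    if USER_WRITABLE.search(entry['target']):
        hit(1, 'launches from a user-writable location')
    if RANDOM_NAME.match(entry['name']):
        hit(1, 'random-looking value name')
    return score, reasons


def related_files(target, files):
    """Files created in the same minute as the flagged target: the same drop."""
    stamps = {f['created'] for f in files if f['path'].lower() == target.lower()}
    return [f for f in files if f['created'] in stamps and not f['is_dir']]


def triage(text, save_mbr=False):
    """Return flagged entries and fixlist.txt lines (FRST accepts log lines verbatim)."""
    entries, files = parse_log(text)
    flagged, fixlist = [], []
    for e in entries:
        score, reasons = assess(e)
        if score >= 2:
            flagged.append((e['name'], reasons))
            fixlist.append(e['line'])
            fixlist += [f['line'] for f in related_files(e['target'], files)
                        if f['line'] not in fixlist]
    if save_mbr:
        fixlist.append('SaveMBR: Drive=0')  # directive used in post #6 to dump the MBR
    return flagged, fixlist


if __name__ == '__main__':
    flagged, fixlist = triage(SAMPLE_LOG, save_mbr=True)
    print('\n'.join('FLAGGED [%s]: %s' % (n, '; '.join(r)) for n, r in flagged))
    print('\n--- fixlist.txt ---\n' + '\n'.join(fixlist))
```

Run as is, it flags the two entries Elise removed in post #6 and produces an eight-line fixlist; point triage() at a real FRST.txt to repeat the process on another log. The same-minute clustering is why post #13 lists exactly the five files stamped 2013-05-11 20:40: the dropper's .dll and the three 2433f433 copies belong in the same fix as the .exe, and the Optimizer Pro entry stays out because an orphaned [x] value is adware residue, not the locker.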


#14 DanielHonaker

Posted 16 May 2013 - 03:58 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 14-05-2013
Ran by SYSTEM at 2013-05-16 16:57:00 Run:2
Running from F:\
Boot Mode: Recovery

==============================================

C:\Users\Chad\AppData\Roaming\2433f433 => Moved successfully.
C:\ProgramData\2433f433 => Moved successfully.
C:\Users\Chad\AppData\Local\2433f433 => Moved successfully.
C:\Users\Chad\Documents\70f1fcc2.exe => Moved successfully.
C:\Users\Chad\Documents\70f1fcc2.dll => Moved successfully.

==== End of Fixlog ====

 

 



#15 DanielHonaker

Posted 16 May 2013 - 04:00 PM

Yes, I can access normal mode now.





