
FBI MoneyPak - Help!


  • This topic is locked
2 replies to this topic

#1 pcpaulinoii

pcpaulinoii

  • Members
  • 1 posts
  • OFFLINE
  • Local time:10:04 AM

Posted 18 June 2013 - 10:23 AM

An employee's computer recently became affected with the FBI MoneyPak Virus/Malware.

Looking at other posts on this forum I went ahead and ran the FRST64.exe program; the log is as follows (also attached as a text file):

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 16-06-2013 01
Ran by SYSTEM on 18-06-2013 08:14:53
Running from F:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s [7214696 2011-05-25] (Realtek Semiconductor)
HKLM\...\Run: [AtherosBtStack] "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe" [617120 2011-03-31] (Atheros Commnucations)
HKLM\...\Run: [AthBtTray] "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AthBtTray.exe" [379552 2011-03-31] (Atheros Commnucations)
HKLM\...\Run: [DCHostUI] "C:\Program Files (x86)\Atheros Direct Connect\P2PUIMain.exe" -nogui [366592 2011-03-31] (Atheros Communication)
HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [219480 2011-10-17] (Trend Micro Inc.)
HKLM\...\RunOnce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [415232 2009-07-13] (Microsoft Corporation)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM-x32\...\Run: [DELLOSD] C:\Program Files (x86)\DELL\DELLOSD\FastUserSwitching.exe [49152 2010-12-06] ()
HKLM-x32\...\Run: [Chicony_OSD] "C:\Program Files (x86)\Dell\Dell KM632 Wireless Keyboard Caps Lock Indicator\LaunchOSDSrv.exe" [53248 2011-01-12] ()
HKLM-x32\...\Run: [FATrayAlert] C:\Program Files (x86)\Sensible Vision\Fast Access\FATrayMon.exe [96240 2011-08-19] (Sensible Vision )
HKLM-x32\...\Run: [FAStartup]  [x]
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [503942 2011-04-13] (Creative Technology Ltd)
HKLM-x32\...\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [35736 2010-11-15] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-11-15] (Adobe Systems Incorporated)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
HKU\gcastro\...\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe -update activex [247968 2012-03-26] (Adobe Systems, Inc.)
Lsa: [Notification Packages] scecli FAPassSync
 
==================== Services (Whitelisted) =================
 
S2 Atheros Bt&Wlan Coex Agent; C:\Program Files (x86)\Dell Wireless\Ath_CoexAgent.exe [135168 2011-02-16] (Atheros)
S3 DCDhcpService; C:\Program Files (x86)\Atheros Direct Connect\DCDhcpService.exe [100352 2011-03-31] (Atheros Communication Inc.)
S2 Dell WMI Service; C:\Program Files (x86)\DELL\DELLOSD\DellOSDService.exe [98304 2011-05-27] ()
S2 OSDSvc; C:\Program Files (x86)\Dell\Dell KM632 Wireless Keyboard Caps Lock Indicator\OSDSrv.exe [176128 2010-12-01] (Chicony)
S3 TmListen; C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe [1017360 2011-11-17] (Trend Micro Inc.)
S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=qb -dt=60000 [x]
 
==================== Drivers (Whitelisted) ====================
 
S2 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [90896 2011-06-24] (Trend Micro Inc.)
S2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [146192 2011-06-24] (Trend Micro Inc.)
S2 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [69904 2011-06-24] (Trend Micro Inc.)
S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [105552 2010-10-01] (Trend Micro Inc.)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-06-18 08:14 - 2013-06-18 08:14 - 00000000 ____D C:\FRST
2013-06-17 15:17 - 2013-06-18 08:05 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-06-17 15:17 - 2013-06-17 15:17 - 00000000 ____D C:\Users\administrator\Application Data\Malwarebytes
2013-06-17 15:17 - 2013-06-17 15:17 - 00000000 ____D C:\Users\administrator\AppData\Roaming\Malwarebytes
2013-06-17 15:17 - 2013-06-17 15:17 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-06-17 15:17 - 2013-06-17 15:17 - 00000000 ____D C:\ProgramData\Application Data\Malwarebytes
2013-06-17 15:15 - 2013-06-17 15:15 - 00000000 ____D C:\Users\administrator\Application Data\Macromedia
2013-06-17 15:15 - 2013-06-17 15:15 - 00000000 ____D C:\Users\administrator\Application Data\Adobe
2013-06-17 15:15 - 2013-06-17 15:15 - 00000000 ____D C:\Users\administrator\AppData\Roaming\Macromedia
2013-06-17 15:15 - 2013-06-17 15:15 - 00000000 ____D C:\Users\administrator\AppData\Roaming\Adobe
2013-06-17 15:10 - 2013-06-17 15:11 - 00001984 ___AH C:\Users\swells\My Documents\Default.rdp
2013-06-17 15:10 - 2013-06-17 15:11 - 00001984 ___AH C:\Users\swells\Documents\Default.rdp
2013-06-17 15:10 - 2011-06-27 08:44 - 01040384 ____A (The Binding Site Ltd.) C:\Program Files\Line500FCE
2013-06-17 15:09 - 2013-06-17 15:09 - 00000000 ____D C:\Users\swells\Application Data\Atheros Communication
2013-06-17 15:09 - 2013-06-17 15:09 - 00000000 ____D C:\Users\swells\AppData\Roaming\Atheros Communication
2013-06-17 15:06 - 2013-06-17 15:06 - 00000000 ____D C:\Users\swells\Application Data\Macromedia
2013-06-17 15:06 - 2013-06-17 15:06 - 00000000 ____D C:\Users\swells\Application Data\Adobe
2013-06-17 15:06 - 2013-06-17 15:06 - 00000000 ____D C:\Users\swells\AppData\Roaming\Macromedia
2013-06-17 15:06 - 2013-06-17 15:06 - 00000000 ____D C:\Users\swells\AppData\Roaming\Adobe
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\My Documents\Bluetooth Folder
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\Local Settings\BMExplorer
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\Local Settings\Atheros
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\Local Settings\Application Data\BMExplorer
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\Local Settings\Application Data\Atheros
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\Documents\Bluetooth Folder
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\Application Data\Roxio
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\AppData\Roaming\Roxio
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\AppData\Local\BMExplorer
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\AppData\Local\Atheros
2013-06-17 15:02 - 2013-06-18 08:04 - 00000000 ___RD C:\Users\swells\Virtual Machines
2013-06-17 15:02 - 2013-06-17 15:02 - 00000000 ____D C:\Users\swells\Local Settings\VirtualStore
2013-06-17 15:02 - 2013-06-17 15:02 - 00000000 ____D C:\Users\swells\Local Settings\Application Data\VirtualStore
2013-06-17 15:02 - 2013-06-17 15:02 - 00000000 ____D C:\Users\swells\AppData\Local\VirtualStore
2013-06-17 15:01 - 2013-06-18 08:04 - 00000000 ____D C:\users\swells
2013-06-17 15:01 - 2012-06-13 13:07 - 00000000 ____D C:\Users\swells\Local Settings\SoftThinks
2013-06-17 15:01 - 2012-06-13 13:07 - 00000000 ____D C:\Users\swells\Local Settings\Application Data\SoftThinks
2013-06-17 15:01 - 2012-06-13 13:07 - 00000000 ____D C:\Users\swells\AppData\Local\SoftThinks
2013-06-17 14:57 - 2013-06-17 14:57 - 02019305 ____A C:\Users\gcastro\Local Settings\Application Data\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019305 ____A C:\Users\gcastro\Local Settings\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019305 ____A C:\Users\gcastro\AppData\Local\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019291 ____A C:\Users\gcastro\Application Data\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019291 ____A C:\Users\gcastro\AppData\Roaming\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019286 ____A C:\ProgramData\Application Data\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019286 ____A C:\ProgramData\2433f433
 
==================== One Month Modified Files and Folders =======
 
2013-06-18 08:14 - 2013-06-18 08:14 - 00000000 ____D C:\FRST
2013-06-18 08:06 - 2009-07-13 22:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-18 08:06 - 2009-07-13 21:51 - 00034042 ____A C:\Windows\setupact.log
2013-06-18 08:05 - 2013-06-17 15:17 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-06-18 08:05 - 2012-06-13 12:51 - 00000000 ___RD C:\Users\gcastro\Virtual Machines
2013-06-18 08:05 - 2012-06-13 12:51 - 00000000 ____D C:\Users\gcastro\Application Data\Creative
2013-06-18 08:05 - 2012-06-13 12:51 - 00000000 ____D C:\Users\gcastro\AppData\Roaming\Creative
2013-06-18 08:05 - 2012-06-13 12:51 - 00000000 ____D C:\users\gcastro
2013-06-18 08:05 - 2012-06-13 12:34 - 00000000 ____D C:\users\administrator
2013-06-18 08:05 - 2012-06-13 08:48 - 00000000 ____D C:\users\TBS
2013-06-18 08:05 - 2012-03-26 18:14 - 00000000 ____D C:\ProgramData\Atheros
2013-06-18 08:05 - 2012-03-26 18:14 - 00000000 ____D C:\ProgramData\Application Data\Atheros
2013-06-18 08:05 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\security
2013-06-18 08:05 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\AppCompat
2013-06-18 08:04 - 2013-06-17 15:02 - 00000000 ___RD C:\Users\swells\Virtual Machines
2013-06-18 08:04 - 2013-06-17 15:01 - 00000000 ____D C:\users\swells
2013-06-18 08:04 - 2012-06-13 13:14 - 00000000 ____D C:\Users\gcastro\Application Data\Adobe
2013-06-18 08:04 - 2012-06-13 13:14 - 00000000 ____D C:\Users\gcastro\AppData\Roaming\Adobe
2013-06-18 08:04 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\registration
2013-06-18 08:02 - 2012-06-13 12:51 - 00000000 ____D C:\Users\gcastro\Local Settings\Atheros
2013-06-18 08:02 - 2012-06-13 12:51 - 00000000 ____D C:\Users\gcastro\Local Settings\Application Data\Atheros
2013-06-18 08:02 - 2012-06-13 12:51 - 00000000 ____D C:\Users\gcastro\AppData\Local\Atheros
2013-06-18 07:41 - 2012-06-13 12:28 - 00000200 ____A C:\Windows\System32\config\netlogon.ftl
2013-06-17 15:17 - 2013-06-17 15:17 - 00000000 ____D C:\Users\administrator\Application Data\Malwarebytes
2013-06-17 15:17 - 2013-06-17 15:17 - 00000000 ____D C:\Users\administrator\AppData\Roaming\Malwarebytes
2013-06-17 15:17 - 2013-06-17 15:17 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-06-17 15:17 - 2013-06-17 15:17 - 00000000 ____D C:\ProgramData\Application Data\Malwarebytes
2013-06-17 15:15 - 2013-06-17 15:15 - 00000000 ____D C:\Users\administrator\Application Data\Macromedia
2013-06-17 15:15 - 2013-06-17 15:15 - 00000000 ____D C:\Users\administrator\Application Data\Adobe
2013-06-17 15:15 - 2013-06-17 15:15 - 00000000 ____D C:\Users\administrator\AppData\Roaming\Macromedia
2013-06-17 15:15 - 2013-06-17 15:15 - 00000000 ____D C:\Users\administrator\AppData\Roaming\Adobe
2013-06-17 15:11 - 2013-06-17 15:10 - 00001984 ___AH C:\Users\swells\My Documents\Default.rdp
2013-06-17 15:11 - 2013-06-17 15:10 - 00001984 ___AH C:\Users\swells\Documents\Default.rdp
2013-06-17 15:09 - 2013-06-17 15:09 - 00000000 ____D C:\Users\swells\Application Data\Atheros Communication
2013-06-17 15:09 - 2013-06-17 15:09 - 00000000 ____D C:\Users\swells\AppData\Roaming\Atheros Communication
2013-06-17 15:06 - 2013-06-17 15:06 - 00000000 ____D C:\Users\swells\Application Data\Macromedia
2013-06-17 15:06 - 2013-06-17 15:06 - 00000000 ____D C:\Users\swells\Application Data\Adobe
2013-06-17 15:06 - 2013-06-17 15:06 - 00000000 ____D C:\Users\swells\AppData\Roaming\Macromedia
2013-06-17 15:06 - 2013-06-17 15:06 - 00000000 ____D C:\Users\swells\AppData\Roaming\Adobe
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\My Documents\Bluetooth Folder
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\Local Settings\BMExplorer
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\Local Settings\Atheros
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\Local Settings\Application Data\BMExplorer
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\Local Settings\Application Data\Atheros
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\Documents\Bluetooth Folder
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\Application Data\Roxio
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\AppData\Roaming\Roxio
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\AppData\Local\BMExplorer
2013-06-17 15:03 - 2013-06-17 15:03 - 00000000 ____D C:\Users\swells\AppData\Local\Atheros
2013-06-17 15:02 - 2013-06-17 15:02 - 00000000 ____D C:\Users\swells\Local Settings\VirtualStore
2013-06-17 15:02 - 2013-06-17 15:02 - 00000000 ____D C:\Users\swells\Local Settings\Application Data\VirtualStore
2013-06-17 15:02 - 2013-06-17 15:02 - 00000000 ____D C:\Users\swells\AppData\Local\VirtualStore
2013-06-17 14:57 - 2013-06-17 14:57 - 02019305 ____A C:\Users\gcastro\Local Settings\Application Data\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019305 ____A C:\Users\gcastro\Local Settings\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019305 ____A C:\Users\gcastro\AppData\Local\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019291 ____A C:\Users\gcastro\Application Data\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019291 ____A C:\Users\gcastro\AppData\Roaming\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019286 ____A C:\ProgramData\Application Data\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019286 ____A C:\ProgramData\2433f433
2013-06-17 07:20 - 2009-07-08 08:57 - 00248320 ____A C:\Users\gcastro\Desktop\Timesheet 5.23 -  8.14.xls
2013-06-07 09:44 - 2012-03-26 17:52 - 01766581 ____A C:\Windows\WindowsUpdate.log
2013-06-05 13:00 - 2012-06-13 08:52 - 00000422 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
2013-06-05 08:59 - 2007-04-05 13:03 - 00140288 ____A C:\Users\gcastro\Desktop\ORDER FORM.xls
2013-06-03 07:47 - 2009-11-09 11:58 - 00240128 ____A C:\Users\gcastro\Desktop\Timesheet 11.07.09 - 01.29.10.xls
2013-05-31 13:12 - 2012-06-13 12:51 - 00000000 ____D C:\Users\gcastro\My Documents\Bluetooth Folder
2013-05-31 13:12 - 2012-06-13 12:51 - 00000000 ____D C:\Users\gcastro\Documents\Bluetooth Folder
2013-05-30 10:45 - 2009-07-13 22:13 - 00794430 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-28 07:07 - 2009-07-13 21:45 - 00021312 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-28 07:07 - 2009-07-13 21:45 - 00021312 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
 
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1482476501-1957994488-725345543-1194\$e16ed0d82472cca6ec5bc4e7ad170a1a
C:\$Recycle.Bin\S-1-5-21-1482476501-1957994488-725345543-1194\$e16ed0d82472cca6ec5bc4e7ad170a1a\L
C:\$Recycle.Bin\S-1-5-21-1482476501-1957994488-725345543-1194\$e16ed0d82472cca6ec5bc4e7ad170a1a\U
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-03-27 09:01:16
Restore point made on: 2013-04-04 07:52:50
Restore point made on: 2013-04-12 08:49:49
Restore point made on: 2013-04-19 15:40:17
Restore point made on: 2013-04-29 08:38:12
Restore point made on: 2013-05-07 07:14:42
Restore point made on: 2013-05-14 08:22:55
Restore point made on: 2013-05-22 07:49:29
Restore point made on: 2013-05-30 11:16:36
Restore point made on: 2013-06-07 10:02:35
Restore point made on: 2013-06-17 10:10:45
 
==================== Memory info =========================== 
 
Percentage of memory in use: 15%
Total physical RAM: 4001.09 MB
Available physical RAM: 3380.11 MB
Total Pagefile: 3999.29 MB
Available Pagefile: 3353.71 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:449.57 GB) (Free:405.39 GB) NTFS (Disk=0 Partition=3)
Drive d: (RECOVERY) (Fixed) (Total:16.15 GB) (Free:7.51 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
Drive f: () (Removable) (Total:1.86 GB) (Free:1.85 GB) FAT (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: 37B8201B)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=16 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=450 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 01A76FC7)
Partition 1: (Active) - (Size=2 GB) - (Type=06)
 
 
LastRegBack: 2013-06-13 07:37
 
==================== End Of Log ============================

 

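A way to triage an FRST file listing like the one in this post, as an added example that is not part of the original post and not code from the FRST tool: it parses the "One Month Created/Modified Files and Folders" lines, flags unsigned, extension-less files with random 8-hex-character names dropped into profile or ProgramData directories (the pattern of the seven 2433f433 entries, which are the lines the helper later puts into fixlist.txt), and collects the $Recycle.Bin paths FRST prints under its "ZeroAccess:" heading. The regexes, function names and the PROFILE_DIRS list are my own assumptions about the log format; the sample log is a constructed subset of the lines posted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One file/folder line from an FRST "One Month Created/Modified Files and Folders"
# section: "<created> - <modified> - <size> <attrs> [(Company)] <path>".
# Pattern written for this example; it is an assumption, not a published FRST grammar.
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+)$"
)
# Extension-less name of exactly eight lowercase hex characters (e.g. 2433f433).
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")
# $Recycle.Bin\<user SID>\$<32 hex> tree, the layout FRST reports under "ZeroAccess:".
RECYCLE_MARKER = re.compile(
    r"^[A-Z]:\\\$Recycle\.Bin\\S-1-5-[\d-]+\\\$[0-9a-f]{32}(\\|$)", re.IGNORECASE
)
# Lower-cased path fragments of locations a dropper typically writes its payload to;
# the "Local Settings" / "Application Data" forms are Windows 7 compatibility junctions.
PROFILE_DIRS = ("\\appdata\\", "\\application data\\", "\\local settings\\", "\\programdata\\")


@dataclass
class FrstEntry:
    created: str
    modified: str
    size: int
    attrs: str
    company: Optional[str]   # publisher FRST printed in parentheses, None if absent
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_frst_lines(text: str) -> List[FrstEntry]:
    """Return every file/folder line; headers, blank lines and other sections are skipped."""
    entries: List[FrstEntry] = []
    for raw in text.splitlines():
        m = FRST_LINE.match(raw.strip())
        if m:
            entries.append(FrstEntry(m["created"], m["modified"], int(m["size"]),
                                     m["attrs"], m["company"], m["path"]))
    return entries


def flag_entry(e: FrstEntry) -> Optional[str]:
    """Reason the entry looks like a dropped payload, or None if nothing stands out."""
    low = e.path.lower()
    if (not e.is_dir and e.company is None and HEX_NAME.match(e.name)
            and any(d in low for d in PROFILE_DIRS)):
        return "unsigned, extension-less 8-hex-char file in a profile/ProgramData directory"
    return None


def zeroaccess_paths(text: str) -> List[str]:
    """Paths anywhere in the log that match the $Recycle.Bin\\<SID>\\$<hash> layout."""
    return [ln.strip() for ln in text.splitlines() if RECYCLE_MARKER.match(ln.strip())]


def distinct_files(flagged: List[Tuple[FrstEntry, str]]) -> Dict[Tuple[str, int], List[str]]:
    """Group flagged paths by (name, size) so junction aliases of one file collapse together."""
    groups: Dict[Tuple[str, int], List[str]] = {}
    for e, _ in flagged:
        groups.setdefault((e.name, e.size), []).append(e.path)
    return groups


def triage(text: str) -> Tuple[List[Tuple[FrstEntry, str]], List[str]]:
    flagged: List[Tuple[FrstEntry, str]] = []
    for e in parse_frst_lines(text):
        reason = flag_entry(e)
        if reason:
            flagged.append((e, reason))
    return flagged, zeroaccess_paths(text)


# Constructed sample: a subset of the lines from the FRST.txt posted above.
SAMPLE_LOG = r"""
==================== One Month Created Files and Folders ========

2013-06-18 08:14 - 2013-06-18 08:14 - 00000000 ____D C:\FRST
2013-06-17 15:10 - 2013-06-17 15:11 - 00001984 ___AH C:\Users\swells\Documents\Default.rdp
2013-06-17 15:10 - 2011-06-27 08:44 - 01040384 ____A (The Binding Site Ltd.) C:\Program Files\Line500FCE
2013-06-17 14:57 - 2013-06-17 14:57 - 02019305 ____A C:\Users\gcastro\Local Settings\Application Data\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019305 ____A C:\Users\gcastro\Local Settings\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019305 ____A C:\Users\gcastro\AppData\Local\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019291 ____A C:\Users\gcastro\Application Data\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019291 ____A C:\Users\gcastro\AppData\Roaming\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019286 ____A C:\ProgramData\Application Data\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019286 ____A C:\ProgramData\2433f433
2013-06-18 07:41 - 2012-06-13 12:28 - 00000200 ____A C:\Windows\System32\config\netlogon.ftl

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1482476501-1957994488-725345543-1194\$e16ed0d82472cca6ec5bc4e7ad170a1a
C:\$Recycle.Bin\S-1-5-21-1482476501-1957994488-725345543-1194\$e16ed0d82472cca6ec5bc4e7ad170a1a\L
C:\$Recycle.Bin\S-1-5-21-1482476501-1957994488-725345543-1194\$e16ed0d82472cca6ec5bc4e7ad170a1a\U
"""

if __name__ == "__main__":
    flagged, za = triage(SAMPLE_LOG)
    for e, reason in flagged:
        print(f"{e.size:>8} {e.path}  <- {reason}")
    print(f"{len(distinct_files(flagged))} distinct file(s) behind {len(flagged)} listed path(s)")
    for p in za:
        print("ZeroAccess layout:", p)
```

The grouping step matters when reading a log like this one: FRST lists a file once per alias, and "Local Settings", "Local Settings\Application Data" and "Application Data" are junctions to AppData\Local and AppData\Roaming, so the seven 2433f433 lines describe three physical files (three distinct sizes), not seven. The Line500FCE entry is deliberately left unflagged: it has no extension either, but carries a publisher and a non-random name, which is why the name-and-location heuristic alone should feed an analyst's review rather than an automatic deletion list.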

 


#2 Larusso

Larusso

    Raggamuffin


  • Malware Response Team
  • 305 posts
  • OFFLINE
  • Gender:Male
  • Location:Austria
  • Local time:07:04 PM

Posted 18 June 2013 - 11:21 AM

Hi,
my name is Daniel and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.
  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • I am currently visiting an evening school and working nightshift only which might be evening for you. In this time I am mostly online with my mobile devices and won't be able to reply.
Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

2013-06-17 14:57 - 2013-06-17 14:57 - 02019305 ____A C:\Users\gcastro\Local Settings\Application Data\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019305 ____A C:\Users\gcastro\Local Settings\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019305 ____A C:\Users\gcastro\AppData\Local\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019291 ____A C:\Users\gcastro\Application Data\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019291 ____A C:\Users\gcastro\AppData\Roaming\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019286 ____A C:\ProgramData\Application Data\2433f433
2013-06-17 14:57 - 2013-06-17 14:57 - 02019286 ____A C:\ProgramData\2433f433
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST by typing F:\frst64 and press the Fix button just once and wait.
Note: You might need to choose a different drive letter.
The tool will make a log on the flashdrive ( Fixlog.txt ) please post it to your reply.
Try to reboot in Normal Mode now. If you are not able to boot in Normal Mode, stop here and let me know.
Download ComboFix from this location:

Link 1



* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to this topic: How to disable your security applications


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

*Note - if after running ComboFix you see a message similar to 'registry key marked for deletion..' rebooting the machine will resolve that.
regards,
Daniel

Bread for the world instead Bombs and Bangers


I'll always help for free but if you want to support me in my fight against malware, please btn_donate_SM.gif

#3 Larusso

Larusso

    Raggamuffin


  • Malware Response Team
  • 305 posts
  • OFFLINE
  • Gender:Male
  • Location:Austria
  • Local time:07:04 PM

Posted 26 June 2013 - 01:38 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
regards,
Daniel

Bread for the world instead Bombs and Bangers


I'll always help for free but if you want to support me in my fight against malware, please btn_donate_SM.gif



