ICE Moneypack Virus


This topic is locked
9 replies to this topic

#1 tomlawncare

tomlawncare

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:05 PM

Posted 07 August 2013 - 09:23 PM

I have the ICE Moneypack Virus on Windows 7 Home 64bit. I have tried a number of options I have read about that include logging into safe mode and running malware. However, I guess the newer version of this virus does not let you enter safe mode. Upon logging in safe mode, as soon as it starts, it cycles back to a reboot. I have the Malwarebytes exe setup file saved to my flash drive. Any advice on how to open that up and run it on the infected computer when I cannot log into safe mode?

 



#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:05 PM

Posted 08 August 2013 - 12:48 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with FRST (Recovery Environment)


To run FRST on Vista and Windows 7:

  • Plug the flash drive into the infected PC.
  • Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt.

In the command window:

  • Type in notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter and close Notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
  • Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 tomlawncare

tomlawncare
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:05 PM

Posted 08 August 2013 - 07:21 AM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-08-2013
Ran by SYSTEM on 08-08-2013 07:15:40
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet002
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [NvCplDaemon] - C:\Windows\system32\NvCpl.dll [16333856 2009-07-29] (NVIDIA Corporation)
HKLM\...\Run: [SmartMenu] - C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610360 2009-09-14] ()
HKLM\...\Run: [PC-Doctor for Windows localizer] - C:\Program Files\PC-Doctor for Windows\localizer.exe [95728 2009-09-16] (PC-Doctor, Inc.)
HKLM\...\Run: [CanonMyPrinter] - C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2726728 2010-03-24] (CANON INC.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [444904 2012-09-20] (Adobe Systems Incorporated)
HKLM\...\Run: [Autodesk Sync] - C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe [415680 2012-02-05] (Autodesk, Inc.)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1356240 2013-06-20] (Microsoft Corporation)
HKLM-x32\...\Run: [hpsysdrv] - c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Remote Solution] - C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [656896 2009-08-24] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Software Update] - c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [NortonOnlineBackupReminder] - C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe [600936 2009-06-29] (Symantec Corporation)
HKLM-x32\...\Run: [GrooveMonitor] - C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Intuit SyncManager] - C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [1087752 2009-11-25] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [ANIWZCS2Service] - C:\Program Files (x86)\ANI\ANIWZCS2 Service\WZCSLDR2.exe [49152 2007-01-19] (Wireless Service)
HKLM-x32\...\Run: [D-Link D-Link Xtreme N Dual Band DWA-160] - C:\Program Files (x86)\D-Link\D-Link Xtreme N Dual Band DWA-160\AirNCFG.exe [1679360 2008-07-11] (D-Link)
HKLM-x32\...\Run: [CanonSolutionMenuEx] - C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE [1185112 2010-04-02] (CANON INC.)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] - C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073352 2012-06-25] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [NUSB3MON] - C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [106496 2009-11-20] (NEC Electronics Corporation)
HKLM-x32\...\Run: [Monitor] - C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe [298616 2013-02-16] (LeapFrog Enterprises, Inc.)
HKLM-x32\...\Run: [WD Quick View] - C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5234072 2012-02-27] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [WD UDS Control Center] - C:\Program Files (x86)\Western Digital\WD Print Share\WDPrintShare.exe [19841536 2012-04-18] ()
HKLM-x32\...\Run: [DivXMediaServer] - C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [450560 2013-01-29] (DivX, LLC)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [DivXUpdate] - C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1263952 2013-02-12] ()
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKU\Default\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
HKU\Default User\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
HKU\Tom\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW [x]
HKU\Tom\...\Run: [DAEMON Tools Lite] - C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [369200 2009-10-30] (DT Soft Ltd)
HKU\Tom\...\Run: [PRO Landscape Dashboard] - C:\Program Files (x86)\Drafix\PRO Landscape\PRO Landscape Dashboard.exe [3596288 2005-12-26] (Drafix Software, Inc.)
HKU\Tom\...\Run: [DW6] - "C:\Program Files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe" [x]
HKU\Tom\...\Run: [AdobeBridge] -  [x]
HKU\Tom\...\Run: [Browser Infrastructure Helper] - C:\Users\Tom\AppData\Local\Smartbar\Application\QuickShare.exe [13824 2013-02-18] (Smartbar)
HKU\Tom\...\Run: [StartNow Search Protect] - C:\Program Files (x86)\StartNow Toolbar\search_protect.exe [1352048 2012-09-06] ()
HKU\Tom\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2010-03-11] (Google Inc.)
HKU\Tom\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Tom\AppData\Local\Temp\ywogtwmijwbtxpcrleb.bfg [75776 2013-08-07] (Valve Corporation) <===== ATTENTION
HKU\Tom\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Tom\...\Command Processor: "C:\Users\Tom\AppData\Local\Temp\ywogtwmijwbtxpcrleb.bfg" <===== ATTENTION!
Startup: C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PdaNet Desktop.lnk
ShortcutTarget: PdaNet Desktop.lnk -> C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe ()

==================== Services (Whitelisted) =================

S2 DefaultTabSearch; C:\Program Files (x86)\DefaultTab\DefaultTabSearch.exe [572928 2013-02-10] ()
S2 DefaultTabUpdate; C:\Users\Tom\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [107520 2013-03-06] ()
S3 jswpsapi; C:\Program Files (x86)\D-Link\D-Link Xtreme N Dual Band DWA-160\JSWUtilVst\jswpsapi.exe [954368 2008-05-19] (Atheros Communications, Inc.)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 mitsijm2013; C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe [339776 2012-01-30] ( )
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-06-20] (Microsoft Corporation)
S2 NgVpnMgr; C:\Windows\system32\ngvpnmgr.exe [436808 2011-02-21] (Aventail Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366600 2013-06-20] (Microsoft Corporation)
S2 NWVZHelper; C:\Program Files (x86)\Novatel Wireless\Verizon\Drivers\NWHelper_001.exe [270848 2010-06-14] (Novatel Wireless Inc.)
S2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [80896 2011-03-31] ()
S2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [247704 2012-02-27] (Western Digital)

==================== Drivers (Whitelisted) ====================

S3 arusb_lhx; C:\Windows\System32\DRIVERS\arusb_lhx.sys [537088 2008-06-12] (Atheros Communications, Inc.)
S3 DSI_SiUSBXp_3_1; C:\Windows\System32\drivers\DSI_SiUSBXp_3_1.sys [16384 2007-09-06] (Silicon Laboratories)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [247216 2013-06-18] (Microsoft Corporation)
S3 NgFilter; C:\Windows\System32\DRIVERS\ngfilter.sys [25672 2011-02-21] (Aventail Corporation)
S3 NgLog; C:\Windows\System32\DRIVERS\nglog.sys [31304 2011-02-21] (Aventail Corporation)
S3 NgVpn; C:\Windows\System32\DRIVERS\ngvpn.sys [102984 2011-02-21] (Aventail Corporation)
S3 NgWfp; C:\Windows\System32\DRIVERS\ngwfp.sys [28744 2011-02-21] (Aventail Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [139616 2013-06-18] (Microsoft Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-02-14] (Duplex Secure Ltd.)
S3 StkCMini; C:\Windows\System32\Drivers\StkCMini.sys [1816968 2010-04-16] (Syntek)
S3 WDUDSMBus; C:\Windows\SysWow64\Drivers\WDUDSMBus.sys [105568 2012-04-16] (Windows ® Codename Longhorn DDK provider)
S3 WDUDSTcpBus; C:\Windows\SysWow64\Drivers\WDUDSTcpBus.sys [174176 2012-04-16] (Windows ® Codename Longhorn DDK provider)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-08-08 07:15 - 2013-08-08 07:15 - 00000000 ____D C:\FRST
2013-08-07 20:21 - 2013-08-07 20:21 - 00000000 ____D C:\ProgramData\Recovery
2013-08-07 15:14 - 2013-08-07 15:14 - 01097732 _____ C:\ProgramData\2433f433
2013-08-07 15:14 - 2013-08-07 15:14 - 01097668 _____ C:\Users\Tom\AppData\Local\2433f433
2013-08-07 15:14 - 2013-08-07 15:14 - 01097653 _____ C:\Users\Tom\AppData\Roaming\2433f433
2013-08-06 18:37 - 2013-08-06 18:37 - 00000874 _____ C:\Users\Tom\Desktop\BitTorrent.lnk
2013-08-06 18:36 - 2013-08-06 22:12 - 328061523 _____ C:\Users\Tom\Downloads\Under.the.Dome.S01E07.HDTV.x264-LOL.mp4
2013-08-05 05:33 - 2013-08-06 00:05 - 514206991 _____ C:\Users\Tom\Downloads\True.Blood.S06E08.HDTV.x264-2HD.mp4
2013-08-05 05:30 - 2013-08-05 05:30 - 00000000 ____D C:\Users\Tom\Downloads\The Newsroom 2012 S02E04 HDTV x264-2HD[ettv]
2013-08-05 05:28 - 2013-08-05 05:31 - 00000000 ____D C:\Users\Tom\Downloads\Ray Donovan S01E06 HDTV x264-ASAP[ettv]
2013-08-05 05:25 - 2013-08-05 23:29 - 377822339 _____ C:\Users\Tom\Downloads\Dexter.S08E06.HDTV.x264-EVOLVE.mp4
2013-07-30 19:10 - 2013-07-30 19:10 - 00000000 ____D C:\Users\Tom\Downloads\Suits S03E03 HDTV x264-EVOLVE[ettv]
2013-07-30 16:09 - 2013-07-30 18:17 - 384655854 _____ C:\Users\Tom\Downloads\under.the.dome.106.hdtv-lol.mp4
2013-07-28 19:16 - 2013-07-28 22:03 - 00000000 ____D C:\Users\Tom\Downloads\True Blood S06E07 In the Evening WEB-DL x264-FU[ettv]
2013-07-28 19:15 - 2013-07-28 19:15 - 00000000 ____D C:\Users\Tom\Downloads\The Newsroom 2012 S02E03 HDTV x264-2HD[ettv]
2013-07-28 19:13 - 2013-07-28 19:13 - 00000000 ____D C:\Users\Tom\Downloads\Ray Donovan S01E05 HDTV x264-ASAP[ettv]
2013-07-28 19:12 - 2013-07-28 19:12 - 00000000 ____D C:\Users\Tom\Downloads\Dexter S08E05 HDTV x264-ASAP[ettv]
2013-07-26 16:34 - 2013-07-30 08:06 - 00000000 ____D C:\Users\Tom\Downloads\Supernatural
2013-07-26 16:23 - 2013-07-28 06:22 - 00000000 ____D C:\Users\Tom\Downloads\Under The Dome
2013-07-26 09:31 - 2013-07-26 09:53 - 00000000 ____D C:\Users\Tom\Downloads\The Oranges (2011)
2013-07-25 16:03 - 2013-07-25 16:03 - 00000000 ____D C:\Users\Tom\Downloads\What Maisie Knew (2012)
2013-07-25 16:00 - 2013-07-26 00:03 - 00000000 ____D C:\Users\Tom\Downloads\Mud (2012)
2013-07-25 16:00 - 2013-07-25 18:05 - 00000000 ____D C:\Users\Tom\Downloads\The First Time (2012)
2013-07-24 16:42 - 2013-07-24 16:42 - 00000000 ____D C:\Users\Tom\Downloads\Suits S03E02 HDTV x264-EVOLVE[ettv]
2013-07-22 04:53 - 2013-07-22 11:31 - 370075328 _____ C:\Users\Tom\Downloads\S08E04.mp4
2013-07-21 20:11 - 2013-07-22 05:13 - 00000000 ____D C:\Users\Tom\Downloads\Ray Donovan S01E04 HDTV x264-EVOLVE[ettv]
2013-07-21 20:09 - 2013-07-22 22:40 - 00000000 ____D C:\Users\Tom\Downloads\The Newsroom 2012 S02E02 HDTV x264-EVOLVE[ettv]
2013-07-21 18:06 - 2013-07-21 22:42 - 00000000 ____D C:\Users\Tom\Downloads\True Blood S06E06 Dont You Feel Me WEB-DL x264-FU[ettv]
2013-07-21 16:44 - 2013-07-21 22:22 - 00000000 ____D C:\Users\Tom\Downloads\Dexter.S08E04.HDTV.x264-EVOLVE
2013-07-20 17:15 - 2013-07-22 22:49 - 00000000 ____D C:\Users\Tom\Downloads\Oblivion.2013.HDRip.XviD-THGF
2013-07-20 17:10 - 2013-07-20 17:58 - 00000000 ____D C:\Users\Tom\Downloads\The Sapphires (2012)
2013-07-16 19:21 - 2013-07-21 06:45 - 00000000 ____D C:\Users\Tom\Downloads\Suits S03E01 HDTV x264-EVOLVE[ettv]
2013-07-15 13:24 - 2013-07-15 13:28 - 00000000 ____D C:\Windows\System32\MRT
2013-07-14 19:15 - 2013-07-21 06:48 - 00000000 ____D C:\Users\Tom\Downloads\The Newsroom 2012 S02E01 HDTV x264-2HD[ettv]
2013-07-14 19:14 - 2013-07-21 06:42 - 00000000 ____D C:\Users\Tom\Downloads\Ray Donovan S01E03 HDTV x264-ASAP[ettv]
2013-07-14 18:17 - 2013-07-21 06:52 - 00000000 ____D C:\Users\Tom\Downloads\True Blood S06E05 WEB-DL XviD-3LT0N[ettv]
2013-07-14 18:15 - 2013-07-21 06:22 - 00000000 ____D C:\Users\Tom\Downloads\Dexter S08E03 HDTV x264-ASAP[ettv]
2013-07-13 16:27 - 2013-07-21 06:43 - 00000000 ____D C:\Users\Tom\Downloads\Spring Breakers (2012)
2013-07-13 16:24 - 2013-07-21 06:32 - 00000000 ____D C:\Users\Tom\Downloads\Evil Dead (2013)
2013-07-13 16:23 - 2013-07-21 06:17 - 00000000 ____D C:\Users\Tom\Downloads\Assault on Wall Street (2013)
2013-07-11 00:10 - 2013-06-11 15:43 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-07-11 00:10 - 2013-06-11 15:42 - 02046976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-07-11 00:10 - 2013-06-11 15:42 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-07-11 00:10 - 2013-06-11 15:42 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-07-11 00:10 - 2013-06-11 15:42 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-07-11 00:10 - 2013-06-11 15:42 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-07-11 00:10 - 2013-06-11 15:26 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-07-11 00:10 - 2013-06-11 15:25 - 02648576 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-07-11 00:10 - 2013-06-11 15:25 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-07-11 00:10 - 2013-06-11 15:25 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-07-11 00:10 - 2013-06-11 15:25 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-07-11 00:10 - 2013-06-11 15:25 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-07-11 00:10 - 2013-06-11 14:51 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-07-11 00:10 - 2013-06-11 14:50 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-07-11 00:10 - 2013-06-06 19:22 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-07-11 00:10 - 2013-06-06 18:37 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-07-11 00:09 - 2013-06-11 15:43 - 14329856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-07-11 00:09 - 2013-06-11 15:43 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-07-11 00:09 - 2013-06-11 15:43 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-07-11 00:09 - 2013-06-11 15:43 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-07-11 00:09 - 2013-06-11 15:43 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-07-11 00:09 - 2013-06-11 15:43 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-07-11 00:09 - 2013-06-11 15:42 - 13760512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-07-11 00:09 - 2013-06-11 15:26 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-07-11 00:09 - 2013-06-11 15:26 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-07-11 00:09 - 2013-06-11 15:25 - 19238912 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-07-11 00:09 - 2013-06-11 15:25 - 15404032 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-07-11 00:09 - 2013-06-11 15:25 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-07-11 00:09 - 2013-06-11 15:25 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-07-11 00:09 - 2013-06-11 15:25 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-07-11 00:09 - 2013-06-11 15:25 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-07-10 18:44 - 2013-06-03 22:00 - 00624128 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll
2013-07-10 18:44 - 2013-06-03 20:53 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2013-07-10 18:44 - 2013-05-05 22:03 - 01887744 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-07-10 18:44 - 2013-05-05 20:56 - 01620480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-07-10 18:43 - 2013-06-04 19:34 - 03153920 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-07-10 18:38 - 2013-04-09 15:34 - 01247744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-07-10 18:38 - 2013-04-02 14:51 - 01643520 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-07-10 17:20 - 2013-07-21 06:35 - 00000000 ____D C:\Users\Tom\Downloads\Family Tree S01E08 HDTV x264-EVOLVE[ettv]
2013-07-10 17:20 - 2013-07-11 04:42 - 250079932 _____ C:\Users\Tom\Downloads\S01E07.mp4
2013-07-10 17:20 - 2013-07-10 20:03 - 234414128 _____ C:\Users\Tom\Downloads\S01E06.mp4
2013-07-10 17:18 - 2013-07-11 04:37 - 208347244 _____ C:\Users\Tom\Downloads\S01E05.mp4
2013-07-10 17:17 - 2013-07-10 17:48 - 221729847 _____ C:\Users\Tom\Downloads\S01E04.mp4
2013-07-10 17:16 - 2013-07-10 17:45 - 230346639 _____ C:\Users\Tom\Downloads\S01E03.mp4
2013-07-10 16:42 - 2013-07-21 06:39 - 00000000 ____D C:\Users\Tom\Downloads\Lay the Favorite (2012)
2013-07-10 16:39 - 2013-07-21 06:18 - 00000000 ____D C:\Users\Tom\Downloads\Dead Man Down (2013)
2013-07-10 16:38 - 2013-07-21 06:16 - 00000000 ____D C:\Users\Tom\Downloads\Admission (2013)
2013-07-10 16:37 - 2013-07-21 06:15 - 00000000 ____D C:\Users\Tom\Downloads\42 (2013)

==================== One Month Modified Files and Folders =======

2013-08-07 20:21 - 2013-08-07 20:21 - 00000000 ____D C:\ProgramData\Recovery
2013-08-07 17:55 - 2012-12-25 17:09 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-07 17:55 - 2010-03-15 13:41 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-08-07 17:24 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-07 17:23 - 2009-07-13 20:51 - 00089421 _____ C:\Windows\setupact.log
2013-08-07 16:20 - 2010-03-15 13:41 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-08-07 15:56 - 2009-07-13 21:13 - 00779306 _____ C:\Windows\System32\PerfStringBackup.INI
2013-08-07 15:55 - 2009-12-25 11:24 - 01253917 _____ C:\Windows\WindowsUpdate.log
2013-08-07 15:22 - 2009-07-13 20:45 - 00015792 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-07 15:22 - 2009-07-13 20:45 - 00015792 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-07 15:16 - 2009-11-11 01:37 - 00281690 _____ C:\Windows\PFRO.log
2013-08-07 15:14 - 2013-08-07 15:14 - 01097732 _____ C:\ProgramData\2433f433
2013-08-07 15:14 - 2013-08-07 15:14 - 01097668 _____ C:\Users\Tom\AppData\Local\2433f433
2013-08-07 15:14 - 2013-08-07 15:14 - 01097653 _____ C:\Users\Tom\AppData\Roaming\2433f433
2013-08-07 15:14 - 2010-02-17 16:41 - 00000000 ____D C:\Users\Tom\AppData\Roaming\BitTorrent
2013-08-06 23:00 - 2010-02-17 16:43 - 00000000 ____D C:\Users\Tom\AppData\Local\Adobe
2013-08-06 22:12 - 2013-08-06 18:36 - 328061523 _____ C:\Users\Tom\Downloads\Under.the.Dome.S01E07.HDTV.x264-LOL.mp4
2013-08-06 18:37 - 2013-08-06 18:37 - 00000874 _____ C:\Users\Tom\Desktop\BitTorrent.lnk
2013-08-06 18:37 - 2010-02-17 17:18 - 00000000 ____D C:\Program Files (x86)\BitTorrent
2013-08-06 00:05 - 2013-08-05 05:33 - 514206991 _____ C:\Users\Tom\Downloads\True.Blood.S06E08.HDTV.x264-2HD.mp4
2013-08-05 23:29 - 2013-08-05 05:25 - 377822339 _____ C:\Users\Tom\Downloads\Dexter.S08E06.HDTV.x264-EVOLVE.mp4
2013-08-05 05:31 - 2013-08-05 05:28 - 00000000 ____D C:\Users\Tom\Downloads\Ray Donovan S01E06 HDTV x264-ASAP[ettv]
2013-08-05 05:30 - 2013-08-05 05:30 - 00000000 ____D C:\Users\Tom\Downloads\The Newsroom 2012 S02E04 HDTV x264-2HD[ettv]
2013-08-04 18:43 - 2011-09-02 10:19 - 00000324 _____ C:\Windows\Tasks\HPCeeScheduleForTom.job
2013-08-02 05:40 - 2011-10-28 18:58 - 00000000 _____ C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-08-02 05:40 - 2010-03-02 06:13 - 00000052 _____ C:\Windows\SysWOW64\DOErrors.log
2013-08-02 05:39 - 2010-02-15 14:11 - 00000000 ____D C:\Users\Tom\AppData\Roaming\HpUpdate
2013-07-31 16:07 - 2010-02-14 14:23 - 00000544 _____ C:\Windows\Tasks\PCDRScheduledMaintenance.job
2013-07-30 19:10 - 2013-07-30 19:10 - 00000000 ____D C:\Users\Tom\Downloads\Suits S03E03 HDTV x264-EVOLVE[ettv]
2013-07-30 18:17 - 2013-07-30 16:09 - 384655854 _____ C:\Users\Tom\Downloads\under.the.dome.106.hdtv-lol.mp4
2013-07-30 08:06 - 2013-07-26 16:34 - 00000000 ____D C:\Users\Tom\Downloads\Supernatural
2013-07-30 05:29 - 2012-11-15 19:55 - 00000000 ____D C:\Users\Tom\Downloads\Photoshop
2013-07-28 22:03 - 2013-07-28 19:16 - 00000000 ____D C:\Users\Tom\Downloads\True Blood S06E07 In the Evening WEB-DL x264-FU[ettv]
2013-07-28 19:15 - 2013-07-28 19:15 - 00000000 ____D C:\Users\Tom\Downloads\The Newsroom 2012 S02E03 HDTV x264-2HD[ettv]
2013-07-28 19:13 - 2013-07-28 19:13 - 00000000 ____D C:\Users\Tom\Downloads\Ray Donovan S01E05 HDTV x264-ASAP[ettv]
2013-07-28 19:12 - 2013-07-28 19:12 - 00000000 ____D C:\Users\Tom\Downloads\Dexter S08E05 HDTV x264-ASAP[ettv]
2013-07-28 06:22 - 2013-07-26 16:23 - 00000000 ____D C:\Users\Tom\Downloads\Under The Dome
2013-07-27 20:58 - 2010-03-04 16:49 - 00000000 ____D C:\Program Files (x86)\Google
2013-07-26 09:53 - 2013-07-26 09:31 - 00000000 ____D C:\Users\Tom\Downloads\The Oranges (2011)
2013-07-26 09:26 - 2011-09-02 10:19 - 00003174 _____ C:\Windows\System32\Tasks\HPCeeScheduleForTom
2013-07-26 09:26 - 2010-02-14 13:47 - 00000000 ____D C:\users\Tom
2013-07-26 00:03 - 2013-07-25 16:00 - 00000000 ____D C:\Users\Tom\Downloads\Mud (2012)
2013-07-25 18:05 - 2013-07-25 16:00 - 00000000 ____D C:\Users\Tom\Downloads\The First Time (2012)
2013-07-25 16:03 - 2013-07-25 16:03 - 00000000 ____D C:\Users\Tom\Downloads\What Maisie Knew (2012)
2013-07-24 16:42 - 2013-07-24 16:42 - 00000000 ____D C:\Users\Tom\Downloads\Suits S03E02 HDTV x264-EVOLVE[ettv]
2013-07-23 13:34 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-07-22 22:49 - 2013-07-20 17:15 - 00000000 ____D C:\Users\Tom\Downloads\Oblivion.2013.HDRip.XviD-THGF
2013-07-22 22:40 - 2013-07-21 20:09 - 00000000 ____D C:\Users\Tom\Downloads\The Newsroom 2012 S02E02 HDTV x264-EVOLVE[ettv]
2013-07-22 11:31 - 2013-07-22 04:53 - 370075328 _____ C:\Users\Tom\Downloads\S08E04.mp4
2013-07-22 05:13 - 2013-07-21 20:11 - 00000000 ____D C:\Users\Tom\Downloads\Ray Donovan S01E04 HDTV x264-EVOLVE[ettv]
2013-07-21 22:42 - 2013-07-21 18:06 - 00000000 ____D C:\Users\Tom\Downloads\True Blood S06E06 Dont You Feel Me WEB-DL x264-FU[ettv]
2013-07-21 22:22 - 2013-07-21 16:44 - 00000000 ____D C:\Users\Tom\Downloads\Dexter.S08E04.HDTV.x264-EVOLVE
2013-07-21 06:52 - 2013-07-14 18:17 - 00000000 ____D C:\Users\Tom\Downloads\True Blood S06E05 WEB-DL XviD-3LT0N[ettv]
2013-07-21 06:50 - 2013-07-07 18:12 - 00000000 ____D C:\Users\Tom\Downloads\S06E04
2013-07-21 06:48 - 2013-07-14 19:15 - 00000000 ____D C:\Users\Tom\Downloads\The Newsroom 2012 S02E01 HDTV x264-2HD[ettv]
2013-07-21 06:45 - 2013-07-16 19:21 - 00000000 ____D C:\Users\Tom\Downloads\Suits S03E01 HDTV x264-EVOLVE[ettv]
2013-07-21 06:43 - 2013-07-13 16:27 - 00000000 ____D C:\Users\Tom\Downloads\Spring Breakers (2012)
2013-07-21 06:42 - 2013-07-14 19:14 - 00000000 ____D C:\Users\Tom\Downloads\Ray Donovan S01E03 HDTV x264-ASAP[ettv]
2013-07-21 06:42 - 2013-07-07 19:05 - 00000000 ____D C:\Users\Tom\Downloads\Ray Donovan S01E02 HDTV x264-ASAP[ettv]
2013-07-21 06:39 - 2013-07-10 16:42 - 00000000 ____D C:\Users\Tom\Downloads\Lay the Favorite (2012)
2013-07-21 06:35 - 2013-07-10 17:20 - 00000000 ____D C:\Users\Tom\Downloads\Family Tree S01E08 HDTV x264-EVOLVE[ettv]
2013-07-21 06:34 - 2013-07-01 13:50 - 00000000 ____D C:\Users\Tom\Downloads\Family Tree S01E02 HDTV x264-EVOLVE[ettv]
2013-07-21 06:32 - 2013-07-13 16:24 - 00000000 ____D C:\Users\Tom\Downloads\Evil Dead (2013)
2013-07-21 06:22 - 2013-07-14 18:15 - 00000000 ____D C:\Users\Tom\Downloads\Dexter S08E03 HDTV x264-ASAP[ettv]
2013-07-21 06:22 - 2013-07-07 18:12 - 00000000 ____D C:\Users\Tom\Downloads\Dexter S08E02 HDTV x264-ASAP[ettv]
2013-07-21 06:18 - 2013-07-10 16:39 - 00000000 ____D C:\Users\Tom\Downloads\Dead Man Down (2013)
2013-07-21 06:17 - 2013-07-13 16:23 - 00000000 ____D C:\Users\Tom\Downloads\Assault on Wall Street (2013)
2013-07-21 06:16 - 2013-07-10 16:38 - 00000000 ____D C:\Users\Tom\Downloads\Admission (2013)
2013-07-21 06:15 - 2013-07-10 16:37 - 00000000 ____D C:\Users\Tom\Downloads\42 (2013)
2013-07-20 17:58 - 2013-07-20 17:10 - 00000000 ____D C:\Users\Tom\Downloads\The Sapphires (2012)
2013-07-15 13:28 - 2013-07-15 13:24 - 00000000 ____D C:\Windows\System32\MRT
2013-07-13 05:02 - 2012-12-25 17:09 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-07-13 05:01 - 2012-12-25 17:09 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-07-13 05:01 - 2011-11-25 07:39 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-07-12 18:15 - 2010-03-15 13:41 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-07-12 18:15 - 2010-03-15 13:41 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-07-12 18:08 - 2013-06-09 06:54 - 00001945 _____ C:\Windows\epplauncher.mif
2013-07-12 18:08 - 2013-06-09 06:54 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-07-12 18:08 - 2013-06-09 06:54 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-07-12 05:16 - 2010-03-02 06:12 - 00000000 ____D C:\Users\Tom\AppData\Roaming\HP Support Assistant
2013-07-11 04:42 - 2013-07-10 17:20 - 250079932 _____ C:\Users\Tom\Downloads\S01E07.mp4
2013-07-11 04:37 - 2013-07-10 17:18 - 208347244 _____ C:\Users\Tom\Downloads\S01E05.mp4
2013-07-11 00:38 - 2009-07-13 20:45 - 05175272 _____ C:\Windows\System32\FNTCACHE.DAT
2013-07-11 00:37 - 2013-03-14 00:01 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-07-11 00:37 - 2013-03-14 00:01 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-07-11 00:35 - 2009-07-13 23:45 - 00000000 ____D C:\Program Files\Windows Journal
2013-07-11 00:35 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-07-11 00:35 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-07-11 00:12 - 2010-02-14 18:33 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-07-10 20:03 - 2013-07-10 17:20 - 234414128 _____ C:\Users\Tom\Downloads\S01E06.mp4
2013-07-10 17:48 - 2013-07-10 17:17 - 221729847 _____ C:\Users\Tom\Downloads\S01E04.mp4
2013-07-10 17:45 - 2013-07-10 17:16 - 230346639 _____ C:\Users\Tom\Downloads\S01E03.mp4

Files to move or delete:
====================
C:\Users\Tom\AppData\Local\Temp\ywogtwmijwbtxpcrleb.bfg

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

==================== Memory info ===========================

Percentage of memory in use: 20%
Total physical RAM: 3839.3 MB
Available physical RAM: 3056.14 MB
Total Pagefile: 3837.45 MB
Available Pagefile: 3047.59 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: (HP) (Fixed) (Total:585.31 GB) (Free:121.6 GB) NTFS (Disk=0 Partition=2)
Drive e: (FACTORY_IMAGE) (Fixed) (Total:10.77 GB) (Free:1.56 GB) NTFS (Disk=0 Partition=3) ==>[System with boot components (obtained from reading drive)]
Drive h: (Lexar) (Removable) (Total:59.69 GB) (Free:0.01 GB) FAT32 (Disk=2 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.08 GB) (Free:0.07 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 596 GB) (Disk ID: 1549F232)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=585 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=11 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 60 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=60 GB) - (Type=0C)

LastRegBack: 2013-08-04 19:40

==================== End Of Log ============================



#4 tomlawncare

Posted 08 August 2013 - 04:31 PM

Is this the correct information you need above? If not, please let me know.

Thank you!



#5 TB-Psychotic

Posted 09 August 2013 - 01:47 AM

Fix with FRST (Recovery Environment)


  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    HKU\Tom\...\Run: [Browser Infrastructure Helper] - C:\Users\Tom\AppData\Local\Smartbar\Application\QuickShare.exe [13824 2013-02-18] (Smartbar)
    HKU\Tom\...\Run: [AdobeBridge] -  [x]
    HKU\Tom\...\Run: [StartNow Search Protect] - C:\Program Files (x86)\StartNow Toolbar\search_protect.exe [1352048 2012-09-06] ()
    HKU\Tom\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Tom\AppData\Local\Temp\ywogtwmijwbtxpcrleb.bfg [75776 2013-08-07] (Valve Corporation) <===== ATTENTION
    HKU\Tom\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
    HKU\Tom\...\Command Processor: "C:\Users\Tom\AppData\Local\Temp\ywogtwmijwbtxpcrleb.bfg" <===== ATTENTION!
    
    S2 DefaultTabSearch; C:\Program Files (x86)\DefaultTab\DefaultTabSearch.exe [572928 2013-02-10] ()
    S2 DefaultTabUpdate; C:\Users\Tom\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [107520 2013-03-06] ()
    
    C:\Program Files (x86)\DefaultTab
    C:\Users\Tom\AppData\Roaming\DefaultTab
    C:\Users\Tom\AppData\Local\Temp\ywogtwmijwbtxpcrleb.bfg
    C:\Users\Tom\AppData\Local\Smartbar
    C:\Program Files (x86)\StartNow Toolbar
    C:\ProgramData\2433f433
    C:\Users\Tom\AppData\Local\2433f433
    C:\Users\Tom\AppData\Roaming\2433f433
     
    

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Start your system in normal mode now!

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

Scan with aswMBR


Please download aswMBR.exe to your desktop.

  • Double-click the aswMBR.exe to run it
  • When prompted with The application can use the Avast! Free Antivirus for scanning >> select No
  • Now click on the Scan button to start scan
  • On completion of the scan click Save Log, save it to your desktop and post the contents in your next reply

Note: There will also be a file on your desktop named MBR.dat (or similar). Do not delete this for now; it is an actual backup of the MBR (master boot record).


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)
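Added example, not code from this thread or from FRST: a small Python triage pass over FRST-style registry lines like the ones in the fixlist above. It flags the three persistence tricks the fix removes (an autostart in a temp directory, a Winlogon Shell that is not explorer.exe, and any Command Processor AutoRun value) and would flag other entries of the same shape; the line format and the sample lines are assumed from this thread.

```python
import re
from dataclasses import dataclass

# Added example, not FRST's code: triage FRST-style registry lines for the
# lockscreen persistence seen in this thread (line format assumed from the fixlist).

@dataclass
class Finding:
    key: str
    value: str
    reason: str

# "HKU\Tom\...\Run: [Name] - path [size date] (vendor) <===== ATTENTION"
RUN_RE = re.compile(r"^HK[A-Z]+(?:\\[^\\]+)?\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] - (?P<rest>.*)$")
SHELL_RE = re.compile(r"^HK[A-Z]+.*\\Winlogon: \[Shell\] (?P<rest>.*)$")
AUTORUN_RE = re.compile(r"^HK[A-Z]+.*\\Command Processor: (?P<rest>.*)$")
# Trailing "[size date]", "(vendor)" and "<== ATTENTION" decorations.  The vendor is read
# from the file's version resource, not a signature, so it is not evidence of legitimacy.
TRAILER_RE = re.compile(r"^(?P<path>.*?)(?:\s+\[\d+ \d{4}-\d{2}-\d{2}\])?(?:\s+\([^)]*\))?(?:\s+<=+ ATTENTION!?)?\s*$")
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def _value(rest: str) -> str:
    """Strip FRST decorations and surrounding quotes from a registry value."""
    return TRAILER_RE.match(rest).group("path").strip().strip('"')

def triage(lines):
    """Return a Finding for each persistence pattern found in the given FRST lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if m := RUN_RE.match(line):
            path = _value(m.group("rest"))
            if path in ("", "[x]"):
                continue  # stale Run value (FRST's [x] marker); nothing to run
            key = "Run\\" + m.group("name")
            if any(d in path.lower() for d in TEMP_DIRS):
                findings.append(Finding(key, path, "autostart from a temp directory"))
            elif not path.lower().endswith(".exe"):
                findings.append(Finding(key, path, "autostart with a non-.exe extension"))
        elif m := SHELL_RE.match(line):
            shell = _value(m.group("rest"))
            if shell.lower() != "explorer.exe":
                findings.append(Finding("Winlogon\\Shell", shell, "shell replaced; the desktop never loads"))
        elif m := AUTORUN_RE.match(line):
            cmd = _value(m.group("rest"))
            if cmd:
                findings.append(Finding("Command Processor\\AutoRun", cmd, "runs on every cmd.exe start, including the replaced shell"))
    return findings

# Constructed sample: the registry lines from the fixlist in this thread.
SAMPLE_LINES = [
    r"HKU\Tom\...\Run: [Browser Infrastructure Helper] - C:\Users\Tom\AppData\Local\Smartbar\Application\QuickShare.exe [13824 2013-02-18] (Smartbar)",
    r"HKU\Tom\...\Run: [AdobeBridge] -  [x]",
    r"HKU\Tom\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Tom\AppData\Local\Temp\ywogtwmijwbtxpcrleb.bfg [75776 2013-08-07] (Valve Corporation) <===== ATTENTION",
    r"HKU\Tom\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION",
    r'HKU\Tom\...\Command Processor: "C:\Users\Tom\AppData\Local\Temp\ywogtwmijwbtxpcrleb.bfg" <===== ATTENTION!',
]
```

Running `triage(SAMPLE_LINES)` yields exactly the three entries FRST marked ATTENTION; the Smartbar and StartNow entries are adware that these shape-based rules do not know about, which is why the scanner run in the next step still matters.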

#6 tomlawncare

Posted 09 August 2013 - 03:49 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-08-2013
Ran by SYSTEM at 2013-08-09 15:47:06 Run:1
Running from H:\
Boot Mode: Recovery
==============================================

HKU\Tom\Software\Microsoft\Windows\CurrentVersion\Run\\Browser Infrastructure Helper => Value deleted successfully.
HKU\Tom\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => Value deleted successfully.
HKU\Tom\Software\Microsoft\Windows\CurrentVersion\Run\\StartNow Search Protect => Value deleted successfully.
HKU\Tom\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value deleted successfully.
HKU\Tom\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKU\Tom\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.
DefaultTabSearch => Service deleted successfully.
DefaultTabUpdate => Service deleted successfully.
C:\Program Files (x86)\DefaultTab => Moved successfully.
C:\Users\Tom\AppData\Roaming\DefaultTab => Moved successfully.
C:\Users\Tom\AppData\Local\Temp\ywogtwmijwbtxpcrleb.bfg => Moved successfully.
C:\Users\Tom\AppData\Local\Smartbar => Moved successfully.
C:\Program Files (x86)\StartNow Toolbar => Moved successfully.
C:\ProgramData\2433f433 => Moved successfully.
C:\Users\Tom\AppData\Local\2433f433 => Moved successfully.
C:\Users\Tom\AppData\Roaming\2433f433 => Moved successfully.

==== End of Fixlog ====



#7 tomlawncare

Posted 09 August 2013 - 07:18 PM

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.09.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16635
Tom :: TOM-DESKTOP [administrator]

8/9/2013 3:58:41 PM
mbam-log-2013-08-09 (15-58-41).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 596766
Time elapsed: 2 hour(s), 53 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 15
HKCR\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0} (PUP.Optional.QuickShare.A) -> Quarantined and deleted successfully.
HKCR\IESmartBar.BHO (PUP.Optional.QuickShare.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31AD400D-1B06-4E33-A59A-90C2C140CBA0} (PUP.Optional.QuickShare.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{31AD400D-1B06-4E33-A59A-90C2C140CBA0} (PUP.Optional.QuickShare.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{31AD400D-1B06-4E33-A59A-90C2C140CBA0} (PUP.Optional.QuickShare.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01} (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
HKCR\TypeLib\{FEB62B15-CC00-4736-AAEC-BA046C9DFF73} (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
HKCR\Interface\{1F8EDE97-36D5-422A-B8F0-9406E2D87C60} (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
HKCR\DefaultTabBHO.DefaultTabBrowser.1 (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
HKCR\DefaultTabBHO.DefaultTabBrowser (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01} (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01} (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{7F6AFBF1-E065-4627-A2FD-810366367D01} (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7F6AFBF1-E065-4627-A2FD-810366367D01} (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7F6AFBF1-E065-4627-A2FD-810366367D01} (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 10
C:\FRST\Quarantine\ywogtwmijwbtxpcrleb.bfg (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\DefaultTab\DefaultTab\DefaultTab\DefaultTabBHO.dll (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\DefaultTab\DefaultTab\DefaultTab\DefaultTabStart.exe (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\DefaultTab\DefaultTab\DefaultTab\DefaultTabStart64.exe (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\DefaultTab\DefaultTab\DefaultTab\DefaultTabWrap.dll (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\DefaultTab\DefaultTab\DefaultTab\DefaultTabWrap64.dll (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
C:\Users\Tom\AppData\Local\Temp\Updater.exe (PUP.Optional.Amonetize) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\updater-startnow-200-2.5-f[1].exe (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.
C:\Windows\Temp\TBU002\ToolbarUpdate.exe (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.
C:\Users\Tom\Templates\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.

(end)



#8 tomlawncare

Posted 09 August 2013 - 08:02 PM

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-08-09 19:56:47
-----------------------------
19:56:47.808    OS Version: Windows x64 6.1.7601 Service Pack 1
19:56:47.808    Number of processors: 2 586 0x602
19:56:47.808    ComputerName: TOM-DESKTOP  UserName: Tom
19:56:49.477    Initialize success
19:57:15.806    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000060
19:57:15.806    Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 3
19:57:15.853    Disk 0 MBR read error 0
19:57:15.853    Disk 0 MBR scan
19:57:15.853    Disk 0 unknown MBR code
19:57:15.853    MBR BIOS signature not found 0
19:57:15.884    Disk 0 scanning C:\Windows\system32\drivers
19:57:25.681    Service scanning
19:57:40.017    Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
19:57:44.105    Modules scanning
19:57:44.105    Disk 0 trace - called modules:
19:57:44.136    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80043d62c0]<<spip.sys storport.sys hal.dll nvstor64.sys
19:57:44.167    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800467e790]
19:57:44.183    3 CLASSPNP.SYS[fffff88001ae443f] -> nt!IofCallDriver -> [0xfffffa80044f66e0]
19:57:44.682    5 ACPI.sys[fffff880011777a1] -> nt!IofCallDriver -> \Device\00000060[0xfffffa80044f7060]
19:57:44.697    \Driver\nvstor64[0xfffffa80044ea7e0] -> IRP_MJ_CREATE -> 0xfffffa80043d62c0
19:57:44.713    Scan finished successfully
19:58:18.393    Disk 0 MBR has been saved successfully to "C:\Users\Tom\Desktop\MBR.dat"
19:58:18.425    The log file has been saved successfully to "C:\Users\Tom\Desktop\aswMBR.txt"

 



#9 TB-Psychotic

Posted 12 August 2013 - 03:21 AM

Disable CD Emulation with DeFogger

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK


IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.


#10 TB-Psychotic

Posted 19 August 2013 - 01:25 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.