FBI moneypack virus, no safe mode access [Solved]


This topic is locked

#1
jkabat
  • Member
  • 98 posts
A laptop in my household has become infected with an FBI MoneyPak virus. It is present in safe mode also, even with no internet connection. I ran FRST from a USB using the command prompt. The logs are attached. Any help is much appreciated.


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-09-2013 02
Ran by SYSTEM on MININT-M0M64HL on 14-09-2013 17:00:03
Running from E:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: 0412
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12459112 2012-03-27] (Realtek Semiconductor)
HKLM\...\Run: [BLEServicesCtrl] - C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe [178960 2012-03-15] (Intel Corporation)
HKLM\...\Run: [BTMTrayAgent] - rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2854448 2011-12-01] (Synaptics Incorporated)
HKLM\...\Run: [HotkeyManager] - C:\Program Files\LG Software\LG OSD\HotkeyManager.exe [162376 2012-04-18] (LG Electronics Inc.)
HKLM\...\Run: [PowerManager] - C:\Program Files\LG Software\LG Power Manager Suite\PowerManager.exe [2267136 2012-03-15] (LG Electronics)
HKLM\...\Run: [Korean IME Migration] - C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE [43808 2006-10-26] (Microsoft Corporation)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-21] (Microsoft Corporation)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,,C:\Program Files (x86)\Steam\qItaYPgY.exe
HKLM-x32\...\Winlogon: [Userinit] userinit.exe,,C:\Program Files (x86)\Steam\qItaYPgY.exe [x]
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [636032 2012-03-29] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AMD AVT] - C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe [10752 2012-01-31] ()
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2012-03-13] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] - C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-03-27] (Intel Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM-x32\...\Run: [Korean IME Migration] - C:\Program Files (x86)\Common Files\microsoft shared\IME12\IMEKR\IMKRMIG.EXE [26400 2006-10-26] (Microsoft Corporation)
HKLM-x32\...\Run: [HncUpdate] - C:\Program Files (x86)\Hnc\HncUtils\HncChecker.exe [715624 2012-10-17] (Hancom Inc(HNC).)
HKLM-x32\...\Run: [vProt] - C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2404016 2013-09-02] ()
HKU\Brian\...\Run: [Steam] - C:\Program Files (x86)\Steam\steam.exe [1811880 2013-08-29] (Valve Corporation)
HKU\Brian\...\Run: [uTorrent] - C:\Users\Brian\AppData\Roaming\uTorrent\uTorrent.exe [888152 2013-08-07] (BitTorrent Inc.)
HKU\Brian\...\Run: [DAEMON Tools Lite] - C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [1305408 2011-01-20] (DT Soft Ltd)
HKU\Brian\...\Run: [Skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [20681584 2013-07-25] (Skype Technologies S.A.)
HKU\Brian\...\Run: [kFrYHkhJ] - C:\Users\Brian\AppData\Local\Adobe\JyEgMOdD.exe [157184 2013-09-09] ()
Startup: C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cVuSZFJE.exe ()

==================== Services (Whitelisted) =================

S2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [143120 2013-05-24] (SUPERAntiSpyware.com)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165144 2012-03-28] (Intel Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [273168 2012-03-29] ()
S2 uCamMonitor; C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [110592 2009-05-19] (ArcSoft, Inc.)
S2 vToolbarUpdater15.5.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe [1643184 2013-08-23] (AVG Secure Search)
S2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [2669840 2012-03-29] (Intel® Corporation)
S2 Adobe Licensing Console; %SystemRoot%\system32\msvfd32.exe [x]

==================== Drivers (Whitelisted) ====================

S3 ArcSoftKsUFilter; C:\Windows\System32\DRIVERS\ArcSoftKsUFilter.sys [19968 2009-05-27] (ArcSoft, Inc.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-08-23] (AVG Technologies)
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [254528 2013-08-02] (DT Soft Ltd)
S3 L1C; C:\Windows\System32\DRIVERS\L1C62x64.sys [104048 2012-03-02] (Qualcomm Atheros Co., Ltd.)
S3 Linksys_adapter_H; C:\Windows\System32\DRIVERS\AE2500w764.sys [1254464 2011-03-29] (Broadcom Corporation)
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-23] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-23] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-09-14 16:53 - 2013-09-14 16:53 - 00000000 ____D C:\FRST
2013-09-14 14:58 - 2013-09-14 14:58 - 00000000 ____D C:\Users\Brian\AppData\Local\vWwialBc
2013-09-09 16:50 - 2013-09-09 16:50 - 00000000 ____D C:\Users\Brian\AppData\Local\nPzcsddu
2013-09-06 22:03 - 2013-09-10 20:48 - 00063273 _____ C:\Users\Brian\Desktop\dubstep.flp
2013-09-06 18:49 - 2013-09-10 20:49 - 00068602 _____ C:\Users\Brian\Desktop\avicci.flp
2013-09-05 15:54 - 2013-09-05 15:54 - 00000038 _____ C:\Users\Brian\Desktop\amazon.txt
2013-09-03 22:33 - 2013-09-10 20:50 - 00056120 _____ C:\Users\Brian\Desktop\Mammoth.flp
2013-09-03 15:21 - 2013-09-09 16:59 - 00003490 _____ C:\Windows\System32\Tasks\AutoKMS
2013-08-31 08:07 - 2013-08-31 12:20 - 00000000 ____D C:\Users\Brian\Downloads\StarCraft.II.Heart.of.the.Swarm.Proper-RELOADED
2013-08-31 06:58 - 2013-08-31 07:29 - 1919887890 ____R C:\Users\Brian\Desktop\Despicable Me 2 2013 720p TS XviD MP3 MiLLENiUM.avi
2013-08-29 11:48 - 2013-09-10 20:50 - 00057825 _____ C:\Users\Brian\Desktop\tolouse.flp
2013-08-29 04:14 - 2013-08-29 04:14 - 00000997 _____ C:\Users\Public\Desktop\Massive.lnk
2013-08-29 03:40 - 2013-09-01 18:12 - 00053274 _____ C:\Users\Brian\Desktop\untitled.flp
2013-08-29 02:56 - 2013-08-29 02:56 - 01700352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdiplus.dll
2013-08-29 02:55 - 2013-08-29 02:55 - 00001153 _____ C:\Users\Brian\Desktop\FL Studio 10.lnk
2013-08-28 10:54 - 2013-08-28 10:54 - 00001021 _____ C:\Users\Brian\Desktop\Massive.lnk
2013-08-28 10:47 - 2013-08-28 10:47 - 00000000 ____D C:\Users\Brian\AppData\Local\Native Instruments
2013-08-28 10:40 - 2013-08-28 10:40 - 00000000 ____D C:\Users\Brian\AppData\Roaming\PoiZone
2013-08-28 10:39 - 2013-08-28 10:39 - 00000000 ____D C:\Users\Brian\AppData\Roaming\Sawer
2013-08-28 10:39 - 2013-08-28 10:39 - 00000000 ____D C:\Users\Brian\AppData\Roaming\Sakura
2013-08-28 08:20 - 2013-08-28 08:20 - 00000000 ____D C:\Users\Brian\AppData\Roaming\Hardcore
2013-08-28 08:09 - 2013-08-29 04:03 - 00078953 _____ C:\Users\Brian\Desktop\Massive.flp
2013-08-28 08:09 - 2013-08-28 08:09 - 00078800 _____ C:\Users\Brian\Downloads\Massive.flp
2013-08-28 08:00 - 2013-08-28 07:59 - 42474960 _____ C:\Users\Brian\Desktop\Massive 1.1.5 (1).zip
2013-08-28 07:58 - 2013-08-28 07:59 - 42474960 _____ C:\Users\Brian\Downloads\Massive 1.1.5 (1).zip
2013-08-28 07:31 - 2013-08-28 07:41 - 312522984 _____ (Image-Line) C:\Users\Brian\Downloads\flstudio_11.0.3.exe
2013-08-28 07:29 - 2013-08-29 04:14 - 00000000 __HDC C:\ProgramData\{13A9B825-42CB-4973-913D-2194B5A4CF94}
2013-08-28 07:29 - 2013-08-28 07:29 - 00003236 _____ C:\Windows\System32\Tasks\{B2000F52-86EB-484D-9C18-E472CDC3B455}
2013-08-28 07:25 - 2013-08-28 07:27 - 42474960 _____ C:\Users\Brian\Downloads\Massive 1.1.5.zip
2013-08-28 07:14 - 2013-08-28 07:14 - 00000000 ____D C:\Program Files (x86)\Outsim
2013-08-28 07:11 - 2013-08-28 07:11 - 00818087 _____ ( ) C:\Windows\SysWOW64\msvfd32.exe
2013-08-27 08:48 - 2013-08-27 08:48 - 00002219 _____ C:\Users\Public\Desktop\Google Earth.lnk
2013-08-27 08:45 - 2013-08-27 08:45 - 00784848 _____ (Google Inc.) C:\Users\Brian\Downloads\GoogleEarthSetup.exe
2013-08-27 06:50 - 2013-08-27 06:50 - 00000060 _____ C:\Users\Brian\Desktop\hello.txt
2013-08-22 08:49 - 2013-08-22 08:49 - 00000000 ____D C:\Users\Brian\AppData\Local\AVG SafeGuard toolbar
2013-08-22 08:48 - 2013-09-02 01:44 - 00000000 ____D C:\Program Files (x86)\AVG SafeGuard toolbar
2013-08-22 08:48 - 2013-08-29 02:48 - 00000000 ____D C:\Program Files (x86)\VstPlugins
2013-08-22 08:48 - 2013-08-23 09:48 - 00045856 _____ (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2013-08-22 08:48 - 2013-08-22 08:48 - 00000000 ____D C:\ProgramData\AVG SafeGuard toolbar
2013-08-22 08:48 - 2013-08-22 08:48 - 00000000 ____D C:\Program Files (x86)\ASIO4ALL v2
2013-08-19 20:10 - 2013-08-19 20:11 - 01343288 _____ C:\Users\Brian\Downloads\ADD(2단계3차년도)_신규양식.xlsx
2013-08-19 00:37 - 2013-08-19 00:37 - 00872448 _____ C:\Users\Brian\Downloads\ms_course_selection__transition_2013_grad_class_2017.ppt
2013-08-15 21:25 - 2013-07-26 14:13 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-08-15 21:25 - 2013-07-26 14:13 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-08-15 21:25 - 2013-07-26 14:13 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-08-15 21:25 - 2013-07-26 14:12 - 19239424 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-08-15 21:25 - 2013-07-26 14:12 - 15405056 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-08-15 21:25 - 2013-07-26 14:12 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-08-15 21:25 - 2013-07-26 14:12 - 02647040 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-08-15 21:25 - 2013-07-26 14:12 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-08-15 21:25 - 2013-07-26 14:12 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-08-15 21:25 - 2013-07-26 14:12 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-08-15 21:25 - 2013-07-26 14:12 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-08-15 21:25 - 2013-07-26 14:12 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-08-15 21:25 - 2013-07-26 14:12 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-08-15 21:25 - 2013-07-26 14:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-08-15 21:25 - 2013-07-26 12:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-08-15 21:25 - 2013-07-26 12:13 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-08-15 21:25 - 2013-07-26 12:13 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-08-15 21:25 - 2013-07-26 12:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-08-15 21:25 - 2013-07-26 12:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-08-15 21:25 - 2013-07-26 12:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-08-15 21:25 - 2013-07-26 12:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-08-15 21:25 - 2013-07-26 12:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-08-15 21:25 - 2013-07-26 12:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-08-15 21:25 - 2013-07-26 12:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-08-15 21:25 - 2013-07-26 12:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-08-15 21:25 - 2013-07-26 12:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-08-15 21:25 - 2013-07-26 12:11 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-08-15 21:25 - 2013-07-26 12:11 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-08-15 21:25 - 2013-07-26 11:49 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-08-15 21:25 - 2013-07-26 11:39 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-08-15 21:25 - 2013-07-26 10:59 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-08-15 21:20 - 2013-08-15 21:22 - 00000000 ____D C:\Windows\System32\MRT
2013-08-15 20:21 - 2013-07-19 10:58 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\tzres.dll
2013-08-15 20:21 - 2013-07-19 10:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-08-15 20:21 - 2013-07-09 14:52 - 00224256 _____ (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2013-08-15 20:21 - 2013-07-09 14:46 - 01472512 _____ (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-08-15 20:21 - 2013-07-09 14:46 - 00184320 _____ (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-08-15 20:21 - 2013-07-09 14:46 - 00139776 _____ (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-08-15 20:21 - 2013-07-09 13:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2013-08-15 20:21 - 2013-07-09 13:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-08-15 20:21 - 2013-07-09 13:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-08-15 20:21 - 2013-07-09 13:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-08-15 20:20 - 2013-07-25 18:25 - 01888768 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-08-15 20:20 - 2013-07-25 17:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-08-15 20:20 - 2013-07-09 15:03 - 05550528 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-08-15 20:20 - 2013-07-09 14:54 - 01732032 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2013-08-15 20:20 - 2013-07-09 14:53 - 00243712 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-08-15 20:20 - 2013-07-09 14:51 - 01217024 _____ (Microsoft Corporation) C:\Windows\System32\rpcrt4.dll
2013-08-15 20:20 - 2013-07-09 14:03 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-08-15 20:20 - 2013-07-09 14:03 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-08-15 20:20 - 2013-07-09 13:53 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-08-15 20:20 - 2013-07-09 13:52 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2013-08-15 20:20 - 2013-07-09 13:52 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-08-15 20:20 - 2013-07-09 11:49 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-08-15 20:20 - 2013-07-09 11:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-08-15 20:20 - 2013-07-09 11:49 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-08-15 20:20 - 2013-07-09 11:49 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-08-15 20:20 - 2013-07-06 15:03 - 01910208 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-08-15 20:20 - 2013-06-15 13:32 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tssecsrv.sys
2013-08-15 08:22 - 2013-08-15 08:22 - 00633360 _____ (Copyright © 2010 eSupport.com. All Rights Reserved.) C:\Users\Brian\Downloads\biosagentplus_1218.exe
2013-08-15 08:22 - 2013-08-15 08:22 - 00041472 _____ C:\Users\Brian\Downloads\launcher64.dll
2013-08-15 08:22 - 2013-08-15 08:22 - 00021712 _____ (Phoenix Technologies) C:\Windows\SysWOW64\Drivers\DrvAgent64.SYS
2013-08-15 08:22 - 2013-08-15 08:22 - 00000000 ____D C:\Users\Brian\AppData\Local\eSupport.com
2013-08-15 08:19 - 2013-08-15 08:19 - 00000937 _____ C:\Users\Public\Desktop\CPUID HWMonitor.lnk
2013-08-15 08:19 - 2013-08-15 08:19 - 00000876 _____ C:\Users\Public\Desktop\CPUID CPU-Z.lnk
2013-08-15 08:19 - 2013-08-15 08:19 - 00000000 ____D C:\Program Files\CPUID

==================== One Month Modified Files and Folders =======

2013-09-14 16:56 - 2013-07-31 20:22 - 00000680 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-14 16:56 - 2013-07-31 18:21 - 00000000 ____D C:\users\Brian
2013-09-14 16:56 - 2009-07-14 14:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-14 16:56 - 2009-07-14 13:51 - 00038599 _____ C:\Windows\setupact.log
2013-09-14 16:53 - 2013-09-14 16:53 - 00000000 ____D C:\FRST
2013-09-14 16:05 - 2013-08-09 21:12 - 00000000 ____D C:\Windows\AutoKMS
2013-09-14 16:05 - 2013-08-09 15:15 - 00000000 ____D C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform
2013-09-14 16:05 - 2013-08-06 10:53 - 00000000 ____D C:\Windows\System32\Macromed
2013-09-14 16:05 - 2013-08-02 22:46 - 00000000 ____D C:\Users\Brian\AppData\Roaming\Skype
2013-09-14 16:05 - 2013-07-31 20:26 - 00000000 ____D C:\Users\Brian\AppData\Roaming\uTorrent
2013-09-14 16:05 - 2013-07-31 20:26 - 00000000 ____D C:\Program Files (x86)\Steam
2013-09-14 16:05 - 2009-07-14 12:20 - 00000000 ____D C:\Windows\registration
2013-09-14 14:58 - 2013-09-14 14:58 - 00000000 ____D C:\Users\Brian\AppData\Local\vWwialBc
2013-09-10 20:50 - 2013-09-03 22:33 - 00056120 _____ C:\Users\Brian\Desktop\Mammoth.flp
2013-09-10 20:50 - 2013-08-29 11:48 - 00057825 _____ C:\Users\Brian\Desktop\tolouse.flp
2013-09-10 20:49 - 2013-09-06 18:49 - 00068602 _____ C:\Users\Brian\Desktop\avicci.flp
2013-09-10 20:48 - 2013-09-06 22:03 - 00063273 _____ C:\Users\Brian\Desktop\dubstep.flp
2013-09-10 06:17 - 2013-07-31 18:13 - 01815646 _____ C:\Windows\WindowsUpdate.log
2013-09-10 06:15 - 2013-08-06 10:53 - 00000622 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-10 06:15 - 2013-07-31 20:22 - 00000684 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-09 20:48 - 2011-04-13 05:58 - 00427180 _____ C:\Windows\System32\perfh012.dat
2013-09-09 20:48 - 2011-04-13 05:58 - 00119410 _____ C:\Windows\System32\perfc012.dat
2013-09-09 20:48 - 2009-07-14 14:13 - 01316820 _____ C:\Windows\System32\PerfStringBackup.INI
2013-09-09 17:03 - 2009-07-14 13:45 - 00022080 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-09 17:03 - 2009-07-14 13:45 - 00022080 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-09 16:59 - 2013-09-03 15:21 - 00003490 _____ C:\Windows\System32\Tasks\AutoKMS
2013-09-09 16:50 - 2013-09-09 16:50 - 00000000 ____D C:\Users\Brian\AppData\Local\nPzcsddu
2013-09-09 16:50 - 2013-07-31 20:23 - 00000000 ____D C:\Users\Brian\AppData\Local\Adobe
2013-09-05 15:54 - 2013-09-05 15:54 - 00000038 _____ C:\Users\Brian\Desktop\amazon.txt
2013-09-05 06:16 - 2013-08-12 18:18 - 01304502 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2013-09-03 21:03 - 2013-07-31 20:22 - 00002190 _____ C:\Users\Public\Desktop\Chrome.lnk
2013-09-02 01:46 - 2013-08-14 08:07 - 00000000 ____D C:\Users\Brian\AppData\Roaming\vlc
2013-09-02 01:44 - 2013-08-22 08:48 - 00000000 ____D C:\Program Files (x86)\AVG SafeGuard toolbar
2013-09-01 22:34 - 2009-07-14 12:20 - 00000000 __RHD C:\Users\Public\Libraries
2013-09-01 18:12 - 2013-08-29 03:40 - 00053274 _____ C:\Users\Brian\Desktop\untitled.flp
2013-09-01 09:02 - 2013-08-12 18:22 - 00000000 ____D C:\Users\Brian\AppData\Roaming\.minecraft
2013-09-01 08:35 - 2013-08-12 20:11 - 00000000 ____D C:\Users\Brian\Downloads\Despicable Me
2013-08-31 12:20 - 2013-08-31 08:07 - 00000000 ____D C:\Users\Brian\Downloads\StarCraft.II.Heart.of.the.Swarm.Proper-RELOADED
2013-08-31 07:29 - 2013-08-31 06:58 - 1919887890 ____R C:\Users\Brian\Desktop\Despicable Me 2 2013 720p TS XviD MP3 MiLLENiUM.avi
2013-08-29 04:28 - 2013-07-31 18:22 - 00000000 ____D C:\Users\Brian\AppData\Local\VirtualStore
2013-08-29 04:25 - 2010-11-21 12:47 - 00015534 _____ C:\Windows\PFRO.log
2013-08-29 04:19 - 2013-08-14 08:27 - 00000000 ____D C:\Users\Brian\Documents\Native Instruments
2013-08-29 04:14 - 2013-08-29 04:14 - 00000997 _____ C:\Users\Public\Desktop\Massive.lnk
2013-08-29 04:14 - 2013-08-28 07:29 - 00000000 __HDC C:\ProgramData\{13A9B825-42CB-4973-913D-2194B5A4CF94}
2013-08-29 04:14 - 2013-08-14 08:21 - 00000000 ____D C:\Program Files\Native Instruments
2013-08-29 04:03 - 2013-08-28 08:09 - 00078953 _____ C:\Users\Brian\Desktop\Massive.flp
2013-08-29 02:56 - 2013-08-29 02:56 - 01700352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdiplus.dll
2013-08-29 02:55 - 2013-08-29 02:55 - 00001153 _____ C:\Users\Brian\Desktop\FL Studio 10.lnk
2013-08-29 02:50 - 2013-08-14 20:47 - 00000000 ____D C:\Program Files (x86)\Image-Line
2013-08-29 02:48 - 2013-08-22 08:48 - 00000000 ____D C:\Program Files (x86)\VstPlugins
2013-08-28 10:54 - 2013-08-28 10:54 - 00001021 _____ C:\Users\Brian\Desktop\Massive.lnk
2013-08-28 10:47 - 2013-08-28 10:47 - 00000000 ____D C:\Users\Brian\AppData\Local\Native Instruments
2013-08-28 10:40 - 2013-08-28 10:40 - 00000000 ____D C:\Users\Brian\AppData\Roaming\PoiZone
2013-08-28 10:39 - 2013-08-28 10:39 - 00000000 ____D C:\Users\Brian\AppData\Roaming\Sawer
2013-08-28 10:39 - 2013-08-28 10:39 - 00000000 ____D C:\Users\Brian\AppData\Roaming\Sakura
2013-08-28 08:20 - 2013-08-28 08:20 - 00000000 ____D C:\Users\Brian\AppData\Roaming\Hardcore
2013-08-28 08:09 - 2013-08-28 08:09 - 00078800 _____ C:\Users\Brian\Downloads\Massive.flp
2013-08-28 07:59 - 2013-08-28 08:00 - 42474960 _____ C:\Users\Brian\Desktop\Massive 1.1.5 (1).zip
2013-08-28 07:59 - 2013-08-28 07:58 - 42474960 _____ C:\Users\Brian\Downloads\Massive 1.1.5 (1).zip
2013-08-28 07:41 - 2013-08-28 07:31 - 312522984 _____ (Image-Line) C:\Users\Brian\Downloads\flstudio_11.0.3.exe
2013-08-28 07:29 - 2013-08-28 07:29 - 00003236 _____ C:\Windows\System32\Tasks\{B2000F52-86EB-484D-9C18-E472CDC3B455}
2013-08-28 07:27 - 2013-08-28 07:25 - 42474960 _____ C:\Users\Brian\Downloads\Massive 1.1.5.zip
2013-08-28 07:14 - 2013-08-28 07:14 - 00000000 ____D C:\Program Files (x86)\Outsim
2013-08-28 07:11 - 2013-08-28 07:11 - 00818087 _____ ( ) C:\Windows\SysWOW64\msvfd32.exe
2013-08-27 08:48 - 2013-08-27 08:48 - 00002219 _____ C:\Users\Public\Desktop\Google Earth.lnk
2013-08-27 08:48 - 2013-07-31 20:22 - 00000000 ____D C:\Users\Brian\AppData\Local\Google
2013-08-27 08:48 - 2013-07-31 20:22 - 00000000 ____D C:\Program Files (x86)\Google
2013-08-27 08:45 - 2013-08-27 08:45 - 00784848 _____ (Google Inc.) C:\Users\Brian\Downloads\GoogleEarthSetup.exe
2013-08-27 06:50 - 2013-08-27 06:50 - 00000060 _____ C:\Users\Brian\Desktop\hello.txt
2013-08-23 09:48 - 2013-08-22 08:48 - 00045856 _____ (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2013-08-22 08:49 - 2013-08-22 08:49 - 00000000 ____D C:\Users\Brian\AppData\Local\AVG SafeGuard toolbar
2013-08-22 08:48 - 2013-08-22 08:48 - 00000000 ____D C:\ProgramData\AVG SafeGuard toolbar
2013-08-22 08:48 - 2013-08-22 08:48 - 00000000 ____D C:\Program Files (x86)\ASIO4ALL v2
2013-08-22 08:48 - 2013-08-14 20:56 - 00000000 ____D C:\Users\Brian\AppData\Roaming\OpenCandy
2013-08-22 08:47 - 2013-08-14 20:55 - 00000000 ____D C:\Program Files\Image-Line
2013-08-22 08:47 - 2013-08-14 20:55 - 00000000 ____D C:\Program Files (x86)\DSPRobotics
2013-08-19 20:11 - 2013-08-19 20:10 - 01343288 _____ C:\Users\Brian\Downloads\ADD(2단계3차년도)_신규양식.xlsx
2013-08-19 20:08 - 2013-08-02 22:45 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-08-19 03:50 - 2013-08-02 11:14 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-08-19 00:37 - 2013-08-19 00:37 - 00872448 _____ C:\Users\Brian\Downloads\ms_course_selection__transition_2013_grad_class_2017.ppt
2013-08-17 09:51 - 2009-07-14 12:20 - 00000000 ____D C:\Windows\rescache
2013-08-16 10:06 - 2013-08-12 18:23 - 00000000 ____D C:\Users\Brian\Documents\VirtualDJ
2013-08-15 21:27 - 2009-07-14 11:34 - 00000478 _____ C:\Windows\win.ini
2013-08-15 21:22 - 2013-08-15 21:20 - 00000000 ____D C:\Windows\System32\MRT
2013-08-15 21:20 - 2013-08-05 13:59 - 78161360 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-08-15 08:22 - 2013-08-15 08:22 - 00633360 _____ (Copyright © 2010 eSupport.com. All Rights Reserved.) C:\Users\Brian\Downloads\biosagentplus_1218.exe
2013-08-15 08:22 - 2013-08-15 08:22 - 00041472 _____ C:\Users\Brian\Downloads\launcher64.dll
2013-08-15 08:22 - 2013-08-15 08:22 - 00021712 _____ (Phoenix Technologies) C:\Windows\SysWOW64\Drivers\DrvAgent64.SYS
2013-08-15 08:22 - 2013-08-15 08:22 - 00000000 ____D C:\Users\Brian\AppData\Local\eSupport.com
2013-08-15 08:19 - 2013-08-15 08:19 - 00000937 _____ C:\Users\Public\Desktop\CPUID HWMonitor.lnk
2013-08-15 08:19 - 2013-08-15 08:19 - 00000876 _____ C:\Users\Public\Desktop\CPUID CPU-Z.lnk
2013-08-15 08:19 - 2013-08-15 08:19 - 00000000 ____D C:\Program Files\CPUID
2013-08-15 08:15 - 2013-07-31 20:30 - 00000000 ____D C:\Program Files\SUPERAntiSpyware

Files to move or delete:
====================
C:\Users\Brian\AppData\Local\Temp\oi_{2017EA78-97B9-4116-A639-384D90AE9816}.exe
C:\Users\Brian\AppData\Local\Temp\oi_{4CD0CF1E-82C5-4659-B09F-53D0F094C638}.exe
C:\Users\Brian\AppData\Local\Temp\ose00000.exe
C:\Users\Brian\AppData\Local\Temp\SRLDetectionLibrary6871398065574144517.dll
C:\Users\Brian\AppData\Local\Temp\UNINSTALL.EXE
C:\Users\Brian\AppData\Local\Temp\yghPiexN.exe
C:\Users\Brian\AppData\Local\Temp\_isC4F.exe
C:\Users\Brian\AppData\Local\Temp\_isF852.exe

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-08-29 12:06:06
Restore point made on: 2013-09-03 17:58:50
Restore point made on: 2013-09-05 06:05:00
Restore point made on: 2013-09-10 06:17:17

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 6094.36 MB
Available physical RAM: 5399.07 MB
Total Pagefile: 6092.56 MB
Available Pagefile: 5392.02 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (FREEDOS) (Fixed) (Total:465.76 GB) (Free:340.28 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive e: () (Removable) (Total:3.74 GB) (Free:0.68 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 4042348C)
Partition 1: (Active) - (Size=466 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)


LastRegBack: 2013-09-01 11:45

==================== End Of Log ============================
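The two Userinit lines in the log above are the persistence point that the moderator's fixlist later restores: Winlogon runs every comma-separated entry of that value at logon, including in Safe Mode, so the appended qItaYPgY.exe started alongside userinit.exe, which matches what the poster saw. As an added example that is not part of this thread or of FRST, here is a small Python triage script for FRST registry, Startup and Services lines; the checks, regexes and the sample block (lines copied from the log above plus one benign control line) are my own construction, and the service check relies on FRST tagging a path it could not find with [x].

```python
import re

# Constructed sample: lines copied from the FRST.txt posted in this thread,
# plus one benign control line (AMD AVT), so the checks below run offline.
SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12459112 2012-03-27] (Realtek Semiconductor)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,,C:\Program Files (x86)\Steam\qItaYPgY.exe
HKLM-x32\...\Winlogon: [Userinit] userinit.exe,,C:\Program Files (x86)\Steam\qItaYPgY.exe [x]
HKLM-x32\...\Run: [AMD AVT] - C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe [10752 2012-01-31] ()
HKU\Brian\...\Run: [Steam] - C:\Program Files (x86)\Steam\steam.exe [1811880 2013-08-29] (Valve Corporation)
HKU\Brian\...\Run: [kFrYHkhJ] - C:\Users\Brian\AppData\Local\Adobe\JyEgMOdD.exe [157184 2013-09-09] ()
Startup: C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cVuSZFJE.exe ()
S2 Adobe Licensing Console; %SystemRoot%\system32\msvfd32.exe [x]
"""

# "HKLM\...\Winlogon: [Userinit] <value>" with an optional trailing "[x]" (file not found).
USERINIT_RE = re.compile(
    r"^(?P<hive>HKLM(?:-x32)?)\\\.\.\.\\Winlogon: \[Userinit\] (?P<value>.+?)(?: \[x\])?$"
)
# "<hive>\...\Run: [<name>] - <command> [<size> <date>] (<company>)"
RUN_RE = re.compile(
    r"^(?P<hive>HK\S*?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] - (?P<cmd>.+?) "
    r"\[\d+ \d{4}-\d\d-\d\d\] \((?P<pub>[^)]*)\)$"
)
# "Startup: <path> (<company>)"
STARTUP_RE = re.compile(r"^Startup: (?P<cmd>.+?) \((?P<pub>[^)]*)\)$")
# "<state> <service name>; <path> [x]" -- only the file-missing form is of interest here
SERVICE_MISSING_RE = re.compile(r"^(?P<state>[SR]\d) (?P<name>[^;]+); (?P<path>.+?) \[x\]$")

# Locations an ordinary user can write to; vendor software rarely autostarts from here
# without a company name in its version info.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def check_userinit(line):
    """Flag a Winlogon Userinit value that carries anything besides userinit.exe.
    Winlogon runs every comma-separated entry, so an appended path is a
    persistence point (the one the fixlist in this thread restored)."""
    m = USERINIT_RE.match(line)
    if not m:
        return None
    parts = [p.strip() for p in m.group("value").split(",") if p.strip()]
    extra = [p for p in parts if p.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
    if not extra:
        return None
    return {"kind": "userinit_hijack", "hive": m.group("hive"), "extra": extra}


def check_autorun(line):
    """Flag Run/Startup entries with an empty company field whose binary lives in a
    user-writable path. A missing company name alone is not enough (see AMD AVT)."""
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    cmd, pub = m.group("cmd"), m.group("pub").strip()
    if pub or not any(tok in cmd.lower() for tok in USER_WRITABLE):
        return None
    name = m.groupdict().get("name") or "Startup folder"
    return {"kind": "no_company_autorun_in_user_path", "name": name, "cmd": cmd}


def check_service_missing(line):
    """Flag a service whose image FRST tagged [x], i.e. not found at the listed path;
    a dropper that registered a service and then moved or deleted itself looks like this."""
    m = SERVICE_MISSING_RE.match(line)
    if not m:
        return None
    return {"kind": "service_file_missing", "name": m.group("name"), "path": m.group("path")}


CHECKS = (check_userinit, check_autorun, check_service_missing)


def triage(log_text):
    """Run every check over each non-empty line and return findings in log order."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        for check in CHECKS:
            finding = check(line)
            if finding:
                finding["line"] = lineno
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Running it against a full FRST.txt (for example triage(open("FRST.txt", encoding="utf-8-sig").read())) gives a short list to review before writing a fixlist; the heuristics are deliberately narrow, so an empty result is not a clean bill of health.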



#2
JSntgRvr
  • Global Moderator
  • 10,966 posts
Welcome!

Download the enclosed file (attached: fixlist.txt, 1013 bytes).

Save it next to FRST64.

Run FRST64 and click on the Fix button

The tool will make a log next to FRST64 (Fixlog.txt). Please post it to your reply.

Attempt to boot in Normal Mode and let me know the outcome.

#3
jkabat
  • Topic Starter
  • Member
  • 98 posts
Thank you for your response and attention.

I followed your suggestions. The log is attached below.

The attempt to start the computer in normal mode resulted in everything seeming normal. The FBI Moneypak seems to be gone.

I am very thankful. If there is anything else I should do please let me know.





Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-09-2013 02
Ran by SYSTEM at 2013-09-14 20:09:40 Run:1
Running from E:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
Start
HKU\Brian\...\Run: [kFrYHkhJ] - C:\Users\Brian\AppData\Local\Adobe\JyEgMOdD.exe [157184 2013-09-09] ()
Startup: C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cVuSZFJE.exe ()
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-21] (Microsoft Corporation)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,,C:\Program Files (x86)\Steam\qItaYPgY.exe
HKLM-x32\...\Winlogon: [Userinit] userinit.exe,,C:\Program Files (x86)\Steam\qItaYPgY.exe [x]
C:\Users\Brian\AppData\Local\Temp\oi_{2017EA78-97B9-4116-A639-384D90AE9816}.exe
C:\Users\Brian\AppData\Local\Temp\oi_{4CD0CF1E-82C5-4659-B09F-53D0F094C638}.exe
C:\Users\Brian\AppData\Local\Temp\ose00000.exe
C:\Users\Brian\AppData\Local\Temp\SRLDetectionLibrary6871398065574144517.dll
C:\Users\Brian\AppData\Local\Temp\UNINSTALL.EXE
C:\Users\Brian\AppData\Local\Temp\yghPiexN.exe
C:\Users\Brian\AppData\Local\Temp\_isC4F.exe
C:\Users\Brian\AppData\Local\Temp\_isF852.exe
End
*****************

HKU\Brian\Software\Microsoft\Windows\CurrentVersion\Run\\kFrYHkhJ => Value deleted successfully.
C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cVuSZFJE.exe => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore => Value deleted successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => Value was restored successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => Value was restored successfully.
C:\Users\Brian\AppData\Local\Temp\oi_{2017EA78-97B9-4116-A639-384D90AE9816}.exe => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\oi_{4CD0CF1E-82C5-4659-B09F-53D0F094C638}.exe => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\ose00000.exe => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\SRLDetectionLibrary6871398065574144517.dll => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\UNINSTALL.EXE => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\yghPiexN.exe => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\_isC4F.exe => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\_isF852.exe => Moved successfully.

==== End of Fixlog ====

#4 JSntgRvr (Global Moderator, 10,966 posts)
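The fixlist above shows the persistence this infection relied on: a Run value and a Startup-folder executable with no publisher under the user's AppData, and a second executable appended to both Winlogon Userinit values. As an added example, not from the thread or from FRST itself, here is a small Python triage of FRST-format autostart lines that flags exactly those patterns; the sample lines are constructed from the entries the fixlist removed plus one benign OEM entry.

```python
import re

# Constructed sample in FRST's autostart-line format, modelled on this thread's fixlist.
SAMPLE_LINES = [
    r"HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12459112 2012-03-27] (Realtek Semiconductor)",
    r"HKU\Brian\...\Run: [kFrYHkhJ] - C:\Users\Brian\AppData\Local\Adobe\JyEgMOdD.exe [157184 2013-09-09] ()",
    r"Startup: C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cVuSZFJE.exe ()",
    r"HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,,C:\Program Files (x86)\Steam\qItaYPgY.exe",
    r"HKLM-x32\...\Winlogon: [Userinit] userinit.exe,,C:\Program Files (x86)\Steam\qItaYPgY.exe [x]",
]

# Paths a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Temp\\", re.IGNORECASE)
# FRST prints the file's signer/company in trailing parentheses; "()" means none found.
NO_PUBLISHER = re.compile(r"\(\)\s*$")
USERINIT_RE = re.compile(r"^(HKLM(?:-x32)?)\\\.\.\.\\Winlogon: \[Userinit\] (.+?)(?: \[x\])?$")
AUTORUN_RE = re.compile(
    r"^(?:HK\w+\\.*?\\Run: \[(?P<name>[^\]]+)\] - |Startup: )(?P<path>.+?\.exe)",
    re.IGNORECASE,
)

def userinit_findings(line):
    """Userinit should name only userinit.exe; every extra comma-separated
    path runs at logon, and Winlogon applies this value in Safe Mode too."""
    m = USERINIT_RE.match(line)
    if not m:
        return []
    hive, value = m.groups()
    extras = [p for p in value.split(",") if p and not p.lower().endswith("userinit.exe")]
    return [f"{hive} Userinit hijack -> {p}" for p in extras]

def autorun_findings(line):
    """Run values and Startup-folder items launched from a user-writable path
    with no publisher, like the random-named executables in the fixlist."""
    m = AUTORUN_RE.match(line)
    if not m:
        return []
    path = m.group("path")
    if USER_WRITABLE.search(path) and NO_PUBLISHER.search(line):
        label = m.group("name") or "Startup folder"
        return [f"unsigned autorun [{label}] -> {path}"]
    return []

def triage(lines):
    """Return all findings for a list of FRST autostart lines, in log order."""
    findings = []
    for line in lines:
        findings += userinit_findings(line) + autorun_findings(line)
    return findings
```

Running `triage(SAMPLE_LINES)` yields four findings: the two unsigned AppData autoruns and the Userinit hijack in both the 64-bit and WOW6432Node Winlogon keys, while the Realtek entry is left alone.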
It would be a good idea to check for malware.

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Download ADWCleaner to your desktop.

NOTE: If using Internet Explorer and you get an alert that stops the program downloading, click on the warning and allow the download to complete.

Close all programs and click on the AdwCleaner icon.

Click on Scan and follow the prompts. Let it run unhindered. When done, click on the Clean button, and follow the prompts. Allow the system to reboot. You will then be presented with the report. Copy & Paste this report in your next reply.

The report will be saved in the C:\AdwCleaner folder as AdwCleaner[S0].txt.

Please download Malwarebytes' Anti-Malware from Here.

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#5 jkabat (Topic Starter, Member, 98 posts)
Thanks for your help. The computer is working well.


JRT and ADW logs attached. The Malwarebytes program didn't finish and didn't produce a log.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.0 (09.12.2013:1)
OS: Windows 7 Home Premium x64
Ran by Brian on 2013-09-14 at 22:38:16.44
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\scripthelper.exe
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\viprotocol.dll
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\protocols\handler\viprotocol
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\s
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\scripthelper.scripthelperapi
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\scripthelper.scripthelperapi.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\viprotocol.viprotocolole
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\viprotocol.viprotocolole.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Users\Brian\AppData\Roaming\opencandy"
Successfully deleted: [Folder] "C:\Users\Brian\AppData\Roaming\pdfforge"
Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"



~~~ Event Viewer Logs were cleared



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 2013-09-14 at 22:45:46.50
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


# AdwCleaner v3.004 - Report created 14/09/2013 at 22:54:16
# Updated 15/09/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Brian - BRIAN-PC
# Running from : C:\Users\Brian\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\Common Files\AVG Secure Search

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [[email protected]]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16686


-\\ Google Chrome v29.0.1547.66

[ File : C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : icon_url

*************************

AdwCleaner[R0].txt - [2693 octets] - [14/09/2013 22:50:43]
AdwCleaner[S0].txt - [2587 octets] - [14/09/2013 22:54:16]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2647 octets] ##########

#6 JSntgRvr (Global Moderator, 10,966 posts)

Thanks for your help. The computer is working well.


Congratulations.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Run AdwCleaner and uninstall.

Manually remove any tool left.

Here are some suggestions.

  • Always keep your JAVA updated. Older versions will make your computer vulnerable.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

I will keep the thread open for a couple days, should you need further help.

Best wishes!

#7 JSntgRvr (Global Moderator, 10,966 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.