[NEED HELP with FBI Moneypak Virus]

Results of screen317's Security Check version 0.99.56

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Norton Internet Security

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

JavaFX 2.1.0

Java 7 Update 4

Java version out of Date!

Adobe Flash Player 11.4.402.287 Flash Player out of Date!

Mozilla Firefox (17.0.1)

Google Chrome 21.0.1180.83

Google Chrome 21.0.1180.89

Google Chrome 22.0.1229.79

Google Chrome 22.0.1229.92

Google Chrome 22.0.1229.94

Google Chrome 23.0.1271.64

Google Chrome 23.0.1271.91

Google Chrome 23.0.1271.95

````````Process Check: objlist.exe by Laurent````````

Norton ccSvcHst.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0%

````````````````````End of Log``````````````````````

[NEED HELP with FBI Moneypak Virus]

# AdwCleaner v2.011 - Logfile created 12/07/2012 at 13:16:37

# Updated 02/12/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Zarko - ZARKO-PC

# Boot Mode : Normal

# Running from : C:\Users\Zarko\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Users\Zarko\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlfienamagdnkekbbbocojppncdambda

***** [Registry] *****

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16455

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

Profile name : default

File : C:\Users\Zarko\AppData\Roaming\Mozilla\Firefox\Profiles\iluejcbp.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v23.0.1271.95

File : C:\Users\Zarko\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [10874 octets] - [03/12/2012 13:05:32]

AdwCleaner[R2].txt - [1207 octets] - [06/12/2012 06:07:28]

AdwCleaner[R3].txt - [1267 octets] - [07/12/2012 13:16:07]

AdwCleaner[s1].txt - [11047 octets] - [03/12/2012 13:09:41]

AdwCleaner[s2].txt - [1200 octets] - [07/12/2012 13:16:37]

########## EOF - C:\AdwCleaner[s2].txt - [1260 octets] ##########

[NEED HELP with FBI Moneypak Virus]

# AdwCleaner v2.011 - Logfile created 12/06/2012 at 06:07:28

# Updated 02/12/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Zarko - ZARKO-PC

# Boot Mode : Normal

# Running from : C:\Users\Zarko\Desktop\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

Folder Found : C:\Users\Zarko\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlfienamagdnkekbbbocojppncdambda

***** [Registry] *****

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16455

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

Profile name : default

File : C:\Users\Zarko\AppData\Roaming\Mozilla\Firefox\Profiles\iluejcbp.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v23.0.1271.95

File : C:\Users\Zarko\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [10874 octets] - [03/12/2012 13:05:32]

AdwCleaner[R2].txt - [1017 octets] - [06/12/2012 06:07:28]

AdwCleaner[s1].txt - [11047 octets] - [03/12/2012 13:09:41]

########## EOF - C:\AdwCleaner[R2].txt - [1138 octets] ##########

[NEED HELP with FBI Moneypak Virus]

Thanks again,

I was able to run ComboFix, attached is the log.

Let me know if I need to do something else.

ComboFix log.txt

[NEED HELP with FBI Moneypak Virus]

What do I need to do next. The OTL files are attached in previous post.

[NEED HELP with FBI Moneypak Virus]

Now in standard mode under the new user log in evry time I try to open a new web page or tab I get this:

Do you want to allow the following program to make changes to this computer?

Program name: ssvagent.exe

Verified Publisher: Oracle America Inc.

File origin: Hard drive on this computer

After clicking NO it opens the web page.

Thank You for all the help

Zarko

[NEED HELP with FBI Moneypak Virus]

I did log-in under new user and did run OTL.

Extras.Txt

OTL.Txt

[NEED HELP with FBI Moneypak Virus]

I am havig problem diactivating Norton in Safe Mode and I am geting this error(see attachment).

Shuld I try to log in under the different user (not in Safe Mode) that I created.

[NEED HELP with FBI Moneypak Virus]

RogueKiller V8.3.1 [Dec 2 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Safe mode with network support

User : Zarko [Admin rights]

Mode : Scan -- Date : 12/03/2012 16:59:57

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 17 ¤¤¤

[RUN][HJNAME] HKCU\[...]\Run : conhost (C:\Users\Zarko\AppData\Roaming\Microsoft\conhost.exe) -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : EPSON Stylus Photo R1800 (C:\Windows\system32\spool\DRIVERS\x64\3\E_IATI9LA.EXE /FU "C:\Windows\TEMP\E_SBCA2.tmp" /EF "HKCU") -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : Chinese Reader (C:\Users\Zarko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MDBG\Chinese Reader.appref-ms) -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : DW6 ("C:\Program Files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe") -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : Adobe ARM ("C:\Users\Zarko\AppData\Roaming\ifgxpers.exe") -> FOUND

[RUN][HJNAME] HKUS\S-1-5-21-3832389784-3191397106-927586553-1000[...]\Run : conhost (C:\Users\Zarko\AppData\Roaming\Microsoft\conhost.exe) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3832389784-3191397106-927586553-1000[...]\Run : EPSON Stylus Photo R1800 (C:\Windows\system32\spool\DRIVERS\x64\3\E_IATI9LA.EXE /FU "C:\Windows\TEMP\E_SBCA2.tmp" /EF "HKCU") -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3832389784-3191397106-927586553-1000[...]\Run : Chinese Reader (C:\Users\Zarko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MDBG\Chinese Reader.appref-ms) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3832389784-3191397106-927586553-1000[...]\Run : DW6 ("C:\Program Files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe") -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3832389784-3191397106-927586553-1000[...]\Run : Adobe ARM ("C:\Users\Zarko\AppData\Roaming\ifgxpers.exe") -> FOUND

[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 activate.adobe.com

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK5056GSY ATA Device +++++

--- User ---

[MBR] c79f2bd0be0c416046337c7b4be5e0f7

[bSP] 86e0863e50002712c3a8f7a1fcd1f6b6 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 461899 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_12032012_02d1659.txt >>

RKreport[1]_S_12032012_02d1659.txt

[NEED HELP with FBI Moneypak Virus]

I did download DDS, tryed to run it , notepad opens with strange unreadable text but someware on the top it reads that can not be run in DOS, I am in Safe Mode

[NEED HELP with FBI Moneypak Virus]

Attached is the mbam-log, In the Protection tab - Protection disabled, not able to chech Enable filesystem protection and Enable malicios website blocking

mbam-log-2012-12-03 (15-47-57).txt

[NEED HELP with FBI Moneypak Virus]

I did finaly boot into safe mode and I am runing Malwarebytes scan at the moment

[NEED HELP with FBI Moneypak Virus]

My laptop has the FBI Moneypak Virus, need Help.

Widows 7, I was reading some of the blogs but it will help to have step by step instructions, I am not experience and I am afraid that I may make it worst.

Thank You