
FBI Moneypak nightmare - please help!



I was infected with the fbi moneypak virus. Couldn't do anything and couldn't boot in safe mode. Using a Spotmau BootSuite cd I was able to get the computer to boot up and run Malwarebytes. It found numerous threats and I removed them - before I found the forum.

Current scan is clean and computer will boot normally and seems fine. It still will NOT boot in safe mode. All attempts to boot in any form of safe mode generate a "Fatal System Error" and blue screen. Doesn't seem like all is fixed if this doesn't work. Should I be worried??

Thanks for any assistance!


Hello lisab90 and :welcome:! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

It is not clean for sure. Please follow the instructions here and post the log files in your next reply:

http://forums.malwarebytes.org/index.php?showtopic=9573


DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702

Run by Lisa at 13:16:58 on 2013-01-03

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.563 [GMT -8:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Antivirus Smart Protection *Enabled/Updated* {309568B9-1E0B-4A95-89C3-05D944E6AD20}

FW: Antivirus Smart Protection *Enabled*

.

============== Running Processes ================

.

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\ntvdm.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

.

============== Pseudo HJT Report ===============

.

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

TCP: NameServer = 10.10.100.10 10.10.100.11

TCP: Interfaces\{0FCFDAA6-EB8F-4783-B326-D16F89D9AFD1} : DHCPNameServer = 10.10.100.10 10.10.100.11

mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\progra~1\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

.

============= SERVICES / DRIVERS ===============

.

R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-1-3 398184]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-1-3 682344]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-1-3 21104]

.

=============== Created Last 30 ================

.

2013-01-03 21:16:50 -------- d--h--w- c:\windows\PIF

2013-01-03 20:09:29 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-01-03 15:33:41 -------- d-----w- c:\docume~1\lisa~1.lis\applic~1\Malwarebytes

2013-01-03 15:29:28 -------- d-----w- c:\docume~1\lisa~1.lis\local settings\application data\Mozilla

2013-01-02 21:52:42 -------- d-----w- c:\windows\pss

2013-01-02 20:31:10 -------- d-----w- c:\docume~1\alluse~1\application data\Spybot - Search & Destroy

2013-01-02 20:30:47 15224 ----a-w- c:\windows\system32\sdnclean.exe

2013-01-02 20:30:37 -------- d-----w- c:\program files\Spybot - Search & Destroy 2

2013-01-02 19:36:33 -------- d-sh--w- C:\$RECYCLE.BIN

2012-12-18 18:07:36 6812136 ----a-w- c:\docume~1\alluse~1\application data\microsoft\microsoft antimalware\definition updates\{9f9160ae-0915-40ad-a29a-2dd4c191ca7e}\mpengine.dll

2012-12-18 06:25:48 192728 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe

2012-12-17 18:04:27 6812136 ----a-w- c:\docume~1\alluse~1\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

.

==================== Find3M ====================

.

2013-01-02 19:38:54 574464 --s-a-w- c:\windows\system32\drivers\ntfs.sys

2013-01-02 19:38:51 2139256 --s-a-w- c:\windows\system32\ntoskrnl.exe

2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll

2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys

2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll

2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll

2012-11-01 12:17:54 43520 ------w- c:\windows\system32\licmgr10.dll

2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-11-01 00:35:34 385024 ------w- c:\windows\system32\html.iec

.

============= FINISH: 13:17:35.64 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 7/21/2011 4:29:24 PM

System Uptime: 1/3/2013 12:32:03 PM (1 hours ago)

.

Motherboard: Dell Inc. | | 0WJ770

Processor: Intel® Pentium® 4 CPU 3.06GHz | Microprocessor | 3059/533mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 298 GiB total, 241.344 GiB free.

D: is CDROM ()

E: is FIXED (NTFS) - 53 GiB total, 3.8 GiB free.

F: is FIXED (NTFS) - 18 GiB total, 17.948 GiB free.

G: is Removable

H: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: Video Controller (VGA Compatible)

Device ID: PCI\VEN_8086&DEV_2582&SUBSYS_01C41028&REV_04\3&172E68DD&0&10

Manufacturer:

Name: Video Controller (VGA Compatible)

PNP Device ID: PCI\VEN_8086&DEV_2582&SUBSYS_01C41028&REV_04\3&172E68DD&0&10

Service:

.

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: PCI Device

Device ID: PCI\VEN_8086&DEV_2668&SUBSYS_01C41028&REV_04\3&172E68DD&0&D8

Manufacturer:

Name: PCI Device

PNP Device ID: PCI\VEN_8086&DEV_2668&SUBSYS_01C41028&REV_04\3&172E68DD&0&D8

Service:

.

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: PCI Simple Communications Controller

Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&10BD256C&0&10F0

Manufacturer:

Name: PCI Simple Communications Controller

PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&10BD256C&0&10F0

Service:

.

==== System Restore Points ===================

.

RP1: 1/2/2013 3:01:40 PM - System Checkpoint

.

==== Installed Programs ======================

.

Intel® PRO Network Connections Drivers

Malwarebytes Anti-Malware version 1.70.0.1100

.

==== Event Viewer Messages From Past Week ========

.

1/2/2013 9:46:44 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

1/2/2013 7:05:32 AM, error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).

1/2/2013 12:31:12 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Spybot-S&D 2 Security Center Service service to connect.

1/2/2013 12:31:12 PM, error: Service Control Manager [7000] - The Spybot-S&D 2 Security Center Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

1/2/2013 12:30:46 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde

1/1/2013 4:42:17 PM, error: Dhcp [1002] - The IP address lease 10.0.0.6 for the Network Card with network address 001676AB59B0 has been denied by the DHCP server 10.0.0.1 (The DHCP Server sent a DHCPNACK message).

.

==== End Of File ===========================


FYI - my network adapter drivers were gone (disabled?) too.

You still have an internet connection, right? If yes, then it was not disabled.

Step 1

Please download Rkill to your desktop. There are two main different versions. If one of them won't run then download and try to run the other one. You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

  1. Double-click on the Rkill desktop icon to run the tool.
  2. If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  3. A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  4. If not, delete the file, then download and use the second RKill version. Do not reboot until instructed. If the tool does not run from any of the links provided, please let me know.
  5. When the scan is done Notepad will open with rKill log. Post it in your next reply.

NOTE: rKill.txt log will also be present on your desktop.

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 3

Please download and run this tool:

http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe

Follow the instructions and finally restart your computer.

In your next reply, post the following log files:

  • RKill log
  • Malwarebytes' Anti-Malware log
  • a new fresh DDS log


OK - here are the logs you asked for:

RKill

Rkill 2.4.5 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2013 BleepingComputer.com

More Information about Rkill can be found at this link:

http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/04/2013 06:46:04 AM in x86 mode.

Windows Version: Microsoft Windows XP Service Pack 2

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* wdmaud [Missing Service]

Searching for Missing Digital Signatures:

* C:\WINDOWS\System32\drivers\mqac.sys [NoSig]

+-> C:\WINDOWS\$hf_mig$\KB971032\SP2QFE\mqac.sys : 91,776 : 06/22/2009 00:30 AM : 9229e191fe206628be17d1e67a5faed9 [Pos Repl]

+-> C:\WINDOWS\ServicePackFiles\i386\mqac.sys : 92,544 : 04/13/2008 00:39 AM : 70c14f5cca5cf73f8a645c73a01d8726 [Pos Repl]

+-> C:\WINDOWS\system32\dllcache\mqac.sys : 91,776 : 06/22/2009 00:48 AM : eee50bf24caeedb515a8f3b22756d3bb [Pos Repl]

* C:\WINDOWS\System32\drivers\ntfs.sys [NoSig]

+-> C:\WINDOWS\$NtServicePackUninstall$\ntfs.sys : 574,592 : 08/04/2004 00:00 AM : b78be402c3f63dd55521f73876951cdd [Pos Repl]

+-> C:\WINDOWS\ServicePackFiles\i386\ntfs.sys : 574,976 : 04/13/2008 00:15 AM : 78a08dd6a8d65e697c18e1db01c5cdca [Pos Repl]

* C:\WINDOWS\System32\ntoskrnl.exe [NoSig]

+-> C:\WINDOWS\$hf_mig$\KB2393802\SP3QFE\ntoskrnl.exe : 2,192,768 : 12/09/2010 00:43 AM : a531bbd3de13121c1380ed7dc99082db [Pos Repl]

+-> C:\WINDOWS\$hf_mig$\KB2633171\SP3QFE\ntoskrnl.exe : 2,192,768 : 10/25/2011 00:34 AM : f512c662874d7545e5bd8005e6800a44 [Pos Repl]

+-> C:\WINDOWS\$hf_mig$\KB2676562\SP3QFE\ntoskrnl.exe : 2,192,640 : 04/11/2012 00:22 AM : 8d061bb825bc606c2b1c6f7452d1baaa [Pos Repl]

+-> C:\WINDOWS\$hf_mig$\KB2707511\SP3QFE\ntoskrnl.exe : 2,192,640 : 05/04/2012 00:20 AM : 099a0f80a563ebe935f4a9750f96c219 [Pos Repl]

+-> C:\WINDOWS\$hf_mig$\KB2724197\SP3QFE\ntoskrnl.exe : 2,193,024 : 08/21/2012 00:48 AM : eca5980e1a78dbf9cb7f49f76791c0d1 [Pos Repl]

+-> C:\WINDOWS\$hf_mig$\KB914882\SP2QFE\ntoskrnl.exe : 2,180,992 : 02/20/2006 08:01 PM : df4d09b676964646fa166a78c816b4c3 [Pos Repl]

+-> C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\ntoskrnl.exe : 2,186,112 : 02/06/2009 08:32 AM : 6a936e9d7badaf3caaeed1e1966ec1b0 [Pos Repl]

+-> C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\ntoskrnl.exe : 2,189,056 : 02/06/2009 08:08 AM : 7a95b10a73737ebf24139aaa63f5212b [Pos Repl]

+-> C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe : 2,189,184 : 02/07/2009 06:35 PM : efe8eace83eaad5849a7a548fb75b584 [Pos Repl]

+-> C:\WINDOWS\$hf_mig$\KB979683\SP2QFE\ntoskrnl.exe : 2,186,880 : 02/16/2010 06:37 AM : 97e2bf68857818a4d142b872404dc41b [Pos Repl]

+-> C:\WINDOWS\$hf_mig$\KB979683\SP3GDR\ntoskrnl.exe : 2,189,952 : 02/17/2010 06:10 AM : d41c3cbad0e1c0728d1cdfd541f60cfa [Pos Repl]

+-> C:\WINDOWS\$hf_mig$\KB979683\SP3QFE\ntoskrnl.exe : 2,190,080 : 02/16/2010 06:52 AM : e1f653a542449d54fa2d27463d99b6b6 [Pos Repl]

+-> C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe : 2,137,088 : 02/16/2010 00:17 AM : a63052fa8fb8685382e10ee83c326864 [Pos Repl]

+-> C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe : 2,192,896 : 08/21/2012 00:29 AM : 49fb9f4a7ce25b82b1e00c402783f5c5 [Pos Repl]

+-> C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe : 2,188,928 : 04/13/2008 00:27 AM : 0c89243c7c3ee199b96fcc16990e0679 [Pos Repl]

+-> C:\WINDOWS\system32\dllcache\ntoskrnl.exe : 2,192,896 : 08/21/2012 00:29 AM : 49fb9f4a7ce25b82b1e00c402783f5c5 [Pos Repl]

Checking HOSTS File:

* Cannot edit the HOSTS file.

* Permissions Fixed. Administrators can now edit the HOSTS file.

* HOSTS file entries found:

127.0.0.1 localhost

::1 localhost

Program finished at: 01/04/2013 06:47:04 AM

Execution time: 0 hours(s), 0 minute(s), and 59 seconds(s)

Malware QuickScan

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.01.04.05

Windows XP Service Pack 2 x86 NTFS

Internet Explorer 6.0.2900.2180

Lisa :: LISA-8CECD1EA3A [administrator]

1/4/2013 6:50:24 AM

mbam-log-2013-01-04 (06-50-24).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 331175

Time elapsed: 27 minute(s), 11 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 11

C:\Documents and Settings\Keith\Local Settings\Temp\XPI1KI.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\Keith\Local Settings\Temp\jar_cache4299583501108188422.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\Keith\Local Settings\Temp\nsg113.tmp\ghfwudvn.dll (Trojan.Happili) -> Quarantined and deleted successfully.

C:\Documents and Settings\Keith\Local Settings\Temp\nsh2B.tmp\ghfwudvn.dll (Trojan.Happili) -> Quarantined and deleted successfully.

C:\Documents and Settings\Keith\Local Settings\Temp\nsp2F.tmp\ghfwudvn.dll (Trojan.Happili) -> Quarantined and deleted successfully.

C:\Documents and Settings\Keith\Local Settings\Temp\nsr5.tmp\ghfwudvn.dll (Trojan.Happili) -> Quarantined and deleted successfully.

C:\Documents and Settings\Keith\Local Settings\Temp\nss5.tmp\ghfwudvn.dll (Trojan.Happili) -> Quarantined and deleted successfully.

C:\Documents and Settings\Keith\Local Settings\Temp\nst2A.tmp\ghfwudvn.dll (Trojan.Happili) -> Quarantined and deleted successfully.

C:\Documents and Settings\Keith\Local Settings\Temp\nst2C.tmp\ghfwudvn.dll (Trojan.Happili) -> Quarantined and deleted successfully.

C:\Documents and Settings\Keith\Local Settings\Temp\nswDB.tmp\ghfwudvn.dll (Trojan.Happili) -> Quarantined and deleted successfully.

C:\Documents and Settings\Keith\Local Settings\Temp\nsz2E.tmp\ghfwudvn.dll (Trojan.Happili) -> Quarantined and deleted successfully.

(end)

DDS

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702

Run by Lisa at 7:36:45 on 2013-01-04

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.508 [GMT -8:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Antivirus Smart Protection *Enabled/Updated* {309568B9-1E0B-4A95-89C3-05D944E6AD20}

FW: Antivirus Smart Protection *Enabled*

.

============== Running Processes ================

.

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\ntvdm.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

TCP: NameServer = 10.0.0.1

TCP: Interfaces\{0FCFDAA6-EB8F-4783-B326-D16F89D9AFD1} : DHCPNameServer = 10.0.0.1

mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\progra~1\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

.

============= SERVICES / DRIVERS ===============

.

R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-1-3 398184]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-1-3 682344]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-1-3 21104]

.

=============== Created Last 30 ================

.

2013-01-03 21:16:50 -------- d--h--w- c:\windows\PIF

2013-01-03 20:09:29 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-01-03 15:33:41 -------- d-----w- c:\docume~1\lisa~1.lis\applic~1\Malwarebytes

2013-01-03 15:29:28 -------- d-----w- c:\docume~1\lisa~1.lis\local settings\application data\Mozilla

2013-01-02 21:52:42 -------- d-----w- c:\windows\pss

2013-01-02 20:31:10 -------- d-----w- c:\docume~1\alluse~1\application data\Spybot - Search & Destroy

2013-01-02 20:30:47 15224 ----a-w- c:\windows\system32\sdnclean.exe

2013-01-02 20:30:37 -------- d-----w- c:\program files\Spybot - Search & Destroy 2

2013-01-02 19:36:33 -------- d-sh--w- C:\$RECYCLE.BIN

2012-12-18 18:07:36 6812136 ----a-w- c:\docume~1\alluse~1\application data\microsoft\microsoft antimalware\definition updates\{9f9160ae-0915-40ad-a29a-2dd4c191ca7e}\mpengine.dll

2012-12-18 06:25:48 192728 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe

2012-12-17 18:04:27 6812136 ----a-w- c:\docume~1\alluse~1\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

.

==================== Find3M ====================

.

2013-01-02 19:38:54 574464 --s-a-w- c:\windows\system32\drivers\ntfs.sys

2013-01-02 19:38:51 2139256 --s-a-w- c:\windows\system32\ntoskrnl.exe

2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll

2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys

2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll

2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll

2012-11-01 12:17:54 43520 ------w- c:\windows\system32\licmgr10.dll

2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-11-01 00:35:34 385024 ------w- c:\windows\system32\html.iec

.

============= FINISH: 7:37:01.62 ===============


BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please let me know.
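The backdoor warning above is driven by the detection family names in the Malwarebytes log posted earlier in the thread (two "Backdoor.Bot" hits among the "Files Detected" lines). The following is an added example, not code from Malwarebytes or from anyone in this thread: a small parser for the MBAM 1.x log layout that tallies detections per family, flags families whose name marks remote-control capability, lists items whose remediation is still pending (the "Delete on reboot" case the "Extra Note" refers to), and checks that the declared "Files Detected: N" header agrees with the number of item lines. The sample log is a subset of the lines posted above with the header count adjusted to match, plus one constructed "Delete on reboot" line; the "Backdoor." prefix rule is this example's assumption, not Malwarebytes' taxonomy.

```python
"""Summarise a Malwarebytes' Anti-Malware (MBAM 1.x) scan log.

Added example for this thread; not code from Malwarebytes or the forum.
The layout it parses ("<Section> Detected: N" headers followed by one
"<path> (<family>) -> <action>." line per item) is taken from the log
posted in the thread.
"""
import re
from collections import Counter

# Sample input: a subset of the "Files Detected" section of the log posted
# above (header count adjusted to the subset), plus one CONSTRUCTED line
# with a "Delete on reboot" action to exercise the pending-remediation path.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.70.0.1100
Scan type: Quick scan
Memory Processes Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Files Detected: 4
C:\Documents and Settings\Keith\Local Settings\Temp\XPI1KI.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Keith\Local Settings\Temp\jar_cache4299583501108188422.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Keith\Local Settings\Temp\nsg113.tmp\ghfwudvn.dll (Trojan.Happili) -> Quarantined and deleted successfully.
C:\Documents and Settings\Keith\Local Settings\Temp\CONSTRUCTED.dll (Trojan.Happili) -> Delete on reboot.
(end)
"""

# "Files Detected: 11", "Registry Keys Detected: 0", ...
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# "<path> (<family>) -> <action>."  The greedy path group lets paths that
# themselves contain parentheses still parse; the family is the last "(...)".
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Action string MBAM writes when an item was fully remediated during the scan.
REMEDIATED = "Quarantined and deleted successfully"
# Family-name prefixes treated as remote-control capable (assumption for this example).
REMOTE_ACCESS_PREFIXES = ("Backdoor.",)


def parse_mbam_log(text):
    """Return {'counts': {section: declared_count}, 'detections': [item dicts]}."""
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            counts[section] = int(m.group("count"))
            continue
        m = ITEM_RE.match(line)
        if m and section is not None:
            detections.append({"section": section, "path": m.group("path"),
                               "family": m.group("family"), "action": m.group("action")})
    return {"counts": counts, "detections": detections}


def family_counts(parsed):
    """Number of detections per malware family, e.g. {'Trojan.Happili': 2}."""
    return Counter(d["family"] for d in parsed["detections"])


def remote_access_families(parsed):
    """Sorted list of detected families whose name marks backdoor capability."""
    return sorted({d["family"] for d in parsed["detections"]
                   if d["family"].startswith(REMOTE_ACCESS_PREFIXES)})


def pending_items(parsed):
    """Items not yet remediated (e.g. 'Delete on reboot'): a restart is still required."""
    return [d for d in parsed["detections"] if d["action"] != REMEDIATED]


def count_mismatches(parsed):
    """Sections where the declared count differs from the item lines found.

    A mismatch usually means the pasted log was truncated or edited."""
    seen = Counter(d["section"] for d in parsed["detections"])
    return {s: (declared, seen.get(s, 0))
            for s, declared in parsed["counts"].items() if declared != seen.get(s, 0)}


def assess(parsed):
    """Single summary a helper could act on when reading a posted log."""
    remote = remote_access_families(parsed)
    return {
        "total": len(parsed["detections"]),
        "families": dict(family_counts(parsed)),
        "remote_access": remote,
        "pending": [d["path"] for d in pending_items(parsed)],
        "count_mismatches": count_mismatches(parsed),
        # Backdoor present: credentials used on this machine should be treated as exposed.
        "recommend_credential_reset": bool(remote),
    }


if __name__ == "__main__":
    for key, value in assess(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The "recommend_credential_reset" flag is the mechanical version of the advice in the warning above: a completed quarantine tells you the file is gone, not that credentials used while the backdoor was active are still safe, which is why the summary keys off the family name rather than the action.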


It depends on what information you have. There is no way to be sure if you have .exe, .com, .htm, .html, etc. files. It is fine for movies, music, pictures and documents.

If you have any kind of suspicion, you could check it at www.virustotal.com


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
