
Moneypak Virus


Razion


Hello! I seem to have acquired a rather nasty version of the MoneyPak fake FBI virus that prevents me from doing anything (including booting into safe mode). I've gone ahead and made proper FRST logs to save some time. Any assistance would be brilliant.

Thanks!

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 09-01-2013

Ran by SYSTEM at 12-01-2013 18:04:20

Running from G:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Bins] "C:\Program Files\1UPIndustries\Bins\BinsLauncher.exe" /startup [1141952 2012-08-25] ()

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8321568 2009-11-10] (Realtek Semiconductor)

HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [642728 2012-09-28] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [PSUAMain] "C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSUAMain.exe" /LaunchSysTray [32032 2012-11-14] (Panda Security, S.L.)

HKLM-x32\...\Run: [Razer Nostromo Driver] C:\Program Files (x86)\Razer\Nostromo\RazerNostromoSysTray.exe [978840 2011-07-19] (Razer USA Ltd)

HKLM-x32\...\Run: [Razer Orochi Driver] C:\Program Files (x86)\Razer\Orochi\RazerOrochiTray.exe [2548056 2009-10-22] (Razer USA Ltd)

HKU\Chris Vitale\...\Run: [AdobeBridge] [x]

HKU\Chris Vitale\...\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1354736 2012-12-24] (Valve Corporation)

HKU\Chris Vitale\...\Run: [Spotify Web Helper] "C:\Users\Chris Vitale\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1199576 2012-12-14] (Spotify Ltd)

HKU\Chris Vitale\...\Run: [Unified Remote v2] C:\Program Files (x86)\Unified Remote\RemoteServer.exe [275544 2013-01-03] (Unified Intents AB)

HKU\Chris Vitale\...\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe [3093624 2013-01-11] ()

HKU\Chris Vitale\...\Policies\system: [DisableTaskMgr] 1

HKLM\...\Winlogon: [Shell] explorer.exe, C:\Users\Chris Vitale\AppData\Roaming\_gzysxapmk [x ] ()

Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

==================== Services (Whitelisted) ===================

3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-05] ()

2 NanoServiceMain; "C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSANHost.exe" [140064 2012-11-12] (Panda Security, S.L.)

2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2012-12-24] ()

2 PSUAService; "C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSUAService.exe" [36640 2012-11-14] (Panda Security, S.L.)

==================== Drivers (Whitelisted) =====================

1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-12-24] (DT Soft Ltd)

1 NNSALPC; C:\Windows\System32\Drivers\NNSALPC.sys [127016 2012-11-09] (Panda Security, S.L.)

1 NNSHTTP; C:\Windows\System32\Drivers\NNSHTTP.sys [136232 2012-11-09] (Panda Security, S.L.)

1 NNSIDS; C:\Windows\System32\Drivers\NNSIDS.sys [154152 2012-11-09] (Panda Security, S.L.)

1 NNSNAHSL; C:\Windows\System32\Drivers\NNSNAHSL.sys [33320 2012-10-22] (Panda Security, S.L.)

1 NNSPICC; C:\Windows\System32\Drivers\NNSPICC.sys [134696 2012-11-09] (Panda Security, S.L.)

4 NNSPIHSW; C:\Windows\System32\Drivers\NNSPIHSW.sys [83496 2012-11-09] (Panda Security, S.L.)

1 NNSPOP3; C:\Windows\System32\Drivers\NNSPOP3.sys [139304 2012-11-09] (Panda Security, S.L.)

1 NNSPROT; C:\Windows\System32\Drivers\NNSPROT.sys [397864 2012-11-09] (Panda Security, S.L.)

1 NNSPRV; C:\Windows\System32\Drivers\NNSPRV.sys [150568 2012-11-09] (Panda Security, S.L.)

1 NNSSMTP; C:\Windows\System32\Drivers\NNSSMTP.sys [135208 2012-11-09] (Panda Security, S.L.)

1 NNSSTRM; C:\Windows\System32\Drivers\NNSSTRM.sys [291368 2012-11-09] (Panda Security, S.L.)

1 NNSTLSC; C:\Windows\System32\Drivers\NNSTLSC.sys [148520 2012-11-09] (Panda Security, S.L.)

2 PSINAflt; C:\Windows\System32\Drivers\PSINAflt.sys [167976 2012-11-09] (Panda Security, S.L.)

2 PSINFile; C:\Windows\System32\Drivers\PSINFile.sys [119848 2012-11-09] (Panda Security, S.L.)

1 PSINKNC; C:\Windows\System32\Drivers\PSINKNC.sys [204328 2012-11-09] (Panda Security, S.L.)

2 PSINProc; C:\Windows\System32\Drivers\PSINProc.sys [123944 2012-11-09] (Panda Security, S.L.)

2 PSINProt; C:\Windows\System32\Drivers\PSINProt.sys [133160 2012-11-09] (Panda Security, S.L.)

3 PSKMAD; C:\Windows\System32\Drivers\PSKMAD.sys [58360 2012-11-07] (Panda Security, S.L.)

3 rzjoystk; C:\Windows\System32\Drivers\rzjoystk.sys [19968 2011-03-24] (Razer USA Ltd)

3 RzSynapse; C:\Windows\System32\Drivers\RzSynapse.sys [157184 2011-07-14] (Razer USA Ltd)

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-01-12 17:45 - 2013-01-12 17:58 - 00115200 ____A (Iwu) C:\Users\Chris Vitale\AppData\Local\_gzysxapmk.exe

2013-01-12 08:56 - 2013-01-12 09:04 - 00000000 ___AD C:\Kaspersky Rescue Disk 10.0

2013-01-12 04:08 - 2013-01-12 04:08 - 00000000 ____D C:\FRST

2013-01-12 03:19 - 2013-01-12 17:57 - 00115200 ____A (Iwu) C:\Users\Chris Vitale\AppData\Roaming\_gzysxapmk.exe

2013-01-12 02:55 - 2013-01-12 17:57 - 00115200 ____A (Iwu) C:\Users\All Users\_gzysxapmk.exe

==================== One Month Modified Files and Folders =======

2013-01-12 17:58 - 2013-01-12 17:45 - 00115200 ____A (Iwu) C:\Users\Chris Vitale\AppData\Local\_gzysxapmk.exe

2013-01-12 17:58 - 2013-01-12 03:19 - 00115200 ____A (Iwu) C:\Users\Chris Vitale\AppData\Roaming\_gzysxapmk.exe

2013-01-12 17:57 - 2013-01-12 02:55 - 00115200 ____A (Iwu) C:\Users\All Users\_gzysxapmk.exe

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys

[2012-12-14 03:10] - [2012-09-06 09:38] - 0295792 ____A (Microsoft Corporation) 9E425AC5C9A5A973273D169F43B4F5E1

testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!

nointegritychecks: ==> Integrity Checks is disabled <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-01-10 00:24:18

Restore point made on: 2013-01-10 12:20:46

Restore point made on: 2013-01-10 19:28:55

Restore point made on: 2013-01-11 12:28:05

Restore point made on: 2013-01-11 21:07:27

Restore point made on: 2013-01-12 00:44:36

==================== Memory info ===========================

Percentage of memory in use: 11%

Total physical RAM: 6068.55 MB

Available physical RAM: 5340.39 MB

Total Pagefile: 6066.7 MB

Available Pagefile: 5325.75 MB

Total Virtual: 8192 MB

Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:596.07 GB) (Free:456.09 GB) NTFS

4 Drive g: () (Removable) (Total:7.45 GB) (Free:7.45 GB) FAT32

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 596 GB 0 B

Disk 1 No Media 0 B 0 B

Disk 2 Online 7629 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 596 GB 101 MB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 596 GB Healthy

=========================================================

Partitions of Disk 2:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

* Partition 1 Primary 7629 MB 0 B

==================================================================================

Disk: 2

There is no partition selected.

There is no partition selected.

Please select a partition and try again.

=========================================================

Last Boot: 2013-01-04 14:16

==================== End Of Log =============================

Farbar Recovery Scan Tool (x64) Version: 09-01-2013

Ran by SYSTEM at 2013-01-12 18:06:27

Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

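The log above carries the whole story of this infection in a handful of lines: a second entry appended to the Winlogon Shell value, a DisableTaskMgr policy, the same 115200-byte `_gzysxapmk.exe` dropped in three user-writable folders, and FRST's own ATTENTION flags for testsigning and nointegritychecks. The script below is an added example, not part of the original post and not FRST's code; it parses those line formats and reports each indicator. The heuristics (user-writable directory plus empty publisher, same name and size in several places, any non-explorer.exe Shell entry) are the author's assumptions, and the sample input is constructed from lines of the log above plus two clean control entries.

```python
"""
Triage a Farbar Recovery Scan Tool (FRST) log for the persistence and tamper
indicators seen in the thread above.  Added example, not FRST's own code.
"""
import ntpath
import re
from collections import defaultdict

# Sample input (constructed for this example): lines copied from the FRST log
# posted above, plus the Realtek and Spotify entries as clean controls.
SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8321568 2009-11-10] (Realtek Semiconductor)
HKU\Chris Vitale\...\Run: [Spotify Web Helper] "C:\Users\Chris Vitale\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1199576 2012-12-14] (Spotify Ltd)
HKU\Chris Vitale\...\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe [3093624 2013-01-11] ()
HKU\Chris Vitale\...\Policies\system: [DisableTaskMgr] 1
HKLM\...\Winlogon: [Shell] explorer.exe, C:\Users\Chris Vitale\AppData\Roaming\_gzysxapmk [x ] ()
2013-01-12 17:45 - 2013-01-12 17:58 - 00115200 ____A (Iwu) C:\Users\Chris Vitale\AppData\Local\_gzysxapmk.exe
2013-01-12 03:19 - 2013-01-12 17:57 - 00115200 ____A (Iwu) C:\Users\Chris Vitale\AppData\Roaming\_gzysxapmk.exe
2013-01-12 02:55 - 2013-01-12 17:57 - 00115200 ____A (Iwu) C:\Users\All Users\_gzysxapmk.exe
2013-01-12 08:56 - 2013-01-12 09:04 - 00000000 ___AD C:\Kaspersky Rescue Disk 10.0
testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!
nointegritychecks: ==> Integrity Checks is disabled <===== ATTENTION!
"""

# Directory markers a non-admin user (or malware running as that user) can
# write to.  Assumed list for this example.
USER_WRITABLE = ("\\appdata\\", "\\users\\all users\\", "\\programdata\\", "\\temp\\")

RUN_RE = re.compile(r"^HK(?:LM|U)[^:]*\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.*)$")
SHELL_RE = re.compile(r"Winlogon: \[Shell\] (?P<value>.*)$")
POLICY_RE = re.compile(r"\\Policies\\system: \[(?P<name>[^\]]+)\] (?P<value>\S+)")
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - (?P<size>\d+) \S+ "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>[A-Za-z]:\\.*)$"
)
SIZE_STAMP_RE = re.compile(r" \[\d+ \d{4}-\d\d-\d\d\]")


def in_user_writable(path):
    """True if the path sits under a directory a standard user can write to."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def parse_run(line):
    """Return (value name, command, publisher) for an FRST Run-key line."""
    m = RUN_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    pub = re.search(r"\(([^()]*)\)\s*$", rest)       # trailing "(Publisher)" or "()"
    publisher = pub.group(1).strip() if pub else ""
    command = SIZE_STAMP_RE.split(rest)[0].strip().strip('"')  # drop "[size date]"
    return m.group("name"), command, publisher


def parse_shell(line):
    """Return the comma-separated entries of the Winlogon Shell value."""
    m = SHELL_RE.search(line)
    if not m:
        return None
    value = m.group("value")
    # FRST appends "[x]" when the file is missing and "()" when no publisher.
    value = re.sub(r"\s*\[x ?\]\s*(?:\(\))?\s*$", "", value)
    return [p.strip() for p in value.split(",") if p.strip()]


def triage(log_text):
    """Scan FRST log text and return a list of finding dicts."""
    findings, files = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "<===== ATTENTION" in line:                # FRST's own integrity warnings
            findings.append({"kind": "attention_flag", "detail": line})
            continue
        pm = POLICY_RE.search(line)
        if pm and pm.group("name") == "DisableTaskMgr" and pm.group("value") == "1":
            findings.append({"kind": "taskmgr_disabled", "detail": line})
            continue
        shell = parse_shell(line)
        if shell is not None:                         # anything beyond explorer.exe is a hijack
            extra = [p for p in shell if p.lower() != "explorer.exe"]
            if extra:
                findings.append({"kind": "winlogon_shell_hijack", "extra": extra})
            continue
        run = parse_run(line)
        if run is not None:
            name, command, publisher = run
            if in_user_writable(command) and not publisher:
                findings.append({"kind": "unsigned_user_writable_autorun",
                                 "name": name, "command": command})
            continue
        fm = FILE_RE.match(line)
        if fm:
            files.append((fm.group("path"), int(fm.group("size"))))

    # One binary written under the same name and size to several user-writable
    # folders is the dropper-redundancy pattern visible in the log above.
    copies = defaultdict(set)
    for path, size in files:
        if in_user_writable(path):
            copies[(ntpath.basename(path).lower(), size)].add(path)
    for (name, size), paths in sorted(copies.items()):
        if len(paths) > 1:
            findings.append({"kind": "multi_copy_file", "name": name,
                             "size": size, "paths": sorted(paths)})

    # Tie the hijacked Shell entry to a dropped file.  The Shell value has no
    # extension; CreateProcess tries "<name>.exe" in that case.
    for f in findings:
        if f["kind"] == "winlogon_shell_hijack":
            targets = {e.lower() for e in f["extra"]} | {e.lower() + ".exe" for e in f["extra"]}
            f["related_files"] = [path for path, _ in files if path.lower() in targets]
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The Spotify entry shows why the autorun rule needs both conditions: it runs from AppData, which is common for per-user installers, but it carries a publisher string, so it is not flagged; the Winlogon entry, with no publisher and a file that FRST could not even find at scan time, is. Run the script against a full FRST.txt to get the same short list a helper would build by eye before writing a fixlist.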

OK, here you go... Please carefully carry out this procedure!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: now please enter System Recovery Options (as you did before).

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

