
infected with FBI Moneypak and can't use Safe Mode



Hi, I'm running Windows 7 32-bit and have been infected with the FBI Moneypak malware, and I can't use Safe Mode. After searching through the forums, I have already downloaded the Farbar Recovery Scan Tool, scanned the infected computer, and have the text file ready to give to you. Please help! Thanks.


Hello newsoma and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I give you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don't hesitate to stop and ask me if you have any questions.
  • Post your log files; don't attach them. Every log file should be copied and pasted into your next reply.
  • Do not perform any kind of scanning or fixing without my instructions. If you want to proceed on your own, please let me know.

After searching through the forums I have already downloaded the Farbar Recovery Scan Tool and scanned the infected computer and have the text file ready to give to you.

That would be great.


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-04-2013 (ATTENTION: FRST version is 6 days old)

Ran by SYSTEM at 17-04-2013 11:19:39

Running from F:\

Windows 7 Professional Service Pack 1 (X86) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe [900160 2012-07-06] (Sophos Limited)

HKLM\...\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe" [401408 2009-12-01] (Intel Corporation)

HKLM\...\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)

HKLM\...\Run: [DagentUI] C:\Program Files\Altiris\Dagent\dagentui.exe [548864 2011-06-10] (Altiris, Inc.)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)

HKU\lstudent.MCCLABS\...\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart [16328976 2012-12-17] (Google)

HKU\lstudent.MCCLABS\...\Run: [msapnf] "C:\Windows\System32\rundll32.exe" "C:\Users\lstudent.MCCLABS\AppData\Roaming\msapnf.dll",write_init_2 [774144 2013-04-11] (Technology Co., LTD)

Tcpip\Parameters: [DhcpNameServer] 10.10.0.13 10.10.0.14 10.140.0.13 10.150.0.13

AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL

Startup: C:\Users\lstudent.MCCLABS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 atchksrv; C:\Program Files\Intel\AMT\atchksrv.exe [176128 2009-12-01] (Intel Corporation)

2 LMS; C:\Program Files\Intel\AMT\LMS.exe [102400 2009-12-01] (Intel)

2 SAVAdminService; "C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe" [216640 2012-09-17] (Sophos Limited)

2 SAVService; "C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe" [139840 2012-08-20] (Sophos Limited)

2 Sophos Agent; "C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent [289856 2012-09-17] (Sophos Limited)

2 Sophos AutoUpdate Service; "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" [232512 2012-07-06] (Sophos Limited)

2 Sophos Message Router; "C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 [818240 2012-09-17] (Sophos Limited)

2 Sophos Web Control Service; "C:\Program Files\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe" [357400 2012-08-20] (Sophos Limited)

2 swi_service; "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe" [2863168 2012-09-17] (Sophos Limited)

2 UNS; C:\Program Files\Intel\AMT\UNS.exe [2519040 2009-12-01] (Intel)

3 AdobeFlashPlayerUpdateSvc; C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]

2 Altiris Deployment Agent; "C:\Program Files\Altiris\Dagent\dagent.exe" -load=default.dll,config.dll,autoupdate.dll [x]

2 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [x]

3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [x]

2 swi_update; "C:\ProgramData\Sophos\Web Intelligence\swi_update.exe" [x]

==================== Drivers (Whitelisted) ====================

1 SAVOnAccess; C:\Windows\System32\DRIVERS\savonaccess.sys [123680 2012-08-20] (Sophos Limited)

3 sdcfilter; C:\Windows\System32\DRIVERS\sdcfilter.sys [33696 2012-08-20] (Sophos Limited)

1 SKMScan; C:\Windows\System32\DRIVERS\skmscan.sys [31736 2012-08-20] (Sophos Plc)

4 SophosBootDriver; C:\Windows\System32\DRIVERS\SophosBootDriver.sys [22536 2012-08-20] (Sophos Plc)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-04-16 14:55 - 2013-04-16 14:55 - 00053119 ____A C:\Users\lstudent.MCCLABS\9was4t130dw1b.exe

2013-04-15 14:02 - 2013-04-15 14:02 - 00297824 ____A C:\Users\lstudent.MCCLABS\Documents\stress mgt.pptx

2013-04-15 14:00 - 2013-04-15 14:00 - 00297845 ____A C:\Users\lstudent.MCCLABS\Documents\stress management tips.pptx

2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\Users\lstudent.MCCLABS\AppData\Roaming\Malwarebytes

2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-04-12 08:56 - 2013-04-04 10:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2013-04-11 11:32 - 2013-04-16 14:54 - 00006493 ____A C:\Users\lstudent.MCCLABS\AppData\Local\ca59d205-a2de-11e2-8274-b8ac6f996f26.crx

2013-04-11 11:32 - 2013-04-12 08:26 - 00000000 ____D C:\ProgramData\4EA0441B322DECEF00004E9FF584F6A9

2013-04-11 11:32 - 2013-04-11 11:32 - 00774144 ____A (Technology Co., LTD) C:\Users\lstudent.MCCLABS\AppData\Roaming\msapnf.dll

2013-04-11 11:32 - 2013-04-11 11:32 - 00487424 ____A (Corporation) C:\Users\lstudent.MCCLABS\AppData\Roaming\pscdmc.dll

2013-04-10 05:53 - 2013-04-10 05:53 - 00000000 ____D C:\Users\russelg\AppData\Local\Adobe

2013-04-10 05:42 - 2013-04-10 05:53 - 00000000 ____D C:\Users\russelg\AppData\Roaming\Adobe

2013-04-10 05:41 - 2013-04-10 05:41 - 00000822 _RASH C:\Users\russelg\ntuser.pol

2013-04-10 05:41 - 2013-04-10 05:41 - 00000020 __ASH C:\Users\russelg\ntuser.ini

2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\Users\russelg\AppData\Roaming\Apple Computer

2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\Users\russelg\AppData\Local\VirtualStore

2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\users\russelg

2013-04-10 05:41 - 2013-01-15 10:21 - 00000000 ____D C:\Users\russelg\AppData\LocalGoogle

2013-04-10 05:41 - 2013-01-15 10:21 - 00000000 ____D C:\Users\russelg\AppData\Local\Google

2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Macromedia

2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Apple Computer

2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Adobe

2013-04-03 15:14 - 2013-04-03 15:15 - 00000000 ____D C:\users\bieberl

2013-04-03 15:14 - 2013-04-03 15:14 - 00000822 _RASH C:\Users\bieberl\ntuser.pol

2013-04-03 15:14 - 2013-04-03 15:14 - 00000020 ___SH C:\Users\bieberl\ntuser.ini

2013-04-03 15:14 - 2013-04-03 15:14 - 00000000 ____D C:\Users\bieberl\AppData\Local\VirtualStore

2013-04-03 15:14 - 2013-01-15 10:21 - 00000000 ____D C:\Users\bieberl\AppData\LocalGoogle

2013-04-03 15:14 - 2013-01-15 10:21 - 00000000 ____D C:\Users\bieberl\AppData\Local\Google

==================== One Month Modified Files and Folders ========

2013-04-17 11:18 - 2013-04-17 11:18 - 00000000 ____D C:\FRST

2013-04-17 07:02 - 2010-11-20 13:01 - 00713888 ____A C:\Windows\System32\PerfStringBackup.INI

2013-04-17 06:57 - 2012-08-20 15:53 - 01663570 ____A C:\Windows\WindowsUpdate.log

2013-04-17 06:57 - 2009-07-13 20:39 - 00053991 ____A C:\Windows\setupact.log

2013-04-17 06:48 - 2012-12-10 16:08 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-04-17 06:20 - 2012-12-10 16:08 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-04-17 06:20 - 2012-08-20 12:59 - 00000240 ____A C:\Windows\System32\config\netlogon.ftl

2013-04-17 06:05 - 2009-07-13 20:34 - 00026032 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-04-17 06:05 - 2009-07-13 20:34 - 00026032 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-04-17 06:02 - 2012-08-20 13:11 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-04-17 05:58 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-04-16 14:55 - 2013-04-16 14:55 - 00053119 ____A C:\Users\lstudent.MCCLABS\9was4t130dw1b.exe

2013-04-16 14:55 - 2012-08-20 13:01 - 00000000 ____D C:\users\lstudent.MCCLABS

2013-04-16 14:54 - 2013-04-11 11:32 - 00006493 ____A C:\Users\lstudent.MCCLABS\AppData\Local\ca59d205-a2de-11e2-8274-b8ac6f996f26.crx

2013-04-15 14:02 - 2013-04-15 14:02 - 00297824 ____A C:\Users\lstudent.MCCLABS\Documents\stress mgt.pptx

2013-04-15 14:00 - 2013-04-15 14:00 - 00297845 ____A C:\Users\lstudent.MCCLABS\Documents\stress management tips.pptx

2013-04-13 08:06 - 2010-11-20 13:48 - 00018246 ____A C:\Windows\PFRO.log

2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\Users\lstudent.MCCLABS\AppData\Roaming\Malwarebytes

2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-04-12 08:26 - 2013-04-11 11:32 - 00000000 ____D C:\ProgramData\4EA0441B322DECEF00004E9FF584F6A9

2013-04-11 11:32 - 2013-04-11 11:32 - 00774144 ____A (Technology Co., LTD) C:\Users\lstudent.MCCLABS\AppData\Roaming\msapnf.dll

2013-04-11 11:32 - 2013-04-11 11:32 - 00487424 ____A (Corporation) C:\Users\lstudent.MCCLABS\AppData\Roaming\pscdmc.dll

2013-04-10 05:53 - 2013-04-10 05:53 - 00000000 ____D C:\Users\russelg\AppData\Local\Adobe

2013-04-10 05:53 - 2013-04-10 05:42 - 00000000 ____D C:\Users\russelg\AppData\Roaming\Adobe

2013-04-10 05:41 - 2013-04-10 05:41 - 00000822 _RASH C:\Users\russelg\ntuser.pol

2013-04-10 05:41 - 2013-04-10 05:41 - 00000020 __ASH C:\Users\russelg\ntuser.ini

2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\Users\russelg\AppData\Roaming\Apple Computer

2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\Users\russelg\AppData\Local\VirtualStore

2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\users\russelg

2013-04-04 10:50 - 2013-04-12 08:56 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Macromedia

2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Apple Computer

2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Adobe

2013-04-03 15:15 - 2013-04-03 15:14 - 00000000 ____D C:\users\bieberl

2013-04-03 15:14 - 2013-04-03 15:14 - 00000822 _RASH C:\Users\bieberl\ntuser.pol

2013-04-03 15:14 - 2013-04-03 15:14 - 00000020 ___SH C:\Users\bieberl\ntuser.ini

2013-04-03 15:14 - 2013-04-03 15:14 - 00000000 ____D C:\Users\bieberl\AppData\Local\VirtualStore

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-08-20 12:57:25

==================== Memory info ===========================

Percentage of memory in use: 26%

Total physical RAM: 2013.61 MB

Available physical RAM: 1472.47 MB

Total Pagefile: 2013.61 MB

Available Pagefile: 1473.76 MB

Total Virtual: 2047.88 MB

Available Virtual: 1952.68 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:148.91 GB) (Free:129.45 GB) NTFS

3 Drive f: () (Removable) (Total:0.94 GB) (Free:0.91 GB) FAT

4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 149 GB 0 B

Disk 1 Online 964 MB 0 B

Partitions of Disk 0:

===============

Disk ID: 85508550

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 148 GB 101 MB

=========================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 148 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Disk ID: 00000001

Partition ### Type Size Offset

------------- ---------------- ------- -------

* Partition 1 Primary 964 MB 0 B

=========================================================

Disk: 1

There is no partition selected.

There is no partition selected.

Please select a partition and try again.

=========================================================

============================== MBR Partition Table ==================

==============================

Partitions of Disk 0:

===============

Disk ID: 85508550

Partition 1:

=========

Hex: 8020210007DF130C0008000000200300

Active: YES

Type: 07 (NTFS)

Size: 100 MB

Partition 2:

=========

Hex: 00DF140C07FEFFFF0028030000289D12

Active: NO

Type: 07 (NTFS)

Size: 149 GB

==============================

Partitions of Disk 1:

===============

Disk ID: 69737369

Partition 1:

=========

Hex: FF0D0A4469736B206572726F72FF0D0A

Active: NO

Type: 69

Size: 80 GB

Partition 2:

=========

Hex: 507265737320616E79206B657920746F

Active: NO

Type: 73

Size: 892 GB

Partition 3:

=========

Hex: 20726573746172740D0A000000000000

Active: NO

Type: 74

Size: 0 byte

Partition 4:

=========

Hex: 00000000000000000000000000ACBFCC

Active: NO

Type: 00

Size: -440245157888 byte

Last Boot: 2013-04-16 04:18

==================== End Of Log ============================


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Then right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

HKU\lstudent.MCCLABS\...\Run: [msapnf] "C:\Windows\System32\rundll32.exe" "C:\Users\lstudent.MCCLABS\AppData\Roaming\msapnf.dll",write_init_2 [774144 2013-04-11] (Technology Co., LTD)

2013-04-16 14:55 - 2013-04-16 14:55 - 00053119 ____A C:\Users\lstudent.MCCLABS\9was4t130dw1b.exe

2013-04-11 11:32 - 2013-04-11 11:32 - 00774144 ____A (Technology Co., LTD) C:\Users\lstudent.MCCLABS\AppData\Roaming\msapnf.dll

2013-04-11 11:32 - 2013-04-11 11:32 - 00487424 ____A (Corporation) C:\Users\lstudent.MCCLABS\AppData\Roaming\pscdmc.dll

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.

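The selection logic behind the fixlist above, as an added example that is not FRST's or the forum's own code: a Python triage script that walks the "Registry (Whitelisted)" and "One Month Created Files and Folders" sections of an FRST log, flags autostart entries and fresh executables that live under user-writable roots (user profiles, ProgramData, Windows\Temp), and emits those log lines verbatim, which is the format the fixlist on this page uses. The sample log is a handful of lines taken from the scan posted earlier in the thread; the user-writable-root heuristic and the extension list are this example's own assumptions, not FRST rules.

```python
"""Triage an FRST scan log for persistence in user-writable locations.

Added example, not FRST's code. It encodes one heuristic an analyst applies
by eye: autostart entries and newly created executables living under a user
profile, ProgramData or Windows\\Temp (paths any user can write) are suspect
on a box where legitimate software is installed under Program Files.
"""
import re

# Assumed "user-writable" roots and executable extensions (this example's
# choice, not an FRST setting). Compared case-insensitively.
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js")

# Sample lines constructed from the scan log posted in this thread.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe [900160 2012-07-06] (Sophos Limited)
HKU\lstudent.MCCLABS\...\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart [16328976 2012-12-17] (Google)
HKU\lstudent.MCCLABS\...\Run: [msapnf] "C:\Windows\System32\rundll32.exe" "C:\Users\lstudent.MCCLABS\AppData\Roaming\msapnf.dll",write_init_2 [774144 2013-04-11] (Technology Co., LTD)
==================== One Month Created Files and Folders ========
2013-04-16 14:55 - 2013-04-16 14:55 - 00053119 ____A C:\Users\lstudent.MCCLABS\9was4t130dw1b.exe
2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\Users\lstudent.MCCLABS\AppData\Roaming\Malwarebytes
2013-04-12 08:56 - 2013-04-04 10:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-04-11 11:32 - 2013-04-16 14:54 - 00006493 ____A C:\Users\lstudent.MCCLABS\AppData\Local\ca59d205-a2de-11e2-8274-b8ac6f996f26.crx
2013-04-11 11:32 - 2013-04-12 08:26 - 00000000 ____D C:\ProgramData\4EA0441B322DECEF00004E9FF584F6A9
2013-04-11 11:32 - 2013-04-11 11:32 - 00774144 ____A (Technology Co., LTD) C:\Users\lstudent.MCCLABS\AppData\Roaming\msapnf.dll
2013-04-11 11:32 - 2013-04-11 11:32 - 00487424 ____A (Corporation) C:\Users\lstudent.MCCLABS\AppData\Roaming\pscdmc.dll
==================== One Month Modified Files and Folders ========
"""

_SECTION = re.compile(r"^=+\s*(.*?)\s*=+$")          # "===== Name =====" headers
_WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\[,]+')        # every drive path in a command line
_FILE_ENTRY = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_ROOTS)


def split_sections(log_text):
    """Map each '==== Section ====' header to the non-blank lines under it."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = _SECTION.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def suspicious_run_entries(lines):
    """Autostart entries whose command references a binary under a user-writable
    root. Every path in the command is examined, so a rundll32.exe host in
    System32 does not hide the DLL it is told to load."""
    flagged = []
    for line in lines:
        if "\\Run: [" not in line or "] " not in line:
            continue
        command = line.split("] ", 1)[1]            # drop 'HKU\...\Run: [name] '
        paths = [p.strip() for p in _WIN_PATH.findall(command)]
        bad = [p for p in paths if is_user_writable(p)]
        if bad:
            flagged.append((line, "autostart loads " + bad[0]))
    return flagged


def suspicious_created_files(lines):
    """Newly created executables (not directories) under a user-writable root."""
    flagged = []
    for line in lines:
        m = _FILE_ENTRY.match(line)
        if not m or "D" in m.group("attrs"):
            continue                                 # directories need manual review
        path = m.group("path")
        if path.lower().endswith(EXECUTABLE_EXTS) and is_user_writable(path):
            flagged.append((line, "new executable in user-writable location"))
    return flagged


def build_fixlist(log_text):
    """An FRST fixlist is the offending log lines copied verbatim (as the
    helper's post shows), so the fixlist is simply the flagged lines in order."""
    sections = split_sections(log_text)
    hits = suspicious_run_entries(sections.get("Registry (Whitelisted)", []))
    hits += suspicious_created_files(sections.get("One Month Created Files and Folders", []))
    return [line for line, _reason in hits]


if __name__ == "__main__":
    for entry in build_fixlist(SAMPLE_LOG):
        print(entry)
```

On the sample log the script reproduces the four-line fixlist in the post above and leaves the Sophos, Google Drive and Malwarebytes entries alone. The heuristic deliberately errs toward flagging: per-user installers (later Google Drive, Chrome, OneDrive builds) legitimately run from AppData\Local, so the output is a review list for the analyst, not something to hand to FRST unread, since FRST moves exactly what it is told to.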

Here's the fixlog.txt, but when I rebooted I'm still getting the FBI lockdown screen.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-04-2013

Ran by SYSTEM at 2013-04-17 11:57:36 Run:1

Running from F:\

==============================================

HKEY_USERS\lstudent.MCCLABS\Software\Microsoft\Windows\CurrentVersion\Run\\msapnf Value deleted successfully.

C:\Users\lstudent.MCCLABS\9was4t130dw1b.exe moved successfully.

C:\Users\lstudent.MCCLABS\AppData\Roaming\msapnf.dll moved successfully.

C:\Users\lstudent.MCCLABS\AppData\Roaming\pscdmc.dll moved successfully.

==== End of Fixlog ====


I went ahead and ran the scan again. Here's the new frst.txt.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-04-2013 (ATTENTION: FRST version is 6 days old)

Ran by SYSTEM at 17-04-2013 12:14:07

Running from F:\

Windows 7 Professional Service Pack 1 (X86) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe [900160 2012-07-06] (Sophos Limited)

HKLM\...\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe" [401408 2009-12-01] (Intel Corporation)

HKLM\...\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)

HKLM\...\Run: [DagentUI] C:\Program Files\Altiris\Dagent\dagentui.exe [548864 2011-06-10] (Altiris, Inc.)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)

HKU\lstudent.MCCLABS\...\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart [16328976 2012-12-17] (Google)

Tcpip\Parameters: [DhcpNameServer] 10.10.0.13 10.10.0.14 10.140.0.13 10.150.0.13

AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL

Startup: C:\Users\lstudent.MCCLABS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 atchksrv; C:\Program Files\Intel\AMT\atchksrv.exe [176128 2009-12-01] (Intel Corporation)

2 LMS; C:\Program Files\Intel\AMT\LMS.exe [102400 2009-12-01] (Intel)

2 SAVAdminService; "C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe" [216640 2012-09-17] (Sophos Limited)

2 SAVService; "C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe" [139840 2012-08-20] (Sophos Limited)

2 Sophos Agent; "C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent [289856 2012-09-17] (Sophos Limited)

2 Sophos AutoUpdate Service; "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" [232512 2012-07-06] (Sophos Limited)

2 Sophos Message Router; "C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 [818240 2012-09-17] (Sophos Limited)

2 Sophos Web Control Service; "C:\Program Files\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe" [357400 2012-08-20] (Sophos Limited)

2 swi_service; "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe" [2863168 2012-09-17] (Sophos Limited)

2 UNS; C:\Program Files\Intel\AMT\UNS.exe [2519040 2009-12-01] (Intel)

3 AdobeFlashPlayerUpdateSvc; C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]

2 Altiris Deployment Agent; "C:\Program Files\Altiris\Dagent\dagent.exe" -load=default.dll,config.dll,autoupdate.dll [x]

2 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [x]

3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [x]

2 swi_update; "C:\ProgramData\Sophos\Web Intelligence\swi_update.exe" [x]

==================== Drivers (Whitelisted) ====================

1 SAVOnAccess; C:\Windows\System32\DRIVERS\savonaccess.sys [123680 2012-08-20] (Sophos Limited)

3 sdcfilter; C:\Windows\System32\DRIVERS\sdcfilter.sys [33696 2012-08-20] (Sophos Limited)

1 SKMScan; C:\Windows\System32\DRIVERS\skmscan.sys [31736 2012-08-20] (Sophos Plc)

4 SophosBootDriver; C:\Windows\System32\DRIVERS\SophosBootDriver.sys [22536 2012-08-20] (Sophos Plc)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-04-15 14:02 - 2013-04-15 14:02 - 00297824 ____A C:\Users\lstudent.MCCLABS\Documents\stress mgt.pptx

2013-04-15 14:00 - 2013-04-15 14:00 - 00297845 ____A C:\Users\lstudent.MCCLABS\Documents\stress management tips.pptx

2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\Users\lstudent.MCCLABS\AppData\Roaming\Malwarebytes

2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-04-12 08:56 - 2013-04-04 10:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2013-04-11 11:32 - 2013-04-16 14:54 - 00006493 ____A C:\Users\lstudent.MCCLABS\AppData\Local\ca59d205-a2de-11e2-8274-b8ac6f996f26.crx

2013-04-11 11:32 - 2013-04-12 08:26 - 00000000 ____D C:\ProgramData\4EA0441B322DECEF00004E9FF584F6A9

2013-04-10 05:53 - 2013-04-10 05:53 - 00000000 ____D C:\Users\russelg\AppData\Local\Adobe

2013-04-10 05:42 - 2013-04-10 05:53 - 00000000 ____D C:\Users\russelg\AppData\Roaming\Adobe

2013-04-10 05:41 - 2013-04-10 05:41 - 00000822 _RASH C:\Users\russelg\ntuser.pol

2013-04-10 05:41 - 2013-04-10 05:41 - 00000020 __ASH C:\Users\russelg\ntuser.ini

2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\Users\russelg\AppData\Roaming\Apple Computer

2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\Users\russelg\AppData\Local\VirtualStore

2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\users\russelg

2013-04-10 05:41 - 2013-01-15 10:21 - 00000000 ____D C:\Users\russelg\AppData\LocalGoogle

2013-04-10 05:41 - 2013-01-15 10:21 - 00000000 ____D C:\Users\russelg\AppData\Local\Google

2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Macromedia

2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Apple Computer

2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Adobe

2013-04-03 15:14 - 2013-04-03 15:15 - 00000000 ____D C:\users\bieberl

2013-04-03 15:14 - 2013-04-03 15:14 - 00000822 _RASH C:\Users\bieberl\ntuser.pol

2013-04-03 15:14 - 2013-04-03 15:14 - 00000020 ___SH C:\Users\bieberl\ntuser.ini

2013-04-03 15:14 - 2013-04-03 15:14 - 00000000 ____D C:\Users\bieberl\AppData\Local\VirtualStore

2013-04-03 15:14 - 2013-01-15 10:21 - 00000000 ____D C:\Users\bieberl\AppData\LocalGoogle

2013-04-03 15:14 - 2013-01-15 10:21 - 00000000 ____D C:\Users\bieberl\AppData\Local\Google

==================== One Month Modified Files and Folders ========

2013-04-17 11:57 - 2012-08-20 13:01 - 00000000 ____D C:\users\lstudent.MCCLABS

2013-04-17 11:18 - 2013-04-17 11:18 - 00000000 ____D C:\FRST

2013-04-17 08:00 - 2009-07-13 20:39 - 00054841 ____A C:\Windows\setupact.log

2013-04-17 07:59 - 2012-12-10 16:08 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-04-17 07:59 - 2012-08-20 12:59 - 00000240 ____A C:\Windows\System32\config\netlogon.ftl

2013-04-17 07:59 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-04-17 07:02 - 2010-11-20 13:01 - 00713888 ____A C:\Windows\System32\PerfStringBackup.INI

2013-04-17 06:57 - 2012-08-20 15:53 - 01663570 ____A C:\Windows\WindowsUpdate.log

2013-04-17 06:48 - 2012-12-10 16:08 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-04-17 06:05 - 2009-07-13 20:34 - 00026032 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-04-17 06:05 - 2009-07-13 20:34 - 00026032 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-04-17 06:02 - 2012-08-20 13:11 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-04-16 14:54 - 2013-04-11 11:32 - 00006493 ____A C:\Users\lstudent.MCCLABS\AppData\Local\ca59d205-a2de-11e2-8274-b8ac6f996f26.crx

2013-04-15 14:02 - 2013-04-15 14:02 - 00297824 ____A C:\Users\lstudent.MCCLABS\Documents\stress mgt.pptx

2013-04-15 14:00 - 2013-04-15 14:00 - 00297845 ____A C:\Users\lstudent.MCCLABS\Documents\stress management tips.pptx

2013-04-13 08:06 - 2010-11-20 13:48 - 00018246 ____A C:\Windows\PFRO.log

2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\Users\lstudent.MCCLABS\AppData\Roaming\Malwarebytes

2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-04-12 08:26 - 2013-04-11 11:32 - 00000000 ____D C:\ProgramData\4EA0441B322DECEF00004E9FF584F6A9

2013-04-10 05:53 - 2013-04-10 05:53 - 00000000 ____D C:\Users\russelg\AppData\Local\Adobe

2013-04-10 05:53 - 2013-04-10 05:42 - 00000000 ____D C:\Users\russelg\AppData\Roaming\Adobe

2013-04-10 05:41 - 2013-04-10 05:41 - 00000822 _RASH C:\Users\russelg\ntuser.pol

2013-04-10 05:41 - 2013-04-10 05:41 - 00000020 __ASH C:\Users\russelg\ntuser.ini

2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\Users\russelg\AppData\Roaming\Apple Computer

2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\Users\russelg\AppData\Local\VirtualStore

2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\users\russelg

2013-04-04 10:50 - 2013-04-12 08:56 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Macromedia

2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Apple Computer

2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Adobe

2013-04-03 15:15 - 2013-04-03 15:14 - 00000000 ____D C:\users\bieberl

2013-04-03 15:14 - 2013-04-03 15:14 - 00000822 _RASH C:\Users\bieberl\ntuser.pol

2013-04-03 15:14 - 2013-04-03 15:14 - 00000020 ___SH C:\Users\bieberl\ntuser.ini

2013-04-03 15:14 - 2013-04-03 15:14 - 00000000 ____D C:\Users\bieberl\AppData\Local\VirtualStore

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-08-20 12:57:25

==================== Memory info ===========================

Percentage of memory in use: 26%

Total physical RAM: 2013.61 MB

Available physical RAM: 1481.42 MB

Total Pagefile: 2013.61 MB

Available Pagefile: 1486.25 MB

Total Virtual: 2047.88 MB

Available Virtual: 1952.47 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:148.91 GB) (Free:129.45 GB) NTFS

3 Drive f: () (Removable) (Total:0.94 GB) (Free:0.91 GB) FAT

4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 149 GB 0 B

Disk 1 Online 964 MB 0 B

Partitions of Disk 0:

===============

Disk ID: 85508550

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 148 GB 101 MB

=========================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 148 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Disk ID: 00000001

Partition ### Type Size Offset

------------- ---------------- ------- -------

* Partition 1 Primary 964 MB 0 B

=========================================================

Disk: 1

There is no partition selected.

There is no partition selected.

Please select a partition and try again.

=========================================================

============================== MBR Partition Table ==================

==============================

Partitions of Disk 0:

===============

Disk ID: 85508550

Partition 1:

=========

Hex: 8020210007DF130C0008000000200300

Active: YES

Type: 07 (NTFS)

Size: 100 MB

Partition 2:

=========

Hex: 00DF140C07FEFFFF0028030000289D12

Active: NO

Type: 07 (NTFS)

Size: 149 GB

==============================

Partitions of Disk 1:

===============

Disk ID: 69737369

Partition 1:

=========

Hex: FF0D0A4469736B206572726F72FF0D0A

Active: NO

Type: 69

Size: 80 GB

Partition 2:

=========

Hex: 507265737320616E79206B657920746F

Active: NO

Type: 73

Size: 892 GB

Partition 3:

=========

Hex: 20726573746172740D0A000000000000

Active: NO

Type: 74

Size: 0 byte

Partition 4:

=========

Hex: 00000000000000000000000000ACBFCC

Active: NO

Type: 00

Size: -440245157888 byte

Last Boot: 2013-04-16 04:18

==================== End Of Log ============================

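The MBR section of the FRST log above shows Disk 1 with partition types 69, 73 and 74, an 892 GB partition on a 964 MB USB stick, and a negative size. The following is an added example (not FRST's own code) that decodes the 16-byte entries FRST prints as "Hex:" lines using the standard MBR partition-entry layout. The hex strings are copied from the log; the 512-byte sector size and the signed reading of the sector count are assumptions made to reproduce the log's figures.

```python
"""Decode the 16-byte MBR partition entries that FRST prints as "Hex:" lines.

Added example, not FRST's own code. The hex strings are copied from the FRST
log in this thread; the sector size and the signed-count reading are assumptions.
"""
import struct
from dataclasses import dataclass

SECTOR = 512  # assumption: 512-byte logical sectors

# Copied from the "MBR Partition Table" section of the FRST log above.
DISK0_ENTRIES = [
    "8020210007DF130C0008000000200300",
    "00DF140C07FEFFFF0028030000289D12",
]
DISK1_ENTRIES = [
    "FF0D0A4469736B206572726F72FF0D0A",
    "507265737320616E79206B657920746F",
    "20726573746172740D0A000000000000",
    "00000000000000000000000000ACBFCC",
]


@dataclass
class MbrEntry:
    status: int        # 0x80 = active/bootable, 0x00 = inactive; anything else is invalid
    ptype: int         # partition type byte (0x07 = NTFS/exFAT)
    lba_start: int     # first sector, little-endian 32-bit
    sector_count: int  # length in sectors, little-endian 32-bit
    raw: bytes

    @property
    def plausible(self) -> bool:
        return self.status in (0x00, 0x80)

    @property
    def offset_mib(self) -> float:
        return self.lba_start * SECTOR / 2**20

    @property
    def size_mib(self) -> float:
        return self.sector_count * SECTOR / 2**20

    @property
    def size_bytes_signed(self) -> int:
        # Reading the count as a signed 32-bit value reproduces the negative
        # "Size" FRST printed for the fourth entry on Disk 1.
        return struct.unpack("<i", self.raw[12:16])[0] * SECTOR

    @property
    def as_ascii(self) -> str:
        return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in self.raw)


def decode_entry(hexstr: str) -> MbrEntry:
    raw = bytes.fromhex(hexstr)
    if len(raw) != 16:
        raise ValueError("an MBR partition entry is exactly 16 bytes")
    # Layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
    status, _chs_start, ptype, _chs_end, lba, count = struct.unpack("<B3sB3sII", raw)
    return MbrEntry(status, ptype, lba, count, raw)


def table_is_plausible(hex_entries: list[str]) -> bool:
    """False when any slot has an impossible status byte: the 64 bytes at
    offset 446 are then not a partition table at all (for example a removable
    drive formatted as one volume, whose boot-sector text lands in that range)."""
    return all(decode_entry(h).plausible for h in hex_entries)


def summarize(hex_entries: list[str]) -> list[str]:
    lines = []
    for i, h in enumerate(hex_entries, 1):
        e = decode_entry(h)
        lines.append(
            f"Partition {i}: status={e.status:02X} type={e.ptype:02X} "
            f"offset={e.offset_mib:.0f} MiB size={e.size_mib:.0f} MiB "
            f"{'ok' if e.plausible else 'INVALID'} ascii='{e.as_ascii}'"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(DISK0_ENTRIES)))
    print("\n".join(summarize(DISK1_ENTRIES)))
```

On Disk 0 the decoded offsets (1 MiB and 101 MiB) and sizes (100 MiB and about 149 GB) match what diskpart reported earlier in the same log. On Disk 1 the status bytes are neither 00 nor 80, and the bytes spell "Disk error" / "Press any key to restart": diskpart shows that stick's only partition at offset 0 B, so the drive has a volume boot sector where a partition table would be, and FRST is printing boot-sector text as partition entries. Treating the fourth entry's count as signed gives exactly the -440245157888 bytes in the log. None of this points to a bootkit on the USB stick.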

Ok, I found out I'm able to log into the computer under a different profile. So I renamed the infected user folder to <username>.bad and <username>.<domain>.bad until this thing is removed and then I'll rename them back. Right now I'm running Malwarebytes and then, from what I've read, should I proceed with ComboFix?


UPDATE + FIX

I logged in as another user and ran Malwarebytes, which found 3 entries which I then deleted. (I will attach the log from this scan.)

The issue seems to be with this registry entry: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceActiveDesktopOn (PUM.Hijack.Desktop) -> Bad: (1) Good: (0)

Once that was deleted, I renamed the infected users folder back to just their username, restarted the machine, and logged in as the infected user and voila!! I got control of the desktop back.

I then went to open IE and got the message box asking what program I wanted to use to open it. I then tried several other programs only to get the same message. I did find, however, that when I right click on the program and run as administrator, no problem. So I opened IE as an administrator and googled that issue. It took me to this Microsoft FixIt page: http://support.microsoft.com/kb/2688326

I downloaded and ran the FixIt, rebooted the machine, and FINALLY everything is working as normal again. I also had to reinstall my Sophos Anti-Virus as it had gotten corrupted at some point as well.

Please let me know if you think there is anything else I should do at this point, or if you think I'm ok now.

Thanks for your help.

MalwareBytes Log:

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

Database version: v2013.04.12.10

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

lstudent :: LWR-101-27219 [administrator]

4/17/2013 1:39:21 PM

mbam-log-2013-04-17 (13-39-21).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 612021

Time elapsed: 48 minute(s), 11 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceActiveDesktopOn (PUM.Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Users\lstudent.MCCLABS.bad\AppData\Local\Temp\jar_cache8776431484378787633.tmp (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\FRST\Quarantine\9was4t130dw1b.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

(end)


Please run this scan:

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=8

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6920

# api_version=3.0.2

# EOSSerial=d2ce0af8eb3bf840b85edc3cb8b67ee5

# engine=13641

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2013-04-17 11:26:29

# local_time=2013-04-17 07:26:29 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=5893 16776573 100 94 0 117785980 0 0

# compatibility_mode=8450 16777213 85 99 0 20658238 0 0

# scanned=86469

# found=1

# cleaned=1

# scan_time=2502

sh=ADB18FCCEA79DB3D042B1B6E503AD89F10EE4A61 ft=0 fh=0000000000000000 vn="JS/Redirector.NCG trojan (deleted - quarantined)" ac=C fn="C:\Users\lstudent.MCCLABS\AppData\Local\ca59d205-a2de-11e2-8274-b8ac6f996f26.crx"

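The Malwarebytes log in the UPDATE + FIX post and the ESET log just above record the same cleanup in two different line formats, and the pieces worth keeping for follow-up (the hijacked registry value and its expected data, the quarantined file paths, the SHA-1, the detection names) have to be picked out by hand. This is an added example, not Malwarebytes' or ESET's own code: a small parser for both formats. The sample lines are copied from the two logs; the line grammars are inferred from those samples and are assumptions, as is the meaning of the ESET "ac" field, which the code leaves uninterpreted.

```python
"""Pull indicators (registry value, file paths, hash, detection names) out of
Malwarebytes Anti-Malware and ESET Online Scanner log lines.

Added example, not Malwarebytes' or ESET's own code. The sample lines are copied
from the logs in this thread; the line grammars are inferred from them (assumption).
"""
import re
from collections import Counter
from dataclasses import dataclass

# Detection lines copied from the logs posted above (log headers omitted).
MBAM_LOG = r"""
Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceActiveDesktopOn (PUM.Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Users\lstudent.MCCLABS.bad\AppData\Local\Temp\jar_cache8776431484378787633.tmp (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\9was4t130dw1b.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
(end)
"""
ESET_LOG = r"""
# found=1
# cleaned=1
sh=ADB18FCCEA79DB3D042B1B6E503AD89F10EE4A61 ft=0 fh=0000000000000000 vn="JS/Redirector.NCG trojan (deleted - quarantined)" ac=C fn="C:\Users\lstudent.MCCLABS\AppData\Local\ca59d205-a2de-11e2-8274-b8ac6f996f26.crx"
"""


@dataclass(frozen=True)
class Indicator:
    kind: str       # "registry_value", "file" or "sha1"
    value: str
    detection: str
    action: str
    source: str     # "mbam" or "eset"


# Malwarebytes: "<item> (<detection>) -> [Bad: (x) Good: (y) -> ]<action>."
MBAM_RE = re.compile(
    r"^(?P<item>\S.*?) \((?P<detection>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)
# ESET: key=value pairs, value double-quoted when it contains spaces.
ESET_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_mbam(text: str) -> list[Indicator]:
    found = []
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if not m:
            continue  # section headers, counts, "(No malicious items detected)"
        item = m["item"]
        if item.upper().startswith("HK") and "|" in item:
            # Registry items are "<key>|<value name>"; data items also carry Bad/Good.
            key, name = item.split("|", 1)
            desc = f"{key}\\{name}"
            if m["bad"] is not None:
                desc += f" = {m['bad']} (expected {m['good']})"
            found.append(Indicator("registry_value", desc, m["detection"], m["action"], "mbam"))
        else:
            found.append(Indicator("file", item, m["detection"], m["action"], "mbam"))
    return found


def parse_eset(text: str) -> list[Indicator]:
    found = []
    for line in text.splitlines():
        if not line.startswith("sh="):
            continue  # "# key=value" header lines carry no detections
        kv = {k: quoted if quoted else bare for k, quoted, bare in ESET_KV_RE.findall(line)}
        action = f"ac={kv.get('ac', '')}"  # action code kept verbatim; the log does not define it
        found.append(Indicator("file", kv["fn"], kv.get("vn", ""), action, "eset"))
        found.append(Indicator("sha1", kv["sh"].lower(), kv.get("vn", ""), action, "eset"))
    return found


def extract_indicators(mbam_text: str, eset_text: str) -> list[Indicator]:
    return parse_mbam(mbam_text) + parse_eset(eset_text)


def indicator_counts(indicators: list[Indicator]) -> dict[str, int]:
    return dict(Counter(i.kind for i in indicators))


if __name__ == "__main__":
    for ind in extract_indicators(MBAM_LOG, ESET_LOG):
        print(f"[{ind.source}] {ind.kind}: {ind.value}  <{ind.detection}>  {ind.action}")
```

The registry record comes out as the full value path with its observed and expected data (ForceActiveDesktopOn = 1, expected 0), which is the single setting the poster found responsible for the locked desktop and the one to re-check on any other profile on the machine. The ESET SHA-1 is lowercased so it can be compared with other tools' output without case mismatches.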

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

Click the cog in the upper right


Select down to and including your main drive. Once done, select the Automatic scan tab and press Start Scan


Allow AVP to delete all infections found

Once it has finished select report tab (last tab)

Select Detected threats report from the left and press the Save button

Save it to your desktop and post it in your next reply.



Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

