infected with FBI moneypak virus

arnelld · May 14, 2013

I am unable to boot my bosses computer in normal or safe mode. he told me that he was getting the popup with the FBI you owe me money page.

The computer is running windows 7 with 32 bit

Thanks for any help!

MrCharlie · May 14, 2013

Welcome to the forum, here's how we deal with that malware:

Please download Farbar Recovery Scan Tool and save it to a flash drive.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Plug the flash drive into the infected PC.
If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
If you are using Vista or Windows 7 enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account an click Next.

Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

To make a repair disk on Windows 7 consult: http://www.sevenforu...isc-create.html

To enter System Recovery Options by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

MrC

On the System Recovery Options menu you will get the following options:
- - Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
    Select Command Prompt
    Once in the Command Prompt:
  [*]In the command window type in notepad and press Enter.
  [*]The notepad opens. Under File menu select Open.
  [*]Select "Computer" and find your flash drive letter and close the notepad.
  [*]In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
  [*]The tool will start to run.
  [*]When the tool opens click Yes to disclaimer.
  [*]Press Scan button.
  [*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

arnelld · May 15, 2013

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-05-2013

Ran by Larry (administrator) on 14-05-2013 16:43:10

Running from E:\

Windows 7 Professional (X86) OS Language: English(US)

Internet Explorer Version 8

Boot Mode: Safe Mode (minimal)

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Windows\system32\cmd.exe

(Farbar) e:\FRST.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1602856 2010-01-07] (Synaptics Incorporated)

HKLM\...\Run: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe [495708 2010-04-07] (IDT, Inc.)

HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3873648 2010-01-15] (Dell Inc.)

HKLM\...\Run: [FreeFallProtection] C:\Program Files\STMicroelectronics\Accelerometer\FF_Protection.exe [2384896 2009-07-22] ()

HKLM\...\Run: [broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [5249024 2010-10-04] (Dell Inc.)

HKLM\...\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)

HKLM\...\Run: [DBRMTray] C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [206336 2010-05-20] (Microsoft)

HKLM\...\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming [1311312 2010-05-18] (Logitech, Inc.)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [249064 2010-10-29] (Sun Microsystems, Inc.)

HKLM\...\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe [98304 2006-01-30] (Hewlett-Packard)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)

HKLM\...\Run: [HP Color LaserJet CM1312 MFP Series Fax] C:\Program Files\HP\HP Color LaserJet CM1312 MFP Series\hppfaxprintersrv.exe "HP Color LaserJet CM1312 MFP Series Fax" [2453504 2009-09-22] (Hewlett-Packard Company)

HKLM\...\Run: [] [x]

HKLM\...\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\" [24576 2009-05-11] (Hewlett-Packard Company)

HKLM\...\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe [1059472 2011-12-05] (Carbonite, Inc.)

HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [133456 2012-07-25] (Trend Micro Inc.)

HKLM\...\Run: [Trend Micro Titanium] "C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" -set Silent "1" SplashURL "" [1374864 2012-07-25] (Trend Micro Inc.)

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)

Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll [X]

HKCU\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-01-13] (Google Inc.)

HKCU\...\Winlogon: [shell] explorer.exe,C:\Users\Larry\AppData\Roaming\skype.dat <==== ATTENTION

HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-747825169-3136433216-3061428978-1000\$5a6b93952095872d74bf54c7b376c65c\n. ATTENTION! ====> ZeroAccess

MountPoints2: {0d1f8c17-19d1-11e1-9667-f04da298ec73} - E:\LaunchU3.exe -a

Startup: C:\ProgramData\Start Menu\Programs\Startup\Bluetooth.lnk

ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

Startup: C:\ProgramData\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe (McAfee, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

HKCU SearchScopes: DefaultScope {04F031E9-5DD7-4EC0-9F36-E61AE8CD8762} URL = http://findgala.com/?&uid=2159&q={searchTerms}

SearchScopes: HKCU - {04F031E9-5DD7-4EC0-9F36-E61AE8CD8762} URL = http://findgala.com/?&uid=2159&q={searchTerms}

BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)

BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

BHO: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.5.1331\6.8.1094\TmIEPlg.dll (Trend Micro Inc.)

BHO: TSToolbarBHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.)

BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)

BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)

BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MIF5BA~1\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO: TmBpIeBHO Class - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1125\7.5.1125\TmBpIe32.dll (Trend Micro Inc.)

BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

Toolbar: HKLM - Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.)

Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

Toolbar: HKCU -No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

PDF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

PDF: {315E206C-B37E-4F46-A144-5A82DBE79A9D} http://spyware.cymphonix.com/webdeploy.cab

PDF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

PDF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

PDF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

PDF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1125\7.5.1125\TmBpIe32.dll (Trend Micro Inc.)

Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.5.1331\6.8.1094\TmIEPlg.dll (Trend Micro Inc.)

Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.)

Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll (Trend Micro Inc.)

Hosts file not detected in the default directory

Chrome:

=======

CHR Extension: (Google Drive) - C:\Users\Larry\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0

CHR Extension: (YouTube) - C:\Users\Larry\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0

CHR Extension: (Google Search) - C:\Users\Larry\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0

CHR Extension: (Gmail) - C:\Users\Larry\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0

========================== Services (Whitelisted) =================

S2 CarboniteService; C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe [4426384 2011-12-05] (Carbonite, Inc. (www.carbonite.com))

S2 InstallFilterService; C:\Program Files\STMicroelectronics\Accelerometer\InstallFilterService.exe [60928 2009-11-29] ()

S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)

S2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [4539392 2010-10-04] (Dell Inc.)

S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad [x]

==================== Drivers (Whitelisted) ====================

R3 Acceler; C:\Windows\System32\DRIVERS\Acceler.sys [41648 2009-12-03] (ST Microelectronics)

S3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2010-10-04] (Broadcom Corporation)

S3 CtAudDrv; C:\Windows\system32\Drivers\CtAudDrv.sys [134144 2009-05-28] (Creative Technology Ltd.)

S3 LEqdUsb; C:\Windows\System32\Drivers\LEqdUsb.Sys [40912 2010-03-18] (Logitech, Inc.)

S3 LHidEqd; C:\Windows\System32\Drivers\LHidEqd.Sys [10448 2010-03-18] (Logitech, Inc.)

S3 LMouFilt; C:\Windows\System32\DRIVERS\LMouFilt.Sys [37328 2010-03-18] (Logitech, Inc.)

S3 LUsbFilt; C:\Windows\System32\Drivers\LUsbFilt.Sys [28624 2010-03-18] (Logitech, Inc.)

S1 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [94200 2012-07-12] (Trend Micro Inc.)

R0 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [257928 2012-07-12] (Trend Micro Inc.)

R0 TMEBC; C:\Windows\System32\DRIVERS\TMEBC32.sys [38328 2012-08-24] (Trend Micro Inc.)

S3 tmeevw; C:\Windows\System32\DRIVERS\tmeevw.sys [85816 2012-08-25] (Trend Micro Inc.)

S1 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [75624 2012-07-12] (Trend Micro Inc.)

S3 tmnciesc; C:\Windows\System32\DRIVERS\tmnciesc.sys [171064 2012-07-05] (Trend Micro Inc.)

S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [92304 2012-05-02] (Trend Micro Inc.)

U2 TMAgent;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-14 17:12 - 2013-05-14 17:29 - 00000000 ____D C:\Windows\Microsoft Antimalware

2013-05-14 16:43 - 2013-05-14 16:43 - 00000000 ____D C:\FRST

2013-05-12 10:05 - 2013-05-14 16:34 - 00000004 ____A C:\Users\Larry\AppData\Roaming\skype.ini

2013-05-12 09:55 - 2013-05-12 09:55 - 00097280 ____A (EA Swiss-Digital LLC) C:\Users\Larry\vlcplayer.exe

2013-05-12 09:55 - 2013-05-12 09:55 - 00097280 ____A (EA Swiss-Digital LLC) C:\Users\Larry\AppData\Roaming\skype.dat

2013-05-12 09:55 - 2013-05-12 09:55 - 00000000 ____A C:\Users\Larry\winlogon.exe

2013-05-12 09:55 - 2013-05-12 09:55 - 00000000 ____A C:\Users\Larry\windowsupdate.exe

2013-05-12 09:55 - 2013-05-12 09:55 - 00000000 ____A C:\Users\Larry\mstsc.exe

2013-05-12 09:55 - 2013-05-12 09:55 - 00000000 ____A C:\Users\Larry\jqs.exe

2013-05-12 09:55 - 2013-05-12 09:55 - 00000000 ____A C:\Users\Larry\googleupdate.exe

2013-05-12 09:55 - 2013-05-12 09:55 - 00000000 ____A C:\Users\Larry\flashplayer.exe

2013-05-03 09:45 - 2013-05-03 09:46 - 00000000 ____D C:\Users\Larry\Documents\SWCCD

2013-05-02 10:22 - 2013-05-02 16:36 - 00000000 ____D C:\Users\Larry\Documents\Coal Culch Oxbow wetland

2013-05-01 17:03 - 2013-05-01 17:03 - 05190405 ____A C:\Users\Larry\Documents\Elk Crossing Out of baggs..MOV

2013-04-24 07:03 - 2013-04-12 07:58 - 01210728 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

2013-04-15 09:36 - 2013-04-15 09:36 - 00000000 ____D C:\Users\Larry\Documents\New folder

==================== One Month Modified Files and Folders ========

2013-05-14 17:29 - 2013-05-14 17:12 - 00000000 ____D C:\Windows\Microsoft Antimalware

2013-05-14 16:43 - 2013-05-14 16:43 - 00000000 ____D C:\FRST

2013-05-14 16:42 - 2010-10-04 21:25 - 00786564 ____A C:\Windows\System32\PerfStringBackup.INI

2013-05-14 16:34 - 2013-05-12 10:05 - 00000004 ____A C:\Users\Larry\AppData\Roaming\skype.ini

2013-05-14 16:34 - 2011-01-13 06:46 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-05-14 16:34 - 2009-07-13 22:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-14 16:34 - 2009-07-13 22:39 - 00051151 ____A C:\Windows\setupact.log

2013-05-14 15:52 - 2009-07-13 22:55 - 01551145 ____A C:\Windows\WindowsUpdate.log

2013-05-14 15:50 - 2009-07-13 22:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-05-14 15:50 - 2009-07-13 22:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-05-14 15:46 - 2012-10-29 07:40 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-05-14 15:44 - 2011-01-13 06:46 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job