
FBI Moneypak Virus Infected my laptop



So my laptop has been infected with the FBI Moneypak virus. I have tried using Ctrl+Alt+Del to get to Task Manager but it won't work. I can't boot to any type of safe mode either. If anyone can help me that would be more than appreciated. I have looked up what the others have done and I have gone into the Startup Repair and run the FRST.exe program and done the required searches. They are as follows:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-05-2013

Ran by SYSTEM on 15-05-2013 22:08:10

Running from F:\

Windows 7 Home Premium (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [309760 2009-03-11] (Alps Electric Co., Ltd.)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" [171520 2010-02-05] (Sun Microsystems, Inc.)

HKLM\...\Run: [broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe [4968960 2009-07-17] (Dell Inc.)

HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [444416 2009-06-29] (IDT, Inc.)

HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3180624 2009-07-02] (Dell Inc.)

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)

HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-06-24] (CyberLink Corp.)

HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)

HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()

HKLM-x32\...\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [286720 2007-12-11] (Apple Inc.)

HKLM-x32\...\Run: [Nikon Transfer Monitor] C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe [479232 2009-09-15] (Nikon Corporation)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1561768 2012-05-04] (Ask)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.)

HKU\gary\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)

HKU\gary\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet [5252408 2010-06-01] (Yahoo! Inc.)

HKU\gary\...\Run: [Aim] "C:\Program Files (x86)\AIM\aim.exe" /d locale=en-US [3951976 2009-12-01] (AOL LLC)

HKU\gary\...\Run: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59872 2012-12-17] (Apple Inc.)

HKU\gary\...\Run: [com.apple.dav.bookmarks.daemon] C:\Program Files (x86)\Common Files\Apple\Internet Services\BookmarkDAV_client.exe [59872 2012-12-17] (Apple Inc.)

HKU\gary\...\Run: [Facebook Update] "C:\Users\gary\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2013-04-09] (Facebook Inc.)

HKU\gary\...\Run: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18642024 2013-02-28] (Skype Technologies S.A.)

HKU\gary\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\gary\Documents\4f42515e.exe [25088 2013-05-14] ()

HKU\gary\...\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil64_11_6_602_180_ActiveX.exe -update activex [429784 2013-03-12] (Adobe Systems Incorporated)

HKU\gary\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION

Startup: C:\ProgramData\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe (McAfee, Inc.)

==================== Services (Whitelisted) =================

S2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)

S2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)

S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [398184 2012-12-14] (Malwarebytes Corporation)

S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [682344 2012-12-14] (Malwarebytes Corporation)

S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [227232 2010-09-02] (McAfee, Inc.)

S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)

S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)

S2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe [240128 2009-06-29] (IDT, Inc.)

S2 wltrysvc; C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe [3417088 2009-07-17] (Dell Inc.)

==================== Drivers (Whitelisted) ====================

S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [24176 2012-12-14] (Malwarebytes Corporation)

S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)

S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)

S1 igxkychz; \??\C:\Windows\system32\drivers\igxkychz.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-15 22:07 - 2013-05-15 22:07 - 00000000 ____D C:\FRST

2013-05-15 17:48 - 2013-05-15 17:47 - 02986440 ____A (Symantec Corporation) C:\Users\gary\Desktop\NPE.exe

2013-05-14 19:26 - 2013-05-14 19:26 - 01096089 ____A C:\ProgramData\2433f433

2013-05-14 19:26 - 2013-05-14 19:26 - 01096080 ____A C:\Users\gary\AppData\Local\2433f433

2013-05-14 19:26 - 2013-05-14 19:26 - 01096050 ____A C:\Users\gary\AppData\Roaming\2433f433

2013-05-14 19:26 - 2013-05-14 19:26 - 00025088 ____A C:\Users\gary\Documents\4f42515e.exe

2013-04-23 23:19 - 2013-04-23 23:19 - 00000000 ____D C:\Users\gary\AppData\Local\{C5B7D559-717F-4770-B0E7-272FE65ADF08}

2013-04-23 09:14 - 2013-04-12 06:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

2013-04-22 16:48 - 2013-04-22 16:48 - 00000205 ____A C:\Users\gary\Desktop\1989 Sunlite Pop up camper.url

2013-04-15 17:51 - 2013-04-15 18:08 - 00000000 ___RD C:\Program Files (x86)\Skype

2013-04-15 11:26 - 2013-04-15 11:26 - 00000000 ____D C:\Users\gary\AppData\Local\{439A7479-C130-4383-82F8-B4143BD3F27E}

2013-04-15 10:54 - 2013-04-15 10:54 - 00000000 ____D C:\Users\gary\AppData\Local\{80EB94D6-B39C-46E2-AC5A-07979A7CC169}

2013-04-15 10:24 - 2013-04-15 10:24 - 00000000 ____D C:\Users\gary\AppData\Local\{F1FD7986-404A-45AA-8326-5901405C7321}

2013-04-15 10:06 - 2013-04-15 10:07 - 00000000 ____D C:\Users\gary\AppData\Local\{3AB258B5-E102-428A-89A2-0BF7EBD6BABE}

==================== One Month Modified Files and Folders =======

2013-05-15 22:07 - 2013-05-15 22:07 - 00000000 ____D C:\FRST

2013-05-15 18:02 - 2010-03-10 14:52 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-05-15 18:01 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-15 18:01 - 2009-07-13 20:51 - 00058107 ____A C:\Windows\setupact.log

2013-05-15 17:47 - 2013-05-15 17:48 - 02986440 ____A (Symantec Corporation) C:\Users\gary\Desktop\NPE.exe

2013-05-15 16:43 - 2009-07-13 21:10 - 01183674 ____A C:\Windows\WindowsUpdate.log

2013-05-15 16:43 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-05-15 16:43 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-05-14 19:26 - 2013-05-14 19:26 - 01096089 ____A C:\ProgramData\2433f433

2013-05-14 19:26 - 2013-05-14 19:26 - 01096080 ____A C:\Users\gary\AppData\Local\2433f433

2013-05-14 19:26 - 2013-05-14 19:26 - 01096050 ____A C:\Users\gary\AppData\Roaming\2433f433

2013-05-14 19:26 - 2013-05-14 19:26 - 00025088 ____A C:\Users\gary\Documents\4f42515e.exe

2013-05-14 19:15 - 2010-03-10 14:52 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-05-14 19:03 - 2012-08-08 16:44 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-05-14 17:17 - 2013-04-09 14:12 - 00000924 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2466015473-647803514-2192938318-1001UA.job

2013-05-14 15:36 - 2013-04-09 14:12 - 00000902 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2466015473-647803514-2192938318-1001Core.job

2013-05-05 09:10 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI

2013-05-02 07:29 - 2010-02-17 14:34 - 00278800 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

2013-04-24 08:22 - 2010-05-03 06:48 - 00000000 ____D C:\Users\gary\AppData\Roaming\Skype

2013-04-23 23:19 - 2013-04-23 23:19 - 00000000 ____D C:\Users\gary\AppData\Local\{C5B7D559-717F-4770-B0E7-272FE65ADF08}

2013-04-23 23:18 - 2010-02-17 14:28 - 00000000 ____D C:\Users\gary\Tracing

2013-04-22 16:48 - 2013-04-22 16:48 - 00000205 ____A C:\Users\gary\Desktop\1989 Sunlite Pop up camper.url

2013-04-15 18:08 - 2013-04-15 17:51 - 00000000 ___RD C:\Program Files (x86)\Skype

2013-04-15 18:08 - 2010-05-03 06:47 - 00000000 ____D C:\ProgramData\Skype

2013-04-15 18:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF

2013-04-15 11:26 - 2013-04-15 11:26 - 00000000 ____D C:\Users\gary\AppData\Local\{439A7479-C130-4383-82F8-B4143BD3F27E}

2013-04-15 10:54 - 2013-04-15 10:54 - 00000000 ____D C:\Users\gary\AppData\Local\{80EB94D6-B39C-46E2-AC5A-07979A7CC169}

2013-04-15 10:24 - 2013-04-15 10:24 - 00000000 ____D C:\Users\gary\AppData\Local\{F1FD7986-404A-45AA-8326-5901405C7321}

2013-04-15 10:07 - 2013-04-15 10:06 - 00000000 ____D C:\Users\gary\AppData\Local\{3AB258B5-E102-428A-89A2-0BF7EBD6BABE}

Other Malware:

===========

C:\ProgramData\ezsidmv.dat

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-04-09 23:00:56

Restore point made on: 2013-04-13 10:03:29

Restore point made on: 2013-04-16 11:19:17

Restore point made on: 2013-04-20 09:18:56

Restore point made on: 2013-04-23 19:23:52

Restore point made on: 2013-04-23 23:00:31

Restore point made on: 2013-04-27 14:43:35

Restore point made on: 2013-05-01 03:44:45

Restore point made on: 2013-05-05 09:20:06

Restore point made on: 2013-05-08 17:53:11

Restore point made on: 2013-05-12 13:11:55

==================== Memory info ===========================

Percentage of memory in use: 19%

Total physical RAM: 3034.36 MB

Available physical RAM: 2454.51 MB

Total Pagefile: 3032.51 MB

Available Pagefile: 2452.69 MB

Total Virtual: 8192 MB

Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:224.4 GB) (Free:122.15 GB) NTFS (Disk=0 Partition=3)

Drive f: (UBUNTU 1304) (Removable) (Total:7.44 GB) (Free:6.66 GB) FAT32 (Disk=1 Partition=1)

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Drive y: (RECOVERY) (Fixed) (Total:8.42 GB) (Free:4.48 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: E0000000)

Partition 1: (Not Active) - (Size=71 MB) - (Type=DE)

Partition 2: (Active) - (Size=8 GB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=224 GB) - (Type=07 NTFS)

========================================================

Disk: 1 (Size: 7 GB) (Disk ID: 001EED5B)

Partition 1: (Active) - (Size=7 GB) - (Type=0C)

Last Boot: 2013-05-14 08:01

==================== End Of Log ============================

Farbar Recovery Scan Tool (x64) Version: 14-05-2013

Ran by SYSTEM at 2013-05-15 22:16:07

Running from F:\

Boot Mode: Recovery

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

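The FRST.txt above is the kind of log a helper reads by eye, looking for a Winlogon Shell that is not explorer.exe, a user-level Run value with a random name pointing into Documents or AppData with no company name, and a driver entry whose file is gone (FRST marks a missing file with `[x]`). The script below is an added example, not part of this thread and not code from the FRST tool, that applies those same triage rules to a few lines copied from the posted log. The function names (`analyze`, `Finding`, `looks_random`), the entropy threshold and the list of user-writable path tokens are assumptions chosen for illustration; the output is a list of leads for a human to review, not a verdict.

```python
import math
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the FRST.txt log in the first post,
# covering a benign vendor entry, an orphaned entry, a user-level Run value
# with a random name, the hijacked Winlogon Shell, and a missing driver file.
SAMPLE_LOG = r"""
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [309760 2009-03-11] (Alps Electric Co., Ltd.)
HKLM-x32\...\Run: [] [x]
HKU\gary\...\Run: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18642024 2013-02-28] (Skype Technologies S.A.)
HKU\gary\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\gary\Documents\4f42515e.exe [25088 2013-05-14] ()
HKU\gary\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
S1 igxkychz; \??\C:\Windows\system32\drivers\igxkychz.sys [x]
"""

# Registry autostart line: hive, key (Run/RunOnce/Winlogon), value name, remainder.
RUN_RE = re.compile(
    r"^(?P<hive>HK[^:]*?)\\\.\.\.\\(?P<key>Run|RunOnce|Winlogon): \[(?P<name>[^\]]*)\] (?P<rest>.*)$"
)
# Driver/service line whose backing file FRST could not find ("[x]" marker).
DRIVER_RE = re.compile(r"^S\d (?P<name>[^;]+); (?P<path>.*) \[x\]$")
# Trailing "(Company)" block; an empty "()" means FRST found no company name.
SIGNER_RE = re.compile(r"\((?P<signer>[^()]*)\)\s*(?:<==== ATTENTION)?$")
# Assumed list of locations an unprivileged user can write to (lower-case).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; random-looking names score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def looks_random(name: str) -> bool:
    # Assumed heuristic: long value names with high character entropy.
    return len(name) >= 16 and shannon_entropy(name) > 3.5


def extract_path(rest: str) -> str:
    """Pull the executable path out of the remainder of a Run line."""
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else ""
    m = re.match(r"(?P<path>.*?\.(?:exe|dll|sys))(?=\s|$)", rest, re.IGNORECASE)
    return m.group("path") if m else ""


def analyze(log_text: str) -> List[Finding]:
    """Return every log line that trips at least one triage rule."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons: List[str] = []
        m = RUN_RE.match(line)
        if m:
            key, name, rest = m.group("key"), m.group("name"), m.group("rest")
            path = extract_path(rest)
            sig = SIGNER_RE.search(rest)
            signer: Optional[str] = sig.group("signer").strip() if sig else None
            if rest == "[x]":
                reasons.append("missing_file")
            # The Winlogon Shell value should launch explorer.exe; anything else
            # (here cmd.exe) is the classic screen-locker hijack.
            basename = path.lower().rsplit("\\", 1)[-1]
            if key == "Winlogon" and name.lower() == "shell" and basename != "explorer.exe":
                reasons.append("winlogon_shell_hijack")
            if path and any(tok in path.lower() for tok in USER_WRITABLE):
                reasons.append("user_writable_path")
            if signer == "":
                reasons.append("no_signer")
            if looks_random(name):
                reasons.append("random_name")
        elif DRIVER_RE.match(line):
            reasons.append("missing_driver_file")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(", ".join(f.reasons), "::", f.line)
```

The Dell and Skype entries pass all rules and are not reported; the `4f42515e.exe` value trips three rules at once (user-writable path, no company name, random value name), which is exactly the combination the helper's fixlist removed. Legitimate updaters also live under AppData, so `user_writable_path` on its own is a prompt to look closer rather than a reason to delete.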

OK, here you go... this should get you going:

Please download the attached fixlist.txt and copy it to your flash drive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options (as you did before).

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now.

MrC


YES!!! It worked, thank you so much.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-05-2013

Ran by SYSTEM at 2013-05-17 18:38:32 Run:1

Running from F:\

Boot Mode: Recovery

==============================================

HKEY_USERS\gary\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value deleted successfully.

HKEY_USERS\gary\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.

C:\ProgramData\2433f433 => Moved successfully.

C:\Users\gary\AppData\Local\2433f433 => Moved successfully.

C:\Users\gary\AppData\Roaming\2433f433 => Moved successfully.

C:\Users\gary\Documents\4f42515e.exe => Moved successfully.

C:\ProgramData\ezsidmv.dat => Moved successfully.

igxkychz => Service deleted successfully.

C:\Windows\system32\drivers\igxkychz.sys => File/Directory not found.

==== End of Fixlog ====


OK... Next:

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe.
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt.

To attach a log if needed:

Bottom right corner of this page. [screenshot: more-reply-options.jpg]

New window that comes up. [screenshot: choose-files1.jpg]

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that your system is now functioning normally.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
