
Another FBI MonkeyPak Virus - Have logs



Hello guys, new to the forum but from what I've read so far, you guys are thorough!

Running Windows 7 x64

Keep in mind, I'm not new to computers, but this is the first time I've used HijackThis or similar tools. I'm hoping I did all the right things so far, just going off that other thread.

So I thought I'd be thorough in return for possibly a little help getting rid of this virus. It won't let me run Safe Mode, so I've gone to the lengths of this post:

http://forums.malwar...01

And here are the logs:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 17-05-2013
Ran by SYSTEM on 17-05-2013 18:56:53
Running from G:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-25] (IDT, Inc.)
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [609144 2011-04-12] (Alps Electric Co., Ltd.)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3668336 2011-03-24] (Dell Inc.)
HKLM\...\Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" [4526 2010-11-29] ()
HKLM\...\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2010-12-15] ()
HKLM\...\Run: [IntelPAN] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PAN Tray [1935120 2011-07-27] (Intel(R) Corporation)
HKLM\...\Run: [BTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp [10365952 2011-05-18] (Intel Corporation)
HKLM\...\Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" [57928 2011-09-16] (LogMeIn, Inc.)
HKLM\...\Run: [DBRMTray] C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [206336 2010-09-10] (Microsoft)
HKLM\...\RunOnce: [DBRMTray] C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-09-10] (Microsoft)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\Program Files (x86)\DigitalPersona\Bin\DPAgent.exe, [740688 2010-12-29] (DigitalPersona, Inc.)
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [503942 2011-04-13] (Creative Technology Ltd)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2011-05-11] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [39136 2012-12-18] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [825560 2012-12-18] (Adobe Systems Inc.)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-11-01] (Research In Motion Limited)
HKLM-x32\...\Run: [CardScanAgent] "C:\Program Files (x86)\CardScan\CardScan\CardScanAgent.exe" [176128 2006-10-20] (CardScan, Inc.)
HKLM-x32\...\Run: [SBAMTray] "C:\Program Files (x86)\GFI Software\GFIAgent\SBAMTray.exe" [3226504 2012-10-16] (GFI Software)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254896 2012-09-17] (Sun Microsystems, Inc.)
HKU\mfadmin\...\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10v_ActiveX.exe -update activex [x]
HKU\mvolkmann\...\Run: [CardScan AutoSync] [x]
HKU\mvolkmann\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\mvolkmann\Documents\4ee7fcbb.exe [24064 2013-05-16] ()
HKU\mvolkmann\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
Lsa: [Notification Packages] DPPassFilter scecli
Startup: C:\Users\mvolkmann\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) =================

S2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [375728 2012-11-07] (LogMeIn, Inc.)
S2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [147888 2012-11-07] (LogMeIn, Inc.)
S2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2011-09-16] (LogMeIn, Inc.)
S3 MSSQL$MSSMLBIZ; c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-07-27] ()
S2 SBAMSvc; C:\Program Files (x86)\GFI Software\GFIAgent\SBAMSvc.exe [3675976 2012-10-16] (GFI Software)
S2 SBPIMSvc; C:\Program Files (x86)\GFI Software\GFIAgent\SBPIMSvc.exe [175496 2012-10-16] (GFI Software)

==================== Drivers (Whitelisted) ====================

S2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [15928 2011-09-16] (LogMeIn, Inc.)
S3 radpms; C:\Windows\System32\DRIVERS\radpms.sys [14944 2011-09-16] (LogMeIn, Inc.)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [74752 2011-07-25] (Research In Motion Limited)
S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44032 2011-07-20] (Research in Motion Ltd)
S1 tmlwf; C:\Windows\System32\DRIVERS\tmlwf.sys [196688 2010-11-08] (Trend Micro Inc.)
S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [108624 2010-11-08] (Trend Micro Inc.)
S2 tmwfp; C:\Windows\System32\DRIVERS\tmwfp.sys [338000 2010-11-08] (Trend Micro Inc.)
S3 btwaudio; system32\drivers\btwaudio.sys [x]
S3 btwavdt; system32\DRIVERS\btwavdt.sys [x]
S3 btwl2cap; system32\DRIVERS\btwl2cap.sys [x]
S3 btwrchid; system32\DRIVERS\btwrchid.sys [x]
S4 LMIRfsClientNP; No ImagePath
S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-17 18:54 - 2013-05-17 18:54 - 00000000 ____D C:\FRST
2013-05-17 13:28 - 2013-05-17 13:28 - 00006972 ____A C:\Windows\System32\PerfStringBackup.TMP
2013-05-16 18:41 - 2013-05-16 18:41 - 01096047 ____A C:\Users\mvolkmann\AppData\Roaming\2433f433
2013-05-16 18:41 - 2013-05-16 18:41 - 01096011 ____A C:\ProgramData\2433f433
2013-05-16 18:41 - 2013-05-16 18:41 - 01096003 ____A C:\Users\mvolkmann\AppData\Local\2433f433
2013-05-16 18:41 - 2013-05-16 18:41 - 00024064 ____A C:\Users\mvolkmann\Documents\4ee7fcbb.exe
2013-05-07 08:22 - 2013-05-07 08:22 - 00000000 ____D C:\Users\mvolkmann\AppData\Roaming\Windows Small Bus

==================== One Month Modified Files and Folders =======

2013-05-17 18:54 - 2013-05-17 18:54 - 00000000 ____D C:\FRST
2013-05-17 13:35 - 2012-02-10 08:08 - 00213333 ____A C:\Windows\setupact.log
2013-05-17 13:35 - 2011-11-04 18:54 - 01978739 ____A C:\Windows\WindowsUpdate.log
2013-05-17 13:35 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-17 13:28 - 2013-05-17 13:28 - 00006972 ____A C:\Windows\System32\PerfStringBackup.TMP
2013-05-17 13:26 - 2013-02-18 09:27 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-17 11:55 - 2009-07-13 21:13 - 00879370 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-17 11:50 - 2011-11-24 12:15 - 00000000 ____D C:\ProgramData\LogMeIn
2013-05-16 19:08 - 2011-12-19 08:56 - 00000506 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
2013-05-16 19:06 - 2012-06-26 04:03 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-16 19:06 - 2011-12-19 08:56 - 00000564 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2013-05-16 19:05 - 2009-07-13 21:08 - 00032606 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-05-16 18:42 - 2013-02-18 09:27 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-16 18:41 - 2013-05-16 18:41 - 01096047 ____A C:\Users\mvolkmann\AppData\Roaming\2433f433
2013-05-16 18:41 - 2013-05-16 18:41 - 01096011 ____A C:\ProgramData\2433f433
2013-05-16 18:41 - 2013-05-16 18:41 - 01096003 ____A C:\Users\mvolkmann\AppData\Local\2433f433
2013-05-16 18:41 - 2013-05-16 18:41 - 00024064 ____A C:\Users\mvolkmann\Documents\4ee7fcbb.exe
2013-05-16 17:32 - 2009-07-13 20:45 - 00021280 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-16 17:32 - 2009-07-13 20:45 - 00021280 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-16 17:29 - 2013-03-13 19:16 - 00000000 ___RD C:\Users\mvolkmann\Dropbox
2013-05-16 17:29 - 2013-03-13 19:13 - 00000000 ____D C:\Users\mvolkmann\AppData\Roaming\Dropbox
2013-05-15 07:03 - 2011-12-20 16:12 - 00000000 ___RD C:\Users\mvolkmann\Virtual Machines
2013-05-15 06:29 - 2011-12-19 16:08 - 00000128 ____A C:\Windows\System32\config\netlogon.ftl
2013-05-15 06:06 - 2012-06-26 04:02 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-05-15 06:06 - 2012-01-05 11:21 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-05-10 12:39 - 2012-02-23 12:16 - 00000000 ____D C:\Users\mvolkmann\AppData\Roaming\Skype
2013-05-07 08:22 - 2013-05-07 08:22 - 00000000 ____D C:\Users\mvolkmann\AppData\Roaming\Windows Small Bus

Other Malware:
===========
C:\Users\mvolkmann\g2mdlhlpx.exe

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-04-19 05:44:17
Restore point made on: 2013-04-26 09:19:40
Restore point made on: 2013-05-06 05:14:53
Restore point made on: 2013-05-13 07:07:58

==================== Memory info ===========================

Percentage of memory in use: 17%
Total physical RAM: 6050.05 MB
Available physical RAM: 4986.85 MB
Total Pagefile: 6048.25 MB
Available Pagefile: 4976.21 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:451.01 GB) (Free:300.03 GB) NTFS (Disk=0 Partition=3)
Drive e: (ALIENW7SP1X64) (CDROM) (Total:3.75 GB) (Free:0 GB) UDF
Drive g: () (Removable) (Total:0.12 GB) (Free:0.08 GB) FAT (Disk=2 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.02 GB) NTFS
Drive y: (Recovery) (Fixed) (Total:14.65 GB) (Free:5.98 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 1CCBC8D4)
Partition 1: (Not Active) - (Size=100 MB) - (Type=DE)
Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=451 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 124 MB) (Disk ID: 7AC2F54D)
Partition 1: (Active) - (Size=124 MB) - (Type=06)


Last Boot: 2013-05-14 05:25

==================== End Of Log ============================

I really appreciate any speedy help, as this is my father's work laptop and he needs it to run his business this weekend because of deadlines Monday!

Thank you kindly,

Matt.

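The log above carries three things a responder looks for first: a per-user Winlogon Shell value that is no longer explorer.exe (the line FRST itself marks ATTENTION), a Run entry with a random value name launching an unsigned executable from the user's Documents folder, and the same hex-named file dropped into three user-writable locations at the same minute. The script below is an added example, not part of the original thread and not FRST's own code: it parses the two FRST line formats seen in the log (the Registry autorun lines and the Created/Modified file lines) and flags those indicators. The sample lines are copied from the FRST.txt posted above; the "random-looking name" threshold (16 or more mixed lowercase letters and digits) and the 8-character hex basename pattern are my own assumed heuristics, marked as such in the comments.

```python
"""Triage an FRST.txt-style log for the persistence a lockscreen infection leaves behind.

Added example, not part of FRST. Heuristics only (a flag, not a verdict):
  1. A Winlogon "Shell" value that is anything other than explorer.exe.
  2. Run/RunOnce entries launching from a user-writable location (user profile,
     ProgramData, %TEMP%) with no publisher string and/or a random-looking name.
  3. Files whose basename is an 8-character hex string, dropped into several
     user-writable locations (the same payload copied to AppData and ProgramData).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Registry lines: "HKLM-x32\...\Run: [Name] command [size date] (Publisher) <==== ATTENTION"
AUTORUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)(?:-x32)?\\\.\.\.\\(?P<key>Run|RunOnce|Winlogon): "
    r"\[(?P<name>[^\]]*)\] ?(?P<rest>.*)$")
# File lines: "created - modified - size attrs (Publisher) path"
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d+ \S+ "
    r"(?:\([^)]*\) )?(?P<path>[A-Za-z]:\\.+)$")
USER_WRITABLE_RE = re.compile(
    r"(?i)(?:[a-z]:\\(?:users|programdata)\\|%(?:appdata|localappdata|temp|userprofile)%)")
HEX_NAME_RE = re.compile(r"(?i)^[0-9a-f]{8}(?:\.exe)?$")            # assumed pattern: 2433f433, 4ee7fcbb.exe
RANDOM_VALUE_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{16,}$")  # assumed threshold: 16+ mixed chars


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    line: str


def parse_autorun(rest):
    """Split 'command [size date] (publisher) <==== ATTENTION' into its parts."""
    attention = rest.endswith("<==== ATTENTION")
    if attention:
        rest = rest[: -len("<==== ATTENTION")].rstrip()
    publisher = None
    if rest.endswith(")"):                  # trailing "(Publisher)"; "()" means no publisher
        i = rest.rfind(" (")
        if i != -1:
            publisher, rest = rest[i + 2:-1], rest[:i]
    m = re.search(r"\s*\[[^\]]*\]$", rest)  # FRST's "[size date]" or "[x]" marker
    if m:
        rest = rest[: m.start()]
    return rest.strip(), publisher, attention


def triage(log_text):
    findings = []
    hex_drops = defaultdict(set)  # basename -> paths (Created and Modified sections repeat files)
    for line in log_text.splitlines():
        line = line.strip()
        m = AUTORUN_RE.match(line)
        if m:
            cmd, publisher, attention = parse_autorun(m["rest"])
            key, name = m["key"], m["name"]
            if key == "Winlogon" and name == "Shell" and cmd.lower() != "explorer.exe":
                findings.append(Finding("high", f"Winlogon Shell replaced with {cmd!r} under {m['hive']}", line))
            elif key in ("Run", "RunOnce") and USER_WRITABLE_RE.search(cmd):
                reasons = []
                if not publisher:
                    reasons.append("no publisher")
                if RANDOM_VALUE_RE.match(name) or HEX_NAME_RE.match(cmd.rsplit("\\", 1)[-1]):
                    reasons.append("random-looking name")
                if reasons:
                    findings.append(Finding("high" if len(reasons) == 2 else "medium",
                                            f"{key} entry from user-writable path ({', '.join(reasons)})", line))
            elif attention:
                findings.append(Finding("medium", "line marked ATTENTION by FRST", line))
            continue
        m = FILE_RE.match(line)
        if m and USER_WRITABLE_RE.search(m["path"]):
            basename = m["path"].rsplit("\\", 1)[-1]
            if HEX_NAME_RE.match(basename):
                hex_drops[basename].add(m["path"])
    for basename, paths in sorted(hex_drops.items()):
        findings.append(Finding("high" if len(paths) > 1 else "medium",
                                f"hex-named file {basename} in {len(paths)} user-writable location(s)",
                                "; ".join(sorted(paths))))
    return findings


# Sample input: lines copied from the FRST.txt posted in the thread above.
SAMPLE_LOG = r"""
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-25] (IDT, Inc.)
HKLM\...\Run: [IntelPAN] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PAN Tray [1935120 2011-07-27] (Intel(R) Corporation)
HKLM-x32\...\Run: [] [x]
HKU\mfadmin\...\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10v_ActiveX.exe -update activex [x]
HKU\mvolkmann\...\Run: [CardScan AutoSync] [x]
HKU\mvolkmann\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\mvolkmann\Documents\4ee7fcbb.exe [24064 2013-05-16] ()
HKU\mvolkmann\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
2013-05-16 18:41 - 2013-05-16 18:41 - 01096047 ____A C:\Users\mvolkmann\AppData\Roaming\2433f433
2013-05-16 18:41 - 2013-05-16 18:41 - 01096011 ____A C:\ProgramData\2433f433
2013-05-16 18:41 - 2013-05-16 18:41 - 01096003 ____A C:\Users\mvolkmann\AppData\Local\2433f433
2013-05-16 18:41 - 2013-05-16 18:41 - 00024064 ____A C:\Users\mvolkmann\Documents\4ee7fcbb.exe
2013-05-16 18:41 - 2013-05-16 18:41 - 01096011 ____A C:\ProgramData\2433f433
2013-05-15 06:06 - 2012-06-26 04:02 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
"""

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity != "high"):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample, it reports the hijacked Shell and the Documents\4ee7fcbb.exe autorun as high, the 2433f433 file in three locations as high, and the single 4ee7fcbb.exe drop as medium, while the signed vendor entries in Program Files produce nothing. Treat the output as a shortlist for the fixlist, not as the fix: the publisher string is FRST's read of the file's version resource, not a verified signature, so an unsigned entry is suspicious rather than proven malicious.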

OK, here you go......this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now and if so..........

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
