Logs for MrC (Ransomware)

[bergnutz]

Related to the moneypak virus, this is the frst.txt file that it came up with.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-05-2013

Ran by Owner (administrator) on 27-05-2013 19:33:58

Running from E:\

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Safe Mode (minimal)

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Windows\system32\cmd.exe

(Farbar) E:\FRST64.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11448424 2010-08-20] (Realtek Semiconductor)

HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3 [2120808 2010-08-20] (Realtek Semiconductor)

HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1894696 2010-01-07] (Synaptics Incorporated)

HKLM\...\Run: [OnekeyStudio] C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe [776608 2009-12-18] (Lenovo)

HKLM\...\Run: [MRT] "C:\windows\system32\MRT.exe" /R [75016696 2013-05-15] (Microsoft Corporation)

HKCU\...\Run: [best Buy pc app] C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms [x]

HKCU\...\Run: [Realtek] Regsvr32.exe C:\Users\Owner\AppData\Local\Realtek\rhyiijlr.dll [681984 2013-05-22] (CANON INC.)

HKCU\...\RunOnce: [FlashPlayerUpdate] C:\windows\system32\Macromed\Flash\FlashUtil64_11_4_402_287_ActiveX.exe -update activex [421304 2012-10-21] (Adobe Systems Incorporated)

HKCU\...\Winlogon: [shell] explorer.exe,C:\Users\Owner\AppData\Roaming\skype.dat [146944 2011-11-17] (AutoRix Software LLC) <==== ATTENTION

HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2010-07-19] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)

HKLM-x32\...\Run: [updateP2GShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\5.0" [218408 2008-12-03] (CyberLink Corp.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)

Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk

ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk

ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

==================== Internet (Whitelisted) ====================

BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)

BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

BHO-x32: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\18.7.1.3\IPS\IPSBHO.DLL (Symantec Corporation)

BHO-x32: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)

BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)

BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

BHO-x32: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)

BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

Toolbar: HKLM-x32 - @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)

Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

Winsock: Catalog5 10 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [20992] (Microsoft Corporation)

Winsock: Catalog5-x64 10 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

==================== Services (Whitelisted) =================

S3 IGRS; C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe [38152 2009-07-14] (Lenovo Group Limited)

S2 IHA_MessageCenter; C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [352248 2012-08-03] (Verizon)

S3 Lenovo ReadyComm AppSvc; C:\Program Files\Lenovo\ReadyComm\AppSvc.exe [509192 2009-08-14] (Lenovo Group Limited)

S3 Lenovo ReadyComm ConnSvc; C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe [579400 2009-09-22] (Lenovo Group Limited)

S2 McciCMService64; C:\Program Files\Common Files\Motive\McciCMService.exe [517632 2010-03-17] (Alcatel-Lucent)

S2 NAV; C:\Program Files (x86)\Norton AntiVirus\Engine\18.7.1.3\diMaster.dll [262584 2011-03-31] (Symantec Corporation)

S3 PS_MDP; C:\Program Files (x86)\Lenovo\ReadyComm\PS_MDP.dll [276296 2009-07-15] (Lenovo Group Limited)

S2 ReadyComm.DirectRouter; C:\Program Files (x86)\Lenovo\ReadyComm\common\router.dll [103688 2009-07-14] (Lenovo Group Limited)

==================== Drivers (Whitelisted) ====================

S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\BASHDefs\20110518.001\BHDrvx64.sys [1127032 2011-04-15] (Symantec Corporation)

S3 Bridge0; C:\Windows\System32\drivers\WDBridge.sys [79376 2009-07-15] (Lenovo)

S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [481912 2011-05-10] (Symantec Corporation)

S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\IPSDefs\20110518.001\IDSvia64.sys [476792 2011-03-14] (Symantec Corporation)

S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\VirusDefs\20110519.002\ENG64.SYS [117880 2011-05-17] (Symantec Corporation)

S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\VirusDefs\20110519.002\EX64.SYS [2011768 2011-05-17] (Symantec Corporation)

S3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2011-05-10] (Symantec Corporation)

S3 wdmirror; C:\Windows\System32\DRIVERS\WDMirror.sys [11280 2009-07-16] (Lenovo)

U3 BcmSqlStartupSvc;

U2 IAStorDataMgrSvc;

U2 IviRegMgr;

U2 RichVideo;

U3 SQLWriter;

S3 SRTSP; \SystemRoot\System32\Drivers\NAVx64\1207010.003\SRTSP64.SYS [x]

S1 SRTSPX; \SystemRoot\system32\drivers\NAVx64\1207010.003\SRTSPX64.SYS [x]

R0 SymDS; system32\drivers\NAVx64\1207010.003\SYMDS64.SYS [x]

R0 SymEFA; system32\drivers\NAVx64\1207010.003\SYMEFA64.SYS [x]

S1 SymIRON; \SystemRoot\system32\drivers\NAVx64\1207010.003\Ironx64.SYS [x]

S1 SymNetS; \SystemRoot\System32\Drivers\NAVx64\1207010.003\SYMNETS.SYS [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-27 19:21 - 2013-05-27 19:21 - 00000000 ____D C:\FRST

2013-05-27 09:50 - 2013-05-27 10:22 - 00000004 ____A C:\Users\Owner\AppData\Roaming\skype.ini

2013-05-22 01:38 - 2013-05-22 10:50 - 00000000 ____D C:\Users\Owner\AppData\Local\Realtek

2013-05-22 01:37 - 2013-05-22 01:37 - 00000000 ____D C:\Users\Owner\AppData\Local\Apps\Windows Live Writer

2013-05-15 03:01 - 2013-04-05 02:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-05-15 03:01 - 2013-04-05 02:52 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-05-15 03:01 - 2013-04-05 02:52 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe

2013-05-15 03:01 - 2013-04-05 02:50 - 19231232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-15 03:01 - 2013-04-05 02:50 - 15404032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-05-15 03:01 - 2013-04-05 02:50 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-05-15 03:01 - 2013-04-05 02:50 - 02647552 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-05-15 03:01 - 2013-04-05 02:50 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-05-15 03:01 - 2013-04-05 02:50 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-05-15 03:01 - 2013-04-05 02:50 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-05-15 03:01 - 2013-04-05 02:50 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll

2013-05-15 03:01 - 2013-04-05 02:50 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll

2013-05-15 03:01 - 2013-04-05 02:50 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-05-15 03:01 - 2013-04-05 02:50 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll

2013-05-15 03:01 - 2013-04-05 01:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-05-15 03:01 - 2013-04-05 01:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-05-15 03:01 - 2013-04-05 01:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-15 03:01 - 2013-04-05 01:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-05-15 03:01 - 2013-04-05 01:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-05-15 03:01 - 2013-04-05 01:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-05-15 03:01 - 2013-04-05 01:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-05-15 03:01 - 2013-04-05 01:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-05-15 03:01 - 2013-04-05 01:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-05-15 03:01 - 2013-04-05 01:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll

2013-05-15 03:01 - 2013-04-05 01:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll

2013-05-15 03:01 - 2013-04-05 01:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-05-15 03:01 - 2013-04-05 01:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll

2013-05-15 03:01 - 2013-04-05 00:43 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-15 03:01 - 2013-04-05 00:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-15 03:01 - 2013-04-04 23:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe

2013-05-15 03:01 - 2013-04-04 23:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe

2013-05-14 20:37 - 2013-04-10 02:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys

2013-05-14 20:37 - 2013-04-10 02:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys

2013-05-14 20:37 - 2011-02-03 07:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll

2013-05-14 20:36 - 2013-04-09 23:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-05-14 20:36 - 2013-03-19 01:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll

2013-05-14 20:36 - 2013-03-19 01:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll

2013-05-14 20:36 - 2013-02-27 02:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe

2013-05-14 20:36 - 2013-02-27 01:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2013-05-14 20:36 - 2013-02-27 01:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll

2013-05-14 20:36 - 2013-02-27 01:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll

2013-05-14 20:36 - 2013-02-27 01:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll

2013-05-14 20:36 - 2013-02-27 00:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2013-05-14 20:36 - 2013-02-27 00:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll

2013-05-14 20:36 - 2013-02-27 00:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll

2013-04-27 12:30 - 2013-04-27 12:30 - 00001502 ____A C:\ProgramData\SMRResults322.dat

2013-04-27 12:04 - 2013-04-27 12:04 - 00000000 ____A C:\Users\Owner\spoolsv.exe

2013-04-27 12:04 - 2013-04-27 12:04 - 00000000 ____A C:\Users\Owner\skype.exe

2013-04-27 12:04 - 2013-04-27 12:04 - 00000000 ____A C:\Users\Owner\msconfig.exe

==================== One Month Modified Files and Folders =======

2013-05-27 19:21 - 2013-05-27 19:21 - 00000000 ____D C:\FRST

2013-05-27 10:22 - 2013-05-27 09:50 - 00000004 ____A C:\Users\Owner\AppData\Roaming\skype.ini

2013-05-27 10:22 - 2011-11-23 00:59 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-05-27 10:21 - 2013-04-09 09:49 - 00001120 ____A C:\Windows\setupact.log

2013-05-27 10:21 - 2013-04-09 09:39 - 00254551 ____A C:\FaceProv.log

2013-05-27 10:21 - 2009-07-14 01:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-27 09:34 - 2011-11-23 00:59 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-05-27 09:06 - 2013-04-09 10:06 - 01290486 ____A C:\Windows\WindowsUpdate.log

2013-05-22 10:50 - 2013-05-22 01:38 - 00000000 ____D C:\Users\Owner\AppData\Local\Realtek

2013-05-22 01:37 - 2013-05-22 01:37 - 00000000 ____D C:\Users\Owner\AppData\Local\Apps\Windows Live Writer

2013-05-22 01:37 - 2011-07-08 01:37 - 00000000 ____D C:\Users\Owner\AppData\Local\CrashDumps

2013-05-18 23:08 - 2009-07-14 00:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-05-18 23:08 - 2009-07-14 00:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-05-15 04:39 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache

2013-05-15 03:37 - 2009-07-14 00:45 - 00282960 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-15 03:09 - 2011-04-20 08:11 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-05-02 02:06 - 2011-04-20 06:59 - 00278800 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

2013-04-28 04:01 - 2013-04-09 10:11 - 00005354 ____A C:\Windows\System32\PerfStringBackup.TMP

2013-04-27 12:30 - 2013-04-27 12:30 - 00001502 ____A C:\ProgramData\SMRResults322.dat

2013-04-27 12:30 - 2011-04-20 06:07 - 00000000 ____D C:\users\Owner

2013-04-27 12:28 - 2013-04-09 10:17 - 00000000 ____D C:\Users\Owner\AppData\Local\NPE

2013-04-27 12:04 - 2013-04-27 12:04 - 00000000 ____A C:\Users\Owner\spoolsv.exe

2013-04-27 12:04 - 2013-04-27 12:04 - 00000000 ____A C:\Users\Owner\skype.exe

2013-04-27 12:04 - 2013-04-27 12:04 - 00000000 ____A C:\Users\Owner\msconfig.exe

Other Malware:

===========

C:\Users\Owner\msconfig.exe

C:\Users\Owner\skype.exe

C:\Users\Owner\spoolsv.exe

C:\Users\Owner\AppData\Roaming\skype.dat

C:\Users\Owner\AppData\Roaming\skype.ini

C:\ProgramData\SMRResults322.dat

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

Last Boot: 2013-05-24 02:09

==================== End Of Log ============================

[DarkSnakeKobra]

Please see this topic for support instructions and where to post.

http://forums.malwarebytes.org/index.php?showtopic=119858

[Maurice Naggar]

Member being helped by MrC at this thread => http://forums.malwarebytes.org/index.php?showtopic=126903

I am closing this.

Cheers.