
FBI Money PAK Malware infection



My desktop is infected with the Moneypak malware and I could use some help in resolving.

The PC is a DualBoot capable (XP and Windows 7 Home Premium 32bit OS). I have been reading some of the posts, and this looks like a nasty one.

Right now, I am using my LAPTOP to communicate, and the affected PC is in a power down state.


Hello dollarbang and welcome to Malwarebytes!

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.

For 64-bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64.exe) and press Enter.

Note: Replace the letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

Let me know how things go. If you at any point have trouble using FRST, please stop and post back here to let me know.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note:

Please make sure you are subscribed to this topic: Click on the "Follow This Topic" Button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly"

-------> Your topic will be closed if you haven't replied within 3 days! <--------

(If I don't respond within 24 hours, please send me a PM)

-DFB


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-06-2013 04

Ran by SYSTEM on 12-06-2013 19:53:16

Running from H:\

Windows 7 Home Premium (X86) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet002

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)

HKLM\...\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [50472 2007-12-14] ()

HKLM\...\Run: [PCTVOICE] pctspk.exe [x]

HKLM\...\Run: [PV92TRAY] PV92Tray.exe [x]

HKLM\...\Run: [ArcSoft MediaImpression Monitor] C:\Program Files\Kodak\MediaImpression\ArcMonitor.exe [73728 2010-11-12] (ArcSoft, Inc.)

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7514656 2009-05-22] (Realtek Semiconductor)

HKLM\...\Run: [skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe [1833504 2009-05-22] (Realtek Semiconductor Corp.)

HKLM\...\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2011-03-08] (Advanced Micro Devices, Inc.)

HKLM\...\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN [1159168 2009-05-26] (Brother Industries, Ltd.)

HKLM\...\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun [114688 2008-12-24] (Brother Industries, Ltd.)

HKLM\...\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe [20480 2005-10-03] ()

HKLM\...\Run: [tsnp2std] C:\Windows\tsnp2std.exe [102400 2005-09-09] (sonix)

HKLM\...\Run: [] [x]

HKLM\...\Run: [Display] C:\Program Files\APC\PowerChute Personal Edition\DataCollectionLauncher.exe [284024 2012-01-24] (Schneider Electric)

HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947152 2013-01-27] (Microsoft Corporation)

HKLM\...\Run: [CCEnhancer] E:\Archive\Mozilla Downloads\CCEnhancer.exe /AUTO [x]

HKLM\...\Run: [Eraser] "C:\PROGRA~1\Eraser\Eraser.exe" --atRestart [980920 2012-05-22] (The Eraser Project)

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKU\Harold\...\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO [ 2013-03-25] (Piriform Ltd)

HKU\Harold\...\Run: [MP3 Skype Recorder] C:\Program Files\MP3 Skype Recorder\MP3 Skype Recorder.exe [ 2011-11-17] (Alexander Nikiforov)

HKU\Harold\...\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart [ 2013-04-16] (Google)

HKU\Harold\...\Run: [5CFC264D1C97FB0AC657A58A0D014754D6FBBBED._service_run] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=service [ 2013-05-28] (Google Inc.)

HKU\Harold\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]

HKU\Harold\...\Run: [GarminExpressTrayApp] "C:\Program Files\Garmin\Express Tray\ExpressTray.exe" [x]

HKU\Harold\...\Winlogon: [shell] explorer.exe,C:\Users\Harold\AppData\Roaming\skype.dat <==== ATTENTION

Startup: C:\ProgramData\Start Menu\Programs\Startup\APC UPS Status.lnk

ShortcutTarget: APC UPS Status.lnk -> C:\Program Files\APC\PowerChute Personal Edition\Display.exe (Schneider Electric)

Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Button Manager.lnk

ShortcutTarget: HP Button Manager.lnk -> C:\Program Files\HP\Button Manager\BM.exe ()

Startup: C:\Users\Harold\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FAXRX.lnk

ShortcutTarget: FAXRX.lnk -> C:\Program Files\Brother\Brmfl06a\FAXRX.exe (Brother Industries Ltd.)

========================== Services (Whitelisted) =================

S2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)

S2 APC Data Service; C:\Program Files\APC\PowerChute Personal Edition\dataserv.exe [21880 2012-01-24] (Schneider Electric)

S2 APC UPS Service; C:\Program Files\APC\PowerChute Personal Edition\mainserv.exe [705912 2012-01-24] (Schneider Electric)

S3 BrlAPI; C:\Util\Cygwin\bin\cygrunsrv.exe [68096 2008-03-18] ()

S2 Garmin Core Update Service; C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [186200 2013-03-20] (Garmin Ltd or its subsidiaries)

S2 M4-Service; C:\Users\Harold\AppData\Local\Mikogo4\Viewer\Service\M4-Service.exe [1008032 2013-02-24] ()

S2 Motorola Device Manager; C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [121144 2013-03-25] (Motorola Mobility LLC)

S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)

S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] (Microsoft Corporation)

S2 PST Service; C:\Program Files\Motorola\MotForwardDaemon\ForwardDaemon.exe [65657 2011-09-02] (Motorola)

S2 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [272024 2007-05-14] ()

S3 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [993848 2011-04-18] (Secunia)

S3 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [399416 2011-04-18] (Secunia)

S2 uCamMonitor; C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [104960 2008-09-18] (ArcSoft, Inc.)

S2 VMAuthdService; C:\Program Files\VMware\VMware Workstation\vmware-authd.exe [113200 2009-10-22] (VMware, Inc.)

S2 VMnetDHCP; C:\Windows\system32\vmnetdhcp.exe [334384 2009-10-22] (VMware, Inc.)

S2 VMUSBArbService; C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe [563760 2009-10-21] (VMware, Inc.)

S2 VMware NAT Service; C:\Windows\system32\vmnat.exe [395824 2009-10-22] (VMware, Inc.)

S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [x]

S3 ufad-ws60; "C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" -s ufad-p2v.xml [x]

==================== Drivers (Whitelisted) ====================

S3 Afc; C:\Windows\System32\drivers\Afc.sys [18688 2006-11-10] (Arcsoft, Inc.)

S3 ArcSoftKsUFilter; C:\Windows\System32\DRIVERS\ArcSoftKsUFilter.sys [17408 2009-05-26] (ArcSoft, Inc.)

S2 hcmon; C:\Windows\system32\drivers\hcmon.sys [32304 2009-10-21] (VMware, Inc.)

S1 HWiNFO32; C:\Program Files\HWiNFO32\HWiNFO32.SYS [20088 2010-09-29] (REALiX)

S3 motandroidusb; C:\Windows\System32\Drivers\motoandroid.sys [25856 2009-07-10] (Motorola)

S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)

S3 mv2; C:\Windows\System32\DRIVERS\mv2.sys [12904 2012-01-24] (UVNC BVBA)

S2 NPF; C:\Windows\System32\drivers\npf.sys [35088 2010-06-25] (CACE Technologies, Inc.)

S3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)

S3 Ptserial; C:\Windows\System32\DRIVERS\ptserial.sys [356159 2003-11-25] (PCTEL, INC.)

S1 RapportKELL; C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys [59240 2010-04-22] (Trusteer Ltd.)

S1 RapportPG; C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [157160 2010-04-22] (Trusteer Ltd.)

S3 vmkbd; C:\Windows\system32\drivers\VMkbd.sys [23216 2009-10-22] (VMware, Inc.)

S3 VMnetAdapter; C:\Windows\System32\DRIVERS\vmnetadapter.sys [16560 2009-10-21] (VMware, Inc.)

S2 VMnetBridge; C:\Windows\System32\DRIVERS\vmnetbridge.sys [36400 2009-10-21] (VMware, Inc.)

S2 VMnetuserif; C:\Windows\system32\drivers\vmnetuserif.sys [26288 2009-10-22] (VMware, Inc.)

S3 Vmodem; C:\Windows\System32\DRIVERS\vmodem.sys [703673 2003-10-30] (PCTEL, INC.)

S2 VMparport; C:\Windows\system32\Drivers\VMparport.sys [14896 2009-10-22] (VMware, Inc.)

S2 vmx86; C:\Windows\system32\Drivers\vmx86.sys [853936 2009-10-22] (VMware, Inc.)

S3 Vpctcom; C:\Windows\System32\DRIVERS\vpctcom.sys [801778 2003-11-25] (PCtel, Inc.)

S2 vstor2-ws60; C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys [22448 2009-10-12] (VMware, Inc.)

S3 Vvoice; C:\Windows\System32\DRIVERS\vvoice.sys [70320 2003-10-30] (PCtel, Inc.)

S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}; C:\Program Files\CyberLink\PowerDVD8\000.fcl [41456 2008-02-01] (Cyberlink Corp.)

S3 ALSysIO; \??\C:\Users\Harold\AppData\Local\Temp\ALSysIO.sys [x]

S3 BTCFilterService; system32\DRIVERS\motfilt.sys [x]

S3 motccgp; system32\DRIVERS\motccgp.sys [x]

S3 motccgpfl; system32\DRIVERS\motccgpfl.sys [x]

S3 motmodem; system32\DRIVERS\motmodem.sys [x]

S3 MotoSwitchService; system32\DRIVERS\motswch.sys [x]

S3 Motousbnet; system32\DRIVERS\Motousbnet.sys [x]

S3 motport; system32\DRIVERS\motport.sys [x]

S3 motusbdevice; system32\DRIVERS\motusbdevice.sys [x]

S3 RimUsb; System32\Drivers\RimUsb.sys [x]

S3 SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010\WNt500x86\Sandra.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-12 19:52 - 2013-06-12 19:52 - 00000000 ____D C:\FRST

2013-06-12 11:55 - 2013-06-12 15:27 - 00000112 ____A C:\Windows\setupact.log

2013-06-12 11:55 - 2013-06-12 11:55 - 00000000 ____A C:\Windows\setuperr.log

2013-06-12 08:29 - 2013-06-12 11:46 - 00000004 ____A C:\Users\Harold\AppData\Roaming\skype.ini

2013-06-08 19:15 - 2013-06-08 19:15 - 00008874 ____A C:\Users\Harold\Downloads\lgeccu_billpay_history.csv

2013-06-08 14:52 - 2013-06-08 14:55 - 51933696 ____A C:\Users\Harold\Downloads\calibre-0.9.34.msi

2013-06-07 18:07 - 2013-06-07 18:51 - 903217152 ____A C:\Users\Harold\Downloads\tails-i386-0.18.iso

2013-06-06 18:04 - 2013-06-06 18:04 - 00002008 ____A C:\Users\Public\Desktop\Foxit Reader.lnk

2013-05-28 13:42 - 2013-05-28 13:42 - 01725320 ____A C:\Users\Harold\Downloads\DesktopUploader1.2.0.0.exe

2013-05-23 21:38 - 2013-05-23 21:39 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-05-17 12:50 - 2013-05-17 12:52 - 26957289 ____A (Igor Pavlov) C:\Users\Harold\Downloads\tor-browser-2.3.25-8_en-US.exe

2013-05-17 11:06 - 2013-05-17 11:07 - 00000000 ____D C:\Users\Harold\AppData\Local\{EBF6ED97-4A84-4276-985B-34A9E488F32D}

2013-05-15 23:14 - 2013-04-04 21:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-05-15 23:14 - 2013-04-04 21:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-05-15 23:14 - 2013-04-04 21:28 - 00042496 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe

2013-05-15 23:14 - 2013-04-04 21:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-05-15 23:14 - 2013-04-04 21:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-05-15 23:14 - 2013-04-04 21:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-05-15 23:14 - 2013-04-04 21:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-05-15 23:14 - 2013-04-04 21:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-05-15 23:14 - 2013-04-04 21:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-05-15 23:14 - 2013-04-04 21:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll

2013-05-15 23:14 - 2013-04-04 21:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll

2013-05-15 23:14 - 2013-04-04 21:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-05-15 23:14 - 2013-04-04 21:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll

2013-05-15 23:14 - 2013-04-04 20:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-15 23:14 - 2013-04-04 19:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe

2013-05-15 23:13 - 2013-04-04 21:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-15 15:22 - 2013-04-09 21:18 - 00728424 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys

2013-05-15 15:22 - 2013-04-09 21:18 - 00218984 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys

2013-05-15 15:22 - 2013-04-09 19:14 - 02347520 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-05-15 15:22 - 2013-03-18 20:53 - 00186368 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll

2013-05-15 15:22 - 2013-03-18 19:33 - 00040960 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll

2013-05-15 15:21 - 2013-02-26 21:05 - 00101720 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe

2013-05-15 15:21 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2013-05-15 15:21 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll

2013-05-15 15:21 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll

2013-05-15 15:21 - 2013-02-26 20:49 - 00047104 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll

2013-05-15 04:53 - 2013-05-16 02:58 - 00000000 ____D C:\Program Files\Mozilla Thunderbird

==================== One Month Modified Files and Folders ========

2013-06-12 19:52 - 2013-06-12 19:52 - 00000000 ____D C:\FRST

2013-06-12 15:27 - 2013-06-12 11:55 - 00000112 ____A C:\Windows\setupact.log

2013-06-12 11:55 - 2013-06-12 11:55 - 00000000 ____A C:\Windows\setuperr.log

2013-06-12 11:55 - 2012-09-23 14:33 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-06-12 11:55 - 2010-07-08 08:24 - 00000000 ____D C:\ProgramData\VMware

2013-06-12 11:55 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-06-12 11:55 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Registration

2013-06-12 11:46 - 2013-06-12 08:29 - 00000004 ____A C:\Users\Harold\AppData\Roaming\skype.ini

2013-06-12 11:46 - 2010-01-09 08:50 - 01334646 ____A C:\Windows\WindowsUpdate.log

2013-06-12 11:46 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\LogFiles

2013-06-12 11:43 - 2009-07-13 20:34 - 00020128 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-06-12 11:43 - 2009-07-13 20:34 - 00020128 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-06-12 11:36 - 2011-01-03 16:35 - 00001536 ____A C:\Windows\System32\TrueSoft.dat

2013-06-12 11:25 - 2012-08-07 12:58 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-06-12 10:57 - 2010-04-28 03:29 - 00000000 ____D C:\Users\Harold\Documents\Calibre Library

2013-06-12 10:54 - 2010-04-06 11:03 - 00000000 ____D C:\Users\Harold\AppData\Roaming\.purple

2013-06-12 10:53 - 2012-09-23 14:33 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-06-12 08:09 - 2010-12-06 17:44 - 00000000 ____D C:\Users\Harold\AppData\Roaming\Abine

2013-06-11 23:25 - 2012-04-12 04:02 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2013-06-11 23:25 - 2011-05-20 03:29 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2013-06-11 15:38 - 2010-04-28 03:26 - 00000000 ____D C:\Users\Harold\AppData\Roaming\calibre

2013-06-10 02:23 - 2011-11-21 13:30 - 00016551 ____A C:\Users\Harold\Documents\Clive Cussler Books.xlsx

2013-06-08 20:41 - 2012-09-23 14:39 - 00000000 ___SD C:\Users\Harold\Google Drive

2013-06-08 19:15 - 2013-06-08 19:15 - 00008874 ____A C:\Users\Harold\Downloads\lgeccu_billpay_history.csv

2013-06-08 15:01 - 2010-04-28 03:25 - 00000000 ____D C:\Program Files\Calibre2

2013-06-08 15:00 - 2013-02-04 18:35 - 00000930 ____A C:\Users\Public\Desktop\calibre - E-book management.lnk

2013-06-08 14:55 - 2013-06-08 14:52 - 51933696 ____A C:\Users\Harold\Downloads\calibre-0.9.34.msi

2013-06-08 14:49 - 2010-03-05 13:17 - 00000000 ____D C:\Users\Harold\AppData\Roaming\Notepad++

2013-06-08 14:43 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\System32\FxsTmp

2013-06-07 18:51 - 2013-06-07 18:07 - 903217152 ____A C:\Users\Harold\Downloads\tails-i386-0.18.iso

2013-06-06 18:04 - 2013-06-06 18:04 - 00002008 ____A C:\Users\Public\Desktop\Foxit Reader.lnk

2013-05-29 07:45 - 2010-04-16 10:03 - 00000000 ____D C:\ProgramData\Skype

2013-05-28 13:42 - 2013-05-28 13:42 - 01725320 ____A C:\Users\Harold\Downloads\DesktopUploader1.2.0.0.exe

2013-05-28 13:28 - 2010-04-16 10:04 - 00000000 ____D C:\Users\Harold\AppData\Roaming\Skype

2013-05-28 13:18 - 2012-04-24 17:14 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

2013-05-24 15:50 - 2010-01-09 05:58 - 00730592 ____A C:\Windows\System32\PerfStringBackup.INI

2013-05-23 21:39 - 2013-05-23 21:38 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-05-21 13:20 - 2013-01-14 16:57 - 00016774 ____A C:\Users\Harold\Documents\Employment Search.xlsx

2013-05-17 12:52 - 2013-05-17 12:50 - 26957289 ____A (Igor Pavlov) C:\Users\Harold\Downloads\tor-browser-2.3.25-8_en-US.exe

2013-05-17 11:07 - 2013-05-17 11:06 - 00000000 ____D C:\Users\Harold\AppData\Local\{EBF6ED97-4A84-4276-985B-34A9E488F32D}

2013-05-17 11:07 - 2010-09-30 19:28 - 00000000 ____D C:\Users\Harold\AppData\Local\Windows Live

2013-05-16 03:03 - 2010-01-09 08:47 - 00000000 ____D C:\Windows\Panther

2013-05-16 02:58 - 2013-05-15 04:53 - 00000000 ____D C:\Program Files\Mozilla Thunderbird

2013-05-15 23:44 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET

2013-05-15 23:36 - 2009-07-13 20:33 - 00443656 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-15 23:09 - 2011-01-11 12:48 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-05-15 23:03 - 2010-01-09 06:13 - 72607752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

Files to move or delete:

====================

C:\Users\Harold\PCPE Setup.exe

C:\Users\Harold\AppData\Roaming\skype.dat

C:\Users\Harold\AppData\Roaming\skype.ini

C:\Users\Harold\Application Data\skype.dat

C:\Users\Harold\Application Data\skype.ini

C:\ProgramData\ism_0_llatsni.pad

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-05-15 10:34:25

Restore point made on: 2013-05-15 23:00:40

Restore point made on: 2013-05-18 23:47:52

Restore point made on: 2013-05-22 02:46:50

Restore point made on: 2013-05-25 18:17:10

Restore point made on: 2013-05-29 08:08:22

Restore point made on: 2013-06-01 18:07:31

Restore point made on: 2013-06-05 08:10:18

Restore point made on: 2013-06-08 14:59:32

Restore point made on: 2013-06-08 18:11:00

==================== Memory info ===========================

Percentage of memory in use: 15%

Total physical RAM: 3327.24 MB

Available physical RAM: 2824.11 MB

Total Pagefile: 3323.46 MB

Available Pagefile: 2835.23 MB

Total Virtual: 2047.88 MB

Available Virtual: 1935.3 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:221.61 GB) (Free:142.43 GB) NTFS

Drive d: () (Fixed) (Total:244.14 GB) (Free:237.69 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Drive e: () (Fixed) (Total:221.61 GB) (Free:41.43 GB) NTFS

Drive h: (PENDRIVE) (Removable) (Total:3.78 GB) (Free:3.58 GB) NTFS

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Drive y: () (Fixed) (Total:244.14 GB) (Free:59.62 GB) NTFS

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows XP) (Size: 466 GB) (Disk ID: 772E772E)

Partition 1: (Active) - (Size=244 GB) - (Type=07 NTFS)

Partition 2: (Not Active) - (Size=222 GB) - (Type=OF Extended)

========================================================

Disk: 1 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 3D1C3D1B)

Partition 1: (Active) - (Size=244 GB) - (Type=07 NTFS)

Partition 2: (Not Active) - (Size=222 GB) - (Type=OF Extended)

========================================================

Disk: 2 (MBR Code: Windows 7 or 8) (Size: 4 GB) (Disk ID: C941C941)

Partition 1: (Active) - (Size=4 GB) - (Type=07 NTFS)

LastRegBack: 2012-08-02 13:55

==================== End Of Log ============================

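The line the log itself marks with `<==== ATTENTION` is the one that matters for a lock-screen infection of this kind: the per-user Winlogon `Shell` value has had `C:\Users\Harold\AppData\Roaming\skype.dat` appended after `explorer.exe`, so the payload starts alongside the desktop at every logon, which is why the machine is unusable in Normal Mode while FRST can still read the hive from the Recovery environment. The script below is an added example, not part of this thread and not FRST's own code. It parses autorun lines in the shape FRST prints them, reports Winlogon `Shell`/`Userinit` values that carry anything beyond the stock entry (Userinit is handled as the general case; the posted log only shows Shell), and lists Run entries whose target FRST marked `[x]`, taken here to mean the file was not found. The sample lines are constructed from a few entries in the posted log, and the regex for FRST's trailing `[size date] (publisher)` metadata is an assumption about its format, not something the log documents.

```python
"""Triage FRST autorun lines for Winlogon shell hijacks and orphaned Run entries."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the FRST "Registry (Whitelisted)" section posted
# in this thread; only a handful of its lines are reproduced here.
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947152 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [PCTVOICE] pctspk.exe [x]
HKLM\...\Run: [] [x]
HKU\Harold\...\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO [ 2013-03-25] (Piriform Ltd)
HKU\Harold\...\Winlogon: [shell] explorer.exe,C:\Users\Harold\AppData\Roaming\skype.dat <==== ATTENTION
Startup: C:\ProgramData\Start Menu\Programs\Startup\APC UPS Status.lnk
"""

# Stock values of the two Winlogon entries lock-screen malware most often hijacks.
# Both are comma-separated lists; anything appended runs at every logon.
DEFAULT_WINLOGON = {
    "shell": ["explorer.exe"],
    "userinit": [r"c:\windows\system32\userinit.exe"],
}

# "HKLM\...\Run: [name] command [size date] (publisher)" or "HKU\<user>\...\Winlogon: [shell] ..."
LINE_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\(?P<key>Run|RunOnce|Winlogon): "
    r"\[(?P<name>[^\]]*)\] (?P<rest>.*)$"
)
MISSING_RE = re.compile(r"(?:^|\s)\[x\]$")          # assumed: FRST's "file not found" marker
META_RE = re.compile(r"\s\[\s*\d*\s*\d{4}-\d{2}-\d{2}\]\s*(\([^)]*\))?$")  # assumed format
ATTENTION = " <==== ATTENTION"


@dataclass
class Autorun:
    hive: str
    key: str
    name: str
    command: str
    missing: bool   # target file not present on disk
    flagged: bool   # FRST appended its own ATTENTION marker


def parse_autorun_line(line):
    """Return an Autorun for a Run/RunOnce/Winlogon line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    flagged = rest.endswith(ATTENTION)
    if flagged:
        rest = rest[: -len(ATTENTION)]
    missing = bool(MISSING_RE.search(rest))
    rest = MISSING_RE.sub("", rest)
    rest = META_RE.sub("", rest)
    return Autorun(m.group("hive"), m.group("key"), m.group("name"),
                   rest.strip(), missing, flagged)


def split_shell_list(command):
    """Split a Winlogon list value; compare case-insensitively, drop the trailing comma."""
    return [p.strip().lower() for p in command.split(",") if p.strip()]


def triage(log_text):
    """Return (severity, message) findings for the autorun lines in an FRST log."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_autorun_line(line)
        if entry is None:
            continue
        if entry.key == "Winlogon" and entry.name.lower() in DEFAULT_WINLOGON:
            # Anything besides the stock entry is a logon-time hijack, whatever FRST marked.
            extra = [p for p in split_shell_list(entry.command)
                     if p not in DEFAULT_WINLOGON[entry.name.lower()]]
            if extra:
                findings.append(("high",
                                 f"{entry.hive} Winlogon {entry.name} hijacked; extra entries: {extra}"))
        elif entry.missing:
            findings.append(("low",
                             f"{entry.hive} {entry.key} [{entry.name!r}] points at a missing file: {entry.command}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Orphaned `[x]` entries are cleanup candidates rather than evidence of infection on their own (the posted log has several left behind by modem and camera software); the Winlogon finding is the one that has to be fixed, and the desktop only comes back once that value is reduced to plain `explorer.exe` and the appended file is removed.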

On the clean computer,

  • Open notepad (Start => All Programs => Accessories => Notepad). Copy the entire contents of the code box below (highlight the contents of the box, right-click on it and select Copy).
  • Right-click in the open notepad and select Paste.
  • Save it on the flashdrive as fixlist.txt

    2013-06-12 11:43 - 2009-07-13 20:34 - 00020128 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-06-12 11:43 - 2009-07-13 20:34 - 00020128 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-05-17 11:06 - 2013-05-17 11:07 - 00000000 ____D C:\Users\Harold\AppData\Local\{EBF6ED97-4A84-4276-985B-34A9E488F32D}
    HKLM\...\Run: [] [x]

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: now please enter System Recovery Options on the infected computer.

Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt); please post it in your next reply. Afterwards, are you able to boot into Normal Mode now?

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-06-2013 04

Ran by SYSTEM at 2013-06-12 20:10:24 Run:1

Running from H:\

Boot Mode: Recovery

==============================================

C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 => Moved successfully.

C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 => Moved successfully.

C:\Users\Harold\AppData\Local\{EBF6ED97-4A84-4276-985B-34A9E488F32D} => Moved successfully.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.

==== End of Fixlog ====


My bad, try it with the following fixlist script:

S3 ALSysIO; \??\C:\Users\Harold\AppData\Local\Temp\ALSysIO.sys [x]

2013-06-12 11:55 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-06-12 11:43 - 2009-07-13 20:34 - 00020128 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-06-12 11:43 - 2009-07-13 20:34 - 00020128 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-05-17 11:06 - 2013-05-17 11:07 - 00000000 ____D C:\Users\Harold\AppData\Local\{EBF6ED97-4A84-4276-985B-34A9E488F32D}

HKLM\...\Run: [] [x]

2013-06-12 11:36 - 2011-01-03 16:35 - 00001536 ____A C:\Windows\System32\TrueSoft.dat

2013-06-12 10:53 - 2012-09-23 14:33 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-06-12 11:25 - 2012-08-07 12:58 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

Save it as fixlist.txt and run it just as before


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-06-2013 04

Ran by SYSTEM at 2013-06-12 20:33:48 Run:2

Running from H:\

Boot Mode: Recovery

==============================================

ALSysIO => Service deleted successfully.

C:\Windows\Tasks\SA.DAT => Moved successfully.

C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 => Moved successfully.

C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 => Moved successfully.

C:\Users\Harold\AppData\Local\{EBF6ED97-4A84-4276-985B-34A9E488F32D} => File/Directory not found.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value not found.

C:\Windows\System32\TrueSoft.dat => Moved successfully.

==== End of Fixlog ====


I'd like to try performing a System Restore with Windows. Please familiarize yourself with the instructions for doing so here: http://pcsupport.about.com/od/fixtheproblem/ht/system-restore-windows-7.htm

The restore point I'd like you to attempt to use is dated: 2013-06-08 14:59:32

Keep me posted on how it goes


This topic is now closed to further replies.