Logs for MrC (FBI Virus)


Hi Charlie,

 

Here is the text you requested. As I stated earlier, it's the FBI MoneyPak virus. Thank you for your help.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-06-2013 01
Ran by SYSTEM on 24-06-2013 22:44:40
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: []  [x]
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10144288 2010-04-06] (Realtek Semiconductor)
HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2107176 2010-03-11] (Synaptics Incorporated)
HKLM\...\Run: [intelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1928976 2010-03-05] (Intel® Corporation)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [505768 2010-06-29] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [915320 2010-05-10] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1504608 2010-04-23] (TOSHIBA Corporation)
HKLM\...\Run: [ThpSrv] C:\windows\system32\thpsrv /logon [x]
HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [705432 2010-05-10] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [DLBTCATS] rundll32 C:\windows\system32\spool\DRIVERS\x64\3\DLBTtime.dll,RunDLLEntry [28672 2007-02-12] ()
HKLM\...\Run: [dlbtmon.exe] "C:\Program Files (x86)\Dell Photo AIO Printer 922\dlbtmon.exe" [431600 2007-02-28] (Lexmark International, Inc.)
HKLM\...\RunOnce: [*Restore] C:\windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM\...\Winlogon: [shell]  [x ] () <=== ATTENTION
HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2596984 2012-07-31] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKU\Chris\...\Run: [Google Update] "C:\Users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-04-06] (Google Inc.)
HKU\Chris\...\Run: [RESTART_STICKY_NOTES] C:\windows\system32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\Chris\...\Policies\system: [DisableChangePassword] 0
HKU\Chris\...\Policies\system: [DisableLockWorkstation] 0
HKU\Chris\...\Winlogon: [shell] explorer.exe,C:\Users\Chris\AppData\Roaming\skype.dat [81408 2011-11-16] () <==== ATTENTION 
HKU\Chris\...\Command Processor: "C:\Users\Chris\AppData\Local\aezzmpqgpiy.exe" <===== ATTENTION!
BootExecute: autocheck autochk * C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart
 
==================== Services (Whitelisted) =================
 
S2 ADExchange; C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe [43112 2012-02-15] (ArcSoft Inc.)
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [5167736 2012-08-13] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
S2 dlbt_device; C:\windows\system32\dlbtcoms.exe [567280 2007-02-28] ( )
S2 hasplms; C:\windows\system32\hasplms.exe [4889032 2011-12-30] (SafeNet Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-05] ()
S3 w7Svc; C:\Program Files (x86)\webcam 7\wService.exe [5094200 2012-03-26] (Moonware Studios)
 
==================== Drivers (Whitelisted) ====================
 
S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [124496 2011-12-23] (AVG Technologies CZ, s.r.o. )
S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [291680 2012-07-26] (AVG Technologies CZ, s.r.o.)
S1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [384352 2012-08-24] (AVG Technologies CZ, s.r.o.)
S3 camdrv42; C:\Windows\System32\DRIVERS\camdrv42.sys [1533952 2007-04-23] ()
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-05-19] (DT Soft Ltd)
S2 hardlock; C:\windows\system32\drivers\hardlock.sys [321536 2011-09-28] (SafeNet Inc.)
S3 Sockblkd; C:\Program Files\Extegrity\Exam4\Sockblkd.sys [6784 2011-09-27] (DataWizard Technologies, Inc.)
S3 Sockblkd; C:\Program Files\Extegrity\Exam4\Sockblkd.sys [6784 2011-09-27] (DataWizard Technologies, Inc.)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-06-24 22:44 - 2013-06-24 22:44 - 00000000 ____D C:\FRST
 
==================== One Month Modified Files and Folders =======
 
2013-06-24 22:44 - 2013-06-24 22:44 - 00000000 ____D C:\FRST
2013-06-24 22:07 - 2012-04-10 20:40 - 00000000 ____D C:\Users\Chris\AppData\Roaming\vlc
2013-06-24 22:07 - 2012-04-07 10:25 - 00000000 ____D C:\Users\Chris\AppData\Roaming\uTorrent
2013-06-24 22:07 - 2012-04-07 00:09 - 00000000 ____D C:\Windows\System32\Drivers\AVG
2013-06-24 22:07 - 2012-04-06 16:01 - 00000000 ____D C:\users\Chris
2013-06-24 22:07 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-06-24 22:06 - 2012-08-20 19:27 - 00000000 ____D C:\Program Files\Dl_cats
2013-06-24 22:06 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-06-24 22:05 - 2012-04-24 14:10 - 00000000 ____D C:\Windows\System32\Macromed
2013-06-24 22:05 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
 
Files to move or delete:
====================
C:\ProgramData\lsass.exe
C:\Users\Chris\AppData\Roaming\skype.dat
C:\Users\Chris\AppData\Roaming\skype.ini
C:\ProgramData\23lldnur.pad
C:\ProgramData\dsgsdgdsgdsgw.pad
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2012-12-04 21:05:48
Restore point made on: 2012-12-11 23:39:41
Restore point made on: 2012-12-16 23:30:35
 
==================== Memory info =========================== 
 
Percentage of memory in use: 15%
Total physical RAM: 3824.43 MB
Available physical RAM: 3242.43 MB
Total Pagefile: 3822.57 MB
Available Pagefile: 3220.99 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB
 
==================== Drives ================================
 
Drive c: (TI105967W0B) (Fixed) (Total:454.39 GB) (Free:61.06 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]
Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)]
Drive f: () (Removable) (Total:0.94 GB) (Free:0.93 GB) FAT (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: 3400B8E8)
Partition 1: (Active) - (Size=1 GB) - (Type=27)
Partition 2: (Not Active) - (Size=454 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=10 GB) - (Type=17)
 
========================================================
Disk: 1 (Size: 966 MB) (Disk ID: B422EBC8)
Partition 1: (Not Active) - (Size=966 MB) - (Type=06)
 
 
LastRegBack: 2012-12-05 20:19
 
==================== End Of Log ============================

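As an added example (not part of this thread, and not FRST's own code), here is a small Python triage pass over the Registry section of the FRST log above. It re-derives FRST's ATTENTION marks on its own: a Winlogon Shell value that is anything other than explorer.exe, any Command Processor AutoRun value, stale entries whose file is missing ([x]), and binaries with no publisher sitting under user-writable paths. The line-format rules are my reading of the log as shown on this page; the sample lines are copied from it.

```python
import re

# Constructed sample: registry-section lines copied from the FRST log above.
SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10144288 2010-04-06] (Realtek Semiconductor)
HKLM\...\Run: [ThpSrv] C:\windows\system32\thpsrv /logon [x]
HKLM\...\Winlogon: [shell]  [x ] () <=== ATTENTION
HKU\Chris\...\Winlogon: [shell] explorer.exe,C:\Users\Chris\AppData\Roaming\skype.dat [81408 2011-11-16] () <==== ATTENTION
HKU\Chris\...\Command Processor: "C:\Users\Chris\AppData\Local\aezzmpqgpiy.exe" <===== ATTENTION!
HKU\Chris\...\Run: [Google Update] "C:\Users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-04-06] (Google Inc.)
"""

LINE_RE = re.compile(r'^(HK[A-Z]+(?:-x32)?(?:\\[^\\]+)?)\\\.\.\.\\([^:]+): (.*)$')
ATTN_RE = re.compile(r'\s*<=+\s*ATTENTION!?\s*$')          # FRST's own marker, re-derived below
NAME_RE = re.compile(r'^\[([^\]]*)\]\s*(.*)$')              # "[ValueName] data"
PUB_RE = re.compile(r'\(([^()]*)\)\s*$')                    # trailing "(Publisher)"
TAIL_RE = re.compile(r'\s*\[[^\]]*\]\s*(\([^()]*\))?\s*$')  # " [size date] (pub)" or " [x]"
USER_WRITABLE = ('\\appdata\\', '\\programdata\\', '\\temp\\')

def triage_line(line):
    """Return [(value, reason)] findings for one FRST registry line, or []."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    hive, key, rest = m.groups()
    rest = ATTN_RE.sub('', rest)
    name, nm = '', NAME_RE.match(rest)
    if nm:
        name, rest = nm.groups()
    pub = PUB_RE.search(rest)
    publisher = pub.group(1).strip() if pub else ''
    if key == 'Winlogon' and name.lower() == 'shell':
        # Only explorer.exe belongs here: "explorer.exe,<path>" starts <path> alongside
        # the desktop, and an empty HKLM value means the entry was cleared.
        value = TAIL_RE.sub('', rest).strip()
        if value.lower() == 'explorer.exe':
            return []
        return [(hive + ' Shell', f'Winlogon Shell is "{value}" instead of explorer.exe')]
    if key == 'Command Processor':
        # AutoRun executes its data every time cmd.exe starts; legitimate use is rare.
        return [(hive + ' AutoRun', 'Command Processor AutoRun set to ' + rest.strip())]
    if re.search(r'\[x\]\s*$', rest):
        return [(name, 'referenced file not found')]
    if any(d in rest.lower() for d in USER_WRITABLE) and not publisher:
        return [(name, 'unpublished binary in a user-writable location')]
    return []

def triage(log_text):
    # Collect findings over every line of an FRST log, in log order.
    return [f for line in log_text.splitlines() for f in triage_line(line)]
```

Calling triage(SAMPLE_LOG) returns four findings: the stale ThpSrv entry, both Winlogon Shell values, and the Command Processor AutoRun; the Google Update entry under AppData is not flagged because it carries a publisher.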

OK, here you go... this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: now please enter System Recovery Options (as you did before).

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now, and if so...

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC


Well done, let's run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
