
FBI MoneyPak Virus attack



Hello,

My windows 7, 64 bit machine has been locked up by the FBI MoneyPak virus asking for money. The machine does not even startup in 'safe mode' or 'safe mode with networking'.  I already downloaded and ran the FRST64 utility from this site and below the report for the same. I have also attached the search services file.  I would really appreciate any help that anyone can provide in resolving this issue.  Thank you in advance!

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 09-07-2013
Ran by SYSTEM on 08-07-2013 20:36:41
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2028328 2010-01-22] (Synaptics Incorporated)
HKLM\...\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [323072 2009-08-17] (AlcorMicro Co., Ltd.)
HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-02-01] (IDT, Inc.)
HKLM\...\Run: [smartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [611896 2010-01-20] ()
HKLM\...\Run: [HP Quick Launch] C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [451072 2010-01-18] (Hewlett-Packard Company)
HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2009-12-16] (Hewlett-Packard)
HKLM\...\Winlogon: [userinit] C:\Windows\system32\userinit.exe,
HKLM-x32\...\Run: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NOBuActivation.exe" UNATTENDED [3331944 2009-12-03] (Symantec Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [41208 2012-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [indexSearch] "C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe" [46368 2010-03-08] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] "C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe" [29984 2010-03-08] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDFHook] C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe [636192 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDF5 Registry Controller] C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe [62752 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [ControlCenter4] C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe /autorun [143360 2012-09-06] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [brStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN [3076096 2012-06-06] (Brother Industries, Ltd.)
HKU\Default\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [x]
HKU\Default User\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [x]
HKU\vikkapur\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [x]
HKU\vikkapur\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [5252408 2010-06-01] (Yahoo! Inc.)
HKU\vikkapur\...\Run: [iSUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [222496 2009-05-05] (Acresso Corporation)
HKU\vikkapur\...\Run: [Consumer Input Update] C:\Program Files (x86)\Consumer Input\dca-ua.exe [251824 2012-11-23] (Compete, Inc.)
HKU\vikkapur\...\Run: [Deployment] rundll32 "C:\Users\vikkapur\AppData\Local\VirtualStore\Deployment\mdidpd.dll",DllRegisterServer [1841664 2013-06-14] () <===== ATTENTION
HKU\vikkapur\...\Run: [JASC] Regsvr32.exe C:\Users\vikkapur\AppData\Local\JASC\nmtjzwlq.dll [519680 2013-06-14] (Wacom, Inc.) <===== ATTENTION
HKU\vikkapur\...\Run: [Adobe CSS5.1 Manager] C:\Users\vikkapur\AppData\Local\f6e004ab-058a-4a2d-9358-86725eac6d05ad\feabaadeacdad.exe [172544 2013-06-30] () <===== ATTENTION
HKU\vikkapur\...\RunOnce: [Adobe CSS5.1 Manager] C:\Users\vikkapur\AppData\Local\f6e004ab-058a-4a2d-9358-86725eac6d05ad\feabaadeacdad.exe [172544 2013-06-30] () <===== ATTENTION
HKU\vikkapur\...\Winlogon: [shell] C:\Users\vikkapur\AppData\Roaming\dbu32.ocx,explorer.exe <==== ATTENTION
Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\WDDMStatus.lnk
ShortcutTarget: WDDMStatus.lnk -> C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe (Western Digital Technologies, Inc.)

==================== Services (Whitelisted) =================

S2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_471277d5d45019ea\AESTSr64.exe [89600 2009-03-03] (Andrea Electronics Corporation)
S2 DefaultTabUpdate; C:\Users\vikkapur\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [107520 2013-02-03] ()
S2 DvmMDES; C:\SwSetup\QuickWeb\QW.SYS\config\DVMExportService.exe [338168 2010-03-31] (DeviceVM, Inc.)
S2 HPWMISVC; C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [20480 2010-01-18] ()
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe [126392 2009-08-24] (Symantec Corporation)
S2 NitroReaderDriverReadSpool3; C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe [230416 2012-10-30] (Nitro PDF Software)
S2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [144672 2010-03-08] (Nuance Communications, Inc.)
S2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_471277d5d45019ea\STacSV64.exe [244736 2010-02-01] (IDT, Inc.)
S2 WDFME; C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [1066896 2011-03-09] ()
S2 WDSC; C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [491920 2011-03-09] ()
S2 Browser32; c:\programdata\capisp32.exe [x]

==================== Drivers (Whitelisted) ====================

S1 DVMIO; C:\Windows\System32\DRIVERS\dvmio.sys [20056 2009-11-11] (DeviceVM, Inc.)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20090829.019\ENG64.SYS [116272 2009-08-29] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20090829.019\ENG64.SYS [116272 2009-08-29] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20090829.019\EX64.SYS [1742896 2009-08-29] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20090829.019\EX64.SYS [1742896 2009-08-29] (Symantec Corporation)
S1 SRTSP; C:\Windows\system32\drivers\NISx64\1100000.088\SRTSP64.SYS [504880 2009-08-29] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NISx64\1100000.088\SRTSPX64.SYS [32304 2009-08-29] (Symantec Corporation)
S1 lzxtybdr; \??\C:\Windows\system32\drivers\lzxtybdr.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-08 13:46 - 2013-07-08 13:46 - 00000000 ____D C:\ProgramData\ovu
2013-07-08 07:26 - 2013-07-08 07:26 - 00000000 ____D C:\Users\vikkapur\Desktop\Aarti_Manish
2013-07-07 07:03 - 2013-07-07 07:03 - 00008103 ____A C:\Users\vikkapur\.recently-used.xbel
2013-07-02 11:45 - 2013-07-04 09:21 - 00000000 ____D C:\Users\vikkapur\Desktop\Waqas_Kanwal_642Fawn
2013-06-30 13:30 - 2013-06-30 13:58 - 00000000 ____D C:\ProgramData\Recovery
2013-06-30 08:56 - 2013-06-30 10:20 - 00000004 ____A C:\Users\vikkapur\AppData\Roaming\skype.ini
2013-06-30 08:52 - 2013-07-08 13:23 - 00000338 ___AH C:\Windows\Tasks\{19A699E6-5868-4E4D-810B-2616FF6DEF30}.job
2013-06-30 08:52 - 2013-06-30 08:52 - 00000000 ____D C:\Users\vikkapur\AppData\Local\f6e004ab-058a-4a2d-9358-86725eac6d05ad
2013-06-30 08:50 - 2013-06-30 08:50 - 00000000 ____A C:\Users\vikkapur\msconfig.exe
2013-06-30 08:50 - 2013-06-30 08:50 - 00000000 ____A C:\Users\vikkapur\jucheck.exe
2013-06-29 04:58 - 2013-06-30 19:02 - 00000821 ____A C:\Users\vikkapur\Desktop\12Arthur_Inspection.txt
2013-06-26 17:23 - 2013-06-27 20:21 - 00000000 ____D C:\Users\vikkapur\Desktop\Sankar
2013-06-23 09:53 - 2013-06-25 09:32 - 00000000 ____D C:\Users\vikkapur\Desktop\Parameswari
2013-06-19 05:24 - 2013-06-30 08:50 - 00000793 ____A C:\Users\vikkapur\Desktop\Internet Security PRO.lnk
2013-06-19 05:24 - 2013-06-19 05:24 - 00459257 ____A C:\Users\vikkapur\acrobat.exe
2013-06-17 04:46 - 2013-06-08 06:08 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-17 04:46 - 2013-06-08 06:07 - 19233792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-17 04:46 - 2013-06-08 06:06 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-17 04:46 - 2013-06-08 06:06 - 02648064 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-17 04:46 - 2013-06-08 06:06 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-17 04:46 - 2013-06-08 04:28 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-17 04:46 - 2013-06-08 03:42 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-17 04:46 - 2013-06-08 03:40 - 14327808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-17 04:46 - 2013-06-08 03:40 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-17 04:46 - 2013-06-08 03:40 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-17 04:46 - 2013-06-08 03:40 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-17 04:46 - 2013-06-08 03:13 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-16 19:37 - 2013-06-16 19:37 - 00000000 ____D C:\Users\vikkapur\AppData\Roaming\wabEventSupport16
2013-06-14 10:07 - 2013-06-16 19:31 - 00000000 ____D C:\Users\vikkapur\AppData\Local\JASC
2013-06-14 04:24 - 2013-05-16 17:25 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-06-14 04:24 - 2013-05-16 17:25 - 01767936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-06-14 04:24 - 2013-05-16 17:25 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-06-14 04:24 - 2013-05-16 17:25 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-06-14 04:24 - 2013-05-16 17:25 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-06-14 04:24 - 2013-05-16 17:25 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-06-14 04:24 - 2013-05-16 17:25 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-06-14 04:24 - 2013-05-16 17:25 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-06-14 04:24 - 2013-05-16 16:59 - 02241024 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-14 04:24 - 2013-05-16 16:59 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-06-14 04:24 - 2013-05-16 16:58 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-14 04:24 - 2013-05-16 16:58 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-14 04:24 - 2013-05-16 16:58 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-14 04:24 - 2013-05-16 16:58 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-06-14 04:24 - 2013-05-16 16:58 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-06-14 04:24 - 2013-05-16 16:58 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-14 04:24 - 2013-05-16 16:58 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-06-14 04:24 - 2013-05-14 04:23 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-06-14 04:24 - 2013-05-14 00:40 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-06-12 03:59 - 2013-05-07 22:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-12 03:56 - 2013-05-09 21:49 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-12 03:56 - 2013-05-09 19:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll
2013-06-12 03:56 - 2013-04-25 21:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-12 03:56 - 2013-04-25 20:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-06-12 03:56 - 2013-04-16 23:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2013-06-12 03:56 - 2013-04-16 22:24 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-06-12 03:55 - 2013-05-12 21:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-12 03:55 - 2013-05-12 21:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-12 03:55 - 2013-05-12 21:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-12 03:55 - 2013-05-12 21:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-12 03:55 - 2013-05-12 20:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-06-12 03:55 - 2013-05-12 20:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-06-12 03:55 - 2013-05-12 20:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-06-12 03:55 - 2013-05-12 19:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-12 03:55 - 2013-05-12 19:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2013-06-12 03:55 - 2013-05-12 19:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
2013-06-12 03:55 - 2013-04-25 15:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
2013-06-12 03:55 - 2013-03-31 14:52 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2013-06-11 14:02 - 2013-06-18 19:21 - 00005305 ____A C:\Users\vikkapur\Desktop\Prius.txt

==================== One Month Modified Files and Folders =======

2013-07-08 14:33 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-08 14:33 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-08 14:32 - 2013-03-28 20:39 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-08 14:30 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-07-08 14:30 - 2009-07-13 20:51 - 00057097 ____A C:\Windows\setupact.log
2013-07-08 13:59 - 2010-09-01 17:12 - 02052353 ____A C:\Windows\WindowsUpdate.log
2013-07-08 13:46 - 2013-07-08 13:46 - 00000000 ____D C:\ProgramData\ovu
2013-07-08 13:36 - 2013-04-04 20:35 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-08 13:29 - 2013-05-03 07:00 - 00000000 ____D C:\Users\vikkapur\Desktop\Titul_65Quail
2013-07-08 13:23 - 2013-06-30 08:52 - 00000338 ___AH C:\Windows\Tasks\{19A699E6-5868-4E4D-810B-2616FF6DEF30}.job
2013-07-08 13:23 - 2013-03-28 20:39 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-08 07:26 - 2013-07-08 07:26 - 00000000 ____D C:\Users\vikkapur\Desktop\Aarti_Manish
2013-07-07 16:17 - 2012-02-21 19:52 - 00011958 ____A C:\Users\vikkapur\Desktop\TO_DO_Mar13th.txt
2013-07-07 07:03 - 2013-07-07 07:03 - 00008103 ____A C:\Users\vikkapur\.recently-used.xbel
2013-07-07 07:03 - 2013-05-26 16:19 - 00000000 ____D C:\Users\vikkapur\.gimp-2.6
2013-07-07 07:03 - 2010-09-07 19:56 - 00000000 ____D C:\users\vikkapur
2013-07-07 07:02 - 2013-05-26 16:36 - 00000000 ____D C:\Users\vikkapur\AppData\Roaming\gtk-2.0
2013-07-06 10:03 - 2013-05-06 15:06 - 00000000 ____D C:\Users\vikkapur\Desktop\ZahraJaffri_715Whitetail
2013-07-06 09:36 - 2011-12-13 07:58 - 00000880 ____A C:\Users\vikkapur\Desktop\Appointments.txt
2013-07-05 08:34 - 2013-03-20 12:32 - 00000858 ____A C:\Users\vikkapur\Desktop\Inspectors&MortgBrokers.txt
2013-07-04 09:21 - 2013-07-02 11:45 - 00000000 ____D C:\Users\vikkapur\Desktop\Waqas_Kanwal_642Fawn
2013-07-02 16:27 - 2011-04-21 16:49 - 00000000 ____D C:\Users\vikkapur\Desktop\MY FLYER
2013-07-02 11:38 - 2013-04-13 15:26 - 00000000 ____D C:\Users\vikkapur\Desktop\ShvetaSamarth
2013-06-30 19:02 - 2013-06-29 04:58 - 00000821 ____A C:\Users\vikkapur\Desktop\12Arthur_Inspection.txt
2013-06-30 16:55 - 2013-05-23 07:47 - 00000000 ____D C:\Users\vikkapur\Desktop\Mike_Cami_Winter_425LynnRose
2013-06-30 13:58 - 2013-06-30 13:30 - 00000000 ____D C:\ProgramData\Recovery
2013-06-30 13:49 - 2010-09-01 17:20 - 00028412 ____A C:\Windows\PFRO.log
2013-06-30 10:20 - 2013-06-30 08:56 - 00000004 ____A C:\Users\vikkapur\AppData\Roaming\skype.ini
2013-06-30 08:52 - 2013-06-30 08:52 - 00000000 ____D C:\Users\vikkapur\AppData\Local\f6e004ab-058a-4a2d-9358-86725eac6d05ad
2013-06-30 08:50 - 2013-06-30 08:50 - 00000000 ____A C:\Users\vikkapur\msconfig.exe
2013-06-30 08:50 - 2013-06-30 08:50 - 00000000 ____A C:\Users\vikkapur\jucheck.exe
2013-06-30 08:50 - 2013-06-19 05:24 - 00000793 ____A C:\Users\vikkapur\Desktop\Internet Security PRO.lnk
2013-06-30 06:26 - 2013-04-09 18:40 - 00000000 ____D C:\Users\vikkapur\Desktop\Manish
2013-06-28 19:26 - 2013-05-07 16:47 - 00000000 ____D C:\Users\vikkapur\Desktop\Scans
2013-06-28 09:12 - 2013-03-25 08:36 - 00000000 ____D C:\Users\vikkapur\AppData\Roaming\Nitro PDF
2013-06-27 20:21 - 2013-06-26 17:23 - 00000000 ____D C:\Users\vikkapur\Desktop\Sankar
2013-06-25 09:32 - 2013-06-23 09:53 - 00000000 ____D C:\Users\vikkapur\Desktop\Parameswari
2013-06-24 16:43 - 2013-05-26 18:04 - 00000000 ____D C:\Users\vikkapur\Desktop\Rashi_and_Vinay_Bansal
2013-06-22 19:10 - 2010-11-04 05:34 - 00000000 ____D C:\Users\vikkapur\Desktop\OFFER_and_DATES_to_REMEMBER
2013-06-21 17:34 - 2013-03-28 20:39 - 00000000 ____D C:\ProgramData\Google
2013-06-21 17:34 - 2013-03-28 20:39 - 00000000 ____D C:\Program Files\Google
2013-06-21 17:34 - 2013-03-28 20:39 - 00000000 ____D C:\Program Files (x86)\Google
2013-06-20 17:21 - 2012-03-20 13:48 - 00000000 ____D C:\Users\vikkapur\Desktop\Realtor Magazine
2013-06-20 04:17 - 2009-07-13 21:13 - 00745618 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-19 05:24 - 2013-06-19 05:24 - 00459257 ____A C:\Users\vikkapur\acrobat.exe
2013-06-18 19:21 - 2013-06-11 14:02 - 00005305 ____A C:\Users\vikkapur\Desktop\Prius.txt
2013-06-17 17:52 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-06-17 15:24 - 2013-04-21 08:37 - 00000000 ____D C:\Users\vikkapur\Desktop\Mike_Irene
2013-06-16 19:37 - 2013-06-16 19:37 - 00000000 ____D C:\Users\vikkapur\AppData\Roaming\wabEventSupport16
2013-06-16 19:31 - 2013-06-14 10:07 - 00000000 ____D C:\Users\vikkapur\AppData\Local\JASC
2013-06-14 10:07 - 2010-09-07 20:01 - 00000000 ____D C:\Users\vikkapur\AppData\Local\VirtualStore
2013-06-14 04:25 - 2010-09-13 16:38 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-06-13 17:28 - 2013-01-12 21:06 - 00000000 ____D C:\Users\vikkapur\Desktop\TinaSurendran_MangattBiju
2013-06-12 06:37 - 2013-04-04 20:35 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-06-12 06:37 - 2013-04-04 20:35 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-06-08 20:09 - 2013-06-07 08:21 - 00000000 ____D C:\Users\vikkapur\Desktop\Ashish_Pachauri_514Benson
2013-06-08 09:02 - 2012-10-20 06:32 - 00002363 ____A C:\Users\vikkapur\Desktop\GLENN_ROSE_LEADS.txt
2013-06-08 06:08 - 2013-06-17 04:46 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-08 06:07 - 2013-06-17 04:46 - 19233792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-08 06:06 - 2013-06-17 04:46 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-08 06:06 - 2013-06-17 04:46 - 02648064 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-08 06:06 - 2013-06-17 04:46 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-08 04:28 - 2013-06-17 04:46 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-08 03:42 - 2013-06-17 04:46 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-08 03:40 - 2013-06-17 04:46 - 14327808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-08 03:40 - 2013-06-17 04:46 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-08 03:40 - 2013-06-17 04:46 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-08 03:40 - 2013-06-17 04:46 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-08 03:13 - 2013-06-17 04:46 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

ZeroAccess:
C:\Users\vikkapur\AppData\Local\Temp\sbeirww\spssuch\wow.dll

ZeroAccess:
C:\Users\vikkapur\AppData\Local\Temp\sbeirww\spssuch\wow64.dll

Files to move or delete:
====================
C:\Users\vikkapur\acrobat.exe
C:\Users\vikkapur\jucheck.exe
C:\Users\vikkapur\msconfig.exe
C:\Users\vikkapur\AppData\Roaming\skype.ini
C:\Windows\Tasks\{19A699E6-5868-4E4D-810B-2616FF6DEF30}.job

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-06-11 04:37:06
Restore point made on: 2013-06-14 04:23:14
Restore point made on: 2013-06-17 04:45:56
Restore point made on: 2013-06-20 04:15:19
Restore point made on: 2013-06-25 04:26:44
Restore point made on: 2013-06-28 11:49:48
Restore point made on: 2013-06-30 10:15:28
Restore point made on: 2013-07-02 05:35:34
Restore point made on: 2013-07-02 14:54:11
Restore point made on: 2013-07-05 06:26:51

==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 3893.86 MB
Available physical RAM: 3185.2 MB
Total Pagefile: 3892.01 MB
Available Pagefile: 3182.47 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:279.33 GB) (Free:47.4 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]
Drive e: (RECOVERY) (Fixed) (Total:18.46 GB) (Free:2.68 GB) NTFS (Disk=0 Partition=3) ==>[system with boot components (obtained from reading drive)]
Drive g: (HITMANPRO) (Removable) (Total:14.91 GB) (Free:14.91 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298 GB) (Disk ID: B9FBEADB)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=279 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=18 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 15 GB) (Disk ID: C4ADD773)
Partition 1: (Active) - (Size=15 GB) - (Type=0B)

LastRegBack: 2013-07-03 11:11

==================== End Of Log ============================

FRST.txt

Search.txt

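The entries FRST marked with "<===== ATTENTION" in the log above share a few traits that a responder checks by eye: a Winlogon Shell value that is anything other than explorer.exe, rundll32/regsvr32 loading a DLL out of AppData, binaries under AppData or ProgramData with no publisher recorded, and GUID-named or vowel-less file names. The script below is an added example for this thread (not FRST's own code, and it makes no claim about how FRST itself decides what to flag) that parses lines in the FRST "Registry" format and scores them with those heuristics. The sample input is constructed from lines copied out of the log above, plus two benign entries for contrast.

```python
"""Triage heuristics for autostart entries in the "Registry" section of an FRST.txt.

Added example for this thread, not FRST's own code: it does not claim to reproduce
how FRST decides to print "<===== ATTENTION". It encodes the checks a responder
applies by eye to a log like the one above: a Winlogon Shell value other than
explorer.exe, rundll32/regsvr32 pulling a DLL from a user-writable folder, binaries
with no publisher under AppData/ProgramData, and GUID or random-looking names.
"""
import re

# Constructed sample: entries 1-5 are copied from the FRST log posted above;
# entries 6-7 are benign ones from the same log, kept for contrast.
SAMPLE_LINES = [
    r'HKU\vikkapur\...\Run: [Deployment] rundll32 "C:\Users\vikkapur\AppData\Local\VirtualStore\Deployment\mdidpd.dll",DllRegisterServer [1841664 2013-06-14] () <===== ATTENTION',
    r'HKU\vikkapur\...\Run: [JASC] Regsvr32.exe C:\Users\vikkapur\AppData\Local\JASC\nmtjzwlq.dll [519680 2013-06-14] (Wacom, Inc.) <===== ATTENTION',
    r'HKU\vikkapur\...\RunOnce: [Adobe CSS5.1 Manager] C:\Users\vikkapur\AppData\Local\f6e004ab-058a-4a2d-9358-86725eac6d05ad\feabaadeacdad.exe [172544 2013-06-30] () <===== ATTENTION',
    r'HKU\vikkapur\...\Winlogon: [shell] C:\Users\vikkapur\AppData\Roaming\dbu32.ocx,explorer.exe <==== ATTENTION',
    r'HKLM-x32\...\Run: []  [x]',
    r'HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-02-01] (IDT, Inc.)',
    r'HKU\vikkapur\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [5252408 2010-06-01] (Yahoo! Inc.)',
]

# hive\...\Key: [name] command [size date] (vendor) <===== ATTENTION   (trailing parts optional)
LINE_RE = re.compile(
    r"^(?P<hive>HKLM(?:-x32)?|HKU\\[^\\]+)\\\.\.\.\\(?P<key>Run|RunOnce|Winlogon): "
    r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*?)"
    r"(?:\s*\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"\s*(?:\((?P<vendor>[^)]*)\))?\s*(?P<flag><=+ ATTENTION)?\s*$"
)
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys|cpl|scr|com|bat|cmd)\b", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp|VirtualStore)\\", re.I)
GUID_DIR = re.compile(r"\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12,}", re.I)
LOADER = re.compile(r'^"?(?:rundll32|regsvr32)(?:\.exe)?\b', re.I)

FLAGGED = "flagged by FRST (<===== ATTENTION)"
HIJACK = "Winlogon Shell value is not explorer.exe"
ORPHAN = "orphaned entry: target file missing ([x])"
USERDIR = "binary lives in a user-writable folder"
NOVENDOR = "no publisher recorded for a binary in a user-writable folder"
LOADERDLL = "DLL loaded via rundll32/regsvr32 from a user-writable folder"
GUIDDIR = "GUID-named folder in the path"
RANDOM = "random-looking file name (no vowels)"
HIGH = {FLAGGED, HIJACK, NOVENDOR, LOADERDLL}


def parse_autostart(line):
    """Split one FRST Run/RunOnce/Winlogon line into its fields; None if not such a line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"]) if entry["size"] else None
    entry["flag"] = entry["flag"] is not None   # vendor stays "" for "()" and None if absent
    return entry


def severity_of(reasons):
    if not reasons:
        return "low"
    if any(r in HIGH for r in reasons):
        return "high"
    if reasons == [ORPHAN]:
        return "info"
    return "medium"


def assess(entry):
    """Apply the heuristics to one parsed entry and return a finding dict."""
    cmd = entry["cmd"].strip()
    reasons = []
    if entry["flag"]:
        reasons.append(FLAGGED)
    if entry["key"] == "Winlogon" and entry["name"].lower() == "shell" and cmd.lower() != "explorer.exe":
        reasons.append(HIJACK)
    if cmd == "[x]":
        reasons.append(ORPHAN)
    m = PATH_RE.search(cmd)
    if m:
        path = m.group(0)
        if USER_WRITABLE.search(path):
            reasons.append(USERDIR)
            if not entry["vendor"]:
                reasons.append(NOVENDOR)
            if LOADER.match(cmd):
                reasons.append(LOADERDLL)
        if GUID_DIR.search(path):
            reasons.append(GUIDDIR)
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if len(stem) >= 5 and not re.search(r"[aeiou]", stem, re.I):
            reasons.append(RANDOM)
    return {"name": entry["name"], "key": entry["key"], "severity": severity_of(reasons), "reasons": reasons}


def triage(lines):
    """Parse every autostart line in `lines` and return one finding per entry."""
    return [assess(e) for e in map(parse_autostart, lines) if e]


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['severity']:<6} {f['key']:<8} [{f['name']}] {'; '.join(f['reasons']) or '-'}")
```

Run against the sample, the four entries FRST flagged come out "high", the empty `[x]` value is "info" (stale, harmless on its own) and the two vendor-signed Program Files entries stay "low". The heuristics are deliberately noisy in the medium band: a legitimate updater living in ProgramData will be marked "binary lives in a user-writable folder", which is the prompt to check its publisher and hash, not a verdict.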

Hello vikk and welcome to Malwarebytes!

Please do the following:

  • Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below (to do this, highlight the contents of the box, right-click on it and select Copy).
  • Right-click in the open notepad and select Paste.
  • Save it on the flashdrive as fixlist.txt

HKLM-x32\...\Run: [] [x]
HKU\vikkapur\...\Run: [Deployment] rundll32 "C:\Users\vikkapur\AppData\Local\VirtualStore\Deployment\mdidpd.dll",DllRegisterServer [1841664 2013-06-14] () <===== ATTENTION
HKU\vikkapur\...\Run: [JASC] Regsvr32.exe C:\Users\vikkapur\AppData\Local\JASC\nmtjzwlq.dll [519680 2013-06-14] (Wacom, Inc.) <===== ATTENTION
HKU\vikkapur\...\Run: [Adobe CSS5.1 Manager] C:\Users\vikkapur\AppData\Local\f6e004ab-058a-4a2d-9358-86725eac6d05ad\feabaadeacdad.exe [172544 2013-06-30] () <===== ATTENTION
HKU\vikkapur\...\RunOnce: [Adobe CSS5.1 Manager] C:\Users\vikkapur\AppData\Local\f6e004ab-058a-4a2d-9358-86725eac6d05ad\feabaadeacdad.exe [172544 2013-06-30] () <===== ATTENTION
HKU\vikkapur\...\Winlogon: [shell] C:\Users\vikkapur\AppData\Roaming\dbu32.ocx,explorer.exe <==== ATTENTION
S1 lzxtybdr; \??\C:\Windows\system32\drivers\lzxtybdr.sys [x]
2013-07-08 14:32 - 2013-03-28 20:39 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-08 14:30 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-07-08 13:36 - 2013-04-04 20:35 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-08 13:23 - 2013-06-30 08:52 - 00000338 ___AH C:\Windows\Tasks\{19A699E6-5868-4E4D-810B-2616FF6DEF30}.job
C:\Users\vikkapur\acrobat.exe
C:\Users\vikkapur\jucheck.exe
C:\Users\vikkapur\msconfig.exe
C:\Users\vikkapur\AppData\Roaming\skype.ini
C:\Windows\Tasks\{19A699E6-5868-4E4D-810B-2616FF6DEF30}.job
C:\Users\vikkapur\AppData\Local\Temp\sbeirww\spssuch\wow64.dll
C:\Users\vikkapur\AppData\Local\Temp\sbeirww\spssuch\wow.dll

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options.

Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt); please post it in your next reply.

After that, are you able to boot into normal mode? Let me know when you can, as we have more malware to remove.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note:

Please make sure you are subscribed to this topic: Click on the "Follow This Topic" button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly".

 

-------> Your topic will be closed if you haven't replied within 3 days! <--------

(If I don't respond within 24 hours, please send me a PM)

-DFB


Thanks DFB.

It seems it worked since I can now boot in normal mode.

Please see below the fixlog.txt file.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-07-2013
Ran by SYSTEM at 2013-07-08 23:18:41 Run:2
Running from G:\
Boot Mode: Recovery
==============================================

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKU\vikkapur\Software\Microsoft\Windows\CurrentVersion\Run\\Deployment] rundll32 "C:\Users\vikkapur\AppData\Local\VirtualStore\Deployment\mdidpd.dll",DllRegisterServer [1841664 2013-06-14 => Value not found.
HKU\vikkapur\Software\Microsoft\Windows\CurrentVersion\Run\\JASC] Regsvr32.exe C:\Users\vikkapur\AppData\Local\JASC\nmtjzwlq.dll [519680 2013-06-14 => Value not found.
HKU\vikkapur\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe CSS5.1 Manager] C:\Users\vikkapur\AppData\Local\f6e004ab-058a-4a2d-9358-86725eac6d05ad\feabaadeacdad.exe [172544 2013-06-30 => Value not found.
HKU\vikkapur\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Adobe CSS5.1 Manager] C:\Users\vikkapur\AppData\Local\f6e004ab-058a-4a2d-9358-86725eac6d05ad\feabaadeacdad.exe [172544 2013-06-30 => Value not found.
HKU\vikkapur\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
lzxtybdr => Service deleted successfully.
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => Moved successfully.
C:\Windows\Tasks\SA.DAT => Moved successfully.
C:\Windows\Tasks\Adobe Flash Player Updater.job => Moved successfully.
C:\Windows\Tasks\{19A699E6-5868-4E4D-810B-2616FF6DEF30}.job => Moved successfully.
C:\Users\vikkapur\acrobat.exe => Moved successfully.
C:\Users\vikkapur\jucheck.exe => Moved successfully.
C:\Users\vikkapur\msconfig.exe => Moved successfully.
C:\Users\vikkapur\AppData\Roaming\skype.ini => Moved successfully.
"C:\Windows\Tasks\{19A699E6-5868-4E4D-810B-2616FF6DEF30}.job" => File/Directory not found.
C:\Users\vikkapur\AppData\Local\Temp\sbeirww\spssuch\wow64.dll => Moved successfully.
C:\Users\vikkapur\AppData\Local\Temp\sbeirww\spssuch\wow.dll => Moved successfully.

==== End of Fixlog ====

 

Thanks again for your help!


Glad to hear you can boot.  Let's start getting rid of the rest of it:

----------Step 1----------------
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will be shown in the Scan results - Select action for found objects window, which offers three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, choose Skip instead; do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

----------Step 2----------------
Please download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

----------Step 3----------------
Please download ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.


NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


----------Step 4----------------
Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 5----------------
In your next reply, please include the following:

  • TDSSKiller's logfile
  • MBAR mbar-log.txt and system-log.txt
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt

After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)


Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

