HomeLand security/FBI Moneypak virus


goodbar

Hello - I have this Homeland Security / FBI Moneypak virus and it won't let me boot to safe mode.  I saw on other forums that you requested a Farbar log, so I was able to follow those steps and supply the below log.  Are you able to help me clean up this computer?

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-09-2013
Ran by SYSTEM on MINWINPC on 24-09-2013 20:03:35
Running from D:\
Windows Vista Home Premium (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [avast] - C:\Program Files\AVAST Software\Avast\avastUI.exe [4297136 2012-10-30] (AVAST Software)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-09-27] (Apple Inc.)
HKLM\...\Run: [RegWork] - C:\Program Files\RegWork\RegWork.exe
HKLM\...\Run: [] - [x]
HKLM\...\Run: [ApnUpdater] - C:\Program Files\Ask.com\Updater\Updater.exe [1646216 2013-01-24] (Ask)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Runonce: [AvgUninstallURL] - cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNzQ1ODYyNzA3LVQxNi1LVjMrNy1CQSsxLVhMKzEtRlA5KzYtVEI5KzItRkwrOS1GMTBNKzUtUUlYMSs0LVgyMDEwKzItRjEwTTEwRCsyLUxJQys3LUZMMTArMS1TUDErMS1UVUcrMy1TUDFTMisxLVNVRCsxLVNUMTJGT0krMS1ERFQrMC1FVUxBKzEtU1QxMkZBUFArMQ"&"prod=90"&"ver=2012.0.1809"&"mid=edb25a48c3b0ad4250e3220dfcf3eb28-e9f8851e23746e64914e03e9f46496ac9f613789
HKU\Cynthia\...\Run: [Facebook Update] - C:\Users\Cynthia\AppData\Local\Facebook\Update\FacebookUpdate.exe [ 2012-07-11] (Facebook Inc.)
HKU\Cynthia\...\Run: [GarminExpressTrayApp] - C:\Program Files\Garmin\Express Tray\ExpressTray.exe [ 2013-03-27] (Garmin Ltd or its subsidiaries)
HKU\Cynthia\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [ 2008-01-18] (Microsoft Corporation)
HKU\Default\...\Run: [TOSCDSPD] - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [ 2007-01-22] (TOSHIBA)
HKU\Default\...\Run: [EasyLinkAdvisor] - C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe [ 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)
HKU\Default User\...\Run: [TOSCDSPD] - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [ 2007-01-22] (TOSHIBA)
HKU\Default User\...\Run: [EasyLinkAdvisor] - C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe [ 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)
HKU\Guest\...\Run: [TOSCDSPD] - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [ 2007-01-22] (TOSHIBA)
HKU\Guest\...\Run: [EasyLinkAdvisor] - C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe [ 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)
HKU\Guest\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [ 2008-01-18] (Microsoft Corporation)
HKU\Guest\...\Run: [MyWebSearch Email Plugin] - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
HKU\Guest\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [ 2008-01-18] (Microsoft Corporation)
HKU\Guest\...\Run: [swg] - "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
HKU\Guest\...\RunOnce: [AVG Security Toolbar_updatecleanup] - "C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe" /CLEANUP
HKU\Guest\...\RunOnce: [spchecker] - "C:\Program Files\AVG\AVG10\Notification\SPCheckerTE.exe"
Startup: C:\Users\Cynthia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4vrj4wld.lnk
ShortcutTarget: 4vrj4wld.lnk -> C:\PROGRA~2\dlw4jrv4.plz ()
 
========================== Services (Whitelisted) =================
 
S4 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [44808 2012-10-30] (AVAST Software)
S2 Garmin Core Update Service; C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [185688 2013-03-27] (Garmin Ltd or its subsidiaries)
S4 pinger; C:\TOSHIBA\IVP\ISM\pinger.exe [136816 2007-01-25] ()
S4 Swupdtmr; c:\TOSHIBA\IVP\swupdate\swupdtmr.exe [63096 2007-01-25] ()
S4 TNaviSrv; C:\Program Files\Toshiba\TOSHIBA HD DVD PLAYER\TNaviSrv.exe [77824 2007-06-15] (TOSHIBA Corporation)
S4 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)
S2 Winmgmt; C:\PROGRA~2\dlw4jrv4.plz [155648 2013-09-24] ()
 
==================== Drivers (Whitelisted) ====================
 
S2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [21256 2012-10-30] (AVAST Software)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [58680 2012-10-30] (AVAST Software)
S1 aswRdr; C:\Windows\System32\Drivers\aswRdr.sys [35928 2012-10-30] (AVAST Software)
S1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [738504 2012-10-30] (AVAST Software)
S1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [361032 2012-10-30] (AVAST Software)
S1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [54232 2012-10-30] (AVAST Software)
S1 BRCMDECO; C:\Windows\System32\DRIVERS\BRCMHD32.sys [70528 2007-07-13] (Broadcom Corporation)
S0 CLFS; C:\Windows\System32\CLFS.sys [245736 2009-04-10] (Microsoft Corporation)
S2 elagopro; C:\Windows\System32\DRIVERS\elagopro.sys [28672 2007-03-22] (Gteko Ltd.)
S2 elaunidr; C:\Windows\System32\DRIVERS\elaunidr.sys [5376 2007-03-22] (Gteko Ltd.)
S0 LPCFilter; C:\Windows\System32\DRIVERS\LPCFilter.sys [19456 2006-07-28] (COMPAL ELECTRONIC INC.)
S2 MCSTRM; C:\Windows\System32\Drivers\MCSTRM.sys [8413 2008-05-07] (RealNetworks, Inc.)
S3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [14736 2009-05-08] (Microsoft Corporation)
S3 UVCFTR; C:\Windows\System32\Drivers\UVCFTR_S.SYS [11776 2007-04-16] (Chicony Electronics Co., Ltd.)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 Tosrfcom; No ImagePath
S3 TpChoice; system32\DRIVERS\TpChoice.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-09-24 20:03 - 2013-09-24 20:03 - 00000000 ____D C:\FRST
2013-09-24 03:53 - 2013-09-24 03:53 - 00143280 _____ C:\Windows\Minidump\Mini092413-01.dmp
2013-09-24 03:03 - 2013-09-24 03:03 - 00016181 ____T C:\ProgramData\va3.exe
2013-09-24 02:55 - 2013-09-24 16:50 - 00000000 _____ C:\ProgramData\4vrj4wld.ctrl
2013-09-24 02:55 - 2013-09-24 15:34 - 95025368 ____T C:\ProgramData\4vrj4wld.pff
2013-09-24 02:55 - 2013-09-24 02:55 - 00155648 _____ C:\ProgramData\dlw4jrv4.plz
2013-09-14 16:06 - 2013-07-31 02:30 - 12335104 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-09-14 16:06 - 2013-07-31 02:05 - 09738752 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-09-14 16:06 - 2013-07-31 02:00 - 01800704 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-09-14 16:06 - 2013-07-31 01:53 - 01104896 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-09-14 16:06 - 2013-07-31 01:52 - 01427968 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-09-14 16:06 - 2013-07-31 01:52 - 01129472 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-09-14 16:06 - 2013-07-31 01:51 - 00231936 _____ (Microsoft Corporation) C:\Windows\System32\url.dll
2013-09-14 16:06 - 2013-07-31 01:49 - 00065024 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-09-14 16:06 - 2013-07-31 01:48 - 00717824 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-09-14 16:06 - 2013-07-31 01:48 - 00420864 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-09-14 16:06 - 2013-07-31 01:48 - 00142848 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-09-14 16:06 - 2013-07-31 01:47 - 00607744 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-09-14 16:06 - 2013-07-31 01:46 - 01796096 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-09-14 16:06 - 2013-07-31 01:45 - 02382848 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-09-14 16:06 - 2013-07-31 01:45 - 00073216 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-09-14 16:06 - 2013-07-31 01:42 - 00176640 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-09-12 02:10 - 2013-08-07 17:45 - 02049536 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-09-12 02:10 - 2013-07-15 20:35 - 00615936 _____ (Microsoft Corporation) C:\Windows\System32\themeui.dll
2013-08-29 09:18 - 2013-08-01 20:09 - 01548288 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
 
==================== One Month Modified Files and Folders =======
 
2013-09-24 20:03 - 2013-09-24 20:03 - 00000000 ____D C:\FRST
2013-09-24 16:58 - 2007-12-27 10:40 - 01336161 _____ C:\Windows\WindowsUpdate.log
2013-09-24 16:58 - 2006-11-02 04:47 - 00003568 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-24 16:58 - 2006-11-02 04:47 - 00003568 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-24 16:50 - 2013-09-24 02:55 - 00000000 _____ C:\ProgramData\4vrj4wld.ctrl
2013-09-24 15:34 - 2013-09-24 02:55 - 95025368 ____T C:\ProgramData\4vrj4wld.pff
2013-09-24 03:53 - 2013-09-24 03:53 - 00143280 _____ C:\Windows\Minidump\Mini092413-01.dmp
2013-09-24 03:53 - 2011-10-04 11:39 - 00000000 ____D C:\Windows\Minidump
2013-09-24 03:53 - 2011-10-04 11:38 - 277138536 _____ C:\Windows\MEMORY.DMP
2013-09-24 03:03 - 2013-09-24 03:03 - 00016181 ____T C:\ProgramData\va3.exe
2013-09-24 02:55 - 2013-09-24 02:55 - 00155648 _____ C:\ProgramData\dlw4jrv4.plz
2013-09-20 22:05 - 2012-07-13 07:14 - 00001982 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-09-20 09:01 - 2012-05-07 10:33 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-09-20 09:01 - 2011-05-14 16:11 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-09-14 20:21 - 2006-11-02 04:47 - 00403592 _____ C:\Windows\System32\FNTCACHE.DAT
2013-09-14 16:09 - 2007-12-27 10:50 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-09-14 16:01 - 2013-08-16 08:39 - 00000000 ____D C:\Windows\System32\MRT
2013-09-14 15:57 - 2006-11-02 02:24 - 76725432 _____ (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-09-14 15:54 - 2012-11-29 08:05 - 00000000 ____D C:\Program Files\Common Files\Adobe
2013-08-30 06:53 - 2012-04-21 08:53 - 00000000 ____D C:\Users\Cynthia\Documents\My Scans
 
Files to move or delete:
====================
C:\Users\Cynthia\AppData\Roaming\desktop.ini
C:\ProgramData\4vrj4wld.ctrl
C:\ProgramData\4vrj4wld.pff
C:\ProgramData\dlw4jrv4.plz
C:\ProgramData\PKP_DLdu.DAT
C:\ProgramData\PKP_DLes.DAT
C:\ProgramData\PKP_DLet.DAT
C:\ProgramData\PKP_DLev.DAT
C:\ProgramData\va3.exe
 
 
Some content of TEMP:
====================
C:\Users\Cynthia\AppData\Local\Temp\0.5863474924875889.exe
C:\Users\Cynthia\AppData\Local\Temp\0.7481529780457172.exe
C:\Users\Cynthia\AppData\Local\Temp\lignpyhpojttaxdrcet.exe
C:\Users\Cynthia\AppData\Local\Temp\nscF983.tmp.tbWise.dll
C:\Users\Cynthia\AppData\Local\Temp\nswDDA9.tmp.tbWise.dll
C:\Users\Cynthia\AppData\Local\Temp\setup.exe
C:\Users\Cynthia\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Cynthia\AppData\Local\Temp\tmp31A7.exe
C:\Users\Cynthia\AppData\Local\Temp\tmp88C7.exe
 
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-09-09 23:02:52
Restore point made on: 2013-09-10 21:00:38
Restore point made on: 2013-09-11 21:00:28
Restore point made on: 2013-09-12 21:00:35
Restore point made on: 2013-09-13 21:46:16
Restore point made on: 2013-09-14 15:56:53
Restore point made on: 2013-09-15 21:00:29
Restore point made on: 2013-09-16 21:00:31
Restore point made on: 2013-09-17 21:00:31
Restore point made on: 2013-09-18 21:00:36
Restore point made on: 2013-09-19 21:00:36
Restore point made on: 2013-09-19 22:56:20
Restore point made on: 2013-09-20 21:00:36
Restore point made on: 2013-09-21 21:00:31
Restore point made on: 2013-09-22 21:00:28
Restore point made on: 2013-09-23 21:00:33
Restore point made on: 2013-09-23 22:56:14
 
==================== Memory info =========================== 
 
Percentage of memory in use: 19%
Total physical RAM: 2037.81 MB
Available physical RAM: 1649.03 MB
Total Pagefile: 1866.29 MB
Available Pagefile: 1720.3 MB
Total Virtual: 2047.88 MB
Available Virtual: 1975.72 MB
 
==================== Drives ================================
 
Drive c: (SQ008691V02) (Fixed) (Total:184.84 GB) (Free:110.91 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Sep 24 2013) (CDROM) (Total:0.69 GB) (Free:0.66 GB) UDF
Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.32 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 186 GB) (Disk ID: E7A78905)
Partition 1: (Not Active) - (Size=1 GB) - (Type=27)
Partition 2: (Active) - (Size=185 GB) - (Type=07 NTFS)
 
 
LastRegBack: 2013-09-24 16:57
 
==================== End Of Log ============================
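The two entries in this log that give the infection away are the `Winmgmt` service whose image is `C:\PROGRA~2\dlw4jrv4.plz` with no publisher, and the Startup shortcut `4vrj4wld.lnk` pointing at the same file. As an added example (not part of the thread and not FRST's own code), the script below applies that reading to FRST-style autostart lines; the built-in service allowlist and the reading of `PROGRA~2` as the 8.3 alias of `C:\ProgramData` are assumptions, and the sample lines are constructed after the log above.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines modelled on the FRST log quoted above.
SAMPLE_LOG = r"""
HKLM\...\Run: [avast] - C:\Program Files\AVAST Software\Avast\avastUI.exe [4297136 2012-10-30] (AVAST Software)
HKLM\...\Run: [RegWork] - C:\Program Files\RegWork\RegWork.exe
ShortcutTarget: 4vrj4wld.lnk -> C:\PROGRA~2\dlw4jrv4.plz ()
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [44808 2012-10-30] (AVAST Software)
S2 Winmgmt; C:\PROGRA~2\dlw4jrv4.plz [155648 2013-09-24] ()
S4 pinger; C:\TOSHIBA\IVP\ISM\pinger.exe [136816 2007-01-25] ()
"""

# Optional "[size date]" then optional "(Publisher)" that FRST appends to autostart lines.
TRAILER = r"(?:\s\[\d*\s[\d-]+\])?(?:\s\((?P<pub>[^)]*)\))?$"
PATTERNS = {
    "run": re.compile(r"^HK.*?\\Run(?:Once)?: \[(?P<name>[^\]]*)\] - (?P<path>.+?)" + TRAILER, re.I),
    "service": re.compile(r"^S\d (?P<name>[^;]+); (?P<path>.+?)" + TRAILER),
    "shortcut": re.compile(r"^ShortcutTarget: (?P<name>\S+) -> (?P<path>.+?)" + TRAILER),
}
# Constructed allowlist of built-in service names; the real Winmgmt is svchost-hosted under System32.
SYSTEM_SERVICES = {"winmgmt"}
BINARY_EXTS = {".exe", ".dll", ".sys"}

def in_program_data(path):
    # Assumption: PROGRA~2 is the 8.3 alias of C:\ProgramData here (the log's own
    # "Files to move or delete" section lists the same file under C:\ProgramData).
    return re.match(r"^[a-z]:\\(progra~2|programdata)\\", path, re.I) is not None

def suspicious(kind, name, path, pub):
    reasons = []
    if kind == "service" and name.lower() in SYSTEM_SERVICES and "\\windows\\" not in path.lower():
        reasons.append("built-in service name pointing outside \\Windows")
    if in_program_data(path):
        reasons.append("autostart binary under ProgramData")
    if pub == "" and PureWindowsPath(path).suffix.lower() not in BINARY_EXTS:
        reasons.append("no publisher and non-standard extension")
    return reasons

def triage(log_text):
    # Return the autostart entries worth a closer look, with the reasons they were flagged.
    findings = []
    for line in log_text.splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.match(line.strip())
            if m:
                reasons = suspicious(kind, m["name"], m["path"], m["pub"])
                if reasons:
                    findings.append({"kind": kind, "name": m["name"], "path": m["path"], "reasons": reasons})
                break
    return findings
```

Run against the sample, `triage(SAMPLE_LOG)` flags only the shortcut target and the hijacked `Winmgmt` service; the unsigned but correctly located Toshiba `pinger` service is left alone, since a missing publisher on its own is a weak signal.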

  • Root Admin

Hello and :welcome:
 
Please save the attached file fixlist.txt to a flash drive in the same location with FRST.EXE


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Now please enter System Recovery Options and select "Command Prompt"

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post its contents in your next reply. It will also produce another file, MBRDUMP.txt, on the flash drive that, although it may look like a text file, is a hex file. You must attach this report to your reply instead of posting its contents.

 

fixlist.txt


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
