Yet Another FBI Moneypak Virus



#1 YunsAvatar

Posted 26 December 2012 - 09:35 AM

Hey everyone!

Several months ago I got the FBI Moneypak Virus, and I used some online directions that I found to kill it.
Ever since then there have been some minor issues and other little infections (I think I killed the primary virus, since it stopped appearing, but I think small portions of it might still be there).

So, last night it came back. I used the same trick as before (safe mode) to get around it and to try to delete it. I followed the directions on a video on YouTube, but when I restarted it was still there.
Now, I can't get access to any form of SafeMode (normal, with networking, or command prompt). It gets part way through loading and hangs.
However, it will still boot up in normal mode, and the virus is still there.

I really want to keep the data on my computer intact. I have a lot of photos that I don't want to lose.

Please help.

EDIT:
I forgot to mention, I'm running Windows 7, and I have the Stopzilla system running for my malware and spyware protection.

Edited by YunsAvatar, 26 December 2012 - 09:54 AM.




#2 Farbar

Posted 26 December 2012 - 10:52 AM

Hello YunsAvatar,

Welcome to the forum.

Please refrain from doing any fix or making any changes to the system from now on until we are done unless you decide you can do the rest on your own. Thank you.

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

    Plug the flashdrive into the infected PC.
  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    Note: In case you can not enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html


    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt


    Select Command Prompt

    Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for the x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

#3 YunsAvatar

Posted 26 December 2012 - 11:04 AM

Thanks for the information.
Will this method lose any of my information that I have on my system?

I'm at work now, so I'll try to do this later tonight... I just need to get the parts to do it.


#4 Farbar

Posted 26 December 2012 - 11:07 AM

The tool only scans the system and is designed to rescue the system and the information on it; it doesn't remove anything. The next round we might remove bad entries, but we don't remove any personal information.

#5 YunsAvatar

Posted 26 December 2012 - 11:10 AM

Sounds good to me.
I'll try to get the information tonight and be back on here tomorrow.

Is the inability to get to the safe mode part of the virus, or an unintended consequence of me trying to fight it?

All I did was delete some of the temporary files on the computer to try to clear out the files that were infected.

#6 Farbar

Posted 26 December 2012 - 11:18 AM

In some cases malware prevents the system from entering Safe Mode, or is active even in Safe Mode.

Please make sure you don't make any changes to the system from now on and post the log when ready.

#7 YunsAvatar

Posted 26 December 2012 - 11:20 AM

I will.
Thank you.

#8 Farbar

Posted 26 December 2012 - 11:22 AM

:thumbup2:

#9 YunsAvatar

Posted 26 December 2012 - 09:48 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-12-2012 01
Ran by SYSTEM at 26-12-2012 21:45:47
Running from N:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7981088 2009-07-20] (Realtek Semiconductor)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [16333856 2009-07-14] (NVIDIA Corporation)
HKLM\...\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe" [3453440 2010-07-27] (Alcatel-Lucent)
HKLM\...\Run: [SBRegRebootCleaner] "c:\Program Files (x86)\Common Files\iS3\Anti-Spyware\sbrc.exe" [200560 2012-01-19] (GFI Software)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED [588648 2009-07-24] (Symantec Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKU\Default\...\RunOnce: [ScrSav] C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe /default [162336 2009-07-21] ()
HKU\Default User\...\RunOnce: [ScrSav] C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe /default [162336 2009-07-21] ()
HKU\Eastland\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [x]
HKU\Eastland\...\Run: [StartNow Search Protect] "C:\Program Files (x86)\StartNow Toolbar\search_protect.exe" /RELAY /REPORT /PROTECT [1327416 2012-07-13] ()
HKU\Eastland\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\Eastland\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-11-24] (Google Inc.)
HKU\Eastland\...\Run: [kmecllia] C:\Users\Eastland\AppData\Roaming\Snxtvfntrm [x]
HKU\Eastland\...\Policies\system: [DisableTaskMgr] 1
HKLM-x32\...\Winlogon: [Userinit] c:\windows\syswow64\userinit.exe, [x]
HKLM\...\Winlogon: [Shell] explorer.exe, C:\ProgramData\Snxtvfntrm [x ] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$b432f6885b7f62c66d1a1f5b88596733\n. ATTENTION! ====> ZeroAccess
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HD Writer.lnk
ShortcutTarget: HD Writer.lnk -> C:\Program Files (x86)\Common Files\Panasonic\HD Writer AutoStart\HDWriterAutoStart.exe (Panasonic Corporation)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Monitor.lnk
ShortcutTarget: Monitor.lnk -> C:\Program Files (x86)\USB 2.0 WebCam Device\Monitor.exe ()
Startup: C:\Users\All Users\Start Menu\Programs\Startup\PHOTOfunSTUDIO 5.0.lnk
ShortcutTarget: PHOTOfunSTUDIO 5.0.lnk -> C:\Program Files (x86)\Common Files\Panasonic\PHOTOfunSTUDIO AutoStart\AutoStartupService.exe (Panasonic Corporation)
Startup: C:\Users\Eastland\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
ShortcutTarget: OpenOffice.org 3.2.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ===================

2 ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe [625184 2009-04-19] ()
3 GameConsoleService; "C:\Program Files (x86)\eMachines Games\eMachines Game Console\GameConsoleService.exe" [250616 2009-05-22] (WildTangent, Inc.)
2 Greg_Service; C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [1150496 2009-08-28] (Acer Incorporated)
2 McciCMService64; "C:\Program Files\Common Files\Motive\McciCMService.exe" [517632 2010-10-16] (Alcatel-Lucent)
2 nSvcIp; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe [207904 2009-04-19] ()
3 StumbleUponUpdateService; "C:\Program Files (x86)\StumbleUpon\StumbleUponUpdateService.exe" [103336 2011-04-14] (stumbleupon.com)
2 szserver; "C:\Program Files (x86)\Common Files\iS3\Anti-Spyware\SZServer.exe" [67408 2012-04-25] (iS3, Inc.)
2 Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [240160 2009-07-03] (Acer)
2 Updater Service for StartNow Toolbar; C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [265952 2012-06-22] ()

==================== Drivers (Whitelisted) =====================

3 Ca522bv; C:\Windows\System32\Drivers\Ca522bv.sys [2469760 2007-10-16] (Digital Camera)
0 is3srv; C:\Windows\SysWow64\drivers\is3srv64.sys [74768 2011-09-26] (iS3 Inc.)
3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [43008 2010-07-27] (Printing Communications Assoc., Inc. (PCAUSA))
3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [40960 2010-07-27] (Printing Communications Assoc., Inc. (PCAUSA))
1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [57976 2012-01-12] (GFI Software)
0 szkg5; C:\Windows\SysWow64\DRIVERS\szkg64.sys [74768 2011-09-26] (iS3 Inc.)
3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-12-25 20:39 - 2012-12-25 20:39 - 00000704 ____A C:\Windows\System32\Drivers\kgpcpy.cfg
2012-12-25 17:43 - 2012-12-25 20:36 - 00111616 ____A (Yrutaza) C:\Users\Eastland\AppData\Local\Snxtvfntrm.exe
2012-12-25 16:28 - 2012-12-25 20:36 - 00111616 ____A (Yrutaza) C:\Users\Eastland\AppData\Roaming\Snxtvfntrm.exe
2012-12-25 16:26 - 2012-12-25 16:49 - 00111616 ____A (Yrutaza) C:\Users\All Users\Snxtvfntrm.exe
2012-12-16 18:11 - 2012-12-16 18:11 - 00024562 ____A C:\Users\Eastland\Desktop\Tali.odt
2012-12-04 22:48 - 2012-12-04 22:48 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-12-01 08:21 - 2012-12-01 08:21 - 00002302 ____A C:\Users\Eastland\Desktop\Google Chrome.lnk
2012-12-01 08:19 - 2012-12-01 08:19 - 00763416 ____A (Google Inc.) C:\Users\Eastland\Downloads\ChromeSetup.exe


==================== One Month Modified Files and Folders =======

2012-12-26 21:45 - 2012-12-26 21:45 - 00000000 ____D C:\FRST
2012-12-25 20:40 - 2012-12-25 16:28 - 00111616 ____A (Yrutaza) C:\Users\Eastland\AppData\Roaming\Snxtvfntrm.exe
2012-12-25 20:40 - 2010-11-08 15:13 - 00000000 ____D C:\Users\All Users\STOPzilla!
2012-12-25 20:39 - 2012-12-25 20:39 - 00000704 ____A C:\Windows\System32\Drivers\kgpcpy.cfg
2012-12-25 20:39 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-12-25 20:39 - 2009-07-13 20:51 - 00053585 ____A C:\Windows\setupact.log
2012-12-25 20:36 - 2012-12-25 17:43 - 00111616 ____A (Yrutaza) C:\Users\Eastland\AppData\Local\Snxtvfntrm.exe
2012-12-25 20:36 - 2010-11-08 00:50 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-12-25 17:43 - 2012-09-15 05:32 - 00000000 ____D C:\Users\Eastland\AppData\Roaming\Skype
2012-12-25 17:08 - 2011-04-13 18:13 - 00000000 ____D C:\Users\Eastland\Documents\Bible
2012-12-25 17:08 - 2010-11-06 16:59 - 00000000 ____D C:\Users\Eastland\AppData\Local\VirtualStore
2012-12-25 17:01 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-12-25 17:01 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-12-25 16:57 - 2009-07-13 21:13 - 00726270 ____A C:\Windows\System32\PerfStringBackup.INI
2012-12-25 16:49 - 2012-12-25 16:26 - 00111616 ____A (Yrutaza) C:\Users\All Users\Snxtvfntrm.exe
2012-12-25 16:30 - 2009-11-24 09:13 - 00216746 ____A C:\Windows\PFRO.log
2012-12-25 16:25 - 2010-11-08 00:50 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-12-20 16:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\LiveKernelReports
2012-12-18 01:28 - 2010-11-15 21:50 - 00000016 ____A C:\Windows\System32\config\software.szfi
2012-12-16 18:11 - 2012-12-16 18:11 - 00024562 ____A C:\Users\Eastland\Desktop\Tali.odt
2012-12-08 14:11 - 2012-04-30 13:37 - 00000000 ____D C:\HDW30_TMP
2012-12-06 14:59 - 2012-05-08 15:01 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-12-06 13:03 - 2012-08-11 14:12 - 00010088 ____A C:\Windows\SysWOW64\Drivers\kgpfr2.cfg
2012-12-04 22:48 - 2012-12-04 22:48 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-12-03 21:04 - 2012-10-16 19:02 - 00000808 ____A C:\Windows\SysWOW64\Drivers\kgpcpy.cfg
2012-12-01 08:21 - 2012-12-01 08:21 - 00002302 ____A C:\Users\Eastland\Desktop\Google Chrome.lnk
2012-12-01 08:21 - 2009-11-24 09:35 - 00000000 ____D C:\Program Files (x86)\Google
2012-12-01 08:19 - 2012-12-01 08:19 - 00763416 ____A (Google Inc.) C:\Users\Eastland\Downloads\ChromeSetup.exe
2012-11-28 14:49 - 2009-11-24 09:42 - 00000000 ____D C:\Users\All Users\Adobe
2012-11-28 14:48 - 2012-04-03 13:50 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-11-28 14:48 - 2011-05-23 16:44 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

ZeroAccess:
C:\Windows\Installer\{b432f688-5b7f-62c6-6d1a-1f5b88596733}
C:\Windows\Installer\{b432f688-5b7f-62c6-6d1a-1f5b88596733}\@
C:\Windows\Installer\{b432f688-5b7f-62c6-6d1a-1f5b88596733}\L
C:\Windows\Installer\{b432f688-5b7f-62c6-6d1a-1f5b88596733}\U
C:\Windows\Installer\{b432f688-5b7f-62c6-6d1a-1f5b88596733}\L\00000004.@
C:\Windows\Installer\{b432f688-5b7f-62c6-6d1a-1f5b88596733}\L\201d3dde
C:\Windows\Installer\{b432f688-5b7f-62c6-6d1a-1f5b88596733}\L\4cce1f70
C:\Windows\Installer\{b432f688-5b7f-62c6-6d1a-1f5b88596733}\L\76603ac3
C:\Windows\Installer\{b432f688-5b7f-62c6-6d1a-1f5b88596733}\U\00000004.@
C:\Windows\Installer\{b432f688-5b7f-62c6-6d1a-1f5b88596733}\U\00000008.@
C:\Windows\Installer\{b432f688-5b7f-62c6-6d1a-1f5b88596733}\U\000000cb.@
C:\Windows\Installer\{b432f688-5b7f-62c6-6d1a-1f5b88596733}\U\80000000.@
C:\Windows\Installer\{b432f688-5b7f-62c6-6d1a-1f5b88596733}\U\80000032.@
C:\Windows\Installer\{b432f688-5b7f-62c6-6d1a-1f5b88596733}\U\80000064.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2413121843-3373929529-1736265899-1001\$b432f6885b7f62c66d1a1f5b88596733

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$b432f6885b7f62c66d1a1f5b88596733

ZeroAccess:
C:\Users\Eastland\AppData\Local\{b432f688-5b7f-62c6-6d1a-1f5b88596733}
C:\Users\Eastland\AppData\Local\{b432f688-5b7f-62c6-6d1a-1f5b88596733}\@
C:\Users\Eastland\AppData\Local\{b432f688-5b7f-62c6-6d1a-1f5b88596733}\L
C:\Users\Eastland\AppData\Local\{b432f688-5b7f-62c6-6d1a-1f5b88596733}\U

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-12-19 23:03:24
Restore point made on: 2012-12-24 21:01:03

==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 3839.37 MB
Available physical RAM: 3133.55 MB
Total Pagefile: 3837.52 MB
Available Pagefile: 3125.58 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (eMachines) (Fixed) (Total:584.07 GB) (Free:383.09 GB) NTFS
2 Drive e: (PQSERVICE) (Fixed) (Total:12 GB) (Free:2.93 GB) NTFS
4 Drive g: (WD SmartWare) (CDROM) (Total:0.63 GB) (Free:0 GB) UDF
5 Drive h: (Eastland Backup) (Fixed) (Total:930.86 GB) (Free:917.97 GB) NTFS
11 Drive n: (USB20FD) (Removable) (Total:3.8 GB) (Free:3.79 GB) FAT32
12 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
13 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 596 GB 0 B
Disk 1 Online 930 GB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B
Disk 6 No Media 0 B 0 B
Disk 7 Online 3894 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 12 GB 1024 KB
Partition 2 Primary 100 MB 12 GB
Partition 3 Primary 584 GB 12 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E PQSERVICE NTFS Partition 12 GB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 Y SYSTEM RESE NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C eMachines NTFS Partition 584 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 930 GB 1024 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H Eastland Ba NTFS Partition 930 GB Healthy

=========================================================

Partitions of Disk 7:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3894 MB 28 KB

==================================================================================

Disk: 7
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 11 N USB20FD FAT32 Removable 3894 MB Healthy

=========================================================

Last Boot: 2012-12-24 23:47

==================== End Of Log =============================

#10 YunsAvatar

Posted 26 December 2012 - 09:52 PM

I did a little reading in the code there and I think I can see some of the issues already.
I noticed that the last couple times I tried to do something, that the task manager wasn't appearing as an option, and I can see where it has been coded to disable the task manager.
I'm pretty sure that the "StartNow toolbar" is part of this too. I don't recall ever adding an addition like that.

#11 Farbar

Posted 27 December 2012 - 04:58 AM

This is more than just FBI Moneypak. After booting normally we might need to repair some damaged Windows services.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKU\Eastland\...\Run: [StartNow Search Protect] "C:\Program Files (x86)\StartNow Toolbar\search_protect.exe" /RELAY /REPORT /PROTECT [1327416 2012-07-13] ()
HKU\Eastland\...\Run: [kmecllia] C:\Users\Eastland\AppData\Roaming\Snxtvfntrm [x]
HKU\Eastland\...\Policies\system: [DisableTaskMgr] 1
HKLM-x32\...\Winlogon: [Userinit] c:\windows\syswow64\userinit.exe, [x]
HKLM\...\Winlogon: [Shell] explorer.exe, C:\ProgramData\Snxtvfntrm [x ] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$b432f6885b7f62c66d1a1f5b88596733\n. ATTENTION! ====> ZeroAccess
C:\Users\Eastland\AppData\Roaming\Snxtvfntrm.exe
C:\ProgramData\Snxtvfntrm.exe
2 Updater Service for StartNow Toolbar; C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [265952 2012-06-22] ()
C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe
2012-12-25 17:43 - 2012-12-25 20:36 - 00111616 ____A (Yrutaza) C:\Users\Eastland\AppData\Local\Snxtvfntrm.exe
2012-12-25 16:26 - 2012-12-25 16:49 - 00111616 ____A (Yrutaza) C:\Users\All Users\Snxtvfntrm.exe
C:\Windows\Installer\{b432f688-5b7f-62c6-6d1a-1f5b88596733}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\$Recycle.Bin\S-1-5-21-2413121843-3373929529-1736265899-1001\$b432f6885b7f62c66d1a1f5b88596733
C:\$Recycle.Bin\S-1-5-18\$b432f6885b7f62c66d1a1f5b88596733
C:\Users\Eastland\AppData\Local\{b432f688-5b7f-62c6-6d1a-1f5b88596733}
Replace: X:\Windows\System32\services.exe C:\Windows\System32\services.exe
end

Now please enter System Recovery Options and select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Also boot normally and tell me how it went.
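The log in post #9 and the fixlist built from it above follow a fixed line format, so the first pass of picking out entries can be automated. The Python below is an added example, not code from this thread or from FRST itself: it reads FRST.txt-style lines and flags the ones a helper would look at first, using my own heuristics (FRST's ATTENTION marks, [x] missing-file markers, DisableTaskMgr, a Winlogon Shell beyond explorer.exe, publisher-less autoruns and services, new executables under AppData or ProgramData). The sample input is a constructed subset of the log posted earlier, with a few clean lines added to show what is left alone.

```python
"""Triage of FRST log lines (added example; not code from the thread or from FRST)."""
import re

# Constructed sample: lines copied from the FRST.txt posted in this thread,
# plus known-good entries (Realtek, szserver, Firefox, Chrome) as controls.
SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7981088 2009-07-20] (Realtek Semiconductor)
HKU\Eastland\...\Run: [StartNow Search Protect] "C:\Program Files (x86)\StartNow Toolbar\search_protect.exe" /RELAY /REPORT /PROTECT [1327416 2012-07-13] ()
HKU\Eastland\...\Run: [kmecllia] C:\Users\Eastland\AppData\Roaming\Snxtvfntrm [x]
HKU\Eastland\...\Policies\system: [DisableTaskMgr] 1
HKLM\...\Winlogon: [Shell] explorer.exe, C:\ProgramData\Snxtvfntrm [x ] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$b432f6885b7f62c66d1a1f5b88596733\n. ATTENTION! ====> ZeroAccess
2 szserver; "C:\Program Files (x86)\Common Files\iS3\Anti-Spyware\SZServer.exe" [67408 2012-04-25] (iS3, Inc.)
2 Updater Service for StartNow Toolbar; C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [265952 2012-06-22] ()
2012-12-25 17:43 - 2012-12-25 20:36 - 00111616 ____A (Yrutaza) C:\Users\Eastland\AppData\Local\Snxtvfntrm.exe
2012-12-04 22:48 - 2012-12-04 22:48 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-12-01 08:19 - 2012-12-01 08:19 - 00763416 ____A (Google Inc.) C:\Users\Eastland\Downloads\ChromeSetup.exe
C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
"""

# Registry autostart line: "<key>: [<name>] <value>"
AUTORUN_RE = re.compile(r"^(HK[^:]+): \[([^\]]+)\] (.*)$")
# Service/driver line: "<start type> <name>; <image path> [size date] (publisher)"
SERVICE_RE = re.compile(r"^[0-4] ([^;]+); (.*)$")
# Created/modified file line: "<date> - <date> - <size> <attrs> [(publisher)] <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{8} [_A-Z]{5} "
    r"(?:\(([^)]*)\) )?(.*)$"
)
# FRST prints [x] when the referenced file is missing or hidden from it.
MISSING_RE = re.compile(r"\[x ?\]")
# Locations a standard user can write to; assumed list, not FRST's.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\all users\\", "\\$recycle.bin\\")


def triage(log_text):
    """Return [(line, reasons)] for every line worth a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if "attention!" in line.lower():
            reasons.append("flagged by FRST itself")
        m = AUTORUN_RE.match(line)
        if m:
            _key, name, value = m.groups()
            if name == "DisableTaskMgr" and value.strip() == "1":
                reasons.append("Task Manager disabled by policy")
            if name == "Shell":
                parts = [p.strip().lower() for p in value.split(",") if p.strip()]
                if parts != ["explorer.exe"]:
                    reasons.append("Winlogon Shell loads something besides explorer.exe")
            if MISSING_RE.search(value):
                reasons.append("autostart points at a missing or hidden file")
            if value.endswith("()"):
                reasons.append("autostart has no publisher")
        s = SERVICE_RE.match(line)
        if s:
            if s.group(2).endswith("()"):
                reasons.append("service has no publisher")
            if MISSING_RE.search(s.group(2)):
                reasons.append("service image is missing or hidden")
        f = FILE_RE.match(line)
        if f:
            path = f.group(2).lower()
            if path.endswith(".exe") and any(t in path for t in USER_WRITABLE):
                reasons.append("recent executable in a user-writable location")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

The output is a candidate list to review by hand, not a fixlist; in the thread Farbar still decided entry by entry, and a publisher-less line is only a reason to check, not proof.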

#12 YunsAvatar

Posted 27 December 2012 - 08:47 AM

Just to be sure, I need to start the computer the same way as before:

F8
Repair your computer
Select US
Select Profile
Select Command Prompt

Then through the command prompt open the FRST program and do Fix, after creating the text file with the information.

Correct?

#13 Farbar

Posted 27 December 2012 - 09:06 AM

Yes, that is right. You can create the fixlist.txt and save it to the flash drive where the FRST64 tool is saved. Then follow the procedure you have outlined.

After this fix you can boot normally and post the result from the infected computer directly to the forum.

#14 YunsAvatar

Posted 27 December 2012 - 09:12 AM

I'll get on it as soon as I get home.

Thanks for the help so far!

#15 Farbar

Posted 27 December 2012 - 09:14 AM

You are quite welcome. :thumbup2:



