
FBI Moneypak virus HELP!!! SOS!!!


This topic is locked
40 replies to this topic

#1 metmaniac88 (Members, 22 posts)

Posted 14 May 2013 - 01:53 PM

I have a Toshiba Satellite laptop running Windows Vista Basic. I became infected with the Moneypak virus yesterday. I have had it before and have been able to get rid of it. But this time, I can't seem to get anything to work! I can't get into safe mode except with command prompt, but it even pops up there depending on what I do. I tried the USB drive option but both the Anvisoft rescue disk and Hitman Jumpstart aren't working! Hitman tells me it's uploading to cloud computers but then it fails to upload any of the files and claims there is no infection, and the 2 or 3 files it actually gives me an option to delete, I go to delete them and after clicking the free registration button it says it can't do anything because Windows Firewall is blocking it! As for the Anvisoft option, it says it has no connection to the cloud server and I can't figure out how to establish any kind of wireless connection, and I currently have no option to get a wired connection. So I have been looking all over the internet and haven't been able to find anything helpful. PLEASE HELP ME!!! I have no money for a new laptop and I am now clueless as to getting rid of this version of the Moneypak infection! So SOS!!!




#2 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 14 May 2013 - 02:04 PM

Hi metmaniac88,

My name is etavares and I'll be helping you with this computer. First things first, do you 1) have a spare blank USB drive we can use? and 2) What exactly does the Moneypak screen say? Is it Department of Justice, Interpol, etc.? That will help tell me which variant it is and direct you where to look. Also, 3) try unplugging from the internet, then booting up. Can you access normal mode without getting locked out? Some variants require internet access when loading to activate the lockout.

-etavares



If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 metmaniac88 (Topic Starter)

Posted 14 May 2013 - 02:13 PM

I do have a USB drive available. I can use the one I tried using for the Hitman fix that failed, or I have a completely separate one as well if there is some reason I can't use the first one. I have tried switching off the wireless button on the laptop but the virus message still pops up every time. The message I get is a white screen with the words "FBI. Cybercrime Division." Underneath that it says "International Cyber Security Protection Alliance." Under that it reads "Supported and Protected by" (Windows logo here). Then it lists an IP address, country, state and city, provider, and my computer name. Then it gives the message about my computer being locked.



#4 metmaniac88 (Topic Starter)

Posted 14 May 2013 - 02:16 PM

Also, I don't know if the amount they want matters, but the amount requested is $500, which seems to be more than in the past. There is also a logo for Interpol in the lower right-hand side of the message.



#5 etavares (Bleepin' Remover, Malware Response Team)

Posted 14 May 2013 - 04:22 PM

How comfortable are you with command prompt commands?  We can look for the loader via Safe Mode w/ Command Prompt, or I can use a more automated tool.





#6 metmaniac88 (Topic Starter)

Posted 14 May 2013 - 05:35 PM

I have some basic experience with the command prompt but I am by no means fluid with it.

#7 etavares (Bleepin' Remover, Malware Response Team)

Posted 14 May 2013 - 07:09 PM

OK, let's start with the command prompt. Please note that the file we are looking for may not be present; this is the likely variant given the screen you describe.

  1. Launch Safe Mode w/ command prompt.
  2. At the prompt type cd \ and press Enter (note the space between cd and \)
  3. The prompt will change to C:\> if it wasn't already.
  4. Type cd users and press Enter. The prompt will change to C:\Users
  5. Type dir and press Enter. It will list the folders. Look for your username in the list.
  6. Type cd "username" and press Enter. Replace "username" with your username in quotes (e.g. cd "metmaniac88")
  7. Type cd appdata and press Enter. The prompt should change to C:\users\username\AppData\>
  8. Type cd roaming and press Enter. The prompt should change to C:\users\username\AppData\Roaming\>
  9. Type ren skype.dat skype.old and press Enter. If there is no message and it just returns to a prompt, reboot and try to boot normally and it should be disabled (note...NOT removed, just disabled from locking you out). If you get an error message, write the error message here.

Let me know how it goes.

-etavares





#8 metmaniac88 (Topic Starter)

Posted 14 May 2013 - 07:37 PM

I did all that but it said "The system cannot find the file specified."

#9 etavares (Bleepin' Remover, Malware Response Team)

Posted 14 May 2013 - 08:12 PM

Hello, metmaniac88.
Please download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

If you are using Windows 8, consult How to use the Windows 8 System Recovery Environment Command Prompt to enter the System Recovery Command Prompt.

If you are using Vista or Windows 7, enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  Startup Repair
  System Restore
  Windows Complete PC Restore
  Windows Memory Diagnostic Tool
  Command Prompt

Select Command Prompt.

Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

etavares




#10 metmaniac88 (Topic Starter)

Posted 15 May 2013 - 11:56 AM

Here is the log as requested. NOTE: Viruskiller is an account on my computer that I created during a separate failed attempt to get rid of the virus, just in case there is any confusion.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-05-2013
Ran by SYSTEM on 15-05-2013 12:51:48
Running from F:\
Windows Vista ™ Home Basic Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [178712 2008-04-15] (Intel Corporation)
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1029416 2007-12-06] (Synaptics, Inc.)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [431456 2008-02-06] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [54608 2007-10-31] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [505720 2008-06-02] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [716800 2008-05-09] (TOSHIBA Corporation)
HKLM\...\Run: [NDSTray.exe] NDSTray.exe [x]
HKLM\...\Run: [cfFncEnabler.exe] cfFncEnabler.exe [x]
HKLM\...\Run: [Skytel] Skytel.exe [x]
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM\...\Run: []  [x]
HKLM\...\Run: [DivXMediaServer] C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe [450560 2012-11-13] ()
HKLM\...\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1263512 2012-11-29] ()
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947152 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [*EvtMgr32] C:\Windows\{3EC82846-2429-0502-1835-1F112B273C08}.exe [672768 2013-05-13] (VietSoftT3)
HKLM\...\RunOnce: [asdsetup] C:\asdsetup.exe [0 2013-05-14] ()
HKLM\...\Winlogon: [System]
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
HKU\Default\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [ 2008-04-24] (TOSHIBA)
HKU\Default User\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [ 2008-04-24] (TOSHIBA)
HKU\Rich\...\Run: [TOSCDSPD] TOSCDSPD.EXE [x]
HKU\Rich\...\RunOnce: [*EvtMgr32] C:\Windows\{3EC82846-2429-0502-1835-1F112B273C08}.exe [ 2013-05-13] (VietSoftT3)
HKU\Rich\...\Policies\system: [DisableCMD] 0
HKU\Rich\...\Policies\system: [NoDispAppearancePage] 0
HKU\Rich\...\Policies\system: [NoDispBackgroundPage] 0
HKU\Rich\...\Policies\system: [NoDispSettingsPage] 0
HKU\Rich\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe [25088 2008-01-20] (Microsoft Corporation)
HKU\Rich\...\Winlogon: [Shell] C:\Windows\{3EC82846-2429-0502-1835-1F112B273C08}.exe [25088 2013-05-13] (VietSoftT3) <==== ATTENTION
HKU\VirusDestroyer\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [25088 2008-04-24] (TOSHIBA)
HKU\VirusDestroyer\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe [25088 2008-01-20] (Microsoft Corporation)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
BootExecute: autocheck autochk * sdnclean.exe

========================== Services (Whitelisted) =================

S2 ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [40960 2008-04-16] (TOSHIBA CORPORATION)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] (Microsoft Corporation)
S2 TMachInfo; C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [46392 2008-08-04] (TOSHIBA Corporation)
S2 TOSHIBA SMART Log Service; C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [126976 2007-12-03] (TOSHIBA Corporation)
S2 ADBlockerSrv; C:\Program Files\Anvisoft\Anvi Smart Defender\toolbox\adblocker\ADBlockerSrv.exe [x]
S2 msiserver; %systemroot%\system32\msiexec /V [x]
S4 oracleorahome92pagingserver; %systemroot%\system32\PD0620VID.dll [x]
S4 pktfilter; %systemroot%\system32\MaxtorFrontPanel1.dll [x]
S2 Winmgmt; C:\PROGRA~2\ms0064F355.dat [x]

==================== Drivers (Whitelisted) ====================

S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [30464 2013-05-14] ()
S3 ivusb; C:\Windows\System32\DRIVERS\ivusb.sys [25112 2010-07-28] (Initio Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2013-01-21] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S3 RTL8187B; C:\Windows\System32\DRIVERS\RTL8187B.sys [290304 2007-12-26] (Realtek Semiconductor Corporation)
S1 RtlProt; C:\Windows\System32\DRIVERS\rtlprot.sys [25896 2007-04-23] (Windows ® Codename Longhorn DDK provider)
S3 SVRPEDRV; C:\Windows\System32\sysprep\PEDrv.sys [9216 2008-01-18] (Inventec Corporation)
S3 t_mobile_zte_cpo; C:\Windows\System32\DRIVERS\t_mobile_zte_cpo.sys [9984 2011-01-18] (T-Mobile)
S1 asdnet; \??\C:\Program Files\Anvisoft\Anvi Smart Defender\toolbox\adblocker\sys\x86\asdnet.sys [x]
S3 GEARAspiWDM; System32\Drivers\GEARAspiWDM.sys [x]
S3 IO_Memory; \??\C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S0 sfsync02; System32\drivers\sfsync02.sys [x]
S1 szmugtdd; \??\C:\Windows\system32\drivers\szmugtdd.sys [x]
S0 yHqSZYxM; System32\drivers\yHqSZYxM.sys [x]

==================== NetSvcs (Whitelisted) ===================

NETSVC: pktfilter -> C:\Windows\system32\MaxtorFrontPanel1.dll ==> No File.
NETSVC: oracleorahome92pagingserver -> C:\Windows\system32\PD0620VID.dll ==> No File.
NETSVC: omsad -> No Registry Path.

==================== One Month Created Files and Folders ========

2013-05-15 12:51 - 2013-05-15 12:51 - 00000000 ____D C:\FRST
2013-05-14 10:11 - 2013-05-14 10:11 - 00030464 ____A C:\Windows\System32\Drivers\hitmanpro37.sys
2013-05-14 09:58 - 2013-05-14 09:58 - 00000000 __SHD C:\found.002
2013-05-14 09:44 - 2013-05-14 09:44 - 00000000 ____A C:\asdsetup.exe
2013-05-14 09:38 - 2013-05-14 09:38 - 43253760 ____A C:\Windows\System32\config\SOFTWARE.bhv
2013-05-14 09:38 - 2013-05-14 09:38 - 19136512 ____A C:\Windows\System32\config\SYSTEM.bhv
2013-05-14 09:38 - 2013-05-14 09:38 - 00262144 ____A C:\Windows\System32\config\SECURITY.bhv
2013-05-14 09:38 - 2013-05-14 09:38 - 00262144 ____A C:\Windows\System32\config\SAM.bhv
2013-05-14 09:38 - 2013-05-14 09:38 - 00262144 ____A C:\Windows\System32\config\DEFAULT.bhv
2013-05-14 09:30 - 2013-05-14 09:30 - 00000000 ___AD C:\$Anvi Rescue Disk$
2013-05-13 13:44 - 2013-05-13 13:44 - 00000000 ____D C:\Program Files\HitmanPro
2013-05-13 13:06 - 2013-05-13 13:28 - 00000000 ____D C:\ProgramData\HitmanPro
2013-05-13 11:26 - 2013-05-14 09:38 - 00000000 ____D C:\users\VirusDestroyer
2013-05-13 11:26 - 2013-05-13 11:26 - 00000020 __ASH C:\Users\VirusDestroyer\ntuser.ini
2013-05-13 10:59 - 2013-05-13 10:25 - 00672768 ___SH (VietSoftT3) C:\Windows\{3EC82846-2429-0502-1835-1F112B273C08}.exe
2013-05-13 10:31 - 2013-05-13 10:32 - 00134896 ____A C:\Windows\Minidump\Mini051313-01.dmp
2013-04-24 16:58 - 2013-04-24 16:58 - 00000000 ____D C:\Users\Rich\AppData\Roaming\NCdownloader
2013-04-24 16:57 - 2013-04-24 16:57 - 00000000 ____D C:\ProgramData\SoftSafe
2013-04-24 16:51 - 2013-04-24 16:57 - 00000000 ____D C:\ProgramData\Browsee22saaeviee
2013-04-24 16:51 - 2013-04-24 16:51 - 00000000 ____D C:\Program Files\BrowseToSave
2013-04-24 16:50 - 2013-04-24 16:57 - 00000000 ____D C:\ProgramData\InstallMate

==================== One Month Modified Files and Folders ========

2013-05-15 12:51 - 2013-05-15 12:51 - 00000000 ____D C:\FRST
2013-05-14 16:40 - 2006-11-02 04:58 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-14 16:40 - 2006-11-02 04:45 - 00003616 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-14 16:40 - 2006-11-02 04:45 - 00003616 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-14 11:14 - 2009-06-23 23:00 - 01317901 ____A C:\Windows\WindowsUpdate.log
2013-05-14 10:11 - 2013-05-14 10:11 - 00030464 ____A C:\Windows\System32\Drivers\hitmanpro37.sys
2013-05-14 10:08 - 2006-11-02 04:58 - 00032564 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-05-14 09:58 - 2013-05-14 09:58 - 00000000 __SHD C:\found.002
2013-05-14 09:44 - 2013-05-14 09:44 - 00000000 ____A C:\asdsetup.exe
2013-05-14 09:38 - 2013-05-14 09:38 - 43253760 ____A C:\Windows\System32\config\SOFTWARE.bhv
2013-05-14 09:38 - 2013-05-14 09:38 - 19136512 ____A C:\Windows\System32\config\SYSTEM.bhv
2013-05-14 09:38 - 2013-05-14 09:38 - 00262144 ____A C:\Windows\System32\config\SECURITY.bhv
2013-05-14 09:38 - 2013-05-14 09:38 - 00262144 ____A C:\Windows\System32\config\SAM.bhv
2013-05-14 09:38 - 2013-05-14 09:38 - 00262144 ____A C:\Windows\System32\config\DEFAULT.bhv
2013-05-14 09:38 - 2013-05-13 11:26 - 00000000 ____D C:\users\VirusDestroyer
2013-05-14 09:38 - 2009-07-31 08:42 - 00000000 ____D C:\users\Rich
2013-05-14 09:30 - 2013-05-14 09:30 - 00000000 ___AD C:\$Anvi Rescue Disk$
2013-05-13 13:44 - 2013-05-13 13:44 - 00000000 ____D C:\Program Files\HitmanPro
2013-05-13 13:28 - 2013-05-13 13:06 - 00000000 ____D C:\ProgramData\HitmanPro
2013-05-13 13:06 - 2006-11-02 04:44 - 00436776 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-13 11:26 - 2013-05-13 11:26 - 00000020 __ASH C:\Users\VirusDestroyer\ntuser.ini
2013-05-13 11:00 - 2012-04-22 15:00 - 00000342 ____A C:\Windows\Tasks\At40.job
2013-05-13 11:00 - 2012-04-22 15:00 - 00000340 ____A C:\Windows\Tasks\At16.job
2013-05-13 10:32 - 2013-05-13 10:31 - 00134896 ____A C:\Windows\Minidump\Mini051313-01.dmp
2013-05-13 10:31 - 2013-01-21 13:19 - 128868071 ____A C:\Windows\MEMORY.DMP
2013-05-13 10:31 - 2012-03-24 06:38 - 00000000 ____D C:\Windows\Minidump
2013-05-13 10:25 - 2013-05-13 10:59 - 00672768 ___SH (VietSoftT3) C:\Windows\{3EC82846-2429-0502-1835-1F112B273C08}.exe
2013-05-12 10:00 - 2012-04-22 15:00 - 00000342 ____A C:\Windows\Tasks\At39.job
2013-05-12 10:00 - 2012-04-22 15:00 - 00000340 ____A C:\Windows\Tasks\At15.job
2013-05-12 09:00 - 2012-04-22 15:00 - 00000342 ____A C:\Windows\Tasks\At38.job
2013-05-12 09:00 - 2012-04-22 15:00 - 00000340 ____A C:\Windows\Tasks\At14.job
2013-05-12 08:08 - 2009-08-03 05:15 - 00066048 ____A C:\Users\Rich\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-05-12 08:00 - 2012-04-22 15:00 - 00000340 ____A C:\Windows\Tasks\At13.job
2013-05-12 07:59 - 2012-04-22 15:00 - 00000342 ____A C:\Windows\Tasks\At37.job
2013-05-09 17:59 - 2012-04-22 15:00 - 00000342 ____A C:\Windows\Tasks\At47.job
2013-05-09 17:59 - 2012-04-22 15:00 - 00000340 ____A C:\Windows\Tasks\At23.job
2013-05-09 16:59 - 2012-04-22 15:00 - 00000342 ____A C:\Windows\Tasks\At46.job
2013-05-09 16:59 - 2012-04-22 15:00 - 00000340 ____A C:\Windows\Tasks\At22.job
2013-05-09 15:59 - 2012-04-22 15:00 - 00000342 ____A C:\Windows\Tasks\At45.job
2013-05-09 15:59 - 2012-04-22 15:00 - 00000340 ____A C:\Windows\Tasks\At21.job
2013-05-09 06:59 - 2012-04-22 15:00 - 00000342 ____A C:\Windows\Tasks\At36.job
2013-05-09 06:59 - 2012-04-22 15:00 - 00000340 ____A C:\Windows\Tasks\At12.job
2013-05-08 19:00 - 2012-04-22 15:00 - 00000342 ____A C:\Windows\Tasks\At48.job
2013-05-08 19:00 - 2012-04-22 15:00 - 00000340 ____A C:\Windows\Tasks\At24.job
2013-05-08 12:00 - 2012-04-22 15:00 - 00000342 ____A C:\Windows\Tasks\At41.job
2013-05-08 12:00 - 2012-04-22 15:00 - 00000340 ____A C:\Windows\Tasks\At17.job
2013-05-07 18:29 - 2012-03-22 11:03 - 00000000 ___RD C:\Users\Rich\Desktop\cpugrab
2013-05-02 15:00 - 2012-04-22 15:00 - 00000342 ____A C:\Windows\Tasks\At44.job
2013-05-02 15:00 - 2012-04-22 15:00 - 00000340 ____A C:\Windows\Tasks\At20.job
2013-05-02 07:28 - 2011-01-11 11:23 - 00238872 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-04-30 18:26 - 2012-05-06 06:39 - 00000000 ____D C:\Users\Rich\AppData\Local\CrashDumps
2013-04-29 22:00 - 2012-04-22 15:00 - 00000342 ____A C:\Windows\Tasks\At27.job
2013-04-29 22:00 - 2012-04-22 15:00 - 00000340 ____A C:\Windows\Tasks\At3.job
2013-04-29 20:35 - 2012-04-22 15:00 - 00000340 ____A C:\Windows\Tasks\At1.job
2013-04-29 20:06 - 2012-04-22 15:00 - 00000342 ____A C:\Windows\Tasks\At25.job
2013-04-28 21:00 - 2012-04-22 15:00 - 00000342 ____A C:\Windows\Tasks\At26.job
2013-04-28 21:00 - 2012-04-22 15:00 - 00000340 ____A C:\Windows\Tasks\At2.job
2013-04-26 13:59 - 2012-04-22 15:00 - 00000342 ____A C:\Windows\Tasks\At43.job
2013-04-26 13:59 - 2012-04-22 15:00 - 00000340 ____A C:\Windows\Tasks\At19.job
2013-04-25 15:36 - 2013-03-07 18:00 - 00000000 ____D C:\Program Files\Fighter Ace Anniversary Edition
2013-04-25 10:02 - 2008-01-20 19:02 - 00585622 ____A C:\Windows\PFRO.log
2013-04-24 18:43 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-04-24 17:12 - 2006-11-02 02:33 - 00751200 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-24 16:58 - 2013-04-24 16:58 - 00000000 ____D C:\Users\Rich\AppData\Roaming\NCdownloader
2013-04-24 16:57 - 2013-04-24 16:57 - 00000000 ____D C:\ProgramData\SoftSafe
2013-04-24 16:57 - 2013-04-24 16:51 - 00000000 ____D C:\ProgramData\Browsee22saaeviee
2013-04-24 16:57 - 2013-04-24 16:50 - 00000000 ____D C:\ProgramData\InstallMate
2013-04-24 16:51 - 2013-04-24 16:51 - 00000000 ____D C:\Program Files\BrowseToSave
2013-04-24 16:51 - 2009-07-31 08:44 - 00000000 ____D C:\Users\Rich\AppData\Local\Google
2013-04-24 13:00 - 2012-04-22 15:00 - 00000342 ____A C:\Windows\Tasks\At42.job
2013-04-24 13:00 - 2012-04-22 15:00 - 00000340 ____A C:\Windows\Tasks\At18.job
2013-04-18 13:10 - 2008-09-30 11:54 - 00000000 ____D C:\Program Files\Common Files\Adobe

Other Malware:
===========
C:\ProgramData\553F4600sm.pad
C:\ProgramData\BCA.pad
C:\ProgramData\SMRResults311.dat
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At10.job
C:\Windows\Tasks\At11.job
C:\Windows\Tasks\At12.job
C:\Windows\Tasks\At13.job
C:\Windows\Tasks\At14.job
C:\Windows\Tasks\At15.job
C:\Windows\Tasks\At16.job
C:\Windows\Tasks\At17.job
C:\Windows\Tasks\At18.job
C:\Windows\Tasks\At19.job
C:\Windows\Tasks\At2.job
C:\Windows\Tasks\At20.job
C:\Windows\Tasks\At21.job
C:\Windows\Tasks\At22.job
C:\Windows\Tasks\At23.job
C:\Windows\Tasks\At24.job
C:\Windows\Tasks\At25.job
C:\Windows\Tasks\At26.job
C:\Windows\Tasks\At27.job
C:\Windows\Tasks\At28.job
C:\Windows\Tasks\At29.job
C:\Windows\Tasks\At3.job
C:\Windows\Tasks\At30.job
C:\Windows\Tasks\At31.job
C:\Windows\Tasks\At32.job
C:\Windows\Tasks\At33.job
C:\Windows\Tasks\At34.job
C:\Windows\Tasks\At35.job
C:\Windows\Tasks\At36.job
C:\Windows\Tasks\At37.job
C:\Windows\Tasks\At38.job
C:\Windows\Tasks\At39.job
C:\Windows\Tasks\At4.job
C:\Windows\Tasks\At40.job
C:\Windows\Tasks\At41.job
C:\Windows\Tasks\At42.job
C:\Windows\Tasks\At43.job
C:\Windows\Tasks\At44.job
C:\Windows\Tasks\At45.job
C:\Windows\Tasks\At46.job
C:\Windows\Tasks\At47.job
C:\Windows\Tasks\At48.job
C:\Windows\Tasks\At5.job
C:\Windows\Tasks\At6.job
C:\Windows\Tasks\At7.job
C:\Windows\Tasks\At8.job
C:\Windows\Tasks\At9.job

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 1915.26 MB
Available physical RAM: 1561.83 MB
Total Pagefile: 1743.81 MB
Available Pagefile: 1615.11 MB
Total Virtual: 2047.88 MB
Available Virtual: 1967.56 MB

==================== Drives ================================

Drive c: (SQ004981V02) (Fixed) (Total:140.37 GB) (Free:86.21 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (MOHAA_DISK2) (CDROM) (Total:0.62 GB) (Free:0 GB) CDFS
Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.31 GB) NTFS
Drive f: () (Removable) (Total:3.73 GB) (Free:3.73 GB) FAT32
Drive g: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows Vista) (Size: 149 GB) (Disk ID: 63276A7F)
Partition 1: (Not Active) - (Size=1 GB) - (Type=27)
Partition 2: (Active) - (Size=140 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=7 GB) - (Type=17)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 6F20736B)
Partition 1: (Not Active) - (Size=544 GB) - (Type=72)
Partition 2: (Not Active) - (Size=923 GB) - (Type=65)
Partition 3: (Not Active) - (Size=923 GB) - (Type=79)
Partition 4: (Not Active) - (Size=27 MB) - (Type=0D)

Last Boot: 2013-05-13 13:49

==================== End Of Log ============================


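The log above is what a responder reads to find the loader. The Python script below is an added example, not FRST's own logic and not something posted in this thread: it runs the same kind of triage over FRST.txt lines offline. The rule names, the severity scale and the `Finding` record are this example's own, and `SAMPLE_LOG` is a hand-picked subset of lines from the log above, so the result covers only those lines. It flags the persistence points the thread turns on: the Winlogon Shell value that replaced explorer.exe with the GUID-named executable, the RunOnce value whose `*` prefix makes Windows run it even in Safe Mode (which is why Safe Mode did not get past the lock screen), FRST's own ATTENTION marker on the hijacked fastprox CLSID, the Winmgmt service whose image is a .dat file instead of svchost.exe, the drivers whose image files are missing, and the At*.job tasks.

```python
"""Offline triage of FRST.txt lines for the persistence points seen in this thread.

Added example: the rules, severities and the Finding record are this script's
own, not FRST's. SAMPLE_LOG is a hand-picked subset of the log posted above.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", ["severity", "rules", "line"])

# Subset of lines copied from the FRST.txt in post #10 (constructed sample, not a full log).
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947152 2013-01-27] (Microsoft Corporation)
HKLM\...\RunOnce: [*EvtMgr32] C:\Windows\{3EC82846-2429-0502-1835-1F112B273C08}.exe [672768 2013-05-13] (VietSoftT3)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
HKU\Rich\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe [25088 2008-01-20] (Microsoft Corporation)
HKU\Rich\...\Winlogon: [Shell] C:\Windows\{3EC82846-2429-0502-1835-1F112B273C08}.exe [25088 2013-05-13] (VietSoftT3) <==== ATTENTION
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)
S2 Winmgmt; C:\PROGRA~2\ms0064F355.dat [x]
S1 szmugtdd; \??\C:\Windows\system32\drivers\szmugtdd.sys [x]
S0 yHqSZYxM; System32\drivers\yHqSZYxM.sys [x]
S3 RTL8187B; C:\Windows\System32\DRIVERS\RTL8187B.sys [290304 2007-12-26] (Realtek Semiconductor Corporation)
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At48.job
"""

GUID_EXE = r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe"
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}

# (severity, rule name, pattern). Every rule that matches a line is recorded for it.
RULES = [
    # Winlogon\Shell names what runs instead of explorer.exe at logon: the lock screen's hook.
    ("critical", "winlogon-shell-hijack",
     re.compile(r"Winlogon: \[Shell\] (?!.*\bexplorer\.exe\b)", re.I)),
    # A RunOnce value whose name starts with '*' is executed even in Safe Mode,
    # which is why Safe Mode did not get the poster past the lock screen.
    ("critical", "runonce-star-runs-in-safe-mode", re.compile(r"RunOnce: \[\*")),
    # FRST's own marker for entries it considers hijacked (here the ZeroAccess fastprox.dll CLSID).
    ("critical", "frst-attention-marker", re.compile(r"ATTENTION")),
    # The WMI service normally runs inside svchost.exe; a .dat image under ProgramData is a hijack.
    ("critical", "winmgmt-service-image-replaced",
     re.compile(r"^S\d Winmgmt; (?!.*\bsvchost\.exe\b)", re.I)),
    # A GUID-named executable dropped straight into C:\Windows.
    ("high", "guid-named-exe-in-windows-root", re.compile(r"C:\\Windows\\" + GUID_EXE, re.I)),
    # Service or driver whose image file FRST could not find ([x]); random 8-character names are typical.
    ("medium", "service-or-driver-image-missing", re.compile(r"^S\d \S+; .*\[x\]$")),
    # at.exe-style scheduled jobs (At1.job ... At48.job) in C:\Windows\Tasks.
    ("medium", "at-job-scheduled-task", re.compile(r"\\Windows\\Tasks\\At\d+\.job$", re.I)),
]


def triage(log_text):
    """Return one Finding per suspicious line, carrying every rule that matched it."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hits = [(sev, name) for sev, name, rx in RULES if rx.search(line)]
        if hits:
            top = max(hits, key=lambda h: SEVERITY_RANK[h[0]])[0]
            findings.append(Finding(top, tuple(name for _, name in hits), line))
    return findings


def severity_counts(findings):
    """Count findings by their highest severity."""
    return Counter(f.severity for f in findings)


def loader_paths(findings):
    """Paths of GUID-named executables to pull off the disk for hashing and analysis."""
    rx = re.compile(r"C:\\Windows\\" + GUID_EXE, re.I)
    return sorted({m.group(0) for f in findings for m in rx.finditer(f.line)})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:8}] {', '.join(f.rules)}\n           {f.line}")
    print("\nsummary:", dict(severity_counts(results)))
    print("collect for analysis:", loader_paths(results))
```

To run it against a real log, pass the file contents in place of `SAMPLE_LOG`, for example `triage(open("FRST.txt", encoding="utf-8", errors="replace").read())`. The rules are deliberately narrow: a normal `Winlogon: [Shell] explorer.exe` line produces nothing, and the output is a list of things to verify before they go into a fixlist, not a verdict.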

#11 etavares (Bleepin' Remover, Malware Response Team)

Posted 15 May 2013 - 04:22 PM

Hello, metmaniac88.

You were actually infected a few weeks before the Moneypak was downloaded. I do need to warn you:

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.

Step 1

OK, please save the attached file (fixlist.txt) to the flash drive you installed FRST on. Boot into FRST as before, but this time click Fix. It will run and create a log (fixlog.txt) on the flash drive. Please copy/paste the contents of that log in your reply. Next, try to boot into Windows on the infected computer. It's not clean, but it should be usable to finish cleaning the computer. Please let me know.

etavares
Attached File: fixlist.txt (2.13 KB)




#12 metmaniac88 (Topic Starter)

Posted 15 May 2013 - 05:09 PM

Here is the log after the fix. The computer booted up and went into Windows without the ransomware screen popping up. The background is plain white instead of my previous background, but aside from that everything seems to be working. I could do a format of the OS but the problem is I don't have a CD to reinstall the OS from. When I bought my laptop they didn't include one, which I think is cheating a little, but can't do anything about it now. I am going to keep using my laptop but I can use my fiancee's laptop for sensitive stuff. Hers is the one I've been using to access this forum, etc. Do I need to do anything else? Should I run anti-virus software? Maybe Malwarebytes? Or is the virus gone from my computer now? Either way thank you so much for your help!!!!

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 14-05-2013
Ran by SYSTEM at 2013-05-15 18:02:57 Run:1
Running from F:\
Boot Mode: Recovery

==============================================

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*EvtMgr32 => Value deleted successfully.
C:\Windows\{3EC82846-2429-0502-1835-1F112B273C08}.exe => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\asdsetup => Value deleted successfully.
C:\asdsetup.exe => Moved successfully.
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKEY_USERS\Rich\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*EvtMgr32 => Value deleted successfully.
HKEY_USERS\Rich\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
szmugtdd => Service deleted successfully.
C:\Windows\system32\drivers\szmugtdd.sys => File/Directory not found.
yHqSZYxM => Service deleted successfully.
C:\windows\system32\drivers\yHqSZYxM.sys => File/Directory not found.
C:\ProgramData\553F4600sm.pad => Moved successfully.
C:\ProgramData\BCA.pad => Moved successfully.
C:\ProgramData\SMRResults311.dat => Moved successfully.
C:\Windows\Tasks\At1.job => Moved successfully.
C:\Windows\Tasks\At10.job => Moved successfully.
C:\Windows\Tasks\At11.job => Moved successfully.
C:\Windows\Tasks\At12.job => Moved successfully.
C:\Windows\Tasks\At13.job => Moved successfully.
C:\Windows\Tasks\At14.job => Moved successfully.
C:\Windows\Tasks\At15.job => Moved successfully.
C:\Windows\Tasks\At16.job => Moved successfully.
C:\Windows\Tasks\At17.job => Moved successfully.
C:\Windows\Tasks\At18.job => Moved successfully.
C:\Windows\Tasks\At19.job => Moved successfully.
C:\Windows\Tasks\At2.job => Moved successfully.
C:\Windows\Tasks\At20.job => Moved successfully.
    C:\Windows\Tasks\At21.job => Moved successfully.
    C:\Windows\Tasks\At22.job => Moved successfully.
    C:\Windows\Tasks\At23.job => Moved successfully.
    C:\Windows\Tasks\At24.job => Moved successfully.
    C:\Windows\Tasks\At25.job => Moved successfully.
    C:\Windows\Tasks\At26.job => Moved successfully.
    C:\Windows\Tasks\At27.job => Moved successfully.
    C:\Windows\Tasks\At28.job => Moved successfully.
    C:\Windows\Tasks\At29.job => Moved successfully.
    C:\Windows\Tasks\At3.job => Moved successfully.
    C:\Windows\Tasks\At30.job => Moved successfully.
    C:\Windows\Tasks\At31.job => Moved successfully.
    C:\Windows\Tasks\At32.job => Moved successfully.
    C:\Windows\Tasks\At33.job => Moved successfully.
    C:\Windows\Tasks\At34.job => Moved successfully.
    C:\Windows\Tasks\At35.job => Moved successfully.
    C:\Windows\Tasks\At36.job => Moved successfully.
    C:\Windows\Tasks\At37.job => Moved successfully.
    C:\Windows\Tasks\At38.job => Moved successfully.
    C:\Windows\Tasks\At39.job => Moved successfully.
    C:\Windows\Tasks\At4.job => Moved successfully.
    C:\Windows\Tasks\At40.job => Moved successfully.
    C:\Windows\Tasks\At41.job => Moved successfully.
    C:\Windows\Tasks\At42.job => Moved successfully.
    C:\Windows\Tasks\At43.job => Moved successfully.
    C:\Windows\Tasks\At44.job => Moved successfully.
    C:\Windows\Tasks\At45.job => Moved successfully.
    C:\Windows\Tasks\At46.job => Moved successfully.
    C:\Windows\Tasks\At47.job => Moved successfully.
    C:\Windows\Tasks\At48.job => Moved successfully.
    C:\Windows\Tasks\At5.job => Moved successfully.
    C:\Windows\Tasks\At6.job => Moved successfully.
    C:\Windows\Tasks\At7.job => Moved successfully.
    C:\Windows\Tasks\At8.job => Moved successfully.
    C:\Windows\Tasks\At9.job => Moved successfully.

    ==== End of Fixlog ====


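As an added example (this is not code from the thread, from FRST, or from the helper), here is a small Python parser for fixlog lines in the format shown above. It groups each removed item by the persistence mechanism it represents (RunOnce entries, the Winlogon Shell value that a lock-screen ransomware replaces, services, scheduled At*.job tasks, plain files) and flags entries whose file was already missing, such as a service whose driver file no longer exists. The sample lines are copied from the log above; the category names and the `classify`/`parse_fixlog`/`summarize` functions are my own naming, not FRST terminology.

```python
import re
from collections import Counter

# Constructed sample (added example): a few lines copied from the FRST fixlog
# posted in this thread, enough to exercise every branch of the classifier.
SAMPLE_FIXLOG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*EvtMgr32 => Value deleted successfully.
C:\Windows\{3EC82846-2429-0502-1835-1F112B273C08}.exe => Moved successfully.
HKEY_USERS\Rich\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
szmugtdd => Service deleted successfully.
C:\Windows\system32\drivers\szmugtdd.sys => File/Directory not found.
C:\ProgramData\BCA.pad => Moved successfully.
C:\Windows\Tasks\At1.job => Moved successfully.
C:\Windows\Tasks\At2.job => Moved successfully.
"""

# Legacy at.exe scheduled tasks live in C:\Windows\Tasks as AtN.job.
TASK_RE = re.compile(r"^c:\\windows\\tasks\\at\d+\.job$", re.IGNORECASE)


def classify(target, outcome):
    """Map one fixlog target to the persistence mechanism it represents.

    Category names are this example's own, not FRST output.
    """
    t = target.lower()
    if outcome.lower().startswith("service deleted"):
        return "service"
    if t.startswith(("hklm\\", "hkey_users\\", "hkcu\\")):
        # Winlogon\Shell normally holds explorer.exe; lock-screen malware
        # points it at its own binary so the desktop never appears.
        if "\\winlogon\\" in t and t.endswith("shell"):
            return "winlogon_shell"
        if "\\runonce\\" in t or "\\run\\" in t:
            return "run_key"
        return "registry_other"
    if TASK_RE.match(t):
        return "scheduled_task"
    if t.endswith(".sys"):
        return "driver_file"
    return "file"


def parse_fixlog(text):
    """Split 'target => outcome.' lines into structured entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if " => " not in line:
            continue  # header, separator or blank line
        target, outcome = line.split(" => ", 1)
        outcome = outcome.rstrip(".")
        entries.append({
            "target": target,
            "outcome": outcome,
            "category": classify(target, outcome),
        })
    return entries


def summarize(entries):
    """Count mechanisms and list items FRST could not find on disk."""
    categories = Counter(e["category"] for e in entries)
    not_found = [e["target"] for e in entries
                 if "not found" in e["outcome"].lower()]
    return {
        "categories": categories,
        "not_found": not_found,
        "shell_hijacked": categories["winlogon_shell"] > 0,
    }


if __name__ == "__main__":
    result = summarize(parse_fixlog(SAMPLE_FIXLOG))
    for category, count in sorted(result["categories"].items()):
        print(f"{category:15} {count}")
    print("Winlogon Shell hijacked:", result["shell_hijacked"])
    print("Already missing:", result["not_found"])
```

Run against the full log in the post, the summary shows the shape of the infection at a glance: one RunOnce entry per hive, a replaced Winlogon Shell value, two services whose driver files were already gone, and 48 At*.job tasks. A dangling service entry with no driver file is worth noting in a cleanup log, since it usually means an earlier removal attempt deleted the file but left the registry entry behind.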

    #13 metmaniac88

    metmaniac88
    • Topic Starter

    • Members
    • 22 posts
    • OFFLINE
    • Local time:11:06 PM

    Posted 15 May 2013 - 05:14 PM

    Actually, none of my programs seem to be working. I tried to load Windows Security Essentials and then Internet Explorer, and neither of them works. What do I do?

    #14 etavares

    etavares

      Bleepin' Remover


    • Malware Response Team
    • 15,514 posts
    • OFFLINE
    • Gender:Male
    • Local time:11:06 PM

    Posted 15 May 2013 - 06:57 PM

    Hello, metmaniac88.
     
     
    Next, please download ComboFix from one of these locations:
    * IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
       
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
     
     
    RcAuto1.gif
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
     
    whatnext.png
     
    Click on Yes, to continue scanning for malware.
     
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.
     
    Note:  After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion."  If you receive this error, please reboot and it should disappear.
     
    etavares


    If I don't respond within 2 days, please feel free to PM me.
    Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

    Unified Network of Instructors and Trusted Eliminators
     


    #15 metmaniac88

    metmaniac88
    • Topic Starter

    • Members
    • 22 posts
    • OFFLINE
    • Local time:11:06 PM

    Posted 17 May 2013 - 01:20 PM

    I've tried to run ComboFix twice now. Both times I get to the blue screen where it says "scanning for infected files, this typically takes ten minutes; however, scan times for badly infected machines may easily double." However, nothing happens after I get to this point. I have waited upwards of an hour and nothing further happens. Is something wrong, or is it just taking a very long time to scan?





