Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

windows 7 moneypak virus


  • This topic is locked This topic is locked
6 replies to this topic

#1 tmoney69

tmoney69

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:58 PM

Posted 15 May 2013 - 06:04 PM

Mod Edit:Moved to Virus, Trojan, Spyware, and Malware Removal Logs         

 

 

 

i turned my computer on last night and the moneypak virus showed up.  I cannot start safe mode.  I log in and the computer shuts down.  I have already downloaded the x64 Windows 7 Farbar recovery scan tool. I'm posting the results below:  please tell me the next step

 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-05-2013
Ran by SYSTEM on 15-05-2013 17:27:44
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2281256 2012-01-12] (Synaptics Incorporated)
HKLM\...\Run: [HP Quick Launch] C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [451072 2010-01-12] (Hewlett-Packard Company)
HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s [6489704 2011-03-11] (Realtek Semiconductor)
HKLM\...\Run: [RtkOSD] C:\Program Files (x86)\Realtek\Audio\OSD\RtVOsd64.exe [995840 2010-02-05] (Realtek Semiconductor Corp.)
HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2010-01-27] (Hewlett-Packard)
HKLM\...\Run: [lxbkbmgr.exe] "C:\Program Files (x86)\Lexmark X1100 Series\lxbkbmgr.exe" [74408 2008-02-28] (Lexmark International, Inc.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2010-03-10] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NOBuActivation.exe" UNATTENDED [3331944 2009-12-03] (Symantec Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-09-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2011-01-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1532992 2013-03-13] (McAfee, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-12-07] (Apple Inc.)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [296096 2012-09-07] (RealNetworks, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\Default\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1715768 2010-09-28] (Hewlett-Packard)
HKU\Default User\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1715768 2010-09-28] (Hewlett-Packard)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files (x86)\Secunia\PSI\psi_tray.exe (Secunia)

==================== Services (Whitelisted) =================

S2 HPWMISVC; C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [19968 2010-01-12] ()
S2 lxbk_device; C:\Windows\system32\lxbkcoms.exe [565928 2008-02-19] ( )
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [398184 2012-12-14] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [682344 2012-12-14] (Malwarebytes Corporation)
S2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McciCMService64; C:\Program Files\Common Files\Motive\McciCMService.exe [517632 2009-09-15] (Alcatel-Lucent)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 mcmscsvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [383608 2012-11-16] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [241456 2013-02-19] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-02-19] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-02-19] (McAfee, Inc.)
S2 Secunia PSI Agent; C:\Program Files (x86)\Secunia\PSI\PSIA.exe [994360 2011-10-13] (Secunia)
S2 Secunia Update Agent; C:\Program Files (x86)\Secunia\PSI\sua.exe [399416 2011-10-13] (Secunia)

==================== Drivers (Whitelisted) ====================

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-02-19] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [24176 2012-12-14] (Malwarebytes Corporation)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179280 2013-02-19] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309840 2013-02-19] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515968 2013-02-19] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340216 2013-02-19] (McAfee, Inc.)
S3 MREMP50; C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS [21248 2009-09-15] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MREMP50a64; C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [43008 2009-09-15] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS [20096 2009-09-15] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50a64; C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [40960 2009-09-15] (Printing Communications Assoc., Inc. (PCAUSA))
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-15 17:24 - 2013-05-15 17:24 - 00000000 ____D C:\FRST
2013-05-14 22:02 - 2013-05-14 22:02 - 00000000 ____D C:\ProgramData\Recovery
2013-05-14 18:47 - 2013-05-14 18:47 - 01096006 ____A C:\ProgramData\2433f433
2013-05-13 19:20 - 2013-05-13 19:20 - 00796104 ____A C:\Windows\Minidump\051313-23540-01.dmp
2013-04-23 18:25 - 2013-04-12 06:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

==================== One Month Modified Files and Folders =======

2013-05-15 17:24 - 2013-05-15 17:24 - 00000000 ____D C:\FRST
2013-05-14 22:02 - 2013-05-14 22:02 - 00000000 ____D C:\ProgramData\Recovery
2013-05-14 19:07 - 2013-01-28 14:59 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-14 19:06 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-14 19:06 - 2009-07-13 20:51 - 00058024 ____A C:\Windows\setupact.log
2013-05-14 18:54 - 2012-04-01 14:58 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-14 18:48 - 2010-07-25 14:05 - 01572694 ____A C:\Windows\WindowsUpdate.log
2013-05-14 18:47 - 2013-05-14 18:47 - 01096006 ____A C:\ProgramData\2433f433
2013-05-14 18:46 - 2011-09-07 10:31 - 00001828 ____A C:\Users\Public\Desktop\McAfee Security Center.lnk
2013-05-14 18:41 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-14 18:39 - 2013-01-28 14:59 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-13 19:31 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-13 19:31 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-13 19:20 - 2013-05-13 19:20 - 00796104 ____A C:\Windows\Minidump\051313-23540-01.dmp
2013-05-13 19:20 - 2012-07-01 04:31 - 359178358 ____A C:\Windows\MEMORY.DMP
2013-05-13 19:20 - 2012-07-01 04:31 - 00000000 ____D C:\Windows\Minidump
2013-05-13 16:56 - 2012-11-23 01:08 - 00000324 ____A C:\Windows\Tasks\HPCeeScheduleForTom.job
2013-05-11 07:46 - 2011-03-07 21:14 - 00000000 ____D C:\Program Files (x86)\McAfee
2013-05-08 17:08 - 2010-11-18 03:42 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2013-05-08 17:07 - 2011-12-07 18:00 - 00000000 ____A C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-05-05 16:11 - 2010-11-07 18:41 - 00378004 ____A C:\Windows\PFRO.log

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-03-14 02:13:44
Restore point made on: 2013-03-19 18:38:14
Restore point made on: 2013-03-21 02:43:02
Restore point made on: 2013-04-11 02:32:07
Restore point made on: 2013-04-24 02:28:19

==================== Memory info ===========================

Percentage of memory in use: 23%
Total physical RAM: 2810.9 MB
Available physical RAM: 2153.32 MB
Total Pagefile: 2809.05 MB
Available Pagefile: 2160.42 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:451.9 GB) (Free:378.86 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
Drive e: (RECOVERY) (Fixed) (Total:13.57 GB) (Free:1.94 GB) NTFS (Disk=0 Partition=3) ==>[System with boot components (obtained from reading drive)]
Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32 (Disk=0 Partition=4)
Drive h: () (Removable) (Total:3.74 GB) (Free:3.73 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 466 GB) (Disk ID: 7BCA3E72)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=452 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=14 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=103 MB) - (Type=0C)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)

Last Boot: 2012-03-13 02:19

==================== End Of Log ============================


Edited by boopme, 15 May 2013 - 08:20 PM.


BC AdBot (Login to Remove)

 


#2 tmoney69

tmoney69
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:58 PM

Posted 18 May 2013 - 09:21 AM

Please Help!!!!!



#3 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:03:58 PM

Posted 19 May 2013 - 05:16 PM

Hi tmoney69,

:welcome: to BleepingComputer.
We sincerely apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screename jntkwx or Jason is fine.

Some things to remember while we are working together.
  • Do not run any other tool untill instructed to do so!
  • Please do not attach logs or put logs in code or quote boxes (unless explicitly asked to)
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.
In the upper right hand corner of the topic you will see the Follow This Topic button. Click on this then choose Receive Notification Immediately and then click Follow This Topic and you will be sent an email once I have posted a response and make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

 

Run FRST Fix
Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt
 
C:\ProgramData\2433f433
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Now please enter System Recovery Options, as you've done previously.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply. The tool will make a log on the flash drive (Fixlog.txt) please post its contents in your reply.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#4 tmoney69

tmoney69
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:58 PM

Posted 22 May 2013 - 07:13 PM

Sorry for the delay i haven't been neara computer for a few days.  I turned the computer back on and now cannot load safemode with command prompt.  It says loading windows files on tp and please wait below.  it has been like that for 2 hours. any suggestions to launch?



#5 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:03:58 PM

Posted 22 May 2013 - 07:18 PM

Try running FRST from System Recovery:

Run FRST Fix
Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt
 

C:\ProgramData\2433f433
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Now please enter System Recovery Options, as you've done previously.

The tool will make a log on the flash drive (Fixlog.txt) please post its contents in your reply.

 


Edited by jntkwx, 23 May 2013 - 11:31 PM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#6 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:03:58 PM

Posted 29 May 2013 - 04:25 PM

tmoney69,

It has been seven days since my last post.  Do you still need help?
 
If you do, please follow my previous instructions.  :thumbup2:


Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#7 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:03:58 PM

Posted 29 May 2013 - 04:26 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users