
Infected with FBI Moneypak virus


This topic is locked
14 replies to this topic

#1 ppppesto

Posted 29 May 2013 - 09:30 PM

Hello,

My laptop seems to be the latest victim of the FBI Moneypak virus on these forums. I'm currently running it in Safe Mode with Networking. The version that I got looks like this:

http://www.precisesecurity.com/wp-content/uploads/2013/02/FBI-Cybercrime-Division-Malware.png

I am running Malwarebytes Anti-Malware now but I am not sure if it will be enough to get rid of the virus entirely.

Please help! Thank you!



#2 RPMcMurphy (Malware Response Team)

Posted 29 May 2013 - 10:15 PM

Hello and welcome. Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 ppppesto (Topic Starter)

Posted 29 May 2013 - 11:10 PM


 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-05-2013

Ran by ppppesto (administrator) on 30-05-2013 00:02:39

Running from C:\Users\ppppesto\Desktop

Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Safe Mode (with Networking)

==================== Processes (Whitelisted) =================

 

(Opera Software) C:\Program Files (x86)\Opera\opera.exe

(Google) C:\Users\ppppesto\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe

(Farbar) C:\Users\ppppesto\Desktop\FRST64.exe

 

==================== Registry (Whitelisted) ==================

 

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-20] (Synaptics Incorporated)

HKLM\...\Run: [SoundMAX] C:\Program Files (x86)\Analog Devices\SoundMAX\soundmax.exe /tray [3866624 2009-05-18] (Analog Devices, Inc.)

HKLM\...\Run: [PPlanEx] C:\Program Files\Panasonic\PPlanEx\PPlanEx.exe [650112 2009-11-11] (Panasonic Corporation)

HKLM\...\Run: [WSwitch] C:\Program Files\Panasonic\WSwitch\WSwitch.exe [1258880 2009-12-09] (Panasonic Corporation)

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)

HKCU\...\Run: [Google Update] "C:\Users\ppppesto\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-08-15] (Google Inc.)

HKCU\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)

HKLM-x32\...\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1310720 2009-08-12] (Analog Devices, Inc.)

HKLM-x32\...\Run: [Panasonic Hotkey Manager] C:\Program Files (x86)\Panasonic\Hotkey Appendix\HKEYAPP.EXE [1064768 2009-08-09] (Panasonic Corporation)

HKLM-x32\...\Run: [PCinfo] C:\Program Files (x86)\Panasonic\pcinfo\PcInfoUt.exe [99136 2009-07-02] (Panasonic Corporation)

HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)

HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)

HKLM-x32\...\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime [x]

HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]

HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]

Startup: C:\ProgramData\Start Menu\Programs\Startup\Optimized View.lnk

ShortcutTarget: Optimized View.lnk -> C:\Program Files\Panasonic\OptiView\FS_ZOOMFilt.exe (Panasonic Corporation)

Startup: C:\ProgramData\Start Menu\Programs\Startup\PC Information Popup.lnk

ShortcutTarget: PC Information Popup.lnk -> C:\Program Files (x86)\Panasonic\PPopup\ppopup.exe (Panasonic Corporation)

Startup: C:\ProgramData\Start Menu\Programs\Startup\Touch Pad Utility.lnk

ShortcutTarget: Touch Pad Utility.lnk -> C:\Program Files (x86)\Panasonic\WheelPad\Touchpad.exe (Panasonic Corporation)

Startup: C:\Users\ppppesto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk

ShortcutTarget: Dropbox.lnk -> C:\Users\ppppesto\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

Startup: C:\Users\ppppesto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

Startup: C:\Users\ppppesto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk

ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\1reni.dat (No File)

 

==================== Internet (Whitelisted) ====================

 

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.nytimes.com

BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll (Safer Networking Limited)

BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

BHO-x32: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

BHO-x32: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File

PDF: HKLM {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)

Winsock: Catalog5-x64 07 C:\Program Files\Bonjour\mdnsNSP.dll [193024] (Apple Inc.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt

Tcpip\Parameters: [DhcpNameServer] 134.174.141.2 134.174.17.6

 

FireFox:

========

FF ProfilePath: C:\Users\ppppesto\AppData\Roaming\Mozilla\Firefox\Profiles\4udgjyrw.default

FF Homepage: hxxp://www.google.com/calendar/

FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_202.dll ()

FF Plugin: @microsoft.com/GENUINE - disabled No File

FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll ()

FF Plugin-x32: @java.com/JavaPlugin - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF Plugin-x32: @microsoft.com/GENUINE - disabled No File

FF Plugin-x32: Adobe Acrobat - C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)

FF Extension: Ghostery - C:\Users\ppppesto\AppData\Roaming\Mozilla\Firefox\Profiles\4udgjyrw.default\Extensions\firefox@ghostery.com

FF Extension: WOT - C:\Users\ppppesto\AppData\Roaming\Mozilla\Firefox\Profiles\4udgjyrw.default\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF Extension: DownloadHelper - C:\Users\ppppesto\AppData\Roaming\Mozilla\Firefox\Profiles\4udgjyrw.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

FF Extension: No Name - C:\Users\ppppesto\AppData\Roaming\Mozilla\Firefox\Profiles\4udgjyrw.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

 

==================== Services (Whitelisted) =================

 

S2 AEADIFilters; C:\Windows\system32\AEADISRV.EXE [111616 2009-08-12] (Andrea Electronics Corporation)

S2 ETMService; C:\Windows\SysWOW64\EtmService.exe [223768 2009-07-09] (Intel Corporation)

S2 LPDSVC; C:\Windows\system32\lpdsvc.dll [45568 2009-07-13] (Microsoft Corporation)

R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)

S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)

S2 OPDOFFSV; C:\Program Files\Panasonic\PPlanEx\opdoffsv.exe [636736 2009-06-17] (Panasonic Corporation)

S2 PcInfoPi; C:\Program Files (x86)\Panasonic\pcinfo\PCInfoPi.exe [46912 2009-09-30] (Panasonic Corporation)

S2 PcInfoSV; C:\Program Files (x86)\Panasonic\pcinfo\PCInfoSV.exe [235392 2009-10-12] (Panasonic Corporation)

S2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

S2 SELSUSSV; C:\Program Files (x86)\Panasonic\Selsussv\selsussv.exe [76672 2009-12-25] (Panasonic Corporation)

S2 Task Manager Lite; C:\Windows\SysWOW64\tskman.exe [118784 2009-07-22] ()

 

==================== Drivers (Whitelisted) ====================

 

S3 epmntdrv; C:\Windows\system32\epmntdrv.sys [16776 2011-07-29] ()

S3 EtmCpu; C:\Windows\System32\DRIVERS\EtmDevCpu.sys [32256 2009-07-09] (Intel Corporation)

S3 EtmDevGen; C:\Windows\System32\DRIVERS\EtmDevGen.sys [23552 2009-07-09] (Intel Corporation)

S3 EtmDrvMgr; C:\Windows\System32\DRIVERS\EtmDrvMgr.sys [58368 2009-07-09] (Intel Corporation)

S3 EtmFan; C:\Windows\System32\DRIVERS\EtmDevFan.sys [13824 2009-07-09] (Intel Corporation)

S3 EtmGmchMem; C:\Windows\System32\DRIVERS\EtmDevGmch.sys [108032 2009-07-09] (Intel Corporation)

S3 EuGdiDrv; C:\Windows\system32\EuGdiDrv.sys [9096 2011-07-29] ()

R3 HOTKEY; C:\Windows\System32\DRIVERS\hotkey.sys [28992 2009-03-09] (Panasonic Corporation)

S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)

R3 NewMisc; C:\Windows\System32\DRIVERS\nmisc64.sys [66112 2009-06-29] (Panasonic Corporation)

S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)

S3 vpnva; system32\DRIVERS\vpnva64.sys [x]

 

==================== NetSvcs (Whitelisted) ===================

 

 

==================== One Month Created Files and Folders ========

 

2013-05-29 23:29 - 2013-05-29 23:56 - 00001738 ____A C:\Windows\PFRO.log

2013-05-29 23:29 - 2013-05-29 23:56 - 00000112 ____A C:\Windows\setupact.log

2013-05-29 23:29 - 2013-05-29 23:29 - 00000000 ____A C:\Windows\setuperr.log

2013-05-29 23:18 - 2013-05-29 23:18 - 00000000 ____D C:\FRST

2013-05-29 23:17 - 2013-05-29 23:17 - 01915774 ____A (Farbar) C:\Users\ppppesto\Desktop\FRST64.exe

2013-05-29 22:10 - 2013-05-29 22:11 - 95023320 ___AT C:\ProgramData\rgt2.pad

2013-05-29 22:10 - 2013-05-29 22:10 - 00002645 ____A C:\ProgramData\iner1.js

2013-05-29 22:10 - 2013-05-29 22:10 - 00000151 ____A C:\ProgramData\iner1.reg

2013-05-29 22:10 - 2013-05-29 22:10 - 00000056 ____A C:\ProgramData\iner1.bat

2013-05-29 22:10 - 2013-05-29 22:10 - 00000000 ____A C:\ProgramData\kjhy64.txt

2013-05-29 22:09 - 2013-05-29 22:13 - 95023320 ___AT C:\ProgramData\iner1.pad

2013-05-23 20:58 - 2013-05-23 20:59 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2013-05-18 12:25 - 2013-05-18 12:25 - 00483328 ____A (Simon Tatham) C:\Users\ppppesto\Desktop\putty.exe

2013-05-18 12:25 - 2013-05-18 12:25 - 00000600 ____A C:\Users\ppppesto\AppData\Local\PUTTY.RND

2013-05-16 20:39 - 2013-05-05 17:36 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-16 20:39 - 2013-05-05 17:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-16 20:39 - 2013-05-05 15:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-16 20:39 - 2013-05-05 15:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-16 20:33 - 2013-04-04 21:19 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-05-16 20:33 - 2013-04-04 21:08 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-05-16 20:33 - 2013-04-04 21:01 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-05-16 20:33 - 2013-04-04 21:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-05-16 20:33 - 2013-04-04 20:59 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2013-05-16 20:33 - 2013-04-04 20:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-05-16 20:33 - 2013-04-04 20:57 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-05-16 20:33 - 2013-04-04 20:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2013-05-16 20:33 - 2013-04-04 20:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-05-16 20:33 - 2013-04-04 20:55 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2013-05-16 20:33 - 2013-04-04 20:54 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-05-16 20:33 - 2013-04-04 20:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-05-16 20:33 - 2013-04-04 20:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-05-16 20:33 - 2013-04-04 20:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-05-16 20:33 - 2013-04-04 18:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-05-16 20:33 - 2013-04-04 18:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2013-05-16 20:33 - 2013-04-04 18:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-05-16 20:33 - 2013-04-04 18:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-05-16 20:33 - 2013-04-04 18:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2013-05-16 20:33 - 2013-04-04 17:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-05-16 20:33 - 2013-04-04 17:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-05-16 20:33 - 2013-04-04 17:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2013-05-16 20:33 - 2013-04-04 17:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2013-05-16 20:33 - 2013-04-04 17:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-05-16 20:33 - 2013-04-04 17:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-05-16 20:33 - 2013-04-04 17:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2013-05-16 20:33 - 2013-04-04 17:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-05-16 20:32 - 2013-04-04 18:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-05-15 05:39 - 2013-04-10 02:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys

2013-05-15 05:39 - 2013-04-10 02:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys

2013-05-15 05:39 - 2011-02-03 07:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll

2013-05-15 05:38 - 2013-04-09 23:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-05-15 05:38 - 2013-03-19 01:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll

2013-05-15 05:38 - 2013-03-19 01:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll

2013-05-15 05:38 - 2013-02-27 02:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe

2013-05-15 05:38 - 2013-02-27 01:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2013-05-15 05:38 - 2013-02-27 01:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll

2013-05-15 05:38 - 2013-02-27 01:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll

2013-05-15 05:38 - 2013-02-27 01:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll

2013-05-15 05:38 - 2013-02-27 00:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2013-05-15 05:38 - 2013-02-27 00:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll

2013-05-15 05:38 - 2013-02-27 00:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll

2013-05-14 23:11 - 2013-05-14 23:12 - 17613192 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe

 

==================== One Month Modified Files and Folders =======

 

2013-05-30 00:00 - 2010-03-08 00:41 - 01877755 ____A C:\Windows\WindowsUpdate.log

2013-05-30 00:00 - 2009-07-14 00:45 - 00015152 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-05-30 00:00 - 2009-07-14 00:45 - 00015152 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-05-29 23:58 - 2010-06-21 10:34 - 00000000 ____D C:\Users\ppppesto\AppData\Roaming\Dropbox

2013-05-29 23:57 - 2012-03-18 22:55 - 00000000 ___RD C:\Users\ppppesto\Dropbox

2013-05-29 23:56 - 2013-05-29 23:29 - 00001738 ____A C:\Windows\PFRO.log

2013-05-29 23:56 - 2013-05-29 23:29 - 00000112 ____A C:\Windows\setupact.log

2013-05-29 23:56 - 2009-07-14 01:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-29 23:29 - 2013-05-29 23:29 - 00000000 ____A C:\Windows\setuperr.log

2013-05-29 23:18 - 2013-05-29 23:18 - 00000000 ____D C:\FRST

2013-05-29 23:17 - 2013-05-29 23:17 - 01915774 ____A (Farbar) C:\Users\ppppesto\Desktop\FRST64.exe

2013-05-29 22:14 - 2012-11-01 07:38 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

2013-05-29 22:13 - 2013-05-29 22:09 - 95023320 ___AT C:\ProgramData\iner1.pad

2013-05-29 22:12 - 2013-04-01 14:28 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-05-29 22:11 - 2013-05-29 22:10 - 95023320 ___AT C:\ProgramData\rgt2.pad

2013-05-29 22:10 - 2013-05-29 22:10 - 00002645 ____A C:\ProgramData\iner1.js

2013-05-29 22:10 - 2013-05-29 22:10 - 00000151 ____A C:\ProgramData\iner1.reg

2013-05-29 22:10 - 2013-05-29 22:10 - 00000056 ____A C:\ProgramData\iner1.bat

2013-05-29 22:10 - 2013-05-29 22:10 - 00000000 ____A C:\ProgramData\kjhy64.txt

2013-05-29 22:01 - 2011-12-01 00:00 - 00000340 ____A C:\Windows\Tasks\At2.job

2013-05-29 21:19 - 2012-08-15 21:13 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3866111677-935689091-1683429776-1001UA.job

2013-05-29 12:09 - 2012-08-15 21:13 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3866111677-935689091-1683429776-1001Core.job

2013-05-25 12:09 - 2010-03-21 21:33 - 00000000 ____D C:\Users\ppppesto\AppData\Roaming\Skype

2013-05-23 20:59 - 2013-05-23 20:58 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2013-05-20 21:17 - 2012-11-21 15:27 - 00000000 ____D C:\Windows\rescache

2013-05-18 12:25 - 2013-05-18 12:25 - 00483328 ____A (Simon Tatham) C:\Users\ppppesto\Desktop\putty.exe

2013-05-18 12:25 - 2013-05-18 12:25 - 00000600 ____A C:\Users\ppppesto\AppData\Local\PUTTY.RND

2013-05-18 01:13 - 2009-07-14 00:45 - 00420864 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-16 20:55 - 2010-03-21 21:06 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-05-16 20:47 - 2010-03-22 03:08 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-05-16 20:43 - 2009-07-14 01:13 - 00740814 ____A C:\Windows\System32\PerfStringBackup.INI

2013-05-14 23:14 - 2012-07-28 18:55 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-05-14 23:14 - 2011-08-22 15:40 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-05-14 23:12 - 2013-05-14 23:11 - 17613192 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe

2013-05-12 20:17 - 2010-03-21 19:05 - 00000000 ____D C:\Users\ppppesto\AppData\Roaming\Mozilla

2013-05-05 17:36 - 2013-05-16 20:39 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-05 17:16 - 2013-05-16 20:39 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-05 15:25 - 2013-05-16 20:39 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-05 15:12 - 2013-05-16 20:39 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-02 11:29 - 2010-03-21 14:52 - 00278800 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

 

Other Malware:

===========

C:\ProgramData\iner1.bat

C:\ProgramData\iner1.pad

C:\ProgramData\iner1.reg

C:\ProgramData\rgt2.pad

C:\Windows\Tasks\At1.job

C:\Windows\Tasks\At2.job

 

==================== Bamital & volsnap Check =================

 

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

 

 

Last Boot: 2013-05-24 01:24

 

==================== End Of Log ============================

 

 

 

 


#4 RPMcMurphy (Malware Response Team)

Posted 30 May 2013 - 10:36 AM

Please do this next:

Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open notepad. Save it in the same location as FRST (usually your desktop) as fixlist.txt

2013-05-29 22:10 - 2013-05-29 22:11 - 95023320 ___AT C:\ProgramData\rgt2.pad
2013-05-29 22:10 - 2013-05-29 22:10 - 00002645 ____A C:\ProgramData\iner1.js
2013-05-29 22:10 - 2013-05-29 22:10 - 00000151 ____A C:\ProgramData\iner1.reg
2013-05-29 22:10 - 2013-05-29 22:10 - 00000056 ____A C:\ProgramData\iner1.bat
2013-05-29 22:10 - 2013-05-29 22:10 - 00000000 ____A C:\ProgramData\kjhy64.txt
2013-05-29 22:09 - 2013-05-29 22:13 - 95023320 ___AT C:\ProgramData\iner1.pad
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At2.job
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now run FRST again.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Download Combofix from HERE, and save it to your desktop.

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

  • If you have trouble, stop and post back.  Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.

Note: If after running ComboFix you receive a message stating, "Illegal Operation Attempted on a registry key that has been marked for deletion" rebooting your computer will resolve the problem.

Please include the following in your next post:

  • Fixlog.txt
  • ComboFix log

 


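One way to triage a log in this format, as an added example that is not part of this thread and is neither FRST's nor the helper's own code: a small Python parser over constructed lines shaped like the FRST output in post #3, flagging the three patterns the two fixlists in this thread are built from (a startup shortcut whose target is missing, loose unsigned files dropped straight into C:\ProgramData, and a service binary with no publisher). The sample lines, the kind labels and the function names are all this example's own; a flagged entry is a lead for a responder to review, not a verdict.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) text logs (added example).

Flags three patterns a responder reads an FRST log for: a startup shortcut whose
target no longer exists, loose unsigned files created directly in C:\\ProgramData,
and a service whose binary carries no publisher.
"""
import re
from dataclasses import dataclass

# Constructed sample in FRST's line format, modelled on the log posted in this
# thread (a handful of lines, not the full log).
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)
Startup: C:\Users\ppppesto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\ppppesto\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\ppppesto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\1reni.dat (No File)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
S2 Task Manager Lite; C:\Windows\SysWOW64\tskman.exe [118784 2009-07-22] ()
2013-05-29 23:17 - 2013-05-29 23:17 - 01915774 ____A (Farbar) C:\Users\ppppesto\Desktop\FRST64.exe
2013-05-29 22:10 - 2013-05-29 22:11 - 95023320 ___AT C:\ProgramData\rgt2.pad
2013-05-29 22:10 - 2013-05-29 22:10 - 00002645 ____A C:\ProgramData\iner1.js
2013-05-29 22:10 - 2013-05-29 22:10 - 00000151 ____A C:\ProgramData\iner1.reg
2013-05-29 22:10 - 2013-05-29 22:10 - 00000056 ____A C:\ProgramData\iner1.bat
2013-05-23 20:58 - 2013-05-23 20:59 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-05-16 20:55 - 2010-03-21 21:06 - 00000000 ____D C:\ProgramData\Microsoft Help
"""

# "ShortcutTarget: <lnk> -> <target> (<publisher or No File>)"
SHORTCUT_RE = re.compile(
    r"^ShortcutTarget: (?P<lnk>.+?) -> (?P<target>.+?)(?: \((?P<note>[^)]*)\))?$"
)
# "<state> <name>; <path> [<size> <date>] (<publisher>)"  e.g. "S2 Foo; C:\x.exe [1 2009-01-01] ()"
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[\d+ \d{4}-\d\d-\d\d\] \((?P<publisher>[^)]*)\)$"
)
# "<created> - <modified> - <size> <attrs> [(<publisher>) ]<path>"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) (?:\((?P<publisher>[^)]*)\) )?(?P<path>.+)$"
)

PROGRAMDATA = "c:\\programdata\\"


@dataclass(frozen=True)
class Finding:
    kind: str    # one of the three labels used in triage() (this example's own names)
    path: str
    detail: str


def _loose_in_programdata(path: str) -> bool:
    """True for an entry sitting directly in C:\\ProgramData, not in a subfolder."""
    low = path.lower()
    return low.startswith(PROGRAMDATA) and "\\" not in low[len(PROGRAMDATA):]


def triage(log_text: str) -> list[Finding]:
    """Walk FRST log lines and return the entries worth a responder's attention."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SHORTCUT_RE.match(line)
        if m:
            # A logon shortcut whose target is gone: the loader was removed but the
            # persistence entry was not (the "problem starting ... 1reni.dat" popup).
            if m.group("note") == "No File":
                findings.append(Finding("missing-shortcut-target", m.group("target"),
                                        f"{m.group('lnk')} runs at logon but its target is gone"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            # An empty "()" means FRST found no publisher on the service binary.
            if not m.group("publisher"):
                findings.append(Finding("unsigned-service", m.group("path"),
                                        f"service '{m.group('name')}' has no publisher"))
            continue
        m = FILE_RE.match(line)
        if (m and "D" not in m.group("attrs") and not m.group("publisher")
                and _loose_in_programdata(m.group("path"))):
            findings.append(Finding("loose-programdata-file", m.group("path"),
                                    f"created {m.group('created')}, "
                                    f"{int(m.group('size'))} bytes, no publisher"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group flagged paths by kind, preserving log order within each kind."""
    out: dict[str, list[str]] = {}
    for f in findings:
        out.setdefault(f.kind, []).append(f.path)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.path}: {f.detail}")
```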


#5 ppppesto (Topic Starter)

Posted 30 May 2013 - 07:55 PM

Thanks for your reply. Attached are Fixlog.txt and Combofix.txt.


#6 RPMcMurphy (Malware Response Team)

Posted 31 May 2013 - 10:32 AM

Are you still seeing the FBI warning hijack? Please do this next:

Download AdwCleaner from here and save it to your desktop.

  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information, C:\_OTL\MovedFiles or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:

  • adwCleaner log
  • JRT log
  • MBAM log

 




#7 ppppesto (Topic Starter)

Posted 01 June 2013 - 09:00 PM

Attached are the 3 files you requested.

I don't see the FBI warning hijack anymore, but every time I start up my computer, I get this popup message:

There was a problem starting C:\PROGRA~3\1reni.dat

The specified module could not be found.

So I think there is still something in my computer trying to start the hijack.


#8 RPMcMurphy (Malware Response Team)

Posted 02 June 2013 - 07:44 AM

Please run a fresh FRST scan for me from the normal mode and post the new log.




#9 ppppesto (Topic Starter)

Posted 02 June 2013 - 08:06 AM

FRST.txt attached.

Attached File: FRST.txt (23.21KB)


#10 RPMcMurphy (Malware Response Team)

Posted 02 June 2013 - 10:15 AM

Please do this next:

Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open notepad. Save it in the same location as FRST (usually your desktop) as fixlist.txt

Startup: C:\Users\ppppesto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\1reni.dat (No File)
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now run FRST again.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.

Please include the following in your next post:
  • fixlog.txt log
  • ESET log

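Added example, not code from this thread or from FRST's author: a small Python helper that parses FRST-style Startup/ShortcutTarget lines such as the two in the fixlist above, flags a shortcut whose target is reported missing, is not an executable type, or sits directly under ProgramData, and echoes the matching raw lines in the form the fixlist quotes them. The sample lines, the benign OneNote entry and the heuristics are my own assumptions, not FRST's.

```python
import re
# Constructed sample of FRST-style output: the regmonstd.lnk pair is from the fixlist
# in this thread; the OneNote entry is a made-up benign control the audit must not flag.
SAMPLE_FRST_LINES = r"""
Startup: C:\Users\ppppesto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\1reni.dat (No File)
Startup: C:\Users\ppppesto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote.lnk
ShortcutTarget: OneNote.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
""".strip().splitlines()
STARTUP_RE = re.compile(r"^Startup:\s+.+\\(?P<lnk>[^\\]+\.lnk)\s*$", re.I)
TARGET_RE = re.compile(r"^ShortcutTarget:\s+(?P<lnk>\S+\.lnk)\s+->\s+(?P<target>.+?)"
                       r"(?:\s+\((?P<note>[^)]*)\))?\s*$", re.I)
RUNNABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".ps1", ".scr"}

def parse_startup_entries(lines):
    """Pair each Startup: shortcut with its ShortcutTarget: line, keeping the raw lines."""
    entries = {}
    for raw in lines:
        line = raw.strip()
        m = STARTUP_RE.match(line) or TARGET_RE.match(line)
        if not m:
            continue
        rec = entries.setdefault(m.group("lnk").lower(),
                                 {"shortcut": m.group("lnk"), "target": "", "note": "", "raw": []})
        rec["raw"].append(line)
        if "target" in m.groupdict():  # only the ShortcutTarget: line carries these
            rec["target"] = m.group("target")
            rec["note"] = (m.group("note") or "").strip()
    return list(entries.values())

def suspicious_reasons(entry):
    """Heuristics (assumed, not FRST's) for a Startup shortcut that deserves a second look."""
    target, reasons = entry["target"], []
    name = target.rsplit("\\", 1)[-1]
    ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
    if entry["note"].lower() == "no file":
        reasons.append("missing target")  # dangling once the payload is gone
    if target and ext not in RUNNABLE_EXT:
        reasons.append(f"non-executable extension {ext or '(none)'}")
    if re.match(r"^[a-z]:\\(progra~3|programdata)\\[^\\]+$", target, re.I):
        reasons.append("target directly under ProgramData")  # no vendor subfolder
    return reasons

def audit(lines):
    """Flagged entries with their reasons."""
    return [{"shortcut": e["shortcut"], "target": e["target"], "reasons": r}
            for e in parse_startup_entries(lines) if (r := suspicious_reasons(e))]

def fixlist_lines(lines):
    """Raw lines of flagged entries, in the form the fixlist above quotes them."""
    return [l for e in parse_startup_entries(lines) if suspicious_reasons(e) for l in e["raw"]]
```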


#11 ppppesto (Topic Starter, Members, 13 posts)

Posted 02 June 2013 - 06:30 PM

C:\FRST\Quarantine\iner1.js Win32/Reveton.R trojan

#12 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 02 June 2013 - 10:00 PM

Your logs are looking good now (that ESET detection is already in quarantine).  All I have left for you is some housekeeping and cleanup:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.  Uninstall Java™ 6 Update 29 via Control Panel > Programs > Uninstall a program, then go to www.java.com and press the "Free Java Download" button near the center of the page.  Follow the prompts to install the latest version.

Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run.  Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:

  • FRST (you may also delete the c:\FRST folder)
  • AdwCleaner
  • Junkware Removal Tool

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:

  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated.  Scan with them at least weekly.
  • Please read this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!



#13 ppppesto (Topic Starter, Members, 13 posts)

Posted 02 June 2013 - 10:07 PM

I'm all set. Thanks a lot!



#14 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 04 June 2013 - 10:56 AM

You're welcome!  Take care.




#15 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 04 June 2013 - 09:39 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
