FBI Moneypak Please help.

Discussion in 'Malware Help (A Specialist Will Reply)' started by brandon3420, May 24, 2013.

  1. brandon3420

    brandon3420 Malware Magnet

    Hello, I am trying to fix my sister's computer. It is a Windows 7 x32 Lenovo. She apparently got the FBI Moneypak virus/malware. Noob :) OK, I'm a new noob too since I'm here asking for help.

    Anyhow, I ran FRST and got the txt file (attached), so I think all I need is some help with the frstfix.txt file. Then I'll probably run the normal scans you guys recommend. I really appreciate any help, and I apologize if my post isn't in the correct format.

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-05-2013 03
    Ran by SYSTEM on 24-05-2013 21:45:27
    Running from G:\
    Windows 7 Home Premium Service Pack 1 (X86) OS Language: English(US)
    Internet Explorer Version 9
    Boot Mode: Recovery
    The current controlset is ControlSet001
    ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [Daemon for Mouse Suite] C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.EXE 60 [x]
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [248552 2010-05-14] (Sun Microsystems, Inc.)
    HKLM\...\Run: [Conime] %windir%\system32\conime.exe [x]
    HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
    HKLM\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4297136 2012-10-30] (AVAST Software)
    HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM\...\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose /waitstart [x]
    HKLM\...\Run: [EKIJ5000StatusMonitor] C:\Windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe [1638400 2010-09-02] (Eastman Kodak Company)
    HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [262656 2010-11-20] (Microsoft Corporation)
    HKU\Ceci\...\Run: [googletalk] C:\Users\Ceci\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart [ 2007-01-01] (Google)
    HKU\Ceci\...\Run: [Amazon Cloud Drive] C:\Users\Ceci\AppData\Local\Amazon\Cloud Drive\AmazonCloudDrive.exe [ 2012-11-12] ()
    HKU\Ceci\...\Run: [CPN Notifier] C:\Program Files\Lock Poker\PokerNotifier.exe [x]
    HKU\Ceci\...\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe [ 2009-07-17] (Adobe Systems, Inc.)
    HKU\Default\...\RunOnce: [] [x]
    HKU\Default\...\RunOnce: [Lenovoautoqdrive] C:\PROGRA~1\Common~1\Lenovo\Lenovo~1\LenovoAutorunreg.exe /DRIVE=Q [ 2009-03-24] ()
    HKU\Default User\...\RunOnce: [] [x]
    HKU\Default User\...\RunOnce: [Lenovoautoqdrive] C:\PROGRA~1\Common~1\Lenovo\Lenovo~1\LenovoAutorunreg.exe /DRIVE=Q [ 2009-03-24] ()
    Startup: C:\Users\Ceci\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
    ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

    ========================== Services (Whitelisted) =================

    S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [44808 2012-10-30] (AVAST Software)
    S2 Kodak AiO Network Discovery Service; C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe [394712 2012-06-18] (Eastman Kodak Company)
    S2 Kodak AiO Status Monitor Service; C:\Program Files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe [777728 2012-06-19] (Eastman Kodak Company)
    S2 UNS; C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2066968 2009-07-20] (Intel Corporation)

    ==================== Drivers (Whitelisted) ====================

    S2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [21256 2012-10-30] (AVAST Software)
    S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [58680 2012-10-30] (AVAST Software)
    S1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [44784 2012-10-15] (AVAST Software)
    S1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [738504 2012-10-30] (AVAST Software)
    S1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [361032 2012-10-30] (AVAST Software)
    S1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [54232 2012-10-30] (AVAST Software)

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-05-24 21:40 - 2013-05-24 21:40 - 00000000 ____D C:\FRST
    2013-05-24 18:08 - 2013-05-24 18:28 - 95023320 ___AT C:\ProgramData\eq3i2.pad
    2013-05-24 18:08 - 2013-05-24 18:14 - 00000000 ____A C:\ProgramData\as98213.txt
    2013-05-24 18:08 - 2013-05-24 18:08 - 00151552 ____A (Hilgraeve, Inc.) C:\ProgramData\2i3qe.dat
    2013-05-20 07:03 - 2013-05-20 07:26 - 00000000 ____D C:\Users\Ceci\Desktop\reyes
    2013-05-20 05:48 - 2013-05-20 06:58 - 00000000 ____D C:\Users\Ceci\Desktop\nietos
    2013-05-16 00:21 - 2013-05-16 00:21 - 00000000 ____A C:\Windows\System32\sho8711.tmp
    2013-05-16 00:04 - 2013-04-04 14:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2013-05-16 00:04 - 2013-04-04 14:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2013-05-16 00:04 - 2013-04-04 14:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2013-05-16 00:04 - 2013-04-04 14:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2013-05-16 00:04 - 2013-04-04 14:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2013-05-16 00:04 - 2013-04-04 14:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2013-05-16 00:04 - 2013-04-04 13:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2013-05-16 00:04 - 2013-04-04 13:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2013-05-16 00:04 - 2013-04-04 13:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2013-05-16 00:04 - 2013-04-04 13:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
    2013-05-16 00:04 - 2013-04-04 13:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2013-05-16 00:04 - 2013-04-04 13:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2013-05-16 00:04 - 2013-04-04 13:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2013-05-16 00:04 - 2013-04-04 13:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2013-05-16 00:02 - 2013-05-05 11:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2013-05-16 00:02 - 2013-05-05 11:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2013-05-15 22:41 - 2013-04-09 21:18 - 00728424 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
    2013-05-15 22:41 - 2013-04-09 21:18 - 00218984 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
    2013-05-15 22:41 - 2013-04-09 19:14 - 02347520 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2013-05-15 22:41 - 2013-03-18 20:53 - 00186368 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
    2013-05-15 22:41 - 2013-03-18 19:33 - 00040960 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll
    2013-05-15 22:41 - 2013-02-26 21:05 - 00101720 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe
    2013-05-15 22:41 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2013-05-15 22:41 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
    2013-05-15 22:41 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll
    2013-05-15 22:41 - 2013-02-26 20:49 - 00047104 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll
    2013-04-29 14:19 - 2013-05-24 18:15 - 00000000 ____D C:\Users\Ceci\AppData\Local\Deployment
    2013-04-29 14:19 - 2013-04-29 14:19 - 00000000 ____D C:\Users\Ceci\AppData\Local\Apps\2.0
    2013-04-28 07:06 - 2013-04-28 07:47 - 00000000 ____D C:\Users\Ceci\Documents\brandon

    ==================== One Month Modified Files and Folders ========

    2013-05-24 21:40 - 2013-05-24 21:40 - 00000000 ____D C:\FRST
    2013-05-24 21:34 - 2013-04-11 16:23 - 00000000 ____D C:\Program Files\Mozilla Firefox
    2013-05-24 21:34 - 2012-05-06 07:12 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
    2013-05-24 21:34 - 2012-02-17 15:31 - 00000000 ____D C:\ProgramData\Kodak
    2013-05-24 21:34 - 2012-02-08 14:39 - 00000000 ____D C:\users\Ceci
    2013-05-24 21:34 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\Offline Web Pages
    2013-05-24 21:34 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\wfp
    2013-05-24 21:34 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
    2013-05-24 21:34 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
    2013-05-24 21:34 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
    2013-05-24 21:34 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\AppCompat
    2013-05-24 21:34 - 2009-07-13 18:37 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
    2013-05-24 18:28 - 2013-05-24 18:08 - 95023320 ___AT C:\ProgramData\eq3i2.pad
    2013-05-24 18:15 - 2013-04-29 14:19 - 00000000 ____D C:\Users\Ceci\AppData\Local\Deployment
    2013-05-24 18:14 - 2013-05-24 18:08 - 00000000 ____A C:\ProgramData\as98213.txt
    2013-05-24 18:08 - 2013-05-24 18:08 - 00151552 ____A (Hilgraeve, Inc.) C:\ProgramData\2i3qe.dat
    2013-05-23 00:00 - 2012-08-20 13:53 - 00000326 ____A C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    2013-05-23 00:00 - 2011-12-10 21:01 - 01260150 ____A C:\Windows\WindowsUpdate.log
    2013-05-22 23:55 - 2012-06-20 13:22 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-05-22 23:20 - 2011-12-10 21:23 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-05-22 18:40 - 2012-02-18 00:35 - 00000000 ____D C:\Users\Ceci\Desktop\Adele
    2013-05-22 18:38 - 2012-04-22 06:04 - 00000000 ____D C:\Users\Ceci\Desktop\Spring Semester2012
    2013-05-22 18:26 - 2010-11-20 13:01 - 00727182 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-05-22 17:53 - 2011-12-10 21:23 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-05-22 11:44 - 2009-07-13 20:34 - 00027984 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-05-22 11:44 - 2009-07-13 20:34 - 00027984 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-05-22 11:37 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-05-22 11:36 - 2009-07-13 20:39 - 00071890 ____A C:\Windows\setupact.log
    2013-05-20 07:26 - 2013-05-20 07:03 - 00000000 ____D C:\Users\Ceci\Desktop\reyes
    2013-05-20 06:58 - 2013-05-20 05:48 - 00000000 ____D C:\Users\Ceci\Desktop\nietos
    2013-05-19 14:45 - 2012-02-18 00:35 - 00000000 ____D C:\Users\Ceci\Desktop\My Playlists
    2013-05-16 19:55 - 2012-06-20 13:22 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2013-05-16 19:55 - 2012-02-15 18:48 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2013-05-16 00:29 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
    2013-05-16 00:22 - 2009-07-13 20:33 - 00691272 ____A C:\Windows\System32\FNTCACHE.DAT
    2013-05-16 00:21 - 2013-05-16 00:21 - 00000000 ____A C:\Windows\System32\sho8711.tmp
    2013-05-16 00:00 - 2012-02-08 15:20 - 72607752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2013-05-15 17:45 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
    2013-05-10 13:18 - 2013-04-21 10:02 - 00001377 ____A C:\Users\Ceci\Desktop\ROBLOX Studio 2013.lnk
    2013-05-05 11:25 - 2013-05-16 00:02 - 12324864 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2013-05-05 11:12 - 2013-05-16 00:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2013-05-02 14:27 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\System32\FxsTmp
    2013-05-01 23:06 - 2012-02-08 16:24 - 00238872 ____A (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2013-04-29 14:19 - 2013-04-29 14:19 - 00000000 ____D C:\Users\Ceci\AppData\Local\Apps\2.0
    2013-04-28 07:47 - 2013-04-28 07:06 - 00000000 ____D C:\Users\Ceci\Documents\brandon

    Other Malware:
    ===========
    C:\ProgramData\2i3qe.dat
    C:\ProgramData\eq3i2.pad

    ==================== Known DLLs (Whitelisted) ============


    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2013-04-24 00:00:18
    Restore point made on: 2013-04-30 05:44:52
    Restore point made on: 2013-05-03 15:44:58
    Restore point made on: 2013-05-07 01:42:33
    Restore point made on: 2013-05-10 09:43:55
    Restore point made on: 2013-05-15 22:41:29
    Restore point made on: 2013-05-16 00:00:14
    Restore point made on: 2013-05-21 04:02:45
    Restore point made on: 2013-05-23 00:00:23

    ==================== Memory info ===========================

    Percentage of memory in use: 19%
    Total physical RAM: 3551.17 MB
    Available physical RAM: 2859.63 MB
    Total Pagefile: 3549.46 MB
    Available Pagefile: 2874.7 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1957.6 MB

    ==================== Drives ================================

    Drive c: (Windows7_OS) (Fixed) (Total:221.95 GB) (Free:128.88 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Drive e: (Lenovo_Recovery) (Fixed) (Total:9.77 GB) (Free:3.14 GB) NTFS
    Drive g: () (Removable) (Total:3.73 GB) (Free:2.69 GB) FAT32
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    Drive y: (SYSTEM_DRV) (Fixed) (Total:1.17 GB) (Free:0.46 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 233 GB) (Disk ID: 6F7820E2)
    Partition 1: (Active) - (Size=1 GB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=222 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=10 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (Size: 4 GB) (Disk ID: 00000000)
    Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)


    Last Boot: 2013-05-23 21:11

    ==================== End Of Log ============================
     

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please do not post logs inline.

    Save fixlist.txt to your flash drive.

    • You should now have both fixlist.txt and FRST.exe on your flash drive.

    Now reboot back into the System Recovery Options as you did previously.
    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.

    Running MGTools.
     

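The fixlist.txt TimW attached is not reproduced on this page, so the following is an added example (not code from the thread, from MajorGeeks, or from the FRST project) of how a helper drafts one from the log brandon3420 posted above. It assumes two things: that FRST's fix syntax accepts lines copied verbatim from its own log (a registry line removes that value, a bare path deletes that file or folder), and that files created in the same directory in the same minute as the entries FRST already listed under "Other Malware" belong to the same infection. The sample log embedded in the script is a constructed subset of the real log above; the function names are the example's own.

```python
"""Triage a Farbar Recovery Scan Tool (FRST) log and draft a fixlist.txt.

Added example for this thread; not FRST's code and not the posters' code.
Assumptions (see lead-in): FRST accepts verbatim log lines as fix directives,
and same-directory, same-minute siblings of flagged files are part of the drop.
"""
import ntpath
import re

# Constructed sample: a subset of the log posted above, trimmed to the
# sections this script reads (Registry, Created Files, Other Malware).
FRST_SAMPLE = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Daemon for Mouse Suite] C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.EXE 60 [x]
HKLM\...\Run: [Conime] %windir%\system32\conime.exe [x]
HKLM\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4297136 2012-10-30] (AVAST Software)
HKU\Ceci\...\Run: [CPN Notifier] C:\Program Files\Lock Poker\PokerNotifier.exe [x]
HKU\Default\...\RunOnce: [] [x]

==================== One Month Created Files and Folders ========

2013-05-24 21:40 - 2013-05-24 21:40 - 00000000 ____D C:\FRST
2013-05-24 18:08 - 2013-05-24 18:28 - 95023320 ___AT C:\ProgramData\eq3i2.pad
2013-05-24 18:08 - 2013-05-24 18:14 - 00000000 ____A C:\ProgramData\as98213.txt
2013-05-24 18:08 - 2013-05-24 18:08 - 00151552 ____A (Hilgraeve, Inc.) C:\ProgramData\2i3qe.dat
2013-05-16 00:04 - 2013-04-04 14:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

Other Malware:
===========
C:\ProgramData\2i3qe.dat
C:\ProgramData\eq3i2.pad

==================== Known DLLs (Whitelisted) ============

==================== End Of Log ============================
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")  # "==== Title ===="
AUTORUN_RE = re.compile(r"^(?P<hive>HK[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)


def parse_sections(text):
    """Split the log into {section title: [non-blank lines]}.

    Handles both '==== Title ====' headers and the 'Title:' line followed by a
    bare '=====' underline that FRST uses for 'Other Malware'.
    """
    sections = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m and m.group(1):
            current = m.group(1)
            sections[current] = []
        elif re.fullmatch(r"=+", line):
            if sections[current] and sections[current][-1].endswith(":"):
                current = sections[current].pop().rstrip(":")
                sections[current] = []
        else:
            sections[current].append(line)
    return sections


def orphan_autoruns(sections):
    """Autorun values whose target file is missing (FRST marks them '[x]')."""
    return [line for line in sections.get("Registry (Whitelisted)", [])
            if AUTORUN_RE.match(line) and line.endswith("[x]")]


def created_files(sections):
    """Parse the 'One Month Created Files and Folders' section into dicts."""
    out = []
    for line in sections.get("One Month Created Files and Folders", []):
        m = FILE_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def dropper_siblings(sections):
    """Pivot from FRST's 'Other Malware' paths to files created in the same
    directory in the same minute (assumption: they were dropped together)."""
    flagged = {p.lower(): p for p in sections.get("Other Malware", [])}
    entries = created_files(sections)
    pivots = {(ntpath.dirname(e["path"]).lower(), e["created"])
              for e in entries if e["path"].lower() in flagged}
    found = dict(flagged)
    for e in entries:
        if "D" in e["attrs"]:  # directories are not droppers
            continue
        if (ntpath.dirname(e["path"]).lower(), e["created"]) in pivots:
            found.setdefault(e["path"].lower(), e["path"])
    return sorted(found.values())


def build_fixlist(file_paths, autorun_lines):
    """Draft fixlist.txt: bare paths delete files, copied log lines remove
    registry values. A human reviews it before FRST > Fix applies it."""
    return "\r\n".join(list(file_paths) + list(autorun_lines)) + "\r\n"


if __name__ == "__main__":
    secs = parse_sections(FRST_SAMPLE)
    files = dropper_siblings(secs)
    for e in created_files(secs):
        if e["path"] in files and "T" in e["attrs"]:
            print(f"note: {e['path']} is {int(e['size']):,} bytes, unsigned, "
                  "Temporary attribute set; review before deleting")
    print(build_fixlist(files, orphan_autoruns(secs)), end="")
```

Run against the real FRST.txt instead of the embedded sample by reading the file into `parse_sections`. The pivot picks up as98213.txt, which FRST did not list but which was created in C:\ProgramData in the same minute as the two flagged files; the [x] entries are included because their targets no longer exist, but every line in the draft is meant to be checked by the person doing the cleanup, since FRST's Fix applies the list without asking.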
