FBI Moneypak

Discussion in 'Malware Help (A Specialist Will Reply)' started by Maelli, Sep 20, 2012.

  1. Maelli

    Maelli Private E-2

    I have Windows 7 Home Premier 64-bit, and I contracted an FBI Moneypak virus on the evening of the 17th and am only able to use my computer now because I rebooted in safe-mode and very irresponsibly deleted an application and two application extensions because their creation date and time was moments before the crash. I no longer remember the names of these but when I reboot my computer I am informed that one of them failed to run and can snag its name from there if it's needed.

    In addition to this error which began yesterday, I have been having a fatal error for the last several months when I log in, and have not been able to create a restore point or do a system restore since May. Attached are the logs from running through your procedure, minus one because it found no threats.
    Screenshots of the error messages I have been getting are posted in the software section under "catastrophic failure" because until looking at more threads I was unaware the issues could be related.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 9 detections:

    • [RUN][SUSP PATH] HKCU\[...]\Run : SessEnv (C:\Users\Wildflower\AppData\Local\Microsoft\Windows\4384\SessEnv.exe) -> FOUND
    • [RUN][BLACKLIST DLL] HKCU\[...]\Run : sibtws ("C:\Windows\System32\rundll32.exe" "C:\Users\Wildflower\AppData\Roaming\sibtws.dll",FromFile) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-2690355529-209094352-1316587796-1001[...]\Run : SessEnv (C:\Users\Wildflower\AppData\Local\Microsoft\Windows\4384\SessEnv.exe) -> FOUND
    • [RUN][BLACKLIST DLL] HKUS\S-1-5-21-2690355529-209094352-1316587796-1001[...]\Run : sibtws ("C:\Windows\System32\rundll32.exe" "C:\Users\Wildflower\AppData\Roaming\sibtws.dll",FromFile) -> FOUND
    • [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    • [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    • [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (\\.\globalroot\systemroot\Installer\{eaa6ee55-f780-5852-a878-cffa2c6baa4a}\n.) -> FOUND
    • [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Wildflower\AppData\Local\{eaa6ee55-f780-5852-a878-cffa2c6baa4a}\n.) -> FOUND
    • [HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (\\.\globalroot\systemroot\Installer\{eaa6ee55-f780-5852-a878-cffa2c6baa4a}\n.) -> FOUND


    Place a checkmark on each of these items, leave the others unchecked.
    Now press the Delete button.


    ...and the same for these Files/Folders tab entries please.

    • [ZeroAccess][FILE] @ : C:\Windows\Installer\{eaa6ee55-f780-5852-a878-cffa2c6baa4a}\@ --> FOUND
    • [ZeroAccess][FOLDER] U : C:\Windows\Installer\{eaa6ee55-f780-5852-a878-cffa2c6baa4a}\U --> FOUND
    • [ZeroAccess][FOLDER] L : C:\Windows\Installer\{eaa6ee55-f780-5852-a878-cffa2c6baa4a}\L --> FOUND
    • [ZeroAccess][FILE] @ : C:\Users\Wildflower\AppData\Local\{eaa6ee55-f780-5852-a878-cffa2c6baa4a}\@ --> FOUND
    • [ZeroAccess][FOLDER] U : C:\Users\Wildflower\AppData\Local\{eaa6ee55-f780-5852-a878-cffa2c6baa4a}\U --> FOUND
    • [ZeroAccess][FOLDER] L : C:\Users\Wildflower\AppData\Local\{eaa6ee55-f780-5852-a878-cffa2c6baa4a}\L --> FOUND
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)



    Delete this file:
    C:\Users\Wildflower\AppData\Roaming\Microsoft\Windows\Templates\9a991e5d


    • Reboot the machine.
    • Re-run RogueKiller and attach the log.
    • Re-run HitmanPro and attach that log too please.
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  3. Maelli

    Maelli Private E-2

    Okay, so I was a little confused about how to delete the second list but I believe I got it done. If I didn't, I hope it will be noticeable so you can tell me I messed up and let me know how to finish. The two RK logs are from before and after rebooting and the other two are both from after.

    And I want to mention how beautiful it is that you take the time to help complete strangers - I am really humbled regardless of whether or not I continue to have problems (which could only be my own fault). Thank you very, very much for your time.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are *most* welcome. :)

    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  5. Maelli

    Maelli Private E-2

    How do I look? Good to go?
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Delete this file:
    C:\Users\Wildflower\AppData\Roaming\SIBTWS.DLL

    Delete this folder.
    C:\ProgramData\SpeedyPC Software

    Reboot, are they still gone?

    • Now, click on Start > and type in services.msc and hit ENTER.
      • Scroll down to the Background Intelligent Transfer Service if it shows and let me know its status and start up type, please.
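The checks Kestrel13! walks through by hand in post 2 (the Run keys and the ZeroAccess-style {GUID} folders RogueKiller flagged) and in post 6 (the BITS service state) can be gathered in one read-only pass. The script below is an added example written for this thread, not part of the MajorGeeks procedure or RogueKiller; it assumes an elevated PowerShell prompt on the affected machine and only reports, it deletes nothing.

```powershell
# Added example, not from the thread: read-only triage for the indicators
# discussed above. Run from an elevated PowerShell prompt (Windows 7 / PS 2.0+).
$findings = @()

# 1. Run keys that launch rundll32 with a DLL under AppData\Roaming (the
#    "sibtws" pattern) or an .exe under AppData\Local (the "SessEnv" pattern).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # skip PowerShell's own metadata
        $v = [string]$p.Value
        if ($v -match '(?i)rundll32.*AppData\\Roaming' -or
            $v -match '(?i)AppData\\Local\\.*\.exe') {
            $findings += "Suspicious Run value: $key\$($p.Name) = $v"
        }
    }
}

# 2. {GUID} folders under Windows\Installer and %LOCALAPPDATA% that hold the
#    "@" file plus "U" and "L" subfolders, the layout RogueKiller tagged [ZeroAccess].
$roots = "$env:SystemRoot\Installer", $env:LOCALAPPDATA
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
      Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9a-fA-F-]{36}\}$' } |
      ForEach-Object {
        $dir = $_.FullName
        if ((Test-Path (Join-Path $dir '@')) -and
            (Test-Path (Join-Path $dir 'U')) -and
            (Test-Path (Join-Path $dir 'L'))) {
            $findings += "ZeroAccess-style folder: $dir"
        }
      }
}

# 3. The services the helper asks about: BITS (post 6) and Windows Update (post 14).
#    WMI is used so the start mode is available on PowerShell 2.0 as well.
foreach ($name in 'BITS', 'wuauserv') {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) { $findings += "Service $name : NOT FOUND (missing service entry)"; continue }
    $findings += "Service $name : State=$($svc.State) StartMode=$($svc.StartMode)"
}

$findings
```

A service that shows as started before a reboot and stopped afterwards (as in posts 11 to 13) is normal for a Manual start mode; the lines worth acting on are a missing service entry or any hit from sections 1 and 2.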
     
  7. Maelli

    Maelli Private E-2

    Yes, they were still gone.
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What about the service I asked about! :)
     
  9. Maelli

    Maelli Private E-2

    I attached a screenshot of it. :) The status isn't listed and the start up type is manual.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Right click it and start the service if you can. Let me know what happens when you try?
     
  11. Maelli

    Maelli Private E-2

    Now it says started.
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Reboot > now check again, is it still started and still on manual?
     
  13. Maelli

    Maelli Private E-2

    No. I've rebooted and it is no longer started (but is still on manual).
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Are Windows Updates okay?
     
