1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

FBI MoneyPak

Discussion in 'Virus & Other Malware Removal' started by sfeind, Feb 22, 2013.

Thread Status:
Not open for further replies.
Advertisement
  1. sfeind

    sfeind Thread Starter

    Joined:
    Feb 22, 2013
    Messages:
    6
    I thought I had this all cleaned out of my system... However I have been stuck with the same wallpaper and my dell toolbox driver doesn't want to work..

    I have ran in Safe mode:
    Malware Bytes
    CC Cleaner

    I have searched for a list of different file names and nothing shows up

    Both say everything is fine however I know it isn't..

    I tried to do a system restore but somehow in the mix of everything my restore points have all been deleted and turned off.

    If I format my computer I will loose programs that I can't find my key for...

    Is there another program or suggestions that someone has for me? I am at a complete loss. I called my antivirus company and they were worthless in helping..

    Thank you ahead of time for any help someone can provide..
     
  2. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    What do you mean stuck with the same wallpaper, is that the FBI alert? if so what system do you have, Windows 8, 7, Vista or XP.
     
  3. sfeind

    sfeind Thread Starter

    Joined:
    Feb 22, 2013
    Messages:
    6
    I got the FBI alert to clear in the safemode.. I am referring to the desktop wallpaper/background that usually is changeable.
    I use Window 7 on a Dell computer if that helps any..
     
  4. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Can you run DDS and post a set of logs:

    Download and save DDS to your Desktop from either of the following links:

    http://download.bleepingcomputer.com/sUBs/dds.scr
    http://compendiate.net/sUBs/dds/dds.scr

    Note: You must use Internet Explorer to download dds.scr, other browsers will open the file in the browser and not save it. Or if you must use Firefox, or Chrome, then right click the link and select "save link as" and save the file to your desktop.

    Double-click the dds.scr file to run the program.

    It will automatically run in silent mode and then you will see the following note:

    "Two logs shall be created on your Desktop"

    The logs will be named dds.txt and attach.txt".

    Wait until the logs appear and then copy and paste their contents in your post.

    Kevin
     
  5. sfeind

    sfeind Thread Starter

    Joined:
    Feb 22, 2013
    Messages:
    6
    The only program I could get to run was hijack & GMER. Here is the log for hijack
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:20:28 PM, on 2/25/2013
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v9.00 (9.00.8112.16464)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe
    C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
    C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
    C:\Program Files (x86)\Dell Stage\Dell Stage\stage_secondary.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files (x86)\Adobe\Photoshop 6.0\Photoshp.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_149_ActiveX.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    J:\Run on Baron's computer\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USCON/1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe,
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
    O4 - HKLM\..\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O16 - DPF: {682C59F5-478C-4421-9070-AD170D143B77} - http://www.dell.com/support/troubleshooting/Content/Ode/pcd86.cab
    O16 - DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - https://secure.iolo.com/purchase/We...2jcxaHSE2ukEZ70YimPNPDQ2&t=634793383810000000
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: Dell Digital Delivery Service (DellDigitalDelivery) - Dell Products, LP. - C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: GamesAppService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe
    O23 - Service: iolo System Service (ioloSystemService) - iolo technologies, LLC - C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    O23 - Service: RealNetworks Downloader Resolver Service - Unknown owner - C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: vseamps - Commtouch, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe
    O23 - Service: vsedsps - Commtouch, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe
    O23 - Service: vseqrts - Commtouch, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 8685 bytes
     
  6. sfeind

    sfeind Thread Starter

    Joined:
    Feb 22, 2013
    Messages:
    6
    Here is the log for GMER
    GMER 2.1.19081 - http://www.gmer.net
    Rootkit scan 2013-02-25 21:22:19
    Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3500413AS rev.JC49 465.76GB
    Running: q8f8zd2e.exe; Driver: C:\Users\Owner\AppData\Local\Temp\fxldapob.sys


    ---- Threads - GMER 2.1 ----

    Thread c:\Program Files\Microsoft Security Client\NisSrv.exe [2572:2604] 000007fefe17a808
    Thread c:\Program Files\Microsoft Security Client\NisSrv.exe [2572:2104] 000007fefd7c6e60
    Thread [3300:3384] 00000000103c9f80
    Thread [3300:3392] 0000000076f32e25
    Thread [3300:3404] 000000007369052c
    Thread [3300:3408] 000000007369052c
    Thread [3300:3416] 0000000073db32fb
    Thread [3300:3632] 000000007369052c
    Thread [3300:3640] 000000007369052c
    Thread [3300:3668] 0000000074bf12e5
    Thread [3300:3788] 0000000072daa3e0
    Thread [3300:2032] 0000000076f33e45
    Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4076:944] 000007fefb742a7c
    Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4076:3280] 0000000010009740
    Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4076:2428] 0000000010009740

    ---- EOF - GMER 2.1 ----
     
  7. sfeind

    sfeind Thread Starter

    Joined:
    Feb 22, 2013
    Messages:
    6
    I will try the DDS one again tomorrow.. I am not going to be at that computer this evening.
     
  8. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Leave DDS for now, run the following diagnostic scanner from the recovery environment:

    download Farbar Recovery Scan Tool from here:
    http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
    save it to a flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Plug the flash drive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt Here: http://www.bleepingcomputer.com/tutorials/windows-8-recovery-environment-command-prompt/ to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options I give two methods, use whichever is convenient for you.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select Your Country as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account an click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select Your Country as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt


    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Kevin
     
  9. sfeind

    sfeind Thread Starter

    Joined:
    Feb 22, 2013
    Messages:
    6
    Well I followed your directions right up to the last part... and instead of going into the command prompt I saw system restore to original settings.... So needless to say I reformatted this computer.. I spent all weekend reloading software.. The upside to this is it is running better than it has in a long time... :|
    Thank you for your help!
     
  10. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    OK thanks for the good news, occasionally a reformat and reinstall is the best way forward. I`ll mark this up as solved
     
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/1090633

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice