bcurtis65nj
Everything posted by bcurtis65nj
-
Attached are the FRST logs. Thanks in advance for the help. Addition.txt FRST.txt
-
"Interpole" Extortion virus - locked up PC
bcurtis65nj replied to bcurtis65nj's topic in Resolved Malware Removal Logs
Yes, still need help. I was away all weekend, will get to this in the AM. Thanks.
-
"Interpole" Extortion virus - locked up PC
bcurtis65nj replied to bcurtis65nj's topic in Resolved Malware Removal Logs
Here you go:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-10-2013
Ran by Administrator (administrator) on NJTMPDDT047 on 08-11-2013 17:03:23
Running from C:\Users\Administrator\Desktop
Microsoft Windows 7 Professional Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Safe Mode (with Networking)

==================== Processes (Whitelisted) ===================

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [McAfeeUpdaterUI] - C:\Program Files\McAfee\Common Framework\UdaterUI.exe [136512 2009-01-16] (McAfee, Inc.)
HKLM\...\Run: [shStatEXE] - C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe [124224 2010-08-25] (McAfee, Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [843712 2012-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [bCSSync] - C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [sigmatelSysTrayApp] - C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe [405504 2007-05-06] (SigmaTel, Inc.)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware] - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKCU\...\Run: [iSUSPM] - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [218032 2006-09-11] (Macrovision Corporation)
MountPoints2: {58a0b9e2-a765-11e2-bac6-001aa0331aa4} - F:\LaunchU3.exe -a
HKU\cdomahid\...\Policies\system: [DisableRegistryTools] 2
HKU\dcollins\...\Run: [GoToMeeting] - C:\Users\dcollins\AppData\Local\Citrix\GoToMeeting\1132\g2mstart.exe [ 2013-03-21] (Citrix Online, a division of Citrix Systems, Inc.)
HKU\dcollins\...\Run: [XnlY1NVWa.exe] - C:\Users\dcollins\AppData\Local\Nxrzwh3By5\XnlY1NVWa.exe [ 2013-11-08] (Microsoft Corporation)
HKU\dcollins\...\Winlogon: [shell] cmd.exe [ 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\dcollins\...\Command Processor: "C:\Users\dcollins\AppData\Local\Nxrzwh3By5\XnlY1NVWa.exe" <===== ATTENTION!
Startup: C:\Users\dcollins\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Interaction Client.lnk
ShortcutTarget: Interaction Client.lnk -> C:\Program Files\Interactive Intelligence\ICUserApps\InteractionClient.exe (Interactive Intelligence, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x6D3E06E6B3DCCE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://jacada.webex.com/client/WBXclient-T28L10NSP8EP1-15699/event/ieatgpc1.cab
Tcpip\Parameters: [DhcpNameServer] 10.17.24.20 10.17.24.4 10.17.24.36

========================== Services (Whitelisted) =================

S2 ININ Tracing; C:\Program Files\Interactive Intelligence\ININ Trace Initialization\i3trace_initializer-w32r-1-1.exe [36352 2012-08-24] (Interactive Intelligence, Inc.)
S2 Interactive Update Client; C:\Program Files\Interactive Intelligence\Interactive Update\ININ.UpdateClientService.exe [388264 2010-11-09] (Interactive Intelligence, Inc.)
S2 McAfeeEngineService; C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe [22816 2010-08-25] (McAfee, Inc.)
S2 McAfeeFramework; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [103744 2009-01-16] (McAfee, Inc.)
S2 McShield; C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [147984 2010-08-25] (McAfee, Inc.)
S2 McTaskManager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [66880 2010-08-25] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [69192 2010-08-25] (McAfee, Inc.)
S2 STacSV; C:\Windows\system32\STacSV.exe [94208 2007-05-06] (SigmaTel, Inc.)
S2 uvnc_service; C:\Program Files\UltraVNC\WinVNC.exe [2016504 2011-05-18] (UltraVNC)

==================== Drivers (Whitelisted) ====================

S2 DLABMFSM; C:\Windows\System32\Drivers\DLABMFSM.SYS [37360 2007-07-23] (Roxio)
S2 DLABOIOM; C:\Windows\System32\Drivers\DLABOIOM.SYS [32848 2007-07-23] (Roxio)
S2 DLADResM; C:\Windows\System32\Drivers\DLADResM.SYS [9104 2007-07-23] (Roxio)
S2 DLAIFS_M; C:\Windows\System32\Drivers\DLAIFS_M.SYS [108752 2007-07-23] (Roxio)
S2 DLAOPIOM; C:\Windows\System32\Drivers\DLAOPIOM.SYS [27216 2007-07-23] (Roxio)
S2 DLAPoolM; C:\Windows\System32\Drivers\DLAPoolM.SYS [16304 2007-07-23] (Roxio)
S2 DLAUDFAM; C:\Windows\System32\Drivers\DLAUDFAM.SYS [93552 2007-07-23] (Roxio)
S2 DLAUDF_M; C:\Windows\System32\Drivers\DLAUDF_M.SYS [98448 2007-07-23] (Roxio)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [76024 2010-08-25] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [91896 2010-08-25] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [43192 2010-08-25] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [344712 2010-08-25] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [66536 2010-08-25] (McAfee, Inc.)
R1 mfetdik; C:\Windows\System32\drivers\mfetdik.sys [64208 2010-08-25] (McAfee, Inc.)
S3 STHDA; C:\Windows\System32\drivers\stwrt.sys [326656 2007-05-06] (SigmaTel, Inc.)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-11-08 17:03 - 2013-11-08 17:03 - 00000000 ____D C:\FRST
2013-11-08 17:03 - 2013-11-08 17:00 - 01089445 _____ (Farbar) C:\Users\Administrator\Desktop\FRST.exe
2013-11-08 14:32 - 2013-11-08 14:32 - 00388608 _____ (Trend Micro Inc.) C:\Users\Administrator\Downloads\HijackThis.exe
2013-11-08 14:32 - 2013-11-08 14:32 - 00005858 _____ C:\Users\Administrator\Downloads\hijackthis.log
2013-11-08 14:32 - 2013-11-08 14:32 - 00005858 _____ C:\Users\Administrator\Desktop\hijackthis.log
2013-11-08 13:55 - 2013-11-08 13:55 - 00001063 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-11-08 13:55 - 2013-11-08 13:55 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Malwarebytes
2013-11-08 13:55 - 2013-11-08 13:55 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-11-08 13:55 - 2013-11-08 13:55 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-11-08 13:55 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-11-08 13:36 - 2013-11-08 13:36 - 00299520 _____ C:\Users\dcollins\AppData\Roaming\KBW3HQKJLD
2013-11-08 13:36 - 2013-11-08 13:36 - 00299520 _____ C:\Users\dcollins\AppData\Local\ACZqHB7poi
2013-11-08 13:36 - 2013-11-08 13:36 - 00299520 _____ C:\ProgramData\ntN9v4aPVVt
2013-11-08 13:34 - 2013-11-08 13:34 - 00299520 _____ C:\Users\dcollins\AppData\Roaming\BGGL6jWIdD
2013-11-08 13:34 - 2013-11-08 13:34 - 00299520 _____ C:\Users\dcollins\AppData\Local\z0EVe60la0
2013-11-08 13:34 - 2013-11-08 13:34 - 00299520 _____ C:\ProgramData\hm5LUHBahL
2013-11-08 13:30 - 2013-11-08 13:30 - 00299520 _____ C:\Users\dcollins\AppData\Roaming\QbiJfO82
2013-11-08 13:30 - 2013-11-08 13:30 - 00299520 _____ C:\Users\dcollins\AppData\Local\iNXChPq3d
2013-11-08 13:30 - 2013-11-08 13:30 - 00299520 _____ C:\ProgramData\ewRQE8JscJ
2013-11-08 13:29 - 2013-11-08 13:33 - 00000000 ____D C:\Users\dcollins\AppData\Local\Nxrzwh3By5
2013-11-06 16:17 - 2013-11-06 16:17 - 00103364 _____ C:\Users\dcollins\Desktop\Remote Chat Application Mock Up 10 30 13.pptx
2013-11-05 17:57 - 2013-11-05 17:57 - 00026624 _____ C:\Users\dcollins\Desktop\FS Inquiries vs Hours.xls
2013-11-05 11:25 - 2013-11-05 18:30 - 00113437 _____ C:\Users\dcollins\Desktop\TRACFONE.cap
2013-10-24 12:33 - 2013-10-24 12:33 - 00288549 _____ C:\Users\dcollins\Desktop\Olsen Race Picture.pptx
2013-10-17 12:22 - 2013-10-17 12:50 - 00011840 ____N C:\Users\dcollins\Desktop\Updated Review report for Dan 2013.xlsx

==================== One Month Modified Files and Folders =======

2013-11-08 17:03 - 2013-11-08 17:03 - 00000000 ____D C:\FRST
2013-11-08 17:00 - 2013-11-08 17:03 - 01089445 _____ (Farbar) C:\Users\Administrator\Desktop\FRST.exe
2013-11-08 14:32 - 2013-11-08 14:32 - 00388608 _____ (Trend Micro Inc.) C:\Users\Administrator\Downloads\HijackThis.exe
2013-11-08 14:32 - 2013-11-08 14:32 - 00005858 _____ C:\Users\Administrator\Downloads\hijackthis.log
2013-11-08 14:32 - 2013-11-08 14:32 - 00005858 _____ C:\Users\Administrator\Desktop\hijackthis.log
2013-11-08 13:59 - 2010-11-20 16:01 - 00730320 _____ C:\Windows\system32\PerfStringBackup.INI
2013-11-08 13:55 - 2013-11-08 13:55 - 00001063 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-11-08 13:55 - 2013-11-08 13:55 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Malwarebytes
2013-11-08 13:55 - 2013-11-08 13:55 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-11-08 13:55 - 2013-11-08 13:55 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-11-08 13:53 - 2012-07-05 09:08 - 00000128 _____ C:\Windows\system32\config\netlogon.ftl
2013-11-08 13:52 - 2009-07-13 23:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-11-08 13:52 - 2009-07-13 23:39 - 00044735 _____ C:\Windows\setupact.log
2013-11-08 13:43 - 2009-07-13 23:34 - 00021904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-08 13:43 - 2009-07-13 23:34 - 00021904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-08 13:36 - 2013-11-08 13:36 - 00299520 _____ C:\Users\dcollins\AppData\Roaming\KBW3HQKJLD
2013-11-08 13:36 - 2013-11-08 13:36 - 00299520 _____ C:\Users\dcollins\AppData\Local\ACZqHB7poi
2013-11-08 13:36 - 2013-11-08 13:36 - 00299520 _____ C:\ProgramData\ntN9v4aPVVt
2013-11-08 13:34 - 2013-11-08 13:34 - 00299520 _____ C:\Users\dcollins\AppData\Roaming\BGGL6jWIdD
2013-11-08 13:34 - 2013-11-08 13:34 - 00299520 _____ C:\Users\dcollins\AppData\Local\z0EVe60la0
2013-11-08 13:34 - 2013-11-08 13:34 - 00299520 _____ C:\ProgramData\hm5LUHBahL
2013-11-08 13:33 - 2013-11-08 13:29 - 00000000 ____D C:\Users\dcollins\AppData\Local\Nxrzwh3By5
2013-11-08 13:31 - 2012-07-03 12:02 - 01485501 _____ C:\Windows\WindowsUpdate.log
2013-11-08 13:30 - 2013-11-08 13:30 - 00299520 _____ C:\Users\dcollins\AppData\Roaming\QbiJfO82
2013-11-08 13:30 - 2013-11-08 13:30 - 00299520 _____ C:\Users\dcollins\AppData\Local\iNXChPq3d
2013-11-08 13:30 - 2013-11-08 13:30 - 00299520 _____ C:\ProgramData\ewRQE8JscJ
2013-11-08 09:22 - 2012-07-06 09:53 - 00046785 _____ C:\Windows\MKDEMSG.LOG
2013-11-08 09:22 - 2012-07-06 09:53 - 00001024 _____ C:\Windows\MKDEWE.TRN
2013-11-06 16:17 - 2013-11-06 16:17 - 00103364 _____ C:\Users\dcollins\Desktop\Remote Chat Application Mock Up 10 30 13.pptx
2013-11-05 18:30 - 2013-11-05 11:25 - 00113437 _____ C:\Users\dcollins\Desktop\TRACFONE.cap
2013-11-05 17:57 - 2013-11-05 17:57 - 00026624 _____ C:\Users\dcollins\Desktop\FS Inquiries vs Hours.xls
2013-10-24 12:33 - 2013-10-24 12:33 - 00288549 _____ C:\Users\dcollins\Desktop\Olsen Race Picture.pptx
2013-10-17 12:50 - 2013-10-17 12:22 - 00011840 ____N C:\Users\dcollins\Desktop\Updated Review report for Dan 2013.xlsx
2013-10-14 14:33 - 2013-10-03 16:41 - 00010832 ____N C:\Users\dcollins\Desktop\Queue Server Problem Tracking.xlsx

Files to move or delete:
====================
C:\Users\dcollins\AppData\Local\Nxrzwh3By5\XnlY1NVWa.exe

Some content of TEMP:
====================
C:\Users\Administrator\AppData\Local\Temp\ose00000.exe
C:\Users\dcollins\AppData\Local\Temp\G2MInstallerExtractor.exe
C:\Users\dcollins\AppData\Local\Temp\~tmf919980727443332709.dll

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-10-31 09:58

==================== End Of Log ============================

Addition.txt
-
Malwarebytes found nothing when run under Administrator, but under the user account it is all locked up, clock ticking down and demanding $300 be wired to some scum. Here is the log, thanks in advance.

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 2:32:15 PM, on 11/8/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16446)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Administrator\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [sigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://jacada.webex.com/client/WBXclient-T28L10NSP8EP1-15699/event/ieatgpc1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tmpdirect.ad
O17 - HKLM\Software\..\Telephony: DomainName = tmpdirect.ad
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tmpdirect.ad
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tmpdirect.ad
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: ININ Tracing Initialization (ININ Tracing) - Interactive Intelligence, Inc. - C:\Program Files\Interactive Intelligence\ININ Trace Initialization\i3trace_initializer-w32r-1-1.exe
O23 - Service: Interactive Update Client - Interactive Intelligence, Inc. - C:\Program Files\Interactive Intelligence\Interactive Update\ININ.UpdateClientService.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 5857 bytes

hijackthis.log
-
Here you go:
c:\users\bcurtis\AppData\Roaming\iasna_C92E1371-3DF5-4322-9729-82CC0DD90ECA.dll - https://www.virustotal.com/file/64e4c8ef5f25222f27529c2ce8ba13225488bec7db1c88f6ee469342e64ac214/analysis/1357704864/
c:\users\bcurtis\g2ax_expert_downloadhelper_win32_x86.exe - https://www.virustotal.com/file/4aaf34bf828fa10804bd3ee0a1fbc581e5508d6f8599abdf70c51ad57055b89e/analysis/1357705021/
c:\users\bcurtis\g2mdlhlpx.exe - https://www.virustotal.com/file/407168a8d891526b37bc66c2f7fa97df91fa11dd0810bb274c89ff9d66105423/analysis/
c:\users\bcurtis\GoToAssistDownloadHelper.exe - https://www.virustotal.com/file/2701804c1a4b5b536c3f1eecade14d692850a57b96d62e3188cafd19925c1294/analysis/1357705124/
c:\windows\SysWow64\instsrv.exe - https://www.virustotal.com/file/f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c/analysis/
-
No, they are back because I went to a restore point prior to running ComboFix. At least one looks like a legit file for my Citrix GoToAssist s/w, but it may be masquerading as such.
-
MBAR found the same item it did last time; see the log post from earlier tonight. Since I had to restore to the restore point it created prior to the original scan, it needed to be re-run; see attached. As before, the older of these two MB logs is the one where it found something; the second should show the results of the 2nd scan, nothing. mbar-log-2013-01-08 (22-22-41).txt mbar-log-2013-01-08 (22-38-12).txt system-log.txt
-
!!!!!! ComboFix hosed my machine - after it rebooted I could not log in with any user or password, getting "Request Not Supported". I could log in in safe mode though. This is a Dell Precision with a fingerprint reader running Win 7 Pro in an Active Directory domain, although I am at home now. I read on answers.microsoft.com that this can occur and no fix was available. I had to restore to the restore point created with MB Anti-Rootkit. The ComboFix restore point was not there. Re-running MB Anti-Rootkit now. Please advise. FYI - ComboFix did complete, and when I got into safe mode it created the log file, attached. log.txt
-
Attached are the logs; still having Google redirect issues. I included the mbar-log from the initial run where it did find malware and the one where it did not. Nasty bugger this one is... mbar-log-2013-01-08 (20-38-52).txt mbar-log-2013-01-08 (21-07-02).txt system-log.txt
-
Here you go, thanks. RKreport1_S_01082013_02d2001.txt
-
This one is just nasty. Any help would be greatly appreciated. Thanks in advance. See attached. Attach.txt DDS.txt
-
Had to restore to the ComboFix restore point. Please advise, re-scan using ComboFix?
-
HELP! ComboFix ran, rebooted, and now I cannot log in - "the request is not supported", Windows 7 Pro. Tried local admin as well, same error. Locked out and bumming....
-
Here you go. I did not "fix" the infected file; see attached. aswMBR.txt
-
Not all the time, but 25% of the time I am getting a redirect on Google; see attached. Thanks in advance. DDS.txt Attach.txt
-
Not every time, but random redirects from Google. See attached, and thanks in advance! Attach.txt DDS.txt