Posts posted by bcurtis65nj

  1. Here you go:

     

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-10-2013
    Ran by Administrator (administrator) on NJTMPDDT047 on 08-11-2013 17:03:23
    Running from C:\Users\Administrator\Desktop
    Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English(US)
    Internet Explorer Version 9
    Boot Mode: Safe Mode (with Networking)

    ==================== Processes (Whitelisted) ===================

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [McAfeeUpdaterUI] - C:\Program Files\McAfee\Common Framework\UdaterUI.exe [136512 2009-01-16] (McAfee, Inc.)
    HKLM\...\Run: [shStatEXE] - C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe [124224 2010-08-25] (McAfee, Inc.)
    HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [843712 2012-04-04] (Adobe Systems Incorporated)
    HKLM\...\Run: [bCSSync] - C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
    HKLM\...\Run: [sigmatelSysTrayApp] - C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe [405504 2007-05-06] (SigmaTel, Inc.)
    HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
    HKLM\...\RunOnce: [Malwarebytes Anti-Malware] - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
    HKCU\...\Run: [iSUSPM] - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [218032 2006-09-11] (Macrovision Corporation)
    MountPoints2: {58a0b9e2-a765-11e2-bac6-001aa0331aa4} - F:\LaunchU3.exe -a
    HKU\cdomahid\...\Policies\system: [DisableRegistryTools] 2
    HKU\dcollins\...\Run: [GoToMeeting] - C:\Users\dcollins\AppData\Local\Citrix\GoToMeeting\1132\g2mstart.exe [ 2013-03-21] (Citrix Online, a division of Citrix Systems, Inc.)
    HKU\dcollins\...\Run: [XnlY1NVWa.exe] - C:\Users\dcollins\AppData\Local\Nxrzwh3By5\XnlY1NVWa.exe [ 2013-11-08] (Microsoft Corporation)
    HKU\dcollins\...\Winlogon: [shell] cmd.exe [ 2010-11-20] (Microsoft Corporation) <==== ATTENTION
    HKU\dcollins\...\Command Processor: "C:\Users\dcollins\AppData\Local\Nxrzwh3By5\XnlY1NVWa.exe" <===== ATTENTION!
    Startup: C:\Users\dcollins\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Interaction Client.lnk
    ShortcutTarget: Interaction Client.lnk -> C:\Program Files\Interactive Intelligence\ICUserApps\InteractionClient.exe (Interactive Intelligence, Inc.)

    ==================== Internet (Whitelisted) ====================

    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x6D3E06E6B3DCCE01
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
    SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
    BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
    BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
    BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
    BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
    BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://jacada.webex.com/client/WBXclient-T28L10NSP8EP1-15699/event/ieatgpc1.cab
    Tcpip\Parameters: [DhcpNameServer] 10.17.24.20 10.17.24.4 10.17.24.36

    ========================== Services (Whitelisted) =================

    S2 ININ Tracing; C:\Program Files\Interactive Intelligence\ININ Trace Initialization\i3trace_initializer-w32r-1-1.exe [36352 2012-08-24] (Interactive Intelligence, Inc.)
    S2 Interactive Update Client; C:\Program Files\Interactive Intelligence\Interactive Update\ININ.UpdateClientService.exe [388264 2010-11-09] (Interactive Intelligence, Inc.)
    S2 McAfeeEngineService; C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe [22816 2010-08-25] (McAfee, Inc.)
    S2 McAfeeFramework; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [103744 2009-01-16] (McAfee, Inc.)
    S2 McShield; C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [147984 2010-08-25] (McAfee, Inc.)
    S2 McTaskManager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [66880 2010-08-25] (McAfee, Inc.)
    S2 mfevtp; C:\Windows\system32\mfevtps.exe [69192 2010-08-25] (McAfee, Inc.)
    S2 STacSV; C:\Windows\system32\STacSV.exe [94208 2007-05-06] (SigmaTel, Inc.)
    S2 uvnc_service; C:\Program Files\UltraVNC\WinVNC.exe [2016504 2011-05-18] (UltraVNC)

    ==================== Drivers (Whitelisted) ====================

    S2 DLABMFSM; C:\Windows\System32\Drivers\DLABMFSM.SYS [37360 2007-07-23] (Roxio)
    S2 DLABOIOM; C:\Windows\System32\Drivers\DLABOIOM.SYS [32848 2007-07-23] (Roxio)
    S2 DLADResM; C:\Windows\System32\Drivers\DLADResM.SYS [9104 2007-07-23] (Roxio)
    S2 DLAIFS_M; C:\Windows\System32\Drivers\DLAIFS_M.SYS [108752 2007-07-23] (Roxio)
    S2 DLAOPIOM; C:\Windows\System32\Drivers\DLAOPIOM.SYS [27216 2007-07-23] (Roxio)
    S2 DLAPoolM; C:\Windows\System32\Drivers\DLAPoolM.SYS [16304 2007-07-23] (Roxio)
    S2 DLAUDFAM; C:\Windows\System32\Drivers\DLAUDFAM.SYS [93552 2007-07-23] (Roxio)
    S2 DLAUDF_M; C:\Windows\System32\Drivers\DLAUDF_M.SYS [98448 2007-07-23] (Roxio)
    S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [76024 2010-08-25] (McAfee, Inc.)
    S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [91896 2010-08-25] (McAfee, Inc.)
    S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [43192 2010-08-25] (McAfee, Inc.)
    S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [344712 2010-08-25] (McAfee, Inc.)
    S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [66536 2010-08-25] (McAfee, Inc.)
    R1 mfetdik; C:\Windows\System32\drivers\mfetdik.sys [64208 2010-08-25] (McAfee, Inc.)
    S3 STHDA; C:\Windows\System32\drivers\stwrt.sys [326656 2007-05-06] (SigmaTel, Inc.)

    ==================== NetSvcs (Whitelisted) ===================

    ==================== One Month Created Files and Folders ========

    2013-11-08 17:03 - 2013-11-08 17:03 - 00000000 ____D C:\FRST
    2013-11-08 17:03 - 2013-11-08 17:00 - 01089445 _____ (Farbar) C:\Users\Administrator\Desktop\FRST.exe
    2013-11-08 14:32 - 2013-11-08 14:32 - 00388608 _____ (Trend Micro Inc.) C:\Users\Administrator\Downloads\HijackThis.exe
    2013-11-08 14:32 - 2013-11-08 14:32 - 00005858 _____ C:\Users\Administrator\Downloads\hijackthis.log
    2013-11-08 14:32 - 2013-11-08 14:32 - 00005858 _____ C:\Users\Administrator\Desktop\hijackthis.log
    2013-11-08 13:55 - 2013-11-08 13:55 - 00001063 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-11-08 13:55 - 2013-11-08 13:55 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Malwarebytes
    2013-11-08 13:55 - 2013-11-08 13:55 - 00000000 ____D C:\ProgramData\Malwarebytes
    2013-11-08 13:55 - 2013-11-08 13:55 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2013-11-08 13:55 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
    2013-11-08 13:36 - 2013-11-08 13:36 - 00299520 _____ C:\Users\dcollins\AppData\Roaming\KBW3HQKJLD
    2013-11-08 13:36 - 2013-11-08 13:36 - 00299520 _____ C:\Users\dcollins\AppData\Local\ACZqHB7poi
    2013-11-08 13:36 - 2013-11-08 13:36 - 00299520 _____ C:\ProgramData\ntN9v4aPVVt
    2013-11-08 13:34 - 2013-11-08 13:34 - 00299520 _____ C:\Users\dcollins\AppData\Roaming\BGGL6jWIdD
    2013-11-08 13:34 - 2013-11-08 13:34 - 00299520 _____ C:\Users\dcollins\AppData\Local\z0EVe60la0
    2013-11-08 13:34 - 2013-11-08 13:34 - 00299520 _____ C:\ProgramData\hm5LUHBahL
    2013-11-08 13:30 - 2013-11-08 13:30 - 00299520 _____ C:\Users\dcollins\AppData\Roaming\QbiJfO82
    2013-11-08 13:30 - 2013-11-08 13:30 - 00299520 _____ C:\Users\dcollins\AppData\Local\iNXChPq3d
    2013-11-08 13:30 - 2013-11-08 13:30 - 00299520 _____ C:\ProgramData\ewRQE8JscJ
    2013-11-08 13:29 - 2013-11-08 13:33 - 00000000 ____D C:\Users\dcollins\AppData\Local\Nxrzwh3By5
    2013-11-06 16:17 - 2013-11-06 16:17 - 00103364 _____ C:\Users\dcollins\Desktop\Remote Chat Application Mock Up 10 30 13.pptx
    2013-11-05 17:57 - 2013-11-05 17:57 - 00026624 _____ C:\Users\dcollins\Desktop\FS Inquiries vs Hours.xls
    2013-11-05 11:25 - 2013-11-05 18:30 - 00113437 _____ C:\Users\dcollins\Desktop\TRACFONE.cap
    2013-10-24 12:33 - 2013-10-24 12:33 - 00288549 _____ C:\Users\dcollins\Desktop\Olsen Race Picture.pptx
    2013-10-17 12:22 - 2013-10-17 12:50 - 00011840 ____N C:\Users\dcollins\Desktop\Updated Review report for Dan 2013.xlsx

    ==================== One Month Modified Files and Folders =======

    2013-11-08 17:03 - 2013-11-08 17:03 - 00000000 ____D C:\FRST
    2013-11-08 17:00 - 2013-11-08 17:03 - 01089445 _____ (Farbar) C:\Users\Administrator\Desktop\FRST.exe
    2013-11-08 14:32 - 2013-11-08 14:32 - 00388608 _____ (Trend Micro Inc.) C:\Users\Administrator\Downloads\HijackThis.exe
    2013-11-08 14:32 - 2013-11-08 14:32 - 00005858 _____ C:\Users\Administrator\Downloads\hijackthis.log
    2013-11-08 14:32 - 2013-11-08 14:32 - 00005858 _____ C:\Users\Administrator\Desktop\hijackthis.log
    2013-11-08 13:59 - 2010-11-20 16:01 - 00730320 _____ C:\Windows\system32\PerfStringBackup.INI
    2013-11-08 13:55 - 2013-11-08 13:55 - 00001063 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-11-08 13:55 - 2013-11-08 13:55 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Malwarebytes
    2013-11-08 13:55 - 2013-11-08 13:55 - 00000000 ____D C:\ProgramData\Malwarebytes
    2013-11-08 13:55 - 2013-11-08 13:55 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2013-11-08 13:53 - 2012-07-05 09:08 - 00000128 _____ C:\Windows\system32\config\netlogon.ftl
    2013-11-08 13:52 - 2009-07-13 23:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2013-11-08 13:52 - 2009-07-13 23:39 - 00044735 _____ C:\Windows\setupact.log
    2013-11-08 13:43 - 2009-07-13 23:34 - 00021904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-11-08 13:43 - 2009-07-13 23:34 - 00021904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-11-08 13:36 - 2013-11-08 13:36 - 00299520 _____ C:\Users\dcollins\AppData\Roaming\KBW3HQKJLD
    2013-11-08 13:36 - 2013-11-08 13:36 - 00299520 _____ C:\Users\dcollins\AppData\Local\ACZqHB7poi
    2013-11-08 13:36 - 2013-11-08 13:36 - 00299520 _____ C:\ProgramData\ntN9v4aPVVt
    2013-11-08 13:34 - 2013-11-08 13:34 - 00299520 _____ C:\Users\dcollins\AppData\Roaming\BGGL6jWIdD
    2013-11-08 13:34 - 2013-11-08 13:34 - 00299520 _____ C:\Users\dcollins\AppData\Local\z0EVe60la0
    2013-11-08 13:34 - 2013-11-08 13:34 - 00299520 _____ C:\ProgramData\hm5LUHBahL
    2013-11-08 13:33 - 2013-11-08 13:29 - 00000000 ____D C:\Users\dcollins\AppData\Local\Nxrzwh3By5
    2013-11-08 13:31 - 2012-07-03 12:02 - 01485501 _____ C:\Windows\WindowsUpdate.log
    2013-11-08 13:30 - 2013-11-08 13:30 - 00299520 _____ C:\Users\dcollins\AppData\Roaming\QbiJfO82
    2013-11-08 13:30 - 2013-11-08 13:30 - 00299520 _____ C:\Users\dcollins\AppData\Local\iNXChPq3d
    2013-11-08 13:30 - 2013-11-08 13:30 - 00299520 _____ C:\ProgramData\ewRQE8JscJ
    2013-11-08 09:22 - 2012-07-06 09:53 - 00046785 _____ C:\Windows\MKDEMSG.LOG
    2013-11-08 09:22 - 2012-07-06 09:53 - 00001024 _____ C:\Windows\MKDEWE.TRN
    2013-11-06 16:17 - 2013-11-06 16:17 - 00103364 _____ C:\Users\dcollins\Desktop\Remote Chat Application Mock Up 10 30 13.pptx
    2013-11-05 18:30 - 2013-11-05 11:25 - 00113437 _____ C:\Users\dcollins\Desktop\TRACFONE.cap
    2013-11-05 17:57 - 2013-11-05 17:57 - 00026624 _____ C:\Users\dcollins\Desktop\FS Inquiries vs Hours.xls
    2013-10-24 12:33 - 2013-10-24 12:33 - 00288549 _____ C:\Users\dcollins\Desktop\Olsen Race Picture.pptx
    2013-10-17 12:50 - 2013-10-17 12:22 - 00011840 ____N C:\Users\dcollins\Desktop\Updated Review report for Dan 2013.xlsx
    2013-10-14 14:33 - 2013-10-03 16:41 - 00010832 ____N C:\Users\dcollins\Desktop\Queue Server Problem Tracking.xlsx

    Files to move or delete:
    ====================
    C:\Users\dcollins\AppData\Local\Nxrzwh3By5\XnlY1NVWa.exe

    Some content of TEMP:
    ====================
    C:\Users\Administrator\AppData\Local\Temp\ose00000.exe
    C:\Users\dcollins\AppData\Local\Temp\G2MInstallerExtractor.exe
    C:\Users\dcollins\AppData\Local\Temp\~tmf919980727443332709.dll

    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    LastRegBack: 2013-10-31 09:58

    ==================== End Of Log ============================

    Addition.txt

  2. Malwarebytes found nothing when run under Administrator, but under the user account it is all locked up, with the clock ticking down and a demand that $300 be wired to some scum. Here is the log, thanks in advance.

     

    Logfile of Trend Micro HijackThis v2.0.5
    Scan saved at 2:32:15 PM, on 11/8/2013
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v9.00 (9.00.8112.16446)

    Boot mode: Safe mode with network support

    Running processes:
    C:\Windows\Explorer.EXE
    C:\Windows\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Users\Administrator\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
    O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
    O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    O4 - HKLM\..\Run: [sigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://jacada.webex.com/client/WBXclient-T28L10NSP8EP1-15699/event/ieatgpc1.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tmpdirect.ad
    O17 - HKLM\Software\..\Telephony: DomainName = tmpdirect.ad
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tmpdirect.ad
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tmpdirect.ad
    O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: ININ Tracing Initialization (ININ Tracing) - Interactive Intelligence, Inc. - C:\Program Files\Interactive Intelligence\ININ Trace Initialization\i3trace_initializer-w32r-1-1.exe
    O23 - Service: Interactive Update Client - Interactive Intelligence, Inc. - C:\Program Files\Interactive Intelligence\Interactive Update\ININ.UpdateClientService.exe
    O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

    --
    End of file - 5857 bytes

    hijackthis.log

  3. !!!!!! ComboFix hosed my machine. After it rebooted I could not log in with any user or password, getting "Request Not Supported". I could log in in safe mode though. This is a Dell Precision with a fingerprint reader running Win 7 Pro in an Active Directory domain, although I am at home now. I read on answers.microsoft.com that this can occur and no fix was available.

    I had to restore to the restore point created with MB Anti-Rootkit. The ComboFix restore point was not there. Re-running MB Anti-Rootkit now. Please advise.

    FYI, ComboFix did complete, and when I got into safe mode it created the log file, attached.

    log.txt
