newsoma (Members)
Posts: 8
  1. ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=d2ce0af8eb3bf840b85edc3cb8b67ee5
# engine=13641
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-04-17 11:26:29
# local_time=2013-04-17 07:26:29 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776573 100 94 0 117785980 0 0
# compatibility_mode=8450 16777213 85 99 0 20658238 0 0
# scanned=86469
# found=1
# cleaned=1
# scan_time=2502
sh=ADB18FCCEA79DB3D042B1B6E503AD89F10EE4A61 ft=0 fh=0000000000000000 vn="JS/Redirector.NCG trojan (deleted - quarantined)" ac=C fn="C:\Users\lstudent.MCCLABS\AppData\Local\ca59d205-a2de-11e2-8274-b8ac6f996f26.crx"
  2. UPDATE + FIX

I logged in as another user and ran MalwareBytes, which found 3 entries which I then deleted. (I will attach the log from this scan.) The issue seems to be with this registry entry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceActiveDesktopOn (PUM.Hijack.Desktop) -> Bad: (1) Good: (0)

Once that was deleted, I renamed the infected user's folder back to just their username, restarted the machine, and logged in as the infected user and voila!! I got control of the desktop back.

I then went to open IE and got the message box asking what program I wanted to use to open it. I then tried several other programs only to get the same message. I did find, however, that when I right click on the program and run as administrator, no problem. So I opened IE as an administrator and googled that issue. It took me to this Microsoft FixIt page: http://support.microsoft.com/kb/2688326

I downloaded and ran the FixIt, rebooted the machine, and FINALLY everything is working as normal again. I also had to reinstall my Sophos Anti-Virus as it had gotten corrupted at some point as well.

Please let me know if you think there is anything else I should do at this point, or if you think I'm ok now. Thanks for your help.

MalwareBytes Log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.12.10

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
lstudent :: LWR-101-27219 [administrator]

4/17/2013 1:39:21 PM
mbam-log-2013-04-17 (13-39-21).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 612021
Time elapsed: 48 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceActiveDesktopOn (PUM.Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\lstudent.MCCLABS.bad\AppData\Local\Temp\jar_cache8776431484378787633.tmp (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\9was4t130dw1b.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

(end)
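Two per-user registry problems drove the symptoms in the post above: the ForceActiveDesktopOn policy that MBAM reports as PUM.Hijack.Desktop, and an .exe association that prompts "what program do you want to use" until the FixIt restores it. Note that the EXE ASSOCIATION section of the FRST logs in this thread only reports the HKLM keys, which were fine; HKCU\Software\Classes overrides HKLM for the logged-in user, so a per-user override is invisible to that check. The script below is an added example, not code from Malwarebytes, FRST or the thread: it parses a .reg export, checks both hives for the policy value and for the .exe mapping and open command, and emits a .reg that undoes what it found. The .reg text is constructed to show a broken state and is not a dump of the machine in the thread.

```python
"""Check a registry export (.reg text) for the two per-user problems this thread ran into:
the ForceActiveDesktopOn policy MBAM flagged as PUM.Hijack.Desktop, and a broken .exe
association. Added example, not code from Malwarebytes, FRST or the thread; the .reg
text below is constructed to show a broken state, it is not a dump of the lab machine."""
import re

CLEAN_EXE_CMD = '"%1" %*'  # the value FRST reported as OK under HKLM in the logs in this thread
HIVES = ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE")  # HKCU\Software\Classes overrides HKLM for that user

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ForceActiveDesktopOn"=dword:00000001

[HKEY_CURRENT_USER\Software\Classes\.exe]
@=""

[HKEY_LOCAL_MACHINE\Software\Classes\.exe]
@="exefile"

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg escapes backslash and double quote with a backslash


def _decode(v):
    if v.startswith("dword:"):
        return int(v[6:], 16)
    if len(v) >= 2 and v[0] == v[-1] == '"':
        return _unescape(v[1:-1])
    return v   # hex:/expand strings are left raw; not needed for these checks


def parse_reg(text):
    """Return {key_path: {value_name: value}}; the (Default) value is stored under '@'."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            reg[key][name] = _decode(m.group(2))
    return reg


def check(reg):
    """Return (hive, where, observed, expected) tuples for each policy/association problem."""
    findings = []
    for hive in HIVES:
        pol = reg.get(hive + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", {})
        if pol.get("ForceActiveDesktopOn") == 1:
            findings.append((hive, "ForceActiveDesktopOn", 1, 0))
        ext = reg.get(hive + r"\Software\Classes\.exe")
        if ext is None:
            continue   # a clean HKCU has no .exe key at all; HKLM's exefile mapping applies
        progid = ext.get("@", "")
        if progid != "exefile":
            findings.append((hive, r"Software\Classes\.exe", progid, "exefile"))
            continue
        cmd_key = hive + r"\Software\Classes\exefile\shell\open\command"
        cmd = reg.get(cmd_key, {}).get("@")
        if cmd is not None and cmd != CLEAN_EXE_CMD:
            findings.append((hive, cmd_key, cmd, CLEAN_EXE_CMD))
    return findings


def repair_reg(findings):
    """Emit .reg text that undoes the findings: reset the policy, drop per-user overrides, restore commands."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for hive, where, observed, expected in findings:
        if where == "ForceActiveDesktopOn":
            out += ["[%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]" % hive,
                    '"ForceActiveDesktopOn"=dword:00000000', ""]
        elif hive == "HKEY_CURRENT_USER" and where.endswith(r"\.exe"):
            out += ["[-%s\\%s]" % (hive, where), ""]   # leading '-' deletes the key when imported
        else:
            key = where if where.startswith("HKEY_") else hive + "\\" + where
            out += ["[%s]" % key, '@="%s"' % expected.replace("\\", "\\\\").replace('"', '\\"'), ""]
    return "\n".join(out)


if __name__ == "__main__":
    hits = check(parse_reg(SAMPLE_REG))
    for hive, where, observed, expected in hits:
        print("%s  %s: observed %r, expected %r" % (hive, where, observed, expected))
    print(repair_reg(hits))
```

On a live machine the input would come from `reg export HKCU\Software\Classes` and `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies` run from a second, clean profile, as the poster did; the repair .reg is imported into the affected user's hive, which is the same end state the FixIt produces for the association.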
  3. OK, I found out I'm able to log into the computer under a different profile. So I renamed the infected user folder to <username>.bad and <username>.<domain>.bad until this thing is removed, and then I'll rename them back. Right now I'm running MalwareBytes, and then, from what I've read, should I proceed with ComboFix?
  4. I went ahead and ran the scan again. Here's the new frst.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-04-2013
(ATTENTION: FRST version is 6 days old)
Ran by SYSTEM at 17-04-2013 12:14:07
Running from F:\
Windows 7 Professional Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe [900160 2012-07-06] (Sophos Limited)
HKLM\...\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe" [401408 2009-12-01] (Intel Corporation)
HKLM\...\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)
HKLM\...\Run: [DagentUI] C:\Program Files\Altiris\Dagent\dagentui.exe [548864 2011-06-10] (Altiris, Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKU\lstudent.MCCLABS\...\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart [16328976 2012-12-17] (Google)
Tcpip\Parameters: [DhcpNameServer] 10.10.0.13 10.10.0.14 10.140.0.13 10.150.0.13
AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
Startup: C:\Users\lstudent.MCCLABS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 atchksrv; C:\Program Files\Intel\AMT\atchksrv.exe [176128 2009-12-01] (Intel Corporation)
2 LMS; C:\Program Files\Intel\AMT\LMS.exe [102400 2009-12-01] (Intel)
2 SAVAdminService; "C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe" [216640 2012-09-17] (Sophos Limited)
2 SAVService; "C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe" [139840 2012-08-20] (Sophos Limited)
2 Sophos Agent; "C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent [289856 2012-09-17] (Sophos Limited)
2 Sophos AutoUpdate Service; "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" [232512 2012-07-06] (Sophos Limited)
2 Sophos Message Router; "C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 [818240 2012-09-17] (Sophos Limited)
2 Sophos Web Control Service; "C:\Program Files\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe" [357400 2012-08-20] (Sophos Limited)
2 swi_service; "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe" [2863168 2012-09-17] (Sophos Limited)
2 UNS; C:\Program Files\Intel\AMT\UNS.exe [2519040 2009-12-01] (Intel)
3 AdobeFlashPlayerUpdateSvc; C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
2 Altiris Deployment Agent; "C:\Program Files\Altiris\Dagent\dagent.exe" -load=default.dll,config.dll,autoupdate.dll [x]
2 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [x]
3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [x]
2 swi_update; "C:\ProgramData\Sophos\Web Intelligence\swi_update.exe" [x]

==================== Drivers (Whitelisted) ====================

1 SAVOnAccess; C:\Windows\System32\DRIVERS\savonaccess.sys [123680 2012-08-20] (Sophos Limited)
3 sdcfilter; C:\Windows\System32\DRIVERS\sdcfilter.sys [33696 2012-08-20] (Sophos Limited)
1 SKMScan; C:\Windows\System32\DRIVERS\skmscan.sys [31736 2012-08-20] (Sophos Plc)
4 SophosBootDriver; C:\Windows\System32\DRIVERS\SophosBootDriver.sys [22536 2012-08-20] (Sophos Plc)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-04-15 14:02 - 2013-04-15 14:02 - 00297824 ____A C:\Users\lstudent.MCCLABS\Documents\stress mgt.pptx
2013-04-15 14:00 - 2013-04-15 14:00 - 00297845 ____A C:\Users\lstudent.MCCLABS\Documents\stress management tips.pptx
2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\Users\lstudent.MCCLABS\AppData\Roaming\Malwarebytes
2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-04-12 08:56 - 2013-04-04 10:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-04-11 11:32 - 2013-04-16 14:54 - 00006493 ____A C:\Users\lstudent.MCCLABS\AppData\Local\ca59d205-a2de-11e2-8274-b8ac6f996f26.crx
2013-04-11 11:32 - 2013-04-12 08:26 - 00000000 ____D C:\ProgramData\4EA0441B322DECEF00004E9FF584F6A9
2013-04-10 05:53 - 2013-04-10 05:53 - 00000000 ____D C:\Users\russelg\AppData\Local\Adobe
2013-04-10 05:42 - 2013-04-10 05:53 - 00000000 ____D C:\Users\russelg\AppData\Roaming\Adobe
2013-04-10 05:41 - 2013-04-10 05:41 - 00000822 _RASH C:\Users\russelg\ntuser.pol
2013-04-10 05:41 - 2013-04-10 05:41 - 00000020 __ASH C:\Users\russelg\ntuser.ini
2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\Users\russelg\AppData\Roaming\Apple Computer
2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\Users\russelg\AppData\Local\VirtualStore
2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\users\russelg
2013-04-10 05:41 - 2013-01-15 10:21 - 00000000 ____D C:\Users\russelg\AppData\LocalGoogle
2013-04-10 05:41 - 2013-01-15 10:21 - 00000000 ____D C:\Users\russelg\AppData\Local\Google
2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Macromedia
2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Apple Computer
2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Adobe
2013-04-03 15:14 - 2013-04-03 15:15 - 00000000 ____D C:\users\bieberl
2013-04-03 15:14 - 2013-04-03 15:14 - 00000822 _RASH C:\Users\bieberl\ntuser.pol
2013-04-03 15:14 - 2013-04-03 15:14 - 00000020 ___SH C:\Users\bieberl\ntuser.ini
2013-04-03 15:14 - 2013-04-03 15:14 - 00000000 ____D C:\Users\bieberl\AppData\Local\VirtualStore
2013-04-03 15:14 - 2013-01-15 10:21 - 00000000 ____D C:\Users\bieberl\AppData\LocalGoogle
2013-04-03 15:14 - 2013-01-15 10:21 - 00000000 ____D C:\Users\bieberl\AppData\Local\Google

==================== One Month Modified Files and Folders ========

2013-04-17 11:57 - 2012-08-20 13:01 - 00000000 ____D C:\users\lstudent.MCCLABS
2013-04-17 11:18 - 2013-04-17 11:18 - 00000000 ____D C:\FRST
2013-04-17 08:00 - 2009-07-13 20:39 - 00054841 ____A C:\Windows\setupact.log
2013-04-17 07:59 - 2012-12-10 16:08 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-04-17 07:59 - 2012-08-20 12:59 - 00000240 ____A C:\Windows\System32\config\netlogon.ftl
2013-04-17 07:59 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-17 07:02 - 2010-11-20 13:01 - 00713888 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-17 06:57 - 2012-08-20 15:53 - 01663570 ____A C:\Windows\WindowsUpdate.log
2013-04-17 06:48 - 2012-12-10 16:08 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-04-17 06:05 - 2009-07-13 20:34 - 00026032 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-17 06:05 - 2009-07-13 20:34 - 00026032 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-17 06:02 - 2012-08-20 13:11 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-04-16 14:54 - 2013-04-11 11:32 - 00006493 ____A C:\Users\lstudent.MCCLABS\AppData\Local\ca59d205-a2de-11e2-8274-b8ac6f996f26.crx
2013-04-15 14:02 - 2013-04-15 14:02 - 00297824 ____A C:\Users\lstudent.MCCLABS\Documents\stress mgt.pptx
2013-04-15 14:00 - 2013-04-15 14:00 - 00297845 ____A C:\Users\lstudent.MCCLABS\Documents\stress management tips.pptx
2013-04-13 08:06 - 2010-11-20 13:48 - 00018246 ____A C:\Windows\PFRO.log
2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\Users\lstudent.MCCLABS\AppData\Roaming\Malwarebytes
2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-04-12 08:26 - 2013-04-11 11:32 - 00000000 ____D C:\ProgramData\4EA0441B322DECEF00004E9FF584F6A9
2013-04-10 05:53 - 2013-04-10 05:53 - 00000000 ____D C:\Users\russelg\AppData\Local\Adobe
2013-04-10 05:53 - 2013-04-10 05:42 - 00000000 ____D C:\Users\russelg\AppData\Roaming\Adobe
2013-04-10 05:41 - 2013-04-10 05:41 - 00000822 _RASH C:\Users\russelg\ntuser.pol
2013-04-10 05:41 - 2013-04-10 05:41 - 00000020 __ASH C:\Users\russelg\ntuser.ini
2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\Users\russelg\AppData\Roaming\Apple Computer
2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\Users\russelg\AppData\Local\VirtualStore
2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\users\russelg
2013-04-04 10:50 - 2013-04-12 08:56 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Macromedia
2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Apple Computer
2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Adobe
2013-04-03 15:15 - 2013-04-03 15:14 - 00000000 ____D C:\users\bieberl
2013-04-03 15:14 - 2013-04-03 15:14 - 00000822 _RASH C:\Users\bieberl\ntuser.pol
2013-04-03 15:14 - 2013-04-03 15:14 - 00000020 ___SH C:\Users\bieberl\ntuser.ini
2013-04-03 15:14 - 2013-04-03 15:14 - 00000000 ____D C:\Users\bieberl\AppData\Local\VirtualStore

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-08-20 12:57:25

==================== Memory info ===========================

Percentage of memory in use: 26%
Total physical RAM: 2013.61 MB
Available physical RAM: 1481.42 MB
Total Pagefile: 2013.61 MB
Available Pagefile: 1486.25 MB
Total Virtual: 2047.88 MB
Available Virtual: 1952.47 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:148.91 GB) (Free:129.45 GB) NTFS
3 Drive f: () (Removable) (Total:0.94 GB) (Free:0.91 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ###  Status      Size     Free     Dyn  Gpt
--------  ----------  -------  -------  ---  ---
Disk 0    Online       149 GB      0 B
Disk 1    Online       964 MB      0 B

Partitions of Disk 0:
===============
Disk ID: 85508550

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary            100 MB  1024 KB
Partition 2    Primary            148 GB   101 MB

=========================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1    Y   System Rese  NTFS   Partition    100 MB  Healthy

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2    C                NTFS   Partition    148 GB  Healthy

=========================================================

Partitions of Disk 1:
===============
Disk ID: 00000001

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
* Partition 1   Primary            964 MB      0 B

=========================================================

Disk: 1
There is no partition selected.
There is no partition selected.
Please select a partition and try again.

=========================================================

============================== MBR Partition Table ==================
==============================
Partitions of Disk 0:
===============
Disk ID: 85508550

Partition 1:
=========
Hex: 8020210007DF130C0008000000200300
Active: YES
Type: 07 (NTFS)
Size: 100 MB

Partition 2:
=========
Hex: 00DF140C07FEFFFF0028030000289D12
Active: NO
Type: 07 (NTFS)
Size: 149 GB

==============================
Partitions of Disk 1:
===============
Disk ID: 69737369

Partition 1:
=========
Hex: FF0D0A4469736B206572726F72FF0D0A
Active: NO
Type: 69
Size: 80 GB

Partition 2:
=========
Hex: 507265737320616E79206B657920746F
Active: NO
Type: 73
Size: 892 GB

Partition 3:
=========
Hex: 20726573746172740D0A000000000000
Active: NO
Type: 74
Size: 0 byte

Partition 4:
=========
Hex: 00000000000000000000000000ACBFCC
Active: NO
Type: 00
Size: -440245157888 byte

Last Boot: 2013-04-16 04:18

==================== End Of Log ============================
  5. Here's the fixlog.txt, but when I rebooted I'm still getting the FBI lockdown screen.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-04-2013
Ran by SYSTEM at 2013-04-17 11:57:36 Run:1
Running from F:\

==============================================

HKEY_USERS\lstudent.MCCLABS\Software\Microsoft\Windows\CurrentVersion\Run\\msapnf Value deleted successfully.
C:\Users\lstudent.MCCLABS\9was4t130dw1b.exe moved successfully.
C:\Users\lstudent.MCCLABS\AppData\Roaming\msapnf.dll moved successfully.
C:\Users\lstudent.MCCLABS\AppData\Roaming\pscdmc.dll moved successfully.

==== End of Fixlog ====
  6. Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-04-2013
(ATTENTION: FRST version is 6 days old)
Ran by SYSTEM at 17-04-2013 11:19:39
Running from F:\
Windows 7 Professional Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe [900160 2012-07-06] (Sophos Limited)
HKLM\...\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe" [401408 2009-12-01] (Intel Corporation)
HKLM\...\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)
HKLM\...\Run: [DagentUI] C:\Program Files\Altiris\Dagent\dagentui.exe [548864 2011-06-10] (Altiris, Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKU\lstudent.MCCLABS\...\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart [16328976 2012-12-17] (Google)
HKU\lstudent.MCCLABS\...\Run: [msapnf] "C:\Windows\System32\rundll32.exe" "C:\Users\lstudent.MCCLABS\AppData\Roaming\msapnf.dll",write_init_2 [774144 2013-04-11] (Technology Co., LTD)
Tcpip\Parameters: [DhcpNameServer] 10.10.0.13 10.10.0.14 10.140.0.13 10.150.0.13
AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
Startup: C:\Users\lstudent.MCCLABS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 atchksrv; C:\Program Files\Intel\AMT\atchksrv.exe [176128 2009-12-01] (Intel Corporation)
2 LMS; C:\Program Files\Intel\AMT\LMS.exe [102400 2009-12-01] (Intel)
2 SAVAdminService; "C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe" [216640 2012-09-17] (Sophos Limited)
2 SAVService; "C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe" [139840 2012-08-20] (Sophos Limited)
2 Sophos Agent; "C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent [289856 2012-09-17] (Sophos Limited)
2 Sophos AutoUpdate Service; "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" [232512 2012-07-06] (Sophos Limited)
2 Sophos Message Router; "C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 [818240 2012-09-17] (Sophos Limited)
2 Sophos Web Control Service; "C:\Program Files\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe" [357400 2012-08-20] (Sophos Limited)
2 swi_service; "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe" [2863168 2012-09-17] (Sophos Limited)
2 UNS; C:\Program Files\Intel\AMT\UNS.exe [2519040 2009-12-01] (Intel)
3 AdobeFlashPlayerUpdateSvc; C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
2 Altiris Deployment Agent; "C:\Program Files\Altiris\Dagent\dagent.exe" -load=default.dll,config.dll,autoupdate.dll [x]
2 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [x]
3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [x]
2 swi_update; "C:\ProgramData\Sophos\Web Intelligence\swi_update.exe" [x]

==================== Drivers (Whitelisted) ====================

1 SAVOnAccess; C:\Windows\System32\DRIVERS\savonaccess.sys [123680 2012-08-20] (Sophos Limited)
3 sdcfilter; C:\Windows\System32\DRIVERS\sdcfilter.sys [33696 2012-08-20] (Sophos Limited)
1 SKMScan; C:\Windows\System32\DRIVERS\skmscan.sys [31736 2012-08-20] (Sophos Plc)
4 SophosBootDriver; C:\Windows\System32\DRIVERS\SophosBootDriver.sys [22536 2012-08-20] (Sophos Plc)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-04-16 14:55 - 2013-04-16 14:55 - 00053119 ____A C:\Users\lstudent.MCCLABS\9was4t130dw1b.exe
2013-04-15 14:02 - 2013-04-15 14:02 - 00297824 ____A C:\Users\lstudent.MCCLABS\Documents\stress mgt.pptx
2013-04-15 14:00 - 2013-04-15 14:00 - 00297845 ____A C:\Users\lstudent.MCCLABS\Documents\stress management tips.pptx
2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\Users\lstudent.MCCLABS\AppData\Roaming\Malwarebytes
2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-04-12 08:56 - 2013-04-04 10:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-04-11 11:32 - 2013-04-16 14:54 - 00006493 ____A C:\Users\lstudent.MCCLABS\AppData\Local\ca59d205-a2de-11e2-8274-b8ac6f996f26.crx
2013-04-11 11:32 - 2013-04-12 08:26 - 00000000 ____D C:\ProgramData\4EA0441B322DECEF00004E9FF584F6A9
2013-04-11 11:32 - 2013-04-11 11:32 - 00774144 ____A (Technology Co., LTD) C:\Users\lstudent.MCCLABS\AppData\Roaming\msapnf.dll
2013-04-11 11:32 - 2013-04-11 11:32 - 00487424 ____A (Corporation) C:\Users\lstudent.MCCLABS\AppData\Roaming\pscdmc.dll
2013-04-10 05:53 - 2013-04-10 05:53 - 00000000 ____D C:\Users\russelg\AppData\Local\Adobe
2013-04-10 05:42 - 2013-04-10 05:53 - 00000000 ____D C:\Users\russelg\AppData\Roaming\Adobe
2013-04-10 05:41 - 2013-04-10 05:41 - 00000822 _RASH C:\Users\russelg\ntuser.pol
2013-04-10 05:41 - 2013-04-10 05:41 - 00000020 __ASH C:\Users\russelg\ntuser.ini
2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\Users\russelg\AppData\Roaming\Apple Computer
2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\Users\russelg\AppData\Local\VirtualStore
2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\users\russelg
2013-04-10 05:41 - 2013-01-15 10:21 - 00000000 ____D C:\Users\russelg\AppData\LocalGoogle
2013-04-10 05:41 - 2013-01-15 10:21 - 00000000 ____D C:\Users\russelg\AppData\Local\Google
2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Macromedia
2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Apple Computer
2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Adobe
2013-04-03 15:14 - 2013-04-03 15:15 - 00000000 ____D C:\users\bieberl
2013-04-03 15:14 - 2013-04-03 15:14 - 00000822 _RASH C:\Users\bieberl\ntuser.pol
2013-04-03 15:14 - 2013-04-03 15:14 - 00000020 ___SH C:\Users\bieberl\ntuser.ini
2013-04-03 15:14 - 2013-04-03 15:14 - 00000000 ____D C:\Users\bieberl\AppData\Local\VirtualStore
2013-04-03 15:14 - 2013-01-15 10:21 - 00000000 ____D C:\Users\bieberl\AppData\LocalGoogle
2013-04-03 15:14 - 2013-01-15 10:21 - 00000000 ____D C:\Users\bieberl\AppData\Local\Google

==================== One Month Modified Files and Folders ========

2013-04-17 11:18 - 2013-04-17 11:18 - 00000000 ____D C:\FRST
2013-04-17 07:02 - 2010-11-20 13:01 - 00713888 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-17 06:57 - 2012-08-20 15:53 - 01663570 ____A C:\Windows\WindowsUpdate.log
2013-04-17 06:57 - 2009-07-13 20:39 - 00053991 ____A C:\Windows\setupact.log
2013-04-17 06:48 - 2012-12-10 16:08 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-04-17 06:20 - 2012-12-10 16:08 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-04-17 06:20 - 2012-08-20 12:59 - 00000240 ____A C:\Windows\System32\config\netlogon.ftl
2013-04-17 06:05 - 2009-07-13 20:34 - 00026032 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-17 06:05 - 2009-07-13 20:34 - 00026032 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-17 06:02 - 2012-08-20 13:11 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-04-17 05:58 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-16 14:55 - 2013-04-16 14:55 - 00053119 ____A C:\Users\lstudent.MCCLABS\9was4t130dw1b.exe
2013-04-16 14:55 - 2012-08-20 13:01 - 00000000 ____D C:\users\lstudent.MCCLABS
2013-04-16 14:54 - 2013-04-11 11:32 - 00006493 ____A C:\Users\lstudent.MCCLABS\AppData\Local\ca59d205-a2de-11e2-8274-b8ac6f996f26.crx
2013-04-15 14:02 - 2013-04-15 14:02 - 00297824 ____A C:\Users\lstudent.MCCLABS\Documents\stress mgt.pptx
2013-04-15 14:00 - 2013-04-15 14:00 - 00297845 ____A C:\Users\lstudent.MCCLABS\Documents\stress management tips.pptx
2013-04-13 08:06 - 2010-11-20 13:48 - 00018246 ____A C:\Windows\PFRO.log
2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\Users\lstudent.MCCLABS\AppData\Roaming\Malwarebytes
2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-04-12 08:56 - 2013-04-12 08:56 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-04-12 08:26 - 2013-04-11 11:32 - 00000000 ____D C:\ProgramData\4EA0441B322DECEF00004E9FF584F6A9
2013-04-11 11:32 - 2013-04-11 11:32 - 00774144 ____A (Technology Co., LTD) C:\Users\lstudent.MCCLABS\AppData\Roaming\msapnf.dll
2013-04-11 11:32 - 2013-04-11 11:32 - 00487424 ____A (Corporation) C:\Users\lstudent.MCCLABS\AppData\Roaming\pscdmc.dll
2013-04-10 05:53 - 2013-04-10 05:53 - 00000000 ____D C:\Users\russelg\AppData\Local\Adobe
2013-04-10 05:53 - 2013-04-10 05:42 - 00000000 ____D C:\Users\russelg\AppData\Roaming\Adobe
2013-04-10 05:41 - 2013-04-10 05:41 - 00000822 _RASH C:\Users\russelg\ntuser.pol
2013-04-10 05:41 - 2013-04-10 05:41 - 00000020 __ASH C:\Users\russelg\ntuser.ini
2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\Users\russelg\AppData\Roaming\Apple Computer
2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\Users\russelg\AppData\Local\VirtualStore
2013-04-10 05:41 - 2013-04-10 05:41 - 00000000 ____D C:\users\russelg
2013-04-04 10:50 - 2013-04-12 08:56 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Macromedia
2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Apple Computer
2013-04-03 15:15 - 2013-04-03 15:15 - 00000000 ____D C:\Users\bieberl\AppData\Roaming\Adobe
2013-04-03 15:15 - 2013-04-03 15:14 - 00000000 ____D C:\users\bieberl
2013-04-03 15:14 - 2013-04-03 15:14 - 00000822 _RASH C:\Users\bieberl\ntuser.pol
2013-04-03 15:14 - 2013-04-03 15:14 - 00000020 ___SH C:\Users\bieberl\ntuser.ini
2013-04-03 15:14 - 2013-04-03 15:14 - 00000000 ____D C:\Users\bieberl\AppData\Local\VirtualStore

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-08-20 12:57:25

==================== Memory info ===========================

Percentage of memory in use: 26%
Total physical RAM: 2013.61 MB
Available physical RAM: 1472.47 MB
Total Pagefile: 2013.61 MB
Available Pagefile: 1473.76 MB
Total Virtual: 2047.88 MB
Available Virtual: 1952.68 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:148.91 GB) (Free:129.45 GB) NTFS
3 Drive f: () (Removable) (Total:0.94 GB) (Free:0.91 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ###  Status      Size     Free     Dyn  Gpt
--------  ----------  -------  -------  ---  ---
Disk 0    Online       149 GB      0 B
Disk 1    Online       964 MB      0 B

Partitions of Disk 0:
===============
Disk ID: 85508550

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary            100 MB  1024 KB
Partition 2    Primary            148 GB   101 MB

=========================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1    Y   System Rese  NTFS   Partition    100 MB  Healthy

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2    C                NTFS   Partition    148 GB  Healthy

=========================================================

Partitions of Disk 1:
===============
Disk ID: 00000001

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
* Partition 1   Primary            964 MB      0 B

=========================================================

Disk: 1
There is no partition selected.
There is no partition selected.
Please select a partition and try again.

=========================================================

============================== MBR Partition Table ==================
==============================
Partitions of Disk 0:
===============
Disk ID: 85508550

Partition 1:
=========
Hex: 8020210007DF130C0008000000200300
Active: YES
Type: 07 (NTFS)
Size: 100 MB

Partition 2:
=========
Hex: 00DF140C07FEFFFF0028030000289D12
Active: NO
Type: 07 (NTFS)
Size: 149 GB

==============================
Partitions of Disk 1:
===============
Disk ID: 69737369

Partition 1:
=========
Hex: FF0D0A4469736B206572726F72FF0D0A
Active: NO
Type: 69
Size: 80 GB

Partition 2:
=========
Hex: 507265737320616E79206B657920746F
Active: NO
Type: 73
Size: 892 GB

Partition 3:
=========
Hex: 20726573746172740D0A000000000000
Active: NO
Type: 74
Size: 0 byte

Partition 4:
=========
Hex: 00000000000000000000000000ACBFCC
Active: NO
Type: 00
Size: -440245157888 byte

Last Boot: 2013-04-16 04:18

==================== End Of Log ============================
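The scan above shows the locker's whole persistence in one line: a per-user Run value named msapnf that has rundll32.exe load a DLL from the user's AppData\Roaming folder by export name, written six days before the scan, and the fixlog in the next post is exactly that Run value plus its files. The script below is an added example, not code from FRST or from the thread: it parses FRST "Run:" lines, flags the pattern (user hive, rundll32 proxying a user-writable DLL, recently written file) and prints the lines that would go into fixlist.txt. The three sample lines are copied from this scan; the scan date and the 14-day "recent" window are assumptions made for the example.

```python
"""Triage FRST 'Run:' autostart lines for locker-style persistence.

Added example, not code from FRST or from this thread. The sample lines are
copied from the FRST scan posted above; the scan date and the 14-day window
that counts a file as "recent" are assumptions made for the example.
"""
import re
from datetime import date

# FRST prints: HIVE\...\Run: [Name] command [size yyyy-mm-dd] (Company)
RUN_LINE = re.compile(
    r"^(?P<hive>HK(?:LM|U)(?:\\[^\\]+)?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] "
    r"(?P<cmd>.*?)"
    r"(?: \[(?P<size>\d+) (?P<written>\d{4}-\d{2}-\d{2})\])?"
    r"(?: \((?P<company>[^)]*)\))?$"
)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # FRST keeps the quotes the registry value had

SAMPLE_LINES = [  # constructed from the thread's first FRST scan
    r"HKLM\...\Run: [sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe [900160 2012-07-06] (Sophos Limited)",
    r'HKU\lstudent.MCCLABS\...\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart [16328976 2012-12-17] (Google)',
    r'HKU\lstudent.MCCLABS\...\Run: [msapnf] "C:\Windows\System32\rundll32.exe" "C:\Users\lstudent.MCCLABS\AppData\Roaming\msapnf.dll",write_init_2 [774144 2013-04-11] (Technology Co., LTD)',
]
SCAN_DATE = date(2013, 4, 17)  # assumption: the date the log being triaged was produced
RECENT_DAYS = 14               # assumption: anything written this close to the scan gets a note


def split_cmd(cmd):
    """Split an autostart command into program + arguments, tolerating unquoted paths with spaces."""
    if cmd.startswith('"'):
        return [q or bare for q, bare in TOKEN.findall(cmd)]
    m = re.match(r"(?i)(.+?\.exe)\s*(.*)$", cmd)   # unquoted: program ends at the first .exe
    if not m:
        return cmd.split()
    return [m.group(1)] + [q or bare for q, bare in TOKEN.findall(m.group(2))]


def user_writable(path):
    """Paths under a user profile (AppData, Desktop, ...) need no admin rights to drop a file into."""
    p = path.lower()
    return "\\users\\" in p and "\\program files" not in p


def triage(line, scan_date=SCAN_DATE):
    """Parse one FRST Run line and return it with findings, payload paths and a severity."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["line"] = line.strip()
    e["tokens"] = split_cmd(e["cmd"])
    e["exe"] = e["tokens"][0] if e["tokens"] else ""
    findings, targets = [], []
    if e["hive"].startswith("HKU"):
        findings.append("per-user Run key (plantable without admin rights)")
    if e["exe"].rsplit("\\", 1)[-1].lower() == "rundll32.exe" and len(e["tokens"]) > 1:
        dll = e["tokens"][1].split(",")[0]           # rundll32 takes  path.dll,ExportName
        if user_writable(dll):
            findings.append("rundll32 proxy-loads a DLL from a user-writable path: " + dll)
            targets.append(dll)
    elif user_writable(e["exe"]):
        findings.append("autostart binary lives inside a user profile: " + e["exe"])
        targets.append(e["exe"])
    if e["written"]:
        age = (scan_date - date.fromisoformat(e["written"])).days
        if age <= RECENT_DAYS:
            findings.append("file written %d days before the scan" % age)
    e["findings"], e["targets"] = findings, targets
    e["severity"] = "high" if targets else "info"
    return e


def fixlist_lines(entry):
    """Lines for FRST's fixlist.txt: the Run line as printed, then the payload files it references."""
    return [entry["line"]] + entry["targets"]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        hit = triage(line)
        print(hit["severity"].upper(), hit["name"], "->", "; ".join(hit["findings"]) or "nothing notable")
        if hit["severity"] == "high":
            print("  fixlist:", *fixlist_lines(hit), sep="\n  ")
```

Run against the whole Registry section of an FRST log, the Sophos and Google entries come out as info (vendor paths under Program Files), and only msapnf reaches high. The fixlist lines it prints mirror what the fixlog in the next post reports (the Run value deleted, the DLL moved); the second DLL, pscdmc.dll, is not referenced by any Run line and so is only visible in the created-files section, which is why a triage script is a starting point for the fix, not the whole of it.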
  7. Hi, I'm running Windows 7 32-bit and have been infected with the FBI Moneypak malware, and I can't use Safe Mode. After searching through the forums I have already downloaded the Farbar Recovery Scan Tool and scanned the infected computer and have the text file ready to give to you. Please help! Thanks.