Swanny

Everything posted by Swanny

  1. Found 3 files and cleaned, log file attached. Thank you! esetlog.txt
  2. Completed Successfully
     Image Version: 10.0.19045.3324
     [==========================100.0%==========================]
     The restore operation completed successfully.
     The operation completed successfully.
  3. Fixlog attached, Malwarebytes ran successfully and did not have any detections. Fixlog.txt
  4. Good morning, assisting my son with an infection on his gaming laptop, Malwarebytes found some infections and they were successfully removed but I am unable to remove a trojan that keeps trying to access a website. RegAsm.exe is constantly trying to make the connection and Malwarebytes is blocking it but I want to remove it / make sure there are no additional threats. Log Files attached - FRST.txt Addition.txt
  5. Thanks for the quick reply, here is the fixlog:

     Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 02-09-2013 04
     Ran by SYSTEM at 2013-09-02 13:11:02 Run:1
     Running from F:\
     Boot Mode: Recovery
     ==============================================

     Content of fixlist:
     *****************
     HKU\owner\...\Run: [DisplaySwitch] - C:\Users\owner\AppData\Roaming\Microsoft\Windows\Templates\sysdrivwin.exe [ 2013-08-30] ()
     HKU\owner\...\Run: [Adobe CSS5.1 Manager] - C:\Users\owner\AppData\Local\39d498f8-6ad9-491f-8d38-19f546e38839ad\dfadfdfead.exe
     C:\Users\owner\AppData\Roaming\Microsoft\Windows\Templates\sysdrivwin.exe
     C:\Users\owner\AppData\Local\39d498f8-6ad9-491f-8d38-19f546e38839ad\dfadfdfead.exe
     C:\Users\owner\spoolsv.exe
     C:\Users\owner\iexplore.exe
     C:\Users\owner\Local Settings\Application Data\39d498f8-6ad9-491f-8d38-19f546e38839ad
     C:\Users\owner\AppData\Local\39d498f8-6ad9-491f-8d38-19f546e38839ad
     C:\Users\owner\vlcplayer.exe
     C:\Windows\Tasks\{C473DEA2-EECC-46AA-939C-0E97D9AD1B5A}.job
     *****************

     HKU\owner\Software\Microsoft\Windows\CurrentVersion\Run\\DisplaySwitch => Value deleted successfully.
     HKU\owner\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe CSS5.1 Manager => Value deleted successfully.
     "C:\Users\owner\AppData\Roaming\Microsoft\Windows\Templates\sysdrivwin.exe " => Could not move.
     "C:\Users\owner\AppData\Local\39d498f8-6ad9-491f-8d38-19f546e38839ad\dfadfdfead.exe " => Could not move.
     "C:\Users\owner\spoolsv.exe" => Could not move.
     "C:\Users\owner\iexplore.exe" => Could not move.
     "C:\Users\owner\Local Settings\Application Data\39d498f8-6ad9-491f-8d38-19f546e38839ad" => Could not move.
     "C:\Users\owner\AppData\Local\39d498f8-6ad9-491f-8d38-19f546e38839ad" => Could not move.
     "C:\Users\owner\vlcplayer.exe" => Could not move.
     "C:\Windows\Tasks\{C473DEA2-EECC-46AA-939C-0E97D9AD1B5A}.job" => Could not move.

     ==== End of Fixlog ====
  6. Greetings, I am working on a laptop that has been infected with the FBI Ransomware, please see the below FRST Log: *Note*, this PC has one user account enabled and all attempts to start into safe mode so far have failed. Thanks in advance!!

     Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-09-2013 04
     Ran by SYSTEM on MINWINPC on 02-09-2013 12:31:25
     Running from F:\
     Windows Vista Home Premium (X86) OS Language: English(US)
     Internet Explorer Version 9
     Boot Mode: Recovery

     The current controlset is ControlSet001
     ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

     ==================== Registry (Whitelisted) ==================

     HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-18] (Microsoft Corporation)
     HKLM\...\Run: [synTPStart] - C:\Program Files\Synaptics\SynTP\SynTPStart.exe [102400 2007-09-15] (Synaptics, Inc.)
     HKLM\...\Run: [MSConfig] - C:\Windows\system32\msconfig.exe [227840 2008-01-18] (Microsoft Corporation)
     HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [38872 2012-07-31] (Adobe Systems Incorporated)
     HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [919008 2012-07-11] (Adobe Systems Incorporated)
     HKLM\...\Run: [HP Software Update] - C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
     HKLM\...\Run: [] - [x]
     HKLM\...\Run: [NvSvc] - C:\Windows\system32\nvsvc.dll [86016 2007-09-28] (NVIDIA Corporation)
     HKLM\...\Run: [NvCplDaemon] - C:\Windows\system32\NvCpl.dll [8497696 2007-09-28] (NVIDIA Corporation)
     HKLM\...\Run: [NvMediaCenter] - C:\Windows\system32\NvMcTray.dll [81920 2007-09-28] (NVIDIA Corporation)
     HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)
     HKLM\...\Run: [navservice] - C:\Program Files\Navionics World\NavService.exe [98304 2012-09-25] ()
     HKLM\...\Run: [spySweeper] - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [6273400 2008-11-13] (Webroot Software, Inc.)
     HKU\Default\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [ 2007-10-01] (Hewlett-Packard)
     HKU\Default User\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [ 2007-10-01] (Hewlett-Packard)
     HKU\owner\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2009-06-02] (Google Inc.)
     HKU\owner\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [ 2008-01-18] (Microsoft Corporation)
     HKU\owner\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [ 2008-01-18] (Microsoft Corporation)
     HKU\owner\...\Run: [DisplaySwitch] - C:\Users\owner\AppData\Roaming\Microsoft\Windows\Templates\sysdrivwin.exe [ 2013-08-30] ()
     HKU\owner\...\Run: [Adobe CSS5.1 Manager] - C:\Users\owner\AppData\Local\39d498f8-6ad9-491f-8d38-19f546e38839ad\dfadfdfead.exe [ 2013-08-30] () <===== ATTENTION

     ========================== Services (Whitelisted) =================

     S3 Com4Qlb; C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe [110592 2007-03-05] (Hewlett-Packard Development Company, L.P.)
     S2 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [65536 2007-09-19] (Hewlett-Packard)
     S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
     S2 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [272024 2007-01-09] ()
     S2 WebrootSpySweeperService; C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe [3667312 2008-11-12] (Webroot Software, Inc. (www.webroot.com))
     S2 WRConsumerService; C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe [1086840 2008-11-13] (Webroot Software, Inc. )

     ==================== Drivers (Whitelisted) ====================

     S0 CLFS; C:\Windows\System32\CLFS.sys [245736 2009-04-10] (Microsoft Corporation)
     S3 HdAudAddService; C:\Windows\System32\drivers\CHDART.sys [176640 2007-09-08] (Conexant Systems Inc.)
     S1 nm3; C:\Windows\System32\DRIVERS\nm3.sys [39736 2010-06-09] (Microsoft Corporation)
     S3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [14736 2009-05-08] (Microsoft Corporation)
     S0 ssfs0bbc; C:\Windows\System32\DRIVERS\ssfs0bbc.sys [29808 2008-11-12] (Webroot Software, Inc. (www.webroot.com))
     S0 SSHRMD; C:\Windows\System32\Drivers\SSHRMD.SYS [23152 2008-11-12] (Webroot Software, Inc. (www.webroot.com))
     S0 SSIDRV; C:\Windows\System32\Drivers\SSIDRV.SYS [170608 2008-11-12] (Webroot Software, Inc. (www.webroot.com))
     S3 SSKBFD; C:\Windows\System32\Drivers\sskbfd.sys [23920 2008-01-04] (Webroot Software Inc (www.webroot.com))
     S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
     S1 eabfiltr;
     S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
     S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
     S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
     S3 SymIM; system32\DRIVERS\SymIM.sys [x]
     S3 SymIMMP; system32\DRIVERS\SymIM.sys [x]

     ==================== NetSvcs (Whitelisted) ===================

     ==================== One Month Created Files and Folders ========

     2013-08-30 19:04 - 2013-08-30 19:04 - 00063488 _____ (Hilgraeve, Inc.) C:\Users\owner\spoolsv.exe
     2013-08-30 19:04 - 2013-08-30 19:04 - 00032768 _____ C:\Users\owner\iexplore.exe
     2013-08-30 19:04 - 2013-08-30 19:04 - 00000000 ____D C:\Users\owner\Local Settings\Application Data\39d498f8-6ad9-491f-8d38-19f546e38839ad
     2013-08-30 19:04 - 2013-08-30 19:04 - 00000000 ____D C:\Users\owner\AppData\Local\39d498f8-6ad9-491f-8d38-19f546e38839ad
     2013-08-30 19:04 - 2013-08-30 19:04 - 00000000 _____ C:\Users\owner\vlcplayer.exe
     2013-08-27 19:26 - 2013-08-01 20:09 - 01548288 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
     2013-08-20 14:42 - 2013-08-20 14:42 - 00000000 ____D C:\Users\owner\Local Settings\Application Data\Macromedia
     2013-08-20 14:42 - 2013-08-20 14:42 - 00000000 ____D C:\Users\owner\AppData\Local\Macromedia
     2013-08-20 14:26 - 2013-08-20 14:26 - 01067192 _____ (Solid State Networks) C:\Users\owner\Downloads\install_flashplayer11x32axau_mssa_awc_aih.exe
     2013-08-19 23:18 - 2013-08-19 23:21 - 00000000 ____D C:\Windows\System32\MRT
     2013-08-19 23:03 - 2013-07-24 18:40 - 12334080 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
     2013-08-19 23:03 - 2013-07-24 18:32 - 01800704 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
     2013-08-19 23:03 - 2013-07-24 18:30 - 09738752 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
     2013-08-19 23:03 - 2013-07-24 18:26 - 01129472 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
     2013-08-19 23:03 - 2013-07-24 18:26 - 01104384 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
     2013-08-19 23:03 - 2013-07-24 18:25 - 01427968 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
     2013-08-19 23:03 - 2013-07-24 18:24 - 00231936 _____ (Microsoft Corporation) C:\Windows\System32\url.dll
     2013-08-19 23:03 - 2013-07-24 18:24 - 00065536 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
     2013-08-19 23:03 - 2013-07-24 18:23 - 01796096 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
     2013-08-19 23:03 - 2013-07-24 18:23 - 00717824 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
     2013-08-19 23:03 - 2013-07-24 18:23 - 00607744 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
     2013-08-19 23:03 - 2013-07-24 18:23 - 00420864 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
     2013-08-19 23:03 - 2013-07-24 18:23 - 00142848 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
     2013-08-19 23:03 - 2013-07-24 18:22 - 02382848 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
     2013-08-19 23:03 - 2013-07-24 18:22 - 00176640 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
     2013-08-19 23:03 - 2013-07-24 18:22 - 00073216 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
     2013-08-19 09:58 - 2013-07-07 20:20 - 00172544 _____ (Microsoft Corporation) C:\Windows\System32\wintrust.dll
     2013-08-19 09:58 - 2013-07-07 20:16 - 00992768 _____ (Microsoft Corporation) C:\Windows\System32\crypt32.dll
     2013-08-19 09:58 - 2013-07-07 20:16 - 00133120 _____ (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
     2013-08-19 09:58 - 2013-07-07 20:16 - 00098304 _____ (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
     2013-08-19 09:58 - 2013-07-04 20:53 - 00905664 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
     2013-08-19 09:58 - 2013-06-15 05:22 - 00015872 _____ (Microsoft Corporation) C:\Windows\System32\icaapi.dll
     2013-08-19 09:58 - 2013-06-15 03:23 - 00024064 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tssecsrv.sys
     2013-08-19 09:57 - 2013-07-17 11:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\tzres.dll
     2013-08-19 09:57 - 2013-07-10 01:47 - 00783360 _____ (Microsoft Corporation) C:\Windows\System32\rpcrt4.dll
     2013-08-19 09:52 - 2013-07-09 04:10 - 01205168 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
     2013-08-19 09:52 - 2013-07-07 20:55 - 03603904 _____ (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
     2013-08-19 09:52 - 2013-07-07 20:55 - 03551680 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

     ==================== One Month Modified Files and Folders =======

     2013-09-02 08:19 - 2013-09-02 08:19 - 00000000 __SHD C:\found.000
     2013-09-02 08:15 - 2008-01-28 21:13 - 01245760 _____ C:\Windows\WindowsUpdate.log
     2013-09-02 08:13 - 2009-06-02 07:27 - 00000000 ____D C:\Program Files\Google
     2013-09-02 08:13 - 2008-03-31 15:55 - 00000000 _____ C:\Users\owner\AppData\Roaming\nvModes.001
     2013-09-02 08:11 - 2006-11-02 04:47 - 00003568 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
     2013-09-02 08:11 - 2006-11-02 04:47 - 00003568 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
     2013-08-30 19:04 - 2013-08-30 19:04 - 00063488 _____ (Hilgraeve, Inc.) C:\Users\owner\spoolsv.exe
     2013-08-30 19:04 - 2013-08-30 19:04 - 00032768 _____ C:\Users\owner\iexplore.exe
     2013-08-30 19:04 - 2013-08-30 19:04 - 00000000 ____D C:\Users\owner\Local Settings\Application Data\39d498f8-6ad9-491f-8d38-19f546e38839ad
     2013-08-30 19:04 - 2013-08-30 19:04 - 00000000 ____D C:\Users\owner\AppData\Local\39d498f8-6ad9-491f-8d38-19f546e38839ad
     2013-08-30 19:04 - 2013-08-30 19:04 - 00000000 _____ C:\Users\owner\vlcplayer.exe
     2013-08-30 19:04 - 2008-03-03 19:01 - 00000000 ____D C:\users\owner
     2013-08-30 18:52 - 2008-03-31 15:16 - 00027335 _____ C:\Users\owner\AppData\Roaming\nvModes.dat
     2013-08-26 14:09 - 2012-02-06 08:10 - 00000000 ____D C:\Users\owner\AppData\Roaming\HpUpdate
     2013-08-20 15:00 - 2006-11-02 02:33 - 00721582 _____ C:\Windows\System32\PerfStringBackup.INI
     2013-08-20 14:42 - 2013-08-20 14:42 - 00000000 ____D C:\Users\owner\Local Settings\Application Data\Macromedia
     2013-08-20 14:42 - 2013-08-20 14:42 - 00000000 ____D C:\Users\owner\AppData\Local\Macromedia
     2013-08-20 14:42 - 2012-04-05 17:04 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
     2013-08-20 14:42 - 2011-06-24 19:15 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
     2013-08-20 14:26 - 2013-08-20 14:26 - 01067192 _____ (Solid State Networks) C:\Users\owner\Downloads\install_flashplayer11x32axau_mssa_awc_aih.exe
     2013-08-19 23:56 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\rescache
     2013-08-19 23:53 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Microsoft.NET
     2013-08-19 23:21 - 2013-08-19 23:18 - 00000000 ____D C:\Windows\System32\MRT
     2013-08-19 23:18 - 2006-11-02 02:24 - 75778376 _____ (Microsoft Corporation) C:\Windows\System32\mrt.exe
     2013-08-19 23:14 - 2007-10-25 00:51 - 00000000 ____D C:\ProgramData\Microsoft Help

     Files to move or delete:
     ====================
     C:\Users\owner\AppData\Local\39d498f8-6ad9-491f-8d38-19f546e38839ad\dfadfdfead.exe
     C:\Users\owner\iexplore.exe
     C:\Users\owner\spoolsv.exe
     C:\Users\owner\vlcplayer.exe
     C:\Users\owner\AppData\Local\Temp\contentDATs.exe
     C:\Users\owner\AppData\Local\Temp\fp_pl_pfs_installer.exe
     C:\Users\owner\AppData\Local\Temp\jre-6u35-windows-i586-iftw.exe
     C:\Users\owner\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
     C:\Users\owner\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
     C:\Users\owner\AppData\Local\Temp\SecurityScan_Release.exe
     C:\Users\owner\AppData\Local\Temp\tbWhit.dll
     C:\Users\owner\AppData\Local\Temp\updater_uninstall.exe
     C:\Users\owner\AppData\Local\Temp\be29e7f1-71ae-4703-50cb-1d52be512f51\twapi-be29e7f1-71ae-4703-50cb-1d52be512f51.dll
     C:\Windows\Tasks\{C473DEA2-EECC-46AA-939C-0E97D9AD1B5A}.job

     ==================== Known DLLs (Whitelisted) ============

     ==================== Bamital & volsnap Check =================

     C:\Windows\explorer.exe => MD5 is legit
     C:\Windows\System32\winlogon.exe => MD5 is legit
     C:\Windows\System32\wininit.exe => MD5 is legit
     C:\Windows\System32\svchost.exe => MD5 is legit
     C:\Windows\System32\services.exe => MD5 is legit
     C:\Windows\System32\User32.dll => MD5 is legit
     C:\Windows\System32\userinit.exe => MD5 is legit
     C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

     ==================== EXE ASSOCIATION =====================

     HKLM\...\.exe: exefile => OK
     HKLM\...\exefile\DefaultIcon: %1 => OK
     HKLM\...\exefile\open\command: "%1" %* => OK

     ==================== Restore Points =========================

     Restore point made on: 2013-06-05 13:17:30
     Restore point made on: 2013-06-05 23:00:36
     Restore point made on: 2013-06-24 15:02:36
     Restore point made on: 2013-06-25 23:00:45
     Restore point made on: 2013-06-26 19:30:51
     Restore point made on: 2013-07-01 18:32:09
     Restore point made on: 2013-07-12 16:44:36
     Restore point made on: 2013-07-14 23:00:46
     Restore point made on: 2013-07-21 19:15:42
     Restore point made on: 2013-07-31 19:26:44
     Restore point made on: 2013-08-07 14:12:59
     Restore point made on: 2013-08-19 09:36:50
     Restore point made on: 2013-08-19 23:00:37
     Restore point made on: 2013-08-20 15:28:47
     Restore point made on: 2013-08-24 12:22:38
     Restore point made on: 2013-08-27 23:00:37

     ==================== Memory info ===========================

     Percentage of memory in use: 23%
     Total physical RAM: 1982.31 MB
     Available physical RAM: 1511.05 MB
     Total Pagefile: 1735.09 MB
     Available Pagefile: 1571.24 MB
     Total Virtual: 2047.88 MB
     Available Virtual: 1959.63 MB

     ==================== Drives ================================

     Drive c: () (Fixed) (Total:137.34 GB) (Free:71.6 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
     Drive d: (PRESARIO_RP) (Fixed) (Total:11.71 GB) (Free:1.87 GB) NTFS ==>[system with boot components (obtained from reading drive)]
     Drive f: (UNTITLED 1) (Removable) (Total:14.91 GB) (Free:12.31 GB) FAT32
     Drive g: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
     Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

     ==================== MBR & Partition Table ==================

     ========================================================
     Disk: 0 (Size: 149 GB) (Disk ID: D23D125D)
     Partition 1: (Active) - (Size=137 GB) - (Type=07 NTFS)
     Partition 2: (Not Active) - (Size=12 GB) - (Type=07 NTFS)

     ========================================================
     Disk: 1 (Size: 15 GB) (Disk ID: 00000000)
     Partition 1: (Not Active) - (Size=15 GB) - (Type=0B)

     LastRegBack: 2013-09-02 08:10

     ==================== End Of Log ============================
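Added example, not part of Swanny's posts or of FRST itself: a small Python triage that applies to FRST autorun and file lines the same checks a helper applies by eye to the logs above (a binary launched from a user-writable location, a random GUID-named directory, a Windows system-binary name outside C:\Windows, and an autorun entry with an empty publisher field). The SAMPLE lines are copied from the FRST output in Swanny's posts; the name lists and the "more reasons, stronger signal" rule are my assumptions, not FRST's.

```python
import re
from pathlib import PureWindowsPath

# Binaries that belong under C:\Windows; the same name anywhere else is a masquerade
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "explorer.exe", "winlogon.exe", "lsass.exe", "iexplore.exe"}
LEGIT_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\appdata\\", "\\temp\\")
GUID_DIR = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12,}$", re.I)
# FRST autorun entry: "HKU\owner\...\Run: [Name] - <path> [size date] (Publisher)"
RUN_LINE = re.compile(r"\\Run: \[(?P<name>[^\]]*)\] - (?P<path>.+?) \[[^\]]*\] \((?P<pub>[^)]*)\)")
# Bare or quoted path line, e.g. '"C:\Users\owner\spoolsv.exe" => Could not move.'
PATH_LINE = re.compile(r'^\s*"?([A-Za-z]:\\[^"]+?)"?(?:\s*=>.*)?\s*$')

def parse_frst_line(line):
    """Return (path, publisher) for a Run: entry or a path line, else None."""
    m = RUN_LINE.search(line)
    if m:  # publisher is "" when FRST printed an empty "()" company field
        return m.group("path").strip(), m.group("pub")
    m = PATH_LINE.match(line)
    return (m.group(1).strip(), None) if m else None  # None: no company field at all

def assess_path(path, publisher=None):
    """List the red flags for one path; an empty list means nothing stood out."""
    reasons, low = [], path.lower()
    parts = PureWindowsPath(path).parts
    name = parts[-1].lower() if parts else ""
    if any(tok in low for tok in USER_WRITABLE):
        reasons.append("runs from a user-writable location")
    if any(GUID_DIR.match(p) for p in parts):
        reasons.append("lives in a random GUID-named directory")
    if name in SYSTEM_BINARIES and not low.startswith(LEGIT_ROOTS):
        reasons.append(f"{name} outside its normal Windows location")
    if publisher is not None and not publisher.strip():
        reasons.append("autorun entry has no publisher/company name")
    return reasons

def triage(lines):
    """Map each suspicious path to its reasons; more reasons means a stronger signal."""
    findings = {}
    for line in lines:
        parsed = parse_frst_line(line)
        if parsed:
            reasons = assess_path(*parsed)
            if reasons:
                findings[parsed[0]] = reasons
    return findings

# Lines copied from the FRST output in Swanny's posts (real entries, not constructed)
SAMPLE = [
    r"HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-18] (Microsoft Corporation)",
    r"HKLM\...\Run: [navservice] - C:\Program Files\Navionics World\NavService.exe [98304 2012-09-25] ()",
    r"HKU\owner\...\Run: [DisplaySwitch] - C:\Users\owner\AppData\Roaming\Microsoft\Windows\Templates\sysdrivwin.exe [ 2013-08-30] ()",
    r"HKU\owner\...\Run: [Adobe CSS5.1 Manager] - C:\Users\owner\AppData\Local\39d498f8-6ad9-491f-8d38-19f546e38839ad\dfadfdfead.exe [ 2013-08-30] ()",
    r'"C:\Users\owner\spoolsv.exe" => Could not move.',
    r"C:\Windows\System32\svchost.exe => MD5 is legit",
]
```

Running `triage(SAMPLE)` flags the two fixlist autoruns and the stray spoolsv.exe with two or three reasons each, while the navservice entry collects only the weak "no publisher" note and the Defender and svchost lines are clean.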