boilinh2o

  1. Thank you!! So far so good. The fixlist cleaned out enough crap to get the computer to boot. I'm now running a Full Scan with Malwarebytes Pro. Here's the fixlog:

     Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-10-2013
     Ran by SYSTEM at 2013-10-13 09:14:18 Run:1
     Running from F:\
     Boot Mode: Recovery
     ==============================================

     Content of fixlist:
     *****************
     HKU\Mark Hunt\...\Winlogon: [shell] explorer.exe,C:\Users\Mark Hunt\AppData\Roaming\data.dat [50688 2013-08-01] ()
     C:\Users\Mark Hunt\AppData\Roaming\data.dat
     C:\Users\Mark Hunt\AppData\Roaming\settings.ini
     C:\Users\Mark Hunt\AppData\Roaming\i.ini
     C:\Users\Mark Hunt\AppData\Local\Temp\ApnStub.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\b34btbztdb0vavaw.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\converter.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\DropboxSetup.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\install.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u30-windows-i586-iftw-rv.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u35-windows-i586-iftw.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\Setup.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\SonosUpgrader.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\Update.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\webyeryb3460vavaw.exe
     *****************

     HKU\Mark Hunt\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
     C:\Users\Mark Hunt\AppData\Roaming\data.dat => Moved successfully.
     C:\Users\Mark Hunt\AppData\Roaming\settings.ini => Moved successfully.
     "C:\Users\Mark Hunt\AppData\Roaming\i.ini" => File/Directory not found.
     C:\Users\Mark Hunt\AppData\Local\Temp\ApnStub.exe => Moved successfully.
     C:\Users\Mark Hunt\AppData\Local\Temp\b34btbztdb0vavaw.exe => Moved successfully.
     C:\Users\Mark Hunt\AppData\Local\Temp\converter.exe => Moved successfully.
     C:\Users\Mark Hunt\AppData\Local\Temp\DropboxSetup.exe => Moved successfully.
     C:\Users\Mark Hunt\AppData\Local\Temp\install.exe => Moved successfully.
     C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe => Moved successfully.
     C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe => Moved successfully.
     C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u30-windows-i586-iftw-rv.exe => Moved successfully.
     C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u35-windows-i586-iftw.exe => Moved successfully.
     C:\Users\Mark Hunt\AppData\Local\Temp\Setup.exe => Moved successfully.
     C:\Users\Mark Hunt\AppData\Local\Temp\SonosUpgrader.exe => Moved successfully.
     C:\Users\Mark Hunt\AppData\Local\Temp\Update.exe => Moved successfully.
     C:\Users\Mark Hunt\AppData\Local\Temp\webyeryb3460vavaw.exe => Moved successfully.

     ==== End of Fixlog ====
  2. Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-10-2013
     Ran by SYSTEM on MININT-LHCDJK9 on 12-10-2013 16:46:39
     Running from F:\
     Windows 7 Professional (X64) OS Language: English(US)
     Internet Explorer Version 10
     Boot Mode: Recovery

     The current controlset is ControlSet001
     ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

     ==================== Registry (Whitelisted) ==================

     HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8067616 2009-08-18] (Realtek Semiconductor)
     HKLM\...\Run: [Launchpad] - C:\Program Files\Windows Server\Bin\Launchpad.exe [1099360 2012-11-02] (Microsoft Corporation)
     HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
     HKLM-x32\...\Run: [iAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
     HKLM-x32\...\Run: [] - [x]
     HKLM-x32\...\Run: [RoxWatchTray] - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-09-03] (Sonic Solutions)
     HKLM-x32\...\Run: [Desktop Disc Tool] - C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [518640 2010-09-02] ()
     HKLM-x32\...\Run: [OfficeScanNT Monitor] - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe [1705296 2010-06-25] (Trend Micro Inc.)
     HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1648264 2013-04-25] (Ask)
     HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [41208 2012-12-19] (Adobe Systems Incorporated)
     HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-02] (Adobe Systems Incorporated)
     HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
     HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] - C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [267792 2013-01-17] (Research In Motion Limited)
     HKU\Mark Hunt\...\Run: [msnmsgr] - C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [3883856 2009-07-26] (Microsoft Corporation)
     HKU\Mark Hunt\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-04-15] (Google Inc.)
     HKU\Mark Hunt\...\Winlogon: [shell] explorer.exe,C:\Users\Mark Hunt\AppData\Roaming\data.dat [50688 2013-08-01] () <==== ATTENTION
     Startup: C:\Users\Mark Hunt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
     ShortcutTarget: Dropbox.lnk -> (No File)

     ==================== Services (Whitelisted) =================

     S3 Blackberry Device Manager; C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [577536 2013-01-18] (Research In Motion Limited)
     S2 HealthAlertsSvc; C:\Program Files\Windows Server\Bin\SharedServiceHost.exe [30592 2011-03-02] (Microsoft Corporation)
     S2 initMonitor; C:\Program Files\Windows Server\Bin\SharedServiceHost.exe [30592 2011-03-02] (Microsoft Corporation)
     S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe [138760 2011-08-10] (Symantec Corporation)
     S2 NotificationsProviderSvc; C:\Program Files\Windows Server\Bin\SharedServiceHost.exe [30592 2011-03-02] (Microsoft Corporation)
     S2 ntrtscan; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\ntrtscan.exe [1835912 2010-06-22] (Trend Micro Inc.)
     S2 providers_system; C:\Program Files\Windows Server\Bin\SharedServiceHost.exe [30592 2011-03-02] (Microsoft Corporation)
     S2 ServiceProviderRegistry; C:\Program Files\Windows Server\Bin\ProviderRegistryService.exe [41600 2012-07-06] (Microsoft Corporation)
     S4 SqmProviderSvc; C:\Program Files\Windows Server\Bin\SharedServiceHost.exe [30592 2011-03-02] (Microsoft Corporation)
     S2 svcGenericHost; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe [45056 2010-07-05] (Trend Micro Inc.)
     S2 tmlisten; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmlisten.exe [2057096 2010-06-22] (Trend Micro Inc.)
     S3 TmPfw; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmPfw.exe [595960 2009-07-15] (Trend Micro Inc.)
     S3 TmProxy; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmProxy.exe [917768 2009-07-15] (Trend Micro Inc.)
     S2 WSS_ComputerBackupProviderSvc; C:\Program Files\Windows Server\Bin\SharedServiceHost.exe [30592 2011-03-02] (Microsoft Corporation)

     ==================== Drivers (Whitelisted) ====================

     S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20120531.001\BHDrvx64.sys [1160824 2012-04-12] (Symantec Corporation)
     S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20120531.001\BHDrvx64.sys [1160824 2012-04-12] (Symantec Corporation)
     S1 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1301000.01C\ccSetx64.sys [167048 2011-08-08] (Symantec Corporation)
     S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-05-31] (Symantec Corporation)
     S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-05-31] (Symantec Corporation)
     S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20120606.001\IDSvia64.sys [488568 2012-05-06] (Symantec Corporation)
     S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20120606.001\IDSvia64.sys [488568 2012-05-06] (Symantec Corporation)
     S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20120606.020\ENG64.SYS [120440 2012-06-06] (Symantec Corporation)
     S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20120606.020\ENG64.SYS [120440 2012-06-06] (Symantec Corporation)
     S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20120606.020\EX64.SYS [2068600 2012-06-06] (Symantec Corporation)
     S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20120606.020\EX64.SYS [2068600 2012-06-06] (Symantec Corporation)
     S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [78336 2013-01-03] (Research In Motion Limited)
     S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44544 2012-12-10] (Research in Motion Ltd)
     S3 SRTSP; C:\Windows\system32\drivers\NISx64\1301000.01C\SRTSP64.SYS [729720 2011-08-02] (Symantec Corporation)
     S1 SRTSPX; C:\Windows\system32\drivers\NISx64\1301000.01C\SRTSPX64.SYS [37496 2011-08-02] (Symantec Corporation)
     S0 SymDS; C:\Windows\System32\drivers\NISx64\1301000.01C\SYMDS64.SYS [451192 2011-07-25] (Symantec Corporation)
     S0 SymEFA; C:\Windows\System32\drivers\NISx64\1301000.01C\SYMEFA64.SYS [1084536 2011-07-28] (Symantec Corporation)
     S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2012-05-07] (Symantec Corporation)
     S1 SymIRON; C:\Windows\system32\drivers\NISx64\1301000.01C\Ironx64.SYS [189560 2011-07-25] (Symantec Corporation)
     S1 SymNetS; C:\Windows\system32\drivers\NISx64\1301000.01C\SYMNETS.SYS [401016 2011-07-25] (Symantec Corporation)
     S2 TmFilter; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmXPFlt.sys [265744 2010-05-10] (Trend Micro Inc.)
     S1 tmlwf; C:\Windows\System32\DRIVERS\tmlwf.sys [200720 2009-07-15] (Trend Micro Inc.)
     S2 TmPreFilter; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmPreFlt.sys [42000 2010-05-10] (Trend Micro Inc.)
     S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [107536 2009-07-15] (Trend Micro Inc.)
     S2 tmwfp; C:\Windows\System32\DRIVERS\tmwfp.sys [339984 2009-07-15] (Trend Micro Inc.)
     S2 VSApiNt; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\VSApiNt.sys [2007056 2010-05-10] (Trend Micro Inc.)

     ==================== NetSvcs (Whitelisted) ===================

     ==================== One Month Created Files and Folders ========

     2013-10-12 16:46 - 2013-10-12 16:46 - 00000000 ____D C:\FRST
     2013-10-12 12:15 - 2013-10-12 12:15 - 00003224 ____N C:\bootsqm.dat
     2013-09-30 11:09 - 2013-10-12 12:23 - 00000004 _____ C:\Users\Mark Hunt\AppData\Roaming\settings.ini
     2013-09-17 07:28 - 2013-09-17 07:32 - 00000000 ____D C:\Users\Mark Hunt\Documents\Gas Station
     2013-09-12 00:06 - 2013-08-09 21:22 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
     2013-09-12 00:06 - 2013-08-09 21:22 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
     2013-09-12 00:06 - 2013-08-09 21:22 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
     2013-09-12 00:06 - 2013-08-09 21:21 - 19246592 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
     2013-09-12 00:06 - 2013-08-09 21:21 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
     2013-09-12 00:06 - 2013-08-09 21:21 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
     2013-09-12 00:06 - 2013-08-09 21:20 - 15404544 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
     2013-09-12 00:06 - 2013-08-09 21:20 - 03959296 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
     2013-09-12 00:06 - 2013-08-09 21:20 - 02647040 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
     2013-09-12 00:06 - 2013-08-09 21:20 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
     2013-09-12 00:06 - 2013-08-09 21:20 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
     2013-09-12 00:06 - 2013-08-09 21:20 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
     2013-09-12 00:06 - 2013-08-09 21:20 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
     2013-09-12 00:06 - 2013-08-09 21:20 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
     2013-09-12 00:06 - 2013-08-09 19:59 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
     2013-09-12 00:06 - 2013-08-09 19:59 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
     2013-09-12 00:06 - 2013-08-09 19:58 - 14332928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
     2013-09-12 00:06 - 2013-08-09 19:58 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
     2013-09-12 00:06 - 2013-08-09 19:58 - 02876928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
     2013-09-12 00:06 - 2013-08-09 19:58 - 02048000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
     2013-09-12 00:06 - 2013-08-09 19:58 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
     2013-09-12 00:06 - 2013-08-09 19:58 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
     2013-09-12 00:06 - 2013-08-09 19:58 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
     2013-09-12 00:06 - 2013-08-09 19:58 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
     2013-09-12 00:06 - 2013-08-09 19:58 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
     2013-09-12 00:06 - 2013-08-09 19:58 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
     2013-09-12 00:06 - 2013-08-09 19:58 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
     2013-09-12 00:06 - 2013-08-09 19:17 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
     2013-09-12 00:06 - 2013-08-09 19:07 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
     2013-09-12 00:06 - 2013-08-09 18:27 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
     2013-09-12 00:06 - 2013-08-09 18:17 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe

     ==================== One Month Modified Files and Folders =======

     2013-10-12 16:46 - 2013-10-12 16:46 - 00000000 ____D C:\FRST
     2013-10-12 12:35 - 2009-07-13 20:45 - 00014256 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
     2013-10-12 12:35 - 2009-07-13 20:45 - 00014256 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
     2013-10-12 12:31 - 2010-12-31 01:02 - 00000031 _____ C:\tmuninst.ini
     2013-10-12 12:28 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
     2013-10-12 12:28 - 2009-07-13 20:51 - 00037141 _____ C:\Windows\setupact.log
     2013-10-12 12:23 - 2013-09-30 11:09 - 00000004 _____ C:\Users\Mark Hunt\AppData\Roaming\settings.ini
     2013-10-12 12:23 - 2009-07-13 21:10 - 01672651 _____ C:\Windows\WindowsUpdate.log
     2013-10-12 12:20 - 2011-04-15 13:15 - 00000900 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
     2013-10-12 12:19 - 2013-02-10 17:14 - 00000000 ____D C:\Users\Mark Hunt\AppData\Roaming\Dropbox
     2013-10-12 12:19 - 2012-09-06 07:00 - 00000524 _____ C:\Windows\Tasks\SpeedyPC Update Version3 Startup Task.job
     2013-10-12 12:19 - 2011-01-24 10:01 - 00000000 ____D C:\Users\Mark Hunt\Tracing
     2013-10-12 12:15 - 2013-10-12 12:15 - 00003224 ____N C:\bootsqm.dat
     2013-10-12 12:09 - 2010-12-31 00:59 - 00000000 ____D C:\ProgramData\Sonic
     2013-10-12 10:10 - 2013-02-10 17:24 - 00000000 ___RD C:\Users\Mark Hunt\Desktop\Dropbox
     2013-10-12 10:10 - 2011-04-15 13:15 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
     2013-09-30 11:11 - 2011-02-10 01:03 - 00000721 _____ C:\Windows\TMFilter.log
     2013-09-30 10:45 - 2012-04-23 08:42 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
     2013-09-30 07:25 - 2011-10-03 07:40 - 00000000 ____D C:\Users\Mark Hunt\Documents\Randolph Retail
     2013-09-30 01:52 - 2012-01-04 08:13 - 00000428 _____ C:\Windows\Tasks\SpeedyPC Pro.job
     2013-09-29 15:00 - 2012-01-04 08:14 - 00000500 _____ C:\Windows\Tasks\SpeedyPC Registration3.job
     2013-09-28 22:18 - 2012-01-04 08:13 - 00000472 _____ C:\Windows\Tasks\SpeedyPC Update Version3.job
     2013-09-25 22:19 - 2012-11-21 23:19 - 00001203 _____ C:\Users\Mark Hunt\Desktop\SpeedyPC Pro.lnk
     2013-09-24 09:17 - 2011-10-17 08:27 - 00000000 ____D C:\Users\Mark Hunt\Documents\Crystal Palace
     2013-09-23 14:53 - 2011-01-19 08:28 - 00000000 ____D C:\Users\Mark Hunt\AppData\Local\CutePDF Writer
     2013-09-23 10:02 - 2012-06-04 07:54 - 00000000 ____D C:\Users\Mark Hunt\Documents\News Bldg
     2013-09-19 20:45 - 2012-04-23 08:42 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
     2013-09-19 20:45 - 2012-04-23 08:42 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
     2013-09-19 20:45 - 2011-05-13 05:16 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
     2013-09-19 18:10 - 2012-02-10 15:13 - 00002185 _____ C:\Users\Public\Desktop\Google Chrome.lnk
     2013-09-17 07:32 - 2013-09-17 07:28 - 00000000 ____D C:\Users\Mark Hunt\Documents\Gas Station
     2013-09-17 05:52 - 2012-11-06 12:32 - 00000000 ____D C:\Users\Mark Hunt\Documents\Base
     2013-09-17 05:27 - 2013-01-14 11:37 - 00000000 ____D C:\Users\Mark Hunt\Documents\Pisor
     2013-09-17 05:21 - 2011-08-04 08:58 - 00000000 ____D C:\Users\Mark Hunt\Documents\Gap
     2013-09-16 07:42 - 2012-09-19 13:50 - 00000000 ____D C:\Users\Mark Hunt\Documents\Bidwell
     2013-09-16 07:06 - 2012-03-21 07:40 - 00000000 ____D C:\ProgramData\Sonos,_Inc
     2013-09-16 07:04 - 2011-04-15 13:15 - 00000000 ____D C:\Users\Mark Hunt\AppData\Local\Google
     2013-09-16 07:03 - 2011-01-06 17:37 - 00000000 ___RD C:\Users\Mark Hunt\Virtual Machines
     2013-09-12 00:50 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
     2013-09-12 00:25 - 2009-07-13 20:45 - 00461464 _____ C:\Windows\System32\FNTCACHE.DAT
     2013-09-12 00:24 - 2010-12-31 02:28 - 00092570 _____ C:\Windows\PFRO.log
     2013-09-12 00:06 - 2011-01-07 10:56 - 00000000 ____D C:\ProgramData\Microsoft Help

     Files to move or delete:
     ====================
     C:\Users\Mark Hunt\AppData\Roaming\data.dat
     C:\Users\Mark Hunt\AppData\Roaming\settings.ini
     C:\Users\Mark Hunt\AppData\Roaming\i.ini

     Some content of TEMP:
     ====================
     C:\Users\Mark Hunt\AppData\Local\Temp\ApnStub.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\b34btbztdb0vavaw.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\converter.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\DropboxSetup.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\install.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u30-windows-i586-iftw-rv.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u35-windows-i586-iftw.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\Setup.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\SonosUpgrader.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\Update.exe
     C:\Users\Mark Hunt\AppData\Local\Temp\webyeryb3460vavaw.exe

     ==================== Known DLLs (Whitelisted) ================

     ==================== Bamital & volsnap Check =================

     C:\Windows\System32\winlogon.exe => MD5 is legit
     C:\Windows\System32\wininit.exe => MD5 is legit
     C:\Windows\SysWOW64\wininit.exe => MD5 is legit
     C:\Windows\explorer.exe => MD5 is legit
     C:\Windows\SysWOW64\explorer.exe => MD5 is legit
     C:\Windows\System32\svchost.exe => MD5 is legit
     C:\Windows\SysWOW64\svchost.exe => MD5 is legit
     C:\Windows\System32\services.exe => MD5 is legit
     C:\Windows\System32\User32.dll => MD5 is legit
     C:\Windows\SysWOW64\User32.dll => MD5 is legit
     C:\Windows\System32\userinit.exe => MD5 is legit
     C:\Windows\SysWOW64\userinit.exe => MD5 is legit
     C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

     ==================== EXE ASSOCIATION =====================

     HKLM\...\.exe: exefile => OK
     HKLM\...\exefile\DefaultIcon: %1 => OK
     HKLM\...\exefile\open\command: "%1" %* => OK

     ==================== Restore Points =========================

     12
     Restore point made on: 2013-09-10 02:37:13
     Restore point made on: 2013-09-10 22:32:20
     Restore point made on: 2013-09-12 00:00:39
     Restore point made on: 2013-09-12 22:13:17
     Restore point made on: 2013-09-17 00:36:30
     Restore point made on: 2013-09-17 21:37:03
     Restore point made on: 2013-09-19 21:37:05
     Restore point made on: 2013-09-24 00:39:53
     Restore point made on: 2013-09-24 22:11:54
     Restore point made on: 2013-09-29 22:01:52
     Restore point made on: 2013-10-01 07:36:06
     Restore point made on: 2013-10-08 08:14:54

     ==================== Memory info ===========================

     Percentage of memory in use: 15%
     Total physical RAM: 4055.11 MB
     Available physical RAM: 3413.21 MB
     Total Pagefile: 4053.26 MB
     Available Pagefile: 3409.2 MB
     Total Virtual: 8192 MB
     Available Virtual: 8191.88 MB

     ==================== Drives ================================

     Drive c: (OS) (Fixed) (Total:232.06 GB) (Free:149.93 GB) NTFS
     Drive e: (Malwarebytes) (CDROM) (Total:0.04 GB) (Free:0 GB) CDFS
     Drive f: (TOSHIBA) (Removable) (Total:14.44 GB) (Free:14.43 GB) FAT32
     Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
     Drive y: (RECOVERY) (Fixed) (Total:0.73 GB) (Free:0.51 GB) NTFS ==>[system with boot components (obtained from reading drive)]

     ==================== MBR & Partition Table ==================

     ========================================================
     Disk: 0 (Size: 233 GB) (Disk ID: 77E3ED41)
     Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
     Partition 2: (Active) - (Size=750 MB) - (Type=07 NTFS)
     Partition 3: (Not Active) - (Size=232 GB) - (Type=07 NTFS)

     ========================================================
     Disk: 1 (Size: 14 GB) (Disk ID: 6D914050)
     Partition 1: (Not Active) - (Size=14 GB) - (Type=0B)

     LastRegBack: 2013-09-20 21:57

     ==================== End Of Log ============================