Showing results for tags 'Ukash'.

Found 9 results

  1. Hi, I am struggling to remove the Ukash virus. I am using the trial version of Malwarebytes Premium but still no joy. The log files you asked for are attached and I really look forward to your reply. Addition.txt FRST.txt Regards, Jane
  2. Hello, I tried to search the forum in case somebody had the same issue as me but I'm less and less hopeful... so I will need your direct help to heal my computer! It (HP Mini, Windows 7 Starter, 32 bit) has been infected by a ransomware (French version) and there is absolutely nothing I can do. I tried to start in all the modes but I keep ending up on the ransomware page and since I have access to nothing I can't even seem to reach a program loaded on a USB key. If you know how to help me, I would be very grateful for your help, thank you in advance, Ema
  3. Hey, I posted before but accidentally replied to myself (probably should have read the pinned thread) anyway... I seem to have encountered the Australian media authority/Interpol Ukash ransomware on my HP Pavilion running Windows 7 Home Premium 32bit. The virus doesn't allow me to access my laptop with safe mode or safe mode with command prompt or safe mode with networking or even in normal mode. However I've downloaded and run a scan with FRST and have the log below. Not really sure where to go from here. Thank you in advance, KB

     Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-08-2013
     Ran by SYSTEM on 29-08-2013 18:53:10
     Running from H:\
     Windows 7 Home Premium (X86) OS Language: English(US)
     Internet Explorer Version 10
     Boot Mode: Recovery
     The current controlset is ControlSet001
     ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

     ==================== Registry (Whitelisted) ==================

     HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1549608 2009-08-14] (Synaptics Incorporated)
     HKLM\...\Run: [HPCam_Menu] - c:\Program Files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
     HKLM\...\Run: [smartMenu] - C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [567864 2009-08-25] ()
     HKLM\...\Run: [QlbCtrl.exe] - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [322104 2009-08-20] ( Hewlett-Packard Development Company, L.P.)
     HKLM\...\Run: [NortonOnlineBackupReminder] - C:\Program Files\Symantec\Norton Online Backup\Activation\NobuActivation.exe [600936 2009-06-29] (Symantec Corporation)
     HKLM\...\Run: [WirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
     HKLM\...\Run: [sysTrayApp] - C:\Program Files\IDT\WDM\sttray.exe [495708 2011-03-10] (IDT, Inc.)
     HKLM\...\Run: [AppleSyncNotifier] - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-01] (Apple Inc.)
     HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.)
     HKLM\...\Run: [DivXUpdate] - C:\Program Files\DivX\DivX Update\DivXUpdate.exe [1259376 2011-07-28] ()
     HKLM\...\Run: [HP Software Update] - C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
     HKLM\...\Run: [KiesTrayAgent] - C:\Program Files\Samsung\Kies\KiesTrayAgent.exe [3521464 2012-06-07] (Samsung Electronics Co., Ltd.)
     HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2012-04-18] (Apple Inc.)
     HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [421776 2012-06-07] (Apple Inc.)
     HKLM\...\Run: [Trend Micro Titanium] - C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe [1374328 2013-05-29] (Trend Micro Inc.)
     HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-02] (Sun Microsystems, Inc.)
     HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
     HKLM\...\Run: [Trend Micro Client Framework] - C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe [132920 2013-02-04] (Trend Micro Inc.)
     HKU\DSE\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [ 2009-08-20] (Hewlett-Packard Company)
     HKU\DSE\...\Run: [msnmsgr] - C:\Program Files\Windows Live\Messenger\msnmsgr.exe [ 2009-07-26] (Microsoft Corporation)
     HKU\DSE\...\Run: [uTorrent] - C:\Program Files\uTorrent\uTorrent.exe [ 2010-04-20] (BitTorrent, Inc.)
     HKU\DSE\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [ 2009-09-29] (Hewlett-Packard)
     HKU\DSE\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2011-03-29] (Google Inc.)
     HKU\DSE\...\Run: [MobileDocuments] - C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [ 2012-02-22] (Apple Inc.)
     HKU\DSE\...\Run: [DAEMON Tools Pro Agent] - C:\Program Files\DAEMON Tools Pro\DTAgent.exe [ 2012-02-02] (DT Soft Ltd)
     HKU\DSE\...\Run: [KiesHelper] - C:\Program Files\Samsung\Kies\KiesHelper.exe [ 2012-06-07] (Samsung)
     HKU\DSE\...\Run: [KiesAirMessage] - C:\Program Files\Samsung\Kies\KiesAirMessage.exe -startup [x]
     HKU\DSE\...\Run: [KiesPDLR] - C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [ 2012-06-07] ()
     HKU\DSE\...\Winlogon: [shell] explorer.exe,C:\Users\DSE\AppData\Roaming\cache.dat [ 2013-08-25] () <==== ATTENTION

     ==================== Services (Whitelisted) =================

     S2 AgereModemAudio; C:\Program Files\LSI SoftModem\agrsmsvc.exe [14336 2009-03-27] (LSI Corporation)
     S2 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [247152 2009-07-06] ()
     S2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_1f4e5527ca660a3d\STacSV.exe [229458 2011-03-10] (IDT, Inc.)
     S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad [x]

     ==================== Drivers (Whitelisted) ====================

     S0 CLFS; C:\Windows\System32\CLFS.sys [249408 2009-07-13] (Microsoft Corporation)
     S0 sptd; C:\Windows\System32\Drivers\sptd.sys [473656 2012-03-08] (Duplex Secure Ltd.)
     S1 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [96248 2012-12-21] (Trend Micro Inc.)
     S0 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [258976 2012-12-21] (Trend Micro Inc.)
     S0 TMEBC; C:\Windows\System32\DRIVERS\TMEBC32.sys [38328 2012-08-24] (Trend Micro Inc.)
     S3 tmeevw; C:\Windows\System32\DRIVERS\tmeevw.sys [83256 2012-12-07] (Trend Micro Inc.)
     S1 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [76648 2012-12-21] (Trend Micro Inc.)
     S3 tmnciesc; C:\Windows\System32\DRIVERS\tmnciesc.sys [171064 2012-07-05] (Trend Micro Inc.)
     S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [92304 2012-05-02] (Trend Micro Inc.)
     S2 TMAgent;

     ==================== NetSvcs (Whitelisted) ===================

     ==================== One Month Created Files and Folders ========

     2013-08-25 00:13 - 2013-08-28 23:40 - 00000004 _____ C:\Users\DSE\AppData\Roaming\cache.ini
     2013-08-25 00:08 - 2013-08-25 00:07 - 00062976 _____ C:\Users\DSE\AppData\Roaming\cache.dat
     2013-08-14 07:27 - 2013-08-14 07:27 - 00000000 ____D C:\Windows\System32\MRT
     2013-08-14 07:19 - 2013-07-25 19:13 - 01767936 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
     2013-08-14 07:19 - 2013-07-25 19:13 - 01141248 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
     2013-08-14 07:19 - 2013-07-25 19:13 - 00042496 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
     2013-08-14 07:19 - 2013-07-25 19:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
     2013-08-14 07:19 - 2013-07-25 19:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
     2013-08-14 07:19 - 2013-07-25 19:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
     2013-08-14 07:19 - 2013-07-25 19:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
     2013-08-14 07:19 - 2013-07-25 19:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
     2013-08-14 07:19 - 2013-07-25 19:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
     2013-08-14 07:19 - 2013-07-25 19:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
     2013-08-14 07:19 - 2013-07-25 19:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
     2013-08-14 07:19 - 2013-07-25 19:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
     2013-08-14 07:19 - 2013-07-25 19:11 - 13761024 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
     2013-08-14 07:19 - 2013-07-25 19:11 - 00033280 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
     2013-08-14 07:19 - 2013-07-25 18:49 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
     2013-08-14 07:19 - 2013-07-25 17:59 - 00071680 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
     2013-08-14 02:18 - 2013-07-25 00:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
     2013-08-14 02:18 - 2013-07-18 17:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\tzres.dll
     2013-08-14 02:18 - 2013-07-08 21:03 - 03968960 _____ (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
     2013-08-14 02:18 - 2013-07-08 21:03 - 03913664 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
     2013-08-14 02:18 - 2013-07-08 20:53 - 01289096 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
     2013-08-14 02:18 - 2013-07-08 20:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\System32\wintrust.dll
     2013-08-14 02:18 - 2013-07-08 20:50 - 00652800 _____ (Microsoft Corporation) C:\Windows\System32\rpcrt4.dll
     2013-08-14 02:18 - 2013-07-08 20:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\System32\crypt32.dll
     2013-08-14 02:18 - 2013-07-08 20:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
     2013-08-14 02:18 - 2013-07-08 20:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
     2013-08-14 02:18 - 2013-07-05 21:05 - 01293760 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
     2013-08-14 02:17 - 2013-06-14 19:38 - 00031232 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tssecsrv.sys
     2013-08-11 23:36 - 2013-08-11 23:39 - 00096768 ___SH C:\Users\DSE\Downloads\Thumbs.db
     2013-08-06 00:16 - 2013-08-06 00:52 - 00000000 ____D C:\Users\DSE\Downloads\adventure time season 4
     2013-08-02 05:02 - 2013-08-24 03:30 - 00000000 ____D C:\Users\DSE\AppData\Roaming\vlc
     2013-08-02 05:02 - 2013-08-02 05:02 - 00000984 _____ C:\Users\Public\Desktop\VLC media player.lnk
     2013-08-02 05:01 - 2013-08-02 05:01 - 00000000 ____D C:\Program Files\VideoLAN
     2013-08-02 04:58 - 2013-08-02 05:00 - 23003252 _____ C:\Users\DSE\Downloads\vlc-2.0.8-win32.exe
     2013-08-02 01:07 - 2013-08-02 01:53 - 00006144 _____ C:\Users\DSE\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
     2013-08-02 01:01 - 2013-08-02 04:56 - 00000000 ____D C:\Users\DSE\Downloads\Adventure Time Season 3 Complete

     ==================== One Month Modified Files and Folders =======

     2013-08-29 00:05 - 2009-07-13 20:34 - 00023248 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
     2013-08-29 00:05 - 2009-07-13 20:34 - 00023248 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
     2013-08-29 00:01 - 2009-12-25 01:27 - 02088213 _____ C:\Windows\WindowsUpdate.log
     2013-08-28 23:57 - 2009-07-13 20:39 - 00114704 _____ C:\Windows\setupact.log
     2013-08-28 23:43 - 2012-05-13 18:16 - 00000258 __RSH C:\ProgramData\ntuser.pol
     2013-08-28 23:40 - 2013-08-25 00:13 - 00000004 _____ C:\Users\DSE\AppData\Roaming\cache.ini
     2013-08-28 23:40 - 2010-04-20 17:02 - 00000000 ____D C:\Users\DSE\AppData\Roaming\uTorrent
     2013-08-28 23:39 - 2010-02-02 16:36 - 00000000 ____D C:\Users\DSE\AppData\Roaming\HpUpdate
     2013-08-28 23:35 - 2010-02-17 00:48 - 00000000 ____D C:\Users\DSE\Tracing
     2013-08-28 23:34 - 2010-04-23 15:33 - 00000000 ____D C:\Users\DSE\AppData\Local\CrashDumps
     2013-08-25 00:07 - 2013-08-25 00:08 - 00062976 _____ C:\Users\DSE\AppData\Roaming\cache.dat
     2013-08-24 03:30 - 2013-08-02 05:02 - 00000000 ____D C:\Users\DSE\AppData\Roaming\vlc
     2013-08-24 03:30 - 2012-10-29 05:29 - 00000000 ____D C:\Users\DSE\Downloads\Archer Season 1
     2013-08-23 15:18 - 2011-03-29 05:23 - 00002089 _____ C:\Users\Public\Desktop\Google Chrome.lnk
     2013-08-22 21:19 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
     2013-08-22 14:16 - 2011-11-24 13:15 - 00000000 _____ C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
     2013-08-22 14:16 - 2010-03-01 22:59 - 00000052 _____ C:\Windows\System32\DOErrors.log
     2013-08-15 06:40 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
     2013-08-15 05:35 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
     2013-08-14 07:30 - 2013-08-14 07:27 - 00000000 ____D C:\Windows\System32\MRT
     2013-08-14 07:27 - 2012-09-25 05:48 - 75778376 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
     2013-08-14 07:24 - 2009-09-06 15:02 - 00747890 _____ C:\Windows\System32\PerfStringBackup.INI
     2013-08-11 23:39 - 2013-08-11 23:36 - 00096768 ___SH C:\Users\DSE\Downloads\Thumbs.db
     2013-08-11 23:36 - 2012-04-01 22:28 - 00000000 ____D C:\Users\DSE\Downloads\Game.of.Thrones.S02E01.HDTV.x264-ASAP [PublicHD.ORG]
     2013-08-07 14:23 - 2012-07-16 23:22 - 00000000 ____D C:\Users\DSE\Downloads\Bones - Season 1
     2013-08-06 00:52 - 2013-08-06 00:16 - 00000000 ____D C:\Users\DSE\Downloads\adventure time season 4
     2013-08-05 00:23 - 2013-07-14 03:55 - 00000000 ____D C:\Users\DSE\Downloads\Archer.2009.S04E01-13.720p.WEB-DL.x264.AAC
     2013-08-02 05:02 - 2013-08-02 05:02 - 00000984 _____ C:\Users\Public\Desktop\VLC media player.lnk
     2013-08-02 05:01 - 2013-08-02 05:01 - 00000000 ____D C:\Program Files\VideoLAN
     2013-08-02 05:00 - 2013-08-02 04:58 - 23003252 _____ C:\Users\DSE\Downloads\vlc-2.0.8-win32.exe
     2013-08-02 04:56 - 2013-08-02 01:01 - 00000000 ____D C:\Users\DSE\Downloads\Adventure Time Season 3 Complete
     2013-08-02 01:53 - 2013-08-02 01:07 - 00006144 _____ C:\Users\DSE\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
     2013-08-01 22:20 - 2011-03-29 05:21 - 00000000 ____D C:\Program Files\Google
     2013-08-01 21:53 - 2010-05-10 18:41 - 00000000 ____D C:\Users\DSE\AppData\Local\Adobe
     2013-08-01 21:25 - 2012-08-06 23:17 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
     2013-08-01 21:25 - 2011-12-13 14:52 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

     Files to move or delete:
     ====================
     C:\Users\DSE\iTunesSetup.exe
     C:\Users\DSE\AppData\Roaming\cache.dat
     C:\Users\DSE\AppData\Roaming\cache.ini
     C:\Users\DSE\AppData\Local\Temp\gsctmlviidrubmpel.exe
     C:\Users\DSE\AppData\Local\Temp\SCC.dll
     C:\Users\DSE\AppData\Local\Temp\TsuFCA74EC2.dll
     C:\Users\DSE\AppData\Local\Temp\{B47A25A5-5E9B-4CCF-AE24-16B96F990753}\Custom.dll
     C:\Users\DSE\AppData\Local\Temp\{B47A25A5-5E9B-4CCF-AE24-16B96F990753}\Setup.exe
     C:\Users\DSE\AppData\Local\Temp\{B47A25A5-5E9B-4CCF-AE24-16B96F990753}\_Setup.dll
     C:\Users\DSE\AppData\Local\Temp\HP Support Framework\HPSF_Config1.dll
     C:\Users\DSE\AppData\Local\Temp\26b4a1dd-e07b-48af-be4e-9642b273284b\CliSecureRT.dll

     ==================== Known DLLs (Whitelisted) ============

     ==================== Bamital & volsnap Check =================

     C:\Windows\explorer.exe => MD5 is legit
     C:\Windows\System32\winlogon.exe => MD5 is legit
     C:\Windows\System32\wininit.exe => MD5 is legit
     C:\Windows\System32\svchost.exe => MD5 is legit
     C:\Windows\System32\services.exe => MD5 is legit
     C:\Windows\System32\User32.dll => MD5 is legit
     C:\Windows\System32\userinit.exe => MD5 is legit
     C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

     ==================== EXE ASSOCIATION =====================

     HKLM\...\.exe: exefile => OK
     HKLM\...\exefile\DefaultIcon: %1 => OK
     HKLM\...\exefile\open\command: "%1" %* => OK

     ==================== Restore Points =========================

     Restore point made on: 2013-07-25 22:26:20
     Restore point made on: 2013-08-01 21:27:49
     Restore point made on: 2013-08-05 23:16:28
     Restore point made on: 2013-08-11 23:47:20
     Restore point made on: 2013-08-14 07:18:43
     Restore point made on: 2013-08-21 22:46:40
     Restore point made on: 2013-08-28 23:36:07

     ==================== Memory info ===========================

     Percentage of memory in use: 15%
     Total physical RAM: 4022.87 MB
     Available physical RAM: 3392.39 MB
     Total Pagefile: 4021.14 MB
     Available Pagefile: 3392.64 MB
     Total Virtual: 2047.88 MB
     Available Virtual: 1936.21 MB

     ==================== Drives ================================

     Drive c: () (Fixed) (Total:453.75 GB) (Free:166.13 GB) NTFS ==>[system with boot components (obtained from reading drive)]
     Drive e: (RECOVERY) (Fixed) (Total:11.71 GB) (Free:1.95 GB) NTFS ==>[system with boot components (obtained from reading drive)]
     Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
     Drive h: (HITMANPRO) (Removable) (Total:0.95 GB) (Free:0.95 GB) FAT32
     Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
     Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[system with boot components (obtained from reading drive)]

     ==================== MBR & Partition Table ==================

     ========================================================
     Disk: 0 (Size: 466 GB) (Disk ID: 88DB4E50)
     Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
     Partition 2: (Not Active) - (Size=454 GB) - (Type=07 NTFS)
     Partition 3: (Not Active) - (Size=12 GB) - (Type=07 NTFS)
     Partition 4: (Not Active) - (Size=103 MB) - (Type=0C)

     ========================================================
     Disk: 1 (Size: 983 MB) (Disk ID: D3F20374)
     Partition 1: (Active) - (Size=981 MB) - (Type=0B)

     LastRegBack: 2013-08-22 00:13

     ==================== End Of Log ============================
  4. I am fairly ignorant about computers. The infected laptop is Win 7 64bit. The virus is Ukash. I can't use safe mode or use system restore so I have no idea what to do. I looked at a similar thread, so I downloaded Farbar Recovery Scan Tool and used it on the infected computer. This is what I got:

     Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 16-08-2013 01
     Ran by SYSTEM on 16-08-2013 15:11:41
     Running from F:\
     Windows 7 Home Premium (X64) OS Language: English(US)
     Internet Explorer Version 10
     Boot Mode: Recovery
     The current controlset is ControlSet001
     ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

     ==================== Registry (Whitelisted) ==================

     HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1220392 2008-05-20] (Synaptics, Inc.)
     HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [6956576 2009-01-06] (Realtek Semiconductor)
     HKLM\...\Run: [skytel] - C:\Program Files\Realtek\Audio\HDA\Skytel.exe [1833504 2009-01-06] (Realtek Semiconductor Corp.)
     HKLM\...\Run: [PSQLLauncher] - C:\Program Files\Protector Suite QL\launcher.exe [66824 2008-08-04] (UPEK Inc.)
     HKLM\...\Run: [Zune Launcher] - c:\Program Files\Zune\ZuneLauncher.exe [163552 2011-08-05] (Microsoft Corporation)
     HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
     Winlogon\Notify\psfus: C:\Windows\system32\psqlpwd.dll (UPEK Inc.)
     HKLM-x32\...\Run: [startCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [61440 2009-02-10] (Advanced Micro Devices, Inc.)
     HKLM-x32\...\Run: [Microsoft Default Manager] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [439568 2010-05-10] (Microsoft Corporation)
     HKLM-x32\...\Run: [vProt] - C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2285232 2013-07-30] ()
     HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
     HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-09-27] (Apple Inc.)
     HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2011-10-24] (Apple Inc.)
     HKU\Shawn\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [163328 2010-11-20] (Microsoft Corporation)
     HKU\Shawn\...\Run: [steam] - c:\program files (x86)\steam\steam.exe [1807272 2013-07-26] (Valve Corporation)
     HKU\Shawn\...\Run: [Pando Media Booster] - C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe [3093624 2012-11-26] ()
     HKU\Shawn\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_224_ActiveX.exe [514952 2013-06-11] (Adobe Systems Incorporated)
     Lsa: [Notification Packages] scecli psqlpwd
     Startup: C:\Users\Shawn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
     ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

     ==================== Services (Whitelisted) =================

     S3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [109056 2009-02-06] (ArcSoft Inc.)
     S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
     S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
     S3 PACSPTISVR; C:\Program Files (x86)\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [114688 2009-01-07] (Sony Corporation)
     S2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [141344 2009-01-06] (Realtek Semiconductor)
     S2 uCamMonitor; C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [104960 2008-09-18] (ArcSoft, Inc.)
     S2 vToolbarUpdater15.4.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe [1616048 2013-07-30] (AVG Secure Search)

     ==================== Drivers (Whitelisted) ====================

     S3 ArcSoftKsUFilter; C:\Windows\System32\DRIVERS\ArcSoftKsUFilter.sys [19968 2008-04-24] (ArcSoft, Inc.)
     S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-07-30] (AVG Technologies)
     S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
     S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
     S2 risdptsk; C:\Windows\System32\DRIVERS\risdsn64.sys [76288 2008-10-22] (REDC)
     S0 shpf; C:\Windows\System32\DRIVERS\shpf.sys [25120 2008-08-26] (Sony Corporation)

     ==================== NetSvcs (Whitelisted) ===================

     ==================== One Month Created Files and Folders ========

     2013-08-15 22:06 - 2013-08-15 22:06 - 02019389 _____ C:\ProgramData\2433f433
     2013-08-15 22:06 - 2013-08-15 22:06 - 02019384 _____ C:\Users\Shawn\AppData\Local\2433f433
     2013-08-15 22:06 - 2013-08-15 22:06 - 02019329 _____ C:\Users\Shawn\AppData\Roaming\2433f433
     2013-08-13 20:14 - 2013-08-13 20:14 - 00000000 ____D C:\Users\Public\Documents\Education
     2013-08-12 22:23 - 2013-08-12 22:23 - 00000000 ____D C:\Program Files\Symantec
     2013-08-07 06:29 - 2013-08-07 06:29 - 00000000 ____D C:\Users\Public\Downloads\Norton
     2013-08-05 17:06 - 2013-08-05 17:06 - 00000000 ____D C:\Users\Shawn\AppData\Roaming\Apple Computer
     2013-08-03 09:12 - 2013-08-03 09:12 - 00000000 ____D C:\Users\Shawn\Downloads\BogusTrivia 2.06.4.6
     2013-08-03 09:04 - 2013-08-03 09:04 - 00448181 _____ C:\Users\Shawn\Downloads\BogusTrivia 2.06.4.6.zip
     2013-07-29 02:04 - 2013-08-15 09:55 - 00000000 ____D C:\Windows\System32\MRT
     2013-07-28 06:56 - 2013-07-28 06:56 - 00000000 ____D C:\ProgramData\Apple Computer
     2013-07-28 06:56 - 2013-07-28 06:56 - 00000000 ____D C:\Program Files (x86)\QuickTime
     2013-07-28 06:54 - 2013-07-28 06:54 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
     2013-07-28 06:53 - 2013-07-28 06:53 - 39401336 _____ (Apple Inc.) C:\Users\Shawn\Downloads\QuickTimeInstaller.exe
     2013-07-19 15:18 - 2013-07-19 15:18 - 07876512 _____ (Adobe Systems Inc.) C:\Users\Shawn\Downloads\Shockwave_Installer_Slim (1).exe

     ==================== One Month Modified Files and Folders =======

     2013-08-16 00:28 - 2010-01-26 21:36 - 00000000 ____D C:\users\Shawn
     2013-08-16 00:27 - 2013-03-08 01:36 - 00000000 ____D C:\ProgramData\AVG SafeGuard toolbar
     2013-08-16 00:27 - 2013-03-08 01:36 - 00000000 ____D C:\Program Files (x86)\AVG SafeGuard toolbar
     2013-08-16 00:27 - 2012-11-26 05:09 - 00000000 ____D C:\ProgramData\PMB Files
     2013-08-16 00:27 - 2012-04-12 01:06 - 00000000 ____D C:\Program Files (x86)\I Want This
     2013-08-16 00:27 - 2009-09-04 16:42 - 00000000 ____D C:\Users\Shawn\AppData\Roaming\ArcSoft
     2013-08-16 00:27 - 2009-09-01 10:26 - 00000000 ____D C:\ProgramData\Norton
     2013-08-16 00:27 - 2009-09-01 09:54 - 00000000 ____D C:\ProgramData\Microsoft Help
     2013-08-16 00:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
     2013-08-16 00:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
     2013-08-16 00:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
     2013-08-16 00:27 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
     2013-08-15 22:06 - 2013-08-15 22:06 - 02019389 _____ C:\ProgramData\2433f433
     2013-08-15 22:06 - 2013-08-15 22:06 - 02019384 _____ C:\Users\Shawn\AppData\Local\2433f433
     2013-08-15 22:06 - 2013-08-15 22:06 - 02019329 _____ C:\Users\Shawn\AppData\Roaming\2433f433
     2013-08-15 10:00 - 2013-07-29 02:04 - 00000000 ____D C:\Windows\System32\MRT
     2013-08-13 20:14 - 2013-08-13 20:14 - 00000000 ____D C:\Users\Public\Documents\Education
     2013-08-12 22:23 - 2013-08-12 22:23 - 00000000 ____D C:\Program Files\Symantec
     2013-08-11 23:07 - 2012-11-26 05:09 - 00000000 ____D C:\Users\Shawn\AppData\Local\PMB Files
     2013-08-09 09:35 - 2010-01-26 22:19 - 02052344 _____ C:\Windows\WindowsUpdate.log
     2013-08-09 09:31 - 2013-04-26 18:29 - 00000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
     2013-08-09 09:24 - 2012-07-28 17:36 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
     2013-08-08 21:48 - 2009-07-13 20:51 - 04969425 _____ C:\Windows\setupact.log
     2013-08-08 14:31 - 2013-04-26 18:29 - 00000892 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
     2013-08-07 12:02 - 2011-10-03 18:38 - 00000402 ____H C:\Windows\Tasks\Norton Security Scan for Shawn.job
     2013-08-07 06:29 - 2013-08-07 06:29 - 00000000 ____D C:\Users\Public\Downloads\Norton
     2013-08-05 17:56 - 2010-01-26 21:35 - 00011120 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
     2013-08-05 17:56 - 2010-01-26 21:35 - 00011120 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
     2013-08-05 17:50 - 2009-07-13 21:13 - 00726444 _____ C:\Windows\System32\PerfStringBackup.INI
     2013-08-05 17:07 - 2009-09-09 18:26 - 00000000 ____D C:\Program Files (x86)\Steam
     2013-08-05 17:06 - 2013-08-05 17:06 - 00000000 ____D C:\Users\Shawn\AppData\Roaming\Apple Computer
     2013-08-05 17:05 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
     2013-08-03 09:12 - 2013-08-03 09:12 - 00000000 ____D C:\Users\Shawn\Downloads\BogusTrivia 2.06.4.6
     2013-08-03 09:04 - 2013-08-03 09:04 - 00448181 _____ C:\Users\Shawn\Downloads\BogusTrivia 2.06.4.6.zip
     2013-08-01 10:34 - 2013-04-26 18:29 - 00002188 _____ C:\Users\Public\Desktop\Google Chrome.lnk
     2013-07-30 02:07 - 2013-03-08 01:36 - 00045856 _____ (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
     2013-07-29 06:18 - 2009-09-13 00:45 - 00000000 ____D C:\Users\Shawn\Documents\School Papers
     2013-07-28 06:56 - 2013-07-28 06:56 - 00000000 ____D C:\ProgramData\Apple Computer
     2013-07-28 06:56 - 2013-07-28 06:56 - 00000000 ____D C:\Program Files (x86)\QuickTime
     2013-07-28 06:54 - 2013-07-28 06:54 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
     2013-07-28 06:53 - 2013-07-28 06:53 - 39401336 _____ (Apple Inc.) C:\Users\Shawn\Downloads\QuickTimeInstaller.exe
     2013-07-19 15:18 - 2013-07-19 15:18 - 07876512 _____ (Adobe Systems Inc.) C:\Users\Shawn\Downloads\Shockwave_Installer_Slim (1).exe
     2013-07-19 15:18 - 2010-07-21 15:35 - 00000000 ____D C:\Windows\SysWOW64\Adobe

     ZeroAccess:
     C:\$Recycle.Bin\S-1-5-21-2249149611-3261099150-3482308780-1000\$bb0bb305beeff25c45e6009089919155

     Files to move or delete:
     ====================
     C:\ProgramData\piz_0ef.pad
     C:\ProgramData\z7_0ytr.pad

     ==================== Known DLLs (Whitelisted) ================

     ==================== Bamital & volsnap Check =================

     C:\Windows\System32\winlogon.exe => MD5 is legit
     C:\Windows\System32\wininit.exe => MD5 is legit
     C:\Windows\SysWOW64\wininit.exe => MD5 is legit
     C:\Windows\explorer.exe => MD5 is legit
     C:\Windows\SysWOW64\explorer.exe => MD5 is legit
     C:\Windows\System32\svchost.exe => MD5 is legit
     C:\Windows\SysWOW64\svchost.exe => MD5 is legit
     C:\Windows\System32\services.exe => MD5 is legit
     C:\Windows\System32\User32.dll => MD5 is legit
     C:\Windows\SysWOW64\User32.dll => MD5 is legit
     C:\Windows\System32\userinit.exe => MD5 is legit
     C:\Windows\SysWOW64\userinit.exe => MD5 is legit
     C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

     ==================== EXE ASSOCIATION =====================

     HKLM\...\.exe: exefile => OK
     HKLM\...\exefile\DefaultIcon: %1 => OK
     HKLM\...\exefile\open\command: "%1" %* => OK

     ==================== Restore Points =========================

     Restore point made on: 2013-06-26 02:15:20
     Restore point made on: 2013-06-26 20:56:51
     Restore point made on: 2013-06-26 21:14:10
     Restore point made on: 2013-06-30 02:17:01
     Restore point made on: 2013-07-01 09:05:48
     Restore point made on: 2013-07-01 09:06:22
     Restore point made on: 2013-07-03 18:02:16
     Restore point made on: 2013-07-07 08:00:49
     Restore point made on: 2013-07-08 07:15:18
     Restore point made on: 2013-07-10 09:27:08
     Restore point made on: 2013-07-11 08:34:56
     Restore point made on: 2013-07-14 23:39:24
     Restore point made on: 2013-07-18 14:20:14
     Restore point made on: 2013-07-22 13:56:03
     Restore point made on: 2013-07-23 14:51:22
     Restore point made on: 2013-07-27 06:09:00
     Restore point made on: 2013-07-28 06:55:47
     Restore point made on: 2013-07-29 02:00:25
     Restore point made on: 2013-08-01 10:38:06
     Restore point made on: 2013-08-05 14:14:15
     Restore point made on: 2013-08-06 07:39:20
     Restore point made on: 2013-08-09 09:35:40
     Restore point made on: 2013-08-13 08:59:33
     Restore point made on: 2013-08-15 09:53:52
     Restore point made on: 2013-08-15 22:06:49

     ==================== Memory info ===========================

     Percentage of memory in use: 14%
     Total physical RAM: 4063.04 MB
     Available physical RAM: 3462.97 MB
     Total Pagefile: 4061.19 MB
     Available Pagefile: 3459.12 MB
     Total Virtual: 8192 MB
     Available Virtual: 8191.85 MB

     ==================== Drives ================================

     Drive c: (Vista) (Fixed) (Total:287.54 GB) (Free:115.49 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
     Drive d: (Recovery) (Fixed) (Total:10.55 GB) (Free:0.81 GB) NTFS ==>[system with boot components (obtained from reading drive)]
     Drive f: (HP v125w) (Removable) (Total:7.52 GB) (Free:7.52 GB) FAT32
     Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

     ==================== MBR & Partition Table ==================

     ========================================================
     Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: DEF791C4)
     Partition 1: (Not Active) - (Size=11 GB) - (Type=27)
     Partition 2: (Active) - (Size=288 GB) - (Type=07 NTFS)

     ========================================================
     Disk: 1 (MBR Code: Windows XP) (Size: 8 GB) (Disk ID: C3072E18)
     Partition 1: (Not Active) - (Size=8 GB) - (Type=0C)

     LastRegBack: 2013-08-12 21:49

     ==================== End Of Log ============================
  5. Hi, one of our computers has recently become infected with the rather nastily updated version of the PCEU (Ukash type) ransomware. I have been attempting to use the fix that is already on this forum but I need the fixlist.txt script in order to finish that initial stage of the process. Could a mod please help with this using the following log from Farbar?
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-06-2013 01 Ran by SYSTEM on 07-06-2013 10:17:33 Running from I:\ Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US) Internet Explorer Version 9 Boot Mode: Recovery The current controlset is ControlSet001
  6. Hi, my PC running XP Professional SP3 has been infected with the Bedford Police version of the Ukash ransomware (about 2 weeks ago). I cannot boot in Safe Mode, Safe Mode with Networking or Safe Mode with Command Prompt without the hijack screen taking over and not allowing me any access to Windows. I also tried running Malwarebytes (which was already installed on the PC) via New Task in Task Mgr. After searching the web for advice I have made a USB with HitmanPro and have changed the boot order in BIOS Setup and can get the Kickstart USB Boot Options menu up, but I cannot enter a choice. The cursor is flashing but the wireless keyboard is not responding. Sorry for the lack of new paragraphs in this post but the return key on the Samsung netbook I am using to post this will not work here. Hope you can help.
  7. I need help to remove the Ukash malware infection from my laptop. I'm using Windows 7 64-bit. Windows boots OK until the desktop shows up, then immediately goes to a white screen, so I can't click on and run Malwarebytes. Sometimes it remains a white screen; other times it goes to a ransomware message offering to unlock my computer for a fine of $150 using Ukash. After looking at other posts I have booted to System Recovery and run Farbar64. The log is pasted below. Any help greatly appreciated. Chris
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-04-2013 03 Ran by SYSTEM on 26-04-2013 12:36:05 Running from G:\ Windows 7 Home Premium (X64) OS Language: English(US) Internet Explorer Version 9 Boot Mode: Recovery The current controlset is ControlSet002
================================================================================== Disk: 1 Partition 1 Type : 0B Hidden: No Active: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 4 G Cruzer FAT32 Removable 7655 MB Healthy ========================================================= ============================== MBR & Partition Table ================== ==================================================================== Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 9512B8F5) Partition 1: (Not Active) - (Size=2 GB) - (Type=12) Partition 2: (Active) - (Size=148 GB) - (Type=07) (NTFS) Partition 3: (Not Active) - (Size=139 GB) - (Type=07) (NTFS) Partition 4: (Not Active) - (Size=10 GB) - (Type=12) ==================================================================== Disk: 1 (Size: 7 GB) (Disk ID: 00000000) Partition 1: (Not Active) - (Size=7 GB) - (Type=0B) Last Boot: 2013-04-24 01:48 ==================== End Of Log ============================
  8. I was asked to look at a friend's Vista PC infected with what I believe is known as the Ukash, West Yorkshire Police ransomware. The PC would boot and then a full screen Internet Explorer window would open, purporting to be from the police and demanding a payment to unlock the PC. Booting from AVG's Linux boot disk and running a scan from there seems to have killed some of the nasties, but not all. The PC now boots to a desktop and seems to run pretty much normally, until I try and run any form of virus scanner. Windows Defender, Microsoft Security Essentials and Malwarebytes all fail to complete a scan, locking up and requiring a reboot. So I assume there are still remnants of whatever infection was on the machine, and would appreciate any assistance in cleaning this PC up. I have managed to run DDS, and have attached logs to this post. Thanks, Mike. attach.txt dds.txt
  9. I'm sure you're familiar with this one, but for some reason MBytes will not remove it. I own the product, but it will not extricate this crap. What to do?