
Computer badly infected with Ransomware - Need help with FRST64 logs


EHaber


Hello. I work in IT for a small law firm. I've seen and removed the FBI Ransomware virus a few times, but this one is particularly nasty and is on one of the firm's partners' laptops. I can't get past the virus to run any kind of AV software. Following other threads in this forum, I have been able to run the FRST64 scanner from a command prompt, but nothing else. Attempting to run other programs from the command prompt gives me "The subsystem needed to support the image type is not present."

I'm hopeful someone can decipher these two logs from FRST64 and help me create a fixlist so that I can get past the virus for just a few minutes and run ComboFix, Malwarebytes Anti-Malware, and anything else I can find. Here is the FRST log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-12-2012 01

Ran by SYSTEM at 26-12-2012 09:54:21

Running from F:\

Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11775592 2011-01-18] (Realtek Semiconductor)

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2679592 2011-02-03] (Synaptics Incorporated)

HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [590256 2011-05-17] (TOSHIBA Corporation)

HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [296824 2010-09-25] (TOSHIBA Corporation)

HKLM\...\Run: [TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [972672 2011-04-27] (TOSHIBA Corporation)

HKLM\...\Run: [IntelPAN] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PAN Tray [1935120 2011-06-01] (Intel® Corporation)

HKLM\...\Run: [TFPUPWDBankService] C:\Program Files\TOSHIBA\TFPU\TFPUPWDBank.exe /start [925104 2010-03-02] (TOSHIBA)

HKLM\...\Run: [TFPUService] C:\Program Files\TOSHIBA\TFPU\TFPUTaskMonitor.exe /start [789368 2010-11-04] (TOSHIBA)

HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1544624 2011-05-24] (TOSHIBA Corporation)

HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [710560 2011-06-09] (TOSHIBA Corporation)

HKLM\...\Run: [ThpSrv] C:\windows\system32\thpsrv /logon [x]

HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [712096 2011-07-01] (TOSHIBA Corporation)

HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)

HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [38824 2011-06-28] (TOSHIBA Corporation)

HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [597936 2011-07-27] (TOSHIBA Corporation)

HKLM\...\Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" [57928 2011-09-16] (LogMeIn, Inc.)

HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED [3218864 2011-06-22] (Toshiba)

HKLM-x32\...\Run: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [552960 2010-09-23] (Toshiba)

HKLM-x32\...\Run: [TOSDCR] %ProgramFiles%\TOSHIBA\PasswordUtility\TOSDCR.exe [169296 2007-08-28] ()

HKLM-x32\...\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START [80840 2011-04-01] (TOSHIBA CORPORATION)

HKLM-x32\...\Run: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe [x]

HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [41944 2012-07-31] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [640480 2012-07-30] (Adobe Systems Inc.)

HKLM-x32\...\Run: [Olympus DSS UpdateManager] "C:\Program Files (x86)\OLYMPUS\DSSPlayerPro\UpdateManager.exe" [204800 2012-03-22] (OLYMPUS IMAGING CORP.)

HKLM-x32\...\Run: [Olympus Notification] C:\Program Files (x86)\OLYMPUS\DSSPlayerPro\Notification.exe [x]

HKLM-x32\...\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup [304568 2010-10-12] (Citrix Systems, Inc.)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)

HKU\Admin\...\Policies\system: [DisableTaskMgr] 1

HKU\Administrator\...\Policies\system: [DisableTaskMgr] 1

HKU\cflick.SEIPPFLICK\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-03-30] (Google Inc.)

HKU\cflick.SEIPPFLICK\...\Policies\system: [DisableTaskMgr] 1

HKLM\...\Winlogon: [Shell] Explorer.exe, C:\ProgramData\nzqwwnh_ [x ] ()

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess

Tcpip\Parameters: [DhcpNameServer] 10.0.3.22

AppInit_DLLs: acaptuser64.dll

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Device Detector 4.lnk

ShortcutTarget: Device Detector 4.lnk -> C:\Program Files (x86)\OLYMPUS\DeviceDetector\DeviceDetector4.exe (OLYMPUS IMAGING CORP.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Directrec Configuration Tool.lnk

ShortcutTarget: Directrec Configuration Tool.lnk -> C:\Program Files (x86)\OLYMPUS\DirectrecConfig\DirectrecConfigurationTool.exe (OLYMPUS IMAGING CORP.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\SmartCapture.lnk

ShortcutTarget: SmartCapture.lnk -> C:\Program Files (x86)\Seiko Instruments USA Inc\Smart Label Printer 6.9.2\slpcap.exe (Seiko Instruments USA Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Snagit 9.lnk

ShortcutTarget: Snagit 9.lnk -> C:\Program Files (x86)\TechSmith\Snagit 9\Snagit32.exe (TechSmith Corporation)

==================== Services (Whitelisted) ===================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2012-07-11] (SUPERAntiSpyware.com)

2 LMIGuardianSvc; "C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe" [375728 2012-11-13] (LogMeIn, Inc.)

2 LMIMaint; "C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe" [147888 2012-11-13] (LogMeIn, Inc.)

2 LogMeIn; "C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe" [407424 2011-09-16] (LogMeIn, Inc.)

3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-06-01] ()

2 PCCUJobMgr; "C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe" /s "PCCUJobMgr" /m "C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\diMaster.dll" /prefetch:1 [132984 2011-07-19] (Symantec Corporation)

==================== Drivers (Whitelisted) =====================

2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [15928 2011-09-16] (LogMeIn, Inc.)

1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

3 catchme; \??\C:\CF2012\catchme.sys [x]

1 erfxvgrn; \??\C:\windows\system32\drivers\erfxvgrn.sys [x]

1 grdxwgmj; \??\C:\windows\system32\drivers\grdxwgmj.sys [x]

1 isiutmhe; \??\C:\windows\system32\drivers\isiutmhe.sys [x]

1 khtilzpl; \??\C:\windows\system32\drivers\khtilzpl.sys [x]

4 LMIRfsClientNP; [x]

1 rdybkrrf; \??\C:\windows\system32\drivers\rdybkrrf.sys [x]

3 Tosrfcom; [x]

1 wwbrzgbu; \??\C:\windows\system32\drivers\wwbrzgbu.sys [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-12-26 09:54 - 2012-12-26 09:54 - 00000000 ____D C:\FRST

2012-12-26 09:53 - 2012-12-26 09:12 - 05013093 ____A (Swearware) C:\CF2013.exe

2012-12-26 06:41 - 2012-12-26 06:41 - 00000000 ___RD C:\Users\Admin\Virtual Machines

2012-12-26 06:40 - 2012-12-26 06:41 - 00000000 ____D C:\users\Admin

2012-12-26 06:40 - 2012-12-26 06:40 - 00112640 ____A (Tov) C:\Users\Admin\AppData\Local\nzqwwnh_.exe

2012-12-26 06:40 - 2012-12-26 06:40 - 00000020 __ASH C:\Users\Admin\ntuser.ini

2012-12-26 06:40 - 2012-12-26 06:40 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Intel

2012-12-26 06:40 - 2011-10-09 22:20 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Macromedia

2012-12-24 16:44 - 2012-12-24 16:44 - 00112640 ____A (Tov) C:\Users\Administrator\AppData\Roaming\nzqwwnh_.exe

2012-12-24 16:44 - 2012-12-24 16:44 - 00112640 ____A (Tov) C:\Users\Administrator\AppData\Local\nzqwwnh_.exe

2012-12-24 14:39 - 2012-12-26 06:41 - 00000578 ____A C:\Windows\M3JPEG.INI

2012-12-24 14:39 - 2012-12-26 06:40 - 00112640 ____A (Tov) C:\Users\All Users\nzqwwnh_.exe

2012-12-24 14:39 - 2012-12-24 14:39 - 00112640 ____A (Tov) C:\Users\cflick.SEIPPFLICK\AppData\Local\nzqwwnh_.exe

2012-12-14 12:54 - 2012-12-14 12:54 - 00000000 ____D C:\Users\cflick.SEIPPFLICK\AppData\Roaming\ESET

2012-12-14 12:54 - 2012-12-14 12:54 - 00000000 ____D C:\Users\cflick.SEIPPFLICK\AppData\Local\ESET

2012-12-14 12:36 - 2012-12-14 12:36 - 01374624 ____A (ESET) C:\Users\cflick.SEIPPFLICK\Downloads\eset_smart_security_live_installer (3).exe

2012-12-14 12:36 - 2012-12-14 12:36 - 01374624 ____A (ESET) C:\Users\cflick.SEIPPFLICK\Downloads\eset_smart_security_live_installer (2).exe

2012-12-14 12:36 - 2012-12-14 12:36 - 00157048 ____A (Symantec Corporation) C:\Users\cflick.SEIPPFLICK\Downloads\NSSRT.exe

2012-12-14 12:35 - 2012-12-14 12:36 - 01374624 ____A (ESET) C:\Users\cflick.SEIPPFLICK\Downloads\eset_smart_security_live_installer (1).exe

2012-12-14 12:35 - 2012-12-14 12:35 - 01374624 ____A (ESET) C:\Users\cflick.SEIPPFLICK\Downloads\eset_smart_security_live_installer.exe

2012-12-14 12:29 - 2012-12-14 12:29 - 00000000 ____D C:\Program Files (x86)\ESET

==================== One Month Modified Files and Folders =======

2012-12-26 09:36 - 2012-10-10 15:06 - 00000000 ____D C:\Users\Administrator\AppData\Local\Copitrak

2012-12-26 09:36 - 2012-10-10 15:06 - 00000000 ____D C:\users\Administrator

2012-12-26 09:36 - 2012-03-06 13:07 - 00000000 ____D C:\users\CFLICK

2012-12-26 09:36 - 2012-03-05 13:29 - 00000000 ____D C:\Users\cflick.SEIPPFLICK\AppData\Local\Copitrak

2012-12-26 09:36 - 2012-03-05 13:28 - 00000000 ____D C:\users\cflick.SEIPPFLICK

2012-12-26 09:36 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\security

2012-12-26 09:36 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration

2012-12-26 09:12 - 2012-12-26 09:53 - 05013093 ____A (Swearware) C:\CF2013.exe

2012-12-26 06:41 - 2012-12-26 06:41 - 00000000 ___RD C:\Users\Admin\Virtual Machines

2012-12-26 06:41 - 2012-12-26 06:40 - 00000000 ____D C:\users\Admin

2012-12-26 06:41 - 2012-12-24 14:39 - 00000578 ____A C:\Windows\M3JPEG.INI

2012-12-26 06:41 - 2011-10-09 23:44 - 00089955 ____A C:\Windows\setupact.log

2012-12-26 06:40 - 2012-12-26 06:40 - 00112640 ____A (Tov) C:\Users\Admin\AppData\Local\nzqwwnh_.exe

2012-12-26 06:40 - 2012-12-26 06:40 - 00000020 __ASH C:\Users\Admin\ntuser.ini

2012-12-26 06:40 - 2012-12-26 06:40 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Intel

2012-12-26 06:40 - 2012-12-24 14:39 - 00112640 ____A (Tov) C:\Users\All Users\nzqwwnh_.exe

2012-12-26 06:40 - 2012-03-06 04:37 - 01224267 ____A C:\Windows\WindowsUpdate.log

2012-12-26 06:40 - 2012-03-05 13:26 - 00000136 ____A C:\Windows\System32\config\netlogon.ftl

2012-12-26 06:40 - 2011-10-09 22:20 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-12-26 06:40 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-12-26 05:57 - 2012-03-05 13:42 - 00000000 ____D C:\Users\All Users\LogMeIn

2012-12-24 17:13 - 2012-03-30 10:10 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-12-24 16:44 - 2012-12-24 16:44 - 00112640 ____A (Tov) C:\Users\Administrator\AppData\Roaming\nzqwwnh_.exe

2012-12-24 16:44 - 2012-12-24 16:44 - 00112640 ____A (Tov) C:\Users\Administrator\AppData\Local\nzqwwnh_.exe

2012-12-24 16:30 - 2011-10-09 22:20 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-12-24 16:00 - 2012-04-05 05:48 - 00000000 ____D C:\Users\cflick.SEIPPFLICK\AppData\Local\CrashDumps

2012-12-24 14:39 - 2012-12-24 14:39 - 00112640 ____A (Tov) C:\Users\cflick.SEIPPFLICK\AppData\Local\nzqwwnh_.exe

2012-12-24 13:57 - 2012-03-14 09:59 - 00000000 ____D C:\Users\cflick.SEIPPFLICK\AppData\Local\Deployment

2012-12-18 15:41 - 2012-03-20 11:07 - 00000000 ____D C:\Users\cflick.SEIPPFLICK\AppData\Roaming\.oit

2012-12-17 14:41 - 2012-03-05 13:31 - 00000000 ____D C:\Users\cflick.SEIPPFLICK\AppData\Local\Google

2012-12-17 09:57 - 2009-07-13 21:13 - 00730384 ____A C:\Windows\System32\PerfStringBackup.INI

2012-12-17 09:27 - 2009-07-13 20:45 - 00027344 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-12-17 09:27 - 2009-07-13 20:45 - 00027344 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-12-17 09:20 - 2009-07-13 21:08 - 00032628 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-12-14 12:54 - 2012-12-14 12:54 - 00000000 ____D C:\Users\cflick.SEIPPFLICK\AppData\Roaming\ESET

2012-12-14 12:54 - 2012-12-14 12:54 - 00000000 ____D C:\Users\cflick.SEIPPFLICK\AppData\Local\ESET

2012-12-14 12:44 - 2010-11-20 19:47 - 00714398 ____A C:\Windows\PFRO.log

2012-12-14 12:36 - 2012-12-14 12:36 - 01374624 ____A (ESET) C:\Users\cflick.SEIPPFLICK\Downloads\eset_smart_security_live_installer (3).exe

2012-12-14 12:36 - 2012-12-14 12:36 - 01374624 ____A (ESET) C:\Users\cflick.SEIPPFLICK\Downloads\eset_smart_security_live_installer (2).exe

2012-12-14 12:36 - 2012-12-14 12:36 - 00157048 ____A (Symantec Corporation) C:\Users\cflick.SEIPPFLICK\Downloads\NSSRT.exe

2012-12-14 12:36 - 2012-12-14 12:35 - 01374624 ____A (ESET) C:\Users\cflick.SEIPPFLICK\Downloads\eset_smart_security_live_installer (1).exe

2012-12-14 12:35 - 2012-12-14 12:35 - 01374624 ____A (ESET) C:\Users\cflick.SEIPPFLICK\Downloads\eset_smart_security_live_installer.exe

2012-12-14 12:29 - 2012-12-14 12:29 - 00000000 ____D C:\Program Files (x86)\ESET

2012-12-14 12:20 - 2012-03-21 06:31 - 00001945 ____A C:\Windows\epplauncher.mif

2012-12-14 09:36 - 2012-09-14 12:43 - 00000000 ____D C:\Program Files\SUPERAntiSpyware

2012-12-12 08:14 - 2012-03-30 10:10 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-12-12 08:14 - 2011-10-09 22:19 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-12-04 14:18 - 2011-10-09 22:18 - 00000000 ____D C:\Users\All Users\Adobe

2012-12-01 13:00 - 2012-09-14 12:43 - 00001863 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

ZeroAccess:

C:\Windows\Installer\{72ba270d-243d-b756-a3a0-bd91d2f19319}

C:\Windows\Installer\{72ba270d-243d-b756-a3a0-bd91d2f19319}\L

C:\Windows\Installer\{72ba270d-243d-b756-a3a0-bd91d2f19319}\U

ZeroAccess:

C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:

C:\Windows\assembly\GAC_64\Desktop.ini

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-1159711757-4209633756-1748526071-1201\$72ba270d243db756a3a0bd91d2f19319

ZeroAccess:

C:\$Recycle.Bin\S-1-5-18\$72ba270d243db756a3a0bd91d2f19319

ZeroAccess:

C:\Users\cflick.SEIPPFLICK\AppData\Local\{72ba270d-243d-b756-a3a0-bd91d2f19319}

C:\Users\cflick.SEIPPFLICK\AppData\Local\{72ba270d-243d-b756-a3a0-bd91d2f19319}\L

C:\Users\cflick.SEIPPFLICK\AppData\Local\{72ba270d-243d-b756-a3a0-bd91d2f19319}\U

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-19 07:42:48

Restore point made on: 2012-11-23 09:07:20

Restore point made on: 2012-11-26 10:35:09

Restore point made on: 2012-11-29 19:27:46

Restore point made on: 2012-12-03 17:43:49

Restore point made on: 2012-12-06 20:19:43

Restore point made on: 2012-12-10 05:42:26

Restore point made on: 2012-12-14 08:46:44

Restore point made on: 2012-12-24 17:23:49

==================== Memory info ===========================

Percentage of memory in use: 15%

Total physical RAM: 3999.43 MB

Available physical RAM: 3373.83 MB

Total Pagefile: 3997.63 MB

Available Pagefile: 3348.48 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (TI106268W0D) (Fixed) (Total:449.17 GB) (Free:372.58 GB) NTFS ==>[system with boot components (obtained from reading drive)]

2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.25 GB) NTFS ==>[system with boot components (obtained from reading drive)]

4 Drive f: (KINGSTON) (Removable) (Total:7.26 GB) (Free:7.16 GB) FAT32

5 Drive g: () (Removable) (Total:0.48 GB) (Free:0.48 GB) FAT

7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ###  Status    Size     Free  Dyn  Gpt
--------  --------  -------  ----  ---  ---
Disk 0    Online    465 GB   0 B
Disk 1    Online    7441 MB  0 B
Disk 2    Online    488 MB   0 B
Disk 3    No Media  0 B      0 B

Partitions of Disk 0:

===============

Partition ###  Type      Size     Offset
-------------  --------  -------  -------
Partition 1    Recovery  1500 MB  1024 KB
Partition 2    Primary   449 GB   1501 MB
Partition 3    Primary   15 GB    450 GB

==================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: Yes

Volume ###  Ltr  Label   Fs    Type       Size     Status   Info
----------  ---  ------  ----  ---------  -------  -------  ------
* Volume 2  D    System  NTFS  Partition  1500 MB  Healthy  Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ###  Ltr  Label        Fs    Type       Size    Status   Info
----------  ---  -----------  ----  ---------  ------  -------  ----
* Volume 1  C    TI106268W0D  NTFS  Partition  449 GB  Healthy

=========================================================

Disk: 0

Partition 3

Type : 17 (Suspicious Type)

Hidden: Yes

Active: No

There is no volume associated with this partition.

=========================================================

Partitions of Disk 1:

===============

Partition ###  Type     Size     Offset
-------------  -------  -------  -------
Partition 1    Primary  7437 MB  4032 KB

==================================================================================

Disk: 1

Partition 1

Type : 0C

Hidden: No

Active: Yes

Volume ###  Ltr  Label     Fs     Type       Size     Status   Info
----------  ---  --------  -----  ---------  -------  -------  ----
* Volume 3  F    KINGSTON  FAT32  Removable  7437 MB  Healthy

=========================================================

Partitions of Disk 2:

===============

Partition ###  Type     Size    Offset
-------------  -------  ------  ------
Partition 1    Primary  488 MB  116 KB

==================================================================================

Disk: 2

Partition 1

Type : 06

Hidden: No

Active: No

Volume ###  Ltr  Label  Fs   Type       Size    Status   Info
----------  ---  -----  ---  ---------  ------  -------  ----
* Volume 4  G           FAT  Removable  488 MB  Healthy

=========================================================

Last Boot: 2012-12-24 21:46

==================== End Of Log =============================

Here is the SEARCH log:

Farbar Recovery Scan Tool (x64) Version: 23-12-2012 01

Ran by SYSTEM at 2012-12-26 11:35:46

Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

Thank you so much for anyone who can help me!!

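The indicators that make this FRST log a ZeroAccess case can be checked mechanically rather than by eye. Below is an added example, not code from the thread or from Farbar's FRST: a small Python triage that reads FRST log lines (the sample is a subset of the log posted above, constructed to include several legitimate Realtek, LogMeIn, SUPERAntiSpyware and Toshiba entries that must not be flagged) and groups what it finds into categories. The rules, category names and the two-pass trick of deriving the dropper's file name from the hijacked Winlogon Shell value are this example's own assumptions about how a practitioner reads such a log.

```python
"""Triage an FRST log for the ZeroAccess indicators discussed in this thread.

Added example (not code from the thread or from Farbar/FRST). The sample
lines are copied from the FRST log posted above; the indicator rules and
category names are this example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of lines from the posted FRST log, including
# legitimate entries (Realtek, LogMeIn, SUPERAntiSpyware, Tosrfcom, C:\FRST)
# that a triage must NOT flag.
SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11775592 2011-01-18] (Realtek Semiconductor)
HKU\Admin\...\Policies\system: [DisableTaskMgr] 1
HKU\cflick.SEIPPFLICK\...\Policies\system: [DisableTaskMgr] 1
HKLM\...\Winlogon: [Shell] Explorer.exe, C:\ProgramData\nzqwwnh_ [x ] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess
2 LMIGuardianSvc; "C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe" [375728 2012-11-13] (LogMeIn, Inc.)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 erfxvgrn; \??\C:\windows\system32\drivers\erfxvgrn.sys [x]
1 grdxwgmj; \??\C:\windows\system32\drivers\grdxwgmj.sys [x]
3 Tosrfcom; [x]
2012-12-26 06:40 - 2012-12-26 06:40 - 00112640 ____A (Tov) C:\Users\Admin\AppData\Local\nzqwwnh_.exe
2012-12-26 09:54 - 2012-12-26 09:54 - 00000000 ____D C:\FRST
C:\Windows\Installer\{72ba270d-243d-b756-a3a0-bd91d2f19319}\U
C:\Windows\assembly\GAC_64\Desktop.ini
C:\$Recycle.Bin\S-1-5-18\$72ba270d243db756a3a0bd91d2f19319
"""

# Winlogon Shell should be exactly explorer.exe; the lock screen is the extra entry.
WINLOGON_SHELL = re.compile(r"^HKLM\\\.\.\.\\Winlogon: \[Shell\] (?P<value>.+)$", re.IGNORECASE)
# FRST prints a CLSID's InprocServer32 default only when it has been redirected;
# fastprox (the WMI proxy DLL's CLSID) is the one ZeroAccess hijacks.
COM_HIJACK = re.compile(r"InprocServer32: \[Default-(?P<dll>[^\]]+)\]")
TASKMGR_POLICY = re.compile(r"^HKU\\[^\\]+\\\.\.\.\\Policies\\system: \[DisableTaskMgr\] 1$", re.IGNORECASE)
# Eight random lowercase letters, a .sys under drivers\, and "[x]" = file missing.
ORPHAN_DRIVER = re.compile(
    r"^\d+ (?P<name>[a-z]{8}); \\\?\?\\C:\\windows\\system32\\drivers\\(?P=name)\.sys \[x\]$"
)
# "<created> - <modified> - <size> <attrs> (<company>) <path>" lines.
CREATED_FILE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d+ \S+ (?:\([^)]*\) )?(?P<path>[A-Za-z]:\\.+)$"
)
# ZeroAccess storage locations: $Recycle.Bin\<SID>\$<32 hex>, {GUID}\L and \U, GAC Desktop.ini.
ZEROACCESS_PATHS = [
    re.compile(r"\\\$Recycle\.Bin\\S-1-5-\d+(?:-\d+)*\\\$[0-9a-f]{32}$", re.IGNORECASE),
    re.compile(r"\\(?:Windows\\Installer|AppData\\Local)\\\{[0-9a-f-]{36}\}(?:\\[LU])?$", re.IGNORECASE),
    re.compile(r"\\Windows\\assembly\\GAC_(?:32|64)\\Desktop\.ini$", re.IGNORECASE),
]


@dataclass(frozen=True)
class Finding:
    category: str
    line: str


def shell_extras(value: str) -> list[str]:
    """Winlogon Shell entries other than explorer.exe, with FRST's trailing
    annotations such as '[x ] ()' removed."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip().split(" [")[0].strip()
        if entry and entry.lower() != "explorer.exe":
            extras.append(entry)
    return extras


def triage(log_text: str) -> list[Finding]:
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]

    # Pass 1: learn the dropper's file name from the Shell hijack so the same
    # binary can be spotted among the recently created files.
    dropper_stems: set[str] = set()
    for line in lines:
        m = WINLOGON_SHELL.match(line)
        if m:
            for path in shell_extras(m.group("value")):
                dropper_stems.add(path.rsplit("\\", 1)[-1].lower())

    # Pass 2: one finding per line, first matching rule wins.
    findings: list[Finding] = []
    for line in lines:
        m = WINLOGON_SHELL.match(line)
        if m:
            if shell_extras(m.group("value")):
                findings.append(Finding("shell_hijack", line))
            continue
        if COM_HIJACK.search(line):
            findings.append(Finding("com_hijack", line))
            continue
        if TASKMGR_POLICY.match(line):
            findings.append(Finding("disable_taskmgr", line))
            continue
        if ORPHAN_DRIVER.match(line):
            findings.append(Finding("orphan_driver", line))
            continue
        if any(p.search(line) for p in ZEROACCESS_PATHS):
            findings.append(Finding("zeroaccess_path", line))
            continue
        m = CREATED_FILE.match(line)
        if m:
            name = m.group("path").rsplit("\\", 1)[-1].lower()
            if any(name.startswith(stem) for stem in dropper_stems):
                findings.append(Finding("dropper_file", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:16} {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample it reports one shell hijack, one COM hijack, two DisableTaskMgr policies, two orphan drivers, three ZeroAccess storage paths and one dropper file, and nothing for the legitimate entries. The orphan-driver rule matches exactly the six random-named services the later Fixlog reports as "not found": FRST's "[x]" already says the .sys is gone, so those are dead service entries rather than live rootkit drivers, which is why the fix could proceed from the recovery environment without needing to unload anything.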

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC


MrCharlie, thank you SO MUCH for your reply. Your fixlist worked and I was able to boot up normally. I'm running my usual AV software now. Here is the fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-12-2012 01

Ran by SYSTEM at 2012-12-26 12:22:55 Run:1

Running from F:\

==============================================

HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.

HKEY_USERS\Admin\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully.

HKEY_USERS\Administrator\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully.

HKEY_USERS\cflick.SEIPPFLICK\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored successfully .

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).

C:\windows\system32\drivers\erfxvgrn.sys not found.

C:\windows\system32\drivers\grdxwgmj.sys not found.

C:\windows\system32\drivers\isiutmhe.sys not found.

C:\windows\system32\drivers\khtilzpl.sys not found.

C:\windows\system32\drivers\rdybkrrf.sys not found.

C:\windows\system32\drivers\wwbrzgbu.sys not found.

C:\Users\All Users\nzqwwnh_.exe moved successfully.

C:\Users\cflick.SEIPPFLICK\AppData\Local\nzqwwnh_.exe moved successfully.

C:\Users\Admin\AppData\Local\nzqwwnh_.exe not found.

C:\Users\Administrator\AppData\Local\nzqwwnh_.exe moved successfully.

C:\Users\cflick.SEIPPFLICK\AppData\Local\nzqwwnh_.exe not found.

C:\ProgramData\nzqwwnh_ not found.

C:\Windows\Installer\{72ba270d-243d-b756-a3a0-bd91d2f19319} moved successfully.

C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.

C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

C:\$Recycle.Bin\S-1-5-21-1159711757-4209633756-1748526071-1201\$72ba270d243db756a3a0bd91d2f19319 moved successfully.

C:\$Recycle.Bin\S-1-5-18\$72ba270d243db756a3a0bd91d2f19319 moved successfully.

C:\Users\cflick.SEIPPFLICK\AppData\Local\{72ba270d-243d-b756-a3a0-bd91d2f19319} moved successfully.

==== End of Fixlog ====

I am open to any additional suggestions for anything you think I should run. Thank you again! Have a happy new year to you!


Just take note of this warning...........

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When you're done running your scans....please do this>>>>>>

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC


Please download RogueKiller to your desktop and run it.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


Hello again, MrC. As requested, here is the RogueKiller report. I didn't click on any of the fix buttons, just ran the program and clicked Report:

RogueKiller V8.4.1 [Dec 24 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : cflick [Admin rights]

Mode : Scan -- Date : 12/26/2012 16:07:58

¤¤¤ Bad processes : 2 ¤¤¤

[SUSP PATH] CopitrakDesktop10.EXE -- C:\Users\cflick.SEIPPFLICK\AppData\Local\Copitrak\CopitrakDesktop10.EXE -> KILLED [TermProc]

[SUSP PATH] LtProcMon.exe -- C:\Users\cflick.SEIPPFLICK\AppData\Local\Copitrak\LtProcMon.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 9 ¤¤¤

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS547550A9E384 +++++

--- User ---

[MBR] c5ee9216aed6890b5765e3e29f79835e

[BSP] e5d878481c3736c349e68cd1fe369970 : Windows Vista MBR Code

Partition table:

0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 459950 Mo

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 945051648 | Size: 15489 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: OLYMPUS DVR USB Device +++++

--- User ---

[MBR] c705c9b081145460a8ff2eec24204844

[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown

Partition table:

0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 233 | Size: 488 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1]_S_12262012_02d1607.txt >>


Thank you!!

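As MrC says of RogueKiller's [HJ] lines, they're not all bad; what matters is which of them are real hardening regressions. EnableLUA (0) means UAC is switched off entirely, and ConsentPromptBehaviorAdmin (0) means silent elevation, both worth restoring after a ZeroAccess cleanup; DisableRegistryTools (0) is the normal state, and the Start menu and desktop icon entries are cosmetic. The Python below is an added example, not code from the thread or from RogueKiller: it parses the Registry Entries section of the report posted above (the sample is copied from it), gives each entry a verdict, and emits the reg.exe commands that restore the Windows 7 UAC defaults. The default values, the verdict names, and the assumption that RogueKiller's "HKLM\[...]\System" abbreviates HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System are this example's own.

```python
"""Assess the registry entries RogueKiller reported and generate the commands
that undo the ones which actually weaken the system.

Added example (not code from the thread or from RogueKiller). The report lines
are copied from the post above; the expected defaults, verdict names and
remediation commands are this example's own.
"""
import re

# Constructed sample: the "Registry Entries" block from the posted RogueKiller report.
SAMPLE_REPORT = r"""
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
"""

# "[TAG] <key> : <value name> (<data>) -> <status>"
ENTRY = re.compile(
    r"^\[(?P<tag>[^\]]+)\] (?P<key>\S+) : (?P<name>\S+) \((?P<value>\d+)\) -> (?P<status>\w+)$"
)

# Assumption: the "HKLM\[...]\System" RogueKiller abbreviates is the UAC policy key.
UAC_POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# name -> (Windows 7 default, dangerous value, verdict when the dangerous value is seen)
UAC_RULES = {
    # 0 = UAC off: every process run by an administrator is fully elevated.
    "EnableLUA": (1, 0, "uac_disabled"),
    # 0 = elevate without prompting; 5 = prompt for consent for non-Windows
    # binaries, the Windows 7 default.
    "ConsentPromptBehaviorAdmin": (5, 0, "uac_silent_elevation"),
}


def parse(report: str) -> list[dict]:
    entries = []
    for line in report.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            d = m.groupdict()
            d["value"] = int(d["value"])
            entries.append(d)
    return entries


def assess(report: str) -> dict[str, str]:
    """Map each reported value name to a verdict. The Wow6432Node lines are the
    32-bit view of the same values, so verdicts are keyed by name only."""
    verdicts: dict[str, str] = {}
    for e in parse(report):
        name, value = e["name"], e["value"]
        if name in UAC_RULES:
            _default, bad, verdict = UAC_RULES[name]
            verdicts[name] = verdict if value == bad else "ok"
        elif name == "DisableRegistryTools":
            # 1 blocks regedit; 0 (or an absent value) is the normal state and
            # RogueKiller only reports that the value exists.
            verdicts[name] = "registry_tools_blocked" if value == 1 else "benign_default"
        else:
            # Start menu and desktop icon visibility toggles: cosmetic, not security.
            verdicts[name] = "cosmetic"
    return verdicts


def remediation(report: str) -> list[str]:
    """reg.exe commands restoring the UAC defaults for the flagged values, one
    per value name. EnableLUA only takes effect after a reboot."""
    fixes: dict[str, str] = {}
    for e in parse(report):
        rule = UAC_RULES.get(e["name"])
        if rule and e["value"] == rule[1]:
            fixes[e["name"]] = (
                f'reg add "{UAC_POLICY_KEY}" /v {e["name"]} /t REG_DWORD /d {rule[0]} /f'
            )
    return list(fixes.values())


if __name__ == "__main__":
    for name, verdict in assess(SAMPLE_REPORT).items():
        print(f"{verdict:24} {name}")
    print("\n".join(remediation(SAMPLE_REPORT)))
```

The two commands it produces are the only ones worth running from this report; the rest of RogueKiller's findings are left alone, which is exactly why MrC asks for the report without letting the tool fix anything. With UAC back on, a reboot is needed before the change applies, and the user's account (running with admin rights per the report) goes back to prompting on elevation.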

Well done, let's run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Hello again, MrC! I had already run ComboFix earlier once I could get into the OS, but I'll definitely run it again. I gave the user his computer back (he was very pleased) so I'll only have a chance to run another ComboFix scan later tonight. I'll post it when I can and I look forward to your feedback.

Thank You Again!!!


Good morning, MrC. Attached are two combofix logs. The first I ran prior to running MBAR and the second was run this morning. I would appreciate your insight.

After your warning yesterday regarding the backdoor trojan, I was planning to wipe this laptop and then reinstall the OS. Do you think that's still necessary?

FirstRun_ComboFix.txt

SecondRun_ComboFix.txt


After your warning yesterday regarding the backdoor trojan, I was planning to wipe this laptop and then reinstall the OS. Do you think that's still necessary?

That's up to you. I'm obligated to give you that warning; it depends on what the computer is used for, etc.

I would definitely change all my passwords and keep an eye on my accounts.

~~~~~~~~~~~~~~~

Let's make sure these are gone:

Using ComboFix......

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

File::

c:\windows\system32\drivers\erfxvgrn.sys

c:\windows\system32\drivers\grdxwgmj.sys

c:\windows\system32\drivers\isiutmhe.sys

c:\windows\system32\drivers\khtilzpl.sys

c:\windows\system32\drivers\rdybkrrf.sys

c:\windows\system32\drivers\wwbrzgbu.sys

Driver::

erfxvgrn

grdxwgmj

isiutmhe

khtilzpl

rdybkrrf

wwbrzgbu

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~

If you're not going to re-install.....

Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- denotes the number of times the application has been run, so in this case it should be something like R1.

Please look over what was found, we're going to delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain to why it shouldn't be on your system.

MrC
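A follow-up check for the step above, added here as an example and not part of MrC's instructions: after the CFScript run it confirms that the six driver files and their service registrations from the script are actually gone, then lists any remaining driver in the same folder whose Authenticode signature is not valid. It reports only and deletes nothing; the driver names are the ones in the script, the folder and registry paths are standard Windows locations.

```powershell
# Added example (not from the thread): verify the CFScript cleanup took effect.
# Driver names below are the six from MrC's File:: / Driver:: lists.
$names = 'erfxvgrn','grdxwgmj','isiutmhe','khtilzpl','rdybkrrf','wwbrzgbu'
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

function Test-DriverRemoved {
    param([string]$Name)
    # File:: removes the .sys on disk; Driver:: removes the service key that loads it.
    $file   = Join-Path $driverDir "$Name.sys"
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    New-Object PSObject -Property @{
        Name        = $Name
        FileGone    = -not (Test-Path -LiteralPath $file)
        ServiceGone = -not (Test-Path -LiteralPath $svcKey)
    }
}

$results = $names | ForEach-Object { Test-DriverRemoved -Name $_ }
$results | Format-Table Name, FileGone, ServiceGone -AutoSize

$left = $results | Where-Object { -not ($_.FileGone -and $_.ServiceGone) }
if ($left) {
    $leftNames = ($left | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Still present: $leftNames - rerun the script and post a fresh ComboFix.txt."
} else {
    Write-Host 'All six driver files and their service keys are gone.'
}

# Wider triage list: drivers in the folder without a valid embedded signature.
# Caveat: many in-box Microsoft drivers are catalog-signed and also show 'NotSigned'
# here, so treat this as a list to review, not a verdict. A recently dropped,
# randomly named .sys is the kind of entry worth looking at first.
Get-ChildItem -LiteralPath $driverDir -Filter *.sys |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object @{n='File'; e={ Split-Path $_.Path -Leaf }}, Status |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the registry and driver folder are readable.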


Some adware found....let's clear it out.....

  1. Please re-run AdwCleaner
  2. Click on Delete button.
  3. Confirm each time with OK if asked.
  4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

Then...........

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!

MrC


Adwcleaner log attached.

Security Check:

Results of screen317's Security Check version 0.99.56

Windows 7 Service Pack 1 x64 (UAC is disabled!)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Microsoft Security Essentials

(On Access scanning disabled!)

Error obtaining update status for antivirus!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

Java 6 Update 25

Java version out of Date!

Adobe Flash Player 11.5.502.135

Adobe Reader 10.1.4 Adobe Reader out of Date!

Mozilla Firefox 11.0 Firefox out of Date!

Google Chrome 21.0.1180.83

Google Chrome 21.0.1180.89

Google Chrome 22.0.1229.79

Google Chrome 22.0.1229.92

Google Chrome 22.0.1229.94

Google Chrome 23.0.1271.64

Google Chrome 23.0.1271.91

Google Chrome 23.0.1271.95

Google Chrome 23.0.1271.97

````````Process Check: objlist.exe by Laurent````````

Norton ccSvcHst.exe

Microsoft Security Essentials MSMpEng.exe

Microsoft Security Essentials msseces.exe

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0%

````````````````````End of Log``````````````````````

AdwCleanerS1.txt


Java™ 6 Update 25 <----please uninstall from add/remove programs

Java version out of Date! <-------Download and install the latest version from Here

Please check for an update for these:

Adobe Reader 10.1.4 Adobe Reader out of Date!

Mozilla Firefox 11.0 Firefox out of Date!

You have outdated programs on the system which are vulnerable to malware.

Please update or uninstall them

Info on doing that can be found in my Preventive Maintenance

~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
