
I need Help with the FBI virus



My roommate managed to pick up the FBI ransom virus, which I'm sure you all know about. Long story short, I need help; I cannot even get Safe Mode with Command Prompt. I'm running Windows 7 with a 64-bit system. I have read a few other postings about this and I know I need to download a scanning tool and give you a few logs, but the thing I need is the script to fix it. Please help; if you could give me a step by step it would be much appreciated.

-eazy


Welcome to the forum, here's how we deal with that malware:

  1. Please download Farbar Recovery Scan Tool and save it to a flash drive.
    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
    Plug the flash drive into the infected PC.
  2. If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
    If you are using Vista or Windows 7 enter System Recovery Options.
    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

  3. On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
    Select Command Prompt.
  4. Once in the Command Prompt, type notepad in the command window and press Enter.
  5. Notepad opens. Under the File menu select Open.
  6. Select "Computer", find your flash drive letter, and close Notepad.
  7. In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  8. The tool will start to run.
  9. When the tool opens, click Yes to the disclaimer.
  10. Press the Scan button.
  11. It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

MrC


Here you go, MrC

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-05-2013

Ran by SYSTEM on 09-05-2013 22:57:05

Running from I:\

Windows 7 Home Premium (X64) OS Language: English(US)

Internet Explorer Version 8

Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10060320 2010-02-09] (Realtek Semiconductor)

HKLM\...\RunOnce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [415232 2009-07-13] (Microsoft Corporation)

HKLM\...\Winlogon: [shell] regsvr32 /n /i /s "C:\Users\Eazy\AppData\Local\ohqjoh.yzb" [x ] ()

HKLM-x32\...\Winlogon: [shell] C:\ProgramData\DisplaySwitch.exe [x ] ()

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$46bd3aa31c814fd27224b506b0e89d2c\n. ATTENTION! ====> ZeroAccess

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [41208 2012-12-19] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Hotkey Utility] C:\Program Files (x86)\eMachines\Hotkey Utility\HotkeyUtility.exe [611872 2010-08-04] ()

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [288080 2009-07-17] (Microsoft Corporation)

HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1644680 2013-02-08] (Ask)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)

HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.)

HKLM-x32\...\Run: [DisplaySwitch] "C:\ProgramData\DisplaySwitch.exe" [128512 2013-05-09] (Hilgraeve, Inc.)

HKU\Default\...\RunOnce: [scrSav] C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe /default [162336 2009-07-21] ()

HKU\Default User\...\RunOnce: [scrSav] C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe /default [162336 2009-07-21] ()

HKU\Eazy\...\Run: [steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1635752 2013-05-03] (Valve Corporation)

HKU\Eazy\...\Run: [Facebook Update] "C:\Users\Eazy\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-22] (Facebook Inc.)

HKU\Eazy\...\Run: [bAS] "C:\ProgramData\34ac13\bestantivirus.exe" /s [3658752 2012-05-19] ()

HKU\Eazy\...\Run: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18705664 2013-01-08] (Skype Technologies S.A.)

HKU\Eazy\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-06-07] (Google Inc.)

HKU\Eazy\...\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe [4284976 2013-05-06] ()

HKU\UpdatusUser\...\RunOnce: [scrSav] C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe /default [162336 2009-07-21] ()

Startup: C:\ProgramData\Start Menu\Programs\Startup\ctfmon.lnk

ShortcutTarget: ctfmon.lnk -> C:\Windows\System32\regsvr32.exe (Microsoft Corporation)

Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

Startup: C:\Users\Eazy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk

ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) =================

S2 ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe [626208 2009-08-10] ()

S3 GameConsoleService; C:\Program Files (x86)\eMachines Games\eMachines Game Console\GameConsoleService.exe [238328 2009-10-09] (WildTangent, Inc.)

S2 Greg_Service; C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [1150496 2009-08-28] (Acer Incorporated)

S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)

S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)

S2 nSvcIp; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe [206880 2009-08-10] ()

S2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2012-06-03] ()

S2 Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [243232 2010-01-28] (Acer Group)

==================== Drivers (Whitelisted) ====================

S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)

S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-09 22:56 - 2013-05-09 22:56 - 00000000 ____D C:\FRST

2013-05-09 09:29 - 2013-05-09 09:29 - 00282640 ____A C:\Windows\Minidump\050913-18096-01.dmp

2013-05-09 09:22 - 2013-05-09 09:22 - 00055808 ____A C:\Users\Eazy\AppData\Local\ohqjoh.yzb

2013-05-09 09:22 - 2013-05-09 09:22 - 00055808 ____A C:\ProgramData\ivevkkjv.xie

2013-05-09 09:18 - 2013-05-09 09:18 - 00128512 ____A (Hilgraeve, Inc.) C:\ProgramData\DisplaySwitch.exe

2013-05-08 17:36 - 2013-05-08 19:11 - 00000000 ____D C:\Users\Eazy\Desktop\p01-05

2013-05-07 09:54 - 2013-05-07 09:54 - 00001729 ____A C:\Users\Public\Desktop\Play League of Legends.lnk

2013-05-07 09:47 - 2013-05-07 09:47 - 00000000 ____D C:\Riot Games

2013-05-06 19:24 - 2013-05-07 03:03 - 00000000 ____D C:\Users\Eazy\Desktop\League of Legends

2013-05-06 19:23 - 2013-05-09 09:27 - 00000000 ____D C:\Users\Eazy\AppData\Local\PMB Files

2013-05-06 19:23 - 2013-05-08 17:02 - 00000000 ____D C:\ProgramData\PMB Files

2013-05-06 19:06 - 2013-05-06 19:06 - 00000000 ____D C:\ProgramData\uwfa

2013-05-06 19:03 - 2013-05-06 19:03 - 00190456 ____A (Hilgraeve, Inc.) C:\Users\Eazy\Desktop\omec.tmp

2013-05-04 15:25 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe

2013-04-28 09:55 - 2013-04-28 09:56 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-04-28 09:55 - 2013-04-28 09:56 - 00000000 ____D C:\Program Files\iTunes

2013-04-28 09:55 - 2013-04-28 09:55 - 00000000 ____D C:\Program Files\iPod

2013-04-25 19:13 - 2013-04-25 19:16 - 00000000 ____D C:\Users\Eazy\Desktop\phone stuff

2013-04-14 08:04 - 2013-04-14 08:04 - 00000810 ____A C:\Users\Eazy\Desktop\Craziness - Shortcut.lnk

2013-04-14 08:00 - 2013-04-14 08:00 - 00000000 ____D C:\Users\Eazy\Documents\thumbscrew[1]

2013-04-14 07:55 - 2013-04-14 07:55 - 00000000 ____D C:\ProgramData\APN

2013-04-14 07:48 - 2013-04-18 16:58 - 00000000 ____D C:\Users\Eazy\Documents\RootkitRevealer[1]

2013-04-14 07:44 - 2013-04-15 17:56 - 00000000 ____D C:\Users\Eazy\AppData\Local\Conduit

2013-04-14 07:44 - 2013-04-14 07:44 - 00000000 ____D C:\Users\Eazy\AppData\Local\SwvUpdater

2013-04-14 07:44 - 2013-04-14 07:44 - 00000000 ____D C:\Program Files (x86)\Conduit

2013-04-14 07:43 - 2013-04-14 12:24 - 00000000 ____D C:\Users\Eazy\Downloads\wolfeye2zip

2013-04-14 07:43 - 2013-04-14 07:44 - 00000009 ____A C:\end

2013-04-14 07:43 - 2013-04-14 07:43 - 00000000 ____D C:\Program Files (x86)\InfoAtoms

==================== One Month Modified Files and Folders =======

2013-05-09 22:56 - 2013-05-09 22:56 - 00000000 ____D C:\FRST

2013-05-09 18:02 - 2010-10-31 12:33 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-05-09 18:02 - 2010-08-25 14:47 - 00000000 ____D C:\ProgramData\NVIDIA

2013-05-09 18:02 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-09 18:02 - 2009-07-13 20:51 - 00177802 ____A C:\Windows\setupact.log

2013-05-09 09:29 - 2013-05-09 09:29 - 00282640 ____A C:\Windows\Minidump\050913-18096-01.dmp

2013-05-09 09:29 - 2012-09-06 03:34 - 452156194 ____A C:\Windows\MEMORY.DMP

2013-05-09 09:29 - 2012-07-22 09:12 - 00000000 ____D C:\Windows\Minidump

2013-05-09 09:27 - 2013-05-06 19:23 - 00000000 ____D C:\Users\Eazy\AppData\Local\PMB Files

2013-05-09 09:22 - 2013-05-09 09:22 - 00055808 ____A C:\Users\Eazy\AppData\Local\ohqjoh.yzb

2013-05-09 09:22 - 2013-05-09 09:22 - 00055808 ____A C:\ProgramData\ivevkkjv.xie

2013-05-09 09:18 - 2013-05-09 09:18 - 00128512 ____A (Hilgraeve, Inc.) C:\ProgramData\DisplaySwitch.exe

2013-05-09 09:17 - 2013-01-11 13:59 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-05-09 09:16 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-05-09 09:16 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-05-09 09:14 - 2009-07-13 21:13 - 00727160 ____A C:\Windows\System32\PerfStringBackup.INI

2013-05-09 09:09 - 2011-07-09 15:19 - 00000000 ____D C:\Users\Eazy\AppData\Roaming\Skype

2013-05-09 09:09 - 2011-04-10 12:57 - 00000000 ____D C:\Program Files (x86)\Steam

2013-05-08 20:02 - 2011-03-21 13:41 - 00000000 ____D C:\Users\Eazy\AppData\Roaming\SoftGrid Client

2013-05-08 19:36 - 2010-10-31 12:33 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-05-08 19:11 - 2013-05-08 17:36 - 00000000 ____D C:\Users\Eazy\Desktop\p01-05

2013-05-08 17:52 - 2011-09-15 14:53 - 00000000 ____D C:\Users\Eazy\Desktop\Eli

2013-05-08 17:38 - 2011-12-13 18:28 - 00000924 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2710024321-3585097214-2633004960-1001UA.job

2013-05-08 17:38 - 2011-12-13 18:28 - 00000902 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2710024321-3585097214-2633004960-1001Core.job

2013-05-08 17:02 - 2013-05-06 19:23 - 00000000 ____D C:\ProgramData\PMB Files

2013-05-07 09:54 - 2013-05-07 09:54 - 00001729 ____A C:\Users\Public\Desktop\Play League of Legends.lnk

2013-05-07 09:47 - 2013-05-07 09:47 - 00000000 ____D C:\Riot Games

2013-05-07 09:47 - 2010-06-07 09:22 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information

2013-05-07 03:03 - 2013-05-06 19:24 - 00000000 ____D C:\Users\Eazy\Desktop\League of Legends

2013-05-06 19:17 - 2012-09-18 13:46 - 00000000 ___RD C:\Program Files (x86)\Skype

2013-05-06 19:17 - 2011-07-09 15:18 - 00000000 ____D C:\ProgramData\Skype

2013-05-06 19:15 - 2010-10-31 12:17 - 00000000 ____D C:\users\Eazy

2013-05-06 19:13 - 2012-09-20 11:50 - 00000000 ____D C:\Program Files (x86)\Guild Wars 2

2013-05-06 19:13 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration

2013-05-06 19:13 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat

2013-05-06 19:06 - 2013-05-06 19:06 - 00000000 ____D C:\ProgramData\uwfa

2013-05-06 19:03 - 2013-05-06 19:03 - 00190456 ____A (Hilgraeve, Inc.) C:\Users\Eazy\Desktop\omec.tmp

2013-04-28 10:33 - 2011-01-09 12:21 - 00000000 ____D C:\Users\Eazy\AppData\Roaming\Apple Computer

2013-04-28 09:56 - 2013-04-28 09:55 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-04-28 09:56 - 2013-04-28 09:55 - 00000000 ____D C:\Program Files\iTunes

2013-04-28 09:56 - 2012-08-06 06:32 - 00001752 ____A C:\Users\Public\Desktop\iTunes.lnk

2013-04-28 09:56 - 2011-01-09 12:21 - 00000000 ____D C:\Program Files (x86)\iTunes

2013-04-28 09:56 - 2011-01-09 12:20 - 00000000 ____D C:\Program Files\Common Files\Apple

2013-04-28 09:55 - 2013-04-28 09:55 - 00000000 ____D C:\Program Files\iPod

2013-04-28 09:47 - 2010-08-25 14:45 - 01534074 ____A C:\Windows\WindowsUpdate.log

2013-04-25 19:16 - 2013-04-25 19:13 - 00000000 ____D C:\Users\Eazy\Desktop\phone stuff

2013-04-18 16:58 - 2013-04-14 07:48 - 00000000 ____D C:\Users\Eazy\Documents\RootkitRevealer[1]

2013-04-15 17:56 - 2013-04-14 07:44 - 00000000 ____D C:\Users\Eazy\AppData\Local\Conduit

2013-04-14 12:25 - 2010-06-07 09:32 - 00419996 ____A C:\Windows\PFRO.log

2013-04-14 12:24 - 2013-04-14 07:43 - 00000000 ____D C:\Users\Eazy\Downloads\wolfeye2zip

2013-04-14 08:44 - 2012-02-03 16:18 - 00001082 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-04-14 08:44 - 2011-03-30 05:44 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-04-14 08:04 - 2013-04-14 08:04 - 00000810 ____A C:\Users\Eazy\Desktop\Craziness - Shortcut.lnk

2013-04-14 08:00 - 2013-04-14 08:00 - 00000000 ____D C:\Users\Eazy\Documents\thumbscrew[1]

2013-04-14 07:55 - 2013-04-14 07:55 - 00000000 ____D C:\ProgramData\APN

2013-04-14 07:44 - 2013-04-14 07:44 - 00000000 ____D C:\Users\Eazy\AppData\Local\SwvUpdater

2013-04-14 07:44 - 2013-04-14 07:44 - 00000000 ____D C:\Program Files (x86)\Conduit

2013-04-14 07:44 - 2013-04-14 07:43 - 00000009 ____A C:\end

2013-04-14 07:43 - 2013-04-14 07:43 - 00000000 ____D C:\Program Files (x86)\InfoAtoms

2013-04-14 07:42 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Resources

2013-04-14 02:54 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF

2013-04-11 06:22 - 2010-03-18 06:15 - 00770384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr100.dll

2013-04-11 06:22 - 2010-03-18 06:15 - 00421200 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp100.dll

ZeroAccess:

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{46bd3aa3-1c81-4fd2-7224-b506b0e89d2c}

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{46bd3aa3-1c81-4fd2-7224-b506b0e89d2c}\L

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{46bd3aa3-1c81-4fd2-7224-b506b0e89d2c}\U

ZeroAccess:

C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:

C:\Windows\assembly\GAC_64\Desktop.ini

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-2710024321-3585097214-2633004960-1001\$46bd3aa31c814fd27224b506b0e89d2c

ZeroAccess:

C:\$Recycle.Bin\S-1-5-18\$46bd3aa31c814fd27224b506b0e89d2c

Other Malware:

===========

C:\Windows\svchost.exe

ATTENTION ====> Check for partition/boot infection.

C:\ProgramData\kp_0loor.pad

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-05-07 09:47:14

==================== Memory info ===========================

Percentage of memory in use: 17%

Total physical RAM: 4095.37 MB

Available physical RAM: 3369.26 MB

Total Pagefile: 4093.52 MB

Available Pagefile: 3358.41 MB

Total Virtual: 8192 MB

Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (eMachines) (Fixed) (Total:449.66 GB) (Free:324.69 GB) NTFS (Disk=0 Partition=3)

Drive e: (PQSERVICE) (Fixed) (Total:16 GB) (Free:5.12 GB) NTFS (Disk=0 Partition=1)

Drive i: (cis121) (Removable) (Total:1.87 GB) (Free:1.83 GB) NTFS (Disk=3 Partition=1)

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]

ATTENTION: Malware custom entry on BCD on drive y: detected.

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 6A84BB11)

Partition 00: (Active) - (Size=0) - (Type=00) ATTENTION ===> 0 byte partition bootkit.

Partition 1: (Not Active) - (Size=16 GB) - (Type=27)

Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=450 GB) - (Type=07 NTFS)

========================================================

Disk: 3 (Size: 2 GB) (Disk ID: 24CE4062)

Partition 1: (Not Active) - (Size=2 GB) - (Type=07 NTFS)

Last Boot: 2013-05-06 20:34

==================== End Of Log ============================

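The log above is read by eye in the reply that follows, but the same indicators can be picked out mechanically. Below is an added Python triage script (my own example, not part of this thread, not FRST's code and not the fixlist MrC attached) that parses FRST-style lines and flags four things visible in this log: lines FRST itself marks with ATTENTION, a Winlogon Shell value that launches something other than explorer.exe, autorun entries whose command lives in ProgramData, AppData or $Recycle.Bin, and an active zero-byte partition in the MBR table. The rule names, the severity labels and the two regular expressions are my assumptions about the "key: [name] command [size date] (publisher)" line format seen in the log; the sample lines are an excerpt copied from the log above.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt: a handful of lines copied from the FRST log posted in
# this thread. A real FRST.txt has many more sections than this.
SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10060320 2010-02-09] (Realtek Semiconductor)
HKLM\...\Winlogon: [shell] regsvr32 /n /i /s "C:\Users\Eazy\AppData\Local\ohqjoh.yzb" [x ] ()
HKLM-x32\...\Winlogon: [shell] C:\ProgramData\DisplaySwitch.exe [x ] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$46bd3aa31c814fd27224b506b0e89d2c\n. ATTENTION! ====> ZeroAccess
HKLM-x32\...\Run: [DisplaySwitch] "C:\ProgramData\DisplaySwitch.exe" [128512 2013-05-09] (Hilgraeve, Inc.)
HKU\Eazy\...\Run: [bAS] "C:\ProgramData\34ac13\bestantivirus.exe" /s [3658752 2012-05-19] ()
TDL4: custom:26000022 <===== ATTENTION!
ATTENTION: Malware custom entry on BCD on drive y: detected.
Partition 00: (Active) - (Size=0) - (Type=00) ATTENTION ===> 0 byte partition bootkit.
"""

# Assumed line shape: "key: [name] command [size date] (publisher)".
# The trailing "[size date] (publisher)" block is absent on some lines.
AUTORUN_RE = re.compile(r"^(?P<key>HK[^:]+): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
TAIL_RE = re.compile(r"^(?P<cmd>.*?) \[(?P<meta>[^\]]*)\] \((?P<publisher>[^)]*)\)$")

# Directories a legitimate system-wide autorun almost never lives in.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "$recycle.bin")


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line: str


def parse_autorun(line):
    """Split an FRST registry autorun line into (key, name, cmd, publisher).

    Returns None when the line is not an autorun entry. publisher is "" when
    FRST printed "()" and None when the trailing block is missing entirely.
    """
    m = AUTORUN_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    t = TAIL_RE.match(rest)
    if t:
        return m.group("key"), m.group("name"), t.group("cmd"), t.group("publisher").strip()
    return m.group("key"), m.group("name"), rest, None


def triage(log_text):
    """Run the four rules over every non-empty line and collect findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Rule 1: FRST's own markers (ZeroAccess, TDL4, BCD entry, bootkit).
        if "ATTENTION" in line:
            findings.append(Finding("tool_attention", "high", line))
        # Rule 4: an active partition of size 0 is what FRST calls a bootkit.
        if line.startswith("Partition") and "(Active)" in line and "Size=0)" in line:
            findings.append(Finding("zero_byte_active_partition", "high", line))
        entry = parse_autorun(line)
        if entry is None:
            continue
        key, name, cmd, publisher = entry
        # Rule 2: Winlogon Shell should start explorer.exe and nothing else.
        if key.endswith("Winlogon") and name.lower() == "shell" and "explorer.exe" not in cmd.lower():
            findings.append(Finding("winlogon_shell_hijack", "high", line))
        # Rule 3: autorun command pointing into a user-writable directory;
        # a missing publisher raises it from "review" to "high".
        if any(loc in cmd.lower() for loc in USER_WRITABLE):
            sev = "high" if not publisher else "review"
            findings.append(Finding("autorun_in_user_writable_dir", sev, line))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'tool_attention': 4, ...}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule}: {f.line[:90]}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the excerpt this reports twelve findings: four FRST ATTENTION markers, both Winlogon Shell hijacks, five autoruns in user-writable locations (the two DisplaySwitch entries, the bestantivirus.exe entry, the regsvr32 loader and the $Recycle.Bin COM hijack) and the zero-byte active partition. The script is a reading aid for a helper looking at a posted log; it does not change anything on the machine, and the actual removal in this thread is done by the fixlist FRST applies from recovery.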

Please don't put the logs in bold, just use the default font.

Your computer is badly infected!!!

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Here you go......this should get you going:

Please download the attached fixlist.txt and copy it to your flash drive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using), press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
