
Justice Dept / can't remove in cmd prmpt



Hello and thank you for your help.

After running one of my tools in safe mode with command prompt (the only way I can bypass the virus) I was able to get it to boot in normal mode to the desktop *once* but upon restarting, the virus came back ... I take that back ... it was my going into Startup and disabling one of the runctf.lnk programs after running msconfig in safe mode with command prompt that I was able to boot normally. I am unable to reproduce the success with the same method and Malwarebytes is also not able to remove the virus via this method (running mbam.exe from a flash drive in safe mode with command prompt). Here are the log files, and thank you greatly:

DDS (Ver_2012-11-20.01) - NTFS_x86 MINIMAL

Internet Explorer: 8.0.6001.18702

Run by Administrator at 12:11:55 on 2013-05-18

.

============== Running Processes ================

.

C:\WINDOWS\system32\svchost.exe -k netsvcs

.

============== Pseudo HJT Report ===============

.

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Yahoo! IE Services Button: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll

BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll

TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray

mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [CanonSolutionMenuEx] c:\program files\canon\solution menu ex\CNSEMAIN.EXE /logon

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\msconfig.exe /auto

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T28L10NSP9-15980/training/ieatgpc.cab

TCP: Interfaces\{F49330C6-8F57-4BF9-9CE1-55EE2D9394D4} : NameServer = 207.69.188.185,207.69.188.186

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

============= SERVICES / DRIVERS ===============

.

R? DIFMBUS;Franklin EVDO USB Modem Composite Device Driver

R? DIFMCDF;Franklin EVDO USB Modem Installation CD

R? DIFMCVsp;Franklin EVDO USB Modem CM Port

R? DIFMMdm;Franklin EVDO USB Modem

R? DIFMNET;Franklin EVDO USB Modem Network Adapter

R? DIFMNVsp;Franklin EVDO USB Modem NMEA Port Serial Port

R? DIFMVsp;Franklin EVDO USB Modem Diagnostics Port

R? doaxuejh;doaxuejh

R? edyserze;edyserze

R? febvbmbi;febvbmbi

R? GT72NDISIPXP;GT 72 IP NDIS

R? GT72UBUS;GT 72 U BUS

R? iorzilbt;iorzilbt

R? klkhxhjx;klkhxhjx

R? lqeiecsj;lqeiecsj

R? MBAMProtector;MBAMProtector

R? MBAMScheduler;MBAMScheduler

R? MBAMService;MBAMService

R? MBAMSwissArmy;MBAMSwissArmy

R? MpFilter;Microsoft Malware Protection Driver

R? MpKsl5d204264;MpKsl5d204264

R? mxkrgjok;mxkrgjok

R? rvfhvrzg;rvfhvrzg

R? tujtncnk;tujtncnk

R? vldgmyaz;vldgmyaz

R? vvvygjsi;vvvygjsi

R? zgypnxfh;zgypnxfh

.

=============== Created Last 30 ================

.

2013-05-18 14:37:30 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2013-05-18 03:38:17 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2013-05-17 01:44:01 -------- d-----w- c:\documents and settings\all users\application data\Norton

.

==================== Find3M ====================

.

2013-03-23 03:02:02 12464 ----a-w- c:\windows\system32\drivers\CDAC15BA.SYS

2013-03-12 20:11:03 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-03-12 20:11:02 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

============= FINISH: 12:13:18.89 ===============

.

==== Installed Programs ======================

.

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)

Adobe Flash Player 11 ActiveX

Adobe Reader 8.1.2

AutoCAD 2004

Autodesk Express Viewer

Canon Easy-PhotoPrint EX

Canon Easy-PhotoPrint Pro

Canon MG8200 series MP Drivers

Canon MG8200 series On-screen Manual

Canon MG8200 series User Registration

Canon MP Navigator EX 5.0

Canon My Printer

Canon Solution Menu EX

Cisco WebEx Meetings

Compatibility Pack for the 2007 Office system

Driver Installer

Franklin Access Manager

Franklin EVDO USB Modem

Google Toolbar for Internet Explorer

Google Update Helper

Hotfix for Microsoft .NET Framework 3.0 (KB932471)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB896344)

Hotfix for Windows XP (KB914440)

Hotfix for Windows XP (KB915865)

Hotfix for Windows XP (KB926239)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB981793)

Intel® Extreme Graphics Driver

Intel® PRO Network Adapters and Drivers

Java 6 Update 2

Malwarebytes Anti-Malware version 1.70.0.1100

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Application Error Reporting

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office XP Professional

Microsoft Security Client

Microsoft Security Essentials

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft XML Parser

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6 Service Pack 2 (KB973686)

RealPlayer

SafeCast Shared Components

Security Update for CAPICOM (KB931906)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 7 (KB974455)

Security Update for Windows Internet Explorer 7 (KB976325)

Security Update for Windows Internet Explorer 7 (KB978207)

Security Update for Windows Internet Explorer 7 (KB982381)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 8 (KB917734)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896424)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899589)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB912919)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB917344)

Security Update for Windows XP (KB917422)

Security Update for Windows XP (KB917953)

Security Update for Windows XP (KB918118)

Security Update for Windows XP (KB919007)

Security Update for Windows XP (KB920213)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB921398)

Security Update for Windows XP (KB921503)

Security Update for Windows XP (KB921883)

Security Update for Windows XP (KB922616)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB923980)

Security Update for Windows XP (KB924191)

Security Update for Windows XP (KB924270)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB924667)

Security Update for Windows XP (KB925902)

Security Update for Windows XP (KB926255)

Security Update for Windows XP (KB926436)

Security Update for Windows XP (KB927779)

Security Update for Windows XP (KB927802)

Security Update for Windows XP (KB928255)

Security Update for Windows XP (KB928843)

Security Update for Windows XP (KB929123)

Security Update for Windows XP (KB930178)

Security Update for Windows XP (KB931261)

Security Update for Windows XP (KB931784)

Security Update for Windows XP (KB932168)

Security Update for Windows XP (KB933729)

Security Update for Windows XP (KB935839)

Security Update for Windows XP (KB935840)

Security Update for Windows XP (KB936021)

Security Update for Windows XP (KB937894)

Security Update for Windows XP (KB938127)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB938829)

Security Update for Windows XP (KB941202)

Security Update for Windows XP (KB941568)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB941644)

Security Update for Windows XP (KB941693)

Security Update for Windows XP (KB942615)

Security Update for Windows XP (KB943055)

Security Update for Windows XP (KB943460)

Security Update for Windows XP (KB943485)

Security Update for Windows XP (KB944653)

Security Update for Windows XP (KB945553)

Security Update for Windows XP (KB946026)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB948590)

Security Update for Windows XP (KB948881)

Security Update for Windows XP (KB950749)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371-v2)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971032)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB981349)

SoundMAX

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 7 (KB976749)

Update for Windows XP (KB898461)

Update for Windows XP (KB900485)

Update for Windows XP (KB904942)

Update for Windows XP (KB908531)

Update for Windows XP (KB910437)

Update for Windows XP (KB911280)

Update for Windows XP (KB914882)

Update for Windows XP (KB916595)

Update for Windows XP (KB920342)

Update for Windows XP (KB920872)

Update for Windows XP (KB922582)

Update for Windows XP (KB925720)

Update for Windows XP (KB925876)

Update for Windows XP (KB927891)

Update for Windows XP (KB930916)

Update for Windows XP (KB932823-v3)

Update for Windows XP (KB936357)

Update for Windows XP (KB938828)

Update for Windows XP (KB942763)

Update for Windows XP (KB942840)

Update for Windows XP (KB946627)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Imaging Component

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Format SDK Hotfix - KB891122

Windows Media Player 11

Windows Presentation Foundation

Windows XP Hotfix - KB873339

Windows XP Hotfix - KB885835

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB885884

Windows XP Hotfix - KB886185

Windows XP Hotfix - KB887472

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB891781

Windows XP Service Pack 2

Yahoo! Browser Services

Yahoo! Install Manager

Yahoo! Internet Mail

Yahoo! Messenger

Yahoo! Software Update

Yahoo! Toolbar

.

==== End Of File ===========================


Yes sir ... I do, but I am afraid of doing so at this time before I check with the gentleman who I am doing this for. I haven't been able to reach him as of today. Is there another way of getting rid of this virus at this level of infection? I even tried using regedit to modify the default under shell but the default value there not only is correct but does not give any clues as to the location of the virus. Is there a way to use this tool (regedit) or another tool to extract invasively?

Hugely appreciated. I will request a slight bump in financing this project so as to be able to offer you a percentage in return for your help. Thanks again!


Then it's under one of the run keys.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

or Startup Folder

EDIT: Example:

O4 - HKLM..\Run: [DisplaySwitch] C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe (Hilgraeve, Inc.)

MrC

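MrC's point above is that a startup item which does not show in msconfig's startup list still sits under one of the Run keys or in the Startup folder. As an added example (not from the original thread, from Malwarebytes, or from the DDS tool), here is a small Python script that parses lines in the DDS log format posted earlier and flags two things a responder would want to review before deciding what to remove: Run entries whose executable lives in a user-writable data directory (like the DisplaySwitch path in MrC's example) and drivers in the SERVICES / DRIVERS section whose name and description are the same random-looking eight lowercase letters, as several entries in the posted log are. The sample lines are constructed for this example (most are copied from the log above; the DisplaySwitch line is MrC's O4 example rewritten in DDS form), the u/m/d prefixes are taken to mean HKCU, HKLM and the default user hive, and both heuristics are assumptions that produce items to check, not a verdict on any entry.

```python
import re

# Sample input constructed for this example: lines in the format of the DDS
# log posted above (most copied from it; the DisplaySwitch line is MrC's
# O4 example rewritten in DDS "mRun:" form).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\msconfig.exe /auto
mRun: [DisplaySwitch] c:\documents and settings\all users\application data\DisplaySwitch.exe
R? DIFMBUS;Franklin EVDO USB Modem Composite Device Driver
R? doaxuejh;doaxuejh
R? MBAMService;MBAMService
R? MpKsl5d204264;MpKsl5d204264
R? klkhxhjx;klkhxhjx
"""

# Assumed meaning of the DDS prefixes: uRun = HKCU ...\Run, mRun = HKLM ...\Run,
# dRun = the default user hive.
RUN_HIVES = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}

RUN_RE = re.compile(r"^([umd])Run: \[([^\]]*)\] (.*)$")
SERVICE_RE = re.compile(r"^R\? ([^;]+);(.*)$")

# Directories any logged-on user can write to. A Run entry launching from one
# of these deserves a look, since installed software normally lives under
# Program Files or the Windows directory.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\appdata\\")

# Heuristic, not proof: a driver whose name and description are the same eight
# lowercase letters carries no vendor or product information at all.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


def image_path(command):
    """Extract the executable from a Run command line: a quoted path, or the
    text up to the first '.exe' (DDS logs unquoted paths containing spaces)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.exe\b", command, re.IGNORECASE)
    return command[: m.end()] if m else command.split()[0]


def parse_run_entries(text):
    """Yield (hive, value_name, lowercased image path) for each u/m/dRun line."""
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            hive, name, command = m.groups()
            yield RUN_HIVES[hive], name, image_path(command).lower()


def parse_services(text):
    """Yield (service_name, description) for each 'R? name;description' line."""
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def flag_run_entries(text):
    """Run entries whose executable lives in a user-writable directory."""
    return [
        (hive, name, path)
        for hive, name, path in parse_run_entries(text)
        if any(marker in path for marker in USER_WRITABLE)
    ]


def flag_services(text):
    """Services/drivers with a random-looking name and no real description."""
    return [
        name
        for name, desc in parse_services(text)
        if name == desc and RANDOM_NAME_RE.match(name)
    ]


if __name__ == "__main__":
    for hive, name, path in flag_run_entries(SAMPLE_LOG):
        print(f"review Run entry: {hive}\\...\\Run [{name}] -> {path}")
    for name in flag_services(SAMPLE_LOG):
        print(f"review driver: {name}")
```

Run against the sample, the script reports the DisplaySwitch entry under HKLM and the drivers doaxuejh and klkhxhjx; MBAMService and MpKsl5d204264 also have name equal to description but are not flagged because they contain uppercase letters and digits. Anything it flags is a starting point for checking the file's signature, vendor and creation date, which is the information the "Created Last 30" section of the log is there to give.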

In the same order as listed above (couldn't find the startup folder) you will see the registry contents in the attachments. Is this enough information? Also ... still can't get in touch with the user to determine what date to set for system restore. I have a SATA bridge so I am able to back up data ... just need his permission on the restore (not to mention a good date). As soon as I touch base with him, I am thinking a restore will be in order, but until that time, I thought I would continue pecking away. I appreciate your help.

http://www.flickr.com/photos/95845172@N07/


OK ... so making sure I could rule out system restore working, I went ahead as it is reversible. I made sure to choose a date from within the calendar range of obvious proper functionality (a day prior to the installation of the virus) but still get the ransomware at start up. I fear we are going to have to delete files from the registry. Just need help in determining which ones and where to find them. I did a search on all the files located in the folders (especially the executables) but found nothing seemingly malicious. What is the next step? Thanks.


Correction ... tried to go back even further (two months) and this time I could see the message when the desktop loaded (for that second or so prior to the ransomware) and I was able to determine that the system is reporting that the system restore could not complete ... then, back to the DOJ screen.


Has been resolved with system restore of some reg entries.

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
