fpk1963 Posted May 23, 2013 ID:683121 Share Posted May 23, 2013 Hi, I have a Win 7 laptop that has been infected with the DOJ ransomware. I cannot login in safe mode with a normal user that has admin rights, however I seem to get to a command prompt with a non-admin user. I tried running Hitman Pro and, though it found and deleted some files, I still have the original issue.Looking for advice on what to do next.Thanks Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted May 23, 2013 ID:683124 Share Posted May 23, 2013 Hello fpk1963 and welcome to Malwarebytes!I am D-FRED-BROWN and I will be helping you. Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.----------Step 1----------------For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.Plug the flashdrive into the infected PC.Enter System Recovery Options.To enter System Recovery Options from the Advanced Boot Options:Restart the computer.As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.Use the arrow keys to select the Repair your computer menu item.Select English as the keyboard language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account an click Next.To enter System Recovery Options by using Windows installation disc:Insert the installation disc.Restart your computer.If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.Click Repair your computer.Select English as the keyboard language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account and click Next.On the System Recovery Options menu you will get the following options:Startup RepairSystem RestoreWindows Complete PC RestoreWindows Memory Diagnostic ToolCommand Prompt[*]Select Command Prompt[*]In the command window type in notepad and press Enter.[*]The notepad opens. Under File menu select Open.[*]Select "Computer" and find your flash drive letter and close the notepad.[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press EnterNote: Replace letter e with the drive letter of your flash drive.[*]The tool will start to run.[*]When the tool opens click Yes to disclaimer.[*]Press Scan button.[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.----------Step 2----------------In your next reply, please include the following:FRST.txtAfter that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Note:Please make sure you are subscribed to this topic: Click on the "Follow This Topic" Button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly"-------> Your topic will be closed if you haven't replied within 3 days! <--------(If I don't respond within 24 hours, please send me a PM)-DFB Link to post Share on other sites More sharing options...
fpk1963 Posted May 24, 2013 Author ID:683137 Share Posted May 24, 2013 Hi,The text from FRST.txt is below. Please note that I can only get to a command prompt in recovery mode when logged in as a user that is not an admin.Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 23-05-2013Ran by fpk228 (ATTENTION: The logged in user is not administrator) on 23-05-2013 19:22:03Running from E:\Windows 7 Enterprise Service Pack 1 (X64) OS Language: English(US)Internet Explorer Version 9Boot Mode: Safe Mode (minimal)Attention: System hive is missing.==================== Processes (Whitelisted) =================(Microsoft Corporation) C:\Windows\system32\cmd.exe(Farbar) e:\FRST64.exe==================== Registry (Whitelisted) ==================Attention: Software hive is missing.HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice [2692008 2009-03-19] (ESET)HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [342528 2009-06-19] (Alps Electric Co., Ltd.)HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [450048 2009-07-31] (IDT, Inc.)HKLM\...\Run: [Logitech Download Assistant] C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch [1832760 2012-09-20] (Logitech, Inc.)HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTIONHKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTIONHKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTIONHKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTIONHKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$c5d4bc2371e7668554fa311938a84dcb\n. ATTENTION! ====> ZeroAccessHKCU\...\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [1475584 2010-11-20] (Microsoft Corporation)HKCU\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)HKLM-x32\...\Run: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe [673616 2009-04-07] (SEIKO EPSON CORPORATION)HKLM-x32\...\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)HKLM-x32\...\Run: [DLSService] "C:\Program Files (x86)\DYMO\DYMO Label Software\DLSService.exe" [55808 2009-10-28] (Sanford, L.P.)HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)HKLM-x32\...\Run: [VMware hqtray] "C:\Program Files (x86)\VMware\VMware Player\hqtray.exe" [64112 2011-09-23] (VMware, Inc.)HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254896 2012-09-17] (Sun Microsystems, Inc.)Lsa: [Authentication Packages] msv1_0 setuidStartup: C:\ProgramData\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnkShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe (McAfee, Inc.)Startup: C:\ProgramData\Start Menu\Programs\Startup\vpngui.exe.lnkShortcutTarget: vpngui.exe.lnk -> C:\Windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe ()==================== Internet (Whitelisted) ====================SearchScopes: HKCU - DefaultScope value is missing.BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)BHO-x32: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll (Safer Networking Limited)BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} - No FileBHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)BHO-x32: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)BHO-x32: Skype Plug-In - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)PDF: HKLM-x32 {00191E4B-49C2-48E2-A548-8F702D75622A} https://strtc.oracle.com/imtapp/res/jar/cnsload.cabPDF: HKLM-x32 {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cabPDF: HKLM-x32 {4871A87A-BFDD-4106-8153-FFDE2BAC2967} https://a248.e.akamai.net/f/248/14778/2h/dlmanager.download.akamai.com/14778/dlmanager/versions/activex/dlm-activex-2.2.5.7.cabPDF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://ciscosales.webex.com/client/T27L10NSP15/webex/ieatgpc1.cabPDF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabHandler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - No FileHandler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)Winsock: Catalog5 07 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [20992] (Microsoft Corporation)Winsock: Catalog9 11 C:\Program Files (x86)\VMware\VMware Player\vsocklib.dll [232448] (Microsoft Corporation)Winsock: Catalog9 12 C:\Program Files (x86)\VMware\VMware Player\vsocklib.dll [232448] (Microsoft Corporation)Winsock: Catalog5-x64 07 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)Winsock: Catalog9-x64 11 C:\Program Files (x86)\VMware\VMware Player\x64\vsocklib.dll [446576] (VMware, Inc.)Winsock: Catalog9-x64 12 C:\Program Files (x86)\VMware\VMware Player\x64\vsocklib.dll [446576] (VMware, Inc.)Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt==================== Services (Whitelisted) =================S2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)S2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_44a8c6ff8211f2d4\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)S2 CVS; C:\Program Files (x86)\cvsnt\cvsservice.exe [35328 2004-08-19] (GNU)S2 CVSLock; C:\Program Files (x86)\cvsnt\cvslock.exe [48640 2004-08-19] ()S3 EhttpSrv; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [23296 2009-03-19] (ESET)S2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [731840 2009-03-19] (ESET)S2 ftpsvc; C:\Windows\system32\inetsrv\ftpsvc.dll [350720 2012-06-01] (Microsoft Corporation)S3 Incognito Configuration File Manager Proxy for Windows; C:\Program Files (x86)\Incognito Software\NT\CFMProxy\cfmproxysvc.exe [4927488 2010-03-25] (Incognito Software, Inc,)S3 Incognito Configuration File Manager Service for Windows; C:\Program Files (x86)\Incognito Software\NT\CFM\cfmsvc.exe [5758976 2011-05-04] (Incognito Software, Inc,)S3 Incognito DHCP Service for Windows; C:\Program Files (x86)\Incognito Software\NT\IPCmdr\DIPSVC.exe [10338304 2011-09-06] (Incognito Software Inc.)S3 Incognito DNS Service for Windows; C:\Program Files (x86)\Incognito Software\NT\DNS\dnssvc.exe [7667712 2011-09-16] (Incognito Software Inc.)S3 Incognito KDC Service for Windows; C:\Program Files (x86)\Incognito Software\NT\KDC Wrapper\kdcwrappersvc.exe [4550656 2009-06-24] (Incognito Software Inc.)S3 Incognito Multimedia Provisioning Service for Windows; C:\Program Files (x86)\Incognito Software\NT\MPS\mpssvc.exe [13463552 2011-01-05] (Incognito Software Inc.)S2 lmhosts; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)S2 NlaSvc; C:\Windows\System32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)S2 nsi; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)S2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)S2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_44a8c6ff8211f2d4\STacSV64.exe [240640 2009-07-31] (IDT, Inc.)S3 rpcapd; "%ProgramFiles(x86)%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles(x86)%\WinPcap\rpcapd.ini" [x]S3 ufad-ws60; "C:\Program Files (x86)\VMware\VMware Player\vmware-ufad.exe" -d "C:\Program Files (x86)\VMware\VMware Player\\" -s ufad-p2v.xml [x]==================== Drivers (Whitelisted) ====================S3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [304784 2010-03-23] ()S2 eamon; C:\Windows\System32\DRIVERS\eamon.sys [142776 2009-03-19] (ESET)S1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [134024 2009-03-19] (ESET)S2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [121152 2009-03-19] (ESET)S2 vstor2-ws60; C:\Program Files (x86)\VMware\VMware Player\vstor2-ws60.sys [32816 2010-08-19] (VMware, Inc.)S2 NPF; system32\drivers\npf.sys [x]S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [x]S3 tsusbhub; system32\drivers\tsusbhub.sys [x]S3 VGPU; System32\drivers\rdvgkmd.sys [x]==================== NetSvcs (Whitelisted) ======================================= One Month Created Files and Folders ========2013-05-23 19:22 - 2013-05-23 19:22 - 00000000 ____D C:\FRST2013-05-23 17:50 - 2013-05-23 17:50 - 00000020 ___SH C:\Users\fpk228\ntuser.ini2013-05-23 17:50 - 2013-05-23 17:50 - 00000000 ____D C:\users\fpk2282013-05-23 17:50 - 2012-10-31 17:21 - 00000000 ____D C:\Users\fpk228\AppData\LocalGoogle2013-05-23 17:50 - 2012-10-31 17:20 - 00000000 ____D C:\Users\fpk228\AppData\Local\Google2013-05-23 17:50 - 2009-11-23 14:17 - 00000000 ____D C:\Users\fpk228\AppData\Local\Microsoft Help2013-05-23 16:40 - 2013-05-23 16:40 - 00012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe2013-05-23 15:05 - 2013-05-23 16:41 - 00000000 ____D C:\ProgramData\HitmanPro2013-05-23 14:05 - 2013-05-23 14:05 - 00000000 ___HD C:\Users\Public\Documents\Report2013-05-16 15:55 - 2013-04-10 01:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys2013-05-16 15:55 - 2013-04-10 01:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys2013-05-16 15:55 - 2011-02-03 06:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll2013-05-16 15:54 - 2013-02-27 01:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe2013-05-16 15:54 - 2013-02-27 00:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll2013-05-16 15:54 - 2013-02-27 00:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll2013-05-16 15:54 - 2013-02-27 00:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll2013-05-16 15:54 - 2013-02-27 00:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll2013-05-16 15:54 - 2013-02-26 23:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll2013-05-16 15:54 - 2013-02-26 23:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll2013-05-16 15:54 - 2013-02-26 23:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll2013-05-16 15:53 - 2013-04-09 22:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys2013-05-16 15:47 - 2013-05-05 16:36 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll2013-05-16 15:47 - 2013-05-05 16:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb2013-05-16 15:47 - 2013-05-05 14:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll2013-05-16 15:47 - 2013-05-05 14:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb2013-05-16 15:46 - 2013-04-04 20:19 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll2013-05-16 15:46 - 2013-04-04 20:08 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll2013-05-16 15:46 - 2013-04-04 20:01 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll2013-05-16 15:46 - 2013-04-04 20:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll2013-05-16 15:46 - 2013-04-04 19:59 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl2013-05-16 15:46 - 2013-04-04 19:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll2013-05-16 15:46 - 2013-04-04 19:57 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll2013-05-16 15:46 - 2013-04-04 19:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe2013-05-16 15:46 - 2013-04-04 19:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll2013-05-16 15:46 - 2013-04-04 19:55 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll2013-05-16 15:46 - 2013-04-04 19:54 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll2013-05-16 15:46 - 2013-04-04 19:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll2013-05-16 15:46 - 2013-04-04 19:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll2013-05-16 15:46 - 2013-04-04 19:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll2013-05-16 15:46 - 2013-04-04 17:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll2013-05-16 15:46 - 2013-04-04 17:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll2013-05-16 15:46 - 2013-04-04 17:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl2013-05-16 15:46 - 2013-04-04 17:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll2013-05-16 15:46 - 2013-04-04 17:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll2013-05-16 15:46 - 2013-04-04 17:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll2013-05-16 15:46 - 2013-04-04 16:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll2013-05-16 15:46 - 2013-04-04 16:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll2013-05-16 15:46 - 2013-04-04 16:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe2013-05-16 15:46 - 2013-04-04 16:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll2013-05-16 15:46 - 2013-04-04 16:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll2013-05-16 15:46 - 2013-04-04 16:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll2013-05-16 15:46 - 2013-04-04 16:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll2013-05-16 15:46 - 2013-04-04 16:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll2013-05-13 14:52 - 2013-05-13 14:52 - 00001109 ____A C:\Users\Public\Desktop\X-Lite.lnk2013-05-13 14:50 - 2013-05-13 14:50 - 00000000 ____D C:\ProgramData\Package Cache2013-04-29 09:02 - 2013-04-12 09:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys==================== One Month Modified Files and Folders =======2013-05-23 19:22 - 2013-05-23 19:22 - 00000000 ____D C:\FRST2013-05-23 19:20 - 2009-07-14 00:13 - 00787630 ____A C:\Windows\System32\PerfStringBackup.INI2013-05-23 17:50 - 2013-05-23 17:50 - 00000020 ___SH C:\Users\fpk228\ntuser.ini2013-05-23 17:50 - 2013-05-23 17:50 - 00000000 ____D C:\users\fpk2282013-05-23 17:29 - 2009-12-15 17:16 - 00000000 ____D C:\ProgramData\VMware2013-05-23 17:29 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT2013-05-23 17:29 - 2009-07-13 23:51 - 00060441 ____A C:\Windows\setupact.log2013-05-23 17:07 - 2009-11-23 13:57 - 01051436 ____A C:\Windows\WindowsUpdate.log2013-05-23 17:07 - 2009-07-13 23:45 - 00020240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A02013-05-23 17:07 - 2009-07-13 23:45 - 00020240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A02013-05-23 17:05 - 2009-12-22 18:09 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job2013-05-23 16:41 - 2013-05-23 15:05 - 00000000 ____D C:\ProgramData\HitmanPro2013-05-23 16:40 - 2013-05-23 16:40 - 00012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe2013-05-23 16:29 - 2011-03-01 21:25 - 00000920 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1448186152-1295568710-3893836055-1701UA.job2013-05-23 16:29 - 2009-12-22 18:09 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job2013-05-23 14:05 - 2013-05-23 14:05 - 00000000 ___HD C:\Users\Public\Documents\Report2013-05-23 14:05 - 2009-12-16 17:43 - 00000000 ____D C:\users\pkinnerk2013-05-23 02:29 - 2011-03-01 21:25 - 00000868 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1448186152-1295568710-3893836055-1701Core.job2013-05-17 21:17 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache2013-05-17 18:14 - 2010-06-23 17:59 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy2013-05-17 18:14 - 2010-02-01 16:07 - 00000000 ____D C:\ProgramData\McAfee Security Scan2013-05-17 18:14 - 2010-01-21 09:40 - 00000000 ___RD C:\Program Files (x86)\Skype2013-05-17 18:14 - 2009-12-14 19:52 - 00000000 ____D C:\users\administrator2013-05-17 18:14 - 2009-11-23 14:55 - 00000000 ____D C:\users\andre2013-05-17 18:14 - 2009-11-23 14:08 - 00000000 ____D C:\users\localadmin2013-05-17 18:14 - 2009-07-14 02:23 - 00000000 ___RD C:\Users\Public\Recorded TV2013-05-17 18:14 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\registration2013-05-17 18:14 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\AppCompat2013-05-16 16:00 - 2009-07-13 23:45 - 00413312 ____A C:\Windows\System32\FNTCACHE.DAT2013-05-16 15:55 - 2009-11-23 14:14 - 00000000 ____D C:\ProgramData\Microsoft Help2013-05-13 14:52 - 2013-05-13 14:52 - 00001109 ____A C:\Users\Public\Desktop\X-Lite.lnk2013-05-13 14:52 - 2012-08-03 10:26 - 02279462 ____A C:\Windows\System32\installer.log2013-05-13 14:52 - 2011-08-11 10:36 - 00043022 ____A C:\Windows\SysWOW64\installer.log2013-05-13 14:50 - 2013-05-13 14:50 - 00000000 ____D C:\ProgramData\Package Cache2013-05-05 16:36 - 2013-05-16 15:47 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll2013-05-05 16:16 - 2013-05-16 15:47 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb2013-05-05 14:25 - 2013-05-16 15:47 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll2013-05-05 14:12 - 2013-05-16 15:47 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlbOther Malware:===========C:\ProgramData\ezsidmv.dat==================== Bamital & volsnap Check =================C:\Windows\System32\winlogon.exe => MD5 is legitC:\Windows\System32\wininit.exe => MD5 is legitC:\Windows\SysWOW64\wininit.exe => MD5 is legitC:\Windows\explorer.exe => MD5 is legitC:\Windows\SysWOW64\explorer.exe => MD5 is legitC:\Windows\System32\svchost.exe => MD5 is legitC:\Windows\SysWOW64\svchost.exe => MD5 is legitC:\Windows\System32\services.exe => MD5 is legitC:\Windows\System32\User32.dll => MD5 is legitC:\Windows\SysWOW64\User32.dll => MD5 is legitC:\Windows\System32\userinit.exe => MD5 is legitC:\Windows\SysWOW64\userinit.exe => MD5 is legitC:\Windows\System32\Drivers\volsnap.sys => MD5 is legit==================== End Of Log ============================ Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted May 24, 2013 ID:683153 Share Posted May 24, 2013 Could you try running it from the Recovery Environment as a non-administrator user? Link to post Share on other sites More sharing options...
fpk1963 Posted May 24, 2013 Author ID:683154 Share Posted May 24, 2013 I'm not sure I understand. It was run as a non-admin user. Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted May 24, 2013 ID:683155 Share Posted May 24, 2013 My mistake, I misinterpreted the log.Please do the following:</p><p>Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$c5d4bc2371e7668554fa311938a84dcb\n. ATTENTION! ====> ZeroAccessC:\ProgramData\ezsidmv.datNOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating systemNow please enter System Recovery Options.Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt) please post it in your next reply. Link to post Share on other sites More sharing options...
fpk1963 Posted May 24, 2013 Author ID:683160 Share Posted May 24, 2013 Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-05-2013Ran by fpk228 at 2013-05-23 20:52:08 Run:1Running from E:\Boot Mode: Safe Mode (minimal)==============================================HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.Could not move C:\ProgramData\ezsidmv.dat. => Scheduled to move on reboot. Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted May 24, 2013 ID:683161 Share Posted May 24, 2013 Are you able to successfully boot into Normal Mode now? Link to post Share on other sites More sharing options...
fpk1963 Posted May 24, 2013 Author ID:683163 Share Posted May 24, 2013 No. After reboot, I logged back in and the DOJ screen is back. Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted May 24, 2013 ID:683164 Share Posted May 24, 2013 Okay, please try this:Try this please. You will need a USB drive.Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computerInsert your USB drivePress Start > My Computer > right click your USB drive > choose Format > Quick formatDouble click the unetbootin-xpud-windows-387.exe that you just downloadedPress Run then OKSelect the DiskImage option then click the browse button located on the right side of the textbox field.Browse to and select the xpud-0.9.2.iso file you downloadedVerify the correct drive letter is selected for your USB device then click OKIt will install a little bootable OS on your USB deviceOnce the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interfaceAfter it has completed do not choose to reboot the clean computer simply close the installerNext download http://noahdfear.net/downloads/driver.sh to your USBRemove the USB and insert it in the sick computerBoot the Sick computerPress F12 and choose to boot from the USBFollow the promptsA Welcome to xPUD screen will appearPress FileExpand mntsda1,2...usually corresponds to your HDDsdb1 is likely your USBClick on the folder that represents your USB drive (sdb1 ?)Confirm that you see driver.sh that you downloaded therePress Tool at the topChoose Open TerminalType bash driver.shPress EnterAfter it has finished a report will be located on your USB drive named report.txtRemove the USB drive and insert back in your working computer and navigate to report.txtPlease note - all text entries are case sensitiveCopy and paste the report.txt for my review Link to post Share on other sites More sharing options...
fpk1963 Posted May 24, 2013 Author ID:683173 Share Posted May 24, 2013 <p>The boot is not working as described. In the following steps:</p><p> </p><p>-Boot the Sick computer</p><div>-Press F12 and choose to boot from the USB</div><div>-Follow the prompts</div><div>-A Welcome to xPUD screen will appear</div><div><span style="color:#ff0000;">-Press File</span></div><div><span style="color:#ff0000;">-Expand mnt</span></div><div> </div><div>I never get to the last two steps. I boot off of the USB drive OK. I see see an xPUD screen where I have to select a language, but after that, Windows 7 boots up right away and I get my login screen. If I login with my normal user name, the DOJ screen is back.</div> Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted May 24, 2013 ID:683174 Share Posted May 24, 2013 Try setting your computer to boot exclusively from USB: http://pcsupport.about.com/od/tipstricks/ht/bootusbflash.htm Link to post Share on other sites More sharing options...
fpk1963 Posted May 24, 2013 Author ID:683175 Share Posted May 24, 2013 OK. It doesn't like the boot image. It just keeps looping through trying to boot up on the xpud image. After I select the language. there it says it loads /boot/xpud and /opt/medai, then says "ready", but then just reboot again. Is it a bad .iso download? Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted May 24, 2013 ID:683176 Share Posted May 24, 2013 Yeah, try giving the .iso another download.Alternatively, you could burn it to a CD/DVD (I recommend ImgBurn as a good image burning program) and try booting from that. Link to post Share on other sites More sharing options...
fpk1963 Posted May 24, 2013 Author ID:683202 Share Posted May 24, 2013 re-downloading the .iso worked. I am able to boot and run driver.sh. However, the report.txt file was basically empty after I removed the USB, even though the sh program ran and found quite a bit. I'm running again now. Will update after it's done. Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted May 24, 2013 ID:683206 Share Posted May 24, 2013 Sounds good. Keep me posted. I will call it a night and check back here tomorrow. Link to post Share on other sites More sharing options...
fpk1963 Posted May 24, 2013 Author ID:683208 Share Posted May 24, 2013 Thu May 23 23:59:45 UTC 2013Driver report for /mnt/sda2/Windows/System32/driverscc8e52daa9826064ba464dbe531f2bb5 CVPNDRVA.sys has NO Company Name!64edd3f59db321947969fdf1dd747323 1394bus.sysMicrosoft Corporationa87d604aea360176311474c87a63bb88 1394ohci.sysMicrosoft Corporation12c5274cd87449a2a37a607cdb321922 acpials.sysMicrosoft Corporation99f8e788246d495ce3794d7e7821d2ca acpipmi.sysMicrosoft Corporationd81d9e70b8a6dd14d42d7b4efa65d5f2 acpi.sysMicrosoft Corporation2f6b34b83843f0c5118b63ac634f5bf4 adp94xx.sysAdaptec597f78224ee9224ea1a13d6350ced962 adpahci.sysAdaptece109549c90f62fb570b9540c4b148e54 adpu320.sysAdaptec1c7857b62de5994a75b054a9fd4c3825 afd.sysMicrosoft Corporation7ecff9b22276b73f43a99a15a6094e90 agilevpn.sysMicrosoft Corporation608c14dba7299d8cb6ed035a68a15799 AGP440.sysMicrosoft Corporation5812713a477a3ad7363c7438ca2ee038 aliide.sysAcer Laboratories1ff8b4431c353ce385c875f194924c0c amdide.sysMicrosoft Corporation7024f087cff1833a806193ef9d22cda9 amdk8.sysMicrosoft Corporation1e56388b3fe0d031c44144eb8c4d6217 amdppm.sysMicrosoft Corporationd4121ae6d0c0e7e13aa221aa57ef2d49 amdsata.sysAdvanced Micro Devicesf67f933e79241ed32ff46a4f29b5120b amdsbs.sysAMD Technologies540daf1cea6094886d72126fd7c33048 amdxata.sysAdvanced Micro Devices616d5100fc96936f78ec7b0745af31f7 Apfiltr.sysAlps Electric89a69c3f2f319b43379399547526d952 appid.sysMicrosoft Corporation019af6924aefe7839f61c830227fe79c arcsas.sysAdaptecc484f8ceb1717c540242531db7845c4e arc.sysAdaptec769765ce2cc62867468cea93969b2242 asyncmac.sysMicrosoft Corporation02062c0b390b7729edc9e69c680a6f3c atapi.sysMicrosoft Corporationa34fe1e025e88798e746f484956c0720 ataport.sysMicrosoft Corporationb5ace6968304a3900eeb1ebfd9622df2 b57nd60a.sysBroadcom Corporationf4de2ae7a9e1badac70bc71ea2c17612 battc.sysMicrosoft Corporation9e84a931dbee0292e38ed672f6293a99 BCMWL664.SYSBroadcom Corporation16a47ce2decc9b099349a5f840654746 beep.sysMicrosoft Corporation61583ee3c3a17003c4acd0475646b4d3 blbdrive.sysMicrosoft Corporation6c02a83164f5cc0a262f4199f0871cf5 bowser.sysMicrosoft Corporationf09eee9edc320b5e1501f749fde686c8 BrFiltLo.sysBrother Industriesb114d3098e9bdb8bea8b053685831be6 BrFiltUp.sysBrother Industries5c2f352a4e961d72518261257aae204b bridge.sysMicrosoft Corporation43bea8d483bf1870f018e2d02e06a5bd BrSerId.sysBrother IndustriesBrother IndustriesBrother IndustriesBrother IndustriesBrother IndustriesBrother IndustriesBrother IndustriesBrother IndustriesBrother IndustriesBrother IndustriesBrother IndustriesBrother IndustriesBrother IndustriesBrother IndustriesBrother IndustriesBrother IndustriesBrother Industriesa6eca2151b08a09caceca35c07f05b42 BrSerWdm.sysBrother Industriesb79968002c277e869cf38bd22cd61524 BrUsbMdm.sysBrother Industriesa87528880231c54e75ea7a44943b38bf BrUsbSer.sysBrother Industries9da669f11d1f894ab4eb69bf546a42e8 bthmodem.sysMicrosoft Corporation3e5b191307609f7514148c6832bb0842 bxvbda.sysBroadcom Corporationb8bd2bb284668c84865658c77574381a cdfs.sysMicrosoft Corporationf036ce71586e93d94dab220d7bdf4416 cdrom.sysMicrosoft Corporationd7cd5c4e1b71fa62050515314cfb52cf circlass.sysMicrosoft Corporationacfad0b512226c7a83c7cb09fd55a9ad Classpnp.sysMicrosoft Corporation0840155d0bddf1190f84a663c284bd33 CmBatt.sysMicrosoft Corporatione19d3f095812725d88f9001985b94edd cmdide.sysCMD Technology9ac4f97c2d3e93367e2148ea940cd2cd cng.sysMicrosoft Corporation102de219c3f61415f964c88e9085ad14 compbatt.sysMicrosoft Corporation03edb043586cceba243d689bdda370a8 CompositeBus.sysMicrosoft Corporation3e588b60ec061686ba05d33574a344c6 crashdmp.sysMicrosoft Corporation1c827878a998c18847245fe1f34ee597 crcdisk.sysMicrosoft Corporation54da3dfd29ed9f1619b6f53f3ce55e49 csc.sysMicrosoft Corporation44bddeb03c84a1c993c992ffb5700357 CVirtA64.sysCisco Systemscc8e52daa9826064ba464dbe531f2bb5 CVPNDRVA.sys9bb2ef44eaa163b29c4a4587887a0fe4 dfsc.sysMicrosoft Corporation13096b05847ec78f0977f2c0f79e9ab3 discache.sysMicrosoft Corporation9bbd8b5855bc6578957f82341f9cde5a Diskdump.sysMicrosoft Corporation9819eee8b5ea3784ec4af3b137a5244c disk.sysMicrosoft Corporation05cb5910b3ca6019fc3cca815ee06ffb dne64x.systH`VS_VERSION_INFOHFHF?zStringFileInfoVbZCompanyNameDeterministicNetworks,Inc.,FileDescriptionDeterministicNetworkEnhancerforNDIS.:rFileVersion...(InternalNameDNETLegalCopyrightCopyright©->vOriginalFilenameDNEX.SYS,BuildNumber>rProductVersion...DVarFileInfo$Translationt*9b19f34400d24df84c858a421c205754 drmkaud.sysMicrosoft Corporation21d26064aedb4988f785bb4a3a2c051e drmk.sysMicrosoft Corporation839b5fe3d48e9f35b22c21a3d5103f6c Dumpata.sysMicrosoft Corporation814db88f2641691575a455cf25354098 dumpfve.sysMicrosoft Corporationbf24d6f2ed97fe830bfd52b246f98e67 dxapi.sysMicrosoft Corporationaf2e16242aa723f68f461b6eae2ead3d dxgkrnl.sysMicrosoft Corporation1f04cfb79dd5fb7694468ce3fb3dcc31 dxgmms1.sysMicrosoft Corporationfede0629ecb23650d48989517d4914da dxg.sysMicrosoft Corporation0ba4598a98fb32f6501dff95aaff2a24 eamon.sys?StringFileInfoe*CompanyNameESETBrFileDescriptionAmonmonitortFileVersion..nInternalNameeamon.sysLegalCopyrightCopyright©ESET-.Allrightsreserved.:LegalTrademarksNOD,NOD,AMON,ESETareregisteredtrademarksofESET.<nOriginalFilenameeamon.sysHProductNameESETSmartSecuritytProductVersion..DVarFileInfo$Translationtpx5afd23047d77c3bdd3769d4a1908a100 ehdrv.sys?StringFileInfoe*CompanyNameESETNFileDescriptionESETHelperdrivertFileVersion..nInternalNameehdrv.sysLegalCopyrightCopyright©ESET-.Allrightsreserved.:LegalTrademarksNOD,NOD,AMON,ESETareregisteredtrademarksofESET.<nOriginalFilenameehdrv.sysHProductNameESETSmartSecuritytProductVersion..DVarFileInfo$Translationt*0e5da5369a0fcaea12456dd852545184 elxstor.sysEmulex63616c10896aed3c12a4d03b6acdf75f epfwwfpr.sys?&StringFileInfoe*CompanyNameESETdFileDescriptionESETPersonalFirewalldrivertFileVersion..:rInternalNameepfwwfpr.sysLegalCopyrightCopyright©ESET-.Allrightsreserved.:LegalTrademarksNOD,NOD,AMON,ESETareregisteredtrademarksofESET.BrOriginalFilenameepfwwfpr.sysHProductNameESETSmartSecuritytProductVersion..DVarFileInfo$Translationt*34a3c54752046e79a126e15c51db409b errdev.sysMicrosoft Corporationdc5d737f51be844d8c82c695eb17372f evbda.sysBroadcom Corporationa510c654ec00c1e9bdd91eeb3a59823b exfat.sysMicrosoft Corporation0adc83218b66a6db380c330836f3e36d fastfat.sysMicrosoft Corporationd765d19cd8ef61f650c384f62fac00ab fdc.sysMicrosoft Corporation655661be46b5f5f3fd454e2c3095b930 fileinfo.sysMicrosoft Corporation5f671ab5bc87eea04ec38a6cd5962a47 filetrace.sysMicrosoft Corporationc172a0f53008eaeb8ea33fe10e177af5 flpydisk.sysMicrosoft Corporationda6b67270fd9db3697b20fce94950741 fltMgr.sysMicrosoft Corporationd43703496149971890703b4b1b723eac fsdepends.sysMicrosoft Corporation6bd9295cc032dd3077c671fccf579a7b fs_rec.sysMicrosoft Corporation1f7b25b858fa27015169fe95e54108ed fvevol.sysMicrosoft Corporation41c67e4205c606a103dec8651d0b6fe6 FWPKCLNT.SYSMicrosoft Corporation8c778d335c9d272cfd3298ab02abe3b6 GAGP30KX.SYSMicrosoft Corporation8e98d21ee06192492a5671a6144d092f GEARAspiWDM.sysGEAR Softwareea5935fa5f07a18268bd5f2715242df4 hcmon.sysVMwaref2523ef6460fc42405b12248338ab2f0 hcw85cir.sysHauppauge Computer Works97bfed39b6b79eb12cddbfeed51f56bb hdaudbus.sysMicrosoft Corporation975761c778e33cd22498059b91e7373a HdAudio.sysMicrosoft Corporation78e86380454a7b10a5eb255dc44a355f hidbatt.sysMicrosoft Corporation7fd2a313f7afe5c4dab14798c48dd104 hidbth.sysMicrosoft Corporation8b0e40e7e8bbf5acf390465609d89ff1 hidclass.sysMicrosoft Corporation0a77d29f311b88cfae3b13f9c1a73825 hidir.sysMicrosoft Corporation49ee2e52e6cd03947dad72f65367be06 hidparse.sysMicrosoft Corporation9592090a7e2b61cd582b612b6df70536 hidusb.sysMicrosoft Corporation39d2abcd392f3d8a6dce7b60ae7b8efc HpSAMD.sysHewlett-Packard0ea7de1acb728dd5a369fd742d6eee28 http.sysMicrosoft Corporationa5462bd6884960c9dc85ed49d34ff392 hwpolicy.sysMicrosoft Corporationfa55c73d4affa7ee23ac4be53b4592d3 i8042prt.sysMicrosoft Corporationaaaf44db3bd0b9d1fb6969b23ecc8366 iaStorV.sysIntel Corporation677aa5991026a65ada128c4b59cf2bad igdkmd64.sysIntel Corporation5c18831c61933628f5bb0ea2675b9d21 iirsp.sysIntel Corpf00f20e70c6ec3aa366910083a0518aa intelide.sysMicrosoft Corporationada036632c664caa754079041cf1f8c1 intelppm.sysMicrosoft Corporationc9f0e1bd74365a8771590e9008d22ab6 ipfltdrv.sysMicrosoft Corporation0fc1aea580957aa8817b8f305d18ca3a IPMIDrv.sysMicrosoft Corporationaf9b39a7e7b6caa203b3862582e9f2d0 ipnat.sysMicrosoft Corporation05360b1ea5a2abf620d1d96ebd8bd8f1 irda.sysMicrosoft Corporation3abf5e7213eb28966d55d58b515d5ce9 irenum.sysMicrosoft Corporation2f7b28dc3e1183e5eb418df55c204f38 isapnp.sysMicrosoft Corporationbc02336f1cba7dcc7d1213bb588a68a5 kbdclass.sysMicrosoft Corporation0705eff5b42a9db58548eec3b26bb484 kbdhid.sysMicrosoft Corporation97a7070aea4c058b6418519e869a63b4 ksecdd.sysMicrosoft Corporation26c43a7c2862447ec59deda188d1da07 ksecpkg.sysMicrosoft Corporation24fbf5cc5c04150073c315a7c83521ee ks.sysMicrosoft Corporation6869281e78cb31a43e969f06b57347c4 ksthunk.sysMicrosoft Corporation1538831cf8ad2979a04c423779465827 lltdio.sysMicrosoft Corporation1a93e54eb0ece102495a51266dcdb6a6 lsi_fc.sysLSI Corporation30f5c0de1ee8b5bc9306c1f0e4a75f93 lsi_sas2.sysLSI Corporation1047184a9fdc8bdbff857175875ee810 lsi_sas.sysLSI Corporation0504eacaff0d3c8aed161c4b0d369d4a lsi_scsi.sysLSI Corporation43d0f98e1d56ccddb0d5254cff7b356e luafv.sysMicrosoft Corporation3c9f072f9dca856b9fb7a20cbd4281ac mcd.sysMicrosoft Corporationa55805f747c6edb6a9080d7c633bd0f4 megasas.sysLSI Corporationbaf74ce0072480c3b6b7c13b2a94d6b3 MegaSR.sysLSI Corporation800ba92f7010378b09f9ed9270f07137 modem.sysMicrosoft Corporationb03d591dc7da45ece20b3b467e6aadaa monitor.sysMicrosoft Corporation7d27ea49f3c1f687d357e77a470aea99 mouclass.sysMicrosoft Corporationd3bf052c40b0c4166d9fd86a4288c1e6 mouhid.sysMicrosoft Corporation32e7a3d591d671a6df2db515a5cbe0fa mountmgr.sysMicrosoft Corporationa44b420d30bd56e145d6a2bc8768ec58 mpio.sysMicrosoft Corporation6c38c9e45ae0ea2fa5e551f2ed5e978f mpsdrv.sysMicrosoft Corporationdc722758b8261e1abafd31a3c0a66380 mrxdav.sysMicrosoft Corporationd711b3c1d5f42c0c2415687be09fc163 mrxsmb10.sysMicrosoft Corporation9423e9d355c8d303e76b8cfbd8a5c30c mrxsmb20.sysMicrosoft Corporationa5d9106a73dc88564c825d317cac68ac mrxsmb.sysMicrosoft Corporationc25f0bafa182cbca2dd3c851c2e75796 msahci.sysMicrosoft Corporationdb801a638d011b9633829eb6f663c900 msdsm.sysMicrosoft Corporationaa3fb40e17ce1388fa1bedab50ea8f96 msfs.sysMicrosoft Corporationf9d215a46a8b9753f61767fa72a20326 mshidkmdf.sysMicrosoft Corporationd916874bbd4f8b07bfb7fa9b3ccae29d msisadrv.sysMicrosoft Corporationd931d7309deb2317035b07c9f9e6b0bd msiscsi.sysMicrosoft Corporation49ccf2c4fea34ffad8b1b59d49439366 mskssrv.sysMicrosoft Corporationbdd71ace35a232104ddd349ee70e1ab3 mspclock.sysMicrosoft Corporation4ed981241db27c3383d72092b618a1d0 mspqm.sysMicrosoft Corporation759a9eeb0fa9ed79da1fb7d4ef78866d msrpc.sysMicrosoft Corporation0eed230e37515a0eaee3c2e1bc97b288 mssmbios.sysMicrosoft Corporation2e66f9ecb30b4221a318c92ac2250779 mstee.sysMicrosoft Corporation7ea404308934e675bffde8edf0757bcd MTConfig.sysMicrosoft Corporationf9a18612fd3526fe473c1bda678d61c8 mup.sysMicrosoft Corporation9f9a1f53aad7da4d6fef5bb73ab811ac ndiscap.sysMicrosoft Corporation79b47fd40d9a817e932f9d26fac0a81c ndis.sysMicrosoft Corporation30639c932d9fef22b31268fe25a1b6e5 ndistapi.sysMicrosoft Corporation136185f9fb2cc61e573e676aa5402356 ndisuio.sysMicrosoft Corporation53f7305169863f0a2bddc49e116c2e11 ndiswan.sysMicrosoft Corporation015c0d8e0e0421b4cfd48cffe2825879 ndproxy.sysMicrosoft Corporation86743d9f5d2b1048062b14b1d84501c4 netbios.sysMicrosoft Corporation09594d1089c523423b32a4229263f068 netbt.sysMicrosoft Corporation7942b7ac3ff598f8a1736d51adaf04e8 netio.sysMicrosoft Corporation77889813be4d166cdab78ddba990da92 nfrd960.sysIBM Corp1e4c4ab5c9b8dd13179bbdc75a2a01f7 npfs.sysMicrosoft Corporationc31fa031335eff434b2d94278e74bcce npf.systH`VS_VERSION_INFO?aDStringFileInfobPCompanyNameCACETechnologies,Inc.p$FileDescriptionnpf.sys(NT/AMD)KernelDrivervFileVersion...nInternalNameNPF+TME`LegalCopyrightCopyright-CACETechnologies.Copyright-NetGroup,PolitecnicodiTorino.(LegalTrademarksbOriginalFilenamenpf.sysbProductNameWinPcap:vProductVersion...,BuildDescriptionDVarFileInfo$Translation*e7f5ae18af4168178a642a9247c63001 nsiproxy.sysMicrosoft Corporationb98f8c6e31cd07b2e6f71f7f648e38c0 ntfs.sysMicrosoft Corporation9899284589f75fa8724ff3d16aed75c1 null.sysMicrosoft Corporation270d7cd42d6e3979f6dd0146650f0e05 NV_AGP.SYSMicrosoft Corporation0a92cb65770442ed0dc44834632f66ad nvraid.sysNVIDIA Corporationdab0e87525c10052bf65f06152f37e4a nvstor.sysNVIDIA Corporation1ea3749c4114db3e3161156ffffa6b33 nwifi.sysMicrosoft Corporation3589478e4b22ce21b41fa1bfc0b8b8a0 ohci1394.sysMicrosoft Corporation0557cf5a2556bd58e26384169d72438d pacer.sysMicrosoft Corporation0086431c29c35be1dbc43f52cc273887 parport.sysMicrosoft Corporatione9766131eeade40a27dc27d2d68fba9c partmgr.sysMicrosoft Corporationb5b8b5ef2e5cb34df8dcf8831e3534fa pciide.sysMicrosoft Corporation144497daa145ba0f7be896064146c058 pciidex.sysMicrosoft Corporation94575c0571d1462a0f70bde6bd6ee6b3 pci.sysMicrosoft Corporationb2e81d4e87ce48589f98cb8c05b01f2f pcmcia.sysMicrosoft Corporationd6b9c2e1a11a3a4b26a182ffef18f603 pcw.sysMicrosoft Corporation68769c3356b3be5d1c732c97b9a80d6e PEAuth.sysMicrosoft Corporationa010f13d27c1033a8be09d5fa9bf348b pneteth.systH`VS_VERSION_INFO?baStringFileInfoBZCompanyNameJuneFabricsTechnologyInc.hFileDescriptionPdaNetBroadbandAdapterDriverFileVersion...builtby:WinDDKbInternalNamepneteth.sysLegalCopyrightCopyright©JuneFabricsTechnologyInc.@bOriginalFilenamepneteth.sysRProductNamePdaNetBroadbandAdapter>rProductVersion...DVarFileInfo$Translation06841f5cd8410b6bdc0b5a631b8f8787 pnetmdm64.systH`VS_VERSION_INFO?nStringFileInfobPCompanyNameJuneFabricsTechnologyDFileDescriptionPdaNetDriverbFileVersion,,,bInternalNamepnetmdm.sysr'LegalCopyrightCopyrightJuneFabricsTechnology@bOriginalFilenamepnetmdm.sys<ProductNamePdaNetDriverbProductVersion,,,DVarFileInfo$Translationt*32e11315b5126921ffd9074840ef13d3 portcls.sysMicrosoft Corporation0d922e23c041efb1c3fac2a6f943c9bf processr.sysMicrosoft Corporationa53a15a11ebfd21077463ee2c7afeef0 ql2300.sysQLogic Corporation4f6d12b51de1aaeff7dc58c4d75423c8 ql40xx.sysQLogic Corporation76707bb36430888d9ce9d705398adb6c qwavedrv.sysMicrosoft Corporation5a0da8ad5762fa2d91678a8a01311704 rasacd.sysMicrosoft Corporation471815800ae33e6f1c32fb1b97c490ca rasl2tp.sysMicrosoft Corporation855c9b1cd4756c5e9a2aa58a15f58c25 raspppoe.sysMicrosoft Corporationf92a2c41117a11a00be01ca01a7fcde9 raspptp.sysMicrosoft Corporatione8b1e447b008d07ff47d016c2b0eeecb rassstp.sysMicrosoft Corporation77f665941019a1594d887a74f301fa2f rdbss.sysMicrosoft Corporation302da2a0539f2cf54d7c6cc30c1f2d8d rdpbus.sysMicrosoft Corporationcea6cc257fc9b7715f1c2b4849286d24 RDPCDD.sysMicrosoft Corporation1b6163c503398b23ff8b939c67747683 rdpdr.sysMicrosoft Corporationbb5971a4f00659529a5c44831af22365 RDPENCDD.sysMicrosoft Corporation216f3fa57533d98e1f74ded70113177a RDPREFMP.sysMicrosoft Corporation70cba1a0c98600a2aa1863479b35cb90 rdpvideominiport.sysMicrosoft Corporatione61608aa35e98999af9aaeeea6114b0a rdpwd.sysMicrosoft Corporation34ed295fa0121c241bfef24764fc4520 rdyboost.sysMicrosoft Corporatione31960692cbb3a8bcdf300bc1d889e1f rimmpx64.sysRicoh Companycaf88d6573d21cd2aa27001ddbfdc74d rmcast.sysMicrosoft Corporationfc6d5c50d846b795335deb3fce8b33f3 RNDISMP.sysMicrosoft Corporation9ebe1ca4bedbaa510dcac418b87b3c45 rndismpx.sysMicrosoft Corporation388d3dd1a6457280f3badba9f3acd6b1 rootmdm.sysMicrosoft Corporationddc86e4f8e7456261e637e3552e804ff rspndr.sysMicrosoft Corporationac03af3329579fffb455aa2daabbe22b sbp2port.sysMicrosoft Corporation253f38d0d7074c02ff8deb9836c97d2b scfilter.sysMicrosoft Corporation1b1e264203d4ef9d3da1987ad70355ab scsiport.sysMicrosoft Corporation111e0ebc0ad79cb0fa014b907b231cf0 sdbus.sysMicrosoft Corporation3ea8a16169c26afbeb544e0e48421186 secdrv.sysMacrovision Corporationcb624c0035412af0debec78c41f5ca1b serenum.sysMicrosoft Corporationc1d8e28b2c2adfaec4ba89e9fda69bd6 serial.sysMicrosoft Corporation1c545a7d0691cc4a027396535691c3e3 sermouse.sysMicrosoft Corporationa554811bcd09279536440c964ae35bbf sffdisk.sysMicrosoft Corporationff414f0baefeba59bc6c04b3db0b87bf sffp_mmc.sysMicrosoft Corporationdd85b78243a19b59f0637dcf284da63c sffp_sd.sysMicrosoft Corporationa9d601643a1647211a1ee2ec4e433ff4 sfloppy.sysMicrosoft Corporation843caf1e5fde1ffd5ff768f23a51e2e1 sisraid2.sysSilicon Integrated Systems6a6c106d42e9ffff8b9fcb4f754f6da4 sisraid4.sysSilicon Integrated Systems548260a7b8654e024dc30bf8a7c5baa4 smb.sysMicrosoft Corporationa80348ba03e96c70852959655ca3e084 smclib.sysMicrosoft Corporationb9e31e5cacdfe584f34f730a677803f9 spldr.sysMicrosoft Corporationfff95479c7ab1550f0750a5d01744211 spsys.sysMicrosoft Corporationb4adebbf5e3677cce9651e0f01f7cc28 srv2.sysMicrosoft Corporation27e461f0be5bff5fc737328f749538c3 srvnet.sysMicrosoft Corporation441fba48bff01fdb9d5969ebc1838f0b srv.sysMicrosoft Corporationf3817967ed533d08327dc73bc4d5542a stexstor.sysPromise Technology19cb37ac38b802be9c441d094521a29a storport.sysMicrosoft Corporationd34e4943d5ac096c8edeebfd80d76e23 storvsc.sysMicrosoft Corporation001cc10fa5e71ae1119115e126c8750d stream.sysMicrosoft Corporationeb059bc699e6c766857a71087594bcd7 stwrt64.sysnS?btStringFileInfoBnCompanyNameIDT,Inc.BrFileDescriptionIDTPCAudiobFileVersion...bInternalNameIDTPCAh"LegalCopyrightCopyright-IDT,Inc.@bOriginalFilenamestwrt.sys:rProductNameIDTPCAudio<bProductVersion...BrLegalTrademarksIDTPCAudiol*CommentsAllRightsReserved-IDT,Inc.DVarFileInfo$TranslationtDd01ec09b6711a5f8e7e6564a4d0fbc90 swenum.sysMicrosoft Corporation<p>1e036f98e6c780dd7669f516e8be0cea SWIPsec.systH`XXVS_VERSION_INFOn(n( Link to post Share on other sites More sharing options...
fpk1963 Posted May 24, 2013 Author ID:683209 Share Posted May 24, 2013 I have also attached the file as written.report.txt Link to post Share on other sites More sharing options...
fpk1963 Posted May 24, 2013 Author ID:683285 Share Posted May 24, 2013 Updates.... I was poking around the HDD while booted up on xPUD, and I came across a folder C:\Users\Public\Report that was created around the time that I think the computer may have been infected. The folder contained an html file and jpeg image. The html file was the DOJ page that hijacked my desktop. I renamed that folder, rebooted, and logged back in as the normal user (that has admin rights). I then had access to my desktop again, however there were still other problems (like I couldn't run msconfig, or the task manager).However I could now run rstrui.exe, which I was unable to do earlier in safe mode since I could not login as an admin user in safe mode. I was able to restore to an earlier state that "appears" to be normal and virus-free. What else should be done? I am currently running a scan with my ESET NOD32.Thanks for your help thus far. Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted May 24, 2013 ID:683326 Share Posted May 24, 2013 Nice work! Glad to hear you have it up and running.Let's do the usual routine malware checks to verify there isn't anything we need to worry about:----------Step 1----------------Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!Double-click on TDSSKiller.exe to run the tool for known TDSS variants.Vista/Windows 7 users right-click and select Run As Administrator.If TDSSKiller does not run, try renaming it.To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.Click the Start Scan button.Do not use the computer during the scanIf the scan completes with nothing found, click Close to exit.If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).Copy and paste the contents of that file in your next reply.----------Step 2----------------Please download Malwarebytes Anti-Rootkit from HEREUnzip the contents to a folder in a convenient location.Open the folder where the contents were unzipped and run mbar.exeFollow the instructions in the wizard to update and allow the program to scan your computer for threats.Click on the Cleanup button to remove any threats and reboot if prompted to do so.Wait while the system shuts down and the cleanup process is performed.Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt----------Step 3----------------Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:http://www.bleepingc...to-use-combofix***IMPORTANT: save ComboFix to your Desktop**** Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Please go here to see a list of programs that should be disabled.**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall** Please include the C:\ComboFix.txt in your next reply for further review.NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.----------Step 4----------------Please download Security Check by screen317 from here or here.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt; please post the contents of that document.----------Step 5----------------In your next reply, please include the following:TDSSKiller's logfileMBAR mbar-log.txt and system-log.txtComboFix's report (C:\ComboFix.txt)Security Check checkup.txt Link to post Share on other sites More sharing options...
fpk1963 Posted May 24, 2013 Author ID:683355 Share Posted May 24, 2013 I have completed scans so far with ESET and Malwarebytes Anti-malware with zero problems detected thus far. I will proceed to your list and post when complete. Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted May 24, 2013 ID:683360 Share Posted May 24, 2013 Sounds good. Link to post Share on other sites More sharing options...
fpk1963 Posted May 25, 2013 Author ID:683434 Share Posted May 25, 2013 OK, I'm done!I ran mbar twice, since it found and cleaned some things on the first pass. Second pass was clean.All requested logs are attached.TDSSKiller.2.8.17.0_24.05.2013_14.21.10_log.txtcheckup.txtmbar-log-2013-05-24 (15-06-34).txtmbar-log-2013-05-24 (15-57-45).txtsystem-log.txtComboFix.txt Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted May 25, 2013 ID:683442 Share Posted May 25, 2013 Looking better. I'd still like to run a few more scans for malware just to be sure.We need to create a New FULL OTL ReportPlease download OTL from here if you have not done so already:Main Mirror[*]Save it to your desktop.[*]Double click on the icon on your desktop.[*]Click the "Scan All Users" checkbox.[*]Change the "Extra Registry" option to "SafeList"[*]Push the button.[*]Two reports will open, copy and paste them in a reply here:OTL.txt <-- Will be openedExtra.txt <-- Will be minimized Link to post Share on other sites More sharing options...
fpk1963 Posted May 25, 2013 Author ID:683601 Share Posted May 25, 2013 Here they are.Extras.TxtOTL.Txt Link to post Share on other sites More sharing options...
Recommended Posts