
Win 10 DOJ Ransomware Safe Mode infected



Okay, I have Win 10 on my PC (not sure of the service pack because I can't get in).

If I boot up the PC normally, I see one or two of my normal startup things launch (Dell Stage, and a note that a Logitech programmable remote can't run with Win 10) and then the entire screen goes to a "Department of Justice has Locked your Computer" screen and from there I can't do anything. Ctrl+Alt+Del does nothing, I can Alt+Tab through open windows (i.e. the above error message and Dell Stage) but as soon as I select a window, it goes back to the "locked" screen.

If I try to boot up the PC into Safe mode (with or without networking) it stays on that screen, but slowly the top bar (across the top of the screen) starts to get overwritten pixel by pixel with different colors. After around 5 minutes I just powered down the PC.

Please Help.

I am not currently with the PC (I am at work now) - I do have uninfected PCs located at home, so I can do stuff then, but I also have a USB Flash Drive with me so I can download anything I need now.

I do have the Reinstallation CD for Win 10 handy (I pulled it out last night) but didn't want to gamble with it.

On another site, someone said that disconnecting from the Internet interfered with it running, but I have not yet tested that theory.

Currently, the PC is turned off (and unplugged) so I don't think anything more can happen with it while I work.

I'll try to answer any other questions.

-John

PS: I did have a firewall, but it kept turning off - STUPID ME didn't realize that was a warning sign and just kept driving until I hit the wall. For someone with this much PC experience to do something this dumb is kinda embarrassing. But I guess none of us are perfect (especially not me!).


Welcome to the forum, here's how we deal with that malware:

  1. Please download Farbar Recovery Scan Tool and save it to a flash drive.
    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
    Plug the flash drive into the infected PC.
  2. If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
    If you are using Vista or Windows 7 enter System Recovery Options.
    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

  3. On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
    Select Command Prompt.
  4. Once in the Command Prompt, type notepad and press Enter.
  5. Notepad opens. Under the File menu select Open.
  6. Select "Computer", find your flash drive letter and close Notepad.
  7. In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  8. The tool will start to run.
  9. When the tool opens click Yes to the disclaimer.
  10. Press the Scan button.
  11. It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

MrC


MrC-

Thank you for your attention. I have downloaded the files to my Thumbdrive (I am pretty sure I have the 64 bit version) - and it looks like I have Office 2010 but Windows 7 (as I got the PC before 8 seems to have come out, PC is 18 months old). I'll comply with the rest of your instructions once I get home (around 6pm if the traffic gods smile) and post the info back.

One quick question - about the repair CD / installation CD - Windows came preloaded on my PC, but I got a "reinstallation" CD with it - would this accomplish the same job as an installation CD? I am assuming so, but wanted to ask the question, as it was *assuming* that got me into this problem in the first place. :-)

-John


In most cases you don't need a disk, this method should work:

If you are using Vista or Windows 7 enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
  • Select Command Prompt.
  • Once in the Command Prompt, type notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter and close Notepad.
  • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

MrC


MrC,

One thing I note - if you hold down F8 you get one set of options (the 3 Safe Mode and Normal Start), while if you tap F8 multiple times you get the advanced boot options. Interesting to know.

I am also guessing that if you have only 1 operating system that it skips that request (it did for me)

In the system recovery options, I have slightly different options (oh, I have Windows 7 Ultimate, 64 bit)

Startup Repair

System Restore

System Image Recovery

Windows Memory Diagnostic

Command Prompt

Dell DataSafe Restore and Emergency Backup

When I run (j:\frst64) I get an error message "There is no disk in the drive. Please insert a disk into drive \Device\Harddisk2\DR2" - I hit continue, I had to hit it twice to get by.

I then hit "Scan" (under "Whitelist" all 6 boxes were checked: Registry, Services, Drivers, Processes, Known DLLs, Internet; under "Optional Scan" no boxes were checked: List BCD, Drivers MD5, Addition.txt).

It claims to be completed and saved in the same location as the FRST tool.

Based on the created files, I would say it really got infected at 23:08 on 6/5/2013, I tried to fix it at 4am (I couldn't sleep) then I just went to work - and came here. Here is the log:

--------------------------------------------------------------------------------------------------------------

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 05-06-2013 01

Ran by SYSTEM on 06-06-2013 18:11:01

Running from J:\

Windows 7 Ultimate (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10920552 2010-06-22] (Realtek Semiconductor)

HKLM\...\Run: [RunDLLEntry_THXCfg] C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64 [17920 2009-10-15] (Creative Technology Ltd.)

HKLM\...\Run: [RunDLLEntry_EptMon] C:\Windows\system32\RunDLL32.exe C:\Windows\system32\EptMon64.dll,RunDLLEntry EptMon64 [21504 2009-10-15] (Creative Technology Ltd.)

HKLM\...\Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup [483424 2012-02-01] ()

HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2011-10-13] (Dell)

HKLM-x32\...\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe [165184 2011-01-13] (Softthinks)

HKLM-x32\...\Run: [startCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2010-11-10] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-09-13] (Intel Corporation)

HKLM-x32\...\Run: [shwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe [237568 2010-03-10] (Alcor Micro Corp.)

HKLM-x32\...\Run: [THX Audio Control Panel] "C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" /r [963584 2009-12-01] (Creative Technology Ltd)

HKLM-x32\...\Run: [updReg] C:\Windows\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.)

HKLM-x32\...\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)

HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1532992 2013-03-13] (McAfee, Inc.)

HKLM-x32\...\Run: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup [968048 2012-02-01] ()

HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)

HKLM-x32\...\Run: [] [x]

HKU\John\...\Run: [steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1602984 2013-02-25] (Valve Corporation)

HKU\John\...\Run: [HP Photosmart 5510 series (NET)] "C:\Program Files\HP\HP Photosmart 5510 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN19L042XV05NR:NW" -scfn "HP Photosmart 5510 series (NET)" -AutoStart 1 [2672488 2011-05-25] (Hewlett-Packard Co.)

HKU\John\...\Run: [courts] C:\Users\John\AppData\Roaming\p1.exe [94208 2013-06-05] ()

Startup: C:\ProgramData\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

ShortcutTarget: Logitech Desktop Messenger.lnk -> C:\Program Files (x86)\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (Logitech Inc.)

Startup: C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk

ShortcutTarget: ctfmon.lnk -> C:\Users\John\AppData\Local\Temp\iop0__cha.exe (No File)

Startup: C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Photosmart 5510 series (Network).lnk

ShortcutTarget: Monitor Ink Alerts - HP Photosmart 5510 series (Network).lnk -> C:\Program Files\HP\HP Photosmart 5510 series\bin\HPStatusBL.dll (Hewlett-Packard Co.)

==================== Services (Whitelisted) =================

S3 McAWFwk; c:\PROGRA~1\mcafee\msc\mcawfwk.exe [220528 2010-08-30] (McAfee, Inc.)

S2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)

S2 mcmscsvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)

S2 McNaiAnn; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)

S2 McNASvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)

S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [383608 2012-11-16] (McAfee, Inc.)

S4 McOobeSv; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)

S2 McProxy; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)

S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [241456 2013-02-19] (McAfee, Inc.)

S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-02-19] (McAfee, Inc.)

S2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-02-19] (McAfee, Inc.)

S2 MSK80Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)

==================== Drivers (Whitelisted) ====================

S1 AEP_TDI_DRV; C:\Windows\SysWow64\DRIVERS\aeptdipfwd.sys [61328 2012-10-28] (AEP Networks Inc.)

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-02-19] (McAfee, Inc.)

S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)

S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179280 2013-02-19] (McAfee, Inc.)

S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309840 2013-02-19] (McAfee, Inc.)

S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515968 2013-02-19] (McAfee, Inc.)

S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)

S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)

S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340216 2013-02-19] (McAfee, Inc.)

S3 RemoteControl-USBLAN; C:\Windows\System32\DRIVERS\rcblan.sys [46616 2007-01-24] (Belcarra Technologies)

S3 mfeavfk01; No ImagePath

S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [x]

S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [x]

S3 tsusbhub; system32\drivers\tsusbhub.sys [x]

S3 VGPU; System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-06 18:08 - 2013-06-06 18:08 - 00000000 ____D C:\FRST

2013-06-05 23:08 - 2013-06-05 23:08 - 00094208 ____A C:\Users\John\Application Data\p1.exe

2013-06-05 23:08 - 2013-06-05 23:08 - 00094208 ____A C:\Users\John\AppData\Roaming\p1.exe

2013-06-05 23:08 - 2013-06-05 23:08 - 00000000 ____A C:\Users\John\Application Data\doesexist

2013-06-05 23:08 - 2013-06-05 23:08 - 00000000 ____A C:\Users\John\AppData\Roaming\doesexist

2013-05-15 22:22 - 2013-04-05 01:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-05-15 22:22 - 2013-04-05 01:52 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-05-15 22:22 - 2013-04-05 01:52 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe

2013-05-15 22:22 - 2013-04-05 01:50 - 19231232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-15 22:22 - 2013-04-05 01:50 - 15404032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-05-15 22:22 - 2013-04-05 01:50 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-05-15 22:22 - 2013-04-05 01:50 - 02647552 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-05-15 22:22 - 2013-04-05 01:50 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-05-15 22:22 - 2013-04-05 01:50 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-05-15 22:22 - 2013-04-05 01:50 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-05-15 22:22 - 2013-04-05 01:50 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll

2013-05-15 22:22 - 2013-04-05 01:50 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll

2013-05-15 22:22 - 2013-04-05 01:50 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-05-15 22:22 - 2013-04-05 01:50 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll

2013-05-15 22:22 - 2013-04-05 00:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-05-15 22:22 - 2013-04-05 00:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-05-15 22:22 - 2013-04-05 00:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-15 22:22 - 2013-04-05 00:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-05-15 22:22 - 2013-04-05 00:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-05-15 22:22 - 2013-04-05 00:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-05-15 22:22 - 2013-04-05 00:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-05-15 22:22 - 2013-04-05 00:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-05-15 22:22 - 2013-04-05 00:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-05-15 22:22 - 2013-04-05 00:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll

2013-05-15 22:22 - 2013-04-05 00:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll

2013-05-15 22:22 - 2013-04-05 00:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-05-15 22:22 - 2013-04-05 00:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll

2013-05-15 22:22 - 2013-04-04 23:43 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-15 22:22 - 2013-04-04 23:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-15 22:22 - 2013-04-04 22:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe

2013-05-15 22:22 - 2013-04-04 22:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe

2013-05-15 18:25 - 2013-04-10 01:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys

2013-05-15 18:25 - 2013-04-10 01:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys

2013-05-15 18:25 - 2013-04-09 22:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-05-15 18:25 - 2013-03-19 00:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll

2013-05-15 18:25 - 2013-03-19 00:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll

2013-05-15 18:25 - 2013-02-27 01:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe

2013-05-15 18:25 - 2013-02-27 00:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2013-05-15 18:25 - 2013-02-27 00:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll

2013-05-15 18:25 - 2013-02-27 00:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll

2013-05-15 18:25 - 2013-02-27 00:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll

2013-05-15 18:25 - 2013-02-26 23:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2013-05-15 18:25 - 2013-02-26 23:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll

2013-05-15 18:25 - 2013-02-26 23:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll

2013-05-15 18:25 - 2011-02-03 06:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll

==================== One Month Modified Files and Folders =======

2013-06-06 18:08 - 2013-06-06 18:08 - 00000000 ____D C:\FRST

2013-06-06 04:01 - 2012-02-13 16:40 - 00000254 ____A C:\Windows\Tasks\HP Photo Creations Messager.job

2013-06-06 04:00 - 2011-05-02 22:16 - 00000000 ____D C:\Program Files (x86)\Steam

2013-06-06 03:59 - 2012-02-11 23:00 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-06-06 03:59 - 2011-05-02 22:05 - 00000000 ____D C:\Users\John\Local Settings\SoftThinks

2013-06-06 03:59 - 2011-05-02 22:05 - 00000000 ____D C:\Users\John\Local Settings\Application Data\SoftThinks

2013-06-06 03:59 - 2011-05-02 22:05 - 00000000 ____D C:\Users\John\AppData\Local\SoftThinks

2013-06-06 03:59 - 2011-04-21 14:18 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup

2013-06-06 03:59 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-06-06 03:59 - 2009-07-13 23:51 - 00067941 ____A C:\Windows\setupact.log

2013-06-05 23:08 - 2013-06-05 23:08 - 00094208 ____A C:\Users\John\Application Data\p1.exe

2013-06-05 23:08 - 2013-06-05 23:08 - 00094208 ____A C:\Users\John\AppData\Roaming\p1.exe

2013-06-05 23:08 - 2013-06-05 23:08 - 00000000 ____A C:\Users\John\Application Data\doesexist

2013-06-05 23:08 - 2013-06-05 23:08 - 00000000 ____A C:\Users\John\AppData\Roaming\doesexist

2013-06-05 22:39 - 2012-02-11 23:01 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-06-05 17:01 - 2011-05-02 22:08 - 00000422 ____A C:\Windows\Tasks\SystemToolsDailyTest.job

2013-06-05 16:54 - 2009-07-13 23:45 - 00014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-06-05 16:54 - 2009-07-13 23:45 - 00014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-06-05 16:50 - 2009-07-14 00:10 - 01091125 ____A C:\Windows\WindowsUpdate.log

2013-06-05 05:41 - 2012-01-02 22:10 - 00000000 ____D C:\ProgramData\Rosetta Stone

2013-06-05 05:41 - 2012-01-02 22:10 - 00000000 ____D C:\ProgramData\Application Data\Rosetta Stone

2013-06-03 05:00 - 2011-04-21 16:03 - 00105066 ____A C:\Windows\PFRO.log

2013-05-22 06:40 - 2011-05-02 22:08 - 00000564 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job

2013-05-20 20:19 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache

2013-05-16 21:10 - 2009-07-13 23:45 - 00344064 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-15 22:25 - 2011-05-04 17:04 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-05-15 22:25 - 2011-05-04 17:04 - 00000000 ____D C:\ProgramData\Application Data\Microsoft Help

2013-05-15 22:24 - 2009-07-14 00:13 - 00740322 ____A C:\Windows\System32\PerfStringBackup.INI

Files to move or delete:

====================

C:\ProgramData\ahc__0poi.pad

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-04-17 19:47:03

Restore point made on: 2013-04-24 20:00:50

Restore point made on: 2013-04-24 21:49:35

Restore point made on: 2013-05-14 19:16:27

Restore point made on: 2013-05-15 22:22:00

Restore point made on: 2013-05-25 07:16:13

Restore point made on: 2013-06-04 20:28:12

==================== Memory info ===========================

Percentage of memory in use: 9%

Total physical RAM: 8174.46 MB

Available physical RAM: 7390.01 MB

Total Pagefile: 8172.61 MB

Available Pagefile: 7391.47 MB

Total Virtual: 8192 MB

Available Virtual: 8191.87 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:1384.51 GB) (Free:1256.39 GB) NTFS (Disk=0 Partition=3)

Drive i: (RECOVERY) (Fixed) (Total:12.71 GB) (Free:5.17 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]

Drive j: () (Removable) (Total:1.87 GB) (Free:1.86 GB) FAT32 (Disk=5 Partition=1)

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 1397 GB) (Disk ID: 3887DDD0)

Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)

Partition 2: (Active) - (Size=13 GB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=-712415117312) - (Type=07 NTFS)

========================================================

Disk: 5 (MBR Code: Windows XP) (Size: 2 GB) (Disk ID: C3072E18)

Partition 1: (Active) - (Size=2 GB) - (Type=0C)

Last Boot: 2013-06-04 20:21

==================== End Of Log ============================

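The log above is what MrC triages by eye in his next post: a Run value with no publisher whose image sits in AppData\Roaming, a Startup-folder shortcut whose target in Temp no longer exists, and a cluster of files all written at 23:08 on 2013-06-05. The Python script below is an added example and is not part of the original thread, FRST or any Malwarebytes tool; it re-implements those three heuristics over a handful of lines copied from the FRST.txt above (embedded as constructed sample input). The regular expressions are written against the line layouts visible in this post, which is an assumption about FRST's output format in general, and the lists of user-writable directories and executable extensions are assumptions of the example, not anything FRST defines.

```python
import re
from collections import namedtuple

# Constructed sample input: a handful of lines copied from the FRST.txt posted
# above, trimmed to the three sections the heuristics below look at.
SAMPLE_FRST = r"""
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10920552 2010-06-22] (Realtek Semiconductor)
HKLM\...\Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup [483424 2012-02-01] ()
HKU\John\...\Run: [steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1602984 2013-02-25] (Valve Corporation)
HKU\John\...\Run: [courts] C:\Users\John\AppData\Roaming\p1.exe [94208 2013-06-05] ()
ShortcutTarget: Logitech Desktop Messenger.lnk -> C:\Program Files (x86)\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (Logitech Inc.)
ShortcutTarget: ctfmon.lnk -> C:\Users\John\AppData\Local\Temp\iop0__cha.exe (No File)
2013-06-06 18:08 - 2013-06-06 18:08 - 00000000 ____D C:\FRST
2013-06-05 23:08 - 2013-06-05 23:08 - 00094208 ____A C:\Users\John\AppData\Roaming\p1.exe
2013-06-05 23:08 - 2013-06-05 23:08 - 00000000 ____A C:\Users\John\AppData\Roaming\doesexist
2013-05-15 22:22 - 2013-04-05 01:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
"""

# Line layouts as they appear in the log above (assumption: FRST keeps this layout).
RUN_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<pub>[^)]*)\)$")
LNK_RE = re.compile(r"^ShortcutTarget: (?P<lnk>.+?) -> (?P<target>.+?) \((?P<pub>[^)]*)\)$")
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?:\((?P<pub>[^)]*)\) )?(?P<path>.+)$")
# First token of a Run command: a quoted path, or an unquoted path up to its extension.
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|scr|bat|cmd))(?:\s|$)', re.IGNORECASE)

# Assumptions of this example: directories a standard user can write to without
# elevation, and extensions worth flagging when they appear there with no publisher.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                 "\\application data\\", "\\programdata\\", "\\users\\public\\")
EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd")

Finding = namedtuple("Finding", "kind path when")


def command_image(cmd):
    """Return the executable a Run value launches (handles quoted and unquoted paths)."""
    m = IMAGE_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip().split(" ", 1)[0]


def in_user_writable(path):
    return any(tok in path.lower() for tok in USER_WRITABLE)


def triage(log_text):
    """Apply three heuristics to FRST output and return the suspicious entries."""
    findings, created = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            image = command_image(m["cmd"])
            # 1. autorun whose image lives in a user-writable directory and carries no publisher
            if in_user_writable(image) and not m["pub"]:
                findings.append(Finding("autorun from user-writable path, no publisher", image, m["date"]))
            continue
        m = LNK_RE.match(line)
        if m:
            # 2. Startup-folder shortcut whose target is gone, or unsigned in a user-writable path
            if m["pub"] == "No File":
                findings.append(Finding("startup shortcut to missing file", m["target"], ""))
            elif in_user_writable(m["target"]) and not m["pub"]:
                findings.append(Finding("startup shortcut to user-writable path, no publisher", m["target"], ""))
            continue
        m = CREATED_RE.match(line)
        if m:
            created.append((m["created"], m["path"], m["pub"] or ""))
    # 3a. executables dropped into user-writable directories with no publisher
    hot_minutes = set()
    for when, path, pub in created:
        if in_user_writable(path) and not pub and path.lower().endswith(EXEC_EXT):
            findings.append(Finding("new executable in user-writable path", path, when))
            hot_minutes.add(when)
    # 3b. timeline correlation: anything else written in the same minute as one of those
    seen = {f.path for f in findings}
    for when, path, pub in created:
        if when in hot_minutes and in_user_writable(path) and path not in seen:
            findings.append(Finding("written in the same minute as a flagged executable", path, when))
    return findings


def earliest_event(findings):
    """Earliest minute-resolution timestamp among the findings, or None."""
    stamps = [f.when for f in findings if len(f.when) == 16]
    return min(stamps) if stamps else None


if __name__ == "__main__":
    hits = triage(SAMPLE_FRST)
    for h in hits:
        print(f"{h.when or '-':16}  {h.kind:55}  {h.path}")
    print("probable infection time:", earliest_event(hits))
```

On the sample the script flags p1.exe twice (as an autorun and as a newly created executable), the dead ctfmon.lnk target in Temp, and the zero-byte doesexist file. That last one has no executable extension and would pass the first filter; it is caught only by the correlation pass, because it was written in the same minute as p1.exe, which is the same reasoning MrC applies when he asks about the four 23:08 entries. Dell Stage also has an empty publisher field but lives under Program Files, so it is not flagged: the location test and the publisher test have to fail together.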

Do you have any idea what these are: all created the same time.

2013-06-05 23:08 - 2013-06-05 23:08 - 00094208 ____A C:\Users\John\Application Data\p1.exe

2013-06-05 23:08 - 2013-06-05 23:08 - 00094208 ____A C:\Users\John\AppData\Roaming\p1.exe

2013-06-05 23:08 - 2013-06-05 23:08 - 00000000 ____A C:\Users\John\Application Data\doesexist

2013-06-05 23:08 - 2013-06-05 23:08 - 00000000 ____A C:\Users\John\AppData\Roaming\doesexist

MrC


OK, here you go......this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now and if so..........

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that your system is now functioning normally.

MrC


Okay, I ran it and rebooted. It started up mostly normally, the PC wanted to do a disk check, but I skipped that (I will run it later) - one thing I did notice is that Steam didn't try to launch the way it did before (which I am happy with, uninstalling it is on my todo list).

Mbar updated (after I figured out I should run the extracted version and not the zipped version - duh!) , then I ran the scan, ... currently running


Okay, scan finished and found 3 pieces of malware, I told it to kill all three, then told it to reboot, although I am going to leave it off for now and take the wife out to dinner. I will post the logs later tonight. Thanks for the help so far MrC!

-John

PS: I work in Morristown and live in Sparta, NJ.


Newton is nice. My commute sucks, but that is life. :-)

CheckDisk ran and made some changes, then I ran MBAR again. But when I went to run it, QtGui4.dll was corrupted (file size 0) - so I re-extracted the files then updated and scanned the PC... Scan claims no malware found.

But I am still a little concerned because the McAfee Firewall seems to keep going down. Internet access seems to work fine, but I am not sure how to check Windows Update.

The two log files are attached here, as requested. Let me know where we go next. Thanks!

-John

mbar-log-2013-06-06 (21-38-57).txt

system-log.txt


Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Thanks MrC - I will do that when I get home from work (just getting ready to face the rainy day now). A few additional notes on the PC:

Windows Firewall is not working right (the McAfee firewall is up though) and when I try to turn on the Windows one I get a message "Can't change some of your settings Error Code 0x80070424" (this could simply be that you can only have one firewall running at a time).

[Weird note: my return key is not generating a hard line return - it works in other software, I just tried it in Word] [so I apologize for the rambling paragraph, I just can't get it to start a new one]

Windows Update appears to be running fine - is there any reason I would want to install Remote Desktop for Windows 7 - that seems to be just asking for problems. (I didn't install the two updates that would install that.)

Also IE seems to be running fine - sometimes a little slow on loading, but with my wifi that could be just the weather (the wireless is on one side of the house, my PC on the other :( ).

Thanks again, and more to follow after work.


Windows Firewall is not working right (the McAfee firewall is up though)

You don't want 2 firewalls running at the same time

- is there any reason I would want to install Remote Desktop for Windows 7 - that seems to be just asking for problems.

No, not unless you want it.

Did you run fixdamage?

MrC


MrC, okay it ran and I have attached it to this post. (my enter key still doesn't work at my PC - very annoying) I did get the illegal operation message when I tried to open IE, but I rebooted and the error message disappeared. ComboFix.txt is attached to this post. Thanks again for all the help! -John

ComboFix.txt


Is it a wireless keyboard?

Can you try another wired keyboard?

-----------------------------------------------

Log looks OK....next:

Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.

AdwCleaner is a tool that deletes :

· Adwares (software ads)

· PUP/LPI (Potentially Undesirable Program)

· Toolbars

· Hijacker (Hijack of the browser's homepage)

It works with a Search and Deletion method. It can be easily uninstalled using the "Uninstall" mode.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been run, so in this case it should be something like R1.

Note:

Please look over what was found......especially any folders, we're going to permanently delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain why it shouldn't be on your system.

If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

Please note that Antivir Webguard uses ASK Toolbar as part of its web security. If you remove ASK by using Adwcleaner, Antivir Webguard will no longer work properly. Therefore, if you use this program please use the instructions below to access the options screen where you should enable /DisableAskDetections before using AdwCleaner.

You can click on the question mark (?) in the upper left corner of the program and then click on Options. You will then be presented with a dialog where you can disable various detections. These options are described below:

/DisableAskDetection - This option disables Ask Toolbar detection.

MrC


Unfortunately, I don't have another keyboard, it's just weird I don't have this problem with other programs or with other forums...

But I can copy the hard-returns from Word into this forum. :-) Here is the log.

-------------------------------------------------------------------------------------------------

# AdwCleaner v2.302 - Logfile created 06/08/2013 at 07:59:06

# Updated 06/06/2013 by Xplode

# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)

# User : John - JOHN-PC

# Boot Mode : Normal

# Running from : C:\Users\John\Desktop\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2318C2B1-4965-11D4-9B18-009027A5CD4F}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2318C2B1-4965-11D4-9B18-009027A5CD4F}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}

Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]

Value Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]

Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]

***** [internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16576

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [1247 octets] - [08/06/2013 07:59:06]

########## EOF - C:\AdwCleaner[R1].txt - [1307 octets] ##########
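The AdwCleaner log above is plain text: `***** [section] *****` headers followed by `Key Found :` / `Value Found :` lines. As an added example (not part of this thread and not AdwCleaner's own code), here is a small Python parser that pulls those findings out and groups them by the CLSID they reference, which makes it obvious that every hit in a log like this one points at a single browser-extension GUID. The embedded log is a constructed excerpt modelled on the one posted.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the AdwCleaner[R1].txt posted above (not the real file).
SAMPLE_LOG = r"""# AdwCleaner v2.302 - Logfile created 06/08/2013 at 07:59:06
# Option [search]
***** [services] *****
***** [Files / Folders] *****
***** [Registry] *****
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
***** [internet Browsers] *****
-\\ Internet Explorer v10.0.9200.16576
[OK] Registry is clean.
"""

SECTION_RE = re.compile(r'^\*{5} \[(.+?)\] \*{5}$')          # ***** [Registry] *****
FINDING_RE = re.compile(r'^(Key|Value|File|Folder) Found : (.+)$')
GUID_RE = re.compile(r'\{[0-9A-Fa-f-]{36}\}')                 # {8-4-4-4-12} CLSID form

def parse_adwcleaner_log(text):
    """Return (section, kind, target) for every 'Found' line, tagged with its section."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = FINDING_RE.match(line)
        if m and section is not None:
            findings.append((section, m.group(1), m.group(2)))
    return findings

def group_by_guid(findings):
    """Map each CLSID-style GUID (upper-cased) to the findings whose path references it."""
    groups = defaultdict(list)
    for section, kind, target in findings:
        for guid in GUID_RE.findall(target):
            groups[guid.upper()].append((section, kind, target))
    return dict(groups)

if __name__ == "__main__":
    for guid, hits in group_by_guid(parse_adwcleaner_log(SAMPLE_LOG)).items():
        print(f"{guid}: referenced by {len(hits)} finding(s)")
        for section, kind, target in hits:
            print(f"  [{section}] {kind} -> {target}")
```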

