Jump to content

FBI Virus

colinr
 Share

Recommended Posts

colinr

colinr

Posted
Posted

Hi everyone,

I have a computer infected with the FBI Ransom virus.

I have run the Farbar tool and here is what it found:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-06-2013 01

Ran by SYSTEM on 17-06-2013 13:31:30

Running from F:\FRST

Windows Vista Home Premium (X86) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet003

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-18] (Microsoft Corporation)

HKLM\...\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1316136 2008-06-20] (Synaptics, Inc.)

HKLM\...\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" [176128 2007-04-23] (CyberLink Corp.)

HKLM\...\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [159744 2007-02-13] ( Hewlett-Packard Development Company, L.P.)

HKLM\...\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R [116224 2007-03-06] (j2 Global Communications, Inc.)

HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13556256 2008-12-04] (NVIDIA Corporation)

HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [92704 2008-12-04] (NVIDIA Corporation)

HKLM\...\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [480560 2007-10-03] (Hewlett-Packard Development Company, L.P.)

HKLM\...\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-10-09] (Hewlett-Packard)

HKLM\...\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN [630784 2007-03-02] (Brother Industries, Ltd.)

HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40368 2009-12-18] (Adobe Systems Incorporated)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [948672 2009-12-11] (Adobe Systems Incorporated)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)

HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)

HKLM\...\Run: [] [x]

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)

HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.)

HKLM\...\Run: [MapsGalaxy Search Scope Monitor] "C:\PROGRA~1\MAPSGA~2\bar\1.bin\39srchmn.exe" /m=2 /w /h [44784 2013-05-22] (MindSpark)

HKLM\...\Run: [MapsGalaxy_39 Browser Plugin Loader] C:\PROGRA~1\MAPSGA~2\bar\1.bin\39brmon.exe [30096 2013-05-22] (VER_COMPANY_NAME)

HKLM\...\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe [44128 2006-11-07] (soft thinks)

Winlogon\Notify\ScCertProp: wlnotify.dll [X]

HKU\Cake Maker 2\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [ 2009-04-10] (Microsoft Corporation)

HKU\Cake Maker 2\...\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [ 2007-03-20] (Hewlett-Packard)

HKU\Cake Maker 2\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]

HKU\Cake Maker 2\...\Run: [cdloader] "C:\Users\Cake Maker 2\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK [ 2008-12-17] (magicJack L.P.)

HKU\Cake Maker 2\...\Run: [Microsoft] Regsvr32.exe "C:\Users\Cake Maker 2\AppData\Local\Microsoft\dcdwvifx.dll" [x]

HKU\Cake Maker 2\...\Run: [wabEventSupport16] rundll32.exe "C:\Users\Cake Maker 2\AppData\Roaming\wabEventSupport16\wabEventSupport16.dll",AwPath KernelUtilLibs [x]

HKU\Cake Maker 2\...\Run: [Adobe CSS5.1 Manager] C:\Users\Cake Maker 2\AppData\Local\5156c442-3f84-41f7-bd41-f3d8bdcf431fad\cffbdfdbdcffad.exe [ 2013-06-15] () <===== ATTENTION

HKU\Cake Maker 2\...\Winlogon: [shell] explorer.exe,C:\Users\Cake Maker 2\AppData\Roaming\skype.dat <==== ATTENTION

HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [ 2007-03-20] (Hewlett-Packard)

HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [ 2007-03-20] (Hewlett-Packard)

Startup: C:\ProgramData\Start Menu\Programs\Startup\Bluetooth.lnk

ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

Startup: C:\ProgramData\Start Menu\Programs\Startup\DocuSign Web.lnk

ShortcutTarget: DocuSign Web.lnk -> C:\Program Files\DocuSign Web\DocuSignExpress.exe (DocuSign, Inc.)

Startup: C:\ProgramData\Start Menu\Programs\Startup\eFax 4.3.lnk

ShortcutTarget: eFax 4.3.lnk -> C:\Program Files\eFax Messenger 4.3\J2GTray.exe (j2 Global Communications, Inc.)

Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Bluetooth Laser Mobile Mouse.lnk

ShortcutTarget: HP Bluetooth Laser Mobile Mouse.lnk -> C:\Program Files\HP Bluetooth Laser Mobile Mouse\MulMouse.exe ()

========================== Services (Whitelisted) =================

S2 CLCapSvc; C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe [262243 2007-04-23] ()

S2 CLSched; C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe [106593 2007-04-23] ()

S2 dlcc_device; C:\Windows\system32\dlcccoms.exe [538096 2007-02-14] ( )

S2 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-10-09] (Hewlett-Packard)

S2 MapsGalaxy_39Service; C:\PROGRA~1\MAPSGA~2\bar\1.bin\39barsvc.exe [42504 2013-05-22] (COMPANYVERS_NAME)

S2 Norton PC Checkup Application Launcher; C:\Program Files\Norton PC Checkup\Engine\2.0.12.27\SymcPCCULaunchSvc.exe [123320 2011-05-03] (Symantec Corporation)

S2 PCCUJobMgr; C:\Program Files\Norton PC Checkup\Engine\2.0.12.27\diMaster.dll [132984 2011-05-03] (Symantec Corporation)

S3 ATTRcAppSvc; "C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe" /n "ATTRcAppSvc" [x]

S3 CAATT; "C:\Program Files\AT&T\Communication Manager\ConAppsSvc.exe" /n "CAATT" [x]

S3 msiserver; %systemroot%\system32\msiexec /V [x]

==================== Drivers (Whitelisted) ====================

S3 Dot4Scan; C:\Windows\System32\DRIVERS\Dot4Scan.sys [10752 2008-01-18] (Microsoft Corporation)

S1 eabfiltr; C:\Windows\System32\DRIVERS\eabfiltr.sys [8192 2006-11-30] (Hewlett-Packard Development Company, L.P.)

S3 HdAudAddService; C:\Windows\System32\drivers\CHDART.sys [160768 2007-04-11] (Conexant Systems Inc.)

S3 n558; C:\Windows\System32\Drivers\n558.sys [9600 2007-08-15] ()

S3 SCR3XX2K; C:\Windows\System32\DRIVERS\SCR3XX2K.sys [63232 2013-01-07] (Identive)

S3 swmsflt; C:\Windows\System32\drivers\swmsflt.sys [25736 2008-04-16] ()

S3 SWNC8U56; C:\Windows\System32\DRIVERS\swnc8u56.sys [101248 2007-06-27] (Sierra Wireless Inc.)

S3 SWUMX56; C:\Windows\System32\DRIVERS\swumx56.sys [73856 2007-06-27] (Sierra Wireless Inc.)

S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]

S3 IpInIp; system32\DRIVERS\ipinip.sys [x]

S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]

S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]

S3 PCTINDIS5; \??\C:\Windows\system32\PCTINDIS5.SYS [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-17 13:31 - 2013-06-17 13:31 - 00000000 ____D C:\FRST

2013-06-16 08:12 - 2013-06-17 12:28 - 00000004 ____A C:\Users\Cake Maker 2\Application Data\skype.ini

2013-06-16 08:12 - 2013-06-17 12:28 - 00000004 ____A C:\Users\Cake Maker 2\AppData\Roaming\skype.ini

2013-06-15 19:29 - 2013-06-16 08:10 - 00000356 ___AH C:\Windows\Tasks\{4F9C6553-638A-4D83-B1CD-C060F656FB5C}.job

2013-06-15 19:29 - 2013-06-15 19:29 - 00209920 ____A C:\Users\Cake Maker 2\opera.exe

2013-06-15 19:29 - 2013-06-15 19:29 - 00137216 ____A (Grand-Automatic Software Group) C:\Users\Cake Maker 2\iexplore.exe

2013-06-15 19:29 - 2013-06-15 19:29 - 00137216 ____A (Grand-Automatic Software Group) C:\Users\Cake Maker 2\conhost.exe

2013-06-15 19:29 - 2013-06-15 19:29 - 00000000 ____D C:\Users\Cake Maker 2\Local Settings\Application Data\5156c442-3f84-41f7-bd41-f3d8bdcf431fad

2013-06-15 19:29 - 2013-06-15 19:29 - 00000000 ____D C:\Users\Cake Maker 2\Local Settings\5156c442-3f84-41f7-bd41-f3d8bdcf431fad

2013-06-15 19:29 - 2013-06-15 19:29 - 00000000 ____D C:\Users\Cake Maker 2\AppData\Local\5156c442-3f84-41f7-bd41-f3d8bdcf431fad

2013-06-15 19:29 - 2013-06-15 19:29 - 00000000 ____A C:\Users\Cake Maker 2\rundll32.exe

2013-06-15 19:29 - 2013-06-15 19:29 - 00000000 ____A C:\Users\Cake Maker 2\msconfig.exe

2013-06-15 19:29 - 2013-06-15 19:29 - 00000000 ____A C:\Users\Cake Maker 2\jucheck.exe

2013-06-15 19:29 - 2013-06-15 19:29 - 00000000 ____A C:\Users\Cake Maker 2\acrobat.exe

2013-06-15 19:28 - 2013-06-15 19:29 - 00877056 ____A (FileZilla Project) C:\Users\Cake Maker 2\windowsupdate.exe

2013-06-15 19:28 - 2013-06-15 19:29 - 00877056 ____A (FileZilla Project) C:\Users\Cake Maker 2\googleupdate.exe

2013-06-15 15:44 - 2013-06-15 15:44 - 00000000 ____D C:\Users\Cake Maker 2\Application Data\wabEventSupport16

2013-06-15 15:44 - 2013-06-15 15:44 - 00000000 ____D C:\Users\Cake Maker 2\AppData\Roaming\wabEventSupport16

2013-06-13 02:26 - 2013-05-16 15:08 - 12329984 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-06-13 02:26 - 2013-05-16 14:49 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-06-13 02:26 - 2013-05-16 14:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-06-13 02:26 - 2013-05-16 14:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-06-13 02:26 - 2013-05-16 14:28 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-06-13 02:26 - 2013-05-16 14:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2013-06-13 02:26 - 2013-05-16 14:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-06-13 02:26 - 2013-05-16 14:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-06-13 02:26 - 2013-05-16 14:21 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-06-13 02:26 - 2013-05-16 14:21 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2013-06-13 02:26 - 2013-05-16 14:20 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2013-06-13 02:26 - 2013-05-16 14:19 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-06-13 02:26 - 2013-05-16 14:17 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-06-13 02:26 - 2013-05-16 14:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-06-13 02:26 - 2013-05-16 14:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-06-13 02:26 - 2013-05-16 14:12 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-06-12 19:04 - 2013-05-07 20:37 - 00905576 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

2013-06-12 18:50 - 2013-05-01 20:04 - 00443904 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll

2013-06-12 18:50 - 2013-05-01 20:03 - 00037376 ____A (Microsoft Corporation) C:\Windows\System32\printcom.dll

2013-06-12 18:46 - 2013-04-23 20:00 - 00985600 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2013-06-12 18:46 - 2013-04-23 20:00 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2013-06-12 18:46 - 2013-04-23 20:00 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

2013-06-12 18:46 - 2013-04-23 20:00 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll

2013-06-12 18:46 - 2013-04-23 17:46 - 00812544 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe

2013-06-12 18:44 - 2013-05-02 14:03 - 03603832 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe

2013-06-12 18:44 - 2013-05-02 14:03 - 03551096 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2013-06-12 18:44 - 2013-04-17 04:30 - 00024576 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll

2013-06-12 08:30 - 2013-06-13 02:45 - 00000350 ____A C:\Windows\Tasks\HPCeeScheduleForCake Maker 2.job

2013-05-22 11:58 - 2013-06-06 18:55 - 00000000 ____D C:\Users\Cake Maker 2\Local Settings\MapsGalaxy_39

2013-05-22 11:58 - 2013-06-06 18:55 - 00000000 ____D C:\Users\Cake Maker 2\Local Settings\Application Data\MapsGalaxy_39

2013-05-22 11:58 - 2013-06-06 18:55 - 00000000 ____D C:\Users\Cake Maker 2\AppData\Local\MapsGalaxy_39

2013-05-22 11:57 - 2013-05-22 11:57 - 00000000 ____D C:\Program Files\MapsGalaxy_39

==================== One Month Modified Files and Folders ========

2013-06-17 13:31 - 2013-06-17 13:31 - 00000000 ____D C:\FRST

2013-06-17 12:28 - 2013-06-16 08:12 - 00000004 ____A C:\Users\Cake Maker 2\Application Data\skype.ini

2013-06-17 12:28 - 2013-06-16 08:12 - 00000004 ____A C:\Users\Cake Maker 2\AppData\Roaming\skype.ini

2013-06-17 12:28 - 2007-11-27 14:57 - 01838152 ____A C:\Windows\WindowsUpdate.log

2013-06-17 12:28 - 2007-11-27 14:56 - 00001076 ____A C:\Windows\bthservsdp.dat

2013-06-17 12:28 - 2006-11-02 05:01 - 00032616 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2013-06-17 12:28 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-06-17 12:28 - 2006-11-02 04:47 - 00003168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2013-06-17 12:28 - 2006-11-02 04:47 - 00003168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2013-06-17 12:14 - 2010-01-03 21:04 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-06-17 12:06 - 2013-02-19 15:06 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-06-17 12:02 - 2009-02-19 11:21 - 00028504 ____A C:\ProgramData\nvModes.001

2013-06-17 12:02 - 2009-02-19 11:21 - 00028504 ____A C:\ProgramData\Application Data\nvModes.001

2013-06-17 12:02 - 2008-04-29 21:32 - 00006944 ____A C:\Users\Cake Maker 2\Local Settings\d3d9caps.dat

2013-06-17 12:02 - 2008-04-29 21:32 - 00006944 ____A C:\Users\Cake Maker 2\Local Settings\Application Data\d3d9caps.dat

2013-06-17 12:02 - 2008-04-29 21:32 - 00006944 ____A C:\Users\Cake Maker 2\AppData\Local\d3d9caps.dat

2013-06-17 12:02 - 2007-08-04 02:40 - 00000147 ____A C:\Users\Public\Documents\hpqp.ini

2013-06-17 12:02 - 2007-08-04 02:40 - 00000147 ____A C:\ProgramData\Documents\hpqp.ini

2013-06-17 12:01 - 2010-01-03 21:04 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-06-17 12:01 - 2007-08-04 03:16 - 00000000 ____D C:\Windows\SMINST

2013-06-16 14:19 - 2009-02-19 11:21 - 00028504 ____A C:\ProgramData\nvModes.dat

2013-06-16 14:19 - 2009-02-19 11:21 - 00028504 ____A C:\ProgramData\Application Data\nvModes.dat

2013-06-16 08:10 - 2013-06-15 19:29 - 00000356 ___AH C:\Windows\Tasks\{4F9C6553-638A-4D83-B1CD-C060F656FB5C}.job

2013-06-15 19:29 - 2013-06-15 19:29 - 00209920 ____A C:\Users\Cake Maker 2\opera.exe

2013-06-15 19:29 - 2013-06-15 19:29 - 00137216 ____A (Grand-Automatic Software Group) C:\Users\Cake Maker 2\iexplore.exe

2013-06-15 19:29 - 2013-06-15 19:29 - 00137216 ____A (Grand-Automatic Software Group) C:\Users\Cake Maker 2\conhost.exe

2013-06-15 19:29 - 2013-06-15 19:29 - 00000000 ____D C:\Users\Cake Maker 2\Local Settings\Application Data\5156c442-3f84-41f7-bd41-f3d8bdcf431fad

2013-06-15 19:29 - 2013-06-15 19:29 - 00000000 ____D C:\Users\Cake Maker 2\Local Settings\5156c442-3f84-41f7-bd41-f3d8bdcf431fad

2013-06-15 19:29 - 2013-06-15 19:29 - 00000000 ____D C:\Users\Cake Maker 2\AppData\Local\5156c442-3f84-41f7-bd41-f3d8bdcf431fad

2013-06-15 19:29 - 2013-06-15 19:29 - 00000000 ____A C:\Users\Cake Maker 2\rundll32.exe

2013-06-15 19:29 - 2013-06-15 19:29 - 00000000 ____A C:\Users\Cake Maker 2\msconfig.exe

2013-06-15 19:29 - 2013-06-15 19:29 - 00000000 ____A C:\Users\Cake Maker 2\jucheck.exe

2013-06-15 19:29 - 2013-06-15 19:29 - 00000000 ____A C:\Users\Cake Maker 2\acrobat.exe

2013-06-15 19:29 - 2013-06-15 19:28 - 00877056 ____A (FileZilla Project) C:\Users\Cake Maker 2\windowsupdate.exe

2013-06-15 19:29 - 2013-06-15 19:28 - 00877056 ____A (FileZilla Project) C:\Users\Cake Maker 2\googleupdate.exe

2013-06-15 19:29 - 2008-04-10 20:32 - 00000000 ____D C:\users\Cake Maker 2

2013-06-15 15:44 - 2013-06-15 15:44 - 00000000 ____D C:\Users\Cake Maker 2\Application Data\wabEventSupport16

2013-06-15 15:44 - 2013-06-15 15:44 - 00000000 ____D C:\Users\Cake Maker 2\AppData\Roaming\wabEventSupport16

2013-06-15 15:43 - 2009-04-04 11:27 - 00000868 ____A C:\Windows\Tasks\Google Software Updater.job

2013-06-13 03:01 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\rescache

2013-06-13 02:45 - 2013-06-12 08:30 - 00000350 ____A C:\Windows\Tasks\HPCeeScheduleForCake Maker 2.job

2013-06-13 02:29 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Microsoft.NET

2013-06-13 02:27 - 2007-08-04 02:35 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-06-13 02:27 - 2007-08-04 02:35 - 00000000 ____D C:\ProgramData\Application Data\Microsoft Help

2013-06-13 02:24 - 2006-11-02 02:33 - 00722608 ____A C:\Windows\System32\PerfStringBackup.INI

2013-06-13 02:03 - 2006-11-02 02:24 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe

2013-06-12 08:29 - 2009-02-04 20:39 - 00000052 ____A C:\Windows\System32\DOErrors.log

2013-06-12 08:28 - 2013-02-19 15:06 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2013-06-12 08:28 - 2011-06-14 12:50 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2013-06-11 14:35 - 2012-10-09 06:59 - 00000000 ____D C:\Users\Cake Maker 2\Application Data\HpUpdate

2013-06-11 14:35 - 2012-10-09 06:59 - 00000000 ____D C:\Users\Cake Maker 2\AppData\Roaming\HpUpdate

2013-06-08 18:47 - 2009-12-02 15:31 - 00000000 ____D C:\Users\Cake Maker 2\ZipForm

2013-06-06 19:02 - 2013-04-01 09:19 - 00001971 ____A C:\Users\Public\Desktop\Google Chrome.lnk

2013-06-06 19:02 - 2013-04-01 09:19 - 00001971 ____A C:\ProgramData\Desktop\Google Chrome.lnk

2013-06-06 18:55 - 2013-05-22 11:58 - 00000000 ____D C:\Users\Cake Maker 2\Local Settings\MapsGalaxy_39

2013-06-06 18:55 - 2013-05-22 11:58 - 00000000 ____D C:\Users\Cake Maker 2\Local Settings\Application Data\MapsGalaxy_39

2013-06-06 18:55 - 2013-05-22 11:58 - 00000000 ____D C:\Users\Cake Maker 2\AppData\Local\MapsGalaxy_39

2013-05-22 15:45 - 2009-10-27 11:00 - 00001050 ____A C:\Users\Cake Maker 2\Application Data\wklnhst.dat

2013-05-22 15:45 - 2009-10-27 11:00 - 00001050 ____A C:\Users\Cake Maker 2\AppData\Roaming\wklnhst.dat

2013-05-22 15:38 - 2007-08-04 02:25 - 00322178 ____A C:\Windows\PFRO.log

2013-05-22 11:57 - 2013-05-22 11:57 - 00000000 ____D C:\Program Files\MapsGalaxy_39

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-1410398631-1634151822-1184643937-1000\$ff24043d55f85ce9a20a8337d9b4b888

C:\$Recycle.Bin\S-1-5-21-1410398631-1634151822-1184643937-1000\$ff24043d55f85ce9a20a8337d9b4b888\@

C:\$Recycle.Bin\S-1-5-21-1410398631-1634151822-1184643937-1000\$ff24043d55f85ce9a20a8337d9b4b888\L

C:\$Recycle.Bin\S-1-5-21-1410398631-1634151822-1184643937-1000\$ff24043d55f85ce9a20a8337d9b4b888\U

C:\$Recycle.Bin\S-1-5-21-1410398631-1634151822-1184643937-1000\$ff24043d55f85ce9a20a8337d9b4b888\L\00000004.@

C:\$Recycle.Bin\S-1-5-21-1410398631-1634151822-1184643937-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\00000004.@

C:\$Recycle.Bin\S-1-5-21-1410398631-1634151822-1184643937-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\00000008.@

C:\$Recycle.Bin\S-1-5-21-1410398631-1634151822-1184643937-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\000000cb.@

C:\$Recycle.Bin\S-1-5-21-1410398631-1634151822-1184643937-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\80000000.@

C:\$Recycle.Bin\S-1-5-21-1410398631-1634151822-1184643937-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\80000032.@

Files to move or delete:

====================

C:\Users\Cake Maker 2\acrobat.exe

C:\Users\Cake Maker 2\conhost.exe

C:\Users\Cake Maker 2\googleupdate.exe

C:\Users\Cake Maker 2\iexplore.exe

C:\Users\Cake Maker 2\jucheck.exe

C:\Users\Cake Maker 2\msconfig.exe

C:\Users\Cake Maker 2\opera.exe

C:\Users\Cake Maker 2\rundll32.exe

C:\Users\Cake Maker 2\windowsupdate.exe

C:\Users\Cake Maker 2\AppData\Roaming\skype.dat

C:\Users\Cake Maker 2\AppData\Roaming\skype.ini

C:\Users\Cake Maker 2\Application Data\skype.dat

C:\Users\Cake Maker 2\Application Data\skype.ini

C:\ProgramData\nvModes.dat

C:\Windows\Tasks\{4F9C6553-638A-4D83-B1CD-C060F656FB5C}.job

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-05-21 08:03:25

Restore point made on: 2013-05-24 11:15:04

Restore point made on: 2013-05-27 10:51:31

Restore point made on: 2013-05-28 07:59:29

Restore point made on: 2013-05-30 08:49:43

Restore point made on: 2013-06-02 11:39:10

Restore point made on: 2013-06-04 08:49:22

Restore point made on: 2013-06-11 07:34:06

Restore point made on: 2013-06-12 10:16:18

Restore point made on: 2013-06-13 02:01:45

Restore point made on: 2013-06-14 08:46:41

Restore point made on: 2013-06-15 15:44:08

==================== Memory info ===========================

Percentage of memory in use: 25%

Total physical RAM: 1982.31 MB

Available physical RAM: 1486.71 MB

Total Pagefile: 1716.22 MB

Available Pagefile: 1554.77 MB

Total Virtual: 2047.88 MB

Available Virtual: 1972.3 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:140.62 GB) (Free:71.83 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

Drive d: (HP_RECOVERY) (Fixed) (Total:8.43 GB) (Free:1.81 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Drive f: () (Removable) (Total:7.44 GB) (Free:2.22 GB) FAT32

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (Size: 149 GB) (Disk ID: 9E86F523)

Partition 1: (Active) - (Size=141 GB) - (Type=07 NTFS)

Partition 2: (Not Active) - (Size=8 GB) - (Type=07 NTFS)

========================================================

Disk: 1 (Size: 7 GB) (Disk ID: 00000000)

Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)

LastRegBack: 2013-06-17 12:06

==================== End Of Log ============================

Any help would be greatly appreciated!!

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

OK, here you go......this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now and if so..........

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

Link to post
Share on other sites
colinr

colinr

Posted
  • Author
Posted

Thank you very much! I ran the anti rootkit program you specified, and it found 3 files that were infected. They have been cleaned and I rebooted, re-ran the scan and it found nothing. I've attached the logs in case you need them.

 

I have verified that Windows Update, Firewall, and internet are working. I am going to run a scan with Malwarebytes to cover all of the bases.

mbar-log-2013-06-17 (14-29-21).txt

mbar-log-2013-06-17 (14-49-55).txt

system-log.txt

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept