FBI Ransom Virus Help! - No Safe Mode

I have tried many different fixes and I cannot get anything to rid my comp. of the malicious virus. I used the tool you recommend and here is the log:


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 10-07-2013 03
Ran by SYSTEM on 10-07-2013 18:39:09
Running from J:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet002
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Cmaudio8788] - C:\Windows\syswow64\RunDll32.exe C:\Windows\Syswow64\cmicnfgp.dll,CMICtrlWnd [8769536 2011-05-12] (C-Media Corporation)
HKLM\...\Run: [Cmaudio8788GX] - C:\Windows\syswow64\HsMgr.exe Envoke [200704 2008-07-10] ()
HKLM\...\Run: [Cmaudio8788GX64] - C:\Windows\system\HsMgr64.exe Envoke [282112 2008-07-10] ()
HKLM\...\Run: [mckqup] - "C:\Windows\System32\rundll32.exe" "C:\Users\Brad\AppData\Roaming\mckqup.dll",ReleaseLock [565248 2013-07-01] (Mise Technology,Inc)
HKLM\...\Run: [ruidop] - "C:\Windows\System32\rundll32.exe" "C:\Users\Brad\AppData\Roaming\ruidop.dll",Instance_NewRaw [417792 2013-07-01] (DIA Corporation)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM\...\Winlogon: [userinit] C:\Windows\system32\userinit.exe
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$0040424851a523cef18c0a9fb7c7e5dd\n. ATTENTION! ====> ZeroAccess
HKLM-x32\...\Run: [uSB3MON] - "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [291608 2012-01-04] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] - "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Ad-Aware Browsing Protection] - "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe" [542104 2012-12-11] (Lavasoft)
HKLM-x32\...\Run: [GrooveMonitor] - "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Ad-Aware Antivirus] - "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run [x]
HKLM-x32\...\Run: [sunJavaUpdateSched] - "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\Brad\...\Run: [nHancer] - "C:\Program Files\nHancer\nHancer.exe" /tray [x]
HKU\Brad\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Brad\AppData\Local\Temp\rbxbceegmxwsnlajebd.bfg [54272 2013-07-10] (NVIDIA Corporation) <===== ATTENTION
HKU\Brad\...\Winlogon: [userinit] C:\Windows\system32\userinit.exe [30720 2010-11-20] (Microsoft Corporation)
HKU\Brad\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Brad\...\Command Processor: "C:\Users\Brad\AppData\Local\Temp\rbxbceegmxwsnlajebd.bfg" <===== ATTENTION!
HKU\Default\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\UpdatusUser\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\UpdatusUser\...\Winlogon: [userinit] C:\Windows\system32\userinit.exe [30720 2010-11-20] (Microsoft Corporation)
Startup: C:\Users\Brad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XNL.lnk
ShortcutTarget: XNL.lnk -> G:\Experience X Lights\FSXXNL\XNL.exe ()

==================== Services (Whitelisted) =================

S2 Ad-Aware Service; C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe [1236968 2012-12-14] (Lavasoft Limited)
S3 Futuremark SystemInfo Service; C:\Program Files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [150464 2012-08-10] (Futuremark Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-07] (Intel Corporation)
S2 SBAMSvc; C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [3677000 2012-09-20] (GFI Software)

==================== Drivers (Whitelisted) ====================

S3 cmudaxp; C:\Windows\System32\drivers\cmudaxp.sys [2725376 2011-03-09] (C-Media Inc)
S3 gfiark; C:\Windows\System32\drivers\gfiark.sys [39504 2013-04-11] (ThreatTrack Security)
S0 gfibto; C:\Windows\System32\drivers\gfibto.sys [14456 2013-01-12] (GFI Software)
S0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [23832 2011-12-02] (Intel Corporation)
S3 npusbio; C:\Windows\System32\Drivers\npusbio_x64.sys [38400 2012-07-09] ()
S3 SaiH0763; C:\Windows\System32\DRIVERS\SaiH0763.sys [178304 2008-02-15] (Saitek)
S3 SaiH0BAC; C:\Windows\System32\DRIVERS\SaiH0BAC.sys [176128 2007-07-02] (Saitek)
S3 ALSysIO; \??\C:\Users\Brad\AppData\Local\Temp\ALSysIO64.sys [x]
S3 cpuz135; \??\C:\Users\ADMINI~1\AppData\Local\Temp\cpuz135\cpuz135_x64.sys [x]
S3 e1cexpress; system32\DRIVERS\e1c62x64.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-10 18:39 - 2013-07-10 18:39 - 00000000 ____D C:\FRST
2013-07-10 09:53 - 2013-07-10 09:53 - 00003288 ____N C:\bootsqm.dat
2013-07-10 09:52 - 2013-07-10 09:52 - 00000000 __SHD C:\found.000
2013-07-10 09:43 - 2013-07-10 09:43 - 69730304 ____A C:\Windows\System32\config\software.bhv
2013-07-10 09:43 - 2013-07-10 09:43 - 20709376 ____A C:\Windows\System32\config\system.bhv
2013-07-10 09:43 - 2013-07-10 09:43 - 00262144 ____A C:\Windows\System32\config\security.bhv
2013-07-10 09:43 - 2013-07-10 09:43 - 00262144 ____A C:\Windows\System32\config\sam.bhv
2013-07-10 09:43 - 2013-07-10 09:43 - 00262144 ____A C:\Windows\System32\config\default.bhv
2013-07-10 08:38 - 2013-07-10 08:38 - 00000000 ___AD C:\$Anvi Rescue Disk$
2013-07-10 08:08 - 2013-07-10 08:08 - 01097640 ____A C:\Users\Brad\AppData\Local\2433f433
2013-07-10 08:08 - 2013-07-10 08:08 - 01097637 ____A C:\ProgramData\2433f433
2013-07-10 08:08 - 2013-07-10 08:08 - 01097615 ____A C:\Users\Brad\AppData\Roaming\2433f433
2013-07-10 08:04 - 2013-07-10 08:04 - 00000000 ____D C:\Users\Brad\Downloads\kecp_photoreal_update
2013-07-10 08:03 - 2013-07-10 08:04 - 00000000 ____D C:\Users\Brad\Downloads\kecp_northwest_florida_beaches_intl_panama_city
2013-07-09 11:51 - 2013-07-09 11:51 - 00067775 ____A C:\Users\Brad\Desktop\fsx.cfg
2013-07-08 09:32 - 2013-07-08 09:32 - 00006274 ____A C:\Users\Brad\Documents\Unilever - Covington.xls
2013-07-02 06:51 - 2013-07-02 06:51 - 00187359 ____A C:\Users\Brad\Documents\zep pa first load.xps
2013-07-01 19:26 - 2013-07-01 19:26 - 00565248 ____A (Mise Technology,Inc) C:\Users\Brad\AppData\Roaming\mckqup.dll
2013-07-01 19:26 - 2013-07-01 19:26 - 00417792 ____A (DIA Corporation) C:\Users\Brad\AppData\Roaming\ruidop.dll
2013-07-01 19:25 - 2013-07-01 19:25 - 00000012 ____A C:\Windows\sruna.log
2013-07-01 18:48 - 2013-07-01 18:48 - 00293784 ____A C:\Windows\Minidump\070113-12230-01.dmp
2013-06-30 05:55 - 2013-06-30 05:55 - 00293768 ____A C:\Windows\Minidump\063013-6598-01.dmp
2013-06-29 12:49 - 2013-06-29 12:49 - 00000000 ____D C:\Users\Brad\Downloads\ProcessExplorer
2013-06-29 06:38 - 2013-06-29 06:38 - 00000000 ____D C:\Users\Brad\Downloads\ualx145
2013-06-29 04:11 - 2013-06-29 04:11 - 00000000 ____D C:\Users\Brad\Downloads\EMBserie_for_MSFS
2013-06-26 18:35 - 2013-06-26 18:35 - 00000000 ____D C:\Users\Brad\Documents\Aerosoft
2013-06-24 08:58 - 2004-12-19 12:34 - 00054404 ____A C:\Windows\SysWOW64\sndspeed.dll
2013-06-24 08:58 - 2004-07-19 10:54 - 00053248 ____A (FailSafe Systems) C:\Windows\SysWOW64\WinWorX.dll
2013-06-24 08:58 - 2003-11-20 09:27 - 00198656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\Comdlg32.ocx
2013-06-24 08:58 - 2003-11-13 12:44 - 00319488 ____A (Polar          sales@polarsoftware.com        www.polarsoftware.com) C:\Windows\SysWOW64\PolarZIPLight.dll
2013-06-24 08:58 - 2003-09-23 12:32 - 00458752 ____A (CSC) C:\Windows\SysWOW64\FDC_Buttons.ocx
2013-06-24 08:58 - 2002-03-13 19:46 - 00053248 ____A C:\Windows\SysWOW64\zlib.dll
2013-06-24 08:58 - 2000-07-09 16:15 - 00106496 ____A (Marco Bellinaso) C:\Windows\SysWOW64\MBPrgBar.ocx
2013-06-24 08:58 - 2000-05-22 13:58 - 00647872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mscomct2.ocx
2013-06-24 08:58 - 2000-05-21 22:00 - 01066176 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCTL.OCX
2013-06-24 08:58 - 1999-05-06 21:00 - 00244232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSFLXGRD.OCX
2013-06-24 08:58 - 1998-06-24 02:00 - 00067376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\Sysinfo.ocx
2013-06-24 08:58 - 1998-06-23 22:00 - 00164144 ____A (Microsoft Corporation) C:\Windows\SysWOW64\COMCT232.OCX
2013-06-24 08:58 - 1998-06-23 22:00 - 00137000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSMAPI32.OCX
2013-06-24 08:58 - 1998-06-23 21:00 - 00115016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\Msinet.ocx
2013-06-24 08:56 - 2013-06-24 08:56 - 00000856 ____A C:\Users\Public\Desktop\FDC Live Cockpit.lnk
2013-06-24 08:40 - 2013-06-24 08:40 - 00000000 ____D C:\Users\Brad\AppData\Roaming\InstallShield
2013-06-24 08:38 - 2013-06-24 08:38 - 00000000 ____D C:\Users\Brad\Downloads\AS_FDCX
2013-06-24 07:53 - 2009-12-19 05:02 - 10976768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\temp.004
2013-06-23 07:00 - 2013-06-23 07:00 - 00293752 ____A C:\Windows\Minidump\062313-6598-01.dmp
2013-06-23 04:53 - 2013-06-23 04:53 - 00000197 ____A C:\Users\Brad\FlightBeam_Washington Dulles Intl - HD.reg
2013-06-22 06:47 - 2009-12-19 05:02 - 10976768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\temp.003
2013-06-22 05:00 - 2013-06-22 05:00 - 00003148 ____A C:\Windows\System32\Tasks\{57C36066-1997-408A-8E30-8DBF1DE9C9F1}
2013-06-22 04:59 - 2013-06-22 04:59 - 03536847 ____A () C:\Users\Brad\Downloads\SKYDC-9_51_FSX_DAL_Setup.exe
2013-06-20 18:01 - 2013-07-09 19:18 - 00084088 ____A C:\AEMODULE.LOG
2013-06-20 17:49 - 2013-06-20 17:49 - 00000000 ____D C:\Users\Brad\AppData\Local\Flight1 Software
2013-06-20 17:47 - 2013-06-20 17:47 - 00000877 ____A C:\Users\Public\Desktop\Audio Environment Configuration Manager.lnk
2013-06-20 17:47 - 2013-06-20 17:47 - 00000858 ____A C:\Users\Public\Desktop\Third Party Aircraft Sound Installer.lnk
2013-06-20 17:46 - 2013-06-20 17:46 - 00000000 ____D C:\Users\Brad\Downloads\FSX - Flight1 - TSS - Audio Environment - Airliner Edition V1.2
2013-06-20 12:49 - 2013-06-20 15:38 - 574635825 ____A C:\Users\Brad\Downloads\FSX - Flight1 - TSS - Audio Environment - Airliner Edition V1.2.rar
2013-06-20 07:26 - 2013-06-20 07:26 - 00000000 ____D C:\ProgramData\CaptainSim
2013-06-20 07:25 - 2013-06-20 07:25 - 00000000 ____D C:\Users\Brad\Downloads\CS777
2013-06-19 07:57 - 2013-06-19 07:57 - 00003992 ____A C:\Users\Brad\Downloads\cls_b763_panel_retrofit.zip
2013-06-19 05:17 - 2013-06-19 05:24 - 00001059 ____A C:\Users\Public\Desktop\PMDG 747-400 FSX Load Manager.lnk
2013-06-18 12:15 - 2013-06-18 12:15 - 00000000 ____D C:\Users\Brad\Downloads\fsx_hawaiian_717-200
2013-06-15 06:25 - 2013-05-12 21:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-15 06:25 - 2013-05-12 21:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-15 06:25 - 2013-05-12 21:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-15 06:25 - 2013-05-12 21:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-15 06:25 - 2013-05-12 20:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-06-15 06:25 - 2013-05-12 20:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-06-15 06:25 - 2013-05-12 20:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-06-15 06:25 - 2013-05-12 19:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-15 06:25 - 2013-05-12 19:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2013-06-15 06:25 - 2013-05-12 19:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
2013-06-15 06:25 - 2013-05-09 21:49 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-15 06:25 - 2013-05-09 19:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll
2013-06-15 06:25 - 2013-05-07 22:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-15 06:25 - 2013-04-25 21:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-15 06:25 - 2013-04-25 20:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-06-15 06:25 - 2013-04-25 15:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
2013-06-15 06:25 - 2013-04-16 23:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2013-06-15 06:25 - 2013-04-16 22:24 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-06-15 06:25 - 2013-03-31 14:52 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2013-06-15 06:22 - 2013-06-08 06:08 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-15 06:22 - 2013-06-08 06:07 - 19233792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-15 06:22 - 2013-06-08 06:06 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-15 06:22 - 2013-06-08 06:06 - 02648064 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-15 06:22 - 2013-06-08 06:06 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-15 06:22 - 2013-06-08 04:28 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-15 06:22 - 2013-06-08 03:42 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-15 06:22 - 2013-06-08 03:40 - 14327808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-15 06:22 - 2013-06-08 03:40 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-15 06:22 - 2013-06-08 03:40 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-15 06:22 - 2013-06-08 03:40 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-15 06:22 - 2013-06-08 03:13 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-15 06:22 - 2013-05-16 17:25 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-06-15 06:22 - 2013-05-16 17:25 - 01767936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-06-15 06:22 - 2013-05-16 17:25 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-06-15 06:22 - 2013-05-16 17:25 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-06-15 06:22 - 2013-05-16 17:25 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-06-15 06:22 - 2013-05-16 17:25 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-06-15 06:22 - 2013-05-16 17:25 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-06-15 06:22 - 2013-05-16 17:25 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-06-15 06:22 - 2013-05-16 16:59 - 02241024 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-15 06:22 - 2013-05-16 16:59 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-06-15 06:22 - 2013-05-16 16:58 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-15 06:22 - 2013-05-16 16:58 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-15 06:22 - 2013-05-16 16:58 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-15 06:22 - 2013-05-16 16:58 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-06-15 06:22 - 2013-05-16 16:58 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-06-15 06:22 - 2013-05-16 16:58 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-15 06:22 - 2013-05-16 16:58 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-06-15 06:22 - 2013-05-14 04:23 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-06-15 06:22 - 2013-05-14 00:40 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe

==================== One Month Modified Files and Folders =======

2013-07-10 18:39 - 2013-07-10 18:39 - 00000000 ____D C:\FRST
2013-07-10 18:34 - 2013-06-29 12:49 - 00000000 ____D C:\Users\Brad\Downloads\ProcessExplorer
2013-07-10 18:34 - 2013-01-31 09:56 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-07-10 18:34 - 2013-01-31 09:56 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-07-10 18:34 - 2013-01-12 09:27 - 00000000 ____D C:\Program Files (x86)\Ad-Aware Antivirus
2013-07-10 18:34 - 2013-01-12 07:54 - 00000000 ____D C:\ProgramData\Licenses
2013-07-10 18:34 - 2013-01-09 07:51 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-07-10 18:34 - 2013-01-07 06:35 - 00000000 ____D C:\ProgramData\FLEXnet
2013-07-10 18:34 - 2013-01-06 05:50 - 00000000 ____D C:\Windows\Minidump
2013-07-10 18:34 - 2013-01-04 19:11 - 00000000 ____D C:\users\Brad
2013-07-10 18:34 - 2012-12-28 12:39 - 00000000 ____D C:\ProgramData\NVIDIA
2013-07-10 18:34 - 2010-11-20 23:17 - 00000000 ____D C:\Program Files\Windows Journal
2013-07-10 18:34 - 2010-11-20 23:16 - 00000000 ____D C:\Windows\ShellNew
2013-07-10 18:34 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-07-10 18:34 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-07-10 17:19 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-07-10 13:27 - 2013-01-04 20:21 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-10 13:27 - 2012-12-28 11:54 - 01403219 ____A C:\Windows\WindowsUpdate.log
2013-07-10 13:23 - 2009-07-13 20:45 - 00021872 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-10 13:23 - 2009-07-13 20:45 - 00021872 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-10 13:20 - 2011-06-29 10:51 - 00036176 ____A C:\Windows\setupact.log
2013-07-10 13:20 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-07-10 09:53 - 2013-07-10 09:53 - 00003288 ____N C:\bootsqm.dat
2013-07-10 09:52 - 2013-07-10 09:52 - 00000000 __SHD C:\found.000
2013-07-10 09:43 - 2013-07-10 09:43 - 69730304 ____A C:\Windows\System32\config\software.bhv
2013-07-10 09:43 - 2013-07-10 09:43 - 20709376 ____A C:\Windows\System32\config\system.bhv
2013-07-10 09:43 - 2013-07-10 09:43 - 00262144 ____A C:\Windows\System32\config\security.bhv
2013-07-10 09:43 - 2013-07-10 09:43 - 00262144 ____A C:\Windows\System32\config\sam.bhv
2013-07-10 09:43 - 2013-07-10 09:43 - 00262144 ____A C:\Windows\System32\config\default.bhv
2013-07-10 08:38 - 2013-07-10 08:38 - 00000000 ___AD C:\$Anvi Rescue Disk$
2013-07-10 08:12 - 2009-07-13 21:08 - 00032614 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-07-10 08:08 - 2013-07-10 08:08 - 01097640 ____A C:\Users\Brad\AppData\Local\2433f433
2013-07-10 08:08 - 2013-07-10 08:08 - 01097637 ____A C:\ProgramData\2433f433
2013-07-10 08:08 - 2013-07-10 08:08 - 01097615 ____A C:\Users\Brad\AppData\Roaming\2433f433
2013-07-10 08:04 - 2013-07-10 08:04 - 00000000 ____D C:\Users\Brad\Downloads\kecp_photoreal_update
2013-07-10 08:04 - 2013-07-10 08:03 - 00000000 ____D C:\Users\Brad\Downloads\kecp_northwest_florida_beaches_intl_panama_city
2013-07-09 19:35 - 2013-01-04 21:06 - 00000000 ____D C:\Users\Brad\Documents\Flight Simulator X Files
2013-07-09 19:18 - 2013-06-20 18:01 - 00084088 ____A C:\AEMODULE.LOG
2013-07-09 11:51 - 2013-07-09 11:51 - 00067775 ____A C:\Users\Brad\Desktop\fsx.cfg
2013-07-08 09:32 - 2013-07-08 09:32 - 00006274 ____A C:\Users\Brad\Documents\Unilever - Covington.xls
2013-07-07 17:45 - 2013-01-13 09:56 - 00000221 ____A C:\Windows\AISmooth.INI
2013-07-07 17:01 - 2013-01-20 07:17 - 00000000 ____D C:\Users\Brad\Desktop\aismv120
2013-07-02 06:51 - 2013-07-02 06:51 - 00187359 ____A C:\Users\Brad\Documents\zep pa first load.xps
2013-07-01 19:26 - 2013-07-01 19:26 - 00565248 ____A (Mise Technology,Inc) C:\Users\Brad\AppData\Roaming\mckqup.dll
2013-07-01 19:26 - 2013-07-01 19:26 - 00417792 ____A (DIA Corporation) C:\Users\Brad\AppData\Roaming\ruidop.dll
2013-07-01 19:25 - 2013-07-01 19:25 - 00000012 ____A C:\Windows\sruna.log
2013-07-01 18:48 - 2013-07-01 18:48 - 00293784 ____A C:\Windows\Minidump\070113-12230-01.dmp
2013-07-01 18:48 - 2013-01-06 05:50 - 1326581077 ____A C:\Windows\MEMORY.DMP
2013-06-30 05:55 - 2013-06-30 05:55 - 00293768 ____A C:\Windows\Minidump\063013-6598-01.dmp
2013-06-29 06:38 - 2013-06-29 06:38 - 00000000 ____D C:\Users\Brad\Downloads\ualx145
2013-06-29 04:11 - 2013-06-29 04:11 - 00000000 ____D C:\Users\Brad\Downloads\EMBserie_for_MSFS
2013-06-28 19:50 - 2009-07-13 21:13 - 00743982 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-27 04:13 - 2010-11-20 19:47 - 00021604 ____A C:\Windows\PFRO.log
2013-06-26 19:39 - 2013-01-05 07:47 - 00000000 ____D C:\Users\Brad\AppData\Roaming\BitTorrent
2013-06-26 18:35 - 2013-06-26 18:35 - 00000000 ____D C:\Users\Brad\Documents\Aerosoft
2013-06-25 12:12 - 2013-01-05 16:30 - 00000000 ____D C:\ProgramData\Esellerate
2013-06-24 08:56 - 2013-06-24 08:56 - 00000856 ____A C:\Users\Public\Desktop\FDC Live Cockpit.lnk
2013-06-24 08:56 - 2013-01-19 19:34 - 00000000 ____D C:\Program Files (x86)\Aerosoft
2013-06-24 08:56 - 2012-12-28 11:56 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2013-06-24 08:40 - 2013-06-24 08:40 - 00000000 ____D C:\Users\Brad\AppData\Roaming\InstallShield
2013-06-24 08:38 - 2013-06-24 08:38 - 00000000 ____D C:\Users\Brad\Downloads\AS_FDCX
2013-06-24 07:53 - 2013-01-26 05:32 - 00003919 ____A C:\Program Files (x86)\INSTALL.LOG
2013-06-23 07:00 - 2013-06-23 07:00 - 00293752 ____A C:\Windows\Minidump\062313-6598-01.dmp
2013-06-23 04:53 - 2013-06-23 04:53 - 00000197 ____A C:\Users\Brad\FlightBeam_Washington Dulles Intl - HD.reg
2013-06-22 05:00 - 2013-06-22 05:00 - 00003148 ____A C:\Windows\System32\Tasks\{57C36066-1997-408A-8E30-8DBF1DE9C9F1}
2013-06-22 04:59 - 2013-06-22 04:59 - 03536847 ____A () C:\Users\Brad\Downloads\SKYDC-9_51_FSX_DAL_Setup.exe
2013-06-21 04:13 - 2009-07-13 20:45 - 00439904 ____A C:\Windows\System32\FNTCACHE.DAT
2013-06-20 17:49 - 2013-06-20 17:49 - 00000000 ____D C:\Users\Brad\AppData\Local\Flight1 Software
2013-06-20 17:47 - 2013-06-20 17:47 - 00000877 ____A C:\Users\Public\Desktop\Audio Environment Configuration Manager.lnk
2013-06-20 17:47 - 2013-06-20 17:47 - 00000858 ____A C:\Users\Public\Desktop\Third Party Aircraft Sound Installer.lnk
2013-06-20 17:46 - 2013-06-20 17:46 - 00000000 ____D C:\Users\Brad\Downloads\FSX - Flight1 - TSS - Audio Environment - Airliner Edition V1.2
2013-06-20 15:38 - 2013-06-20 12:49 - 574635825 ____A C:\Users\Brad\Downloads\FSX - Flight1 - TSS - Audio Environment - Airliner Edition V1.2.rar
2013-06-20 08:46 - 2013-01-04 19:11 - 00118752 ____A C:\Users\Brad\AppData\Local\GDIPFONTCACHEV1.DAT
2013-06-20 07:26 - 2013-06-20 07:26 - 00000000 ____D C:\ProgramData\CaptainSim
2013-06-20 07:25 - 2013-06-20 07:25 - 00000000 ____D C:\Users\Brad\Downloads\CS777
2013-06-19 07:57 - 2013-06-19 07:57 - 00003992 ____A C:\Users\Brad\Downloads\cls_b763_panel_retrofit.zip
2013-06-19 05:24 - 2013-06-19 05:17 - 00001059 ____A C:\Users\Public\Desktop\PMDG 747-400 FSX Load Manager.lnk
2013-06-18 15:43 - 2013-05-19 05:35 - 00000000 ____D C:\Users\Brad\Documents\Wilco CRJ
2013-06-18 15:43 - 2013-01-12 07:57 - 00000000 ____D C:\Users\Brad\AppData\Roaming\Virtuali
2013-06-18 12:15 - 2013-06-18 12:15 - 00000000 ____D C:\Users\Brad\Downloads\fsx_hawaiian_717-200
2013-06-15 23:41 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-06-15 06:27 - 2013-01-04 20:21 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-06-15 06:27 - 2013-01-04 20:21 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-06-15 06:27 - 2013-01-04 20:21 - 00003768 ____A C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-06-15 06:18 - 2013-01-04 20:21 - 00000000 ____D C:\Windows\System32\Macromed
2013-06-15 06:17 - 2013-01-04 20:21 - 00000000 ____D C:\Windows\SysWOW64\Macromed

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2302057715-2896670223-2431684762-1002\$0040424851a523cef18c0a9fb7c7e5dd

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$0040424851a523cef18c0a9fb7c7e5dd

Files to move or delete:
====================
C:\Users\Brad\AppData\Roaming\skype.dat

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-06-28 19:49:37
Restore point made on: 2013-06-29 09:55:40
Restore point made on: 2013-06-30 17:08:47
Restore point made on: 2013-07-07 15:00:09
Restore point made on: 2013-07-10 10:24:49

==================== Memory info ===========================

Percentage of memory in use: 7%
Total physical RAM: 16338.94 MB
Available physical RAM: 15122.32 MB
Total Pagefile: 16337.14 MB
Available Pagefile: 15141.07 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:119.14 GB) (Free:38.34 GB) NTFS (Disk=0 Partition=2)
Drive d: () (Fixed) (Total:698.63 GB) (Free:385.03 GB) NTFS (Disk=1 Partition=1)
Drive e: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS (Disk=2 Partition=1) ==>[system with boot components (obtained from reading drive)]
Drive g: () (Fixed) (Total:698.54 GB) (Free:136.81 GB) NTFS (Disk=2 Partition=2)
Drive h: (GRMCHPXFRER_EN_DVD) (CDROM) (Total:3 GB) (Free:0 GB) UDF
Drive j: (Transcend) (Removable) (Total:1.87 GB) (Free:1.87 GB) FAT32 (Disk=4 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 119 GB) (Disk ID: A936AE3D)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=119 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 699 GB) (Disk ID: A9A6A9A6)
Partition 1: (Active) - (Size=699 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 699 GB) (Disk ID: 77A5E191)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=699 GB) - (Type=07 NTFS)

========================================================
Disk: 4 (Size: 2 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=2 GB) - (Type=0B)

LastRegBack: 2013-07-07 08:27

==================== End Of Log ============================

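FRST has already marked the entries it considers suspicious with ATTENTION. As an added example (not part of this post and not FRST's own code), the Python script below parses lines from the Registry section of the log above and applies three defender-side checks that match what the log shows: a Winlogon Shell that is no longer explorer.exe, a Command Processor AutoRun value, and Run entries that launch from AppData or Temp or use a non-executable extension. The sample lines are copied from the log above; the rules and thresholds are my own assumptions for illustration, not FRST's whitelisting logic.

```python
"""Triage of FRST 'Registry (Whitelisted)' autorun lines (added example, not FRST code)."""
import ntpath
import re

# Sample input: lines copied from the FRST log posted above.
SAMPLE_LINES = [
    r'HKLM\...\Run: [Cmaudio8788] - C:\Windows\syswow64\RunDll32.exe C:\Windows\Syswow64\cmicnfgp.dll,CMICtrlWnd [8769536 2011-05-12] (C-Media Corporation)',
    r'HKLM\...\Run: [mckqup] - "C:\Windows\System32\rundll32.exe" "C:\Users\Brad\AppData\Roaming\mckqup.dll",ReleaseLock [565248 2013-07-01] (Mise Technology,Inc)',
    r'HKLM\...\Run: [ruidop] - "C:\Windows\System32\rundll32.exe" "C:\Users\Brad\AppData\Roaming\ruidop.dll",Instance_NewRaw [417792 2013-07-01] (DIA Corporation)',
    r'HKLM\...\Winlogon: [userinit] C:\Windows\system32\userinit.exe',
    r'HKLM-x32\...\Run: [Adobe ARM] - "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)',
    r'HKU\Brad\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Brad\AppData\Local\Temp\rbxbceegmxwsnlajebd.bfg [54272 2013-07-10] (NVIDIA Corporation) <===== ATTENTION',
    r'HKU\Brad\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION',
    r'HKU\Brad\...\Command Processor: "C:\Users\Brad\AppData\Local\Temp\rbxbceegmxwsnlajebd.bfg" <===== ATTENTION!',
]

# Line layout: <hive>\...\<key>: [<name>] - <command> [<size> <date>] (<publisher>) <== ATTENTION
LINE_RE = re.compile(r'^(?P<hive>.+?)\\\.\.\.\\(?P<key>[^:]+): (?P<rest>.*)$')
NAME_RE = re.compile(r'^\[(?P<name>[^\]]+)\]\s*(?:-\s*)?(?P<cmd>.*)$')
ATTENTION_RE = re.compile(r'\s*<=+\s*ATTENTION!?\s*$')
PUBLISHER_RE = re.compile(r'\s*\([^()]*\)\s*$')                      # trailing "(Publisher)" or "()"
SIZEDATE_RE = re.compile(r'\s*\[(?:\d+ \d{4}-\d{2}-\d{2}|x)\]\s*$')  # trailing "[size date]" or "[x]"
TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')                            # quoted path or bare token

# Assumed rule data: places a standard user can write to, and extensions a loader normally runs.
USER_WRITABLE_RE = re.compile(r'\\(?:AppData|Temp|\$Recycle\.Bin)\\', re.IGNORECASE)
EXEC_EXTS = {'.exe', '.dll', '.cpl', '.scr', '.com', '.bat', '.cmd', '.vbs', '.js', '.ocx'}
EXPECTED_USERINIT = r'c:\windows\system32\userinit.exe'


def parse_line(line):
    """Split one FRST registry line into hive, key, value name, command and FRST's own flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group('rest')
    flagged = bool(ATTENTION_RE.search(rest))
    rest = SIZEDATE_RE.sub('', PUBLISHER_RE.sub('', ATTENTION_RE.sub('', rest)))
    nm = NAME_RE.match(rest)
    name, cmd = (nm.group('name'), nm.group('cmd')) if nm else ('', rest)
    return {'hive': m.group('hive'), 'key': m.group('key'), 'name': name,
            'cmd': cmd.strip(), 'frst_flagged': flagged}


def command_paths(cmd):
    """Return the file paths a command line references (quoted, or unquoted without spaces)."""
    paths = []
    for quoted, bare in TOKEN_RE.findall(cmd):
        tok = quoted or bare
        if '.dll' in tok.lower():
            tok = tok.split(',')[0]          # rundll32 "x.dll,ExportName" syntax
        if '\\' in tok:
            paths.append(tok)
    return paths


def reasons_for(entry):
    """Apply the triage rules to one parsed entry; an empty list means it looks normal."""
    key, name, cmd = entry['key'], entry['name'].lower(), entry['cmd']
    reasons = []
    if entry['frst_flagged']:
        reasons.append('FRST marked this entry ATTENTION')
    if key == 'Winlogon':
        value = cmd.lower().rstrip(',').strip('"')
        if name == 'shell' and value != 'explorer.exe':
            reasons.append(f'Winlogon Shell replaced (expected explorer.exe): {cmd}')
        elif name == 'userinit' and value != EXPECTED_USERINIT:
            reasons.append(f'Winlogon Userinit changed: {cmd}')
    elif key == 'Command Processor':
        reasons.append('Command Processor AutoRun set: runs on every cmd.exe start')
    else:  # Run / RunOnce style entries
        for path in command_paths(cmd):
            if USER_WRITABLE_RE.search(path):
                reasons.append(f'launched from user-writable location: {path}')
            ext = ntpath.splitext(path)[1].lower()
            if ext and ext not in EXEC_EXTS:
                reasons.append(f'non-executable extension launched: {ext}')
    return reasons


def triage(lines):
    """Parse every line and return only the entries that trip at least one rule."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            findings.append({**entry, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f"{f['hive']}\\...\\{f['key']} [{f['name']}] {f['cmd']}")
        for r in f['reasons']:
            print('    - ' + r)
```

On the sample lines the script reports the two rundll32 entries loading DLLs from AppData\Roaming, the .bfg file in Temp, the cmd.exe Winlogon shell and the Command Processor value, and stays quiet on the C-Media, Adobe and userinit entries.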


Hello brad1014 and welcome! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

I'm afraid I have bad news.

One or more of the identified infections is a rootkit. Rootkits are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

I suggest you disconnect this computer from the Internet immediately after you finish reading this post.

If you do any banking or other financial transactions on the computer, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted.

Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System.

Visit the following sites for more information on Internet theft and when to reformat!

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you have any questions before making a final decision, please feel free to ask.

Instructions on how to format and reinstall Windows can be found here.

