Jump to content

Moneypack and no safe mode access


Recommended Posts

I am trying to repair this malware on my cousin's Toshiba Satelitte L645-S4102 laptop running Windows 7 Home Edition, not sure if it is 32 or 64 bit, probably 64?  No malware protection and I don't even think she has had virus protection for a while (they switched from Comcast to AT&T as an internet provider recently and didn't install new antivirus protection - it comes free with both ISPs).  There was a flash dialog on windows startup with something to do with Sun Java, which I later saw in the scans as a location of one of the malware.

 

There was a ransomware window (FBI) with Moneypak.  I downloaded Malwarebytes in safe mode with networking, then did hitman pro and msisoft emergency kit scans.  That seemed to work but after a couple of reboots the offending moneypak was back.

 

I did a Kaspersky disc and removed what appeared to be the offending malware along with others.  I then tried rkill (which shows as a location for one malware during scans - maybe because it is quarantined there?) and something else and another malwarebytes scan, with files being deleted/quarantined at each step.

 

However, when booting again I got a different ransomware, this one was United States Courts insteadd of FBI and it locked Windows totally, and also is blocking safe mode and safe mode with networking.  Safe Mode repair seems to be working.

 

So it has all gone from bad to worse.  My cousin has her wedding photos on this computer so she really wants to save it!

 

I copied FRST to a jump drive and otlpenet.exe to my desktop in preparation for using this forum help, but the otlpenet.exe gives me a message of "can't load config info" when I double click on it.  I have imgburn on my desktop and it worked well doing an iso on Kaspersky.

 

Can you help?

 

Thanks!

 

Donna MacDonald

 

 

Link to post
Share on other sites

Welcome to the forum, here's how we deal with that malware:

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Plug the flash drive into the infected PC.

  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account an click Next.
    Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
      • Startup Repair

        System Restore

        Windows Complete PC Restore

        Windows Memory Diagnostic Tool

        Command Prompt

        Select Command Prompt

        Once in the Command Prompt:

    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter

      Note: Replace letter e with the drive letter of your flash drive.

    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
MrC
Link to post
Share on other sites

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-07-2013
Ran by SYSTEM on 14-07-2013 15:12:23
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [] -  [x]
HKLM\...\Run: [cAudioFilterAgent] - C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [520760 2010-03-10] (Conexant Systems, Inc.)
HKLM\...\Run: [smartAudio] - C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2010-04-28] ()
HKLM\...\Run: [synTPEnh] - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a\n. ATTENTION! ====> ZeroAccess
HKLM-x32\...\Run: [TWebCamera] - "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2454840 2010-02-24] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [APSDaemon] - "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)
HKLM-x32\...\Run: [selectRebates] - C:\Program Files (x86)\SelectRebates\SelectRebates.exe [886752 2010-11-01] ()
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [QuickTime Task] - "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-24] (Apple Inc.)
HKLM-x32\...\Run: [AVG_UI] - "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [4408368 2013-04-28] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [sDTray] - "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [3830224 2013-05-16] (Safer-Networking Ltd.)
HKU\Erika\...\Run: [Facebook Update] - "C:\Users\Erika\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-12] (Facebook Inc.)
HKU\Erika\...\Run: [HP Deskjet 3510 series (NET)] - "C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN2CE1PKRT05R7:NW" -scfn "HP Deskjet 3510 series (NET)" -AutoStart 1 [2552168 2012-05-08] (Hewlett-Packard Co.)
HKU\Erika\...\Run: [Apple Computer] - rundll32 "C:\Users\Erika\AppData\Local\Google\Apple Computer\keec.dll",DllRegisterServer [x] <===== ATTENTION
HKU\Erika\...\Run: [Macromedia] - Regsvr32.exe C:\Users\Erika\AppData\Local\Macromedia\yelvzamr.dll [475136 2013-07-10] (Microsoft Corporation) <===== ATTENTION
HKU\Erika\...\Run: [CfgMainLite24] - rundll32.exe "C:\Users\Erika\AppData\Roaming\CfgMainLite24\CfgMainLite24.dll",isaDrvSnap CatDBCrtClass [33280 2013-07-11] () <===== ATTENTION
HKU\Erika\...\Run: [internet Security] - C:\Users\Erika\AppData\Roaming\midefender.exe [839680 2013-07-13] (MindFusion Limited)
HKU\Erika\...\Winlogon: [shell] explorer.exe,C:\Users\Erika\AppData\Roaming\skype.dat [110592 2010-03-23] (Crystal Software Lab.) <==== ATTENTION
AppInit_DLLs-x32: c:\progra~3\browse~1\261339~1.144\{c16c1~1\browse~1.dll [110592 2010-03-23] ()
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Erika\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 1000 J110 series.lnk
ShortcutTarget: Monitor Ink Alerts - HP Deskjet 1000 J110 series.lnk -> C:\Program Files\HP\HP Deskjet 1000 J110 series\bin\HPStatusBL.dll (Hewlett-Packard Co.)

==================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4937264 2013-05-13] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-04-18] (AVG Technologies CZ, s.r.o.)
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe [126904 2010-07-22] (Symantec Corporation)
S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1817560 2013-05-16] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1033688 2013-05-16] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2013-05-15] (Safer-Networking Ltd.)
S2 Updater By SweetPacks; C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe [188760 2013-05-16] ()
S2 WajamUpdater; C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe [109064 2013-05-02] (Wajam)
S2 AdobeFlashPlayerUpdateSvc; C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 BrowserProtect; C:\ProgramData\BrowserProtect\2.6.1339.144\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe [x]

==================== Drivers (Whitelisted) ====================

S1 A2DDA; C:\EEK\RUN\a2ddax64.sys [26176 2013-07-12] (Emsisoft GmbH)
S1 A2DDA; C:\EEK\RUN\a2ddax64.sys [26176 2013-07-12] (Emsisoft GmbH)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-03-28] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-02-08] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206136 2013-02-08] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311096 2013-02-08] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-02-08] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-02-08] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2013-03-20] (AVG Technologies CZ, s.r.o.)
S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20100810.004\BHDrvx64.sys [945200 2010-08-08] (Symantec Corporation)
S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20100810.004\BHDrvx64.sys [945200 2010-08-08] (Symantec Corporation)
S3 cleanhlp; C:\EEK\Run\cleanhlp64.sys [57032 2013-07-12] (Emsisoft GmbH)
S3 cleanhlp; C:\EEK\Run\cleanhlp64.sys [57032 2013-07-12] (Emsisoft GmbH)
S3 hitmanpro37; C:\windows\system32\drivers\hitmanpro37.sys [32000 2013-07-13] ()
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20100706.002\IDSVia64.sys [463408 2010-06-26] (Symantec Corporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20100706.002\IDSVia64.sys [463408 2010-06-26] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20100813.009\ENG64.SYS [117808 2010-08-13] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20100813.009\ENG64.SYS [117808 2010-08-13] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20100813.009\EX64.SYS [1791536 2010-08-13] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20100813.009\EX64.SYS [1791536 2010-08-13] (Symantec Corporation)
S3 SRTSP; C:\Windows\system32\drivers\NISx64\1201000.025\SRTSP64.SYS [715824 2010-07-28] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NISx64\1201000.025\SRTSPX64.SYS [40496 2010-07-28] (Symantec Corporation)
S0 SymDS; C:\Windows\System32\drivers\NISx64\1201000.025\SYMDS64.SYS [450096 2010-06-13] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\NISx64\1201000.025\SYMEFA64.SYS [821808 2010-07-28] (Symantec Corporation)
S3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [174640 2010-12-24] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\NISx64\1201000.025\Ironx64.SYS [168496 2010-06-26] (Symantec Corporation)
S1 SymNetS; C:\Windows\system32\drivers\NISx64\1201000.025\SYMNETS.SYS [381488 2010-07-12] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-07-14 15:12 - 2013-07-14 15:12 - 00000000 ____D C:\FRST
2013-07-13 16:58 - 2013-07-13 16:58 - 00839680 _____ (MindFusion Limited) C:\Users\Erika\AppData\Roaming\midefender.exe
2013-07-13 16:58 - 2013-07-13 16:58 - 00110592 _____ (Crystal Software Lab.) C:\Users\Erika\conhost.exe
2013-07-13 16:58 - 2013-07-13 16:58 - 00079661 _____ C:\Users\Erika\acrobat.exe
2013-07-13 16:58 - 2013-07-13 16:58 - 00000000 _____ C:\Users\Erika\windowsupdate.exe
2013-07-13 16:58 - 2013-07-13 16:58 - 00000000 _____ C:\Users\Erika\notepad.exe
2013-07-13 10:49 - 2013-07-14 10:48 - 00000004 _____ C:\Users\Erika\AppData\Roaming\skype.ini
2013-07-13 10:44 - 2013-07-13 16:58 - 00000804 _____ C:\Users\Erika\Desktop\Internet Security Pro.lnk
2013-07-13 10:44 - 2013-07-13 10:44 - 00845312 _____ (MindFusion Limited) C:\Users\Erika\AppData\Roaming\virus.exe
2013-07-13 10:44 - 2013-07-13 10:44 - 00140288 _____ C:\Users\Erika\googleupdate.exe
2013-07-13 10:44 - 2013-07-13 10:44 - 00110592 _____ (Crystal Software Lab.) C:\Users\Erika\ctfmon.exe
2013-07-13 10:44 - 2013-07-13 10:44 - 00000000 _____ C:\Users\Erika\rundll32.exe
2013-07-13 10:44 - 2013-07-13 10:44 - 00000000 _____ C:\Users\Erika\mstsc.exe
2013-07-13 10:34 - 2013-07-13 10:34 - 00000557 _____ C:\Users\Erika\Desktop\Emsisoft Emergency Kit.lnk
2013-07-13 10:33 - 2013-07-13 10:34 - 00000000 ____D C:\EEK
2013-07-13 10:33 - 2013-07-13 10:33 - 179696520 _____ C:\Users\Erika\Downloads\EmsisoftEmergencyKit.exe
2013-07-13 10:23 - 2013-07-13 10:23 - 00032000 _____ C:\Windows\System32\Drivers\hitmanpro37.sys
2013-07-13 10:21 - 2013-07-13 10:21 - 00001872 _____ C:\Windows\System32\.crusader
2013-07-13 10:17 - 2013-07-13 10:17 - 00001904 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2013-07-13 10:17 - 2013-07-13 10:17 - 00000000 ____D C:\Program Files\HitmanPro
2013-07-13 10:16 - 2013-07-13 10:22 - 00000000 ____D C:\ProgramData\HitmanPro
2013-07-13 10:15 - 2013-07-13 10:15 - 09833328 _____ (SurfRight B.V.) C:\Users\Erika\Desktop\HitmanPro_x64.exe
2013-07-13 08:56 - 2013-07-13 10:07 - 00036500 _____ C:\Users\Erika\Desktop\avgrep.txt
2013-07-13 08:18 - 2013-07-13 08:23 - 00003044 _____ C:\Users\Erika\Desktop\Rkill.txt
2013-07-13 08:18 - 2013-07-13 08:18 - 00000000 ____D C:\Users\Erika\Desktop\rkill
2013-07-13 07:56 - 2013-07-13 07:56 - 00110592 _____ (Crystal Software Lab.) C:\Users\Erika\opera.exe
2013-07-13 07:56 - 2013-07-13 07:56 - 00000000 _____ C:\Users\Erika\skype.exe
2013-07-13 07:38 - 2013-07-13 07:38 - 00140288 _____ C:\Users\Erika\icq.exe
2013-07-12 21:00 - 2013-07-12 21:00 - 00140288 _____ C:\Users\Erika\msconfig.exe
2013-07-12 21:00 - 2013-07-12 21:00 - 00110592 _____ (Crystal Software Lab.) C:\Users\Erika\flashplayer.exe
2013-07-12 21:00 - 2013-07-12 21:00 - 00000000 _____ C:\Users\Erika\alg.exe
2013-07-12 20:06 - 2013-07-12 20:12 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-07-12 20:06 - 2013-07-12 20:09 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-07-12 20:06 - 2013-07-12 20:06 - 00001390 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2013-07-12 20:06 - 2013-07-12 20:06 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2013-07-12 20:06 - 2009-01-25 09:14 - 00017272 _____ (Safer Networking Limited) C:\Windows\System32\sdnclean64.exe
2013-07-12 20:02 - 2013-07-12 20:02 - 00000000 ____D C:\Users\Erika\AppData\Roaming\AVG2013
2013-07-12 20:01 - 2013-07-12 20:01 - 00000976 _____ C:\Users\Public\Desktop\AVG 2013.lnk
2013-07-12 20:01 - 2013-07-12 20:01 - 00000000 ____D C:\Users\Erika\AppData\Roaming\TuneUp Software
2013-07-12 20:00 - 2013-07-12 20:02 - 00000000 ____D C:\ProgramData\AVG2013
2013-07-12 20:00 - 2013-07-12 20:00 - 00000000 ___HD C:\$AVG
2013-07-12 19:59 - 2013-07-12 19:59 - 00000000 ____D C:\Program Files (x86)\AVG
2013-07-12 19:55 - 2013-07-14 10:25 - 00000000 ____D C:\ProgramData\MFAData
2013-07-12 19:55 - 2013-07-13 08:56 - 00000000 ____D C:\Users\Erika\AppData\Local\Avg2013
2013-07-12 19:55 - 2013-07-12 19:55 - 00000000 ____D C:\Users\Erika\AppData\Local\MFAData
2013-07-12 19:17 - 2013-07-12 19:17 - 00000000 ____D C:\Users\Erika\AppData\Roaming\Malwarebytes
2013-07-12 19:16 - 2013-07-12 19:16 - 00001120 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-07-12 19:16 - 2013-07-12 19:16 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-07-12 19:16 - 2013-07-12 19:16 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-07-12 19:16 - 2013-04-04 10:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-07-12 14:15 - 2013-07-12 14:15 - 00003432 _____ C:\Windows\System32\Tasks\BrowserProtect
2013-07-11 07:02 - 2013-07-11 07:02 - 00000000 ____D C:\Users\Erika\AppData\Roaming\CfgMainLite24
2013-07-10 07:01 - 2013-07-10 16:17 - 00000000 ____D C:\Users\Erika\AppData\Local\Macromedia
2013-07-10 05:13 - 2013-07-13 10:21 - 00000000 ____D C:\Program Files (x86)\LessTabs
2013-07-10 05:13 - 2013-07-10 05:13 - 04953944 _____ (FLVMPlayer                                                  ) C:\Users\Erika\Desktop\FLVMPlayer.exe
2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Windows\SysWOW64\WNLT
2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Windows\SysWOW64\jmdp
2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Windows\SysWOW64\ARFC
2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Program Files\Updater By SweetPacks
2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Program Files (x86)\SweetIM
2013-07-10 05:13 - 2013-05-27 00:58 - 01447728 _____ C:\Windows\System32\dmwu.exe
2013-07-10 05:13 - 2013-05-27 00:57 - 00033792 _____ (IncrediMail, Ltd.) C:\Windows\System32\ImHttpComm.dll
2013-07-10 05:13 - 2013-02-04 23:25 - 00829264 _____ (Microsoft Corporation) C:\Windows\System32\msvcr100.dll
2013-07-10 05:13 - 2013-02-04 23:25 - 00608080 _____ (Microsoft Corporation) C:\Windows\System32\msvcp100.dll
2013-06-17 05:30 - 2013-06-17 05:37 - 08787875 _____ C:\Users\Erika\Documents\Offer-16844.zip
2013-06-16 17:21 - 2013-06-16 17:21 - 00002283 _____ C:\Users\Public\Desktop\HP Deskjet 1000 J110 series.lnk
2013-06-16 17:21 - 2013-06-16 17:21 - 00001205 _____ C:\Users\Public\Desktop\Shop for Supplies - HP Deskjet 1000 J110 series.lnk
2013-06-16 17:19 - 2013-06-16 17:21 - 17629400 _____ C:\Users\Erika\Desktop\DJ1000_J110_Basicx64_1313.exe
2013-06-15 15:02 - 2013-06-15 15:02 - 00003440 _____ C:\Windows\System32\Tasks\AdobeFlashPlayerUpdate
2013-06-15 15:02 - 2013-06-15 15:02 - 00003180 _____ C:\Windows\System32\Tasks\AdobeFlashPlayerUpdate 2
2013-06-15 15:01 - 2013-06-15 15:01 - 00000000 ____D C:\Users\Erika\AppData\Roaming\File Scout

==================== One Month Modified Files and Folders =======

2013-07-14 15:12 - 2013-07-14 15:12 - 00000000 ____D C:\FRST
2013-07-14 11:04 - 2011-05-13 19:31 - 00000892 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-14 11:04 - 2011-04-05 20:59 - 00060078 _____ C:\Windows\setupact.log
2013-07-14 11:04 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-14 10:48 - 2013-07-13 10:49 - 00000004 _____ C:\Users\Erika\AppData\Roaming\skype.ini
2013-07-14 10:30 - 2013-05-08 13:03 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-14 10:27 - 2009-07-13 20:45 - 00015568 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-14 10:27 - 2009-07-13 20:45 - 00015568 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-14 10:25 - 2013-07-12 19:55 - 00000000 ____D C:\ProgramData\MFAData
2013-07-14 10:25 - 2009-07-13 21:13 - 00006386 _____ C:\Windows\System32\PerfStringBackup.INI
2013-07-14 10:22 - 2011-05-13 19:31 - 00000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-14 10:22 - 2011-04-05 21:20 - 00232022 _____ C:\Windows\WindowsUpdate.log
2013-07-13 16:58 - 2013-07-13 16:58 - 00839680 _____ (MindFusion Limited) C:\Users\Erika\AppData\Roaming\midefender.exe
2013-07-13 16:58 - 2013-07-13 16:58 - 00110592 _____ (Crystal Software Lab.) C:\Users\Erika\conhost.exe
2013-07-13 16:58 - 2013-07-13 16:58 - 00079661 _____ C:\Users\Erika\acrobat.exe
2013-07-13 16:58 - 2013-07-13 16:58 - 00000000 _____ C:\Users\Erika\windowsupdate.exe
2013-07-13 16:58 - 2013-07-13 16:58 - 00000000 _____ C:\Users\Erika\notepad.exe
2013-07-13 16:58 - 2013-07-13 10:44 - 00000804 _____ C:\Users\Erika\Desktop\Internet Security Pro.lnk
2013-07-13 16:58 - 2011-04-02 17:52 - 00000000 ____D C:\users\Erika
2013-07-13 10:44 - 2013-07-13 10:44 - 00845312 _____ (MindFusion Limited) C:\Users\Erika\AppData\Roaming\virus.exe
2013-07-13 10:44 - 2013-07-13 10:44 - 00140288 _____ C:\Users\Erika\googleupdate.exe
2013-07-13 10:44 - 2013-07-13 10:44 - 00110592 _____ (Crystal Software Lab.) C:\Users\Erika\ctfmon.exe
2013-07-13 10:44 - 2013-07-13 10:44 - 00000000 _____ C:\Users\Erika\rundll32.exe
2013-07-13 10:44 - 2013-07-13 10:44 - 00000000 _____ C:\Users\Erika\mstsc.exe
2013-07-13 10:34 - 2013-07-13 10:34 - 00000557 _____ C:\Users\Erika\Desktop\Emsisoft Emergency Kit.lnk
2013-07-13 10:34 - 2013-07-13 10:33 - 00000000 ____D C:\EEK
2013-07-13 10:33 - 2013-07-13 10:33 - 179696520 _____ C:\Users\Erika\Downloads\EmsisoftEmergencyKit.exe
2013-07-13 10:23 - 2013-07-13 10:23 - 00032000 _____ C:\Windows\System32\Drivers\hitmanpro37.sys
2013-07-13 10:22 - 2013-07-13 10:16 - 00000000 ____D C:\ProgramData\HitmanPro
2013-07-13 10:21 - 2013-07-13 10:21 - 00001872 _____ C:\Windows\System32\.crusader
2013-07-13 10:21 - 2013-07-10 05:13 - 00000000 ____D C:\Program Files (x86)\LessTabs
2013-07-13 10:17 - 2013-07-13 10:17 - 00001904 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2013-07-13 10:17 - 2013-07-13 10:17 - 00000000 ____D C:\Program Files\HitmanPro
2013-07-13 10:15 - 2013-07-13 10:15 - 09833328 _____ (SurfRight B.V.) C:\Users\Erika\Desktop\HitmanPro_x64.exe
2013-07-13 10:07 - 2013-07-13 08:56 - 00036500 _____ C:\Users\Erika\Desktop\avgrep.txt
2013-07-13 08:56 - 2013-07-12 19:55 - 00000000 ____D C:\Users\Erika\AppData\Local\Avg2013
2013-07-13 08:54 - 2011-05-14 04:55 - 00024018 _____ C:\Windows\PFRO.log
2013-07-13 08:23 - 2013-07-13 08:18 - 00003044 _____ C:\Users\Erika\Desktop\Rkill.txt
2013-07-13 08:18 - 2013-07-13 08:18 - 00000000 ____D C:\Users\Erika\Desktop\rkill
2013-07-13 07:56 - 2013-07-13 07:56 - 00110592 _____ (Crystal Software Lab.) C:\Users\Erika\opera.exe
2013-07-13 07:56 - 2013-07-13 07:56 - 00000000 _____ C:\Users\Erika\skype.exe
2013-07-13 07:38 - 2013-07-13 07:38 - 00140288 _____ C:\Users\Erika\icq.exe
2013-07-12 21:27 - 2011-04-09 08:17 - 00000000 ____D C:\Users\Erika\AppData\Local\CrashDumps
2013-07-12 21:16 - 2012-04-06 16:24 - 00000928 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2653264943-2767222869-872802475-1001UA.job
2013-07-12 21:00 - 2013-07-12 21:00 - 00140288 _____ C:\Users\Erika\msconfig.exe
2013-07-12 21:00 - 2013-07-12 21:00 - 00110592 _____ (Crystal Software Lab.) C:\Users\Erika\flashplayer.exe
2013-07-12 21:00 - 2013-07-12 21:00 - 00000000 _____ C:\Users\Erika\alg.exe
2013-07-12 20:12 - 2013-07-12 20:06 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-07-12 20:09 - 2013-07-12 20:06 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-07-12 20:06 - 2013-07-12 20:06 - 00001390 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2013-07-12 20:06 - 2013-07-12 20:06 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2013-07-12 20:02 - 2013-07-12 20:02 - 00000000 ____D C:\Users\Erika\AppData\Roaming\AVG2013
2013-07-12 20:02 - 2013-07-12 20:00 - 00000000 ____D C:\ProgramData\AVG2013
2013-07-12 20:01 - 2013-07-12 20:01 - 00000976 _____ C:\Users\Public\Desktop\AVG 2013.lnk
2013-07-12 20:01 - 2013-07-12 20:01 - 00000000 ____D C:\Users\Erika\AppData\Roaming\TuneUp Software
2013-07-12 20:00 - 2013-07-12 20:00 - 00000000 ___HD C:\$AVG
2013-07-12 19:59 - 2013-07-12 19:59 - 00000000 ____D C:\Program Files (x86)\AVG
2013-07-12 19:55 - 2013-07-12 19:55 - 00000000 ____D C:\Users\Erika\AppData\Local\MFAData
2013-07-12 19:53 - 2013-05-24 18:37 - 00000000 ____D C:\Program Files (x86)\LyricsFan
2013-07-12 19:53 - 2011-04-05 22:37 - 00000000 ____D C:\Users\Erika\AppData\Roaming\SoftGrid Client
2013-07-12 19:17 - 2013-07-12 19:17 - 00000000 ____D C:\Users\Erika\AppData\Roaming\Malwarebytes
2013-07-12 19:17 - 2011-05-13 19:31 - 00003892 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-07-12 19:17 - 2011-05-13 19:31 - 00003640 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-07-12 19:16 - 2013-07-12 19:16 - 00001120 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-07-12 19:16 - 2013-07-12 19:16 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-07-12 19:16 - 2013-07-12 19:16 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-07-12 19:08 - 2009-07-13 21:08 - 00032632 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-07-12 14:15 - 2013-07-12 14:15 - 00003432 _____ C:\Windows\System32\Tasks\BrowserProtect
2013-07-11 17:13 - 2012-04-06 16:24 - 00000906 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2653264943-2767222869-872802475-1001Core.job
2013-07-11 07:02 - 2013-07-11 07:02 - 00000000 ____D C:\Users\Erika\AppData\Roaming\CfgMainLite24
2013-07-10 16:17 - 2013-07-10 07:01 - 00000000 ____D C:\Users\Erika\AppData\Local\Macromedia
2013-07-10 07:01 - 2011-04-02 14:56 - 00000000 ____D C:\Users\Erika\AppData\Local\Google
2013-07-10 05:13 - 2013-07-10 05:13 - 04953944 _____ (FLVMPlayer                                                  ) C:\Users\Erika\Desktop\FLVMPlayer.exe
2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Windows\SysWOW64\WNLT
2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Windows\SysWOW64\jmdp
2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Windows\SysWOW64\ARFC
2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Program Files\Updater By SweetPacks
2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Program Files (x86)\SweetIM
2013-07-09 15:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-06-17 05:37 - 2013-06-17 05:30 - 08787875 _____ C:\Users\Erika\Documents\Offer-16844.zip
2013-06-16 17:22 - 2013-04-15 19:17 - 00000000 ____D C:\Users\Erika\AppData\Local\HP
2013-06-16 17:21 - 2013-06-16 17:21 - 00002283 _____ C:\Users\Public\Desktop\HP Deskjet 1000 J110 series.lnk
2013-06-16 17:21 - 2013-06-16 17:21 - 00001205 _____ C:\Users\Public\Desktop\Shop for Supplies - HP Deskjet 1000 J110 series.lnk
2013-06-16 17:21 - 2013-06-16 17:19 - 17629400 _____ C:\Users\Erika\Desktop\DJ1000_J110_Basicx64_1313.exe
2013-06-16 17:21 - 2013-04-15 19:21 - 00000000 ____D C:\ProgramData\HP
2013-06-16 17:21 - 2013-04-15 19:21 - 00000000 ____D C:\Program Files (x86)\HP
2013-06-16 17:21 - 2013-04-15 19:18 - 00000000 ____D C:\Program Files\HP
2013-06-15 15:02 - 2013-06-15 15:02 - 00003440 _____ C:\Windows\System32\Tasks\AdobeFlashPlayerUpdate
2013-06-15 15:02 - 2013-06-15 15:02 - 00003180 _____ C:\Windows\System32\Tasks\AdobeFlashPlayerUpdate 2
2013-06-15 15:01 - 2013-06-15 15:01 - 00000000 ____D C:\Users\Erika\AppData\Roaming\File Scout

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a
C:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a\@
C:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a\L
C:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a\U

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a
C:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a\@
C:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a\L
C:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a\U

Files to move or delete:
====================
C:\Users\Erika\acrobat.exe
C:\Users\Erika\alg.exe
C:\Users\Erika\conhost.exe
C:\Users\Erika\ctfmon.exe
C:\Users\Erika\flashplayer.exe
C:\Users\Erika\googleupdate.exe
C:\Users\Erika\icq.exe
C:\Users\Erika\msconfig.exe
C:\Users\Erika\mstsc.exe
C:\Users\Erika\notepad.exe
C:\Users\Erika\opera.exe
C:\Users\Erika\rundll32.exe
C:\Users\Erika\skype.exe
C:\Users\Erika\windowsupdate.exe
C:\Users\Erika\AppData\Roaming\skype.dat
C:\Users\Erika\AppData\Roaming\skype.ini

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-05-08 15:54:01
Restore point made on: 2013-05-16 08:58:39
Restore point made on: 2013-05-24 07:43:51
Restore point made on: 2013-05-24 18:38:36
Restore point made on: 2013-05-25 05:10:59
Restore point made on: 2013-06-01 07:33:18
Restore point made on: 2013-06-16 15:10:52
Restore point made on: 2013-06-26 14:15:10
Restore point made on: 2013-07-09 18:08:58
Restore point made on: 2013-07-12 19:59:43
Restore point made on: 2013-07-12 20:00:11

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 3893.86 MB
Available physical RAM: 3352.68 MB
Total Pagefile: 3892.01 MB
Available Pagefile: 3345.46 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: (TI106033W0C) (Fixed) (Total:452.58 GB) (Free:402.69 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]
Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.03 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)]
Drive f: () (Removable) (Total:7.45 GB) (Free:6.97 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: 38A39E6A)
Partition 1: (Active) - (Size=1 GB) - (Type=27)
Partition 2: (Not Active) - (Size=453 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=12 GB) - (Type=17)

========================================================
Disk: 1 (Size: 7 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)


LastRegBack: 2013-07-09 14:17

==================== End Of Log ============================

Link to post
Share on other sites

Please read the following information first.

 

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan also.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

OK, here you go......this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now and if so..........

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

Link to post
Share on other sites

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-07-2013
Ran by SYSTEM at 2013-07-14 16:12:00 Run:1
Running from F:\
Boot Mode: Recovery
==============================================

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKU\Erika\Software\Microsoft\Windows\CurrentVersion\Run\\Apple Computer => Value deleted successfully.
HKU\Erika\Software\Microsoft\Windows\CurrentVersion\Run\\Macromedia => Value deleted successfully.
HKU\Erika\Software\Microsoft\Windows\CurrentVersion\Run\\CfgMainLite24 => Value deleted successfully.
HKU\Erika\Software\Microsoft\Windows\CurrentVersion\Run\\Internet Security => Value deleted successfully.
HKU\Erika\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
C:\Users\Erika\AppData\Roaming\midefender.exe  => Moved successfully.
"C:\Users\Erika\AppData\Local\Google\Apple Computer\keec.dll" => File/Directory not found.
C:\Users\Erika\AppData\Local\Macromedia\yelvzamr.dll  => Moved successfully.
C:\Users\Erika\AppData\Roaming\CfgMainLite24\CfgMainLite24.dll => Moved successfully.
C:\Users\Erika\acrobat.exe => Moved successfully.
C:\Users\Erika\alg.exe => Moved successfully.
C:\Users\Erika\conhost.exe => Moved successfully.
C:\Users\Erika\ctfmon.exe => Moved successfully.
C:\Users\Erika\flashplayer.exe => Moved successfully.
C:\Users\Erika\googleupdate.exe => Moved successfully.
C:\Users\Erika\icq.exe => Moved successfully.
C:\Users\Erika\msconfig.exe => Moved successfully.
C:\Users\Erika\mstsc.exe => Moved successfully.
C:\Users\Erika\notepad.exe => Moved successfully.
C:\Users\Erika\opera.exe => Moved successfully.
C:\Users\Erika\rundll32.exe => Moved successfully.
C:\Users\Erika\skype.exe => Moved successfully.
C:\Users\Erika\windowsupdate.exe => Moved successfully.
C:\Users\Erika\AppData\Roaming\skype.dat => Moved successfully.
C:\Users\Erika\AppData\Roaming\skype.ini => Moved successfully.
C:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a => Moved successfully.
"C:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a" => File/Directory not found.

==== End of Fixlog ====

Link to post
Share on other sites

Okay the first scan showed some files and all was clear on the second scan, the logs are attached.

 

Is there anything else I should do?  Any additional scans?

 

I plan to remove all the files she wants to keep, hopefully none of those will be infected!

mbar-log-2013-07-14 (16-20-21).txt

mbar-log-2013-07-14 (16-39-31).txt

system-log.txt

Link to post
Share on other sites

Hmmmm......I am seeing a Internet Security Pro short cut on the desktop.....isn't that related to the FBI ransomware and shouldn't it have been removed?

It's not related to it but it should be removed.

------------------------------------

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

 

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

Looks Good, but there's a lot of adware showing in the log.

Please download AdwCleaner from here and save it on your Desktop.

  • Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  • Click on Delete button.
  • Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

    Then......

    thisisujrt.gif Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

    MrC

Link to post
Share on other sites

Please download Farbar Recovery Scan Tool and save it to a folder. (64bit version)

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
MrC
Link to post
Share on other sites

Running FRST as outlined should have deleted it, but the fixlog doesn't show anything.

 

Download the attached fixlist.txt to the same folder as FRST.

Run FRST and click Fix only once and wait

The tool will create a log (Fixlog.txt) please post it to your reply.

If you can manually delete the shortcut, please do.

I was under the impression that you couldn't delete it.

If not use FRST.

 

Then.......

 

Lets check your computers security before you go and we have a little cleanup to do also:

 

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC
Link to post
Share on other sites

No the last fix did not delete it so I manually deleted it.  When Windows shut down at one point, 130 updates were installed.

 

Here is the Security Check results:

 

 Results of screen317's Security Check version 0.99.69 
 Windows 7  x64 (UAC is enabled) 
 Out of date service pack!!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
AVG AntiVirus Free Edition 2013  
Norton Internet Security         
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java 6 Update 17 
 Java version out of Date!
 Adobe Flash Player 11.7.700.224 
 Adobe Reader 9 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
 Spybot Teatimer.exe is disabled!
 AVG avgwdsvc.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````
 

Link to post
Share on other sites

Out dated programs on the system are vulnerable to malware.
Please update or uninstall them:


-------------------------------------------------

Java™ 6 Update 17 <---please uninstall from add/remove programs
Java version out of Date! <-------Download and install the latest version from Here
Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

---------------------------------------------------

Adobe Reader 9 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

If you used DeFogger to disable your CD Emulation drivers, please re-enable them.

-------------------------------

Please download OTC to your desktop.
http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Link to post
Share on other sites

Thank you SO much for the wonderful and easy to follow help!  I've always been able to handle malware/virus issues on my own, but this one stumped me.  It is wonderful that this exists to help people in a nonprofit manner....so civilized and caring!  With all the negative things that go on in the world, this is one thing that shines!  Thanks MrC!

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.