DMacDonald Posted July 14, 2013 ID:702707 Share Posted July 14, 2013 I am trying to repair this malware on my cousin's Toshiba Satelitte L645-S4102 laptop running Windows 7 Home Edition, not sure if it is 32 or 64 bit, probably 64? No malware protection and I don't even think she has had virus protection for a while (they switched from Comcast to AT&T as an internet provider recently and didn't install new antivirus protection - it comes free with both ISPs). There was a flash dialog on windows startup with something to do with Sun Java, which I later saw in the scans as a location of one of the malware. There was a ransomware window (FBI) with Moneypak. I downloaded Malwarebytes in safe mode with networking, then did hitman pro and msisoft emergency kit scans. That seemed to work but after a couple of reboots the offending moneypak was back. I did a Kaspersky disc and removed what appeared to be the offending malware along with others. I then tried rkill (which shows as a location for one malware during scans - maybe because it is quarantined there?) and something else and another malwarebytes scan, with files being deleted/quarantined at each step. However, when booting again I got a different ransomware, this one was United States Courts insteadd of FBI and it locked Windows totally, and also is blocking safe mode and safe mode with networking. Safe Mode repair seems to be working. So it has all gone from bad to worse. My cousin has her wedding photos on this computer so she really wants to save it! I copied FRST to a jump drive and otlpenet.exe to my desktop in preparation for using this forum help, but the otlpenet.exe gives me a message of "can't load config info" when I double click on it. I have imgburn on my desktop and it worked well doing an iso on Kaspersky. Can you help? Thanks! Donna MacDonald Link to post Share on other sites More sharing options...
MrCharlie Posted July 14, 2013 ID:702720 Share Posted July 14, 2013 Welcome to the forum, here's how we deal with that malware:Please download Farbar Recovery Scan Tool and save it to a flash drive. Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. Plug the flash drive into the infected PC.If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt. If you are using Vista or Windows 7 enter System Recovery Options. To enter System Recovery Options from the Advanced Boot Options:Restart the computer.As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.Use the arrow keys to select the Repair your computer menu item.Select US as the keyboard language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account an click Next.Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used. To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html To enter System Recovery Options by using Windows installation disc:Insert the installation disc.Restart your computer.If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.Click Repair your computer.Select US as the keyboard language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account and click Next.On the System Recovery Options menu you will get the following options:Startup Repair System Restore Windows Complete PC Restore Windows Memory Diagnostic Tool Command Prompt Select Command Prompt Once in the Command Prompt:In the command window type in notepad and press Enter.The notepad opens. Under File menu select Open.Select "Computer" and find your flash drive letter and close the notepad.In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter Note: Replace letter e with the drive letter of your flash drive.The tool will start to run.When the tool opens click Yes to disclaimer.Press Scan button.It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.MrC Link to post Share on other sites More sharing options...
DMacDonald Posted July 14, 2013 Author ID:702730 Share Posted July 14, 2013 Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-07-2013Ran by SYSTEM on 14-07-2013 15:12:23Running from F:\Windows 7 Home Premium (X64) OS Language: English(US)Internet Explorer Version 8Boot Mode: RecoveryThe current controlset is ControlSet001ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.==================== Registry (Whitelisted) ==================HKLM\...\Run: [] - [x]HKLM\...\Run: [cAudioFilterAgent] - C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [520760 2010-03-10] (Conexant Systems, Inc.)HKLM\...\Run: [smartAudio] - C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2010-04-28] ()HKLM\...\Run: [synTPEnh] - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a\n. ATTENTION! ====> ZeroAccessHKLM-x32\...\Run: [TWebCamera] - "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2454840 2010-02-24] (TOSHIBA CORPORATION.)HKLM-x32\...\Run: [APSDaemon] - "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)HKLM-x32\...\Run: [selectRebates] - C:\Program Files (x86)\SelectRebates\SelectRebates.exe [886752 2010-11-01] ()HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)HKLM-x32\...\Run: [] - [x]HKLM-x32\...\Run: [QuickTime Task] - "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-24] (Apple Inc.)HKLM-x32\...\Run: [AVG_UI] - "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [4408368 2013-04-28] (AVG Technologies CZ, s.r.o.)HKLM-x32\...\Run: [sDTray] - "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [3830224 2013-05-16] (Safer-Networking Ltd.)HKU\Erika\...\Run: [Facebook Update] - "C:\Users\Erika\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-12] (Facebook Inc.)HKU\Erika\...\Run: [HP Deskjet 3510 series (NET)] - "C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN2CE1PKRT05R7:NW" -scfn "HP Deskjet 3510 series (NET)" -AutoStart 1 [2552168 2012-05-08] (Hewlett-Packard Co.)HKU\Erika\...\Run: [Apple Computer] - rundll32 "C:\Users\Erika\AppData\Local\Google\Apple Computer\keec.dll",DllRegisterServer [x] <===== ATTENTIONHKU\Erika\...\Run: [Macromedia] - Regsvr32.exe C:\Users\Erika\AppData\Local\Macromedia\yelvzamr.dll [475136 2013-07-10] (Microsoft Corporation) <===== ATTENTIONHKU\Erika\...\Run: [CfgMainLite24] - rundll32.exe "C:\Users\Erika\AppData\Roaming\CfgMainLite24\CfgMainLite24.dll",isaDrvSnap CatDBCrtClass [33280 2013-07-11] () <===== ATTENTIONHKU\Erika\...\Run: [internet Security] - C:\Users\Erika\AppData\Roaming\midefender.exe [839680 2013-07-13] (MindFusion Limited)HKU\Erika\...\Winlogon: [shell] explorer.exe,C:\Users\Erika\AppData\Roaming\skype.dat [110592 2010-03-23] (Crystal Software Lab.) <==== ATTENTIONAppInit_DLLs-x32: c:\progra~3\browse~1\261339~1.144\{c16c1~1\browse~1.dll [110592 2010-03-23] ()Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnkShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnkShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)Startup: C:\Users\Erika\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 1000 J110 series.lnkShortcutTarget: Monitor Ink Alerts - HP Deskjet 1000 J110 series.lnk -> C:\Program Files\HP\HP Deskjet 1000 J110 series\bin\HPStatusBL.dll (Hewlett-Packard Co.)==================== Services (Whitelisted) =================S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4937264 2013-05-13] (AVG Technologies CZ, s.r.o.)S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-04-18] (AVG Technologies CZ, s.r.o.)S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe [126904 2010-07-22] (Symantec Corporation)S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1817560 2013-05-16] (Safer-Networking Ltd.)S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1033688 2013-05-16] (Safer-Networking Ltd.)S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2013-05-15] (Safer-Networking Ltd.)S2 Updater By SweetPacks; C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe [188760 2013-05-16] ()S2 WajamUpdater; C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe [109064 2013-05-02] (Wajam)S2 AdobeFlashPlayerUpdateSvc; C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [x]S2 BrowserProtect; C:\ProgramData\BrowserProtect\2.6.1339.144\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe [x]==================== Drivers (Whitelisted) ====================S1 A2DDA; C:\EEK\RUN\a2ddax64.sys [26176 2013-07-12] (Emsisoft GmbH)S1 A2DDA; C:\EEK\RUN\a2ddax64.sys [26176 2013-07-12] (Emsisoft GmbH)S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-03-28] (AVG Technologies CZ, s.r.o.)S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-02-08] (AVG Technologies CZ, s.r.o.)S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206136 2013-02-08] (AVG Technologies CZ, s.r.o.)S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311096 2013-02-08] (AVG Technologies CZ, s.r.o.)S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-02-08] (AVG Technologies CZ, s.r.o.)S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-02-08] (AVG Technologies CZ, s.r.o.)S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2013-03-20] (AVG Technologies CZ, s.r.o.)S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20100810.004\BHDrvx64.sys [945200 2010-08-08] (Symantec Corporation)S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20100810.004\BHDrvx64.sys [945200 2010-08-08] (Symantec Corporation)S3 cleanhlp; C:\EEK\Run\cleanhlp64.sys [57032 2013-07-12] (Emsisoft GmbH)S3 cleanhlp; C:\EEK\Run\cleanhlp64.sys [57032 2013-07-12] (Emsisoft GmbH)S3 hitmanpro37; C:\windows\system32\drivers\hitmanpro37.sys [32000 2013-07-13] ()S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20100706.002\IDSVia64.sys [463408 2010-06-26] (Symantec Corporation)S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20100706.002\IDSVia64.sys [463408 2010-06-26] (Symantec Corporation)S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20100813.009\ENG64.SYS [117808 2010-08-13] (Symantec Corporation)S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20100813.009\ENG64.SYS [117808 2010-08-13] (Symantec Corporation)S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20100813.009\EX64.SYS [1791536 2010-08-13] (Symantec Corporation)S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20100813.009\EX64.SYS [1791536 2010-08-13] (Symantec Corporation)S3 SRTSP; C:\Windows\system32\drivers\NISx64\1201000.025\SRTSP64.SYS [715824 2010-07-28] (Symantec Corporation)S1 SRTSPX; C:\Windows\system32\drivers\NISx64\1201000.025\SRTSPX64.SYS [40496 2010-07-28] (Symantec Corporation)S0 SymDS; C:\Windows\System32\drivers\NISx64\1201000.025\SYMDS64.SYS [450096 2010-06-13] (Symantec Corporation)S0 SymEFA; C:\Windows\System32\drivers\NISx64\1201000.025\SYMEFA64.SYS [821808 2010-07-28] (Symantec Corporation)S3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [174640 2010-12-24] (Symantec Corporation)S1 SymIRON; C:\Windows\system32\drivers\NISx64\1201000.025\Ironx64.SYS [168496 2010-06-26] (Symantec Corporation)S1 SymNetS; C:\Windows\system32\drivers\NISx64\1201000.025\SYMNETS.SYS [381488 2010-07-12] (Symantec Corporation)==================== NetSvcs (Whitelisted) ======================================= One Month Created Files and Folders ========2013-07-14 15:12 - 2013-07-14 15:12 - 00000000 ____D C:\FRST2013-07-13 16:58 - 2013-07-13 16:58 - 00839680 _____ (MindFusion Limited) C:\Users\Erika\AppData\Roaming\midefender.exe2013-07-13 16:58 - 2013-07-13 16:58 - 00110592 _____ (Crystal Software Lab.) C:\Users\Erika\conhost.exe2013-07-13 16:58 - 2013-07-13 16:58 - 00079661 _____ C:\Users\Erika\acrobat.exe2013-07-13 16:58 - 2013-07-13 16:58 - 00000000 _____ C:\Users\Erika\windowsupdate.exe2013-07-13 16:58 - 2013-07-13 16:58 - 00000000 _____ C:\Users\Erika\notepad.exe2013-07-13 10:49 - 2013-07-14 10:48 - 00000004 _____ C:\Users\Erika\AppData\Roaming\skype.ini2013-07-13 10:44 - 2013-07-13 16:58 - 00000804 _____ C:\Users\Erika\Desktop\Internet Security Pro.lnk2013-07-13 10:44 - 2013-07-13 10:44 - 00845312 _____ (MindFusion Limited) C:\Users\Erika\AppData\Roaming\virus.exe2013-07-13 10:44 - 2013-07-13 10:44 - 00140288 _____ C:\Users\Erika\googleupdate.exe2013-07-13 10:44 - 2013-07-13 10:44 - 00110592 _____ (Crystal Software Lab.) C:\Users\Erika\ctfmon.exe2013-07-13 10:44 - 2013-07-13 10:44 - 00000000 _____ C:\Users\Erika\rundll32.exe2013-07-13 10:44 - 2013-07-13 10:44 - 00000000 _____ C:\Users\Erika\mstsc.exe2013-07-13 10:34 - 2013-07-13 10:34 - 00000557 _____ C:\Users\Erika\Desktop\Emsisoft Emergency Kit.lnk2013-07-13 10:33 - 2013-07-13 10:34 - 00000000 ____D C:\EEK2013-07-13 10:33 - 2013-07-13 10:33 - 179696520 _____ C:\Users\Erika\Downloads\EmsisoftEmergencyKit.exe2013-07-13 10:23 - 2013-07-13 10:23 - 00032000 _____ C:\Windows\System32\Drivers\hitmanpro37.sys2013-07-13 10:21 - 2013-07-13 10:21 - 00001872 _____ C:\Windows\System32\.crusader2013-07-13 10:17 - 2013-07-13 10:17 - 00001904 _____ C:\Users\Public\Desktop\HitmanPro.lnk2013-07-13 10:17 - 2013-07-13 10:17 - 00000000 ____D C:\Program Files\HitmanPro2013-07-13 10:16 - 2013-07-13 10:22 - 00000000 ____D C:\ProgramData\HitmanPro2013-07-13 10:15 - 2013-07-13 10:15 - 09833328 _____ (SurfRight B.V.) C:\Users\Erika\Desktop\HitmanPro_x64.exe2013-07-13 08:56 - 2013-07-13 10:07 - 00036500 _____ C:\Users\Erika\Desktop\avgrep.txt2013-07-13 08:18 - 2013-07-13 08:23 - 00003044 _____ C:\Users\Erika\Desktop\Rkill.txt2013-07-13 08:18 - 2013-07-13 08:18 - 00000000 ____D C:\Users\Erika\Desktop\rkill2013-07-13 07:56 - 2013-07-13 07:56 - 00110592 _____ (Crystal Software Lab.) C:\Users\Erika\opera.exe2013-07-13 07:56 - 2013-07-13 07:56 - 00000000 _____ C:\Users\Erika\skype.exe2013-07-13 07:38 - 2013-07-13 07:38 - 00140288 _____ C:\Users\Erika\icq.exe2013-07-12 21:00 - 2013-07-12 21:00 - 00140288 _____ C:\Users\Erika\msconfig.exe2013-07-12 21:00 - 2013-07-12 21:00 - 00110592 _____ (Crystal Software Lab.) C:\Users\Erika\flashplayer.exe2013-07-12 21:00 - 2013-07-12 21:00 - 00000000 _____ C:\Users\Erika\alg.exe2013-07-12 20:06 - 2013-07-12 20:12 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 22013-07-12 20:06 - 2013-07-12 20:09 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy2013-07-12 20:06 - 2013-07-12 20:06 - 00001390 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk2013-07-12 20:06 - 2013-07-12 20:06 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking2013-07-12 20:06 - 2009-01-25 09:14 - 00017272 _____ (Safer Networking Limited) C:\Windows\System32\sdnclean64.exe2013-07-12 20:02 - 2013-07-12 20:02 - 00000000 ____D C:\Users\Erika\AppData\Roaming\AVG20132013-07-12 20:01 - 2013-07-12 20:01 - 00000976 _____ C:\Users\Public\Desktop\AVG 2013.lnk2013-07-12 20:01 - 2013-07-12 20:01 - 00000000 ____D C:\Users\Erika\AppData\Roaming\TuneUp Software2013-07-12 20:00 - 2013-07-12 20:02 - 00000000 ____D C:\ProgramData\AVG20132013-07-12 20:00 - 2013-07-12 20:00 - 00000000 ___HD C:\$AVG2013-07-12 19:59 - 2013-07-12 19:59 - 00000000 ____D C:\Program Files (x86)\AVG2013-07-12 19:55 - 2013-07-14 10:25 - 00000000 ____D C:\ProgramData\MFAData2013-07-12 19:55 - 2013-07-13 08:56 - 00000000 ____D C:\Users\Erika\AppData\Local\Avg20132013-07-12 19:55 - 2013-07-12 19:55 - 00000000 ____D C:\Users\Erika\AppData\Local\MFAData2013-07-12 19:17 - 2013-07-12 19:17 - 00000000 ____D C:\Users\Erika\AppData\Roaming\Malwarebytes2013-07-12 19:16 - 2013-07-12 19:16 - 00001120 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk2013-07-12 19:16 - 2013-07-12 19:16 - 00000000 ____D C:\ProgramData\Malwarebytes2013-07-12 19:16 - 2013-07-12 19:16 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware2013-07-12 19:16 - 2013-04-04 10:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys2013-07-12 14:15 - 2013-07-12 14:15 - 00003432 _____ C:\Windows\System32\Tasks\BrowserProtect2013-07-11 07:02 - 2013-07-11 07:02 - 00000000 ____D C:\Users\Erika\AppData\Roaming\CfgMainLite242013-07-10 07:01 - 2013-07-10 16:17 - 00000000 ____D C:\Users\Erika\AppData\Local\Macromedia2013-07-10 05:13 - 2013-07-13 10:21 - 00000000 ____D C:\Program Files (x86)\LessTabs2013-07-10 05:13 - 2013-07-10 05:13 - 04953944 _____ (FLVMPlayer ) C:\Users\Erika\Desktop\FLVMPlayer.exe2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Windows\SysWOW64\WNLT2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Windows\SysWOW64\jmdp2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Windows\SysWOW64\ARFC2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Program Files\Updater By SweetPacks2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Program Files (x86)\SweetIM2013-07-10 05:13 - 2013-05-27 00:58 - 01447728 _____ C:\Windows\System32\dmwu.exe2013-07-10 05:13 - 2013-05-27 00:57 - 00033792 _____ (IncrediMail, Ltd.) C:\Windows\System32\ImHttpComm.dll2013-07-10 05:13 - 2013-02-04 23:25 - 00829264 _____ (Microsoft Corporation) C:\Windows\System32\msvcr100.dll2013-07-10 05:13 - 2013-02-04 23:25 - 00608080 _____ (Microsoft Corporation) C:\Windows\System32\msvcp100.dll2013-06-17 05:30 - 2013-06-17 05:37 - 08787875 _____ C:\Users\Erika\Documents\Offer-16844.zip2013-06-16 17:21 - 2013-06-16 17:21 - 00002283 _____ C:\Users\Public\Desktop\HP Deskjet 1000 J110 series.lnk2013-06-16 17:21 - 2013-06-16 17:21 - 00001205 _____ C:\Users\Public\Desktop\Shop for Supplies - HP Deskjet 1000 J110 series.lnk2013-06-16 17:19 - 2013-06-16 17:21 - 17629400 _____ C:\Users\Erika\Desktop\DJ1000_J110_Basicx64_1313.exe2013-06-15 15:02 - 2013-06-15 15:02 - 00003440 _____ C:\Windows\System32\Tasks\AdobeFlashPlayerUpdate2013-06-15 15:02 - 2013-06-15 15:02 - 00003180 _____ C:\Windows\System32\Tasks\AdobeFlashPlayerUpdate 22013-06-15 15:01 - 2013-06-15 15:01 - 00000000 ____D C:\Users\Erika\AppData\Roaming\File Scout==================== One Month Modified Files and Folders =======2013-07-14 15:12 - 2013-07-14 15:12 - 00000000 ____D C:\FRST2013-07-14 11:04 - 2011-05-13 19:31 - 00000892 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job2013-07-14 11:04 - 2011-04-05 20:59 - 00060078 _____ C:\Windows\setupact.log2013-07-14 11:04 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT2013-07-14 10:48 - 2013-07-13 10:49 - 00000004 _____ C:\Users\Erika\AppData\Roaming\skype.ini2013-07-14 10:30 - 2013-05-08 13:03 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job2013-07-14 10:27 - 2009-07-13 20:45 - 00015568 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A02013-07-14 10:27 - 2009-07-13 20:45 - 00015568 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A02013-07-14 10:25 - 2013-07-12 19:55 - 00000000 ____D C:\ProgramData\MFAData2013-07-14 10:25 - 2009-07-13 21:13 - 00006386 _____ C:\Windows\System32\PerfStringBackup.INI2013-07-14 10:22 - 2011-05-13 19:31 - 00000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job2013-07-14 10:22 - 2011-04-05 21:20 - 00232022 _____ C:\Windows\WindowsUpdate.log2013-07-13 16:58 - 2013-07-13 16:58 - 00839680 _____ (MindFusion Limited) C:\Users\Erika\AppData\Roaming\midefender.exe2013-07-13 16:58 - 2013-07-13 16:58 - 00110592 _____ (Crystal Software Lab.) C:\Users\Erika\conhost.exe2013-07-13 16:58 - 2013-07-13 16:58 - 00079661 _____ C:\Users\Erika\acrobat.exe2013-07-13 16:58 - 2013-07-13 16:58 - 00000000 _____ C:\Users\Erika\windowsupdate.exe2013-07-13 16:58 - 2013-07-13 16:58 - 00000000 _____ C:\Users\Erika\notepad.exe2013-07-13 16:58 - 2013-07-13 10:44 - 00000804 _____ C:\Users\Erika\Desktop\Internet Security Pro.lnk2013-07-13 16:58 - 2011-04-02 17:52 - 00000000 ____D C:\users\Erika2013-07-13 10:44 - 2013-07-13 10:44 - 00845312 _____ (MindFusion Limited) C:\Users\Erika\AppData\Roaming\virus.exe2013-07-13 10:44 - 2013-07-13 10:44 - 00140288 _____ C:\Users\Erika\googleupdate.exe2013-07-13 10:44 - 2013-07-13 10:44 - 00110592 _____ (Crystal Software Lab.) C:\Users\Erika\ctfmon.exe2013-07-13 10:44 - 2013-07-13 10:44 - 00000000 _____ C:\Users\Erika\rundll32.exe2013-07-13 10:44 - 2013-07-13 10:44 - 00000000 _____ C:\Users\Erika\mstsc.exe2013-07-13 10:34 - 2013-07-13 10:34 - 00000557 _____ C:\Users\Erika\Desktop\Emsisoft Emergency Kit.lnk2013-07-13 10:34 - 2013-07-13 10:33 - 00000000 ____D C:\EEK2013-07-13 10:33 - 2013-07-13 10:33 - 179696520 _____ C:\Users\Erika\Downloads\EmsisoftEmergencyKit.exe2013-07-13 10:23 - 2013-07-13 10:23 - 00032000 _____ C:\Windows\System32\Drivers\hitmanpro37.sys2013-07-13 10:22 - 2013-07-13 10:16 - 00000000 ____D C:\ProgramData\HitmanPro2013-07-13 10:21 - 2013-07-13 10:21 - 00001872 _____ C:\Windows\System32\.crusader2013-07-13 10:21 - 2013-07-10 05:13 - 00000000 ____D C:\Program Files (x86)\LessTabs2013-07-13 10:17 - 2013-07-13 10:17 - 00001904 _____ C:\Users\Public\Desktop\HitmanPro.lnk2013-07-13 10:17 - 2013-07-13 10:17 - 00000000 ____D C:\Program Files\HitmanPro2013-07-13 10:15 - 2013-07-13 10:15 - 09833328 _____ (SurfRight B.V.) C:\Users\Erika\Desktop\HitmanPro_x64.exe2013-07-13 10:07 - 2013-07-13 08:56 - 00036500 _____ C:\Users\Erika\Desktop\avgrep.txt2013-07-13 08:56 - 2013-07-12 19:55 - 00000000 ____D C:\Users\Erika\AppData\Local\Avg20132013-07-13 08:54 - 2011-05-14 04:55 - 00024018 _____ C:\Windows\PFRO.log2013-07-13 08:23 - 2013-07-13 08:18 - 00003044 _____ C:\Users\Erika\Desktop\Rkill.txt2013-07-13 08:18 - 2013-07-13 08:18 - 00000000 ____D C:\Users\Erika\Desktop\rkill2013-07-13 07:56 - 2013-07-13 07:56 - 00110592 _____ (Crystal Software Lab.) C:\Users\Erika\opera.exe2013-07-13 07:56 - 2013-07-13 07:56 - 00000000 _____ C:\Users\Erika\skype.exe2013-07-13 07:38 - 2013-07-13 07:38 - 00140288 _____ C:\Users\Erika\icq.exe2013-07-12 21:27 - 2011-04-09 08:17 - 00000000 ____D C:\Users\Erika\AppData\Local\CrashDumps2013-07-12 21:16 - 2012-04-06 16:24 - 00000928 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2653264943-2767222869-872802475-1001UA.job2013-07-12 21:00 - 2013-07-12 21:00 - 00140288 _____ C:\Users\Erika\msconfig.exe2013-07-12 21:00 - 2013-07-12 21:00 - 00110592 _____ (Crystal Software Lab.) C:\Users\Erika\flashplayer.exe2013-07-12 21:00 - 2013-07-12 21:00 - 00000000 _____ C:\Users\Erika\alg.exe2013-07-12 20:12 - 2013-07-12 20:06 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 22013-07-12 20:09 - 2013-07-12 20:06 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy2013-07-12 20:06 - 2013-07-12 20:06 - 00001390 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk2013-07-12 20:06 - 2013-07-12 20:06 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking2013-07-12 20:02 - 2013-07-12 20:02 - 00000000 ____D C:\Users\Erika\AppData\Roaming\AVG20132013-07-12 20:02 - 2013-07-12 20:00 - 00000000 ____D C:\ProgramData\AVG20132013-07-12 20:01 - 2013-07-12 20:01 - 00000976 _____ C:\Users\Public\Desktop\AVG 2013.lnk2013-07-12 20:01 - 2013-07-12 20:01 - 00000000 ____D C:\Users\Erika\AppData\Roaming\TuneUp Software2013-07-12 20:00 - 2013-07-12 20:00 - 00000000 ___HD C:\$AVG2013-07-12 19:59 - 2013-07-12 19:59 - 00000000 ____D C:\Program Files (x86)\AVG2013-07-12 19:55 - 2013-07-12 19:55 - 00000000 ____D C:\Users\Erika\AppData\Local\MFAData2013-07-12 19:53 - 2013-05-24 18:37 - 00000000 ____D C:\Program Files (x86)\LyricsFan2013-07-12 19:53 - 2011-04-05 22:37 - 00000000 ____D C:\Users\Erika\AppData\Roaming\SoftGrid Client2013-07-12 19:17 - 2013-07-12 19:17 - 00000000 ____D C:\Users\Erika\AppData\Roaming\Malwarebytes2013-07-12 19:17 - 2011-05-13 19:31 - 00003892 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA2013-07-12 19:17 - 2011-05-13 19:31 - 00003640 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore2013-07-12 19:16 - 2013-07-12 19:16 - 00001120 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk2013-07-12 19:16 - 2013-07-12 19:16 - 00000000 ____D C:\ProgramData\Malwarebytes2013-07-12 19:16 - 2013-07-12 19:16 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware2013-07-12 19:08 - 2009-07-13 21:08 - 00032632 _____ C:\Windows\Tasks\SCHEDLGU.TXT2013-07-12 14:15 - 2013-07-12 14:15 - 00003432 _____ C:\Windows\System32\Tasks\BrowserProtect2013-07-11 17:13 - 2012-04-06 16:24 - 00000906 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2653264943-2767222869-872802475-1001Core.job2013-07-11 07:02 - 2013-07-11 07:02 - 00000000 ____D C:\Users\Erika\AppData\Roaming\CfgMainLite242013-07-10 16:17 - 2013-07-10 07:01 - 00000000 ____D C:\Users\Erika\AppData\Local\Macromedia2013-07-10 07:01 - 2011-04-02 14:56 - 00000000 ____D C:\Users\Erika\AppData\Local\Google2013-07-10 05:13 - 2013-07-10 05:13 - 04953944 _____ (FLVMPlayer ) C:\Users\Erika\Desktop\FLVMPlayer.exe2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Windows\SysWOW64\WNLT2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Windows\SysWOW64\jmdp2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Windows\SysWOW64\ARFC2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Program Files\Updater By SweetPacks2013-07-10 05:13 - 2013-07-10 05:13 - 00000000 ____D C:\Program Files (x86)\SweetIM2013-07-09 15:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF2013-06-17 05:37 - 2013-06-17 05:30 - 08787875 _____ C:\Users\Erika\Documents\Offer-16844.zip2013-06-16 17:22 - 2013-04-15 19:17 - 00000000 ____D C:\Users\Erika\AppData\Local\HP2013-06-16 17:21 - 2013-06-16 17:21 - 00002283 _____ C:\Users\Public\Desktop\HP Deskjet 1000 J110 series.lnk2013-06-16 17:21 - 2013-06-16 17:21 - 00001205 _____ C:\Users\Public\Desktop\Shop for Supplies - HP Deskjet 1000 J110 series.lnk2013-06-16 17:21 - 2013-06-16 17:19 - 17629400 _____ C:\Users\Erika\Desktop\DJ1000_J110_Basicx64_1313.exe2013-06-16 17:21 - 2013-04-15 19:21 - 00000000 ____D C:\ProgramData\HP2013-06-16 17:21 - 2013-04-15 19:21 - 00000000 ____D C:\Program Files (x86)\HP2013-06-16 17:21 - 2013-04-15 19:18 - 00000000 ____D C:\Program Files\HP2013-06-15 15:02 - 2013-06-15 15:02 - 00003440 _____ C:\Windows\System32\Tasks\AdobeFlashPlayerUpdate2013-06-15 15:02 - 2013-06-15 15:02 - 00003180 _____ C:\Windows\System32\Tasks\AdobeFlashPlayerUpdate 22013-06-15 15:01 - 2013-06-15 15:01 - 00000000 ____D C:\Users\Erika\AppData\Roaming\File ScoutZeroAccess:C:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906aC:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a\@C:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a\LC:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a\UZeroAccess:C:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906aC:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a\@C:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a\LC:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a\UFiles to move or delete:====================C:\Users\Erika\acrobat.exeC:\Users\Erika\alg.exeC:\Users\Erika\conhost.exeC:\Users\Erika\ctfmon.exeC:\Users\Erika\flashplayer.exeC:\Users\Erika\googleupdate.exeC:\Users\Erika\icq.exeC:\Users\Erika\msconfig.exeC:\Users\Erika\mstsc.exeC:\Users\Erika\notepad.exeC:\Users\Erika\opera.exeC:\Users\Erika\rundll32.exeC:\Users\Erika\skype.exeC:\Users\Erika\windowsupdate.exeC:\Users\Erika\AppData\Roaming\skype.datC:\Users\Erika\AppData\Roaming\skype.ini==================== Known DLLs (Whitelisted) ==================================== Bamital & volsnap Check =================C:\Windows\System32\winlogon.exe => MD5 is legitC:\Windows\System32\wininit.exe => MD5 is legitC:\Windows\SysWOW64\wininit.exe => MD5 is legitC:\Windows\explorer.exe => MD5 is legitC:\Windows\SysWOW64\explorer.exe => MD5 is legitC:\Windows\System32\svchost.exe => MD5 is legitC:\Windows\SysWOW64\svchost.exe => MD5 is legitC:\Windows\System32\services.exe => MD5 is legitC:\Windows\System32\User32.dll => MD5 is legitC:\Windows\SysWOW64\User32.dll => MD5 is legitC:\Windows\System32\userinit.exe => MD5 is legitC:\Windows\SysWOW64\userinit.exe => MD5 is legitC:\Windows\System32\Drivers\volsnap.sys => MD5 is legit==================== EXE ASSOCIATION =====================HKLM\...\.exe: exefile => OKHKLM\...\exefile\DefaultIcon: %1 => OKHKLM\...\exefile\open\command: "%1" %* => OK==================== Restore Points =========================Restore point made on: 2013-05-08 15:54:01Restore point made on: 2013-05-16 08:58:39Restore point made on: 2013-05-24 07:43:51Restore point made on: 2013-05-24 18:38:36Restore point made on: 2013-05-25 05:10:59Restore point made on: 2013-06-01 07:33:18Restore point made on: 2013-06-16 15:10:52Restore point made on: 2013-06-26 14:15:10Restore point made on: 2013-07-09 18:08:58Restore point made on: 2013-07-12 19:59:43Restore point made on: 2013-07-12 20:00:11==================== Memory info ===========================Percentage of memory in use: 13%Total physical RAM: 3893.86 MBAvailable physical RAM: 3352.68 MBTotal Pagefile: 3892.01 MBAvailable Pagefile: 3345.46 MBTotal Virtual: 8192 MBAvailable Virtual: 8191.85 MB==================== Drives ================================Drive c: (TI106033W0C) (Fixed) (Total:452.58 GB) (Free:402.69 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.03 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)]Drive f: () (Removable) (Total:7.45 GB) (Free:6.97 GB) FAT32 (Disk=1 Partition=1)Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS==================== MBR & Partition Table ==========================================================================Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: 38A39E6A)Partition 1: (Active) - (Size=1 GB) - (Type=27)Partition 2: (Not Active) - (Size=453 GB) - (Type=07 NTFS)Partition 3: (Not Active) - (Size=12 GB) - (Type=17)========================================================Disk: 1 (Size: 7 GB) (Disk ID: 00000000)Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)LastRegBack: 2013-07-09 14:17==================== End Of Log ============================ Link to post Share on other sites More sharing options...
MrCharlie Posted July 14, 2013 ID:702745 Share Posted July 14, 2013 Please read the following information first. You're infected with Rootkit.ZeroAccess, a BackDoor Trojan also. BACKDOOR WARNING ------------------------------ One or more of the identified infections is known to use a backdoor. This allows hackers to remotely control your computer, steal critical system information and download and execute files. I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451 When Should I Format, How Should I Reinstall http://www.dslreports.com/faq/10063 I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps. ----------------------------------------- OK, here you go......this should get you going: Please download the attached fixlist.txt and copy it to your flashdrive. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system On Vista or Windows 7: Now please enter System Recovery Options. (as you did before) Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply. See if the computer boots normally now and if so.......... Download Malwarebytes Anti-Rootkit from HEREUnzip the contents to a folder in a convenient location.Open the folder where the contents were unzipped and run mbar.exeFollow the instructions in the wizard to update and allow the program to scan your computer for threats.Click on the Cleanup button to remove any threats and reboot if prompted to do so.Wait while the system shuts down and the cleanup process is performed.Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txtTo attach a log if needed: Bottom right corner of this page. New window that comes up. ~~~~~~~~~~~~~~~~~~~~~~~ Note: If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional: Internet access Windows Update Windows Firewall If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder. Just run fixdamage.exe. Verify that they are now functioning normally. MrC Link to post Share on other sites More sharing options...
DMacDonald Posted July 14, 2013 Author ID:702747 Share Posted July 14, 2013 Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-07-2013Ran by SYSTEM at 2013-07-14 16:12:00 Run:1Running from F:\Boot Mode: Recovery==============================================HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.HKU\Erika\Software\Microsoft\Windows\CurrentVersion\Run\\Apple Computer => Value deleted successfully.HKU\Erika\Software\Microsoft\Windows\CurrentVersion\Run\\Macromedia => Value deleted successfully.HKU\Erika\Software\Microsoft\Windows\CurrentVersion\Run\\CfgMainLite24 => Value deleted successfully.HKU\Erika\Software\Microsoft\Windows\CurrentVersion\Run\\Internet Security => Value deleted successfully.HKU\Erika\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.C:\Users\Erika\AppData\Roaming\midefender.exe => Moved successfully."C:\Users\Erika\AppData\Local\Google\Apple Computer\keec.dll" => File/Directory not found.C:\Users\Erika\AppData\Local\Macromedia\yelvzamr.dll => Moved successfully.C:\Users\Erika\AppData\Roaming\CfgMainLite24\CfgMainLite24.dll => Moved successfully.C:\Users\Erika\acrobat.exe => Moved successfully.C:\Users\Erika\alg.exe => Moved successfully.C:\Users\Erika\conhost.exe => Moved successfully.C:\Users\Erika\ctfmon.exe => Moved successfully.C:\Users\Erika\flashplayer.exe => Moved successfully.C:\Users\Erika\googleupdate.exe => Moved successfully.C:\Users\Erika\icq.exe => Moved successfully.C:\Users\Erika\msconfig.exe => Moved successfully.C:\Users\Erika\mstsc.exe => Moved successfully.C:\Users\Erika\notepad.exe => Moved successfully.C:\Users\Erika\opera.exe => Moved successfully.C:\Users\Erika\rundll32.exe => Moved successfully.C:\Users\Erika\skype.exe => Moved successfully.C:\Users\Erika\windowsupdate.exe => Moved successfully.C:\Users\Erika\AppData\Roaming\skype.dat => Moved successfully.C:\Users\Erika\AppData\Roaming\skype.ini => Moved successfully.C:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a => Moved successfully."C:\$Recycle.Bin\S-1-5-18\$d0d044e97abb0899018b0676cf8a906a" => File/Directory not found.==== End of Fixlog ==== Link to post Share on other sites More sharing options...
DMacDonald Posted July 14, 2013 Author ID:702750 Share Posted July 14, 2013 Working on the mbar scan now. I figure it is best to get it as cleaned up as possible then maybe remove all her files and do a fresh install of Win 7...but I'm sure she doesn't have the discs! Link to post Share on other sites More sharing options...
DMacDonald Posted July 14, 2013 Author ID:702755 Share Posted July 14, 2013 Okay the first scan showed some files and all was clear on the second scan, the logs are attached. Is there anything else I should do? Any additional scans? I plan to remove all the files she wants to keep, hopefully none of those will be infected!mbar-log-2013-07-14 (16-20-21).txtmbar-log-2013-07-14 (16-39-31).txtsystem-log.txt Link to post Share on other sites More sharing options...
DMacDonald Posted July 14, 2013 Author ID:702758 Share Posted July 14, 2013 Hmmmm......I am seeing a Internet Security Pro short cut on the desktop.....isn't that related to the FBI ransomware and shouldn't it have been removed? Link to post Share on other sites More sharing options...
MrCharlie Posted July 14, 2013 ID:702761 Share Posted July 14, 2013 Hmmmm......I am seeing a Internet Security Pro short cut on the desktop.....isn't that related to the FBI ransomware and shouldn't it have been removed? It's not related to it but it should be removed. ------------------------------------ Please download and run ComboFix. The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop. Please visit this webpage for download links, and instructions for running ComboFix http://www.bleepingcomputer.com/combofix/how-to-use-combofix Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Information on disabling your malware programs can be found Here. Make sure you run ComboFix from your desktop. Give it at least 30-45 minutes to finish if needed. Please include the C:\ComboFix.txt in your next reply for further review. ---------->NOTE<----------If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed. MrC Link to post Share on other sites More sharing options...
DMacDonald Posted July 14, 2013 Author ID:702766 Share Posted July 14, 2013 Here is the combofix.txt fileComboFix.txt Link to post Share on other sites More sharing options...
MrCharlie Posted July 14, 2013 ID:702768 Share Posted July 14, 2013 Looks Good, but there's a lot of adware showing in the log. Please download AdwCleaner from here and save it on your Desktop.Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.Click on Delete button.Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number. Then...... Please download Junkware Removal Tool to your desktop.Shut down your protection software now to avoid potential conflicts.Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.The tool will open and start scanning your system.Please be patient as this can take a while to complete depending on your system's specifications.On completion, a log (JRT.txt) is saved to your desktop and will automatically open.Post the contents of JRT.txt into your next message. MrC Link to post Share on other sites More sharing options...
DMacDonald Posted July 14, 2013 Author ID:702781 Share Posted July 14, 2013 Here are the next two cleaning logs! LOLAdwCleanerS1.txtJRT.txt Link to post Share on other sites More sharing options...
DMacDonald Posted July 14, 2013 Author ID:702783 Share Posted July 14, 2013 The Internet Security Pro shortcut is still on the desktop! Link to post Share on other sites More sharing options...
MrCharlie Posted July 15, 2013 ID:702791 Share Posted July 15, 2013 Please download Farbar Recovery Scan Tool and save it to a folder. (64bit version)Double-click to run it. When the tool opens click Yes to disclaimer.Press Scan button.It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.MrC Link to post Share on other sites More sharing options...
DMacDonald Posted July 15, 2013 Author ID:702801 Share Posted July 15, 2013 Here are the FRST scans....Addition.txtFRST.txt Link to post Share on other sites More sharing options...
MrCharlie Posted July 15, 2013 ID:702913 Share Posted July 15, 2013 Download the attached fixlist.txt to the same folder as FRST. Run FRST and click Fix only once and wait The tool will create a log (Fixlog.txt) please post it to your reply. MrC Link to post Share on other sites More sharing options...
DMacDonald Posted July 15, 2013 Author ID:702967 Share Posted July 15, 2013 Here us the fixlog file, looks like all clear. Should I just delete the Internet Security Pro shortcut?Fixlog.txt Link to post Share on other sites More sharing options...
MrCharlie Posted July 15, 2013 ID:702974 Share Posted July 15, 2013 Running FRST as outlined should have deleted it, but the fixlog doesn't show anything. Download the attached fixlist.txt to the same folder as FRST. Run FRST and click Fix only once and wait The tool will create a log (Fixlog.txt) please post it to your reply. If you can manually delete the shortcut, please do. I was under the impression that you couldn't delete it. If not use FRST. Then....... Lets check your computers security before you go and we have a little cleanup to do also: Download Security Check by screen317 from HERE or HERE.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt.Please Post the contents of that document.Do Not Attach It!!!MrC Link to post Share on other sites More sharing options...
DMacDonald Posted July 15, 2013 Author ID:703005 Share Posted July 15, 2013 No the last fix did not delete it so I manually deleted it. When Windows shut down at one point, 130 updates were installed. Here is the Security Check results: Results of screen317's Security Check version 0.99.69 Windows 7 x64 (UAC is enabled) Out of date service pack!!``````````````Antivirus/Firewall Check:`````````````` Windows Firewall Enabled! AVG AntiVirus Free Edition 2013 Norton Internet Security Antivirus up to date! `````````Anti-malware/Other Utilities Check:````````` Spybot - Search & Destroy Malwarebytes Anti-Malware version 1.75.0.1300 Java 6 Update 17 Java version out of Date! Adobe Flash Player 11.7.700.224 Adobe Reader 9 Adobe Reader out of Date!````````Process Check: objlist.exe by Laurent```````` Norton ccSvcHst.exe Spybot Teatimer.exe is disabled! AVG avgwdsvc.exe`````````````````System Health check````````````````` Total Fragmentation on Drive C: 3%````````````````````End of Log`````````````````````` Link to post Share on other sites More sharing options...
MrCharlie Posted July 15, 2013 ID:703017 Share Posted July 15, 2013 Out dated programs on the system are vulnerable to malware.Please update or uninstall them:-------------------------------------------------Java™ 6 Update 17 <---please uninstall from add/remove programsJava version out of Date! <-------Download and install the latest version from HereUncheck the box to install the Ask toolbar!!! and any other free "stuff".---------------------------------------------------Adobe Reader 9 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~A little clean up to do....Please Uninstall ComboFix: (if you used it)Press the Windows logo key + R to bring up the "run box"Copy and paste next command in the field:ComboFix /uninstallMake sure there's a space between Combofix and /Then hit enter.This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)---------------------------------If you used DeFogger to disable your CD Emulation drivers, please re-enable them.-------------------------------Please download OTC to your desktop.http://oldtimer.geekstogo.com/OTC.exeDouble-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")Click on the CleanUp! button and follow the prompts.(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)You will be asked to reboot the machine to finish the Cleanup process, choose Yes.After the reboot all the tools we used should be gone.Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.Any other programs or logs you can manually delete.IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.-------------------------------Any questions...please post back.If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.Take a look at My Preventive Maintenance to avoid being infected again.Good Luck and Thanks for using the forum, MrC Link to post Share on other sites More sharing options...
DMacDonald Posted July 15, 2013 Author ID:703084 Share Posted July 15, 2013 Thank you SO much for the wonderful and easy to follow help! I've always been able to handle malware/virus issues on my own, but this one stumped me. It is wonderful that this exists to help people in a nonprofit manner....so civilized and caring! With all the negative things that go on in the world, this is one thing that shines! Thanks MrC! Link to post Share on other sites More sharing options...
MrCharlie Posted July 15, 2013 ID:703085 Share Posted July 15, 2013 OK....Take Care MrC Link to post Share on other sites More sharing options...
LDTate Posted July 18, 2013 ID:704525 Share Posted July 18, 2013 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts