Department of Justice Money Pak


I am a repair tech who has removed a number of Money Pak but this one has me perplexed and I need the help of folks smarter than me. The screen is black and says Department of Justice, so it looks a little different from the others, but it is still demanding money etc. and of course hijacks the whole system. I have the system working off a new account and could just delete the old account, but what fun is that? :wacko:

 

So I booted in Safe Mode with Command Prompt > created a new user account and downloaded and ran Malwarebytes (full scan) with zero items found. I also went ahead and ran Hitman Pro and found 2 tracking cookies but nothing else.

 

Rebooted the machine to the main account and it's still there, so I'm stumped. I've attached a picture of the screen; again, I have seen a number of them but not in this format with a black background.

 

Chris


This should get you going. Let me know if you encounter any trouble.

 

---------------

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

Let me know how things go. If you at any point have trouble using FRST, please stop and post back here to let me know.


-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note:

Please make sure you are subscribed to this topic: Click on the "Follow This Topic" Button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly"
 

-------> Your topic will be closed if you haven't replied within 3 days! <--------
(If I don't respond within 24 hours, please send me a PM)

-DFB


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 17-07-2013 02
Ran by SYSTEM on 17-07-2013 17:07:30
Running from I:\
Windows Vista Home Premium (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKU\Gail\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [ 2008-01-18] (Microsoft Corporation)
HKU\Gail\...\Run: [swg] - "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\Gail\...\Run: [DellSupportCenter] - "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [ 2009-05-21] (SupportSoft, Inc.)
HKU\Gail\...\Run: [DisplaySwitch] - "C:\Users\Gail\AppData\Roaming\Microsoft\Windows\Templates\DisplaySwitch.exe" [x]
HKU\Tech Support\...\Run: [swg] - "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
Startup: C:\Users\Gail\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk
ShortcutTarget: MyPC Backup.lnk -> C:\Program Files\MyPC Backup\MyPC Backup.exe (MyPCBackup.com)
Startup: C:\Users\Gail\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

========================== Services (Whitelisted) =================

S2 BackupStack; C:\Program Files\MyPC Backup\BackupStack.exe [32808 2013-05-31] (Just Develop It)
S2 dldoCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\dldoserv.exe [99568 2007-10-05] ()
S2 dldo_device; C:\Windows\system32\dldocoms.exe [595184 2007-10-05] ( )
S3 GoogleDesktopManager-061008-081103; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [29744 2008-08-01] (Google)
S2 hasplms; C:\Windows\system32\hasplms.exe [535807 2007-03-15] (Aladdin Knowledge Systems Ltd.)
S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 NAV; C:\Program Files\Norton AntiVirus\Engine\20.4.0.40\diMaster.dll [556336 2013-05-29] (Symantec Corporation)
S2 NCO; C:\Program Files\Norton Identity Safe\Engine\2013.4.0.10\diMaster.dll [556336 2013-05-29] (Symantec Corporation)
S2 ProtexisLicensing; C:\Windows\system32\PSIService.exe [174656 2006-11-02] ()
S2 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe [201968 2008-08-13] (SupportSoft, Inc.)
S2 WeatherBlinkService; C:\PROGRA~1\WEATHE~2\bar\1.bin\gcbarsvc.exe [42504 2013-05-21] (COMPANYVERS_NAME)

==================== Drivers (Whitelisted) ====================

S2 aksfridge; C:\Windows\System32\DRIVERS\aksfridge.sys [351744 2007-03-12] (Aladdin Knowledge Systems Ltd.)
S3 akshasp; C:\Windows\System32\DRIVERS\akshasp.sys [329856 2007-03-06] (Aladdin Knowledge Systems Ltd.)
S3 akshhl; C:\Windows\System32\DRIVERS\akshhl.sys [135424 2007-03-06] (Aladdin Knowledge Systems Ltd.)
S3 aksusb; C:\Windows\System32\DRIVERS\aksusb.sys [99712 2007-03-06] (Aladdin Knowledge Systems Ltd.)
S1 BHDrvx86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\BASHDefs\20130715.001\BHDrvx86.sys [1002072 2013-05-31] (Symantec Corporation)
S1 ccSet_NAV; C:\Windows\system32\drivers\NAV\1404000.028\ccSetx86.sys [134744 2013-04-15] (Symantec Corporation)
S1 ccSet_NST; C:\Windows\system32\drivers\NST\7DD04000.00A\ccSetx86.sys [134744 2013-04-15] (Symantec Corporation)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-02-03] (Symantec Corporation)
S3 EraserUtilDrv11220; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11220.sys [106656 2013-05-05] (Symantec Corporation)
S2 Hardlock; C:\Windows\system32\drivers\hardlock.sys [694272 2007-03-06] (Aladdin Knowledge Systems Ltd.)
S1 IDSVix86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\IPSDefs\20130716.001\IDSvix86.sys [386720 2013-02-01] (Symantec Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\VirusDefs\20130716.017\NAVENG.SYS [93272 2013-05-21] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\VirusDefs\20130716.017\NAVEX15.SYS [1611992 2013-05-21] (Symantec Corporation)
S3 SiBulk; C:\Windows\System32\drivers\EsonicBulk.sys [15744 2007-07-29] (Silicon Laboratories)
S3 SRTSP; C:\Windows\System32\Drivers\NAV\1404000.028\SRTSP.SYS [603224 2013-05-15] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NAV\1404000.028\SRTSPX.SYS [32344 2013-03-04] (Symantec Corporation)
S0 SymDS; C:\Windows\System32\drivers\NAV\1404000.028\SYMDS.SYS [367704 2013-05-20] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\NAV\1404000.028\SYMEFA.SYS [934488 2013-05-22] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142496 2013-06-17] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\NAV\1404000.028\Ironx86.SYS [175264 2013-03-04] (Symantec Corporation)
S1 SYMTDIv; C:\Windows\System32\Drivers\NAV\1404000.028\SYMTDIV.SYS [352344 2013-04-24] (Symantec Corporation)
S3 VsmRWDriver; C:\Windows\System32\DRIVERS\VsmRWDriver.sys [7808 2007-01-08] (VSM Group AB)
S3 WinDriver6; C:\Windows\System32\drivers\windrvr6.sys [195424 2009-09-02] (Jungo)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-17 17:06 - 2013-07-17 17:06 - 00000000 ____D C:\FRST
2013-07-17 09:07 - 2013-07-17 09:07 - 00000000 ____D C:\ProgramData\Sun
2013-07-17 09:07 - 2013-07-17 09:06 - 00867240 _____ (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2013-07-17 09:07 - 2013-07-17 09:06 - 00789416 _____ (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2013-07-17 09:07 - 2013-07-17 09:06 - 00263592 _____ (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-07-17 09:07 - 2013-07-17 09:06 - 00175016 _____ (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-07-17 09:07 - 2013-07-17 09:06 - 00175016 _____ (Oracle Corporation) C:\Windows\System32\java.exe
2013-07-17 09:07 - 2013-07-17 09:06 - 00094632 _____ (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-07-17 09:03 - 2013-07-17 09:03 - 00003584 _____ C:\Users\Tech Support\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-07-17 09:01 - 2013-07-17 09:01 - 00000680 _____ C:\Users\Tech Support\AppData\Local\d3d9caps.dat
2013-07-17 09:01 - 2013-07-17 09:01 - 00000000 ____D C:\ProgramData\McAfee
2013-07-17 08:24 - 2013-07-17 08:59 - 00000000 ____D C:\ProgramData\HitmanPro
2013-07-17 08:24 - 2013-07-17 08:24 - 09171472 _____ (SurfRight B.V.) C:\Users\Tech Support\Downloads\HitmanPro.exe
2013-07-17 08:07 - 2013-07-17 08:07 - 423931472 _____ C:\Windows\MEMORY.DMP
2013-07-17 08:07 - 2013-07-17 08:07 - 00149648 _____ C:\Windows\Minidump\Mini071713-01.dmp
2013-07-17 08:07 - 2013-07-17 08:07 - 00000000 ____D C:\Windows\Minidump
2013-07-17 07:03 - 2013-07-17 07:03 - 00000000 ____D C:\ProgramData\WindowsSearch
2013-07-17 07:00 - 2013-07-17 07:00 - 00003584 _____ C:\{805053B1-448F-46C1-B49B-6973BF8B6F00}
2013-07-17 06:57 - 2013-07-17 06:57 - 00002984 _____ C:\{64D965DC-E6A4-4444-9636-7DB4B9C29AA7}
2013-07-17 06:42 - 2013-07-17 06:42 - 00000000 ____D C:\Users\Tech Support\AppData\Roaming\Malwarebytes
2013-07-17 06:41 - 2013-07-17 06:41 - 00000908 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-07-17 06:41 - 2013-07-17 06:41 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-07-17 06:41 - 2013-07-17 06:41 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-07-17 06:41 - 2013-04-04 11:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-07-17 06:38 - 2013-07-17 06:41 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Tech Support\Downloads\mbam-setup-1.75.0.1300.exe
2013-07-17 06:37 - 2013-07-17 08:23 - 00000000 ____D C:\Users\Tech Support\AppData\Roaming\Google
2013-07-17 06:37 - 2013-07-17 06:37 - 00000000 ____D C:\Users\Tech Support\AppData\Roaming\Adobe
2013-07-17 06:37 - 2013-07-17 06:37 - 00000000 ____D C:\Users\Tech Support\AppData\Local\WeatherBlink
2013-07-17 06:37 - 2013-07-17 06:37 - 00000000 ____D C:\Users\Tech Support\AppData\Local\Google
2013-07-17 06:36 - 2013-07-17 06:36 - 00083784 _____ C:\Users\Tech Support\AppData\Local\GDIPFONTCACHEV1.DAT
2013-07-17 06:36 - 2013-07-17 06:36 - 00000020 ___SH C:\Users\Tech Support\ntuser.ini
2013-07-17 06:36 - 2013-07-17 06:36 - 00000000 ___RD C:\Users\Tech Support\Desktop
2013-07-17 06:36 - 2013-07-17 06:36 - 00000000 ____D C:\Users\Tech Support\AppData\Local\VirtualStore
2013-07-17 06:36 - 2013-07-17 06:36 - 00000000 ____D C:\Users\Tech Support\AppData\Local\SupportSoft
2013-07-17 06:36 - 2013-07-17 06:36 - 00000000 ____D C:\users\Tech Support
2013-07-17 06:36 - 2010-01-06 17:21 - 00000000 ____D C:\Users\Tech Support\AppData\Roaming\Macromedia
2013-07-13 00:00 - 2013-07-13 00:02 - 00000000 ____D C:\Windows\System32\MRT
2013-07-11 00:08 - 2013-05-28 17:56 - 12333568 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-07-11 00:08 - 2013-05-28 17:50 - 01800704 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-07-11 00:08 - 2013-05-28 17:48 - 09738752 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-07-11 00:08 - 2013-05-28 17:41 - 01427968 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-07-11 00:08 - 2013-05-28 17:41 - 01129472 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-07-11 00:08 - 2013-05-28 17:41 - 01104384 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-07-11 00:08 - 2013-05-28 17:40 - 00231936 _____ (Microsoft Corporation) C:\Windows\System32\url.dll
2013-07-11 00:08 - 2013-05-28 17:38 - 00065024 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-07-11 00:08 - 2013-05-28 17:37 - 00142848 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-07-11 00:08 - 2013-05-28 17:36 - 00420864 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-07-11 00:08 - 2013-05-28 17:35 - 00717824 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-07-11 00:08 - 2013-05-28 17:35 - 00607744 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-07-11 00:08 - 2013-05-28 17:33 - 02382848 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-07-11 00:08 - 2013-05-28 17:33 - 01796096 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-07-11 00:08 - 2013-05-28 17:33 - 00073216 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-07-11 00:08 - 2013-05-28 17:29 - 00176640 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-07-10 06:27 - 2013-06-03 17:50 - 02049024 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-07-10 06:26 - 2013-05-31 20:06 - 00505344 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll
2013-07-10 06:26 - 2013-05-07 20:04 - 01548288 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-07-10 06:26 - 2013-04-17 03:28 - 01029120 _____ (Microsoft Corporation) C:\Windows\System32\d3d10.dll
2013-07-10 06:26 - 2013-04-17 03:28 - 00219648 _____ (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2013-07-10 06:26 - 2013-04-17 03:28 - 00189952 _____ (Microsoft Corporation) C:\Windows\System32\d3d10core.dll
2013-07-10 06:26 - 2013-04-17 03:28 - 00160768 _____ (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2013-07-10 06:26 - 2013-04-17 02:34 - 01172480 _____ (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2013-07-10 06:26 - 2013-04-17 02:33 - 00486400 _____ (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2013-07-10 06:26 - 2013-04-17 02:14 - 00683008 _____ (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2013-07-10 06:26 - 2013-04-17 02:10 - 01069056 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-07-10 06:26 - 2013-04-17 02:10 - 00798208 _____ (Microsoft Corporation) C:\Windows\System32\FntCache.dll
2013-06-27 07:01 - 2013-06-27 09:54 - 00000000 ____D C:\Program Files\MyPC Backup
2013-06-27 07:01 - 2013-06-27 07:01 - 00000886 _____ C:\Users\Gail\Desktop\MyPC Backup.lnk
2013-06-27 06:59 - 2013-06-28 07:09 - 00000000 ____D C:\Users\Gail\AppData\Local\FileTypeAssistant
2013-06-27 06:58 - 2013-07-17 07:13 - 00000000 ____D C:\Program Files\File Type Assistant
2013-06-27 06:58 - 2013-06-27 06:58 - 00000000 ____D C:\Program Files\FreeAllInOneMediaPlayer

==================== One Month Modified Files and Folders =======

2013-07-17 17:06 - 2013-07-17 17:06 - 00000000 ____D C:\FRST
2013-07-17 13:57 - 2007-12-17 23:58 - 00000012 _____ C:\Windows\bthservsdp.dat
2013-07-17 13:57 - 2007-12-17 23:45 - 01518211 _____ C:\Windows\WindowsUpdate.log
2013-07-17 13:57 - 2006-11-02 04:47 - 00003568 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-17 13:57 - 2006-11-02 04:47 - 00003568 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-17 13:40 - 2009-06-05 14:02 - 00000680 _____ C:\Users\Gail\AppData\Local\d3d9caps.dat
2013-07-17 11:56 - 2006-11-02 02:33 - 00005510 _____ C:\Windows\System32\PerfStringBackup.INI
2013-07-17 09:07 - 2013-07-17 09:07 - 00000000 ____D C:\ProgramData\Sun
2013-07-17 09:07 - 2007-12-17 23:59 - 00000000 ____D C:\Program Files\Common Files\Java
2013-07-17 09:06 - 2013-07-17 09:07 - 00867240 _____ (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2013-07-17 09:06 - 2013-07-17 09:07 - 00789416 _____ (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2013-07-17 09:06 - 2013-07-17 09:07 - 00263592 _____ (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-07-17 09:06 - 2013-07-17 09:07 - 00175016 _____ (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-07-17 09:06 - 2013-07-17 09:07 - 00175016 _____ (Oracle Corporation) C:\Windows\System32\java.exe
2013-07-17 09:06 - 2013-07-17 09:07 - 00094632 _____ (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-07-17 09:06 - 2007-12-17 23:59 - 00000000 ____D C:\Program Files\Java
2013-07-17 09:03 - 2013-07-17 09:03 - 00003584 _____ C:\Users\Tech Support\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-07-17 09:01 - 2013-07-17 09:01 - 00000680 _____ C:\Users\Tech Support\AppData\Local\d3d9caps.dat
2013-07-17 09:01 - 2013-07-17 09:01 - 00000000 ____D C:\ProgramData\McAfee
2013-07-17 08:59 - 2013-07-17 08:24 - 00000000 ____D C:\ProgramData\HitmanPro
2013-07-17 08:24 - 2013-07-17 08:24 - 09171472 _____ (SurfRight B.V.) C:\Users\Tech Support\Downloads\HitmanPro.exe
2013-07-17 08:23 - 2013-07-17 06:37 - 00000000 ____D C:\Users\Tech Support\AppData\Roaming\Google
2013-07-17 08:07 - 2013-07-17 08:07 - 423931472 _____ C:\Windows\MEMORY.DMP
2013-07-17 08:07 - 2013-07-17 08:07 - 00149648 _____ C:\Windows\Minidump\Mini071713-01.dmp
2013-07-17 08:07 - 2013-07-17 08:07 - 00000000 ____D C:\Windows\Minidump
2013-07-17 07:13 - 2013-06-27 06:58 - 00000000 ____D C:\Program Files\File Type Assistant
2013-07-17 07:03 - 2013-07-17 07:03 - 00000000 ____D C:\ProgramData\WindowsSearch
2013-07-17 07:00 - 2013-07-17 07:00 - 00003584 _____ C:\{805053B1-448F-46C1-B49B-6973BF8B6F00}
2013-07-17 06:57 - 2013-07-17 06:57 - 00002984 _____ C:\{64D965DC-E6A4-4444-9636-7DB4B9C29AA7}
2013-07-17 06:42 - 2013-07-17 06:42 - 00000000 ____D C:\Users\Tech Support\AppData\Roaming\Malwarebytes
2013-07-17 06:41 - 2013-07-17 06:41 - 00000908 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-07-17 06:41 - 2013-07-17 06:41 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-07-17 06:41 - 2013-07-17 06:41 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-07-17 06:41 - 2013-07-17 06:38 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Tech Support\Downloads\mbam-setup-1.75.0.1300.exe
2013-07-17 06:41 - 2006-11-02 03:18 - 00000000 __RHD C:\Users\Public\Desktop
2013-07-17 06:37 - 2013-07-17 06:37 - 00000000 ____D C:\Users\Tech Support\AppData\Roaming\Adobe
2013-07-17 06:37 - 2013-07-17 06:37 - 00000000 ____D C:\Users\Tech Support\AppData\Local\WeatherBlink
2013-07-17 06:37 - 2013-07-17 06:37 - 00000000 ____D C:\Users\Tech Support\AppData\Local\Google
2013-07-17 06:36 - 2013-07-17 06:36 - 00083784 _____ C:\Users\Tech Support\AppData\Local\GDIPFONTCACHEV1.DAT
2013-07-17 06:36 - 2013-07-17 06:36 - 00000020 ___SH C:\Users\Tech Support\ntuser.ini
2013-07-17 06:36 - 2013-07-17 06:36 - 00000000 ___RD C:\Users\Tech Support\Desktop
2013-07-17 06:36 - 2013-07-17 06:36 - 00000000 ____D C:\Users\Tech Support\AppData\Local\VirtualStore
2013-07-17 06:36 - 2013-07-17 06:36 - 00000000 ____D C:\Users\Tech Support\AppData\Local\SupportSoft
2013-07-17 06:36 - 2013-07-17 06:36 - 00000000 ____D C:\users\Tech Support
2013-07-17 06:09 - 2006-11-02 04:52 - 00044718 _____ C:\Windows\setupact.log
2013-07-16 11:44 - 2013-02-04 15:19 - 00000000 ____D C:\Users\Gail\AppData\Local\PokerStars.NET
2013-07-13 05:51 - 2013-03-13 16:11 - 00001973 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-07-13 00:02 - 2013-07-13 00:00 - 00000000 ____D C:\Windows\System32\MRT
2013-07-11 00:54 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-07-11 00:46 - 2006-11-02 04:47 - 00334648 _____ C:\Windows\System32\FNTCACHE.DAT
2013-07-11 00:44 - 2007-12-18 00:26 - 00586846 _____ C:\Windows\PFRO.log
2013-07-11 00:39 - 2006-11-02 04:37 - 00000000 ____D C:\Windows\System32\XPSViewer
2013-07-11 00:01 - 2006-11-02 04:37 - 00000000 ____D C:\Program Files\Windows Journal
2013-07-03 15:15 - 2007-12-29 12:14 - 00000000 ___RD C:\Users\Gail\Desktop
2013-06-28 07:09 - 2013-06-27 06:59 - 00000000 ____D C:\Users\Gail\AppData\Local\FileTypeAssistant
2013-06-27 15:54 - 2008-02-24 12:05 - 00004076 ___SH C:\Windows\System32\KGyGaAvL.sys
2013-06-27 15:54 - 2008-02-24 12:05 - 00000088 __RSH C:\Windows\System32\01C08C6115.sys
2013-06-27 15:54 - 2008-02-19 07:44 - 00000000 ____D C:\Users\Gail\AppData\Roaming\Corel
2013-06-27 09:54 - 2013-06-27 07:01 - 00000000 ____D C:\Program Files\MyPC Backup
2013-06-27 07:01 - 2013-06-27 07:01 - 00000886 _____ C:\Users\Gail\Desktop\MyPC Backup.lnk
2013-06-27 07:00 - 2006-11-02 03:18 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2013-06-27 06:58 - 2013-06-27 06:58 - 00000000 ____D C:\Program Files\FreeAllInOneMediaPlayer
2013-06-26 11:43 - 2013-02-03 13:28 - 00000000 ____D C:\Windows\System32\Drivers\NST
2013-06-26 11:43 - 2013-02-03 13:26 - 00000000 ____D C:\Windows\System32\Drivers\NAV
2013-06-26 11:42 - 2013-02-03 13:28 - 00002127 _____ C:\Users\Public\Desktop\Norton AntiVirus.lnk
2013-06-23 21:37 - 2006-11-02 02:24 - 75733144 _____ (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-06-17 14:10 - 2013-02-03 13:28 - 00142496 _____ (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2013-06-17 14:10 - 2013-02-03 13:28 - 00007611 _____ C:\Windows\System32\Drivers\SYMEVENT.CAT

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-06-26 14:25:48
Restore point made on: 2013-06-27 11:52:29
Restore point made on: 2013-06-27 23:52:31
Restore point made on: 2013-06-28 21:00:21
Restore point made on: 2013-06-29 23:52:50
Restore point made on: 2013-06-30 21:00:23
Restore point made on: 2013-07-01 21:00:21
Restore point made on: 2013-07-02 23:59:24
Restore point made on: 2013-07-03 21:00:21
Restore point made on: 2013-07-04 22:08:13
Restore point made on: 2013-07-05 23:04:15
Restore point made on: 2013-07-06 21:00:20
Restore point made on: 2013-07-07 21:00:23
Restore point made on: 2013-07-08 09:53:37
Restore point made on: 2013-07-08 23:31:05
Restore point made on: 2013-07-09 22:34:14
Restore point made on: 2013-07-10 21:00:25
Restore point made on: 2013-07-11 00:00:33
Restore point made on: 2013-07-11 21:22:54
Restore point made on: 2013-07-12 14:19:53
Restore point made on: 2013-07-13 00:00:25
Restore point made on: 2013-07-17 09:03:36
Restore point made on: 2013-07-17 09:06:26

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 1981.88 MB
Available physical RAM: 1701.37 MB
Total Pagefile: 1915.61 MB
Available Pagefile: 1767.61 MB
Total Virtual: 2047.88 MB
Available Virtual: 1972.51 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:222.79 GB) (Free:154.28 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (NORTON) (CDROM) (Total:0.61 GB) (Free:0 GB) CDFS
Drive i: () (Removable) (Total:0.12 GB) (Free:0.12 GB) FAT
Drive x: (RECOVERY) (Fixed) (Total:10 GB) (Free:5.31 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 233 GB) (Disk ID: E0000000)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Not Active) - (Size=10 GB) - (Type=07 NTFS)
Partition 3: (Active) - (Size=223 GB) - (Type=07 NTFS)

========================================================
Disk: 5 (Size: 121 MB) (Disk ID: 00324CE4)
Partition 1: (Active) - (Size=121 MB) - (Type=06)

LastRegBack: 2013-07-17 09:40

==================== End Of Log ============================

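The helper reads the log above by eye; as an added illustration, not code from the thread or from FRST, the Python script below parses the Registry Run and ShortcutTarget lines in FRST's log format and scores each autostart entry with a hypothetical triage heuristic (launching from a user-writable location, no publisher, or the [x] marker FRST prints when it does not find the file). The sample lines are copied from the log above; the weights and threshold are assumptions.

```python
"""Triage the autostart entries of an FRST log (added example, not FRST code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: Run/Startup lines in FRST's format, copied from the log above.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKU\Gail\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [ 2008-01-18] (Microsoft Corporation)
HKU\Gail\...\Run: [swg] - "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\Gail\...\Run: [DellSupportCenter] - "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [ 2009-05-21] (SupportSoft, Inc.)
HKU\Gail\...\Run: [DisplaySwitch] - "C:\Users\Gail\AppData\Roaming\Microsoft\Windows\Templates\DisplaySwitch.exe" [x]
Startup: C:\Users\Gail\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk
ShortcutTarget: MyPC Backup.lnk -> C:\Program Files\MyPC Backup\MyPC Backup.exe (MyPCBackup.com)
Startup: C:\Users\Gail\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
"""

# "HKU\<user>\...\Run: [value name] - <command> [ date] (publisher)"  or  "... [x]"
RUN_RE = re.compile(r'^(?P<key>HK\S.*?\\Run): \[(?P<name>[^\]]*)\] - (?P<rest>.*)$')
TAIL_RE = re.compile(
    r'^(?P<cmd>.*?)\s*\[(?P<stamp>x|\s*\d{4}-\d{2}-\d{2})\](?:\s*\((?P<vendor>[^)]*)\))?\s*$')
# "ShortcutTarget: <lnk name> -> <target path> (publisher)"
LNK_RE = re.compile(r'^ShortcutTarget: (?P<name>.*?) -> (?P<path>.*?)\s*\((?P<vendor>[^)]*)\)\s*$')

# Locations a standard user can write to (hypothetical heuristic, not an FRST rule).
USER_WRITABLE = ('\\users\\', '\\programdata\\', '\\temp\\')
WEIGHTS = {'user-writable location': 2, 'no publisher': 1, 'file not found ([x])': 1}


@dataclass
class Autorun:
    source: str          # registry key or "Startup folder"
    name: str            # value name or .lnk name
    path: str            # program that gets launched
    vendor: str          # publisher string FRST printed, '' if none
    file_present: bool   # False when FRST marked the entry [x]
    flags: list = field(default_factory=list)


def exe_path(cmd: str) -> str:
    """Return the program path from a Run command line, honouring quoting."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ')[0]


def triage(entry: Autorun) -> Autorun:
    """Attach the heuristic flags that make an entry worth a closer look."""
    low = entry.path.lower()
    if any(marker in low for marker in USER_WRITABLE):
        entry.flags.append('user-writable location')
    if not entry.vendor.strip():
        entry.flags.append('no publisher')
    if not entry.file_present:
        entry.flags.append('file not found ([x])')
    return entry


def score(entry: Autorun) -> int:
    return sum(WEIGHTS[f] for f in entry.flags)


def parse_frst(text: str) -> list:
    """Parse Run and ShortcutTarget lines into triaged Autorun records, in log order."""
    found = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            tail = TAIL_RE.match(m['rest'])
            if tail:
                found.append(triage(Autorun(m['key'], m['name'], exe_path(tail['cmd']),
                                            tail['vendor'] or '', tail['stamp'] != 'x')))
            continue
        m = LNK_RE.match(line)
        if m:
            found.append(triage(Autorun('Startup folder', m['name'], m['path'].strip(),
                                        m['vendor'], True)))
    return found


def suspicious(entries: list, threshold: int = 3) -> list:
    """Entries at or above the (assumed) threshold: the ones a responder reads first."""
    return [e for e in entries if score(e) >= threshold]


if __name__ == '__main__':
    for e in parse_frst(SAMPLE_LOG):
        print(f"{score(e)}  {e.name:<18} {e.path}  [{', '.join(e.flags)}]")
```

Run it and only the DisplaySwitch entry, a file launched from the user's AppData profile with no publisher and no file on disk, clears the threshold; the known-good Microsoft, Dell and MyPC Backup entries score zero.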

Okay, let's move on to these then:

 

----------Step 1----------------
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g., 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, choose Skip instead; do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g., TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

----------Step 2----------------
Please download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt.

----------Step 3----------------
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.


NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


----------Step 4----------------
Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 5----------------
In your next reply, please include the following:

  • TDSSKiller's logfile
  • MBAR mbar-log.txt and system-log.txt
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt

After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)


Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
