
Medical Computer Infected - FBI Virus with White Screen



My fiancé works in the medical field and the laptop she uses has become infected with this virus, which I've never heard of before. It's imperative that this get resolved as immediately as possible, as she needs the laptop to transmit radiographic images for one of her patients. Per another thread regarding this particular malware, I'm attaching a Farbar log below. Thanks in advance.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-07-2013
Ran by SYSTEM on 22-07-2013 00:57:08
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

Winlogon\Notify\kliptll: C:\Users\MDS_SouthCarolina\AppData\Local\kliptll.dll [X]
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll [X]
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$d3d39678adf16b71d565864a0191ec56\n. ATTENTION! ====> ZeroAccess?
HKU\Default\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [ 2009-07-13] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [ 2009-07-13] (Microsoft Corporation)
HKU\MDS_SouthCarolina\...\Run: [Google Update] - "C:\Users\MDS_SouthCarolina\AppData\Local\Google\Update\GoogleUpdate.exe" /c [x]
HKU\MDS_SouthCarolina\...\Run: [kliptll] - rundll32 "C:\Users\MDS_SouthCarolina\AppData\Local\kliptll.dll",kliptll [x] <===== ATTENTION
HKU\MDS_SouthCarolina\...\Run: [Temp] - rundll32 "C:\Users\MDS_SouthCarolina\AppData\Local\ApplicationHistory\Temp\fepb.dll",DllRegisterServer [x] <===== ATTENTION
HKU\MDS_SouthCarolina\...\Run: [667B2176F785463608CD726193C256F7] - RunDLL32.exe C:\Users\MDS_SouthCarolina\AppData\Local\667B2176F785463608CD726193C256F7\cahczrxs.dll,gllzypcmja [x] <===== ATTENTION
HKU\MDS_SouthCarolina\...\Run: [VbWebNetM24] - rundll32.exe "C:\Users\MDS_SouthCarolina\AppData\Roaming\VbWebNetM24\VbWebNetM24.dll",WlxMgmt SyncapiKit4 [x] <===== ATTENTION
HKU\MDS_SouthCarolina\...\Run: [Adobe CSS5.1 Manager] - C:\Users\MDS_SouthCarolina\AppData\Local\7ff23f3e-cdfc-4f02-ada7-40dc45c15c10ad\fffecdfcfadadcccad.exe [ 2013-07-21] () <===== ATTENTION
HKU\MDS_SouthCarolina\...\Winlogon: [shell] C:\Users\MDS_SouthCarolina\AppData\Roaming\dbu32.ocx,explorer.exe <==== ATTENTION

========================== Services (Whitelisted) =================

S2 Credential Vault Host Control Service; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [826272 2010-10-25] (Broadcom Corporation)
S2 Credential Vault Host Storage; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [32160 2010-10-25] (Broadcom Corporation)
S4 DicomSend; C:\Program Files\Carestream\CarestreamCR\GenRAD\Bin\DicomSend.exe [98304 2011-06-15] (Carestream Health)
S2 GoToMyPC; C:\Program Files\Citrix\GoToMyPC\g2svc.exe [946032 2011-11-13] (Citrix Online, a division of Citrix Systems, Inc.)
S2 hasplms; C:\Windows\system32\hasplms.exe [4913608 2011-12-02] (SafeNet Inc.)
S2 LGE NDIS Connection Service; C:\Program Files\LG Electronics\LGE LTE Driver\LGVL600SVC.exe [144832 2010-12-13] ()
S2 Macromed; C:\Windows\Macromed.exe [284160 2013-07-21] ()
S2 NWVZHelper; C:\Program Files\Novatel Wireless\Verizon\Drivers\NWHelper_001.exe [216064 2010-06-03] (Novatel Wireless Inc.)
S2 O2FLASH; C:\Windows\system32\DRIVERS\o2flash.exe [72296 2010-02-11] (O2Micro International)
S2 O2SDIOAssist; C:\Windows\system32\srvany.exe [8192 2003-04-18] ()
S2 ptumlcmsvc; C:\Windows\system32\ptumlcmsvc.exe [143360 2012-05-22] (DEVGURU Co., LTD)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] ()
S2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [5210112 2011-01-18] (Dell Inc.)

==================== Drivers (Whitelisted) ====================

S3 Acceler; C:\Windows\System32\DRIVERS\Accelern.sys [43888 2010-12-13] (ST Microelectronics)
S2 aksfridge; C:\Windows\System32\DRIVERS\aksfridge.sys [367560 2011-10-07] (SafeNet Inc.)
S3 akshasp; C:\Windows\System32\DRIVERS\akshasp.sys [238208 2011-02-09] (Aladdin Knowledge Systems Ltd.)
S3 akshhl; C:\Windows\System32\DRIVERS\akshhl.sys [46720 2011-09-08] (SafeNet Inc.)
S3 aksusb; C:\Windows\System32\DRIVERS\aksusb.sys [16512 2011-08-09] (SafeNet Inc.)
S3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18496 2011-01-18] (Broadcom Corporation)
S2 CarestreamCR; C:\Windows\System32\DRIVERS\OrexScanner.sys [30422 2007-08-27] (KEC)
S3 cvusbdrv; C:\Windows\System32\Drivers\cvusbdrv.sys [33832 2010-08-24] (Broadcom Corporation)
S3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [238760 2010-10-28] (Intel Corporation)
S2 hardlock; C:\Windows\system32\drivers\hardlock.sys [596424 2011-09-08] (SafeNet Inc.)
S3 LGELTEBus; C:\Windows\System32\DRIVERS\LGELTEBus.sys [32512 2011-02-16] (LG Electronics )
S3 LGELTEmdm; C:\Windows\System32\DRIVERS\LGELTEmdm.sys [101888 2011-02-16] (LG Electronics )
S3 LGELTEMux; C:\Windows\System32\DRIVERS\LGELTEMux.sys [38016 2011-02-16] (LG Electronics )
S3 LGELTENdis; C:\Windows\System32\DRIVERS\LGELTENdis.sys [46336 2011-02-16] (LG Electronics )
S3 LGELTEprt; C:\Windows\System32\DRIVERS\LGELTEprt.sys [102784 2011-02-16] (LG Electronics )
S3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41088 2010-10-19] (Intel Corporation)
S3 NWUSBCDFIL; C:\Windows\System32\DRIVERS\NwUsbCdFil.sys [20480 2010-07-08] (Novatel Wireless Inc.)
S3 NWUSBModem_000; C:\Windows\System32\DRIVERS\nwusbmdm_000.sys [176384 2010-07-08] (Novatel Wireless Inc.)
S3 NWUSBPort2_000; C:\Windows\System32\DRIVERS\nwusbser2_000.sys [176384 2010-07-08] (Novatel Wireless Inc.)
S3 NWUSBPort_000; C:\Windows\System32\DRIVERS\nwusbser_000.sys [176384 2010-07-08] (Novatel Wireless Inc.)
S3 O2MDRRDR; C:\Windows\System32\DRIVERS\O2MDRw7.sys [62440 2011-01-04] (O2Micro )
S3 O2SDJRDR; C:\Windows\System32\DRIVERS\o2sdjw7.sys [63848 2011-01-04] (O2Micro )
S0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
S3 PTUMLBUS; C:\Windows\System32\DRIVERS\PTUMLBUS.sys [86176 2012-05-22] (DEVGURU Co., LTD.)
S3 PTUMLCVsp; C:\Windows\System32\DRIVERS\PTUMLCVsp.sys [168864 2012-05-22] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 PTUMLMBMP; C:\Windows\System32\DRIVERS\PTUMLMBMP.sys [268576 2012-05-22] (DEVGURU Co., LTD.)
S3 PTUMLMdm; C:\Windows\System32\DRIVERS\PTUMLMdm.sys [168864 2012-05-22] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 PTUMLNVsp; C:\Windows\System32\DRIVERS\PTUMLNVsp.sys [169632 2012-05-22] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 PTUMLRMNET; C:\Windows\System32\DRIVERS\PTUMLRMNET.sys [55072 2012-05-22] (DEVGURU Co., LTD.)
S3 PTUMLVsp; C:\Windows\System32\DRIVERS\PTUMLVsp.sys [168864 2012-05-22] (DEVGURU Co., LTD.(www.devguru.co.kr))
S0 stdcfltn; C:\Windows\System32\DRIVERS\stdcfltn.sys [17648 2010-08-20] (ST Microelectronics)
S2 WIBUKEY; C:\Windows\System32\DRIVERS\WibuKey.sys [70656 2003-09-30] (WIBU-SYSTEMS AG)
S3 PTUMLNET61; system32\DRIVERS\PTUMLNET61.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-07-22 00:57 - 2013-07-22 00:57 - 00000000 ____D C:\FRST
2013-07-21 20:36 - 2013-07-21 20:36 - 171158989 _____ C:\Windows\MEMORY.DMP
2013-07-21 20:36 - 2013-07-21 20:36 - 00142800 _____ C:\Windows\Minidump\072213-14554-01.dmp
2013-07-21 17:11 - 2013-07-21 17:11 - 00258560 _____ C:\ctfmon.exe
2013-07-21 17:10 - 2013-07-21 17:10 - 00258560 _____ C:\windowsupdate.exe
2013-07-21 17:10 - 2013-07-21 17:10 - 00211968 _____ C:\iexplore.exe
2013-07-21 17:10 - 2013-07-21 17:10 - 00000000 _____ C:\msconfig.exe
2013-07-21 17:10 - 2013-07-21 17:10 - 00000000 _____ C:\acrobat.exe
2013-07-21 17:09 - 2013-07-21 17:09 - 00253440 _____ C:\Users\MDS_SouthCarolina\mstsc618226.exe
2013-07-21 17:09 - 2013-07-21 17:09 - 00145408 _____ (InterVision Software Lab.) C:\Users\MDS_SouthCarolina\teamviewer.exe
2013-07-21 17:09 - 2013-07-21 17:09 - 00000000 _____ C:\Users\MDS_SouthCarolina\flashplayer.exe
2013-07-21 17:08 - 2013-07-21 17:09 - 00000000 _____ C:\Users\MDS_SouthCarolina\winlogon.exe
2013-07-21 17:07 - 2013-07-21 17:07 - 00258560 _____ C:\Users\MDS_SouthCarolina\rundll32.exe
2013-07-21 17:07 - 2013-07-21 17:07 - 00258560 _____ C:\Users\MDS_SouthCarolina\conhost.exe
2013-07-21 17:07 - 2013-07-21 17:07 - 00000000 ____D C:\ProgramData\xjg
2013-07-21 17:06 - 2013-07-21 17:06 - 00000000 _____ C:\Users\MDS_SouthCarolina\spoolsv.exe
2013-07-21 17:06 - 2013-07-21 17:06 - 00000000 _____ C:\Users\MDS_SouthCarolina\jqs.exe
2013-07-21 17:06 - 2013-07-21 17:06 - 00000000 _____ C:\Users\MDS_SouthCarolina\java.exe
2013-07-21 16:57 - 2013-07-21 16:57 - 00258560 _____ C:\Users\MDS_SouthCarolina\googleupdate.exe
2013-07-21 16:57 - 2013-07-21 16:57 - 00258560 _____ C:\Users\MDS_SouthCarolina\acrobat.exe
2013-07-21 16:56 - 2013-07-21 16:57 - 00049664 _____ C:\Users\MDS_SouthCarolina\iexplore.exe
2013-07-21 16:56 - 2013-07-21 16:56 - 00000000 _____ C:\Users\MDS_SouthCarolina\jucheck.exe
2013-07-21 16:43 - 2013-07-21 16:43 - 00258560 _____ C:\Users\MDS_SouthCarolina\msconfig.exe
2013-07-21 16:42 - 2013-07-21 16:42 - 00258560 _____ C:\Users\MDS_SouthCarolina\vlcplayer.exe
2013-07-21 16:41 - 2013-07-21 16:41 - 00000000 _____ C:\Users\MDS_SouthCarolina\mstsc.exe
2013-07-21 16:41 - 2013-07-21 16:41 - 00000000 _____ C:\Users\MDS_SouthCarolina\icq.exe
2013-07-21 16:23 - 2013-07-21 16:23 - 00284160 _____ () C:\Windows\Macromed.exe
2013-07-21 16:23 - 2013-07-21 16:23 - 00258560 _____ C:\Users\MDS_SouthCarolina\alg.exe
2013-07-21 16:23 - 2013-07-21 16:23 - 00000000 ____D C:\Users\MDS_SouthCarolina\AppData\Local\7ff23f3e-cdfc-4f02-ada7-40dc45c15c10ad
2013-07-21 16:22 - 2013-07-21 17:10 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\mldefender.exe
2013-07-21 16:22 - 2013-07-21 17:10 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\87F9.tmp
2013-07-21 16:22 - 2013-07-21 17:10 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\77B4.tmp
2013-07-21 16:22 - 2013-07-21 17:10 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\743B.tmp
2013-07-21 16:22 - 2013-07-21 17:10 - 00000651 _____ C:\Users\Public\Desktop\Internet Security Pro.lnk
2013-07-21 16:22 - 2013-07-21 17:09 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\DA8B.tmp
2013-07-21 16:22 - 2013-07-21 17:06 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\B7A.tmp
2013-07-21 16:22 - 2013-07-21 17:06 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\71CA.tmp
2013-07-21 16:22 - 2013-07-21 16:56 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\7821.tmp
2013-07-21 16:22 - 2013-07-21 16:56 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\6DF4.tmp
2013-07-21 16:22 - 2013-07-21 16:41 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\5AB2.tmp
2013-07-21 16:22 - 2013-07-21 16:41 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\479F.tmp
2013-07-21 16:22 - 2013-07-21 16:23 - 00211968 _____ C:\Users\MDS_SouthCarolina\ctfmon.exe
2013-07-21 16:22 - 2013-07-21 16:22 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\74D6.tmp
2013-07-21 16:22 - 2013-07-21 16:22 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\35E3.tmp
2013-07-21 16:22 - 2013-07-21 16:22 - 00000000 _____ C:\Users\MDS_SouthCarolina\opera.exe
2013-07-21 16:22 - 2013-07-21 16:22 - 00000000 _____ C:\Users\MDS_SouthCarolina\notepad.exe
2013-07-21 14:14 - 2013-07-21 14:14 - 00000000 ____D C:\Users\MDS_SouthCarolina\AppData\Roaming\VbWebNetM24
2013-07-20 12:44 - 2013-07-21 12:03 - 00000000 ____D C:\Users\MDS_SouthCarolina\AppData\Local\667B2176F785463608CD726193C256F7
2013-07-19 17:54 - 2013-07-19 17:54 - 00025600 _____ C:\Users\MDS_SouthCarolina\AppData\Local\kliptll.dll
2013-07-16 16:03 - 2013-07-16 16:03 - 00118784 _____ C:\6349600.exe
2013-07-11 09:58 - 2013-06-11 15:43 - 14329856 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-07-11 09:58 - 2013-06-11 15:43 - 02877440 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-07-11 09:58 - 2013-06-11 15:43 - 01767936 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-07-11 09:58 - 2013-06-11 15:43 - 01141248 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-07-11 09:58 - 2013-06-11 15:43 - 00690688 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-07-11 09:58 - 2013-06-11 15:43 - 00493056 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-07-11 09:58 - 2013-06-11 15:43 - 00042496 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-07-11 09:58 - 2013-06-11 15:43 - 00039424 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-07-11 09:58 - 2013-06-11 15:42 - 13760512 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-07-11 09:58 - 2013-06-11 15:42 - 02046976 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-07-11 09:58 - 2013-06-11 15:42 - 00391168 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-07-11 09:58 - 2013-06-11 15:42 - 00109056 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-07-11 09:58 - 2013-06-11 15:42 - 00061440 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-07-11 09:58 - 2013-06-11 15:42 - 00033280 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-07-11 09:58 - 2013-06-11 14:51 - 00071680 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-07-11 09:58 - 2013-06-06 18:37 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-07-09 16:55 - 2013-06-04 19:05 - 02347520 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-07-09 16:55 - 2013-06-03 20:53 - 00509440 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll
2013-07-09 16:55 - 2013-05-05 20:56 - 01620480 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-07-09 16:55 - 2013-04-09 15:34 - 01247744 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll

==================== One Month Modified Files and Folders =======

2013-07-22 00:57 - 2013-07-22 00:57 - 00000000 ____D C:\FRST
2013-07-21 20:40 - 2012-05-01 10:48 - 00739744 _____ C:\Windows\System32\PerfStringBackup.INI
2013-07-21 20:36 - 2013-07-21 20:36 - 171158989 _____ C:\Windows\MEMORY.DMP
2013-07-21 20:36 - 2013-07-21 20:36 - 00142800 _____ C:\Windows\Minidump\072213-14554-01.dmp
2013-07-21 20:36 - 2012-05-30 12:37 - 00000000 ____D C:\Windows\Minidump
2013-07-21 20:31 - 2012-05-18 07:47 - 00024260 _____ C:\Windows\PFRO.log
2013-07-21 20:30 - 2012-05-01 12:21 - 00000152 _____ C:\Wait4Device.txt
2013-07-21 20:30 - 2009-07-13 20:34 - 00014448 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-21 20:30 - 2009-07-13 20:34 - 00014448 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-21 20:21 - 2013-02-23 21:21 - 00015802 _____ C:\Windows\setupact.log
2013-07-21 17:12 - 2012-05-01 10:57 - 00000000 ____D C:\users\MDS_SouthCarolina
2013-07-21 17:11 - 2013-07-21 17:11 - 00258560 _____ C:\ctfmon.exe
2013-07-21 17:10 - 2013-07-21 17:10 - 00258560 _____ C:\windowsupdate.exe
2013-07-21 17:10 - 2013-07-21 17:10 - 00211968 _____ C:\iexplore.exe
2013-07-21 17:10 - 2013-07-21 17:10 - 00000000 _____ C:\msconfig.exe
2013-07-21 17:10 - 2013-07-21 17:10 - 00000000 _____ C:\acrobat.exe
2013-07-21 17:10 - 2013-07-21 16:22 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\mldefender.exe
2013-07-21 17:10 - 2013-07-21 16:22 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\87F9.tmp
2013-07-21 17:10 - 2013-07-21 16:22 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\77B4.tmp
2013-07-21 17:10 - 2013-07-21 16:22 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\743B.tmp
2013-07-21 17:10 - 2013-07-21 16:22 - 00000651 _____ C:\Users\Public\Desktop\Internet Security Pro.lnk
2013-07-21 17:09 - 2013-07-21 17:09 - 00253440 _____ C:\Users\MDS_SouthCarolina\mstsc618226.exe
2013-07-21 17:09 - 2013-07-21 17:09 - 00145408 _____ (InterVision Software Lab.) C:\Users\MDS_SouthCarolina\teamviewer.exe
2013-07-21 17:09 - 2013-07-21 17:09 - 00000000 _____ C:\Users\MDS_SouthCarolina\flashplayer.exe
2013-07-21 17:09 - 2013-07-21 17:08 - 00000000 _____ C:\Users\MDS_SouthCarolina\winlogon.exe
2013-07-21 17:09 - 2013-07-21 16:22 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\DA8B.tmp
2013-07-21 17:07 - 2013-07-21 17:07 - 00258560 _____ C:\Users\MDS_SouthCarolina\rundll32.exe
2013-07-21 17:07 - 2013-07-21 17:07 - 00258560 _____ C:\Users\MDS_SouthCarolina\conhost.exe
2013-07-21 17:07 - 2013-07-21 17:07 - 00000000 ____D C:\ProgramData\xjg
2013-07-21 17:06 - 2013-07-21 17:06 - 00000000 _____ C:\Users\MDS_SouthCarolina\spoolsv.exe
2013-07-21 17:06 - 2013-07-21 17:06 - 00000000 _____ C:\Users\MDS_SouthCarolina\jqs.exe
2013-07-21 17:06 - 2013-07-21 17:06 - 00000000 _____ C:\Users\MDS_SouthCarolina\java.exe
2013-07-21 17:06 - 2013-07-21 16:22 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\B7A.tmp
2013-07-21 17:06 - 2013-07-21 16:22 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\71CA.tmp
2013-07-21 16:57 - 2013-07-21 16:57 - 00258560 _____ C:\Users\MDS_SouthCarolina\googleupdate.exe
2013-07-21 16:57 - 2013-07-21 16:57 - 00258560 _____ C:\Users\MDS_SouthCarolina\acrobat.exe
2013-07-21 16:57 - 2013-07-21 16:56 - 00049664 _____ C:\Users\MDS_SouthCarolina\iexplore.exe
2013-07-21 16:56 - 2013-07-21 16:56 - 00000000 _____ C:\Users\MDS_SouthCarolina\jucheck.exe
2013-07-21 16:56 - 2013-07-21 16:22 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\7821.tmp
2013-07-21 16:56 - 2013-07-21 16:22 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\6DF4.tmp
2013-07-21 16:43 - 2013-07-21 16:43 - 00258560 _____ C:\Users\MDS_SouthCarolina\msconfig.exe
2013-07-21 16:42 - 2013-07-21 16:42 - 00258560 _____ C:\Users\MDS_SouthCarolina\vlcplayer.exe
2013-07-21 16:41 - 2013-07-21 16:41 - 00000000 _____ C:\Users\MDS_SouthCarolina\mstsc.exe
2013-07-21 16:41 - 2013-07-21 16:41 - 00000000 _____ C:\Users\MDS_SouthCarolina\icq.exe
2013-07-21 16:41 - 2013-07-21 16:22 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\5AB2.tmp
2013-07-21 16:41 - 2013-07-21 16:22 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\479F.tmp
2013-07-21 16:23 - 2013-07-21 16:23 - 00284160 _____ () C:\Windows\Macromed.exe
2013-07-21 16:23 - 2013-07-21 16:23 - 00258560 _____ C:\Users\MDS_SouthCarolina\alg.exe
2013-07-21 16:23 - 2013-07-21 16:23 - 00000000 ____D C:\Users\MDS_SouthCarolina\AppData\Local\7ff23f3e-cdfc-4f02-ada7-40dc45c15c10ad
2013-07-21 16:23 - 2013-07-21 16:22 - 00211968 _____ C:\Users\MDS_SouthCarolina\ctfmon.exe
2013-07-21 16:23 - 2012-05-01 10:57 - 01241749 _____ C:\Windows\WindowsUpdate.log
2013-07-21 16:22 - 2013-07-21 16:22 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\74D6.tmp
2013-07-21 16:22 - 2013-07-21 16:22 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\35E3.tmp
2013-07-21 16:22 - 2013-07-21 16:22 - 00000000 _____ C:\Users\MDS_SouthCarolina\opera.exe
2013-07-21 16:22 - 2013-07-21 16:22 - 00000000 _____ C:\Users\MDS_SouthCarolina\notepad.exe
2013-07-21 16:22 - 2009-07-13 18:37 - 00000000 __RHD C:\Users\Public\Desktop
2013-07-21 14:14 - 2013-07-21 14:14 - 00000000 ____D C:\Users\MDS_SouthCarolina\AppData\Roaming\VbWebNetM24
2013-07-21 12:03 - 2013-07-20 12:44 - 00000000 ____D C:\Users\MDS_SouthCarolina\AppData\Local\667B2176F785463608CD726193C256F7
2013-07-19 17:54 - 2013-07-19 17:54 - 00025600 _____ C:\Users\MDS_SouthCarolina\AppData\Local\kliptll.dll
2013-07-16 16:03 - 2013-07-16 16:03 - 00118784 _____ C:\6349600.exe
2013-07-11 16:57 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-07-11 16:43 - 2009-07-13 20:33 - 00267056 _____ C:\Windows\System32\FNTCACHE.DAT
2013-07-11 16:41 - 2009-07-13 23:50 - 00000000 ____D C:\Program Files\Windows Journal
2013-07-11 16:41 - 2009-07-13 20:52 - 00000000 ____D C:\Program Files\Windows Defender
2013-07-01 09:11 - 2012-11-02 11:45 - 00000000 ____D C:\Users\MDS_SouthCarolina\Instadose
2013-06-22 13:45 - 2012-05-02 12:09 - 05000027 _____ C:\Windows\System32\ptumlacsvc-1.log

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1258375535-621269055-4063172407-1000\$d3d39678adf16b71d565864a0191ec56

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$d3d39678adf16b71d565864a0191ec56

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

Files to move or delete:
====================
C:\ProgramData\mldefender.exe
C:\Users\MDS_SouthCarolina\acrobat.exe
C:\Users\MDS_SouthCarolina\alg.exe
C:\Users\MDS_SouthCarolina\conhost.exe
C:\Users\MDS_SouthCarolina\ctfmon.exe
C:\Users\MDS_SouthCarolina\flashplayer.exe
C:\Users\MDS_SouthCarolina\googleupdate.exe
C:\Users\MDS_SouthCarolina\gosetup.exe
C:\Users\MDS_SouthCarolina\icq.exe
C:\Users\MDS_SouthCarolina\iexplore.exe
C:\Users\MDS_SouthCarolina\java.exe
C:\Users\MDS_SouthCarolina\jqs.exe
C:\Users\MDS_SouthCarolina\jucheck.exe
C:\Users\MDS_SouthCarolina\msconfig.exe
C:\Users\MDS_SouthCarolina\mstsc.exe
C:\Users\MDS_SouthCarolina\mstsc618226.exe
C:\Users\MDS_SouthCarolina\notepad.exe
C:\Users\MDS_SouthCarolina\opera.exe
C:\Users\MDS_SouthCarolina\rundll32.exe
C:\Users\MDS_SouthCarolina\spoolsv.exe
C:\Users\MDS_SouthCarolina\teamviewer.exe
C:\Users\MDS_SouthCarolina\vlcplayer.exe
C:\Users\MDS_SouthCarolina\winlogon.exe
C:\Users\MDS_SouthCarolina\AppData\Roaming\skype.dat
C:\Windows\Tasks\{5267BA0E-E5D5-40BE-BC7B-B220D76C0F92}.job

==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-06-22 05:35:13
Restore point made on: 2013-06-25 18:28:37
Restore point made on: 2013-07-02 11:21:28
Restore point made on: 2013-07-09 14:56:20
Restore point made on: 2013-07-09 16:51:53
Restore point made on: 2013-07-11 09:54:33
Restore point made on: 2013-07-16 13:18:25
Restore point made on: 2013-07-17 15:38:21
Restore point made on: 2013-07-19 07:47:15
Restore point made on: 2013-07-20 12:49:57
Restore point made on: 2013-07-21 16:38:37

==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 3976.9 MB
Available physical RAM: 3253.05 MB
Total Pagefile: 3975.18 MB
Available Pagefile: 3251.54 MB
Total Virtual: 2047.88 MB
Available Virtual: 1926.31 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.79 GB) (Free:117.7 GB) NTFS
Drive f: (USB20FD) (Removable) (Total:7.48 GB) (Free:7.46 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (ATTENTION: ===> MBR IS INFECTED. Use FixMbr command in Recovery Mode) (Size: 233 GB) (Disk ID: EC8F0207)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=233 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 8 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=7 GB) - (Type=0C)


LastRegBack: 2013-07-13 18:37

==================== End Of Log ============================

 

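The log above shows the red flags a helper looks for by eye: copies of Windows and common-application binaries (winlogon.exe, rundll32.exe, conhost.exe, iexplore.exe) created in the root of the user profile and of C:\, several of them zero bytes in size, Run values that have rundll32 load a DLL out of AppData, and a Winlogon Shell value that is no longer just explorer.exe. The script below is an added example for this thread, not code from the original post or from FRST; the rule set, the name list and the Finding structure are my own assumptions, and the sample lines are copied from the posted log (with two benign lines included so the rules can be seen not to fire on them).

```python
"""Rule-based triage of FRST log lines (added example, not part of FRST)."""
import re
from dataclasses import dataclass, field

# Binary names that do not belong in the root of C:\ or of a user profile.
# Constructed for this example from the names seen in the posted log.
MASQUERADE_NAMES = {
    "winlogon.exe", "rundll32.exe", "conhost.exe", "spoolsv.exe", "ctfmon.exe",
    "alg.exe", "msconfig.exe", "iexplore.exe", "windowsupdate.exe", "acrobat.exe",
    "java.exe", "jqs.exe", "jucheck.exe", "googleupdate.exe", "mstsc.exe",
    "notepad.exe", "flashplayer.exe", "teamviewer.exe", "opera.exe", "icq.exe",
    "vlcplayer.exe",
}

# FRST "Created/Modified Files" line: created - modified - size attrs [(company)] path
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)
# FRST registry lines: HKU\<user>\...\Run: [name] - command   and   ...\Winlogon: [shell] value
RUN_LINE = re.compile(r"^(?P<hive>HK(?:LM|U))\\(?P<user>.+?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] - (?P<cmd>.+)$")
SHELL_LINE = re.compile(r"^(?P<hive>HK(?:LM|U))\\(?P<user>.+?)\\\.\.\.\\Winlogon: \[[Ss]hell\] (?P<value>.+)$")
MARKERS = re.compile(r"\s*(?:\[[xX]\]|<=+\s*ATTENTION.*)")   # FRST's own annotations
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")
PROFILE_OR_DRIVE_ROOT = re.compile(r"(?:[a-z]:|c:\\users\\[^\\]+)")


@dataclass
class Finding:
    item: str
    reasons: list = field(default_factory=list)


def strip_markers(value: str) -> str:
    """Remove FRST's '[x]' and '<==== ATTENTION' annotations from a value."""
    return MARKERS.sub("", value).strip()


def check_file(m) -> Finding:
    path = m["path"].strip()
    parent, _, name = path.rpartition("\\")
    f = Finding(path)
    if "D" in m["attrs"]:                       # directory entry, not a file
        return f
    lname = name.lower()
    if lname in MASQUERADE_NAMES and PROFILE_OR_DRIVE_ROOT.fullmatch(parent.lower()):
        f.reasons.append("system/app binary name in profile or drive root")
    if int(m["size"]) == 0 and lname.endswith(".exe"):
        f.reasons.append("zero-byte executable (decoy)")
    return f


def check_run(m) -> Finding:
    cmd = strip_markers(m["cmd"]).lower()
    f = Finding(f"Run value [{m['name']}]")
    if "rundll32" in cmd and "\\appdata\\" in cmd:
        f.reasons.append("rundll32 loads a DLL from AppData")
    if HEX32.fullmatch(m["name"]):
        f.reasons.append("value name is a 32-hex-digit string")
    return f


def check_shell(m) -> Finding:
    value = strip_markers(m["value"])
    f = Finding(f"Winlogon Shell = {value}")
    if value.lower() != "explorer.exe":
        f.reasons.append("Winlogon Shell is not explorer.exe")
    return f


def triage(lines):
    """Return one Finding per log line that trips at least one rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        for pattern, check in ((RUN_LINE, check_run), (SHELL_LINE, check_shell), (FILE_LINE, check_file)):
            m = pattern.match(line)
            if m:
                f = check(m)
                if f.reasons:
                    findings.append(f)
                break
    return findings


# Sample lines copied from the posted FRST log; the first and the last two are benign controls.
SAMPLE_LOG = [
    r'HKU\MDS_SouthCarolina\...\Run: [Google Update] - "C:\Users\MDS_SouthCarolina\AppData\Local\Google\Update\GoogleUpdate.exe" /c [x]',
    r'HKU\MDS_SouthCarolina\...\Run: [kliptll] - rundll32 "C:\Users\MDS_SouthCarolina\AppData\Local\kliptll.dll",kliptll [x] <===== ATTENTION',
    r'HKU\MDS_SouthCarolina\...\Run: [667B2176F785463608CD726193C256F7] - RunDLL32.exe C:\Users\MDS_SouthCarolina\AppData\Local\667B2176F785463608CD726193C256F7\cahczrxs.dll,gllzypcmja [x] <===== ATTENTION',
    r'HKU\MDS_SouthCarolina\...\Winlogon: [shell] C:\Users\MDS_SouthCarolina\AppData\Roaming\dbu32.ocx,explorer.exe <==== ATTENTION',
    r'2013-07-21 17:08 - 2013-07-21 17:09 - 00000000 _____ C:\Users\MDS_SouthCarolina\winlogon.exe',
    r'2013-07-21 17:07 - 2013-07-21 17:07 - 00258560 _____ C:\Users\MDS_SouthCarolina\rundll32.exe',
    r'2013-07-21 17:10 - 2013-07-21 17:10 - 00211968 _____ C:\iexplore.exe',
    r'2013-07-21 16:22 - 2013-07-21 17:10 - 00839680 _____ (Polenter-Software Solutions) C:\ProgramData\mldefender.exe',
    r'2013-07-11 09:58 - 2013-06-11 15:43 - 14329856 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.item)
        for reason in finding.reasons:
            print("   -", reason)
```

Run against the sample, six of the nine lines are flagged. Note what the rules do not catch: mldefender.exe in ProgramData (the rogue "Internet Security Pro" payload) passes every rule because it sits in a legitimate folder with a non-zero size and a vendor string, which is exactly why a helper reads the whole log rather than relying on location heuristics alone.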

Hi there,
My name is Marius and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
 
 
Fix with FRST (Recovery Environment)


  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$d3d39678adf16b71d565864a0191ec56\n. ATTENTION! ====> ZeroAccess?
    Winlogon\Notify\kliptll: C:\Users\MDS_SouthCarolina\AppData\Local\kliptll.dll [X]
    HKU\MDS_SouthCarolina\...\Run: [kliptll] - rundll32 "C:\Users\MDS_SouthCarolina\AppData\Local\kliptll.dll",kliptll [x] <===== ATTENTION
    HKU\MDS_SouthCarolina\...\Run: [Temp] - rundll32 "C:\Users\MDS_SouthCarolina\AppData\Local\ApplicationHistory\Temp\fepb.dll",DllRegisterServer [x] <===== ATTENTION
    HKU\MDS_SouthCarolina\...\Run: [667B2176F785463608CD726193C256F7] - RunDLL32.exe C:\Users\MDS_SouthCarolina\AppData\Local\667B2176F785463608CD726193C256F7\cahczrxs.dll,gllzypcmja [x] <===== ATTENTION
    HKU\MDS_SouthCarolina\...\Run: [VbWebNetM24] - rundll32.exe "C:\Users\MDS_SouthCarolina\AppData\Roaming\VbWebNetM24\VbWebNetM24.dll",WlxMgmt SyncapiKit4 [x] <===== ATTENTION
    HKU\MDS_SouthCarolina\...\Run: [Adobe CSS5.1 Manager] - C:\Users\MDS_SouthCarolina\AppData\Local\7ff23f3e-cdfc-4f02-ada7-40dc45c15c10ad\fffecdfcfadadcccad.exe [ 2013-07-21] () <===== ATTENTION
    HKU\MDS_SouthCarolina\...\Winlogon: [Shell] C:\Users\MDS_SouthCarolina\AppData\Roaming\dbu32.ocx,explorer.exe <==== ATTENTION
    S2 Macromed; C:\Windows\Macromed.exe [284160 2013-07-21] ()
    C:\$Recycle.Bin\S-1-5-18\$d3d39678adf16b71d565864a0191ec56
    C:\Users\MDS_SouthCarolina\AppData\Local\kliptll.dll
    C:\Users\MDS_SouthCarolina\AppData\Local\ApplicationHistory\Temp\fepb.dll
    C:\Users\MDS_SouthCarolina\AppData\Local\667B2176F785463608CD726193C256F7
    C:\Users\MDS_SouthCarolina\AppData\Roaming\VbWebNetM24
    C:\Users\MDS_SouthCarolina\AppData\Local\7ff23f3e-cdfc-4f02-ada7-40dc45c15c10ad
    C:\Users\MDS_SouthCarolina\AppData\Roaming\dbu32.ocx
    C:\Windows\Macromed.exe
    C:\ctfmon.exe
    C:\windowsupdate.exe
    C:\iexplore.exe
    C:\msconfig.exe
    C:\acrobat.exe
    C:\Users\MDS_SouthCarolina\mstsc618226.exe
    C:\Users\MDS_SouthCarolina\flashplayer.exe
    C:\Users\MDS_SouthCarolina\winlogon.exe
    C:\Users\MDS_SouthCarolina\rundll32.exe
    C:\Users\MDS_SouthCarolina\conhost.exe
    C:\ProgramData\xjg
    C:\Users\MDS_SouthCarolina\spoolsv.exe
    C:\Users\MDS_SouthCarolina\jqs.exe
    C:\Users\MDS_SouthCarolina\java.exe
    C:\Users\MDS_SouthCarolina\googleupdate.exe
    C:\Users\MDS_SouthCarolina\acrobat.exe
    C:\Users\MDS_SouthCarolina\iexplore.exe
    C:\Users\MDS_SouthCarolina\jucheck.exe
    C:\Users\MDS_SouthCarolina\msconfig.exe
    C:\Users\MDS_SouthCarolina\vlcplayer.exe
    C:\Users\MDS_SouthCarolina\mstsc.exe
    C:\Users\MDS_SouthCarolina\icq.exe
    C:\Users\MDS_SouthCarolina\alg.exe
    C:\ProgramData\mldefender.exe
    C:\ProgramData\87F9.tmp
    C:\ProgramData\77B4.tmp
    C:\ProgramData\743B.tmp
    C:\Users\Public\Desktop\Internet Security Pro.lnk
    C:\ProgramData\DA8B.tmp
    C:\ProgramData\B7A.tmp
    C:\ProgramData\71CA.tmp
    C:\ProgramData\7821.tmp
    C:\ProgramData\6DF4.tmp
    C:\ProgramData\5AB2.tmp
    C:\ProgramData\479F.tmp
    C:\Users\MDS_SouthCarolina\ctfmon.exe
    C:\ProgramData\74D6.tmp
    C:\ProgramData\35E3.tmp
    C:\Users\MDS_SouthCarolina\opera.exe
    C:\Users\MDS_SouthCarolina\notepad.exe
    C:\6349600.exe
    C:\Users\MDS_SouthCarolina\AppData\Roaming\skype.dat
    C:\Windows\Tasks\{5267BA0E-E5D5-40BE-BC7B-B220D76C0F92}.job
    C:\Windows\assembly\GAC\Desktop.ini
    DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
    CMD: bootrec /fixmbr


    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

 

 

Boot into windows.

 

 

 

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe



When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.


Fixlog.txt below...

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-07-2013
Ran by SYSTEM at 2013-07-22 01:39:04 Run:1
Running from F:\
Boot Mode: Recovery

==============================================

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kliptll => Key deleted successfully.
HKU\MDS_SouthCarolina\Software\Microsoft\Windows\CurrentVersion\Run\\kliptll => Value deleted successfully.
HKU\MDS_SouthCarolina\Software\Microsoft\Windows\CurrentVersion\Run\\Temp => Value deleted successfully.
HKU\MDS_SouthCarolina\Software\Microsoft\Windows\CurrentVersion\Run\\667B2176F785463608CD726193C256F7 => Value deleted successfully.
HKU\MDS_SouthCarolina\Software\Microsoft\Windows\CurrentVersion\Run\\VbWebNetM24 => Value deleted successfully.
HKU\MDS_SouthCarolina\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe CSS5.1 Manager => Value deleted successfully.
HKU\MDS_SouthCarolina\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
Macromed => Service deleted successfully.
C:\$Recycle.Bin\S-1-5-18\$d3d39678adf16b71d565864a0191ec56 => Moved successfully.
C:\Users\MDS_SouthCarolina\AppData\Local\kliptll.dll => Moved successfully.
C:\Users\MDS_SouthCarolina\AppData\Local\ApplicationHistory\Temp\fepb.dll => Moved successfully.
C:\Users\MDS_SouthCarolina\AppData\Local\667B2176F785463608CD726193C256F7 => Moved successfully.
C:\Users\MDS_SouthCarolina\AppData\Roaming\VbWebNetM24 => Moved successfully.
C:\Users\MDS_SouthCarolina\AppData\Local\7ff23f3e-cdfc-4f02-ada7-40dc45c15c10ad => Moved successfully.
C:\Users\MDS_SouthCarolina\AppData\Roaming\dbu32.ocx => Moved successfully.
C:\Windows\Macromed.exe => Moved successfully.
C:\ctfmon.exe => Moved successfully.
C:\windowsupdate.exe => Moved successfully.
C:\iexplore.exe => Moved successfully.
C:\msconfig.exe => Moved successfully.
C:\acrobat.exe => Moved successfully.
C:\Users\MDS_SouthCarolina\mstsc618226.exe => Moved successfully.
C:\Users\MDS_SouthCarolina\flashplayer.exe => Moved successfully.
C:\Users\MDS_SouthCarolina\winlogon.exe => Moved successfully.
C:\Users\MDS_SouthCarolina\rundll32.exe => Moved successfully.
C:\Users\MDS_SouthCarolina\conhost.exe => Moved successfully.
C:\ProgramData\xjg => Moved successfully.
C:\Users\MDS_SouthCarolina\spoolsv.exe => Moved successfully.
C:\Users\MDS_SouthCarolina\jqs.exe => Moved successfully.
C:\Users\MDS_SouthCarolina\java.exe => Moved successfully.
C:\Users\MDS_SouthCarolina\googleupdate.exe => Moved successfully.
C:\Users\MDS_SouthCarolina\acrobat.exe => Moved successfully.
C:\Users\MDS_SouthCarolina\iexplore.exe => Moved successfully.
C:\Users\MDS_SouthCarolina\jucheck.exe => Moved successfully.
C:\Users\MDS_SouthCarolina\msconfig.exe => Moved successfully.
C:\Users\MDS_SouthCarolina\vlcplayer.exe => Moved successfully.
C:\Users\MDS_SouthCarolina\mstsc.exe => Moved successfully.
C:\Users\MDS_SouthCarolina\icq.exe => Moved successfully.
C:\Users\MDS_SouthCarolina\alg.exe => Moved successfully.
C:\ProgramData\mldefender.exe => Moved successfully.
C:\ProgramData\87F9.tmp => Moved successfully.
C:\ProgramData\77B4.tmp => Moved successfully.
C:\ProgramData\743B.tmp => Moved successfully.
C:\Users\Public\Desktop\Internet Security Pro.lnk => Moved successfully.
C:\ProgramData\DA8B.tmp => Moved successfully.
C:\ProgramData\B7A.tmp => Moved successfully.
C:\ProgramData\71CA.tmp => Moved successfully.
C:\ProgramData\7821.tmp => Moved successfully.
C:\ProgramData\6DF4.tmp => Moved successfully.
C:\ProgramData\5AB2.tmp => Moved successfully.
C:\ProgramData\479F.tmp => Moved successfully.
C:\Users\MDS_SouthCarolina\ctfmon.exe => Moved successfully.
C:\ProgramData\74D6.tmp => Moved successfully.
C:\ProgramData\35E3.tmp => Moved successfully.
C:\Users\MDS_SouthCarolina\opera.exe => Moved successfully.
C:\Users\MDS_SouthCarolina\notepad.exe => Moved successfully.
C:\6349600.exe => Moved successfully.
C:\Users\MDS_SouthCarolina\AppData\Roaming\skype.dat => Moved successfully.
C:\Windows\Tasks\{5267BA0E-E5D5-40BE-BC7B-B220D76C0F92}.job => Moved successfully.
C:\Windows\assembly\GAC\Desktop.ini => Moved successfully.
Error: DeleteJunctionsIndirectory: C:\Program Files\Windows Defender => entry should be fixed outside recovery mode.

=========  bootrec /fixmbr =========

The operation completed successfully.
========= End of CMD: =========


==== End of Fixlog ====

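The Fixlog above is a compact inventory of where this infection persisted: a Winlogon\Notify subkey, a per-user Winlogon Shell override, Run entries that use rundll32 to load DLLs from AppData, a CLSID whose InprocServer32 points into $Recycle.Bin, copies of system binary names (ctfmon.exe, winlogon.exe, conhost.exe and so on) dropped in C:\ and the user profile, and a reparse point on the Windows Defender folder. As an added example that is not part of the thread and is not FRST's or ComboFix's code, the read-only PowerShell script below audits those same locations on a machine and prints what it finds without deleting anything. The "known good" values and paths in it are assumptions for a default Windows 7 x86 install; run it from an elevated PowerShell.

```powershell
# Added example (not from the thread): read-only audit of the persistence locations
# the Fixlog shows FRST cleaning. Prints findings, deletes nothing. Elevated prompt.
# Paths and "known good" values are assumptions for a default Windows 7 x86 install.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Winlogon\Notify subkeys. Windows 7 registers none itself; the scan showed a
#    malicious "kliptll" entry next to a vendor one ("spba"), so list all for review.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    foreach ($sub in Get-ChildItem $notify) {
        $dll = (Get-ItemProperty $sub.PSPath).DllName
        $findings.Add("Winlogon\Notify\$($sub.PSChildName) -> $dll")
    }
}

# 2. Winlogon "Shell" must be explorer.exe. A per-user (HKCU) Shell value, like the
#    one deleted in the fix, is how the lock screen replaced the desktop.
foreach ($hive in 'HKLM', 'HKCU') {
    $wl = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty $wl -ErrorAction SilentlyContinue).Shell
    if ($hive -eq 'HKCU' -and $shell) { $findings.Add("HKCU Winlogon\Shell is set: $shell") }
    elseif ($shell -and $shell -ne 'explorer.exe') { $findings.Add("HKLM Winlogon\Shell = $shell") }
}

# 3. Run keys: flag entries that use rundll32 to load a DLL from under C:\Users or
#    C:\ProgramData, the pattern of the "<===== ATTENTION" entries in the FRST scan.
$runKeys = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($run in $runKeys) {
    $props = Get-ItemProperty $run -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        if ($p.Value -match '(?i)rundll32.*\\(Users|ProgramData)\\') {
            $findings.Add("Run\$($p.Name) = $($p.Value)")
        }
    }
}

# 4. COM hijack seen in the FRST scan: a CLSID whose InprocServer32 default value
#    points into $Recycle.Bin (the ZeroAccess-style entry FRST restored).
foreach ($clsid in Get-ChildItem 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue) {
    $srv = Join-Path $clsid.PSPath 'InprocServer32'
    if (-not (Test-Path $srv)) { continue }
    $path = (Get-ItemProperty $srv -ErrorAction SilentlyContinue).'(default)'
    if ($path -match '(?i)\\\$Recycle\.Bin\\') {
        $findings.Add("CLSID $($clsid.PSChildName) InprocServer32 = $path")
    }
}

# 5. System binary names living outside C:\Windows. The Fixlog moved ctfmon.exe,
#    winlogon.exe, conhost.exe and others out of C:\ and the user profile.
$sysNames = 'ctfmon.exe', 'winlogon.exe', 'conhost.exe', 'spoolsv.exe', 'rundll32.exe',
            'alg.exe', 'msconfig.exe', 'notepad.exe', 'svchost.exe', 'iexplore.exe'
$roots = @('C:\') + @(Get-ChildItem 'C:\Users' -ErrorAction SilentlyContinue |
                      Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName })
foreach ($root in $roots) {
    foreach ($f in Get-ChildItem $root -Force -ErrorAction SilentlyContinue) {
        if (-not $f.PSIsContainer -and $sysNames -contains $f.Name.ToLower()) {
            $findings.Add("Misplaced system binary: $($f.FullName)")
        }
    }
}

# 6. Reparse points under Program Files and inside the Windows Defender folder, the
#    lock FRST could only remove once it ran in normal mode.
foreach ($dir in 'C:\Program Files', 'C:\Program Files\Windows Defender') {
    foreach ($d in Get-ChildItem $dir -Force -ErrorAction SilentlyContinue) {
        if ($d.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            $findings.Add("Reparse point: $($d.FullName)")
        }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The script only reads; anything it lists should be checked against the FRST scan before deciding what to remove, since a vendor Winlogon\Notify DLL (like the SPBA one here) or a legitimate junction is a finding, not proof of infection.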

Combofix Log... Please let me know if there is anything further that needs to be done. Thanks for the help, by the way!

 

ComboFix 13-07-22.01 - MDS_SouthCarolina 07/22/2013   1:49.1.4 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3241.2333 [GMT -4:00]
Running from: c:\users\MDS_SouthCarolina\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\isDownloadFailedTemp.tmp
c:\users\MDS_SouthCarolina\teamviewer.exe
c:\windows\system32\config\systemprofile\acrobatreader.exe
c:\windows\system32\config\systemprofile\Appdata\local\svcxdcl32.exe
c:\windows\system32\config\systemprofile\conhost.exe
c:\windows\system32\config\systemprofile\firefox.exe
c:\windows\system32\config\systemprofile\googleupdate.exe
c:\windows\system32\config\systemprofile\jucheck.exe
c:\windows\system32\config\systemprofile\opera.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\instsrv.exe
c:\windows\system32\UNWISE.EXE
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-22 to 2013-07-22  )))))))))))))))))))))))))))))))
.
.
2013-07-22 08:57 . 2013-07-22 08:57    --------    d-----w-    C:\FRST
2013-07-22 05:54 . 2013-07-22 05:54    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-07-19 17:02 . 2013-07-21 22:15    60872    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{6E69D986-58EC-48C8-A4DB-13B5D383DD01}\offreg.dll
2013-07-19 15:50 . 2013-07-02 06:54    7143960    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{6E69D986-58EC-48C8-A4DB-13B5D383DD01}\mpengine.dll
2013-07-10 00:55 . 2013-04-09 23:34    1247744    ----a-w-    c:\windows\system32\DWrite.dll
2013-07-10 00:55 . 2013-06-05 03:05    2347520    ----a-w-    c:\windows\system32\win32k.sys
2013-07-10 00:55 . 2013-06-04 04:53    509440    ----a-w-    c:\windows\system32\qedit.dll
2013-07-10 00:55 . 2013-05-06 04:56    1620480    ----a-w-    c:\windows\system32\WMVDECOD.DLL
2013-07-10 00:55 . 2013-05-27 04:57    224768    ----a-w-    c:\program files\Windows Defender\MpCommu.dll
2013-07-10 00:54 . 2013-04-10 05:04    1221632    ----a-w-    c:\program files\Windows Journal\NBDoc.DLL
2013-07-10 00:54 . 2013-04-10 05:03    936448    ----a-w-    c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2013-07-10 00:54 . 2013-04-10 05:03    988672    ----a-w-    c:\program files\Windows Journal\JNTFiltr.dll
2013-07-10 00:54 . 2013-04-10 05:03    969216    ----a-w-    c:\program files\Windows Journal\JNWDRV.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 01:30 . 2012-05-14 02:26    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-12 01:30 . 2012-05-14 02:26    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-05-13 04:45 . 2013-06-12 17:10    140288    ----a-w-    c:\windows\system32\cryptsvc.dll
2013-05-13 04:45 . 2013-06-12 17:10    1160192    ----a-w-    c:\windows\system32\crypt32.dll
2013-05-13 04:45 . 2013-06-12 17:10    103936    ----a-w-    c:\windows\system32\cryptnet.dll
2013-05-13 03:08 . 2013-06-12 17:10    903168    ----a-w-    c:\windows\system32\certutil.exe
2013-05-13 03:08 . 2013-06-12 17:10    43008    ----a-w-    c:\windows\system32\certenc.dll
2013-05-10 03:20 . 2013-06-12 17:10    24576    ----a-w-    c:\windows\system32\cryptdlg.dll
2013-05-08 05:38 . 2013-06-12 17:10    1293672    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-05-06 05:06 . 2013-06-12 17:10    3968872    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-05-06 05:06 . 2013-06-12 17:10    3913576    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-05-02 06:06 . 2012-05-01 20:16    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-04-26 04:55 . 2013-06-12 17:10    492544    ----a-w-    c:\windows\system32\win32spl.dll
2013-04-25 23:30 . 2013-06-12 17:10    1505280    ----a-w-    c:\windows\system32\d3d11.dll
2011-12-12 22:20 . 2011-12-12 22:20    106496    ----a-w-    c:\program files\Translation.resources.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
"FreeFallProtection"="c:\program files\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2010-12-15 686704]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-01-05 488816]
"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2011-01-18 5955072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-01-15 143384]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-01-15 177176]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-01-15 178200]
"DicomSend"="c:\program files\Carestream\CarestreamCR\GenRAD\Bin\DicomSend.exe" [2011-06-15 98304]
"KodakQC"="c:\program files\Carestream\CarestreamCR\Wait4device.vbs" [2007-04-17 1221]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-03-20 280576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\spba]
2010-09-15 18:11    1971536    ----a-w-    c:\program files\Common Files\SPBA\homefus2.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 CarestreamCR;Carestream CR System driver;c:\windows\system32\DRIVERS\OrexScanner.sys [2007-08-28 30422]
R2 O2SDIOAssist;O2SDIOAssist;c:\windows\system32\srvany.exe [2003-04-19 8192]
R3 LGELTEBus;LGE Composite Device;c:\windows\system32\DRIVERS\LGELTEBus.sys [2011-02-16 32512]
R3 LGELTEmdm;LGE LTE USB Device for Modem Communication;c:\windows\system32\DRIVERS\LGELTEmdm.sys [2011-02-16 101888]
R3 LGELTEMux;LGE LTE Mux Enumerator ;c:\windows\system32\DRIVERS\LGELTEMux.sys [2011-02-16 38016]
R3 LGELTENdis;LGE USB NDIS Miniport Ethernet Adapter Service;c:\windows\system32\DRIVERS\LGELTENdis.sys [2011-02-16 46336]
R3 LGELTEprt;LGE USB Device for Serial Communication;c:\windows\system32\DRIVERS\LGELTEprt.sys [2011-02-16 102784]
R3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\DRIVERS\NwUsbCdFil.sys [2010-07-08 20480]
R3 NWUSBModem_000;Novatel Wireless USB Modem Driver (vGEN);c:\windows\system32\DRIVERS\nwusbmdm_000.sys [2010-07-08 176384]
R3 NWUSBPort_000;Novatel Wireless USB Status Port Driver (vGEN);c:\windows\system32\DRIVERS\nwusbser_000.sys [2010-07-08 176384]
R3 NWUSBPort2_000;Novatel Wireless USB Status2 Port Driver (vGEN);c:\windows\system32\DRIVERS\nwusbser2_000.sys [2010-07-08 176384]
R3 PTUMLBUS;PTUML USB Composite Device Driver;c:\windows\system32\DRIVERS\PTUMLBUS.sys [2012-05-23 86176]
R3 PTUMLCVsp;PANTECH UML290 Connection Manager Port;c:\windows\system32\DRIVERS\PTUMLCVsp.sys [2012-05-23 168864]
R3 PTUMLMBMP;PANTECH UML290 Mobile Broadband;c:\windows\system32\DRIVERS\PTUMLMBMP.sys [2012-05-23 268576]
R3 PTUMLMdm;PANTECH UML290;c:\windows\system32\DRIVERS\PTUMLMdm.sys [2012-05-23 168864]
R3 PTUMLNET61;PANTECH UML290 WWAN (NDIS6.1);c:\windows\system32\DRIVERS\PTUMLNET61.sys [x]
R3 PTUMLNVsp;PANTECH UML290 NMEA Port;c:\windows\system32\DRIVERS\PTUMLNVsp.sys [2012-05-23 169632]
R3 PTUMLRMNET;PANTECH UML290 RMNET Service;c:\windows\system32\DRIVERS\PTUMLRMNET.sys [2012-05-23 55072]
R3 PTUMLVsp;PANTECH UML290 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMLVsp.sys [2012-05-23 168864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-05-04 1343400]
R4 DicomSend;DicomSend;c:\program files\Carestream\CarestreamCR\GenRAD\Bin\DicomSend.exe [2011-06-15 98304]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2010-08-20 17648]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2010-10-25 826272]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2010-10-25 32160]
S2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe [2011-12-02 4913608]
S2 LGE NDIS Connection Service;LGE NDIS Connection Service;c:\program files\LG Electronics\LGE LTE Driver\LGVL600SVC.exe [2010-12-14 144832]
S2 NWVZHelper;Novatel Wireless Verizon Device Helper;c:\program files\Novatel Wireless\Verizon\Drivers\NWHelper_001.exe [2010-06-04 216064]
S2 ptumlcmsvc;PTUML290 Connection Manager Service;c:\windows\system32\ptumlcmsvc.exe [2012-05-23 143360]
S2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [2013-04-23 3574624]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-03 2656280]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-12-13 43888]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2010-08-24 33832]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 269824]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-19 41088]
S3 O2MDRRDR;O2MDRRDR;c:\windows\system32\DRIVERS\O2MDRw7.sys [2011-01-04 62440]
S3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7.sys [2011-01-04 63848]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-14 01:30]
.
2013-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-14 02:26]
.
2013-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-14 02:26]
.
2013-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1258375535-621269055-4063172407-1000Core.job
- c:\users\MDS_SouthCarolina\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-13 05:36]
.
2013-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1258375535-621269055-4063172407-1000UA.job
- c:\users\MDS_SouthCarolina\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-13 05:36]
.
.
------- Supplementary Scan -------
.

TCP: Interfaces\{252C0525-4735-40B1-B1D6-567B712E6FDD}: NameServer = 198.224.145.135 198.224.144.135
TCP: Interfaces\{5A6931A4-85D4-44BF-B59D-AEE824ED845F}: NameServer = 198.224.144.135 198.224.145.135
TCP: Interfaces\{E5D61ACC-E5C6-4ED5-B223-8342955336B7}: NameServer = 198.224.144.135 198.224.145.135
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-Temp - c:\users\MDS_SouthCarolina\AppData\Local\ApplicationHistory\Temp\fepb.dll
AddRemove-HASP HL Device Driver - c:\windows\System32\UNWISE.EXE
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-07-22  02:01:37
ComboFix-quarantined-files.txt  2013-07-22 06:01
.
Pre-Run: 126,344,818,688 bytes free
Post-Run: 127,548,624,896 bytes free
.
- - End Of File - - 006609E46487D6D65049C0D075423B6D
A36C5E4F47E84449FF07ED3517B43A31
 


Create a new fixlist.txt on your USB stick, containing only the following line:

DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

Run the FRST tool in normal Windows mode and hit the Fix button.

Post up the log it provides.

Also, do the following:

Scan with Farbar's Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


FRST fixlog.txt.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-07-2013
Ran by MDS_SouthCarolina at 2013-07-22 02:40:48 Run:2
Running from E:\
Boot Mode: Normal

==============================================

"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.

==== End of Fixlog ====


FSS.txt...

 

Farbar Service Scanner Version: 13-07-2013
Ran by MDS_SouthCarolina (administrator) on 22-07-2013 at 02:41:55
Running from "C:\Users\MDS_SouthCarolina\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Action Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} key. The key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2013-07-09 20:55] - [2013-05-27 00:57] - 0680960 ____A (Microsoft Corporation) 082CF481F659FAE0DE51AD060881EB47

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

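The FSS log above does three things per service: compares the start type with the default, checks ImagePath and ServiceDll, and verifies the loaded file against a list of known hashes; on this machine it found BITS switched to Demand, the Action Center icon key missing, and Windows Update, BITS and Defender all stopped. As an added example that is not part of the thread and is not Farbar's code, the PowerShell below re-does those checks read-only for the services this family usually breaks. The expected start types are assumptions for Windows 7 SP1 defaults (registry "Start": 2 = Auto, 3 = Demand, 4 = Disabled), and the Action Center key path is assumed from the FSS message. File integrity is checked with sfc /verifyfile against the component store rather than Get-AuthenticodeSignature, which on Windows 7 reports catalog-signed system DLLs as NotSigned. Run it from an elevated PowerShell.

```powershell
# Added example (not from the thread): read-only re-check of the FSS service report.
# Expected start types are assumed Windows 7 SP1 defaults; run from an elevated prompt.

$expectedStart = @{ 'wuauserv' = 2; 'BITS' = 2; 'WinDefend' = 2; 'wscsvc' = 2; 'MpsSvc' = 2 }
$startName     = @{ 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }

function Test-WrpFile([string]$Path) {
    # sfc writes UTF-16 to stdout (the same reason the bootrec output in the first
    # Fixlog shows a space after every letter), so run it via cmd.exe into a file and
    # read that back as Unicode. Returns sfc's "Windows Resource Protection ..." line.
    $out = [IO.Path]::GetTempFileName()
    $cmdArgs = "/c sfc.exe /verifyfile=`"$Path`" > `"$out`""
    Start-Process -FilePath cmd.exe -ArgumentList $cmdArgs -Wait -NoNewWindow
    $text = Get-Content $out -Encoding Unicode
    Remove-Item $out -ErrorAction SilentlyContinue
    ($text | Where-Object { $_ -match 'Windows Resource Protection' }) -join ' '
}

foreach ($svc in $expectedStart.Keys) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $key)) { "$svc : service key is MISSING"; continue }
    $cfg = Get-ItemProperty $key

    # Start type, as in "The start type of BITS service is set to Demand."
    $actual = [int]$cfg.Start
    if ($actual -ne $expectedStart[$svc]) {
        "$svc : start type is $($startName[$actual]), expected $($startName[$expectedStart[$svc]])"
    }

    # Running state, as in "wuauserv Service is not running."
    $status = (Get-Service $svc -ErrorAction SilentlyContinue).Status
    if ($status -ne 'Running') { "$svc : not running (status: $status)" }

    # The binary actually loaded: ServiceDll for svchost-hosted services, otherwise
    # ImagePath with quotes and any "-k <group>" suffix stripped.
    $bin = (Get-ItemProperty "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if (-not $bin) { $bin = ($cfg.ImagePath -replace '"', '') -replace '\s+-k\s+.*$', '' }
    $bin = [Environment]::ExpandEnvironmentVariables($bin)
    if (-not $bin -or -not (Test-Path $bin)) { "$svc : binary '$bin' is MISSING"; continue }
    "$svc : $bin -> $(Test-WrpFile $bin)"
}

# Action Center tray icon, which FSS found missing on this machine (path assumed).
$acKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}'
if (-not (Test-Path $acKey)) { 'Action Center notification icon key is MISSING' }
```

A ServiceDll that sfc reports as an integrity violation, or a start type that has drifted from the default, is exactly what the ESET services repair step later in the thread is meant to put back; a file that is missing altogether is a separate problem that a service repair tool will not fix.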

ESET Online Scanner Log...

 

C:\FRST\Quarantine\35E3.tmp    a variant of Win32/Kryptik.BGHV trojan
C:\FRST\Quarantine\479F.tmp    a variant of Win32/Kryptik.BGHV trojan
C:\FRST\Quarantine\5AB2.tmp    a variant of Win32/Kryptik.BGHV trojan
C:\FRST\Quarantine\6349600.exe    a variant of Win32/Kryptik.BFZJ trojan
C:\FRST\Quarantine\6DF4.tmp    a variant of Win32/Kryptik.BGHV trojan
C:\FRST\Quarantine\71CA.tmp    a variant of Win32/Kryptik.BGHV trojan
C:\FRST\Quarantine\743B.tmp    a variant of Win32/Kryptik.BGHV trojan
C:\FRST\Quarantine\74D6.tmp    a variant of Win32/Kryptik.BGHV trojan
C:\FRST\Quarantine\77B4.tmp    a variant of Win32/Kryptik.BGHV trojan
C:\FRST\Quarantine\7821.tmp    a variant of Win32/Kryptik.BGHV trojan
C:\FRST\Quarantine\87F9.tmp    a variant of Win32/Kryptik.BGHV trojan
C:\FRST\Quarantine\B7A.tmp    a variant of Win32/Kryptik.BGHV trojan
C:\FRST\Quarantine\ctfmon.exe    a variant of Win32/Kryptik.BGCI trojan
C:\FRST\Quarantine\DA8B.tmp    a variant of Win32/Kryptik.BGHV trojan
C:\FRST\Quarantine\dbu32.ocx    a variant of Win32/Kryptik.BGIA trojan
C:\FRST\Quarantine\iexplore.exe    a variant of Win32/TrojanDownloader.Delf.RWG trojan
C:\FRST\Quarantine\kliptll.dll    a variant of Win32/TrojanProxy.Agent.NOU trojan
C:\FRST\Quarantine\mldefender.exe    a variant of Win32/Kryptik.BGHV trojan
C:\FRST\Quarantine\skype.dat    a variant of Win32/Kryptik.BGHG trojan
C:\Qoobox\Quarantine\C\Users\MDS_SouthCarolina\teamviewer.exe.vir    a variant of Win32/Kryptik.BGHG trojan
C:\Qoobox\Quarantine\C\Windows\System32\config\systemprofile\acrobatreader.exe.vir    a variant of Win32/Kryptik.BGCI trojan
C:\Qoobox\Quarantine\C\Windows\System32\config\systemprofile\conhost.exe.vir    a variant of Win32/Kryptik.BGCI trojan
C:\Qoobox\Quarantine\C\Windows\System32\config\systemprofile\AppData\Local\svcxdcl32.exe.vir    a variant of Win32/Kryptik.BFZJ trojan
C:\Users\MDS_SouthCarolina\AppData\Local\Google\Chrome\User Data\Default\Users\ggfaooknfkclkhcoigolcgfadjlmnidd\background.js    Win32/TrojanDownloader.Tracur.AH trojan
C:\Users\MDS_SouthCarolina\AppData\Local\Google\Chrome\User Data\Default\Users\ggfaooknfkclkhcoigolcgfadjlmnidd\cs.js    Win32/TrojanDownloader.Tracur.AH trojan
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\about[1].htm    JS/Kryptik.AMC trojan
 


Combofix scripting

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

ESET Services Repair

Download ESET services repair from here and save the file to your desktop.

Run it by right click --> "run as administrator".

After the tool is finished, reboot and post a new FSS log

CFScript.txt


Root Admin

Warning: As this is a computer in the United States that is used in the medical field, this should not be handled here on the forum. This should be reported to the medical facility, as there are potential laws governing this conduct, possibly under HIPAA or other medical laws of the United States. You need to contact the Information Services or Technology group and let them manage this infection, as it should also be reported to the authorities because it could potentially have compromised patient or hospital data.


This topic is now closed to further replies.