Hi there,

 

Our family laptop got infected with this yesterday. It won't let us boot into any of the safe modes. Would very much appreciate help in getting rid of it! I've scanned the computer with Farbar Recovery Scan Tool and received this log:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-08-2013
Ran by SYSTEM on 17-08-2013 11:48:27
Running from F:\
Windows Vista Home Premium (X86) OS Language: English(US)
Internet Explorer Version 7
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [4702208 2007-09-03] (Realtek Semiconductor)
HKLM\...\Run: [eDataSecurity Loader] - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe [603184 2009-09-10] (Egis Incorporated)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [40048 2007-03-08] (Adobe Systems Incorporated)
HKLM\...\Run: [NvCplDaemon] - C:\Windows\system32\NvCpl.dll [13535776 2008-04-02] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] - C:\Windows\system32\NvMcTray.dll [92704 2008-04-02] (NVIDIA Corporation)
HKLM\...\Run: [PLFSetI] - C:\Windows\PLFSetI.exe [200704 2007-10-23] ()
HKLM\...\Run: [PLFSetL] - C:\Windows\\PLFSetL.exe [94208 2007-07-05] (sonix)
HKLM\...\Run: [iAAnotif] - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [178712 2007-07-12] (Intel Corporation)
HKLM\...\Run: [eAudio] - C:\Acer\Empowering Technology\eAudio\eAudio.exe [1286144 2007-10-09] (CyberLink)
HKLM\...\Run: [LManager] - C:\PROGRA~1\LAUNCH~1\LManager.exe [768520 2008-01-04] (Dritek System Inc.)
HKLM\...\Run: [PlayMovie] - C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe [200704 2008-01-21] (CyberLink Corp.)
HKLM\...\Run: [Apoint] - C:\Program Files\Apoint2K\Apoint.exe [159744 2007-07-21] (Alps Electric Co., Ltd.)
HKLM\...\Run: [eRecoveryService] -  [x]
HKLM\...\Run: [autodetect] - C:\Windows\system32\SupportAppXL\AutoDect.exe [91648 2008-08-25] ()
HKLM\...\Run: [DivXUpdate] - C:\Program Files\DivX\DivX Update\DivXUpdate.exe [1135912 2010-03-05] ()
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2012-01-17] (Sun Microsystems, Inc.)
HKU\Default\...\Run: [WindowsWelcomeCenter] - C:\Windows\System32\oobefldr.dll [ 2008-01-20] (Microsoft Corporation)
HKU\Default\...\RunOnce: [AcerScrSav] - C:\Windows\Acer\run_NB.exe [ 2007-08-20] ()
HKU\Default User\...\Run: [WindowsWelcomeCenter] - C:\Windows\System32\oobefldr.dll [ 2008-01-20] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [AcerScrSav] - C:\Windows\Acer\run_NB.exe [ 2007-08-20] ()
HKU\Mun\...\Run: [iSUSPM] - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [ 2006-05-16] (Macrovision Corporation)
HKU\Mun\...\Run: [msnmsgr] - C:\Program Files\Windows Live\Messenger\msnmsgr.exe [ 2009-07-25] (Microsoft Corporation)
HKU\Mun\...\Run: [DAEMON Tools Lite] - C:\Program Files\DAEMON Tools Lite\DTLite.exe [ 2009-10-30] (DT Soft Ltd)
HKU\Mun\...\Run: [sony PC Companion] - C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe [ 2013-05-28] (Sony)
HKU\Mun\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [ 2008-01-20] (Microsoft Corporation)
HKU\Mun\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Mun\AppData\Local\Temp\tjkpxpfxorgribbhp.exe [ 2013-08-16] (Valve Corporation) <===== ATTENTION
HKU\Mun\...\Winlogon: [shell] cmd.exe [ 2008-01-20] (Microsoft Corporation) <==== ATTENTION
HKU\Mun\...\Command Processor: "C:\Users\Mun\AppData\Local\Temp\tjkpxpfxorgribbhp.exe" <===== ATTENTION!
Startup: C:\Users\Mun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
ShortcutTarget: Adobe Gamma.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

========================== Services (Whitelisted) =================

S2 Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [144712 2009-07-08] (Apple Inc.)
S2 eDataSecurity Service; C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe [497712 2008-03-05] (Egis Incorporated)
S2 eLockService; C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe [24576 2007-10-01] (Acer Inc.)
S2 eNet Service; C:\Acer\Empowering Technology\eNet\eNet Service.exe [131072 2007-12-20] (Acer Inc.)
S2 eRecoveryService; C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe [57344 2007-09-09] (Acer Inc.)
S2 eSettingsService; C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [24576 2007-12-19] ()
S2 MobilityService; C:\Acer\Mobility Center\MobilityService.exe [110592 2007-11-27] ()
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [11736 2011-04-26] (Microsoft Corporation)
S2 NIS; C:\Program Files\Norton Internet Security\Engine\20.4.0.40\diMaster.dll [556336 2013-05-29] (Symantec Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [208944 2011-04-26] (Microsoft Corporation)
S2 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [266343 2007-12-03] ()
S3 Sony PC Companion; C:\Program Files\Sony\Sony PC Companion\PCCService.exe [155824 2013-02-04] (Avanquest Software)
S2 Stuffit Archive Name Service; C:\Program Files\Smith Micro\StuffIt 12.0.1\ArcNameService.exe [157016 2008-05-22] (Smith Micro Software, Inc.)
S2 WMIService; C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [167936 2007-09-19] (acer)
S2 WTouchService; C:\Program Files\WTouch\WTouchService.exe [112936 2009-09-07] (Wacom Technology, Corp.)

==================== Drivers (Whitelisted) ====================

S1 ASPI32; C:\Windows\System32\Drivers\ASPI32.sys [16877 2002-07-16] (Adaptec)
S2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [278728 2010-02-08] ()
S1 BHDrvx86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\Definitions\BASHDefs\20120815.002\BHDrvx86.sys [995488 2012-08-10] (Symantec Corporation)
S1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1404000.028\ccSetx86.sys [134744 2013-04-15] (Symantec Corporation)
S1 DritekPortIO; C:\PROGRA~1\LAUNCH~1\DPortIO.sys [20112 2006-11-02] (Dritek System Inc.)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-07-31] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-07-31] (Symantec Corporation)
S1 IDSVix86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\Definitions\IPSDefs\20120811.001\IDSVix86.sys [386208 2012-08-10] (Symantec Corporation)
S2 int15; C:\Acer\Empowering Technology\eRecovery\int15.sys [15392 2007-07-02] (Acer, Inc.)
S2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [25416 2010-02-08] ()
S1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [165648 2011-04-17] (Microsoft Corporation)
S3 MpNWMon; C:\Windows\System32\DRIVERS\MpNWMon.sys [43392 2011-04-17] (Microsoft Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\Definitions\VirusDefs\20120913.019\NAVENG.SYS [92704 2012-09-12] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\Definitions\VirusDefs\20120913.019\NAVEX15.SYS [1601184 2012-09-12] (Symantec Corporation)
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [691696 2007-03-26] (Duplex Secure Ltd.)
S3 SRTSP; C:\Windows\System32\Drivers\NIS\1404000.028\SRTSP.SYS [603224 2013-05-15] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NIS\1404000.028\SRTSPX.SYS [32344 2013-03-04] (Symantec Corporation)
S0 SymDS; C:\Windows\System32\drivers\NIS\1404000.028\SYMDS.SYS [367704 2013-05-20] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\NIS\1404000.028\SYMEFA.SYS [934488 2013-05-22] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142496 2013-06-21] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\NIS\1404000.028\Ironx86.SYS [175264 2013-03-04] (Symantec Corporation)
S1 SYMTDIv; C:\Windows\System32\Drivers\NIS\1404000.028\SYMTDIV.SYS [352344 2013-04-24] (Symantec Corporation)
S3 WacomVTHid; C:\Windows\System32\DRIVERS\WacomVTHid.sys [13224 2009-05-19] (Wacom Technology)
S2 WinisoCDBus; C:\Windows\System32\drivers\WinisoCDBus.sys [121600 2013-06-05] (WinISO.com)
S3 WSVD; C:\Windows\system32\drivers\WSVD.sys [75776 2007-12-15] (Wasay)
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796}; C:\Program Files\Acer Arcade Deluxe\Play Movie\000.fcl [41456 2008-01-03] (Cyberlink Corp.)
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 SYMDNS; \SystemRoot\System32\Drivers\NIS\1002000.007\SYMDNS.SYS [x]
S3 SYMFW; \SystemRoot\System32\Drivers\NIS\1008030.006\SYMFW.SYS [x]
S3 SYMNDISV; \SystemRoot\System32\Drivers\NIS\1008030.006\SYMNDISV.SYS [x]
S3 SYMREDRV; \SystemRoot\System32\Drivers\NIS\1002000.007\SYMREDRV.SYS [x]
S2 wuaserv;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-08-16 15:15 - 2013-08-16 15:15 - 00000000 ____D C:\Windows\System32\MRT
2013-08-16 00:08 - 2013-08-16 00:08 - 01002747 _____ C:\ProgramData\2433f433
2013-08-16 00:08 - 2013-08-16 00:08 - 01002745 _____ C:\Users\Mun\AppData\Local\2433f433
2013-08-16 00:08 - 2013-08-16 00:08 - 01002743 _____ C:\Users\Mun\AppData\Roaming\2433f433
2013-08-09 19:30 - 2013-08-10 04:44 - 00065170 _____ C:\Users\Mun\Documents\CBR for Deposits-Indu 07082013.xlsx

==================== One Month Modified Files and Folders =======

2013-08-16 17:30 - 2008-10-16 10:54 - 01248479 _____ C:\Windows\WindowsUpdate.log
2013-08-16 17:30 - 2006-11-02 02:33 - 00706760 _____ C:\Windows\System32\PerfStringBackup.INI
2013-08-16 17:25 - 2009-11-06 04:48 - 00000000 ____D C:\Users\Mun\AppData\Roaming\WTablet
2013-08-16 17:24 - 2008-10-24 20:10 - 00292219 _____ C:\ProgramData\nvModes.001
2013-08-16 17:24 - 2008-10-24 20:08 - 00292219 _____ C:\ProgramData\nvModes.dat
2013-08-16 17:24 - 2006-11-02 04:47 - 00003216 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-16 17:24 - 2006-11-02 04:47 - 00003216 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-16 17:23 - 2010-04-19 08:42 - 00812722 _____ C:\Windows\PFRO.log
2013-08-16 15:21 - 2013-08-16 15:15 - 00000000 ____D C:\Windows\System32\MRT
2013-08-16 15:15 - 2008-03-18 02:59 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-08-16 15:15 - 2006-11-02 02:24 - 75778376 _____ (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-08-16 00:08 - 2013-08-16 00:08 - 01002747 _____ C:\ProgramData\2433f433
2013-08-16 00:08 - 2013-08-16 00:08 - 01002745 _____ C:\Users\Mun\AppData\Local\2433f433
2013-08-16 00:08 - 2013-08-16 00:08 - 01002743 _____ C:\Users\Mun\AppData\Roaming\2433f433
2013-08-15 23:56 - 2009-03-20 21:00 - 00000000 ____D C:\Users\Mun\Tracing
2013-08-10 04:44 - 2013-08-09 19:30 - 00065170 _____ C:\Users\Mun\Documents\CBR for Deposits-Indu 07082013.xlsx
2013-08-09 19:16 - 2013-05-24 17:24 - 00000000 ____D C:\Users\Mun\Documents\PCP
2013-08-09 19:11 - 2011-03-02 19:29 - 00009746 _____ C:\Windows\setupact.log
2013-08-03 02:03 - 2009-04-27 05:02 - 00000000 ____D C:\Users\Mun\AppData\Local\Smith Micro
2013-08-03 01:35 - 2010-02-14 03:11 - 00000000 ____D C:\Users\Mun\AppData\Roaming\EndNote
2013-08-02 16:45 - 2009-05-19 03:33 - 00000000 ____D C:\Users\Mun\Desktop\TAX - Latest
2013-07-19 01:15 - 2012-05-19 18:24 - 00282682 _____ C:\Windows\DPINST.LOG

Files to move or delete:
====================
C:\Users\Mun\AppData\Local\Temp\tjkpxpfxorgribbhp.exe
C:\ProgramData\nvModes.dat

==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-07-26 22:42:41
Restore point made on: 2013-07-30 20:13:51
Restore point made on: 2013-08-02 17:36:32
Restore point made on: 2013-08-03 20:46:18
Restore point made on: 2013-08-09 21:32:08
Restore point made on: 2013-08-11 21:20:44
Restore point made on: 2013-08-16 15:13:15

==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 2045.37 MB
Available physical RAM: 1783.35 MB
Total Pagefile: 1977.26 MB
Available Pagefile: 1848.59 MB
Total Virtual: 2047.88 MB
Available Virtual: 1972.51 MB

==================== Drives ================================

Drive c: (ACER) (Fixed) (Total:68.77 GB) (Free:9.9 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:68.56 GB) (Free:56.91 GB) NTFS
Drive f: (PENDRIVE) (Removable) (Total:3.71 GB) (Free:0.29 GB) FAT32
Drive x: (PQSERVICE) (Fixed) (Total:11.71 GB) (Free:2.1 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 149 GB) (Disk ID: D2D221F4)
Partition 1: (Not Active) - (Size=12 GB) - (Type=27)
Partition 2: (Active) - (Size=69 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=69 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 00000000)
Partition 1: (Active) - (Size=4 GB) - (Type=0C)


LastRegBack: 2013-08-16 17:32

==================== End Of Log ============================

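As an added detection example (my code, not part of this thread and not something FRST or Malwarebytes ship), the following Python parser applies the checks behind the ATTENTION markers in the log above to a few constructed lines in FRST's registry-section format: a Run entry launching from a Temp directory, a random-looking value name, a Winlogon shell that is not explorer.exe, and a Command Processor entry (which I assume is how FRST reports the cmd.exe AutoRun value).

```python
import re

# Constructed sample lines in the FRST "Registry (Whitelisted)" format, modelled on
# the log posted above (not produced by running FRST here).
SAMPLE_LINES = [
    r"HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-20] (Microsoft Corporation)",
    r"HKU\Mun\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Mun\AppData\Local\Temp\tjkpxpfxorgribbhp.exe [ 2013-08-16] (Valve Corporation)",
    r"HKU\Mun\...\Winlogon: [shell] cmd.exe [ 2008-01-20] (Microsoft Corporation)",
    r'HKU\Mun\...\Command Processor: "C:\Users\Mun\AppData\Local\Temp\tjkpxpfxorgribbhp.exe"',
    r"HKU\Mun\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [ 2008-01-20] (Microsoft Corporation)",
]

# Line shapes as they appear in the FRST log on this page (assumed stable for this FRST version).
RUN_RE = re.compile(r"^(?P<key>HK[^:]+)\\Run(?:Once)?: \[(?P<name>[^\]]*)\] - (?P<path>.*?) ?\[")
SHELL_RE = re.compile(r"^(?P<key>HK[^:]+)\\Winlogon: \[shell\] (?P<value>.*?) \[")
CMDPROC_RE = re.compile(r"^(?P<key>HK[^:]+)\\Command Processor: (?P<value>.+)$")

# Locations a legitimate autorun almost never points at (compared case-insensitively).
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Long lowercase alphanumeric names like the one in the log are a common sign of generated value names.
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{20,}$")


def flag_suspicious_autoruns(lines):
    """Return [(line, [reasons...])] for each line matching one of the persistence patterns."""
    findings = []
    for line in lines:
        reasons = []
        m = RUN_RE.match(line)
        if m:
            path, name = m.group("path").lower(), m.group("name")
            if any(t in path for t in TEMP_DIRS):
                reasons.append("Run entry launches an executable from a Temp directory")
            if RANDOM_NAME_RE.match(name) and re.search(r"\d", name) and re.search(r"[a-z]", name):
                reasons.append("random-looking value name")
        m = SHELL_RE.match(line)
        if m and m.group("value").lower() != "explorer.exe":
            reasons.append("Winlogon shell replaced (expected explorer.exe)")
        if CMDPROC_RE.match(line):
            reasons.append("Command Processor AutoRun set: runs every time cmd.exe starts")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in flag_suspicious_autoruns(SAMPLE_LINES):
        print(line)
        for r in reasons:
            print("    <== " + r)
```

On the sample above, the three lines FRST marked with ATTENTION are the three the function returns; the two ordinary Run entries are left alone.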

OK, here you go... this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: now please enter System Recovery Options (as you did before).

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now, and if so, run MBAR.

If not, rescan with FRST and post the new log.

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt.
To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC


Well done, let's run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your anti-malware programs and run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your anti-malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
