
White Screen Moneypak Malware



My desktop computer has become infected with what is apparently the "moneypak" virus. Sure enough the only thing I get when I boot up is a white screen demanding money. I've tried safe mode and such with no luck... In looking at previous posts I was able to make an OTLPE disk on another computer and scan my system. I'll post the log below if it helps. Not sure what to do next. Can anyone please help me out on this one?

OTLPE LOG from earlier today:

OTL logfile created on: 9/14/2013 1:46:51 PM - Run
OTLPE by OldTimer - Version 3.1.48.0     Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 372.61 Gb Total Space | 220.13 Gb Free Space | 59.08% Space Free | Partition Type: NTFS
Drive D: | 232.88 Gb Total Space | 89.72 Gb Free Space | 38.53% Space Free | Partition Type: NTFS
Drive E: | 1397.25 Gb Total Space | 650.82 Gb Free Space | 46.58% Space Free | Partition Type: NTFS
Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
 
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet003
 
========== Win32 Services (SafeList) ==========
 
SRV - [2013/09/13 23:42:12 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- D:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/08/26 19:37:59 | 000,117,656 | ---- | M] (Mozilla Foundation) [On_Demand] -- D:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/02/28 22:25:34 | 000,161,384 | R--- | M] (Skype Technologies) [Auto] -- D:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2011/05/10 08:10:57 | 000,042,184 | ---- | M] (AVAST Software) [Auto] -- D:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/11/11 17:57:04 | 000,268,528 | ---- | M] (Microsoft Corporation) [On_Demand] -- D:\Program Files\Zune\WMZuneComm.exe -- (WMZuneComm)
SRV - [2010/11/11 17:57:02 | 000,444,656 | ---- | M] (Microsoft Corporation) [On_Demand] -- D:\Program Files\Zune\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/11/11 17:55:56 | 006,351,600 | ---- | M] (Microsoft Corporation) [On_Demand] -- D:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2010/11/11 17:55:56 | 000,057,072 | ---- | M] (Microsoft Corporation) [Auto] -- D:\Program Files\Zune\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2007/01/31 17:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto] -- D:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand] --  -- (SetupNTGLM7X)
DRV - File not found [Kernel | On_Demand] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] --  -- (PDCOMP)
DRV - File not found [Kernel | System] --  -- (PCIDump)
DRV - File not found [Kernel | On_Demand] --  -- (NTACCESS)
DRV - File not found [Kernel | System] --  -- (lbrtfdc)
DRV - File not found [Kernel | System] --  -- (i2omgmt)
DRV - File not found [Kernel | On_Demand] --  -- (GMSIPCI)
DRV - File not found [Kernel | On_Demand] --  -- (cpuz132)
DRV - File not found [Kernel | System] --  -- (Changer)
DRV - [2013/09/14 14:25:25 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand] -- D:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2011/05/10 08:03:54 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System] -- D:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/05/10 08:03:44 | 000,307,928 | ---- | M] (AVAST Software) [Kernel | System] -- D:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/05/10 08:02:37 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System] -- D:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/05/10 08:02:25 | 000,102,616 | ---- | M] (AVAST Software) [File_System | Auto] -- D:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/05/10 07:59:56 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System] -- D:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/05/10 07:59:37 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System] -- D:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/05/10 07:59:35 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto] -- D:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/07/28 21:27:36 | 006,108,776 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- D:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2010/07/06 07:13:10 | 000,234,392 | ---- | M] (Realtek Semiconductor Corporation                           ) [Kernel | On_Demand] -- D:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2010/01/28 10:25:05 | 000,058,600 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- D:\WINDOWS\system32\drivers\nvhda32.sys -- (NVHDA)
DRV - [2009/11/18 10:17:00 | 001,395,800 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- D:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2009/11/18 10:16:00 | 001,691,480 | ---- | M] (Creative) [Kernel | On_Demand] -- D:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2008/04/13 14:45:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/08/15 23:49:14 | 000,155,792 | R--- | M] (Promise Technology, Inc.) [Kernel | Boot] -- D:\WINDOWS\system32\drivers\FTT3.sys -- (FTT3)
DRV - [2007/03/16 13:11:38 | 000,012,256 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto] -- D:\WINDOWS\System32\drivers\TBPanel.sys -- (TBPanel)
DRV - [2007/03/16 13:11:38 | 000,012,256 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand] -- D:\WINDOWS\system32\drivers\TBPanel.sys -- (Cardex)
DRV - [2006/11/02 10:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2005/01/15 03:25:20 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- D:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2005/01/15 03:24:36 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- D:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k) Creative SB Live! (WDM)
DRV - [2005/01/15 03:24:30 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- D:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [2005/01/15 03:24:30 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- D:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)
DRV - [2005/01/14 20:24:14 | 000,036,224 | ---- | M] (ADMtek Incorporated.) [Kernel | On_Demand] -- D:\WINDOWS\system32\drivers\an983.sys -- (AN983)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\Administrator_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\Administrator_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/search?FORM=BABTDF&PC=BBLN&q="
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}:6.0.29
FF - prefs.js..keyword.URL: "http://www.bing.com/search?FORM=BABTDF&PC=BBLN&q="
FF - prefs.js..network.proxy.type: 0
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: D:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_8_800_168.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: D:\Program Files\Canon\ZoomBrowser EX\Program\NPCIG.dll (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_37: D:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: D:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: D:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpWinExt,version=4.0: D:\Program Files\MSN Toolbar\Platform\4.0.0417.0\npwinext.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: D:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: D:\Program Files\Microsoft Office\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: D:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: D:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\msntoolbar@msn.com: C:\Program Files\MSN Toolbar\Platform\4.0.0417.0\Firefox [2010/09/14 10:40:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2010/09/14 10:40:52 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 23.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/08/26 19:37:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 23.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/08/26 19:37:53 | 000,000,000 | ---D | M]
 
[2010/09/13 19:09:23 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2012/11/11 19:03:35 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x9sacqu6.default\extensions
[2010/09/14 23:25:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x9sacqu6.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/09/14 13:53:04 | 000,001,832 | ---- | M] () -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x9sacqu6.default\searchplugins\bing.xml
[2013/08/26 19:37:52 | 000,000,000 | ---D | M] (No name found) -- D:\Program Files\Mozilla Firefox\extensions
[2013/08/26 19:37:52 | 000,000,000 | ---D | M] (Java Console) -- D:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
[2013/08/26 19:37:52 | 000,000,000 | ---D | M] (Java Console) -- D:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
[2013/08/26 19:37:51 | 000,000,000 | ---D | M] (No name found) -- D:\Program Files\Mozilla Firefox\browser\extensions
[2013/08/26 19:38:00 | 000,000,000 | ---D | M] (Default) -- D:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
File not found (No name found) --
[2011/12/03 14:12:20 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- D:\Program Files\mozilla firefox\plugins\NPcol400.dll
[2010/07/12 12:33:56 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- D:\Program Files\mozilla firefox\plugins\npwachk.dll
 
O1 HOSTS File: ([2011/11/12 13:45:34 | 000,438,353 | R--- | M]) - D:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: 127.0.0.1    www.007guard.com
O1 - Hosts: 127.0.0.1    007guard.com
O1 - Hosts: 127.0.0.1    008i.com
O1 - Hosts: 127.0.0.1    www.008k.com
O1 - Hosts: 127.0.0.1    008k.com
O1 - Hosts: 127.0.0.1    www.00hq.com
O1 - Hosts: 127.0.0.1    00hq.com
O1 - Hosts: 127.0.0.1    010402.com
O1 - Hosts: 127.0.0.1    www.032439.com
O1 - Hosts: 127.0.0.1    032439.com
O1 - Hosts: 127.0.0.1    www.0scan.com
O1 - Hosts: 127.0.0.1    0scan.com
O1 - Hosts: 127.0.0.1    1000gratisproben.com
O1 - Hosts: 127.0.0.1    www.1000gratisproben.com
O1 - Hosts: 127.0.0.1    1001namen.com
O1 - Hosts: 127.0.0.1    www.1001namen.com
O1 - Hosts: 127.0.0.1    100888290cs.com
O1 - Hosts: 127.0.0.1    www.100888290cs.com
O1 - Hosts: 127.0.0.1    www.100sexlinks.com
O1 - Hosts: 127.0.0.1    100sexlinks.com
O1 - Hosts: 127.0.0.1    10sek.com
O1 - Hosts: 127.0.0.1    www.10sek.com
O1 - Hosts: 127.0.0.1    www.1-2005-search.com
O1 - Hosts: 127.0.0.1    1-2005-search.com
O1 - Hosts: 15079 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\Administrator_ON_D\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [Acrobat Assistant 7.0] D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [APSDaemon] D:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avast5] D:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [bCSSync] D:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [DisplaySwitch] D:\Documents and Settings\Administrator\Templates\securitywindrv.exe (Babylon Ltd.)
O4 - HKLM..\Run: [EEventManager] D:\Program Files\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] D:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] D:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [Recordpad] D:\Program Files\NCH Software\Recordpad\recordpad.exe (NCH Software)
O4 - HKLM..\Run: [RemoteControl] D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
O4 - HKLM..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
O4 - HKLM..\Run: [Zune Launcher] D:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKU\Administrator_ON_D..\Run: [NBJ] D:\Program Files\Ahead\Nero BackItUp\NBJ.exe (Ahead Software AG)
O4 - HKU\Administrator_ON_D..\Run: [sansaDispatch] D:\Documents and Settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
O4 - HKU\Administrator_ON_D..\Run: [spybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\Administrator_ON_D..\Run: [TBPanel] D:\Program Files\Vtune\TBPanel.exe ()
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = D:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Convert link target to Adobe PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - D:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - D:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - D:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - D:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - D:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - D:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/07/04 14:30:47 | 000,000,000 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/09/14 14:25:25 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/08/26 20:54:27 | 000,000,000 | RH-D | C] -- D:\Documents and Settings\Administrator\Recent
[2013/08/26 19:37:51 | 000,000,000 | ---D | C] -- D:\Program Files\Mozilla Firefox
[2010/09/14 13:48:43 | 000,047,360 | ---- | C] (VSO Software) -- D:\Documents and Settings\Administrator\Application Data\pcouffin.sys
[8 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013/09/14 14:29:07 | 000,000,300 | ---- | M] () -- D:\WINDOWS\tasks\recordpadShakeIcon.job
[2013/09/14 14:28:40 | 000,002,335 | ---- | M] () -- D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2013/09/14 14:28:20 | 000,278,041 | ---- | M] () -- D:\WINDOWS\System32\NvApps.xml
[2013/09/14 14:28:01 | 000,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2013/09/14 14:25:25 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/09/14 13:42:00 | 000,000,830 | ---- | M] () -- D:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/09/14 11:12:23 | 000,298,848 | ---- | M] () -- D:\WINDOWS\System32\FNTCACHE.DAT
[2013/09/14 11:00:06 | 000,001,374 | ---- | M] () -- D:\WINDOWS\imsins.BAK
[2013/09/13 23:42:10 | 000,692,616 | ---- | M] (Adobe Systems Incorporated) -- D:\WINDOWS\System32\FlashPlayerApp.exe
[2013/09/13 23:42:10 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- D:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/09/13 23:08:35 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2013/09/13 22:57:32 | 000,002,206 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2013/08/26 21:13:18 | 000,000,245 | -HS- | M] () -- D:\boot.ini
[2013/08/26 20:52:26 | 000,000,682 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2013/08/17 18:53:40 | 000,435,688 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat
[2013/08/17 18:53:40 | 000,068,584 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat
[8 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013/09/14 10:55:46 | 000,000,300 | ---- | C] () -- D:\WINDOWS\tasks\recordpadShakeIcon.job
[2013/09/02 16:42:29 | 000,001,374 | ---- | C] () -- D:\WINDOWS\imsins.BAK
[2012/02/15 18:24:33 | 000,003,072 | ---- | C] () -- D:\WINDOWS\System32\iacenc.dll
[2011/08/01 12:16:33 | 000,000,297 | ---- | C] () -- D:\WINDOWS\EReg072.dat
[2011/05/07 13:54:21 | 000,000,557 | ---- | C] () -- D:\WINDOWS\cdplayer.ini
[2011/05/07 13:43:05 | 000,001,492 | ---- | C] () -- D:\Documents and Settings\All Users\Application Data\ss.ini
[2010/10/15 15:06:12 | 000,000,128 | ---- | C] () -- D:\WINDOWS\LIBENMP3.INI
[2010/10/15 15:06:12 | 000,000,075 | ---- | C] () -- D:\WINDOWS\LIBENACM.INI
[2010/10/15 15:06:12 | 000,000,048 | ---- | C] () -- D:\WINDOWS\LIBENVRS.INI
[2010/10/15 15:06:12 | 000,000,029 | ---- | C] () -- D:\WINDOWS\LIBENWMA.INI
[2010/10/15 13:37:34 | 000,002,102 | ---- | C] () -- D:\WINDOWS\smp3m45v.ini
[2010/09/20 14:38:30 | 000,010,240 | ---- | C] () -- D:\WINDOWS\System32\vidx16.dll
[2010/09/18 18:01:43 | 000,037,376 | ---- | C] () -- D:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/14 17:55:30 | 000,000,116 | ---- | C] () -- D:\WINDOWS\NeroDigital.ini
[2010/09/14 13:56:27 | 000,000,032 | ---- | C] () -- D:\WINDOWS\CD_Start.INI
[2010/09/14 13:52:21 | 000,002,126 | ---- | C] () -- D:\WINDOWS\AutostarSuite.ini
[2010/09/14 13:48:43 | 000,087,608 | ---- | C] () -- D:\Documents and Settings\Administrator\Application Data\ezpinst.exe
[2010/09/14 13:48:43 | 000,007,824 | ---- | C] () -- D:\Documents and Settings\Administrator\Application Data\pcouffin.cat
[2010/09/14 13:48:43 | 000,001,144 | ---- | C] () -- D:\Documents and Settings\Administrator\Application Data\pcouffin.inf
[2010/09/14 13:44:52 | 000,040,960 | ---- | C] () -- D:\Program Files\Uninstall_CDS.exe
[2010/09/14 11:01:43 | 000,000,000 | ---- | C] () -- D:\WINDOWS\EEventManager.INI
[2010/09/14 10:45:06 | 000,073,220 | ---- | C] () -- D:\WINDOWS\System32\EPPICPrinterDB.dat
[2010/09/14 10:45:06 | 000,031,053 | ---- | C] () -- D:\WINDOWS\System32\EPPICPattern131.dat
[2010/09/14 10:45:06 | 000,029,114 | ---- | C] () -- D:\WINDOWS\System32\EPPICPattern1.dat
[2010/09/14 10:45:06 | 000,027,417 | ---- | C] () -- D:\WINDOWS\System32\EPPICPattern121.dat
[2010/09/14 10:45:06 | 000,021,021 | ---- | C] () -- D:\WINDOWS\System32\EPPICPattern3.dat
[2010/09/14 10:45:06 | 000,015,670 | ---- | C] () -- D:\WINDOWS\System32\EPPICPattern5.dat
[2010/09/14 10:45:06 | 000,013,280 | ---- | C] () -- D:\WINDOWS\System32\EPPICPattern2.dat
[2010/09/14 10:45:06 | 000,010,673 | ---- | C] () -- D:\WINDOWS\System32\EPPICPattern4.dat
[2010/09/14 10:45:06 | 000,004,943 | ---- | C] () -- D:\WINDOWS\System32\EPPICPattern6.dat
[2010/09/14 10:45:06 | 000,001,140 | ---- | C] () -- D:\WINDOWS\System32\EPPICPresetData_PT.dat
[2010/09/14 10:45:06 | 000,001,140 | ---- | C] () -- D:\WINDOWS\System32\EPPICPresetData_BP.dat
[2010/09/14 10:45:06 | 000,001,137 | ---- | C] () -- D:\WINDOWS\System32\EPPICPresetData_ES.dat
[2010/09/14 10:45:06 | 000,001,130 | ---- | C] () -- D:\WINDOWS\System32\EPPICPresetData_FR.dat
[2010/09/14 10:45:06 | 000,001,130 | ---- | C] () -- D:\WINDOWS\System32\EPPICPresetData_CF.dat
[2010/09/14 10:45:06 | 000,001,104 | ---- | C] () -- D:\WINDOWS\System32\EPPICPresetData_EN.dat
[2010/09/14 10:45:06 | 000,000,097 | ---- | C] () -- D:\WINDOWS\System32\PICSDK.ini
[2010/09/13 19:09:14 | 000,000,000 | ---- | C] () -- D:\WINDOWS\nsreg.dat
[2010/07/04 14:31:46 | 000,002,048 | --S- | C] () -- D:\WINDOWS\bootstat.dat
[2010/07/04 14:26:32 | 000,021,640 | ---- | C] () -- D:\WINDOWS\System32\emptyregdb.dat
[2010/07/04 07:18:36 | 000,004,161 | ---- | C] () -- D:\WINDOWS\ODBCINST.INI
[2010/07/04 07:17:35 | 000,298,848 | ---- | C] () -- D:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/06 06:25:58 | 002,185,518 | ---- | C] () -- D:\WINDOWS\System32\nvdata.bin
[2010/01/12 09:35:44 | 000,080,416 | ---- | C] () -- D:\WINDOWS\System32\RtNicProp32.dll
[2008/01/09 05:53:00 | 000,286,720 | ---- | C] () -- D:\WINDOWS\System32\nvnt4cpl.dll
[2004/08/04 01:07:22 | 000,001,804 | ---- | C] () -- D:\WINDOWS\System32\dcache.bin
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- D:\WINDOWS\System32\secupd.dat
[2002/08/29 12:00:00 | 013,107,200 | ---- | C] () -- D:\WINDOWS\System32\oembios.bin
[2002/08/29 12:00:00 | 000,673,088 | ---- | C] () -- D:\WINDOWS\System32\mlang.dat
[2002/08/29 12:00:00 | 000,435,688 | ---- | C] () -- D:\WINDOWS\System32\perfh009.dat
[2002/08/29 12:00:00 | 000,272,128 | ---- | C] () -- D:\WINDOWS\System32\perfi009.dat
[2002/08/29 12:00:00 | 000,218,003 | ---- | C] () -- D:\WINDOWS\System32\dssec.dat
[2002/08/29 12:00:00 | 000,068,584 | ---- | C] () -- D:\WINDOWS\System32\perfc009.dat
[2002/08/29 12:00:00 | 000,046,258 | ---- | C] () -- D:\WINDOWS\System32\mib.bin
[2002/08/29 12:00:00 | 000,028,626 | ---- | C] () -- D:\WINDOWS\System32\perfd009.dat
[2002/08/29 12:00:00 | 000,004,463 | ---- | C] () -- D:\WINDOWS\System32\oembios.dat
[2002/08/29 12:00:00 | 000,000,741 | ---- | C] () -- D:\WINDOWS\System32\noise.dat
 
========== LOP Check ==========
 
[2010/09/14 14:14:46 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Alwil Software
[2012/12/01 14:20:32 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Battle.net
[2010/09/14 10:44:57 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\EPSON
[2011/05/07 13:40:12 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\FreeRIP
[2011/07/11 19:10:45 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2010/07/04 17:21:02 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2012/02/12 19:23:01 | 000,000,304 | ---- | M] () -- D:\WINDOWS\Tasks\expresszipShakeIcon.job
[2013/09/14 14:29:07 | 000,000,300 | ---- | M] () -- D:\WINDOWS\Tasks\recordpadShakeIcon.job
[2011/10/25 17:28:02 | 000,000,292 | ---- | M] () -- D:\WINDOWS\Tasks\wavepadShakeIcon.job
 
========== Purity Check ==========
 
 
< End of report >
 

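As an added example (not part of the original post, and not code from the OTL tool), the following Python script parses the O4 "Run" lines of an OTL log like the one above and lists the autorun entries an analyst would examine first. The sample lines are copied from the posted log; the triage heuristics (an autorun executing from the user profile, a binary with no company name in its version resource, a registry value pointing at a missing file) are my own assumptions about what deserves a second look, not findings about this machine. On the sample it surfaces the DisplaySwitch entry under the Templates folder alongside a vendor updater under Application Data and an entry with an empty "()" company field; the script ranks, a human decides.

```python
import re

# Sample input: O4 autorun lines copied from the OTL log posted in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [avast5] D:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [DisplaySwitch] D:\Documents and Settings\Administrator\Templates\securitywindrv.exe (Babylon Ltd.)
O4 - HKLM..\Run: [NvCplDaemon] D:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKU\Administrator_ON_D..\Run: [sansaDispatch] D:\Documents and Settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
O4 - HKU\Administrator_ON_D..\Run: [TBPanel] D:\Program Files\Vtune\TBPanel.exe ()
""".strip().splitlines()

# Line shape: "O4 - <hive>..\Run: [<value name>] <path> (<company>)"
#         or: "O4 - <hive>..\Run: [<value name>]  File not found"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]*)\]\s+(?P<rest>.*)$")

# Locations under the user profile (assumed heuristic): a Run entry pointing here is not
# proof of infection, but it is where per-user installers and droppers both land.
PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")


def parse_o4(line):
    """Return a dict for an O4 Run line, or None if the line is not one."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = {"hive": m.group("hive"), "name": m.group("name"), "path": None, "company": None}
    rest = m.group("rest")
    if rest.startswith("File not found"):
        return entry
    # OTL appends the company name from the file's version resource as " (Company)";
    # an empty "()" means the binary carries no company name.
    idx = rest.rfind(" (")
    if idx != -1 and rest.endswith(")"):
        entry["path"] = rest[:idx]
        entry["company"] = rest[idx + 2:-1]
    else:
        entry["path"] = rest
    return entry


def triage(entry):
    """Return the list of reasons this entry deserves a manual look (empty if none)."""
    reasons = []
    if entry["path"] is None:
        reasons.append("registry value points at a file that no longer exists")
        return reasons
    lower = entry["path"].lower()
    if any(marker in lower for marker in PROFILE_MARKERS):
        reasons.append("executes from a user-profile directory rather than Program Files or Windows")
    if not entry["company"]:
        reasons.append("binary has no company name in its version resource")
    return reasons


def triage_log(lines):
    """Parse every O4 Run line and return the flagged entries with their reasons."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            flagged.append({"name": entry["name"], "path": entry["path"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_O4_LINES):
        print(f"[{hit['name']}] {hit['path']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Run it against the O4 section of a full log by feeding the file's lines to `triage_log`; lines that are not O4 Run entries are skipped. The profile-directory rule is deliberately broad: it catches legitimate per-user updaters as well, which is the point of a triage list rather than a verdict.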

Welcome to the forum. The use of OTLPE is now prohibited on this and many other forums:

OTLPE at this time contains files from Microsoft Windows XP. Microsoft holds the copyrights to those files, thus making its use or distribution illegal.
Providing users information to download and use the tool is also illegal, at least in the United States and probably most other countries.

Boot to normal Windows. When the ransom screen has loaded, press the Alt and F4 keys together; does the ransom screen close? If so, open Malwarebytes, update it and run a Quick Scan.... Does that happen?

If not, try the following; you'll need access to another PC....

Create the Windows Defender Offline tool. I give the instructions to load it to a USB flash drive.

Download the tool from here: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline and save it to the Desktop.

You will have to select the correct version for your system, either 32 or 64 bit.

Double-click the WD executable to run the tool; Windows 7 or Vista users right-click and select "Run as Administrator".

Read the instructions in the new window and select "Next".

In the new window accept the agreement.

In the new window select your USB flash drive, then select "Next".

In the new window ensure your flash drive is selected; if not, click on "Refresh", then select "Next".

In the new window accept the formatting alert by selecting "Next".

Files will be downloaded.

Files will be processed and created.

The flash drive will be formatted and prepared.

Files will be added to the flash drive and the tool will be created.

The procedure is finished and the tool created; click on "Finish" to complete.

Plug the USB stick into the sick PC and boot up. If it does not boot from the flash drive, change the boot options as required (use F12 as it boots to change the options...).
As it boots you'll see files being loaded and the Windows splash screen; eventually the tool will run a "Quick Scan". Follow the prompts and deal with what it finds.
When complete, do a full scan and deal with what it finds.
When finished, remove the USB stick, then press the Esc key to boot into regular Windows.
Navigate to the following file:
"C:\windows\windows defender offline\support\mssWrapper.log" Open it with Notepad and copy and paste it into a reply.


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
