New Ukash ?


Huolto

Hello

I'm not sure if this is the right place to ask, but here goes.

I have a laptop with UKASH malware (Finnish version). Looks like a new version. It speaks and all :(. All the normal "no safe mode" and other crap as before.

Usually I have removed those with another laptop (moved the disk to a USB dock and ran Antimalware on the disk).

But now neither Antimalware (nor any other program I have tried so far) finds anything bad on the disk.

Any ideas what to do?


OK, we can run the FRST tool from a USB stick via the recovery environment on the sick PC; use a clean PC to get the tool as per below...

 

Download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Save it to a USB flash drive. Ensure you get the correct version for your system, 32 bit or 64 bit.

 

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

 

Plug the flash drive into the infected PC.

 

If you are using Windows 8, consult How to use the Windows 8 System Recovery Environment Command Prompt here: http://www.bleepingcomputer.com/tutorials/windows-8-recovery-environment-command-prompt/ to enter the System Recovery Command Prompt.

 

If you are using Vista or Windows 7 enter System Recovery Options.

 

 

Enter System Recovery Options. I give two methods; use whichever is convenient for you.

 

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

 

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

 

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

 

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 

Kevin


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-09-2013
Ran by SYSTEM on MINWINPC on 23-09-2013 14:12:43
Running from G:\
Windows Vista Home Basic (X86) OS Language: English(US)
Internet Explorer Version 7
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1006264 2007-07-19] (Microsoft Corporation)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [827392 2007-01-12] (Synaptics, Inc.)
HKLM\...\Run: [hpWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [472776 2007-03-01] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [WAWifiMessage] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe [317128 2007-01-10] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [HP Health Check Scheduler] - C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [50696 2007-03-07] (Hewlett-Packard)
HKLM\...\Run: [QlbCtrl] - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [159744 2007-02-07] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [symantec PIF AlertEng] - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [583048 2008-01-29] (Symantec Corporation)
HKLM\...\Run: [HP Software Update] - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2007-10-14] (Hewlett-Packard)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Java\jre6\bin\jusched.exe [149280 2009-07-24] (Sun Microsystems, Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [947152 2013-01-27] (Microsoft Corporation)
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Matti\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2009-01-16] (Google Inc.)
HKU\Matti\...\Run: [TomTomHOME.exe] - C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe [ 2009-11-13] (TomTom)
HKU\Matti\...\Run: [Google Update] - C:\Users\Matti\AppData\Local\Google\Update\GoogleUpdate.exe [ 2012-03-29] (Google Inc.)
HKU\Matti\...\Run: [skype] - C:\Program Files\Skype\Phone\Skype.exe [ 2013-06-20] (Skype Technologies S.A.)
HKU\Matti\...\Run: [dyK2QKaWt8Rcf4] - C:\Users\Matti\AppData\Local\fvJcrgR.exe [ 2013-09-18] (Корпорация Майкрософт)
HKU\Matti\...\Winlogon: [shell] explorer.exe <==== ATTENTION

========================== Services (Whitelisted) =================

S3 Com4Qlb; C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe [110592 2007-01-09] (Hewlett-Packard Development Company, L.P.)
S2 HP Health Check Service; C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [62984 2007-03-08] (Hewlett-Packard)
S3 LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2999664 2007-09-26] (Symantec Corporation)
S2 LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll [537992 2008-04-10] (Symantec Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)
S2 CLTNetCnService; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]
S2 LiveUpdate Notice Ex; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]

==================== Drivers (Whitelisted) ====================

S0 CLFS; C:\Windows\System32\CLFS.sys [224824 2008-02-24] (Microsoft Corporation)
S1 eabfiltr; C:\Windows\System32\DRIVERS\eabfiltr.sys [8192 2006-11-29] (Hewlett-Packard Development Company, L.P.)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [371248 2009-08-27] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [102448 2009-08-27] (Symantec Corporation)
S3 HdAudAddService; C:\Windows\System32\drivers\CHDART.sys [159232 2007-02-21] (Conexant Systems Inc.)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S3 NAVENG; C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20091008.003\NAVENG.SYS [84912 2009-08-27] (Symantec Corporation)
S3 NAVEX15; C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20091008.003\NAVEX15.SYS [1323568 2009-08-27] (Symantec Corporation)
S3 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [279088 2007-11-30] (Symantec Corporation)
S3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [317616 2007-11-30] (Symantec Corporation)
S1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43696 2007-11-30] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [124464 2009-01-20] (Symantec Corporation)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-09-23 14:12 - 2013-09-23 14:12 - 00000000 ____D C:\FRST
2013-09-18 01:15 - 2013-09-18 01:15 - 00152651 _____ C:\Users\Matti\AppData\Local\9d8a4421-05c6-4bb4-903f-a5c7adbea94b
2013-09-18 01:14 - 2013-09-18 01:14 - 00208896 _____ (Корпорация Майкрософт) C:\Users\Matti\AppData\Local\fvJcrgR.exe
2013-09-12 05:10 - 2013-09-12 05:10 - 00000000 ____D C:\Windows\System32\MRT
2013-09-12 05:09 - 2013-09-12 05:09 - 00000000 ____D C:\967f093ea675e52a770f53aebc6702
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\Users\Matti\AppData\Roaming\ParetoLogic
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\Users\Matti\AppData\Roaming\DriverCure
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\ProgramData\ParetoLogic
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\Program Files\ParetoLogic
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\Program Files\Common Files\ParetoLogic

==================== One Month Modified Files and Folders =======

2013-09-23 14:12 - 2013-09-23 14:12 - 00000000 ____D C:\FRST
2013-09-23 03:07 - 2006-11-02 04:49 - 00030296 _____ C:\Windows\setupact.log
2013-09-23 03:04 - 2006-11-02 04:45 - 00003072 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-23 03:04 - 2006-11-02 04:45 - 00003072 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-23 03:03 - 2006-11-02 04:44 - 00033792 _____ C:\Windows\System32\umstartup.etl
2013-09-18 05:37 - 2013-07-10 08:27 - 00000000 ____D C:\Users\Matti\AppData\Roaming\Skype
2013-09-18 01:20 - 2007-01-03 06:47 - 00000012 _____ C:\Windows\bthservsdp.dat
2013-09-18 01:16 - 2007-06-06 22:26 - 01272375 _____ C:\Windows\WindowsUpdate.log
2013-09-18 01:15 - 2013-09-18 01:15 - 00152651 _____ C:\Users\Matti\AppData\Local\9d8a4421-05c6-4bb4-903f-a5c7adbea94b
2013-09-18 01:14 - 2013-09-18 01:14 - 00208896 _____ (Корпорация Майкрософт) C:\Users\Matti\AppData\Local\fvJcrgR.exe
2013-09-12 05:13 - 2012-01-31 07:55 - 00001887 _____ C:\Users\Public\Desktop\Adobe Reader 9.lnk
2013-09-12 05:10 - 2013-09-12 05:10 - 00000000 ____D C:\Windows\System32\MRT
2013-09-12 05:09 - 2013-09-12 05:09 - 00000000 ____D C:\967f093ea675e52a770f53aebc6702
2013-09-12 04:59 - 2006-11-02 02:33 - 01273706 _____ C:\Windows\System32\PerfStringBackup.INI
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\Users\Matti\AppData\Roaming\ParetoLogic
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\Users\Matti\AppData\Roaming\DriverCure
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\ProgramData\ParetoLogic
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\Program Files\ParetoLogic
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\Program Files\Common Files\ParetoLogic
2013-09-01 05:57 - 2006-11-02 02:24 - 76725432 _____ (Microsoft Corporation) C:\Windows\System32\mrt.exe

Files to move or delete:
====================
C:\Users\Matti\AppData\Roaming\AltShell.ini
C:\Users\Matti\AppData\Roaming\msconfig.ini
C:\ProgramData\Ip8n1qW.pad

Some content of TEMP:
====================
C:\Users\Matti\AppData\Local\Temp\1LIQIY.exe
C:\Users\Matti\AppData\Local\Temp\AdobeUpdater12345.exe
C:\Users\Matti\AppData\Local\Temp\contentDATs.exe
C:\Users\Matti\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Matti\AppData\Local\Temp\jre-6u15-windows-i586-iftw.exe
C:\Users\Matti\AppData\Local\Temp\jre-6u17-windows-i586-iftw-rv.exe
C:\Users\Matti\AppData\Local\Temp\SearchWithGoogleUpdate.exe
C:\Users\Matti\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\Matti\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Matti\AppData\Local\Temp\SymLCSVC.EXE
C:\Users\Matti\AppData\Local\Temp\TTFCt.exe

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-08-27 05:39:52
Restore point made on: 2013-08-28 21:38:06
Restore point made on: 2013-08-30 22:41:39
Restore point made on: 2013-09-02 06:34:54
Restore point made on: 2013-09-03 06:21:47
Restore point made on: 2013-09-04 06:46:20
Restore point made on: 2013-09-05 21:18:59
Restore point made on: 2013-09-08 07:40:20
Restore point made on: 2013-09-10 11:00:40
Restore point made on: 2013-09-12 05:09:07
Restore point made on: 2013-09-12 22:52:44
Restore point made on: 2013-09-14 06:47:53
Restore point made on: 2013-09-16 04:40:46
Restore point made on: 2013-09-17 10:06:55

==================== Memory info ===========================

Percentage of memory in use: 41%
Total physical RAM: 1014.81 MB
Available physical RAM: 596.26 MB
Total Pagefile: 778.14 MB
Available Pagefile: 635.73 MB
Total Virtual: 2047.88 MB
Available Virtual: 1976.97 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:65.16 GB) (Free:33.35 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (HP_RECOVERY) (Fixed) (Total:7.81 GB) (Free:2.99 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive e: (OS_TOOLS) (Fixed) (Total:1.55 GB) (Free:1.28 GB) NTFS
Drive g: () (Removable) (Total:14.7 GB) (Free:14.7 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 75 GB) (Disk ID: 6AB8B737)
Partition 1: (Active) - (Size=65 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=2 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 15 GB) (Disk ID: 84766F74)
No partition Table on disk 1.

LastRegBack: 2013-09-12 05:24

==================== End Of Log ============================


Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box, right click on it and select Copy. Then right click into the open Notepad and select Paste. Save it on the flash drive as fixlist.txt.

start
HKU\Matti\...\Run: [dyK2QKaWt8Rcf4] - C:\Users\Matti\AppData\Local\fvJcrgR.exe [ 2013-09-18] (Корпорация Майкрософт)
HKU\Matti\...\Winlogon: [Shell] explorer.exe <==== ATTENTION
C:\Users\Matti\AppData\Local\fvJcrgR.exe
C:\Users\Matti\AppData\Roaming\AltShell.ini
C:\Users\Matti\AppData\Roaming\msconfig.ini
C:\ProgramData\Ip8n1qW.pad
C:\Users\Matti\AppData\Local\Temp\1LIQIY.exe
C:\Users\Matti\AppData\Local\Temp\AdobeUpdater12345.exe
C:\Users\Matti\AppData\Local\Temp\contentDATs.exe
C:\Users\Matti\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Matti\AppData\Local\Temp\jre-6u15-windows-i586-iftw.exe
C:\Users\Matti\AppData\Local\Temp\jre-6u17-windows-i586-iftw-rv.exe
C:\Users\Matti\AppData\Local\Temp\SearchWithGoogleUpdate.exe
C:\Users\Matti\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\Matti\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Matti\AppData\Local\Temp\SymLCSVC.EXE
C:\Users\Matti\AppData\Local\Temp\TTFCt.exe
end


Now please enter System Recovery Options as you did to get the log.

Run FRST64 or FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

 

Next,

 

Reboot the PC to normal mode, run Malwarebytes, check for updates, then do a quick scan. Remove anything it finds and post that log.

 

Kevin
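As an added example (not part of the thread, and not FRST's own code), the triage Kevin did by eye on the log above, automated: it parses Run and Winlogon lines in the FRST log format, flags the entries that stand out in this log (an autorun from AppData, a random-looking value name, a non-ASCII vendor string, a per-user Winlogon Shell value), and emits a fixlist in the start/end shape used in the reply. The sample lines are constructed from the posted log; the heuristics, thresholds and function names are my own assumptions.

```python
import re
from collections import namedtuple

# Constructed sample in the format of the FRST log posted above
# (three Run entries and the per-user Winlogon Shell line).
SAMPLE_LOG = r"""
HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1006264 2007-07-19] (Microsoft Corporation)
HKU\Matti\...\Run: [skype] - C:\Program Files\Skype\Phone\Skype.exe [ 2013-06-20] (Skype Technologies S.A.)
HKU\Matti\...\Run: [dyK2QKaWt8Rcf4] - C:\Users\Matti\AppData\Local\fvJcrgR.exe [ 2013-09-18] (Корпорация Майкрософт)
HKU\Matti\...\Winlogon: [shell] explorer.exe <==== ATTENTION
"""

# FRST line shapes: "<hive>\...\Run: [<name>] - <path> [<size date>] (<company>)" and "<hive>\...\Winlogon: [<value>] <data>"
RUN_RE = re.compile(r"^(?P<hive>HK[^\s\[]+?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] - "
                    r"(?P<path>.*?) \[(?P<meta>[^\]]*)\] \((?P<company>[^)]*)\)$")
WINLOGON_RE = re.compile(r"^(?P<hive>HK[^\s\[]+?)\\\.\.\.\\Winlogon: \[(?P<value>[^\]]+)\]")
# Locations a standard user can write to; a legitimate vendor autorun rarely lives here.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\", "\\temp\\")
Finding = namedtuple("Finding", "line path reasons")  # verbatim log line, exe path ("" if none), reasons

def looks_random(name: str) -> bool:
    # Value names such as dyK2QKaWt8Rcf4: one token, letters and digits mixed (threshold is an assumption).
    return (" " not in name and len(name) >= 10
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))

def triage(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            reasons = []
            if any(d in m["path"].lower() for d in USER_WRITABLE):
                reasons.append("autorun from a user-writable directory")
            if looks_random(m["name"]):
                reasons.append("random-looking value name")
            if m["company"] and not m["company"].isascii():
                reasons.append("non-ASCII vendor string (Microsoft impersonation)")
            if reasons:
                findings.append(Finding(line, m["path"], reasons))
            continue
        w = WINLOGON_RE.match(line)
        if w and w["value"].lower() == "shell" and w["hive"].startswith("HKU"):
            # A per-user Shell value replaces the desktop shell for that user; FRST flags it with ATTENTION.
            findings.append(Finding(line, "", ["per-user Winlogon Shell value"]))
    return findings

def build_fixlist(findings: list, extra_paths: list) -> str:
    # Same shape as the fixlist in the reply above: "start", the flagged log
    # lines quoted verbatim, the files to delete, then "end".
    body = [f.line for f in findings] + [f.path for f in findings if f.path]
    body += [p for p in extra_paths if p not in body]
    return "\n".join(["start", *body, "end"])
```

The orphan files FRST lists under "Files to move or delete" and "Some content of TEMP" are not registry entries, so they are passed in as extra_paths rather than detected by the parser.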


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

