Huolto Posted September 23, 2013 ID:733473

Hello. I'm not sure if this is the right place to ask, but here goes. I have a laptop with the UKASH malware (Finnish version). Looks like a new version. It speaks and all. All the normal "no safe mode" and other crap as before. Usually I have removed those with another laptop (moved the disk to a USB dock and ran Anti-Malware against the disk). But now Anti-Malware (nor any other program I have tried so far) doesn't find anything bad on the disk. Any ideas what to do?
kevinf80 Posted September 23, 2013 ID:733474

What version of Windows do you run?
Huolto Posted September 23, 2013 Author ID:733476

Laptop with Ukash: Vista Basic (32-bit). Laptop I am using for cleaning: Win7 Professional (64-bit).
kevinf80 Posted September 23, 2013 ID:733480

OK, we can run the FRST tool from a USB stick via the recovery environment on the sick PC. Use the clean PC to get the tool as per below...

Download Farbar Recovery Scan Tool from here: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ and save it to a USB flash drive. Ensure you get the correct version for your system, 32-bit or 64-bit.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Plug the flash drive into the infected PC.

If you are using Windows 8, consult How to use the Windows 8 System Recovery Environment Command Prompt here: http://www.bleepingcomputer.com/tutorials/windows-8-recovery-environment-command-prompt/ to enter the System Recovery Command Prompt.

If you are using Vista or Windows 7, enter System Recovery Options.

Enter System Recovery Options

I give two methods; use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Select your country as the keyboard language setting, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Select your country as the keyboard language setting, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
- Startup Repair
- System Restore
- Windows Complete PC Restore
- Windows Memory Diagnostic Tool
- Command Prompt

Select Command Prompt.
- In the command window type in notepad and press Enter.
- Notepad opens. Under the File menu select Open.
- Select "Computer", find your flash drive letter and close Notepad.
- In the command window type e:\frst64 or e:\frst depending on your version. Press Enter.
  Note: Replace the letter e with the drive letter of your flash drive.
- The tool will start to run.
- When the tool opens, click Yes to the disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

Kevin
Huolto Posted September 23, 2013 Author ID:733488

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-09-2013
Ran by SYSTEM on MINWINPC on 23-09-2013 14:12:43
Running from G:\
Windows Vista Home Basic (X86) OS Language: English(US)
Internet Explorer Version 7
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1006264 2007-07-19] (Microsoft Corporation)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [827392 2007-01-12] (Synaptics, Inc.)
HKLM\...\Run: [hpWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [472776 2007-03-01] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [WAWifiMessage] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe [317128 2007-01-10] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [HP Health Check Scheduler] - C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [50696 2007-03-07] (Hewlett-Packard)
HKLM\...\Run: [QlbCtrl] - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [159744 2007-02-07] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [Symantec PIF AlertEng] - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [583048 2008-01-29] (Symantec Corporation)
HKLM\...\Run: [HP Software Update] - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2007-10-14] (Hewlett-Packard)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Java\jre6\bin\jusched.exe [149280 2009-07-24] (Sun Microsystems, Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [947152 2013-01-27] (Microsoft Corporation)
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Matti\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2009-01-16] (Google Inc.)
HKU\Matti\...\Run: [TomTomHOME.exe] - C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe [ 2009-11-13] (TomTom)
HKU\Matti\...\Run: [Google Update] - C:\Users\Matti\AppData\Local\Google\Update\GoogleUpdate.exe [ 2012-03-29] (Google Inc.)
HKU\Matti\...\Run: [Skype] - C:\Program Files\Skype\Phone\Skype.exe [ 2013-06-20] (Skype Technologies S.A.)
HKU\Matti\...\Run: [dyK2QKaWt8Rcf4] - C:\Users\Matti\AppData\Local\fvJcrgR.exe [ 2013-09-18] (Корпорация Майкрософт)
HKU\Matti\...\Winlogon: [Shell] explorer.exe <==== ATTENTION

==================== Services (Whitelisted) =================

S3 Com4Qlb; C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe [110592 2007-01-09] (Hewlett-Packard Development Company, L.P.)
S2 HP Health Check Service; C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [62984 2007-03-08] (Hewlett-Packard)
S3 LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2999664 2007-09-26] (Symantec Corporation)
S2 LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll [537992 2008-04-10] (Symantec Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)
S2 CLTNetCnService; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]
S2 LiveUpdate Notice Ex; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]

==================== Drivers (Whitelisted) ====================

S0 CLFS; C:\Windows\System32\CLFS.sys [224824 2008-02-24] (Microsoft Corporation)
S1 eabfiltr; C:\Windows\System32\DRIVERS\eabfiltr.sys [8192 2006-11-29] (Hewlett-Packard Development Company, L.P.)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [371248 2009-08-27] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [102448 2009-08-27] (Symantec Corporation)
S3 HdAudAddService; C:\Windows\System32\drivers\CHDART.sys [159232 2007-02-21] (Conexant Systems Inc.)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S3 NAVENG; C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20091008.003\NAVENG.SYS [84912 2009-08-27] (Symantec Corporation)
S3 NAVEX15; C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20091008.003\NAVEX15.SYS [1323568 2009-08-27] (Symantec Corporation)
S3 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [279088 2007-11-30] (Symantec Corporation)
S3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [317616 2007-11-30] (Symantec Corporation)
S1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43696 2007-11-30] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [124464 2009-01-20] (Symantec Corporation)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-09-23 14:12 - 2013-09-23 14:12 - 00000000 ____D C:\FRST
2013-09-18 01:15 - 2013-09-18 01:15 - 00152651 _____ C:\Users\Matti\AppData\Local\9d8a4421-05c6-4bb4-903f-a5c7adbea94b
2013-09-18 01:14 - 2013-09-18 01:14 - 00208896 _____ (Корпорация Майкрософт) C:\Users\Matti\AppData\Local\fvJcrgR.exe
2013-09-12 05:10 - 2013-09-12 05:10 - 00000000 ____D C:\Windows\System32\MRT
2013-09-12 05:09 - 2013-09-12 05:09 - 00000000 ____D C:\967f093ea675e52a770f53aebc6702
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\Users\Matti\AppData\Roaming\ParetoLogic
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\Users\Matti\AppData\Roaming\DriverCure
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\ProgramData\ParetoLogic
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\Program Files\ParetoLogic
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\Program Files\Common Files\ParetoLogic

==================== One Month Modified Files and Folders =======

2013-09-23 14:12 - 2013-09-23 14:12 - 00000000 ____D C:\FRST
2013-09-23 03:07 - 2006-11-02 04:49 - 00030296 _____ C:\Windows\setupact.log
2013-09-23 03:04 - 2006-11-02 04:45 - 00003072 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-23 03:04 - 2006-11-02 04:45 - 00003072 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-23 03:03 - 2006-11-02 04:44 - 00033792 _____ C:\Windows\System32\umstartup.etl
2013-09-18 05:37 - 2013-07-10 08:27 - 00000000 ____D C:\Users\Matti\AppData\Roaming\Skype
2013-09-18 01:20 - 2007-01-03 06:47 - 00000012 _____ C:\Windows\bthservsdp.dat
2013-09-18 01:16 - 2007-06-06 22:26 - 01272375 _____ C:\Windows\WindowsUpdate.log
2013-09-18 01:15 - 2013-09-18 01:15 - 00152651 _____ C:\Users\Matti\AppData\Local\9d8a4421-05c6-4bb4-903f-a5c7adbea94b
2013-09-18 01:14 - 2013-09-18 01:14 - 00208896 _____ (Корпорация Майкрософт) C:\Users\Matti\AppData\Local\fvJcrgR.exe
2013-09-12 05:13 - 2012-01-31 07:55 - 00001887 _____ C:\Users\Public\Desktop\Adobe Reader 9.lnk
2013-09-12 05:10 - 2013-09-12 05:10 - 00000000 ____D C:\Windows\System32\MRT
2013-09-12 05:09 - 2013-09-12 05:09 - 00000000 ____D C:\967f093ea675e52a770f53aebc6702
2013-09-12 04:59 - 2006-11-02 02:33 - 01273706 _____ C:\Windows\System32\PerfStringBackup.INI
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\Users\Matti\AppData\Roaming\ParetoLogic
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\Users\Matti\AppData\Roaming\DriverCure
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\ProgramData\ParetoLogic
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\Program Files\ParetoLogic
2013-09-11 06:50 - 2013-09-11 06:50 - 00000000 ____D C:\Program Files\Common Files\ParetoLogic
2013-09-01 05:57 - 2006-11-02 02:24 - 76725432 _____ (Microsoft Corporation) C:\Windows\System32\mrt.exe

Files to move or delete:
====================
C:\Users\Matti\AppData\Roaming\AltShell.ini
C:\Users\Matti\AppData\Roaming\msconfig.ini
C:\ProgramData\Ip8n1qW.pad

Some content of TEMP:
====================
C:\Users\Matti\AppData\Local\Temp\1LIQIY.exe
C:\Users\Matti\AppData\Local\Temp\AdobeUpdater12345.exe
C:\Users\Matti\AppData\Local\Temp\contentDATs.exe
C:\Users\Matti\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Matti\AppData\Local\Temp\jre-6u15-windows-i586-iftw.exe
C:\Users\Matti\AppData\Local\Temp\jre-6u17-windows-i586-iftw-rv.exe
C:\Users\Matti\AppData\Local\Temp\SearchWithGoogleUpdate.exe
C:\Users\Matti\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\Matti\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Matti\AppData\Local\Temp\SymLCSVC.EXE
C:\Users\Matti\AppData\Local\Temp\TTFCt.exe

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-08-27 05:39:52
Restore point made on: 2013-08-28 21:38:06
Restore point made on: 2013-08-30 22:41:39
Restore point made on: 2013-09-02 06:34:54
Restore point made on: 2013-09-03 06:21:47
Restore point made on: 2013-09-04 06:46:20
Restore point made on: 2013-09-05 21:18:59
Restore point made on: 2013-09-08 07:40:20
Restore point made on: 2013-09-10 11:00:40
Restore point made on: 2013-09-12 05:09:07
Restore point made on: 2013-09-12 22:52:44
Restore point made on: 2013-09-14 06:47:53
Restore point made on: 2013-09-16 04:40:46
Restore point made on: 2013-09-17 10:06:55

==================== Memory info ===========================

Percentage of memory in use: 41%
Total physical RAM: 1014.81 MB
Available physical RAM: 596.26 MB
Total Pagefile: 778.14 MB
Available Pagefile: 635.73 MB
Total Virtual: 2047.88 MB
Available Virtual: 1976.97 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:65.16 GB) (Free:33.35 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (HP_RECOVERY) (Fixed) (Total:7.81 GB) (Free:2.99 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (OS_TOOLS) (Fixed) (Total:1.55 GB) (Free:1.28 GB) NTFS
Drive g: () (Removable) (Total:14.7 GB) (Free:14.7 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 75 GB) (Disk ID: 6AB8B737)
Partition 1: (Active) - (Size=65 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=2 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 15 GB) (Disk ID: 84766F74)
No partition Table on disk 1.

LastRegBack: 2013-09-12 05:24

==================== End Of Log ============================
Huolto Posted September 23, 2013 Author ID:733515

So I deleted "2013-09-18 01:14 - 2013-09-18 01:14 - 00208896 _____ (Корпорация Майкрософт) C:\Users\Matti\AppData\Local\fvJcrgR.exe" and the system seems to work.
kevinf80 Posted September 23, 2013 ID:733545

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box, right click on it and select Copy. Then right click into the open Notepad and select Paste. Save it on the flash drive as fixlist.txt

start
HKU\Matti\...\Run: [dyK2QKaWt8Rcf4] - C:\Users\Matti\AppData\Local\fvJcrgR.exe [ 2013-09-18] (Корпорация Майкрософт)
HKU\Matti\...\Winlogon: [Shell] explorer.exe <==== ATTENTION
C:\Users\Matti\AppData\Local\fvJcrgR.exe
C:\Users\Matti\AppData\Roaming\AltShell.ini
C:\Users\Matti\AppData\Roaming\msconfig.ini
C:\ProgramData\Ip8n1qW.pad
C:\Users\Matti\AppData\Local\Temp\1LIQIY.exe
C:\Users\Matti\AppData\Local\Temp\AdobeUpdater12345.exe
C:\Users\Matti\AppData\Local\Temp\contentDATs.exe
C:\Users\Matti\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Matti\AppData\Local\Temp\jre-6u15-windows-i586-iftw.exe
C:\Users\Matti\AppData\Local\Temp\jre-6u17-windows-i586-iftw-rv.exe
C:\Users\Matti\AppData\Local\Temp\SearchWithGoogleUpdate.exe
C:\Users\Matti\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\Matti\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Matti\AppData\Local\Temp\SymLCSVC.EXE
C:\Users\Matti\AppData\Local\Temp\TTFCt.exe
end

Now please enter System Recovery Options as you did to get the log.
Run FRST64 or FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Next, reboot the PC to normal mode, run Malwarebytes, check for updates, then do a quick scan. Remove anything it finds and post that log.

Kevin
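The two findings that matter in the FRST log posted earlier (a Run value with a random name pointing into AppData\Local, and a per-user Winlogon Shell value that FRST marks ATTENTION) and the fixlist above (a registry entry is removed by pasting its log line verbatim, a file by its path) can be turned into a small triage script. The following is an added example written for this thread; it is not part of FRST, Malwarebytes or the helper's fix. The sample lines are copied from the posted log (plus two benign lines to show what is not flagged), the line patterns and the "random-looking name" rules are my own heuristics tuned to this log, and the fixlist it drafts must still be reviewed by a person before it is run.

```python
"""Triage an FRST log for per-user autostart persistence and draft a fixlist.

Added example for this thread; not part of FRST, Malwarebytes or the posted
fix. The scoring rules below are heuristics chosen for this particular log.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the FRST log posted earlier in the
# thread, plus two benign lines (hkcmd.exe, the MRT folder) the script must
# NOT flag.
SAMPLE_FRST_LOG = r"""
HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1006264 2007-07-19] (Microsoft Corporation)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKU\Matti\...\Run: [Skype] - C:\Program Files\Skype\Phone\Skype.exe [ 2013-06-20] (Skype Technologies S.A.)
HKU\Matti\...\Run: [dyK2QKaWt8Rcf4] - C:\Users\Matti\AppData\Local\fvJcrgR.exe [ 2013-09-18] (Корпорация Майкрософт)
HKU\Matti\...\Winlogon: [Shell] explorer.exe <==== ATTENTION
2013-09-18 01:14 - 2013-09-18 01:14 - 00208896 _____ (Корпорация Майкрософт) C:\Users\Matti\AppData\Local\fvJcrgR.exe
2013-09-12 05:10 - 2013-09-12 05:10 - 00000000 ____D C:\Windows\System32\MRT
"""

# Line shapes as FRST prints them (assumed from the posted log): Run values,
# per-user Winlogon values and the one-month file listing.
RUN_RE = re.compile(
    r'^(?P<key>HK[^:]+)\\Run: \[(?P<name>[^\]]+)\] - (?P<path>.+?)'
    r'(?: \[(?P<meta>[^\]]*)\] \((?P<pub>[^)]*)\))?$')
WINLOGON_RE = re.compile(
    r'^(?P<key>HK[^:]+)\\Winlogon: \[(?P<name>[^\]]+)\] (?P<value>.*?)'
    r'(?: <==== ATTENTION)?$')
FILE_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - '
    r'(?P<size>\d+) (?P<attr>[_A-Z]+) (?:\((?P<pub>[^)]*)\) )?(?P<path>[A-Za-z]:\\.*)$')
# Places a standard user can write to; an autostart pointing here deserves a look.
USER_WRITABLE_RE = re.compile(r'\\(AppData|Temp|ProgramData|Users\\Public)\\', re.I)
# Where a real vendor installer would have put a vendor-branded binary.
PROTECTED_RE = re.compile(r'^[A-Za-z]:\\(Windows|Program Files)', re.I)


@dataclass
class Finding:
    line: str                 # the FRST log line as seen
    kind: str                 # 'run', 'winlogon' or 'file'
    path: str                 # file path (or the Shell value for winlogon)
    score: int = 0            # number of heuristics that fired
    reasons: list = field(default_factory=list)


def looks_random(token):
    """Heuristic for generated names such as dyK2QKaWt8Rcf4 or fvJcrgR: mixed
    case plus digits, or no vowels at all. Short legitimate names (hkcmd) stay
    under the length cut-off; this is a triage aid, not a classifier."""
    stem = token.rsplit('\\', 1)[-1].split('.')[0]
    if len(stem) < 6:
        return False
    has_digit = any(c.isdigit() for c in stem)
    mixed_case = any(c.islower() for c in stem) and any(c.isupper() for c in stem)
    no_vowels = re.search(r'[aeiou]', stem, re.I) is None
    return (has_digit and mixed_case) or no_vowels


def score_entry(name, path, pub):
    """Return the reasons an autostart or file entry deserves attention."""
    reasons = []
    if USER_WRITABLE_RE.search(path):
        reasons.append('binary lives in a user-writable directory')
    if looks_random(name):
        reasons.append('random-looking registry value name %r' % name)
    if looks_random(path):
        reasons.append('random-looking file name')
    if pub and not PROTECTED_RE.match(path):
        # Version info claims a vendor ("Microsoft" in Cyrillic here) but the
        # file is not where that vendor's installer would have put it.
        reasons.append('vendor-branded file (%s) outside Windows/Program Files' % pub)
    return reasons


def triage(log_text):
    """Parse Run, per-user Winlogon and file-list lines; score each one."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            reasons = score_entry(m['name'], m['path'], (m['pub'] or '').strip())
            findings.append(Finding(line, 'run', m['path'], len(reasons), reasons))
        elif m := WINLOGON_RE.match(line):
            reasons = []
            # Shell/Userinit belong under HKLM; a per-user copy is the classic
            # lock-screen trick, whatever value it currently holds.
            if m['key'].startswith('HKU') and m['name'].lower() in ('shell', 'userinit'):
                reasons.append('per-user Winlogon %s value (belongs only in HKLM)' % m['name'])
            if '<==== ATTENTION' in line:
                reasons.append('FRST itself marked the entry ATTENTION')
            findings.append(Finding(line, 'winlogon', m['value'], len(reasons), reasons))
        elif m := FILE_RE.match(line):
            reasons = score_entry('', m['path'], (m['pub'] or '').strip())
            findings.append(Finding(line, 'file', m['path'], len(reasons), reasons))
    return findings


def draft_fixlist(findings, min_score=2):
    """Draft FRST fixlist.txt text from the high-scoring findings: a registry
    entry is removed by pasting its log line verbatim, a file by its path
    (the same syntax the fix posted above uses). Review before running."""
    body, seen = [], set()
    for f in findings:
        if f.score < min_score:
            continue
        if f.kind in ('run', 'winlogon'):
            body.append(f.line)
        if f.kind in ('run', 'file') and f.path not in seen:
            body.append(f.path)
            seen.add(f.path)
    return '\n'.join(['start', *body, 'end']) + '\n'


if __name__ == '__main__':
    found = triage(SAMPLE_FRST_LOG)
    for f in found:
        if f.score:
            print('[%d] %s: %s' % (f.score, f.kind, f.path))
            for r in f.reasons:
                print('      - ' + r)
    print()
    print(draft_fixlist(found))
```

Run against the sample, the only entries scoring 2 or more are the dyK2QKaWt8Rcf4 Run value, the fvJcrgR.exe file and the per-user Shell value, which is exactly the registry part of the fixlist posted above; the Temp and .ini files the helper also listed come from FRST's own "Files to move or delete" and TEMP sections and still need a human to add them.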
kevinf80 Posted September 24, 2013 ID:734064

Do you still need help or can we close out your thread?
AdvancedSetup (Root Admin) Posted September 25, 2013 ID:734268

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!