
Still Infected with Crypto/Variant



Several weeks ago I had my server get hit with the Crypto Locker. I was able to clear 2 users so far. I have 2 users remaining. One of the users is going to be this post. Here is a bit of the backstory. The day the virus hit, I was able to stop it, but it wreaked havoc on her PC. It embedded a worm (the antivirus pop-up one) and that caused the entire system to crash and fail. I couldn't get it to load into BIOS; it just kept crashing out into a checksum error when I turned it on. So I got her a new PC since it was very old. After working on the other users I found that the virus was user specific. So her new PC has started to give us issues with running files, setting up printers and normal functions that an administrator or user with administrator roles should be able to run. After reading a bunch, it seems the common cause of these errors is a virus. So I can't even run MBAR, just RogueKiller, which shows nothing at all, and the FBAR64 program that I used for the other removals. So now it's been a few weeks and we still can't get any programs to install, and this is impacting our job functions.

 

Thanks,

Andrew

Attached are the scan logs and posted as well.   

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-10-2013
Ran by achew (administrator) on EWPC35 on 29-10-2013 16:45:16
Running from F:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Intel® Corporation) c:\Program Files\Intel\iCLS Client\HeciServer.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe
(McAfee, Inc.) C:\Windows\system32\mfevtps.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
(iAnywhere Solutions, Inc.) C:\PROGRA~2\Intuit\QUICKB~1\QBDBMgrN.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Atheros) C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Microsoft Corporation) C:\Windows\System32\alg.exe
(Dell Products, LP.) c:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Intuit Inc.) C:\Program Files (x86)\Intuit\QuickBooks 2007\qbw32.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\axlbridge.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6463080 2012-01-16] (Realtek Semiconductor)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKCU\...\Policies\Explorer: [NoAddPrinter] 0
HKLM-x32\...\Run: [iMSS] - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [133400 2011-12-16] (Intel Corporation)
HKLM-x32\...\Run: [uSB3MON] - C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-27] (Intel Corporation)
HKLM-x32\...\Run: [iAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [McAfeeUpdaterUI] - C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe [161088 2011-01-12] (McAfee, Inc.)
HKLM-x32\...\Run: [shStatEXE] - C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe [215360 2011-01-12] (McAfee, Inc.)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x1AD36C6B00D5CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
SearchScopes: HKLM - DefaultScope {35D9CA19-BDEA-4EE3-A579-28F9BA8AE86F} URL = http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=DCJB
SearchScopes: HKLM - {35D9CA19-BDEA-4EE3-A579-28F9BA8AE86F} URL = http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=DCJB
SearchScopes: HKLM-x32 - DefaultScope {35D9CA19-BDEA-4EE3-A579-28F9BA8AE86F} URL = http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=DCJB
SearchScopes: HKLM-x32 - {35D9CA19-BDEA-4EE3-A579-28F9BA8AE86F} URL = http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=DCJB
SearchScopes: HKCU - DefaultScope {35D9CA19-BDEA-4EE3-A579-28F9BA8AE86F} URL = 
SearchScopes: HKCU - {35D9CA19-BDEA-4EE3-A579-28F9BA8AE86F} URL = 
BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20130920163035.dll (McAfee, Inc.)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20130920163035.dll (McAfee, Inc.)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.11
 
==================== Services (Whitelisted) =================
 
R2 McAfeeFramework; C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [120128 2011-01-12] (McAfee, Inc.)
R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [190256 2013-09-20] (McAfee, Inc.)
R2 McTaskManager; C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe [209760 2011-01-12] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [156248 2013-09-20] (McAfee, Inc.)
R2 QuickBooksDB17; C:\PROGRA~2\Intuit\QUICKB~1\QBDBMgrN.exe [128536 2006-09-13] (iAnywhere Solutions, Inc.)
R2 ZAtheros Wlan Agent; C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [73728 2012-02-07] (Atheros)
 
==================== Drivers (Whitelisted) ====================
 
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [153952 2013-09-20] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [217696 2013-09-20] (McAfee, Inc.)
U3 mfeavfk01; No ImagePath
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [607152 2013-09-20] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [97960 2013-09-20] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [281544 2013-09-20] (McAfee, Inc.)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-10-28 09:57 - 2013-10-28 09:57 - 00002442 _____ C:\Users\achew\Desktop\RKreport[0]_D_10282013_095741.txt
2013-10-23 12:46 - 2013-10-23 12:46 - 00019535 _____ C:\Users\achew\Desktop\310-975-4643.xlsx
2013-10-23 08:55 - 2013-10-23 08:55 - 00038724 _____ C:\Users\achew\Desktop\AR AGING REPORT as of 10-23-2013.xlsx
2013-10-22 12:54 - 2013-10-22 12:54 - 00015940 _____ C:\Users\achew\Downloads\CTNVoiceUsageDetailsGrid.xml_131022155412-0400.csv
2013-10-22 12:23 - 2013-10-22 12:23 - 00015741 _____ C:\Users\achew\Desktop\310-592-7049 1st.xlsx
2013-10-22 12:20 - 2013-10-22 12:20 - 00021909 _____ C:\Users\achew\Desktop\310-592-7049.xlsx
2013-10-22 12:20 - 2013-10-22 12:20 - 00009964 _____ C:\Users\achew\Downloads\CTNVoiceUsageDetailsGrid.xml_131022152050-0400.csv
2013-10-22 10:50 - 2013-10-22 10:50 - 00018550 _____ C:\Users\achew\Downloads\CTNVoiceUsageDetailsGrid.xml_131022135007-0400.csv
2013-10-22 09:55 - 2013-10-22 09:55 - 00039551 _____ C:\Users\achew\Downloads\CTNVoiceUsageDetailsGrid.xml_131022125519-0400.csv
2013-10-21 09:42 - 2013-10-21 09:42 - 00041232 _____ C:\Users\achew\Desktop\DATA USAGE - ORD11927.xlsx
2013-10-21 09:39 - 2013-10-21 09:39 - 00048141 _____ C:\Users\achew\Downloads\CtnDataUsageDetailsGrid.xml_131021123953-0400.csv
2013-10-17 18:19 - 2013-10-17 18:19 - 00002358 _____ C:\Users\achew\Desktop\RKreport[0]_S_10172013_181947.txt
2013-10-17 18:18 - 2013-10-28 09:57 - 00000000 ____D C:\Users\achew\Desktop\RK_Quarantine
2013-10-16 08:14 - 2013-10-16 08:14 - 00040329 _____ C:\Users\achew\Desktop\AR AGING REPORT as of 10-16-2013.xlsx
2013-10-15 15:09 - 2013-10-15 15:09 - 00002359 _____ C:\Users\andrew.EWIRELESS\Desktop\RKreport[0]_S_10152013_150909.txt
2013-10-15 15:07 - 2013-10-15 15:09 - 00000000 ____D C:\Users\andrew.EWIRELESS\Desktop\RK_Quarantine
2013-10-15 15:06 - 2013-10-15 15:06 - 00000000 ____D C:\FRST
2013-10-15 15:01 - 2013-10-15 15:08 - 00000000 ____D C:\Users\achew\Desktop\integrator
2013-10-14 09:26 - 2013-10-14 09:26 - 00000000 ____D C:\Users\achew\Desktop\W9 FORM
2013-10-09 19:19 - 2013-08-27 18:21 - 03155968 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-10-09 15:32 - 2013-10-09 15:32 - 00007199 _____ C:\Users\achew\Downloads\CTL00.XLS
2013-10-08 11:58 - 2013-10-23 19:46 - 00000000 ____D C:\Users\achew\Desktop\baxie
2013-10-03 10:10 - 2013-10-03 10:10 - 00040602 _____ C:\Users\achew\Downloads\CTNVoiceUsageDetailsGrid.xml_131003130951-0400.csv
2013-10-03 09:05 - 2013-10-03 09:05 - 00000961 _____ C:\Users\achew\Desktop\VERIZON BILLS.lnk
2013-10-03 09:02 - 2013-10-03 09:02 - 00028096 _____ C:\Users\achew\Downloads\CTNVoiceUsageDetailsGrid.xml_131003120225-0400.csv
2013-10-02 18:57 - 2013-10-02 18:57 - 00000000 ____D C:\Users\achew\Desktop\END OF THE MONTH REPORTS
2013-10-01 17:19 - 2013-10-15 15:04 - 00001982 __RSH C:\Users\andrew.EWIRELESS\ntuser.pol
2013-10-01 17:19 - 2013-10-01 17:19 - 00000000 ____D C:\Users\andrew.EWIRELESS\AppData\Local\Intuit
2013-09-30 11:21 - 2013-09-30 11:21 - 00000000 ____D C:\Users\achew\AppData\Local\Downloaded Installations
2013-09-30 11:16 - 2013-09-30 11:22 - 00000000 ____D C:\Users\achew\Desktop\R2QB-INTEGRATOR
2013-09-30 10:45 - 2013-10-14 09:22 - 00009456 _____ C:\Users\achew\Desktop\WORK HOURS.xlsx
 
==================== One Month Modified Files and Folders =======
 
2013-10-29 16:34 - 2013-08-28 12:31 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-10-29 16:22 - 2013-09-20 10:57 - 00000136 _____ C:\Windows\system32\config\netlogon.ftl
2013-10-29 16:16 - 2013-09-23 10:32 - 00000000 ____D C:\Users\achew\Documents\Outlook Files
2013-10-29 03:01 - 2013-09-24 03:00 - 00442900 _____ C:\Windows\msxml4-KB973688-enu.LOG
2013-10-29 03:01 - 2013-09-24 03:00 - 00441676 _____ C:\Windows\msxml4-KB954430-enu.LOG
2013-10-29 03:01 - 2013-08-28 12:31 - 01180338 _____ C:\Windows\WindowsUpdate.log
2013-10-28 12:47 - 2009-07-13 21:45 - 00021088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-28 12:47 - 2009-07-13 21:45 - 00021088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-28 12:43 - 2009-07-13 22:32 - 00000000 ____D C:\Windows\system32\FxsTmp
2013-10-28 09:57 - 2013-10-28 09:57 - 00002442 _____ C:\Users\achew\Desktop\RKreport[0]_D_10282013_095741.txt
2013-10-28 09:57 - 2013-10-17 18:18 - 00000000 ____D C:\Users\achew\Desktop\RK_Quarantine
2013-10-23 19:46 - 2013-10-08 11:58 - 00000000 ____D C:\Users\achew\Desktop\baxie
2013-10-23 12:46 - 2013-10-23 12:46 - 00019535 _____ C:\Users\achew\Desktop\310-975-4643.xlsx
2013-10-23 08:55 - 2013-10-23 08:55 - 00038724 _____ C:\Users\achew\Desktop\AR AGING REPORT as of 10-23-2013.xlsx
2013-10-22 12:54 - 2013-10-22 12:54 - 00015940 _____ C:\Users\achew\Downloads\CTNVoiceUsageDetailsGrid.xml_131022155412-0400.csv
2013-10-22 12:23 - 2013-10-22 12:23 - 00015741 _____ C:\Users\achew\Desktop\310-592-7049 1st.xlsx
2013-10-22 12:20 - 2013-10-22 12:20 - 00021909 _____ C:\Users\achew\Desktop\310-592-7049.xlsx
2013-10-22 12:20 - 2013-10-22 12:20 - 00009964 _____ C:\Users\achew\Downloads\CTNVoiceUsageDetailsGrid.xml_131022152050-0400.csv
2013-10-22 10:50 - 2013-10-22 10:50 - 00018550 _____ C:\Users\achew\Downloads\CTNVoiceUsageDetailsGrid.xml_131022135007-0400.csv
2013-10-22 09:55 - 2013-10-22 09:55 - 00039551 _____ C:\Users\achew\Downloads\CTNVoiceUsageDetailsGrid.xml_131022125519-0400.csv
2013-10-21 09:42 - 2013-10-21 09:42 - 00041232 _____ C:\Users\achew\Desktop\DATA USAGE - ORD11927.xlsx
2013-10-21 09:39 - 2013-10-21 09:39 - 00048141 _____ C:\Users\achew\Downloads\CtnDataUsageDetailsGrid.xml_131021123953-0400.csv
2013-10-17 18:19 - 2013-10-17 18:19 - 00002358 _____ C:\Users\achew\Desktop\RKreport[0]_S_10172013_181947.txt
2013-10-16 08:14 - 2013-10-16 08:14 - 00040329 _____ C:\Users\achew\Desktop\AR AGING REPORT as of 10-16-2013.xlsx
2013-10-15 15:09 - 2013-10-15 15:09 - 00002359 _____ C:\Users\andrew.EWIRELESS\Desktop\RKreport[0]_S_10152013_150909.txt
2013-10-15 15:09 - 2013-10-15 15:07 - 00000000 ____D C:\Users\andrew.EWIRELESS\Desktop\RK_Quarantine
2013-10-15 15:08 - 2013-10-15 15:01 - 00000000 ____D C:\Users\achew\Desktop\integrator
2013-10-15 15:06 - 2013-10-15 15:06 - 00000000 ____D C:\FRST
2013-10-15 15:04 - 2013-10-01 17:19 - 00001982 __RSH C:\Users\andrew.EWIRELESS\ntuser.pol
2013-10-15 15:04 - 2013-09-23 08:28 - 00000000 ____D C:\Users\andrew.EWIRELESS
2013-10-15 15:04 - 2013-08-28 12:47 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2013-10-15 15:04 - 2013-08-28 12:47 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2013-10-15 15:04 - 2013-08-28 12:39 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-10-15 15:00 - 2009-07-13 22:13 - 00799244 _____ C:\Windows\system32\PerfStringBackup.INI
2013-10-15 10:41 - 2009-07-13 21:51 - 00033223 _____ C:\Windows\setupact.log
2013-10-14 09:26 - 2013-10-14 09:26 - 00000000 ____D C:\Users\achew\Desktop\W9 FORM
2013-10-14 09:22 - 2013-09-30 10:45 - 00009456 _____ C:\Users\achew\Desktop\WORK HOURS.xlsx
2013-10-10 14:37 - 2013-09-24 08:39 - 00001982 __RSH C:\Users\achew\ntuser.pol
2013-10-10 14:37 - 2013-09-23 08:18 - 00000000 ____D C:\Users\achew
2013-10-10 03:21 - 2013-09-23 08:27 - 00000433 _____ C:\Windows\system32\Drivers\etc\hosts.ics
2013-10-10 03:21 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-10 03:20 - 2009-07-13 21:45 - 00422856 _____ C:\Windows\system32\FNTCACHE.DAT
2013-10-10 03:02 - 2011-02-10 07:33 - 00793620 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2013-10-10 03:00 - 2013-09-20 11:24 - 80541720 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-10-09 15:32 - 2013-10-09 15:32 - 00007199 _____ C:\Users\achew\Downloads\CTL00.XLS
2013-10-03 10:10 - 2013-10-03 10:10 - 00040602 _____ C:\Users\achew\Downloads\CTNVoiceUsageDetailsGrid.xml_131003130951-0400.csv
2013-10-03 09:05 - 2013-10-03 09:05 - 00000961 _____ C:\Users\achew\Desktop\VERIZON BILLS.lnk
2013-10-03 09:02 - 2013-10-03 09:02 - 00028096 _____ C:\Users\achew\Downloads\CTNVoiceUsageDetailsGrid.xml_131003120225-0400.csv
2013-10-02 18:57 - 2013-10-02 18:57 - 00000000 ____D C:\Users\achew\Desktop\END OF THE MONTH REPORTS
2013-10-02 09:37 - 2013-09-20 11:30 - 00004734 __RSH C:\ProgramData\ntuser.pol
2013-10-01 17:19 - 2013-10-01 17:19 - 00000000 ____D C:\Users\andrew.EWIRELESS\AppData\Local\Intuit
2013-09-30 11:22 - 2013-09-30 11:16 - 00000000 ____D C:\Users\achew\Desktop\R2QB-INTEGRATOR
2013-09-30 11:21 - 2013-09-30 11:21 - 00000000 ____D C:\Users\achew\AppData\Local\Downloaded Installations
 
Some content of TEMP:
====================
C:\Users\achew\AppData\Local\Temp\ntdll_dump.dll
C:\Users\andrew.EWIRELESS\AppData\Local\Temp\ntdll_dump.dll
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2013-10-21 00:34
 
==================== End Of Log ============================

 

Addition.txt


  • Root Admin

You have now had 2 topics closed for failure to reply when requested.

If you have no intention of performing the tasks requested and following through with them until the end, then you're just wasting our time and yours.

Please let me know what you'd like to do.

Thank you


  • Root Admin

Yes, there were responses, but you failed to reply, which is why they were closed. Just like this one. I replied on Oct 30 and you just replied now, 5 days later. I'm sorry, but if you don't have the time to reply daily or at most every other day, then we won't be able to assist you. It takes time and dedication to the task in order to clean up an infection.

Even when you did reply - then you just stopped replying which again is wasting time for Helpers.

No reply to MrC

https://forums.malwarebytes.org/index.php?showtopic=134230#entry736941

Duplicate post

https://forums.malwarebytes.org/index.php?showtopic=134229#entry737590

No Reply to MrC

https://forums.malwarebytes.org/index.php?showtopic=134230#entry740277


I see. I apologize about the previous issues that were opened with no responses. They had been resolved, so I thought they were auto-closed topics after 3 days. Going forward I will respond daily M-F, as I don't work on weekends. I still need this resolved if there is any malware showing up; otherwise I need to know so I can just format and start with a fresh install. I'm wondering if it's the user, as this system was a new computer that replaced one that was heavily damaged by this virus. It seems to be attacking 2-3 other users now too. So every time I remove it from a user it hits another one.


  • Root Admin

This is not a self-propagating virus. You need to ensure that the systems are up to date with plugins.

If possible, uninstall ALL versions of Java, and if you really have to use Java, try to only use the very latest version at all times.

Remove older plugins from Adobe and Macromedia and ensure that only Adobe Reader and Flash have the latest versions.

Make sure that all Windows security updates are applied, and make sure a good antivirus is installed and up to date. I'd also recommend the PRO version of MBAM installed and up to date at all times to help prevent attacks.

Okay, so that said, please do the following on the system that this log is from.

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


 


  • Root Admin

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


 


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
