Files 'locked'


  • This topic is locked
13 replies to this topic

#1 PersonaUser314

PersonaUser314

  • Members
  • 73 posts
  • OFFLINE
  • Local time:08:20 PM

Posted 06 June 2012 - 08:14 AM

I'd had a virus problem (fully detailed in this thread: http://www.bleepingcomputer.com/forums/topic454343.html/page__st__15) and after running the appropriate scans and actions, the files in my computer have become 'locked'. That is, they're inaccessible and the file names read like so: locked-Name of file.file extension.random 4-letter sequence that is different for all files. I don't know if this is due to that virus or what, but I know I can't access about 90% of my files (curiously, a few programs on my desktop work: games, QuickTime, GIMP, but others have been locked as well).

I've followed steps 6-9 in the Prep Guide and am posting the required logs here now:

DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.4.1
Run by Lauren at 13:47:43 on 2012-06-06
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3317.2408 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Users\Lauren\AppData\Local\Akamai\netsession_win.exe
C:\Users\Lauren\AppData\Local\Akamai\netsession_win.exe
C:\Windows\System32\StikyNot.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.babylon.com/?affID=110019&tt=220512_53ctrl&babsrc=HP_ss&mntrId=eed80c340000000000000024e8142280
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
uRun: [Akamai NetSession Interface] "c:\users\lauren\appdata\local\akamai\netsession_win.exe"
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
uRun: [EED80C34] c:\windows\system32\555465A5EED80C342A71.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableRegedit = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableRegedit = 1 (0x1)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{2AF7E242-E0A6-4B7F-9C07-708F97E3808F} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{4F55DD86-8B07-4E96-A314-87973FB9BD35} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{5292756D-EE0E-432B-9105-EECC825BCECD} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{5292756D-EE0E-432B-9105-EECC825BCECD}\2445F40756E6A7F6E656 : DhcpNameServer = 192.168.22.22 192.168.22.23
TCP: Interfaces\{5292756D-EE0E-432B-9105-EECC825BCECD}\E4564776561627 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{8BB823E6-FE78-41B1-A824-F16DE6062387} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C5387D32-A527-4127-BD1A-2E4922D0AEFA} : DhcpNameServer = 192.168.1.254
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
IFEO: msconfig.exe - P9KDMF.EXE
IFEO: regedit.exe - P9KDMF.EXE
IFEO: taskmgr.exe - P9KDMF.EXE
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\lauren\appdata\roaming\mozilla\firefox\profiles\kj7vdly3.default\
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=110019&tt=220512_53ctrl&babsrc=KW_ss&mntrId=eed80c340000000000000024e8142280&q=
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110019&tt=220512_53ctrl
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - eed80c340000000000000024e8142280
FF - user.js: extensions.BabylonToolbar_i.hardId - eed80c340000000000000024e8142280
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15495
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1718:24:34
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 171064]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-10-26 464384]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-16 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-12 257696]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-16 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-5-20 40776]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-28 129976]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-28 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-22 1343400]
.
=============== Created Last 30 ================
.
2012-06-06 12:38:49 6737808 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{59f1ba8d-e762-4e0f-83fc-b5bad6e3e216}\mpengine.dll
2012-06-04 17:25:19 -------- d-----w- c:\program files\hpmonitor
2012-06-04 17:24:24 -------- d-----w- c:\users\lauren\appdata\roaming\Babylon
2012-06-04 17:24:24 -------- d-----w- c:\programdata\Babylon
2012-06-04 17:23:50 -------- d-----w- c:\program files\4dots Software
2012-06-04 17:22:49 -------- d--h--w- c:\programdata\Common Files
2012-06-04 17:22:44 -------- d-----w- c:\programdata\MFAData
2012-06-03 15:05:58 -------- d-----w- c:\program files\Oracle
2012-05-26 13:31:07 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f7edead3-41a9-41f1-ab18-ab61d7858ddd}\gapaengine.dll
2012-05-26 13:31:02 6737808 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-05-26 13:24:58 19736 ----a-w- c:\programdata\microsoft\identitycrl\production\ppcrlconfig600.dll
2012-05-24 21:56:58 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-23 19:17:26 -------- d-----w- c:\windows\system32\%LOCALAPPDATA%
2012-05-20 18:08:26 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-05-15 15:32:53 144416 ----a-w- c:\windows\system32\drivers\str.sys
2012-05-15 15:32:33 -------- d-----w- c:\users\lauren\appdata\roaming\Mitlhdpbxkn
2012-05-09 18:11:27 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-09 18:11:26 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2012-05-09 18:11:25 989184 ----a-w- c:\program files\windows journal\JNTFiltr.dll
2012-05-09 18:11:25 969216 ----a-w- c:\program files\windows journal\JNWDRV.dll
2012-05-09 18:11:25 1221632 ----a-w- c:\program files\windows journal\NBDoc.DLL
2012-05-09 18:11:21 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-09 18:11:20 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-09 18:11:20 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-05-09 18:11:08 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-09 18:11:08 1077248 ----a-w- c:\windows\system32\DWrite.dll
.
==================== Find3M ====================
.
2012-05-05 20:40:12 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-05 20:40:12 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-04 17:47:08 772504 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-04-04 17:47:02 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-20 19:44:12 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-20 19:44:12 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
============= FINISH: 13:48:50.10 ===============


GMER Log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-06 14:07:03
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3500418AS rev.CC44
Running: 9mqv2ve1.exe; Driver: C:\Users\Lauren\AppData\Local\Temp\uxdirpob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82C543C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C8DD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 9B145000 192 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5051 9B1450C1 97 Bytes CALL 9B1450D5 \SystemRoot\system32\drivers\spsys.sys (security processor/Microsoft Corporation)
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 9B145123 629 Bytes [05, 14, 9B, FE, 05, 34, 05, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 9B145399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F 9B1453FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE ...
? C:\Users\Lauren\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3320] ntdll.dll!LdrLoadDll 7773223E 5 Bytes JMP 6BB6C930 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3320] kernel32.dll!MapViewOfFile 776393DB 5 Bytes JMP 6BD9E083 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3320] kernel32.dll!VirtualAlloc 7763C43A 5 Bytes JMP 6BD9E0AA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3320] GDI32.dll!CreateDIBSection 77328850 5 Bytes JMP 6BD9E00D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x03 0x48 0xD9 0x42 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x7B 0xC4 0xD3 0xB3 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA9 0xDC 0x51 0xE8 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x03 0x48 0xD9 0x42 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x7B 0xC4 0xD3 0xB3 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA9 0xDC 0x51 0xE8 ...

---- EOF - GMER 1.0.15 ----


Hoping someone can help me out with this problem!
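Read with a defender's eye, the "Pseudo HJT Report" section of the DDS log above contains three things worth flagging on their own: a uRun value that starts a hex-named executable out of system32, policy values that hide regedit and Task Manager and switch UAC off, and IFEO entries that redirect msconfig, regedit and taskmgr to P9KDMF.EXE. The script below is an added example, not part of this post and not part of the DDS tool: it parses those line types from a DDS excerpt and reports them. The sample lines are copied from the log above (plus one benign mRun line); the severity labels, the policy list and the "hex-named executable" heuristic are assumptions of this example.

```python
"""Triage checks for the 'Pseudo HJT Report' section of a DDS log.

Added example, not part of the forum post or of the DDS tool. It flags
three kinds of entries present in the log above:
  * IFEO 'Debugger' entries that redirect admin tools to another executable
  * policy values that hide regedit/Task Manager or switch UAC off
  * Run entries that launch a hex-named executable out of system32
"""
import re

# Constructed sample: lines copied from the posted DDS log, plus one benign
# mRun line so the non-alerting path is exercised as well.
SAMPLE_LOG = r"""
uRun: [Akamai NetSession Interface] "c:\users\lauren\appdata\local\akamai\netsession_win.exe"
uRun: [EED80C34] c:\windows\system32\555465A5EED80C342A71.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
Notify: igfxcui - igfxdev.dll
IFEO: msconfig.exe - P9KDMF.EXE
IFEO: regedit.exe - P9KDMF.EXE
IFEO: taskmgr.exe - P9KDMF.EXE
"""

# Policy name -> value that removes the user's ability to inspect or undo
# persistence, or disables UAC. Assumed list; extend as needed.
SUSPICIOUS_POLICIES = {
    "DisableRegistryTools": "1",
    "DisableRegedit": "1",
    "DisableTaskMgr": "1",
    "EnableLUA": "0",
}

# Tools that should not normally carry an IFEO Debugger value at all.
PROTECTED_TOOLS = {"msconfig.exe", "regedit.exe", "taskmgr.exe", "cmd.exe"}

RUN_RE = re.compile(r'^([um])Run: \[([^\]]+)\] (?:"([^"]+)"|(\S+))')
POLICY_RE = re.compile(r"^[um]Policies-system: (\w+) = (\d+)")
IFEO_RE = re.compile(r"^IFEO: (\S+) - (\S+)")
# Heuristic (assumption): 16+ hex characters followed by .exe looks machine-generated.
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{16,}\.exe$")


def triage_dds(text):
    """Return a list of (severity, message) findings for a DDS log excerpt."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            scope, name, quoted, bare = m.groups()
            path = quoted or bare
            base = path.rsplit("\\", 1)[-1]
            if HEX_NAME_RE.match(base) and "\\system32\\" in path.lower():
                findings.append(("high", f"{scope}Run [{name}] starts hex-named executable from system32: {path}"))
            continue
        m = POLICY_RE.match(line)
        if m:
            key, value = m.groups()
            if SUSPICIOUS_POLICIES.get(key) == value:
                findings.append(("medium", f"policy {key}={value} hides a tool or disables UAC"))
            continue
        m = IFEO_RE.match(line)
        if m:
            target, debugger = m.groups()
            if target.lower() in PROTECTED_TOOLS:
                findings.append(("high", f"IFEO debugger hijack: {target} -> {debugger}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage_dds(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

On the sample above the script reports seven findings: four high (the hex-named uRun entry and the three IFEO redirects) and three medium (the policy values). Pasting the whole "Pseudo HJT Report" section into `SAMPLE_LOG` gives the same summary for a full log; the IFEO redirection of regedit, msconfig and taskmgr is the entry that explains why those tools would not open for the user.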



#2 PersonaUser314

PersonaUser314
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  • Local time:08:20 PM

Posted 06 June 2012 - 08:20 AM

The attachments I put in the last post don't seem to have worked; here they are in this one, sorry!

Attached Files



#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:20 PM

Posted 08 June 2012 - 08:33 PM

Please run the Kaspersky Rannoh Decryptor

http://support.kaspersky.com/faq/?qid=208286527

It will take a while to run, but should be successful on the type of ransomware you are infected with.

Let me know how that goes, then we can continue with other scans to make certain there are no remnants of the infection.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 PersonaUser314

PersonaUser314
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  • Local time:08:20 PM

Posted 09 June 2012 - 09:02 AM

That seems to have unlocked the majority of my files. There were about 15 or so files that didn't unlock; some music, some pictures, some backed up system data for PS3 games I have on my HDD and some shortcuts to games I have on my desktop (I don't know if it's just the shortcuts or if the games themselves don't work either). I don't think I have the originals of any of those files, or I'd run the decryptor again to try and unlock them. Is there something I can do for these or are they lost causes?

I saved a copy of the decryptor log, but the whole thing's too big to post or attach to the post. I didn't know if you'd need to see anything in it, so I've copy/pasted the start and end of the log (i.e. all except the 'Processing file: etc.' bits). If there's anything specific you need to see from it, let me know.

11:14:26.0607 2560 Trojan-Ransom.Win32.Rannoh decryptor tool 1.1.0.0 Apr 30 2012 19:08:22
11:14:26.0703 2560 ============================================================
11:14:26.0703 2560 Current date / time: 2012/06/09 11:14:26.0703
11:14:26.0703 2560 SystemInfo:
11:14:26.0703 2560
11:14:26.0703 2560 OS Version: 6.1.7601 ServicePack: 1.0
11:14:26.0703 2560 Product type: Workstation
11:14:26.0703 2560 ComputerName: LAUREN-PC
11:14:26.0703 2560 UserName: Lauren
11:14:26.0703 2560 Windows directory: C:\Windows
11:14:26.0703 2560 System windows directory: C:\Windows
11:14:26.0703 2560 Processor architecture: Intel x86
11:14:26.0703 2560 Number of processors: 4
11:14:26.0703 2560 Page size: 0x1000
11:14:26.0703 2560 Boot type: Normal boot
11:14:26.0703 2560 ============================================================
11:14:26.0705 2560 Initialize success
11:16:03.0515 1568 Can't init decryptor
11:17:28.0559 2404 Can't get clean file path
11:17:28.0559 2404 Can't init decryptor
11:21:32.0385 2284 Can't get clean file path
11:21:32.0385 2284 Can't init decryptor
11:22:43.0860 1964 Can't get clean file path
11:22:43.0860 1964 Can't init decryptor
ProcessDriveEnumEx: Drive C:\ type 3:0


--

14:46:10.0952 2836
14:46:10.0952 2836 Statistic:
14:46:10.0952 2836 Processed: 143269
14:46:10.0952 2836 Suspicious: 0
14:46:10.0952 2836 Found: 12804
14:46:10.0952 2836 Decrypted: 12789
14:46:10.0952 2836 ================================================================================
14:46:10.0952 2836 Scan finished
14:46:10.0952 2836 ================================================================================

What's next?

Edited by PersonaUser314, 09 June 2012 - 09:18 AM.


#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:20 PM

Posted 09 June 2012 - 09:32 AM

I would say that those are lost causes, although if you know someone with the same original file, you could copy it over then run the decryptor again, so give it another try.

NEXT

Please run the following:

Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
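The decryptor log in post #4 repeats "Can't get clean file path" and "Can't init decryptor", and the advice above is that an original copy of an encrypted file is what lets the tool try again. The script below is an added example (not from this thread and not part of the Kaspersky tool): it parses the naming scheme described in the first post, locked-<name>.<ext>.<4 letters>, inventories the locked files under a folder, and reports which of them have a same-named clean copy in a backup folder and which still need one. The folder layout, file names and four-letter tags are constructed for the demo.

```python
"""Inventory 'locked-' files and check which ones have a clean reference copy.

Added example, not code from the thread or from the Kaspersky decryptor.
Assumptions: the naming scheme described in the first post,
    locked-<original name>.<ext>.<4 random letters>
and the decryptor's need for an original (unencrypted) copy of a file, as
the 'Can't get clean file path' lines in the decryptor log and the advice
above indicate. Directory layout and file names below are constructed.
"""
import os
import re
import tempfile

# Greedy '.+' keeps the original extension inside the name; the final
# 4-letter tag is what the ransomware appended.
LOCKED_RE = re.compile(r"^locked-(?P<original>.+\.[^.]+)\.(?P<tag>[a-z]{4})$", re.IGNORECASE)


def parse_locked_name(name):
    """Return (original_name, tag) for a locked file name, else None.

    A name without an extension before the tag (e.g. 'locked-notes.abcd')
    is ambiguous under this scheme and is deliberately not parsed.
    """
    m = LOCKED_RE.match(name)
    if not m:
        return None
    return m.group("original"), m.group("tag")


def inventory(locked_dir, clean_dirs):
    """Map each locked file to its original name and a clean copy, if one exists.

    clean_dirs are folders that may hold untouched copies (backup drive,
    another machine); matching is by file name, case-insensitively.
    """
    clean_index = {}
    for d in clean_dirs:
        for root, _dirs, files in os.walk(d):
            for f in files:
                clean_index.setdefault(f.lower(), os.path.join(root, f))
    result = {}
    for root, _dirs, files in os.walk(locked_dir):
        for f in files:
            parsed = parse_locked_name(f)
            if parsed is None:
                continue  # not a locked file, or an ambiguous name
            original, tag = parsed
            result[os.path.join(root, f)] = {
                "original": original,
                "tag": tag,
                "clean": clean_index.get(original.lower()),
            }
    return result


def summarize(inv):
    """Count locked files with and without a clean reference copy."""
    with_clean = sum(1 for v in inv.values() if v["clean"])
    return {"locked": len(inv), "with_clean": with_clean,
            "without_clean": len(inv) - with_clean}


def build_demo(base):
    """Create a constructed sample tree under base; return (locked_dir, clean_dir)."""
    locked = os.path.join(base, "Documents")
    clean = os.path.join(base, "Backup")
    os.makedirs(locked)
    os.makedirs(clean)
    # Names modelled on the ones in the ComboFix log; the tags are made up.
    for name in ("locked-Adventure Sheet.doc.urpf", "locked-holiday.jpg.kzmq",
                 "locked-song.mp3.xprt", "readme.txt"):
        with open(os.path.join(locked, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    with open(os.path.join(clean, "Adventure Sheet.doc"), "wb") as fh:
        fh.write(b"clean copy")
    return locked, clean


def run_demo():
    """Build the sample tree in a temp dir, run the inventory, return the summary."""
    with tempfile.TemporaryDirectory() as base:
        locked, clean = build_demo(base)
        inv = inventory(locked, [clean])
        for path, info in sorted(inv.items()):
            status = "clean copy: " + info["clean"] if info["clean"] else "no clean copy"
            print(f"{os.path.basename(path)} -> {info['original']} ({status})")
        return summarize(inv)


if __name__ == "__main__":
    print(run_demo())
```

Run as-is it works on the constructed tree (three locked files, one of which has a clean copy); pointing `inventory()` at the real document folder and a backup location gives the list of files that still need an original before the decryptor can be rerun, and the parsed original names make it easy to ask a friend for a copy of a specific file.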


#6 PersonaUser314

PersonaUser314
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  • Local time:08:20 PM

Posted 09 June 2012 - 10:08 AM

After running combofix, a few of the locked files were unencrypted and back to normal again - as for the others, I don't think I'll be able to get hold of the originals, so should I just delete them from my system, or does something else need to be done with them?

Here's the combofix log you asked for:

ComboFix 12-06-09.01 - Lauren 09/06/2012 15:44:41.3.4 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3317.2116 [GMT 1:00]
Running from: c:\users\Lauren\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Lauren\AppData\Roaming\Microsoft\Windows\Recent\Adventure Sheet.doc.urpf
c:\users\Lauren\AppData\Roaming\Microsoft\Windows\Recent\Cures (Persona 4).doc.nqra
c:\windows\system32\drivers\str.sys
c:\windows\system32\system
c:\windows\system32\winsh320
c:\windows\system32\winsh321
c:\windows\system32\winsh322
c:\windows\system32\winsh323
c:\windows\system32\winsh324
c:\windows\system32\winsh325
.
.
((((((((((((((((((((((((( Files Created from 2012-05-09 to 2012-06-09 )))))))))))))))))))))))))))))))
.
.
2012-06-09 14:49 . 2012-06-09 14:50 -------- d-----w- c:\users\Lauren\AppData\Local\temp
2012-06-09 14:49 . 2012-06-09 14:49 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-09 14:49 . 2012-06-09 14:49 -------- d-----w- c:\users\Lauren1\AppData\Local\temp
2012-06-09 14:49 . 2012-06-09 14:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-09 13:46 . 2012-06-09 13:46 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{59F1BA8D-E762-4E0F-83FC-B5BAD6E3E216}\offreg.dll
2012-06-09 10:25 . 2012-06-09 10:25 40960 ----a-w- c:\users\Lauren\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2012-06-09 10:25 . 2012-06-09 10:25 40960 ----a-w- c:\users\Lauren\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2012-06-09 10:25 . 2012-06-09 10:25 29184 ----a-w- c:\users\Lauren\AppData\Roaming\Microsoft\Installer\{21AE04E8-EBF6-40DB-9AA9-B7A80C5D057D}\Icon21AE04E8.exe
2012-06-09 10:23 . 2012-06-09 10:23 703824 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-06-06 12:38 . 2012-05-08 08:40 6737808 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{59F1BA8D-E762-4E0F-83FC-B5BAD6E3E216}\mpengine.dll
2012-06-04 17:25 . 2012-06-04 17:46 -------- d-----w- c:\program files\hpmonitor
2012-06-04 17:24 . 2012-06-04 17:24 254 ----a-w- C:\user.js
2012-06-04 17:24 . 2012-06-04 17:24 -------- d-----w- c:\users\Lauren\AppData\Roaming\Babylon
2012-06-04 17:24 . 2012-06-04 17:24 -------- d-----w- c:\programdata\Babylon
2012-06-04 17:23 . 2012-06-04 17:48 -------- d-----w- c:\program files\4dots Software
2012-06-04 17:22 . 2012-06-04 17:22 -------- d--h--w- c:\programdata\Common Files
2012-06-04 17:22 . 2012-06-04 17:22 -------- d-----w- c:\programdata\MFAData
2012-06-03 15:06 . 2012-06-03 15:06 -------- d-----w- c:\program files\Common Files\Java
2012-06-03 15:05 . 2012-06-03 15:05 -------- d-----w- c:\program files\Oracle
2012-05-26 13:31 . 2012-05-26 13:30 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F7EDEAD3-41A9-41F1-AB18-AB61D7858DDD}\gapaengine.dll
2012-05-26 13:31 . 2012-06-09 10:23 6734704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-26 13:24 . 2012-06-09 10:23 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-05-24 21:56 . 2012-05-24 21:56 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-23 19:17 . 2012-05-25 17:54 -------- d-----w- c:\windows\system32\%LOCALAPPDATA%
2012-05-20 18:08 . 2012-05-25 17:24 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-05-15 15:32 . 2012-05-23 18:39 -------- d-----w- c:\users\Lauren\AppData\Roaming\Mitlhdpbxkn
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-05 20:40 . 2012-04-12 12:52 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-05 20:40 . 2011-06-16 19:28 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 17:47 . 2012-02-10 01:16 772504 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-04-04 17:47 . 2010-05-28 13:46 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-31 04:39 . 2012-05-09 18:11 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-31 04:39 . 2012-05-09 18:11 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-31 02:36 . 2012-05-09 18:11 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-03-30 10:23 . 2012-05-09 18:11 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-20 19:44 . 2010-10-24 20:25 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-20 19:44 . 2010-10-24 20:25 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-17 07:27 . 2012-05-09 18:11 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-04-27 23:28 . 2012-01-21 01:13 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\Lauren\AppData\Local\Akamai\netsession_win.exe" [2012-05-07 3331872]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableRegedit"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 135664]
R2 NEWDRIVER;NEWDRIVER;c:\windows\system32\WinVDEdrv6.sys [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 135664]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-05-25 40776]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-27 129976]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-20 74112]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 214952]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-21 1343400]
R4 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2009-10-26 464384]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 20:40]
.
2012-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 16:35]
.
2012-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 16:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/?affID=110019&tt=220512_53ctrl&babsrc=HP_ss&mntrId=eed80c340000000000000024e8142280
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Lauren\AppData\Roaming\Mozilla\Firefox\Profiles\kj7vdly3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110019&tt=220512_53ctrl
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - eed80c340000000000000024e8142280
FF - user.js: extensions.BabylonToolbar_i.hardId - eed80c340000000000000024e8142280
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15495
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1718:24
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-EED80C34 - c:\windows\system32\555465A5EED80C342A71.exe
SafeBoot-79772640.sys
SafeBoot-WinFLAdrv.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Microsoft Security Client\MpCmdRun.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-06-09 15:54:34 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-09 14:54
ComboFix2.txt 2012-06-09 10:23
ComboFix3.txt 2012-06-09 10:24
.
Pre-Run: 170,270,203,904 bytes free
Post-Run: 170,630,029,312 bytes free
.
- - End Of File - - 3E716EDA48FCFC11E065DCE4E0F42EAD

Edited by PersonaUser314, 09 June 2012 - 10:09 AM.


#7 CatByte

  • Malware Response Team

Posted 09 June 2012 - 10:32 AM

I would hang onto them and keep an eye on any updates for those Kaspersky utilities, as they are working on decryptors for the newest variants all the time.


Please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
c:\users\Lauren\AppData\Roaming\Mitlhdpbxkn

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=dword:00000000

DDS::
uStart Page = hxxp://search.babylon.com/?affID=110019&tt=220512_53ctrl&babsrc=HP_ss&mntrId=eed80c340000000000000024e8142280
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110019&tt=220512_53ctrl
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - eed80c340000000000000024e8142280
FF - user.js: extensions.BabylonToolbar_i.hardId - eed80c340000000000000024e8142280
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15495
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1718:24
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, saving it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


NEXT


Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 PersonaUser314
  • Topic Starter

Posted 09 June 2012 - 12:19 PM

So they'll be OK just being on my cpu? They're not potentially malicious or anything?

The logs you wanted:

Combofix:

ComboFix 12-06-09.01 - Lauren 09/06/2012 16:41:15.4.4 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3317.2241 [GMT 1:00]
Running from: c:\users\Lauren\Desktop\ComboFix.exe
Command switches used :: c:\users\Lauren\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Lauren\AppData\Roaming\Mitlhdpbxkn
.
.
((((((((((((((((((((((((( Files Created from 2012-05-09 to 2012-06-09 )))))))))))))))))))))))))))))))
.
.
2012-06-09 15:45 . 2012-06-09 15:45 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-09 15:45 . 2012-06-09 15:45 -------- d-----w- c:\users\Lauren1\AppData\Local\temp
2012-06-09 15:45 . 2012-06-09 15:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-09 15:05 . 2012-05-08 08:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0A6882AF-7189-413C-B2C8-BABA79DD4287}\mpengine.dll
2012-06-09 14:49 . 2012-06-09 15:45 -------- d-----w- c:\users\Lauren\AppData\Local\temp
2012-06-09 10:25 . 2012-06-09 10:25 40960 ----a-w- c:\users\Lauren\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2012-06-09 10:25 . 2012-06-09 10:25 40960 ----a-w- c:\users\Lauren\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2012-06-09 10:25 . 2012-06-09 10:25 29184 ----a-w- c:\users\Lauren\AppData\Roaming\Microsoft\Installer\{21AE04E8-EBF6-40DB-9AA9-B7A80C5D057D}\Icon21AE04E8.exe
2012-06-09 10:23 . 2012-06-09 10:23 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-06-04 17:25 . 2012-06-04 17:46 -------- d-----w- c:\program files\hpmonitor
2012-06-04 17:24 . 2012-06-04 17:24 254 ----a-w- C:\user.js
2012-06-04 17:24 . 2012-06-04 17:24 -------- d-----w- c:\users\Lauren\AppData\Roaming\Babylon
2012-06-04 17:24 . 2012-06-04 17:24 -------- d-----w- c:\programdata\Babylon
2012-06-04 17:23 . 2012-06-04 17:48 -------- d-----w- c:\program files\4dots Software
2012-06-04 17:22 . 2012-06-04 17:22 -------- d--h--w- c:\programdata\Common Files
2012-06-04 17:22 . 2012-06-04 17:22 -------- d-----w- c:\programdata\MFAData
2012-06-03 15:06 . 2012-06-03 15:06 -------- d-----w- c:\program files\Common Files\Java
2012-06-03 15:05 . 2012-06-03 15:05 -------- d-----w- c:\program files\Oracle
2012-05-26 13:31 . 2012-05-26 13:30 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F7EDEAD3-41A9-41F1-AB18-AB61D7858DDD}\gapaengine.dll
2012-05-26 13:31 . 2012-06-09 10:23 6734704 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-26 13:24 . 2012-06-09 10:23 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-05-24 21:56 . 2012-05-24 21:56 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-23 19:17 . 2012-05-25 17:54 -------- d-----w- c:\windows\system32\%LOCALAPPDATA%
2012-05-20 18:08 . 2012-05-25 17:24 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-05 20:40 . 2012-04-12 12:52 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-05 20:40 . 2011-06-16 19:28 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 17:47 . 2012-02-10 01:16 772504 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-04-04 17:47 . 2010-05-28 13:46 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-31 04:39 . 2012-05-09 18:11 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-31 04:39 . 2012-05-09 18:11 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-31 02:36 . 2012-05-09 18:11 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-03-30 10:23 . 2012-05-09 18:11 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-20 19:44 . 2010-10-24 20:25 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-20 19:44 . 2010-10-24 20:25 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-17 07:27 . 2012-05-09 18:11 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-04-27 23:28 . 2012-01-21 01:13 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\Lauren\AppData\Local\Akamai\netsession_win.exe" [2012-05-07 3331872]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableRegedit"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 135664]
R2 NEWDRIVER;NEWDRIVER;c:\windows\system32\WinVDEdrv6.sys [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 135664]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-05-25 40776]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-27 129976]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-20 74112]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 214952]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-21 1343400]
R4 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2009-10-26 464384]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 20:40]
.
2012-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 16:35]
.
2012-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 16:35]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Lauren\AppData\Roaming\Mozilla\Firefox\Profiles\kj7vdly3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110019&tt=220512_53ctrl
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - eed80c340000000000000024e8142280
FF - user.js: extensions.BabylonToolbar_i.hardId - eed80c340000000000000024e8142280
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15495
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1718:24
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-06-09 16:47:02
ComboFix-quarantined-files.txt 2012-06-09 15:47
ComboFix2.txt 2012-06-09 14:54
ComboFix3.txt 2012-06-09 10:23
ComboFix4.txt 2012-06-09 10:24
.
Pre-Run: 171,501,699,072 bytes free
Post-Run: 171,448,619,008 bytes free
.
- - End Of File - - AB654E638F81E087E758F9A8287E5484

Malwarebytes:


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.09.05

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Lauren :: LAUREN-PC [administrator]

09/06/2012 16:52:37
mbam-log-2012-06-09 (16-52-37).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 220077
Time elapsed: 4 minute(s), 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 0 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 1 -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ESETS:

C:\_OTL\MovedFiles\02062012_170051\c_program files\internet explorer\bin\iexplore.exe a variant of Win32/BitCoinMiner.A application
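The MBAM results above report DisableRegedit in both hives as Hijack.Regedit, and the ComboFix "Reg Loading Points" block also shows the UAC values (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) turned off. As an added example that is not part of this thread or of ComboFix or MBAM, this Python snippet parses a ComboFix-style policy block and flags those weakened settings; the sample log text is constructed from the lines posted above, and the set of flagged values is this example's own choice.

```python
import re
from typing import Dict, List, Tuple

# Policy values that, when set as shown, weaken the system or indicate a
# hijack. DisableRegedit=1 is what MBAM reported as Hijack.Regedit in the
# log above; the three UAC values are also shown turned off there.
SUSPECT_POLICIES: Dict[str, Tuple[int, str]] = {
    "DisableRegedit": (1, "Registry Editor disabled (MBAM: Hijack.Regedit)"),
    "EnableLUA": (0, "UAC disabled"),
    "ConsentPromptBehaviorAdmin": (0, "admins elevate without a UAC prompt"),
    "PromptOnSecureDesktop": (0, "UAC prompts not shown on the secure desktop"),
}

# ComboFix prints keys as [HKEY_...\path] and DWORDs as "Name"= 1 (0x1).
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(-?\d+)\s*\(0x[0-9A-Fa-f]+\)$')


def parse_policy_blocks(text: str) -> Dict[str, Dict[str, int]]:
    """Return {key_path: {value_name: dword}} for every 'policies\\system'
    block in a ComboFix 'Reg Loading Points' section; other keys are skipped."""
    blocks: Dict[str, Dict[str, int]] = {}
    current = None  # key path of the block being read, or None to skip
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            is_policy = key.lower().endswith(r"\policies\system")
            current = key if is_policy else None
            if current is not None:
                blocks.setdefault(current, {})
            continue
        if current is None:
            continue
        value_match = VALUE_RE.match(line)
        if value_match:
            blocks[current][value_match.group(1)] = int(value_match.group(2))
    return blocks


def find_suspect_policies(text: str) -> List[Tuple[str, str, int, str]]:
    """List (key_path, value_name, data, reason) for each suspect setting found."""
    findings = []
    for key, values in parse_policy_blocks(text).items():
        for name, data in values.items():
            expected = SUSPECT_POLICIES.get(name)
            if expected is not None and data == expected[0]:
                findings.append((key, name, data, expected[1]))
    return findings


# Constructed sample: the policy and drivers32 blocks copied from the
# ComboFix log posted above, with the dots ComboFix uses as separators.
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableRegedit"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv
"""

if __name__ == "__main__":
    for key, name, data, reason in find_suspect_policies(SAMPLE_LOG):
        hive = "HKLM" if key.startswith("HKEY_LOCAL_MACHINE") else "HKCU"
        print(f"{hive}: {name}={data} -> {reason}")
```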

#9 CatByte

  • Malware Response Team

Posted 09 June 2012 - 01:34 PM

You could move those files to an empty USB stick and then remove them from your system, just to be certain.

How many files are left encrypted and what type of files are they?

How is the computer running now?

Are there any outstanding issues?



#10 PersonaUser314
  • Topic Starter

Posted 09 June 2012 - 02:05 PM

I'm actually having trouble figuring out what some of the files are, since they now read 'locked-filename.4 letters' rather than 'locked.filename.extension.4 letters'.
Basing my guesses on the previous locations of the files I think at least 2 are mp3s, 2 are pictures, several are PS3 save data files and the rest are files associated with an Image Manipulation program I have called GIMP (though the program itself runs fine). I've shifted all but the GIMP files to my desktop - I can probably move those and the GIMP files to a USB and just re-download GIMP if I need to.

The computer seems to be running fine now. It was suggested in the previous thread that I set up a new system restore point; will I be OK to do that once I move those files?

#11 CatByte

  • Malware Response Team

Posted 09 June 2012 - 03:13 PM

Yes,

I suggest you remove the Babylon toolbar from Firefox (unless you intentionally installed it yourself), as it usually comes bundled with other software and is unwanted.

A new restore point is created when we uninstall ComboFix, which we will do shortly.

For any of those files that remain, if they are associated with programs that aren't too difficult to uninstall and then re-install, then that's what I would do, and get rid of the remainder of the files.

You may want to give your system a defrag after you have done that.

First open an elevated Command Prompt
  • Go to Start > All Programs > Accessories
  • right click on the Command Prompt and choose “Run as administrator”
  • Type the following to see how much your hard drive is fragmented (in this example, your C:\ drive):
  • defrag c: -a (be patient, this can take a while)
  • The resulting analysis will tell you a “Percent file fragmentation” and at the bottom, if you need to defragment the drive or not.
  • To fully defragment your C:\ drive type the following:
  • defrag c: -w
  • Give it time to run (it can take a while, best to leave the computer alone) and then you’re done!

NEXT


You can delete the DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.



#12 PersonaUser314
  • Topic Starter

Posted 09 June 2012 - 06:03 PM

Cleanup of programs and logs is done and finished! Ran TFC and installed WOT for extra safety. As for the Babylon toolbar, that had actually vanished from Firefox after the ComboFix scans. I've looked in the C drive and in the Control Panel and it doesn't seem to be anywhere, so I'm assuming it got deleted by something.

Thanks very much for your help with this issue and for your speedy responses to the problem^^

#13 CatByte

  • Malware Response Team

Posted 09 June 2012 - 06:07 PM

You are welcome.

stay safe :hello:

~CB



#14 CatByte

  • Malware Response Team

Posted 09 June 2012 - 06:08 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
