Huge virus window pop up won't let me run antivirus download


26 replies to this topic

#1 ellimjay

ellimjay

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Washington
  • Local time:12:12 PM

Posted 06 June 2012 - 07:29 PM

I had some kind of virus or trojan or whatever attack my comp. Btw, if there are typos in this, I apologize, but I can only see about 30-40% of my screen, most of which is border. This huge freaking black window has popped up and I can't get it to go away. It won't minimize, can't be moved, and blocks absolutely everything so that I can't see or click on anything underneath it. I downloaded Avast, but can't run it because the effing window to run it is under the black box of doom, and cannot be moved, apparently.

The black box says:

WARNING!!! CRYPT ID = 778
Your computer protection level was very low and your system was attacked by trojan program which encrypts data.
All your documents, text files, databases, pictures and etc. were encrypted by secure AES algorithm with unique password.
Random password entry attempt is imposible, all the data will be damaged after first unsuccessful attempt.
Programs that can restore data wont help you as original files will be destroyed without a possibility to restore them.
It is useless to ask someone for help. Only we can decipher your data.
We will create a decipher program if you really need your files.COST IS $50.
We accept payments through MoneyPak. ( you can find more information on their website www.moneypak.com).
Enter MoneyPak number with $50 value as well as your e-mail and click Pay.
You will receive decipher program which will help you to retrieve your files and remove malware from your computer in 24 HOURS.)
We provide 100% guarantee that your data will be restored in 24 hours after
ATTENTION: Do not remove this window or other program components until you receive a decipher. Such actions may make your data restoration impossible.
ATTENTION: In case if MoneyPak number and/or e-mail is invalid it will make restoration process more complicated. PRODUCT COST WILL RISE TO $150. EMAIL: decryptmeplease@yahoo.com



How do I get rid of this stupid thing??? I can't bring up task manager or start in safe mode, either.

Someone please help - I think my blood pressure has tripled trying to deal with this thing!! :(


#2 ellimjay

ellimjay
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Washington
  • Local time:12:12 PM

Posted 06 June 2012 - 08:24 PM

I forgot to mention that I'm running Windows 7. Thank you all for your time.

#3 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:12 PM

Posted 06 June 2012 - 10:11 PM

Hi and :welcome:

Let's give it a try. You will need a USB flash drive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:12 PM

Posted 21 September 2012 - 07:38 PM

Due to the lack of feedback this Topic is closed. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!



#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:12 PM

Posted 24 October 2012 - 08:04 AM

Please post the report.



#6 ellimjay

ellimjay
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Washington
  • Local time:12:12 PM

Posted 25 October 2012 - 09:10 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-10-2012
Ran by SYSTEM at 23-10-2012 23:02:54
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [488816 2011-01-04] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [5249024 2010-02-01] (Dell Inc.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe [x]
HKLM\...\Run: [PortableDeviceValues] "C:\Program Files\Common Files\PortableDeviceValues\PortableDeviceValues.exe" /v [79328 2012-05-31] (tttt Corporation)
HKU\User\...\Run: [Google Update] "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-02-15] (Google Inc.)
HKU\User\...\Run: [SetSysLog32] "C:\Users\User\AppData\Roaming\SetSysLog32.exe" [284160 2012-05-31] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Startup: C:\Users\User\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ===================

2 alssvc; "C:\Program Files\Dell\Ambient Light Sensor\AlsSvc.exe" [382232 2008-06-03] (Dell Inc.)
2 wltrysvc; "C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE" "C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe" [4539392 2010-02-01] (Dell Inc.)

==================== Drivers (Whitelisted) ====================

3 acpials; C:\Windows\System32\DRIVERS\acpials.sys [7680 2009-07-13] (Microsoft Corporation)
3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2010-02-01] (Broadcom Corporation)
3 STHDA; C:\Windows\System32\DRIVERS\stwrt.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========



==================== 3 Months Modified Files ==================

2012-10-23 19:57 - 2009-07-13 20:34 - 00015696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-23 19:57 - 2009-07-13 20:34 - 00015696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-23 19:47 - 2012-01-28 18:40 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI
2012-10-23 19:43 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-23 19:43 - 2009-07-13 20:39 - 00028145 ____A C:\Windows\setupact.log

ZeroAccess:
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\@
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\L
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\n
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\U
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\U\00000001.@
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\U\80000000.@
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\U\800000cb.@

ZeroAccess:
C:\Users\User\AppData\Local\{d33b9d17-d410-b1d4-3fdc-4213161614ac}
C:\Users\User\AppData\Local\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\@
C:\Users\User\AppData\Local\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\L
C:\Users\User\AppData\Local\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\n
C:\Users\User\AppData\Local\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\U

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-05-11 19:57:14
Restore point made on: 2012-05-13 12:49:51
Restore point made on: 2012-05-18 13:29:07
Restore point made on: 2012-05-21 18:45:21
Restore point made on: 2012-05-22 06:31:43
Restore point made on: 2012-05-25 21:33:07
Restore point made on: 2012-05-29 11:53:09
Restore point made on: 2012-06-06 19:00:57

==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 2003.17 MB
Available physical RAM: 1613.57 MB
Total Pagefile: 2003.17 MB
Available Pagefile: 1614 MB
Total Virtual: 2047.88 MB
Available Virtual: 1968.7 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:148.95 GB) (Free:126.34 GB) NTFS
3 Drive f: () (Removable) (Total:1.88 GB) (Free:1.84 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B
Disk 1 Online 1927 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 148 GB 101 MB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 148 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1927 MB 31 KB

=========================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT Removable 1927 MB Healthy

=========================================================

Last Boot: 2012-05-29 12:35

==================== End Of Log ============================

#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:12 PM

Posted 26 October 2012 - 12:31 PM

First step:

Download the enclosed file.

Save it next to FRST.

Run FRST as you did before, except that this time around click on the Fix button and wait.

It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.

Second step:

Type the following in the edit box on FRST, after "Search:".

services.exe

It then should look like:

Search: services.exe

Click Search button and post the log (Search.txt) it makes on the USB drive in your next reply.

Edited by JSntgRvr, 26 October 2012 - 12:31 PM.



#8 ellimjay

ellimjay
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Washington
  • Local time:12:12 PM

Posted 05 November 2012 - 02:54 PM

Farbar Recovery Scan Tool (x86) Version: 30-10-2012
Ran by SYSTEM at 2012-11-02 21:21:01
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===



Thanks for all your help, btw.

Edited by ellimjay, 05 November 2012 - 02:54 PM.
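The two search hits above show the detail that matters for a responder: the System32 copy of services.exe and the WinSxS copy have the same size and the same timestamps, but different MD5 hashes. The following Python script is an added example (not code from this thread or from FRST) that parses Search.txt output in the format shown above and flags exactly that pattern. The sample input is the search output posted above; the line-format regex and the rule that WinSxS copies serve as the reference are assumptions about the log format.

```python
import re
from collections import defaultdict

# Constructed sample: the FRST "Search: services.exe" output posted in this
# thread, copied as-is so the parser runs offline.
SAMPLE_SEARCH = """\
Farbar Recovery Scan Tool (x86) Version: 30-10-2012
Ran by SYSTEM at 2012-11-02 21:21:01
Running from F:\\

================== Search: "services.exe" ===================

C:\\Windows\\winsxs\\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\\Windows\\System32\\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
"""

# Assumed detail-line layout: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_search(text):
    """Return one dict per file entry (path, timestamps, size, company, md5)."""
    entries = []
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            pending_path = None          # blank line or section banner
            continue
        m = DETAIL_RE.match(line)
        if m and pending_path:
            entry = m.groupdict()
            entry["path"] = pending_path
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
            pending_path = None
        elif PATH_RE.match(line):
            pending_path = line          # a path line precedes its detail line
    return entries


def find_tampered(entries):
    """Compare each live copy of a file against same-named WinSxS copies.

    A hash mismatch alone can be a legitimate update, so the strongest
    signal is a differing MD5 with identical size and timestamps: the file
    was rewritten in place while its metadata was preserved.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)

    findings = []
    for group in by_name.values():
        refs = [e for e in group if "\\winsxs\\" in e["path"].lower()]
        live = [e for e in group if "\\winsxs\\" not in e["path"].lower()]
        for lv in live:
            for ref in refs:
                if lv["md5"] == ref["md5"]:
                    continue
                meta_same = (lv["size"], lv["created"], lv["modified"]) == (
                    ref["size"], ref["created"], ref["modified"])
                findings.append({
                    "path": lv["path"],
                    "md5": lv["md5"],
                    "reference": ref["path"],
                    "reference_md5": ref["md5"],
                    "in_place_patch": meta_same,
                })
    return findings


if __name__ == "__main__":
    for f in find_tampered(parse_search(SAMPLE_SEARCH)):
        tag = "IN-PLACE PATCH" if f["in_place_patch"] else "hash mismatch"
        print(f"{tag}: {f['path']} {f['md5']} != {f['reference_md5']}")
```

A clean copy in WinSxS is also what makes replacement possible, which is why the helper asked for this search before building the fix.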


#9 ellimjay

ellimjay
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Washington
  • Local time:12:12 PM

Posted 05 November 2012 - 02:55 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-10-2012
Ran by SYSTEM at 02-11-2012 21:17:42
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [488816 2011-01-04] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [5249024 2010-02-01] (Dell Inc.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe [x]
HKLM\...\Run: [PortableDeviceValues] "C:\Program Files\Common Files\PortableDeviceValues\PortableDeviceValues.exe" /v [79328 2012-05-31] (tttt Corporation)
HKU\User\...\Run: [Google Update] "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-02-15] (Google Inc.)
HKU\User\...\Run: [SetSysLog32] "C:\Users\User\AppData\Roaming\SetSysLog32.exe" [284160 2012-05-31] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Startup: C:\Users\User\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ===================

2 alssvc; "C:\Program Files\Dell\Ambient Light Sensor\AlsSvc.exe" [382232 2008-06-03] (Dell Inc.)
2 wltrysvc; "C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE" "C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe" [4539392 2010-02-01] (Dell Inc.)

==================== Drivers (Whitelisted) ====================

3 acpials; C:\Windows\System32\DRIVERS\acpials.sys [7680 2009-07-13] (Microsoft Corporation)
3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2010-02-01] (Broadcom Corporation)
3 STHDA; C:\Windows\System32\DRIVERS\stwrt.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========



==================== 3 Months Modified Files ==================

2012-10-23 20:12 - 2009-07-13 20:34 - 00015696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-23 20:12 - 2009-07-13 20:34 - 00015696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-23 20:09 - 2012-01-28 18:40 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI
2012-10-23 20:06 - 2009-07-13 20:39 - 00028995 ____A C:\Windows\setupact.log
2012-10-23 20:05 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

ZeroAccess:
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\@
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\L
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\n
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\U
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\U\00000001.@
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\U\80000000.@
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\U\800000cb.@

ZeroAccess:
C:\Users\User\AppData\Local\{d33b9d17-d410-b1d4-3fdc-4213161614ac}
C:\Users\User\AppData\Local\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\@
C:\Users\User\AppData\Local\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\L
C:\Users\User\AppData\Local\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\n
C:\Users\User\AppData\Local\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\U

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-05-13 12:49:51
Restore point made on: 2012-05-18 13:29:07
Restore point made on: 2012-05-21 18:45:21
Restore point made on: 2012-05-22 06:31:43
Restore point made on: 2012-05-25 21:33:07
Restore point made on: 2012-05-29 11:53:09
Restore point made on: 2012-06-06 19:00:57
Restore point made on: 2012-10-23 20:37:20

==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 2003.17 MB
Available physical RAM: 1612.78 MB
Total Pagefile: 2003.17 MB
Available Pagefile: 1613.57 MB
Total Virtual: 2047.88 MB
Available Virtual: 1969.62 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:148.95 GB) (Free:126.56 GB) NTFS
3 Drive f: () (Removable) (Total:3.75 GB) (Free:3.75 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B
Disk 1 Online 3851 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 148 GB 101 MB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 148 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3847 MB 4096 KB

=========================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT32 Removable 3847 MB Healthy

=========================================================

Last Boot: 2012-10-23 20:30

==================== End Of Log ============================

#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:12 PM

Posted 07 November 2012 - 12:56 PM

Download the enclosed file.

Save it next to FRST, overwriting the existing one.

Run FRST as you did before, except that this time around click on the Fix button and wait.

It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.

Boot in normal mode.

If successful, run Combofix as follows:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.



#11 ellimjay

ellimjay
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Washington
  • Local time:12:12 PM

Posted 08 November 2012 - 05:47 PM

It still didn't work. :( Here are the logs:

Attached File  Fixlog.txt   636bytes   5 downloads

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-10-2012
Ran by SYSTEM at 02-11-2012 21:17:42
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [488816 2011-01-04] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [5249024 2010-02-01] (Dell Inc.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe [x]
HKLM\...\Run: [PortableDeviceValues] "C:\Program Files\Common Files\PortableDeviceValues\PortableDeviceValues.exe" /v [79328 2012-05-31] (tttt Corporation)
HKU\User\...\Run: [Google Update] "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-02-15] (Google Inc.)
HKU\User\...\Run: [SetSysLog32] "C:\Users\User\AppData\Roaming\SetSysLog32.exe" [284160 2012-05-31] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Startup: C:\Users\User\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ===================

2 alssvc; "C:\Program Files\Dell\Ambient Light Sensor\AlsSvc.exe" [382232 2008-06-03] (Dell Inc.)
2 wltrysvc; "C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE" "C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe" [4539392 2010-02-01] (Dell Inc.)

==================== Drivers (Whitelisted) ====================

3 acpials; C:\Windows\System32\DRIVERS\acpials.sys [7680 2009-07-13] (Microsoft Corporation)
3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2010-02-01] (Broadcom Corporation)
3 STHDA; C:\Windows\System32\DRIVERS\stwrt.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========



==================== 3 Months Modified Files ==================

2012-10-23 20:12 - 2009-07-13 20:34 - 00015696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-23 20:12 - 2009-07-13 20:34 - 00015696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-23 20:09 - 2012-01-28 18:40 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI
2012-10-23 20:06 - 2009-07-13 20:39 - 00028995 ____A C:\Windows\setupact.log
2012-10-23 20:05 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

ZeroAccess:
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\@
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\L
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\n
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\U
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\U\00000001.@
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\U\80000000.@
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\U\800000cb.@

ZeroAccess:
C:\Users\User\AppData\Local\{d33b9d17-d410-b1d4-3fdc-4213161614ac}
C:\Users\User\AppData\Local\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\@
C:\Users\User\AppData\Local\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\L
C:\Users\User\AppData\Local\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\n
C:\Users\User\AppData\Local\{d33b9d17-d410-b1d4-3fdc-4213161614ac}\U

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-05-13 12:49:51
Restore point made on: 2012-05-18 13:29:07
Restore point made on: 2012-05-21 18:45:21
Restore point made on: 2012-05-22 06:31:43
Restore point made on: 2012-05-25 21:33:07
Restore point made on: 2012-05-29 11:53:09
Restore point made on: 2012-06-06 19:00:57
Restore point made on: 2012-10-23 20:37:20

==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 2003.17 MB
Available physical RAM: 1612.78 MB
Total Pagefile: 2003.17 MB
Available Pagefile: 1613.57 MB
Total Virtual: 2047.88 MB
Available Virtual: 1969.62 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:148.95 GB) (Free:126.56 GB) NTFS
3 Drive f: () (Removable) (Total:3.75 GB) (Free:3.75 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          149 GB      0 B
  Disk 1    Online         3851 MB      0 B

Partitions of Disk 0:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            100 MB  1024 KB
  Partition 2    Primary            148 GB   101 MB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   System Rese  NTFS   Partition    100 MB  Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    148 GB  Healthy

=========================================================

Partitions of Disk 1:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3847 MB  4096 KB

=========================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     F                FAT32  Removable   3847 MB  Healthy

=========================================================

Last Boot: 2012-10-23 20:30

==================== End Of Log ============================

Attached Files


Edited by JSntgRvr, 08 November 2012 - 11:41 PM.


#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:12 PM

Posted 08 November 2012 - 11:54 PM

Please download MBRFix. Save and extract its contents to the desktop. Once extracted, there will be three files in the folder. Copy just the MBRFix application to the USB drive.

Download also the enclosed file next to FRST, overwriting the existing one.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post its contents in your reply. It will also produce another file, MBRDUMP.txt, on the flash drive that, although it may look like a text file, is a hex file. You must attach this report to your reply instead of posting its contents.

The FRST report included was the previous one. Please also run another scan in FRST and post the new FRST.txt report.

Edited by JSntgRvr, 09 November 2012 - 12:03 AM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
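The MBRDUMP.txt requested above is raw sector 0 of the disk, 512 bytes of binary, which is why it has to be attached rather than pasted. As an added example of what an analyst does with such a dump (this is not FRST's or MBRFix's code), the Python script below decodes the four partition entries, checks the 0x55AA boot signature, the active flag and overlapping entries, and compares the boot-code area against a known-good sector saved from the same disk before any change or from a clean install of the same Windows version. The input is a constructed MBR whose partition table mirrors FRST's Disk 0 listing in this thread (type 07, active, 100 MB at 1024 KB; type 07, 148 GB at 101 MB); the sector counts, disk signature and boot-code bytes are placeholders chosen for the fixture, not data from the thread.

```python
"""Read a raw MBR the way an analyst reads FRST's MBRDUMP.txt.

Added example for this thread, not FRST's or MBRFix's code. The fixture
built by build_sample_mbr() is constructed: its partition table follows
FRST's Disk 0 report, while its sector counts, disk signature and boot
code bytes are placeholders.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439: boot code
DISK_SIG_OFF = 440         # 4-byte NT disk signature, then 2 reserved bytes
TABLE_OFF = 446            # four 16-byte partition entries, then 55 AA
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(mbr):
    """Decode signature, disk signature, boot-code hash and the used partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly %d bytes, got %d" % (SECTOR, len(mbr)))
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue                                   # empty slot
        parts.append({"index": i + 1, "status": status, "type": ptype,
                      "lba_start": lba, "sectors": count,
                      "offset_kb": lba * SECTOR // 1024,          # what FRST prints as Offset
                      "size_mb": count * SECTOR // (1024 * 1024)})  # what FRST prints as Size
    return {"boot_signature_ok": mbr[510:512] == b"\x55\xAA",
            "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
            "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}


def audit_mbr(mbr, reference_mbr=None):
    """Return the findings an analyst would flag; reference_mbr is a known-good sector."""
    info = parse_mbr(mbr)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append("entry %d has invalid status byte 0x%02X" % (p["index"], p["status"]))
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                   for p in info["partitions"])
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append("entries %d and %d overlap" % (i1, i2))
    # The partition listing FRST prints comes from the table only; a bootkit that
    # leaves the table alone and replaces the code area is caught here, not above.
    if reference_mbr is not None and mbr[:BOOT_CODE_LEN] != reference_mbr[:BOOT_CODE_LEN]:
        findings.append("boot code differs from reference (partition table may still match)")
    return findings


def build_sample_mbr():
    """Constructed fixture: placeholder code area, table as FRST reports Disk 0."""
    code = (b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * BOOT_CODE_LEN)[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x1D2E3F40) + b"\x00\x00"      # placeholder signature
    table = b"".join([
        struct.pack(ENTRY_FMT, 0x80, bytes(3), 0x07, bytes(3), 2048, 204800),       # 1024 KB, 100 MB
        struct.pack(ENTRY_FMT, 0x00, bytes(3), 0x07, bytes(3), 206848, 312374960),  # 101 MB, ~148.95 GB
        bytes(16), bytes(16)])
    return code + disk_sig + table + b"\x55\xAA"


def bootkit_style_patch(mbr):
    """Constructed tamper: keep the table, overwrite the start of the boot code."""
    patched = bytearray(mbr)
    patched[0:16] = b"\xEB\x0E" + b"\xCC" * 14     # placeholder bytes, not real malware
    return bytes(patched)


def run_demo():
    clean = build_sample_mbr()
    bad = bootkit_style_patch(clean)
    return {"clean": audit_mbr(clean, clean),
            "patched": audit_mbr(bad, clean),
            "table_unchanged": parse_mbr(bad)["partitions"] == parse_mbr(clean)["partitions"]}


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr())["partitions"]:
        print("Partition %d  type %02X  active=%s  offset %d KB  size %d MB"
              % (p["index"], p["type"], p["status"] == 0x80, p["offset_kb"], p["size_mb"]))
    print(run_demo())
```

On a real dump, `open("MBRDUMP.txt", "rb").read()` supplies the 512 bytes. The partition-table fields alone reproduce FRST's offset and size columns; the boot-code comparison is the part a table listing cannot give you, since an MBR bootkit of that era typically left the table intact.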


#13 ellimjay

ellimjay
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Washington
  • Local time:12:12 PM

Posted 11 November 2012 - 06:44 PM

I apologize for my ignorance, but I can't seem to open the setup file to get to the three folders/files you're talking about. I tried saving that to the desktop and the USB drive, but any time I try to open it, it just starts to download and run the program. Now I have something called FixPC on this comp with popups all the time. :(

What am I doing wrong? You might have to break it down step-by-step for me, sorry.

#14 ellimjay

ellimjay
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Washington
  • Local time:12:12 PM

Posted 11 November 2012 - 06:49 PM

Never mind - I just realized that I was clicking the huge "Download" button that was on an AD. *facepalm*

#15 ellimjay

ellimjay
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Washington
  • Local time:12:12 PM

Posted 11 November 2012 - 08:19 PM

Here it is:

Fixlog

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 30-10-2012
Ran by SYSTEM at 2012-11-11 19:15:36 Run:2
Running from F:\

==============================================

MBRDUMP.txt is made successfully.
HKEY_USERS\User\Software\Microsoft\Windows\CurrentVersion\Run\\SetSysLog32 Value deleted successfully.
C:\Users\User\AppData\Roaming\SetSysLog32.exe moved successfully.
C:\Windows\Installer\{d33b9d17-d410-b1d4-3fdc-4213161614ac} not found.
C:\Users\User\AppData\Local\{d33b9d17-d410-b1d4-3fdc-4213161614ac} not found.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====



FRST

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-10-2012 (ATTENTION: FRST version is 12 days old)
Ran by SYSTEM at 11-11-2012 19:16:20
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [488816 2011-01-04] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [5249024 2010-02-01] (Dell Inc.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe [x]
HKLM\...\Run: [PortableDeviceValues] "C:\Program Files\Common Files\PortableDeviceValues\PortableDeviceValues.exe" /v [79328 2012-05-31] (tttt Corporation)
HKU\User\...\Run: [Google Update] "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-02-15] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Startup: C:\Users\User\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ===================

2 alssvc; "C:\Program Files\Dell\Ambient Light Sensor\AlsSvc.exe" [382232 2008-06-03] (Dell Inc.)
2 wltrysvc; "C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE" "C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe" [4539392 2010-02-01] (Dell Inc.)

==================== Drivers (Whitelisted) ====================

3 acpials; C:\Windows\System32\DRIVERS\acpials.sys [7680 2009-07-13] (Microsoft Corporation)
3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2010-02-01] (Broadcom Corporation)
3 STHDA; C:\Windows\System32\DRIVERS\stwrt.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========



==================== 3 Months Modified Files ==================

2012-11-11 17:09 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-11 17:09 - 2009-07-13 20:39 - 00030013 ____A C:\Windows\setupact.log
2012-10-23 20:12 - 2009-07-13 20:34 - 00015696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-23 20:12 - 2009-07-13 20:34 - 00015696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-23 20:09 - 2012-01-28 18:40 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-05-13 12:49:51
Restore point made on: 2012-05-18 13:29:07
Restore point made on: 2012-05-21 18:45:21
Restore point made on: 2012-05-22 06:31:43
Restore point made on: 2012-05-25 21:33:07
Restore point made on: 2012-05-29 11:53:09
Restore point made on: 2012-06-06 19:00:57
Restore point made on: 2012-10-23 20:37:20

==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 2003.17 MB
Available physical RAM: 1609.57 MB
Total Pagefile: 2003.17 MB
Available Pagefile: 1611.6 MB
Total Virtual: 2047.88 MB
Available Virtual: 1969.38 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:148.95 GB) (Free:126.55 GB) NTFS
3 Drive f: () (Removable) (Total:3.75 GB) (Free:3.75 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          149 GB      0 B
  Disk 1    Online         3851 MB      0 B

Partitions of Disk 0:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            100 MB  1024 KB
  Partition 2    Primary            148 GB   101 MB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   System Rese  NTFS   Partition    100 MB  Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    148 GB  Healthy

=========================================================

Partitions of Disk 1:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3847 MB  4096 KB

=========================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     F                FAT32  Removable   3847 MB  Healthy

=========================================================

Last Boot: 2012-10-23 20:30

==================== End Of Log ============================

Attached Files
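The before/after pair in this thread (services.exe flagged "ZeroAccess <==== ATTENTION!" in the earlier log, the Fixlog copying it back from the winsxs component store, and "MD5 is legit" in the new scan) is a reference-copy comparison. The Python script below is an added illustration of that check and repair, not FRST's code: it hashes a System32 binary, compares it with every serviced copy staged under the matching WinSxS component directory, and on a mismatch restores from the newest copy. The component-directory prefix for services.exe is the one the Fixlog shows; the directory tree the demo runs against is a constructed fixture with fake file contents and a placeholder hash suffix for the second version. On a real case, point `check_binary` at the offline volume's Windows directory from boot media, as the thread does (FRST ran as SYSTEM from F:\ with X: as the boot drive); with the infected system booted, an active rootkit can change what a user-mode read of the file returns.

```python
"""Offline check of a Windows system binary against its WinSxS copies.

Added example for this thread, not FRST's own code. build_sample_tree()
constructs a fake Windows tree with fake bytes so the script runs anywhere;
on a real case run it from boot media against the offline volume.
"""
import glob
import hashlib
import os
import shutil
import tempfile

# Component-store directory prefix for services.exe, as seen in the Fixlog.
SERVICES_COMPONENT = "x86_microsoft-windows-s..s-servicecontroller_*"


def md5_of(path, chunk=1 << 20):
    """MD5 is what FRST reports; fine for matching a known-good copy."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def _version_key(ref_path):
    # winsxs directory names: arch_component_pubkeytoken_version_lang_hash
    fields = os.path.basename(os.path.dirname(ref_path)).split("_")
    try:
        return tuple(int(p) for p in fields[3].split("."))
    except (IndexError, ValueError):
        return (0,)


def reference_copies(windir, component_glob, filename):
    """Every serviced copy of filename in the component store, oldest version first."""
    pattern = os.path.join(windir, "winsxs", component_glob, filename)
    return sorted(glob.glob(pattern), key=_version_key)


def check_binary(windir, rel_path, component_glob):
    target = os.path.join(windir, rel_path)
    refs = reference_copies(windir, component_glob, os.path.basename(target))
    if not refs:
        return {"file": target, "status": "no-reference"}
    actual = md5_of(target)
    if actual in {md5_of(r) for r in refs}:
        return {"file": target, "status": "legit", "md5": actual}
    # Matches no serviced version: flag it and name the newest store copy as the
    # restore source, which is what the Fixlog's "copied successfully" line did.
    return {"file": target, "status": "MISMATCH", "md5": actual, "restore_from": refs[-1]}


def build_sample_tree(root):
    """Constructed fixture: two serviced copies in winsxs, a same-size patched copy in System32."""
    windir = os.path.join(root, "Windows")
    sys32 = os.path.join(windir, "System32")
    os.makedirs(sys32)
    body = b"MZ" + b"\x90" * 64 + b"services-controller-code"
    newest = b""
    for ver, tail in (("6.1.7600.16385", "cf36168b2e9c967b"),   # suffix from the Fixlog
                      ("6.1.7601.17514", "0123456789abcdef")):  # placeholder suffix
        d = os.path.join(windir, "winsxs",
                         "x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_%s_none_%s"
                         % (ver, tail))
        os.makedirs(d)
        newest = body + ver.encode()
        with open(os.path.join(d, "services.exe"), "wb") as f:
            f.write(newest)
    infected = bytearray(newest)
    infected[2:18] = b"ZA-payload-stub!"    # in-place patch, file size unchanged
    with open(os.path.join(sys32, "services.exe"), "wb") as f:
        f.write(infected)
    return windir


def run_demo():
    """Check, restore from the store, re-check; returns the two findings."""
    with tempfile.TemporaryDirectory() as tmp:
        windir = build_sample_tree(tmp)
        rel = os.path.join("System32", "services.exe")
        before = check_binary(windir, rel, SERVICES_COMPONENT)
        if before["status"] == "MISMATCH":
            shutil.copy2(before["restore_from"], before["file"])
        after = check_binary(windir, rel, SERVICES_COMPONENT)
        return before, after


if __name__ == "__main__":
    b, a = run_demo()
    print(b["status"], "->", a["status"], "restored from", b.get("restore_from"))
```

Each of the other binaries in FRST's "Bamital & volsnap Check" list needs its own component-directory prefix; only the one for services.exe is shown in the thread, so only that one is hard-coded here.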