.crypt ransomware gone, but files are still encrypted.

  • This topic is locked
29 replies to this topic

#1 callupchuck

  • Members
  • 21 posts

Posted 11 June 2012 - 01:51 PM

I am working with a PC that is running Win7sp.1 x32
The infection was removed by McAfee, before I arrived on site. It becomes my duty to get the information back for the user (he's never run a proper backup of these files). After reading on a few boards how this is a new variant of the infection, there seems to be no quick cure for it. I also tried using the decrypter program found at http://tmp.emsisoft.com/fw/decrypt_SetSysLog32.zip which only yielded this message: "Could not find decryption key. Maybe a new variant?"

Has anyone been able to come up with not only a cure for the infection, but also a way to reverse the issues caused by it?

And where does one report this type of dirtbag running the scam? I have his email address: decrypt2012@yahoo.com


#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 11 June 2012 - 04:02 PM

Is there a log available from McAfee to show what files were removed?

Can you show the names of a few of the encrypted files?

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
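
The FRST log this procedure produces lists every autostart entry, service and driver as one line: a name, the image path, `[size date]` and the publisher in parentheses, or `[x]` when the referenced file no longer exists (the log posted later in this thread shows all three sections). As an added example that is not part of this thread or of the FRST tool, the following Python triage helper parses those lines and flags what a responder reads first: files that are gone (common after an antivirus removal, and a hint about what was deleted), images FRST reports with no publisher, and services or drivers loading from a Temp directory. The sample log is a constructed excerpt in the thread's format; the flags are hints to check against the rest of the log (the same log also shows ComboFix and RootkitRemover artefacts), not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Line shapes taken from the FRST log format posted in this thread.
SECTION_RE = re.compile(r"^=+\s*(?P<title>[^=].*?)\s*=+$")          # "=== Registry (Whitelisted) ==="
RUN_RE = re.compile(r"^(?P<key>HK.*?\\Run): \[(?P<name>[^\]]*)\] (?P<rest>.+)$")   # Run-key lines
SVC_RE = re.compile(r"^(?P<start>\d) (?P<name>[^;]+); (?P<rest>.+)$")             # service/driver lines
META_RE = re.compile(r"^(?P<image>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)$")
MISSING_MARK = " [x]"                      # FRST's marker for "file not found"
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
TRIAGE_SECTIONS = ("Registry", "Services", "Drivers")


@dataclass
class Entry:
    section: str
    name: str
    path: str                  # normalised image path (quotes, \??\ prefix and arguments removed)
    publisher: Optional[str]   # None when the file is gone, "" when FRST printed "()"
    start: Optional[int]       # service/driver start type; None for Run keys
    flags: List[str] = field(default_factory=list)


def image_path(raw: str) -> str:
    """Reduce an FRST image column to the bare file path."""
    raw = raw.strip()
    if raw.startswith('"'):                         # quoted path followed by arguments
        raw = raw[1:raw.index('"', 1)]
    if raw.startswith("\\??\\"):                    # NT device-path prefix used on some drivers
        raw = raw[4:]
    m = re.match(r"^(?P<p>.*?\.(?:exe|sys|dll))(?:\s.*)?$", raw, re.IGNORECASE)
    return m.group("p") if m else raw


def parse_line(section: str, line: str) -> Optional[Entry]:
    """Parse one Run-key, service or driver line; return None for anything else."""
    start = None
    m = RUN_RE.match(line)
    if not m:
        m = SVC_RE.match(line)
        if not m:
            return None
        start = int(m.group("start"))
    name, rest = m.group("name"), m.group("rest")
    flags: List[str] = []
    if rest.endswith(MISSING_MARK):                 # referenced file no longer exists
        path, publisher = image_path(rest[: -len(MISSING_MARK)]), None
        flags.append("missing-file")
    else:
        meta = META_RE.match(rest)
        if not meta:
            return None
        path, publisher = image_path(meta.group("image")), meta.group("publisher")
        if publisher == "":                         # FRST found no publisher information
            flags.append("no-publisher")
    if TEMP_RE.search(path):                        # code loading from a Temp directory
        flags.append("temp-path")
    return Entry(section, name, path, publisher, start, flags)


def parse_frst(text: str) -> List[Entry]:
    """Walk the log, tracking the current section, and collect autostart entries."""
    entries: List[Entry] = []
    section = ""
    for line in text.splitlines():
        line = line.rstrip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("title").split(" (")[0]   # "Registry (Whitelisted)" -> "Registry"
            continue
        if section in TRIAGE_SECTIONS:
            entry = parse_line(section, line)
            if entry:
                entries.append(entry)
    return entries


def triage(text: str) -> List[Entry]:
    """Only the entries a responder should look at first."""
    return [e for e in parse_frst(text) if e.flags]


def flagged_names(text: str) -> Dict[str, List[str]]:
    return {e.name: e.flags for e in triage(text)}


# Constructed excerpt in the format of the log posted in this thread (not the full log).
SAMPLE_LOG = r"""
========================== Registry (Whitelisted) =============

HKLM\...\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe [43632 2010-01-18] ()
HKLM\...\Run: [PowerPanel Personal Edition User Interaction] J:\cyberpower ups\pppeuser.exe [x]
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 69.60.160.196 64.25.208.6

================================ Services (Whitelisted) ==================

2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 ppped; "C:\cyberpower ups\ppped.exe" [x]

========================== Drivers (Whitelisted) =============

1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [19496 2010-04-22] ()
3 catchme; \??\C:\Users\ALBURT~1\AppData\Local\Temp\catchme.sys [x]
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:8} {e.name:45} {', '.join(e.flags):24} {e.path}")
```

Run it against a full FRST.txt by passing the file contents to triage(); the Tcpip line and the file-listing sections are skipped because only the three autostart sections are parsed.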


#3 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 11 June 2012 - 04:35 PM

Hi, could you also check the McAfee quarantine for the infected files, in case they weren't deleted but just quarantined, as the developer will need a sample of the malware.

It appears to be a newer variant.


#4 callupchuck
  • Topic Starter

  • Members
  • 21 posts

Posted 11 June 2012 - 09:10 PM

The end user uninstalled McAfee when it started acting up as well. I have not found a log or quarantine, to answer your question.

I sent one of the encrypted files off to ESET as advised in another forum. It could take a while to hear back from them.

I had been running Photorec, until it caused the hdd to nearly fill up. At that point, Photorec had used over 200 GB on the drive. I am now running the stopgpcode utility to send those files that have been unencrypted thus far back to their original drive, freeing up much needed space on the temp storage drive.

I have DL'd frst.exe and will copy and paste the generated log file after the current operation is complete.

Stay tuned.

PS: one of the filenames: L101_Catalog.pdf.crypt

Edited by callupchuck, 12 June 2012 - 07:27 AM.


#5 callupchuck
  • Topic Starter

  • Members
  • 21 posts

Posted 12 June 2012 - 07:37 AM

I will have to go back onsite to run FRST.exe, so I'll try to get you that log file today at some point.
In the meantime, I received a lot of errors during the first run of STOPGPCODE.

The errors all look like this: N 5unknown err N 5unknown err ... and also the errors "CD crmlog access denied" & "CD system volume information access denied"

#6 callupchuck
  • Topic Starter

  • Members
  • 21 posts

Posted 12 June 2012 - 12:03 PM

FRST log text:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 10-06-2012 01
Ran by SYSTEM at 12-06-2012 12:22:20
Running from I:\utils
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe [43632 2010-01-18] ()
HKLM\...\Run: [NUSB3MON] "C:\Program Files\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [106496 2009-11-20] (NEC Electronics Corporation)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [248552 2010-05-14] (Sun Microsystems, Inc.)
HKLM\...\Run: [PowerPanel Personal Edition User Interaction] J:\cyberpower ups\pppeuser.exe [x]
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKLM\...\Run: [BCU] "C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe" [375000 2009-10-15] (DeviceVM, Inc.)
HKU\Al Burton\...\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe" [101080 2005-08-24] (Microsoft Corporation)
HKU\Al Burton\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-09-05] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 69.60.160.196 64.25.208.6

================================ Services (Whitelisted) ==================

3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
2 BCUService; C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe [223464 2009-10-15] (DeviceVM, Inc.)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
4 FSDFWD; "C:\Program Files\F-Secure\apps\ComputerSecurity\FWES\Program\fsdfwd.exe" [613528 2011-12-18] (F-Secure Corporation)
4 fshoster; "C:\Program Files\F-Secure\fshoster32.exe" -hosterid:0 [159480 2012-04-27] (F-Secure Corporation)
4 FSMA; "C:\Program Files\F-Secure\apps\ComputerSecurity\Common\FSMA32.EXE" [212632 2011-12-18] (F-Secure Corporation)
3 hkmsvc; C:\Windows\System32\kmsvc.dll [71168 2010-11-20] (Microsoft Corporation)
2 JMB36X; C:\Windows\System32\XSrvSetup.exe [72304 2010-01-18] ()
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [11552 2012-03-26] (Microsoft Corporation)
4 NetMsmqActivator; "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" -NetMsmqActivator [124240 2010-03-18] (Microsoft Corporation)
4 NetPipeActivator; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)
4 NetTcpActivator; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)
4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [214952 2012-03-26] (Microsoft Corporation)
2 Stereo Service; C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [248936 2010-07-09] (NVIDIA Corporation)
3 StorSvc; C:\Windows\System32\storsvc.dll [16384 2009-07-13] (Microsoft Corporation)
2 TeamViewer7; C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe [2666880 2012-03-19] (TeamViewer GmbH)
2 ppped; "C:\cyberpower ups\ppped.exe" [x]

========================== Drivers (Whitelisted) =============

1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [19496 2010-04-22] ()
3 BridgeMP; C:\Windows\System32\DRIVERS\bridge.sys [78336 2009-07-13] (Microsoft Corporation)
3 F-Secure Gatekeeper; \??\C:\Program Files\F-Secure\apps\ComputerSecurity\Anti-Virus\minifilter\fsgk.sys [148632 2011-12-18] ()
1 F-Secure HIPS; \??\C:\Program Files\F-Secure\apps\ComputerSecurity\HIPS\drivers\fshs.sys [72920 2012-06-08] (F-Secure Corporation)
0 fsbts; C:\Windows\System32\Drivers\fsbts.sys [44184 2012-06-08] ()
1 FSES; C:\Windows\System32\drivers\fses.sys [36984 2011-12-18] (F-Secure Corporation)
1 FSFW; C:\Windows\System32\drivers\fsdfw.sys [72600 2011-12-18] (F-Secure Corporation)
1 fsvista; \??\C:\Program Files\F-Secure\apps\ComputerSecurity\Anti-Virus\minifilter\fsvista.sys [13464 2011-12-18] ()
3 iirsp; C:\Windows\system32\DRIVERS\iirsp.sys [41040 2009-07-13] (Intel Corp./ICP vortex GmbH)
0 JRAID; C:\Windows\System32\DRIVERS\jraid.sys [98928 2010-01-27] (JMicron Technology Corp.)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
1 MPFP; C:\Windows\System32\Drivers\Mpfp.sys [130424 2010-07-15] (McAfee, Inc.)
3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [74112 2012-03-20] (Microsoft Corporation)
3 nusb3hub; C:\Windows\System32\DRIVERS\nusb3hub.sys [58880 2009-11-20] (NEC Electronics Corporation)
3 nusb3xhc; C:\Windows\System32\DRIVERS\nusb3xhc.sys [137728 2009-11-20] (NEC Electronics Corporation)
3 NVENETFD; C:\Windows\System32\DRIVERS\nvm62x32.sys [347264 2009-07-13] (NVIDIA Corporation)
3 vpcbus; C:\Windows\System32\DRIVERS\vpchbus.sys [172416 2010-11-20] (Microsoft Corporation)
1 vpcnfltr; C:\Windows\System32\DRIVERS\vpcnfltr.sys [48128 2010-11-20] (Microsoft Corporation)
3 vpcusb; C:\Windows\System32\DRIVERS\vpcusb.sys [78336 2010-11-20] (Microsoft Corporation)
1 vpcvmm; C:\Windows\System32\drivers\vpcvmm.sys [296064 2010-11-20] (Microsoft Corporation)
3 catchme; \??\C:\Users\ALBURT~1\AppData\Local\Temp\catchme.sys [x]
3 gdrv; \??\C:\Windows\gdrv.sys [x]
3 MFE_RR; \??\C:\Users\ALBURT~1\AppData\Local\Temp\mfe_rr.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-11 09:20 - 2012-06-11 09:20 - 00001120 ____A C:\Users\Public\Desktop\TeamViewer 7.lnk
2012-06-11 09:20 - 2012-06-11 09:20 - 00000000 ____D C:\Program Files\TeamViewer
2012-06-11 05:25 - 2012-06-11 05:26 - 00403260 ____A C:\XoristDecryptor.2.2.73.0_11.06.2012_09.25.57_log.txt
2012-06-11 05:25 - 2012-06-11 05:25 - 00012548 ____A C:\RectorDecryptor.2.4.3.0_11.06.2012_09.25.31_log.txt
2012-06-11 05:23 - 2012-06-11 05:25 - 00023238 ____A C:\RectorDecryptor.2.4.3.0_11.06.2012_09.23.55_log.txt
2012-06-11 05:21 - 2012-06-11 05:23 - 00002202 ____A C:\RannohDecryptor.1.1.0.0_11.06.2012_09.21.16_log.txt
2012-06-11 05:08 - 2012-06-11 05:06 - 00248120 ____A (Doctor Web, Ltd.) C:\te94decrypt.exe
2012-06-11 04:56 - 2012-06-11 04:56 - 00019694 ____A C:\ComboFix.txt
2012-06-11 04:46 - 2012-06-11 04:54 - 00000000 ____D C:\Windows\ERDNT
2012-06-11 04:46 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-06-11 04:46 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-06-11 04:46 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-06-11 04:46 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-06-11 04:46 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-06-11 04:46 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-06-11 04:46 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-06-11 04:46 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-06-11 04:43 - 2012-06-11 04:56 - 00000000 ___AD C:\Qoobox
2012-06-11 04:17 - 2012-06-11 04:32 - 00000000 ____D C:\Users\Al Burton\Documents\Quicken
2012-06-09 06:36 - 2012-06-11 07:23 - 00000000 ____D C:\Users\Al Burton\AppData\Local\Adobe
2012-06-09 06:31 - 2012-06-09 06:31 - 00000240 ____A C:\Users\Al Burton\Downloads\RootkitRemover20120609103143.txt
2012-06-09 06:28 - 2012-06-09 06:42 - 00000000 ____D C:\MTM
2012-06-09 06:27 - 2012-06-09 06:28 - 06726741 ____A C:\Users\Al Burton\Downloads\perses.exe
2012-06-09 06:25 - 2012-06-10 04:38 - 00000000 ____D C:\Users\Al Burton\AppData\Local\LogMeIn Rescue Applet
2012-06-08 14:08 - 2012-06-08 14:08 - 03747496 ____A C:\Windows\FSISU.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00939306 ____A C:\Windows\FSSFM.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00660323 ____A C:\Windows\FSSETUP.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00137634 ____A C:\Windows\RunSetup.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00127285 ____A C:\Windows\FSPROD.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00122306 ____A C:\Windows\FSDEPH.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00065261 ____A C:\Windows\FSAVINST.LOG
2012-06-08 14:08 - 2012-06-08 14:08 - 00025350 ____A C:\Windows\fwesinst.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00021378 ____A C:\Windows\fsmainst.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00019778 ____A C:\Windows\fspplugin.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00019569 ____A C:\Windows\prodsett_copy.ini
2012-06-08 14:08 - 2012-06-08 14:08 - 00018374 ____A C:\Windows\FSGUIINS.LOG
2012-06-08 14:08 - 2012-06-08 14:08 - 00010545 ____A C:\Windows\FSAVCSIN.LOG
2012-06-08 14:08 - 2012-06-08 14:08 - 00004413 ____A C:\Windows\FSGKIAIN.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00004261 ____A C:\Windows\fstnbins.LOG
2012-06-08 14:08 - 2012-06-08 14:08 - 00003747 ____A C:\Windows\fsavunin.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00003614 ____A C:\Windows\FSGemini.LOG
2012-06-08 14:08 - 2012-06-08 14:08 - 00002371 ____A C:\Windows\DAASINST.LOG
2012-06-08 14:08 - 2012-06-08 14:08 - 00001897 ____A C:\Windows\FSLDIN.LOG
2012-06-08 14:08 - 2012-06-08 14:08 - 00000862 ____A C:\Windows\fsgadget.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00000813 ____A C:\Windows\fstsutil.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00000645 ____A C:\Windows\fsav_db_setup.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00000505 ____A C:\Windows\FSAVES_inst.log
2012-06-08 14:08 - 2011-12-18 19:27 - 00072600 ____A (F-Secure Corporation) C:\Windows\System32\Drivers\fsdfw.sys
2012-06-08 14:08 - 2011-12-18 19:27 - 00036984 ____A (F-Secure Corporation) C:\Windows\System32\Drivers\fses.sys
2012-06-08 13:56 - 2012-06-08 13:56 - 00083456 ____A C:\Users\Al Burton\Desktop\2011.xls
2012-06-08 13:53 - 2012-06-08 13:53 - 00001890 ____A C:\Users\Public\Desktop\F-Secure Launch pad.lnk
2012-06-08 13:53 - 2012-06-08 13:53 - 00000000 ____D C:\Program Files\F-Secure
2012-06-08 13:52 - 2012-06-08 14:08 - 00000000 ____D C:\Users\All Users\F-Secure
2012-06-08 13:45 - 2012-06-12 08:08 - 00001466 ____A C:\Windows\setupact.log
2012-06-08 13:45 - 2012-06-11 05:02 - 00002482 ____A C:\Windows\PFRO.log
2012-06-08 13:45 - 2012-06-08 13:45 - 00000000 ____A C:\Windows\setuperr.log
2012-06-08 13:44 - 2012-06-08 14:14 - 00044184 ____A C:\Windows\System32\Drivers\fsbts.sys
2012-06-08 12:57 - 2012-06-08 12:57 - 00000066 ____A C:\Users\Al Burton\Desktop\technical support.txt
2012-06-08 12:49 - 2012-06-08 12:49 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-08 12:47 - 2012-06-08 12:47 - 00000965 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-06-08 12:47 - 2012-06-08 12:47 - 00000000 ____D C:\Program Files\CCleaner
2012-06-08 12:39 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-08 12:39 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-08 12:39 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-08 12:39 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-08 12:39 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-08 12:39 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-08 12:39 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-08 12:39 - 2012-06-02 11:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-08 12:39 - 2012-06-02 11:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-08 12:37 - 2012-06-12 08:12 - 00006656 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-08 12:37 - 2012-06-12 08:12 - 00006656 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-08 12:28 - 2012-06-08 16:58 - 00084719 ____A C:\Users\Al Burton\Desktop\yl_101usesforessential7.pdf
2012-06-08 12:21 - 2012-06-08 12:35 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-06-08 12:21 - 2012-06-08 12:21 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-08 12:21 - 2012-06-08 12:21 - 00000000 ____D C:\Users\Al Burton\AppData\Roaming\Malwarebytes
2012-06-08 12:19 - 2012-06-08 12:57 - 00000000 ____D C:\Users\Al Burton\AppData\Local\Google
2012-06-08 12:11 - 2012-06-08 12:11 - 00000000 ____D C:\Users\Al Burton\AppData\Local\blekkotb_031
2012-06-08 12:10 - 2012-06-08 12:10 - 00000000 ____D C:\Windows\System32\config\HiveBackup
2012-06-08 12:01 - 2012-06-12 12:22 - 00000000 ____D C:\FRST
2012-06-08 11:12 - 2012-06-08 12:49 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-08 10:18 - 2012-06-08 10:18 - 00000000 ____D C:\Users\Al Burton\AppData\Roaming\TeamViewer
2012-05-22 06:58 - 2012-06-08 12:34 - 00000000 ____D C:\Users\Al Burton\Downloads\Autoruns
2012-05-20 08:24 - 2012-05-20 08:25 - 02378424 ____A (The Weather Channel Interactive) C:\Users\Al Burton\Downloads\weathersp3_StubInstaller.exe

============ 3 Months Modified Files and Folders ===============

2012-06-12 12:22 - 2012-06-08 12:01 - 00000000 ____D C:\FRST
2012-06-12 08:12 - 2012-06-08 12:37 - 00006656 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-12 08:12 - 2012-06-08 12:37 - 00006656 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-12 08:12 - 2010-09-14 13:38 - 00721757 ____A C:\Windows\AdvPack.log
2012-06-12 08:12 - 2010-08-20 15:23 - 01805986 ____A C:\Windows\WindowsUpdate.log
2012-06-12 08:12 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\tracing
2012-06-12 08:08 - 2012-06-08 13:45 - 00001466 ____A C:\Windows\setupact.log
2012-06-12 08:08 - 2010-08-20 15:32 - 00000000 ____D C:\Users\All Users\NVIDIA
2012-06-12 08:08 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-12 07:49 - 2012-04-02 05:36 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-06-12 07:46 - 2010-09-05 15:01 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-12 05:46 - 2010-09-05 15:01 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-06-11 19:34 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2012-06-11 17:43 - 2012-04-02 05:36 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-06-11 17:43 - 2011-06-06 05:14 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-06-11 09:20 - 2012-06-11 09:20 - 00001120 ____A C:\Users\Public\Desktop\TeamViewer 7.lnk
2012-06-11 09:20 - 2012-06-11 09:20 - 00000000 ____D C:\Program Files\TeamViewer
2012-06-11 07:23 - 2012-06-09 06:36 - 00000000 ____D C:\Users\Al Burton\AppData\Local\Adobe
2012-06-11 05:26 - 2012-06-11 05:25 - 00403260 ____A C:\XoristDecryptor.2.2.73.0_11.06.2012_09.25.57_log.txt
2012-06-11 05:25 - 2012-06-11 05:25 - 00012548 ____A C:\RectorDecryptor.2.4.3.0_11.06.2012_09.25.31_log.txt
2012-06-11 05:25 - 2012-06-11 05:23 - 00023238 ____A C:\RectorDecryptor.2.4.3.0_11.06.2012_09.23.55_log.txt
2012-06-11 05:23 - 2012-06-11 05:21 - 00002202 ____A C:\RannohDecryptor.1.1.0.0_11.06.2012_09.21.16_log.txt
2012-06-11 05:06 - 2012-06-11 05:08 - 00248120 ____A (Doctor Web, Ltd.) C:\te94decrypt.exe
2012-06-11 05:06 - 2009-08-06 08:57 - 00785072 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-11 05:02 - 2012-06-08 13:45 - 00002482 ____A C:\Windows\PFRO.log
2012-06-11 04:56 - 2012-06-11 04:56 - 00019694 ____A C:\ComboFix.txt
2012-06-11 04:56 - 2012-06-11 04:43 - 00000000 ___AD C:\Qoobox
2012-06-11 04:56 - 2009-07-13 18:37 - 00000000 ___RD C:\users\Public
2012-06-11 04:56 - 2009-07-13 18:37 - 00000000 ___RD C:\users\Default
2012-06-11 04:54 - 2012-06-11 04:46 - 00000000 ____D C:\Windows\ERDNT
2012-06-11 04:53 - 2009-07-13 18:04 - 00000215 ____A C:\Windows\system.ini
2012-06-11 04:53 - 2009-07-13 18:04 - 00000027 ____A C:\Windows\System32\Drivers\etc\hosts
2012-06-11 04:52 - 2010-08-27 12:46 - 00000000 ____D C:\users\Al Burton
2012-06-11 04:52 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Web
2012-06-11 04:52 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\system
2012-06-11 04:32 - 2012-06-11 04:17 - 00000000 ____D C:\Users\Al Burton\Documents\Quicken
2012-06-11 04:13 - 2009-07-13 20:53 - 00032564 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-10 04:38 - 2012-06-09 06:25 - 00000000 ____D C:\Users\Al Burton\AppData\Local\LogMeIn Rescue Applet
2012-06-09 06:42 - 2012-06-09 06:28 - 00000000 ____D C:\MTM
2012-06-09 06:31 - 2012-06-09 06:31 - 00000240 ____A C:\Users\Al Burton\Downloads\RootkitRemover20120609103143.txt
2012-06-09 06:28 - 2012-06-09 06:27 - 06726741 ____A C:\Users\Al Burton\Downloads\perses.exe
2012-06-08 16:58 - 2012-06-08 12:28 - 00084719 ____A C:\Users\Al Burton\Desktop\yl_101usesforessential7.pdf
2012-06-08 14:14 - 2012-06-08 13:44 - 00044184 ____A C:\Windows\System32\Drivers\fsbts.sys
2012-06-08 14:08 - 2012-06-08 14:08 - 03747496 ____A C:\Windows\FSISU.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00939306 ____A C:\Windows\FSSFM.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00660323 ____A C:\Windows\FSSETUP.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00137634 ____A C:\Windows\RunSetup.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00127285 ____A C:\Windows\FSPROD.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00122306 ____A C:\Windows\FSDEPH.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00065261 ____A C:\Windows\FSAVINST.LOG
2012-06-08 14:08 - 2012-06-08 14:08 - 00025350 ____A C:\Windows\fwesinst.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00021378 ____A C:\Windows\fsmainst.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00019778 ____A C:\Windows\fspplugin.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00019569 ____A C:\Windows\prodsett_copy.ini
2012-06-08 14:08 - 2012-06-08 14:08 - 00018374 ____A C:\Windows\FSGUIINS.LOG
2012-06-08 14:08 - 2012-06-08 14:08 - 00010545 ____A C:\Windows\FSAVCSIN.LOG
2012-06-08 14:08 - 2012-06-08 14:08 - 00004413 ____A C:\Windows\FSGKIAIN.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00004261 ____A C:\Windows\fstnbins.LOG
2012-06-08 14:08 - 2012-06-08 14:08 - 00003747 ____A C:\Windows\fsavunin.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00003614 ____A C:\Windows\FSGemini.LOG
2012-06-08 14:08 - 2012-06-08 14:08 - 00002371 ____A C:\Windows\DAASINST.LOG
2012-06-08 14:08 - 2012-06-08 14:08 - 00001897 ____A C:\Windows\FSLDIN.LOG
2012-06-08 14:08 - 2012-06-08 14:08 - 00000862 ____A C:\Windows\fsgadget.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00000813 ____A C:\Windows\fstsutil.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00000645 ____A C:\Windows\fsav_db_setup.log
2012-06-08 14:08 - 2012-06-08 14:08 - 00000505 ____A C:\Windows\FSAVES_inst.log
2012-06-08 14:08 - 2012-06-08 13:52 - 00000000 ____D C:\Users\All Users\F-Secure
2012-06-08 13:56 - 2012-06-08 13:56 - 00083456 ____A C:\Users\Al Burton\Desktop\2011.xls
2012-06-08 13:53 - 2012-06-08 13:53 - 00001890 ____A C:\Users\Public\Desktop\F-Secure Launch pad.lnk
2012-06-08 13:53 - 2012-06-08 13:53 - 00000000 ____D C:\Program Files\F-Secure
2012-06-08 13:45 - 2012-06-08 13:45 - 00000000 ____A C:\Windows\setuperr.log
2012-06-08 13:45 - 2010-09-07 09:42 - 00000000 ____D C:\Program Files\McAfee
2012-06-08 13:45 - 2010-09-07 09:42 - 00000000 ____D C:\Program Files\Common Files\McAfee
2012-06-08 13:45 - 2010-09-07 09:20 - 00000000 ____D C:\Users\All Users\McAfee
2012-06-08 12:57 - 2012-06-08 12:57 - 00000066 ____A C:\Users\Al Burton\Desktop\technical support.txt
2012-06-08 12:57 - 2012-06-08 12:19 - 00000000 ____D C:\Users\Al Burton\AppData\Local\Google
2012-06-08 12:49 - 2012-06-08 12:49 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-08 12:49 - 2012-06-08 11:12 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-08 12:47 - 2012-06-08 12:47 - 00000965 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-06-08 12:47 - 2012-06-08 12:47 - 00000000 ____D C:\Program Files\CCleaner
2012-06-08 12:47 - 2010-09-05 15:00 - 00000000 ____D C:\Program Files\Google
2012-06-08 12:38 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\config\TxR
2012-06-08 12:35 - 2012-06-08 12:21 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-06-08 12:35 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\wfp
2012-06-08 12:35 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2012-06-08 12:34 - 2012-05-22 06:58 - 00000000 ____D C:\Users\Al Burton\Downloads\Autoruns
2012-06-08 12:34 - 2012-03-26 07:46 - 00000000 ____D C:\Program Files\The Weather Channel
2012-06-08 12:34 - 2010-11-04 10:31 - 00000000 ____D C:\Users\Al Burton\Desktop\Al Burton
2012-06-08 12:34 - 2010-09-14 13:29 - 00000000 ____D C:\Users\Al Burton\AppData\Local\The Weather Channel
2012-06-08 12:34 - 2010-09-14 13:15 - 00000000 ____D C:\WINECAT
2012-06-08 12:34 - 2010-09-14 13:15 - 00000000 ____D C:\WIN32APP
2012-06-08 12:34 - 2010-09-14 13:15 - 00000000 ____D C:\VICKERS
2012-06-08 12:34 - 2010-09-14 13:14 - 00000000 ____D C:\sw2000Dist
2012-06-08 12:34 - 2010-09-14 13:14 - 00000000 ____D C:\QUICKENW
2012-06-08 12:34 - 2010-09-14 13:12 - 00000000 ____D C:\HYDRAWIN
2012-06-08 12:34 - 2010-09-14 13:12 - 00000000 ____D C:\ACLTWIN
2012-06-08 12:34 - 2010-09-06 08:42 - 00000000 ____D C:\Users\All Users\FLEXnet
2012-06-08 12:34 - 2010-08-29 05:33 - 00000000 ___RD C:\Users\Al Burton\Documents\Scanned Documents
2012-06-08 12:34 - 2010-08-27 12:58 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-06-08 12:34 - 2010-08-27 12:46 - 00000000 ____D C:\Users\Al Burton\AppData\LocalLow
2012-06-08 12:34 - 2010-08-27 12:46 - 00000000 ____D C:\Users\Al Burton\AppData\Local\VirtualStore
2012-06-08 12:34 - 2010-03-01 15:50 - 00000000 ____D C:\Program Files\Windows Journal
2012-06-08 12:34 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2012-06-08 12:34 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2012-06-08 12:34 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
2012-06-08 12:34 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\AppCompat
2012-06-08 12:33 - 2010-09-14 05:48 - 00000000 ___RD C:\MSOCache
2012-06-08 12:21 - 2012-06-08 12:21 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-08 12:21 - 2012-06-08 12:21 - 00000000 ____D C:\Users\Al Burton\AppData\Roaming\Malwarebytes
2012-06-08 12:11 - 2012-06-08 12:11 - 00000000 ____D C:\Users\Al Burton\AppData\Local\blekkotb_031
2012-06-08 12:10 - 2012-06-08 12:10 - 00000000 ____D C:\Windows\System32\config\HiveBackup
2012-06-08 10:18 - 2012-06-08 10:18 - 00000000 ____D C:\Users\Al Burton\AppData\Roaming\TeamViewer
2012-06-02 14:19 - 2012-06-08 12:39 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-08 12:39 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-08 12:39 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-08 12:39 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-08 12:39 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-08 12:39 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-08 12:39 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-08 12:39 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-08 12:39 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-20 08:26 - 2012-03-26 07:46 - 00001266 ____A C:\Users\Public\Desktop\The Weather Channel App.lnk
2012-05-20 08:25 - 2012-05-20 08:24 - 02378424 ____A (The Weather Channel Interactive) C:\Users\Al Burton\Downloads\weathersp3_StubInstaller.exe
2012-05-13 05:25 - 2009-07-13 20:33 - 00578416 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-12 05:32 - 2010-03-01 11:41 - 55656824 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-04-10 13:02 - 2009-07-13 18:04 - 00000661 ____A C:\Windows\win.ini
2012-03-30 20:39 - 2012-05-12 04:52 - 03968368 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-03-30 20:39 - 2012-05-12 04:52 - 03913072 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-30 18:36 - 2012-05-12 04:52 - 02343424 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-30 02:23 - 2012-05-12 04:52 - 01291632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-20 16:44 - 2012-03-20 16:44 - 00171064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
2012-03-20 16:44 - 2012-03-20 16:44 - 00074112 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
2012-03-16 23:27 - 2012-05-12 04:52 - 00056176 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 4%
Total physical RAM: 12286.49 MB
Available physical RAM: 11732.41 MB
Total Pagefile: 12284.77 MB
Available Pagefile: 11757.49 MB
Total Virtual: 2047.88 MB
Available Virtual: 1971.23 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:237.65 GB) (Free:41.22 GB) NTFS
2 Drive d: () (Fixed) (Total:0.83 GB) (Free:0.79 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (CP_WIN7_RTMX32) (CDROM) (Total:2.27 GB) (Free:0 GB) CDFS
5 Drive h: (FreeAgent Drive) (Fixed) (Total:931.51 GB) (Free:835.78 GB) NTFS
6 Drive i: (KINGSTON) (Removable) (Total:3.72 GB) (Free:0.02 GB) FAT32
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
8 Drive y: (New Volume) (Fixed) (Total:931.51 GB) (Free:922.7 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 Online 238 GB 0 B
Disk 2 Online 931 GB 0 B
Disk 3 Online 3817 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 931 GB 1024 KB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 Y New Volume NTFS Partition 931 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 848 MB 1024 KB
Partition 2 Primary 237 GB 849 MB

======================================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D NTFS Partition 848 MB Healthy

======================================================================================================

Disk: 1
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 C NTFS Partition 237 GB Healthy

======================================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 931 GB 31 KB

======================================================================================================

Disk: 2
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H FreeAgent D NTFS Partition 931 GB Healthy

======================================================================================================

Partitions of Disk 3:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3817 MB 31 KB

======================================================================================================

Disk: 3
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 I KINGSTON FAT32 Removable 3817 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-11 19:27

======================= End Of Log ==========================

#7 CatByte (Malware Response Team)

Posted 12 June 2012 - 04:59 PM

Could you please post the ComboFix log(s)?

(older logs will be at c:\qoobox\combofix2.txt, newer log at c:\combofix.txt)

Edited by CatByte, 13 June 2012 - 08:39 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 callupchuck (Topic Starter)

Posted 13 June 2012 - 09:09 AM

As requested:

ComboFix 12-06-10.01 - Al Burton 06/11/2012 8:47.1.8 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3582.2480 [GMT -4:00]
Running from: f:\scanners\ComboFix.exe
AV: Anti-Virus *Enabled/Updated* {15414183-282E-D62C-CA37-EF24860A2F17}
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Anti-Virus *Enabled/Updated* {AE20A067-0E14-D9A2-F087-D456FD8D65AA}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\INSTALL.LOG
c:\program files\UPDATE3003212.exe
c:\program files\version.txt
c:\program files\vs0512ai.exe
c:\programdata\DragToDiscUserNameD.txt
c:\users\Al Burton\WINDOWS
c:\windows\_detmp.2
c:\windows\000016~1.SCR
c:\windows\AutoRun.ini
c:\windows\java.exe
c:\windows\ST6UNST.000
c:\windows\start.exe
c:\windows\system\Drivers
c:\windows\system\Drivers\MrtRate.sys
c:\windows\system32\msvcrt.1
c:\windows\system32\msvcrt.2
c:\windows\system32\rnaph.dll
c:\windows\system32\SET1D7.tmp
c:\windows\system32\spsys.log
c:\windows\system32\win.ini
c:\windows\Web\default.htt
c:\windows\winhelp.ini
H:\Autorun.inf
H:\Setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-11 to 2012-06-11 )))))))))))))))))))))))))))))))
.
.
2066-12-17 19:52 . 2002-11-11 05:00 92672 ----a-w- c:\windows\system\system\CsLsp.dll
2012-06-11 12:53 . 2012-06-11 12:53 -------- d-----w- c:\users\Al Burton\AppData\Local\temp
2012-06-11 12:53 . 2012-06-11 12:53 -------- d-----w- c:\windows\ServiceProfiles\NetworkService\AppData\Local\temp
2012-06-11 12:43 . 2012-06-11 12:43 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0029EBAB-3C32-4C7C-B07E-8C650BB50A68}\offreg.dll
2012-06-11 12:43 . 2012-06-11 12:43 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0029EBAB-3C32-4C7C-B07E-8C650BB50A68}\MpKsla29ede9f.sys
2012-06-11 12:20 . 2012-06-11 12:20 9310 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2012-06-11 12:20 . 2012-06-11 12:20 8646 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2012-06-11 12:20 . 2012-06-11 12:20 8613 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2012-06-11 12:20 . 2012-06-11 12:20 8288 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2012-06-11 12:20 . 2012-06-11 12:20 6910 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2012-06-11 12:20 . 2012-06-11 12:20 6429 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2012-06-11 12:20 . 2012-06-11 12:20 63115 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2012-06-11 12:20 . 2012-06-11 12:20 6208 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2012-06-11 12:20 . 2012-06-11 12:20 5927 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2012-06-11 12:20 . 2012-06-11 12:20 4599 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2012-06-11 12:20 . 2012-06-11 12:20 18541 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2012-06-11 12:20 . 2012-06-11 12:20 1651 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2012-06-11 12:19 . 2012-06-11 12:19 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2012-06-11 12:19 . 2012-06-11 12:19 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2012-06-11 12:19 . 2012-06-11 12:19 51852 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2012-06-11 12:19 . 2012-06-11 12:19 23327 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2012-06-11 12:19 . 2012-06-11 12:19 20719 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2012-06-10 12:49 . 2012-05-08 13:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0029EBAB-3C32-4C7C-B07E-8C650BB50A68}\mpengine.dll
2012-06-09 14:36 . 2012-06-09 14:36 -------- d-----w- c:\users\Al Burton\AppData\Local\Adobe
2012-06-09 14:31 . 2012-06-09 14:31 -------- d-----w- C:\!KillBox
2012-06-09 14:28 . 2012-06-09 14:42 -------- d-----w- C:\MTM
2012-06-09 14:25 . 2012-06-10 12:38 -------- d-----w- c:\users\Al Burton\AppData\Local\LogMeIn Rescue Applet
2012-06-08 22:08 . 2012-06-08 22:08 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\f-secure
2012-06-08 22:08 . 2011-12-19 03:27 36984 ----a-w- c:\windows\system32\drivers\fses.sys
2012-06-08 22:08 . 2011-12-19 03:27 72600 ----a-w- c:\windows\system32\drivers\fsdfw.sys
2012-06-08 21:53 . 2012-06-08 21:53 -------- d-----w- c:\program files\F-Secure
2012-06-08 21:52 . 2012-06-08 22:08 -------- d-----w- c:\programdata\F-Secure
2012-06-08 21:44 . 2012-06-08 22:14 44184 ----a-w- c:\windows\system32\drivers\fsbts.sys
2012-06-08 20:49 . 2012-06-08 20:49 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{75CD1393-2D06-4312-8E8F-692D0F1AE15B}\gapaengine.dll
2012-06-08 20:49 . 2012-05-08 13:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-08 20:47 . 2012-06-08 20:47 -------- d-----w- c:\program files\CCleaner
2012-06-08 20:40 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{417BB2BE-910A-4C29-9A54-9CABFC188EA9}\mpengine.dll
2012-06-08 20:39 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-08 20:39 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-08 20:39 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-08 20:39 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-08 20:39 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-08 20:39 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-08 20:39 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-08 20:39 . 2012-06-02 19:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-08 20:39 . 2012-06-02 19:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-08 20:21 . 2012-06-08 20:21 -------- d-----w- c:\users\Al Burton\AppData\Roaming\Malwarebytes
2012-06-08 20:21 . 2012-06-08 20:21 -------- d-----w- c:\programdata\Malwarebytes
2012-06-08 20:21 . 2012-06-08 20:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-08 20:19 . 2012-06-08 20:57 -------- d-----w- c:\users\Al Burton\AppData\Local\Google
2012-06-08 20:11 . 2012-06-08 20:11 -------- d-----w- c:\users\Al Burton\AppData\Local\blekkotb_031
2012-06-08 20:01 . 2012-06-08 20:07 -------- d-----w- C:\FRST
2012-06-08 19:12 . 2012-06-08 20:49 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-08 18:18 . 2012-06-08 18:18 -------- d-----w- c:\users\Al Burton\AppData\Roaming\TeamViewer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-05 14:49 . 2012-04-02 13:36 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-05 14:49 . 2011-06-06 13:14 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-31 04:39 . 2012-05-12 12:52 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-31 04:39 . 2012-05-12 12:52 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-31 02:36 . 2012-05-12 12:52 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-03-30 10:23 . 2012-05-12 12:52 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-21 00:44 . 2012-03-21 00:44 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-21 00:44 . 2012-03-21 00:44 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-17 07:27 . 2012-05-12 12:52 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2001-02-14 21:45 . 2001-02-14 21:45 155 ----a-w- c:\program files\memorex_8220s_update.reg
2001-02-14 21:43 . 2001-02-14 21:43 53041 ----a-w- c:\program files\memorex_6424_update.reg
2001-02-14 21:37 . 2001-02-14 21:37 1367511 ----a-w- c:\program files\ecdc_v402_std.exe
2001-02-07 12:54 . 2001-02-07 12:54 7897288 ----a-w- c:\program files\junoinst.exe
2001-01-26 18:13 . 2001-01-26 18:13 20095488 ----a-w- c:\program files\swviewerWenglish.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-13 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\System32\msgsvc.dll
.
[-] 2006-10-19 01:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\System32\mspmsnsv.dll
[-] 2006-10-19 01:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\System32\dllcache\mspmsnsv.dll
.
[-] 2008-04-13 23:12 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\System32\ntmssvc.dll
.
[-] 2008-04-13 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\System32\srsvc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-05 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-01-19 43632]
"NUSB3MON"="c:\program files\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2009-11-20 106496]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"PowerPanel Personal Edition User Interaction"="j:\cyberpower ups\pppeuser.exe" [2011-06-17 353728]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-10-15 375000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"a-winpoet-service"="c:\program files\WinPoET Broadband Connection\winpppoverethernet.exe"
"EnsoniqMixer"=starter.exe
"Imonitor"="c:\program files\McAfee\QuickClean\Plguni.exe" /START
"Iomega Drive Icons"=c:\program files\Iomega\DriveIcons\ImgIcon.exe
"Iomega Startup Options"=c:\program files\Iomega\Common\ImgStart.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"MCAgentExe"=c:\progra~1\MCAFEE.COM\AGENT\mcagent.exe
"MCTskShd"=c:\progra~1\MCAFEE.COM\AGENT\mctskshd.exe
"MCUpdateExe"=c:\progra~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
"mdac_runonce"=c:\windows\SYSTEM32\RUNONCE.EXE
"MPFExe"=c:\progra~1\MCAFEE.COM\PERSON~1\MpfTray.exe
"MPSExe"=c:\progra~1\MCAFEE.COM\MPS\mscifapp.exe /embedding
"MSKAGENTEXE"=c:\progra~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
"MSKDetectorExe"=c:\progra~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
"MSKServerExe"=c:\program files\McAfee\SpamKiller\MSKSrvr.exe
"POINTER"=point32.exe
"StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE
"VortexTray"=c:\windows\au10setp.exe 3
"VSOCheckTask"="c:\progra~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
"z-wrdialer"="c:\program files\WinPoET Broadband Connection\wrdialer.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-09-05 136176]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [2010-04-06 31272]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-09-05 136176]
R3 MFE_RR;MFE_RR;c:\users\ALBURT~1\AppData\Local\Temp\mfe_rr.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 74112]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 214952]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-06 1343400]
S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2012-06-08 44184]
S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys [2010-04-22 19496]
S1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\apps\ComputerSecurity\HIPS\drivers\fshs.sys [2012-06-08 72920]
S1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [2011-12-19 36984]
S1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2011-12-19 72600]
S1 fsvista;F-Secure Vista Support Driver;c:\program files\F-Secure\apps\ComputerSecurity\Anti-Virus\minifilter\fsvista.sys [2011-12-19 13464]
S1 MpKsla29ede9f;MpKsla29ede9f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0029EBAB-3C32-4C7C-B07E-8C650BB50A68}\MpKsla29ede9f.sys [2012-06-11 29904]
S2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-10-15 223464]
S2 fshoster;F-Secure Dll Hoster;c:\program files\F-Secure\fshoster32.exe [2012-04-27 159480]
S2 JMB36X;JMB36X;c:\windows\System32\XSrvSetup.exe [2010-01-19 72304]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\apps\ComputerSecurity\Anti-Virus\minifilter\fsgk.sys [2011-12-19 148632]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2009-11-20 58880]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2009-11-20 137728]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-06-21 105576]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-03-04 277536]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - FASTFAT
*NewlyCreated* - MPKSLA29EDE9F
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 20:17 7168 ----a-w- c:\windows\System32\updcrl.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 14:49]
.
2012-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-05 23:01]
.
2012-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-05 23:01]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://my.juno.com/s/search?r=minisearch
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Display All Images with Full Quality - "c:\program files\JunoInternet\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\JunoInternet\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: juno.com
TCP: DhcpNameServer = 69.60.160.196 64.25.208.6
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Win32 Classes
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{7D688A77-C613-11D0-999B-00C04FD655E1} - (no file)
HKU-Default-RunOnce-PCmover CookieMerge - j:\lap link\CookieMerge.exe
HKU-Default-RunOnce-PCmover MapiFix - j:\lap link\mapifix.exe
AddRemove-The Weather Channel Desktop 6 - c:\program files\The Weather Channel FW\Desktop\TheWeatherChannelCustomUninstall.exe
AddRemove-XferPro32 - c:\program files\Sabasoft
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fshoster]
"ImagePath"="\"c:\program files\F-Secure\fshoster32.exe\" -hosterid:0"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\F-Secure\My Services Agent\Protected]
@Denied: ) (Everyone)
"AgentIdentifier"="0e7e60ad-4b86-4f8f-b988-68c0ecc09ef1"
"AuthorizationCode"="CLXMxayGZ5Ur6OKBC6R4X6P4qTzsAw9baA9tvC8XsD59btZPMLJSTg"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-06-11 08:56:36
ComboFix-quarantined-files.txt 2012-06-11 12:56
.
Pre-Run: 207,447,556,096 bytes free
Post-Run: 207,134,912,512 bytes free
.
- - End Of File - - 6EB4DB35B28A7D90482566FFEDA5AABE

#9 callupchuck (Topic Starter)

Posted 13 June 2012 - 09:10 AM

Would you also like a paste of the quarantine txt file?

#10 CatByte (Malware Response Team)

Posted 13 June 2012 - 08:44 PM

Yes, please.

Were you able to find anything in the McAfee quarantine that we could send to the developer? Without that, it is doubtful that those files will be able to be decrypted.


#11 callupchuck (Topic Starter)

Posted 14 June 2012 - 07:20 AM

I'll check to see if there are any logs left over, as McAfee was removed last week.

#12 callupchuck (Topic Starter)

Posted 14 June 2012 - 08:47 AM

There are a few folders left over in the McAfee folders in \program files and in \program data, but nothing that looks like a log file. Any ideas? Earlier I had asked the AV labs at Eset about this issue, and they requested a specific registry key be sent to them. Would you also like to see what they requested?

Quarantine log from ComboFix:

2012-06-11 12:55:49 . 2012-06-11 12:55:49 524 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-XferPro32.reg.dat
2012-06-11 12:55:49 . 2012-06-11 12:55:49 608 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-The Weather Channel Desktop 6.reg.dat
2012-06-11 12:54:49 . 2012-06-11 12:54:49 287 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKU-Default-RunOnce-PCmover MapiFix.reg.dat
2012-06-11 12:54:49 . 2012-06-11 12:54:49 287 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKU-Default-RunOnce-PCmover CookieMerge.reg.dat
2012-06-11 12:54:34 . 2012-06-11 12:54:34 169 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ShellIconOverlayIdentifiers-{7D688A77-C613-11D0-999B-00C04FD655E1}.reg.dat
2012-06-11 12:53:26 . 2009-06-30 21:13:26 67 ----a-w- C:\Qoobox\Quarantine\H\Autorun.inf.vir
2012-06-11 12:53:26 . 2009-01-16 08:14:08 156,312 ----a-w- C:\Qoobox\Quarantine\H\Setup.exe.vir
2012-06-11 12:49:54 . 2012-06-11 12:49:54 3,818 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-06-11 12:46:52 . 2012-06-11 12:47:32 62 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-06-08 20:37:53 . 2012-06-08 20:37:53 552 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\spsys.log.vir
2011-03-11 22:56:46 . 1999-03-04 20:03:48 266,293 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\msvcrt.2.vir
2011-03-11 19:23:27 . 1999-07-02 22:36:54 81,920 ----a-w- C:\Qoobox\Quarantine\C\Windows\_detmp.2.vir
2010-09-09 19:54:39 . 1999-03-04 20:03:48 266,293 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\msvcrt.1.vir
2009-06-19 18:43:31 . 2009-06-19 18:43:32 13 ----a-w- C:\Qoobox\Quarantine\C\Program Files\version.txt.vir
2008-04-01 17:41:20 . 2008-04-01 17:41:22 8 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\win.ini.vir
2007-05-11 17:28:25 . 2010-09-03 17:32:44 7 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\DragToDiscUserNameD.txt.vir
2006-11-15 20:38:25 . 1998-02-06 14:13:16 9,728 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\rnaph.dll.vir
2006-10-19 01:47:20 . 2006-10-19 01:47:20 8,231,936 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\SET1D7.tmp.vir
2006-05-03 00:45:35 . 2002-06-04 19:56:30 28 ----a-w- C:\Qoobox\Quarantine\C\Windows\AutoRun.ini.vir
2006-05-03 00:45:35 . 2000-06-20 03:33:54 9 ----a-w- C:\Qoobox\Quarantine\C\Windows\winhelp.ini.vir
2006-02-10 18:02:43 . 2005-11-10 15:27:06 49,248 ----a-w- C:\Qoobox\Quarantine\C\Windows\java.exe.vir
2005-03-30 20:56:02 . 2005-03-30 20:56:28 828 ----a-w- C:\Qoobox\Quarantine\C\Windows\ST6UNST.000.vir
2002-09-20 14:18:05 . 2002-09-20 14:18:06 253 ----a-w- C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir
2001-03-10 21:03:10 . 2001-03-10 21:03:12 234,496 ----a-w- C:\Qoobox\Quarantine\C\Windows\000016~1.SCR.vir
2000-10-10 14:04:35 . 2000-10-10 14:04:34 1,870,721 ----a-w- C:\Qoobox\Quarantine\C\Program Files\UPDATE3003212.exe.vir
2000-10-10 13:53:21 . 2000-10-10 13:53:20 16,737,947 ----a-w- C:\Qoobox\Quarantine\C\Program Files\vs0512ai.exe.vir
2000-06-26 12:15:59 . 1999-11-05 22:43:24 36,404 ----a-w- C:\Qoobox\Quarantine\C\Windows\system\drivers\MrtRate.sys.vir
2000-06-15 03:37:31 . 2000-06-15 03:37:32 14,258 ----a-w- C:\Qoobox\Quarantine\C\Windows\Web\default.htt.vir
1980-01-01 04:00:00 . 1999-04-24 02:22:00 28,672 ----a-w- C:\Qoobox\Quarantine\C\Windows\start.exe.vir

#13 callupchuck (Topic Starter)

Posted 14 June 2012 - 10:11 AM

BTW, since we seem to be on different schedules, is there a way we can get someone involved that could work with me during the daytime? This situation is getting dire, as my customer is extremely anxious to get back to work.

I value your help highly and you are being diligent. So, I hope I don't offend you, as that is not my intention. I just need to have the ability to resolve this issue during daytime hours, and as quickly as possible.

#14 CatByte (Malware Response Team)

Posted 14 June 2012 - 06:29 PM

I'm sorry, but this issue isn't going to get resolved anytime soon.

you did not infect your client, neither did our brilliant developers who are working endless hours to try and come up with a decryptor for this variant. I'm very sorry, but your client has few options.

Please advise what you may have sent ESET.

Thank you.


#15 CatByte (Malware Response Team)

Posted 14 June 2012 - 07:16 PM

Hi,

please try the following:

Please check the shadow volume using a tool like Shadow Explorer (http://www.shadowexplorer.com).

The malware usually installs and saves temporary copies of the generated password to the %appdata% directory (C:\Users\<username>\AppData\Roaming).

The files are called cconf.txt as well as cconf.enc. If you are able to recover those files the Developer may be able to reconstruct the password.

He is also interested in what you sent ESET.



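As an added example (not part of CatByte's post, and not code from Shadow Explorer, Emsisoft or any other tool named in this thread), the PowerShell script below does from the command line what the post describes doing by hand: it lists the Volume Shadow Copies of C:, exposes each one through a directory symlink, and copies out any cconf.txt or cconf.enc found under a user's AppData\Roaming, writing a SHA-256 hash and the original timestamps for each copy. The two file names come from the post. Everything else is an assumption for illustration: the evidence folder H:\crypt-recovery (H: is the external FreeAgent drive in the FRST partition list above, chosen so nothing is written to the infected system volume), the use of WMI Win32_ShadowCopy plus mklink rather than a GUI browser, and that it runs from an elevated PowerShell prompt on the Windows 7 machine itself.

```powershell
# Added example, not code from the thread or from any tool it mentions.
# Pulls cconf.txt / cconf.enc out of every Volume Shadow Copy of the system
# drive, the way the post suggests doing by hand with Shadow Explorer.
# Assumptions: Windows 7 / PowerShell 2.0 or later, elevated prompt;
# $Evidence lives on a drive other than the infected system volume
# (H: is the external FreeAgent drive listed in the FRST log above).
$Evidence = 'H:\crypt-recovery'
$Targets  = @('cconf.txt', 'cconf.enc')     # file names given in the post

New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ form, so resolve C:
# to that form and keep only snapshots of the system drive, oldest first.
$volGuid = (Get-WmiObject Win32_Volume -Filter "DriveLetter='C:'").DeviceID
$shadows = @(Get-WmiObject Win32_ShadowCopy |
             Where-Object { $_.VolumeName -eq $volGuid } |
             Sort-Object InstallDate)

if ($shadows.Count -eq 0) {
    # Ransomware often deletes snapshots (vssadmin delete shadows);
    # if that happened here, VSS has nothing left to offer.
    Write-Warning 'No shadow copies of C: exist; nothing to recover from VSS.'
    return
}

$sha256 = [Security.Cryptography.SHA256]::Create()

foreach ($s in $shadows) {
    $when  = [Management.ManagementDateTimeConverter]::ToDateTime($s.InstallDate)
    $mount = Join-Path $Evidence ('vss_' + $s.ID.Trim('{}'))

    # Expose the snapshot as a directory. mklink needs the trailing backslash
    # on the DeviceObject path; the snapshot itself is read-only.
    cmd /c mklink /d "$mount" "$($s.DeviceObject)\" | Out-Null
    try {
        $hits = Get-ChildItem -Path (Join-Path $mount 'Users') -Recurse -Force `
                    -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer -and
                               $Targets -contains $_.Name -and
                               $_.FullName -like '*\AppData\Roaming\*' }

        foreach ($f in $hits) {
            $user = if ($f.FullName -match '\\Users\\([^\\]+)\\') { $Matches[1] } else { 'unknown' }
            $dest = Join-Path $Evidence ('{0:yyyyMMdd_HHmmss}_{1}_{2}' -f $when, $user, $f.Name)

            Copy-Item -LiteralPath $f.FullName -Destination $dest
            Set-ItemProperty -LiteralPath $dest -Name IsReadOnly -Value $true

            $hash = [BitConverter]::ToString(
                        $sha256.ComputeHash([IO.File]::ReadAllBytes($dest))) -replace '-', ''
            # One line per recovered file: snapshot time, size, original mtime, hash, path
            '{0:u}  {1,6} bytes  mtime {2:u}  sha256 {3}  {4}' -f `
                $when, $f.Length, $f.LastWriteTime, $hash, $dest
        }
    }
    finally {
        cmd /c rmdir "$mount" | Out-Null   # removes only the link, never the snapshot
    }
}
```

Two points a practitioner would want alongside this. First, the same loop doubles as the other check the post points at: setting $Targets to the names of the user's encrypted documents reports whether any snapshot still holds their pre-encryption originals, which is the case where VSS recovers the data outright. Second, the recovered cconf.txt and cconf.enc are evidence for the decryptor's developer, not something to open or edit; the hashes printed above let the developer confirm the copies arrived intact, and the read-only flag guards against accidental modification while they sit on the external drive.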


