Infected by Metropolitan Police ransom virus


9 replies to this topic

#1 kennydevon

Posted 19 June 2012 - 03:07 PM

Hi Bleepers,

This virus is a real pain. The AVAST viral protection system was able to detect the threat as it happened but was unable to prevent it. It also detects it again each time I re-boot, but again without effect.

Everything goes black, the fake message comes up demanding money, and nothing else works.

I have read Grinler's responses to another unfortunate in this forum. He lists files that are associated with the virus, then there is a second list that reflects a newer version of the virus. None of these files is present on my computer. He also talks about files being locked with passwords - I have not seen this so far on my computer.

If you're wondering how I know this, given the blocking nature of the virus, I have occasionally been able to interrupt the virus as it takes control after rebooting. (Is it a good idea to post the details here of how to do this?) In any case on occasion I end up back in control of the PC. This is very fortunate since it seems to have disabled safe mode - when I used safe mode it crashed and automatically restarted. I did the Regedit to disable the automatic restart. The reboot in safe mode still crashes of course, but now there is an error message to chew on - it's a terse technical message - looks like the values of some registers, but means nothing at all to me.

During my tussle with the virus, I noticed an application called Autoruns (or similar) in Task Manager, and when I ended it, my Desktop reappeared. I have subsequently noticed on the OTL log many entries referring to Autoruns and the like. Is this something to do with it?

I noticed in Grinler's list of DLLs a file called NOSafeMode.dll (or similar) which would appear to confirm the intent of the virus to deny safe mode. But again I don't see this file on my disk.

To make matters worse, my DVD drive doesn't read the GETxPUD system disk. I'll try again using different speed setting.

Right now I have the PC back under some control, but I'm not daring to reboot it in case I can't get back in.

I have run as many of your standard discovery programs as I can and the results are below. DDS did not work. I also ran Rkill. I didn't run Unhide before I ran the Security scan, because I didn't want to risk the reboot - does this invalidate the security scan?

I know I'll have to reboot sometime when getting through this, but I'll hold off if I can until I hear from you in case there is another discovery routine you want me to run or rerun.

In short I seem to have a milder version of this virus, but it is still a real pain. Virus 7 kenny 3. I need help.

Thanks in advance

Kenny

LOGS: OTL, GMER and Security follow - POST WAS TOO LONG WITH GMER - I have attached it instead.

OTL logfile created on: 19/06/2012 16:09:31 - Run 1
OTL by OldTimer - Version 3.2.49.0 Folder = C:\Documents and Settings\Kenny\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1022.04 Mb Total Physical Memory | 597.47 Mb Available Physical Memory | 58.46% Memory free
2.40 Gb Paging File | 2.10 Gb Available in Paging File | 87.43% Paging File free
Paging file location(s): F:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 10.92 Gb Total Space | 1.09 Gb Free Space | 9.96% Space Free | Partition Type: NTFS
Drive D: | 499.84 Mb Total Space | 198.78 Mb Free Space | 39.77% Space Free | Partition Type: FAT
Drive F: | 69.55 Gb Total Space | 25.27 Gb Free Space | 36.33% Space Free | Partition Type: FAT32

Computer Name: KENNYS-LAPTOP | User Name: Kenny | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Kenny\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel® Corporation)
PRC - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe (Intel® Corporation)
PRC - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel® Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)


========== Modules (No Company Name) ==========

MOD - c:\Program Files\Common Files\Akamai\netsession_win_80c2ffa.dll ()
MOD - C:\Program Files\Alwil Software\Avast5\defs\12042001\algo.dll ()
MOD - C:\WINDOWS\system32\pdf995mon.dll ()
MOD - C:\WINDOWS\system32\cpwmon2k.dll ()
MOD - C:\WINDOWS\system32\nvshell.dll ()


========== Win32 Services (SafeList) ==========

SRV - (Akamai) -- c:\program files\common files\akamai/netsession_win_80c2ffa.dll ()
SRV - (SkypeUpdate) -- C:\Program Files\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (Skype C2C Service) -- C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe (Skype Technologies S.A.)
SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
SRV - (EvtEng) Intel® -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel® Corporation)
SRV - (S24EventMonitor) Intel® -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe (Intel® Corporation)
SRV - (RegSrvc) Intel® -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel® Corporation)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (Macromedia Licensing Service) -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe ()
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (uwlyqkow) -- C:\DOCUME~1\Kenny\LOCALS~1\Temp\uwlyqkow.sys File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (GEARAspiWDM) -- System32\Drivers\GEARAspiWDM.sys File not found
DRV - (Changer) -- File not found
DRV - (2611A1) -- globalroot\C:\WINDOWS\system32\drivers\2611A1.sys File not found
DRV - (aswSnx) -- C:\WINDOWS\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\WINDOWS\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswRdr) -- C:\WINDOWS\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswTdi) -- C:\WINDOWS\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswMon2) -- C:\WINDOWS\System32\drivers\aswmon2.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (Aavmker4) -- C:\WINDOWS\System32\drivers\aavmker4.sys (AVAST Software)
DRV - (PSSDK42) -- C:\WINDOWS\system32\drivers\pssdk42.sys (microOLAP Technologies LTD)
DRV - (NETwLx32) Intel® -- C:\WINDOWS\system32\drivers\NETwLx32.sys (Intel Corporation)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (StarOpen) -- C:\WINDOWS\System32\drivers\StarOpen.sys ()
DRV - (LVUSBSta) -- C:\WINDOWS\system32\drivers\LVUSBSta.sys (Logitech Inc.)
DRV - (PID_PEPI) Logitech QuickCam IM(PID_PEPI) -- C:\WINDOWS\system32\drivers\LV302V32.SYS (Logitech Inc.)
DRV - (MobileAdapter) -- C:\WINDOWS\system32\drivers\hmvmdm.sys (Huawei Technologies Co., Ltd.)
DRV - (dgcfltr) -- C:\WINDOWS\system32\drivers\ACFDCP32.sys (Conexant Systems, Inc.)
DRV - (acfva) -- C:\WINDOWS\system32\drivers\ACFVA32.sys (Conexant Systems Inc.)
DRV - (mdmxsdk) -- C:\WINDOWS\system32\drivers\ACFSDK32.sys (Conexant)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys (Realtek Semiconductor Corp.)
DRV - (ESMCR) -- C:\WINDOWS\system32\drivers\ESM7SK.sys (ENE Technology Inc.)
DRV - (ESDCR) -- C:\WINDOWS\system32\drivers\ESD7SK.sys (ENE Technology Inc.)
DRV - (EMSCR) -- C:\WINDOWS\system32\drivers\EMS7SK.sys (ENE Technology Inc.)
DRV - (w39n51) Intel® -- C:\WINDOWS\system32\drivers\w39n51.sys (Intel® Corporation)
DRV - (ssm_mdm) -- C:\WINDOWS\system32\drivers\ssm_mdm.sys (MCCI)
DRV - (ssm_mdfl) -- C:\WINDOWS\system32\drivers\ssm_mdfl.sys (MCCI)
DRV - (ssm_bus) SAMSUNG Mobile USB Device II 1.0 driver (WDM) -- C:\WINDOWS\system32\drivers\ssm_bus.sys (MCCI)
DRV - (PQNTDrv) -- C:\WINDOWS\System32\drivers\PQNTDRV.sys (PowerQuest Corporation)
DRV - (lusbaudio) -- C:\WINDOWS\system32\drivers\OVSound2.sys (Microsoft Corporation)
DRV - (QCAbsee) Logitech QuickCam Web (0801) -- C:\WINDOWS\system32\drivers\OVCA.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>


IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes

IE - HKU\S-1-5-21-842925246-1935655697-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-21-842925246-1935655697-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk/
IE - HKU\S-1-5-21-842925246-1935655697-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.orange.co.uk/iesearch/
IE - HKU\S-1-5-21-842925246-1935655697-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
IE - HKU\S-1-5-21-842925246-1935655697-725345543-1003\..\SearchScopes,DefaultScope = {EC83D6D7-E8AB-44E5-BBF8-6EBD76B00101}
IE - HKU\S-1-5-21-842925246-1935655697-725345543-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-842925246-1935655697-725345543-1003\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_uk&p={searchTerms}
IE - HKU\S-1-5-21-842925246-1935655697-725345543-1003\..\SearchScopes\{EC83D6D7-E8AB-44E5-BBF8-6EBD76B00101}: "URL" = http://www.google.co.uk/search?hl=en&q={searchTerms}&meta=&rlz=1I7ADFA_en
IE - HKU\S-1-5-21-842925246-1935655697-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-842925246-1935655697-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;127.0.0.1:9421;

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.9.9
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\3.0.40818.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\Alwil Software\Avast5\WebRep\FF [2012/04/21 06:49:20 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/05/03 08:23:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/13 23:37:03 | 000,000,000 | ---D | M]

[2008/09/07 13:48:47 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Kenny\Application Data\Mozilla\Extensions
[2012/06/17 09:37:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\bn9yh03m.default\extensions
[2011/01/24 16:47:58 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\bn9yh03m.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2005/06/01 01:06:10 | 000,000,000 | ---D | M] (Web Developer) -- C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\bn9yh03m.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2012/06/17 09:37:51 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\bn9yh03m.default\extensions\inspector@mozilla.org
[2012/05/07 10:42:34 | 000,000,000 | ---D | M] (Zotero) -- C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\bn9yh03m.default\extensions\zotero@chnm.gmu.edu
[2012/05/26 22:22:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/05/26 22:22:01 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012/06/17 09:37:51 | 000,525,294 | ---- | M] () (No name found) -- C:\DOCUMENTS AND SETTINGS\KENNY\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\BN9YH03M.DEFAULT\EXTENSIONS\{73A6FE31-595D-460B-A920-FCC0F8843232}.XPI
[2012/05/17 15:09:12 | 001,335,949 | ---- | M] () (No name found) -- C:\DOCUMENTS AND SETTINGS\KENNY\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\BN9YH03M.DEFAULT\EXTENSIONS\FIREBUG@SOFTWARE.JOEHEWITT.COM.XPI
[2012/04/21 06:49:20 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST5\WEBREP\FF
[2012/05/03 08:23:02 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2008/07/21 17:49:09 | 000,044,360 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
[2008/07/21 17:49:11 | 000,107,928 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\atgpcext.dll
[2008/07/21 17:49:06 | 000,057,240 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\npatgpc.dll
[2011/01/24 13:47:42 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2008/11/12 18:44:55 | 000,279,888 | ---- | M] (Musicnotes, Inc.) -- C:\Program Files\mozilla firefox\plugins\npmusicn.dll
[2010/06/07 08:01:20 | 000,057,344 | ---- | M] (Walt Disney Imagineering) -- C:\Program Files\mozilla firefox\plugins\NPSqueak.dll
[2012/05/03 08:22:54 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/05/03 08:22:54 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========


O1 HOSTS File: ([2011/01/22 20:23:39 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O3 - HKU\S-1-5-21-842925246-1935655697-725345543-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (Intel® Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [Update] C:\WINDOWS\system32\tpl_0_c.exe (Contrasts Soft)
O4 - HKU\.DEFAULT..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 File not found
O4 - HKU\S-1-5-18..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK32.EXE (WinZip Computing, S.L.)
O4 - Startup: C:\Documents and Settings\Kenny\Start Menu\Programs\Startup\AutorunsDisabled [2012/06/18 14:59:13 | 000,000,000 | ---D | M]
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\__avast! sandbox\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-842925246-1935655697-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-842925246-1935655697-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-842925246-1935655697-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html File not found
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Handler\AutorunsDisabled\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\AutorunsDisabled - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/16 12:16:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/06/19 16:05:16 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Kenny\Desktop\OTL.exe
[2012/06/19 15:45:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kenny\Desktop\chntpw
[2012/06/19 15:36:28 | 000,399,264 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\Kenny\Desktop\unhide.exe
[2012/06/19 14:13:39 | 000,147,456 | ---- | C] (TeraByte Unlimited) -- C:\Documents and Settings\Kenny\Desktop\BurnCDCC.exe
[2012/06/19 14:11:35 | 000,607,260 | ---- | C] (Swearware) -- C:\Documents and Settings\Kenny\Desktop\kenny.scr
[2012/06/18 19:57:37 | 054,310,841 | ---- | C] (itp commerce Ltd. ) -- F:\My Documents\pm51en_r10593.exe
[2012/06/18 19:52:33 | 233,139,240 | ---- | C] (Microsoft Corporation) -- F:\My Documents\X12-30247.exe
[2012/06/18 19:52:22 | 027,217,213 | ---- | C] (Macromedia ) -- F:\My Documents\fwmx_2004_en.exe
[2012/06/18 19:51:53 | 002,832,544 | ---- | C] (Adobe Systems, Inc.) -- F:\My Documents\install_flash_player.exe
[2012/06/18 19:51:51 | 000,697,696 | ---- | C] (TGRMN Software ) -- F:\My Documents\vvfreesetup.exe
[2012/06/18 19:50:01 | 001,927,676 | ---- | C] (Macromedia, Inc.) -- F:\My Documents\chicken.exe
[2012/06/18 19:49:56 | 050,896,944 | ---- | C] (Hewlett-Packard Company ) -- F:\My Documents\drv_gc_w01_ENU.exe
[2012/06/18 19:49:54 | 005,111,184 | ---- | C] (iCentric Corp.) -- F:\My Documents\dgt2.exe
[2012/06/18 19:49:53 | 009,882,240 | ---- | C] (Lavalys, Inc. ) -- F:\My Documents\everestultimate502.exe
[2012/06/18 19:49:50 | 034,228,856 | ---- | C] (Google) -- F:\My Documents\GoogleSketchUpWEN.exe
[2012/06/18 19:49:50 | 001,045,536 | ---- | C] (PC Drivers HeadQuarters ) -- F:\My Documents\DriverDetective.exe
[2012/06/18 03:52:09 | 000,231,424 | ---- | C] (Contrasts Soft) -- C:\WINDOWS\System32\tpl_0_c.exe
[2012/06/16 10:49:27 | 000,000,000 | ---D | C] -- C:\gobetwino
[2012/06/14 13:00:20 | 000,000,000 | ---D | C] -- F:\My Documents\FLOWER
[2012/05/26 22:22:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\boost_interprocess
[2012/05/26 22:20:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2012/05/26 22:20:44 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2012/05/26 22:20:00 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2012/05/26 21:47:11 | 000,944,264 | ---- | C] (Skype Technologies S.A.) -- C:\Documents and Settings\Kenny\Desktop\SkypeSetup.exe

========== Files - Modified Within 30 Days ==========

[2012/06/19 16:19:05 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/06/19 16:05:41 | 000,000,364 | ---- | M] () -- C:\Documents and Settings\Kenny\Desktop\Shortcut to ComboFix.exe.lnk
[2012/06/19 15:25:22 | 001,012,656 | ---- | M] () -- C:\Documents and Settings\Kenny\Desktop\iExploreAKARKILL.exe
[2012/06/19 15:24:42 | 001,012,656 | ---- | M] () -- C:\Documents and Settings\Kenny\Desktop\rkill.exe
[2012/06/19 15:02:56 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kenny\Desktop\OTL.exe
[2012/06/19 15:02:22 | 000,881,475 | ---- | M] () -- C:\Documents and Settings\Kenny\Desktop\SecurityCheck.exe
[2012/06/19 15:01:52 | 000,399,264 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\Kenny\Desktop\unhide.exe
[2012/06/19 14:06:09 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/06/19 14:05:53 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/06/19 14:05:51 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/06/19 13:56:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/06/19 12:46:46 | 000,705,912 | ---- | M] () -- C:\Documents and Settings\Kenny\Desktop\query.exe
[2012/06/18 21:36:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/06/18 19:26:24 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Kenny\Desktop\9g4fmvquAKA GMER.exe
[2012/06/18 19:12:12 | 000,607,260 | ---- | M] (Swearware) -- C:\Documents and Settings\Kenny\Desktop\kenny.scr
[2012/06/18 03:52:03 | 000,231,424 | ---- | M] (Contrasts Soft) -- C:\WINDOWS\System32\tpl_0_c.exe
[2012/06/16 11:28:21 | 000,000,500 | ---- | M] () -- C:\Documents and Settings\Kenny\Desktop\Shortcut to Gobetwino.exe.lnk
[2012/06/14 02:26:24 | 000,000,554 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/26 22:20:45 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2012/05/26 21:46:51 | 000,944,264 | ---- | M] (Skype Technologies S.A.) -- C:\Documents and Settings\Kenny\Desktop\SkypeSetup.exe

========== Files Created - No Company Name ==========

[2012/06/19 16:05:41 | 000,000,364 | ---- | C] () -- C:\Documents and Settings\Kenny\Desktop\Shortcut to ComboFix.exe.lnk
[2012/06/19 15:45:56 | 000,005,699 | ---- | C] () -- C:\Documents and Settings\Kenny\Desktop\query.sh
[2012/06/19 15:36:23 | 000,881,475 | ---- | C] () -- C:\Documents and Settings\Kenny\Desktop\SecurityCheck.exe
[2012/06/19 15:36:20 | 001,012,656 | ---- | C] () -- C:\Documents and Settings\Kenny\Desktop\iExploreAKARKILL.exe
[2012/06/19 15:36:05 | 001,012,656 | ---- | C] () -- C:\Documents and Settings\Kenny\Desktop\rkill.exe
[2012/06/19 14:14:08 | 000,705,912 | ---- | C] () -- C:\Documents and Settings\Kenny\Desktop\query.exe
[2012/06/19 14:13:46 | 067,108,864 | ---- | C] () -- C:\Documents and Settings\Kenny\Desktop\xpud_0.9.2.iso
[2012/06/19 14:13:15 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Kenny\Desktop\9g4fmvquAKA GMER.exe
[2012/06/18 19:57:19 | 212,180,612 | ---- | C] () -- F:\My Documents\mainwwsp2.cab
[2012/06/18 19:57:19 | 000,448,098 | ---- | C] () -- F:\My Documents\irish census.pdf
[2012/06/18 19:57:15 | 000,008,862 | ---- | C] () -- F:\My Documents\Untitled-1.wav
[2012/06/18 19:57:13 | 000,236,616 | ---- | C] () -- F:\My Documents\AkamaiDownloadManagerInstaller.exe
[2012/06/18 19:55:39 | 000,411,358 | ---- | C] () -- F:\My Documents\OCRNationals_Complete_Contents.pdf
[2012/06/18 19:55:32 | 000,038,126 | ---- | C] () -- F:\My Documents\tcm21-65389.pdf
[2012/06/18 19:53:29 | 1465,304,046 | ---- | C] () -- F:\My Documents\removeable.ace
[2012/06/18 19:52:58 | 317,959,280 | ---- | C] () -- F:\My Documents\col8356.exe
[2012/06/18 19:51:58 | 229,852,160 | ---- | C] () -- F:\My Documents\93d25ec.msp
[2012/06/18 19:51:54 | 017,819,136 | ---- | C] () -- F:\My Documents\Thoughtograph-1.0.2.msi
[2012/06/18 19:50:02 | 229,852,160 | ---- | C] () -- F:\My Documents\b976b2e.msp
[2012/06/18 19:49:56 | 003,357,184 | ---- | C] () -- F:\My Documents\VersionTracker_Pro_Windows_4_1.msi
[2012/06/16 11:28:21 | 000,000,500 | ---- | C] () -- C:\Documents and Settings\Kenny\Desktop\Shortcut to Gobetwino.exe.lnk
[2012/06/14 02:26:24 | 000,000,554 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/26 22:20:45 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/05/01 00:46:39 | 000,000,152 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17620788r
[2011/05/01 00:46:38 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17620788
[2011/05/01 00:46:25 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\17620788
[2011/02/26 00:41:29 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2011/02/04 17:06:44 | 000,356,352 | ---- | C] () -- C:\WINDOWS\EMCRI.dll

========== Custom Scans ==========

< %TEMP%\stemp\*.* /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 233 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9A870F8B
@Alternate Data Stream - 174 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0FD841FF

< End of report >





Results of screen317's Security Check version 0.99.42
Windows XP Service Pack 2 x86
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Out of date HijackThis installed!
Malwarebytes Anti-Malware version 1.61.0.1400
HijackThis 2.0.2
Java™ 6 Update 23
Java version out of Date!
Adobe Flash Player 11.2.202.235
Adobe Reader X 10.0.1 Adobe Reader out of Date!
Mozilla Firefox 12.0 Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````
Alwil Software Avast5 AvastSvc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 45% Defragment your hard drive soon!
````````````````````End of Log``````````````````````
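As an added example, not part of the original post and not OTL's own code: a small Python triage script that parses the two line formats in the report above (the `[date | size | attrs | C] (Company) -- path` file entries and the `@Alternate Data Stream` entries) and applies a few review heuristics. The sample input is constructed from lines copied from the report; the rules (no publisher in the shared Application Data folder, no publisher on an EXE/DLL under C:\WINDOWS, executables created within two days of the report date, any named stream other than Zone.Identifier) and the report-date constant are assumptions for illustration. They mark entries for a closer look, not verdicts; the report itself does not say any of these files is malicious.

```python
"""Triage an OTL-style listing like the report pasted above.

Added example, not the original post's or OTL's own code. Handles the two
line formats in that report:
    [YYYY/MM/DD HH:MM:SS | size | attrs | C] (Company) -- path
    @Alternate Data Stream - N bytes -> path:stream
The review rules are assumptions for illustration, not verdicts."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<target>.+)$")

# Constructed sample: lines copied from the report above (a real one is far longer).
SAMPLE = r"""
[2012/05/26 21:46:51 | 000,944,264 | ---- | M] (Skype Technologies S.A.) -- C:\Documents and Settings\Kenny\Desktop\SkypeSetup.exe
[2012/06/19 15:36:05 | 001,012,656 | ---- | C] () -- C:\Documents and Settings\Kenny\Desktop\rkill.exe
[2012/06/19 14:13:46 | 067,108,864 | ---- | C] () -- C:\Documents and Settings\Kenny\Desktop\xpud_0.9.2.iso
[2012/06/18 19:53:29 | 1465,304,046 | ---- | C] () -- F:\My Documents\removeable.ace
[2012/05/26 22:20:45 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/05/01 00:46:39 | 000,000,152 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17620788r
[2011/02/26 00:41:29 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2011/02/04 17:06:44 | 000,356,352 | ---- | C] () -- C:\WINDOWS\EMCRI.dll
@Alternate Data Stream - 233 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9A870F8B
@Alternate Data Stream - 174 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0FD841FF
"""
REPORT_DATE = datetime(2012, 6, 19)   # day the report above was taken (assumed reference)

@dataclass
class FileEntry:
    when: datetime    # creation time for 'C' lines, modification time for 'M'
    size: int
    attrs: str
    kind: str
    company: str      # version-resource company name, "" when OTL shows ()
    path: str

@dataclass
class StreamEntry:
    size: int
    host: str         # file carrying the stream
    stream: str       # stream name after the last ':' (the drive colon is earlier)

@dataclass
class Finding:
    path: str
    rule: str
    detail: str

def parse_report(text: str) -> Tuple[List[FileEntry], List[StreamEntry]]:
    """Collect file and ADS entries; section headers and other lines are ignored."""
    files, streams = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            files.append(FileEntry(
                when=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                size=int(m["size"].replace(",", "")),      # "1465,304,046" -> int
                attrs=m["attrs"], kind=m["kind"],
                company=m["company"].strip(), path=m["path"].strip()))
            continue
        m = ADS_RE.match(line)
        if m:
            host, _, stream = m["target"].rpartition(":")
            streams.append(StreamEntry(int(m["size"]), host, stream))
    return files, streams

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
SHARED_APPDATA = "\\all users\\application data\\"
BENIGN_STREAMS = {"zone.identifier"}   # browser download marker; expected on fetched files

def triage(files, streams, reference=REPORT_DATE, recent_days=2) -> List[Finding]:
    out, since = [], reference - timedelta(days=recent_days)
    for f in files:
        p, stamp = f.path.lower(), f"{f.when:%Y-%m-%d %H:%M}, {f.size} bytes"
        if not f.company and SHARED_APPDATA in p:
            out.append(Finding(f.path, "no-publisher-in-shared-appdata", stamp))
        elif not f.company and p.startswith("c:\\windows\\") and p.endswith(EXEC_EXT):
            out.append(Finding(f.path, "no-publisher-in-windows-dir", stamp))
        elif p.endswith(EXEC_EXT) and f.when >= since:
            # Also catches the analyst's own tools (rkill.exe); check against known downloads.
            out.append(Finding(f.path, "recent-executable", stamp))
    for s in streams:
        if s.stream.lower() not in BENIGN_STREAMS:
            out.append(Finding(f"{s.host}:{s.stream}", "named-ads", f"{s.size}-byte stream"))
    return out

def run_sample() -> List[Finding]:
    return triage(*parse_report(SAMPLE))

if __name__ == "__main__":
    for hit in run_sample():
        print(f"{hit.rule:32} {hit.path}  ({hit.detail})")
```

Run against the sample it flags the two unsigned `~17620788` style files in the shared Application Data folder, the unsigned DLL under C:\WINDOWS, the freshly downloaded rkill.exe (which the analyst then recognises as their own tool) and both named streams on the TEMP file; the shortcuts, the .ini and the ISO are left alone. The `rpartition(":")` in the ADS parser is what keeps the drive letter's colon from being mistaken for the stream separator.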


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:10:23 AM

Posted 21 June 2012 - 07:37 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 kennydevon

Posted 22 June 2012 - 04:39 AM

Hi mole,
Thanks for your help.
Kenny

#4 m0le

Posted 22 June 2012 - 12:42 PM

Let's try to boot your computer using the Ultimate Boot CD for Windows (UBCD4win) and then use FRST to scan the system.

Please print this guide for future reference!

You will need a blank CD, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

:step1:

1. Download and Run Ultimate Boot CD for Windows
  • Save it to your Desktop.
  • Double-Click on the UBCD4Win.EXE that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
    NOTES:
  • Do not install to a folder with spaces in its name.
  • Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are "False-Positives." Read HERE for information regarding the files that normally trigger AV software.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on UBCD4WinBuilder.exe located in your C:\ubcd4win folder.
  • Click "I agree" to the Builders License.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
    • Source:(path to Windows installation files)
    • Enter the path to the drive where your XP CD is located.
    • You can click on the "..." button on the right to navigate to the path as well.
  • Custom: (include files and folders from this directory)
    • No information is necessary, leave blank.
  • Output: (C:\ubcd4win\BartPE)
    • Keep the default BartPE
  • Media output
  • Choose Create ISO image
  • Do not choose Burn to CD/DVD


Please note: If your XP install disc is SP1 then please .....

  • Disable- DComLaunch Service
  • Enable- LargeIDE Fix

    This can be done by pressing the "Plugin" button and checking or unchecking the appropriate selections

Also note: If you have a Dell XP install disc you will need to follow the instructions here
http://www.ubcd4win.com/faq.htm#dell
3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit


4. Burn your ISO file to CD
  • Please see HERE on how to burn an ISO to CD.
==========

:step2:

Next, from your clean computer:

Download Farbar Recovery Scan Tool
and save it to your flash drive.

Now plug your flashdrive back into your sick computer and follow the next instructions:

==========

:step3:

1. Restart Your sick Computer Using the UBCD4Win Disc That You Have Created
  • Insert the UBCD4Win disc in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the UBCD4Win CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter.
    • It may take a little longer for the Desktop to appear than it does when you start your computer normally. Just let the process run itself until the desktop appears.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on Yes if you want to use the PE environment to get online, post your log and reply by way of an Ethernet connection.
  • You should now have a desktop that looks like this:

    Posted Image


==========

:step4:

  • Single click My computer from your UBCD4W desktop to navigate to the Farbar Recovery Scan Tool you saved to your flash drive.
  • Double click on it to begin running the tool.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your next reply.


#5 kennydevon

Posted 22 June 2012 - 01:50 PM

Hi mole,

Unfortunately there are two problems with the CD approach:

1. The sick computer's CD drive is broken - can I boot the system from a flash drive?
2. The system CDs are somewhere in France, where I bought the computer, but I'm not sure where.

Alternatively I still have temporary control over the PC, and can run any programs directly from a stick - can we make any progress like that?

Kenny

#6 m0le

Posted 22 June 2012 - 02:08 PM

That's a bit sticky.

Try Combofix then - this will reboot the system and hopefully clear the infection. If that doesn't happen we will be forced to look at some USB boot options.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 kennydevon

Posted 23 June 2012 - 04:31 AM

Hi Mole,

Combofix seems to have done the job!! THANK YOU.

Is it worth trying to recover my Safe Mode? As I said originally, it was crashing and looping back to a reboot. I switched off the automatic reboot and on the next attempt I got a blue screen with a terse message and what looked like four register values showing. I didn't pursue it at this point.

Just now, after success with the Combofix, I decided to try another Safe Mode startup to see if it had been fixed. After several of those usual filenames flashing by, it went into a very long session of disk activity. I got scared and pressed reset! My next normal boot was another blue screen affair. Next I went to "last known configuration that succeeded", and lo and behold I'm back in business.

Half of me wants to clean things up and get everything working. The other half is scared to touch anything that ain't broke (for now!). What do you think?

Thanks again

Kenny

#8 m0le

Posted 23 June 2012 - 05:47 AM

I'm a cautious one. :)

Can you post the Combofix log - if you didn't get one then use the instructions below

Please go to start -> Run.

Copy and paste the bold line in the run-box and click OK:

cmd /c dir /a/s/b C:\QooBox >log.txt & log.txt

A text file opens up, copy and paste the content to your reply.

#9 m0le

Posted 27 June 2012 - 07:15 PM

Are you still there? There's a few things to do to complete this fix.

#10 m0le

Posted 28 June 2012 - 07:32 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



