Newest $200 FBI ransomware defeats ComboFix


7 replies to this topic

#1 ruralgeek

  • Members
  • 73 posts

Posted 31 July 2012 - 12:16 AM

Have an old XP Home Edition, a friend's, with the latest one of these ransomware trojans. So far the "fixes" I found on here in an earlier thread no longer fix this one.

I can get into safe mode command prompt only. If I go to safe mode with networking the ransom page still loads - not much graphic but it is still there.

I downloaded the latest ComboFix today and ran it in cmd prompt a number of times but it did not change a thing. The trojan programmers are obviously working around all fixes that are showing up.

I can't run TDSSKiller in command mode, it just sits there and nothing happens so I can't even start the previous fixes.

All I can do is work from the command prompt. I've been at this all day. I tried that hitmanpro36 also but he programs for a much larger screen resolution so in safe mode cmd prompt you can't see the next button to click it to continue on. Not much foresight there. Most of the fixes I've seen seem to assume one gets the graphical Windows interface. How can that be? It is totally locked up and I never see the desktop.

Tomorrow I'll try to get the drive out and slave it.

I had this old dog working early today. Saw the Java update notice, did that and got this crap. Sheesh.


So does anyone have any more ideas?


#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 31 July 2012 - 06:32 AM

Boot into safe mode

Copy this tool

Autoruns

Extract and launch autoruns.exe

Allow the scan to finish

Now click on FILE-SAVE

Filename: Autoruns.txt
Save as: Text

Paste the text contents here

#3 ruralgeek

  • Topic Starter
  • Members
  • 73 posts

Posted 31 July 2012 - 08:02 AM

Quite a mess, I see.

"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" "" "" ""
+ "C:\Documents and Settings\Jackie\Application Data\0PXnnEUH.exe" "" "" "c:\documents and settings\jackie\application data\0pxnneuh.exe"
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" "" "" ""
+ "and" "" "" "File not found: and"
+ "C:\Documents" "" "" "File not found: C:\Documents"
+ "Data\0PXnnEUH.exe" "" "" "File not found: Data\0PXnnEUH.exe"
+ "Settings\Jackie\Application" "" "" "File not found: Settings\Jackie\Application"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "" "" ""
+ "6fPwCBExvucPF0m" "" "" "c:\documents and settings\jackie\application data\0pxnneuh.exe"
+ "Adobe ARM" "Adobe Reader and Acrobat Manager" "Adobe Systems Incorporated" "c:\program files\common files\adobe\arm\1.0\adobearm.exe"
+ "Adobe Reader Speed Launcher" "Adobe Acrobat SpeedLauncher" "Adobe Systems Incorporated" "c:\program files\adobe\reader 8.0\reader\reader_sl.exe"
+ "ArcSoft Connection Service" "ArcSoft Connect Daemon" "ArcSoft Inc." "c:\program files\common files\arcsoft\connection service\bin\acdaemon.exe"
+ "basicsmssmenu" "Maxtor Status Icon" "Maxtor Corporation" "c:\program files\seagate\basics\basics status\maxmenumgrbasics.exe"
+ "Carbonite Backup" "Carbonite User Interface" "Carbonite, Inc." "c:\program files\carbonite\carbonite backup\carboniteui.exe"
+ "dla" "Drive Letter Access Component" "Sonic Solutions" "c:\windows\system32\dla\tfswctrl.exe"
+ "EKIJ5000StatusMonitor" "Status Monitor for KODAK AiO Printer (32-Bit Intel® Pentium™ 4 Optimized Build)" "Eastman Kodak Company" "c:\windows\system32\spool\drivers\w32x86\3\ekij5000mui.exe"
+ "Lexmark 3100 Series" "Lexmark 3100 Series Button Manager" "Lexmark International, Inc." "c:\program files\lexmark 3100 series\lxbrbmgr.exe"
+ "LXBRKsk" " " " " "c:\program files\lexmark 3100 series\lxbrksk.exe"
+ "nmctxth" "Pure Networks Platform Assistant" "Cisco Systems, Inc." "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
+ "nXJGtsIQncjq.exe" "" "" "File not found: C:\Documents and Settings\All Users\Application Data\nXJGtsIQncjq.exe"
+ "QuickTime Task" "QuickTime Task" "Apple Inc." "c:\program files\quicktime\qttask.exe"
+ "SunJavaUpdateSched" "Java™ Update Scheduler" "Sun Microsystems, Inc." "c:\program files\common files\java\java update\jusched.exe"
+ "UpdateManager" "Sonic Update Manager" "Sonic Solutions" "c:\program files\common files\sonic\update manager\sgtray.exe"
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup" "" "" ""
+ "Kodak EasyShare software.lnk" "Kodak EasyShare Software" "Eastman Kodak Company" "c:\program files\kodak\kodak easyshare software\bin\easyshare.exe"
"C:\Documents and Settings\Jackie\Start Menu\Programs\Startup" "" "" ""
+ "HotSync Manager.lnk" "HotSync® Manager Application" "Palm, Inc." "c:\program files\palm\hotsync.exe"
"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" "" "" ""
+ "Address Book 6" "Outlook Express Setup Library" "Microsoft Corporation" "c:\program files\outlook express\setup50.exe"
+ "Microsoft Outlook Express 6" "Outlook Express Setup Library" "Microsoft Corporation" "c:\program files\outlook express\setup50.exe"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "" "" ""
+ "6fPwCBExvucPF0m" "" "" "c:\documents and settings\jackie\application data\0pxnneuh.exe"
+ "Google Update" "Google Installer" "Google Inc." "c:\documents and settings\jackie\local settings\application data\google\update\googleupdate.exe"
+ "Skype" "Skype " "Skype Technologies S.A." "c:\program files\skype\phone\skype.exe"
+ "SpybotSD TeaTimer" "System settings protector" "Safer-Networking Ltd." "c:\program files\spybot - search & destroy\teatimer.exe"
"HKLM\SOFTWARE\Classes\Protocols\Handler" "" "" ""
+ "pure-go" "Pure Service Provider DLL" "Cisco Systems, Inc." "c:\program files\common files\pure networks shared\platform\puresp4.dll"
+ "skype-ie-addon-data" "Click to Call with Skype for Internet Explorer" "Skype Technologies S.A." "c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll"
"HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components" "" "" ""
+ "0" "" "" "File not found: About:Home"
"HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers" "" "" ""
+ "Carbonite" "Carbonite Explorer Extensions" "Carbonite, Inc." "c:\program files\carbonite\carbonite backup\carbonitense.dll"
"HKLM\Software\Classes\*\ShellEx\PropertySheetHandlers" "" "" ""
+ "Carbonite" "Carbonite Explorer Extensions" "Carbonite, Inc." "c:\program files\carbonite\carbonite backup\carbonitense.dll"
"HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers" "" "" ""
+ "MBAMShlExt" "Malwarebytes Anti-Malware" "Malwarebytes Corporation" "c:\program files\malwarebytes' anti-malware\mbamext.dll"
"HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers" "" "" ""
+ "Carbonite" "Carbonite Explorer Extensions" "Carbonite, Inc." "c:\program files\carbonite\carbonite backup\carbonitense.dll"
"HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers" "" "" ""
+ "igfxcui" "igfxpph Module" "Intel Corporation" "c:\windows\system32\igfxpph.dll"
"HKLM\Software\Classes\Folder\Shellex\ColumnHandlers" "" "" ""
+ "PDF Shell Extension" "PDF Shell Extension" "Adobe Systems, Inc." "c:\program files\common files\adobe\acrobat\activex\pdfshell.dll"
"HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers" "" "" ""
+ "MBAMShlExt" "Malwarebytes Anti-Malware" "Malwarebytes Corporation" "c:\program files\malwarebytes' anti-malware\mbamext.dll"
"HKLM\Software\Classes\Folder\ShellEx\PropertySheetHandlers" "" "" ""
+ "Carbonite" "Carbonite Explorer Extensions" "Carbonite, Inc." "c:\program files\carbonite\carbonite backup\carbonitense.dll"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers" "" "" ""
+ "Carbonite.Green" "Carbonite Explorer Extensions" "Carbonite, Inc." "c:\program files\carbonite\carbonite backup\carbonitense.dll"
+ "Carbonite.Partial" "Carbonite Explorer Extensions" "Carbonite, Inc." "c:\program files\carbonite\carbonite backup\carbonitense.dll"
+ "Carbonite.Yellow" "Carbonite Explorer Extensions" "Carbonite, Inc." "c:\program files\carbonite\carbonite backup\carbonitense.dll"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" "" "" ""
+ "Adobe PDF Reader Link Helper" "Adobe PDF Helper for Internet Explorer" "Adobe Systems Incorporated" "c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll"
+ "eBay Toolbar Helper" "eBayTb Dynamic Link Library" "eBay Inc." "c:\program files\ebay\ebay toolbar2\ebaytb.dll"
+ "Google Dictionary Compression sdch" "Fast Search" "Google Inc." "c:\program files\google\google toolbar\component\fastsearch_b7c5ac242193bb3e.dll"
+ "Google Toolbar Helper" "Google Toolbar" "Google Inc." "c:\program files\google\google toolbar\googletoolbar_32.dll"
+ "Google Toolbar Notifier BHO" "GoogleToolbarNotifier" "Google Inc." "c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll"
+ "Java™ Plug-In 2 SSV Helper" "Java™ Platform SE binary" "Sun Microsystems, Inc." "c:\program files\java\jre6\bin\jp2ssv.dll"
+ "Java™ Plug-In SSV Helper" "Java™ Platform SE binary" "Sun Microsystems, Inc." "c:\program files\java\jre6\bin\ssv.dll"
+ "JQSIEStartDetectorImpl Class" "Java™ Quick Starter binary" "Sun Microsystems, Inc." "c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll"
+ "Skype Browser Helper" "Click to Call with Skype for Internet Explorer" "Skype Technologies S.A." "c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll"
+ "Spybot-S&D IE Protection" "SBSD IE Protection" "Safer Networking Limited" "c:\program files\spybot - search & destroy\sdhelper.dll"
"HKLM\Software\Microsoft\Internet Explorer\Toolbar" "" "" ""
+ "eBay Toolbar" "eBayTb Dynamic Link Library" "eBay Inc." "c:\program files\ebay\ebay toolbar2\ebaytb.dll"
+ "Google Toolbar" "Google Toolbar" "Google Inc." "c:\program files\google\google toolbar\googletoolbar_32.dll"
"HKLM\Software\Microsoft\Internet Explorer\Extensions" "" "" ""
+ "MUSICMATCH MX Web Player" "" "" "File not found: http://wwws.musicmatch.com/mmz/openWebRadio.html"
"Task Scheduler" "" "" ""
+ "Adobe Flash Player Updater.job" "Adobe® Flash® Player Update Service 11.3 r300" "Adobe Systems Incorporated" "c:\windows\system32\macromed\flash\flashplayerupdateservice.exe"
+ "AppleSoftwareUpdate.job" "Apple Software Update" "Apple Inc." "c:\program files\apple software update\softwareupdate.exe"
+ "Defrag.job" "" "" "File not found: C:\Program Files\Glarysoft\Disk SpeedUp\Defrag.exe ScheduleStart"
+ "EasyShare Registration Task.job" "EasyShare software update page" "Eastman Kodak Company" "c:\documents and settings\all users\application data\kodak\easysharesetup\$registration\registration_8.0.30.1.sxt"
+ "Google Software Updater.job" "gusvc" "Google" "c:\program files\google\common\google updater\googleupdaterservice.exe"
+ "GoogleUpdateTaskMachineCore.job" "Google Installer" "Google Inc." "c:\program files\google\update\googleupdate.exe"
+ "GoogleUpdateTaskMachineUA.job" "Google Installer" "Google Inc." "c:\program files\google\update\googleupdate.exe"
+ "GoogleUpdateTaskUserS-1-5-21-3761045587-1330577778-3056889153-1006Core.job" "Google Installer" "Google Inc." "c:\documents and settings\jackie\local settings\application data\google\update\googleupdate.exe"
+ "GoogleUpdateTaskUserS-1-5-21-3761045587-1330577778-3056889153-1006UA.job" "Google Installer" "Google Inc." "c:\documents and settings\jackie\local settings\application data\google\update\googleupdate.exe"
+ "Spybot - Search & Destroy - Scheduled Task.job" "Spybot - Search & Destroy" "Safer Networking Limited" "c:\program files\spybot - search & destroy\spybotsd.exe"
+ "Spybot - Search & Destroy Updater - Scheduled Task.job" "Updater for Spybot-S&D" "Safer Networking Limited" "c:\program files\spybot - search & destroy\sdupdate.exe"
"HKLM\System\CurrentControlSet\Services" "" "" ""
+ "6to4" "Windows NetBIOS State" "" "c:\windows\system32\6to4ex.dll"
+ "ACDaemon" "ArcSoft Connect Service" "ArcSoft Inc." "c:\program files\common files\arcsoft\connection service\bin\acservice.exe"
+ "AdobeFlashPlayerUpdateSvc" "This service keeps your Adobe Flash Player installation up to date with the latest enhancements and security fixes." "Adobe Systems Incorporated" "c:\windows\system32\macromed\flash\flashplayerupdateservice.exe"
+ "Apple Mobile Device" "Provides the interface to Apple mobile devices." "Apple Inc." "c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe"
+ "AppMgmt" "Provides software installation services such as Assign, Publish, and Remove." "" "File not found: C:\WINDOWS\System32\appmgmts.dll"
+ "Basics Service" "Basics service for hardware interaction" "Seagate Technology LLC" "c:\program files\seagate\basics\service\syncservicesbasics.exe"
+ "Bonjour Service" "Enables hardware devices and software services to automatically configure themselves on the network and advertise their presence." "Apple Inc." "c:\program files\bonjour\mdnsresponder.exe"
+ "CarboniteService" "Carbonite Backup Service" "Carbonite, Inc. (www.carbonite.com)" "c:\program files\carbonite\carbonite backup\carboniteservice.exe"
+ "gupdate" "Keeps your Google software up to date. If this service is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This service uninstalls itself when there is no Google software using it." "Google Inc." "c:\program files\google\update\googleupdate.exe"
+ "gupdatem" "Keeps your Google software up to date. If this service is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This service uninstalls itself when there is no Google software using it." "Google Inc." "c:\program files\google\update\googleupdate.exe"
+ "gusvc" "Google Updater keeps your Google software up to date. If Google Updater Service is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work." "Google" "c:\program files\google\common\google updater\googleupdaterservice.exe"
+ "JavaQuickStarterService" "Prefetches JRE files for faster startup of Java applets and applications" "Sun Microsystems, Inc." "c:\program files\java\jre6\bin\jqs.exe"
+ "Kodak AiO Network Discovery Service" "EKDiscovery Module for Kodak AiO Printers" "Eastman Kodak Company" "c:\program files\kodak\aio\center\ekdiscovery.exe"
+ "LexBceS" "LexBce Service" "Lexmark International, Inc." "c:\windows\system32\lexbces.exe"
+ "LinksysUpdater" "Updater for Linksys EasyLink Advisor" "" "c:\program files\linksys\linksys updater\bin\linksysupdater.exe"
+ "nmservice" "Enables Pure Networks Platform services such as file sharing, printer sharing, and network monitoring." "Cisco Systems, Inc." "c:\program files\common files\pure networks shared\platform\nmsrvc.exe"
+ "W32Sch" "" "" "c:\windows\msiserv.exe"
+ "WMPNetworkSvc" "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play" "Microsoft Corporation" "c:\program files\windows media player\wmpnetwk.exe"
"HKLM\System\CurrentControlSet\Services" "" "" ""
+ "aeaudio" "Andrea Audio Stub Driver" "Andrea Electronics Corporation" "c:\windows\system32\drivers\aeaudio.sys"
+ "AliIde" "ALi mini IDE Driver" "Acer Laboratories Inc." "c:\windows\system32\drivers\aliide.sys"
+ "amdagp" "AMD Win2000 AGP Filter" "Advanced Micro Devices, Inc." "c:\windows\system32\drivers\amdagp.sys"
+ "AN983" "ADMtek AN983/AN985/ADM951X NDIS5 Driver" "ADMtek Incorporated." "c:\windows\system32\drivers\an983.sys"
+ "asc" "AdvanSys SCSI Controller Driver" "Advanced System Products, Inc." "c:\windows\system32\drivers\asc.sys"
+ "asc3550" "AdvanSys Ultra-Wide PCI SCSI Driver" "Advanced System Products, Inc." "c:\windows\system32\drivers\asc3550.sys"
+ "AX88178" "ASIX AX88178 Network Driver" "ASIX Electronics Corp." "c:\windows\system32\drivers\ax88178.sys"
+ "bcm4sbxp" "Broadcom Corporation NDIS 5.1 ethernet driver" "Broadcom Corporation" "c:\windows\system32\drivers\bcm4sbxp.sys"
+ "bvrp_pci" "" "" "c:\windows\system32\drivers\bvrp_pci.sys"
+ "Changer" "" "" "File not found: C:\WINDOWS\System32\Drivers\Changer.sys"
+ "CmdIde" "CMD PCI IDE Bus Driver" "CMD Technology, Inc." "c:\windows\system32\drivers\cmdide.sys"
+ "dac2w2k" "Mylex Disk Array Controller Driver" "Mylex Corporation" "c:\windows\system32\drivers\dac2w2k.sys"
+ "DCamUSBSQTECH" "Universal Serial Bus Camera Driver" "Service & Quality Technology." "c:\windows\system32\drivers\sqcaptur.sys"
+ "drvmcdb" "Device Driver" "Sonic Solutions" "c:\windows\system32\drivers\drvmcdb.sys"
+ "drvnddm" "Device Driver Manager" "Sonic Solutions" "c:\windows\system32\drivers\drvnddm.sys"
+ "E100B" "NDIS 5 driver" "Intel Corporation" "c:\windows\system32\drivers\e100b325.sys"
+ "FIXUSTOR" "" "" "File not found: system32\DRIVERS\fixustor.sys"
+ "GEARAspiWDM" "CD DVD Filter" "GEAR Software Inc." "c:\windows\system32\drivers\gearaspiwdm.sys"
+ "ialm" "Intel Graphics Miniport Driver" "Intel Corporation" "c:\windows\system32\drivers\ialmnt5.sys"
+ "IntelC51" "Modem DSP Driver" "Intel Corporation" "c:\windows\system32\drivers\intelc51.sys"
+ "IntelC52" "Modem CP Driver" "Intel Corporation" "c:\windows\system32\drivers\intelc52.sys"
+ "IntelC53" "Modem AFE Driver" "Intel Corporation" "c:\windows\system32\drivers\intelc53.sys"
+ "lbrtfdc" "" "" "File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys"
+ "mohfilt" "Filter Driver to Support Modem-on-Hold" "Intel Corporation" "c:\windows\system32\drivers\mohfilt.sys"
+ "mraid35x" "MegaRAID RAID Controller Driver for Windows Whistler 32" "American Megatrends Inc." "c:\windows\system32\drivers\mraid35x.sys"
+ "nv" "NVIDIA Compatible Windows 2000 Miniport Driver, Version 56.73 " "NVIDIA Corporation" "c:\windows\system32\drivers\nv4_mini.sys"
+ "omci" "OMCI Device Driver" "Dell Computer Corporation" "c:\windows\system32\drivers\omci.sys"
+ "PCIDump" "" "" "File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys"
+ "PDCOMP" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys"
+ "PDFRAME" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys"
+ "PDRELI" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys"
+ "PDRFRAME" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys"
+ "pnarp" "Provides support for Pure Networks Platform device discovery." "Cisco Systems, Inc." "c:\windows\system32\drivers\pnarp.sys"
+ "Ptilink" "Direct Parallel Link Driver" "Parallel Technologies, Inc." "c:\windows\system32\drivers\ptilink.sys"
+ "purendis" "Provides support for Pure Networks Platform wireless adapter configuration." "Cisco Systems, Inc." "c:\windows\system32\drivers\purendis.sys"
+ "PxHelp20" "Px Engine Device Driver for Windows 2000/XP" "Sonic Solutions" "c:\windows\system32\drivers\pxhelp20.sys"
+ "ql1080" "Miniport Driver for QLogic ISP PCI Adapters" "QLogic Corporation" "c:\windows\system32\drivers\ql1080.sys"
+ "ql12160" "Miniport Driver for QLogic ISP PCI Adapters" "QLogic Corporation" "c:\windows\system32\drivers\ql12160.sys"
+ "ql1280" "Miniport Driver for QLogic ISP PCI Adapters" "QLogic Corporation" "c:\windows\system32\drivers\ql1280.sys"
+ "Secdrv" "SafeDisc driver" "Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K." "c:\windows\system32\drivers\secdrv.sys"
+ "sisagp" "SiS NT AGP Filter" "Silicon Integrated Systems Corporation" "c:\windows\system32\drivers\sisagp.sys"
+ "smwdm" "SoundMAX Integrated Digital Audio " "Analog Devices, Inc." "c:\windows\system32\drivers\smwdm.sys"
+ "Sparrow" "Adaptec AIC-6x60 series SCSI miniport" "Adaptec, Inc." "c:\windows\system32\drivers\sparrow.sys"
+ "sscdbhk5" "Shared Driver Component" "Sonic Solutions" "c:\windows\system32\drivers\sscdbhk5.sys"
+ "ssrtln" "Shared Driver Component" "Sonic Solutions" "c:\windows\system32\drivers\ssrtln.sys"
+ "sym_hi" "Symbios Hi-Perf SCSI Miniport Driver" "LSI Logic" "c:\windows\system32\drivers\sym_hi.sys"
+ "sym_u3" "Symbios Ultra3 SCSI Miniport Driver" "LSI Logic" "c:\windows\system32\drivers\sym_u3.sys"
+ "symc810" "Symbios Logic Inc. SCSI Miniport Driver" "Symbios Logic Inc." "c:\windows\system32\drivers\symc810.sys"
+ "symc8xx" "Symbios 8XX SCSI Miniport Driver" "LSI Logic" "c:\windows\system32\drivers\symc8xx.sys"
+ "symlcbrd" "Symantec Core Component" "Symantec Corporation" "c:\windows\system32\drivers\symlcbrd.sys"
+ "tfsnboio" "Drive Letter Access Component" "Sonic Solutions" "c:\windows\system32\dla\tfsnboio.sys"
+ "tfsncofs" "Drive Letter Access Component" "Sonic Solutions" "c:\windows\system32\dla\tfsncofs.sys"
+ "tfsndrct" "Drive Letter Access Component" "Sonic Solutions" "c:\windows\system32\dla\tfsndrct.sys"
+ "tfsndres" "Drive Letter Access Component" "Sonic Solutions" "c:\windows\system32\dla\tfsndres.sys"
+ "tfsnifs" "Drive Letter Access Component" "Sonic Solutions" "c:\windows\system32\dla\tfsnifs.sys"
+ "tfsnopio" "Drive Letter Access Component" "Sonic Solutions" "c:\windows\system32\dla\tfsnopio.sys"
+ "tfsnpool" "Drive Letter Access Component" "Sonic Solutions" "c:\windows\system32\dla\tfsnpool.sys"
+ "tfsnudf" "Drive Letter Access Component" "Sonic Solutions" "c:\windows\system32\dla\tfsnudf.sys"
+ "tfsnudfa" "Drive Letter Access Component" "Sonic Solutions" "c:\windows\system32\dla\tfsnudfa.sys"
+ "ultra" "Promise Ultra66 Miniport Driver" "Promise Technology, Inc." "c:\windows\system32\drivers\ultra.sys"
+ "wanatw" "" "" "File not found: system32\DRIVERS\wanatw4.sys"
+ "WDC_SAM" "Manages WD external storage products." "Western Digital Technologies" "c:\windows\system32\drivers\wdcsam.sys"
+ "WDICA" "" "" "File not found: C:\WINDOWS\System32\Drivers\WDICA.sys"
+ "{6080A529-897E-4629-A488-ABA0C29B635E}" "Intel Graphics Platform (SoftBIOS) Driver for Windows 2000® & Windows XP™" "Intel Corporation" "c:\windows\system32\drivers\ialmsbw.sys"
+ "{D31A0762-0CEB-444e-ACFF-B049A1F6FE91}" "Intel Graphics Chipset (KCH) Driver for Windows 2000® & Windows XP™" "Intel Corporation" "c:\windows\system32\drivers\ialmkchw.sys"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32" "" "" ""
+ "msacm.iac2" "Indeo® audio software" "Intel Corporation" "c:\windows\system32\iac25_32.ax"
+ "msacm.l3acm" "MPEG Layer-3 Audio Codec for MSACM" "Fraunhofer Institut Integrierte Schaltungen IIS" "c:\windows\system32\l3codeca.acm"
+ "msacm.sl_anet" "Audio codec for MS ACM" "Sipro Lab Telecom Inc." "c:\windows\system32\sl_anet.acm"
+ "msacm.trspch" "DSP Group TrueSpeech™ Audio Codec for MSACM V3.50" "DSP GROUP, INC." "c:\windows\system32\tssoft32.acm"
+ "vidc.cvid" "Cinepak® Codec" "Radius Inc." "c:\windows\system32\iccvid.dll"
+ "vidc.iv31" "" "" "c:\windows\system32\ir32_32.dll"
+ "vidc.iv32" "" "" "c:\windows\system32\ir32_32.dll"
+ "vidc.iv41" "Intel Indeo® Video 4.5" "Intel Corporation" "c:\windows\system32\ir41_32.ax"
+ "vidc.iv50" "Intel Indeo® video 5.10" "Intel Corporation" "c:\windows\system32\ir50_32.dll"
+ "vidc.tscc" "TechSmith Screen Capture Codec" "TechSmith Corporation" "c:\windows\system32\tsccvid.dll"
"HKLM\Software\Classes\Filter" "" "" ""
+ "Indeo® video 4.4 Compression Filter" "Intel Indeo® Video 4.5" "Intel Corporation" "c:\windows\system32\ir41_32.ax"
+ "Indeo® video 4.4 Compression Filter" "Intel Indeo® Video 4.5" "Intel Corporation" "c:\windows\system32\ir41_32.ax"
+ "Indeo® video 4.4 Decompression Filter" "Intel Indeo® Video 4.5" "Intel Corporation" "c:\windows\system32\ir41_32.ax"
+ "Indeo® video 4.4 Decompression Filter" "Intel Indeo® Video 4.5" "Intel Corporation" "c:\windows\system32\ir41_32.ax"
"HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance" "" "" ""
+ "9x8Resize" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "ACELP.net Audio Decoder" "ACELP.net Audio Decoder" "Sipro Lab Telecom Inc." "c:\windows\system32\acelpdec.ax"
+ "Allocator Fix" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "Audio Destination" "WAVDest Filter (Sample)" "Microsoft Corporation" "c:\program files\google\google earth\client\wavdest.ax"
+ "Bitmap" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "Cyberlink Byte Counter Filter" "Cyberlink Byte Counter Filter" "CyberLink Corporation" "c:\program files\dell\media experience\video\pdbytecounter.ax"
+ "CyberLink DDR" "CyberLink DDR" "CyberLink Corp." "c:\program files\dell\media experience\video\pdrender.ax"
+ "CyberLink Double Pin Tee" "Cyberlink Double Tee Filter" "CtberLink Corporation" "c:\program files\dell\media experience\video\pddoubletee.ax"
+ "Cyberlink Dump Filter" "Cyberlink File Dump Filter" "CyberLink Corp." "c:\program files\dell\media experience\video\pddump.ax"
+ "CyberLink DV Buffer" "CLDVBuffer Filter" "CyberLink" "c:\program files\dell\media experience\video\pddvbuffer.ax"
+ "CyberLink DV Dump Filter" "DV dump Filter" "CyberLink Corporation" "c:\program files\dell\media experience\video\pddvdump.ax"
+ "CyberLink DV Filter" "DVTCR" "CyberLink" "c:\program files\dell\media experience\video\pddvtcr.ax"
+ "CyberLink DV Reader Filter" "DVMultReader Filter" "CyberLink" "c:\program files\dell\media experience\video\pddvmrd.ax"
+ "Cyberlink Gate Filter" "CLGate" "CyberLink" "c:\program files\dell\media experience\video\pdgate.ax"
+ "CyberLink MPEG Audio Encoder" "CyberLink MPEG Audio Encoder" "CyberLink Corp." "c:\program files\dell\media experience\video\pdmpgaenc.ax"
+ "CyberLink MPEG Muxer" "MpgMux" "CyberLink" "c:\program files\dell\media experience\video\pdmpgmux.ax"
+ "CyberLink MPEG Video Encoder" "CyberLink MPEG Video Encoder " "CyberLink Corp. " "c:\program files\dell\media experience\video\pdmpgvenc.ax"
+ "CyberLink SlideShowLT Source Filter" "Cyberlink Slide Show Controler LT for Dell" "CyberLink Corp." "c:\program files\dell\media experience\photo\slideshowlt.ax"
+ "CyberLink SnapShot Filter" "CLSnapShot Filter" "CyberLink" "c:\program files\dell\media experience\video\pdsnapshot.ax"
+ "CyberLink Video Regulator" "CLRGL" "Cyberlink" "c:\program files\dell\media experience\photo\clrgl.ax"
+ "CyberLink YUY2 DeInterlace" "DitlYuY2" "CyberLink" "c:\program files\dell\media experience\video\pdditlyuy2.ax"
+ "CyberLink YUY2 Sub-Sampling" "SubYUY2 Filter" "CyberLink" "c:\program files\dell\media experience\video\pdsubyuy2.ax"
+ "Frame Eater" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "Indeo® audio software" "Indeo® audio software" "Intel Corporation" "c:\windows\system32\iac25_32.ax"
+ "Indeo® video 5.10 Compression Filter" "Intel Indeo® video 5.10" "Intel Corporation" "c:\windows\system32\ir50_32.dll"
+ "Indeo® video 5.10 Decompression Filter" "Intel Indeo® video 5.10" "Intel Corporation" "c:\windows\system32\ir50_32.dll"
+ "MPEG Layer-3 Decoder" "MPEG Layer-3 Audio Decoder" "Fraunhofer Institut Integrierte Schaltungen IIS" "c:\windows\system32\l3codecx.ax"
+ "Record Queue" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "ShotDetect" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "Snapshot" "Arcsoft Snapshot Filter 1.0" "Arcsoft Corporation" "c:\program files\common files\arcsoft\mpeg engine\arcsnap.ax"
+ "Stetch" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "TrueMotion 2.0 Decompressor" "TrueMotion 2.0 Decompressor" "The Duck Corporation" "c:\windows\system32\tm20dec.ax"
+ "WIA Stream Snapshot Filter" "WIA Stream Snapshot Filter" "MyCompanyName" "c:\windows\system32\wiasf.ax"
+ "WM VIH2 Fix" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Audio Analyzer" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Black Frame Generator" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT DirectX Transform Wrapper" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT DV Extract Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT FormatConversion" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Import Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Interlacer" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Log Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT MuxDeMux Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Sample Info Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Screen capture Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Switch Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Virtual Renderer" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Virtual Source" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Volume" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
"HKLM\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance" "" "" ""
+ "{584FDB1D-51C4-4A1D-B674-D548D915EE01}" "WIC Metadata Handler Plug-in" "Eastman Kodak Company" "c:\program files\common files\kodak\wic_support\metadatawicmetadatahandler-platopt.dll"
+ "{6DDC8FCE-C470-444A-9425-8EAC662A99F7}" "WIC Metadata Handler Plug-in" "Eastman Kodak Company" "c:\program files\common files\kodak\wic_support\metadatawicmetadatahandler-platopt.dll"
+ "{821C65A9-C22B-4387-9503-265472E25544}" "WIC Metadata Handler Plug-in" "Eastman Kodak Company" "c:\program files\common files\kodak\wic_support\metadatawicmetadatahandler-platopt.dll"
+ "{90F5AF52-6D6C-4C83-8A7D-1C12923A1022}" "WIC Metadata Handler Plug-in" "Eastman Kodak Company" "c:\program files\common files\kodak\wic_support\metadatawicmetadatahandler-platopt.dll"
+ "{C73B6814-9FF3-4D10-A5C0-678904F869E9}" "WIC Metadata Handler Plug-in" "Eastman Kodak Company" "c:\program files\common files\kodak\wic_support\metadatawicmetadatahandler-platopt.dll"
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "" "" ""
+ "igfxcui" "igfxsrvc Module" "Intel Corporation" "c:\windows\system32\igfxsrvc.dll"
"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries" "" "" ""
+ "mdnsNSP" "Bonjour Namespace Provider" "Apple Inc." "c:\program files\bonjour\mdnsnsp.dll"
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" "" "" ""
+ "KODAK EASYSHARE All-in-One Printer" "Language Monitor for KODAK AiO Printer (32-Bit Intel® Pentium™ 4 Optimized Build)" "Eastman Kodak Company" "c:\windows\system32\ekij5000mon.dll"
+ "Lexmark Network Port" "LEXLMPM DLL" "Lexmark International, Inc." "c:\windows\system32\lexlmpm.dll"

#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 31 July 2012 - 08:12 AM

Ok, fine, we have some rogue entries hooked to the SHELL value. Can you boot into safe mode with networking? If yes:

Download aswMBR

Launch it, allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here.

Download ESET online scanner

Install it.

Click on START, it should download the virus definitions.
When the scan gets completed, click on LIST of found threats.

Export the list to desktop, copy the contents of the text file in your reply.

Are you able to launch TDSSkiller?

#5 ruralgeek

ruralgeek
  • Topic Starter

  • Members
  • 73 posts

Posted 31 July 2012 - 08:35 AM

> Ok, fine, we have some rogue entries hooked to the SHELL value. Can you boot into safe mode with networking? If yes:
>
> Download aswMBR
>
> Launch it, allow it to download the latest Avast! virus definitions.
> Click the "Scan" button to start the scan. After the scan finishes, click on Save log.
>
> Post the log results here.
>
> Download ESET online scanner
>
> Install it.
>
> Click on START, it should download the virus definitions.
> When the scan gets completed, click on LIST of found threats.
>
> Export the list to desktop, copy the contents of the text file in your reply.
>
> Are you able to launch TDSSkiller?

I can boot into safe mode command prompt only. When I go to safe mode networking, I get the trojan screen in a lot less graphic mode, but the locked-down screen anyway.

I have downloaded those programs from yesterday and have them on the USB stick. I did try tdsskiller but it wouldn't run in cmd mode.

That is what's so insidious about this one. It's like they are reading here and know what the cures are, and working the program to avoid them.

In Autoruns I actually got to see the drive and directories. So it is what I have right now to work with.

Can I delete some of those obvious files if I can see them? I might be able to get into safe mode networking then.

Thanks for the help with this. :)

#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 31 July 2012 - 08:43 AM

Boot into safe mode and manually delete this file:

C:\Documents and Settings\Jackie\Application Data\0PXnnEUH.exe

Boot into normal mode now and post the logs as requested.

> I downloaded the latest combofix today and ran it in cmd prompt a number of times but it did not change a thing. The trojan programmers are obviously working around all fixes that are showing up.

Do not use ComboFix without expert help.

> I have downloaded those programs from yesterday and have them on the usb stick. I did try tdsskiller but it wouldn't run in cmd mode.

It will not run in any mode. You also have a rootkit.

Download FIXTDSS

Launch it. It may ask for a restart; reboot the PC.

On reboot, click on REPAIR.

Run TDSSkiller now and post the log.
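
As an added illustration of what narenxp is reading off the Autoruns log in this thread (rogue entries hooked to the Winlogon Shell value, and an executable dropped under a user's Application Data folder), here is a small Python triage script. It is not from the thread and not part of Autoruns; it assumes the four-quoted-field text layout shown in the pasted log (a location line with only the registry key filled in, then "+ " entry lines with name, description, publisher and image path). The sample log is constructed: two benign lines copied from the thread's log plus a made-up Winlogon\Shell entry pointing at the file path named in the thread, so the script can show which heuristics fire on it.

```python
import re
from dataclasses import dataclass

# Autoruns text export as it appears in the thread (format assumed from the
# pasted log): a location line is four quoted fields with only the registry
# key filled in, and each entry under it starts with "+ " followed by
# name, description, publisher and image path.
LOCATION_RE = re.compile(r'^"([^"]+)"\s+""\s+""\s+""\s*$')
ENTRY_RE = re.compile(r'^\+\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"\s*$')

# Per-user data folders on Windows XP; an autostart image living here is
# unusual for legitimately installed software.
USER_DATA_RE = re.compile(
    r'^c:\\documents and settings\\[^\\]+\\(application data|local settings)\\', re.I)


@dataclass
class Entry:
    location: str
    name: str
    description: str
    publisher: str
    image_path: str


def parse_autoruns(text):
    """Parse location/entry lines into Entry objects; other lines are ignored."""
    entries, location = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOCATION_RE.match(line)
        if m:
            location = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and location is not None:
            entries.append(Entry(location, *m.groups()))
    return entries


def looks_random(filename):
    """Mixed-case alphanumeric stem containing digits, e.g. 0PXnnEUH.exe."""
    stem = filename.rsplit('.', 1)[0]
    return (6 <= len(stem) <= 12 and stem.isalnum()
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem)
            and any(c.isdigit() for c in stem))


def suspicious_reasons(e):
    """Return the reasons (possibly none) a responder would flag this entry."""
    reasons = []
    path = e.image_path.lower()
    if USER_DATA_RE.match(e.image_path):
        reasons.append("image in a user profile data folder")
    if not e.publisher:
        reasons.append("no publisher")
    basename = path.rsplit('\\', 1)[-1]
    if looks_random(e.name) or looks_random(basename):
        reasons.append("random-looking executable name")
    # The Winlogon Shell value should launch explorer.exe; anything else
    # replaces the desktop, which matches the locked-screen symptom.
    if '\\winlogon\\shell' in e.location.lower() and not path.endswith('\\explorer.exe'):
        reasons.append("non-standard Winlogon shell")
    return reasons


def find_suspicious(entries):
    flagged = []
    for e in entries:
        reasons = suspicious_reasons(e)
        if reasons:
            flagged.append((e, reasons))
    return flagged


# Constructed sample: two benign lines copied from the thread's log plus a
# constructed Winlogon Shell entry pointing at the file named in the thread.
SAMPLE_LOG = r'''
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "" "" ""
+ "igfxcui" "igfxsrvc Module" "Intel Corporation" "c:\windows\system32\igfxsrvc.dll"
"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries" "" "" ""
+ "mdnsNSP" "Bonjour Namespace Provider" "Apple Inc." "c:\program files\bonjour\mdnsnsp.dll"
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" "" "" ""
+ "explorer.exe" "Windows Explorer" "Microsoft Corporation" "c:\windows\explorer.exe"
+ "0PXnnEUH.exe" "" "" "c:\documents and settings\jackie\application data\0pxnneuh.exe"
'''

if __name__ == "__main__":
    for e, reasons in find_suspicious(parse_autoruns(SAMPLE_LOG)):
        print(f"{e.location}\n  {e.name} -> {e.image_path}\n  {'; '.join(reasons)}")
```

On the constructed sample only the made-up Shell entry is flagged, for all four reasons; the Intel, Apple and explorer.exe lines pass. The heuristics are deliberately simple: they reproduce the eyeballing a forum helper does, not a verdict, and a flagged entry still needs the file checked (publisher, hash, age) before anything is deleted.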

#7 ruralgeek

ruralgeek
  • Topic Starter

  • Members
  • 73 posts

Posted 31 July 2012 - 11:43 AM

> Boot into safe mode and manually delete this file:
>
> C:\Documents and Settings\Jackie\Application Data\0PXnnEUH.exe
>
> Boot into normal mode now and post the logs as requested.

I removed that file. I rebooted, and it did go into normal mode. The rogue did not load, but neither did a desktop. All I had was the blue background with a mouse pointer. Nothing else. Nothing to click.

Before that, while in the cmd window, I did try Fixtdss but nothing happened there either.

#8 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 31 July 2012 - 12:38 PM

We need advanced tools to remove this one

Read the guide here

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck
