
Rogue $200 FBI ransomware


  • This topic is locked
121 replies to this topic

#1 ruralgeek

  • Members
  • 73 posts
  • Local time:01:53 PM

Posted 31 July 2012 - 01:35 PM

Have an old XP Home Edition, SP3, a friend's, with the latest one of these ransomware trojans. So far the "fixes" I found on here in an earlier thread in another forum no longer fix this one.

I can get into safe mode command prompt OK. Originally, before Narenxp's help, when I went into safe mode networking I would still get the "you are locked" screen - just a safe mode one, but locked nonetheless.

Narenxp helped a lot and I followed his instructions. Posted the autoruns info. Deleted the rogue file in the app data section he told me to delete and then booted into normal mode. The rogue ransomware screen did not come up, but neither did the desktop. All I had was the blue background and a mouse pointer. Tried safe mode networking and I get a black screen with no icons, and all it says is "safe mode" in each corner. A mouse pointer and nothing to click.

He recommended I come here to this forum and so I'm here. :)

Thank you :)

Edited by ruralgeek, 31 July 2012 - 01:38 PM.




#2 nasdaq

  • Malware Response Team
  • 38,925 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:53 PM

Posted 05 August 2012 - 09:37 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

I suggest you follow the removal instructions on this page.

Remove the FBI MoneyPak Ransomware
http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware

Repeat the instructions if you have already executed them.

===

When completed I would like to see the log from this scan.

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.

Please let me know what problem persists.

#3 ruralgeek

  • Topic Starter

  • Members
  • 73 posts
  • Local time:01:53 PM

Posted 06 August 2012 - 06:47 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

I suggest you follow the removal instructions on this page.

Remove the FBI MoneyPak Ransomware
http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware

Repeat the instructions if you have already executed them.

===


Since all I can do is the command line in safe mode and not safe mode networking, I ran the Emsisoft batch file for the command-line mode and sent its output to a file.

There was no log; that's why I ran it with > cmdlinescan.txt on the cmd line, so I'd have something to show you.

Formatting is weird, but this is what the Emsisoft batch file produced:

I see it looks OK in the edit window, but it all runs together in the preview. It's a Notepad file. Wouldn't an attachment be better in this case?

C:\_bdutils\emsi>ECHO OFF

Emsisoft Commandline Scanner v. 6.6.0.3
© 2003-2012 Emsisoft - www.emsisoft.com

Emsisoft Commandline Scanner - Version 2.0
Last update: N/A

Scan settings:

Objects: Memory, Traces
Scan archives: Off
ADS Scan: Off

Scan start: 8/5/2012 8:59:10 PM

\\?\C:\WINDOWS\SYSTEM32\svchost.exe \\?\C:\WINDOWS\SYSTEM32\svchost.exe \\?\C:\WINDOWS\SYSTEM32\svchost.exe \\?\C:\WINDOWS\SYSTEM32\svchost.exe \\?\C:\WINDOWS\SYSTEM32\svchost.exe \\?\C:\WINDOWS\SYSTEM32\svchost.exe \\?\C:\WINDOWS\SYSTEM32\smss.exe \\?\C:\WINDOWS\SYSTEM32\smss.exe \\?\C:\WINDOWS\SYSTEM32\smss.exe \\?\c:\windows\system32\ntdll.dll \\?\c:\windows\system32\ntdll.dll \\?\c:\windows\system32\ntdll.dll \\?\c:\windows\system32\ntdll.dll \\?\c:\windows\system32\kernel32.dll \\?\C:\WINDOWS\SYSTEM32\lsass.exe \\?\C:\WINDOWS\SYSTEM32\lsass.exe \\?\c:\windows\system32\msvcrt.dll \\?\C:\WINDOWS\SYSTEM32\cmd.exe \\?\c:\windows\system32\gdi32.dll \\?\c:\windows\system32\shimeng.dll \\?\c:\windows\system32\shimeng.dll \\?\c:\windows\system32\shimeng.dll \\?\c:\windows\system32\user32.dll \\?\c:\windows\system32\user32.dll \\?\C:\WINDOWS\SYSTEM32\services.exe \\?\C:\WINDOWS\SYSTEM32\services.exe \\?\C:\WINDOWS\SYSTEM32\services.exe \\?\c:\windows\system32\advapi32.dll \\?\c:\windows\system32\advapi32.dll \\?\c:\windows\system32\advapi32.dll \\?\c:\windows\system32\advapi32.dll \\?\c:\windows\system32\secur32.dll \\?\c:\windows\system32\secur32.dll \\?\c:\windows\system32\secur32.dll \\?\c:\windows\system32\winmm.dll \\?\c:\windows\system32\winmm.dll \\?\c:\windows\system32\winmm.dll \\?\c:\windows\system32\winmm.dll \\?\c:\windows\apppatch\acgenral.dll \\?\c:\windows\system32\version.dll \\?\c:\windows\system32\ole32.dll \\?\c:\windows\system32\ole32.dll \\?\c:\windows\system32\shlwapi.dll \\?\c:\windows\system32\shlwapi.dll \\?\c:\windows\system32\shlwapi.dll \\?\c:\windows\system32\shlwapi.dll \\?\c:\windows\system32\shlwapi.dll \\?\c:\windows\system32\userenv.dll \\?\c:\windows\system32\userenv.dll \\?\c:\windows\system32\uxtheme.dll \\?\c:\windows\system32\imm32.dll \\?\c:\windows\system32\imm32.dll \\?\c:\windows\system32\imm32.dll \\?\c:\windows\system32\imm32.dll \\?\c:\windows\system32\imm32.dll \\?\c:\windows\system32\imm32.dll 
\\?\c:\windows\system32\imm32.dll \\?\c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll \\?\c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll \\?\c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll \\?\c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll \\?\c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll \\?\c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll \\?\c:\windows\system32\comctl32.dll \\?\c:\windows\system32\msimg32.dll \\?\c:\windows\system32\msimg32.dll \\?\c:\windows\system32\msimg32.dll \\?\c:\windows\system32\wsock32.dll \\?\c:\windows\system32\ws2_32.dll \\?\c:\windows\system32\ws2help.dll \\?\c:\windows\system32\ws2help.dll \\?\c:\windows\system32\psapi.dll \\?\c:\windows\system32\psapi.dll \\?\c:\_bdutils\emsi\run\a2engine.dll \\?\c:\_bdutils\emsi\run\a2engine.dll \\?\c:\windows\system32\wintrust.dll \\?\c:\windows\system32\wintrust.dll \\?\c:\windows\system32\wintrust.dll \\?\c:\windows\system32\crypt32.dll \\?\c:\windows\system32\msasn1.dll \\?\c:\windows\system32\imagehlp.dll \\?\c:\windows\system32\imagehlp.dll \\?\c:\windows\system32\netapi32.dll \\?\c:\windows\system32\netapi32.dll \\?\c:\windows\system32\sfc.dll \\?\c:\windows\system32\sfc.dll \\?\c:\windows\system32\sfc_os.dll \\?\c:\windows\system32\sfc_os.dll \\?\c:\windows\system32\wtsapi32.dll \\?\c:\_bdutils\emsi\run\quarantine.dll \\?\c:\_bdutils\emsi\run\quarantine.dll \\?\c:\_bdutils\emsi\run\quarantine.dll \\?\c:\_bdutils\emsi\run\quarantine.dll \\?\c:\_bdutils\emsi\run\quarantine.dll c:\docume~1\jackie\locals~1\temp\jhunizu.exe Key: hkey_current_user\software\microsoft\yvilp c:\documents and 
settings\networkservice\application data\microsoft\internet explorer\quick launch\smart anti-malware protection.lnk Key: hkey_current_user\software\microsoft\windows\currentversion\uninstall\home malware cleaner Value: hkey_local_machine\software\microsoft\windows\currentversion\run --> xxxxxxc00d50d3 c:\windows\system32\config\systemprofile\start menu\programs\smart fortress 2012\smart fortress 2012.lnk c:\docume~1\jackie\locals~1\temp\sywphmbwrub.exe c:\programdata\bljkugy\hppnpdw\nxmhvyt.exe Key: hkey_local_machine\software\microsoft\active setup\installed components\{7ecedd84-3c9e-ac9f-a7ad-8bd41744eeef} c:\documents and settings\networkservice\application data\skype\skype.exe c:\documents and settings\jackie\application data\uwusg\azif.exe c:\windows\key_revoltadonova c:\windows\xxxxxxa65ea0a1\svchsot.exe c:\documents and settings\administrator\wffsp c:\docume~1\jackie\locals~1\temp\stage2.exe c:\documents and settings\administrator\application data\javaup\javaup.exe c:\documents and settings\jackie\application data\wmail-service.exe Key: hkey_current_user\software\lmktnck c:\temp\tdk.exe c:\documents and settings\localservice\local settings\application data\ztlnbaxklb.exe c:\documents and settings\networkservice\application data\macromedia\flash player\macromedia.com\support\flashplayer\sys\print.exe c:\users\public\winupdate.exe Value: hkey_current_user\software\microsoft\windows\currentversion\run --> bougassa c:\documents and settings\jackie\d6279b4c-0.exe c:\documents and settings\jackie\application data\vzgymyzh.exe c:\program files\badboy\xsl\images c:\program files\bpftp server\manual c:\program files\deletedfileanalysisutility c:\program files\2-antispyware\modules c:\program files\aceclub casino\images\games\cardgames\blackjack c:\documents and settings\networkservice\application data\hbtools\v3.0\hbtools\static\2 c:\documents and settings\jackie\favorites\adult sites\lesbian c:\windows\system32\config\systemprofile\start menu\programs\malwarealarm 
c:\windows\system32\config\systemprofile\start menu\programs\pacmania 3 c:\documents and settings\jackie\desktop\bbmao toolbar c:\program files\seo inc\seo toolbar c:\program files\spywareknight\wav c:\program files\7art\surpriseclock c:\documents and settings\jackie\application data\viewpoint\toolbar runtime\3.8.0\skinengine\themetemplates\default c:\program files\winreanimator\data c:\program files\winsecureav\graphics c:\casino\24kt gold casino\data\shared\fonts c:\program files\scenicreflections\amazing waterfall 1 3d screensaver c:\program files\platrium\bin c:\program files\bubblefish bob\bublis\bonusdrop30x30\extralife c:\program files\midas interactive\golden age of racing\skys c:\program files\games\mahjong world\data\images\flags c:\program files\powershot pinball\bigfile\models\level1-2 c:\program files\fungamesgalaxy.com\alien riposte\sounds c:\program files\common files\winofficeca\recorded c:\program files\gv bigtw casino\data\shared\shared c:\program files\gamefiesta\delicious_2_deluxe\media\images\gui\dialoghelp c:\program files\jcore c:\program files\softsoldier software\ c:\documents and settings\jackie\application data\ghost antivirus\lib\ c:\windows\system32\config\systemprofile\start menu\programs\on clean\ c:\program files\1945 operation konrad\doc\winninggame.htm c:\program files\3d halloween pumpkin screen saver 1.0\setupvalidater.exe c:\program files\a bit of irish screen saver 2.2\install.log c:\program files\abf software\abf password recovery\abfpasswordrecovery.exe c:\windows\system32\drivers\wskrnlc.sys c:\windows\system32\config\systemprofile\start menu\programs\advanced archive password recovery\end-user license agreement.lnk c:\program files\adwarebazooka\adwarebazooka.dll c:\program files\softwaredoctor\agentspyware\dbcookies.ref c:\program files\antispywaredeluxe\img\onguard_off.bmp c:\windows\system32\odetif.exe c:\documents and settings\jackie\start menu\programs\startup\radiate\radiate website.lnk c:\program 
files\filesubmit\beautyofshenandoah.exe\install.log c:\program files\myplaycity.com\car racing deluxe\install.url c:\program files\zango programs\chess\scripts\set1env.lua c:\program files\clipgenie\clipgenie\media\gui\main\about.html c:\program files\confidentsurf\data\application\adobe acrobat reader v3.1.scr c:\documents and settings\networkservice\application data\microsoft\office\excel10.dll c:\windows\system32\phentermine.ico c:\windows\system\adcache\b_661600.htm c:\program files\default bar\plusbar.crc c:\windows\system32\data.dll c:\program files\ds\version.txt c:\program files\ebatesmoemoneymaker4\ebatessmmm\images\ebmm_hot.ico c:\documents and settings\jackie\application data\errn.exe c:\program files\kss\syslog\syslog.lic c:\program files\filterprogram\data\application\disk explorer professional 3.scr c:\program files\forexcult toolbar\tbu03189\fxlogo3.bmp c:\program files\freeze.com\frosty games\data\exitimg_v2\ftycr_20.jpg c:\program files\a8gsdsapp\report\exefilepath.gif c:\docume~1\jackie\locals~1\temp\gozilla.exe\default\window\ra_o.bmp c:\program files\freegames4rest\help santa\midas11.dll c:\windows\system32\tbps.ini c:\program files\inetformfiller trial\system\languages\arabic.lng c:\windows\system32\config\systemprofile\start menu\programs\internet spy\internet spy.lnk c:\temp\kwdbfm\comdlg32.oc_ c:\windows\system32\kepwd.dll c:\program files\micrsoft searchbar\ring.bmp c:\program files\bingofun games\bingofun\ftpclient.dll c:\program files\maxantispyware\massystemtray.exe c:\program files\ecommerce\dialer.exe c:\program files\ms backup password recovery\readme.txt c:\program files\freeze.com\mylayout profile editor\files\tg_preset6.txt c:\program files\solidlabs technology\net logger pro\logs\index_mail_out.html c:\program files\noble poker\data\common\interface\dialog_back.jpg c:\documents and settings\jackie\start menu\programs\passwordtools\quicken password.lnk c:\program files\pcrc\drivers\2000\fastmedia.sys c:\program 
files\pestbot\spywares\broadcastpc\description.html c:\documents and settings\jackie\favorites\adult entertainment\hardcore stuff\fistless.url c:\program files\quepasa2\cache\chat-over.bmp c:\program files\remotelyanywhere\moduli c:\program files\riverbellempp\riverbelle\menu\btn_listheader.dat c:\program files\searchnet toolbar\toolbar.inf c:\program files\sensis toolbar\trading post search button v2.bmp c:\program files\pcs\pc sentinel's smoking gun!\pcsmon.exe c:\documents and settings\jackie\start menu\programs\spycut\spycut monitor.lnk c:\program files\spyspotter3\spyspotter.exe c:\windows\system32\winjho32.exe c:\documents and settings\jackie\application data\starware369\browsersearch\browsersearch.xml c:\documents and settings\jackie\application data\starware\buttons\logoxp.bmp c:\documents and settings\networkservice\application data\sskknwrd.dll c:\windows\qzyzoxkj.exe c:\program files\telephone spy\cfg\hcf.def c:\windows\meteo.exe c:\program files\internet explorer\2052\img\1.gif c:\windows\system32\vuf23s1.exe c:\program files\vg\models\xnik.inf c:\program files\warez\warez.exe c:\program files\web activity monitor\reports\flags\by.gif c:\program files\daemon tools searchbar\content\images\weather_us_off.gif c:\program files\wincontentfilter 2005 trial\flash.ini c:\documents and settings\jackie\favorites\adult sites\reality\lesbo 101.lnk c:\program files\zango programs\shuffleboard\textures\ui_sb_newgame_mp_dn.tga c:\program files\zcom\client\help\img\shugui02.png c:\program files\wwii rescue\files\meshbank\ww2\scenery\furniture\structuralc\structural_c.x c:\program files\messengerskinner\resources\btninnormal.bmp c:\program files\borzoi\bcc.exe c:\windows\system32\heislord.scr c:\documents and settings\jackie\desktop\night city 3d screensaver.lnk c:\program files\aaascreensavers\mel gibson\aaa_install.ico c:\program files\mp3 rocket\resource\01_5_ranking_stars.png c:\program files\divx\divx player 2.0 alpha\divx.com.url c:\program files\cleaner2009 
freeware\appbase\ccga.dat c:\documents and settings\jackie\start menu\programs\nology\koko arena\check for updates.url c:\program files\mahjongg championship - kanji edition\eula.rtf c:\windows\system32\config\systemprofile\start menu\programs\hexacto\pop's pipe\check for updates.url c:\program files\invisible keylogger\license.txt c:\documents and settings\jackie\start menu\programs\elcomsoft\advanced office password breaker\advanced office password breaker help.lnk c:\windows\command\sc\wnd\132600.tsp c:\documents and settings\jackie\application data\spywareremover2009\data\productcode c:\program files\gamefiesta\abundante\images\buy.gif c:\program files\gamefiesta\ancient_tripeaks_2\images\gf_wrapper_01.gif c:\program files\gamefiesta\babel_deluxe\media\images\minigames\lettermemory\thumbs.db c:\program files\bethedealer casino\loginscreen.dll c:\program files\gamefiesta\birds_on_a_wire\data\images\font\posterbodonibt.gif c:\microgaming\casino\canbet\global\gameregistry\_crt_scratch3.inf c:\program files\grand casino\data\movie\module\sounds\card_flip.mp3 c:\program files\gamefiesta\cannon_blast\audio\music\remix2.sgt c:\program files\gamefiesta\chameleon_gems\levels\04.path c:\program files\gamefiesta\cheboman\audio\raketa.ogg c:\program files\gamefiesta\crystal_wizard\w05 c:\program files\gamefiesta\delicious_2_deluxe\media\data\presets\drinks_park.d2p c:\program files\gamefiesta\diamond_detective\boards\board53.txt c:\docume~1\jackie\locals~1\temp\h0lf0.exe c:\windows\prefetch\ldr.exe-34f7a837.pf c:\windows\prefetch\exefile.exe-079e49ac.pf c:\windows\system32\drivers\4b7504f7.sys c:\windows\system32\web.ini c:\program files\vika\vkclient.exe.lnk c:\documents and settings\jackie\cookies\vajufisyxu.inf c:\program files\softwaredepo.com\dvd player\plugins\libdeinterlace_plugin.dll c:\program files\everest poker\data\startup\shared\sounds\alert.ogg c:\program files\spywarepolice.com\spywarepolice\about.sct c:\program files\max spyware detector\log\sdlog.txt 
c:\program files\opb\pictures\buttonmiddle.bmp c:\bingo\blackpool club bingo\dfc_start.exe c:\program files\sportsbook.com\rsc\table.rsc c:\program files\vip lounge\sounds\handscore_08.ogg c:\program files\club player casino\bj.dll c:\program files\grande vegas casino\lbyinst.exe c:\program files\american grand casino\rsc\chips32.eur.rsc c:\program files\torrenty.org\tracert.exe c:\program files\slot nuts\rsc\chips.php.rsc c:\poker\mybet poker\data\lobby\loading_info.jpg c:\program files\creditcop2\uninstall.exe c:\documents and settings\jackie\application data\systempro\blue.png c:\documents and settings\networkservice\application data\adobe\plugs\mmc85.exe c:\documents and settings\jackie\my documents\\wda.dll c:\documents and settings\networkservice\application data\installshield\gdi.exe c:\documents and settings\networkservice\application data\macromedia\flash player\#sharedobjects\gpupdate.exe c:\documents and settings\networkservice\application data\16526987 Key: hkey_classes_root\typelib\{48da6120-a779-4c12-8584-47b625efb469} Value: hkey_local_machine\software\microsoft\windows\currentversion\uninstall\3d raindrop screensaver_is1 --> displayname Value: hkey_current_user\software\7art\toadsfrogs --> path Value: hkey_current_user\software\vb and vba program settings\ab system spy v5.1.1\ftp --> ftpuser Value: hkey_current_user\software\softactivity\activity monitor\settings --> path to log database Value: hkey_current_user\software\softinform\adscleaner\settings\default --> rating7colorbutton_color Value: hkey_local_machine\software\mandel enterprise\adware patrol --> scanfolders Value: hkey_local_machine\system\controlset001\services\adwarekillersysguarddriver\security --> security Value: hkey_local_machine\software\microsoft\windows\currentversion\uninstall\alien discipline --> publisher Value: hkey_local_machine\software\microsoft\windows\currentversion\uninstall\alien discipline --> publisher Value: hkey_current_user\software\antispywaresuite\settings --> 
startblockontimedpopups Value: hkey_local_machine\software\microsoft\windows\currentversion\uninstall\{ca967c73-dfaf-435d-bdf0-d2651128256d} --> windowsinstaller Key: hkey_classes_root\interface\{8dd50c56-8a07-40b9-98c4-3f169e3ae28e} Value: hkey_current_user\software\avsystemcare\settings --> addviruscertification Key: hkey_classes_root\btnetw.iiittt Value: hkey_current_user\software\xbtb02849\toolbar\tb_items --> tbs_item_010021 Value: hkey_local_machine\system\controlset001\services\tupcaptureservice --> errorcontrol Value: hkey_local_machine\software\bookedspace\adware --> data-spz4 Key: hkey_classes_root\typelib\{ba87b15b-7de7-4da4-8bf7-5c616d6c99da} Value: hkey_current_user\software\carnival casino --> funusername Value: hkey_local_machine\system\currentcontrolset\services\csserver --> errorcontrol Value: hkey_current_user\software\xbtb09239\toolbar --> #editwidthcombo1# Value: hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-21-602162358-1897051121-725345543-500\products\d3300e7c136a79e4c8fe353c3f26ebf9\installproperties --> publisher Value: hkey_local_machine\software\copperhead\antispyware --> installpath Value: hkey_current_user\software\xbtb02131\toolbar\tb_items --> tbs_item_016985 Value: hkey_current_user\software\critical systems technologies\crisystec sentry\optionstabpage_browsers_opera_cache/cookies --> cookies folder Value: hkey_local_machine\software\microsoft\windows\currentversion\uninstall\{87f93aa6-c062-40ac-970f-dee3628548d9} --> windowsinstaller Value: hkey_local_machine\system\controlset001\services\ccomsvc\enum --> count Value: hkey_current_user\software\fly3 software\active date manager\dict\headaddress\2 --> sortorder Key: hkey_classes_root\dhsvr.dbhelper Value: hkey_current_user\software\dbtb29939\deskbar --> lastversionmsg Value: hkey_current_user\software\matt holwood\messengerdiscovery live\settings --> setting(13) Value: hkey_current_user\software\beermat software\dopewars\2.0\scores120\score18 
--> registered Value: hkey_current_user\software\beermat software\dopewars\2.0\scores90\score6 --> name Value: hkey_current_user\software\dotcomtoolbar\dotcomtoolbar --> logo2.gif Value: hkey_current_user\software\xbtb04782\ietoolbar --> connectionerror Value: hkey_local_machine\software\microsoft\windows\currentversion\uninstall\elisha_cuthbert_screensaver --> uninstallstring Value: hkey_local_machine\software\microsoft\windows\currentversion\uninstall\emule manager_is1 --> inno setup: app path Value: hkey_current_user\software\errorprotector free\settings2 --> ntdc Value: hkey_current_user\software\avsystemshield\settings --> mailarchivescan Value: hkey_current_user\software\xbtb02652\too23423lbar\tb_items --> tbs_item_024266 Value: hkey_current_user\software\xbtb06823\toolbar\tb_items --> tbs_item_002641 Value: hkey_local_machine\software\microsoft\windows\currentversion\uninstall\free audio recorder --> nomodify Value: hkey_current_user\software\xbtb03021\toolbar --> countos Value: hkey_local_machine\software\microsoft\windows\currentversion\uninstall\gigablast toolbar_is9 --> nomodify Value: hkey_current_user\software\irene's images\byesummerss\advanced image --> id110 Value: hkey_current_user\software\xbtb09292\toolbar\tb_items --> tbs_item_020320 Value: hkey_current_user\software\hbtools\hbtools\eui --> region_code Value: hkey_current_user\software\hbtools\hbtools\eui --> region_code Key: hkey_current_user\software\microsoft\installer\products\d493500bd4a54ea6bc805fc9cda952c5 Value: hkey_current_user\software\intexp\config --> searchpath Value: hkey_current_user\software\xbtb01079\toolbar\tb_items --> tbs_item_014891 Value: hkey_local_machine\software\microsoft\windows\currentversion\uninstall\imesh manager_is1 --> inno setup: icon group Value: hkey_current_user\software\xbtb06823\toolbar\tb_items --> tbs_item_005533 Value: hkey_current_user\software\kimbra gregg\just for you\app --> installdirectory Value: hkey_current_user\software\insight software 
solutions\keyboard express --> install file Value: hkey_local_machine\software\knowhowprotection --> abbr Value: hkey_classes_root\kubao4 --> url protocol Value: hkey_local_machine\software\ics --> path Value: hkey_current_user\software\malware scanner\settings\general settings --> qurantine path Value: hkey_current_user\software\meme --> was_rs Value: hkey_local_machine\software\microsoft\windows\currentversion\uninstall\{d8188199-fef2-42e1-8d78-54176defc2c2} --> language Value: hkey_local_machine\software\microsoft\windows\currentversion\uninstall\mobile mania_is1 --> uninstallstring Key: hkey_local_machine\system\currentcontrolset\services\{89ac985a-ca8b-40d0-830f-96ddd0861f2f} Value: hkey_local_machine\software\microsoft\windows\currentversion\uninstall\mummy blackjack_is1 --> uninstallstring Value: hkey_local_machine\software\mysearch\bar --> curinstall Value: hkey_local_machine\software\microsoft\windows\currentversion\shareddlls --> c:\windows\downloaded program files\conflict.4\navinst2.ocx Value: hkey_local_machine\software\microsoft\windows\currentversion\uninstall\newt professional 2_is1 --> inno setup: setup version Value: hkey_local_machine\software\microsoft\windows\currentversion\uninstall\omniquad_instant_remote_control_1.0 --> uninstallstring Value: hkey_local_machine\system\controlset002\services\afpansi --> imagepath Value: hkey_current_user\software\partygaming\partypoker --> enablesounds Value: hkey_current_user\software\vb and vba program settings\appbd\networkoptions --> savedataonnetwork Value: hkey_local_machine\software\microsoft\windows\currentversion\uninstall\pestbot --> displayicon Value: hkey_current_user\software\xbtb02049\ietoolbar\tb_items --> tbs_banner_003797 Value: hkey_current_user\software\xbtb02596\too23423lbar --> closeallwindowsforupdate Value: hkey_current_user\software\xbtb01994\toolbar\tb_items --> tb_general_item_home Value: hkey_current_user\software\raptordefence\options --> enablesysbackup Value: 
hkey_classes_root\installer\products\a4d1a4d9e20975d4cafaf8cc0ab61880\sourcelist --> lastusedsource Value: hkey_local_machine\software\microsoft\windows\currentversion\uninstall\remoteexec --> urlinfoabout Value: hkey_current_user\software\rosoft\rosoft mp3 encoder --> rbfraunhofer Value: hkey_local_machine\software\microsoft\windows\currentversion\uninstall\seawolfnovaclock --> displayicon Value: hkey_current_user\software\xbtb09279\toolbar --> tbbreak Value: hkey_current_user\software\evisoft\searchtoolbar\toolbar\form\maintbxtoolbar --> floattop Value: hkey_current_user\software\classes\clsid\{548fa3f1-1d3d-33ea-9756-15cb2effa646}\inprocserver32 --> threadingmodel Value: hkey_current_user\software\microsoft\windows\currentversion\wintrust\trust provider\software publishing\trust database\0 --> goicfboogidikkejccmclpieicilpokg ejemdn Value: hkey_current_user\software\xbtb00842\too23423lbar\tb_items --> tbs_item_022552 Value: hkey_current_user\software\spy officer\options\directories --> %windir%\ Value: hkey_current_user\software\xxi\spydeface\shield\internet agents checkpoints\internet trusted sites --> options Value: hkey_local_machine\software\microsoft\windows\currentversion\uninstall\spynova toolbar_is1 --> publisher Value: hkey_current_user\software\spytector\1.3.1 --> i_9 Value: hkey_current_user\software\vb and vba program settings\spyware bomb\spyware bomb --> optdownloadandinstallupdates Value: hkey_current_user\software\microsoft\internet explorer\extensions\cmdmapping --> {7b3e5f6b-adf4-4731-9dad-ac8ae9a4dfec} Value: hkey_current_user\software\starware337\searchassistant --> use search asst Key: hkey_classes_root\software\microsoft\windows\currentversion\explorer\browser helper objects\{13f90341-ad79-4a9f-9b57-0234675670d6} Value: hkey_local_machine\software\microsoft\windows\currentversion\run --> qn7p36t Value: 

Scanned

Objects: 0
Traces: 415550
Cookies: 0
Processes: 0

Found

Objects: 0
Traces: 0
Cookies: 0
Processes: 0

Quarantined

Files: 0
Traces: 0
Cookies: 0
Processes: 0

Scan end: 8/5/2012 9:00:15 PM
Scan time: 0:01:05
Press any key to continue . . .





When completed I would like to see the log from this scan.

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.

Please let me know what problem persists.



ok, also per your instruction I tried to run DDS.COM. But it won't finish even if I leave it sitting there for hours.

I get the short explanation.

then it goes and puts some ###'s across the screen, then the cursor sits below that line of #'s and just blinks. That is it.


The Emsisoft bat file doesn't have a /l log option. I read the a2cmd-readme and have a new batch to run with a deep scan and options with a log callout.

I have not run that. It's just there for me to do if and when you tell me to.


I still can't do anything but safe mode command prompt -

thanks

#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,925 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:53 PM

Posted 07 August 2012 - 07:44 AM

Stay with us an expert should be around soon.

#5 ruralgeek

ruralgeek
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  • Local time:01:53 PM

Posted 07 August 2012 - 10:01 AM

Stay with us an expert should be around soon.



sure - will do. Just tell me how to format the text files so they post better. :)

#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,925 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:53 PM

Posted 08 August 2012 - 06:26 AM

Use NotePad and the .txt file format. It should be ok.

#7 ruralgeek

ruralgeek
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  • Local time:01:53 PM

Posted 08 August 2012 - 07:44 AM

Use NotePad and the .txt file format. It should be ok.


I was using notepad and it looked fine but once I posted it all the lines went together for most of it.

So notepad read it fine but posting process couldn't

#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,925 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:53 PM

Posted 08 August 2012 - 08:12 AM

Maybe it was Emsisoft's way of reporting, or because it was in safe mode.

I have no way of verifying the content so I let it go.

#9 ruralgeek

ruralgeek
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  • Local time:01:53 PM

Posted 08 August 2012 - 09:06 AM

Maybe it was Emsisoft's way of reporting, or because it was in safe mode.

I have no way of verifying the content so I let it go.



Emsisoft didn't create a log the first time. So I enhanced the batch file and added a /l option. I guess I'll run that one now. It's a deep scan.

I'll post it later on.

If nothing else I need to get to the data. I haven't tried loading ubuntu to do that yet. I've snagged files off discs with that before.

She'll at least have her data for a new computer. This one is old. I mean old. heh

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,980 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:53 PM

Posted 09 August 2012 - 07:33 AM

Hello, can you please tell me in which location you saved the EEK folder? You can alternatively just execute the a2start.exe file to start the GUI interface, it will run fine from safe mode/command prompt.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 ruralgeek

ruralgeek
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  • Local time:01:53 PM

Posted 09 August 2012 - 10:28 AM

Hello, can you please tell me in which location you saved the EEK folder? You can alternatively just execute the a2start.exe file to start the GUI interface, it will run fine from safe mode/command prompt.


the folder is c:\_bdutils\emsi

there is no a2start even in c:\_bdutils\emsi\run

but there is a start.exe in the main EEK folder; I'll try that one:

OK all that did was open up another cmd window in red font pointed to the directory c:\_bdutils\emsi that I ran start from.

I got the EEK from that link way above that nasdaq mentioned. So maybe an older version might have had an a2start.exe. I do have an a2cmd.exe, a2emmergenctkit.exe, a2HiJackFree.exe, BlitzBlank.exe.

In the EEK folder is only one exe and that is start.exe. The rest are *.bat files. I did try the one that loads the GUI and it just puts up the safe mode screen with nothing to click at all. Just safe mode in each corner. Nothing to click on.

nasty thing this one is.

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,980 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:53 PM

Posted 09 August 2012 - 10:40 AM

Please execute c:\_bdutils\emsi\run\a2emergencykit.exe
It may take a few seconds to start, then you should see a pop up asking you to update, click No there, and the GUI interface should open.

regards, Elise




#13 ruralgeek

ruralgeek
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  • Local time:01:53 PM

Posted 09 August 2012 - 11:03 AM

Please execute c:\_bdutils\emsi\run\a2emergencykit.exe
It may take a few seconds to start, then you should see a pop up asking you to update, click No there, and the GUI interface should open.


tried that. It immediately comes up with an error. I managed to get a text file from the clipboard on the error since it can't find a server to send it to.

it's a 22K dump of all that EEK found.

Want that posted? or attached?

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,980 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:53 PM

Posted 09 August 2012 - 12:32 PM

Could you please attach it to your post?

In the meantime, please run OTL as follows (you can execute it from the command line directly after transferring it with a flash drive).

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise




#15 ruralgeek

ruralgeek
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  • Local time:01:53 PM

Posted 09 August 2012 - 03:49 PM

Could you please attach it to your post?

In the meantime, please run OTL as follows (you can execute it from the command line directly after transferring it with a flash drive).

OTL
-----
Please download OTL from one of the following mirrors:

  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


on the affected computer I don't have a desktop. Just a blue background.

I'll transfer the OTL over to that one with the flash drive and then run it. Has to be from the command line.



