FBI variant removal....Black SOD

#1 jakkwb (Members)

Posted 12 October 2012 - 05:22 PM

Hello, I have a laptop brought to me that they think was infected with the FBI "pay me" virus.

For me it will only go to a black screen with a mouse cursor. No keys work, except for the Ease of Access shortcut, but on that, the onscreen keyboard gives an error and will not show up. Does the same thing in any safe mode. Last known good does not work either.

Customer may have scanned it before bringing to me.

There are only 3 restore points and all three error out. Something about a file missing...

Need suggestions on how to proceed, or if I can....

Thank you.

OS is Windows 7 Home premium 64bit.


#2 Maurice Naggar (Malware Response Team)

Posted 13 October 2012 - 01:46 PM

Hello jakk,

You must tell the customer that the system has backdoor trojan(s) and to plan to protect themselves for identity & banking info theft.

This may well be facing a wipe and clean install if you cannot get some reports and run Windows in some manner, other than using a Linux Live CD.


For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 jakkwb (Topic Starter)

Posted 13 October 2012 - 02:44 PM

OK, thanks for the response. Here is the log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-10-2012
Ran by SYSTEM at 13-10-2012 14:38:02
Running from G:\Removal tools\Farbar64bit
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [384296 2010-04-05] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-02-25] (IDT, Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe [4968960 2009-07-16] (Dell Inc.)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3180624 2009-07-02] (Dell Inc.)
HKLM\...\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [1022368 2010-09-16] (Trend Micro Inc.)
HKLM\...\Run: [lxdcmon.exe] "C:\Program Files (x86)\Lexmark 1300 Series\lxdcmon.exe" [x]
HKLM\...\Run: [lxdcamon] "C:\Program Files (x86)\Lexmark 1300 Series\lxdcamon.exe" [20480 2007-04-30] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [248552 2010-05-14] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [dellsupportcenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter [206064 2009-05-21] (SupportSoft, Inc.)
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-11-12] (Apple Inc.)
HKLM-x32\...\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" [976320 2009-12-03] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [847872 2009-12-02] (SEIKO EPSON CORPORATION)
HKU\Owner\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-12-08] (Google Inc.)
HKU\Owner\...\Run: [EPSON WorkForce 520 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGIA.EXE /FU "C:\Windows\TEMP\E_S787E.tmp" /EF "HKCU" [224768 2009-09-13] (SEIKO EPSON CORPORATION)
HKU\Owner\...\Run: [DW7] "C:\Program Files (x86)\The Weather Channel\The Weather Channel App\TWCApp.exe" [13003448 2012-09-19] (The Weather Channel)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Tcpip\Parameters: [DhcpNameServer] 12.165.234.132 8.8.4.4
Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Owner\Start Menu\Programs\Startup\ctfmon.lnk
ShortcutTarget: ctfmon.lnk -> C:\ProgramData\lsass.exe (Microsoft Corporation)
Startup: C:\Users\Owner\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Owner\Start Menu\Programs\Startup\Epson all-in-one Registration.lnk
ShortcutTarget: Epson all-in-one Registration.lnk -> (No File)

==================== Services (Whitelisted) ===================

2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
2 lxdcCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\lxdcserv.exe [34224 2007-05-25] (Lexmark International, Inc.)
2 lxdc_device; C:\Windows\system32\lxdccoms.exe -service [567216 2007-05-25] ( )
2 lxdc_device; C:\Windows\SysWow64\lxdccoms.exe -service [537520 2007-05-25] ( )
2 SfCtlCom; "C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe" [836504 2010-11-10] (Trend Micro Inc.)
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\STacSV64.exe [244736 2010-02-25] (IDT, Inc.)
3 TMBMServer; "C:\Program Files\Trend Micro\BM\TMBMSRV.exe" /service [570632 2010-09-16] (Trend Micro Inc.)
3 TmProxy; "C:\Program Files\Trend Micro\Internet Security\TmProxy.exe" [917768 2010-09-16] (Trend Micro Inc.)
2 lckfldservice; C:\Windows\System32\viamraid.dll [x]
2 SPService; C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\sp.DLL [x]

==================== Drivers (Whitelisted) =====================

1 SASDIFSV; \??\C:\Windows\TEMP\SAS_SelfExtract\SASDIFSV64.SYS [14920 2010-02-17] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Windows\TEMP\SAS_SelfExtract\SASKUTIL64.SYS [12360 2010-02-17] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
2 tmpreflt; C:\Windows\System32\Drivers\tmpreflt.sys [42576 2010-07-30] (Trend Micro Inc.)
1 tmtdi; C:\Windows\System32\Drivers\tmtdi.sys [107536 2010-09-16] (Trend Micro Inc.)
2 tmxpflt; C:\Windows\System32\Drivers\tmxpflt.sys [309840 2010-07-30] (Trend Micro Inc.)
2 vsapint; C:\Windows\System32\Drivers\vsapint.sys [1988176 2010-07-30] (Trend Micro Inc.)

==================== NetSvcs (Whitelisted) ====================

NETSVC: lckfldservice -> C:\Windows\system32\viamraid.dll ==> No File.

==================== One Month Created Files and Folders ========

2012-10-13 14:37 - 2012-10-13 14:37 - 00000000 ____D C:\FRST
2012-10-04 06:02 - 2012-10-04 06:02 - 00000000 __SHD C:\found.000
2012-09-22 07:10 - 2012-10-04 05:06 - 83023306 ___AT C:\Users\All Users\qci.pad
2012-09-22 07:10 - 2012-09-22 07:10 - 00044544 ____A (Microsoft Corporation) C:\Users\All Users\lsass.exe
2012-09-21 19:54 - 2012-08-24 10:05 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-09-21 19:54 - 2012-08-24 10:05 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-09-21 19:54 - 2012-08-24 10:03 - 09056256 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-09-21 19:54 - 2012-08-24 10:03 - 00735744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-09-21 19:54 - 2012-08-24 10:03 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-09-21 19:54 - 2012-08-24 10:02 - 12295680 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-09-21 19:54 - 2012-08-24 10:02 - 02453504 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-09-21 19:54 - 2012-08-24 10:02 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-09-21 19:54 - 2012-08-24 08:57 - 06028800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-09-21 19:54 - 2012-08-24 08:57 - 01231872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-09-21 19:54 - 2012-08-24 08:57 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-09-21 19:54 - 2012-08-24 08:57 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-09-21 19:54 - 2012-08-24 08:57 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-09-21 19:54 - 2012-08-24 08:56 - 11020800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-09-21 19:54 - 2012-08-24 08:56 - 02073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-09-21 19:54 - 2012-08-24 08:56 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-09-21 19:53 - 2012-08-24 10:05 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-09-21 19:53 - 2012-08-24 10:03 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-09-21 19:53 - 2012-08-24 08:57 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-09-21 19:53 - 2012-08-24 08:56 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-09-21 19:53 - 2012-08-24 07:59 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-09-21 19:53 - 2012-08-24 07:20 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-09-16 18:55 - 2012-08-22 10:12 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-09-16 18:55 - 2012-08-22 10:12 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2012-09-16 18:55 - 2012-08-22 10:12 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-09-16 18:55 - 2012-08-22 10:12 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-09-16 18:55 - 2012-08-02 09:58 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2012-09-16 18:55 - 2012-08-02 08:57 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2012-09-16 18:55 - 2012-07-04 12:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\RNDISMP.sys
2012-09-16 07:29 - 2012-09-16 07:29 - 00000000 ____D C:\Users\Owner\Documents\Symantec
2012-09-16 07:27 - 2012-09-16 18:47 - 00000000 ____D C:\Program Files (x86)\Norton 360
2012-09-16 07:27 - 2012-09-16 07:27 - 00000000 ____D C:\Program Files\Symantec
2012-09-13 19:11 - 2012-09-16 07:30 - 00000000 ____D C:\Users\All Users\Norton
2012-09-13 19:11 - 2012-09-13 19:11 - 00000000 ____D C:\Users\Public\Downloads\Norton

==================== 3 Months Modified Files ==================

2012-10-12 13:32 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-12 13:32 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-12 13:27 - 2009-07-13 21:10 - 01261310 ____A C:\Windows\WindowsUpdate.log
2012-10-12 13:25 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-12 13:24 - 2011-01-24 08:30 - 00241226 ____A C:\Windows\PFRO.log
2012-10-12 11:04 - 2011-12-08 22:08 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-10-12 10:58 - 2012-05-21 06:00 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-10-12 01:38 - 2011-12-08 22:08 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-10-10 14:50 - 2009-07-13 20:45 - 00271008 ____A C:\Windows\System32\FNTCACHE.DAT
2012-10-10 09:58 - 2012-05-21 06:00 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-10-10 09:58 - 2011-12-08 22:14 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-10-04 05:06 - 2012-09-22 07:10 - 83023306 ___AT C:\Users\All Users\qci.pad
2012-10-04 05:04 - 2011-01-24 08:31 - 00015168 ____A C:\Windows\setupact.log
2012-09-22 07:10 - 2012-09-22 07:10 - 00044544 ____A (Microsoft Corporation) C:\Users\All Users\lsass.exe
2012-09-19 05:11 - 2009-07-13 21:13 - 00793480 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-19 05:10 - 2012-05-05 05:53 - 00001310 ____A C:\Users\Public\Desktop\The Weather Channel App.lnk
2012-09-17 06:39 - 2010-09-15 21:24 - 64462936 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-26 08:10 - 2009-07-13 21:08 - 00032536 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-24 10:05 - 2012-09-21 19:54 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-24 10:05 - 2012-09-21 19:54 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-24 10:05 - 2012-09-21 19:53 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-24 10:03 - 2012-09-21 19:54 - 09056256 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-24 10:03 - 2012-09-21 19:54 - 00735744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-24 10:03 - 2012-09-21 19:54 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-24 10:03 - 2012-09-21 19:53 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-24 10:02 - 2012-09-21 19:54 - 12295680 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-24 10:02 - 2012-09-21 19:54 - 02453504 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-24 10:02 - 2012-09-21 19:54 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-24 08:57 - 2012-09-21 19:54 - 06028800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-24 08:57 - 2012-09-21 19:54 - 01231872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-24 08:57 - 2012-09-21 19:54 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-24 08:57 - 2012-09-21 19:54 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-08-24 08:57 - 2012-09-21 19:54 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-24 08:57 - 2012-09-21 19:53 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-24 08:56 - 2012-09-21 19:54 - 11020800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-24 08:56 - 2012-09-21 19:54 - 02073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-24 08:56 - 2012-09-21 19:54 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-24 08:56 - 2012-09-21 19:53 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-24 07:59 - 2012-09-21 19:53 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-24 07:20 - 2012-09-21 19:53 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-22 10:12 - 2012-09-16 18:55 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-08-22 10:12 - 2012-09-16 18:55 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2012-08-22 10:12 - 2012-09-16 18:55 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-08-22 10:12 - 2012-09-16 18:55 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-08-18 21:29 - 2012-08-18 21:29 - 00002746 ____A C:\Users\Owner\Documents\BONO SHOW.odt
2012-08-18 21:29 - 2012-08-18 21:29 - 00000162 ___AH C:\Users\Owner\Documents\~$NO SHOW.odt
2012-08-15 14:17 - 2012-08-14 06:47 - 83023306 ___AT C:\Users\All Users\ism_0_llatsni.pad
2012-08-02 09:58 - 2012-09-16 18:55 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2012-08-02 08:57 - 2012-09-16 18:55 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2012-07-18 10:15 - 2012-08-15 14:34 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-25 09:19:16
Restore point made on: 2012-09-26 03:48:02
Restore point made on: 2012-10-03 13:24:33

==================== Memory info ===========================

Percentage of memory in use: 44%
Total physical RAM: 2008.36 MB
Available physical RAM: 1120.24 MB
Total Pagefile: 2008.36 MB
Available Pagefile: 1115.99 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:218.2 GB) (Free:175.72 GB) NTFS
2 Drive e: (W7SP1_HOMEPREMIUM) (CDROM) (Total:5.23 GB) (Free:0 GB) UDF
3 Drive f: () (Removable) (Total:1.83 GB) (Free:0.01 GB) FAT
4 Drive g: (STORE N GO) (Removable) (Total:14.91 GB) (Free:11.11 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.02 GB) NTFS
6 Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:6.74 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 1876 MB 0 B
Disk 2 Online 14 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 14 GB 40 MB
Partition 3 Primary 218 GB 14 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 FAT Partition 39 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RECOVERY NTFS Partition 14 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 218 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1875 MB 68 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT Removable 1875 MB Healthy

=========================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 4032 KB

==================================================================================

Disk: 2
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G STORE N GO FAT32 Removable 14 GB Healthy

=========================================================

Last Boot: 2012-09-17 14:12

==================== End Of Log =============================

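As an added example (not part of the thread, and not a feature of FRST itself), here is a small triage script for FRST-style autostart and service lines of the kind shown in the log above. It flags a core Windows binary name sitting outside C:\Windows, autostart entries pointing into profile or data drop directories, entries whose file is missing ([x]), and a Startup shortcut named like a system binary that launches a different file. The sample lines are constructed in the log's format, and the binary and directory lists are my own assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape FRST writes for Run keys, Startup
# shortcuts and services (a handful of the entry types seen in the
# thread's log; not the full log).
SAMPLE_FRST_LINES = r"""
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [384296 2010-04-05] (Alps Electric Co., Ltd.)
HKLM\...\Run: [lxdcmon.exe] "C:\Program Files (x86)\Lexmark 1300 Series\lxdcmon.exe" [x]
Startup: C:\Users\Owner\Start Menu\Programs\Startup\ctfmon.lnk
ShortcutTarget: ctfmon.lnk -> C:\ProgramData\lsass.exe (Microsoft Corporation)
Startup: C:\Users\Owner\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
2 SfCtlCom; "C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe" [836504 2010-11-10] (Trend Micro Inc.)
2 SPService; C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\sp.DLL [x]
"""

# Assumed list: core Windows binaries that live only under C:\Windows.
# The same file name anywhere else is a masquerade worth a closer look.
SYSTEM_BINARIES = {
    "lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "wininit.exe",
    "services.exe", "smss.exe", "explorer.exe", "ctfmon.exe", "userinit.exe",
}

# Assumed list: profile and data directories that malware commonly drops into.
DROP_DIRS = ("\\programdata\\", "\\users\\all users\\", "\\appdata\\",
             "\\temp\\", "\\users\\public\\")

# First drive-letter path on the line that ends in an executable extension
# and is followed by a quote, whitespace, '[' or end of line.
PATH_RE = re.compile(
    r'([A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|sys|cpl|scr))(?=["\s\[]|$)',
    re.IGNORECASE)
SHORTCUT_RE = re.compile(r"ShortcutTarget: (.+?)\.lnk -> ", re.IGNORECASE)
MISSING_RE = re.compile(r"\[x\]\s*$", re.IGNORECASE)


def extract_path(line: str) -> Optional[str]:
    """Pull the launched file's path out of one FRST line, if there is one."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def triage_line(line: str) -> List[str]:
    """Reasons one FRST autostart/service line deserves attention ([] = none)."""
    reasons: List[str] = []
    path = extract_path(line)
    if path is None:
        return reasons
    lower = path.lower()
    name = lower.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARIES and not lower.startswith("c:\\windows\\"):
        reasons.append(f"system binary name '{name}' outside C:\\Windows")
    if any(d in lower for d in DROP_DIRS):
        reasons.append("autostart points into a profile/data drop directory")
    if MISSING_RE.search(line):
        reasons.append("referenced file is missing ([x])")
    m = SHORTCUT_RE.match(line)
    if m:
        # A .lnk named after a system binary should launch that binary.
        lnk_name = m.group(1).lower() + ".exe"
        if lnk_name in SYSTEM_BINARIES and name != lnk_name:
            reasons.append(f"shortcut named like '{lnk_name}' launches a different file")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged path in an FRST log to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings[extract_path(line)] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_FRST_LINES).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the constructed sample the script singles out the ProgramData copy of lsass.exe (three reasons) and the two entries whose files are missing, and leaves the vendor entries under Program Files alone; it is a first-pass filter for a human reader, not a verdict.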
#4 Maurice Naggar (Malware Response Team)

Posted 14 October 2012 - 11:54 AM

Restart the pc into normal mode Windows; otherwise, into Safe Mode with Networking.


Step 1
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Step 2
To show all files:
  • Go to your Desktop
  • Double-Click the Computer icon.
  • From the menu options, Select Tools, then Folder Options.
  • Next click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders and drives.
  • Click Apply > OK.

Step 3

See Grinler's article here
http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware

See the section titled Automated Removal Instructions
Follow his instructions to get into Safe Mode with Networking and do the rest of the steps listed after that (including the tool from Emsisoft).

Report back with the results.

Edited by Maurice Naggar, 14 October 2012 - 11:56 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5 jakkwb (Topic Starter)

Posted 14 October 2012 - 02:27 PM

This system will not boot into any safe mode where I can do anything. All methods come up with a mouse cursor and a black screen.

Will Grinler's removal program run from command line from Windows CD? That is all I can do.

Perhaps you can tell me what registry items need to be removed that are associated with this virus? I can do that as well.

Thank you.

#6 Maurice Naggar (Malware Response Team)

Posted 14 October 2012 - 08:04 PM

Sorry, no. Cannot tell what registry items are involved.
The section of Grinler's article I referred to uses Windows in order to run a Windows-based tool from Emsisoft.

Just about your last hope is to use the Windows Defender Offline tool:

This is an "offline" tool that you boot the pc with and scan your system for malware.
To get started, find a blank CD, DVD, or USB flash drive with at least 250 MB of free space and then download and run the tool—the tool will help you create the removable media.

The basic sequence of steps is:
a) Download and SAVE the tool to a unique folder/location on your pc
b) Create the CD/DVD/USB-flash drive with the tool
c) Set pc to boot from the offline media
d) Place media in & restart system
e) Run the tool. Have infinite patience & have it scan the entire system. Remove any malware that is found.

Download & info link http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline

The frequently asked questions for this tool
http://windows.microsoft.com/en-US/windows/windows-defender-offline-faq

Edited by Maurice Naggar, 14 October 2012 - 08:05 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#7 Maurice Naggar (Malware Response Team)

Posted 21 October 2012 - 12:44 PM

No reply received. I am closing this thread.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)