Infected with MoneyPak virus


This topic is locked
41 replies to this topic

#1 djny2k

Posted 14 October 2012 - 02:23 AM

Computer is extremely slow and when connected to the internet, a screen pops up indicating a FBI logo with Moneypak payment demanding to pay $100 to unlock screen. Tried running Emicsoft virus removal but after scan is initiated, it displays blue screen right away and computer restarts if I press any key.


I tried to run DDS log but it's still stuck at the MS-DOS window for about 15 mins.....what should I do?


#2 thisisu (Malware Response Team)

Posted 15 October 2012 - 12:38 AM

Hello djny2k :)

  • I will be helping with your computer problems.
  • From this point on, it is very important that you refrain from doing anything else to your computer other than what I have requested of you.
  • I do not mind if you browse the web, do basic tasks, or even test to see if the problem(s) you are experiencing are still occurring with the computer while we are working together, but do not run any tools/fixes unless I or another helper from this thread has asked you to do so.
  • Remember that you came here for help, so allow us to help you :)
  • If something does not run, make a detailed note of what problems you encountered along the way (exact error messages are preferred), but continue onto the next steps until you reach the end of my post.
  • Always do the steps in the order they are listed (left to right, top to bottom).
  • I prefer that you complete all the steps while you are in Normal Mode. However, I understand that sometimes this is not possible. If you are unsuccessful in getting a tool/fix to run from Normal Mode, but Safe Mode works, then use Safe Mode.
  • If you have a question about something, do not hesitate to ask.

__

First, which operating system are you using? Windows XP, Windows Vista, Windows Seven?

#3 djny2k (Topic Starter)

Posted 16 October 2012 - 05:12 PM

Okay, appreciate your help. I currently have Windows Vista.

#4 thisisu (Malware Response Team)

Posted 16 October 2012 - 05:19 PM

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer", note the drive letter of your flash drive, and close Notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please attach or post the contents of FRST.txt into your next reply.


#5 djny2k (Topic Starter)

Posted 16 October 2012 - 11:37 PM

I will follow the above steps Thursday evening since I am currently traveling and not by the computer. Hope this is okay with you. I'll post the txt file.

#6 thisisu (Malware Response Team)

Posted 17 October 2012 - 12:23 AM

No problem. Thanks for letting me know.

#7 djny2k (Topic Starter)

Posted 18 October 2012 - 10:35 PM

Attached is FRST.log. I had to zip the file because it was too big for me to attach it.

#8 thisisu (Malware Response Team)

Posted 18 October 2012 - 11:17 PM

There's a lot to fix here but this should at least get you back into Windows. Let me know how it goes.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.zip.
  • There is a text file in fixlist.zip. It is called fixlist.txt.
  • Extract and save fixlist.txt to your flash drive.
  • You should now have both fixlist.txt and FRST.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
I do not need you to post this log unless the system failed to boot normally.
Try to boot and let me know how it goes.

Edited by thisisu, 18 October 2012 - 11:18 PM.


#9 djny2k (Topic Starter)

Posted 18 October 2012 - 11:36 PM

I was able to run the fix and am now able to get into Windows.

#10 thisisu (Malware Response Team)

Posted 19 October 2012 - 12:02 AM

Great!

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If you use other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When the scan is complete, click OK, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).

__

Please download OTL.

  • Save it to your desktop.
  • Right mouse click on the OTL icon on your desktop and select Run as Administrator
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Change the setting of "Drivers" and "Services" to "All"
  • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    netsvcs
    /md5start
    afd.sys
    i8042prt.sys
    netbt.sys
    nsiproxy.sys
    svchost.exe
    tcpip.sys
    tdx.sys
    /md5stop
    
  • Now click the Run Scan button.
  • Two reports will be created:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Paste the contents of OTL.txt here for me to review but attach Extras.txt
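The /md5start … /md5stop block above makes OTL print the MD5 of a handful of core drivers and svchost.exe so the helper can compare them with known-good hashes; a driver that has been patched in place keeps its name and size, so only a checksum comparison reveals it. The following is an added example, not OTL's code and not something posted in this thread: it builds a baseline of those same file names from a constructed "clean" directory and verifies a second, constructed directory against it, reporting files that are modified or missing. The directories, file contents and the "patched" byte are all made up for the demonstration; only the file names come from the OTL script above.

```python
import hashlib
import tempfile
from pathlib import Path

# File names taken from the OTL /md5start block in the post above.
WATCHED = ["afd.sys", "i8042prt.sys", "netbt.sys", "nsiproxy.sys",
           "svchost.exe", "tcpip.sys", "tdx.sys"]


def file_digests(path, algorithms=("md5", "sha256")):
    """Hash a file once, feeding every requested digest from the same read.
    MD5 is what OTL reports; SHA-256 is added so a baseline is not MD5-only."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_baseline(root, names=WATCHED):
    """Record digests of the watched files under `root` (a known-good image)."""
    root = Path(root)
    return {name: file_digests(root / name) for name in names
            if (root / name).is_file()}


def verify(root, baseline):
    """Compare the files under `root` with the baseline.
    Returns a dict name -> 'ok' | 'modified' | 'missing'."""
    root = Path(root)
    result = {}
    for name, expected in baseline.items():
        target = root / name
        if not target.is_file():
            result[name] = "missing"
            continue
        actual = file_digests(target, algorithms=tuple(expected))
        result[name] = "ok" if actual == expected else "modified"
    return result


def demo():
    """Constructed scenario: a clean copy, and a copy where tcpip.sys was
    patched in place (same name, same size) and tdx.sys has disappeared."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as infected:
        for name in WATCHED:
            payload = f"constructed contents of {name}\n".encode()
            (Path(clean) / name).write_bytes(payload)
            (Path(infected) / name).write_bytes(payload)
        patched = Path(infected) / "tcpip.sys"
        data = bytearray(patched.read_bytes())
        data[0] ^= 0xFF          # flip one byte: size unchanged, hash changes
        patched.write_bytes(bytes(data))
        (Path(infected) / "tdx.sys").unlink()
        return verify(infected, build_baseline(clean))


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:14} {state}")
```

On a real machine the baseline would be taken from the same Windows build and service-pack level as the suspect system, since any update legitimately changes these hashes; a mismatch on one driver is a lead to follow up, not proof of infection on its own.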


#11 djny2k (Topic Starter)

Posted 19 October 2012 - 11:41 AM

I have started running the scan using Malwarebytes. Initially, I did run this tool and it took about 2 days to complete the scan. I hope that is not the case this time. I'll post the logs once it's finished scanning.

#12 djny2k (Topic Starter)

Posted 19 October 2012 - 12:35 PM

Okay, the scan froze after 21 minutes and is still not responding even though I left the computer as is for an hour. What should I do?

#13 thisisu (Malware Response Team)

Posted 19 October 2012 - 01:07 PM

Close Malwarebytes.
Is the entire computer frozen up, or just MBAM?
Force restart the computer if you need to and then try the below:

  • Please download and install CCleaner Slim
  • Open CCleaner and click the Options button
  • Now choose Advanced
  • Uncheck everything here except for Skip User Account Control warning
  • Now click the Cleaner button and press the Run Cleaner button at the bottom right of the program.
  • If this is your first time running this program, a prompt may appear asking for confirmation to delete temporary files. Go ahead and proceed.

__

Please download RogueKiller to your desktop.
  • Now rename RogueKiller.exe to winlogon.exe
  • Double-click winlogon.exe to run. Right-click winlogon.exe and select "Run as administrator"
  • When it opens, press the Scan button
  • When the scan is finished, press the Delete button.
  • Post the contents of the latest numbered RKReport in your next message.

__

Please download and run TDSSKiller
  • VERY IMPORTANT: In the event that threats are detected, allow TDSSKiller to perform the default action by simply pressing the Continue button.
  • Do NOT change the default action on your own unless instructed by a malware helper! Doing so may render your computer unbootable.
  • If threats were detected, TDSSKiller will require a reboot in order to attempt to clean the system.
  • After the scan is complete, you can find the TDSSKiller log at the root of your C: drive.
    • Example: C:\TDSSKiller.2.8.10.0_29.09.2012_00.22.50_log.txt
  • Post the contents of this log in your next message.

__

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

__

Now retry the OTL scan previously mentioned.
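RogueKiller's [SUSP PATH] flag, which its report later in this thread applies to the AppleData Run entry and the At## scheduled tasks, comes down to a few heuristics: the program that actually runs lives outside C:\Windows and Program Files (user profile, ProgramData, Temporary Internet Files), it is launched through a signed Windows proxy such as rundll32.exe or pcalua.exe, or it carries an odd extension such as .exe_. The [HJPOL]/[HJ] lines cover policy values a lock screen sets to hide Task Manager and Registry Editor or to switch UAC off. The following is an added example, not RogueKiller's code: it applies those heuristics to the three autostart entries and three policy values copied from the report posted later in this thread, plus one constructed benign Run entry as a control (the AdobeARM path is an assumption, not from the page). The trusted-root list, the extension list and the labels are this example's own choices.

```python
import re
from pathlib import PureWindowsPath

# Where legitimately installed code is expected to live; anything auto-started
# from elsewhere (user profile, ProgramData, temp) gets a SUSP PATH flag.
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
# Signed Windows binaries that run whatever they are pointed at.
PROXY_LAUNCHERS = {"rundll32.exe", "pcalua.exe"}
EXEC_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".msi"}


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths (with spaces) intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def payload(cmdline):
    """Return the file that actually executes for an autostart command line.
    rundll32.exe takes '<dll>,<Export>' as its first argument; pcalua.exe (the
    Program Compatibility Assistant launcher) runs the program given after -a."""
    toks = tokens(cmdline)
    if not toks:
        return None
    launcher = PureWindowsPath(toks[0]).name.lower()
    if launcher == "rundll32.exe" and len(toks) > 1:
        return toks[1].split(",")[0]
    if launcher == "pcalua.exe" and "-a" in toks[:-1]:
        return toks[toks.index("-a") + 1]
    return toks[0]


def is_trusted(path):
    """True when `path` sits below one of TRUSTED_ROOTS (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(root) in p.parents for root in TRUSTED_ROOTS)


def triage_autostart(kind, name, cmdline):
    """Classify one Run value or scheduled task the way a [SUSP PATH] check would."""
    toks = tokens(cmdline)
    target = payload(cmdline)
    if target is None:
        return {"kind": kind, "name": name, "target": None, "reasons": ["empty command"]}
    reasons = []
    launcher = PureWindowsPath(toks[0]).name.lower()
    if launcher in PROXY_LAUNCHERS:
        reasons.append(f"proxy execution via {launcher}")
    if not is_trusted(target):
        reasons.append(f"SUSP PATH: {target}")
    ext = PureWindowsPath(target).suffix.lower()
    if ext not in EXEC_EXTENSIONS:
        reasons.append(f"unexpected extension {ext!r}")
    return {"kind": kind, "name": name, "target": target, "reasons": reasons}


def triage_policy(value_name, data):
    """Policy values a lock-screen infection sets to keep the user out ([HJPOL]/[HJ])."""
    lname = value_name.lower()
    if lname in ("disabletaskmgr", "disableregistrytools"):
        # Unusual on a home PC even when 0; non-zero means the lockdown is live.
        return f"HJPOL: {value_name}={data} ({'active' if data else 'stale'})"
    if lname == "enablelua" and data == 0:
        return f"HJ: UAC disabled ({value_name}=0)"
    return None


# First three entries are copied from the RogueKiller report in this thread;
# the AdobeARM entry is a constructed benign control (path assumed).
SAMPLE_AUTOSTARTS = [
    ("RUN", "AppleData",
     r'rundll32.exe "C:\Users\Ashraf\AppData\Local\Apple\AppleData\Appledata.dll",DllRegisterServer'),
    ("TASK", "At73", r"C:\ProgramData\bu3s24Ex.exe_"),
    ("TASK", "{BEEEB7A0-D36D-4B00-BFEB-AD6A8E3D6525}",
     r'C:\Windows\System32\pcalua.exe -a "C:\Users\DAndrea\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HQPIPTN3\VFProSetup1.0_EN[1].exe" -d C:\Users\DAndrea\Desktop'),
    ("RUN", "AdobeARM", r'"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"'),
]
SAMPLE_POLICIES = [("disableregistrytools", 0), ("DisableTaskMgr", 0), ("EnableLUA", 0)]


def run_triage():
    """Return (flagged autostart entries, policy findings) for the sample data."""
    flagged = [r for r in (triage_autostart(*e) for e in SAMPLE_AUTOSTARTS) if r["reasons"]]
    policies = [p for p in (triage_policy(*e) for e in SAMPLE_POLICIES) if p]
    return flagged, policies


if __name__ == "__main__":
    flagged, policies = run_triage()
    for r in flagged:
        print(f"[{r['kind']}] {r['name']}: " + "; ".join(r["reasons"]))
    for p in policies:
        print(p)
```

The point of resolving the payload first is that a naive path check would pass the pcalua.exe task (the launcher is in System32) and the rundll32 Run entry (no path at all), while the thing that actually executes in both cases is a file in a user profile directory.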

#14 djny2k (Topic Starter)

Posted 19 October 2012 - 03:20 PM

RogueKiller V8.1.1 [10/01/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Ashraf [Admin rights]
Mode : Remove -- Date : 10/19/2012 14:55:44

Bad processes : 0

Registry Entries : 31
[RUN][SUSP PATH] HKUS\S-1-5-21-4195540046-1241745021-4260514785-1007_Classes[...]\Run : AppleData (rundll32.exe "C:\Users\Ashraf\AppData\Local\Apple\AppleData\Appledata.dll",DllRegisterServer) -> DELETED
[TASK][SUSP PATH] At73 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At74 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At75 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At76 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At77 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At78 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At79 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At80 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At81 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At82 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At83 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At84 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At85 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At86 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At87 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At88 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At89 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At90 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At91 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At92 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At93 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At94 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At95 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] At96 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
[TASK][SUSP PATH] {BEEEB7A0-D36D-4B00-BFEB-AD6A8E3D6525} : C:\Windows\System32\pcalua.exe -a "C:\Users\DAndrea\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HQPIPTN3\VFProSetup1.0_EN[1].exe" -d C:\Users\DAndrea\Desktop -> DELETED
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Particular Files / Folders:

Driver : [LOADED]

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts



MBR Check:

+++++ PhysicalDrive0: WDC WD3200AAJS-65B4A0 ATA Device +++++
--- User ---
[MBR] 83095fc7b5c9cb15a183a5148ca66b72
[BSP] 309fdfd200901d3359dd1e035123a213 : HP tatooed MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 294743 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 603635760 | Size: 10498 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

14:56:48.0723 2860 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47
14:56:49.0020 2860 ============================================================
14:56:49.0020 2860 Current date / time: 2012/10/19 14:56:49.0020
14:56:49.0020 2860 SystemInfo:
14:56:49.0020 2860
14:56:49.0020 2860 OS Version: 6.0.6002 ServicePack: 2.0
14:56:49.0020 2860 Product type: Workstation
14:56:49.0020 2860 ComputerName: DANDREA-PC
14:56:49.0020 2860 UserName: Ashraf
14:56:49.0020 2860 Windows directory: C:\Windows
14:56:49.0020 2860 System windows directory: C:\Windows
14:56:49.0020 2860 Processor architecture: Intel x86
14:56:49.0020 2860 Number of processors: 2
14:56:49.0020 2860 Page size: 0x1000
14:56:49.0020 2860 Boot type: Normal boot
14:56:49.0020 2860 ============================================================
14:56:50.0080 2860 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0xA181, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000050
14:56:50.0096 2860 ============================================================
14:56:50.0096 2860 \Device\Harddisk0\DR0:
14:56:50.0096 2860 MBR partitions:
14:56:50.0096 2860 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x23FABFF1
14:56:50.0096 2860 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x23FAC030, BlocksNum 0x14812E0
14:56:50.0096 2860 ============================================================
14:56:50.0314 2860 D: <-> \Device\Harddisk0\DR0\Partition2
14:56:50.0314 2860 ============================================================
14:56:50.0314 2860 Initialize success
14:56:50.0314 2860 ============================================================
14:57:01.0110 1228 ============================================================
14:57:01.0110 1228 Scan started
14:57:01.0110 1228 Mode: Manual;
14:57:01.0110 1228 ============================================================
14:57:01.0312 1228 ================ Scan system memory ========================
14:57:01.0312 1228 System memory - ok
14:57:01.0312 1228 ================ Scan services =============================
14:57:01.0375 1228 A2DDA - ok
14:57:01.0390 1228 ACPI - ok
14:57:01.0406 1228 AdobeARMservice - ok
14:57:01.0422 1228 adp94xx - ok
14:57:01.0437 1228 adpahci - ok
14:57:01.0437 1228 adpu160m - ok
14:57:01.0453 1228 adpu320 - ok
14:57:01.0468 1228 AeLookupSvc - ok
14:57:01.0484 1228 AFD - ok
14:57:01.0500 1228 AGCoreService - ok
14:57:01.0500 1228 agp440 - ok
14:57:01.0515 1228 aic78xx - ok
14:57:01.0531 1228 ALG - ok
14:57:01.0546 1228 aliide - ok
14:57:01.0546 1228 amdagp - ok
14:57:01.0562 1228 amdide - ok
14:57:01.0578 1228 AmdK7 - ok
14:57:01.0578 1228 AmdK8 - ok
14:57:01.0593 1228 Appinfo - ok
14:57:01.0609 1228 Apple Mobile Device - ok
14:57:01.0624 1228 arc - ok
14:57:01.0640 1228 arcsas - ok
14:57:01.0671 1228 aspnet_state - ok
14:57:01.0687 1228 AsyncMac - ok
14:57:01.0702 1228 atapi - ok
14:57:01.0702 1228 AudioEndpointBuilder - ok
14:57:01.0718 1228 Audiosrv - ok
14:57:01.0734 1228 BcmSqlStartupSvc - ok
14:57:01.0749 1228 Beep - ok
14:57:01.0765 1228 BFE - ok
14:57:01.0780 1228 BITS - ok
14:57:01.0780 1228 blbdrive - ok
14:57:01.0812 1228 Bonjour Service - ok
14:57:01.0812 1228 bowser - ok
14:57:01.0827 1228 BrFiltLo - ok
14:57:01.0827 1228 BrFiltUp - ok
14:57:01.0843 1228 Browser - ok
14:57:01.0843 1228 Brserid - ok
14:57:01.0858 1228 BrSerIf - ok
14:57:01.0858 1228 BrSerWdm - ok
14:57:01.0874 1228 BrUsbMdm - ok
14:57:01.0890 1228 BrUsbSer - ok
14:57:01.0890 1228 BTHMODEM - ok
14:57:01.0905 1228 cdfs - ok
14:57:01.0905 1228 cdrom - ok
14:57:01.0921 1228 CertPropSvc - ok
14:57:01.0936 1228 circlass - ok
14:57:01.0936 1228 CLFS - ok
14:57:01.0952 1228 clr_optimization_v2.0.50727_32 - ok
14:57:01.0952 1228 clr_optimization_v4.0.30319_32 - ok
14:57:01.0968 1228 cmdide - ok
14:57:01.0968 1228 Compbatt - ok
14:57:01.0983 1228 COMSysApp - ok
14:57:01.0983 1228 crcdisk - ok
14:57:01.0999 1228 Crusoe - ok
14:57:02.0014 1228 CryptSvc - ok
14:57:02.0030 1228 DcomLaunch - ok
14:57:02.0030 1228 DfsC - ok
14:57:02.0046 1228 DFSR - ok
14:57:02.0046 1228 Dhcp - ok
14:57:02.0061 1228 disk - ok
14:57:02.0077 1228 Dnscache - ok
14:57:02.0092 1228 dot3svc - ok
14:57:02.0092 1228 DPS - ok
14:57:02.0108 1228 drmkaud - ok
14:57:02.0124 1228 DXGKrnl - ok
14:57:02.0124 1228 E1G60 - ok
14:57:02.0139 1228 EapHost - ok
14:57:02.0170 1228 Ecache - ok
14:57:02.0170 1228 ehRecvr - ok
14:57:02.0186 1228 ehSched - ok
14:57:02.0186 1228 ehstart - ok
14:57:02.0202 1228 elxstor - ok
14:57:02.0217 1228 EMDMgmt - ok
14:57:02.0217 1228 ErrDev - ok
14:57:02.0233 1228 EventSystem - ok
14:57:02.0248 1228 exfat - ok
14:57:02.0248 1228 fastfat - ok
14:57:02.0264 1228 FastUserSwitchingCompatibility - ok
14:57:02.0280 1228 fdc - ok
14:57:02.0280 1228 fdPHost - ok
14:57:02.0295 1228 FDResPub - ok
14:57:02.0311 1228 FileInfo - ok
14:57:02.0311 1228 Filetrace - ok
14:57:02.0326 1228 FLEXnet Licensing Service - ok
14:57:02.0342 1228 flpydisk - ok
14:57:02.0342 1228 FltMgr - ok
14:57:02.0358 1228 FontCache - ok
14:57:02.0358 1228 FontCache3.0.0.0 - ok
14:57:02.0373 1228 fssfltr - ok
14:57:02.0373 1228 fsssvc - ok
14:57:02.0389 1228 Fs_Rec - ok
14:57:02.0389 1228 gagp30kx - ok
14:57:02.0404 1228 GameConsoleService - ok
14:57:02.0420 1228 GEARAspiWDM - ok
14:57:02.0420 1228 getPlusHelper - ok
14:57:02.0436 1228 gpsvc - ok
14:57:02.0436 1228 HDAudBus - ok
14:57:02.0451 1228 HidBth - ok
14:57:02.0451 1228 HidIr - ok
14:57:02.0467 1228 hidserv - ok
14:57:02.0467 1228 HidUsb - ok
14:57:02.0482 1228 hkmsvc - ok
14:57:02.0482 1228 HpCISSs - ok
14:57:02.0514 1228 HSF_DP - ok
14:57:02.0514 1228 HSXHWBS3 - ok
14:57:02.0529 1228 HTTP - ok
14:57:02.0529 1228 i2omp - ok
14:57:02.0545 1228 i8042prt - ok
14:57:02.0560 1228 iaStorV - ok
14:57:02.0560 1228 IDriverT - ok
14:57:02.0576 1228 idsvc - ok
14:57:02.0592 1228 iirsp - ok
14:57:02.0592 1228 IKEEXT - ok
14:57:02.0607 1228 IntcAzAudAddService - ok
14:57:02.0623 1228 intelide - ok
14:57:02.0638 1228 intelppm - ok
14:57:02.0638 1228 IntuitUpdateService - ok
14:57:02.0654 1228 IntuitUpdateServiceV4 - ok
14:57:02.0654 1228 IPBusEnum - ok
14:57:02.0670 1228 IpFilterDriver - ok
14:57:02.0670 1228 IPMIDRV - ok
14:57:02.0685 1228 IPNAT - ok
14:57:02.0685 1228 iPod Service - ok
14:57:02.0701 1228 IRENUM - ok
14:57:02.0701 1228 isapnp - ok
14:57:02.0716 1228 iScsiPrt - ok
14:57:02.0716 1228 iteatapi - ok
14:57:02.0732 1228 iteraid - ok
14:57:02.0748 1228 kbdclass - ok
14:57:02.0748 1228 kbdhid - ok
14:57:02.0763 1228 KeyIso - ok
14:57:02.0763 1228 KSecDD - ok
14:57:02.0794 1228 KtmRm - ok
14:57:02.0794 1228 LanmanServer - ok
14:57:02.0810 1228 LanmanWorkstation - ok
14:57:02.0826 1228 LightScribeService - ok
14:57:02.0826 1228 lltdio - ok
14:57:02.0841 1228 lltdsvc - ok
14:57:02.0841 1228 lmhosts - ok
14:57:02.0857 1228 LSI_FC - ok
14:57:02.0857 1228 LSI_SAS - ok
14:57:02.0872 1228 LSI_SCSI - ok
14:57:02.0888 1228 luafv - ok
14:57:02.0888 1228 MBAMSwissArmy - ok
14:57:02.0904 1228 Mcx2Svc - ok
14:57:02.0904 1228 mdmxsdk - ok
14:57:02.0919 1228 megasas - ok
14:57:02.0919 1228 MegaSR - ok
14:57:02.0935 1228 MMCSS - ok
14:57:02.0935 1228 Modem - ok
14:57:02.0950 1228 monitor - ok
14:57:02.0950 1228 mouclass - ok
14:57:02.0966 1228 mouhid - ok
14:57:02.0966 1228 MountMgr - ok
14:57:02.0997 1228 MozillaMaintenance - ok
14:57:03.0044 1228 mpio - ok
14:57:03.0044 1228 mpsdrv - ok
14:57:03.0060 1228 Mraid35x - ok
14:57:03.0060 1228 MRxDAV - ok
14:57:03.0075 1228 mrxsmb - ok
14:57:03.0075 1228 mrxsmb10 - ok
14:57:03.0091 1228 mrxsmb20 - ok
14:57:03.0106 1228 msahci - ok
14:57:03.0106 1228 msdsm - ok
14:57:03.0122 1228 MSDTC - ok
14:57:03.0153 1228 Msfs - ok
14:57:03.0153 1228 msisadrv - ok
14:57:03.0169 1228 MSiSCSI - ok
14:57:03.0169 1228 msiserver - ok
14:57:03.0184 1228 MSKSSRV - ok
14:57:03.0200 1228 MSPCLOCK - ok
14:57:03.0200 1228 MSPQM - ok
14:57:03.0216 1228 MsRPC - ok
14:57:03.0231 1228 mssmbios - ok
14:57:03.0231 1228 MSTEE - ok
14:57:03.0247 1228 Mup - ok
14:57:03.0247 1228 napagent - ok
14:57:03.0262 1228 NativeWifiP - ok
14:57:03.0262 1228 NDIS - ok
14:57:03.0278 1228 NdisTapi - ok
14:57:03.0294 1228 Ndisuio - ok
14:57:03.0309 1228 NdisWan - ok
14:57:03.0309 1228 NDProxy - ok
14:57:03.0325 1228 Netaapl - ok
14:57:03.0340 1228 NetBIOS - ok
14:57:03.0340 1228 netbt - ok
14:57:03.0356 1228 Netlogon - ok
14:57:03.0356 1228 Netman - ok
14:57:03.0372 1228 netprofm - ok
14:57:03.0372 1228 NetTcpPortSharing - ok
14:57:03.0387 1228 nfrd960 - ok
14:57:03.0403 1228 NlaSvc - ok
14:57:03.0418 1228 nosGetPlusHelper - ok
14:57:03.0434 1228 Npfs - ok
14:57:03.0434 1228 nsi - ok
14:57:03.0450 1228 nsiproxy - ok
14:57:03.0450 1228 Ntfs - ok
14:57:03.0465 1228 ntrigdigi - ok
14:57:03.0481 1228 Null - ok
14:57:03.0496 1228 NVENETFD - ok
14:57:03.0496 1228 nvlddmkm - ok
14:57:03.0512 1228 nvraid - ok
14:57:03.0512 1228 nvsmu - ok
14:57:03.0528 1228 nvstor - ok
14:57:03.0528 1228 nvsvc - ok
14:57:03.0543 1228 nv_agp - ok
14:57:03.0574 1228 odserv - ok
14:57:03.0590 1228 ohci1394 - ok
14:57:03.0590 1228 ose - ok
14:57:03.0606 1228 p2pimsvc - ok
14:57:03.0621 1228 p2psvc - ok
14:57:03.0621 1228 Parport - ok
14:57:03.0637 1228 partmgr - ok
14:57:03.0637 1228 Parvdm - ok
14:57:03.0652 1228 PcaSvc - ok
14:57:03.0652 1228 pci - ok
14:57:03.0668 1228 pciide - ok
14:57:03.0668 1228 pcmcia - ok
14:57:03.0699 1228 PEAUTH - ok
14:57:03.0715 1228 pla - ok
14:57:03.0730 1228 PlugPlay - ok
14:57:03.0746 1228 PNRPAutoReg - ok
14:57:03.0746 1228 PNRPsvc - ok
14:57:03.0762 1228 PolicyAgent - ok
14:57:03.0762 1228 PptpMiniport - ok
14:57:03.0777 1228 Processor - ok
14:57:03.0793 1228 ProfSvc - ok
14:57:03.0793 1228 ProtectedStorage - ok
14:57:03.0808 1228 Ps2 - ok
14:57:03.0808 1228 PSched - ok
14:57:03.0824 1228 ql2300 - ok
14:57:03.0824 1228 ql40xx - ok
14:57:03.0840 1228 QWAVE - ok
14:57:03.0840 1228 QWAVEdrv - ok
14:57:03.0855 1228 RapiMgr - ok
14:57:03.0855 1228 RasAcd - ok
14:57:03.0871 1228 RasAuto - ok
14:57:03.0886 1228 Rasl2tp - ok
14:57:03.0886 1228 RasMan - ok
14:57:03.0902 1228 RasPppoe - ok
14:57:03.0902 1228 RasSstp - ok
14:57:03.0918 1228 rdbss - ok
14:57:03.0918 1228 RDPCDD - ok
14:57:03.0933 1228 rdpdr - ok
14:57:03.0933 1228 RDPENCDD - ok
14:57:03.0949 1228 RDPWD - ok
14:57:03.0980 1228 RemoteAccess - ok
14:57:03.0980 1228 RemoteRegistry - ok
14:57:04.0011 1228 RimVSerPort - ok
14:57:04.0027 1228 ROOTMODEM - ok
14:57:04.0027 1228 RpcLocator - ok
14:57:04.0042 1228 RpcSs - ok
14:57:04.0042 1228 rspndr - ok
14:57:04.0074 1228 SamSs - ok
14:57:04.0074 1228 sbp2port - ok
14:57:04.0089 1228 SCardSvr - ok
14:57:04.0089 1228 Schedule - ok
14:57:04.0105 1228 SCPolicySvc - ok
14:57:04.0105 1228 SDRSVC - ok
14:57:04.0120 1228 secdrv - ok
14:57:04.0136 1228 seclogon - ok
14:57:04.0136 1228 SENS - ok
14:57:04.0152 1228 Serenum - ok
14:57:04.0152 1228 Serial - ok
14:57:04.0167 1228 sermouse - ok
14:57:04.0183 1228 SessionEnv - ok
14:57:04.0183 1228 sffdisk - ok
14:57:04.0198 1228 sffp_mmc - ok
14:57:04.0214 1228 sffp_sd - ok
14:57:04.0214 1228 sfloppy - ok
14:57:04.0230 1228 SharedAccess - ok
14:57:04.0230 1228 ShellHWDetection - ok
14:57:04.0245 1228 sisagp - ok
14:57:04.0245 1228 SiSRaid2 - ok
14:57:04.0261 1228 SiSRaid4 - ok
14:57:04.0276 1228 SkypeUpdate - ok
14:57:04.0292 1228 slsvc - ok
14:57:04.0323 1228 SLUINotify - ok
14:57:04.0323 1228 Smb - ok
14:57:04.0339 1228 SNMPTRAP - ok
14:57:04.0354 1228 spldr - ok
14:57:04.0370 1228 Spooler - ok
14:57:04.0370 1228 srv - ok
14:57:04.0386 1228 srv2 - ok
14:57:04.0386 1228 srvnet - ok
14:57:04.0401 1228 SSDPSRV - ok
14:57:04.0417 1228 SstpSvc - ok
14:57:04.0432 1228 stisvc - ok
14:57:04.0432 1228 swenum - ok
14:57:04.0448 1228 swprv - ok
14:57:04.0448 1228 Symc8xx - ok
14:57:04.0464 1228 Sym_hi - ok
14:57:04.0464 1228 Sym_u3 - ok
14:57:04.0479 1228 SysMain - ok
14:57:04.0479 1228 TabletInputService - ok
14:57:04.0495 1228 TapiSrv - ok
14:57:04.0510 1228 TBS - ok
14:57:04.0510 1228 Tcpip - ok
14:57:04.0526 1228 Tcpip6 - ok
14:57:04.0526 1228 tcpipreg - ok
14:57:04.0542 1228 TDPIPE - ok
14:57:04.0542 1228 TDTCP - ok
14:57:04.0557 1228 tdx - ok
14:57:04.0573 1228 TermDD - ok
14:57:04.0573 1228 TermService - ok
14:57:04.0588 1228 Themes - ok
14:57:04.0588 1228 THREADORDER - ok
14:57:04.0604 1228 TrkWks - ok
14:57:04.0604 1228 TrustedInstaller - ok
14:57:04.0620 1228 tssecsrv - ok
14:57:04.0635 1228 tunmp - ok
14:57:04.0651 1228 tunnel - ok
14:57:04.0651 1228 uagp35 - ok
14:57:04.0666 1228 udfs - ok
14:57:04.0682 1228 UI0Detect - ok
14:57:04.0682 1228 uliagpkx - ok
14:57:04.0698 1228 uliahci - ok
14:57:04.0713 1228 UlSata - ok
14:57:04.0713 1228 ulsata2 - ok
14:57:04.0729 1228 umbus - ok
14:57:04.0729 1228 upnphost - ok
14:57:04.0744 1228 USBAAPL - ok
14:57:04.0760 1228 usbaudio - ok
14:57:04.0776 1228 usbccgp - ok
14:57:04.0791 1228 usbcir - ok
14:57:04.0791 1228 usbehci - ok
14:57:04.0807 1228 usbhub - ok
14:57:04.0807 1228 usbohci - ok
14:57:04.0822 1228 usbprint - ok
14:57:04.0838 1228 usbscan - ok
14:57:04.0838 1228 USBSTOR - ok
14:57:04.0854 1228 usbuhci - ok
14:57:04.0854 1228 usb_rndisx - ok
14:57:04.0869 1228 UxSms - ok
14:57:04.0869 1228 vds - ok
14:57:04.0885 1228 vga - ok
14:57:04.0885 1228 VgaSave - ok
14:57:04.0900 1228 viaagp - ok
14:57:04.0900 1228 ViaC7 - ok
14:57:04.0916 1228 viaide - ok
14:57:04.0932 1228 volmgr - ok
14:57:04.0932 1228 volmgrx - ok
14:57:04.0947 1228 volsnap - ok
14:57:04.0947 1228 vsmraid - ok
14:57:04.0963 1228 VSS - ok
14:57:04.0963 1228 W32Time - ok
14:57:04.0978 1228 WacomPen - ok
14:57:04.0994 1228 Wanarp - ok
14:57:04.0994 1228 Wanarpv6 - ok
14:57:05.0010 1228 WcesComm - ok
14:57:05.0010 1228 wcncsvc - ok
14:57:05.0025 1228 WcsPlugInService - ok
14:57:05.0025 1228 Wd - ok
14:57:05.0041 1228 Wdf01000 - ok
14:57:05.0056 1228 WdiServiceHost - ok
14:57:05.0056 1228 WdiSystemHost - ok
14:57:05.0072 1228 WebClient - ok
14:57:05.0072 1228 Wecsvc - ok
14:57:05.0088 1228 wercplsupport - ok
14:57:05.0088 1228 WerSvc - ok
14:57:05.0103 1228 winachsf - ok
14:57:05.0134 1228 WinDefend - ok
14:57:05.0150 1228 WinHttpAutoProxySvc - ok
14:57:05.0166 1228 Winmgmt - ok
14:57:05.0166 1228 WinRM - ok
14:57:05.0181 1228 Wlansvc - ok
14:57:05.0212 1228 wlcrasvc - ok
14:57:05.0228 1228 wlidsvc - ok
14:57:05.0244 1228 WmiAcpi - ok
14:57:05.0244 1228 wmiApSrv - ok
14:57:05.0259 1228 WMPNetworkSvc - ok
14:57:05.0259 1228 WPCSvc - ok
14:57:05.0275 1228 WPDBusEnum - ok
14:57:05.0306 1228 WpdUsb - ok
14:57:05.0306 1228 WPFFontCache_v0400 - ok
14:57:05.0322 1228 ws2ifsl - ok
14:57:05.0337 1228 wscsvc - ok
14:57:05.0337 1228 WSearch - ok
14:57:05.0353 1228 wuauserv - ok
14:57:05.0368 1228 WUDFRd - ok
14:57:05.0368 1228 wudfsvc - ok
14:57:05.0384 1228 XAudio - ok
14:57:05.0384 1228 XAudioService - ok
14:57:05.0415 1228 ================ Scan global ===============================
14:57:05.0415 1228 [Global] - ok
14:57:05.0415 1228 ================ Scan MBR ==================================
14:57:05.0431 1228 [ 03BA8F890B47C0BE359A4D5A636D214D ] \Device\Harddisk0\DR0
14:57:06.0523 1228 \Device\Harddisk0\DR0 - ok
14:57:06.0523 1228 ================ Scan VBR ==================================
14:57:06.0554 1228 [ F4BE959F09B72F58D33643C16B12408E ] \Device\Harddisk0\DR0\Partition1
14:57:06.0570 1228 \Device\Harddisk0\DR0\Partition1 - ok
14:57:06.0601 1228 [ 166D14DED1E794CB98D32EF3750CB0A3 ] \Device\Harddisk0\DR0\Partition2
14:57:06.0632 1228 \Device\Harddisk0\DR0\Partition2 - ok
14:57:06.0632 1228 ============================================================
14:57:06.0632 1228 Scan finished
14:57:06.0632 1228 ============================================================
14:57:06.0648 2624 Detected object count: 0
14:57:06.0648 2624 Actual detected object count: 0
14:57:18.0332 2588 Deinitialize success

Junkware Removal Tool (JRT) by Thisisu
Version: 1.7.9 (10.19.2012)
OS: Windows Vista ™ Home Premium x86
Ran by Ashraf on Fri 10/19/2012 at 14:58:05.13
Blog: http://thisisudax.blogspot.com
**************************************************************




*** Services: 0 Detections



*** Registry Values:

Successfully deleted: [VALUE] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}
Failed to delete: [VALUE-LOCKED!] hkey_users\s-1-5-18\software\microsoft\internet explorer\urlsearchhooks\\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}
Failed to delete: [VALUE-LOCKED!] hkey_users\s-1-5-19\software\microsoft\internet explorer\urlsearchhooks\\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}
Failed to delete: [VALUE-LOCKED!] hkey_users\s-1-5-20\software\microsoft\internet explorer\urlsearchhooks\\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}



*** Registry Keys:

Successfully deleted: [KEY] "hkey_current_user\software\appdatalow\software\conduit"
Successfully deleted: [KEY] "hkey_current_user\software\appdatalow\software\conduitengine"
Successfully deleted: [KEY] "hkey_current_user\software\appdatalow\software\pricegong"
Successfully deleted: [KEY] "hkey_current_user\software\zugo"
Successfully deleted: [KEY] "hkey_local_machine\software\classes\conduit.engine"
Successfully deleted: [KEY] "hkey_local_machine\software\conduit"
Successfully deleted: [KEY] "hkey_local_machine\software\google\chrome\extensions\dhkplhfnhceodhffomolpfigojocbpcb"
Successfully deleted: [KEY] "hkey_local_machine\software\google\chrome\extensions\kincjchfokkeneeofpeefomkikfkiedl"
Successfully deleted: [KEY] hkey_classes_root\typelib\{09c554c3-109b-483c-a06b-f14172f1a947}
Successfully deleted: [KEY] hkey_classes_root\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}
Successfully deleted: [KEY] hkey_current_user\software\microsoft\internet explorer\searchscopes\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}
Successfully deleted: [KEY] hkey_current_user\software\microsoft\windows\currentversion\ext\settings\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}
Successfully deleted: [KEY] hkey_current_user\software\microsoft\windows\currentversion\ext\stats\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}
Successfully deleted: [KEY] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}
Successfully deleted: [KEY] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}
Successfully deleted: [KEY] hkey_classes_root\clsid\{3c471948-f874-49f5-b338-4f214a2ee0b1}
Successfully deleted: [KEY] hkey_classes_root\clsid\{9afb8248-617f-460d-9366-d71cdeda3179}
Successfully deleted: [KEY] hkey_current_user\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
Successfully deleted: [KEY] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
Successfully deleted: [KEY] hkey_classes_root\appid\{bdb69379-802f-4eaf-b541-f8de92dd98db}
Successfully deleted: [KEY] hkey_classes_root\interface\{db507187-9746-458c-97da-c458131eede7}



*** Files:

Successfully deleted: [FILE] C:\Program Files\conduit\community alerts\Alert.dll
Successfully deleted: [FILE] C:\Program Files\conduit\community alerts\Alert0.dll
Successfully deleted: [FILE] C:\Program Files\conduit\community alerts\Alert1(34).dll
Successfully deleted: [FILE] C:\Program Files\conduit\community alerts\Alert1.dll
Successfully deleted: [FILE] C:\Program Files\coupons\Coupons.com.url
Successfully deleted: [FILE] C:\Program Files\coupons\uninstall.exe



*** Folders:

Successfully deleted: [FOLDER] "C:\Users\Ashraf\appdata\locallow\conduit"
Successfully deleted: [FOLDER] "C:\Users\Ashraf\appdata\locallow\conduitengine"
Successfully deleted: [FOLDER] "C:\Users\Ashraf\appdata\locallow\pricegong"
Successfully deleted: [FOLDER] "C:\Program Files\babylon"
Successfully deleted: [FOLDER] "C:\Program Files\conduit"
Successfully deleted: [FOLDER] "C:\Program Files\coupons"
Successfully deleted: [FOLDER] "C:\Program Files\radiorage_4jei"



*** FireFox detected and repaired



*** Event Viewer Logs - Cleared





**************************************************************
Scan was completed on Fri 10/19/2012 at 15:03:26.06
End of Report

#15 djny2k

  • Topic Starter

  • Members
  • 97 posts
  • OFFLINE
  • Local time:03:06 PM

Posted 19 October 2012 - 03:21 PM

OTL scan is still ongoing. I'll post the contents once it's finished. Also, it was the Malwarebytes window that froze, not the operating system itself.



