
FBI Moneypak Virus Victim


  • This topic is locked
31 replies to this topic

#1 Paul Garcia

  • Members
  • 62 posts

Posted 27 January 2013 - 09:52 PM

Good evening,

I have been impacted by this virus. It seems I have a newer variant that does not allow me to access Safe Mode. When I try to do so, my PC shuts down and reboots itself in the standard Windows mode.

I am running Windows Vista Home Premium, SP 2, 32 bit. I am also running Norton 360 2013. I downloaded and ran the Norton Bootable Recovery Tool from a CD; the scan did not find any problems.

Please help!


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 January 2013 - 02:26 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • First press the Scan button.
  • It will make a log (FRST.txt).
  • Second, type the following in the edit box after "Search:": services.exe
  • Click the Search button.
  • It will make a log (Search.txt).
I want you to post both the FRST.txt report and the Search.txt in your reply to me.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Paul Garcia
  • Topic Starter
  • Members
  • 62 posts

Posted 30 January 2013 - 03:59 AM

Hi Gringo,

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-01-2013 02
Ran by SYSTEM at 29-01-2013 19:35:47
Running from F:\
Windows Vista ™ Home Premium Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet002

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [] [x]
HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [61440 2009-04-21] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [6965792 2009-03-12] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1451304 2009-03-18] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [468320 2009-03-06] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [55160 2009-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [448376 2008-12-18] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [729088 2009-03-23] (TOSHIBA Corporation)
HKLM\...\Run: [NDSTray.exe] "C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe" [299008 2009-05-12] (TOSHIBA CORPORATION)
HKLM\...\Run: [cfFncEnabler.exe] "C:\Program Files\TOSHIBA\ConfigFree\cfFncEnabler.exe" [16384 2009-03-24] (Toshiba Corporation)
HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1318912 2009-04-14] (TOSHIBA Corporation)
HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [210472 2006-10-25] (Nuance Communications, Inc.)
HKLM\...\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [30248 2007-01-29] (Nuance Communications, Inc.)
HKLM\...\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [46632 2007-01-29] (Nuance Communications, Inc.)
HKLM\...\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini [310 2013-01-27] ()
HKLM\...\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN [622592 2007-02-06] (Brother Industries, Ltd.)
HKLM\...\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun [65536 2006-07-19] (Brother Industries, Ltd.)
HKLM\...\Run: [TPCHWMsg] %ProgramFiles%\TOSHIBA\TPHM\TPCHWMsg.exe [570736 2009-04-09] (TOSHIBA Corporation)
HKLM\...\Run: [ToshibaServiceStation] "C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1295736 2011-02-11] (TOSHIBA Corporation)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [417792 2010-02-15] (Apple Inc.)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe [1007616 2009-03-24] (TOSHIBA Corporation)
HKLM\...\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe [1833504 2009-03-12] (Realtek Semiconductor Corp.)
HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [163840 2009-03-24] (TOSHIBA Corporation)
HKLM\...\Run: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2513472 2009-04-16] (TOSHIBA)
HKLM\...\Run: [Memeo Instant Backup] C:\Program Files\Memeo\AutoBackup\MemeoLauncher2.exe --silent --no_ui [136416 2010-04-22] (Memeo Inc.)
HKLM\...\Run: [Seagate Dashboard] C:\Program Files\Seagate\Seagate Dashboard\MemeoLauncher.exe --silent --no_ui [79112 2011-06-01] ()
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\Paul Garcia\...\Run: [Singlesnet] C:\Program Files\Singlesnet\Singlesnet\Singlesnet.exe [x]
HKU\Paul Garcia\...\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [x]
HKU\Paul Garcia\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\Paul Garcia\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\Paul Garcia\...\Winlogon: [Shell] Explorer.exe [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

==================== Services (Whitelisted) ===================

2 camsvc; C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe [20544 2009-04-16] (TOSHIBA)
2 ConfigFree Service; "C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" [46448 2009-03-10] (TOSHIBA CORPORATION)
2 MemeoBackgroundService; C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe [25824 2010-04-22] (Memeo)
2 N360; "C:\Program Files\Norton 360\Engine\20.2.1.22\ccSvcHst.exe" /s "N360" /m "C:\Program Files\Norton 360\Engine\20.2.1.22\diMaster.dll" /prefetch:1 [535416 2012-12-05] (Symantec Corporation)
2 NSL; "C:\Program Files\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe" /s "NSL" /m "C:\Program Files\Norton Safe Web Lite\Engine\2.0.0.16\diMaster.dll" /prefetch:1 [303544 2011-10-11] (Symantec Corporation)
2 RSELSVC; C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe /Service [57344 2009-02-19] (TOSHIBA Corporation)
2 SeagateDashboardService; C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [14088 2011-06-01] (Memeo)
3 TMachInfo; C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [54136 2011-02-11] (TOSHIBA Corporation)
2 TosCoSrv; "C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe" [464224 2009-03-06] (TOSHIBA Corporation)
2 TOSHIBA eco Utility Service; "C:\Program Files\TOSHIBA\TECO\TecoService.exe" [176128 2009-04-14] (TOSHIBA Corporation)
2 TOSHIBA HDD SSD Alert Service; "C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe" [73728 2009-03-17] (TOSHIBA Corporation)
2 TPCHSrv; "C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe" [656752 2009-04-09] (TOSHIBA Corporation)
2 McAfee SiteAdvisor Service; c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe [x]

==================== Drivers (Whitelisted) ====================

1 BHDrvx86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130116.013\BHDrvx86.sys [997464 2013-01-15] (Symantec Corporation)
1 ccSet_N360; C:\Windows\system32\drivers\N360\1402010.016\ccSetx86.sys [134304 2012-08-20] (Symantec Corporation)
1 ccSet_NST; C:\Windows\system32\drivers\NST\0200000.010\ccSetx86.sys [132744 2011-08-08] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-08-08] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-08-08] (Symantec Corporation)
1 IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130124.001\IDSvix86.sys [386720 2013-01-09] (Symantec Corporation)
3 motandroidusb; C:\Windows\System32\Drivers\motoandroid.sys [25856 2009-07-10] (Motorola)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130126.007\NAVENG.SYS [93296 2013-01-15] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130126.007\NAVEX15.SYS [1603824 2013-01-15] (Symantec Corporation)
3 PGEffect; C:\Windows\System32\DRIVERS\pgeffect.sys [22272 2009-03-18] (TOSHIBA Corporation)
3 rtl819xp; C:\Windows\System32\DRIVERS\rtl819xp.sys [497664 2009-01-23] (Realtek Semiconductor Corporation )
1 RtlProt; C:\Windows\System32\DRIVERS\rtlprot.sys [25896 2007-04-23] (Windows ® Codename Longhorn DDK provider)
3 SRTSP; C:\Windows\System32\Drivers\N360\1402010.016\SRTSP.SYS [586400 2012-10-08] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\N360\1402010.016\SRTSPX.SYS [32888 2012-05-24] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\N360\1402010.016\SYMDS.SYS [368288 2012-10-03] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\N360\1402010.016\SYMEFA.SYS [927904 2012-10-03] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [142496 2013-01-05] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\N360\1402010.016\Ironx86.SYS [175264 2012-09-06] (Symantec Corporation)
1 SYMTDIv; C:\Windows\System32\Drivers\N360\1402010.016\SYMTDIV.SYS [350368 2012-09-06] (Symantec Corporation)
2 TVALZFL; C:\Windows\System32\DRIVERS\TVALZFL.sys [12920 2009-03-20] (TOSHIBA Corporation)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-01-27 17:33 - 2013-01-27 17:33 - 00000000 ____D C:\NPE
2013-01-27 14:20 - 2013-01-27 17:48 - 00000000 ____D C:\NBRT
2013-01-27 13:27 - 2013-01-27 13:27 - 00002426 ____A C:\Windows\PFRO.log
2013-01-27 13:25 - 2013-01-27 17:23 - 00000004 ____A C:\Users\Paul Garcia\AppData\Roaming\skype.ini
2013-01-16 03:21 - 2013-01-16 03:35 - 00023552 ____A C:\Users\Paul Garcia\Documents\2012 Budget.xls
2013-01-10 06:31 - 2012-11-22 17:35 - 02048000 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-01-10 06:30 - 2012-11-21 19:54 - 00353280 ____A (Microsoft Corporation) C:\Windows\System32\shlwapi.dll
2013-01-10 06:30 - 2012-11-19 20:22 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2013-01-10 06:30 - 2012-11-02 02:19 - 01400832 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll


==================== One Month Modified Files and Folders ========

2013-01-29 19:35 - 2013-01-29 19:35 - 00000000 ____D C:\FRST
2013-01-27 17:48 - 2013-01-27 14:20 - 00000000 ____D C:\NBRT
2013-01-27 17:33 - 2013-01-27 17:33 - 00000000 ____D C:\NPE
2013-01-27 17:23 - 2013-01-27 13:25 - 00000004 ____A C:\Users\Paul Garcia\AppData\Roaming\skype.ini
2013-01-27 17:23 - 2006-11-02 05:01 - 00032648 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-01-27 17:23 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-27 17:22 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-01-27 17:22 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-01-27 17:19 - 2011-06-11 06:30 - 01060404 ____A C:\Windows\WindowsUpdate.log
2013-01-27 13:28 - 2012-01-03 15:12 - 00000000 ____D C:\Windows\System32\Drivers\N360
2013-01-27 13:27 - 2013-01-27 13:27 - 00002426 ____A C:\Windows\PFRO.log
2013-01-27 12:56 - 2012-04-16 09:09 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-01-26 21:05 - 2010-07-22 21:56 - 00000000 ____D C:\Users\Paul Garcia\AppData\Roaming\Skype
2013-01-23 20:57 - 2010-09-12 13:01 - 00007728 ____A C:\Users\Paul Garcia\AppData\Local\d3d9caps.dat
2013-01-23 19:28 - 2011-07-06 19:09 - 00000000 ____D C:\Users\Paul Garcia\AppData\Local\CrashDumps
2013-01-17 06:23 - 2011-04-06 20:12 - 00000000 ____D C:\Users\Paul Garcia\Documents\Legal
2013-01-17 05:09 - 2011-04-20 20:30 - 00002573 ____A C:\Users\Paul Garcia\Desktop\Microsoft Word 2010.lnk
2013-01-16 05:14 - 2011-04-20 20:30 - 00002531 ____A C:\Users\Paul Garcia\Desktop\Microsoft Excel 2010.lnk
2013-01-16 03:35 - 2013-01-16 03:21 - 00023552 ____A C:\Users\Paul Garcia\Documents\2012 Budget.xls
2013-01-11 06:53 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-01-11 06:35 - 2006-11-02 04:47 - 00460872 ____A C:\Windows\System32\FNTCACHE.DAT
2013-01-11 03:19 - 2006-11-02 02:23 - 00000240 ____A C:\Windows\win.ini
2013-01-11 03:14 - 2006-11-02 02:33 - 00737270 ____A C:\Windows\System32\PerfStringBackup.INI
2013-01-11 03:07 - 2009-07-21 08:12 - 00000000 ____D C:\Users\All Users\Microsoft Help
2013-01-11 03:01 - 2006-11-02 02:24 - 65273848 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-01-05 14:25 - 2009-07-21 09:20 - 00000000 ____D C:\Users\All Users\Norton
2013-01-05 14:20 - 2012-01-03 15:13 - 00142496 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2013-01-05 14:20 - 2012-01-03 15:13 - 00007446 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
2013-01-05 14:20 - 2012-01-03 15:13 - 00000000 ____D C:\Program Files\Symantec
2012-12-30 23:16 - 2011-10-26 14:04 - 00000000 ____D C:\Users\Paul Garcia\Documents\Employment
2012-12-30 15:36 - 2010-10-09 12:59 - 00000000 ____D C:\Program Files\Mozilla Firefox
2012-12-30 15:34 - 2009-08-24 15:38 - 00000000 ____D C:\Program Files\Nuance
2012-12-30 15:34 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Speech
2012-12-30 15:25 - 2011-11-06 14:30 - 00000000 ____D C:\Users\Paul Garcia\AppData\Roaming\Dropbox

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2012-12-14 01:56] - [2012-08-21 03:47] - 0224640 ____A (Microsoft Corporation) 786DB5771F05EF300390399F626BF30A


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-21 07:03:56
Restore point made on: 2012-11-25 18:41:07
Restore point made on: 2012-12-14 03:01:57
Restore point made on: 2012-12-15 11:59:30
Restore point made on: 2012-12-20 09:34:29
Restore point made on: 2012-12-21 03:01:09
Restore point made on: 2012-12-21 23:10:21
Restore point made on: 2012-12-26 15:38:07
Restore point made on: 2012-12-27 23:39:33
Restore point made on: 2012-12-30 05:17:17
Restore point made on: 2012-12-30 15:26:03
Restore point made on: 2013-01-03 03:11:51
Restore point made on: 2013-01-04 04:01:20
Restore point made on: 2013-01-05 00:00:26
Restore point made on: 2013-01-11 03:01:10
Restore point made on: 2013-01-23 23:34:48
Restore point made on: 2013-01-26 21:31:44

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 2813.07 MB
Available physical RAM: 2410.64 MB
Total Pagefile: 2612.91 MB
Available Pagefile: 2474.88 MB
Total Virtual: 2047.88 MB
Available Virtual: 1966.31 MB

==================== Partitions =============================

1 Drive c: (TI100760V0G) (Fixed) (Total:287.88 GB) (Free:200.13 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.32 GB) NTFS
4 Drive f: () (Removable) (Total:3.73 GB) (Free:3.73 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 3819 MB 0 B

Partitions of Disk 0:
===============

Disk ID: BDD4F1C4

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 288 GB 1501 MB
Partition 3 Primary 9 GB 289 GB

=========================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E TOSHIBA SYS NTFS Partition 1500 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI100760V0G NTFS Partition 288 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

=========================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3819 MB 16 KB

=========================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F FAT32 Removable 3819 MB Healthy

=========================================================

Last Boot: 2013-01-13 11:48

==================== End Of Log ============================

#4 Paul Garcia
  • Topic Starter
  • Members
  • 62 posts

Posted 30 January 2013 - 04:01 AM

Farbar Recovery Scan Tool (x86) Version: 28-01-2013 02
Ran by SYSTEM at 2013-01-29 19:38:43
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-08-13 19:42] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:24] - [2008-01-20 18:24] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\System32\services.exe
[2009-08-13 19:42] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

=== End Of Search ===

#5 Paul Garcia
  • Topic Starter
  • Members
  • 62 posts

Posted 30 January 2013 - 04:19 AM

Hi Gringo, three thoughts from me:

First, thank you very much for the assistance you provide (I saw your post count)!

Second, do you have any suggestions for backing up my PC's files? It's virtually useless; I can only access a command prompt. I'm writing this from a second PC I own.

Third, the command for accessing the scan tool is e:\frst.exe for the 32-bit version (no numerals).

Thanks again!

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 January 2013 - 01:05 PM

Hello

If we get the computer to boot normally, then back up the files. If we cannot get it to boot normally, then I will show you how to remove the files.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

HKU\Paul Garcia\...\Winlogon: [Shell] Explorer.exe [x]
C:\Users\Paul Garcia\AppData\Roaming\skype.ini



NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo
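As an added example (not part of this thread, and not Farbar's tool), the following Python triages the "Registry (Whitelisted)" section of an FRST log the way the helper did by hand: it parses each autostart line, flags a per-user Winlogon Shell value (the lock-screen persistence the fixlist above removes) and autostarts whose target file FRST marked missing with [x], and emits the matching fixlist lines for a helper to review. The sample lines are copied from the FRST.txt posted earlier in the thread; the severity labels and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One autostart as FRST prints it:
#   <hive>\...\<key>: [<value name>] <command> [<size> <yyyy-mm-dd>] (<publisher>)
# or, when the referenced file is not on disk, the line ends in "[x]".
LINE_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\(?P<key>Run|RunOnce|Winlogon): "
    r"\[(?P<name>[^\]]*)\] (?P<rest>.*)$"
)
MISSING_RE = re.compile(r"(?:^|\s)\[x\]$")
DETAIL_RE = re.compile(
    r"^(?P<cmd>.*?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)$"
)


@dataclass
class Autostart:
    raw: str                  # the FRST line itself (this is what goes into fixlist.txt)
    hive: str                 # "HKLM" or "HKU\<user>"
    key: str                  # Run, RunOnce or Winlogon
    name: str                 # registry value name, e.g. "Shell"
    command: str              # command line without the FRST size/date/publisher suffix
    missing: bool             # FRST printed [x]: the target file does not exist
    publisher: Optional[str]  # company name from the file's version info, if any


@dataclass
class Finding:
    severity: str             # "high", "low" or "info" (labels chosen for this example)
    reason: str
    entry: Autostart


def parse_line(line: str) -> Optional[Autostart]:
    """Parse one line of the 'Registry (Whitelisted)' section; None if it is not an autostart."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest")
    missing = MISSING_RE.search(rest) is not None
    command, publisher = rest, None
    if missing:
        command = MISSING_RE.sub("", rest)
    else:
        d = DETAIL_RE.match(rest)
        if d is not None:
            command = d.group("cmd")
            publisher = d.group("publisher") or None
    return Autostart(line.strip(), m.group("hive"), m.group("key"), m.group("name"),
                     command, missing, publisher)


def triage(lines: List[str]) -> List[Finding]:
    """Apply the checks the thread acts on, in log order."""
    findings = []
    for line in lines:
        a = parse_line(line)
        if a is None:
            continue
        if a.key == "Winlogon" and a.name in ("Shell", "Userinit"):
            # The legitimate Shell/Userinit values live under HKLM. A per-user copy, or a
            # value that is not the stock program, is how a lock screen replaces the desktop.
            if a.hive.startswith("HKU\\"):
                findings.append(Finding("high", "per-user Winlogon %s override" % a.name, a))
            elif a.name == "Shell" and a.command.lower() != "explorer.exe":
                findings.append(Finding("high", "Winlogon Shell is not explorer.exe", a))
        elif a.missing:
            findings.append(Finding("low", "autostart points at a file that no longer exists", a))
        elif a.publisher is None:
            findings.append(Finding("info", "autostart binary carries no publisher information", a))
    return findings


def fixlist_lines(findings: List[Finding], min_severity: str = "high") -> List[str]:
    """FRST accepts the log line verbatim in fixlist.txt; return candidates for review, not blind use."""
    order = {"info": 0, "low": 1, "high": 2}
    return [f.entry.raw for f in findings if order[f.severity] >= order[min_severity]]


# Constructed sample: lines copied from the FRST.txt posted earlier in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [] [x]
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [6965792 2009-03-12] (Realtek Semiconductor)
HKLM\...\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini [310 2013-01-27] ()
HKU\Paul Garcia\...\Run: [Singlesnet] C:\Program Files\Singlesnet\Singlesnet\Singlesnet.exe [x]
HKU\Paul Garcia\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\Paul Garcia\...\Winlogon: [Shell] Explorer.exe [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%-4s] %s: %s" % (f.severity, f.reason, f.entry.raw))
    print("fixlist.txt candidates:", fixlist_lines(triage(SAMPLE_LOG)))
```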

#7 Paul Garcia
  • Topic Starter
  • Members
  • 62 posts

Posted 30 January 2013 - 10:26 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 28-01-2013 02
Ran by SYSTEM at 2013-01-30 19:23:31 Run:1
Running from F:\

==============================================

HKEY_USERS\Paul Garcia\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.
C:\Users\Paul Garcia\AppData\Roaming\skype.ini moved successfully.

==== End of Fixlog ====

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 January 2013 - 10:33 PM

Hello


These are the programs I would like you to run next. If you have any problems with one of these, just skip it and run the next one.


-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.

Gringo

#9 Paul Garcia
  • Topic Starter
  • Members
  • 62 posts

Posted 30 January 2013 - 11:09 PM

I was able to boot up normally. I let the infected PC sit for at least half an hour and the demand screen did not reappear. My desktop appears unaltered and I seem to have my documents and photos available.

I know you are going to instruct me on how to back up my files. I do have an external USB-connected HDD I use for this purpose (although the backup image is not quite up to date). When you instruct on how to back up my files, please advise if I can use the external HDD or if doing so risks contaminating it and I should back up to a DVD instead.

Thanks again!

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 January 2013 - 11:27 PM

Using the external hard drive should be fine. The main thing I want you to do is this: any files that you do not want to lose, or that cannot be replaced if something goes wrong, copy them to the external drive for safekeeping.



gringo

#11 Paul Garcia
  • Topic Starter
  • Members
  • 62 posts

Posted 31 January 2013 - 01:36 AM

RogueKiller V8.4.3 [Jan 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Paul Garcia [Admin rights]
Mode : Remove -- Date : 01/30/2013 21:25:37
| ARK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Run : PPort11reminder ("C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini) -> DELETED
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (hxxp=127.0.0.1:6092) -> NOT REMOVED, USE PROXYFIX
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x828DD65D -> HOOKED (Unknown @ 0x877A3DC8)
SSDT[14] : NtAlertThread @ 0x82856295 -> HOOKED (Unknown @ 0x877A3EA8)
SSDT[18] : NtAllocateVirtualMemory @ 0x8289254B -> HOOKED (Unknown @ 0x868C9B58)
SSDT[21] : NtAlpcConnectPort @ 0x8283488B -> HOOKED (Unknown @ 0x87680690)
SSDT[42] : NtAssignProcessToJobObject @ 0x82807B47 -> HOOKED (Unknown @ 0x868A5DB0)
SSDT[67] : NtCreateMutant @ 0x8286A862 -> HOOKED (Unknown @ 0x877A3B18)
SSDT[77] : NtCreateSymbolicLinkObject @ 0x8280A35E -> HOOKED (Unknown @ 0x868A5AD0)
SSDT[78] : NtCreateThread @ 0x828DBC74 -> HOOKED (Unknown @ 0x868A5360)
SSDT[116] : NtDebugActiveProcess @ 0x828AED78 -> HOOKED (Unknown @ 0x868A5E90)
SSDT[129] : NtDuplicateObject @ 0x82842581 -> HOOKED (Unknown @ 0x868C9CB0)
SSDT[147] : NtFreeVirtualMemory @ 0x826CEF1D -> HOOKED (Unknown @ 0x877A3668)
SSDT[156] : NtImpersonateAnonymousToken @ 0x82804F16 -> HOOKED (Unknown @ 0x877A3C08)
SSDT[158] : NtImpersonateThread @ 0x8281A553 -> HOOKED (Unknown @ 0x877A3CE8)
SSDT[165] : NtLoadDriver @ 0x827B5DEE -> HOOKED (Unknown @ 0x87581850)
SSDT[177] : NtMapViewOfSection @ 0x8285A8DA -> HOOKED (Unknown @ 0x877A3568)
SSDT[184] : NtOpenEvent @ 0x82843DFF -> HOOKED (Unknown @ 0x877A3A38)
SSDT[194] : NtOpenProcess @ 0x8286AFFE -> HOOKED (Unknown @ 0x868C9E50)
SSDT[195] : NtOpenProcessToken @ 0x8284BA60 -> HOOKED (Unknown @ 0x878C01F8)
SSDT[197] : NtOpenSection @ 0x8285B6AD -> HOOKED (Unknown @ 0x877A3878)
SSDT[201] : NtOpenThread @ 0x8286654F -> HOOKED (Unknown @ 0x868C9D80)
SSDT[210] : NtProtectVirtualMemory @ 0x82864332 -> HOOKED (Unknown @ 0x868A5CC0)
SSDT[282] : NtResumeThread @ 0x82865B9A -> HOOKED (Unknown @ 0x877A3F88)
SSDT[289] : NtSetContextThread @ 0x828DD10B -> HOOKED (Unknown @ 0x877A32B8)
SSDT[305] : NtSetInformationProcess @ 0x8285E908 -> HOOKED (Unknown @ 0x877A3398)
SSDT[317] : NtSetSystemInformation @ 0x82830EEF -> HOOKED (Unknown @ 0x868A5F70)
SSDT[330] : NtSuspendProcess @ 0x828DD597 -> HOOKED (Unknown @ 0x877A3958)
SSDT[331] : NtSuspendThread @ 0x827E492D -> HOOKED (Unknown @ 0x877A30F8)
SSDT[334] : NtTerminateProcess @ 0x8283B173 -> HOOKED (Unknown @ 0x868AB1C0)
SSDT[335] : unknown @ 0x82866584 -> HOOKED (Unknown @ 0x877A31D8)
SSDT[348] : NtUnmapViewOfSection @ 0x8285AB9D -> HOOKED (Unknown @ 0x877A3488)
SSDT[358] : NtWriteVirtualMemory @ 0x8285796D -> HOOKED (Unknown @ 0x877A3008)
SSDT[382] : NtCreateThreadEx @ 0x82866039 -> HOOKED (Unknown @ 0x868A5BC0)
S_SSDT[317] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x86899428)
S_SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x878C5E00)
S_SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x878C5D40)
S_SSDT[430] : NtUserGetKeyState -> HOOKED (Unknown @ 0x878C5EC0)

#12 Paul Garcia

Paul Garcia
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  • Local time:01:30 PM

Posted 31 January 2013 - 01:38 AM

Hi Gringo,

This RogueKiller report is #2 because I inadvertently interrupted the first run and had to run it a second time. The output looks the same as the first one, though. Let me know if you need the other log as well.


RogueKiller V8.4.3 [Jan 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Paul Garcia [Admin rights]
Mode : Remove -- Date : 01/30/2013 21:25:37
| ARK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Run : PPort11reminder ("C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini) -> DELETED
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (hxxp=127.0.0.1:6092) -> NOT REMOVED, USE PROXYFIX
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x828DD65D -> HOOKED (Unknown @ 0x877A3DC8)
SSDT[14] : NtAlertThread @ 0x82856295 -> HOOKED (Unknown @ 0x877A3EA8)
SSDT[18] : NtAllocateVirtualMemory @ 0x8289254B -> HOOKED (Unknown @ 0x868C9B58)
SSDT[21] : NtAlpcConnectPort @ 0x8283488B -> HOOKED (Unknown @ 0x87680690)
SSDT[42] : NtAssignProcessToJobObject @ 0x82807B47 -> HOOKED (Unknown @ 0x868A5DB0)
SSDT[67] : NtCreateMutant @ 0x8286A862 -> HOOKED (Unknown @ 0x877A3B18)
SSDT[77] : NtCreateSymbolicLinkObject @ 0x8280A35E -> HOOKED (Unknown @ 0x868A5AD0)
SSDT[78] : NtCreateThread @ 0x828DBC74 -> HOOKED (Unknown @ 0x868A5360)
SSDT[116] : NtDebugActiveProcess @ 0x828AED78 -> HOOKED (Unknown @ 0x868A5E90)
SSDT[129] : NtDuplicateObject @ 0x82842581 -> HOOKED (Unknown @ 0x868C9CB0)
SSDT[147] : NtFreeVirtualMemory @ 0x826CEF1D -> HOOKED (Unknown @ 0x877A3668)
SSDT[156] : NtImpersonateAnonymousToken @ 0x82804F16 -> HOOKED (Unknown @ 0x877A3C08)
SSDT[158] : NtImpersonateThread @ 0x8281A553 -> HOOKED (Unknown @ 0x877A3CE8)
SSDT[165] : NtLoadDriver @ 0x827B5DEE -> HOOKED (Unknown @ 0x87581850)
SSDT[177] : NtMapViewOfSection @ 0x8285A8DA -> HOOKED (Unknown @ 0x877A3568)
SSDT[184] : NtOpenEvent @ 0x82843DFF -> HOOKED (Unknown @ 0x877A3A38)
SSDT[194] : NtOpenProcess @ 0x8286AFFE -> HOOKED (Unknown @ 0x868C9E50)
SSDT[195] : NtOpenProcessToken @ 0x8284BA60 -> HOOKED (Unknown @ 0x878C01F8)
SSDT[197] : NtOpenSection @ 0x8285B6AD -> HOOKED (Unknown @ 0x877A3878)
SSDT[201] : NtOpenThread @ 0x8286654F -> HOOKED (Unknown @ 0x868C9D80)
SSDT[210] : NtProtectVirtualMemory @ 0x82864332 -> HOOKED (Unknown @ 0x868A5CC0)
SSDT[282] : NtResumeThread @ 0x82865B9A -> HOOKED (Unknown @ 0x877A3F88)
SSDT[289] : NtSetContextThread @ 0x828DD10B -> HOOKED (Unknown @ 0x877A32B8)
SSDT[305] : NtSetInformationProcess @ 0x8285E908 -> HOOKED (Unknown @ 0x877A3398)
SSDT[317] : NtSetSystemInformation @ 0x82830EEF -> HOOKED (Unknown @ 0x868A5F70)
SSDT[330] : NtSuspendProcess @ 0x828DD597 -> HOOKED (Unknown @ 0x877A3958)
SSDT[331] : NtSuspendThread @ 0x827E492D -> HOOKED (Unknown @ 0x877A30F8)
SSDT[334] : NtTerminateProcess @ 0x8283B173 -> HOOKED (Unknown @ 0x868AB1C0)
SSDT[335] : unknown @ 0x82866584 -> HOOKED (Unknown @ 0x877A31D8)
SSDT[348] : NtUnmapViewOfSection @ 0x8285AB9D -> HOOKED (Unknown @ 0x877A3488)
SSDT[358] : NtWriteVirtualMemory @ 0x8285796D -> HOOKED (Unknown @ 0x877A3008)
SSDT[382] : NtCreateThreadEx @ 0x82866039 -> HOOKED (Unknown @ 0x868A5BC0)
S_SSDT[317] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x86899428)
S_SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x878C5E00)
S_SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x878C5D40)
S_SSDT[430] : NtUserGetKeyState -> HOOKED (Unknown @ 0x878C5EC0)
S_SSDT[442] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x878C5F80)
S_SSDT[479] : NtUserMessageCall -> HOOKED (Unknown @ 0x878C5AD0)
S_SSDT[497] : NtUserPostMessage -> HOOKED (Unknown @ 0x878C5C70)
S_SSDT[498] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x878C5BA0)
S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x868A61F8)
S_SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x868A62C8)

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK3255GSX ATA Device +++++
--- User ---
[MBR] 2d2116d4ee3f4b0d6ec7c6396976cc23
[BSP] e3948c3159977fe7dae6e0993bd15cda : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 294788 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 606799872 | Size: 8956 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_01302013_02d2125.txt >>
RKreport[1]_S_01302013_02d2113.txt ; RKreport[2]_D_01302013_02d2125.txt

Edited by Paul Garcia, 31 January 2013 - 01:42 AM.


#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:30 PM

Posted 31 January 2013 - 01:38 AM

Hello

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

Edited by gringo_pr, 31 January 2013 - 01:39 AM.


#14 Paul Garcia

Paul Garcia
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  • Local time:01:30 PM

Posted 31 January 2013 - 09:36 AM

I'm running Combofix right now.

Issues noted:

1) The linked instructions for suspending my Norton 360 operations are out of date (and the two links have different instructions). I went in and suspended the anti-virus protection and the firewall (which I believe was the intent of the linked instructions), plus the background updates for good measure. My Norton 360 does not have an option to suspend.

2) After doing the above, I still got a message that Combofix found my Norton 360 to be active and I was continuing at my own risk. I clicked the "X" on the dialog box hoping it would stop the process, but Combofix proceeded. I did not want to chance shutting down my PC in the middle of the scan.

#15 Paul Garcia

Paul Garcia
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  • Local time:01:30 PM

Posted 31 January 2013 - 09:40 AM

Okay, Combofix is now done.

By the way, I just noticed on BleepingComputer's home page that Combofix itself has acquired a virus. Can we verify whether the version I downloaded is virus-free (we did suspend the anti-virus protection during the latest process, after all)? If not, how should I proceed in light of this information?

Anyhow, here is the Combofix log:

ComboFix 13-01-30.04 - Paul Garcia 01/31/2013 4:49.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2813.1553 [GMT -8:00]
Running from: c:\users\Paul Garcia\Desktop\ComboFix.exe
AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-12-28 to 2013-01-31 )))))))))))))))))))))))))))))))
.
.
2013-01-31 13:24 . 2013-01-31 13:25 -------- d-----w- c:\users\Paul Garcia\AppData\Local\temp
2013-01-31 13:24 . 2013-01-31 13:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-30 03:35 . 2013-01-30 03:35 -------- d-----w- C:\FRST
2013-01-28 01:33 . 2013-01-28 01:33 -------- d-----w- C:\NPE
2013-01-27 22:20 . 2013-01-28 01:48 -------- d-----w- C:\NBRT
2013-01-23 03:19 . 2013-01-27 21:26 -------- d-----w- c:\windows\system32\drivers\N360\1402010.016
2013-01-10 14:31 . 2012-11-23 01:35 2048000 ----a-w- c:\windows\system32\win32k.sys
2013-01-10 14:30 . 2012-11-20 04:22 204288 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-10 14:30 . 2012-11-02 10:19 1400832 ----a-w- c:\windows\system32\msxml6.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-05 22:20 . 2012-01-03 23:13 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-12-16 13:12 . 2012-12-21 11:01 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 10:50 . 2012-12-21 11:01 293376 ----a-w- c:\windows\system32\atmfd.dll
2012-11-15 03:28 . 2012-11-15 03:28 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-11-15 03:27 . 2012-06-25 13:29 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-11-15 03:27 . 2012-03-25 05:31 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-14 02:09 . 2012-12-14 11:25 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58 . 2012-12-14 11:24 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57 . 2012-12-14 11:25 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49 . 2012-12-14 11:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48 . 2012-12-14 11:25 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44 . 2012-12-14 11:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-13 01:29 . 2012-12-14 09:56 2048 ----a-w- c:\windows\system32\tzres.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-22 61440]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-03-13 6965792]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-18 1451304]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-03-07 468320]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2009-03-09 55160]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-12-18 448376]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-03-23 729088]
"NDSTray.exe"="c:\program files\TOSHIBA\ConfigFree\NDSTray.exe" [2009-05-13 299008]
"cfFncEnabler.exe"="c:\program files\TOSHIBA\ConfigFree\cfFncEnabler.exe" [2009-03-24 16384]
"Teco"="c:\program files\TOSHIBA\TECO\Teco.exe" [2009-04-15 1318912]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-02-07 622592]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]
"TPCHWMsg"="c:\program files\TOSHIBA\TPHM\TPCHWMsg.exe" [2009-04-10 570736]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-16 417792]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe" [2009-03-24 1007616]
"SmartFaceVWatcher"="c:\program files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [2009-03-25 163840]
"TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-04-17 2513472]
"Memeo Instant Backup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2010-04-23 136416]
"Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2011-06-01 79112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 17:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uInternet Settings,ProxyServer = http=127.0.0.1:6092
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Singlesnet - c:\program files\Singlesnet\Singlesnet\Singlesnet.exe
HKCU-Run-ISUSPM - c:\programdata\FLEXnet\Connect\11\ISUSPM.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-31 05:25
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\20.2.1.22\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\20.2.1.22\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NSL]
"ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\2.0.0.16\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(9784)
c:\windows\system32\ieframe.dll
.
Completion time: 2013-01-31 05:28:02
ComboFix-quarantined-files.txt 2013-01-31 13:27
.
Pre-Run: 214,917,050,368 bytes free
Post-Run: 214,837,047,296 bytes free
.
- - End Of File - - 4491ED376E92AA94BCD85D7BE0A0C2C0
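One detail worth pulling out of the two reports above: RogueKiller flagged the Internet Explorer ProxyServer entry (hxxp=127.0.0.1:6092) as NOT REMOVED, and ComboFix's Supplementary Scan afterwards still lists the same loopback proxy. The following Python script is an added example, not a tool from this thread or from either product: it parses the two log formats as they appear above (the parsing rules are this example's own assumption, not an official specification), flags findings a tool reported but did not clear, and cross-checks which loopback proxy survived both passes.

```python
"""Added triage helper for RogueKiller / ComboFix report excerpts (example code,
not part of either tool). Constructed input: the excerpts are lines copied from
the reports posted in this thread."""
import re
from ipaddress import ip_address

# Constructed input: lines from the RogueKiller "Registry Entries" section (post #12).
ROGUEKILLER_EXCERPT = r"""
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (hxxp=127.0.0.1:6092) -> NOT REMOVED, USE PROXYFIX
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
"""
# Constructed input: lines from the ComboFix "Supplementary Scan" section (post #15).
COMBOFIX_EXCERPT = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
TCP: DhcpNameServer = 192.168.1.1
"""

# RogueKiller line shape (assumed): one or more [TAG] groups, key path, ": NAME (VALUE) -> ACTION"
RK_LINE = re.compile(r"^(?P<tags>(?:\[[^\]]+\])+)\s+[^:]*: (?P<name>\S+) \((?P<value>.*)\) -> (?P<action>.+)$")
# ComboFix line shape (assumed): "uInternet Settings,ProxyServer = http=HOST:PORT"
CF_PROXY = re.compile(r"Internet Settings,ProxyServer = (?P<value>\S+)")
# Proxy value as either tool prints it: http=HOST:PORT, or defanged hxxp=HOST:PORT
PROXY_VALUE = re.compile(r"^h(?:tt|xx)p=(?P<host>[^:]+):(?P<port>\d+)$")


def parse_proxy(value):
    """Return (host, port) for a ProxyServer value, or None if it is not one."""
    m = PROXY_VALUE.match(value)
    return (m.group("host"), int(m.group("port"))) if m else None


def is_loopback_proxy(value):
    """True when the proxy host is in 127.0.0.0/8, i.e. browser traffic is being
    routed through a listener on the machine itself rather than a real proxy."""
    parsed = parse_proxy(value)
    if parsed is None:
        return False
    try:
        return ip_address(parsed[0]).is_loopback
    except ValueError:  # a hostname rather than a literal address
        return False


def triage_roguekiller(text):
    """Entries RogueKiller reported but did not clear, plus any loopback proxy."""
    findings = []
    for line in text.splitlines():
        m = RK_LINE.match(line.strip())
        if m is None:
            continue
        tags, name, value, action = m.group("tags", "name", "value", "action")
        if action.startswith("NOT REMOVED"):
            findings.append(("unresolved", name, value))
        if "PROXY" in tags and is_loopback_proxy(value):
            findings.append(("loopback-proxy", name, value))
    return findings


def triage_combofix(text):
    """Loopback proxies still listed in ComboFix's post-run supplementary scan."""
    findings = []
    for line in text.splitlines():
        m = CF_PROXY.search(line)
        if m and is_loopback_proxy(m.group("value")):
            findings.append(("loopback-proxy", "ProxyServer", m.group("value")))
    return findings


def still_present(rk_text, cf_text):
    """(host, port) pairs RogueKiller left in place that ComboFix still saw afterwards."""
    rk = {parse_proxy(v) for kind, _, v in triage_roguekiller(rk_text) if kind == "unresolved"}
    cf = {parse_proxy(v) for _, _, v in triage_combofix(cf_text)}
    return sorted((rk & cf) - {None})


if __name__ == "__main__":
    for finding in triage_roguekiller(ROGUEKILLER_EXCERPT) + triage_combofix(COMBOFIX_EXCERPT):
        print(*finding)
    print("left behind by both passes:", still_present(ROGUEKILLER_EXCERPT, COMBOFIX_EXCERPT))
```

Run against the excerpts it reports the ProxyServer entry twice (unresolved and loopback) from RogueKiller, once from ComboFix, and `[('127.0.0.1', 6092)]` as the item that neither pass cleared.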



