PCEU Ransomware removed using ComboFix - now no iexplore or network settings!


  • This topic is locked
8 replies to this topic

#1 StatusBaby

  • Members
  • 4 posts

Posted 26 February 2013 - 03:39 AM

Mod Edit: Moved to proper forum ~~boopme

Hello, and thanks for your help in advance. I am running Windows XP, fully updated with all the latest service packs.

For the second time in a couple of months my PC became infected with PCEU ransomware. Previously (last December) I removed this using ComboFix with no issues and so attempted the same again. After some hassle (I couldn't boot into Safe Mode) I eventually managed to get a brief window to run ComboFix by booting into Safe Mode with Command Prompt.

Here is the ComboFix log:

ComboFix 13-02-24.01 - Paul 26/02/2013   0:54.2.4 - x86 MINIMAL
Running from: c:\documents and settings\Paul\My Documents\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\5280702.js
c:\documents and settings\All Users\Application Data\5280702.pad
c:\documents and settings\Paul\Application Data\ldr.mcb
c:\windows\system32\Cache
c:\windows\system32\Cache\26c630d098e22dd5.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\95f567698be8a182.fb
c:\windows\system32\Cache\ab0dfbd79969a8be.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\c96945d80b014d55.fb
c:\windows\system32\Cache\cbba3a46f7879f63.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-26 to 2013-02-26  )))))))))))))))))))))))))))))))
.
.
2013-02-05 08:41 . 2013-02-05 08:41    --------    d-----w-    c:\documents and settings\Paul\Local Settings\Application Data\PCHealth
2013-01-27 12:10 . 2013-01-27 12:10    --------    d-----w-    c:\program files\AnvSoft
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-20 15:03 . 2012-04-15 20:48    691568    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-02-20 15:03 . 2011-05-21 19:02    71024    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-18 16:40 . 2012-10-07 22:51    33112    ----a-w-    c:\windows\system32\drivers\avgtpx86.sys
2012-12-16 12:23 . 2002-08-29 12:00    290560    ----a-w-    c:\windows\system32\atmfd.dll
2011-09-07 12:11 . 2011-04-07 23:03    134104    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
Cryptography Services Error !!
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2013-02-18 16:40    1929392    ----a-w-    c:\program files\AVG Secure Search\14.2.0.1\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\14.2.0.1\AVG Secure Search_toolbar.dll" [2013-02-18 1929392]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SW20"="c:\windows\System32\sw20.exe" [2006-12-15 208896]
"SW24"="c:\windows\System32\sw24.exe" [2006-12-15 69632]
"WinSys2"="c:\windows\System32\winsys2.exe" [2006-12-15 217088]
"C-Media Mixer"="Mixer.exe" [2002-10-15 1818624]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 1632360]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2013-02-18 1151152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2012-12-11 3147384]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-03-04 14:57    87424    ----a-w-    c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0lsdelete\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"d:\\Programs Drivers Utilities\\mIRC Zappateers\\mirc.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\aTube Catcher 2.0\\yct.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.21\\bin\\httpd.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management 
.
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [x]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [x]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [x]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [x]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [x]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]
R2 vToolbarUpdater14.2.0;vToolbarUpdater14.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [x]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l151x86.sys [x]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]
R3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys [x]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [x]
S0 Avglogx;AVG Logging Driver;c:\windows\system32\DRIVERS\avglogx.sys [x]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 13379340
*Deregistered* - 13379340
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-179605362-839522115-1003Core.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-10 00:17]
.
2013-02-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-179605362-839522115-1003UA.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-10 00:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
TCP: Interfaces\{408C9110-74F7-4450-ACAD-34E16F21DE64}: NameServer = 10.0.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\14.2.0\ViProtocol.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\svljyyab.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - ExtSQL: !HIDDEN! 2009-08-22 02:37; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-26 01:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(260)
c:\windows\system32\LMIinit.dll
.
Completion time: 2013-02-26  01:02:59
ComboFix-quarantined-files.txt  2013-02-26 01:02
ComboFix2.txt  2012-12-15 03:19
.
Pre-Run: 460,316,602,368 bytes free
Post-Run: 461,705,457,664 bytes free
.
- - End Of File - - FEE5FE9DECB789354CD191DDF5DD71AF

After this the ransomware was gone, but there was no network icon in the bottom right-hand corner of the screen. Right-clicking on My Network Connections pulls up an empty Network Connections window, although looking in a CMD window shows an IP address allocated and I can ping sites OK. Internet Explorer won't run: no error messages, just nothing happens, although Chrome works OK. Finally, the CD player, whilst still appearing in My Computer, can't actually read any CDs.

I assumed I was still infected and ran Emsisoft Emergency Kit, which found about 14 problems of various severity. Here is the log:

Emsisoft Emergency Kit - Version 3.0
Last update: 26/02/2013 01:54:05
 
Scan settings:
 
Scan type: Deep Scan
Objects: Rootkits, Memory, Traces, C:\, D:\, E:\
 
Detect Riskware: Off
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start:    26/02/2013 01:55:17
 
Value: hkey_users\s-1-5-21-484763869-179605362-839522115-1003\software\elcom\advanced rar password recovery -> Installer Language     detected: Trace.Registry.Advanced RAR Password Recovery (A)
Value: HKEY_CLASSES_ROOT\CLSID\{E7EDC300-766F-11CF-A64F-0020AF37425D}\INPROCSERVER32 -> ThreadingModel     detected: Trace.Registry.WebPI (A)
C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\29\262c599d-35bdd9f3 -> wyagcsl/cmqlcpwvrapnrdtffdtdgjvq.class     detected: Exploit.Java.CVE-2012-0507.BH ( B)
C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\61\38d4b23d-182920ad -> wyagcsl/cmqlcpwvrapnrdtffdtdgjvq.class     detected: Exploit.Java.CVE-2012-0507.BH ( B)
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\5280702.js.vir     detected: Trojan.Script.480412 ( B)
D:\Programs Drivers Utilities\Games and Utilities\Utilities\Internet Utilities\ADSL Access Software\BT Interactive\Install_Win98.exe -> (CAB Sfx o) -> \disk1\data1.cab -> (IShield Module 2)     detected: Gen:Trojan.Heur.VP.cu0@aCNvENoi ( B)
D:\Programs Drivers Utilities\Games and Utilities\Utilities\Internet Utilities\ADSL Access Software\BT Interactive\Install_Win98.exe -> (CAB Sfx o) -> \disk1\data1.cab -> (IShield Module 7)     detected: Gen:Trojan.Heur.VB.bu0@dC9omHmi ( B)
D:\Programs Drivers Utilities\Games and Utilities\Utilities\Sound & Video Utilities\codecs\codecs\Codecs\Microsoft_DV_video_codec_v6.4.exe     detected: Gen:Trojan.Heur.yuZ@yP6MXjliu ( B)
D:\Programs Drivers Utilities\Games and Utilities\Utilities\Sound & Video Utilities\codecs\codecs\Codecs\SigmaDesign_REALmagic_MPEG4_video_codec_v1.0.exe     detected: Gen:Trojan.Heur.CuZ@yP6MXjliu ( B)
D:\Programs Drivers Utilities\Games and Utilities\Utilities\Sound & Video Utilities\MP3Detective.zip -> puke.rar -> patch.exe     detected: Trojan.Generic.4007934 ( B)
D:\Programs Drivers Utilities\Games and Utilities\Utilities\Sound & Video Utilities\SPR JukeBox v8.4\spr-jb84.zip -> spr-inf.ini     detected: Trojan.Script.141021 ( B)
D:\Programs Drivers Utilities\Games and Utilities\Utilities\System & General Utilities\Alcohol\alcohol120_trial_1.9.5.3823.exe     detected: Adware.Win32.Mostofate (A)
D:\Programs Drivers Utilities\Games and Utilities\Utilities\System & General Utilities\Serialz2000\ser2k70b.exe     detected: Backdoor.Win32.Rbot.bhkl.AMN (A)
D:\Programs Drivers Utilities\YouTube Catcher\aTube_Catcher_Installer.exe     detected: Trojan.Win32.Agent.AMN (A)
 
Scanned    419875
Found    14
 
Scan end:    26/02/2013 02:57:07
Scan time:    1:01:50
 
D:\Programs Drivers Utilities\YouTube Catcher\aTube_Catcher_Installer.exe    Quarantined Trojan.Win32.Agent.AMN (A)
D:\Programs Drivers Utilities\Games and Utilities\Utilities\System & General Utilities\Serialz2000\ser2k70b.exe    Quarantined Backdoor.Win32.Rbot.bhkl.AMN (A)
D:\Programs Drivers Utilities\Games and Utilities\Utilities\System & General Utilities\Alcohol\alcohol120_trial_1.9.5.3823.exe    Quarantined Adware.Win32.Mostofate (A)
D:\Programs Drivers Utilities\Games and Utilities\Utilities\Sound & Video Utilities\SPR JukeBox v8.4\spr-jb84.zip -> spr-inf.ini    Quarantined Trojan.Script.141021 ( B)
D:\Programs Drivers Utilities\Games and Utilities\Utilities\Sound & Video Utilities\MP3Detective.zip -> puke.rar -> patch.exe    Quarantined Trojan.Generic.4007934 ( B)
D:\Programs Drivers Utilities\Games and Utilities\Utilities\Sound & Video Utilities\codecs\codecs\Codecs\SigmaDesign_REALmagic_MPEG4_video_codec_v1.0.exe    Quarantined Gen:Trojan.Heur.CuZ@yP6MXjliu ( B)
D:\Programs Drivers Utilities\Games and Utilities\Utilities\Sound & Video Utilities\codecs\codecs\Codecs\Microsoft_DV_video_codec_v6.4.exe    Quarantined Gen:Trojan.Heur.yuZ@yP6MXjliu ( B)
D:\Programs Drivers Utilities\Games and Utilities\Utilities\Internet Utilities\ADSL Access Software\BT Interactive\Install_Win98.exe -> (CAB Sfx o) -> \disk1\data1.cab -> (IShield Module 7)    Quarantined Gen:Trojan.Heur.VB.bu0@dC9omHmi ( B)
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\5280702.js.vir    Quarantined Trojan.Script.480412 ( B)
C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\29\262c599d-35bdd9f3 -> wyagcsl/cmqlcpwvrapnrdtffdtdgjvq.class    Quarantined Exploit.Java.CVE-2012-0507.BH ( B)
C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\61\38d4b23d-182920ad -> wyagcsl/cmqlcpwvrapnrdtffdtdgjvq.class    Quarantined Exploit.Java.CVE-2012-0507.BH ( B)
Value: HKEY_CLASSES_ROOT\CLSID\{E7EDC300-766F-11CF-A64F-0020AF37425D}\INPROCSERVER32 -> ThreadingModel    Quarantined Trace.Registry.WebPI (A)
Value: hkey_users\s-1-5-21-484763869-179605362-839522115-1003\software\elcom\advanced rar password recovery -> Installer Language    Quarantined Trace.Registry.Advanced RAR Password Recovery (A)
 
Quarantined    13
_________________________________
End of file

So now I'm stuck, and the issues still remain. In summary:
1. No network connections showing in Windows (although I can see connections on the CMD line)
2. No Internet Explorer, and no error message (other browsers work OK)
3. CD player unable to read any data from CDs
4. Unable to copy and paste files, either by drag and drop or Ctrl+C / Ctrl+V (discovered when I attempted to copy my pictures to a memory stick for backup)

Any help gratefully received.


Thanks

SB


Edited by boopme, 26 February 2013 - 04:51 PM.
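Added example (not part of the post above, and not Emsisoft's or ComboFix's own tooling): a short Python triage of the Emsisoft Emergency Kit log format shown in the post, grouping detections by where they were found rather than by detection name. The sample lines are copied from the posted log in its own layout; the buckets (registry trace, ComboFix's Qoobox quarantine folder, the Java plug-in's deployment cache, files on a non-system drive) and the meaning attached to each are this example's assumptions, not a verdict the scanner gives. Run over the posted log, the split is what a responder wants to see: the only hits on C: are the already-quarantined 5280702.js and two cached Java applets flagged as CVE-2012-0507 (the 2012 Java AtomicReferenceArray flaw that browser exploit kits used heavily that year), which points at the Java plug-in as the way in, while every D: hit is a stored installer, patch or crack that does nothing until someone runs it.

```python
"""Triage an Emsisoft Emergency Kit scan log by *where* each detection lives.

Added example, not code from the original post or from Emsisoft/ComboFix.
Line format handled:  <object>[ -> <inner>...]     detected: <name> (<engine>)
The bucket names and what they imply are this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: five lines copied in the shape of the Emsisoft 3.0
# log posted in the thread (one detection per line).
SAMPLE_LOG = r"""
Value: hkey_users\s-1-5-21-484763869-179605362-839522115-1003\software\elcom\advanced rar password recovery -> Installer Language     detected: Trace.Registry.Advanced RAR Password Recovery (A)
C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\29\262c599d-35bdd9f3 -> wyagcsl/cmqlcpwvrapnrdtffdtdgjvq.class     detected: Exploit.Java.CVE-2012-0507.BH ( B)
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\5280702.js.vir     detected: Trojan.Script.480412 ( B)
D:\Programs Drivers Utilities\Games and Utilities\Utilities\Sound & Video Utilities\MP3Detective.zip -> puke.rar -> patch.exe     detected: Trojan.Generic.4007934 ( B)
D:\Programs Drivers Utilities\YouTube Catcher\aTube_Catcher_Installer.exe     detected: Trojan.Win32.Agent.AMN (A)
"""

# Object and verdict are separated by a run of spaces; the engine tag is
# written "(A)" or "( B)" in this log version, hence the optional space.
DETECTION_RE = re.compile(
    r"^(?P<object>.+?)\s{2,}detected:\s+(?P<name>.+?)\s+\(\s?(?P<engine>[AB])\)\s*$"
)


def parse_detections(log_text):
    """Yield one dict per detection line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        obj = m.group("object")
        is_registry = obj.startswith("Value: ")
        chain = (obj[len("Value: "):] if is_registry else obj).split(" -> ")
        yield {
            "outer": chain[0],      # the file or registry key that actually exists
            "inner": chain[1:],     # nested members: archive entries, registry values
            "registry": is_registry,
            "name": m.group("name"),
            "engine": m.group("engine"),
        }


def classify(det):
    """Bucket a detection by location (assumed meanings, not scanner output)."""
    outer = det["outer"].lower()
    if det["registry"]:
        return "registry-trace"        # leftover key/value, carries no code
    if "\\qoobox\\quarantine\\" in outer:
        return "already-quarantined"   # ComboFix's own quarantine folder
    if "\\sun\\java\\deployment\\cache\\" in outer:
        return "exploit-cache"         # applet cached by the Java plug-in: delivery vector
    if not outer.startswith("c:\\"):
        return "non-system-drive"      # stored installers/archives, dormant until run
    return "system-drive-file"         # anything else on C: deserves a closer look


def triage(log_text):
    """Return {bucket: [(detection name, outer object), ...]} for a whole log."""
    buckets = defaultdict(list)
    for det in parse_detections(log_text):
        buckets[classify(det)].append((det["name"], det["outer"]))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"== {bucket} ({len(items)})")
        for name, outer in items:
            print(f"   {name}  <-  {outer}")
```

To use it on the full log, read the file into a string and pass it to triage(); whatever lands in system-drive-file, i.e. on C: but outside the quarantine folder and the Java cache, is the part that still needs a decision.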


#2 StatusBaby (Topic Starter)

  • Members
  • 4 posts

Posted 27 February 2013 - 08:14 PM

Just a quick note to say I'm still actively looking for help with this problem, but I will be out of town until Sunday, so if you do help me (and thank you if you do) please don't expect a response from me until Monday at the earliest.

 

Many thanks

SB



#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 28 February 2013 - 08:16 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

#4 StatusBaby (Topic Starter)

  • Members
  • 4 posts

Posted 03 March 2013 - 05:01 AM

Hi, I am here and all ears. Thank you.



#5 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 March 2013 - 09:52 AM

Well, although it was malware that destroyed your cryptographic services, this is not a malware subject as such.

 

The best guide I have found was here. It's very comprehensive and as straightforward as this can be and it should get you up and running. The only other option is to reformat and reinstall the machine.



#6 StatusBaby (Topic Starter)

  • Members
  • 4 posts

Posted 03 March 2013 - 11:52 AM

Thanks for the link. Not much can be done until I can get the CD-ROM to recognise CDs. I've tried uninstalling and reinstalling via Device Manager to no avail; I will physically disconnect and reinstall it later and let you know if the solution worked.

 

As this is a second PC mainly used for torrents and as a data dump, I may just resort to an OS reinstallation. Thanks for the assistance; I'll keep you posted.



#7 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 March 2013 - 08:40 PM

Okay. :)

#8 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 March 2013 - 08:39 PM

Any news, SB?

#9 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 12 March 2013 - 08:08 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



