FBI Ransomware and now white screen in safe mode


  • This topic is locked
14 replies to this topic

#1 mudhustler

mudhustler

  • Members
  • 64 posts

Posted 29 March 2013 - 03:31 PM

The machine is a Latitude E6520 running Win7 Pro 32-bit.  I can't access anything on it.  I just get a white screen after logging in.




#2 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 29 March 2013 - 03:52 PM

Hello mudhustler, and welcome to the Malware Removal Forums!

My name is bloopie and I'll be helping you with your problems as best I can!

A few things to keep in mind while we are working together:
  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • Please copy and paste all logs here unless otherwise instructed!
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.
==========

Now, let's see if we can get a log to work with. You will need the use of a removable flashdrive/thumbdrive for the next steps.

Step 1

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Plug the flash drive into the infected PC.

If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

If you are using Vista or Windows 7 enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html



To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt

Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
bloopie

#3 mudhustler

mudhustler
  • Topic Starter
  • Members
  • 64 posts

Posted 29 March 2013 - 05:01 PM

Bloopie,

 

Thanks for the help.  Below is the FRST.txt report.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2013 (ATTENTION: FRST version is 16 days old)
Ran by SYSTEM at 29-03-2013 16:01:19
Running from F:\
Windows 7 Professional  Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet002

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [488816 2011-01-04] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe [536668 2010-12-07] (IDT, Inc.)
HKLM\...\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start [288872 2011-02-02] (NVIDIA Corporation)
HKLM\...\Run: [IntelPROSet] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PROSet/Wireless [1210640 2010-12-23] (Intel® Corporation)
HKLM\...\Run: [FreeFallProtection] C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2010-12-15] ()
HKLM\...\Run: [IMSS] "C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [112152 2010-12-03] (Intel Corporation)
HKLM\...\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [462993 2010-03-12] (Creative Technology Ltd)
HKLM\...\Run: [RemoteControl9] "C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe" [87336 2009-07-06] (CyberLink Corp.)
HKLM\...\Run: [PDVD9LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe" [50472 2010-04-29] (CyberLink Corp.)
HKLM\...\Run: []  [x]
HKLM\...\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
HKLM\...\Run: [Desktop Disc Tool] "C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
HKLM\...\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-10-25] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [36760 2010-10-25] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [821144 2010-10-25] (Adobe Systems Inc.)
HKLM\...\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe" [1353040 2011-05-11] (Sunbelt Software)
HKLM\...\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe [670864 2009-09-18] (Carbonite, Inc.)
HKU\jbozarth\...\Winlogon: [Shell] C:\Users\jbozarth\AppData\Roaming\id.cff,explorer.exe [x]
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll [X]
AppInit_DLLs: C:\Windows\system32\nvinit.dll
Lsa: [Authentication Packages] msv1_0 wvauth
Startup: C:\ProgramData\Start Menu\Programs\Startup\Dell System Manager.lnk
ShortcutTarget: Dell System Manager.lnk -> C:\Program Files\Dell\Dell System Manager\DCPSysMgr.exe (Dell Inc.)

==================== Services (Whitelisted) ===================

2 CarboniteService; "C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe" [1980560 2009-09-18] (Carbonite, Inc. (www.carbonite.com))
2 Credential Vault Host Control Service; "C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe" [826272 2010-10-25] (Broadcom Corporation)
2 Credential Vault Host Storage; "C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe" [32160 2010-10-25] (Broadcom Corporation)
2 Intel® PROSet Monitoring Service; C:\Windows\system32\IProsetMonitor.exe [110752 2010-09-21] (Intel Corporation)
2 jhi_service; C:\Program Files\Intel\Services\IPT\jhi_service.exe [210896 2010-11-29] (Intel Corporation)
2 nvUpdatusService; C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2009704 2011-02-02] (NVIDIA Corporation)
2 O2FLASH; C:\Windows\System32\DRIVERS\o2flash.exe [72296 2010-02-11] (O2Micro International)
3 RoxMediaDB12OEM; "C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe" [1116656 2010-11-25] (Sonic Solutions)
2 RoxWatch12; "C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe" [219632 2010-11-25] (Sonic Solutions)
2 SBAMSvc; "C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe" [2804280 2011-05-11] (Sunbelt Software)
2 SBPIMSvc; "C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe" [181584 2011-05-11] (Sunbelt Software)
3 SecureStorageService; "C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe" [1477632 2010-11-03] (Wave Systems Corp.)
2 STacSV; C:\Program Files\IDT\WDM\STacSV.exe [262226 2010-12-07] (IDT, Inc.)
2 tcsd_win32.exe; "C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe" [1629696 2010-07-13] ()
2 TdmService; "C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe" [2336104 2010-10-16] (Wave Systems Corp.)
2 ZcfgSvc7; C:\Program Files\Intel\WiFi\bin\ZCfgSvc7.exe [577536 2010-12-23] (Intel® Corporation)
2 dcpsysmgrsvc; "c:\Program Files\Dell\Dell System Manager\DCPSysMgrSvc.exe" [x]
2 O2SDIOAssist; c:\Windows\system32\srvany.exe [x]

==================== Drivers (Whitelisted) ====================

3 Acceler; C:\Windows\System32\DRIVERS\Accelern.sys [43888 2010-12-13] (ST Microelectronics)
3 cvusbdrv; C:\Windows\System32\Drivers\cvusbdrv.sys [33832 2010-08-24] (Broadcom Corporation)
3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [238760 2010-10-28] (Intel Corporation)
3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41088 2010-10-19] (Intel Corporation)
3 NETwNs32; C:\Windows\System32\DRIVERS\NETwNs32.sys [7434240 2010-12-21] (Intel Corporation)
0 nvpciflt; C:\Windows\System32\DRIVERS\nvpciflt.sys [20328 2011-02-02] (NVIDIA Corporation)
3 O2MDFRDR; C:\Windows\system32\DRIVERS\O2MDFw7.sys [60904 2011-01-04] (O2Micro )
3 O2MDRRDR; C:\Windows\System32\DRIVERS\O2MDRw7.sys [62440 2011-01-04] (O2Micro )
3 O2SDJRDR; C:\Windows\System32\DRIVERS\o2sdjw7.sys [63848 2011-01-04] (O2Micro )
0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
2 sbapifs; C:\Windows\System32\DRIVERS\sbapifs.sys [74968 2011-05-11] (Sunbelt Software)
1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [101720 2011-04-29] (Sunbelt Software)
1 SbTis; C:\Windows\System32\drivers\sbtis.sys [78936 2011-04-05] (Sunbelt Software, Inc.)
0 stdcfltn; C:\Windows\System32\DRIVERS\stdcfltn.sys [17648 2010-08-20] (ST Microelectronics)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-03-29 16:00 - 2013-03-29 16:00 - 00000000 ____D C:\FRST
2013-03-29 10:08 - 2013-03-29 10:08 - 00000000 ____D C:\ProgramData\xjw
2013-03-20 08:17 - 2013-03-20 09:45 - 00015129 ____A C:\Users\jbozarth\Desktop\CONCRETE TEST CHECK.xlsx
2013-03-20 07:51 - 2013-03-20 08:03 - 00038704 ____A C:\Users\jbozarth\Desktop\606 Gaurd Rail 156 Brannan.xlsx
2013-03-18 04:15 - 2013-02-11 19:32 - 00015872 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys
2013-03-15 06:30 - 2013-02-28 05:37 - 11020800 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-03-15 06:30 - 2013-02-28 05:37 - 06032384 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-03-15 06:30 - 2013-02-28 05:37 - 02078208 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-03-15 06:30 - 2013-02-28 05:37 - 01231872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-03-15 06:30 - 2013-02-28 05:37 - 00981504 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-03-15 06:30 - 2013-02-28 05:37 - 00627712 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-03-15 06:30 - 2013-02-28 05:37 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-03-15 06:30 - 2013-02-28 05:37 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-03-15 06:30 - 2013-02-28 05:37 - 00067584 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-03-15 06:30 - 2013-02-28 05:37 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-03-15 06:30 - 2013-02-28 03:38 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-03-05 13:11 - 2013-03-07 10:44 - 00014019 ____A C:\Users\jbozarth\Desktop\Copy of sulfate Ion Content.xlsx
2013-03-04 09:44 - 2013-03-25 10:14 - 00038814 ____A C:\Users\jbozarth\Desktop\606 Bridge Rail 156 Ready Mixed.xlsx
2013-03-04 09:37 - 2013-03-25 08:52 - 00038768 ____A C:\Users\jbozarth\Desktop\608 Sidewalk Bestway 156.xlsx

==================== One Month Modified Files and Folders ========

2013-03-29 16:00 - 2013-03-29 16:00 - 00000000 ____D C:\FRST
2013-03-29 13:37 - 2009-07-13 20:55 - 01157998 ____A C:\Windows\WindowsUpdate.log
2013-03-29 13:37 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-03-29 13:37 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-03-29 13:35 - 2011-04-03 21:37 - 00760744 ____A C:\Windows\System32\PerfStringBackup.INI
2013-03-29 13:32 - 2009-07-13 20:39 - 00045689 ____A C:\Windows\setupact.log
2013-03-29 13:31 - 2011-04-03 23:28 - 00000000 ____D C:\ProgramData\NVIDIA
2013-03-29 13:31 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-03-29 13:01 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\LogFiles
2013-03-29 12:20 - 2011-04-03 22:00 - 00000000 ____D C:\ProgramData\Sonic
2013-03-29 10:08 - 2013-03-29 10:08 - 00000000 ____D C:\ProgramData\xjw
2013-03-29 10:07 - 2011-07-28 07:35 - 00000000 ____D C:\users\jbozarth
2013-03-29 07:14 - 2011-08-08 06:29 - 00000000 ____D C:\Users\jbozarth\AppData\Local\Deployment
2013-03-28 05:52 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2013-03-28 05:25 - 2011-04-03 22:03 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-03-28 05:24 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2013-03-28 05:18 - 2011-07-28 07:07 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-03-28 05:15 - 2011-07-28 07:16 - 69796088 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-03-25 10:14 - 2013-03-04 09:44 - 00038814 ____A C:\Users\jbozarth\Desktop\606 Bridge Rail 156 Ready Mixed.xlsx
2013-03-25 08:56 - 2012-07-20 06:54 - 00038833 ____A C:\Users\jbozarth\Desktop\606 Gaurd Rail 156.xlsx
2013-03-25 08:52 - 2013-03-04 09:37 - 00038768 ____A C:\Users\jbozarth\Desktop\608 Sidewalk Bestway 156.xlsx
2013-03-22 11:47 - 2012-10-19 08:34 - 00012206 ____A C:\Users\jbozarth\Documents\Bills.xlsx
2013-03-20 10:53 - 2012-06-06 12:43 - 00039835 ____A C:\Users\jbozarth\Desktop\Class D Bridge 156 Hi Early.xlsx
2013-03-20 09:45 - 2013-03-20 08:17 - 00015129 ____A C:\Users\jbozarth\Desktop\CONCRETE TEST CHECK.xlsx
2013-03-20 08:11 - 2012-05-21 06:39 - 00039602 ____A C:\Users\jbozarth\Desktop\48 in. Caissons 156.xlsx
2013-03-20 08:09 - 2012-05-21 07:06 - 00042351 ____A C:\Users\jbozarth\Desktop\Class D Ready Mixed  Bridge 156.xlsx
2013-03-20 08:03 - 2013-03-20 07:51 - 00038704 ____A C:\Users\jbozarth\Desktop\606 Gaurd Rail 156 Brannan.xlsx
2013-03-13 07:02 - 2012-02-07 09:44 - 00043748 ____A C:\Users\jbozarth\Documents\Calibration Dates.xlsx
2013-03-11 09:40 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\System32\FxsTmp
2013-03-07 10:44 - 2013-03-05 13:11 - 00014019 ____A C:\Users\jbozarth\Desktop\Copy of sulfate Ion Content.xlsx
2013-03-04 09:30 - 2013-02-21 12:38 - 00039139 ____A C:\Users\jbozarth\Desktop\606 Bridge Rail 156 Brannan.xlsx
2013-03-04 05:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-03-04 05:28 - 2009-07-13 20:33 - 00462744 ____A C:\Windows\System32\FNTCACHE.DAT
2013-02-28 05:37 - 2013-03-15 06:30 - 11020800 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-02-28 05:37 - 2013-03-15 06:30 - 06032384 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-02-28 05:37 - 2013-03-15 06:30 - 02078208 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-02-28 05:37 - 2013-03-15 06:30 - 01231872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-02-28 05:37 - 2013-03-15 06:30 - 00981504 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-02-28 05:37 - 2013-03-15 06:30 - 00627712 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-02-28 05:37 - 2013-03-15 06:30 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-02-28 05:37 - 2013-03-15 06:30 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-02-28 05:37 - 2013-03-15 06:30 - 00067584 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-02-28 05:37 - 2013-03-15 06:30 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-02-28 03:38 - 2013-03-15 06:30 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-02-18 05:08:30
Restore point made on: 2013-02-18 06:04:48
Restore point made on: 2013-02-25 06:47:14
Restore point made on: 2013-02-25 06:49:06
Restore point made on: 2013-02-25 06:50:22
Restore point made on: 2013-02-26 08:25:54
Restore point made on: 2013-03-04 05:13:19
Restore point made on: 2013-03-04 07:48:13
Restore point made on: 2013-03-05 13:12:42
Restore point made on: 2013-03-06 08:18:22
Restore point made on: 2013-03-11 09:21:06
Restore point made on: 2013-03-11 09:39:50
Restore point made on: 2013-03-11 09:46:38
Restore point made on: 2013-03-13 07:31:31
Restore point made on: 2013-03-19 04:12:50
Restore point made on: 2013-03-19 04:25:30
Restore point made on: 2013-03-19 14:18:57
Restore point made on: 2013-03-26 04:18:28
Restore point made on: 2013-03-26 06:15:31
Restore point made on: 2013-03-27 04:32:57
Restore point made on: 2013-03-28 05:11:18
Restore point made on: 2013-03-28 05:24:10
Restore point made on: 2013-03-28 05:24:24
Restore point made on: 2013-03-28 05:37:34
Restore point made on: 2013-03-29 10:18:34

==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 3976.9 MB
Available physical RAM: 3312.47 MB
Total Pagefile: 3975.18 MB
Available Pagefile: 3320.14 MB
Total Virtual: 2047.88 MB
Available Virtual: 1960.68 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:285.8 GB) (Free:246.15 GB) NTFS
2 Drive e: (W7SP1_PROFESSIONAL) (CDROM) (Total:4.24 GB) (Free:0 GB) UDF
3 Drive f: (STORE N GO) (Removable) (Total:3.72 GB) (Free:3.72 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (RECOVERY) (Fixed) (Total:12.25 GB) (Free:5.05 GB) NTFS ==>[System with boot components (obtained from reading drive)]

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          298 GB      0 B        
  Disk 1    Online         3814 MB      0 B        

Partitions of Disk 0:
===============

Disk ID: C648A420

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                 39 MB    31 KB
  Partition 2    Primary             12 GB    40 MB
  Partition 3    Primary            285 GB    12 GB

=========================================================

Disk: 0
Partition 1
Type  : DE
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4                      FAT    Partition     39 MB  Healthy    Hidden 

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   RECOVERY     NTFS   Partition     12 GB  Healthy           

=========================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   OS           NTFS   Partition    285 GB  Healthy           

=========================================================

Partitions of Disk 1:
===============

Disk ID: C3072E18

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3810 MB  4032 KB

=========================================================

Disk: 1
Partition 1
Type  : 0C
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     F   STORE N GO   FAT32  Removable   3810 MB  Healthy           

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: C648A420

Partition 1:
=========
Hex: 00010100DEFE3F043F00000086390100
Active: NO
Type: DE
Size: 39 MB

Partition 2:
=========
Hex: 8019150507FEFFFF0040010000008801
Active: YES
Type: 07 (NTFS)
Size: 12 GB

Partition 3:
=========
Hex: 00FEFFFF07FEFFFF0040890100A0B923
Active: NO
Type: 07 (NTFS)
Size: 286 GB

==============================
Partitions of Disk 1:
===============
Disk ID: C3072E18

Partition 1:
=========
Hex: 000001010C51D2C7801F000080107700
Active: NO
Type: 0C
Size: 4 GB


Last Boot: 2013-03-25 04:33

==================== End Of Log ============================



#4 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 29 March 2013 - 05:54 PM

Hello again,

 

Thanks for the help.

It's my pleasure. :)
 
Now, let's run a fix and see if we can get the machine booting again:
 
Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt
HKU\jbozarth\...\Winlogon: [Shell] C:\Users\jbozarth\AppData\Roaming\id.cff,explorer.exe [x]
Folder: C:\ProgramData\xjw
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your next reply.

==========

After running the above fix and posting the log here, please let me know if you can boot normally now and let me know of the current state of the machine. Also, please DO NOT run any other tools unless instructed to do so!

bloopie
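The fixlist above removes a per-user Winlogon Shell value that launched id.cff ahead of explorer.exe, the classic lockscreen persistence spot. As an added example (not code from the thread, from bloopie, or from FRST), here is a Python triage pass over the Registry section of an FRST log that flags non-default logon-path entries and emits the matching fixlist lines; the sample log text inside is constructed from the lines posted in this thread.

```python
"""Triage the "Registry (Whitelisted)" section of an FRST log for logon-path
persistence (Winlogon Shell/Userinit, Winlogon Notify, AppInit_DLLs, Lsa packages).

Added example, not code from the thread or from FRST. SAMPLE_FRST is a
constructed sample in FRST's line format, modelled on the log posted above.
"""
import re

SAMPLE_FRST = r"""
==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [488816 2011-01-04] (Alps Electric Co., Ltd.)
HKU\jbozarth\...\Winlogon: [Shell] C:\Users\jbozarth\AppData\Roaming\id.cff,explorer.exe [x]
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe, [26112 2009-07-14] (Microsoft Corporation)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll [X]
AppInit_DLLs: C:\Windows\system32\nvinit.dll
Lsa: [Authentication Packages] msv1_0 wvauth
Startup: C:\ProgramData\Start Menu\Programs\Startup\Dell System Manager.lnk

==================== Services (Whitelisted) ===================
"""

# Windows defaults for the logon path; anything beyond these runs at every logon.
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
DEFAULT_LSA_PACKAGES = {"msv1_0"}

SECTION_RE = re.compile(r"^=+ (.*?) =+$")
WINLOGON_RE = re.compile(r"^(HKLM|HKU\\[^\\]+)\\\.\.\.\\Winlogon: \[(Shell|Userinit)\] (.*)$")
NOTIFY_RE = re.compile(r"^Winlogon\\Notify\\(\S+): (.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (.*)$")
LSA_RE = re.compile(r"^Lsa: \[Authentication Packages\] (.*)$")
# FRST appends "[size date] (publisher)" or "[x]" (file missing) to each value.
ANNOTATION_RE = re.compile(r"\s*\[[^\]]*\](?:\s*\([^)]*\))?\s*$")


def registry_lines(log_text):
    """Yield the non-blank lines of the Registry section of an FRST log."""
    current = None
    for line in log_text.splitlines():
        header = SECTION_RE.match(line.strip())
        if header:
            current = header.group(1).strip()
            continue
        if current and current.startswith("Registry") and line.strip():
            yield line.strip()


def strip_annotation(value):
    return ANNOTATION_RE.sub("", value).strip()


def split_entries(value):
    """Shell and Userinit hold comma-separated commands; each one is launched at logon."""
    return [e.strip() for e in value.split(",") if e.strip()]


def triage(log_text):
    """Return findings (severity, source, entries, original line) for non-default entries."""
    findings = []
    for line in registry_lines(log_text):
        m = WINLOGON_RE.match(line)
        if m:
            hive, name, raw = m.groups()
            default = DEFAULT_SHELL if name == "Shell" else DEFAULT_USERINIT
            extra = [e for e in split_entries(strip_annotation(raw)) if e.lower() != default]
            if extra:
                # Payload listed before explorer.exe, as in this thread: the payload's
                # window is what the user sees at logon instead of the desktop.
                findings.append({"severity": "high", "source": f"{hive} Winlogon {name}",
                                 "entries": extra, "line": line})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            findings.append({"severity": "review", "source": f"Winlogon Notify {m.group(1)}",
                             "entries": [strip_annotation(m.group(2))], "line": line})
            continue
        m = APPINIT_RE.match(line)
        if m and m.group(1).strip():
            # An AppInit DLL is loaded into every user32 process; confirm its publisher.
            findings.append({"severity": "review", "source": "AppInit_DLLs",
                             "entries": [strip_annotation(m.group(1))], "line": line})
            continue
        m = LSA_RE.match(line)
        if m:
            extra = [p for p in m.group(1).split() if p.lower() not in DEFAULT_LSA_PACKAGES]
            if extra:  # e.g. a vendor package such as wvauth here; verify, do not assume bad
                findings.append({"severity": "review", "source": "Lsa Authentication Packages",
                                 "entries": extra, "line": line})
    return findings


def fixlist_lines(findings):
    """FRST accepts the offending log line verbatim in fixlist.txt (that is how the
    Shell entry was removed above); return those lines for the high-severity findings."""
    return [f["line"] for f in findings if f["severity"] == "high"]


if __name__ == "__main__":
    found = triage(SAMPLE_FRST)
    for f in found:
        print(f"[{f['severity']}] {f['source']}: {', '.join(f['entries'])}")
    print("fixlist.txt candidates:")
    print("\n".join(fixlist_lines(found)))
```

The "review" findings are not verdicts: a helper still checks each DLL or package against its publisher before it goes into a fixlist.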

#5 mudhustler

mudhustler
  • Topic Starter
  • Members
  • 64 posts

Posted 01 April 2013 - 10:18 AM

Bloopie,

 

Happy Monday!

 

I can log onto the user's profile that was having trouble before without the white screen coming up.  That's a great improvement!

 

Here's the fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2013
Ran by SYSTEM at 2013-04-01 09:24:23 Run:1
Running from F:\

==============================================

HKEY_USERS\jbozarth\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.

========================= Folder: C:\ProgramData\xjw ========================


====== End of Folder: ======

==== End of Fixlog ====


Edited by mudhustler, 01 April 2013 - 10:23 AM.


#6 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 01 April 2013 - 12:01 PM

Hello again,
 
Good to hear! Now, let's run Combofix:

Run Combofix

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job...this is normal.

You can download Combofix from one of these links.
  • Close any open browsers or any other programs that are open.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you C:\Combofix.txt. Please include that in your next reply.
Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

bloopie

#7 mudhustler

mudhustler
  • Topic Starter
  • Members
  • 64 posts

Posted 01 April 2013 - 01:15 PM

Here's my ComboFix report:

 

ComboFix 13-04-01.01 - jbozarth 04/01/2013  12:01:59.1.4 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2985.1804 [GMT -6:00]
Running from: c:\users\jbozarth\Desktop\ComboFix.exe
AV: Sunbelt VIPRE *Disabled/Updated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
SP: Sunbelt VIPRE *Disabled/Updated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\jbozarth\AppData\Local\Microsoft\Windows\Temporary Internet Files\{00B134DF-D95E-4CE5-ACE5-0C9C6F62C7ED}.xps
c:\users\jbozarth\AppData\Local\Microsoft\Windows\Temporary Internet Files\{2E0D4752-AF4C-4622-8EFB-F77069D15AF9}.xps
c:\users\jbozarth\AppData\Local\Microsoft\Windows\Temporary Internet Files\{87C3BBD0-0CC8-4EAD-91A4-02DCA42724A2}.xps
c:\users\jbozarth\AppData\Local\Microsoft\Windows\Temporary Internet Files\{8FB8D675-E900-485F-A1EA-D30656DEA3D5}.xps
c:\users\jbozarth\AppData\Local\Microsoft\Windows\Temporary Internet Files\{B23CB227-979B-4829-9486-B802B2DF8C2E}.xps
c:\users\jbozarth\AppData\Local\Microsoft\Windows\Temporary Internet Files\{B4D46DDC-FD8E-4592-8DFB-87B32D335306}.xps
c:\users\jbozarth\AppData\Local\Microsoft\Windows\Temporary Internet Files\{C3ACF068-18DB-4650-BB5F-7D5ABFC74235}.xps
c:\users\jbozarth\AppData\Local\Temp\{B360452B-1B92-4A8C-8201-E6EA418A7E65}\fpb.tmp
c:\users\jbozarth\AppData\Roaming\id.cff
c:\windows\system32\instsrv.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-01 to 2013-04-01  )))))))))))))))))))))))))))))))
.
.
2013-04-01 18:06 . 2013-04-01 18:06 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-04-01 18:06 . 2013-04-01 18:06 -------- d-----w- c:\users\RockSol\AppData\Local\temp
2013-04-01 18:06 . 2013-04-01 18:06 -------- d-----w- c:\users\itsupport\AppData\Local\temp
2013-04-01 18:06 . 2013-04-01 18:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-04-01 17:53 . 2013-04-01 17:53 -------- d-----w- c:\users\jbozarth\AppData\Roaming\Roxio Burn
2013-03-30 00:00 . 2013-03-30 00:00 -------- d-----w- C:\FRST
2013-03-29 18:08 . 2013-03-29 18:08 -------- d-----w- c:\programdata\xjw
2013-03-18 12:15 . 2013-02-12 03:32 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-12 04:48 . 2013-03-15 14:29 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-15 14:29 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-01-05 05:00 . 2013-02-13 15:56 3967848 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-05 05:00 . 2013-02-13 15:56 3913064 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-04 04:50 . 2013-02-13 15:56 169984 ----a-w- c:\windows\system32\winsrv.dll
2013-01-04 03:00 . 2013-02-13 15:56 2347008 ----a-w- c:\windows\system32\win32k.sys
2013-01-03 05:05 . 2013-02-13 15:56 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-01-03 05:04 . 2013-02-13 15:56 187752 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-09-19 02:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-09-19 02:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-09-19 02:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-10-16 21:10 119664 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-10-16 21:10 119664 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-01-05 488816]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-12-08 536668]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-01-14 143384]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-01-14 177176]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-01-14 178200]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-02-03 288872]
"IntelPROSet"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-12-23 1210640]
"FreeFallProtection"="c:\program files\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2010-12-15 686704]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2010-12-03 112152]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2010-03-12 462993]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2010-04-29 50472]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"Desktop Disc Tool"="c:\program files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-10-25 932288]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-10-25 36760]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-10-25 821144]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2011-05-11 1353040]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-09-19 670864]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dell System Manager.lnk - c:\program files\Dell\Dell System Manager\DCPSysMgr.exe [2011-1-20 1459056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\spba]
2010-09-15 16:11 1971536 ----a-w- c:\program files\Common Files\SPBA\homefus2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\nvinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ    msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 O2SDIOAssist;O2SDIOAssist;c:\windows\system32\srvany.exe [x]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [x]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\Drivers\CtAudDrv.sys [x]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
R3 O2MDFRDR;O2MDFRDR;c:\windows\system32\DRIVERS\O2MDFw7.sys [x]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [x]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [x]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [x]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [x]
S2 dcpsysmgrsvc;Dell System Manager Service;c:\program files\Dell\Dell System Manager\DCPSysMgrSvc.exe [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [x]
S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files\Intel\Services\IPT\jhi_service.exe [x]
S2 SBAMSvc;VIPRE Antivirus;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [x]
S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [x]
S2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 ZcfgSvc7;Intel® PROSet/Wireless ZeroConfig Service;c:\program files\Intel\WiFi\bin\ZCfgSvc7.exe [x]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [x]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [x]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [x]
S3 O2MDRRDR;O2MDRRDR;c:\windows\system32\DRIVERS\O2MDRw7.sys [x]
S3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7.sys [x]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=1
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.2.25
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(600)
c:\windows\system32\wvauth.DLL
c:\windows\System32\TdmNetworkProvider.dll
.
Completion time: 2013-04-01  12:09:05
ComboFix-quarantined-files.txt  2013-04-01 18:09
.
Pre-Run: 263,345,147,904 bytes free
Post-Run: 263,668,879,360 bytes free
.
- - End Of File - - 2B63F6782B16D9FBCA660E2489DC7554
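The "Reg Loading Points", "AppInit_DLLs" and "lsa" sections of the ComboFix log above are what a responder reads first, because that is where persistence shows up: Run-key entries launching from folders an ordinary user can write to, a populated AppInit_DLLs value (loaded into every process that uses user32.dll), and LSA authentication packages beyond the Windows default msv1_0 (this log shows "msv1_0 wvauth"). The Python script below, added here as an example and not part of either poster's reports or of ComboFix itself, parses a log in that layout and prints those three kinds of entries for review. The sample text is constructed: the HKLM Run, AppInit_DLLs and lsa lines are copied from the log above, while the HKCU Run entry (its name, path, date and size) is made up so the flagged case is visible. A flag means "check it", not "malicious"; the wvauth package here is consistent with the Wave/Dell Data Protection software listed elsewhere in the same log, and nvinit.dll belongs to the NVIDIA driver set.

```python
"""Triage helper for a ComboFix-style "Reg Loading Points" section.

Added example for this thread; it is not ComboFix's or BleepingComputer's
code. It reads the log text and flags three things a responder checks first:
Run-key entries that launch from user-writable folders, a populated
AppInit_DLLs value, and LSA authentication packages beyond the default msv1_0.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in ComboFix's layout. The HKLM Run lines, the AppInit_DLLs
# line and the lsa line are copied from the log in this thread; the HKCU Run
# entry (name, path, date and size) is made up to show a flagged entry.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-01-05 488816]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2011-05-11 1353040]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"id"="c:\users\jbozarth\AppData\Roaming\id.cff" [2013-03-28 143360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\nvinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ    msv1_0 wvauth
"""

KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')

# Folders an ordinary user can write to; a persistent autostart here deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
# Windows ships msv1_0 as the only LSA authentication package.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reason: str


def triage(log: str) -> list[Finding]:
    """Walk the log once, remembering the current registry key, and collect findings."""
    findings: list[Finding] = []
    key = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix separates blocks with a lone dot
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        if line.lower().startswith("authentication packages"):
            # "Authentication Packages REG_MULTI_SZ    msv1_0 wvauth"
            packages = line.split()[3:]
            extra = [p for p in packages if p.lower() not in DEFAULT_AUTH_PACKAGES]
            if extra:
                findings.append(Finding(key, "Authentication Packages", " ".join(packages),
                                        "non-default LSA authentication package: " + ", ".join(extra)))
            continue
        if line.lower().startswith('"appinit_dlls"='):
            value = line.split("=", 1)[1].strip().strip('"')
            if value:
                findings.append(Finding(key, "AppInit_DLLs", value,
                                        "AppInit_DLLs is populated; confirm the DLL's publisher"))
            continue
        m = RUN_VALUE.match(line)
        if m and key.lower().endswith("\\run"):
            path = m.group("path").lower()
            if any(part in path for part in USER_WRITABLE):
                findings.append(Finding(key, m.group("name"), m.group("path"),
                                        "autostart launches from a user-writable folder"))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """One entry per finding, in the order the log listed them."""
    return [f"{f.key}\n  {f.name} = {f.value}\n  -> {f.reason}" for f in findings]


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run it against a saved ComboFix.txt by passing the file's contents to triage(); entries under "c:\program files" are deliberately not flagged, so the output stays short enough to read alongside the full log.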
 



#8 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:02:14 PM

Posted 01 April 2013 - 03:36 PM

Hi again,

That's looking better, but we still have some work to do.

Step 1

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When the scan is complete, click OK, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).

==========

Step 2

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on the button.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on the button.
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Now click on the button.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

==========

Step 3

Now, let's get an extra report that Combofix makes:

Combofix Extra Report
  • Hold the "Windows" key and press "R" to open the runbox.
  • Please copy and paste the contents of the codebox below into the empty runbox:
C:\Qoobox\Add-Remove Programs.txt
  • Then click Ok.
Now, copy and paste the contents of the file that opens into your next reply.
==========

In your next reply, please copy and paste all logs here for me

bloopie

Edited by bloopie, 01 April 2013 - 06:26 PM.
Fixed typo


#9 mudhustler

mudhustler
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  • Local time:11:14 AM

Posted 02 April 2013 - 11:43 AM

Bloopie,

 

Here are all my reports:

 

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.04.02.08

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
jbozarth :: JBOZARTH-PC [administrator]

4/2/2013 9:32:42 AM
mbam-log-2013-04-02 (09-32-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 279424
Time elapsed: 4 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

*************************************************************************************

 

C:\Qoobox\Quarantine\C\Users\jbozarth\AppData\Roaming\id.cff.vir a variant of Win32/Kryptik.AXRU trojan
C:\Users\jbozarth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\490c2f29-5179e725 Java/Exploit.Agent.NOX trojan
 

*************************************************************************************

 

AccelerometerP11
Adobe Acrobat X Standard - English, Français, Deutsch
Adobe Flash Player 11 ActiveX
Asphalt 03 (v 4.0.1.500)
Bing Bar
Bing Bar Platform
Bing Rewards Client Installer
BioAPI Framework
Carbonite Pro
Custom
CyberLink PowerDVD 9.5
D3DX10
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell Backup and Recovery Manager
Dell ControlVault Host Components Installer
Dell Data Protection | Access
Dell Data Protection | Access | Drivers
Dell Data Protection | Access | Middleware
Dell Edoc Viewer
Dell System Manager
Dell Touchpad
Dell Webcam Central
DellAccess
DirectX 9 Runtime
EMBASSY Security Center
Gemalto
Intel PROSet Wireless
Intel® Control Center
Intel® Identity Protection Technology 1.0.71.0
Intel® Management Engine Components
Intel® Network Connections 15.7.176.1
Intel® Processor Graphics
Intel® PROSet/Wireless WiFi Software
Java Auto Updater
Java™ 6 Update 23
Junk Mail filter update
Mesh Runtime
Messenger Companion
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Default Manager
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Business 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NTRU TCG Software Stack
NVIDIA 3D Vision Driver 266.96
NVIDIA Control Panel 266.96
NVIDIA Graphics Driver 266.96
NVIDIA Install Application
NVIDIA nView 135.60
NVIDIA nView Desktop Manager
NVIDIA Optimus 1.0.21
NVIDIA Stereoscopic 3D Driver
NVIDIA Update Components
O2Micro Flash Memory Card Windows Driver
PC-CCID
PhotoShowExpress
Preboot Manager
Private Information Manager
Roxio Activation Module
Roxio BackOnTrack
Roxio Burn
Roxio Creator Starter
Roxio Express Labeler 3
Roxio File Backup
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition
Security Update for Microsoft Filter Pack 2.0 (KB2553501) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
Security Update for Microsoft OneNote 2010 (KB2760600) 32-Bit Edition
Security Update for Microsoft Visio Viewer 2010 (KB2687505) 32-Bit Edition
Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition
Sonic CinePlayer Decoder Pack
SPBA 5.9
Trusted Drive Manager
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition
Upek Touchchip Fingerprint Reader
VIPRE Antivirus
Wave Infrastructure Installer
Wave Support Software Installer
Windows Driver Package - Dell Inc. PBADRV System  (09/11/2009 1.0.1.6)
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
 



#10 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:02:14 PM

Posted 02 April 2013 - 12:58 PM

Hi again,

Now, let's remove what was found in the ESET scan with a batch, and then we'll do some updates:

Step 1
  • Hold the "Windows" key and press "R" to open the runbox, type in notepad and click Ok.
  • Copy the text in the code box below then paste it into the blank Notepad and save it to your Desktop as DelFile.bat
@echo off
del /f /s /q "C:\Qoobox\Quarantine\C\Users\jbozarth\AppData\Roaming\id.cff.vir"
rd /s /q "C:\Users\jbozarth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\490c2f29-5179e725"
del %0
  • The batch file should now look like the screenshot for your Windows version (one for Windows Vista/7, one for Windows XP).
  • Now double click on the DelFile.bat on your Desktop and the batch will quickly run and delete itself for you.
  • Now reboot the machine.
==========

Step 2
Your version of Internet Explorer is outdated.
==========

Step 3
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit). 64-bit OS users should read: Which Java download should I choose for my 64-bit Windows operating system?
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u7-windows-i586.exe (or jre-7u7-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered any unwanted software or toolbars during installation, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
  • Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
    To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.
==========

Let me know if you had any trouble with the above steps! We're nearly finished! :thumbup2:

bloopie

#11 mudhustler

mudhustler
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  • Local time:11:14 AM

Posted 02 April 2013 - 02:55 PM

Hi, Bloopie.

 

Ran your batch file and installed the updates.  Everything seems to be working fine.



#12 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:02:14 PM

Posted 02 April 2013 - 03:56 PM

Hello again,
 
Excellent, glad to hear that! And that means I have some good news:

Your machine appears to be clean! :thumbsup:

Let's do some housekeeping now:



The following steps will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.



Step 1

Uninstall ComboFix:
  • Turn off all active protection software.
  • Hold the "Windows" key and press "R" to open the runbox, then copy/paste ComboFix /Uninstall into the box and click Ok.
  • Note the space between the X and the /Uninstall, it needs to be there.


==========


Step 2

Download and Run OTC:

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista or Windows 7, please right-click and choose run as administrator
  • Then Click the big CleanUp button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Any programs and logs that are left over you can just delete from the desktop.


Are you having any additional problems at this point? If so, please let me know. Otherwise feel free to enjoy use of your repaired machine :thumbup2:


Useful information!
Below is some more information and useful tools and tips about how to keep your computer safe in the future.



The most common cause of an infected machine is the Trojan Horse, or programs which appear to be legitimate but which contain malicious payloads, or which are simply malicious in and of themselves. No antivirus, firewall, host-based intrusion prevention system (HIPS), or other security software can fully protect you against this kind of attack. The best way to protect yourself is not to run email attachments from untrusted sources, and to avoid software downloaded from the internet wherever possible. Remember, when you run an application, you are giving that application permission to do to your machine anything you can do to the machine, including create, modify, or destroy files or other data. In the Windows (and most other systems', such as Unix) security model, applications don't have privileges, users do.

The second most common cause of infection is out of date software. Leaving your system unpatched leaves holes through which attackers can execute code on your behalf without your consent. This goes for far more than common targets such as Windows and Internet Explorer. Most recent threats target other third party software, such as Adobe's Adobe Reader, Shockwave Player, or Flash Player, or Oracle's Java browser plugins. You can check your system for out of date software manually, or by using automated tools such as Secunia's Personal Software Inspector. This goes doubly for security applications such as antivirus and other antimalware products based on definition lists, where out of date lists mean no detection of newer malware.

Finally, occasionally you will be forced to run some potentially infected binary, or attackers will use a hole which is unpatched by software vendors, so a last line of defense is needed. That means turning on a firewall (Windows Firewall included with Windows XP SP2 or later is fine) and leaving it on, and using and keeping up to date an antivirus solution such as Norton AntiVirus. Antiviral solutions don't even have to cost money; for instance Microsoft Security Essentials provides perfectly acceptable protection for free. If for some reason you don't like MSE, there are other free products available as well:
  • Avast (home use only)
  • Avira (shows nag screen to purchase full product when updating, home use only)
That should be fine for the majority of users. However, if you absolutely want additional protection, consider one or more of the following products:
If you want more information on methods malware uses to infect your computer, consider browsing our How did I get infected? topic.

Please respond to this post so I can close the thread unless you have any other questions.


Best of regards, and happy surfing!! :wink:

bloopie

#13 mudhustler

mudhustler
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  • Local time:11:14 AM

Posted 02 April 2013 - 04:21 PM

Thanks for the help!  I really appreciate what you folks at BleepingComputer do.  Keep up the good work!



#14 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:02:14 PM

Posted 02 April 2013 - 04:46 PM

Thanks for the help!

It was my pleasure...glad I could help! You did very well also following all my instructions perfectly. Thanks for that! :clapping:

 

Stay safe!

 

bloopie



#15 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:02:14 PM

Posted 02 April 2013 - 04:46 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



