
OnPay Inc Virus infect-steps followed from Bleeping advice to others on this site


This topic is locked. 5 replies to this topic.

#1 mlkuhn07

Posted 09 April 2013 - 11:03 PM

Subject: OnPay Inc Virus infection - and steps performed following advice provided to other persons on this site.

Help Needed: "un-obfuscate (C:)"

I found a post on this site....

http://www.bleepingcomputer.com/forums/t/466692/on-pay-inc-us/

This provided a lot of insight and steps to begin performing:

After doing all the steps below - I believe there is Obfuscation still ongoing - as the C: contents and MS IE favorites are not visible, among other symptoms.

Please provide feedback on next steps that may be performed - as I do not believe that a reformat is required.

Here is a log of the steps I performed... (and logs of processes run).

Use:

1. RKill

Results: Successful, removed a running process and removed some registry entries.

And reset registry associations for .EXE, .COM and .BAT.

2. Tried to download and run TDSSKILLER:

Results: downloaded and placed on Desktop. Fails to run - even when downloaded the Windows 7 version.

3. Malwarebytes-anti-malware

Results: Downloaded and placed on desktop (copied from USB).

----Fails on attempting to install the "uninstall" portion of the application.

4. Did download and run the MS Safety scan tool.

Results: found Alureon virus ---BELOW

MS Safety Scanner (msert.exe) 3-24-13 downloaded and ran:

Results:

  • 1. Removed: Trojan:Win32/FakeSysdef
  • 2. Trojan:DOS/Alureon.L Partially removed -- Manual steps remain (MS...KB...

THEN - I FOUND THIS on Bleepingcomputer...

This page is from Bleeping computer for Downloader.generic13.CAM

Posted 08 October 2012 - 05:10 PM

Greetings jcheck99 and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary. If you would allow me to call you by your first name I would prefer to do that.

================================

Logs:

I was able to get Rkill to run: here is the log:

Rkill 2.4.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:

http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/23/2013 08:43:38 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\ProgramData\YIqeljvLcEYEi.exe (PID: 2780) [AU-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * System Policy Removed:  DisableTaskMgr [HKCU]
 * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
 C:\Users\Owner\Desktop\rkill\rkill-03-23-2013-08-43-55.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
  * HKCU\SOFTWARE\Classes\.exe "@" exists and is set to exefile!
  * HKCU\SOFTWARE\Classes\.exe has been deleted!
  * HKCU\SOFTWARE\Classes\exefile has been deleted!

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

 * SMTMP folder detected. Please see this link for more information: http://www.bleepingcomputer.com/forums/topic405109.html

Checking Windows Service Integrity:

 * WinDefend [Missing ImagePath]
 * wscsvc [Missing ImagePath]

 * FontCache => %SystemRoot%\system32\svchost.exe -k LocalService [Incorrect ImagePath]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 03/23/2013 08:45:39 PM
Execution time: 0 hours(s), 2 minute(s), and 1 seconds(s)

mlkuhn07]  I have not read the SMTMP link --- just noticed it again.

There were changes made by Rkill --- Was this OK?? or...

==========================================================

Anyway next -- I downloaded AVG and ran it several times on 25-27th.

Results of AVG efforts are listed below:

4-8-13

Scan found no infections.

Previous scans that found infections are listed below.

3-27 was the previous date with a found infection, and twice on the 26th following the initial scan on 25th-26th with 19 FINDINGS.

 

"";"Trojan horse Downloader.Generic13.CAM, C:\Windows\System32\svchost.exe (1636):\memory_00120000";"Infected";"File or Directory";"3/27/2013, 10:41:47 AM"

"";"Trojan horse Downloader.Generic13.CAM, C:\Windows\System32\svchost.exe (1636)";"Deleted";"Process";"3/27/2013, 10:41:47 AM"

 

"";"Trojan horse Downloader.Generic13.CAM, C:\Windows\System32\svchost.exe (1636):\memory_00120000";"Healed";"File or Directory";"3/26/2013, 8:42:13 PM"

"";"Trojan horse Downloader.Generic13.CAM, C:\Windows\System32\svchost.exe (1636)";"Healed";"Process";"3/26/2013, 8:42:13 PM"

 

"";"Trojan horse Downloader.Generic13.CAM, C:\Windows\System32\svchost.exe (1636):\memory_00120000";"Healed";"File or Directory";"3/26/2013, 8:39:00 PM"

"";"Trojan horse Downloader.Generic13.CAM, C:\Windows\System32\svchost.exe (1636)";"Healed";"Process";"3/26/2013, 8:39:00 PM"

 

19 Infections [3-26-13]:  18 Deleted and moved to Virus Vault:  1 removed

 

 

"";"Corrupted executable file, C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VirtualBox-4.2.6-82870-Win[1].exe";"Deleted, Moved to Virus Vault";"File or Directory";"3/26/2013, 3:33:54 PM"

 

"";"Virus found JS/Obfuscated, C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IM7NFZ9A\q[1].htm";"Deleted, Moved to Virus Vault";"File or Directory";"3/26/2013, 10:20:07 AM"

 

"";"Trojan horse Dropper.Generic7.BJOV, C:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\53cc9345-619fc616";"Deleted, Moved to Virus Vault";"File or Directory";"3/26/2013, 3:05:58 PM"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\$Recycle.Bin\S-1-5-21-592982947-1044143337-4051690927-1000\$R0OTMDO\HomePage\UpThis\Adobe Acrobat X Pro 10.1.3 (English - French - German) Incl Keygen.exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO3BD5.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zODE2D.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO4EFC.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO6AE.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zOD15.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO256A.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO2C7D.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO1A31.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO138B.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO2CB8.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO3035.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO37E0.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Deleted, Moved to Virus Vault";"File or Directory";"3/26/2013, 3:12:19 PM"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zOB52C.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Deleted, Moved to Virus Vault";"File or Directory";"3/26/2013, 3:12:34 PM"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zOB0B8.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Deleted, Moved to Virus Vault";"File or Directory";"3/26/2013, 3:12:39 PM"

 

"";"Trojan horse Downloader.Generic13.CAM, C:\Windows\System32\svchost.exe (1636)";"Healed";"Process";"3/25/2013, 9:50:20 PM"

 

AVG removed/vaulted many instances of the:

trojan Dropper Generic6.AGYO

trojan Downloader.Generic13.CAM

JS/Obfuscated

and a few others.

THE ONE THAT CONCERNS ME IS THE "JS/Obfuscated" because - I believe that the contents of the C drive are OBFUSCATED - from sight, and are not visible.

NEXT: after removing these trojans, I was able to run MalwareBytes:

=============================================

I followed this with MalwareBytes --- here is the log:

 

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.28.13

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Owner :: OWNER-HP [administrator]

3/28/2013 10:51:24 PM
mbam-log-2013-03-28 (22-51-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 765267
Time elapsed: 4 hour(s), 51 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 5
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{61E0EF7A-9BC0-45EA-9B2F-F3E9F02692BD} (PUP.PlayBryte) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{61E0EF7A-9BC0-45EA-9B2F-F3E9F02692BD} (PUP.PlayBryte) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\InstalledBrowserExtensions\215 Apps|2258 (PUP.CrossFire.SA) -> Data: I Want This -> Quarantined and deleted successfully.

Registry Data Items Detected: 8
HKCU\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Owner\AppData\Local\Temp\is1373634743\PricePeepInstaller.exe (Adware.Shopper) -> Quarantined and deleted successfully.

(end) 

=================================

Then - I was able to run "aswMBR"

Here is the log:

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-03-29 23:57:48
-----------------------------
23:57:48.736    OS Version: Windows x64 6.1.7601 Service Pack 1
23:57:48.736    Number of processors: 4 586 0x2505
23:57:48.736    ComputerName: OWNER-HP  UserName: Owner
23:57:52.090    Initialize success
23:58:05.740    AVAST engine defs: 13032901
23:58:19.031    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:58:19.031    Disk 0 Vendor: WDC_WD32 02.0 Size: 305245MB BusType: 3
23:58:20.045    Disk 0 MBR read successfully
23:58:20.061    Disk 0 MBR scan
23:58:20.061    Disk 0 Windows XP default MBR code
23:58:20.061    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          199 MB offset 2048
23:58:20.077    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       271190 MB offset 409600
23:58:20.123    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        33751 MB offset 555806720
23:58:20.170    Disk 0 Partition 4 00     0C    FAT32 LBA MSDOS5.0      103 MB offset 624928768
23:58:20.685    Disk 0 scanning C:\Windows\system32\drivers
23:59:12.493    Service scanning
00:00:09.651    Modules scanning
00:00:09.667    Disk 0 trace - called modules:
00:00:10.213    ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys iaStor.sys hal.dll
00:00:10.213    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800529c060]
00:00:10.228    3 CLASSPNP.SYS[fffff88001a0143f] -> nt!IofCallDriver -> [0xfffffa8005140a50]
00:00:10.244    5 hpdskflt.sys[fffff88001ba2289] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004fbf050]
00:00:11.367    AVAST engine scan C:\Windows
00:00:36.639    AVAST engine scan C:\Windows\system32
00:20:08.954    AVAST engine scan C:\Windows\system32\drivers
00:20:58.135    AVAST engine scan C:\Users\Owner
07:10:27.653    AVAST engine scan C:\ProgramData
07:13:47.975    Scan finished successfully
08:15:45.016    Disk 0 MBR has been saved successfully to "C:\Users\Owner\Documents\MBR.dat"
08:15:45.016    The log file has been saved successfully to "C:\Users\Owner\Documents\aswMBR.txt"
08:19:38.299    Disk 0 MBR has been saved successfully to "F:\!PC Security SW\MBR.dat"
08:19:38.314    The log file has been saved successfully to "F:\!PC Security SW\aswMBR_3-30-2013.txt"


===========

mlkuhn07]  This took about 7 hrs to run --- successfully.... but did it clean anything? Not clear to me from the log.

===============================================

Attached File: TDSSKiller.2.8.16.0_29.03.2013_18.06.38_log.txt.zip (51.13KB)

Next:

I was able to run TDSSKILLER - on 3-29-13: Log is attached

=============================================

And I was able to run ListParts.exe ---

For comparison purposes, if that may be helpful, here are 2 logs (3-30-13 and 4-9-13):

ListParts by Farbar Version: 10-03-2013
Ran by Owner (administrator) on 30-03-2013 at 08:43:13
Windows 7 (X64)
Running From: C:\Users\Owner\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 70%
Total physical RAM: 3893.86 MB
Available physical RAM: 1156.55 MB
Total Pagefile: 7785.91 MB
Available Pagefile: 3922.32 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:264.83 GB) (Free:63.53 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (RECOVERY) (Fixed) (Total:32.96 GB) (Free:4.85 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: () (Removable) (Total:3.74 GB) (Free:0.52 GB) FAT32

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          298 GB      0 B        
  Disk 1    Online         3835 MB      0 B        

Partitions of Disk 0:
===============

Disk ID: 6EB6D97E

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            199 MB  1024 KB
  Partition 2    Primary            264 GB   200 MB
  Partition 3    Primary             32 GB   265 GB
  Partition 4    Primary            103 MB   297 GB

======================================================================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1         SYSTEM       NTFS   Partition    199 MB  Healthy    System (partition with boot components) 

======================================================================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    264 GB  Healthy    Boot   

======================================================================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     D   RECOVERY     NTFS   Partition     32 GB  Healthy           

======================================================================================================

Disk: 0
Partition 4
Type  : 0C
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4         HP_TOOLS     FAT32  Partition    103 MB  Healthy           

======================================================================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3827 MB    19 KB

======================================================================================================

Disk: 1
Partition 1
Type  : 0B
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5     F                FAT32  Removable   3827 MB  Healthy           

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 6EB6D97E

Partition 1:
===========
Hex: 80202100077E25190008000000380600
Active: YES
Type: 07 (NTFS)
Size: 199 MB

Partition 2:
===========
Hex: 007E261907FEFFFF0040060000B01A21
Active: NO
Type: 07 (NTFS)
Size: 265 GB

Partition 3:
===========
Hex: 00FEFFFF07FEFFFF00F0202100B81E04
Active: NO
Type: 07 (NTFS)
Size: 33 GB

Partition 4:
===========
Hex: 00FEFFFF0CFEFFFF00A83F25B03A0300
Active: NO
Type: 0C
Size: 103 MB

==============================
Partitions of Disk 1:
===============
Disk ID: 00000000

Partition 1:
===========
Hex: 000027000BFE7FE726000000C29F7700
Active: NO
Type: 0B
Size: 4 GB


Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
extendedinput           Yes
default                 {current}
resumeobject            {c279be75-9b51-11de-9b93-a29d207e6d0e}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30
customactions           0x1000085000001
                        0x5400000f
custom:5400000f         {bf43b54f-52df-11e0-99b0-c3630413caf9}

Windows Boot Loader
-------------------
identifier              {572bcd60-ffa7-11d9-aae0-0007e994107d}
device                  ramdisk=[boot]\sources\boot.wim,{ramdiskoptions}
path                    \windows\system32\boot\winload.exe
description             Microsoft Windows PE 2.0
osdevice                ramdisk=[boot]\sources\boot.wim,{ramdiskoptions}
systemroot              \windows
detecthal               Yes
winpe                   Yes
ems                     Yes

Windows Boot Loader
-------------------
identifier              {bf43b54f-52df-11e0-99b0-c3630413caf9}
device                  ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{bf43b550-52df-11e0-99b0-c3630413caf9}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{bf43b550-52df-11e0-99b0-c3630413caf9}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {bf43b54f-52df-11e0-99b0-c3630413caf9}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {c279be75-9b51-11de-9b93-a29d207e6d0e}
nx                      OptIn

Resume from Hibernate
---------------------
identifier              {c279be75-9b51-11de-9b93-a29d207e6d0e}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=\Device\HarddiskVolume1
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Setup Ramdisk Options
---------------------
identifier              {ramdiskoptions}
description             Ramdisk Options
ramdisksdidevice        boot
ramdisksdipath          \boot\boot.sdi

Device options
--------------
identifier              {bf43b550-52df-11e0-99b0-c3630413caf9}
description             Ramdisk Options
ramdisksdidevice        partition=D:
ramdisksdipath          \Recovery\WindowsRE\boot.sdi


****** End Of Log ******

==============================================

Log #2 - ListParts Log

LOG file from 4-9-13

ListParts by Farbar Version: 10-03-2013
Ran by Owner (administrator) on 09-04-2013 at 00:26:34
Windows 7 (X64)
Running From: C:\Users\Owner\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 45%
Total physical RAM: 3893.86 MB
Available physical RAM: 2137.75 MB
Total Pagefile: 7785.91 MB
Available Pagefile: 5604.69 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:264.83 GB) (Free:73.2 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (RECOVERY) (Fixed) (Total:32.96 GB) (Free:4.85 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: () (Removable) (Total:3.74 GB) (Free:0.5 GB) FAT32

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          298 GB      0 B        
  Disk 1    Online         3835 MB      0 B        

Partitions of Disk 0:
===============

Disk ID: 6EB6D97E

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            199 MB  1024 KB
  Partition 2    Primary            264 GB   200 MB
  Partition 3    Primary             32 GB   265 GB
  Partition 4    Primary            103 MB   297 GB

======================================================================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1         SYSTEM       NTFS   Partition    199 MB  Healthy    System (partition with boot components) 

======================================================================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    264 GB  Healthy    Boot   

======================================================================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     D   RECOVERY     NTFS   Partition     32 GB  Healthy           

======================================================================================================

Disk: 0
Partition 4
Type  : 0C
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4         HP_TOOLS     FAT32  Partition    103 MB  Healthy           

======================================================================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3827 MB    19 KB

======================================================================================================

Disk: 1
Partition 1
Type  : 0B
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5     F                FAT32  Removable   3827 MB  Healthy           

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 6EB6D97E

Partition 1:
===========
Hex: 80202100077E25190008000000380600
Active: YES
Type: 07 (NTFS)
Size: 199 MB

Partition 2:
===========
Hex: 007E261907FEFFFF0040060000B01A21
Active: NO
Type: 07 (NTFS)
Size: 265 GB

Partition 3:
===========
Hex: 00FEFFFF07FEFFFF00F0202100B81E04
Active: NO
Type: 07 (NTFS)
Size: 33 GB

Partition 4:
===========
Hex: 00FEFFFF0CFEFFFF00A83F25B03A0300
Active: NO
Type: 0C
Size: 103 MB

==============================
Partitions of Disk 1:
===============
Disk ID: 00000000

Partition 1:
===========
Hex: 000027000BFE7FE726000000C29F7700
Active: NO
Type: 0B
Size: 4 GB


Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
extendedinput           Yes
default                 {current}
resumeobject            {c279be75-9b51-11de-9b93-a29d207e6d0e}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30
customactions           0x1000085000001
                        0x5400000f
custom:5400000f         {bf43b54f-52df-11e0-99b0-c3630413caf9}

Windows Boot Loader
-------------------
identifier              {572bcd60-ffa7-11d9-aae0-0007e994107d}
device                  ramdisk=[boot]\sources\boot.wim,{ramdiskoptions}
path                    \windows\system32\boot\winload.exe
description             Microsoft Windows PE 2.0
osdevice                ramdisk=[boot]\sources\boot.wim,{ramdiskoptions}
systemroot              \windows
detecthal               Yes
winpe                   Yes
ems                     Yes

Windows Boot Loader
-------------------
identifier              {bf43b54f-52df-11e0-99b0-c3630413caf9}
device                  ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{bf43b550-52df-11e0-99b0-c3630413caf9}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{bf43b550-52df-11e0-99b0-c3630413caf9}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {bf43b54f-52df-11e0-99b0-c3630413caf9}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {c279be75-9b51-11de-9b93-a29d207e6d0e}
nx                      OptIn

Resume from Hibernate
---------------------
identifier              {c279be75-9b51-11de-9b93-a29d207e6d0e}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=\Device\HarddiskVolume1
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Setup Ramdisk Options
---------------------
identifier              {ramdiskoptions}
description             Ramdisk Options
ramdisksdidevice        boot
ramdisksdipath          \boot\boot.sdi

Device options
--------------
identifier              {bf43b550-52df-11e0-99b0-c3630413caf9}
description             Ramdisk Options
ramdisksdidevice        partition=D:
ramdisksdipath          \Recovery\WindowsRE\boot.sdi


****** End Of Log ******


==========================================================================


Finally, a system status update:

Currently, Windows Explorer shows (C:), Libraries, Favorites, as empty.

This needs fixing.

Thank you for assisting.

-mlkuhn07





#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:37 AM

Posted 13 April 2013 - 08:01 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Search for and delete the adware and PUPs (Potentially Unwanted Programs) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Delete tab and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
Please paste the logs in your next reply; DO NOT ATTACH THEM.
Let me know what problem persists.

#3 mlkuhn07

mlkuhn07
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:37 AM

Posted 16 April 2013 - 11:59 AM

nasdaq --

Sorry I have not replied - taxes have occupied my time since Friday.

Please let me ask one question -

My current situation on the subject PC laptop is "the C drive is obfuscated". I know the files are still there because I can launch various MS Office programs by entering their file name in the Start\Search Programs and Files box.

Comment -- I read that running ComboFix may overwrite partitions -- SO --

before I run ComboFix I need to know that you reviewed my logs entered in this topic and that you are confident that I will not overwrite program or user data on the C drive by following your steps. Unfortunately, there has not been a backup of user data in 8 months and I can't lose the data, if at all possible.

Appreciate your response.

mlkuhn07

Mike



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:37 AM

Posted 17 April 2013 - 07:49 AM

Try this.

To make your files visible again, please download the following program to your desktop: Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

This may take some time; please let it finish.
=====

However, variants of the FakeHDD rogue programs are now deleting the following folders and storing them in a numbered folder under %Temp%\smtmp\:

%Temp%\smtmp\1\ => %AllUsersProfile%\Start Menu
%Temp%\smtmp\2\ => %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch
%Temp%\smtmp\3\ => %AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
%Temp%\smtmp\4\ => %AllUsersProfile%\Desktop

It goes without saying that running a %temp% cleaner ahead of restoration would result in loss of these folders.
===

Then run this Scanner.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetOnline.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  • Check esetAcceptTerms.png
  • Click the esetStart.png button.
  • Accept any security warnings from your browser.
  • Check esetScanArchives.png
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the esetBack.png button.
  • Push the esetFinish.png button.

P.S. ComboFix does not change the partition. Forget about it for now.

If you can, run the other tools I previously suggested, but not ComboFix.
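The smtmp relocation and the hidden-attribute trick described in the post above can be checked before touching anything. The following PowerShell script is an added example, not nasdaq's post and not part of Unhide.exe or any BleepingComputer tool: it reports what sits in each %Temp%\smtmp\N folder against the mapping from the post, copies it back only when an assumed -Restore switch is given, and counts hidden files under the profile so the effect of Unhide.exe can be compared before and after. The Quick Launch path under %AppData% is assumed to be the Windows 7 location.

```powershell
param([switch]$Restore)   # assumed switch: without it the script only reports

$smtmpRoot = Join-Path $env:TEMP 'smtmp'
# Numbered smtmp folder -> original location, per the mapping in the post.
# Quick Launch under %AppData% (...\AppData\Roaming) is the assumed Windows 7 path.
$map = @{
    '1' = [Environment]::GetFolderPath('CommonStartMenu')        # %AllUsersProfile%\Start Menu
    '2' = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
    '3' = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'
    '4' = [Environment]::GetFolderPath('CommonDesktopDirectory') # %AllUsersProfile%\Desktop
}

if (-not (Test-Path -LiteralPath $smtmpRoot)) {
    Write-Host "No $smtmpRoot found: this variant did not relocate the folders."
    return
}

foreach ($n in ($map.Keys | Sort-Object)) {
    $src = Join-Path $smtmpRoot $n
    $dst = $map[$n]
    if (-not (Test-Path -LiteralPath $src)) { continue }
    # PowerShell 2.0 compatible file count (no -File switch on Windows 7's default shell)
    $files = @(Get-ChildItem -LiteralPath $src -Recurse -Force | Where-Object { -not $_.PSIsContainer })
    Write-Host ("smtmp\{0}: {1} file(s) that belong in {2}" -f $n, $files.Count, $dst)
    if ($Restore) {
        if (-not (Test-Path -LiteralPath $dst)) { New-Item -ItemType Directory -Path $dst | Out-Null }
        # Copy rather than move so the smtmp copy survives until the result is verified.
        Copy-Item -Path (Join-Path $src '*') -Destination $dst -Recurse -Force
    }
}

# The rogue also sets the hidden attribute on user files; count them so the effect
# of Unhide.exe can be checked before and after it runs.
$hidden = @(Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Hidden) })
Write-Host ("{0} hidden file(s) under {1}" -f $hidden.Count, $env:USERPROFILE)
```

Run it once without -Restore to see the counts, and only add -Restore after confirming the smtmp folders hold the expected Start Menu and Desktop shortcuts; a normal profile always has some legitimately hidden files (ntuser.dat, AppData), so compare the count rather than expecting zero.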




#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:37 AM

Posted 23 April 2013 - 08:03 AM

Are you still with me?

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:37 AM

Posted 29 April 2013 - 07:20 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



