
PCEU virus and windows 8


  • This topic is locked
114 replies to this topic

#1 bricowie

  • Members
  • 60 posts

Posted 24 May 2013 - 07:06 AM

Hi all,

 

I have a lenovo x200 tablet running win8, 64bit.

It has contracted the PCEU virus and I have tried  a few things to get rid but without success. Hope someone can help!

 

The virus does not let me restart in any safe mode (it just restarts at login) but I can start command mode.

 

I tried creating a HitmanPro flash drive but this just loads and sends me through the automatic recovery loop (which doesn't fix anything) before restarting again at login. I tried running the HitmanPro program from the command line and this loads OK. However, amazingly, this requires that you have internet access before it will run a scan(!), which I don't have in command mode.

 

I looked at another post on this site and saw someone with a similar problem, so I loaded FRST64 onto a flash drive and ran this - the scan result is attached if that helps......? (Attached file: FRST.txt, 19.43KB)

 

Can anyone help get rid of this horrible pest?

 

Cheers

 

Bri





#2 bricowie

  • Topic Starter
  • Members
  • 60 posts

Posted 26 May 2013 - 06:22 AM

Here's the printout of the attachment, if this makes things easier. Hope you can assist! Cheers

Bri

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-05-2013
Ran by SYSTEM on 24-05-2013 12:35:58
Running from E:\
Windows 8 Enterprise (X64) OS Language: English(UK)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [TrackPointSrv] C:\Program Files\Lenovo\TrackPoint\tp4serv.exe [136552 2009-11-24] (Lenovo Group Limited)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)
HKLM-x32\...\Run: [Communicator] "C:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey [12100696 2012-07-27] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [CentraStage] C:\Program Files (x86)\CentraStage\Gui.exe [1261568 2013-05-16] (CentraStage)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1644680 2013-01-28] (Ask)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKU\brian_000\...\Run: [BrowserChoice] "C:\Windows\BrowserChoice\browserchoice.exe" /run [86696 2012-08-15] (Microsoft Corporation)
HKU\brian_000\...\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE" [911160 2012-01-18] (Microsoft Corporation)
HKU\brian_000\...\Run: [Spotify Web Helper] "C:\Users\brian_000\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1105408 2013-05-08] (Spotify Ltd)
HKU\brian_000\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18642024 2013-02-28] (Skype Technologies S.A.)
HKU\brian_000\...\Run: [Spotify] "C:\Users\brian_000\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart [4573184 2013-05-08] (Spotify Ltd)
HKU\brian_000\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\brian_000\Documents\1b3bbe5d.exe [38400 2013-05-23] ()
HKU\brian_000\...\Winlogon: [Shell] cmd.exe [404992 2012-07-26] (Microsoft Corporation) <==== ATTENTION 
Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\brian_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
 
==================== Services (Whitelisted) =================
 
S4 AdtAgent; C:\Windows\system32\AdtAgent.exe [343936 2009-05-08] (Microsoft Corporation)
S2 CagService; C:\Program Files (x86)\CentraStage\CagService.exe [7680 2013-05-16] (CentraStage)
S2 HealthService; C:\Program Files\System Center Operations Manager 2007\HealthService.exe [30592 2009-05-08] (Microsoft Corporation)
S2 HPSLPSVC; C:\Users\BRIAN_~1\AppData\Local\Temp\7zS65E7\hpslpsvc64.dll [1039360 2012-11-14] (Hewlett-Packard Co.)
S3 lpasvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [53880 2012-09-04] (Microsoft Corporation)
S3 lppsvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [53880 2012-09-04] (Microsoft Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
S2 msoidsvc; C:\Program Files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSVC.EXE [2024864 2010-08-17] (Microsoft Corp.)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
S2 OmcSvc; C:\Program Files\Microsoft\OnlineManagement\Common\omsvchost2.exe [56864 2013-01-18] (Microsoft Corporation)
S2 omupdsrv; C:\Program Files\Microsoft\OnlineManagement\Common\omsvchost.exe [56336 2012-11-28] (Microsoft Corporation)
S2 SignalingAgent; C:\Program Files\Microsoft\OnlineManagement\Common\omsvchost2.exe [56864 2013-01-18] (Microsoft Corporation)
S2 uvnc_service; C:\Program Files (x86)\CentraStage\UltraVNC\winvnc.exe [1737200 2012-11-25] (UltraVNC)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [14920 2013-01-29] (Microsoft Corporation)
S2 WMCoreService; C:\Program Files (x86)\Mobile Broadband drivers\WMCore\mini_WMCore.exe [648744 2011-08-12] (Ericsson AB)
 
==================== Drivers (Whitelisted) ====================
 
S3 e36wmgmt; C:\Windows\system32\DRIVERS\e36wmgmt.sys [140800 2009-07-16] (MCCI Corporation)
S3 ecnssndis; C:\Windows\System32\Drivers\wwuss64.sys [26664 2011-06-13] (Ericsson AB)
S3 ecnssndisfltr; C:\Windows\System32\Drivers\wwussf64.sys [30248 2011-06-13] (Ericsson AB)
S3 lnvobus; C:\Windows\System32\drivers\lnvobus.sys [327680 2008-12-16] (MCCI Corporation)
S3 lnvocard; C:\Windows\system32\DRIVERS\lnvocard.sys [378880 2008-12-16] (MCCI Corporation)
S3 lnvogps; C:\Windows\system32\DRIVERS\lnvogps64.sys [87592 2008-10-23] (Ericsson AB)
S3 lnvomdfl; C:\Windows\system32\DRIVERS\lnvomdfl.sys [19456 2008-12-16] (MCCI Corporation)
S3 lnvomdfl2; C:\Windows\system32\DRIVERS\lnvomdfl2.sys [19456 2008-12-16] (MCCI Corporation)
S3 lnvomdm; C:\Windows\system32\DRIVERS\lnvomdm.sys [422912 2008-12-16] (MCCI Corporation)
S3 lnvomdm2; C:\Windows\system32\DRIVERS\lnvomdm2.sys [474624 2008-12-16] (MCCI Corporation)
S3 lnvond5; C:\Windows\system32\DRIVERS\lnvond5.sys [34816 2008-12-16] (MCCI Corporation)
S3 lnvounic; C:\Windows\System32\drivers\lnvounic.sys [431104 2008-12-16] (MCCI Corporation)
S3 Mbm3CBus; C:\Windows\System32\drivers\Mbm3CBus.sys [419400 2011-04-29] (MCCI Corporation)
S3 Mbm3mdfl; C:\Windows\system32\DRIVERS\Mbm3mdfl.sys [19528 2011-04-29] (MCCI Corporation)
S3 Mbm3Mdm; C:\Windows\system32\DRIVERS\Mbm3Mdm.sys [483400 2011-04-29] (MCCI Corporation)
S0 MpBoot; C:\Windows\System32\DRIVERS\MpBoot.sys [35232 2013-01-27] (Microsoft Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S3 NisDrv; C:\Windows\system32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
S3 Sony_EricssonWWSC; C:\Windows\system32\DRIVERS\lnvoscard64.sys [30760 2008-07-08] (Sony Ericsson)
S3 Tp4Track; C:\Windows\system32\DRIVERS\tp4track.sys [28272 2009-11-24] (Lenovo Group Limited)
S3 wisdpen; C:\Windows\System32\drivers\wisdpen.sys [44656 2011-01-04] (Wacom Technology)
S3 WUDFSensorLP; C:\Windows\system32\DRIVERS\WUDFRd.sys [198656 2012-07-26] (Microsoft Corporation)
S3 WwanUsbServ; C:\Windows\system32\DRIVERS\WwanUsbMp64.sys [268840 2011-08-12] (Ericsson AB)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-05-24 12:35 - 2013-05-24 12:35 - 00000000 ____D C:\FRST
2013-05-23 13:39 - 2013-05-24 12:29 - 00000000 ____A C:\Recovery.txt
2013-05-23 10:01 - 2013-05-23 10:01 - 01038459 ____A C:\Users\brian_000\AppData\Local\2433f433
2013-05-23 10:01 - 2013-05-23 10:01 - 01038443 ____A C:\ProgramData\2433f433
2013-05-23 10:01 - 2013-05-23 10:01 - 00038400 ____A C:\Users\brian_000\Documents\1b3bbe5d.exe
2013-05-21 11:41 - 2013-05-21 11:41 - 00000000 ____D C:\Users\brian_000\Desktop\WP
2013-05-21 09:28 - 2013-05-21 23:07 - 00803713 ____A C:\Users\brian_000\Desktop\Funding your start-up.pptx
2013-05-15 04:43 - 2013-04-09 23:17 - 19231232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-15 04:43 - 2013-04-09 22:29 - 14323712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-05-15 04:42 - 2013-04-16 02:34 - 01455368 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-05-15 04:42 - 2013-04-11 06:40 - 06987528 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-05-15 04:42 - 2013-04-09 23:17 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-05-15 04:42 - 2013-04-09 23:17 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-05-15 04:42 - 2013-04-09 23:17 - 00915968 ____A (Microsoft Corporation) C:\Windows\System32\uxtheme.dll
2013-05-15 04:42 - 2013-04-09 23:17 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-05-15 04:42 - 2013-04-09 23:17 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-05-15 04:42 - 2013-04-09 23:16 - 15404032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-05-15 04:42 - 2013-04-09 23:16 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-05-15 04:42 - 2013-04-09 23:16 - 02647552 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-05-15 04:42 - 2013-04-09 23:16 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-05-15 04:42 - 2013-04-09 22:30 - 01767424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-05-15 04:42 - 2013-04-09 22:30 - 01130496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-05-15 04:42 - 2013-04-09 22:29 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-05-15 04:42 - 2013-04-09 22:29 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-05-15 04:42 - 2013-04-09 22:29 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-05-15 04:42 - 2013-04-09 22:29 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-05-15 04:42 - 2013-04-09 22:29 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-05-15 04:41 - 2013-03-15 00:17 - 00861184 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\http.sys
2013-05-11 21:52 - 2013-05-12 15:05 - 00000024 ____A C:\Users\brian_000\random.dat
2013-05-11 21:52 - 2013-05-12 14:58 - 00000048 ____A C:\Users\brian_000\jagex_cl_oldschool_LIVE.dat
2013-05-11 21:52 - 2013-05-11 21:52 - 00000000 ____D C:\Users\brian_000\jagexcache
2013-05-08 13:31 - 2013-05-08 13:32 - 00000000 ____D C:\Users\brian_000\AppData\Roaming\HP
2013-05-08 13:31 - 2013-05-08 13:31 - 00000000 ____D C:\Users\brian_000\AppData\Local\HP
2013-05-08 13:31 - 2013-05-08 13:31 - 00000000 ____D C:\ProgramData\WEBREG
2013-05-08 13:07 - 2013-05-15 13:28 - 00000000 ____D C:\Users\brian_000\AppData\Roaming\HpUpdate
2013-05-08 13:06 - 2013-05-08 13:06 - 00001315 ____A C:\Users\Public\Desktop\HP Solution Center.lnk
2013-05-08 13:06 - 2013-05-08 13:06 - 00001161 ____A C:\Users\Public\Desktop\Shop for HP Supplies.lnk
2013-05-08 13:06 - 2013-05-08 13:06 - 00001097 ____A C:\Users\Public\Desktop\HP Photo Creations.lnk
2013-05-08 13:06 - 2013-05-08 13:06 - 00000000 ____D C:\ProgramData\HP Product Assistant
2013-05-08 13:06 - 2013-05-08 13:06 - 00000000 ____D C:\ProgramData\HP Photo Creations
2013-05-08 13:06 - 2013-05-08 13:06 - 00000000 ____D C:\Program Files (x86)\HP Photo Creations
2013-05-08 13:05 - 2013-05-08 13:31 - 00227404 ____A C:\Windows\hpoins31.dat
2013-05-08 13:05 - 2013-05-08 13:31 - 00000828 ____A C:\ProgramData\hpzinstall.log
2013-05-08 13:05 - 2013-05-08 13:07 - 00000000 ____D C:\Program Files (x86)\HP
2013-05-08 13:05 - 2012-10-15 10:21 - 00000955 ____N C:\Windows\hpomdl31.dat
2013-05-08 13:04 - 2012-08-21 06:52 - 01421312 ____A (Hewlett-Packard Co.) C:\Windows\System32\hpost_p01d.dll
2013-05-08 13:04 - 2009-07-08 10:51 - 00966656 ____A (Hewlett-Packard) C:\Windows\System32\hposwia_p01d.dll
2013-05-08 13:04 - 2009-07-08 10:51 - 00551424 ____A (Hewlett-Packard) C:\Windows\System32\hppldcoi.dll
2013-05-08 13:04 - 2009-07-08 10:51 - 00512512 ____A (Hewlett-Packard Co.) C:\Windows\System32\hposc_p01a.dll
2013-05-08 12:51 - 2013-05-08 13:03 - 291235352 ____A C:\Users\brian_000\Downloads\PS_AIO_04_C6300_Net_Full_Win_WW_140_408(1).exe
2013-05-08 12:46 - 2013-05-08 12:46 - 02311288 ____A C:\Users\brian_000\Downloads\hppiw.exe
2013-05-08 12:14 - 2013-05-10 21:16 - 00422912 ____A C:\Windows\System32\FNTCACHE.DAT
2013-04-29 13:37 - 2013-05-11 09:55 - 00010353 ____A C:\Users\brian_000\Desktop\assets2013.xlsx
 
==================== One Month Modified Files and Folders =======
 
2013-05-24 12:35 - 2013-05-24 12:35 - 00000000 ____D C:\FRST
2013-05-24 12:29 - 2013-05-23 13:39 - 00000000 ____A C:\Recovery.txt
2013-05-24 11:28 - 2012-07-26 05:26 - 00262144 __ASH C:\Windows\System32\config\BBI
2013-05-24 11:01 - 2012-07-26 07:28 - 00868408 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-24 10:54 - 2012-10-09 14:40 - 01630589 ____A C:\Windows\WindowsUpdate.log
2013-05-23 12:15 - 2012-07-26 07:22 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-23 10:54 - 2012-07-26 08:12 - 00000000 ____D C:\Windows\System32\sru
2013-05-23 10:52 - 2012-07-26 08:12 - 00000000 ____D C:\Windows\AUInstallAgent
2013-05-23 10:07 - 2012-11-14 10:07 - 00000336 ____A C:\Windows\Tasks\Microsoft.OnlineManagement.UpdateAgentTask.job
2013-05-23 10:01 - 2013-05-23 10:01 - 01038459 ____A C:\Users\brian_000\AppData\Local\2433f433
2013-05-23 10:01 - 2013-05-23 10:01 - 01038443 ____A C:\ProgramData\2433f433
2013-05-23 10:01 - 2013-05-23 10:01 - 00038400 ____A C:\Users\brian_000\Documents\1b3bbe5d.exe
2013-05-23 09:59 - 2012-10-26 14:17 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-23 09:18 - 2012-12-07 19:01 - 00000000 ____D C:\Users\brian_000\AppData\Roaming\Spotify
2013-05-23 09:18 - 2012-10-10 10:08 - 00000000 ____D C:\Users\brian_000\Documents\Outlook Files
2013-05-23 08:24 - 2012-11-14 10:18 - 00000418 _RASH C:\ProgramData\ntuser.pol
2013-05-23 08:19 - 2012-12-07 19:01 - 00000000 ____D C:\Users\brian_000\AppData\Local\Spotify
2013-05-21 23:07 - 2013-05-21 09:28 - 00803713 ____A C:\Users\brian_000\Desktop\Funding your start-up.pptx
2013-05-21 23:01 - 2013-02-08 10:47 - 00000000 ____D C:\Users\brian_000\AppData\Roaming\Skype
2013-05-21 11:41 - 2013-05-21 11:41 - 00000000 ____D C:\Users\brian_000\Desktop\WP
2013-05-17 10:56 - 2012-10-09 16:29 - 00000000 ____D C:\Users\brian_000\Tracing
2013-05-16 12:19 - 2012-11-29 14:39 - 00000000 ____D C:\Program Files (x86)\CentraStage
2013-05-16 02:01 - 2012-10-09 15:02 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-05-15 13:28 - 2013-05-08 13:07 - 00000000 ____D C:\Users\brian_000\AppData\Roaming\HpUpdate
2013-05-12 15:05 - 2013-05-11 21:52 - 00000024 ____A C:\Users\brian_000\random.dat
2013-05-12 14:58 - 2013-05-11 21:52 - 00000048 ____A C:\Users\brian_000\jagex_cl_oldschool_LIVE.dat
2013-05-11 21:52 - 2013-05-11 21:52 - 00000000 ____D C:\Users\brian_000\jagexcache
2013-05-11 21:52 - 2012-10-09 14:40 - 00000000 ____D C:\users\brian_000
2013-05-11 09:55 - 2013-04-29 13:37 - 00010353 ____A C:\Users\brian_000\Desktop\assets2013.xlsx
2013-05-10 21:16 - 2013-05-08 12:14 - 00422912 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-10 21:16 - 2012-10-09 14:13 - 00013550 ____A C:\Windows\PFRO.log
2013-05-08 13:32 - 2013-05-08 13:31 - 00000000 ____D C:\Users\brian_000\AppData\Roaming\HP
2013-05-08 13:31 - 2013-05-08 13:31 - 00000000 ____D C:\Users\brian_000\AppData\Local\HP
2013-05-08 13:31 - 2013-05-08 13:31 - 00000000 ____D C:\ProgramData\WEBREG
2013-05-08 13:31 - 2013-05-08 13:05 - 00227404 ____A C:\Windows\hpoins31.dat
2013-05-08 13:31 - 2013-05-08 13:05 - 00000828 ____A C:\ProgramData\hpzinstall.log
2013-05-08 13:31 - 2012-12-19 18:18 - 00000000 ____D C:\ProgramData\HP
2013-05-08 13:31 - 2012-07-26 05:26 - 00000202 ____A C:\Windows\win.ini
2013-05-08 13:07 - 2013-05-08 13:05 - 00000000 ____D C:\Program Files (x86)\HP
2013-05-08 13:06 - 2013-05-08 13:06 - 00001315 ____A C:\Users\Public\Desktop\HP Solution Center.lnk
2013-05-08 13:06 - 2013-05-08 13:06 - 00001161 ____A C:\Users\Public\Desktop\Shop for HP Supplies.lnk
2013-05-08 13:06 - 2013-05-08 13:06 - 00001097 ____A C:\Users\Public\Desktop\HP Photo Creations.lnk
2013-05-08 13:06 - 2013-05-08 13:06 - 00000000 ____D C:\ProgramData\HP Product Assistant
2013-05-08 13:06 - 2013-05-08 13:06 - 00000000 ____D C:\ProgramData\HP Photo Creations
2013-05-08 13:06 - 2013-05-08 13:06 - 00000000 ____D C:\Program Files (x86)\HP Photo Creations
2013-05-08 13:03 - 2013-05-08 12:51 - 291235352 ____A C:\Users\brian_000\Downloads\PS_AIO_04_C6300_Net_Full_Win_WW_140_408(1).exe
2013-05-08 12:46 - 2013-05-08 12:46 - 02311288 ____A C:\Users\brian_000\Downloads\hppiw.exe
2013-05-08 12:19 - 2012-11-06 13:40 - 00000000 ____D C:\ProgramData\CentraStage
2013-05-08 12:14 - 2012-10-13 12:59 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-05-07 20:07 - 2012-07-26 08:14 - 00693112 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-05-07 20:07 - 2012-07-26 08:14 - 00078200 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-05-04 17:08 - 2012-10-10 09:54 - 00000000 ____D C:\Users\brian_000\Documents\Pers
2013-05-02 15:29 - 2012-10-12 16:10 - 00278800 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-05-01 21:59 - 2012-12-16 12:50 - 00000000 ____D C:\Users\brian_000\Documents\Jamie Work
 
Other Malware:
===========
C:\Users\brian_000\g2mdlhlpx.exe
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
TDL4: custom:26000022 <===== ATTENTION!
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 12%
Total physical RAM: 6040.02 MB
Available physical RAM: 5312.66 MB
Total Pagefile: 6040.02 MB
Available Pagefile: 5334.96 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:111.45 GB) (Free:63.75 GB) NTFS (Disk=0 Partition=2)
Drive e: (HITMANPRO) (Removable) (Total:1.88 GB) (Free:1.86 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.34 GB) (Free:0.11 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected.
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 112 GB) (Disk ID: 84BB668E)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=111 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 2 GB) (Disk ID: ECDFF8CC)
Partition 1: (Active) - (Size=2 GB) - (Type=0B)
 
 
Last Boot: 2013-05-22 08:31
 
==================== End Of Log ============================


#3 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,631 posts

Posted 29 May 2013 - 07:10 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/495677 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 bricowie

  • Topic Starter
  • Members
  • 60 posts

Posted 29 May 2013 - 07:59 AM

Hi, many thanks for your help.....To answer your questions

 

1. The PCEU virus has taken over my laptop. Initially, it held the laptop to ransom in the usual way, once logged in to Windows 8. However, after trying a couple of ways around the problem (see my first post), it seems to have moved on. I cannot get into safe mode but I can get to the command line. However, in the command line, I cannot run explorer as it doesn't seem to find the program.

 

2. The DDS program doesn't appear to address Windows 8 - should I still attempt to run it?

(The last thing I did on the laptop was to run the Farbar program (scan results above) - I have left it alone since then, while waiting for your assistance.)

The windows version is Windows8 enterprise 64 bit.

 

3. I don't have the original Windows CDs.

 

4. I await your instructions!

 

Many thanks

 

Bri



#5 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,624 posts
  • Location:California

Posted 30 May 2013 - 08:44 AM

Greetings Bri and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, use the "Reply to Topic" button instead.
  • In the upper right hand corner of the topic you will see the "Follow Topic" button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started!
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. We apologize for the delay.

I must tell you from the start Windows 8 issues are inherently difficult because many of the tools we routinely use are not compatible with this operating system, as you have already found with DDS. Nevertheless we will do our best. Please run this for me.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
HKU\brian_000\...\Winlogon: [Shell] cmd.exe [404992 2012-07-26] (Microsoft Corporation) <==== ATTENTION 
2013-05-23 10:01 - 2013-05-23 10:01 - 01038459 ____A C:\Users\brian_000\AppData\Local\2433f433
2013-05-23 10:01 - 2013-05-23 10:01 - 01038443 ____A C:\ProgramData\2433f433
2013-05-23 10:01 - 2013-05-23 10:01 - 00038400 ____A C:\Users\brian_000\Documents\1b3bbe5d.exe
C:\Users\brian_000\g2mdlhlpx.exe
TDL4: custom:26000022 <===== ATTENTION!
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up) and select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt) please post it to your reply.
  • Please attempt to boot your computer into Normal Mode
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • FRST log
  • Were you able to boot your computer?

Edited by Oh My, 30 May 2013 - 09:24 AM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
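Reading the FRST log in post #2 and building the fixlist in post #5 come down to the same triage: pick out the autorun and file entries that do not belong, then hand those exact lines back to FRST. The script below is an added example written for this thread; it is not code from the thread, from BleepingComputer or from Farbar's FRST. It encodes the checks a helper makes by eye on the log above (a Winlogon Shell value other than explorer.exe, Run entries with no publisher string, a random-looking value name or a target in a user-writable folder, recently created executables with no publisher in such folders, and FRST's own "<==== ATTENTION" markers) and emits the flagged lines verbatim as fixlist.txt. The sample lines are copied from the log above with a few benign ones mixed in; every pattern and threshold is a heuristic chosen for this example, and the function and constant names are mine.

```python
"""Triage FRST log lines the way a helper reads them, then emit a fixlist.

Added example for this thread (not Farbar's code). All regexes, folder
lists and thresholds are heuristics chosen here; tune them to your own logs.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", ["line", "reasons"])

# Registry autorun entry:  key: [name] command [size date] (publisher)
AUTORUN_RE = re.compile(
    r"^(?P<key>HK\S*?\\(?P<kind>Run|RunOnce|Winlogon)): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)"
)
# File entry:  created - modified - size attrs [(publisher)] path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?:\((?P<publisher>[^)]*)\) )?(?P<path>.+)$"
)
# A line that is nothing but a path, as in the "Other Malware:" section above
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\[^\[\]=]+$")
# FRST's own arrow markers ("<==== ATTENTION"); the plain word appears in benign lines too
FRST_MARK_RE = re.compile(r"<=+ ATTENTION")
# First executable on a command line, quoted or not
EXE_PATH_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|dll|cpl|scr|bat|cmd|com))(?:\s|$)', re.I)
# Places a standard user can write to and where legitimate autoruns are rare (heuristic)
LOW_TRUST_DIR_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:Documents|Downloads|Desktop)\\"  # user document folders
    r"|\\Users\\[^\\]+\\[^\\]+$"                            # file directly in the profile root
    r"|\\AppData\\Local\\Temp\\"                            # temp
    r"|\\AppData\\Local\\[^\\]+$"                           # file directly in AppData\Local
    r"|\\ProgramData\\[^\\]+$",                             # file directly in ProgramData
    re.I,
)
EXEC_EXT = {"exe", "dll", "sys", "scr", "com", "cpl", "bat", "cmd", ""}  # "" = no extension
RANDOM_NAME_RE = re.compile(r"(?=.*\d)[a-z0-9]{16,}")  # long lowercase alphanumeric blob
EXPECTED_WINLOGON = {"shell": "explorer.exe", "userinit": "userinit.exe"}


def target_path(cmd):
    """Return the executable a Run/Winlogon command line launches."""
    m = EXE_PATH_RE.match(cmd)
    if m:
        return m.group("q") or m.group("u")
    return cmd.split()[0] if cmd.split() else cmd


def file_ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def triage(log_text):
    """Return a Finding(line, reasons) for every suspicious line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        reasons = []
        if FRST_MARK_RE.search(line):
            reasons.append("marked by FRST")
        m = AUTORUN_RE.match(line)
        f = FILE_RE.match(line)
        if m:
            path = target_path(m.group("cmd"))
            if m.group("kind") == "Winlogon":
                expected = EXPECTED_WINLOGON.get(m.group("name").lower())
                actual = path.rsplit("\\", 1)[-1].lower()
                if expected and actual != expected:
                    reasons.append(f"Winlogon {m.group('name')} is {actual}, expected {expected}")
            else:
                if not m.group("publisher").strip():
                    reasons.append("autorun with no publisher")
                if LOW_TRUST_DIR_RE.search(path):
                    reasons.append("autorun target in user-writable location")
                if RANDOM_NAME_RE.fullmatch(m.group("name")):
                    reasons.append("random-looking value name")
        elif f and not f.group("publisher"):
            if LOW_TRUST_DIR_RE.search(f.group("path")) and file_ext(f.group("path")) in EXEC_EXT:
                reasons.append("new executable or extensionless file, no publisher, user-writable location")
        elif BARE_PATH_RE.match(line):
            reasons.append("bare path listed on its own (Other Malware section)")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def build_fixlist(findings):
    """FRST's fixlist.txt is simply the flagged log lines copied verbatim."""
    return "\n".join(f.line for f in findings) + "\n"


# Constructed sample: lines from the log posted above plus benign ones for contrast.
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)
HKU\brian_000\...\Run: [Spotify] "C:\Users\brian_000\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart [4573184 2013-05-08] (Spotify Ltd)
HKU\brian_000\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\brian_000\Documents\1b3bbe5d.exe [38400 2013-05-23] ()
HKU\brian_000\...\Winlogon: [Shell] cmd.exe [404992 2012-07-26] (Microsoft Corporation) <==== ATTENTION
2013-05-23 10:01 - 2013-05-23 10:01 - 01038459 ____A C:\Users\brian_000\AppData\Local\2433f433
2013-05-23 10:01 - 2013-05-23 10:01 - 00038400 ____A C:\Users\brian_000\Documents\1b3bbe5d.exe
2013-05-15 04:42 - 2013-04-11 06:40 - 06987528 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
C:\Users\brian_000\g2mdlhlpx.exe
TDL4: custom:26000022 <===== ATTENTION!
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for item in found:
        print(f"{item.line}\n    -> {'; '.join(item.reasons)}")
    print("\n--- fixlist.txt ---\n" + build_fixlist(found))
```

The heuristics deliberately err toward flagging: the helper still decides what goes into the fixlist. Note that the publisher string FRST prints in parentheses comes from the file's version resource, not from a signature check, so an empty one is a hint rather than proof, and a legitimate app in AppData (Spotify, Skype in the log above) is left alone by the folder rule on purpose.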

#6 bricowie

  • Topic Starter
  • Members
  • 60 posts

Posted 30 May 2013 - 09:12 AM

Hi Gary

Many thanks for your reply. I am standing by and await your instructions.....let's kill this one!

Cheers

Bri



#7 bricowie


Posted 30 May 2013 - 04:29 PM

Hi Gary,

Fix log as follows:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-05-2013
Ran by SYSTEM at 2013-05-30 21:53:53 Run:1
Running from D:\
Boot Mode: Recovery
==============================================

HKEY_USERS\brian_000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
C:\Users\brian_000\AppData\Local\2433f433 => Moved successfully.
C:\ProgramData\2433f433 => Moved successfully.
C:\Users\brian_000\Documents\1b3bbe5d.exe => Moved successfully.
C:\Users\brian_000\g2mdlhlpx.exe => Moved successfully.

The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====

I then attempted a normal restart but this stalled with the following message in cmd.exe

"C:users\brian_000\documents\1b3bbe5d.exe" is not recognized as an internal or external command, operable program or batch file

Some progress, I hope, but over to you Gary.......many thanks!

Bri



#8 bricowie


Posted 31 May 2013 - 04:36 AM

Hi Gary,

Fix log as follows:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-05-2013
Ran by SYSTEM at 2013-05-30 21:53:53 Run:1
Running from D:\
Boot Mode: Recovery
==============================================

HKEY_USERS\brian_000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
C:\Users\brian_000\AppData\Local\2433f433 => Moved successfully.
C:\ProgramData\2433f433 => Moved successfully.
C:\Users\brian_000\Documents\1b3bbe5d.exe => Moved successfully.
C:\Users\brian_000\g2mdlhlpx.exe => Moved successfully.

The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====

I then attempted a normal restart but this stalled with the following message in cmd.exe

"C:users\brian_000\documents\1b3bbe5d.exe" is not recognized as an internal or external command, operable program or batch file

Some progress, I hope, but over to you Gary.......many thanks!

Bri


#9 Oh My!

  • Malware Response Instructor

Posted 31 May 2013 - 08:15 AM

I then attempted a normal restart but this stalled with the following message in cmd.exe


I am not sure I understand exactly what is happening. Are you saying during the boot up process the black cmd window opens and says "C:users\brian_000\documents\1b3bbe5d.exe" is not recognized as an internal or external command, operable program or batch file"?


Edited by Oh My, 31 May 2013 - 08:16 AM.

Gary

#10 bricowie


Posted 31 May 2013 - 08:35 AM

I then attempted a normal restart but this stalled with the following message in cmd.exe

I am not sure I understand exactly what is happening. Are you saying during the boot up process the black cmd window opens and says "C:users\brian_000\documents\1b3bbe5d.exe" is not recognized as an internal or external command, operable program or batch file"?

The black cmd window opens after I type in my login and password



#11 Oh My!


Posted 31 May 2013 - 09:22 AM

Hi Bri,

OK, that helps a lot. Please do this.

===================================================

Run GETxPUD CD with MBR Report and Driver Search

--------------------
  • Using a clean computer download GETxPUD.exe to the desktop of your computer
  • Launch GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image
  • Click on Start and follow the prompts to burn the image to a CD.
  • Format your USB then download dumpit and driver.sh to your USB device
  • Remove the USB and insert it into the infected computer
  • Boot your infected computer with the GETxPUD CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 while booting to go into Setup and change Boot Sequence to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 or sdc1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?) If it is not there remove the USB device for 5 seconds then reinsert
  • Double click on the Dumpit file
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Click Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh and press Enter
  • After it has finished a report will be located on your USB device named report.txt
  • Now type bash driver.sh -af and press Enter
  • You will be prompted to input a file name. Please type the following then press Enter:

Winlogon.exe

  • After the search is completed please type the following then press Enter:

volsnap.sys

  • After the search is completed please type the following then press Enter:

explorer.exe

  • After the search is completed please type the following then press Enter:

Userinit.exe

  • After the search is complete please type Exit and press Enter
  • A report will be located in the USB drive as filefind.txt
  • Remove the USB drive, insert it back in your working computer
  • Copy and paste the contents of filefind.txt in your reply
  • Please zip and attach report.txt to your reply
  • Please attach mbr.zip to your reply
===================================================

Things I would like to see in your next reply.
  • filefind.txt
  • report.zip
  • mbr.zip

Gary

#12 bricowie


Posted 31 May 2013 - 10:13 AM

Hi Gary

Small problem.......the infected laptop doesn't have a CD drive.....

:(

Bri



#13 Oh My!


Posted 31 May 2013 - 10:17 AM

Just a minor bump in the road. Let's do it this way.

===================================================

xPUD MBR Dump and Driver Scan using USB

--------------------

Try this please. You will need a USB drive with no less than 64 MB of space.
  • Insert your USB drive. Caution: The next step will remove all information from your USB device.
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Download xPUD 0.9.2 iso, saving the file to your Desktop.
  • Download UNetbootin and save it to your Desktop as well.
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded.
  • Press Run then OK.
  • Note: If you receive the message "You must select a distribution to load" just follow the instructions/image below
  • Select the Diskimage Option then click the Browse Button located on the right side of the textbox field.

[image: SelectDiskImage.gif]

  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?) If it is not there remove the USB device for 5 seconds then reinsert.
  • Confirm that you see driver.sh that you downloaded there
  • Click Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh and press Enter
  • After it has finished a report will be located on your USB device named report.txt
  • Now type bash driver.sh -af and press Enter
  • You will be prompted to input a file name. Please type the following then press Enter:

Winlogon.exe

  • After the search is completed please type the following then press Enter:

volsnap.sys

  • After the search is completed please type the following then press Enter:

explorer.exe

  • After the search is completed please type the following then press Enter:

Userinit.exe

  • After the search is complete please type Exit and press Enter
  • A report will be located in the USB drive as filefind.txt
  • Now please type the following and press Enter. Make sure there is a space between each part of the command.

dd if=/dev/sda of=mbr.zip bs=512 count=1

  • After it has finished (within just a few seconds) a file will be located on your USB drive named mbr.bin.
  • Remove the USB drive, insert it back in your working computer
  • Copy and paste the contents of filefind.txt in your reply
  • Please zip and attach report.txt to your reply
  • Please attach mbr.zip to your reply
===================================================

Things I would like to see in your next reply.
  • filefind.txt
  • report.zip
  • mbr.zip

Gary

#14 bricowie


Posted 31 May 2013 - 12:56 PM

Hi Gary

Attached is report.zip

I can find a mbr.zip......?

Filefind as follows:

Cheers

Bri


Search results for Winlogon.exe

bcf2036a0dd579e47c008c133550283e  /mnt/sda2/Windows/System32/winlogon.exe
      505.0K Oct 11  2012

93ab226c07a9789b2ec7b41f73602f76  /mnt/sda2/Windows/WinSxS/amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.2.9200.16384_none_c88ca87b5eb5b1ec/winlogon.exe
      504.5K Jul 26  2012

1f84b5f8dbdffd36df143c61ce25f12a  /mnt/sda2/Windows/WinSxS/amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.2.9200.16420_none_c8c988c15e88a211/winlogon.exe
      504.5K Sep 20  2012

bcf2036a0dd579e47c008c133550283e  /mnt/sda2/Windows/WinSxS/amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.2.9200.16433_none_c8c1b9b35e8e0a07/winlogon.exe
      505.0K Oct 11  2012

6522e98c94a2a81ae11eb66d2af5743a  /mnt/sda2/Windows/WinSxS/amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.2.9200.20521_none_c95425d677a55b32/winlogon.exe
      504.5K Sep 20  2012

cbfd56b4ec07cb056a6abd55dd33671f  /mnt/sda2/Windows/WinSxS/amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.2.9200.20534_none_c94c56c877aac328/winlogon.exe
      505.0K Oct 11  2012

7ff135eceb263bb7b26b1d06afe49548  /mnt/sda2/Windows.old/Windows/System32/winlogon.exe
      503.5K May 19  2012

7ff135eceb263bb7b26b1d06afe49548  /mnt/sda2/Windows.old/Windows/WinSxS/amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.2.8400.0_none_550d05576556a29d/winlogon.exe
      503.5K May 19  2012


Search results for volsnap.sys

2fb3cdfd5eaf4cd9d4afaf96877d13ae  /mnt/sda2/Windows/System32/DriverStore/FileRepository/volume.inf_amd64_9d78abd6ac3df11c/volsnap.sys
      324.2K Jul 26  2012

2fb3cdfd5eaf4cd9d4afaf96877d13ae  /mnt/sda2/Windows/System32/Drivers/volsnap.sys
      324.2K Jul 26  2012

2fb3cdfd5eaf4cd9d4afaf96877d13ae  /mnt/sda2/Windows/WinSxS/amd64_volume.inf_31bf3856ad364e35_6.2.9200.16384_none_6e805ee585d930c4/volsnap.sys
      324.2K Jul 26  2012

90245509d137b8bc46ce50124fc5676e  /mnt/sda2/Windows.old/Windows/System32/DriverStore/FileRepository/volume.inf_amd64_5aba8e49206a160b/volsnap.sys
      323.7K May 19  2012

90245509d137b8bc46ce50124fc5676e  /mnt/sda2/Windows.old/Windows/System32/drivers/volsnap.sys
      323.7K May 19  2012

90245509d137b8bc46ce50124fc5676e  /mnt/sda2/Windows.old/Windows/WinSxS/amd64_volume.inf_31bf3856ad364e35_6.2.8400.0_none_fb00bbc18c7a2175/volsnap.sys
      323.7K May 19  2012


Search results for explorer.exe

e13a31d5254c25406a7946bdd9b06364  /mnt/sda2/Windows/explorer.exe
        2.3M Oct 11  2012

953adecff08202a01efc6110214fde02  /mnt/sda2/Windows/SysWOW64/explorer.exe
        2.0M Oct 11  2012

928791755fddea721b053535ef84fa17  /mnt/sda2/Windows/WinSxS/amd64_microsoft-windows-explorer_31bf3856ad364e35_6.2.9200.16384_none_aa7e4e770380a4b6/explorer.exe
        2.3M Jul 26  2012

e13a31d5254c25406a7946bdd9b06364  /mnt/sda2/Windows/WinSxS/amd64_microsoft-windows-explorer_31bf3856ad364e35_6.2.9200.16433_none_aab35faf0358fcd1/explorer.exe
        2.3M Oct 11  2012

0ddfeaa2aa18d4295ef220eb666b2312  /mnt/sda2/Windows/WinSxS/amd64_microsoft-windows-explorer_31bf3856ad364e35_6.2.9200.20534_none_ab3dfcc41c75b5f2/explorer.exe
        2.3M Oct 11  2012

5b6ed1b57dbff18d405a0260559b571e  /mnt/sda2/Windows/WinSxS/wow64_microsoft-windows-explorer_31bf3856ad364e35_6.2.9200.16384_none_b4d2f8c937e166b1/explorer.exe
        2.0M Jul 26  2012

953adecff08202a01efc6110214fde02  /mnt/sda2/Windows/WinSxS/wow64_microsoft-windows-explorer_31bf3856ad364e35_6.2.9200.16433_none_b5080a0137b9becc/explorer.exe
        2.0M Oct 11  2012

0ad19a3ca61271ba872ad90771ba47dc  /mnt/sda2/Windows/WinSxS/wow64_microsoft-windows-explorer_31bf3856ad364e35_6.2.9200.20534_none_b592a71650d677ed/explorer.exe
        2.0M Oct 11  2012

acf8d985d07999daa575ae64e9768a96  /mnt/sda2/Windows.old/Windows/explorer.exe
        2.3M May 19  2012

9cf221011009e82742cde1ba4ae94f5c  /mnt/sda2/Windows.old/Windows/SysWOW64/explorer.exe
        2.0M May 19  2012

acf8d985d07999daa575ae64e9768a96  /mnt/sda2/Windows.old/Windows/WinSxS/amd64_microsoft-windows-explorer_31bf3856ad364e35_6.2.8400.0_none_36feab530a219567/explorer.exe
        2.3M May 19  2012

9cf221011009e82742cde1ba4ae94f5c  /mnt/sda2/Windows.old/Windows/WinSxS/wow64_microsoft-windows-explorer_31bf3856ad364e35_6.2.8400.0_none_415355a53e825762/explorer.exe
        2.0M May 19  2012


Search results for Userinit.exe

0e925f7ba032920d58dd284b6181a247  /mnt/sda2/Windows/System32/userinit.exe
       24.5K Jul 26  2012

9f6289d194a04a09671feed4b6cb6ef7  /mnt/sda2/Windows/SysWOW64/userinit.exe
       21.0K Jul 26  2012

0e925f7ba032920d58dd284b6181a247  /mnt/sda2/Windows/WinSxS/amd64_microsoft-windows-userinit_31bf3856ad364e35_6.2.9200.16384_none_34f2617a5b742e02/userinit.exe
       24.5K Jul 26  2012

9f6289d194a04a09671feed4b6cb6ef7  /mnt/sda2/Windows/WinSxS/x86_microsoft-windows-userinit_31bf3856ad364e35_6.2.9200.16384_none_d8d3c5f6a316bccc/userinit.exe
       21.0K Jul 26  2012

a46b3610d3ac5a9db204dd2b40e298cf  /mnt/sda2/Windows.old/Windows/System32/userinit.exe
       25.5K May 19  2012

782e2a50ea4ae8aa5a9646413a7822c1  /mnt/sda2/Windows.old/Windows/SysWOW64/userinit.exe
       22.0K May 19  2012

a46b3610d3ac5a9db204dd2b40e298cf  /mnt/sda2/Windows.old/Windows/WinSxS/amd64_microsoft-windows-userinit_31bf3856ad364e35_6.2.8400.0_none_c172be5662151eb3/userinit.exe
       25.5K May 19  2012

782e2a50ea4ae8aa5a9646413a7822c1  /mnt/sda2/Windows.old/Windows/WinSxS/x86_microsoft-windows-userinit_31bf3856ad364e35_6.2.8400.0_none_655422d2a9b7ad7d/userinit.exe
       22.0K May 19  2012
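The filefind.txt output above lists, for each searched file, the MD5 and size of the live copy in System32 next to the copies Windows keeps in the WinSxS component store and in Windows.old. The point of the search is to spot a live system file that no longer matches any stored copy, which is how a patched winlogon.exe, volsnap.sys or userinit.exe shows up. As an added example that is not part of this thread or of driver.sh, the Python below parses that two-line record layout and flags every live copy whose hash matches none of the WinSxS copies of the same file. The winlogon.exe records are taken from the post above; the volsnap.sys block is constructed, with a placeholder hash standing in for a tampered driver.

```python
"""Parse a driver.sh -af filefind.txt report and flag live files that match no WinSxS copy.

Added example (not from the thread or from driver.sh). The winlogon.exe records
copy the post above; the volsnap.sys block is constructed, with "deadbeef..." as a
placeholder hash for a tampered driver.
"""
import re
from typing import Dict, List

SAMPLE_FILEFIND = """\
Search results for Winlogon.exe

bcf2036a0dd579e47c008c133550283e  /mnt/sda2/Windows/System32/winlogon.exe
      505.0K Oct 11  2012

93ab226c07a9789b2ec7b41f73602f76  /mnt/sda2/Windows/WinSxS/amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.2.9200.16384_none_c88ca87b5eb5b1ec/winlogon.exe
      504.5K Jul 26  2012

bcf2036a0dd579e47c008c133550283e  /mnt/sda2/Windows/WinSxS/amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.2.9200.16433_none_c8c1b9b35e8e0a07/winlogon.exe
      505.0K Oct 11  2012

7ff135eceb263bb7b26b1d06afe49548  /mnt/sda2/Windows.old/Windows/System32/winlogon.exe
      503.5K May 19  2012


Search results for volsnap.sys

deadbeefdeadbeefdeadbeefdeadbeef  /mnt/sda2/Windows/System32/Drivers/volsnap.sys
      324.2K Jul 26  2012

2fb3cdfd5eaf4cd9d4afaf96877d13ae  /mnt/sda2/Windows/WinSxS/amd64_volume.inf_31bf3856ad364e35_6.2.9200.16384_none_6e805ee585d930c4/volsnap.sys
      324.2K Jul 26  2012
"""

HEADER = "Search results for "
# first line of a record: "<md5>  <path>"; the size and date follow on the next line
HASH_LINE_RE = re.compile(r"^([0-9a-f]{32})\s+(\S+)$")


def parse_filefind(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Return {searched file name: [record, ...]} with md5, path, size and date per record."""
    results: Dict[str, List[Dict[str, str]]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith(HEADER):
            current = line[len(HEADER):].strip()
            results[current] = []
        elif current is not None:
            m = HASH_LINE_RE.match(line)
            if m and i + 1 < len(lines):
                size, date = lines[i + 1].strip().split(maxsplit=1)
                results[current].append(
                    {"md5": m.group(1), "path": m.group(2), "size": size, "date": date}
                )
                i += 1  # the size/date line has been consumed
        i += 1
    return results


def _is_store_copy(path: str) -> bool:
    # reference copies: the current install's component store, not the Windows.old backup
    p = path.lower()
    return "/winsxs/" in p and "/windows.old/" not in p


def _is_live_copy(path: str) -> bool:
    # the file Windows actually loads: System32, SysWOW64, Drivers, ... of the current install
    p = path.lower()
    return not any(s in p for s in ("/winsxs/", "/windows.old/", "/driverstore/"))


def find_unmatched_live_copies(results: Dict[str, List[Dict[str, str]]]) -> List[Dict[str, str]]:
    """Flag each live copy whose MD5 is absent from every WinSxS copy of the same file."""
    findings = []
    for name, records in results.items():
        store_hashes = {r["md5"] for r in records if _is_store_copy(r["path"])}
        for r in records:
            if not _is_live_copy(r["path"]):
                continue
            if not store_hashes:
                reason = "no WinSxS reference copy to compare against"
            elif r["md5"] not in store_hashes:
                reason = "MD5 matches none of the WinSxS copies"
            else:
                continue
            findings.append({"file": name, "path": r["path"], "md5": r["md5"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_unmatched_live_copies(parse_filefind(SAMPLE_FILEFIND)):
        print(f"{f['file']}: {f['path']} ({f['md5']}) - {f['reason']}")
```

On the report quoted above every live copy matches a WinSxS copy (winlogon.exe and explorer.exe match the 6.2.9200.16433 components, volsnap.sys and userinit.exe the 16384 ones), so this check comes back empty, which is consistent with the thread moving on to the MBR, where FRST had already flagged TDL4. A match only says the live file equals one stored copy; it says nothing about the boot sector, so the mbr dump requested in the same post remains necessary.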

#15 Oh My!


Posted 31 May 2013 - 01:44 PM

The report file is empty. When did you get infected, if you recall? Was it after 5-22?
Gary