
Moneypak infection, cannot start in safe mode


30 replies to this topic

#1 mercuryrsng


Posted 30 May 2013 - 11:08 PM

Hey there...I have in my possession a friends computer who has the moneypak malware infection.  I tried to start in safe mode to run malwarebytes anti malware but I have not had success.  When I press F8 as the computer starts, I do get the option to start the computer in safe mode, but after I choose it (with networking, I have tried regular safe mode too), the computer scrolls some usual text, and then restarts.  I cannot get into safe mode.  Any ideas?

 

Thanks

 

~~Justin




#2 Broni

  • BC Advisor

Posted 30 May 2013 - 11:18 PM

I'll report this topic to appropriate helpers.

Hold on there....


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 JSntgRvr

  • Malware Response Team

Posted 31 May 2013 - 12:25 AM


Try the AVG rescue CD:

"AVG Rescue CD is basically a portable version of AVG Anti-Virus, which runs on a Linux distribution as a bootable CD or bootable USB flash drive. This Rescue CD is equipped with AVG Antivirus, AVG Anti-Spyware and some administrator recovery tools.

You can scan for and remove computer viruses without booting the operating system first. It is suitable for recovering MS Windows and Linux operating systems (FAT32 and NTFS file systems) from virus and spyware attacks. Meanwhile, the administrator toolset on the AVG rescue disk is a Windows Registry editor, a TestDisk utility for data recovery and lost partitions, a file browser for navigating folders, and a Ping tool for basic network diagnostics."

Please Note: Windows does not have to load for this scanner to work.

AVG Rescue CD Guide: check here.

You can download the AVG Rescue CD HERE.
It's also located on this page; make sure you download the .iso file.

Here's how it goes:

Download and install Active@ ISO Burner
Click HERE for ISOBurner Instructions.
Install the program, and follow the next set of steps.

After you install Active@ ISO Burner, put a blank CD-R in your burner and double click on the AVG Rescue CD.iso you downloaded and Active@ ISO Burner should automatically open up.....now click BURN.

The program is very easy to use, you'll just be pressing Enter most of the time but here's how it goes:

1. After the rescue cd is made, boot-up the sick computer, put the rescue cd in and then restart it.
Note: In order to do so, the computer must be set to boot from the CD first. For information on how to do that....click HERE.
2. At the Boot Menu: Choose AVG Rescue CD (1) and press Enter

3. Let it load, at the "Disclaimer Screen"... just choose I agree or not and press Enter

4. At the "Update Screen", choose Yes and press Enter

Next screen, Choose Update from Internet and press Enter

5. At the "Update Priority Configuration" window, choose Priority 2 Virus Database Update and press Enter

6. Let it update and when finished, Press any key to continue

7. You end up back at the "Update Screen", choose Return and press Enter

8. You're at the "Main Menu" screen, choose Scan, press Enter

9. "Scan Type Menu", choose "Volumes Scan - Selected Volumes" and press Enter

10. "Scan Volumes", choose "OK" and press Enter

11. "Scan Options", choose "OK" and press Enter

12. "Run Scan", choose "Yes" and press Enter

13. When scan is complete, Press any key to continue

14. "Info screen", choose "OK" and press Enter

15. To see the scan report, select "Report File" and press Enter
Please look over the list as some files can be crucial for the Windows system and deleting them can make it inoperative; if you're not sure, please Google the file or files.

16. "Scan Results Menu", use the up and down keys and choose "Select - Handle single or groups of infected files", press Enter
Go through the files and choose to Rename the infected file, don't choose Delete!
This is important....Rename<---

17. Read the "Warning Screen", "Yes" and Enter

18. Back to "Scan Results Menu", choose "Back or Return" to get to the "Main Menu" and then choose ---->Reboot System
Don't forget to take out the rescue cd.

19. All the malware files will be renamed to "_INFECTED.arl", to find all of these files....
Go to Start > Search > All Files and Folders > type "_INFECTED.arl" and click search.
Example: malware.exe would be renamed to malware.exe_infected.arl

20. Note: If you find the CD doesn't load, it's most likely due to a bad download or bad burn; download the file again and burn it at a slower speed.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 mercuryrsng

  • Topic Starter

Posted 31 May 2013 - 12:29 PM

OK Thank you I will try that and report back.



#5 HelpBot

  • Bots

Posted 04 June 2013 - 11:10 PM

Are you still with us?

Edited by JSntgRvr, 05 June 2013 - 09:17 AM.


#6 mercuryrsng

  • Topic Starter

Posted 05 June 2013 - 09:37 PM

Yes, I actually did this last night and it found some files.  I did as I was instructed and changed the name of them.  What else can I do to make sure I am all clean here?  The moneypak full screen popup appears to be gone.



#7 JSntgRvr

  • Malware Response Team

Posted 06 June 2013 - 11:19 AM

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Please download ComboFix from Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.  
  • Please post the "C:\ComboFix.txt" .

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.


Please download Malwarebytes' Anti-Malware from Here. Never download Malwarebytes' Anti-Malware from other sources.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


#8 mercuryrsng

  • Topic Starter

Posted 07 June 2013 - 11:12 PM

ComboFix 13-06-06.04 - HP_Owner 06/07/2013   1:01.1.1 - x86
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\739956266.pad
c:\documents and settings\All Users\Application Data\DisplaySwitch.exe_1370383665.arl
c:\documents and settings\All Users\Application Data\ras_0oed.pad
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Owner\Local Settings\Application Data\{CC0ACA6A-7918-4C44-8968-A472598836A6}
c:\documents and settings\HP_Owner\Local Settings\Application Data\{CC0ACA6A-7918-4C44-8968-A472598836A6}\chrome.manifest
c:\documents and settings\HP_Owner\Local Settings\Application Data\{CC0ACA6A-7918-4C44-8968-A472598836A6}\chrome\content\_cfg.js
c:\documents and settings\HP_Owner\Local Settings\Application Data\{CC0ACA6A-7918-4C44-8968-A472598836A6}\chrome\content\c.js
c:\documents and settings\HP_Owner\Local Settings\Application Data\{CC0ACA6A-7918-4C44-8968-A472598836A6}\chrome\content\overlay.xul
c:\documents and settings\HP_Owner\Local Settings\Application Data\{CC0ACA6A-7918-4C44-8968-A472598836A6}\install.rdf
c:\documents and settings\HP_Owner\WINDOWS
c:\program files\Common Files\System\Uninstall
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\iun6002.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\TBD124.tmp
c:\windows\system32\TBD22.tmp
c:\windows\system32\TBD91.tmp
c:\windows\system32\TBD96.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\wininit.ini
c:\windows\wt
c:\windows\wt\data.wts
c:\windows\wt\updater\wcmdmgr.exe
c:\windows\wt\updater\wcmdmgrl.exe
c:\windows\wt\updater\wt.ini
c:\windows\wt\webdriver.dll
c:\windows\wt\webdriver\4.1.1\actorobject.dll
c:\windows\wt\webdriver\4.1.1\dx5drv.dll
c:\windows\wt\webdriver\4.1.1\dx7drv.dll
c:\windows\wt\webdriver\4.1.1\objectbundle.dll
c:\windows\wt\webdriver\4.1.1\sound.dll
c:\windows\wt\webdriver\4.1.1\wdcaps.ded
c:\windows\wt\webdriver\4.1.1\wdengine.dll
c:\windows\wt\webdriver\4.1.1\webdriver.dll
c:\windows\wt\webdriver\4.1.1\wthost.exe
c:\windows\wt\webdriver\4.1.1\wthostctl.dll
c:\windows\wt\webdriver\4.1.1\wtmulti.dll
c:\windows\wt\webdriver\4.1.1\wtmulti.jar
c:\windows\wt\webdriver\4.1.1\wtwmplug.ax
c:\windows\wt\webdriver\4.1.1\wtwmplug.ini
c:\windows\wt\webdriver\jdriver.dll
c:\windows\wt\webdriver\rdriver.dll
c:\windows\wt\webdriver\wildtangent.jar
c:\windows\wt\wt3d.dll
c:\windows\wt\wt3d.ini
c:\windows\wt\wtupdates\DRM\3.2.0.19\files\controlpanel\index.html
c:\windows\wt\wtupdates\DRM\3.2.0.19\files\DRM0302.dll
c:\windows\wt\wtupdates\DRM\3.2.0.19\files\DRM0302Java.jar
c:\windows\wt\wtupdates\DRM\3.2.0.19\files\jDRM0302.dll
c:\windows\wt\wtupdates\DRM\3.2.0.19\files\rDRM0302.dll
c:\windows\wt\wtupdates\DRM\3.2.0.19\install\DRM0302.cdanfo
c:\windows\wt\wtupdates\DRM\3.2.0.19\install\DRM0302_Uninstall.cdas
c:\windows\wt\wtupdates\webd\4.1.1\files\actorobject.dll
c:\windows\wt\wtupdates\webd\4.1.1\files\controlpanel\index.html
c:\windows\wt\wtupdates\webd\4.1.1\files\dx5drv.dll
c:\windows\wt\wtupdates\webd\4.1.1\files\dx7drv.dll
c:\windows\wt\wtupdates\webd\4.1.1\files\jdriver.dll
c:\windows\wt\wtupdates\webd\4.1.1\files\legacy\data.wts
c:\windows\wt\wtupdates\webd\4.1.1\files\legacy\webdriver.dll
c:\windows\wt\wtupdates\webd\4.1.1\files\legacy\wt3d.dll
c:\windows\wt\wtupdates\webd\4.1.1\files\npWTHost.dll
c:\windows\wt\wtupdates\webd\4.1.1\files\nsIWTHostPlugin.xpt
c:\windows\wt\wtupdates\webd\4.1.1\files\ObjectBundle.dll
c:\windows\wt\wtupdates\webd\4.1.1\files\rdriver.dll
c:\windows\wt\wtupdates\webd\4.1.1\files\Sound.dll
c:\windows\wt\wtupdates\webd\4.1.1\files\update_info\data.wts
c:\windows\wt\wtupdates\webd\4.1.1\files\wdcaps.ded
c:\windows\wt\wtupdates\webd\4.1.1\files\wdengine.dll
c:\windows\wt\wtupdates\webd\4.1.1\files\Webd331.cdanfo
c:\windows\wt\wtupdates\webd\4.1.1\files\Webd331_fileList.cdas
c:\windows\wt\wtupdates\webd\4.1.1\files\Webd331_Uninstall.cdas
c:\windows\wt\wtupdates\webd\4.1.1\files\webdriver.dll
c:\windows\wt\wtupdates\webd\4.1.1\files\wildtangent.jar
c:\windows\wt\wtupdates\webd\4.1.1\files\wt3d.ini
c:\windows\wt\wtupdates\webd\4.1.1\files\WTHost.exe
c:\windows\wt\wtupdates\webd\4.1.1\files\WTHostCtl.dll
c:\windows\wt\wtupdates\webd\4.1.1\files\wtmulti.dll
c:\windows\wt\wtupdates\webd\4.1.1\files\wtmulti.jar
c:\windows\wt\wtupdates\webd\4.1.1\files\wtvh.dll
c:\windows\wt\wtupdates\webd\4.1.1\files\wtwmplug.ax
c:\windows\wt\wtupdates\webd\4.1.1\files\wtwmplug.ini
c:\windows\wt\wtupdates\webd\4.1.1\install\Webd4_1_1.cdanfo
c:\windows\wt\wtupdates\webd\4.1.1\install\Webd4_1_1_Uninstall.cdas
c:\windows\wt\wtupdates\WireControl\1.1.0.23\files\controlpanel\index.html
c:\windows\wt\wtupdates\WireControl\1.1.0.23\files\install\WireControl.cdanfo
c:\windows\wt\wtupdates\WireControl\1.1.0.23\files\install\WireControl_Uninstall.cdas
c:\windows\wt\wtupdates\WireControl\1.1.0.23\files\WireControl.dll
c:\windows\wt\wtupdates\wtupdater\appinfo.dat
c:\windows\wt\wtupdates\wtwebdriver\update_info\data.wts
c:\windows\wt\wtvh.dll
D:\Autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-07 to 2013-06-07  )))))))))))))))))))))))))))))))
.
.
2013-06-05 02:12 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2013-06-05 02:12 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2013-06-05 02:11 . 2008-04-13 17:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2013-06-05 02:11 . 2008-04-13 17:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2013-05-20 14:10 . 2013-05-23 01:44 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-14 22:49 . 2012-04-08 01:12 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-14 22:49 . 2011-12-01 15:10 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-09 08:59 . 2013-03-12 12:55 174664 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-05-09 08:59 . 2013-03-12 12:55 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-05-09 08:59 . 2011-05-21 00:31 368944 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-05-09 08:59 . 2011-05-21 00:31 56080 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-05-09 08:59 . 2011-05-21 00:31 765736 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-05-09 08:59 . 2013-03-12 12:55 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-05-09 08:59 . 2011-05-21 00:31 49760 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-05-09 08:59 . 2011-05-21 00:31 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-05-09 08:58 . 2011-05-21 00:29 41664 ----a-w- c:\windows\avastSS.scr
2013-05-09 08:58 . 2011-05-21 00:29 229648 ----a-w- c:\windows\system32\aswBoot.exe
2013-04-24 20:33 . 2013-04-24 20:33 260 ----a-w- c:\windows\system32\cmdVBS.vbs
2013-04-24 20:33 . 2013-04-24 20:33 256 ----a-w- c:\windows\system32\MSIevent.bat
2013-04-24 20:32 . 2013-04-24 20:32 65536 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{40D36ECF-FA05-4077-B836-C439CD0DDEF1}\VZ2_900EACD7F4664370BC900C532FB167D4.exe
2013-04-24 20:32 . 2013-04-24 20:32 65536 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{40D36ECF-FA05-4077-B836-C439CD0DDEF1}\VZ1_90BE4A00DB2440438F3002B23387E4D2.exe
2013-04-24 20:32 . 2013-04-24 20:32 65536 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{40D36ECF-FA05-4077-B836-C439CD0DDEF1}\ARPPRODUCTICON.exe
2013-04-16 22:17 . 2004-08-04 11:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2004-08-04 11:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2004-08-04 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-04 11:00 385024 ------w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2004-08-04 11:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-09 12:50 . 2013-04-09 12:51 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-04-09 12:50 . 2012-05-01 15:40 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-04-09 12:50 . 2012-09-21 13:33 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-04-09 12:50 . 2010-05-18 01:06 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-04 18:50 . 2009-11-14 06:19 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-15 13:41 . 2013-03-15 13:41 2148152 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\BcsKtYcHW.dll
2013-03-15 13:39 . 2013-03-15 13:39 45056 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{4956ACE3-F537-4418-BB45-FD52395275A7}\UNINST_Uninstall_C_EBD1846850A64C858760A659B987DCFF.exe
2013-03-15 13:39 . 2013-03-15 13:39 45056 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{4956ACE3-F537-4418-BB45-FD52395275A7}\ARPPRODUCTICON.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-05-09 08:58 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmileboxTray"="c:\documents and settings\HP_Owner\Application Data\Smilebox\SmileboxTray.exe" [2012-10-01 305000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-21 180269]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-05-09 4858968]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-12-20 27136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2005-07-23 06:14 237568 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VERIZONDM]
2010-09-29 10:59 206120 ----a-w- c:\program files\VERIZONDM\bin\sprtcmd.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVAST Software\\Avast\\AvastUI.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1778:UDP"= 1778:UDP:HAVA Service
.
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2012-08-03 352248]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-05-23 40776]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\DRIVERS\WUSB54GCv3.sys [2008-12-04 627072]
S0 aswRvrt;aswRvrt; [x]
S0 aswVmm;aswVmm; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-05-09 66336]
S2 havasvc;HAVA Service;c:\program files\Monsoon Multimedia\HAVA\Common\havasvc.exe [2009-04-03 145408]
S2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2010-09-29 206120]
S2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2010-09-29 185640]
S3 havabus;HAVA Bus Enumerator;c:\windows\system32\DRIVERS\havabus.sys [2009-01-13 37376]
S3 havanet;HAVA NDIS Protocol Driver;c:\windows\system32\DRIVERS\havanet.sys [2009-01-13 20480]
S3 HAVATV;Hava Video Device;c:\windows\system32\DRIVERS\HAVATV.sys [2009-04-23 324224]
S3 HavaTV_10;Hava Remote Video Device;c:\windows\system32\DRIVERS\HavaTV_10.sys [2009-04-23 324224]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 02610348
*NewlyCreated* - 22963352
*Deregistered* - 02610348
*Deregistered* - 22963352
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 22:49]
.
2013-06-07 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-07-12 08:58]
.
2013-06-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-21 00:31]
.
2013-06-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-21 00:31]
.
2013-06-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3693004127-1662369552-4201838568-1008Core.job
- c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-21 00:31]
.
2013-06-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3693004127-1662369552-4201838568-1008UA.job
- c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-21 00:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = <local>
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\qj7benyn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2642697&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Ask Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2642697&SearchSource=13
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{D8278076-BC68-4484-9233-6E7F1628B56C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{43544C32-2D56-3600-76A7-7A786E7484D7} - (no file)
HKCU-Run-Google - xidpwooedd.exe
HKLM-Run-DisplaySwitch - c:\documents and settings\All Users\Application Data\DisplaySwitch.exe
SafeBoot-22963352.sys
MSConfigStartUp-nmctxth - c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
MSConfigStartUp-vsggyuho - c:\docume~1\HP_Owner\LOCALS~1\Temp\hnfdlmifd\frchwvvsjmo.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-07 01:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(580)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2013-06-07  01:22:49
ComboFix-quarantined-files.txt  2013-06-07 05:22
.
Pre-Run: 2,155,966,464 bytes free
Post-Run: 4,362,129,408 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 8D2BAD3B19C78856A0C2E40ADDCD7D1D
8F558EB6672622401DA993E1E865C861

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.06.07.10
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
HP_Owner :: UPSTAIRS [administrator]
 
6/7/2013 11:30:43 PM
mbam-log-2013-06-07 (23-30-43).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 204240
Time elapsed: 27 minute(s), 36 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)


#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,938 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:52 PM

Posted 07 June 2013 - 11:18 PM

Please run a free online scan with the ESET Online Scanner

Vista / Win7 users: Right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator.

Note: This scan works with Internet Explorer or Mozilla Firefox.

If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

  • Click the green ESET Online Scanner box
  • Tick the box next to YES, I accept the Terms of Use
     then click on: Start
  • You may see a panel towards the top of the screen telling you the website wants to install an addon... click and allow it to install. If your firewall asks whether you want to allow installation, say yes.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the mouse or keyboard during the scan; otherwise it may stall.
  • When completed, select Uninstall application on close; make sure you copy the logfile first!
  • Then click on: Finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

 

How is the computer doing?


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#10 mercuryrsng

mercuryrsng
  • Topic Starter

  • Members
  • 298 posts
  • OFFLINE
  • Local time:09:52 PM

Posted 10 June 2013 - 05:29 PM

Computer is still pretty slow but that could be related to other issues.  Any thoughts?

 

Also, strange thing.  Hidden files appear to be visible, and if I hide them, I lose visibility on any flash drive or external drive that is connected, as well as other important, normally visible files, I assume.  Those drives are not "checked" as hidden.

 

Here is the ESET scan result.

 

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=8
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=794c13a2b6378b4690244b49d924b3d9
# engine=14035
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-06-10 07:25:58
# local_time=2013-06-10 03:25:58 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=774 16777213 85 91 1027456 146637430 0 0
# scanned=139283
# found=23
# cleaned=23
# scan_time=12167
sh=BD5FAC19427087326D51EC448156172B7B3CFD6F ft=0 fh=0000000000000000 vn="Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip"
sh=427665AEE95B3C8E992D03DDE6385FFC10ADDD41 ft=0 fh=0000000000000000 vn="Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip"
sh=E393C631048F14095A276CBDFA6C6E81606CBB9B ft=0 fh=0000000000000000 vn="Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip"
sh=605BC02ADEB7EAD3E8C6EA595B13EC8AA5E9312E ft=1 fh=e749192a62569dbf vn="Win32/Adware.Yontoo application (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll_1370383665.arl"
sh=7A1694C49EDD4F8AC0E06F3E8E76ED2CE69FA046 ft=0 fh=0000000000000000 vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\18\4f541752-4a720349"
sh=FBE467F744721962FB6932D6E6C93F088A680421 ft=0 fh=0000000000000000 vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\32\5697b960-712119a7"
sh=89C0F5B55C80C2410559A34F037C4EA92889FCE1 ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.CVE-2012-1723.IM trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\11\327faf8b-1dba9fad"
sh=8DBE19E7D2A3636623E92A5546748CA750943FBC ft=0 fh=0000000000000000 vn="Java/Exploit.Agent.NHS trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\17\d6d2411-7dfaf97f"
sh=4D6A96BABADB88BC586440310C45EE20F92CC948 ft=0 fh=0000000000000000 vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\19\3e41e753-122f48c7"
sh=23B49E14AF234BA0737D8823AE7790AE9ABDC88B ft=0 fh=0000000000000000 vn="Java/Exploit.CVE-2013-0422.BE trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\2\6ccf0202-7c9f4b3e"
sh=FA1BB46CF90AB3E67A98A2AF5581E714F30478C2 ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.Agent.OLK trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\27\87c1b5b-426611bb"
sh=4B2264B89E0FE6699F6906FE24F377EDC4D55CA7 ft=0 fh=0000000000000000 vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\41\22f723e9-4e2b1bd9"
sh=23ACB0BEE1EFE17AAE75F8138F885724EAD1640F ft=0 fh=0000000000000000 vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\45\29835c6d-13ce02bf"
sh=20CB317EFD18EA2905D71C5F395179800B4AA545 ft=0 fh=0000000000000000 vn="Java/Exploit.CVE-2013-0422.CB trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\45\46e0f4ed-50f931b0"
sh=3B82A27B817D1569FC8036993D26F373A5A75CA8 ft=0 fh=0000000000000000 vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\54\36548736-33517956"
sh=77FF277E36D7D825AA53431529083D6CF779DE7E ft=0 fh=0000000000000000 vn="Java/Exploit.CVE-2012-1723.IF trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\54\3d2bd8f6-1bd672b0"
sh=B554A5A0F1A2D44515D3E0A319ECF62F8AFBD5F6 ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.CVE-2012-1723.IM trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\55\5c81b37-2826c49d"
sh=2698252BF8D32683FBDF6AFA8072F77B78A4182B ft=0 fh=0000000000000000 vn="Java/Exploit.CVE-2012-1723.GE trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\57\19ce0d79-25bd08ee"
sh=5415444CAE69AD22C135ED775F3F702ED9E8C4BB ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.CVE-2013-0422.CF trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\59\49a5927b-6a8e3e7c"
sh=41349E818C72016CAE793D7FFD0019AF9BA580CA ft=0 fh=0000000000000000 vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\62\6e9265fe-551e8c82"
sh=8E3EB45F749806C5A88913A04C23BAE649126529 ft=0 fh=0000000000000000 vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\63\3270e53f-6f4a5c76"
sh=EE575ED74FBA92084F999272F3B275FB3BFFB3F1 ft=1 fh=ff63dee2cfa006b0 vn="Win32/LockScreen.AQT trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\DisplaySwitch.exe_1370383665.arl.vir"
sh=ACFEBB013C1AA1AD37849E5B11E97F78F368A00F ft=0 fh=0000000000000000 vn="a variant of Win32/Bundled.Toolbar.Ask.C application (deleted - quarantined)" ac=C fn="C:\WINDOWS\Installer\67c60d5.msi"
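
An added example (not part of this thread, and not ESET's own tooling) that reads a log in the format posted above: it checks the found/cleaned counters against the number of detection records, lists the CVE identifiers carried in the detection names, and separates hits that were already sitting in another cleaner's quarantine folder (such as ComboFix's C:\Qoobox\Quarantine) from hits in live paths. The embedded sample log, its hashes and its paths are constructed.

```python
import re
from collections import Counter

RECORD_RE = re.compile(
    r'^sh=(?P<sha1>[0-9A-Fa-f]{40}) ft=(?P<ft>\d+) fh=(?P<fh>[0-9A-Fa-f]+) '
    r'vn="(?P<vn>[^"]*)" ac=(?P<ac>\w) fn="(?P<fn>[^"]*)"$')
CVE_RE = re.compile(r'CVE-\d{4}-\d{4,}')
# Paths inside another cleaner's quarantine: a hit there is leftover, not active.
QUARANTINE_HINTS = ('\\qoobox\\quarantine\\', '\\spybot - search & destroy\\recovery\\')

# Constructed sample in the posted log's format (hashes and paths are made up).
SAMPLE_LOG = r"""
# found=3
# cleaned=3
sh=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ft=0 fh=0000000000000000 vn="Java/Exploit.CVE-2013-0422.BE trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\User\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\2\11111111-22222222"
sh=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB ft=1 fh=0123456789abcdef vn="Win32/LockScreen.AQT trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\DisplaySwitch.exe.vir"
sh=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.CVE-2012-1723.IM trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\User\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\11\33333333-44444444"
""".strip()

def parse_eset_log(text):
    """Return (header dict, detection records); lines in neither format are skipped."""
    header, records = {}, []
    for line in text.splitlines():
        if line.startswith('# ') and '=' in line:
            key, _, value = line[2:].partition('=')
            header[key] = value
        elif m := RECORD_RE.match(line):
            records.append(m.groupdict())
    return header, records

def counts_consistent(header, records):
    """True when the found and cleaned counters both equal the number of records."""
    try:
        return int(header['found']) == int(header['cleaned']) == len(records)
    except (KeyError, ValueError):
        return False

def threat_name(vn):
    """'a variant of X trojan (cleaned ...)' -> 'X trojan'."""
    name = vn.split(' (')[0]
    return name[13:] if name.startswith('a variant of ') else name

def summarize(text):
    header, records = parse_eset_log(text)
    stale = [r['fn'] for r in records if any(h in r['fn'].lower() for h in QUARANTINE_HINTS)]
    return {'consistent': counts_consistent(header, records),
            'threats': Counter(threat_name(r['vn']) for r in records),
            'cves': sorted({c for r in records for c in CVE_RE.findall(r['vn'])}),
            'already_quarantined': stale, 'live_hits': len(records) - len(stale)}
```

A mismatch between the found/cleaned counters and the record count, or a hit outside a quarantine folder, is what should prompt a second look at the machine.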


#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,938 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:52 PM

Posted 10 June 2013 - 11:59 PM

Let's take a look at the files.

 

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete


Once done it will ask to reboot, allow this
On reboot a log will be produced at C:\ADWCleaner[XX].txt please post it in your next reply.

 

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.  Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

 

 

Download OTL  to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • OTL should now start. Change the following settings
    • Under File Scans, change File age to 30
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
    • Please post the contents of the OTL.txt file and attach the Extras.Txt, if any, in your next reply.


#12 mercuryrsng

mercuryrsng
  • Topic Starter

  • Members
  • 298 posts
  • OFFLINE
  • Local time:09:52 PM

Posted 11 June 2013 - 12:16 AM

I am actually headed on vacation until next week so I will have to wait to do the next steps. I'll get back to you when I get back.

Thanks!

#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,938 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:52 PM

Posted 11 June 2013 - 10:03 AM

If the topic is closed by the helpbot, send me a message. Have a great one!




#14 mercuryrsng

mercuryrsng
  • Topic Starter

  • Members
  • 298 posts
  • OFFLINE
  •  
  • Local time:09:52 PM

Posted 18 June 2013 - 01:14 PM

OK, I am just sending a message to save the topic from being closed.  I am back from vacation and I will get back to you ASAP.

 

Thanks



#15 mercuryrsng

mercuryrsng
  • Topic Starter

  • Members
  • 298 posts
  • OFFLINE
  • Local time:09:52 PM

Posted 25 June 2013 - 10:32 PM

OK, I got the computer back (I gave it back to my friend while I was on vacation) and it would appear that he has screwed it up further.  Now, there is an image of a man's face floating around all open windows.  When you right-click on it, there are 3 options: Resource Center, FAQ, and Exit.  I am re-running Malwarebytes Anti-Malware.  What else should I do in the meanwhile?  I will post that result as soon as it's done.