
Ransomed / White Screen


  • This topic is locked
6 replies to this topic

#1 Seatbelt99

Seatbelt99

  • Members
  • 9 posts
  • Local time:04:46 AM

Posted 20 July 2013 - 03:10 PM

My sister in law dropped off her computer, and I'm running into quite a few issues getting it fixed. 

She told me she was getting the FBI warning/ransom virus.  When I log into windows 7 it just gives me a white screen and won't go on from there. 

 

If I reboot into safe mode or safe mode with networking, it simply reboots itself. 

 

I can get to command prompt. 

 

I tried making a kickstarter USB boot drive, but I only have an uninfected windows 7 64 bit PC, and my sister in law's computer is win 7 32 bit so it won't run the kickstarter boot drive.  It just says kickstarter version xxx.xxx twice on a black screen with white letters and freezes there.  

 

My sister in law's computer does have xp on it as well, which I can boot to no problem.  The only issue there is I can't get it to connect to the internet, which may be unrelated, I don't know at this point.  I tried running Hitman pro from my flash drive, but it requires the internet so that won't work.  

 

Any suggestions?  Are there any antivirus/malware programs I can just put on my flash drive and then run while in xp?  

 

Also, will any anti-virus stuff I run while in XP fix my windows 7 virus problems?  

 

HELP!

 

Thank you





#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:46 AM

Posted 20 July 2013 - 03:51 PM

I'll report this topic to appropriate helpers.

Hold on there....




 


#3 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,692 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:46 AM

Posted 20 July 2013 - 04:13 PM

Hi and welcome.

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Plug the flash drive into the infected PC.

  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html



    To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt

    Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 Seatbelt99

Seatbelt99
  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:46 AM

Posted 20 July 2013 - 05:15 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 19-07-2013
Ran by Seatbelt99 (administrator) on 20-07-2013 18:48:03
Running from G:\
Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal
 
==================== Processes (Whitelisted) ===================
 
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX86\integratedoffice.exe
() C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
(tzuk) C:\Program Files\Sandboxie\SbieSvc.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version5\TeamViewer.exe
(Google Inc.) C:\Users\Seatbelt99\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Seatbelt99\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Seatbelt99\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Seatbelt99\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Seatbelt99\AppData\Local\Google\Chrome\Application\chrome.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\system32\LogonUI.exe
(Google Inc.) C:\Users\Seatbelt99\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ==================
 
MountPoints2: {531dca6a-fa19-11de-ac7c-806e6f6e6963} - E:\_AUTORUN\AUTORUN.EXE
HKU\Default\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [ 2009-07-13] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [ 2009-07-13] (Microsoft Corporation)
\Users\Seatbelt99\AppData\Local\Google\Update\GoogleUpdate.exe [135664 2010-01-05] (Google Inc.)
HKCU\...\Run: [SandboxieControl] - C:\Program Files\Sandboxie\SbieCtrl.exe [394984 2010-02-03] (tzuk)
HKCU\...\Run: [msnmsgr] - C:\Program Files\Windows Live\Messenger\msnmsgr.exe [3872080 2010-04-16] (Microsoft Corporation)
HKCU\...\Run: [FoodBuzzUpdate] - C:\Program Files\FoodBuzz\Update\FoodBuzzUpdate.exe [x]
HKCU\...\Winlogon: [Shell] explorer.exe,C:\Users\Seatbelt99\AppData\Roaming\skype.dat <==== ATTENTION 
 
==================== Internet (Whitelisted) ====================
 
ProxyServer: 65.50.56.66:2479
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
SearchScopes: HKCU - DefaultScope {A3558D80-B6C3-4C2A-9B7D-030EAF96886B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3283791&CUI=UN36093835902676526&UM=2
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?mkt=en-us&q=?FORM=MICCD1&q={searchTerms}
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Club Bing Toolbar Helper - {B771FEA3-2A05-4c21-B1E2-55551A97D520} - C:\Program Files\Club Bing Toolbar Helper\Bmbho.dll (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Club Bing Toolbar - {719D74AB-1AF9-43A1-8C62-D8750628D93E} - C:\Program Files\Club Bing Toolbar\Toolbar.dll (Microsoft Corporation)
Toolbar: HKLM - Club Bing Toolbar Helper - {B771FEA3-2A05-4c21-B1E2-55551A97D520} - C:\Program Files\Club Bing Toolbar Helper\Bmbho.dll (Microsoft Corporation)
Toolbar: HKCU -Club Bing Toolbar Helper - {B771FEA3-2A05-4C21-B1E2-55551A97D520} - C:\Program Files\Club Bing Toolbar Helper\Bmbho.dll (Microsoft Corporation)
Toolbar: HKCU -Club Bing Toolbar - {719D74AB-1AF9-43A1-8C62-D8750628D93E} - C:\Program Files\Club Bing Toolbar\Toolbar.dll (Microsoft Corporation)
Toolbar: HKCU -No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU -No Name - {EEE6C35B-6118-11DC-9C72-001320C79847} -  No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 184.63.96.68 184.63.96.69
 
FireFox:
========
FF ProfilePath: C:\Users\Seatbelt99\AppData\Roaming\Mozilla\Firefox\Profiles\ujler62z.default
FF SelectedSearchEngine: Bing
FF Homepage: hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={60CB42F9-B8CF-11E2-97E2-0060972017D7}
FF Keyword.URL: hxxp://start.sweetpacks.com/?src=2&st=12&crg=3.5000006.10043&barid={60CB42F9-B8CF-11E2-97E2-0060972017D7}&q=
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=10.17.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.17.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8117.0416 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=16.0.1.18 - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=1.3.1 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlhtml5videoshim;version=1.3.1 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=1.3.1 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=16.0.1.18 - C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin: @realnetworks.com/npdlplugin;version=1 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Seatbelt99\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Seatbelt99\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @yahoo.com/BrowserPlus,version=2.6.0 - C:\Users\Seatbelt99\AppData\Local\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll (Yahoo! Inc.)
FF SearchPlugin: C:\Users\Seatbelt99\AppData\Roaming\Mozilla\Firefox\Profiles\ujler62z.default\searchplugins\conduit.xml
FF SearchPlugin: C:\Users\Seatbelt99\AppData\Roaming\Mozilla\Firefox\Profiles\ujler62z.default\searchplugins\sweetim.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\answers.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
FF Extension: No Name - C:\Users\Seatbelt99\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
FF Extension: No Name - C:\Users\Seatbelt99\AppData\Roaming\Mozilla\Firefox\Profiles\ujler62z.default\Extensions\{2326C1C3-3E92-49da-A3FB-CB8AD8AD8F25}
FF Extension: HttpFox - C:\Users\Seatbelt99\AppData\Roaming\Mozilla\Firefox\Profiles\ujler62z.default\Extensions\{4093c4de-454a-4329-8aff-c6b0b123c386}
FF Extension: ytbyclick B1  - C:\Users\Seatbelt99\AppData\Roaming\Mozilla\Firefox\Profiles\ujler62z.default\Extensions\{49c53dce-afa0-49a1-a08b-2eb8e8444128}
FF Extension: appbario7  - C:\Users\Seatbelt99\AppData\Roaming\Mozilla\Firefox\Profiles\ujler62z.default\Extensions\{6926c7f7-6006-42d1-b046-eba1b3010315}
FF Extension: SweetPacks Toolbar for Firefox - C:\Users\Seatbelt99\AppData\Roaming\Mozilla\Firefox\Profiles\ujler62z.default\Extensions\{EEE6C361-6118-11DC-9C72-001320C79847}
FF Extension: Default - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM\...\Firefox\Extensions: [{DAC3F861-B30D-40dd-9166-F4E75327FAC7}] C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\
FF HKLM\...\Firefox\Extensions: [{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}] C:\Program Files\Updater By SweetPacks\Firefox
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
 
Chrome: 
=======
CHR HomePage: hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={60CB42F9-B8CF-11E2-97E2-0060972017D7}
CHR RestoreOnStartup: "hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={60CB42F9-B8CF-11E2-97E2-0060972017D7}", "hxxp://www.google.com/"
CHR Plugin: (Shockwave Flash) - C:\Users\Seatbelt99\AppData\Local\Google\Chrome\Application\27.0.1453.116\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\Seatbelt99\AppData\Local\Google\Chrome\Application\27.0.1453.116\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_271.dll No File
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Seatbelt99\AppData\Local\Google\Chrome\Application\27.0.1453.116\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Seatbelt99\AppData\Local\Google\Chrome\Application\27.0.1453.116\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Coupons Inc., Coupon Printer Manager ) - C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll (Coupons, Inc.)
CHR Plugin: (Coupons Inc., Coupon Printer Manager ) - C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
CHR Plugin: (Winamp Application Detector) - C:\Program Files\Mozilla Firefox\plugins\npwachk.dll (Nullsoft, Inc.)
CHR Plugin: (Windows Live\u00AE Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Users\Seatbelt99\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (BrowserPlus (from Yahoo!) v2.6.0) - C:\Users\Seatbelt99\AppData\Local\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll (Yahoo! Inc.)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Extension: (ytbyclick B1) - C:\Users\SEATBE~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckofdlnjijmfpjnffabkfldjbahlieed\10.15.2.523_0
CHR Extension: (RealDownloader) - C:\Users\SEATBE~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji\1.3.1_0
CHR Extension: (StumbleUpon) - C:\Users\SEATBE~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcahibnffhnnjcedflmchmokndkjnhpg\5.3.7.1_0
CHR Extension: (SweetPacks Chrome Extension) - C:\Users\SEATBE~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj\1.3.0.3_0
CHR HKLM\...\Chrome\Extension: [ckofdlnjijmfpjnffabkfldjbahlieed] - C:\Users\Seatbelt99\AppData\Local\CRE\ckofdlnjijmfpjnffabkfldjbahlieed.crx
CHR HKLM\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx
CHR HKLM\...\Chrome\Extension: [mmlkabjddkpgkgfhdhpimhcbonapngoh] - C:\Users\Seatbelt99\AppData\Local\CRE\mmlkabjddkpgkgfhdhpimhcbonapngoh.crx
CHR HKLM\...\Chrome\Extension: [ogccgbmabaphcakpiclgcnmcnimhokcj] - C:\Users\Seatbelt99\AppData\Local\Google\Chrome\\User Data\\Default\\External Extensions\{EEE6C373-6118-11DC-9C72-001320C79847}\SweetNT.crx
CHR StartMenuInternet: Google Chrome - "C:\Users\Seatbelt99\AppData\Local\Google\Chrome\Application\chrome.exe"
 
========================== Services (Whitelisted) =================
 
R2 OfficeSvc; C:\Program Files\Microsoft Office 15\ClientX86\integratedoffice.exe [1316024 2013-06-05] (Microsoft Corporation)
R2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-03-06] ()
R2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [73960 2010-02-03] (tzuk)
 
==================== Drivers (Whitelisted) ====================
 
R3 EL90x; C:\Windows\System32\DRIVERS\el90XND5.SYS [156020 2001-07-16] (3Com Corporation)
R3 es1371; C:\Windows\System32\drivers\es1371mp.sys [40832 2002-06-03] (Creative Technology Ltd.)
S3 HabuFltr; C:\Windows\System32\drivers\habu.sys [27776 2006-10-23] (Razer (Asia-Pacific) Pte Ltd)
S3 RTL85n86; C:\Windows\System32\DRIVERS\RTL85n86.sys [311808 2009-07-13] (Realtek)
R3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [115432 2010-02-03] (tzuk)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-07-20 18:47 - 2013-07-20 18:47 - 00000000 ____D C:\ProgramData\HitmanPro
2013-07-20 18:47 - 2013-07-20 18:47 - 00000000 ____D C:\FRST
2013-06-27 15:53 - 2013-07-20 18:45 - 00000004 _____ C:\Users\Seatbelt99\AppData\Roaming\skype.ini
 
==================== One Month Modified Files and Folders =======
 
2013-07-20 18:47 - 2013-07-20 18:47 - 00000000 ____D C:\ProgramData\HitmanPro
2013-07-20 18:47 - 2013-07-20 18:47 - 00000000 ____D C:\FRST
2013-07-20 18:46 - 2013-04-09 18:24 - 00000376 _____ C:\Windows\Tasks\AmiUpdXp.job
2013-07-20 18:46 - 2009-07-14 00:39 - 00030047 _____ C:\Windows\setupact.log
2013-07-20 18:45 - 2013-06-27 15:53 - 00000004 _____ C:\Users\Seatbelt99\AppData\Roaming\skype.ini
2013-07-20 18:45 - 2013-06-15 23:55 - 00000396 _____ C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_Seatbelt99.job
2013-07-20 18:45 - 2010-06-30 14:26 - 00000000 ____D C:\Users\Seatbelt99\Tracing
2013-07-20 18:44 - 2009-07-14 00:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-20 14:53 - 2010-01-05 12:46 - 01224068 _____ C:\Windows\WindowsUpdate.log
2013-07-20 14:53 - 2009-07-14 00:34 - 00014832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-20 14:53 - 2009-07-14 00:34 - 00014832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-20 13:34 - 2012-05-09 20:01 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-20 13:08 - 2010-01-05 15:10 - 00000928 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2622827469-919460541-3677295561-1000UA.job
2013-07-20 10:08 - 2010-01-05 10:36 - 00726444 _____ C:\Windows\system32\PerfStringBackup.INI
2013-06-29 18:02 - 2013-06-15 23:55 - 00000390 _____ C:\Windows\Tasks\ReclaimerUpdateFiles_Seatbelt99.job
2013-06-29 15:02 - 2013-04-02 15:31 - 00000416 ____H C:\Windows\Tasks\Norton Security Scan for Seatbelt99.job
2013-06-29 14:08 - 2010-01-05 15:10 - 00000876 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2622827469-919460541-3677295561-1000Core.job
2013-06-29 07:11 - 2013-04-03 08:50 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-06-29 00:07 - 2013-06-15 23:55 - 00000386 _____ C:\Windows\Tasks\ReclaimerUpdateXML_Seatbelt99.job
 
Files to move or delete:
====================
C:\Users\Seatbelt99\AppData\Roaming\skype.dat
C:\Users\Seatbelt99\AppData\Roaming\skype.ini
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2013-07-20 10:46
 
==================== End Of Log ============================
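An added triage helper (not part of this thread, and not FRST's own code) that reads FRST-style autostart lines such as those in the log above and flags the Winlogon Shell hijack, the system proxy, the orphaned Run entry and the MountPoints2 autorun handler; the sample lines are constructed from that log, and the regular expressions assume exactly this line layout.

```python
"""Triage FRST.txt autostart lines for hijack and persistence indicators."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the FRST log posted above (backslashes doubled for Python).
SAMPLE_LOG = """\
HKCU\\...\\Run: [SandboxieControl] - C:\\Program Files\\Sandboxie\\SbieCtrl.exe [394984 2010-02-03] (tzuk)
HKCU\\...\\Run: [FoodBuzzUpdate] - C:\\Program Files\\FoodBuzz\\Update\\FoodBuzzUpdate.exe [x]
HKCU\\...\\Winlogon: [Shell] explorer.exe,C:\\Users\\Seatbelt99\\AppData\\Roaming\\skype.dat <==== ATTENTION
ProxyServer: 65.50.56.66:2479
MountPoints2: {531dca6a-fa19-11de-ac7c-806e6f6e6963} - E:\\_AUTORUN\\AUTORUN.EXE
"""


@dataclass
class Finding:
    severity: str   # "high" | "medium" | "low"
    reason: str
    line: str


# Line shapes as they appear in the FRST "Registry" and "Internet" sections above.
WINLOGON_RE = re.compile(r"^(HK\w+)\\\.\.\.\\Winlogon: \[Shell\] (.*?)(?: <==== ATTENTION)?$")
RUN_RE = re.compile(r"^(HK[^:]+)\\\.\.\.\\(Run|RunOnce): \[([^\]]+)\] - (.+?) \[([^\]]*)\]")
PROXY_RE = re.compile(r"^ProxyServer: (\S+)$")
MOUNT_RE = re.compile(r"^MountPoints2: \{[0-9a-fA-F-]+\} - (.+)$")

# Locations a standard user can write to; autostarts there deserve a closer look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def check_line(line):
    """Return a Finding for one FRST line, or None if it looks benign."""
    line = line.rstrip()
    m = WINLOGON_RE.match(line)
    if m:
        hive, data = m.groups()
        # Winlogon launches every comma-separated entry in Shell; the only
        # legitimate value is explorer.exe. Anything appended (here skype.dat in
        # AppData\Roaming) starts at logon alongside or instead of the desktop,
        # which is how a lock screen ends up replacing the desktop.
        extra = [p.strip() for p in data.split(",")
                 if p.strip() and p.strip().lower() != "explorer.exe"]
        if extra:
            return Finding("high", f"{hive} Winlogon Shell also launches {', '.join(extra)}", line)
        return None
    m = RUN_RE.match(line)
    if m:
        hive, key, name, path, meta = m.groups()
        if meta == "x":   # FRST writes [x] when the referenced file no longer exists
            return Finding("low", f"{key} entry '{name}' points to a missing file (orphan)", line)
        if any(tok in path.lower() for tok in USER_WRITABLE):
            return Finding("medium", f"{key} entry '{name}' runs from a user-writable location", line)
        return None
    m = PROXY_RE.match(line)
    if m:
        return Finding("medium", f"System proxy set to {m.group(1)}; all browser traffic goes through it", line)
    m = MOUNT_RE.match(line)
    if m:
        return Finding("medium", f"MountPoints2 autorun handler: {m.group(1)}", line)
    if "<==== ATTENTION" in line:
        return Finding("high", "FRST flagged this line", line)
    return None


def triage(log_text):
    """Run check_line over every line of an FRST log and keep the findings, in log order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```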


#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,692 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:46 AM

Posted 20 July 2013 - 06:48 PM

Since the tool was run in Normal Mode, it should have produced an Addition.txt report. Please attach it.

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as fixlist.txt
  • Change the Save as Type to All Files
  • and Save it next to FRST.
  • Run FRST as you did before, except that this time around, click on the Fix button and wait.
  • The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Start
HKU\Default\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [ 2009-07-13] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [ 2009-07-13] (Microsoft Corporation)
HKCU\...\Run: [FoodBuzzUpdate] - C:\Program Files\FoodBuzz\Update\FoodBuzzUpdate.exe [x]
HKCU\...\Winlogon: [Shell] explorer.exe,C:\Users\Seatbelt99\AppData\Roaming\skype.dat <==== ATTENTION
C:\Users\Seatbelt99\AppData\Roaming\skype.ini
C:\Users\Seatbelt99\AppData\Roaming\skype.dat
End


Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete


Once done it will ask to reboot, allow this
On reboot a log will be produced at C:\ADWCleaner[XX].txt please post it in your next reply.
 
Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

 

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.



#6 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,731 posts
  • Gender:Male
  • Local time:05:46 AM

Posted 25 July 2013 - 03:15 PM

Are you still with us?

Edited by JSntgRvr, 25 July 2013 - 06:13 PM.


#7 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,731 posts
  • Gender:Male
  • Local time:05:46 AM

Posted 30 July 2013 - 03:20 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!
