
Cannot format Windows 7, Google chrome crash, PC is infected with trojan..HELP


31 replies to this topic

#1 sumsave (Members, 20 posts)

Posted 30 September 2013 - 11:02 AM

Hello,

 

I have loads of problems in my pc right now.

 

1. I have installed MSE, which pops up every time I start my PC with "Virus:DOS/Rovnix.D" detected. Even if I remove or clean the virus it shows "Error Code 0x800704ec. This program is blocked by group policy." and pops up again at the next login.

2. For this reason I installed ESET Smart Security, which gives me another virus at every start up: "win32/Simda.AE" in operating memory >> explorer.exe(3132). I also get notifications at the bottom right while working.

3. Google Chrome crashes every time I open any site except Google sites (e.g. gmail.com, play.google.com).

4. Now I am using Internet Explorer; on every site an ad pops up at the bottom left, which is very annoying.

5. For all these reasons I decided to format the PC, but when I go to the boot menu only a black screen with a blinking cursor appears. It does not go any further.

Please help. My PC is also running very slow and hangs most of the time, and I have to restart it without any other option.

I don't want to format my whole disk as I have very important data related to my study and my work.

PLEASE HELP GUYS...!!!

 

(Previously my PC was infected with a bitcoin miner, which I found out about and deleted the infected files.)





#2 sumsave (Topic Starter)

Posted 03 October 2013 - 01:27 AM

I need help urgently. Is there no one who can help me with my problem?



#3 noknojon (Banned, 10,871 posts)

Posted 05 October 2013 - 05:44 PM

Hello sumsave -
Download Security Check by Screen317
* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If any security program requests permission to access the Internet, allow it to do so.

 

 

Download MiniToolBox, Save it to your desktop and run it.
Checkmark the following checkboxes:
* Flush DNS
* Reset IE Proxy Settings
* Reset FF Proxy Settings
* List content of Hosts
* List last 10 Event Viewer log
* List Installed Programs
* List Devices (Only Problems)
* List Users, Partitions and Memory size.
NOTE: When using "Reset FF Proxy Settings" option Firefox should be closed.
Click GO and Copy / Paste the result, (Result.txt) from your desktop

 

Try the Uninstall and Reinstall MSE method - First remove MSE from Programs and Features.
Next, use the Uninstall M.S.E. Tool (use this link) to clean up.
The Microsoft Security Essentials Removal Tool can be used to remove all traces of Microsoft Security Essentials.
Re-install M.S.E. from here: Microsoft Security Essentials
This may clean out the cache stored in the program.

 

 

Please start with reading How To Temporarily Disable Your Anti-virus
Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them.

You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/
* Double-click on the Rkill desktop icon to run the tool.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* Do not reboot until instructed.
*  Do not reboot your computer after running RKill as the malware programs will start again.
* If the tool does not run from any of the links provided, please let me know.
If normal mode still doesn't work, run the tool from safe mode.
When the scan is done Notepad will open with rKill log.
Post it in your next reply.
NOTE. rKill.txt log will also be present on your desktop.

 

Please download Malwarebytes Anti-Malware Free (aka MBAM)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to Check for Updates so it is current.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Scan, then click Quick Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* NOTE : You may be asked to Reboot to fully remove any found infections.
* When completed, a log will open in Notepad.
* Post the log back here.
* If you are not sure of any items, post the log and ask if it should be removed.

 

Scan your machine with ESET OnlineScan
This is best done with Internet Explorer as it uses ActiveX
1. Hold down Control and click HERE to open ESET OnlineScan in a new window.
2. Click the ESET Online Scanner button.
3. NOTE: For alternate browsers only (Microsoft Internet Explorer users can skip these 2 steps):

 

- 1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
- 2. Double click on the ESET Online Scanner icon on your desktop.

 

 4. Check "YES, I accept the Terms of Use."
 5. Click the Start button.
 6. Accept any security warnings from your browser.
 7. Under scan settings, check "Scan Archives" and "Remove found threats"
8. Click Advanced settings and select the following:
 Scan potentially unwanted applications
 Scan for potentially unsafe applications
 Enable Anti-Stealth technology
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this will take some time to download the program for the first time, and then download the updated database (1 to 2 hours is not unusual).
10. When the scan completes, click List Threats
11. Click Export, and save the file to your desktop using a unique name, such as ESETScan.
- Include the contents of this report in your next reply.
12. Click the Back button.
13. Click the Finish button
Or you can find a report at  C:\Program Files\esetonlinescanner\log.txt.

 

 

Please download Junkware Removal Tool by thisisu to your desktop
Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

 

Make sure your Antivirus/Antimalware protection is enabled now -

 

Please download TFC, or Temp File Cleaner By Old Timer
Usage Instructions:
* Download TFC from the download link above and save the file on your desktop.
* Close ALL running applications as TFC will terminate them before attempting to clean up the temporary files.
* Double-click on the TFC icon.
* When the program opens, click on the Start button. 
* TFC will terminate the Explorer process and all running applications and then begin the process of cleaning out all of your temp folders.
* When done, press OK to reboot your computer and finish the cleanup.

* No log is produced, from the tool -

 

Thank You -



#4 noknojon (Banned, 10,871 posts)

Posted 06 October 2013 - 12:45 AM

Extra information regarding your infection -
Threat behavior
Trojan: DOS/Rovnix.D may be distributed by malware exploiting Java vulnerabilities, or installed by other malware, for example TrojanDropper:Win32/Rovnix.H.
This trojan may cause your computer to crash unexpectedly. If you can reboot after your computer crashes, we recommend you run a full scan with a complete antivirus solution such as Microsoft Security Essentials.

You may need to reinstall your Windows operating system and other computer programs, and restore your files and data from backup.

Additional information
Trojan: DOS/Rovnix.D is a detection for a malicious Volume Boot Record (VBR) which is loaded at boot time. It attempts to tamper with some Windows kernel data to load its own malicious driver. This trick may bypass the Driver Signature Enforcement on a 64-bit system.

The malicious driver injects other malware components, for example Trojan:Win32/Claretore.L, into the "explorer.exe" process.
To hide its presence on the computer, the loaded driver intercepts the hard disk I/O (input/output) operation, and returns the original clean copy if the VBR is accessed.
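
The description above (a malicious VBR whose driver intercepts disk I/O and hands back the original clean sector whenever the VBR is read) is exactly why a scan run from inside the infected OS can keep "removing" the detection and seeing it return. The following is an added example, not code from the thread, from Microsoft or from BleepingComputer: it parses an NTFS volume boot record and compares the copy read from the running system with one read from outside it (rescue media, or the disk attached to a clean machine). Function names are mine, and the two sector images at the bottom are constructed test data, not captures from the poster's machine.

```python
"""Compare an NTFS VBR as seen from inside the OS with an out-of-band read.

A VBR bootkit that filters disk I/O returns the clean sector to the running
system, so a live read and an offline read that agree on the BIOS Parameter
Block but differ in the bootstrap code is the tell-tale of a hidden patch.
Added example; sector images below are CONSTRUCTED test data.
"""
import hashlib
import struct

SECTOR = 512
# Fixed NTFS boot-sector layout (offsets from the NTFS on-disk format).
OEM_ID_OFF = 3                # 8 bytes, b"NTFS    "
BYTES_PER_SECTOR_OFF = 11     # uint16 little-endian
SECTORS_PER_CLUSTER_OFF = 13  # uint8
BOOT_CODE_OFF = 0x54          # bootstrap code follows the extended BPB
SIGNATURE_OFF = 510           # bytes 0x55 0xAA


def parse_vbr(sector: bytes) -> dict:
    """Pull the fields needed for a sanity check out of one NTFS VBR."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    oem_id = sector[OEM_ID_OFF:OEM_ID_OFF + 8]
    (bytes_per_sector,) = struct.unpack_from("<H", sector, BYTES_PER_SECTOR_OFF)
    (signature,) = struct.unpack_from("<H", sector, SIGNATURE_OFF)
    return {
        "is_ntfs": oem_id == b"NTFS    ",
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sector[SECTORS_PER_CLUSTER_OFF],
        "signature_ok": signature == 0xAA55,
        # BPB + extended BPB: must be identical in every read of the volume.
        "bpb_sha256": hashlib.sha256(sector[:BOOT_CODE_OFF]).hexdigest(),
        # Bootstrap code: the part a VBR bootkit rewrites.
        "boot_code_sha256": hashlib.sha256(
            sector[BOOT_CODE_OFF:SIGNATURE_OFF]).hexdigest(),
    }


def compare_vbr(live_read: bytes, offline_read: bytes) -> dict:
    """Same BPB but different boot code => the running OS is being lied to."""
    live, offline = parse_vbr(live_read), parse_vbr(offline_read)
    bpb_match = live["bpb_sha256"] == offline["bpb_sha256"]
    code_match = live["boot_code_sha256"] == offline["boot_code_sha256"]
    if not (live["signature_ok"] and offline["signature_ok"]):
        verdict = "not a valid boot sector"
    elif bpb_match and code_match:
        verdict = "consistent"
    elif bpb_match and not code_match:
        verdict = "boot code differs between live and offline read: hidden VBR modification"
    else:
        verdict = "different volumes or corrupt read"
    return {"bpb_match": bpb_match, "boot_code_match": code_match, "verdict": verdict}


def read_vbr(device_path: str) -> bytes:
    r"""Read the first sector of a raw volume, e.g. \\.\C: on Windows (needs an
    administrator token) or /dev/sda2 from a Linux rescue system."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR)


def build_test_vbr(boot_code: bytes) -> bytes:
    """CONSTRUCTED sample: a minimal NTFS-looking VBR around the given boot code."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x52\x90"                      # JMP +0x52 ; NOP
    s[OEM_ID_OFF:OEM_ID_OFF + 8] = b"NTFS    "
    struct.pack_into("<H", s, BYTES_PER_SECTOR_OFF, 512)
    s[SECTORS_PER_CLUSTER_OFF] = 8
    code = boot_code[:SIGNATURE_OFF - BOOT_CODE_OFF]
    s[BOOT_CODE_OFF:BOOT_CODE_OFF + len(code)] = code
    s[SIGNATURE_OFF], s[SIGNATURE_OFF + 1] = 0x55, 0xAA
    return bytes(s)


# Constructed data: what the OS is shown (clean) vs. what is really on disk.
CLEAN_VBR = build_test_vbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB")
PATCHED_VBR = build_test_vbr(b"\xFA\xE9\x00\x01\x90\x90\x90\x90\x90")

if __name__ == "__main__":
    print(compare_vbr(CLEAN_VBR, PATCHED_VBR)["verdict"])
```

In practice the live copy comes from `read_vbr(r"\\.\C:")` on the suspect machine and the offline copy from a rescue boot; if they match byte for byte the bootkit is either absent or not hiding at sector level, and if only the boot code differs the advice in the post above (reinstall, restore data from backup) is the safe course, since the driver that hides the patch also loads before the antivirus does.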


#5 sumsave (Topic Starter)

Posted 07 October 2013 - 11:44 PM

Hi,

 

Thank you For information.

 

Junkware Removal Tool did not run for me: a black box appears for 2 seconds and disappears. I waited for some time but nothing happened. I also selected "Run as Administrator" and disabled the antivirus, but nothing happens.

 

ESET Online Scanner is taking too much time to scan my whole system. In 4 hours only 30% of the scan was done. Once it is complete I will post that scan result also.

 

For now I will post the other scan results.

 

 

Security Check

 

 Results of screen317's Security Check version 0.99.74 
   x86  
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````

 Windows Security Center service is not running! This report may not be accurate!
Microsoft Security Essentials  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 CCleaner    
 Java™ 6 Update 30 
 Java 7 Update 25 
 Java version out of Date!
 Adobe Flash Player  11.8.800.94 
 Google Chrome 29.0.1547.76 
````````Process Check: objlist.exe by Laurent```````` 
 ESET ESET Online Scanner OnlineScannerApp.exe 
 ESET ESET Online Scanner OnlineCmdLineScanner.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 
````````````````````End of Log``````````````````````
 

 

Minitoolbox

 

MiniToolBox by Farbar  Version: 13-07-2013
Ran by sam (administrator) on 07-10-2013 at 18:28:23
Running from "D:\Investigation\Download"
Microsoft Windows 7 Ultimate   (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
#         Any other entries you had go here (new line no # no space); 
127.0.0.1 localhost

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/07/2013 08:57:35 AM) (Source: MsiInstaller) (User: sam-PC)
Description: Product: Microsoft Fix it 50535 -- Error 1921. Service 'Microsoft Antimalware Service' (MsMpSvc) could not be stopped.  Verify that you have sufficient privileges to stop system services.

Error: (10/07/2013 08:54:35 AM) (Source: MsiInstaller) (User: sam-PC)
Description: Product: Microsoft Fix it 50535 -- Error 1921. Service 'Microsoft Antimalware Service' (MsMpSvc) could not be stopped.  Verify that you have sufficient privileges to stop system services.

Error: (10/07/2013 08:54:33 AM) (Source: MsiInstaller) (User: sam-PC)
Description: Product: Microsoft Fix it 50535 -- Error 1921. Service 'Microsoft Antimalware Service' (MsMpSvc) could not be stopped.  Verify that you have sufficient privileges to stop system services.

Error: (10/07/2013 08:52:10 AM) (Source: MsiInstaller) (User: sam-PC)
Description: Product: Microsoft Fix it 50535 -- Error 1921. Service 'Microsoft Antimalware Service' (MsMpSvc) could not be stopped.  Verify that you have sufficient privileges to stop system services.

Error: (10/07/2013 08:50:12 AM) (Source: MsiInstaller) (User: sam-PC)
Description: Product: Microsoft Fix it 50535 -- Error 1921. Service 'Microsoft Antimalware Service' (MsMpSvc) could not be stopped.  Verify that you have sufficient privileges to stop system services.

Error: (10/07/2013 08:39:07 AM) (Source: Application Error) (User: )
Description: Faulting application name: chrome.exe, version: 29.0.1547.76, time stamp: 0x5237a3c2
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00012cb3
Faulting process id: 0x12f4
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3

Error: (10/07/2013 08:39:00 AM) (Source: Application Error) (User: )
Description: Faulting application name: chrome.exe, version: 29.0.1547.76, time stamp: 0x5237a3c2
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00062cb3
Faulting process id: 0xcb4
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3

Error: (10/06/2013 07:55:01 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".Error in manifest or policy file "Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"2" on line Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8".
Definition is Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8".
Please use sxstrace.exe for detailed diagnosis.

Error: (10/06/2013 10:42:36 AM) (Source: Windows Search Service) (User: )
Description: The index cannot be initialized.

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (10/06/2013 10:42:36 AM) (Source: Windows Search Service) (User: )
Description: The application cannot be initialized.

Context: Windows Application

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

System errors:
=============
Error: (10/07/2013 06:16:44 PM) (Source: Microsoft Antimalware) (User: )
Description: %Virus:DOS/Rovnix.D60 has encountered a critical error when taking action on malware or other potentially unwanted software.

For more information please see the following:
%Virus:DOS/Rovnix.D603

 Name: Virus:DOS/Rovnix.D

 ID: 2147680143

 Severity: %Virus:DOS/Rovnix.D600

 Category: %Virus:DOS/Rovnix.D602

 Path: 4.3.0216.02

 Detection Origin: 4.3.0216.04

 Detection Type: 4.3.0216.08

 Detection Source: %Virus:DOS/Rovnix.D608

 User: {9B528DCD-FA3D-42FE-889B-D36F97B61403}9

 Process Name: %Virus:DOS/Rovnix.D609

 Action: {9B528DCD-FA3D-42FE-889B-D36F97B61403}1

 Action Status:  {9B528DCD-FA3D-42FE-889B-D36F97B61403}8

 Error Code: {9B528DCD-FA3D-42FE-889B-D36F97B61403}3

 Error description: {9B528DCD-FA3D-42FE-889B-D36F97B61403}4

 Signature Version: 2013-10-07T12:46:34.508Z1

 Engine Version: 2013-10-07T12:46:34.508Z2

Error: (10/07/2013 06:16:28 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
CSN5PDTS82
CSN5PDTS82x64

Error: (10/07/2013 06:16:25 PM) (Source: Service Control Manager) (User: )
Description: The AODDriver4.2 service failed to start due to the following error:
%%2

Error: (10/07/2013 10:21:55 AM) (Source: Disk) (User: )
Description: The device, \Device\Harddisk1\DR1, has a bad block.

Error: (10/07/2013 10:21:52 AM) (Source: Disk) (User: )
Description: The device, \Device\Harddisk1\DR1, has a bad block.

Error: (10/07/2013 10:21:50 AM) (Source: Disk) (User: )
Description: The device, \Device\Harddisk1\DR1, has a bad block.

Error: (10/07/2013 10:21:47 AM) (Source: Disk) (User: )
Description: The device, \Device\Harddisk1\DR1, has a bad block.

Error: (10/07/2013 10:21:45 AM) (Source: Disk) (User: )
Description: The device, \Device\Harddisk1\DR1, has a bad block.

Error: (10/07/2013 10:21:42 AM) (Source: Disk) (User: )
Description: The device, \Device\Harddisk1\DR1, has a bad block.

Error: (10/07/2013 10:21:40 AM) (Source: Disk) (User: )
Description: The device, \Device\Harddisk1\DR1, has a bad block.

Microsoft Office Sessions:
=========================
Error: (06/27/2012 11:04:44 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 24 seconds with 0 seconds of active time.  This session ended with a crash.

CodeIntegrity Errors:
===================================
  Date: 2013-02-02 19:02:33.481
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2013\active virus control\avc3_000_001\avcuf32.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-02-02 18:32:29.166
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2013\active virus control\avc3_000_001\avcuf32.dll because the set of per-page image hashes could not be found on the system.

=========================== Installed Programs ============================

@BIOS (Version: 2.11)
7-Zip 9.20
Adobe AIR (Version: 3.1.0.4880)
Adobe Community Help (Version: 3.4.980)
Adobe Flash Player 11 Plugin (Version: 11.8.800.94)
Adobe Flash Player ActiveX (Version: 9.0.124.0)
Adobe Reader XI (11.0.04) (Version: 11.0.04)
Adobe Shockwave Player 12.0 (Version: 12.0.3.133)
AMD Accelerated Video Transcoding (Version: 12.5.100.21219)
AMD APP SDK Runtime (Version: 10.0.1084.4)
AMD Catalyst Install Manager (Version: 8.0.903.0)
AMD Drag and Drop Transcoding (Version: 2.00.0000)
AMD Fuel (Version: 2012.1219.1521.27485)
AMD Media Foundation Decoders (Version: 1.0.71219.1540)
AMD VISION Engine Control Center (Version: 2012.1219.1521.27485)
Assassin's Creed ® III (Version: 1.00)
AutoGreen B10.1021.1 (Version: 1.00.0000)
Binary Viewer 4.13.3.15
BitTorrent (Version: 7.7.2.28499)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Graphics Previews Common (Version: 2012.1219.1521.27485)
Catalyst Control Center InstallProxy (Version: 2012.1219.1521.27485)
Catalyst Control Center Localization All (Version: 2012.1219.1521.27485)
CCC Help Chinese Standard (Version: 2012.1219.1520.27485)
CCC Help Chinese Traditional (Version: 2012.1219.1520.27485)
CCC Help Czech (Version: 2012.1219.1520.27485)
CCC Help Danish (Version: 2012.1219.1520.27485)
CCC Help Dutch (Version: 2012.1219.1520.27485)
CCC Help English (Version: 2012.1219.1520.27485)
CCC Help Finnish (Version: 2012.1219.1520.27485)
CCC Help French (Version: 2012.1219.1520.27485)
CCC Help German (Version: 2012.1219.1520.27485)
CCC Help Greek (Version: 2012.1219.1520.27485)
CCC Help Hungarian (Version: 2012.1219.1520.27485)
CCC Help Italian (Version: 2012.1219.1520.27485)
CCC Help Japanese (Version: 2012.1219.1520.27485)
CCC Help Korean (Version: 2012.1219.1520.27485)
CCC Help Norwegian (Version: 2012.1219.1520.27485)
CCC Help Polish (Version: 2012.1219.1520.27485)
CCC Help Portuguese (Version: 2012.1219.1520.27485)
CCC Help Russian (Version: 2012.1219.1520.27485)
CCC Help Spanish (Version: 2012.1219.1520.27485)
CCC Help Swedish (Version: 2012.1219.1520.27485)
CCC Help Thai (Version: 2012.1219.1520.27485)
CCC Help Turkish (Version: 2012.1219.1520.27485)
ccc-utility (Version: 2012.1219.1521.27485)
CCleaner (Version: 4.05)
Counter-Strike 1.6
CPUID CPU-Z 1.59
D3DX10 (Version: 15.4.2368.0902)
DAEMON Tools Lite (Version: 4.45.1.0236)
Dev-C++ 5 beta 9 release (4.9.9.2)
Dual-Core Optimizer (Version: 1.1.4.0169)
EA Download Manager (Version: 6.0.4.124)
Easy Tune 6 B11.0427.1 (Version: 1.00.0000)
EAX4 Unified Redist (Version: 4.001)
ESET Online Scanner v3
Etron USB3.0 Host Controller (Version: 0.98)
Google Chrome (Version: 29.0.1547.76)
Google Drive (Version: 1.11.4865.2530)
Google Earth (Version: 7.1.1.1888)
Google Update Helper (Version: 1.3.21.153)
ImgBurn (Version: 2.5.6.0)
Java 7 Update 25 (Version: 7.0.250)
Java Auto Updater (Version: 2.1.9.5)
Java™ 6 Update 30 (Version: 6.0.300)
Macro Vibration Joystick (Version: 2006.05.30)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30320)
Microsoft .NET Framework 4 Extended (Version: 4.0.30320)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Games for Windows - LIVE Redistributable (Version: 3.5.88.0)
Microsoft Games for Windows Marketplace (Version: 3.5.50.0)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Enterprise 2007 (Version: 12.0.4518.1014)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Groove MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Groove Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (French) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs (Version: 12.0.4518.1014)
Microsoft Security Client (Version: 4.3.0216.0)
Microsoft Security Essentials (Version: 4.3.216.0)
Microsoft Silverlight (Version: 5.1.10411.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft_VC100_CRT_SP1_x86 (Version: 10.0.40219.1)
Microsoft_VC80_ATL_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_CRT_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFC_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFCLOC_x86 (Version: 8.0.50727.4053)
Microsoft_VC90_ATL_x86 (Version: 1.00.0000)
Microsoft_VC90_CRT_x86 (Version: 1.00.0000)
Microsoft_VC90_MFC_x86 (Version: 1.00.0000)
Microsoft_VC90_MFCLOC_x86 (Version: 1.00.0000)
Movie Maker (Version: 16.4.3508.0205)
MSVC80_x86_v2 (Version: 1.0.3.0)
MSVC90_x86 (Version: 1.0.1.2)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT110 (Version: 16.4.1108.0727)
MSXML4 Parser (Version: 1.0.0)
MyFreeCodec
Nero Burning ROM 10 (Version: 10.2.11000.12.100)
Nero Burning ROM 10 (Version: 10.5.10300)
Nero BurningROM 10 Help (CHM) (Version: 10.5.10100)
Nero BurnRights 10 (Version: 4.2.10300.0.102)
Nero BurnRights 10 Help (CHM) (Version: 10.5.10000)
Nero Control Center 10 (Version: 10.2.10600.0.6)
Nero ControlCenter 10 Help (CHM) (Version: 10.5.10000)
Nero Core Components 10 (Version: 2.0.17400.8.2)
Nero Update (Version: 1.0.0018)
Nokia Connectivity Cable Driver (Version: 7.1.78.0)
NVIDIA PhysX (Version: 9.10.0513)
ON_OFF Charge B11.0110.1 (Version: 1.00.0001)
OpenAL
PC Connectivity Solution (Version: 12.0.17.0)
PDF Settings CS5 (Version: 10.0)
Photo Gallery (Version: 16.4.3508.0205)
Rapture3D 2.4.9 Game
Realtek Ethernet Controller Driver (Version: 7.38.113.2011)
Realtek HDMI Audio Driver for ATI (Version: 6.0.1.6251)
Realtek High Definition Audio Driver (Version: 6.0.1.6316)
Rockstar Games Social Club (Version: 1.00.0000)
Samsung Kies (Version: 2.5.0.12104_15)
Samsung Story Album Viewer (Version: 1.0.0.13052_1)
SAMSUNG USB Driver for Mobile Phones (Version: 1.5.24.0)
Software Informer 1.1
Steam (Version: 1.0.0.0)
swMSM (Version: 12.0.0.1)
TeraCopy 2.27
The Adventures of Tintin - The Secret of the Unicorn 1.0 (Version: 1.0)
Total Uninstall 6.3.4 (Version: 6.3.4)
USB2.0 PC CAMERA (Version: 1.00.0000)
VLC media player 2.0.0 (Version: 2.0.0)
Windows Driver Package - Nokia pccsmcfd  (08/22/2008 7.0.0.0) (Version: 08/22/2008 7.0.0.0)
Windows Live Communications Platform (Version: 16.4.3508.0205)
Windows Live Essentials (Version: 16.4.3508.0205)
Windows Live ID Sign-in Assistant (Version: 7.250.4311.0)
Windows Live Installer (Version: 16.4.3508.0205)
Windows Live Photo Common (Version: 16.4.3508.0205)
Windows Live PIMT Platform (Version: 16.4.3508.0205)
Windows Live SOXE (Version: 16.4.3508.0205)
Windows Live SOXE Definitions (Version: 16.4.3508.0205)
Windows Live UX Platform (Version: 16.4.3508.0205)
Windows Live UX Platform Language Pack (Version: 16.4.3508.0205)
WinPcap 4.1.2 (Version: 4.1.0.2001)
WinRAR 4.11 (32-bit) (Version: 4.11.0)
Wireshark 1.1.2 (Version: 1.1.2)
Workspace Desktop
Xvid MPEG-4 Video Codec

========================= Devices: ================================

Name: CSN5PDTS82 NDIS Protocol Driver
Description: CSN5PDTS82 NDIS Protocol Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: CSN5PDTS82
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: AODDriver4.2
Description: AODDriver4.2
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: AODDriver4.2
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

========================= Memory info: ===================================

Percentage of memory in use: 41%
Total physical RAM: 3325.45 MB
Available physical RAM: 1937.46 MB
Total Pagefile: 6649.18 MB
Available Pagefile: 5137.8 MB
Total Virtual: 2047.88 MB
Available Virtual: 1926.64 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:97.65 GB) (Free:48.27 GB) NTFS
2 Drive d: (Others) (Fixed) (Total:390.62 GB) (Free:16.81 GB) NTFS
3 Drive e: (Games) (Fixed) (Total:443.23 GB) (Free:72.32 GB) NTFS
4 Drive f: (Windows 7) (CDROM) (Total:3.77 GB) (Free:0 GB) UDF
5 Drive g: (Local Disk) (Fixed) (Total:149.05 GB) (Free:18 GB) NTFS

========================= Users: ========================================

User accounts for \\SAM-PC

Administrator            Guest                    sam                     

**** End of log ****

 

Rkill

 

Rkill 2.6.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/07/2013 06:29:13 PM in x86 mode.
Windows Version: Windows 7 Ultimate

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1 localhost

Program finished at: 10/07/2013 06:30:04 PM
Execution time: 0 hours(s), 0 minute(s), and 51 seconds(s)

 

 

MBAM

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.07.07

Windows 7 x86 NTFS
Internet Explorer 9.0.8112.16421
sam :: SAM-PC [administrator]

Protection: Enabled

07-10-2013 18:31:00
mbam-log-2013-10-07 (18-31-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213056
Time elapsed: 11 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\sam\LOCALS~1\Temp\msjueuia.scr -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Data: C:\Users\sam\LOCALS~1\Temp\msjueuia.scr -> Delete on reboot.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

 

 

Please help me with this; I am getting scared to do my financial-related work on my PC, because it might get into the wrong hands.

 

As per your second reply I really wanted to format my C drive but could not do it (as I mentioned in the question). Just a black screen with a blinking cursor appears after pressing the boot menu option.

 

PLEASE HELP....!!!

 

Thank You.
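The MBAM log above flags `HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load` pointing at a `.scr` file in the user's Temp folder, which is a classic user-level persistence spot. The following script is an added example, not code from the thread or from any of the tools mentioned: it audits that `Load` value together with the other common autostart locations and reports any entry whose target sits in a temp/profile directory or uses an unusual executable extension. The list of suspicious path fragments and extensions is an assumption made for illustration; run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Added example (not from the thread): audit the classic Windows autostart
# registry locations, including the HKCU ...\Windows\Load value that MBAM
# flagged above, and report any entry that points into a user-writable
# temp/profile directory or to an unusual extension such as .scr.
# Run from an elevated PowerShell prompt on the affected machine.

$autostart = @(
    # (registry key, value name or $null for "all values under this key")
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'Load' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'Run' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = $null },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce';     Name = $null },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = $null },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce';     Name = $null },
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit' }
)

# Assumed heuristics: path fragments and extensions that legitimate
# autostart entries almost never use (LOCALS~1 is the 8.3 short name
# for "Local Settings", as seen in the MBAM log).
$suspiciousPaths = @('\Temp\', '\LOCALS~1\', '\AppData\Local\Temp\', '\Users\Public\', '\Recycle')
$suspiciousExt   = @('.scr', '.pif', '.com', '.bat', '.vbs', '.js')

function Test-SuspiciousTarget {
    param([string]$Data)
    $reasons = @()
    foreach ($p in $suspiciousPaths) {
        if ($Data -like "*$p*") { $reasons += "path contains '$p'" }
    }
    # Drop quotes/arguments and look at the extension of the first token.
    $exe = ($Data -replace '"', '').Split(' ')[0]
    $ext = [System.IO.Path]::GetExtension($exe).ToLower()
    if ($suspiciousExt -contains $ext) { $reasons += "extension $ext" }
    return $reasons
}

foreach ($loc in $autostart) {
    if (-not (Test-Path -LiteralPath $loc.Key)) { continue }
    $props = Get-ItemProperty -LiteralPath $loc.Key
    $names = if ($loc.Name) { @($loc.Name) } else {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Name }
    }
    foreach ($n in $names) {
        $data = $props.$n
        if (-not $data) { continue }
        $reasons = @(Test-SuspiciousTarget $data)
        # Resolve 8.3 short names such as LOCALS~1 so the real path is visible.
        $exe  = ($data -replace '"', '').Split(' ')[0]
        $long = if (Test-Path -LiteralPath $exe) { (Get-Item -LiteralPath $exe).FullName } else { '(not found as an absolute path)' }
        $flag = if ($reasons.Count -gt 0) { 'SUSPICIOUS' } else { 'ok' }
        "{0,-10} {1}\{2}`n           data: {3}`n           file: {4}`n           why : {5}" -f `
            $flag, $loc.Key, $n, $data, $long, ($reasons -join '; ')
    }
}
```

On the machine described in this thread the `Load` entry would be reported as SUSPICIOUS for both the `\LOCALS~1\` path and the `.scr` extension. A hit here is a reason to collect the file (its hash, its signature status) before it is deleted, since a removal tool that only clears the registry value leaves the dropped file on disk for the next infection stage to restore.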



#6 noknojon
  • Banned
  • 10,871 posts

Posted 08 October 2013 - 12:36 AM

Just a black screen with a blinking cursor appears after pressing the boot menu option

As you say that you are not able to log on at this time, please treat the problem like this >>
Take a look here: Cybercrime Division Ransomware Removal Guide

Go to - Automated Removal Instructions for FBI Cybercrime Division Ransomware using HitmanPro.Kickstart:

 

Please tell me if you can follow this guide, if not we will find another similar guide.

We should be able to boot your system with this method, then clean it.


Edited by noknojon, 08 October 2013 - 12:40 AM.


#7 sumsave
  • Topic Starter
  • Members
  • 20 posts

Posted 08 October 2013 - 12:56 AM

Thank you for the quick response.

 

I will look into the method; if there is any problem I will come back to you.

 

 

 

Query: -

 

1. Is there any possibility that my PC is infected with a keylogger or similar logging malware?

 

2. Sometimes when I try to open a page it shows "page cannot be displayed" (internet down), but actually I can see the internet is up on my router. Is this problem related to the infection, or am I just worrying too much??

 

Thank you for your help.



#8 noknojon
  • Banned
  • 10,871 posts

Posted 08 October 2013 - 01:59 AM

1. Is there any possibility that my PC is infected with a keylogger? < Yes. That is why we are doing this.

2. Is this problem related to the infection, or am I just worrying too much? < Be very worried.

Just quickly reading -

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) ->
Did you have 2 antivirus programs?? This makes it harder ......
Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2013 ??
Microsoft Security Essentials (Version: 4.3.216.0) ??



#9 sumsave
  • Topic Starter
  • Members
  • 20 posts

Posted 08 October 2013 - 03:29 AM

I have installed MSE and, as per your instruction, the ESET online scanner; these 2 antivirus programs are there on my PC.

 

The Bitdefender software I installed a long time back. I am not sure why that file did not go away when I uninstalled it. The Bitdefender folder I found is C:\Program Files\Common Files\Bitdefender, which is empty. There is another folder in it, "SetupInformation", which is also empty.

 

Will deleting this registry value, "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load", help us or not?



#10 noknojon
  • Banned
  • 10,871 posts

Posted 08 October 2013 - 04:18 AM

Please follow (when you can) How to uninstall Bitdefender
You do not want this to be installed any more while there is another Active Antivirus.

 

With the ESET Scanner, I left directions on how to temporarily disable your antivirus.



#11 sumsave
  • Topic Starter
  • Members
  • 20 posts

Posted 08 October 2013 - 08:07 AM

Hi,

 

I am done with the ESET online scanner scan. All files that were infected were deleted.

 

But there is 1 threat in the operating system which does not get deleted even if I select "Remove threats".

Threat: "Operating memory a variant of Win32/Simda.AE trojan"

 

What to do for this??

 

Now i will run HitmanPro.Kickstart and let you know the result.

 

Thank You.



#12 sumsave
  • Topic Starter
  • Members
  • 20 posts

Posted 08 October 2013 - 11:05 AM

Hi,

 

I did as specified in the steps of the HitmanPro.Kickstart tutorial. But when I go to the boot menu, which gives me 3 options, after pressing option number 1 (as mentioned in step 9) it gives me the following error.

 

"A disk read error occurred

Press ctrl+Alt+del to restart"

 

After that, even if I press Ctrl+Alt+Del, the PC does not restart. I have to manually restart my PC. I did this 3 times but got the same result.

 

Is there any other method to clean the PC??

 

Thank You.



#13 noknojon
  • Banned
  • 10,871 posts

Posted 08 October 2013 - 03:37 PM

EDIT - Sorry but your last post arrived at 3.00AM my local time -

 

"Operating memory a variant of Win32/Simda.AE trojan" << This is the problem threat

Win32/Simda.AE trojan is a variation of Trojan:Win32/Simda
Please read Technical information from Microsoft on this infection.

 

 

In this area we only have 2 options left and this is the first ........

We can try another Online Removal Program ...... Dr.Web CureIt!

NOTE If you are not 100% sure, Please print this post so that you can do it Step by Step -
 

1. Please download Dr.Web CureIt! antivirus and save it to your computer. The file size is in excess of 100MB
2. NOTE: Free usage of Dr.Web CureIt! for business purposes is illegal.
3. Internet Explorer may show a warning when downloading - the file is safe to download from the provided link.
4. Shutdown your antivirus to avoid any conflicts while scanning.
5. Once the scans have completed please re-enable your antivirus.
6. If using Other Active Antimalware, please disable this also.
7. If needed you can also temporarily disable them from starting with Windows
8. Temporarily turn off any other security add-ons or applications you may also have. > How To Temporarily Disable Your Anti-virus
9. Once you have downloaded Dr.Web CureIt! you should right click over it and choose Properties and verify it has a Digital Signature.
10. If it does not have a Digital Signature then do not run it.
11. Close all open programs including all Web browsers and then double-click on drweb-cureit.exe to start the installer.
12. You should have your User Account Control (UAC) enabled for improved security and which should then produce a dialog box asking for approval to run the installer.
13. Click on the Yes button to start the installer.
14. Click OK to scan your computer in the Enhanced Protection Mode
15. Click on the check box to agree to participate in their software improvement program.
16. Then if needed choose your Language by clicking on the small globe like icon in the upper right corner by the wrench.
17. Then click on the Continue button and then click on the Select objects for scanning link just below the "Start scanning" button.
18. Place a check mark on all the items except for Temporary files and System restore points - those items should not have a check mark on them.
19. Then click on the Start scanning button.
20. If a threat is found you can click on the Action column in the program.
21. Your options will be Cure or Ignore
22. If you see an item that you are absolutely sure is OK, then un-check the check box for that item, otherwise keep it on Cure.
23. Then click on the Neutralize button.
24. Once completed click on the green "Open Report" link. It will open the report in NOTEPAD
25. Save the report to your desktop. The report will be called Cureit.log
26. Close Dr.Web Cureit!
27. Reboot your computer to allow files that were in use to be moved/deleted during reboot.
28. After reboot, post the log Cureit.log, you saved previously in your next reply.
29. Re-Enable your antivirus and other security programs when all done.

 

 

This is the last ..........

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

• Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
• If TDSSKiller does not run, try renaming it.
• To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
• Click the Start Scan button.
Do not use the computer during the scan
•If the scan completes with nothing found, click Close to exit.
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
• Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
• A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.09.2013_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
• Copy and paste the contents of that file in your next reply.

 

If none works, please tell me ASAP -


Edited by noknojon, 08 October 2013 - 03:40 PM.
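Steps 9 and 10 of the Dr.Web instructions above (check the file's Digital Signature before running it, and do not run it if there is none) can be done from PowerShell instead of the Properties dialog, which also lets you record the file's hash. The script below is an added example, not part of the thread and not code from Dr.Web or Kaspersky. It uses only cmdlets available on Windows 7's PowerShell 2.0 (Get-FileHash is avoided since it only exists from PowerShell 4). The expected publisher strings and the file paths in the usage lines are assumptions; confirm the real signer name from the vendor's site before relying on it.

```powershell
# Added example (not from the thread): before running a downloaded cleaning
# tool (Dr.Web CureIt!, TDSSKiller, ...), check that it carries a valid
# Authenticode signature from the expected publisher and record its SHA-256.
# This is the scripted form of "right-click > Properties > Digital Signatures".

function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-DownloadedTool {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Substring expected in the signer certificate's Subject. The default
        # is an ASSUMPTION for illustration; confirm the real publisher name.
        [string]$ExpectedSigner = 'Doctor Web'
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $hash    = Get-Sha256Hex -Path $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { '(unsigned)' }
    $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }

    Write-Host "File      : $Path"
    Write-Host "SHA-256   : $hash"
    Write-Host "Status    : $($sig.Status)"   # Valid / NotSigned / HashMismatch / UnknownError ...
    Write-Host "Signer    : $subject"
    Write-Host "Thumbprint: $thumb"

    # Only a chain-valid signature from the expected publisher passes.
    # 'HashMismatch' means the bytes no longer match what was signed, which
    # is what a truncated or tampered download looks like: refuse it.
    $ok = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSigner*")
    if ($ok) {
        Write-Host "RESULT    : OK, signature checks out"
    } else {
        Write-Host "RESULT    : DO NOT RUN (status $($sig.Status), signer '$subject')"
    }
    return $ok
}

# Usage (paths and signer names are assumptions; adjust to your download):
# Test-DownloadedTool -Path "$env:USERPROFILE\Desktop\drweb-cureit.exe"
# Test-DownloadedTool -Path "$env:USERPROFILE\Desktop\tdsskiller.exe" -ExpectedSigner 'Kaspersky'
```

A `NotSigned` or `HashMismatch` status on a file that the vendor ships signed is the case the instructions warn about: either the download did not complete or something between the vendor and your desktop changed the file. On a machine that is already infected that is exactly the situation in which a tool should not be executed, so re-download from the vendor's site (ideally from a clean machine) and check again.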


#14 sumsave
  • Topic Starter
  • Members
  • 20 posts

Posted 09 October 2013 - 04:03 AM

Hi,

 

I have been trying to download Dr.Web CureIt!, but after some time the download stops. It says "Download was interrupted". I have kept my protection software disabled since my PC started.

 

I tried both links but they give me the same output.

 

Should I go with the 2nd step??

 

Please suggest.

 

Thank You.



#15 noknojon
  • Banned
  • 10,871 posts

Posted 09 October 2013 - 04:46 AM

Sorry, it was from my older texts -

I updated them. How it works

 

Click on this Download site link -

Click "Next" and scroll down to the "Download Dr.Web CureIt! and send the statistics"

Click on "I accept Dr.Web License Agreement" and then > "Continue"

The download should be ready to start -> Save to Desktop.

 

Directions are basically the same.

 

If you have problems, just go to TDSSKiller instructions -





