
How to Remove Mandiant U.S.A. Cyber Security Virus?


27 replies to this topic

#1 Diesel350

  • Members
  • 22 posts

Posted 24 October 2013 - 08:28 PM

I tried using Hitman Pro on a USB drive to remove the virus but it would let me boot from the USB. Also tried getting in through Safe mode command prompt and safe mode networking but not much luck there getting anything to work. Whether I log in normally or through safe mode I end up getting just a black screen. I cannot even access my desktop icons. Help appreciated to get this virus off my computer.

Edited by Diesel350, 24 October 2013 - 08:32 PM.




#2 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 24 October 2013 - 09:27 PM

Any luck trying to bring up the Run box from Safe Mode?

The Mandiant U.S.A. Cyber Security Ransomware virus seems to contain the ability to block tools from running properly.
To that effect, let's see if RKill can paralyze that ability, and disarm it...

Please press the Windows key and the R key at the same time.

In the Run box, type:
 
iexplore.exe http://www.bleepingcomputer.com/download/rkill/dl/10
Click: OK

Right-click on the downloaded RKill file and select: Run as Administrator

A black DOS box briefly flashes and then disappears. This is normal, and indicates the tool ran successfully.

When the scan is done, Notepad opens with the RKill report.

>> Please post the RKill report in your reply.

Please note that Rkill does not actually remove The Mandiant U.S.A. Cyber Security Ransomware virus.
After using RKill, please do not reboot your computer, as the malware re-launches if rebooted.


If the above does not work, is there any shortcut on your Desktop for the Mandiant U.S.A. Cyber Security Ransomware?

Edited by Aaflac, 24 October 2013 - 09:31 PM.

Old duck...


#3 Diesel350

  • Topic Starter
  • Members
  • 22 posts

Posted 25 October 2013 - 06:55 PM

No luck with Windows button and hitting R. It does nothing and it's just a black screen with Safe Mode on 4 corners of screen.

There is no shortcut on the desktop for the Mandiant Ransomware.


Only thing it allows me to do in safe mode is bring up the Windows Task Manager.

Edited by Diesel350, 25 October 2013 - 06:57 PM.


#4 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 25 October 2013 - 09:54 PM

Only thing it allows me to do in safe mode is bring up the Windows Task Manager


Step 1: Bring up Task Manager > New Task
In the Create new Task prompt, copy and paste:


iexplore.exe http://www.bleepingcomputer.com/download/rkill/dl/10
Click: OK

Right-click on the downloaded RKill file and select: Run as Administrator

A black DOS box briefly flashes and then disappears. This is normal, and indicates the tool ran successfully.

When the scan is done, Notepad opens with the RKill report.

>> Please post the RKill report in your reply.

If the above does not work...

Step 2: When you restart the computer, as soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Boot Options menu appears.
Is there a Repair your computer menu item?

If there is, do not use it, just post back if it is there.
We can try to use a tool from there.

Edited by Aaflac, 25 October 2013 - 10:01 PM.

Old duck...


#5 Diesel350

  • Topic Starter
  • Members
  • 22 posts

Posted 27 October 2013 - 07:16 PM

When I create a new task it does not allow me to connect to the network in Safe Mode. It brings up Internet Explorer but it says you're not connected to the network.

Yes, the Repair your computer item appears in BIOS.

EDIT: I was actually able to run RKill in Windows normally. Below is the log:

Rkill 2.6.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/27/2013 09:19:22 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
 C:\Users\Tito\Desktop\rkill\rkill-10-27-2013-09-19-27.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Modified HKCU\...\Winlogon: [Shell] => cmd.exe

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * ALERT: ZEROACCESS rootkit symptoms found!

     * C:\Users\Tito\AppData\Local\{1eec86ba-c694-fb3b-2b98-8aef98b2c493}\ [ZA Dir]
     * C:\Users\Tito\AppData\Local\{1eec86ba-c694-fb3b-2b98-8aef98b2c493}\@ [ZA File]
     * C:\Users\Tito\AppData\Local\{1eec86ba-c694-fb3b-2b98-8aef98b2c493}\L\ [ZA Dir]
     * C:\Users\Tito\AppData\Local\{1eec86ba-c694-fb3b-2b98-8aef98b2c493}\U\ [ZA Dir]

Checking Windows Service Integrity:

 * Network Connections (Netman) is not Running.
   Startup Type set to: Manual

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Automatic (Delayed Start)

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 10/27/2013 09:20:51 PM
Execution time: 0 hours(s), 1 minute(s), and 29 seconds(s)


Edited by Diesel350, 27 October 2013 - 07:24 PM.


#6 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 27 October 2013 - 10:16 PM

Please plug a USB pen drive into a clean computer.

Go to the Farbar Recovery Scan Tool download:
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Select the download that applies to the infected system.

Save the program to the >> USB pen drive.


Next, plug the flash drive into the problem computer.

Start the computer.


As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Boot Options menu appears.

Use the arrow keys to select: Repair your computer

Select your language settings, and click: Next

Select your User account and click: OK (If you did not set a password, leave blank.)



On the System Recovery Options menu you get the following options:

Startup Repair

System Restore

Windows Complete PC Restore

Windows Memory Diagnostic Tool

Scan your computer's memory for errors

Command Prompt



Select: Command Prompt



In the Command Prompt window, at the blinking cursor type notepad and press: Enter

In Notepad, under the File menu select: Open

Double-click Computer, find the pen drive letter, remember what letter it is, click on it, and press: Open

Close out of Notepad.



Click the Command Prompt window

Type x:\frst64.exe, and press: Enter (If running a 32-bit system, use: x:\frst.exe)

Note: Replace the drive letter x with the drive letter of your pen drive!



The tool starts and prepares to run. Follow the prompts.

Click Yes to the disclaimer.

Press: Scan

When done, the program saves the FRST.txt report on the pen drive.

Close Notepad, then click the Command Prompt window, type exit, and press: Enter

Back at the System Recovery Options, press: ShutDown

Remove the USB pen drive from the infected computer, and plug it into the good computer.



Please provide the FRST.txt report, located on the USB pen drive, in your reply.

Also, the first time the tool is run, it makes another log: Addition.txt

Also post the Addition.txt in your reply.

Edited by Aaflac, 27 October 2013 - 10:24 PM.

Old duck...


#7 Diesel350

  • Topic Starter
  • Members
  • 22 posts

Posted 28 October 2013 - 06:29 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-10-2013
Ran by SYSTEM on MININT-7ABBML4 on 28-10-2013 22:59:10
Running from J:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8321568 2009-11-09] (Realtek Semiconductor)
HKLM\...\Run: [DellStage] - C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj [483424 2012-02-01] ()
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2009-07-14] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AVG_TRAY] - C:\Program Files (x86)\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [AccuWeatherWidget] - C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj [2835443 2012-02-01] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1564872 2012-06-06] (Ask)
HKU\Tito\...\Run: [SPMTray] - "C:\Program Files (x86)\PC Speed Maximizer\SPMTray.exe"
HKU\Tito\...\Run: [ROC_ROC_APR2013_AV] - C:\Users\Tito\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 83b3af54612a47d1ae7b012ea3f9f551-be44beaafad17858d9dee8da65413f449b97daed --CMPID ROC_APR2013_AV --CMPIDEXTRA 2012
HKU\Tito\...\Run: [AVG-Secure-Search-Update_0913a] - C:\Users\Tito\AppData\Roaming\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --mid 83b3af54612a47d1ae7b012ea3f9f551-be44beaafad17858d9dee8da65413f449b97daed --CMPID 0913a
HKU\Tito\...\Run: [PO9dGsNAvSY.exe] - C:\Users\Tito\AppData\Local\ZF9e3u28\PO9dGsNAvSY.exe [105296 2013-09-25] (Microsoft Corporation)
HKU\Tito\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION 
HKU\Tito\...\Command Processor: "C:\Users\Tito\AppData\Local\ZF9e3u28\PO9dGsNAvSY.exe" <===== ATTENTION!
BootExecute: autocheck autochk * C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart
 
==================== Services (Whitelisted) =================
 
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe [5174392 2012-11-02] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
 
==================== Drivers (Whitelisted) ====================
 
S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [127328 2012-12-10] (AVG Technologies CZ, s.r.o. )
S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [307040 2012-11-08] (AVG Technologies CZ, s.r.o.)
S1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [384800 2013-04-11] (AVG Technologies CZ, s.r.o.)
S3 PCDSRVC{D3412D80-CF3B4A27-06020200}_0; \??\c:\program files\my dell\pcdsrvc_x64.pkms [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-10-28 22:58 - 2013-10-28 22:58 - 00000000 ____D C:\FRST
2013-10-27 20:19 - 2013-10-27 20:20 - 00003860 _____ C:\Users\Tito\Desktop\Rkill.txt
2013-10-27 20:19 - 2013-10-27 20:19 - 00000000 ____D C:\Users\Tito\Desktop\rkill
2013-10-24 21:14 - 2013-10-24 21:14 - 00299520 _____ C:\Users\Tito\AppData\Roaming\Ukr3ad6G
2013-10-24 21:14 - 2013-10-24 21:14 - 00299520 _____ C:\Users\Tito\AppData\Local\2ZpjkRo8K73
2013-10-24 21:14 - 2013-10-24 21:14 - 00299520 _____ C:\ProgramData\v8bZYACuNd
2013-10-11 02:23 - 2013-09-22 18:28 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-10-11 02:23 - 2013-09-22 18:28 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-10-11 02:23 - 2013-09-22 18:27 - 14335488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-10-11 02:23 - 2013-09-22 18:27 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-10-11 02:23 - 2013-09-22 18:27 - 02876928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-10-11 02:23 - 2013-09-22 18:27 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-10-11 02:23 - 2013-09-22 18:27 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-10-11 02:23 - 2013-09-22 18:27 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-10-11 02:23 - 2013-09-22 18:27 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-10-11 02:23 - 2013-09-22 18:27 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-10-11 02:23 - 2013-09-22 18:27 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-10-11 02:23 - 2013-09-22 18:27 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-10-11 02:23 - 2013-09-22 18:27 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-10-11 02:23 - 2013-09-22 17:55 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-10-11 02:23 - 2013-09-22 17:55 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-10-11 02:23 - 2013-09-22 17:55 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-10-11 02:23 - 2013-09-22 17:54 - 19252224 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-10-11 02:23 - 2013-09-22 17:54 - 15404544 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-10-11 02:23 - 2013-09-22 17:54 - 03959296 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-10-11 02:23 - 2013-09-22 17:54 - 02647552 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-10-11 02:23 - 2013-09-22 17:54 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-10-11 02:23 - 2013-09-22 17:54 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-10-11 02:23 - 2013-09-22 17:54 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-10-11 02:23 - 2013-09-22 17:54 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-10-11 02:23 - 2013-09-22 17:54 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-10-11 02:23 - 2013-09-22 17:54 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-10-11 02:23 - 2013-09-22 17:54 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-10-11 02:23 - 2013-09-20 22:38 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-10-11 02:23 - 2013-09-20 22:30 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-10-11 02:23 - 2013-09-20 21:48 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-10-11 02:23 - 2013-09-20 21:39 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-10-10 10:23 - 2013-09-13 20:10 - 00497152 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\afd.sys
2013-10-10 10:23 - 2013-09-07 21:30 - 01903552 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-10-10 10:23 - 2013-09-07 21:27 - 00327168 _____ (Microsoft Corporation) C:\Windows\System32\mswsock.dll
2013-10-10 10:23 - 2013-09-07 21:03 - 00231424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mswsock.dll
2013-10-10 10:23 - 2013-08-28 21:17 - 05549504 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-10-10 10:23 - 2013-08-28 21:16 - 01732032 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2013-10-10 10:23 - 2013-08-28 21:16 - 00859648 _____ (Microsoft Corporation) C:\Windows\System32\tdh.dll
2013-10-10 10:23 - 2013-08-28 21:16 - 00243712 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-10-10 10:23 - 2013-08-28 21:13 - 00878080 _____ (Microsoft Corporation) C:\Windows\System32\advapi32.dll
2013-10-10 10:23 - 2013-08-28 20:51 - 03969472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-10-10 10:23 - 2013-08-28 20:51 - 03914176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-10-10 10:23 - 2013-08-28 20:50 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-10-10 10:23 - 2013-08-28 20:50 - 00619520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdh.dll
2013-10-10 10:23 - 2013-08-28 20:50 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-10-10 10:23 - 2013-08-28 20:48 - 00640512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2013-10-10 10:23 - 2013-08-28 19:49 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-10-10 10:23 - 2013-08-28 19:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-10-10 10:23 - 2013-08-28 19:49 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-10-10 10:23 - 2013-08-28 19:49 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-10-10 10:23 - 2013-08-27 20:21 - 03155968 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-10-10 10:23 - 2013-08-27 20:12 - 00461312 _____ (Microsoft Corporation) C:\Windows\System32\scavengeui.dll
2013-10-10 10:23 - 2013-08-01 07:09 - 00983488 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-10-10 10:23 - 2013-07-20 05:33 - 00124112 _____ (Microsoft Corporation) C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2013-10-10 10:23 - 2013-07-20 05:33 - 00102608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2013-10-10 10:23 - 2013-07-12 05:41 - 00100864 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbcir.sys
2013-10-10 10:23 - 2013-07-04 07:57 - 00259584 _____ (Microsoft Corporation) C:\Windows\System32\WebClnt.dll
2013-10-10 10:23 - 2013-07-04 07:50 - 00633856 _____ (Microsoft Corporation) C:\Windows\System32\comctl32.dll
2013-10-10 10:23 - 2013-07-04 07:50 - 00102400 _____ (Microsoft Corporation) C:\Windows\System32\davclnt.dll
2013-10-10 10:23 - 2013-07-04 06:57 - 00205824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WebClnt.dll
2013-10-10 10:23 - 2013-07-04 06:51 - 00081920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\davclnt.dll
2013-10-10 10:23 - 2013-07-04 06:50 - 00530432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comctl32.dll
2013-10-10 10:23 - 2013-07-04 05:11 - 00140800 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\mrxdav.sys
2013-10-10 10:23 - 2013-07-02 23:05 - 00076800 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\hidclass.sys
2013-10-10 10:23 - 2013-07-02 23:05 - 00032896 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\hidparse.sys
2013-10-10 10:23 - 2013-06-25 17:55 - 00785624 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys
2013-10-10 10:23 - 2013-06-06 00:50 - 00041472 _____ (Microsoft Corporation) C:\Windows\System32\lpk.dll
2013-10-10 10:23 - 2013-06-06 00:49 - 00100864 _____ (Microsoft Corporation) C:\Windows\System32\fontsub.dll
2013-10-10 10:23 - 2013-06-06 00:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\System32\dciman32.dll
2013-10-10 10:23 - 2013-06-06 00:47 - 00046080 _____ (Adobe Systems) C:\Windows\System32\atmlib.dll
2013-10-10 10:23 - 2013-06-05 23:57 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2013-10-10 10:23 - 2013-06-05 23:51 - 00070656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll
2013-10-10 10:23 - 2013-06-05 23:50 - 00010240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dciman32.dll
2013-10-10 10:23 - 2013-06-05 22:30 - 00368128 _____ (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2013-10-10 10:23 - 2013-06-05 22:01 - 00295424 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2013-10-10 10:23 - 2013-06-05 22:01 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2013-10-05 14:52 - 2013-10-06 14:55 - 00000000 ____D C:\Users\Guest\AppData\Local\Google
2013-09-30 22:05 - 2013-09-30 22:05 - 00000000 ____D C:\Users\Guest\AppData\Local\Adobe
 
==================== One Month Modified Files and Folders =======
 
2013-10-28 22:58 - 2013-10-28 22:58 - 00000000 ____D C:\FRST
2013-10-28 19:24 - 2013-06-16 08:06 - 00004540 _____ C:\Windows\setupact.log
2013-10-28 19:24 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-27 20:39 - 2013-05-21 19:26 - 00003440 _____ C:\Windows\System32\Tasks\PCDEventLauncherTask
2013-10-27 20:36 - 2012-06-18 15:09 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-10-27 20:35 - 2012-04-22 08:49 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-27 20:35 - 2011-12-20 15:53 - 01335723 _____ C:\Windows\WindowsUpdate.log
2013-10-27 20:24 - 2013-06-09 19:21 - 00002185 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-10-27 20:24 - 2013-06-09 19:21 - 00002185 _____ C:\ProgramData\Desktop\Google Chrome.lnk
2013-10-27 20:21 - 2011-12-25 11:41 - 00000000 ____D C:\Windows\System32\Drivers\AVG
2013-10-27 20:20 - 2013-10-27 20:19 - 00003860 _____ C:\Users\Tito\Desktop\Rkill.txt
2013-10-27 20:19 - 2013-10-27 20:19 - 00000000 ____D C:\Users\Tito\Desktop\rkill
2013-10-27 20:17 - 2011-12-25 09:51 - 00000000 ____D C:\users\Tito
2013-10-27 19:31 - 2012-04-22 08:49 - 00000890 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-27 19:27 - 2009-07-13 23:45 - 00021296 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-27 19:27 - 2009-07-13 23:45 - 00021296 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-24 21:14 - 2013-10-24 21:14 - 00299520 _____ C:\Users\Tito\AppData\Roaming\Ukr3ad6G
2013-10-24 21:14 - 2013-10-24 21:14 - 00299520 _____ C:\Users\Tito\AppData\Local\2ZpjkRo8K73
2013-10-24 21:14 - 2013-10-24 21:14 - 00299520 _____ C:\ProgramData\v8bZYACuNd
2013-10-11 10:04 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2013-10-11 02:49 - 2009-07-14 00:13 - 00778834 _____ C:\Windows\System32\PerfStringBackup.INI
2013-10-11 02:45 - 2009-07-13 23:45 - 00275712 _____ C:\Windows\System32\FNTCACHE.DAT
2013-10-11 02:44 - 2013-06-09 22:32 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-10-11 02:44 - 2013-06-09 22:32 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-10-11 02:20 - 2011-02-10 11:10 - 00772558 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2013-10-11 02:14 - 2013-08-14 02:01 - 00000000 ____D C:\Windows\System32\MRT
2013-10-11 02:10 - 2012-06-18 15:03 - 80541720 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-10-10 10:17 - 2012-04-22 08:49 - 00003890 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-10-10 10:17 - 2012-04-22 08:49 - 00003638 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-10-10 10:16 - 2012-06-18 15:09 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-10-10 10:16 - 2012-06-18 15:09 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-10-10 10:16 - 2011-12-20 15:55 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-10-06 14:55 - 2013-10-05 14:52 - 00000000 ____D C:\Users\Guest\AppData\Local\Google
2013-10-05 13:36 - 2012-01-15 13:21 - 00000000 ____D C:\Program Files (x86)\MALWAREBYTES ANTI-MALWARE
2013-09-30 22:05 - 2013-09-30 22:05 - 00000000 ____D C:\Users\Guest\AppData\Local\Adobe
2013-09-30 22:05 - 2013-09-03 20:54 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Adobe
 
ZeroAccess:
C:\Users\Tito\AppData\Local\{1eec86ba-c694-fb3b-2b98-8aef98b2c493}
C:\Users\Tito\AppData\Local\{1eec86ba-c694-fb3b-2b98-8aef98b2c493}\@
 
Files to move or delete:
====================
C:\Users\Tito\AppData\Local\ZF9e3u28\PO9dGsNAvSY.exe
 
 
Some content of TEMP:
====================
C:\Users\Tito\AppData\Local\Temp\udyywpqluypepfttbjo.dll
C:\Users\Tito\AppData\Local\Temp\udyywpqluypepfttbjo.exe
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
7
Restore point made on: 2013-09-13 02:00:56
Restore point made on: 2013-09-13 02:01:53
Restore point made on: 2013-09-21 06:30:03
Restore point made on: 2013-09-30 21:36:51
Restore point made on: 2013-10-08 19:31:13
Restore point made on: 2013-10-11 02:01:15
Restore point made on: 2013-10-27 21:00:50
 
==================== Memory info =========================== 
 
Percentage of memory in use: 26%
Total physical RAM: 1790.98 MB
Available physical RAM: 1312.11 MB
Total Pagefile: 1790.98 MB
Available Pagefile: 1299.32 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:450.91 GB) (Free:405.79 GB) NTFS
Drive d: (RECOVERY) (Fixed) (Total:14.81 GB) (Free:5.69 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive i: (WNR1000v2) (CDROM) (Total:0.16 GB) (Free:0 GB) CDFS
Drive j: (TRAVELDRIVE) (Removable) (Total:0.92 GB) (Free:0.92 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: 239ED0CA)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=451 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 949 MB) (Disk ID: 12E3AA6C)
Partition 1: (Active) - (Size=949 MB) - (Type=0B)
 
 
LastRegBack: 2013-10-27 20:54
 
==================== End Of Log ============================

Edited by Diesel350, 28 October 2013 - 07:05 PM.
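The FRST.txt above is read by eye in this thread, and the same items were already flagged in the RKill report earlier (the Winlogon Shell set to cmd.exe and the ZeroAccess directories). As an added example, not FRST's code and not anything posted by the participants, the Python below parses registry lines in the format FRST prints and picks out the ones an analyst would look at first: a Winlogon Shell value that is not explorer.exe (with the shell replaced, logon never starts the desktop, which is consistent with the black screen and missing icons reported at the top of the thread), a Command Processor AutoRun value (run by every cmd.exe the user starts), Run entries whose target lives in a user-writable directory, FRST's own ATTENTION markers, and the paths FRST lists under its ZeroAccess check. The sample log is constructed from entries copied out of the posted FRST.txt; the function names and the flagging rules are this example's own assumptions, not FRST's.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the FRST.txt posted above; every entry
# is copied from that log, nothing new is added.
SAMPLE_FRST_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8321568 2009-11-09] (Realtek Semiconductor)
HKLM-x32\...\Run: [] - [x]
HKU\Tito\...\Run: [PO9dGsNAvSY.exe] - C:\Users\Tito\AppData\Local\ZF9e3u28\PO9dGsNAvSY.exe [105296 2013-09-25] (Microsoft Corporation)
HKU\Tito\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Tito\...\Command Processor: "C:\Users\Tito\AppData\Local\ZF9e3u28\PO9dGsNAvSY.exe" <===== ATTENTION!

ZeroAccess:
C:\Users\Tito\AppData\Local\{1eec86ba-c694-fb3b-2b98-8aef98b2c493}
C:\Users\Tito\AppData\Local\{1eec86ba-c694-fb3b-2b98-8aef98b2c493}\@

Files to move or delete:
====================
C:\Users\Tito\AppData\Local\ZF9e3u28\PO9dGsNAvSY.exe
"""

# "HKU\Tito\...\Run: rest" -> hive, optional user hive name, key, rest of line
LOCATION_RE = re.compile(
    r"^(?P<hive>HK[^\\]+)(?:\\(?P<user>[^\\.][^\\]*))?\\\.\.\.\\(?P<key>[^:]+): (?P<rest>.*)$"
)
# "[Name] - value" or "[Name] value"
NAME_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?:-\s*)?(?P<value>.*)$")
# first drive-letter path in the value, quoted or not, up to the "[size date]" or "<====" suffix
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"<\[]+?)"?\s*(?:\[\d+|<|$)')
# locations any user can write to without elevation
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Temp)\\", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def parse_entry(line):
    """Split one FRST registry line into hive, user, key, value name and target (assumed format)."""
    m = LOCATION_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    n = NAME_RE.match(rest)
    name, value = (n.group("name"), n.group("value")) if n else (None, rest)
    p = PATH_RE.search(value)
    tokens = value.split()
    target = p.group(1) if p else (tokens[0].strip('"') if tokens else "")
    return {"hive": m.group("hive"), "user": m.group("user"), "key": m.group("key"),
            "name": name, "value": value, "target": target}


def triage(text):
    """Return the lines an analyst should look at first, each with its reasons."""
    findings, in_zeroaccess = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_zeroaccess = False          # a blank line ends the ZeroAccess section
            continue
        if line == "ZeroAccess:":
            in_zeroaccess = True
            continue
        if in_zeroaccess:
            findings.append(Finding(line, ["listed by FRST under its ZeroAccess check"]))
            continue
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = []
        if "ATTENTION" in line:
            reasons.append("marked by FRST")
        if entry["key"] == "Winlogon" and entry["name"] == "Shell" and entry["target"].lower() != "explorer.exe":
            reasons.append("Winlogon Shell is %r, expected explorer.exe" % entry["target"])
        if entry["key"] == "Command Processor":
            reasons.append("Command Processor AutoRun: started by every cmd.exe the user launches")
        if entry["key"] == "Run":
            if entry["name"] == "":
                reasons.append("Run value with an empty name")
            if USER_WRITABLE_RE.search(entry["target"]):
                reasons.append("autostart from a user-writable directory")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

Run against the posted log the script reproduces the list in the fixlist that follows: the two ATTENTION lines, the Run value in AppData\Local, the empty Run value and the two ZeroAccess paths, while the vendor autostarts under Program Files are left alone.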


#8 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 28 October 2013 - 10:31 PM

Please open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below
Save it to the Desktop, and name it: fixlist.txt
 
start
HKLM-x32\...\Run: [] - [x]
HKU\Tito\...\Run: [PO9dGsNAvSY.exe] - C:\Users\Tito\AppData\Local\ZF9e3u28\PO9dGsNAvSY.exe 
HKU\Tito\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION 
HKU\Tito\...\Command Processor: "C:\Users\Tito\AppData\Local\ZF9e3u28\PO9dGsNAvSY.exe" <===== ATTENTION!
C:\Users\Tito\AppData\Local\{1eec86ba-c694-fb3b-2b98-8aef98b2c493}
C:\Users\Tito\AppData\Local\{1eec86ba-c694-fb3b-2b98-8aef98b2c493}\@
C:\Users\Tito\AppData\Local\ZF9e3u28\PO9dGsNAvSY.exe
C:\Users\Tito\AppData\Local\Temp\udyywpqluypepfttbjo.dll
C:\Users\Tito\AppData\Local\Temp\udyywpqluypepfttbjo.exe
end
Once again, double-click FRST64 to run it.

When the tool opens click Yes to disclaimer.

Press the Fix button, only once, and wait.

When done, FRST produces Fixlog.txt on the Desktop.

Please provide the Fixlog.txt in your reply.

Old duck...


#9 Diesel350

  • Topic Starter
  • Members
  • 22 posts

Posted 29 October 2013 - 10:37 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-10-2013
Ran by SYSTEM at 2013-10-29 15:30:33 Run:1
Running from K:\
Boot Mode: Recovery
==============================================
 
Content of fixlist:
*****************
start
HKLM-x32\...\Run: [] - [x]
HKU\Tito\...\Run: [PO9dGsNAvSY.exe] - C:\Users\Tito\AppData\Local\ZF9e3u28\PO9dGsNAvSY.exe 
HKU\Tito\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION 
HKU\Tito\...\Command Processor: "C:\Users\Tito\AppData\Local\ZF9e3u28\PO9dGsNAvSY.exe" <===== ATTENTION!
C:\Users\Tito\AppData\Local\{1eec86ba-c694-fb3b-2b98-8aef98b2c493}
C:\Users\Tito\AppData\Local\{1eec86ba-c694-fb3b-2b98-8aef98b2c493}\@
C:\Users\Tito\AppData\Local\ZF9e3u28\PO9dGsNAvSY.exe
C:\Users\Tito\AppData\Local\Temp\udyywpqluypepfttbjo.dll
C:\Users\Tito\AppData\Local\Temp\udyywpqluypepfttbjo.exe
end
*****************
 
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKU\Tito\Software\Microsoft\Windows\CurrentVersion\Run\\PO9dGsNAvSY.exe => Value deleted successfully.
HKU\Tito\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKU\Tito\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.
C:\Users\Tito\AppData\Local\{1eec86ba-c694-fb3b-2b98-8aef98b2c493} => Moved successfully.
"C:\Users\Tito\AppData\Local\{1eec86ba-c694-fb3b-2b98-8aef98b2c493}\@" => File/Directory not found.
C:\Users\Tito\AppData\Local\ZF9e3u28\PO9dGsNAvSY.exe => Moved successfully.
C:\Users\Tito\AppData\Local\Temp\udyywpqluypepfttbjo.dll => Moved successfully.
C:\Users\Tito\AppData\Local\Temp\udyywpqluypepfttbjo.exe => Moved successfully.
 
==== End of Fixlog ====
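Fixlog.txt prints one result line per fixlist item, and the only item above reported as not found is the `@` file inside a directory FRST had already moved, so nothing was actually missed. As an added example (not FRST's code and not posted by the participants), the Python below pairs every fixlist line with its result line, maps the abbreviated registry notation of the fixlist (`HKU\Tito\...\Run: [Name]`) onto the full key path the fixlog prints (`HKU\Tito\Software\...\Run\\Name`), treats a not-found path whose parent was moved as expected rather than as a failure, and reports an item with no result line at all as unreported. The sample is constructed from the fixlog posted above; the function names and outcome labels are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Fixlog.txt posted above; the fixlist
# items and the result lines are copied from that post.
SAMPLE_FIXLOG = r"""
Content of fixlist:
*****************
start
HKLM-x32\...\Run: [] - [x]
HKU\Tito\...\Run: [PO9dGsNAvSY.exe] - C:\Users\Tito\AppData\Local\ZF9e3u28\PO9dGsNAvSY.exe
HKU\Tito\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Tito\...\Command Processor: "C:\Users\Tito\AppData\Local\ZF9e3u28\PO9dGsNAvSY.exe" <===== ATTENTION!
C:\Users\Tito\AppData\Local\{1eec86ba-c694-fb3b-2b98-8aef98b2c493}
C:\Users\Tito\AppData\Local\{1eec86ba-c694-fb3b-2b98-8aef98b2c493}\@
C:\Users\Tito\AppData\Local\ZF9e3u28\PO9dGsNAvSY.exe
C:\Users\Tito\AppData\Local\Temp\udyywpqluypepfttbjo.dll
C:\Users\Tito\AppData\Local\Temp\udyywpqluypepfttbjo.exe
end
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKU\Tito\Software\Microsoft\Windows\CurrentVersion\Run\\PO9dGsNAvSY.exe => Value deleted successfully.
HKU\Tito\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKU\Tito\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.
C:\Users\Tito\AppData\Local\{1eec86ba-c694-fb3b-2b98-8aef98b2c493} => Moved successfully.
"C:\Users\Tito\AppData\Local\{1eec86ba-c694-fb3b-2b98-8aef98b2c493}\@" => File/Directory not found.
C:\Users\Tito\AppData\Local\ZF9e3u28\PO9dGsNAvSY.exe => Moved successfully.
C:\Users\Tito\AppData\Local\Temp\udyywpqluypepfttbjo.dll => Moved successfully.
C:\Users\Tito\AppData\Local\Temp\udyywpqluypepfttbjo.exe => Moved successfully.

==== End of Fixlog ====
"""

# one result line: <item, optionally quoted> => <status>
RESULT_RE = re.compile(r'^"?(?P<item>.+?)"? => (?P<status>.+)$')
# abbreviated fixlist notation: HKLM-x32\...\Run: [Name] ...
REG_ITEM_RE = re.compile(
    r"^(?P<hive>HK[^\\-]+)(?P<wow>-x32)?(?:\\(?P<user>[^\\.][^\\]*))?\\\.\.\.\\(?P<key>[^:]+):(?: \[(?P<name>[^\]]*)\])?"
)


def parse_reg_item(line):
    """Fixlist registry item -> hive, 32-bit flag, user hive, last key component, value name."""
    m = REG_ITEM_RE.match(line)
    if not m:
        return None
    return {"hive": m.group("hive"), "wow": m.group("wow") is not None,
            "user": m.group("user"), "key": m.group("key"), "name": m.group("name")}


def parse_reg_result(item):
    """Fixlog registry result (full key path, two backslashes before the value name)."""
    keypath, _, name = item.partition("\\\\")
    parts = keypath.split("\\")
    return {"hive": parts[0], "wow": "WOW6432Node" in parts,
            "user": parts[1] if parts[0] == "HKU" and len(parts) > 1 else None,
            "key": parts[-1], "name": name}


def reg_matches(item, result):
    if (item["hive"], item["wow"], item["user"], item["key"]) != (
            result["hive"], result["wow"], result["user"], result["key"]):
        return False
    # a fixlist item without [Name] (Command Processor) matches on the key alone
    return item["name"] is None or item["name"] == result["name"]


def find_status(item, results):
    reg = parse_reg_item(item)
    for res_item, status in results:
        if reg is not None:
            if res_item.startswith("HK") and reg_matches(reg, parse_reg_result(res_item)):
                return status
        elif res_item.lower() == item.lower():      # file paths: case-insensitive match
            return status
    return None


def reconcile(text):
    """Return [(fixlist item, outcome)] in fixlist order."""
    items, results, in_fixlist = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "start":
            in_fixlist = True
            continue
        if line == "end":
            in_fixlist = False
            continue
        if in_fixlist:
            if line:
                items.append(line)
            continue
        m = RESULT_RE.match(line)
        if m:
            results.append((m.group("item"), m.group("status")))

    rows = []
    for item in items:
        status = find_status(item, results)
        if status is None:
            outcome = "unreported"
        elif "successfully" in status.lower():
            outcome = "done"
        elif "not found" in status.lower():
            outcome = "not found"
        else:
            outcome = "other: " + status
        rows.append((item, outcome))

    # A path reported as not found whose parent directory was already moved
    # went away together with the parent; label it so it is not read as a miss.
    moved = [i.lower() for i, o in rows if o == "done" and parse_reg_item(i) is None]
    return [(i, "not found (parent already moved)"
             if o == "not found" and any(i.lower().startswith(p + "\\") for p in moved) else o)
            for i, o in rows]


def summarize(rows):
    return dict(Counter(o for _, o in rows))


if __name__ == "__main__":
    rows = reconcile(SAMPLE_FIXLOG)
    for item, outcome in rows:
        print(f"{outcome:32} {item}")
    print(summarize(rows))
```

For the posted fixlog this yields eight items done and one not found with its parent already moved, which is the outcome the helper reads off the log by hand in the next post before asking whether the black screen is gone.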


#10 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 29 October 2013 - 11:00 AM

Whether I log in normally or through safe mode I end up getting just a black screen.

I cannot even access my desktop icons.

Is the above still happening?


Old duck...


#11 Diesel350


Posted 29 October 2013 - 11:08 AM

Whether I log in normally or through safe mode I end up getting just a black screen.

I cannot even access my desktop icons.

Is the above still happening?

No, I am now able to access my desktop icons on both modes.



#12 Aaflac


Posted 29 October 2013 - 04:52 PM

Good job!!  :thumbup2:

See if you can get HitmanPro to run now:

http://www.bleepingcomputer.com/virus-removal/remove-mandiant-usa-cyber-security-ransomware

To obtain a report of the scan results, press: Save log
It has a name such as: HitmanPro_xxxxxxxx_xxxx

Please post the HitmanPro log in your reply.


Old duck...


#13 Diesel350


Posted 29 October 2013 - 06:48 PM

Good job!!  :thumbup2:

See if you can get HitmanPro to run now:

http://www.bleepingcomputer.com/virus-removal/remove-mandiant-usa-cyber-security-ransomware

To obtain a report of the scan results, press: Save log
It has a name such as: HitmanPro_xxxxxxxx_xxxx

Please post the HitmanPro log in your reply.

Nope, it still will not let me boot HitmanPro from the USB.



#14 Aaflac


Posted 29 October 2013 - 07:59 PM

That may also mean that there is something not right with the USB HitmanPro install.

Let's see what MBAM shows...

Please run Malwarebytes Anti-Malware (MBAM):

http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

Save to the Desktop.

Double-click the downloaded MBAM file to run it.

When the installation begins, follow the prompts in the setup process.

Do not make any changes to default settings and, when the program has finished installing, make sure only the following options are checked:

>Update Malwarebytes’ Anti-Malware

>Launch Malwarebytes’ Anti-Malware

Uncheck:

>Enable free trial of Malwarebytes Anti-Malware PRO

Click on the Finish button.

If an update is found, the program automatically updates itself.

At the program console, on the Scanner tab, select: Perform Quick Scan

Next, click on the Scan button.

When the Malwarebytes scan is completed, click on: Show Results

When presented with a screen showing the malware detected, make sure everything is Checked, and click on: Remove Selected

When removal is completed, a report opens in Notepad.

>>  Please copy/paste the entire contents of the MBAM report in your reply.

Note: If MBAM encounters a file that is difficult to remove, you are asked to reboot the computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) prevents MBAM from removing all the malware.


Old duck...


#15 Diesel350


Posted 29 October 2013 - 08:27 PM

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.29.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
Tito :: TITO-PC [administrator]

10/30/2013 1:22:13 AM
mbam-log-2013-10-30 (01-22-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 247946
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 3
C:\ProgramData\Tarma Installer (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053} (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\Cache (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.

Files Detected: 5
C:\ProgramData\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\Setup.dat (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\Setup.exe (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\Setup.ico (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setup.dll (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dll (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.

(end)





