
86 year old mother has Malware - "PUP.Remote"


This topic is locked
54 replies to this topic

#1 kathoderayblue


Posted 09 January 2014 - 11:56 PM

My mother (86 years old!) has just reported a problem with her computer, and also tells me she has purchased 2 things on 2 different websites in the last couple of days. Yesterday, someone who called himself a "Certified Microsoft Technician" called her on the phone and told her to do some things on her computer, insisting that she has been infected and that her computer will be destroyed if she doesn't have him fix it. He "offered" to help her for $199.00. I've had this happen to me, so I know it's a scam. Anyway, her computer won't start; however, I was able to start it in SAFE mode without a problem, updated and ran "Malwarebytes," which found PUP.Remote and supposedly removed it. However, the Avast Antivirus program has been blocked, and I cannot restart her computer in anything but SAFE.
 
She has Windows XP on a computer built by a local computer store. I can give you more information when I'm back to her house, such as processor and memory information, although I know she has tons of free memory, very little on her computer.
 
I tried to run something called HijackThis in safe mode; however, it won't run in SAFE, and I can't get on with a normal boot: it says it's going to shut down, and then it freezes on the "shut down" screen and needs to be forced off.
 
Please, if there is someone out there who can advise me, I will have to go to her place Friday or Saturday with my laptop and try to do whatever you recommend.
 
Thank you!! (she lives 30 minutes away from me, so I'm hoping to cram as much in as possible while I'm there)
 
Sincerely,
 
Kathy

Edit: Moved topic from Windows Vista to the more appropriate forum. ~ Animal



#2 noknojon


Posted 10 January 2014 - 01:18 AM

Hello Kathy -

No time to panic now; if it is not ticking and turning red, you are still OK -

Yesterday, someone who called himself a "Certified Microsoft Technician"

We all know that he was a scammer (usually Indian ?).

I tried to run something called hijackthis in safe mode <= This program is not used much today, plus you would need to know what to do with it.

 

Please start the computer in Safe Mode with Networking, if you can, then post back here.

 

When you get to the screen with Safe Mode options, you can use the Arrow keys near the numbers. First try to select "Last Known Good ......." and hit Enter; then, if you are not able to do this, try Safe Mode with Networking and hit Enter, and as a last option just select Safe Mode .......

Also try to purchase 1 or 2 USB Flash Drives (little memory sticks), unless you have 1 or 2.
We will use these to put programs onto her system, and try to get replies with them.

 

Personally I would like to see the Malwarebytes Anti-Malware log that removed the item.

More directions when you can get to reply -

 

Thank You -



#3 kathoderayblue


Posted 10 January 2014 - 03:00 AM

I have not been back to her house, however, just so you know, I can easily start in Safe Mode with Networking.

 

I didn't try "Last Known Good (Configuration, I think it is?)" because I thought, perhaps, it wouldn't really change anything. But I can easily do that. I have a couple of memory sticks & will bring them with me. That's a good idea. I will bring, as I said, my laptop to download programs to the sticks so we can install them, as you suggest. 

 

I can also get the last Malwarebytes Anti-Malware log for you & post it here.

 

Thank you for the encouragement also!! I hope to do this Friday.

 

Kathy



#4 noknojon


Posted 10 January 2014 - 04:51 AM

You are Welcome to any help we can provide.

 

Last Known Good (Configuration <= You are correct, but I get lazy at times :whistle:

 

I have this on watch, so I will be notified during the day as you post. If I do not respond in a hurry, I may not be here or home for a few hours -

 

Regards -



#5 noknojon


Posted 10 January 2014 - 04:00 PM

Hello -

I am posting these early just if I miss you later.

These are some basic scans that may show if there are problems and where they are.

Not all of these will run in Safe Mode, so it is important we get this running in Normal Mode.

 

First -

Download Screen317 Security Check and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Please post the contents of that document.
Note: If any security program requests permission to access the Internet, allow it to do so.

 

Next -

Please download MiniToolBox to Desktop and run it.
Checkmark following boxes:

* List content of Hosts
* Flush DNS
* Report IE Proxy Settings
* Reset IE Proxy Settings
* Report FF Proxy Settings
* Reset FF Proxy Settings
* List last 10 Event Viewer log
* List Installed Programs
* List Devices (do NOT change any settings here)
* List Users, Partitions and Memory size
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
Click Go and Copy / Paste the result. (result.txt)

 

Next -

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

NOTE - If normal mode still doesn't work, run the tool from safe mode.
When the scan is done Notepad will open with rKill log.
Post it in your next reply.
NOTE. rKill.txt log will also be present on your desktop.

 

 

Last -

Please download Junkware Removal Tool by thisisu and save it to your Desktop.
* Close all open programs and shut down any protection/security software now to avoid potential conflicts.
* Double-click on JRT.exe to run the tool.
* Vista/Windows 7/8 users right-click and select Run As Administrator.
* The tool will open and start scanning your system.
* Please be patient as this can take a while to complete depending on your system's specifications.
* On completion, a log file named JRT.txt will automatically open and be saved to your Desktop.
* Copy and paste the contents of JRT.txt in your next reply.
This tool will search for and remove many potentially unwanted programs (PUPs), adware, toolbars, browser hijackers, extensions, add-ons, browser helper objects (BHOs) and other junkware to include many related registry entries (values, keys).

 

 

If any program can not be downloaded, try to use a USB drive to install it (or tell me).

If the Logs can not be posted back, send them to a USB drive and then post them.

In this area we use Copy and Paste <= Quick guide for you, if you are not sure.

 

If our efforts are useless, the Experts Forum Area may always be able to help better.

 

 

Thank You -



#6 noknojon


Posted 10 January 2014 - 06:32 PM

Just to help you I have included this tutorial from another site How To Start Windows XP in Safe Mode.
Use the 7 step guide version in this case, as we are not sure of the problems.

Tim Fisher from about.com is usually quite good with his guides, as are the ones on BleepingComputer, but this is just an extra idea for you.

Try the option to Start Windows Normally, and we may just get lucky.
If not, just go back to Safe Mode with Networking.

 

 

Thank You -



#7 kathoderayblue


Posted 10 January 2014 - 08:02 PM

Hi, for starters, here is the Malwarebytes scan:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.10.01

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Administrator :: OWNER-44F723B7A [administrator]

1/9/2014 5:51:29 PM
mbam-log-2014-01-09 (17-51-29).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 233479
Time elapsed: 6 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Owner\My Documents\Downloads\AA_v3.3.exe (PUP.RemoteAdmin.Ammyy) -> Quarantined and deleted successfully.

(end)

Now I'm going to try and do "Last working configuration." Then I'll try & follow your other instructions and post as necessary.

Thank you.



#8 kathoderayblue


Posted 10 January 2014 - 08:20 PM

I cannot log into Windows Normally. I get a window that says something like:

"This system is shutting down. Please save all work in progress and log off." It says this is initiated by Owner and has these numbers: 44F723B7A, and then something else; I couldn't get it all written down, and I don't want to try again unless you think it would be helpful.

 

Here's my "security check" log:

 Results of screen317's Security Check version 0.99.78  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````

 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled!  
 avast! Free Antivirus    
`````````Anti-malware/Other Utilities Check:`````````
 MVPS Hosts File  
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 25  
 Java version out of Date!
 Adobe Flash Player 10 Flash Player out of Date!
 Adobe Flash Player     11.9.900.170  
 Adobe Reader 10.1.8 Adobe Reader out of Date!  
 Mozilla Firefox (26.0)
 Google Chrome 31.0.1650.57  
 Google Chrome 31.0.1650.63  
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 4%
````````````````````End of Log``````````````````````
 

 

#9 kathoderayblue


Posted 10 January 2014 - 08:29 PM

MiniToolBox report:

MiniToolBox by Farbar  Version: 18-12-2013
Ran by Administrator (administrator) on 10-01-2014 at 17:22:36
Running from "C:\Documents and Settings\Administrator\My Documents\Downloads"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Network
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================


127.0.0.1       localhost
127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com
127.0.0.1    www.00hq.com
127.0.0.1    00hq.com
127.0.0.1    010402.com
127.0.0.1    www.032439.com
127.0.0.1    032439.com
127.0.0.1    www.0scan.com
127.0.0.1    0scan.com
127.0.0.1    1000gratisproben.com
127.0.0.1    www.1000gratisproben.com
127.0.0.1    1001namen.com
127.0.0.1    www.1001namen.com
127.0.0.1    100888290cs.com
127.0.0.1    www.100888290cs.com

There are 15471 more lines starting with "127.0.0.1"


========================= Event log errors: ===============================

Application errors:
==================
Error: (01/09/2014 09:23:32 AM) (Source: Application Error) (User: )
Description: Faulting application spoolsv.exe, version 5.1.2600.6024, faulting module unknown, version 0.0.0.0, fault address 0x100012cb.
Error in creating result PEAP-TLV in response to received PEAP-TLV (spoolsv.exe!ld!)

Error: (01/09/2014 09:21:40 AM) (Source: Application Error) (User: )
Description: Faulting application spoolsv.exe, version 5.1.2600.6024, faulting module unknown, version 0.0.0.0, fault address 0x100012cb.
Error in creating result PEAP-TLV in response to received PEAP-TLV (spoolsv.exe!ld!)

Error: (01/09/2014 09:20:07 AM) (Source: Application Error) (User: )
Description: Faulting application spoolsv.exe, version 5.1.2600.6024, faulting module unknown, version 0.0.0.0, fault address 0x1001bb66.
Processing media-specific event for [spoolsv.exe!ws!]

Error: (01/09/2014 09:19:52 AM) (Source: Application Error) (User: )
Description: Faulting application spoolsv.exe, version 5.1.2600.6024, faulting module unknown, version 0.0.0.0, fault address 0x100012cb.
Error in creating result PEAP-TLV in response to received PEAP-TLV (spoolsv.exe!ld!)

Error: (01/09/2014 09:18:00 AM) (Source: Application Error) (User: )
Description: Faulting application spoolsv.exe, version 5.1.2600.6024, faulting module unknown, version 0.0.0.0, fault address 0x100012cb.
Error in creating result PEAP-TLV in response to received PEAP-TLV (spoolsv.exe!ld!)

Error: (01/09/2014 09:16:08 AM) (Source: Application Error) (User: )
Description: Faulting application spoolsv.exe, version 5.1.2600.6024, faulting module unknown, version 0.0.0.0, fault address 0x100012cb.
Error in creating result PEAP-TLV in response to received PEAP-TLV (spoolsv.exe!ld!)

Error: (01/09/2014 09:14:19 AM) (Source: Application Error) (User: )
Description: Faulting application spoolsv.exe, version 5.1.2600.6024, faulting module unknown, version 0.0.0.0, fault address 0x100012cb.
Error in creating result PEAP-TLV in response to received PEAP-TLV (spoolsv.exe!ld!)

Error: (01/09/2014 09:12:29 AM) (Source: Application Error) (User: )
Description: Faulting application spoolsv.exe, version 5.1.2600.6024, faulting module unknown, version 0.0.0.0, fault address 0x100012cb.
Error in creating result PEAP-TLV in response to received PEAP-TLV (spoolsv.exe!ld!)

Error: (01/09/2014 09:10:37 AM) (Source: Application Error) (User: )
Description: Faulting application spoolsv.exe, version 5.1.2600.6024, faulting module unknown, version 0.0.0.0, fault address 0x100012cb.
Error in creating result PEAP-TLV in response to received PEAP-TLV (spoolsv.exe!ld!)

Error: (01/09/2014 09:08:45 AM) (Source: Application Error) (User: )
Description: Faulting application spoolsv.exe, version 5.1.2600.6024, faulting module unknown, version 0.0.0.0, fault address 0x100012cb.
Error in creating result PEAP-TLV in response to received PEAP-TLV (spoolsv.exe!ld!)


System errors:
=============
Error: (01/10/2014 05:08:48 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
aswRvrt
aswSnx
aswSP
aswTdi
aswVmm
Fips
intelppm
Lbd

Error: (01/10/2014 05:07:41 PM) (Source: DCOM) (User: OWNER-44F723B7A)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (01/10/2014 05:07:33 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (01/10/2014 05:05:38 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Lbd

Error: (01/10/2014 05:03:48 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Lbd

Error: (01/10/2014 05:02:50 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (01/10/2014 04:43:04 PM) (Source: DCOM) (User: OWNER-44F723B7A)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (01/10/2014 04:15:39 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
aswRvrt
aswSnx
aswSP
aswTdi
aswVmm
Fips
intelppm
Lbd

Error: (01/10/2014 04:14:29 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (01/09/2014 07:41:00 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}


Microsoft Office Sessions:
=========================
Error: (01/09/2014 09:23:32 AM) (Source: Application Error)(User: )
Description: spoolsv.exe5.1.2600.6024unknown0.0.0.0100012cb

Error: (01/09/2014 09:21:40 AM) (Source: Application Error)(User: )
Description: spoolsv.exe5.1.2600.6024unknown0.0.0.0100012cb

Error: (01/09/2014 09:20:07 AM) (Source: Application Error)(User: )
Description: spoolsv.exe5.1.2600.6024unknown0.0.0.01001bb66

Error: (01/09/2014 09:19:52 AM) (Source: Application Error)(User: )
Description: spoolsv.exe5.1.2600.6024unknown0.0.0.0100012cb

Error: (01/09/2014 09:18:00 AM) (Source: Application Error)(User: )
Description: spoolsv.exe5.1.2600.6024unknown0.0.0.0100012cb

Error: (01/09/2014 09:16:08 AM) (Source: Application Error)(User: )
Description: spoolsv.exe5.1.2600.6024unknown0.0.0.0100012cb

Error: (01/09/2014 09:14:19 AM) (Source: Application Error)(User: )
Description: spoolsv.exe5.1.2600.6024unknown0.0.0.0100012cb

Error: (01/09/2014 09:12:29 AM) (Source: Application Error)(User: )
Description: spoolsv.exe5.1.2600.6024unknown0.0.0.0100012cb

Error: (01/09/2014 09:10:37 AM) (Source: Application Error)(User: )
Description: spoolsv.exe5.1.2600.6024unknown0.0.0.0100012cb

Error: (01/09/2014 09:08:45 AM) (Source: Application Error)(User: )
Description: spoolsv.exe5.1.2600.6024unknown0.0.0.0100012cb


=========================== Installed Programs ============================

32 Bit HP CIO Components Installer (Version: 3.1.1)
6500_E709_Help (Version: 1.00.0000)
6500_E709n (Version: 50.0.165.000)
Acrobat.com (Version: 0.0.0)
Acrobat.com (Version: 1.1.377)
Adobe AIR (Version: 1.0.4990)
Adobe AIR (Version: 1.0.8.4990)
Adobe Download Manager (Version: 1.6.2.103)
Adobe Flash Player 10 ActiveX (Version: 10.3.181.26)
Adobe Flash Player 11 Plugin (Version: 11.9.900.170)
Adobe Reader X (10.1.8) (Version: 10.1.8)
Apple Mobile Device Support (Version: 2.1.2.7)
avast! Free Antivirus (Version: 9.0.2011)
Bonjour (Version: 1.0.105)
bpd_scan (Version: 3.00.0000)
BPDSoftware (Version: 50.0.165.000)
BPDSoftware_Ini (Version: 1.00.0000)
BufferChm (Version: 120.0.194.000)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Critical Update for Windows Media Player 11 (KB959772)
Destination Component (Version: 110.0.0.0)
DeviceDiscovery (Version: 120.0.194.000)
DocMgr (Version: 120.0.000.000)
DocProc (Version: 12.0.0.0)
eNeighborhoods Personal Edition (Version: 5.50.1000)
Fax (Version: 120.0.194.000)
FileASSASSIN (Version: 1.06)
FormViewer (Version: 4.1.3016)
Google Chrome (Version: 31.0.1650.63)
Google Update Helper (Version: 1.3.22.3)
GPBaseService2 (Version: 120.0.194.000)
HP Document Manager 2.0 (Version: 2.0)
HP Imaging Device Functions 12.0 (Version: 12.0)
HP Officejet 6500 E709 Series (Version: 12.0)
HP Photosmart Essential 3.5 (Version: 3.5)
HP Solution Center 12.0 (Version: 12.0)
HPPhotoSmartDiscLabelContent1 (Version: 2.04.0000)
HPPhotosmartEssential (Version: 2.04.0000)
HPProductAssistant (Version: 120.0.194.000)
Intel® Graphics Media Accelerator Driver (Version: 6.14.10.4436)
iPod To Computer Transfer 4.8
iTunes (Version: 8.0.2.20)
Java 7 Update 25 (Version: 7.0.250)
Java Auto Updater (Version: 2.1.9.5)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional (Version: 10.0.6626.0)
Microsoft Silverlight (Version: 5.1.20913.0)
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.50727.363)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Mozilla Firefox 26.0 (x86 en-US) (Version: 26.0)
Mozilla Maintenance Service (Version: 26.0)
MP4 Converter 1.0
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6.0 Parser (KB933579) (Version: 6.10.1200.0)
Network (Version: 120.0.194.000)
OCR Software by I.R.I.S. 12.0 (Version: 12.0)
Panda USB Vaccine 1.0.1.4
ProductContext (Version: 50.0.165.000)
QuickTime (Version: 7.55.90.70)
REALTEK GbE & FE Ethernet PCI NIC Driver (Version: 1.05.0000)
Realtek High Definition Audio Driver (Version: 5.10.0.5324)
Scan (Version: 12.0.0.0)
Sid Meier's SimGolf
Skype™ 6.9 (Version: 6.9.106)
SolutionCenter (Version: 120.0.194.000)
Spybot - Search & Destroy (Version: 1.6.2)
Status (Version: 120.0.194.000)
Toolbox (Version: 120.0.194.000)
TrayApp (Version: 120.0.194.000)
UnloadSupport (Version: 11.0.0)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568) (Version: 1)
Update for Windows Internet Explorer 8 (KB972636) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows Internet Explorer 8 (KB976749) (Version: 1)
Update for Windows Internet Explorer 8 (KB980182) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB2863058) (Version: 1)
Update for Windows XP (KB2904266) (Version: 1)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
VC 9.0 Runtime (Version: 1.0.0)
Visual C++ 2008 x86 Runtime - (v9.0.30729) (Version: 9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (Version: 9.0.30729.01)
Vz In Home Agent (Version: 7.06.10)
WebFldrs XP (Version: 9.50.7523)
WebReg (Version: 120.0.194.000)
Windows Essentials Media Codec Pack 1.0 (Version: 1.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows PowerShell™ 1.0 (Version: 2)
Windows XP Service Pack 3 (Version: 20080414.031525)
WINForms Desktop
XML Paper Specification Shared Components Pack 1.0

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 9%
Total physical RAM: 3063.48 MB
Available physical RAM: 2785.69 MB
Total Pagefile: 5971.53 MB
Available Pagefile: 5897.18 MB
Total Virtual: 2047.88 MB
Available Virtual: 1976.84 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:149.04 GB) (Free:104.76 GB) NTFS

========================= Users: ========================================

User accounts for \\OWNER-44F723B7A

Administrator            Guest                    HelpAssistant            
Owner                    SUPPORT_388945a0         


**** End of log ****
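
A check worth automating for a HOSTS file like the one in the log above, as an added example that is not part of the thread or of MiniToolBox, Rkill or MVPS. The Security Check log in #8 lists the MVPS Hosts File, which explains the 15,000-plus `127.0.0.1` lines: a blocklist sinkholes advertising and malware domains to the loopback address, and that is benign. What a responder actually wants to know is whether any entry maps a name to an address other than loopback (a redirect, the classic HOSTS hijack for bank and update sites), and whether any sinkhole entry targets a security vendor or update domain (which would stop antivirus updates). The script below parses a hosts file and separates those cases. The vendor watch list is an assumption for illustration, the first four sample mappings are copied from the MiniToolBox output above, and the remaining sample lines are constructed and were not in the victim's file.

```python
"""Classify the entries of a Windows HOSTS file for incident triage.

Added example; not code from the BleepingComputer thread or from
MiniToolBox, Rkill or MVPS.  Three buckets matter:
  sinkhole           name -> 127.0.0.1 / 0.0.0.0 / ::1  (blocklist style, benign)
  redirect           name -> any other address         (HOSTS hijack, suspicious)
  blocked_protected  sinkhole of an AV/update domain   (update blocking, suspicious)
"""
import ipaddress
from dataclasses import dataclass

SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# ASSUMED watch list for illustration only: domains a home user's security
# software needs to reach.  Extend it for the products actually installed.
PROTECTED_SUFFIXES = (
    "avast.com",
    "malwarebytes.org",
    "microsoft.com",
    "windowsupdate.com",
    "bleepingcomputer.com",
)


@dataclass(frozen=True)
class HostsEntry:
    ip: str
    name: str
    lineno: int


def parse_hosts(text):
    """Yield one HostsEntry per (address, name) pair.

    A line may carry several names; comments start with '#'; a line whose
    first token is not an IP address is ignored rather than guessed at.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            ipaddress.ip_address(tokens[0])
        except ValueError:
            continue
        for name in tokens[1:]:
            yield HostsEntry(tokens[0], name.lower(), lineno)


def is_protected(name):
    """True if name is, or is a subdomain of, a watch-listed domain."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify(text):
    """Return counts and the entries a responder should look at by hand."""
    report = {
        "localhost_ok": False,    # 'localhost' still resolves to loopback
        "sinkhole": 0,            # benign blocklist lines, counted only
        "redirect": [],           # names sent to a non-loopback address
        "blocked_protected": [],  # sinkholed AV / update domains
    }
    for entry in parse_hosts(text):
        if entry.name == "localhost" and entry.ip in SINKHOLE_IPS:
            report["localhost_ok"] = True
        elif entry.ip in SINKHOLE_IPS:
            if is_protected(entry.name):
                report["blocked_protected"].append(entry)
            else:
                report["sinkhole"] += 1
        else:
            report["redirect"].append(entry)
    return report


# The first four mappings are the ones shown in the MiniToolBox log above;
# everything after the comment line is CONSTRUCTED for this example.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
# --- constructed lines, not from the victim's machine ---
127.0.0.1    www.avast.com          # would stop the AV from updating
203.0.113.10 www.examplebank.test   # bank name sent to an outside address
0.0.0.0      ad.example.test        # ordinary blocklist line
this-is-not-an-ip  junk.example.test
"""

if __name__ == "__main__":
    rep = classify(SAMPLE_HOSTS)
    print(f"sinkhole lines: {rep['sinkhole']}  localhost ok: {rep['localhost_ok']}")
    for e in rep["redirect"]:
        print(f"REDIRECT  line {e.lineno}: {e.name} -> {e.ip}")
    for e in rep["blocked_protected"]:
        print(f"BLOCKED   line {e.lineno}: {e.name} -> {e.ip}")
```

On the victim's machine the file would be read from `C:\WINDOWS\system32\drivers\etc\hosts`; with a blocklist installed, a clean result is a large sinkhole count, an empty redirect list and an empty blocked-protected list.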

 



#10 kathoderayblue


Posted 10 January 2014 - 08:35 PM

RKILL:

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/10/2014 05:31:02 PM in x86 mode. (Safe Mode)
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * System Restore Disabled

   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
   "DisableSR" = dword:00000001

Checking Windows Service Integrity:

 * COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Manual

 * System Restore Service (srservice) is not Running.
   Startup Type set to: Automatic

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic

 * Automatic Updates (wuauserv) is not Running.
   Startup Type set to: Automatic

 * System Restore Filter Driver (sr) is not Running.
   Startup Type set to: Disabled

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * Cannot edit the HOSTS file.
 * Permissions Fixed. Administrators can now edit the HOSTS file.

 * HOSTS file entries found:

  127.0.0.1       localhost
  127.0.0.1    www.007guard.com
  127.0.0.1    007guard.com
  127.0.0.1    008i.com
  127.0.0.1    www.008k.com
  127.0.0.1    008k.com
  127.0.0.1    www.00hq.com
  127.0.0.1    00hq.com
  127.0.0.1    010402.com
  127.0.0.1    www.032439.com
  127.0.0.1    032439.com
  127.0.0.1    www.0scan.com
  127.0.0.1    0scan.com
  127.0.0.1    1000gratisproben.com
  127.0.0.1    www.1000gratisproben.com
  127.0.0.1    1001namen.com
  127.0.0.1    www.1001namen.com
  127.0.0.1    100888290cs.com
  127.0.0.1    www.100888290cs.com
  127.0.0.1    www.100sexlinks.com

  20 out of 15491 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 01/10/2014 05:32:16 PM
Execution time: 0 hours(s), 1 minute(s), and 13 seconds(s)
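
Rkill's service-integrity and System Restore checks above are easy to over-read when the tool ran in Safe Mode, which the header line "(Safe Mode)" records: many Automatic services, Security Center and Automatic Updates among them, are not started in Safe Mode, so "is not Running" with "Startup Type set to: Automatic" is expected there and should be re-checked after a normal boot. The DisableSR = 1 value, by contrast, is a persistent registry setting that does not depend on boot mode; whether the user, a tool or the caller set it is a separate question. The script below is an added example, not Rkill's own code or anything from the thread; it parses the relevant lines of an Rkill log and separates the findings that depend on boot mode from those that do not. The sample log is an excerpt of the one posted above.

```python
"""Triage the service-integrity section of an Rkill log.

Added example; not code from Rkill or from the thread.  Rkill reports
services that are not running together with their startup type, and
whether System Restore is disabled in the registry.  Which of those are
meaningful depends on whether Rkill ran in Safe Mode, so the parser reads
that from the log header too.
"""
import re

SAFE_MODE_RE = re.compile(r"^Program started at: .*\(Safe Mode\)", re.M)
SERVICE_RE = re.compile(
    r"^\s*\*\s+(?P<display>.+?) \((?P<name>[A-Za-z0-9_]+)\) is not Running\.\s*$"
)
STARTUP_RE = re.compile(r"^\s*Startup Type set to:\s*(?P<startup>\w+)\s*$")
DISABLE_SR_RE = re.compile(r'^\s*"DisableSR"\s*=\s*dword:(?P<value>[0-9A-Fa-f]{8})\s*$')


def parse_rkill(text):
    """Return (safe_mode, services, system_restore_disabled).

    services is a list of dicts with display name, short name and startup
    type, in log order.  The 'Startup Type' line follows its service line.
    """
    safe_mode = bool(SAFE_MODE_RE.search(text))
    services, current, sr_disabled = [], None, False
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = {"display": m["display"], "name": m["name"], "startup": None}
            services.append(current)
            continue
        m = STARTUP_RE.match(line)
        if m and current is not None:
            current["startup"] = m["startup"]
            current = None
            continue
        m = DISABLE_SR_RE.match(line)
        if m:
            sr_disabled = int(m["value"], 16) == 1
    return safe_mode, services, sr_disabled


def triage(text):
    """Split findings into ones that depend on boot mode and ones that don't."""
    safe_mode, services, sr_disabled = parse_rkill(text)
    persistent = []   # true regardless of how the machine was booted
    recheck = []      # expected in Safe Mode; verify after a normal boot
    if sr_disabled:
        persistent.append("System Restore disabled in registry (DisableSR = 1)")
    for s in services:
        if s["startup"] == "Disabled":
            persistent.append(f"{s['display']} ({s['name']}) startup type is Disabled")
        elif s["startup"] == "Automatic":
            msg = f"{s['display']} ({s['name']}) not running although Automatic"
            (recheck if safe_mode else persistent).append(msg)
        # a Manual service that is not running is normal in either mode
    return {"safe_mode": safe_mode, "persistent": persistent, "recheck": recheck}


# Excerpt of the Rkill log posted above (only the lines this parser reads).
SAMPLE_RKILL_LOG = """\
Program started at: 01/10/2014 05:31:02 PM in x86 mode. (Safe Mode)
Windows Version: Microsoft Windows XP Service Pack 3

Performing miscellaneous checks:

 * System Restore Disabled

   [HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore]
   "DisableSR" = dword:00000001

Checking Windows Service Integrity:

 * COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Manual

 * System Restore Service (srservice) is not Running.
   Startup Type set to: Automatic

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic

 * Automatic Updates (wuauserv) is not Running.
   Startup Type set to: Automatic

 * System Restore Filter Driver (sr) is not Running.
   Startup Type set to: Disabled
"""

if __name__ == "__main__":
    result = triage(SAMPLE_RKILL_LOG)
    print("ran in Safe Mode:", result["safe_mode"])
    for line in result["persistent"]:
        print("PERSISTENT:", line)
    for line in result["recheck"]:
        print("RE-CHECK  :", line)
```

Run against the excerpt, the two persistent findings are the DisableSR value and the disabled `sr` filter driver; the three Automatic services land in the re-check list because the log was taken in Safe Mode. The same log without the "(Safe Mode)" marker would move all three into the persistent list.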

 



#11 kathoderayblue


Posted 10 January 2014 - 08:45 PM

Junkware report:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.0 (01.07.2014:1)
OS: Microsoft Windows XP x86
Ran by Administrator on Fri 01/10/2014 at 17:36:53.17
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-839522115-1606980848-725345543-500\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\conduit
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\iminstaller
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT2611275
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT2648093



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\ammyy"
Successfully deleted: [Folder] "C:\Program Files\conduit"





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 01/10/2014 at 17:42:20.73
End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#12 noknojon


Posted 10 January 2014 - 10:12 PM

AA_v3.3.exe (PUP.RemoteAdmin.Ammyy) <= This is usually fairly easy to pick as the scammers attempt to access the computer.

 

This may sound odd unless you have used it - MBAM Chameleon Link and How to run Chameleon
This is how to run Malwarebytes from Safe Mode ..... or from an infected computer.
 

Unless required, please remove these via Add / Remove in Control Panel -
Google Chrome 31.0.1650.63 and Google Chrome 31.0.1650.57
Adobe Reader 10.1.8
Adobe Flash Player 10
Java 7 Update 25
 

From the errors Description: The following boot-start or system-start driver(s) failed to load:
 aswRvrt
 aswSnx
 aswSP
 aswTdi
 aswVmm
These in the errors are related to avast! Free Antivirus.

I will post how to Uninstall it first, and we can reinstall later.

 

Thanks -



#13 noknojon


Posted 10 January 2014 - 10:44 PM

Avast! uninstall tool: http://www.avast.com/en-au/uninstall-utility

 

This should work in Safe Mode, as many uninstallers prefer Safe Mode to prevent harm.



#14 noknojon


Posted 10 January 2014 - 11:25 PM

Still checking some basic errors, but there is not much to work with.

Can we estimate the general time and duration of the fake phone call?

Is there any password to log into the computer?

 

 

This should run with the current Safe Mode setup

 

Download TDSSKiller  and save it to your desktop.
Extract (unzip) its contents to your desktop.
* Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
* If an infected file is detected, the default action will be Cure, click on Continue.
* If a suspicious file is detected, the default action will be Skip, click on Continue.
* It may ask you to reboot the computer to complete the process. Click on Reboot Now.
* If no reboot is required, click on Report. A log file should appear.

* Please copy and paste the contents of that file here.
* If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt.
Please copy and paste the contents of that file here.

 

Thanks -



#15 noknojon


Posted 11 January 2014 - 03:55 AM

I will quote a short piece from the Legal Ammyy Company that the scammers tend to use -

This is added more for information, as I do not see this listed.

Please check All Programs, not Add / Remove, to see if there is any mention of it in there.

 

QUOTE -

If you got scammed (launched Ammyy Admin and granted access to your PC to a scammer and inputted your credit card requisites during the remote desktop connection session) please do the following:

1) Turn off your Internet connection, then turn off the PC and call your bank to freeze all your bank accounts.

2) Boot your PC in the safe mode and check it for viruses (it's possible the scammers had run their malicious hidden software)

3) If your Antivirus Software shows no warnings restart the PC and make sure Ammyy Admin Service isn't installed and doesn't run in automatic mode.

For this go to main window of Ammyy Admin -> Ammyy -> Service -> Remove. Then restart your PC again.
Copyright © 2014 Ammyy. All rights reserved

END QUOTE -

 

A lot depends if you use banking or Credit-cards on the computer.

I am thinking that we may need to use Hitman Pro to try and boot the computer.
Directions will be in my next post (in 10 minutes) -

 

Thanks -





