RCMP Virus


This topic is locked
38 replies to this topic

#1 caleman22
  • Members
  • 86 posts

Posted 13 April 2014 - 10:23 PM

Hello, I've got the RCMP virus, or at least that's what I think it's called. However, it's on a different computer.

 

When I turn that computer on and go into the desktop the virus automatically takes over the whole screen and nothing can be done to minimize it or shut it off. The computer is running Windows 8, and despite all the do-it-yourself guides, I can't get the computer to open in safe mode. I'm not sure what to do next.

 

Thanks.





#2 caleman22
  • Topic Starter
  • Members
  • 86 posts

Posted 18 April 2014 - 03:13 PM

Since I can't use the computer at all, I can't post the DDS logs. Still can't seem to figure it out...

#3 Bud_91
  • Malware Response Team
  • 438 posts
  • Gender:Male

Posted 18 April 2014 - 03:54 PM

Hello and welcome to Bleeping Computer. I am sorry that you are having troubles with your computer and will try my best to help you. I know that being infected is very frustrating, but I will be here to help you through the whole process of cleaning. Removing malware can be difficult and complicated and will most likely take many steps, so please stick with me until I have declared your computer clean. I always recommend printing my instructions before following them in case you cannot keep this webpage open. Please be sure to always follow all steps exactly as they are written and let me know what happens each time. Stop and ask if something unexpected happens or if you are unsure of how to proceed.
 
Please respect my volunteered time and stay with me until I declare your computer clean. If you are going to be delayed for a while, please let me know.
 
Do you have Windows 8 or 8.1? Can you at least get to the login screen? Do you have an install CD for Windows 8?
 
Once you answer these questions, we can get started.

If I have not responded to your log in 36 hours, feel free to send me a PM.

If you would like to make a thank-you donation, please click here.

 

A.K.A. Buddierdl @ GeeksToGo.com


#4 caleman22
  • Topic Starter
  • Members
  • 86 posts

Posted 18 April 2014 - 05:48 PM

I first arrive at the screen which shows the time and date with a picture in the background. It also has symbols representing battery strength and a wifi connection. Pressing any key, I arrive at the login screen. Going any further activates the virus.

 

It's Windows 8, as far as I know.

 

Thanks



#5 caleman22
  • Topic Starter
  • Members
  • 86 posts

Posted 18 April 2014 - 06:03 PM

As for the install CD, I don't have it at the moment. I am checking for it, but I don't think I have it anymore...



#6 caleman22
  • Topic Starter
  • Members
  • 86 posts

Posted 18 April 2014 - 07:10 PM

Let me clarify what I said earlier...

 

I can get to the login page. If I log in, I'll arrive at the start menu with all the apps present. Going into the desktop at all activates the virus which then takes over the screen. I can get back to the start page with the apps. That's it.



#7 Bud_91
  • Malware Response Team
  • 438 posts
  • Gender:Male

Posted 18 April 2014 - 08:22 PM

Ok. Here is what we need to do. You will need a USB flash drive.

 

First, on a clean computer, let's protect the flash drive to keep it from becoming infected.

 

Download/Run Panda USB Vaccine:
 
Please download Panda USB Vaccine from here to the desktop of your machine.
 
  • Right-click on USBVaccineSetup.exe and select Run as Administrator >> follow the prompts in the installation wizard.
  • At the configuration screen (settings)...
  • Ensure both Run Panda USB Vaccine automatically when computer boots (/resident mode) & Automatically vaccinate any newly inserted USB key are selected >> plus NTFS support
  • Now click on Next> >> ensure Launch Panda USB Vaccine is selected >> click on Finish.
  • Insert the USB Drive in your machine...it will be automatically vaccinated (as will any USB drives connected in the future).
 
Note: You may uninstall Panda USB Vaccine when we have completed the Malware Removal process if you so wish. Though my advice would be to keep it installed.
 
Now, download Farbar Recovery Scan Tool x64 and save it to the flash drive. Then plug the drive into the infected computer.
 
While at the login screen, hold down the shift key and click on the power icon in the bottom right of the screen. Still holding shift, select restart.
 
  • Select the Troubleshoot option.
  • Select the Advanced option.
  • Select Command prompt.
  • At the command prompt type the following: (screenshot: notepad.JPG)
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 




#8 caleman22
  • Topic Starter
  • Members
  • 86 posts

Posted 18 April 2014 - 08:34 PM

Ok, I'm waiting at the please wait screen now. I did everything and just hit the reset but it's been on this screen for a while now.



#9 caleman22
  • Topic Starter
  • Members
  • 86 posts

Posted 18 April 2014 - 08:36 PM

The loading screen still, with the little balls moving around in a circle.



#10 caleman22
  • Topic Starter
  • Members
  • 86 posts

Posted 18 April 2014 - 08:40 PM

Still waiting on the same screen. I believe this computer has a Conduit infection as well as the Ukash RCMP virus.



#11 caleman22
  • Topic Starter
  • Members
  • 86 posts

Posted 18 April 2014 - 08:42 PM

Got in. I'll let you know how it goes.



#12 caleman22
  • Topic Starter
  • Members
  • 86 posts

Posted 18 April 2014 - 08:54 PM

This USB is causing problems; I think it will work with my other one. I need to get it from work, which I can't do until tomorrow. Sorry, but that's it for today.

 

I'll see you in 12 hours with an update.



#13 Bud_91
  • Malware Response Team
  • 438 posts
  • Gender:Male

Posted 19 April 2014 - 08:09 AM

:thumbup2:

 

P.S. The weekend may be a little slow for responses from me.




#14 caleman22
  • Topic Starter
  • Members
  • 86 posts

Posted 20 April 2014 - 11:18 AM

I used a different USB. Here is the report:

 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 17-04-2014 01
Ran by SYSTEM on MININT-BI7LTPU on 20-04-2014 11:16:53
Running from F:\
Windows 8 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Registry (Whitelisted) ==================
 
HKLM-x32\...\Run: [fst_ca_65] => C:\Program Files (x86)\fst_ca_65\fst_ca_65.exe [3984336 2014-03-10] ()
HKLM-x32\...\RunOnce: [upfst_ca_65.exe] - C:\Users\jeremy\AppData\Local\fst_ca_65\upfst_ca_65.exe -runonce [3234256 2014-03-10] ()
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\jeremy\...\Run: [Driver Detective] => C:\Program Files (x86)\PC Drivers HeadQuarters\Driver Detective\DriversHQ.DriverDetective.Client.exe [4680600 2014-02-20] (PC Drivers Headquarters)
HKU\jeremy\...\Run: [Exetender] => C:\Program Files (x86)\Hoopla\GPlayer.exe [5043096 2014-02-13] (Exent Technologies Ltd.)
HKU\jeremy\...\Run: [Browser Infrastructure Helper] => C:\Users\jeremy\AppData\Local\Smartbar\Application\Smartbar.exe [21536 2014-02-09] (Smartbar)
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File Not Found
AppInit_DLLs-x32: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll => "C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll" File Not Found
Startup: C:\Users\jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8r7trjod8.lnk
ShortcutTarget: 8r7trjod8.lnk -> C:\ProgramData\8dojrt7r8.cpp ()
Startup: C:\Users\jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk
ShortcutTarget: MyPC Backup.lnk -> C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe (MyPCBackup.com)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
 
==================== Services (Whitelisted) =================
 
S3 ASUS InstantOn; C:\Program Files\ASUS\P4G\InsOnSrv.exe [277120 2013-06-19] (ASUS)
S3 Asus WebStorage Windows Service; C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\AsusWSWinService.exe [72192 2012-12-18] ()
S2 BackupStack; C:\Program Files (x86)\MyPC Backup\BackupStack.exe [36392 2014-02-18] (Just Develop It)
S2 CltMngSvc; C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe [2454816 2014-03-03] (Conduit)
S3 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [220856 2012-11-30] (McAfee, Inc.)
S3 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
S3 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
S3 McAWFwk; C:\Program Files\Common Files\mcafee\ActWiz\McAWFwk.exe [334760 2012-12-21] (McAfee, Inc.)
S3 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [220856 2012-11-30] (McAfee, Inc.)
S3 McNaiAnn; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [220856 2012-11-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [388240 2012-11-23] (McAfee, Inc.)
S3 McOobeSv2; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [220856 2012-11-30] (McAfee, Inc.)
S3 mcpltsvc; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [220856 2012-11-30] (McAfee, Inc.)
S3 McProxy; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [220856 2012-11-30] (McAfee, Inc.)
S2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1007288 2012-10-06] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218320 2012-11-09] (McAfee, Inc.)
S2 mfevtp; C:\windows\system32\mfevtps.exe [177680 2012-11-09] (McAfee, Inc.)
S3 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [220856 2012-11-30] (McAfee, Inc.)
S2 Re-markit; C:\Program Files (x86)\Re-markit-soft\Re-markit157.exe [194048 2014-03-13] ()
S2 WajamUpdaterV3; C:\Program Files (x86)\Wajam\Updater\WajamUpdaterV3.exe [114176 2013-10-25] (Wajam)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16048 2013-10-24] (Microsoft Corporation)
S2 Winmgmt; C:\ProgramData\8r7trjod8.zvv [332536 2014-03-13] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
S3 ATP; C:\Windows\System32\drivers\AsusTP.sys [65784 2013-06-28] (ASUS Corporation)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [69672 2012-11-09] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197264 2012-05-28] (McAfee, Inc.)
S3 kbfiltr; C:\Windows\System32\drivers\kbfiltr.sys [14992 2012-08-01] ( )
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [178840 2012-11-09] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309400 2012-11-09] (McAfee, Inc.)
S3 mfeavfk01; No ImagePath
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [69168 2012-11-09] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515528 2012-11-09] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771096 2012-11-09] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\system32\DRIVERS\mfencbdc.sys [328976 2012-11-02] (McAfee, Inc.)
S3 mfencrk; C:\Windows\system32\DRIVERS\mfencrk.sys [97208 2012-11-02] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [339776 2012-11-09] (McAfee, Inc.)
S2 X5XSEx_Pr152; C:\Program Files (x86)\Hoopla\X5XSEx_Pr152.Sys [56584 2013-07-18] (Exent Technologies Ltd.)
S0 msahci; 
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-04-18 20:45 - 2014-04-18 20:51 - 00000000 ____D () C:\FRST
2014-04-18 17:37 - 2014-04-18 17:37 - 00000000 ____D () C:\Users\Default\AppData\Roaming\ASUS WebStorage
2014-04-18 17:37 - 2014-04-18 17:37 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\ASUS WebStorage
2014-04-18 17:37 - 2014-04-18 17:37 - 00000000 ____D () C:\Packages
2014-04-18 17:01 - 2014-04-18 17:01 - 00001422 _____ () C:\Users\jeremy\AppData\Roaming\aps.scan.results
2014-03-23 16:12 - 2014-03-23 16:12 - 00281088 _____ () C:\Windows\System32\FNTCACHE.DAT
 
==================== One Month Modified Files and Folders =======
 
2014-04-18 20:51 - 2014-04-18 20:45 - 00000000 ____D () C:\FRST
2014-04-18 17:41 - 2014-03-12 22:14 - 01507310 _____ () C:\Windows\WindowsUpdate.log
2014-04-18 17:38 - 2013-10-18 09:13 - 00003268 _____ () C:\Windows\System32\Tasks\AsusVibeSchedule
2014-04-18 17:38 - 2013-10-18 09:13 - 00003028 _____ () C:\Windows\System32\Tasks\ASUS USB Charger Plus
2014-04-18 17:38 - 2013-10-18 09:13 - 00003004 _____ () C:\Windows\System32\Tasks\ASUS Splendid ColorU
2014-04-18 17:37 - 2014-04-18 17:37 - 00000000 ____D () C:\Users\Default\AppData\Roaming\ASUS WebStorage
2014-04-18 17:37 - 2014-04-18 17:37 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\ASUS WebStorage
2014-04-18 17:37 - 2014-04-18 17:37 - 00000000 ____D () C:\Packages
2014-04-18 17:37 - 2013-10-18 09:14 - 00003056 _____ () C:\Windows\System32\Tasks\ASUS P4G
2014-04-18 17:37 - 2013-10-18 09:13 - 00002988 _____ () C:\Windows\System32\Tasks\ASUS Splendid ACMON
2014-04-18 17:37 - 2013-10-18 09:05 - 00003540 _____ () C:\Windows\System32\Tasks\ASUS Smart Gesture Launcher
2014-04-18 17:35 - 2014-03-13 08:54 - 00001596 _____ () C:\Windows\Tasks\media enhance-updater.job
2014-04-18 17:35 - 2014-03-13 08:54 - 00001500 _____ () C:\Windows\Tasks\free ven-updater.job
2014-04-18 17:35 - 2014-03-13 08:54 - 00001450 _____ () C:\Windows\Tasks\media enhance-enabler.job
2014-04-18 17:35 - 2014-03-13 08:53 - 00003110 _____ () C:\Windows\Tasks\media enhance-chromeinstaller.job
2014-04-18 17:35 - 2014-03-13 08:53 - 00002378 _____ () C:\Windows\Tasks\media enhance-firefoxinstaller.job
2014-04-18 17:35 - 2014-03-13 08:53 - 00002254 _____ () C:\Windows\Tasks\free ven-firefoxinstaller.job
2014-04-18 17:35 - 2014-03-13 08:53 - 00001550 _____ () C:\Windows\Tasks\media enhance-codedownloader.job
2014-04-18 17:35 - 2014-03-13 08:53 - 00001454 _____ () C:\Windows\Tasks\free ven-codedownloader.job
2014-04-18 17:35 - 2014-03-13 08:53 - 00001354 _____ () C:\Windows\Tasks\free ven-enabler.job
2014-04-18 17:35 - 2014-03-13 08:53 - 00000282 _____ () C:\Windows\Tasks\SpeedUpMyPC Startup.job
2014-04-18 17:35 - 2014-03-13 08:52 - 00003090 _____ () C:\Windows\Tasks\free ven-chromeinstaller.job
2014-04-18 17:35 - 2014-03-13 08:52 - 00000402 _____ () C:\Windows\Tasks\Re-markit Update.job
2014-04-18 17:35 - 2014-03-13 08:52 - 00000400 _____ () C:\Windows\Tasks\Re-markit_wd.job
2014-04-18 17:35 - 2014-03-13 08:52 - 00000000 ____D () C:\Users\jeremy\AppData\Local\fst_ca_65
2014-04-18 17:35 - 2012-07-25 23:22 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-18 17:34 - 2012-07-26 00:12 - 00000000 ____D () C:\Windows\System32\sru
2014-04-18 17:11 - 2014-03-12 22:23 - 00003598 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1030370165-1943745879-2876373953-1001
2014-04-18 17:01 - 2014-04-18 17:01 - 00001422 _____ () C:\Users\jeremy\AppData\Roaming\aps.scan.results
2014-04-18 17:01 - 2014-03-13 08:54 - 00000580 _____ () C:\Users\jeremy\AppData\Roaming\aps.scan.quick.results
2014-04-18 17:01 - 2014-03-13 08:54 - 00000159 _____ () C:\Users\jeremy\AppData\Roaming\aps.uninstall.scan.results
2014-04-18 17:00 - 2014-03-13 08:53 - 00000288 _____ () C:\Windows\Tasks\SpeedUpMyPC Maintenance.job
2014-04-18 16:46 - 2014-03-13 08:53 - 00000000 ____D () C:\Program Files (x86)\media enhance
2014-04-18 16:46 - 2014-03-13 08:52 - 00000000 ____D () C:\Program Files (x86)\free ven
2014-04-18 16:32 - 2014-03-12 22:14 - 00000000 ____D () C:\users\jeremy
2014-04-18 15:11 - 2012-07-26 00:12 - 00000000 ____D () C:\Windows\WinStore
2014-04-18 15:11 - 2012-07-26 00:12 - 00000000 ____D () C:\Windows\SysWOW64\zh-HK
2014-04-18 15:11 - 2012-07-26 00:12 - 00000000 ____D () C:\Windows\System32\zh-HK
2014-04-18 15:11 - 2012-07-26 00:12 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-04-18 15:11 - 2012-07-25 21:26 - 00262144 ___SH () C:\Windows\System32\config\BBI
2014-04-18 15:10 - 2012-07-26 00:12 - 00000000 ____D () C:\Program Files\Windows Defender
2014-04-18 15:10 - 2012-07-26 00:12 - 00000000 ____D () C:\Program Files (x86)\Windows Defender
2014-04-18 14:40 - 2012-07-25 21:26 - 00262144 ___SH () C:\Windows\System32\config\ELAM
2014-03-23 16:12 - 2014-03-23 16:12 - 00281088 _____ () C:\Windows\System32\FNTCACHE.DAT
 
Files to move or delete:
====================
C:\ProgramData\8r7trjod8.fee
C:\ProgramData\8r7trjod8.zvv
C:\ProgramData\SetStretch.exe
C:\ProgramData\SetStretch.VBS
 
 
Some content of TEMP:
====================
C:\Users\jeremy\AppData\Local\Temp\air1AA2.exe
C:\Users\jeremy\AppData\Local\Temp\air4846.exe
C:\Users\jeremy\AppData\Local\Temp\air49C9.exe
C:\Users\jeremy\AppData\Local\Temp\airA2D.exe
C:\Users\jeremy\AppData\Local\Temp\airE65.exe
C:\Users\jeremy\AppData\Local\Temp\airE693.exe
C:\Users\jeremy\AppData\Local\Temp\arlqmbu9.dll
C:\Users\jeremy\AppData\Local\Temp\BackupSetup.exe
C:\Users\jeremy\AppData\Local\Temp\bvlbzkyz.dll
C:\Users\jeremy\AppData\Local\Temp\IEHistory.exe
C:\Users\jeremy\AppData\Local\Temp\InstalledPrograms.exe
C:\Users\jeremy\AppData\Local\Temp\nsm4962.exe
C:\Users\jeremy\AppData\Local\Temp\nsn31D1.exe
C:\Users\jeremy\AppData\Local\Temp\ShoppinHelper2.exe
C:\Users\jeremy\AppData\Local\Temp\SPSetup.exe
C:\Users\jeremy\AppData\Local\Temp\Upgrader.exe
C:\Users\jeremy\AppData\Local\Temp\vcredist_x64.exe
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2014-03-13 08:55:10
Restore point made on: 2014-03-17 15:36:39
Restore point made on: 2014-03-17 16:02:01
Restore point made on: 2014-03-17 16:02:05
Restore point made on: 2014-04-18 14:54:15
 
==================== Memory info =========================== 
 
Percentage of memory in use: 12%
Total physical RAM: 8077.73 MB
Available physical RAM: 7105.29 MB
Total Pagefile: 8077.73 MB
Available Pagefile: 7131.25 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:279.45 GB) (Free:239.36 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (Data) (Fixed) (Total:398.07 GB) (Free:397.86 GB) NTFS
Drive f: () (Removable) (Total:3.76 GB) (Free:1.99 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 699 GB) (Disk ID: 0FE4DC0A)
 
Partition: GPT Partition Type.
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 4 GB) (Disk ID: 00000000)
 
Partition: GPT Partition Type.
 
 
LastRegBack: 2014-04-18 14:51
 
==================== End Of Log ============================
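As an added example (not part of this thread, and not FRST's own logic), a small Python triage script that parses Services and ShortcutTarget lines in the FRST format shown above and flags the two entries a responder would pull out of this log: the Winmgmt service whose ImagePath has left C:\Windows, and the Startup shortcut that launches a .cpp file from ProgramData. The list of system-root services and the executable-extension set are assumptions of the example, and the sample lines are copied from the log above.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of the FRST "Services" and "Registry" sections
# posted above (values copied from that log; the rest of the log is omitted).
SAMPLE_LOG = r"""
S2 Winmgmt; C:\ProgramData\8r7trjod8.zvv [332536 2014-03-13] (Microsoft Corporation)
S2 mfevtp; C:\windows\system32\mfevtps.exe [177680 2012-11-09] (McAfee, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16048 2013-10-24] (Microsoft Corporation)
S2 CltMngSvc; C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe [2454816 2014-03-03] (Conduit)
S3 mfeavfk01; No ImagePath
Startup: C:\Users\jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8r7trjod8.lnk
ShortcutTarget: 8r7trjod8.lnk -> C:\ProgramData\8dojrt7r8.cpp ()
ShortcutTarget: MyPC Backup.lnk -> C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe (MyPCBackup.com)
"""

# Assumed list of built-in services whose ImagePath always lives under %SystemRoot%.
# WinDefend is deliberately absent: its binary sits under Program Files.
SYSTEMROOT_SERVICES = {"winmgmt", "wuauserv", "bits", "schedule", "eventlog", "lanmanserver"}
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".msi"}  # assumed set
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")

# "S2 Name; Path [size date] (Vendor)" and "ShortcutTarget: x.lnk -> Path (Vendor)"
SERVICE_RE = re.compile(r"^S[0-4] (?P<name>[^;]+); (?P<path>.+?) \[\d+ [\d-]+\] \((?P<vendor>.*)\)$")
SHORTCUT_RE = re.compile(r"^ShortcutTarget: (?P<lnk>.+?) -> (?P<target>.+?) \((?P<vendor>[^()]*)\)$")

def check_service(name, path):
    """Reason a service entry looks hijacked, or None. The vendor string comes
    from the file's own version info, so it is never used as evidence here."""
    lower = path.lower()
    if name.lower() in SYSTEMROOT_SERVICES and not lower.startswith("c:\\windows\\"):
        return "system service running from outside C:\\Windows"
    if lower.startswith(USER_WRITABLE) and PureWindowsPath(path).suffix.lower() not in EXECUTABLE_EXTS:
        return "service binary in user-writable location with non-executable extension"
    return None

def check_shortcut(target):
    """Reason a Startup-folder shortcut looks malicious, or None."""
    lower = target.lower()
    if lower.startswith(USER_WRITABLE) and PureWindowsPath(target).suffix.lower() not in EXECUTABLE_EXTS:
        return "startup shortcut launches a non-executable extension from a user-writable path"
    return None

def analyze(text):
    """Return (subject, path, reason) for every suspicious line in an FRST-style log."""
    findings = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            reason = check_service(m["name"], m["path"])
            if reason:
                findings.append((m["name"], m["path"], reason))
            continue
        m = SHORTCUT_RE.match(line)
        if m:
            reason = check_shortcut(m["target"])
            if reason:
                findings.append((m["lnk"], m["target"], reason))
    return findings

if __name__ == "__main__":
    for subject, path, reason in analyze(SAMPLE_LOG):
        print(f"{subject}: {path}\n    -> {reason}")
```

Adware services such as CltMngSvc pass these two rules on purpose: they run a real .exe from Program Files, so catching them needs vendor or path reputation rather than structural checks.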


#15 Bud_91
  • Malware Response Team
  • 438 posts
  • Gender:Male

Posted 20 April 2014 - 07:12 PM

Did you get an additions.txt log on the flash drive as well?






