Internet Security Pro/ madefender.exe


  • This topic is locked
4 replies to this topic

#1 jephph

  • Members
  • 41 posts

Posted 09 May 2014 - 09:45 AM

Hey guys. I've got a laptop here that's been infected. I looked up the specific virus removal, and they all have you run a program to try to remove the infection. The problem is that I can't run any of the programs, no matter how they're masked. I've tried all of the MBAM Chameleon files, and all of the RKill extensions as well. The only thing I can run on the computer is text files. I tried renaming some of the programs to text files, but that didn't work either. I've tried it all in safe mode as well. Nothing runs. I noticed that most of the instructions for removing the Internet Security virus are from 2013. Maybe this is a new version of the virus? Any help would be much appreciated.




#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 10 May 2014 - 07:08 AM


Hello jephph

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

For 32-bit (x86) systems, download Farbar Recovery Scan Tool and save it to a flash drive.

For 64-bit systems, download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe or e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First Press the Scan button.
  • It will make a log (FRST.txt)
I want you to post the FRST.txt report in your reply to me.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 jephph

  • Topic Starter
  • Members

Posted 10 May 2014 - 08:45 AM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 09-05-2014 01
Ran by SYSTEM on MININT-4TVQ08J on 09-05-2014 16:19:11
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.


The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/down...an-tool/dl/81/ 
Download link for 64-Bit Version: http://www.bleepingcomputer.com/down...an-tool/dl/82/ 
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic...ery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2480936 2010-12-20] (Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6602856 2011-01-11] (Realtek Semiconductor)
HKLM\...\Run: [HPWirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-07-21] (Hewlett-Packard Company)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-09-13] (Intel Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [37960 2013-05-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [248552 2010-05-14] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-11-01] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [421736 2011-12-08] (Apple Inc.)
HKLM-x32\...\Run: [HPOSD] => C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [577408 2012-02-15] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [SelectRebates] => C:\Program Files (x86)\SelectRebates\SelectRebates.exe [886752 2010-11-01] ()
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [103768 2009-09-12] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [5624784 2013-07-25] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Web TuneUp\vprot.exe [2552856 2014-04-21] ()
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2014\avgui.exe [4971024 2014-03-19] (AVG Technologies CZ, s.r.o.)
HKLM\...\RunOnce: [NCPluginUpdater] - "C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" Update [21720 2014-04-22] (Hewlett-Packard)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\Alicia\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [17351304 2011-10-13] (Skype Technologies S.A.)
HKU\Alicia\...\Run: [AVG-Secure-Search-Update_0913a] => C:\Users\Alicia\AppData\Roaming\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --mid 8723bb1e3a6147d3a1aafd3fcc0676f4-934d5dc3d8dc8e769db1ba664331484d722e8777 --CMPID 0913a

==================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [3782672 2014-02-23] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [348008 2013-09-23] (AVG Technologies CZ, s.r.o.)
S2 lxdx_device; C:\Windows\system32\lxdxcoms.exe [1039872 2009-10-16] ( )
S2 Motorola Device Manager; C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [116632 2012-07-17] ()
S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1817560 2013-05-16] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1033688 2013-05-16] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2013-05-15] (Safer-Networking Ltd.)
S2 vToolbarUpdater3.0.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\3.0.0\ToolbarUpdater.exe [1801240 2014-04-21] (AVG Secure Search)
S3 AdobeFlashPlayerUpdateSvc; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [X]

==================== Drivers (Whitelisted) ====================

S1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-03-27] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [237336 2014-04-18] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [192792 2014-03-27] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [236824 2014-03-27] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [324376 2014-03-27] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [130840 2014-03-31] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [32536 2014-03-27] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [274200 2014-03-31] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [50464 2014-04-21] (AVG Technologies)
S3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-05-09 16:18 - 2014-05-09 16:19 - 00000000 ____D () C:\FRST
2014-05-09 06:15 - 2014-05-09 06:13 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Alicia\Desktop\rkill.rtf.com
2014-05-09 06:15 - 2014-05-09 06:12 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Alicia\Desktop\rkill (1).exe
2014-05-09 05:57 - 2014-05-09 05:58 - 00000000 ____D () C:\Users\Alicia\Desktop\Pics
2014-05-09 05:57 - 2014-05-09 05:51 - 49566984 _____ (GridinSoft LLC) C:\Users\Alicia\Desktop\gtk-2.2.2.9-setup.exe
2014-05-09 05:57 - 2014-05-09 05:47 - 04164448 _____ (Kaspersky Lab ZAO) C:\Users\Alicia\Desktop\tdsskiller (3).exe
2014-05-09 05:57 - 2014-05-09 05:47 - 00015648 _____ (GridinSoft LLC. All rights reserved.) C:\Users\Alicia\Desktop\madefender.exe.exe
2014-05-09 05:36 - 2014-05-09 05:47 - 00000000 ____D () C:\Users\Alicia\Desktop\mbam-chameleon-1.62.1.1000
2014-05-03 07:52 - 2014-05-09 05:59 - 00110080 _____ () C:\Windows\WindowsUpdate.log
2014-05-03 07:49 - 2014-05-09 05:34 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-05-03 07:49 - 2014-05-03 07:49 - 00000862 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-04-21 06:05 - 2014-04-22 02:13 - 00000000 ____D () C:\ProgramData\AVG Security Toolbar
2014-04-21 06:05 - 2014-04-22 02:09 - 00000000 ____D () C:\Users\Alicia\AppData\Local\AVG Web TuneUp
2014-04-21 06:05 - 2014-04-21 06:03 - 00050464 _____ (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2014-04-21 06:04 - 2014-04-21 06:05 - 00000000 ____D () C:\ProgramData\AVG Web TuneUp
2014-04-21 06:04 - 2014-04-21 06:04 - 00000000 ____D () C:\ProgramData\AVG Secure Search
2014-04-21 06:04 - 2014-04-21 06:04 - 00000000 ____D () C:\Program Files (x86)\AVG Web TuneUp
2014-04-18 11:01 - 2014-04-18 11:01 - 00237336 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgidsdrivera.sys
2014-04-17 14:01 - 2014-04-17 14:01 - 00000000 ____S () C:\Windows\System32\wvqkvyc.oiu
2014-04-15 15:04 - 2014-05-09 11:39 - 00000072 _____ () C:\Windows\System32\auzeypw.tbk
2014-04-15 14:53 - 2014-04-15 14:53 - 00000064 _____ () C:\Windows\System32\qcom.cyf
2014-04-15 14:53 - 2014-04-15 14:53 - 00000000 _____ () C:\Windows\System32\czxj.lym
2014-04-15 14:37 - 2014-04-15 14:37 - 00234915 ____S () C:\Windows\System32\yhgpdqc.hyd
2014-04-11 04:55 - 2014-03-30 17:16 - 23134208 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-04-11 04:55 - 2014-03-30 17:13 - 02724864 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-04-11 04:55 - 2014-03-04 01:44 - 01163264 _____ (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2014-04-11 04:55 - 2014-03-04 01:44 - 00362496 _____ (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2014-04-11 04:55 - 2014-03-04 01:44 - 00243712 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
2014-04-11 04:55 - 2014-03-04 01:44 - 00016384 _____ (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2014-04-11 04:55 - 2014-03-04 01:44 - 00013312 _____ (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2014-04-11 04:55 - 2014-02-03 18:35 - 00274880 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\msiscsi.sys
2014-04-11 04:55 - 2014-02-03 18:35 - 00190912 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\storport.sys
2014-04-11 04:55 - 2014-02-03 18:35 - 00027584 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\Diskdump.sys
2014-04-11 04:55 - 2014-02-03 18:28 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\iologmsg.dll
2014-04-11 04:53 - 2014-01-23 18:37 - 01684928 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2014-04-10 04:08 - 2014-04-10 04:28 - 00000000 ____D () C:\Users\Alicia\Desktop\alicia's phone

==================== One Month Modified Files and Folders =======

2014-05-09 16:19 - 2014-05-09 16:18 - 00000000 ____D () C:\FRST
2014-05-09 11:39 - 2014-04-15 15:04 - 00000072 _____ () C:\Windows\System32\auzeypw.tbk
2014-05-09 09:32 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2014-05-09 06:13 - 2014-05-09 06:15 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Alicia\Desktop\rkill.rtf.com
2014-05-09 06:12 - 2014-05-09 06:15 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Alicia\Desktop\rkill (1).exe
2014-05-09 05:59 - 2014-05-03 07:52 - 00110080 _____ () C:\Windows\WindowsUpdate.log
2014-05-09 05:58 - 2014-05-09 05:57 - 00000000 ____D () C:\Users\Alicia\Desktop\Pics
2014-05-09 05:51 - 2014-05-09 05:57 - 49566984 _____ (GridinSoft LLC) C:\Users\Alicia\Desktop\gtk-2.2.2.9-setup.exe
2014-05-09 05:47 - 2014-05-09 05:57 - 04164448 _____ (Kaspersky Lab ZAO) C:\Users\Alicia\Desktop\tdsskiller (3).exe
2014-05-09 05:47 - 2014-05-09 05:57 - 00015648 _____ (GridinSoft LLC. All rights reserved.) C:\Users\Alicia\Desktop\madefender.exe.exe
2014-05-09 05:47 - 2014-05-09 05:36 - 00000000 ____D () C:\Users\Alicia\Desktop\mbam-chameleon-1.62.1.1000
2014-05-09 05:42 - 2009-07-13 20:45 - 00032064 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-09 05:42 - 2009-07-13 20:45 - 00032064 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-09 05:41 - 2009-07-13 21:13 - 00782510 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-05-09 05:36 - 2009-07-13 20:51 - 00083992 _____ () C:\Windows\setupact.log
2014-05-09 05:34 - 2014-05-03 07:49 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-05-09 05:34 - 2012-01-14 12:15 - 00000000 ____D () C:\users\Alicia
2014-05-03 07:57 - 2012-01-14 09:21 - 00003934 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{406271A2-5C4F-4B73-A93B-115D35C5CAA7}
2014-05-03 07:49 - 2014-05-03 07:49 - 00000862 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-04-30 09:02 - 2011-04-09 13:03 - 00000000 ____D () C:\Windows\SysWOW64\Macromed
2014-04-29 13:13 - 2013-08-13 13:50 - 00000000 ____D () C:\ProgramData\MFAData
2014-04-29 13:09 - 2010-11-20 19:47 - 00360316 _____ () C:\Windows\PFRO.log
2014-04-28 12:06 - 2012-04-01 05:03 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-04-26 06:19 - 2014-02-19 13:49 - 00003192 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForAlicia
2014-04-22 02:13 - 2014-04-21 06:05 - 00000000 ____D () C:\ProgramData\AVG Security Toolbar
2014-04-22 02:10 - 2012-01-24 15:35 - 00000000 ____D () C:\Users\Alicia\AppData\Roaming\Skype
2014-04-22 02:09 - 2014-04-21 06:05 - 00000000 ____D () C:\Users\Alicia\AppData\Local\AVG Web TuneUp
2014-04-21 06:05 - 2014-04-21 06:04 - 00000000 ____D () C:\ProgramData\AVG Web TuneUp
2014-04-21 06:04 - 2014-04-21 06:04 - 00000000 ____D () C:\ProgramData\AVG Secure Search
2014-04-21 06:04 - 2014-04-21 06:04 - 00000000 ____D () C:\Program Files (x86)\AVG Web TuneUp
2014-04-21 06:03 - 2014-04-21 06:05 - 00050464 _____ (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2014-04-18 11:01 - 2014-04-18 11:01 - 00237336 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgidsdrivera.sys
2014-04-17 14:01 - 2014-04-17 14:01 - 00000000 ____S () C:\Windows\System32\wvqkvyc.oiu
2014-04-15 14:53 - 2014-04-15 14:53 - 00000064 _____ () C:\Windows\System32\qcom.cyf
2014-04-15 14:53 - 2014-04-15 14:53 - 00000000 _____ () C:\Windows\System32\czxj.lym
2014-04-15 14:37 - 2014-04-15 14:37 - 00234915 ____S () C:\Windows\System32\yhgpdqc.hyd
2014-04-13 14:34 - 2012-01-30 11:58 - 00000000 _____ () C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2014-04-12 15:17 - 2014-04-02 13:39 - 00000000 ____D () C:\Windows\System32\MpEngineStore
2014-04-12 14:59 - 2013-08-13 15:43 - 00000000 ____D () C:\Windows\System32\MRT
2014-04-12 14:46 - 2013-08-13 15:43 - 90655440 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-04-11 08:18 - 2012-09-17 15:59 - 00000000 ____D () C:\Program Files (x86)\SelectRebates
2014-04-11 08:18 - 2011-04-09 13:13 - 00000000 ____D () C:\ProgramData\RoxioNow
2014-04-10 04:28 - 2014-04-10 04:08 - 00000000 ____D () C:\Users\Alicia\Desktop\alicia's phone

Files to move or delete:
====================
C:\Users\Alicia\acrobat.exe
C:\Users\Alicia\acrobatreader.exe
C:\Users\Alicia\alg.exe
C:\Users\Alicia\chrome.exe
C:\Users\Alicia\jqs.exe
C:\Users\Alicia\msconfig.exe
C:\Users\Alicia\notepad.exe
C:\Users\Alicia\teamviewer.exe
C:\Users\Alicia\vlcplayer.exe


Some content of TEMP:
====================
C:\Users\Alicia\AppData\Local\Temp\MotorolaDeviceManager_2.2.28.exe
C:\Users\Alicia\AppData\Local\Temp\sp64126.exe
C:\Users\Alicia\AppData\Local\Temp\UninstallHPSA.exe


==================== Known DLLs (Whitelisted) ================

C:\Windows\SysWOW64\kernel32.dll IS MISSING <==== ATTENTION!

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2010-11-20 19:24] - [2010-11-20 19:24] - 0515072 ____A (Microsoft Corporation) D597C5F688351270B04265403298C857

ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== Restore Points =========================

Restore point made on: 2014-05-03 23:04:51
Restore point made on: 2014-05-06 13:39:39
Restore point made on: 2014-05-06 23:03:29
Restore point made on: 2014-05-08 08:43:49
Restore point made on: 2014-05-09 05:40:31

==================== Memory info =========================== 

Percentage of memory in use: 21%
Total physical RAM: 3001.89 MB
Available physical RAM: 2345.99 MB
Total Pagefile: 3000.04 MB
Available Pagefile: 2338.77 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:284.21 GB) (Free:18.97 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (RECOVERY) (Fixed) (Total:13.58 GB) (Free:1.69 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (Harper) (CDROM) (Total:0.08 GB) (Free:0 GB) CDFS
Drive g: (STORE N GO) (Removable) (Total:3.73 GB) (Free:3.66 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected.

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 7B0CBEB5)
Partition 00: (Active) - (Size=0) - (Type=00) ATTENTION ===> 0 byte partition bootkit.
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=284 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=14 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.


LastRegBack: 2014-02-21 02:51

==================== End Of Log ============================
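Reading an FRST log like the one above means finding the handful of lines that matter among a few hundred lines of whitelisted noise. The Python script below is an added example written for this page, not code from FRST, Farbar, BleepingComputer or either poster: it splits an FRST.txt into its sections and pulls out what a helper acts on first, namely FRST's own ATTENTION markers, the "Files to move or delete" list, the partition-table entries (an active zero-size Type=00 slot plus a second active partition, which is how the "0 byte partition bootkit" shows up above), and any file in the Bamital check whose MD5 FRST did not vouch for. The embedded sample is a trimmed excerpt of the log posted in #3; the severity labels and the one-active-partition rule are this example's own triage conventions, not FRST's.

```python
"""Triage a Farbar Recovery Scan Tool (FRST.txt) log: pull out what a
malware-removal helper reads first. Added example, not FRST's own code."""
import re
from dataclasses import dataclass

# Trimmed excerpt of the FRST.txt posted in this thread (blank lines dropped),
# embedded as sample input so the script runs offline. Raw string: backslashes stay.
SAMPLE_LOG = r"""Files to move or delete:
====================
C:\Users\Alicia\acrobat.exe
C:\Users\Alicia\chrome.exe
C:\Users\Alicia\msconfig.exe
C:\Users\Alicia\notepad.exe
==================== Known DLLs (Whitelisted) ================
C:\Windows\SysWOW64\kernel32.dll IS MISSING <==== ATTENTION!
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2010-11-20 19:24] - [2010-11-20 19:24] - 0515072 ____A (Microsoft Corporation) D597C5F688351270B04265403298C857
TDL4: custom:26000022 <===== ATTENTION!
==================== Drives ================================
ATTENTION: Malware custom entry on BCD on drive y: detected.
==================== MBR & Partition Table ==================
Partition 00: (Active) - (Size=0) - (Type=00) ATTENTION ===> 0 byte partition bootkit.
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=284 GB) - (Type=07 NTFS)
==================== End Of Log ============================
"""

BANNER_RE = re.compile(r"^=+\s+(\S.*?)\s+=+$")  # "==== Title ===="
UNDERLINE_RE = re.compile(r"^=+$")              # '=' line under "Title:"
PARTITION_RE = re.compile(r"^Partition\s+(\d+):\s+\((Active|Not Active)\)\s+-\s+"
                          r"\(Size=(\d+)\s*\w*\)\s+-\s+\(Type=([0-9A-Fa-f]{2})")
MD5_RE = re.compile(r"\b[0-9A-Fa-f]{32}\b")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "review" (this example's own labels)
    section: str
    detail: str


def split_sections(text):
    """Map section title -> lines. FRST uses '==== Title ====' banners and
    'Title:' over a line of '='; text before any header goes under 'Header'."""
    sections, current, lines, i = {"Header": []}, "Header", text.splitlines(), 0
    while i < len(lines):
        line = lines[i].rstrip()
        banner = BANNER_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        elif line.endswith(":") and i + 1 < len(lines) and UNDERLINE_RE.match(lines[i + 1].rstrip()):
            current = line[:-1]
            sections.setdefault(current, [])
            i += 1  # skip the underline
        else:
            sections[current].append(line)
        i += 1
    return sections


def triage(text):
    """Findings in log order: FRST's own ATTENTION markers, the move-or-delete
    list, partition-table anomalies, and system files with an unverified MD5."""
    sections = split_sections(text)
    findings = []
    for section, lines in sections.items():  # 1. anything FRST flagged itself
        findings += [Finding("high", section, ln.strip()) for ln in lines if "ATTENTION" in ln]
    for line in sections.get("Files to move or delete", []):  # 2. one finding per path
        if line.strip():
            findings.append(Finding("medium", "Files to move or delete", line.strip()))
    # 3. A standard MBR has exactly one active partition, and an active slot with
    #    Type=00 or Size=0 is not a real one: FRST's bootkit check redone from the raw table.
    active = 0
    for line in sections.get("MBR & Partition Table", []):
        m = PARTITION_RE.match(line.strip())
        if m and m.group(2) == "Active":
            active += 1
            number, size, ptype = m.group(1), m.group(3), m.group(4)
            if ptype == "00" or size == "0":
                findings.append(Finding("high", "MBR & Partition Table",
                                        f"partition {number}: active with Type={ptype} Size={size}"))
    if active > 1:
        findings.append(Finding("high", "MBR & Partition Table",
                                f"{active} active partitions (a standard MBR has one)"))
    # 4. In the Bamital check a bare path followed by a hash line means FRST did
    #    not vouch for that file and wants its MD5 looked up by hand.
    bamital = sections.get("Bamital & volsnap Check", [])
    for i, line in enumerate(bamital):
        path = line.strip()
        if path.startswith("C:\\") and "=>" not in path and i + 1 < len(bamital):
            md5 = MD5_RE.search(bamital[i + 1])
            if md5:
                findings.append(Finding("review", "Bamital & volsnap Check",
                                        f"{path} MD5={md5.group(0)} (look the hash up)"))
    return findings
```

Against a full log, call `triage(open("FRST.txt").read())` and print the findings; on the sample above it returns six high, four medium and one review finding, the review item being rpcss.dll with the MD5 that FRST's note asks you to look up. The partition check deliberately re-derives the bootkit verdict from the raw table rather than from FRST's ATTENTION text, so the two rules agreeing (as they do here) is itself a small cross-check.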



#4 gringo_pr

  • Malware Response Team

Posted 12 May 2014 - 05:27 AM

I am closing this as you are getting help in another forum.

Gringo

#5 gringo_pr

  • Malware Response Team

Posted 12 May 2014 - 06:51 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



