
ICE Cyber Crime Center Fixlist Request - FRST.txt enclosed


  • This topic is locked
2 replies to this topic

#1 bmac9949

bmac9949

  • Members
  • 1 posts

Posted 26 May 2014 - 01:23 PM

Hello and thank you in advance for any help you may be able to provide.  I have the ICE Cyber Crime Center Malware that disables all Safe Mode startup, but have been able to run FRST and generate FRST.txt via the Repair My Computer menu.  However, I have no knowledge of how to transition this file into a fix list, so if anyone could assist with that it would be greatly appreciated.  Thanks again for your help.  The FRST.txt is below:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-05-2014 02

Ran by SYSTEM on MININT-SHIB8LO on 26-05-2014 18:00:21
Running from D:\
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Apple_KbdMgr] => C:\Program Files\Boot Camp\Bootcamp.exe [743776 2013-01-16] (Apple Inc.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291280 2013-01-02] (Intel Corporation)
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [88984 2013-03-10] (Elaborate Bytes AG)
Startup: C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
ShortcutTarget: explorer.lnk -> C:\ProgramData\7F77BB05A964640F6D592CFBA78E5556\qf6jvhf.cpp (Microsoft Corporation)
 
==================== Services (Whitelisted) =================
 
S2 AppleOSSMgr; C:\Windows\system32\AppleOSSMgr.exe [226144 2013-01-16] ()
S2 Winmgmt; C:\ProgramData\7F77BB05A964640F6D592CFBA78E5556\fhvj6fq.dot [333040 2014-05-26] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
S3 applemtm; C:\Windows\System32\DRIVERS\applemtm.sys [12288 2011-06-17] (Apple Inc.)
S3 applemtp; C:\Windows\System32\DRIVERS\applemtp.sys [38912 2011-06-17] (Apple Inc.)
S3 B57ports; C:\Windows\System32\DRIVERS\b57ports.sys [44544 2012-12-10] (Broadcom Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-05-26 18:00 - 2014-05-26 18:00 - 00000000 ____D () C:\FRST
2014-05-26 09:46 - 2014-05-26 09:50 - 00001726 _____ () C:\ProgramData\RUNDLL32.EXE-2956-F.txt
2014-05-26 09:17 - 2014-05-26 09:18 - 00001147 _____ () C:\ProgramData\RUNDLL32.EXE-2508-F.txt
2014-05-26 09:04 - 2014-05-26 09:12 - 00000000 ____D () C:\ProgramData\7F77BB05A964640F6D592CFBA78E5556
2014-05-26 07:39 - 2014-05-26 07:39 - 00001378 _____ () C:\Users\Brian\Desktop\KSP - Shortcut.lnk
2014-05-26 07:36 - 2014-05-26 07:36 - 00001429 _____ () C:\Users\Brian\Desktop\Launcher - Shortcut.lnk
2014-05-25 10:13 - 2014-05-25 10:14 - 00000000 ____D () C:\Program Files (x86)\KSP_win
2014-05-25 10:06 - 2014-05-25 10:11 - 477432300 ____R () C:\Users\Brian\Downloads\ksp-win-0-23-5.zip
2014-05-15 09:40 - 2014-05-15 09:40 - 00000000 ____D () C:\Users\Brian\Downloads\en_office_suite_2007_service_pack_1_x86_cd_x13-87877
2014-05-15 09:35 - 2014-05-15 09:40 - 00003114 _____ () C:\Users\Brian\Desktop\SecureDownloadManager.log
2014-05-15 09:35 - 2014-05-15 09:35 - 00003139 _____ () C:\Users\Brian\Desktop\Shortcut to SecureDownloadManager.exe.lnk
2014-05-15 09:35 - 2014-05-15 09:35 - 00000000 ____D () C:\Users\Brian\AppData\Roaming\e-academy Inc
2014-05-15 09:35 - 2014-05-15 09:35 - 00000000 ____D () C:\Users\Brian\AppData\Local\e-academy Inc
 
==================== One Month Modified Files and Folders =======
 
2014-05-26 18:00 - 2014-05-26 18:00 - 00000000 ____D () C:\FRST
2014-05-26 14:45 - 2013-11-21 03:47 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-05-26 14:45 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-05-26 09:50 - 2014-05-26 09:46 - 00001726 _____ () C:\ProgramData\RUNDLL32.EXE-2956-F.txt
2014-05-26 09:50 - 2009-07-13 20:45 - 00021872 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-26 09:50 - 2009-07-13 20:45 - 00021872 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-26 09:48 - 2009-07-13 20:51 - 00042256 _____ () C:\Windows\setupact.log
2014-05-26 09:18 - 2014-05-26 09:17 - 00001147 _____ () C:\ProgramData\RUNDLL32.EXE-2508-F.txt
2014-05-26 09:16 - 2013-11-21 02:44 - 00512359 _____ () C:\Windows\WindowsUpdate.log
2014-05-26 09:12 - 2014-05-26 09:04 - 00000000 ____D () C:\ProgramData\7F77BB05A964640F6D592CFBA78E5556
2014-05-26 07:39 - 2014-05-26 07:39 - 00001378 _____ () C:\Users\Brian\Desktop\KSP - Shortcut.lnk
2014-05-26 07:39 - 2009-07-13 21:13 - 00778150 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-05-26 07:36 - 2014-05-26 07:36 - 00001429 _____ () C:\Users\Brian\Desktop\Launcher - Shortcut.lnk
2014-05-25 11:43 - 2013-11-22 15:16 - 00000000 ____D () C:\Users\Brian\AppData\Roaming\uTorrent
2014-05-25 10:14 - 2014-05-25 10:13 - 00000000 ____D () C:\Program Files (x86)\KSP_win
2014-05-25 10:11 - 2014-05-25 10:06 - 477432300 ____R () C:\Users\Brian\Downloads\ksp-win-0-23-5.zip
2014-05-15 09:40 - 2014-05-15 09:40 - 00000000 ____D () C:\Users\Brian\Downloads\en_office_suite_2007_service_pack_1_x86_cd_x13-87877
2014-05-15 09:40 - 2014-05-15 09:35 - 00003114 _____ () C:\Users\Brian\Desktop\SecureDownloadManager.log
2014-05-15 09:35 - 2014-05-15 09:35 - 00003139 _____ () C:\Users\Brian\Desktop\Shortcut to SecureDownloadManager.exe.lnk
2014-05-15 09:35 - 2014-05-15 09:35 - 00000000 ____D () C:\Users\Brian\AppData\Roaming\e-academy Inc
2014-05-15 09:35 - 2014-05-15 09:35 - 00000000 ____D () C:\Users\Brian\AppData\Local\e-academy Inc
2014-04-26 11:20 - 2013-11-22 15:24 - 00000000 ____D () C:\Users\Brian\AppData\Local\PMB Files
2014-04-26 11:20 - 2013-11-22 15:24 - 00000000 ____D () C:\ProgramData\PMB Files
 
Some content of TEMP:
====================
C:\Users\Brian\AppData\Local\Temp\drm_dialogs.dll
C:\Users\Brian\AppData\Local\Temp\drm_dyndata_7400009.dll
C:\Users\Brian\AppData\Local\Temp\IntelxHCISetup.exe
C:\Users\Brian\AppData\Local\Temp\swt-win32-3349.dll
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 9%
Total physical RAM: 8098.7 MB
Available physical RAM: 7340.43 MB
Total Pagefile: 8096.9 MB
Available Pagefile: 7348.59 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB
 
==================== Drives ================================
 
Drive c: (BOOTCAMP) (Fixed) (Total:70.78 GB) (Free:4.48 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: () (Removable) (Total:1.87 GB) (Free:1.87 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 234 GB) (Disk ID: 72115FA0)
 
Partition: GPT Partition Type.
Partition 2: (Not Active) - (Size=162 GB) - (Type=AF)
Partition 3: (Not Active) - (Size=620 MB) - (Type=AB)
Partition 4: (Active) - (Size=71 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 20A52C1C)
Partition 1: (Not Active) - (Size=2 GB) - (Type=06)
 
 
LastRegBack: 2014-02-28 09:14
 
==================== End Of Log ============================
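As an added illustration, not part of the original thread or of FRST itself: a small Python triage script that reads the autostart lines from the FRST.txt above (embedded as a constructed sample) and flags the entries a malware responder would look at first. The heuristics (a 32-hex-character ProgramData directory, a non-executable extension on an image, a built-in service image outside C:\Windows) and the BUILTIN_SERVICES list are my assumptions, not FRST's own logic.

```python
import re

# Constructed sample: autostart lines copied from the FRST.txt posted above.
SAMPLE_LOG = r"""
HKLM\...\Run: [Apple_KbdMgr] => C:\Program Files\Boot Camp\Bootcamp.exe [743776 2013-01-16] (Apple Inc.)
ShortcutTarget: explorer.lnk -> C:\ProgramData\7F77BB05A964640F6D592CFBA78E5556\qf6jvhf.cpp (Microsoft Corporation)
S2 AppleOSSMgr; C:\Windows\system32\AppleOSSMgr.exe [226144 2013-01-16] ()
S2 Winmgmt; C:\ProgramData\7F77BB05A964640F6D592CFBA78E5556\fhvj6fq.dot [333040 2014-05-26] (Microsoft Corporation)
S3 applemtm; C:\Windows\System32\DRIVERS\applemtm.sys [12288 2011-06-17] (Apple Inc.)
"""

# Each pattern captures the entry name and the image or shortcut target path.
ENTRY_PATTERNS = [
    ("run", re.compile(r"^HKLM(?:-x32)?\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<path>.+?) \[")),
    ("service", re.compile(r"^[SR][0-4] (?P<name>[^;]+); (?P<path>.+?) \[")),
    ("shortcut", re.compile(r"^ShortcutTarget: (?P<name>\S+) -> (?P<path>.+?) \([^()]*\)$")),
]
HEX_DIR = re.compile(r"\\ProgramData\\[0-9A-Fa-f]{32}\\", re.IGNORECASE)
EXPECTED_EXT = {".exe", ".sys", ".dll"}
# Assumed list of built-in services whose image should live under C:\Windows.
BUILTIN_SERVICES = {"winmgmt", "wuauserv", "bits"}


def parse_entries(log: str):
    """Yield (kind, name, path) for every autostart line FRST reports."""
    for line in log.splitlines():
        for kind, pat in ENTRY_PATTERNS:
            m = pat.match(line.strip())
            if m:
                yield kind, m.group("name"), m.group("path")
                break


def suspicious_reasons(kind: str, name: str, path: str) -> list:
    """Apply the triage heuristics to one entry and return the reasons it trips."""
    reasons = []
    if HEX_DIR.search(path):
        reasons.append("image in a 32-hex-character ProgramData directory")
    filename = path.rsplit("\\", 1)[-1]
    ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
    if ext not in EXPECTED_EXT:
        reasons.append(f"unexpected extension {ext or '(none)'} for an executable image")
    if kind == "service" and name.lower() in BUILTIN_SERVICES and "\\windows\\" not in path.lower():
        reasons.append("built-in service image outside C:\\Windows")
    return reasons


def triage(log: str) -> dict:
    """Return {entry name: [reasons]} for entries that trip at least one heuristic."""
    findings = {}
    for kind, name, path in parse_entries(log):
        reasons = suspicious_reasons(kind, name, path)
        if reasons:
            findings[name] = reasons
    return findings
```

On the sample above it flags only the explorer.lnk shortcut target and the Winmgmt service, which are exactly the two entries the fixlist in the reply would have to address.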



#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,760 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 29 May 2014 - 10:12 PM

:welcome:

 

Download the enclosed file. [attachment=150828:fixlist.txt]

 

Save it in the same location FRST is saved.

 

Run FRST and click on the Fix button.

 

The tool will make a log in the same location FRST is saved (Fixlog.txt). Please post it in your reply.

Restart in Normal Mode. Let me know the outcome.

Edited by JSntgRvr, 29 May 2014 - 10:14 PM.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,760 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 27 July 2014 - 11:06 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.


