DECRYPT_INSTRUCTION files have been automatically created & my files are damaged


  • This topic is locked
16 replies to this topic

#1 plyp
  • Members
  • 12 posts

Posted 22 August 2014 - 08:10 AM

Symptoms

 

Last Saturday, I was surfing the net as usual. But then suddenly, my browser (IE 8) shut itself down, twice.

 

After rebooting my machine, I realized my Notepad files that I had saved with UTF-8 encoding had become unreadable or alien-language text.

 

Later, I noticed this set of 3 files in many of my folders:

1. DECRYPT_INSTRUCTION.html (attached, 8KB)

2. DECRYPT_INSTRUCTION.txt (attached, 4.04KB)

3. an internet shortcut named DECRYPT_INSTRUCTION (I right-clicked to see its properties; its URL is http://kpai7ycr7jxqkilp.totortoweb.com/d07a)

 

Many of my files that have the following extensions are broken:

1. txt

2. pdf

3. MP3

4. flv

5. JPEG

 

A few days ago, before I came to post here, I downloaded Kaspersky Virus Removal Tool and scanned my laptop. The result said something like, there are some files that have password protection. I myself don't know how to create a password to protect my file. So, who did that?

 

Another symptom is that sometimes my laptop freezes, and when I reboot it I get a blue screen.


My laptop

 

Dell Inspiron 1525
Windows Vista Home Premium
2007 Microsoft Corporation
Service Pack 2
Intel Pentium Dual CPU T2390 @ 1.86GHz 1.87 GHz

2.0 GB RAM

32 bit

Internet Explorer 8

 

My laptop got infected before with Smart Guard Fake Anti-virus (and possibly some other virus/malware/trojan/something, I can't remember; this laptop is kinda old though). At that time my laptop was very damaged. My USB drive(s) got infected too.

 

I'm not sure if my machine has real-time protection software; it seems not. I searched on Google but I don't know which one to choose from :(

 

Please help me clean my laptop and my USB drives.

And please also help recover my damaged files as many of them are important for me.

 

Thank you.

DDS

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 10.67.2
Run by me at 23:57:49 on 2014-08-21
AV: AVG Anti-Virus Free *Disabled/Outdated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Disabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\xampp\mysql\bin\mysqld.exe
C:\Program Files\Ralink\Common\RaRegistry.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\System32\StkASv2K.exe
C:\Windows\system32\vmnat.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Ralink\Common\RaUI.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [vufuencs] "c:\users\me\appdata\local\temp\35twapr42npvfdhku9p\appdata\local\dhdgjpwb.exe"
uRun: [hqkcomka] c:\users\me\appdata\local\temp\kqnbmidwv7fisalnryw\hqkcomka.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\me\appdata\roaming\micros~1\windows\startm~1\programs\startup\rasautou.lnk - c:\users\me\appdata\roaming\microsoft\windows\ieupdate\rasautou.exe
StartupFolder: c:\users\me\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\me\appdata\local\temp\_uninst_46898393.bat
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: Run = "c:\users\me\appdata\roaming\microsoft\windows\ieupdate\rasautou.exe"
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableVirtualization = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-001051-0002-0051-ABCDEFFEDCBC} - <orphaned>
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: c:\windows\system32\wpclsp.dll
LSP: %windir%\system32\vsocklib.dll
Trusted Zone: dell.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 10.42.254.6 10.42.254.34
TCP: Interfaces\{4877D030-7E39-41D8-A09F-2DD50936215F} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{9493EA51-2071-4777-9E34-684956FB03AB} : DHCPNameServer = 10.42.254.6 10.42.254.34
TCP: Interfaces\{AB4AC2B4-9220-4BA1-9493-F598C36B6F39} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{F7AAB0F8-356C-4463-953C-7CB524915CED} : DHCPNameServer = 8.8.8.8 8.8.4.4
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\windows\system32\avgrsstx.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R0 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys [2012-10-24 71152]
R0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys [2013-8-10 61464]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-17 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-17 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-17 243024]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-12-10 73728]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-17 308136]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 RalinkRegistryWriter;RalinkRegistryWriter;c:\program files\ralink\common\RaRegistry.exe [2014-7-29 372736]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2013-10-9 3275136]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2012-10-11 721048]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-10 111616]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2014-7-29 1202752]
RUnknown 1489405drv;1489405drv; [x]
RUnknown 69660479;69660479; [x]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2010-7-17 29416]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-19 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-9-5 171680]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2013-8-8 15576]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2013-8-8 10200]
S3 RaMediaServer;Ralink UPnP Media Server;c:\program files\ralink\common\RaMediaServer.exe [2014-7-29 625728]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-19 753504]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
.js: <filetype is not registered>
ShellExec: Opera.exe: open="c:\program files\opera\Launcher.exe" "%1"
.
=============== Created Last 30 ================
.
2014-08-21 16:53:28 -------- d--h--w- c:\windows\PIF
2014-08-20 09:19:52 -------- d-----w- c:\programdata\Kaspersky Lab
2014-08-18 11:46:06 -------- d-----w- c:\program files\ESET
2014-08-18 11:25:18 -------- d-----w- c:\users\me\appdata\roaming\R-TT
2014-08-18 11:22:31 -------- d-----w- c:\program files\R-Studio
2014-08-17 13:48:59 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-08-16 10:34:14 263072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2014-08-16 06:32:36 -------- d-----w- c:\users\me\appdata\local\Temp
2014-08-16 05:31:10 -------- d--h--w- C:\610757c
2014-07-31 18:58:35 -------- d-----w- c:\users\me\appdata\roaming\Apuqozq
2014-07-31 18:56:53 -------- d-----w- c:\users\me\appdata\roaming\Wuhiorn
2014-07-29 08:11:15 -------- d-----w- c:\programdata\Ralink
2014-07-29 08:09:45 238944 ----a-w- c:\windows\system32\RaCoInst.dll
2014-07-29 08:09:45 1202752 ----a-w- c:\windows\system32\drivers\netr28u.sys
2014-07-29 08:09:44 -------- d-----w- c:\programdata\Ralink Driver
2014-07-29 08:09:37 795648 ----a-w- c:\windows\system32\RAIHV.dll
2014-07-29 08:09:37 117760 ----a-w- c:\windows\system32\RAEXTUI.dll
2014-07-29 08:09:36 480608 ----a-w- c:\windows\system32\DiagFunc.dll
2014-07-29 08:09:36 1608768 ----a-w- c:\windows\system32\RaCertMgr.dll
2014-07-24 15:34:08 -------- d-----w- c:\users\me\appdata\roaming\Esynlu
2014-07-24 15:33:48 -------- d-----w- c:\users\me\appdata\roaming\Ukusarik
2014-07-23 20:26:29 -------- d-----w- c:\users\me\appdata\roaming\Sevywyo
2014-07-23 20:25:02 -------- d-----w- c:\users\me\appdata\roaming\Cofatit
.
==================== Find3M  ====================
.
2014-08-19 09:00:08 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-03-21 02:58:11 18005296 ----a-w- c:\program files\IE9-WindowsVista-x86-enu.exe
2010-06-16 06:37:10 1714294 ----a-w- c:\program files\tvplayer.exe
2004-03-17 21:13:46 1028368 ----a-w- c:\program files\vbrun60sp6.exe
.
============= FINISH: 23:58:47.24 ===============

Attached file: attach.txt (12.7KB)


Edited by plyp, 22 August 2014 - 01:48 PM.
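As an added triage aid (example code written for this page, not part of the thread or of the DDS tool): a Python script that parses the uRun/mRun, StartupFolder and Policies lines of a DDS Pseudo HJT Report, using lines copied from the log above as its sample, and flags autoruns that launch from temp or profile directories, an Explorer policy Run value, and EnableLUA set to 0. The severity labels are this example's own heuristics; a flagged line warrants review, not automatic deletion.

```python
"""Triage helper for the autorun and policy lines of a DDS "Pseudo HJT Report".

Added example for this page; the sample lines are copied from the DDS log
posted above, and the severity rules are this example's own heuristics.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the Pseudo HJT Report lines posted in the thread.
SAMPLE_REPORT = r"""
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [vufuencs] "c:\users\me\appdata\local\temp\35twapr42npvfdhku9p\appdata\local\dhdgjpwb.exe"
uRun: [hqkcomka] c:\users\me\appdata\local\temp\kqnbmidwv7fisalnryw\hqkcomka.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
StartupFolder: c:\users\me\appdata\roaming\micros~1\windows\startm~1\programs\startup\rasautou.lnk - c:\users\me\appdata\roaming\microsoft\windows\ieupdate\rasautou.exe
StartupFolder: c:\users\me\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\me\appdata\local\temp\_uninst_46898393.bat
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: Run = "c:\users\me\appdata\roaming\microsoft\windows\ieupdate\rasautou.exe"
mPolicies-System: EnableLUA = dword:0
"""

# DDS line shapes: "uRun: [name] command", "StartupFolder: link - target",
# "uPolicies-Area: Key = value".  Prefix u = per-user hive, m = machine hive.
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<lnk>.+?) - (?P<cmd>.+)$")
POLICY_RE = re.compile(r"^(?P<hive>[um])Policies-(?P<area>\w+): (?P<key>\w+) = (?P<val>.+)$")
# First executable-looking path in a command line, with or without quotes.
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|bat|cmd|scr|com|dll))"?', re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    line: str       # the DDS line that triggered the rule
    reason: str


def extract_image(cmd: str) -> str:
    """Return the lower-cased image path of a Run/StartupFolder command."""
    m = IMAGE_RE.match(cmd.strip())
    return (m.group("path") if m else cmd.strip()).lower()


def classify_image(image: str) -> tuple[str, str] | None:
    """Heuristic: where an autorun image lives says a lot about its legitimacy."""
    if "\\temp\\" in image:
        return "high", "autorun image lives in a temp directory"
    if "\\appdata\\" in image or "\\programdata\\" in image:
        return "medium", "autorun image lives in a user-writable profile directory"
    return None


def triage(report: str) -> list[Finding]:
    """Walk the report once and collect the entries a helper would check first."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            hit = classify_image(extract_image(m.group("cmd")))
            if hit:
                findings.append(Finding(hit[0], line, hit[1]))
            continue
        m = POLICY_RE.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val").strip('"')
        if m.group("area") == "Explorer" and key == "Run":
            # A policy-driven Run value is rarely set on a home PC and runs at every logon.
            findings.append(Finding("high", line, "Explorer policy Run value set: " + val))
        elif key == "EnableLUA" and val == "dword:0":
            findings.append(Finding("medium", line, "UAC disabled (EnableLUA = 0)"))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity.upper():6}] {f.reason}\n         {f.line}")
```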



#2 HelpBot
    Bleepin' Binary Bot
  • Bots
  • 12,702 posts

Posted 27 August 2014 - 08:15 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/545279 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 plyp
  • Topic Starter
  • Members
  • 12 posts

Posted 27 August 2014 - 11:19 AM

YOU MUST tell me if you still need help!

To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/545279 <<< CLICK THIS LINK

Yes, please. I still need help.

If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.

Eset Online Scanner detected "Filecoder.CR trojan".

Other details are in my first post.

A new DDS log.

  • Please do this even if you have previously posted logs for us.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 10.67.2
Run by me at 22:55:36 on 2014-08-27
AV: AVG Anti-Virus Free *Disabled/Outdated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Disabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\xampp\mysql\bin\mysqld.exe
C:\Program Files\Ralink\Common\RaRegistry.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\System32\StkASv2K.exe
C:\Windows\system32\vmnat.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Ralink\Common\RaUI.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Naver\LINE\Line.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [vufuencs] "c:\users\me\appdata\local\temp\35twapr42npvfdhku9p\appdata\local\dhdgjpwb.exe"
uRun: [hqkcomka] c:\users\me\appdata\local\temp\kqnbmidwv7fisalnryw\hqkcomka.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\me\appdata\roaming\micros~1\windows\startm~1\programs\startup\rasautou.lnk - c:\users\me\appdata\roaming\microsoft\windows\ieupdate\rasautou.exe
StartupFolder: c:\users\me\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\me\appdata\local\temp\_uninst_46898393.bat
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: Run = "c:\users\me\appdata\roaming\microsoft\windows\ieupdate\rasautou.exe"
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableVirtualization = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-001051-0002-0051-ABCDEFFEDCBC} - <orphaned>
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: c:\windows\system32\wpclsp.dll
LSP: %windir%\system32\vsocklib.dll
Trusted Zone: dell.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{4877D030-7E39-41D8-A09F-2DD50936215F} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{9493EA51-2071-4777-9E34-684956FB03AB} : DHCPNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{AB4AC2B4-9220-4BA1-9493-F598C36B6F39} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{F7AAB0F8-356C-4463-953C-7CB524915CED} : DHCPNameServer = 8.8.8.8 8.8.4.4
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\windows\system32\avgrsstx.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R0 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys [2012-10-24 71152]
R0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys [2013-8-10 61464]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-17 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-17 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-17 243024]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-12-10 73728]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-17 308136]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-10 111616]
RUnknown 1489405drv;1489405drv; [x]
RUnknown 69660479;69660479; [x]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2010-7-17 29416]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-19 130384]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2014-7-29 1202752]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2013-8-8 15576]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2013-8-8 10200]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
.js: <filetype is not registered>
ShellExec: Opera.exe: open="c:\program files\opera\Launcher.exe" "%1"
.
=============== Created Last 30 ================
.
2014-08-21 16:53:28 -------- d--h--w- c:\windows\PIF
2014-08-20 09:19:52 -------- d-----w- c:\programdata\Kaspersky Lab
2014-08-18 11:46:06 -------- d-----w- c:\program files\ESET
2014-08-18 11:25:18 -------- d-----w- c:\users\me\appdata\roaming\R-TT
2014-08-18 11:22:31 -------- d-----w- c:\program files\R-Studio
2014-08-17 13:48:59 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-08-16 10:34:14 263072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2014-08-16 06:32:36 -------- d-----w- c:\users\me\appdata\local\Temp
2014-08-16 05:31:10 -------- d--h--w- C:\610757c
2014-07-31 18:58:35 -------- d-----w- c:\users\me\appdata\roaming\Apuqozq
2014-07-31 18:56:53 -------- d-----w- c:\users\me\appdata\roaming\Wuhiorn
2014-07-29 08:11:15 -------- d-----w- c:\programdata\Ralink
2014-07-29 08:09:45 238944 ----a-w- c:\windows\system32\RaCoInst.dll
2014-07-29 08:09:45 1202752 ----a-w- c:\windows\system32\drivers\netr28u.sys
2014-07-29 08:09:44 -------- d-----w- c:\programdata\Ralink Driver
2014-07-29 08:09:37 795648 ----a-w- c:\windows\system32\RAIHV.dll
2014-07-29 08:09:37 117760 ----a-w- c:\windows\system32\RAEXTUI.dll
2014-07-29 08:09:36 480608 ----a-w- c:\windows\system32\DiagFunc.dll
2014-07-29 08:09:36 1608768 ----a-w- c:\windows\system32\RaCertMgr.dll
.
==================== Find3M  ====================
.
2014-08-19 09:00:08 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-03-21 02:58:11 18005296 ----a-w- c:\program files\IE9-WindowsVista-x86-enu.exe
2010-06-16 06:37:10 1714294 ----a-w- c:\program files\tvplayer.exe
2004-03-17 21:13:46 1028368 ----a-w- c:\program files\vbrun60sp6.exe
.
============= FINISH: 22:57:48.54 ===============

Attached File: attach.txt (10.92KB, 1 downloads)

Quote: Please tell us if you have your original Windows CD/DVD available.

Available.


Edited by plyp, 27 August 2014 - 11:32 AM.


#4 The Pugilist


Posted 28 August 2014 - 07:11 PM

plyp,

I'll be assisting you with your problems here. First however, I need to review the material that you have provided to me.

In the meantime, please refrain from making further changes to your computer as it can make it difficult for me to help you.

Thanks for your patience and I'll post back here with instructions as soon as possible.


//Dave

#5 plyp


Posted 28 August 2014 - 09:42 PM

Ok. Please let me know if you need more information. Thank you.



#6 The Pugilist


Posted 29 August 2014 - 10:00 AM

plyp,

As you may know from the text files planted all over your computer, you have been infected with the CryptoWall malware. There's no easy way to tell somebody this, so I'll just give it to you straight. Unfortunately, at this time there is no method to decrypt the files that have been encrypted. It is possible that some time in the future, some method could be used to obtain the encryption keys used to encrypt your files, but until then, it is likely that your files are gone.

For more information about CryptoWall, and your potential recovery options, please refer to the BleepingComputer CryptoWall guide.

Having said that, there are some things that we can try to attempt to restore your data, but it's likely that they will not work. The best (most successful) method would be to restore from backups. Do you have any backups or do you employ backup software of any sort?

Also, there are malicious items still on your computer which are evident in the logs you provided to me. Once they have been taken care of we can discuss ways to attempt recovery of your files.

  • Download Combofix from one of the following links:
    Link 1
    Link 2
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    Quote

    DDS::
    uRun: [vufuencs] "c:\users\me\appdata\local\temp\35twapr42npvfdhku9p\appdata\local\dhdgjpwb.exe"
    uRun: [hqkcomka] c:\users\me\appdata\local\temp\kqnbmidwv7fisalnryw\hqkcomka.exe
    StartupFolder: c:\users\me\appdata\roaming\micros~1\windows\startm~1\programs\startup\rasautou.lnk - c:\users\me\appdata\roaming\microsoft\windows\ieupdate\rasautou.exe
    uPolicies-Explorer: Run = "c:\users\me\appdata\roaming\microsoft\windows\ieupdate\rasautou.exe"
    StartupFolder: c:\users\me\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\me\appdata\local\temp\_uninst_46898393.bat
    DRIVER::
    1489405drv
    69660479

    [image: CFScriptB-4.gif]
    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

//Dave
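The CFScript above names the DDS autostart entries that the helper judged malicious. As an added example that is not part of the thread and not a DDS or ComboFix feature, the Python below parses DDS-style autostart lines (uRun, mRun, StartupFolder, Policies-Explorer) and flags targets that launch from the user's Temp folder, from a data folder under Roaming\Microsoft\Windows, from a script file, or through the Explorer policy Run value; the heuristics and the sample lines (constructed from the entries quoted in this thread plus benign ones) are the example's own assumptions.

```python
"""Added example (not part of the thread): flag suspicious DDS autostart lines.

Heuristics are this example's own assumption, not a DDS or ComboFix feature:
legitimate autostart programs rarely launch from the user's Temp folder, from
data folders under Roaming\\Microsoft\\Windows, from script files, or through
the Explorer policy "Run" value.
"""
import re
from dataclasses import dataclass, field

AUTOSTART_KINDS = ("uRun", "mRun", "StartupFolder", "uPolicies-Explorer", "mPolicies-Explorer")
# A drive-letter path ending in an executable, shortcut or script extension.
PATH_RE = re.compile(r'[a-z]:\\[^"]*?\.(?:exe|bat|cmd|vbs|js|scr|lnk)\b', re.I)
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".scr")
# A long folder name mixing letters and digits, e.g. 35twapr42npvfdhku9p.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{12,}$", re.I)


@dataclass
class Finding:
    kind: str
    target: str
    reasons: list = field(default_factory=list)


def extract_target(text: str):
    """Return the last non-.lnk path in a DDS line (the program actually launched)."""
    paths = [p for p in PATH_RE.findall(text) if not p.lower().endswith(".lnk")]
    return paths[-1].lower() if paths else None


def assess(line: str):
    """Return a Finding for a suspicious autostart line, else None."""
    kind, sep, rest = line.partition(":")
    if not sep or kind not in AUTOSTART_KINDS:
        return None
    target = extract_target(rest)
    if target is None:
        return None
    reasons = []
    if "\\appdata\\local\\temp\\" in target:
        reasons.append("launches from the user's Temp folder")
    if "\\appdata\\roaming\\microsoft\\windows\\" in target and target.endswith(".exe"):
        reasons.append("executable placed in a Roaming\\Microsoft\\Windows data folder")
    if target.endswith(SCRIPT_EXTS):
        reasons.append("script file run at startup")
    if kind.endswith("Policies-Explorer") and rest.strip().lower().startswith("run ="):
        reasons.append("set through the Explorer policy Run value, an uncommon autostart")
    if any(RANDOM_NAME_RE.match(part) for part in target.split("\\")[:-1]):
        reasons.append("random-looking folder name in path")
    return Finding(kind, target, reasons) if reasons else None


def triage(log_text: str):
    """Run assess() over every line of a DDS log and collect the findings."""
    return [f for f in (assess(ln.strip()) for ln in log_text.splitlines()) if f]


# Constructed sample: the entries the helper named in the CFScript plus benign ones.
SAMPLE_LOG = r"""
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [vufuencs] "c:\users\me\appdata\local\temp\35twapr42npvfdhku9p\appdata\local\dhdgjpwb.exe"
uRun: [hqkcomka] c:\users\me\appdata\local\temp\kqnbmidwv7fisalnryw\hqkcomka.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
StartupFolder: c:\users\me\appdata\roaming\micros~1\windows\startm~1\programs\startup\rasautou.lnk - c:\users\me\appdata\roaming\microsoft\windows\ieupdate\rasautou.exe
uPolicies-Explorer: Run = "c:\users\me\appdata\roaming\microsoft\windows\ieupdate\rasautou.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
StartupFolder: c:\users\me\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\me\appdata\local\temp\_uninst_46898393.bat
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.target}\n    - " + "\n    - ".join(f.reasons))
```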

#7 plyp


Posted 29 August 2014 - 12:28 PM

Thank you Dave.

For some types of file like .pdf, .html or .doc, I can re-download from the internet, or re-create them myself.

But the notepad files mostly contain very important info. And it's like impossible to re-create them.

I usually create notepad files on the desktop. Then copy them to my USB drive(s). But sometimes when I make changes to the original files on the desktop, I didn't copy the edited version to my USB drive. So, the backups aren't really useful because they're outdated.

Both my laptop and USB drives are infected, so I'm afraid to connect them together.

To me, a notepad file is a very simple type of file, just plain text, no image or anything complicated. Do you think it would be a little easier to recover than the other types of file?

Here is the log. Did the log say anything about the cause of the infections? Thanks again.

ComboFix.txt

 

ComboFix 14-08-29.03 - me 29-Aug-14  22:48:40.2.2 - x86
Running from: c:\users\me\Desktop\ComboFix.exe
Command switches used :: c:\users\me\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Outdated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Disabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_1489405DRV
-------\Legacy_69660479
.
.
(((((((((((((((((((((((((   Files Created from 2014-07-28 to 2014-08-29  )))))))))))))))))))))))))))))))
.
.
2014-08-29 16:06 . 2014-08-29 16:12 -------- d-----w- c:\users\me\AppData\Local\temp
2014-08-29 16:06 . 2014-08-29 16:06 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-08-29 16:06 . 2014-08-29 16:06 -------- d-----w- c:\users\me!\AppData\Local\temp
2014-08-29 16:06 . 2014-08-29 16:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-08-21 16:53 . 2014-08-21 16:53 -------- d--h--w- c:\windows\PIF
2014-08-20 09:19 . 2014-08-20 09:19 -------- d-----w- c:\programdata\Kaspersky Lab
2014-08-18 11:46 . 2014-08-18 11:46 -------- d-----w- c:\program files\ESET
2014-08-18 11:25 . 2014-08-18 11:25 -------- d-----w- c:\users\me\AppData\Roaming\R-TT
2014-08-18 11:22 . 2014-08-18 11:22 -------- d-----w- c:\program files\R-Studio
2014-08-17 13:49 . 2014-08-17 13:49 -------- d-----w- c:\program files\Common Files\Java
2014-08-17 13:48 . 2014-07-25 05:55 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-08-16 10:34 . 2013-09-02 07:58 263072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2014-08-16 05:31 . 2014-08-16 08:06 -------- d-----w- C:\610757c
2014-07-31 18:58 . 2014-08-14 05:10 -------- d-----w- c:\users\me\AppData\Roaming\Apuqozq
2014-07-31 18:56 . 2014-08-14 05:10 -------- d-----w- c:\users\me\AppData\Roaming\Wuhiorn
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-08-19 09:00 . 2014-05-16 11:37 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-03-21 02:58 . 2013-03-21 02:57 18005296 ----a-w- c:\program files\IE9-WindowsVista-x86-enu.exe
2010-06-16 06:37 . 2010-06-16 06:37 1714294 ----a-w- c:\program files\tvplayer.exe
2004-03-17 21:13 . 2004-03-17 21:13 1028368 ----a-w- c:\program files\vbrun60sp6.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-10 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-05-04 167936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-07-03 3563520]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2014-07-25 256896]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-12-10 50688]
Ralink Wireless Utility.lnk - c:\program files\Ralink\Common\RaUI.exe -s [2014-7-29 12660072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableVirtualization"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Run"= "c:\users\me\AppData\Roaming\Microsoft\Windows\IEUpdate\rasautou.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-10 09:20 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 11:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2010-07-17 12:08 2065760 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 15:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
2012-02-26 14:42 1044992 ----a-w- c:\program files\FileZilla Server\FileZilla Server Interface.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 22:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesPreload]
2012-12-20 11:44 1476104 ----a-w- c:\program files\Samsung\Kies\Kies.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent]
2012-12-20 11:44 310280 ----a-w- c:\program files\Samsung\Kies\KiesTrayAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 03:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-11-12 73728]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
LSP: %windir%\system32\vsocklib.dll
Trusted Zone: dell.com
TCP: DhcpNameServer = 8.8.8.8 8.8.4.4
.
- - - - ORPHANS REMOVED - - - -
.
c:\users\me\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rasautou.lnk - c:\users\me\AppData\Roaming\Microsoft\Windows\IEUpdate\rasautou.exe
c:\users\me\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_46898393.lnk - c:\users\me\AppData\Local\Temp\_uninst_46898393.bat
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-08-29 23:11
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(832)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\AVG\AVG9\avgwdsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\FileZilla Server\FileZilla Server.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\xampp\mysql\bin\mysqld.exe
c:\program files\Ralink\Common\RaRegistry.exe
c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\STacSV.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\StkASv2K.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\conime.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\Ralink\Common\RaUI.exe
c:\program files\DellTPad\HidFind.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\WerFault.exe
.
**************************************************************************
.
Completion time: 2014-08-29  23:19:35 - machine was rebooted
ComboFix-quarantined-files.txt  2014-08-29 16:19
ComboFix2.txt  2014-08-16 05:31
.
Pre-Run: 67,492,958,208 bytes free
Post-Run: 71,145,431,040 bytes free
.
- - End Of File - - B1D9DAA433F3F68C8A9F890CB9A3A570
5C616939100B85E558DA92B899A0FC36

#8 The Pugilist


Posted 29 August 2014 - 10:53 PM

plyp,

Let me see if I can answer a few of your questions here.

Quote: Both my laptop and USB drives are infected, I'm afraid to connect them together.

If you are worried about your thumbdrives, you can always hold Shift when inserting them to prevent any software from being automatically run (by autorun). Your thumbdrives may not be infected, but if they were connected for some period of time while the computer was infected, it is possible that their contents have also been encrypted.

Quote: To me, notepad file is like a very simple type of file, just plain text, no image or anything complicated. Do you think it would be a little more easier to recover than the other types of file?

While it is true that a text file is simpler (in terms of its contents and internal structure) than, say, a Word document or PDF file, the point of encryption is to make whatever is encrypted completely indistinguishable from its original form. So without knowing the key which was used to encrypt your data it is effectively impossible to recover them through decryption. You might consider thinking about whether any of these files were attached to emails recently, or if any of them were put in the recycling bin, or other places that might be unaffected. There is also some file recovery software out there, although the likelihood of that producing any results is very slim.

Quote: Did the log say anything about the cause of the infections?

I did not see any indicators to tell me how this happened. It is often hard to speculate given the information we collect, but also it is hard to speculate because of the number of ways that one can infect their computer. Common sources of malware infections can include such things as:

  • streaming video sites online (pirated movies/sports events, adult entertainment, etc)
  • Pirated media or programs
  • Malicious links in emails or websites

The list goes on, but suffice it to say, there are many different ways that this can happen.

Finally, I'm going to have you generate a new DDS log for me and post it back here. Please do so using the same method as you did before.

//Dave
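Dave's point that an encrypted text file bears no resemblance to the original, and the question of which files on a drive were actually touched, can be checked with a byte-entropy triage. The Python below is an added example, not part of the thread or of any tool mentioned in it; the thresholds, the constructed note text and the SHA-256 hash chain standing in for ciphertext are the example's own assumptions.

```python
"""Added example (not from the thread): triage files on a drive by byte entropy.

A plain-text note that has been encrypted no longer decodes as UTF-8 and its
byte values are spread almost uniformly, so its entropy approaches 8 bits/byte.
Caveat: JPEG, MP3 and PDF content is compressed and is high-entropy even when
intact, so this check only separates encrypted files from text-like ones.
"""
import hashlib
import math
import os
from collections import Counter

HIGH_ENTROPY = 7.5   # bits/byte; encrypted or compressed data (assumed threshold)
TEXT_ENTROPY = 6.0   # natural-language text normally sits well below this


def shannon_entropy(data: bytes) -> float:
    """Order-0 Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Label a file's bytes as 'text', 'high-entropy' or 'binary'."""
    h = shannon_entropy(data)
    try:
        data.decode("utf-8")
        is_utf8 = True
    except UnicodeDecodeError:
        is_utf8 = False
    if is_utf8 and h < TEXT_ENTROPY:
        return "text"
    if h >= HIGH_ENTROPY:
        return "high-entropy"
    return "binary"


def scan_tree(root: str, max_bytes: int = 65536) -> dict:
    """Map every file under root to its label, reading at most max_bytes each."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    report[path] = classify(fh.read(max_bytes))
            except OSError as exc:  # unreadable file: record it, do not abort the scan
                report[path] = f"error: {exc.strerror}"
    return report


# Constructed sample inputs (not real files from the thread).
NOTE_TEXT = ("Shopping list: milk, bread, eggs. Meeting with Anna on Tuesday at 10.\n"
             "Remember to copy the edited notes back to the USB drive.\n") * 40


def pseudo_random_bytes(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 hash chain."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


ENCRYPTED_LOOKALIKE = pseudo_random_bytes(4096)

if __name__ == "__main__":
    for label, blob in (("note", NOTE_TEXT.encode()), ("ciphertext", ENCRYPTED_LOOKALIKE)):
        print(f"{label}: {shannon_entropy(blob):.2f} bits/byte -> {classify(blob)}")
```

Run scan_tree() against a mounted thumb drive to get a per-file label; only the "text" versus "high-entropy" split is meaningful for notepad files, since media files are high-entropy by nature.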

#9 plyp


Posted 30 August 2014 - 10:25 AM

Quote: Your thumbdrives may not be infected, but if they were connected for some period of time while the computer was infected, it is possible that their contents have also been encrypted.

I used my thumbdrives and external drives with public computers. At that time, I and some other people didn't know that those public computers were infected. Later, we found out that our drives were infected, but with another malware/virus, not CryptoWall. So the files in my drives have not been encrypted. Please suggest how I can scan my drives and show you the logs. Thank you.

DDS

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 10.67.2
Run by me at 22:01:29 on 2014-08-30
AV: AVG Anti-Virus Free *Disabled/Outdated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Disabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\xampp\mysql\bin\mysqld.exe
C:\Program Files\Ralink\Common\RaRegistry.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\System32\StkASv2K.exe
C:\Windows\system32\vmnat.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\conime.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Ralink\Common\RaUI.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WerFault.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: Run = "c:\users\me\appdata\roaming\microsoft\windows\ieupdate\rasautou.exe"
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableVirtualization = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-001051-0002-0051-ABCDEFFEDCBC} - <orphaned>
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: c:\windows\system32\wpclsp.dll
LSP: %windir%\system32\vsocklib.dll
Trusted Zone: dell.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{4877D030-7E39-41D8-A09F-2DD50936215F} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{9493EA51-2071-4777-9E34-684956FB03AB} : DHCPNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{AB4AC2B4-9220-4BA1-9493-F598C36B6F39} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{F7AAB0F8-356C-4463-953C-7CB524915CED} : DHCPNameServer = 8.8.8.8 8.8.4.4
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\windows\system32\avgrsstx.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R0 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys [2012-10-24 71152]
R0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys [2013-8-10 61464]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-17 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-17 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-17 243024]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-12-10 73728]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-17 308136]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 RalinkRegistryWriter;RalinkRegistryWriter;c:\program files\ralink\common\RaRegistry.exe [2014-7-29 372736]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2013-10-9 3275136]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2012-10-11 721048]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-10 111616]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2010-7-17 29416]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-19 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-9-5 171680]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2014-7-29 1202752]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2013-8-8 15576]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2013-8-8 10200]
S3 RaMediaServer;Ralink UPnP Media Server;c:\program files\ralink\common\RaMediaServer.exe [2014-7-29 625728]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-19 753504]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
ShellExec: Opera.exe: open="c:\program files\opera\Launcher.exe" "%1"
.
=============== Created Last 30 ================
.
2014-08-29 16:19:39 -------- d-----w- c:\users\me\appdata\local\temp
2014-08-29 16:18:07 -------- d-sh--w- C:\$RECYCLE.BIN
2014-08-29 15:43:25 -------- d-----w- C:\ComboFix
2014-08-21 16:53:28 -------- d--h--w- c:\windows\PIF
2014-08-20 09:19:52 -------- d-----w- c:\programdata\Kaspersky Lab
2014-08-18 11:46:06 -------- d-----w- c:\program files\ESET
2014-08-18 11:25:18 -------- d-----w- c:\users\me\appdata\roaming\R-TT
2014-08-18 11:22:31 -------- d-----w- c:\program files\R-Studio
2014-08-17 13:48:59 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-08-16 10:34:14 263072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2014-08-16 05:31:10 -------- d-----w- C:\610757c
2014-07-31 18:58:35 -------- d-----w- c:\users\me\appdata\roaming\Apuqozq
2014-07-31 18:56:53 -------- d-----w- c:\users\me\appdata\roaming\Wuhiorn
.
==================== Find3M  ====================
.
2014-08-19 09:00:08 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-03-21 02:58:11 18005296 ----a-w- c:\program files\IE9-WindowsVista-x86-enu.exe
2010-06-16 06:37:10 1714294 ----a-w- c:\program files\tvplayer.exe
2004-03-17 21:13:46 1028368 ----a-w- c:\program files\vbrun60sp6.exe
.
============= FINISH: 22:02:49.37 ===============

Attached File: attach.txt (9.84KB, 0 downloads)


Edited by plyp, 30 August 2014 - 10:32 AM.


#10 The Pugilist


Posted 01 September 2014 - 09:55 AM

Please suggest me how can I scan my drives and show you the logs.

We'll take care of that now.

 

Please insert all of the thumbdrives / Hard Drives in question making sure to hold shift while the drive is inserted.

We need to vaccinate the USB drive to prevent infection:

Please download USBVaccineSetup.exe from Panda Software to the desktop of your clean / working computer.
Note: the download mirror is called MajorGeeks and the download should start automatically. Please do not click any advertisements.

  • Insert your USB flash drive into the clean / working computer
  • Double-click on USBVaccineSetup.exe to install the program
  • Select your language, read and accept the agreement to continue
  • Choose if you would like the program to run at all times, and for all newly inserted USB drives
  • Click Next then Finish to complete the installation, the program will launch
  • Select your USB drive from the list, then click Vaccinate USB; repeat this process for each drive you have.
    Note: optionally you can click Vaccinate computer as well; this stops removable items from automatically running on the system entirely.
  • A message should appear that your USB drive was vaccinated. If not please report the error in your next post
  • Please leave the USB drives connected for the next steps.

Next, we need to run Combofix again:

  • Download Combofix from one of the following links:
    Link 1
    Link 2
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quote box below into it:
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    REGISTRY::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "Run"=-
    
    FILE::
    c:\program files\tvplayer.exe
    c:\users\me\AppData\Roaming\Microsoft\Windows\IEUpdate\rasautou.exe
    
    FOLDER::
    c:\users\me\appdata\roaming\Apuqozq
    c:\users\me\appdata\roaming\Wuhiorn
    
    CFScriptB-4.gif
    Referring to the picture above, drag CFScript into ComboFix.exe.

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Lastly please generate a fresh DDS Log after all of this has been done and attach it to your next reply.


//Dave
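A read-only check of the same items the CFScript above targets, added here as a PowerShell example that is not part of this thread or of ComboFix. It assumes PowerShell 4 or later and that it is run as the affected user (so $env:APPDATA is the c:\users\me\AppData\Roaming profile named in the CFScript); the EnableLUA check at the end reflects the EnableLUA = dword:0 entry that appears in the logs posted in this thread.

```powershell
# Added example (not from the thread and not part of ComboFix): report whether the items
# the CFScript above targets are present. It deletes nothing, so it can be run before
# ComboFix to confirm the findings and afterwards to confirm they are gone.
# Assumes PowerShell 4+ (Get-FileHash) and that it runs as the affected user, so that
# $env:APPDATA is the c:\users\me\AppData\Roaming profile named in the CFScript.
$ErrorActionPreference = 'SilentlyContinue'

# REGISTRY:: target
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# FILE:: targets
$files = @(
    'C:\Program Files\tvplayer.exe',
    (Join-Path $env:APPDATA 'Microsoft\Windows\IEUpdate\rasautou.exe')
)

# FOLDER:: targets (random-looking folder names in the roaming profile)
$folders = @(
    (Join-Path $env:APPDATA 'Apuqozq'),
    (Join-Path $env:APPDATA 'Wuhiorn')
)

$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$Type, [string]$Item, [string]$Detail) {
    [void]$findings.Add([pscustomobject]@{ Type = $Type; Item = $Item; Detail = $Detail })
}

# 1. The CFScript's REGEDIT4 line "Run"=- removes a *value* named Run under
#    Policies\Explorer. Windows also honours a Run *subkey* there (the "Run these
#    programs at user logon" policy), so both forms are reported.
$prop = Get-ItemProperty -Path $policyKey -Name 'Run'
if ($null -ne $prop) { Add-Finding 'Registry' "$policyKey\Run (value)" "$($prop.Run)" }
$sub = Get-Item -Path "$policyKey\Run"
if ($null -ne $sub) {
    foreach ($name in $sub.GetValueNames()) {
        Add-Finding 'Registry' "$policyKey\Run\$name" "$($sub.GetValue($name))"
    }
}

# 2. Files: size, creation time, Authenticode status and SHA-256, enough to identify
#    the sample later without keeping it around.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $i   = Get-Item -LiteralPath $f -Force
        $sig = (Get-AuthenticodeSignature -FilePath $f).Status
        $sha = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Add-Finding 'File' $f "size=$($i.Length) created=$($i.CreationTime) sig=$sig sha256=$sha"
    }
}

# 3. Folders: a file count shows whether anything was staged in them.
foreach ($d in $folders) {
    if (Test-Path -LiteralPath $d -PathType Container) {
        $n = @(Get-ChildItem -LiteralPath $d -Force -Recurse |
               Where-Object { -not $_.PSIsContainer }).Count
        Add-Finding 'Folder' $d "files=$n"
    }
}

# 4. Caveat visible in the logs in this thread (EnableLUA = 0): UAC is switched off, so
#    anything this user runs already has full rights. Worth re-enabling after cleanup.
$sysPol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA'
if ($null -ne $sysPol -and $sysPol.EnableLUA -eq 0) {
    Add-Finding 'Policy' 'EnableLUA' 'UAC disabled (dword:0)'
}

if ($findings.Count -eq 0) {
    'None of the CFScript targets are present.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```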

#11 plyp

  • Topic Starter
  • Members
  • 12 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:25 AM

Posted 01 September 2014 - 03:02 PM

A message should appear that your USB drive was vaccinated.

Ok, they are vaccinated.

ComboFix

ComboFix 14-08-31.01 - me 02-Sep-14   1:58.3.2 - x86
Running from: c:\users\me\Desktop\ComboFix.exe
Command switches used :: c:\users\me\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Outdated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Disabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
FILE ::
"c:\program files\tvplayer.exe"
"c:\users\me\AppData\Roaming\Microsoft\Windows\IEUpdate\rasautou.exe"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\me\appdata\roaming\Apuqozq
c:\users\me\appdata\roaming\Wuhiorn
.
.
(((((((((((((((((((((((((   Files Created from 2014-08-01 to 2014-09-01  )))))))))))))))))))))))))))))))
.
.
2014-09-01 19:15 . 2014-09-01 19:17 -------- d-----w- c:\users\me\AppData\Local\temp
2014-09-01 19:15 . 2014-09-01 19:15 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-09-01 19:15 . 2014-09-01 19:15 -------- d-----w- c:\users\me!\AppData\Local\temp
2014-09-01 19:15 . 2014-09-01 19:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-09-01 18:36 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2014-09-01 18:36 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2014-09-01 18:36 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2014-09-01 18:36 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2014-09-01 18:35 . 2012-06-02 08:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2014-09-01 18:35 . 2012-06-02 08:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2014-09-01 17:55 . 2014-09-01 17:55 -------- d-----w- c:\programdata\Panda Security
2014-09-01 17:55 . 2014-09-01 18:49 -------- d-----w- c:\program files\Panda USB Vaccine
2014-08-21 16:53 . 2014-08-21 16:53 -------- d--h--w- c:\windows\PIF
2014-08-20 09:19 . 2014-08-20 09:19 -------- d-----w- c:\programdata\Kaspersky Lab
2014-08-18 11:46 . 2014-08-18 11:46 -------- d-----w- c:\program files\ESET
2014-08-18 11:25 . 2014-08-18 11:25 -------- d-----w- c:\users\me\AppData\Roaming\R-TT
2014-08-18 11:22 . 2014-08-18 11:22 -------- d-----w- c:\program files\R-Studio
2014-08-17 13:49 . 2014-08-17 13:49 -------- d-----w- c:\program files\Common Files\Java
2014-08-17 13:48 . 2014-07-25 05:55 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-08-16 10:34 . 2013-09-02 07:58 263072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2014-08-16 05:31 . 2014-08-16 08:06 -------- d-----w- C:\610757c
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-08-19 09:00 . 2014-05-16 11:37 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-03-21 02:58 . 2013-03-21 02:57 18005296 ----a-w- c:\program files\IE9-WindowsVista-x86-enu.exe
2010-06-16 06:37 . 2010-06-16 06:37 1714294 ----a-w- c:\program files\tvplayer.exe
2004-03-17 21:13 . 2004-03-17 21:13 1028368 ----a-w- c:\program files\vbrun60sp6.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-10 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-05-04 167936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-07-03 3563520]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2014-07-25 256896]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-12-10 50688]
Ralink Wireless Utility.lnk - c:\program files\Ralink\Common\RaUI.exe -s [2014-7-29 12660072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableVirtualization"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-10 09:20 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 11:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2010-07-17 12:08 2065760 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 15:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
2012-02-26 14:42 1044992 ----a-w- c:\program files\FileZilla Server\FileZilla Server Interface.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 22:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesPreload]
2012-12-20 11:44 1476104 ----a-w- c:\program files\Samsung\Kies\Kies.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent]
2012-12-20 11:44 310280 ----a-w- c:\program files\Samsung\Kies\KiesTrayAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 03:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-11-12 73728]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
LSP: %windir%\system32\vsocklib.dll
Trusted Zone: dell.com
TCP: DhcpNameServer = 8.8.8.8 8.8.4.4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-09-02 02:17
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4860)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2014-09-02  02:21:47
ComboFix-quarantined-files.txt  2014-09-01 19:21
ComboFix2.txt  2014-08-29 16:19
ComboFix3.txt  2014-08-16 05:31
.
Pre-Run: 70,671,966,208 bytes free
Post-Run: 70,834,597,888 bytes free
.
- - End Of File - - 1F12A2D6BA750246804F2889A84DD895
5C616939100B85E558DA92B899A0FC36

DDS

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 10.67.2
Run by me at 2:34:18 on 2014-09-02
AV: AVG Anti-Virus Free *Disabled/Outdated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Disabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\xampp\mysql\bin\mysqld.exe
C:\Program Files\Ralink\Common\RaRegistry.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\system32\STacSV.exe
C:\Windows\System32\StkASv2K.exe
C:\Windows\system32\vmnat.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Ralink\Common\RaUI.exe
C:\Program Files\Panda USB Vaccine\USBVaccine.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\notepad.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableVirtualization = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-001051-0002-0051-ABCDEFFEDCBC} - <orphaned>
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: c:\windows\system32\wpclsp.dll
LSP: %windir%\system32\vsocklib.dll
Trusted Zone: dell.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{4877D030-7E39-41D8-A09F-2DD50936215F} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{9493EA51-2071-4777-9E34-684956FB03AB} : DHCPNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{AB4AC2B4-9220-4BA1-9493-F598C36B6F39} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{F7AAB0F8-356C-4463-953C-7CB524915CED} : DHCPNameServer = 8.8.8.8 8.8.4.4
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\windows\system32\avgrsstx.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R0 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys [2012-10-24 71152]
R0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys [2013-8-10 61464]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-17 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-17 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-17 243024]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-12-10 73728]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-17 308136]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 RalinkRegistryWriter;RalinkRegistryWriter;c:\program files\ralink\common\RaRegistry.exe [2014-7-29 372736]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2012-10-11 721048]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-10 111616]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2010-7-17 29416]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-19 130384]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2013-10-9 3275136]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-9-5 171680]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2014-7-29 1202752]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2013-8-8 15576]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2013-8-8 10200]
S3 RaMediaServer;Ralink UPnP Media Server;c:\program files\ralink\common\RaMediaServer.exe [2014-7-29 625728]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-19 753504]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
ShellExec: Opera.exe: open="c:\program files\opera\Launcher.exe" "%1"
.
=============== Created Last 30 ================
.
2014-09-01 19:21:50 -------- d-----w- c:\users\me\appdata\local\temp
2014-09-01 19:20:20 -------- d-sh--w- C:\$RECYCLE.BIN
2014-09-01 18:54:13 -------- d-----w- C:\ComboFix
2014-09-01 18:36:11 2422272 ----a-w- c:\windows\system32\wucltux.dll
2014-09-01 18:35:55 33792 ----a-w- c:\windows\system32\wuapp.exe
2014-09-01 18:35:55 171904 ----a-w- c:\windows\system32\wuwebv.dll
2014-09-01 17:55:27 -------- d-----w- c:\programdata\Panda Security
2014-09-01 17:55:19 -------- d-----w- c:\program files\Panda USB Vaccine
2014-08-21 16:53:28 -------- d--h--w- c:\windows\PIF
2014-08-20 09:19:52 -------- d-----w- c:\programdata\Kaspersky Lab
2014-08-18 11:46:06 -------- d-----w- c:\program files\ESET
2014-08-18 11:25:18 -------- d-----w- c:\users\me\appdata\roaming\R-TT
2014-08-18 11:22:31 -------- d-----w- c:\program files\R-Studio
2014-08-17 13:48:59 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-08-16 10:34:14 263072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2014-08-16 05:31:10 -------- d-----w- C:\610757c
.
==================== Find3M  ====================
.
2014-08-19 09:00:08 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-03-21 02:58:11 18005296 ----a-w- c:\program files\IE9-WindowsVista-x86-enu.exe
2010-06-16 06:37:10 1714294 ----a-w- c:\program files\tvplayer.exe
2004-03-17 21:13:46 1028368 ----a-w- c:\program files\vbrun60sp6.exe
.
============= FINISH:  2:34:48.74 ===============

Attached File: attach.txt (20.6KB)

#12 The Pugilist

  • Members
  • 826 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:25 PM

Posted 03 September 2014 - 06:40 AM

Okay, your computer is now looking clean. Given that we can now reasonably assume that your thumb drives are not going to reinfect your computer, it's time to assess damages.

I'm sure you are still missing some files; you can refer to the recovery section of the guide below to attempt to recover some of them. While it is unlikely that this process will work, it is still worth a shot.

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#restore

Let me know if you need assistance with any of the steps in that article.


//Dave

#13 plyp

  • Topic Starter
  • Members
  • 12 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:25 AM

Posted 03 September 2014 - 09:02 AM

Thank you, Dave.

But 2 of my external drives are still showing some strange things.

1. External drive #1, as shown in the 1st picture (attached file: external-drive1_index.png).

  • The no-name folder
  • $RECYCLE.BIN folder
  • RECYCLER folder.

All these 3 files, I did not create them, and I don't want to take a risk clicking on any of them.

2. External drive #2, as shown in the 2nd picture (attached file: external-drive2_index.png).

  • old-folders - Shortcut. I created this folder. But when I clicked on it, it gave me a weird path name. Please see the 3rd picture, the empty blue space between the 2 black arrows (attached file: external-drive2_empty-space.png).
  • k folder. I created this. Files inside this folder looked ok.
  • $RECYCLE.BIN folder. I did not create this.

I didn't take notes about the symptoms when they were first infected. As far as I remember, it looked like the virus/malware created a shortcut and then hid my folders and files inside that shortcut. No damaged files, but it's possible that the virus/malware could still be sitting in these external drives. Could you please help me with this? Thank you.

And yes, I'm still missing my files :( I downloaded R-Studio from the link, but need time to experiment. And I'll get back to you.

#14 The Pugilist

  • Members
  • 826 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:25 PM

Posted 06 September 2014 - 11:11 PM

plyp,

Sorry for the delay, I've been quite busy the last few days. I hope to have a full-fledged reply for you tomorrow.


//Dave

#15 The Pugilist

  • Members
  • 826 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:25 PM

Posted 07 September 2014 - 10:17 AM

plyp,

Again, sorry for the delay in getting back to you here. I have some answers for you and some more questions.

Both of these directories are created by Windows and are used to manage files that are put in the Recycle Bin. They usually exist, but are hidden from view (we can fix this later).

  • $RECYCLE.BIN folder
  • RECYCLER folder.

As for the directories with no names, those are slightly strange, but I would not consider them to be inherently harmful.

I'd like you to make sure hidden folders are displayed.

  1. Open Folder Options by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
  2. Click the View tab.
  3. Under Advanced settings:
    1. Make sure Show hidden files, folders, and drives is checked.
    2. Uncheck Hide protected operating system files. It will ask you if you are sure; click Yes.
  4. Click OK and close out the dialogue boxes.

Once this has been completed, explore those no-name directories and see if your files are in there.


//Dave
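A PowerShell audit of a removable drive for the three things discussed in this post and the previous one (the no-name folder, the Windows-owned $RECYCLE.BIN and RECYCLER folders, and a shortcut that took the place of a hidden folder), added here as an example rather than anything the helper posted. The script name and the E:\ drive letter in the usage line are assumptions; the script only reports unless -Unhide is given.

```powershell
# Added example (not from the thread): audit the root of a removable drive for the symptoms
# reported in this thread: user folders hidden and replaced by shortcuts, a "no-name"
# folder, and the Windows-owned $RECYCLE.BIN / RECYCLER folders. Read-only unless
# -Unhide is given, in which case Hidden/System is cleared from hidden *user* folders only.
# Usage (drive letter is an assumption):  .\Audit-RemovableDrive.ps1 -DriveRoot E:\ [-Unhide]
param(
    [Parameter(Mandatory = $true)][string]$DriveRoot,
    [switch]$Unhide
)

$hiddenMask   = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
$runnableExts = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.vbe', '.js', '.jse', '.wsf', '.ps1')
$windowsOwned = @('$RECYCLE.BIN', 'RECYCLER', 'System Volume Information')
$shell  = New-Object -ComObject WScript.Shell
$report = New-Object System.Collections.ArrayList

function Add-Line([string]$Level, [string]$Name, [string]$Detail) {
    [void]$report.Add([pscustomobject]@{ Level = $Level; Name = $Name; Detail = $Detail })
}

foreach ($e in Get-ChildItem -LiteralPath $DriveRoot -Force) {
    $isHidden = ([int]$e.Attributes -band $hiddenMask) -ne 0

    if ($e.PSIsContainer) {
        # Folders Windows maintains on every volume: present and hidden by design.
        if ($windowsOwned -contains $e.Name) { Add-Line 'OK' $e.Name 'Windows-owned folder'; continue }

        $nFiles = @(Get-ChildItem -LiteralPath $e.FullName -Force -Recurse -ErrorAction SilentlyContinue |
                    Where-Object { -not $_.PSIsContainer }).Count
        # A "no-name" folder is one whose name is only whitespace or non-printing characters;
        # its code points are shown so it can be told apart from a genuinely empty name.
        if (($e.Name -replace '[\s\p{C}\u00A0\u2000-\u200F\u3000]', '') -eq '') {
            $cps = ($e.Name.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
            Add-Line 'WARN' "<$cps>" "nameless folder, $nFiles file(s) inside"
        } elseif ($isHidden) {
            # Hidden/System on a user folder is how the originals were concealed while
            # shortcuts took their place in Explorer.
            Add-Line 'WARN' $e.Name "user folder marked hidden/system, $nFiles file(s) inside"
            if ($Unhide) {
                $e.Attributes = [IO.FileAttributes]([int]$e.Attributes -band (-bnot $hiddenMask))
                Add-Line 'FIXED' $e.Name 'Hidden/System attributes cleared'
            }
        } else {
            Add-Line 'OK' $e.Name "folder, $nFiles file(s)"
        }
        continue
    }

    if ($e.Extension -ieq '.lnk') {
        # Resolve the shortcut: one that opens a folder is fine; one that runs an
        # interpreter or executable, or carries arguments, is a launcher.
        $lnk     = $shell.CreateShortcut($e.FullName)
        $target  = [string]$lnk.TargetPath
        $lnkArgs = [string]$lnk.Arguments
        $ext     = [IO.Path]::GetExtension($target).ToLower()
        if ($target -ne '' -and $lnkArgs -eq '' -and (Test-Path -LiteralPath $target -PathType Container)) {
            Add-Line 'OK' $e.Name "shortcut to folder $target"
        } elseif ($runnableExts -contains $ext -or $lnkArgs -ne '') {
            Add-Line 'WARN' $e.Name "shortcut runs '$target' with arguments '$lnkArgs'"
        } else {
            Add-Line 'INFO' $e.Name "shortcut to '$target' (missing, or not a folder)"
        }
        continue
    }

    # Loose files in the drive root: hidden ones and runnable ones are worth a look.
    if ($isHidden -or ($runnableExts -contains $e.Extension.ToLower())) {
        Add-Line 'WARN' $e.Name "hidden or runnable file in drive root ($($e.Length) bytes)"
    }
}

$report | Format-Table -AutoSize -Wrap
```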



