total hijack


This topic is locked
31 replies to this topic

#1 oscelot

oscelot

  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:45 PM

Posted 23 October 2014 - 03:33 PM

My computer was recently hijacked by one of those nasty moneypak viruses. I can't access the os normally or in either of the two safe modes. I've scoured through all of the self help guides to no avail. I've even tried using the hitman bootloader but that doesn't work either. I was instructed to post a dds log but am unable to do that at the moment. This computer has all of the company financials on it and it is imperative that I get it working again. Please help! Thanks


#2 oscelot

oscelot
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:45 PM

Posted 24 October 2014 - 11:34 PM

My original post:
Help please! My computer is on complete lock down and I am at my wits end.

I was on Google Chrome when all of a sudden the screen was hijacked by a window that claimed to be from the department of justice. At this point, I couldn't do anything with the computer except force a reboot. Then, upon restart in normal mode, a dialog box comes up that says windows is shutting down because of the nt authority\system and that the dcom server process launcher terminated unexpectedly.

So far, I have tried to restart normally with no success. I've tried to restore to the last known good configuration with no success. I've tried to restart into safe mode but I get a blue screen that says to check for viruses on the computer. Lastly, I've tried to reboot the system with hitman which didn't work either. Normal system startup is working except for the nt authority system error and the hijack. Needless to say, I'm beyond frustrated at this point.

Please help. Thanks

#3 oscelot

oscelot
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:45 PM

Posted 24 October 2014 - 11:42 PM

Update...

I have been able to boot up using hirens boot cd and mini xp. I've run mbam which has discovered a few threats, but can't seem to completely remove all of the threats because subsequent mbam scans still show a couple of threats remaining. I'm new to this boot method and could definitely use some help understanding and executing it properly.

Another important note: when I try to reboot via the hdd in normal mode, I still get the dcom server process error message and the computer automatically shuts down after 60 seconds.

I have a sinking feeling that this thing is thoroughly infected. Any help will be greatly appreciated.

#4 oscelot

oscelot
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:45 PM

Posted 28 October 2014 - 11:21 AM

I have come to a standstill with this computer. I have tried different rescue disks without any luck. I still can't access the normal operating system (or either of the 2 safe modes) and therefore don't have access to any of my files. I'm getting desperate, but don't have any other resources to go to for help. Please help.



#5 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,549 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:45 PM

Posted 28 October 2014 - 03:35 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/553066 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,579 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:45 PM

Posted 29 October 2014 - 07:29 AM

Hello, if you still need help with this issue, please do the following.
  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

    Plug the flashdrive into the infected PC.
  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html



    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt


    Select Command Prompt
  • Once in the Command Prompt:
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 oscelot

oscelot
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:45 PM

Posted 29 October 2014 - 07:34 AM

I still need help, please.

 

I have run some utilities in minixp and I think I have been able to take care of the dcom server process error but the os is still hijacked. I have not been able to run any logs because I am working out of minixp and the programs don't provide an option to select which drive you want to scan. They default to the emulated drive (X) which does me no good. Here is a list of the programs that I have run (not necessarily in this order):

 

ClamWin

Malwarebytes

Tdsskiller

Gmer

 

I've also tried to run superantispyware but it results in an immediate BSOD.

 

Still using Hirens Boot CD and minixp...



#8 oscelot

oscelot
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:45 PM

Posted 29 October 2014 - 07:41 AM

I have HBCD on my only flash drive, right now. I will have to get another flash drive and then I will try the farbar tool. Thanks



#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,579 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:45 PM

Posted 29 October 2014 - 08:26 AM

Hiren's is not allowed at BC; we won't use it because it uses illegally distributed Microsoft files as well as some copyright-protected or questionable applications.

However, we shouldn't need it either. :)

This infection is usually residing in the user-specific registry, meaning there is very little you can do about it from a PE disk unless you know exactly what you're looking for.

regards, Elise



#10 oscelot

oscelot
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:45 PM

Posted 29 October 2014 - 11:48 PM

I'm running Windows XP and can get to the recovery console but am unable to run the Farbar file that is on the flash drive...

#11 oscelot

oscelot
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:45 PM

Posted 30 October 2014 - 12:35 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-10-2014
Ran by SYSTEM on MiniXP on 30-10-2014 00:10:55
Running from D:\frst
Platform: Microsoft Windows XP (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet002
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] => RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [2593056 2014-09-13] ()
HKLM\...\Run: [NvBackend] => C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe [2461504 2014-09-17] (NVIDIA Corporation)
HKLM\...\Winlogon: [UIHost] C:\Windows\system32\logonui.exe [514560 2008-04-14] (Microsoft Corporation)
HKU\All Users\...\RunOnce: [NeroHomeFirstStart] => C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe [19752 2008-12-12] (Nero AG)
HKU\Default User\...\RunOnce: [NeroHomeFirstStart] => C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe [19752 2008-12-12] (Nero AG)
HKU\Guest\...\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe [1840424 2008-12-12] (Nero AG)
HKU\Guest\...\Run: [Aim6] => "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
HKU\Guest\...\Run: [EPLTarget\P0000000000000000] => C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_TATIIUE.EXE [249440 2012-02-27] (SEIKO EPSON CORPORATION)
HKU\Guest\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\LocalService\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\NetworkService\...\Policies\Explorer: [NoSetActiveDesktop] 0
Startup: C:\Documents and Settings\Preston\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\DOCUME~1\ALLUSE~1\APPLIC~1\14616DA.cpp (No File)

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-08-14] (SUPERAntiSpyware.com)
S4 CoordinatorServiceHost; C:\Program Files\SolidWorks\swScheduler\DTSCoordinatorService.exe [87336 2010-10-05] (Dassault Systèmes SolidWorks Corp.)
S4 Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.EXE [44032 1999-12-13] (Creative Technology Ltd)
S4 EpsonCustomerParticipation; C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe [539744 2012-05-10] (SEIKO EPSON CORPORATION)
S4 EpsonScanSvc; C:\WINDOWS\system32\EscSvc.exe [122000 2011-12-12] (Seiko Epson Corporation)
S4 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [1044816 2010-11-03] (Flexera Software, Inc.)
S4 ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe [172032 2006-09-08] ()
S4 InCDsrv; C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe [1442088 2008-08-08] (Nero AG)
S4 MoboroboDeviceService; C:\Program Files\MoboRobo\MoboroboDeviceService.exe [72184 2014-07-31] ()
S4 MSSQL$MICROSOFTSMLBIZ; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe [9158656 2008-12-18] (Microsoft Corporation)
S4 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [73728 2005-05-04] (Microsoft Corporation)
S4 msvsmon80; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2799808 2005-09-23] (Microsoft Corporation)
S4 NeroRegInCDSrv; C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [53032 2008-08-08] (Nero AG)
S4 nSvcIp; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe [172090 2006-09-08] (NVIDIA Corporation)
S4 nTuneService; C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe [118784 2007-01-22] (NVIDIA)
S2 NvNetworkService; C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe [1796928 2014-09-17] (NVIDIA Corporation)
S4 Remote Solver for Flow Simulation 2011; C:\Program Files\SolidWorks\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [89864 2010-09-08] (Mentor Graphics Corporation)
S4 RemoteAccess; C:\Windows\system32\svchost.exe [14336 2008-04-14] (Microsoft Corporation)
S4 SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [79360 2010-11-03] (SolidWorks)
S4 SQLAgent$MICROSOFTSMLBIZ; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE [323584 2005-05-04] (Microsoft Corporation)
S4 Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [1251720 2008-04-15] ()

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S1 AmdPPM; C:\Windows\System32\DRIVERS\AmdPPM.sys [33792 2007-04-17] (Advanced Micro Devices)
S3 ctdvda2k; C:\Windows\System32\drivers\ctdvda2k.sys [340176 2006-08-17] (Creative Technology Ltd)
S3 ctlsb16; C:\Windows\System32\drivers\ctlsb16.sys [96256 2001-08-17] (Copyright © Creative Technology Ltd. 1994-2001)
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [239168 2011-11-20] (DT Soft Ltd)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [371248 2009-08-27] (Symantec Corporation)
S3 ENTECH; C:\WINDOWS\system32\DRIVERS\ENTECH.sys [21664 2004-10-26] (EnTech Taiwan)
S3 ET5Drv; C:\WINDOWS\system32\Drivers\ET5Drv.sys [186584 2004-09-21] (Microsoft Corporation)
S2 Hardlock; C:\WINDOWS\system32\drivers\hardlock.sys [670208 2004-11-05] (Aladdin Knowledge Systems Ltd.)
S4 InCDfs; C:\Windows\System32\drivers\InCDFs.sys [128424 2008-08-08] (Nero AG)
S1 InCDPass; C:\Windows\System32\drivers\InCDPass.sys [38952 2008-08-08] (Nero AG)
S1 InCDRec; C:\Windows\System32\drivers\InCDRec.sys [18088 2008-08-08] (Nero AG)
S1 incdrm; C:\Windows\System32\drivers\InCDRm.sys [40488 2008-08-08] (Nero AG)
S0 JGOGO; C:\Windows\System32\DRIVERS\JGOGO.sys [6912 2006-02-07] (JMicron )
S0 JRAID; C:\Windows\System32\DRIVERS\jraid.sys [43264 2006-06-02] (JMicron Technology Corp.)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [110296 2014-10-23] (Malwarebytes Corporation)
S3 MREMP50; C:\Program Files\Common Files\Motive\MREMP50.sys [21248 2010-04-30] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\Program Files\Common Files\Motive\MRESP50.sys [20096 2010-04-30] (Printing Communications Assoc., Inc. (PCAUSA))
S3 NVENETFD; C:\Windows\System32\DRIVERS\NVENETFD.sys [52736 2006-03-22] (NVIDIA Corporation)
S3 NVHDA; C:\Windows\System32\drivers\nvhda32.sys [129184 2014-09-17] (NVIDIA Corporation)
S3 nvnetbus; C:\Windows\System32\DRIVERS\nvnetbus.sys [18944 2006-03-22] (NVIDIA Corporation)
S3 NVR0Dev; C:\WINDOWS\nvoclock.sys [6912 2007-01-22] (NVidia Corp.)
S1 NVTCP; C:\Windows\System32\DRIVERS\NVTcp.sys [109568 2006-03-22] (NVIDIA Corporation)
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 sftfs; C:\Program Files\Microsoft Application Virtualization Client\drivers\sftfsXP.sys [543064 2009-09-23] (Microsoft Corporation)
S3 sftplay; C:\Program Files\Microsoft Application Virtualization Client\drivers\sftplayXP.sys [190312 2009-09-23] (Microsoft Corporation)
S3 Sftredir; C:\Windows\System32\DRIVERS\Sftredirxp.sys [21864 2009-09-23] (Microsoft Corporation)
S3 sftvol; C:\Program Files\Microsoft Application Virtualization Client\drivers\sftvolXP.sys [14680 2009-09-23] (Microsoft Corporation)
S4 sptd; C:\Windows\System32\Drivers\sptd.sys [691696 2010-11-02] (Duplex Secure Ltd.)
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [13464 2013-06-24] ()
S2 symlcbrd; C:\WINDOWS\system32\drivers\symlcbrd.sys [10344 2007-02-13] (Symantec Corporation)
S3 TunRDriverV32; C:\Windows\System32\drivers\TunRDriverV32.sys [506496 2008-03-13] (Windows ® 2000/XP)
S3 TunRVideo32; C:\Windows\System32\DRIVERS\TunRVideo32.sys [3768 2008-03-13] (Windows ® 2000 DDK provider)
S3 AgereSoftModem; system32\DRIVERS\AGRSM.sys [X]
S0 AmdAcpi; No ImagePath
S1 AmdK8; system32\DRIVERS\AmdK8.sys [X]
S3 AmdLLD; system32\DRIVERS\AmdLLD.sys [X]
S3 AMDPCI; \??\C:\DOCUME~1\Preston\LOCALS~1\Temp\AMDPCI.sys [X]
S3 amdtools; No ImagePath
S3 dgderdrv; System32\drivers\dgderdrv.sys [X]
S3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [X]
S3 hitmanpro36; \??\C:\WINDOWS\system32\drivers\hitmanpro36.sys [X]
S3 IntcAzAudAddService; system32\drivers\RtkHDAud.sys [X]
S4 IntelIde; No ImagePath
S3 mcdbus; No ImagePath
S1 MoboroboAssDriver; system32\drivers\MoboroboAssDriver.sys [X]
S3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [X]
S3 RimUsb; System32\Drivers\RimUsb.sys [X]
S1 SBRE; \??\C:\WINDOWS\system32\drivers\SBREdrv.sys [X]
S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S0 sqcfvcsa; System32\drivers\vpss.sys [X]
S3 SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\SCFIDS~1\20100402.001\symidsco.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-30 00:10 - 2014-10-30 00:10 - 00000000 ____D () C:\FRST
2014-10-29 22:50 - 2014-10-29 22:50 - 01105408 _____ (Farbar) C:\Windows\FRST.exe
2014-10-29 07:36 - 2014-10-29 07:36 - 01104896 _____ (Farbar) C:\Documents and Settings\Preston\Desktop\FRST.exe
2014-10-29 07:23 - 2014-10-29 07:23 - 00388608 _____ (Trend Micro Inc.) C:\Documents and Settings\Preston\Desktop\HijackThis.exe
2014-10-29 07:23 - 2014-10-29 07:23 - 00002313 _____ () C:\Documents and Settings\Preston\Desktop\hijackthis.log
2014-10-29 07:19 - 2014-10-29 07:19 - 00688992 ____R (Swearware) C:\Documents and Settings\Preston\Desktop\dds.com
2014-10-28 21:17 - 2014-10-28 21:17 - 04181856 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\Preston\Desktop\tdsskiller.exe
2014-10-28 13:44 - 2014-10-28 13:44 - 00021504 _____ () C:\Documents and Settings\Preston\Desktop\Uninstall.dat
2014-10-28 13:44 - 2014-10-28 13:44 - 00002576 _____ () C:\Documents and Settings\Preston\Desktop\Uninstall.dat-journal
2014-10-28 13:43 - 2014-10-28 13:43 - 00000000 ____D () C:\Documents and Settings\Preston\Desktop\Plugins
2014-10-28 11:23 - 2014-10-28 11:30 - 164258168 _____ () C:\Documents and Settings\Preston\Desktop\setup_11.0.3.8.x01_2014_10_28_17_28.exe
2014-10-28 10:40 - 2014-10-28 10:40 - 00000000 ____D () C:\Documents and Settings\Preston\Desktop\ImageWriter
2014-10-28 10:24 - 2014-10-28 10:33 - 158404608 _____ () C:\Documents and Settings\Preston\Desktop\trinity-rescue-kit.3.4-build-372.iso
2014-10-28 09:41 - 2014-10-28 10:06 - 00000000 ____D () C:\Documents and Settings\Preston\Desktop\sardu
2014-10-28 04:57 - 2014-10-28 04:57 - 12290974 _____ (ImageWriter Developers ) C:\Documents and Settings\Preston\Desktop\Win32DiskImager-0.9.5-install.exe
2014-10-28 03:56 - 2014-10-28 03:58 - 00000000 ____D () C:\Documents and Settings\Preston\Desktop\kaspersky
2014-10-28 03:53 - 2014-10-28 03:53 - 00387584 _____ () C:\Documents and Settings\Preston\Desktop\rescue2usb.exe
2014-10-28 03:20 - 2014-10-28 03:20 - 01088549 _____ (pendrivelinux.com) C:\Documents and Settings\Preston\Desktop\Universal-USB-Installer-1.9.5.6.exe
2014-10-28 02:02 - 2014-10-28 02:14 - 308711424 _____ () C:\Documents and Settings\Preston\Desktop\kav_rescue_10.iso
2014-10-28 01:57 - 2014-10-28 01:57 - 00000000 ____D () C:\Documents and Settings\Preston\Desktop\[BOOT]
2014-10-28 01:55 - 2014-10-28 01:57 - 00000000 ____D () C:\Documents and Settings\Preston\Desktop\rescue
2014-10-28 01:55 - 2013-03-02 21:00 - 00000000 _____ () C:\Documents and Settings\Preston\Desktop\livecd
2014-10-28 01:55 - 2013-02-27 21:00 - 00002048 _____ () C:\Documents and Settings\Preston\Desktop\boot.catalog
2014-10-28 01:55 - 2013-01-30 21:00 - 02949120 _____ () C:\Documents and Settings\Preston\Desktop\efi.img
2014-10-25 14:28 - 2014-10-25 14:29 - 16281688 _____ () C:\Documents and Settings\Preston\Desktop\RogueKiller.exe
2014-10-25 13:34 - 2014-10-25 13:41 - 163861200 _____ () C:\Program Files\setup_11.0.3.8.x01_2014_10_25_20_28.exe
2014-10-02 03:05 - 2014-10-02 03:05 - 00000000 ____D () C:\Documents and Settings\Preston\Local Settings\Application Data\NVIDIA
2014-10-02 03:04 - 2014-10-23 20:14 - 00001474 _____ () C:\Windows\System32\nvAppTimestamps
2014-10-02 02:59 - 2014-10-02 02:59 - 00000000 ____D () C:\Program Files\AGEIA Technologies
2014-10-02 02:58 - 2014-10-02 02:58 - 00000000 _____ () C:\Windows\setuperr.log
2014-10-02 02:58 - 2014-10-02 02:58 - 00000000 _____ () C:\Windows\setupact.log
2014-10-02 02:58 - 2014-09-17 04:47 - 00906048 _____ (NVIDIA Corporation) C:\Windows\System32\nvhdagenco3220103.dll
2014-10-02 02:58 - 2014-09-17 04:47 - 00129184 _____ (NVIDIA Corporation) C:\Windows\System32\Drivers\nvhda32.sys
2014-10-02 02:58 - 2014-09-17 04:47 - 00028448 _____ (NVIDIA Corporation) C:\Windows\System32\nvhdap32.dll
2014-10-02 02:58 - 2014-09-13 23:33 - 11276288 _____ (NVIDIA Corporation) C:\Windows\System32\nvopencl.dll
2014-10-02 02:58 - 2014-09-13 23:33 - 01933532 _____ () C:\Windows\System32\nvdata.data
2014-10-02 02:58 - 2014-09-13 23:33 - 01041096 _____ (NVIDIA Corporation) C:\Windows\System32\nvdispco3234411.dll
2014-10-02 02:58 - 2014-09-13 23:33 - 00907592 _____ (NVIDIA Corporation) C:\Windows\System32\nvdispgenco3234411.dll
2014-10-02 02:58 - 2014-09-13 23:33 - 00361672 _____ (NVIDIA Corporation) C:\Windows\System32\nvEncodeAPI.dll
2014-10-02 02:58 - 2014-09-11 12:43 - 03961833 _____ () C:\Windows\System32\nvcoproc.bin
2014-10-02 02:57 - 2014-10-02 02:57 - 00000000 ____D () C:\NVIDIA
2014-10-02 02:17 - 2014-10-29 11:29 - 00206565 _____ () C:\Windows\setupapi.log
2014-10-01 20:09 - 2014-10-01 20:09 - 06692632 _____ (SUPERAntiSpyware) C:\Documents and Settings\Preston\Desktop\SUPERAntiSpyware.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-29 11:40 - 2013-02-14 08:18 - 00002064 _____ () C:\Windows\System32\settingsbkup.sfm
2014-10-29 11:40 - 2013-02-14 08:18 - 00002064 _____ () C:\Windows\System32\settings.sfm
2014-10-29 11:39 - 2013-12-20 19:09 - 01456068 _____ () C:\Windows\WindowsUpdate.log
2014-10-29 11:39 - 2013-01-29 16:19 - 00032610 _____ () C:\Windows\SchedLgU.Txt
2014-10-29 11:39 - 2013-01-29 16:19 - 00000216 _____ () C:\Windows\wiadebug.log
2014-10-29 11:39 - 2007-02-13 07:13 - 00000278 __SHC () C:\Documents and Settings\Preston\ntuser.ini
2014-10-29 11:31 - 2007-02-13 00:53 - 00661630 ____C () C:\Windows\System32\PerfStringBackup.INI
2014-10-29 11:30 - 2010-12-08 05:28 - 01425252 _____ () C:\Windows\System32\nvdrsdb1.bin
2014-10-29 11:30 - 2010-12-08 05:28 - 00000001 _____ () C:\Windows\System32\nvdrssel.bin
2014-10-29 11:29 - 2014-01-10 01:33 - 00000000 ____D () C:\Documents and Settings\Preston\Local Settings\temp
2014-10-29 11:29 - 2004-08-04 12:00 - 00013646 _____ () C:\Windows\System32\wpa.dbl
2014-10-29 11:27 - 2013-01-29 16:19 - 00000050 _____ () C:\Windows\wiaservc.log
2014-10-25 14:09 - 2012-09-04 06:43 - 00000663 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-25 00:02 - 2007-02-13 00:49 - 00000372 __RSH () C:\boot.ini
2014-10-23 20:12 - 2014-07-07 14:53 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-10-15 00:36 - 2012-01-04 04:58 - 00514560 __SHC () C:\Documents and Settings\Preston\Desktop\Thumbs.db
2014-10-15 00:33 - 2008-11-01 13:07 - 00009728 __SHC () C:\Windows\Thumbs.db
2014-10-14 01:35 - 2010-12-08 05:28 - 01421432 ____C () C:\Windows\System32\nvdrsdb0.bin
2014-10-09 02:54 - 2007-10-02 14:46 - 00000182 _____ () C:\Windows\NeroDigital.ini
2014-10-08 19:39 - 2014-01-13 06:46 - 00662840 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2014-10-02 02:59 - 2007-02-13 08:35 - 00000000 ____D () C:\Program Files\NVIDIA Corporation
2014-10-02 02:58 - 2007-02-13 00:45 - 00000000 ____D () C:\Windows\Help

Files to move or delete:
====================
C:\Documents and Settings\Preston\config.dat


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2004-08-04 12:00] - [2014-03-12 10:48] - 4756480 ____A (Microsoft Corporation) b6221eb5c423da6d675b984654bb524c
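The FRST log above uses three conventions that carry most of its diagnostic weight: a startup shortcut whose target is reported as "(No File)" and points into an Application Data path, driver entries marked "[X]" (image file not found, here one under a Temp directory), and the "Bamital & volsnap Check", where FRST prints "=> MD5 is legit" for a system file whose hash it recognises and instead prints a detail line with the file's MD5 when it does not (User32.dll in this log). The script below is an added example written for this thread, not code from FRST or from Farbar: it runs a first-pass triage over a constructed excerpt of the posted log and flags those three patterns. The severity labels and the list of user-writable directory hints are assumptions chosen for the example.

```python
import re

# Constructed sample: a handful of lines copied from the FRST log posted in this
# thread (not the whole log), covering the three FRST conventions triaged below.
SAMPLE_FRST_LOG = r"""
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
Startup: C:\Documents and Settings\Preston\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\DOCUME~1\ALLUSE~1\APPLIC~1\14616DA.cpp (No File)
==================== Drivers (Whitelisted) ====================
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [110296 2014-10-23] (Malwarebytes Corporation)
S3 AMDPCI; \??\C:\DOCUME~1\Preston\LOCALS~1\Temp\AMDPCI.sys [X]
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2004-08-04 12:00] - [2014-03-12 10:48] - 4756480 ____A (Microsoft Corporation) b6221eb5c423da6d675b984654bb524c
"""

# Assumed list of directories a startup item or driver should not normally load from
# (8.3 short names as FRST prints them on XP, plus the long forms).
USER_WRITABLE_HINTS = ("\\TEMP\\", "\\APPLIC~1\\", "\\APPLICATION DATA\\", "\\LOCALS~1\\")

SECTION_RE = re.compile(r"^=+\s+(.+?)\s+=+$")
SHORTCUT_RE = re.compile(r"^ShortcutTarget:\s*(\S+)\s*->\s*(.+?)(\s*\(No File\))?$")
MD5_RE = re.compile(r"\b([0-9a-fA-F]{32})\s*$")


def _in_user_writable_dir(path):
    return any(hint in path.upper() for hint in USER_WRITABLE_HINTS)


def triage_frst_log(text):
    """Walk the log section by section; return a list of (severity, reason, line)."""
    findings = []
    section = ""
    pending_file = None  # Bamital entry that got no "MD5 is legit" verdict, awaiting its detail line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, pending_file = m.group(1), None
            continue

        # Bamital & volsnap check: a file line without the verdict is followed by a
        # detail line ending in the file's MD5. That file needs a clean-copy comparison.
        if section.startswith("Bamital"):
            if pending_file is not None:
                h = MD5_RE.search(line)
                md5 = h.group(1) if h else "unknown"
                findings.append(("high", f"{pending_file}: hash not recognised as legitimate "
                                         f"(MD5 {md5}); compare with a clean copy of the file", line))
                pending_file = None
            elif "=> MD5 is legit" not in line:
                pending_file = line
            continue

        # Startup shortcut: flag a missing target and a target in a user-writable directory.
        m = SHORTCUT_RE.match(line)
        if m:
            name, target, missing = m.groups()
            if missing:
                findings.append(("medium", f"startup shortcut {name} points to a missing file: {target}", line))
            if _in_user_writable_dir(target):
                findings.append(("high", f"startup shortcut {name} launches from a user-writable directory", line))
            continue

        # Service/driver entries look like "S3 Name; <image path> [size date] (Vendor)" or "... [X]".
        if section.startswith(("Drivers", "Services")) and ";" in line:
            image = line.partition(";")[2].strip()
            if _in_user_writable_dir(image):
                findings.append(("high", "driver/service image under a user-writable directory", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage_frst_log(SAMPLE_FRST_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Run against the excerpt it reports four findings: the missing program.lnk target, that target's Application Data location, the AMDPCI driver image under a Temp directory, and User32.dll with its unrecognised MD5. The script is a reading aid only; whether a flagged file is actually patched is decided by comparing it with a known-clean copy, which is what the reply that follows asks for.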



#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,579 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:45 PM

Posted 30 October 2014 - 02:13 AM

Hi, good news, we found the culprit. :) We just need to search for a file first, because the infection has patched a Microsoft file which will need to be replaced.

 

Please rerun FRST and type user32.dll in the Search box. Click the Search button. When the search is done, save the log and post it in your next reply.


regards, Elise



#13 oscelot

oscelot
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:45 PM

Posted 30 October 2014 - 07:25 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-10-2014
Ran by SYSTEM on MiniXP on 30-10-2014 00:10:55
Running from D:\frst
Platform: Microsoft Windows XP (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet002
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] => RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [2593056 2014-09-13] ()
HKLM\...\Run: [NvBackend] => C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe [2461504 2014-09-17] (NVIDIA Corporation)
HKLM\...\Winlogon: [UIHost] C:\Windows\system32\logonui.exe [514560 2008-04-14] (Microsoft Corporation)
HKU\All Users\...\RunOnce: [NeroHomeFirstStart] => C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe [19752 2008-12-12] (Nero AG)
HKU\Default User\...\RunOnce: [NeroHomeFirstStart] => C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe [19752 2008-12-12] (Nero AG)
HKU\Guest\...\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe [1840424 2008-12-12] (Nero AG)
HKU\Guest\...\Run: [Aim6] => "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
HKU\Guest\...\Run: [EPLTarget\P0000000000000000] => C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_TATIIUE.EXE [249440 2012-02-27] (SEIKO EPSON CORPORATION)
HKU\Guest\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\LocalService\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\NetworkService\...\Policies\Explorer: [NoSetActiveDesktop] 0
Startup: C:\Documents and Settings\Preston\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\DOCUME~1\ALLUSE~1\APPLIC~1\14616DA.cpp (No File)

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-08-14] (SUPERAntiSpyware.com)
S4 CoordinatorServiceHost; C:\Program Files\SolidWorks\swScheduler\DTSCoordinatorService.exe [87336 2010-10-05] (Dassault Systèmes SolidWorks Corp.)
S4 Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.EXE [44032 1999-12-13] (Creative Technology Ltd)
S4 EpsonCustomerParticipation; C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe [539744 2012-05-10] (SEIKO EPSON CORPORATION)
S4 EpsonScanSvc; C:\WINDOWS\system32\EscSvc.exe [122000 2011-12-12] (Seiko Epson Corporation)
S4 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [1044816 2010-11-03] (Flexera Software, Inc.)
S4 ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe [172032 2006-09-08] ()
S4 InCDsrv; C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe [1442088 2008-08-08] (Nero AG)
S4 MoboroboDeviceService; C:\Program Files\MoboRobo\MoboroboDeviceService.exe [72184 2014-07-31] ()
S4 MSSQL$MICROSOFTSMLBIZ; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe [9158656 2008-12-18] (Microsoft Corporation)
S4 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [73728 2005-05-04] (Microsoft Corporation)
S4 msvsmon80; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2799808 2005-09-23] (Microsoft Corporation)
S4 NeroRegInCDSrv; C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [53032 2008-08-08] (Nero AG)
S4 nSvcIp; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe [172090 2006-09-08] (NVIDIA Corporation)
S4 nTuneService; C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe [118784 2007-01-22] (NVIDIA)
S2 NvNetworkService; C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe [1796928 2014-09-17] (NVIDIA Corporation)
S4 Remote Solver for Flow Simulation 2011; C:\Program Files\SolidWorks\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [89864 2010-09-08] (Mentor Graphics Corporation)
S4 RemoteAccess; C:\Windows\system32\svchost.exe [14336 2008-04-14] (Microsoft Corporation)
S4 SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [79360 2010-11-03] (SolidWorks)
S4 SQLAgent$MICROSOFTSMLBIZ; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE [323584 2005-05-04] (Microsoft Corporation)
S4 Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [1251720 2008-04-15] ()

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S1 AmdPPM; C:\Windows\System32\DRIVERS\AmdPPM.sys [33792 2007-04-17] (Advanced Micro Devices)
S3 ctdvda2k; C:\Windows\System32\drivers\ctdvda2k.sys [340176 2006-08-17] (Creative Technology Ltd)
S3 ctlsb16; C:\Windows\System32\drivers\ctlsb16.sys [96256 2001-08-17] (Copyright © Creative Technology Ltd. 1994-2001)
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [239168 2011-11-20] (DT Soft Ltd)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [371248 2009-08-27] (Symantec Corporation)
S3 ENTECH; C:\WINDOWS\system32\DRIVERS\ENTECH.sys [21664 2004-10-26] (EnTech Taiwan)
S3 ET5Drv; C:\WINDOWS\system32\Drivers\ET5Drv.sys [186584 2004-09-21] (Microsoft Corporation)
S2 Hardlock; C:\WINDOWS\system32\drivers\hardlock.sys [670208 2004-11-05] (Aladdin Knowledge Systems Ltd.)
S4 InCDfs; C:\Windows\System32\drivers\InCDFs.sys [128424 2008-08-08] (Nero AG)
S1 InCDPass; C:\Windows\System32\drivers\InCDPass.sys [38952 2008-08-08] (Nero AG)
S1 InCDRec; C:\Windows\System32\drivers\InCDRec.sys [18088 2008-08-08] (Nero AG)
S1 incdrm; C:\Windows\System32\drivers\InCDRm.sys [40488 2008-08-08] (Nero AG)
S0 JGOGO; C:\Windows\System32\DRIVERS\JGOGO.sys [6912 2006-02-07] (JMicron )
S0 JRAID; C:\Windows\System32\DRIVERS\jraid.sys [43264 2006-06-02] (JMicron Technology Corp.)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [110296 2014-10-23] (Malwarebytes Corporation)
S3 MREMP50; C:\Program Files\Common Files\Motive\MREMP50.sys [21248 2010-04-30] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\Program Files\Common Files\Motive\MRESP50.sys [20096 2010-04-30] (Printing Communications Assoc., Inc. (PCAUSA))
S3 NVENETFD; C:\Windows\System32\DRIVERS\NVENETFD.sys [52736 2006-03-22] (NVIDIA Corporation)
S3 NVHDA; C:\Windows\System32\drivers\nvhda32.sys [129184 2014-09-17] (NVIDIA Corporation)
S3 nvnetbus; C:\Windows\System32\DRIVERS\nvnetbus.sys [18944 2006-03-22] (NVIDIA Corporation)
S3 NVR0Dev; C:\WINDOWS\nvoclock.sys [6912 2007-01-22] (NVidia Corp.)
S1 NVTCP; C:\Windows\System32\DRIVERS\NVTcp.sys [109568 2006-03-22] (NVIDIA Corporation)
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 sftfs; C:\Program Files\Microsoft Application Virtualization Client\drivers\sftfsXP.sys [543064 2009-09-23] (Microsoft Corporation)
S3 sftplay; C:\Program Files\Microsoft Application Virtualization Client\drivers\sftplayXP.sys [190312 2009-09-23] (Microsoft Corporation)
S3 Sftredir; C:\Windows\System32\DRIVERS\Sftredirxp.sys [21864 2009-09-23] (Microsoft Corporation)
S3 sftvol; C:\Program Files\Microsoft Application Virtualization Client\drivers\sftvolXP.sys [14680 2009-09-23] (Microsoft Corporation)
S4 sptd; C:\Windows\System32\Drivers\sptd.sys [691696 2010-11-02] (Duplex Secure Ltd.)
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [13464 2013-06-24] ()
S2 symlcbrd; C:\WINDOWS\system32\drivers\symlcbrd.sys [10344 2007-02-13] (Symantec Corporation)
S3 TunRDriverV32; C:\Windows\System32\drivers\TunRDriverV32.sys [506496 2008-03-13] (Windows ® 2000/XP)
S3 TunRVideo32; C:\Windows\System32\DRIVERS\TunRVideo32.sys [3768 2008-03-13] (Windows ® 2000 DDK provider)
S3 AgereSoftModem; system32\DRIVERS\AGRSM.sys [X]
S0 AmdAcpi; No ImagePath
S1 AmdK8; system32\DRIVERS\AmdK8.sys [X]
S3 AmdLLD; system32\DRIVERS\AmdLLD.sys [X]
S3 AMDPCI; \??\C:\DOCUME~1\Preston\LOCALS~1\Temp\AMDPCI.sys [X]
S3 amdtools; No ImagePath
S3 dgderdrv; System32\drivers\dgderdrv.sys [X]
S3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [X]
S3 hitmanpro36; \??\C:\WINDOWS\system32\drivers\hitmanpro36.sys [X]
S3 IntcAzAudAddService; system32\drivers\RtkHDAud.sys [X]
S4 IntelIde; No ImagePath
S3 mcdbus; No ImagePath
S1 MoboroboAssDriver; system32\drivers\MoboroboAssDriver.sys [X]
S3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [X]
S3 RimUsb; System32\Drivers\RimUsb.sys [X]
S1 SBRE; \??\C:\WINDOWS\system32\drivers\SBREdrv.sys [X]
S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S0 sqcfvcsa; System32\drivers\vpss.sys [X]
S3 SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\SCFIDS~1\20100402.001\symidsco.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-30 00:10 - 2014-10-30 00:10 - 00000000 ____D () C:\FRST
2014-10-29 22:50 - 2014-10-29 22:50 - 01105408 _____ (Farbar) C:\Windows\FRST.exe
2014-10-29 07:36 - 2014-10-29 07:36 - 01104896 _____ (Farbar) C:\Documents and Settings\Preston\Desktop\FRST.exe
2014-10-29 07:23 - 2014-10-29 07:23 - 00388608 _____ (Trend Micro Inc.) C:\Documents and Settings\Preston\Desktop\HijackThis.exe
2014-10-29 07:23 - 2014-10-29 07:23 - 00002313 _____ () C:\Documents and Settings\Preston\Desktop\hijackthis.log
2014-10-29 07:19 - 2014-10-29 07:19 - 00688992 ____R (Swearware) C:\Documents and Settings\Preston\Desktop\dds.com
2014-10-28 21:17 - 2014-10-28 21:17 - 04181856 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\Preston\Desktop\tdsskiller.exe
2014-10-28 13:44 - 2014-10-28 13:44 - 00021504 _____ () C:\Documents and Settings\Preston\Desktop\Uninstall.dat
2014-10-28 13:44 - 2014-10-28 13:44 - 00002576 _____ () C:\Documents and Settings\Preston\Desktop\Uninstall.dat-journal
2014-10-28 13:43 - 2014-10-28 13:43 - 00000000 ____D () C:\Documents and Settings\Preston\Desktop\Plugins
2014-10-28 11:23 - 2014-10-28 11:30 - 164258168 _____ () C:\Documents and Settings\Preston\Desktop\setup_11.0.3.8.x01_2014_10_28_17_28.exe
2014-10-28 10:40 - 2014-10-28 10:40 - 00000000 ____D () C:\Documents and Settings\Preston\Desktop\ImageWriter
2014-10-28 10:24 - 2014-10-28 10:33 - 158404608 _____ () C:\Documents and Settings\Preston\Desktop\trinity-rescue-kit.3.4-build-372.iso
2014-10-28 09:41 - 2014-10-28 10:06 - 00000000 ____D () C:\Documents and Settings\Preston\Desktop\sardu
2014-10-28 04:57 - 2014-10-28 04:57 - 12290974 _____ (ImageWriter Developers ) C:\Documents and Settings\Preston\Desktop\Win32DiskImager-0.9.5-install.exe
2014-10-28 03:56 - 2014-10-28 03:58 - 00000000 ____D () C:\Documents and Settings\Preston\Desktop\kaspersky
2014-10-28 03:53 - 2014-10-28 03:53 - 00387584 _____ () C:\Documents and Settings\Preston\Desktop\rescue2usb.exe
2014-10-28 03:20 - 2014-10-28 03:20 - 01088549 _____ (pendrivelinux.com) C:\Documents and Settings\Preston\Desktop\Universal-USB-Installer-1.9.5.6.exe
2014-10-28 02:02 - 2014-10-28 02:14 - 308711424 _____ () C:\Documents and Settings\Preston\Desktop\kav_rescue_10.iso
2014-10-28 01:57 - 2014-10-28 01:57 - 00000000 ____D () C:\Documents and Settings\Preston\Desktop\[BOOT]
2014-10-28 01:55 - 2014-10-28 01:57 - 00000000 ____D () C:\Documents and Settings\Preston\Desktop\rescue
2014-10-28 01:55 - 2013-03-02 21:00 - 00000000 _____ () C:\Documents and Settings\Preston\Desktop\livecd
2014-10-28 01:55 - 2013-02-27 21:00 - 00002048 _____ () C:\Documents and Settings\Preston\Desktop\boot.catalog
2014-10-28 01:55 - 2013-01-30 21:00 - 02949120 _____ () C:\Documents and Settings\Preston\Desktop\efi.img
2014-10-25 14:28 - 2014-10-25 14:29 - 16281688 _____ () C:\Documents and Settings\Preston\Desktop\RogueKiller.exe
2014-10-25 13:34 - 2014-10-25 13:41 - 163861200 _____ () C:\Program Files\setup_11.0.3.8.x01_2014_10_25_20_28.exe
2014-10-02 03:05 - 2014-10-02 03:05 - 00000000 ____D () C:\Documents and Settings\Preston\Local Settings\Application Data\NVIDIA
2014-10-02 03:04 - 2014-10-23 20:14 - 00001474 _____ () C:\Windows\System32\nvAppTimestamps
2014-10-02 02:59 - 2014-10-02 02:59 - 00000000 ____D () C:\Program Files\AGEIA Technologies
2014-10-02 02:58 - 2014-10-02 02:58 - 00000000 _____ () C:\Windows\setuperr.log
2014-10-02 02:58 - 2014-10-02 02:58 - 00000000 _____ () C:\Windows\setupact.log
2014-10-02 02:58 - 2014-09-17 04:47 - 00906048 _____ (NVIDIA Corporation) C:\Windows\System32\nvhdagenco3220103.dll
2014-10-02 02:58 - 2014-09-17 04:47 - 00129184 _____ (NVIDIA Corporation) C:\Windows\System32\Drivers\nvhda32.sys
2014-10-02 02:58 - 2014-09-17 04:47 - 00028448 _____ (NVIDIA Corporation) C:\Windows\System32\nvhdap32.dll
2014-10-02 02:58 - 2014-09-13 23:33 - 11276288 _____ (NVIDIA Corporation) C:\Windows\System32\nvopencl.dll
2014-10-02 02:58 - 2014-09-13 23:33 - 01933532 _____ () C:\Windows\System32\nvdata.data
2014-10-02 02:58 - 2014-09-13 23:33 - 01041096 _____ (NVIDIA Corporation) C:\Windows\System32\nvdispco3234411.dll
2014-10-02 02:58 - 2014-09-13 23:33 - 00907592 _____ (NVIDIA Corporation) C:\Windows\System32\nvdispgenco3234411.dll
2014-10-02 02:58 - 2014-09-13 23:33 - 00361672 _____ (NVIDIA Corporation) C:\Windows\System32\nvEncodeAPI.dll
2014-10-02 02:58 - 2014-09-11 12:43 - 03961833 _____ () C:\Windows\System32\nvcoproc.bin
2014-10-02 02:57 - 2014-10-02 02:57 - 00000000 ____D () C:\NVIDIA
2014-10-02 02:17 - 2014-10-29 11:29 - 00206565 _____ () C:\Windows\setupapi.log
2014-10-01 20:09 - 2014-10-01 20:09 - 06692632 _____ (SUPERAntiSpyware) C:\Documents and Settings\Preston\Desktop\SUPERAntiSpyware.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-29 11:40 - 2013-02-14 08:18 - 00002064 _____ () C:\Windows\System32\settingsbkup.sfm
2014-10-29 11:40 - 2013-02-14 08:18 - 00002064 _____ () C:\Windows\System32\settings.sfm
2014-10-29 11:39 - 2013-12-20 19:09 - 01456068 _____ () C:\Windows\WindowsUpdate.log
2014-10-29 11:39 - 2013-01-29 16:19 - 00032610 _____ () C:\Windows\SchedLgU.Txt
2014-10-29 11:39 - 2013-01-29 16:19 - 00000216 _____ () C:\Windows\wiadebug.log
2014-10-29 11:39 - 2007-02-13 07:13 - 00000278 __SHC () C:\Documents and Settings\Preston\ntuser.ini
2014-10-29 11:31 - 2007-02-13 00:53 - 00661630 ____C () C:\Windows\System32\PerfStringBackup.INI
2014-10-29 11:30 - 2010-12-08 05:28 - 01425252 _____ () C:\Windows\System32\nvdrsdb1.bin
2014-10-29 11:30 - 2010-12-08 05:28 - 00000001 _____ () C:\Windows\System32\nvdrssel.bin
2014-10-29 11:29 - 2014-01-10 01:33 - 00000000 ____D () C:\Documents and Settings\Preston\Local Settings\temp
2014-10-29 11:29 - 2004-08-04 12:00 - 00013646 _____ () C:\Windows\System32\wpa.dbl
2014-10-29 11:27 - 2013-01-29 16:19 - 00000050 _____ () C:\Windows\wiaservc.log
2014-10-25 14:09 - 2012-09-04 06:43 - 00000663 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-25 00:02 - 2007-02-13 00:49 - 00000372 __RSH () C:\boot.ini
2014-10-23 20:12 - 2014-07-07 14:53 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-10-15 00:36 - 2012-01-04 04:58 - 00514560 __SHC () C:\Documents and Settings\Preston\Desktop\Thumbs.db
2014-10-15 00:33 - 2008-11-01 13:07 - 00009728 __SHC () C:\Windows\Thumbs.db
2014-10-14 01:35 - 2010-12-08 05:28 - 01421432 ____C () C:\Windows\System32\nvdrsdb0.bin
2014-10-09 02:54 - 2007-10-02 14:46 - 00000182 _____ () C:\Windows\NeroDigital.ini
2014-10-08 19:39 - 2014-01-13 06:46 - 00662840 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2014-10-02 02:59 - 2007-02-13 08:35 - 00000000 ____D () C:\Program Files\NVIDIA Corporation
2014-10-02 02:58 - 2007-02-13 00:45 - 00000000 ____D () C:\Windows\Help

Files to move or delete:
====================
C:\Documents and Settings\Preston\config.dat


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2004-08-04 12:00] - [2014-03-12 10:48] - 4756480 ____A (Microsoft Corporation) b6221eb5c423da6d675b984654bb524c
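The "Bamital & volsnap Check" above is where the patched file shows: every verified file ends in "=> MD5 is legit", while user32.dll is printed as a bare path followed by a detail line with its dates and hash. As an added example (my own code, not part of this thread or of FRST), here is a small parser that pulls those unverified entries out of an FRST log so a triager can read the modification date and MD5 at a glance; the sample section is the one posted above, and the regex and function names are assumptions of mine.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the "Bamital & volsnap Check" section exactly as posted
# in this thread (reply #13). Files that pass verification end in
# "=> MD5 is legit"; a file that fails is printed as a bare path followed by
# a detail line: [created] - [modified] - size attributes (company) md5.
SAMPLE_SECTION = r"""
==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2004-08-04 12:00] - [2014-03-12 10:48] - 4756480 ____A (Microsoft Corporation) b6221eb5c423da6d675b984654bb524c
"""

# Field layout of the detail line FRST prints under an unverified file
# (assumed from the sample above; field names are my own).
DETAIL_RE = re.compile(
    r"^\[(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] - "
    r"\[(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9a-fA-F]{32})$"
)

FIELDS = ("created", "modified", "size", "attrs", "company", "md5")


def unverified_files(section: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per file that FRST could not verify in the section.

    Header lines ('====...'), the parenthetical note and blank lines are
    skipped. A path line ending in '=> MD5 is legit' passed and is skipped.
    Any other path line is an unverified file; if the next line matches
    DETAIL_RE its fields are attached, so the triager can compare the
    modification date and hash against a known-good copy of the file.
    """
    lines = [ln.rstrip() for ln in section.splitlines()]
    flagged: List[Dict[str, Optional[str]]] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line or line.startswith(("=", "(", "[")):
            continue  # header, note, blank, or a stray detail line
        if line.endswith("=> MD5 is legit"):
            continue  # passed verification
        record: Dict[str, Optional[str]] = {"path": line}
        record.update({f: None for f in FIELDS})
        if i < len(lines):
            m = DETAIL_RE.match(lines[i])
            if m:
                record.update(m.groupdict())
                i += 1
        flagged.append(record)
    return flagged


if __name__ == "__main__":
    for rec in unverified_files(SAMPLE_SECTION):
        print(f"UNVERIFIED {rec['path']}: modified {rec['modified']} "
              f"(created {rec['created']}), md5 {rec['md5']}")
```

On the sample it flags only User32.dll, modified on 2014-03-12 against a 2004 creation date, which is the "patched Microsoft file" Elise refers to; the hash itself is only meaningful when compared with a known-good copy from the same service pack.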



#14 oscelot

oscelot
  • Topic Starter

  • Members
  • 26 posts

Posted 30 October 2014 - 07:26 AM

That is great news! I can't wait to get back up and running.

 

Thank you!



#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,579 posts
  • Gender:Female
  • Location:Romania

Posted 30 October 2014 - 07:29 AM

You clicked the Scan button this time; after entering the file name in the Search box, you need to click the Search button instead. :)


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft




