Crowti and other trojans, constant update flash player prompts, etc.


61 replies to this topic

#1 blahx

Posted 29 October 2014 - 02:00 AM

Hi,

 

The problem started a few days ago with prompts to debug webpage every time I used IE.

After I entered safe mode today and ran malwarebytes then deleted several Trojan files and registry values, the problem escalated.

When I restarted to normal mode, MSE kept popping up for Crowti detections. 

Several of my file folders became corrupted with a new internet shortcut "INSTALL_TOR" in the folder.

My computer is running very slow and when I open task manager, it indicates a long list of programs are running but the list automatically disappears after a few seconds. 

 

Please help!

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17344
Run by Zach at 2:37:41 on 2014-10-29
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2022.494 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FileOpen\Services\FileOpenManagerSvc32.exe
C:\Program Files\Ralink\Common\RaRegistry.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\FileOpen\Services\FileOpenBroker32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Ralink\Common\RaUI.exe
C:\Users\Zach\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_13_0_0_182_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_13_0_0_182_ActiveX.exe
C:\Program Files\Microsoft\BingBar\7.3.132.0\SeaPort.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_13_0_0_182_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_13_0_0_182_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_13_0_0_182_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\IEEtwCollector.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Zach\AppData\Local\Temp\nsw9392.tmp\nsF476.tmp
C:\Windows\system32\conhost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Zach\AppData\Local\Temp\nsw9392.tmp\PEV.DAT
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k WindowsMobile
.
============== Pseudo HJT Report ===============
.
BHO: Upromise RewardU Toolbar BHO: {2E1946E4-D51E-6074-C16F-ED7E0D98A8E4} - c:\program files\upromise rewardu toolbar\Upromise RewardU Toolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.3.132.0\BingExt.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Upromise RewardU Toolbar: {BCB2559D-DE26-E8F4-D552-AE05CE2BAC69} - c:\program files\upromise rewardu toolbar\Upromise RewardU Toolbar.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Upromise RewardU Toolbar: {BCB2559D-DE26-E8F4-D552-AE05CE2BAC69} - c:\program files\upromise rewardu toolbar\Upromise RewardU Toolbar.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\microsoft\bingbar\7.3.132.0\BingExt.dll
EB: Developer Tools: {1A6FE369-F28C-4AD9-A3E6-2BCB50807CF1} - c:\program files\internet explorer\iedvtool.dll
uRun: [Adobe Acrobat Synchronizer] "c:\program files\adobe\acrobat 10.0\acrobat\AdobeCollabSync.exe"
uRun: [ChromeUpdate] c:\users\zach\appdata\roaming\ChromeUpdate.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
mRun: [Windows Mobile-based device management] c:\windows\windowsmobile\wmdcBase.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [FileOpenBroker] c:\program files\fileopen\services\FileOpenBroker32.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\zach\appdata\roaming\microsoft\windows\start menu\programs\startup\3041764.exe
StartupFolder: c:\users\zach\appdata\roaming\microsoft\windows\start menu\programs\startup\3041764.exe.vir
StartupFolder: c:\users\zach\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\zach\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{04BEC125-0481-4449-902C-7058C17533EA} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{04BEC125-0481-4449-902C-7058C17533EA}\75966696 : DHCPNameServer = 192.168.15.1
TCP: Interfaces\{04BEC125-0481-4449-902C-7058C17533EA}\E4F4B4941402930393F543335323 : DHCPNameServer = 192.168.137.1
TCP: Interfaces\{5C1C9C3B-6B8C-4841-9F08-F297C63F06A3} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{BC4C7B45-2BF1-4062-9A56-017673EAB2A2} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{C1A2196D-FB3D-412C-87F2-6F1E9F3224FA} : DHCPNameServer = 192.168.15.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\38.0.2125.104\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 amacpi;Microsoft Away Mode System;c:\windows\system32\drivers\null.sys [2009-7-13 4608]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-7-17 231800]
R1 MpKsl1231bfab;MpKsl1231bfab;c:\programdata\microsoft\microsoft antimalware\definition updates\{34ab4c6e-fd5f-47ef-9c29-361843884484}\MpKsl1231bfab.sys [2014-10-29 39464]
R1 MpKsl83602391;MpKsl83602391;c:\programdata\microsoft\microsoft antimalware\definition updates\{34ab4c6e-fd5f-47ef-9c29-361843884484}\MpKsl83602391.sys [2014-10-28 39464]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-6-30 114904]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-5-16 39272]
S3 netr28u;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\netr28u.sys [2014-4-11 1228864]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 95920]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2014-10-27 49152]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2014-10-29 05:37:41 62576 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{34ab4c6e-fd5f-47ef-9c29-361843884484}\offreg.dll
2014-10-29 05:35:26 39464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{34ab4c6e-fd5f-47ef-9c29-361843884484}\MpKsl1231bfab.sys
2014-10-29 00:32:44 39464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{34ab4c6e-fd5f-47ef-9c29-361843884484}\MpKsl83602391.sys
2014-10-29 00:17:18 130048 ----a-w- c:\users\zach\appdata\roaming\microsoft\windows\start menu\programs\startup\3041764.exe
2014-10-29 00:15:00 -------- d-----w- c:\users\zach\appdata\roaming\Kineciep
2014-10-29 00:14:39 -------- d-----w- c:\users\zach\appdata\roaming\Ehicebny
2014-10-29 00:14:21 87200 ----a-w- c:\programdata\wrnhoah.tmp
2014-10-29 00:13:47 14939468 ----a-w- c:\users\zach\appdata\roaming\ChromeUpdate.exe
2014-10-29 00:10:33 130048 ----a-w- c:\users\zach\appdata\roaming\microsoft\windows\start menu\programs\startup\3041764.exe.vir
2014-10-29 00:10:24 130048 ----a-w- c:\users\zach\appdata\roaming\3041764.exe
2014-10-29 00:10:19 -------- d--h--w- C:\3041764
2014-10-28 23:57:38 8901368 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{34ab4c6e-fd5f-47ef-9c29-361843884484}\mpengine.dll
2014-10-28 01:52:06 8901368 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-10-27 22:54:43 5703168 ----a-w- c:\windows\system32\mstscax.dll
2014-10-27 07:53:11 -------- d-----w- c:\windows\rescache
2014-10-27 04:54:55 32256 ----a-w- c:\windows\system32\TsUsbGDCoInstaller.dll
2014-10-27 04:54:51 12800 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2014-10-27 04:54:50 49152 ----a-w- c:\windows\system32\drivers\TsUsbFlt.sys
2014-10-27 04:54:49 855552 ----a-w- c:\windows\system32\rdvidcrl.dll
2014-10-27 04:54:49 53248 ----a-w- c:\windows\system32\tsgqec.dll
2014-10-27 04:54:49 50176 ----a-w- c:\windows\system32\MsRdpWebAccess.dll
2014-10-27 04:54:49 17920 ----a-w- c:\windows\system32\wksprtPS.dll
2014-10-27 04:54:49 14336 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2014-10-27 04:54:48 76288 ----a-w- c:\windows\system32\TSWbPrxy.exe
2014-10-27 04:54:48 350208 ----a-w- c:\windows\system32\wksprt.exe
2014-10-27 04:54:48 1068544 ----a-w- c:\windows\system32\mstsc.exe
2014-10-26 02:58:26 0 ----a-w- c:\windows\system32\opmkzb.dll
2014-10-26 02:58:19 38912 ----a-w- c:\windows\system32\vtjfe.dll
2014-10-15 20:44:21 372736 ----a-w- c:\windows\system32\rastls.dll
2014-10-15 20:44:17 156824 ----a-w- c:\windows\system32\mscorier.dll
2014-10-15 20:44:17 1131664 ----a-w- c:\windows\system32\dfshim.dll
2014-10-15 20:44:16 81560 ----a-w- c:\windows\system32\mscories.dll
2014-10-15 20:44:03 523264 ----a-w- c:\windows\system32\termsrv.dll
2014-10-15 20:44:02 304128 ----a-w- c:\windows\system32\winlogon.exe
2014-10-15 20:44:02 157696 ----a-w- c:\windows\system32\winsta.dll
2014-10-15 20:44:01 130048 ----a-w- c:\windows\system32\rdpcorekmts.dll
2014-10-15 20:44:00 184320 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2014-10-15 20:43:59 65536 ----a-w- c:\windows\system32\TSpkg.dll
2014-10-15 20:43:59 17408 ----a-w- c:\windows\system32\credssp.dll
2014-10-15 20:43:58 31232 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2014-10-15 20:43:34 2363904 ----a-w- c:\windows\system32\msi.dll
2014-10-15 20:43:23 67072 ----a-w- c:\windows\system32\packager.dll
2014-10-01 19:35:08 908840 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{075e8617-8903-432b-a309-1212cbc3fda7}\gapaengine.dll
2014-10-01 00:09:05 519680 ----a-w- c:\windows\system32\qdvd.dll
.
==================== Find3M  ====================
.
2014-10-29 05:51:10 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-10 01:44:58 230912 ----a-w- c:\windows\system32\generaltel.dll
2014-10-10 01:44:35 396288 ----a-w- c:\windows\system32\aepdu.dll
2014-10-10 01:39:38 302592 ----a-w- c:\windows\system32\aeinv.dll
2014-10-01 15:11:24 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-10-01 15:11:14 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-10-01 15:11:10 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-09-29 00:41:36 2379264 ----a-w- c:\windows\system32\win32k.sys
2014-09-25 22:32:04 2017280 ----a-w- c:\windows\system32\inetcpl.cpl
2014-09-22 06:41:56 231568 ------w- c:\windows\system32\MpSigStub.exe
2014-09-19 01:25:12 4201472 ----a-w- c:\windows\system32\jscript9.dll
2014-09-19 01:14:57 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-09-19 01:14:44 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-09-19 01:02:07 454656 ----a-w- c:\windows\system32\vbscript.dll
2014-09-19 01:01:47 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-09-19 01:01:03 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-09-19 00:59:40 61952 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-09-19 00:50:16 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-09-19 00:50:15 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-09-19 00:49:31 597504 ----a-w- c:\windows\system32\jscript9diag.dll
2014-09-19 00:44:23 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-09-19 00:36:23 60416 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-09-19 00:18:55 1068032 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-09-18 23:59:11 1810944 ----a-w- c:\windows\system32\wininet.dll
2014-09-09 21:47:10 2048 ----a-w- c:\windows\system32\tzres.dll
2014-08-23 01:46:55 305152 ----a-w- c:\windows\system32\gdi32.dll
2014-08-01 11:35:06 793600 ----a-w- c:\windows\system32\TSWorkspace.dll
.
============= FINISH:  2:44:14.79 ===============
 

#2 HelpBot

Posted 03 November 2014 - 02:05 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/553794 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 blahx

Posted 03 November 2014 - 01:00 PM

Hi!
 
I haven't done anything to my computer since my last post, but a few things to add.
When I start the computer, a window pops up that says 3041764.exe.vir fails to launch.
My computer files have been encrypted by Cryptowall 2.0, but the ransom letter has disappeared from my desktop and the website fails to launch due to security issues.
And my Microsoft Security Center service is turned off but I can't turn it back on.
 
Thanks!
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17344
Run by Zach at 12:42:29 on 2014-11-03
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2022.1018 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Microsoft\BingBar\7.3.132.0\BBSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\Explorer.EXE
C:\Program Files\FileOpen\Services\FileOpenManagerSvc32.exe
C:\Windows\system32\msiexec.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Ralink\Common\RaRegistry.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\FileOpen\Services\FileOpenBroker32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Ralink\Common\RaUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Users\Zach\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
BHO: Upromise RewardU Toolbar BHO: {2E1946E4-D51E-6074-C16F-ED7E0D98A8E4} - c:\program files\upromise rewardu toolbar\Upromise RewardU Toolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.3.132.0\BingExt.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Upromise RewardU Toolbar: {BCB2559D-DE26-E8F4-D552-AE05CE2BAC69} - c:\program files\upromise rewardu toolbar\Upromise RewardU Toolbar.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Upromise RewardU Toolbar: {BCB2559D-DE26-E8F4-D552-AE05CE2BAC69} - c:\program files\upromise rewardu toolbar\Upromise RewardU Toolbar.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\microsoft\bingbar\7.3.132.0\BingExt.dll
EB: Developer Tools: {1A6FE369-F28C-4AD9-A3E6-2BCB50807CF1} - c:\program files\internet explorer\iedvtool.dll
uRun: [Adobe Acrobat Synchronizer] "c:\program files\adobe\acrobat 10.0\acrobat\AdobeCollabSync.exe"
uRun: [ChromeUpdate] c:\users\zach\appdata\roaming\ChromeUpdate.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
mRun: [Windows Mobile-based device management] c:\windows\windowsmobile\wmdcBase.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [FileOpenBroker] c:\program files\fileopen\services\FileOpenBroker32.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\zach\appdata\roaming\microsoft\windows\start menu\programs\startup\3041764.exe.vir
StartupFolder: c:\users\zach\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\zach\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\zach\appdata\roaming\microsoft\windows\start menu\programs\startup\INSTALL_TOR.URL
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{04BEC125-0481-4449-902C-7058C17533EA} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{04BEC125-0481-4449-902C-7058C17533EA}\75966696 : DHCPNameServer = 192.168.15.1
TCP: Interfaces\{04BEC125-0481-4449-902C-7058C17533EA}\E4F4B4941402930393F543335323 : DHCPNameServer = 192.168.137.1
TCP: Interfaces\{5C1C9C3B-6B8C-4841-9F08-F297C63F06A3} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{BC4C7B45-2BF1-4062-9A56-017673EAB2A2} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{C1A2196D-FB3D-412C-87F2-6F1E9F3224FA} : DHCPNameServer = 192.168.15.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\38.0.2125.104\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 amacpi;Microsoft Away Mode System;c:\windows\system32\drivers\null.sys [2009-7-13 4608]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-7-17 231800]
R1 MpKsl877b66ec;MpKsl877b66ec;c:\programdata\microsoft\microsoft antimalware\definition updates\{34ab4c6e-fd5f-47ef-9c29-361843884484}\MpKsl877b66ec.sys [2014-11-3 39464]
R2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.3.132.0\BBSvc.EXE [2014-3-11 193696]
R2 FileOpenManagerSvc;FileOpen Manager Service;c:\program files\fileopen\services\FileOpenManagerSvc32.exe [2012-4-30 213888]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 95920]
R2 RalinkRegistryWriter;RalinkRegistryWriter;c:\program files\ralink\common\RaRegistry.exe [2014-4-11 375872]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-8-22 288120]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.3.132.0\SeaPort.EXE [2014-3-11 247968]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-5-16 39272]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-10-15 108032]
S3 netr28u;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\netr28u.sys [2014-4-11 1228864]
S3 RaMediaServer;RaMediaServer;c:\program files\ralink\common\RaMediaServer.exe [2014-4-11 621632]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2014-10-26 49152]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-11-20 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2014-11-03 17:42:51 62576 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{34ab4c6e-fd5f-47ef-9c29-361843884484}\offreg.dll
2014-11-03 17:40:47 39464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{34ab4c6e-fd5f-47ef-9c29-361843884484}\MpKsl877b66ec.sys
2014-10-29 00:15:00 -------- d-----w- c:\users\zach\appdata\roaming\Kineciep
2014-10-29 00:14:39 -------- d-----w- c:\users\zach\appdata\roaming\Ehicebny
2014-10-29 00:14:21 87200 ----a-w- c:\programdata\wrnhoah.tmp
2014-10-29 00:13:47 14939468 ----a-w- c:\users\zach\appdata\roaming\ChromeUpdate.exe
2014-10-29 00:10:33 130048 ----a-w- c:\users\zach\appdata\roaming\microsoft\windows\start menu\programs\startup\3041764.exe.vir
2014-10-28 23:57:38 8901368 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{34ab4c6e-fd5f-47ef-9c29-361843884484}\mpengine.dll
2014-10-28 01:52:06 8901368 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-10-27 22:54:43 5703168 ----a-w- c:\windows\system32\mstscax.dll
2014-10-27 07:53:11 -------- d-----w- c:\windows\rescache
2014-10-27 04:54:55 32256 ----a-w- c:\windows\system32\TsUsbGDCoInstaller.dll
2014-10-27 04:54:51 12800 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2014-10-27 04:54:50 49152 ----a-w- c:\windows\system32\drivers\TsUsbFlt.sys
2014-10-27 04:54:49 855552 ----a-w- c:\windows\system32\rdvidcrl.dll
2014-10-27 04:54:49 53248 ----a-w- c:\windows\system32\tsgqec.dll
2014-10-27 04:54:49 50176 ----a-w- c:\windows\system32\MsRdpWebAccess.dll
2014-10-27 04:54:49 17920 ----a-w- c:\windows\system32\wksprtPS.dll
2014-10-27 04:54:49 14336 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2014-10-27 04:54:48 76288 ----a-w- c:\windows\system32\TSWbPrxy.exe
2014-10-27 04:54:48 350208 ----a-w- c:\windows\system32\wksprt.exe
2014-10-27 04:54:48 1068544 ----a-w- c:\windows\system32\mstsc.exe
2014-10-26 02:58:26 0 ----a-w- c:\windows\system32\opmkzb.dll
2014-10-26 02:58:19 38912 ----a-w- c:\windows\system32\vtjfe.dll
2014-10-15 20:44:21 372736 ----a-w- c:\windows\system32\rastls.dll
2014-10-15 20:44:17 156824 ----a-w- c:\windows\system32\mscorier.dll
2014-10-15 20:44:17 1131664 ----a-w- c:\windows\system32\dfshim.dll
2014-10-15 20:44:16 81560 ----a-w- c:\windows\system32\mscories.dll
2014-10-15 20:44:03 523264 ----a-w- c:\windows\system32\termsrv.dll
2014-10-15 20:44:02 304128 ----a-w- c:\windows\system32\winlogon.exe
2014-10-15 20:44:02 157696 ----a-w- c:\windows\system32\winsta.dll
2014-10-15 20:44:01 130048 ----a-w- c:\windows\system32\rdpcorekmts.dll
2014-10-15 20:44:00 184320 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2014-10-15 20:43:59 65536 ----a-w- c:\windows\system32\TSpkg.dll
2014-10-15 20:43:59 17408 ----a-w- c:\windows\system32\credssp.dll
2014-10-15 20:43:58 31232 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2014-10-15 20:43:34 2363904 ----a-w- c:\windows\system32\msi.dll
2014-10-15 20:43:23 67072 ----a-w- c:\windows\system32\packager.dll
.
==================== Find3M  ====================
.
2014-10-29 05:51:10 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-10 01:44:58 230912 ----a-w- c:\windows\system32\generaltel.dll
2014-10-10 01:44:35 396288 ----a-w- c:\windows\system32\aepdu.dll
2014-10-10 01:39:38 302592 ----a-w- c:\windows\system32\aeinv.dll
2014-10-01 15:11:24 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-10-01 15:11:14 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-10-01 15:11:10 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-09-29 00:41:36 2379264 ----a-w- c:\windows\system32\win32k.sys
2014-09-25 22:32:04 2017280 ----a-w- c:\windows\system32\inetcpl.cpl
2014-09-25 01:40:50 519680 ----a-w- c:\windows\system32\qdvd.dll
2014-09-22 06:41:56 231568 ------w- c:\windows\system32\MpSigStub.exe
2014-09-19 01:25:12 4201472 ----a-w- c:\windows\system32\jscript9.dll
2014-09-19 01:14:57 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-09-19 01:14:44 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-09-19 01:02:07 454656 ----a-w- c:\windows\system32\vbscript.dll
2014-09-19 01:01:47 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-09-19 01:01:03 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-09-19 00:59:40 61952 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-09-19 00:50:16 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-09-19 00:50:15 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-09-19 00:49:31 597504 ----a-w- c:\windows\system32\jscript9diag.dll
2014-09-19 00:44:23 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-09-19 00:36:23 60416 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-09-19 00:18:55 1068032 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-09-18 23:59:11 1810944 ----a-w- c:\windows\system32\wininet.dll
2014-09-09 21:47:10 2048 ----a-w- c:\windows\system32\tzres.dll
2014-08-23 01:46:55 305152 ----a-w- c:\windows\system32\gdi32.dll
.
============= FINISH: 12:45:11.93 ===============

#4 nasdaq

  • Malware Response Team
  • 38,953 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 November 2014 - 09:09 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This is the infection we are dealing with.
Read it carefully.
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

Do you have a good backup image that you can use to restore your files?
===

Remove these two items from your Startup folder.

StartupFolder: c:\users\zach\appdata\roaming\microsoft\windows\start menu\programs\startup\3041764.exe.vir
StartupFolder: c:\users\zach\appdata\roaming\microsoft\windows\start menu\programs\startup\INSTALL_TOR.URL

Restart the computer normally.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file, select the "More Reply Option" and follow the instructions.


Wait for further instructions.

#5 blahx (Topic Starter)

  • Members
  • 30 posts

Posted 05 November 2014 - 10:53 AM

Thanks Nasdaq!
I have read through the Cryptowall 2.0 information and support topic.
I don't have backups for most of the files, and I do understand that I'll probably never recover them.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 04-11-2014
Ran by Zach (administrator) on ZACH-PC on 05-11-2014 10:31:50
Running from C:\Users\Zach\Desktop
Loaded Profile: Zach (Available profiles: Zach & Guest)
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation.) C:\Program Files\Microsoft\BingBar\7.3.132.0\BBSvc.EXE
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(FileOpen Systems Inc.) C:\Program Files\FileOpen\Services\FileOpenManagerSvc32.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Ralink Technology, Corp.) C:\Program Files\Ralink\Common\RaRegistry.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Adobe Systems Inc.) C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(Microsoft Corporation) C:\Windows\WindowsMobile\wmdcBase.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(FileOpen Systems Inc.) C:\Program Files\FileOpen\Services\FileOpenBroker32.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Ralink Technology, Corp.) C:\Program Files\Ralink\Common\RaUI.exe
(Dropbox, Inc.) C:\Users\Zach\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_13_0_0_182_ActiveX.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_13_0_0_182_ActiveX.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_13_0_0_182_ActiveX.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_13_0_0_182_ActiveX.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_13_0_0_182_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\ieetwcollector.exe
(Microsoft Corporation) C:\Windows\System32\extrac32.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [41360 2014-09-04] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] => C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [840592 2014-09-04] (Adobe Systems Inc.)
HKLM\...\Run: [Windows Mobile-based device management] => C:\Windows\WindowsMobile\wmdcBase.exe [648072 2007-05-31] (Microsoft Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [FileOpenBroker] => C:\Program Files\FileOpen\Services\FileOpenBroker32.exe [836480 2012-04-30] (FileOpen Systems Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-05-15] (Apple Inc.)
HKU\S-1-5-21-42790080-3355320830-272773808-1000\...\Run: [Adobe Acrobat Synchronizer] => C:\Program Files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe [1104288 2014-09-04] (Adobe Systems Incorporated)
HKU\S-1-5-21-42790080-3355320830-272773808-1000\...\Run: [ChromeUpdate] => C:\Users\Zach\AppData\Roaming\ChromeUpdate.exe [14939468 2014-10-28] ()
HKU\S-1-5-21-42790080-3355320830-272773808-1000\...\MountPoints2: F - "F:\WD Drive Unlock.exe" autoplay=true
HKU\S-1-5-21-42790080-3355320830-272773808-1000\...\MountPoints2: {165df83d-7e87-11e3-90cb-0019d1e2a01d} - "F:\WD Drive Unlock.exe" autoplay=true
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
ShortcutTarget: Ralink Wireless Utility.lnk -> C:\Program Files\Ralink\Common\RaUI.exe (Ralink Technology, Corp.)
Startup: C:\Users\Zach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Zach\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?ocid=U219DHP&pc=U219
SearchScopes: HKCU - {74D4A3E1-CBB6-4C37-94AD-9D855734F3F3} URL = http://olmcdn.upromise.com/search.html?ourmark=4&qs={searchTerms}
BHO: Upromise RewardU Toolbar BHO -> {2E1946E4-D51E-6074-C16F-ED7E0D98A8E4} -> C:\Program Files\Upromise RewardU Toolbar\Upromise RewardU Toolbar.dll (Freecause Inc.)
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files\Microsoft\BingBar\7.3.132.0\BingExt.dll (Microsoft Corporation.)
BHO: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Upromise RewardU Toolbar - {BCB2559D-DE26-E8F4-D552-AE05CE2BAC69} - C:\Program Files\Upromise RewardU Toolbar\Upromise RewardU Toolbar.dll (Freecause Inc.)
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.3.132.0\BingExt.dll (Microsoft Corporation.)
Toolbar: HKCU - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU - Upromise RewardU Toolbar - {BCB2559D-DE26-E8F4-D552-AE05CE2BAC69} - C:\Program Files\Upromise RewardU Toolbar\Upromise RewardU Toolbar.dll (Freecause Inc.)
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Winsock: Catalog5 09 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:
========
FF ProfilePath: C:\Users\Zach\AppData\Roaming\Mozilla\Firefox\Profiles\w9kgpgdd.default
FF DefaultSearchEngine: Yahoo
FF DefaultSearchUrl: hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF SelectedSearchEngine: Yahoo
FF Homepage: hxxp://whobut.wbmason.com/MyLists.aspx
FF Keyword.URL: hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Acrobat -> C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin -> C:\Users\Zach\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF SearchPlugin: C:\Users\Zach\AppData\Roaming\Mozilla\Firefox\Profiles\w9kgpgdd.default\searchplugins\imdb.xml
FF Extension: Move Media Player - C:\Users\Zach\AppData\Roaming\Mozilla\Firefox\Profiles\w9kgpgdd.default\Extensions\moveplayer@movenetworks.com [2008-05-14]
FF HKLM\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2010-11-18]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [Not Found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [Not Found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [Not Found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [Not Found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [Not Found]
FF Extension: Move Media Player - C:\Documents and Settings\Zach\Application Data\Mozilla\Firefox\Profiles\w9kgpgdd.default\extensions\moveplayer@movenetworks.com [2008-05-14]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]

Chrome:
=======
CHR DefaultSearchKeyword: Default -> bing.com
CHR DefaultSearchURL: Default -> https://www.bing.com/search?setmkt=en-US&q={searchTerms}
CHR DefaultNewTabURL: Default -> https://www.bing.com/chrome/newtab?setmkt=en-US
CHR DefaultSuggestURL: Default -> http://api.bing.com/osjson.aspx?query={searchTerms}&language={language}
CHR Profile: C:\Users\Zach\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Zach\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-04-28]
CHR Extension: (Google Drive) - C:\Users\Zach\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-04-28]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Zach\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-06]
CHR Extension: (YouTube) - C:\Users\Zach\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-04-28]
CHR Extension: (Google Search) - C:\Users\Zach\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-04-28]
CHR Extension: (Google Wallet) - C:\Users\Zach\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-04-28]
CHR Extension: (Gmail) - C:\Users\Zach\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-04-28]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093872 2007-08-11] (Symantec Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [43520 2006-11-08] (Hewlett-Packard) [File not signed]
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53248 2006-11-08] (Hewlett-Packard) [File not signed]
R2 RalinkRegistryWriter; C:\Program Files\Ralink\Common\RaRegistry.exe [375872 2011-03-31] (Ralink Technology, Corp.)
S3 RaMediaServer; C:\Program Files\Ralink\Common\RaMediaServer.exe [621632 2011-03-04] ()

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 amacpi; C:\Windows\System32\DRIVERS\null.sys [4608 2009-07-13] (Microsoft Corporation)
S3 DELL_A02; C:\Windows\System32\DRIVERS\PRISMA02.sys [344736 2004-10-01] (Conexant Systems, Inc.)
S3 grmnusb; C:\Windows\System32\drivers\grmnusb.sys [15720 2012-04-18] (GARMIN Corp.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
R1 MpKslad61e365; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{DC50F646-5BF4-4973-B7BB-52FF63873047}\MpKslad61e365.sys [39464 2014-11-05] (Microsoft Corporation)
R3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [1228864 2011-04-28] (Ralink Technology Corp.)

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-05 10:31 - 2014-11-05 10:41 - 00016338 _____ () C:\Users\Zach\Desktop\FRST.txt
2014-11-05 10:31 - 2014-11-05 10:32 - 00000000 ____D () C:\FRST
2014-11-05 10:27 - 2014-11-05 10:28 - 01106432 _____ (Farbar) C:\Users\Zach\Desktop\FRST.exe
2014-11-03 12:45 - 2014-11-03 12:45 - 00015782 _____ () C:\Users\Zach\Desktop\dds.txt
2014-11-03 12:45 - 2014-11-03 12:45 - 00013243 _____ () C:\Users\Zach\Desktop\attach.txt
2014-10-29 02:36 - 2014-10-29 02:36 - 00000278 _____ () C:\Users\Zach\INSTALL_TOR.URL
2014-10-29 02:36 - 2014-10-29 02:36 - 00000278 _____ () C:\Users\Zach\Desktop\INSTALL_TOR.URL
2014-10-29 02:23 - 2014-10-29 02:23 - 00004226 _____ () C:\Users\Zach\Downloads\DECRYPT_INSTRUCTION.TXT
2014-10-29 02:23 - 2014-10-29 02:23 - 00004226 _____ () C:\Users\Zach\Documents\DECRYPT_INSTRUCTION.TXT
2014-10-29 02:23 - 2014-10-29 02:23 - 00000278 _____ () C:\Users\Zach\Downloads\INSTALL_TOR.URL
2014-10-29 02:23 - 2014-10-29 02:23 - 00000278 _____ () C:\Users\Zach\Documents\INSTALL_TOR.URL
2014-10-29 01:25 - 2014-10-29 01:25 - 00688992 _____ (Swearware) C:\Users\Zach\Downloads\dds.com
2014-10-29 01:24 - 2014-10-29 01:28 - 00688992 ____R (Swearware) C:\Users\Zach\Desktop\dds.com
2014-10-29 00:38 - 2014-10-29 00:38 - 00004226 _____ () C:\Users\Zach\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-28 19:53 - 2014-10-29 00:38 - 00000278 _____ () C:\Users\Zach\AppData\Roaming\INSTALL_TOR.URL
2014-10-28 19:53 - 2014-10-29 00:38 - 00000278 _____ () C:\Users\Zach\AppData\INSTALL_TOR.URL
2014-10-28 19:50 - 2014-10-28 19:50 - 00000278 _____ () C:\Users\Zach\AppData\Local\INSTALL_TOR.URL
2014-10-28 19:33 - 2014-10-28 19:33 - 00000278 _____ () C:\Users\Guest\INSTALL_TOR.URL
2014-10-28 19:33 - 2014-10-28 19:33 - 00000278 _____ () C:\Users\Guest\AppData\Roaming\INSTALL_TOR.URL
2014-10-28 19:33 - 2014-10-28 19:33 - 00000278 _____ () C:\Users\Guest\AppData\INSTALL_TOR.URL
2014-10-28 19:15 - 2014-10-28 19:31 - 00000000 ____D () C:\Users\Zach\AppData\Roaming\Kineciep
2014-10-28 19:14 - 2014-11-05 10:39 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
2014-10-28 19:14 - 2014-11-05 10:25 - 00001368 _____ () C:\ProgramData\@system.att
2014-10-28 19:14 - 2014-10-28 19:31 - 00000000 ____D () C:\Users\Zach\AppData\Roaming\Ehicebny
2014-10-28 19:14 - 2014-10-28 19:14 - 00000276 _____ () C:\Users\Guest\AppData\Local\INSTALL_TOR.URL
2014-10-28 19:13 - 2014-11-05 10:25 - 00001104 ____H () C:\ProgramData\@system2.att
2014-10-28 19:13 - 2014-10-28 19:14 - 14939468 _____ () C:\Users\Zach\AppData\Roaming\ChromeUpdate.exe
2014-10-28 19:13 - 2014-10-28 19:13 - 00000448 ____H () C:\Users\Zach\AppData\Roaming\麽鎒駓覜
2014-10-28 19:13 - 2014-10-28 19:13 - 00000276 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-10-27 17:54 - 2014-09-04 20:52 - 05703168 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2014-10-27 02:53 - 2014-10-27 02:53 - 00000000 ____D () C:\Windows\rescache
2014-10-26 23:54 - 2013-10-01 19:42 - 00049152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\TsUsbFlt.sys
2014-10-26 23:54 - 2013-10-01 19:32 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2014-10-26 23:54 - 2013-10-01 19:30 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2014-10-26 23:54 - 2013-10-01 19:14 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\MsRdpWebAccess.dll
2014-10-26 23:54 - 2013-10-01 19:14 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\wksprtPS.dll
2014-10-26 23:54 - 2013-10-01 18:58 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\tsgqec.dll
2014-10-26 23:54 - 2013-10-01 18:45 - 00032256 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbGDCoInstaller.dll
2014-10-26 23:54 - 2013-10-01 18:08 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\rdvidcrl.dll
2014-10-26 23:54 - 2013-10-01 18:00 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2014-10-26 23:54 - 2013-10-01 17:53 - 00350208 _____ (Microsoft Corporation) C:\Windows\system32\wksprt.exe
2014-10-26 23:54 - 2013-10-01 17:34 - 01068544 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe
2014-10-26 23:05 - 2014-10-26 23:06 - 117500664 _____ (Microsoft Corporation) C:\Users\Zach\Desktop\msert.exe
2014-10-26 22:14 - 2014-10-28 19:09 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-10-25 22:43 - 2014-10-25 22:43 - 00000028 _____ () C:\Windows\system32\u
2014-10-25 21:58 - 2014-10-25 21:58 - 00000000 _____ () C:\Windows\system32\opmkzb.dll
2014-10-15 15:45 - 2014-10-09 20:44 - 00396288 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-10-15 15:45 - 2014-10-09 20:44 - 00230912 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-10-15 15:45 - 2014-10-09 20:39 - 00302592 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-10-15 15:45 - 2014-10-06 21:04 - 00331448 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-10-15 15:45 - 2014-09-28 19:41 - 02379264 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-10-15 15:45 - 2014-09-25 17:46 - 00365056 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-10-15 15:45 - 2014-09-25 17:46 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-10-15 15:45 - 2014-09-25 17:46 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-10-15 15:45 - 2014-09-25 17:43 - 11807232 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-10-15 15:45 - 2014-09-25 17:32 - 02017280 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-10-15 15:45 - 2014-09-18 20:44 - 17484800 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-10-15 15:45 - 2014-09-18 20:25 - 04201472 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-10-15 15:45 - 2014-09-18 20:14 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-10-15 15:45 - 2014-09-18 20:14 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-10-15 15:45 - 2014-09-18 20:02 - 00454656 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-10-15 15:45 - 2014-09-18 20:01 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-10-15 15:45 - 2014-09-18 20:01 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-10-15 15:45 - 2014-09-18 19:59 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-10-15 15:45 - 2014-09-18 19:55 - 02187264 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-10-15 15:45 - 2014-09-18 19:54 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-10-15 15:45 - 2014-09-18 19:53 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-10-15 15:45 - 2014-09-18 19:51 - 00440320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-10-15 15:45 - 2014-09-18 19:50 - 00112128 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-10-15 15:45 - 2014-09-18 19:50 - 00108032 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-10-15 15:45 - 2014-09-18 19:49 - 00597504 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-10-15 15:45 - 2014-09-18 19:44 - 00646144 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-10-15 15:45 - 2014-09-18 19:36 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-10-15 15:45 - 2014-09-18 19:32 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-10-15 15:45 - 2014-09-18 19:20 - 00677888 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-10-15 15:45 - 2014-09-18 19:20 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-10-15 15:45 - 2014-09-18 19:18 - 01068032 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-10-15 15:45 - 2014-09-18 18:59 - 01810944 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-10-15 15:45 - 2014-09-18 18:53 - 01190400 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-10-15 15:45 - 2014-09-18 18:52 - 00678400 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-10-15 15:44 - 2014-09-04 00:04 - 00372736 _____ (Microsoft Corporation) C:\Windows\system32\rastls.dll
2014-10-15 15:44 - 2014-07-16 20:40 - 00157696 _____ (Microsoft Corporation) C:\Windows\system32\winsta.dll
2014-10-15 15:44 - 2014-07-16 20:39 - 00523264 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-10-15 15:44 - 2014-07-16 20:39 - 00304128 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2014-10-15 15:44 - 2014-07-16 20:39 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorekmts.dll
2014-10-15 15:44 - 2014-07-16 20:03 - 00184320 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpwd.sys
2014-10-15 15:44 - 2014-06-18 17:23 - 01131664 _____ (Microsoft Corporation) C:\Windows\system32\dfshim.dll
2014-10-15 15:44 - 2014-06-18 17:23 - 00156824 _____ (Microsoft Corporation) C:\Windows\system32\mscorier.dll
2014-10-15 15:44 - 2014-06-18 17:23 - 00081560 _____ (Microsoft Corporation) C:\Windows\system32\mscories.dll
2014-10-15 15:43 - 2014-09-17 20:32 - 02363904 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-10-15 15:43 - 2014-09-12 20:40 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-10-15 15:43 - 2014-07-16 20:39 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-10-15 15:43 - 2014-07-16 20:39 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-10-15 15:43 - 2014-07-16 20:02 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2014-10-13 22:14 - 2014-10-14 21:27 - 00000000 ____D () C:\Users\Zach\Desktop\AD
2014-10-13 21:40 - 2014-10-13 21:41 - 00000000 ____D () C:\Users\Zach\Desktop\ATOL
2014-10-13 13:34 - 2014-10-28 22:32 - 00000000 ____D () C:\Users\Zach\Desktop\IT
2014-10-13 11:05 - 2014-10-13 11:05 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-05 10:31 - 2009-07-13 23:34 - 00025216 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-05 10:31 - 2009-07-13 23:34 - 00025216 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-05 10:29 - 2010-11-18 11:54 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-05 10:24 - 2010-11-19 13:02 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-05 10:24 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-05 10:23 - 2009-07-13 23:39 - 00052486 _____ () C:\Windows\setupact.log
2014-11-05 10:22 - 2010-11-19 13:02 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-03 13:01 - 2010-11-18 14:36 - 01068269 _____ () C:\Windows\WindowsUpdate.log
2014-11-03 12:54 - 2014-06-06 18:08 - 00000000 ____D () C:\Users\Zach\Desktop\Video
2014-11-03 12:43 - 2010-11-18 11:51 - 00000000 ____D () C:\Users\Zach
2014-10-29 02:36 - 2014-03-06 16:26 - 00000000 ___RD () C:\Users\Zach\Dropbox
2014-10-29 02:23 - 2007-06-20 08:45 - 00000000 ____D () C:\Users\Zach\Documents\Zach
2014-10-29 02:22 - 2008-01-22 12:27 - 00000000 ____D () C:\Users\Zach\Documents\To do lists
2014-10-29 02:22 - 2007-06-20 08:52 - 00000000 ____D () C:\Users\Zach\Documents\T.Byrne Forms and Such
2014-10-29 02:21 - 2012-04-10 11:30 - 00000000 ___SD () C:\Users\Zach\Documents\My Data Sources
2014-10-29 02:21 - 2008-06-10 09:30 - 00000000 ____D () C:\Users\Zach\Documents\Surveyor
2014-10-29 02:21 - 2007-07-30 13:04 - 00000000 ____D () C:\Users\Zach\Documents\New Folder
2014-10-29 00:51 - 2014-06-30 15:09 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-29 00:39 - 2014-01-06 16:14 - 00000000 ____D () C:\Users\Zach\AppData\Roaming\Dropbox
2014-10-29 00:37 - 2011-03-31 12:23 - 00000000 ____D () C:\Users\Zach\Desktop\New folder (2)
2014-10-28 22:32 - 2014-08-20 16:52 - 00000000 ____D () C:\Users\Zach\Desktop\hair
2014-10-28 22:32 - 2014-06-06 18:02 - 00000000 ____D () C:\Users\Zach\Desktop\BMA
2014-10-28 22:32 - 2014-04-28 19:58 - 00000000 ____D () C:\Users\Zach\AppData\Roaming\Apple Computer
2014-10-28 22:32 - 2013-09-11 13:07 - 00000000 ____D () C:\Users\Zach\AppData\Roaming\Real
2014-10-28 22:32 - 2010-11-30 09:58 - 00000000 ____D () C:\Users\Zach\AppData\Roaming\Stamps.com Internet Postage
2014-10-28 22:32 - 2010-11-19 13:02 - 00000000 ____D () C:\Users\Zach\AppData\Local\Google
2014-10-28 22:32 - 2010-11-18 13:26 - 00000000 ____D () C:\Users\Zach\AppData\Roaming\Adobe
2014-10-28 22:32 - 2010-11-18 12:38 - 00000000 ____D () C:\Users\Guest\AppData\Roaming\Mozilla
2014-10-28 22:32 - 2010-11-18 12:18 - 00000000 ____D () C:\Users\Zach\AppData\Local\Apple Computer
2014-10-28 22:32 - 2010-11-18 12:17 - 00000000 ____D () C:\Users\Zach\AppData\Roaming\Mozilla
2014-10-28 22:32 - 2010-11-18 12:17 - 00000000 ____D () C:\Users\Zach\AppData\Local\Mozilla
2014-10-28 22:32 - 2010-11-18 12:12 - 00000000 ____D () C:\Users\Guest
2014-10-28 20:22 - 2010-11-18 13:15 - 00118682 _____ () C:\Windows\PFRO.log
2014-10-28 19:55 - 2010-11-18 12:38 - 00000000 ____D () C:\Users\Guest\AppData\Local\Mozilla
2014-10-28 19:42 - 2013-01-23 15:22 - 00000000 ____D () C:\Users\Guest\AppData\Roaming\Adobe
2014-10-28 19:41 - 2013-09-11 13:06 - 00000000 ____D () C:\ProgramData\Real
2014-10-28 19:41 - 2010-11-18 12:38 - 00000000 ____D () C:\ProgramData\Apple Computer
2014-10-28 19:32 - 2010-11-18 14:32 - 00000000 ____D () C:\Windows\Panther
2014-10-28 01:08 - 2014-03-27 20:15 - 00000000 ____D () C:\Users\Zach\AppData\Roaming\vlc
2014-10-27 20:22 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Branding
2014-10-27 02:17 - 2009-07-13 21:37 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2014-10-25 20:37 - 2014-03-20 20:44 - 00030576 _____ () C:\Users\Zach\Desktop\Grocery coupons.xlsx
2014-10-24 21:48 - 2014-06-30 15:08 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-10-23 17:25 - 2014-06-30 15:09 - 00001063 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-23 17:25 - 2014-06-30 15:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-17 13:48 - 2014-04-28 20:45 - 00002136 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-10-16 15:48 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-10-16 15:09 - 2009-07-13 23:33 - 00409416 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-10-16 02:29 - 2014-05-01 19:01 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-10-16 02:27 - 2010-11-18 12:04 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-10-16 02:23 - 2013-07-21 02:03 - 00000000 ____D () C:\Windows\system32\MRT
2014-10-16 02:07 - 2011-05-17 10:26 - 100290944 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-10-13 22:33 - 2014-01-30 14:04 - 00000000 ____D () C:\Users\Zach\AppData\Local\Citrix
2014-10-13 11:05 - 2010-11-18 13:23 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2014-10-13 11:05 - 2010-11-18 13:23 - 00000000 ____D () C:\Program Files\Adobe

Files to move or delete:
====================
C:\Users\Guest\jagex_runescape_preferences.dat
C:\Users\Zach\gosetup.exe
C:\Users\Zach\jagex_runescape_preferences.dat


Some content of TEMP:
====================
C:\Users\Zach\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpwu52ki.dll
C:\Users\Zach\AppData\Local\Temp\ose00000.exe
C:\Users\Zach\AppData\Local\Temp\_is2EAC.exe
C:\Users\Zach\AppData\Local\Temp\_is9B0F.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-10-27 02:46

==================== End Of Log ============================

#6 nasdaq

  • Malware Response Team
  • 38,953 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 November 2014 - 11:46 AM

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

HKLM\...\Run: [] => [X]
HKU\S-1-5-21-42790080-3355320830-272773808-1000\...\Run: [ChromeUpdate] => C:\Users\Zach\AppData\Roaming\ChromeUpdate.exe [14939468 2014-10-28] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [Not Found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [Not Found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [Not Found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [Not Found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [Not Found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
Task: {2A98073B-5518-4374-8B56-F15ABA02F6B8} - System32\Tasks\Security Center Update - 1698511502 => C:\Users\Zach\AppData\Roaming\Ehicebny\imute.exe <==== ATTENTION
C:\Users\Zach\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpwu52ki.dll
C:\Users\Zach\AppData\Local\Temp\ose00000.exe
C:\Users\Zach\AppData\Local\Temp\_is2EAC.exe
C:\Users\Zach\AppData\Local\Temp\_is9B0F.exe

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Please download SecurityCheck from here: http://screen317.spywareinfoforum.org/SecurityCheck.exe
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?
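The fixlist above removes the two autostart entries FRST surfaced: a Run value and a scheduled task, both launching binaries out of the user's AppData\Roaming folder. As an added example (not part of this thread and not FRST's own code), the Python script below parses FRST-style Run and Task lines and applies the triage a responder does by eye: it flags entries that launch from user-writable locations, that have no recorded publisher, or that borrow a well-known product name while running outside Windows or Program Files. The Run and Task sample lines are copied from the fixlist; the MSC line is a constructed benign entry with placeholder size and date, and the regexes and scoring rules are this example's own assumptions about FRST's line format.

```python
"""Triage FRST autostart entries for persistence in user-writable locations.

Added example for this thread; not part of FRST and not code from the forum
post. The regexes follow the FRST line shapes visible in the fixlist; the
scoring heuristics are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample. Lines 1, 2 and 4 are copied from the FRST fixlist in
# post #6; the MSC line is a made-up benign Run entry (placeholder size and
# date) so the filter has something to keep.
SAMPLE_FRST = r"""
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-42790080-3355320830-272773808-1000\...\Run: [ChromeUpdate] => C:\Users\Zach\AppData\Roaming\ChromeUpdate.exe [14939468 2014-10-28] ()
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1000000 2014-01-01] (Microsoft Corporation)
Task: {2A98073B-5518-4374-8B56-F15ABA02F6B8} - System32\Tasks\Security Center Update - 1698511502 => C:\Users\Zach\AppData\Roaming\Ehicebny\imute.exe <==== ATTENTION
"""

# FRST Run line: hive\...\Run: [name] => target [size date] (vendor) <==== ATTENTION
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => "
    r"(?P<target>.*?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?: \((?P<vendor>[^)]*)\))?"
    r"(?P<flag> <==== ATTENTION)?$"
)
# FRST Task line: Task: {guid} - task path => action <==== ATTENTION
TASK_RE = re.compile(
    r"^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<taskpath>.*?) => "
    r"(?P<target>.*?)(?P<flag> <==== ATTENTION)?$"
)
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Temp)\\", re.IGNORECASE
)
SYSTEM_DIRS_RE = re.compile(
    r"^[A-Za-z]:\\(?:Windows|Program Files(?: \(x86\))?)\\", re.IGNORECASE
)
# Product names that autostart malware commonly borrows (heuristic list).
BRAND_WORDS = ("Security Center", "Chrome", "Google", "Adobe", "Java",
               "Microsoft", "Windows")


@dataclass
class Autostart:
    kind: str                 # "Run" or "Task"
    name: str                 # Run value name or task path
    target: str               # binary the entry launches
    vendor: Optional[str]     # publisher FRST recorded; "" means none; None for tasks
    frst_flagged: bool        # FRST's own "<==== ATTENTION" marker
    reasons: List[str] = field(default_factory=list)


def parse_frst(text: str) -> List[Autostart]:
    """Extract Run and Task autostart entries from FRST-style log text."""
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            if m["target"] == "[X]":
                continue  # value exists but has no data; nothing is launched
            entries.append(Autostart("Run", m["name"], m["target"],
                                     m["vendor"], bool(m["flag"])))
            continue
        m = TASK_RE.match(line)
        if m:
            entries.append(Autostart("Task", m["taskpath"], m["target"],
                                     None, bool(m["flag"])))
    return entries


def triage(entry: Autostart) -> List[str]:
    """Attach human-readable reasons an entry deserves a closer look."""
    reasons = []
    path = entry.target.lstrip('"')
    outside_system = not SYSTEM_DIRS_RE.match(path)
    if USER_WRITABLE_RE.search(path):
        reasons.append("launches from a user-writable location (AppData/ProgramData/Temp)")
    if entry.kind == "Run" and entry.vendor == "":
        reasons.append("FRST recorded no publisher for the binary")
    if outside_system and any(w.lower() in entry.name.lower() for w in BRAND_WORDS):
        reasons.append("name borrows a well-known product name but runs outside Windows/Program Files")
    entry.reasons = reasons
    return reasons


def suspicious(text: str) -> List[Autostart]:
    """Return only the entries that collected at least one reason."""
    return [e for e in parse_frst(text) if triage(e)]


def report(text: str) -> List[str]:
    lines = []
    for e in suspicious(text):
        tag = " (FRST also flagged it)" if e.frst_flagged else ""
        lines.append(f"{e.kind}: {e.name} -> {e.target}{tag}")
        lines.extend(f"    - {r}" for r in e.reasons)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FRST)))
```

On the sample the benign MSC entry collects no reasons and drops out, while both entries nasdaq put in the fixlist are kept; the ChromeUpdate value is caught even though FRST itself did not mark it, because it launches from AppData with no publisher and borrows the Chrome name. The heuristics are a starting point for reading an FRST log, not a verdict: a responder still confirms each hit before moving anything.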

#7 blahx

  • Topic Starter
  • Members
  • 30 posts

Posted 05 November 2014 - 12:28 PM

The computer is running much better now!
Thanks nasdaq!

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 04-11-2014
Ran by Zach at 2014-11-05 12:01:16 Run:1
Running from C:\Users\Zach\Desktop\FRST
Loaded Profile: Zach (Available profiles: Zach & Guest)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start

HKLM\...\Run: [] => [X]
HKU\S-1-5-21-42790080-3355320830-272773808-1000\...\Run: [ChromeUpdate] => C:\Users\Zach\AppData\Roaming\ChromeUpdate.exe [14939468 2014-10-28] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [Not Found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [Not Found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [Not Found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [Not Found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [Not Found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
Task: {2A98073B-5518-4374-8B56-F15ABA02F6B8} - System32\Tasks\Security Center Update - 1698511502 => C:\Users\Zach\AppData\Roaming\Ehicebny\imute.exe <==== ATTENTION
C:\Users\Zach\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpwu52ki.dll
C:\Users\Zach\AppData\Local\Temp\ose00000.exe
C:\Users\Zach\AppData\Local\Temp\_is2EAC.exe
C:\Users\Zach\AppData\Local\Temp\_is9B0F.exe

End
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKU\S-1-5-21-42790080-3355320830-272773808-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ChromeUpdate => value deleted successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} => not found.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} => not found.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} => not found.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} => not found.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} => not found.
C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} => not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2A98073B-5518-4374-8B56-F15ABA02F6B8}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2A98073B-5518-4374-8B56-F15ABA02F6B8}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 1698511502 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 1698511502" => Key deleted successfully.
"C:\Users\Zach\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpwu52ki.dll" => File/Directory not found.
C:\Users\Zach\AppData\Local\Temp\ose00000.exe => Moved successfully.
C:\Users\Zach\AppData\Local\Temp\_is2EAC.exe => Moved successfully.
C:\Users\Zach\AppData\Local\Temp\_is9B0F.exe => Moved successfully.

==== End of Fixlog ====


# AdwCleaner v3.311 - Report created 05/11/2014 at 12:15:54
# Updated 30/09/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)
# Username : Zach - ZACH-PC
# Running from : C:\Users\Zach\Desktop\adwcleaner_3.311.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Google\Chrome\Extensions\ddpocmpoechljihmgemoaahhmadaenbc
Key Deleted : HKLM\SOFTWARE\Classes\FreeCauseURLSearchHook.FCToolbarURLSearchHook
Key Deleted : HKLM\SOFTWARE\Classes\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\FCTB000100987.FCTB000100987Pos
Key Deleted : HKLM\SOFTWARE\Classes\FCTB000100987.FCTB000100987Pos.1
Key Deleted : HKLM\SOFTWARE\Classes\FCTB000100987.IEToolbar
Key Deleted : HKLM\SOFTWARE\Classes\FCTB000100987.IEToolbar.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC}
Key Deleted : HKCU\Software\AppDataLow\Software\Freecause
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.0.3

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17344


-\\ Mozilla Firefox v

[ File : C:\Users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\gn6frfrt.default\prefs.js ]


[ File : C:\Users\Zach\AppData\Roaming\Mozilla\Firefox\Profiles\w9kgpgdd.default\prefs.js ]


-\\ Google Chrome v38.0.2125.104

[ File : C:\Users\Zach\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [2050 octets] - [05/11/2014 12:12:49]
AdwCleaner[S0].txt - [1999 octets] - [05/11/2014 12:15:54]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2059 octets] ##########


Results of screen317's Security Check version 0.99.89
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
CCleaner
Adobe Reader XI
Google Chrome 37.0.2062.124
Google Chrome 38.0.2125.104
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 28% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

#8 nasdaq

  • Malware Response Team
  • 38,953 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 November 2014 - 02:04 PM

Looking good.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide, Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#9 blahx

  • Topic Starter
  • Members
  • 30 posts

Posted 05 November 2014 - 09:02 PM

Hi nasdaq,

A few more issues. There is an alert that the Windows Security Center service is turned off, and I cannot turn it back on.
Also, I noticed when I initially open Task Manager, it says that CPU usage is at >50%, but then reverts back to 1-2% in two seconds. I'm not running any programs or doing anything on the computer, so I don't know why it is so high.

Thanks

#10 nasdaq

  • Malware Response Team
  • 38,953 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 November 2014 - 10:13 AM

There is an alert that the Windows Security Center service is turned off, and I cannot turn it back on.

Run the automatic fix for Windows 7 on this page.
http://support.microsoft.com/kb/2519899

===

When done, check your CPU and let me know if that issue has been solved.

#11 blahx

  • Topic Starter
  • Members
  • 30 posts

Posted 06 November 2014 - 02:13 PM

Thanks! That issue has been resolved.

#12 nasdaq

  • Malware Response Team
  • 38,953 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 November 2014 - 07:35 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

#13 nasdaq

  • Malware Response Team
  • 38,953 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 November 2014 - 11:27 AM

This topic has been re-opened at the request of the person who originally posted.

posted from a PM message

I still have a few more issues that need resolving.

1. Is it normal that my CPU usage is so high (>50%) when I open Task Manager but reverts back to 10% after a few seconds?

2. When I open the webpage msn.com I still get the following message:
" Do you want to debug this webpage? This webpage contains errors that might prevent it from displaying or working correctly..."
This is initially what happened when my virus started two weeks ago. How do I fix this error?

Thanks!

Edited by nasdaq, 07 November 2014 - 11:29 AM.


#14 nasdaq

  • Malware Response Team
  • 38,953 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 November 2014 - 11:35 AM

No. 1.

I do not think so. Possibly a program takes a long time to start.
This could be caused by a wrong version of a driver or file.

Check for missing or corrupted operating system files in your system.

Execute the instructions on this page.
http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html
===

Check also your Microsoft Updates you may be missing an important one.


Keep me posted.
===

No. 2.

Check these settings.

Open IE > Tools Menu > Internet Options > Advanced tab.

Under the Browsing section.

Place a check next to these two lines:

Disable Script Debugging (IE)
Disable Script Debugging (Others)

Click the Apply button.

How is it now?

#15 blahx

  • Topic Starter
  • Members
  • 30 posts

Posted 07 November 2014 - 12:13 PM

Sorry, I haven't done the above two steps yet because I was in the process of restoring previous versions of my files and I encountered other issues. I was running Malwarebytes to scan and it detected two trojan agents. MSE was detecting Crowti from the decryption instruction text files. But more importantly, as I was restoring, my previous versions were getting deleted. I have possibly one/two restore points with unencrypted files left, so I turned off that computer. What should I do?



