
Ukash Ransomware Virus question

3 replies to this topic

#1 gotrekt


  • Members
  • 23 posts
  • Gender:Not Telling
  • Location:clouds
  • Local time:04:39 AM

Posted 31 December 2014 - 12:45 AM

Hello guys, even though I have known this site for a long time, I've never really needed any assistance with malware related problems so I did not feel the need to register. However yesterday while I was browsing a website, a new tab opened in my Firefox browser displaying a notification from the "Greek Police" that my computer was going to be blocked because of illegal activities (child porn and zoophilia WTF??) if I was not going to pay a fee of 100 euros with Ukash or Paysafecard. I tried to close the tab with the (x) but unfortunately not only did the tab not close but new tabs with the same website opened. Now even though I knew it was a fake site (scareware) I felt kinda panicked and I turned off the computer (with the power button) and I disconnected my internet connection. Immediately I restarted the computer again to check what would happen, expecting my computer desktop to be hijacked by this nasty malware. I was surprised to see that everything was looking fine, nothing suspicious on my desktop, and when I checked Task Manager processes I didn't see any weird names. The next step I did was to clear everything in Firefox (temp files, history etc.) and to scan my computer with MalwareBytes and Microsoft Essentials antivirus. They didn't find any malicious applications so I thought my computer was probably safe, but I decided to scan it again in safe mode to be 99% sure that I was not infected. I restarted my computer again and then when I tried to get into safe mode I could not (I was having a black screen and a white blinking line at the top left) and then Windows was starting normally. So my question is why is this happening? I mean is it caused by this virus or is it something related to hardware problems? I remember using safe mode one week ago and I could get it to work easily. Also how is it possible that my computer was not locked by this virus, as I have read on forums that this virus is hijacking your desktop and you can't unlock it if you don't pay the fee.


My questions are:

1) Is the safe mode problem caused by the virus?

2) How is it possible that MalwareBytes and Microsoft Essentials didn't find any threats after doing a full scan?


Thanks for reading guys, I hope someone can provide me some insight.


Here is also a screenshot of that website, not from me, but it was the same message and interface.



DDS ChatLog


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17280  BrowserJavaVersion: 10.60.2
Run by User at 6:59:54 on 2014-12-31
Microsoft Windows 7 Ultimate   6.1.7601.1.1253.30.1033.18.3317.1119 [GMT 2:00]
AV: Kaspersky Internet Security *Disabled/Outdated* {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Kaspersky Internet Security *Disabled/Updated* {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Internet Security *Disabled* {FB2ABE9A-01A4-4539-FCD2-C7EA1246D49E}
============== Running Processes ================
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\TeamViewer\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\ASUS\GamerOSD\ATKFastUserSwitching.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
============== Pseudo HJT Report ===============
uStart Page = hxxp://google.com/
uSearch Bar = Preserve
uProxyOverride = localhost;; <local>
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\contentblocker\ie_content_blocker_plugin.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Safe Money Plugin: {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\onlinebanking\online_banking_bho.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\urladvisor\klwtbbho.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: Developer Tools: {1A6FE369-F28C-4AD9-A3E6-2BCB50807CF1} - c:\program files\internet explorer\iedvtool.dll
EB: F12 Developer Tools: {28BCCB9A-E66B-463C-82A4-09F320DE94D7} - c:\program files\internet explorer\F12Tools.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sony PC Companion] "c:\program files\sony\sony pc companion\PCCompanion.exe" /Background
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Facebook Update] "c:\users\user\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2013\avp.exe"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [NUSB3MON] "c:\program files\renesas electronics\usb 3.0 host controller driver\application\nusb3mon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [DivXMediaServer] c:\program files\divx\divx media server\DivXMediaServer.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [ASUSGamerOSD] c:\program files\asus\gamerosd\GamerOSD.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\x86\CLIStart.exe" MSRun
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2013\ie_banner_deny.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\urladvisor\klwtbbho.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0045-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer =
TCP: Interfaces\{24B49745-8DD8-47E8-9D9F-E06C23C3E3F6} : DHCPNameServer =
TCP: Interfaces\{49F4924E-E27E-4767-BF57-A292B6EAD8E8} : DHCPNameServer =
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\39.0.2171.95\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
================= FIREFOX ===================
FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\vbfe23zl.default-1415370461910\
FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30514.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\user\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\user\appdata\local\google\update\\npGoogleUpdate3.dll
FF - plugin: c:\users\user\appdata\roaming\mozilla\plugins\np-mswmp.dll
FF - plugin: c:\users\user\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\user\appdata\roaming\mozilla\plugins\npo1d.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_16_0_0_235.dll
============= SERVICES / DRIVERS ===============
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-7-17 231800]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2010-10-6 156200]
R0 mv91xx;mv91xx;c:\windows\system32\drivers\mv91xx.sys [2010-5-7 268840]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2012-8-2 25696]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [2012-6-8 44000]
R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [2012-8-13 145040]
R1 MpKsl2dc1113e;MpKsl2dc1113e;c:\programdata\microsoft\microsoft antimalware\definition updates\{cc8bbac4-9011-4abf-9d07-ce51c930a0e3}\MpKsl2dc1113e.sys [2014-12-30 39464]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2014-9-16 208896]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2013\avp.exe [2012-8-17 356128]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2011-6-7 13336]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2011-6-7 110752]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-11-7 1871160]
R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-11-7 969016]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2014-7-17 95920]
R2 TeamViewer;TeamViewer 10;c:\program files\teamviewer\TeamViewer_Service.exe [2014-12-10 5419792]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2012-1-18 450848]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2014-6-21 77824]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6232.sys [2011-6-7 223960]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [2012-5-25 25696]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2012-7-25 25696]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-5-26 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-11-7 114904]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-11-7 51928]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-8-22 288120]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2010-10-26 64904]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-10-26 146568]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2013-7-8 159208]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2014-12-11 315496]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]
S3 DFX11_1;DFX Audio Enhancer 11.1;c:\windows\system32\drivers\dfx11_1.sys [2012-8-30 24424]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2012-10-26 12400]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-9-10 108032]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [2013-1-31 22656]
S3 netr28u;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\netr28u.sys [2011-6-7 945504]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-6-23 15872]
S3 Sony PC Companion;Sony PC Companion;c:\program files\sony\sony pc companion\PCCService.exe [2012-10-26 155320]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-23 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-6-14 1343400]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
=============== Created Last 30 ================
2014-12-30 19:14:21    --------    d-----w-    C:\FRST
2014-12-30 18:12:10    39464    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{cc8bbac4-9011-4abf-9d07-ce51c930a0e3}\MpKsl2dc1113e.sys
2014-12-30 18:05:15    9054624    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{cc8bbac4-9011-4abf-9d07-ce51c930a0e3}\mpengine.dll
2014-12-30 18:04:10    908840    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{51a4aded-6980-4e38-b49d-935f171e37bc}\gapaengine.dll
2014-12-30 17:25:25    --------    d-----w-    c:\users\user\appdata\local\Adobe
2014-12-30 05:08:42    --------    d-----w-    c:\users\user\appdata\local\ATI
2014-12-30 05:08:33    --------    d-----w-    c:\users\user\appdata\local\Macromedia
2014-12-27 21:41:00    --------    d-----w-    c:\program files\Microsoft Security Client
2014-12-22 23:49:50    --------    d-----w-    c:\programdata\SecTaskMan
2014-12-22 23:49:47    --------    d-----w-    c:\program files\Security Task Manager
2014-12-17 14:00:38    --------    d-----w-    c:\users\user\.android
2014-12-09 15:24:31    --------    d-----w-    c:\users\user\appdata\roaming\AMD
2014-12-03 20:20:54    62576    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{c6efedf0-49fa-483c-8bef-e39adfbbdef2}\offreg.dll
2014-12-03 06:31:20    227048    ----a-w-    c:\program files\internet explorer\plugins\nppdf32.dll
==================== Find3M  ====================
2014-12-31 04:54:09    114904    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-23 16:07:55    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-23 16:07:55    701616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-11-24 12:04:58    229000    ------w-    c:\windows\system32\MpSigStub.exe
2014-11-21 04:14:20    51928    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-11-21 04:14:10    75480    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-11-21 04:14:06    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
============= FINISH:  7:01:21,30 ===============

Edited by gotrekt, 31 December 2014 - 08:43 AM.
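An added example, not code from the thread or from the DDS tool: a small Python triage that reads the AV/SP/FW status lines and the Policies lines of a DDS log like the one posted above and flags products reported as Disabled and UAC policy values set to the off setting. The sample input is constructed from lines of the posted log; that DDS prints dword values in decimal is an assumption.

```python
"""Triage of a DDS 'Pseudo HJT Report'.

Added example for this thread, not code from DDS or from the poster. It picks
out the protection-status lines (AV:/SP:/FW:) and the Policies lines, then
flags what a log helper would look at: products reported as Disabled and UAC
policy values that switch UAC off. Assumption: DDS prints dword values in
decimal, so the default NoDriveTypeAutoRun shows as 145 (0x91).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the posted DDS log.
SAMPLE_LOG = """\
AV: Kaspersky Internet Security *Disabled/Outdated* {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Internet Security *Disabled* {FB2ABE9A-01A4-4539-FCD2-C7EA1246D49E}
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
"""

# "AV: <product> *<state>* {<guid>}" where <state> is e.g. Enabled/Updated.
PRODUCT_RE = re.compile(r"^(AV|SP|FW): (.+?) \*([^*]+)\*")
# "<u|m|d>Policies-<Hive>: <Name> = dword:<value>"; u = user, m = machine.
POLICY_RE = re.compile(r"^[umd]Policies-(\w+): (\w+) = dword:(\d+)")

# HKLM\...\Policies\System values, with the setting that turns UAC off.
UAC_OFF = {
    "EnableLUA": 0,                   # UAC disabled entirely
    "ConsentPromptBehaviorAdmin": 0,  # admins elevate without any prompt
    "PromptOnSecureDesktop": 0,       # prompts not shown on the secure desktop
}


@dataclass
class Triage:
    products: dict = field(default_factory=dict)  # (kind, name) -> state
    policies: dict = field(default_factory=dict)  # (hive, name) -> int
    findings: list = field(default_factory=list)


def parse_dds(text):
    """Collect product states and policy values from a DDS log."""
    t = Triage()
    for line in text.splitlines():
        m = PRODUCT_RE.match(line)
        if m:
            kind, name, state = m.groups()
            t.products[(kind, name)] = state
            continue
        m = POLICY_RE.match(line)
        if m:
            hive, name, value = m.groups()
            t.policies[(hive, name)] = int(value)
    return t


def disabled_products(t):
    """Products DDS reports as Disabled, whatever their update state."""
    return sorted((kind, name, state) for (kind, name), state in t.products.items()
                  if state.split("/")[0] == "Disabled")


def uac_off_policies(t):
    """Names of Policies\\System values set to the UAC-off setting."""
    return sorted(name for name, off in UAC_OFF.items()
                  if t.policies.get(("System", name)) == off)


def triage(text):
    """Parse the log and record one finding per item worth a helper's attention."""
    t = parse_dds(text)
    for kind, name, state in disabled_products(t):
        t.findings.append(f"{kind} {name} reported {state}")
    for name in uac_off_policies(t):
        t.findings.append(f"UAC weakened: {name} = {t.policies[('System', name)]}")
    return t


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG).findings:
        print(finding)
```

On the sample above this reports the two Kaspersky components and Windows Defender as disabled and the three UAC values as off; ConsentPromptBehaviorUser = 3 is a normal setting and is not flagged.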


#2 gotrekt

  • Topic Starter

  • Members
  • 23 posts
  • Gender:Not Telling
  • Location:clouds
  • Local time:04:39 AM

Posted 04 January 2015 - 03:57 AM



1) Safe Mode problem:


Hey guys I am back, so for the Safe Mode problem I had, I managed to fix it. After turning on my computer and pressing the F8 button (Windows 7) nothing was happening, the advanced boot menu was not showing and instead Windows was starting normally. At the start I believed that the Ukash virus modified my registry and blocked safe mode somehow. However, considering that I could actually get into safe mode using the msconfig.exe utility, I searched for other possible reasons for the specific problem. First of all I used the System File Checker tool. The command for this is typing sfc /scannow in CMD and pressing Enter, but I couldn't see any problems in the log file created after the scan finished. So my second option was to check my hard disk for errors. This can be done easily by going to My Computer -> Properties of Local Disk (C:) -> Tools -> under Error Checking -> Check Now -> tick Automatically Check for Errors -> OK. Usually when you do this step, when you reboot the computer your hard drive is going to be checked for errors that are going to be fixed automatically. Then again when I restarted my computer, nothing happened and Windows started normally. I was pretty sure something was wrong with my hard drive or my registry was modified (still not sure if that was caused by the virus). I googled this problem and found an article about this at http://www.thewindowsclub.com/check-disk-will-not-run-at-startup (BE EXTREMELY CAREFUL TO FOLLOW THE EXACT ORDER) because deleting or modifying something wrong in the registry can make your system unbootable. Anyway I did what the guy said and then when I did the same procedure as above for the hard drive my computer checked for errors. Finally after the procedure finished my computer restarted, this time I pressed F8 and Safe Mode appeared and was working well.


So I wanted to share this for anyone that maybe has the same problem as me and hopefully they can follow the instructions to fix it!!


How to start Safe Mode when F8 is not working.


How to:

Start -> Run -> msconfig.exe -> Boot -> Boot options -> tick Safe boot and choose Minimal.




2) MalwareBytes and Antivirus found no threats:


For the second question, as I said my AV and MalwareBytes didn't find any threats but I was curious how this was even possible. At the start I believed I was pretty fked because the virus was a new variant that could not be detected. Well I decided to use the tools from your website (AdwCleaner and JunkWare) and they actually found some malware, thank god not dangerous though, but still some crappy toolbars (thanks mom ;p). I also used the DDS tool and I didn't find any suspicious processes.


Edited by gotrekt, 05 January 2015 - 12:23 AM.

#3 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,555 posts
  • Gender:Male
  • Local time:09:39 PM

Posted 05 January 2015 - 12:50 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:


In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/561580 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.


If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.


We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,555 posts
  • Gender:Male
  • Local time:09:39 PM

Posted 05 January 2015 - 10:45 AM

You have stated that you no longer need help with this issue, therefore I am closing this topic. If that is not the case and you need or wish to continue with this topic, please send any Moderator a Personal Message (PM) that you would like this topic re-opened.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!
