
Infected with Trojan.Agent.0BGen & Trojan.Agent.ED - hard drive files encrypted


  • This topic is locked
3 replies to this topic

#1 rturanc

rturanc

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:33 AM

Posted 19 January 2015 - 04:26 PM

It looks like Thursday afternoon a virus started to take over my laptop. Initially, the computer slowed way down. I tried to clean up the hard drive with Windows utilities. Then I ran Malwarebytes, which temporarily improved performance. The next day, it was once again running very slow. I re-ran Malwarebytes and then ran SuperAntiSpyware. As I recall, both times that I ran Malwarebytes, it found trojan files.

I never received any messages asking for ransom money or anything else announcing the virus prior to running Malwarebytes.

The virus has encrypted all of my files. Most of my files are on an external hard drive. I have not found any that are not encrypted.

The virus has also used up all of the previously available 30+ GB of hard drive space on the internal drive.

I have since ordered a new laptop. I'm ready to move on from the HP Elitebook. What I really need is to be able to unencrypt the files that are on the external hard drive.

Any help would be greatly appreciated!

DDS Log

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64  
Internet Explorer: 9.0.8112.16592  BrowserJavaVersion: 10.25.2
Run by 467065 at 15:31:59 on 2015-01-19
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3887.209 [GMT -5:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files\LSI SoftModem\agr64svc.exe
C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe
C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\CheckPoint\Endpoint Connect\TracSrvWrapper.exe
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\loggingserver.exe
C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler64.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Microsoft Device Center\itype.exe
C:\Program Files\Microsoft Device Center\ipoint.exe
C:\Program Files (x86)\McAfee\Endpoint Encryption for PC\SbTokWatch.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\eFax Messenger 4.4\J2GDllCmd.exe
C:\Program Files (x86)\eFax Messenger 4.4\J2GTray.exe
C:\Program Files (x86)\CA\DSM\bin\cfSysTray.exe
C:\Program Files (x86)\SafeBoot Tray Manager\SbTrayManager.exe
C:\Program Files (x86)\McAfee\Endpoint Encryption for PC\SbTokWatch.exe
C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe
C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe
C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
C:\Program Files (x86)\McAfee\Common Framework\McTray.exe
C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files (x86)\Citrix\ICA Client\redirector.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
C:\Windows\splwow64.exe
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\CA\SC\CAM\bin\cam.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files (x86)\CA\SC\Csam\SockAdapter\bin\csampmux.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files (x86)\Citrix\ICA Client\redirector.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\syswow64\cmmon32.exe
C:\Windows\syswow64\ctfmon.exe
C:\Windows\syswow64\dvdupgrd.exe
C:\Windows\syswow64\dvdupgrd.exe
C:\Windows\syswow64\systray.exe
C:\Windows\syswow64\svchost.exe
C:\Windows\syswow64\svchost.exe
C:\Windows\syswow64\dllhst3g.exe
C:\Windows\syswow64\cmmon32.exe
C:\Windows\syswow64\systray.exe
C:\Windows\syswow64\msfeedssync.exe
C:\Windows\syswow64\dpnsvr.exe
C:\Windows\syswow64\dpnsvr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = Preserve
mStart Page = about:blank
mWinlogon: Userinit = userinit.exe,
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\18.1.9.799\AVG Secure Search_toolbar.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\18.1.9.799\AVG Secure Search_toolbar.dll
uRun: [SafeBootTokWatch] "C:\Program Files (x86)\McAfee\Endpoint Encryption for PC\SbTokWatch.exe"
uRun: [eFax 4.4] "C:\Program Files (x86)\eFax Messenger 4.4\J2GDllCmd.exe" /R
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware1\SUPERAntiSpyware.exe
mRun: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
mRun: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe -scheduler
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [CAF_SystemTray] "C:\Program Files (x86)\CA\DSM\bin\cfSysTray.exe"
mRun: [DsmSxplog] "C:\Program Files (x86)\CA\DSM\Bin\sxpstub.exe"
mRun: [Communicator] "C:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey
mRun: [SafeBootTrayManager] "C:\Program Files (x86)\SafeBoot Tray Manager\SbTrayManager.exe"
mRun: [SafeBootTokenWatcher] "C:\Program Files (x86)\McAfee\Endpoint Encryption for PC\SbTokWatch.exe"
mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun: [AT&T Communication Manager] "C:\Program Files (x86)\AT&T\Communication Manager\ATTCM.exe" -a
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Check Point VPN] "C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGui.exe"
mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
StartupFolder: C:\Users\467065\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EFAX44~1.LNK - C:\Program Files (x86)\eFax Messenger 4.4\J2GTray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: dontdisplaylastusername = dword:1
mPolicies-System: legalnoticecaption = Property of FedEx
mPolicies-System: legalnoticetext = For AUTHORIZED USERS ONLY!
mPolicies-System: CompatibleRUPSecurity = dword:1
mPolicies-System: HideShutdownScripts = dword:0
mPolicies-System: MaxGPOScriptWait = dword:600
mPolicies-System: HideFastUserSwitching = dword:0
mPolicies-Windows\System: AddAdminGroupToRUP = dword:1
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{620220F3-0872-48C4-B5A3-1AA39A75C532} : DHCPNameServer = 199.82.243.70 146.18.173.70
TCP: Interfaces\{66B4A632-BEDE-43AE-8055-64C23CD8E556} : DHCPNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{EE8DA002-9274-48A8-B31E-4C74CF26E493} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{EE8DA002-9274-48A8-B31E-4C74CF26E493}\0716E63686F616E646C65666479737 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{EE8DA002-9274-48A8-B31E-4C74CF26E493}\6416C6C637C4962627162797 : DHCPNameServer = 192.168.1.4
TCP: Interfaces\{EE8DA002-9274-48A8-B31E-4C74CF26E493}\D4F647F627F6C616 : DHCPNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{EE8DA002-9274-48A8-B31E-4C74CF26E493}\F42716E67656D41676E6F6C69616D27657563747 : DHCPNameServer = 209.18.47.61 209.18.47.62
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\18.1.9\ViProtocol.dll
AppInit_DLLs= c:\progra~2\citrix\icacli~1\rshook.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.99\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = about:blank
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [IntelliType Pro] "c:\Program Files\Microsoft Device Center\itype.exe"
x64-Run: [IntelliPoint] "c:\Program Files\Microsoft Device Center\ipoint.exe"
x64-Run: [obrtbr] "C:\Windows\System32\rundll32.exe" "C:\Users\467065\AppData\Roaming\obrtbr.dll",_Count
x64-Run: [linge] ",STRICTERRORS
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2012-2-7 782968]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2012-2-7 344176]
R0 SBAlg;SBAlg;C:\Windows\System32\drivers\sbalg.sys [2012-8-8 60128]
R0 SbFsLock;SbFsLock;C:\Windows\System32\drivers\sbfslock.sys [2012-8-8 15688]
R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2012-9-19 50976]
R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\System32\drivers\ctxusbm.sys [2012-5-17 93272]
R1 RsvLock;RsvLock;C:\Windows\System32\drivers\rsvlock.sys [2012-8-8 58184]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware1\saskutil64.sys [2011-7-12 12368]
R1 SbFlop;SbFlop;C:\Windows\System32\drivers\sbflop.sys [2012-8-8 23368]
R1 SbRegFlt;SbRegFlt;C:\Windows\System32\drivers\sbregflt.sys [2012-8-8 15688]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\Windows\System32\drivers\e1k62x64.sys [2012-8-8 340656]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2012-8-8 56344]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2012-8-8 158976]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-8-8 317440]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-8-21 129752]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2012-2-7 311600]
R3 rcSmCard;rcSmCard;C:\Windows\System32\drivers\rcSmCard.sys [2012-3-18 34384]
R3 rcVidCap;rcVidCap;C:\Windows\System32\drivers\rcVidMpt.sys [2012-3-18 11344]
R3 rismcx64;RICOH Smart Card Reader;C:\Windows\System32\drivers\rismcx64.sys [2012-8-8 59008]
R3 vna_ap;Check Point Virtual Network Adapter - Apollo;C:\Windows\System32\drivers\vnaap.sys [2011-1-12 161256]
S1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware1\sasdifsv64.sys [2011-7-22 14928]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2012-5-24 71168]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2012-2-7 107032]
S3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;C:\Windows\System32\PCTINDIS5X64.sys [2010-9-2 43032]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-5-24 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2012-5-24 31232]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
.
=============== Created Last 30 ================
.
2015-01-16 18:34:23    --------    dc----w-    C:\Program Files\SUPERAntiSpyware1
2015-01-08 13:26:38    146432    ----a-w-    C:\Windows\SysWow64\msaudite.dll
2015-01-08 13:26:38    146432    ----a-w-    C:\Windows\System32\msaudite.dll
2015-01-08 13:26:37    681984    ----a-w-    C:\Windows\SysWow64\adtschema.dll
2015-01-08 13:26:37    681984    ----a-w-    C:\Windows\System32\adtschema.dll
2015-01-08 13:26:35    683520    ----a-w-    C:\Windows\System32\termsrv.dll
2015-01-08 13:26:28    1190912    ----a-w-    C:\Windows\System32\WindowsCodecs.dll
2015-01-08 13:26:28    1011200    ----a-w-    C:\Windows\SysWow64\WindowsCodecs.dll
2015-01-08 13:22:29    878080    ----a-w-    C:\Windows\System32\IMJP10K.DLL
2015-01-08 13:22:29    701440    ----a-w-    C:\Windows\SysWow64\IMJP10K.DLL
2015-01-08 13:22:27    680960    ----a-w-    C:\Windows\System32\audiosrv.dll
2015-01-08 13:22:27    500224    ----a-w-    C:\Windows\System32\AUDIOKSE.dll
2015-01-08 13:22:27    442880    ----a-w-    C:\Windows\SysWow64\AUDIOKSE.dll
2015-01-08 13:22:27    440832    ----a-w-    C:\Windows\System32\AudioEng.dll
2015-01-08 13:22:27    374784    ----a-w-    C:\Windows\SysWow64\AudioEng.dll
2015-01-08 13:22:27    296448    ----a-w-    C:\Windows\System32\AudioSes.dll
2015-01-08 13:22:27    284672    ----a-w-    C:\Windows\System32\EncDump.dll
2015-01-08 13:22:27    195584    ----a-w-    C:\Windows\SysWow64\AudioSes.dll
2015-01-08 13:22:12    3198976    ----a-w-    C:\Windows\System32\win32k.sys
2015-01-05 14:20:13    --------    dc----w-    C:\Program Files (x86)\NVIDIA Corporation
.
==================== Find3M  ====================
.
2015-01-19 20:11:04    129752    -c--a-w-    C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-11-21 11:14:22    63704    -c--a-w-    C:\Windows\System32\drivers\mwac.sys
2014-11-21 11:14:12    93400    -c--a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2014-11-21 11:14:08    25816    -c--a-w-    C:\Windows\System32\drivers\mbam.sys
2014-11-14 21:01:31    2048    ----a-w-    C:\Windows\SysWow64\msxml3r.dll
2014-11-14 21:01:31    2048    ----a-w-    C:\Windows\System32\msxml3r.dll
2014-11-14 21:01:31    1882624    ----a-w-    C:\Windows\System32\msxml3.dll
2014-11-14 21:01:31    1237504    ----a-w-    C:\Windows\SysWow64\msxml3.dll
2014-11-14 21:01:16    77824    ----a-w-    C:\Windows\System32\packager.dll
2014-11-14 21:01:16    67584    ----a-w-    C:\Windows\SysWow64\packager.dll
2014-11-14 21:01:01    861696    ----a-w-    C:\Windows\System32\oleaut32.dll
2014-11-14 21:01:01    571904    ----a-w-    C:\Windows\SysWow64\oleaut32.dll
.
============= FINISH: 15:34:20.51 ===============
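The DDS log above is what a responder actually reads in a thread like this. The following is an added example (not part of the thread, and not a DDS feature) that scans the Run-key and mPolicies-System lines of such a log for the two things worth checking first on a suspected CryptoWall box: an autorun that loads a DLL from the user profile through a host binary such as rundll32 (the `obrtbr` entry in this log), a malformed Run value (the `linge` entry), and UAC policy values set to 0. The flag rules are heuristics chosen for this example; the sample log is an excerpt constructed from lines in the post.

```python
"""Triage of autorun and policy lines in a DDS 'Pseudo HJT Report'.

Added example; the flagging rules are assumptions for illustration,
not output of DDS or any other tool named in the thread.
"""
import re

# uRun:/mRun:/x64-Run: lines, e.g.  x64-Run: [obrtbr] "C:\...\rundll32.exe" ...
RUN_LINE = re.compile(r'^(?P<hive>u|m|x64-)Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
POLICY_LINE = re.compile(r'^mPolicies-System:\s*(?P<key>\w+)\s*=\s*dword:(?P<val>\d+)$')

# A DLL auto-started from a directory an unprivileged user can write to,
# via a signed Windows host binary, is the pattern to look at first.
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\', re.IGNORECASE)
LOLBIN_HOSTS = re.compile(r'\\(rundll32|regsvr32)\.exe"?', re.IGNORECASE)

# UAC policy values that mean "weakened". On a domain-managed laptop these
# may legitimately come from group policy; confirm with the admin before
# treating them as tampering.
WEAK_UAC = {"EnableLUA": "0", "PromptOnSecureDesktop": "0",
            "ConsentPromptBehaviorAdmin": "0"}


def triage_dds(log_text):
    """Return (line_no, reason, line) findings for the DDS text given."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = RUN_LINE.match(line)
        if m:
            cmd = m.group("cmd")
            if LOLBIN_HOSTS.search(cmd) and USER_WRITABLE.search(cmd):
                findings.append((n, "host binary loads DLL from user profile", line))
            elif not re.match(r'^"?[A-Za-z]:\\', cmd):
                # A Run value that does not begin with a drive path is
                # malformed; the log above has one ([linge] ",STRICTERRORS).
                findings.append((n, "malformed Run value", line))
            continue
        p = POLICY_LINE.match(line)
        if p and WEAK_UAC.get(p.group("key")) == p.group("val"):
            findings.append((n, "UAC weakened: %s=%s" % (p.group("key"), p.group("val")), line))
    return findings


# Constructed excerpt of the log posted above (same lines, shortened list).
SAMPLE_LOG = r"""
mRun: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
mRun: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe -scheduler
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [obrtbr] "C:\Windows\System32\rundll32.exe" "C:\Users\467065\AppData\Roaming\obrtbr.dll",_Count
x64-Run: [linge] ",STRICTERRORS
"""

if __name__ == "__main__":
    for line_no, reason, line in triage_dds(SAMPLE_LOG):
        print("line %d: %s\n    %s" % (line_no, reason, line))
```

Run on the full log, the same function reports the three UAC values, the `obrtbr` entry and the `linge` entry and nothing else; every other Run line in the post starts with a drive path to a vendor install directory.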




#2 rturanc

rturanc
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:33 AM

Posted 20 January 2015 - 11:17 AM

I just found the Cryptowall 3.0 files on the hard drive. I read the FAQ at http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information so, I guess that's all I really need to know. Thank you for the information.



#3 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,592 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:06:33 AM

Posted 20 January 2015 - 10:54 PM

Greetings,

Thank you for letting us know. It is unfortunate you were hit with the Cryptowall.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,592 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:06:33 AM

Posted 20 January 2015 - 10:54 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary



