Poweliks Infection


  • This topic is locked
7 replies to this topic

#1 arcacar9
  • Members
  • 13 posts

Posted 26 January 2015 - 07:02 PM

OK, this is a first for me. I have always been able to use your self-help files to solve all/any problems I have had. So here goes.

 

I was handed this PC with the info that it would not boot completely. Once I started the PC, AVG came up and kept telling me it was cleaning the registry of the file Poweliks. This continued to pop up for a while. During this time I was able to see the AVG program screen. I saw that no scan had ever been run on this version of AVG2013 (free). So, I started a complete scan. After the scan was complete it was showing that it had cleaned 11 files off the PC and most had to do with the trojan Poweliks. Now, once I closed the AVG screen I have not been able to open anything except 'Task Manager'. Next, I did a search on your site for the trojan Poweliks and found the instructions for removal. Via the 'Task Manager' I was able to bring up the 'Run' line and tried the inetcpl.cpl and it opened the settings for IE. Reset all to the default settings, closed the IE settings box and still do not have a Desktop. I have tried running 'Explorer' via 'Task Manager'. The desktop might appear for two seconds, but then it crashes. I have tried 'Safe Mode' and it just keeps resetting or refreshing the screen every 5 seconds. Just about the time you start the program or Windows Explorer the screen will flash, close explorer and bring up the 'Help' screen again. Because of all of this, I do not know how I will be able to run any scan tool so I can send to you. Please help with anything you can.

 

I do not have the original Windows 7 CD, but can get it if needed. 





#2 deeprybka
  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 26 January 2015 - 07:12 PM

Hi and welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully:
  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1

Scan with FRST from the Recovery Environment

On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html




To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
==========

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Select Command Prompt

==========


Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Edited by deeprybka, 26 January 2015 - 07:14 PM.

regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer

#3 arcacar9
  • Topic Starter
  • Members
  • 13 posts

Posted 26 January 2015 - 07:26 PM

Step 1. This answer covers all three steps. I can not get to my desktop. The only way I can run any programs is to open 'Task Manager', click on 'File', then click on 'New Task' (run).

Step 2

Step 3


#4 deeprybka
  • Malware Response Team
  • 5,198 posts

Posted 26 January 2015 - 07:33 PM

There is only one step...
regards,
deeprybka

#5 arcacar9
  • Topic Starter
  • Members
  • 13 posts

Posted 26 January 2015 - 08:19 PM

My mistake. I did not read all the instructions. Here is the FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-01-2015 01
Ran by SYSTEM on MININT-NOFFE5G on 26-01-2015 19:15:50
Running from e:\
Platform: Windows 7 Home Premium (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
ATTENTION!:=====> THE OPERATING SYSTEM IS A X64 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X86 SYSTEM DISK.
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [lxctmon.exe] => C:\Program Files (x86)\Lexmark 5400 Series\lxctmon.exe [291760 2006-11-22] ()
HKLM\...\Run: [EzPrint] => C:\Program Files (x86)\Lexmark 5400 Series\ezprint.exe [82864 2006-11-22] (Lexmark International Inc.)
HKLM\...\Run: [LXCTCATS] => rundll32 C:\Windows\system32\spool\DRIVERS\x64\3\LXCTtime.dll,RunDLLEntry
HKU\Jean\...\Run: [AVG-Secure-Search-Update_1213b] => C:\Users\Jean\AppData\Roaming\AVG 1213b Campaign\AVG-Secure-Search-Update-1213b.exe /PROMPT /mid=0e5b252c597847d381aed1544f79d134-4eb718094a70f928197f0b63234f95b84d84a9ee /CMPID=1213b
HKU\Jean\...\Run: [AVG-Secure-Search-Update_0214c] => C:\Users\Jean\AppData\Roaming\AVG 0214c Campaign\AVG-Secure-Search-Update-0214c.exe /PROMPT /mid=0e5b252c597847d381aed1544f79d134-4eb718094a70f928197f0b63234f95b84d84a9ee /CMPID=0214c
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AdobeFlashPlayerUpdateSvc; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [267440 2015-01-22] (Adobe Systems Incorporated)
S4 aspnet_state; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe [50864 2014-04-11] (Microsoft Corporation)
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [3247120 2014-12-16] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [289328 2014-12-16] (AVG Technologies CZ, s.r.o.)
S3 clr_optimization_v2.0.50727_64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [90776 2014-03-20] (Microsoft Corporation)
S2 clr_optimization_v4.0.30319_64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [124088 2014-04-11] (Microsoft Corporation)
S3 FontCache3.0.0.0; C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [42856 2010-11-20] (Microsoft Corporation)
S2 gupdate; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [116648 2013-12-22] (Google Inc.)
S3 gupdatem; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [116648 2013-12-22] (Google Inc.)
S3 idsvc; C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe [859280 2014-06-30] (Microsoft Corporation)
S2 lxct_device; C:\Windows\system32\lxctcoms.exe [566192 2006-11-22] ( )
S3 MozillaMaintenance; C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [119408 2014-09-01] (Mozilla Foundation)
S4 NetMsmqActivator; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [139944 2014-04-11] (Microsoft Corporation)
S4 NetPipeActivator; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [139944 2014-04-11] (Microsoft Corporation)
S4 NetTcpActivator; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [139944 2014-04-11] (Microsoft Corporation)
S4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [139944 2014-04-11] (Microsoft Corporation)
S3 PerfHost; C:\Windows\SysWow64\perfhost.exe [20992 2009-07-13] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [152344 2014-06-30] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [244504 2014-07-21] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [190744 2014-06-17] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [237848 2014-10-24] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [328984 2014-06-17] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [123672 2014-10-29] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-17] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [269080 2014-10-20] (AVG Technologies CZ, s.r.o.)
S3 b06bdrv; C:\Windows\system32\drivers\bxvbda.sys [468480 2009-06-10] (Broadcom Corporation)
S3 b57nd60a; C:\Windows\System32\DRIVERS\b57nd60a.sys [270848 2009-06-10] (Broadcom Corporation)
S3 e1express; C:\Windows\System32\DRIVERS\e1e6032e.sys [278016 2009-06-10] (Intel Corporation)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 igfx; C:\Windows\System32\DRIVERS\igdkmd64.sys [6180832 2009-09-23] (Intel Corporation)
S3 ksthunk; C:\Windows\system32\drivers\ksthunk.sys [20992 2009-07-13] (Microsoft Corporation)
S3 rt70x64; C:\Windows\System32\DRIVERS\netr7064.sys [388448 2010-04-27] (Ralink Technology Corp.)
S3 VST64HWBS2; C:\Windows\System32\DRIVERS\VSTBS26.SYS [411136 2009-06-10] (Conexant Systems, Inc.)
S3 VST64_DPV; C:\Windows\System32\DRIVERS\VSTDPV6.SYS [1485312 2009-06-10] (Conexant Systems, Inc.)
S3 winachsf; C:\Windows\System32\DRIVERS\VSTCNXT6.SYS [740864 2009-06-10] (Conexant Systems, Inc.)
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-26 19:15 - 2015-01-26 19:15 - 00000000 ____D () C:\FRST
2015-01-26 15:15 - 2015-01-26 15:15 - 00000000 ____D () C:\Windows\ERDNT
2015-01-26 15:14 - 2015-01-26 15:15 - 00000000 ___SD () C:\32788R22FWJFW
2015-01-26 13:06 - 2015-01-26 13:06 - 00826697 _____ () C:\ProgramData\SPL4356.tmp
2015-01-24 13:03 - 2015-01-24 13:03 - 00826697 _____ () C:\ProgramData\SPL31C9.tmp
2015-01-24 12:59 - 2015-01-24 12:59 - 00826697 _____ () C:\ProgramData\SPL3014.tmp
2015-01-24 11:13 - 2015-01-24 11:13 - 00826697 _____ () C:\ProgramData\SPL1AD0.tmp
2015-01-24 09:10 - 2015-01-24 09:10 - 00008542 _____ () C:\Users\Jean\Desktop\HELP_DECRYPT.HTML
2015-01-24 09:10 - 2015-01-24 09:10 - 00004214 _____ () C:\Users\Jean\Desktop\HELP_DECRYPT.TXT
2015-01-24 09:10 - 2015-01-24 09:10 - 00000272 _____ () C:\Users\Jean\Desktop\HELP_DECRYPT.URL
2015-01-24 09:09 - 2015-01-24 09:09 - 00008542 _____ () C:\Users\Jean\HELP_DECRYPT.HTML
2015-01-24 09:09 - 2015-01-24 09:09 - 00004214 _____ () C:\Users\Jean\HELP_DECRYPT.TXT
2015-01-24 09:09 - 2015-01-24 09:09 - 00000272 _____ () C:\Users\Jean\HELP_DECRYPT.URL
2015-01-24 09:08 - 2015-01-24 09:08 - 00826697 _____ () C:\ProgramData\SPL46B0.tmp
2015-01-24 08:32 - 2015-01-24 08:32 - 00008542 _____ () C:\Users\Jean\Downloads\HELP_DECRYPT.HTML
2015-01-24 08:32 - 2015-01-24 08:32 - 00004214 _____ () C:\Users\Jean\Downloads\HELP_DECRYPT.TXT
2015-01-24 08:32 - 2015-01-24 08:32 - 00000272 _____ () C:\Users\Jean\Downloads\HELP_DECRYPT.URL
2015-01-24 08:31 - 2015-01-24 08:31 - 00008542 _____ () C:\Users\Jean\Documents\HELP_DECRYPT.HTML
2015-01-24 08:31 - 2015-01-24 08:31 - 00004214 _____ () C:\Users\Jean\Documents\HELP_DECRYPT.TXT
2015-01-24 08:31 - 2015-01-24 08:31 - 00000272 _____ () C:\Users\Jean\Documents\HELP_DECRYPT.URL
2015-01-24 08:15 - 2015-01-24 08:15 - 00008542 _____ () C:\Users\Jean\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-24 08:15 - 2015-01-24 08:15 - 00008542 _____ () C:\Users\Jean\AppData\HELP_DECRYPT.HTML
2015-01-24 08:15 - 2015-01-24 08:15 - 00004214 _____ () C:\Users\Jean\AppData\Roaming\HELP_DECRYPT.TXT
2015-01-24 08:15 - 2015-01-24 08:15 - 00004214 _____ () C:\Users\Jean\AppData\HELP_DECRYPT.TXT
2015-01-24 08:15 - 2015-01-24 08:15 - 00000272 _____ () C:\Users\Jean\AppData\Roaming\HELP_DECRYPT.URL
2015-01-24 08:15 - 2015-01-24 08:15 - 00000272 _____ () C:\Users\Jean\AppData\HELP_DECRYPT.URL
2015-01-24 08:07 - 2015-01-24 08:07 - 00008542 _____ () C:\Users\Jean\AppData\Local\HELP_DECRYPT.HTML
2015-01-24 08:07 - 2015-01-24 08:07 - 00004214 _____ () C:\Users\Jean\AppData\Local\HELP_DECRYPT.TXT
2015-01-24 08:07 - 2015-01-24 08:07 - 00000272 _____ () C:\Users\Jean\AppData\Local\HELP_DECRYPT.URL
2015-01-24 07:57 - 2015-01-24 07:57 - 00008542 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-24 07:57 - 2015-01-24 07:57 - 00004214 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-24 07:57 - 2015-01-24 07:57 - 00000272 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-01-24 07:43 - 2015-01-24 07:43 - 00000432 ____H () C:\ProgramData\@system3.att
2015-01-24 07:42 - 2015-01-24 07:42 - 00000696 _____ () C:\ProgramData\@system.temp
2015-01-24 07:42 - 2015-01-24 07:42 - 00000480 ____H () C:\Users\Jean\AppData\Roaming\麽鎒駓覜
2015-01-24 07:41 - 2015-01-26 13:07 - 00000000 ____D () C:\Users\Jean\AppData\Roaming\FrameworkUpdate
2015-01-24 07:40 - 2015-01-26 15:30 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-01-24 07:40 - 2015-01-26 13:07 - 00000000 ___HD () C:\f85275ff
2015-01-24 07:40 - 2015-01-24 07:43 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2015-01-21 09:29 - 2015-01-21 09:29 - 00826697 _____ () C:\ProgramData\SPL8750.tmp
2015-01-14 01:45 - 2014-12-18 19:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2015-01-14 01:45 - 2014-12-18 17:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\mrxdav.sys
2015-01-14 01:45 - 2014-12-11 21:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2015-01-14 01:45 - 2014-12-11 21:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\System32\srcore.dll
2015-01-14 01:45 - 2014-12-11 21:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\System32\rstrui.exe
2015-01-14 01:45 - 2014-12-11 21:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\System32\srclient.dll
2015-01-14 01:45 - 2014-12-11 09:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\System32\TSWbPrxy.exe
2015-01-14 01:45 - 2014-12-05 20:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\System32\nlasvc.dll
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-26 16:19 - 2013-12-16 19:21 - 01311796 _____ () C:\Windows\WindowsUpdate.log
2015-01-26 16:12 - 2013-12-17 14:23 - 00000000 ____D () C:\ProgramData\MFAData
2015-01-26 15:29 - 2009-07-13 20:45 - 00028944 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-26 15:29 - 2009-07-13 20:45 - 00028944 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-26 15:26 - 2009-07-13 21:13 - 00781790 _____ () C:\Windows\System32\PerfStringBackup.INI
2015-01-26 15:21 - 2009-07-13 20:51 - 00029564 _____ () C:\Windows\setupact.log
2015-01-26 15:15 - 2011-12-20 19:57 - 00000000 ____D () C:\Qoobox
2015-01-26 14:53 - 2013-12-16 18:43 - 00000000 ____D () C:\Users\Jean\AppData\Local\VirtualStore
2015-01-26 14:32 - 2014-04-23 14:21 - 00016198 _____ () C:\lxct.log
2015-01-26 13:07 - 2013-12-17 14:31 - 00000000 ____D () C:\ProgramData\AVG2014
2015-01-24 13:03 - 2013-12-29 10:16 - 00000000 ____D () C:\Program Files\Lx_cats
2015-01-24 09:09 - 2013-12-16 18:43 - 00000000 ____D () C:\users\Jean
2015-01-24 08:30 - 2013-12-16 14:40 - 00000000 ___SD () C:\Users\Jean\Documents\My Data Sources
2015-01-24 08:24 - 2013-12-16 14:33 - 00000000 ____D () C:\Users\Jean\Desktop\security 2011
2015-01-24 08:15 - 2013-12-18 13:48 - 00000000 ____D () C:\Users\Jean\AppData\Roaming\Mozilla
2015-01-24 08:08 - 2013-12-30 07:24 - 00000000 ____D () C:\Users\Jean\AppData\Roaming\5400 Series
2015-01-24 08:08 - 2013-12-17 19:45 - 00000000 ____D () C:\Users\Jean\AppData\Roaming\Adobe
2015-01-24 08:07 - 2013-12-29 09:51 - 00000000 ____D () C:\Users\Jean\AppData\Local\SlimWare Utilities Inc
2015-01-24 08:07 - 2013-12-18 13:48 - 00000000 ____D () C:\Users\Jean\AppData\Local\Mozilla
2015-01-24 08:06 - 2013-12-19 22:56 - 00000000 ____D () C:\Users\Jean\AppData\Local\Microsoft Games
2015-01-24 07:58 - 2013-12-22 11:53 - 00000000 ____D () C:\Users\Jean\AppData\Local\Google
2015-01-24 07:38 - 2013-12-22 11:53 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-01-24 01:51 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-01-24 01:05 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\SysWOW64
2015-01-15 01:04 - 2013-12-17 15:21 - 00000000 ____D () C:\Windows\System32\MRT
2015-01-15 01:01 - 2013-12-17 15:21 - 113365784 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2015-01-08 06:39 - 2014-04-24 05:19 - 00000965 _____ () C:\Users\Public\Desktop\AVG 2014.lnk
2014-12-30 14:16 - 2009-07-13 21:32 - 00000000 ____D () C:\Windows\System32\FxsTmp
 
Some content of TEMP:
====================
C:\Users\Jean\AppData\Local\Temp\update.exe
 
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe
[2013-12-18 14:05] - [2011-02-24 22:19] - 2871808 ____A (Microsoft Corporation) 332FEAB1435662FC6C672E25BEB37BE3
 
C:\Windows\System32\winlogon.exe
[2014-10-14 22:55] - [2014-07-16 18:07] - 0455168 ____A (Microsoft Corporation) 8CEBD9D0A0A879CDE9F36F4383B7CAEA
 
C:\Windows\System32\wininit.exe
[2009-07-13 15:52] - [2009-07-13 17:39] - 0129024 ____A (Microsoft Corporation) 94355C28C1970635A31B3FE52EB7CEBA
 
C:\Windows\System32\svchost.exe
[2009-07-13 15:31] - [2009-07-13 17:39] - 0027136 ____A (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D
 
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
 
C:\Windows\System32\User32.dll
[2010-11-20 19:24] - [2010-11-20 19:24] - 1008128 ____A (Microsoft Corporation) FE70103391A64039A921DBFFF9C7AB1B
 
C:\Windows\System32\userinit.exe
[2010-11-20 19:24] - [2010-11-20 19:24] - 0030720 ____A (Microsoft Corporation) BAFE84E637BF7388C96EF48D4D3FDD53
 
C:\Windows\System32\rpcss.dll
[2010-11-20 19:24] - [2010-11-20 19:24] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123
 
 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys
[2010-11-20 19:23] - [2010-11-20 19:23] - 0295808 ____A (Microsoft Corporation) 0D08D2F3B3FF84E433346669B5E0F639
 
 
==================== Restore Points  =========================
 
Restore point made on: 2014-12-19 01:00:45
Restore point made on: 2014-12-26 22:40:26
Restore point made on: 2015-01-03 22:00:26
Restore point made on: 2015-01-11 22:00:23
Restore point made on: 2015-01-15 01:00:44
Restore point made on: 2015-01-22 22:00:24
Restore point made on: 2015-01-24 01:00:29
 
==================== Memory info =========================== 
 
Percentage of memory in use: 21%
Total physical RAM: 2037.18 MB
Available physical RAM: 1606.1 MB
Total Pagefile: 2037.18 MB
Available Pagefile: 1610.85 MB
Total Virtual: 2047.88 MB
Available Virtual: 1947.3 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:462.4 GB) (Free:409.66 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive e: (HITMANPRO) (Removable) (Total:7.46 GB) (Free:7.46 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 41AB2316)
Partition 1: (Not Active) - (Size=55 MB) - (Type=DE)
Partition 2: (Active) - (Size=462.4 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=3.3 GB) - (Type=DB)
 
========================================================
Disk: 1 (Size: 7.5 GB) (Disk ID: 512F897D)
Partition 1: (Active) - (Size=7.5 GB) - (Type=0B)
 
 
LastRegBack: 2015-01-23 22:32
 
==================== End Of Log ============================

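The log above is the kind of artefact a responder triages by hand: the HELP_DECRYPT.HTML/.TXT/.URL files are the ransom notes CryptoWall 3.0 dropped into every directory it encrypted at the time, and the hidden, oddly named items created in the minutes before the first note (C:\f85275ff, the GUID folder in ProgramData, the non-ASCII name under AppData\Roaming) are where the dropper kept its state. The Python script below is an added example for this thread; it is not part of the original posts and not a feature of FRST. It parses the "created - modified - size attrs (company) path" line format of the "One Month Created Files and Folders" section shown above and applies three checks: ransom-note detection, hidden or non-ASCII artefacts in user-writable paths, and a time pivot back from the first ransom note. The sample lines are a subset copied from the log above; the 30-minute window and the six-hex-digit root-folder rule are assumptions chosen for illustration.

```python
"""Triage helper for the 'Created Files and Folders' section of an FRST log.

Added example, not part of the thread or of FRST. Parses lines of the form
  "<created> - <modified> - <size> <attrs> (<company>) <path>"
and flags ransom notes, hidden/odd artefacts, and everything created in the
window just before the first ransom note appeared.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
==================== One Month Created Files and Folders ========
2015-01-26 19:15 - 2015-01-26 19:15 - 00000000 ____D () C:\FRST
2015-01-24 09:10 - 2015-01-24 09:10 - 00008542 _____ () C:\Users\Jean\Desktop\HELP_DECRYPT.HTML
2015-01-24 07:57 - 2015-01-24 07:57 - 00000272 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-01-24 07:43 - 2015-01-24 07:43 - 00000432 ____H () C:\ProgramData\@system3.att
2015-01-24 07:42 - 2015-01-24 07:42 - 00000696 _____ () C:\ProgramData\@system.temp
2015-01-24 07:42 - 2015-01-24 07:42 - 00000480 ____H () C:\Users\Jean\AppData\Roaming\麽鎒駓覜
2015-01-24 07:41 - 2015-01-26 13:07 - 00000000 ____D () C:\Users\Jean\AppData\Roaming\FrameworkUpdate
2015-01-24 07:40 - 2015-01-26 15:30 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-01-24 07:40 - 2015-01-26 13:07 - 00000000 ___HD () C:\f85275ff
2015-01-24 07:40 - 2015-01-24 07:43 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2015-01-14 01:45 - 2014-12-11 21:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
# HELP_DECRYPT.* is the note set CryptoWall 3.0 wrote into every encrypted folder.
RANSOM_NOTE_RE = re.compile(r"HELP_DECRYPT\.(HTML|TXT|URL|PNG)", re.IGNORECASE)
USER_WRITABLE = ("C:\\ProgramData\\", "C:\\Users\\")
ROOT_HEX_DIR_RE = re.compile(r"C:\\[0-9a-f]{6,}")  # assumed rule: e.g. C:\f85275ff


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str      # FRST attribute column, e.g. ____D, ___HD, ____H
    company: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_frst(text: str) -> list[Entry]:
    """Return one Entry per file/folder line; headers and notes are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            size=int(m["size"]), attrs=m["attrs"],
            company=m["company"], path=m["path"],
        ))
    return entries


def ransom_notes(entries: list[Entry]) -> list[Entry]:
    return [e for e in entries if RANSOM_NOTE_RE.fullmatch(e.name)]


def suspicious_artifacts(entries: list[Entry]) -> list[tuple[Entry, list[str]]]:
    """Hidden items in user-writable paths, non-ASCII names, hex-named root dirs."""
    flagged = []
    for e in entries:
        why = []
        if any(ord(c) > 127 for c in e.name):
            why.append("non-ASCII name")
        if e.hidden and e.path.startswith(USER_WRITABLE):
            why.append("hidden in user-writable location")
        if e.is_dir and ROOT_HEX_DIR_RE.fullmatch(e.path):
            why.append("random-hex directory at drive root")
        if why:
            flagged.append((e, why))
    return flagged


def created_before_first_note(entries: list[Entry],
                              window: timedelta = timedelta(minutes=30)) -> list[Entry]:
    """Pivot: everything created in `window` before the first ransom note (dropper run)."""
    notes = ransom_notes(entries)
    if not notes:
        return []
    first = min(n.created for n in notes)
    return sorted((e for e in entries
                   if first - window <= e.created < first
                   and not RANSOM_NOTE_RE.fullmatch(e.name)),
                  key=lambda e: e.created)


if __name__ == "__main__":
    ents = parse_frst(SAMPLE_LOG)
    for e, why in suspicious_artifacts(ents):
        print(f"[suspicious] {e.created:%Y-%m-%d %H:%M} {e.path}  ({'; '.join(why)})")
    for e in created_before_first_note(ents):
        print(f"[pre-note]   {e.created:%Y-%m-%d %H:%M} {e.path}")
```

The attribute rules alone miss C:\ProgramData\Windows Genuine Advantage, which is neither hidden nor oddly named; the time pivot catches it because it was created at 07:40, in the same three-minute burst as the hidden folders and seventeen minutes before the first note. Note also the log's own warning that a 32-bit recovery disk was used on a 64-bit install, so sections of the real log are incomplete and the same pivot should be re-run on a full scan.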

#6 deeprybka
  • Malware Response Team
  • 5,198 posts

Posted 27 January 2015 - 06:24 AM

Hi,
looks like your PC is badly infected and your files are encrypted. I would recommend to reinstall your Windows.


Step 1

Please download the attached fixlist.txt and save it to the same directory on the flash drive as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.
Attached File: fixlist.txt (52 bytes, 3 downloads)
regards,
deeprybka

#7 deeprybka
  • Malware Response Team
  • 5,198 posts

Posted 31 January 2015 - 06:16 PM

Hi,

3 Day Inactivity

This is the third day since my last post. Are you still there?

If you need more time, just let me know.

If you do not post within 48 hours, this thread will be closed due to inactivity.
regards,
deeprybka

#8 deeprybka
  • Malware Response Team
  • 5,198 posts

Posted 03 February 2015 - 09:19 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
regards,
deeprybka



