infected with crypto virus and do not know how to remove it


  • This topic is locked
10 replies to this topic

#1 gregbsens


Posted 28 March 2015 - 02:02 PM

Hi, my friend is retired and does not use his PC often. So when he brought it to me two weeks ago, it had actually been infected in the second week of Feb.
 
When I saw the desktop and that it said to go to this web address and pay a 'ransom', I thought this was some sort of joke and didn't think it was true. So I treated it like any other malware.
 
I put the system into safe mode and ran Malwarebytes. When that didn't work, I ran Malwarebytes and ComboFix. After that I removed all startup programs from msconfig that looked suspicious and recovered 'system restore' from the registry in hopes of recovering the files with shadow copy.
 
Well, this is by far beyond my expertise, and I hope I have not made anything worse that would hinder any of you from helping with this issue.
 
Sincerely,
 
Grateful for any help   :)
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
Ran by John (administrator) on RKWL01 on 28-03-2015 13:50:59
Running from C:\Users\John\Desktop
Loaded Profiles: John (Available profiles: John)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Windows ® Win 7 DDK provider) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AdminService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
( ) C:\Windows\System32\dlcccoms.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleCrashHandler64.exe
(SlimWare Utilities, Inc.) C:\Program Files\SlimService\SlimServiceFactory.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Atheros) C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\CSP\1.3.336.0\McCSPServiceHost.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Dell) C:\Program Files (x86)\Dell Photo AIO Printer 924\dlccmon.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Dell) C:\Users\John\AppData\Local\Apps\2.0\PN1MQOMC.DW9\C9ZP18JD.J1L\dell..tion_0f612f649c4a10af_0005.0005_9914611622934cec\DellSystemDetect.exe
(SlimWare Utilities, Inc.) C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe
(Microsoft Corporation) C:\Users\John\AppData\Local\Microsoft\OneDrive\OneDrive.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(SlimWare Utilities, Inc.) C:\Program Files\SlimService\SlimService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\runas.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\saUI.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\csisyncclient.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [dlccmon.exe] => C:\Program Files (x86)\Dell Photo AIO Printer 924\dlccmon.exe [431600 2007-01-30] (Dell)
HKLM\...\Run: [DLCCCATS] => rundll32 C:\Windows\system32\spool\DRIVERS\x64\3\DLCCtime.dll,RunDLLEntry
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-04-26] (Intel Corporation)
HKLM-x32\...\Run: [Dell Registration] => C:\Program Files (x86)\System Registration\prodreg.exe [4165440 2011-08-04] (Dell, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
HKLM-x32\...\Run: [FlashPlayerUpdate] => C:\Users\John\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe [143360 2015-03-23] ()
HKLM Group Policy restriction on software: C:\Program Files\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\klojket-x32: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\klojket.dll ()
Winlogon\Notify\ojketkl-x32: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ojketkl.dll ()
Winlogon\Notify\pgkunge-x32: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\pgkunge.dll ()
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-386175665-270596159-318734568-1000\...\Run: [DellSystemDetect] => C:\Users\John\AppData\Local\Apps\2.0\PN1MQOMC.DW9\C9ZP18JD.J1L\dell..tion_0f612f649c4a10af_0005.0005_9914611622934cec\DellSystemDetect.exe [253952 2014-03-16] (Dell)
HKU\S-1-5-21-386175665-270596159-318734568-1000\...\Run: [SlimCleaner Plus] => C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe [26165056 2014-11-17] (SlimWare Utilities, Inc.)
HKU\S-1-5-21-386175665-270596159-318734568-1000\...\Run: [OneDrive] => C:\Users\John\AppData\Local\Microsoft\OneDrive\OneDrive.exe [281248 2015-03-09] (Microsoft Corporation)
HKU\S-1-5-21-386175665-270596159-318734568-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7416088 2015-02-19] (Piriform Ltd)
HKU\S-1-5-21-386175665-270596159-318734568-1000\...\Run: [HahfOvikx] => regsvr32.exe "C:\ProgramData\HahfOvikx\LaxhIbupi.pik"
HKU\S-1-5-21-386175665-270596159-318734568-1000\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\system32\Macromed\Flash\FlashUtil64_12_0_0_77_ActiveX.exe [531848 2014-03-16] (Adobe Systems Incorporated)
HKU\S-1-5-21-386175665-270596159-318734568-1000\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-18\...\Run: [klojket] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\klojket.dll",klojket <===== ATTENTION
HKU\S-1-5-18\...\Run: [ojketkl] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\ojketkl.dll",ojketkl <===== ATTENTION
HKU\S-1-5-18\...\Run: [pgkunge] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\pgkunge.dll",pgkunge <===== ATTENTION
HKU\S-1-5-18\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-18\...\Policies\Explorer: [HideSCAHealth] 1
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\John\AppData\Local\Microsoft\OneDrive\17.3.4726.0226\amd64\FileSyncShell64.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\John\AppData\Local\Microsoft\OneDrive\17.3.4726.0226\amd64\FileSyncShell64.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\John\AppData\Local\Microsoft\OneDrive\17.3.4726.0226\amd64\FileSyncShell64.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\Windows\system32\mscoree.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\Windows\system32\mscoree.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\John\AppData\Local\Microsoft\OneDrive\17.3.4726.0226\FileSyncShell.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\John\AppData\Local\Microsoft\OneDrive\17.3.4726.0226\FileSyncShell.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\John\AppData\Local\Microsoft\OneDrive\17.3.4726.0226\FileSyncShell.dll (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-386175665-270596159-318734568-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-386175665-270596159-318734568-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-386175665-270596159-318734568-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-386175665-270596159-318734568-1000 -> DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKU\S-1-5-21-386175665-270596159-318734568-1000 -> {34092166-BCAD-40D7-9A26-B859B7050D2D} URL =
SearchScopes: HKU\S-1-5-21-386175665-270596159-318734568-1000 -> {3762B762-82C1-4618-AE2A-B7B1105C074B} URL = http://search.yahoo.com/search?fr=mcafee&type=A011US679&p={SearchTerms}
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2015-02-10] (Microsoft Corporation)
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll [2013-07-03] (Qualcomm®Atheros®)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2015-01-28] (McAfee, Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL [2015-02-10] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2015-02-10] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-03-16] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2015-01-28] (McAfee, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL [2015-02-10] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2014-03-16] (Oracle Corporation)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2015-01-28] (McAfee, Inc.)
Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2015-01-28] (McAfee, Inc.)
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2015-01-28] (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2015-01-28] (McAfee, Inc.)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2015-01-28] (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2015-01-28] (McAfee, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\MSC\McSnIePl64.dll [2014-04-25] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll [2014-04-25] (McAfee, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{5879661D-C6D7-4173-BE15-942C6200CB98}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{818284CC-9516-4048-8D85-81CC65398EF1}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{8DB97DA2-65E9-4B87-A180-F08B72EB8BFC}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{E9C6B359-D840-4349-A1B9-597C4EEA29BC}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8

FireFox:
========
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2014-04-25] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1210150.dll [2014-03-11] (Adobe Systems, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-04] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-04] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-03-16] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-03-16] (Oracle Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [2014-04-25] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2014-03-28] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor
FF Extension: McAfee SiteAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor [2014-03-27]

Chrome:
=======
CHR Profile: C:\Users\John\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (SiteAdvisor) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho [2015-01-19]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-28]
CHR Extension: (Google Wallet) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-19]
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2015-02-26]
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2015-02-26]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

Locked "6c023a03c663116c" service could not be unlocked. <===== ATTENTION

R2 AtherosSvc; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe [312448 2013-07-03] (Windows ® Win 7 DDK provider) [File not signed]
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2714800 2015-02-10] (Microsoft Corporation)
R2 dlcc_device; C:\Windows\system32\dlcccoms.exe [566768 2007-01-30] ( )
R2 dlcc_device; C:\Windows\SysWOW64\dlcccoms.exe [538096 2007-01-30] ( )
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [335064 2014-10-31] (McAfee, Inc.)
S2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [14696 2013-07-30] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; c:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; c:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-25] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [155368 2015-02-19] (McAfee, Inc.)
S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178528 2014-04-25] (McAfee, Inc.)
R2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.3.336.0\McCSPServiceHost.exe [422632 2014-11-21] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [335064 2014-10-31] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [335064 2014-10-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [601864 2014-12-03] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [335064 2014-10-31] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [335064 2014-10-31] (McAfee, Inc.)
S2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1050952 2014-11-06] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [221832 2014-10-01] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [189920 2014-10-01] (McAfee, Inc.)
S2 SetupARService; C:\Program Files (x86)\Realtek\Audio\SetupAfterRebootService.exe [24576 2014-03-18] (Realtek Semiconductor.) [File not signed]
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe [1915920 2013-11-21] (SoftThinks SAS)
R2 SlimService; C:\Program Files\SlimService\SlimServiceFactory.exe [244544 2014-11-17] (SlimWare Utilities, Inc.)
U2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2014-02-20] (Microsoft Corporation)
R2 ZAtheros Wlan Agent; C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [81536 2013-06-21] (Atheros) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

U5 6c023a03c663116c; C:\Windows\System32\Drivers\6c023a03c663116c.sys [75704 2015-03-06] () <===== ATTENTION Necurs Rootkit?
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R3 BTATH_LWFLT; C:\Windows\System32\DRIVERS\btath_lwflt.sys [77464 2013-07-02] (Qualcomm Atheros)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [72136 2014-10-01] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [28008 2013-07-24] (Intel Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-03-28] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [99288 2013-09-04] (Intel Corporation)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [181584 2014-10-01] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [313680 2014-10-01] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [526360 2014-10-01] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [786304 2014-10-01] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [447440 2014-09-19] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [96600 2014-09-19] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [348560 2014-10-01] (McAfee, Inc.)
R0 mountmgr; C:\Windows\System32\drivers\mountmgr.sys [94592 2010-11-20] () [File not signed]
S3 mpio; C:\Windows\system32\drivers\mpio.sys [155008 2010-11-20] () [File not signed]
R3 mpsdrv; C:\Windows\System32\drivers\mpsdrv.sys [77312 2009-07-13] () [File not signed]
S3 MRxDAV; C:\Windows\system32\drivers\mrxdav.sys [141312 2014-12-18] () [File not signed]
R3 mrxsmb; C:\Windows\System32\DRIVERS\mrxsmb.sys [158208 2013-07-01] () [File not signed]
R3 mrxsmb10; C:\Windows\System32\DRIVERS\mrxsmb10.sys [288768 2013-07-01] () [File not signed]
R3 mrxsmb20; C:\Windows\System32\DRIVERS\mrxsmb20.sys [128000 2013-07-01] () [File not signed]
S3 msahci; C:\Windows\system32\drivers\msahci.sys [31104 2010-11-20] () [File not signed]
S3 msdsm; C:\Windows\system32\drivers\msdsm.sys [140672 2010-11-20] () [File not signed]
R1 Msfs; C:\Windows\System32\Drivers\Msfs.sys [26112 2009-07-13] ()
S3 mshidkmdf; C:\Windows\System32\drivers\mshidkmdf.sys [8192 2009-07-13] () [File not signed]
R0 msisadrv; C:\Windows\System32\drivers\msisadrv.sys [15424 2009-07-13] () [File not signed]
S3 MSKSSRV; C:\Windows\System32\drivers\MSKSSRV.sys [11136 2009-07-13] () [File not signed]
S3 MSPCLOCK; C:\Windows\System32\drivers\MSPCLOCK.sys [7168 2009-07-13] () [File not signed]
S3 MSPQM; C:\Windows\System32\drivers\MSPQM.sys [6784 2009-07-13] () [File not signed]
S3 MsRPC; C:\Windows\System32\Drivers\MsRPC.sys [366976 2010-11-20] ()
R1 mssmbios; C:\Windows\System32\DRIVERS\mssmbios.sys [32320 2009-07-13] () [File not signed]
S3 MSTEE; C:\Windows\System32\drivers\MSTEE.sys [8064 2009-07-13] () [File not signed]
S3 MTConfig; C:\Windows\system32\drivers\MTConfig.sys [15360 2009-07-13] () [File not signed]
R0 Mup; C:\Windows\System32\Drivers\mup.sys [60496 2009-07-13] () [File not signed]
R3 NativeWifiP; C:\Windows\System32\DRIVERS\nwifi.sys [318976 2009-07-13] () [File not signed]
R0 NDIS; C:\Windows\System32\drivers\ndis.sys [950128 2013-07-01] () [File not signed]
S3 NdisCap; C:\Windows\System32\DRIVERS\ndiscap.sys [35328 2009-07-13] () [File not signed]
R3 NdisTapi; C:\Windows\System32\DRIVERS\ndistapi.sys [24064 2009-07-13] () [File not signed]
R3 Ndisuio; C:\Windows\System32\DRIVERS\ndisuio.sys [56832 2010-11-20] () [File not signed]
R3 NdisWan; C:\Windows\System32\DRIVERS\ndiswan.sys [164352 2010-11-20] () [File not signed]
R3 NDProxy; C:\Windows\System32\Drivers\NDProxy.sys [57856 2010-11-20] ()
R1 NetBIOS; C:\Windows\System32\DRIVERS\netbios.sys [44544 2009-07-13] () [File not signed]
R1 NetBT; C:\Windows\System32\DRIVERS\netbt.sys [261632 2010-11-20] () [File not signed]
S3 nfrd960; C:\Windows\system32\drivers\nfrd960.sys [51264 2009-07-13] () [File not signed]
R1 Npfs; C:\Windows\System32\Drivers\Npfs.sys [44032 2009-07-13] ()
R1 nsiproxy; C:\Windows\System32\drivers\nsiproxy.sys [24576 2009-07-13] () [File not signed]
R3 Ntfs; C:\Windows\System32\Drivers\Ntfs.sys [1684928 2014-01-23] ()
R1 Null; C:\Windows\System32\Drivers\Null.sys [6144 2009-07-13] () [File not signed]
S3 nvraid; C:\Windows\system32\drivers\nvraid.sys [148352 2013-07-01] () [File not signed]
S3 nvstor; C:\Windows\system32\drivers\nvstor.sys [166272 2013-07-01] () [File not signed]
S3 nv_agp; C:\Windows\system32\drivers\nv_agp.sys [122960 2009-07-13] () [File not signed]
S3 ohci1394; C:\Windows\system32\drivers\ohci1394.sys [72832 2009-07-13] () [File not signed]
S3 Parport; C:\Windows\system32\drivers\parport.sys [97280 2009-07-13] () [File not signed]
R0 partmgr; C:\Windows\System32\drivers\partmgr.sys [75120 2013-07-01] () [File not signed]
R0 pci; C:\Windows\System32\drivers\pci.sys [184704 2010-11-20] () [File not signed]
S3 pciide; C:\Windows\system32\drivers\pciide.sys [12352 2009-07-13] () [File not signed]
S3 pcmcia; C:\Windows\system32\drivers\pcmcia.sys [220752 2009-07-13] () [File not signed]
R0 pcw; C:\Windows\System32\drivers\pcw.sys [50768 2009-07-13] () [File not signed]
R2 PEAUTH; C:\Windows\System32\drivers\peauth.sys [651264 2009-07-13] () [File not signed]
R3 PptpMiniport; C:\Windows\System32\DRIVERS\raspptp.sys [111104 2010-11-20] () [File not signed]
S3 Processor; C:\Windows\system32\drivers\processr.sys [60416 2009-07-13] () [File not signed]
R1 Psched; C:\Windows\System32\DRIVERS\pacer.sys [131584 2010-11-20] () [File not signed]
S3 ql2300; C:\Windows\system32\drivers\ql2300.sys [1524816 2009-07-13] () [File not signed]
S3 ql40xx; C:\Windows\system32\drivers\ql40xx.sys [128592 2009-07-13] () [File not signed]
S3 QWAVEdrv; C:\Windows\system32\drivers\qwavedrv.sys [46592 2009-07-13] () [File not signed]
S3 RasAcd; C:\Windows\System32\DRIVERS\rasacd.sys [14848 2009-07-13] () [File not signed]
R3 RasAgileVpn; C:\Windows\System32\DRIVERS\AgileVpn.sys [60416 2009-07-13] () [File not signed]
R3 Rasl2tp; C:\Windows\System32\DRIVERS\rasl2tp.sys [129536 2010-11-20] () [File not signed]
R3 RasPppoe; C:\Windows\System32\DRIVERS\raspppoe.sys [92672 2009-07-13] () [File not signed]
R3 RasSstp; C:\Windows\System32\DRIVERS\rassstp.sys [83968 2009-07-13] () [File not signed]
R1 rdbss; C:\Windows\System32\DRIVERS\rdbss.sys [309248 2010-11-20] () [File not signed]
S3 rdpbus; C:\Windows\system32\drivers\rdpbus.sys [24064 2009-07-13] () [File not signed]
R1 RDPCDD; C:\Windows\System32\DRIVERS\RDPCDD.sys [7680 2009-07-13] () [File not signed]
R1 RDPENCDD; C:\Windows\System32\drivers\rdpencdd.sys [7680 2009-07-13] () [File not signed]
R1 RDPREFMP; C:\Windows\System32\drivers\rdprefmp.sys [8192 2009-07-13] () [File not signed]
S3 RDPWD; C:\Windows\System32\Drivers\RDPWD.sys [212480 2014-07-16] ()
R0 rdyboost; C:\Windows\System32\drivers\rdyboost.sys [213888 2010-11-20] () [File not signed]
R3 RFCOMM; C:\Windows\System32\DRIVERS\rfcomm.sys [158720 2009-07-13] () [File not signed]
R2 rspndr; C:\Windows\System32\DRIVERS\rspndr.sys [76800 2009-07-13] () [File not signed]
R3 RSUSBSTOR; C:\Windows\System32\Drivers\RtsUStor.sys [263896 2013-07-09] () [File not signed]
R3 RTL8167; C:\Windows\System32\DRIVERS\Rt64win7.sys [849992 2013-04-10] () [File not signed]
S3 sbp2port; C:\Windows\system32\drivers\sbp2port.sys [103808 2010-11-20] () [File not signed]
S3 scfilter; C:\Windows\System32\DRIVERS\scfilter.sys [29696 2010-11-20] () [File not signed]
S3 sdbus; C:\Windows\system32\drivers\sdbus.sys [109056 2010-11-20] () [File not signed]
R2 secdrv; C:\Windows\System32\Drivers\secdrv.sys [23040 2009-06-10] ()
S3 Serenum; C:\Windows\system32\drivers\serenum.sys [23552 2009-07-13] () [File not signed]
S3 Serial; C:\Windows\system32\drivers\serial.sys [94208 2009-07-13] () [File not signed]
S3 sermouse; C:\Windows\system32\drivers\sermouse.sys [26624 2009-07-13] () [File not signed]
S3 sffdisk; C:\Windows\system32\drivers\sffdisk.sys [14336 2009-07-13] () [File not signed]
S3 sffp_mmc; C:\Windows\system32\drivers\sffp_mmc.sys [13824 2009-07-13] () [File not signed]
S3 sffp_sd; C:\Windows\system32\drivers\sffp_sd.sys [14336 2010-11-20] () [File not signed]
S3 sfloppy; C:\Windows\system32\drivers\sfloppy.sys [16896 2009-07-13] () [File not signed]
S3 SiSRaid2; C:\Windows\system32\drivers\SiSRaid2.sys [43584 2009-07-13] () [File not signed]
S3 SiSRaid4; C:\Windows\system32\drivers\sisraid4.sys [80464 2009-07-13] () [File not signed]
S3 Smb; C:\Windows\System32\DRIVERS\smb.sys [93184 2009-07-13] () [File not signed]
R0 spldr; C:\Windows\System32\Drivers\spldr.sys [19008 2009-07-13] ()
R3 srv; C:\Windows\System32\DRIVERS\srv.sys [467456 2013-07-01] () [File not signed]
R3 srv2; C:\Windows\System32\DRIVERS\srv2.sys [410112 2013-07-01] () [File not signed]
R3 srvnet; C:\Windows\System32\DRIVERS\srvnet.sys [168448 2013-07-01] () [File not signed]
S3 stexstor; C:\Windows\system32\drivers\stexstor.sys [24656 2009-07-13] () [File not signed]
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [16152 2014-12-14] () [File not signed]
R3 swenum; C:\Windows\System32\DRIVERS\swenum.sys [12496 2009-07-13] () [File not signed]
R0 Tcpip; C:\Windows\System32\drivers\tcpip.sys [1903552 2014-04-04] () [File not signed]
S3 TCPIP6; C:\Windows\System32\DRIVERS\tcpip.sys [1903552 2014-04-04] () [File not signed]
R2 tcpipreg; C:\Windows\System32\drivers\tcpipreg.sys [45568 2013-07-01] () [File not signed]
S3 TDPIPE; C:\Windows\System32\drivers\tdpipe.sys [15872 2009-07-13] () [File not signed]
S3 TDTCP; C:\Windows\System32\drivers\tdtcp.sys [23552 2013-07-01] () [File not signed]
R1 tdx; C:\Windows\System32\DRIVERS\tdx.sys [119296 2014-11-10] () [File not signed]
R1 TermDD; C:\Windows\System32\DRIVERS\termdd.sys [63360 2010-11-20] () [File not signed]
S3 tssecsrv; C:\Windows\System32\DRIVERS\tssecsrv.sys [39936 2014-07-16] () [File not signed]
S3 TsUsbFlt; C:\Windows\System32\drivers\tsusbflt.sys [59392 2010-11-20] () [File not signed]
S3 TsUsbGD; C:\Windows\system32\drivers\TsUsbGD.sys [31232 2010-11-20] () [File not signed]
R3 tunnel; C:\Windows\System32\DRIVERS\tunnel.sys [125440 2010-11-20] () [File not signed]
S3 uagp35; C:\Windows\system32\drivers\uagp35.sys [64080 2009-07-13] () [File not signed]
S4 udfs; C:\Windows\System32\DRIVERS\udfs.sys [328192 2010-11-20] () [File not signed]
S3 uliagpkx; C:\Windows\system32\drivers\uliagpkx.sys [64592 2009-07-13] () [File not signed]
R3 umbus; C:\Windows\System32\DRIVERS\umbus.sys [48640 2010-11-20] () [File not signed]
S3 UmPass; C:\Windows\system32\drivers\umpass.sys [9728 2009-07-13] () [File not signed]
S3 usbccgp; C:\Windows\System32\DRIVERS\usbccgp.sys [99840 2013-11-26] () [File not signed]
S3 usbcir; C:\Windows\system32\drivers\usbcir.sys [100864 2014-02-20] () [File not signed]
R3 usbehci; C:\Windows\system32\drivers\usbehci.sys [53248 2013-11-26] () [File not signed]
R3 usbhub; C:\Windows\System32\DRIVERS\usbhub.sys [343040 2013-11-26] () [File not signed]
S3 usbohci; C:\Windows\system32\drivers\usbohci.sys [25600 2014-02-20] () [File not signed]
S3 usbprint; C:\Windows\System32\DRIVERS\usbprint.sys [25088 2009-07-13] () [File not signed]
S3 usbscan; C:\Windows\System32\DRIVERS\usbscan.sys [42496 2014-02-20] () [File not signed]
S3 USBSTOR; C:\Windows\System32\DRIVERS\USBSTOR.SYS [91648 2013-07-01] () [File not signed]
S3 usbuhci; C:\Windows\system32\drivers\usbuhci.sys [30720 2014-02-20] () [File not signed]
R0 vdrvroot; C:\Windows\System32\drivers\vdrvroot.sys [36432 2009-07-13] () [File not signed]
S3 vga; C:\Windows\System32\DRIVERS\vgapnp.sys [29184 2009-07-13] () [File not signed]
R1 VgaSave; C:\Windows\System32\drivers\vga.sys [29184 2009-07-13] () [File not signed]
S3 vhdmp; C:\Windows\system32\drivers\vhdmp.sys [215936 2010-11-20] () [File not signed]
S3 viaide; C:\Windows\system32\drivers\viaide.sys [17488 2009-07-13] () [File not signed]
R0 volmgr; C:\Windows\System32\drivers\volmgr.sys [71552 2010-11-20] () [File not signed]
R0 volmgrx; C:\Windows\System32\drivers\volmgrx.sys [363392 2010-11-20] () [File not signed]
R0 volsnap; C:\Windows\System32\drivers\volsnap.sys [296320 2013-07-01] () [File not signed]
S3 vsmraid; C:\Windows\system32\drivers\vsmraid.sys [161872 2009-07-13] () [File not signed]
R3 vwifibus; C:\Windows\System32\DRIVERS\vwifibus.sys [24576 2009-07-13] () [File not signed]
R1 vwififlt; C:\Windows\System32\DRIVERS\vwififlt.sys [59904 2009-07-13] () [File not signed]
S3 WacomPen; C:\Windows\system32\drivers\wacompen.sys [27776 2009-07-13] () [File not signed]
S3 WANARP; C:\Windows\System32\DRIVERS\wanarp.sys [88576 2010-11-20] () [File not signed]
R1 Wanarpv6; C:\Windows\System32\DRIVERS\wanarp.sys [88576 2010-11-20] () [File not signed]
S3 Wd; C:\Windows\system32\drivers\wd.sys [21056 2009-07-13] () [File not signed]
R0 Wdf01000; C:\Windows\System32\drivers\Wdf01000.sys [785624 2014-02-20] () [File not signed]
R1 WfpLwf; C:\Windows\System32\DRIVERS\wfplwf.sys [12800 2009-07-13] () [File not signed]
S3 WIMMount; C:\Windows\System32\drivers\wimmount.sys [22096 2009-07-13] () [File not signed]
S3 WmiAcpi; C:\Windows\system32\drivers\wmiacpi.sys [14336 2009-07-13] () [File not signed]
R1 ws2ifsl; C:\Windows\system32\drivers\ws2ifsl.sys [21504 2009-07-13] () [File not signed]
R3 WudfPf; C:\Windows\System32\drivers\WudfPf.sys [87040 2012-07-25] () [File not signed]
S3 WUDFRd; C:\Windows\System32\DRIVERS\WUDFRd.sys [198656 2012-07-25] () [File not signed]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-28 13:50 - 2015-03-28 13:51 - 00036275 _____ () C:\Users\John\Desktop\FRST.txt
2015-03-28 13:50 - 2015-03-28 13:50 - 02095616 _____ (Farbar) C:\Users\John\Desktop\FRST64.exe
2015-03-28 13:05 - 2015-03-28 13:51 - 00000000 ____D () C:\FRST
2015-03-28 13:00 - 2015-03-28 13:00 - 00000000 ___HD () C:\OneDriveTemp
2015-03-28 12:42 - 2015-03-28 12:42 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2015-03-23 18:36 - 2015-03-28 12:40 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-03-23 17:12 - 2015-03-23 17:18 - 00005338 _____ () C:\Windows\WindowsUpdate.log
2015-03-23 17:12 - 2015-03-23 17:18 - 00000180 _____ () C:\Windows\setupact.log
2015-03-23 17:12 - 2015-03-23 17:12 - 00000000 _____ () C:\Windows\setuperr.log
2015-03-21 13:57 - 2015-03-21 13:57 - 00040487 _____ () C:\ComboFix.txt
2015-03-21 01:21 - 2015-03-21 01:21 - 00046615 _____ () C:\old_ComboFix.txt
2015-03-21 00:58 - 2011-06-26 01:45 - 00256000 _____ () C:\Windows\PEV.exe
2015-03-21 00:58 - 2010-11-07 12:20 - 00208896 _____ () C:\Windows\MBR.exe
2015-03-21 00:58 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-03-21 00:58 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-03-21 00:58 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-03-21 00:58 - 2000-08-30 19:00 - 00098816 _____ () C:\Windows\sed.exe
2015-03-21 00:58 - 2000-08-30 19:00 - 00080412 _____ () C:\Windows\grep.exe
2015-03-21 00:58 - 2000-08-30 19:00 - 00068096 _____ () C:\Windows\zip.exe
2015-03-21 00:46 - 2015-03-23 17:16 - 00004282 _____ () C:\Windows\PFRO.log
2015-03-20 22:15 - 2015-03-20 22:15 - 05325696 _____ (Piriform Ltd) C:\Users\John\Downloads\ccsetup503.exe
2015-03-20 22:15 - 2015-03-20 22:15 - 00000824 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2015-03-20 22:15 - 2015-03-20 22:15 - 00000000 ____D () C:\Program Files\CCleaner
2015-03-20 21:56 - 2015-03-20 21:34 - 05615380 ____R (Swearware) C:\Users\John\Desktop\ComboFix.exe
2015-03-20 21:38 - 2015-03-21 13:57 - 00000000 ____D () C:\Qoobox
2015-03-20 21:37 - 2015-03-21 01:19 - 00000000 ____D () C:\Windows\erdnt
2015-03-20 20:06 - 2015-03-20 20:06 - 00000000 ___RD () C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices
2015-03-17 11:25 - 2015-03-17 11:28 - 00018944 ___SH () C:\Users\John\Thumbs.db
2015-03-17 10:17 - 2015-03-28 13:25 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-17 10:17 - 2015-03-17 10:17 - 00001100 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-03-17 10:17 - 2015-03-17 10:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-03-17 10:17 - 2015-03-17 10:17 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-03-17 10:17 - 2015-03-17 10:17 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-03-17 10:17 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-03-17 10:17 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-03-17 10:17 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-03-11 12:48 - 2015-03-17 10:42 - 00000000 _RSHD () C:\Windows\M-5024050685935868304020
2015-03-08 06:30 - 2015-03-12 10:22 - 00000000 ____H () C:\Users\John\AppData\Roaming\winmgr.txt
2015-03-06 19:19 - 2013-09-23 14:49 - 00197704 _____ () C:\Windows\system32\Drivers\HipShieldK.sys
2015-03-06 12:39 - 2015-03-06 12:39 - 00075704 _____ () C:\Windows\system32\Drivers\6c023a03c663116c.sys
2015-03-05 23:23 - 2015-03-05 23:23 - 00105622 __RSH () C:\Windows\SysWOW64\csrss.exe
2015-03-05 05:51 - 2015-03-10 12:08 - 00000000 ____D () C:\Users\John\AppData\Roaming\fesbo
2015-03-01 18:43 - 2015-03-12 17:32 - 00003672 _____ () C:\Windows\System32\Tasks\vssadmin
2015-03-01 17:19 - 2015-03-01 18:41 - 00003582 _____ () C:\Windows\System32\Tasks\DisplaySwitch
2015-02-28 13:46 - 2015-03-01 17:12 - 00003592 _____ () C:\Windows\System32\Tasks\takeown
2015-02-26 18:06 - 2015-02-26 18:06 - 04320054 _____ () C:\Users\John\Documents\!Decrypt-All-Files-wdhrbwj.bmp
2015-02-26 18:06 - 2015-02-26 18:06 - 00001266 _____ () C:\Users\John\Documents\!Decrypt-All-Files-wdhrbwj.txt
2015-02-26 17:34 - 2015-02-26 18:06 - 01321119 _____ () C:\ProgramData\igxmdzg.html
2015-02-26 01:34 - 2015-02-28 13:40 - 00003580 _____ () C:\Windows\System32\Tasks\regini

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-28 13:31 - 2014-03-19 23:08 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-28 13:10 - 2014-12-14 11:55 - 00004960 _____ () C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for RKWL01-John RKWL01
2015-03-28 13:09 - 2009-07-13 23:45 - 00028352 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-28 13:09 - 2009-07-13 23:45 - 00028352 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-28 13:08 - 2014-03-16 10:51 - 00000000 ____D () C:\Users\John\AppData\Local\CrashDumps
2015-03-28 13:05 - 2009-07-14 00:13 - 00783606 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-28 13:00 - 2014-03-28 17:31 - 00000000 ___RD () C:\Users\John\OneDrive
2015-03-28 12:40 - 2014-03-22 13:05 - 00000000 ____D () C:\Program Files\Dl_cats
2015-03-28 12:40 - 2014-03-19 23:08 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-23 17:31 - 2014-03-19 23:09 - 00002185 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-23 17:24 - 2014-02-20 18:30 - 00000000 ____D () C:\Program Files (x86)\Dell Backup and Recovery
2015-03-23 17:17 - 2014-03-16 10:55 - 00000000 ____D () C:\Users\John\AppData\Local\Apps\2.0
2015-03-23 17:16 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-21 13:56 - 2009-07-13 21:34 - 00000215 _____ () C:\Windows\system.ini
2015-03-21 01:21 - 2009-07-13 22:20 - 00000000 __RHD () C:\Users\Default
2015-03-21 00:46 - 2014-02-20 18:23 - 00000000 ____D () C:\Windows\en
2015-03-21 00:45 - 2014-06-12 20:32 - 00000000 ____D () C:\Windows\pss
2015-03-20 23:31 - 2014-12-14 01:00 - 00000000 ____D () C:\Windows\Minidump
2015-03-20 23:31 - 2011-02-10 09:02 - 00000000 ____D () C:\Windows\panther
2015-03-20 23:26 - 2015-02-20 22:26 - 00000761 _____ () C:\Windows\system32\Drivers\etc\hosts.txt
2015-03-20 23:25 - 2015-02-03 09:40 - 00000000 ____D () C:\ProgramData\HahfOvikx
2015-03-20 20:05 - 2009-07-13 22:20 - 00000000 __RSD () C:\Windows\Media
2015-03-20 20:01 - 2014-03-16 09:34 - 00000000 ____D () C:\Users\John\Documents\Bluetooth Folder
2015-03-18 15:19 - 2014-03-28 17:01 - 00000000 ____D () C:\Program Files\Microsoft Office 15
2015-03-17 11:25 - 2014-03-16 07:26 - 00000000 ____D () C:\Users\John
2015-03-17 11:17 - 2015-02-14 09:41 - 00000000 ___HD () C:\Users\John\AppData\Roaming\C9FCDBAF
2015-03-17 11:17 - 2015-02-03 09:42 - 00000000 ____D () C:\Windows\FrameworkUpdate
2015-03-17 11:17 - 2014-03-16 10:55 - 00000000 ____D () C:\Users\John\AppData\Local\Deployment
2015-03-17 10:43 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\Branding
2015-03-17 10:42 - 2015-01-30 14:13 - 00000000 ____D () C:\Users\John\AppData\Roaming\Eslay
2015-03-17 10:42 - 2014-02-20 19:52 - 00000000 __SHD () C:\Users\John\AppData\Roaming\didrbufs
2015-03-12 11:02 - 2014-12-14 12:02 - 00000364 _____ () C:\Windows\Tasks\SlimCleaner Plus (Scheduled Scan - John).job
2015-03-11 11:06 - 2014-03-16 09:57 - 00000000 ____D () C:\Users\John\AppData\Local\Adobe
2015-03-11 11:06 - 2014-03-16 09:34 - 00000000 ____D () C:\Users\John\AppData\Local\BMExplorer
2015-03-10 11:41 - 2015-02-09 19:44 - 00200521 _____ () C:\dlcc.log
2015-03-09 20:21 - 2014-03-28 17:13 - 00002151 _____ () C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft OneDrive.lnk
2015-03-06 19:19 - 2014-02-20 18:25 - 00000000 ____D () C:\ProgramData\McAfee
2015-03-06 19:17 - 2014-03-27 20:51 - 00000000 ____D () C:\Program Files\Common Files\McAfee
2015-03-06 14:36 - 2015-02-25 16:58 - 00000000 ____D () C:\Users\John\AppData\Local\Macromedia
2015-03-06 14:36 - 2014-03-19 23:08 - 00000000 ____D () C:\Users\John\AppData\Local\Google
2015-03-05 23:20 - 2011-02-10 09:01 - 00000000 ____D () C:\dell
2015-02-26 17:28 - 2014-12-13 14:42 - 00000000 ____D () C:\Program Files (x86)\Dell Digital Delivery
2015-02-26 17:28 - 2014-02-20 18:13 - 00000000 ____D () C:\Program Files (x86)\Dell Wireless
2015-02-26 17:27 - 2014-12-14 12:01 - 00000000 ____D () C:\Program Files\SlimCleaner Plus
2015-02-26 17:24 - 2014-02-20 18:39 - 00000000 ____D () C:\ProgramData\Atheros
2015-02-26 02:20 - 2015-02-11 22:51 - 00000000 ____D () C:\Users\John\AppData\Roaming\Mozilla
2015-02-26 01:37 - 2014-03-27 20:57 - 00000000 ____D () C:\Program Files (x86)\McAfee

==================== Files in the root of some directories =======

2015-02-23 17:02 - 2015-02-23 17:02 - 0000036 _____ () C:\Users\John\AppData\Roaming\focus.log
2015-02-04 09:57 - 2015-02-04 09:57 - 0008632 _____ () C:\Users\John\AppData\Roaming\HELP_DECRYPT.HTML
2015-02-04 09:57 - 2015-02-04 09:57 - 0045888 _____ () C:\Users\John\AppData\Roaming\HELP_DECRYPT.PNG
2015-02-04 09:57 - 2015-02-04 09:57 - 0000300 _____ () C:\Users\John\AppData\Roaming\HELP_DECRYPT.URL
2015-03-08 06:30 - 2015-03-12 10:22 - 0000000 ____H () C:\Users\John\AppData\Roaming\winmgr.txt
2015-02-04 09:56 - 2015-02-04 09:56 - 0008632 _____ () C:\Users\John\AppData\Local\HELP_DECRYPT.HTML
2015-02-04 09:56 - 2015-02-04 09:56 - 0045888 _____ () C:\Users\John\AppData\Local\HELP_DECRYPT.PNG
2015-02-04 09:56 - 2015-02-04 09:56 - 0000300 _____ () C:\Users\John\AppData\Local\HELP_DECRYPT.URL
2014-02-20 18:11 - 2014-02-20 18:11 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-02-04 09:55 - 2015-02-04 09:55 - 0008632 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-02-04 09:55 - 2015-02-04 09:55 - 0045888 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-02-04 09:55 - 2015-02-04 09:55 - 0000300 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-02-26 17:34 - 2015-02-26 18:06 - 1321119 _____ () C:\ProgramData\igxmdzg.html

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys
[2013-07-01 14:16] - [2013-07-01 14:16] - 0296320 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\System32\Drivers\volsnap.sys No Company Name <===== ATTENTION!



testsigning: ==> testsigning is on. Check for possible unsigned rootkit driver <===== ATTENTION!


LastRegBack: 2015-03-20 20:58

==================== End Of Log ============================
 
Attached File  FRST.txt   47.09KB   1 downloads
Attached File  Addition.txt   36.81KB   2 downloads

Edited by nasdaq, 29 March 2015 - 08:55 AM.
FRST log posted.
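For readers triaging a log like the one above, here is an added example (not part of this thread, and not code from FRST or its author) that parses FRST "Created Files and Folders" lines and flags the kinds of entries the helper picks out below: ransom-note files, a hex-named unsigned driver, task files named after shadow-copy and ownership tools, and hidden+system objects under C:\Windows. The indicator rules and the hypothetical `classify`/`triage` helpers are this example's own heuristics, and the sample lines are copied from the posted log.

```python
"""Triage helper for FRST 'Created/Modified Files and Folders' lines.

Added example, not part of the thread or of the FRST tool. The rules are
heuristics drawn from the entries flagged in this thread, not a full
detection engine; the sample log lines are copied from the posted FRST.txt.
"""
import re
from typing import Iterator, List, NamedTuple, Optional, Tuple

# One FRST entry: "<created> - <modified> - <size> <attrs> (<company>) <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>\S.*)$"
)


class Entry(NamedTuple):
    created: str
    modified: str
    size: int
    attrs: str      # FRST attribute column, e.g. "__RSH", "____D"
    company: str    # empty when FRST shows "()"
    path: str


def parse_entries(text: str) -> Iterator[Entry]:
    """Yield parsed file entries; section headers and other lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield Entry(m["created"], m["modified"], int(m["size"]),
                        m["attrs"], m["company"], m["path"])


# Ransom-note names seen in this thread: HELP_DECRYPT.* (CryptoWall style)
# and !Decrypt-All-Files-<id>.* (CTB-Locker style).
RANSOM_NOTE_RE = re.compile(
    r"^(?:HELP_DECRYPT\.(?:HTML|PNG|URL|TXT)|!Decrypt-All-Files-.*)$", re.I)
# Task files named after built-in tools used to delete shadow copies or take
# ownership of files; these three names appear in the posted log (assumption:
# a legitimate task is rarely named exactly like the tool it runs).
SUSPECT_TASK_NAMES = {"vssadmin", "takeown", "regini"}
# Driver with a 16-hex-character name and no company string.
HEX_DRIVER_RE = re.compile(r"^[0-9a-f]{16}\.sys$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def classify(e: Entry) -> Optional[str]:
    """Return a reason string if the entry trips an indicator rule, else None."""
    name = basename(e.path)
    lower = e.path.lower()
    if RANSOM_NOTE_RE.match(name):
        return "ransom note"
    if "\\windows\\system32\\tasks\\" in lower and name.lower() in SUSPECT_TASK_NAMES:
        return "scheduled task named after a shadow-copy/permission tool"
    if (lower.endswith(".sys") and "\\drivers\\" in lower
            and HEX_DRIVER_RE.match(name) and not e.company):
        return "unsigned hex-named driver"
    # System+Hidden attributes on an object directly under the Windows tree
    # (e.g. a csrss.exe in SysWOW64, or a random "M-<digits>" folder).
    if "S" in e.attrs and "H" in e.attrs and lower.startswith("c:\\windows\\"):
        return "hidden+system object under C:\\Windows"
    return None


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (path, reason) for every entry that trips a rule, in log order."""
    hits = []
    for e in parse_entries(text):
        reason = classify(e)
        if reason:
            hits.append((e.path, reason))
    return hits


# Constructed sample: lines copied from the FRST log posted in this thread.
SAMPLE_LOG = """\
2015-03-28 13:50 - 2015-03-28 13:51 - 00036275 _____ () C:\\Users\\John\\Desktop\\FRST.txt
2015-03-11 12:48 - 2015-03-17 10:42 - 00000000 _RSHD () C:\\Windows\\M-5024050685935868304020
2015-03-06 12:39 - 2015-03-06 12:39 - 00075704 _____ () C:\\Windows\\system32\\Drivers\\6c023a03c663116c.sys
2015-03-05 23:23 - 2015-03-05 23:23 - 00105622 __RSH () C:\\Windows\\SysWOW64\\csrss.exe
2015-03-01 18:43 - 2015-03-12 17:32 - 00003672 _____ () C:\\Windows\\System32\\Tasks\\vssadmin
2015-02-28 13:46 - 2015-03-01 17:12 - 00003592 _____ () C:\\Windows\\System32\\Tasks\\takeown
2015-02-26 18:06 - 2015-02-26 18:06 - 04320054 _____ () C:\\Users\\John\\Documents\\!Decrypt-All-Files-wdhrbwj.bmp
2015-02-04 09:57 - 2015-02-04 09:57 - 0008632 _____ () C:\\Users\\John\\AppData\\Roaming\\HELP_DECRYPT.HTML
2015-03-17 10:17 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\\Windows\\system32\\Drivers\\mbam.sys
"""

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason:55s} {path}")
```

Entries that pass every rule (FRST.txt, the Malwarebytes driver) are simply not reported; a hit is a prompt to look closer, not proof of infection.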



#2 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 29 March 2015 - 09:24 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This is the infection we are dealing with.
http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information
There is nothing we can do to restore the damaged files.

We can however clean the bad files and restrictions placed on your computer.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CloseProcesses:

HKLM Group Policy restriction on software: C:\Program Files\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
Winlogon\Notify\klojket-x32: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\klojket.dll ()
Winlogon\Notify\ojketkl-x32: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ojketkl.dll ()
Winlogon\Notify\pgkunge-x32: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\pgkunge.dll ()
HKU\S-1-5-21-386175665-270596159-318734568-1000\...\Run: [HahfOvikx] => regsvr32.exe "C:\ProgramData\HahfOvikx\LaxhIbupi.pik"
HKU\S-1-5-18\...\Run: [klojket] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\klojket.dll",klojket <===== ATTENTION
HKU\S-1-5-18\...\Run: [ojketkl] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\ojketkl.dll",ojketkl <===== ATTENTION
HKU\S-1-5-18\...\Run: [pgkunge] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\pgkunge.dll",pgkunge <===== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-386175665-270596159-318734568-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-386175665-270596159-318734568-1000 -> DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
Locked "6c023a03c663116c" service could not be unlocked. <===== ATTENTION
U5 6c023a03c663116c; C:\Windows\System32\Drivers\6c023a03c663116c.sys [75704 2015-03-06] () <===== ATTENTION Necurs Rootkit?
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
C:\Windows\System32\Drivers\6c023a03c663116c.sys
C:\Users\John\Documents\!Decrypt-All-Files-wdhrbwj.bmp
C:\Users\John\Documents\!Decrypt-All-Files-wdhrbwj.txt
C:\ProgramData\igxmdzg.html
Task: {7CD39EA9-41AF-4D4E-9443-597FDE227997} - \avayvaxvaa No Task File <==== ATTENTION
C:\Users\John\AppData\Roaming\HELP_DECRYPT.HTML
C:\Users\John\AppData\Roaming\HELP_DECRYPT.PNG
C:\Users\John\AppData\Roaming\HELP_DECRYPT.URL
C:\Users\John\AppData\Local\HELP_DECRYPT.HTML
C:\Users\John\AppData\Local\HELP_DECRYPT.PNG
C:\Users\John\AppData\Local\HELP_DECRYPT.URL
C:\ProgramData\HELP_DECRYPT.HTML
C:\ProgramData\HELP_DECRYPT.PNG
C:\ProgramData\HELP_DECRYPT.URL
C:\ProgramData\igxmdzg.html

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download and run the Win32/Necurs cleaner?
http://kb.eset.com/esetkb/index?page=content&id=SOLN3137
Restart the computer normally when done.
<<<>>>

How is the computer running now?

#3 gregbsens (Topic Starter)

Posted 29 March 2015 - 08:38 PM

Thank you so much for your help and the link about the infection.  The link provided information about a tool on shadow copy.  The tool listed some ooooold shadow copies the virus didn't get to!   :)  I think once this whole thing is resolved all I have to do is remove the new extensions created from the virus and restore those versions from shadow copy.  That's half comment, half question; I've never been in this position before, so if you have any input I would appreciate it.  
 
I've allowed the system to run for a little while now.  It seems to be ok, I don't have a lot of reference.  It's certainly running better than before but I don't know what exactly it ran like before the virus.  IE will slow down a little from time to time but to be honest that may be expected.   However, there is a coding error during page opens here and there.  It's probably time for a re-install.
 
McAfee is as broken as ever, but it's now able to open a security report, says 1700 Trojans.  I was able to run a scan in safe mode early on before it stopped working so maybe that's when it came up with that count.  It was not able to open the security report  before today so that is also promising.  It still can not enable real time scanning, nor can it scan the pc.  Time for a re-install, what a joke.
 
Overall I'm positive of the results.  Is there another scan I can run to see if there is anything else lurking after the fix I ran for you?
 
Here is the log from running the FRST fix.
 
ESET Necurs said there was no infection.
 
Attached File  Fixlog.txt   5.97KB   1 downloads

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by John at 2015-03-29 18:46:48 Run:1
Running from C:\Users\John\Desktop
Loaded Profiles: John (Available profiles: John)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start

CloseProcesses:

HKLM Group Policy restriction on software: C:\Program Files\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
Winlogon\Notify\klojket-x32: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\klojket.dll ()
Winlogon\Notify\ojketkl-x32: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ojketkl.dll ()
Winlogon\Notify\pgkunge-x32: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\pgkunge.dll ()
HKU\S-1-5-21-386175665-270596159-318734568-1000\...\Run: [HahfOvikx] => regsvr32.exe "C:\ProgramData\HahfOvikx\LaxhIbupi.pik"
HKU\S-1-5-18\...\Run: [klojket] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\klojket.dll",klojket <===== ATTENTION
HKU\S-1-5-18\...\Run: [ojketkl] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\ojketkl.dll",ojketkl <===== ATTENTION
HKU\S-1-5-18\...\Run: [pgkunge] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\pgkunge.dll",pgkunge <===== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-386175665-270596159-318734568-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-386175665-270596159-318734568-1000 -> DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
Locked "6c023a03c663116c" service could not be unlocked. <===== ATTENTION
U5 6c023a03c663116c; C:\Windows\System32\Drivers\6c023a03c663116c.sys [75704 2015-03-06] () <===== ATTENTION Necurs Rootkit?
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
C:\Windows\System32\Drivers\6c023a03c663116c.sys
C:\Users\John\Documents\!Decrypt-All-Files-wdhrbwj.bmp
C:\Users\John\Documents\!Decrypt-All-Files-wdhrbwj.txt
C:\ProgramData\igxmdzg.html
Task: {7CD39EA9-41AF-4D4E-9443-597FDE227997} - \avayvaxvaa No Task File <==== ATTENTION
C:\Users\John\AppData\Roaming\HELP_DECRYPT.HTML
C:\Users\John\AppData\Roaming\HELP_DECRYPT.PNG
C:\Users\John\AppData\Roaming\HELP_DECRYPT.URL
C:\Users\John\AppData\Local\HELP_DECRYPT.HTML
C:\Users\John\AppData\Local\HELP_DECRYPT.PNG
C:\Users\John\AppData\Local\HELP_DECRYPT.URL
C:\ProgramData\HELP_DECRYPT.HTML
C:\ProgramData\HELP_DECRYPT.PNG
C:\ProgramData\HELP_DECRYPT.URL
C:\ProgramData\igxmdzg.html

End
*****************

Processes closed successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klojket" => Key deleted successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ojketkl" => Key deleted successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pgkunge" => Key deleted successfully.
HKU\S-1-5-21-386175665-270596159-318734568-1000\Software\Microsoft\Windows\CurrentVersion\Run\\HahfOvikx => value deleted successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\klojket => value deleted successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ojketkl => value deleted successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\pgkunge => value deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-386175665-270596159-318734568-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\S-1-5-21-386175665-270596159-318734568-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
Locked "6c023a03c663116c" service could not be unlocked. <===== ATTENTION => Error: No automatic fix found for this entry.
6c023a03c663116c => Error deleting Service
catchme => Service deleted successfully.
Could not move "C:\Windows\System32\Drivers\6c023a03c663116c.sys" => Scheduled to move on reboot.
C:\Users\John\Documents\!Decrypt-All-Files-wdhrbwj.bmp => Moved successfully.
C:\Users\John\Documents\!Decrypt-All-Files-wdhrbwj.txt => Moved successfully.
C:\ProgramData\igxmdzg.html => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7CD39EA9-41AF-4D4E-9443-597FDE227997}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7CD39EA9-41AF-4D4E-9443-597FDE227997}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\avayvaxvaa" => Key deleted successfully.
C:\Users\John\AppData\Roaming\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\John\AppData\Roaming\HELP_DECRYPT.PNG => Moved successfully.
C:\Users\John\AppData\Roaming\HELP_DECRYPT.URL => Moved successfully.
C:\Users\John\AppData\Local\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\John\AppData\Local\HELP_DECRYPT.PNG => Moved successfully.
C:\Users\John\AppData\Local\HELP_DECRYPT.URL => Moved successfully.
C:\ProgramData\HELP_DECRYPT.HTML => Moved successfully.
C:\ProgramData\HELP_DECRYPT.PNG => Moved successfully.
C:\ProgramData\HELP_DECRYPT.URL => Moved successfully.
"C:\ProgramData\igxmdzg.html" => File/Directory not found.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-03-29 18:48:47)<=

"C:\Windows\System32\Drivers\6c023a03c663116c.sys" => File could not move.

==== End of Fixlog 18:48:47 ====

Edited by nasdaq, 30 March 2015 - 08:50 AM.


#4 gregbsens (Topic Starter)

Posted 30 March 2015 - 08:33 AM

Oh boy, was I dumb to leave the computer running overnight?

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 3/30/2015
Scan Time: 8:04:34 AM
Logfile: 
Administrator: Yes
 
Version: 2.00.4.1028
Malware Database: v2015.03.30.05
Rootkit Database: v2015.03.26.01
License: Trial
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: John
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 357954
Time Elapsed: 22 min, 29 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 1
Trojan.Agent.ED, HKU\S-1-5-21-386175665-270596159-318734568-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|HahfOvikx, regsvr32.exe "C:\ProgramData\HahfOvikx\LaxhIbupi.pik", Quarantined, [109d4a012f5bf145164ff048b0523bc5]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 1
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}, Delete-on-Reboot, [703d9bb0ed9d6fc78586d6d66b985ba5], 
 
Files: 2
Trojan.Agent.ED, C:\ProgramData\HahfOvikx\LaxhIbupi.pik, Quarantined, [109d4a012f5bf145164ff048b0523bc5], 
Trojan.Agent.FPED, C:\Windows\Installer\{08258A3E-0883-4694-9120-365410BB83F0}\setup.exe, Quarantined, [5459212a800aae88c05177754db83bc5], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#5 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 30 March 2015 - 09:16 AM


I just saw your last post.
This refers to your previous post.

===

What is the extension given to the damaged files?

===


Do not do any restore until all is well.

You can restore your files from backup.
http://windows.microsoft.com/en-ca/windows7/recover-lost-or-deleted-files

===


 

> IE will slow down a little from time to time but to be honest that may be expected. However with a coding error during page opens here and there


Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

The coding error can be stopped in your IE settings.

Open IE > TOOLS > Internet Options
Click the Advanced tab
Under the Browsing section.

Remove the check mark under "Display a notification about every script error"

Click the Apply button.

===
 

> McAfee is as broken as ever,


Yes you may have to re-install if all fails.
===

This is resisting the removal.
U5 6c023a03c663116c; C:\Windows\System32\Drivers\6c023a03c663116c.sys [75704 2015-03-06] () <===== ATTENTION Necurs Rootkit?

Download and run this Malwarebytes Anti-Rootkit
https://www.malwarebytes.org/antirootkit/
Post the log for my review.

Run the Farbar tool and post a fresh FRST log for my review.

Edited by nasdaq, 30 March 2015 - 09:19 AM.
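The driver entry flagged above is the kind of line a helper eyeballs for an empty company field and a random hex name. The script below is an added example, not part of this thread or of FRST: it assumes the line layout seen in the single entry quoted here and applies those two heuristics to a constructed sample log.

```python
import re

# Line layout assumed from the one FRST driver entry quoted in this thread:
#   "<status> <name>; <path> [<size> <date>] (<company>) <optional marker>"
FRST_DRIVER_RE = re.compile(
    r"^(?P<status>[A-Z]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<company>[^)]*)\)"
)

def parse_driver_line(line):
    """Return a dict of fields for a line in the assumed layout, else None."""
    m = FRST_DRIVER_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["size"] = int(fields["size"])
    return fields

def suspicious_reasons(drv):
    """Heuristics behind the 'ATTENTION' call above: empty company, hex-only names."""
    reasons = []
    if drv["company"].strip() == "":
        reasons.append("no company string")
    if re.fullmatch(r"[0-9a-f]{12,}", drv["name"].lower()):
        reasons.append("random-looking hex service name")
    file_name = drv["path"].rsplit("\\", 1)[-1].lower()
    if re.fullmatch(r"[0-9a-f]{12,}\.sys", file_name):
        reasons.append("random-looking hex file name")
    return reasons

def flag_suspicious(log_text):
    """Map driver name -> reasons for every parsed line that trips a heuristic."""
    flagged = {}
    for line in log_text.splitlines():
        drv = parse_driver_line(line)
        if drv and (reasons := suspicious_reasons(drv)):
            flagged[drv["name"]] = reasons
    return flagged

# Constructed sample: the line from the thread plus two made-up entries.
SAMPLE_LOG = r"""
U5 6c023a03c663116c; C:\Windows\System32\Drivers\6c023a03c663116c.sys [75704 2015-03-06] () <===== ATTENTION Necurs Rootkit?
R3 ExampleNic; C:\Windows\System32\Drivers\examplenic.sys [102400 2014-11-02] (Example Vendor Inc.)
S3 mytool; C:\Windows\System32\Drivers\mytool.sys [4096 2014-05-01] ()
"""

if __name__ == "__main__":
    for name, why in flag_suspicious(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(why)}")
```

A hit is a prompt to check the file's signature and origin, not a verdict; legitimate drivers from small vendors can also ship with an empty company field.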


#6 gregbsens

  • Topic Starter
  • Members
  • 20 posts
  • Local time:08:49 PM

Posted 30 March 2015 - 10:06 PM

Interesting that one of the rootkits had the name "Netcurs" in it. I ran the ESET tool again just to be sure, same result: nothing.

Attached File: FRST.txt (33.05KB, 1 downloads)



#7 gregbsens

  • Topic Starter
  • Members
  • 20 posts
  • Local time:08:49 PM

Posted 30 March 2015 - 10:11 PM

Oh here are the results from the malwarebytes rootkit.

Attached File: mbar-log-2015-03-30 (21-12-16).txt (3.24KB, 2 downloads)

Attached File: system-log.txt (50.57KB, 1 downloads)



#8 nasdaq

  • Malware Response Team
  • 40,171 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:49 PM

Posted 31 March 2015 - 08:41 AM

Your last FRST log is clean.
Malwarebytes removed the last bad driver.

How is the computer running now?

#9 gregbsens

  • Topic Starter
  • Members
  • 20 posts
  • Local time:08:49 PM

Posted 31 March 2015 - 07:32 PM

Man that's great to hear!  I'm so grateful for your help.  :)

I'll let the system run for a while and see what happens.



#10 nasdaq

  • Malware Response Team
  • 40,171 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:49 PM

Posted 01 April 2015 - 07:37 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#11 nasdaq

  • Malware Response Team
  • 40,171 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:49 PM

Posted 06 April 2015 - 07:44 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



