FBI Ransom virus [Solved]



#1
gbtx01

Well, I have managed to get a virus on my computer; it is a variant of the FBI Moneypak Ransom virus. When I turn the computer on it gives me the FBI page and won't let me go anywhere else or close the page. If I unplug the internet cable it just gives me a wait 30 seconds screen.

I am unable to reboot the computer in safe mode. It starts to reboot and then my monitor goes blank and displays "Information Out of Range 63.9kHz/59Hz"

This computer has a lot of family photos I would like to recover.

I am currently using my laptop to view this website because I can't use the infected computer at all. Any help would be greatly appreciated. Thanks
  • 0


#2
CompCav

Hi, gbtx01! :welcome: My nickname is CompCav and I will be assisting you with your Malware/Security problems. Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any questions or you are unsure about anything, just ask and I will help you out. :)

If you have resolved the issues you were originally experiencing, or have received help elsewhere, please let me know so that this topic can be closed.


Please make sure you are saving and printing the instructions out prior to each fix, this way you will have them on hand just in case you are unable to access this site. One of the steps I will be asking you to do requires you to boot into Safe Mode and this process will be much easier for you to perform if the instructions are printed out for you to follow.

If you are ready to get started, please review and follow these guidelines so that we resolve your issues in a timely and effective manner:
  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post.
  • Please make sure to carefully read any instructions that I give you. Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. These instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. However, the one thing that you should always do, is to make sure your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Just do a Copy/Paste of the entire contents of the log file inside your post and submit.
  • You must reply within four days; failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic. PM me only if I have not responded to your last post in 2 days.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to ultimately reformat your hard drive and reinstall the operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Please have the software and storage media for backing up your data available.



What operating system is on the infected machine (XP, Vista, 7)?

If it is Vista or 7 what bit (32 or 64)?

Can you make CDs/DVDs with the laptop for use on the infected machine?

Do you have a USB flash drive of several megabytes or more?



Regards,

CompCav
  • 0

#3
gbtx01

Operating System is Windows XP

I can't make CDs on this laptop but I can go down the road to a computer that can make CDs if needed

Yes I have a thumb drive with needed memory
  • 0

#4
CompCav

IMPORTANT:
You will need a flash drive with a size of 512 Mb or bigger. Make sure that you do not leave anything important on the flash drive, as all data on it will be deleted during the following steps.

    • Download OTLPEStd.exe from the following link and save it to your Desktop: mirror1.
    • Download eeepcfr.zip from the following link and save it to your Desktop: the mirror
    • Finally, if you do not have a file archiver like 7-zip or Winrar installed, please download 7-zip from the following link and install it: the mirror
  • Once you have 7-zip installed, decompress OTLPEStd.exe by right-clicking on the folder and choosing the options shown in the picture below. Please use a dedicated folder, for example OTLPE, on your Desktop.

    Posted Image

  • Open the folder OTLPEStd which will be created in the same location as OTLPEStd.exe and right-click OTLPE_New_Std.iso. Select 7-Zip and from the submenu select Extract files... and extract the content onto your Desktop in an OTLPE folder:

    Posted Image

  • Please also decompress eeepcfr to your systemroot (usually C:\).
  • Empty the flash drive you want to install OTLPE on.
  • Go to C:\eeepcfr and double-click usb_prep8.cmd to launch it.
  • Press any key when asked to in the black window that opens.
  • As indicated in the image, make sure you have selected the correct flash drive, before proceeding.
    For Drive Label: type in OTLPE.
    Under Source Path to built BartPE/WinPE Files click ... and select the folder OTLPE that you created on your Desktop.
    Finally check Enable File Copy.

    Posted Image


  • Click on Start, accept the disclaimers and wait for the program to finish.
Your bootable flash drive should now be ready to boot your computer but we need one more piece to get the information we need:

Download Farbar Recovery Scan Tool and save it to the flash drive also.

  • Reboot your system using the USB boot drive you just created. (Usually BIOS screen says what Fn key to push to get the boot menu)
  • As the program needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
  • Your system should now display a Reatogo desktop
    Note : as you are running from CD it is not exactly speedy
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
    Posted Image
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

  • 0

#5
gbtx01

Step #1 is complete.

Step #2: when I right click on OTLPEStd file I do not have "zip-7" as a choice.

Choices are Open, Run as administrator, troubleshoot compatibility, etc.

What do I do?

As you can probably tell my computer knowledge is at the low end of the computer retard scale.
  • 0

#6
CompCav

Finally, if you do not have a file archiver like 7-zip or Winrar installed, please download 7-zip from the following link and install it: the mirror


Just click on the link (the mirror) and download the 7-zip installer to your desktop.

Run the installer to install 7-Zip.

Once it is installed you will have the option for 7-Zip as shown in the picture above :thumbsup:

Regards,

CompCav
  • 0

#7
gbtx01

Same problem. I have installed the 7-zip and can open it via the windows Icon in the bottom left corner of screen.

The OTLPEStd icon does have some little blue/yellow shield icon resting over the desktop icon. I don't know what that means though. thanks.
  • 0

#8
CompCav

What is the operating system of the laptop you are installing it on?

Did you reboot after installing to see if 7-zip has been added to your right click menu?

Regards,

CompCav
  • 0

#9
gbtx01

I can't get it to open properly on the laptop so I will need to go burn a CD at another computer. Can you please post the proper instructions for that? Thank you
GBTX01
  • 0

#10
CompCav

Certainly :thumbsup:


We will need to create a CD and additionally use a USB drive.

Please print these instructions out so that you know what you are doing.

  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your infected system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
  • Your system should now display a Reatogo desktop
    Note : as you are running from CD it is not exactly speedy
  • Insert the USB with FRST
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
    Posted Image
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

  • 0


#11
gbtx01

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 19-09-2012
Ran by SYSTEM at 19-09-2012 15:27:45
Running from I:\
Microsoft Windows XP (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [13680640 2009-01-16] (NVIDIA Corporation)
HKLM\...\Run: [nwiz] nwiz.exe /install [x]
HKLM\...\Run: [RTHDCPL] RTHDCPL.EXE [x]
HKLM\...\Run: [Alcmtr] ALCMTR.EXE [x]
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit [86016 2009-01-16] (NVIDIA Corporation)
HKLM\...\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe [2042208 2011-10-17] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2007-03-11] (Hewlett-Packard Co.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [413696 2009-05-26] (Apple Inc.)
HKLM\...\Run: [VERIZONDM] "C:\Program Files\VERIZONDM\bin\sprtcmd.exe" /P VERIZONDM [206120 2010-07-20] (SupportSoft, Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-10-03] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [40uIGqLFae94KbA] C:\Documents and Settings\User\Application Data\JfCqQ5JC.exe [250727 2012-09-17] ()
HKU\User\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
HKU\User\...\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [1695232 2008-04-14] (Microsoft Corporation)
HKU\User\...\Run: [4249330759] C:\Documents and Settings\User\Local Settings\Application Data\xry.exe [1679360 2011-06-21] (Microsoft Corporation)
HKU\User\...\Run: [40uIGqLFae94KbA] C:\Documents and Settings\User\Application Data\JfCqQ5JC.exe [250727 2012-09-17] ()
HKU\User\...\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10l_Plugin.exe -update plugin [233936 2010-11-11] (Adobe Systems, Inc.)
HKU\User\...\Policies\system: [DisableTaskMgr] 1
HKU\User\...\Policies\system: [DisableRegistryTools] 1
HKU\User\...\Policies\Explorer: [NoDesktop] 1
HKU\User\...\Winlogon: [Shell] C:\Documents and Settings\User\Application Data\JfCqQ5JC.exe [250727 2012-09-17] ()
HKLM\...\Winlogon: [Shell] C:\Documents and Settings\User\Application Data\JfCqQ5JC.exe [x ] ()
Winlogon\Notify\avgrsstarter: avgrsstx.dll (AVG Technologies CZ, s.r.o.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 Apple Mobile Device; "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" [144712 2009-07-09] (Apple Inc.)
2 avg8emc; C:\PROGRA~1\AVG\AVG8\avgemc.exe [908056 2009-08-14] (AVG Technologies CZ, s.r.o.)
2 avg8wd; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [297752 2010-07-13] (AVG Technologies CZ, s.r.o.)
2 Eventlog; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation)
2 IHA_MessageCenter; "C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe" [352248 2012-08-03] (Verizon)
2 McrdSvc; C:\WINDOWS\ehome\mcrdsvc.exe [99328 2005-08-05] (Microsoft Corporation)
2 sprtsvc_verizondm; C:\Program Files\VERIZONDM\bin\sprtsvc.exe /service /p verizondm [206120 2010-07-20] (SupportSoft, Inc.)
2 tgsrvc_verizondm; C:\Program Files\VERIZONDM\bin\tgsrvc.exe /p verizondm [185640 2010-07-20] (SupportSoft, Inc.)
3 clr_optimization_v2.0.50727_32; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [x]
3 FontCache3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [x]
4 HidServ; C:\Windows\System32\hidserv.dll [x]
3 idsvc; "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" [x]
2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]
4 NetTcpPortSharing; "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" [x]

==================== Drivers (Whitelisted) ====================

3 ADM8511; C:\Windows\System32\DRIVERS\ADM8511.SYS [20160 2001-08-17] (ADMtek Incorporated)
1 AmdPPM; C:\Windows\System32\DRIVERS\AmdPPM.sys [33792 2007-04-16] (Advanced Micro Devices)
1 AvgLdx86; C:\Windows\System32\Drivers\avgldx86.sys [335240 2009-08-14] (AVG Technologies CZ, s.r.o.)
1 AvgMfx86; C:\Windows\System32\Drivers\avgmfx86.sys [27784 2009-08-14] (AVG Technologies CZ, s.r.o.)
1 AvgTdiX; C:\Windows\System32\Drivers\avgtdix.sys [108552 2009-08-14] (AVG Technologies CZ, s.r.o.)
3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows ® Server 2003 DDK provider)
3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49920 2009-08-26] (HP)
3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2009-08-26] (HP)
3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2009-08-26] (HP)
3 NVENETFD; C:\Windows\System32\DRIVERS\NVENETFD.sys [54784 2008-08-01] (NVIDIA Corporation)
0 nvgts; C:\Windows\System32\DRIVERS\nvgts.sys [145952 2008-11-12] (NVIDIA Corporation)
3 nvnetbus; C:\Windows\System32\DRIVERS\nvnetbus.sys [22016 2008-08-01] (NVIDIA Corporation)
0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [20576 2005-05-12] (Sonic Solutions)
4 Abiosdsk; [x]
4 abp480n5; [x]
4 adpu160m; [x]
4 Aha154x; [x]
4 aic78u2; [x]
4 aic78xx; [x]
4 AliIde; [x]
4 amsint; [x]
4 asc; [x]
4 asc3350p; [x]
4 asc3550; [x]
4 Atdisk; [x]
4 cd20xrnt; [x]
1 Changer; [x]
4 CmdIde; [x]
4 Cpqarray; [x]
4 dac2w2k; [x]
4 dac960nt; [x]
4 dpti2o; [x]
4 hpn; [x]
1 i2omgmt; [x]
4 i2omp; [x]
4 ini910u; [x]
4 IntelIde; [x]
1 lbrtfdc; [x]
4 mraid35x; [x]
1 PCIDump; [x]
3 PDCOMP; [x]
3 PDFRAME; [x]
3 PDRELI; [x]
3 PDRFRAME; [x]
4 perc2; [x]
4 perc2hib; [x]
4 ql1080; [x]
4 Ql10wnt; [x]
4 ql12160; [x]
4 ql1240; [x]
4 ql1280; [x]
4 Simbad; [x]
4 Sparrow; [x]
4 symc810; [x]
4 symc8xx; [x]
4 sym_hi; [x]
4 sym_u3; [x]
4 TosIde; [x]
4 ultra; [x]
4 ViaIde; [x]
3 WDICA; [x]

==================== NetSvcs (Whitelisted) ===================

NETSVC: MHN -> C:\Windows\System32\mhn.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

2012-09-19 15:27 - 2012-09-19 15:27 - 00000000 ____D C:\FRST
2012-09-17 11:25 - 2012-09-17 11:25 - 00000000 ____D C:\Windows\CSC
2012-09-17 10:49 - 2012-09-17 10:49 - 00250727 ____A C:\Documents and Settings\User\ms.exe
2012-09-17 10:49 - 2012-09-17 10:49 - 00250727 ____A C:\Documents and Settings\User\Application Data\JfCqQ5JC.exe
2012-09-04 16:02 - 2012-09-04 16:02 - 00000000 ____D C:\Documents and Settings\User\Local Settings\Application Data\PCHealth

==================== 3 Months Modified Files ==================

2012-09-17 15:19 - 2009-08-14 16:51 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2012-09-17 11:41 - 2009-09-30 01:06 - 00000159 ____A C:\Windows\wiadebug.log
2012-09-17 11:41 - 2009-09-30 01:06 - 00000049 ____A C:\Windows\wiaservc.log
2012-09-17 11:41 - 2009-08-14 17:16 - 00000062 __ASH C:\Documents and Settings\User\Local Settings\desktop.ini
2012-09-17 11:41 - 2009-08-14 17:00 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2012-09-17 11:41 - 2009-08-14 17:00 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-17 11:34 - 2009-08-14 16:47 - 01880062 ____A C:\Windows\WindowsUpdate.log
2012-09-17 10:58 - 2006-03-15 08:00 - 00013646 ____A C:\Windows\System32\wpa.dbl
2012-09-17 10:49 - 2012-09-17 10:49 - 00250727 ____A C:\Documents and Settings\User\ms.exe
2012-09-17 10:49 - 2012-09-17 10:49 - 00250727 ____A C:\Documents and Settings\User\Application Data\JfCqQ5JC.exe
2012-09-17 10:40 - 2011-06-21 11:08 - 00017550 __ASH C:\Documents and Settings\User\Local Settings\Application Data\44ac61mpu26vuwj12330qu71824
2012-09-17 10:40 - 2011-06-21 11:08 - 00017550 __ASH C:\Documents and Settings\All Users\Application Data\44ac61mpu26vuwj12330qu71824
2012-08-18 00:01 - 2010-08-15 22:39 - 00065626 ____A C:\Windows\Rp_SPA.log
2012-07-19 03:42 - 2009-08-14 17:21 - 00199557 ____A C:\Windows\System32\nvapps.xml
2012-07-19 03:41 - 2009-08-14 17:00 - 00019750 ____A C:\Windows\SchedLgU.Txt
2012-06-29 13:50 - 2012-06-29 13:50 - 00023304 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2012-06-28 13:47 - 2012-06-28 13:47 - 00036750 ____A C:\Windows\System32\install.log
2012-06-28 13:47 - 2012-06-28 13:47 - 00000260 ____A C:\Windows\System32\cmdVBS.vbs
2012-06-28 13:47 - 2012-06-28 13:47 - 00000256 ____A C:\Windows\System32\MSIevent.bat

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points (XP) =====================


==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 1982.48 MB
Available physical RAM: 1729.23 MB
Total Pagefile: 1813.52 MB
Available Pagefile: 1753.03 MB
Total Virtual: 2047.88 MB
Available Virtual: 2001.54 MB

==================== Partitions =============================

1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
2 Drive c: () (Fixed) (Total:232.88 GB) (Free:210.09 GB) NTFS ==>[Drive with boot components (Windows XP)]
8 Drive i: () (Removable) (Total:15.3 GB) (Free:15.3 GB) FAT32
9 Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 5 Online 233 GB 0 B

Partitions of Disk 5:
===============

The disk management services could not complete the operation.

=========================================================
==================== End Of Log ============================
  • 0
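
An added example, not part of the original thread and not FRST's own logic: a short Python triage of the Registry section of the log above. The three heuristics are assumptions of this example (a Winlogon Shell value that is not explorer.exe, an autostart executable sitting directly in a user-profile Application Data folder, and policy values that disable Task Manager, the registry editor or the desktop); the function and label names are made up for the example.

```python
import re
from collections import defaultdict
from typing import NamedTuple

# Lines copied from the Registry section of the FRST log posted above.
SAMPLE_LOG = r"""
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [13680640 2009-01-16] (NVIDIA Corporation)
HKLM\...\Run: [nwiz] nwiz.exe /install [x]
HKLM\...\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe [2042208 2011-10-17] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [40uIGqLFae94KbA] C:\Documents and Settings\User\Application Data\JfCqQ5JC.exe [250727 2012-09-17] ()
HKU\User\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
HKU\User\...\Run: [4249330759] C:\Documents and Settings\User\Local Settings\Application Data\xry.exe [1679360 2011-06-21] (Microsoft Corporation)
HKU\User\...\Run: [40uIGqLFae94KbA] C:\Documents and Settings\User\Application Data\JfCqQ5JC.exe [250727 2012-09-17] ()
HKU\User\...\Policies\system: [DisableTaskMgr] 1
HKU\User\...\Policies\system: [DisableRegistryTools] 1
HKU\User\...\Policies\Explorer: [NoDesktop] 1
HKU\User\...\Winlogon: [Shell] C:\Documents and Settings\User\Application Data\JfCqQ5JC.exe [250727 2012-09-17] ()
HKLM\...\Winlogon: [Shell] C:\Documents and Settings\User\Application Data\JfCqQ5JC.exe [x ] ()
Winlogon\Notify\avgrsstarter: avgrsstx.dll (AVG Technologies CZ, s.r.o.)
"""

# "<hive>\...\<key>: [<value name>] <data>"
ENTRY = re.compile(
    r"^(?P<hive>HK[^.]*?)\\\.\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<rest>.*)$"
)
# "<command> [<size date> or x] (<publisher>)"; both trailers are optional
TAIL = re.compile(r"^(?P<cmd>.*?)(?: \[(?P<meta>[^\]]*)\])?(?: \((?P<pub>[^)]*)\))?$")
# An .exe placed directly in (Local Settings\)Application Data of an XP profile
PROFILE_EXE = re.compile(
    r"[a-z]:\\documents and settings\\[^\\]+\\(?:local settings\\)?"
    r"application data\\[^\\]+?\.exe",
    re.IGNORECASE,
)
LOCKOUT_VALUES = {"disabletaskmgr", "disableregistrytools", "nodesktop"}


class Finding(NamedTuple):
    location: str   # hive and key, e.g. "HKLM Run"
    name: str       # registry value name
    data: str       # command line or policy value
    reasons: tuple  # heuristic labels that fired


def triage(log_text):
    """Return a Finding for every registry line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # other layouts (Winlogon\Notify, Startup) are not parsed
        tail = TAIL.match(entry["rest"])
        cmd, meta, pub = tail["cmd"], tail["meta"], tail["pub"]
        top_key = entry["key"].lower().split("\\")[0]
        value = entry["name"].lower()
        reasons = []
        if top_key == "policies":
            if value in LOCKOUT_VALUES and cmd.strip() == "1":
                reasons.append("lockout-policy")
        else:
            is_explorer = cmd.lower().strip('"').endswith("explorer.exe")
            if top_key == "winlogon" and value == "shell" and not is_explorer:
                reasons.append("shell-replaced")
            if PROFILE_EXE.search(cmd):
                reasons.append("runs-from-profile")
            # "[x]" means FRST could not read the file, so an empty
            # publisher is only counted when the file was present.
            missing = meta is not None and meta.strip() == "x"
            if pub == "" and not missing:
                reasons.append("no-publisher")
        if reasons:
            location = f"{entry['hive']} {entry['key']}"
            findings.append(Finding(location, entry["name"], cmd, tuple(reasons)))
    return findings


def suspect_files(findings):
    """Map each profile-resident executable to the keys that launch it."""
    files = defaultdict(list)
    for f in findings:
        hit = PROFILE_EXE.search(f.data)
        if hit:
            files[hit.group(0)].append(f.location)
    return dict(files)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.location:26} {f.name:22} {', '.join(f.reasons)}")
    for path, keys in suspect_files(triage(SAMPLE_LOG)).items():
        print(path, "<-", keys)
```

The xry.exe entry carries a "Microsoft Corporation" publisher string yet trips the path heuristic, and it appears under "Other Deletions" in the ComboFix log later in this thread.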

#12
CompCav

Step 1.

Download the enclosed file: fixlist.txt

Save it in the USB drive.

Insert the USB drive into the ailing computer. Run FRST as you did before, except that this time around click on the Fix button.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.



Step 2.
Attempt to boot in Normal Mode. If successful, run Combofix as follows:
Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. This infection will require a reboot to correct so make sure these are turned off and will not turn back on at reboot. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

    Posted Image
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    Posted Image
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If you cannot connect to the internet or have other issues after ComboFix completes, simply reboot the computer.



Step 3.


Please post:

fixlog.txt
ComboFix.txt


What are the current issues with your computer?
  • 0

#13
gbtx01

ComboFix 12-09-18.07 - User 09/19/2012 15:20:19.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1475 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\44ac61mpu26vuwj12330qu71824
c:\documents and settings\All Users\Favorites\Error Cleaner.url
c:\documents and settings\All Users\Favorites\Privacy Protector.url
c:\documents and settings\All Users\Favorites\Spyware&Malware Protection.url
c:\documents and settings\User\Application Data\Roaming
c:\documents and settings\User\Application Data\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#piephahn.com\settings.sol
c:\documents and settings\User\Application Data\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
c:\documents and settings\User\Desktop\Search.lnk
c:\documents and settings\User\Favorites\Error Cleaner.url
c:\documents and settings\User\Favorites\Privacy Protector.url
c:\documents and settings\User\Favorites\Spyware&Malware Protection.url
c:\documents and settings\User\Local Settings\Application Data\bb73b.dll
c:\documents and settings\User\Local Settings\Application Data\xry.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-19 to 2012-09-19 )))))))))))))))))))))))))))))))
.
.
2012-09-19 19:27 . 2012-09-19 19:27 -------- d-----w- C:\FRST
2012-09-04 20:02 . 2012-09-04 20:02 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\PCHealth
2012-08-28 12:18 . 2012-08-28 12:18 -------- d-----w- C:\ProgramData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-28 17:47 . 2012-06-28 17:47 260 ----a-w- c:\windows\system32\cmdVBS.vbs
2012-06-28 17:47 . 2012-06-28 17:47 256 ----a-w- c:\windows\system32\MSIevent.bat
2012-08-10 14:54 . 2012-06-25 17:35 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-16 13680640]
"nwiz"="nwiz.exe" [2009-01-16 1657376]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-16 86016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2010-07-20 206120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50001:UDP"= 50001:UDP:IHA_MessageCenter
.
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [12/12/2011 11:03 AM 352248]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [7/20/2010 1:29 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [7/20/2010 1:29 AM 185640]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [8/14/2009 6:09 PM 20160]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [6/25/2012 12:35 PM 113120]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - AvgLdx86
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\2uy0jkor.default\
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-19 15:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-09-19 15:24:19
ComboFix-quarantined-files.txt 2012-09-19 20:24
.
Pre-Run: 225,675,018,240 bytes free
Post-Run: 228,027,895,808 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 258C8FFF90ECDFEED82F14F033C7738F
  • 0


#15
gbtx01

  • Topic Starter
  • Member
  • 24 posts
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 19-09-2012
Ran by SYSTEM at 2012-09-19 16:05:02 Run:1
Running from I:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\40uIGqLFae94KbA Value deleted successfully.
HKEY_USERS\User\Software\Microsoft\Windows\CurrentVersion\Run\\4249330759 Value deleted successfully.
HKEY_USERS\User\Software\Microsoft\Windows\CurrentVersion\Run\\40uIGqLFae94KbA Value deleted successfully.
HKEY_USERS\User\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully.
HKEY_USERS\User\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableRegistryTools Value deleted successfully.
HKEY_USERS\User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoDesktop Value deleted successfully.
HKEY_USERS\User\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored successfully .
C:\Documents and Settings\User\ms.exe moved successfully.
C:\Documents and Settings\User\Application Data\JfCqQ5JC.exe moved successfully.
C:\Documents and Settings\User\Local Settings\Application Data\44ac61mpu26vuwj12330qu71824 moved successfully.
C:\Documents and Settings\All Users\Application Data\44ac61mpu26vuwj12330qu71824 moved successfully.

==== End of Fixlog ====
  • 0





