Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

FBI Cybercrime Division Virus (Safe Mode not working) [Closed]


  • This topic is locked This topic is locked

#1
turkeestalker

turkeestalker

    Member

  • Member
  • PipPip
  • 35 posts
I contracted this virus yesterday. I searched online for a fix and found Hitman Pro, which got me past the lock. Yet I am unable still to restore to an earlier point, or start the computer in safe mode (it just loops the restart when attempted), which prevents me from using other tools to remove the virus. Any help would be greatly appreciated.
Thanks in advance,
Turkeestalker
  • 0

Advertisements


#2
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello turkeestalker

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst64.exe or e:\frst.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.

[*]First Press the Scan button.
[*]It will make a log (FRST.txt)

[*]Second Type the following in the edit box after "Search:". services.exe
[*]Click the Search button
[*]It will make a log (Search.txt)
[/list]
I want you to poste Both the FRST.txt report and the Search.txt into your reply to me

Gringo
  • 0

#3
turkeestalker

turkeestalker

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Gringo,
Thank you for you assistance with this. I did read your post, I dl'd Farbar scan tool for 32 bit to a flash drive, and attempted to follow your instructions.
I was unable to find an option to enter recovery console regardless of which 'F' key I attempted to press, that option never appeared in any of the lists.
I then attempted to reset the bios and boot from the cd, which I did, but was unable to get to a point of actually repairing anything. The options presented were different from those you had listed, and I did print out your instructions prior to beginning. I am using XP sp3, if that might make any difference. Any suggestions or questions for clarification?
  • 0

#4
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

Lets see if we can get this to run

  • Download OTLPE from either location and save it to your desktop:

    http://oldtimer.geek...om/OTLPEStd.exe
    http://ottools.noahd...et/OTLPEStd.exe
  • Double click the OTLPENet icon on your desktop
  • "Do you want to burn the CD?" choose Yes
  • ImgBurn will automatically extract and load the OTLPE Iso to be burned to CD
  • Place a blank CD in your CD-Rom
  • Click Posted Image to start the burn process
  • You will see a dialog "Operation successfully completed"
  • Boot the non-working computer using the boot CD you just created
  • In order to do so, the computer must be set to boot from the CD first

    Note : For information click here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press "OK"
  • OTL should now start.
  • Push Posted Image
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your next reply.

Gringo
  • 0

#5
turkeestalker

turkeestalker

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
OTL logfile created on: 5/13/2013 6:08:02 AM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 88.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 204.72 Gb Free Space | 87.91% Space Free | Partition Type: NTFS
Drive D: | 111.79 Gb Total Space | 3.50 Gb Free Space | 3.13% Space Free | Partition Type: NTFS
Drive E: | 465.76 Gb Total Space | 428.22 Gb Free Space | 91.94% Space Free | Partition Type: NTFS
Drive G: | 994.25 Mb Total Space | 992.99 Mb Free Space | 99.87% Space Free | Partition Type: FAT32
Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- -- (YahooAUService)
SRV - File not found [Auto] -- -- (WinDefend)
SRV - File not found [Auto] -- -- (PSUAService)
SRV - File not found [On_Demand] -- -- (nosGetPlusHelper) getPlus®
SRV - File not found [Auto] -- -- (NanoServiceMain)
SRV - File not found [On_Demand] -- -- (MatSvc)
SRV - File not found [Auto] -- -- (JavaQuickStarterService)
SRV - File not found [Auto] -- -- (imonNT) Intel®
SRV - File not found [On_Demand] -- -- (getPlus® Helper) getPlus®
SRV - File not found [Auto] -- -- (Bonjour Service)
SRV - File not found [Auto] -- -- (ATI Smart)
SRV - File not found [Auto] -- -- (Ati HotKey Poller)
SRV - [2013/04/04 15:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) [Auto] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2013/04/04 15:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) [Auto] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2008/04/14 04:00:00 | 000,038,400 | ---- | M] (Microsoft Corporation) [Auto] -- D:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2006/06/26 02:03:56 | 000,091,696 | ---- | M] (Logitech Inc.) [Auto] -- C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)
SRV - [2006/06/26 02:03:42 | 000,099,888 | ---- | M] (Logitech Inc.) [Auto] -- C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2002/09/20 07:20:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (wmamp3DriverV32)
DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (Wdf01000)
DRV - File not found [Kernel | On_Demand] -- -- (vdrive)
DRV - File not found [Kernel | On_Demand] -- -- (usbser)
DRV - File not found [Kernel | On_Demand] -- -- (USBAAPL)
DRV - File not found [Kernel | On_Demand] -- -- (senfilt)
DRV - File not found [Kernel | On_Demand] -- -- (PSKMAD)
DRV - File not found [Kernel | Auto] -- -- (PSINProt)
DRV - File not found [File_System | Auto] -- -- (PSINProc)
DRV - File not found [Kernel | System] -- -- (PSINKNC)
DRV - File not found [File_System | Auto] -- -- (PSINFile)
DRV - File not found [Kernel | Auto] -- -- (PSINAflt)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand] -- -- (NTIDrvr)
DRV - File not found [Kernel | System] -- -- (NNSTLSC)
DRV - File not found [Kernel | System] -- -- (NNSSTRM)
DRV - File not found [Kernel | System] -- -- (NNSSMTP)
DRV - File not found [Kernel | System] -- -- (NNSPRV)
DRV - File not found [Kernel | System] -- -- (NNSPROT)
DRV - File not found [Kernel | System] -- -- (NNSPOP3)
DRV - File not found [Kernel | System] -- -- (NNSPICC)
DRV - File not found [Kernel | On_Demand] -- -- (NNSNAHS)
DRV - File not found [Kernel | System] -- -- (NNSIDS)
DRV - File not found [Kernel | System] -- -- (NNSHTTP)
DRV - File not found [Kernel | System] -- -- (NNSALPC)
DRV - File not found [Kernel | On_Demand] -- -- (motmodem)
DRV - File not found [Kernel | On_Demand] -- -- (mfesmfk)
DRV - File not found [Kernel | On_Demand] -- -- (mferkdk)
DRV - File not found [Kernel | On_Demand] -- -- (LVRS)
DRV - File not found [Kernel | On_Demand] -- -- (ltmodem5)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand] -- -- (gameenum)
DRV - File not found [Kernel | On_Demand] -- -- (E100B) Intel®
DRV - File not found [Kernel | On_Demand] -- -- (cmuda3)
DRV - File not found [Kernel | On_Demand] -- -- (cmpci) C-Media PCI Audio Driver (WDM)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- -- (catchme)
DRV - File not found [Kernel | On_Demand] -- -- (CamDrL) Logitech QuickCam Pro 3000(CamDrl)
DRV - File not found [Kernel | On_Demand] -- -- (ati2mtag)
DRV - [2013/04/04 15:50:32 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2009/06/30 01:07:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2008/04/13 22:05:30 | 000,036,224 | ---- | M] (ADMtek Incorporated.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\an983.sys -- (AN983)
DRV - [2006/06/26 02:03:40 | 000,023,472 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2006/06/26 02:03:36 | 001,952,816 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LVMVdrv.sys -- (LVMVDrv)
DRV - [2006/06/26 02:03:28 | 001,587,632 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Lvckap.sys -- (LVcKap)
DRV - [2006/06/22 18:29:47 | 000,961,072 | R--- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech QuickCam PTZ(UVC)
DRV - [2006/06/22 18:29:47 | 000,020,272 | R--- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2006/06/22 18:29:46 | 000,038,960 | R--- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2006/06/22 18:29:43 | 000,055,984 | R--- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\lvselsus.sys -- (lvselsus)
DRV - [2006/06/22 18:29:40 | 001,413,424 | R--- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\lvpopflt.sys -- (lvpopflt)
DRV - [2003/05/09 01:00:56 | 000,033,248 | ---- | M] (Sonic Focus, Inc) [Kernel | System] -- C:\WINDOWS\system32\drivers\sf.sys -- (sf)
DRV - [2002/09/20 14:53:34 | 000,235,100 | ---- | M] (Analog Devices Inc) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.c...rch/search.html


IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 1E C7 53 01 98 8C 33 4F AB AB 47 7D 25 86 23 51 [binary data]
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\Administrator_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 20 82 5B 3D 7F 22 CC 01 [binary data]
IE - HKU\Administrator_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\JDA.MINE_ON_D\Software\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\JDA.MINE_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co...omplete=0&hl=en
IE - HKU\JDA.MINE_ON_D\Software\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 1E C7 53 01 98 8C 33 4F AB AB 47 7D 25 86 23 51 [binary data]
IE - HKU\JDA.MINE_ON_D\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - Reg Error: Key error. File not found
IE - HKU\JDA.MINE_ON_D\..\URLSearchHook: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - File not found
IE - HKU\JDA.MINE_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\JDA.MINE_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\LocalService_ON_D\Software\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 1E C7 53 01 98 8C 33 4F AB AB 47 7D 25 86 23 51 [binary data]

IE - HKU\NetworkService_ON_D\Software\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 1E C7 53 01 98 8C 33 4F AB AB 47 7D 25 86 23 51 [binary data]
IE - HKU\NetworkService_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\systemprofile_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: File not found
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandasecurity.com/activescan: C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff

[2012/12/16 10:45:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2008/04/14 04:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - File not found
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - File not found
O2 - BHO: (Panda Security Toolbar) - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - File not found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - File not found
O3 - HKLM\..\Toolbar: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - File not found
O3 - HKLM\..\Toolbar: (Panda Security Toolbar) - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - File not found
O3 - HKU\JDA.MINE_ON_D\..\Toolbar\WebBrowser: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] File not found
O4 - HKLM..\Run: [IMONTRAY] File not found
O4 - HKLM..\Run: [LogitechCommunicationsManager] C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe (Logitech Inc.)
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\QuickCam10\QuickCam10.exe ()
O4 - HKLM..\Run: [LVCOMSX] C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe (Logitech Inc.)
O4 - HKLM..\Run: [Panda Security URL Filtering] File not found
O4 - HKLM..\Run: [PSUAMain] File not found
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [nltide_2] File not found
O4 - HKU\Administrator_ON_D..\RunOnce: [FlashPlayerUpdate] File not found
O4 - HKU\Administrator_ON_D..\RunOnce: [nltide_2] File not found
O4 - HKU\systemprofile_ON_D..\RunOnce: [nltide_2] File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Administrator_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\JDA.MINE_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\JDA.MINE_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O7 - HKU\JDA.MINE_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\JDA.MINE_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\LocalService_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\systemprofile_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - File not found
O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - File not found
O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - File not found
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - File not found
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1351543462031 (MUWebControl Class)
O16 - DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} http://www.gunbroker...230999680000000 (Image Uploader Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoft...s/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.94.156.1 68.94.157.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/11/05 17:39:18 | 000,000,000 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (sprestrt) - C:\WINDOWS\System32\sprestrt.exe (Microsoft Corporation)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2013/05/11 12:47:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2013/05/03 22:35:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2013/04/29 06:28:04 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache
[2013/04/29 06:27:41 | 000,800,824 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\Application Data\DPInst.exe
[2013/04/29 06:27:41 | 000,106,496 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\Application Data\gacutil.exe
[2013/04/29 06:27:41 | 000,036,352 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\Application Data\PnPutil.exe
[2013/04/29 06:27:39 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
[2013/04/29 06:27:39 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2013/04/29 06:27:39 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Application Data
[2013/04/29 06:27:39 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\Cookies
[2013/04/29 06:27:39 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\NetHood
[2013/04/29 06:27:39 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings
[2013/04/29 06:27:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Temp
[2013/04/29 06:27:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents
[2013/04/29 06:27:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\KODAK AiO Home Center1771956769
[2013/04/29 06:27:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Favorites
[2013/04/29 06:27:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Eastman_Kodak_Company
[2013/04/29 06:27:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop
[2013/04/29 06:27:38 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\SendTo
[2013/04/29 06:27:38 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
[2013/04/29 06:27:38 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu
[2013/04/29 06:27:38 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
[2013/04/29 06:27:38 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Templates
[2013/04/29 06:27:38 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Recent
[2013/04/29 06:27:38 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\PrintHood
[2013/04/28 13:46:15 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2013/04/28 12:18:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\D4919A3AD3C6FD240000D490C5AF0218
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/05/13 05:53:10 | 000,000,452 | ---- | M] () -- C:\WINDOWS\tasks\PrintProjects Communicator.job
[2013/05/13 05:35:44 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-796845957-1364589140-1644491937-1003.job
[2013/05/13 05:35:44 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-796845957-1364589140-1644491937-1003.job
[2013/05/13 05:04:18 | 000,000,366 | -H-- | M] () -- C:\WINDOWS\tasks\MpIdleTask.job
[2013/05/13 03:14:03 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/05/12 22:45:42 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/05/12 22:45:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/05/12 22:45:04 | 2146,164,736 | -HS- | M] () -- C:\hiberfil.sys
[2013/05/12 22:45:02 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2013/05/12 15:40:52 | 000,002,315 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
[2013/05/11 12:56:51 | 000,030,464 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro37.sys
[2013/05/11 12:53:03 | 000,005,214 | ---- | M] () -- C:\WINDOWS\System32\.crusader
[2013/05/02 11:28:50 | 000,238,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/05/11 12:56:51 | 000,030,464 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro37.sys
[2013/05/11 12:53:03 | 000,005,214 | ---- | C] () -- C:\WINDOWS\System32\.crusader
[2013/04/29 09:36:43 | 2146,164,736 | -HS- | C] () -- C:\hiberfil.sys
[2013/04/29 06:27:41 | 000,000,181 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\gacutil.exe.config
[2013/04/29 06:27:40 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
[2013/04/29 06:27:40 | 000,000,788 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
[2013/02/15 21:30:14 | 000,000,073 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2013/02/05 22:24:10 | 000,001,534 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ss.ini
[2012/12/28 08:41:26 | 000,006,688 | ---- | C] () -- C:\WINDOWS\System32\Digita.sys
[2012/12/28 08:41:25 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\TransportUSB.dll
[2012/12/28 08:41:25 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\TransportSerial.dll
[2012/12/28 08:41:21 | 000,335,872 | ---- | C] () -- C:\WINDOWS\System32\ldf252.dll
[2012/12/16 10:44:01 | 000,723,230 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2012/12/16 10:44:01 | 000,183,544 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2012/12/13 05:22:22 | 000,022,334 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2012/12/11 21:17:16 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/12/11 20:47:00 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2012/12/11 20:40:54 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2012/12/11 14:31:53 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2012/12/11 14:29:09 | 000,120,544 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/07/17 10:02:02 | 000,001,052 | R--- | C] () -- \reatogoMenu.ini
[2011/07/17 09:58:27 | 000,000,000 | R--- | C] () -- \WIN51IP.SP2
[2011/07/17 09:58:26 | 000,000,000 | R--- | C] () -- \WIN51IP
[2008/04/14 04:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/14 04:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 04:00:00 | 000,472,866 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 04:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 04:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 04:00:00 | 000,075,960 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 04:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 04:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 04:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 04:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/14 04:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 04:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2006/06/26 02:03:40 | 000,023,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2006/03/24 07:06:41 | 000,000,053 | R--- | C] () -- \AUTORUN.INF
[2005/07/16 17:36:50 | 000,240,128 | R--- | C] () -- \reatogoMenu.exe

========== LOP Check ==========

[2013/03/05 17:49:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Temp
[2012/12/18 09:44:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Temp
[2011/07/17 10:03:09 | 000,000,000 | R--D | M] -- \I386
[2011/07/17 09:58:33 | 000,000,000 | R--D | M] -- \PROGRAMS
[2011/07/17 10:02:33 | 000,000,000 | R--D | M] -- \SFX
[2013/04/28 12:25:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\D4919A3AD3C6FD240000D490C5AF0218
[2013/02/05 22:22:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreeRIP
[2013/05/11 12:53:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2012/12/17 12:17:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PrintProjects
[2012/12/17 09:41:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Visan
[2013/05/13 05:04:18 | 000,000,366 | -H-- | M] () -- C:\WINDOWS\Tasks\MpIdleTask.job
[2013/05/13 05:53:10 | 000,000,452 | ---- | M] () -- C:\WINDOWS\Tasks\PrintProjects Communicator.job

========== Purity Check ==========


< End of report >
  • 0

#6
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Try this please. You will need a USB drive.

Download http://unetbootin.so...dows-latest.exe & http://noahdfear.net.../xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net...loads/driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive
Copy and paste the report.txt for my review
  • 0

#7
turkeestalker

turkeestalker

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Gringo,
I made it to step 14, '•Press F12 and choose to boot from the USB', no such luck. On my pc, it is f10 that gives me the option of booting from the hard drive or from a removable usb device. I select the usb device, and it goes back to the screen, We're sorry, windows was not shut down properly due to a power failure or a reset button being pressed... then gives options to start windows normally, safe mode, safe mode with networking, or command prompt. I can not boot from the usb device and I followed your instructions to the letter to the best of my knowlege. Much the same as how I am not able to get to safe mode.
Any other suggestions?
  • 0

#8
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Lets try it from a CD

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert it back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive
Copy and paste the report.txt for my review
  • 0

#9
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
  • 0

#10
turkeestalker

turkeestalker

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
I apoloize Grigo, I did as you asked, but ran into a snag identifying the flash drive. I have a few different things plugged into this pc, including a secondary hd. My intent is to unplug everything else and attempt it again, but since that evening life stepped in the way. I will dive in as soon as I can.
  • 0

#11
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
no problem and I will check on you later



gringo
  • 0

#12
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
  • 0

#13
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP