My Laptop Is Possessed! Multi rogue security apps [Closed]
#31
Posted 06 February 2014 - 03:04 PM
#32
Posted 06 February 2014 - 03:29 PM
CF = ComboFix.
#33
Posted 06 February 2014 - 03:35 PM
ERROR
First I get the error message to disable Symantec and that I'm proceeding at my own risk.
CMD
Please wait.
ComboFix is preparing to run.
Attempting to create a new System Restore point.
ERROR
Next I get the error for Windows Recovery Console. And I choose no to downloading the file.
CMD
Scanning for infected files . . .
[blinking cursor]
There was no file under C:. I was already running ComboFix again. I'll be more patient, lol. What would be the maximum amount of time I should let this run?
#34
Posted 06 February 2014 - 03:40 PM
Fudged up = Made a mistake.
Thanks for the English lesson, Velarie.
What would be the maximum amount of time I should let this run?
30 - 40 minutes. Normally it runs 10 - 15 minutes, but on highly infected machines it can be longer.
Gerrit
#35
Posted 06 February 2014 - 04:21 PM
I've also noticed that the last three or four times I booted the system, it has me go through the log in process twice before loading the desktop. Just FYI.
#36
Posted 07 February 2014 - 09:45 AM
Do all the steps below in Normal Mode if possible.
First,
please run an RKILL scan again. Download it from here and save it to your Desktop. Run it. Wait until it is finished and post the contents of RKILL.txt.
Farbar Recovery Scan Tool (FRST)
- Run FRST.
- Click Scan to start FRST.
- When FRST finishes scanning, a log, FRST.txt, will open.
- Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.
Then,
Search for that file: C:\ComboFix.txt. If the file exists, please post its contents.
#37
Posted 09 February 2014 - 11:45 AM
*****************************************************************
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-02-2014 02
Ran by SYSTEM on REATOGO on 09-02-2014 11:44:45
Running from B:\Documents and Settings\Default User\Desktop
Microsoft Windows XP (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery
The current controlset is ControlSet004
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingc...can-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingc...can-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo...very-scan-tool/
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [KernelFaultCheck] - %systemroot%\system32\dumprep 0 -k
HKLM\...\Run: [Scheduler] - C:\WINDOWS\SMINST\Scheduler.exe [94736 2014-01-30] ()
HKLM\...\Run: [Reminder] - C:\WINDOWS\Creator\Remind_XP.exe [94736 2014-01-30] ()
HKLM\...\Run: [Recguard] - C:\WINDOWS\Sminst\Recguard.exe [94736 2014-01-30] ()
HKLM\...\Run: [MsmqIntCert] - regsvr32 /s mqrt.dll
HKLM\...\Run: [hpWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [94736 2014-01-30] ()
HKLM\...\Run: [Cpqset] - C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe [94736 2014-01-30] ()
HKLM\...\Run: [CognizanceTS] - C:\Program Files\Hewlett-Packard\IAM\Bin\ASTSVCC.dll [17920 2003-12-22] (Cognizance Corporation)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [94736 2014-01-30] ()
HKLM\...\Run: [HPHmon06] - C:\WINDOWS\system32\hphmon06.exe [622592 2004-12-16] (Hewlett-Packard)
HKLM\...\Run: [HPDJ Taskbar Utility] - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb13.exe [172032 2004-11-24] (HP)
HKLM\...\Run: [MSConfig] - C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE [169984 2008-04-14] (Microsoft Corporation)
Winlogon\Notify\AtiExtEvent: C:\Windows\system32\Ati2evxx.dll (ATI Technologies Inc.)
Winlogon\Notify\NavLogon: C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
Winlogon\Notify\OneCard: C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll (Cognizance Corporation)
HKLM\...\Policies\Explorer: [NoSetActiveDesktop] 1
Lsa: [Notification Packages] scecli ASWLNPkg
========================== Services (Whitelisted) =================
S4 !SASCORE; C:\AdwCleaner\newsas\SASCORE.EXE [120088 2013-10-10] (SUPERAntiSpyware.com)
S2 6to4; C:\WINDOWS\system32\6to4ex.dll [73748 2004-08-17] ()
S2 ASBroker; C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll [74240 2007-02-06] (Cognizance Corporation)
S2 ASChannel; C:\Program Files\Hewlett-Packard\IAM\Bin\ASChnl.dll [131584 2006-06-22] (Cognizance Corporation)
S4 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [185968 2005-10-04] (Symantec Corporation)
S4 ccPwdSvc; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [83568 2005-10-04] (Symantec Corporation)
S4 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [177776 2005-10-04] (Symantec Corporation)
S4 DefWatch; C:\Program Files\Symantec AntiVirus\DefWatch.exe [20208 2005-11-15] (Symantec Corporation)
S4 HP Port Resolver; C:\WINDOWS\system32\hpbpro.exe [77824 2004-06-02] (Hewlett-Packard Company)
S4 HP Status Server; C:\WINDOWS\system32\hpboid.exe [73728 2004-06-02] (Hewlett-Packard Company)
S4 msftesql$PROPHETSQL; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [92952 2006-08-28] (Microsoft Corporation)
S4 MSIServer; C:\Windows\System32\msiexec.exe [78848 2008-04-14] ()
S2 MSMQ; C:\WINDOWS\system32\mqsvc.exe [4608 2008-04-14] (Microsoft Corporation)
S2 MSMQTriggers; C:\WINDOWS\system32\mqtgsvc.exe [117248 2008-04-14] (Microsoft Corporation)
S4 MSSQL$PROPHETSQL; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29181272 2008-12-18] (Microsoft Corporation)
S4 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [45272 2005-10-14] (Microsoft Corporation)
S4 PCA; C:\WINDOWS\SMINST\PCAngel.exe [294912 2006-01-12] (SoftThinks)
S4 SavRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [169200 2005-11-15] (symantec)
S4 SNDSrvc; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [214672 2005-10-19] (Symantec Corporation)
S4 SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [79360 2008-01-17] (SolidWorks)
S4 SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [992864 2005-03-30] (Symantec Corporation)
S4 Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [1756912 2005-11-15] (Symantec Corporation)
S4 WinVNC4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [926712 2007-06-05] (RealVNC Ltd.)
==================== Drivers (Whitelisted) ====================
S1 AmdK8; C:\Windows\System32\DRIVERS\AmdK8.sys [36864 2006-07-02] (Advanced Micro Devices)
S3 ATSWPDRV; C:\Windows\System32\DRIVERS\ATSwpDrv.sys [140808 2007-04-10] (AuthenTec, Inc.)
S3 BCM43XX; C:\Windows\System32\DRIVERS\bcmwl5.sys [604928 2006-11-01] (Broadcom Corporation)
S3 BTKRNL; C:\Windows\System32\DRIVERS\btkrnl.sys [868298 2007-02-14] (Broadcom Corporation.)
S3 BTWUSB; C:\Windows\System32\Drivers\btwusb.sys [67960 2007-02-14] (Broadcom Corporation.)
S1 eabfiltr; C:\Windows\System32\DRIVERS\eabfiltr.sys [8192 2006-11-30] (Hewlett-Packard Development Company, L.P.)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [371248 2010-05-27] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [102448 2010-05-27] (Symantec Corporation)
S3 gfiark; C:\Windows\System32\drivers\gfiark.sys [43368 2013-05-23] (ThreatTrack Security)
S3 gfiutil; C:\Windows\System32\drivers\gfiutil.sys [24040 2013-09-04] (ThreatTrack Security)
S3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49920 2005-10-21] (HP)
S3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2005-10-21] (HP)
S3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2005-10-21] (HP)
S3 IFXTPM; C:\Windows\System32\DRIVERS\IFXTPM.SYS [36608 2006-09-19] (Infineon Technologies AG)
S3 MQAC; C:\WINDOWS\system32\drivers\mqac.sys [92544 2008-04-14] (Microsoft Corporation)
S3 mvb35316; C:\Windows\System32\Drivers\mvb35316.sys [12800 2009-02-09] ()
S3 NAVENG; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100924.004\naveng.sys [85424 2010-07-15] (Symantec Corporation)
S3 NAVEX15; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100924.004\navex15.sys [1362608 2010-07-15] (Symantec Corporation)
S3 PalmUSBD; C:\Windows\System32\drivers\PalmUSBD.sys [16694 2004-06-09] (PalmSource, Inc.)
S3 Rasirda; C:\Windows\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
S1 SASDIFSV; C:\AdwCleaner\newsas\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\AdwCleaner\newsas\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SAVRT; C:\Program Files\Symantec AntiVirus\savrt.sys [334984 2005-08-26] (Symantec Corporation)
S1 SAVRTPEL; C:\Program Files\Symantec AntiVirus\Savrtpel.sys [53896 2005-08-26] (Symantec Corporation)
S3 slabbus; C:\Windows\System32\DRIVERS\slabbus.sys [66672 2007-03-01] (MCCI)
S3 slabser; C:\Windows\System32\DRIVERS\slabser.sys [100400 2007-03-01] (MCCI)
S3 SMCIRDA; C:\Windows\System32\DRIVERS\smcirda.sys [35913 2001-08-17] (SMC)
S3 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [372832 2005-03-30] (Symantec Corporation)
S3 SymEvent; C:\Program Files\Symantec\SYMEVENT.SYS [108168 2005-09-17] (Symantec Corporation)
S3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [24720 2005-10-19] (Symantec Corporation)
S1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [195728 2005-10-19] (Symantec Corporation)
S0 mafqlvq; No ImagePath
S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)
S3 VPROEVENTMONITOR; \??\C:\WINDOWS\system32\drivers\VProEventMonitor.sys [X]
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2014-02-06 16:37 - 2014-02-06 16:40 - 00000000 ___SD () C:\Machiavelli
2014-02-06 15:50 - 2011-06-26 01:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-02-06 15:50 - 2010-11-07 12:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-02-06 15:50 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-02-06 15:50 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-02-06 15:50 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-02-06 15:50 - 2000-08-30 19:00 - 00212480 _____ (SteelWerX) C:\Windows\SWXCACLS.exe
2014-02-06 15:50 - 2000-08-30 19:00 - 00098816 _____ () C:\Windows\sed.exe
2014-02-06 15:50 - 2000-08-30 19:00 - 00080412 _____ () C:\Windows\grep.exe
2014-02-06 15:50 - 2000-08-30 19:00 - 00068096 _____ () C:\Windows\zip.exe
2014-02-06 15:44 - 2014-02-06 15:49 - 00000000 ____D () C:\Qoobox
2014-02-06 15:44 - 2014-02-06 15:44 - 00000000 ____D () C:\Windows\erdnt
2014-02-05 14:02 - 2014-02-06 15:43 - 00000000 ____D () C:\FRST
2014-02-04 01:39 - 2014-02-04 01:39 - 00000000 ____D () C:\pukingsoft
2014-02-04 01:14 - 2014-02-04 01:14 - 00000000 _____ () C:\Windows\System32\SBRC.dat
2014-02-04 01:13 - 2013-09-04 14:57 - 00024040 _____ (ThreatTrack Security) C:\Windows\System32\Drivers\gfiutil.sys
2014-02-04 01:13 - 2013-05-23 08:39 - 00043368 _____ (ThreatTrack Security) C:\Windows\System32\Drivers\gfiark.sys
2014-02-04 01:11 - 2014-02-04 01:13 - 00000000 ____D () C:\VIPRERESCUE
2014-02-03 21:43 - 2013-04-04 15:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2014-02-03 21:31 - 2014-02-03 21:31 - 00000000 _____ () C:\Windows\System32\15724.exe
2014-02-03 21:11 - 2014-02-03 21:11 - 00000000 _____ () C:\Windows\System32\19169.exe
2014-02-03 20:19 - 2014-02-03 20:19 - 00000000 ____D () C:\Tech Support
2014-02-03 17:57 - 2014-02-04 01:32 - 00000000 ____D () C:\AdwCleaner
2014-02-03 17:55 - 2014-02-03 19:59 - 00005127 _____ () C:\Windows\setupapi.log
2014-02-03 16:30 - 2014-02-03 20:51 - 00000000 _____ () C:\Windows\System32\26500.exe
2014-02-03 16:25 - 2014-02-03 16:25 - 00094828 ____H () C:\Windows\wininst.exe
2014-02-03 16:25 - 2014-02-03 16:25 - 00094828 ____H () C:\Windows\system.exe
2014-01-30 16:11 - 2014-02-04 02:06 - 00000000 _____ () C:\Windows\System32\6334.exe
2014-01-30 12:52 - 2014-02-05 13:35 - 00000000 _____ () C:\Windows\System32\18467.exe
2014-01-30 12:12 - 2014-02-06 11:21 - 00000000 _____ () C:\Windows\System32\ES17.exe
==================== One Month Modified Files and Folders =======
2014-02-06 17:28 - 2010-09-26 22:28 - 00636786 _____ () C:\Windows\WindowsUpdate.log
2014-02-06 16:40 - 2014-02-06 16:37 - 00000000 ___SD () C:\Machiavelli
2014-02-06 16:38 - 2004-08-07 08:14 - 00678654 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-02-06 16:34 - 2010-09-26 22:35 - 00002206 _____ () C:\Windows\System32\wpa.dbl
2014-02-06 16:34 - 2007-10-04 10:36 - 00000000 ____D () C:\Windows\System32\Restore
2014-02-06 15:49 - 2014-02-06 15:44 - 00000000 ____D () C:\Qoobox
2014-02-06 15:46 - 2004-08-07 08:03 - 00000603 _____ () C:\Windows\win.ini
2014-02-06 15:46 - 2004-08-07 07:57 - 00000223 ___SH () C:\boot.ini
2014-02-06 15:46 - 2004-08-07 00:53 - 00000227 _____ () C:\Windows\system.ini
2014-02-06 15:44 - 2014-02-06 15:44 - 00000000 ____D () C:\Windows\erdnt
2014-02-06 15:43 - 2014-02-05 14:02 - 00000000 ____D () C:\FRST
2014-02-06 11:21 - 2014-01-30 12:12 - 00000000 _____ () C:\Windows\System32\ES17.exe
2014-02-06 11:21 - 2010-09-30 21:36 - 00000000 _____ () C:\Windows\System32\41.exe
2014-02-06 11:21 - 2010-09-30 21:35 - 00004278 _____ () C:\Windows\System32\warnings.html
2014-02-05 13:35 - 2014-01-30 12:52 - 00000000 _____ () C:\Windows\System32\18467.exe
2014-02-05 12:42 - 2010-09-26 22:38 - 00000216 _____ () C:\Windows\wiadebug.log
2014-02-05 12:42 - 2010-09-26 22:38 - 00000048 _____ () C:\Windows\wiaservc.log
2014-02-05 12:42 - 2010-09-26 22:36 - 00032652 _____ () C:\Windows\SchedLgU.Txt
2014-02-05 11:37 - 2007-10-04 11:31 - 00524288 _____ () C:\Windows\System32\config\ACEEvent.evt
2014-02-05 11:36 - 2007-10-04 12:06 - 00000000 ____D () C:\Windows\SMINST
2014-02-04 15:39 - 2007-12-03 23:12 - 00000000 __SHD () C:\Windows\CSC
2014-02-04 02:06 - 2014-01-30 16:11 - 00000000 _____ () C:\Windows\System32\6334.exe
2014-02-04 01:39 - 2014-02-04 01:39 - 00000000 ____D () C:\pukingsoft
2014-02-04 01:32 - 2014-02-03 17:57 - 00000000 ____D () C:\AdwCleaner
2014-02-04 01:14 - 2014-02-04 01:14 - 00000000 _____ () C:\Windows\System32\SBRC.dat
2014-02-04 01:13 - 2014-02-04 01:11 - 00000000 ____D () C:\VIPRERESCUE
2014-02-03 21:55 - 2007-12-03 22:48 - 00000000 ____D () C:\Windows\pss
2014-02-03 21:31 - 2014-02-03 21:31 - 00000000 _____ () C:\Windows\System32\15724.exe
2014-02-03 21:11 - 2014-02-03 21:11 - 00000000 _____ () C:\Windows\System32\19169.exe
2014-02-03 20:51 - 2014-02-03 16:30 - 00000000 _____ () C:\Windows\System32\26500.exe
2014-02-03 20:19 - 2014-02-03 20:19 - 00000000 ____D () C:\Tech Support
2014-02-03 19:59 - 2014-02-03 17:55 - 00005127 _____ () C:\Windows\setupapi.log
2014-02-03 16:25 - 2014-02-03 16:25 - 00094828 ____H () C:\Windows\wininst.exe
2014-02-03 16:25 - 2014-02-03 16:25 - 00094828 ____H () C:\Windows\system.exe
2014-02-03 15:47 - 2008-04-07 14:44 - 00000000 ____D () C:\Program Files\Symantec AntiVirus
2014-01-30 13:27 - 2007-10-04 12:06 - 00000000 ____D () C:\Windows\CREATOR
Files to move or delete:
====================
==================== Known DLLs (Whitelisted) ============
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points (XP) =====================
==================== Memory info ===========================
Percentage of memory in use: 50%
Total physical RAM: 447.23 MB
Available physical RAM: 221.48 MB
Total Pagefile: 363.06 MB
Available Pagefile: 264.34 MB
Total Virtual: 2047.88 MB
Available Virtual: 2001.51 MB
==================== Drives ================================
Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: () (Fixed) (Total:64.78 GB) (Free:27.32 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (USB DISK) (Removable) (Total:3.61 GB) (Free:3.6 GB) FAT32
Drive e: (HP_RECOVERY) (Fixed) (Total:9.74 GB) (Free:9.48 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (Size: 75 GB) (Disk ID: 95AA95AA)
Partition 1: (Active) - (Size=65 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=10 GB) - (Type=07 NTFS)
========================================================
Disk: 1 (Size: 4 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=4 GB) - (Type=0C)
==================== End Of Log ============================
#38
Posted 09 February 2014 - 12:03 PM
#39
Posted 09 February 2014 - 12:04 PM
#40
Posted 10 February 2014 - 06:59 AM
C:\pukingsoft
Can you tell me something about that? Do you know what this is?
In your logs I see a Backdoor. That means that your machine is infected with some nasty files which can steal information. It is difficult to tell whether or not any data has been stolen, and trying to find out instead of taking countermeasures is unproductive. In this light, for your safety, assume that your log-in details and other information have been accessed by another source.
Below are the steps that you should administer:
- Please disconnect from the Internet! Also don't use it while we are cleaning the infected machine. This is especially true when you are using the computer in question for online banking and other sites that require sensitive and personal information.
- It is strongly advised that you change your passwords on a clean PC and notify the bank immediately to watch out for suspicious transactions.
- How do I respond to possible identity theft, or to someone stealing my credit card or bank account number?
- When should I re-format? How should I reinstall?
Open Notepad on a clean PC. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select Copy. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt
C:\Windows\Tasks\At*.job
HKLM\...\Run: [KernelFaultCheck] - %systemroot%\system32\dumprep 0 -k
S2 6to4; C:\WINDOWS\system32\6to4ex.dll [73748 2004-08-17] ()
S3 mvb35316; C:\Windows\System32\Drivers\mvb35316.sys [12800 2009-02-09] ()
S0 mafqlvq; No ImagePath
C:\Windows\System32\15724.exe
C:\Windows\System32\19169.exe
C:\Windows\System32\26500.exe
C:\Windows\wininst.exe
C:\Windows\system.exe
C:\Windows\System32\6334.exe
C:\Windows\System32\18467.exe
C:\Windows\System32\ES17.exe
C:\Windows\System32\41.exe
C:\Windows\System32\warnings.html
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.
On Windows XP: Now please boot into the PE (Preinstallation Environment) disk. (like you did before)
Run FRST and press the Fix button just once and wait.
The tool will generate a log on the flash drive (Fixlog.txt). Please post it in your reply.
Please boot the PC again. Tell me how it is working.
#41
Posted 10 February 2014 - 10:05 AM
However, in the documents folder I have data for an old business that I need for taxes. Is it possible to recover the system just enough to retrieve that data? There are no executables that I need just office documents. Could they be scanned before transferring to a new machine? If it weren't for that data I would have already wiped the system. I knew it was FUBAR. If it is possible to retrieve the data that would be awesome! I can wipe the system myself after that.
C:/pukingsoft was an alternate install location for MBAM or something else I did. If it has a body part, body function, expletive, food, or cookware in the application/folder title, it was probably me, lol.
So I am going to run FRST since I am interested in recovering my data. Let me know if you feel this is feasible.
Thanks,
Val
#42
Posted 10 February 2014 - 10:08 AM
#43
Posted 10 February 2014 - 10:26 AM
So I am going to run FRST since I am interested in recovering my data. Let me know if you feel this is feasible.
I would suggest that we get the system running and then save the files. We can of course remove all the malware etc. and then save the data. Tell me what you would like to do. Please do the FRST Fix.
Also, could you please identify which entries in the log indicate a backdoor so that I can watch for these in the future? Thanks!
S3 mvb35316; C:\Windows\System32\Drivers\mvb35316.sys [12800 2009-02-09] ()
C:\Windows\System32\15724.exe
C:\Windows\System32\19169.exe
C:\Windows\System32\26500.exe
C:\Windows\wininst.exe
C:\Windows\system.exe
C:\Windows\System32\6334.exe
C:\Windows\System32\18467.exe
C:\Windows\System32\ES17.exe
C:\Windows\System32\41.exe
These lines are related to this Backdoor and this RootKit.
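The tells the helper relied on above (a driver with no publisher, a service with no ImagePath, zero-byte or numeric-named executables dropped into System32, hidden no-publisher executables in the Windows root) can be written down as a small triage pass over FRST log lines. The script below is an added example, not part of this thread and not FRST's own code; the sample lines are copied from the log posted above, the heuristics and their thresholds are my own assumptions, and a hit means "look closer", not "malicious".

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the FRST log in this thread, mixed with
# known-good entries from the same log so the heuristics have negatives to miss.
SAMPLE_LOG = r"""
S3 MQAC; C:\WINDOWS\system32\drivers\mqac.sys [92544 2008-04-14] (Microsoft Corporation)
S3 mvb35316; C:\Windows\System32\Drivers\mvb35316.sys [12800 2009-02-09] ()
S0 mafqlvq; No ImagePath
S2 6to4; C:\WINDOWS\system32\6to4ex.dll [73748 2004-08-17] ()
2014-02-03 21:43 - 2013-04-04 15:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2014-02-03 21:31 - 2014-02-03 21:31 - 00000000 _____ () C:\Windows\System32\15724.exe
2014-02-03 16:25 - 2014-02-03 16:25 - 00094828 ____H () C:\Windows\wininst.exe
2014-02-03 16:25 - 2014-02-03 16:25 - 00094828 ____H () C:\Windows\system.exe
2014-02-06 15:50 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-01-30 12:12 - 2014-02-06 11:21 - 00000000 _____ () C:\Windows\System32\ES17.exe
"""

# Service/driver line: "S0 name; No ImagePath" or "S3 name; <path> [<size> <date>] (<company>)"
SERVICE_RE = re.compile(r"^([SR]\d)\s+([^;]+);\s+(.*)$")
BINARY_RE = re.compile(r"^(.+?)\s+\[(\d+)\s+(\d{4}-\d{2}-\d{2})\]\s+\((.*)\)$")
# File line: "<created> - <modified> - <size> <attrs> (<company>) <path>"
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{8}) (\S{5}) \((.*?)\) (.+)$"
)


def _in_system32(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\system32")


def _check_service(start_type: str, name: str, rest: str):
    """Return (service name, list of reasons it deserves a closer look)."""
    reasons = []
    if rest.strip() == "No ImagePath":
        # Registered service/driver whose binary path is gone: the mafqlvq case.
        reasons.append("service/driver registered with no ImagePath")
        return name, reasons
    m = BINARY_RE.match(rest)
    if m:
        path, _size, _date, company = m.groups()
        if company == "" and _in_system32(path):
            # FRST prints "()" when the binary carries no publisher: mvb35316, 6to4ex.
            reasons.append("binary in a system directory with no publisher")
    return name, reasons


def _check_file(_created, _modified, size: str, attrs: str, company: str, path: str):
    """Return (file path, list of reasons) for a one-month created/modified line."""
    reasons = []
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".exe":
        return path, reasons
    if int(size) == 0:
        reasons.append("zero-byte executable")
    if p.stem.isdigit() and _in_system32(path):
        reasons.append("numeric-only file name in System32")
    if "H" in attrs and company == "" and p.parent.as_posix().lower() == "c:/windows":
        # wininst.exe / system.exe: hidden, unsigned, dropped straight into C:\Windows.
        reasons.append("hidden executable with no publisher in the Windows root")
    return path, reasons


def triage(log_text: str) -> dict:
    """Map each suspicious service name or file path to the reasons it was flagged."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            key, reasons = _check_service(*m.groups())
        else:
            m = FILE_RE.match(line)
            if not m:
                continue  # registry, header and other line types are not parsed here
            key, reasons = _check_file(*m.groups())
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for item, why in triage(SAMPLE_LOG).items():
        print(f"{item}: {'; '.join(why)}")
```

Every item the script flags on the sample is one the helper put in the fixlist, while the Microsoft driver, the Malwarebytes driver and ComboFix's NirSoft helper pass through unflagged.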
#44
Posted 10 February 2014 - 11:38 AM
******************************************************
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 09-02-2014 02
Ran by SYSTEM at 2014-02-10 11:19:59 Run:3
Running from B:\Documents and Settings\Default User\Desktop
Boot Mode: Recovery
==============================================
Content of fixlist:
*****************
C:\Windows\Tasks\At*.job
HKLM\...\Run: [KernelFaultCheck] - %systemroot%\system32\dumprep 0 -k
S2 6to4; C:\WINDOWS\system32\6to4ex.dll [73748 2004-08-17] ()
S3 mvb35316; C:\Windows\System32\Drivers\mvb35316.sys [12800 2009-02-09] ()
S0 mafqlvq; No ImagePath
C:\Windows\System32\15724.exe
C:\Windows\System32\19169.exe
C:\Windows\System32\26500.exe
C:\Windows\wininst.exe
C:\Windows\system.exe
C:\Windows\System32\6334.exe
C:\Windows\System32\18467.exe
C:\Windows\System32\ES17.exe
C:\Windows\System32\41.exe
C:\Windows\System32\warnings.html
*****************
C:\Windows\Tasks\At*.job => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck => Value deleted successfully.
6to4 => Service deleted successfully.
mvb35316 => Service deleted successfully.
mafqlvq => Service deleted successfully.
C:\Windows\System32\15724.exe => Moved successfully.
C:\Windows\System32\19169.exe => Moved successfully.
C:\Windows\System32\26500.exe => Moved successfully.
C:\Windows\wininst.exe => Moved successfully.
C:\Windows\system.exe => Moved successfully.
C:\Windows\System32\6334.exe => Moved successfully.
C:\Windows\System32\18467.exe => Moved successfully.
C:\Windows\System32\ES17.exe => Moved successfully.
C:\Windows\System32\41.exe => Moved successfully.
C:\Windows\System32\warnings.html => Moved successfully.
==== End of Fixlog ====
#45
Posted 10 February 2014 - 11:45 AM