
My Laptop Is Possessed! Multi rogue security apps [Closed]


  • This topic is locked

#31
velarie2112 (Member, Topic Starter, 108 posts)
It was just a blue cmd box that said scanning was going to start. But there was no activity of any kind. It went for 20 minutes or more and then I fudged up and rebooted.
  • 0

#32
Machiavelli (GeekU Moderator, 4,722 posts)
You mean you have closed it? "Fudge up" is a phrase whose meaning I'm not sure of; after googling, it seems to mean something like "going away from something" or "avoid". Try to find this file: C:\combofix.txt. If there isn't such a file, please do the CF scan again. If the file exists, please post its contents. Please tell me exactly what issues you have with CF.

CF = ComboFix. :)
  • 0

#33
velarie2112 (Member, Topic Starter, 108 posts)
Fudged up = Made a mistake.


ERROR
First I get the error message to disable Symantec and that I'm proceeding at my own risk.

CMD
Please wait.
ComboFix is preparing to run.

Attempting to create a new System Restore point.

ERROR
Next I get the error for Windows Recovery Console. And I choose no to downloading the file.

CMD
Scanning for infected files . . .
[blinking cursor]



There was no file under C:. I was already running ComboFix again. I'll be more patient, lol. What would be the maximum amount of time I should let this run?
  • 0

#34
Machiavelli (GeekU Moderator, 4,722 posts)

Fudged up = Made a mistake.

Thanks for the English lesson, Velarie. :)

What would be the maximum amount of time I should let this run?

30 - 40 minutes. Normally it runs 10 - 15 minutes, but on highly infected machines it can be longer.

Gerrit :)
  • 0

#35
velarie2112 (Member, Topic Starter, 108 posts)
I let it run for over 40 minutes. It never did anything. When I closed it, it printed a line, "^C^C" before closing.

I've also noticed that the last three or four times I booted the system, it has me go through the log in process twice before loading the desktop. Just FYI.
  • 0

#36
Machiavelli (GeekU Moderator, 4,722 posts)
Sorry, I know it looks like I'm always doing the same thing, but I must see what the current state of the system is. Hopefully the scan below works without problems.

Do all the steps below in Normal Mode if possible.

First,
please do an RKILL scan again. Download it from here and save it to your Desktop. Run it. Wait until it is finished and post the contents of RKILL.txt.

Farbar Recovery Scan Tool (FRST)

  • Run FRST.
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

Then,
search for this file: C:\ComboFix.txt. If the file exists, please post its contents.
  • 0

#37
velarie2112 (Member, Topic Starter, 108 posts)
So after the laptop sat for two days (I was very busy) I booted it this morning and it loaded the REATOGO-X-PE completely. I ran FRST and the log is below.

*****************************************************************
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-02-2014 02
Ran by SYSTEM on REATOGO on 09-02-2014 11:44:45
Running from B:\Documents and Settings\Default User\Desktop
Microsoft Windows XP (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet004
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.


The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingc...can-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingc...can-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo...very-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [KernelFaultCheck] - %systemroot%\system32\dumprep 0 -k
HKLM\...\Run: [Scheduler] - C:\WINDOWS\SMINST\Scheduler.exe [94736 2014-01-30] ()
HKLM\...\Run: [Reminder] - C:\WINDOWS\Creator\Remind_XP.exe [94736 2014-01-30] ()
HKLM\...\Run: [Recguard] - C:\WINDOWS\Sminst\Recguard.exe [94736 2014-01-30] ()
HKLM\...\Run: [MsmqIntCert] - regsvr32 /s mqrt.dll
HKLM\...\Run: [hpWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [94736 2014-01-30] ()
HKLM\...\Run: [Cpqset] - C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe [94736 2014-01-30] ()
HKLM\...\Run: [CognizanceTS] - C:\Program Files\Hewlett-Packard\IAM\Bin\ASTSVCC.dll [17920 2003-12-22] (Cognizance Corporation)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [94736 2014-01-30] ()
HKLM\...\Run: [HPHmon06] - C:\WINDOWS\system32\hphmon06.exe [622592 2004-12-16] (Hewlett-Packard)
HKLM\...\Run: [HPDJ Taskbar Utility] - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb13.exe [172032 2004-11-24] (HP)
HKLM\...\Run: [MSConfig] - C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE [169984 2008-04-14] (Microsoft Corporation)
Winlogon\Notify\AtiExtEvent: C:\Windows\system32\Ati2evxx.dll (ATI Technologies Inc.)
Winlogon\Notify\NavLogon: C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
Winlogon\Notify\OneCard: C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll (Cognizance Corporation)
HKLM\...\Policies\Explorer: [NoSetActiveDesktop] 1
Lsa: [Notification Packages] scecli ASWLNPkg

========================== Services (Whitelisted) =================

S4 !SASCORE; C:\AdwCleaner\newsas\SASCORE.EXE [120088 2013-10-10] (SUPERAntiSpyware.com)
S2 6to4; C:\WINDOWS\system32\6to4ex.dll [73748 2004-08-17] ()
S2 ASBroker; C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll [74240 2007-02-06] (Cognizance Corporation)
S2 ASChannel; C:\Program Files\Hewlett-Packard\IAM\Bin\ASChnl.dll [131584 2006-06-22] (Cognizance Corporation)
S4 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [185968 2005-10-04] (Symantec Corporation)
S4 ccPwdSvc; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [83568 2005-10-04] (Symantec Corporation)
S4 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [177776 2005-10-04] (Symantec Corporation)
S4 DefWatch; C:\Program Files\Symantec AntiVirus\DefWatch.exe [20208 2005-11-15] (Symantec Corporation)
S4 HP Port Resolver; C:\WINDOWS\system32\hpbpro.exe [77824 2004-06-02] (Hewlett-Packard Company)
S4 HP Status Server; C:\WINDOWS\system32\hpboid.exe [73728 2004-06-02] (Hewlett-Packard Company)
S4 msftesql$PROPHETSQL; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [92952 2006-08-28] (Microsoft Corporation)
S4 MSIServer; C:\Windows\System32\msiexec.exe [78848 2008-04-14] ()
S2 MSMQ; C:\WINDOWS\system32\mqsvc.exe [4608 2008-04-14] (Microsoft Corporation)
S2 MSMQTriggers; C:\WINDOWS\system32\mqtgsvc.exe [117248 2008-04-14] (Microsoft Corporation)
S4 MSSQL$PROPHETSQL; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29181272 2008-12-18] (Microsoft Corporation)
S4 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [45272 2005-10-14] (Microsoft Corporation)
S4 PCA; C:\WINDOWS\SMINST\PCAngel.exe [294912 2006-01-12] (SoftThinks)
S4 SavRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [169200 2005-11-15] (symantec)
S4 SNDSrvc; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [214672 2005-10-19] (Symantec Corporation)
S4 SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [79360 2008-01-17] (SolidWorks)
S4 SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [992864 2005-03-30] (Symantec Corporation)
S4 Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [1756912 2005-11-15] (Symantec Corporation)
S4 WinVNC4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [926712 2007-06-05] (RealVNC Ltd.)

==================== Drivers (Whitelisted) ====================

S1 AmdK8; C:\Windows\System32\DRIVERS\AmdK8.sys [36864 2006-07-02] (Advanced Micro Devices)
S3 ATSWPDRV; C:\Windows\System32\DRIVERS\ATSwpDrv.sys [140808 2007-04-10] (AuthenTec, Inc.)
S3 BCM43XX; C:\Windows\System32\DRIVERS\bcmwl5.sys [604928 2006-11-01] (Broadcom Corporation)
S3 BTKRNL; C:\Windows\System32\DRIVERS\btkrnl.sys [868298 2007-02-14] (Broadcom Corporation.)
S3 BTWUSB; C:\Windows\System32\Drivers\btwusb.sys [67960 2007-02-14] (Broadcom Corporation.)
S1 eabfiltr; C:\Windows\System32\DRIVERS\eabfiltr.sys [8192 2006-11-30] (Hewlett-Packard Development Company, L.P.)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [371248 2010-05-27] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [102448 2010-05-27] (Symantec Corporation)
S3 gfiark; C:\Windows\System32\drivers\gfiark.sys [43368 2013-05-23] (ThreatTrack Security)
S3 gfiutil; C:\Windows\System32\drivers\gfiutil.sys [24040 2013-09-04] (ThreatTrack Security)
S3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49920 2005-10-21] (HP)
S3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2005-10-21] (HP)
S3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2005-10-21] (HP)
S3 IFXTPM; C:\Windows\System32\DRIVERS\IFXTPM.SYS [36608 2006-09-19] (Infineon Technologies AG)
S3 MQAC; C:\WINDOWS\system32\drivers\mqac.sys [92544 2008-04-14] (Microsoft Corporation)
S3 mvb35316; C:\Windows\System32\Drivers\mvb35316.sys [12800 2009-02-09] ()
S3 NAVENG; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100924.004\naveng.sys [85424 2010-07-15] (Symantec Corporation)
S3 NAVEX15; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100924.004\navex15.sys [1362608 2010-07-15] (Symantec Corporation)
S3 PalmUSBD; C:\Windows\System32\drivers\PalmUSBD.sys [16694 2004-06-09] (PalmSource, Inc.)
S3 Rasirda; C:\Windows\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
S1 SASDIFSV; C:\AdwCleaner\newsas\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\AdwCleaner\newsas\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SAVRT; C:\Program Files\Symantec AntiVirus\savrt.sys [334984 2005-08-26] (Symantec Corporation)
S1 SAVRTPEL; C:\Program Files\Symantec AntiVirus\Savrtpel.sys [53896 2005-08-26] (Symantec Corporation)
S3 slabbus; C:\Windows\System32\DRIVERS\slabbus.sys [66672 2007-03-01] (MCCI)
S3 slabser; C:\Windows\System32\DRIVERS\slabser.sys [100400 2007-03-01] (MCCI)
S3 SMCIRDA; C:\Windows\System32\DRIVERS\smcirda.sys [35913 2001-08-17] (SMC)
S3 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [372832 2005-03-30] (Symantec Corporation)
S3 SymEvent; C:\Program Files\Symantec\SYMEVENT.SYS [108168 2005-09-17] (Symantec Corporation)
S3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [24720 2005-10-19] (Symantec Corporation)
S1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [195728 2005-10-19] (Symantec Corporation)
S0 mafqlvq; No ImagePath
S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)
S3 VPROEVENTMONITOR; \??\C:\WINDOWS\system32\drivers\VProEventMonitor.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-02-06 16:37 - 2014-02-06 16:40 - 00000000 ___SD () C:\Machiavelli
2014-02-06 15:50 - 2011-06-26 01:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-02-06 15:50 - 2010-11-07 12:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-02-06 15:50 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-02-06 15:50 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-02-06 15:50 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-02-06 15:50 - 2000-08-30 19:00 - 00212480 _____ (SteelWerX) C:\Windows\SWXCACLS.exe
2014-02-06 15:50 - 2000-08-30 19:00 - 00098816 _____ () C:\Windows\sed.exe
2014-02-06 15:50 - 2000-08-30 19:00 - 00080412 _____ () C:\Windows\grep.exe
2014-02-06 15:50 - 2000-08-30 19:00 - 00068096 _____ () C:\Windows\zip.exe
2014-02-06 15:44 - 2014-02-06 15:49 - 00000000 ____D () C:\Qoobox
2014-02-06 15:44 - 2014-02-06 15:44 - 00000000 ____D () C:\Windows\erdnt
2014-02-05 14:02 - 2014-02-06 15:43 - 00000000 ____D () C:\FRST
2014-02-04 01:39 - 2014-02-04 01:39 - 00000000 ____D () C:\pukingsoft
2014-02-04 01:14 - 2014-02-04 01:14 - 00000000 _____ () C:\Windows\System32\SBRC.dat
2014-02-04 01:13 - 2013-09-04 14:57 - 00024040 _____ (ThreatTrack Security) C:\Windows\System32\Drivers\gfiutil.sys
2014-02-04 01:13 - 2013-05-23 08:39 - 00043368 _____ (ThreatTrack Security) C:\Windows\System32\Drivers\gfiark.sys
2014-02-04 01:11 - 2014-02-04 01:13 - 00000000 ____D () C:\VIPRERESCUE
2014-02-03 21:43 - 2013-04-04 15:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2014-02-03 21:31 - 2014-02-03 21:31 - 00000000 _____ () C:\Windows\System32\15724.exe
2014-02-03 21:11 - 2014-02-03 21:11 - 00000000 _____ () C:\Windows\System32\19169.exe
2014-02-03 20:19 - 2014-02-03 20:19 - 00000000 ____D () C:\Tech Support
2014-02-03 17:57 - 2014-02-04 01:32 - 00000000 ____D () C:\AdwCleaner
2014-02-03 17:55 - 2014-02-03 19:59 - 00005127 _____ () C:\Windows\setupapi.log
2014-02-03 16:30 - 2014-02-03 20:51 - 00000000 _____ () C:\Windows\System32\26500.exe
2014-02-03 16:25 - 2014-02-03 16:25 - 00094828 ____H () C:\Windows\wininst.exe
2014-02-03 16:25 - 2014-02-03 16:25 - 00094828 ____H () C:\Windows\system.exe
2014-01-30 16:11 - 2014-02-04 02:06 - 00000000 _____ () C:\Windows\System32\6334.exe
2014-01-30 12:52 - 2014-02-05 13:35 - 00000000 _____ () C:\Windows\System32\18467.exe
2014-01-30 12:12 - 2014-02-06 11:21 - 00000000 _____ () C:\Windows\System32\ES17.exe

==================== One Month Modified Files and Folders =======

2014-02-06 17:28 - 2010-09-26 22:28 - 00636786 _____ () C:\Windows\WindowsUpdate.log
2014-02-06 16:40 - 2014-02-06 16:37 - 00000000 ___SD () C:\Machiavelli
2014-02-06 16:38 - 2004-08-07 08:14 - 00678654 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-02-06 16:34 - 2010-09-26 22:35 - 00002206 _____ () C:\Windows\System32\wpa.dbl
2014-02-06 16:34 - 2007-10-04 10:36 - 00000000 ____D () C:\Windows\System32\Restore
2014-02-06 15:49 - 2014-02-06 15:44 - 00000000 ____D () C:\Qoobox
2014-02-06 15:46 - 2004-08-07 08:03 - 00000603 _____ () C:\Windows\win.ini
2014-02-06 15:46 - 2004-08-07 07:57 - 00000223 ___SH () C:\boot.ini
2014-02-06 15:46 - 2004-08-07 00:53 - 00000227 _____ () C:\Windows\system.ini
2014-02-06 15:44 - 2014-02-06 15:44 - 00000000 ____D () C:\Windows\erdnt
2014-02-06 15:43 - 2014-02-05 14:02 - 00000000 ____D () C:\FRST
2014-02-06 11:21 - 2014-01-30 12:12 - 00000000 _____ () C:\Windows\System32\ES17.exe
2014-02-06 11:21 - 2010-09-30 21:36 - 00000000 _____ () C:\Windows\System32\41.exe
2014-02-06 11:21 - 2010-09-30 21:35 - 00004278 _____ () C:\Windows\System32\warnings.html
2014-02-05 13:35 - 2014-01-30 12:52 - 00000000 _____ () C:\Windows\System32\18467.exe
2014-02-05 12:42 - 2010-09-26 22:38 - 00000216 _____ () C:\Windows\wiadebug.log
2014-02-05 12:42 - 2010-09-26 22:38 - 00000048 _____ () C:\Windows\wiaservc.log
2014-02-05 12:42 - 2010-09-26 22:36 - 00032652 _____ () C:\Windows\SchedLgU.Txt
2014-02-05 11:37 - 2007-10-04 11:31 - 00524288 _____ () C:\Windows\System32\config\ACEEvent.evt
2014-02-05 11:36 - 2007-10-04 12:06 - 00000000 ____D () C:\Windows\SMINST
2014-02-04 15:39 - 2007-12-03 23:12 - 00000000 __SHD () C:\Windows\CSC
2014-02-04 02:06 - 2014-01-30 16:11 - 00000000 _____ () C:\Windows\System32\6334.exe
2014-02-04 01:39 - 2014-02-04 01:39 - 00000000 ____D () C:\pukingsoft
2014-02-04 01:32 - 2014-02-03 17:57 - 00000000 ____D () C:\AdwCleaner
2014-02-04 01:14 - 2014-02-04 01:14 - 00000000 _____ () C:\Windows\System32\SBRC.dat
2014-02-04 01:13 - 2014-02-04 01:11 - 00000000 ____D () C:\VIPRERESCUE
2014-02-03 21:55 - 2007-12-03 22:48 - 00000000 ____D () C:\Windows\pss
2014-02-03 21:31 - 2014-02-03 21:31 - 00000000 _____ () C:\Windows\System32\15724.exe
2014-02-03 21:11 - 2014-02-03 21:11 - 00000000 _____ () C:\Windows\System32\19169.exe
2014-02-03 20:51 - 2014-02-03 16:30 - 00000000 _____ () C:\Windows\System32\26500.exe
2014-02-03 20:19 - 2014-02-03 20:19 - 00000000 ____D () C:\Tech Support
2014-02-03 19:59 - 2014-02-03 17:55 - 00005127 _____ () C:\Windows\setupapi.log
2014-02-03 16:25 - 2014-02-03 16:25 - 00094828 ____H () C:\Windows\wininst.exe
2014-02-03 16:25 - 2014-02-03 16:25 - 00094828 ____H () C:\Windows\system.exe
2014-02-03 15:47 - 2008-04-07 14:44 - 00000000 ____D () C:\Program Files\Symantec AntiVirus
2014-01-30 13:27 - 2007-10-04 12:06 - 00000000 ____D () C:\Windows\CREATOR

Files to move or delete:
====================
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At10.job
C:\Windows\Tasks\At100.job
C:\Windows\Tasks\At101.job
C:\Windows\Tasks\At102.job
C:\Windows\Tasks\At103.job
C:\Windows\Tasks\At104.job
C:\Windows\Tasks\At105.job
C:\Windows\Tasks\At106.job
C:\Windows\Tasks\At107.job
C:\Windows\Tasks\At108.job
C:\Windows\Tasks\At109.job
C:\Windows\Tasks\At11.job
C:\Windows\Tasks\At110.job
C:\Windows\Tasks\At111.job
C:\Windows\Tasks\At112.job
C:\Windows\Tasks\At113.job
C:\Windows\Tasks\At114.job
C:\Windows\Tasks\At115.job
C:\Windows\Tasks\At116.job
C:\Windows\Tasks\At117.job
C:\Windows\Tasks\At118.job
C:\Windows\Tasks\At119.job
C:\Windows\Tasks\At12.job
C:\Windows\Tasks\At120.job
C:\Windows\Tasks\At121.job
C:\Windows\Tasks\At122.job
C:\Windows\Tasks\At123.job
C:\Windows\Tasks\At124.job
C:\Windows\Tasks\At125.job
C:\Windows\Tasks\At126.job
C:\Windows\Tasks\At127.job
C:\Windows\Tasks\At128.job
C:\Windows\Tasks\At129.job
C:\Windows\Tasks\At13.job
C:\Windows\Tasks\At130.job
C:\Windows\Tasks\At131.job
C:\Windows\Tasks\At132.job
C:\Windows\Tasks\At133.job
C:\Windows\Tasks\At134.job
C:\Windows\Tasks\At135.job
C:\Windows\Tasks\At136.job
C:\Windows\Tasks\At137.job
C:\Windows\Tasks\At138.job
C:\Windows\Tasks\At139.job
C:\Windows\Tasks\At14.job
C:\Windows\Tasks\At140.job
C:\Windows\Tasks\At141.job
C:\Windows\Tasks\At142.job
C:\Windows\Tasks\At143.job
C:\Windows\Tasks\At144.job
C:\Windows\Tasks\At145.job
C:\Windows\Tasks\At146.job
C:\Windows\Tasks\At147.job
C:\Windows\Tasks\At148.job
C:\Windows\Tasks\At149.job
C:\Windows\Tasks\At15.job
C:\Windows\Tasks\At150.job
C:\Windows\Tasks\At151.job
C:\Windows\Tasks\At152.job
C:\Windows\Tasks\At153.job
C:\Windows\Tasks\At154.job
C:\Windows\Tasks\At155.job
C:\Windows\Tasks\At156.job
C:\Windows\Tasks\At157.job
C:\Windows\Tasks\At158.job
C:\Windows\Tasks\At159.job
C:\Windows\Tasks\At16.job
C:\Windows\Tasks\At160.job
C:\Windows\Tasks\At161.job
C:\Windows\Tasks\At162.job
C:\Windows\Tasks\At163.job
C:\Windows\Tasks\At164.job
C:\Windows\Tasks\At165.job
C:\Windows\Tasks\At166.job
C:\Windows\Tasks\At167.job
C:\Windows\Tasks\At168.job
C:\Windows\Tasks\At169.job
C:\Windows\Tasks\At17.job
C:\Windows\Tasks\At170.job
C:\Windows\Tasks\At171.job
C:\Windows\Tasks\At172.job
C:\Windows\Tasks\At173.job
C:\Windows\Tasks\At174.job
C:\Windows\Tasks\At175.job
C:\Windows\Tasks\At176.job
C:\Windows\Tasks\At177.job
C:\Windows\Tasks\At178.job
C:\Windows\Tasks\At179.job
C:\Windows\Tasks\At18.job
C:\Windows\Tasks\At180.job
C:\Windows\Tasks\At181.job
C:\Windows\Tasks\At182.job
C:\Windows\Tasks\At183.job
C:\Windows\Tasks\At184.job
C:\Windows\Tasks\At185.job
C:\Windows\Tasks\At186.job
C:\Windows\Tasks\At187.job
C:\Windows\Tasks\At188.job
C:\Windows\Tasks\At189.job
C:\Windows\Tasks\At19.job
C:\Windows\Tasks\At190.job
C:\Windows\Tasks\At191.job
C:\Windows\Tasks\At192.job
C:\Windows\Tasks\At193.job
C:\Windows\Tasks\At194.job
C:\Windows\Tasks\At195.job
C:\Windows\Tasks\At196.job
C:\Windows\Tasks\At197.job
C:\Windows\Tasks\At198.job
C:\Windows\Tasks\At199.job
C:\Windows\Tasks\At2.job
C:\Windows\Tasks\At20.job
C:\Windows\Tasks\At200.job
C:\Windows\Tasks\At201.job
C:\Windows\Tasks\At202.job
C:\Windows\Tasks\At203.job
C:\Windows\Tasks\At204.job
C:\Windows\Tasks\At205.job
C:\Windows\Tasks\At206.job
C:\Windows\Tasks\At207.job
C:\Windows\Tasks\At208.job
C:\Windows\Tasks\At209.job
C:\Windows\Tasks\At21.job
C:\Windows\Tasks\At210.job
C:\Windows\Tasks\At211.job
C:\Windows\Tasks\At212.job
C:\Windows\Tasks\At213.job
C:\Windows\Tasks\At214.job
C:\Windows\Tasks\At215.job
C:\Windows\Tasks\At216.job
C:\Windows\Tasks\At217.job
C:\Windows\Tasks\At218.job
C:\Windows\Tasks\At219.job
C:\Windows\Tasks\At22.job
C:\Windows\Tasks\At220.job
C:\Windows\Tasks\At221.job
C:\Windows\Tasks\At222.job
C:\Windows\Tasks\At223.job
C:\Windows\Tasks\At224.job
C:\Windows\Tasks\At225.job
C:\Windows\Tasks\At226.job
C:\Windows\Tasks\At227.job
C:\Windows\Tasks\At228.job
C:\Windows\Tasks\At229.job
C:\Windows\Tasks\At23.job
C:\Windows\Tasks\At230.job
C:\Windows\Tasks\At231.job
C:\Windows\Tasks\At232.job
C:\Windows\Tasks\At233.job
C:\Windows\Tasks\At234.job
C:\Windows\Tasks\At235.job
C:\Windows\Tasks\At236.job
C:\Windows\Tasks\At237.job
C:\Windows\Tasks\At238.job
C:\Windows\Tasks\At239.job
C:\Windows\Tasks\At24.job
C:\Windows\Tasks\At240.job
C:\Windows\Tasks\At241.job
C:\Windows\Tasks\At242.job
C:\Windows\Tasks\At243.job
C:\Windows\Tasks\At244.job
C:\Windows\Tasks\At245.job
C:\Windows\Tasks\At246.job
C:\Windows\Tasks\At247.job
C:\Windows\Tasks\At248.job
C:\Windows\Tasks\At249.job
C:\Windows\Tasks\At25.job
C:\Windows\Tasks\At250.job
C:\Windows\Tasks\At251.job
C:\Windows\Tasks\At252.job
C:\Windows\Tasks\At253.job
C:\Windows\Tasks\At254.job
C:\Windows\Tasks\At255.job
C:\Windows\Tasks\At256.job
C:\Windows\Tasks\At257.job
C:\Windows\Tasks\At258.job
C:\Windows\Tasks\At259.job
C:\Windows\Tasks\At26.job
C:\Windows\Tasks\At260.job
C:\Windows\Tasks\At261.job
C:\Windows\Tasks\At262.job
C:\Windows\Tasks\At263.job
C:\Windows\Tasks\At264.job
C:\Windows\Tasks\At265.job
C:\Windows\Tasks\At266.job
C:\Windows\Tasks\At267.job
C:\Windows\Tasks\At268.job
C:\Windows\Tasks\At269.job
C:\Windows\Tasks\At27.job
C:\Windows\Tasks\At270.job
C:\Windows\Tasks\At271.job
C:\Windows\Tasks\At272.job
C:\Windows\Tasks\At273.job
C:\Windows\Tasks\At274.job
C:\Windows\Tasks\At275.job
C:\Windows\Tasks\At276.job
C:\Windows\Tasks\At277.job
C:\Windows\Tasks\At278.job
C:\Windows\Tasks\At279.job
C:\Windows\Tasks\At28.job
C:\Windows\Tasks\At280.job
C:\Windows\Tasks\At281.job
C:\Windows\Tasks\At282.job
C:\Windows\Tasks\At283.job
C:\Windows\Tasks\At284.job
C:\Windows\Tasks\At285.job
C:\Windows\Tasks\At286.job
C:\Windows\Tasks\At287.job
C:\Windows\Tasks\At288.job
C:\Windows\Tasks\At289.job
C:\Windows\Tasks\At29.job
C:\Windows\Tasks\At290.job
C:\Windows\Tasks\At291.job
C:\Windows\Tasks\At292.job
C:\Windows\Tasks\At293.job
C:\Windows\Tasks\At294.job
C:\Windows\Tasks\At295.job
C:\Windows\Tasks\At296.job
C:\Windows\Tasks\At297.job
C:\Windows\Tasks\At298.job
C:\Windows\Tasks\At299.job
C:\Windows\Tasks\At3.job
C:\Windows\Tasks\At30.job
C:\Windows\Tasks\At300.job
C:\Windows\Tasks\At301.job
C:\Windows\Tasks\At302.job
C:\Windows\Tasks\At303.job
C:\Windows\Tasks\At304.job
C:\Windows\Tasks\At305.job
C:\Windows\Tasks\At306.job
C:\Windows\Tasks\At307.job
C:\Windows\Tasks\At308.job
C:\Windows\Tasks\At309.job
C:\Windows\Tasks\At31.job
C:\Windows\Tasks\At310.job
C:\Windows\Tasks\At311.job
C:\Windows\Tasks\At312.job
C:\Windows\Tasks\At313.job
C:\Windows\Tasks\At314.job
C:\Windows\Tasks\At315.job
C:\Windows\Tasks\At316.job
C:\Windows\Tasks\At317.job
C:\Windows\Tasks\At318.job
C:\Windows\Tasks\At319.job
C:\Windows\Tasks\At32.job
C:\Windows\Tasks\At320.job
C:\Windows\Tasks\At321.job
C:\Windows\Tasks\At322.job
C:\Windows\Tasks\At323.job
C:\Windows\Tasks\At324.job
C:\Windows\Tasks\At325.job
C:\Windows\Tasks\At326.job
C:\Windows\Tasks\At327.job
C:\Windows\Tasks\At328.job
C:\Windows\Tasks\At329.job
C:\Windows\Tasks\At33.job
C:\Windows\Tasks\At330.job
C:\Windows\Tasks\At331.job
C:\Windows\Tasks\At332.job
C:\Windows\Tasks\At333.job
C:\Windows\Tasks\At334.job
C:\Windows\Tasks\At335.job
C:\Windows\Tasks\At336.job
C:\Windows\Tasks\At337.job
C:\Windows\Tasks\At338.job
C:\Windows\Tasks\At339.job
C:\Windows\Tasks\At34.job
C:\Windows\Tasks\At340.job
C:\Windows\Tasks\At341.job
C:\Windows\Tasks\At342.job
C:\Windows\Tasks\At343.job
C:\Windows\Tasks\At344.job
C:\Windows\Tasks\At345.job
C:\Windows\Tasks\At346.job
C:\Windows\Tasks\At347.job
C:\Windows\Tasks\At348.job
C:\Windows\Tasks\At349.job
C:\Windows\Tasks\At35.job
C:\Windows\Tasks\At350.job
C:\Windows\Tasks\At351.job
C:\Windows\Tasks\At352.job
C:\Windows\Tasks\At353.job
C:\Windows\Tasks\At354.job
C:\Windows\Tasks\At355.job
C:\Windows\Tasks\At356.job
C:\Windows\Tasks\At357.job
C:\Windows\Tasks\At358.job
C:\Windows\Tasks\At359.job
C:\Windows\Tasks\At36.job
C:\Windows\Tasks\At360.job
C:\Windows\Tasks\At361.job
C:\Windows\Tasks\At362.job
C:\Windows\Tasks\At363.job
C:\Windows\Tasks\At364.job
C:\Windows\Tasks\At365.job
C:\Windows\Tasks\At366.job
C:\Windows\Tasks\At367.job
C:\Windows\Tasks\At368.job
C:\Windows\Tasks\At369.job
C:\Windows\Tasks\At37.job
C:\Windows\Tasks\At370.job
C:\Windows\Tasks\At371.job
C:\Windows\Tasks\At372.job
C:\Windows\Tasks\At373.job
C:\Windows\Tasks\At374.job
C:\Windows\Tasks\At375.job
C:\Windows\Tasks\At376.job
C:\Windows\Tasks\At377.job
C:\Windows\Tasks\At378.job
C:\Windows\Tasks\At379.job
C:\Windows\Tasks\At38.job
C:\Windows\Tasks\At380.job
C:\Windows\Tasks\At381.job
C:\Windows\Tasks\At382.job
C:\Windows\Tasks\At383.job
C:\Windows\Tasks\At384.job
C:\Windows\Tasks\At39.job
C:\Windows\Tasks\At4.job
C:\Windows\Tasks\At40.job
C:\Windows\Tasks\At41.job
C:\Windows\Tasks\At42.job
C:\Windows\Tasks\At43.job
C:\Windows\Tasks\At44.job
C:\Windows\Tasks\At45.job
C:\Windows\Tasks\At46.job
C:\Windows\Tasks\At47.job
C:\Windows\Tasks\At48.job
C:\Windows\Tasks\At49.job
C:\Windows\Tasks\At5.job
C:\Windows\Tasks\At50.job
C:\Windows\Tasks\At51.job
C:\Windows\Tasks\At52.job
C:\Windows\Tasks\At53.job
C:\Windows\Tasks\At54.job
C:\Windows\Tasks\At55.job
C:\Windows\Tasks\At56.job
C:\Windows\Tasks\At57.job
C:\Windows\Tasks\At58.job
C:\Windows\Tasks\At59.job
C:\Windows\Tasks\At6.job
C:\Windows\Tasks\At60.job
C:\Windows\Tasks\At61.job
C:\Windows\Tasks\At62.job
C:\Windows\Tasks\At63.job
C:\Windows\Tasks\At64.job
C:\Windows\Tasks\At65.job
C:\Windows\Tasks\At66.job
C:\Windows\Tasks\At67.job
C:\Windows\Tasks\At68.job
C:\Windows\Tasks\At69.job
C:\Windows\Tasks\At7.job
C:\Windows\Tasks\At70.job
C:\Windows\Tasks\At71.job
C:\Windows\Tasks\At72.job
C:\Windows\Tasks\At73.job
C:\Windows\Tasks\At74.job
C:\Windows\Tasks\At75.job
C:\Windows\Tasks\At76.job
C:\Windows\Tasks\At77.job
C:\Windows\Tasks\At78.job
C:\Windows\Tasks\At79.job
C:\Windows\Tasks\At8.job
C:\Windows\Tasks\At80.job
C:\Windows\Tasks\At81.job
C:\Windows\Tasks\At82.job
C:\Windows\Tasks\At83.job
C:\Windows\Tasks\At84.job
C:\Windows\Tasks\At85.job
C:\Windows\Tasks\At86.job
C:\Windows\Tasks\At87.job
C:\Windows\Tasks\At88.job
C:\Windows\Tasks\At89.job
C:\Windows\Tasks\At9.job
C:\Windows\Tasks\At90.job
C:\Windows\Tasks\At91.job
C:\Windows\Tasks\At92.job
C:\Windows\Tasks\At93.job
C:\Windows\Tasks\At94.job
C:\Windows\Tasks\At95.job
C:\Windows\Tasks\At96.job
C:\Windows\Tasks\At97.job
C:\Windows\Tasks\At98.job
C:\Windows\Tasks\At99.job


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points (XP) =====================


==================== Memory info ===========================

Percentage of memory in use: 50%
Total physical RAM: 447.23 MB
Available physical RAM: 221.48 MB
Total Pagefile: 363.06 MB
Available Pagefile: 264.34 MB
Total Virtual: 2047.88 MB
Available Virtual: 2001.51 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: () (Fixed) (Total:64.78 GB) (Free:27.32 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (USB DISK) (Removable) (Total:3.61 GB) (Free:3.6 GB) FAT32
Drive e: (HP_RECOVERY) (Fixed) (Total:9.74 GB) (Free:9.48 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 75 GB) (Disk ID: 95AA95AA)
Partition 1: (Active) - (Size=65 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=10 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=4 GB) - (Type=0C)

==================== End Of Log ============================
  • 0

#38
Machiavelli (GeekU Moderator, 4,722 posts)
You are great! So well done! I will come with further instructions later, velarie. :)
  • 0

#39
velarie2112 (Member, Topic Starter, 108 posts)
:)
  • 0

#40
Machiavelli (GeekU Moderator, 4,722 posts)
Hey velarie,

C:\pukingsoft

Can you tell me something about that? Do you know what this is?

In your logs I see a Backdoor. That means that your machine is infected with some nasty files which can steal some information. It is difficult to tell whether or not any data has been stolen and finding out which is true instead of doing countermeasures is unproductive. In this light, for your safety, assume that your log-in details and other information have been accessed by another source.
Below are the steps that you should administer:
  • Please disconnect from the Internet! Also don't use it while we are cleaning the infected machine. This is especially true when you are using the computer in question for online banking and other sites that require sensitive and personal information.
  • It is strongly advised that you change your passwords on a clean PC and notify the bank immediately to watch out for suspicious transactions.
I can try to clean the infection, but I have to say your computer is very likely compromised and there is no way to be sure it can ever again be trusted. Experts in the security community believe that a reformat and re-installation of the operating system is the best solution. Please peruse the following if you would like to know more:
Now you decide if you want to reformat the PC or to clean the PC. Think about it and choose the best solution for you! Let me know of your decision. If you decide to proceed with the cleaning, please proceed with the following steps.

Open notepad on a clean PC. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

C:\Windows\Tasks\At*.job
HKLM\...\Run: [KernelFaultCheck] - %systemroot%\system32\dumprep 0 -k
S2 6to4; C:\WINDOWS\system32\6to4ex.dll [73748 2004-08-17] ()
S3 mvb35316; C:\Windows\System32\Drivers\mvb35316.sys [12800 2009-02-09] ()
S0 mafqlvq; No ImagePath
C:\Windows\System32\15724.exe
C:\Windows\System32\19169.exe
C:\Windows\System32\26500.exe
C:\Windows\wininst.exe
C:\Windows\system.exe
C:\Windows\System32\6334.exe
C:\Windows\System32\18467.exe
C:\Windows\System32\ES17.exe
C:\Windows\System32\41.exe
C:\Windows\System32\warnings.html


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


On Windows XP: Now please boot into the PE (Preinstallation Environment) disk. (like you did before)

Run FRST and press the Fix button just once and wait.
The tool will generate a log on the flash drive (Fixlog.txt); please post it in your reply.

 

Please boot the PC again. Tell me how it is working.
  • 0

#41
velarie2112

velarie2112

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 108 posts
Well that would explain why I had to hack into my own laptop when the password stopped working, lol. Right now it is just set to blank pass for admin anyway. I haven't connected it to my network/internet at all over concerns about the seriousness of the infection. This was a secondary machine and should not have any current banking or other sensitive data on it anymore. It hasn't even been used in some time.

However, in the documents folder I have data for an old business that I need for taxes. Is it possible to recover the system just enough to retrieve that data? There are no executables that I need just office documents. Could they be scanned before transferring to a new machine? If it weren't for that data I would have already wiped the system. I knew it was FUBAR. If it is possible to retrieve the data that would be awesome! I can wipe the system myself after that.

C:/pukingsoft was an alternate install location for MBAM or something else I did. If it has a body part, body function, expletive, food, or cookware in the application/folder title, it was probably me, lol.

So I am going to run FRST since I am interested in recovering my data. Let me know if you feel this is feasible.

Thanks,
Val
  • 0

#42
velarie2112

velarie2112

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 108 posts
Also, could you please identify which entries in the log indicate a backdoor so that I can watch for these in the future? Thanks!
  • 0

#43
Machiavelli

Machiavelli

    GeekU Moderator

  • GeekU Moderator
  • 4,722 posts

So I am going to run FRST since I am interested in recovering my data. Let me know if you feel this is feasible.

I would suggest that we get the system running and then save the files. We can of course remove all the Malware etc. and then save the data. Tell me what you would like to do. Please do the FRST Fix.

Also, could you please identify which entries in the log indicate a backdoor so that I can watch for these in the future? Thanks!


S3 mvb35316; C:\Windows\System32\Drivers\mvb35316.sys [12800 2009-02-09] ()
C:\Windows\System32\15724.exe
C:\Windows\System32\19169.exe
C:\Windows\System32\26500.exe
C:\Windows\wininst.exe
C:\Windows\system.exe
C:\Windows\System32\6334.exe
C:\Windows\System32\18467.exe
C:\Windows\System32\ES17.exe
C:\Windows\System32\41.exe

These lines are related to this Backdoor and this RootKit.
  • 0

#44
velarie2112

velarie2112

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 108 posts
FRST seemed to run fine. Log below. I had to force a reboot though and I'm not sure why. Booted to selective boot and got all the normal application and hardware errors, but no DLL error and no malicious pop ups and I only had to log in once. New error, "Scheduler has encountered a problem and needs to close." Opened msconfig and changed back to normal startup. Reboot. Normal app/HW errors and DLL error. Very slow boot. Explorer.exe, "Memory could not be written." Scheduler error. No malicious pop ups.

******************************************************
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 09-02-2014 02
Ran by SYSTEM at 2014-02-10 11:19:59 Run:3
Running from B:\Documents and Settings\Default User\Desktop
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
C:\Windows\Tasks\At*.job
HKLM\...\Run: [KernelFaultCheck] - %systemroot%\system32\dumprep 0 -k
S2 6to4; C:\WINDOWS\system32\6to4ex.dll [73748 2004-08-17] ()
S3 mvb35316; C:\Windows\System32\Drivers\mvb35316.sys [12800 2009-02-09] ()
S0 mafqlvq; No ImagePath
C:\Windows\System32\15724.exe
C:\Windows\System32\19169.exe
C:\Windows\System32\26500.exe
C:\Windows\wininst.exe
C:\Windows\system.exe
C:\Windows\System32\6334.exe
C:\Windows\System32\18467.exe
C:\Windows\System32\ES17.exe
C:\Windows\System32\41.exe
C:\Windows\System32\warnings.html
*****************

C:\Windows\Tasks\At*.job => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck => Value deleted successfully.
6to4 => Service deleted successfully.
mvb35316 => Service deleted successfully.
mafqlvq => Service deleted successfully.
C:\Windows\System32\15724.exe => Moved successfully.
C:\Windows\System32\19169.exe => Moved successfully.
C:\Windows\System32\26500.exe => Moved successfully.
C:\Windows\wininst.exe => Moved successfully.
C:\Windows\system.exe => Moved successfully.
C:\Windows\System32\6334.exe => Moved successfully.
C:\Windows\System32\18467.exe => Moved successfully.
C:\Windows\System32\ES17.exe => Moved successfully.
C:\Windows\System32\41.exe => Moved successfully.
C:\Windows\System32\warnings.html => Moved successfully.

==== End of Fixlog ====
  • 0
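The question in #42 (which log entries point at the backdoor) and the Fixlog in #44 both come down to reading FRST output line by line. The following is an added example, not code from the thread, from FRST or from Farbar: it applies the same heuristics the moderator used (a service entry with "No ImagePath", a service or driver whose file carries no company name, an executable under %SystemRoot% with a purely numeric name) to constructed FRST-style lines, and then reconciles a fixlist against its Fixlog so that any entry that produced no result line is reported. The sample lines are copied from this thread's fixlist and Fixlog with one result deliberately left out; the file names are taken from this log only and are not general indicators.

```python
"""Added example: FRST-style log heuristics and fixlist/Fixlog reconciliation.
Not part of FRST; sample lines are constructed from the thread above."""
import re
from dataclasses import dataclass

# Constructed sample fixlist in the format used in the thread.
FIXLIST = r"""
C:\Windows\Tasks\At*.job
HKLM\...\Run: [KernelFaultCheck] - %systemroot%\system32\dumprep 0 -k
S2 6to4; C:\WINDOWS\system32\6to4ex.dll [73748 2004-08-17] ()
S3 mvb35316; C:\Windows\System32\Drivers\mvb35316.sys [12800 2009-02-09] ()
S0 mafqlvq; No ImagePath
C:\Windows\System32\15724.exe
C:\Windows\wininst.exe
C:\Windows\System32\warnings.html
"""

# Constructed Fixlog: the warnings.html result is omitted on purpose to show
# how an entry that produced no result line is reported.
FIXLOG = r"""
C:\Windows\Tasks\At*.job => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck => Value deleted successfully.
6to4 => Service deleted successfully.
mvb35316 => Service deleted successfully.
mafqlvq => Service deleted successfully.
C:\Windows\System32\15724.exe => Moved successfully.
C:\Windows\wininst.exe => Moved successfully.
"""

# "S2 name; <image path> [size date] (company)" as FRST prints service lines.
SERVICE_RE = re.compile(r"^([SR]\d)\s+([^;]+);\s*(.*)$")
# "HKLM\...\Run: [ValueName] - command" style Run entries.
RUN_RE = re.compile(r"^HK.*\\Run[^:]*:\s*\[([^\]]+)\]")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    line: str
    reason: str


def flag_suspicious(lines):
    """Apply the three heuristics from the thread to raw FRST-style lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            _start, _name, rest = m.groups()
            if rest.strip() == "No ImagePath":
                findings.append(Finding(line, "service registered with no ImagePath"))
            elif rest.rstrip().endswith("()"):
                findings.append(Finding(line, "service/driver file carries no company name"))
            continue
        if PATH_RE.match(line):
            base = line.rsplit("\\", 1)[-1]
            stem, _, ext = base.rpartition(".")
            if ext.lower() == "exe" and stem.isdigit():
                findings.append(Finding(line, "numeric-only executable name under %SystemRoot%"))
    return findings


def fixlist_key(line):
    """Derive the identifier FRST echoes on the left of '=>' in Fixlog."""
    m = SERVICE_RE.match(line)
    if m:
        return m.group(2).strip()        # service name
    m = RUN_RE.match(line)
    if m:
        return m.group(1)                # registry value name
    return line.strip()                  # plain file path


def reconcile(fixlist_text, fixlog_text):
    """Map every fixlist entry to its Fixlog result, or 'NO RESULT LOGGED'."""
    results = {}
    for raw in fixlog_text.splitlines():
        if " => " in raw:
            left, right = raw.split(" => ", 1)
            results[left.strip()] = right.strip()
    report = {}
    for line in fixlist_text.splitlines():
        line = line.strip()
        if not line:
            continue
        key = fixlist_key(line)
        status = results.get(key)
        if status is None:
            # Registry values are logged under the expanded key path, so
            # match on the trailing "\ValueName" instead of the whole line.
            status = next((v for k, v in results.items() if k.endswith("\\" + key)),
                          "NO RESULT LOGGED")
        report[line] = status
    return report


if __name__ == "__main__":
    for f in flag_suspicious(FIXLIST.splitlines()):
        print(f"FLAG  {f.reason}: {f.line}")
    for entry, status in reconcile(FIXLIST, FIXLOG).items():
        print(f"{status:<28} {entry}")
```

Run as-is it flags four of the eight constructed lines (the 6to4 and mvb35316 entries for the empty company field, mafqlvq for the missing ImagePath, 15724.exe for its numeric name) and reports warnings.html as the one fixlist entry with no Fixlog result, which is the check worth doing after every Fix before assuming an item is gone. The heuristics are deliberately narrow; a legitimate Windows component with no company string exists, so a flag means "look closer", not "malware".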

#45
velarie2112

velarie2112

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 108 posts
I've got access to Task Manager and a command prompt again!
  • 0