
Arestocrat virus/malware


#1 rvander (New Member, 3 posts)
Receiving an extortion screen blocking all access to my computer (Windows 7 professional). The program is titled "Arestocrat". After searching the forum I found the only solutions have required a custom fix. Please help. This is my work computer and I'm totally hand-tied. Operating in safe mode now.
  • 0


#2 JSntgRvr (Global Moderator, 11,579 posts)
Hi and welcome.

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Plug the flash drive into the infected PC.
  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disk on Windows 7 consult: http://www.sevenforu...isc-create.html

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:

      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
      Select Command Prompt

      Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

  • 0

#3 rvander (Topic Starter, New Member, 3 posts)
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-04-2013
Ran by SYSTEM at 19-04-2013 11:56:05
Running from G:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2814760 2011-07-15] (Synaptics Incorporated)
HKLM\...\Run: [TpShocks] TpShocks.exe [x]
HKLM\...\Run: [ForteConfig] C:\Program Files\Conexant\ForteConfig\fmapp.exe [49056 2010-10-25] ()
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [316032 2011-03-14] (Conexant systems, Inc.)
HKLM\...\Run: [LENOVO.TPKNRRES] C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe [42344 2011-07-22] (Lenovo Group Limited)
HKLM\...\Run: [ALCKRESI.EXE] C:\Program Files\Lenovo\AutoLock\ALCKRESI.EXE [386408 2011-09-27] (Lenovo Group Limited)
HKLM\...\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup [85832 2011-07-14] (Authentec Inc.)
HKLM\...\Run: [AcWin7Hlpr] C:\Program Files (x86)\Lenovo\Access Connections\AcTBenabler.exe [31592 2011-04-14] (Lenovo)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [112512 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe [55808 2008-10-30] (Ricoh co.,Ltd.)
HKLM-x32\...\Run: [IMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [112152 2011-01-16] (Intel Corporation)
HKLM-x32\...\Run: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor [1631296 2011-10-04] (Lenovo Group Limited)
HKLM-x32\...\Run: [Lenovo Registration] C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe /boot [4351712 2011-07-13] (Lenovo, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe" [115560 2010-01-25] (Symantec Corporation)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
HKLM-x32\...\Run: [DATAMNGR] C:\PROGRA~2\WI3C8A~1\Datamngr\DATAMN~1.EXE [1694608 2011-12-06] (Bandoo Media, inc)
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1391272 2012-01-03] (Ask)
HKLM-x32\...\Run: [Conime] %windir%\system32\conime.exe [x]
HKLM-x32\...\Run: [kds_i30_i40] C:\Program Files (x86)\Kodak\Document Imaging\KDSEvents.exe [344064 2005-11-22] (Eastman Kodak Company)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKLM-x32\...\Run: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [298376 2012-09-28] (LeapFrog Enterprises, Inc.)
HKU\ASP.NET v4.0 Classic\...\RunOnce: [] [x]
HKU\ASP.NET v4.0 Classic\...\RunOnce: [Lenovoautoqdrive] C:\PROGRA~2\Common~1\Lenovo\Lenovo~1\LenovoAutorunreg.exe /DRIVE=Q [159744 2009-03-24] ()
HKU\CoprAdmin\...\RunOnce: [] [x]
HKU\CoprAdmin\...\RunOnce: [Lenovoautoqdrive] C:\PROGRA~2\Common~1\Lenovo\Lenovo~1\LenovoAutorunreg.exe /DRIVE=Q [159744 2009-03-24] ()
HKU\Default\...\RunOnce: [] [x]
HKU\Default\...\RunOnce: [Lenovoautoqdrive] C:\PROGRA~2\Common~1\Lenovo\Lenovo~1\LenovoAutorunreg.exe /DRIVE=Q [159744 2009-03-24] ()
HKU\Default User\...\RunOnce: [] [x]
HKU\Default User\...\RunOnce: [Lenovoautoqdrive] C:\PROGRA~2\Common~1\Lenovo\Lenovo~1\LenovoAutorunreg.exe /DRIVE=Q [159744 2009-03-24] ()
HKU\DefaultAppPool\...\RunOnce: [] [x]
HKU\DefaultAppPool\...\RunOnce: [Lenovoautoqdrive] C:\PROGRA~2\Common~1\Lenovo\Lenovo~1\LenovoAutorunreg.exe /DRIVE=Q [159744 2009-03-24] ()
HKU\rvanderbok\...\Run: [LTT] C:\Program Files\PC-Doctor\EnableToolbarW32.exe [23120 2011-06-27] (PC-Doctor, Inc.)
HKU\rvanderbok\...\Run: [GoToMeeting] "C:\Users\rvanderbok\AppData\Local\Citrix\GoToMeeting\1082\g2mstart.exe" "/Trigger RunAtLogon" [40376 2013-02-07] (Citrix Online, a division of Citrix Systems, Inc.)
HKU\rvanderbok\...\Run: [Google Update] "C:\Users\rvanderbok\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-08-29] (Google Inc.)
HKU\rvanderbok\...\Run: [Facebook Update] "C:\Users\rvanderbok\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2013-02-04] (Facebook Inc.)
HKU\rvanderbok\...\Run: [SoundDrivers] "C:\ProgramData\f34rfcdsfwe.exe" [38912 2013-04-18] (?????????? ??????????)
HKU\rvanderbok\...\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe -update activex [706776 2013-03-12] (Adobe Systems Incorporated)
HKU\rvanderbokAdmin\...\Run: [Weather] C:\Program Files (x86)\AWS\WeatherBug\Weather.exe 1 [x]
HKU\rvanderbokAdmin\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [17418928 2012-07-13] (Skype Technologies S.A.)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKLM-x32\...\RunOnce: [1] C:\Users\rvanderbok\Desktop\Chameleon\mbam-chameleon.exe /r /p [218184 2012-08-15] ()
Winlogon\Notify\psfus: C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll (Authentec Inc.)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
AppInit_DLLs: C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll C:\PROGRA~2\WI3C8A~1\Datamngr\x64\IEBHO.dll
Lsa: [Notification Packages] scecli C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll ACGina
Startup: C:\ProgramData\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\HD Writer.lnk
ShortcutTarget: HD Writer.lnk -> C:\Program Files (x86)\Common Files\Panasonic\HD Writer AutoStart\HDWriterAutoStart.exe (Panasonic Corporation)

==================== Services (Whitelisted) ===================

2 ccEvtMgr; "C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108392 2010-01-25] (Symantec Corporation)
2 ccSetMgr; "C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108392 2010-01-25] (Symantec Corporation)
2 CxAudMsg; C:\Windows\system32\CxAudMsg64.exe [198784 2010-12-16] (Conexant Systems Inc.)
3 DozeSvc; C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [478056 2011-10-04] (Lenovo.)
2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Corporation)
2 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [133992 2011-07-11] (Lenovo Group Limited)
3 LiveUpdate; "C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE" [3093880 2010-02-17] (Symantec Corporation)
2 MSSQLSERVER; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER [29293408 2010-12-10] (Microsoft Corporation)
2 NitroReaderDriverReadSpool2; "C:\Program Files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe" [216080 2012-07-18] (Nitro PDF Software)
2 PaperVision DataTransferAgent1; "C:\Program Files (x86)\Digitech Systems\PaperVision Capture\DSI.DataTransferAgent.Service.exe" [44368 2012-01-25] (Digitech Systems, Inc.)
2 PaperVision ProcessInitiator1; "C:\Program Files (x86)\Digitech Systems\PaperVision Capture\DSI.PVECommon.PVProcInit.exe" [26960 2012-01-25] (Digitech Systems, Inc.)
2 PVDMAutoSvc; C:\Program Files (x86)\Digitech Systems\Common Files\PVDMAutoSvc.EXE [102400 2003-08-14] (Digitech Systems, Inc.)
2 SmcService; "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe" [3217344 2010-04-10] (Symantec Corporation)
4 SNAC; "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE" [419656 2010-04-01] (Symantec Corporation)
2 SROSVC; C:\Program Files (x86)\Lenovo\Screen Reading Optimizer\SROSVC.exe [446800 2011-09-01] (Lenovo Group Limited)
2 Symantec AntiVirus; "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe" [1822296 2010-04-01] (Symantec Corporation)
2 VIPAppService; "C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe" [81552 2012-12-02] (Symantec Corporation)
2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
2 W3SVC; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
3 WajamUpdater; "C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe" [109064 2012-06-14] (Wajam)
3 WMSVC; C:\Windows\system32\inetsrv\wmsvc.exe [10752 2009-07-13] (Microsoft Corporation)

==================== Drivers (Whitelisted) =====================

1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-08] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-08-08] (Symantec Corporation)
3 NAVENG; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20130418.018\ENG64.SYS [126192 2013-03-14] (Symantec Corporation)
3 NAVEX15; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20130418.018\EX64.SYS [2087664 2013-03-14] (Symantec Corporation)
2 smihlp2; \??\C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys [13128 2011-05-30] (Authentec Inc.)
1 SRTSP; C:\Windows\System32\Drivers\SRTSP64.SYS [447536 2010-03-08] (Symantec Corporation)
3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL64.SYS [482352 2010-03-08] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX64.SYS [32304 2010-03-08] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [172592 2011-11-29] (Symantec Corporation)
3 Teefer2; C:\Windows\System32\Drivers\Teefer2.sys [64048 2009-12-28] (Symantec Corporation)
3 TVTI2C; C:\Windows\System32\Drivers\TVTI2C.sys [41536 2009-09-24] (Lenovo (United States) Inc.)
1 WPS; \??\C:\Windows\system32\drivers\wpsdrvnt.sys [52784 2010-04-10] (Symantec Corporation)
3 WpsHelper; C:\Windows\System32\Drivers\WpsHelper.sys [233120 2012-11-14] (Symantec Corporation)
1 KdsMm; \??\C:\Windows\system32\drivers\kdsmm.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-04-19 11:55 - 2013-04-19 11:55 - 00000000 ____D C:\FRST
2013-04-19 08:47 - 2013-04-19 08:47 - 00007704 ____A C:\Windows\System32\PerfStringBackup.TMP
2013-04-19 08:44 - 2013-04-19 08:44 - 01466773 ____A (Farbar) C:\Users\rvanderbok\Downloads\FRST64.exe
2013-04-19 04:49 - 2013-04-19 04:49 - 00000967 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-04-19 04:49 - 2013-04-19 04:49 - 00000000 ____D C:\Users\rvanderbokAdmin\AppData\Roaming\Malwarebytes
2013-04-19 04:49 - 2013-04-19 04:49 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-04-19 04:49 - 2013-04-19 04:49 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-04-19 04:49 - 2013-04-04 11:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-04-19 04:48 - 2013-04-19 04:49 - 00000000 ____D C:\Users\rvanderbok\Desktop\Chameleon
2013-04-19 04:12 - 2013-04-19 04:12 - 00000000 ____D C:\_OTL
2013-04-19 04:04 - 2013-04-19 04:04 - 00102234 ____A C:\Users\rvanderbok\Desktop\Extras.Txt
2013-04-19 04:03 - 2013-04-19 04:03 - 00103430 ____A C:\Users\rvanderbok\Desktop\OTL.Txt
2013-04-19 03:50 - 2013-04-19 03:50 - 00602112 ____A (OldTimer Tools) C:\Users\rvanderbok\Desktop\OTL.exe
2013-04-19 03:11 - 2013-04-19 03:11 - 02250054 ____A C:\ProgramData\1.bmp
2013-04-18 19:45 - 2013-04-18 19:45 - 00038912 ____A (?????????? ??????????) C:\ProgramData\f34rfcdsfwe.exe
2013-04-14 14:37 - 2013-02-21 22:57 - 17817088 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-04-14 14:37 - 2013-02-21 22:29 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-04-14 14:37 - 2013-02-21 22:27 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-04-14 14:37 - 2013-02-21 22:21 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-04-14 14:37 - 2013-02-21 22:20 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-04-14 14:37 - 2013-02-21 22:19 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-04-14 14:37 - 2013-02-21 22:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-04-14 14:37 - 2013-02-21 22:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-04-14 14:37 - 2013-02-21 22:15 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-04-14 14:37 - 2013-02-21 22:15 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-04-14 14:37 - 2013-02-21 22:15 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-04-14 14:37 - 2013-02-21 22:14 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-04-14 14:37 - 2013-02-21 22:13 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-04-14 14:37 - 2013-02-21 22:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-04-14 14:37 - 2013-02-21 22:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-04-14 14:37 - 2013-02-21 22:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-04-14 14:37 - 2013-02-21 20:05 - 12324352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-04-14 14:37 - 2013-02-21 19:47 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-04-14 14:37 - 2013-02-21 19:46 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-04-14 14:37 - 2013-02-21 19:38 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-04-14 14:37 - 2013-02-21 19:38 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-04-14 14:37 - 2013-02-21 19:37 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-04-14 14:37 - 2013-02-21 19:36 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-04-14 14:37 - 2013-02-21 19:35 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-04-14 14:37 - 2013-02-21 19:34 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-04-14 14:37 - 2013-02-21 19:34 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-04-14 14:37 - 2013-02-21 19:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-04-14 14:37 - 2013-02-21 19:33 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-04-14 14:37 - 2013-02-21 19:32 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-04-14 14:37 - 2013-02-21 19:31 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-04-14 14:37 - 2013-02-21 19:31 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-04-14 14:37 - 2013-02-21 19:28 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-04-10 03:59 - 2013-02-14 22:08 - 00044032 ____A (Microsoft Corporation) C:\Windows\System32\tsgqec.dll
2013-04-10 03:59 - 2013-02-14 22:06 - 03717632 ____A (Microsoft Corporation) C:\Windows\System32\mstscax.dll
2013-04-10 03:59 - 2013-02-14 22:02 - 00158720 ____A (Microsoft Corporation) C:\Windows\System32\aaclient.dll
2013-04-10 03:59 - 2013-02-14 20:37 - 03217408 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2013-04-10 03:59 - 2013-02-14 20:34 - 00131584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2013-04-10 03:59 - 2013-02-14 19:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll
2013-04-10 03:58 - 2013-03-18 22:04 - 05550424 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-04-10 03:58 - 2013-03-18 21:46 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-04-10 03:58 - 2013-03-18 21:04 - 03968856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-04-10 03:58 - 2013-03-18 21:04 - 03913560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-04-10 03:58 - 2013-03-18 20:47 - 00006656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2013-04-10 03:58 - 2013-03-18 19:06 - 00112640 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-04-10 03:58 - 2013-03-01 22:04 - 01655656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-10 03:58 - 2013-02-28 19:36 - 03153408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-04-10 03:58 - 2013-01-23 22:01 - 00223752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fvevol.sys
2013-04-08 06:19 - 2013-04-08 06:19 - 00000000 ____A C:\t1j0.2
2013-04-08 06:19 - 2013-04-08 06:19 - 00000000 ____A C:\t1j0.1
2013-04-03 11:00 - 2013-04-03 11:00 - 00013300 ____A C:\Users\rvanderbok\Desktop\Outagamie ROD backfile.txt
2013-03-27 08:07 - 2013-03-27 08:08 - 00000000 ____D C:\Users\rvanderbok\Documents\Dwyer Instruments
2013-03-27 08:05 - 2013-03-27 08:06 - 00000000 ____D C:\Users\rvanderbok\Documents\Wexford County Michigan Clerk
2013-03-27 07:53 - 2013-04-04 06:54 - 00000000 ____D C:\Users\rvanderbok\Documents\Outagamie County Wisconsin ROD
2013-03-25 11:08 - 2013-03-25 11:08 - 00000000 ____D C:\Users\rvanderbok\AppData\Local\{B83F3DD1-1EFE-4611-8DBE-797AEF75A4A5}
2013-03-22 09:46 - 2013-03-22 09:46 - 00000000 ____D C:\Users\rvanderbok\AppData\Local\{9965F15C-3C7F-46F2-8E37-70D0A0DE8D77}

==================== One Month Modified Files and Folders =======

2013-04-19 11:55 - 2013-04-19 11:55 - 00000000 ____D C:\FRST
2013-04-19 08:47 - 2013-04-19 08:47 - 00007704 ____A C:\Windows\System32\PerfStringBackup.TMP
2013-04-19 08:44 - 2013-04-19 08:44 - 01466773 ____A (Farbar) C:\Users\rvanderbok\Downloads\FRST64.exe
2013-04-19 05:33 - 2012-01-23 09:13 - 00000000 ____D C:\Users\rvanderbok\Documents\Outlook Files
2013-04-19 05:14 - 2011-11-25 09:41 - 00000466 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
2013-04-19 05:11 - 2012-03-28 12:02 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-04-19 05:11 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-19 05:11 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\inetsrv
2013-04-19 05:10 - 2010-11-20 19:47 - 00398918 ____A C:\Windows\PFRO.log
2013-04-19 05:10 - 2009-07-13 20:51 - 00072953 ____A C:\Windows\setupact.log
2013-04-19 04:49 - 2013-04-19 04:49 - 00000967 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-04-19 04:49 - 2013-04-19 04:49 - 00000000 ____D C:\Users\rvanderbokAdmin\AppData\Roaming\Malwarebytes
2013-04-19 04:49 - 2013-04-19 04:49 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-04-19 04:49 - 2013-04-19 04:49 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-04-19 04:49 - 2013-04-19 04:48 - 00000000 ____D C:\Users\rvanderbok\Desktop\Chameleon
2013-04-19 04:30 - 2011-11-07 23:22 - 02080210 ____A C:\Windows\WindowsUpdate.log
2013-04-19 04:28 - 2009-07-13 20:45 - 00031296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-19 04:28 - 2009-07-13 20:45 - 00031296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-19 04:27 - 2009-07-13 21:13 - 00935048 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-19 04:23 - 2011-11-25 09:41 - 00000528 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2013-04-19 04:18 - 2012-03-28 12:02 - 00000916 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-04-19 04:12 - 2013-04-19 04:12 - 00000000 ____D C:\_OTL
2013-04-19 04:04 - 2013-04-19 04:04 - 00102234 ____A C:\Users\rvanderbok\Desktop\Extras.Txt
2013-04-19 04:03 - 2013-04-19 04:03 - 00103430 ____A C:\Users\rvanderbok\Desktop\OTL.Txt
2013-04-19 03:50 - 2013-04-19 03:50 - 00602112 ____A (OldTimer Tools) C:\Users\rvanderbok\Desktop\OTL.exe
2013-04-19 03:11 - 2013-04-19 03:11 - 02250054 ____A C:\ProgramData\1.bmp
2013-04-19 03:11 - 2013-02-04 15:50 - 00000948 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-708785605-3543618096-3945989920-1000UA.job
2013-04-19 03:11 - 2012-08-29 12:31 - 00000928 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-708785605-3543618096-3945989920-1000UA.job
2013-04-19 03:11 - 2012-07-11 09:53 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-04-18 19:45 - 2013-04-18 19:45 - 00038912 ____A (?????????? ??????????) C:\ProgramData\f34rfcdsfwe.exe
2013-04-18 16:09 - 2013-02-04 15:50 - 00000926 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-708785605-3543618096-3945989920-1000Core.job
2013-04-18 10:44 - 2011-12-05 06:36 - 00000000 ____D C:\Users\rvanderbok\Documents\Cook County Department of Public Health
2013-04-18 10:29 - 2011-12-08 11:29 - 00000000 ____D C:\Users\rvanderbok\Documents\Personal
2013-04-18 08:30 - 2011-12-15 08:14 - 00000000 ____D C:\Users\rvanderbok\AppData\Roaming\Nitro PDF
2013-04-17 06:37 - 2012-08-29 12:31 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-708785605-3543618096-3945989920-1000Core.job
2013-04-17 06:35 - 2011-12-05 06:34 - 00000000 ____D C:\Users\rvanderbok\Documents\Illinois State
2013-04-15 17:55 - 2012-01-05 12:16 - 00000000 ____D C:\Users\rvanderbok\Documents\Turbo Tax
2013-04-14 15:02 - 2009-07-13 20:45 - 00450864 ____A C:\Windows\System32\FNTCACHE.DAT
2013-04-14 14:38 - 2011-11-25 08:56 - 72702784 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-04-14 14:36 - 2011-11-25 10:39 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-04-11 07:41 - 2011-12-05 06:38 - 00000000 ____D C:\Users\rvanderbok\Documents\Gander Mountain
2013-04-10 14:08 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-04-10 12:36 - 2011-12-05 06:41 - 00000000 ____D C:\Users\rvanderbok\Documents\Mercy- Port Huron
2013-04-10 12:33 - 2013-03-11 08:33 - 00000000 ____D C:\Users\rvanderbok\Documents\Sparrow Hospital
2013-04-10 04:15 - 2012-02-08 14:53 - 00000000 ____D C:\Users\rvanderbok\Documents\DataBases
2013-04-10 03:47 - 2012-08-29 12:32 - 00002408 ____A C:\Users\rvanderbok\Desktop\Google Chrome.lnk
2013-04-08 13:44 - 2011-12-05 06:47 - 00000000 ____D C:\Users\rvanderbok\Documents\St Marys Health Center - Jefferson City MO
2013-04-08 06:19 - 2013-04-08 06:19 - 00000000 ____A C:\t1j0.2
2013-04-08 06:19 - 2013-04-08 06:19 - 00000000 ____A C:\t1j0.1
2013-04-05 09:47 - 2012-02-01 08:22 - 00000000 ____D C:\Users\rvanderbok\AppData\Local\DVD Profiler
2013-04-05 09:42 - 2012-02-01 10:30 - 00000000 ____D C:\Users\rvanderbok\Documents\Droid_DVDP
2013-04-04 11:59 - 2011-12-05 06:35 - 00000000 ___RD C:\Users\rvanderbok\Documents\Marianjoy Rehab
2013-04-04 11:50 - 2013-04-19 04:49 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-04-04 06:54 - 2013-03-27 07:53 - 00000000 ____D C:\Users\rvanderbok\Documents\Outagamie County Wisconsin ROD
2013-04-03 12:41 - 2013-02-28 14:38 - 00000000 ____D C:\Users\rvanderbok\Documents\Osage Valley Electric Coop
2013-04-03 11:00 - 2013-04-03 11:00 - 00013300 ____A C:\Users\rvanderbok\Desktop\Outagamie ROD backfile.txt
2013-03-27 08:08 - 2013-03-27 08:07 - 00000000 ____D C:\Users\rvanderbok\Documents\Dwyer Instruments
2013-03-27 08:06 - 2013-03-27 08:05 - 00000000 ____D C:\Users\rvanderbok\Documents\Wexford County Michigan Clerk
2013-03-25 11:08 - 2013-03-25 11:08 - 00000000 ____D C:\Users\rvanderbok\AppData\Local\{B83F3DD1-1EFE-4611-8DBE-797AEF75A4A5}
2013-03-22 13:01 - 2011-12-05 06:51 - 00000000 ___RD C:\Users\rvanderbok\Documents\St Mary- Hobart
2013-03-22 09:46 - 2013-03-22 09:46 - 00000000 ____D C:\Users\rvanderbok\AppData\Local\{9965F15C-3C7F-46F2-8E37-70D0A0DE8D77}
2013-03-22 03:38 - 2011-11-07 23:25 - 00000000 ____D C:\Program Files (x86)\Google
2013-03-20 02:43 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-03-17 00:00:42
Restore point made on: 2013-03-19 00:00:54
Restore point made on: 2013-03-27 07:02:56
Restore point made on: 2013-04-03 14:13:37
Restore point made on: 2013-04-12 08:38:07
Restore point made on: 2013-04-14 14:34:47

==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 3979.23 MB
Available physical RAM: 3122.05 MB
Total Pagefile: 3977.43 MB
Available Pagefile: 3108.16 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (Windows7_OS) (Fixed) (Total:448.67 GB) (Free:274.96 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (Lenovo_Recovery) (Fixed) (Total:15.62 GB) (Free:6.1 GB) NTFS
4 Drive g: () (Removable) (Total:0.12 GB) (Free:0.1 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM_DRV) (Fixed) (Total:1.46 GB) (Free:1.13 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 124 MB 0 B

Partitions of Disk 0:
===============

Disk ID: 19DB4BD2

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1500 MB 1024 KB
Partition 2 Primary 448 GB 1501 MB
Partition 3 Primary 15 GB 450 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM_DRV NTFS Partition 1500 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Windows7_OS NTFS Partition 448 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E Lenovo_Reco NTFS Partition 15 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Disk ID: 44DE646A

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 123 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT Removable 123 MB Healthy

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 19DB4BD2

Partition 1:
=========
Hex: 8020210007591ABF0008000000E02E00
Active: YES
Type: 07 (NTFS)
Size: 1 GB

Partition 2:
=========
Hex: 00591BBF07FEFFFF00E82E0000701538
Active: NO
Type: 07 (NTFS)
Size: 449 GB

Partition 3:
=========
Hex: 00FEFFFF07FEFFFF005844380000F401
Active: NO
Type: 07 (NTFS)
Size: 16 GB

==============================
Partitions of Disk 1:
===============
Disk ID: 44DE646A

Partition 1:
=========
Hex: 80010100061F20F720000000E0DF0300
Active: YES
Type: 06
Size: 124 MB


Last Boot: 2013-04-16 09:14

==================== End Of Log =============================
  • 0
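The MBR section of the log prints each 16-byte partition entry as raw hex. As an added example (not FRST's code or anything posted in the thread), the decoder below unpacks the page's own entries, derives the offset and size FRST printed next to them, and runs the checks a triage of a screen-locker-infected disk would want: valid status bytes, a single boot flag, and no overlapping partitions. The hex strings are copied from the log; the function names are mine.

```python
import struct

# The four MBR partition entries exactly as the log above printed them (hex, 16 bytes each).
FRST_ENTRIES = [
    ("Disk 0 / Partition 1", "8020210007591ABF0008000000E02E00"),
    ("Disk 0 / Partition 2", "00591BBF07FEFFFF00E82E0000701538"),
    ("Disk 0 / Partition 3", "00FEFFFF07FEFFFF005844380000F401"),
    ("Disk 1 / Partition 1", "80010100061F20F720000000E0DF0300"),
]
SECTOR = 512  # bytes; FRST's offset/size columns agree with 512-byte sectors

def decode_entry(hex16):
    """Decode one 16-byte MBR partition entry; LBA start and sector count are little-endian."""
    raw = bytes.fromhex(hex16)
    if len(raw) != 16:
        raise ValueError("an MBR partition entry is exactly 16 bytes")
    # byte 0 status, bytes 1-3 CHS start (ignored), byte 4 type, bytes 5-7 CHS end (ignored)
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
    return {
        "bootable": status == 0x80,
        "status_valid": status in (0x00, 0x80),  # any other value is a malformed entry
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
        "offset_kib": lba_start * SECTOR // 1024,   # compare with FRST's Offset column
        "size_mib": sectors * SECTOR / 2**20,       # compare with FRST's Size column
    }

def check_table(hex_entries):
    """Triage checks on one disk's table: status bytes, a single boot flag, no overlaps."""
    decoded = [decode_entry(h) for h in hex_entries]
    findings = []
    if sum(d["bootable"] for d in decoded) > 1:
        findings.append("more than one entry has the boot flag set")
    for i, d in enumerate(decoded, 1):
        if not d["status_valid"]:
            findings.append(f"entry {i}: invalid status byte")
    spans = sorted((d["lba_start"], d["lba_start"] + d["sectors"], i)
                   for i, d in enumerate(decoded, 1) if d["sectors"])
    for (s1, e1, a), (s2, e2, b) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"entries {a} and {b} overlap on disk")
    return findings

if __name__ == "__main__":
    for label, h in FRST_ENTRIES:
        d = decode_entry(h)
        print(f"{label}: type 0x{d['type']:02X} boot={d['bootable']} "
              f"offset {d['offset_kib']} KiB size {d['size_mib']:.1f} MiB")
    print("disk 0 findings:", check_table([h for _, h in FRST_ENTRIES[:3]]) or "none")
```

Disk 0's three entries decode to exactly 1024 KiB / 1500 MiB, 1501 MiB / 448 GiB and 450 GiB / 15.6 GiB, matching FRST's table, and partition 2 begins on the sector where partition 1 ends, so the table is contiguous with no overlap.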

#4
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Download the enclosed file. [attachment=64313:fixlist.txt]

Save it next to FRST64 on the flash drive. Run FRST64 as you did before, except that this time around click on the Fix button and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Boot in Normal Mode. If successful follow these steps:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to reconnect your machine to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt".
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete


Once done it will ask to reboot; allow this.
On reboot a log will be produced at C:\ADWCleaner[XX].txt; please post it in your next reply.

Update and launch Malwarebytes Antimalware. Perform a quick Scan and post its report.
  • 0

#5
rvander

rvander

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
I followed your instructions to run FRST64 clicking the fix button and it produced the following report:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-04-2013
Ran by SYSTEM at 2013-04-19 21:11:00 Run:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\DATAMNGR Value deleted successfully.
HKEY_LOCAL_MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ApnUpdater Value deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs Value was restored successfully .
C:\ProgramData\1.bmp moved successfully.
C:\ProgramData\f34rfcdsfwe.exe moved successfully.
C:\t1j0.2 moved successfully.
C:\t1j0.1 moved successfully.

==== End of Fixlog ====

I was able to reboot in normal mode without the extortion screen.

I downloaded ComboFix, but I can't disable my virus protection which is locked down by my System Admin at work. Is it safe to continue with your instructions without virus protection (Symantec Endpoint Protection) disabled?
  • 0
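The Fixlog above names the persistence points the locker used: Run values (in the native and the WOW6432Node view), the AppInit_DLLs value that FRST had to restore, and payloads dropped in C:\ProgramData and at the drive root. As an added example (not FRST's code or anything from the thread), a small triage routine that reads those same locations on a Windows host through winreg and flags entries launching from such places; the Fixlog does not show what commands the DATAMNGR and ApnUpdater values held, so any sample values in the usage below are constructed.

```python
import ntpath

# Persistence locations the Fixlog above touched (key paths from the page).
RUN_KEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
]
APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

def launch_path(command):
    """Executable path from a Run value's command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def flag_autorun(name, command):
    """Reasons an autorun entry deserves a look; an empty list means nothing stood out."""
    parent = ntpath.dirname(launch_path(command)).lower().rstrip("\\")
    reasons = []
    if parent == r"c:\programdata":  # where the Fixlog found f34rfcdsfwe.exe
        reasons.append(f"{name}: launches from {parent}")
    if len(parent) == 2 and parent.endswith(":"):  # e.g. C:\t1j0.1 at the drive root
        reasons.append(f"{name}: launches from the drive root")
    return reasons

def flag_appinit(value):
    """AppInit_DLLs is normally empty; anything listed is loaded into every user32 process."""
    return [f"AppInit_DLLs is set: {value}"] if value.strip() else []

def collect_live():
    """Same keys on a live Windows host (64-bit Python so SOFTWARE is not redirected); [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    findings = []
    for sub in RUN_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                    name, value, _ = winreg.EnumValue(key, i)
                    findings += flag_autorun(name, str(value))
        except OSError:
            pass
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
            findings += flag_appinit(str(winreg.QueryValueEx(key, "AppInit_DLLs")[0]))
    except OSError:
        pass
    return findings
```

A constructed value such as `flag_autorun("DATAMNGR", r'"C:\ProgramData\f34rfcdsfwe.exe"')` is flagged for its ProgramData launch path, while a vendor updater under Program Files returns an empty list.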

#6
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hold off on Combofix.

Run AdwCleaner and Malwarebytes Anti-Malware.

Also,
  • Download RogueKiller (by tigzy) on the desktop
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan. Once finished, click on Report

Please post the contents of the RKreport.txt in your next Reply.

Close RogueKiller
  • 0
