Another Fake Police Virus


Tim2014

New Member
Thread author
Oct 14, 2013
14
Hi, hopefully you guys can help. My Windows XP PC has the Police/Ukash infection - this blocks start-up and prevents me accessing safe mode too. I have run Hitman Pro - I had to boot this by CD as my PC does not have a boot from USB option in the boot menu. Hitman Pro starts but then hangs and stops as it says there is no internet connection, although there is one.

Next I have tried Kaspersky Rescue Disc. Full scan run. This finds a Trojan - HEUR:Exploit:java.generic, says it cannot be moved to quarantine & cannot be disinfected - the recommended action is to skip (ignore) it, which doesn't resolve my problem of course.

I still can't get to safe mode of course so the above bit about running OTL and aswMBR LOG is impossible for me as far as I know. Note I clicked on OTL log above just to let me post this, I can't actually run it.

(I do have an old XP PC which I've resurrected to use for this investigation - very slow but works - though I only have the one monitor). Also the infected PC has a legitimate copy of XP (!) and I do have the original disks that came with it somewhere, although they are PC manufacturer ones so I'm not too sure what I could reinstall from them.

All ideas greatly appreciated

Thanks
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi and welcome to the malwaretips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
<hr />
Please print these instructions out so that you know what you are doing
  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Download List Parts and save it to the flash drive also.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note If you do not know how to set your computer to boot from CD follow the steps here
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note as you are running from CD it is not exactly speedy
  • Insert the USB with FRST
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
  • Next click List Parts and then click Scan
  • It will make a log Results.txt on the flash drive. Please copy and paste it to your reply.
 

Tim2014

New Member
Thread author
Oct 14, 2013
14
Hi Kuttus, many thanks for your excellent instructions. I have run these applications and here are the results:

FRST

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-10-2013
Ran by SYSTEM on REATOGO on 15-10-2013 21:10:57
Running from D:\
Microsoft Windows XP (X86) OS Language: English(US)
Internet Explorer Version 7
Boot Mode: Recovery

The current controlset is ControlSet003
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [HotKeysCmds] - C:\WINDOWS\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [RTHDCPL] - C:\Windows\RTHDCPL.EXE [16248320 2006-06-28] (Realtek Semiconductor Corp.)
HKLM\...\Run: [SkyTel] - C:\Windows\SkyTel.EXE [2879488 2006-05-16] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Alcmtr] - C:\Windows\ALCMTR.EXE [69632 2005-05-03] (Realtek Semiconductor Corp.)
HKLM\...\Run: [SpeedTouch USB Diagnostics] - C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe [4247552 2001-10-03] (Alcatel Bell)
HKLM\...\Run: [LogitechVideoRepair] - C:\Program Files\Logitech\Video\ISStart.exe [188416 2003-06-30] (Logitech Inc.)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [248552 2010-05-14] (Sun Microsystems, Inc.)
HKLM\...\Run: [COMODO Internet Security] - C:\Program Files\COMODO\COMODO Internet Security\cfp.exe [1800464 2010-01-29] (COMODO)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\qttask.exe [77824 2010-06-26] (Apple Computer, Inc.)
HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] - RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
HKLM\...\Run: [nwiz] - C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [1982312 2013-01-31] ()
HKLM\...\Policies\Explorer: [ClassicShell] 0
HKLM\...\Policies\Explorer: [NoRemoteRecursiveEvents] 1
HKU\Tim\...\Policies\system: [NoVisualStyleChoice] 0
HKU\Tim\...\Policies\system: [NoColorChoice] 0
HKU\Tim\...\Policies\system: [NoSizeChoice] 0
AppInit_DLLs: C:\WINDOWS\system32\guard32.dll [ 2010-05-30] (COMODO)
Startup: C:\Documents and Settings\Tim\Start Menu\Programs\Startup\qjwtfwlb.lnk
ShortcutTarget: qjwtfwlb.lnk -> C:\DOCUME~1\ALLUSE~1\APPLIC~1\blwftwjq.plz (Borland Software Corporation)
BootExecute: autocheck autochk * lsdelete

========================== Services (Whitelisted) =================

S2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [723632 2010-01-29] (COMODO)
S3 Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [1378040 2011-04-16] (Lavasoft)
S3 Sony Ericsson PCCompanion; C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [155344 2011-06-29] (Avanquest Software)
S2 UPHClean; C:\Program Files\UPHClean\uphclean.exe [399872 2010-09-13] (Windows (R) Codename Longhorn DDK provider)
S2 winmgmt; C:\DOCUME~1\ALLUSE~1\APPLIC~1\blwftwjq.plz [176128 2013-10-13] (Borland Software Corporation)
S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"

==================== Drivers (Whitelisted) ====================

S3 alcan5wn; C:\Windows\System32\DRIVERS\alcan5wn.sys [53920 2001-10-03] (Alcatel Bell)
S3 alcaudsl; C:\Windows\System32\DRIVERS\alcaudsl.sys [589776 2001-10-03] (Alcatel Bell)
S3 ASPI; C:\WINDOWS\System32\DRIVERS\ASPI32.sys [16512 2002-07-17] (Adaptec)
S1 cdrbsdrv; C:\Windows\System32\Drivers\cdrbsdrv.sys [13567 2004-03-08] (B.H.A Corporation)
S1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [134344 2010-05-30] (COMODO)
S1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [25160 2010-01-29] (COMODO)
S3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [30976 2013-10-14] ()
S0 Inspect; C:\Windows\System32\DRIVERS\inspect.sys [87104 2010-01-29] (COMODO)
S3 Lavasoft Kernexplorer; C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys [15264 2010-11-29] ()
S0 Lbd; C:\Windows\System32\DRIVERS\Lbd.sys [64288 2010-09-23] (Lavasoft AB)
S3 MSIRCOMM; C:\Windows\System32\DRIVERS\MSIRCOMM.sys [22016 2004-08-03] (Microsoft Corporation)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2004-08-03] (Microsoft Corporation)
S1 P3; C:\Windows\System32\DRIVERS\p3.sys [42496 2004-08-04] (Microsoft Corporation)
S3 PhilCam8116; C:\Windows\System32\DRIVERS\CamDrL21.sys [236121 2002-12-10] (Logitech Inc.)
S3 Rasirda; C:\Windows\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
S3 s1039mdm; C:\Windows\System32\DRIVERS\s1039mdm.sys [124016 2010-03-15] (MCCI Corporation)
S3 Secdrv; C:\Windows\System32\DRIVERS\secdrv.sys [27440 2004-08-04] ()
S1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-10-15 21:10 - 2013-10-15 21:10 - 00000000 ____D C:\FRST
2013-10-15 14:33 - 2013-10-15 14:33 - 00003781 _____ C:\Windows\setupapi.log
2013-10-14 17:42 - 2013-10-14 20:00 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2013-10-14 15:47 - 2013-10-14 15:47 - 00030976 _____ C:\Windows\System32\Drivers\hitmanpro37.sys
2013-10-14 15:38 - 2013-10-14 15:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2013-10-13 19:38 - 2013-10-13 19:38 - 00000000 ____D C:\Windows\CSC
2013-10-13 19:10 - 2013-10-15 15:00 - 95025368 ____T C:\Documents and Settings\All Users\Application Data\qjwtfwlb.pff
2013-10-13 19:10 - 2013-10-15 14:59 - 00000000 _____ C:\Documents and Settings\All Users\Application Data\qjwtfwlb.ctrl
2013-10-13 19:10 - 2013-10-13 19:10 - 00176128 _____ (Borland Software Corporation) C:\Documents and Settings\All Users\Application Data\blwftwjq.plz
2013-10-13 13:00 - 2013-10-13 13:00 - 00000775 _____ C:\Documents and Settings\All Users\Desktop\TweakNow RegCleaner.lnk
2013-10-13 12:59 - 2013-10-13 13:06 - 00000000 ____D C:\Program Files\TweakNow RegCleaner
2013-10-13 12:59 - 2013-10-13 12:59 - 00000000 ____D C:\Documents and Settings\Tim\Application Data\TweakNow RegCleaner 2012
2013-10-13 12:59 - 2013-10-13 12:59 - 00000000 ____D C:\Documents and Settings\Tim\Application Data\TweakNow RegCleaner
2013-10-13 12:54 - 2013-10-14 19:02 - 00002649 _____ C:\Windows\WindowsUpdate.log
2013-10-13 11:12 - 2013-10-13 11:12 - 00000000 ____D C:\Windows\System32\appmgmt
2013-10-07 16:07 - 2013-10-07 16:07 - 00088992 _____ C:\Documents and Settings\Tim\My Documents\royalmailshares.odt
2013-09-24 15:12 - 2013-09-24 15:12 - 00000685 _____ C:\Documents and Settings\All Users\Desktop\SRWare Iron.lnk
2013-09-24 15:11 - 2013-09-24 15:11 - 00000000 ____D C:\Program Files\SRWare Iron
2013-09-24 15:11 - 2013-09-24 15:11 - 00000000 ____D C:\Documents and Settings\Tim\Local Settings\Application Data\Chromium

==================== One Month Modified Files and Folders =======

2013-10-15 21:10 - 2013-10-15 21:10 - 00000000 ____D C:\FRST
2013-10-15 15:00 - 2013-10-13 19:10 - 95025368 ____T C:\Documents and Settings\All Users\Application Data\qjwtfwlb.pff
2013-10-15 14:59 - 2013-10-13 19:10 - 00000000 _____ C:\Documents and Settings\All Users\Application Data\qjwtfwlb.ctrl
2013-10-15 14:42 - 2009-10-09 17:39 - 01474832 _____ C:\Windows\System32\Drivers\sfi.dat
2013-10-15 14:33 - 2013-10-15 14:33 - 00003781 _____ C:\Windows\setupapi.log
2013-10-15 14:33 - 2010-05-30 05:13 - 00324738 _____ C:\aaw7boot.log
2013-10-14 20:00 - 2013-10-14 17:42 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2013-10-14 19:02 - 2013-10-13 12:54 - 00002649 _____ C:\Windows\WindowsUpdate.log
2013-10-14 19:02 - 2009-10-09 09:10 - 00000178 ___SH C:\Documents and Settings\Tim\ntuser.ini
2013-10-14 19:02 - 2004-08-20 14:40 - 00032644 _____ C:\Windows\SchedLgU.Txt
2013-10-14 15:47 - 2013-10-14 15:47 - 00030976 _____ C:\Windows\System32\Drivers\hitmanpro37.sys
2013-10-14 15:38 - 2013-10-14 15:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2013-10-13 19:38 - 2013-10-13 19:38 - 00000000 ____D C:\Windows\CSC
2013-10-13 19:23 - 2013-05-03 14:30 - 00000178 ___SH C:\Documents and Settings\UpdatusUser\ntuser.ini
2013-10-13 19:10 - 2013-10-13 19:10 - 00176128 _____ (Borland Software Corporation) C:\Documents and Settings\All Users\Application Data\blwftwjq.plz
2013-10-13 13:10 - 2013-01-21 04:11 - 00054156 ____H C:\Windows\QTFont.qfn
2013-10-13 13:06 - 2013-10-13 12:59 - 00000000 ____D C:\Program Files\TweakNow RegCleaner
2013-10-13 13:00 - 2013-10-13 13:00 - 00000775 _____ C:\Documents and Settings\All Users\Desktop\TweakNow RegCleaner.lnk
2013-10-13 12:59 - 2013-10-13 12:59 - 00000000 ____D C:\Documents and Settings\Tim\Application Data\TweakNow RegCleaner 2012
2013-10-13 12:59 - 2013-10-13 12:59 - 00000000 ____D C:\Documents and Settings\Tim\Application Data\TweakNow RegCleaner
2013-10-13 12:58 - 2009-10-12 18:31 - 00000000 ____D C:\Documents and Settings\Tim\My Documents\My Received Files
2013-10-13 11:16 - 2010-02-28 20:34 - 00000000 ____D C:\Documents and Settings\Tim\Application Data\Skype
2013-10-13 11:16 - 2010-02-28 20:34 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Skype
2013-10-13 11:14 - 2010-10-16 17:42 - 00000000 ____D C:\Program Files\Google
2013-10-13 11:13 - 2010-10-16 17:42 - 00000000 ____D C:\Documents and Settings\Tim\Local Settings\Application Data\Google
2013-10-13 11:12 - 2013-10-13 11:12 - 00000000 ____D C:\Windows\System32\appmgmt
2013-10-13 11:11 - 2010-09-10 13:46 - 00000000 ____D C:\Program Files\Nokia
2013-10-12 19:16 - 2009-10-11 15:26 - 00000000 ____D C:\Documents and Settings\Tim\Application Data\Camfrog
2013-10-08 15:59 - 2010-05-08 17:27 - 00085504 ___SH C:\Documents and Settings\Tim\My Documents\Thumbs.db
2013-10-07 16:07 - 2013-10-07 16:07 - 00088992 _____ C:\Documents and Settings\Tim\My Documents\royalmailshares.odt
2013-10-05 17:33 - 2010-01-21 18:01 - 00106214 _____ C:\Documents and Settings\Tim\My Documents\Data Model.ods
2013-09-25 18:03 - 2012-12-03 16:08 - 00010754 _____ C:\Documents and Settings\Tim\My Documents\Paypal.ods
2013-09-24 15:12 - 2013-09-24 15:12 - 00000685 _____ C:\Documents and Settings\All Users\Desktop\SRWare Iron.lnk
2013-09-24 15:11 - 2013-09-24 15:11 - 00000000 ____D C:\Program Files\SRWare Iron
2013-09-24 15:11 - 2013-09-24 15:11 - 00000000 ____D C:\Documents and Settings\Tim\Local Settings\Application Data\Chromium

Some content of TEMP:
====================
C:\Documents and Settings\Tim\Local Settings\Temp\~tmf5723185867555416740.dll


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe
[2004-08-20 13:07] - [2004-08-04 08:00] - 1032192 ____A (Microsoft Corporation) a0732187050030ae399b241436565e64

C:\Windows\System32\winlogon.exe
[2004-08-20 13:08] - [2004-08-04 08:00] - 0502272 ____A (Microsoft Corporation) 01c3346c241652f43aed8e2149881bfe

C:\Windows\System32\svchost.exe
[2004-08-20 13:08] - [2004-08-04 08:00] - 0014336 ____A (Microsoft Corporation) 8f078ae4ed187aaabc0a305146de6716

C:\Windows\System32\services.exe
[2004-08-20 13:08] - [2009-02-06 06:22] - 0110592 ____A (Microsoft Corporation) 4712531ab7a01b7ee059853ca17d39bd

C:\Windows\System32\User32.dll
[2004-08-20 13:08] - [2005-03-02 14:09] - 0577024 ____A (Microsoft Corporation) de2db164bbb35db061af0997e4499054

C:\Windows\System32\userinit.exe
[2004-08-20 13:08] - [2004-08-04 08:00] - 0024576 ____A (Microsoft Corporation) 39b1ffb03c2296323832acbae50d2aff

C:\Windows\System32\Drivers\volsnap.sys
[2004-08-20 13:08] - [2004-08-04 08:00] - 0052352 ____A (Microsoft Corporation) ee4660083deba849ff6c485d944b379b


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points (XP) =====================

RP: -> 2013-10-14 16:25 - 028672 _restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP1310

RP: -> 2013-10-13 11:16 - 028672 _restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP1309

RP: -> 2013-10-13 05:46 - 028672 _restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP1308

RP: -> 2013-10-11 18:14 - 028672 _restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP1307

RP: -> 2013-10-10 17:46 - 028672 _restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP1306

RP: -> 2013-10-09 17:44 - 028672 _restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP1305

RP: -> 2013-10-08 16:35 - 028672 _restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP1304

RP: -> 2013-10-07 16:26 - 028672 _restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP1303

RP: -> 2013-10-06 15:34 - 028672 _restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP1302

RP: -> 2013-10-05 14:23 - 028672 _restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP1301

RP: -> 2013-10-03 17:02 - 028672 _restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP1300

RP: -> 2013-10-02 16:17 - 028672 _restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP1299

RP: -> 2013-09-30 16:25 - 028672 _restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP1298


==================== Memory info ===========================

Percentage of memory in use: 20%
Total physical RAM: 1022.42 MB
Available physical RAM: 816.95 MB
Total Pagefile: 905.99 MB
Available Pagefile: 842.3 MB
Total Virtual: 2047.88 MB
Available Virtual: 1993.16 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: (System) (Fixed) (Total:74.53 GB) (Free:58.01 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (HITMANPRO) (Removable) (Total:0.11 GB) (Free:0.09 GB) FAT32
Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 75 GB) (Disk ID: 4C24C74F)
Partition 1: (Active) - (Size=75 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 125 MB) (Disk ID: 55F8DE93)
Partition 1: (Active) - (Size=118 MB) - (Type=0B)

==================== End Of Log ============================

Listparts:
ListParts by Farbar Version: 10-05-2013
Ran by SYSTEM (administrator) on 15-10-2013 at 21:13:42
Windows XP (X86)
Running From: D:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 16%
Total physical RAM: 1022.42 MB
Available physical RAM: 852.42 MB
Total Pagefile: 905.99 MB
Available Pagefile: 835.11 MB
Total Virtual: 2047.88 MB
Available Virtual: 2007.38 MB

======================= Partitions =========================

1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
2 Drive c: (System) (Fixed) (Total:74.53 GB) (Free:58.01 GB) NTFS ==>[Drive with boot components (Windows XP)]
3 Drive d: (HITMANPRO) (Removable) (Total:0.11 GB) (Free:0.09 GB) FAT32
4 Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 75 GB 0 B

Partitions of Disk 0:
===============

The disk management services could not complete the operation.

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 4C24C74F
Partition 1: (Active) - (Size=75 GB) - (Type=07 NTFS)


****** End Of Log ******

Thanks again and I look forward to seeing your reply



Tim
 
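The FRST log above shows the two persistence points that matter here: the winmgmt service's image path rewritten to C:\DOCUME~1\ALLUSE~1\APPLIC~1\blwftwjq.plz, and a Startup-folder shortcut (qjwtfwlb.lnk) pointing at the same file, both created on 2013-10-13 and both carrying a "Borland Software Corporation" version string. A small triage script that pulls entries like these out of an FRST log, as an added example that is not part of this thread, of FRST, or of any participant's post: the line parsing and the scoring rules (path under a data or temp directory, non-executable extension, random-looking file name, built-in Windows service resolving outside the Windows directory) are the example's own assumptions, not FRST's whitelist logic, and the sample input is a subset of lines copied from the log above.

```python
"""Triage a Farbar Recovery Scan Tool (FRST) log for hijacked autostart entries.

Added example for this thread. The regexes and scoring rules below are this
example's own heuristics (an assumption, not FRST's whitelist logic), and the
sample input is a subset of lines copied from the log posted in the thread.
"""
import re
from typing import Dict, List, Optional

# Sample input: lines copied from the FRST log above (a constructed subset).
SAMPLE_FRST_LOG = r"""
HKLM\...\Run: [COMODO Internet Security] - C:\Program Files\COMODO\COMODO Internet Security\cfp.exe [1800464 2010-01-29] (COMODO)
HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
Startup: C:\Documents and Settings\Tim\Start Menu\Programs\Startup\qjwtfwlb.lnk
ShortcutTarget: qjwtfwlb.lnk -> C:\DOCUME~1\ALLUSE~1\APPLIC~1\blwftwjq.plz (Borland Software Corporation)
S2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [723632 2010-01-29] (COMODO)
S2 winmgmt; C:\DOCUME~1\ALLUSE~1\APPLIC~1\blwftwjq.plz [176128 2013-10-13] (Borland Software Corporation)
S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
"""

# One regex per FRST line shape this example understands.
RUN_RE = re.compile(r"^HK[^:]*\\Run\w*: \[(?P<name>[^\]]+)\] - (?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^[RSU]\d (?P<name>[^;]+); (?P<cmd>.+)$")   # services and drivers
SHORTCUT_RE = re.compile(r"^ShortcutTarget: (?P<name>\S+) -> (?P<cmd>.+)$")
PUBLISHER_RE = re.compile(r"\s*\([^()]*\)\s*$")   # trailing "(Publisher)"
SIZE_DATE_RE = re.compile(r"\s*\[[^\]]*\]\s*$")    # trailing "[size date]"
# First drive-letter path ending in an extension, quoted or not (handles spaces).
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.[A-Za-z0-9]{1,4})(?=["\s,]|$)')

EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".cpl", ".scr", ".ocx"}
DATA_DIR_MARKERS = ("\\application data\\", "\\applic~1\\", "\\programdata\\",
                    "\\temp\\", "\\local settings\\")
# Built-in Windows services whose image should live under the Windows directory.
# Assumption for this example: a short list; a real one would be much longer.
CRITICAL_SERVICES = {"winmgmt", "lanmanserver", "lanmanworkstation", "bits",
                     "wuauserv", "rpcss"}
VOWELS = set("aeiou")


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Return {'kind', 'name', 'path'} for a Run, service or shortcut line, else None."""
    for kind, rx in (("run", RUN_RE), ("service", SERVICE_RE), ("shortcut", SHORTCUT_RE)):
        m = rx.match(line)
        if not m:
            continue
        cmd = SIZE_DATE_RE.sub("", PUBLISHER_RE.sub("", m.group("cmd")))
        pm = PATH_RE.search(cmd)
        if not pm:
            return None
        return {"kind": kind, "name": m.group("name"), "path": pm.group(1)}
    return None


def looks_random(stem: str) -> bool:
    """8+ letters with at most one vowel: typical of generated names like blwftwjq."""
    return len(stem) >= 8 and stem.isalpha() and sum(c in VOWELS for c in stem.lower()) <= 1


def assess(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an autostart entry deserves a look (empty list = looks normal)."""
    low = entry["path"].lower()
    filename = low.rsplit("\\", 1)[-1]
    stem, _, ext = filename.rpartition(".")
    reasons: List[str] = []
    if any(marker in low for marker in DATA_DIR_MARKERS):
        reasons.append("runs from a data/temp directory")
    if "." + ext not in EXEC_EXTENSIONS:
        reasons.append(f"non-executable extension .{ext}")
    if looks_random(stem):
        reasons.append("random-looking file name")
    if (entry["kind"] == "service" and entry["name"].lower() in CRITICAL_SERVICES
            and "\\windows\\" not in low):
        reasons.append("built-in service pointed outside the Windows directory")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse every recognised line and keep only entries with at least one reason."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_entry(line.strip())
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST_LOG):
        print(f"{f['kind']:9} {f['name']:15} {f['path']}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

On the sample above the script flags exactly the shortcut target and the winmgmt service and leaves the COMODO, NVIDIA and Java entries alone. The service rule is the strong signal: winmgmt is a core Windows service and should never resolve to a file under Application Data. The name heuristic is only a hint (a legitimate name such as RTHDCPL from the full log is letters with no vowels, though short enough to pass the length check), so treat each reason as a prompt to cross-check the file against the One Month Created Files section, as the helper does, rather than as a verdict. Rerunning the same parser after a fix is also how you catch an entry that still references a file that has since been moved, which is what a RUNDLL "module could not be found" error at logon usually means.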

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Now please download this file and save it to your Flash Drive.

[Attachment: fixlist.txt]

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log. Then attempt to boot to normal mode.
 

Attachments
  • fixlist.txt (2.1 KB)

Tim2014

New Member
Thread author
Oct 14, 2013
14
Hi Kuttus, I am pleased to be able to tell you that this fix has worked perfectly - thanks! The log file is below. Is there anything I should do to scan or otherwise check that the PC is fully uninfected now? Oddly, on the same day this problem arose I had earlier run a full Adaware scan, a full Comodo scan and a registry cleanup, not because there was a problem but because I hadn't run anything other than scheduled Comodo scans for several months.

Thanks again for all your help

Tim



Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 03-10-2013
Ran by SYSTEM at 2013-10-16 21:42:31 Run:1
Running from D:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
ShortcutTarget: qjwtfwlb.lnk -> C:\DOCUME~1\ALLUSE~1\APPLIC~1\blwftwjq.plz (Borland Software Corporation)
S2 winmgmt; C:\DOCUME~1\ALLUSE~1\APPLIC~1\blwftwjq.plz [176128 2013-10-13] (Borland Software Corporation)
2013-10-13 19:10 - 2013-10-15 15:00 - 95025368 ____T C:\Documents and Settings\All Users\Application Data\qjwtfwlb.pff
2013-10-13 19:10 - 2013-10-15 14:59 - 00000000 _____ C:\Documents and Settings\All Users\Application Data\qjwtfwlb.ctrl
2013-10-13 19:10 - 2013-10-13 19:10 - 00176128 _____ (Borland Software Corporation) C:\Documents and Settings\All Users\Application Data\blwftwjq.plz
2013-10-13 13:00 - 2013-10-13 13:00 - 00000775 _____ C:\Documents and Settings\All Users\Desktop\TweakNow RegCleaner.lnk
2013-10-13 12:59 - 2013-10-13 13:06 - 00000000 ____D C:\Program Files\TweakNow RegCleaner
2013-10-13 12:59 - 2013-10-13 12:59 - 00000000 ____D C:\Documents and Settings\Tim\Application Data\TweakNow RegCleaner 2012
2013-10-13 12:59 - 2013-10-13 12:59 - 00000000 ____D C:\Documents and Settings\Tim\Application Data\TweakNow RegCleaner
2013-10-07 16:07 - 2013-10-07 16:07 - 00088992 _____ C:\Documents and Settings\Tim\My Documents\royalmailshares.odt
2013-10-15 15:00 - 2013-10-13 19:10 - 95025368 ____T C:\Documents and Settings\All Users\Application Data\qjwtfwlb.pff
2013-10-15 14:59 - 2013-10-13 19:10 - 00000000 _____ C:\Documents and Settings\All Users\Application Data\qjwtfwlb.ctrl
2013-10-15 14:42 - 2009-10-09 17:39 - 01474832 _____ C:\Windows\System32\Drivers\sfi.dat
2013-10-13 19:10 - 2013-10-13 19:10 - 00176128 _____ (Borland Software Corporation) C:\Documents and Settings\All Users\Application Data\blwftwjq.plz
2013-10-13 13:00 - 2013-10-13 13:00 - 00000775 _____ C:\Documents and Settings\All Users\Desktop\TweakNow RegCleaner.lnk
2013-10-13 12:59 - 2013-10-13 12:59 - 00000000 ____D C:\Documents and Settings\Tim\Application Data\TweakNow RegCleaner 2012
2013-10-13 12:59 - 2013-10-13 12:59 - 00000000 ____D C:\Documents and Settings\Tim\Application Data\TweakNow RegCleaner
2013-10-08 15:59 - 2010-05-08 17:27 - 00085504 ___SH C:\Documents and Settings\Tim\My Documents\Thumbs.db
*****************

C:\DOCUME~1\ALLUSE~1\APPLIC~1\blwftwjq.plz => Moved successfully.
winmgmt => Service restored successfully.
C:\Documents and Settings\All Users\Application Data\qjwtfwlb.pff => Moved successfully.
C:\Documents and Settings\All Users\Application Data\qjwtfwlb.ctrl => Moved successfully.
"C:\Documents and Settings\All Users\Application Data\blwftwjq.plz" => File/Directory not found.
C:\Documents and Settings\All Users\Desktop\TweakNow RegCleaner.lnk => Moved successfully.
C:\Program Files\TweakNow RegCleaner => Moved successfully.
C:\Documents and Settings\Tim\Application Data\TweakNow RegCleaner 2012 => Moved successfully.
C:\Documents and Settings\Tim\Application Data\TweakNow RegCleaner => Moved successfully.
C:\Documents and Settings\Tim\My Documents\royalmailshares.odt => Moved successfully.
"C:\Documents and Settings\All Users\Application Data\qjwtfwlb.pff" => File/Directory not found.
"C:\Documents and Settings\All Users\Application Data\qjwtfwlb.ctrl" => File/Directory not found.
C:\Windows\System32\Drivers\sfi.dat => Moved successfully.
"C:\Documents and Settings\All Users\Application Data\blwftwjq.plz" => File/Directory not found.
"C:\Documents and Settings\All Users\Desktop\TweakNow RegCleaner.lnk" => File/Directory not found.
"C:\Documents and Settings\Tim\Application Data\TweakNow RegCleaner 2012" => File/Directory not found.
"C:\Documents and Settings\Tim\Application Data\TweakNow RegCleaner" => File/Directory not found.
C:\Documents and Settings\Tim\My Documents\Thumbs.db => Moved successfully.

==== End of Fixlog ====
 

Tim2014

New Member
Thread author
Oct 14, 2013
14
Hi Kuttus, just a follow up, I thought I'd run a full scan from Malware Bytes on it, the results are below. I have followed its recommended actions which were to remove the registry value and the first and last file. Thanks again. Tim


Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.16.13

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 7.0.5730.13
Tim :: YOUR-A5524CDEFA [administrator]

16/10/2013 23:51:48
MBAM-log-2013-10-17 (01-37-39).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 288148
Time elapsed: 45 minute(s), 46 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Data: 1 -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Documents and Settings\Tim\Local Settings\Temp\~tmf5723185867555416740.dll (Trojan.Ransom.ED) -> No action taken.
C:\Documents and Settings\Tim\My Documents\My Received Files\camfrog.exe (PUP.Optional.Spigot.A) -> No action taken.
C:\FRST\Quarantine\blwftwjq.plz (Trojan.Ransom.ED) -> No action taken.

(end)
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay... It is great to hear that the computer is booted back now. :) Let's do some more scans so that we can make sure there is no other infections remaining.


STEP 1: Run a scan with AdwCleaner
  • Download AdwCleaner from the below link:
    ADWCLEANER DOWNLOAD LINK: http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner (This link will automatically download Security Check on your computer)
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan, then confirm each time with Ok.
  • After the scan is over press on Clean, then confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
<hr />

STEP 2: Run a scan with Junkware Removal Tool

Please download Junkware Removal Tool to your desktop from here
  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply




STEP 3: Run a scan with Kaspersky TDSSKiller
  • Download Kaspersky TDSSKiller from the below link.
    KASPERSKY TDSSKILLER DOWNLOAD LINK: http://support.kaspersky.com/downloads/utils/tdsskiller.exe (This link will automatically download Kaspersky TDSSKiller on your computer)
  • Double-click on TDSSKiller.exe to run the application.
  • Click Change parameters
  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
  • Click on the Start Scan button to begin the scan and wait for it to finish.
    NOTE: Do not use the computer during the scan!
  • When it finishes, you will either see a report that no threats were found.
    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up which you can just close since the report file is already saved.
  • If any infection or suspected items are found, you will see a results window:
    - If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    - If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    - If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects. Make sure that Cure is selected. VERY IMPORTANT! - If Cure is not available, please choose Skip instead. DO NOT choose Delete unless instructed to do so.
  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. Reboot immediately if TDSSKiller states that one is needed.
  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_2.12.2012_14.17.04_log.txt which is based on the program version # and date and time run.
  • Attach this log to your next reply.
<hr />
 

Tim2014

New Member
Thread author
Oct 14, 2013
14
Hi Kuttus, yes so far so good! Here are the scan results, two txt files below and the large one from TDSSKiller is attached. I am seeing an unfamiliar message at start-up which may be related too, I'll post that separately in a minute after rebooting (if it still appears).

Thanks again for your help


Tim




AdwCleaner v3.008 - Report created 17/10/2013 at 20:27:59
# Updated 17/10/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 2 (32 bits)
# Username : Tim - YOUR-A5524CDEFA
# Running from : C:\Documents and Settings\Tim\My Documents\My Received Files\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\PIP
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\PIP

***** [ Browsers ] *****

-\\ Internet Explorer v7.0.5730.13


*************************

AdwCleaner[R0].txt - [967 octets] - [17/10/2013 20:25:49]
AdwCleaner[S0].txt - [903 octets] - [17/10/2013 20:27:59]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [962 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.7 (10.15.2013:3)
OS: Microsoft Windows XP x86
Ran by Tim on 17/10/2013 at 20:33:56.70
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 17/10/2013 at 20:42:34.39
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Tim2014

New Member
Thread author
Oct 14, 2013
14
Hi Kuttus, the pop-up box that appears after restarting is as follows. As it suggests, the file to which it refers does not seem to be in the directory C:\Documents and Settings\All Users\Application Data, even after setting explorer to show hidden files.


---------------------------
RUNDLL
---------------------------
Error loading C:\DOCUME~1\ALLUSE~1\APPLIC~1\blwftwjq.plz

The specified module could not be found.
---------------------------
OK
---------------------------

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay. Your Internet seems really slow anyway...

We can check the start-up issues also.

STEP 1: Clean your temporary files to gain more hard drive space and remove the junk files
<ol>
<li>Download Ccleaner from the below link:
CCLEANER DOWNLOAD LINK <em>(This link will automatically download Ccleaner on your computer)</em></li>
<li>Install Ccleaner by following the prompts</li>
<li>Start Ccleaner and the following should be selected by default, if not, please select:
<img src="http://i52.tinypic.com/4l5a4i.png" alt="Posted Image" /></li>
<li>Click <img src="http://i56.tinypic.com/16jox2o.png" alt="Posted Image" /> and choose <img src="http://i40.tinypic.com/5x3nu8.gif" alt="Posted Image" /></li>
<li>Uncheck <img src="http://i51.tinypic.com/amuvj8.gif" alt="Posted Image" /></li>
<li>Then go back to <img src="http://i41.tinypic.com/2jb4qyb.gif" alt="Posted Image" /> and click <img src="http://i25.tinypic.com/nf47ev.gif" alt="Posted Image" /> to run it.</li>
<li>Exit CCleaner.</li>
</ol>




Now go to Tools -> Startup -> Windows (Start Up Items) -> Save to Text File.
Now go to Tools -> Startup -> Scheduled Tasks -> Save to Text File.

Upload these two log files in your next reply.

Tim2014

New Member
Thread author
Oct 14, 2013
14
Thanks Kuttus - yes it is rather slow, though I've no idea how you worked that out! Can you clarify point 5 above please? Whatever image you posted doesn't display for me, and there are 2 checked boxes in the Advanced tab.

Many thanks

Tim

Tim2014

New Member
Thread author
Oct 14, 2013
14
Hi Kuttus, here are the two txt files as requested, though the scheduled tasks list came up completely empty. All suggestions welcomed anyway.

Thanks again

Tim

Attachments

  • startupscheduledtasks.txt
    2 bytes · Views: 76
  • startup.txt
    4.1 KB · Views: 79

Tim2014

New Member
Thread author
Oct 14, 2013
14
Yes, that does still appear as soon as my desktop loads. Is there any way to track what process is causing it?

Tim2014

New Member
Thread author
Oct 14, 2013
14
Hi Kuttus, I had an idea of looking at that in Process Explorer - the bmp file attached is what I found, while a further breakdown of it is here, out at photobucket, as I've run out of attachment space on here. I hope it's some help. Thanks again. Tim


Attachments

  • Pocessexp properties.bmp
    760.3 KB · Views: 156

kuttus

Level 2
Verified
Oct 5, 2012
2,697
STEP 2: Run a scan with OTL by OldTimer
<ol><li>Download the OTL utility using the below link:
<strong><a title="External link" href="http://oldtimer.geekstogo.com/OTL.exe" rel="nofollow external">OTL DOWNLOAD LINK</a> <em>(This link will automatically download OTL on your computer)</em></strong></li>
<li>Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
<img src="http://malwaretips.com/blogs/wp-content/uploads/2012/07/OTL-logo.png" alt="" title="OTL-logo" width="106" height="118" class="alignnone size-full wp-image-3946" /></li>
<li>When the window appears, <strong>underneath Output</strong> at the top change it to <strong>Minimal Output</strong>.</li>
<li>Check the boxes beside <strong>LOP Check</strong> and <strong>Purity Check</strong>.</li>
<li>Click the <strong>Run Scan</strong> button.
<img src="http://malwaretips.com/blogs/wp-content/uploads/2012/07/OTL.png" alt="" title="OTL" width="658" height="584" class="alignnone size-full wp-image-3945" /></li>
<li>When the scan completes, it will open two notepad windows, <strong>OTL.Txt</strong> and <strong>Extras.Txt</strong>. These are saved in the same location as OTL.
<strong>Please post these 2 logs in your first reply.</strong></li></ol>

Settings you need to select in OTL
  1. Click the Scan All Users checkbox.
  2. Change Standard Registry to All.
  3. Check the boxes beside LOP Check and Purity Check.
<em>Note: If OTL.exe will not run, it may be blocked by malware. Try these alternate versions: <a title="External link" href="http://www.itxassociates.com/OT-Tools/OTL.scr" rel="nofollow external">OTL.scr</a>, or <a title="External link" href="http://oldtimer.geekstogo.com/OTL.com" rel="nofollow external">OTL.com</a>.</em>

<hr />

Tim2014

New Member
Thread author
Oct 14, 2013
14
Hi Kuttus, here are the two logs from OTL as requested. Thanks for your continuing help!


Tim

Attachments

  • Extras.Txt
    44.4 KB · Views: 98
  • OTL.Txt
    77 KB · Views: 108

kuttus

Level 2
Verified
Oct 5, 2012
2,697
STEP 1: Run the below OTL fix
<ol><li>Start <strong>OTL.exe</strong></li>
<li>Copy/paste the following text written <strong>inside of the code box</strong> into the <strong>Custom Scans/Fixes</strong> box located at the bottom of OTL
Code:
:OTL
O4 - Startup: C:\Documents and Settings\Tim\Start Menu\Programs\Startup\qjwtfwlb.lnk = C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation)
[2013/10/14 00:10:39 | 000,000,808 | ---- | M] () -- C:\Documents and Settings\Tim\Start Menu\Programs\Startup\qjwtfwlb.lnk
[2010/08/04 20:29:41 | 000,000,406 | ---- | C] () -- C:\Documents and Settings\Tim\Application Data\burnaware.ini
[2010/05/29 18:38:06 | 000,000,016 | ---- | C] () -- C:\Documents and Settings\Tim\Application Data\vqdlkr.dat
[2010/02/04 00:42:06 | 000,016,384 | ---- | C] () -- C:\Documents and Settings\Tim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 


:commands
[emptytemp]
[reboot]
<strong>NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system</strong></li>
<li>Then click the <strong>Run Fix</strong> button at the top</li>
<li>Let the program run unhindered, reboot when it is done</li>
<li>Attach the new log produced by OTL (C:\_OTL)</li>
</ol>

<hr />
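As an added example (not OTL's code and not part of the thread's fix script), here is a Python triage of the kind of Startup-folder persistence the fix above removes: it parses the "O4 - Startup:" line format quoted in the script and flags rundll32.exe shortcuts whose module is missing on disk, which is the condition behind the RUNDLL "Error loading ... blwftwjq.plz" pop-up reported earlier. Pairing that .lnk with the module path from the pop-up, the DllEntry entry point, and the benign vendor shortcut are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
# OTL "O4 - Startup:" line format, as quoted in the fix script above.
O4_RE = re.compile(r"^O4 - Startup: (?P<lnk>.+?) = (?P<target>.+?) \((?P<vendor>[^)]*)\)$")

@dataclass
class StartupEntry:
    lnk: str     # shortcut sitting in a Startup folder
    target: str  # executable the shortcut launches
    vendor: str  # company name OTL prints in parentheses
    args: str    # shortcut arguments (not part of the O4 line; supplied separately)

def parse_o4(line: str, args: str = "") -> Optional[StartupEntry]:
    """Parse one O4 line; None if the line is not an O4 Startup entry."""
    m = O4_RE.match(line.strip())
    return StartupEntry(m["lnk"], m["target"], m["vendor"], args) if m else None

def rundll32_module(entry: StartupEntry) -> Optional[str]:
    """For rundll32.exe launches, the module it is asked to load (syntax: <module>,<entry>)."""
    if not entry.target.lower().endswith("\\rundll32.exe"):
        return None
    return entry.args.split(",", 1)[0].strip().strip('"') or None

def triage(entries: List[StartupEntry], exists: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """(lnk, reason) pairs worth a look; `exists` is injected so the logic also runs on a live disk."""
    findings = []
    for e in entries:
        module = rundll32_module(e)
        if module is None:
            continue
        if not exists(module):  # orphaned loader: exactly what produces the RUNDLL pop-up
            findings.append((e.lnk, f"rundll32 module missing: {module}"))
        elif not module.lower().endswith(".dll"):
            findings.append((e.lnk, f"rundll32 module with unusual extension: {module}"))
    return findings

# Constructed sample: the O4 line from the fix script, paired (by assumption) with the
# module path shown in the RUNDLL error, plus a benign vendor shortcut for contrast.
SAMPLE = [
    (r"O4 - Startup: C:\Documents and Settings\Tim\Start Menu\Programs\Startup\qjwtfwlb.lnk = C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation)",
     r"C:\DOCUME~1\ALLUSE~1\APPLIC~1\blwftwjq.plz,DllEntry"),
    (r"O4 - Startup: C:\Documents and Settings\Tim\Start Menu\Programs\Startup\vendor.lnk = C:\Program Files\Vendor\tray.exe (Vendor Ltd)", ""),
]
PRESENT = {r"C:\WINDOWS\system32\rundll32.exe", r"C:\Program Files\Vendor\tray.exe"}  # constructed "disk"

def run_sample() -> List[Tuple[str, str]]:
    entries = [e for e in (parse_o4(line, args) for line, args in SAMPLE) if e]
    return triage(entries, PRESENT.__contains__)
```

On a real machine, pass os.path.exists as `exists` and feed it the O4 lines from an OTL.Txt together with each shortcut's arguments.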

Tim2014

New Member
Thread author
Oct 14, 2013
14
Hi Kuttus- I've run that as requested, here's the output below. I'm also pleased to report that the usual Rundll error message no longer appeared on reboot. Thanks again. Tim



All processes killed
========== OTL ==========
C:\Documents and Settings\Tim\Start Menu\Programs\Startup\qjwtfwlb.lnk moved successfully.
C:\WINDOWS\system32\rundll32.exe moved successfully.
File C:\Documents and Settings\Tim\Start Menu\Programs\Startup\qjwtfwlb.lnk not found.
C:\Documents and Settings\Tim\Application Data\burnaware.ini moved successfully.
C:\Documents and Settings\Tim\Application Data\vqdlkr.dat moved successfully.
C:\Documents and Settings\Tim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully.
File ptytemp] not found.
File boot] not found.

OTL by OldTimer - Version 3.2.69.0 log created on 10222013_192000

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...