fbi ransomware/white screen
<blockquote data-quote="travis" data-source="post: 143477" data-attributes="member: 14723">
<p>Kuttus,</p>
<p>Thank you for your help.</p>
<p></p>
<p>Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 31-10-2013</p>
<p>Ran by SYSTEM on MININT-JMNALUH on 08-11-2013 23:39:07</p>
<p>Running from G:\</p>
<p>Windows 7 Home Premium (X64) OS Language: English(US)</p>
<p>Internet Explorer Version 10</p>
<p>Boot Mode: Recovery</p>
<p></p>
<p>The current controlset is ControlSet002</p>
<p><strong>ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.</strong></p>
<p></p>
<p>==================== Registry (Whitelisted) ==================</p>
<p></p>
<p>HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-28] (Realtek Semiconductor)</p>
<p>HKLM\...\Run: [Acer ePower Management] - C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe [828960 2009-08-05] (Acer Incorporated)</p>
<p>HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated)</p>
<p>HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()</p>
<p>HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [499608 2011-03-30] (Adobe Systems Incorporated)</p>
<p>HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey <===== ATTENTION (File name is altered)</p>
<p>Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)</p>
<p>HKLM-x32\...\Run: [LManager] - C:\Program Files (x86)\Launch Manager\LManager.exe [1157640 2009-08-18] (Dritek System Inc.)</p>
<p>HKLM-x32\...\Run: [NortonOnlineBackupReminder] - C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe [588648 2009-07-24] (Symantec Corporation)</p>
<p>HKLM-x32\...\Run: [lxdvmon.exe] - C:\Program Files (x86) (x86)\Lexmark X5400 Series\lxdvmon.exe [455336 2007-11-02] ()</p>
<p>HKLM-x32\...\Run: [lxdvamon] - C:\Program Files (x86) (x86)\Lexmark X5400 Series\lxdvamon.exe [25256 2007-11-02] ()</p>
<p>HKLM-x32\...\Run: [Monitor] - C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe [443728 2009-11-10] (LeapFrog Enterprises, Inc.)</p>
<p>HKLM-x32\...\Run: [EEventManager] - C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [673616 2009-04-07] (SEIKO EPSON CORPORATION)</p>
<p>HKLM-x32\...\Run: [] - [x]</p>
<p>HKLM-x32\...\Run: [AT&T Communication Manager] - C:\Program Files (x86)\AT&T\Communication Manager\ATTCM.exe [883272 2009-10-09] (ATT)</p>
<p>HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.)</p>
<p>HKLM-x32\...\Run: [AdobeCS5ServiceManager] - C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe [406992 2010-02-22] (Adobe Systems Incorporated)</p>
<p>HKLM-x32\...\Run: [SwitchBoard] - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)</p>
<p>HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] - C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [1523360 2011-01-12] (Adobe Systems Incorporated)</p>
<p>HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)</p>
<p>HKLM-x32\...\Run: [SignIn] - C:\Program Files (x86)\Microsoft Online Services\Sign In\SignIn.exe [1742704 2011-03-16] (Microsoft Corporation)</p>
<p>HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrobat_sl.exe [36800 2012-07-27] (Adobe Systems Incorporated)</p>
<p>HKLM-x32\...\Run: [Acrobat Assistant 8.0] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe [823224 2012-07-27] (Adobe Systems Inc.)</p>
<p>HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)</p>
<p>HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [162336 2009-07-21] ()</p>
<p>HKU\Default User\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [162336 2009-07-21] ()</p>
<p>HKU\Owner\...\Run: [MobiLink Lite] - C:\Program Files (x86)\Novatel Wireless\Mobilink\Lite.exe [401480 2008-01-11] (Novatel Wireless)</p>
<p>HKU\Owner\...\Run: [msnmsgr] - C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [4280184 2012-03-08] (Microsoft Corporation)</p>
<p>HKU\Owner\...\Run: [Skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [17418928 2012-07-13] (Skype Technologies S.A.)</p>
<p>HKU\Owner\...\Run: [Akamai NetSession Interface] - C:\Users\Owner\AppData\Local\Akamai\netsession_win.exe [4489472 2013-06-04] (Akamai Technologies, Inc.)</p>
<p>HKU\Owner\...\Run: [Artisan 710(Network)] - C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIFSA.EXE /FU "C:\Users\Owner\AppData\Local\Temp\E_S63B2.tmp" /EF "HKCU"</p>
<p>HKU\Owner\...\Run: [SearchProtection] - C:\Users\Owner\AppData\Roaming\Search Protection\SearchProtection.exe [740712 2013-05-22] (Spigot, Inc.)</p>
<p>HKU\Owner\...\Run: [Gateway Update] - regsvr32.exe C:\Users\Owner\AppData\Local\Gateway\fsqnagmrpeff.dll</p>
<p>HKU\Owner\...\Run: [Adobe CSS5.1 Manager] - C:\Users\Owner\AppData\Local\111a93b4-8dac-46e4-b299-213b24a3ccfcad\abdacebbaccfcad.exe [122880 2013-08-20] () <===== ATTENTION</p>
<p>HKU\Owner\...\Winlogon: [Shell] explorer.exe,C:\Users\Owner\AppData\Roaming\skype.dat [163840 2013-07-08] (SmartWall Software Int) <==== ATTENTION</p>
<p>Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncsfjwaeoaqcwsanlhg.lnk</p>
<p>ShortcutTarget: ncsfjwaeoaqcwsanlhg.lnk -> C:\Users\Owner\AppData\Local\Temp\ghlnaswcqaoeawjfscn.bfg ()</p>
<p></p>
<p>==================== Services (Whitelisted) =================</p>
<p></p>
<p>S2 Akamai; c:\program files (x86)\common files\akamai/netsession_win_8fa3539.dll [4569856 2013-07-01] (Akamai Technologies, Inc.)</p>
<p>S3 ATTRcAppSvc; C:\Program Files (x86)\AT&T\Communication Manager\RcAppSvc.exe [121416 2009-10-09] (SmithMicro Inc.)</p>
<p>S3 CAATT; C:\Program Files (x86)\AT&T\Communication Manager\ConAppsSvc.exe [125512 2009-10-09] (SmithMicro Inc.)</p>
<p>S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)</p>
<p>S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)</p>
<p></p>
<p>==================== Drivers (Whitelisted) ====================</p>
<p></p>
<p>S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)</p>
<p>S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)</p>
<p>S3 PCTINDIS5X64; C:\Windows\system32\PCTINDIS5X64.SYS [43032 2009-10-09] (Smith Micro Inc.)</p>
<p>S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [31744 2009-01-09] (Research in Motion Ltd)</p>
<p>S3 swmsflt; C:\Windows\System32\DRIVERS\swmsflt.sys [34304 2009-01-14] ()</p>
<p>S3 SWNC8UA3; C:\Windows\System32\DRIVERS\swnc8ua3.sys [227840 2009-03-31] (Sierra Wireless Inc.)</p>
<p>S3 SWUMXA3; C:\Windows\System32\DRIVERS\swumxa3.sys [198528 2009-05-04] (Sierra Wireless Inc.)</p>
<p></p>
<p>==================== NetSvcs (Whitelisted) ===================</p>
<p></p>
<p></p>
<p>==================== One Month Created Files and Folders ========</p>
<p></p>
<p>2013-11-08 23:38 - 2013-11-08 23:38 - 00000000 ____D C:\FRST</p>
<p></p>
<p>==================== One Month Modified Files and Folders =======</p>
<p></p>
<p>2013-11-08 23:38 - 2013-11-08 23:38 - 00000000 ____D C:\FRST</p>
<p></p>
<p>ZeroAccess:</p>
<p>C:\$Recycle.Bin\S-1-5-21-3567909126-1194767173-2892429766-1000\$58278a142a791e1a6e064c706832dbf7</p>
<p></p>
<p>Files to move or delete:</p>
<p>====================</p>
<p>C:\Users\Owner\AppData\Local\111a93b4-8dac-46e4-b299-213b24a3ccfcad\abdacebbaccfcad.exe</p>
<p>C:\Users\Owner\AppData\Roaming\skype.dat</p>
<p>C:\Users\Owner\AppData\Roaming\skype.ini</p>
<p>C:\Windows\svchost.exe</p>
<p>ATTENTION ====> Check for partition/boot infection.</p>
<p>C:\ProgramData\ncsfjwaeoaqcwsanlhg.reg</p>
<p>C:\Users\Owner\conhost.exe</p>
<p>C:\Users\Owner\rundll32.exe</p>
<p>C:\Users\Owner\vlcplayer.exe</p>
<p>C:\Users\Owner\windowsupdate.exe</p>
<p>C:\Users\Owner\winlogon.exe</p>
<p>C:\Windows\Tasks\{0F257AA3-27F2-46FA-B80D-C6F704F102E5}.job</p>
<p></p>
<p></p>
<p>Some content of TEMP:</p>
<p>====================</p>
<p>C:\Users\Owner\AppData\Local\Temp\01365982607774.exe</p>
<p>C:\Users\Owner\AppData\Local\Temp\ghlnaswcqaoeawjfscn.bfg</p>
<p>C:\Users\Owner\AppData\Local\Temp\InstallFlashPlayer.exe</p>
<p>C:\Users\Owner\AppData\Local\Temp\ndhflthicuxjcddswoy.bfg</p>
<p>C:\Users\Owner\AppData\Local\Temp\notepad.exe</p>
<p>C:\Users\Owner\AppData\Local\Temp\RealPlayer_20130122.exe</p>
<p>C:\Users\Owner\AppData\Local\Temp\{EE93872D-50FA-48DB-B506-19D38602FFF2}-27.0.1453.116_27.0.1453.110_chrome_updater.exe</p>
<p></p>
<p></p>
<p>==================== Known DLLs (Whitelisted) ================</p>
<p></p>
<p></p>
<p>==================== Bamital & volsnap Check =================</p>
<p></p>
<p>C:\Windows\System32\winlogon.exe => MD5 is legit</p>
<p>C:\Windows\System32\wininit.exe => MD5 is legit</p>
<p>C:\Windows\SysWOW64\wininit.exe => MD5 is legit</p>
<p>C:\Windows\explorer.exe => MD5 is legit</p>
<p>C:\Windows\SysWOW64\explorer.exe => MD5 is legit</p>
<p>C:\Windows\System32\svchost.exe => MD5 is legit</p>
<p>C:\Windows\SysWOW64\svchost.exe => MD5 is legit</p>
<p>C:\Windows\System32\services.exe => MD5 is legit</p>
<p>C:\Windows\System32\User32.dll => MD5 is legit</p>
<p>C:\Windows\SysWOW64\User32.dll => MD5 is legit</p>
<p>C:\Windows\System32\userinit.exe => MD5 is legit</p>
<p>C:\Windows\SysWOW64\userinit.exe => MD5 is legit</p>
<p>C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit</p>
<p></p>
<p>==================== EXE ASSOCIATION =====================</p>
<p></p>
<p>HKLM\...\.exe: exefile => OK</p>
<p>HKLM\...\exefile\DefaultIcon: %1 => OK</p>
<p>HKLM\...\exefile\open\command: "%1" %* => OK</p>
<p></p>
<p>==================== Restore Points =========================</p>
<p></p>
<p>16</p>
<p>Restore point made on: 2013-07-18 01:11:49</p>
<p>Restore point made on: 2013-07-19 07:55:12</p>
<p>Restore point made on: 2013-07-23 10:16:29</p>
<p>Restore point made on: 2013-07-24 00:00:38</p>
<p>Restore point made on: 2013-07-28 09:21:39</p>
<p>Restore point made on: 2013-07-29 21:50:41</p>
<p>Restore point made on: 2013-07-31 10:28:06</p>
<p>Restore point made on: 2013-08-04 10:32:48</p>
<p>Restore point made on: 2013-08-09 08:32:30</p>
<p>Restore point made on: 2013-08-12 23:07:00</p>
<p>Restore point made on: 2013-08-14 09:05:33</p>
<p>Restore point made on: 2013-08-15 09:10:58</p>
<p>Restore point made on: 2013-08-20 09:24:09</p>
<p>Restore point made on: 2013-08-20 09:42:19</p>
<p>Restore point made on: 2013-08-21 06:45:10</p>
<p>Restore point made on: 2013-08-21 15:36:42</p>
<p></p>
<p>==================== Memory info ===========================</p>
<p></p>
<p>Percentage of memory in use: 16%</p>
<p>Total physical RAM: 4025.98 MB</p>
<p>Available physical RAM: 3360.89 MB</p>
<p>Total Pagefile: 4024.13 MB</p>
<p>Available Pagefile: 3364.8 MB</p>
<p>Total Virtual: 8192 MB</p>
<p>Available Virtual: 8191.88 MB</p>
<p></p>
<p>==================== Drives ================================</p>
<p></p>
<p>Drive c: (Gateway) (Fixed) (Total:453.66 GB) (Free:340.3 GB) NTFS</p>
<p>Drive e: (PQSERVICE) (Fixed) (Total:12 GB) (Free:3.24 GB) NTFS</p>
<p>Drive g: (RUTH KOC) (Removable) (Total:0.11 GB) (Free:0.11 GB) FAT</p>
<p>Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS</p>
<p>Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]</p>
<p></p>
<p>==================== MBR & Partition Table ==================</p>
<p></p>
<p>========================================================</p>
<p>Disk: 0 (MBR Code: Windows XP) (Size: 466 GB) (Disk ID: 0CC6A173)</p>
<p>Partition 1: (Not Active) - (Size=12 GB) - (Type=27)</p>
<p>Partition 2: (Active) - (Size=102 MB) - (Type=07 NTFS)</p>
<p>Partition 3: (Not Active) - (Size=454 GB) - (Type=07 NTFS)</p>
<p></p>
<p>========================================================</p>
<p>Disk: 1 (Size: 117 MB) (Disk ID: 00000000)</p>
<p>Partition 1: (Active) - (Size=117 MB) - (Type=06)</p>
<p></p>
<p></p>
<p>LastRegBack: 2013-08-18 09:18</p>
<p></p>
<p>==================== End Of Log ============================</p>
</blockquote>