We’d like to remind Forumites to please avoid political debate on the Forum.
This is to keep it a safe and useful space for MoneySaving discussions. Threads that are – or become – political in nature may be removed in line with the Forum’s rules. Thank you for your understanding.
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
The Forum now has a brand new text editor, adding a bunch of handy features to use when creating posts. Read more in our how-to guide
We're aware that some users are currently experiencing slow loading times and errors on the Forum. Our tech team is working to resolve the issue. Thanks for your patience.
FBI Ransome virus- Desktop taken over!
Comments
-
Volume in drive C has no label.
Volume Serial Number is 209F-DA2A
Directory of C:\windows\pss
20/09/2012 14:20 <DIR> .
20/09/2012 14:20 <DIR> ..
16/08/2012 16:56 1,757 Adobe Reader Speed Launch.lnkCommon Startup
01/11/2009 14:47 211 boot.ini.backup
24/09/2009 17:39 231 system.ini.backup
04/10/2009 14:24 603 win.ini.backup
4 File(s) 2,802 bytes
2 Dir(s) 125,029,588,992 bytes free0 -
Do each of these in turn
First,
Go to start > run and copy the following command in and click ok (Don't include Code:)cmd /c copy %windir%\pss\boot.ini.backup C:\boot.ini
Then,
Go to start > run and copy the following command in and click ok (Don't include Code:)attrib +r +s +h c:\boot.ini
Finally,
Go to start > run and copy the following command in and click ok (Don't include Code:)cmd /c dir /Ah C:\ >>Log.txt&Log.txt&del Log.txt
Post the contents of the resulting notepad file.0 -
Volume in drive C has no label.
Volume Serial Number is 209F-DA2A
Directory of C:\
01/11/2009 14:47 211 boot.ini
20/10/2012 22:06 1,877,389,312 hiberfil.sys
24/09/2009 16:45 0 IO.SYS
24/09/2009 16:45 0 MSDOS.SYS
14/04/2008 13:00 47,564 NTDETECT.COM
14/04/2008 13:00 250,048 ntldr
20/10/2012 22:06 1,409,286,144 pagefile.sys
19/10/2012 14:02 <DIR> RECYCLER
24/09/2009 16:49 <DIR> System Volume Information
7 File(s) 3,286,973,279 bytes
2 Dir(s) 124,860,841,984 bytes free0 -
Re-run combofix - It should install the recovery console now. Let it update if it prompts that a new version is available.0
-
ComboFix 12-10-21.01 - New User 21/10/2012 11:02:10.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1790.914 [GMT 1:00]
Running from: c:\documents and settings\New User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\New User\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2012-09-21 to 2012-10-21 )))))))))))))))))))))))))))))))
.
.
2012-10-17 19:00 . 2012-10-18 11:28
dc----w- c:\documents and settings\New User\Local Settings\Application Data\Google
2012-10-17 19:00 . 2012-08-21 09:13 355632 -c--a-w- c:\windows\system32\drivers\aswSP.sys
2012-10-17 19:00 . 2012-08-21 09:13 21256 -c--a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-10-17 19:00 . 2012-08-21 09:13 35928 -c--a-w- c:\windows\system32\drivers\aswRdr.sys
2012-10-17 19:00 . 2012-08-21 09:13 54232 -c--a-w- c:\windows\system32\drivers\aswTdi.sys
2012-10-17 19:00 . 2012-08-21 09:13 729752 -c--a-w- c:\windows\system32\drivers\aswSnx.sys
2012-10-17 19:00 . 2012-08-21 09:13 97608 -c--a-w- c:\windows\system32\drivers\aswmon2.sys
2012-10-17 19:00 . 2012-08-21 09:13 89624 -c--a-w- c:\windows\system32\drivers\aswmon.sys
2012-10-17 19:00 . 2012-08-21 09:13 25256 -c--a-w- c:\windows\system32\drivers\aavmker4.sys
2012-10-17 18:59 . 2012-08-21 09:12 41224 -c--a-w- c:\windows\avastSS.scr
2012-10-17 18:59 . 2012-08-21 09:12 227648 -c--a-w- c:\windows\system32\aswBoot.exe
2012-10-17 18:58 . 2012-10-17 18:58
dc----w- c:\program files\AVAST Software
2012-10-17 18:58 . 2012-10-17 18:58
dc----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-10-16 19:54 . 2012-10-17 00:34
d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-10-09 14:04 . 2012-10-09 14:04
dc----w- c:\documents and settings\New User\Local Settings\Application Data\PCHealth
2012-09-23 11:01 . 2008-07-04 13:33 101120 -c--a-r- c:\windows\system32\drivers\ewusbmdm.sys
2012-09-23 11:01 . 2012-09-23 11:01
dc----w- c:\documents and settings\New User\Application Data\Vodafone
2012-09-23 11:01 . 2012-09-23 11:01
dc----w- c:\documents and settings\All Users\Application Data\InstallShield
2012-09-23 11:01 . 2012-09-23 11:01
dc----w- c:\documents and settings\LocalService\Application Data\Vodafone
2012-09-23 11:00 . 2012-09-23 11:00
dc----w- c:\documents and settings\All Users\Application Data\Vodafone
2012-09-23 11:00 . 2012-09-23 11:00
dc----w- c:\program files\Vodafone
2012-09-23 11:00 . 2012-09-23 11:00
dc----w- c:\documents and settings\New User\Local Settings\Application Data\{3B8B09B1-BF28-4F18-9905-7E5CA2899C01}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-09 17:02 . 2012-03-30 07:38 696760 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 17:02 . 2011-05-15 12:06 73656 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-29 18:54 . 2012-02-29 22:19 22856 -c--a-w- c:\windows\system32\drivers\mbam.sys
2012-08-30 19:05 . 2012-08-30 19:05 13816 -c--a-w- c:\windows\system32\unikey.sys
2012-08-28 15:14 . 2008-04-14 12:00 916992 -c--a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2008-04-14 12:00 43520 -c----w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2008-04-14 12:00 1469440 -c----w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2008-04-14 12:00 385024 -c----w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2008-04-14 12:00 177664 -c--a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:29 . 2008-04-14 12:00 2192896 -c--a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2008-04-14 00:01 2069632 -c--a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:12 121528 -c--a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13545472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-04-15 417792]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 15:20 57344 -c----r- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-05-30 19:06 59280 -c--a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 18:36 30040 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-06-07 18:33 421776 -c--a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-09-29 18:54 766536 -c--a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileConnect]
2008-10-09 14:33 2086912 -c--a-w- c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 04:42 1695232 -c----w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-09-17 14:24 13545472 -c--a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-09-17 14:24 1630208 -c--a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-04-15 16:23 417792 -c--a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-07-31 14:05 16806912
w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 13:06 254696 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [17/10/2012 20:00 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [17/10/2012 20:00 355632]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\documents and settings\New User\Desktop\VCdRom.sys [19/12/2001 11:45 8576]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [17/10/2012 20:00 21256]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [14/09/2012 17:22 399432]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [09/10/2008 15:32 14336]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [29/02/2012 23:19 22856]
R3 mtc0303;BIOS Service Provider;c:\windows\system32\drivers\Mtc0303.sys [04/07/2007 08:52 32896]
R3 VIACRX86;VIACRX86;c:\windows\system32\drivers\viacr.sys [24/09/2009 17:03 59264]
S0 rpekojj;rpekojj;c:\windows\system32\drivers\kudfrft.sys --> c:\windows\system32\drivers\kudfrft.sys [?]
S1 nflviuqa;nflviuqa;\??\c:\windows\system32\drivers\nflviuqa.sys --> c:\windows\system32\drivers\nflviuqa.sys [?]
S1 qhwxidei;qhwxidei;\??\c:\windows\system32\drivers\qhwxidei.sys --> c:\windows\system32\drivers\qhwxidei.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/10/2009 01:44 133104]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [29/02/2012 23:19 676936]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 13:28 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [30/03/2012 08:38 250808]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys --> c:\windows\system32\DRIVERS\ew_hwusbdev.sys [?]
S3 filtertdidriver;filtertdidriver;c:\windows\system32\drivers\ewfiltertdidriver.sys --> c:\windows\system32\drivers\ewfiltertdidriver.sys [?]
S3 flashusb;flashusb;c:\windows\system32\drivers\flashusb.sys [03/06/2012 13:19 16384]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [22/10/2009 16:35 36608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [01/10/2009 01:44 133104]
S3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys --> c:\windows\system32\DRIVERS\ew_jucdcacm.sys [?]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys --> c:\windows\system32\DRIVERS\ew_jubusenum.sys [?]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys --> c:\windows\system32\drivers\massfilter.sys [?]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [03/06/2012 13:20 15896]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys --> c:\windows\system32\DRIVERS\ZTEusbnet.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 17:02]
.
2012-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-10-20 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-10-17 09:12]
.
2012-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc12f45672ead6.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-01 00:44]
.
2012-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cc12f456b0e7fa.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-01 00:44]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.bigseekpro.com/gsmevolution0/{F29811B0-13BC-4072-B9AA-209A234F0ABB}
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvLsp.dll
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-21 11:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
LOCKED REGISTRY KEYS
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\M*i*c*r*o*-*B*o*x* *"!\Micro-Box A.I.0\RestorePointInfo]
"SequenceNumber"="322"
.
DLLs Loaded Under Running Processes
.
- - - - - - - > 'lsass.exe'(924)
c:\windows\system32\nvLsp.dll
.
- - - - - - - > 'explorer.exe'(2264)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-10-21 11:07:49
ComboFix-quarantined-files.txt 2012-10-21 10:07
ComboFix2.txt 2012-10-18 11:36
.
Pre-Run: 124,580,552,704 bytes free
Post-Run: 124,589,338,624 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 067F34C9E89A8172224538EADF7D6AA70 -
Good, that all looks to have worked.
Run this combofix script.
If combofix tells you there is a newer version available, let it update.- Open Notepad
- Copy and paste the text present inside the code box below (Don't include Code:)
Driver:: rpekojj nflviuqa qhwxidei Rootkit:: c:\windows\system32\drivers\kudfrft.sys c:\windows\system32\drivers\nflviuqa.sys c:\windows\system32\drivers\qhwxidei.sys DDS:: mStart Page = hxxp://www.bigseekpro.com/gsmevolution0/{F29811B0-13BC-4072-B9AA-209A234F0ABB} uInternet Settings,ProxyOverride = *.local ClearJavaCache::- Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
- Temporarily disable your anti-virus, before following the steps below.
- To disable your Antivirus, see here.
- Drag CFScript.txt into ComboFix.exe as the screenshot above shows.
- ComboFix will scan & may reboot when it finishes. Combofix.txt will open.
- Copy and paste the contents of the log here.
0 -
Followed the above steps... this is the response
Widows cannot access the specified device,path or folder. You may not have the appropriate permissions to access the items0 -
At what point? When you drag the text file into the combofix icon?0
-
No it's when I paste code in to Start>run process and then press OK. That's when this message appears.0
-
No, its different to what we were doing before.
You have to paste it into notepad. Save it as CFScript.txt and change the "Save as type" to "All Files" . save it to your desktop.
Then drag it into the combofix icon.0
This discussion has been closed.
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 354.4K Banking & Borrowing
- 254.4K Reduce Debt & Boost Income
- 455.4K Spending & Discounts
- 247.3K Work, Benefits & Business
- 604.1K Mortgages, Homes & Bills
- 178.5K Life & Family
- 261.6K Travel & Transport
- 1.5M Hobbies & Leisure
- 16K Discuss & Feedback
- 37.7K Read-Only Boards