FBI Ransom virus - Desktop taken over!
-
Volume in drive C has no label.
Volume Serial Number is 209F-DA2A
Directory of C:\windows\pss
20/09/2012 14:20 <DIR> .
20/09/2012 14:20 <DIR> ..
16/08/2012 16:56 1,757 Adobe Reader Speed Launch.lnkCommon Startup
01/11/2009 14:47 211 boot.ini.backup
24/09/2009 17:39 231 system.ini.backup
04/10/2009 14:24 603 win.ini.backup
4 File(s) 2,802 bytes
2 Dir(s) 125,029,588,992 bytes free
Do each of these in turn.
First, go to start > run and copy the following command in and click ok (don't include Code:):
cmd /c copy %windir%\pss\boot.ini.backup C:\boot.ini
Then, go to start > run and copy the following command in and click ok (don't include Code:):
attrib +r +s +h c:\boot.ini
Finally, go to start > run and copy the following command in and click ok (don't include Code:):
cmd /c dir /Ah C:\ >>Log.txt&Log.txt&del Log.txt
Post the contents of the resulting notepad file.
Volume in drive C has no label.
Volume Serial Number is 209F-DA2A
Directory of C:\
01/11/2009 14:47 211 boot.ini
20/10/2012 22:06 1,877,389,312 hiberfil.sys
24/09/2009 16:45 0 IO.SYS
24/09/2009 16:45 0 MSDOS.SYS
14/04/2008 13:00 47,564 NTDETECT.COM
14/04/2008 13:00 250,048 ntldr
20/10/2012 22:06 1,409,286,144 pagefile.sys
19/10/2012 14:02 <DIR> RECYCLER
24/09/2009 16:49 <DIR> System Volume Information
7 File(s) 3,286,973,279 bytes
2 Dir(s) 124,860,841,984 bytes free
Re-run combofix - It should install the recovery console now. Let it update if it prompts that a new version is available.
-
ComboFix 12-10-21.01 - New User 21/10/2012 11:02:10.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1790.914 [GMT 1:00]
Running from: c:\documents and settings\New User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\New User\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2012-09-21 to 2012-10-21 )))))))))))))))))))))))))))))))
.
.
2012-10-17 19:00 . 2012-10-18 11:28 dc----w- c:\documents and settings\New User\Local Settings\Application Data\Google
2012-10-17 19:00 . 2012-08-21 09:13 355632 -c--a-w- c:\windows\system32\drivers\aswSP.sys
2012-10-17 19:00 . 2012-08-21 09:13 21256 -c--a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-10-17 19:00 . 2012-08-21 09:13 35928 -c--a-w- c:\windows\system32\drivers\aswRdr.sys
2012-10-17 19:00 . 2012-08-21 09:13 54232 -c--a-w- c:\windows\system32\drivers\aswTdi.sys
2012-10-17 19:00 . 2012-08-21 09:13 729752 -c--a-w- c:\windows\system32\drivers\aswSnx.sys
2012-10-17 19:00 . 2012-08-21 09:13 97608 -c--a-w- c:\windows\system32\drivers\aswmon2.sys
2012-10-17 19:00 . 2012-08-21 09:13 89624 -c--a-w- c:\windows\system32\drivers\aswmon.sys
2012-10-17 19:00 . 2012-08-21 09:13 25256 -c--a-w- c:\windows\system32\drivers\aavmker4.sys
2012-10-17 18:59 . 2012-08-21 09:12 41224 -c--a-w- c:\windows\avastSS.scr
2012-10-17 18:59 . 2012-08-21 09:12 227648 -c--a-w- c:\windows\system32\aswBoot.exe
2012-10-17 18:58 . 2012-10-17 18:58 dc----w- c:\program files\AVAST Software
2012-10-17 18:58 . 2012-10-17 18:58 dc----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-10-16 19:54 . 2012-10-17 00:34 d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-10-09 14:04 . 2012-10-09 14:04 dc----w- c:\documents and settings\New User\Local Settings\Application Data\PCHealth
2012-09-23 11:01 . 2008-07-04 13:33 101120 -c--a-r- c:\windows\system32\drivers\ewusbmdm.sys
2012-09-23 11:01 . 2012-09-23 11:01 dc----w- c:\documents and settings\New User\Application Data\Vodafone
2012-09-23 11:01 . 2012-09-23 11:01 dc----w- c:\documents and settings\All Users\Application Data\InstallShield
2012-09-23 11:01 . 2012-09-23 11:01 dc----w- c:\documents and settings\LocalService\Application Data\Vodafone
2012-09-23 11:00 . 2012-09-23 11:00 dc----w- c:\documents and settings\All Users\Application Data\Vodafone
2012-09-23 11:00 . 2012-09-23 11:00 dc----w- c:\program files\Vodafone
2012-09-23 11:00 . 2012-09-23 11:00 dc----w- c:\documents and settings\New User\Local Settings\Application Data\{3B8B09B1-BF28-4F18-9905-7E5CA2899C01}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-09 17:02 . 2012-03-30 07:38 696760 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 17:02 . 2011-05-15 12:06 73656 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-29 18:54 . 2012-02-29 22:19 22856 -c--a-w- c:\windows\system32\drivers\mbam.sys
2012-08-30 19:05 . 2012-08-30 19:05 13816 -c--a-w- c:\windows\system32\unikey.sys
2012-08-28 15:14 . 2008-04-14 12:00 916992 -c--a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2008-04-14 12:00 43520 -c----w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2008-04-14 12:00 1469440 -c----w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2008-04-14 12:00 385024 -c----w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2008-04-14 12:00 177664 -c--a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:29 . 2008-04-14 12:00 2192896 -c--a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2008-04-14 00:01 2069632 -c--a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:12 121528 -c--a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13545472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-04-15 417792]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 15:20 57344 -c----r- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-05-30 19:06 59280 -c--a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 18:36 30040 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-06-07 18:33 421776 -c--a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-09-29 18:54 766536 -c--a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileConnect]
2008-10-09 14:33 2086912 -c--a-w- c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 04:42 1695232 -c----w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-09-17 14:24 13545472 -c--a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-09-17 14:24 1630208 -c--a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-04-15 16:23 417792 -c--a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-07-31 14:05 16806912 w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 13:06 254696 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [17/10/2012 20:00 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [17/10/2012 20:00 355632]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\documents and settings\New User\Desktop\VCdRom.sys [19/12/2001 11:45 8576]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [17/10/2012 20:00 21256]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [14/09/2012 17:22 399432]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [09/10/2008 15:32 14336]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [29/02/2012 23:19 22856]
R3 mtc0303;BIOS Service Provider;c:\windows\system32\drivers\Mtc0303.sys [04/07/2007 08:52 32896]
R3 VIACRX86;VIACRX86;c:\windows\system32\drivers\viacr.sys [24/09/2009 17:03 59264]
S0 rpekojj;rpekojj;c:\windows\system32\drivers\kudfrft.sys --> c:\windows\system32\drivers\kudfrft.sys [?]
S1 nflviuqa;nflviuqa;\??\c:\windows\system32\drivers\nflviuqa.sys --> c:\windows\system32\drivers\nflviuqa.sys [?]
S1 qhwxidei;qhwxidei;\??\c:\windows\system32\drivers\qhwxidei.sys --> c:\windows\system32\drivers\qhwxidei.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/10/2009 01:44 133104]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [29/02/2012 23:19 676936]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 13:28 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [30/03/2012 08:38 250808]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys --> c:\windows\system32\DRIVERS\ew_hwusbdev.sys [?]
S3 filtertdidriver;filtertdidriver;c:\windows\system32\drivers\ewfiltertdidriver.sys --> c:\windows\system32\drivers\ewfiltertdidriver.sys [?]
S3 flashusb;flashusb;c:\windows\system32\drivers\flashusb.sys [03/06/2012 13:19 16384]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [22/10/2009 16:35 36608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [01/10/2009 01:44 133104]
S3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys --> c:\windows\system32\DRIVERS\ew_jucdcacm.sys [?]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys --> c:\windows\system32\DRIVERS\ew_jubusenum.sys [?]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys --> c:\windows\system32\drivers\massfilter.sys [?]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [03/06/2012 13:20 15896]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys --> c:\windows\system32\DRIVERS\ZTEusbnet.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 17:02]
.
2012-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-10-20 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-10-17 09:12]
.
2012-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc12f45672ead6.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-01 00:44]
.
2012-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cc12f456b0e7fa.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-01 00:44]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.bigseekpro.com/gsmevolution0/{F29811B0-13BC-4072-B9AA-209A234F0ABB}
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvLsp.dll
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-21 11:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
LOCKED REGISTRY KEYS
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\M*i*c*r*o*-*B*o*x* *"!\Micro-Box A.I.0\RestorePointInfo]
"SequenceNumber"="322"
.
DLLs Loaded Under Running Processes
.
- - - - - - - > 'lsass.exe'(924)
c:\windows\system32\nvLsp.dll
.
- - - - - - - > 'explorer.exe'(2264)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-10-21 11:07:49
ComboFix-quarantined-files.txt 2012-10-21 10:07
ComboFix2.txt 2012-10-18 11:36
.
Pre-Run: 124,580,552,704 bytes free
Post-Run: 124,589,338,624 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 067F34C9E89A8172224538EADF7D6AA7
Good, that all looks to have worked.
Run this combofix script.
If combofix tells you there is a newer version available, let it update.
- Open Notepad
- Copy and paste the text present inside the code box below (Don't include Code:)
Driver::
rpekojj
nflviuqa
qhwxidei

Rootkit::
c:\windows\system32\drivers\kudfrft.sys
c:\windows\system32\drivers\nflviuqa.sys
c:\windows\system32\drivers\qhwxidei.sys

DDS::
mStart Page = hxxp://www.bigseekpro.com/gsmevolution0/{F29811B0-13BC-4072-B9AA-209A234F0ABB}
uInternet Settings,ProxyOverride = *.local

ClearJavaCache::

- Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
- Temporarily disable your anti-virus, before following the steps below.
- To disable your Antivirus, see here.
- Drag CFScript.txt into ComboFix.exe as the screenshot above shows.
- ComboFix will scan & may reboot when it finishes. Combofix.txt will open.
- Copy and paste the contents of the log here.
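The helper's CFScript above targets three services that share one pattern in the ComboFix log: boot- or system-start drivers with no vendor description whose file ComboFix could not find. The parser below applies that reasoning to ComboFix service lines; it is an added example for this thread, not code from ComboFix or from the posters, and the scoring weights and the threshold of 5 are this example's own assumption.

```python
"""Triage the services section of a ComboFix log for driver entries matching
the pattern the helper put into CFScript: boot/system-start drivers with no
vendor description whose file ComboFix could not find. Added example for this
thread, not ComboFix's or the posters' code; weights are this example's own."""
import re
# ComboFix service line: "<state><start> <name>;<display>;<path> [<date> <size>]"
# or, when the file is missing, "...;<path> --> <path> [?]".
# state: R running / S stopped; start: 0 boot, 1 system, 2 auto, 3 demand.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
def parse_service(line):
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["start"] = int(d["start"])
    d["missing"] = d["rest"].rstrip().endswith("[?]")
    path = d["rest"].split(" --> ")[0].split(" [")[0]  # path before " --> " / " ["
    d["file"] = path.rsplit("\\", 1)[-1].lower()       # last path component only
    return d
def score_service(svc):
    """Return (score, reasons); a score of 5 or more is treated as suspicious."""
    score, reasons = 0, []
    if svc["missing"]:
        score += 2; reasons.append("driver file missing")
    if svc["start"] in (0, 1):
        score += 2; reasons.append("boot/system start")
    if svc["display"] == svc["name"]:
        score += 1; reasons.append("no descriptive display name")
    if svc["missing"] and svc["file"].rsplit(".", 1)[0] != svc["name"].lower():
        reasons.append("service name differs from file name")
    return score, reasons
def find_suspicious(log_text, threshold=5):
    hits = []
    for line in log_text.splitlines():
        svc = parse_service(line)
        if svc:
            score, reasons = score_service(svc)
            if score >= threshold:
                hits.append((svc["name"], svc["file"], reasons))
    return hits

# Lines copied from the log above; the S3 modem driver is also missing its
# file but is demand-start, so it must not be flagged.
SAMPLE_LOG = r"""
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [17/10/2012 20:00 729752]
S0 rpekojj;rpekojj;c:\windows\system32\drivers\kudfrft.sys --> c:\windows\system32\drivers\kudfrft.sys [?]
S1 nflviuqa;nflviuqa;\??\c:\windows\system32\drivers\nflviuqa.sys --> c:\windows\system32\drivers\nflviuqa.sys [?]
S1 qhwxidei;qhwxidei;\??\c:\windows\system32\drivers\qhwxidei.sys --> c:\windows\system32\drivers\qhwxidei.sys [?]
S3 filtertdidriver;filtertdidriver;c:\windows\system32\drivers\ewfiltertdidriver.sys --> c:\windows\system32\drivers\ewfiltertdidriver.sys [?]
"""

if __name__ == "__main__":
    for name, fname, why in find_suspicious(SAMPLE_LOG):
        print(f"{name:<10} {fname:<14} {'; '.join(why)}")
```

Running it lists exactly the three services the CFScript removes, and notes for rpekojj that the service name and the driver file name do not match.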
Followed the above steps... this is the response:
Windows cannot access the specified device, path or folder. You may not have the appropriate permissions to access the items
At what point? When you drag the text file into the combofix icon?
-
No, it's when I paste the code into the Start > Run box and then press OK. That's when this message appears.
-
No, it's different to what we were doing before.
You have to paste it into notepad. Save it as CFScript.txt and change the "Save as type" to "All Files". Save it to your desktop.
Then drag it into the combofix icon.