gainesjm8

Need help with ICE virus that disables safe mode and system restore


Hello,

 

I recently got the ICE virus and it appears to be a newer and more damaging version. I cannot start in Safe Mode nor will system restore work. So, I cannot get into my computer to start any Ad-Aware scans or anything.

 

I read up on several fixes for this and I saw some people were able to use the Farbar recovery tool. I got that tool and was able to run the FRST.txt file. I will post that information next.


 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-11-2013

Ran by SYSTEM on MININT-OLSVURQ on 24-11-2013 14:56:19

Running from F:\

Windows 7 Home Premium (X64) OS Language: English(US)

Internet Explorer Version 10

Boot Mode: Recovery

The current controlset is ControlSet002

ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [] - [x]

HKLM\...\RunOnce: [*Restore] - C:\windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$ee7a252aea40aa019f34f9e5d2705423\n. ATTENTION! ====> ZeroAccess?

HKLM-x32\...\Run: [ToshibaServiceStation] - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe [1294136 2009-10-06] (TOSHIBA Corporation)

HKLM-x32\...\Run: [ToshibaAppPlace] - C:\Program Files (x86)\TOSHIBA\Toshiba App Place\ToshibaAppPlace.exe [552960 2010-09-23] (Toshiba)

HKLM-x32\...\Run: [CitrixReceiver] - "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"

HKLM-x32\...\Run: [ConnectionCenter] - C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [395656 2013-06-14] (Citrix Systems, Inc.)

HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Redirector] - C:\Program Files (x86)\Citrix\ICA Client\redirector.exe [153992 2013-06-14] (Citrix Systems, Inc.)

HKU\Jason\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2010-10-15] (Google Inc.)

HKU\Jason\...\Run: [bearShare] - C:\Program Files (x86)\BearShare Applications\BearShare\BearShare.exe [31164992 2013-06-24] (MusicLab, LLC)

HKU\Jason\...\Winlogon: [shell] explorer.exe,C:\Users\Jason\AppData\Roaming\skype.dat <==== ATTENTION

AppInit_DLLs-x32: C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll [256568 2012-12-14] (Citrix Systems, Inc.)

Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk

ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk

ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

Startup: C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v0lrjfi.lnk

ShortcutTarget: v0lrjfi.lnk -> C:\PROGRA~3\ifjrl0v.dss (Корпорация Майкрософт)

==================== Services (Whitelisted) =================

S2 Citrix Licensing; C:\Program Files (x86)\Citrix\Licensing\LS\lmadmin.exe [6607184 2012-02-02] (Flexera Software, Inc.)

S2 CitrixLicensingConfigService; C:\Program Files (x86)\Citrix\Licensing\LicensingConfig\Service\Citrix.LicensingConfig.SdkWcfEndpoint.exe [21432 2011-12-14] (Citrix Systems, Inc.)

S3 Citrix_GTLicensingProv; C:\Program Files (x86)\Citrix\Licensing\LicWMI\Citrix_GTLicensingProv.exe [1680312 2012-02-02] (Citrix Systems, Inc.)

S2 CtxLSPortSvc; C:\Program Files (x86)\Citrix\Licensing\LS\CtxLSPortSvc.exe [359864 2012-02-02] (Citrix Systems, Inc.)

S2 N360; C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\ccSvcHst.exe [144368 2013-05-20] (Symantec Corporation)

S2 Winmgmt; C:\ProgramData\jw8zjfrodr.pzz [64604 2013-09-02] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\BASHDefs\20131114.001\BHDrvx64.sys [1524824 2013-10-22] (Symantec Corporation)

S1 ccSet_N360; C:\Windows\system32\drivers\N360x64\1404000.028\ccSetx64.sys [169048 2013-04-15] (Symantec Corporation)

S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-11-20] (Symantec Corporation)

S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [137648 2013-11-20] (Symantec Corporation)

S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\IPSDefs\20131122.001\IDSvia64.sys [521816 2013-10-28] (Symantec Corporation)

S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\VirusDefs\20131123.001\ENG64.SYS [126040 2013-11-02] (Symantec Corporation)

S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\VirusDefs\20131123.001\EX64.SYS [2099288 2013-11-02] (Symantec Corporation)

S1 SRTSP; C:\Windows\System32\Drivers\N360x64\1404000.028\SRTSP64.SYS [796760 2013-05-15] (Symantec Corporation)

S1 SRTSPX; C:\Windows\system32\drivers\N360x64\1404000.028\SRTSPX64.SYS [36952 2013-03-04] (Symantec Corporation)

S0 SymDS; C:\Windows\System32\drivers\N360x64\1404000.028\SYMDS64.SYS [493656 2013-05-20] (Symantec Corporation)

S0 SymEFA; C:\Windows\System32\drivers\N360x64\1404000.028\SYMEFA64.SYS [1139800 2013-05-22] (Symantec Corporation)

S3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2013-06-17] (Symantec Corporation)

S1 SymIRON; C:\Windows\system32\drivers\N360x64\1404000.028\Ironx64.SYS [224416 2013-03-04] (Symantec Corporation)

S1 SymNetS; C:\Windows\System32\Drivers\N360x64\1404000.028\SYMNETS.SYS [433752 2013-04-24] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-11-24 14:48 - 2013-11-24 14:48 - 00000000 ____D C:\FRST

2013-11-24 10:01 - 2013-11-24 10:01 - 00000000 ____D C:\ProgramData\351E

2013-11-24 09:41 - 2013-11-24 09:41 - 00000000 ____D C:\ProgramData\3B3DD

2013-11-24 09:09 - 2013-11-24 09:09 - 00000000 ____D C:\ProgramData\223C5

2013-11-24 08:38 - 2013-11-24 08:38 - 00000000 ____D C:\ProgramData\1AC4

2013-11-24 08:33 - 2013-11-24 10:02 - 95025368 ____T C:\ProgramData\v0lrjfi.bxx

2013-11-24 08:33 - 2013-11-24 10:01 - 00000000 _____ C:\ProgramData\v0lrjfi.fvv

2013-11-24 08:33 - 2013-11-24 08:33 - 00205312 _____ (Корпорация Майкрософт) C:\ProgramData\ifjrl0v.dss

2013-11-24 08:33 - 2013-11-24 08:33 - 00060516 ____T (Microsoft Corporation) C:\ProgramData\v0lrjfi.pss

2013-11-17 12:53 - 2013-11-17 12:53 - 00000000 ____D C:\ProgramData\QuickSet

2013-11-17 12:53 - 2013-11-17 12:53 - 00000000 ____D C:\ProgramData\InstallMate

2013-11-14 14:35 - 2013-10-12 00:45 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe

2013-11-14 14:35 - 2013-10-12 00:43 - 02648576 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-11-14 14:35 - 2013-10-12 00:43 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-11-14 14:35 - 2013-10-12 00:43 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll

2013-11-14 14:35 - 2013-10-12 00:43 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll

2013-11-14 14:35 - 2013-10-12 00:43 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll

2013-11-14 14:35 - 2013-10-11 23:02 - 02049024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-11-14 14:35 - 2013-10-11 23:02 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-11-14 14:35 - 2013-10-11 23:02 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll

2013-11-14 14:35 - 2013-10-11 23:02 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll

2013-11-14 14:35 - 2013-10-11 23:02 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll

2013-11-14 14:35 - 2013-10-11 22:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-11-14 14:35 - 2013-10-11 22:08 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-11-14 14:35 - 2013-10-11 21:44 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe

2013-11-14 14:35 - 2013-10-11 21:15 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe

2013-11-14 14:34 - 2013-10-12 00:45 - 02241536 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-11-14 14:34 - 2013-10-12 00:45 - 01364992 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-11-14 14:34 - 2013-10-12 00:43 - 19269632 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-11-14 14:34 - 2013-10-12 00:43 - 15404544 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-11-14 14:34 - 2013-10-12 00:43 - 03959808 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-11-14 14:34 - 2013-10-12 00:43 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-11-14 14:34 - 2013-10-12 00:43 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-11-14 14:34 - 2013-10-12 00:43 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-11-14 14:34 - 2013-10-11 23:03 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-11-14 14:34 - 2013-10-11 23:03 - 01138176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-11-14 14:34 - 2013-10-11 23:02 - 14355968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-11-14 14:34 - 2013-10-11 23:02 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-11-14 14:34 - 2013-10-11 23:02 - 02877952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-11-14 14:34 - 2013-10-11 23:02 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-11-14 14:34 - 2013-10-11 23:02 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-11-14 14:34 - 2013-10-11 23:02 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-11-13 16:07 - 2013-10-11 18:30 - 00830464 _____ (Microsoft Corporation) C:\Windows\System32\nshwfp.dll

2013-11-13 16:07 - 2013-10-11 18:29 - 00859648 _____ (Microsoft Corporation) C:\Windows\System32\IKEEXT.DLL

2013-11-13 16:07 - 2013-10-11 18:29 - 00324096 _____ (Microsoft Corporation) C:\Windows\System32\FWPUCLNT.DLL

2013-11-13 16:07 - 2013-10-11 18:03 - 00656896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nshwfp.dll

2013-11-13 16:07 - 2013-10-11 18:01 - 00216576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FWPUCLNT.DLL

2013-11-13 16:07 - 2013-10-05 12:25 - 01474048 _____ (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2013-11-13 16:07 - 2013-10-05 11:57 - 01168384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll

2013-11-13 16:07 - 2013-10-03 18:28 - 00190464 _____ (Microsoft Corporation) C:\Windows\System32\SmartcardCredentialProvider.dll

2013-11-13 16:07 - 2013-10-03 18:25 - 00197120 _____ (Microsoft Corporation) C:\Windows\System32\credui.dll

2013-11-13 16:07 - 2013-10-03 18:24 - 01930752 _____ (Microsoft Corporation) C:\Windows\System32\authui.dll

2013-11-13 16:07 - 2013-10-03 17:58 - 00152576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SmartcardCredentialProvider.dll

2013-11-13 16:07 - 2013-10-03 17:56 - 01796096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll

2013-11-13 16:07 - 2013-10-03 17:56 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credui.dll

2013-11-13 16:07 - 2013-10-02 18:23 - 00404480 _____ (Microsoft Corporation) C:\Windows\System32\gdi32.dll

2013-11-13 16:07 - 2013-10-02 18:00 - 00311808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll

2013-11-13 16:07 - 2013-09-27 17:09 - 00497152 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\afd.sys

2013-11-13 16:07 - 2013-09-24 18:26 - 00154560 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2013-11-13 16:07 - 2013-09-24 18:26 - 00095680 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2013-11-13 16:07 - 2013-09-24 18:23 - 00135680 _____ (Microsoft Corporation) C:\Windows\System32\sspicli.dll

2013-11-13 16:07 - 2013-09-24 18:23 - 00028672 _____ (Microsoft Corporation) C:\Windows\System32\sspisrv.dll

2013-11-13 16:07 - 2013-09-24 18:23 - 00028160 _____ (Microsoft Corporation) C:\Windows\System32\secur32.dll

2013-11-13 16:07 - 2013-09-24 18:22 - 00340992 _____ (Microsoft Corporation) C:\Windows\System32\schannel.dll

2013-11-13 16:07 - 2013-09-24 18:21 - 01447936 _____ (Microsoft Corporation) C:\Windows\System32\lsasrv.dll

2013-11-13 16:07 - 2013-09-24 18:21 - 00307200 _____ (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2013-11-13 16:07 - 2013-09-24 17:58 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2013-11-13 16:07 - 2013-09-24 17:57 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2013-11-13 16:07 - 2013-09-24 17:57 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2013-11-13 16:07 - 2013-09-24 17:56 - 00220160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2013-11-13 16:07 - 2013-09-24 17:03 - 00030720 _____ (Microsoft Corporation) C:\Windows\System32\lsass.exe

2013-11-13 16:07 - 2013-07-04 04:18 - 00458712 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2013-11-12 14:19 - 2013-11-24 07:55 - 00042951 _____ C:\Windows\IE11_main.log

==================== One Month Modified Files and Folders =======

2013-11-24 14:48 - 2013-11-24 14:48 - 00000000 ____D C:\FRST

2013-11-24 10:03 - 2011-12-10 18:56 - 01189714 _____ C:\Windows\WindowsUpdate.log

2013-11-24 10:03 - 2009-07-13 20:45 - 00015792 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-11-24 10:03 - 2009-07-13 20:45 - 00015792 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-11-24 10:02 - 2013-11-24 08:33 - 95025368 ____T C:\ProgramData\v0lrjfi.bxx

2013-11-24 10:01 - 2013-11-24 10:01 - 00000000 ____D C:\ProgramData\351E

2013-11-24 10:01 - 2013-11-24 08:33 - 00000000 _____ C:\ProgramData\v0lrjfi.fvv

2013-11-24 10:00 - 2010-10-15 09:41 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-11-24 10:00 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT

2013-11-24 10:00 - 2009-07-13 20:51 - 00039923 _____ C:\Windows\setupact.log

2013-11-24 09:41 - 2013-11-24 09:41 - 00000000 ____D C:\ProgramData\3B3DD

2013-11-24 09:22 - 2012-07-08 08:00 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-11-24 09:09 - 2013-11-24 09:09 - 00000000 ____D C:\ProgramData\223C5

2013-11-24 08:38 - 2013-11-24 08:38 - 00000000 ____D C:\ProgramData\1AC4

2013-11-24 08:36 - 2010-10-15 09:53 - 00587616 _____ C:\Windows\PFRO.log

2013-11-24 08:33 - 2013-11-24 08:33 - 00205312 _____ (Корпорация Майкрософт) C:\ProgramData\ifjrl0v.dss

2013-11-24 08:33 - 2013-11-24 08:33 - 00060516 ____T (Microsoft Corporation) C:\ProgramData\v0lrjfi.pss

2013-11-24 08:06 - 2010-10-15 09:41 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-11-24 07:55 - 2013-11-12 14:19 - 00042951 _____ C:\Windows\IE11_main.log

2013-11-24 07:53 - 2012-05-02 15:11 - 00000386 _____ C:\Windows\Tasks\WpsUpdateTask_Jason.job

2013-11-23 19:22 - 2011-12-10 18:37 - 00000000 ____D C:\Users\Jason\Desktop\New folder

2013-11-17 15:09 - 2013-09-28 07:52 - 00002194 _____ C:\Users\Public\Desktop\Google Chrome.lnk

2013-11-17 12:53 - 2013-11-17 12:53 - 00000000 ____D C:\ProgramData\QuickSet

2013-11-17 12:53 - 2013-11-17 12:53 - 00000000 ____D C:\ProgramData\InstallMate

2013-11-14 17:06 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2013-11-14 14:34 - 2013-08-15 17:21 - 00000000 ____D C:\Windows\System32\MRT

2013-11-14 14:30 - 2012-05-10 15:17 - 82896128 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe

ZeroAccess:

C:\Users\Jason\AppData\Local\Google\Desktop\Install

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-1843870552-1020890469-2507993533-1002\$ee7a252aea40aa019f34f9e5d2705423

ZeroAccess:

C:\$Recycle.Bin\S-1-5-18\$ee7a252aea40aa019f34f9e5d2705423

Files to move or delete:

====================

C:\Users\Jason\AppData\Roaming\skype.ini

C:\ProgramData\ifjrl0v.dss

C:\ProgramData\jw8zjfrodr.ctrl

C:\ProgramData\jw8zjfrodr.pff

C:\ProgramData\PbKrfV.dat

C:\ProgramData\v0lrjfi.bxx

C:\ProgramData\v0lrjfi.fvv

C:\ProgramData\v0lrjfi.pss

C:\ProgramData\wll87tdrj.ctrl

C:\ProgramData\wll87tdrj.pff

C:\Users\Jason\chrome.exe

C:\Users\Jason\ctfmon.exe

C:\Users\Jason\icq.exe

C:\Users\Jason\msconfig.exe

C:\Users\Jason\mstsc.exe

C:\Users\Jason\opera.exe

C:\Users\Jason\teamviewer.exe

C:\Users\Jason\winlogon.exe

Some content of TEMP:

====================

C:\Users\Jason\AppData\Local\Temp\4wxpex9c.dll

C:\Users\Jason\AppData\Local\Temp\~tmf1726057174163717327.dll

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

13

Restore point made on: 2013-11-03 21:00:24

Restore point made on: 2013-11-11 09:36:59

Restore point made on: 2013-11-12 14:18:36

Restore point made on: 2013-11-14 14:29:52

Restore point made on: 2013-11-15 14:56:23

Restore point made on: 2013-11-16 07:29:48

Restore point made on: 2013-11-18 16:49:33

Restore point made on: 2013-11-19 15:38:20

Restore point made on: 2013-11-20 17:54:55

Restore point made on: 2013-11-21 16:36:39

Restore point made on: 2013-11-22 09:04:42

Restore point made on: 2013-11-23 11:49:24

Restore point made on: 2013-11-24 07:53:31

==================== Memory info ===========================

Percentage of memory in use: 21%

Total physical RAM: 2939.98 MB

Available physical RAM: 2309.99 MB

Total Pagefile: 2938.13 MB

Available Pagefile: 2375.47 MB

Total Virtual: 8192 MB

Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (TI106034W0C) (Fixed) (Total:221.24 GB) (Free:165.13 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Drive f: (KINGSTON) (Removable) (Total:14.89 GB) (Free:0.15 GB) FAT32

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 233 GB) (Disk ID: 4DBC8B99)

Partition 1: (Active) - (Size=1 GB) - (Type=27)

Partition 2: (Not Active) - (Size=221 GB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=10 GB) - (Type=17)

========================================================

Disk: 1 (MBR Code: Windows XP) (Size: 15 GB) (Disk ID: C3072E18)

Partition 1: (Active) - (Size=15 GB) - (Type=0C)

LastRegBack: 2013-11-19 21:13

==================== End Of Log ============================


Hi gainesjm8,

 

The computer seems to have a very serious and difficult infection called ZeroAccess rootkit and it's probably faster and safer to reinstall Windows.

 

Have you yourself stored program files in your profile folder?

C:\Users\Jason\chrome.exe
C:\Users\Jason\ctfmon.exe
C:\Users\Jason\icq.exe
C:\Users\Jason\msconfig.exe
C:\Users\Jason\mstsc.exe
C:\Users\Jason\opera.exe
C:\Users\Jason\teamviewer.exe
C:\Users\Jason\winlogon.exe

It isn't normal to have program files there and it could be the infection that has stored malicious files there and given them common file names. If you have stored the files yourself, please ignore those lines in the box below.

 

Please, start Notepad.
Copy all text that is in the box:

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$ee7a252aea40aa019f34f9e5d2705423\n. ATTENTION! ====> ZeroAccess?
HKU\Jason\...\Winlogon: [Shell] explorer.exe,C:\Users\Jason\AppData\Roaming\skype.dat <==== ATTENTION
Startup: C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v0lrjfi.lnk
ShortcutTarget: v0lrjfi.lnk -> C:\PROGRA~3\ifjrl0v.dss (Корпорация Майкрософт)
S2 Winmgmt; C:\ProgramData\jw8zjfrodr.pzz [64604 2013-09-02] (Microsoft Corporation)
2013-11-24 10:01 - 2013-11-24 10:01 - 00000000 ____D C:\ProgramData\351E
2013-11-24 09:41 - 2013-11-24 09:41 - 00000000 ____D C:\ProgramData\3B3DD
2013-11-24 09:09 - 2013-11-24 09:09 - 00000000 ____D C:\ProgramData\223C5
2013-11-24 08:38 - 2013-11-24 08:38 - 00000000 ____D C:\ProgramData\1AC4
2013-11-24 08:33 - 2013-11-24 10:02 - 95025368 ____T C:\ProgramData\v0lrjfi.bxx
2013-11-24 08:33 - 2013-11-24 10:01 - 00000000 _____ C:\ProgramData\v0lrjfi.fvv
2013-11-24 08:33 - 2013-11-24 08:33 - 00205312 _____ (Корпорация Майкрософт) C:\ProgramData\ifjrl0v.dss
2013-11-24 08:33 - 2013-11-24 08:33 - 00060516 ____T (Microsoft Corporation) C:\ProgramData\v0lrjfi.pss
2013-11-24 10:00 - 2010-10-15 09:41 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-11-24 09:41 - 2013-11-24 09:41 - 00000000 ____D C:\ProgramData\3B3DD
2013-11-24 09:22 - 2012-07-08 08:00 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-11-24 09:09 - 2013-11-24 09:09 - 00000000 ____D C:\ProgramData\223C5
2013-11-24 08:38 - 2013-11-24 08:38 - 00000000 ____D C:\ProgramData\1AC4
2013-11-24 08:36 - 2010-10-15 09:53 - 00587616 _____ C:\Windows\PFRO.log
2013-11-24 08:33 - 2013-11-24 08:33 - 00205312 _____ (Корпорация Майкрософт) C:\ProgramData\ifjrl0v.dss
2013-11-24 08:33 - 2013-11-24 08:33 - 00060516 ____T (Microsoft Corporation) C:\ProgramData\v0lrjfi.pss
2013-11-24 08:06 - 2010-10-15 09:41 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\Users\Jason\AppData\Local\Google\Desktop\Install
C:\$Recycle.Bin\S-1-5-21-1843870552-1020890469-2507993533-1002\$ee7a252aea40aa019f34f9e5d2705423
C:\$Recycle.Bin\S-1-5-18\$ee7a252aea40aa019f34f9e5d2705423
C:\Users\Jason\AppData\Roaming\skype.ini
C:\ProgramData\ifjrl0v.dss
C:\ProgramData\jw8zjfrodr.ctrl
C:\ProgramData\jw8zjfrodr.pff
C:\ProgramData\PbKrfV.dat
C:\ProgramData\v0lrjfi.bxx
C:\ProgramData\v0lrjfi.fvv
C:\ProgramData\v0lrjfi.pss
C:\ProgramData\wll87tdrj.ctrl
C:\ProgramData\wll87tdrj.pff
C:\Users\Jason\chrome.exe
C:\Users\Jason\ctfmon.exe
C:\Users\Jason\icq.exe
C:\Users\Jason\msconfig.exe
C:\Users\Jason\mstsc.exe
C:\Users\Jason\opera.exe
C:\Users\Jason\teamviewer.exe
C:\Users\Jason\winlogon.exe
and paste in Notepad. Check that no file names have been split on two lines.
Save the file as fixlist.txt on the flash drive.

On the infected computer, start FRST (32-bit Windows) or FRST64 (64-bit Windows) as last time, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the flash drive.
Please, paste the content of that file in your answer.

Please, check if the computer now can start in normal mode.
If yes, please follow the topic Read This Before You Post! and post the DDS logs to continue the cleaning process.

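A small FRST-log triage script, added here as an example and not part of this thread or of the FRST tool: it encodes the checks the helper applied by eye above (a Winlogon Shell value that is not exactly explorer.exe, a Windows-hosted service such as Winmgmt whose binary sits outside C:\Windows, an InprocServer32 value pointing into $Recycle.Bin, a file claiming a Microsoft signer outside the Windows directories, and a bare .exe in a profile root). The sample lines are constructed from entries quoted in the log above; the rule names and the service set are my own assumptions, not FRST's.

```python
import re

# Constructed sample modelled on the FRST lines quoted in this thread:
# the suspicious entries the helper picked out, plus a few legitimate ones as controls.
SAMPLE_LOG = r"""
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$ee7a252aea40aa019f34f9e5d2705423\n. ATTENTION! ====> ZeroAccess?
HKU\Jason\...\Winlogon: [shell] explorer.exe,C:\Users\Jason\AppData\Roaming\skype.dat <==== ATTENTION
HKU\Jason\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2010-10-15] (Google Inc.)
S2 Winmgmt; C:\ProgramData\jw8zjfrodr.pzz [64604 2013-09-02] (Microsoft Corporation)
S2 N360; C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\ccSvcHst.exe [144368 2013-05-20] (Symantec Corporation)
2013-11-24 08:33 - 2013-11-24 08:33 - 00205312 _____ (Корпорация Майкрософт) C:\ProgramData\ifjrl0v.dss
2013-11-24 08:33 - 2013-11-24 08:33 - 00060516 ____T (Microsoft Corporation) C:\ProgramData\v0lrjfi.pss
2013-11-14 14:35 - 2013-10-12 00:45 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
C:\Users\Jason\winlogon.exe
C:\Users\Jason\chrome.exe
"""

# Winlogon Shell must be exactly explorer.exe; a second program appended after a comma is a hijack.
WINLOGON_SHELL = re.compile(r"\\Winlogon: \[shell\] (?P<value>.*?)(?: <====.*)?$", re.IGNORECASE)
# FRST service line: "<state> <name>; <path> [<size> <date>] (<signer>)"
SERVICE = re.compile(r"^[SR]\d (?P<name>[^;]+); (?P<path>.+?) \[\d+ \d{4}-\d{2}-\d{2}\]")
# FRST file line: "<created> - <modified> - <size> <attrs> [(<signer>)] <path>"
FILE_ENTRY = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{8} [_A-Z]{5} "
    r"(?:\((?P<signer>[^)]*)\) )?(?P<path>.+)$"
)
# A bare executable directly in a user's profile root, e.g. C:\Users\Jason\winlogon.exe
PROFILE_ROOT_EXE = re.compile(r"^C:\\Users\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)

# Services Windows hosts itself; their binary must live under the Windows directory.
# Assumed set: only Winmgmt appears in the thread; extend as needed.
WINDOWS_HOSTED_SERVICES = {"winmgmt"}
# Where a file with a Microsoft signer string is normally expected to live.
TRUSTED_MS_ROOTS = ("c:\\windows\\", "c:\\program files")


def claims_microsoft(signer):
    """True when the signer string says Microsoft in English or in Russian (as in this log)."""
    s = (signer or "").lower()
    return "microsoft" in s or "майкрософт" in s


def check_line(line):
    """Return a (rule, detail) finding for one FRST log line, or None if nothing matches."""
    m = WINLOGON_SHELL.search(line)
    if m:
        value = m.group("value").strip()
        if value.lower() != "explorer.exe":
            return ("winlogon-shell-hijack", value)
    # COM class whose in-process server is loaded from the Recycle Bin (ZeroAccess pattern).
    if "InprocServer32:" in line and "$Recycle.Bin" in line:
        return ("clsid-hijack-recycle-bin", line)
    m = SERVICE.match(line)
    if m and m.group("name").lower() in WINDOWS_HOSTED_SERVICES:
        if not m.group("path").lower().startswith("c:\\windows\\"):
            return ("windows-service-relocated", m.group("path"))
    m = FILE_ENTRY.match(line)
    if m and claims_microsoft(m.group("signer")):
        if not m.group("path").lower().startswith(TRUSTED_MS_ROOTS):
            return ("microsoft-signer-outside-windows", m.group("path"))
    if PROFILE_ROOT_EXE.match(line):
        return ("exe-in-profile-root", line)
    return None


def scan_frst(text):
    """Run every rule over each non-empty line; return findings as (rule, detail) tuples."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hit = check_line(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, detail in scan_frst(SAMPLE_LOG):
        print(f"{rule:35} {detail}")
```

Run against a full FRST.txt, the script lists only the lines worth a second look; a legitimate Winlogon Shell of plain explorer.exe or a Winmgmt path under C:\Windows produces no finding.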

Thanks a lot Cecelia. Was able to log in with normal mode and started running virus checker now. Below are the contents of the fixlog as requested. I didn't recognize anything in that \User\Jason folder as you noted so I didn't include it. Thanks again!!

 

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-11-2013
Ran by SYSTEM at 2013-11-26 22:04:46 Run:1
Running from G:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$ee7a252aea40aa019f34f9e5d2705423\n. ATTENTION! ====> ZeroAccess?
HKU\Jason\...\Winlogon: [shell] explorer.exe,C:\Users\Jason\AppData\Roaming\skype.dat <==== ATTENTION
Startup: C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v0lrjfi.lnk
ShortcutTarget: v0lrjfi.lnk -> C:\PROGRA~3\ifjrl0v.dss (?????????? ??????????)
S2 Winmgmt; C:\ProgramData\jw8zjfrodr.pzz [64604 2013-09-02] (Microsoft Corporation)
2013-11-24 10:01 - 2013-11-24 10:01 - 00000000 ____D C:\ProgramData\351E
2013-11-24 09:41 - 2013-11-24 09:41 - 00000000 ____D C:\ProgramData\3B3DD
2013-11-24 09:09 - 2013-11-24 09:09 - 00000000 ____D C:\ProgramData\223C5
2013-11-24 08:38 - 2013-11-24 08:38 - 00000000 ____D C:\ProgramData\1AC4
2013-11-24 08:33 - 2013-11-24 10:02 - 95025368 ____T C:\ProgramData\v0lrjfi.bxx
2013-11-24 08:33 - 2013-11-24 10:01 - 00000000 _____ C:\ProgramData\v0lrjfi.fvv
2013-11-24 08:33 - 2013-11-24 08:33 - 00205312 _____ (?????????? ??????????) C:\ProgramData\ifjrl0v.dss
2013-11-24 08:33 - 2013-11-24 08:33 - 00060516 ____T (Microsoft Corporation) C:\ProgramData\v0lrjfi.pss
2013-11-24 10:00 - 2010-10-15 09:41 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-11-24 09:41 - 2013-11-24 09:41 - 00000000 ____D C:\ProgramData\3B3DD
2013-11-24 09:22 - 2012-07-08 08:00 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-11-24 09:09 - 2013-11-24 09:09 - 00000000 ____D C:\ProgramData\223C5
2013-11-24 08:38 - 2013-11-24 08:38 - 00000000 ____D C:\ProgramData\1AC4
2013-11-24 08:36 - 2010-10-15 09:53 - 00587616 _____ C:\Windows\PFRO.log
2013-11-24 08:33 - 2013-11-24 08:33 - 00205312 _____ (?????????? ??????????) C:\ProgramData\ifjrl0v.dss
2013-11-24 08:33 - 2013-11-24 08:33 - 00060516 ____T (Microsoft Corporation) C:\ProgramData\v0lrjfi.pss
2013-11-24 08:06 - 2010-10-15 09:41 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\Users\Jason\AppData\Local\Google\Desktop\Install
C:\$Recycle.Bin\S-1-5-21-1843870552-1020890469-2507993533-1002\$ee7a252aea40aa019f34f9e5d2705423
C:\$Recycle.Bin\S-1-5-18\$ee7a252aea40aa019f34f9e5d2705423
C:\Users\Jason\AppData\Roaming\skype.ini
C:\ProgramData\ifjrl0v.dss
C:\ProgramData\jw8zjfrodr.ctrl
C:\ProgramData\jw8zjfrodr.pff
C:\ProgramData\PbKrfV.dat
C:\ProgramData\v0lrjfi.bxx
C:\ProgramData\v0lrjfi.fvv
C:\ProgramData\v0lrjfi.pss
C:\ProgramData\wll87tdrj.ctrl
C:\ProgramData\wll87tdrj.pff

*****************

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKU\Jason\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v0lrjfi.lnk => Moved successfully.
C:\PROGRA~3\ifjrl0v.dss => Moved successfully.
Winmgmt => Service restored successfully.
"C:\ProgramData\351E" => File/Directory not found.
C:\ProgramData\3B3DD => Moved successfully.
C:\ProgramData\223C5 => Moved successfully.
C:\ProgramData\1AC4 => Moved successfully.
C:\ProgramData\v0lrjfi.bxx => Moved successfully.
C:\ProgramData\v0lrjfi.fvv => Moved successfully.
"C:\ProgramData\ifjrl0v.dss" => File/Directory not found.
C:\ProgramData\v0lrjfi.pss => Moved successfully.
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => Moved successfully.
"C:\ProgramData\3B3DD" => File/Directory not found.
C:\Windows\Tasks\Adobe Flash Player Updater.job => Moved successfully.
"C:\ProgramData\223C5" => File/Directory not found.
"C:\ProgramData\1AC4" => File/Directory not found.
C:\Windows\PFRO.log => Moved successfully.
"C:\ProgramData\ifjrl0v.dss" => File/Directory not found.
"C:\ProgramData\v0lrjfi.pss" => File/Directory not found.
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => Moved successfully.
C:\Users\Jason\AppData\Local\Google\Desktop\Install => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-1843870552-1020890469-2507993533-1002\$ee7a252aea40aa019f34f9e5d2705423 => Moved successfully.
C:\$Recycle.Bin\S-1-5-18\$ee7a252aea40aa019f34f9e5d2705423 => Moved successfully.
C:\Users\Jason\AppData\Roaming\skype.ini => Moved successfully.
"C:\ProgramData\ifjrl0v.dss" => File/Directory not found.
C:\ProgramData\jw8zjfrodr.ctrl => Moved successfully.
C:\ProgramData\jw8zjfrodr.pff => Moved successfully.
C:\ProgramData\PbKrfV.dat => Moved successfully.
"C:\ProgramData\v0lrjfi.bxx" => File/Directory not found.
"C:\ProgramData\v0lrjfi.fvv" => File/Directory not found.
"C:\ProgramData\v0lrjfi.pss" => File/Directory not found.
C:\ProgramData\wll87tdrj.ctrl => Moved successfully.
C:\ProgramData\wll87tdrj.pff => Moved successfully.

==== End of Fixlog ====


Sorry, I meant that if you haven't stored the program files in C:\Users\Jason, they should be deleted. Can you delete them yourself?

C:\Users\Jason\chrome.exe
C:\Users\Jason\ctfmon.exe
C:\Users\Jason\icq.exe
C:\Users\Jason\msconfig.exe
C:\Users\Jason\mstsc.exe
C:\Users\Jason\opera.exe
C:\Users\Jason\teamviewer.exe
C:\Users\Jason\winlogon.exe

 

Please, follow the topic Read This Before You Post! and post the DDS logs to continue the cleaning process.


Due to lack of feedback, this topic has been closed.

 

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.

 

Thank You !
