Thread: Ransomware Trojan

#1
Member (Join Date: Mar 2008, Location: England, Posts: 64)

Ransomware Trojan

    Hello again, sorry so soon,

    I got the same pop-up as one month ago, asking permission to make a registry change:

    (link) http://forums.spybot.info/showthread...egistry-hijack

so this time I allowed it (as was Shelf Life's recommendation previously).

It has now implemented a Police-type Trojan, requiring UKash or similar, and had a webcam section that took over my webcam. I've booted in safe mode, ran Spybot (found nothing) and thought I'd need help, what with what I've heard about Cryptolocker recently.

I ran ERUNT and it seems like it worked fine.



    DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK
    Internet Explorer: 9.0.8112.16476 BrowserJavaVersion: 10.65.2
    Run by Ed and Lou 2 at 0:36:50 on 2014-07-20
    .
    ============== Running Processes ================
    .
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    mRun: [DellSupportCenter] "c:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [DivXMediaServer] C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe
    mRun: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
    mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.bp.2020.net/Core/Player/2020PlayerAX_Win32.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: NameServer = 192.168.1.1
    TCP: Interfaces\{D34D4A84-3E9D-40D5-A6D9-93A100A1B04F} : DHCPNameServer = 192.168.1.1
    TCP: Interfaces\{D34D4A84-3E9D-40D5-A6D9-93A100A1B04F}\A5978554C4F57303932357B656 : DHCPNameServer = 192.168.1.1
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    Notify: igfxcui - <no file>
    mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.125\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
    x64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
    x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
    x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
    x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
    x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
    x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
    x64-Run: [IntelliType Pro] "c:\Program Files\Microsoft Device Center\itype.exe"
    x64-Run: [IntelliPoint] "c:\Program Files\Microsoft Device Center\ipoint.exe"
    x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    .
    INFO: x64-HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
    x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
    x64-Notify: igfxcui - igfxdev.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Ed and Lou 2\AppData\Roaming\Mozilla\Firefox\Profiles\wfdrlyc3.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=WLETDF&PC=WLEM&q=
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=WLETDF&PC=WLEM&q=
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
    FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
    FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1166636.dll
    FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1168638.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_145.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R? AERTFilters;Andrea RT Filters Service
    R? aswHwid;avast! HardwareID
    R? aswMonFlt;aswMonFlt
    R? aswRvrt;avast! Revert
    R? aswSnx;aswSnx
    R? aswSP;aswSP
    R? aswStm;aswStm
    R? aswVmm;avast! VM Monitor
    R? avast! Antivirus;avast! Antivirus
    R? btusbflt;Bluetooth USB Filter
    R? btwl2cap;Bluetooth L2CAP Service
    R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
    R? clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64
    R? CtClsFlt;Creative Camera Class Upper Filter Driver
    R? cvhsvc;Client Virtualization Handler
    R? dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.)
    R? DockLoginService;Dock Login Service
    R? fssfltr;fssfltr
    R? fsssvc;Windows Live Family Safety Service
    R? Impcd;Impcd
    R? IntcDAud;Intel(R) Display Audio
    R? LVPr2M64;Logitech LVPr2M64 Driver
    R? LVPrcS64;Process Monitor
    R? LVRS64;Logitech RightSound Filter Driver
    R? LVUVC64;Logitech QuickCam E3500(UVC)
    R? MBAMProtector;MBAMProtector
    R? MBAMScheduler;MBAMScheduler
    R? MBAMService;MBAMService
    R? MBAMSwissArmy;MBAMSwissArmy
    R? MBAMWebAccessControl;MBAMWebAccessControl
    R? PSI;PSI
    R? RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader
    R? SBSDWSCService;SBSD Security Center Service
    R? Secunia PSI Agent;Secunia PSI Agent
    R? Secunia Update Agent;Secunia Update Agent
    R? Sftfs;Sftfs
    R? sftlist;Application Virtualization Client
    R? Sftplay;Sftplay
    R? Sftredir;Sftredir
    R? Sftvol;Sftvol
    R? sftvsa;Application Virtualization Service Agent
    R? ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.)
    R? TomTomHOMEService;TomTomHOMEService
    R? UNS;Intel(R) Management & Security Application User Notification Service
    R? WatAdminSvc;Windows Activation Technologies Service
    R? wlcrasvc;Windows Live Mesh remote connections service
    S? BcmVWL;Broadcom Virtual Wireless
    S? gfibto;gfibto
    S? HECIx64;Intel(R) Management Engine Interface
    S? L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller
    S? PxHlpa64;PxHlpa64
    .
    =============== Created Last 30 ================
    .
    2014-07-19 22:50:34 -------- d-----w- C:\FRST
    2014-07-19 22:39:16 -------- d-----w- C:\ProgramData\788B23B92244C6B9DBB5C906F76891A9
    2014-07-19 21:13:15 29208 ----a-w- C:\Windows\System32\drivers\aswHwid.sys
    2014-07-19 21:12:52 43152 ----a-w- C:\Windows\avastSS.scr
    2014-07-19 20:43:23 -------- d-----w- C:\Users\Ed and Lou 2\AppData\Local\Adobe
    2014-07-18 16:01:25 10924376 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{94E67583-ADBF-4E59-B6ED-E41357CBABC7}\mpengine.dll
    2014-07-17 16:59:34 98216 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
    2014-07-10 21:37:36 -------- d-s---w- C:\Windows\System32\CompatTel
    2014-07-10 19:00:33 516096 ----a-w- C:\Windows\System32\aepdu.dll
    2014-07-10 19:00:33 424448 ----a-w- C:\Windows\System32\aeinv.dll
    2014-07-10 18:52:16 163504 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10145.bin
    2014-06-27 20:32:20 536576 ----a-w- C:\Windows\SysWow64\sqlite3.dll
    2014-06-26 21:42:49 122584 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
    2014-06-26 21:41:57 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
    2014-06-26 21:41:57 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
    2014-06-26 21:41:57 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2014-06-26 21:41:57 -------- d-----w- C:\ProgramData\Malwarebytes
    2014-06-26 21:41:57 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
    2014-06-20 22:57:57 -------- d-----w- C:\ProgramData\F321AC108F210EF99933826ED58525E0
    .
    ==================== Find3M ====================
    .
    2014-07-19 21:12:54 93568 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
    2014-07-19 21:12:54 92008 ----a-w- C:\Windows\System32\drivers\aswStm.sys
    2014-07-19 21:12:54 79184 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
    2014-07-19 21:12:54 65776 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys
    2014-07-19 21:12:54 224896 ----a-w- C:\Windows\System32\drivers\aswVmm.sys
    2014-07-19 21:12:54 1041168 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
    2014-07-08 19:12:32 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2014-07-08 19:12:32 699056 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    .
    ============= FINISH: 0:39:00.38 ===============

    aswMBR version 1.0.1.2041 Copyright(c) 2014 AVAST Software
    Run date: 2014-07-20 00:48:03
    -----------------------------
    00:48:03.397 OS Version: Windows x64 6.1.7600
    00:48:03.397 Number of processors: 4 586 0x2505
    00:48:03.397 ComputerName: EDANDLOU2-PC UserName: Ed and Lou 2
    00:48:04.317 Initialize success
    00:48:04.349 VM: driver load error: 2
    00:48:06.579 AVAST engine defs: 14071901
    00:48:17.078 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    00:48:17.078 Disk 0 Vendor: Hitachi_ PB3O Size: 305245MB BusType: 3
    00:48:17.172 Disk 0 MBR read successfully
    00:48:17.172 Disk 0 MBR scan
    00:48:17.718 Disk 0 Windows 7 default MBR code
    00:48:17.733 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 100 MB offset 2048
    00:48:17.952 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15000 MB offset 206848
    00:48:17.983 Disk 0 Boot: NTFS code=1
    00:48:18.139 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 290143 MB offset 30926848
    00:48:18.326 Disk 0 scanning C:\Windows\system32\drivers
    00:48:29.433 Service scanning
    00:48:58.231 Modules scanning
    00:48:58.231 Disk 0 trace - called modules:
    00:48:58.262 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
    00:48:58.262 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004be1060]
    00:48:58.262 3 CLASSPNP.SYS[fffff88001ad943f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004902050]
    00:48:58.761 AVAST engine scan C:\Windows
    00:49:00.540 AVAST engine scan C:\Windows\system32
    00:51:10.301 AVAST engine scan C:\Windows\system32\drivers
    00:51:22.828 AVAST engine scan C:\Users\Ed and Lou 2
    01:10:25.118 AVAST engine scan C:\ProgramData
    01:14:49.525 Scan finished successfully
    01:15:56.205 Disk 0 MBR has been saved successfully to "C:\Users\Ed and Lou 2\Desktop\MBR.dat"
    01:15:56.205 The log file has been saved successfully to "C:\Users\Ed and Lou 2\Desktop\aswMBR.txt"
