Ransomware Trojan
Hello again, sorry so soon,
I got the same pop-up as one month ago, asking permission to make a registry change:
(link) http://forums.spybot.info/showthread...egistry-hijack
so this time I allowed it (as was Shelf Life's recommendation previously).
It has now implemented a Police-type Trojan, requiring Ukash or similar, and had a webcam section that took over my webcam. I booted into Safe Mode, ran Spybot (it found nothing) and thought I'd need help, what with what I've heard about CryptoLocker recently.
I ran ERUNT and it seems like it worked fine.
DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK
Internet Explorer: 9.0.8112.16476 BrowserJavaVersion: 10.65.2
Run by Ed and Lou 2 at 0:36:50 on 2014-07-20
.
============== Running Processes ================
.
C:\Program Files (x86)\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [DellSupportCenter] "c:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [DivXMediaServer] C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe
mRun: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.bp.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{D34D4A84-3E9D-40D5-A6D9-93A100A1B04F} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{D34D4A84-3E9D-40D5-A6D9-93A100A1B04F}\A5978554C4F57303932357B656 : DHCPNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - <no file>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.125\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [IntelliType Pro] "c:\Program Files\Microsoft Device Center\itype.exe"
x64-Run: [IntelliPoint] "c:\Program Files\Microsoft Device Center\ipoint.exe"
x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Ed and Lou 2\AppData\Roaming\Mozilla\Firefox\Profiles\wfdrlyc3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=WLETDF&PC=WLEM&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=WLETDF&PC=WLEM&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1166636.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1168638.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_145.dll
.
============= SERVICES / DRIVERS ===============
.
R? AERTFilters;Andrea RT Filters Service
R? aswHwid;avast! HardwareID
R? aswMonFlt;aswMonFlt
R? aswRvrt;avast! Revert
R? aswSnx;aswSnx
R? aswSP;aswSP
R? aswStm;aswStm
R? aswVmm;avast! VM Monitor
R? avast! Antivirus;avast! Antivirus
R? btusbflt;Bluetooth USB Filter
R? btwl2cap;Bluetooth L2CAP Service
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64
R? CtClsFlt;Creative Camera Class Upper Filter Driver
R? cvhsvc;Client Virtualization Handler
R? dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.)
R? DockLoginService;Dock Login Service
R? fssfltr;fssfltr
R? fsssvc;Windows Live Family Safety Service
R? Impcd;Impcd
R? IntcDAud;Intel(R) Display Audio
R? LVPr2M64;Logitech LVPr2M64 Driver
R? LVPrcS64;Process Monitor
R? LVRS64;Logitech RightSound Filter Driver
R? LVUVC64;Logitech QuickCam E3500(UVC)
R? MBAMProtector;MBAMProtector
R? MBAMScheduler;MBAMScheduler
R? MBAMService;MBAMService
R? MBAMSwissArmy;MBAMSwissArmy
R? MBAMWebAccessControl;MBAMWebAccessControl
R? PSI;PSI
R? RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader
R? SBSDWSCService;SBSD Security Center Service
R? Secunia PSI Agent;Secunia PSI Agent
R? Secunia Update Agent;Secunia Update Agent
R? Sftfs;Sftfs
R? sftlist;Application Virtualization Client
R? Sftplay;Sftplay
R? Sftredir;Sftredir
R? Sftvol;Sftvol
R? sftvsa;Application Virtualization Service Agent
R? ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.)
R? TomTomHOMEService;TomTomHOMEService
R? UNS;Intel(R) Management & Security Application User Notification Service
R? WatAdminSvc;Windows Activation Technologies Service
R? wlcrasvc;Windows Live Mesh remote connections service
S? BcmVWL;Broadcom Virtual Wireless
S? gfibto;gfibto
S? HECIx64;Intel(R) Management Engine Interface
S? L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller
S? PxHlpa64;PxHlpa64
.
=============== Created Last 30 ================
.
2014-07-19 22:50:34 -------- d-----w- C:\FRST
2014-07-19 22:39:16 -------- d-----w- C:\ProgramData\788B23B92244C6B9DBB5C906F76891A9
2014-07-19 21:13:15 29208 ----a-w- C:\Windows\System32\drivers\aswHwid.sys
2014-07-19 21:12:52 43152 ----a-w- C:\Windows\avastSS.scr
2014-07-19 20:43:23 -------- d-----w- C:\Users\Ed and Lou 2\AppData\Local\Adobe
2014-07-18 16:01:25 10924376 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{94E67583-ADBF-4E59-B6ED-E41357CBABC7}\mpengine.dll
2014-07-17 16:59:34 98216 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-07-10 21:37:36 -------- d-s---w- C:\Windows\System32\CompatTel
2014-07-10 19:00:33 516096 ----a-w- C:\Windows\System32\aepdu.dll
2014-07-10 19:00:33 424448 ----a-w- C:\Windows\System32\aeinv.dll
2014-07-10 18:52:16 163504 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10145.bin
2014-06-27 20:32:20 536576 ----a-w- C:\Windows\SysWow64\sqlite3.dll
2014-06-26 21:42:49 122584 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-06-26 21:41:57 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-06-26 21:41:57 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-06-26 21:41:57 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-06-26 21:41:57 -------- d-----w- C:\ProgramData\Malwarebytes
2014-06-26 21:41:57 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-06-20 22:57:57 -------- d-----w- C:\ProgramData\F321AC108F210EF99933826ED58525E0
.
==================== Find3M ====================
.
2014-07-19 21:12:54 93568 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2014-07-19 21:12:54 92008 ----a-w- C:\Windows\System32\drivers\aswStm.sys
2014-07-19 21:12:54 79184 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2014-07-19 21:12:54 65776 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys
2014-07-19 21:12:54 224896 ----a-w- C:\Windows\System32\drivers\aswVmm.sys
2014-07-19 21:12:54 1041168 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2014-07-08 19:12:32 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-07-08 19:12:32 699056 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
.
============= FINISH: 0:39:00.38 ===============
aswMBR version 1.0.1.2041 Copyright(c) 2014 AVAST Software
Run date: 2014-07-20 00:48:03
-----------------------------
00:48:03.397 OS Version: Windows x64 6.1.7600
00:48:03.397 Number of processors: 4 586 0x2505
00:48:03.397 ComputerName: EDANDLOU2-PC UserName: Ed and Lou 2
00:48:04.317 Initialize success
00:48:04.349 VM: driver load error: 2
00:48:06.579 AVAST engine defs: 14071901
00:48:17.078 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
00:48:17.078 Disk 0 Vendor: Hitachi_ PB3O Size: 305245MB BusType: 3
00:48:17.172 Disk 0 MBR read successfully
00:48:17.172 Disk 0 MBR scan
00:48:17.718 Disk 0 Windows 7 default MBR code
00:48:17.733 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 100 MB offset 2048
00:48:17.952 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15000 MB offset 206848
00:48:17.983 Disk 0 Boot: NTFS code=1
00:48:18.139 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 290143 MB offset 30926848
00:48:18.326 Disk 0 scanning C:\Windows\system32\drivers
00:48:29.433 Service scanning
00:48:58.231 Modules scanning
00:48:58.231 Disk 0 trace - called modules:
00:48:58.262 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
00:48:58.262 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004be1060]
00:48:58.262 3 CLASSPNP.SYS[fffff88001ad943f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004902050]
00:48:58.761 AVAST engine scan C:\Windows
00:49:00.540 AVAST engine scan C:\Windows\system32
00:51:10.301 AVAST engine scan C:\Windows\system32\drivers
00:51:22.828 AVAST engine scan C:\Users\Ed and Lou 2
01:10:25.118 AVAST engine scan C:\ProgramData
01:14:49.525 Scan finished successfully
01:15:56.205 Disk 0 MBR has been saved successfully to "C:\Users\Ed and Lou 2\Desktop\MBR.dat"
01:15:56.205 The log file has been saved successfully to "C:\Users\Ed and Lou 2\Desktop\aswMBR.txt"
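The autostart locations that the DDS "Pseudo HJT Report" above summarises (uRun/mRun/x64-Run, Winlogon Notify, BHOs, the mPolicies-System UAC values and the Hosts line) can be pulled by hand with the PowerShell below. It is an example added here by the editor, not part of the original post, of DDS or of any Spybot tool. It assumes Windows 7 x64 as in the log, an elevated session (Safe Mode is fine) and PowerShell 3.0 or later for `[pscustomobject]`; the registry and folder paths are the standard Windows ones, the function names are the example's own, and the "expected" values in the comments are the Windows 7 defaults.

```powershell
# Added example (not from the original post or from DDS): list the autostart
# locations DDS reports, flag entries whose target file no longer exists, and
# dump the UAC policy values and hosts entries. Assumes Windows 7 x64, an
# elevated PowerShell 3.0+ session.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'               # x64-Run
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # mRun (32-bit view)
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'               # uRun
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a command line such as
#   "C:\Program Files\X\y.exe" /hide   or   C:\Program Files (x86)\Z\z.exe
# Bare names resolved through PATH (e.g. rundll32.exe ...) will show Exists=False.
function Get-ExePath([string]$CommandLine) {
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl -match '^"([^"]+)"') { return $Matches[1] }
    if ($cl -match '^(.+?\.(exe|dll|scr|cmd|bat))') { return $Matches[1] }
    return $cl
}

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }     # PSPath, PSParentPath, ...
            $exe = Get-ExePath ([string]$prop.Value)
            [pscustomobject]@{
                Location = $key
                Name     = $prop.Name
                Command  = $prop.Value
                Exists   = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
            }
        }
    }
    # Startup folders: a shortcut or binary dropped here runs at logon with no registry entry at all
    $startup = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    foreach ($dir in $startup) {
        Get-ChildItem -LiteralPath $dir -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName; Exists = $true }
        }
    }
}

function Get-WinlogonEntries {
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p  = Get-ItemProperty -Path $wl
    # Windows 7 defaults: Shell = explorer.exe ; Userinit = C:\Windows\system32\userinit.exe,
    [pscustomobject]@{ Value = 'Shell';    Data = $p.Shell }
    [pscustomobject]@{ Value = 'Userinit'; Data = $p.Userinit }
    # Winlogon\Notify subkeys are the "Notify:" / "x64-Notify:" lines in the DDS log
    foreach ($sub in @("$wl\Notify", 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify')) {
        Get-ChildItem -Path $sub -ErrorAction SilentlyContinue | ForEach-Object {
            $dll = (Get-ItemProperty -Path $_.PSPath).DllName
            [pscustomobject]@{ Value = "Notify\$($_.PSChildName)"; Data = $dll }
        }
    }
}

function Get-BHOs {
    # 64-bit and 32-bit IE each load their own BHO list; CLSIDs resolve in the matching Classes view
    $views = @(
        @{ Bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects';             Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' }
        @{ Bho = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'; Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
    )
    foreach ($v in $views) {
        Get-ChildItem -Path $v.Bho -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = $_.PSChildName
            $srv   = Get-ItemProperty -Path "$($v.Clsid)\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            $dll   = if ($srv) { Get-ExePath ([string]$srv.'(default)') } else { '' }
            [pscustomobject]@{ View = $v.Clsid; Clsid = $clsid; Dll = $dll; Exists = ($dll -ne '' -and (Test-Path -LiteralPath $dll)) }
        }
    }
}

function Get-UacPolicy {
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # Windows 7 defaults: EnableLUA=1, ConsentPromptBehaviorAdmin=5, ConsentPromptBehaviorUser=3, EnableUIADesktopToggle=0
    foreach ($n in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser', 'EnableUIADesktopToggle') {
        [pscustomobject]@{ Policy = $n; Value = $pol.$n }
    }
}

function Get-HostsEntries {
    Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
}

Get-AutostartEntries | Sort-Object Exists | Format-Table -AutoSize -Wrap
Get-WinlogonEntries  | Format-Table -AutoSize
Get-BHOs             | Format-Table -AutoSize
Get-UacPolicy        | Format-Table -AutoSize
Get-HostsEntries
```

Entries with Exists=False are the orphans DDS prints as "<no file>" or with an empty path (the scriptproxy BHO and the 32-bit igfxcui Notify entry in the log above); they are dead references rather than running code. The lines worth attention are the opposite case: a Run value or Startup shortcut whose target does exist but sits in a user-writable location you do not recognise. The "Created Last 30" section of the DDS log shows two hexadecimal-named directories under C:\ProgramData; any autostart entry pointing into a directory like that is the first thing to pull for analysis. The UAC values shown in the log (5, 3, 0) match the Windows 7 defaults, so the TeaTimer prompt the poster approved was a registry change, not a UAC policy change.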