
Inactive CryptoLocker infection

Discussion in 'Malware and Virus Removal Archive' started by Jeremie, 2014/04/09.

  1. 2014/04/09
    Jeremie

    Jeremie Inactive Thread Starter

    Joined:
    2011/01/06
    Messages:
    117
    Likes Received:
    0
    [Inactive] CryptoLocker infection

    CryptoLocker infection

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 12/5/2009 11:23:04 AM
    System Uptime: 4/9/2014 9:32:04 AM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0JJW8N
    Processor: Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz | Socket 775 | 2926/266mhz
    .
    ==== Disk Partitions =========================
    .
    B: is NetworkDisk (NTFS) - 105 GiB total, 60.421 GiB free.
    C: is FIXED (NTFS) - 218 GiB total, 173.892 GiB free.
    D: is CDROM ()
    O: is NetworkDisk (NTFS) - 932 GiB total, 928.147 GiB free.
    Z: is NetworkDisk (NTFS) - 40 GiB total, 3.627 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: Security Processor Loader Driver
    Device ID: ROOT\LEGACY_SPLDR\0000
    Manufacturer:
    Name: Security Processor Loader Driver
    PNP Device ID: ROOT\LEGACY_SPLDR\0000
    Service: spldr
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    32 Bit HP CIO Components Installer
    Adobe Flash Player 12 ActiveX
    Adobe Flash Player 12 Plugin
    Adobe Reader XI (11.0.06)
    Anti-phishing Domain Advisor
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    BlackBerry Desktop Software 6.0.2
    Bonjour
    CCleaner
    D3DX10
    Dell Backup and Recovery Manager
    Dell Edoc Viewer
    eBLVD Host Software 8.0
    Google Calendar Sync
    Google Chrome
    Google Earth Plug-in
    Google Update Helper
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) TV Wizard
    Intel® Matrix Storage Manager
    iTunes
    Java 7 Update 51
    Java Auto Updater
    Junk Mail filter update
    LogMeIn
    Malwarebytes Anti-Malware version 1.75.0.1300
    Microsoft .NET Framework 4.5.1
    Microsoft Application Error Reporting
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MobileMe Control Panel
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Norton Internet Security
    OGA Notifier 2.0.0048.0
    OpenOffice.org 3.3
    PowerDVD DX
    Practice Manager 10 Workstation
    Practice Manager n-tier Framework Client
    Practice Manager PM Purger Client Adapter
    Practice Manager Update Agent
    QuickTime 7
    Realtek High Definition Audio Driver
    Safari
    Saga Practice Manager and Plugins
    Security Update for Microsoft .NET Framework 4.5.1 (KB2898869)
    Security Update for Microsoft .NET Framework 4.5.1 (KB2901126)
    Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596825) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597973) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2760411) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2760415) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2760585) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2760591) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2817641) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2827326) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2837615) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2850022) 32-Bit Edition
    Security Update for Microsoft Office Excel 2007 (KB2827324) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
    Security Update for Microsoft Office Outlook 2007 (KB2825644) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition
    Security Update for Microsoft Office Word 2007 (KB2837617) 32-Bit Edition
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2878234) 32-Bit Edition
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    VZAccess Manager for RIM
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Mail
    Windows Live Messenger
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Windows Media Player Firefox Plugin
    WinRAR archiver
    Yahoo! Detect
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/9/2014 9:40:14 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    4/9/2014 9:36:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments " " in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
    4/9/2014 9:36:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments " " in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    4/9/2014 9:33:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments " " in order to run the server: {000C101C-0000-0000-C000-000000000046}
    4/9/2014 9:32:39 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments " " in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    4/9/2014 9:32:39 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments " " in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    4/9/2014 9:32:35 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    4/9/2014 9:32:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments " " in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    4/9/2014 9:32:21 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments " " in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
    4/9/2014 9:32:20 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
    4/9/2014 9:32:18 AM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain LATRONICA due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
    4/9/2014 9:31:19 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147014847
    4/9/2014 9:31:19 AM, Error: Microsoft-Windows-GroupPolicy [1055] - The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
    4/9/2014 9:30:07 AM, Error: Microsoft-Windows-GroupPolicy [1058] - The processing of Group Policy failed. Windows attempted to read the file \\Latronica.com\sysvol\Latronica.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled.
    4/9/2014 9:19:17 AM, Error: Microsoft-Windows-TerminalServices-Printers [1111] - Driver HP DeskJet 540 required for printer HP DeskJet 540 is unknown. Contact the administrator to install the driver before you log in again.
    4/9/2014 9:05:02 AM, Error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: A device attached to the system is not functioning.
    4/9/2014 8:01:45 AM, Error: Microsoft-Windows-GroupPolicy [1030] - The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
    4/8/2014 9:55:21 AM, Error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/8/2014 9:55:16 AM, Error: Service Control Manager [7031] - The Service Sendori service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/8/2014 9:55:03 AM, Error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
    4/8/2014 9:54:50 AM, Error: Service Control Manager [7031] - The Application Sendori service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/8/2014 9:54:35 AM, Error: Service Control Manager [7034] - The sndappv2 service terminated unexpectedly. It has done this 1 time(s).
    .
    ==== End Of File ===========================
     
  2. 2014/04/09
    Jeremie
    DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
    Internet Explorer: 11.0.9600.16521 BrowserJavaVersion: 10.51.2
    Run by AA at 9:42:00 on 2014-04-09
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3037.1882 [GMT -4:00]
    .
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\ctfmon.exe
    C:\Windows\system32\DllHost.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Users\aa\AppData\Local\Citrix\GoToAssist Corporate\1019\GoToAssist_Corporate_Customer.exe
    C:\Users\aa\AppData\Local\Temp\Citrix\GoToAssist Corporate\1019\g2a60F4.tmp\G2AInstaller.exe
    C:\Users\aa\AppData\Local\Temp\Citrix\GoToAssist Corporate\1019\g2a60F4.tmp\g2aservice.exe
    C:\Users\aa\AppData\Local\Temp\Citrix\GoToAssist Corporate\1019\g2a60F4.tmp\g2acomm.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Users\aa\AppData\Local\Temp\Citrix\GoToAssist Corporate\1019\g2a60F4.tmp\g2alaunchercustomer.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Users\aa\AppData\Local\Temp\Citrix\GoToAssist Corporate\1019\g2a60F4.tmp\g2auicustomer.exe
    C:\Users\aa\AppData\Local\Temp\Citrix\GoToAssist Corporate\1019\g2a60F4.tmp\g2asessioncontrol.exe
    C:\Users\aa\AppData\Local\Temp\Citrix\GoToAssist Corporate\1019\g2a60F4.tmp\g2achat.exe
    C:\Users\aa\AppData\Local\Temp\Citrix\GoToAssist Corporate\1019\g2a60F4.tmp\g2aremotediagnostics.exe
    C:\Users\aa\AppData\Local\Temp\Citrix\GoToAssist Corporate\1019\g2a60F4.tmp\g2ahostnoui.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Users\aa\AppData\Local\Vvfpuowsiyozhft.exe
    C:\Users\aa\AppData\Local\Vvfpuowsiyozhft.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com
    BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: My Web Search: {07B18EA9-A523-4961-B6BB-170DE4475CCA} -
    uRun: [CryptoLocker] c:\users\aa\appdata\local\Vvfpuowsiyozhft.exe
    uRunOnce: [*CryptoLocker] c:\users\aa\appdata\local\Vvfpuowsiyozhft.exe
    mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe "
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe "
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe "
    mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [Regedit32] c:\windows\system32\regedit.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: PromptOnSecureDesktop = dword:0
    mPolicies-System: SoftwareSASGeneration = dword:0
    IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
    DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
    TCP: Interfaces\{76AD80F1-41D0-46D3-9769-F1CFE3EE94A5} : NameServer = 192.168.1.4,167.206.7.4
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WebCheck - <orphaned>
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\33.0.1750.154\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
    .
    ============= SERVICES / DRIVERS ===============
    .
    S2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2009-11-16 81920]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
    S2 eBLVD;eBLVD;c:\program files\eblvd\ebhost.exe [2010-10-7 588768]
    S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-27 375120]
    S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [2011-11-23 34320]
    S2 Update Agent;Practice Manager Update Agent;c:\program files\common files\pmgsoftware\esd\PM.Deployment.EsdService.exe [2007-11-23 61440]
    S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-3-12 108032]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2014-4-9 40776]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-5 1343400]
    SUnknown fytwqcrf;fytwqcrf; [x]
    .
    =============== Created Last 30 ================
    .
    2014-04-09 13:36:42 411552 ----a-w- c:\windows\system32\drivers\fytwqcrf.sys
    2014-04-09 13:36:41 -------- d-----w- c:\programdata\AVAST Software
    2014-04-09 13:35:56 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2014-04-09 13:33:22 -------- d-----w- c:\users\aa\appdata\local\Citrix
    2014-04-08 21:53:16 951296 --sh--w- c:\users\aa\appdata\local\Vvfpuowsiyozhft.exe
    2014-04-08 16:42:08 101888 ----a-w- c:\users\aa\disetypkidoz.exe
    2014-04-08 16:42:07 100864 ----a-w- c:\users\aa\mosodcysbear.exe
    2014-04-08 13:39:25 56320 ----a-w- c:\windows\system32\drivers\b1d4cc0cc31232b.sys
    2014-04-08 07:17:13 7969936 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{6d427322-2f33-4cc8-9d61-0f67e9bde386}\mpengine.dll
    .
    ==================== Find3M ====================
    .
    2014-03-11 18:44:05 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2014-03-11 18:44:05 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2014-03-11 18:44:04 5777288 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    2014-03-01 23:15:58 181 ----a-w- c:\windows\system32\xsysym.dll
    2014-03-01 04:11:20 2724864 ----a-w- c:\windows\system32\mshtml.tlb
    2014-03-01 04:10:48 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
    2014-03-01 03:52:43 61952 ----a-w- c:\windows\system32\iesetup.dll
    2014-03-01 03:51:53 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
    2014-03-01 03:38:26 112128 ----a-w- c:\windows\system32\ieUnatt.exe
    2014-03-01 03:38:23 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
    2014-03-01 03:37:35 553472 ----a-w- c:\windows\system32\jscript9diag.dll
    2014-03-01 03:31:30 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
    2014-03-01 03:14:15 4244480 ----a-w- c:\windows\system32\jscript9.dll
    2014-03-01 03:00:08 1964032 ----a-w- c:\windows\system32\inetcpl.cpl
    2014-03-01 02:32:16 1820160 ----a-w- c:\windows\system32\wininet.dll
    2014-02-07 01:07:56 2349056 ----a-w- c:\windows\system32\win32k.sys
    2014-02-04 02:04:22 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
    2014-02-04 02:04:11 509440 ----a-w- c:\windows\system32\qedit.dll
    2014-01-29 02:06:47 381440 ----a-w- c:\windows\system32\wer.dll
    2014-01-28 14:09:42 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2014-01-28 14:09:42 85832 ----a-w- c:\windows\system32\LMIinit.dll
    2014-01-28 14:09:42 53064 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
    2014-01-28 14:09:42 31560 ----a-w- c:\windows\system32\LMIport.dll
    2014-01-28 02:07:07 185344 ----a-w- c:\windows\system32\wwansvc.dll
    2014-01-27 16:33:47 243128 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
    2014-01-17 21:24:12 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2014-01-17 21:24:12 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .
    ============= FINISH: 9:43:00.06 ===============
     


  4. 2014/04/09
    Jeremie
    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2014.04.09.04

    Windows 7 Service Pack 1 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 11.0.9600.16521
    AA :: LLF2-PC [administrator]

    4/9/2014 9:46:21 AM
    MBAM-log-2014-04-09 (09-55-38).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 446642
    Time elapsed: 7 minute(s), 21 second(s)

    Memory Processes Detected: 2
    C:\Users\aa\AppData\Local\Vvfpuowsiyozhft.exe (Trojan.Agent) -> 3960 -> No action taken.
    C:\Users\aa\AppData\Local\Vvfpuowsiyozhft.exe (Trojan.Agent) -> 4004 -> No action taken.

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 1
    HKCR\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D} (PUP.Optional.MindSpark.A) -> No action taken.

    Registry Values Detected: 3
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|CryptoLocker (Trojan.Agent) -> Data: C:\Users\aa\AppData\Local\Vvfpuowsiyozhft.exe -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|*CryptoLocker (Trojan.Agent) -> Data: C:\Users\aa\AppData\Local\Vvfpuowsiyozhft.exe -> No action taken.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Regedit32 (Trojan.Agent) -> Data: C:\Windows\system32\regedit.exe -> No action taken.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\Users\aa\AppData\Local\Temp\smcoc.exe (Trojan.Email.FakeDoc) -> No action taken.
    C:\Users\aa\AppData\Local\Vvfpuowsiyozhft.exe (Trojan.Agent) -> No action taken.

    (end)
     
  5. 2014/04/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =================================

    One crucial question... are your files encrypted by CryptoLocker?
     
  6. 2014/04/09
    Jeremie
    Yes. Files are encrypted and it seems shadow copies no longer exist. It seems I only have the option of restoring from last month's backup or paying the ransom :(

    I'm assuming there's nothing you know of?
     
  7. 2014/04/10
    broni
  8. 2014/04/10
    Jeremie
    I think things are clear. Can you assist in a clean up? I'm not finding any traces, but would like to be extra sure.
     
  9. 2014/04/11
    broni
    Do you mean you restored your computer from a backup?
     
