system
April 28, 2016, 6:57am
1
Hi there, I have come here to seek some help with a heavily infected computer a friend gave to me yesterday. What it does is it keeps spewing BSOD messages every 10-20 minutes after boot-up; these errors are volmgrx.sys, ntfs.sys, and the last one doesn't list anything. I have tried installing an antivirus to no avail, because it will freeze, and as soon as I click on something it will go haywire.
I have managed to get Malwarebytes running through the whole scan, which detected 2186 threats and restarted it, but then the problems returned.
I believe this computer has the DarkSky trojan, but I am entirely unsure, since I am not fast enough to do other scans before it cuts out once more.
Any help will be appreciated.
Regards, RK
Eddy
April 28, 2016, 7:00am
2
Follow the instructions in the sticky at the top of this forum and attach the logs to your next post.
system
April 28, 2016, 7:18am
3
Here are the logs:
Sorry, they exceeded the 20000-character limit, so I uploaded them to filedropper.
Eddy
April 28, 2016, 7:39am
4
You need to ATTACH the requested logs to your post.
system
April 28, 2016, 7:49am
5
Here they are, sorry for my whoopsie.
Pondus
April 28, 2016, 9:02am
6
Malware experts are usually online after 15:00 European time.
Could you let me know how the system is after this?
No sign of DarkSky.
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open Notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
HKU\S-1-5-19\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-20\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-18\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2015-11-21]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.11.226\SSScheduler.exe (No File)
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=21.6.0.32
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=21.6.0.32
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=21.6.0.32
HKU\S-1-5-21-1664292602-29874959-3751813097-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=21.6.0.32
URLSearchHook: HKLM-x32 - uTorrentControl2 Toolbar - {687578b9-7132-4a7a-80e4-30ee31099e03} - C:\Program Files (x86)\uTorrentControl2\prxtbuTor.dll (Conduit Ltd.)
URLSearchHook: HKLM-x32 - Produtools Manuals 2.1 B Toolbar - {6c3d3bd4-75f8-4283-bb97-1e22c4c090df} - C:\Program Files (x86)\Produtools_Manuals_2.1_B\prxtbProd.dll (Conduit Ltd.)
SearchScopes: HKLM-x32 -> {23088cf8-eaf8-4bb3-a251-9ba61557ac75} URL = hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^Z1^xdm039^S00820^au&si=CIq6p76Ntq8CFVGApAodnAq7jw&ptb=63693EFA-9681-4AE7-BC07-0D1619A8DE64&psa=&ind=2012041501&st=sb&n=77ed511d&searchfor={searchTerms}
SearchScopes: HKU\S-1-5-21-1664292602-29874959-3751813097-1001 -> 0FAD3F3B94814C3FBCD3F6CE480D3F81 URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3282146&CUI=UN38782262412366171
SearchScopes: HKU\S-1-5-21-1664292602-29874959-3751813097-1001 -> {23088cf8-eaf8-4bb3-a251-9ba61557ac75} URL = hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^Z1^xdm039^S00820^au&si=CIq6p76Ntq8CFVGApAodnAq7jw&ptb=63693EFA-9681-4AE7-BC07-0D1619A8DE64&psa=&ind=2012041501&st=sb&n=77ed511d&searchfor={searchTerms}
BHO-x32: Toolbar BHO -> {631acb68-57c3-48af-9cc5-fcec0837ffd3} -> C:\Program Files (x86)\FilmFanatic\bar\1.bin\pabar.dll [2012-04-15] (MindSpark)
BHO-x32: uTorrentControl2 Toolbar -> {687578b9-7132-4a7a-80e4-30ee31099e03} -> C:\Program Files (x86)\uTorrentControl2\prxtbuTor.dll [2011-05-09] (Conduit Ltd.)
BHO-x32: Produtools Manuals 2.1 B Toolbar -> {6c3d3bd4-75f8-4283-bb97-1e22c4c090df} -> C:\Program Files (x86)\Produtools_Manuals_2.1_B\prxtbProd.dll [2012-11-06] (Conduit Ltd.)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360\Engine\21.7.0.11\IPS\IPSBHO.DLL No File
BHO-x32: Search Assistant BHO -> {d5e9b421-c309-41de-9014-800a2adcdeb0} -> C:\Program Files (x86)\FilmFanatic\bar\1.bin\paSrcAs.dll [2012-04-15] (MindSpark)
Toolbar: HKLM-x32 - FilmFanatic - {0b84b4b4-8af8-4f1f-91fe-074a666f6425} - C:\Program Files (x86)\FilmFanatic\bar\1.bin\pabar.dll [2012-04-15] (MindSpark)
Toolbar: HKLM-x32 - uTorrentControl2 Toolbar - {687578b9-7132-4a7a-80e4-30ee31099e03} - C:\Program Files (x86)\uTorrentControl2\prxtbuTor.dll [2011-05-09] (Conduit Ltd.)
Toolbar: HKLM-x32 - Produtools Manuals 2.1 B Toolbar - {6c3d3bd4-75f8-4283-bb97-1e22c4c090df} - C:\Program Files (x86)\Produtools_Manuals_2.1_B\prxtbProd.dll [2012-11-06] (Conduit Ltd.)
Toolbar: HKU\S-1-5-21-1664292602-29874959-3751813097-1001 -> No Name - {0B84B4B4-8AF8-4F1F-91FE-074A666F6425} - No File
Toolbar: HKU\S-1-5-21-1664292602-29874959-3751813097-1001 -> No Name - {687578B9-7132-4A7A-80E4-30EE31099E03} - No File
Toolbar: HKU\S-1-5-21-1664292602-29874959-3751813097-1001 -> No Name - {6C3D3BD4-75F8-4283-BB97-1E22C4C090DF} - No File
Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 - No File
FF Plugin-x32: @FilmFanatic.com/Plugin -> C:\Program Files (x86)\FilmFanatic\bar\1.bin\NPpaStub.dll [2012-04-15] (MindSpark)
FF HKLM-x32\...\Firefox\Extensions: [paffxtbr@FilmFanatic.com] - C:\Program Files (x86)\FilmFanatic\bar\1.bin
FF Extension: No Name - C:\Program Files (x86)\FilmFanatic\bar\1.bin [2012-04-15]
CHR Plugin: (MindSpark Toolbar Platform Plugin Stub) - C:\Program Files (x86)\FilmFanatic\bar\1.bin\NPpaStub.dll (MindSpark)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll => No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.111\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.111\pdf.dll => No File
CHR Plugin: (Wondershare Video Convert Chrome Plugin) - C:\Users\Morne Du Plessis\AppData\Local\Google\Chrome\User Data\Default\Extensions\chgdeabpmphfhkoemjjglmilajldekbp\6.0.0_0\npSVRChromePlugin.dll => No File
CHR Plugin: (WildTangent Games App V2 Presence Detector) - C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\3\NP_wtapp.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll => No File
CHR Extension: (Norton Identity Safe) - C:\Users\Morne Du Plessis\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2014-10-21]
CHR Extension: (Norton Security Toolbar) - C:\Users\Morne Du Plessis\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk [2013-08-25]
CHR Extension: (uTorrentControl2) - C:\Users\Morne Du Plessis\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacgpkgadgmibnhpdidcnfafllnmeomc [2013-08-23]
R2 FilmFanaticService; C:\Program Files (x86)\FilmFanatic\bar\1.bin\pabarsvc.exe [42504 2012-04-15] (COMPANYVERS_NAME)
2016-03-15 20:37 - 2016-03-15 20:37 - 00000000 ____D C:\Program Files (x86)\GUM8E59.tmp
2016-03-15 20:37 - 2016-03-15 20:37 - 00000000 _____ C:\Program Files (x86)\GUT8E5A.tmp
2016-04-27 22:53 - 2012-04-15 07:27 - 00000000 ____D C:\ProgramData\boost_interprocess
Task: {085C792D-8C5B-4483-8EC5-F741720DBD42} - System32\Tasks\Norton 360\Norton Error Processor => C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\SymErr.exe
Task: {1489314A-ED4F-4FB5-BB63-E4ED4E36B870} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\WSCStub.exe
Task: {5152B730-BBB4-4393-A744-388D5480470D} - System32\Tasks\{1DE3973A-EE90-4BE1-B3AD-B556D993EF34} => F:\CROCCLIP.EXE
Task: {8DC01453-9EC3-4912-9C30-A9582E5D1E10} - System32\Tasks\{5DBA60D4-9843-4C76-BCAB-22D38DED08B9} => F:\CROCCLIP.EXE
Task: {9DAB9644-0421-432B-B446-0485079306F1} - System32\Tasks\{4E8CDFC3-F403-4D26-8336-EED61E9F4DD1} => F:\CROCCLIP.EXE
C:\Program Files\Common Files\mcafee
C:\Program Files (x86)\FilmFanatic
C:\Program Files (x86)\uTorrentControl2
C:\Program Files (x86)\Produtools_Manuals_2.1_B
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix.
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on "Clean".
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
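Added example, not part of the thread and not FRST's own code: a small Python triage script that reads lines in the shape of the fixlist above and sorts them into buckets before anyone presses Fix. The bucket names, the PUP_MARKERS list (vendor and product strings taken from the log lines in this thread) and the sample input are my own constructions; the sample lines copy the record shapes shown above. It shows what a reviewer of such a fixlist checks: FRST directives versus detected entries, registry entries that point at files that no longer exist ("No File"), entries tied to known adware toolbars, and autoruns such as the scheduled tasks that launch F:\CROCCLIP.EXE, whose target lives off the system volume and should be matched against whatever media is mounted.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the FRST fixlist quoted in the thread:
# a few detected records of each type, one bare folder path, two directives.
SAMPLE_FIXLIST = r"""
CreateRestorePoint:
HKU\S-1-5-19\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.11.226\SSScheduler.exe (No File)
BHO-x32: uTorrentControl2 Toolbar -> {687578b9-7132-4a7a-80e4-30ee31099e03} -> C:\Program Files (x86)\uTorrentControl2\prxtbuTor.dll [2011-05-09] (Conduit Ltd.)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360\Engine\21.7.0.11\IPS\IPSBHO.DLL No File
Task: {5152B730-BBB4-4393-A744-388D5480470D} - System32\Tasks\{1DE3973A-EE90-4BE1-B3AD-B556D993EF34} => F:\CROCCLIP.EXE
R2 FilmFanaticService; C:\Program Files (x86)\FilmFanatic\bar\1.bin\pabarsvc.exe [42504 2012-04-15] (COMPANYVERS_NAME)
C:\Program Files (x86)\FilmFanatic
CMD: netsh advfirewall reset
EmptyTemp:
"""

# Vendor/product strings seen on the adware toolbar entries in this thread's log
# (assumed marker list for this example, not an FRST feature).
PUP_MARKERS = ("Conduit Ltd.", "MindSpark", "FilmFanatic", "uTorrentControl2", "Produtools")
# FRST directives: instructions to the tool rather than detected entries.
DIRECTIVES = ("CreateRestorePoint:", "RemoveProxy:", "EmptyTemp:", "CMD:", "Reg:")
# A Windows path, ending at a "[date]" tag, a "No File" marker, or end of line.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\[\n]*?)(?=\s+\[|\s+\(No File\)|\s+No File|\s*$)")


@dataclass
class Finding:
    kind: str              # FRST record type, e.g. "BHO-x32", "Task", "Service", "Folder"
    category: str          # triage bucket assigned below
    target: Optional[str]  # last file-system path on the line, if any
    line: str


def classify(line: str) -> Optional[Finding]:
    """Assign one fixlist line to a triage bucket; blank lines yield None."""
    s = line.strip()
    if not s:
        return None
    if s.startswith(DIRECTIVES):
        return Finding(s.split(":", 1)[0], "directive", None, s)
    # A bare path (only the drive colon) is a folder FRST will delete.
    if re.match(r"^[A-Za-z]:\\", s) and ":" not in s[2:]:
        return Finding("Folder", "delete-folder", s, s)
    if s.startswith(("HKU\\", "HKLM\\", "HKCU\\")):
        kind = "Registry"
    elif ":" in s.split(" ", 1)[0]:
        kind = s.split(":", 1)[0]
    else:
        kind = "Service"  # "R2 Name; path" style service records
    paths = PATH_RE.findall(s)
    target = paths[-1] if paths else None
    if re.search(r"\bNo File\b", s):
        category = "orphan"            # registry points at a file that is gone
    elif any(m in s for m in PUP_MARKERS):
        category = "pup"               # known adware toolbar vendor or product
    elif target and target[0].lower() != "c":
        category = "non-system-drive"  # autorun target lives off the system volume
    else:
        category = "review"            # nothing automatic to say; read it by hand
    return Finding(kind, category, target, s)


def triage(text: str) -> list:
    return [f for f in (classify(l) for l in text.splitlines()) if f]


def summarize(findings) -> dict:
    return dict(Counter(f.category for f in findings))


def off_volume_targets(findings) -> list:
    """Autorun targets on drives other than C:, to compare against mounted media."""
    return [f.target for f in findings if f.category == "non-system-drive"]


if __name__ == "__main__":
    found = triage(SAMPLE_FIXLIST)
    for f in found:
        print(f"{f.category:16} {f.kind:15} {f.target or ''}")
    print(summarize(found))
```

The script only reads and labels; it never touches the registry or the file system, so it can run on the helper's own machine against a log pasted from the infected one. Running it on the constructed sample yields 3 directives, 2 orphans, 2 PUP entries, 1 folder, 1 off-volume task and 1 entry left for manual review.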
system
April 29, 2016, 12:36am
9
Yes, well, I am scanning it with a second computer with an e-SATA dock at the moment. Seems to be an SSD, but yes, when I'm done scanning I will run that text file.
PS: It will take some time though.
Well, after a long time I eventually gave up, backed up the client's documents and proceeded to do a PC Reset (used the image provided in a special partition). All is good: no blue screens, no viruses, nothing, besides the crapware, which I removed.
But thanks for helping me anyway.