Heavily Infected PC

Hi there, I have come here to seek some help with a heavily infected computer a friend gave to me yesterday. What it does is it keeps spewing BSOD messages every 10-20 minutes after boot up; these errors are volmgrx.sys, ntfs.sys, and the last one doesn't list anything. I have tried installing an antivirus to no avail, because it will freeze, and as soon as I click on something it will go haywire.

I have managed to get Malwarebytes running through the whole scan, which detected 2186 threats, and restarted it, but then the problems returned.

I believe this computer has the DarkSky trojan, but I am entirely unsure since I am not fast enough to do other scans before it cuts out once more.

Any help will be appreciated :slight_smile:

Regards RK

Follow the instructions in the sticky at the top of this forum and attach the logs to your next post.

Here are the logs:

online backup

file upload

Sorry, the logs exceeded the 20000-character limit, so I uploaded them to filedropper.

You need to ATTACH the requested logs to your post.

Here they are, sorry for my whoopsie :slight_smile:

Malware experts are usually online after 15:00 European time.

The MBam log is missing.

Could you let me know how the system is after this?

No sign of DarkSky.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-19\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-20\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-18\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2015-11-21]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.11.226\SSScheduler.exe (No File)
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=21.6.0.32
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=21.6.0.32
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=21.6.0.32
HKU\S-1-5-21-1664292602-29874959-3751813097-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=21.6.0.32
URLSearchHook: HKLM-x32 - uTorrentControl2 Toolbar - {687578b9-7132-4a7a-80e4-30ee31099e03} - C:\Program Files (x86)\uTorrentControl2\prxtbuTor.dll (Conduit Ltd.)
URLSearchHook: HKLM-x32 - Produtools Manuals 2.1 B Toolbar - {6c3d3bd4-75f8-4283-bb97-1e22c4c090df} - C:\Program Files (x86)\Produtools_Manuals_2.1_B\prxtbProd.dll (Conduit Ltd.)
SearchScopes: HKLM-x32 -> {23088cf8-eaf8-4bb3-a251-9ba61557ac75} URL = hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^Z1^xdm039^S00820^au&si=CIq6p76Ntq8CFVGApAodnAq7jw&ptb=63693EFA-9681-4AE7-BC07-0D1619A8DE64&psa=&ind=2012041501&st=sb&n=77ed511d&searchfor={searchTerms}
SearchScopes: HKU\S-1-5-21-1664292602-29874959-3751813097-1001 -> 0FAD3F3B94814C3FBCD3F6CE480D3F81 URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3282146&CUI=UN38782262412366171
SearchScopes: HKU\S-1-5-21-1664292602-29874959-3751813097-1001 -> {23088cf8-eaf8-4bb3-a251-9ba61557ac75} URL = hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^Z1^xdm039^S00820^au&si=CIq6p76Ntq8CFVGApAodnAq7jw&ptb=63693EFA-9681-4AE7-BC07-0D1619A8DE64&psa=&ind=2012041501&st=sb&n=77ed511d&searchfor={searchTerms}
BHO-x32: Toolbar BHO -> {631acb68-57c3-48af-9cc5-fcec0837ffd3} -> C:\Program Files (x86)\FilmFanatic\bar\1.bin\pabar.dll [2012-04-15] (MindSpark)
BHO-x32: uTorrentControl2 Toolbar -> {687578b9-7132-4a7a-80e4-30ee31099e03} -> C:\Program Files (x86)\uTorrentControl2\prxtbuTor.dll [2011-05-09] (Conduit Ltd.)
BHO-x32: Produtools Manuals 2.1 B Toolbar -> {6c3d3bd4-75f8-4283-bb97-1e22c4c090df} -> C:\Program Files (x86)\Produtools_Manuals_2.1_B\prxtbProd.dll [2012-11-06] (Conduit Ltd.)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360\Engine\21.7.0.11\IPS\IPSBHO.DLL No File
BHO-x32: Search Assistant BHO -> {d5e9b421-c309-41de-9014-800a2adcdeb0} -> C:\Program Files (x86)\FilmFanatic\bar\1.bin\paSrcAs.dll [2012-04-15] (MindSpark)
Toolbar: HKLM-x32 - FilmFanatic - {0b84b4b4-8af8-4f1f-91fe-074a666f6425} - C:\Program Files (x86)\FilmFanatic\bar\1.bin\pabar.dll [2012-04-15] (MindSpark)
Toolbar: HKLM-x32 - uTorrentControl2 Toolbar - {687578b9-7132-4a7a-80e4-30ee31099e03} - C:\Program Files (x86)\uTorrentControl2\prxtbuTor.dll [2011-05-09] (Conduit Ltd.)
Toolbar: HKLM-x32 - Produtools Manuals 2.1 B Toolbar - {6c3d3bd4-75f8-4283-bb97-1e22c4c090df} - C:\Program Files (x86)\Produtools_Manuals_2.1_B\prxtbProd.dll [2012-11-06] (Conduit Ltd.)
Toolbar: HKU\S-1-5-21-1664292602-29874959-3751813097-1001 -> No Name - {0B84B4B4-8AF8-4F1F-91FE-074A666F6425} - No File
Toolbar: HKU\S-1-5-21-1664292602-29874959-3751813097-1001 -> No Name - {687578B9-7132-4A7A-80E4-30EE31099E03} - No File
Toolbar: HKU\S-1-5-21-1664292602-29874959-3751813097-1001 -> No Name - {6C3D3BD4-75F8-4283-BB97-1E22C4C090DF} - No File
Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 - No File
FF Plugin-x32: @FilmFanatic.com/Plugin -> C:\Program Files (x86)\FilmFanatic\bar\1.bin\NPpaStub.dll [2012-04-15] (MindSpark)
FF HKLM-x32\...\Firefox\Extensions: [paffxtbr@FilmFanatic.com] - C:\Program Files (x86)\FilmFanatic\bar\1.bin
FF Extension: No Name - C:\Program Files (x86)\FilmFanatic\bar\1.bin [2012-04-15]
CHR Plugin: (MindSpark Toolbar Platform Plugin Stub) - C:\Program Files (x86)\FilmFanatic\bar\1.bin\NPpaStub.dll (MindSpark)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll => No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.111\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.111\pdf.dll => No File
CHR Plugin: (Wondershare Video Convert Chrome Plugin) - C:\Users\Morne Du Plessis\AppData\Local\Google\Chrome\User Data\Default\Extensions\chgdeabpmphfhkoemjjglmilajldekbp\6.0.0_0\npSVRChromePlugin.dll => No File
CHR Plugin: (WildTangent Games App V2 Presence Detector) - C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\3\NP_wtapp.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll => No File
CHR Extension: (Norton Identity Safe) - C:\Users\Morne Du Plessis\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2014-10-21]
CHR Extension: (Norton Security Toolbar) - C:\Users\Morne Du Plessis\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk [2013-08-25]
CHR Extension: (uTorrentControl2) - C:\Users\Morne Du Plessis\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacgpkgadgmibnhpdidcnfafllnmeomc [2013-08-23]
R2 FilmFanaticService; C:\Program Files (x86)\FilmFanatic\bar\1.bin\pabarsvc.exe [42504 2012-04-15] (COMPANYVERS_NAME)
2016-03-15 20:37 - 2016-03-15 20:37 - 00000000 ____D C:\Program Files (x86)\GUM8E59.tmp
2016-03-15 20:37 - 2016-03-15 20:37 - 00000000 _____ C:\Program Files (x86)\GUT8E5A.tmp
2016-04-27 22:53 - 2012-04-15 07:27 - 00000000 ____D C:\ProgramData\boost_interprocess
Task: {085C792D-8C5B-4483-8EC5-F741720DBD42} - System32\Tasks\Norton 360\Norton Error Processor => C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\SymErr.exe
Task: {1489314A-ED4F-4FB5-BB63-E4ED4E36B870} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\WSCStub.exe
Task: {5152B730-BBB4-4393-A744-388D5480470D} - System32\Tasks\{1DE3973A-EE90-4BE1-B3AD-B556D993EF34} => F:\CROCCLIP.EXE
Task: {8DC01453-9EC3-4912-9C30-A9582E5D1E10} - System32\Tasks\{5DBA60D4-9843-4C76-BCAB-22D38DED08B9} => F:\CROCCLIP.EXE
Task: {9DAB9644-0421-432B-B446-0485079306F1} - System32\Tasks\{4E8CDFC3-F403-4D26-8336-EED61E9F4DD1} => F:\CROCCLIP.EXE

C:\Program Files\Common Files\mcafee
C:\Program Files (x86)\FilmFanatic
C:\Program Files (x86)\uTorrentControl2
C:\Program Files (x86)\Produtools_Manuals_2.1_B
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

1. Close all open programs and internet browsers.
2. Double click on AdwCleaner.exe to run the tool.
3. Click on Scan.
4. After the scan is complete, click on "Clean".
5. Confirm each time with Ok.
6. Your computer will be rebooted automatically. A text file will open after the restart.
7. Please post the content of that logfile with your next answer.
8. You can find the logfile at C:\AdwCleaner[S0].txt as well.
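An added post-fix check, not part of the thread and not an FRST or AdwCleaner feature: run in an elevated PowerShell on the same machine after the fix, it re-queries the persistence points the fixlist above targets (the Conduit and MindSpark BHO/toolbar CLSIDs, the IsMyWinLockerReboot RunOnce values, the FilmFanatic service and folders, and the tasks pointing at F:\CROCCLIP.EXE) and lists anything that survived. It assumes 64-bit Windows (the HKLM-x32 entries imply Wow6432Node) and Windows 8 or later for Get-ScheduledTask.

```powershell
# Added verification script (not from the thread or from FRST). Values below are the
# CLSIDs, paths and names taken from the fixlist; run as Administrator, same machine.
$clsids = @('{687578b9-7132-4a7a-80e4-30ee31099e03}',  # uTorrentControl2 toolbar (Conduit)
            '{6c3d3bd4-75f8-4283-bb97-1e22c4c090df}',  # Produtools Manuals toolbar (Conduit)
            '{631acb68-57c3-48af-9cc5-fcec0837ffd3}',  # FilmFanatic Toolbar BHO (MindSpark)
            '{d5e9b421-c309-41de-9014-800a2adcdeb0}',  # FilmFanatic Search Assistant BHO
            '{0b84b4b4-8af8-4f1f-91fe-074a666f6425}')  # FilmFanatic toolbar
$folders = @('C:\Program Files (x86)\FilmFanatic',
             'C:\Program Files (x86)\uTorrentControl2',
             'C:\Program Files (x86)\Produtools_Manuals_2.1_B',
             'C:\Program Files\Common Files\mcafee')
# 32-bit IE hooks and BHOs are registered under Wow6432Node on 64-bit Windows
$ie32  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer'
$bho32 = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$findings = @()

foreach ($c in $clsids) {
    if (Test-Path "$bho32\$c") { $findings += "BHO still registered: $c" }
    foreach ($sub in 'Toolbar', 'URLSearchHooks') {
        # value names under these keys are the CLSIDs; -contains is case-insensitive
        $vals = (Get-ItemProperty "$ie32\$sub" -ErrorAction SilentlyContinue).PSObject.Properties.Name
        if ($vals -contains $c) { $findings += "$sub entry still present: $c" }
    }
}
# RunOnce values the fixlist removed from the service-account hives (S-1-5-18/19/20)
foreach ($sid in 'S-1-5-18', 'S-1-5-19', 'S-1-5-20') {
    $key = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    $ro  = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if ($ro -and $ro.PSObject.Properties.Name -contains 'IsMyWinLockerReboot') {
        $findings += "RunOnce IsMyWinLockerReboot still set for $sid"
    }
}
# Leftover adware service and program folders
if (Get-Service -Name FilmFanaticService -ErrorAction SilentlyContinue) {
    $findings += 'Service FilmFanaticService still installed'
}
foreach ($f in $folders) {
    if (Test-Path -LiteralPath $f) { $findings += "Folder still present: $f" }
}
# Scheduled tasks whose action launches the removable-drive executable F:\CROCCLIP.EXE
foreach ($t in (Get-ScheduledTask | Where-Object { $_.Actions.Execute -like '*CROCCLIP.EXE' })) {
    $findings += "Task still present: $($t.TaskPath)$($t.TaskName)"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No leftovers from the fixlist found.' }
```

A surviving entry means the fix did not apply (or the item was recreated on reboot), which is the case to report back with the FRST fix log rather than re-run the fixlist blindly.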

Yes, well, I am scanning it with a second computer with an eSATA dock at the moment. It seems to be an SSD, but yes, when I'm done scanning I will run that text file.

PS: It will take some time though

Well, after a long time I eventually gave up, backed up the client's documents and proceeded to do a PC Reset (used the image provided in a special partition). All is good: no blue screens, no viruses, nothing, besides the crapware, which I removed.

But thanks for helping me anyway :slight_smile: