
BSOD Windows Vista 64 consrv.dll


  • This topic is locked
17 replies to this topic

#1 jephph1

jephph1

  • Members
  • 46 posts

Posted 14 September 2011 - 05:30 PM

I've got a computer that is in an infinite reboot loop. Can't get in with Safe Mode or Last Known Good Configuration. All flash a blue screen that says "This application has failed to start because consrv was not found." There are no system restore points. I've tried Startup Repair and sfc /scannow which had to be run in offline mode. I tried to get in with ubcd4win to see if I could find consrv anywhere, but it seems that ubcd4win doesn't play nice with Vista 64 (Home Premium btw).

Thank you.

Edit: Just noticed the title says "conserv.dll" It should say "consrv"
Mod Edit: Fixed ~ Hamluis.

Edited by hamluis, 15 September 2011 - 07:59 AM.



#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,772 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 14 September 2011 - 09:10 PM

It looks like ZeroAccess rootkit.
I'll report this topic to appropriate malware people.
Hold on there.



#3 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,957 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 14 September 2011 - 11:34 PM

Let's give it a try.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 jephph1

jephph1
  • Topic Starter

  • Members
  • 46 posts

Posted 15 September 2011 - 05:22 AM

There is no "Repair your computer" option in the advanced boot options.

Edited by Orange Blossom, 15 September 2011 - 10:42 AM.
Moved to log forum. ~ OB


#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,957 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 15 September 2011 - 01:04 PM

Do you have a Vista 64bit Recovery CD that can be used as a Repair Console?



#6 jephph1

jephph1
  • Topic Starter

  • Members
  • 46 posts

Posted 15 September 2011 - 03:25 PM

Done. Here it is:


Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.2.1
Ran by SYSTEM at 2011-09-15 16:17:01
Running from E:\
Windows Vista ™ Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1584184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] RAVCpl64.exe [x]
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1216808 2007-12-06] (Synaptics, Inc.)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [16330272 2009-07-01] (NVIDIA Corporation)
HKLM\...\Run: [IntelWirelessWiMAX] "C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe" /tasktray /nosplash [1617920 2011-02-27] (Intel® Corporation)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [167960 2011-03-06] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [391704 2011-03-06] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [418840 2011-03-06] (Intel Corporation)
HKLM-x32\...\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe [98304 2008-08-18] (ASUS)
HKLM-x32\...\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe [8105984 2008-09-02] (ASUS)
HKLM-x32\...\Run: [ADSMTray] C:\Program Files\ASUS\ASUS Data Security Manager\ADSMTray.exe [266240 2008-03-31] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ATKMEDIA] "C:\Program Files (x86)\ASUS\ATK Media\DMEDIA.EXE" [61440 2006-11-02] (ASUSTeK Computer INC.)
HKLM-x32\...\Run: [DirectConsole2] C:\Program Files (x86)\ASUS\Direct Console\Direct Console.exe [2705976 2008-08-20] (ASUSTek.)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\real\realplayer\update\realsched.exe" -osboot [273544 2011-05-24] (RealNetworks, Inc.)
HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [58656 2011-04-20] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-07-19] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [248552 2010-05-14] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [449584 2011-07-06] (Malwarebytes Corporation)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Papa Jer\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2008-09-19] (Google Inc.)
HKU\Papa Jer\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Lsa: [Notification Packages] scecli
C:\Program Files\ASUS\ASUS Data Security Manager\ASPWDFLT
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 ADSMService; C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe [225280 2008-03-31] (ASUSTek Computer Inc.)
2 Akamai; C:\Program Files (x86)\Common Files\Akamai\netsession_win_2da1ebd.dll [3542616 2011-07-19] ()
2 ASLDRService; C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe [100920 2008-08-13] ()
2 ATKGFNEXSrv; C:\Program Files\ATKGFNEX\GFNEXSrv.exe [94208 2007-08-07] ()
3 DFSR; C:\Windows\System32\DFSR.exe [3433472 2009-04-10] (Microsoft Corporation)
2 Dhcp; C:\Windows\System32\dhcpcsvc.dll [268288 2009-04-10] (Microsoft Corporation)
2 DMAgent; "C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe" [499200 2011-02-27] (Red Bend Ltd.)
2 ehstart; C:\Windows\ehome\ehstart.dll [15360 2006-11-02] (Microsoft Corporation)
2 EMDMgmt; C:\Windows\System32\emdmgmt.dll [399360 2009-04-10] (Microsoft Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [366640 2011-07-06] (Malwarebytes Corporation)
3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)
3 p2pimsvc; C:\Windows\System32\p2psvc.dll [836608 2009-04-10] (Microsoft Corporation)
3 PNRPAutoReg; C:\Windows\System32\p2psvc.dll [836608 2009-04-10] (Microsoft Corporation)
3 PNRPsvc; C:\Windows\System32\p2psvc.dll [836608 2009-04-10] (Microsoft Corporation)
2 rpcnetp; C:\Windows\System32\rpcnetp.exe [17408 2011-09-15] ()
2 slsvc; C:\Windows\System32\SLsvc.exe [2582016 2009-04-10] (Microsoft Corporation)
3 SLUINotify; C:\Windows\System32\SLUINotify.dll [73216 2009-04-10] (Microsoft Corporation)
2 spmgr; C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe [125496 2007-08-03] ()
2 Themes; C:\Windows\System32\shsvcs.dll [302080 2009-07-10] (Microsoft Corporation)
2 WiMAXAppSrv; "C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe" [885248 2011-02-27] (Intel® Corporation)
3 WPFFontCache_v0400; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [1020768 2010-03-18] (Microsoft Corporation)

========================== Drivers (Whitelisted) =============

4 adpu160m; C:\Windows\System32\drivers\adpu160m.sys [126520 2008-01-20] (Adaptec, Inc.)
0 AsDsm; C:\Windows\System32\Drivers\AsDsm.sys [34872 2007-08-10] (Windows ® Codename Longhorn DDK provider)
2 ASMMAP64; \??\C:\Program Files\ATKGFNEX\ASMMAP64.sys [14904 2007-07-24] ()
3 bpenum; C:\Windows\System32\DRIVERS\bpenum.sys [75264 2011-02-17] (Intel Corporation)
3 bpmp; C:\Windows\System32\DRIVERS\bpmp.sys [174080 2011-02-17] (Intel Corporation)
3 bpusb; C:\Windows\System32\Drivers\bpusb.sys [81920 2011-02-17] (Intel Corporation)
0 Ecache; C:\Windows\System32\drivers\ecache.sys [155112 2009-04-10] (Microsoft Corporation)
2 ghaio; \??\C:\Program Files\ASUS\NB Probe\SPM\ghaio.sys [17464 2007-08-02] ()
4 HpCISSs; C:\Windows\System32\drivers\hpcisss.sys [47672 2008-01-20] (Hewlett-Packard Company)
4 i2omp; C:\Windows\System32\drivers\i2omp.sys [35896 2008-01-20] (Microsoft Corporation)
4 iteatapi; C:\Windows\System32\drivers\iteatapi.sys [37480 2006-11-02] (Integrated Technology Express, Inc.)
3 itecir; C:\Windows\System32\DRIVERS\itecir.sys [59392 2007-12-18] (ITE Tech. Inc. )
4 iteraid; C:\Windows\System32\drivers\iteraid.sys [37480 2006-11-02] (Integrated Technology Express, Inc.)
3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [17464 2008-06-02] ( )
3 L1C; C:\Windows\System32\DRIVERS\L1C60x64.sys [76912 2011-03-23] (Atheros Communications, Inc.)
0 lullaby; C:\Windows\System32\DRIVERS\lullaby.sys [16440 2008-05-29] (Windows ® Codename Longhorn DDK provider)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25912 2011-07-06] (Malwarebytes Corporation)
4 Mraid35x; C:\Windows\System32\drivers\mraid35x.sys [39016 2006-11-02] (LSI Logic Corporation)
3 MTsensor; C:\Windows\System32\DRIVERS\ATK64AMD.sys [13680 2006-10-27] ()
3 NETwNv64; C:\Windows\System32\DRIVERS\NETwNv64.sys [7886848 2011-01-18] (Intel Corporation)
2 rimmptsk; C:\Windows\System32\DRIVERS\rimmpx64.sys [65024 2008-06-24] (REDC)
2 rimsptsk; C:\Windows\System32\DRIVERS\rimspx64.sys [55296 2007-07-26] (REDC)
3 RTL8169; C:\Windows\System32\DRIVERS\Rtlh64.sys [221696 2009-09-02] (Realtek )
4 SiSRaid2; C:\Windows\System32\drivers\sisraid2.sys [45624 2008-01-20] (Microsoft Corporation)
3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1878440 2008-04-01] ()
0 sptd; C:\Windows\System32\Drivers\sptd.sys [871408 2009-07-22] (Duplex Secure Ltd.)
4 Symc8xx; C:\Windows\System32\drivers\symc8xx.sys [49256 2006-11-02] (LSI Logic)
4 Sym_hi; C:\Windows\System32\drivers\sym_hi.sys [44648 2006-11-02] (LSI Logic)
4 Sym_u3; C:\Windows\System32\drivers\sym_u3.sys [48232 2006-11-02] (LSI Logic)
3 SynTP; C:\Windows\System32\DRIVERS\SynTP.sys [320048 2007-12-06] (Synaptics, Inc.)
3 tunmp; C:\Windows\System32\DRIVERS\tunmp.sys [18432 2008-01-20] (Microsoft Corporation)
4 uliahci; C:\Windows\System32\drivers\uliahci.sys [284728 2008-01-20] (ULi Electronics Inc.)
4 UlSata; C:\Windows\System32\drivers\ulsata.sys [148072 2006-11-02] (Promise Technology, Inc.)
4 ulsata2; C:\Windows\System32\drivers\ulsata2.sys [174696 2008-01-20] (Promise Technology, Inc.)
3 WpdUsb; C:\Windows\System32\DRIVERS\wpdusb.sys [46592 2009-09-30] (Microsoft Corporation)
3 yukonx64; C:\Windows\System32\DRIVERS\yk60x64.sys [273408 2006-10-03] (Marvell)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 msiserver; C:\Windows\System32\msiexec /V [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
4 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [x]
1 udklbzln; \??\C:\Windows\system32\drivers\udklbzln.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2011-09-15 16:16 - 2011-09-15 16:16 - 0000000 ____D C:\FRST
2011-09-13 17:47 - 2011-09-15 03:18 - 4294168576 __ASH C:\hiberfil.sys
2011-09-13 14:50 - 2011-09-13 15:09 - 2414555 ____A C:\PE-Files.txt
2011-09-13 14:00 - 2011-09-13 14:23 - 2414555 ____A C:\Win-Files.txt
2011-09-09 11:46 - 2011-09-13 17:45 - 0994514 ____A C:\Windows\ntbtlog.txt
2011-09-09 11:36 - 2011-09-15 03:18 - 0017408 ____A C:\Windows\SysWOW64\rpcnetp.exe
2011-09-09 11:33 - 2011-09-09 11:34 - 0000000 ____D C:\Windows\System32\MpEngineStore
2011-09-09 06:33 - 2011-09-09 06:33 - 545578496 ____A C:\Windows\MEMORY.DMP
2011-09-09 06:33 - 2011-09-09 06:33 - 0287632 ____A C:\Windows\Minidump\Mini090911-01.dmp
2011-09-09 06:33 - 2011-09-09 06:33 - 0000000 ____D C:\Windows\Minidump
2011-09-09 06:05 - 2011-09-09 06:05 - 0262144 ___AH C:\Windows\System32\config\SYSTEM.sav.LOG1
2011-09-09 06:05 - 2011-09-09 06:05 - 0000000 ___AH C:\Windows\System32\config\SYSTEM.sav.LOG2
2011-09-09 06:04 - 2011-09-09 06:04 - 0000000 ___AH C:\Windows\System32\config\SECURITY.sav.LOG2
2011-09-09 06:04 - 2011-09-09 06:04 - 0000000 ___AH C:\Windows\System32\config\SECURITY.sav.LOG1
2011-09-09 06:04 - 2011-09-09 06:04 - 0000000 ___AH C:\Windows\System32\config\SAM.sav.LOG2
2011-09-09 06:04 - 2011-09-09 06:04 - 0000000 ___AH C:\Windows\System32\config\SAM.sav.LOG1
2011-09-09 06:02 - 2011-09-09 06:05 - 0001492 ____A C:\Windows\System32\ASOROSet.bin
2011-09-09 05:54 - 2011-09-09 06:12 - 0000000 ____D C:\Users\Papa Jer\AppData\Roaming\Systweak
2011-09-09 05:54 - 2011-07-28 09:06 - 0018816 ____A (Systweak Inc., (www.systweak.com)) C:\Windows\System32\roboot64.exe
2011-09-08 10:13 - 2011-09-08 10:13 - 0000296 ____A C:\Windows\System32\spsys.log
2011-09-08 08:28 - 2011-09-08 08:28 - 0001614 ____A C:\Users\Papa Jer\Documents\License.avastlic
2011-09-08 06:39 - 2011-09-08 06:39 - 0000000 ____A C:\Windows\SysWOW64\config.nt
2011-09-08 06:38 - 2011-07-04 03:43 - 0253888 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2011-09-08 06:36 - 2011-09-08 06:38 - 0579962 ____A C:\Users\Papa Jer\AppData\Local\dd_vcredistMSI65D0.txt
2011-09-08 06:36 - 2011-09-08 06:38 - 0012444 ____A C:\Users\Papa Jer\AppData\Local\dd_vcredistUI65D0.txt
2011-09-08 06:35 - 2011-09-09 05:45 - 0000000 ____D C:\Users\All Users\AVAST Software
2011-09-08 06:35 - 2011-09-09 05:45 - 0000000 ____D C:\ProgramData\AVAST Software
2011-09-08 06:35 - 2011-09-08 06:35 - 0000000 ____D C:\Program Files\AVA
2011-09-07 18:03 - 2011-09-07 18:03 - 0000000 ____D C:\Users\Papa Jer\AppData\Roaming\Malwarebytes
2011-09-07 18:02 - 2011-09-07 18:03 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-09-07 18:02 - 2011-09-07 18:02 - 0000955 ____A C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
2011-09-07 18:02 - 2011-09-07 18:02 - 0000000 ____D C:\Users\All Users\Malwarebytes
2011-09-07 18:02 - 2011-09-07 18:02 - 0000000 ____D C:\ProgramData\Malwarebytes
2011-09-07 18:02 - 2011-07-06 15:52 - 0041272 ____A (Malwarebytes Corporation) C:\Windows\SysWOW64\Drivers\mbamswissarmy.sys
2011-09-07 18:02 - 2011-07-06 15:52 - 0025912 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2011-09-07 17:33 - 2011-09-07 17:33 - 0000000 ____A C:\Users\Papa Jer\AppData\Local\{A9109876-9FA5-4236-98FD-25EC4C2B804F}
2011-09-07 17:27 - 2011-09-07 17:27 - 0000000 ____A C:\Users\Papa Jer\AppData\Local\{2AA5ADA3-B459-4436-98BA-606F2CD20665}
2011-09-07 17:26 - 2011-09-07 17:26 - 0000000 ____A C:\Users\Papa Jer\AppData\Local\{88F82525-EAF7-4D5C-84EB-7C7AE16F1DAE}
2011-09-06 06:51 - 2011-09-06 06:51 - 0000000 ____D C:\Windows\system64
2011-08-27 07:24 - 2011-08-27 07:24 - 0001130 ____A C:\Users\Papa Jer\Desktop\RealPlayer.lnk
2011-08-22 07:43 - 2011-08-31 10:54 - 0052224 ____A C:\Users\Papa Jer\Documents\False Goals 4 and 5.doc
2011-08-18 05:47 - 2011-08-18 05:47 - 0035328 ____A C:\Users\Papa Jer\Documents\Peter and Heather.doc
2011-08-16 11:27 - 2011-08-16 11:27 - 0404640 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

============ 3 Months Modified Files and Folders =============

2011-09-15 16:16 - 2011-09-15 16:16 - 0000000 ____D C:\FRST
2011-09-15 03:18 - 2011-09-13 17:47 - 4294168576 __ASH C:\hiberfil.sys
2011-09-15 03:18 - 2011-09-09 11:36 - 0017408 ____A C:\Windows\SysWOW64\rpcnetp.exe
2011-09-15 03:18 - 2009-03-17 00:43 - 0017408 ____A C:\Windows\System32\rpcnetp.exe
2011-09-15 03:18 - 2006-11-02 07:21 - 0380832 ____A C:\Windows\System32\FNTCACHE.DAT
2011-09-13 17:45 - 2011-09-09 11:46 - 0994514 ____A C:\Windows\ntbtlog.txt
2011-09-13 15:09 - 2011-09-13 14:50 - 2414555 ____A C:\PE-Files.txt
2011-09-13 14:23 - 2011-09-13 14:00 - 2414555 ____A C:\Win-Files.txt
2011-09-11 15:30 - 2006-11-02 05:32 - 0000000 __SHD C:\$Recycle.Bin
2011-09-09 11:34 - 2011-09-09 11:33 - 0000000 ____D C:\Windows\System32\MpEngineStore
2011-09-09 11:34 - 2009-03-17 00:47 - 1629202 ____A C:\Windows\WindowsUpdate.log
2011-09-09 11:34 - 2006-11-02 07:42 - 0032530 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2011-09-09 11:34 - 2006-11-02 07:42 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2011-09-09 11:34 - 2006-11-02 07:22 - 0004016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2011-09-09 11:34 - 2006-11-02 07:22 - 0004016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2011-09-09 11:08 - 2010-01-07 06:13 - 0000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2011-09-09 09:29 - 2009-04-29 00:00 - 0000000 ____D C:\users\Papa Jer
2011-09-09 09:22 - 2010-02-21 19:17 - 0000000 ____D C:\Program Files (x86)\Adobe
2011-09-09 09:22 - 2008-09-19 03:14 - 0000000 ____D C:\Users\All Users\Adobe
2011-09-09 09:22 - 2008-09-19 03:14 - 0000000 ____D C:\ProgramData\Adobe
2011-09-09 07:24 - 2010-12-26 18:42 - 0000000 ___RD C:\Users\Papa Jer\Dropbox
2011-09-09 07:24 - 2010-12-26 18:39 - 0000000 ____D C:\Users\Papa Jer\AppData\Roaming\Dropbox
2011-09-09 07:24 - 2006-11-02 04:46 - 0705952 ____A C:\Windows\System32\PerfStringBackup.INI
2011-09-09 07:23 - 2010-01-07 06:13 - 0000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2011-09-09 07:23 - 2009-04-29 14:57 - 0271414 ____A C:\Users\All Users\nvModes.001
2011-09-09 07:23 - 2009-04-29 14:57 - 0271414 ____A C:\ProgramData\nvModes.001
2011-09-09 07:23 - 2009-04-29 14:32 - 0271414 ____A C:\Users\All Users\nvModes.dat
2011-09-09 07:23 - 2009-04-29 14:32 - 0271414 ____A C:\ProgramData\nvModes.dat
2011-09-09 06:36 - 2010-08-08 18:27 - 0044544 ____A (Absolute Software Corp.) C:\Windows\SysWOW64\agremove.exe
2011-09-09 06:33 - 2011-09-09 06:33 - 545578496 ____A C:\Windows\MEMORY.DMP
2011-09-09 06:33 - 2011-09-09 06:33 - 0287632 ____A C:\Windows\Minidump\Mini090911-01.dmp
2011-09-09 06:33 - 2011-09-09 06:33 - 0000000 ____D C:\Windows\Minidump
2011-09-09 06:12 - 2011-09-09 05:54 - 0000000 ____D C:\Users\Papa Jer\AppData\Roaming\Systweak
2011-09-09 06:10 - 2006-11-02 05:33 - 0000000 ____D C:\Windows\System32\config\TxR
2011-09-09 06:07 - 2009-04-29 00:00 - 0045056 ____A C:\Windows\System32\acovcnt.exe
2011-09-09 06:05 - 2011-09-09 06:05 - 0262144 ___AH C:\Windows\System32\config\SYSTEM.sav.LOG1
2011-09-09 06:05 - 2011-09-09 06:05 - 0000000 ___AH C:\Windows\System32\config\SYSTEM.sav.LOG2
2011-09-09 06:05 - 2011-09-09 06:02 - 0001492 ____A C:\Windows\System32\ASOROSet.bin
2011-09-09 06:05 - 2006-11-02 04:33 - 28049408 ____A C:\Windows\System32\config\SYSTEM.bak
2011-09-09 06:05 - 2006-11-02 04:33 - 0262144 ____A C:\Windows\System32\config\SECURITY.bak
2011-09-09 06:04 - 2011-09-09 06:04 - 0000000 ___AH C:\Windows\System32\config\SECURITY.sav.LOG2
2011-09-09 06:04 - 2011-09-09 06:04 - 0000000 ___AH C:\Windows\System32\config\SECURITY.sav.LOG1
2011-09-09 06:04 - 2011-09-09 06:04 - 0000000 ___AH C:\Windows\System32\config\SAM.sav.LOG2
2011-09-09 06:04 - 2011-09-09 06:04 - 0000000 ___AH C:\Windows\System32\config\SAM.sav.LOG1
2011-09-09 06:04 - 2006-11-02 04:33 - 0053248 ____A C:\Windows\System32\config\SAM.bak
2011-09-09 06:02 - 2011-07-28 03:56 - 0000000 ____D C:\Windows\System32\config\RCCBakup
2011-09-09 05:45 - 2011-09-08 06:35 - 0000000 ____D C:\Users\All Users\AVAST Software
2011-09-09 05:45 - 2011-09-08 06:35 - 0000000 ____D C:\ProgramData\AVAST Software
2011-09-09 04:21 - 2009-04-29 16:39 - 0000424 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{8BB21992-3BBF-40F1-871F-44FD5EA91E2E}.job
2011-09-08 11:13 - 2009-04-30 07:54 - 0000000 ___RD C:\Users\Papa Jer\Desktop\Messages
2011-09-08 10:13 - 2011-09-08 10:13 - 0000296 ____A C:\Windows\System32\spsys.log
2011-09-08 08:28 - 2011-09-08 08:28 - 0001614 ____A C:\Users\Papa Jer\Documents\License.avastlic
2011-09-08 06:39 - 2011-09-08 06:39 - 0000000 ____A C:\Windows\SysWOW64\config.nt
2011-09-08 06:38 - 2011-09-08 06:36 - 0579962 ____A C:\Users\Papa Jer\AppData\Local\dd_vcredistMSI65D0.txt
2011-09-08 06:38 - 2011-09-08 06:36 - 0012444 ____A C:\Users\Papa Jer\AppData\Local\dd_vcredistUI65D0.txt
2011-09-08 06:35 - 2011-09-08 06:35 - 0000000 ____D C:\Program Files\AVA
2011-09-07 18:03 - 2011-09-07 18:03 - 0000000 ____D C:\Users\Papa Jer\AppData\Roaming\Malwarebytes
2011-09-07 18:03 - 2011-09-07 18:02 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-09-07 18:02 - 2011-09-07 18:02 - 0000955 ____A C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
2011-09-07 18:02 - 2011-09-07 18:02 - 0000000 ____D C:\Users\All Users\Malwarebytes
2011-09-07 18:02 - 2011-09-07 18:02 - 0000000 ____D C:\ProgramData\Malwarebytes
2011-09-07 17:33 - 2011-09-07 17:33 - 0000000 ____A C:\Users\Papa Jer\AppData\Local\{A9109876-9FA5-4236-98FD-25EC4C2B804F}
2011-09-07 17:27 - 2011-09-07 17:27 - 0000000 ____A C:\Users\Papa Jer\AppData\Local\{2AA5ADA3-B459-4436-98BA-606F2CD20665}
2011-09-07 17:26 - 2011-09-07 17:26 - 0000000 ____A C:\Users\Papa Jer\AppData\Local\{88F82525-EAF7-4D5C-84EB-7C7AE16F1DAE}
2011-09-07 13:34 - 2009-05-01 04:56 - 0000000 ___RD C:\Users\Papa Jer\Desktop\Missions
2011-09-06 06:51 - 2011-09-06 06:51 - 0000000 ____D C:\Windows\system64
2011-09-04 16:03 - 2011-03-29 11:12 - 0000000 ____D C:\Users\Papa Jer\Desktop\Apologetics
2011-09-02 06:49 - 2010-03-02 06:21 - 0000000 ____D C:\Users\Papa Jer\Desktop\Sunday School Sheets
2011-08-31 10:54 - 2011-08-22 07:43 - 0052224 ____A C:\Users\Papa Jer\Documents\False Goals 4 and 5.doc
2011-08-29 12:04 - 2006-11-02 07:07 - 0000000 ___RD C:\Users\Public\Recorded TV
2011-08-27 07:24 - 2011-08-27 07:24 - 0001130 ____A C:\Users\Papa Jer\Desktop\RealPlayer.lnk
2011-08-24 13:11 - 2009-04-30 07:44 - 0027648 ____A C:\Users\Papa Jer\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-08-19 05:16 - 2009-04-29 00:02 - 0000000 ____D C:\Users\Papa Jer\AppData\Local\Google
2011-08-18 05:47 - 2011-08-18 05:47 - 0035328 ____A C:\Users\Papa Jer\Documents\Peter and Heather.doc
2011-08-16 11:38 - 2008-09-19 03:18 - 0000000 ____D C:\Program Files (x86)\Microsoft Office
2011-08-16 11:27 - 2011-08-16 11:27 - 0404640 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2011-08-13 22:46 - 2011-08-13 22:46 - 0000680 ____A C:\Users\Papa Jer\AppData\Local\d3d9caps.dat
2011-08-11 12:56 - 2011-08-11 12:56 - 0000000 ____D C:\Windows\Sun
2011-08-11 12:33 - 2011-08-11 12:33 - 0836554 ____A C:\Users\Papa Jer\Documents\Pete.jpg
2011-08-11 10:18 - 2011-08-11 10:18 - 11818383 ____A C:\Users\Papa Jer\Documents\Untitled 1.odg
2011-08-11 09:13 - 2011-05-24 05:16 - 0000000 ____D C:\Users\Papa Jer\AppData\Roaming\Sammsoft
2011-08-11 08:52 - 2009-04-29 00:00 - 0108576 ____A C:\Users\Papa Jer\AppData\Local\GDIPFONTCACHEV1.DAT
2011-08-11 08:28 - 2011-08-11 08:28 - 0001077 ____A C:\Users\Papa Jer\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
2011-08-11 08:28 - 2011-08-11 08:28 - 0001077 ____A C:\Users\Papa Jer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
2011-08-11 08:27 - 2011-08-11 08:27 - 0000000 ____D C:\Users\Papa Jer\AppData\Roaming\OpenOffice.org
2011-08-11 08:26 - 2011-08-11 08:26 - 0001027 ____A C:\Users\Public\Desktop\OpenOffice.org 3.3.lnk
2011-08-11 08:25 - 2011-08-11 08:25 - 0000000 ____D C:\Program Files (x86)\OpenOffice.org 3
2011-08-11 08:24 - 2011-08-11 08:24 - 0472808 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2011-08-11 08:24 - 2011-08-11 08:24 - 0153376 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2011-08-11 08:24 - 2011-08-11 08:24 - 0145184 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2011-08-11 08:24 - 2011-08-11 08:24 - 0145184 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2011-08-11 08:24 - 2011-08-11 08:24 - 0000000 ____D C:\Users\All Users\Sun
2011-08-11 08:24 - 2011-08-11 08:24 - 0000000 ____D C:\ProgramData\Sun
2011-08-11 08:24 - 2011-08-11 08:24 - 0000000 ____D C:\Program Files (x86)\Java
2011-08-11 08:23 - 2011-08-11 08:18 - 0583184 ____A C:\Users\Papa Jer\AppData\Local\dd_vcredistMSI282F.txt
2011-08-11 08:23 - 2011-08-11 08:18 - 0014882 ____A C:\Users\Papa Jer\AppData\Local\dd_vcredistUI282F.txt
2011-08-11 08:23 - 2009-04-29 00:02 - 0000000 ____D C:\Users\Papa Jer\AppData\LocalLow
2011-08-11 08:18 - 2011-08-11 08:16 - 0574488 ____A C:\Users\Papa Jer\AppData\Local\dd_vcredistMSI2694.txt
2011-08-11 08:18 - 2011-08-11 08:16 - 0014786 ____A C:\Users\Papa Jer\AppData\Local\dd_vcredistUI2694.txt
2011-08-11 08:17 - 2006-11-02 05:33 - 0000000 ____D C:\Program Files\Common Files\Microsoft Shared
2011-08-10 23:09 - 2006-11-02 04:35 - 54065608 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2011-08-10 09:46 - 2009-05-01 04:58 - 0000000 ___RD C:\Users\Papa Jer\Desktop\Church
2011-08-09 03:54 - 2011-02-24 17:31 - 0001866 ____A C:\Users\Public\Desktop\Safari.lnk
2011-08-09 03:54 - 2011-02-24 17:31 - 0000000 ____D C:\Program Files (x86)\Safari
2011-08-09 03:50 - 2011-08-09 03:50 - 0001701 ____A C:\Users\Public\Desktop\iTunes.lnk
2011-08-09 03:50 - 2011-08-09 03:50 - 0000000 ____D C:\Program Files\iTunes
2011-08-09 03:50 - 2011-08-09 03:50 - 0000000 ____D C:\Program Files\iPod
2011-08-09 03:50 - 2011-08-09 03:50 - 0000000 ____D C:\Program Files (x86)\iTunes
2011-08-09 03:48 - 2011-08-09 03:48 - 0000000 ____D C:\Program Files\Bonjour
2011-08-09 03:48 - 2011-08-09 03:48 - 0000000 ____D C:\Program Files (x86)\Bonjour
2011-08-09 03:43 - 2011-08-09 03:42 - 0000000 ____D C:\Program Files (x86)\QuickTime
2011-08-09 03:42 - 2011-08-09 03:42 - 0001763 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2011-08-08 12:51 - 2011-03-17 05:16 - 0000000 ____D C:\Users\Papa Jer\Desktop\Marriage
2011-08-06 13:02 - 2011-05-18 08:28 - 0000000 ____D C:\Users\Papa Jer\Desktop\History Pics
2011-08-06 12:25 - 2011-01-19 09:08 - 0000000 ____D C:\Program Files (x86)\AVS4YOU
2011-08-06 06:28 - 2011-01-19 09:09 - 0000000 ____D C:\Users\Papa Jer\AppData\Roaming\AVS4YOU
2011-08-04 06:15 - 2011-08-04 06:15 - 0035328 ____A C:\Users\Papa Jer\Documents\Website wording.doc
2011-08-01 11:49 - 2011-08-01 11:49 - 0167281 ____A C:\Users\Papa Jer\Documents\pledges.pptx
2011-08-01 05:56 - 2011-08-01 05:56 - 0011438 ____A C:\Users\Papa Jer\Documents\Welcome to the website of Vorea Community Church.docx
2011-07-28 09:06 - 2011-09-09 05:54 - 0018816 ____A (Systweak Inc., (www.systweak.com)) C:\Windows\System32\roboot64.exe
2011-07-28 04:10 - 2011-07-28 03:36 - 0000000 ____D C:\Program Files (x86)\FYZip
2011-07-28 03:38 - 2011-07-28 03:38 - 8235010 ____A C:\Users\Papa Jer\Documents\Wedding.zipx
2011-07-28 03:36 - 2006-11-02 05:33 - 0000000 ____D C:\Windows\Resources
2011-07-26 14:34 - 2011-07-26 14:34 - 0000000 ____A C:\Users\Papa Jer\Documents\image_7.jpeg
2011-07-26 14:34 - 2011-07-26 14:34 - 0000000 ____A C:\Users\Papa Jer\Documents\image_6.jpeg
2011-07-21 04:40 - 2011-07-20 12:40 - 0035328 ____A C:\Users\Papa Jer\Documents\Casey and Tia wedding.doc
2011-07-21 03:57 - 2011-01-08 07:35 - 0000000 ____D C:\Users\Papa Jer\Desktop\Messages2
2011-07-12 07:34 - 2011-07-12 07:34 - 0212840 ____A (Apple Inc.) C:\Windows\System32\dnssdX.dll
2011-07-12 07:34 - 2011-07-12 07:34 - 0096104 ____A (Apple Inc.) C:\Windows\System32\dns-sd.exe
2011-07-12 07:34 - 2011-07-12 07:34 - 0085864 ____A (Apple Inc.) C:\Windows\System32\dnssd.dll
2011-07-12 07:34 - 2011-07-12 07:34 - 0061288 ____A (Apple Inc.) C:\Windows\System32\jdns_sd.dll
2011-07-12 07:20 - 2011-07-12 07:20 - 0178536 ____A (Apple Inc.) C:\Windows\SysWOW64\dnssdX.dll
2011-07-12 07:20 - 2011-07-12 07:20 - 0083816 ____A (Apple Inc.) C:\Windows\SysWOW64\dns-sd.exe
2011-07-12 07:20 - 2011-07-12 07:20 - 0073064 ____A (Apple Inc.) C:\Windows\SysWOW64\dnssd.dll
2011-07-12 07:20 - 2011-07-12 07:20 - 0050536 ____A (Apple Inc.) C:\Windows\SysWOW64\jdns_sd.dll
2011-07-12 05:25 - 2009-05-26 12:46 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2011-07-12 05:23 - 2011-07-12 05:23 - 0000000 ____D C:\Program Files (x86)\Apple Software Update
2011-07-12 05:09 - 2011-02-24 17:29 - 0000629 ____A C:\Windows\System32\mapisvc.inf
2011-07-11 08:21 - 2011-07-11 05:04 - 0037888 ____A C:\Users\Papa Jer\Documents\WHAT DOES THE BIBLE SAY.doc
2011-07-08 04:29 - 2011-07-07 04:33 - 0031744 ____A C:\Users\Papa Jer\Documents\Jeremy and Ruzena wedding.doc
2011-07-06 15:52 - 2011-09-07 18:02 - 0041272 ____A (Malwarebytes Corporation) C:\Windows\SysWOW64\Drivers\mbamswissarmy.sys
2011-07-06 15:52 - 2011-09-07 18:02 - 0025912 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2011-07-05 14:37 - 2011-07-05 14:37 - 0094208 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTimeVR.qtx
2011-07-05 14:37 - 2011-07-05 14:37 - 0069632 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTime.qts
2011-07-04 03:43 - 2011-09-08 06:38 - 0253888 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2011-06-30 04:54 - 2011-06-30 04:54 - 0219645 ____A C:\Users\Papa Jer\Documents\fourth of july 2011.pptx
2011-06-29 11:47 - 2011-06-29 11:47 - 0117248 ____A C:\Users\Papa Jer\Documents\Invoice vbs 2011.doc
2011-06-28 12:54 - 2009-10-04 16:08 - 0000000 ____D C:\Program Files (x86)\Call of Duty

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe
[2009-09-11 05:04] - [2009-04-10 23:11] - 0405504 ____A (Microsoft Corporation) 6D0773A3A65D28B663F334C90441D01A

C:\Windows\System32\wininit.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0123904 ____A (Microsoft Corporation) 117EA87DF785CA1B9D821F6F213DCE07

C:\Windows\explorer.exe
[2009-09-11 05:04] - [2009-04-10 23:10] - 3079168 ____A (Microsoft Corporation) 6B08E54A451B3F95E4109DBA7E594270

C:\Windows\System32\Drivers\volsnap.sys
[2009-09-11 05:04] - [2009-04-10 23:15] - 0269288 ____A (Microsoft Corporation) 5280AADA24AB36B01A84A6424C475C8D


========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 4094.29 MB
Available physical RAM: 3494.56 MB
Total Pagefile: 3824.22 MB
Available Pagefile: 3459.42 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (Vista64) (Fixed) (Total:286.37 GB) (Free:208.3 GB) NTFS
2 Drive d: (FRMCXFRE_EN_DVD) (CDROM) (Total:3.66 GB) (Free:0 GB) UDF
3 Drive e: () (Removable) (Total:3.73 GB) (Free:3.68 GB) NTFS
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==========================================================

Last Boot: 2011-09-09 06:48

======================= End Of Log ==========================

#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:25 PM

Posted 15 September 2011 - 09:01 PM

Let's attempt to obtain a copy of the Boot Record.

Download MBRFix. Save and extract its contents to the desktop. Once extracted, there will be three files in the folder. Copy just the MBRFix64 application to the USB drive.

Also download the enclosed file to the USB drive.

Boot to the Windows CD and insert the USB drive.

Run FRST64 as you did before and this time around press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post its contents in your reply. It will also produce another file, MBRDUMP.txt, that, although it may look like a text file, is a hex file. You must attach this report to your reply instead of posting its contents.

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#8 jephph1

jephph1
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 15 September 2011 - 09:49 PM

Fix result of Farbars's Recovery Tool (FRST written by farbar version 2.2.1)
Ran by SYSTEM at 2011-09-15 22:47:35 R:1
Running from E:\

==============================================


========= Req query HKLM\SYSTEM\ControlSet001\Control\Session Manager\SubSystems =========

'Req' is not recognized as an internal or external command,
operable program or batch file.

========= End of Reg: =========


========= BCDEDIT /ENUM =========


Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {default}
resumeobject {4fc26b2a-858a-11dd-9e38-a4ed9944c69f}
displayorder {default}
toolsdisplayorder {memdiag}
timeout 30
resume No

Windows Boot Loader
-------------------
identifier {default}
device partition=C:
path \Windows\system32\winload.exe
description Microsoft Windows Vista
locale en-US
inherit {bootloadersettings}
osdevice partition=C:
systemroot \Windows
resumeobject {4fc26b2a-858a-11dd-9e38-a4ed9944c69f}
nx AlwaysOff

========= End of CMD: =========


========= E:\MbrFix64 /drive 0 savembr E:\MBRDUMP.txt =========


========= End of CMD: =========


==== End of Fixlog ====

Attached Files



#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:25 PM

Posted 16 September 2011 - 12:14 AM

Missed a typo. Please download the enclosed file to the USB drive, overwriting the existing one.

Boot to the Windows CD and insert the USB drive.

Run FRST64 as you did before and this time around press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post its contents in your next reply.


#10 jephph1

jephph1
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 16 September 2011 - 05:24 AM

Fix result of Farbars's Recovery Tool (FRST written by farbar version 2.2.1)
Ran by SYSTEM at 2011-09-16 06:23:21 R:3
Running from E:\

==============================================


========= Reg query HKLM\SYSTEM\ControlSet001\Control\Session Manager\SubSystems =========

ERROR: Invalid syntax.
Type "REG QUERY /?" for usage.

========= End of Reg: =========


==== End of Fixlog ====

#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:25 PM

Posted 16 September 2011 - 11:21 AM

I guess I am missing something there. Let's attempt to fix the ZeroAccess rootkit. Please download the enclosed file to the USB drive, overwriting the existing one.

Boot to the Windows CD and insert the USB drive.

Run FRST64 as you did before and this time around press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post its contents in your next reply.

Test if able to boot in Normal Mode. Let me know if successful.


#12 jephph1

jephph1
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 16 September 2011 - 02:27 PM

Fix result of Farbars's Recovery Tool (FRST written by farbar version 2.2.1)
Ran by SYSTEM at 2011-09-16 15:22:14 R:4
Running from E:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.

==== End of Fixlog ====

Success!

I have booted into normal mode.

You guys are good. Thank you very much. Is there anything else I need to do now?
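The value the fix above restored, HKLM\SYSTEM\ControlSet001\Control\Session Manager\SubSystems\Windows, is the command line csrss.exe is started with; its ServerDll= tokens name the modules the Win32 subsystem loads at boot, which is why a bad entry (here one pointing at a consrv module that no longer exists) produces the "consrv was not found" loop described in the thread. The following is an added example, not code from the thread or from FRST/ComboFix: a small Python checker that parses such a value, lists every ServerDll entry, and flags modules outside a known set. The clean and tampered sample strings are constructed for illustration following the documented token layout of that value, and the set of legitimate modules (basesrv, winsrv, sxssrv) is an assumption for a Vista-era system; verify it against a known-good machine before relying on it.

```python
"""Flag unexpected ServerDll entries in the csrss command line stored under
HKLM\\SYSTEM\\...\\Control\\Session Manager\\SubSystems\\Windows.

Added example for the BleepingComputer thread; not FRST or ComboFix code.
"""
import re
import sys
from typing import List, Tuple

# Modules csrss legitimately loads on Windows Vista/7 (assumed baseline;
# confirm against a known-good system of the same build).
KNOWN_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# A token looks like  ServerDll=<module>[:<entrypoint>],<index>
SERVERDLL_RE = re.compile(r"ServerDll=([^,\s]+)")


def server_dlls(value: str) -> List[Tuple[str, str]]:
    """Return (module, entrypoint) pairs for every ServerDll= token, in order."""
    pairs = []
    for token in SERVERDLL_RE.findall(value):
        module, _, entry = token.partition(":")
        pairs.append((module.lower(), entry))
    return pairs


def unexpected_server_dlls(value: str) -> List[str]:
    """Modules referenced by the value that are not in the known baseline."""
    return sorted({m for m, _ in server_dlls(value) if m not in KNOWN_SERVER_DLLS})


def read_live_value() -> str:
    """Read the value from the running system (Windows only; winreg is
    imported lazily so the module still loads elsewhere). An offline hive,
    as in the thread, would use ControlSet001 instead of CurrentControlSet."""
    import winreg  # available only on Windows
    path = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, _ = winreg.QueryValueEx(key, "Windows")
    return value


# Constructed sample of a clean value (layout per the documented format;
# SharedSection numbers and thread counts vary between systems).
CLEAN = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)

# Constructed sample showing the symptom from the thread: the console server
# entry redirected to a module named consrv instead of winsrv.
TAMPERED = CLEAN.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)


def report(label: str, value: str) -> None:
    print(f"[{label}]")
    for module, entry in server_dlls(value):
        print(f"  ServerDll {module:<8} entry={entry or '(default)'}")
    bad = unexpected_server_dlls(value)
    print("  unexpected modules:", bad if bad else "none")


if __name__ == "__main__":
    report("constructed clean sample", CLEAN)
    report("constructed tampered sample", TAMPERED)
    if sys.platform == "win32":
        report("this machine", read_live_value())
```

On a live Windows host the script also prints the real value; on a hive mounted offline (the situation in this thread) the same parser can be pointed at the exported ControlSet001 value instead.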

#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:25 PM

Posted 16 September 2011 - 10:09 PM

I believe you should check for malware and make sure this rootkit is gone. If you are able to connect to the Internet, let's run ComboFix as follows:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using ComboFix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat: http://www.appremover.com/supported-applications. Do not use AppRemover on Norton.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.



#14 jephph1

jephph1
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 17 September 2011 - 08:19 AM

ComboFix 11-09-16.01 - Papa Jer 09/17/2011 8:34.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4094.2204 [GMT -4:00]
Running from: c:\users\Papa Jer\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-08-17 to 2011-09-17 )))))))))))))))))))))))))))))))
.
.
2011-09-17 12:58 . 2011-09-17 12:58 17408 ----a-w- c:\windows\SysWow64\rpcnetp.dll
2011-09-17 12:57 . 2011-09-17 12:57 17408 ----a-w- c:\windows\SysWow64\rpcnetp.exe
2011-09-17 12:56 . 2011-09-17 13:00 -------- d-----w- c:\users\Papa Jer\AppData\Local\temp
2011-09-16 00:16 . 2011-09-16 14:22 -------- d-----w- C:\FRST
2011-09-09 19:33 . 2011-09-09 19:34 -------- d-----w- c:\windows\system32\MpEngineStore
2011-09-09 14:02 . 2011-09-09 14:05 1492 ----a-w- c:\windows\system32\ASOROSet.bin
2011-09-09 13:54 . 2011-09-09 14:12 -------- d-----w- c:\users\Papa Jer\AppData\Roaming\Systweak
2011-09-09 13:54 . 2011-07-28 17:06 18816 ----a-w- c:\windows\system32\roboot64.exe
2011-09-09 07:06 . 2011-08-12 04:10 8862544 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{29030DB5-8014-4175-BF9B-88F89972BFE8}\mpengine.dll
2011-09-08 14:38 . 2011-07-04 11:43 253888 ----a-w- c:\windows\system32\aswBoot.exe
2011-09-08 14:35 . 2011-09-09 13:45 -------- d-----w- c:\programdata\AVAST Software
2011-09-08 14:35 . 2011-09-08 14:35 -------- d-----w- c:\program files\AVA
2011-09-08 02:03 . 2011-09-08 02:03 -------- d-----w- c:\users\Papa Jer\AppData\Roaming\Malwarebytes
2011-09-08 02:02 . 2011-07-06 23:52 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-09-08 02:02 . 2011-09-08 02:02 -------- d-----w- c:\programdata\Malwarebytes
2011-09-08 02:02 . 2011-07-06 23:52 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-08 02:02 . 2011-09-08 02:03 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-09-06 14:51 . 2011-09-06 14:51 -------- d-----we c:\windows\system64
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-17 12:59 . 2009-04-29 08:00 45056 ----a-w- c:\windows\system32\acovcnt.exe
2011-09-17 12:57 . 2009-03-17 08:43 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-09-17 12:18 . 2010-08-09 02:27 44544 ----a-w- c:\windows\SysWow64\agremove.exe
2011-08-16 19:27 . 2011-08-16 19:27 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-08-11 16:24 . 2011-08-11 16:24 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-07-12 15:34 . 2011-07-12 15:34 96104 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:34 . 2011-07-12 15:34 85864 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:34 . 2011-07-12 15:34 61288 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:34 . 2011-07-12 15:34 212840 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\SysWow64\jdns_sd.dll
2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\SysWow64\dnssdX.dll
2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2008-07-02 02:28 . 2008-07-02 02:28 61440 ----a-w- c:\program files (x86)\Common Files\CPInstallAction.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-02 00:08 143360 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Papa Jer\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Papa Jer\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Papa Jer\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Papa Jer\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-19 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HControlUser"="c:\program files (x86)\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ATKOSD2"="c:\program files (x86)\ASUS\ATKOSD2\ATKOSD2.exe" [2008-09-03 8105984]
"ADSMTray"="c:\program files\ASUS\ASUS Data Security Manager\ADSMTray.exe" [2008-04-01 266240]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"DirectConsole2"="c:\program files (x86)\ASUS\Direct Console\Direct Console.exe" [2008-08-20 2705976]
"TkBellExe"="c:\program files (x86)\real\realplayer\update\realsched.exe" [2011-05-24 273544]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
.
c:\users\Papa Jer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Papa Jer\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
ImpulseNow.lnk - c:\program files (x86)\Stardock\Impulse\Now\ImpulseNow.exe [N/A]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-07 135664]
R3 bpmp;Intel® Centrino® WiMAX 6050 Series;c:\windows\system32\DRIVERS\bpmp.sys [x]
R3 bpusb;Intel® Centrino® WiMAX 6050 Series Function Driver;c:\windows\system32\Drivers\bpusb.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-07 135664]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x64.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw5v64.sys [x]
S0 lullaby;lullaby;c:\windows\system32\DRIVERS\lullaby.sys [x]
S0 rpcnetp;rpcnetp; [x]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 27648]
S2 ASMMAP64;ASMMAP64;c:\program files\ATKGFNEX\ASMMAP64.sys [2007-07-24 14904]
S2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;c:\program files\Intel\WiMAX\Bin\DMAgent.exe [2011-02-27 499200]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
S3 bpenum;Intel® Centrino® WiMAX Enumerator;c:\windows\system32\DRIVERS\bpenum.sys [x]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 NETwNv64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETwNv64.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-07 14:12]
.
2011-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-07 14:12]
.
2011-09-17 c:\windows\Tasks\User_Feed_Synchronization-{8BB21992-3BBF-40F1-871F-44FD5EA91E2E}.job
- c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 23:52 159744 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1_64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Papa Jer\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Papa Jer\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Papa Jer\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Papa Jer\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-06-13 6342688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1216808]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-02 16330272]
"IntelWirelessWiMAX"="c:\program files\Intel\WiMAX\Bin\WiMAXCU.exe" [2011-02-28 1617920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-07 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-07 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-07 418840]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files (x86)\Stardock\Fences\FencesMenu64.dll" [2009-10-02 134656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://odb.org/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.254.254
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
c:\program files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\rpcnetp.exe
c:\program files\ASUS\NB Probe\SPM\spmgr.exe
c:\program files (x86)\ASUS\SmartLogon\sensorsrv.exe
c:\program files (x86)\ASUS\ATK Hotkey\HControl.exe
c:\program files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
c:\program files (x86)\ASUS\ATK Hotkey\KBFiltr.exe
c:\program files (x86)\ASUS\ATK Hotkey\WDC.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2011-09-17 09:09:35 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-17 13:09
.
Pre-Run: 219,037,130,752 bytes free
Post-Run: 218,051,231,744 bytes free
.
- - End Of File - - C277D2D88BF65C284B238A21C31BAEC0

#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:25 PM

Posted 17 September 2011 - 08:45 PM

I would recommend AVAST as an antivirus. How is the computer doing?





