Infected MBR


  • This topic is locked
18 replies to this topic

#1 Night Train

Night Train

  • Members
  • 79 posts
  • OFFLINE
  • Local time:11:50 PM

Posted 27 September 2011 - 05:38 PM

Hello all, I'm new here.

I have in my possession a Lenovo T410 laptop dual booting Ubuntu and Windows 7. While not in my possession this laptop was struck with some sort of virus/malware/whatever you wish to call it. Now the Windows side of the laptop is stuck in an infinite startup repair loop. Safe mode does not work, startup repair does not work, and obviously normal booting does not work. The Linux side of things works perfectly fine. So after a bit of troubleshooting I put in Hiren's Boot CD and attempted to figure out what the problem was. When attempting to boot into Windows from Hiren's Boot CD, it gets to the Windows 7 logo and then BSODs, giving error code 0x7B. I attempted a virus scan and received nothing and then attempted to use ComboFix, which stated the MBR was infected and the computer needed to reboot to fix it; this however did nothing. I also scanned with the other couple of rootkit removers but to no avail. Any help is greatly appreciated and I'm sorry if my explanation of certain things was not adequate.


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,537 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:50 PM

Posted 27 September 2011 - 07:50 PM

I have asked someone to look here.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Night Train

Night Train
  • Topic Starter

  • Members
  • 79 posts
  • OFFLINE
  • Local time:11:50 PM

Posted 27 September 2011 - 11:07 PM

Thank you Boop, I appreciate that.

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:50 PM

Posted 29 September 2011 - 03:57 PM

I am not familiar with Linux, but can attempt to help you with Windows.

Please post if the system is 64 or 32 bits. Also, tap on F8 at startup. Let me know if you are able to boot to the advanced menu, such as Repair your computer, Safe Mode and others.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,537 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:50 PM

Posted 29 September 2011 - 04:18 PM

Hello, just letting you know I moved this topic to Here in the Virus, Trojan, Spyware, and Malware Removal Logs forum where it will stay.

Please remember to click the Watch Topic button at the top right and select Immediate Notification so you do not miss any replies now that you have been moved.

Thanks JSntgRvr

#6 Night Train

Night Train
  • Topic Starter

  • Members
  • 79 posts
  • OFFLINE
  • Local time:11:50 PM

Posted 29 September 2011 - 04:49 PM

The operating system is 64 bit and I am not able to boot to the advanced menu.

#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:50 PM

Posted 29 September 2011 - 05:37 PM

Search for a recovery CD compatible with your system.

For x64 systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • If you are unable to boot to the Advanced Menu, the installation CD will contain the same options.
  • In the absence of an install CD, search for a Recovery CD compatible with your system and follow the same instructions.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

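The FRST.txt log these steps produce is plain text, so the entries a helper looks at first can be picked out mechanically. As an added example, not FRST's own code and not from anyone in this thread, this Python script parses the autorun and file-listing line formats shown in the thread and flags the entries a responder would review first; the sample lines are copied from the log posted in this thread, and the flag heuristics (rundll32 loading from a data directory, non-Microsoft binaries in System32/SysWOW64, autorun targets FRST marks as missing) are my own assumptions, not FRST's rules.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log lines: parses the
autorun and file-listing line shapes seen in the posted log and flags entries a
responder would review first. Every flag is a lead for a human, not a verdict."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the FRST log posted in this thread (format only).
SAMPLE_LOG = r"""
HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice [2692520 2009-05-14] (ESET)
HKLM\...\Run: [nwiz] nwiz.exe /installquiet [x]
HKLM-x32\...\Run: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor [1128296 2010-05-11] (Lenovo Group Limited)
HKU\Arbolr\...\Run: [AppleProfilePolicy] rundll32.exe "C:\ProgramData\AppleProfilePolicy.dll",DllRegisterServer [111104 2011-09-11] (The Imaging Source Europe GmbH)
2011-09-11 14:29 - 2011-09-11 14:29 - 0279552 ____A (The Imaging Source Europe GmbH) C:\Windows\SysWOW64\wscui32.dll
2011-09-11 14:29 - 2011-09-11 14:29 - 0111104 ____A (The Imaging Source Europe GmbH) C:\ProgramData\AppleProfilePolicy.dll
2011-08-09 23:08 - 2010-06-23 09:17 - 54065608 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2011-09-29 21:23 - 2011-09-29 21:24 - 0000000 ____D C:\FRST
"""

# HKLM\...\Run: [name] command [size date] (publisher)   or   ... command [x]
AUTORUN_RE = re.compile(r"^(?P<hive>HK.*?)\\\.\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<rest>.*)$")
# Trailing "[size date] (publisher)", or "[x]" when FRST could not find the file.
META_RE = re.compile(
    r"\s*\[(?:(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})|(?P<missing>x))\]"
    r"\s*(?:\((?P<publisher>[^)]*)\))?\s*$"
)
# "ts1 - ts2 - size attrs (publisher) path"; Created section lists creation time first, Modified section the modified time.
FILE_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) (?:\((?P<publisher>[^)]*)\) )?(?P<path>\S.*)$"
)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)

# Heuristic locations (assumptions for this example, not FRST's own rules).
DATA_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
DATA_ROOTS = ("c:\\programdata\\", "c:\\users\\all users\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BINARY_EXT = (".dll", ".exe", ".sys", ".scr", ".cpl")

@dataclass
class Finding:
    subject: str          # autorun name or file path
    reasons: List[str]
    line: str

def _under(path: str, prefixes) -> bool:
    p = path.lower()
    return any(p.startswith(x) for x in prefixes)

def _directly_in_root(path: str, roots) -> bool:
    """True when the file sits directly in one of roots, with no product subfolder."""
    p = path.lower()
    return any(p.startswith(r) and "\\" not in p[len(r):] for r in roots)

def triage_autorun(cmd: str, missing: bool) -> List[str]:
    reasons = []
    if missing:
        reasons.append("autorun target not found ([x]): orphaned entry or payload already removed")
    m = RUNDLL_RE.search(cmd)
    if m and _under(m.group("dll"), DATA_DIRS):
        reasons.append("rundll32 loads a DLL from a user-writable data directory")
    return reasons

def triage_file(path: str, publisher: Optional[str]) -> List[str]:
    reasons = []
    if not path.lower().endswith(BINARY_EXT):
        return reasons
    if _under(path, SYSTEM_DIRS) and publisher != "Microsoft Corporation":
        reasons.append("non-Microsoft executable written into a Windows system directory")
    if _directly_in_root(path, DATA_ROOTS):
        reasons.append("executable placed directly in a data-directory root, not a product folder")
    return reasons

def triage_log(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        line = line.rstrip()
        autorun = AUTORUN_RE.match(line)
        file_entry = FILE_RE.match(line)
        if autorun:
            rest = autorun.group("rest")
            meta = META_RE.search(rest)
            cmd = rest[: meta.start()] if meta else rest
            missing = bool(meta and meta.group("missing"))
            subject, reasons = autorun.group("name"), triage_autorun(cmd, missing)
        elif file_entry:
            subject = file_entry.group("path")
            reasons = triage_file(subject, file_entry.group("publisher"))
        else:
            continue  # section headers, services, drivers, blank lines
        if reasons:
            findings.append(Finding(subject, reasons, line))
    return findings

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.subject}\n    " + "\n    ".join(f.reasons))
```

On the sample lines the script flags nwiz (target missing), the AppleProfilePolicy autorun (rundll32 from ProgramData), wscui32.dll in SysWOW64 (non-Microsoft publisher) and AppleProfilePolicy.dll sitting in the ProgramData root, while the ESET, Lenovo and MRT.exe entries pass.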


#8 Night Train

Night Train
  • Topic Starter

  • Members
  • 79 posts
  • OFFLINE
  • Local time:11:50 PM

Posted 29 September 2011 - 08:26 PM

After running FRST64, this is my scan log:

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.2.3
Ran by SYSTEM at 2011-09-29 21:23:46
Running from E:\
Windows 7 Enterprise  Service Pack 1 (X64) OS Language: English(US) 
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2009-11-16] ()
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2097960 2010-04-22] (Synaptics Incorporated)
HKLM\...\Run: [nwiz] nwiz.exe /installquiet [x]
HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice [2692520 2009-05-14] (ESET)
HKLM-x32\...\Run: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe [55808 2008-10-30] (Ricoh co.,Ltd.)
HKLM-x32\...\Run: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor [1128296 2010-05-11] (Lenovo Group Limited)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [395144 2011-05-17] (Ask)
HKU\Arbolr\...\Run: [ooVoo.exe] C:\Program Files (x86)\ooVoo\oovoo.exe /minimized [22631608 2011-05-18] (ooVoo LLC)
HKU\Arbolr\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [15147400 2011-05-26] (Skype Technologies S.A.)
HKU\Arbolr\...\Run: [SoMud] "C:\Program Files (x86)\SoMud\somud.exe" /bg [3888128 2011-06-27] ()
HKU\Arbolr\...\Run: [Facebook Update] "C:\Users\Arbolr\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [137536 2011-08-29] (Facebook Inc.)
HKU\Arbolr\...\Run: [AIMUpdate] C:\Users\Arbolr\AppData\Local\AIM\AIMUpdate\AIMupdt32.exe [84480 2011-09-11] (The Imaging Source Europe GmbH)
HKU\Arbolr\...\Run: [AppleProfilePolicy] rundll32.exe "C:\ProgramData\AppleProfilePolicy.dll",DllRegisterServer [111104 2011-09-11] (The Imaging Source Europe GmbH)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2009-07-13] (Microsoft Corporation)
Winlogon\Notify\AfsLogon: C:\Program Files\OpenAFS\Client\Program\afslogon.dll (OpenAFS Project)
Winlogon\Notify\psfus: C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll (UPEK Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Lsa: [Notification Packages] scecli
C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll

==================== Services (Whitelisted) ======

2 AdobeActiveFileMonitor7.0; C:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [169312 2008-09-16] (Adobe Systems Incorporated)
3 DozeSvc; C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [164200 2010-05-11] (Lenovo.)
3 EhttpSrv; "C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe" [23296 2009-05-14] (ESET)
2 ekrn; "C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe" [731840 2009-05-14] (ESET)
2 IBMPMSVC; C:\Windows\System32\ibmpmsvc.exe [45928 2009-11-17] (Lenovo.)
2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [116104 2009-02-10] ()
2 LENOVO.CAMMUTE; C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe [50536 2010-04-20] (Lenovo Group Limited)
2 LENOVO.TPKNRSVC; C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe [74088 2010-04-20] (Lenovo Group Limited)
2 LkCitadelServer; C:\Windows\SysWOW64\lkcitdl.exe [695136 2009-09-29] (National Instruments, Inc.)
2 lkClassAds; C:\Windows\SysWOW64\lkads.exe [43056 2009-11-23] (National Instruments Corporation)
2 lkTimeSync; C:\Windows\SysWOW64\lktsrv.exe [53808 2009-11-23] (National Instruments Corporation)
2 mxssvr; "C:\Program Files (x86)\National Instruments\MAX\nimxs.exe" [12696 2009-06-15] (National Instruments Corporation)
2 NIDomainService; "C:\Program Files (x86)\National Instruments\Shared\Security\nidmsrv.exe" [358448 2009-11-23] (National Instruments Corporation)
4 NILM License Manager; "C:\Program Files (x86)\National Instruments\Shared\License Manager\Bin\lmgrd.exe" [1007616 2009-09-18] (Macrovision Corporation)
2 niSvcLoc; C:\Windows\SysWOW64\nisvcloc.exe -s [13896 2009-10-20] (National Instruments Corporation)
2 NITaggerService; "C:\Program Files (x86)\National Instruments\Shared\Tagger\tagsrv.exe" [745576 2009-11-23] (National Instruments Corporation)
3 OpcEnum; C:\Windows\SysWOW64\OpcEnum.exe [98304 2009-06-03] (OPC Foundation)
3 Power Manager DBC Service; "C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE" [75112 2010-05-11] (Lenovo)
3 TPHDEXLGSVC; C:\Windows\System32\TPHDEXLG64.exe [47656 2009-10-09] (Lenovo.)
3 TransarcAFSDaemon; "C:\Program Files\OpenAFS\Client\Program\afsd_service.exe" [823728 2010-07-06] (OpenAFS Project)
2 MSSQL$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [x]
4 MSSQLServerADHelper100; "c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [x]
4 SQLAgent$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [x]
4 SQLBrowser; "c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]

========================== Drivers (Whitelisted) =============

3 5U877; C:\Windows\System32\DRIVERS\5U877.sys [163072 2009-12-14] (Ricoh co.,Ltd.)
0 DzHDD64; C:\Windows\System32\DRIVERS\DzHDD64.sys [30320 2010-05-11] (Lenovo.)
3 e1kexpress; C:\Windows\System32\DRIVERS\e1k62x64.sys [294064 2009-12-09] (Intel Corporation)
2 eamon; C:\Windows\System32\DRIVERS\eamon.sys [142776 2009-05-14] (ESET)
1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [134024 2009-05-14] (ESET)
2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [121152 2009-05-14] (ESET)
3 IBMPMDRV; C:\Windows\System32\DRIVERS\ibmpmdrv.sys [32880 2009-11-17] (Lenovo.)
1 lenovo.smi; C:\Windows\System32\DRIVERS\smiifx64.sys [15400 2008-05-12] (Lenovo Group Limited)
3 msloop; C:\Windows\System32\DRIVERS\loop.sys [7680 2009-07-13] (Microsoft Corporation)
3 psadd; C:\Windows\System32\DRIVERS\psadd.sys [27136 2007-02-18] (Lenovo (United States) Inc.)
2 rimspci; C:\Windows\System32\DRIVERS\rimspe64.sys [61952 2009-10-25] (REDC)
4 RsFx0103; C:\Windows\System32\DRIVERS\RsFx0103.sys [311656 2009-03-29] (Microsoft Corporation)
0 Shockprf; C:\Windows\System32\DRIVERS\Apsx64.sys [136744 2009-10-09] (Lenovo.)
2 smihlp; \??\C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys [13840 2009-03-13] (UPEK Inc.)
0 TPDIGIMN; C:\Windows\System32\DRIVERS\ApsHM64.sys [23592 2009-10-09] (Lenovo.)
3 TPM; C:\Windows\System32\drivers\tpm.sys [38400 2009-07-13] (Microsoft Corporation)
1 TPPWRIF; C:\Windows\System32\drivers\Tppwr64v.sys [13104 2010-05-11] ()
3 VSTWinDriver6; C:\Windows\System32\drivers\VSTwindrvr6.sys [252928 2008-07-03] (Jungo)

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2011-09-29 21:23 - 2011-09-29 21:24 - 0000000 ____D C:\FRST
2011-09-25 17:11 - 2011-09-25 17:11 - 0000162 ___AH C:\Users\Arbolr\Desktop\~$L Meetings_9_25_11.doc
2011-09-25 17:05 - 2011-09-25 17:05 - 0065536 __ASH C:\Windows\System32\config\components{0ab744fb-cc7d-11e0-aa90-e843e58d5ea3}.TxR.blf
2011-09-25 13:43 - 2011-09-25 13:43 - 0057856 ____A C:\Users\Arbolr\Desktop\LUL Meetings_9_25_11.doc
2011-09-23 15:24 - 2011-09-23 15:24 - 1759703 ____A C:\Users\Arbolr\Desktop\01_Track_01_(1).mp3
2011-09-22 18:18 - 2011-09-22 18:18 - 0000000 ____D C:\Users\Arbolr\Documents\IEA
2011-09-21 01:44 - 2011-09-21 09:12 - 0019947 ____A C:\Users\Arbolr\Documents\Thanksgiving Thesis.docx
2011-09-21 01:28 - 2011-09-21 09:10 - 0022674 ____A C:\Users\Arbolr\Documents\Thanksgiving.docx
2011-09-19 20:35 - 2011-09-19 20:35 - 0000000 ___AH C:\Users\Arbolr\Desktop\obsrnehwke.tmp
2011-09-14 08:57 - 2011-09-14 08:57 - 0020463 ____A C:\Users\Arbolr\Documents\Prison Studies.docx
2011-09-14 08:57 - 2011-09-14 08:57 - 0000162 ___AH C:\Users\Arbolr\Documents\~$ison Studies.docx
2011-09-14 08:53 - 2011-09-14 08:53 - 0019500 ____A C:\Users\Arbolr\Documents\Sullivan.docx
2011-09-14 08:53 - 2011-09-14 08:53 - 0000162 ___AH C:\Users\Arbolr\Documents\~$llivan.docx
2011-09-13 18:07 - 2011-09-13 21:33 - 0000000 ____D C:\Users\Arbolr\Documents\TxTBks
2011-09-11 14:29 - 2011-09-11 14:29 - 0279552 ____A (The Imaging Source Europe GmbH) C:\Windows\SysWOW64\wscui32.dll
2011-09-11 14:29 - 2011-09-11 14:29 - 0111104 ____A (The Imaging Source Europe GmbH) C:\Users\All Users\AppleProfilePolicy.dll
2011-09-11 14:29 - 2011-09-11 14:29 - 0111104 ____A (The Imaging Source Europe GmbH) C:\ProgramData\AppleProfilePolicy.dll
2011-09-08 00:23 - 2011-09-08 00:23 - 0032411 ____A C:\Users\Arbolr\Desktop\readmission-application.pdf
2011-09-03 11:12 - 2011-09-03 11:13 - 0535224 ____A C:\Windows\Minidump\090311-18376-01.dmp
2011-09-01 01:47 - 2011-09-01 01:47 - 2842850 ____A C:\Users\Arbolr\Documents\KVlatenight.docx
2011-08-30 23:21 - 2011-08-30 23:21 - 0015595 ____A C:\Users\Arbolr\Documents\TO DO.docx
2011-08-30 23:21 - 2011-08-30 23:21 - 0000162 ___AH C:\Users\Arbolr\Documents\~$TO DO.docx

============ 3 Months Modified Files and Folders =============

2011-09-29 21:24 - 2011-09-29 21:23 - 0000000 ____D C:\FRST
2011-09-26 22:41 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\NDF
2011-09-26 22:40 - 2010-07-02 03:51 - 0000000 ____D C:\Users\All Users\FLEXnet
2011-09-26 22:40 - 2010-07-02 03:51 - 0000000 ____D C:\ProgramData\FLEXnet
2011-09-26 22:40 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\registration
2011-09-26 22:40 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\AppCompat
2011-09-26 22:34 - 2011-06-05 11:24 - 0000000 ____D C:\Users\Arbolr\AppData\Roaming\Skype
2011-09-26 22:34 - 2010-11-08 20:45 - 0000000 ____D C:\Users\Arbolr\AppData\Roaming\FrostWire
2011-09-26 22:33 - 2011-06-05 11:25 - 0000000 ____D C:\Users\All Users\Skype Extras
2011-09-26 22:33 - 2011-06-05 11:25 - 0000000 ____D C:\ProgramData\Skype Extras
2011-09-26 22:33 - 2010-06-23 10:24 - 0000000 __RHD C:\MSOCache
2011-09-26 15:11 - 2010-08-27 18:28 - 0000000 ____D C:\users\Arbolr
2011-09-25 17:11 - 2011-09-25 17:11 - 0000162 ___AH C:\Users\Arbolr\Desktop\~$L Meetings_9_25_11.doc
2011-09-25 17:09 - 2011-06-05 11:25 - 0000000 ____D C:\Users\Arbolr\AppData\Roaming\skypePM
2011-09-25 17:08 - 2010-08-27 18:21 - 3110866944 __ASH C:\hiberfil.sys
2011-09-25 17:05 - 2011-09-25 17:05 - 0065536 __ASH C:\Windows\System32\config\components{0ab744fb-cc7d-11e0-aa90-e843e58d5ea3}.TxR.blf
2011-09-25 13:45 - 2011-06-08 19:06 - 0000000 ____D C:\Users\Arbolr\Documents\LUL
2011-09-25 13:44 - 2011-04-16 10:53 - 0000000 ____D C:\Users\Arbolr\Documents\LUL_AG
2011-09-25 13:43 - 2011-09-25 13:43 - 0057856 ____A C:\Users\Arbolr\Desktop\LUL Meetings_9_25_11.doc
2011-09-23 15:24 - 2011-09-23 15:24 - 1759703 ____A C:\Users\Arbolr\Desktop\01_Track_01_(1).mp3
2011-09-23 11:30 - 2011-08-17 22:06 - 0000000 ____D C:\Users\Arbolr\Documents\Outlook Files
2011-09-22 18:20 - 2010-09-07 19:22 - 0000000 ____D C:\Users\All Users\CanonIJPLM
2011-09-22 18:20 - 2010-09-07 19:22 - 0000000 ____D C:\ProgramData\CanonIJPLM
2011-09-22 18:18 - 2011-09-22 18:18 - 0000000 ____D C:\Users\Arbolr\Documents\IEA
2011-09-21 09:12 - 2011-09-21 01:44 - 0019947 ____A C:\Users\Arbolr\Documents\Thanksgiving Thesis.docx
2011-09-21 09:10 - 2011-09-21 01:28 - 0022674 ____A C:\Users\Arbolr\Documents\Thanksgiving.docx
2011-09-19 20:35 - 2011-09-19 20:35 - 0000000 ___AH C:\Users\Arbolr\Desktop\obsrnehwke.tmp
2011-09-14 23:00 - 2010-08-27 18:26 - 1136159 ____A C:\Windows\WindowsUpdate.log
2011-09-14 22:34 - 2011-08-29 19:29 - 0000932 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3564395635-571874076-422337642-1007UA.job
2011-09-14 19:40 - 2009-07-13 20:45 - 0016512 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2011-09-14 19:40 - 2009-07-13 20:45 - 0016512 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2011-09-14 19:34 - 2011-08-29 19:29 - 0000910 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3564395635-571874076-422337642-1007Core.job
2011-09-14 08:57 - 2011-09-14 08:57 - 0020463 ____A C:\Users\Arbolr\Documents\Prison Studies.docx
2011-09-14 08:57 - 2011-09-14 08:57 - 0000162 ___AH C:\Users\Arbolr\Documents\~$ison Studies.docx
2011-09-14 08:53 - 2011-09-14 08:53 - 0019500 ____A C:\Users\Arbolr\Documents\Sullivan.docx
2011-09-14 08:53 - 2011-09-14 08:53 - 0000162 ___AH C:\Users\Arbolr\Documents\~$llivan.docx
2011-09-13 21:33 - 2011-09-13 18:07 - 0000000 ____D C:\Users\Arbolr\Documents\TxTBks
2011-09-12 16:29 - 2009-07-13 21:13 - 0875190 ____A C:\Windows\System32\PerfStringBackup.INI
2011-09-12 16:26 - 2011-05-22 19:18 - 0004758 ____A C:\Windows\setupact.log
2011-09-12 16:23 - 2010-10-28 13:25 - 0636818 ____A C:\Users\Arbolr\Documents\Chem.zip
2011-09-11 15:29 - 2010-08-27 18:28 - 0000000 ____D C:\Users\Arbolr\AppData\LocalLow
2011-09-11 14:29 - 2011-09-11 14:29 - 0279552 ____A (The Imaging Source Europe GmbH) C:\Windows\SysWOW64\wscui32.dll
2011-09-11 14:29 - 2011-09-11 14:29 - 0111104 ____A (The Imaging Source Europe GmbH) C:\Users\All Users\AppleProfilePolicy.dll
2011-09-11 14:29 - 2011-09-11 14:29 - 0111104 ____A (The Imaging Source Europe GmbH) C:\ProgramData\AppleProfilePolicy.dll
2011-09-11 14:29 - 2010-09-22 14:37 - 0000000 ____D C:\Users\Arbolr\AppData\Local\AIM
2011-09-11 14:29 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\sysprep
2011-09-08 21:28 - 2010-09-16 10:51 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2011-09-08 17:56 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2011-09-08 00:23 - 2011-09-08 00:23 - 0032411 ____A C:\Users\Arbolr\Desktop\readmission-application.pdf
2011-09-03 11:13 - 2011-09-03 11:12 - 0535224 ____A C:\Windows\Minidump\090311-18376-01.dmp
2011-09-03 11:12 - 2011-05-22 23:13 - 493535116 ____A C:\Windows\MEMORY.DMP
2011-09-03 11:12 - 2010-09-01 06:35 - 0000000 ____D C:\Windows\Minidump
2011-09-01 14:27 - 2011-08-02 23:25 - 0079872 ____A C:\Users\Arbolr\Documents\Appraisal__10.xls
2011-09-01 01:47 - 2011-09-01 01:47 - 2842850 ____A C:\Users\Arbolr\Documents\KVlatenight.docx
2011-08-30 23:21 - 2011-08-30 23:21 - 0015595 ____A C:\Users\Arbolr\Documents\TO DO.docx
2011-08-30 23:21 - 2011-08-30 23:21 - 0000162 ___AH C:\Users\Arbolr\Documents\~$TO DO.docx
2011-08-29 19:30 - 2011-08-29 19:29 - 0000000 ____D C:\Users\Arbolr\AppData\Local\Facebook
2011-08-29 19:29 - 2011-08-29 19:29 - 0493520 ____A (Facebook Inc.) C:\Users\Arbolr\Documents\FacebookVideoCallSetup_v1.2.203.0.exe
2011-08-29 19:29 - 2011-08-29 19:29 - 0493520 ____A (Facebook Inc.) C:\Users\Arbolr\Documents\FacebookVideoCallSetup_v1.2.203.0(2).exe
2011-08-29 14:01 - 2011-04-05 14:12 - 0000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2011-08-28 16:55 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\rescache
2011-08-28 12:07 - 2011-08-18 07:46 - 0839759 ____A C:\Users\Arbolr\Documents\HVCC info.docx
2011-08-22 00:04 - 2011-08-22 00:04 - 0124158 ____A C:\Windows\ntbtlog.txt
2011-08-21 21:11 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\config\TxR
2011-08-19 02:03 - 2009-07-13 21:08 - 0032588 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2011-08-18 09:10 - 2011-08-18 09:10 - 0056576 ____A C:\Users\Arbolr\Desktop\MFLOA_fall_2011.pdf
2011-08-18 09:04 - 2011-08-18 09:04 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Real
2011-08-18 09:04 - 2011-08-18 09:04 - 0000000 ____D C:\users\Administrator
2011-08-18 07:46 - 2011-08-18 07:46 - 0000162 ___AH C:\Users\Arbolr\Documents\~$CC info.docx
2011-08-17 00:07 - 2010-12-21 00:56 - 0000000 ____D C:\Users\Arbolr\AppData\Local\ElevatedDiagnostics
2011-08-11 21:56 - 2011-08-11 21:56 - 0058402 ____A C:\Users\Arbolr\Documents\MFLOA_fall_2011(2).pdf
2011-08-11 16:10 - 2011-08-11 16:10 - 0000000 ____D C:\Users\Arbolr\Documents\SoMud
2011-08-11 15:49 - 2011-08-11 15:49 - 0000000 ____D C:\Users\Arbolr\AppData\Roaming\SoMud
2011-08-11 15:49 - 2011-08-11 15:48 - 0000000 ____D C:\Program Files (x86)\SoMud FileBulldog Toolbar
2011-08-11 15:48 - 2011-08-11 15:48 - 0000963 ____A C:\Users\Public\Desktop\SoMud.lnk
2011-08-11 15:48 - 2011-08-11 15:48 - 0000000 ____D C:\Program Files (x86)\SoMud
2011-08-11 15:48 - 2011-08-11 15:48 - 0000000 ____D C:\Program Files (x86)\somototoolbar
2011-08-11 15:47 - 2011-08-11 15:47 - 16197357 ____A C:\Users\Arbolr\Documents\somud_installer.exe
2011-08-11 15:13 - 2011-08-11 15:13 - 0058402 ____A C:\Users\Arbolr\Documents\MFLOA_fall_2011.pdf
2011-08-11 10:59 - 2011-04-05 14:12 - 0000000 ____D C:\Users\Arbolr\AppData\Local\Thunderbird
2011-08-11 00:47 - 2011-08-11 00:47 - 0000000 ____D C:\Users\Arbolr\Documents\Dexter
2011-08-09 23:08 - 2010-06-23 09:17 - 54065608 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2011-08-09 23:07 - 2010-06-25 04:20 - 0869406 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2011-08-04 12:50 - 2011-08-04 12:50 - 0507896 ____A C:\Windows\Minidump\080411-20560-01.dmp
2011-08-02 23:42 - 2011-08-02 23:42 - 0068018 ____A C:\Users\Arbolr\Documents\AmazingAsian.jpg
2011-07-24 17:37 - 2011-07-24 17:37 - 0082428 ____A C:\Users\Arbolr\Documents\63578_430093355869_702425869_5605681_22387_n.jpg
2011-07-24 16:55 - 2011-07-24 16:55 - 0470434 ____A C:\Users\Arbolr\Documents\CPN2011_web.jpg
2011-07-21 23:34 - 2011-08-09 20:25 - 9322496 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2011-07-21 22:38 - 2011-08-09 20:25 - 5989376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2011-07-21 21:35 - 2011-08-09 20:24 - 1638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2011-07-21 20:56 - 2011-08-09 20:24 - 1638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2011-07-18 21:57 - 2011-07-18 21:57 - 0124101 ____A C:\Users\Arbolr\Documents\269166_10150240954808621_541803620_7621450_3551879_n.jpg
2011-07-15 21:26 - 2011-08-09 20:26 - 0362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2011-07-15 21:26 - 2011-08-09 20:26 - 0243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
2011-07-15 21:26 - 2011-08-09 20:26 - 0214528 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2011-07-15 21:26 - 2011-08-09 20:26 - 0013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2011-07-15 21:24 - 2011-08-09 20:26 - 0016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2011-07-15 21:21 - 2011-08-09 20:26 - 1162240 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2011-07-15 21:21 - 2011-08-09 20:26 - 0422400 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2011-07-15 21:17 - 2011-08-09 20:26 - 0338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2011-07-15 21:04 - 2011-08-09 20:26 - 0006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2011-07-15 21:04 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2011-07-15 20:36 - 2011-08-09 20:26 - 0014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2011-07-15 20:31 - 2011-08-09 20:26 - 0025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2011-07-15 20:30 - 2011-08-09 20:26 - 1048576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2011-07-15 20:30 - 2011-08-09 20:26 - 0272384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2011-07-15 20:30 - 2011-08-09 20:26 - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2011-07-15 20:19 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2011-07-15 18:26 - 2011-08-09 20:26 - 0007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2011-07-15 18:26 - 2011-08-09 20:26 - 0002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2011-07-15 18:21 - 2011-08-09 20:26 - 0006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2011-07-15 18:21 - 2011-08-09 20:26 - 0004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-15 18:21 - 2011-08-09 20:26 - 0003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-15 18:21 - 2011-08-09 20:26 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2011-07-15 11:21 - 2011-07-15 11:21 - 2049888 ____A C:\Users\Arbolr\Documents\Kesha LUL.png
2011-07-15 11:17 - 2011-07-15 11:17 - 0103650 ____A C:\Users\Arbolr\Documents\268169_10150234706616429_651291428_7581925_127410_n.jpg
2011-07-14 09:50 - 2009-07-13 20:45 - 0481584 ____A C:\Windows\System32\FNTCACHE.DAT
2011-07-11 09:48 - 2011-07-11 09:48 - 0800383 ____A C:\Users\Arbolr\Documents\16th CPN Flier Small.jpg
2011-07-11 09:40 - 2011-07-11 09:40 - 3523229 ____A C:\Users\Arbolr\Documents\16th CPN Flier_2.zip
2011-07-08 21:14 - 2011-08-24 11:00 - 0002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2011-07-08 20:30 - 2011-08-24 11:00 - 0002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2011-07-08 18:44 - 2011-08-09 20:26 - 0287744 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\mrxsmb10.sys
2011-07-08 12:44 - 2011-07-08 12:44 - 0293560 ____A C:\Windows\Minidump\070811-17955-01.dmp
2011-07-06 23:23 - 2011-07-06 23:21 - 0119842 ____A C:\Users\Arbolr\Documents\Resume Randy Arboleda.pdf
2011-07-06 23:22 - 2011-07-06 23:22 - 0118568 ____A C:\Users\Arbolr\Documents\Resume Randy Arboleda NEW.pdf
2011-07-06 23:21 - 2011-02-20 12:45 - 0041472 ____A C:\Users\Arbolr\Documents\Resume Randy Arboleda.doc
2011-07-03 09:38 - 2011-08-10 14:30 - 68186936 ____N C:\Users\Arbolr\Documents\IMG_1035.MOV

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ====================== 

Percentage of memory in use: 16%
Total physical RAM: 3955.67 MB
Available physical RAM: 3298.95 MB
Total Pagefile: 3953.87 MB
Available Pagefile: 3286.15 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:341.8 GB) (Free:194.85 GB) NTFS
2 Drive d: (Win7_sp1_32-64_EN-faXcooL) (CDROM) (Total:4.22 GB) (Free:0 GB) UDF
3 Drive e: (DIESEL) (Removable) (Total:3.73 GB) (Free:0.15 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==========================================================

Last Boot: 2011-09-22 22:51

======================= End Of Log ==========================


#9 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,843 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 29 September 2011 - 08:49 PM

Let's take a look at the Master Boot Record. See if you can follow these instructions:

Download MBRFix from here. Save and extract its contents to the desktop. Once extracted, copy only the MBRFix64 application to your flash drive.

Also download the enclosed file to the flash drive.

Insert the flash drive into the ailing computer and run FRST64 as you did before. This time around click on the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply. It will also produce another file, MBRDUMP.txt. This file is a hex file. Do not post its contents. Rather, attach it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#10 Night Train
  • Topic Starter

  • Members
  • 79 posts

Posted 29 September 2011 - 08:56 PM

I believe I followed those instructions correctly; here is my fix log:

Fix result of Farbars's Recovery Tool (FRST written by farbar version 2.2.3)
Ran by SYSTEM at 2011-09-29 21:54:16 R:1
Running from E:\

==============================================


=========  E:\MbrFix64 /drive 0 savembr E:\MBRDUMP.txt  =========


========= End of CMD: =========


==== End of Fixlog ====

and attached is my MBR dump.

Attached File: MBRDUMP.txt (512 bytes)

#11 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,843 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 29 September 2011 - 09:12 PM

The MBR looks corrupted.

Download the enclosed file to the flash drive and overwrite the existing one.

Insert the flash drive into the ailing computer and run FRST64 as you did before. This time around click on the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Attempt to boot in Normal Mode. If successful, run Combofix as follows:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremover.com/supported-applications. Do not use AppRemover on Norton.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt".
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

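A structural sanity check that can be run over a 512-byte MBR dump like the MBRDUMP.txt attached above, as an added example that is not part of this thread or of MBRFix/FRST. The partition type table, the dual-boot layout and both sample dumps are constructed assumptions; a clean result only means the table and signature are well-formed, not that the boot code is trustworthy.

```python
"""Sanity-check a raw 512-byte MBR image (added example, constructed data).

Assumed layout (classic MBR): 446 bytes of boot code, four 16-byte partition
entries starting at offset 446, and the 0x55AA signature at offset 510.
"""
import struct

MBR_SIZE = 512
PT_OFFSET = 446
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"

# Well-known partition type IDs (subset; anything else is reported as unknown).
PART_TYPES = {0x00: "empty", 0x05: "extended", 0x07: "NTFS/HPFS/exFAT",
              0x0b: "FAT32", 0x0c: "FAT32 LBA", 0x0f: "extended LBA",
              0x82: "Linux swap", 0x83: "Linux", 0xee: "GPT protective"}


def parse_entry(raw):
    """Decode one 16-byte partition table entry into a dict."""
    boot, _chs1, ptype, _chs2, lba_start, lba_count = struct.unpack("<B3sB3sII", raw)
    return {"bootable": boot == 0x80, "boot_flag": boot, "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown 0x%02x" % ptype),
            "lba_start": lba_start, "lba_count": lba_count}


def check_mbr(data):
    """Return (problems, entries) for a raw MBR image.

    `problems` is a list of findings; an empty list means the structural checks
    passed. A bootkit can leave the table and signature intact and only alter
    the 446 bytes of code, so this is a triage aid, not a clean bill of health.
    """
    problems = []
    if len(data) != MBR_SIZE:
        problems.append("unexpected length %d (expected %d)" % (len(data), MBR_SIZE))
        return problems, []
    if data[510:512] != SIGNATURE:
        problems.append("missing 0x55AA boot signature at offset 510")
    if data[:PT_OFFSET] == b"\x00" * PT_OFFSET:
        problems.append("boot code area is all zeros")
    entries = [parse_entry(data[PT_OFFSET + i * ENTRY_SIZE:PT_OFFSET + (i + 1) * ENTRY_SIZE])
               for i in range(4)]
    active = [e for e in entries if e["bootable"]]
    if not active:
        problems.append("no partition marked active (0x80)")
    elif len(active) > 1:
        problems.append("%d partitions marked active" % len(active))
    for i, e in enumerate(entries):
        if e["boot_flag"] not in (0x00, 0x80):
            problems.append("entry %d has invalid boot flag 0x%02x" % (i, e["boot_flag"]))
        if e["type"] != 0 and e["lba_count"] == 0:
            problems.append("entry %d has type 0x%02x but zero length" % (i, e["type"]))
    # Used entries must not overlap on disk; compare neighbours after sorting by start LBA.
    used = sorted((e["lba_start"], e["lba_start"] + e["lba_count"], i)
                  for i, e in enumerate(entries) if e["type"] != 0)
    for (s1, e1, i1), (s2, e2, i2) in zip(used, used[1:]):
        if s2 < e1:
            problems.append("entries %d and %d overlap" % (i1, i2))
    return problems, entries


def build_sample_mbr(entries, code=None, signature=SIGNATURE):
    """Construct a test MBR from (boot_flag, type, lba_start, lba_count) tuples."""
    if code is None:
        code = b"\xeb\xfe" + b"\x90" * (PT_OFFSET - 2)  # 'jmp $' padded with NOPs
    table = b"".join(struct.pack("<B3sB3sII", b, b"\x00\x00\x00", t, b"\x00\x00\x00", s, n)
                     for b, t, s, n in entries)
    table += b"\x00" * (ENTRY_SIZE * (4 - len(entries)))
    return code + table + signature


# Constructed dual-boot layout (Windows NTFS active, Linux root, Linux swap).
SAMPLE_GOOD = build_sample_mbr([(0x80, 0x07, 2048, 716800000),
                                (0x00, 0x83, 716802048, 50000000),
                                (0x00, 0x82, 766802048, 8000000)])
# Constructed damaged image: zeroed code, no signature, two active, overlapping entries.
SAMPLE_CORRUPT = build_sample_mbr([(0x80, 0x07, 2048, 1000), (0x80, 0x83, 1500, 1000)],
                                  code=b"\x00" * PT_OFFSET, signature=b"\x00\x00")

if __name__ == "__main__":
    for label, img in (("good", SAMPLE_GOOD), ("corrupt", SAMPLE_CORRUPT)):
        problems, entries = check_mbr(img)
        print(label, "->", problems or "no structural problems")
        for i, e in enumerate(entries):
            if e["type"]:
                print("  entry %d: %s start=%d count=%d active=%s" %
                      (i, e["type_name"], e["lba_start"], e["lba_count"], e["bootable"]))
```

To check a real dump, read MBRDUMP.txt in binary mode and pass the bytes to check_mbr().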


#12 Night Train
  • Topic Starter

  • Members
  • 79 posts

Posted 29 September 2011 - 09:41 PM

After following the preceding instructions, here is my fixlog:

Fix result of Farbars's Recovery Tool (FRST written by farbar version 2.2.3)
Ran by SYSTEM at 2011-09-29 22:18:06 R:2
Running from E:\

==============================================


=========  bootrec /FixMbr =========

The operation completed successfully.

========= End of CMD: =========


=========== Control: ===========

The operation completed successfully.

==== End of Control: ====

==== End of Fixlog ====

After fixing the MBR I was able to boot into Windows normally. I followed the instructions and ran Combofix, and below is the Combofix log:

ComboFix 11-09-29.06 - Arbolr 09/29/2011  22:27:18.1.4 - x64
Microsoft Windows 7 Enterprise   6.1.7600.0.1252.1.1033.18.3956.2330 [GMT -4:00]
Running from: c:\users\Arbolr\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *Disabled/Outdated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.0 *Disabled/Outdated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\programdata\AppleProfilePolicy.dll
c:\programdata\Roaming
c:\users\Arbolr\AppData\Local\AIM\AIMUpdate\AIMupdt32.dll
c:\users\Arbolr\AppData\Local\AIM\AIMUpdate\AIMupdt32.exe
c:\users\Arbolr\AppData\Roaming\Mozilla\Firefox\Profiles\kys9izwq.default\extensions\{9b0faf10-3d7a-4b9d-a504-dfceff76e254}
c:\users\Arbolr\AppData\Roaming\Mozilla\Firefox\Profiles\kys9izwq.default\extensions\{9b0faf10-3d7a-4b9d-a504-dfceff76e254}\chrome.manifest
c:\users\Arbolr\AppData\Roaming\Mozilla\Firefox\Profiles\kys9izwq.default\extensions\{9b0faf10-3d7a-4b9d-a504-dfceff76e254}\chrome\xulcache.jar
c:\users\Arbolr\AppData\Roaming\Mozilla\Firefox\Profiles\kys9izwq.default\extensions\{9b0faf10-3d7a-4b9d-a504-dfceff76e254}\defaults\preferences\xulcache.js
c:\users\Arbolr\AppData\Roaming\Mozilla\Firefox\Profiles\kys9izwq.default\extensions\{9b0faf10-3d7a-4b9d-a504-dfceff76e254}\install.rdf
c:\users\Arbolr\Documents\~WRL0001.tmp
c:\users\Arbolr\Documents\~WRL0466.tmp
c:\users\Arbolr\Documents\~WRL2386.tmp
c:\windows\system32\drivers\etc\lmhosts
c:\windows\SysWow64\wscui32.dll
.
.
(((((((((((((((((((((((((   Files Created from 2011-08-28 to 2011-09-30  )))))))))))))))))))))))))))))))
.
.
2011-09-30 05:23 . 2011-09-30 05:24	--------	d-----w-	C:\FRST
2011-09-30 02:34 . 2011-09-30 02:34	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-09-30 02:21 . 2011-08-16 12:48	8862544	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{60F3000B-1E06-486B-B4D4-EB87AEC7C447}\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-22 05:35 . 2011-08-10 04:24	1638912	----a-w-	c:\windows\system32\mshtml.tlb
2011-07-22 04:56 . 2011-08-10 04:24	1638912	----a-w-	c:\windows\SysWow64\mshtml.tlb
2011-07-16 05:26 . 2011-08-10 04:26	362496	----a-w-	c:\windows\system32\wow64win.dll
2011-07-16 05:26 . 2011-08-10 04:26	243200	----a-w-	c:\windows\system32\wow64.dll
2011-07-16 05:26 . 2011-08-10 04:26	13312	----a-w-	c:\windows\system32\wow64cpu.dll
2011-07-16 05:26 . 2011-08-10 04:26	214528	----a-w-	c:\windows\system32\winsrv.dll
2011-07-16 05:24 . 2011-08-10 04:26	16384	----a-w-	c:\windows\system32\ntvdm64.dll
2011-07-16 05:21 . 2011-08-10 04:26	422400	----a-w-	c:\windows\system32\KernelBase.dll
2011-07-16 05:17 . 2011-08-10 04:26	338432	----a-w-	c:\windows\system32\conhost.exe
2011-07-16 05:04 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	4608	---ha-w-	c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	4096	---ha-w-	c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	4096	---ha-w-	c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	3584	---ha-w-	c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	4608	---ha-w-	c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	4096	---ha-w-	c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	3584	---ha-w-	c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	3584	---ha-w-	c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	3584	---ha-w-	c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	3584	---ha-w-	c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	3584	---ha-w-	c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	3584	---ha-w-	c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	6144	---ha-w-	c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	5120	---ha-w-	c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	4096	---ha-w-	c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 05:04 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2011-07-16 04:36 . 2011-08-10 04:26	14336	----a-w-	c:\windows\SysWow64\ntvdm64.dll
2011-07-16 04:32 . 2011-08-10 04:26	44032	----a-w-	c:\windows\apppatch\acwow64.dll
2011-07-16 04:31 . 2011-08-10 04:26	25600	----a-w-	c:\windows\SysWow64\setup16.exe
2011-07-16 04:30 . 2011-08-10 04:26	5120	----a-w-	c:\windows\SysWow64\wow32.dll
2011-07-16 04:30 . 2011-08-10 04:26	272384	----a-w-	c:\windows\SysWow64\KernelBase.dll
2011-07-16 04:19 . 2011-08-10 04:26	3584	---ha-w-	c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	4096	---ha-w-	c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	4096	---ha-w-	c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	4608	---ha-w-	c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	3584	---ha-w-	c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	3584	---ha-w-	c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	4096	---ha-w-	c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	4096	---ha-w-	c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	3584	---ha-w-	c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	3584	---ha-w-	c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	3584	---ha-w-	c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	5120	---ha-w-	c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	4096	---ha-w-	c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
2011-07-16 02:26 . 2011-08-10 04:26	7680	----a-w-	c:\windows\SysWow64\instnm.exe
2011-07-16 02:26 . 2011-08-10 04:26	2048	----a-w-	c:\windows\SysWow64\user.exe
2011-07-16 02:21 . 2011-08-10 04:26	6144	---ha-w-	c:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21 . 2011-08-10 04:26	4608	---ha-w-	c:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21 . 2011-08-10 04:26	3584	---ha-w-	c:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21 . 2011-08-10 04:26	3072	---ha-w-	c:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-09 05:14 . 2011-08-24 19:00	2048	----a-w-	c:\windows\system32\tzres.dll
2011-07-09 04:30 . 2011-08-24 19:00	2048	----a-w-	c:\windows\SysWow64\tzres.dll
2011-07-09 02:44 . 2011-08-10 04:26	287744	----a-w-	c:\windows\system32\drivers\mrxsmb10.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{652853ad-5592-4231-88c6-706613a52e61}]
2011-07-21 16:40	81920	----a-w-	c:\program files (x86)\somototoolbar\vmntemplateX.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-05-17 17:29	1490312	----a-w-	c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
"{652853ad-5592-4231-88c6-706613a52e61}"= "c:\program files (x86)\somototoolbar\vmntemplateX.dll" [2011-07-21 81920]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{652853ad-5592-4231-88c6-706613a52e61}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ooVoo.exe"="c:\program files (x86)\ooVoo\oovoo.exe" [2011-05-18 22631608]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-05-27 15147400]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
"SoMud"="c:\program files (x86)\SoMud\somud.exe" [2011-06-28 3888128]
"Facebook Update"="c:\users\Arbolr\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-08-30 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]
"PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2010-05-12 1128296]
"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2011-05-17 395144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages	REG_MULTI_SZ   	scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 DozeSvc;Lenovo Doze Mode Service;c:\program files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2010-05-12 164200]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2010-05-12 75112]
R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 427880]
S0 DzHDD64;DzHDD64;c:\windows\System32\DRIVERS\DzHDD64.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2009-05-14 731840]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2010-04-20 50536]
S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2010-04-20 74088]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [x]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2009-03-13 13840]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [x]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 VSTWinDriver6;VSTWinDriver6;c:\windows\system32\drivers\VSTwindrvr6.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3564395635-571874076-422337642-1007Core.job
- c:\users\Arbolr\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-30 03:29]
.
2011-09-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3564395635-571874076-422337642-1007UA.job
- c:\users\Arbolr\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-30 03:29]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-17 307768]
"nwiz"="nwiz.exe" [2010-03-18 1712744]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2692520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://som.startnow.com/?src=startpage&provider=bing&provider_name=bing&provider_code=Z061&partner_id=270&product_id=705&affiliate_id=&channel=campaign111&toolbar_id=13&toolbar_version=1.0.0.0&install_country=US&install_date=20110811&user_guid=A1F0C444F9BC4B4B86060A10F070F231&machine_id=95015de02610caab5f7c5da9a2fd9fce&browser=IE&os=win&os_version=6.1-x64-SP0
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download Web &Images with SoMud - c:\program files (x86)\SoMud\scripts\ie\images-url.html
IE: Download with SoMud - c:\program files (x86)\SoMud\scripts\ie\link-url.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Arbolr\AppData\Roaming\Mozilla\Firefox\Profiles\kys9izwq.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://som.startnow.com/?src=startpage&provider=bing&provider_name=bing&provider_code=Z061&partner_id=270&product_id=705&affiliate_id=&channel=campaign111&toolbar_id=13&toolbar_version=1.0.0.0&install_country=US&install_date=20110811&user_guid=A1F0C444F9BC4B4B86060A10F070F231&machine_id=95015de02610caab5f7c5da9a2fd9fce&browser=FF&os=win&os_version=6.1-x64-SP0
FF - prefs.js: keyword.URL - hxxp://som.startnow.com/s/?src=addrbar&provider=bing&provider_name=bing&provider_code=Z061&partner_id=270&product_id=705&affiliate_id=&channel=campaign111&toolbar_id=13&toolbar_version=1.0.0.0&install_country=US&install_date=20110811&user_guid=A1F0C444F9BC4B4B86060A10F070F231&machine_id=95015de02610caab5f7c5da9a2fd9fce&browser=FF&os=win&os_version=6.1-x64-SP0&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Skype extension: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: SomotoToolbar: {652853ad-5592-4231-88c6-706613a52e61} - %profile%\extensions\{652853ad-5592-4231-88c6-706613a52e61}
FF - Ext: SoMud: mozillaextension@somud.com - c:\program files (x86)\SoMud\scripts\mozilla
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{007A569E-A103-4FA8-94E3-7724C6155CB1} - c:\windows\SysWow64\wscui32.dll
Wow6432Node-HKCU-Run-AIMUpdate - c:\users\Arbolr\AppData\Local\AIM\AIMUpdate\AIMupdt32.exe
Wow6432Node-HKCU-Run-AppleProfilePolicy - c:\programdata\AppleProfilePolicy.dll
Wow6432Node-HKU-Default-Run-AIMUpdate - c:\users\Arbolr\AppData\Local\AIM\AIMUpdate\AIMupdt32.exe
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
Completion time: 2011-09-29  22:37:02
ComboFix-quarantined-files.txt  2011-09-30 02:37
.
Pre-Run: 211,612,672,000 bytes free
Post-Run: 222,698,401,792 bytes free
.
- - End Of File - - 403F1F3C1E5641F0F9F4435B2AB388C8


#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 29 September 2011 - 09:57 PM

Ask.com as well as Somototoolbar are considered Adware. I would suggest you remove these from your system.

Let's search for remnants:

Please download Malwarebytes' Anti-Malware from Here. Never download Malwarebytes' Anti-Malware from other sources.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Update and perform a Nod32 Full scan and let me know the outcome.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#14 Night Train

Night Train
  • Topic Starter

  • Members
  • 79 posts

Posted 30 September 2011 - 02:13 AM

I removed both forms of adware that you suggested and ran malwarebytes afterwards which produced this log:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7831

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

9/29/2011 11:10:56 PM
mbam-log-2011-09-29 (23-10-56).txt

Scan type: Quick scan
Objects scanned: 195222
Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

It didn't detect anything. Afterwards I ran a full system scan with updated Nod32, which produced the following log; it is rather long, so I am going to attach it here:

Attached File: Nod log.txt (307.93KB)

In summary, it found seven infected files and either cleaned or deleted them.

#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 30 September 2011 - 11:03 AM

How is the computer doing?
