lost programs post trojan removal tools


  • This topic is locked
58 replies to this topic

#1 zeka

zeka

  • Members
  • 33 posts
  • OFFLINE
  • Local time:03:02 PM

Posted 11 November 2011 - 05:58 PM

Hi,
I was running XP on a PC. McAfee suddenly gave me a fakealert grb (trojan) message. System Restore ran automatically, then a Microsoft warning (fake, no doubt) saying purchase the full version of the product, with a host of error messages: 9 errors.

I used Malwarebytes when running in safe mode (the only way I could get into the system). Malwarebytes asked to reboot after running in safe mode, which I did, and then I ran SUPERAntiSpyware in normal mode to check as per your website instructions.
The PC has stopped displaying the background image, programs and shortcuts on the desktop.
I'm thinking about a system restore at this point?
Here are the logs below
Any help at this point would be highly regarded.
Thank you so much, Zara
email address:
removed to protect from spambots. ~ OB
PS: I am using another PC to post this as I can't access Firefox, but Explorer does run on the PC now, slowly. The logs were copied from Notepad to this PC so I could mail you.
Ta in advance,


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8137

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

11/11/2011 10:48:46 PM
mbam-log-2011-11-11 (22-48-46).txt

Scan type: Quick scan
Objects scanned: 223138
Time elapsed: 16 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ErrorSmart (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Bind (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/12/2011 at 01:57 AM

Application Version : 5.0.1134

Core Rules Database Version : 7778
Trace Rules Database Version: 5590

Scan type : Complete Scan
Total Scan Time : 02:50:12

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 593
Memory threats detected : 0
Registry items scanned : 40295
Registry threats detected : 0
File items scanned : 172751
File threats detected : 14

Adware.Tracking Cookie
C:\Documents and Settings\sleepy\Cookies\CA6VSL6Z.txt [ /atdmt.com ]
C:\Documents and Settings\sleepy\Cookies\CAODUZWD.txt [ /atdmt.combing.com ]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\Cookies\CAEV8T6F.txt [ Cookie:administrator@atdmt.com/ ]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\Cookies\CACPUP5M.txt [ Cookie:administrator@apmebf.com/ ]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\Cookies\CA0T9D30.txt [ Cookie:administrator@revsci.net/ ]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\Cookies\CAJKXLJW.txt [ Cookie:administrator@adxpose.com/ ]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\Cookies\CA9AYDUL.txt [ Cookie:administrator@kontera.com/ ]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\Cookies\CA6R45I3.txt [ Cookie:administrator@doubleclick.net/ ]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\Cookies\CAG563OZ.txt [ Cookie:administrator@questionmarket.com/ ]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\Cookies\CACJ2DEP.txt [ Cookie:administrator@serving-sys.com/ ]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\Cookies\CAS5ER05.txt [ Cookie:administrator@mediaplex.com/ ]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\Cookies\CA5HJACL.txt [ Cookie:administrator@ad.yieldmanager.com/ ]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\Cookies\CAC9AR4T.txt [ Cookie:administrator@h.atdmt.com/ ]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\Cookies\CAGPQ723.txt [ Cookie:administrator@accounts.google.com/ ]


Files Infected:
(No malicious items detected)

Edited by Orange Blossom, 15 November 2011 - 11:28 PM.
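The Malwarebytes log above lists several PUM (potentially unwanted modification) entries that are Explorer registry policies rather than files; the NoDesktop policy reported as Bad: (1) is exactly what hides the wallpaper and desktop shortcuts the poster describes, and the Start_Show* values hide Start menu entries. As an added example, not part of this thread and not Malwarebytes' own tooling, the Python script below parses lines in that log's "Registry Data Items Infected" format, pulls out the key, value name, detection class and the bad/good values, and reports what each policy does and the value MBAM reports as the default. The symptom descriptions keyed by detection name are annotations written for this example; the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Sample input, constructed for this example: two lines copied from the
# "Registry Data Items Infected" section of the Malwarebytes log above,
# surrounded by the neighbouring section text the parser must skip.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# One MBAM 1.x registry-data line:
#   <key>\<value name> (<detection>) -> Bad: (x) Good: (y) -> <action>
# The value name is the last path component (it contains no backslash).
LINE_RE = re.compile(
    r"^(?P<key>HK.+?)\\(?P<value_name>[^\\\s]+) \((?P<detection>[^)]+)\)"
    r" -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$"
)

# Plain-language effect of each PUM class seen in the log. These strings are
# annotations written for this example, not text produced by Malwarebytes.
SYMPTOMS = {
    "PUM.Hidden.Desktop": "Explorer policy hides the desktop: no wallpaper, icons or shortcuts",
    "PUM.Hijack.StartMenu": "Start menu entry hidden (Control Panel, Run, Search, My Computer, ...)",
}


@dataclass
class RegistryDataItem:
    key: str
    value_name: str
    detection: str
    bad: str
    good: str
    action: str


def parse_mbam_registry_data(log_text: str) -> List[RegistryDataItem]:
    """Return every line of the log that matches the registry-data format.
    Section headers, file entries and blank lines do not match and are skipped."""
    items = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            items.append(RegistryDataItem(**m.groupdict()))
    return items


def explain_symptom(item: RegistryDataItem) -> str:
    """Map the detection class to the user-visible effect of the 'Bad' value."""
    return SYMPTOMS.get(item.detection, "unknown PUM class; review the value manually")


def restore_value(item: RegistryDataItem) -> Tuple[str, str, str]:
    """(key, value name, value) that the log reports as the good/default setting."""
    return (item.key, item.value_name, item.good)


def report(log_text: str) -> List[str]:
    """One human-readable line per registry data item found in the log."""
    lines = []
    for item in parse_mbam_registry_data(log_text):
        key, name, good = restore_value(item)
        lines.append(f"{name} = {item.bad} under {key}: {explain_symptom(item)}; default is {good}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The parser is deliberately strict about the line shape, so a "(No malicious items detected)" placeholder or a file path never produces a false entry; anything that does not match the pattern is dropped rather than guessed at. Running it on the sample prints one line per policy, with the NoDesktop entry flagged as the cause of the hidden desktop.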




#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:02 PM

Posted 12 November 2011 - 02:04 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 zeka

zeka
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:03:02 PM

Posted 15 November 2011 - 09:58 PM

I was browsing the internet when McAfee suddenly gave me a fakealert grb (trojan) message. Then the System Restore program ran automatically, then a Microsoft warning saying purchase the full version of the product, with a host of error messages: 9 errors (5 System Restore fixed when I clicked on the Fix button).

I used Malwarebytes when running in safe mode (the only way I could get into the system). Malwarebytes asked to reboot after running in safe mode, which I did, and then I ran SUPERAntiSpyware in normal mode to check as per your website instructions. Then System Restore stopped running and dumping Windows with all the 9 errors.

The PC has stopped displaying the background image, programs and shortcuts on the desktop.

Here are the logs below:

dds log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Run by sleepy at 8:21:00 on 2011-11-15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1164 [GMT 10:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\ArchVision\ArchVision Content Manager\rpcACMapp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdecoms.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\MioNet\MioNetManager.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\ABBYY Lingvo 9.0 Multilingual Dictionary\Lvagent.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Lexmark 4800 Series\lxdemon.exe
C:\Program Files\Lexmark 4800 Series\lxdeamon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Yandex\Yupdate\yupdate.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
c:\program files\real\realplayer\update\realsched.exe
c:\program files\real\realplayer\RealPlay.exe
C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Cobian Backup 10\cbInterface.exe
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Program Files\internet explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au&ibd=3070528
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111011195223.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: FlashGetBHO: {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - c:\documents and settings\sleepy\application data\flashgetbho\FlashGetBHO3.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Яндекс.Бар: {91397d20-1446-11d4-8af4-0040ca1127b6} - c:\program files\yandex\yandexbarie\yndbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [Yupdate!] "c:\program files\common files\yandex\yupdate\yupdate.exe"
uRun: [AdobeBridge]
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [LogitechGalleryRepair] c:\program files\logitech\imagestudio\ISStart.exe
mRun: [LogitechImageStudioTray] c:\program files\logitech\imagestudio\LogiTray.exe
mRun: [Lingvo Launcher] "c:\program files\abbyy lingvo 9.0 multilingual dictionary\Lvagent.exe" /STARTUP
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [lxdemon.exe] "c:\program files\lexmark 4800 series\lxdemon.exe"
mRun: [lxdeamon] "c:\program files\lexmark 4800 series\lxdeamon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [WD Anywhere Backup] c:\program files\wd\wd anywhere backup\MemeoLauncher2.exe --silent
mRun: [MioNet] c:\program files\mionet\MioNetLauncher.exe /p
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
StartupFolder: c:\docume~1\sleepy\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\sleepy\application data\dropbox\bin\Dropbox.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download All By FlashGet3 - c:\documents and settings\sleepy\application data\flashgetbho\GetAllUrl.htm
IE: Download By FlashGet3 - c:\documents and settings\sleepy\application data\flashgetbho\GetUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {8DAE90AD-4583-4977-9DD4-4360F7A45C74}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: kuaiche.com\software
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{EE256182-2FF3-4EAE-B214-6416DE27A158} : DhcpNameServer = 192.168.2.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sleepy\application data\mozilla\firefox\profiles\odwvwzfc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://au.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\common-use signing interface\bin\npCsiPlugin.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-13 461864]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-8-17 89624]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-23 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-13 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 ArchVision Content Manager Service;ArchVision Content Manager Service;c:\program files\archvision\archvision content manager\rpcacmapp.exe --service --path "c:\program files\archvision\archvision content manager" --> c:\program files\archvision\archvision content manager\rpcacmapp.exe --service --path c:\program files\archvision\ArchVision Content Manager [?]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-11-13 67584]
R2 lxde_device;lxde_device;c:\windows\system32\lxdecoms.exe -service --> c:\windows\system32\lxdecoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-8-17 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-8-17 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-8-17 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-8-17 166024]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\wd\wd anywhere backup\MemeoBackgroundService.exe [2008-11-8 25824]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-8-17 160344]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-8-17 148520]
R2 MioNet;MioNet;c:\program files\mionet\MioNetManager.exe [2008-9-17 139264]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-6-25 3032360]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 102400]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-8-17 57432]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-8-17 180072]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-8-17 59288]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-8-17 338040]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-8-17 83688]
S0 ioinklh;ioinklh;c:\windows\system32\drivers\qtmx.sys --> c:\windows\system32\drivers\qtmx.sys [?]
S2 0198561218699251mcinstcleanup;McAfee Application Installer Cleanup (0198561218699251); [x]
S2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-8-17 214904]
S2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;"c:\program files\autodesk\3ds max 2009\mentalray\satellite\raysat_3dsmax2009_32server.exe" --> c:\program files\autodesk\3ds max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [?]
S3 Drmecgonwwf;Drmecgonwwf;c:\windows\system32\drivers\kbdhid.sys [2004-8-4 14592]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-8-17 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-8-17 87808]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-5-28 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-5-28 40552]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-6-25 15144]
.
=============== File Associations ===============
.
regfile=regedit.exe "%1" %*
scrfile="%1" %*
.
=============== Created Last 30 ================
.
2011-11-14 16:35:13 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-14 07:27:49 -------- d-----w- c:\program files\CCleaner
2011-11-13 06:05:13 575962 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-11-13 06:05:05 -------- d-----w- c:\windows\system32\msmq
2011-11-13 03:10:14 -------- d-----w- c:\documents and settings\sleepy\local settings\application data\Safe mirror
2011-11-13 03:09:17 -------- d-----w- c:\program files\Cobian Backup 10
2011-11-11 11:47:34 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-11 11:47:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-25 02:53:28 -------- d-----w- c:\documents and settings\sleepy\application data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2011-10-25 02:53:28 -------- d-----w- c:\documents and settings\sleepy\application data\Adobe Mini Bridge CS5
.
==================== Find3M ====================
.
2011-10-10 14:22:41 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-09-26 01:41:20 611328 ---ha-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 01:41:20 220160 ---ha-w- c:\windows\system32\oleacc.dll
2011-09-26 01:41:14 20480 ---ha-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ---ha-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ---ha-w- c:\windows\system32\win32k.sys
2011-09-05 13:56:22 667136 ---ha-w- c:\windows\system32\wininet.dll
2011-09-05 13:56:22 61952 ---ha-w- c:\windows\system32\tdc.ocx
2011-09-05 13:56:21 81920 ---ha-w- c:\windows\system32\ieencode.dll
2011-09-05 12:35:09 369664 ---ha-w- c:\windows\system32\html.iec
2011-08-19 05:59:30 148520 ---ha-w- c:\windows\system32\mfevtps.exe
2011-08-17 13:49:54 138496 ---ha-w- c:\windows\system32\drivers\afd.sys
2007-11-18 12:31:42 401720 ---ha-w- c:\program files\hijackthis.exe
.
============= FINISH: 8:28:13.48 ===============

Help, I can't see my programs; they are here but I can't run them. The history tray is empty next to the program itself.

I couldn't get the GMER scan to complete because my computer crashes, and when I reboot my PC I get a file on the desktop named Notebook.txt:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

What to do now?
Thank you
Zara


Edited by Orange Blossom, 15 November 2011 - 11:29 PM.
Merged topics. ~ OB


#4 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,744 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:02 PM

Posted 16 November 2011 - 06:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/427462 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 zeka

zeka
  • Topic Starter

  • Members
  • 33 posts

Posted 16 November 2011 - 09:56 PM

Before, I was browsing the internet when McAfee suddenly gave me a fakealert grb (trojan) message. Then the System Restore program ran automatically, then a microsoft warning saying purchase full version of the product - with a host of error messages - 9 errors (5 System Restore fixed when I clicked on the Fix button).
I used Malwarebytes when running in safe mode (the only way I could get into the system). Malwarebytes asked to reboot after running in safe mode, which I did, and then I ran Super Antispyware in normal mode to check as per your website instructions. Then System Restore stopped running and dumping windows with all the 9 errors. And after I ran McAfee, which found another 25 Trojans and blocked them, all my files and desktop shortcuts are back now. I couldn't see my programs, like they were here but I couldn't run them - the history tray is empty next to the program itself. I also couldn't get the GMER scan to complete coz my computer crashed, and when I rebooted my pc I got a file on the desktop named desktop-Notebook.txt which had this message in it:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787


At the moment my computer mouse freezes after I reboot the pc. And even in safe mode my mouse will not move.
My installed OS is Microsoft Windows XP Professional Service Pack 2 but I am not sure if it is a 32 or 64 bit system. It's a Dell Dimension E521 Athlon ™ 64 X2 Desktop w/Dual-Core Processing. I have the original Microsoft Windows XP Professional SP2 CD.
Please help me, what do I do now??
Thank you so much for your time spent
Zara

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts

Posted 17 November 2011 - 09:20 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

This looks quite badly infected, Zeka, but let's have a bash.

We have an option of doing a system restore but not through the usual channels as they may be infected.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Download http://noahdfear.net/downloads/rst.sh to the USB drive
  • Insert the USB drive and CD in the Sick computer and boot the computer from the CD
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it
Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review
m0le is a proud member of UNITE

#7 zeka

zeka
  • Topic Starter

  • Members
  • 33 posts

Posted 18 November 2011 - 06:14 AM

hi m0le,
I pasted enum.log for your review. Thank you for your help.



50.5M Nov 18 10:50 /mnt/sda2/WINDOWS/system32/config/SOFTWARE
19.8M Nov 18 10:50 /mnt/sda2/WINDOWS/system32/config/SYSTEM

0 Mar 4 2008 /sda2/System Volume Information/_restore{46DE8921-1D39-44D2-A9E9-64119261F211}/Fifoed(2)/snapshot(2)/_REGISTRY_MACHINE_SOFTWARE
0 Mar 9 2008 /sda2/System Volume Information/_restore{46DE8921-1D39-44D2-A9E9-64119261F211}/Fifoed(3)/snapshot(2)/_REGISTRY_MACHINE_SOFTWARE
0 Mar 11 2008 /sda2/System Volume Information/_restore{46DE8921-1D39-44D2-A9E9-64119261F211}/Fifoed(4)/snapshot(2)/_REGISTRY_MACHINE_SOFTWARE
0 Mar 12 2008 /sda2/System Volume Information/_restore{46DE8921-1D39-44D2-A9E9-64119261F211}/Fifoed(5)/snapshot(2)/_REGISTRY_MACHINE_SOFTWARE
0 Mar 12 2008 /sda2/System Volume Information/_restore{46DE8921-1D39-44D2-A9E9-64119261F211}/Fifoed(6)/snapshot(2)/_REGISTRY_MACHINE_SOFTWARE
50.4M Aug 24 17:00 /sda2/~/RP1390/~SOFTWARE
50.4M Aug 25 17:36 /sda2/~/RP1391/~SOFTWARE
50.4M Aug 26 17:57 /sda2/~/RP1392/~SOFTWARE
50.4M Aug 27 18:06 /sda2/~/RP1393/~SOFTWARE
50.4M Aug 28 19:06 /sda2/~/RP1394/~SOFTWARE
50.4M Aug 29 19:44 /sda2/~/RP1395/~SOFTWARE
50.4M Aug 30 19:50 /sda2/~/RP1396/~SOFTWARE
50.4M Aug 31 19:57 /sda2/~/RP1397/~SOFTWARE
50.4M Sep 2 08:40 /sda2/~/RP1398/~SOFTWARE
50.4M Sep 3 09:02 /sda2/~/RP1399/~SOFTWARE
50.4M Sep 4 09:34 /sda2/~/RP1400/~SOFTWARE
50.4M Sep 5 09:39 /sda2/~/RP1401/~SOFTWARE
50.4M Sep 6 10:18 /sda2/~/RP1402/~SOFTWARE
50.4M Sep 7 13:41 /sda2/~/RP1403/~SOFTWARE
50.4M Sep 7 17:00 /sda2/~/RP1404/~SOFTWARE
50.4M Sep 8 17:28 /sda2/~/RP1405/~SOFTWARE
50.4M Sep 9 18:00 /sda2/~/RP1406/~SOFTWARE
50.4M Sep 10 18:45 /sda2/~/RP1407/~SOFTWARE
50.4M Sep 11 19:42 /sda2/~/RP1408/~SOFTWARE
50.4M Sep 12 19:46 /sda2/~/RP1409/~SOFTWARE
50.4M Sep 16 12:56 /sda2/~/RP1411/~SOFTWARE
50.4M Sep 16 17:00 /sda2/~/RP1412/~SOFTWARE
50.4M Sep 18 04:29 /sda2/~/RP1413/~SOFTWARE
50.4M Sep 18 04:54 /sda2/~/RP1414/~SOFTWARE
50.4M Sep 18 04:54 /sda2/~/RP1415/~SOFTWARE
50.4M Sep 19 12:27 /sda2/~/RP1416/~SOFTWARE
50.4M Sep 20 13:04 /sda2/~/RP1417/~SOFTWARE
50.4M Sep 24 00:27 /sda2/~/RP1418/~SOFTWARE
50.4M Sep 25 01:04 /sda2/~/RP1419/~SOFTWARE
50.4M Sep 26 02:04 /sda2/~/RP1420/~SOFTWARE
50.4M Sep 28 17:00 /sda2/~/RP1421/~SOFTWARE
50.4M Oct 3 12:34 /sda2/~/RP1422/~SOFTWARE
50.4M Oct 4 12:49 /sda2/~/RP1423/~SOFTWARE
50.4M Oct 5 13:00 /sda2/~/RP1424/~SOFTWARE
50.4M Oct 6 13:16 /sda2/~/RP1425/~SOFTWARE
50.4M Oct 7 14:04 /sda2/~/RP1426/~SOFTWARE
50.4M Oct 10 02:24 /sda2/~/RP1429/~SOFTWARE
50.4M Oct 11 09:46 /sda2/~/RP1430/~SOFTWARE
50.4M Aug 24 13:39 /sda2/~/RP1389/~SOFTWARE
50.4M Sep 15 12:31 /sda2/~/RP1410/~SOFTWARE
50.4M Oct 11 11:01 /sda2/~/RP1431/~SOFTWARE
50.4M Nov 2 04:35 /sda2/~/RP1452/~SOFTWARE
50.4M Oct 12 12:01 /sda2/~/RP1432/~SOFTWARE
50.4M Oct 13 12:17 /sda2/~/RP1433/~SOFTWARE
50.4M Oct 14 12:39 /sda2/~/RP1434/~SOFTWARE
50.4M Oct 15 13:22 /sda2/~/RP1435/~SOFTWARE
50.4M Oct 16 14:22 /sda2/~/RP1436/~SOFTWARE
50.4M Oct 17 15:22 /sda2/~/RP1437/~SOFTWARE
50.4M Oct 18 16:22 /sda2/~/RP1438/~SOFTWARE
50.4M Oct 19 17:22 /sda2/~/RP1439/~SOFTWARE
50.4M Oct 20 18:22 /sda2/~/RP1440/~SOFTWARE
50.4M Oct 21 19:22 /sda2/~/RP1441/~SOFTWARE
50.4M Oct 22 20:22 /sda2/~/RP1442/~SOFTWARE
50.4M Oct 23 20:23 /sda2/~/RP1443/~SOFTWARE
50.4M Oct 24 21:22 /sda2/~/RP1444/~SOFTWARE
50.4M Oct 25 22:22 /sda2/~/RP1445/~SOFTWARE
50.4M Oct 26 23:23 /sda2/~/RP1446/~SOFTWARE
50.4M Oct 28 00:26 /sda2/~/RP1447/~SOFTWARE
50.4M Oct 29 01:35 /sda2/~/RP1448/~SOFTWARE
50.4M Oct 30 01:35 /sda2/~/RP1449/~SOFTWARE
50.4M Oct 31 02:45 /sda2/~/RP1450/~SOFTWARE
50.4M Nov 1 03:53 /sda2/~/RP1451/~SOFTWARE
50.4M Nov 3 13:25 /sda2/~/RP1453/~SOFTWARE
50.4M Nov 4 13:49 /sda2/~/RP1454/~SOFTWARE
50.4M Nov 5 06:40 /sda2/~/RP1455/~SOFTWARE
50.4M Nov 5 06:41 /sda2/~/RP1456/~SOFTWARE
50.4M Nov 5 06:55 /sda2/~/RP1457/~SOFTWARE
50.4M Nov 5 07:02 /sda2/~/RP1458/~SOFTWARE
50.4M Nov 5 07:06 /sda2/~/RP1460/~SOFTWARE
50.4M Nov 5 07:12 /sda2/~/RP1461/~SOFTWARE
50.4M Nov 5 07:13 /sda2/~/RP1462/~SOFTWARE
50.4M Nov 5 07:15 /sda2/~/RP1464/~SOFTWARE
50.4M Nov 6 08:35 /sda2/~/RP1466/~SOFTWARE
50.4M Nov 7 09:30 /sda2/~/RP1467/~SOFTWARE
50.4M Nov 8 09:41 /sda2/~/RP1468/~SOFTWARE
50.4M Nov 8 13:24 /sda2/~/RP1469/~SOFTWARE
50.4M Nov 9 13:55 /sda2/~/RP1470/~SOFTWARE
50.4M Nov 9 17:00 /sda2/~/RP1471/~SOFTWARE
50.4M Nov 10 17:36 /sda2/~/RP1472/~SOFTWARE
50.4M Nov 11 17:55 /sda2/~/RP1473/~SOFTWARE
50.4M Nov 13 03:59 /sda2/~/RP1474/~SOFTWARE
50.4M Nov 13 06:16 /sda2/~/RP1475/~SOFTWARE
50.4M Nov 14 06:30 /sda2/~/RP1476/~SOFTWARE
50.4M Nov 16 03:18 /sda2/~/RP1477/~SOFTWARE
50.4M Aug 19 08:13 /sda2/~/RP1386/~SOFTWARE
50.4M Aug 20 08:48 /sda2/~/RP1387/~SOFTWARE
50.4M Aug 21 09:36 /sda2/~/RP1388/~SOFTWARE
19.1M Aug 24 17:00 /sda2/~/RP1390/~SYSTEM
19.1M Aug 25 17:36 /sda2/~/RP1391/~SYSTEM
19.1M Aug 26 17:57 /sda2/~/RP1392/~SYSTEM
19.1M Aug 27 18:06 /sda2/~/RP1393/~SYSTEM
19.1M Aug 28 19:07 /sda2/~/RP1394/~SYSTEM
19.1M Aug 29 19:44 /sda2/~/RP1395/~SYSTEM
19.1M Aug 30 19:51 /sda2/~/RP1396/~SYSTEM
19.1M Aug 31 19:57 /sda2/~/RP1397/~SYSTEM
19.1M Sep 2 08:40 /sda2/~/RP1398/~SYSTEM
19.1M Sep 3 09:02 /sda2/~/RP1399/~SYSTEM
19.1M Sep 4 09:34 /sda2/~/RP1400/~SYSTEM
19.1M Sep 5 09:39 /sda2/~/RP1401/~SYSTEM
19.1M Sep 6 10:18 /sda2/~/RP1402/~SYSTEM
19.1M Sep 7 13:41 /sda2/~/RP1403/~SYSTEM
19.1M Sep 7 17:00 /sda2/~/RP1404/~SYSTEM
19.1M Sep 8 17:28 /sda2/~/RP1405/~SYSTEM
19.1M Sep 9 18:00 /sda2/~/RP1406/~SYSTEM
19.1M Sep 10 18:45 /sda2/~/RP1407/~SYSTEM
19.1M Sep 11 19:42 /sda2/~/RP1408/~SYSTEM
19.1M Sep 12 19:46 /sda2/~/RP1409/~SYSTEM
19.1M Sep 16 12:56 /sda2/~/RP1411/~SYSTEM
19.1M Sep 16 17:00 /sda2/~/RP1412/~SYSTEM
19.1M Sep 18 04:29 /sda2/~/RP1413/~SYSTEM
19.1M Sep 18 04:54 /sda2/~/RP1414/~SYSTEM
19.1M Sep 18 04:54 /sda2/~/RP1415/~SYSTEM
19.1M Sep 19 12:27 /sda2/~/RP1416/~SYSTEM
19.1M Sep 20 13:04 /sda2/~/RP1417/~SYSTEM
19.1M Sep 24 00:27 /sda2/~/RP1418/~SYSTEM
19.1M Sep 25 01:04 /sda2/~/RP1419/~SYSTEM
19.1M Sep 26 02:04 /sda2/~/RP1420/~SYSTEM
19.1M Sep 28 17:00 /sda2/~/RP1421/~SYSTEM
19.1M Oct 3 12:34 /sda2/~/RP1422/~SYSTEM
19.1M Oct 4 12:49 /sda2/~/RP1423/~SYSTEM
19.1M Oct 5 13:00 /sda2/~/RP1424/~SYSTEM
19.1M Oct 6 13:16 /sda2/~/RP1425/~SYSTEM
19.1M Oct 7 14:04 /sda2/~/RP1426/~SYSTEM
19.1M Oct 10 02:24 /sda2/~/RP1429/~SYSTEM
19.1M Oct 11 09:46 /sda2/~/RP1430/~SYSTEM
19.1M Aug 24 13:39 /sda2/~/RP1389/~SYSTEM
19.1M Sep 15 12:31 /sda2/~/RP1410/~SYSTEM
19.1M Oct 11 11:01 /sda2/~/RP1431/~SYSTEM
19.1M Nov 2 04:35 /sda2/~/RP1452/~SYSTEM
19.1M Oct 12 12:01 /sda2/~/RP1432/~SYSTEM
19.1M Oct 13 12:17 /sda2/~/RP1433/~SYSTEM
19.1M Oct 14 12:39 /sda2/~/RP1434/~SYSTEM
19.1M Oct 15 13:22 /sda2/~/RP1435/~SYSTEM
19.1M Oct 16 14:22 /sda2/~/RP1436/~SYSTEM
19.1M Oct 17 15:22 /sda2/~/RP1437/~SYSTEM
19.1M Oct 18 16:22 /sda2/~/RP1438/~SYSTEM
19.1M Oct 19 17:22 /sda2/~/RP1439/~SYSTEM
19.1M Oct 20 18:22 /sda2/~/RP1440/~SYSTEM
19.1M Oct 21 19:22 /sda2/~/RP1441/~SYSTEM
19.1M Oct 22 20:22 /sda2/~/RP1442/~SYSTEM
19.1M Oct 23 20:23 /sda2/~/RP1443/~SYSTEM
19.1M Oct 24 21:22 /sda2/~/RP1444/~SYSTEM
19.1M Oct 25 22:22 /sda2/~/RP1445/~SYSTEM
19.1M Oct 26 23:23 /sda2/~/RP1446/~SYSTEM
19.1M Oct 28 00:26 /sda2/~/RP1447/~SYSTEM
19.1M Oct 29 01:35 /sda2/~/RP1448/~SYSTEM
19.1M Oct 30 01:35 /sda2/~/RP1449/~SYSTEM
19.1M Oct 31 02:45 /sda2/~/RP1450/~SYSTEM
19.1M Nov 1 03:53 /sda2/~/RP1451/~SYSTEM
19.1M Nov 3 13:25 /sda2/~/RP1453/~SYSTEM
19.1M Nov 4 13:50 /sda2/~/RP1454/~SYSTEM
19.1M Nov 5 06:40 /sda2/~/RP1455/~SYSTEM
19.1M Nov 5 06:41 /sda2/~/RP1456/~SYSTEM
19.1M Nov 5 06:55 /sda2/~/RP1457/~SYSTEM
19.1M Nov 5 07:02 /sda2/~/RP1458/~SYSTEM
19.1M Nov 5 07:06 /sda2/~/RP1460/~SYSTEM
19.1M Nov 5 07:12 /sda2/~/RP1461/~SYSTEM
19.1M Nov 5 07:13 /sda2/~/RP1462/~SYSTEM
19.1M Nov 5 07:15 /sda2/~/RP1464/~SYSTEM
19.1M Nov 6 08:35 /sda2/~/RP1466/~SYSTEM
19.1M Nov 7 09:30 /sda2/~/RP1467/~SYSTEM
19.1M Nov 8 09:41 /sda2/~/RP1468/~SYSTEM
19.1M Nov 8 13:24 /sda2/~/RP1469/~SYSTEM
19.1M Nov 9 13:55 /sda2/~/RP1470/~SYSTEM
19.1M Nov 9 17:00 /sda2/~/RP1471/~SYSTEM
19.1M Nov 10 17:36 /sda2/~/RP1472/~SYSTEM
19.1M Nov 11 17:55 /sda2/~/RP1473/~SYSTEM
19.1M Nov 13 03:59 /sda2/~/RP1474/~SYSTEM
19.1M Nov 13 06:17 /sda2/~/RP1475/~SYSTEM
19.1M Nov 14 06:30 /sda2/~/RP1476/~SYSTEM
19.1M Nov 16 03:18 /sda2/~/RP1477/~SYSTEM
19.1M Aug 19 08:13 /sda2/~/RP1386/~SYSTEM
19.1M Aug 20 08:48 /sda2/~/RP1387/~SYSTEM
19.1M Aug 21 09:36 /sda2/~/RP1388/~SYSTEM

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts

Posted 18 November 2011 - 06:04 PM

We have some good points here. Please rerun the xPUD system as shown

Let's see if there is an available registry backup we can use to help get your computer booting properly
  • Boot the Sick computer again
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh -r then press Enter
  • Type 1394
  • Press Enter
  • After it has finished a report will be located at sdb1 named restore.log
  • Please try to boot into normal Windows now and indicate if you were successful

Please note - all text entries are case sensitive

Copy and paste the restore.log from your USB drive for my review
m0le is a proud member of UNITE
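
As an added illustration of the reasoning behind the step above (choosing a restore point whose hive backups are present and non-empty, and older than the day the fake alert appeared), the script below parses the enum.log listing format shown earlier in the thread. It is not rst.sh or any BleepingComputer tool; the sample lines are constructed in that format with a placeholder GUID, and entries that carry a time but no year are assumed to belong to 2011.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the enum.log posted in the thread:
# "<size> <Mon> <day> <HH:MM or year> <path>"; the restore GUID is a placeholder.
SAMPLE_ENUM_LOG = """\
50.5M Nov 18 10:50 /mnt/sda2/WINDOWS/system32/config/SOFTWARE
19.8M Nov 18 10:50 /mnt/sda2/WINDOWS/system32/config/SYSTEM
0 Mar 4 2008 /sda2/System Volume Information/_restore{GUID-PLACEHOLDER}/Fifoed(2)/snapshot(2)/_REGISTRY_MACHINE_SOFTWARE
50.4M Aug 28 19:06 /sda2/~/RP1394/~SOFTWARE
19.1M Aug 28 19:07 /sda2/~/RP1394/~SYSTEM
50.4M Nov 5 07:06 /sda2/~/RP1460/~SOFTWARE
19.1M Nov 5 07:06 /sda2/~/RP1460/~SYSTEM
0 Nov 13 03:59 /sda2/~/RP1474/~SOFTWARE
19.1M Nov 13 03:59 /sda2/~/RP1474/~SYSTEM
50.4M Nov 16 03:18 /sda2/~/RP1477/~SOFTWARE
"""
LINE_RE = re.compile(r"^(\S+)\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}:\d{2}|\d{4})\s+(.+)$")
RP_RE = re.compile(r"/RP(\d+)/~(\w+)$")
UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def parse_size(text):
    """'50.4M' -> bytes; a bare '0' is an empty, unusable hive backup."""
    if text[-1] in UNITS:
        return int(float(text[:-1]) * UNITS[text[-1]])
    return int(text)

def parse_enum_log(text, assumed_year=2011):
    """Parse enum.log lines; entries that show a time but no year get assumed_year."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size, mon, day, tail, path = m.groups()
        stamp = f"{mon} {day} {assumed_year} {tail}" if ":" in tail else f"{mon} {day} {tail} 00:00"
        when = datetime.strptime(stamp, "%b %d %Y %H:%M")
        entries.append({"size": parse_size(size), "when": when, "path": path})
    return entries

def complete_restore_points(entries, required=("SOFTWARE", "SYSTEM")):
    """RP number -> newest hive timestamp, for RPs whose required hives are all non-empty."""
    points = {}
    for e in entries:
        m = RP_RE.search(e["path"])
        if not m:
            continue
        rp, hive = int(m.group(1)), m.group(2)
        p = points.setdefault(rp, {"when": e["when"], "hives": {}})
        p["hives"][hive] = e["size"]
        p["when"] = max(p["when"], e["when"])
    return {rp: p["when"] for rp, p in points.items()
            if all(p["hives"].get(h, 0) > 0 for h in required)}

def pick_restore_point(entries, before):
    """Newest complete restore point strictly older than `before` (YYYY-MM-DD)."""
    cutoff = datetime.strptime(before, "%Y-%m-%d")
    older = [(when, rp) for rp, when in complete_restore_points(entries).items() if when < cutoff]
    return max(older)[1] if older else None
```

On the constructed sample, RP1474 is rejected because its SOFTWARE backup is empty and RP1477 because no SYSTEM backup is listed, so a cutoff of the day the alert appeared selects the newest complete point before it.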

#9 zeka

zeka
  • Topic Starter

  • Members
  • 33 posts

Posted 18 November 2011 - 08:38 PM

hi m0le,
here is restore.log:

SOFTWARE hive restored from RP1394
SYSTEM hive restored from RP1394
SECURITY hive restored from RP1394
SAM hive restored from RP1394

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts

Posted 20 November 2011 - 05:35 AM

Can you now try and run aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#11 zeka

zeka
  • Topic Starter

  • Members
  • 33 posts

Posted 20 November 2011 - 07:33 AM

Hi m0le,
after rebooting the pc 3 times coz the mouse was frozen, it started "Checking file system on C:". When it finishes I will try to save the log.

#12 zeka

zeka
  • Topic Starter

  • Members
  • 33 posts

Posted 20 November 2011 - 07:59 AM

The mouse is still frozen after "Checking file system". I tried to reboot the computer in safe mode but it just hangs and doesn't boot. What to do now? please help...

#13 zeka

zeka
  • Topic Starter

  • Members
  • 33 posts

Posted 20 November 2011 - 09:38 AM

Just an update. I ran an XP boot disk as the system was frozen "mouse frozen" then ran the XP repair disk and now i am on a boot loop unable to access safe mode or any other function.
Plsss Help.

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts

Posted 20 November 2011 - 07:59 PM

Boot the system using xPUD, we'll try a different restore point first. If it freezes post back, do not do anything else.

  • Boot the Sick computer
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh -r then press Enter
  • Type 1393
  • Press Enter
  • After it has finished a report will be located at sdb1 named restore.log
  • Please try to boot into normal Windows now and indicate if you were successful

Please note - all text entries are case sensitive

Copy and paste the restore.log from your USB drive for my review
m0le is a proud member of UNITE

#15 zeka

zeka
  • Topic Starter

  • Members
  • 33 posts

Posted 20 November 2011 - 10:07 PM

I couldn't boot the computer into normal windows coz I am in a boot loop; it keeps looping and on the black screen is written: "We apologize for the inconvenience, but windows did not start successfully. A recent hardware or software change might have caused this." It asks to "choose Last Known Good Configuration to revert to the most recent settings that worked", so when I press "Start Windows Normally" it just keeps getting me back here again.

restore.log:

SOFTWARE hive restored from RP1393
SYSTEM hive restored from RP1393
SECURITY hive restored from RP1393
SAM hive restored from RP1393



