
Cannot boot! consrv not found


  • This topic is locked
8 replies to this topic

#1 garyb525


  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 08 December 2011 - 10:53 AM

My son has a Toshiba Satellite A505 laptop that will no longer boot into Windows Vista either normally or Safe Mode. It attempts to boot and then returns a BSOD with an error message c0000135 (unable to locate component). The application failed to start because conserv.dll could not be found.

From my investigation, it appears that this situation is caused by a virus, but I would like some help to make sure that I take the correct steps to remove the virus in the proper order.

Thanks.

Edited by hamluis, 08 December 2011 - 12:16 PM.
Moved from Vista to Am I Infected.



#2 JSntgRvr


    Master Surgeon General


  • Malware Response Team
  • 11,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:27 PM

Posted 09 December 2011 - 12:56 AM

:welcome:

Let's give it a try. You will need a USB (Flash) pendrive.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 garyb525


Posted 13 December 2011 - 09:33 AM

JSntgRvr,

Thanks for your help. Here is the log:

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.3.0
Ran by SYSTEM at 2011-12-13 08:29:56
Running from F:\
Windows Vista ™ Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [] [x]
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7220768 2009-03-12] (Realtek Semiconductor)
HKLM\...\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe [1833504 2009-03-12] (Realtek Semiconductor Corp.)
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1713448 2009-03-18] (Synaptics Incorporated)
HKLM\...\Run: [ThpSrv] C:\Windows\system32\thpsrv /logon [x]
HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1451520 2009-04-14] (TOSHIBA Corporation)
HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [236544 2009-03-24] (TOSHIBA Corporation)
HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1584184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe [1123840 2009-03-24] (TOSHIBA Corporation)
HKLM\...\Run: [TPCHWMsg] %ProgramFiles%\TOSHIBA\TPHM\TPCHWMsg.exe [613232 2009-04-09] (TOSHIBA Corporation)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [497504 2009-08-21] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [909624 2009-08-05] (TOSHIBA Corporation)
HKLM-x32\...\Run: [TUSBSleepChargeSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe [x]
HKLM-x32\...\Run: [PCMAgent] "C:\Program Files (x86)\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [143360 2009-04-10] (CyberLink Corp.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [61440 2009-04-21] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [TWebCamera] "%ProgramFiles(x86)%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [x]
HKLM-x32\...\Run: [NDSTray.exe] "C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe" [304496 2009-03-17] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [cfFncEnabler.exe] "C:\Program Files (x86)\TOSHIBA\ConfigFree\cfFncEnabler.exe" [16384 2009-03-24] (Toshiba Corporation)
HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1295736 2011-02-11] (TOSHIBA Corporation)
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [31072 2008-10-25] (Microsoft Corporation)
HKLM-x32\...\Run: [SearchSettings] C:\Program Files (x86)\Dealio Toolbar\SearchSettings.exe [1024512 2009-07-29] (Spigot, Inc.)
HKLM-x32\...\Run: [CLMLServer] "C:\Program Files (x86)\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [200704 2009-04-10] (CyberLink)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2011-09-07] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [395144 2011-05-17] (Ask)
HKLM-x32\...\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot [273544 2011-07-02] (RealNetworks, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-10-09] (Apple Inc.)
HKLM-x32\...\Run: [avast] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui [3722416 2011-09-06] (AVAST Software)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKU\Ben\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-07-05] (Google Inc.)
HKU\Ben\...\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe [x]
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Support\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-07-05] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 AgereModemAudio; C:\Windows\system32\agr64svc.exe [15872 2008-03-18] (Agere Systems)
2 avast! Antivirus; "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" [44768 2011-09-06] (AVAST Software)
2 Bonjour Service; "C:\Program Files\Bonjour\mDNSResponder.exe" [462184 2011-08-30] (Apple Inc.)
2 camsvc; C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe [20544 2009-04-16] (TOSHIBA)
3 GamesAppService; "C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe" [206072 2010-10-12] (WildTangent, Inc.)
3 GSService; "C:\Windows\SysWOW64\GSService.exe" [745472 2011-03-31] ()
2 gupdate1ca13d8944ad3e0; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc [133104 2009-08-02] (Google Inc.)
3 IDriverT; "C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe" [69632 2005-11-14] (Macrovision Corporation)
3 Microsoft Office Groove Audit Service; "C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe" [65888 2008-10-25] (Microsoft Corporation)
3 ServiceLayer; "C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe" [430592 2008-04-07] (Nokia.)
3 SMServer; "C:\Windows\SysWOW64\snmvtsvc.exe" [243712 2011-03-31] (SMServer)
2 Thpsrv; C:\Windows\system32\ThpSrv.exe [535608 2008-08-22] (TOSHIBA Corporation)
2 TNaviSrv; C:\Program Files (x86)\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe [83312 2009-03-30] (TOSHIBA Corporation)
2 RasMan32; C:\Windows\system32\secproc32.exe [x]

========================== Drivers (Whitelisted) =============

3 AgereSoftModem; C:\Windows\System32\DRIVERS\agrsm64.sys [1253376 2008-03-21] (Agere Systems)
2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [24408 2011-09-06] (AVAST Software)
2 aswMonFlt; \??\C:\Windows\system32\drivers\aswMonFlt.sys [65368 2011-09-06] (AVAST Software)
1 aswRdr; C:\Windows\System32\Drivers\aswRdr.sys [42328 2011-09-06] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [601944 2011-09-06] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [301912 2011-09-06] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [58200 2011-09-06] (AVAST Software)
3 HSF_DPV; C:\Windows\System32\DRIVERS\VSTDPV6.SYS [1523712 2008-01-20] (Conexant Systems, Inc.)
3 pccsmcfd; C:\Windows\System32\DRIVERS\pccsmcfdx64.sys [29184 2007-09-17] (Nokia)
3 RTL8169; C:\Windows\System32\DRIVERS\Rtlh64.sys [318568 2010-06-23] (Realtek )
3 sscdbus; C:\Windows\System32\DRIVERS\sscdbus.sys [105128 2007-07-03] (MCCI Corporation)
3 sscdmdfl; C:\Windows\System32\DRIVERS\sscdmdfl.sys [16040 2007-07-03] (MCCI Corporation)
3 sscdmdm; C:\Windows\System32\DRIVERS\sscdmdm.sys [142504 2007-07-03] (MCCI Corporation)
3 ss_bus; C:\Windows\System32\DRIVERS\ss_bus.sys [108296 2007-05-02] (MCCI Corporation)
3 ss_mdfl; C:\Windows\System32\DRIVERS\ss_mdfl.sys [19208 2007-05-02] (MCCI Corporation)
3 ss_mdm; C:\Windows\System32\DRIVERS\ss_mdm.sys [145160 2007-05-02] (MCCI Corporation)
3 TFsExDisk; \??\C:\Windows\System32\Drivers\TFsExDisk.sys [16392 2009-08-03] (Teruten Inc)
3 winachsf; C:\Windows\System32\DRIVERS\VSTCNXT6.SYS [724480 2008-01-20] (Conexant Systems, Inc.)
3 wmamp3DriverV32; C:\Windows\System32\drivers\wmamp3DriverV32.sys [34040 2011-03-31] (Windows ® Codename Longhorn DDK provider)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 msiserver; C:\Windows\System32\msiexec /V [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2011-12-08 07:47 - 2011-12-08 07:51 - 4292853760 __ASH C:\hiberfil.sys
2011-12-07 10:13 - 2011-12-07 10:17 - 0000000 ____D C:\mwb
2011-12-03 17:23 - 2011-12-08 09:18 - 0000000 ____D C:\FRST
2011-11-28 08:32 - 2011-12-07 08:39 - 1531030 ____A C:\Windows\ntbtlog.txt
2011-11-23 08:18 - 2011-11-23 08:18 - 0000000 ____D C:\Windows\System32\Macromed
2011-11-22 22:14 - 2011-11-22 22:14 - 0002126 ____A C:\Users\Public\Desktop\Google Earth.lnk
2011-11-19 22:09 - 2011-11-19 22:36 - 0000000 ____D C:\Users\Support\AppData\Local\Microsoft Games
2011-11-18 23:21 - 2011-11-18 23:21 - 0001767 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2011-11-18 18:33 - 2011-11-18 18:33 - 0000000 ____A C:\Users\Ben\AppData\Local\{9D397D57-EC2C-43C4-87BE-3E8B1FE04471}
2011-11-14 20:11 - 2011-09-20 13:06 - 1423744 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2011-11-14 20:11 - 2011-09-20 06:04 - 0040448 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys
2011-11-14 15:54 - 2011-11-14 15:54 - 0000000 ____A C:\Users\Ben\AppData\Local\{8163098A-699C-481A-A1F4-895810BE23DE}
2011-11-13 10:21 - 2011-11-13 10:21 - 0000000 ____D C:\Users\Support\AppData\Local\Apple
2011-11-13 08:28 - 2011-11-13 08:28 - 0000955 ____A C:\Users\Support\Desktop\Windows Media Player.lnk

============ 3 Months Modified Files and Folders =============

2011-12-08 09:18 - 2011-12-03 17:23 - 0000000 ____D C:\FRST
2011-12-08 07:51 - 2011-12-08 07:47 - 4292853760 __ASH C:\hiberfil.sys
2011-12-07 10:17 - 2011-12-07 10:13 - 0000000 ____D C:\mwb
2011-12-07 08:39 - 2011-11-28 08:32 - 1531030 ____A C:\Windows\ntbtlog.txt
2011-11-25 23:56 - 2006-11-02 05:33 - 0000000 ____D C:\Windows\PolicyDefinitions
2011-11-25 21:38 - 2009-06-14 13:53 - 1464127 ____A C:\Windows\WindowsUpdate.log
2011-11-25 21:37 - 2009-08-02 17:31 - 0000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2011-11-25 17:17 - 2011-07-04 18:53 - 0000406 ____A C:\Windows\Tasks\PC Optimizer Pro64 startups.job
2011-11-25 17:17 - 2011-04-14 16:31 - 0000374 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2011-11-25 17:17 - 2009-08-02 17:31 - 0000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2011-11-25 17:17 - 2006-11-02 07:42 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2011-11-25 17:16 - 2011-04-27 13:30 - 0004392 ____A C:\Windows\System32\spsys.log
2011-11-25 17:16 - 2009-07-17 22:13 - 0000000 ____D C:\users\Ben
2011-11-25 17:16 - 2006-11-02 07:22 - 0003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2011-11-25 17:16 - 2006-11-02 07:22 - 0003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2011-11-25 15:44 - 2009-09-26 00:39 - 0000578 ___AH C:\Windows\Tasks\Norton Security Scan for Ben.job
2011-11-23 08:18 - 2011-11-23 08:18 - 0000000 ____D C:\Windows\System32\Macromed
2011-11-23 08:18 - 2011-06-24 10:23 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2011-11-22 22:14 - 2011-11-22 22:14 - 0002126 ____A C:\Users\Public\Desktop\Google Earth.lnk
2011-11-22 22:14 - 2009-05-02 22:58 - 0000000 ____D C:\Program Files (x86)\Google
2011-11-22 16:57 - 2006-11-02 04:46 - 0738362 ____A C:\Windows\System32\PerfStringBackup.INI
2011-11-22 16:53 - 2009-07-18 15:46 - 0022724 ____A C:\Windows\setupact.log
2011-11-22 16:24 - 2006-11-02 07:42 - 0032538 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2011-11-22 16:23 - 2009-08-02 17:20 - 0000000 ____D C:\Users\Ben\AppData\Roaming\Skype
2011-11-22 14:08 - 2009-08-02 17:22 - 0000000 ____D C:\Users\Ben\AppData\Roaming\skypePM
2011-11-21 17:48 - 2009-08-02 17:23 - 0002036 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2011-11-20 20:06 - 2009-11-19 17:30 - 0000680 ____A C:\Users\Ben\AppData\Local\d3d9caps.dat
2011-11-19 22:36 - 2011-11-19 22:09 - 0000000 ____D C:\Users\Support\AppData\Local\Microsoft Games
2011-11-19 13:58 - 2009-07-18 13:30 - 0000000 ____D C:\users\Support
2011-11-19 01:03 - 2006-11-02 04:33 - 86769664 ____A C:\Windows\System32\config\software_previous
2011-11-19 01:03 - 2006-11-02 04:33 - 41943040 ____A C:\Windows\System32\config\system_previous
2011-11-19 01:01 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\spool
2011-11-19 01:01 - 2006-11-02 05:33 - 0000000 ____D C:\Windows\registration
2011-11-19 00:54 - 2006-11-02 04:33 - 55312384 ____A C:\Windows\System32\config\components_previous
2011-11-19 00:54 - 2006-11-02 04:33 - 0262144 ____A C:\Windows\System32\config\sam_previous
2011-11-18 23:23 - 2009-08-05 10:45 - 0070234 ____A C:\Windows\PFRO.log
2011-11-18 23:21 - 2011-11-18 23:21 - 0001767 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2011-11-18 23:21 - 2011-01-25 11:59 - 0000000 ____D C:\Program Files (x86)\QuickTime
2011-11-18 23:10 - 2010-09-02 10:49 - 0001807 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2011-11-18 23:10 - 2009-07-18 13:40 - 0000000 ____A C:\Windows\SysWOW64\config.nt
2011-11-18 23:04 - 2006-11-02 05:33 - 0000000 ____D C:\Windows\System32\config\TxR
2011-11-18 22:53 - 2006-11-02 04:33 - 0524288 ____A C:\Windows\System32\config\default_previous
2011-11-18 22:53 - 2006-11-02 04:33 - 0262144 ____A C:\Windows\System32\config\security_previous
2011-11-18 18:33 - 2011-11-18 18:33 - 0000000 ____A C:\Users\Ben\AppData\Local\{9D397D57-EC2C-43C4-87BE-3E8B1FE04471}
2011-11-16 18:18 - 2009-07-18 13:32 - 0000000 ____D C:\Users\Support\AppData\Local\Google
2011-11-15 08:02 - 2009-07-17 22:16 - 0000000 ____D C:\Users\Ben\AppData\Local\Google
2011-11-14 21:50 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\Msdtc
2011-11-14 15:54 - 2011-11-14 15:54 - 0000000 ____A C:\Users\Ben\AppData\Local\{8163098A-699C-481A-A1F4-895810BE23DE}
2011-11-13 10:21 - 2011-11-13 10:21 - 0000000 ____D C:\Users\Support\AppData\Local\Apple
2011-11-13 08:28 - 2011-11-13 08:28 - 0000955 ____A C:\Users\Support\Desktop\Windows Media Player.lnk
2011-11-09 20:33 - 2006-11-02 05:33 - 0000000 ____D C:\Program Files\Common Files\System
2011-11-09 20:31 - 2006-11-02 04:35 - 52174280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2011-11-09 13:51 - 2009-05-02 22:57 - 0000000 ____D C:\Windows\SysWOW64\Macromed
2011-11-09 13:51 - 2009-05-02 22:35 - 0000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2011-11-09 09:37 - 2009-05-02 23:00 - 0000000 ____D C:\Users\All Users\WildTangent
2011-11-09 09:37 - 2009-05-02 23:00 - 0000000 ____D C:\ProgramData\WildTangent
2011-11-09 09:36 - 2011-11-09 09:36 - 0000000 ____D C:\Program Files (x86)\WildGames
2011-11-09 09:32 - 2011-11-09 09:32 - 0002351 ____N C:\Users\Public\Desktop\WildTangent Games App - toshiba.lnk
2011-11-09 09:31 - 2011-11-09 09:31 - 0000000 ____D C:\Program Files (x86)\WildTangent Games
2011-11-06 17:23 - 2009-07-18 15:22 - 0000000 ____D C:\Users\Support\AppData\Roaming\Apple Computer
2011-10-26 06:15 - 2009-07-17 22:14 - 0000000 ____D C:\Users\Ben\AppData\LocalLow
2011-10-24 20:07 - 2009-07-18 13:30 - 0000000 ____D C:\Users\Support\AppData\LocalLow
2011-10-24 12:29 - 2011-10-24 12:29 - 0094208 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTimeVR.qtx
2011-10-24 12:29 - 2011-10-24 12:29 - 0069632 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTime.qts
2011-10-19 09:39 - 2011-10-19 09:39 - 0000000 ____D C:\Windows\system64
2011-10-14 05:15 - 2006-11-02 05:33 - 0000000 ____D C:\Windows\rescache
2011-10-14 04:58 - 2006-11-02 07:21 - 0419048 ____A C:\Windows\System32\FNTCACHE.DAT
2011-10-14 04:55 - 2009-12-08 15:33 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2011-10-13 22:30 - 2009-06-14 12:41 - 0000000 ____D C:\Users\All Users\Microsoft Help
2011-10-13 22:30 - 2009-06-14 12:41 - 0000000 ____D C:\ProgramData\Microsoft Help
2011-10-12 20:21 - 2011-10-12 20:21 - 0001705 ____A C:\Users\Public\Desktop\iTunes.lnk
2011-10-12 20:21 - 2011-10-12 20:20 - 0000000 ____D C:\Program Files\iTunes
2011-10-12 20:21 - 2011-10-12 20:20 - 0000000 ____D C:\Program Files (x86)\iTunes
2011-10-12 20:20 - 2011-10-12 20:20 - 0000000 ____D C:\Program Files\iPod
2011-10-12 20:11 - 2011-10-12 20:10 - 0000000 ____D C:\Program Files\Bonjour
2011-10-12 20:11 - 2011-10-12 20:10 - 0000000 ____D C:\Program Files (x86)\Bonjour
2011-10-12 20:06 - 2011-10-12 20:06 - 0000000 ____D C:\Program Files (x86)\Apple Software Update
2011-10-05 14:21 - 2011-10-05 14:21 - 0010370 ____A C:\Users\Ben\Documents\bleep Breast Cancer.docx
2011-10-05 11:43 - 2011-07-04 18:44 - 0000000 __SHD C:\Windows\SysWOW64\AI_RecycleBin
2011-10-05 11:35 - 2011-07-04 18:43 - 0000000 ____D C:\Program Files (x86)\Free Offers from Freeze.com
2011-10-05 11:33 - 2011-10-05 11:33 - 0000000 ____D C:\Users\Ben\Documents\My Downloads
2011-10-05 11:32 - 2011-10-05 11:32 - 0000000 ____D C:\Program Files (x86)\File Type Assistant
2011-10-05 11:22 - 2011-07-04 19:16 - 0000000 ____D C:\Users\Ben\AppData\Local\BearShare
2011-10-05 11:17 - 2011-10-05 11:17 - 0000000 ____D C:\Users\All Users\125E
2011-10-05 11:17 - 2011-10-05 11:17 - 0000000 ____D C:\ProgramData\125E
2011-09-27 14:57 - 2011-09-27 14:57 - 0194447 ____A C:\Users\Ben\Documents\blitzdriving.jpg
2011-09-20 13:06 - 2011-11-14 20:11 - 1423744 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2011-09-20 06:04 - 2011-11-14 20:11 - 0040448 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys
2011-09-16 09:23 - 2010-10-29 07:56 - 0001928 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2011-09-15 18:13 - 2011-09-15 18:13 - 0072853 ____A C:\Users\Ben\Documents\window.jpg
2011-09-15 18:12 - 2011-09-15 18:12 - 0120053 ____A C:\Users\Ben\Documents\bed2.jpg
2011-09-15 18:12 - 2011-09-15 18:12 - 0089047 ____A C:\Users\Ben\Documents\wolf.jpg
2011-09-15 18:12 - 2011-09-15 18:12 - 0057675 ____A C:\Users\Ben\Documents\bed1.jpg
2011-09-15 09:22 - 2011-09-15 09:22 - 0000118 ____A C:\Windows\System32\MRT.INI

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 4093.04 MB
Available physical RAM: 3519.22 MB
Total Pagefile: 3840.9 MB
Available Pagefile: 3494.18 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (TI100343V0F) (Fixed) (Total:454.05 GB) (Free:357.7 GB) NTFS ==>[System with boot components]
3 Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.3 GB) NTFS
4 Drive f: (STORE N GO) (Removable) (Total:3.72 GB) (Free:2.49 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 466 GB 0 B
Disk 1 Online 3820 MB 0 B

Partitions of Disk 0:

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 454 GB 1501 MB
Partition 3 Primary 10 GB 456 GB

Disk: 0
Partition 2
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI100343V0F NTFS Partition 454 GB Healthy

==========================================================

Last Boot: 2011-11-25 17:24

======================= End Of Log ==========================

#4 JSntgRvr


Posted 13 December 2011 - 11:26 AM

Download the enclosed file to the USB drive.


Insert the USB drive into the ailing computer. Run FRST as you did before, except that this time around press the Fix button instead and wait.

The tool will make a log on the flash drive (Fixlog.txt). Please post it in your reply.

If successful, restart in Normal Mode. If able to, run Combofix as follows:


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremover.com/supported-applications. Do not use AppRemover on Norton

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.



#5 garyb525


Posted 13 December 2011 - 01:50 PM

Here are the log files you requested:

Fixlist.txt file

Start
SubSystems: [Windows] ==> ZeroAccess
C:\Windows\system64
End

I've attached the combofix log since it was such a long list. FYI, when I downloaded ComboFix from the first link you have above and ran it, it gave me a message saying that it was outdated. I closed out and downloaded the program from your site, and it ran fine. You may just want to check out that first link.
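A small triage script for FRST output of the kind posted above (added example, not part of this thread and not FRST's own code). It parses the Registry, Services and file-listing sections and flags the two items the fixlist in this post removed, the SubSystems value FRST attributes to ZeroAccess and the C:\Windows\system64 folder, plus autostart entries whose file has no publisher or is missing. The log excerpt is a constructed sample built from a few lines of the posted log; the heuristics and function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: a few representative lines copied from the FRST log
# posted in this thread (the full log is several hundred lines long).
SAMPLE_LOG = r"""
========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7220768 2009-03-12] (Realtek Semiconductor)
HKLM\...\Run: [ThpSrv] C:\Windows\system32\thpsrv /logon [x]
HKLM-x32\...\Run: [avast] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui [3722416 2011-09-06] (AVAST Software)
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 avast! Antivirus; "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" [44768 2011-09-06] (AVAST Software)
3 GSService; "C:\Windows\SysWOW64\GSService.exe" [745472 2011-03-31] ()
2 RasMan32; C:\Windows\system32\secproc32.exe [x]

============ 3 Months Modified Files and Folders =============

2011-12-08 09:18 - 2011-12-03 17:23 - 0000000 ____D C:\FRST
2011-11-09 20:31 - 2006-11-02 04:35 - 52174280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2011-10-19 09:39 - 2011-10-19 09:39 - 0000000 ____D C:\Windows\system64
"""

# Section banner:  ===== Name =====
SECTION_RE = re.compile(r"^=+\s*([^=].*?)\s*=+$")
# Autostart entry:  HKLM\...\Run: [Name] command [size date] (Publisher)
RUN_RE = re.compile(r"^(?P<key>HK[^:]+): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
# Service/driver entry:  <start type> Name; command [size date] (Publisher)
SVC_RE = re.compile(r"^(?P<start>\d) (?P<name>[^;]+); (?P<rest>.*)$")
# Trailing "[size date] (Publisher)" shared by both entry types
TAIL_RE = re.compile(
    r"^(?P<cmd>.*?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)$"
)
# File listing:  created - modified - size attrs [(Publisher)] path
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ "
    r"(?P<attrs>\S+) (?:\([^)]*\) )?(?P<path>.+)$"
)

# Folders Windows itself places directly under %SystemRoot% with a "sys*" name.
LEGIT_WINDOWS_DIRS = {"system", "system32", "syswow64"}


def is_lookalike_system_dir(path: str) -> bool:
    """True for a folder directly under \\Windows whose name imitates system32
    (system64 in the posted log) but is not one Windows actually ships."""
    parts = path.lower().split("\\")
    if len(parts) != 3 or parts[1] != "windows":
        return False
    return (re.fullmatch(r"sys(?:tem|wow)\d*", parts[2]) is not None
            and parts[2] not in LEGIT_WINDOWS_DIRS)


def triage(log: str) -> List[Dict[str, str]]:
    """Walk an FRST log and return findings as {severity, item, reason} dicts."""
    findings: List[Dict[str, str]] = []
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        # FRST marks a tampered Windows subsystem value with "==> <family>".
        # That value is how the consrv.dll loader named in the boot error gets run.
        if line.startswith("SubSystems:") and "==>" in line:
            findings.append({"severity": "high", "item": line,
                             "reason": "Windows SubSystems value altered (FRST attributes it to ZeroAccess)"})
            continue
        entry = RUN_RE.match(line) or SVC_RE.match(line)
        if entry:
            name, rest = entry.group("name"), entry.group("rest")
            if rest.endswith("[x]"):
                findings.append({"severity": "info", "item": name,
                                 "reason": "referenced file not present on disk"})
                continue
            tail = TAIL_RE.match(rest)
            if tail and tail.group("publisher").strip() == "":
                findings.append({"severity": "medium", "item": name,
                                 "reason": "no publisher in version info: " + tail.group("cmd")})
            continue
        if "Files and Folders" in section:
            entry = FILE_RE.match(line)
            if entry and is_lookalike_system_dir(entry.group("path")):
                findings.append({"severity": "high", "item": entry.group("path"),
                                 "reason": "folder name imitates a Windows system directory"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['item']}: {f['reason']}")
```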


#6 JSntgRvr


Posted 13 December 2011 - 08:41 PM

Let's check for remnants:

Perform a full scan with AVAST.

Please download Malwarebytes' Anti-Malware from Here. Never download Malwarebytes' Anti-Malware from other sources.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



#7 garyb525


Posted 14 December 2011 - 10:02 AM

Working much better. I appreciate the help.


#8 JSntgRvr


Posted 14 December 2011 - 11:10 AM

Download the enclosed file.

Save it next to Combofix.

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


If the upload fails, Combofix created a zipped file in the C:\Qoobox\Quarantine folder labeled in the form of [4]-Submit_Date_Time.zip. Please have this file uploaded to the following location:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Indicate a link to this address and let me know when ready.



#9 JSntgRvr


Posted 21 December 2011 - 09:40 PM

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
