
Virus that caused Windows 7 64bit Startup Repair loop


  • This topic is locked
18 replies to this topic

#1 Jukeboxx

  • Members
  • 62 posts

Posted 30 December 2011 - 10:59 PM

Hello,

The other day I got a virus on my laptop, and I thought it was just another regular scareware program. I've been infected before, so I simply ran RKill and then Malwarebytes in safe mode, as I usually do. MWB detected 5 infections, which I promptly removed, and restarted the computer. However, when I restarted, the computer was still slow and Mozilla Firefox refused to start, so I figured the virus wasn't removed. I tried to run RKill, but every time I ran it three windows popped up saying "Installation failed" and RKill did not stop any programs. Confounded, I ran Malwarebytes, SUPERAntiSpyware and TDSSKiller, and none of them found anything. After much research I found that it was some sort of backdoor trojan... I ran Microsoft's Safety Scanner and it detected a trojan, but upon restarting I got caught in a startup loop. When I start my computer the HP logo comes up, then the Windows logo, but then it quickly restarts, showing the HP logo and then an option that says I can either try to start Windows normally or do a startup repair. When I try to do a startup repair, it fails. I unfortunately was too stupid to establish any system restore points :(. If you guys could help me either get my data or fix this problem it would be amazing.

Thanks guys, I really appreciate what you guys have done for me and my computers!!!!

#2 Farbar

  • Security Developer
  • 21,704 posts
  • Location:The Netherlands

Posted 31 December 2011 - 05:40 AM

Hello Jukeboxx,

Welcome to Bleeping Computer. I will assist you with this issue.

Also, I'm moving this topic to the malware removal forum.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter and close Notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.
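Once the FRST.txt comes back it still has to be read line by line. The script below is an added example for this thread, not part of Farbar's tool and not posted by anyone in it: it runs a first-pass triage over lines in the format FRST 2.3-era logs use, surfacing the things a helper looks for first (FRST's own "==>" verdict marker, a driver service whose file under system32\drivers is gone, a Run entry pointing at a missing file, hidden+system files in odd places, and a directory named like a system directory that stock Windows never creates). The sample input is a handful of lines copied from the log posted later in this thread, with one clean Run entry and one clean driver line kept in so the negatives are visible. The regular expressions, the severity labels and the small allow-list of normal hidden+system files are my own assumptions fitted to that sample; FRST does not publish a formal log grammar.

```python
"""First-pass triage of an FRST log (FRST.txt) in the style of the one posted in this thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied from the FRST.txt posted later in this thread,
# plus a clean Run entry and a clean driver line so the negatives are visible.
SAMPLE_LOG = r"""
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1560872 2008-07-24] (Synaptics, Inc.)
HKLM-x32\...\Run: [EfficientDiary] [x]
SubSystems: [Windows] ==> ZeroAccess
3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [34120 2010-02-11] (LogMeIn, Inc.)
1 aghurhie; \??\C:\Windows\system32\drivers\aghurhie.sys [x]
4 eabfiltr; [x]
2011-12-27 01:59 - 2011-12-27 02:04 - 0006886 __ASH C:\ProgramData\i3prsmyfgk135bhl
2011-12-27 01:59 - 2011-12-27 01:59 - 0000000 ____D C:\Windows\system64
2011-12-28 23:10 - 2009-11-02 15:54 - 3145089024 __ASH C:\hiberfil.sys
2011-11-25 16:27 - 2011-11-25 16:27 - 0026625 ___SH C:\Users\Inhak\Downloads\AlbumArt_{E2EC3652-5B11-4FDD-8C74-5731C75D1EE7}_Large.jpg
C:\Windows\System32\winlogon.exe => MD5 is legit
"""

# Line shapes as they appear in the log above. Assumption: FRST's format is not
# formally documented, so these patterns are fitted to the 2.3.x sample.
RUN_RE = re.compile(r"^(HK[^:]*\\Run): \[([^\]]*)\] (.*)$")   # "<key>: [<name>] <path> [size date] (company)"
DRIVER_RE = re.compile(r"^(\d) ([^;]+); (.*)$")                # "<start type> <name>; <path> [size date] (company)"
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) - (\d{4}-\d\d-\d\d \d\d:\d\d) - (\d+) "
    r"([_A-Z]{5}) (?:\([^)]*\) )?(.+)$"                         # "<created> - <modified> - <size> <attrs> [(company)] <path>"
)

# Hidden+system files that are normal at the root of the system drive
# (assumption: a deliberately minimal allow-list, extend it for your own image).
HIDDEN_SYSTEM_ALLOW = {"hiberfil.sys", "pagefile.sys"}


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return the lines of an FRST log worth a second look, most severe first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # FRST prints its own verdict after "==>" (e.g. "==> ZeroAccess"); always surface it.
        # The "=> MD5 is legit" lines use a single "=" and are deliberately not matched.
        if "==>" in line:
            verdict = line.split("==>", 1)[1].strip()
            findings.append(Finding("high", f"FRST flagged this entry as {verdict}", line))
            continue

        m = DRIVER_RE.match(line)
        if m:
            name, rest = m.group(2), m.group(3)
            # A driver still registered under system32\drivers whose file is gone ([x]) is what
            # a partly removed rootkit leaves behind; an entry with no path at all is a stale uninstall.
            if rest.endswith("[x]") and "\\drivers\\" in rest.lower():
                findings.append(Finding("medium", f"driver service '{name}' is registered but its file is missing", line))
            continue

        m = RUN_RE.match(line)
        if m:
            if m.group(3).endswith("[x]"):
                findings.append(Finding("low", f"Run entry '{m.group(2)}' points to a file that no longer exists", line))
            continue

        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group(4), m.group(5)
            name = path.rsplit("\\", 1)[-1]
            if path.lower().rstrip("\\") == r"c:\windows\system64":
                # Stock Windows has System32 and SysWOW64, never "system64".
                findings.append(Finding("high", "directory 'system64' does not exist on a stock Windows install", line))
            elif "S" in attrs and "H" in attrs and name.lower() not in HIDDEN_SYSTEM_ALLOW \
                    and not name.startswith("AlbumArt_"):
                # Hidden+system attributes on a random-looking file under ProgramData or AppData.
                # Windows Media Player's AlbumArt_*.jpg files are hidden+system by design and skipped.
                findings.append(Finding("medium", "hidden+system file outside the expected set", line))

    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f.severity])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it as-is to see the five findings from the sample, or pass the contents of a real FRST.txt to triage(). It is a reading aid only: the helper still decides what to fix, and nothing here writes to the machine.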

#3 Jukeboxx

  • Topic Starter

  • Members
  • 62 posts

Posted 31 December 2011 - 01:04 PM

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.3.1
Ran by SYSTEM at 2011-12-31 12:59:45
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1560872 2008-07-24] (Synaptics, Inc.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [165912 2009-09-10] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [387608 2009-09-10] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [365592 2009-09-10] (Intel Corporation)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-03-23] (IDT, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1436736 2011-06-15] (Microsoft Corporation)
HKLM-x32\...\Run: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [150016 2008-08-20] (Hewlett-Packard)
HKLM-x32\...\Run: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [323640 2009-11-24] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe [479744 2008-07-24] (WDC)
HKLM-x32\...\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [499768 2009-09-01] (Hewlett-Packard)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [x]
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [EfficientDiary] [x]
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1230704 2011-03-21] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
HKU\Default\...\Run: [ooVoo.exe] C:\Program Files (x86)\ooVoo\ooVoo.exe /minimized [22631608 2011-05-18] (ooVoo LLC)
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
HKU\Default User\...\Run: [ooVoo.exe] C:\Program Files (x86)\ooVoo\ooVoo.exe /minimized [22631608 2011-05-18] (ooVoo LLC)
HKU\Inhak\...\Run: [Google Update] "C:\Users\Inhak\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2009-11-02] (Google Inc.)
HKU\Inhak\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [9728 2009-07-13] (Microsoft Corporation)
HKU\Inhak\...\Run: [Spotify] "C:\Users\Inhak\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart [3984048 2011-12-15] (Spotify Ltd)
HKU\Inhak\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5486464 2011-12-08] (SUPERAntiSpyware.com)
HKLM\...\Winlogon: [Userinit] c:\windows\system32\userinit.exe [30720 2010-11-20] (Microsoft Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2011-08-11] (SUPERAntiSpyware.com)
2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
2 hpsrv; C:\Windows\System32\Hpservice.exe [23040 2008-03-18] (Hewlett-Packard Corporation)
2 IAStorDataMgrSvc; "C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe" [13336 2010-03-03] (Intel Corporation)
3 IDriverT; "C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" [69632 2005-04-03] (Macrovision Corporation)
2 LPDSVC; C:\Windows\System32\lpdsvc.dll [45568 2009-07-13] (Microsoft Corporation)
2 Recovery Service for Windows; C:\Program Files (x86)\SMINST\BLService.exe [365952 2008-12-17] ()
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\STacSV64.exe [247808 2010-03-23] (IDT, Inc.)
2 WDBtnMgrSvc.exe; "C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe" [118272 2008-07-24] (WDC)
2 MSCamSvc; "C:\Program Files\Microsoft LifeCam\MSCamS64.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

3 Accelerometer; C:\Windows\System32\DRIVERS\Accelerometer.sys [40296 2008-03-27] (Hewlett-Packard Corporation)
3 enecir; C:\Windows\System32\DRIVERS\enecir.sys [70656 2009-06-28] (ENE TECHNOLOGY INC.)
3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [34120 2010-02-11] (LogMeIn, Inc.)
0 hpdskflt; C:\Windows\System32\DRIVERS\hpdskflt.sys [26984 2008-03-27] (Hewlett-Packard Corporation)
3 ManyCam; C:\Windows\System32\DRIVERS\ManyCam_x64.sys [27136 2008-03-12] (ManyCam LLC.)
2 RMCAST; C:\Windows\System32\DRIVERS\RMCAST.sys [146432 2010-11-20] (Microsoft Corporation)
3 RTL8169; C:\Windows\System32\DRIVERS\Rtlh64.sys [174592 2008-08-06] (Realtek Corporation )
3 RTSTOR; C:\Windows\System32\drivers\RTSTOR64.SYS [68096 2008-09-19] (Realtek Semiconductor Corp.)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-02-22] (Duplex Secure Ltd.)
1 aghurhie; \??\C:\Windows\system32\drivers\aghurhie.sys [x]
4 eabfiltr; [x]
2 {55662437-DA8C-40c0-AADA-2C816A897A49}; \??\c:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2011-12-31 12:59 - 2011-12-31 13:00 - 0000000 ____D C:\FRST
2011-12-27 04:21 - 2011-12-27 05:37 - 0000000 ____D C:\Windows\System32\MpEngineStore
2011-12-27 04:06 - 2011-12-27 05:38 - 0007442 ____A C:\Windows\WindowsUpdate.log
2011-12-27 04:04 - 2011-12-27 04:04 - 0002030 ____A C:\Windows\setupact.log
2011-12-27 04:04 - 2011-12-27 04:04 - 0000000 ____A C:\Windows\setuperr.log
2011-12-27 03:55 - 2011-12-27 03:58 - 76872384 ____A (Microsoft Corporation) C:\Users\Inhak\Downloads\msert.exe
2011-12-27 03:54 - 2011-12-27 03:55 - 10165440 ____A (Microsoft Corporation) C:\Users\Inhak\Downloads\mseinstall(1).exe
2011-12-27 03:44 - 2011-12-27 03:45 - 0176514 ____A C:\TDSSKiller.2.6.25.0_27.12.2011_06.44.02_log.txt
2011-12-27 03:43 - 2011-12-23 11:52 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Inhak\Desktop\TDSSKiller.exe
2011-12-27 03:43 - 2010-12-31 22:14 - 0002254 ____A C:\Users\Inhak\Desktop\eula.txt
2011-12-27 03:36 - 2011-12-27 03:34 - 1008141 ____A C:\Users\Inhak\Desktop\WiNlOgOn.exe
2011-12-27 03:36 - 2011-12-27 03:34 - 1008141 ____A C:\Users\Inhak\Desktop\uSeRiNiT.exe
2011-12-27 03:36 - 2011-12-27 03:34 - 1008141 ____A C:\Users\Inhak\Desktop\rkill.scr
2011-12-27 03:36 - 2011-12-27 03:34 - 1008141 ____A C:\Users\Inhak\Desktop\iExplore.exe
2011-12-27 03:36 - 2011-12-27 03:34 - 1008141 ____A C:\Users\Inhak\Desktop\eXplorer.exe
2011-12-27 03:36 - 2011-12-12 00:26 - 1008120 ____A C:\Users\Inhak\Desktop\rkill.exe
2011-12-27 03:34 - 2011-12-27 03:34 - 1008141 ____A C:\Users\Inhak\Downloads\rkill.scr
2011-12-27 03:34 - 2011-12-27 03:34 - 1008141 ____A C:\Users\Inhak\Downloads\rkill(1).exe
2011-12-27 03:34 - 2011-12-27 03:34 - 1008141 ____A C:\Users\Inhak\Downloads\iExplore.exe
2011-12-27 03:34 - 2011-12-27 03:34 - 1008141 ____A C:\Users\Inhak\Downloads\eXplorer.exe
2011-12-27 03:33 - 2011-12-27 03:34 - 1008141 ____A C:\Users\Inhak\Downloads\rkill.com
2011-12-27 03:28 - 2011-12-27 03:44 - 0153688 ____A C:\Windows\ntbtlog.txt
2011-12-27 03:23 - 2011-12-27 03:23 - 0584192 ____A (OldTimer Tools) C:\Users\Inhak\Downloads\OTL.exe
2011-12-27 03:16 - 2011-12-27 03:17 - 0156822 ____A C:\TDSSKiller.2.6.25.0_27.12.2011_06.16.28_log.txt
2011-12-27 03:15 - 2011-12-27 03:15 - 1558406 ____A C:\Users\Inhak\Downloads\tdsskiller.zip
2011-12-27 02:36 - 2011-12-27 03:47 - 0000000 ____D C:\Program Files\SUPERAntiSpyware
2011-12-27 02:36 - 2011-12-27 02:36 - 0001808 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2011-12-27 02:36 - 2011-12-27 02:36 - 0000000 ____D C:\Users\Inhak\AppData\Roaming\SUPERAntiSpyware.com
2011-12-27 02:36 - 2011-12-27 02:36 - 0000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2011-12-27 02:36 - 2011-12-27 02:36 - 0000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2011-12-27 02:35 - 2011-12-27 02:36 - 13732320 ____A (SUPERAntiSpyware.com) C:\Users\Inhak\Downloads\SUPERAntiSpyware.exe
2011-12-27 02:05 - 2011-12-27 04:07 - 0000574 ____A C:\rkill.log
2011-12-27 01:59 - 2011-12-27 02:04 - 0006886 __ASH C:\Users\Inhak\AppData\Local\i3prsmyfgk135bhl
2011-12-27 01:59 - 2011-12-27 02:04 - 0006886 __ASH C:\Users\All Users\i3prsmyfgk135bhl
2011-12-27 01:59 - 2011-12-27 02:04 - 0006886 __ASH C:\ProgramData\i3prsmyfgk135bhl
2011-12-27 01:59 - 2011-12-27 01:59 - 0000000 ____D C:\Windows\system64
2011-12-26 22:07 - 2011-12-26 22:07 - 0000000 ____D C:\Users\Inhak\Documents\CC semester 5
2011-12-25 18:09 - 2011-12-25 18:09 - 0000000 ____D C:\Users\Inhak\Documents\GomPlayer
2011-12-25 18:08 - 2011-12-25 20:22 - 0000000 ____D C:\Program Files (x86)\GRETECH
2011-12-25 18:06 - 2011-12-25 18:08 - 7881576 ____A (Gretech Corporation) C:\Users\Inhak\Downloads\GOMPLAYERENSETUP.EXE
2011-12-23 00:56 - 2011-12-27 03:06 - 0000000 ___RD C:\Users\Inhak\Dropbox
2011-12-23 00:56 - 2011-12-23 00:56 - 0001043 ____A C:\Users\Inhak\Desktop\Dropbox.lnk
2011-12-23 00:54 - 2011-12-27 04:06 - 0000000 ____D C:\Users\Inhak\AppData\Roaming\Dropbox
2011-12-23 00:54 - 2011-12-23 00:54 - 0001023 ____A C:\Users\Inhak\Start Menu\Programs\Startup\Dropbox.lnk
2011-12-23 00:54 - 2011-12-23 00:54 - 0001023 ____A C:\Users\Inhak\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
2011-12-23 00:48 - 2011-12-23 00:49 - 15033280 ____A (Dropbox, Inc.) C:\Users\Inhak\Downloads\Dropbox 1.2.49.exe
2011-12-15 21:51 - 2011-12-27 03:05 - 0000000 ____D C:\Users\Inhak\AppData\Local\Spotify
2011-12-15 21:50 - 2011-12-27 04:03 - 0000000 ____D C:\Users\Inhak\AppData\Roaming\Spotify
2011-12-14 22:43 - 2011-12-14 22:43 - 0087502 ____A C:\Users\Inhak\Documents\Resume.pdf
2011-12-14 02:11 - 2011-12-14 02:38 - 0020480 ____A C:\Users\Inhak\Downloads\Resume Research.doc
2011-12-14 00:28 - 2011-12-14 03:50 - 0022528 ____A C:\Users\Inhak\Downloads\Film Resume 2012.doc
2011-12-13 17:09 - 2011-12-13 17:09 - 0981887 ____A C:\Users\Inhak\Downloads\Associate Chapter Test Study Guide.zip
2011-12-13 17:08 - 2011-11-10 22:49 - 12261888 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2011-12-13 17:08 - 2011-11-10 21:40 - 10991104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2011-12-13 17:08 - 2011-11-04 21:41 - 1188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2011-12-13 17:08 - 2011-11-04 21:38 - 9018880 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2011-12-13 17:08 - 2011-11-04 20:35 - 0981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2011-12-13 17:08 - 2011-11-04 20:34 - 1231360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2011-12-13 17:08 - 2011-11-04 20:31 - 5997056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2011-12-13 17:08 - 2011-10-25 21:21 - 0043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2011-12-13 17:07 - 2011-11-23 20:52 - 3145216 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2011-12-13 17:07 - 2011-11-10 22:49 - 0247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2011-12-13 17:07 - 2011-11-10 21:40 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2011-12-13 17:07 - 2011-11-04 21:41 - 1494016 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2011-12-13 17:07 - 2011-11-04 21:41 - 0134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2011-12-13 17:07 - 2011-11-04 21:38 - 0702464 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2011-12-13 17:07 - 2011-11-04 21:38 - 0097280 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2011-12-13 17:07 - 2011-11-04 21:37 - 2454528 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2011-12-13 17:07 - 2011-11-04 21:37 - 0064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2011-12-13 17:07 - 2011-11-04 21:32 - 0002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2011-12-13 17:07 - 2011-11-04 20:34 - 0132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2011-12-13 17:07 - 2011-11-04 20:31 - 0599552 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2011-12-13 17:07 - 2011-11-04 20:31 - 0067072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2011-12-13 17:07 - 2011-11-04 20:30 - 2073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2011-12-13 17:07 - 2011-11-04 20:30 - 0048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2011-12-13 17:07 - 2011-11-04 20:26 - 0002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2011-12-13 17:07 - 2011-11-04 19:32 - 1638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2011-12-13 17:07 - 2011-11-04 18:48 - 1638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2011-12-13 17:07 - 2011-10-14 22:31 - 0723456 ____A (Microsoft Corporation) C:\Windows\System32\EncDec.dll
2011-12-13 17:07 - 2011-10-14 21:38 - 0534528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\EncDec.dll
2011-12-12 22:42 - 2011-12-12 22:44 - 44590735 ____A C:\Users\Inhak\Downloads\ForceMajeure.zip
2011-12-12 00:26 - 2011-12-12 00:26 - 1008120 ____A C:\Users\Inhak\Downloads\rkill.exe

============ 3 Months Modified Files and Folders =============

2011-12-31 13:00 - 2011-12-31 12:59 - 0000000 ____D C:\FRST
2011-12-28 23:10 - 2009-11-02 15:54 - 3145089024 __ASH C:\hiberfil.sys
2011-12-27 05:38 - 2011-12-27 04:06 - 0007442 ____A C:\Windows\WindowsUpdate.log
2011-12-27 05:37 - 2011-12-27 04:21 - 0000000 ____D C:\Windows\System32\MpEngineStore
2011-12-27 05:24 - 2010-02-02 18:21 - 0000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1989861713-1273768066-3040038507-1000UA.job
2011-12-27 04:39 - 2009-09-20 20:29 - 0000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2011-12-27 04:12 - 2009-11-02 14:59 - 0009728 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2011-12-27 04:12 - 2009-11-02 14:59 - 0009728 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2011-12-27 04:08 - 2011-01-30 21:51 - 0002057 ____A C:\Windows\epplauncher.mif
2011-12-27 04:07 - 2011-12-27 02:05 - 0000574 ____A C:\rkill.log
2011-12-27 04:06 - 2011-12-23 00:54 - 0000000 ____D C:\Users\Inhak\AppData\Roaming\Dropbox
2011-12-27 04:06 - 2009-11-02 16:02 - 0000191 ____A C:\Users\All Users\HPWALog.txt
2011-12-27 04:06 - 2009-11-02 16:02 - 0000191 ____A C:\ProgramData\HPWALog.txt
2011-12-27 04:04 - 2011-12-27 04:04 - 0002030 ____A C:\Windows\setupact.log
2011-12-27 04:04 - 2011-12-27 04:04 - 0000000 ____A C:\Windows\setuperr.log
2011-12-27 04:04 - 2009-09-20 20:29 - 0000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2011-12-27 04:04 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2011-12-27 04:03 - 2011-12-15 21:50 - 0000000 ____D C:\Users\Inhak\AppData\Roaming\Spotify
2011-12-27 03:58 - 2011-12-27 03:55 - 76872384 ____A (Microsoft Corporation) C:\Users\Inhak\Downloads\msert.exe
2011-12-27 03:55 - 2011-12-27 03:54 - 10165440 ____A (Microsoft Corporation) C:\Users\Inhak\Downloads\mseinstall(1).exe
2011-12-27 03:47 - 2011-12-27 02:36 - 0000000 ____D C:\Program Files\SUPERAntiSpyware
2011-12-27 03:45 - 2011-12-27 03:44 - 0176514 ____A C:\TDSSKiller.2.6.25.0_27.12.2011_06.44.02_log.txt
2011-12-27 03:44 - 2011-12-27 03:28 - 0153688 ____A C:\Windows\ntbtlog.txt
2011-12-27 03:34 - 2011-12-27 03:36 - 1008141 ____A C:\Users\Inhak\Desktop\WiNlOgOn.exe
2011-12-27 03:34 - 2011-12-27 03:36 - 1008141 ____A C:\Users\Inhak\Desktop\uSeRiNiT.exe
2011-12-27 03:34 - 2011-12-27 03:36 - 1008141 ____A C:\Users\Inhak\Desktop\rkill.scr
2011-12-27 03:34 - 2011-12-27 03:36 - 1008141 ____A C:\Users\Inhak\Desktop\iExplore.exe
2011-12-27 03:34 - 2011-12-27 03:36 - 1008141 ____A C:\Users\Inhak\Desktop\eXplorer.exe
2011-12-27 03:34 - 2011-12-27 03:34 - 1008141 ____A C:\Users\Inhak\Downloads\rkill.scr
2011-12-27 03:34 - 2011-12-27 03:34 - 1008141 ____A C:\Users\Inhak\Downloads\rkill(1).exe
2011-12-27 03:34 - 2011-12-27 03:34 - 1008141 ____A C:\Users\Inhak\Downloads\iExplore.exe
2011-12-27 03:34 - 2011-12-27 03:34 - 1008141 ____A C:\Users\Inhak\Downloads\eXplorer.exe
2011-12-27 03:34 - 2011-12-27 03:33 - 1008141 ____A C:\Users\Inhak\Downloads\rkill.com
2011-12-27 03:23 - 2011-12-27 03:23 - 0584192 ____A (OldTimer Tools) C:\Users\Inhak\Downloads\OTL.exe
2011-12-27 03:20 - 2010-06-01 19:04 - 0000000 ____D C:\Windows\Minidump
2011-12-27 03:17 - 2011-12-27 03:16 - 0156822 ____A C:\TDSSKiller.2.6.25.0_27.12.2011_06.16.28_log.txt
2011-12-27 03:15 - 2011-12-27 03:15 - 1558406 ____A C:\Users\Inhak\Downloads\tdsskiller.zip
2011-12-27 03:06 - 2011-12-23 00:56 - 0000000 ___RD C:\Users\Inhak\Dropbox
2011-12-27 03:05 - 2011-12-15 21:51 - 0000000 ____D C:\Users\Inhak\AppData\Local\Spotify
2011-12-27 02:36 - 2011-12-27 02:36 - 0001808 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2011-12-27 02:36 - 2011-12-27 02:36 - 0000000 ____D C:\Users\Inhak\AppData\Roaming\SUPERAntiSpyware.com
2011-12-27 02:36 - 2011-12-27 02:36 - 0000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2011-12-27 02:36 - 2011-12-27 02:36 - 0000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2011-12-27 02:36 - 2011-12-27 02:35 - 13732320 ____A (SUPERAntiSpyware.com) C:\Users\Inhak\Downloads\SUPERAntiSpyware.exe
2011-12-27 02:04 - 2011-12-27 01:59 - 0006886 __ASH C:\Users\Inhak\AppData\Local\i3prsmyfgk135bhl
2011-12-27 02:04 - 2011-12-27 01:59 - 0006886 __ASH C:\Users\All Users\i3prsmyfgk135bhl
2011-12-27 02:04 - 2011-12-27 01:59 - 0006886 __ASH C:\ProgramData\i3prsmyfgk135bhl
2011-12-27 02:01 - 2009-08-29 07:42 - 0000000 ____D C:\Users\Inhak\AppData\Roaming\Skype
2011-12-27 01:59 - 2011-12-27 01:59 - 0000000 ____D C:\Windows\system64
2011-12-26 22:08 - 2011-06-12 08:17 - 0000000 ____D C:\Users\Inhak\Documents\CC semester 4
2011-12-26 22:07 - 2011-12-26 22:07 - 0000000 ____D C:\Users\Inhak\Documents\CC semester 5
2011-12-26 21:55 - 2010-02-02 18:21 - 0000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1989861713-1273768066-3040038507-1000Core.job
2011-12-26 02:46 - 2011-07-03 12:17 - 0000000 ____D C:\Users\Inhak\Downloads\2. Classical
2011-12-26 02:45 - 2011-07-03 19:39 - 0000000 ____D C:\Users\Inhak\Downloads\songs
2011-12-26 02:16 - 2009-09-08 10:42 - 0000000 ____D C:\Users\Inhak\Documents\Azureus Downloads
2011-12-26 01:44 - 2009-07-13 21:13 - 0735882 ____A C:\Windows\System32\PerfStringBackup.INI
2011-12-25 23:49 - 2010-12-27 21:55 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-25 20:22 - 2011-12-25 18:08 - 0000000 ____D C:\Program Files (x86)\GRETECH
2011-12-25 18:09 - 2011-12-25 18:09 - 0000000 ____D C:\Users\Inhak\Documents\GomPlayer
2011-12-25 18:08 - 2011-12-25 18:06 - 7881576 ____A (Gretech Corporation) C:\Users\Inhak\Downloads\GOMPLAYERENSETUP.EXE
2011-12-24 19:32 - 2011-07-24 05:36 - 0000000 ____D C:\Program Files (x86)\StarCraft II
2011-12-24 19:28 - 2009-10-21 16:41 - 0000000 ____D C:\Program Files (x86)\Steam
2011-12-24 13:04 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\rescache
2011-12-23 11:52 - 2011-12-27 03:43 - 1578288 ____A (Kaspersky Lab ZAO) C:\Users\Inhak\Desktop\TDSSKiller.exe
2011-12-23 00:56 - 2011-12-23 00:56 - 0001043 ____A C:\Users\Inhak\Desktop\Dropbox.lnk
2011-12-23 00:56 - 2009-11-02 15:02 - 0000000 ____D C:\users\Inhak
2011-12-23 00:54 - 2011-12-23 00:54 - 0001023 ____A C:\Users\Inhak\Start Menu\Programs\Startup\Dropbox.lnk
2011-12-23 00:54 - 2011-12-23 00:54 - 0001023 ____A C:\Users\Inhak\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
2011-12-23 00:49 - 2011-12-23 00:48 - 15033280 ____A (Dropbox, Inc.) C:\Users\Inhak\Downloads\Dropbox 1.2.49.exe
2011-12-22 21:34 - 2009-07-13 21:08 - 0032636 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2011-12-21 20:40 - 2009-08-28 19:28 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2011-12-21 19:42 - 2009-09-20 20:31 - 0002344 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2011-12-14 22:43 - 2011-12-14 22:43 - 0087502 ____A C:\Users\Inhak\Documents\Resume.pdf
2011-12-14 03:50 - 2011-12-14 00:28 - 0022528 ____A C:\Users\Inhak\Downloads\Film Resume 2012.doc
2011-12-14 02:38 - 2011-12-14 02:11 - 0020480 ____A C:\Users\Inhak\Downloads\Resume Research.doc
2011-12-14 00:45 - 2009-07-13 20:45 - 0365216 ____A C:\Windows\System32\FNTCACHE.DAT
2011-12-14 00:43 - 2009-08-29 21:33 - 0000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2011-12-14 00:02 - 2009-11-16 10:51 - 54867776 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2011-12-13 17:09 - 2011-12-13 17:09 - 0981887 ____A C:\Users\Inhak\Downloads\Associate Chapter Test Study Guide.zip
2011-12-12 22:44 - 2011-12-12 22:42 - 44590735 ____A C:\Users\Inhak\Downloads\ForceMajeure.zip
2011-12-12 00:26 - 2011-12-27 03:36 - 1008120 ____A C:\Users\Inhak\Desktop\rkill.exe
2011-12-12 00:26 - 2011-12-12 00:26 - 1008120 ____A C:\Users\Inhak\Downloads\rkill.exe
2011-11-25 23:34 - 2011-07-07 16:59 - 0000000 ____D C:\Users\Inhak\Downloads\w. carlos - clockworkorange
2011-11-25 18:06 - 2011-07-27 14:33 - 9372633 ____A C:\Users\Inhak\Downloads\02 Last Friday Night (T.G.I.F.).mp3
2011-11-25 16:35 - 2011-10-18 00:23 - 0000000 ____D C:\Program Files (x86)\Diablo II
2011-11-25 16:27 - 2011-11-25 16:27 - 0026625 ___SH C:\Users\Inhak\Downloads\AlbumArt_{E2EC3652-5B11-4FDD-8C74-5731C75D1EE7}_Large.jpg
2011-11-25 16:27 - 2011-11-25 16:27 - 0005941 ___SH C:\Users\Inhak\Downloads\AlbumArt_{E2EC3652-5B11-4FDD-8C74-5731C75D1EE7}_Small.jpg
2011-11-25 16:26 - 2011-11-25 16:26 - 0013979 ___SH C:\Users\Inhak\Downloads\AlbumArt_{537FA0AF-253F-43B5-A8EB-2016072EF136}_Large.jpg
2011-11-25 16:26 - 2011-11-25 16:26 - 0003130 ___SH C:\Users\Inhak\Downloads\AlbumArt_{537FA0AF-253F-43B5-A8EB-2016072EF136}_Small.jpg
2011-11-25 16:25 - 2011-11-25 16:25 - 0007318 ___SH C:\Users\Inhak\Downloads\AlbumArt_{502B1742-795F-48F9-B36E-F4C59E348192}_Large.jpg
2011-11-25 16:25 - 2011-11-25 16:25 - 0002156 ___SH C:\Users\Inhak\Downloads\AlbumArt_{502B1742-795F-48F9-B36E-F4C59E348192}_Small.jpg
2011-11-24 09:41 - 2011-11-24 09:41 - 0002172 ____A C:\Users\Public\Desktop\Google Earth.lnk
2011-11-24 09:40 - 2009-09-20 20:28 - 0000000 ____D C:\Program Files (x86)\Google
2011-11-24 09:23 - 2009-08-28 19:28 - 0000000 ____D C:\Users\Inhak\AppData\Roaming\Mozilla
2011-11-23 20:52 - 2011-12-13 17:07 - 3145216 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2011-11-23 09:56 - 2011-07-13 09:33 - 0000000 ____D C:\Program Files (x86)\SKT Sync 3.0
2011-11-23 09:50 - 2011-11-23 09:50 - 0000000 ___RD C:\Users\Inhak\Documents\Scanned Documents
2011-11-23 09:50 - 2011-11-23 09:50 - 0000000 ____D C:\Users\Inhak\Documents\Fax
2011-11-23 09:50 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\ModemLogs
2011-11-23 09:40 - 2011-11-23 09:40 - 0000000 ____D C:\divx
2011-11-23 09:03 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\NDF
2011-11-18 07:57 - 2011-11-18 06:14 - 0018154 ____A C:\Users\Inhak\Downloads\il valore della famiglia.odt
2011-11-12 21:14 - 2011-08-21 21:27 - 0000000 ____D C:\Users\Inhak\riotsGamesLogs
2011-11-10 22:49 - 2011-12-13 17:08 - 12261888 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2011-11-10 22:49 - 2011-12-13 17:07 - 0247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2011-11-10 22:49 - 2011-11-10 22:49 - 0108618 ____A C:\Users\Inhak\Downloads\Visitaalmuseo_f11(1).docx
2011-11-10 22:48 - 2011-11-10 22:48 - 0108618 ____A C:\Users\Inhak\Downloads\Visitaalmuseo_f11.docx
2011-11-10 21:40 - 2011-12-13 17:08 - 10991104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2011-11-10 21:40 - 2011-12-13 17:07 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2011-11-10 18:51 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\config\TxR
2011-11-10 18:51 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Common Files\System
2011-11-06 16:25 - 2011-11-06 16:25 - 0032339 ____A C:\Users\Inhak\Downloads\Project Elephant Final.txt
2011-11-04 21:41 - 2011-12-13 17:08 - 1188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2011-11-04 21:41 - 2011-12-13 17:07 - 1494016 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2011-11-04 21:41 - 2011-12-13 17:07 - 0134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2011-11-04 21:38 - 2011-12-13 17:08 - 9018880 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2011-11-04 21:38 - 2011-12-13 17:07 - 0702464 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2011-11-04 21:38 - 2011-12-13 17:07 - 0097280 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2011-11-04 21:37 - 2011-12-13 17:07 - 2454528 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2011-11-04 21:37 - 2011-12-13 17:07 - 0064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2011-11-04 21:32 - 2011-12-13 17:07 - 0002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2011-11-04 20:35 - 2011-12-13 17:08 - 0981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2011-11-04 20:34 - 2011-12-13 17:08 - 1231360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2011-11-04 20:34 - 2011-12-13 17:07 - 0132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2011-11-04 20:31 - 2011-12-13 17:08 - 5997056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2011-11-04 20:31 - 2011-12-13 17:07 - 0599552 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2011-11-04 20:31 - 2011-12-13 17:07 - 0067072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2011-11-04 20:30 - 2011-12-13 17:07 - 2073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2011-11-04 20:30 - 2011-12-13 17:07 - 0048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2011-11-04 20:26 - 2011-12-13 17:07 - 0002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2011-11-04 19:32 - 2011-12-13 17:07 - 1638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2011-11-04 18:48 - 2011-12-13 17:07 - 1638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2011-11-01 22:15 - 2011-11-01 19:27 - 0007327 ____A C:\Users\Inhak\Downloads\Project one.celtx
2011-11-01 19:39 - 2011-11-01 19:39 - 0000000 ____D C:\Program Files (x86)\SecureW2
2011-10-25 21:21 - 2011-12-13 17:08 - 0043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2011-10-20 20:50 - 2011-10-16 19:02 - 0000000 ____D C:\Users\Inhak\AppData\Roaming\Mumble
2011-10-18 00:26 - 2011-10-18 00:25 - 0001089 ____A C:\Users\Public\Desktop\Diablo II - Lord of Destruction.lnk
2011-10-16 20:29 - 2009-11-02 16:02 - 0087968 ____A C:\Users\Inhak\AppData\Local\GDIPFONTCACHEV1.DAT
2011-10-16 20:14 - 2009-12-24 11:08 - 0011497 ____A C:\Users\All Users\hpzinstall.log
2011-10-16 20:14 - 2009-12-24 11:08 - 0011497 ____A C:\ProgramData\hpzinstall.log
2011-10-16 19:08 - 2011-10-16 19:08 - 0002375 ____A C:\Users\Inhak\Documents\MumbleAutomaticCertificateBackup.p12
2011-10-16 19:02 - 2011-10-16 19:02 - 0000000 ____D C:\Users\Inhak\AppData\Local\Mumble
2011-10-16 18:59 - 2011-10-16 18:59 - 0000974 ____A C:\Users\Public\Desktop\Mumble.lnk
2011-10-16 18:59 - 2011-10-16 18:59 - 0000000 ____D C:\Program Files (x86)\Mumble
2011-10-16 18:58 - 2011-10-16 18:58 - 15254016 ____A C:\Users\Inhak\Downloads\mumble-1.2.3.msi
2011-10-16 18:37 - 2011-10-16 18:36 - 2678867 ____A (Blizzard Entertainment) C:\Users\Inhak\Downloads\Downloader_Diablo2_Lord_of_Destruction_enUS.exe
2011-10-15 23:10 - 2011-10-15 23:10 - 2764856 ____A (Blizzard Entertainment) C:\Users\Inhak\Downloads\Downloader_Diablo2_enUS.exe
2011-10-14 22:31 - 2011-12-13 17:07 - 0723456 ____A (Microsoft Corporation) C:\Windows\System32\EncDec.dll
2011-10-14 21:38 - 2011-12-13 17:07 - 0534528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\EncDec.dll
2011-10-14 00:22 - 2009-01-13 08:56 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 3999.19 MB
Available physical RAM: 3432.33 MB
Total Pagefile: 3997.34 MB
Available Pagefile: 3417.38 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:285.05 GB) (Free:60.86 GB) NTFS ==>[Drive with boot components]
2 Drive d: (RECOVERY) (Fixed) (Total:13.04 GB) (Free:2.02 GB) NTFS ==>[Drive with boot components]
5 Drive g: (PATRIOT) (Removable) (Total:1.87 GB) (Free:1.87 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 2048 KB
Disk 1 No Media 0 B 0 B
Disk 2 Online 1912 MB 0 B

Partitions of Disk 0:

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 285 GB 1024 KB
Partition 2 Primary 13 GB 285 GB

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 285 GB Healthy

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D RECOVERY NTFS Partition 13 GB Healthy

==========================================================

Last Boot: 2011-12-24 12:57

======================= End Of Log ==========================

Edited by Jukeboxx, 31 December 2011 - 01:07 PM.


#4 Farbar

Farbar (Just Curious)
  • Security Developer
  • 21,704 posts
  • Gender: Male
  • Location: The Netherlands

Posted 31 December 2011 - 08:38 PM

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt

start
SubSystems: [Windows] ==> ZeroAccess
1 aghurhie; \??\C:\Windows\system32\drivers\aghurhie.sys [x]
2011-12-27 01:59 - 2011-12-27 02:04 - 0006886 __ASH C:\Users\Inhak\AppData\Local\i3prsmyfgk135bhl
2011-12-27 01:59 - 2011-12-27 02:04 - 0006886 __ASH C:\Users\All Users\i3prsmyfgk135bhl
2011-12-27 01:59 - 2011-12-27 02:04 - 0006886 __ASH C:\ProgramData\i3prsmyfgk135bhl
Folder: C:\Windows\system64
end

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also reboot, let it boot normally and tell me how it went.
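As an added example (not part of Farbar's post or of FRST), a read-only PowerShell check for the artifact classes the fixlist above names: the SubSystems "Windows" value, the system64 folder, Hidden+System files in the locations the __ASH entries occupied, and service entries whose driver file is missing. The expected ServerDll set is an assumed Windows 7 default; each finding is a lead to inspect, not a verdict.

```powershell
# Added example, not from the thread or from FRST: read-only checks for the artifact classes the
# fixlist above names. Assumes Windows 7 defaults for the SubSystems value; run from an elevated prompt.
$findings = @()

# 1. SubSystems "Windows" value (the fixlist's "SubSystems: [Windows] ==> ZeroAccess" line).
#    On a clean Windows 7 every ServerDll= token names basesrv, winsrv or sxssrv; anything else
#    means a foreign module is being loaded into csrss.exe.
$subKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$value  = (Get-ItemProperty -LiteralPath $subKey -Name Windows).Windows
foreach ($token in ($value -split '\s+')) {
    if ($token -notlike 'ServerDll=*') { continue }
    $dll = (($token -replace '^ServerDll=', '') -split '[:,]')[0]
    if (@('basesrv', 'winsrv', 'sxssrv') -notcontains $dll) {
        $findings += "SubSystems\Windows loads an unexpected server DLL: $dll"
    }
}

# 2. The folder the fixlist deletes; a system64 directory does not exist on a stock install.
$system64 = Join-Path $env:SystemRoot 'system64'
if (Test-Path -LiteralPath $system64) { $findings += "Unexpected folder: $system64" }

# 3. Files carrying the Hidden+System attribute pair directly under ProgramData and Local AppData,
#    where the fixlist's __ASH entries sat. Names are random per infection, so match on attributes.
foreach ($root in @($env:ProgramData, $env:LOCALAPPDATA)) {
    Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
                       (($_.Attributes -band [IO.FileAttributes]::System) -ne 0) } |
        ForEach-Object { $findings += "Hidden+System file under ${root}: $($_.FullName)" }
}

# 4. Service entries whose driver file is gone (FRST marks these "[x]", as with aghurhie.sys).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $img = (Get-ItemProperty -LiteralPath $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $img -or $img -notmatch '\.sys$') { return }
    $p = $img -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    if (-not (Test-Path -LiteralPath $p)) { $findings += "Service $($_.PSChildName): driver missing at $p" }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```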

#5 Jukeboxx

Jukeboxx (Topic Starter)
  • Members
  • 62 posts

Posted 31 December 2011 - 10:55 PM

I am now on my laptop!!! yay! Thank you! Everything seems to be in order. However, I cannot activate Microsoft Security Essentials or Windows Firewall at all.

The log was too long, so I will attach it as a file.

Edited by Jukeboxx, 31 December 2011 - 11:10 PM.


#6 Farbar

Posted 01 January 2012 - 06:48 AM

Great. :thumbup2:

To submit the log:

#7 Jukeboxx

Posted 05 January 2012 - 03:03 AM

Just wanted to tell you that I sent it.

#8 Farbar

Posted 05 January 2012 - 06:38 AM

Thanks, I received the log.

Is the condition of the computer the same? I ask the question because of the time between the posts.

#9 Jukeboxx

Posted 07 January 2012 - 08:20 AM

Yes, there is one thing that you could help me with... my MSE and windows firewall cannot be turned on for some reason. It gives me some numerical error.

#10 Farbar

Posted 07 January 2012 - 08:25 AM

Let's first check if there is anything left. Then repair the firewall and MSE. Please don't run any other tool and don't change anything on the system until we are done.

Please download Malwarebytes' Anti-Malware from one of these locations:
malwarebytes.org
majorgeeks.com
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Edited by farbar, 07 January 2012 - 08:25 AM.


#11 Jukeboxx

Posted 08 January 2012 - 06:24 AM

MSE works now. I had to reinstall it. But the firewall still doesn't work.

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.08.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Inhak :: INHAK-LAPTOP [administrator]

1/8/2012 6:09:35 AM
mbam-log-2012-01-08 (06-09-35).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 179932
Time elapsed: 9 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#12 Farbar

Posted 08 January 2012 - 10:46 AM

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Check "Windows Firewall".
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#13 Jukeboxx

Posted 13 January 2012 - 11:37 AM

Farbar Service Scanner
Ran by Inhak (administrator) on 13-01-2012 at 11:37:31
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************



Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================


File Check:
========
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#14 Farbar

Posted 14 January 2012 - 08:32 AM

  • Open a notepad (Start > Run and type in Notepad )

    Copy and paste the text in the code box into it.

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc]
    "DisplayName"="@%SystemRoot%\\system32\\FirewallAPI.dll,-23090"
    "Group"="NetworkProvider"
    "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
      74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
      00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
      6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
      00,65,00,4e,00,6f,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,00,00
    "Description"="@%SystemRoot%\\system32\\FirewallAPI.dll,-23091"
    "ObjectName"="NT Authority\\LocalService"
    "ErrorControl"=dword:00000001
    "Start"=dword:00000002
    "Type"=dword:00000020
    "DependOnService"=hex(7):6d,00,70,00,73,00,64,00,72,00,76,00,00,00,62,00,66,00,\
      65,00,00,00,00,00
    "ServiceSidType"=dword:00000003
    "RequiredPrivileges"=hex(7):53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,\
      00,72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,\
      72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,41,00,75,\
      00,64,00,69,00,74,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
      00,00,53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,00,6f,00,74,00,69,\
      00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,\
      53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,00,6c,00,6f,00,62,00,61,\
      00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,\
      65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,\
      00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,\
      6e,00,63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,\
      00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
    "FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
      00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc\Parameters]
    "ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
      00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
      6d,00,70,00,73,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
    "ServiceDllUnloadOnStop"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc\Parameters\PortKeywords]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc\Parameters\PortKeywords\DHCP]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc\Parameters\PortKeywords\IPTLSIn]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc\Parameters\PortKeywords\IPTLSOut]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc\Parameters\PortKeywords\RPC-EPMap]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc\Parameters\PortKeywords\Teredo]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc\Security]
    "Security"=hex:01,00,14,80,b4,00,00,00,c0,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,84,00,05,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
      05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
      20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
      00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,28,00,15,00,\
      00,00,01,06,00,00,00,00,00,05,50,00,00,00,49,59,9d,77,91,56,e5,55,dc,f4,e2,\
      0e,a7,8b,eb,ca,7b,42,13,56,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,\
      00,00,00,05,12,00,00,00
    
    
    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm.
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg successfully added to the registry.
  • Please download RestoreBFE and run it.
    If needed reboot and tell me if the firewall is running.

Edited by farbar, 14 January 2012 - 10:13 AM.
Edited the broken link
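As an added example, not from the thread or from Farbar Service Scanner, a PowerShell script that re-runs the checks the FSS log above reports (key present, Start, Type, ImagePath, ServiceDll, file on disk, running state) for mpsdrv, BFE and MpsSvc, so the result of the .reg import and RestoreBFE can be confirmed. Expected MpsSvc values come from the .reg file in this post; those for BFE and mpsdrv are assumed Windows 7 defaults.

```powershell
# Added example (not from the thread or from Farbar Service Scanner): verify the Windows Firewall
# service stack the way the FSS log above does. Expected values for MpsSvc are taken from the .reg
# file in the post; those for BFE and mpsdrv are assumed Windows 7 defaults. Run from an elevated prompt.
$expected = @{
    'MpsSvc' = @{ Start = 2; Type = 0x20; ServiceDll = '%SystemRoot%\system32\mpssvc.dll' }
    'BFE'    = @{ Start = 2; Type = 0x20; ServiceDll = '%SystemRoot%\System32\bfe.dll' }
    'mpsdrv' = @{ Start = 3; Type = 1;    ServiceDll = $null }   # kernel driver, no ServiceDll
}

function Test-FirewallService {
    param([string]$Name, [hashtable]$Want)
    $problems = @()
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -LiteralPath $key)) {
        # Exactly the state the FSS log shows for MpsSvc and bfe: the whole service key is gone.
        return @("${Name}: service key does not exist")
    }
    # Read the raw (unexpanded) values so the comparison does not depend on %SystemRoot% expansion.
    $k     = Get-Item -LiteralPath $key
    $start = $k.GetValue('Start')
    $type  = $k.GetValue('Type')
    if ($start -ne $Want.Start) { $problems += "${Name}: Start is $start, expected $($Want.Start)" }
    if ($type  -ne $Want.Type)  { $problems += "${Name}: Type is $type, expected $($Want.Type)" }

    $imagePath = $k.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    if (-not $imagePath) { $problems += "${Name}: ImagePath missing" }

    if ($Want.ServiceDll) {
        $pk  = Get-Item -LiteralPath "$key\Parameters" -ErrorAction SilentlyContinue
        $dll = if ($pk) { $pk.GetValue('ServiceDll', $null, 'DoNotExpandEnvironmentNames') } else { $null }
        if ($dll -ne $Want.ServiceDll) { $problems += "${Name}: ServiceDll is '$dll', expected '$($Want.ServiceDll)'" }
        # The DLL the key points at must also exist on disk (the FSS "File Check" section).
        $dllPath = [Environment]::ExpandEnvironmentVariables($Want.ServiceDll)
        if (-not (Test-Path -LiteralPath $dllPath)) { $problems += "${Name}: $dllPath not found" }
    }

    # Finally, is it running? A correct key with a stopped service is still a broken firewall.
    $q = & sc.exe query $Name 2>$null | Out-String
    if ($q -notmatch 'STATE\s*:\s*\d+\s+RUNNING') { $problems += "${Name}: service is not running" }
    return $problems
}

$all = foreach ($name in 'mpsdrv', 'BFE', 'MpsSvc') { Test-FirewallService -Name $name -Want $expected[$name] }
if (-not $all) { 'Windows Firewall service stack looks healthy.' } else { $all }
```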


#15 Jukeboxx

Posted 15 January 2012 - 05:23 PM

Yes firewall is working now.

One more thing; my MSE will not update. How do I fix this problem?



