Vista64 2012 Security Center Malware



#1 thedscman

thedscman

  • Members
  • 6 posts

Posted 03 January 2012 - 10:01 PM

Over the holidays, my neighbor's computer got infected with one of those fake AV programs. They had an expired version of Norton's, so I was able to download and install Microsoft Security Essentials. It would not complete the Security Essentials definitions update until I found the task preventing it from running. Once it was killed, the update finally finished and detected several infections. Going through the Security Essentials recommended actions of removing all the infections, I thought everything was fixed.

After rebooting, as it started loading Vista it gave me a BSOD indicating consrv was missing. I loaded the Vista setup disk and performed an automatic startup fix, to no avail. I then tried to do a system restore. Once again, no results.

Error Message:
STOP: C0000135 {Unable to Locate Component}
This application has failed to start because consrv was not found. Re-installing the application may fix this problem.


I don't want to reinstall, but it appears I'm running out of options. Does someone know how to get past the BSOD? I feel it's a residual registry entry that didn't get cleaned.

Edited by thedscman, 03 January 2012 - 10:08 PM.




#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,920 posts
  • Gender:Female
  • Location:Romania

Posted 07 January 2012 - 08:44 AM

Hello, and sorry for the delay.

Do you have a vista DVD or do you see the Repair Windows option when you tap F8 on boot up?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 thedscman

thedscman
  • Topic Starter

  • Members
  • 6 posts

Posted 18 January 2012 - 11:08 AM

I can get into the repair center and have run the FRST64. I've attached the resultant log file.

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.3.1
Ran by SYSTEM at 2012-01-17 12:37:07
Running from F:\Antivirus
Windows Vista ™ Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [HP Remote Software] C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe [172032 2009-02-06] ()
HKLM\...\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe [333344 2008-08-18] (NVIDIA Corporation)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [16138784 2009-03-08] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [82464 2009-03-08] (NVIDIA Corporation)
HKLM\...\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [915512 2009-03-05] (Hewlett-Packard)
HKLM\...\Run: [MRT] "C:\Windows\system32\MRT.exe" /R [54867776 2011-12-07] (Microsoft Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1436736 2011-06-15] (Microsoft Corporation)
HKLM-x32\...\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75016 2008-12-04] (Hewlett-Packard)
HKLM-x32\...\Run: [UpdateP2GoShortCut] "c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [218408 2008-12-03] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateLBPShortCut] "c:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" [218408 2008-12-03] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePDIRShortCut] "c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0" [218408 2008-12-03] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePSTShortCut] "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" [210216 2009-02-02] (CyberLink Corp.)
HKLM-x32\...\Run: [TSMAgent] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [1328424 2009-04-09] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer for HP TouchSmart] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [185640 2009-04-09] (CyberLink)
HKLM-x32\...\Run: [DVDAgent] "c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [1148200 2009-03-19] (CyberLink Corp.)
HKLM-x32\...\Run: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [Microsoft Default Manager] "c:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [224616 2009-02-06] (Microsoft Corp.)
HKLM-x32\...\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide [2780432 2009-05-08] ()
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [YSearchProtection] "C:\Program Files (x86)\Yahoo!\Search Protection\SearchProtection.exe" [111856 2009-02-23] (Yahoo! Inc)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [248040 2010-02-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-03-17] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [142120 2010-04-28] (Apple Inc.)
HKLM-x32\...\Run: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [623880 2008-11-18] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [MozillaAgent] C:\Windows\Temp\_ex-68.exe [884736 2011-12-21] (K73y9wOQxXQF)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2008-01-20] (Microsoft Corporation)
HKU\Default\...\Run: [HPADVISOR] c:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1644088 2009-04-03] (Hewlett-Packard)
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2008-01-20] (Microsoft Corporation)
HKU\Default User\...\Run: [HPADVISOR] c:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1644088 2009-04-03] (Hewlett-Packard)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 Lavasoft Ad-Aware Service; "C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe" [2152152 2011-12-21] (Lavasoft Limited)
2 LVPrcS64; "C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe" [190488 2009-04-30] (Logitech Inc.)
2 QBCFMonitorService; "C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe" [24576 2009-03-07] (Intuit)
3 QBFCService; "C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe" [61440 2008-11-18] (Intuit Inc.)
3 getPlusHelper; C:\Program Files (x86)\NOS\bin\getPlus_Helper.dll [x]
2 HP Health Check Service; "c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe" [x]
2 LightScribeService; "c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe" [x]
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe" [x]
2 Norton Internet Security; "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 [x]

========================== Drivers (Whitelisted) =============

3 Lavasoft Kernexplorer; \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [17152 2011-12-21] ()
0 Lbd; C:\Windows\System32\DRIVERS\Lbd.sys [69376 2011-12-12] (Lavasoft AB)
3 LVPr2M64; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-04-30] ()
3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-04-30] ()
3 NVENETFD; C:\Windows\System32\DRIVERS\nvmfdx64.sys [1498016 2008-08-01] (NVIDIA Corporation)
0 nvrd64; C:\Windows\System32\drivers\nvrd64.sys [167456 2008-11-12] (NVIDIA Corporation)
3 nvsmu; C:\Windows\System32\DRIVERS\nvsmu.sys [27168 2008-05-22] (NVIDIA Corporation)
0 nvstor64; C:\Windows\System32\drivers\nvstor64.sys [170016 2008-11-12] (NVIDIA Corporation)
1 dmigintt; \??\C:\Windows\system32\drivers\dmigintt.sys [x]
1 ebuzjvlu; \??\C:\Windows\system32\drivers\ebuzjvlu.sys [x]
1 emncgzvi; \??\C:\Windows\system32\drivers\emncgzvi.sys [x]
1 fwqsesxo; \??\C:\Windows\system32\drivers\fwqsesxo.sys [x]
1 imtatlli; \??\C:\Windows\system32\drivers\imtatlli.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
1 jhhgzjoh; \??\C:\Windows\system32\drivers\jhhgzjoh.sys [x]
1 kaazvpra; \??\C:\Windows\system32\drivers\kaazvpra.sys [x]
3 msiserver; C:\Windows\System32\msiexec /V [x]
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081126.003\ENG64.SYS [x]
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081126.003\EX64.SYS [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
1 oarwzgaa; \??\C:\Windows\system32\drivers\oarwzgaa.sys [x]
1 payfknlj; \??\C:\Windows\system32\drivers\payfknlj.sys [x]
3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0; \??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [x]
1 pkgpgddn; \??\C:\Windows\system32\drivers\pkgpgddn.sys [x]
1 rkfpydlz; \??\C:\Windows\system32\drivers\rkfpydlz.sys [x]
1 rvaorqfl; \??\C:\Windows\system32\drivers\rvaorqfl.sys [x]
1 SRTSP; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSP64.SYS [x]
1 SRTSPX; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSPX64.SYS [x]
1 tkjubttd; \??\C:\Windows\system32\drivers\tkjubttd.sys [x]
4 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [x]
1 ufaefiet; \??\C:\Windows\system32\drivers\ufaefiet.sys [x]
1 vlntfaqp; \??\C:\Windows\system32\drivers\vlntfaqp.sys [x]
1 vumuykco; \??\C:\Windows\system32\drivers\vumuykco.sys [x]
1 yhdldodz; \??\C:\Windows\system32\drivers\yhdldodz.sys [x]
1 zhvncfva; \??\C:\Windows\system32\drivers\zhvncfva.sys [x]
1 zstlzron; \??\C:\Windows\system32\drivers\zstlzron.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-01-17 12:36 - 2012-01-17 12:36 - 0000000 ____D C:\FRST
2011-12-21 19:10 - 2011-12-30 10:43 - 0458116 ____A C:\Windows\ntbtlog.txt
2011-12-21 14:04 - 2011-12-21 09:35 - 0055384 ____A (Sunbelt Software) C:\Windows\System32\Drivers\SBREDrv.sys
2011-12-21 14:00 - 2010-10-19 12:51 - 0270720 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2011-12-21 13:46 - 2011-12-21 13:47 - 0068024 ____A C:\TDSSKiller.2.6.23.0_21.12.2011_15.46.58_log.txt
2011-12-21 13:10 - 2011-12-21 13:11 - 0134112 ____A C:\TDSSKiller.2.6.23.0_21.12.2011_15.10.32_log.txt
2011-12-21 13:10 - 2011-12-21 13:10 - 1577264 ____A (Kaspersky Lab ZAO) C:\Users\Parents\Downloads\tdsskiller.exe
2011-12-21 09:18 - 2011-12-21 09:18 - 0721296 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2011-12-21 09:18 - 2011-12-21 09:18 - 0002154 ____A C:\Windows\epplauncher.mif
2011-12-21 09:17 - 2011-12-21 09:18 - 0000000 ____D C:\Program Files\Microsoft Security Client
2011-12-21 09:17 - 2011-12-21 09:17 - 0000000 ____D C:\Program Files (x86)\Microsoft Security Client
2011-12-21 09:03 - 2011-12-21 13:52 - 0000526 ____A C:\rkill.log
2011-12-21 09:02 - 2011-12-21 09:04 - 1008141 ____A C:\Users\Parents\Downloads\eXplorer.exe
2011-12-21 09:00 - 2011-12-21 09:00 - 0000969 ____A C:\Users\Public\Desktop\Ad-Aware.lnk
2011-12-21 09:00 - 2011-12-21 09:00 - 0000969 ____A C:\Users\All Users\Desktop\Ad-Aware.lnk
2011-12-21 09:00 - 2011-12-21 09:00 - 0000000 ____D C:\Users\All Users\Lavasoft
2011-12-21 09:00 - 2011-12-21 09:00 - 0000000 ____D C:\Users\All Users\Application Data\Lavasoft
2011-12-21 09:00 - 2011-12-21 09:00 - 0000000 ____D C:\ProgramData\Lavasoft
2011-12-21 09:00 - 2011-12-21 09:00 - 0000000 ____D C:\Program Files (x86)\Lavasoft
2011-12-21 09:00 - 2011-12-12 08:07 - 0069376 ____A (Lavasoft AB) C:\Windows\System32\Drivers\Lbd.sys
2011-12-21 07:59 - 2011-12-21 07:59 - 2401792 ____A (Microsoft Corporation) C:\Users\Parents\Local Settings\mqx.exe.old
2011-12-21 07:59 - 2011-12-21 07:59 - 2401792 ____A (Microsoft Corporation) C:\Users\Parents\Local Settings\Application Data\mqx.exe.old
2011-12-21 07:59 - 2011-12-21 07:59 - 2401792 ____A (Microsoft Corporation) C:\Users\Parents\AppData\Local\mqx.exe.old
2011-12-21 05:58 - 2011-12-21 05:58 - 0001395 _RASH C:\Windows\System32\Drivers\etc\hosts
2011-12-21 05:58 - 2011-12-21 05:58 - 0000118 ____A C:\Windows\System32\MRT.INI
2011-12-20 21:09 - 2011-12-20 21:09 - 0000000 ____D C:\Windows\system64
2011-12-18 19:41 - 2011-12-18 19:41 - 0081920 __ASH C:\Users\Parents\My Documents\ehthumbs_vista.db
2011-12-18 19:41 - 2011-12-18 19:41 - 0081920 __ASH C:\Users\Parents\Documents\ehthumbs_vista.db

============ 3 Months Modified Files and Folders =============

2012-01-17 12:36 - 2012-01-17 12:36 - 0000000 ____D C:\FRST
2011-12-30 14:12 - 2009-09-01 17:02 - 0000000 ____A C:\Windows\System32\Drivers\lvuvc.hs
2011-12-30 10:43 - 2011-12-21 19:10 - 0458116 ____A C:\Windows\ntbtlog.txt
2011-12-21 18:38 - 2008-01-20 19:26 - 0277974 ____A C:\Windows\PFRO.log
2011-12-21 18:37 - 2009-06-19 01:14 - 2046067 ____A C:\Windows\WindowsUpdate.log
2011-12-21 18:37 - 2006-11-02 07:42 - 0032618 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2011-12-21 18:37 - 2006-11-02 07:42 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2011-12-21 18:37 - 2006-11-02 07:22 - 0003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2011-12-21 18:37 - 2006-11-02 07:22 - 0003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2011-12-21 18:09 - 2011-04-10 09:47 - 0000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2011-12-21 13:52 - 2011-12-21 09:03 - 0000526 ____A C:\rkill.log
2011-12-21 13:47 - 2011-12-21 13:46 - 0068024 ____A C:\TDSSKiller.2.6.23.0_21.12.2011_15.46.58_log.txt
2011-12-21 13:11 - 2011-12-21 13:10 - 0134112 ____A C:\TDSSKiller.2.6.23.0_21.12.2011_15.10.32_log.txt
2011-12-21 13:10 - 2011-12-21 13:10 - 1577264 ____A (Kaspersky Lab ZAO) C:\Users\Parents\Downloads\tdsskiller.exe
2011-12-21 09:35 - 2011-12-21 14:04 - 0055384 ____A (Sunbelt Software) C:\Windows\System32\Drivers\SBREDrv.sys
2011-12-21 09:18 - 2011-12-21 09:18 - 0721296 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2011-12-21 09:18 - 2011-12-21 09:18 - 0002154 ____A C:\Windows\epplauncher.mif
2011-12-21 09:18 - 2011-12-21 09:17 - 0000000 ____D C:\Program Files\Microsoft Security Client
2011-12-21 09:17 - 2011-12-21 09:17 - 0000000 ____D C:\Program Files (x86)\Microsoft Security Client
2011-12-21 09:09 - 2011-04-10 09:47 - 0000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2011-12-21 09:04 - 2011-12-21 09:02 - 1008141 ____A C:\Users\Parents\Downloads\eXplorer.exe
2011-12-21 09:00 - 2011-12-21 09:00 - 0000969 ____A C:\Users\Public\Desktop\Ad-Aware.lnk
2011-12-21 09:00 - 2011-12-21 09:00 - 0000969 ____A C:\Users\All Users\Desktop\Ad-Aware.lnk
2011-12-21 09:00 - 2011-12-21 09:00 - 0000000 ____D C:\Users\All Users\Lavasoft
2011-12-21 09:00 - 2011-12-21 09:00 - 0000000 ____D C:\Users\All Users\Application Data\Lavasoft
2011-12-21 09:00 - 2011-12-21 09:00 - 0000000 ____D C:\ProgramData\Lavasoft
2011-12-21 09:00 - 2011-12-21 09:00 - 0000000 ____D C:\Program Files (x86)\Lavasoft
2011-12-21 07:59 - 2011-12-21 07:59 - 2401792 ____A (Microsoft Corporation) C:\Users\Parents\Local Settings\mqx.exe.old
2011-12-21 07:59 - 2011-12-21 07:59 - 2401792 ____A (Microsoft Corporation) C:\Users\Parents\Local Settings\Application Data\mqx.exe.old
2011-12-21 07:59 - 2011-12-21 07:59 - 2401792 ____A (Microsoft Corporation) C:\Users\Parents\AppData\Local\mqx.exe.old
2011-12-21 05:58 - 2011-12-21 05:58 - 0001395 _RASH C:\Windows\System32\Drivers\etc\hosts
2011-12-21 05:58 - 2011-12-21 05:58 - 0000118 ____A C:\Windows\System32\MRT.INI
2011-12-21 05:58 - 2011-03-30 12:51 - 0000000 __SHD C:\Users\Parents\Application Data\SystemProc
2011-12-21 05:58 - 2011-03-30 12:51 - 0000000 __SHD C:\Users\Parents\AppData\Roaming\SystemProc
2011-12-21 05:53 - 2006-11-02 04:46 - 0703388 ____A C:\Windows\System32\PerfStringBackup.INI
2011-12-20 21:22 - 2009-08-24 16:25 - 0000000 ____D C:\Users\Parents\Local Settings\VirtualStore
2011-12-20 21:22 - 2009-08-24 16:25 - 0000000 ____D C:\Users\Parents\Local Settings\Application Data\VirtualStore
2011-12-20 21:22 - 2009-08-24 16:25 - 0000000 ____D C:\Users\Parents\AppData\Local\VirtualStore
2011-12-20 21:18 - 2011-06-02 11:45 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2011-12-20 21:09 - 2011-12-20 21:09 - 0000000 ____D C:\Windows\system64
2011-12-18 19:41 - 2011-12-18 19:41 - 0081920 __ASH C:\Users\Parents\My Documents\ehthumbs_vista.db
2011-12-18 19:41 - 2011-12-18 19:41 - 0081920 __ASH C:\Users\Parents\Documents\ehthumbs_vista.db
2011-12-17 11:33 - 2009-08-29 11:53 - 0000052 ____A C:\Windows\SysWOW64\DOErrors.log
2011-12-16 05:30 - 2009-08-24 16:30 - 0000342 ____A C:\Windows\Tasks\HPCeeScheduleForParents.job
2011-12-15 01:03 - 2009-09-01 16:35 - 0000000 ____D C:\Users\All Users\Microsoft Help
2011-12-15 01:03 - 2009-09-01 16:35 - 0000000 ____D C:\Users\All Users\Application Data\Microsoft Help
2011-12-15 01:03 - 2009-09-01 16:35 - 0000000 ____D C:\ProgramData\Microsoft Help
2011-12-14 17:11 - 2011-06-02 11:49 - 0002027 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2011-12-14 17:11 - 2011-06-02 11:49 - 0002027 ____A C:\Users\All Users\Desktop\Google Chrome.lnk
2011-12-12 08:07 - 2011-12-21 09:00 - 0069376 ____A (Lavasoft AB) C:\Windows\System32\Drivers\Lbd.sys
2011-12-12 05:36 - 2011-11-11 16:30 - 0012968 ____A C:\Users\Parents\My Documents\BPC note card label.docx
2011-12-12 05:36 - 2011-11-11 16:30 - 0012968 ____A C:\Users\Parents\Documents\BPC note card label.docx
2011-12-09 06:45 - 2011-12-09 05:45 - 0039975 ____A C:\Users\Parents\My Documents\PTO Spreadsheet 11.30.11.xlsx
2011-12-09 06:45 - 2011-12-09 05:45 - 0039975 ____A C:\Users\Parents\Documents\PTO Spreadsheet 11.30.11.xlsx
2011-12-08 16:38 - 2009-09-01 16:03 - 0000000 ____D C:\Users\Parents\My Documents\From Old Computer
2011-12-08 16:38 - 2009-09-01 16:03 - 0000000 ____D C:\Users\Parents\Documents\From Old Computer
2011-12-07 10:26 - 2006-11-02 04:35 - 54867776 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2011-12-06 10:48 - 2011-12-06 10:48 - 0037664 ____A C:\Users\Parents\My Documents\11-12 PTO budget.xls.xlsx
2011-12-06 10:48 - 2011-12-06 10:48 - 0037664 ____A C:\Users\Parents\Documents\11-12 PTO budget.xls.xlsx
2011-12-06 10:47 - 2011-07-27 09:19 - 0037664 ____A C:\Users\Parents\My Documents\11-12 Jills simplfied budget.xlsx
2011-12-06 10:47 - 2011-07-27 09:19 - 0037664 ____A C:\Users\Parents\Documents\11-12 Jills simplfied budget.xlsx
2011-12-06 05:40 - 2011-12-06 05:40 - 0036957 ____A C:\Users\Parents\My Documents\11-12 Jills simplfied budget.pdf
2011-12-06 05:40 - 2011-12-06 05:40 - 0036957 ____A C:\Users\Parents\Documents\11-12 Jills simplfied budget.pdf
2011-12-05 12:42 - 2011-11-07 19:02 - 0000000 ____D C:\Users\All Users\Intuit
2011-12-05 12:42 - 2011-11-07 19:02 - 0000000 ____D C:\Users\All Users\Application Data\Intuit
2011-12-05 12:42 - 2011-11-07 19:02 - 0000000 ____D C:\ProgramData\Intuit
2011-12-05 12:42 - 2006-11-02 07:21 - 0329648 ____A C:\Windows\System32\FNTCACHE.DAT
2011-12-02 15:40 - 2010-04-02 11:58 - 0000000 ____D C:\Users\Parents\Desktop\MY PICTURES
2011-12-01 18:22 - 2011-10-01 11:38 - 0336303 ____A C:\Users\Parents\My Documents\PTO Deposit Log.xlsx
2011-12-01 18:22 - 2011-10-01 11:38 - 0336303 ____A C:\Users\Parents\Documents\PTO Deposit Log.xlsx
2011-11-30 11:42 - 2009-08-24 16:58 - 0000552 ____A C:\Windows\Tasks\PCDRScheduledMaintenance.job
2011-11-30 08:00 - 2009-09-01 17:02 - 0022213 ____A C:\Windows\System32\lvcoinst.log
2011-11-29 17:47 - 2011-04-10 09:47 - 0000000 ____D C:\Users\Parents\Local Settings\Google
2011-11-29 17:47 - 2011-04-10 09:47 - 0000000 ____D C:\Users\Parents\Local Settings\Application Data\Google
2011-11-29 17:47 - 2011-04-10 09:47 - 0000000 ____D C:\Users\Parents\AppData\Local\Google
2011-11-27 17:44 - 2011-10-30 17:01 - 0010291 ____A C:\Users\Parents\My Documents\Matthew.docx
2011-11-27 17:44 - 2011-10-30 17:01 - 0010291 ____A C:\Users\Parents\Documents\Matthew.docx
2011-11-12 14:22 - 2009-09-04 13:31 - 0018944 ____A C:\Users\Parents\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini.old
2011-11-12 14:22 - 2009-09-04 13:31 - 0018944 ____A C:\Users\Parents\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini.old
2011-11-12 14:22 - 2009-09-04 13:31 - 0018944 ____A C:\Users\Parents\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini.old
2011-11-11 08:36 - 2011-11-11 08:18 - 0039970 ____A C:\Users\Parents\My Documents\11-12 Spreadsheet 10.31.11.xlsx
2011-11-11 08:36 - 2011-11-11 08:18 - 0039970 ____A C:\Users\Parents\Documents\11-12 Spreadsheet 10.31.11.xlsx
2011-11-07 19:15 - 2009-08-24 16:25 - 0000000 ____D C:\users\Parents
2011-11-07 19:08 - 2011-11-07 19:08 - 0000000 ____D C:\Users\Parents\Local Settings\Intuit
2011-11-07 19:08 - 2011-11-07 19:08 - 0000000 ____D C:\Users\Parents\Local Settings\Application Data\Intuit
2011-11-07 19:08 - 2011-11-07 19:08 - 0000000 ____D C:\Users\Parents\AppData\Local\Intuit
2011-11-07 19:08 - 2009-08-24 16:29 - 0082056 ____A C:\Users\Parents\Local Settings\GDIPFONTCACHEV1.DAT
2011-11-07 19:08 - 2009-08-24 16:29 - 0082056 ____A C:\Users\Parents\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2011-11-07 19:08 - 2009-08-24 16:29 - 0082056 ____A C:\Users\Parents\AppData\Local\GDIPFONTCACHEV1.DAT
2011-11-07 19:06 - 2011-11-07 19:06 - 0002335 ____A C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
2011-11-07 19:06 - 2011-11-07 19:06 - 0002020 ____A C:\Users\Public\Desktop\QuickBooks Pro 2009.lnk
2011-11-07 19:06 - 2011-11-07 19:06 - 0002020 ____A C:\Users\All Users\Desktop\QuickBooks Pro 2009.lnk
2011-11-07 19:06 - 2011-11-07 18:58 - 0000095 ____A C:\Windows\QBChanUtil_Trigger.ini
2011-11-07 19:02 - 2011-11-07 19:02 - 0000000 ____D C:\Users\Public\Documents\Intuit
2011-11-07 19:02 - 2011-11-07 19:02 - 0000000 ____D C:\Users\All Users\Documents\Intuit
2011-11-07 19:02 - 2011-11-07 19:02 - 0000000 ____D C:\Program Files (x86)\Intuit
2011-11-07 18:58 - 2011-11-07 18:58 - 0000000 ____D C:\Users\All Users\SQL Anywhere 10
2011-11-07 18:58 - 2011-11-07 18:58 - 0000000 ____D C:\Users\All Users\Application Data\SQL Anywhere 10
2011-11-07 18:58 - 2011-11-07 18:58 - 0000000 ____D C:\ProgramData\SQL Anywhere 10
2011-11-05 10:30 - 2009-05-09 04:28 - 0000000 ____D C:\Users\All Users\WildTangent
2011-11-05 10:30 - 2009-05-09 04:28 - 0000000 ____D C:\Users\All Users\Application Data\WildTangent
2011-11-05 10:30 - 2009-05-09 04:28 - 0000000 ____D C:\ProgramData\WildTangent
2011-10-29 12:22 - 2011-10-29 12:22 - 0813492 ____A C:\Users\Parents\My Documents\shiloh book report.docx
2011-10-29 12:22 - 2011-10-29 12:22 - 0813492 ____A C:\Users\Parents\Documents\shiloh book report.docx
2011-10-27 16:05 - 2011-10-27 16:05 - 0041133 ____A C:\Users\Parents\My Documents\HDR Matthew.JPG
2011-10-27 16:05 - 2011-10-27 16:05 - 0041133 ____A C:\Users\Parents\Documents\HDR Matthew.JPG
2011-10-23 19:03 - 2009-05-09 04:36 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0406016 ____A (Microsoft Corporation) 856491FCED98093D824B9EB2892F564A

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 10%
Total physical RAM: 7934.31 MB
Available physical RAM: 7064.21 MB
Total Pagefile: 7462.12 MB
Available Pagefile: 7035.82 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (HP) (Fixed) (Total:684.77 GB) (Free:520.26 GB) NTFS ==>[Drive with boot components]
2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:13.87 GB) (Free:1.96 GB) NTFS
4 Drive f: () (Removable) (Total:14.92 GB) (Free:0.44 GB) FAT32
5 Drive g: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
10 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 699 GB 0 B
Disk 1 Online 15 GB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 685 GB 32 KB
Partition 2 Primary 14 GB 685 GB

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C HP NTFS Partition 685 GB Healthy

Disk: 0
Partition 2
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D FACTORY_IMA NTFS Partition 14 GB Healthy

==========================================================

Last Boot: 2011-12-21 06:29

======================= End Of Log ==========================

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,920 posts
  • Gender:Female
  • Location:Romania

Posted 18 January 2012 - 12:14 PM

Hi again, that shows the problem. The following script should fix the infected registry entry.


Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt


SubSystems: [Windows] ==> ZeroAccess

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

regards, Elise


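As an added example (not code from this thread, from FRST or from BleepingComputer), here is a short Python script that parses the Session Manager SubSystems\Windows value the fix above restores and flags any ServerDll module that is not basesrv or winsrv. csrss.exe loads every ServerDll listed in that value at boot, which is why a bad entry whose DLL has since been deleted produces STOP c0000135 before the desktop ever appears. The value strings in the script are constructed: the clean one is the stock Vista/7 layout as I recall it (compare it with a known-good machine of the same OS version before trusting it), and the hijacked one has consrv in place of winsrv on the console-server entry, matching the "consrv was not found" message in the first post.

```python
"""Offline check of the Session Manager SubSystems\\Windows value for a
ZeroAccess-style ServerDll hijack. Added example; sample values are constructed."""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Only these two modules belong in the Windows subsystem loader list on Vista/7.
EXPECTED_MODULES = {"basesrv", "winsrv"}
# Init routines that live in winsrv on Vista/7 (assumption used by restore_value).
WINSRV_INITS = {"UserServerDllInitialization", "ConServerDllInitialization"}

# ServerDll=module[:init],index
SERVER_DLL_RE = re.compile(r"ServerDll=([^:,\s]+)(?::([^,\s]+))?,(\d+)")

# Constructed sample values (assumed stock Vista x64 layout; verify on a clean box).
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    r"SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    r"ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    r"ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
)
HIJACKED_VALUE = CLEAN_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)


@dataclass
class ServerDll:
    module: str          # DLL name csrss will load, lower-cased
    init: Optional[str]  # entry point, None means the DLL's default
    index: int           # server index csrss assigns to the DLL


def parse_server_dlls(value: str) -> List[ServerDll]:
    """Pull every ServerDll=module[:init],index token out of the value string."""
    return [
        ServerDll(m.group(1).lower(), m.group(2), int(m.group(3)))
        for m in SERVER_DLL_RE.finditer(value)
    ]


def find_hijacked_modules(value: str) -> List[str]:
    """Names of ServerDll modules that are not the expected ones (empty if clean)."""
    return sorted({d.module for d in parse_server_dlls(value)
                   if d.module not in EXPECTED_MODULES})


def restore_value(value: str) -> Tuple[str, List[str]]:
    """Point hijacked entries back at winsrv when the init routine shows that is where
    they came from; anything else is left alone and returned for manual review."""
    def fix(m) -> str:
        module, init, index = m.group(1), m.group(2), m.group(3)
        if module.lower() not in EXPECTED_MODULES and init in WINSRV_INITS:
            return f"ServerDll=winsrv:{init},{index}"
        return m.group(0)
    fixed = SERVER_DLL_RE.sub(fix, value)
    return fixed, find_hijacked_modules(fixed)


def read_live_value() -> str:
    """Read the value from the running system's registry (Windows only, read-only)."""
    import winreg  # local import so the module loads on non-Windows hosts
    path = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, _ = winreg.QueryValueEx(key, "Windows")
    return value


if __name__ == "__main__":
    value = read_live_value() if sys.platform == "win32" else HIJACKED_VALUE
    bad = find_hijacked_modules(value)
    if not bad:
        print("SubSystems\\Windows looks clean")
    else:
        print("unexpected ServerDll module(s):", ", ".join(bad))
        fixed, leftover = restore_value(value)
        print("proposed value:", fixed)
        if leftover:
            print("could not attribute, review by hand:", ", ".join(leftover))
```

On a machine that still boots, run it as administrator and it reads the live key; from System Recovery Options the SYSTEM hive is offline, so either load it with reg load and point the script at it, or let FRST handle the repair as Elise did above. The script only reads and reports; a wrong value written to this key leaves the machine unbootable, so any correction should be checked against the clean value before it is applied.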


#5 thedscman

thedscman
  • Topic Starter

  • Members
  • 6 posts

Posted 18 January 2012 - 05:56 PM

Woot back in business... I was able to get back into Vista. I still can't update Security Essentials as it hangs during the search phase. I was able to get a scan based on the Dec 21 definitions and it found a couple of things that were removed.

Fixlog.txt

Fix result of Farbars's Recovery Tool (FRST written by farbar Version 2.3.1)
Ran by SYSTEM at 2012-01-18 14:44:53 R:1
Running from F:\Antivirus

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.

==== End of Fixlog ====

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,920 posts
  • Gender:Female
  • Location:Romania

Posted 19 January 2012 - 01:50 AM

Next lets see what else is hiding there. :)

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise




#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,920 posts
  • Gender:Female
  • Location:Romania

Posted 26 January 2012 - 05:07 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise



