Security Shield Infection Leads To Stop 0xc000021a


5 replies to this topic

#1 Rose In RoseBear


Posted 02 March 2012 - 06:40 AM

Gentlebeings:

My HP portable running Vista Home Premium was infected by Security Shield. As I was trying to exit all my open windows, I got a blue screen with stop 0xc000021a.

I would gather the information you requested, but the system won't boot to Safe Mode with Networking, or even to plain old Safe Mode.

I have a bootable Vista Home Premium CD, and have, in fact, booted to it. I am currently on the Install Windows screen. Should I try a system repair (to deal with the stop code) before I attempt to remove Security Shield using the given instructions? Or would another course of action be best?

Thank you all in advance for your kind support and generous patience!

Rose



#2 Aaflac (Malware Response Team)

Posted 02 March 2012 - 03:07 PM

Welcome to the forum, Rose in RoseBear!

Let's see if we can get a hold of the infected computer...

You will need a USB flash/pen drive and access to a clean computer for the procedure outlined below.

Also, you may want to print these instructions for easier access to them.

Now, if the system is 64-bit, download Farbar Recovery Scan Tool x64.
Save the program to the USB flash/pen drive.

For 32-bit systems, download Farbar Recovery Scan Tool.
Save the program to the USB flash drive.

Next, plug the flash drive into the infected computer.

To enter System Recovery Options using the Windows Vista Installation Disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click: Next
  • Select the Operating System you want to repair, and then click: Next
  • Select your user account and click: Next

On the System Recovery Options menu you get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool (Scan your computer's memory for errors.)
  • Command Prompt

  • Select Command Prompt
  • In the Command window, at the blinking cursor type notepad and press: Enter
  • In Notepad, under the File menu select: Open
  • Double-click Computer, find the flash drive letter, remember what letter it is, click on it, and press: Open
  • Close out of Notepad.
  • Click the Command window.
  • For 64-bit Vista version, type g:\frst64.exe (for 32-bit Vista version, use: g:\frst.exe), and press: Enter
    Note: Replace the drive letter g with the drive letter of your flash drive!
  • The tool will start and prepare to run. Follow the prompts.
  • Click Yes to the disclaimer.
  • Press the Scan button.
  • The program saves the FRST.txt on the flash drive.
  • Click the Command prompt window, type exit, and press: Enter
  • Back at the System Recovery Options, press: ShutDown
Please remove the USB flash drive from the infected computer, plug it into the clean computer, and copy/paste the FRST.txt in your reply.

Old duck...


#3 Rose In RoseBear


Posted 03 March 2012 - 01:58 AM

Task completed:

Scan result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 01-03-2012
Ran by SYSTEM at 03-03-2012 00:47:07
Running from G:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1049896 2008-04-17] (Synaptics, Inc.)
HKLM\...\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0" [222504 2007-12-24] (CyberLink Corp.)
HKLM\...\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" [468264 2008-06-11] (CyberLink Corp.)
HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [202032 2008-03-14] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [80896 2007-08-22] (Hewlett-Packard)
HKLM\...\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [70912 2008-04-15] (Hewlett-Packard)
HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
HKLM\...\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [488752 2008-04-15] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1318816 2011-11-22] (McAfee, Inc.)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13797920 2009-07-23] (NVIDIA Corporation)
HKLM\...\Run: [Bart Station] C:\Program Files\EarthLink\ISP\ISP8230\BIN\PPCOLink.exe -STATION [25920 2009-10-02] ()
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421160 2011-03-07] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Marsha Jackson\...\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2289664 2008-02-26] (Hewlett-Packard Company)
HKU\Marsha Jackson\...\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2144088 2009-01-26] (Safer Networking Limited)
HKU\Marsha Jackson\...\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp [50528 2007-12-19] (AOL LLC)
HKU\Marsha Jackson\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-05-16] (Google Inc.)
HKU\Marsha Jackson\...\Run: [SmAudio] C:\Program Files\Conexant\SmartAudio\SmAudio.exe -c [2685496 2008-05-29] (Conexant)
HKU\Marsha Jackson\...\Run: [L08AXLRD_28412399] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" -m [351000 2007-05-21] (Microsoft Corporation)
HKU\Marsha Jackson\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKLM\...\Runonce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

================================ Services (Whitelisted) ==================

2 AcfXAudioService; C:\Windows\system32\ACFXAU32.dll [410624 2011-11-08] (Conexant Systems, Inc.)
3 GameConsoleService; "C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe" [181784 2007-12-04] (WildTangent, Inc.)
3 GoogleDesktopManager-061008-081103; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [29744 2008-12-15] (Google)
2 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [135664 2010-04-29] (Google Inc.)
3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [135664 2010-04-29] (Google Inc.)
2 McAfee SiteAdvisor Service; "C:\Program Files\McAfee\SiteAdvisor\McSACore.exe" [95200 2012-01-13] (McAfee, Inc.)
3 McComponentHostService; "C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
3 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [361712 2011-03-17] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [166288 2011-12-06] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [160608 2011-12-06] (McAfee, Inc.)
2 mfevtp; "C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe" [150856 2011-12-06] (McAfee, Inc.)
3 Microsoft SharePoint Workspace Audit Service; "C:\Program Files\Microsoft Office\Office14\GROOVE.EXE" /auditservice [31125880 2011-06-12] (Microsoft Corporation)
4 msvsmon90; "C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon90 [3004416 2007-11-07] (Microsoft Corporation)
4 NetMsmqActivator; "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" -NetMsmqActivator [124240 2010-03-18] (Microsoft Corporation)
4 NetPipeActivator; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)
4 NetTcpActivator; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)
4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)
2 Recovery Service for Windows; C:\Windows\SMINST\BLService.exe [361808 2008-04-26] ()
2 RichVideo; "C:\Program Files\CyberLink\Shared Files\RichVideo.exe" [272024 2007-01-09] ()
2 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
2 Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [24652 2007-01-04] (Viewpoint Corporation)
2 HP Health Check Service; "c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [x]
2 MSSQL$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [x]
4 MSSQLServerADHelper100; "c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [x]
4 SQLAgent$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [x]
2 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]

========================== Drivers (Whitelisted) =============

3 acfva; C:\Windows\System32\DRIVERS\ACFVA32.sys [87424 2011-11-08] (Conexant Systems Inc.)
0 AFS; C:\Windows\System32\Drivers\AFS.sys [79052 2008-12-15] (Oak Technology Inc.)
3 BCM43XV; C:\Windows\System32\DRIVERS\bcmwl6.sys [464384 2006-11-01] (Broadcom Corporation)
3 cfwids; C:\Windows\System32\drivers\cfwids.sys [57600 2011-10-15] (McAfee, Inc.)
3 dgcfltr; C:\Windows\System32\DRIVERS\ACFDCP32.sys [28928 2011-11-08] (Conexant Systems, Inc.)
3 HSFHWAZL; C:\Windows\System32\DRIVERS\VSTAZL3.SYS [200704 2008-01-20] (Conexant Systems, Inc.)
2 mdmxsdk; C:\Windows\System32\DRIVERS\ACFSDK32.sys [12672 2011-11-08] (Conexant)
3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [121256 2011-10-15] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [180816 2011-10-15] (McAfee, Inc.)
3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [59456 2011-10-15] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [338176 2011-10-15] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [464176 2011-10-15] (McAfee, Inc.)
1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [64880 2011-10-15] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [87656 2011-10-15] (McAfee, Inc.)
1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [165680 2011-10-15] (McAfee, Inc.)
0 Mraid35x; C:\Windows\System32\drivers\mraid35x.sys [33384 2006-11-02] (LSI Logic Corporation)
3 NVHDA; C:\Windows\System32\drivers\nvhda32v.sys [43040 2008-05-09] (NVIDIA Corporation)
3 nvsmu; C:\Windows\System32\DRIVERS\nvsmu.sys [14848 2008-04-24] (NVIDIA Corporation)
3 OA004Ufd; C:\Windows\System32\DRIVERS\OA004Ufd.sys [144672 2008-06-03] (Creative Technology Ltd.)
3 OA004Vid; C:\Windows\System32\DRIVERS\OA004Vid.sys [269760 2008-07-17] (Creative Technology Ltd.)
4 RsFx0103; C:\Windows\System32\DRIVERS\RsFx0103.sys [239336 2009-03-30] (Microsoft Corporation)
3 RTSTOR; C:\Windows\System32\drivers\RTSTOR.SYS [62464 2008-06-05] (Realtek Semiconductor Corp.)
0 SiSRaid2; C:\Windows\System32\drivers\sisraid2.sys [41016 2008-01-20] (Microsoft Corporation)
0 UlSata; C:\Windows\System32\drivers\ulsata.sys [98408 2006-11-02] (Promise Technology, Inc.)
0 ulsata2; C:\Windows\System32\drivers\ulsata2.sys [115816 2008-01-20] (Promise Technology, Inc.)
3 VSPerfDrv100; \??\C:\Program Files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [54144 2011-01-18] (Microsoft Corporation)
2 XAudio; C:\Windows\System32\DRIVERS\ACFXAU32.sys [8704 2011-11-08] (Conexant Systems, Inc.)
1 eabfiltr; [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 mfeavfk01; [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-03-03 00:46 - 2012-03-03 00:46 - 0000000 ____D C:\FRST
2012-03-02 22:35 - 2012-03-02 22:36 - 0133784 ____A C:\Windows\Minidump\Mini030312-01.dmp
2012-03-02 22:33 - 2012-03-02 22:39 - 2951106560 __ASH C:\hiberfil.sys
2012-02-02 16:12 - 2012-02-02 16:12 - 0000000 ____D C:\Users\All Users\VS
2012-02-02 16:12 - 2012-02-02 16:12 - 0000000 ____D C:\ProgramData\VS
2012-02-02 16:04 - 2012-02-02 16:04 - 0001972 ____A C:\Windows\IE9_main.log
2012-02-02 14:39 - 2011-11-23 05:37 - 2043904 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-02-02 14:39 - 2011-10-27 00:01 - 3602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-02-02 14:39 - 2011-10-27 00:01 - 3550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-02-02 14:39 - 2011-10-25 07:56 - 0049152 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2012-02-02 14:39 - 2011-03-03 07:40 - 0028672 ____A (Microsoft Corporation) C:\Windows\System32\Apphlpdm.dll
2012-02-02 14:39 - 2011-03-03 05:35 - 4240384 ____A (Microsoft) C:\Windows\System32\GameUXLegacyGDFs.dll
2012-02-02 14:38 - 2011-11-25 07:59 - 0376320 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2012-02-02 14:38 - 2011-11-18 12:23 - 1205064 ____A (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2012-02-02 14:38 - 2011-11-18 09:47 - 0066560 ____A (Microsoft Corporation) C:\Windows\System32\packager.dll
2012-02-02 14:38 - 2011-11-16 22:48 - 0440192 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-02-02 14:38 - 2011-11-16 08:23 - 0377344 ____A (Microsoft Corporation) C:\Windows\System32\winhttp.dll
2012-02-02 14:38 - 2011-11-16 08:23 - 0278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-02-02 14:38 - 2011-11-16 08:23 - 0072704 ____A (Microsoft Corporation) C:\Windows\System32\secur32.dll
2012-02-02 14:38 - 2011-11-16 08:21 - 1259008 ____A (Microsoft Corporation) C:\Windows\System32\lsasrv.dll
2012-02-02 14:38 - 2011-11-16 06:12 - 0009728 ____A (Microsoft Corporation) C:\Windows\System32\lsass.exe
2012-02-02 14:38 - 2011-10-25 07:58 - 1314816 ____A (Microsoft Corporation) C:\Windows\System32\quartz.dll
2012-02-02 14:38 - 2011-10-25 07:58 - 0497152 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-02-02 14:38 - 2011-10-17 22:18 - 0726528 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-02-02 14:38 - 2011-10-14 08:03 - 0189952 ____A (Microsoft Corporation) C:\Windows\System32\winmm.dll
2012-02-02 14:38 - 2011-10-14 08:02 - 0429056 ____A (Microsoft Corporation) C:\Windows\System32\EncDec.dll
2012-02-02 14:38 - 2011-10-14 08:00 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\mciseq.dll
2012-02-02 14:38 - 2011-09-20 13:02 - 0905088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-02-02 14:37 - 2011-11-02 22:22 - 0916992 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-02-02 14:37 - 2011-11-02 22:21 - 1212416 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-02-02 14:37 - 2011-11-02 22:17 - 2000384 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-02-02 14:37 - 2011-11-02 22:17 - 0025600 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-02-02 14:36 - 2011-11-02 22:21 - 0105984 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-02-02 14:36 - 2011-11-02 22:18 - 5978112 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-02-02 14:36 - 2011-11-02 22:18 - 0611840 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll
2012-02-02 14:36 - 2011-11-02 22:18 - 0602112 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-02-02 14:36 - 2011-11-02 22:17 - 1469440 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-02-02 14:36 - 2011-11-02 22:17 - 11081728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-02-02 14:36 - 2011-11-02 22:17 - 0387584 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-02-02 14:36 - 2011-11-02 21:22 - 0385024 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-02-02 14:35 - 2011-11-08 06:42 - 0002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-02-02 14:35 - 2011-11-02 22:20 - 0206848 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-02-02 14:35 - 2011-11-02 22:18 - 0066560 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-02-02 14:35 - 2011-11-02 22:18 - 0055296 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-02-02 14:35 - 2011-11-02 22:17 - 0184320 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-02-02 14:35 - 2011-11-02 22:17 - 0164352 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-02-02 14:35 - 2011-11-02 22:17 - 0109056 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2012-02-02 14:35 - 2011-11-02 22:17 - 0071680 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2012-02-02 14:35 - 2011-11-02 22:17 - 0055808 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2012-02-02 14:35 - 2011-11-02 22:17 - 0043520 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-02-02 14:35 - 2011-11-02 20:45 - 0174080 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-02-02 14:35 - 2011-11-02 20:45 - 0133632 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-02-02 14:35 - 2011-11-02 20:44 - 0013312 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-02-02 14:35 - 2011-11-02 20:43 - 1638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-02-02 13:50 - 2012-02-02 14:14 - 0001778 ____A C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk

============ 3 Months Modified Files and Folders ===============

2012-03-03 00:46 - 2012-03-03 00:46 - 0000000 ____D C:\FRST
2012-03-03 00:32 - 2011-10-09 22:33 - 0000000 ____D C:\Users\All Users\McAfee Security Scan
2012-03-03 00:32 - 2011-10-09 22:33 - 0000000 ____D C:\ProgramData\McAfee Security Scan
2012-03-03 00:32 - 2008-12-14 19:57 - 0000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-03-03 00:32 - 2008-12-14 19:57 - 0000000 ____D C:\ProgramData\Spybot - Search & Destroy
2012-03-03 00:32 - 2008-12-14 17:35 - 0000000 ____D C:\users\Marsha Jackson
2012-03-03 00:32 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\spool
2012-03-03 00:32 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\Msdtc
2012-03-03 00:32 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\registration
2012-03-03 00:32 - 2006-11-02 02:22 - 102236160 ____A C:\Windows\System32\config\software_previous
2012-03-03 00:29 - 2006-11-02 02:22 - 25427968 ____A C:\Windows\System32\config\system_previous
2012-03-03 00:28 - 2006-11-02 02:22 - 4456448 ____A C:\Windows\System32\config\default_previous
2012-03-03 00:28 - 2006-11-02 02:22 - 38535168 ____A C:\Windows\System32\config\components_previous
2012-03-03 00:28 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\security_previous
2012-03-03 00:28 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\sam_previous
2012-03-02 22:40 - 2008-12-14 19:08 - 0096582 ____A C:\Users\All Users\nvModes.001
2012-03-02 22:40 - 2008-12-14 19:08 - 0096582 ____A C:\ProgramData\nvModes.001
2012-03-02 22:40 - 2006-11-02 05:01 - 0032534 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-03-02 22:40 - 2006-11-02 05:01 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-03-02 22:40 - 2006-11-02 04:47 - 0003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-03-02 22:40 - 2006-11-02 04:47 - 0003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-03-02 22:39 - 2012-03-02 22:33 - 2951106560 __ASH C:\hiberfil.sys
2012-03-02 22:36 - 2012-03-02 22:35 - 0133784 ____A C:\Windows\Minidump\Mini030312-01.dmp
2012-03-02 22:35 - 2012-01-21 03:24 - 0000000 ____D C:\Windows\Minidump
2012-03-02 22:33 - 2012-01-21 03:23 - 125721225 ____A C:\Windows\MEMORY.DMP
2012-03-02 22:33 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\config\TxR
2012-02-28 22:22 - 2008-01-20 18:47 - 0203504 ____A C:\Windows\PFRO.log
2012-02-28 22:17 - 2008-12-14 18:49 - 0096582 ____A C:\Users\All Users\nvModes.dat
2012-02-28 22:17 - 2008-12-14 18:49 - 0096582 ____A C:\ProgramData\nvModes.dat
2012-02-28 20:17 - 2008-09-29 07:07 - 1957580 ____A C:\Windows\WindowsUpdate.log
2012-02-22 21:54 - 2008-12-14 21:08 - 0000000 ____D C:\Program Files\Mozilla Firefox
2012-02-03 02:58 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\Microsoft.NET
2012-02-03 02:57 - 2010-04-29 11:20 - 0000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-02-03 02:46 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\rescache
2012-02-03 02:23 - 2006-11-02 04:47 - 1221408 ____A C:\Windows\System32\FNTCACHE.DAT
2012-02-02 18:24 - 2008-08-04 10:13 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-02-02 18:24 - 2008-08-04 10:13 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-02-02 17:57 - 2011-02-11 22:23 - 0000000 ____D C:\Program Files\Microsoft Visual Studio 10.0
2012-02-02 17:04 - 2008-12-27 21:52 - 0000000 ____D C:\Program Files\Common Files\Merge Modules
2012-02-02 17:00 - 2006-11-02 03:18 - 0000000 ____D C:\Program Files\Common Files\microsoft shared
2012-02-02 16:13 - 2008-12-27 21:52 - 0000000 ____D C:\Program Files\Microsoft SDKs
2012-02-02 16:12 - 2012-02-02 16:12 - 0000000 ____D C:\Users\All Users\VS
2012-02-02 16:12 - 2012-02-02 16:12 - 0000000 ____D C:\ProgramData\VS
2012-02-02 16:04 - 2012-02-02 16:04 - 0001972 ____A C:\Windows\IE9_main.log
2012-02-02 16:02 - 2011-02-12 03:31 - 0000039 ____A C:\Windows\vbaddin.ini
2012-02-02 15:48 - 2006-11-02 03:18 - 0000000 ____D C:\Program Files\Common Files\System
2012-02-02 15:48 - 2006-11-02 02:23 - 0000219 ____A C:\Windows\win.ini
2012-02-02 15:13 - 2006-11-02 02:33 - 0884086 ____A C:\Windows\System32\PerfStringBackup.INI
2012-02-02 14:14 - 2012-02-02 13:50 - 0001778 ____A C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk
2012-02-02 14:10 - 2010-04-29 11:20 - 0000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-02-02 14:10 - 2008-09-29 07:55 - 0000246 ____A C:\Users\Public\Documents\hpqp.ini
2012-02-02 14:06 - 2008-12-14 21:08 - 0000889 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-01-25 05:15 - 2012-01-25 05:15 - 0154272 ____A C:\Windows\Minidump\Mini012512-04.dmp
2012-01-25 04:45 - 2012-01-25 04:45 - 0154272 ____A C:\Windows\Minidump\Mini012512-03.dmp
2012-01-25 04:16 - 2012-01-25 04:16 - 0154272 ____A C:\Windows\Minidump\Mini012512-02.dmp
2012-01-25 03:46 - 2012-01-25 03:46 - 0154272 ____A C:\Windows\Minidump\Mini012512-01.dmp
2012-01-22 01:30 - 2012-01-22 01:30 - 0001773 ____A C:\Users\Public\Desktop\NetZero Quick Help.lnk
2012-01-22 01:30 - 2012-01-22 01:30 - 0001674 ____A C:\Users\Public\Desktop\NetZero Internet.lnk
2012-01-22 01:30 - 2010-04-29 11:16 - 0000000 ____D C:\NetZeroInstaller
2012-01-22 01:29 - 2010-04-29 11:17 - 0000000 ____D C:\Program Files\NetZero
2012-01-22 01:28 - 2010-04-29 11:17 - 0000000 ____D C:\Users\All Users\NetZero
2012-01-22 01:28 - 2010-04-29 11:17 - 0000000 ____D C:\ProgramData\NetZero
2012-01-21 12:41 - 2011-05-14 22:04 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-01-21 12:36 - 2012-01-21 12:36 - 0154272 ____A C:\Windows\Minidump\Mini012112-10.dmp
2012-01-21 10:29 - 2012-01-21 10:29 - 0154272 ____A C:\Windows\Minidump\Mini012112-09.dmp
2012-01-21 09:45 - 2012-01-21 09:45 - 0154272 ____A C:\Windows\Minidump\Mini012112-08.dmp
2012-01-21 09:00 - 2012-01-21 09:00 - 0154272 ____A C:\Windows\Minidump\Mini012112-07.dmp
2012-01-21 08:16 - 2012-01-21 08:16 - 0154272 ____A C:\Windows\Minidump\Mini012112-06.dmp
2012-01-21 07:31 - 2012-01-21 07:31 - 0154272 ____A C:\Windows\Minidump\Mini012112-05.dmp
2012-01-21 06:47 - 2012-01-21 06:46 - 0154272 ____A C:\Windows\Minidump\Mini012112-04.dmp
2012-01-21 05:01 - 2012-01-21 05:01 - 0154272 ____A C:\Windows\Minidump\Mini012112-03.dmp
2012-01-21 04:17 - 2012-01-21 04:16 - 0154272 ____A C:\Windows\Minidump\Mini012112-02.dmp
2012-01-21 03:24 - 2012-01-21 03:24 - 0154272 ____A C:\Windows\Minidump\Mini012112-01.dmp
2012-01-21 02:53 - 2008-12-14 20:26 - 0000000 ____D C:\Users\Marsha Jackson\AppData\Local\Google
2012-01-04 15:15 - 2006-11-02 02:24 - 52128560 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 16%
Total physical RAM: 2813.81 MB
Available physical RAM: 2339.29 MB
Total Pagefile: 2605.11 MB
Available Pagefile: 2448.82 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:223.03 GB) (Free:44.51 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: (HP_RECOVERY) (Fixed) (Total:9.85 GB) (Free:1.73 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (LRMCFRE_EN_DVD) (CDROM) (Total:2.49 GB) (Free:0 GB) UDF
5 Drive g: () (Removable) (Total:3.73 GB) (Free:3.69 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 2232 KB
Disk 1 No Media 0 B 0 B
Disk 2 Online 3819 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 223 GB 32 KB
Partition 2 Primary 10 GB 223 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C NTFS Partition 223 GB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D HP_RECOVERY NTFS Partition 10 GB Healthy

======================================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3819 MB 16 KB

======================================================================================================

Disk: 2
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 3819 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-02-25 09:12

======================= End Of Log ==========================

#4 Aaflac (Malware Response Team)

Posted 03 March 2012 - 01:11 PM

Rose In RoseBear,

Thanks for providing the information.

Have a couple of questions for you, all part of the puzzle...

When you attempt to boot with the laptop, how far does the system go?

[Image: Windows loading bar]
Do you get to the Windows loading bar (image above)?
Does it go beyond the loading bar?


Also on the following entries:

2012-03-03 00:32 - 2006-11-02 02:22 - 102236160 ____A C:\Windows\System32\config\software_previous
2012-03-03 00:29 - 2006-11-02 02:22 - 25427968 ____A C:\Windows\System32\config\system_previous
2012-03-03 00:28 - 2006-11-02 02:22 - 4456448 ____A C:\Windows\System32\config\default_previous
2012-03-03 00:28 - 2006-11-02 02:22 - 38535168 ____A C:\Windows\System32\config\components_previous
2012-03-03 00:28 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\security_previous
2012-03-03 00:28 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\sam_previous


They normally show when recovering a corrupted Registry that prevents Windows from starting.
It looks as if there was an attempt at replacing sections of the Registry (called hives), but from where?
Did you take any action that would create these files?

Old duck...
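Added example, not part of the thread and not FRST's own code: a small Python parser for the file-listing lines in the FRST log posted above, with the triage Aaflac does by hand (spotting the `_previous` hive backups and the minidump) written out as rules. The sample lines are copied from the log; the three-day "recently changed" window is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# One FRST file-listing entry, in the layout of the log posted above:
#   <timestamp> - <timestamp> - <size> <attrs> [(Company)] <path>
# In "One Month Created Files" the first timestamp is the creation time and
# the second the modification time; in "3 Months Modified Files" the order is
# reversed (compare the Mini030312-01.dmp line in the two sections).
ENTRY_RE = re.compile(
    r"^(?P<t1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<t2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+)$"
)
TS_FMT = "%Y-%m-%d %H:%M"

# Scan time taken from the log header ("Ran by SYSTEM at 03-03-2012 00:47:07").
SCAN_TIME = datetime(2012, 3, 3, 0, 47)

# Constructed sample: lines copied from the "3 Months Modified" section above.
SAMPLE_MODIFIED = r"""
2012-03-03 00:46 - 2012-03-03 00:46 - 0000000 ____D C:\FRST
2012-03-03 00:32 - 2006-11-02 02:22 - 102236160 ____A C:\Windows\System32\config\software_previous
2012-03-03 00:28 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\sam_previous
2012-03-02 22:36 - 2012-03-02 22:35 - 0133784 ____A C:\Windows\Minidump\Mini030312-01.dmp
2012-03-02 22:39 - 2012-03-02 22:33 - 2951106560 __ASH C:\hiberfil.sys
2012-02-28 22:22 - 2008-01-20 18:47 - 0203504 ____A C:\Windows\PFRO.log
2012-02-02 14:39 - 2011-11-23 05:37 - 2043904 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
"""


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str                 # e.g. ____D directory, __ASH archive+system+hidden
    company: Optional[str]     # publisher FRST prints for versioned binaries
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.endswith("D")


def parse_entry(line: str, section: str) -> Optional[Entry]:
    """Parse one listing line; section is "created" or "modified"."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    t1 = datetime.strptime(m["t1"], TS_FMT)
    t2 = datetime.strptime(m["t2"], TS_FMT)
    created, modified = (t1, t2) if section == "created" else (t2, t1)
    return Entry(created, modified, int(m["size"]), m["attrs"],
                 m["company"], m["path"])


def triage(entries: List[Entry], scan_time: datetime,
           window_days: int = 3) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries worth a second look.

    The rules encode what is checked by hand in the thread: registry hive
    backups left behind by a repair attempt, crash dumps from the stop error,
    and any file touched within window_days of the scan (assumed: 3 days).
    """
    findings = []
    cutoff = scan_time - timedelta(days=window_days)
    for e in entries:
        low = e.path.lower()
        if "\\windows\\system32\\config\\" in low and low.endswith("_previous"):
            findings.append((e.path, "registry hive backup (repair attempt)"))
        elif low.endswith(".dmp"):
            findings.append((e.path, "crash dump, modified " + e.modified.strftime(TS_FMT)))
        elif not e.is_dir and max(e.created, e.modified) >= cutoff:
            findings.append((e.path, "changed within %d days of scan" % window_days))
    return findings


def triage_log(text: str, section: str, scan_time: datetime,
               window_days: int = 3) -> List[Tuple[str, str]]:
    """Parse a whole listing section and triage it; unparsable lines are skipped."""
    entries = [e for e in (parse_entry(l, section) for l in text.splitlines()) if e]
    return triage(entries, scan_time, window_days)


def demo() -> List[Tuple[str, str]]:
    return triage_log(SAMPLE_MODIFIED, "modified", SCAN_TIME)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:45} {path}")
```

Widening the window (for example to 30 days) pulls in the Windows Update binaries from 2012-02-02 as well, which is why the publisher column is kept on each entry.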


#5 Rose In RoseBear


Posted 03 March 2012 - 02:05 PM

Doin':

When allowed to boot from the HD, the system gets to the login screen (user account icons displayed). There seems to be something off about the video definition --- it's not 1024x768, but it's better than 640x480.

And, yes, the system went through a repair attempt before I could get to the command prompt option.

Dare I try to log in?

Rose

#6 Aaflac (Malware Response Team)

Posted 03 March 2012 - 04:18 PM

Thanks for the info! :thumbup2:


...the system won't boot to Safe Mode with Networking, or even to plain old Safe Mode

Well, that is better than the above^^


...the system went through a repair attempt before I could get to the command prompt option

Did FRST run from the System Recovery Options > Command Prompt?


When allowed to boot from the HD, the system gets to the login screen (user account icons displayed).


Do log in, and let us know if you were able to, and whether Security Shield is still showing up.

Please do not get too ambitious if you can boot normally, though... :mellow:


However, do the following:

Task 1:
Upload the following file, as it might help in determining what is going wrong:

2012-03-02 22:35 - 2012-03-02 22:36 - 0133784 ____A C:\Windows\Minidump\Mini030312-01.dmp

Click on this link: http://www.bleepingcomputer.com/submit-malware.php?channel=66
  • Click Browse... and navigate to C:\Windows\Minidump\Mini030312-01.dmp
  • Highlight the file and click: Open
  • Click: Send File


Task 2:
Please submit C:\Windows\System32\Drivers\AFS.sys for analysis to VirusTotal:
http://www.virustotal.com/

When you get to the website, use the Browse button to navigate to the location of the file.
Click on the file, then, click the Open button.
The file is now displayed in the Submit Box.

Scroll down and click Send File, and wait for the results.

If you get a message saying: File has already been analyzed, click Reanalyze file now
Once scanned, and you see the full results page on your screen, go up to the address bar at the top of the browser, and copy the http://etc. address there.

Then, provide the http:// address of the results page in your reply.

After doing the two tasks outlined above, please try to stay off the Internet using the infected computer until you get my reply.

Old duck...




