
computer doesn't boot and this may be caused by remnants of zeroaccess and / or malicious partition.


This topic is locked
5 replies to this topic

#1 sa91899

sa91899

  • Members
  • 6 posts

Posted 30 March 2012 - 11:24 PM

"starting at Step 6."...

Step 6 - Disable your CD Emulation Software

Could not complete. Will not boot into Windows

Step 7 - Download and Run DDS which will create a log of programs running on your computer.

Could not complete. Will not boot into windows

Step 8 - Create a GMER Log (32-bit versions of Windows only)

Could not complete. This is a 64bit system

hmmm... 92 views and 0 replies...

Am I up a creek without a paddle???

EDIT: Please be patient. There are over 90 unanswered topics in this forum at present and the current average wait time to receive help is 5 days. ~Budapest

Edited by Budapest, 03 April 2012 - 12:43 AM.



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,664 posts
  • Gender:Male

Posted 05 April 2012 - 11:25 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/448258 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 06 April 2012 - 05:26 PM

Hi,

Please do the following:

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • type exit and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 sa91899

sa91899
  • Topic Starter

  • Members
  • 6 posts

Posted 09 April 2012 - 12:11 PM

Scan result of Farbar Recovery Scan Tool Version: 15-03-2012
Ran by SYSTEM at 9-04-2012 23:55:58
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [161304 2010-09-07] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2010-09-07] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [415256 2010-09-07] (Intel Corporation)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-06-18] (IDT, Inc.)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1890088 2010-03-17] (Synaptics Incorporated)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3179288 2010-01-06] (Dell Inc.)
HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1928976 2010-03-05] (Intel® Corporation)
HKLM\...\Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup [207350 2011-01-25] ()
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1436736 2011-06-15] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-06-08] (Intel Corporation)
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1486392 2011-04-05] (McAfee, Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1391272 2012-01-03] (Ask)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [273544 2011-05-24] (RealNetworks, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-08-19] (Apple Inc.)
HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [58656 2011-04-20] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKU\Brooke\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-05-24] (Google Inc.)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2009-07-13] (Microsoft Corporation)
HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2012-01-04] (Dell)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\615\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 DellDigitalDelivery; "C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe" [141192 2010-11-16] (Dell Products, LP.)
2 dirms_defragmentation; C:\Windows\System32\Cinemsup.dll [6656 2009-07-13] (Oak Technology Inc.)
2 IAStorDataMgrSvc; "C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe" [13336 2010-06-08] (Intel Corporation)
2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
3 McODS; "C:\Program Files\mcafee\VirusScan\mcods.exe" [509416 2010-10-07] (McAfee, Inc.)
4 McOobeSv; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [200056 2011-04-14] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [245352 2011-04-14] (McAfee, Inc.)
2 mfevtp; "C:\Windows\system32\mfevtps.exe" [149032 2011-04-14] (McAfee, Inc.)
2 MSK80Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-05] ()
2 Toolbar Updater Service; C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [199904 2011-03-24] ()
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2320920 2010-03-03] (Intel Corporation)
3 McAWFwk; c:\PROGRA~1\mcafee\msc\mcawfwk.exe [x]
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

3 cfwids; C:\Windows\System32\Drivers\cfwids.sys [63056 2011-04-14] (McAfee, Inc.)
3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [121376 2011-04-14] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [190520 2011-04-14] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\Drivers\mfefirek.sys [441840 2011-04-14] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [530304 2011-04-14] (McAfee, Inc.)
1 mfenlfk; C:\Windows\System32\Drivers\mfenlfk.sys [75160 2011-04-14] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [94992 2011-04-14] (McAfee, Inc.)
0 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [283744 2011-04-14] (McAfee, Inc.)
3 NWADI; C:\Windows\System32\DRIVERS\NWADIenum.sys [247808 2008-06-02] (Novatel Wireless Inc)
3 NWUSBCDFIL64; C:\Windows\System32\Drivers\NWUSBCDFIL64.sys [25600 2008-07-07] (Novatel Wireless Inc.)
3 NWUSBPort; C:\Windows\System32\DRIVERS\nwusbser.sys [213120 2008-05-09] (Microsoft Corporation)
3 NWUSBPort2; C:\Windows\System32\DRIVERS\nwusbser2.sys [213120 2008-05-09] (Novatel Wireless Inc.)
3 SMSIVZAM5X64; \??\C:\PROGRA~2\VERIZO~1\VZACCE~1\SMSIVZAM5X64.SYS [43032 2009-03-20] (Smith Micro Inc.)
1 bfdhvqky; \??\C:\Windows\system32\drivers\bfdhvqky.sys [x]
1 bkaebnla; \??\C:\Windows\system32\drivers\bkaebnla.sys [x]
1 bkgocofn; \??\C:\Windows\system32\drivers\bkgocofn.sys [x]
1 lbufigad; \??\C:\Windows\system32\drivers\lbufigad.sys [x]
1 litettkl; \??\C:\Windows\system32\drivers\litettkl.sys [x]
3 mfeavfk01; [x]
1 nsdlmxtd; \??\C:\Windows\system32\drivers\nsdlmxtd.sys [x]
1 oplljmld; \??\C:\Windows\system32\drivers\oplljmld.sys [x]
3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [x]
1 puxkjkaq; \??\C:\Windows\system32\drivers\puxkjkaq.sys [x]
1 pzumusvo; \??\C:\Windows\system32\drivers\pzumusvo.sys [x]
1 rzukkhbd; \??\C:\Windows\system32\drivers\rzukkhbd.sys [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: dirms_defragmentation

============ One Month Created Files and Folders ==============

2012-03-29 23:55 - 2012-03-29 23:55 - 0000000 ____D C:\FRST
2012-03-21 22:41 - 2012-03-26 15:08 - 0522634 ____A C:\Windows\ntbtlog.txt
2012-03-21 19:21 - 2012-01-31 07:44 - 0279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-03-21 19:07 - 2012-03-21 19:07 - 0000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-03-21 19:06 - 2012-03-21 19:07 - 0000000 ____D C:\Program Files\Microsoft Security Client
2012-03-21 19:05 - 2010-04-09 06:06 - 0374664 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-03-21 18:57 - 2012-03-21 18:58 - 10165440 ____A (Microsoft Corporation) C:\Users\Brooke\Downloads\mseinstall.exe

============ 3 Months Modified Files and Folders =============

2012-03-29 23:55 - 2012-03-29 23:55 - 0000000 ____D C:\FRST
2012-03-29 22:46 - 2011-03-27 23:02 - 1502621696 __ASH C:\hiberfil.sys
2012-03-26 15:08 - 2012-03-21 22:41 - 0522634 ____A C:\Windows\ntbtlog.txt
2012-03-21 22:02 - 2011-03-27 23:05 - 1116621 ____A C:\Windows\WindowsUpdate.log
2012-03-21 21:47 - 2011-05-24 07:56 - 0000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-03-21 21:25 - 2011-05-24 07:56 - 0000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-03-21 20:11 - 2011-07-05 16:42 - 0000000 ____D C:\Users\Brooke\Local Settings\ElevatedDiagnostics
2012-03-21 20:11 - 2011-07-05 16:42 - 0000000 ____D C:\Users\Brooke\Local Settings\Application Data\ElevatedDiagnostics
2012-03-21 20:11 - 2011-07-05 16:42 - 0000000 ____D C:\Users\Brooke\AppData\Local\ElevatedDiagnostics
2012-03-21 19:33 - 2011-05-23 21:26 - 0000000 ____D C:\Program Files (x86)\Ask.com
2012-03-21 19:25 - 2009-07-13 23:45 - 0013872 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-03-21 19:25 - 2009-07-13 23:45 - 0013872 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-03-21 19:20 - 2009-07-14 00:13 - 0747782 ____A C:\Windows\System32\PerfStringBackup.INI
2012-03-21 19:15 - 2011-04-05 13:12 - 0000000 ____D C:\Users\Default\Local Settings\SoftThinks
2012-03-21 19:15 - 2011-04-05 13:12 - 0000000 ____D C:\Users\Default\Local Settings\Application Data\SoftThinks
2012-03-21 19:15 - 2011-04-05 13:12 - 0000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2012-03-21 19:15 - 2011-04-05 13:12 - 0000000 ____D C:\Users\Default User\Local Settings\SoftThinks
2012-03-21 19:15 - 2011-04-05 13:12 - 0000000 ____D C:\Users\Default User\Local Settings\Application Data\SoftThinks
2012-03-21 19:15 - 2011-04-05 13:12 - 0000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2012-03-21 19:15 - 2011-03-28 00:03 - 0000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2012-03-21 19:14 - 2012-02-05 12:55 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-03-21 19:13 - 2009-07-14 00:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-03-21 19:13 - 2009-07-13 23:51 - 0056450 ____A C:\Windows\setupact.log
2012-03-21 19:07 - 2012-03-21 19:07 - 0000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-03-21 19:07 - 2012-03-21 19:06 - 0000000 ____D C:\Program Files\Microsoft Security Client
2012-03-21 19:07 - 2011-05-04 22:19 - 0761932 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-03-21 18:58 - 2012-03-21 18:57 - 10165440 ____A (Microsoft Corporation) C:\Users\Brooke\Downloads\mseinstall.exe
2012-03-21 18:51 - 2011-04-05 13:10 - 0027805 ____A C:\stp.log
2012-03-21 18:48 - 2011-03-27 23:37 - 0081980 ____A C:\Windows\PFRO.log
2012-02-12 19:03 - 2012-01-15 11:08 - 0007084 ____A C:\Users\Brooke\Application Data\9677d2c3
2012-02-12 19:03 - 2012-01-15 11:08 - 0007084 ____A C:\Users\Brooke\AppData\Roaming\9677d2c3
2012-02-12 19:03 - 2012-01-15 11:08 - 0007060 ____A C:\Users\Brooke\Local Settings\Application Data\5cdd01cd
2012-02-12 19:03 - 2012-01-15 11:08 - 0007060 ____A C:\Users\Brooke\Local Settings\5cdd01cd
2012-02-12 19:03 - 2012-01-15 11:08 - 0007060 ____A C:\Users\Brooke\AppData\Local\5cdd01cd
2012-02-12 19:03 - 2012-01-15 11:08 - 0006984 ____A C:\Users\All Users\e26aa57b
2012-02-12 19:03 - 2012-01-15 11:08 - 0006984 ____A C:\Users\All Users\Application Data\e26aa57b
2012-02-12 19:03 - 2012-01-15 11:08 - 0006984 ____A C:\ProgramData\e26aa57b
2012-02-05 12:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\Resources
2012-01-31 07:44 - 2012-03-21 19:21 - 0279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-01-15 11:21 - 2011-04-05 13:13 - 0000000 ____D C:\Users\Brooke\Local Settings\VirtualStore
2012-01-15 11:21 - 2011-04-05 13:13 - 0000000 ____D C:\Users\Brooke\Local Settings\Application Data\VirtualStore
2012-01-15 11:21 - 2011-04-05 13:13 - 0000000 ____D C:\Users\Brooke\AppData\Local\VirtualStore
2012-01-15 11:19 - 2012-01-15 11:18 - 0004200 ____A C:\Windows\SysWOW64\jupdate-1.6.0_30-b12.log
2012-01-15 11:19 - 2011-05-24 07:52 - 0000000 ____D C:\Program Files (x86)\Java
2012-01-15 11:14 - 2011-09-04 16:51 - 0000000 ____D C:\Users\Brooke\Local Settings\Windows Live
2012-01-15 11:14 - 2011-09-04 16:51 - 0000000 ____D C:\Users\Brooke\Local Settings\Application Data\Windows Live
2012-01-15 11:14 - 2011-09-04 16:51 - 0000000 ____D C:\Users\Brooke\AppData\Local\Windows Live
2012-01-15 11:08 - 2012-01-15 11:08 - 0000000 ____D C:\Windows\system64
2012-01-15 11:08 - 2009-07-14 00:37 - 0000000 ____D C:\Windows\SysWOW64\sysprep
2012-01-15 11:05 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\rescache
2012-01-15 03:29 - 2011-05-07 21:54 - 0000374 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2012-01-15 03:07 - 2011-06-24 21:05 - 54008112 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-01-14 21:24 - 2011-05-24 07:56 - 0000000 ____D C:\Users\Brooke\Local Settings\Google
2012-01-14 21:24 - 2011-05-24 07:56 - 0000000 ____D C:\Users\Brooke\Local Settings\Application Data\Google
2012-01-14 21:24 - 2011-05-24 07:56 - 0000000 ____D C:\Users\Brooke\AppData\Local\Google
2012-01-04 03:37 - 2011-03-27 23:54 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-01-04 03:37 - 2009-07-13 23:45 - 0274320 ____A C:\Windows\System32\FNTCACHE.DAT
2012-01-04 03:35 - 2009-07-13 22:20 - 0000000 ____D C:\Program Files\Common Files\System


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 27%
Total physical RAM: 1910.68 MB
Available physical RAM: 1381.5 MB
Total Pagefile: 1910.68 MB
Available Pagefile: 1368.82 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:218.14 GB) (Free:171.59 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: (Recovery) (Fixed) (Total:14.65 GB) (Free:8 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (LEXAR) (Removable) (Total:0.93 GB) (Free:0.75 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 959 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 100 MB 1024 KB
Partition 2 Primary 14 GB 101 MB
Partition 3 Primary 218 GB 14 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 DELLUTILITY FAT Partition 100 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D Recovery NTFS Partition 14 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 218 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 959 MB 31 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E LEXAR FAT32 Removable 959 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-03-21 20:02

======================= End Of Log ==========================
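As an added example (not part of this thread and not FRST's own code), a small Python triage pass over the kind of FRST output posted above. It applies the checks a helper makes when reading such a log: FRST's own `SubSystems ... ==> ZeroAccess` flag, start-type drivers with random eight-letter names whose `.sys` file is missing (`[x]`), the extension-less hex-named files under the user profile and ProgramData, and the non-standard `C:\Windows\system64` folder. The sample log is a constructed excerpt re-typed from the post, and the heuristics are assumptions of this example, not FRST's detection logic.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines in the shape of the FRST log above.
# Service/driver lines are "<start> <name>; <path> [<size> <date>] (<vendor>)",
# with "[x]" when the file is missing on disk. Re-typed excerpt, not a live log.
SAMPLE_LOG = r"""
========================== Registry (Whitelisted) =============
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [161304 2010-09-07] (Intel Corporation)
SubSystems: [Windows] ==> ZeroAccess
========================== Drivers (Whitelisted) =============
0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [530304 2011-04-14] (McAfee, Inc.)
1 bfdhvqky; \??\C:\Windows\system32\drivers\bfdhvqky.sys [x]
1 bkaebnla; \??\C:\Windows\system32\drivers\bkaebnla.sys [x]
3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [x]
============ 3 Months Modified Files and Folders =============
2012-02-12 19:03 - 2012-01-15 11:08 - 0007084 ____A C:\Users\Brooke\AppData\Roaming\9677d2c3
2012-02-12 19:03 - 2012-01-15 11:08 - 0006984 ____A C:\ProgramData\e26aa57b
2012-01-15 11:08 - 2012-01-15 11:08 - 0000000 ____D C:\Windows\system64
2012-03-21 19:20 - 2009-07-14 00:13 - 0747782 ____A C:\Windows\System32\PerfStringBackup.INI
"""


@dataclass
class Finding:
    section: str  # FRST section header the line was found under
    line: str     # the offending log line, verbatim
    reason: str   # why it was flagged


SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "<start type> <service name>; <everything else>"
SERVICE_RE = re.compile(r"^(?P<start>[0-4]) (?P<name>[^;]+); (?P<rest>.*)$")
# "<modified> - <created> - <size> <attrs> <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d+ (?P<attrs>\S+) (?P<path>.*)$"
)
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")  # e.g. bfdhvqky (assumed heuristic)
HEX_BLOB_RE = re.compile(r"^[0-9a-f]{8}$")  # e.g. 9677d2c3, no extension (assumed heuristic)
PROFILE_DIRS = ("\\appdata\\", "\\application data\\", "\\programdata\\", "\\all users\\")


def triage(log_text: str) -> list[Finding]:
    """Walk an FRST log and return the lines that match the indicators above."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        # FRST itself marks a redirected Windows subsystem entry with "==>".
        if line.startswith("SubSystems:") and "==>" in line:
            findings.append(Finding(section, line, "FRST flags a redirected subsystem entry"))
            continue
        m = SERVICE_RE.match(line)
        if m and section.startswith("Drivers"):
            # Legit entries (mfehidk, PCDSRVC{...}) have vendor or meaningful names;
            # flag only random 8-letter names whose driver file is gone.
            if RANDOM_NAME_RE.match(m.group("name")) and m.group("rest").endswith("[x]"):
                findings.append(Finding(section, line, "random 8-letter driver name, file missing on disk"))
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group("path")
            lowered = path.lower()
            base = path.rsplit("\\", 1)[-1]
            if "\\windows\\system64" in lowered:  # lookalike of System32 / SysWOW64
                findings.append(Finding(section, line, "non-standard Windows\\system64 directory"))
            elif HEX_BLOB_RE.match(base) and any(d in lowered for d in PROFILE_DIRS):
                findings.append(Finding(section, line, "extension-less hex-named file in profile/ProgramData"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```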

#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 09 April 2012 - 12:39 PM

Hi

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
script removed
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Edited by CatByte, 03 July 2012 - 09:34 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 21 April 2012 - 08:50 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




