
STOP: c0000135 {Unable To Locate Component} ... consrv was not found.


This topic is locked
36 replies to this topic

#1 woodstock107
  • Members
  • 18 posts

Posted 18 April 2012 - 09:23 AM

Good morning,

I recently picked up a fake security center virus, updated and ran Malwarebytes and Spybot in safe mode, but still had a hijacker in firefox creating popups and redirecting links. A friend recommended Combofix and supplied a link - which I see here on the forums accompanied by the text "Only run if instructed to do so."
After running Combofix in safe mode, my laptop restarted and a text file of changes and deletions was generated. I had some trepidation about this process - I thought it would present possible issues and I would make decisions about them, like some other tools.
On boot this morning, my system stops and provides the error:

STOP: c0000135 {Unable To Locate Component}
This application has failed to start because consrv was not found. Re-installing the application may fix this problem.


I realize this is my fault - I should have done more research and been more wary of an easy fix.
Any help would be brilliant. Thank you all so much!



#2 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 19 April 2012 - 10:29 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
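The FRST.txt log these steps produce is what the helper reads next. As an added example (not code from this thread or from Farbar's tool), the script below triages a constructed log fragment in the FRST.txt format and pulls out the entries a responder looks at first: a registry value FRST has already tagged with "==>" (in this thread that is the patched SubSystems value; removing the DLL such a value points at, without repairing the value, is what produces the "consrv was not found" STOP c0000135 at boot), services or drivers whose image file is missing ("[x]" in FRST's notation), and services or drivers loading from a temp or profile directory. The sample lines and the Finding/triage_frst names are my own, modelled on the log posted later in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample in FRST.txt format: a few lines modelled on the log
# posted later in this thread, mixed with ordinary benign entries.
SAMPLE_LOG = r"""
========================== Registry (Whitelisted) =============

HKLM\...\Run: [snp325] C:\Windows\vsnp325.exe [835584 2007-05-10] ()
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

4 TlntSvr; C:\Windows\System32\tlntsvr.exe [88064 2008-01-19] (Microsoft Corporation)
2 SPService; c:\windows\system32\config\systemprofile\appdata\roaming\adobe\sp.dll [x]

========================== Drivers (Whitelisted) =============

3 TPM; C:\Windows\System32\Drivers\TPM.sys [49256 2006-11-02] (Microsoft Corporation)
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 X6va006; \??\C:\Users\Owner\AppData\Local\Temp\006820B.tmp [x]
"""

# "==== Section name ====" headers that FRST uses to delimit the log.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Service/driver lines: "<start type> <name>; <image path> [size date] (company)"
ENTRY_RE = re.compile(r"^(?P<start>[0-4])\s+(?P<name>[^;]+);\s*(?P<rest>.*)$")
# FRST writes "[x]" in place of size/date when the referenced file is not on disk.
MISSING_RE = re.compile(r"\[x\]\s*$", re.IGNORECASE)
# Directories a legitimately installed service or driver rarely loads from.
SUSPECT_DIRS = ("\\temp\\", "\\appdata\\", "\\systemprofile\\")


@dataclass(frozen=True)
class Finding:
    section: str
    name: str
    path: str
    reasons: tuple


def triage_frst(log_text: str) -> list:
    """Return the registry, service and driver entries a responder reads first."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section.startswith("Registry"):
            # FRST appends "==> <tag>" to values it has already recognised,
            # e.g. a patched SubSystems value; surface the tag verbatim.
            if "==>" in line:
                key, tag = line.split("==>", 1)
                findings.append(Finding(section, key.strip(), "",
                                        ("FRST tagged this value: " + tag.strip(),)))
            continue
        if section.startswith(("Services", "Drivers")):
            entry = ENTRY_RE.match(line)
            if not entry:
                continue
            rest = entry.group("rest")
            reasons = []
            if MISSING_RE.search(rest):
                reasons.append("referenced file is missing ([x]): dangling entry")
            # Image path is everything before the " [size date]" or " [x]" suffix.
            path = rest.split(" [", 1)[0].strip().strip('"')
            if path.startswith("\\??\\"):  # strip the NT object-manager prefix
                path = path[4:]
            if any(d in path.lower() for d in SUSPECT_DIRS):
                reasons.append("loads from a temp or profile directory")
            if reasons:
                findings.append(Finding(section, entry.group("name").strip(),
                                        path, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage_frst(SAMPLE_LOG):
        print(f"[{f.section}] {f.name}: {'; '.join(f.reasons)}  {f.path}")
```

The output is a reading list, not a verdict: a dangling "[x]" entry can just as well be a leftover from a removal tool (ComboFix's own catchme driver shows up that way in this thread's log) as a remnant of the infection, so each flagged entry still needs the helper's judgement.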

#3 woodstock107
  • Topic Starter
  • Members
  • 18 posts

Posted 19 April 2012 - 11:55 AM

Gringo,

Thanks SO much for your response!

When I press F8 to bring up the Advanced Boot Options, System Recovery is not one of the choices. I have in that menu:
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt

Enable Boot Logging
Enable low-resolution Video
Last Known Good Configuration (which I tried before coming here and did not boot either)
Directory Services Restore Mode
Debugging Mode
Disable automatic restart on system failure
Disable driver signature

Start Windows Normally


I've read that pressing F9 will cause my Asus G1S to open the Boot Manager, which gives me the option to boot from Windows Setup [EMS Enabled]
I can choose F8 on that menu, but the choices are the same.
I have no idea what will happen if I boot from this normally hidden partition and was wary to just give it a shot.

I don't have an Installation Disc.

I *did* download FRST 64 and save it to a thumb drive, to have it ready.

Thank you again, your efforts are very much appreciated!!

woodstock

#4 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 19 April 2012 - 12:04 PM

Hello


what is the make and model and operating system of the computer


gringo

#5 woodstock107
  • Topic Starter
  • Members
  • 18 posts

Posted 19 April 2012 - 12:31 PM

I have Windows Vista 64 on an Asus G1s

Thanks!

#6 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 19 April 2012 - 12:45 PM

Hello


boot into the recovery partition and see if you can get to the recovery environment there

#7 woodstock107
  • Topic Starter
  • Members
  • 18 posts

Posted 19 April 2012 - 01:09 PM

Gringo,

I booted from the recovery partition. A message came up saying "All files on all partitions will be lost using the Asus Recovery CD ... Asus will not be liable for damages from use of this CD." I did not proceed past that prompt. I get the feeling that the Recovery CD will just format, partition and reinstall Windows from that partition.

Is there another environment I can boot into? Can I make some sort of boot CD or use another program so that I can run FRST? I have Ultimate Boot Disk for Windows. It's an XP based boot CD that I have used to recover files from computers that won't boot before. Should I try and run FRST under that?

I'm sorry that this seems to be more complicated than usual. Again, thank you so much for your help!

woodstock

PS - While replying to you, I got a call from work, I'll have to go in for a couple hours, I should be back in about three hours. Thank you!

#8 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 19 April 2012 - 01:14 PM

Hello


I want you to use system restore - it should be able to get you back into windows but still infected


see if you have a friend with a vista install disk to get into the recovery environment


gringo

#9 woodstock107
  • Topic Starter
  • Members
  • 18 posts

Posted 19 April 2012 - 03:27 PM

I'm on it - I don't know how long that will take, but I'll keep you posted!

Thanks again, you're fantastic!

Woodstock.

#10 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 19 April 2012 - 03:52 PM

I will be in and out for the next 4 hours then I will be online for 8 hours

#11 woodstock107
  • Topic Starter
  • Members
  • 18 posts

Posted 19 April 2012 - 05:13 PM

Gringo,

Vista Recovery Disc is on its way. I looked into the Asus Recovery Partition and it's definitely just an opportunity to format and reinstall.
I should be able to get that log file soon!

Thanks!
Woodstock

#12 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 19 April 2012 - 06:35 PM

ok I will be on the look out for you - did you try system restore?



gringo

#13 woodstock107
  • Topic Starter
  • Members
  • 18 posts

Posted 19 April 2012 - 06:42 PM

Huzzah!

The log file from FRST!

Scan result of Farbar Recovery Scan Tool Version: 16-04-2012
Ran by SYSTEM at 19-04-2012 19:20:47
Running from F:\
Windows Vista ™ Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [842240 2007-08-27] (Motorola Inc.)
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1216808 2007-12-06] (Synaptics, Inc.)
HKLM\...\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [x]
HKLM\...\Run: [snp325] C:\Windows\vsnp325.exe [835584 2007-05-10] ()
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2008-01-19] (Microsoft Corporation)
HKU\Experience\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2008-06-09] (Hewlett-Packard Company)
HKU\Owner\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1 68.105.28.12 68.105.29.12 68.105.28.11
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 ASLDRService; C:\Program Files (x86)\ATK Hotkey\ASLDRSrv.exe [94208 2007-10-02] ()
2 ATKGFNEXSrv; C:\Program Files\ATKGFNEX\GFNEXSrv.exe [94208 2007-08-07] ()
2 cxusb; C:\Windows\System32\e1000.dll [6656 2008-01-19] (Oak Technology Inc.)
3 FLEXnet Licensing Service; "C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" [654848 2009-02-13] (Macrovision Europe Ltd.)
2 IntuitUpdateServiceV4; "C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe" [13672 2011-08-25] (Intuit Inc.)
3 LBTServ; C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe [160784 2009-07-20] (Logitech, Inc.)
3 Microsoft Office Groove Audit Service; "C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe" [65888 2008-10-25] (Microsoft Corporation)
2 MotoConnect Service; C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe [92928 2009-12-14] ()
3 NBService; C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe [774144 2006-11-10] (Nero AG)
2 Nero BackItUp Scheduler 4.0; C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe [935208 2008-12-05] (Nero AG)
3 p2pimsvc; C:\Windows\SysWow64\p2psvc.dll [658944 2008-01-18] (Microsoft Corporation)
3 p2psvc; C:\Windows\SysWow64\p2psvc.dll [658944 2008-01-18] (Microsoft Corporation)
3 PNRPAutoReg; C:\Windows\SysWow64\p2psvc.dll [658944 2008-01-18] (Microsoft Corporation)
3 PNRPsvc; C:\Windows\SysWow64\p2psvc.dll [658944 2008-01-18] (Microsoft Corporation)
3 rcp_service; C:\Program Files (x86)\ReaConverter 5.5 Pro\rcp_scheduler.exe [558592 2007-11-30] (ReaSoft)
2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
3 SCardSvr; C:\Windows\SysWow64\SCardSvr.dll [95232 2008-01-18] (Microsoft Corporation)
2 spmgr; C:\Program Files (x86)\ASUS\NB Probe\SPM\spmgr.exe [125496 2007-08-03] ()
2 Themes; C:\Windows\SysWow64\shsvcs.dll [247296 2008-01-18] (Microsoft Corporation)
4 TlntSvr; C:\Windows\System32\tlntsvr.exe [88064 2008-01-19] (Microsoft Corporation)
3 usprserv; C:\Windows\System32\svchost.exe -k netsvcs [27648 2008-01-19] (Microsoft Corporation)
3 usprserv; C:\Windows\SysWow64\svchost.exe -k netsvcs [21504 2008-01-18] (Microsoft Corporation)
4 NMIndexingService; "C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe" [x]
3 rpcapd; "%ProgramFiles(x86)%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles(x86)%\WinPcap\rpcapd.ini" [x]
2 SPService; c:\windows\system32\config\systemprofile\appdata\roaming\adobe\sp.dll [x]

========================== Drivers (Whitelisted) =============

2 ASMMAP64; \??\C:\Program Files\ATKGFNEX\ASMMAP64.sys [14904 2007-07-24] ()
3 dump_wmimmc; C:\Windows\SysWow64\Drivers\dump_wmimmc.sys [141612 2008-07-29] ()
0 fltsrv; C:\Windows\System32\Drivers\fltsrv.sys [133728 2012-01-14] (Acronis)
2 ghaio; \??\C:\Program Files (x86)\ASUS\NB Probe\SPM\ghaio.sys [17464 2007-08-02] ()
3 hamachi; C:\Windows\System32\Drivers\hamachi.sys [33856 2009-03-18] (LogMeIn, Inc.)
0 JGOGO; C:\Windows\System32\Drivers\JGOGO.sys [8704 2006-02-07] (JMicron )
0 JRAID; C:\Windows\System32\Drivers\JRAID.sys [71680 2007-04-11] (JMicron Technology Corp.)
3 kbfiltr; C:\Windows\System32\Drivers\kbfiltr.sys [13168 2007-02-08] ( )
3 LHidFilt; C:\Windows\System32\Drivers\LHidFilt.sys [55312 2009-06-17] (Logitech, Inc.)
3 LMouFilt; C:\Windows\System32\Drivers\LMouFilt.sys [57872 2009-06-17] (Logitech, Inc.)
0 lullaby; C:\Windows\System32\Drivers\lullaby.sys [15928 2007-09-26] (Windows ® Codename Longhorn DDK provider)
3 LUsbFilt; C:\Windows\System32\Drivers\LUsbFilt.sys [40720 2007-04-11] (Logitech, Inc.)
3 MODEMCSA; C:\Windows\System32\Drivers\MODEMCSA.sys [24064 2008-01-18] (Microsoft Corporation)
3 motccgp; C:\Windows\System32\Drivers\motccgp.sys [20992 2009-06-19] (Motorola)
3 motccgpfl; C:\Windows\System32\Drivers\motccgpfl.sys [9216 2009-01-29] (Motorola)
3 motmodem; C:\Windows\System32\Drivers\motmodem.sys [30208 2009-10-27] (Motorola)
3 MTsensor; C:\Windows\System32\DRIVERS\ATK64AMD.sys [13680 2006-10-27] ()
3 NETw3v64; C:\Windows\System32\Drivers\NETw3v64.sys [2471424 2006-10-03] (Intel® Corporation)
3 NETw4v64; C:\Windows\System32\Drivers\NETw4v64.sys [3196416 2007-09-25] (Intel Corporation)
2 NPF; C:\Windows\System32\Drivers\NPF.sys [35344 2010-06-25] (CACE Technologies, Inc.)
3 RTL8169; C:\Windows\System32\DRIVERS\Rtlh64.sys [125952 2007-08-02] (Realtek Corporation )
3 smserial; C:\Windows\System32\Drivers\smserial.sys [1122304 2007-08-27] (Motorola Inc.)
3 SNP2UVC; C:\Windows\System32\Drivers\SNP2UVC.sys [1829888 2007-09-30] ()
3 SNP325; C:\Windows\System32\Drivers\SNP325.sys [617984 2009-01-12] (Sonix Co. Ltd.)
3 StillCam; C:\Windows\System32\DRIVERS\serscan.sys [12288 2008-01-18] (Microsoft Corporation)
3 TPM; C:\Windows\System32\Drivers\TPM.sys [49256 2006-11-02] (Microsoft Corporation)
3 usbaudio; C:\Windows\SysWow64\Drivers\usbaudio.sys [39840 1998-08-21] (Microsoft Corporation)
3 usbhub; C:\Windows\SysWow64\Drivers\usbhub.sys [27184 1998-08-21] (Microsoft Corporation)
0 vidsflt61; C:\Windows\System32\DRIVERS\vsflt61.sys [142944 2012-01-14] (Acronis)
2 ASInsHelp; \??\C:\Windows\SysWow64\drivers\AsInsHelp64.sys [x]
1 Beep; [x]
4 blbdrive; C:\Windows\System32\drivers\blbdrive.sys [x]
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NPPTNT2; \??\C:\Windows\system32\npptNT2.sys [x]
3 NSNDIS5; \??\C:\Windows\system32\NSNDIS5.SYS [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 X6va006; \??\C:\Users\Owner\AppData\Local\Temp\006820B.tmp [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: cxusb
NETSVC: SE2Emgmt
NETSVCx32: Themes

============ One Month Created Files and Folders ==============

2012-04-19 19:20 - 2008-03-16 14:08 - 0000000 ____D C:\FRST
2012-04-17 19:12 - - 0000000 __SHD C:\$RECYCLE.BIN
2012-04-17 18:32 - 2007-07-13 05:09 - 0016804 ____A C:\ComboFix.txt
2012-04-17 18:22 - 2012-04-17 18:22 - 0000000 ___AH C:\Windows\System32\config\COMPONENTS.tmp.LOG2
2012-04-17 18:22 - 2006-11-02 04:50 - 0000000 ___AH C:\Windows\System32\config\COMPONENTS.tmp.LOG1
2012-04-17 18:21 - 2012-04-17 18:21 - 0000000 ___AH C:\Windows\System32\config\SYSTEM.tmp.LOG2
2012-04-17 18:21 - 2012-04-17 18:21 - 0000000 ___AH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
2012-04-17 18:21 - 2012-04-17 18:21 - 0000000 ___AH C:\Windows\System32\config\SECURITY.tmp.LOG2
2012-04-17 18:21 - 2012-04-17 18:21 - 0000000 ___AH C:\Windows\System32\config\SAM.tmp.LOG2
2012-04-17 18:21 - 2012-04-17 18:21 - 0000000 ___AH C:\Windows\System32\config\DEFAULT.tmp.LOG2
2012-04-17 18:21 - 2006-11-02 06:59 - 0000000 ___AH C:\Windows\System32\config\SAM.tmp.LOG1
2012-04-17 18:21 - 2006-11-02 04:50 - 0262144 ___AH C:\Windows\System32\config\SECURITY.tmp.LOG1
2012-04-17 18:21 - 2006-11-02 04:50 - 0000000 ___AH C:\Windows\System32\config\SYSTEM.tmp.LOG1
2012-04-17 18:21 - 2006-11-02 04:50 - 0000000 ___AH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
2012-04-17 18:21 - 2006-11-02 04:50 - 0000000 ___AH C:\Windows\System32\config\DEFAULT.tmp.LOG1
2012-04-17 18:02 - 2012-04-04 10:34 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-04-17 18:02 - 2011-01-29 07:30 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-04-17 18:02 - 2010-08-12 21:56 - 0000000 ____D C:\Qoobox
2012-04-17 18:02 - 2009-12-09 21:22 - 0000000 ____D C:\Windows\ERDNT
2012-04-17 18:02 - 2008-01-19 00:00 - 0080412 ____A C:\Windows\grep.exe
2012-04-17 18:02 - 2006-11-02 07:07 - 0256000 ____A C:\Windows\PEV.exe
2012-04-17 18:02 - 2006-11-02 07:04 - 0068096 ____A C:\Windows\zip.exe
2012-04-17 18:02 - 2006-11-02 05:33 - 0098816 ____A C:\Windows\sed.exe
2012-04-17 18:02 - 2002-09-17 21:45 - 0208896 ____A C:\Windows\MBR.exe
2012-04-17 18:02 - 2000-08-30 16:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-04-17 17:46 - 2011-04-27 11:54 - 0000159 ____A C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2012-04-16 18:27 - 2011-02-26 08:18 - 0000000 ____D C:\Users\Owner\AppData\Local\YoYo_Games_Ltd
2012-04-16 17:59 - 2011-06-26 18:33 - 0000000 ____D C:\Users\Owner\AppData\Local\GameMaker8.1
2012-04-16 17:58 - 2011-04-16 09:02 - 0000000 ____D C:\Users\Owner\AppData\Roaming\GameMaker
2012-04-16 17:58 - 2011-04-11 11:13 - 0000000 ____D C:\Users\Owner\GameMaker 8.1
2012-04-16 17:46 - 2011-11-14 19:33 - 0000000 ____D C:\Program Files (x86)\GraphicsGale FreeEdition
2012-04-16 17:46 - 2008-04-04 19:43 - 0000000 ____D C:\Users\Owner\AppData\Local\Humanbalance
2012-04-05 14:51 - 2011-04-11 11:16 - 0000000 ____D C:\Users\Owner\Documents\TurboTax
2012-04-05 14:44 - 2009-12-09 21:14 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Intuit
2012-04-05 14:38 - 2012-04-17 19:18 - 0000000 ____D C:\Users\Owner\AppData\Local\IsolatedStorage
2012-04-05 14:37 - 2010-07-22 18:09 - 0000000 ____D C:\Program Files (x86)\TurboTax
2012-04-05 14:24 - 2012-04-17 19:12 - 0000000 ____D C:\50f23cf54d97311d3a
2012-04-05 14:16 - 2012-02-23 07:58 - 0000000 ____D C:\ProgramData\Intuit
2012-04-04 15:35 - 2012-03-26 14:32 - 0000000 ____D C:\Users\Owner\Desktop\Lasalle Track
2012-03-30 06:14 - 2007-08-07 13:43 - 0000000 ____D C:\New Folder
2012-03-26 14:11 - 2012-04-16 18:26 - 0000000 ____D C:\Users\Owner\Desktop\John Jay - Girls Var Lax

============ 3 Months Modified Files and Folders =============

2012-04-18 06:49 - 2010-08-14 07:22 - 4266414 ____A C:\Windows\ntbtlog.txt
2012-04-17 19:19 - 2008-03-16 10:27 - 1469548 ____A C:\Windows\WindowsUpdate.log
2012-04-17 19:19 - 2007-07-13 04:17 - 0000012 ____A C:\Windows\bthservsdp.dat
2012-04-17 19:19 - 2006-11-02 07:42 - 0032656 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-04-17 19:19 - 2006-11-02 07:42 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-04-17 19:19 - 2006-11-02 07:22 - 0003168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-04-17 19:19 - 2006-11-02 07:22 - 0003168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-04-17 19:15 - 2008-05-16 02:19 - 0000418 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{30FE25F4-0DF6-475A-8625-8F8D84DDB628}.job
2012-04-17 19:12 - 2012-04-17 19:12 - 0000000 __SHD C:\$RECYCLE.BIN
2012-04-17 18:48 - 2011-11-14 19:32 - 0000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-04-17 18:32 - 2012-04-17 18:32 - 0016804 ____A C:\ComboFix.txt
2012-04-17 18:32 - 2012-04-17 18:02 - 0000000 ____D C:\Qoobox
2012-04-17 18:32 - 2006-11-02 05:33 - 0000000 ___RD C:\users\Public
2012-04-17 18:30 - 2006-11-02 04:46 - 0005570 ____A C:\Windows\System32\PerfStringBackup.INI
2012-04-17 18:29 - 2012-04-17 18:02 - 0000000 ____D C:\Windows\ERDNT
2012-04-17 18:23 - 2011-11-14 19:32 - 0000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-04-17 18:23 - 2010-03-04 21:33 - 0820848 ____A C:\ProgramData\nvModes.dat
2012-04-17 18:23 - 2010-03-04 21:33 - 0820848 ____A C:\ProgramData\nvModes.001
2012-04-17 18:23 - 2008-03-16 13:59 - 0045056 ____A C:\Windows\System32\acovcnt.exe
2012-04-17 18:23 - 2006-11-02 04:34 - 0000215 ____A C:\Windows\system.ini
2012-04-17 18:22 - 2012-04-17 18:22 - 0000000 ___AH C:\Windows\System32\config\COMPONENTS.tmp.LOG2
2012-04-17 18:22 - 2012-04-17 18:22 - 0000000 ___AH C:\Windows\System32\config\COMPONENTS.tmp.LOG1
2012-04-17 18:22 - 2008-04-27 18:58 - 0076678 ____A C:\Windows\PFRO.log
2012-04-17 18:22 - 2006-11-02 04:33 - 83099648 ____A C:\Windows\System32\config\SOFTWARE.bak
2012-04-17 18:22 - 2006-11-02 04:33 - 4980736 ____A C:\Windows\System32\config\DEFAULT.bak
2012-04-17 18:22 - 2006-11-02 04:33 - 48758784 ____A C:\Windows\System32\config\COMPONENTS.bak
2012-04-17 18:22 - 2006-11-02 04:33 - 29622272 ____A C:\Windows\System32\config\SYSTEM.bak
2012-04-17 18:22 - 2006-11-02 04:33 - 0262144 ____A C:\Windows\System32\config\SECURITY.bak
2012-04-17 18:22 - 2006-11-02 04:33 - 0262144 ____A C:\Windows\System32\config\SAM.bak
2012-04-17 18:21 - 2012-04-17 18:21 - 0262144 ___AH C:\Windows\System32\config\SECURITY.tmp.LOG1
2012-04-17 18:21 - 2012-04-17 18:21 - 0000000 ___AH C:\Windows\System32\config\SYSTEM.tmp.LOG2
2012-04-17 18:21 - 2012-04-17 18:21 - 0000000 ___AH C:\Windows\System32\config\SYSTEM.tmp.LOG1
2012-04-17 18:21 - 2012-04-17 18:21 - 0000000 ___AH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
2012-04-17 18:21 - 2012-04-17 18:21 - 0000000 ___AH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
2012-04-17 18:21 - 2012-04-17 18:21 - 0000000 ___AH C:\Windows\System32\config\SECURITY.tmp.LOG2
2012-04-17 18:21 - 2012-04-17 18:21 - 0000000 ___AH C:\Windows\System32\config\SAM.tmp.LOG2
2012-04-17 18:21 - 2012-04-17 18:21 - 0000000 ___AH C:\Windows\System32\config\SAM.tmp.LOG1
2012-04-17 18:21 - 2012-04-17 18:21 - 0000000 ___AH C:\Windows\System32\config\DEFAULT.tmp.LOG2
2012-04-17 18:21 - 2012-04-17 18:21 - 0000000 ___AH C:\Windows\System32\config\DEFAULT.tmp.LOG1
2012-04-17 17:46 - 2012-04-17 17:46 - 0000159 ____A C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2012-04-16 18:27 - 2012-04-16 18:27 - 0000000 ____D C:\Users\Owner\AppData\Local\YoYo_Games_Ltd
2012-04-16 18:27 - 2012-04-16 17:58 - 0000000 ____D C:\Users\Owner\AppData\Roaming\GameMaker
2012-04-16 18:26 - 2008-07-13 04:59 - 0000000 ___RD C:\Users\Owner\Desktop\Games
2012-04-16 17:59 - 2012-04-16 17:59 - 0000000 ____D C:\Users\Owner\AppData\Local\GameMaker8.1
2012-04-16 17:58 - 2012-04-16 17:58 - 0000000 ____D C:\Users\Owner\GameMaker 8.1
2012-04-16 17:58 - 2008-04-04 19:43 - 0000000 ____D C:\users\Owner
2012-04-16 17:46 - 2012-04-16 17:46 - 0000000 ____D C:\Users\Owner\AppData\Local\Humanbalance
2012-04-16 17:46 - 2012-04-16 17:46 - 0000000 ____D C:\Program Files (x86)\GraphicsGale FreeEdition
2012-04-16 15:27 - 2011-07-30 13:40 - 0000000 ____D C:\Users\Owner\AppData\Local\PMB Files
2012-04-15 17:43 - 2012-03-07 19:58 - 0000000 ____D C:\Users\Owner\AppData\Roaming\.techniclauncher
2012-04-06 05:29 - 2006-11-02 07:21 - 2407224 ____A C:\Windows\System32\FNTCACHE.DAT
2012-04-05 20:15 - 2012-04-05 14:51 - 0000000 ____D C:\Users\Owner\Documents\TurboTax
2012-04-05 14:44 - 2012-04-05 14:44 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Intuit
2012-04-05 14:44 - 2011-04-23 17:46 - 0134736 ____A C:\Users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
2012-04-05 14:40 - 2012-04-05 14:16 - 0000000 ____D C:\ProgramData\Intuit
2012-04-05 14:38 - 2012-04-05 14:38 - 0000000 ____D C:\Users\Owner\AppData\Local\IsolatedStorage
2012-04-05 14:37 - 2012-04-05 14:37 - 0000000 ____D C:\Program Files (x86)\TurboTax
2012-04-05 14:25 - 2012-04-05 14:24 - 0000000 ____D C:\50f23cf54d97311d3a
2012-04-05 05:23 - 2008-04-16 19:08 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Adobe
2012-04-04 15:38 - 2012-04-04 15:35 - 0000000 ____D C:\Users\Owner\Desktop\Lasalle Track
2012-04-04 10:34 - 2009-03-10 16:17 - 0000229 ____A C:\Windows\NeroDigital.ini
2012-04-04 10:34 - 2008-10-19 08:12 - 0000079 ____A C:\Users\Owner\AppData\default.pls
2012-04-04 10:25 - 2011-04-26 22:28 - 0079872 ____A C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-03-31 14:19 - 2010-07-22 18:12 - 0000000 ____D C:\Users\Owner\AppData\Roaming\uTorrent
2012-03-30 11:21 - 2009-02-08 09:48 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-30 11:13 - 2011-06-26 18:47 - 0001460 ____A C:\Users\Owner\AppData\Local\d3d9caps64.dat
2012-03-30 06:14 - 2012-03-30 06:14 - 0000000 ____D C:\New Folder
2012-03-29 22:13 - 2009-05-08 18:20 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Orbit
2012-03-26 14:32 - 2012-03-26 14:11 - 0000000 ____D C:\Users\Owner\Desktop\John Jay - Girls Var Lax
2012-03-26 11:05 - 2012-02-15 20:07 - 0000000 ____D C:\Users\Owner\Desktop\New Folder (2)
2012-03-17 20:51 - 2011-07-30 13:40 - 0000000 ____D C:\ProgramData\PMB Files
2012-03-15 06:27 - 2012-02-12 11:31 - 0000000 ____D C:\New Folder (3)
2012-03-11 16:37 - 2008-07-12 18:34 - 0000000 ____D C:\Program Files (x86)\Steam
2012-03-10 19:32 - 2012-03-10 19:32 - 0000000 ____D C:\Users\Owner\AppData\Local\Chromium
2012-03-10 19:31 - 2012-03-10 19:30 - 0000000 ____D C:\Users\Owner\Documents\BrawlBusters
2012-03-10 19:04 - 2012-03-10 19:04 - 0327348 ____A C:\Users\Owner\AppData\Local\dd_vcredistMSI4A4C.txt
2012-03-10 19:04 - 2012-03-10 19:03 - 0011126 ____A C:\Users\Owner\AppData\Local\dd_vcredistUI4A4C.txt
2012-03-08 20:19 - 2008-11-26 17:03 - 0000000 ____D C:\Users\Owner\Documents\NeroVision
2012-03-05 19:46 - 2012-03-05 18:41 - 0000000 ____D C:\Users\Owner\AppData\Roaming\GlarySoft
2012-03-03 17:31 - 2009-09-29 17:57 - 0000000 ____D C:\Users\Owner\Documents\Funny Crap-ola
2012-02-23 08:03 - 2012-02-23 08:03 - 0000000 ____D C:\Program Files (x86)\Hewlett-Packard
2012-02-23 08:03 - 2012-02-23 07:58 - 0139602 ____A C:\Windows\hpoins21.dat
2012-02-23 08:02 - 2012-02-23 08:02 - 0000000 ____D C:\ProgramData\Hewlett-Packard
2012-02-23 07:59 - 2012-02-23 07:59 - 0000000 ____D C:\Program Files (x86)\HP
2012-02-23 07:58 - 2012-02-23 07:58 - 0000000 ____D C:\ProgramData\HP
2012-02-21 14:18 - 2011-07-30 19:22 - 0000000 ____D C:\Users\Owner\riotsGamesLogs
2012-02-19 23:26 - 2012-02-19 23:25 - 0000000 ____D C:\Users\Owner\Documents\Great but inaprop
2012-02-19 23:20 - 2012-02-19 23:20 - 0000000 ____D C:\Users\Owner\Documents\Worth keeping
2012-02-19 21:11 - 2012-02-19 21:11 - 53636410 ____A C:\Users\Owner\Desktop\The Fantastic Flying Books of Mr. Morris Lessmore (2011).flv
2012-02-17 18:52 - 2011-01-30 13:39 - 0003706 ____A C:\Windows\setupact.log
2012-02-16 20:13 - 2012-02-16 20:07 - 0000000 ____D C:\Users\Owner\Desktop\New podcasts to go
2012-02-15 20:54 - 2011-09-01 17:52 - 0000000 ____D C:\Users\Owner\Calibre Library
2012-02-15 20:26 - 2011-09-01 17:52 - 0000000 ____D C:\Users\Owner\AppData\Roaming\calibre
2012-02-09 15:53 - 2012-02-09 15:53 - 0285440 ____A C:\Windows\Minidump\Mini020912-01.dmp
2012-02-09 15:53 - 2011-12-30 10:59 - 613288000 ____A C:\Windows\MEMORY.DMP
2012-02-09 15:53 - 2009-01-07 08:42 - 0000000 ____D C:\Windows\Minidump
2012-02-05 09:27 - 2012-02-05 09:27 - 0000000 ____D C:\Program Files\Ventrilo
2012-02-05 09:27 - 2012-02-05 09:26 - 0000262 ____A C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
2012-02-03 23:20 - 2008-11-15 11:33 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Media Player Classic
2012-02-02 18:44 - 2011-01-29 13:28 - 0000000 ____D C:\Users\Owner\AppData\Roaming\.minecraft
2012-02-02 09:50 - 2008-11-15 11:31 - 0000000 ____D C:\Program Files (x86)\Combined Community Codec Pack
2012-01-28 18:37 - 2012-01-21 19:15 - 0000000 ____D C:\Users\Owner\AppData\Local\Artemis
2012-01-23 13:18 - 2012-01-23 13:18 - 0000000 ____D C:\Program Files (x86)\LSoft Technologies
2012-01-23 13:18 - 2008-03-16 13:23 - 0000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-01-21 19:15 - 2012-01-21 19:13 - 66279142 ____A (Thom Robertson) C:\Users\Owner\Downloads\Artemis_full_v1_60.exe


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe
[2008-07-29 16:10] - [2008-01-19 00:00] - 0406016 ____A (Microsoft Corporation) 856491FCED98093D824B9EB2892F564A

C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe
[2008-12-19 10:18] - [2008-10-28 22:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D

C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2008-07-29 16:11] - [2008-01-19 00:04] - 0820224 ____A (Microsoft Corporation) 32B87D215905F648EBE36A621978442C

C:\Windows\SysWOW64\User32.dll
[2008-07-29 16:11] - [2008-01-18 23:32] - 0648192 ____A (Microsoft Corporation) 3D691030DBD3BD75DE1501BE54F0D425

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 16%
Total physical RAM: 4094.36 MB
Available physical RAM: 3398.88 MB
Total Pagefile: 3906.29 MB
Available Pagefile: 3410.65 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (Vista64) (Fixed) (Total:149.04 GB) (Free:18.93 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (DATA) (Fixed) (Total:140.25 GB) (Free:19.98 GB) NTFS
3 Drive e: (2008.03.29_2201) (CDROM) (Total:0.15 GB) (Free:0 GB) UDF
4 Drive f: (USB20FD) (Removable) (Total:0.96 GB) (Free:0.96 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 984 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 9 GB 1024 KB
Partition 2 Primary 149 GB 9 GB
Partition 0 Extended 140 GB 158 GB
Partition 3 Logical 140 GB 158 GB

======================================================================================================

Disk: 0
Partition 1
Type : 1C
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C Vista64 NTFS Partition 149 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D DATA NTFS Partition 140 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 984 MB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0E
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F USB20FD FAT Removable 984 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-04-17 18:29

======================= End Of Log ==========================

Thank you, again, Gringo!

Woodstock.

#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 19 April 2012 - 08:03 PM

Hello

GREAT JOB!!!!!!! :thumbsup:


Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

SubSystems: [Windows] ==> ZeroAccess
2 cxusb; C:\Windows\System32\e1000.dll [6656 2008-01-19] (Oak Technology Inc.)
C:\Windows\System32\e1000.dll
NETSVC: cxusb


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




Proud Graduate Of Malware Removal University
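Why the laptop stopped booting after ComboFix, as an added example (this is not FRST's code and not part of the original thread): the ZeroAccess variant referenced by the fixlist's SubSystems: [Windows] line edits the Session Manager\SubSystems\Windows value so that csrss.exe loads its console server from consrv.dll instead of winsrv.dll. A cleaner that deletes consrv.dll without restoring the value leaves a dangling ServerDll reference, and the next boot fails with STOP c0000135 "consrv was not found", which is exactly what the FRST directive repairs. The Python below parses such a value, flags any ServerDll outside the stock set, and reports references to files that are no longer present in System32. The stock value string and the System32 file listings are constructed sample data (assumption: Vista/7 x64 layout; the exact string varies by build, so compare against a clean machine of the same version), and all function and constant names are this example's own.

```python
"""Audit the Session Manager\\SubSystems\\Windows value for a ZeroAccess-style
ServerDll hijack (the consrv.dll trick) and for dangling ServerDll references.

Added example, not FRST's code. STOCK_VALUE and the System32 file sets are
constructed sample data (assumption: Vista/7 x64 layout)."""
import re

# Modules that legitimately appear as ServerDll= on Vista/7 (assumption: stock layout).
STOCK_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Matches ServerDll=<module>[:<entrypoint>],<index>
SERVERDLL_RE = re.compile(r"ServerDll=([A-Za-z0-9_]+)(?::([A-Za-z0-9_]+))?,(\d+)")

# Constructed known-good value for Vista/7; confirm against a clean machine of the same build.
STOCK_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)

# Constructed hijacked value: the console server entry now points at consrv.dll.
HIJACKED_VALUE = STOCK_VALUE.replace(
    "winsrv:ConServerDllInitialization", "consrv:ConServerDllInitialization"
)

# Constructed System32 listings (lower-case file names).
STOCK_FILES = {"csrss.exe", "basesrv.dll", "winsrv.dll", "sxssrv.dll"}
INFECTED_FILES = STOCK_FILES | {"consrv.dll"}   # rootkit active, machine still boots
HALF_CLEANED_FILES = STOCK_FILES                 # consrv.dll deleted, value not restored


def parse_server_dlls(value):
    """Return [(module, entrypoint_or_None, index), ...] in the order they appear."""
    return [(m.group(1).lower(), m.group(2), int(m.group(3)))
            for m in SERVERDLL_RE.finditer(value)]


def audit_subsystems_value(value, system32_files):
    """Return human-readable findings; an empty list means the value looks stock."""
    findings = []
    for module, entry, idx in parse_server_dlls(value):
        if module not in STOCK_SERVER_DLLS:
            findings.append(
                f"non-stock ServerDll '{module}' at index {idx} (entry {entry})")
        if f"{module}.dll" not in system32_files:
            # csrss cannot start without every ServerDll it is told to load; that is
            # the STOP c0000135 "Unable To Locate Component" seen in this thread.
            findings.append(
                f"ServerDll '{module}.dll' missing from System32: "
                "csrss will fail with STOP c0000135")
    return findings


def restore_console_server(value):
    """Point the ConServerDllInitialization entry back at winsrv (its home on Vista/7)."""
    return re.sub(r"ServerDll=[A-Za-z0-9_]+:ConServerDllInitialization,(\d+)",
                  r"ServerDll=winsrv:ConServerDllInitialization,\1", value)


if __name__ == "__main__":
    cases = [("stock", STOCK_VALUE, STOCK_FILES),
             ("infected", HIJACKED_VALUE, INFECTED_FILES),
             ("half-cleaned", HIJACKED_VALUE, HALF_CLEANED_FILES)]
    for label, value, files in cases:
        print(f"{label}: {audit_subsystems_value(value, files) or 'OK'}")
    print("restored == stock:", restore_console_server(HIJACKED_VALUE) == STOCK_VALUE)
```

To check a real machine from a System Recovery Options command prompt, load the offline hive with `reg load HKLM\Offline C:\Windows\System32\config\SYSTEM`, read the value with `reg query "HKLM\Offline\ControlSet001\Control\Session Manager\SubSystems" /v Windows`, and feed that string plus a `dir C:\Windows\System32` listing to audit_subsystems_value. The "half-cleaned" case is the one this thread is in: a non-stock module that no longer exists on disk, which restore_console_server (or the FRST directive) fixes by pointing the console server back at winsrv.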

#15 woodstock107

  • Topic Starter
  • Members
  • 18 posts

Posted 19 April 2012 - 08:23 PM

Awesome! Thanks!

Here's the Fixlog text:

Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 16-04-2012
Ran by SYSTEM at 2012-04-19 21:20:37 R:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
cxusb service deleted successfully.
C:\Windows\System32\e1000.dll moved successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs cxusb Deleted successfully.

==== End of Fixlog ====

Thanks again!



