
STOP: C0000135


7 replies to this topic

#1 george_d

  • Members

Posted 21 April 2012 - 10:10 AM

Working on a client's Lenovo A70 All-in-One running Windows 7 Professional.

WD hard drive crashed with SMART code failures reporting I/O errors. Had drive contents professionally recovered to a stable drive. When booting from new drive, got the above STOP 135.

I have tried:

1) System startup repair. No luck.
1.5) Ran chkdsk /r. Found some errors and corrected. Rebooted and got same stop code 135.
1.6) Ran SFC /scannow. It reports one or more corrupted system files and reports creating the CBS.log but I can not locate the log file. It is not in the suggested location of windows\logs\cbs. Strange?
2) Scan drive with AVG AV Scanner booted from CD. Found Backdoor.Gneric14 in desktop.ini (both 64 bit and 32 bit version). AVG reports both were healed. Rebooted and still getting above error.
3) A number of blogs suggested that missing %hs is related to AVG AV. Searched for way to uninstall AVG from recovery console when unable to boot. Couldn't find anything.

Any guidance or help would be appreciated. george_d.

Edited by hamluis, 21 April 2012 - 02:19 PM.
Moved from Win 7 to Am I Infected, Hamluis.



#2 narenxp

  • BC Advisor

Posted 21 April 2012 - 10:18 AM

This can be easily fixed. Let me ask someone to help you.

Good luck.

#3 Farbar

  • Security Developer

Posted 21 April 2012 - 05:05 PM

Hi george_d,

Welcome to Bleeping Computer.

I'll move the topic to the appropriate forum and assist you from there.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

#4 george_d


Posted 21 April 2012 - 06:24 PM

Here is the frst.txt.

thanks for your assistance. Much appreciated. george_d

Scan result of Farbar Recovery Scan Tool Version: 19-04-2012
Ran by SYSTEM at 21-04-2012 18:18:56
Running from G:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Daemon for Mouse Suite] C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.EXE 60 [99840 2010-07-29] (Primax Electronics Ltd.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [165912 2009-09-01] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [387608 2009-09-01] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [365592 2009-09-01] (Intel Corporation)
HKLM\...\Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" [57928 2010-09-17] (LogMeIn, Inc.)
HKLM\...\Run: [bcsea] rundll32.exe "C:\Windows\TEMP\bcsea.dll",LoadMeshFromXInMemory [x]
HKLM\...\Run: [mshgc] rundll32.exe "C:\Windows\TEMP\mshgc.dll",BAOCloseFile [x]
HKLM-x32\...\Run: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor [769024 2009-09-21] (Lenovo Group Limited)
HKLM-x32\...\Run: [Power Manager Power Agenda] C:\PROGRA~2\ThinkPad\UTILIT~1\DPMHost.exe [72256 2009-10-16] ()
HKLM-x32\...\Run: [Message Center Plus] C:\Program Files (x86)\LENOVO\Message Center Plus\MCPLaunch.exe /start [49976 2009-05-27] ()
HKLM-x32\...\Run: [Lenovo Registration] C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe /boot [4309184 2011-02-09] (Lenovo, Inc.)
HKLM-x32\...\Run: [dplaysvr] C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe [x]
HKLM-x32\...\Run: [daDyaeJQgtiFQ.exe] C:\ProgramData\daDyaeJQgtiFQ.exe [x]
HKLM-x32\...\Run: [QkqnRvQCEE.exe] C:\ProgramData\QkqnRvQCEE.exe [x]
HKU\mbratton\...\Run: [Update] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\Adobe\sgpeue.dll",DllRegisterServer [x]
HKU\mbratton\...\Run: [bdebdacafadct] "C:\ProgramData\bdebdacafadct.exe" [x]
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.10 192.168.0.1 204.127.202.4 216.148.227.68
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 LMIGuardianSvc; "C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe" [375176 2012-02-08] (LogMeIn, Inc.)
2 LMIMaint; "C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe" [147336 2012-02-08] (LogMeIn, Inc.)
2 LogMeIn; "C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe" [407424 2010-11-08] (LogMeIn, Inc.)
2 PelService; C:\Program Files\Lenovo\Lenovo Mouse Suite\PelService.exe [177152 2010-04-21] ()
2 Power Manager DBC Service; "C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE" [72256 2009-10-16] (Lenovo)
2 SAAZappr; "C:\PROGRA~2\SAAZOD\zRealTime\SAAZappr.exe" SAAZappr [82760 2011-10-14] (Zenith Infotech Ltd)
2 SAAZapsc; "C:\PROGRA~2\SAAZOD\zRealTime\SAAZapsc.exe" SAAZapsc [82760 2011-10-14] (Zenith Infotech Ltd)
2 SAAZDPMACTL; "C:\PROGRA~2\SAAZOD\SAAZDPMACTL.exe" [86856 2011-09-29] (Zenith Infotech Ltd)
2 SAAZRemoteSupport; "C:\PROGRA~2\SAAZOD\SAAZRemoteSupport.exe" [78664 2011-09-29] (Zenith Infotech Ltd)
2 SAAZScheduler; "C:\PROGRA~2\SAAZOD\SAAZScheduler.exe" [77824 2011-09-28] (Zenith Infotech Ltd)
2 SAAZServerPlus; "C:\PROGRA~2\SAAZOD\SAAZServerPlus.exe" [77824 2009-04-30] (Zenith Infotech Ltd)
2 SAAZWatchDog; "C:\PROGRA~2\SAAZOD\SAAZWatchDog.exe" [86856 2011-09-29] (Zenith Infotech Ltd)
2 ThinkVantage Registry Monitor Service; "C:\Program Files (x86)\Common Files\Lenovo\tvt_reg_monitor_svc.exe" [1019904 2009-08-28] (Lenovo Group Limited)
3 TVT Backup Service; "C:\Program Files (x86)\Lenovo\Rescue and Recovery\rrservice.exe" [1475896 2010-07-29] (Lenovo Group Limited)
2 VIPAppService; "C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe" [82544 2011-07-12] (Symantec Corporation)
2 SPService; C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\sp.DLL [x]
2 SUService; "c:\Program Files (x86)\Lenovo\System Update\SUService.exe" [x]

========================== Drivers (Whitelisted) =============

3 dmvsc; C:\Windows\System32\Drivers\dmvsc.sys [71168 2010-11-20] (Microsoft Corporation)
2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [15928 2010-09-17] (LogMeIn, Inc.)
3 lmimirr; C:\Windows\System32\Drivers\lmimirr.sys [11552 2010-09-17] (LogMeIn, Inc.)
2 LMIRfsDriver; C:\Windows\System32\Drivers\LMIRfsDriver.sys [72216 2010-09-17] (LogMeIn, Inc.)
3 psadd; C:\Windows\System32\Drivers\psadd.sys [40512 2009-07-01] (Lenovo (United States) Inc.)
3 TPM; C:\Windows\System32\Drivers\TPM.sys [38400 2009-07-13] (Microsoft Corporation)
3 TsUsbGD; C:\Windows\System32\Drivers\TsUsbGD.sys [31232 2010-11-20] (Microsoft Corporation)
4 LMIRfsClientNP; [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-04-21 18:18 - 2012-04-20 09:23 - 0000000 ____D C:\FRST
2012-04-21 13:01 - 2011-02-15 01:42 - 3735235 ____A C:\CBS.log
2012-04-20 11:25 - 2009-07-13 17:39 - 0586728 ____A C:\Windows\ntbtlog.txt
2012-04-20 09:23 - 2009-07-13 21:08 - 0000000 __SHD C:\found.000
2012-04-16 04:04 - 2012-04-16 04:12 - 0000168 ____A C:\Users\All Users\-UNqbZsqk5NQvDjr
2012-04-16 04:04 - 2012-04-16 04:12 - 0000168 ____A C:\ProgramData\-UNqbZsqk5NQvDjr
2012-04-16 04:04 - 2012-01-05 12:50 - 0000658 ____A C:\Users\mbratton\Desktop\SMART_HDD.lnk
2012-04-16 04:04 - - 0000000 ____A C:\Users\All Users\-UNqbZsqk5NQvDj
2012-04-16 04:04 - - 0000000 ____A C:\ProgramData\-UNqbZsqk5NQvDj
2012-04-16 04:03 - 2011-06-25 11:33 - 0000256 ____A C:\Users\All Users\UNqbZsqk5NQvDj
2012-04-16 04:03 - 2011-06-25 11:33 - 0000256 ____A C:\ProgramData\UNqbZsqk5NQvDj
2012-04-16 04:02 - 2012-04-16 04:02 - 0065536 __ASH C:\Windows\System32\config\components{88ff8e1d-e9e9-11e0-9b77-f80f41236d59}.TxR.blf
2012-04-14 16:50 - 2012-03-17 21:37 - 0000000 ____D C:\Windows\Minidump
2012-04-14 16:50 - 2011-06-25 11:21 - 517475182 ____A C:\Windows\MEMORY.DMP
2012-04-14 16:50 - - 0277080 ____A C:\Windows\Minidump\041412-67532-01.dmp
2012-04-14 16:18 - 2009-07-13 21:08 - 0000000 ____D C:\Users\All Users\F4D55F3B000435DB000380EEB4EB2331
2012-04-14 16:18 - 2009-07-13 21:08 - 0000000 ____D C:\ProgramData\F4D55F3B000435DB000380EEB4EB2331
2012-04-13 12:10 - 2012-04-17 04:49 - 0000000 ____D C:\Windows\system64
2012-04-13 08:45 - 2011-11-28 11:10 - 0000000 ____D C:\Program Files\Hewlett-Packard
2012-04-13 08:45 - 2009-06-10 12:30 - 0000000 ____A C:\Windows\HPMProp.INI
2012-04-13 08:44 - 2011-02-09 09:24 - 0507904 ____A (HP) C:\Windows\SysWOW64\hpcdmc32.dll
2012-04-13 08:44 - 2011-02-09 09:17 - 0384000 ____A (Hewlett-Packard) C:\Windows\System32\hpmml112.dll
2012-04-13 08:44 - 2011-02-09 09:17 - 0309760 ____A (Hewlett-Packard) C:\Windows\System32\hpmpm081.dll
2012-04-13 08:44 - 2011-02-09 09:16 - 0352256 ____A (Hewlett-Packard) C:\Windows\System32\hpmja112.dll
2012-04-13 08:44 - 2011-02-09 09:16 - 0271872 ____A (Hewlett-Packard) C:\Windows\System32\hpmtp112.dll
2012-04-13 08:44 - 2011-02-09 09:16 - 0193592 ____A (Hewlett-Packard) C:\Windows\System32\hppdcompio.dll
2012-04-13 08:44 - 2011-02-09 00:57 - 0218112 ____A (Hewlett-Packard) C:\Windows\System32\hpmpw081.dll
2012-04-13 08:44 - 2010-09-19 11:51 - 0022016 ____A (Hewlett-Packard Company) C:\Windows\System32\hppmopjl.dll
2012-04-13 08:44 - 2010-04-23 03:18 - 0167480 ____A (Hewlett-Packard) C:\Windows\SysWOW64\hppccompio.dll
2012-04-13 08:44 - 2009-07-13 17:40 - 0060440 ____A (Hewlett-Packard) C:\Windows\System32\FxCompChannel_x64.dll
2012-04-13 08:44 - 2009-07-13 17:14 - 0321536 ____A (Hewlett Packard Corporation) C:\Windows\SysWOW64\hpcc3112.dll
2012-04-13 08:44 - 2006-06-06 15:37 - 0286720 ____A (Hewlett-Packard Corporation) C:\Windows\System32\hpcpn112.dll
2012-04-13 08:40 - 2011-11-28 11:10 - 0000000 ____D C:\Program Files (x86)\HP
2012-04-13 03:08 - 2011-09-30 04:58 - 0020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-04-10 07:05 - 2012-03-08 13:10 - 0194358 ___AT C:\Users\mbratton\Desktop\Legacy BoF site map.pdf
2012-04-05 06:12 - 2011-12-01 14:38 - 0200086 ____A C:\Users\mbratton\Desktop\Copy of Rivers Edge EDITED.xlsx
2012-04-03 07:07 - 2012-04-05 06:35 - 0044544 ____A C:\Users\mbratton\Desktop\2012 Referrals.xls
2012-03-23 10:36 - 2010-02-05 05:04 - 0474112 ____A C:\Users\mbratton\Desktop\District A, 12-1-2009.xls
2012-03-22 12:59 - 2012-02-23 06:07 - 0185806 ____A C:\Users\mbratton\Desktop\boat insurance.jpg

============ 3 Months Modified Files and Folders =============

2012-04-21 13:13 - 2012-04-21 13:01 - 3735235 ____A C:\CBS.log
2012-04-21 11:31 - 2009-07-13 20:45 - 0341032 ____A C:\Windows\System32\FNTCACHE.DAT
2012-04-21 11:30 - 2011-06-25 11:11 - 3118391296 __ASH C:\hiberfil.sys
2012-04-21 10:17 - 2012-04-20 11:25 - 0586728 ____A C:\Windows\ntbtlog.txt
2012-04-20 09:23 - 2012-04-20 09:23 - 0000000 __SHD C:\found.000
2012-04-19 06:37 - 2011-09-28 07:20 - 0000000 ____D C:\Users\mbratton\Desktop\Funny things to read
2012-04-19 06:19 - 2009-07-13 19:18 - 0000000 __SHD C:\$Recycle.Bin
2012-04-17 04:28 - 2012-04-14 16:18 - 0000000 ____D C:\Users\All Users\F4D55F3B000435DB000380EEB4EB2331
2012-04-17 04:28 - 2012-04-14 16:18 - 0000000 ____D C:\ProgramData\F4D55F3B000435DB000380EEB4EB2331
2012-04-16 06:51 - 2011-09-29 16:01 - 0000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-04-16 06:51 - 2011-09-29 16:01 - 0000000 ____D C:\ProgramData\Spybot - Search & Destroy
2012-04-16 06:51 - 2011-09-28 07:31 - 0000000 ____D C:\Program Files (x86)\SAAZOD
2012-04-16 06:51 - 2011-09-28 07:13 - 0000000 ____D C:\users\administrator
2012-04-16 06:51 - 2011-09-28 07:08 - 0000000 ____D C:\users\mbratton
2012-04-16 06:51 - 2011-09-28 02:13 - 0000000 ____D C:\users\Mike
2012-04-16 06:50 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\registration
2012-04-16 04:13 - 2011-06-25 11:17 - 1599079 ____A C:\Windows\WindowsUpdate.log
2012-04-16 04:12 - 2012-04-16 04:04 - 0000168 ____A C:\Users\All Users\-UNqbZsqk5NQvDjr
2012-04-16 04:12 - 2012-04-16 04:04 - 0000168 ____A C:\ProgramData\-UNqbZsqk5NQvDjr
2012-04-16 04:12 - 2012-04-16 04:04 - 0000000 ____A C:\Users\All Users\-UNqbZsqk5NQvDj
2012-04-16 04:12 - 2012-04-16 04:04 - 0000000 ____A C:\ProgramData\-UNqbZsqk5NQvDj
2012-04-16 04:12 - 2012-04-16 04:03 - 0000256 ____A C:\Users\All Users\UNqbZsqk5NQvDj
2012-04-16 04:12 - 2012-04-16 04:03 - 0000256 ____A C:\ProgramData\UNqbZsqk5NQvDj
2012-04-16 04:10 - 2011-11-02 04:33 - 0000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-04-16 04:09 - 2009-07-13 21:08 - 0000006 ____A C:\Windows\Tasks\SA.DAT
2012-04-16 04:09 - 2009-07-13 20:51 - 0049687 ____A C:\Windows\setupact.log
2012-04-16 04:04 - 2012-04-16 04:04 - 0000658 ____A C:\Users\mbratton\Desktop\SMART_HDD.lnk
2012-04-16 04:02 - 2012-04-16 04:02 - 0065536 __ASH C:\Windows\System32\config\components{88ff8e1d-e9e9-11e0-9b77-f80f41236d59}.TxR.blf
2012-04-16 03:58 - 2009-07-13 20:45 - 0031296 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-04-16 03:58 - 2009-07-13 20:45 - 0031296 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-04-16 03:54 - 2011-09-28 08:16 - 0000000 ____D C:\Users\All Users\LogMeIn
2012-04-16 03:54 - 2011-09-28 08:16 - 0000000 ____D C:\ProgramData\LogMeIn
2012-04-16 03:53 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\config\TxR
2012-04-15 15:31 - 2011-09-29 16:01 - 0000000 ____D C:\Program Files (x86)\SAAZSBE
2012-04-15 14:53 - 2011-11-02 04:33 - 0000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-04-15 09:01 - 2009-07-13 18:34 - 0000533 ____A C:\Windows\win.ini
2012-04-14 21:04 - 2011-09-28 19:14 - 0000128 ____A C:\Windows\System32\config\netlogon.ftl
2012-04-14 20:05 - 2009-07-13 18:34 - 0000855 ____R C:\Windows\System32\Drivers\etc\hosts
2012-04-14 19:47 - 2010-11-20 19:47 - 0034290 ____A C:\Windows\PFRO.log
2012-04-14 16:51 - 2012-04-14 16:50 - 0277080 ____A C:\Windows\Minidump\041412-67532-01.dmp
2012-04-14 16:50 - 2012-04-14 16:50 - 517475182 ____A C:\Windows\MEMORY.DMP
2012-04-14 16:50 - 2012-04-14 16:50 - 0000000 ____D C:\Windows\Minidump
2012-04-13 12:10 - 2012-04-13 12:10 - 0000000 ____D C:\Windows\system64
2012-04-13 08:45 - 2012-04-13 08:45 - 0000000 ____D C:\Program Files\Hewlett-Packard
2012-04-13 08:45 - 2012-04-13 08:45 - 0000000 ____A C:\Windows\HPMProp.INI
2012-04-13 08:45 - 2009-07-13 21:13 - 0726316 ____A C:\Windows\System32\PerfStringBackup.INI
2012-04-13 08:40 - 2012-04-13 08:40 - 0000000 ____D C:\Program Files (x86)\HP
2012-04-13 07:49 - 2012-02-16 07:16 - 0062976 ____A C:\Users\mbratton\Desktop\Enhancement template Nov 2006.01.xls
2012-04-13 03:06 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\sysprep
2012-04-11 21:04 - 2011-09-28 07:32 - 0003423 ____A C:\Windows\SysWOW64\ipstuffNew.txt
2012-04-11 07:37 - 2012-04-03 07:07 - 0044544 ____A C:\Users\mbratton\Desktop\2012 Referrals.xls
2012-04-10 07:05 - 2012-04-10 07:05 - 0194358 ___AT C:\Users\mbratton\Desktop\Legacy BoF site map.pdf
2012-04-05 06:35 - 2011-11-04 07:22 - 0189157 ____A C:\Users\mbratton\Desktop\2012 master.xlsx
2012-04-05 06:26 - 2012-04-05 06:12 - 0200086 ____A C:\Users\mbratton\Desktop\Copy of Rivers Edge EDITED.xlsx
2012-03-23 11:14 - 2011-09-28 07:19 - 0000000 ____D C:\Users\mbratton\Desktop\Contracts
2012-03-23 11:02 - 2012-03-23 10:36 - 0474112 ____A C:\Users\mbratton\Desktop\District A, 12-1-2009.xls
2012-03-22 12:59 - 2012-03-22 12:59 - 0185806 ____A C:\Users\mbratton\Desktop\boat insurance.jpg
2012-03-22 07:30 - 2011-09-28 07:20 - 0050688 ____A C:\Users\mbratton\Desktop\Home Unit Billing.xls
2012-03-21 10:09 - 2011-09-28 07:30 - 0000000 ____D C:\Program Files (x86)\SetupLogs
2012-03-08 13:10 - 2012-03-08 13:10 - 0038351 ____A C:\Users\mbratton\Desktop\Lakes-2008 revision.pdf
2012-03-05 08:39 - 2012-03-05 08:18 - 0012722 ____A C:\Users\mbratton\Desktop\2012 Spring Color Schedule.xlsx
2012-03-05 05:05 - 2012-03-05 05:05 - 0040758 ____A C:\Users\mbratton\Desktop\Christie Ranch, 5-1-08.pdf
2012-03-01 05:40 - 2012-03-01 05:27 - 0015099 ____A C:\Users\mbratton\Desktop\Good Morning and welcome to the semi.docx
2012-02-23 06:07 - 2012-02-15 14:33 - 0012735 ____A C:\Users\mbratton\Desktop\Bank of America Summary.xlsx
2012-02-16 22:38 - 2012-03-17 21:23 - 1031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-02-16 21:34 - 2012-03-17 21:23 - 0826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-02-16 20:58 - 2012-03-17 21:23 - 0210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-02-16 20:57 - 2012-03-17 21:23 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-02-15 13:50 - 2011-10-31 13:04 - 0000000 ____D C:\Users\mbratton\AppData\Local\Microsoft Help
2012-02-15 13:03 - 2011-09-29 16:01 - 0000000 ____D C:\Windows\SetupLogs
2012-02-09 14:52 - 2011-09-28 07:20 - 0089088 ____A C:\Users\mbratton\Desktop\2010-Maintenance Client Contacts.xls
2012-02-08 04:01 - 2011-09-28 08:16 - 0087456 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll
2012-02-08 04:01 - 2011-09-28 08:16 - 0080768 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll
2012-02-08 04:01 - 2011-09-28 08:16 - 0034688 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIport.dll
2012-02-08 04:01 - 2011-09-28 08:15 - 0000000 ____D C:\Program Files (x86)\LogMeIn
2012-01-30 13:50 - 2012-01-30 13:50 - 0000000 ____D C:\Users\mbratton\AppData\Local\{CA9749A6-191B-4AD3-8C4E-6B7977D886FA}
2012-01-30 13:50 - 2012-01-30 13:48 - 0000000 ____D C:\Users\mbratton\AppData\Local\Windows Live
2012-01-30 13:49 - 2012-01-30 13:48 - 0000000 ____D C:\Users\mbratton\AppData\Local\{F487DBFB-EB25-480B-BAD8-32753A08D0DB}
2012-01-30 13:49 - 2012-01-30 13:48 - 0000000 ____D C:\Users\mbratton\AppData\Local\{3287F851-C459-4F7D-9FE0-C330B0A09AD0}
2012-01-30 13:48 - 2012-01-30 13:48 - 0000000 ____D C:\Users\mbratton\AppData\Local\{B7323A0E-B875-4E72-8AB7-4F4659FE886E}
2012-01-30 04:58 - 2011-09-28 07:20 - 0002413 ____A C:\Users\mbratton\Desktop\Maint. Payroll Summary.lnk
2012-01-30 04:02 - 2012-01-30 04:02 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-01-24 22:38 - 2012-03-18 21:09 - 0149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-01-24 22:38 - 2012-03-18 21:09 - 0077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-01-24 22:33 - 2012-03-18 21:09 - 0009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 3965.24 MB
Available physical RAM: 3339.61 MB
Total Pagefile: 3963.44 MB
Available Pagefile: 3321.49 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (Windows7_OS) (Fixed) (Total:287.15 GB) (Free:235.54 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (Lenovo_Recovery) (Fixed) (Total:9.76 GB) (Free:2.9 GB) NTFS
3 Drive f: (GSP1RMCHPXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
4 Drive g: () (Removable) (Total:0.95 GB) (Free:0.95 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM_DRV) (Fixed) (Total:1.17 GB) (Free:0.45 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 977 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1200 MB 1024 KB
Partition 2 Primary 287 GB 1201 MB
Partition 3 Primary 9 GB 288 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM_DRV NTFS Partition 1200 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Windows7_OS NTFS Partition 287 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E Lenovo_Reco NTFS Partition 9 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 976 MB 32 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 976 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-04-08 21:30

======================= End Of Log ==========================

Edited by farbar, 21 April 2012 - 06:35 PM.


#5 Farbar

  • Security Developer

Posted 21 April 2012 - 06:45 PM

Please copy and paste the logs unless it is requested otherwise. :)

Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open notepad and select Paste.) Save it on the flash drive as fixlist.txt.

start
HKLM\...\Run: [bcsea] rundll32.exe "C:\Windows\TEMP\bcsea.dll",LoadMeshFromXInMemory [x]
HKLM\...\Run: [mshgc] rundll32.exe "C:\Windows\TEMP\mshgc.dll",BAOCloseFile [x]
HKLM-x32\...\Run: [daDyaeJQgtiFQ.exe] C:\ProgramData\daDyaeJQgtiFQ.exe [x]
HKLM-x32\...\Run: [QkqnRvQCEE.exe] C:\ProgramData\QkqnRvQCEE.exe [x]
HKU\mbratton\...\Run: [Update] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\Adobe\sgpeue.dll",DllRegisterServer [x]
HKU\mbratton\...\Run: [bdebdacafadct] "C:\ProgramData\bdebdacafadct.exe" [x]
SubSystems: [Windows] ==> ZeroAccess
2 SPService; C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\sp.DLL [x]
4 LMIRfsClientNP; [x]
2012-04-16 04:04 - 2012-04-16 04:12 - 0000168 ____A C:\Users\All Users\-UNqbZsqk5NQvDjr
2012-04-16 04:04 - 2012-04-16 04:12 - 0000168 ____A C:\ProgramData\-UNqbZsqk5NQvDjr
2012-04-16 04:04 - 2012-01-05 12:50 - 0000658 ____A C:\Users\mbratton\Desktop\SMART_HDD.lnk
2012-04-16 04:04 - - 0000000 ____A C:\Users\All Users\-UNqbZsqk5NQvDj
2012-04-16 04:04 - - 0000000 ____A C:\ProgramData\-UNqbZsqk5NQvDj
2012-04-16 04:03 - 2011-06-25 11:33 - 0000256 ____A C:\Users\All Users\UNqbZsqk5NQvDj
2012-04-16 04:03 - 2011-06-25 11:33 - 0000256 ____A C:\ProgramData\UNqbZsqk5NQvDj
2012-04-13 03:08 - 2011-09-30 04:58 - 0020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe 
end

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options and select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also please restart the computer, let it boot normally and tell me how it went.
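A triage pass over FRST log lines of the kind posted above, added here as an example (it is not FRST's own code nor Farbar's method): it flags the signals the fix list relied on (rundll32 loading a DLL from TEMP or ProgramData, binaries under the SYSTEM profile, an orphaned service, FRST's ZeroAccess tag on the SubSystems value, an svchost.exe outside System32) and emits the hits in the start/end fixlist format. The line regexes, the staging-directory list and the core-binary allow-list are assumptions inferred from this log; the sample lines are copied from it.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the FRST log posted in this thread, plus a few
# clean entries (IgfxTray, SUService, CBS.log) so the filter has something to ignore.
SAMPLE_LOG = r"""
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [165912 2009-09-01] (Intel Corporation)
HKLM\...\Run: [bcsea] rundll32.exe "C:\Windows\TEMP\bcsea.dll",LoadMeshFromXInMemory [x]
HKLM-x32\...\Run: [QkqnRvQCEE.exe] C:\ProgramData\QkqnRvQCEE.exe [x]
HKU\mbratton\...\Run: [Update] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\Adobe\sgpeue.dll",DllRegisterServer [x]
SubSystems: [Windows] ==> ZeroAccess
2 SUService; "c:\Program Files (x86)\Lenovo\System Update\SUService.exe" [x]
2 SPService; C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\sp.DLL [x]
4 LMIRfsClientNP; [x]
2012-04-21 13:01 - 2011-02-15 01:42 - 3735235 ____A C:\CBS.log
2012-04-13 03:08 - 2011-09-30 04:58 - 0020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
""".strip("\n")

# Line shapes inferred from the log above (an assumption for this example, not FRST's grammar).
RUN_RE = re.compile(r"^(HKLM(?:-x32)?|HKU\\[^\\]+)\\\.\.\.\\Run(?:Once)?: \[([^\]]+)\] (.*)$")
SERVICE_RE = re.compile(r"^[0-4] ([^;]+); ?(.*)$")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - (?:\d{4}-\d{2}-\d{2} \d{2}:\d{2} )?- \d+ "
                     r"[_A-Z]{5} (?:\([^)]*\) )?(.+)$")
# Writable locations a startup binary has no business living in.
STAGING_RE = re.compile(r"\\(TEMP|ProgramData|config\\systemprofile)\\", re.IGNORECASE)
# Directories (relative to the Windows dir, "" = its root) where each core binary may sit.
# Allow-list assumed for this example; the thread's "Bamital & volsnap Check" lists the same names.
CORE_BINARIES = {
    "svchost.exe": {"system32", "syswow64", "winsxs"},
    "wininit.exe": {"system32", "syswow64", "winsxs"},
    "winlogon.exe": {"system32", "winsxs"},
    "explorer.exe": {"", "syswow64", "winsxs"},
}

@dataclass
class Finding:
    kind: str    # "autorun", "service", "subsystems" or "file"
    name: str
    reason: str
    line: str    # the FRST line verbatim, so it can go straight into a fixlist

def misplaced_core_binary(path):
    """True when a core Windows binary name sits outside the directories it belongs in."""
    parts = path.lower().split("\\")
    allowed = CORE_BINARIES.get(parts[-1])
    if allowed is None:
        return False
    if "windows" not in parts:
        return True                       # core name outside the Windows tree entirely
    idx = parts.index("windows")
    parent = parts[idx + 1] if idx + 1 < len(parts) - 1 else ""
    return parent not in allowed

def triage(log_text):
    """Return the log lines that deserve a human's attention, each with a reason."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := RUN_RE.match(line):
            _hive, name, cmd = m.groups()
            if staged := STAGING_RE.search(cmd):
                how = "rundll32 loads a DLL" if "rundll32" in cmd.lower() else "binary runs"
                reason = f"{how} from {staged.group(1)}"
                if cmd.endswith("[x]"):
                    reason += "; FRST found no file metadata [x]"
                findings.append(Finding("autorun", name, reason, line))
        elif m := SERVICE_RE.match(line):
            name, path = m.groups()
            if path.strip() in ("", "[x]"):
                findings.append(Finding("service", name, "orphaned entry with no binary path", line))
            elif STAGING_RE.search(path):
                findings.append(Finding("service", name, "service binary in a staging directory", line))
        elif m := FILE_RE.match(line):
            path = m.group(1)
            if misplaced_core_binary(path):
                findings.append(Finding("file", path.split("\\")[-1],
                                        "core binary name outside its expected directory", line))
        elif line.startswith("SubSystems:") and "==>" in line:
            tag = line.split("==>", 1)[1].strip()
            findings.append(Finding("subsystems", "Windows",
                                    f"Session Manager SubSystems value tagged {tag} by FRST", line))
    return findings

def build_fixlist(findings):
    """The fixlist format used in this thread: the offending log lines between 'start' and 'end'."""
    return "start\n" + "\n".join(f.line for f in findings) + "\nend\n"

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:10} {f.name:18} {f.reason}")
    print(build_fixlist(triage(SAMPLE_LOG)))
```

The output is a candidate list for a human to confirm, not something to feed to FRST blindly: on the full log it would also flag the dplaysvr.exe entry under the SYSTEM profile, which Farbar chose to leave alone.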

#6 george_d


Posted 22 April 2012 - 09:22 AM

The machine booted successfully. Incredible. Arthur Clarke was right that any technology sufficiently advanced is indistinguishable from magic.

Thanks so much. I will make a donation to your account.

george_d

Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 19-04-2012
Ran by SYSTEM at 2012-04-22 09:06:22 R:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\bcsea Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\mshgc Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\daDyaeJQgtiFQ.exe Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\QkqnRvQCEE.exe Value deleted successfully.
HKEY_USERS\mbratton\Software\Microsoft\Windows\CurrentVersion\Run\\Update Value deleted successfully.
HKEY_USERS\mbratton\Software\Microsoft\Windows\CurrentVersion\Run\\bdebdacafadct Value deleted successfully.
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
SPService service deleted successfully.
LMIRfsClientNP service deleted successfully.
C:\Users\All Users\-UNqbZsqk5NQvDjr moved successfully.
C:\ProgramData\-UNqbZsqk5NQvDjr not found.
C:\Users\mbratton\Desktop\SMART_HDD.lnk moved successfully.
C:\Users\All Users\-UNqbZsqk5NQvDj moved successfully.
C:\ProgramData\-UNqbZsqk5NQvDj not found.
C:\Users\All Users\UNqbZsqk5NQvDj moved successfully.
C:\ProgramData\UNqbZsqk5NQvDj not found.
C:\Windows\svchost.exe moved successfully.

==== End of Fixlog ====


#7 Farbar

  • Security Developer

Posted 22 April 2012 - 09:41 AM

Great. :thumbup2:

Thank you for the donation.:)

This ZeroAccess infection that came along with SMART HDD alters some winsock registry keys that affect the internet. We need to restore them to the default to make sure internet related programs function to their full quality.

  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

  • Please download MiniRegTool64.zip and unzip it.
    • Run the tool.
    • Copy and paste the following into the edit box:

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5]
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64]
    • Check Export keys radio button.
    • Press Go button and post the result.


#8 Farbar

  • Security Developer

Posted 27 April 2012 - 04:10 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Every one else should start a new topic.



