Celas Virus


16 replies to this topic

#1 Capey

  • Members
  • 7 posts

Posted 18 May 2012 - 04:38 PM

Whilst on the internet tonight (Internet Explorer on Vista) I noticed that the right click function stopped working, so I thought to restart my computer. Everything was going as normal until I put my password in; I got a white screen followed by a message saying that I've been blocked from accessing my computer because of illegal downloads. I've had the Strathclyde Police virus before, which was pretty easy to remove, however this one's a little different.

I've tried starting in all the safe modes however I still get locked out as soon as I put my password in, I've tried a system restore however I'm told there's not enough memory to do a system restore on my C drive.

I've tried the basic Alt & F4 to try and close it and there's no access to the task menu when you press ctrl, alt and delete.

I've googled this however there's very little on the net about removing this particular problem.

Only problem is I've just bought a new laptop and I was in the process of trying to pull everything off it as I don't have an up to date back up so don't really want to reinstall windows / lose my data.

I'm not great on computers but know enough to get by, so any help would be appreciated.

[Moderator edit: post moved to more appropriate forum. jgw]

Edited by jgweed, 18 May 2012 - 05:43 PM.



#2 TheShooter93

    Cody


  • Malware Response Team
  • 4,793 posts
  • Gender:Male
  • Location:Orlando, Florida

Posted 18 May 2012 - 07:40 PM

Hi,

After performing these scans, enter the results in your next post and also update me on the status of the PC.

Note: You may have to perform some or all of the following in Safe Mode With Networking, depending on whether you have internet access while in the normal Windows environment. If you still don't have internet access in Safe Mode With Networking, you will need to download the installers onto a flash drive from a working computer and transfer them to the problem PC.

Also, if you have any of the following programs already installed on your machine, download the latest version along with updates, then run the scan.

================================================================================

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

================================================================================

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    For instructions with screenshots, please refer to the How to use SUPERAntiSpyware to scan and remove malware from your computer Guide.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all other options as they are set):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the Control Center screen.
  • Back on the main screen, under "Select Scan Type" check the box for Complete Scan.
  • If your computer is badly infected, be sure to check the box next to Enable Rescue Scan (Highly Infected Systems ONLY).
  • Click the Scan your computer... button.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the scan log after reboot, launch SUPERAntiSpyware again.
  • Click the View Scan Logs button at the bottom.
  • This will open the Scanner Logs Window.
  • Click on the log to highlight it and then click on View Selected Log to open it.
  • Copy and paste the scan log results in your next reply.
-- Some types of malware will disable security tools. If SUPERAntiSpyware will not install, please refer to these instructions for using the SUPERAntiSpyware Installer. If SUPERAntiSpyware is already installed but will not run, then follow the instructions for using RUNSAS.EXE to launch the program.
================================================================================

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, go to Start > All Programs > Malwarebytes Anti-Malware folder > Tools > click on Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).
================================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

CCNA R&S | CCNA Security | Network+ | B.S. - Information Technology | Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.


#3 Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,314 posts
  • Gender:Female
  • Location:Romania

Posted 21 May 2012 - 12:32 PM

Hello, do you have access to the recovery environment on Vista? You can try this by tapping F8 on boot up until the Advanced Boot Options menu comes up and looking for Repair Windows. If that option is not available, please let me know if you have a Vista DVD at hand.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#4 Capey
  • Topic Starter

  • Members
  • 7 posts

Posted 24 May 2012 - 10:04 AM

Apologies about the delay, I've had issues accessing the net.

My computer is effectively unusable now. I put my password in and my desktop is locked. I get a white screen with all the usual "you need to pay £50 to unlock your computer" rubbish on it; this is the same in all safe modes.

I've tried the recovery environment however keep getting an error message part way through.

Having searched the internet today I've tried using Kaspersky WindowsUnlocker on a USB. I've changed my computer to boot from the USB however I keep getting a black screen with a flashing cursor in the top left hand corner.

I have a product recovery DVD however I think that's all I have. I've tried booting from this and keep getting a message that I will lose all data on my hard drive, which I really don't want to do.

#5 Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,314 posts
  • Gender:Female
  • Location:Romania

Posted 24 May 2012 - 10:09 AM

What error do you have when trying to access the recovery environment?

regards, Elise




#6 Capey
  • Topic Starter

  • Members
  • 7 posts

Posted 24 May 2012 - 10:26 AM

When trying to carry out a system restore, the error message I get is:

System Restore failed due to an unspecified error.

The system cannot find the file specified (0x80070002)

#7 Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,314 posts
  • Gender:Female
  • Location:Romania

Posted 24 May 2012 - 10:40 AM

I am not asking you to carry out a system restore, but I need to know if you can access the command prompt in the Recovery Environment.

regards, Elise




#8 Capey
  • Topic Starter

  • Members
  • 7 posts

Posted 24 May 2012 - 10:42 AM

Apologies, I can access that fine...

#9 Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,314 posts
  • Gender:Female
  • Location:Romania

Posted 24 May 2012 - 10:47 AM

No problem! :)

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

regards, Elise


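Once an FRST.txt log is posted, the lines worth a second look are the autorun and service entries, because a lock screen that appears right after logon is usually wired into one of them. The Python script below is an added example and is not part of Elise's post or of the FRST tool; it triages FRST-style "Registry (Whitelisted)" and "Services (Whitelisted)" lines for the persistence points lock-screen malware commonly uses: a Winlogon Shell value pointing anywhere other than explorer.exe, autostarts and services launched from temp folders, entries FRST printed with an empty publisher, and GUID-named services whose image path is prefixed with globalroot. The lines in SAMPLE_LOG are constructed to mirror the FRST format (the names, folder names and GUID are made up), and the severity labels and heuristics are this example's own choices, not FRST output.

```python
import re
from typing import List, Optional, Tuple

# Constructed FRST.txt-style lines (example data, not from any real machine).
# Layout follows FRST's Registry and Services sections:
#   key\...\Run: [name] command [size date] (publisher)
#   <start-type> <service>; command [size date] (publisher)
SAMPLE_LOG = r"""
HKLM\...\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe" [2415456 2011-10-24] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [Skytel] Skytel.exe [x]
HKLM\...\Winlogon: [Shell] C:\Windows\temp\abcdef\setup.exe [x ] ()
2 AMService; C:\Windows\TEMP\qwerty\setup.exe run [46080 2012-05-18] ()
4 ccEvtMgr; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108648 2007-01-09] (Symantec Corporation)
2 {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}; \\.\globalrootC:\Windows\system32\svchost.exe -k netsvcs [21504 2008-01-18] (Microsoft Corporation)
"""

RUN_RE = re.compile(r'^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\(?P<kind>Run|RunOnce|Winlogon): \[(?P<name>[^\]]+)\] (?P<rest>.*)$')
SVC_RE = re.compile(r'^(?P<start>[0-4]) (?P<name>[^;]+); (?P<rest>.*)$')   # services and drivers share this layout
TEMP_RE = re.compile(r'\\(?:temp|tmp)\\', re.IGNORECASE)
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.IGNORECASE)
IMAGE_RE = re.compile(r'.*?\.(?:exe|dll|sys|cmd|bat)', re.IGNORECASE)

Finding = Tuple[str, str, str]   # (severity, entry name, reason)
SEVERITY_ORDER = {'HIGH': 0, 'MEDIUM': 1, 'LOW': 2}


def split_entry(rest: str) -> Tuple[str, Optional[str], bool]:
    """Split 'command [size date] (publisher)' into (command, publisher, missing).
    publisher is None when no (...) group was printed and '' when it was '()';
    missing is True when FRST marked the file [x] (not found on disk)."""
    cmd, _, tail = rest.partition(' [')
    m = re.search(r'\((.*)\)\s*$', tail)
    publisher = m.group(1).strip() if m else None
    missing = tail.lstrip().startswith('x')
    return cmd.strip(), publisher, missing


def image_path(cmd: str) -> str:
    """Return the executable/driver path from a command line, dropping arguments."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)
    return m.group(0) if m else cmd.split(' ')[0]


def triage_line(line: str) -> List[Finding]:
    """Apply lock-screen persistence heuristics to one FRST autorun or service line."""
    m = RUN_RE.match(line) or SVC_RE.match(line)
    if not m:
        return []
    name = m.group('name')
    kind = m.groupdict().get('kind')          # Run/RunOnce/Winlogon for registry lines, None for services
    cmd, publisher, missing = split_entry(m.group('rest'))
    path = image_path(cmd)
    findings: List[Finding] = []
    # The Winlogon Shell value decides what runs after logon; anything but explorer.exe
    # is the classic way a lock screen replaces the desktop.
    if kind == 'Winlogon' and name.lower() == 'shell' and path.lower().rsplit('\\', 1)[-1] != 'explorer.exe':
        findings.append(('HIGH', name, f'Winlogon Shell points to {path} instead of explorer.exe'))
    if TEMP_RE.search(path):
        findings.append(('HIGH', name, f'autostart image lives in a temp directory: {path}'))
    if 'globalroot' in path.lower():
        findings.append(('MEDIUM', name, 'image path is prefixed with globalroot (device-path trick seen in rootkit-installed services)'))
    if kind is None and GUID_RE.match(name):
        findings.append(('MEDIUM', name, 'service named by a bare GUID'))
    if publisher == '' and not missing:
        findings.append(('MEDIUM', name, f'no publisher information for {path}'))
    if missing:
        findings.append(('LOW', name, f'file not found on disk ({path}); orphaned entry or already removed'))
    return findings


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and return findings, most severe first."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line.strip()))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == '__main__':
    for severity, entry, reason in triage(SAMPLE_LOG):
        print(f'[{severity:6}] {entry}: {reason}')
```

Run against the constructed sample, the script reports the replaced Shell value and the temp-folder service as HIGH, the GUID-named globalroot service and the publisher-less service as MEDIUM, and the two [x] orphans as LOW, while the signed AVG and Symantec entries produce no findings at all. Entries that only show up as LOW are normally leftovers rather than the active infection; the HIGH ones are the entries a helper would ask FRST to fix first.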


#10 Capey
  • Topic Starter

  • Members
  • 7 posts

Posted 24 May 2012 - 10:57 AM

Scan result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 23-05-2012 02
Ran by SYSTEM at 24-05-2012 16:55:46
Running from G:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet002

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [249064 2010-10-29] (Sun Microsystems, Inc.)
HKLM\...\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe [102400 2007-08-15] (Synaptics, Inc.)
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [NDSTray.exe] NDSTray.exe [x]
HKLM\...\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [115816 2007-01-09] (Symantec Corporation)
HKLM\...\Run: [IS CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT" [431752 2007-01-12] (Symantec Corporation)
HKLM\...\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup [581632 2007-07-10] (TOSHIBA)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [411192 2007-03-29] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [509496 2007-04-03] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [538744 2007-05-22] (TOSHIBA Corporation)
HKLM\...\Run: [Skytel] Skytel.exe [x]
HKLM\...\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe [571024 2007-05-04] (Toshiba)
HKLM\...\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe" [2415456 2011-10-24] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-10-05] (Apple Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40368 2011-08-30] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-03-26] (Apple Inc.)
HKU\Capey\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [436088 2007-06-27] ()
HKU\Capey\...\Run: [Spotify] "C:\Users\Capey\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart [4011184 2012-03-17] (Spotify Ltd)
HKU\Capey\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\Default\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [436088 2007-06-27] ()
HKU\Default User\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [436088 2007-06-27] ()
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [318464 2008-01-18] (Microsoft Corporation)
HKLM\...\Winlogon: [Shell] C:\Windows\temp\lxbcbd\setup.exe [x ] ()
Winlogon\Notify\igfxcui: igfxdev.dll [X]
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

================================ Services (Whitelisted) ==================

3 AdobeFlashPlayerUpdateSvc; C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [257696 2012-05-07] (Adobe Systems Incorporated)
2 AMService; C:\Windows\TEMP\lmpyve\setup.exe run [46080 2012-05-18] ()
4 Automatic LiveUpdate Scheduler; "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [554616 2007-01-05] (Symantec Corporation)
4 AVGIDSAgent; "C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe" [4433248 2011-10-11] (AVG Technologies CZ, s.r.o.)
4 avgwd; "C:\Program Files\AVG\AVG2012\avgwdsvc.exe" [192776 2011-08-01] (AVG Technologies CZ, s.r.o.)
4 ccEvtMgr; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108648 2007-01-09] (Symantec Corporation)
4 ccSetMgr; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108648 2007-01-09] (Symantec Corporation)
4 CFSvcs; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [40960 2006-11-14] (TOSHIBA CORPORATION)
4 CLTNetCnService; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon [108648 2007-01-09] (Symantec Corporation)
4 comHost; "C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe" [49248 2007-01-12] (Symantec Corporation)
4 ISPwdSvc; "C:\Program Files\Norton Internet Security\isPwdSvc.exe" [80504 2007-01-13] (Symantec Corporation)
2 Lavasoft Ad-Aware Service; "C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe" [2152688 2012-05-14] (Lavasoft Limited)
4 LiveUpdate; "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" [2918008 2007-01-05] (Symantec Corporation)
4 Symantec Core LC; "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" [1174664 2007-09-19] (Symantec Corporation)
4 SymAppCore; "C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe" [47712 2007-01-04] (Symantec Corporation)
4 TNaviSrv; C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe [77824 2007-08-01] (TOSHIBA Corporation)
4 TODDSrv; C:\Windows\system32\TODDSrv.exe [114688 2006-05-25] (TOSHIBA Corporation)
4 TosCoSrv; "C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe" [427576 2007-03-29] (TOSHIBA Corporation)
4 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)
2 z800mgmt; C:\Windows\System32\nvnforce.dll [5632 2008-01-18] (Oak Technology Inc.)
2 {d31a0762-0ceb-444e-acff-b049a1f6fe91}; \\.\globalrootC:\Windows\system32\svchost.exe -k netsvcs [21504 2008-01-18] (Microsoft Corporation)

========================== Drivers (Whitelisted) =============

3 AgereSoftModem; C:\Windows\System32\DRIVERS\AGRSM.sys [983552 2006-11-01] (Agere Systems)
3 atikmdag; C:\Windows\System32\DRIVERS\atikmdag.sys [3695104 2008-06-02] (ATI Technologies Inc.)
3 AVGIDSDriver; C:\Windows\System32\DRIVERS\AVGIDSDriver.Sys [134736 2011-07-10] (AVG Technologies CZ, s.r.o. )
0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [23120 2011-07-10] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\AVGIDSFilter.Sys [24272 2011-07-10] (AVG Technologies CZ, s.r.o. )
3 AVGIDSShim; C:\Windows\System32\DRIVERS\AVGIDSShim.Sys [16720 2011-10-03] (AVG Technologies CZ, s.r.o. )
1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [230608 2011-10-06] (AVG Technologies CZ, s.r.o.)
1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [40016 2011-08-07] (AVG Technologies CZ, s.r.o.)
0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [32592 2011-09-12] (AVG Technologies CZ, s.r.o.)
1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [295248 2011-07-10] (AVG Technologies CZ, s.r.o.)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [387384 2007-01-09] (Symantec Corporation)
3 FwLnk; C:\Windows\System32\DRIVERS\FwLnk.sys [7168 2006-11-20] (TOSHIBA Corporation)
3 IDSvix86; \??\C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20070108.003\IDSvix86.sys [212280 2006-12-27] (Symantec Corporation)
4 KR10I; C:\Windows\System32\drivers\kr10i.sys [219392 2007-01-18] (TOSHIBA CORPORATION)
4 KR10N; C:\Windows\System32\drivers\kr10n.sys [211072 2007-01-18] (TOSHIBA CORPORATION)
0 Lbd; C:\Windows\System32\DRIVERS\Lbd.sys [64512 2011-12-22] (Lavasoft AB)
3 NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20070918.007\NAVENG.SYS [81232 2007-09-17] (Symantec Corporation)
3 NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20070918.007\NAVEX15.SYS [865904 2007-09-17] (Symantec Corporation)
3 RTL8169; C:\Windows\System32\DRIVERS\Rtlh86.sys [44544 2006-11-01] (Realtek Corporation)
3 RTL8187B; C:\Windows\System32\DRIVERS\RTL8187B.sys [252416 2007-06-01] (Realtek Semiconductor Corporation )
3 SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [417592 2007-01-02] (Symantec Corporation)
3 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [247608 2007-01-11] (Symantec Corporation)
3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [276792 2007-01-11] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [25400 2007-01-11] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [115000 2007-09-19] (Symantec Corporation)
3 tdcmdpst; C:\Windows\System32\DRIVERS\tdcmdpst.sys [16128 2006-10-18] (TOSHIBA Corporation.)
1 tdx; C:\Windows\System32\DRIVERS\tdx.sys [72192 2009-04-10] ()
0 tos_sps32; C:\Windows\System32\DRIVERS\tos_sps32.sys [285184 2007-07-26] (TOSHIBA Corporation)
0 TVALZ; C:\Windows\System32\DRIVERS\TVALZ_O.SYS [16768 2006-10-05] (TOSHIBA Corporation)
4 blbdrive; C:\Windows\System32\drivers\blbdrive.sys [x]
3 catchme; \??\C:\Users\Capey\AppData\Local\Temp\catchme.sys [x]
3 igfx; C:\Windows\System32\DRIVERS\igdkmd32.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 ivusb; C:\Windows\System32\DRIVERS\ivusb.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: z800mgmt
NETSVC: NOWMEMDF
NETSVC: slee_81_service

============ One Month Created Files and Folders ==============

2012-05-24 16:54 - 2012-05-24 16:55 - 0000000 ____D C:\FRST
2012-05-24 03:18 - 2012-05-24 03:18 - 0000384 ____A C:\Windows\Tasks\Ad-Aware Update (Weekly).job
2012-05-18 11:42 - 2012-04-18 04:49 - 0405176 ____A (Newtonsoft) C:\Windows\System32\Newtonsoft.Json.Net20.dll
2012-05-18 11:42 - 2012-03-22 04:43 - 2557952 ____A (Nokia Corporation and/or its subsidiary(-ies)) C:\Windows\System32\QtCore4.dll
2012-05-18 11:42 - 2012-03-06 06:43 - 4421272 ____A (Microsoft Corporation) C:\Windows\System32\mfc100u.dll
2012-05-18 11:42 - 2012-03-06 06:43 - 0772248 ____A (Microsoft Corporation) C:\Windows\System32\msvcr100.dll
2012-05-18 11:42 - 2012-03-06 06:43 - 0419480 ____A (Microsoft Corporation) C:\Windows\System32\msvcp100.dll
2012-05-18 11:42 - 2012-03-06 06:43 - 0136344 ____A (Microsoft Corporation) C:\Windows\System32\atl100.dll
2012-05-18 11:42 - 2012-03-06 06:43 - 0080024 ____A (Microsoft Corporation) C:\Windows\System32\mfcm100u.dll
2012-05-15 18:53 - 2012-05-24 02:28 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-05-15 18:09 - 2012-05-15 18:36 - 0000000 __SHD C:\Config.Msi
2012-05-15 15:37 - 2012-03-30 04:39 - 0905600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-05-15 15:37 - 2012-03-20 15:28 - 0053120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2012-05-15 15:37 - 2012-03-01 06:46 - 0219648 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2012-05-15 15:37 - 2012-03-01 06:46 - 0160768 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2012-05-15 15:37 - 2012-02-29 06:08 - 1172480 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2012-05-15 15:37 - 2012-02-29 05:44 - 0683008 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2012-05-15 15:37 - 2012-02-29 05:41 - 1069056 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-05-15 15:33 - 2012-04-03 00:16 - 3602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-05-15 15:33 - 2012-04-03 00:16 - 3550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-15 15:33 - 2012-04-02 05:36 - 2044928 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-01 01:16 - 2012-05-01 01:16 - 0137928 ____A C:\Windows\Minidump\Mini050112-01.dmp

============ 3 Months Modified Files and Folders ===============

2012-05-24 07:21 - 2011-03-05 16:58 - 0010163 ____A C:\aaw7boot.log
2012-05-24 07:21 - 2011-03-05 10:58 - 2462720 ____A C:\Windows\ntbtlog.txt
2012-05-24 03:23 - 2006-11-02 02:33 - 0703388 ____A C:\Windows\System32\PerfStringBackup.INI
2012-05-24 03:18 - 2012-05-24 03:18 - 0000384 ____A C:\Windows\Tasks\Ad-Aware Update (Weekly).job
2012-05-24 02:28 - 2012-05-15 18:53 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-05-24 02:28 - 2011-08-24 10:17 - 0000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-05-24 02:28 - 2006-11-02 05:01 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-05-24 02:28 - 2006-11-02 04:47 - 0003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-05-24 02:28 - 2006-11-02 04:47 - 0003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-05-21 15:43 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\LogFiles
2012-05-21 15:15 - 2012-03-17 09:19 - 0000064 ____A C:\Windows\System32\rp_stats.dat
2012-05-21 15:15 - 2012-03-17 09:19 - 0000044 ____A C:\Windows\System32\rp_rules.dat
2012-05-18 12:03 - 2011-02-27 13:46 - 1774371 ____A C:\Windows\WindowsUpdate.log
2012-05-18 11:49 - 2006-11-02 05:01 - 0032650 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-05-18 11:47 - 2011-08-24 10:17 - 0000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-05-18 11:44 - 2011-07-24 15:03 - 0000000 ____D C:\Users\Capey\AppData\Roaming\DVDVideoSoft
2012-05-18 11:43 - 2011-04-07 02:00 - 0001037 ____A C:\Users\Capey\Desktop\DVDVideoSoft Free Studio.lnk
2012-05-18 11:42 - 2011-04-07 02:00 - 0001196 ____A C:\Users\Capey\Desktop\Free YouTube to MP3 Converter.lnk
2012-05-18 11:42 - 2011-02-27 16:02 - 0000000 ____D C:\Program Files\Common Files\DVDVideoSoft
2012-05-18 10:57 - 2012-04-16 00:39 - 0000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-05-15 18:47 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\Microsoft.NET
2012-05-15 18:37 - 2006-11-02 04:47 - 0288064 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-15 18:36 - 2012-05-15 18:09 - 0000000 __SHD C:\Config.Msi
2012-05-15 18:36 - 2011-05-09 23:45 - 0000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-15 18:33 - 2006-11-02 04:37 - 0000000 ____D C:\Windows\System32\XPSViewer
2012-05-15 18:33 - 2006-11-02 04:37 - 0000000 ____D C:\Program Files\Windows Journal
2012-05-15 18:17 - 2011-04-26 08:09 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-05-15 04:12 - 2006-11-02 02:24 - 55656824 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-05-11 15:28 - 2006-11-02 04:52 - 0022964 ____A C:\Windows\setupact.log
2012-05-11 03:11 - 2011-02-27 15:11 - 0000000 ____D C:\Program Files\Common Files\Apple
2012-05-07 16:41 - 2012-04-16 00:39 - 0419488 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-05-07 16:41 - 2011-05-16 15:34 - 0070304 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-05-01 04:47 - 2011-12-09 16:43 - 0000000 ____D C:\Users\Capey\AppData\Local\Spotify
2012-05-01 04:47 - 2011-12-09 16:42 - 0000000 ____D C:\Users\Capey\AppData\Roaming\Spotify
2012-05-01 01:16 - 2012-05-01 01:16 - 0137928 ____A C:\Windows\Minidump\Mini050112-01.dmp
2012-05-01 01:16 - 2011-03-03 00:31 - 0000000 ____D C:\Windows\Minidump
2012-05-01 01:15 - 2011-12-27 12:56 - 161355586 ____A C:\Windows\MEMORY.DMP
2012-04-18 04:49 - 2012-05-18 11:42 - 0405176 ____A (Newtonsoft) C:\Windows\System32\Newtonsoft.Json.Net20.dll
2012-04-06 12:12 - 2011-03-08 12:13 - 0001854 ____A C:\Users\Public\Desktop\Safari.lnk
2012-04-06 12:12 - 2011-03-08 12:13 - 0000000 ____D C:\Program Files\Safari
2012-04-06 12:07 - 2012-04-06 12:07 - 0001669 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-04-06 12:06 - 2012-03-17 13:37 - 0000000 ____D C:\Program Files\iTunes
2012-04-06 12:04 - 2012-04-06 12:04 - 0000000 ____D C:\Program Files\iPod
2012-04-06 11:49 - 2011-02-27 13:57 - 0007944 ____A C:\Users\Capey\AppData\Local\d3d9caps.dat
2012-04-03 00:16 - 2012-05-15 15:33 - 3602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-04-03 00:16 - 2012-05-15 15:33 - 3550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-04-02 05:36 - 2012-05-15 15:33 - 2044928 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-04-01 10:43 - 2011-02-27 15:19 - 0000000 ____D C:\Users\Capey\AppData\Roaming\Apple Computer
2012-03-30 04:39 - 2012-05-15 15:37 - 0905600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-22 04:43 - 2012-05-18 11:42 - 2557952 ____A (Nokia Corporation and/or its subsidiary(-ies)) C:\Windows\System32\QtCore4.dll
2012-03-20 15:28 - 2012-05-15 15:37 - 0053120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2012-03-17 17:07 - 2012-03-15 09:14 - 0000000 ____D C:\Users\Capey\{8aca4a83-8139-491e-97fb-2a310b7f9945}
2012-03-17 17:07 - 2012-03-15 09:09 - 0000000 ____D C:\Program Files\QuickTime
2012-03-17 17:07 - 2011-12-06 12:52 - 0000000 __SHD C:\$RECYCLE.BIN
2012-03-17 17:07 - 2011-12-06 12:40 - 0000000 ____D C:\ComboFix
2012-03-17 17:07 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\spool
2012-03-17 17:07 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\registration
2012-03-17 17:07 - 2006-11-02 02:22 - 40108032 ____A C:\Windows\System32\config\software_previous
2012-03-17 17:07 - 2006-11-02 02:22 - 15204352 ____A C:\Windows\System32\config\system_previous
2012-03-17 17:04 - 2006-11-02 02:22 - 42467328 ____A C:\Windows\System32\config\components_previous
2012-03-17 17:04 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\sam_previous
2012-03-17 13:40 - 2011-03-08 12:12 - 0001245 ____A C:\Windows\System32\mapisvc.inf
2012-03-17 13:33 - 2011-02-27 13:57 - 0000000 ____D C:\users\Capey
2012-03-17 09:28 - 2012-03-17 09:42 - 0016432 ____A C:\Windows\System32\lsdelete.exe
2012-03-17 09:28 - 2011-03-05 16:21 - 0101720 ____A (Sunbelt Software) C:\Windows\System32\Drivers\SBREDrv.sys
2012-03-17 09:17 - 2012-03-17 09:17 - 0000942 ____A C:\Users\Public\Desktop\Ad-Aware.lnk
2012-03-17 09:16 - 2012-03-17 09:16 - 0000000 ____D C:\Program Files\Lavasoft
2012-03-17 09:16 - 2011-03-05 16:14 - 0000000 ____D C:\Users\All Users\Lavasoft
2012-03-17 09:10 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\config\TxR
2012-03-16 16:28 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\security_previous
2012-03-16 16:27 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\default_previous
2012-03-16 16:26 - 2012-03-16 16:23 - 0000000 ____D C:\Users\Capey\AppData\Roaming\GetRightToGo
2012-03-16 16:13 - 2012-03-16 15:39 - 0000000 ____D C:\Program Files\GridinSoft Trojan Killer
2012-03-16 15:54 - 2011-10-17 14:32 - 0000000 ____D C:\Users\Capey\Documents\Uni Work
2012-03-16 15:52 - 2011-02-27 15:51 - 0000000 ____D C:\Users\Capey\Documents\Campaign
2012-03-16 15:30 - 2011-12-06 12:40 - 0000000 ____D C:\Qoobox
2012-03-15 09:18 - 2012-03-15 09:18 - 0000000 ____D C:\Program Files\iPod(119)
2012-03-15 09:18 - 2012-03-15 09:17 - 0000000 ____D C:\Program Files\iTunes(120)
2012-03-15 09:10 - 2012-03-15 09:10 - 0001731 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-03-06 06:43 - 2012-05-18 11:42 - 4421272 ____A (Microsoft Corporation) C:\Windows\System32\mfc100u.dll
2012-03-06 06:43 - 2012-05-18 11:42 - 0772248 ____A (Microsoft Corporation) C:\Windows\System32\msvcr100.dll
2012-03-06 06:43 - 2012-05-18 11:42 - 0419480 ____A (Microsoft Corporation) C:\Windows\System32\msvcp100.dll
2012-03-06 06:43 - 2012-05-18 11:42 - 0136344 ____A (Microsoft Corporation) C:\Windows\System32\atl100.dll
2012-03-06 06:43 - 2012-05-18 11:42 - 0080024 ____A (Microsoft Corporation) C:\Windows\System32\mfcm100u.dll
2012-03-05 04:25 - 2007-09-19 10:34 - 0165784 ____A C:\Windows\PFRO.log
2012-03-03 14:55 - 2006-11-02 03:18 - 0000000 ____D C:\Program Files\Common Files\microsoft shared
2012-03-01 06:46 - 2012-05-15 15:37 - 0219648 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2012-03-01 06:46 - 2012-05-15 15:37 - 0160768 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2012-02-29 07:11 - 2012-04-15 18:04 - 0172032 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-02-29 07:11 - 2012-04-15 18:04 - 0005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-02-29 07:09 - 2012-04-15 18:04 - 0157696 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-02-29 06:08 - 2012-05-15 15:37 - 1172480 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2012-02-29 05:44 - 2012-05-15 15:37 - 0683008 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2012-02-29 05:41 - 2012-05-15 15:37 - 1069056 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-02-29 05:32 - 2012-04-15 18:04 - 0012800 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-02-27 17:52 - 2012-04-15 18:05 - 12281856 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-02-27 17:27 - 2012-04-15 18:05 - 9705984 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-02-27 17:18 - 2012-04-15 18:05 - 1799168 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-02-27 17:12 - 2012-04-15 18:05 - 1103360 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-02-27 17:11 - 2012-04-15 18:05 - 1427456 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-02-27 17:11 - 2012-04-15 18:05 - 1127424 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-02-27 17:09 - 2012-04-15 18:05 - 0231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-02-27 17:08 - 2012-04-15 18:05 - 0065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-02-27 17:06 - 2012-04-15 18:05 - 0716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-02-27 17:04 - 2012-04-15 18:05 - 1792000 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-02-27 17:03 - 2012-04-15 18:05 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-02-27 17:03 - 2012-04-15 18:05 - 0072704 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-02-27 16:59 - 2012-04-15 18:05 - 0176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 22%
Total physical RAM: 1917.44 MB
Available physical RAM: 1480.14 MB
Total Pagefile: 1698.33 MB
Available Pagefile: 1542.95 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB

======================= Partitions =========================

1 Drive c: (Vista) (Fixed) (Total:74.22 GB) (Free:1.26 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Data) (Fixed) (Total:73.36 GB) (Free:71.09 GB) NTFS
4 Drive f: (WinRE) (Fixed) (Total:1.46 GB) (Free:1.26 GB) NTFS
5 Drive g: () (Removable) (Total:7.45 GB) (Free:7.45 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 1849 KB
Disk 1 Online 7634 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 74 GB 1501 MB
Partition 3 Primary 73 GB 76 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F WinRE NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C Vista NTFS Partition 74 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D Data NTFS Partition 73 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7633 MB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 G FAT32 Removable 7633 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-05-24 03:38

======================= End Of Log ==========================

#11 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,314 posts
  • Gender:Female
  • Location:Romania
  • Local time:11:20 PM

Posted 24 May 2012 - 11:42 AM

Hi, please let me know if you can get in windows after executing the following fix.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt


HKLM\...\Winlogon: [Shell] C:\Windows\temp\lxbcbd\setup.exe [x ] ()

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 Capey (Topic Starter)
  • Members
  • 7 posts
  • Local time:03:20 PM

Posted 24 May 2012 - 11:54 AM

Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 23-05-2012 02
Ran by SYSTEM at 2012-05-24 17:49:09 Run:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored.

==== End of Fixlog ====


I've just managed to log in and get my desktop back. Is there anything else I need to do?

Thank you for all your help with this. I'll be spending my night backing up now!!

#13 Elise

Posted 24 May 2012 - 12:45 PM

Yes, let's make sure everything else is okay too. :)

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise




#14 Capey (Topic Starter)

Posted 24 May 2012 - 12:57 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Capey at 18:55:31 on 2012-05-24
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1917.713 [GMT 1:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\TEMP\lmpyve\setup.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AWSC.exe
C:\Program Files\Lavasoft\Ad-Aware\AWSC.exe
C:\Users\Capey\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [Spotify] "c:\users\capey\appdata\roaming\spotify\Spotify.exe" /uri spotify:autostart
uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe
uRun: [Spotify Web Helper] "c:\users\capey\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IS CfgWiz] "c:\program files\common files\symantec shared\opc\{31011d49-d90c-4da0-878b-78d28ad507af}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaRegistration.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-explorer: NoViewContextMenu = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Free YouTube to iPhone Converter - c:\users\capey\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetoiphoneconverter.htm
IE: Free YouTube to MP3 Converter - c:\users\capey\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
IE: {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{DFA1451B-B972-43D9-AD3B-226FD4F23BD4} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{F0442A38-5F1E-4B62-96E5-5F6818B1B284} : DhcpNameServer = 10.1.10.51 10.1.10.52
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R?2 AMService;AMService;c:\windows\temp\lmpyve\setup.exe run --> c:\windows\temp\lmpyve\setup.exe run [?]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2012-3-17 64512]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2011-3-3 21504]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-12-23 2152688]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-9-19 7168]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-12-23 15232]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2007-9-19 252416]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-24 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-16 257696]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-24 136176]
S3 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20070108.003\IDSvix86.sys [2007-9-19 212280]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
S4 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-9-19 1174664]
.
=============== Created Last 30 ================
.
2012-05-25 00:54:45 -------- d-----w- C:\FRST
2012-05-18 19:42:44 2557952 ----a-w- c:\windows\system32\QtCore4.dll
2012-05-18 19:42:39 405176 ----a-w- c:\windows\system32\Newtonsoft.Json.Net20.dll
2012-05-18 19:42:16 80024 ----a-w- c:\windows\system32\mfcm100u.dll
2012-05-18 19:42:16 772248 ----a-w- c:\windows\system32\msvcr100.dll
2012-05-18 19:42:16 4421272 ----a-w- c:\windows\system32\mfc100u.dll
2012-05-18 19:42:16 419480 ----a-w- c:\windows\system32\msvcp100.dll
2012-05-18 19:42:16 136344 ----a-w- c:\windows\system32\atl100.dll
2012-05-16 02:53:31 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-05-15 23:37:38 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-15 23:37:33 905600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-15 23:37:30 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-05-15 23:37:30 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-05-15 23:37:30 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-05-15 23:37:30 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-05-15 23:37:30 1069056 ----a-w- c:\windows\system32\DWrite.dll
2012-05-15 23:33:35 983040 ----a-w- c:\program files\windows journal\JNTFiltr.dll
2012-05-15 23:33:35 964608 ----a-w- c:\program files\windows journal\JNWDRV.dll
2012-05-15 23:33:35 1404928 ----a-w- c:\program files\common files\microsoft shared\ink\InkObj.dll
2012-05-15 23:33:35 1218048 ----a-w- c:\program files\windows journal\NBDoc.DLL
2012-05-15 23:33:34 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2012-05-15 23:33:34 47104 ----a-w- c:\program files\windows journal\PDIALOG.exe
2012-05-15 23:33:04 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-15 23:33:02 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-15 23:33:00 2044928 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2012-05-15 02:26:55 16432 ----a-w- c:\windows\system32\lsdelete.exe
2012-05-08 00:41:25 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-08 00:41:25 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-17 17:28:24 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-02-29 15:11:45 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-29 15:11:42 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 15:09:53 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 13:32:37 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 18:56:57.22 ===============

#15 Elise

Posted 24 May 2012 - 01:19 PM

Unfortunately you have a nasty rootkit on board. Please read the following first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


TWO ANTIVIRUS PROGRAMS
---------------------------------------
I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or Lavasoft AdAware.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise






