Another Celas infection


This topic is locked
3 replies to this topic

#1 James-ACS

James-ACS

  • Members
  • 2 posts

Posted 23 May 2012 - 05:03 AM

Hi guys,

I have seen a few other topics dealing with this problem, but the solutions are on an individual basis. The laptop has Windows Vista 64, after logging in I get the Celas page and asks me to pay 50. Ctrl+alt+del works but not the task manager, if I boot in safe mode, it still comes up with the Celas page.
I tried to run frst64.exe in Recovery mode, as I assumed it was 64-bit, but it said it wasn't compatible, so I have run the 32-bit version and am attaching the log for your reading pleasure.

Many thanks in advance for any help.

James

Attached File: FRST.txt (21.83KB)



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender: Male
  • Location: The Netherlands

Posted 23 May 2012 - 08:55 AM

Hello James-ACS,

Welcome to Bleeping Computer.

Please copy and paste the logs instead of attaching them unless otherwise requested. Thank you.

Next round we will take care of the infection and will boot the system. But before doing that we need to find a good replacement for a patched driver.

Boot to System Recovery Options and run FRST.
Type the following in the edit box after "Search:".

i8042prt.sys

Click Search File(s) button and post the log it makes to your reply.

#3 James-ACS

James-ACS
  • Topic Starter
  • Members
  • 2 posts

Posted 23 May 2012 - 10:23 AM

Hi Farbar,

I think I have resolved the issue as far as I can see. I created my own fixlist.txt script and ran the fix, and the laptop now logs in OK. I also ran Malwarebytes after I could log in. Here are the frst.txt and the fixlist.txt I used. I'm sorry, I had time restrictions so I couldn't wait for your reply.

Scan result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 23-05-2012 02
Ran by SYSTEM at 23-05-2012 10:35:20
Running from F:\
Windows Vista ™ Business (X86) OS Language: English(US)
The current controlset is ControlSet002

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [729088 2006-10-09] (Motorola Inc.)
HKLM\...\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [159744 2007-02-13] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" [176128 2007-04-23] (CyberLink Corp.)
HKLM\...\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [472776 2007-03-01] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe [317128 2007-01-10] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [827392 2007-01-12] (Synaptics, Inc.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2008-01-02] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [166424 2008-01-02] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [133656 2008-01-02] (Intel Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [39792 2008-01-11] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421160 2010-08-31] (Apple Inc.)
HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [121064 2011-03-25] (Trend Micro Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
HKLM\...\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [963976 2010-12-20] (Malwarebytes Corporation)
HKU\david\...\Run: [Google Update] "C:\Users\david\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-05-12] (Google Inc.)
HKLM\...\Winlogon: [Shell] C:\Windows\temp\uawthl\setup.exe [x ] ()
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.0.10.254 208.67.222.222 208.67.200.200
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Acturis Assistant.lnk
ShortcutTarget: Acturis Assistant.lnk -> X:\Program Files\Acturis\ActurisAssistant\AACInterface.exe (No File)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> X:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (No File)

================================ Services (Whitelisted) ==================

2 Acturis Installer Service; C:\Program Files\Acturis\ActurisAssistant\AA.exe [909312 2010-12-13] (Acturis.)
2 CLCapSvc; "C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe" [262243 2007-04-23] ()
2 CLSched; "C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe" [106593 2007-04-23] ()
3 Com4Qlb; "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe" [110592 2007-01-09] (Hewlett-Packard Development Company, L.P.)
2 hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [135168 2006-05-02] (Hewlett-Packard Development Company, L.P.)
2 picturetaker; C:\Windows\System32\OVT511Plus.dll [5632 2008-01-18] (Oak Technology Inc.)
3 TmListen; "C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe" [681488 2011-03-29] (Trend Micro Inc.)
2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=qb -dt=60000 [x]
2 pciSd; C:\Windows\System32\bwsvc.dll [x]

========================== Drivers (Whitelisted) =============

1 eabfiltr; C:\Windows\System32\DRIVERS\eabfiltr.sys [8192 2006-11-30] (Hewlett-Packard Development Company, L.P.)
3 HBtnKey; C:\Windows\System32\DRIVERS\cpqbttn.sys [9472 2006-06-28] (Hewlett-Packard Development Company, L.P.)
1 i8042prt; C:\Windows\System32\DRIVERS\i8042prt.sys [54784 2008-01-18] ()
3 RTL8169; C:\Windows\System32\DRIVERS\Rtlh86.sys [76288 2007-03-05] (Realtek Corporation )
3 smserial; C:\Windows\System32\DRIVERS\smserial.sys [981504 2006-10-09] (Motorola Inc.)
2 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [81168 2011-02-25] (Trend Micro Inc.)
2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [190736 2011-02-25] (Trend Micro Inc.)
2 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [65296 2011-02-25] (Trend Micro Inc.)
1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [92112 2010-09-30] (Trend Micro Inc.)
4 blbdrive; C:\Windows\System32\drivers\blbdrive.sys [x]
3 catchme; \??\C:\Users\david\AppData\Local\Temp\catchme.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 RimUsb; C:\Windows\System32\Drivers\RimUsb.sys [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: picturetaker
NETSVC: netdevio
NETSVC: symantecantibotshim
NETSVC: asuskbnt
NETSVC: pciSd

============ One Month Created Files and Folders ==============

2012-05-23 10:31 - 2012-05-23 10:34 - 0000000 ____D C:\FRST
2012-05-23 00:59 - 2012-05-23 01:18 - 2137448448 __ASH C:\hiberfil.sys
2012-05-22 11:22 - 2012-05-22 16:19 - 0000000 ___AD C:\Kaspersky Rescue Disk 10.0
2012-05-22 08:23 - 2012-05-22 08:23 - 0003480 ____N C:\bootsqm.dat
2012-05-22 06:16 - 2012-05-22 06:16 - 0000000 __SHD C:\found.001
2012-05-14 18:10 - 2012-05-14 18:53 - 0000000 __SHD C:\Config.Msi
2012-05-14 11:07 - 2012-05-21 09:23 - 0000440 ____A C:\Windows\Tasks\SpeedMaxPc Registration3.job
2012-05-14 11:06 - 2012-05-14 19:15 - 0000398 ____A C:\Windows\Tasks\SpeedMaxPc Update3.job
2012-05-14 11:06 - 2012-05-14 18:55 - 0000376 ____A C:\Windows\Tasks\SpeedMaxPc.job
2012-05-14 11:06 - 2012-05-14 11:06 - 0000975 ____A C:\Users\david\Desktop\SpeedMaxPc.lnk
2012-05-14 11:06 - 2012-05-14 11:06 - 0000000 ____D C:\Users\david\AppData\Roaming\SpeedMaxPc
2012-05-14 11:06 - 2012-05-14 11:06 - 0000000 ____D C:\Users\david\AppData\Roaming\DriverCure
2012-05-14 11:06 - 2012-05-14 11:06 - 0000000 ____D C:\Users\All Users\SpeedMaxPc
2012-05-14 11:06 - 2012-05-14 11:06 - 0000000 ____D C:\Program Files\SpeedMaxPc
2012-05-14 11:06 - 2012-05-14 11:06 - 0000000 ____D C:\Program Files\Common Files\SpeedMaxPc
2012-05-14 11:02 - 2012-05-14 11:05 - 0000000 ___SD C:\32788R22FWJFW
2012-05-12 14:06 - 2012-05-12 14:06 - 0002042 ____A C:\Users\david\Desktop\Google Chrome.lnk
2012-05-12 14:05 - 2012-05-23 01:10 - 0000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-630971089-2092496672-2384843193-1137UA.job
2012-05-12 14:05 - 2012-05-18 03:00 - 0000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-630971089-2092496672-2384843193-1137Core.job
2012-05-12 14:04 - 2012-05-12 14:05 - 0000000 ____D C:\Users\david\AppData\Local\Deployment
2012-05-12 14:04 - 2012-05-12 14:04 - 0000000 ____D C:\Users\david\AppData\Local\Apps\2.0
2012-05-10 14:16 - 2012-04-03 00:16 - 3602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-05-10 14:16 - 2012-04-03 00:16 - 3550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-10 14:16 - 2012-04-02 05:36 - 2044928 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-10 14:16 - 2012-03-30 04:39 - 0905600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-05-10 14:16 - 2012-03-20 15:28 - 0053120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2012-05-10 14:16 - 2012-03-01 06:46 - 0219648 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2012-05-10 14:16 - 2012-03-01 06:46 - 0160768 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2012-05-10 14:16 - 2012-02-29 06:08 - 1172480 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2012-05-10 14:16 - 2012-02-29 05:44 - 0683008 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2012-05-10 14:16 - 2012-02-29 05:41 - 1069056 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-05-10 14:00 - 2012-05-10 14:00 - 0129285 ____A C:\Users\david\Documents\0406_001.pdf
2012-05-10 07:09 - 2012-05-10 07:09 - 0133345 ____A C:\Users\david\Documents\Claims Service & Procedure inc Loss Adjusting Service.pdf
2012-05-10 07:08 - 2012-05-10 07:08 - 0147964 ____A C:\Users\david\Documents\Info on Management Liability & Legal Expenses.pdf
2012-05-10 07:07 - 2012-05-10 07:08 - 0274470 ____A C:\Users\david\Documents\Kemmetech Ltd - Summary of Proposed Insurances.pdf
2012-05-08 04:45 - 2012-05-22 10:19 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-04-25 12:03 - 2012-04-25 12:03 - 0038148 ____A C:\Users\david\Documents\Attachments_2012_04_25.zip
2012-04-23 11:44 - 2012-04-23 11:44 - 0363217 ____A C:\Users\david\Desktop\Plan of house.pdf

============ 3 Months Modified Files and Folders ===============

2012-05-23 10:34 - 2012-05-23 10:31 - 0000000 ____D C:\FRST
2012-05-23 01:24 - 2007-12-17 12:51 - 0000012 ____A C:\Windows\bthservsdp.dat
2012-05-23 01:24 - 2006-11-02 05:01 - 0032618 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-05-23 01:24 - 2006-11-02 05:01 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-05-23 01:24 - 2006-11-02 04:52 - 1792000 ____A C:\Windows\WindowsUpdate.log
2012-05-23 01:24 - 2006-11-02 04:47 - 0003952 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-05-23 01:24 - 2006-11-02 04:47 - 0003952 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-05-23 01:23 - 2006-11-02 02:33 - 0722976 ____A C:\Windows\System32\PerfStringBackup.INI
2012-05-23 01:20 - 2007-12-17 11:38 - 0000418 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{95DB46FD-FE71-4189-BFB8-690616E78CB3}.job
2012-05-23 01:18 - 2012-05-23 00:59 - 2137448448 __ASH C:\hiberfil.sys
2012-05-23 01:10 - 2012-05-12 14:05 - 0000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-630971089-2092496672-2384843193-1137UA.job
2012-05-23 00:56 - 2010-08-27 21:59 - 1678228 ____A C:\Windows\ntbtlog.txt
2012-05-22 16:19 - 2012-05-22 11:22 - 0000000 ___AD C:\Kaspersky Rescue Disk 10.0
2012-05-22 16:14 - 2008-08-06 14:54 - 0000000 ____D C:\Users\All Users\wininfo
2012-05-22 10:19 - 2012-05-08 04:45 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-05-22 08:23 - 2012-05-22 08:23 - 0003480 ____N C:\bootsqm.dat
2012-05-22 08:23 - 2011-12-21 09:20 - 0000000 __SHD C:\$RECYCLE.BIN
2012-05-22 06:16 - 2012-05-22 06:16 - 0000000 __SHD C:\found.001
2012-05-21 09:23 - 2012-05-14 11:07 - 0000440 ____A C:\Windows\Tasks\SpeedMaxPc Registration3.job
2012-05-18 03:00 - 2012-05-12 14:05 - 0000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-630971089-2092496672-2384843193-1137Core.job
2012-05-17 08:14 - 2006-11-02 05:00 - 0825956 ____A C:\Windows\PFRO.log
2012-05-15 11:16 - 2007-12-17 05:59 - 0000150 ____A C:\Users\Public\Documents\hpqp.ini
2012-05-14 19:19 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\Microsoft.NET
2012-05-14 19:15 - 2012-05-14 11:06 - 0000398 ____A C:\Windows\Tasks\SpeedMaxPc Update3.job
2012-05-14 18:55 - 2012-05-14 11:06 - 0000376 ____A C:\Windows\Tasks\SpeedMaxPc.job
2012-05-14 18:55 - 2006-11-02 04:47 - 0426592 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-14 18:53 - 2012-05-14 18:10 - 0000000 __SHD C:\Config.Msi
2012-05-14 18:50 - 2006-11-02 04:37 - 0000000 ____D C:\Program Files\Windows Journal
2012-05-14 18:35 - 2007-12-17 06:19 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-05-14 18:26 - 2006-11-02 02:24 - 55656824 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-05-14 18:04 - 2006-11-02 04:37 - 0000000 ____D C:\Windows\System32\XPSViewer
2012-05-14 11:06 - 2012-05-14 11:06 - 0000975 ____A C:\Users\david\Desktop\SpeedMaxPc.lnk
2012-05-14 11:06 - 2012-05-14 11:06 - 0000000 ____D C:\Users\david\AppData\Roaming\SpeedMaxPc
2012-05-14 11:06 - 2012-05-14 11:06 - 0000000 ____D C:\Users\david\AppData\Roaming\DriverCure
2012-05-14 11:06 - 2012-05-14 11:06 - 0000000 ____D C:\Users\All Users\SpeedMaxPc
2012-05-14 11:06 - 2012-05-14 11:06 - 0000000 ____D C:\Program Files\SpeedMaxPc
2012-05-14 11:06 - 2012-05-14 11:06 - 0000000 ____D C:\Program Files\Common Files\SpeedMaxPc
2012-05-14 11:05 - 2012-05-14 11:02 - 0000000 ___SD C:\32788R22FWJFW
2012-05-12 14:06 - 2012-05-12 14:06 - 0002042 ____A C:\Users\david\Desktop\Google Chrome.lnk
2012-05-12 14:06 - 2011-11-03 13:01 - 0000000 ____D C:\Users\david\AppData\Local\Google
2012-05-12 14:05 - 2012-05-12 14:04 - 0000000 ____D C:\Users\david\AppData\Local\Deployment
2012-05-12 14:04 - 2012-05-12 14:04 - 0000000 ____D C:\Users\david\AppData\Local\Apps\2.0
2012-05-10 14:00 - 2012-05-10 14:00 - 0129285 ____A C:\Users\david\Documents\0406_001.pdf
2012-05-10 12:31 - 2011-12-21 09:04 - 0000000 ____D C:\Windows\ERDNT
2012-05-10 07:09 - 2012-05-10 07:09 - 0133345 ____A C:\Users\david\Documents\Claims Service & Procedure inc Loss Adjusting Service.pdf
2012-05-10 07:08 - 2012-05-10 07:08 - 0147964 ____A C:\Users\david\Documents\Info on Management Liability & Legal Expenses.pdf
2012-05-10 07:08 - 2012-05-10 07:07 - 0274470 ____A C:\Users\david\Documents\Kemmetech Ltd - Summary of Proposed Insurances.pdf
2012-05-08 15:01 - 2008-04-18 12:18 - 0000000 ____D C:\Program Files\Google
2012-05-08 13:06 - 2008-04-18 12:19 - 0000000 ____D C:\Users\All Users\Google
2012-04-25 12:03 - 2012-04-25 12:03 - 0038148 ____A C:\Users\david\Documents\Attachments_2012_04_25.zip
2012-04-25 11:30 - 2008-04-14 11:41 - 0005972 ____A C:\Users\david\AppData\Local\d3d9caps.dat
2012-04-25 11:23 - 2007-12-17 07:33 - 0000000 ____D C:\users\david
2012-04-25 11:22 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\config\TxR
2012-04-23 11:44 - 2012-04-23 11:44 - 0363217 ____A C:\Users\david\Desktop\Plan of house.pdf
2012-04-21 05:18 - 2007-12-17 07:53 - 0002627 ____A C:\Users\david\Desktop\Microsoft Office Word 2007.lnk
2012-04-19 14:03 - 2012-04-19 14:03 - 1175248 ____A C:\Users\david\Desktop\EP-Whitgift-B.pdf
2012-04-16 14:18 - 2012-04-16 14:18 - 0129536 ____A C:\Users\david\Documents\Chubb IT Data Dash_Export_1(1) Excel.xls
2012-04-16 14:17 - 2012-04-16 14:17 - 0052278 ____A C:\Users\david\Documents\Chubb IT Data Dash_Export_1(1).csv
2012-04-04 11:40 - 2012-04-04 11:40 - 0003404 ____A C:\Users\david\Documents\Valuation.mht
2012-04-03 00:16 - 2012-05-10 14:16 - 3602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-04-03 00:16 - 2012-05-10 14:16 - 3550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-04-02 05:36 - 2012-05-10 14:16 - 2044928 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-30 04:39 - 2012-05-10 14:16 - 0905600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-27 12:31 - 2012-03-27 12:31 - 0010539 ____A C:\Users\david\Documents\DG & JG details for mortgage.xlsx
2012-03-27 11:26 - 2007-12-17 07:53 - 0002585 ____A C:\Users\david\Desktop\Microsoft Office Excel 2007.lnk
2012-03-20 15:28 - 2012-05-10 14:16 - 0053120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2012-03-09 06:44 - 2006-11-02 03:18 - 0000000 ____D C:\Program Files\Common Files\microsoft shared
2012-03-09 06:40 - 2006-11-02 03:18 - 0000000 ____D C:\Program Files\Common Files\System
2012-03-09 06:40 - 2006-11-02 02:23 - 0000219 ____A C:\Windows\win.ini
2012-03-06 13:04 - 2012-03-06 08:56 - 0018654 ____A C:\Users\david\Documents\MH 6 Months review notes.docx
2012-03-05 13:30 - 2012-03-05 12:50 - 0011349 ____A C:\Users\david\Documents\10 & 11 Salary and Divs.xlsx
2012-03-01 06:46 - 2012-05-10 14:16 - 0219648 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2012-03-01 06:46 - 2012-05-10 14:16 - 0160768 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2012-02-29 07:11 - 2012-04-18 18:17 - 0172032 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-02-29 07:11 - 2012-04-18 18:17 - 0005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-02-29 07:09 - 2012-04-18 18:17 - 0157696 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-02-29 06:08 - 2012-05-10 14:16 - 1172480 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2012-02-29 05:44 - 2012-05-10 14:16 - 0683008 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2012-02-29 05:41 - 2012-05-10 14:16 - 1069056 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-02-29 05:32 - 2012-04-18 18:17 - 0012800 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-02-28 07:26 - 2012-04-12 11:47 - 1176576 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-02-28 07:26 - 2012-04-12 11:47 - 0834048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-02-28 07:26 - 2012-04-12 11:47 - 0106496 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-02-28 07:24 - 2012-04-12 11:47 - 3618304 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-02-28 07:24 - 2012-04-12 11:47 - 0671232 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll
2012-02-28 07:24 - 2012-04-12 11:47 - 0478208 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-02-28 07:24 - 2012-04-12 11:47 - 0471040 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-02-28 07:24 - 2012-04-12 11:47 - 0027648 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-02-28 07:23 - 2012-04-12 11:47 - 6090240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-02-28 07:23 - 2012-04-12 11:47 - 0380928 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2012-02-28 07:23 - 2012-04-12 11:47 - 0270336 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-02-28 07:23 - 2012-04-12 11:47 - 0193024 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-02-28 07:23 - 2012-04-12 11:47 - 0180736 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-02-28 06:21 - 2012-04-12 11:47 - 0389632 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-02-28 05:56 - 2012-04-12 11:47 - 1383424 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 23%
Total physical RAM: 2037.81 MB
Available physical RAM: 1550.54 MB
Total Pagefile: 1854.14 MB
Available Pagefile: 1708.81 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:102.61 GB) (Free:29.02 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (HP_RECOVERY) (Fixed) (Total:9.18 GB) (Free:3.3 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (LRMCFRE_EN_DVD) (CDROM) (Total:2.49 GB) (Free:0 GB) UDF
4 Drive f: (Volume) (Fixed) (Total:74.53 GB) (Free:54.04 GB) NTFS
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 112 GB 1528 KB
Disk 1 Online 75 GB 1081 KB

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 103 GB 32 KB
Partition 2 Primary 9 GB 103 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 103 GB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D HP_RECOVERY NTFS Partition 9 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 75 GB 1024 KB

======================================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 F Volume NTFS Partition 75 GB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-05-23 01:08

======================= End Of Log ==========================


Here is the fixlist I created

HKLM\...\Winlogon: [Shell] C:\Windows\temp\uawthl\setup.exe [x ] ()
2 picturetaker; C:\Windows\System32\OVT511Plus.dll [5632 2008-01-18] (Oak Technology Inc.)
3 catchme; \??\C:\Users\david\AppData\Local\Temp\catchme.sys [x]
NETSVC: picturetaker
2012-05-14 11:07 - 2012-05-21 09:23 - 0000440 ____A C:\Windows\Tasks\SpeedMaxPc Registration3.job
2012-05-14 11:06 - 2012-05-14 19:15 - 0000398 ____A C:\Windows\Tasks\SpeedMaxPc Update3.job
2012-05-14 11:06 - 2012-05-14 18:55 - 0000376 ____A C:\Windows\Tasks\SpeedMaxPc.job
2012-05-14 11:06 - 2012-05-14 11:06 - 0000975 ____A C:\Users\david\Desktop\SpeedMaxPc.lnk
2012-05-14 11:06 - 2012-05-14 11:06 - 0000000 ____D C:\Users\david\AppData\Roaming\SpeedMaxPc
2012-05-14 11:06 - 2012-05-14 11:06 - 0000000 ____D C:\Users\david\AppData\Roaming\DriverCure
2012-05-14 11:06 - 2012-05-14 11:06 - 0000000 ____D C:\Users\All Users\SpeedMaxPc
2012-05-14 11:06 - 2012-05-14 11:06 - 0000000 ____D C:\Program Files\SpeedMaxPc
2012-05-14 11:06 - 2012-05-14 11:06 - 0000000 ____D C:\Program Files\Common Files\SpeedMaxPc
2012-05-14 11:02 - 2012-05-14 11:05 - 0000000 ___SD C:\32788R22FWJFW

And the Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 23-05-2012 02
Ran by SYSTEM at 2012-05-23 13:11:53 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored.
picturetaker service deleted successfully.
catchme service deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs picturetaker Deleted successfully.
C:\Windows\Tasks\SpeedMaxPc Registration3.job moved successfully.
C:\Windows\Tasks\SpeedMaxPc Update3.job moved successfully.
C:\Windows\Tasks\SpeedMaxPc.job moved successfully.
C:\Users\david\Desktop\SpeedMaxPc.lnk moved successfully.
C:\Users\david\AppData\Roaming\SpeedMaxPc moved successfully.
C:\Users\david\AppData\Roaming\DriverCure moved successfully.
C:\Users\All Users\SpeedMaxPc moved successfully.
C:\Program Files\SpeedMaxPc moved successfully.
C:\Program Files\Common Files\SpeedMaxPc moved successfully.
C:\32788R22FWJFW moved successfully.

==== End of Fixlog ====

Thank you for your time looking. I have run Malwarebytes, which found more ZeroAccess files, which have been deleted.

Regards,

James
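A way to automate the triage this thread does by eye, as an added example that is not part of the posts, of FRST or of its author: it scans a constructed excerpt of the FRST lines quoted above for the three signs James's fixlist acted on (a Winlogon Shell other than explorer.exe, a System32 driver with an empty vendor field such as the i8042prt line Farbar asked about, and services still listed under the whitelisted NetSvcs heading). The regexes are fitted to the 2012 FRST line layout shown in the log and the severity labels are this example's own convention.

```python
"""Triage helper for pasted FRST (Farbar Recovery Scan Tool) excerpts.

Added example for this thread, not part of FRST or of the posts. It
encodes the reasoning applied above: a driver in the System32 drivers
folder listed with an empty vendor field (the i8042prt line) is a
candidate for a patched driver, a Winlogon Shell other than explorer.exe
is a lockscreen loader, and any service still listed under FRST's
"NetSvcs (Whitelisted)" heading has already failed the whitelist.
Regexes follow the 2012 FRST line layout quoted in the thread; the
severity labels are this example's own convention.
"""
import re

# "<start> <name>; <path> [<size> <yyyy-mm-dd>] (<company>)"
ENTRY_RE = re.compile(
    r"^(?P<start>[0-4]) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\)$"
)
# FRST prints "[x]" (sometimes "[x ]") instead of size/date when the file is absent.
MISSING_RE = re.compile(r"^(?P<start>[0-4]) (?P<name>[^;]+); (?P<path>.+?) \[x ?\]")
SHELL_RE = re.compile(r"^HKLM\\\.\.\.\\Winlogon: \[Shell\] (?P<value>.+?) \[")
NETSVC_RE = re.compile(r"^NETSVC: (?P<name>\S+)$")
SYSTEM_DRIVER_DIR = re.compile(r"^C:\\Windows\\System32\\DRIVERS\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


def triage(text):
    """Return (severity, reason, subject) tuples for an FRST excerpt."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Pass 1: service names FRST left in the NetSvcs section (not whitelisted).
    netsvcs = {m.group("name") for m in map(NETSVC_RE.match, lines) if m}
    findings = []
    for line in lines:
        m = SHELL_RE.match(line)
        if m:
            if m.group("value").lower() != "explorer.exe":
                findings.append(("high", "winlogon shell replaced", m.group("value")))
            continue
        m = ENTRY_RE.match(line) or MISSING_RE.match(line)
        if not m:
            continue
        name, path = m.group("name"), m.group("path")
        company = m.groupdict().get("company")  # None when MISSING_RE matched
        if name in netsvcs:
            findings.append(("high", "non-whitelisted netsvcs service", name))
        elif company is not None and not company.strip() and SYSTEM_DRIVER_DIR.match(path):
            findings.append(("high", "system driver without vendor string", path))
        elif company is None and TEMP_DIR.search(path):
            findings.append(("medium", "entry points at missing file in a temp folder", path))
    return findings


# Constructed excerpt: a handful of lines copied from the log in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [827392 2007-01-12] (Synaptics, Inc.)
HKLM\...\Winlogon: [Shell] C:\Windows\temp\uawthl\setup.exe [x ] ()
2 picturetaker; C:\Windows\System32\OVT511Plus.dll [5632 2008-01-18] (Oak Technology Inc.)
2 pciSd; C:\Windows\System32\bwsvc.dll [x]
1 eabfiltr; C:\Windows\System32\DRIVERS\eabfiltr.sys [8192 2006-11-30] (Hewlett-Packard Development Company, L.P.)
1 i8042prt; C:\Windows\System32\DRIVERS\i8042prt.sys [54784 2008-01-18] ()
3 catchme; \??\C:\Users\david\AppData\Local\Temp\catchme.sys [x]
NETSVC: picturetaker
NETSVC: pciSd
"""

if __name__ == "__main__":
    for severity, reason, subject in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}: {subject}")
```

The five findings it reports on the sample are exactly the entries James put in his fixlist (the Shell value, picturetaker plus its NETSVC entry, pciSd, the i8042prt driver Farbar was about to replace, and the stray catchme.sys); the SpeedMaxPc files are outside this parser's scope.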

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender: Male
  • Location: The Netherlands

Posted 23 May 2012 - 10:26 AM

Glad the issue is resolved.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Everyone else should start a new topic.



