
STOP: C0000135 Error on Boot


  • This topic is locked
5 replies to this topic

#1 Tierus

Posted 23 May 2012 - 06:33 PM

It's my first post here, and I'm already begging for help. I have a client's system that was recently infected by a barrage of viruses. After removal, it will not boot due to the following BSOD error:

"STOP: C0000135 The program can't start because %hs is missing. Try reinstalling the program."

While I have a Windows 7 CD, it won't recognize that the operating system is there, but I can get command-line-level access, and was able to run FRST. The results are as follows:


Scan result of Farbar Recovery Scan Tool Version: 23-05-2012
Ran by SYSTEM at 23-05-2012 16:24:47
Running from F:\
Windows 7 Professional (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8114720 2009-09-11] (Realtek Semiconductor)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [166424 2009-11-13] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [390168 2009-11-13] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [409624 2009-11-13] (Intel Corporation)
HKLM\...\Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" [57928 2010-09-17] (LogMeIn, Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4241512 2012-03-06] (AVAST Software)
HKU\Thousand oaks\...\Run: [dplaysvr] C:\Users\Thousand oaks\AppData\Local\dplaysvr.exe [x]
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1082440 2012-04-04] (Malwarebytes Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
SubSystems: [Windows] ATTENTION! ====> ZeroAccess

==================== Services (Whitelisted) ======

2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44768 2012-03-06] (AVAST Software)
2 BPowMon; C:\Program Files\Broadcom\BPowMon\BPowMon.exe [117568 2009-08-17] (Broadcom Corp.)
2 HP LaserJet Service; "C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe" [136704 2009-06-24] (HP)
2 HPSIService; C:\Windows\system32\HPSIsvc.exe [127800 2010-11-21] (HP)
2 LMIGuardianSvc; "C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe" [375176 2012-02-07] (LogMeIn, Inc.)
2 LMIMaint; "C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe" [147336 2012-02-07] (LogMeIn, Inc.)
2 LogMeIn; "C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe" [407424 2010-11-08] (LogMeIn, Inc.)
3 nosGetPlusHelper; C:\Program Files (x86)\NOS\bin\getPlus_Helper_3004.dll [53248 2011-05-25] (NOS Microsystems Ltd.)

========================== Drivers (Whitelisted) =============

2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [24408 2012-03-06] (AVAST Software)
2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [69976 2012-03-06] (AVAST Software)
1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [53080 2012-03-06] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [819032 2012-03-06] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [337240 2012-03-06] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [59224 2012-03-06] (AVAST Software)
2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [15928 2010-09-17] (LogMeIn, Inc.)
3 lmimirr; C:\Windows\System32\Drivers\lmimirr.sys [11552 2010-09-17] (LogMeIn, Inc.)
2 LMIRfsDriver; C:\Windows\System32\Drivers\LMIRfsDriver.sys [72216 2010-09-17] (LogMeIn, Inc.)
3 mf; C:\Windows\System32\Drivers\mf.sys [142848 2009-07-13] (Microsoft Corporation)
3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [20480 2010-10-13] (Marvell Semiconductor, Inc.)
3 netvsc; C:\Windows\System32\DRIVERS\netvsc60.sys [168448 2010-11-20] (Microsoft Corporation)
3 StnPport; C:\Windows\System32\Drivers\StnPport.sys [97280 2010-10-26] ()
3 SynthVid; C:\Windows\System32\DRIVERS\VMBusVideoM.sys [22528 2010-11-20] (Microsoft Corporation)
4 LMIRfsClientNP; [x]
4 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: iSMBIOS
NETSVC: bthusb
NETSVC: ctxhttp

============ One Month Created Files and Folders ==============

2012-05-23 16:24 - 2012-05-23 16:24 - 0000000 ____D C:\FRST
2012-05-23 08:33 - 2012-05-23 08:33 - 0001843 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-05-23 08:33 - 2012-05-23 08:33 - 0000000 ____A C:\Windows\SysWOW64\config.nt
2012-05-23 08:33 - 2012-03-06 15:15 - 0258520 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-05-23 08:33 - 2012-03-06 15:04 - 0819032 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-05-23 08:33 - 2012-03-06 15:04 - 0337240 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-05-23 08:33 - 2012-03-06 15:02 - 0053080 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-05-23 08:33 - 2012-03-06 15:01 - 0069976 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-05-23 08:33 - 2012-03-06 15:01 - 0059224 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-05-23 08:33 - 2012-03-06 15:01 - 0024408 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-05-23 08:31 - 2012-05-23 08:31 - 0000000 ____D C:\Users\All Users\AVAST Software
2012-05-23 08:31 - 2012-05-23 08:31 - 0000000 ____D C:\Program Files\AVAST Software
2012-05-23 08:31 - 2012-03-06 15:15 - 0201352 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-05-23 08:31 - 2012-03-06 15:15 - 0041184 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-05-23 08:30 - 2012-05-23 08:30 - 74761776 ____A C:\Users\Thousand oaks\Desktop\avast_free_antivirus_setup.exe
2012-05-23 08:29 - 2012-05-23 08:29 - 74761776 ____A C:\Users\Thousand oaks\Downloads\avast_free_antivirus_setup.exe
2012-05-23 08:20 - 2012-05-23 08:22 - 0000606 ____A C:\rkill.log
2012-05-23 08:20 - 2012-05-23 08:20 - 0002021 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2012-05-23 08:18 - 2012-05-23 08:18 - 1012656 ____A C:\Users\Thousand oaks\Desktop\rkill.com
2012-05-09 08:09 - 2012-05-09 08:09 - 0786420 ____A C:\Users\Thousand oaks\AppData\Local\Q$_140066.ENU_SoftGridUserSettings_settings.cp.temp
2012-05-08 23:51 - 2012-05-08 23:51 - 0016394 ____A C:\Windows\System32\hs_err_pid1868.log
2012-05-08 12:13 - 2012-05-08 12:13 - 0060416 ____A C:\Users\Thousand oaks\Downloads\Dr.Deam Free Vet Visit -FINAL.doc
2012-05-07 20:02 - 2012-05-07 20:01 - 0490496 ____A C:\Users\Thousand oaks\Desktop\PAPILLON_4288_DEPOSIT.xls
2012-05-04 15:56 - 2012-05-04 15:56 - 0000000 ____D C:\New folder
2012-05-04 15:37 - 2012-05-23 08:29 - 0000000 ____D C:\Users\Thousand oaks\Desktop\backups
2012-05-04 15:34 - 2012-05-04 15:33 - 0388608 ____A (Trend Micro Inc.) C:\Users\Thousand oaks\Desktop\HijackThis.exe
2012-05-04 13:01 - 2012-05-04 13:01 - 0107584 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
2012-05-04 03:20 - 2012-05-04 03:20 - 0107584 ____A C:\Windows\SysWOW64\GDIPFONTCACHEV1.DAT
2012-05-03 09:02 - 2012-05-03 09:02 - 0000000 ____D C:\Users\Thousand oaks\AppData\Roaming\Malwarebytes
2012-05-03 09:02 - 2012-05-03 09:02 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-05-03 09:02 - 2012-05-03 09:02 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-05-03 08:57 - 2012-05-09 08:20 - 0000000 ____D C:\Users\Thousand oaks\AppData\Local\LogMeIn Rescue Applet
2012-05-03 08:14 - 2012-05-09 08:11 - 0000256 ____A C:\Users\All Users\C0BgFvKRMYaQWh
2012-05-03 08:14 - 2012-05-09 08:11 - 0000144 ____A C:\Users\All Users\-C0BgFvKRMYaQWhr
2012-05-03 08:14 - 2012-05-09 08:11 - 0000000 ____A C:\Users\All Users\-C0BgFvKRMYaQWh
2012-05-03 08:14 - 2012-05-03 08:14 - 0000657 ____A C:\Users\Thousand oaks\Desktop\Data_Recovery.lnk
2012-05-03 05:38 - 2012-05-03 05:38 - 0000002 ____A C:\Users\Thousand oaks\uz.dat
2012-05-02 12:42 - 2012-05-02 12:42 - 0083968 ____A C:\Users\Thousand oaks\Downloads\Productivity 2012.xls
2012-05-02 01:13 - 2012-05-23 08:14 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-05-02 01:12 - 2012-05-02 01:12 - 0000000 ____D C:\Windows\system64
2012-05-01 13:13 - 2012-05-01 13:13 - 0153314 ____A C:\Users\Thousand oaks\Desktop\payroll apr16th - apr 30th.rtf
2012-04-28 10:21 - 2012-04-28 10:21 - 0152064 ____A C:\Users\Thousand oaks\Downloads\April 2012.xls
2012-04-25 16:11 - 2012-04-25 16:11 - 0000000 ____D C:\Windows\Sun

============ 3 Months Modified Files and Folders =============

2012-05-23 16:24 - 2012-05-23 16:24 - 0000000 ____D C:\FRST
2012-05-23 11:40 - 2011-05-19 21:00 - 2388238336 __ASH C:\hiberfil.sys
2012-05-23 10:18 - 2011-11-17 17:57 - 0436274 ____A C:\Windows\ntbtlog.txt
2012-05-23 10:08 - 2010-11-20 19:47 - 0036962 ____A C:\Windows\PFRO.log
2012-05-23 09:09 - 2011-05-25 07:41 - 0000000 ____D C:\Users\Thousand oaks\AppData\Roaming\Adobe
2012-05-23 08:54 - 2011-05-19 19:09 - 1771651 ____A C:\Windows\WindowsUpdate.log
2012-05-23 08:33 - 2012-05-23 08:33 - 0001843 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-05-23 08:33 - 2012-05-23 08:33 - 0000000 ____A C:\Windows\SysWOW64\config.nt
2012-05-23 08:31 - 2012-05-23 08:31 - 0000000 ____D C:\Users\All Users\AVAST Software
2012-05-23 08:31 - 2012-05-23 08:31 - 0000000 ____D C:\Program Files\AVAST Software
2012-05-23 08:30 - 2012-05-23 08:30 - 74761776 ____A C:\Users\Thousand oaks\Desktop\avast_free_antivirus_setup.exe
2012-05-23 08:30 - 2012-04-17 14:05 - 0000506 ___AH C:\Windows\Tasks\SystemToolsDailyTest.job
2012-05-23 08:29 - 2012-05-23 08:29 - 74761776 ____A C:\Users\Thousand oaks\Downloads\avast_free_antivirus_setup.exe
2012-05-23 08:29 - 2012-05-04 15:37 - 0000000 ____D C:\Users\Thousand oaks\Desktop\backups
2012-05-23 08:29 - 2011-06-01 16:54 - 0000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-05-23 08:27 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\NDF
2012-05-23 08:25 - 2011-05-27 16:40 - 0000000 ____D C:\Users\Thousand oaks\AppData\Local\ElevatedDiagnostics
2012-05-23 08:23 - 2011-06-01 16:54 - 0000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-05-23 08:22 - 2012-05-23 08:20 - 0000606 ____A C:\rkill.log
2012-05-23 08:20 - 2012-05-23 08:20 - 0002021 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2012-05-23 08:20 - 2011-06-01 16:55 - 0000000 ____D C:\Users\All Users\Adobe
2012-05-23 08:20 - 2011-06-01 16:55 - 0000000 ____D C:\Program Files (x86)\Adobe
2012-05-23 08:20 - 2009-07-13 20:45 - 0021312 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-05-23 08:20 - 2009-07-13 20:45 - 0021312 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-05-23 08:18 - 2012-05-23 08:18 - 1012656 ____A C:\Users\Thousand oaks\Desktop\rkill.com
2012-05-23 08:16 - 2011-05-19 19:19 - 0000031 ____A C:\tmuninst.ini
2012-05-23 08:15 - 2011-05-19 19:16 - 0514252 ____A C:\Windows\System32\TmInstall.log
2012-05-23 08:15 - 2009-07-13 20:51 - 0033970 ____A C:\Windows\setupact.log
2012-05-23 08:14 - 2012-05-02 01:13 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-05-23 08:13 - 2011-05-27 09:47 - 0000000 ____D C:\Users\All Users\LogMeIn
2012-05-23 08:13 - 2009-07-13 21:08 - 0000006 ____A C:\Windows\Tasks\SA.DAT
2012-05-09 08:22 - 2011-05-25 08:12 - 0000000 ____D C:\EzPOS
2012-05-09 08:20 - 2012-05-03 08:57 - 0000000 ____D C:\Users\Thousand oaks\AppData\Local\LogMeIn Rescue Applet
2012-05-09 08:11 - 2012-05-03 08:14 - 0000256 ____A C:\Users\All Users\C0BgFvKRMYaQWh
2012-05-09 08:11 - 2012-05-03 08:14 - 0000144 ____A C:\Users\All Users\-C0BgFvKRMYaQWhr
2012-05-09 08:11 - 2012-05-03 08:14 - 0000000 ____A C:\Users\All Users\-C0BgFvKRMYaQWh
2012-05-09 08:09 - 2012-05-09 08:09 - 0786420 ____A C:\Users\Thousand oaks\AppData\Local\Q$_140066.ENU_SoftGridUserSettings_settings.cp.temp
2012-05-08 23:51 - 2012-05-08 23:51 - 0016394 ____A C:\Windows\System32\hs_err_pid1868.log
2012-05-08 12:13 - 2012-05-08 12:13 - 0060416 ____A C:\Users\Thousand oaks\Downloads\Dr.Deam Free Vet Visit -FINAL.doc
2012-05-07 20:01 - 2012-05-07 20:02 - 0490496 ____A C:\Users\Thousand oaks\Desktop\PAPILLON_4288_DEPOSIT.xls
2012-05-07 20:01 - 2011-05-24 18:19 - 0000000 ____D C:\Users\Thousand oaks\AppData\Roaming\SoftGrid Client
2012-05-07 15:47 - 2009-07-13 21:13 - 0833420 ____A C:\Windows\System32\PerfStringBackup.INI
2012-05-07 15:42 - 2011-05-25 20:25 - 0000465 ____A C:\Windows\TMFilter.log
2012-05-04 18:16 - 2011-05-24 18:07 - 0000000 ____D C:\Users\Thousand oaks\AppData\Local\VirtualStore
2012-05-04 15:56 - 2012-05-04 15:56 - 0000000 ____D C:\New folder
2012-05-04 15:37 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Downloaded Program Files
2012-05-04 15:33 - 2012-05-04 15:34 - 0388608 ____A (Trend Micro Inc.) C:\Users\Thousand oaks\Desktop\HijackThis.exe
2012-05-04 13:01 - 2012-05-04 13:01 - 0107584 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
2012-05-04 03:20 - 2012-05-04 03:20 - 0107584 ____A C:\Windows\SysWOW64\GDIPFONTCACHEV1.DAT
2012-05-03 18:55 - 2011-05-25 10:50 - 0000000 ____D C:\Users\Thousand oaks\Desktop\med file
2012-05-03 15:23 - 2011-05-24 19:01 - 0107584 ____A C:\Users\Thousand oaks\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-03 09:30 - 2011-05-24 19:01 - 0000000 ____D C:\users\Thousand oaks
2012-05-03 09:02 - 2012-05-03 09:02 - 0000000 ____D C:\Users\Thousand oaks\AppData\Roaming\Malwarebytes
2012-05-03 09:02 - 2012-05-03 09:02 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-05-03 09:02 - 2012-05-03 09:02 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-05-03 08:14 - 2012-05-03 08:14 - 0000657 ____A C:\Users\Thousand oaks\Desktop\Data_Recovery.lnk
2012-05-03 07:53 - 2012-04-17 14:05 - 0000564 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2012-05-03 05:38 - 2012-05-03 05:38 - 0000002 ____A C:\Users\Thousand oaks\uz.dat
2012-05-02 12:42 - 2012-05-02 12:42 - 0083968 ____A C:\Users\Thousand oaks\Downloads\Productivity 2012.xls
2012-05-02 05:55 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\config\TxR
2012-05-02 05:53 - 2011-05-24 18:18 - 0000000 ____D C:\Program Files (x86)\Microsoft Application Virtualization Client
2012-05-02 05:52 - 2011-05-27 09:50 - 0000000 ____D C:\users\LogMeInRemoteUser
2012-05-02 05:52 - 2011-05-25 08:13 - 0000000 ____D C:\Windows\Crystal
2012-05-02 05:52 - 2011-05-19 21:01 - 0000000 ____D C:\Windows\SysWOW64\RTCOM
2012-05-02 05:52 - 2011-05-19 19:14 - 0000000 ____D C:\Windows\en
2012-05-02 05:52 - 2011-05-19 19:08 - 0000000 ____D C:\Windows\Downloaded Installations
2012-05-02 05:52 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Sidebar
2012-05-02 05:52 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Sidebar
2012-05-02 05:52 - 2009-07-13 20:45 - 0000000 ____D C:\Windows\Setup
2012-05-02 05:52 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\TAPI
2012-05-02 05:52 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Recovery
2012-05-02 05:52 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\security
2012-05-02 05:51 - 2011-06-06 14:09 - 0000000 ____D C:\Program Files\Dell Support Center
2012-05-02 05:51 - 2011-06-01 16:54 - 0000000 ____D C:\Program Files\Google
2012-05-02 05:51 - 2011-06-01 16:54 - 0000000 ____D C:\Program Files (x86)\Google
2012-05-02 05:51 - 2011-06-01 16:53 - 0000000 ____D C:\Users\All Users\NOS
2012-05-02 05:51 - 2011-06-01 16:53 - 0000000 ____D C:\Program Files (x86)\NOS
2012-05-02 05:51 - 2011-05-27 09:47 - 0000000 ____D C:\Program Files (x86)\LogMeIn
2012-05-02 05:51 - 2011-05-27 09:45 - 0000000 ____D C:\Users\Thousand oaks\AppData\Local\Apps\2.0
2012-05-02 05:51 - 2011-05-25 09:19 - 0000000 ____D C:\Star
2012-05-02 05:51 - 2011-05-25 08:13 - 0000000 ____D C:\Program Files (x86)\Seagate Software
2012-05-02 05:51 - 2011-05-25 08:13 - 0000000 ____D C:\Program Files (x86)\Report Designer Component
2012-05-02 05:51 - 2011-05-25 07:59 - 0000000 ____D C:\Program Files (x86)\HP
2012-05-02 05:51 - 2011-05-25 07:58 - 0000000 ____D C:\LJP1100_P1560_P1600_Full_Solution
2012-05-02 05:51 - 2011-05-24 18:11 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-05-02 05:51 - 2011-05-19 21:01 - 0000000 ____D C:\Intel
2012-05-02 05:51 - 2011-05-19 19:13 - 0000000 ____D C:\Program Files (x86)\Windows Live
2012-05-02 05:51 - 2011-05-19 19:12 - 0000000 ____D C:\Program Files\Windows Live
2012-05-02 05:51 - 2011-05-19 19:10 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-05-02 05:51 - 2011-05-19 19:08 - 0000000 ____D C:\Program Files\Broadcom
2012-05-02 05:51 - 2011-05-19 19:05 - 0000000 ____D C:\Program Files\Dell Inc
2012-05-02 05:51 - 2011-02-10 06:25 - 0000000 ____D C:\dell
2012-05-02 05:51 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Common Files\Microsoft Shared
2012-05-02 05:50 - 2011-05-19 19:05 - 0000000 ____D C:\Windows\SysWOW64\Macromed
2012-05-02 05:50 - 2010-11-20 23:06 - 0000000 ____D C:\Windows\SysWOW64\winrm
2012-05-02 05:50 - 2010-11-20 23:06 - 0000000 ____D C:\Windows\SysWOW64\WCN
2012-05-02 05:50 - 2010-11-20 23:06 - 0000000 ____D C:\Windows\SysWOW64\slmgr
2012-05-02 05:50 - 2010-11-20 23:06 - 0000000 ____D C:\Windows\SysWOW64\Printing_Admin_Scripts
2012-05-02 05:50 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\SysWOW64\WindowsPowerShell
2012-05-02 05:50 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Web
2012-05-02 05:50 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Vss
2012-05-02 05:50 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\spp
2012-05-02 05:50 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Speech
2012-05-02 05:50 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\NetworkList
2012-05-02 05:50 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\MUI
2012-05-02 05:50 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Msdtc
2012-05-02 05:50 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\migwiz
2012-05-02 05:50 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\InstallShield
2012-05-02 05:50 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\IME
2012-05-02 05:50 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\registration
2012-05-02 05:49 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Performance
2012-05-02 05:49 - 2009-07-13 20:45 - 0000000 ____D C:\Windows\ServiceProfiles
2012-05-02 05:49 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Dism
2012-05-02 05:49 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\com
2012-05-02 05:49 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Speech
2012-05-02 05:49 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\schemas
2012-05-02 05:49 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Resources
2012-05-02 05:49 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\PolicyDefinitions
2012-05-02 05:49 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\PLA
2012-05-02 05:46 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\IME
2012-05-02 05:46 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Help
2012-05-02 05:46 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Globalization
2012-05-02 05:46 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Branding
2012-05-02 05:44 - 2011-12-26 10:00 - 0000000 ____D C:\Users\Thousand oaks\Documents\Fax
2012-05-02 05:44 - 2011-05-25 14:00 - 0000000 ____D C:\Users\Thousand oaks\AppData\Roaming\PCDr
2012-05-02 05:44 - 2011-05-24 19:01 - 0000000 ____D C:\Users\Thousand oaks\AppData\LocalLow
2012-05-02 05:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\AppCompat
2012-05-02 05:40 - 2011-06-01 16:55 - 0000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
2012-05-02 05:40 - 2011-06-01 16:55 - 0000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
2012-05-02 05:40 - 2011-06-01 16:54 - 0000000 ____D C:\Users\All Users\Google
2012-05-02 05:40 - 2011-05-25 14:00 - 0000000 ____D C:\Users\All Users\PCDr
2012-05-02 05:40 - 2011-05-25 07:58 - 0000000 ____D C:\Program Files\HP
2012-05-02 05:40 - 2011-05-24 18:11 - 0000000 ____D C:\Program Files\Microsoft Office
2012-05-02 05:40 - 2011-05-19 21:01 - 0000000 ____D C:\Program Files\Realtek
2012-05-02 05:40 - 2011-05-19 20:57 - 0000000 ____D C:\Program Files (x86)\Windows Virtual PC
2012-05-02 05:40 - 2011-05-19 19:07 - 0000000 ____D C:\Program Files\Java
2012-05-02 05:40 - 2011-05-19 19:06 - 0000000 ____D C:\Program Files\Windows XP Mode
2012-05-02 05:40 - 2010-11-20 23:17 - 0000000 ____D C:\Program Files\Windows Journal
2012-05-02 05:40 - 2010-11-20 23:16 - 0000000 ___RD C:\Users\Public\Recorded TV
2012-05-02 05:40 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Photo Viewer
2012-05-02 05:40 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Defender
2012-05-02 05:40 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Reference Assemblies
2012-05-02 05:40 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\MSBuild
2012-05-02 05:40 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\DVD Maker
2012-05-02 05:40 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2012-05-02 05:40 - 2009-07-13 19:20 - 0000000 ___RD C:\users\Default
2012-05-02 05:40 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Windows NT
2012-05-02 05:40 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Common Files\System
2012-05-02 05:40 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Common Files\SpeechEngines
2012-05-02 05:40 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files (x86)\Windows NT
2012-05-02 05:39 - 2011-05-25 08:13 - 0000000 ____D C:\Program Files (x86)\MapInfo MapX
2012-05-02 05:39 - 2011-05-19 21:01 - 0000000 ____D C:\Program Files (x86)\Intel
2012-05-02 05:39 - 2011-05-19 19:16 - 0000000 ____D C:\Program Files (x86)\Trend Micro
2012-05-02 05:39 - 2011-05-19 19:14 - 0000000 ____D C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2012-05-02 05:39 - 2011-05-19 19:09 - 0000000 ____D C:\Program Files (x86)\Microsoft Office
2012-05-02 05:39 - 2011-05-19 19:07 - 0000000 ____D C:\Program Files (x86)\Java
2012-05-02 05:39 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Defender
2012-05-02 05:39 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Reference Assemblies
2012-05-02 05:39 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\MSBuild
2012-05-02 05:38 - 2011-05-24 18:10 - 0000000 ___RD C:\MSOCache
2012-05-02 05:38 - 2011-05-19 19:08 - 0000000 ____D C:\Program Files (x86)\Dell
2012-05-02 01:12 - 2012-05-02 01:12 - 0000000 ____D C:\Windows\system64
2012-05-01 13:13 - 2012-05-01 13:13 - 0153314 ____A C:\Users\Thousand oaks\Desktop\payroll apr16th - apr 30th.rtf
2012-04-29 12:35 - 2012-01-22 15:57 - 0265216 ____A C:\Users\Thousand oaks\Desktop\store_schedule_2012.xls
2012-04-28 10:21 - 2012-04-28 10:21 - 0152064 ____A C:\Users\Thousand oaks\Downloads\April 2012.xls
2012-04-25 16:11 - 2012-04-25 16:11 - 0000000 ____D C:\Windows\Sun
2012-04-20 15:37 - 2012-04-20 12:12 - 0023427 ____A C:\Users\Thousand oaks\Documents\BARKWORKS.docx
2012-04-20 14:55 - 2011-05-25 10:50 - 0000000 ____D C:\Users\Thousand oaks\Desktop\Lindsay
2012-04-17 14:05 - 2012-04-17 14:05 - 0000000 ____D C:\Users\All Users\Dell
2012-04-11 02:00 - 2011-06-02 06:25 - 57249312 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-04-06 11:03 - 2012-04-06 11:03 - 0014426 ____A C:\Users\Thousand oaks\Documents\SALES STAFF.docx
2012-04-01 10:18 - 2012-04-01 10:18 - 0139545 ____A C:\Users\Thousand oaks\Desktop\payroll mar 16th - mar 31st.rtf
2012-03-27 08:43 - 2012-03-25 09:44 - 0012728 ____A C:\Users\Thousand oaks\Documents\UNFINISHED CHORES.docx
2012-03-23 15:43 - 2012-03-23 15:43 - 0005120 ____A C:\Users\Thousand oaks\Desktop\Cust_Request.xls
2012-03-23 15:39 - 2012-03-23 15:39 - 0000000 ____D C:\Windows\System32\Macromed
2012-03-23 15:39 - 2011-06-02 06:23 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-03-21 02:04 - 2011-02-10 06:33 - 0791082 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-03-16 12:19 - 2012-03-16 12:19 - 0137144 ____A C:\Users\Thousand oaks\Desktop\payroll mar 1st-15th.rtf
2012-03-15 07:42 - 2011-06-01 16:54 - 0000000 ____D C:\Users\Thousand oaks\AppData\Local\Google
2012-03-14 02:18 - 2009-07-13 20:45 - 0409608 ____A C:\Windows\System32\FNTCACHE.DAT
2012-03-08 18:26 - 2012-03-08 18:26 - 0013418 ____A C:\Users\Thousand oaks\Documents\donation form.docx
2012-03-06 15:15 - 2012-05-23 08:33 - 0258520 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-03-06 15:15 - 2012-05-23 08:31 - 0201352 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-03-06 15:15 - 2012-05-23 08:31 - 0041184 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-03-06 15:04 - 2012-05-23 08:33 - 0819032 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-03-06 15:04 - 2012-05-23 08:33 - 0337240 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-03-06 15:02 - 2012-05-23 08:33 - 0053080 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-03-06 15:01 - 2012-05-23 08:33 - 0069976 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-03-06 15:01 - 2012-05-23 08:33 - 0059224 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-03-06 15:01 - 2012-05-23 08:33 - 0024408 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-03-05 22:53 - 2012-04-11 02:01 - 5559152 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-05 21:59 - 2012-04-11 02:01 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-03-05 21:59 - 2012-04-11 02:01 - 3913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-03-01 19:57 - 2012-03-01 19:57 - 0013035 ____A C:\Users\Thousand oaks\Documents\BARKWORKS SALES MONTHLY GOAL CONTRACT.docx
2012-02-29 22:46 - 2012-04-11 02:00 - 0023408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-02-29 22:38 - 2012-04-11 02:00 - 0220672 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-02-29 22:33 - 2012-04-11 02:00 - 0081408 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-02-29 22:28 - 2012-04-11 02:00 - 0005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-02-29 21:37 - 2012-04-11 02:00 - 0172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-02-29 21:33 - 2012-04-11 02:00 - 0159232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2012-02-29 21:29 - 2012-04-11 02:00 - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wmi.dll
2012-02-27 23:34 - 2012-04-11 02:01 - 17790976 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-02-27 23:02 - 2012-04-11 02:01 - 10888704 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-02-27 22:56 - 2012-04-11 02:01 - 2311168 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-02-27 22:50 - 2012-04-11 02:01 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-02-27 22:49 - 2012-04-11 02:01 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-02-27 22:48 - 2012-04-11 02:01 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-02-27 22:48 - 2012-04-11 02:01 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-02-27 22:47 - 2012-04-11 02:01 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-02-27 22:45 - 2012-04-11 02:01 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-02-27 22:43 - 2012-04-11 02:01 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-02-27 22:43 - 2012-04-11 02:01 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-02-27 22:42 - 2012-04-11 02:01 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-02-27 22:39 - 2012-04-11 02:01 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-02-27 17:52 - 2012-04-11 02:01 - 12281856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-02-27 17:27 - 2012-04-11 02:01 - 9705984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-02-27 17:18 - 2012-04-11 02:01 - 1799168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-02-27 17:12 - 2012-04-11 02:01 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-02-27 17:11 - 2012-04-11 02:01 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-02-27 17:11 - 2012-04-11 02:01 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-02-27 17:09 - 2012-04-11 02:01 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-02-27 17:08 - 2012-04-11 02:01 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-02-27 17:06 - 2012-04-11 02:01 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-02-27 17:04 - 2012-04-11 02:01 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-02-27 17:03 - 2012-04-11 02:01 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-02-27 17:03 - 2012-04-11 02:01 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-02-27 16:59 - 2012-04-11 02:01 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 18%
Total physical RAM: 3036.8 MB
Available physical RAM: 2481.93 MB
Total Pagefile: 3034.95 MB
Available Pagefile: 2476.41 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:283.88 GB) (Free:244.75 GB) NTFS
2 Drive e: (GRMCPRXFRER_EN_DVD) (CDROM) (Total:3 GB) (Free:0 GB) UDF
3 Drive f: () (Removable) (Total:7.45 GB) (Free:7.45 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (RECOVERY) (Fixed) (Total:14.15 GB) (Free:8.15 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 7648 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 14 GB 40 MB
Partition 3 Primary 283 GB 14 GB
Partition 4 Primary 1360 KB 298 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 FAT Partition 39 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RECOVERY NTFS Partition 14 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 283 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7647 MB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT32 Removable 7647 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-05-08 23:44

======================= End Of Log ==========================



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:41 AM

Posted 23 May 2012 - 07:21 PM

Hi,

I have a client's system that was recently infected by a barrage of viruses.

Generally Bleeping Computer offers this free service to home users, not a business enterprise.
Also, from the logs, this is a business computer.

Zero Access is a particularly nasty infection and can allow "back door" access, therefore if there are any client files on the system or this machine was connected to an intranet, sensitive information may be compromised. I would recommend reformatting and reinstalling the operating system for that reason.

If that is impossible for your client to do then I can assist you, however I cannot guarantee that the machine will be 100% clean and that it is safe to use for business purposes where client information will be accessed.

If your client wishes to continue, then please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
script removed
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options then select Command Prompt

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.


NEXT



Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Edited by CatByte, 03 July 2012 - 08:48 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Tierus

Tierus
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:08:41 AM

Posted 23 May 2012 - 08:00 PM

First off, thanks kindly for the help. I wasn't aware that Bleeping Computer didn't typically provide support to commercial clients, so apologies for that. The computer now boots successfully.

Here's the requested FRST log:

Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 23-05-2012
Ran by SYSTEM at 2012-05-23 17:49:30 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs iSMBIOS Deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs bthusb Deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs ctxhttp Deleted successfully.
C:\Users\All Users\C0BgFvKRMYaQWh moved successfully.
C:\Users\All Users\-C0BgFvKRMYaQWhr moved successfully.
C:\Users\All Users\-C0BgFvKRMYaQWh moved successfully.

========= bootrec /FixMbr =========

The operation completed successfully.

========= End of CMD: =========


========= bootrec /fixboot =========

The volume does not contain a recognized file system.

Please make sure that all required file system drivers are loaded and that the volume is not corrupted.


========= End of CMD: =========


==== End of Fixlog ====
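The Fixlog above reports that the Session Manager "SubSystems\Windows" value was restored; that value names the ServerDll modules csrss.exe loads at boot, and a missing module there is one way a STOP C0000135 (STATUS_DLL_NOT_FOUND) appears. The check below is an added example, not part of this thread or of FRST: it parses the value and flags any ServerDll module outside the stock Windows 7 set (assumed here to be basesrv and winsrv; the sample values and the "tamperedsrv" name are constructed).

```python
import re

# Assumption: on a clean Windows 7 install only these two modules are listed.
STOCK_SERVER_DLLS = {"basesrv", "winsrv"}

# Constructed sample of the REG_EXPAND_SZ value at
# HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Windows
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off "
    "MaxRequestThreads=16"
)

# Constructed sample with one extra, non-stock module ("tamperedsrv" is a placeholder).
TAMPERED_VALUE = CLEAN_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=tamperedsrv:ConServerDllInitialization,2",
)


def server_dlls(value):
    """Return the module names from every ServerDll=<module>[:<entry>],<n> entry."""
    return [m.lower() for m in re.findall(r"ServerDll=([^,:\s]+)", value)]


def audit_subsystem_value(value, known=STOCK_SERVER_DLLS):
    """Return the ServerDll modules that are not in the known-good set, sorted."""
    return sorted(set(server_dlls(value)) - known)


def read_live_value():
    """Read the value from the local registry on Windows; return None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"System\CurrentControlSet\Control\Session Manager\SubSystems",
    )
    value, _ = winreg.QueryValueEx(key, "Windows")
    return value


if __name__ == "__main__":
    # Falls back to the constructed clean sample when not running on Windows.
    value = read_live_value() or CLEAN_VALUE
    unexpected = audit_subsystem_value(value)
    print("unexpected ServerDll modules:", unexpected or "none")
```

Every module the check reports should exist under System32 and be a signed Microsoft binary; an entry that points at a missing or unsigned file explains a boot that halts before the desktop.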

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:41 AM

Posted 23 May 2012 - 08:05 PM

First off, thanks kindly for the help. I wasn't aware that Bleeping Computer didn't typically provide support to commercial clients, so apologies for that.

No problem, just pay it forward :)

If you could please move on to running ComboFix.

Edited by CatByte, 23 May 2012 - 08:08 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:41 AM

Posted 26 May 2012 - 08:44 PM

Hi,

Do you still need help with your machine?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:41 AM

Posted 04 June 2012 - 02:17 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




