Computer won't boot after Hitman Pro


6 replies to this topic

#1 quyenishere

quyenishere

  • Members
  • 3 posts

Posted 13 July 2012 - 02:01 PM

I installed Hitman Pro and it told me to reboot my computer. Now my computer is stuck at the startup repair screen. I have a 32 bit Windows 7.
Please help!

Edit: Moved topic from Virus, Trojan, Spyware, and Malware Removal Logs to the more appropriate forum. ~ Animal


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 13 July 2012 - 03:07 PM

Hello,

Welcome to the forum.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

#3 quyenishere

quyenishere
  • Topic Starter

  • Members
  • 3 posts

Posted 13 July 2012 - 04:01 PM

This is what it says

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 13-07-2012
Ran by SYSTEM at 13-07-2012 16:59:04
Running from J:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min [281768 2010-11-02] (Avira GmbH)
HKLM\...\Run: [lxdmmon.exe] "C:\Program Files\Lexmark 5000 Series\lxdmmon.exe" [455336 2009-07-06] ()
HKLM\...\Run: [lxdmamon] "C:\Program Files\Lexmark 5000 Series\lxdmamon.exe" [25256 2009-07-06] ()
HKLM\...\Run: [Lexmark 5000 Series Fax Server] "C:\Program Files\Lexmark 5000 Series\fm3032.exe" /s [307880 2009-07-06] ()
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [35736 2011-01-30] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-11-10] (Adobe Systems Incorporated)
HKLM\...\Run: [] [x]
HKLM\...\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe" [1391272 2012-01-03] (Ask)
HKLM\...\Run: [TkBellExe] "c:\program files\real\realplayer\Update\realsched.exe" -osboot [273544 2011-06-28] (RealNetworks, Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-15] (Adobe Systems Incorporated)
HKLM\...\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM\...\Run: [StartNowToolbarHelper] "C:\Program Files\StartNow Toolbar\ToolbarHelper.exe" [x]
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2011-10-09] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462408 2012-04-04] (Malwarebytes Corporation)
HKU\Hai\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet [5248312 2010-04-29] (Yahoo! Inc.)
HKU\Hai\...\Run: [Desktop Software] "C:\Program Files\Common Files\SupportSoft\bin\bcont.exe" /ini "C:\Program Files\ComcastUI\Desktop Software\uinstaller.ini" /fromrun /starthidden [1025320 2009-04-23] (SupportSoft, Inc.)
HKU\Hai\...\Run: [ooVoo.exe] C:\Program Files\ooVoo\oovoo.exe /minimized [21975120 2011-08-14] (ooVoo LLC)
HKU\Hai\...\Run: [AdobeBridge] [x]
HKU\Hai\...\Run: [YahooPartnerToolbar] rundll32.exe [44544 2009-07-13] (Microsoft Corporation)
HKU\Hai\...\Run: [GoogleServiceProfile] rundll32.exe "C:\ProgramData\GoogleServiceProfile.dll",DllRegisterServer [x]
Tcpip\Parameters: [DhcpNameServer] 10.0.0.1
Startup: C:\Users\Hai\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

================================ Services (Whitelisted) ==================

2 AntiVirSchedulerService; "C:\Program Files\Avira\AntiVir Desktop\sched.exe" [136360 2011-04-28] (Avira GmbH)
2 AntiVirService; "C:\Program Files\Avira\AntiVir Desktop\avguard.exe" [269480 2011-06-28] (Avira GmbH)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 lxdmCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdmserv.exe [99248 2007-06-07] (Lexmark International, Inc.)
2 lxdm_device; C:\Windows\system32\lxdmcoms.exe -service [598960 2007-06-07] ( )
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)
2 Updater Service for StartNow Toolbar; C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe [267488 2011-07-27] ()

========================== Drivers (Whitelisted) =============

2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [66616 2011-06-28] (Avira GmbH)
1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [138192 2011-06-28] (Avira GmbH)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-04-04] (Malwarebytes Corporation)
3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2012-04-30] (Malwarebytes Corporation)
1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2009-05-11] (Avira GmbH)
3 VSTHWBS2; C:\Windows\System32\DRIVERS\VSTBS23.SYS [266752 2009-07-13] (Conexant Systems, Inc.)
3 VST_DPV; C:\Windows\System32\DRIVERS\VSTDPV3.SYS [980992 2009-07-13] (Conexant Systems, Inc.)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============


2012-07-13 16:58 - 2012-07-13 16:59 - 00000000 ____D C:\FRST
2012-07-13 09:20 - 2012-07-13 14:21 - 00000000 ____D C:\Program Files\HitmanPro
2012-07-13 09:20 - 2012-07-13 09:20 - 00001893 ____A C:\Users\Public\Desktop\HitmanPro.lnk
2012-07-13 09:19 - 2012-07-13 14:21 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-07-13 08:52 - 2012-07-13 14:21 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malwa
2012-07-13 08:47 - 2012-07-13 08:47 - 00000361 ____A C:\rkill.log
2012-07-12 16:42 - 2012-07-13 08:37 - 00000368 ____A C:\Users\All Users\4oTpCleOJlVAwD
2012-07-12 16:42 - 2012-07-13 08:37 - 00000072 ____A C:\Users\All Users\-4oTpCleOJlVAwDr
2012-07-12 16:42 - 2012-07-13 08:37 - 00000072 ____A C:\Users\All Users\-4oTpCleOJlVAwD
2012-07-10 11:11 - 2012-07-10 11:11 - 00000266 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{AAF6EA03-6CA6-4A7A-BFB4-4615F50812B2}.job
2012-07-07 16:42 - 2012-07-07 16:42 - 00154208 ____A C:\Windows\Minidump\070712-85738-01.dmp
2012-07-05 08:53 - 2012-07-05 08:53 - 00151552 ____A C:\Windows\Minidump\070512-124629-01.dmp
2012-07-02 17:20 - 2012-07-02 17:20 - 00156768 ____A C:\Windows\Minidump\070212-54350-01.dmp
2012-07-02 13:25 - 2012-07-02 13:25 - 00157800 ____A C:\Windows\Minidump\070212-20685-01.dmp
2012-06-21 07:29 - 2012-06-21 07:29 - 00006576 ____H C:\bootsqm.dat
2012-06-20 23:12 - 2012-07-13 14:22 - 00000000 ____D C:\3ec54f3507d6507c5f023a958f6bfc
2012-06-20 23:12 - 2012-04-27 19:19 - 00177152 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-20 23:10 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-20 23:10 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-20 23:10 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-20 23:10 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-20 23:10 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-20 23:10 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-20 23:10 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-20 23:10 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-20 23:10 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-20 23:10 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-20 23:10 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-20 23:10 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-20 23:10 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-20 23:10 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-20 23:10 - 2012-05-14 17:12 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-20 23:10 - 2012-04-07 03:34 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-06-20 23:09 - 2012-04-25 20:48 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-20 23:09 - 2012-04-25 20:48 - 00057856 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-20 23:09 - 2012-04-25 20:43 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-20 23:02 - 2012-06-20 23:02 - 00151744 ____A C:\Windows\Minidump\062112-39811-01.dmp
2012-06-20 09:43 - 2012-06-20 09:43 - 00151488 ____A C:\Windows\Minidump\062012-94302-01.dmp
2012-06-19 17:35 - 2012-05-01 20:52 - 00163328 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-17 12:19 - 2012-06-17 12:19 - 00151648 ____A C:\Windows\Minidump\061712-75816-01.dmp

============ 3 Months Modified Files ========================

2012-07-13 09:20 - 2012-07-13 09:20 - 00001893 ____A C:\Users\Public\Desktop\HitmanPro.lnk
2012-07-13 08:47 - 2012-07-13 08:47 - 00000361 ____A C:\rkill.log
2012-07-13 08:37 - 2012-07-12 16:42 - 00000368 ____A C:\Users\All Users\4oTpCleOJlVAwD
2012-07-13 08:37 - 2012-07-12 16:42 - 00000072 ____A C:\Users\All Users\-4oTpCleOJlVAwDr
2012-07-13 08:37 - 2012-07-12 16:42 - 00000072 ____A C:\Users\All Users\-4oTpCleOJlVAwD
2012-07-11 13:15 - 2010-05-25 15:31 - 01255560 ____A C:\Windows\WindowsUpdate.log
2012-07-11 13:11 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-11 13:11 - 2009-07-13 20:39 - 00068450 ____A C:\Windows\setupact.log
2012-07-11 10:17 - 2009-07-13 15:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-07-10 16:25 - 2011-07-21 08:01 - 00000132 ___AH C:\Users\Hai\AppData\Roaming\Adobe PNG Format CS5 Prefs
2012-07-10 13:08 - 2011-07-21 07:45 - 00001456 ___AH C:\Users\Hai\AppData\Local\Adobe Save for Web 12.0 Prefs
2012-07-10 11:11 - 2012-07-10 11:11 - 00000266 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{AAF6EA03-6CA6-4A7A-BFB4-4615F50812B2}.job
2012-07-10 10:58 - 2009-07-13 20:53 - 00032652 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-10 10:09 - 2012-06-12 18:03 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-10 09:07 - 2009-07-13 20:34 - 00014144 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-10 09:07 - 2009-07-13 20:34 - 00014144 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-07 16:42 - 2012-07-07 16:42 - 00154208 ____A C:\Windows\Minidump\070712-85738-01.dmp
2012-07-07 16:42 - 2012-04-04 17:24 - 150102693 ____A C:\Windows\MEMORY.DMP
2012-07-05 08:53 - 2012-07-05 08:53 - 00151552 ____A C:\Windows\Minidump\070512-124629-01.dmp
2012-07-05 08:25 - 2010-06-01 14:07 - 00127480 ___AH C:\Users\Hai\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-05 08:09 - 2009-07-13 20:33 - 03804168 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-02 17:20 - 2012-07-02 17:20 - 00156768 ____A C:\Windows\Minidump\070212-54350-01.dmp
2012-07-02 13:25 - 2012-07-02 13:25 - 00157800 ____A C:\Windows\Minidump\070212-20685-01.dmp
2012-07-01 08:07 - 2010-05-25 12:39 - 00730320 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-24 10:15 - 2012-06-12 18:03 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-06-24 10:15 - 2011-07-23 13:33 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-06-21 07:29 - 2012-06-21 07:29 - 00006576 ____H C:\bootsqm.dat
2012-06-20 23:02 - 2012-06-20 23:02 - 00151744 ____A C:\Windows\Minidump\062112-39811-01.dmp
2012-06-20 09:43 - 2012-06-20 09:43 - 00151488 ____A C:\Windows\Minidump\062012-94302-01.dmp
2012-06-17 12:19 - 2012-06-17 12:19 - 00151648 ____A C:\Windows\Minidump\061712-75816-01.dmp
2012-06-17 04:41 - 2010-05-25 13:24 - 00028122 ____A C:\Windows\PFRO.log
2012-05-22 23:02 - 2012-05-22 23:02 - 00151352 ____A C:\Windows\Minidump\052312-36941-01.dmp
2012-05-21 18:01 - 2012-05-21 18:00 - 01483584 ____A (Microsoft Corporation) C:\Users\Hai\Documents\WorksConv.exe
2012-05-17 15:11 - 2012-06-20 23:10 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 14:48 - 2012-06-20 23:10 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 14:45 - 2012-06-20 23:10 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 14:36 - 2012-06-20 23:10 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 14:35 - 2012-06-20 23:10 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 14:35 - 2012-06-20 23:10 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 14:33 - 2012-06-20 23:10 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 14:31 - 2012-06-20 23:10 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 14:29 - 2012-06-20 23:10 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 14:29 - 2012-06-20 23:10 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 14:27 - 2012-06-20 23:10 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 14:25 - 2012-06-20 23:10 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 14:24 - 2012-06-20 23:10 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 14:20 - 2012-06-20 23:10 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-14 17:12 - 2012-06-20 23:10 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-14 16:43 - 2012-05-14 16:43 - 00155544 ____A C:\Windows\Minidump\051412-37908-01.dmp
2012-05-07 23:02 - 2012-05-07 23:02 - 00151320 ____A C:\Windows\Minidump\050812-57439-01.dmp
2012-05-03 13:22 - 2012-05-03 13:22 - 00151568 ____A C:\Windows\Minidump\050312-39842-01.dmp
2012-05-01 20:52 - 2012-06-19 17:35 - 00163328 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-30 13:40 - 2012-04-30 13:39 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-04-30 13:39 - 2012-04-30 13:39 - 00001067 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-04-27 23:03 - 2012-04-27 23:03 - 00150864 ____A C:\Windows\Minidump\042812-105456-01.dmp
2012-04-27 19:19 - 2012-06-20 23:12 - 00177152 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-25 20:48 - 2012-06-20 23:09 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 20:48 - 2012-06-20 23:09 - 00057856 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 20:43 - 2012-06-20 23:09 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-21 17:03 - 2012-04-21 17:03 - 00152000 ____A C:\Windows\Minidump\042112-46035-01.dmp
2012-04-21 16:46 - 2012-04-21 16:46 - 00151320 ____A C:\Windows\Minidump\042112-20482-01.dmp


ZeroAccess:
C:\Windows\Installer\{9a70d21d-5094-1b28-0fe2-8575961fcb3e}
C:\Windows\Installer\{9a70d21d-5094-1b28-0fe2-8575961fcb3e}\@
C:\Windows\Installer\{9a70d21d-5094-1b28-0fe2-8575961fcb3e}\U
C:\Windows\Installer\{9a70d21d-5094-1b28-0fe2-8575961fcb3e}\U\00000004.@
C:\Windows\Installer\{9a70d21d-5094-1b28-0fe2-8575961fcb3e}\U\00000008.@
C:\Windows\Installer\{9a70d21d-5094-1b28-0fe2-8575961fcb3e}\U\000000cb.@
C:\Windows\Installer\{9a70d21d-5094-1b28-0fe2-8575961fcb3e}\U\80000000.@
C:\Windows\Installer\{9a70d21d-5094-1b28-0fe2-8575961fcb3e}\U\80000032.@

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 21%
Total physical RAM: 1918.49 MB
Available physical RAM: 1515.55 MB
Total Pagefile: 1918.49 MB
Available Pagefile: 1518.91 MB
Total Virtual: 2047.88 MB
Available Virtual: 1968.7 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:232.79 GB) (Free:148.79 GB) NTFS
7 Drive j: () (Removable) (Total:7.45 GB) (Free:7.22 GB) FAT32
8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
9 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 Online 7633 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 232 GB 101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 232 GB Healthy

==================================================================================

Partitions of Disk 5:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7633 MB 16 KB

==================================================================================

Disk: 5
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 7 J FAT32 Removable 7633 MB Healthy

==================================================================================
==========================================================
TDL4: custom:26000022 <===== ATTENTION!


==========================================================

Last Boot: 2012-05-22 23:32

======================= End Of Log ==========================
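The Run entries in the report above are where the helper's fixlist later lands: the toolbar, the orphaned `[x]` entries and the two `rundll32.exe` loaders, one of them pointing at a DLL under `C:\ProgramData`. A first triage pass over a report in this format can be automated. The Python below is an added example written for this page; it is not FRST's own code and not from the thread. It parses lines in the `HKLM\...\Run: [name] command [size date] (Publisher)` layout the report uses and applies three heuristics: a trailing `[x]` is read as "target file not found" (an assumption consistent with the `not found` line in the fixlog that follows), `rundll32.exe` with no DLL argument or with a DLL under ProgramData/AppData/Temp is flagged high, and an empty publisher field is flagged low for manual review. The sample lines are constructed to mirror the report, not copied from it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the FRST "Registry (Whitelisted)" layout; embedded so the script runs offline.
SAMPLE_LOG = r"""
HKLM\...\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min [281768 2010-11-02] (Avira GmbH)
HKLM\...\Run: [lxdmamon] "C:\Program Files\Lexmark 5000 Series\lxdmamon.exe" [25256 2009-07-06] ()
HKLM\...\Run: [] [x]
HKLM\...\Run: [StartNowToolbarHelper] "C:\Program Files\StartNow Toolbar\ToolbarHelper.exe" [x]
HKU\Hai\...\Run: [AdobeBridge] [x]
HKU\Hai\...\Run: [YahooPartnerToolbar] rundll32.exe [44544 2009-07-13] (Microsoft Corporation)
HKU\Hai\...\Run: [GoogleServiceProfile] rundll32.exe "C:\ProgramData\GoogleServiceProfile.dll",DllRegisterServer [x]
Tcpip\Parameters: [DhcpNameServer] 10.0.0.1
"""

# "HKLM\...\Run: [name] <rest>" -- FRST abbreviates the key path with "..."
RUN_RE = re.compile(r'^(?P<hive>HK\S*?\\\.\.\.\\Run): \[(?P<name>[^\]]*)\] (?P<rest>.*)$')
# "[size date] (Publisher)" that FRST appends when the target file was found on disk
TAIL_RE = re.compile(r'\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<pub>[^)]*)\)$')
# Autorun payloads in user-writable data directories are unusual for installed software
USER_WRITABLE = re.compile(r'\\(ProgramData|Users\\[^\\]+\\AppData|Temp)\\', re.IGNORECASE)


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str
    file_missing: bool          # True when FRST wrote "[x]" (assumed: target not found)
    publisher: Optional[str]    # None when no size/date/publisher block was present


@dataclass
class Finding:
    name: str
    severity: str
    reason: str


def parse_run_entries(log_text: str) -> List[RunEntry]:
    """Extract Run entries from FRST-style report text; other lines are ignored."""
    entries: List[RunEntry] = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        rest = m.group('rest').strip()
        if rest.endswith('[x]'):
            entries.append(RunEntry(m.group('hive'), m.group('name'), rest[:-3].strip(), True, None))
            continue
        tail = TAIL_RE.search(rest)
        if tail:
            command = rest[:tail.start()].strip()
            entries.append(RunEntry(m.group('hive'), m.group('name'), command, False, tail.group('pub').strip()))
        else:
            entries.append(RunEntry(m.group('hive'), m.group('name'), rest, False, None))
    return entries


def triage(entries: List[RunEntry]) -> List[Finding]:
    """Apply the three heuristics described in the lead-in; order of findings follows the log."""
    findings: List[Finding] = []
    for e in entries:
        cmd = e.command.lower()
        if e.file_missing:
            findings.append(Finding(e.name, 'medium', 'target file missing ([x]): orphaned autorun or payload already removed'))
        if cmd.startswith('rundll32') and USER_WRITABLE.search(e.command):
            findings.append(Finding(e.name, 'high', 'rundll32 loads a DLL from a user-writable directory'))
        elif cmd in ('rundll32.exe', 'rundll32'):
            findings.append(Finding(e.name, 'high', 'rundll32 launched with no DLL argument: residue of a removed loader'))
        if e.publisher == '':
            findings.append(Finding(e.name, 'low', 'no publisher recorded: verify the binary manually'))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == '__main__':
    results = triage(parse_run_entries(SAMPLE_LOG))
    for f in results:
        print(f'{f.severity:6} {f.name or "<empty name>":24} {f.reason}')
    print(summarize(results))
```

The low-severity hits (here the Lexmark printer component with an empty publisher field) are review items, not removal candidates; the point of the tiering is to bring the `rundll32` and `[x]` entries to the top of a long report, which is exactly the subset the helper's fixlist addresses.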

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 13 July 2012 - 04:31 PM

We will take care of the infection and resolve the boot issue.

Please download the attached file fixlist.txt and save it to your flash drive.
Boot to System Recovery Options.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also restart, let it boot normally and tell me how it went.

Edited by Farbar, 14 July 2012 - 09:13 AM.


#5 quyenishere

quyenishere
  • Topic Starter

  • Members
  • 3 posts

Posted 13 July 2012 - 05:49 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 13-07-2012
Ran by SYSTEM at 2012-07-13 18:46:13 Run:1
Running from J:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\StartNowToolbarHelper Value deleted successfully.
C:\Program Files\StartNow Toolbar moved successfully.
HKEY_USERS\Hai\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge Value deleted successfully.
HKEY_USERS\Hai\Software\Microsoft\Windows\CurrentVersion\Run\\YahooPartnerToolbar Value deleted successfully.
HKEY_USERS\Hai\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleServiceProfile Value deleted successfully.
C:\ProgramData\GoogleServiceProfile.dll not found.
Updater Service for StartNow Toolbar service deleted successfully.
C:\Users\All Users\4oTpCleOJlVAwD moved successfully.
C:\Users\All Users\-4oTpCleOJlVAwDr moved successfully.
C:\Users\All Users\-4oTpCleOJlVAwD moved successfully.
C:\Windows\Installer\{9a70d21d-5094-1b28-0fe2-8575961fcb3e} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.

========= bootrec /FixMbr =========

The operation completed successfully.

========= End of CMD: =========


The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====

I booted it and everything seems to be fixed now. Thank you!
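The FRST report flagged the master boot record (`TDL4: custom:26000022 <===== ATTENTION!`) and the fixlog above shows `bootrec /FixMbr` rewriting the boot code. Once a machine is known clean, a defender can record a hash of the 440-byte boot-code region of sector 0 and re-check it, together with basic partition-table sanity, on every later scan; a silent change to that region is how an MBR bootkit persists. The Python below is an added example written for this page, not FRST's code and not from the thread. It builds a constructed 512-byte MBR with the two-partition layout the report lists (a 100 MB active System Reserved partition followed by the Windows partition); the LBA offsets and sector counts are assumed values, and `read_mbr` is a small helper for reading a real sector 0 from a disk image or device path, which the example does not exercise.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # bytes 0..439 hold the executable boot code
PTABLE_OFFSET = 446       # four 16-byte partition entries
SIGNATURE_OFFSET = 510    # 0x55 0xAA boot signature
ENTRY_FMT = '<B3sB3sII'   # status, CHS start, type, CHS end, LBA start, sector count


def read_mbr(path: str) -> bytes:
    """Read sector 0 from a disk image file or a raw device. On Windows the device path is
    r'\\.\PhysicalDrive0' and the process needs administrative rights; not used in the demo."""
    with open(path, 'rb') as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(boot_code_fill: int = 0xFA) -> bytes:
    """Constructed MBR (not read from the poster's disk) mirroring the FRST partition listing:
    100 MB active NTFS partition at 1 MiB, then a large NTFS partition. Offsets are assumed."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:BOOT_CODE_LEN] = bytes([boot_code_fill]) * BOOT_CODE_LEN
    chs = b'\xfe\xff\xff'  # CHS fields are irrelevant on LBA-addressed disks
    entries = [
        struct.pack(ENTRY_FMT, 0x80, chs, 0x07, chs, 2048, 204800),       # System Reserved, active
        struct.pack(ENTRY_FMT, 0x00, chs, 0x07, chs, 206848, 488000000),  # Windows partition
    ]
    for i, entry in enumerate(entries):
        off = PTABLE_OFFSET + 16 * i
        mbr[off:off + 16] = entry
    mbr[SIGNATURE_OFFSET:] = b'\x55\xAA'
    return bytes(mbr)


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 over the boot-code region only; the partition table may change legitimately."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partition_table(mbr: bytes) -> List[Dict[str, int]]:
    parts: List[Dict[str, int]] = []
    for i in range(4):
        off = PTABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue  # unused slot
        parts.append({'index': i + 1, 'status': status, 'type': ptype, 'lba_start': lba, 'sectors': count})
    return parts


def check_mbr(mbr: bytes, baseline_boot_hash: str) -> List[str]:
    """Return a list of integrity issues; an empty list means the sector matches expectations."""
    issues: List[str] = []
    if len(mbr) != SECTOR_SIZE:
        return ['sector is %d bytes, expected %d' % (len(mbr), SECTOR_SIZE)]
    if mbr[SIGNATURE_OFFSET:] != b'\x55\xAA':
        issues.append('missing 0x55AA boot signature')
    parts = parse_partition_table(mbr)
    for p in parts:
        if p['status'] not in (0x00, 0x80):
            issues.append('partition %d has invalid status byte 0x%02X' % (p['index'], p['status']))
    if sum(1 for p in parts if p['status'] == 0x80) != 1:
        issues.append('expected exactly one active partition')
    ordered = sorted(parts, key=lambda p: p['lba_start'])
    for a, b in zip(ordered, ordered[1:]):
        if a['lba_start'] + a['sectors'] > b['lba_start']:
            issues.append('partitions %d and %d overlap' % (a['index'], b['index']))
    if boot_code_hash(mbr) != baseline_boot_hash:
        issues.append('boot code differs from recorded baseline')
    return issues


if __name__ == '__main__':
    clean = build_sample_mbr()
    baseline = boot_code_hash(clean)
    print('baseline boot-code sha256:', baseline)
    for p in parse_partition_table(clean):
        print(p)
    print('tampered copy:', check_mbr(build_sample_mbr(0x90), baseline))
```

A changed boot-code hash is a signal, not a verdict: a Windows repair such as the `bootrec /FixMbr` in the fixlog legitimately rewrites that region, so the baseline is re-recorded after known-good maintenance and any other change is investigated.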

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 14 July 2012 - 12:34 AM

Great. :thumbup2:

The system had multiple rootkit and MBR infections. Please let me know if you want me to check the system for any damage done by the infection.

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 22 July 2012 - 11:21 AM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Everyone else should start a new topic.



