
Invalid Partition Table


  • This topic is locked
29 replies to this topic

#1 April.T


Posted 09 October 2012 - 03:52 PM

My computer cannot start up. When I researched the cause I came across this topic (link). So, I guess this is pretty much a repeat. I'm posting the zipped file according to AustrAlien.

Attached Files

  • mbr.zip (528 bytes)


#2 AustrAlien


Posted 09 October 2012 - 04:40 PM

I can see several apparent problems with the partition table, sure enough.
  • The problem(s) should be able to be fixed, but firstly I need some more information.
  • If the problem is malware-related, I will (must) request some expert malware-specialist assistance for you.
How about some details of the system, and the history of the problem?

I notice you posted in the Win7 forum, yet the MBR is shown as that of Windows XP:
Which operating system is installed on the problematic computer?
  • Windows 7 ?
    OR ...
  • Windows XP ?
What is the make and model of the computer, and is it a laptop or desktop computer?

The first partition is invalid, and appears to be the product of a malware infection:
  • Were you aware of malware on the system?
  • Did you attempt to remove malware, and how did you go about that?
Please describe events leading up to the current problem.

MBR Analyzer v1.1.0

File : C:\Documents and Settings\GEOFF\Desktop\April.T _BC\mbr.bin

--------------------------------------------------------------

--OFFSET--  0-1-2-3-4-5-6-7-8-9-A-B-C-D-E-F-  0123456789ABCDEF

0x00000000  33C08ED0BC007CFB5007501FFCBE1B7C  3.....|.P.P....|
0x00000010  BF1B065057B9E501F3A4CBBDBE07B104  ...PW...........
0x00000020  386E007C09751383C510E2F4CD188BF5  8n.|.u..........
0x00000030  83C610497419382C74F6A0B507B4078B  ...It.8,t.......
0x00000040  F0AC3C0074FCBB0700B40ECD10EBF288  ..<.t...........
0x00000050  4E10E84600732AFE4610807E040B740B  N..F.s*.F..~..t.
0x00000060  807E040C7405A0B60775D28046020683  .~..t....u..F...
0x00000070  46080683560A00E821007305A0B607EB  F...V...!.s.....
0x00000080  BC813EFE7D55AA740B807E100074C8A0  ..>.}U.t..~..t..
0x00000090  B707EBA98BFC1E578BF5CBBF05008A56  .......W.......V
0x000000A0  00B408CD1372238AC1243F988ADE8AFC  .....r#..$?.....
0x000000B0  43F7E38BD186D6B106D2EE42F7E23956  C..........B..9V
0x000000C0  0A77237205394608731CB80102BB007C  .w#r.9F.s......|
0x000000D0  8B4E028B5600CD1373514F744E32E48A  .N..V...sQOtN2..
0x000000E0  5600CD13EBE48A560060BBAA55B441CD  V......V.`..U.A.
0x000000F0  13723681FB55AA7530F6C101742B6160  .r6..U.u0...t+a`
0x00000100  6A006A00FF760AFF76086A0068007C6A  j.j..v..v.j.h.|j
0x00000110  016A10B4428BF4CD136161730E4F740B  .j..B....aas.Ot.
0x00000120  32E48A5600CD13EBD661F9C3496E7661  2..V.....a..Inva
0x00000130  6C696420706172746974696F6E207461  lid partition ta
0x00000140  626C65004572726F72206C6F6164696E  ble.Error loadin
0x00000150  67206F7065726174696E672073797374  g operating syst
0x00000160  656D004D697373696E67206F70657261  em.Missing opera
0x00000170  74696E672073797374656D0000000000  ting system.....
0x00000180  00000000000000000000000000000000  ................
0x00000190  00000000000000000000000000000000  ................
0x000001A0  00000000000000000000000000000000  ................
0x000001B0  00000000002C44633E76B9D000008000  .....,Dc>v......
0x000001C0  03000000000002000000000000000020  ............... 
0x000001D0  2100DEDF130C000800000020030080DF  !.......... ....
0x000001E0  140C07FEFFFF0028030000C0D40100FE  .......(........
0x000001F0  FFFF07FEFFFF00E8D701B092AD4855AA  .............HU.

---------------------------[ MBR ]----------------------------

MBR_CODE        : XP MBR Code
MD5             : CAC7FD012215C72785310D997CB2185D
SHA1            : 55671113EAF51B41EDAAAD574F609047BB6EE354
PARTITIONS      : 3
DISK_SIGNATURE  : 3E76B9D0
SIGNATURE_ID    : AA55h

-----------------------[ PARTITION 2 ]------------------------

BOOTABLE        : NO
PARTITION_TYPE  : 0xDE ( Dell Utility )
PARTITION_SIZE  : 100 MiB
STARTING_SECTOR : 2048
ENDING_SECTOR   : 206848
TOTAL_SECTORS   : 204800

-----------------------[ PARTITION 3 ]------------------------

BOOTABLE        : YES
PARTITION_TYPE  : 0x07 ( NTFS / HPFS)
PARTITION_SIZE  : 14.65 GiB
STARTING_SECTOR : 206848
ENDING_SECTOR   : 30926848
TOTAL_SECTORS   : 30720000

-----------------------[ PARTITION 4 ]------------------------

BOOTABLE        : NO
PARTITION_TYPE  : 0x07 ( NTFS / HPFS)
PARTITION_SIZE  : 581 GiB
STARTING_SECTOR : 30926848
ENDING_SECTOR   : 1250261680
TOTAL_SECTORS   : 1219334832

AustrAlien
Google is my friend. Make Google your friend too.

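The partition table AustrAlien is reading sits in the last four rows of the dump and can be decoded by hand. What follows is an added example, not from the thread and not MBR Analyzer's code: it parses the tail of the sector transcribed from the dump above and flags the conditions that make the first entry invalid. That entry carries the 0x80 active flag while its type byte is 0x00 and its length is zero, and a second entry (the NTFS system partition) is also marked active. `parse_mbr`, `check_table` and `Entry` are this example's own names, and the size conversion assumes 512-byte sectors.

```python
"""Parse the classic 64-byte MBR partition table and flag the anomalies
visible in the dump above.  Added example: not from the thread, and not
MBR Analyzer's code.  The sector bytes are transcribed from the dump."""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Tail of sector 0, offsets 0x1B8..0x1FF, copied from the dump above
# (the 0x1B0 row from its ninth byte onward, the other rows complete).
MBR_TAIL_HEX = (
    "3E76B9D000008000"                   # 0x1B8: disk signature, 2 reserved bytes, entry 1 begins
    "03000000000002000000000000000020"   # 0x1C0
    "2100DEDF130C000800000020030080DF"   # 0x1D0
    "140C07FEFFFF0028030000C0D40100FE"   # 0x1E0
    "FFFF07FEFFFF00E8D701B092AD4855AA"   # 0x1F0
)
TAIL_OFFSET = 0x1B8

# Rebuild a 512-byte sector (boot code zeroed; only the table matters here)
# so the parser takes the same input as `dd if=/dev/sdX bs=512 count=1`.
MBR_SECTOR = bytes(TAIL_OFFSET) + bytes.fromhex(MBR_TAIL_HEX)

TYPE_NAMES = {0x00: "empty", 0x05: "extended", 0x07: "NTFS/HPFS/exFAT",
              0x0F: "extended (LBA)", 0xDE: "Dell Utility", 0xEE: "GPT protective"}


@dataclass
class Entry:
    index: int        # 1..4, slot position in the table
    status: int       # 0x80 = active (bootable), 0x00 = inactive
    ptype: int        # partition type byte
    lba_start: int    # first sector, LBA
    sectors: int      # length in sectors

    @property
    def bootable(self) -> bool:
        return self.status == 0x80

    @property
    def lba_end(self) -> int:
        # One past the last sector: the same convention as ENDING_SECTOR above.
        return self.lba_start + self.sectors

    def describe(self) -> str:
        name = TYPE_NAMES.get(self.ptype, "unknown")
        return (f"entry {self.index}: status=0x{self.status:02X} type=0x{self.ptype:02X} ({name}) "
                f"start={self.lba_start} sectors={self.sectors} size={self.sectors * 512 / 2**20:.2f} MiB")


def parse_mbr(sector: bytes) -> tuple[str, list[Entry]]:
    """Return the 4-byte disk signature (hex, in on-disk byte order) and the 4 entries."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong length or missing 55AA boot signature")
    # Windows reads these 4 bytes as a little-endian DWORD (0xD0B9763E); tools
    # such as MBR Analyzer print them in on-disk order, which is what we return.
    disk_sig = sector[0x1B8:0x1BC].hex().upper()
    entries = []
    for i in range(4):
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _, _, _, ptype, _, _, _, start, count = struct.unpack_from("<8B2I", sector, 0x1BE + 16 * i)
        entries.append(Entry(i + 1, status, ptype, start, count))
    return disk_sig, entries


def check_table(entries: list[Entry]) -> list[str]:
    """Flag states a partitioning tool never writes; two of them trip on the dump above."""
    problems = []
    for e in entries:
        if e.status not in (0x00, 0x80):
            problems.append(f"entry {e.index}: status byte 0x{e.status:02X} is neither 0x00 nor 0x80")
        if e.ptype == 0x00 and (e.status or e.lba_start or e.sectors):
            # An unused slot is all zeros; type 0x00 with a flag, start or length set is
            # either corruption or something hiding a sector range from the OS.
            problems.append(f"entry {e.index}: type 0x00 (empty) but status/start/length are not all zero")
        if e.ptype != 0x00 and e.sectors == 0:
            problems.append(f"entry {e.index}: zero-length partition")
    active = [e.index for e in entries if e.bootable]
    if len(active) > 1:
        problems.append(f"more than one entry carries the active flag: {active}")
    used = sorted((e for e in entries if e.ptype and e.sectors), key=lambda e: e.lba_start)
    for a, b in zip(used, used[1:]):
        if b.lba_start < a.lba_end:
            problems.append(f"entries {a.index} and {b.index} overlap")
    return problems


if __name__ == "__main__":
    sig, table = parse_mbr(MBR_SECTOR)
    print("disk signature:", sig)
    for e in table:
        print(e.describe())
    for p in check_table(table):
        print("PROBLEM:", p)
```

MBR Analyzer reports PARTITIONS: 3 because it skips the type-0x00 slot; the checker above reports that slot instead, since an unused entry should be all zeros and a stray active flag on it is exactly what the analyst is reacting to. The second finding, two entries flagged 0x80, is independent of the first: the XP-era boot code in this very dump walks the four status bytes and prints "Invalid partition table" when more than one is active, which is the error the thread title names.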

#3 April.T


Posted 09 October 2012 - 06:41 PM

-It is Windows 7. It was bought new just over a year ago.
-It is a Dell Inspiron M5010, laptop

I was getting redirected to fake search engines prior to this. This was happening when I was trying to click Google links, but not if I just typed in an address manually. I do not mean that I typed in the address of the links Google provided. Just sites that I normally use. I ran Microsoft Security Essentials and it did remove something. I don't remember what it was called or what type of malware it was. However, it didn't change anything with the false links.
Hope this gets you going in the right direction.

#4 AustrAlien


Posted 09 October 2012 - 10:05 PM

Thank you. As expected, the problem was most likely caused by malware/improperly attempting to remove the malware.

Please sit tight and be patient for now:
  • I have requested that an experienced helper who specialises in malware-related un-bootable computers respond to your topic.
  • A suitably experienced helper will respond when they are available.


#5 Farbar


Posted 10 October 2012 - 02:09 AM

Hello April.T,

Welcome to the forum. I will be assisting you with the issue. Please refrain from doing any fixes on your own until we are done and this topic is closed.

I see the system is infected with a partition infection. We will fix the infection and boot the system the next round after providing the log.

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter and close Notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

#6 April.T


Posted 10 October 2012 - 05:27 PM

First off, thanks.

I think I'm going to have a problem with this. The F8 key does not respond. I had tried that at the outset, and that is actually how I ended up finding that other topic. F2 and F12 do work. Also, the laptop did not come with an installation disc. I can't remember if this is 32-bit or 64-bit. I know how to find out on a properly working computer, but is there another way to find out which it is? I should be able to figure out which drive letter is my flash drive using xPUD, right? I can see that it is 'K' on my good computer, but I doubt that it is K for every computer. Or is it?

Is there any work-around for the Advanced Boot Options issue?



#7 Farbar


Posted 11 October 2012 - 06:47 AM

The drive letter of the flash drive can change in the recovery environment and can be easily found once you can boot to the recovery environment. The main concern now is booting to the recovery environment.

Sometimes F8 should be tried repeatedly with a different tempo. Sometimes it responds when tapping it with a longer interval a few times. But on some systems, even after responding, the computer might not be able to boot to the recovery environment and hangs on loading files.

If you have access to another computer with Windows 7 you can make a recovery disk: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

Since you don't know the version, the only way is to try whatever you have. If you could get to the Advanced Boot Options with whatever version, we can handle the rest from there even if the FRST log is not showing all the entries properly.

There is a paid recovery disc that is claimed to work on both versions: http://systemdiscs.com/?utm_source=neosmart&utm_medium=article&utm_campaign=Win7_Recovery



#8 April.T


Posted 11 October 2012 - 05:05 PM

Excellent. I'll try this a little later today and get back to you.

#9 Farbar


Posted 11 October 2012 - 05:11 PM

OK. It is too late over here and I'll see your reply tomorrow morning European time.

#10 Farbar


Posted 12 October 2012 - 12:55 PM

This is another thing to try:

Tap F2 at start up to enter the BIOS setup. Don't change anything, as this is just a trick to get the keyboard to respond. Exit the BIOS by pressing the required key and, without delay and almost simultaneously, tap F8. You should not give the system any time to start loading the drivers, otherwise the keyboard will be disabled. Please let me know how it went.

#11 April.T


Posted 15 October 2012 - 11:00 AM

Finally back. So I made a 64-bit version repair disc. Here's the file.
EDIT: Tried your keyboard trick and didn't meet with any success.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-10-2012
Ran by SYSTEM at 15-10-2012 10:53:55
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-15] (Adobe Systems Incorporated)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2416480 2012-01-24] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
HKU\April T\...\Run: [Elements+9 Menu] noValue [x]
HKU\April T\...\Run: [SoftAuto.exe] "C:\Program Files (x86)\Creative\Software Update 3\SoftAuto.exe" [405504 2008-08-12] (Creative Technology Ltd)
HKU\April T\...\Run: [Akamai NetSession Interface] "C:\Users\April T\AppData\Local\Akamai\netsession_win.exe" [4440896 2012-08-10] (Akamai Technologies, Inc.)
HKU\April T\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\April T\...\Run: [AdobeBridge] [x]
HKU\Guest\...\Run: [Best Buy pc app] C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms [x]
HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2011-10-04] (Dell)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Guest\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Services (Whitelisted) ===================

2 Akamai; C:\program files (x86)\common files\akamai/netsession_win_5891ae0.dll [4537664 2012-08-30] (Akamai Technologies, Inc.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe" [192776 2011-08-02] (AVG Technologies CZ, s.r.o.)
2 CTDevice_Srv; C:\Program Files (x86)\Creative\Shared Files\CTDevSrv.exe [61440 2007-04-01] (Creative Technology Ltd)
3 CTUPnPSv; C:\Program Files (x86)\Creative\Creative Centrale\CTUPnPSv.exe [64000 2008-05-21] (Creative Technology Ltd)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [x]

==================== Drivers (Whitelisted) =====================

3 SWNC8UA3; C:\Windows\System32\Drivers\SWNC8UA3.sys [227840 2009-03-31] (Sierra Wireless Inc.)
3 SWUMXA3; C:\Windows\System32\Drivers\SWUMXA3.sys [198528 2009-05-04] (Sierra Wireless Inc.)
2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}; \??\C:\Program Files (x86)\CyberLink\PowerDVD DX\000.fcl [146928 2009-12-29] (CyberLink Corp.)
3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [x]
3 swmsflt; C:\Windows\System32\DRIVERS\swmsflt.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-10-15 10:53 - 2012-10-15 10:53 - 00000000 ____D C:\FRST
2012-10-07 11:08 - 2012-10-07 11:08 - 00635144 ____A C:\Windows\Minidump\100712-17830-01.dmp
2012-09-26 15:00 - 2012-09-26 15:00 - 00129037 ____A C:\Users\April T\Downloads\vintage_erotique.zip
2012-09-26 15:00 - 2012-09-26 15:00 - 00000000 ____D C:\Users\April T\Downloads\vintage_erotique
2012-09-26 14:59 - 2012-09-26 14:59 - 00196323 ____A C:\Users\April T\Downloads\alpha_silouettes.zip
2012-09-26 14:59 - 2012-09-26 14:59 - 00000000 ____D C:\Users\April T\Downloads\alpha_silouettes
2012-09-25 17:56 - 2012-09-25 17:56 - 00000020 ____A C:\Users\Guest\Documents\inflikted.txt
2012-09-25 12:40 - 2012-08-21 13:01 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe
2012-09-23 13:34 - 2012-09-23 13:34 - 00000000 ____D C:\Users\April T\Downloads\halloweenies
2012-09-23 13:34 - 2012-09-23 13:34 - 00000000 ____D C:\Users\April T\Downloads\double_feature
2012-09-23 13:33 - 2012-09-23 13:33 - 00000000 ____D C:\Users\April T\Downloads\lunacy_more
2012-09-23 13:33 - 2012-09-23 13:33 - 00000000 ____D C:\Users\April T\Downloads\jack_lantern_bb
2012-09-23 13:30 - 2012-09-23 13:30 - 00059303 ____A C:\Users\April T\Downloads\double_feature.zip
2012-09-23 13:29 - 2012-09-23 13:29 - 00029611 ____A C:\Users\April T\Downloads\halloweenies.zip
2012-09-23 13:28 - 2012-09-23 13:28 - 00032265 ____A C:\Users\April T\Downloads\jack_lantern_bb.zip
2012-09-23 13:28 - 2012-09-23 13:28 - 00014182 ____A C:\Users\April T\Downloads\lunacy_more.zip
2012-09-21 17:44 - 2012-08-24 03:15 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-09-21 17:44 - 2012-08-24 02:39 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-09-21 17:44 - 2012-08-24 02:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-09-21 17:44 - 2012-08-24 02:22 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-09-21 17:44 - 2012-08-24 02:21 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-09-21 17:44 - 2012-08-24 02:20 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-09-21 17:44 - 2012-08-24 02:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-09-21 17:44 - 2012-08-24 02:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-09-21 17:44 - 2012-08-24 02:14 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-09-21 17:44 - 2012-08-24 02:14 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-09-21 17:44 - 2012-08-24 02:13 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-09-21 17:44 - 2012-08-24 02:12 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-09-21 17:44 - 2012-08-24 02:11 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-09-21 17:44 - 2012-08-24 02:10 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-09-21 17:44 - 2012-08-24 02:09 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-09-21 17:44 - 2012-08-24 02:04 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-09-21 17:44 - 2012-08-23 23:27 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-09-21 17:44 - 2012-08-23 23:03 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-09-21 17:44 - 2012-08-23 22:59 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-09-21 17:44 - 2012-08-23 22:51 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-09-21 17:44 - 2012-08-23 22:51 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-09-21 17:44 - 2012-08-23 22:51 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-09-21 17:44 - 2012-08-23 22:49 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-09-21 17:44 - 2012-08-23 22:48 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-09-21 17:44 - 2012-08-23 22:47 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-09-21 17:44 - 2012-08-23 22:47 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-09-21 17:44 - 2012-08-23 22:47 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-09-21 17:44 - 2012-08-23 22:45 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-09-21 17:44 - 2012-08-23 22:44 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-09-21 17:44 - 2012-08-23 22:44 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-09-21 17:44 - 2012-08-23 22:43 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-09-21 17:44 - 2012-08-23 22:40 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-09-20 19:10 - 2012-09-20 19:10 - 09573296 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-09-15 18:51 - 2012-09-15 18:51 - 00031096 ____A C:\Users\April T\Downloads\kingthings_conundrum.zip
2012-09-15 18:51 - 2012-09-15 18:51 - 00000000 ____D C:\Users\April T\Downloads\kingthings_conundrum
2012-09-15 08:41 - 2012-09-15 08:41 - 00076122 ____A C:\Users\April T\Downloads\uni_05_x.zip
2012-09-15 08:41 - 2012-09-15 08:41 - 00000000 ____D C:\Users\April T\Downloads\uni_05_x

==================== 3 Months Modified Files ==================

2012-10-08 17:18 - 2010-11-26 10:54 - 01277620 ____A C:\Windows\WindowsUpdate.log
2012-10-08 17:10 - 2012-03-29 11:56 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-10-08 16:04 - 2009-07-13 21:13 - 00779266 ____A C:\Windows\System32\PerfStringBackup.INI
2012-10-08 14:08 - 2012-08-06 14:09 - 00000132 ____A C:\Users\April T\AppData\Roaming\Adobe PNG Format CS5 Prefs
2012-10-08 04:39 - 2009-07-13 20:45 - 00013872 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-08 04:39 - 2009-07-13 20:45 - 00013872 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-08 04:31 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-08 04:31 - 2009-07-13 20:51 - 00129642 ____A C:\Windows\setupact.log
2012-10-07 11:08 - 2012-10-07 11:08 - 00635144 ____A C:\Windows\Minidump\100712-17830-01.dmp
2012-10-07 11:08 - 2012-02-07 04:23 - 513241342 ____A C:\Windows\MEMORY.DMP
2012-10-01 18:27 - 2012-04-19 15:08 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-30 10:14 - 2012-01-18 13:10 - 00001551 ____A C:\Users\April T\Documents\Azreth.txt
2012-09-30 07:51 - 2012-04-19 14:50 - 00093062 ____A C:\Windows\SysWOW64\commonpriv.log
2012-09-27 06:40 - 2011-02-25 20:14 - 00055640 ____A C:\Users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2012-09-27 06:40 - 2009-07-13 20:45 - 04778464 ____A C:\Windows\System32\FNTCACHE.DAT
2012-09-26 16:58 - 2011-02-25 16:52 - 00055640 ____A C:\Users\April T\AppData\Local\GDIPFONTCACHEV1.DAT
2012-09-26 15:00 - 2012-09-26 15:00 - 00129037 ____A C:\Users\April T\Downloads\vintage_erotique.zip
2012-09-26 14:59 - 2012-09-26 14:59 - 00196323 ____A C:\Users\April T\Downloads\alpha_silouettes.zip
2012-09-25 21:40 - 2012-05-05 07:14 - 00001035 ____A C:\Users\Guest\Documents\Gift List.txt
2012-09-25 17:56 - 2012-09-25 17:56 - 00000020 ____A C:\Users\Guest\Documents\inflikted.txt
2012-09-23 13:30 - 2012-09-23 13:30 - 00059303 ____A C:\Users\April T\Downloads\double_feature.zip
2012-09-23 13:29 - 2012-09-23 13:29 - 00029611 ____A C:\Users\April T\Downloads\halloweenies.zip
2012-09-23 13:28 - 2012-09-23 13:28 - 00032265 ____A C:\Users\April T\Downloads\jack_lantern_bb.zip
2012-09-23 13:28 - 2012-09-23 13:28 - 00014182 ____A C:\Users\April T\Downloads\lunacy_more.zip
2012-09-20 19:10 - 2012-09-20 19:10 - 09573296 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-09-20 19:10 - 2012-03-29 11:56 - 00696240 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-09-20 19:10 - 2011-05-14 04:50 - 00073136 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-09-15 18:51 - 2012-09-15 18:51 - 00031096 ____A C:\Users\April T\Downloads\kingthings_conundrum.zip
2012-09-15 08:41 - 2012-09-15 08:41 - 00076122 ____A C:\Users\April T\Downloads\uni_05_x.zip
2012-09-14 15:46 - 2012-09-14 15:46 - 00017896 ____A C:\Users\April T\Downloads\santas_big_secret(1).zip
2012-09-11 18:21 - 2011-03-02 08:26 - 64462936 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-09-08 17:46 - 2012-09-08 17:26 - 00000523 ____A C:\Users\April T\Documents\BigSigMap.map
2012-09-08 15:46 - 2012-09-08 15:46 - 00000077 ____A C:\Users\April T\Documents\Sigmaptest.map
2012-09-05 18:04 - 2009-07-13 21:08 - 00032622 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-09-04 14:46 - 2012-09-04 14:45 - 00125581 ____A C:\Users\April T\Downloads\Wonderland__Fancy_Borders_6.zip
2012-09-03 16:15 - 2012-09-03 16:15 - 00000276 ____A C:\Users\April T\Documents\Bearded dragon.txt
2012-08-30 19:03 - 2012-08-30 19:03 - 00228768 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
2012-08-30 19:03 - 2011-04-27 12:25 - 00128456 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
2012-08-29 18:03 - 2012-08-28 15:56 - 00000216 ____A C:\Users\April T\Documents\MGS4.txt
2012-08-26 15:07 - 2012-08-26 15:07 - 00000310 ____A C:\Users\April T\Downloads\admhelper(1)
2012-08-24 03:15 - 2012-09-21 17:44 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-24 02:39 - 2012-09-21 17:44 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-24 02:31 - 2012-09-21 17:44 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-24 02:22 - 2012-09-21 17:44 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-24 02:21 - 2012-09-21 17:44 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-24 02:20 - 2012-09-21 17:44 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-24 02:18 - 2012-09-21 17:44 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-24 02:17 - 2012-09-21 17:44 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-24 02:14 - 2012-09-21 17:44 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-24 02:14 - 2012-09-21 17:44 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-24 02:13 - 2012-09-21 17:44 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-24 02:12 - 2012-09-21 17:44 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-24 02:11 - 2012-09-21 17:44 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-24 02:10 - 2012-09-21 17:44 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-24 02:09 - 2012-09-21 17:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-24 02:04 - 2012-09-21 17:44 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-23 23:27 - 2012-09-21 17:44 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-23 23:03 - 2012-09-21 17:44 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-23 22:59 - 2012-09-21 17:44 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-08-23 22:51 - 2012-09-21 17:44 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-08-23 22:51 - 2012-09-21 17:44 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-23 22:51 - 2012-09-21 17:44 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-23 22:49 - 2012-09-21 17:44 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-23 22:48 - 2012-09-21 17:44 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-23 22:47 - 2012-09-21 17:44 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-23 22:47 - 2012-09-21 17:44 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-08-23 22:47 - 2012-09-21 17:44 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-08-23 22:45 - 2012-09-21 17:44 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-08-23 22:44 - 2012-09-21 17:44 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-23 22:44 - 2012-09-21 17:44 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-23 22:43 - 2012-09-21 17:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-23 22:40 - 2012-09-21 17:44 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-22 10:12 - 2012-09-11 15:23 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-08-22 10:12 - 2012-09-11 15:23 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2012-08-22 10:12 - 2012-09-11 15:23 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-08-22 10:12 - 2012-09-11 15:23 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-08-21 13:30 - 2012-08-21 13:30 - 00776137 ____A C:\Users\April T\Downloads\PetPets.zip
2012-08-21 13:29 - 2012-08-21 13:29 - 00385385 ____A C:\Users\April T\Downloads\Unseelie.zip
2012-08-21 13:28 - 2012-08-21 13:28 - 00440473 ____A C:\Users\April T\Downloads\Seelie.zip
2012-08-21 13:01 - 2012-09-25 12:40 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe
2012-08-18 13:16 - 2012-08-06 17:32 - 00001456 ____A C:\Users\April T\AppData\Local\Adobe Save for Web 12.0 Prefs
2012-08-18 10:11 - 2012-08-18 10:11 - 00380493 ____A C:\Users\April T\Downloads\Merfolk.zip
2012-08-12 10:01 - 2012-08-12 10:26 - 00000919 ____A C:\Users\April T\Desktop\Certing Regs.txt
2012-08-11 20:43 - 2011-02-25 17:11 - 00074830 ____A C:\Windows\PFRO.log
2012-08-11 20:08 - 2012-08-11 20:08 - 00001128 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-08-11 20:06 - 2012-08-11 20:06 - 16801656 ____A (Mozilla) C:\Users\April T\Downloads\Firefox_Setup_14.0.1.exe
2012-08-11 19:36 - 2012-08-11 19:36 - 00000098 ____A C:\user.js
2012-08-11 19:35 - 2012-08-11 19:35 - 00001199 ____A C:\Users\April T\Desktop\.lnk
2012-08-11 15:02 - 2011-06-08 15:49 - 00000002 ____A C:\Users\April T\.bdockinstall.log
2012-08-08 18:53 - 2012-08-08 18:53 - 00345424 ____A C:\Windows\Minidump\080812-35459-01.dmp
2012-08-07 18:55 - 2012-08-12 10:26 - 00940368 ____A C:\Users\April T\Desktop\HoACert-Recovered[USE].psd
2012-08-06 12:17 - 2012-08-06 12:17 - 00001095 ____A C:\Users\April T\Desktop\CS5.1 (64 Bit).lnk
2012-08-05 06:42 - 2012-08-05 06:42 - 00084401 ____A C:\Users\April T\Downloads\alpha_clouds.zip
2012-08-02 09:58 - 2012-09-11 15:23 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2012-08-02 08:57 - 2012-09-11 15:23 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2012-07-28 16:04 - 2012-07-28 16:04 - 08961515 ____A C:\Users\April T\Downloads\Celtic_Knotwork_Vector_Brushes_by_redheadstock.zip
2012-07-23 11:59 - 2012-07-23 11:59 - 00000062 ____A C:\Users\Guest\Documents\Lollipop Lust Kill songs.txt
2012-07-18 10:15 - 2012-08-14 12:01 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys


ZeroAccess:
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L

ZeroAccess:
C:\Users\April T\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
C:\Users\April T\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@
C:\Users\April T\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L
C:\Users\April T\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U

ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-25 12:45:32
Restore point made on: 2012-09-25 17:13:38
Restore point made on: 2012-09-27 10:47:16
Restore point made on: 2012-09-29 03:19:57
Restore point made on: 2012-09-29 13:50:34
Restore point made on: 2012-09-30 07:48:35
Restore point made on: 2012-10-01 18:27:06
Restore point made on: 2012-10-05 13:41:02

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 5883.93 MB
Available physical RAM: 5210.74 MB
Total Pagefile: 5882.07 MB
Available Pagefile: 5196.67 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:581.42 GB) (Free:507.24 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive e: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.14 GB) (Free:0 GB) UDF
3 Drive f: (ORANGE) (Removable) (Total:1.86 GB) (Free:1.42 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (Recovery) (Fixed) (Total:14.65 GB) (Free:8.91 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 596 GB 0 B
Disk 1 Online 1909 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 100 MB 1024 KB
Partition 2 Primary 14 GB 101 MB
Partition 3 Primary 581 GB 14 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 DELLUTILITY FAT Partition 100 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y Recovery NTFS Partition 14 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 581 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1909 MB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F ORANGE FAT Removable 1909 MB Healthy

=========================================================

Last Boot: 2012-10-06 12:46

==================== End Of Log =============================

Edited by Farbar, 15 October 2012 - 12:24 PM.
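The ListParts output above is the partition table this thread is about. As an added example (not part of the thread and not Farbar's tooling), the Python below builds a constructed MBR sector with the same three-partition layout as Disk 0, plus a constructed damaged variant, and runs the sanity checks a responder applies before trusting or repairing such a table; the sector counts, the "Dell Utility" name for type 0xDE and the damaged layout are assumptions.

```python
import struct

SECTOR = 512
TYPE_NAMES = {0x06: "FAT16", 0x07: "NTFS", 0xDE: "Dell Utility"}  # codes seen in the log


def make_entry(boot, ptype, start_lba, num_sectors):
    """16-byte MBR entry; CHS fields get the usual 0xFE/0xFF placeholders."""
    return struct.pack("<B3sB3sII", boot, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start_lba, num_sectors)


def build_mbr(entries):
    """Assemble a 512-byte sector: zeroed boot code, four slots, 0x55AA signature."""
    table = b"".join(entries) + b"\x00" * 16 * (4 - len(entries))
    return b"\x00" * 446 + table + b"\x55\xaa"


def parse_mbr(sector):
    if len(sector) != SECTOR or sector[510:] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        boot, _, ptype, _, start, count = struct.unpack_from("<B3sB3sII", sector, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append({"slot": i + 1, "boot": boot, "type": ptype, "start": start, "end": start + count})
    return parts


def check_table(parts, disk_sectors):
    """Return the problems a responder wants flagged before touching the table."""
    problems = []
    active = [p for p in parts if p["boot"] == 0x80]
    if len(active) != 1:
        problems.append("expected exactly one active partition, found %d" % len(active))
    for p in parts:
        if p["boot"] not in (0x00, 0x80):
            problems.append("slot %d: invalid boot indicator 0x%02X" % (p["slot"], p["boot"]))
        if p["start"] == 0 or p["end"] > disk_sectors:
            problems.append("slot %d: extends outside the disk" % p["slot"])
        if p["type"] not in TYPE_NAMES:
            problems.append("slot %d: unexpected type 0x%02X" % (p["slot"], p["type"]))
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start"] < a["end"]:
            problems.append("slots %d and %d overlap" % (a["slot"], b["slot"]))
    return problems


GB = 1024 * 1024 * 1024 // 512  # sectors per GiB (assumed unit for the log's sizes)
DISK0 = 596 * GB
# Constructed layout mirroring Disk 0: hidden Dell Utility, active 14 GB Recovery, 581 GB OS
HEALTHY = build_mbr([make_entry(0x00, 0xDE, 2048, 204800),
                     make_entry(0x80, 0x07, 206848, 14 * GB),
                     make_entry(0x00, 0x07, 206848 + 14 * GB, 581 * GB)])
# Constructed damaged variant: two active flags, OS partition starting inside Recovery
DAMAGED = build_mbr([make_entry(0x00, 0xDE, 2048, 204800),
                     make_entry(0x80, 0x07, 206848, 14 * GB),
                     make_entry(0x80, 0x07, 206848 + 10 * GB, 581 * GB)])
```

`check_table(parse_mbr(HEALTHY), DISK0)` returns an empty list, while the damaged sector is reported for both the duplicate active flag and the overlap.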


#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:37 PM

Posted 15 October 2012 - 12:39 PM

Well done. :thumbup2:

Please copy and paste the logs unless otherwise requested. :)

We will try to take care of the main infection first and boot the system, then remove the rest.

Please download Listparts
Save it to the flash drive.

Download the attached file fix.txt (118 bytes, 8 downloads).
The fix.list should be saved in the same directory as ListParts.
Run ListParts by typing f:\listparts64 in the command window and pressing Enter.
Click Fix.
When it is finished, check "List BCD" click Scan, it will make a log (Result.txt) on the flash drive.

Restart the computer, let it boot normally and tell me how it went. In case the system doesn't boot, post the Result.txt; otherwise we don't need it any more.

Edited by Farbar, 15 October 2012 - 02:42 PM.


#13 April.T

April.T
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:07:37 AM

Posted 15 October 2012 - 02:29 PM

Sorry about that. Didn't want to drop a wall of text, but I see why you guys would do it that way. I'll try to remember that in the future. Your Listparts link didn't work, but I found it in the download section anyway.

Well, it worked! I really appreciate the help I received from the two of you. I wish I would have known of this site before. Might have been able to save some cash. Is there any way for you to accept donations? It's pretty generous of you to lend your knowledge gratis.

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:37 PM

Posted 15 October 2012 - 02:50 PM

Great. :thumbup2:

Sorry about the bad link. I corrected it just in case someone wanted to use it.

As far as donations are concerned, there is a link here: http://www.bleepingcomputer.com/download/publisher/farbar/

We need to remove the rest of the infection and make sure the system is protected.

You may do all the steps in normal mode. No need to run FRST64 in recovery mode any more.

  • Please download the attached file fixlist.txt (154 bytes, 4 downloads).
    Save it in the same directory where FRST64 is located.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log; please post it in your reply.
  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


#15 April.T

April.T
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:07:37 AM

Posted 15 October 2012 - 03:29 PM

Done.
EDIT: Let me know if everything checks out. Thanks.


Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.15.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
April T :: APRILT-PC [administrator]

10/15/2012 3:09:32 PM
mbam-log-2012-10-15 (15-09-32).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 223783
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 9
HKCR\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401} (Adware.Yontoo) -> Quarantined and deleted successfully.
HKCR\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401} (Adware.Yontoo) -> Quarantined and deleted successfully.
HKCR\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967} (Adware.Yontoo) -> Quarantined and deleted successfully.
HKCR\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} (Adware.Yontoo) -> Quarantined and deleted successfully.
HKCR\YontooIEClient.Layers.1 (Adware.Yontoo) -> Quarantined and deleted successfully.
HKCR\YontooIEClient.Layers (Adware.Yontoo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} (Adware.Yontoo) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} (Adware.Yontoo) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} (Adware.Yontoo) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Program Files (x86)\Yontoo Layers\YontooIEClient.dll (Adware.Yontoo) -> Quarantined and deleted successfully.
C:\Users\April T\AppData\Local\Temp\0.07558699023499538 (Trojan.Happili) -> Quarantined and deleted successfully.

(end)

Edited by April.T, 15 October 2012 - 05:42 PM.




