

Unable to open programs


This topic is locked
29 replies to this topic

#1 TABweb (Members, 50 posts)

Posted 24 October 2012 - 08:18 PM

This is my second thread and I have to say that, so far, I'm really impressed with the response times and expertise here. It is very much appreciated and I will be donating when I can.

This second computer that I'm working on is Windows Vista Ultimate 32-bit with SP2.

So far, I have not been able to open any flash drives plugged in.
I can open Control Panel but anything I try to open in there brings up a pop-up box that says (title bar: Explorer.EXE) (The specified service does not exist as an installed service.)
Can't open IE
Start menu looks minimalist
Overall, the computer is really slow

I have not attempted anything except Malwarebytes in Safe Mode with Command Prompt

Any help you could give me would be greatly appreciated.


#2 TABweb (Topic Starter; Members, 50 posts)

Posted 24 October 2012 - 10:51 PM

I also just tried uninstalling some obvious things like the toolbars. I can open Programs & Features but when I click uninstall, after highlighting one of the unwanted programs, nothing happens.

#3 gringo_pr, Bleepin Gringo (Malware Response Team, 136,772 posts; Location: Puerto Rico)

Posted 26 October 2012 - 10:26 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




I need to get some reports to get a base to start from so I need you to run these programs first.


-DeFogger-

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.


-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


-Download DDS-

  • Please download DDS from one of the links below and save it to your desktop:
    Link1
    Link2
    Link3
  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

information and logs

  • In your next post I need the following

  • both reports from DDS
  • report from security check
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 TABweb (Topic Starter; Members, 50 posts)

Posted 27 October 2012 - 09:45 AM

I managed to copy everything on my flash drive to the new folder on the desktop but when I try to run the first one: Defogger, I get this message:

C:\Users\mom saum\Desktop\MALWAREremoval\Defogger.exe
The specified service does not exist as an installed service.

#5 gringo_pr, Bleepin Gringo (Malware Response Team, 136,772 posts; Location: Puerto Rico)

Posted 27 October 2012 - 12:48 PM

Move to the next item



gringo

#6 TABweb (Topic Starter; Members, 50 posts)

Posted 27 October 2012 - 02:40 PM

Same message with SecurityCheck

#7 gringo_pr, Bleepin Gringo (Malware Response Team, 136,772 posts; Location: Puerto Rico)

Posted 27 October 2012 - 03:50 PM

Hello

Download Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First Press the Scan button.
  • It will make a log (FRST.txt)
  • Second Type the following in the edit box after "Search:". services.exe
  • Click the Search button
  • It will make a log (Search.txt)
I want you to post Both the FRST.txt report and the Search.txt into your reply to me

Gringo

#8 TABweb (Topic Starter; Members, 50 posts)

Posted 27 October 2012 - 04:16 PM

I didn't see the option to Repair in F8 menu. I booted to Safe Mode with Command Prompt so that I could access the flash drive to run these tests:


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-10-2012
Ran by mom saum at 27-10-2012 17:12:30
Running from E:\
Service Pack 2 (X86) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


==================== One Month Created Files and Folders ========

2012-10-27 17:11 - 2012-10-27 17:12 - 00000000 ____D C:\FRST
2012-10-27 10:14 - 2012-10-27 10:15 - 00000000 ____D C:\Users\mom saum\Desktop\MALWAREremoval
2012-10-23 11:34 - 2012-10-23 11:34 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-10-23 11:34 - 2012-10-23 11:34 - 00000000 ____D C:\Users\mom saum\AppData\Roaming\Malwarebytes
2012-10-23 11:34 - 2012-10-23 11:34 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-10-23 11:34 - 2012-10-23 11:34 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-10-23 11:34 - 2012-09-29 19:54 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-10-14 05:18 - 2012-10-14 05:20 - 00000000 ____D C:\Users\All Users\3C2458080DEA7D1700973C23C161FA2E
2012-10-10 02:36 - 2012-09-13 09:28 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-10-10 02:36 - 2012-08-29 07:27 - 03602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-10-10 02:36 - 2012-08-29 07:27 - 03550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-10-10 02:36 - 2012-08-24 11:53 - 00172544 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-10-10 02:36 - 2012-06-01 20:02 - 00985088 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-10-10 02:36 - 2012-06-01 20:02 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-10-10 02:36 - 2012-06-01 20:02 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-10-08 21:56 - 2012-10-08 21:56 - 00006456 ____A C:\Users\mom saum\Downloads\invite (2).ics
2012-10-08 21:55 - 2012-10-08 21:55 - 00006786 ____A C:\Users\mom saum\Downloads\invite.ics
2012-10-08 21:55 - 2012-10-08 21:55 - 00006786 ____A C:\Users\mom saum\Downloads\invite (1).ics
2012-09-30 10:59 - 2012-09-30 11:16 - 00042616 ____A C:\Users\mom saum\Documents\Classroom Seating Chart.pptx
2012-09-28 21:50 - 2012-09-28 21:50 - 00000000 ____D C:\Users\mom saum\Documents\Spring 2012
2012-09-28 20:00 - 2012-10-19 11:01 - 00002571 ____A C:\Users\mom saum\Desktop\Microsoft Excel 2010.lnk

==================== 3 Months Modified Files ==================

2012-10-27 16:18 - 2011-07-20 19:23 - 00000920 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-516667878-2941072860-3179962928-1000UA.job
2012-10-27 16:15 - 2012-05-22 18:00 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-10-27 15:57 - 2012-06-13 22:19 - 00001735 ____A C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk
2012-10-27 15:32 - 2006-11-02 06:33 - 00703388 ____A C:\Windows\System32\PerfStringBackup.INI
2012-10-27 15:29 - 2011-07-05 22:44 - 00028124 ____A C:\Users\All Users\nvModes.001
2012-10-27 15:28 - 2012-05-22 18:00 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-10-27 15:27 - 2006-11-02 09:00 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-27 15:27 - 2006-11-02 08:46 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-27 15:27 - 2006-11-02 08:46 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-26 22:02 - 2011-07-20 19:23 - 00000868 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-516667878-2941072860-3179962928-1000Core.job
2012-10-23 13:20 - 2009-11-19 18:03 - 00000012 ____A C:\Windows\bthservsdp.dat
2012-10-23 13:20 - 2006-11-02 09:00 - 00032590 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-10-23 13:14 - 2006-11-02 08:59 - 00062336 ____A C:\Windows\PFRO.log
2012-10-23 11:34 - 2012-10-23 11:34 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-10-22 20:52 - 2011-01-28 00:58 - 02084899 ____A C:\Windows\WindowsUpdate.log
2012-10-21 20:18 - 2011-07-05 16:03 - 00002613 ____A C:\Users\mom saum\Desktop\Microsoft Word 2010.lnk
2012-10-19 11:01 - 2012-09-28 20:00 - 00002571 ____A C:\Users\mom saum\Desktop\Microsoft Excel 2010.lnk
2012-10-15 17:34 - 2011-07-05 06:21 - 00000680 ____A C:\Users\mom saum\AppData\Local\d3d9caps.dat
2012-10-10 21:21 - 2011-07-20 19:27 - 00002057 ____A C:\Users\mom saum\Desktop\Google Chrome.lnk
2012-10-10 03:02 - 2006-11-02 06:24 - 62968832 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-10-08 21:56 - 2012-10-08 21:56 - 00006456 ____A C:\Users\mom saum\Downloads\invite (2).ics
2012-10-08 21:55 - 2012-10-08 21:55 - 00006786 ____A C:\Users\mom saum\Downloads\invite.ics
2012-10-08 21:55 - 2012-10-08 21:55 - 00006786 ____A C:\Users\mom saum\Downloads\invite (1).ics
2012-10-06 21:10 - 2011-07-05 18:34 - 00028124 ____A C:\Users\All Users\nvModes.dat
2012-10-06 10:40 - 2006-11-02 08:51 - 00038186 ____A C:\Windows\setupact.log
2012-09-30 11:16 - 2012-09-30 10:59 - 00042616 ____A C:\Users\mom saum\Documents\Classroom Seating Chart.pptx
2012-09-29 19:54 - 2012-10-23 11:34 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-19 21:15 - 2012-09-19 21:15 - 00000445 ____A C:\Users\mom saum\Downloads\Event3BA2FA82E1904268B7135934DB8D6CB7.ics
2012-09-17 14:23 - 2012-09-17 14:22 - 00139256 ____A C:\Windows\Minidump\Mini091712-01.dmp
2012-09-17 14:22 - 2012-09-17 14:22 - 298766191 ____A C:\Windows\MEMORY.DMP
2012-09-13 09:28 - 2012-10-10 02:36 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-09-07 13:43 - 2012-04-24 18:52 - 00017920 ____A C:\Users\mom saum\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-09-03 00:07 - 2012-04-29 14:28 - 00001726 ____A C:\Users\Public\Desktop\ooVoo.lnk
2012-08-29 07:27 - 2012-10-10 02:36 - 03602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-08-29 07:27 - 2012-10-10 02:36 - 03550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-08-24 16:35 - 2012-08-24 16:35 - 00000137 ____A C:\Users\mom saum\Desktop\Home - Faculty & Staff.url
2012-08-24 11:53 - 2012-10-10 02:36 - 00172544 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-08-24 03:27 - 2012-09-22 03:01 - 12319744 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-24 03:03 - 2012-09-22 03:01 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-24 02:59 - 2012-09-22 03:01 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-24 02:51 - 2012-09-22 03:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-24 02:51 - 2012-09-22 03:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-24 02:51 - 2012-09-22 03:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-24 02:49 - 2012-09-22 03:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-24 02:48 - 2012-09-22 03:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-24 02:47 - 2012-09-22 03:01 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-24 02:47 - 2012-09-22 03:01 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-24 02:47 - 2012-09-22 03:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-24 02:45 - 2012-09-22 03:01 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-24 02:44 - 2012-09-22 03:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-24 02:44 - 2012-09-22 03:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-24 02:43 - 2012-09-22 03:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-24 02:40 - 2012-09-22 03:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-15 03:26 - 2006-11-02 08:46 - 00370448 ____A C:\Windows\System32\FNTCACHE.DAT


ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-516667878-2941072860-3179962928-1000\$97400343e5d28b7040e523967ae261f8

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 2045.33 MB
Available physical RAM: 1722.36 MB
Total Pagefile: 4327.68 MB
Available Pagefile: 4137.25 MB
Total Virtual: 2047.88 MB
Available Virtual: 1954.29 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:232.88 GB) (Free:164.61 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (USBTLKIT) (Removable) (Total:7.55 GB) (Free:6.42 GB) FAT32

See the System Event Log for more information.


Last Boot: 2012-10-27 15:34

==================== End Of Log ============================



Farbar Recovery Scan Tool (x86) Version: 26-10-2012
Ran by mom saum at 2012-10-27 17:13:15
Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-11-16 14:47] - [2009-04-11 02:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 22:22] - [2008-01-20 22:22] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\System32\services.exe
[2009-11-16 14:47] - [2009-04-11 02:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

=== End Of Search ===
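The two FRST reports above are compared by eye in this thread: the Search.txt lists every services.exe on the disk with its MD5, so the live C:\Windows\System32\services.exe can be checked against the copies Windows keeps in the WinSxS component store, and the scan log's ZeroAccess heading points at a $Recycle.Bin\<user SID>\$<32 hex chars> folder. The Python script below is an added example, not part of the thread and not FRST's own code; it automates both checks over the log text. The sample input is copied from the logs posted above, while the "tampered" variant and its all-zero hash are constructed placeholders so the mismatch path can be exercised. A match only tells you the live file is byte-identical to a store copy; a mismatch is a reason to look closer, not proof of infection by itself.

```python
import re

# Constructed sample input: the "Search: services.exe" section of the FRST
# Search.txt posted in this thread (paths and hashes copied from the thread).
SEARCH_TXT = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-11-16 14:47] - [2009-04-11 02:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 22:22] - [2008-01-20 22:22] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\System32\services.exe
[2009-11-16 14:47] - [2009-04-11 02:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

=== End Of Search ===
"""

# Constructed variant: identical store copies, but the live file reports a hash
# that matches no WinSxS copy. The all-zero value is a placeholder, not a real
# malware hash.
TAMPERED_SEARCH_TXT = SEARCH_TXT.replace(
    "(Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B\n\n=== End",
    "(Microsoft Corporation) 00000000000000000000000000000000\n\n=== End",
)

# Constructed sample: the lines of the FRST scan log above that carry the
# ZeroAccess heading and the Bamital/volsnap check.
SCAN_TXT = r"""
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-516667878-2941072860-3179962928-1000\$97400343e5d28b7040e523967ae261f8

==================== Bamital & volsnap Check =================

C:\Windows\System32\services.exe => MD5 is legit
"""

# FRST detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)

# <drive>:\$Recycle.Bin\<user SID>\$<32 hex chars>: the folder shape FRST
# reports under its ZeroAccess heading in this thread.
RECYCLE_BIN_RE = re.compile(
    r"[A-Za-z]:\\\$Recycle\.Bin\\S-1-5-21-[\d-]+\\\$[0-9a-f]{32}", re.IGNORECASE
)


def parse_search(text):
    """Return one dict per file in an FRST Search.txt section.

    Each hit is a path line followed by a detail line, so the path is taken
    from the line immediately preceding a line that matches DETAIL_RE.
    """
    lines = [ln.rstrip() for ln in text.splitlines()]
    entries = []
    for i in range(1, len(lines)):
        m = DETAIL_RE.match(lines[i])
        if not m:
            continue
        path = lines[i - 1]
        entries.append({
            "path": path,
            "size": int(m.group("size")),
            "company": m.group("company"),
            "md5": m.group("md5").upper(),
            "in_winsxs": "\\winsxs\\" in path.lower(),
        })
    return entries


def check_live_copy(entries, live_path=r"C:\Windows\System32\services.exe"):
    """Compare the live binary's MD5 with the WinSxS component-store copies.

    'match': the live file is byte-identical to a copy Windows keeps in the
    store. 'mismatch': it is not, and deserves a closer look. 'missing': the
    search listed no file at live_path.
    """
    store = sorted({e["md5"] for e in entries if e["in_winsxs"]})
    live = [e for e in entries if e["path"].lower() == live_path.lower()]
    if not live:
        return {"verdict": "missing", "live_md5": None, "store_md5s": store}
    md5 = live[0]["md5"]
    return {
        "verdict": "match" if md5 in store else "mismatch",
        "live_md5": md5,
        "store_md5s": store,
    }


def find_suspicious_recycle_bin_dirs(text):
    """Return every $Recycle.Bin\\<SID>\\$<hex> path mentioned in an FRST log."""
    return RECYCLE_BIN_RE.findall(text)


if __name__ == "__main__":
    for label, sample in (("posted log", SEARCH_TXT), ("tampered sample", TAMPERED_SEARCH_TXT)):
        result = check_live_copy(parse_search(sample))
        print(f"{label}: services.exe verdict={result['verdict']} live={result['live_md5']}")
    for path in find_suspicious_recycle_bin_dirs(SCAN_TXT):
        print("ZeroAccess-style folder:", path)
```

On the posted log the live services.exe hash D4E6D91C1349B7BFB3599A6ADA56851B is the same as the SP2 store copy, which is why FRST reports "MD5 is legit" for it; the infection indicator in this case is the folder under $Recycle.Bin rather than a patched service binary.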

#9 gringo_pr, Bleepin Gringo (Malware Response Team, 136,772 posts; Location: Puerto Rico)

Posted 27 October 2012 - 04:30 PM

Hello

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

C:\$Recycle.Bin\S-1-5-21-516667878-2941072860-3179962928-1000\$97400343e5d28b7040e523967ae261f8


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Gringo

#10 TABweb (Topic Starter; Members, 50 posts)

Posted 27 October 2012 - 04:45 PM

Notice that this fix did not work (probably because I'm only open in Safe Mode with Command Prompt rather than system recovery)

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 26-10-2012
Ran by mom saum at 2012-10-27 17:44:15 Run:1
Running from E:\

ATTENTION: THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

==============================================

Could not move C:\$Recycle.Bin\S-1-5-21-516667878-2941072860-3179962928-1000\$97400343e5d28b7040e523967ae261f8.

==== End of Fixlog ====

#11 gringo_pr, Bleepin Gringo (Malware Response Team, 136,772 posts; Location: Puerto Rico)

Posted 27 October 2012 - 05:11 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#12 TABweb (Topic Starter; Members, 50 posts)

Posted 27 October 2012 - 05:45 PM

Hang on, I found a Vista Ultimate 32-bit disc that allowed me to boot into recovery. I'm running FRST.exe again and will post the two logs.

#13 TABweb (Topic Starter; Members, 50 posts)

Posted 27 October 2012 - 05:50 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-10-2012
Ran by SYSTEM at 27-10-2012 18:45:27
Running from E:\
Windows Vista ™ Ultimate (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [x]
HKLM\...\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe [36864 2007-05-09] (Creative Technology Ltd.)
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [159744 2007-07-02] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe [x]
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13552160 2008-09-03] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [92704 2008-09-03] (NVIDIA Corporation)
HKLM\...\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start [96800 2008-09-03] (NVIDIA Corporation)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM\...\Run: [EKIJ5000StatusMonitor] C:\Windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe [753664 2007-04-03] (Eastman Kodak Company)
HKLM\...\Run: [] [x]
HKLM\...\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe" [887976 2011-08-23] (Ask)
HKLM\...\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900 [318096 2009-08-03] (Carbonite, Inc.)
HKLM\...\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [197928 2009-12-18] (Seagate LLC)
HKLM\...\Run: [SelectRebates] C:\Program Files\SelectRebates\SelectRebates.exe [886752 2010-11-01] ()
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1318816 2012-03-21] (McAfee, Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKU\Default\...\Run: [ooVoo] C\ooVoo.exe /minimized [x]
HKU\Default User\...\Run: [ooVoo] C\ooVoo.exe /minimized [x]
HKU\mom saum\...\Run: [Google Update] "C:\Users\mom saum\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-07-20] (Google Inc.)
HKU\mom saum\...\Run: [ooVoo.exe] C:\Program Files\ooVoo\oovoo.exe /minimized [27040888 2012-08-20] (ooVoo LLC)
HKU\mom saum\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [766536 2012-09-29] (Malwarebytes Corporation)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1089608 2012-09-29] (Malwarebytes Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.5.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
ShortcutTarget: Kodak EasyShare software.lnk -> C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Ultrawideband Control Center.lnk
ShortcutTarget: Ultrawideband Control Center.lnk -> C:\Program Files\Dell\Dell WUSB\WQ_Tray2.exe (WiQuest Communications, Inc.)

==================== Services (Whitelisted) ===================

2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe [73728 2007-09-20] (Andrea Electronics Corporation)
2 FreeAgentGoNext Service; "C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe" [189736 2009-12-18] (Seagate Technology LLC)
2 KodakSvc; "C:\Program Files\Kodak\printer\center\KodakSvc.exe" [9728 2007-03-22] (SDSD)
2 McAfee SiteAdvisor Service; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
3 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [361976 2012-04-19] (McAfee, Inc.)
2 McOobeSv; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [166288 2012-03-20] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [161632 2012-03-20] (McAfee, Inc.)
2 mfevtp; "C:\Windows\system32\mfevtps.exe" [151880 2012-03-20] (McAfee, Inc.)
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe [102400 2008-02-15] (IDT, Inc.)
2 WebClient; C:\Windows\System32\svchost.exe -k LocalService [21504 2008-01-20] (Microsoft Corporation)
2 WPDBusEnum; C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [21504 2008-01-20] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

3 cfwids; C:\Windows\System32\drivers\cfwids.sys [57600 2012-02-22] (McAfee, Inc.)
3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [121544 2012-02-22] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [180848 2012-02-22] (McAfee, Inc.)
3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [59456 2012-02-22] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [340920 2012-02-22] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [464304 2012-02-22] (McAfee, Inc.)
1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [64912 2012-02-22] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [87656 2012-02-22] (McAfee, Inc.)
1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [169608 2012-02-22] (McAfee, Inc.)
3 OA001Ufd; C:\Windows\System32\DRIVERS\OA001Ufd.sys [133632 2009-03-06] (Creative Technology Ltd.)
3 OA001Vid; C:\Windows\System32\DRIVERS\OA001Vid.sys [280096 2009-03-08] (Creative Technology Ltd.)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-10-27 14:39 - 2012-10-27 14:39 - 00000000 ___SD C:\32788R22FWJFW
2012-10-27 14:39 - 2012-10-27 14:39 - 00000000 ____D C:\Windows\erdnt
2012-10-27 14:39 - 2012-10-27 14:39 - 00000000 ____D C:\Qoobox
2012-10-27 13:11 - 2012-10-27 13:12 - 00000000 ____D C:\FRST
2012-10-27 06:14 - 2012-10-27 06:15 - 00000000 ____D C:\Users\mom saum\Desktop\MALWAREremoval
2012-10-23 07:34 - 2012-10-23 07:34 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-10-23 07:34 - 2012-10-23 07:34 - 00000000 ____D C:\Users\mom saum\AppData\Roaming\Malwarebytes
2012-10-23 07:34 - 2012-10-23 07:34 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-10-23 07:34 - 2012-10-23 07:34 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-10-23 07:34 - 2012-09-29 15:54 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-10-14 01:18 - 2012-10-14 01:20 - 00000000 ____D C:\Users\All Users\3C2458080DEA7D1700973C23C161FA2E
2012-10-09 22:36 - 2012-09-13 05:28 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-10-09 22:36 - 2012-08-29 03:27 - 03602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-10-09 22:36 - 2012-08-29 03:27 - 03550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-10-09 22:36 - 2012-08-24 07:53 - 00172544 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-10-09 22:36 - 2012-06-01 16:02 - 00985088 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-10-09 22:36 - 2012-06-01 16:02 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-10-09 22:36 - 2012-06-01 16:02 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-10-08 17:56 - 2012-10-08 17:56 - 00006456 ____A C:\Users\mom saum\Downloads\invite (2).ics
2012-10-08 17:55 - 2012-10-08 17:55 - 00006786 ____A C:\Users\mom saum\Downloads\invite.ics
2012-10-08 17:55 - 2012-10-08 17:55 - 00006786 ____A C:\Users\mom saum\Downloads\invite (1).ics
2012-09-30 06:59 - 2012-09-30 07:16 - 00042616 ____A C:\Users\mom saum\Documents\Classroom Seating Chart.pptx
2012-09-28 17:50 - 2012-09-28 17:50 - 00000000 ____D C:\Users\mom saum\Documents\Spring 2012
2012-09-28 16:00 - 2012-10-19 07:01 - 00002571 ____A C:\Users\mom saum\Desktop\Microsoft Excel 2010.lnk

==================== 3 Months Modified Files ==================

2012-10-27 13:47 - 2012-06-13 18:19 - 00001735 ____A C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk
2012-10-27 12:18 - 2011-07-20 15:23 - 00000920 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-516667878-2941072860-3179962928-1000UA.job
2012-10-27 12:15 - 2012-05-22 14:00 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-10-27 11:32 - 2006-11-02 02:33 - 00703388 ____A C:\Windows\System32\PerfStringBackup.INI
2012-10-27 11:29 - 2011-07-05 18:44 - 00028124 ____A C:\Users\All Users\nvModes.001
2012-10-27 11:28 - 2012-05-22 14:00 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-10-27 11:27 - 2006-11-02 05:00 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-27 11:27 - 2006-11-02 04:46 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-27 11:27 - 2006-11-02 04:46 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-26 18:02 - 2011-07-20 15:23 - 00000868 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-516667878-2941072860-3179962928-1000Core.job
2012-10-23 09:20 - 2009-11-19 14:03 - 00000012 ____A C:\Windows\bthservsdp.dat
2012-10-23 09:20 - 2006-11-02 05:00 - 00032590 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-10-23 09:14 - 2006-11-02 04:59 - 00062336 ____A C:\Windows\PFRO.log
2012-10-23 07:34 - 2012-10-23 07:34 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-10-22 16:52 - 2011-01-27 20:58 - 02084899 ____A C:\Windows\WindowsUpdate.log
2012-10-21 16:18 - 2011-07-05 12:03 - 00002613 ____A C:\Users\mom saum\Desktop\Microsoft Word 2010.lnk
2012-10-19 07:01 - 2012-09-28 16:00 - 00002571 ____A C:\Users\mom saum\Desktop\Microsoft Excel 2010.lnk
2012-10-15 13:34 - 2011-07-05 02:21 - 00000680 ____A C:\Users\mom saum\AppData\Local\d3d9caps.dat
2012-10-10 17:21 - 2011-07-20 15:27 - 00002057 ____A C:\Users\mom saum\Desktop\Google Chrome.lnk
2012-10-09 23:02 - 2006-11-02 02:24 - 62968832 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-10-08 17:56 - 2012-10-08 17:56 - 00006456 ____A C:\Users\mom saum\Downloads\invite (2).ics
2012-10-08 17:55 - 2012-10-08 17:55 - 00006786 ____A C:\Users\mom saum\Downloads\invite.ics
2012-10-08 17:55 - 2012-10-08 17:55 - 00006786 ____A C:\Users\mom saum\Downloads\invite (1).ics
2012-10-06 17:10 - 2011-07-05 14:34 - 00028124 ____A C:\Users\All Users\nvModes.dat
2012-10-06 06:40 - 2006-11-02 04:51 - 00038186 ____A C:\Windows\setupact.log
2012-09-30 07:16 - 2012-09-30 06:59 - 00042616 ____A C:\Users\mom saum\Documents\Classroom Seating Chart.pptx
2012-09-29 15:54 - 2012-10-23 07:34 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-19 17:15 - 2012-09-19 17:15 - 00000445 ____A C:\Users\mom saum\Downloads\Event3BA2FA82E1904268B7135934DB8D6CB7.ics
2012-09-17 10:23 - 2012-09-17 10:22 - 00139256 ____A C:\Windows\Minidump\Mini091712-01.dmp
2012-09-17 10:22 - 2012-09-17 10:22 - 298766191 ____A C:\Windows\MEMORY.DMP
2012-09-13 05:28 - 2012-10-09 22:36 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-09-07 09:43 - 2012-04-24 14:52 - 00017920 ____A C:\Users\mom saum\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-09-02 20:07 - 2012-04-29 10:28 - 00001726 ____A C:\Users\Public\Desktop\ooVoo.lnk
2012-08-29 03:27 - 2012-10-09 22:36 - 03602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-08-29 03:27 - 2012-10-09 22:36 - 03550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-08-24 12:35 - 2012-08-24 12:35 - 00000137 ____A C:\Users\mom saum\Desktop\Home - Faculty & Staff.url
2012-08-24 07:53 - 2012-10-09 22:36 - 00172544 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-08-23 23:27 - 2012-09-21 23:01 - 12319744 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-23 23:03 - 2012-09-21 23:01 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-23 22:59 - 2012-09-21 23:01 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-23 22:51 - 2012-09-21 23:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-23 22:51 - 2012-09-21 23:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-23 22:51 - 2012-09-21 23:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-23 22:49 - 2012-09-21 23:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-23 22:48 - 2012-09-21 23:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-23 22:47 - 2012-09-21 23:01 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-23 22:47 - 2012-09-21 23:01 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-23 22:47 - 2012-09-21 23:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-23 22:45 - 2012-09-21 23:01 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-23 22:44 - 2012-09-21 23:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-23 22:44 - 2012-09-21 23:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-23 22:43 - 2012-09-21 23:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-23 22:40 - 2012-09-21 23:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-14 23:26 - 2006-11-02 04:46 - 00370448 ____A C:\Windows\System32\FNTCACHE.DAT


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-10-02 20:00:32
Restore point made on: 2012-10-03 20:00:39
Restore point made on: 2012-10-04 20:00:20
Restore point made on: 2012-10-05 20:00:31
Restore point made on: 2012-10-07 07:21:17
Restore point made on: 2012-10-07 20:00:26
Restore point made on: 2012-10-08 20:00:35
Restore point made on: 2012-10-09 20:00:42
Restore point made on: 2012-10-09 23:00:37
Restore point made on: 2012-10-10 20:00:33
Restore point made on: 2012-10-11 20:00:26
Restore point made on: 2012-10-12 20:00:35
Restore point made on: 2012-10-13 20:00:26
Restore point made on: 2012-10-14 18:44:03
Restore point made on: 2012-10-15 20:08:19
Restore point made on: 2012-10-16 21:03:41
Restore point made on: 2012-10-17 20:17:43
Restore point made on: 2012-10-18 20:00:24
Restore point made on: 2012-10-19 21:21:46
Restore point made on: 2012-10-21 06:26:54
Restore point made on: 2012-10-21 20:00:27

==================== Memory info ===========================

Percentage of memory in use: 20%
Total physical RAM: 2045.45 MB
Available physical RAM: 1635.69 MB
Total Pagefile: 1853.99 MB
Available Pagefile: 1688.58 MB
Total Virtual: 2047.88 MB
Available Virtual: 1982.35 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:232.88 GB) (Free:164.75 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (VISTA_32_ULTIMATE) (CDROM) (Total:2.84 GB) (Free:0 GB) CDFS
3 Drive e: (USBTLKIT) (Removable) (Total:7.55 GB) (Free:6.42 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 1177 KB
Disk 1 Online 7751 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 233 GB 1024 KB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 C NTFS Partition 233 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7751 MB 32 KB

=========================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E USBTLKIT FAT32 Removable 7751 MB Healthy

=========================================================

Last Boot: 2012-10-27 13:46

==================== End Of Log ============================


Farbar Recovery Scan Tool (x86) Version: 26-10-2012
Ran by SYSTEM at 2012-10-27 18:46:27
Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-11-16 10:47] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:22] - [2008-01-20 18:22] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\System32\services.exe
[2009-11-16 10:47] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

=== End Of Search ===

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:35 PM

Posted 27 October 2012 - 06:15 PM

Hello


looks like the file was removed - go ahead and try post 11



gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#15 TABweb

TABweb
  • Topic Starter

  • Members
  • 50 posts
  • Local time:08:35 PM

Posted 27 October 2012 - 06:30 PM

I can't seem to get a log file by running ComboFix from the command line. I'm going to try again to log into Windows and run it from there.


