Windows will not load?


  • This topic is locked
13 replies to this topic

#1 Hadnjury

Hadnjury

  • Members
  • 144 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 30 October 2012 - 07:43 PM

I am working on an HP Pavilion with Windows 7 x64. When starting the computer it makes it to the Windows icon and a blue screen flashes and causes a restart. It will not boot in safe mode either. I ran Kaspersky Rescue CD ver10 and it found several instances of rootkits and viruses. It still is doing the same thing. I ran Hiren's BootCD 15.1 in Mini XP and then ran FRST. Here are the results:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-10-2012
Ran by SYSTEM at 30-10-2012 19:12:22
Running from G:\
Windows 7 Home Premium (X86) OS Language:
The current controlset is ControlSet001

ATTENTION!:=====> THE OPERATING SYSTEM IS A X64 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X86 SYSTEM DISK.
==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1794344 2009-05-01] (Synaptics Incorporated)
HKLM\...\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [x]
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-03-23] (IDT, Inc.)
HKU\Cody\...\Run: [Google Update] "C:\Users\Cody\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-06-19] (Google Inc.)
HKU\Cody\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [4786048 2012-05-21] (SUPERAntiSpyware.com)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254

==================== Services (Whitelisted) ===================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2011-08-11] (SUPERAntiSpyware.com)
2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
2 Apple Mobile Device; "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe" [37664 2011-05-25] (Apple Inc.)
3 AVG Security Toolbar Service; C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [1025352 2011-07-26] ()
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" [7390560 2011-08-18] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe" [269520 2011-02-08] (AVG Technologies CZ, s.r.o.)
2 Bonjour Service; "C:\Program Files (x86)\Bonjour\mDNSResponder.exe" [387944 2011-07-12] (Apple Inc.)
4 clr_optimization_v2.0.50727_64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [89920 2009-06-10] (Microsoft Corporation)
2 clr_optimization_v4.0.30319_64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [138576 2010-03-18] (Microsoft Corporation)
3 Com4QLBEx; "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe" [228408 2009-05-05] (Hewlett-Packard Development Company, L.P.)
3 FontCache3.0.0.0; C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [42856 2010-11-05] (Microsoft Corporation)
3 GameConsoleService; "C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe" [165416 2008-05-05] (WildTangent, Inc.)
3 hpqwmiex; "C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe" [223232 2008-10-23] (Hewlett-Packard Development Company, L.P.)
3 IDriverT; "C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe" [73728 2004-10-22] (Macrovision Corporation)
3 idsvc; "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe" [856400 2010-11-05] (Microsoft Corporation)
2 LightScribeService; "C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe" [73728 2008-06-09] (Hewlett-Packard Company)
3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)
3 MozillaMaintenance; "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" [113120 2012-06-14] (Mozilla Foundation)
4 NetTcpPortSharing; "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" [116560 2009-06-10] (Microsoft Corporation)
2 NetworkLog; C:\Windows\svcs.exe [568304 2012-06-19] ()
3 odserv; "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE" [441712 2008-11-04] (Microsoft Corporation)
3 ose; "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE" [145184 2006-10-26] (Microsoft Corporation)
3 PerfHost; C:\Windows\SysWow64\perfhost.exe [20992 2009-07-14] (Microsoft Corporation)
2 Recovery Service for Windows; C:\Program Files (x86)\SMINST\BLService.exe [365952 2008-12-18] ()
2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [241734 2008-09-15] ()
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\STacSV64.exe [247808 2010-03-23] (IDT, Inc.)
2 TVCapSvc; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe" [296320 2008-11-27] ()
2 TVSched; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe" [116096 2008-11-27] ()
2 FastUserSwitchingCompatibility; C:\Windows\system32\FastUserSwitchingCompatibilityex.dll [x]
2 HP Health Check Service; "c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe" [x]
2 RoxLiveShare9; "C:\Program Files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe" [x]

==================== Drivers (Whitelisted) ====================

3 AgereSoftModem; C:\Windows\System32\DRIVERS\agrsm64.sys [1146880 2009-06-10] (LSI Corp)
3 AVGIDSDriver; C:\Windows\System32\DRIVERS\AVGIDSDriver.Sys [118864 2011-05-28] (AVG Technologies CZ, s.r.o. )
0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [26704 2011-02-22] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\AVGIDSFilter.Sys [29264 2011-02-10] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [304720 2011-01-07] (AVG Technologies CZ, s.r.o.)
1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [41552 2011-03-01] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [37456 2011-03-16] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [377936 2011-04-05] (AVG Technologies CZ, s.r.o.)
3 b06bdrv; C:\Windows\system32\DRIVERS\bxvbda.sys [468480 2009-06-10] (Broadcom Corporation)
3 b57nd60a; C:\Windows\System32\DRIVERS\b57nd60a.sys [270848 2009-06-10] (Broadcom Corporation)
3 BCM43XX; C:\Windows\System32\DRIVERS\bcmwl664.sys [1526776 2009-07-20] (Broadcom Corporation)
3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
3 igfx; C:\Windows\System32\DRIVERS\igdkmd64.sys [7369600 2009-08-27] (Intel Corporation)
3 ksthunk; C:\Windows\system32\drivers\ksthunk.sys [20992 2009-07-14] (Microsoft Corporation)
3 rcmirror; C:\Windows\System32\DRIVERS\rcmirror.sys [5120 2008-10-09] (Windows ® Codename Longhorn DDK provider)
3 RTL8167; C:\Windows\System32\DRIVERS\Rt64win7.sys [187392 2009-03-02] (Realtek Corporation )
3 RTL8169; C:\Windows\System32\DRIVERS\Rtlh64.sys [174592 2008-08-06] (Realtek Corporation )
3 RTSTOR; C:\Windows\System32\drivers\RTSTOR64.SYS [68096 2008-09-20] (Realtek Semiconductor Corp.)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 STHDA; C:\Windows\System32\DRIVERS\stwrt64.sys [505344 2010-03-23] (IDT, Inc.)
3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [51712 2010-09-28] (Apple, Inc.)
4 eabfiltr; [x]
3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [x]
0 speedfan; SysWOW64\speedfan.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-10-30 19:12 - 2012-10-30 19:12 - 00000000 ____D C:\FRST
2012-10-29 22:37 - 2012-10-29 22:37 - 00019516 ____A C:\ComboFix.txt
2012-10-29 20:09 - 2012-10-30 05:04 - 00000000 ___AD C:\Kaspersky Rescue Disk 10.0
2012-10-29 14:44 - 2012-10-29 22:37 - 00000000 ____D C:\Qoobox
2012-10-29 03:31 - 2012-10-29 03:31 - 00801224 ____A C:\Users\Cody\Local Settings\census.cache
2012-10-29 03:31 - 2012-10-29 03:31 - 00801224 ____A C:\Users\Cody\Local Settings\Application Data\census.cache
2012-10-29 03:31 - 2012-10-29 03:31 - 00801224 ____A C:\Users\Cody\AppData\Local\census.cache
2012-10-29 03:31 - 2012-10-29 03:31 - 00099263 ____A C:\Users\Cody\Local Settings\ars.cache
2012-10-29 03:31 - 2012-10-29 03:31 - 00099263 ____A C:\Users\Cody\Local Settings\Application Data\ars.cache
2012-10-29 03:31 - 2012-10-29 03:31 - 00099263 ____A C:\Users\Cody\AppData\Local\ars.cache
2012-10-29 03:16 - 2012-10-29 03:16 - 00000036 ____A C:\Users\Cody\Local Settings\housecall.guid.cache
2012-10-29 03:16 - 2012-10-29 03:16 - 00000036 ____A C:\Users\Cody\Local Settings\Application Data\housecall.guid.cache
2012-10-29 03:16 - 2012-10-29 03:16 - 00000036 ____A C:\Users\Cody\AppData\Local\housecall.guid.cache

==================== 3 Months Modified Files ==================

2012-10-29 22:37 - 2012-10-29 22:37 - 00019516 ____A C:\ComboFix.txt
2012-10-29 22:19 - 2009-07-14 02:34 - 73400320 ____A C:\Windows\System32\config\software.bak
2012-10-29 22:19 - 2009-07-14 02:34 - 23855104 ____A C:\Windows\System32\config\system.bak
2012-10-29 22:19 - 2009-07-14 02:34 - 00524288 ____A C:\Windows\System32\config\default.bak
2012-10-29 22:19 - 2009-07-14 02:34 - 00262144 ____A C:\Windows\System32\config\security.bak
2012-10-29 22:19 - 2009-07-14 02:34 - 00262144 ____A C:\Windows\System32\config\sam.bak
2012-10-29 03:31 - 2012-10-29 03:31 - 00801224 ____A C:\Users\Cody\Local Settings\census.cache
2012-10-29 03:31 - 2012-10-29 03:31 - 00801224 ____A C:\Users\Cody\Local Settings\Application Data\census.cache
2012-10-29 03:31 - 2012-10-29 03:31 - 00801224 ____A C:\Users\Cody\AppData\Local\census.cache
2012-10-29 03:31 - 2012-10-29 03:31 - 00099263 ____A C:\Users\Cody\Local Settings\ars.cache
2012-10-29 03:31 - 2012-10-29 03:31 - 00099263 ____A C:\Users\Cody\Local Settings\Application Data\ars.cache
2012-10-29 03:31 - 2012-10-29 03:31 - 00099263 ____A C:\Users\Cody\AppData\Local\ars.cache
2012-10-29 03:16 - 2012-10-29 03:16 - 00000036 ____A C:\Users\Cody\Local Settings\housecall.guid.cache
2012-10-29 03:16 - 2012-10-29 03:16 - 00000036 ____A C:\Users\Cody\Local Settings\Application Data\housecall.guid.cache
2012-10-29 03:16 - 2012-10-29 03:16 - 00000036 ____A C:\Users\Cody\AppData\Local\housecall.guid.cache

ZeroAccess:
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000001.@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000000.@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\800000cb.@

ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe
[2011-05-04 19:49] - [2011-02-25 06:19] - 2871808 ____A (Microsoft Corporation)

C:\Windows\System32\winlogon.exe
[2011-06-23 08:13] - [2010-11-20 13:25] - 0390656 ____A (Microsoft Corporation)

C:\Windows\System32\wininit.exe
[2009-07-13 23:52] - [2009-07-14 01:39] - 0129024 ____A (Microsoft Corporation)

C:\Windows\System32\svchost.exe
[2009-07-13 23:31] - [2009-07-14 01:39] - 0027136 ____A (Microsoft Corporation)

C:\Windows\System32\services.exe
[2009-07-13 23:19] - [2009-07-14 01:39] - 0328704 ____A (Microsoft Corporation)

C:\Windows\System32\User32.dll
[2011-06-23 08:13] - [2010-11-20 13:27] - 1008128 ____A (Microsoft Corporation)

C:\Windows\System32\userinit.exe
[2011-06-23 08:12] - [2010-11-20 13:25] - 0030720 ____A (Microsoft Corporation)

C:\Windows\System32\Drivers\volsnap.sys
[2011-06-23 08:13] - [2010-11-20 13:34] - 0295808 ____A (Microsoft Corporation)


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points (XP) =====================


==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 2975.12 MB
Available physical RAM: 2593.35 MB
Total Pagefile: 2747.79 MB
Available Pagefile: 1855.02 MB
Total Virtual: 2047.88 MB
Available Virtual: 2008.82 MB

==================== Partitions =============================

1 Drive b: (RamDrive) (Fixed) (Total:0.8 GB) (Free:0.8 GB) NTFS
2 Drive c: () (Fixed) (Total:285.05 GB) (Free:190.98 GB) NTFS
4 Drive e: (RECOVERY) (Fixed) (Total:13.04 GB) (Free:2.04 GB) NTFS
5 Drive f: (HBCD 15.1) (CDROM) (Total:0.49 GB) (Free:0 GB) CDFS
6 Drive g: (UBCDv5) (Fixed) (Total:3.89 GB) (Free:1.79 GB) FAT32
7 Drive x: (Mini Xp) (Fixed) (Total:0.23 GB) (Free:0.23 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 2 Online 3993 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 285 GB 1024 KB
Partition 2 Primary 13 GB 285 GB
=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 285 GB Healthy
=========================================================

Disk: 0
The disk management services could not complete the operation.

=========================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3993 MB 32 KB
Partition 2 Unknown 32 KB 3993 MB
=========================================================

Disk: 2
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 UBCDv5 FAT32 Partition 3993 MB Healthy
=========================================================

Disk: 2
Partition 2
Type : 21
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 Partition 0 B Healthy
=========================================================

Last Boot: 2012-06-23 06:17

==================== End Of Log ============================

Edited by Andrew, 30 October 2012 - 08:54 PM.
Mod Edit: Moved to Malware forum due to infection - AA

Some people think technology has the answers - Kevin Mitnick


#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:07:08 AM

Posted 31 October 2012 - 04:58 PM

Greetings Hadnjury and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that. :thumbup2:


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Reply button but use the Add Reply button instead.
  • In the upper right hand corner of the topic you will see the Options button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================


Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided. I will post back as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#3 Hadnjury

Hadnjury
  • Topic Starter

  • Members
  • 144 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 31 October 2012 - 06:15 PM

Thank you Gary, your help is greatly appreciated. I hope one day I too can help people in the forums to return the favor. My name is Mike and I am very happy to meet you. I will follow your instructions completely and I am very patient.

#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:07:08 AM

Posted 31 October 2012 - 06:52 PM

Hi Mike,

It is very nice to meet you and I look forward to working on this together. I have some instructions for you to follow but I must first advise you of the following.


===================================================


BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Please let me know if you have already noticed evidence of financial institution irregularities.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


===================================================


Farbar's Recovery Scan Tool Search

--------------------

  • Boot to the System Recovery Options again and run FRST
  • Type the following in the edit box

    svchost.exe
  • Click Search button
  • A Search.txt document will be saved to your USB device
  • Copy and paste the contents of that document into your reply

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Search.txt

Gary
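As an added example, not code from this thread or from Farbar's tool, here is a small Python triage script that runs over FRST-style lines like the ones in Mike's log (the line formats are inferred from that log, an assumption). It flags the three indicators Gary is reacting to: a service whose binary carries no publisher string, a core system binary found outside its expected directory, and a ZeroAccess-style hidden Installer\{GUID} folder.

```python
"""Triage FRST-style log lines for the indicators seen in this thread.
Added example, not from the thread or from Farbar's tool; the line formats
below are inferred from the posted log, not from FRST's documented grammar."""
import re

# Core binaries and the one directory each legitimately lives in (lower-cased).
# explorer.exe is deliberately absent: it really does live in C:\Windows.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}

# Service line: '<start> <name>; <path> [<size> <date>] (<publisher>)',
# or '... [x]' when FRST could not find the file on disk.
SERVICE_RE = re.compile(
    r'^(?P<start>\d)\s+(?P<name>[^;]+);\s*"?(?P<path>[^"\[]+?)"?\s*'
    r'(?:\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s*\((?P<publisher>.*)\)'
    r'|\[x\])\s*$'
)
# Bare path line (ATTENTION block, ZeroAccess block, Bamital check).
PATH_RE = re.compile(r'^(?P<path>[A-Za-z]:\\\S.*?)\s*$')
# ZeroAccess hides its @, L, n and U entries under Installer\{GUID}\ .
ZA_RE = re.compile(r'\\Installer\\\{[0-9a-f-]{36}\}(\\|$)', re.I)

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
2 NetworkLog; C:\Windows\svcs.exe [568304 2012-06-19] ()
2 avgwd; "C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe" [269520 2011-02-08] (AVG Technologies CZ, s.r.o.)
0 speedfan; SysWOW64\speedfan.sys [x]
ZeroAccess:
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000001.@
ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe
C:\Windows\System32\svchost.exe
"""


def split_path(path):
    """Return (parent_dir, file_name), both lower-cased, for a Windows path."""
    head, _, tail = path.strip().strip('"').lower().rpartition('\\')
    return head, tail


def triage(log_text):
    """Scan the log and return findings as {'kind', 'path', 'detail'} dicts."""
    findings, seen = [], set()

    def add(kind, path, detail):
        if (kind, path.lower()) not in seen:      # one finding per (kind, path)
            seen.add((kind, path.lower()))
            findings.append({'kind': kind, 'path': path, 'detail': detail})

    for line in log_text.splitlines():
        line = line.strip()
        svc = SERVICE_RE.match(line)
        if svc:
            candidate = svc.group('path').strip()
            publisher = svc.group('publisher')
            # '()' = file present but no publisher/version string.
            # '[x]' (publisher is None) = file missing, a different case.
            if publisher is not None and not publisher.strip():
                add('unsigned_service', candidate,
                    f"service {svc.group('name')} has no publisher string")
        else:
            m = PATH_RE.match(line)
            if not m:
                continue
            candidate = m.group('path')
        parent, name = split_path(candidate)
        if name in EXPECTED_DIR and parent != EXPECTED_DIR[name]:
            add('misplaced_system_binary', candidate,
                f"{name} is expected under {EXPECTED_DIR[name]}")
        za = ZA_RE.search(candidate)
        if za:
            add('zeroaccess_folder', candidate[:za.end()].rstrip('\\'),
                'hidden Installer\\{GUID} folder of the kind ZeroAccess uses')
    return findings
```

Running `triage(SAMPLE_LOG)` yields one finding of each kind; a copy of svchost.exe sitting in C:\Windows rather than C:\Windows\System32 is exactly why the search step above targets that file name.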

#5 Hadnjury

Hadnjury
  • Topic Starter

  • Members
  • 144 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 01 November 2012 - 11:21 AM

The system will not boot in safe mode. I tried and it just restarts. I have only been able to boot with Hiren's boot cd using mini xp. Would you like me to try it that way?

#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:07:08 AM

Posted 01 November 2012 - 12:22 PM

Hi Mike,

Did you try to start into Safe Mode or this (from my previous post)?

Boot to the System Recovery Options again and run FRST


Gary

#7 Hadnjury

Hadnjury
  • Topic Starter

  • Members
  • 144 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 01 November 2012 - 01:17 PM

Yes I tried to boot in safe mode and it will not. I can boot to the system recovery option and get a command prompt.

#8 Hadnjury

Hadnjury
  • Topic Starter

  • Members
  • 144 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 01 November 2012 - 01:49 PM

Sorry Gary,

I misread something along the way. I am in system recovery options. Do I run frst from the command prompt?

#9 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:07:08 AM

Posted 01 November 2012 - 01:52 PM

Hi Mike,

OK, maybe my instructions were not clear enough. You must boot into the System Recovery Option in order to run Farbar's Recovery Scan Tool (FRST) from your USB device. Basically you need to repeat the steps you took when you first ran FRST and then posted the information on the site. Once you launch FRST you can search for the file I listed. Just follow the instructions in my previous post to do the file search.
Gary

#10 Hadnjury

Hadnjury
  • Topic Starter

  • Members
  • 144 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 01 November 2012 - 01:58 PM

Gary,

I have decided to go with the erase and reinstall Windows method. I need this system to be trustworthy. Thanks for all your help sir!

#11 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:07:08 AM

Posted 01 November 2012 - 02:12 PM

OK Mike,

Thanks for letting me know. If you have the patience, that is always the best bet.

I will leave the topic open for a couple of days just to give you some time in case you have any questions. I would also like to provide you with some guidelines on how to maximize security once you have a clean machine.

----------

Lawrence Abrams, the founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know to keep your computer secure and clean. Please take the time to read:


In addition, here are some more links you might find of interest:


I will leave this topic open for just a couple of days in case you have any further issues then it will be closed shortly thereafter.

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.
Gary

#12 Hadnjury

Hadnjury
  • Topic Starter

  • Members
  • 144 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 01 November 2012 - 06:25 PM

Gary,

Thanks for all your help and the additional info! :thumbsup: It's nice to have a website you can trust for Windows answers.

#13 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:07:08 AM

Posted 01 November 2012 - 08:52 PM

You are most welcome. Please feel free to come back if the need ever arises.

Good luck!
Gary

#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:07:08 AM

Posted 05 February 2013 - 10:31 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary