
KSOD VISTA SONY VAIO - Virus?


  • This topic is locked
120 replies to this topic

#1 sweetiequeen

sweetiequeen

  • Members
  • 65 posts
  • Gender:Not Telling
  • Location:U.K.

Posted 26 November 2012 - 11:21 AM

http://www.bleepingcomputer.com/forums/topic475351.html/page__pid__2903674#top

Hi,

My Sony Vaio, windows vista home premium will no longer open windows. I can not access windows through the safe modes, I can only access the command prompt through the repair my computer option, using a recovery vista dvd. Which isn't a full recovery disc just a bootable one I bought online. In the command prompt, I typed regedit.exe and viewed part of the registry as follows:


HKEY_LOCAL_MACHINE
- SOFTWARE
- MICROSOFT
- WINDOWS NT
- WINLOGON
- SHELL - it states "cmd.exe /k start cmd.exe"

Sony have confirmed to me that the shell should state "explorer.exe", I have tried amending the value however after exit and rebooting the laptop this value reverts back to "cmd.exe /k start cmd.exe". If I can't amend the shell value then a full system recovery will be the only option they say they can advise me with.

Why can't I rename the shell? Is it because the explorer.exe file has been corrupted or deleted? Do I have a virus? If I do have a virus and attempt to restore my laptop will that solve the problem?


Please see link above for previous posts.

Also I did look at the preparation guide before posting, although I am not sure how I do the following without being able to access windows?

1. Back up Data - Vista Complete PC Backup - Is this the option I should pick because my OS is Vista? But I can't access Windows Start - All Programs - Maintenance - Back up and Restore Center.
5. Enable A Firewall - I can't access the control panel
6. D/L & Run DDS to create log of programs running on pc - Can I download this on another working computer and use it to run the DDS tool on my laptop when I can't access windows?

However I was able to copy the C: drive and user area from my laptop by using the recovery disc, repair my computer option, when selecting the upload new drivers which gave me limited access to my computer. It only let me see the driver set up or installation type files (can't remember exact wording) so I copied the whole C drive and user folder to a WD hard drive. Was that a mistake to do that? Especially if I may have a virus?

I hope that all makes sense! Any advice would be greatly appreciated.

Thanks for your help

p.s. After reading some of the self-help guides, which explained how viruses can infect your computer, I know the following were running on my machine.

Actual Spy - downloaded a couple of months ago.
Registry Checker/cleaner - Over 6 months ago, I can't quite remember the name - Registry Mechanic or something similar, it was a trial, I don't remember letting it fix anything and I did not purchase it.
Watched TV online - I was asked to download something because I did not have the correct codec or something, I think I clicked on it by mistake! This was the last thing I did on the computer.
Shutdown incorrectly - The next time I tried to log on, which was a few days later, there had been a power cut, the switch tripped so my computer was shut down incorrectly when it was in sleep mode.

Edited by sweetiequeen, 26 November 2012 - 01:29 PM.




#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,640 posts
  • Gender:Male
  • Location:California

Posted 29 November 2012 - 10:14 AM

Greetings sweetiequeen and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that. :thumbup2:


===================================================


Ground Rules:

  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================


Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided. I will post back as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,640 posts
  • Gender:Male
  • Location:California

Posted 29 November 2012 - 10:27 AM

Hi sweetiequeen,


It appears you have done a lot of prep work so far. We are going to slow down a bit and focus on one thing at a time. I will ask that you now place your trust in both of us working together and resist any temptation to take a step that was not directed by me in a Post. At this point I see no reason why we can't make progress, as long as we progress in a calculated way.

----------

I copied the whole C drive and user folder to a WD hard drive. Was that a mistake to do that?

It was not a mistake to do that but you are correctly concerned about possibly having a virus contained in that information. As long as we keep all of that backup information isolated on the external drive we are fine.

----------

Here is the first step I would like you to take for me please.


===================================================


Farbar's Recovery Scan Tool

--------------------

For this step you will need a USB flash drive and start on a clean computer.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC and we will enter the System Recovery Options one of the two following ways:

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Once you are in the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in Notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select Computer and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • FRST log

Gary
 

#4 sweetiequeen

sweetiequeen
  • Topic Starter

  • Members
  • 65 posts
  • Gender:Not Telling
  • Location:U.K.

Posted 29 November 2012 - 11:58 AM

Hi Gary, Many thanks for your post, I appreciate this may take a while so I won't get too frustrated. I have a quick but probably stupid question: how do I know if my system is 32-bit or 64-bit? Is it mentioned in the BIOS? I looked up my model on the Sony website but I can't see it specified in the spec. My model is VGN-NS30E/P.

I have downloaded the two files and saved them to a flash drive, I will attempt to get a log for you and post tomorrow.

Many Thanks for your help

Sarah

#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,640 posts
  • Gender:Male
  • Location:California

Posted 29 November 2012 - 12:48 PM

Hi Sarah and welcome,

how do I know if my system is a 32bit or 64bit?

That is actually a very good question since you can't boot. Here is what I would like you to do to find out:

  • Boot your computer into the command prompt as you did before.
  • Type cd \windows and press Enter (space after "cd")
  • Type dir and press Enter
  • Scroll down the directory list and see if you can locate SysWOW64
  • If that directory is present you have a 64 bit machine. If not, it is 32 bit

Gary
 

#6 sweetiequeen

sweetiequeen
  • Topic Starter

  • Members
  • 65 posts
  • Gender:Not Telling
  • Location:U.K.

Posted 30 November 2012 - 04:30 AM

Hi Gary,
Here is the FRST log
Thanks Sarah

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-11-2012 (ATTENTION: FRST version is 6 days old)
Ran by SYSTEM at 29-11-2012 20:14:48
Running from F:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet098

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [x]
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [6703648 2009-01-05] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [835584 2007-03-09] (Synaptics, Inc.)
HKLM\...\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [317288 2008-12-18] (Sony Corporation)
HKLM\...\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [30192 2010-07-14] (Google)
HKLM\...\Run: [MarketingTools] C:\Program Files\Sony\Marketing Tools\MarketingTools.exe [26112 2009-03-30] (Sony Corporation)
HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-10-05] (Apple Inc.)
HKLM\...\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe [215552 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [SmileyCentralIE_1w Browser Plugin Loader] C:\PROGRA~1\SMILEY~2\bar\1.bin\1wbrmon.exe [20480 2010-12-13] (SmileyCentral)
HKLM\...\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe [2345592 2012-07-31] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe [1833504 2009-01-05] (Realtek Semiconductor Corp.)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
HKLM\...\Run: [RegTool] C:\Program Files\Gemplus\GemSafe Libraries\BIN\RegTool.exe [172032 2007-06-20] ()
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe" [1107552 2012-07-09] ()
HKLM\...\Run: [ROC_roc_dec12] "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 [928096 2012-01-16] ()
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM\...\Run: [TotalRecipeSearch Search Scope Monitor] "C:\PROGRA~1\TOTALR~2\bar\1.bin\14srchmn.exe" /m=2 /w /h [42536 2012-07-08] (MindSpark)
HKLM\...\Run: [TotalRecipeSearch_14 Browser Plugin Loader] C:\PROGRA~1\TOTALR~2\bar\1.bin\14brmon.exe [30096 2012-07-08] (VER_COMPANY_NAME)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKU\Default\...\Run: [NSUFloatingUI] "C:\Program Files\Sony\Network Utility\LANUtil.exe" [274432 2008-12-21] (Sony Corporation)
HKU\Default User\...\Run: [NSUFloatingUI] "C:\Program Files\Sony\Network Utility\LANUtil.exe" [274432 2008-12-21] (Sony Corporation)
HKU\Hulk\...\Run: [NSUFloatingUI] "C:\Program Files\Sony\Network Utility\LANUtil.exe" [274432 2008-12-21] (Sony Corporation)
HKU\Hulk\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKU\Hulk\...\Run: [Facebook Update] "C:\Users\Hulk\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-12] (Facebook Inc.)
HKU\Hulk\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [x]
HKU\Hulk\...\Run: [GameXN GO] "C:\ProgramData\GameXN\GameXNGO.exe" /startup [347008 2011-09-10] (EasyBits Software AS)
HKU\Hulk\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [318464 2008-01-20] (Microsoft Corporation)
HKLM\...\Policies\Explorer\Run: [application] C:\Program Files\ACSPMonitor\ASMonitor.exe hs [665600 2012-10-13] ()
Winlogon\Notify\gemsafe: C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll [X]
Winlogon\Notify\VESWinlogon: VESWinlogon.dll (Sony Corporation)
HKLM\...\InprocServer32: [Default-wbemess] ATTENTION! ====> ZeroAccess
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
AppInit_DLLs: C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL
Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\Hulk\Start Menu\Programs\Startup\Facebook Messenger.lnk
ShortcutTarget: Facebook Messenger.lnk -> (No File)

==================== Services (Whitelisted) ===================

3 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
3 AVG Security Toolbar Service; C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe [167264 2011-11-10] ()
2 AVGIDSAgent; "C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" [7391072 2012-01-31] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files\AVG\AVG10\avgwdsvc.exe" [269520 2011-02-07] (AVG Technologies CZ, s.r.o.)
3 GoogleDesktopManager-051210-111108; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [30192 2010-07-14] (Google)
2 gupdate1ca74e8a117752; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [133104 2009-12-04] (Google Inc.)
2 hshld; C:\Program Files\Hotspot Shield\bin\openvpnas.exe [476016 2012-08-02] ()
2 HssSrv; C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe [408944 2012-08-02] (AnchorFree Inc.)
3 HssTrayService; C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE [78072 2012-08-02] ()
2 HssWd; C:\Program Files\Hotspot Shield\bin\hsswd.exe [387440 2012-08-02] ()
3 McComponentHostService; "C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)
2 Skype C2C Service; "C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe" [3064000 2012-10-02] (Skype Technologies S.A.)
2 SmileyCentralIE_1wService; C:\PROGRA~1\SMILEY~2\bar\1.bin\1wbarsvc.exe [28766 2010-12-13] (SmileyCentral)
3 SOHCImp; "C:\Program Files\Common Files\Sony Shared\SOHLib\SOHCImp.exe" [120104 2009-01-20] (Sony Corporation)
3 SOHDBSvr; "C:\Program Files\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe" [70952 2009-01-20] (Sony Corporation)
3 SOHDms; "C:\Program Files\Common Files\Sony Shared\SOHLib\SOHDms.exe" [390440 2009-01-20] (Sony Corporation)
3 SOHDs; "C:\Program Files\Common Files\Sony Shared\SOHLib\SOHDs.exe" [75048 2009-01-20] (Sony Corporation)
3 SOHPlMgr; "C:\Program Files\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe" [91432 2009-01-20] (Sony Corporation)
2 TotalRecipeSearch_14Service; C:\PROGRA~1\TOTALR~2\bar\1.bin\14barsvc.exe [42504 2012-07-08] (COMPANYVERS_NAME)
2 uCamMonitor; C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [104960 2008-09-18] (ArcSoft, Inc.)
3 VAIO Entertainment TV Device Arbitration Service; "C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzHardwareResourceManager\VzHardwareResourceManager\VzHardwareResourceManager.exe" [69632 2009-01-21] (Sony Corporation)
2 VCFw; "C:\Program Files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe" [5184872 2009-01-14] (Sony Corporation)
2 VcmIAlzMgr; "C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe" [394536 2009-01-19] (Sony Corporation)
3 Vcsw; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe -RunBySCM [313264 2009-01-21] (Sony Corporation)
2 vToolbarUpdater11.2.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe [935008 2012-07-09] ()
3 VUAgent; "C:\Program Files\Sony\VAIO Update Common\VUAgent.exe" [939624 2012-01-13] (Sony Corporation)
2 VzCdbSvc; "C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe" [192512 2009-01-21] (Sony Corporation)

==================== Drivers (Whitelisted) ====================

3 ArcSoftKsUFilter; C:\Windows\System32\DRIVERS\ArcSoftKsUFilter.sys [17920 2008-04-24] (ArcSoft, Inc.)
3 AVGIDSDriver; C:\Windows\System32\DRIVERS\AVGIDSDriver.Sys [134480 2011-05-27] (AVG Technologies CZ, s.r.o. )
0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [22992 2011-02-21] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\AVGIDSFilter.Sys [24144 2011-02-09] (AVG Technologies CZ, s.r.o. )
3 AVGIDSShim; C:\Windows\System32\DRIVERS\AVGIDSShim.Sys [28624 2011-02-09] (AVG Technologies CZ, s.r.o. )
1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [248656 2011-01-06] (AVG Technologies CZ, s.r.o.)
1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [34896 2011-03-01] (AVG Technologies CZ, s.r.o.)
0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [32592 2011-03-16] (AVG Technologies CZ, s.r.o.)
1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [297168 2011-04-04] (AVG Technologies CZ, s.r.o.)
3 GTwinUSB; C:\Windows\System32\Drivers\GTwinUSB.sys [71424 2005-04-15] (Gemplus)
1 HssDRV6; C:\Windows\System32\DRIVERS\hssdrv6.sys [35560 2012-08-01] (AnchorFree Inc.)
1 RapportCerberus_43926; \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus32_43926.sys [272216 2012-10-04] ()
3 taphss; C:\Windows\System32\DRIVERS\taphss.sys [33512 2012-08-01] (AnchorFree Inc)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
4 UIUSys; C:\Windows\System32\DRIVERS\UIUSYS.SYS [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-11-29 20:14 - 2012-11-29 20:14 - 00000000 ____D C:\FRST
2012-10-31 14:28 - 2012-10-31 14:28 - 00000162 ____A C:\Users\Hulk\Desktop\greys.url

==================== One Month Modified Files and Folders ========

2012-11-29 20:14 - 2012-11-29 20:14 - 00000000 ____D C:\FRST
2012-11-21 10:16 - 2006-11-02 05:01 - 00032608 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-11-21 10:16 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-21 10:16 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-21 10:16 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-13 23:29 - 2009-12-04 05:51 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-11-13 22:44 - 2012-01-30 10:35 - 00000922 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4210161596-2143205629-43785670-1000UA.job
2012-11-13 19:36 - 2009-09-24 15:42 - 01463400 ____A C:\Windows\WindowsUpdate.log
2012-11-12 11:11 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\winevt
2012-11-11 10:21 - 2006-11-02 04:47 - 00116736 _____ C:\Windows\System32\umstartup.etl
2012-11-11 03:45 - 2012-08-26 04:31 - 00000000 ____D C:\Program Files\Hotspot Shield
2012-11-11 03:45 - 2011-12-07 00:08 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
2012-11-11 03:45 - 2011-12-07 00:08 - 00000000 ____D C:\Program Files\AVG Secure Search
2012-11-11 03:45 - 2011-09-10 04:19 - 00000000 ____D C:\Users\All Users\GameXN
2012-11-11 03:45 - 2011-01-02 11:56 - 00000000 ____D C:\Windows\System32\Drivers\AVG
2012-11-11 03:45 - 2009-10-04 04:16 - 00000000 ____D C:\Users\All Users\McAfee Security Scan
2012-11-11 03:45 - 2009-09-24 15:47 - 00000000 ____D C:\users\Hulk
2012-11-11 03:45 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\spool
2012-11-11 03:45 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\system
2012-11-11 03:45 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\registration
2012-11-11 03:45 - 2006-11-02 02:22 - 49020928 ____A C:\Windows\System32\config\software_previous
2012-11-11 03:41 - 2006-11-02 02:22 - 96468992 ____A C:\Windows\System32\config\system_previous
2012-11-11 03:30 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\security_previous
2012-11-11 03:30 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
2012-11-11 03:27 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\LogFiles
2012-11-11 02:58 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\default_previous
2012-11-08 10:58 - 2011-06-22 12:41 - 00000000 ____D C:\Users\Hulk\AppData\Roaming\go
2012-11-07 13:51 - 2012-10-07 03:25 - 00000171 ____A C:\Users\Hulk\Desktop\Drop Dead Diva 4.url
2012-11-07 12:45 - 2009-12-04 05:25 - 00000000 ____D C:\Users\Hulk\AppData\Roaming\Skype
2012-11-07 12:44 - 2012-08-26 04:31 - 00000885 ____A C:\Windows\certutil.log
2012-11-04 10:42 - 2006-11-02 02:22 - 41943040 ____A C:\Windows\System32\config\components_previous
2012-10-31 14:28 - 2012-10-31 14:28 - 00000162 ____A C:\Users\Hulk\Desktop\greys.url
2012-10-31 14:24 - 2012-10-16 14:20 - 00000172 ____A C:\Users\Hulk\Desktop\Private Practice.url
2012-10-30 22:43 - 2009-12-04 05:51 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-10-30 09:58 - 2009-03-30 13:43 - 00000000 ____D C:\Users\All Users\Skype
2012-10-30 08:39 - 2012-01-30 10:35 - 00000900 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4210161596-2143205629-43785670-1000Core.job

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 2938.43 MB
Available physical RAM: 2446.6 MB
Total Pagefile: 2727.69 MB
Available Pagefile: 2582.56 MB
Total Virtual: 2047.88 MB
Available Virtual: 1975.72 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:223.11 GB) (Free:139.89 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (2007.11.03_2329) (CDROM) (Total:0.12 GB) (Free:0 GB) UDF
3 Drive e: (Recovery) (Fixed) (Total:9.78 GB) (Free:0.83 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (HP USB FD) (Removable) (Total:15.22 GB) (Free:15.22 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 993 KB
Disk 1 Online 15 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 10 GB 1024 KB
Partition 2 Primary 223 GB 10 GB

=========================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E Recovery NTFS Partition 10 GB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 223 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 15 GB 24 KB

=========================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F HP USB FD FAT32 Removable 15 GB Healthy

=========================================================

Last Boot: 2012-11-13 19:49

==================== End Of Log ============================
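The log above is read the way an analyst reads any FRST report: FRST's own "ATTENTION" markers (here the two ZeroAccess CLSID hijacks and the broken .exe association) come first, then autostart entries whose file is missing ("[x]"), entries with no company name in their version info ("()"), and entries under less common autostart keys such as Policies\Explorer\Run. The original poster's finding, a Winlogon Shell value of "cmd.exe /k start cmd.exe" where Sony confirmed it should read "explorer.exe", is the same kind of comparison against a known-good value. The following is an added example written for this page, not FRST's code and not something from the thread; its line pattern is modelled only on the line shapes visible in this log, and the meanings of "[x]" and "()" are assumed from how they appear here. The sample lines are copied from the log posted above.

```python
"""Triage helper for FRST-style scan log lines (added example, not FRST code).

Flags the lines an analyst looks at first: FRST "ATTENTION" markers, autostart
entries whose file is missing ("[x]"), entries with no company name in the
version info ("()"), and entries under the Policies\\Explorer\\Run key. Also
checks a Winlogon Shell value against the stock "explorer.exe".
"""
import re
from collections import Counter

# Stock Winlogon Shell value on Vista; the poster found it replaced by
# "cmd.exe /k start cmd.exe".
EXPECTED_SHELL = "explorer.exe"

# Constructed sample: a handful of lines copied from the FRST log in the thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [x]
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [6703648 2009-01-05] (Realtek Semiconductor)
HKLM\...\Run: [SmileyCentralIE_1w Browser Plugin Loader] C:\PROGRA~1\SMILEY~2\bar\1.bin\1wbrmon.exe [20480 2010-12-13] (SmileyCentral)
HKLM\...\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe" [1107552 2012-07-09] ()
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [318464 2008-01-20] (Microsoft Corporation)
HKLM\...\Policies\Explorer\Run: [application] C:\Program Files\ACSPMonitor\ASMonitor.exe hs [665600 2012-10-13] ()
HKLM\...\InprocServer32: [Default-wbemess] ATTENTION! ====> ZeroAccess
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess
HKU\Hulk\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [x]
HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!
C:\Windows\explorer.exe => MD5 is legit
"""

# Autostart line shape assumed from this log:
# "<hive>\...\<key>: [<name>] <command> [<size> <date>] (<company>)"
RUN_ENTRY = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\(?P<key>Run|RunOnce|Policies\\Explorer\\Run): "
    r"\[(?P<name>[^\]]+)\] (?P<rest>.*)$"
)


def check_shell_value(value):
    """True if a Winlogon Shell value is the stock explorer.exe (quotes and case ignored)."""
    return value.strip().strip('"').lower() == EXPECTED_SHELL


def triage(log_text):
    """Return a list of (category, line) findings for an FRST-style log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # FRST already marks what it considers malicious or broken.
        if "ATTENTION" in line:
            findings.append(("attention", line))
            continue
        m = RUN_ENTRY.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if rest.endswith("[x]"):          # assumed: file referenced by the entry is missing
            findings.append(("missing-file", line))
        elif rest.endswith("()"):         # assumed: no company name in the version info
            findings.append(("no-company-name", line))
        if m.group("key") == r"Policies\Explorer\Run":
            findings.append(("unusual-autostart-key", line))
    return findings


def summarize(findings):
    """Count findings per category so the reviewer sees the shape of the log at a glance."""
    return dict(Counter(category for category, _ in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for category, line in results:
        print(f"{category:22} {line}")
    print(summarize(results))
    print("Shell value is stock:", check_shell_value("cmd.exe /k start cmd.exe"))
```

Run it as-is against the embedded sample; to triage a real report, read FRST.txt into `triage()` instead. Lines with a company name and an existing file (the Realtek and Microsoft entries here) produce no finding, which is the point: the reviewer's attention goes to the handful of lines that need a manual decision.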

#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,640 posts
  • Gender:Male
  • Location:California

Posted 30 November 2012 - 10:25 AM

Hi Sarah,

Thank you for your efforts in producing the report which was valuable in determining what is wrong with your computer. I will provide an initial step for you but I would like you to install a new copy of Farbar's Recovery Scan Tool on your USB device. The one you are currently using is older than we'd like it to be.

Before you take the next step I must first advise you of the following:


===================================================


BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Please let me know if you have already noticed evidence of financial institution irregularities.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


===================================================


Farbar's Recovery Scan Tool - Run Fix

--------------------

  • From a clean computer press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt

    HKLM\...\InprocServer32: [Default-wbemess] ATTENTION! ====> ZeroAccess
    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess
    HKLM\...\Run: [SmileyCentralIE_1w Browser Plugin Loader] C:\PROGRA~1\SMILEY~2\bar\1.bin\1wbrmon.exe [20480 2010-12-13] (SmileyCentral)
    HKLM\...\.exe: <===== ATTENTION!
    HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
    HKLM\...\exefile\open\command: <===== ATTENTION!
    
  • NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up) and select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt) please post it to your reply.
  • Please attempt to boot your computer into Normal Mode

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • FRST log
  • Were you able to boot into Normal Mode?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#8 sweetiequeen
  • Topic Starter

Posted 30 November 2012 - 11:21 AM

Hi Gary,

Thanks for the advice, I just have a couple of questions.

You say one or more of the identified infections is a Backdoor Trojan?

Can you tell me how many infections I have? and what may have caused this?

The last thing I did on the laptop was watch tv which was very slow and buffering, it was telling me I was having problems viewing the video correctly and needed to download a codec (can't remember exact wording). Could this be when I was infected? Because I didn't use the laptop after that, it was put to sleep. Then I think the next day, there was a power cut so my computer was shut down incorrectly at that point.

Could someone access my machine when it is in sleep mode?

I do use my laptop for internet banking, email, facebook etc but not after it was infected (if what I described above is when it was infected), does this make a difference?

If reformatting/restoring the laptop is the decision I make, does this mean that I would not be able to restore the laptop using the built in vista recovery option to factory settings etc, as there could be an infection within that?

I will be contacting my credit card companies, bank and changing all passwords asap.

Many thanks for your help

Sarah

#9 Oh My!
  • Malware Response Instructor

Posted 30 November 2012 - 01:53 PM

Hi Sarah,

You have what is known as a ZeroAccess infection and if you click on the link you will see more information about it. That seems to be the main infection from what I can tell and it will affect different areas of your computer. Chances are we can undo those changes that were made, which may include your video difficulties. However the Backdoor component/caution still remains.

----------

Any time you are actively online someone theoretically could have access to your computer. So if the computer is put into sleep mode you would be OK because you are not online.

----------

I do use my laptop for internet banking, email, facebook etc but not after it was infected (if what I described above is when it was infected), does this make a difference?

It depends on whether or not your logon and password information has been changed using a non-infected computer. If it was done on the infected computer it might still be vulnerable. If it was from a clean computer then the new information is secure. Here are some thoughts I have put together for people who ask what they should do in light of the infection. Ultimately each user must decide for themselves what to do and the below are simply things to consider.

It is necessary for us to at least make you aware of the worst case scenario. This is because of the potential Backdoor Trojans bring with them, but it is not a determination on our part that your situation currently falls within this worst case scenario.

Ultimately it is a personal decision whether to reformat or not. What decision should you make to let you sleep well at night? It is different for different people. I will say whether rightly or wrongly most people decide to clean and not reformat, at least initially.

The only insight I can offer is how I evaluate the issue personally even though I have never had a Backdoor Trojan on my computer. One of the primary purposes for malicious software is to somehow separate you from your money. It seems reasonable to assume that a thief trying to take your money via a Backdoor Trojan will hit you hard, and quickly. Once your computer starts to act up and you become suspicious, you have the opportunity to eliminate access to your computer and change the information taken, namely account and password information. The key to this, in my opinion, is whether or not you have noticed any irregularities in your banking or other financial institutions, or things like email and social network accounts (i.e. Facebook). If you have not seen any evidence of that then you may question whether your information has truly been stolen. If it seems it hasn't, and your critical information has been changed, it is reasonable to be more confident you are safe but you must stop short of claiming an absolute guarantee.

If, after careful consideration you decide not to reformat your computer it would be wise to continue monitoring your sensitive data and don't wait to address future symptoms on your computer which seem to be malware related.

The bottom line: the ONLY way to be absolutely sure to be rid of a Backdoor Trojan is to reformat. The decision is yours.

----------

Regarding reformat/reinstall. If you reformat, the infection will be gone. But here is the twist. If you happen to reintroduce an infected file into a clean machine your machine will be clean no longer. For that reason I encourage users to continue the steps in cleaning their computer to maximize the probabilities of only putting back clean files. Now these files would be data files, not programs themselves. For example, we could put back a Word document but you would have to reinstall Word. Any programs you have installed would have to be installed again (you need the disk or download).

Take your time in carefully considering what you would like to do and we will go from there. Whatever you decide, I agree! It is your computer. :)
Gary

#10 sweetiequeen
  • Topic Starter

Posted 03 December 2012 - 06:28 AM

Hi Gary,

Hmm, it's a tough one. I can't see that my banks have been affected and I will get new cards issued etc, so can we go ahead and clean the laptop please. After running the fix log I could not open in normal mode.

Thanks Sarah

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 23-11-2012
Ran by SYSTEM at 2012-12-03 08:54:29 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\Default value was restored successfully .
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SmileyCentralIE_1w Browser Plugin Loader Value deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\\Default value was restored successfully .
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\\Default value was restored successfully .
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\Default value was restored successfully .

==== End of Fixlog ====

#11 sweetiequeen
  • Topic Starter

Posted 03 December 2012 - 07:07 AM

Hi Gary, Sorry just another quick question.

Are you able to tell me when I was infected with ZeroAccess? A date?

Thanks

Sarah

#12 Oh My!
  • Malware Response Instructor

Posted 03 December 2012 - 01:30 PM

Hi Sarah,

After running the fix log I could not open in normal mode

Could you please describe what happens (blue screen, only beeps, etc)


Are you able to tell me when I was infected with ZeroAccess? A date?

Unfortunately not. The evidence so far only shows this, which relates to the modification of registry entries

HKLM\...\InprocServer32: [Default-wbemess] ATTENTION! ====> ZeroAccess
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess

Gary

#13 sweetiequeen
  • Topic Starter

Posted 03 December 2012 - 04:24 PM

Hi Gary, I switched the laptop on and pressed F2 to bring up the BIOS screen and changed the BIOS to boot from the hard drive instead of the optical drive, then shut down and switched back on. It opens to the boot manager screen - choose an operating system.

Then opens to a windows error recovery screen. Windows did not shut down successfully. If this was due to system not responding etc, options safe mode, safe mode with networking or with command prompt or start normally.

Microsoft corporation bar appears at the bottom of the screen flashes, no sound! Then goes to a black screen, screen goes dark then the black screen with a white cursor arrow appears.

Thanks
Sarah

#14 Oh My!
  • Malware Response Instructor

Posted 03 December 2012 - 06:14 PM

Hi Sarah,

Are the Normal Boot up symptoms you just described similar to what you experienced before running Farbar's Recovery Scan Tool? And can you tell me if you are still unable to boot into Safe Mode?
Gary

#15 sweetiequeen
  • Topic Starter

Posted 04 December 2012 - 04:00 PM

Hi Gary, yes, it does the same as before. When trying to boot in safe mode (all of the safe modes), it says loading Windows files, listing system32\drivers\ etc before opening to the black screen.

Thanks

Sarah