Not sure on problem


  • This topic is locked
5 replies to this topic

#1 pecanguy830

pecanguy830

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:43 AM

Posted 07 December 2012 - 09:29 AM

So I had an ad talking in background and was not protected. Don't know who gave me idea, but I ran Defender and was instructed to run offline version via disc. Since then I have not been able to boot. Computer will flash blue script screen then attempt startup repair. I have already attempted startup repair with no luck. I thought my problem sounded like several I read about through this site. I only ran FRST64 and this is the result.
PLEASE HELP!!!

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02-12-2012
Ran by SYSTEM at 06-12-2012 19:11:41
Running from F:\PCFIX
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [] [x]
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2010-04-28] ()
HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [x]
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [x]
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [x]
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [x]
HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [x]
HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [x]
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2010-11-10] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1295224 2010-07-01] (TOSHIBA Corporation)
HKLM-x32\...\Run: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [552960 2010-09-23] (Toshiba)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [296056 2012-05-30] (RealNetworks, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1561768 2012-05-04] (Ask)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKU\Eric\...\Run: [Glary Memory Optimizer] "C:\Program Files (x86)\Glary Utilities\memdefrag.exe" /autostart [108344 2012-04-06] (Glarysoft Ltd)
HKU\Eric\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-11-22] (Google Inc.)
HKLM\...\RunOnce: [*Restore] C:\windows\system32\rstrui.exe /RUNONCE [296960 2009-07-13] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

==================== Services (Whitelisted) ===================

2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)

==================== Drivers (Whitelisted) =====================

3 kx1avs_x64; C:\Windows\System32\Drivers\kx1avs_x64.sys [45136 2009-12-07] (Native Instruments GmbH)
3 kx1usb_x64; C:\Windows\System32\Drivers\kx1usb_x64.sys [300624 2009-12-07] (Native Instruments GmbH)
3 MBAMProtector; \??\C:\windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
3 SeratoUsb; C:\Windows\System32\Drivers\SeratoUsb.sys [50808 2010-11-22] (Cristalink Ltd)

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-12-06 19:11 - 2012-12-06 19:11 - 00000000 ____D C:\FRST
2012-11-30 21:07 - 2012-11-30 21:07 - 00000000 ____A C:\Windows\System32\config\SOFTWAREf217de32
2012-11-30 20:43 - 2012-12-01 09:54 - 00000000 ____D C:\Windows\Microsoft Antimalware
2012-11-30 17:10 - 2012-11-30 21:25 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-11-30 17:09 - 2012-11-30 21:25 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-11-26 07:05 - 2012-11-26 07:06 - 00000000 ____D C:\Users\Eric\Downloads\flo rida(wild ones iTunes Holiday edition)-atrilli.net
2012-11-26 07:05 - 2012-11-22 19:31 - 00000000 ____D C:\Users\Eric\Downloads\Fabolous-The_Soul_Tape_2-2012-atrilli.net
2012-11-26 07:05 - 2012-11-13 07:42 - 00000000 ____D C:\Users\Eric\Downloads\Pitbull-Global_Warming_(Deluxe_Edition)-2012-atrilli.net
2012-11-24 22:12 - 2012-11-21 02:22 - 00000000 ____D C:\Users\Eric\Downloads\Future - Superfuture The Prequel (Presented By Atrilli.net)
2012-11-23 21:50 - 2012-11-23 22:00 - 00000000 ____D C:\Users\Eric\Downloads\Cy Fyre - The Fyre Fyles Beat CD
2012-11-23 21:41 - 2012-11-19 18:02 - 00000000 ____D C:\Users\Eric\Downloads\French Montana - Mac Cheese 3 (DatPiff.com)
2012-11-23 21:41 - 2012-11-14 12:29 - 00000000 ____D C:\Users\Eric\Downloads\Big Shane - Welcome 2 The Creole Gwop Pit (DatPiff.com)
2012-11-23 21:40 - 2012-11-15 04:24 - 00000000 ____D C:\Users\Eric\Downloads\BoB - bleep Em We Ball (DatPiff.com)
2012-11-23 21:08 - 2012-11-23 22:12 - 00000000 ____D C:\Users\Eric\Downloads\Killa Kyleon x Cy Fyre - H-Town Heroes [Mixed By DJ Slimchances]
2012-11-23 21:08 - 2012-11-21 08:12 - 00000000 ____D C:\Users\Eric\Downloads\VA - Hustlegram the Mixtape (DatPiff.com)
2012-11-23 21:08 - 2012-11-21 06:54 - 00000000 ____D C:\Users\Eric\Downloads\Kid Ink - Rocketshipshawty (DatPiff.com)
2012-11-23 21:07 - 2012-11-22 22:00 - 00000000 ____D C:\Users\Eric\Downloads\DJ_Smallz-Yung_Nation-All_Freestyles_2
2012-11-23 21:07 - 2012-11-20 22:00 - 00000000 ____D C:\Users\Eric\Downloads\Traps-N-Trunks-Poke_Dog-Support_Our_Trap_2
2012-11-23 21:07 - 2012-11-20 12:28 - 00000000 ____D C:\Users\Eric\Downloads\Joe Budden - A Loose Quarter (DatPiff.com)
2012-11-18 09:00 - 2012-06-02 06:35 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
2012-11-18 08:59 - 2012-07-25 20:55 - 00785512 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys
2012-11-18 08:59 - 2012-07-25 20:55 - 00054376 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys
2012-11-18 08:59 - 2012-07-25 18:36 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll
2012-11-18 08:28 - 2012-10-08 04:19 - 17811968 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-11-18 08:28 - 2012-10-08 03:42 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-11-18 08:28 - 2012-10-08 03:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-11-18 08:28 - 2012-10-08 03:24 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-11-18 08:28 - 2012-10-08 03:23 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-11-18 08:28 - 2012-10-08 03:22 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-11-18 08:28 - 2012-10-08 03:22 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-11-18 08:28 - 2012-10-08 03:20 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-11-18 08:28 - 2012-10-08 03:18 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-11-18 08:28 - 2012-10-08 03:17 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-11-18 08:28 - 2012-10-08 03:17 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-11-18 08:28 - 2012-10-08 03:15 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-11-18 08:28 - 2012-10-08 03:15 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-11-18 08:28 - 2012-10-08 03:13 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-11-18 08:28 - 2012-10-08 03:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-11-18 08:28 - 2012-10-08 03:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-11-18 08:28 - 2012-10-08 00:28 - 12320768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-11-18 08:28 - 2012-10-08 00:02 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-11-18 08:28 - 2012-10-07 23:56 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-11-18 08:28 - 2012-10-07 23:48 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-11-18 08:28 - 2012-10-07 23:48 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-11-18 08:28 - 2012-10-07 23:47 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-11-18 08:28 - 2012-10-07 23:46 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-11-18 08:28 - 2012-10-07 23:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-11-18 08:28 - 2012-10-07 23:44 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-11-18 08:28 - 2012-10-07 23:43 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-11-18 08:28 - 2012-10-07 23:43 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-11-18 08:28 - 2012-10-07 23:42 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-11-18 08:28 - 2012-10-07 23:41 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-11-18 08:28 - 2012-10-07 23:41 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-11-18 08:28 - 2012-10-07 23:40 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-11-18 08:28 - 2012-10-07 23:37 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-11-18 08:26 - 2012-07-25 19:08 - 00744448 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll
2012-11-18 08:26 - 2012-07-25 19:08 - 00229888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe
2012-11-18 08:26 - 2012-07-25 19:08 - 00194048 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll
2012-11-18 08:26 - 2012-07-25 19:08 - 00084992 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll
2012-11-18 08:26 - 2012-07-25 19:08 - 00045056 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll
2012-11-18 08:26 - 2012-07-25 18:26 - 00198656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys
2012-11-18 08:26 - 2012-07-25 18:26 - 00087040 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys
2012-11-18 08:26 - 2012-06-02 06:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
2012-11-14 19:27 - 2012-10-18 10:18 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-11-14 19:27 - 2012-09-25 14:39 - 00095744 ____A (Microsoft Corporation) C:\Windows\System32\synceng.dll
2012-11-14 19:27 - 2012-09-25 13:55 - 00078336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\synceng.dll
2012-11-12 18:21 - 2012-11-12 18:22 - 00274544 ____A C:\Windows\Minidump\111212-36473-01.dmp

==================== One Month Modified Files and Folders =======

2012-12-01 10:03 - 2012-08-03 18:51 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-12-01 10:03 - 2012-02-27 14:12 - 00000000 ____D C:\Users\Eric\AppData\Roaming\uTorrent
2012-12-01 10:03 - 2012-02-24 19:39 - 00000000 ____D C:\Program Files (x86)\Glary Utilities
2012-12-01 10:03 - 2012-01-04 06:20 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-12-01 10:03 - 2012-01-01 08:53 - 00000000 ____D C:\Users\All Users\HP
2012-12-01 10:03 - 2011-02-13 18:29 - 00000000 ____D C:\users\Eric
2012-12-01 10:02 - 2012-05-30 08:54 - 00000000 ____D C:\Users\All Users\Real
2012-12-01 10:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2012-12-01 10:01 - 2012-04-27 15:31 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-12-01 09:54 - 2012-11-30 20:43 - 00000000 ____D C:\Windows\Microsoft Antimalware
2012-11-30 21:25 - 2012-11-30 17:10 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-11-30 21:25 - 2012-11-30 17:09 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-11-30 21:07 - 2012-11-30 21:07 - 00000000 ____A C:\Windows\System32\config\SOFTWAREf217de32
2012-11-30 16:24 - 2010-11-22 15:38 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-11-30 16:23 - 2012-07-20 13:50 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-11-30 16:22 - 2011-01-10 03:41 - 02087583 ____A C:\Windows\WindowsUpdate.log
2012-11-29 19:31 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-29 19:31 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-29 19:16 - 2012-04-11 19:32 - 00021552 ____A C:\Windows\setupact.log
2012-11-29 19:16 - 2012-02-24 19:39 - 00000322 ____A C:\Windows\Tasks\GlaryInitialize.job
2012-11-29 19:16 - 2010-11-22 15:38 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-11-29 19:16 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-28 20:19 - 2009-07-13 21:13 - 00727310 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-28 20:15 - 2012-06-26 20:29 - 00000000 ____D C:\Users\Eric\moo
2012-11-26 07:06 - 2012-11-26 07:05 - 00000000 ____D C:\Users\Eric\Downloads\flo rida(wild ones iTunes Holiday edition)-atrilli.net
2012-11-25 04:27 - 2011-11-29 13:20 - 00000000 ____D C:\Users\Eric\AppData\Roaming\SoftGrid Client
2012-11-23 22:12 - 2012-11-23 21:08 - 00000000 ____D C:\Users\Eric\Downloads\Killa Kyleon x Cy Fyre - H-Town Heroes [Mixed By DJ Slimchances]
2012-11-23 22:00 - 2012-11-23 21:50 - 00000000 ____D C:\Users\Eric\Downloads\Cy Fyre - The Fyre Fyles Beat CD
2012-11-22 22:00 - 2012-11-23 21:07 - 00000000 ____D C:\Users\Eric\Downloads\DJ_Smallz-Yung_Nation-All_Freestyles_2
2012-11-22 19:31 - 2012-11-26 07:05 - 00000000 ____D C:\Users\Eric\Downloads\Fabolous-The_Soul_Tape_2-2012-atrilli.net
2012-11-21 08:12 - 2012-11-23 21:08 - 00000000 ____D C:\Users\Eric\Downloads\VA - Hustlegram the Mixtape (DatPiff.com)
2012-11-21 06:54 - 2012-11-23 21:08 - 00000000 ____D C:\Users\Eric\Downloads\Kid Ink - Rocketshipshawty (DatPiff.com)
2012-11-21 02:22 - 2012-11-24 22:12 - 00000000 ____D C:\Users\Eric\Downloads\Future - Superfuture The Prequel (Presented By Atrilli.net)
2012-11-20 22:00 - 2012-11-23 21:07 - 00000000 ____D C:\Users\Eric\Downloads\Traps-N-Trunks-Poke_Dog-Support_Our_Trap_2
2012-11-20 12:28 - 2012-11-23 21:07 - 00000000 ____D C:\Users\Eric\Downloads\Joe Budden - A Loose Quarter (DatPiff.com)
2012-11-19 18:02 - 2012-11-23 21:41 - 00000000 ____D C:\Users\Eric\Downloads\French Montana - Mac Cheese 3 (DatPiff.com)
2012-11-19 01:57 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2012-11-18 21:26 - 2011-02-13 18:35 - 00058400 ____A C:\Users\Eric\AppData\Local\GDIPFONTCACHEV1.DAT
2012-11-18 21:23 - 2009-07-13 20:45 - 00268856 ____A C:\Windows\System32\FNTCACHE.DAT
2012-11-15 04:24 - 2012-11-23 21:40 - 00000000 ____D C:\Users\Eric\Downloads\BoB - bleep Em We Ball (DatPiff.com)
2012-11-14 12:29 - 2012-11-23 21:41 - 00000000 ____D C:\Users\Eric\Downloads\Big Shane - Welcome 2 The Creole Gwop Pit (DatPiff.com)
2012-11-13 07:42 - 2012-11-26 07:05 - 00000000 ____D C:\Users\Eric\Downloads\Pitbull-Global_Warming_(Deluxe_Edition)-2012-atrilli.net
2012-11-12 18:22 - 2012-11-12 18:21 - 00274544 ____A C:\Windows\Minidump\111212-36473-01.dmp
2012-11-12 18:21 - 2012-11-04 18:38 - 278941936 ____A C:\Windows\MEMORY.DMP
2012-11-12 18:21 - 2011-02-15 20:11 - 00000000 ____D C:\Windows\Minidump


ZeroAccess:
C:\Windows\Installer\{e5573bf5-cc1e-6c27-dd1f-299d937dd8a4}
C:\Windows\Installer\{e5573bf5-cc1e-6c27-dd1f-299d937dd8a4}\L
C:\Windows\Installer\{e5573bf5-cc1e-6c27-dd1f-299d937dd8a4}\U
C:\Windows\Installer\{e5573bf5-cc1e-6c27-dd1f-299d937dd8a4}\U\80000064.@

ZeroAccess:
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{e5573bf5-cc1e-6c27-dd1f-299d937dd8a4}
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{e5573bf5-cc1e-6c27-dd1f-299d937dd8a4}\L
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{e5573bf5-cc1e-6c27-dd1f-299d937dd8a4}\U

ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-07 08:33:12
Restore point made on: 2012-11-13 21:11:04
Restore point made on: 2012-11-18 08:26:01
Restore point made on: 2012-11-19 01:01:35
Restore point made on: 2012-11-19 01:16:21
Restore point made on: 2012-11-20 19:30:50
Restore point made on: 2012-11-24 18:27:36
Restore point made on: 2012-11-25 04:19:43
Restore point made on: 2012-11-26 05:07:37
Restore point made on: 2012-11-27 01:04:01
Restore point made on: 2012-11-29 19:24:53
Restore point made on: 2012-11-30 16:24:45
Restore point made on: 2012-11-30 16:53:29

==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 2662.87 MB
Available physical RAM: 2177.23 MB
Total Pagefile: 2661.02 MB
Available Pagefile: 2152.91 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (TI106046W0D) (Fixed) (Total:286.11 GB) (Free:33.17 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.26 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive d: detected. Check for MBR/Partition infection.
4 Drive f: () (Removable) (Total:7.45 GB) (Free:4.85 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 7633 MB 0 B
Disk 2 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 286 GB 1501 MB
Partition 3 Primary 10 GB 287 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D System NTFS Partition 1500 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI106046W0D NTFS Partition 286 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7633 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT32 Removable 7633 MB Healthy

=========================================================

Last Boot: 2012-11-19 01:42

==================== End Of Log =============================


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:43 AM

Posted 07 December 2012 - 10:35 AM

Hello pecanguy830,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

HKLM\...\Run: [] [x]
HKLM-x32\...\Run: [] [x]
C:\Windows\Installer\{e5573bf5-cc1e-6c27-dd1f-299d937dd8a4}
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{e5573bf5-cc1e-6c27-dd1f-299d937dd8a4}
TDL4: custom:26000022 <===== ATTENTION!

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.



Things to include in your next reply:
Fixlog.txt
Will your machine boot now normally?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!
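
The fixlist fireman4it built above is nothing more than the scan log's own indicator lines taken verbatim. As an added illustration (not FRST's code and not from this thread), the Python script below walks an FRST scan log, pulls out those lines, and separates the ones that go straight into fixlist.txt (empty Run values, ZeroAccess folders, the TDL4 line) from the ones that need a human decision first (boot-sector, BCD and partition warnings). The sample log inside it is constructed from a few lines modelled on the log posted above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a handful of lines modelled on the FRST scan log posted
# above, not the full log. Raw string so the backslashes stay as written.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===================

HKLM\...\Run: [] [x]
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2010-04-28] ()
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2010-11-10] (Advanced Micro Devices, Inc.)

ZeroAccess:
C:\Windows\Installer\{e5573bf5-cc1e-6c27-dd1f-299d937dd8a4}
C:\Windows\Installer\{e5573bf5-cc1e-6c27-dd1f-299d937dd8a4}\L
C:\Windows\Installer\{e5573bf5-cc1e-6c27-dd1f-299d937dd8a4}\U
C:\Windows\Installer\{e5573bf5-cc1e-6c27-dd1f-299d937dd8a4}\U\80000064.@

ZeroAccess:
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{e5573bf5-cc1e-6c27-dd1f-299d937dd8a4}
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{e5573bf5-cc1e-6c27-dd1f-299d937dd8a4}\L

ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

ATTENTION: Malware custom entry on BCD on drive d: detected. Check for MBR/Partition infection.

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No
"""


@dataclass
class Finding:
    kind: str   # empty_run | zeroaccess_root | boot_warning | tdl4 | bcd_warning | suspicious_partition
    line: str   # the log line exactly as FRST printed it


# A Run value with an empty name and no file behind it ("[] [x]"): a hijacked
# default value. Matches HKLM, HKLM-x32 and HKU\<user> entries alike.
EMPTY_RUN = re.compile(r"^HK(?:LM|U)[^:]*\\Run: \[\] \[x\]$")

# Kinds that FRST can act on directly from fixlist.txt, as in this thread.
FIXABLE = ("empty_run", "zeroaccess_root", "tdl4")


def triage(log_text: str) -> List[Finding]:
    """Walk an FRST scan log once and collect the indicator lines a helper
    would act on, keeping each line verbatim so it can be reused in a fixlist."""
    findings: List[Finding] = []
    lines = log_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        if EMPTY_RUN.match(line):
            findings.append(Finding("empty_run", line))
        elif line == "ZeroAccess:":
            # Block of paths follows; the first one is the folder FRST moves,
            # the rest (\L, \U, ...) are inside it and go with it.
            i += 1
            root = lines[i].rstrip() if i < len(lines) else ""
            if root:
                findings.append(Finding("zeroaccess_root", root))
            while i < len(lines) and lines[i].strip():
                i += 1
        elif line.startswith("ATTENTION: ========> Check for possible partition/boot infection"):
            # The flagged file is printed on the next line
            i += 1
            target = lines[i].rstrip() if i < len(lines) else ""
            findings.append(Finding("boot_warning", target))
        elif line.startswith("TDL4:"):
            findings.append(Finding("tdl4", line))
        elif line.startswith("ATTENTION:"):
            findings.append(Finding("bcd_warning", line))
        elif "(Suspicious Type)" in line:
            findings.append(Finding("suspicious_partition", line))
        i += 1
    return findings


def build_fixlist(findings: List[Finding]) -> List[str]:
    """Lines for fixlist.txt in the form used in this thread. Boot-sector, BCD
    and partition warnings are deliberately left out: they need a human look."""
    seen, out = set(), []
    for f in findings:
        if f.kind in FIXABLE and f.line not in seen:
            seen.add(f.line)
            out.append(f.line)
    return out


def needs_manual_review(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.kind not in FIXABLE]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("fixlist.txt:")
    for entry in build_fixlist(found):
        print(entry)
    print("\nmanual review:")
    for f in needs_manual_review(found):
        print(f"{f.kind}: {f.line}")
```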


#3 pecanguy830

pecanguy830
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:43 AM

Posted 07 December 2012 - 07:08 PM

Computer booted fine after running frst64 with fixlist. Here is the fix log

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-12-2012
Ran by SYSTEM at 2012-12-07 18:00:07 Run:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
C:\Windows\Installer\{e5573bf5-cc1e-6c27-dd1f-299d937dd8a4} moved successfully.
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{e5573bf5-cc1e-6c27-dd1f-299d937dd8a4} moved successfully.

The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:43 AM

Posted 09 December 2012 - 11:47 AM

Glad to hear that the machine booted. Now we will run some very powerful tools to see if they find anything.

1.
Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double-click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?



#5 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:43 AM

Posted 11 December 2012 - 11:09 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it



#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:43 AM

Posted 14 December 2012 - 09:32 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
