Possible Vundo found by malwarebytes


  • This topic is locked
259 replies to this topic

#1 Fixing1

Fixing1

  • Members
  • 350 posts

Posted 15 January 2013 - 07:07 PM

I have downloaded CCLEANER and DDS. When I started my computer, it looks like it is stuck in Safe Mode (everything looks enlarged). I also received an error message "C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL". Help!

This is a Vista operating system

Edited by Fixing1, 15 January 2013 - 10:00 PM.



#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,386 posts
  • Gender:Male
  • Location:California

Posted 20 January 2013 - 03:42 PM

Hi James,

Welcome back! I think you know the drill already. :)

Are you able to Press F8 and boot into Safe Mode?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Fixing1

Fixing1
  • Topic Starter

  • Members
  • 350 posts

Posted 20 January 2013 - 03:46 PM

No.....it won't let me do that. I also received a brief error message, and I just caught the number 0x0000042, but I don't know how many zeros were in the message; it just flashed up and was gone.

Oh and good to have you aboard on this :thumbsup:

#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,386 posts
  • Gender:Male
  • Location:California

Posted 20 January 2013 - 04:22 PM

Nice to be working with you again.

Let's do this.


===================================================


Farbar's Recovery Scan Tool

--------------------

For this step you will need a USB flash drive and start on a clean computer.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC and we will enter the System Recovery Options in one of the two following ways:

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Once you are in the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in Notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select Computer and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • FRST.txt

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 Fixing1

Fixing1
  • Topic Starter

  • Members
  • 350 posts

Posted 20 January 2013 - 04:43 PM

I'll give this a try, but I never see the BIOS on startup. There is another way to get into Safe Mode; I just can't find the resource right now. It also takes over 10 minutes for this computer to shut down. Do you still want me to try this process once it has shut off?

#6 Fixing1

Fixing1
  • Topic Starter

  • Members
  • 350 posts

Posted 20 January 2013 - 05:21 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-01-2013
Ran by SYSTEM at 20-01-2013 17:17:50
Running from F:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-18] (Microsoft Corporation)
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [815104 2006-11-17] (Synaptics, Inc.)
HKLM\...\Run: [VolPanel] "C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" /r [180224 2006-11-27] (Creative Technology Ltd)
HKLM\...\Run: [UpdReg] C:\Windows\UpdReg.EXE [90112 2000-05-10] (Creative Technology Ltd.)
HKLM\...\Run: [] [x]
HKLM\...\Run: [DLCGCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16 [73728 2006-10-20] ()
HKLM\...\Run: [dlcgmon.exe] "C:\Program Files\Dell AIO 810\dlcgmon.exe" [430984 2006-12-07] (Dell)
HKLM\...\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s [312200 2006-11-03] ()
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [282624 2007-04-27] (Apple Inc.)
HKLM\...\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" [398728 2008-01-29] (Symantec Corporation)
HKLM\...\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [185896 2007-12-04] (RealNetworks, Inc.)
HKLM\...\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [221184 2006-11-05] (Sonic Solutions)
HKLM\...\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe" [184320 2006-10-13] (CyberLink Corp.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [257088 2007-06-01] (Apple Inc.)
HKLM\...\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start [81920 2006-10-03] (Macrovision Corporation)
HKLM\...\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup [221184 2006-10-03] (Macrovision Corporation)
HKLM\...\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\PhotoDownloader.exe [x]
HKLM\...\Run: [BigDog303] C:\Windows\VM303_STI.EXE VIMICRO USB PC Camera (VC0303) [61440 2006-01-24] (Vimicro)
HKLM\...\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [63712 2007-03-09] (Adobe Systems Incorporated)
HKLM\...\Run: [RogersServicepointAgent.exe] "C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe" /AUTORUN [3228912 2009-02-27] (Rogers)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM\...\Run: [SigmatelSysTrayApp] sttray.exe [x]
HKU\Default\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [446976 2006-11-11] (Gteko Ltd.)
HKU\Default User\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [446976 2006-11-11] (Gteko Ltd.)
HKU\Jay\...\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background [131072 2006-02-27] (Rogers Cable Communications Inc. )
HKU\Jay\...\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe [171448 2007-12-04] (Google Inc.)
HKU\Jay\...\Run: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe [x]
HKU\Jay\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
HKU\Jay\...\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe [x]
HKU\Jay\...\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet [4670968 2007-06-11] (Yahoo! Inc.)
HKU\Jay\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [3883856 2009-07-26] (Microsoft Corporation)
HKU\Jay\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
HKU\Jay\...\Winlogon: [Shell] explorer.exe [x]
HKU\Test\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [446976 2006-11-11] (Gteko Ltd.)
HKU\Test\...\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe [171448 2007-12-04] (Google Inc.)
HKU\Test\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
HKU\Test\...\Run: [Facebook Update] "C:\Users\Test\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-08-17] (Facebook Inc.)
HKU\Test\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll [X]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{A98324B6-8782-4354-B255-DD6B7045C02A}: [NameServer]192.168.0.2
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickSet.lnk
ShortcutTarget: QuickSet.lnk -> C:\Windows\Installer\{53A01CC6-14B0-4512-A2E7-10D39BF83DC4}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe (InstallShield Software Corp.)
Startup: C:\Users\Jay\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ===================

4 AOL ACS; "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" [46640 2006-10-23] (AOL LLC)
2 Creative Labs Licensing Service; "C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe" [72704 2007-04-15] (Creative Labs)
2 Creative Service for CDROM Access; C:\Windows\system32\CTsvcCDA.exe [44032 2006-12-19] (Creative Technology Ltd)
2 dlcg_device; C:\Windows\system32\dlcgcoms.exe -service [537480 2006-12-07] ( )
3 DSBrokerService; "C:\Program Files\DellSupport\brkrsvc.exe" [70656 2006-11-07] ()
2 HWDeviceService.exe; C:\ProgramData\DatacardService\HWDeviceService.exe -/service [264704 2010-11-16] ()
2 LiveUpdate Notice Service; "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll" [537992 2008-04-10] (Symantec Corporation)
2 Mobilicity Connect. RunOuc; C:\Program Files\Mobilicity Connect\UpdateDog\ouc.exe [218624 2012-11-19] ()
3 MozillaMaintenance; "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [113120 2012-08-20] (Mozilla Foundation)
2 PDAgent; "C:\Program Files\Raxco\PerfectDisk\PDAgent.exe" [414984 2008-04-28] (Raxco Software, Inc.)
3 PDEngine; "C:\Program Files\Raxco\PerfectDisk\PDEngine.exe" [738568 2008-04-28] (Raxco Software, Inc.)
3 Radialpoint Security Services; "C:\Program Files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe" [111312 2009-09-01] (Radialpoint Inc.)
2 RP_FWS; C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe [363248 2009-02-27] (Rogers)
3 Symantec Core LC; "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" [1174664 2007-08-18] (Symantec Corporation)
2 LiveUpdate Notice Ex; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]
2 MSSQL$MSSMLBIZ; "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [x]
4 MSSQLServerADHelper; "c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [x]
2 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]

==================== Drivers (Whitelisted) ====================

0 DefragFS; C:\Windows\System32\Drivers\DefragFS.sys [71184 2008-04-25] (Raxco Software, Inc.)
2 dsunidrv; \??\C:\Program Files\DellSupport\Drivers\dsunidrv.sys [7424 2006-08-17] (Gteko Ltd.)
1 kl1; C:\Windows\System32\DRIVERS\kl1.sys [112144 2008-06-26] (Kaspersky Lab)
1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [147984 2008-06-26] (Kaspersky Lab)
3 MR97310_USB_DUAL_CAMERA; C:\Windows\System32\DRIVERS\mr97310c.sys [130309 2002-09-09] (DUCam Technology Inc.)
3 RPPKT; C:\Windows\System32\DRIVERS\rp_pkt32.sys [48384 2007-04-19] (Radialpoint, Inc.)
2 RPSKT; C:\Windows\System32\DRIVERS\rp_skt32.sys [53192 2008-04-24] (Radialpoint Inc.)
3 SAMFILT; C:\Windows\System32\drivers\samfilt.sys [34688 2006-02-10] (Dolphin, Inc.)
1 StarOpen; C:\Windows\System32\Drivers\StarOpen.sys [5632 2007-02-20] ()
3 STHDA; C:\Windows\System32\drivers\stwrt.sys [647680 2007-02-07] (SigmaTel, Inc.)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [124464 2009-01-08] (Symantec Corporation)
3 TrueSight; \??\C:\Windows\system32\drivers\TrueSight.sys [14080 2012-10-22] ()
3 wanatw; C:\Windows\System32\DRIVERS\wanatw4.sys [33588 2006-11-01] (America Online, Inc.)
3 ZSMC303; C:\Windows\System32\Drivers\usbVM303.sys [391300 2006-02-22] (Vimicro Corporation)
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 EraserUtilDrv10710; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-01-20 17:17 - 2013-01-20 17:17 - 00000000 ____D C:\FRST
2013-01-15 15:47 - 2013-01-15 15:47 - 00000000 ____D C:\Users\Test\AppData\Local\AOL
2013-01-14 18:38 - 2013-01-14 18:38 - 00006723 ____A C:\Users\Jay\Desktop\attach.txt
2013-01-14 18:38 - 2013-01-14 18:37 - 00018825 ____A C:\Users\Jay\Desktop\dds.txt
2013-01-09 08:11 - 2012-11-19 20:22 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt(340).dll
2013-01-09 08:01 - 2012-11-21 19:54 - 00353280 ____A (Microsoft Corporation) C:\Windows\System32\shlwapi(344).dll
2013-01-09 08:00 - 2012-11-02 02:19 - 01400832 ____A (Microsoft Corporation) C:\Windows\System32\msxml6(339).dll
2013-01-06 22:26 - 2013-01-08 21:53 - 00000000 ___AD C:\Users\Test\Desktop\Resumes
2013-01-04 12:23 - 2013-01-04 12:23 - 00000150 ____A C:\Users\Test\Desktop\Being True to yourself.txt
2013-01-04 12:22 - 2013-01-04 12:22 - 00000273 ____A C:\Users\Test\Desktop\Collections complaints.txt
2013-01-04 11:52 - 2013-01-04 11:53 - 00000000 ___AD C:\Users\Test\Desktop\Another idea 2
2012-12-31 08:23 - 2012-12-31 08:24 - 00000000 ___AD C:\Users\Test\Desktop\Irrisitible firing
2012-12-29 20:45 - 2012-12-29 20:45 - 00000000 ___AD C:\Users\Test\Desktop\Johnathen Spafford
2012-12-25 00:29 - 2013-01-07 23:33 - 00000358 ____A C:\Windows\Tasks\ReclaimerUpdateXML_Jay.job
2012-12-25 00:29 - 2013-01-07 23:30 - 00000362 ____A C:\Windows\Tasks\ReclaimerUpdateFiles_Jay.job
2012-12-24 23:14 - 2012-12-25 10:39 - 00025122 ____A C:\Users\Jay\Desktop\Nmc_2012-12-25_02-14-27.log
2012-12-24 21:43 - 2012-12-24 22:58 - 233438576 ____A (Norman AS) C:\Users\Jay\Downloads\Norman_Malware_Cleaner(1).exe
2012-12-23 22:07 - 2012-12-23 22:07 - 00896016 ____A (Oracle Corporation) C:\Users\Test\Downloads\chromeinstall-7u10.exe
2012-12-23 15:18 - 2012-12-24 19:27 - 00000000 ___AD C:\Users\Test\Desktop\1 Apple
2012-12-21 21:15 - 2012-11-13 18:48 - 12320256 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-12-21 21:15 - 2012-11-13 18:14 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-12-21 21:15 - 2012-11-13 18:09 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-12-21 21:15 - 2012-11-13 17:58 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-12-21 21:15 - 2012-11-13 17:57 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-12-21 21:15 - 2012-11-13 17:57 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-12-21 21:15 - 2012-11-13 17:55 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-12-21 21:15 - 2012-11-13 17:51 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-12-21 21:15 - 2012-11-13 17:49 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-12-21 21:15 - 2012-11-13 17:49 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-12-21 21:15 - 2012-11-13 17:48 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-12-21 21:15 - 2012-11-13 17:47 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-12-21 21:15 - 2012-11-13 17:46 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-12-21 21:15 - 2012-11-13 17:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-12-21 21:15 - 2012-11-13 17:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-12-21 21:15 - 2012-11-13 17:41 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-12-21 21:10 - 2012-06-02 06:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
2012-12-21 21:10 - 2012-06-02 06:34 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
2012-12-21 21:09 - 2012-07-25 18:46 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll
2012-12-21 21:08 - 2012-07-25 19:39 - 00526952 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys
2012-12-21 21:08 - 2012-07-25 19:39 - 00047720 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys
2012-12-21 21:08 - 2012-07-25 19:21 - 00196608 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe
2012-12-21 21:08 - 2012-07-25 19:20 - 00613888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll
2012-12-21 21:08 - 2012-07-25 19:20 - 00172032 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll
2012-12-21 21:08 - 2012-07-25 19:20 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll
2012-12-21 21:08 - 2012-07-25 19:20 - 00038912 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll
2012-12-21 21:08 - 2012-07-25 18:33 - 00066560 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys
2012-12-21 21:08 - 2012-07-25 18:32 - 00155136 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys
2012-12-21 21:08 - 2009-07-14 04:12 - 00016896 ____A (Microsoft Corporation) C:\Windows\System32\winusb.dll
2012-12-21 21:01 - 2012-12-16 05:12 - 00034304 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-21 21:01 - 2012-12-16 02:50 - 00293376 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll

==================== One Month Modified Files and Folders ========

2013-01-20 13:42 - 2009-05-16 14:48 - 649036064 ____A C:\Windows\System32\Drivers\fidbox.idx
2013-01-20 13:42 - 2009-05-16 14:48 - 4294967208 ____A C:\Windows\System32\Drivers\fidbox.dat
2013-01-20 13:27 - 2006-11-02 04:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-01-20 13:27 - 2006-11-02 04:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-01-20 13:26 - 2007-04-15 15:47 - 01075245 ____A C:\Windows\WindowsUpdate.log
2013-01-20 13:26 - 2006-11-02 05:01 - 00032546 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-01-20 13:26 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-20 13:16 - 2011-12-29 14:14 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-01-20 13:06 - 2012-08-21 09:44 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-01-20 12:58 - 2007-04-28 16:10 - 00000436 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2013-01-15 20:23 - 2011-01-29 16:37 - 00000000 ____D C:\Users\Jay\AppData\Roaming\Dropbox
2013-01-15 20:22 - 2011-01-29 16:42 - 00000000 ___RD C:\Users\Jay\Dropbox
2013-01-15 20:21 - 2009-12-25 10:07 - 00000000 ____D C:\Users\Jay\Tracing
2013-01-15 20:21 - 2007-05-12 20:06 - 00001356 ____A C:\Users\Jay\AppData\Local\d3d9caps.dat
2013-01-15 20:21 - 2007-04-15 16:23 - 00000000 ____D C:\MDT
2013-01-15 20:16 - 2011-12-29 14:14 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-15 20:08 - 2006-11-02 02:22 - 51118080 ____A C:\Windows\System32\config\software_previous
2013-01-15 20:08 - 2006-11-02 02:22 - 42205184 ____A C:\Windows\System32\config\components_previous
2013-01-15 20:08 - 2006-11-02 02:22 - 22544384 ____A C:\Windows\System32\config\system_previous
2013-01-15 20:08 - 2006-11-02 02:22 - 00524288 ____A C:\Windows\System32\config\default_previous
2013-01-15 20:08 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\security_previous
2013-01-15 20:08 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
2013-01-15 19:53 - 2008-03-05 15:15 - 00000000 ____D C:\users\Test
2013-01-15 19:53 - 2008-03-05 14:38 - 00000000 ____D C:\Windows\pss
2013-01-15 19:53 - 2007-06-27 22:50 - 00000000 ____D C:\Windows\Minidump
2013-01-15 19:53 - 2007-04-23 15:21 - 00000000 ____D C:\users\Jay
2013-01-15 19:53 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\spool
2013-01-15 19:53 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\Msdtc
2013-01-15 19:52 - 2011-11-13 21:08 - 00000000 ____D C:\Users\Test\AppData\Local\MediaDirect
2013-01-15 19:52 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\registration
2013-01-15 16:02 - 2007-12-04 15:40 - 00000000 ____D C:\Users\All Users\Google
2013-01-15 16:02 - 2007-12-04 15:40 - 00000000 ____D C:\Program Files\Google
2013-01-15 15:49 - 2008-07-28 19:51 - 00000680 ____A C:\Users\Test\AppData\Local\d3d9caps.dat
2013-01-15 15:47 - 2013-01-15 15:47 - 00000000 ____D C:\Users\Test\AppData\Local\AOL
2013-01-14 18:38 - 2013-01-14 18:38 - 00006723 ____A C:\Users\Jay\Desktop\attach.txt
2013-01-14 18:37 - 2013-01-14 18:38 - 00018825 ____A C:\Users\Jay\Desktop\dds.txt
2013-01-14 18:03 - 2006-11-10 05:22 - 00000000 ____D C:\Windows\Panther
2013-01-10 06:43 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-01-09 20:48 - 2011-12-08 12:44 - 00000924 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2228953216-2475306572-2080351113-1003UA.job
2013-01-09 20:45 - 2007-05-26 16:04 - 00000000 ____D C:\Program Files\Common Files\Adobe
2013-01-09 20:37 - 2012-10-14 19:37 - 00000506 ____A C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 24dd49bd-76fb-4ea5-bc48-1cb97986041c.job
2013-01-09 20:01 - 2012-08-21 09:44 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-01-09 20:01 - 2011-12-29 15:12 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-01-09 19:58 - 2011-12-08 12:44 - 00000902 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2228953216-2475306572-2080351113-1003Core.job
2013-01-08 22:11 - 2009-05-16 14:48 - 517073792 ____A C:\Windows\System32\Drivers\fidbox(400).idx
2013-01-08 22:11 - 2009-05-16 14:48 - 4294967208 ____A C:\Windows\System32\Drivers\fidbox(399).dat
2013-01-08 21:53 - 2013-01-06 22:26 - 00000000 ___AD C:\Users\Test\Desktop\Resumes
2013-01-07 23:33 - 2012-12-25 00:29 - 00000358 ____A C:\Windows\Tasks\ReclaimerUpdateXML_Jay.job
2013-01-07 23:30 - 2012-12-25 00:29 - 00000362 ____A C:\Windows\Tasks\ReclaimerUpdateFiles_Jay.job
2013-01-07 23:00 - 2012-10-14 19:37 - 00000506 ____A C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 9f0ba42d-3003-4aed-b883-5e635872bfac.job
2013-01-04 18:58 - 2012-12-20 20:50 - 00000000 ____D C:\Users\Test\AppData\Local\CrashDumps
2013-01-04 17:00 - 2007-04-27 07:08 - 00000484 ____A C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Jay.job
2013-01-04 12:23 - 2013-01-04 12:23 - 00000150 ____A C:\Users\Test\Desktop\Being True to yourself.txt
2013-01-04 12:22 - 2013-01-04 12:22 - 00000273 ____A C:\Users\Test\Desktop\Collections complaints.txt
2013-01-04 11:53 - 2013-01-04 11:52 - 00000000 ___AD C:\Users\Test\Desktop\Another idea 2
2012-12-31 08:24 - 2012-12-31 08:23 - 00000000 ___AD C:\Users\Test\Desktop\Irrisitible firing
2012-12-29 22:00 - 2006-11-02 04:37 - 00000000 ___RD C:\Users\Public\Recorded TV
2012-12-29 20:45 - 2012-12-29 20:45 - 00000000 ___AD C:\Users\Test\Desktop\Johnathen Spafford
2012-12-26 22:19 - 2007-06-14 11:09 - 00000000 ____D C:\Users\Jay\AppData\Local\Powercinema
2012-12-25 10:39 - 2012-12-24 23:14 - 00025122 ____A C:\Users\Jay\Desktop\Nmc_2012-12-25_02-14-27.log
2012-12-24 22:58 - 2012-12-24 21:43 - 233438576 ____A (Norman AS) C:\Users\Jay\Downloads\Norman_Malware_Cleaner(1).exe
2012-12-24 21:46 - 2008-03-05 15:09 - 00000000 ____D C:\Program Files\Mozilla Firefox
2012-12-24 21:14 - 2007-09-29 17:22 - 00000000 ____D C:\Program Files\Dl_cats
2012-12-24 19:27 - 2012-12-23 15:18 - 00000000 ___AD C:\Users\Test\Desktop\1 Apple
2012-12-23 22:07 - 2012-12-23 22:07 - 00896016 ____A (Oracle Corporation) C:\Users\Test\Downloads\chromeinstall-7u10.exe
2012-12-23 21:09 - 2006-11-02 02:33 - 00789322 ____A C:\Windows\System32\PerfStringBackup.INI
2012-12-21 22:08 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\rescache
2012-12-21 21:32 - 2006-11-02 04:47 - 00423184 ____A C:\Windows\System32\FNTCACHE.DAT
2012-12-21 21:03 - 2006-11-02 02:24 - 65087872 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2012-12-20 21:36] - [2012-08-21 03:47] - 0224640 ____A (Microsoft Corporation) 786DB5771F05EF300390399F626BF30A


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-01-07 23:36:08
Restore point made on: 2013-01-09 21:02:00
Restore point made on: 2013-01-11 09:01:28
Restore point made on: 2013-01-15 07:21:55
Restore point made on: 2013-01-15 19:14:37
Restore point made on: 2013-01-20 13:11:32

==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 2037.82 MB
Available physical RAM: 1774.5 MB
Total Pagefile: 1969.46 MB
Available Pagefile: 1841.77 MB
Total Virtual: 2047.88 MB
Available Virtual: 1975.71 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:99.74 GB) (Free:3.99 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (BATMAN_THE_DARK_KNIGHT) (CDROM) (Total:3.54 GB) (Free:0 GB) UDF
3 Drive e: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
4 Drive f: (CRUZER) (Removable) (Total:1.86 GB) (Free:1.8 GB) FAT
5 Drive x: (RECOVERY) (Fixed) (Total:10 GB) (Free:5.36 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 112 GB 1024 KB
Disk 1 Online 1912 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 47 MB 32 KB
Partition 2 Primary 10 GB 48 MB
Partition 3 Primary 100 GB 10 GB
Partition 0 Extended 2048 MB 110 GB
Partition 4 Logical 2047 MB 110 GB

=========================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 FAT Partition 47 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 X RECOVERY NTFS Partition 10 GB Healthy Boot

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 C OS NTFS Partition 100 GB Healthy

=========================================================

Disk: 0
Partition 4
Type : DD
Hidden: Yes
Active: No

There is no volume associated with this partition.

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1908 MB 65 KB

=========================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 F CRUZER FAT Removable 1908 MB Healthy

=========================================================

Last Boot: 2013-01-20 13:43

==================== End Of Log ============================

My computer is still stuck in this mode too...just to let you know.
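Reading the "Registry (Whitelisted)" section of an FRST log by eye is slow once it runs to dozens of lines. As an added example (not part of this thread, and not FRST's own code), here is a small Python triage script that parses lines in the `HKLM\...\Run: [name] command [size date] (publisher)` format the log above uses and flags what a responder looks at first: entries whose file FRST could not find (`[x]`), entries with an empty value name, binaries with no publisher in their version info, 8.3 short paths such as the `C:\PROGRA~1\...` path in the first post, commands living under a user-writable profile folder, and a per-user Winlogon `Shell` value. The sample lines are copied from the log; the flag names and the heuristics behind them are my own and are assumptions about what is worth a second look, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: autorun lines in the format FRST prints, copied from the
# "Registry (Whitelisted)" section of the log posted above. The last line is a
# non-autorun line included to show that the parser skips what it does not know.
SAMPLE_LINES = [
    r"HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-18] (Microsoft Corporation)",
    r"HKLM\...\Run: [] [x]",
    r"HKLM\...\Run: [DLCGCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16 [73728 2006-10-20] ()",
    r"HKLM\...\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup [221184 2006-10-03] (Macrovision Corporation)",
    r"HKLM\...\Run: [SigmatelSysTrayApp] sttray.exe [x]",
    r"HKU\Jay\...\Run: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe [x]",
    r"HKU\Jay\...\Winlogon: [Shell] explorer.exe [x]",
    r'HKU\Test\...\Run: [Facebook Update] "C:\Users\Test\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-08-17] (Facebook Inc.)',
    r"Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1",
]

# hive\...\key: [value name] command [size date] (publisher)   -- or --   ... [x]
ENTRY_RE = re.compile(
    r"^(?P<hive>HK[^:]*?)\\\.\.\.\\(?P<key>[A-Za-z]+): \[(?P<name>[^\]]*)\]\s*(?P<rest>.*)$"
)
META_RE = re.compile(r"\s*\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<vendor>[^)]*)\)$")


@dataclass
class AutorunEntry:
    hive: str
    key: str
    name: str
    command: str
    vendor: Optional[str]      # None when FRST printed [x]: the file was not found on disk
    missing: bool
    flags: List[str] = field(default_factory=list)


def triage_flags(e: AutorunEntry) -> List[str]:
    """Heuristics a responder applies when eyeballing the Run keys (my own list, not FRST's)."""
    flags = []
    if e.missing:
        flags.append("file-not-found")          # stale leftover, or a payload that was already removed
    if not e.name:
        flags.append("empty-value-name")        # legitimate installers almost always name their value
    if e.vendor == "":
        flags.append("no-publisher")            # binary carries no company name in its version info
    if "~" in e.command:
        flags.append("short-8.3-path")          # e.g. C:\PROGRA~1\..., as in the error in the first post
    if re.search(r"\\appdata\\|\\temp\\|\\users\\[^\\]+\\downloads\\", e.command, re.I):
        flags.append("user-writable-location")  # runs from a folder any user process can write to
    if e.key.lower() == "winlogon" and e.name.lower() == "shell":
        if e.hive.upper().startswith("HKU"):
            flags.append("per-user-winlogon-shell")   # Shell normally lives only under HKLM
        if e.command.strip('"').lower() != "explorer.exe":
            flags.append("winlogon-shell-not-explorer")
    return flags


def parse_entry(line: str) -> Optional[AutorunEntry]:
    """Parse one FRST registry line; return None for lines in another format."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    rest = m["rest"]
    if rest.endswith("[x]"):
        entry = AutorunEntry(m["hive"], m["key"], m["name"], rest[:-3].strip(), None, True)
    else:
        meta = META_RE.search(rest)
        if meta is None:
            return None
        entry = AutorunEntry(m["hive"], m["key"], m["name"], rest[:meta.start()].strip(),
                             meta["vendor"].strip(), False)
    entry.flags = triage_flags(entry)
    return entry


def triage(lines) -> List[AutorunEntry]:
    """Parse every recognised line, keeping the log's order; each entry carries its flags."""
    return [e for e in (parse_entry(l) for l in lines) if e is not None]


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        mark = "!!" if e.flags else "  "
        print(f"{mark} {e.hive}\\{e.key} [{e.name or '<empty>'}] {e.command or '<none>'}"
              f"  vendor={e.vendor!r} flags={','.join(e.flags) or '-'}")
```

A flag is a prompt to look, not a verdict: the `ISUSPM Startup` entry is signed Macrovision software that merely uses a short path, while the unnamed `[] [x]` entry and the per-user `Winlogon\Shell` value are the kind of thing a helper asks about first. Point `triage()` at the lines of a real FRST.txt (e.g. `open("FRST.txt", encoding="utf-8", errors="replace")`) to run it on a full log.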

#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,386 posts
  • Gender:Male
  • Location:California

Posted 20 January 2013 - 06:00 PM

Hi James,

Thanks for the information. We need a deeper look. You may still have this program.


===================================================


xPUD MBR Dump and Driver Scan using USB

--------------------

Try this please. You will need a USB drive with no less than 64 MB of space.

  • Insert your USB drive. Caution: The next step will remove all information from your USB device.
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Download xPUD 0.9.2 iso, saving the file to your Desktop.
  • Download UNetbootin and save it to your Desktop as well.
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded.
  • Press Run then OK. Note: If you receive the message "You must select a distribution to load" just follow the instructions/image below
  • Select the Diskimage Option then click the Browse Button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?) If it is not there remove the USB device for 5 seconds then reinsert.
  • Confirm that you see driver.sh that you downloaded there
  • Click Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh and press Enter
  • After it has finished a report will be located on your USB device named report.txt
  • Type Exit and press Enter
  • Now please type the following and press Enter. Make sure there is a space between the different colors.

    dd if=/dev/sda of=mbr.zip bs=512 count=1
  • After it has finished (within just a few seconds) a file will be located on your USB drive named mbr.bin.
  • Remove the USB drive, insert it back in your working computer
  • Please zip and attach report.txt to your reply
  • Please attach mbr.zip to your reply

===================================================


Things I would like to see in your next reply.

  • report.zip
  • mbr.zip

Gary

#8 Fixing1 (Topic Starter)

Posted 20 January 2013 - 08:57 PM

When I get past the introduction it says Loading/boot/xpud................................................................ could not find ramdisk image: /opt/media
boot:


What do I do now?

#9 Oh My! (Malware Response Instructor)

Posted 20 January 2013 - 09:17 PM

Greetings,

See if this makes any difference.


Download driver.opt and save it to your desktop.

Copy and paste the driver.opt file from your desktop into the opt folder on your USB device then try the instructions again.
Gary

#10 Fixing1 (Topic Starter)

Posted 20 January 2013 - 09:56 PM

In the opt folder it is saying that the media file and the scim file are 0 KB. Is that normal?

#11 Fixing1 (Topic Starter)

Posted 20 January 2013 - 09:59 PM

I tried it again and it gave me the same error (post 8) as before.

#12 Oh My! (Malware Response Instructor)

Posted 20 January 2013 - 10:15 PM

Hi James,

Let's try it with a different program. We will start with the MBR.


===================================================


Ubuntu Installer MBR Report

--------------

  • Please follow the Ubuntu Windows Installer instructions in order to run this program on your computer
  • Boot your machine into Ubuntu
  • When the Ubuntu desktop appears click the top icon in the left panel
  • Type terminal in the search box
  • Click on the first Terminal icon that is displayed which will open a window with a command prompt window
  • Type the following and press Enter. Make sure there is a space between the different colors.

    sudo dd if=/dev/sda of=mbr.txt bs=512 count=1
  • Open Home Folder (on left column, third icon down)
  • Right click on mbr.txt and select copy
  • Select File System from the left side of the Home Folder
  • Double click on the host folder
  • Right click on the right hand side and select paste
  • Reboot your machine into Windows
  • Attach c:\mbr.txt to your next reply

===================================================


Things I would like to see in your next reply.

  • mbr.txt

Gary
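Both the xPUD and the Ubuntu steps above end with the same artifact: the first 512-byte sector of /dev/sda copied out with dd. The Python below is an added example, not part of this thread or of Gary's tools, showing how an analyst decodes that sector offline and sanity-checks the partition table and boot signature before trusting it; the sample sector it builds is constructed to resemble the diskpart listing earlier in the thread (one FAT, two NTFS, one type DD entry) and is not the poster's real dump.

```python
import hashlib
import struct

# Partition type bytes that appear in the diskpart listing quoted in this thread.
TYPE_NAMES = {0x06: "FAT16", 0x07: "NTFS/exFAT", 0xDD: "hidden (0xDD)"}

def parse_mbr(mbr: bytes) -> dict:
    """Decode a 512-byte MBR sector (what `dd if=/dev/sda bs=512 count=1` writes)."""
    if len(mbr) != 512:
        raise ValueError("MBR dump must be exactly 512 bytes")
    entries = []
    for i in range(4):  # four 16-byte slots starting at offset 446
        raw = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        if ptype == 0:
            continue  # empty slot
        entries.append({"index": i + 1, "status": status, "active": status == 0x80,
                        "type": ptype, "name": TYPE_NAMES.get(ptype, "unknown"),
                        "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": mbr[510:512] == b"\x55\xaa",
            # hash of the boot code only, so it can be compared with a known-good MBR
            "bootcode_sha256": hashlib.sha256(mbr[:446]).hexdigest(),
            "partitions": entries}

def sanity_warnings(info: dict) -> list:
    """Return the things an analyst would want to look at before trusting this MBR."""
    warnings = []
    if not info["signature_ok"]:
        warnings.append("missing 0x55AA boot signature")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        warnings.append(f"{len(active)} active partitions (expected 1)")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            warnings.append(f"partition {p['index']}: invalid status byte {p['status']:#04x}")
        if p["type"] == 0xDD:
            warnings.append(f"partition {p['index']}: type 0xDD is hidden, review manually")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                   for p in info["partitions"])
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:  # extents must not overlap
            warnings.append(f"partitions {i1} and {i2} overlap")
    return warnings

def build_sample_mbr() -> bytes:
    """Constructed sample, not a real dump: sizes mirror the diskpart listing (47 MB, 10 GB, 100 GB)."""
    table = b"".join(struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", start, count)
                     for status, ptype, start, count in
                     [(0x00, 0x06, 2048, 96256), (0x00, 0x07, 98304, 20971520),
                      (0x80, 0x07, 21069824, 209715200), (0x00, 0xDD, 230785024, 2048)])
    return b"\x00" * 446 + table + b"\x55\xaa"
```

To analyse a real dump, replace `build_sample_mbr()` with `open("mbr.bin", "rb").read()` and compare `bootcode_sha256` against the same sector from a known-clean machine of the same make.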

#13 Fixing1 (Topic Starter)

Posted 20 January 2013 - 10:19 PM

Sorry, I wanted to be sure: should I do this step on the sick computer, or should I download this to the USB?

#14 Oh My! (Malware Response Instructor)

Posted 20 January 2013 - 10:32 PM

Sorry, poor instructions. All on your sick computer.
Gary

#15 Fixing1 (Topic Starter)

Posted 20 January 2013 - 10:45 PM

Good thing I started 25 minutes ago.... I'm trying to load the page; everything is going extremely slow.... not sure why.