
trojan.zeroaccess in desktop.ini/GAC_32 blue screen


49 replies to this topic

#1 aneaccount

Posted 10 March 2013 - 12:58 PM

Ok, I have been fighting this stupid thing with no success. I have Spyware Doctor and it finds and removes the virus fine, but upon restart I get the blue screen of death and have to do a system restore, which of course puts the dumb thing back.

 

I have uploaded an image that gives location.

Any help will be most appreciated.

Thanks,

Steve

Attached File: virus location.png (55.41 KB)





#2 SweetTech

Posted 10 March 2013 - 01:26 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:
  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue!
  • Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    • Because of this, you must reply within 3 days; failure to reply will result in the topic being closed!
  • I like chocolate chip cookies.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system or even taking your computer into a repair shop.
    • Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data and have means of backing up your data available.
  • ____________________________________________________

    It appears you're infected with an infection known as ZeroAccess.

    ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:
  • NEXT:


    Farbar Service Scanner

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
    NEXT:


    Running OTL

    We need to create a New FULL OTL Report
    • Please download OTL from here if you have not done so already:
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Click the "Scan All Users" checkbox.
    • Change the "Extra Registry" option to "SafeList"
    • Copy and Paste the following code into the Custom Scans/Fixes textbox.
      msconfig
      safebootminimal
      activex
      drivers32
      netsvcs
      CreateRestorePoint
      "%WinDir%\$NtUninstallKB*$." /30
      C:\Program Files\Common Files\ComObjects\*.* /s
      %systemroot%\*. /mp /s
      %systemroot%\*. /rp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
      %systemroot%\system32\drivers\*.sys /90
      %SYSTEMDRIVE%\*.exe
      %systemdrive%\$Recycle.Bin|@;true;true;true /fp 
      /md5start
      volsnap.sys
      atapi.sys
      explorer.exe
      winlogon.exe
      wininit.exe
      svchost.exe
      tdx.sys
      afd.sys
      netbt.sys
      services.exe
      /md5stop
      hklm\software\clients\startmenuinternet|command /rs
      hklm\software\clients\startmenuinternet|command /64 /rs
      HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
      
    • Push the Run Scan button.
    • Two reports will open, copy and paste them in a reply here:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    NEXT:



    Please make sure you include the following items in your next post:

    1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
    2. aswMBR log.
    3. Farbar Service Scanner log.
    4. OTL.txt & Extras.txt logs.
    5. An update on how your computer is currently running.

    It would be helpful if you could answer each question in the order asked, as well as numbering your answers.


    Please let me know how the above scans go.

    Kindest Regards,
    ST.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 aneaccount (Topic Starter)

Posted 10 March 2013 - 09:32 PM

ST, thanks for your help in advance.

 

Clarification question prior to downloading/running programs: Do you want the virus still 'working' as I do this? Why I ask is because it takes about 3 hours to get my machine running once it shuts off. Also it is difficult to connect and download anything with the virus 'working'.

My process with this machine is this: Once Spyware Doctor is run and detects and removes the virus(es), I can get on line and everything seems to work ok. Once the machine shuts down, I get a blue screen on startup (my guess is a desktop error as the machine gets most of the way to starting). I then need to do a restore to get the machine to start. Then (of course) the virus is still there and it is very difficult to go on the internet.

Also, I could not find a download link for aswmbr.exe; should I just search for it?

Thanks,

Steve



#4 SweetTech

Posted 11 March 2013 - 05:28 PM

Hi Steve,

Apologies for not responding sooner.

It sounds like we may need to go about removing this a different way.

Do you have access to a flash drive that we could download a tool onto and utilize in trying to remove this infection as well as another computer to download the utility to?

If so, let's try the following:

Running FRST

For 32-bit (x86) systems, download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit systems, download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.



#5 aneaccount (Topic Starter)

Posted 14 March 2013 - 12:40 AM

Ok, well this is what I get in the command box when I type in G:\frst.exe (the drive letter of my flash drive): 'The subsystem needed to support the image type is not present'

 

Additional info: I downloaded the file to a flash drive and it is there. I am now going through the process of getting it through the restore phase. It takes a while as it only shows a few restore points and none of them are before I ran Spyware Doctor. Eventually it will show me the March 8th date to choose after it fails a few times.

 

Thanks a lot. I will be able to respond more quickly now as the last day I have been traveling back to the great (wet) northwest.

Thanks! Steve



#6 aneaccount (Topic Starter)

Posted 14 March 2013 - 01:54 AM

More additional info: I cannot get the computer to restart now on any of the 6 displayed restore points. I check the box for showing more points and nothing is displayed. It gets all the way through the startup process but after the Windows logo is displayed, when it seems to be loading the desktop, it blue screens.



#7 SweetTech

Posted 14 March 2013 - 05:28 PM

Hi Steve!

 

So sorry to hear that you experienced issues with running the FRST application. I'd like for you to try downloading and running the 64 bit version of the utility to see what results that yields.

 

For the time being, let's focus on getting you booted up into FRST so that I can take a look at the current state of the system.

 

Thanks,

 

-ST.


Edited by SweetTech, 14 March 2013 - 05:30 PM.



#8 aneaccount (Topic Starter)

Posted 16 March 2013 - 12:58 AM

Yippee it worked! Frst64.exe log is below:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-03-2013
Ran by SYSTEM at 16-03-2013 02:46:12
Running from G:\
Windows 7 Home Premium   (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM-x32\...\Run: [ISTray] "C:\Program Files (x86)\PC Tools\PC Tools Security\pctsGui.exe" /hideGUI [2717816 2012-11-01] (PC Tools)
HKU\Default\...\RunOnce: [ScrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [162336 2009-07-21] ()
HKU\Default User\...\RunOnce: [ScrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [162336 2009-07-21] ()
HKU\Guest\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\micaiah\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\micaiah\...\Policies\system: [LogonHoursAction] 2
HKU\micaiah\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\tammy\...\Policies\system: [LogonHoursAction] 2
HKU\tammy\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.1.10.1

==================== Services (Whitelisted) ===================

2 Browser Defender Update Service; "C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe" [580728 2012-10-23] (Threat Expert Ltd.)
3 CACLEARWIRE; "C:\Program Files (x86)\Clearwire\Connection Manager\ConAppsSvc.exe" /n "CACLEARWIRE" [124760 2011-11-22] (SmithMicro Inc.)
2 clearwireDeviceDiagnosticsService; "C:\Program Files (x86)\Clearwire\Connection Manager\clearwireDeviceDiagnosticsService.exe" [407552 2011-03-29] ()
3 CLEARWIRERcAppSvc; "C:\Program Files (x86)\Clearwire\Connection Manager\RcAppSvc.exe" /n "CLEARWIRERcAppSvc" [120664 2011-11-22] (SmithMicro Inc.)
2 sdAuxService; C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe [403416 2012-10-31] (PC Tools)
2 sdCoreService; C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe [1162360 2012-11-01] (PC Tools)
2 SMSI Device Launch Service; "C:\Program Files (x86)\Clearwire\Connection Manager\DeviceLaunchSvc.exe" /n "SMSI Device Launch Service" [108376 2011-11-22] ()
3 ThreatFire; C:\Program Files (x86)\PC Tools\PC Tools Security\TFEngine\TFService.exe service [72824 2012-10-31] (PC Tools)

==================== Drivers (Whitelisted) =====================

3 bcm; C:\Windows\System32\DRIVERS\drxvi314_64.sys [382848 2011-10-17] (Beceem communications pvt ltd.)
3 bcmbusctr; C:\Windows\System32\DRIVERS\BcmBusCtr_64.sys [60416 2011-10-17] (Beceem communications pvt ltd.)
3 PCTBD; C:\Windows\System32\Drivers\PCTBD64.sys [77144 2012-10-23] (PC Tools)
0 PCTCore; C:\Windows\System32\drivers\PCTCore64.sys [413448 2012-10-22] (PC Tools)
0 pctDS; C:\Windows\System32\drivers\pctDS64.sys [453896 2012-02-28] (PC Tools)
0 pctEFA; C:\Windows\System32\drivers\pctEFA64.sys [1096176 2012-02-28] (PC Tools)
1 pctgntdi; \??\C:\Windows\System32\drivers\pctgntdi64.sys [347016 2012-10-31] (PC Tools)
3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [43032 2010-08-05] (Smith Micro Inc.)
3 pctplsg; \??\C:\Windows\System32\drivers\pctplsg64.sys [93600 2012-11-01] (PC Tools)
3 pctplsm; \??\C:\Windows\System32\drivers\pctplsm64.sys [87968 2012-11-01] (PC Tools)
1 PCTSD; C:\Windows\System32\Drivers\PCTSD64.sys [253256 2012-11-01] (PC Tools)
0 TfFsMon; C:\Windows\System32\Drivers\TfFsMon.sys [66344 2012-10-31] (PC Tools)
3 TfNetMon; C:\Windows\System32\Drivers\TfNetMon.sys [42648 2012-10-31] (PC Tools)
0 TFSysMon; C:\Windows\System32\Drivers\TFSysMon.sys [709552 2012-10-31] (PC Tools)
3 ATMFBUS; C:\Windows\System32\DRIVERS\ATMFBUS.sys [x]
3 ATMFCVsp; C:\Windows\System32\DRIVERS\ATMFCVsp.sys [x]
3 ATMFFLT; C:\Windows\System32\DRIVERS\ATMFFLT.sys [x]
3 ATMFMdm; C:\Windows\System32\DRIVERS\ATMFMdm.sys [x]
3 ATMFNET; C:\Windows\System32\DRIVERS\ATMFNET.sys [x]
3 ATMFNVsp; C:\Windows\System32\DRIVERS\ATMFNVsp.sys [x]
3 ATMFVsp; C:\Windows\System32\DRIVERS\ATMFVsp.sys [x]
3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
3 RtsUIR; C:\Windows\System32\DRIVERS\Rts516xIR.sys [x]
3 USBCCID; C:\Windows\System32\DRIVERS\usbccid.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-03-16 02:46 - 2013-03-16 02:46 - 00000000 ____D C:\FRST
2013-03-14 00:00 - 2013-03-14 00:00 - 00000000 ____A C:\Recovery.txt
2013-03-10 18:13 - 2013-03-10 18:13 - 00000512 ____A C:\Users\tammy\Desktop\MBR.dat
2013-03-09 21:08 - 2013-03-09 21:08 - 00002017 ____A C:\Users\tammy\Desktop\RKreport[8]_D_03092013_02d2108.txt
2013-03-09 21:05 - 2013-03-09 21:05 - 00001807 ____A C:\Users\tammy\Desktop\RKreport[7]_S_03092013_02d2105.txt
2013-03-09 21:03 - 2013-03-09 21:03 - 00001332 ____A C:\Users\tammy\Desktop\RKreport[5]_SC_03092013_02d2103.txt
2013-03-09 21:03 - 2013-03-09 21:03 - 00001004 ____A C:\Users\tammy\Desktop\RKreport[6]_H_03092013_02d2103.txt
2013-03-09 21:00 - 2013-03-09 21:00 - 00001845 ____A C:\Users\tammy\Desktop\RKreport[4]_D_03092013_02d2100.txt
2013-03-09 20:56 - 2013-03-09 20:56 - 00001635 ____A C:\Users\tammy\Desktop\RKreport[3]_S_03092013_02d2056.txt
2013-03-09 20:51 - 2013-03-09 20:51 - 00002152 ____A C:\Users\tammy\Desktop\RKreport[2]_D_03092013_02d2051.txt
2013-03-09 20:48 - 2013-03-09 20:48 - 00001924 ____A C:\Users\tammy\Desktop\RKreport[1]_S_03092013_02d2048.txt
2013-03-09 20:46 - 2013-03-14 15:24 - 00000000 ____D C:\Users\tammy\Desktop\RK_Quarantine
2013-03-07 06:15 - 2013-03-07 07:02 - 00002605 ____A C:\Users\tammy\Desktop\fix from pc tools.txt
2013-03-05 05:08 - 2013-03-05 05:08 - 00000347 ____A C:\Users\tammy\Downloads\ComboFix.exe
2013-03-05 04:54 - 2013-03-05 05:04 - 01975175 ____A (Swearware) C:\Users\tammy\Downloads\ComboFix.exe.part
2013-02-18 17:07 - 2013-02-18 18:10 - 00018432 ____A C:\Users\tammy\Documents\Ronald Reagan Works Cited pg.wps
2013-02-15 07:36 - 2013-02-15 07:37 - 00017408 ____A C:\Users\tammy\Documents\Where love is there God is also The last Leaf.wps

==================== One Month Modified Files and Folders =======

2013-03-14 15:24 - 2013-03-09 20:46 - 00000000 ____D C:\Users\tammy\Desktop\RK_Quarantine
2013-03-14 15:24 - 2013-02-07 12:56 - 00000000 ____D C:\Users\tammy\AppData\Roaming\vlc
2013-03-14 15:24 - 2012-02-02 19:06 - 00000000 ____D C:\users\micaiah
2013-03-14 15:24 - 2012-01-30 23:33 - 00000000 ____D C:\users\Guest
2013-03-14 15:24 - 2011-11-18 10:15 - 00000000 ____D C:\Program Files (x86)\Bonjour
2013-03-14 15:24 - 2011-09-29 14:38 - 00000000 ____D C:\Windows\pss
2013-03-14 15:24 - 2010-05-14 21:20 - 00000000 ____D C:\Program Files\Common Files\Apple
2013-03-14 15:24 - 2010-03-15 19:56 - 00000000 ____D C:\users\tammy
2013-03-14 15:24 - 2009-11-05 12:33 - 00000000 ____D C:\Program Files (x86)\Acer Arcade Deluxe
2013-03-14 15:24 - 2009-11-05 11:58 - 00000000 ____D C:\ProgramData\WildTangent
2013-03-14 15:24 - 2009-11-05 11:58 - 00000000 ____D C:\Program Files (x86)\Acer Games
2013-03-14 15:23 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-03-14 15:19 - 2009-07-13 19:20 - 00000000 __RHD C:\users\Default
2013-03-14 15:17 - 2009-11-05 12:06 - 00000000 __RHD C:\MSOCache
2013-03-14 15:17 - 2009-11-05 11:43 - 00000000 ___HD C:\OEM
2013-03-14 14:25 - 2012-11-21 22:49 - 00000000 ____A C:\Windows\System32\Drivers\Cat.DB
2013-03-14 00:00 - 2013-03-14 00:00 - 00000000 ____A C:\Recovery.txt
2013-03-10 18:13 - 2013-03-10 18:13 - 00000512 ____A C:\Users\tammy\Desktop\MBR.dat
2013-03-10 12:55 - 2009-07-13 21:13 - 00713714 ____A C:\Windows\System32\PerfStringBackup.INI
2013-03-10 12:50 - 2010-04-02 11:40 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-03-10 12:50 - 2010-04-02 11:40 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-03-10 12:50 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-03-10 12:49 - 2009-07-13 20:51 - 00075854 ____A C:\Windows\setupact.log
2013-03-10 12:45 - 2010-03-15 19:56 - 00000000 __SHD C:\Recovery
2013-03-10 08:59 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-03-10 08:59 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-03-09 21:08 - 2013-03-09 21:08 - 00002017 ____A C:\Users\tammy\Desktop\RKreport[8]_D_03092013_02d2108.txt
2013-03-09 21:05 - 2013-03-09 21:05 - 00001807 ____A C:\Users\tammy\Desktop\RKreport[7]_S_03092013_02d2105.txt
2013-03-09 21:03 - 2013-03-09 21:03 - 00001332 ____A C:\Users\tammy\Desktop\RKreport[5]_SC_03092013_02d2103.txt
2013-03-09 21:03 - 2013-03-09 21:03 - 00001004 ____A C:\Users\tammy\Desktop\RKreport[6]_H_03092013_02d2103.txt
2013-03-09 21:00 - 2013-03-09 21:00 - 00001845 ____A C:\Users\tammy\Desktop\RKreport[4]_D_03092013_02d2100.txt
2013-03-09 20:56 - 2013-03-09 20:56 - 00001635 ____A C:\Users\tammy\Desktop\RKreport[3]_S_03092013_02d2056.txt
2013-03-09 20:51 - 2013-03-09 20:51 - 00002152 ____A C:\Users\tammy\Desktop\RKreport[2]_D_03092013_02d2051.txt
2013-03-09 20:48 - 2013-03-09 20:48 - 00001924 ____A C:\Users\tammy\Desktop\RKreport[1]_S_03092013_02d2048.txt
2013-03-07 07:45 - 2010-01-21 20:37 - 00000000 ___AD C:\book
2013-03-07 07:02 - 2013-03-07 06:15 - 00002605 ____A C:\Users\tammy\Desktop\fix from pc tools.txt
2013-03-05 06:50 - 2010-04-29 17:06 - 00000000 ____D C:\Program Files (x86)\Yahoo!
2013-03-05 05:08 - 2013-03-05 05:08 - 00000347 ____A C:\Users\tammy\Downloads\ComboFix.exe
2013-03-05 05:04 - 2013-03-05 04:54 - 01975175 ____A (Swearware) C:\Users\tammy\Downloads\ComboFix.exe.part
2013-03-05 04:29 - 2013-02-07 12:56 - 00000000 ____D C:\Users\tammy\AppData\Roaming\dvdcss
2013-03-05 04:29 - 2012-06-05 07:22 - 00000000 ____D C:\Users\tammy\Desktop\Homemade By Holman Soft and Thick Sugar Cookies_files
2013-02-23 15:56 - 2013-01-29 07:10 - 00018432 ____A C:\Users\tammy\Documents\Success in Writing 29.wps
2013-02-23 15:56 - 2010-09-11 08:32 - 00044096 ____A C:\Users\tammy\AppData\Roaming\wklnhst.dat
2013-02-23 15:56 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\FxsTmp
2013-02-23 15:51 - 2013-01-23 07:35 - 00029184 ____A C:\Users\tammy\Documents\Jensens Pg. 116-133 Panda text.wps
2013-02-23 15:07 - 2013-01-29 07:07 - 00018432 ____A C:\Users\tammy\Documents\Success in Writing 28.wps
2013-02-23 15:05 - 2013-01-29 07:03 - 00017408 ____A C:\Users\tammy\Documents\Success in Writing 27.wps
2013-02-23 15:05 - 2013-01-29 07:00 - 00018432 ____A C:\Users\tammy\Documents\Success in Writing 26.wps
2013-02-23 15:04 - 2013-01-29 06:56 - 00017408 ____A C:\Users\tammy\Documents\Success in Writing 25.wps
2013-02-23 15:03 - 2013-01-29 06:52 - 00014848 ____A C:\Users\tammy\Documents\Success in Writing 24.wps
2013-02-23 15:02 - 2013-01-29 06:47 - 00017408 ____A C:\Users\tammy\Documents\Success in Writing 23.wps
2013-02-23 15:01 - 2013-01-29 06:43 - 00017408 ____A C:\Users\tammy\Documents\success in writing 22.wps
2013-02-23 15:01 - 2013-01-29 06:39 - 00017408 ____A C:\Users\tammy\Documents\Success in writing 21.wps
2013-02-23 15:00 - 2013-01-28 07:31 - 00018432 ____A C:\Users\tammy\Documents\Success in Writing 20.wps
2013-02-23 14:57 - 2013-01-28 07:28 - 00015872 ____A C:\Users\tammy\Documents\Success in Writing 19.wps
2013-02-23 14:57 - 2013-01-28 07:21 - 00016384 ____A C:\Users\tammy\Documents\Success in Writing 18.wps
2013-02-23 14:56 - 2013-01-28 07:17 - 00017408 ____A C:\Users\tammy\Documents\Success in Writing 17.wps
2013-02-23 14:55 - 2013-01-28 07:13 - 00018432 ____A C:\Users\tammy\Documents\Success in Writing 16.wps
2013-02-23 14:55 - 2013-01-28 07:05 - 00016384 ____A C:\Users\tammy\Documents\Success in Writing 15.wps
2013-02-23 14:54 - 2013-01-28 06:53 - 00018432 ____A C:\Users\tammy\Documents\Success in Writing 13.wps
2013-02-23 14:53 - 2013-01-28 06:48 - 00016384 ____A C:\Users\tammy\Documents\Success in Writing 12.wps
2013-02-22 15:28 - 2013-01-28 06:40 - 00014848 ____A C:\Users\tammy\Documents\Success in Writing 11.wps
2013-02-22 15:27 - 2013-01-26 19:40 - 00017408 ____A C:\Users\tammy\Documents\success in writing 10.wps
2013-02-22 15:27 - 2013-01-26 19:34 - 00017408 ____A C:\Users\tammy\Documents\Success in Writing 9.wps
2013-02-22 15:26 - 2013-01-26 19:26 - 00017408 ____A C:\Users\tammy\Documents\Success in writing 8.wps
2013-02-22 15:25 - 2013-01-26 19:23 - 00017408 ____A C:\Users\tammy\Documents\Success in Writing 7.wps
2013-02-22 15:25 - 2013-01-26 19:17 - 00017408 ____A C:\Users\tammy\Documents\success in writing 6.wps
2013-02-22 15:24 - 2013-01-26 19:12 - 00017408 ____A C:\Users\tammy\Documents\Success in writing 5.wps
2013-02-22 15:24 - 2013-01-26 18:24 - 00017408 ____A C:\Users\tammy\Documents\success in writing 4.wps
2013-02-22 15:23 - 2013-01-26 18:20 - 00018432 ____A C:\Users\tammy\Documents\Success in writing 3.wps
2013-02-22 15:23 - 2013-01-26 18:16 - 00017408 ____A C:\Users\tammy\Documents\Success in writing 2.wps
2013-02-21 22:17 - 2012-10-12 10:14 - 00041472 ____A C:\Users\tammy\Documents\Pres. Reagan.wps
2013-02-18 18:10 - 2013-02-18 17:07 - 00018432 ____A C:\Users\tammy\Documents\Ronald Reagan Works Cited pg.wps
2013-02-18 18:10 - 2013-02-12 08:00 - 00020992 ____A C:\Users\tammy\Documents\A start in life Themes in Lit..wps
2013-02-18 18:10 - 2012-10-16 16:19 - 00023552 ____A C:\Users\tammy\Documents\Ronald Reagan Outline.wps
2013-02-18 18:10 - 2012-09-18 11:31 - 00024064 ____A C:\Users\tammy\Documents\A harder task then making briks without straw.wps
2013-02-18 18:09 - 2013-02-13 08:01 - 00015872 ____A C:\Users\tammy\Documents\State the temes of poems.wps
2013-02-18 18:09 - 2012-09-14 08:43 - 00019456 ____A C:\Users\tammy\Documents\Old Behrman and Martin Avdeich.wps
2013-02-15 07:37 - 2013-02-15 07:36 - 00017408 ____A C:\Users\tammy\Documents\Where love is there God is also The last Leaf.wps


ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-03-09 22:52:18
Restore point made on: 2013-03-10 09:12:23
Restore point made on: 2013-03-10 09:13:51
Restore point made on: 2013-03-10 18:51:58

==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 2812.05 MB
Available physical RAM: 2201.73 MB
Total Pagefile: 2810.2 MB
Available Pagefile: 2186.5 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (Acer) (Fixed) (Total:136.95 GB) (Free:75.22 GB) NTFS
2 Drive e: (PQSERVICE) (Fixed) (Total:12 GB) (Free:1.5 GB) NTFS
3 Drive f: (DVD) (CDROM) (Total:4.18 GB) (Free:0 GB) UDF
4 Drive g: () (Removable) (Total:0.99 GB) (Free:0.96 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          149 GB      0 B         
  Disk 1    Online         1010 MB      0 B         

Partitions of Disk 0:
===============

Disk ID: EC718CB3

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery            12 GB    31 KB
  Partition 2    Primary            101 MB    12 GB
  Partition 3    Primary            136 GB    12 GB

==================================================================================

Disk: 0
Partition 1
Type  : 27
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E   PQSERVICE    NTFS   Partition     12 GB  Healthy    Hidden  

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   SYSTEM RESE  NTFS   Partition    101 MB  Healthy            

=========================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   Acer         NTFS   Partition    136 GB  Healthy            

=========================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1009 MB   176 KB

==================================================================================

Disk: 1
Partition 1
Type  : 06
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G                FAT    Removable   1009 MB  Healthy            

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: EC718CB3

Partition 1:
=========
Hex: 0001010027FEFFFF3F000000201F8001
Active: NO
Type: 27
Size: 12 GB

Partition 2:
=========
Hex: 80FEFFFF07FEFFFF5F1F8001CD2F0300
Active: YES
Type: 07 (NTFS)
Size: 102 MB

Partition 3:
=========
Hex: 00FEFFFF07FEFFFF2C4F830184471E11
Active: NO
Type: 07 (NTFS)
Size: 137 GB

==============================
Partitions of Disk 1:
===============
Disk ID: 00000000

Partition 1:
=========
Hex: 000526000601010260010000A08E1F00
Active: NO
Type: 06
Size: 1010 MB


Last Boot: 2013-02-23 15:28

==================== End Of Log =============================



#9 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:08:17 AM

Posted 16 March 2013 - 09:02 PM

Hi Steve!
 
Please run the following fix below:
 
 
Running FRST Fix
 
Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt
 
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
 
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
 
On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.
 
 

Running Search in FRST
In Vista or Windows 7: Boot to System Recovery Options and run FRST.
In Windows XP: Please boot to BartPe and run FRST.
Type the following in the edit box after "Search:".
 
services.exe
 
Note: The file names should be separated by a semicolon (;).
 
It then should look like:
 
services.exe
 
Click Search button and post the log (Search.txt) it makes to your reply.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#10 aneaccount

aneaccount
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:05:17 AM

Posted 17 March 2013 - 11:31 AM

OK, done.

 

Fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2013
Ran by SYSTEM at 2013-03-17 13:24:45 Run:1
Running from G:\

==============================================

C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

==== End of Fixlog ====

 

search.txt:

 

Farbar Recovery Scan Tool (x64) Version: 13-03-2013
Ran by SYSTEM at 2013-03-17 13:25:43
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======



#11 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:08:17 AM

Posted 18 March 2013 - 02:03 PM

Howdy!

Thanks for posting that log file.

Please run the following fix below, and then try to boot up into Windows.

Let me know how it goes.
 
Running FRST Fix
 
Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt
 
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe 
 
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
 
On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

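As an added defender-side example (not part of this thread, and not FRST's own code), a Python check for the two indicators the fixes in posts #9 and #11 act on: a Desktop.ini planted under assembly\GAC_32 or GAC_64, and a System32\services.exe whose hash no longer matches the copy kept in the winsxs component store. The helper make_sample_tree, the SCM_COMPONENT_PREFIX constant and the file contents it writes are assumptions made so the checks run offline against a constructed tree rather than a real C:\Windows.

```python
import hashlib
import tempfile
from pathlib import Path

# winsxs folder prefix from the Search.txt above; the build suffix varies per machine.
SCM_COMPONENT_PREFIX = "amd64_microsoft-windows-s..s-servicecontroller_"

def md5_of(path):
    """Upper-case hex MD5, the digest FRST prints next to each file it lists."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()

def find_gac_desktop_ini(windows_root):
    """Desktop.ini entries under assembly\\GAC_32 and GAC_64; a clean system has none."""
    root = Path(windows_root)
    hits = [root / "assembly" / gac / "Desktop.ini" for gac in ("GAC_32", "GAC_64")]
    return [str(p) for p in hits if p.exists() or p.is_symlink()]

def services_exe_matches_winsxs(windows_root):
    """(match, live_md5, stored_md5) for System32\\services.exe vs. the winsxs copy."""
    root = Path(windows_root)
    live = root / "System32" / "services.exe"
    winsxs = root / "winsxs"
    stored = sorted(p / "services.exe" for p in winsxs.iterdir()
                    if p.name.startswith(SCM_COMPONENT_PREFIX)
                    and (p / "services.exe").is_file()) if winsxs.is_dir() else []
    live_md5 = md5_of(live) if live.is_file() else None   # None: file missing
    stored_md5 = md5_of(stored[0]) if stored else None
    return live_md5 is not None and live_md5 == stored_md5, live_md5, stored_md5

def make_sample_tree(infected=True):
    """Constructed stand-in for C:\\Windows so the checks run offline.
    infected=True mimics this thread: GAC_32\\Desktop.ini present and
    System32\\services.exe differing from the component-store copy."""
    root = Path(tempfile.mkdtemp())
    comp = root / "winsxs" / (SCM_COMPONENT_PREFIX + "constructed_build")
    for d in (root / "assembly" / "GAC_32", root / "assembly" / "GAC_64",
              root / "System32", comp):
        d.mkdir(parents=True)
    good = b"constructed clean services.exe"
    (comp / "services.exe").write_bytes(good)
    (root / "System32" / "services.exe").write_bytes(b"constructed patched" if infected else good)
    if infected:
        (root / "assembly" / "GAC_32" / "Desktop.ini").write_bytes(b"constructed")
    return str(root)
```

On a real machine, pass the Windows directory as windows_root; a hash mismatch alone is not proof of tampering (a hotfix can update System32 ahead of the stored copy), so confirm with the signer and timestamp FRST reports.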


#12 aneaccount

aneaccount
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:05:17 AM

Posted 18 March 2013 - 02:30 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2013
Ran by SYSTEM at 2013-03-18 16:29:08 Run:2
Running from G:\

==============================================

Could not find C:\Windows\System32\services.exe .
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====



#13 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:08:17 AM

Posted 18 March 2013 - 03:17 PM

Are you able to boot up now?



#14 aneaccount

aneaccount
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:05:17 AM

Posted 18 March 2013 - 03:24 PM

Just tried, and still flashed the blue screen and went into startup repair again.



#15 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:08:17 AM

Posted 18 March 2013 - 03:26 PM

Okay, can you please run a new scan with FRST and post the log file for me to review?

I should be online for the next couple of hours, so I should be able to respond a bit quicker than normal.
