
Infected with something causing problems with logon and 32-bit programs


  • This topic is locked
13 replies to this topic

#1 ITJosh

  • Members
  • 6 posts

Posted 02 April 2013 - 07:35 PM

I am using a Dell computer running Windows 7 64-bit with the free version of AVG as my only non-Windows security. I also run Ad-Aware and Disk Cleanup on a regular basis.

 

An AVG-esque pop-up came up but was not clicked. No action was taken, but the computer then went black. I have tried numerous basic malware, adware, and virus removal/detection tools to no avail. Anything that is made for 32-bit computers won't even run (including programs already on my computer like my email and 32-bit web browser). I was able to run the 64-bit version of the Microsoft malware remover which told me that I had a type of Trojan and partially removed it (all problems still persist). I was also able to run FRST64 from a flash drive in repair mode which provided the only log that I can give you on the problem. Again, the issues are:
1) After logging on to my account the computer just goes black like when the virus first started
2) After CTRL+ALT+DEL logging off and then logging back in like normal everything appears fine
3) Most, if not all, 32-bit programs will not run AT ALL when I open them from anywhere using any method of opening programs that I know of

 

PLEASE HELP - I AM STUCK! THANK YOU!!!

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-03-2013 (ATTENTION: FRST version is 20 days old)
Ran by SYSTEM at 02-04-2013 17:31:43
Running from F:\
Windows 7 Home Premium   (X64) OS Language: English(US)
The current controlset is ControlSet002

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [WrtMon.exe] C:\Windows\system32\spool\drivers\x64\3\WrtMon.exe [20480 2006-09-20] ()
HKLM\...\Run: [dleamon.exe] "C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe" [770728 2010-08-09] ()
HKLM\...\Run: [EzPrint] "C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe" [139944 2010-08-09] ()
HKLM-x32\...\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\vdeck.exe [2243584 2009-07-28] (VIA)
HKLM-x32\...\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m [1807600 2009-11-13] ()
HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-06-24] (CyberLink Corp.)
HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
HKLM-x32\...\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2009-05-21] (SupportSoft, Inc.)
HKLM-x32\...\Run: [SSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [185896 2006-09-28] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [OpwareSE4] "C:\Program Files (x86)\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [75304 2006-10-11] (ScanSoft, Inc.)
HKLM-x32\...\Run: [InstaLAN] "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup [1485208 2010-07-28] (Affinegy, Inc.)
HKLM-x32\...\Run: [Dell V310-V510 Series] "C:\Program Files (x86)\Dell V310-V510 Series\fm3032.exe" /s [316072 2010-08-09] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-08-19] (Apple Inc.)
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3147384 2012-12-11] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [1151152 2013-02-18] ()
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKLM-x32\...\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe [165104 2009-09-17] (Softthinks)
HKLM-x32\...\RunOnce: [STToasterLauncher] C:\program files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe [120048 2009-09-17] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (No File)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (No File)

==================== Services (Whitelisted) ===================

2 AffinegyService; "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe" [569752 2010-07-28] (Affinegy, Inc.)
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe" [5814904 2012-11-16] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe" [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)
2 Belkin Local Backup Service; "C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe" /service [181760 2010-02-17] ()
2 Belkin Network USB Helper; "C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe" /service [55296 2010-02-09] ()
2 dleaCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\dleaserv.exe [45224 2010-05-21] ()
2 dlea_device; C:\Windows\system32\dleacoms.exe -service [1047552 2009-12-09] ( )
2 dlea_device; C:\Windows\SysWow64\dleacoms.exe -service [598696 2010-05-21] ( )
2 Lavasoft Ad-Aware Service; "C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe" [1737728 2012-09-21] (Lavasoft Limited                                                  )
2 vToolbarUpdater14.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [968880 2013-02-18] ()
2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [x]

==================== Drivers (Whitelisted) =====================

1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [154464 2012-10-22] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [63328 2012-10-15] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [185696 2012-10-02] (AVG Technologies CZ, s.r.o.)
0 Avgloga; C:\Windows\System32\Drivers\Avgloga.sys [225120 2012-09-21] (AVG Technologies CZ, s.r.o.)
0 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [111968 2012-11-16] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [40800 2012-09-14] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [200032 2012-09-21] (AVG Technologies CZ, s.r.o.)
1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [39768 2013-02-18] (AVG Technologies)
3 Lavasoft Kernexplorer; \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [17152 2011-06-18] ()
0 Lbd; C:\Windows\System32\Drivers\Lbd.sys [69376 2011-06-17] (Lavasoft AB)
3 sxuptp; C:\Windows\System32\Drivers\sxuptp.sys [291352 2010-03-10] (silex technology, Inc.)

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-04-02 17:31 - 2013-04-02 17:31 - 00000000 ____D C:\FRST
2013-03-25 16:58 - 2013-04-02 19:23 - 00001132 ____A C:\Windows\setupact.log
2013-03-25 16:58 - 2013-03-25 16:58 - 00000000 ____A C:\Windows\setuperr.log
2013-03-20 12:42 - 2013-03-20 12:42 - 00274864 ____A C:\Windows\Minidump\032013-22386-01.dmp
2013-03-13 21:52 - 2013-03-20 12:42 - 639536822 ____A C:\Windows\MEMORY.DMP
2013-03-13 21:52 - 2013-03-20 12:42 - 00000000 ____D C:\Windows\Minidump
2013-03-13 21:52 - 2013-03-13 21:52 - 00274864 ____A C:\Windows\Minidump\031313-24663-01.dmp
2013-03-12 23:57 - 2013-03-12 23:57 - 00007607 ____A C:\Users\Joyce\Local Settings\Resmon.ResmonCfg
2013-03-12 23:57 - 2013-03-12 23:57 - 00007607 ____A C:\Users\Joyce\Local Settings\Application Data\Resmon.ResmonCfg
2013-03-12 23:57 - 2013-03-12 23:57 - 00007607 ____A C:\Users\Joyce\AppData\Local\Resmon.ResmonCfg
2013-03-12 16:14 - 2009-07-13 20:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2013-03-10 23:11 - 2013-03-10 23:11 - 00360370 ____A C:\ProgramData\SPLF542.tmp
2013-03-10 23:11 - 2013-03-10 23:11 - 00360370 ____A C:\ProgramData\Application Data\SPLF542.tmp

==================== One Month Modified Files and Folders =======

2013-04-02 19:27 - 2009-07-14 00:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-02 19:23 - 2013-03-25 16:58 - 00001132 ____A C:\Windows\setupact.log
2013-04-02 19:21 - 2010-01-28 20:57 - 00214652 ____A C:\aaw7boot.log
2013-04-02 19:21 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-02 17:31 - 2013-04-02 17:31 - 00000000 ____D C:\FRST
2013-04-02 17:28 - 2009-07-14 00:10 - 01540086 ____A C:\Windows\WindowsUpdate.log
2013-04-02 17:28 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-02 17:28 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-03-28 17:58 - 2011-04-06 14:51 - 00008228 ____A C:\Windows\IE9_main.log
2013-03-25 16:58 - 2013-03-25 16:58 - 00000000 ____A C:\Windows\setuperr.log
2013-03-22 19:53 - 2010-01-24 20:05 - 00000000 ____D C:\ProgramData\Dl_cats
2013-03-22 19:53 - 2010-01-24 20:05 - 00000000 ____D C:\ProgramData\Application Data\Dl_cats
2013-03-22 19:52 - 2010-01-24 20:06 - 00390720 ____A C:\ProgramData\dleaJSW.log
2013-03-22 19:52 - 2010-01-24 20:06 - 00390720 ____A C:\ProgramData\Application Data\dleaJSW.log
2013-03-20 12:44 - 2010-01-24 17:15 - 00000000 ____D C:\users\Joyce
2013-03-20 12:42 - 2013-03-20 12:42 - 00274864 ____A C:\Windows\Minidump\032013-22386-01.dmp
2013-03-20 12:42 - 2013-03-13 21:52 - 639536822 ____A C:\Windows\MEMORY.DMP
2013-03-20 12:42 - 2013-03-13 21:52 - 00000000 ____D C:\Windows\Minidump
2013-03-20 11:41 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\registration
2013-03-13 21:52 - 2013-03-13 21:52 - 00274864 ____A C:\Windows\Minidump\031313-24663-01.dmp
2013-03-13 20:51 - 2009-07-14 02:44 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-03-12 23:57 - 2013-03-12 23:57 - 00007607 ____A C:\Users\Joyce\Local Settings\Resmon.ResmonCfg
2013-03-12 23:57 - 2013-03-12 23:57 - 00007607 ____A C:\Users\Joyce\Local Settings\Application Data\Resmon.ResmonCfg
2013-03-12 23:57 - 2013-03-12 23:57 - 00007607 ____A C:\Users\Joyce\AppData\Local\Resmon.ResmonCfg
2013-03-12 16:13 - 2010-01-16 19:18 - 00085798 ____A C:\Windows\PFRO.log
2013-03-12 16:12 - 2011-08-26 22:41 - 00000000 ____D C:\Users\Joyce\Application Data\Orbit
2013-03-12 16:12 - 2011-08-26 22:41 - 00000000 ____D C:\Users\Joyce\AppData\Roaming\Orbit
2013-03-12 16:12 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\System32\sysprep
2013-03-12 15:55 - 2011-05-09 21:24 - 00000000 ____D C:\ProgramData\MFAData
2013-03-12 15:55 - 2011-05-09 21:24 - 00000000 ____D C:\ProgramData\Application Data\MFAData
2013-03-11 18:36 - 2010-01-24 19:49 - 00171595 ____A C:\ProgramData\dleascan.log
2013-03-11 18:36 - 2010-01-24 19:49 - 00171595 ____A C:\ProgramData\Application Data\dleascan.log
2013-03-11 18:31 - 2011-03-19 16:53 - 00000000 ____D C:\Program Files\Dell V310-V510 Series
2013-03-11 18:31 - 2010-01-24 20:05 - 00000507 ____A C:\ProgramData\dlea.log
2013-03-11 18:31 - 2010-01-24 20:05 - 00000507 ____A C:\ProgramData\Application Data\dlea.log
2013-03-10 23:26 - 2010-01-24 17:15 - 00000000 ____D C:\Users\Joyce\Local Settings\SoftThinks
2013-03-10 23:26 - 2010-01-24 17:15 - 00000000 ____D C:\Users\Joyce\Local Settings\Application Data\SoftThinks
2013-03-10 23:26 - 2010-01-24 17:15 - 00000000 ____D C:\Users\Joyce\AppData\Local\SoftThinks
2013-03-10 23:26 - 2010-01-16 17:50 - 00000073 ____A C:\Windows\SysWOW64\ToasterLauncherLog.log
2013-03-10 23:26 - 2010-01-16 17:33 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-03-10 23:16 - 2011-06-22 16:08 - 00000064 ____A C:\Windows\SysWOW64\rp_stats.dat
2013-03-10 23:16 - 2011-06-22 16:08 - 00000044 ____A C:\Windows\SysWOW64\rp_rules.dat
2013-03-10 23:11 - 2013-03-10 23:11 - 00360370 ____A C:\ProgramData\SPLF542.tmp
2013-03-10 23:11 - 2013-03-10 23:11 - 00360370 ____A C:\ProgramData\Application Data\SPLF542.tmp
2013-03-04 15:53 - 2010-02-08 14:37 - 72013344 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe


ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-02-23 21:52:52
Restore point made on: 2013-03-04 13:16:24
Restore point made on: 2013-03-12 02:54:04
Restore point made on: 2013-03-13 03:14:23
Restore point made on: 2013-03-14 21:35:19
Restore point made on: 2013-03-16 22:59:59
Restore point made on: 2013-03-18 21:45:41
Restore point made on: 2013-03-28 17:14:29

==================== Memory info ===========================

Percentage of memory in use: 9%
Total physical RAM: 7935.12 MB
Available physical RAM: 7177.28 MB
Total Pagefile: 7933.27 MB
Available Pagefile: 7168.32 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:683.95 GB) (Free:636.22 GB) NTFS
3 Drive e: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:8.67 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive e: detected. Check for MBR/Partition infection.
4 Drive f: (USB20FD) (Removable) (Total:3.76 GB) (Free:3.75 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          698 GB      0 B        
  Disk 1    Online         3854 MB      0 B        

Partitions of Disk 0:
===============

Disk ID: 85DB1A95

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                 39 MB    31 KB
  Partition 2    Primary             14 GB    40 MB
  Partition 3    Primary            683 GB    14 GB

==================================================================================

Disk: 0
Partition 1
Type  : DE
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4                      FAT    Partition     39 MB  Healthy    Hidden 

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     E   RECOVERY     NTFS   Partition     14 GB  Healthy           

=========================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   OS           NTFS   Partition    683 GB  Healthy           

=========================================================

Partitions of Disk 1:
===============

Disk ID: 04DD5721

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3853 MB    31 KB

==================================================================================

Disk: 1
Partition 1
Type  : 0C
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     F   USB20FD      FAT32  Removable   3853 MB  Healthy           

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 85DB1A95

Partition 1:
=========
Hex: 80003800000000003700000000000000
Active: YES
Type: 00
Size: 0 byte
ATTENTION ===> 0 byte partition bootkit on partition 1

Partition 2:
=========
Hex: 00010100DEFE3F043F00000086390100
Active: NO
Type: DE
Size: 39 MB

Partition 3:
=========
Hex: 8019150507FEFFFF0040010000C0D401
Active: YES
Type: 07 (NTFS)
Size: 15 GB

Partition 4:
=========
Hex: 00FEFFFF07FEFFFF0000D601F05E7E55
Active: NO
Type: 07 (NTFS)
Size: 684 GB

==============================
Partitions of Disk 1:
===============
Disk ID: 04DD5721

Partition 1:
=========
Hex: 800101000C7FFFD13F000000C16F7800
Active: YES
Type: 0C
Size: 4 GB


Last Boot: 2013-03-25 17:18

==================== End Of Log =============================
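The hex lines in the "MBR Partition Table" section above are raw 16-byte partition table entries. The following is an added example (not part of this thread and not FRST's own code) that decodes them into the Active/Type/Size values the log prints and flags the entry that FRST reports as a "0 byte partition bootkit". The hex strings are copied from the log; the 512-byte sector size and the partition-type names are assumptions of the example, as is the set of consistency checks.

```python
"""Decode the 16-byte MBR partition entries that FRST prints as hex.

Added example, not part of the original thread or of FRST. It shows how the
"Active", "Type" and "Size" lines follow from the raw entry bytes and why an
entry that is marked active yet spans zero sectors gets flagged.
"""
import struct

SECTOR_SIZE = 512  # assumption: classic 512-byte sectors, consistent with the sizes in the log

# Standard MBR partition type IDs that occur in the log (assumed mapping)
PARTITION_TYPES = {
    0x00: "Empty",
    0x07: "NTFS/exFAT",
    0x0C: "FAT32 (LBA)",
    0xDE: "Dell utility",
}


def parse_mbr_entry(hex_entry: str) -> dict:
    """Decode one partition table entry given as 32 hex digits.

    Layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4, LE) sectors(4, LE).
    """
    raw = bytes.fromhex(hex_entry)
    if len(raw) != 16:
        raise ValueError("an MBR partition entry is exactly 16 bytes")
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
    return {
        "active": status == 0x80,
        "status": status,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "unknown"),
        "lba_start": lba_start,
        "sectors": sectors,
        "size_bytes": sectors * SECTOR_SIZE,
    }


def suspicious_entry(entry: dict) -> list:
    """Return the reasons an entry looks inconsistent with a normal table.

    The status byte must be 0x00 or 0x80, an active entry must have a
    length, and an empty (type 0x00) entry must not claim any sectors.
    """
    reasons = []
    if entry["status"] not in (0x00, 0x80):
        reasons.append("invalid status byte")
    if entry["active"] and entry["sectors"] == 0:
        reasons.append("active entry with 0 sectors")
    if entry["type"] == 0x00 and entry["sectors"] != 0:
        reasons.append("type 0x00 (empty) but non-zero length")
    return reasons


def gib(n_bytes: int) -> float:
    """Bytes to GiB, the unit FRST's drive listing appears to use."""
    return n_bytes / 1024 ** 3


# The five entries printed in the log's "MBR Partition Table" section.
LOG_ENTRIES = {
    "Disk 0 / Partition 1": "80003800000000003700000000000000",
    "Disk 0 / Partition 2": "00010100DEFE3F043F00000086390100",
    "Disk 0 / Partition 3": "8019150507FEFFFF0040010000C0D401",
    "Disk 0 / Partition 4": "00FEFFFF07FEFFFF0000D601F05E7E55",
    "Disk 1 / Partition 1": "800101000C7FFFD13F000000C16F7800",
}


def decode_log_entries(entries=LOG_ENTRIES) -> dict:
    """Decode every entry of the table, keyed by its label."""
    return {name: parse_mbr_entry(h) for name, h in entries.items()}


if __name__ == "__main__":
    for name, entry in decode_log_entries().items():
        flags = suspicious_entry(entry)
        print(f"{name}: active={entry['active']} type=0x{entry['type']:02X} "
              f"({entry['type_name']}) start={entry['lba_start']} "
              f"sectors={entry['sectors']} size={gib(entry['size_bytes']):.2f} GiB"
              + (f"  <== {', '.join(flags)}" if flags else ""))
```

Running it prints one line per entry. Disk 0's first entry decodes to status 0x80, type 0x00 and zero sectors at LBA 55, which is inconsistent with a normal table and is exactly what FRST's ATTENTION line points at; the remaining entries decode to the 39 MB Dell utility partition, the 14.65 GB recovery partition and the 683.95 GB OS partition, laid out contiguously and matching the diskpart listing earlier in the same log.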





#2 Conspire

  • Malware Response Team
  • 1,155 posts

Posted 05 April 2013 - 05:47 AM


In any case where you happen to be busy or unable to give us a reply, we would be grateful if you keep us informed in advance and we will be more than happy to wait. Failing that, we will have your thread closed in THREE (3) days.

:)


Hello there, ITJosh


I'm Conspire, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Read the entire procedure
  • It is important to perform ALL actions in sequence.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with me till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.
  • IMPORTANT NOTE: Please do not delete anything unless instructed to. Remember to back up all your important data (if possible) before moving on.

    ---------------------------------------------------------------------------------------------------

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt

    start
    C:\Windows\svchost.exe
    TDL4: custom:26000022 <===== ATTENTION!
    cmd: bootrec /FixMbr
    end

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

---------------------------------------------------------------------------------------------------
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may donate.

#3 ITJosh

  • Members
  • 6 posts

Posted 05 April 2013 - 05:19 PM

Thank you for your reply Conspire. I appreciate the help. I ran FRST64 with the fixlist you provided, and the log is pasted below:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2013
Ran by SYSTEM at 2013-04-05 18:11:43 Run:1
Running from F:\

==============================================

C:\Windows\svchost.exe moved successfully.

The operation completed successfully.
The operation completed successfully.

=========  bootrec /FixMbr =========

The operation completed successfully.
 
========= End of CMD: =========


==== End of Fixlog ====



#4 Conspire

  • Malware Response Team
  • 1,155 posts

Posted 05 April 2013 - 09:49 PM

How is it behaving now in normal mode?

#5 ITJosh

  • Members
  • 6 posts

Posted 05 April 2013 - 11:21 PM

It's behaving the same way.

#6 Conspire

  • Malware Response Team
  • 1,155 posts

Posted 05 April 2013 - 11:30 PM

Please post fresh FRST again for review. Thanks.

#7 ITJosh

  • Members
  • 6 posts

Posted 07 April 2013 - 10:55 PM

Okay will do. My work schedules are crazy right now and the infected computer is my grandmother's, so I will get you that new log tomorrow. Thanks again!

#8 Conspire

  • Malware Response Team
  • 1,155 posts

Posted 07 April 2013 - 11:10 PM

Sure. :)

#9 ITJosh

  • Members
  • 6 posts

Posted 08 April 2013 - 07:44 PM

I ran the FRST64 again and here is the log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-03-2013 (ATTENTION: FRST version is 26 days old)
Ran by SYSTEM at 08-04-2013 19:23:47
Running from F:\
Windows 7 Home Premium   (X64) OS Language: English(US)
The current controlset is ControlSet002

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [WrtMon.exe] C:\Windows\system32\spool\drivers\x64\3\WrtMon.exe [20480 2006-09-20] ()
HKLM\...\Run: [dleamon.exe] "C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe" [770728 2010-08-09] ()
HKLM\...\Run: [EzPrint] "C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe" [139944 2010-08-09] ()
HKLM-x32\...\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\vdeck.exe [2243584 2009-07-28] (VIA)
HKLM-x32\...\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m [1807600 2009-11-13] ()
HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-06-24] (CyberLink Corp.)
HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
HKLM-x32\...\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2009-05-21] (SupportSoft, Inc.)
HKLM-x32\...\Run: [SSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [185896 2006-09-28] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [OpwareSE4] "C:\Program Files (x86)\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [75304 2006-10-11] (ScanSoft, Inc.)
HKLM-x32\...\Run: [InstaLAN] "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup [1485208 2010-07-28] (Affinegy, Inc.)
HKLM-x32\...\Run: [Dell V310-V510 Series] "C:\Program Files (x86)\Dell V310-V510 Series\fm3032.exe" /s [316072 2010-08-09] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-08-19] (Apple Inc.)
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3147384 2012-12-11] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [1151152 2013-02-18] ()
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKLM-x32\...\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe [165104 2009-09-17] (Softthinks)
HKLM-x32\...\RunOnce: [STToasterLauncher] C:\program files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe [120048 2009-09-17] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (No File)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (No File)

==================== Services (Whitelisted) ===================

2 AffinegyService; "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe" [569752 2010-07-28] (Affinegy, Inc.)
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe" [5814904 2012-11-16] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe" [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)
2 Belkin Local Backup Service; "C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe" /service [181760 2010-02-17] ()
2 Belkin Network USB Helper; "C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe" /service [55296 2010-02-09] ()
2 dleaCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\dleaserv.exe [45224 2010-05-21] ()
2 dlea_device; C:\Windows\system32\dleacoms.exe -service [1047552 2009-12-09] ( )
2 dlea_device; C:\Windows\SysWow64\dleacoms.exe -service [598696 2010-05-21] ( )
2 Lavasoft Ad-Aware Service; "C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe" [1737728 2012-09-21] (Lavasoft Limited                                                  )
2 vToolbarUpdater14.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [968880 2013-02-18] ()
2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [x]

==================== Drivers (Whitelisted) =====================

1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [154464 2012-10-22] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [63328 2012-10-15] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [185696 2012-10-02] (AVG Technologies CZ, s.r.o.)
0 Avgloga; C:\Windows\System32\Drivers\Avgloga.sys [225120 2012-09-21] (AVG Technologies CZ, s.r.o.)
0 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [111968 2012-11-16] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [40800 2012-09-14] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [200032 2012-09-21] (AVG Technologies CZ, s.r.o.)
1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [39768 2013-02-18] (AVG Technologies)
3 Lavasoft Kernexplorer; \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [17152 2011-06-18] ()
0 Lbd; C:\Windows\System32\Drivers\Lbd.sys [69376 2011-06-17] (Lavasoft AB)
3 sxuptp; C:\Windows\System32\Drivers\sxuptp.sys [291352 2010-03-10] (silex technology, Inc.)

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-04-05 19:13 - 2009-07-13 20:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2013-04-02 19:14 - 2013-04-02 19:14 - 00688992 ____A (Swearware) C:\Users\Joyce\Desktop\dds.com
2013-04-02 17:31 - 2013-04-02 17:31 - 00000000 ____D C:\FRST
2013-03-25 16:58 - 2013-04-08 19:21 - 00001580 ____A C:\Windows\setupact.log
2013-03-25 16:58 - 2013-03-25 16:58 - 00000000 ____A C:\Windows\setuperr.log
2013-03-20 12:42 - 2013-03-20 12:42 - 00274864 ____A C:\Windows\Minidump\032013-22386-01.dmp
2013-03-13 21:52 - 2013-03-20 12:42 - 639536822 ____A C:\Windows\MEMORY.DMP
2013-03-13 21:52 - 2013-03-20 12:42 - 00000000 ____D C:\Windows\Minidump
2013-03-13 21:52 - 2013-03-13 21:52 - 00274864 ____A C:\Windows\Minidump\031313-24663-01.dmp
2013-03-12 23:57 - 2013-03-12 23:57 - 00007607 ____A C:\Users\Joyce\Local Settings\Resmon.ResmonCfg
2013-03-12 23:57 - 2013-03-12 23:57 - 00007607 ____A C:\Users\Joyce\Local Settings\Application Data\Resmon.ResmonCfg
2013-03-12 23:57 - 2013-03-12 23:57 - 00007607 ____A C:\Users\Joyce\AppData\Local\Resmon.ResmonCfg
2013-03-10 23:11 - 2013-03-10 23:11 - 00360370 ____A C:\ProgramData\SPLF542.tmp
2013-03-10 23:11 - 2013-03-10 23:11 - 00360370 ____A C:\ProgramData\Application Data\SPLF542.tmp

==================== One Month Modified Files and Folders =======

2013-04-08 19:21 - 2013-03-25 16:58 - 00001580 ____A C:\Windows\setupact.log
2013-04-08 19:21 - 2010-01-28 20:57 - 00216220 ____A C:\aaw7boot.log
2013-04-08 19:21 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-08 19:20 - 2009-07-14 00:10 - 01595148 ____A C:\Windows\WindowsUpdate.log
2013-04-08 00:20 - 2009-07-14 00:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-07 22:23 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-07 22:23 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-06 01:19 - 2012-05-28 16:48 - 00000000 ____D C:\Users\Joyce\.gimp-2.8
2013-04-02 19:14 - 2013-04-02 19:14 - 00688992 ____A (Swearware) C:\Users\Joyce\Desktop\dds.com
2013-04-02 17:31 - 2013-04-02 17:31 - 00000000 ____D C:\FRST
2013-03-28 17:58 - 2011-04-06 14:51 - 00008228 ____A C:\Windows\IE9_main.log
2013-03-25 16:58 - 2013-03-25 16:58 - 00000000 ____A C:\Windows\setuperr.log
2013-03-22 19:53 - 2010-01-24 20:05 - 00000000 ____D C:\ProgramData\Dl_cats
2013-03-22 19:53 - 2010-01-24 20:05 - 00000000 ____D C:\ProgramData\Application Data\Dl_cats
2013-03-22 19:52 - 2010-01-24 20:06 - 00390720 ____A C:\ProgramData\dleaJSW.log
2013-03-22 19:52 - 2010-01-24 20:06 - 00390720 ____A C:\ProgramData\Application Data\dleaJSW.log
2013-03-20 12:44 - 2010-01-24 17:15 - 00000000 ____D C:\users\Joyce
2013-03-20 12:42 - 2013-03-20 12:42 - 00274864 ____A C:\Windows\Minidump\032013-22386-01.dmp
2013-03-20 12:42 - 2013-03-13 21:52 - 639536822 ____A C:\Windows\MEMORY.DMP
2013-03-20 12:42 - 2013-03-13 21:52 - 00000000 ____D C:\Windows\Minidump
2013-03-20 11:41 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\registration
2013-03-13 21:52 - 2013-03-13 21:52 - 00274864 ____A C:\Windows\Minidump\031313-24663-01.dmp
2013-03-13 20:51 - 2009-07-14 02:44 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-03-12 23:57 - 2013-03-12 23:57 - 00007607 ____A C:\Users\Joyce\Local Settings\Resmon.ResmonCfg
2013-03-12 23:57 - 2013-03-12 23:57 - 00007607 ____A C:\Users\Joyce\Local Settings\Application Data\Resmon.ResmonCfg
2013-03-12 23:57 - 2013-03-12 23:57 - 00007607 ____A C:\Users\Joyce\AppData\Local\Resmon.ResmonCfg
2013-03-12 16:13 - 2010-01-16 19:18 - 00085798 ____A C:\Windows\PFRO.log
2013-03-12 16:12 - 2011-08-26 22:41 - 00000000 ____D C:\Users\Joyce\Application Data\Orbit
2013-03-12 16:12 - 2011-08-26 22:41 - 00000000 ____D C:\Users\Joyce\AppData\Roaming\Orbit
2013-03-12 16:12 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\System32\sysprep
2013-03-12 15:55 - 2011-05-09 21:24 - 00000000 ____D C:\ProgramData\MFAData
2013-03-12 15:55 - 2011-05-09 21:24 - 00000000 ____D C:\ProgramData\Application Data\MFAData
2013-03-12 02:10 - 2010-01-24 17:42 - 00282744 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-03-11 18:36 - 2010-01-24 19:49 - 00171595 ____A C:\ProgramData\dleascan.log
2013-03-11 18:36 - 2010-01-24 19:49 - 00171595 ____A C:\ProgramData\Application Data\dleascan.log
2013-03-11 18:31 - 2011-03-19 16:53 - 00000000 ____D C:\Program Files\Dell V310-V510 Series
2013-03-11 18:31 - 2010-01-24 20:05 - 00000507 ____A C:\ProgramData\dlea.log
2013-03-11 18:31 - 2010-01-24 20:05 - 00000507 ____A C:\ProgramData\Application Data\dlea.log
2013-03-10 23:26 - 2010-01-24 17:15 - 00000000 ____D C:\Users\Joyce\Local Settings\SoftThinks
2013-03-10 23:26 - 2010-01-24 17:15 - 00000000 ____D C:\Users\Joyce\Local Settings\Application Data\SoftThinks
2013-03-10 23:26 - 2010-01-24 17:15 - 00000000 ____D C:\Users\Joyce\AppData\Local\SoftThinks
2013-03-10 23:26 - 2010-01-16 17:50 - 00000073 ____A C:\Windows\SysWOW64\ToasterLauncherLog.log
2013-03-10 23:26 - 2010-01-16 17:33 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-03-10 23:16 - 2011-06-22 16:08 - 00000064 ____A C:\Windows\SysWOW64\rp_stats.dat
2013-03-10 23:16 - 2011-06-22 16:08 - 00000044 ____A C:\Windows\SysWOW64\rp_rules.dat
2013-03-10 23:11 - 2013-03-10 23:11 - 00360370 ____A C:\ProgramData\SPLF542.tmp
2013-03-10 23:11 - 2013-03-10 23:11 - 00360370 ____A C:\ProgramData\Application Data\SPLF542.tmp


ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-03-04 13:16:24
Restore point made on: 2013-03-12 02:54:04
Restore point made on: 2013-03-13 03:14:23
Restore point made on: 2013-03-14 21:35:19
Restore point made on: 2013-03-16 22:59:59
Restore point made on: 2013-03-18 21:45:41
Restore point made on: 2013-03-28 17:14:29
Restore point made on: 2013-04-02 19:37:04
Restore point made on: 2013-04-08 19:19:44

==================== Memory info ===========================

Percentage of memory in use: 9%
Total physical RAM: 7935.12 MB
Available physical RAM: 7174.03 MB
Total Pagefile: 7933.27 MB
Available Pagefile: 7167 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:683.95 GB) (Free:637.17 GB) NTFS
3 Drive e: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:8.67 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (USB20FD) (Removable) (Total:3.76 GB) (Free:3.75 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          698 GB      0 B        
  Disk 1    Online         3854 MB      0 B        

Partitions of Disk 0:
===============

Disk ID: 85DB1A95

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                 39 MB    31 KB
  Partition 2    Primary             14 GB    40 MB
  Partition 3    Primary            683 GB    14 GB

==================================================================================

Disk: 0
Partition 1
Type  : DE
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4                      FAT    Partition     39 MB  Healthy    Hidden 

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     E   RECOVERY     NTFS   Partition     14 GB  Healthy           

=========================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   OS           NTFS   Partition    683 GB  Healthy           

=========================================================

Partitions of Disk 1:
===============

Disk ID: 04DD5721

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3853 MB    31 KB

==================================================================================

Disk: 1
Partition 1
Type  : 0C
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     F   USB20FD      FAT32  Removable   3853 MB  Healthy           

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 85DB1A95

Partition 1:
=========
Hex: 80003800000000003700000000000000
Active: YES
Type: 00
Size: 0 byte
ATTENTION ===> 0 byte partition bootkit on partition 1

Partition 2:
=========
Hex: 00010100DEFE3F043F00000086390100
Active: NO
Type: DE
Size: 39 MB

Partition 3:
=========
Hex: 8019150507FEFFFF0040010000C0D401
Active: YES
Type: 07 (NTFS)
Size: 15 GB

Partition 4:
=========
Hex: 00FEFFFF07FEFFFF0000D601F05E7E55
Active: NO
Type: 07 (NTFS)
Size: 684 GB

==============================
Partitions of Disk 1:
===============
Disk ID: 04DD5721

Partition 1:
=========
Hex: 800101000C7FFFD13F000000C16F7800
Active: YES
Type: 0C
Size: 4 GB


Last Boot: 2013-04-08 01:10

==================== End Of Log =============================



#10 Conspire (Malware Response Team)

Posted 08 April 2013 - 10:25 PM

It seems like the FRST version you're using is outdated. There have been quite a few changes to FRST since this one.

Please download a new copy here : Farbar Recovery Scan Tool 64-Bit

FYI, the infection is back again. Run it again with the same method as before and we will go from there.
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may donate.

#11 ITJosh (Topic Starter)

Posted 09 April 2013 - 01:42 PM

Okay, I updated and ran the updated version of FRST64 and here is the log it created:


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-03-2013 (ATTENTION: FRST version is 27 days old)
Ran by SYSTEM at 09-04-2013 14:34:24
Running from F:\
Windows 7 Home Premium   (X64) OS Language: English(US)
The current controlset is ControlSet002

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [WrtMon.exe] C:\Windows\system32\spool\drivers\x64\3\WrtMon.exe [20480 2006-09-20] ()
HKLM\...\Run: [dleamon.exe] "C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe" [770728 2010-08-09] ()
HKLM\...\Run: [EzPrint] "C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe" [139944 2010-08-09] ()
HKLM-x32\...\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\vdeck.exe [2243584 2009-07-28] (VIA)
HKLM-x32\...\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m [1807600 2009-11-13] ()
HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-06-24] (CyberLink Corp.)
HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
HKLM-x32\...\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2009-05-21] (SupportSoft, Inc.)
HKLM-x32\...\Run: [SSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [185896 2006-09-28] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [OpwareSE4] "C:\Program Files (x86)\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [75304 2006-10-11] (ScanSoft, Inc.)
HKLM-x32\...\Run: [InstaLAN] "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup [1485208 2010-07-28] (Affinegy, Inc.)
HKLM-x32\...\Run: [Dell V310-V510 Series] "C:\Program Files (x86)\Dell V310-V510 Series\fm3032.exe" /s [316072 2010-08-09] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-08-19] (Apple Inc.)
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3147384 2012-12-11] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [1151152 2013-02-18] ()
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKLM-x32\...\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe [165104 2009-09-17] (Softthinks)
HKLM-x32\...\RunOnce: [STToasterLauncher] C:\program files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe [120048 2009-09-17] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (No File)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (No File)

==================== Services (Whitelisted) ===================

2 AffinegyService; "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe" [569752 2010-07-28] (Affinegy, Inc.)
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe" [5814904 2012-11-16] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe" [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)
2 Belkin Local Backup Service; "C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe" /service [181760 2010-02-17] ()
2 Belkin Network USB Helper; "C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe" /service [55296 2010-02-09] ()
2 dleaCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\dleaserv.exe [45224 2010-05-21] ()
2 dlea_device; C:\Windows\system32\dleacoms.exe -service [1047552 2009-12-09] ( )
2 dlea_device; C:\Windows\SysWow64\dleacoms.exe -service [598696 2010-05-21] ( )
2 Lavasoft Ad-Aware Service; "C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe" [1737728 2012-09-21] (Lavasoft Limited                                                  )
2 vToolbarUpdater14.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [968880 2013-02-18] ()
2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [x]

==================== Drivers (Whitelisted) =====================

1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [154464 2012-10-22] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [63328 2012-10-15] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [185696 2012-10-02] (AVG Technologies CZ, s.r.o.)
0 Avgloga; C:\Windows\System32\Drivers\Avgloga.sys [225120 2012-09-21] (AVG Technologies CZ, s.r.o.)
0 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [111968 2012-11-16] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [40800 2012-09-14] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [200032 2012-09-21] (AVG Technologies CZ, s.r.o.)
1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [39768 2013-02-18] (AVG Technologies)
3 Lavasoft Kernexplorer; \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [17152 2011-06-18] ()
0 Lbd; C:\Windows\System32\Drivers\Lbd.sys [69376 2011-06-17] (Lavasoft AB)
3 sxuptp; C:\Windows\System32\Drivers\sxuptp.sys [291352 2010-03-10] (silex technology, Inc.)

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-04-05 19:13 - 2009-07-13 20:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2013-04-02 19:14 - 2013-04-02 19:14 - 00688992 ____A (Swearware) C:\Users\Joyce\Desktop\dds.com
2013-04-02 17:31 - 2013-04-02 17:31 - 00000000 ____D C:\FRST
2013-03-25 16:58 - 2013-04-09 14:21 - 00001748 ____A C:\Windows\setupact.log
2013-03-25 16:58 - 2013-03-25 16:58 - 00000000 ____A C:\Windows\setuperr.log
2013-03-20 12:42 - 2013-03-20 12:42 - 00274864 ____A C:\Windows\Minidump\032013-22386-01.dmp
2013-03-13 21:52 - 2013-03-20 12:42 - 639536822 ____A C:\Windows\MEMORY.DMP
2013-03-13 21:52 - 2013-03-20 12:42 - 00000000 ____D C:\Windows\Minidump
2013-03-13 21:52 - 2013-03-13 21:52 - 00274864 ____A C:\Windows\Minidump\031313-24663-01.dmp
2013-03-12 23:57 - 2013-03-12 23:57 - 00007607 ____A C:\Users\Joyce\Local Settings\Resmon.ResmonCfg
2013-03-12 23:57 - 2013-03-12 23:57 - 00007607 ____A C:\Users\Joyce\Local Settings\Application Data\Resmon.ResmonCfg
2013-03-12 23:57 - 2013-03-12 23:57 - 00007607 ____A C:\Users\Joyce\AppData\Local\Resmon.ResmonCfg
2013-03-10 23:11 - 2013-03-10 23:11 - 00360370 ____A C:\ProgramData\SPLF542.tmp
2013-03-10 23:11 - 2013-03-10 23:11 - 00360370 ____A C:\ProgramData\Application Data\SPLF542.tmp

==================== One Month Modified Files and Folders =======

2013-04-09 14:30 - 2009-07-14 00:10 - 01606664 ____A C:\Windows\WindowsUpdate.log
2013-04-09 14:30 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-09 14:30 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-09 14:27 - 2009-07-14 00:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-09 14:21 - 2013-03-25 16:58 - 00001748 ____A C:\Windows\setupact.log
2013-04-09 14:21 - 2010-01-28 20:57 - 00216892 ____A C:\aaw7boot.log
2013-04-09 14:21 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-06 01:19 - 2012-05-28 16:48 - 00000000 ____D C:\Users\Joyce\.gimp-2.8
2013-04-02 19:14 - 2013-04-02 19:14 - 00688992 ____A (Swearware) C:\Users\Joyce\Desktop\dds.com
2013-04-02 17:31 - 2013-04-02 17:31 - 00000000 ____D C:\FRST
2013-03-28 17:58 - 2011-04-06 14:51 - 00008228 ____A C:\Windows\IE9_main.log
2013-03-25 16:58 - 2013-03-25 16:58 - 00000000 ____A C:\Windows\setuperr.log
2013-03-22 19:53 - 2010-01-24 20:05 - 00000000 ____D C:\ProgramData\Dl_cats
2013-03-22 19:53 - 2010-01-24 20:05 - 00000000 ____D C:\ProgramData\Application Data\Dl_cats
2013-03-22 19:52 - 2010-01-24 20:06 - 00390720 ____A C:\ProgramData\dleaJSW.log
2013-03-22 19:52 - 2010-01-24 20:06 - 00390720 ____A C:\ProgramData\Application Data\dleaJSW.log
2013-03-20 12:44 - 2010-01-24 17:15 - 00000000 ____D C:\users\Joyce
2013-03-20 12:42 - 2013-03-20 12:42 - 00274864 ____A C:\Windows\Minidump\032013-22386-01.dmp
2013-03-20 12:42 - 2013-03-13 21:52 - 639536822 ____A C:\Windows\MEMORY.DMP
2013-03-20 12:42 - 2013-03-13 21:52 - 00000000 ____D C:\Windows\Minidump
2013-03-20 11:41 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\registration
2013-03-13 21:52 - 2013-03-13 21:52 - 00274864 ____A C:\Windows\Minidump\031313-24663-01.dmp
2013-03-13 20:51 - 2009-07-14 02:44 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-03-12 23:57 - 2013-03-12 23:57 - 00007607 ____A C:\Users\Joyce\Local Settings\Resmon.ResmonCfg
2013-03-12 23:57 - 2013-03-12 23:57 - 00007607 ____A C:\Users\Joyce\Local Settings\Application Data\Resmon.ResmonCfg
2013-03-12 23:57 - 2013-03-12 23:57 - 00007607 ____A C:\Users\Joyce\AppData\Local\Resmon.ResmonCfg
2013-03-12 16:13 - 2010-01-16 19:18 - 00085798 ____A C:\Windows\PFRO.log
2013-03-12 16:12 - 2011-08-26 22:41 - 00000000 ____D C:\Users\Joyce\Application Data\Orbit
2013-03-12 16:12 - 2011-08-26 22:41 - 00000000 ____D C:\Users\Joyce\AppData\Roaming\Orbit
2013-03-12 16:12 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\System32\sysprep
2013-03-12 15:55 - 2011-05-09 21:24 - 00000000 ____D C:\ProgramData\MFAData
2013-03-12 15:55 - 2011-05-09 21:24 - 00000000 ____D C:\ProgramData\Application Data\MFAData
2013-03-12 02:10 - 2010-01-24 17:42 - 00282744 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-03-11 18:36 - 2010-01-24 19:49 - 00171595 ____A C:\ProgramData\dleascan.log
2013-03-11 18:36 - 2010-01-24 19:49 - 00171595 ____A C:\ProgramData\Application Data\dleascan.log
2013-03-11 18:31 - 2011-03-19 16:53 - 00000000 ____D C:\Program Files\Dell V310-V510 Series
2013-03-11 18:31 - 2010-01-24 20:05 - 00000507 ____A C:\ProgramData\dlea.log
2013-03-11 18:31 - 2010-01-24 20:05 - 00000507 ____A C:\ProgramData\Application Data\dlea.log
2013-03-10 23:26 - 2010-01-24 17:15 - 00000000 ____D C:\Users\Joyce\Local Settings\SoftThinks
2013-03-10 23:26 - 2010-01-24 17:15 - 00000000 ____D C:\Users\Joyce\Local Settings\Application Data\SoftThinks
2013-03-10 23:26 - 2010-01-24 17:15 - 00000000 ____D C:\Users\Joyce\AppData\Local\SoftThinks
2013-03-10 23:26 - 2010-01-16 17:50 - 00000073 ____A C:\Windows\SysWOW64\ToasterLauncherLog.log
2013-03-10 23:26 - 2010-01-16 17:33 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-03-10 23:16 - 2011-06-22 16:08 - 00000064 ____A C:\Windows\SysWOW64\rp_stats.dat
2013-03-10 23:16 - 2011-06-22 16:08 - 00000044 ____A C:\Windows\SysWOW64\rp_rules.dat
2013-03-10 23:11 - 2013-03-10 23:11 - 00360370 ____A C:\ProgramData\SPLF542.tmp
2013-03-10 23:11 - 2013-03-10 23:11 - 00360370 ____A C:\ProgramData\Application Data\SPLF542.tmp


ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-03-04 13:16:24
Restore point made on: 2013-03-12 02:54:04
Restore point made on: 2013-03-13 03:14:23
Restore point made on: 2013-03-14 21:35:19
Restore point made on: 2013-03-16 22:59:59
Restore point made on: 2013-03-18 21:45:41
Restore point made on: 2013-03-28 17:14:29
Restore point made on: 2013-04-02 19:37:04
Restore point made on: 2013-04-08 19:19:44

==================== Memory info ===========================

Percentage of memory in use: 9%
Total physical RAM: 7935.12 MB
Available physical RAM: 7177.46 MB
Total Pagefile: 7933.27 MB
Available Pagefile: 7168.8 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:683.95 GB) (Free:637.16 GB) NTFS
3 Drive e: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:8.67 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (USB20FD) (Removable) (Total:3.76 GB) (Free:3.75 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          698 GB      0 B        
  Disk 1    Online         3854 MB      0 B        

Partitions of Disk 0:
===============

Disk ID: 85DB1A95

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                 39 MB    31 KB
  Partition 2    Primary             14 GB    40 MB
  Partition 3    Primary            683 GB    14 GB

==================================================================================

Disk: 0
Partition 1
Type  : DE
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4                      FAT    Partition     39 MB  Healthy    Hidden 

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     E   RECOVERY     NTFS   Partition     14 GB  Healthy           

=========================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   OS           NTFS   Partition    683 GB  Healthy           

=========================================================

Partitions of Disk 1:
===============

Disk ID: 04DD5721

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3853 MB    31 KB

==================================================================================

Disk: 1
Partition 1
Type  : 0C
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     F   USB20FD      FAT32  Removable   3853 MB  Healthy           

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 85DB1A95

Partition 1:
=========
Hex: 80003800000000003700000000000000
Active: YES
Type: 00
Size: 0 byte
ATTENTION ===> 0 byte partition bootkit on partition 1

Partition 2:
=========
Hex: 00010100DEFE3F043F00000086390100
Active: NO
Type: DE
Size: 39 MB

Partition 3:
=========
Hex: 8019150507FEFFFF0040010000C0D401
Active: YES
Type: 07 (NTFS)
Size: 15 GB

Partition 4:
=========
Hex: 00FEFFFF07FEFFFF0000D601F05E7E55
Active: NO
Type: 07 (NTFS)
Size: 684 GB

==============================
Partitions of Disk 1:
===============
Disk ID: 04DD5721

Partition 1:
=========
Hex: 800101000C7FFFD13F000000C16F7800
Active: YES
Type: 0C
Size: 4 GB


Last Boot: 2013-04-08 01:10

==================== End Of Log =============================
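The "MBR Partition Table" section of the log prints each 16-byte partition entry as raw hex, and FRST derives the Active, Type and Size fields from those bytes. The diskpart-style "Partitions of Disk 0" view above it lists only three partitions, because Windows skips an entry whose type is 00; the raw table shows a fourth entry, marked active, of type 00 and zero size, which is what FRST flags. As an added example that is not part of the thread and not FRST's own code, the Python below decodes those same entries and applies the two checks a responder would want: an entry of type 00 should be entirely zero, and a standard MBR carries at most one active entry. The hex strings are copied from the Disk 0 block above; the 512-byte sector size is an assumption consistent with the sizes FRST reports.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors, as FRST's sizes imply


@dataclass(frozen=True)
class MbrEntry:
    """One decoded 16-byte MBR partition table entry."""
    active: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def size_bytes(self) -> int:
        return self.sector_count * SECTOR_BYTES


def parse_entry(hex16: str) -> MbrEntry:
    """Decode the raw hex FRST prints for one partition entry.

    Layout: byte 0 boot flag (0x80 = active), bytes 1-3 CHS start,
    byte 4 partition type, bytes 5-7 CHS end, bytes 8-11 LBA start,
    bytes 12-15 sector count; both 32-bit fields are little-endian.
    """
    raw = bytes.fromhex(hex16)
    if len(raw) != 16:
        raise ValueError("an MBR partition entry is exactly 16 bytes")
    boot, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
    return MbrEntry(active=(boot == 0x80), type_id=ptype,
                    lba_start=lba, sector_count=count)


def check_table(entries: list[MbrEntry]) -> list[str]:
    """Return human-readable findings for a parsed partition table."""
    findings = []
    active = [i for i, e in enumerate(entries, 1) if e.active]
    if len(active) > 1:
        findings.append(f"more than one active entry: {active}")
    for i, e in enumerate(entries, 1):
        if e.type_id == 0x00 and (e.active or e.lba_start or e.sector_count):
            # Type 00 means 'unused'. Windows skips such an entry, so
            # whatever it points at is invisible to diskpart yet still
            # sits in the MBR where boot code can reach it.
            findings.append(
                f"entry {i}: type 00 but not empty "
                f"(active={e.active}, lba_start={e.lba_start}, "
                f"sectors={e.sector_count})")
        if e.active and e.sector_count == 0:
            findings.append(f"entry {i}: active flag set on a 0-byte partition")
    return findings


# Entries copied verbatim from the Disk 0 'MBR Partition Table' block above.
DISK0_ENTRIES = [
    "80003800000000003700000000000000",
    "00010100DEFE3F043F00000086390100",
    "8019150507FEFFFF0040010000C0D401",
    "00FEFFFF07FEFFFF0000D601F05E7E55",
]


def analyse(hex_entries: list[str]) -> tuple[list[MbrEntry], list[str]]:
    """Parse a list of hex entries and run the checks over them."""
    entries = [parse_entry(h) for h in hex_entries]
    return entries, check_table(entries)


if __name__ == "__main__":
    parsed, findings = analyse(DISK0_ENTRIES)
    for n, e in enumerate(parsed, 1):
        print(f"entry {n}: active={e.active} type={e.type_id:02X} "
              f"lba_start={e.lba_start} size={e.size_bytes / 2**30:.2f} GiB")
    for f in findings:
        print("ATTENTION:", f)
```

Decoding the log's bytes reproduces FRST's figures: entry 2 is type DE with 80262 sectors (39 MB), entry 3 is the 14.65 GB recovery volume, entry 4 the 683.95 GB OS volume, and entry 3 ends exactly where entry 4 starts. Entry 1 is the anomaly: the boot flag is set, the type is 00, the size is zero, and its start LBA (55) points into the unpartitioned gap before sector 63, which is exactly the kind of entry a bootkit uses to hide its loader from the partition tools the operating system trusts.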



#12 Conspire (Malware Response Team)

Posted 10 April 2013 - 07:17 AM

Hello,


Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

start
C:\ProgramData\SPLF542.tmp
C:\ProgramData\Application Data\SPLF542.tmp
C:\Windows\svchost.exe

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

===================================================

Run this in normal mode.

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Refer to the ComboFix User's Guide


Download ComboFix from one of these locations:

Link 1
Link 2



* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

===================================================

On your next reply please post :
FRST fix log
ComboFix log



Please STOP and let me know if you have any problems performing the steps above or any questions you may have.

Good Day!


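The fixlist above deletes C:\Windows\svchost.exe, the file the FRST log flagged under "Check for possible partition/boot infection". FRST's "Bamital & volsnap Check" passed because it hashes the copies in System32 and SysWOW64; the suspect is a same-named binary one directory up, and the "(Microsoft Corporation)" string beside it is only the file's own version resource, which proves nothing. As an added example that is not part of the thread and not FRST's own logic, the Python below walks FRST file-listing lines and flags core binary names that sit outside the directories FRST hashed, noting when the creation time is newer than the modification time (a copied file keeps the source mtime and gets a fresh ctime). Two sample lines are copied from the log above; the third, a legitimate System32 copy, is constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Iterable, Optional

# One FRST 'Created/Modified Files' line:
# <created> - <modified> - <size> <attrs> [(company)] <path>
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)

# Where each core binary legitimately lives, taken from the paths in the
# log's 'Bamital & volsnap Check' list (lower-cased for comparison).
EXPECTED_DIRS = {
    "winlogon.exe": {r"c:\windows\system32"},
    "wininit.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "services.exe": {r"c:\windows\system32"},
    "userinit.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


@dataclass(frozen=True)
class FrstFile:
    created: datetime
    modified: datetime
    size: int
    attrs: str
    company: Optional[str]
    path: str


def parse_line(line: str) -> Optional[FrstFile]:
    """Parse one FRST file line; return None for lines of another shape."""
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    fmt = "%Y-%m-%d %H:%M"
    return FrstFile(datetime.strptime(m["created"], fmt),
                    datetime.strptime(m["modified"], fmt),
                    int(m["size"]), m["attrs"], m["company"], m["path"])


def suspicious(f: FrstFile) -> Optional[str]:
    """Flag a core-binary name sitting outside its legitimate directory."""
    p = PureWindowsPath(f.path)
    name = p.name.lower()
    if name not in EXPECTED_DIRS:
        return None
    parent = str(p.parent).lower()
    if parent in EXPECTED_DIRS[name]:
        return None
    note = (f"{f.path}: {name} outside expected location(s) "
            f"{sorted(EXPECTED_DIRS[name])}")
    if f.created > f.modified:
        # A copy keeps the source mtime but receives a fresh ctime, so a
        # creation time newer than the modification time says the file
        # was placed here recently, whatever its version resource claims.
        note += (f"; created {f.created:%Y-%m-%d} after "
                 f"modified {f.modified:%Y-%m-%d}")
    return note


def scan(lines: Iterable[str]) -> list[str]:
    """Run the location check over FRST file lines and collect findings."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if f and (n := suspicious(f)):
            findings.append(n)
    return findings


# First two lines copied from the log above; the third is constructed.
SAMPLE = [
    r"2013-04-05 19:13 - 2009-07-13 20:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe",
    r"2013-03-12 02:10 - 2010-01-24 17:42 - 00282744 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe",
    r"2009-07-13 20:14 - 2010-11-20 13:27 - 00027136 ____A (Microsoft Corporation) C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print("ATTENTION:", finding)
```

Only the C:\Windows\svchost.exe line is reported: the MpSigStub.exe line is ignored because the name is not a core binary, and the constructed System32 copy passes because it is where FRST expects it. The check deliberately ignores the company string and relies only on the path and the two timestamps, both of which come from the file system rather than from the file's own contents.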

#13 Conspire (Malware Response Team)

Posted 15 April 2013 - 10:03 AM

Still need help?



#14 Conspire (Malware Response Team)

Posted 16 April 2013 - 07:17 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
