
Alureon Virus Removed - Now system won't boot up!


This topic is locked
13 replies to this topic

#1 quitclicking

quitclicking

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:10 AM

Posted 23 April 2013 - 09:38 AM

I am a newbie to your forum. I used Windows Defender Offline to remove the virus. Now it won't boot up. I found FRST64 instructions and I am attaching the txt file below. Attached File: FRST.txt (25.39KB)

Machine Specs: Windows 7 Home Prem. ASUS X53E. Please advise. Thank you for your assistance!!

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-04-2013
Ran by SYSTEM at 19-04-2013 12:08:34
Running from F:\
Windows 7 Home Premium   (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2589992 2011-04-12] (ELAN Microelectronics Corp.)
HKLM\...\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [361984 2011-03-21] (Alcor Micro Corp.)
HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /SF3  [2188904 2011-01-17] (Realtek Semiconductor)
HKLM\...\Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" [4526 2010-11-29] ()
HKLM\...\Run: [Trend Micro Titanium] "C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" -set Silent "1" SplashURL "" [1304296 2012-12-18] (Trend Micro Inc.)
HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [213824 2012-02-27] (Trend Micro Inc.)
HKLM-x32\...\Run: [Nuance PDF Reader-reminder] "C:\Program Files (x86)\Nuance\PDF Reader\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\PDF Reader\Ereg\Ereg.ini" [370 2013-04-19] ()
HKLM-x32\...\Run: [ASUSPRP] "C:\Program Files (x86)\ASUS\APRP\APRP.EXE" [2018032 2011-04-01] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSPanel.exe /S [731472 2011-02-23] (ecareme)
HKLM-x32\...\Run: [SonicMasterTray] C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe [984400 2010-07-09] (Virage Logic Corporation / Sonic Focus)
HKLM-x32\...\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [5732992 2010-08-17] (ASUS)
HKLM-x32\...\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [170624 2010-10-07] (ASUS)
HKLM-x32\...\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [2319536 2011-10-18] (ASUS)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)
HKLM-x32\...\Run: [NBAgent] "C:\Program Files (x86)\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe" /WinStart [1086760 2010-03-14] (Nero AG)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.)
HKU\Carol's Asus\...\Run: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59872 2012-12-17] (Apple Inc.)
HKU\Carol's Asus\...\Run: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59872 2012-12-17] (Apple Inc.)
HKU\Carol's Asus\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5629312 2012-11-01] (SUPERAntiSpyware.com)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Startup: C:\ProgramData\Start Menu\Programs\Startup\AsusVibeLauncher.lnk
ShortcutTarget: AsusVibeLauncher.lnk -> C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe (ASUSTeK Computer Inc.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\FancyStart daemon.lnk
ShortcutTarget: FancyStart daemon.lnk -> C:\Windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_94E3CE3704FE82FBF49A6A.exe ()
Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (No File)
Startup: C:\Users\Carol\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\V CAST Media Monitor.lnk
ShortcutTarget: V CAST Media Monitor.lnk -> C:\Program Files\V CAST Media Manager\MEMonitor.exe (No File)
Startup: C:\Users\Carol's Asus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\Carol's Asus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel® Turbo Boost Technology Monitor 2.0.lnk
ShortcutTarget: Intel® Turbo Boost Technology Monitor 2.0.lnk -> C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe (Intel® Corporation)
Startup: C:\Users\Carol's Asus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2012-07-11] (SUPERAntiSpyware.com)
2 ATKGFNEXSrv; C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe [96896 2009-12-15] (ASUS)
2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad [x]

==================== Drivers (Whitelisted) =====================

1 ATKWMIACPIIO; \??\C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [17536 2011-05-25] (ASUS)
3 kbfiltr; C:\Windows\System32\Drivers\kbfiltr.sys [15416 2009-07-20] ( )
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 tmactmon; C:\Windows\System32\Drivers\tmactmon.sys [107048 2012-09-24] (Trend Micro Inc.)
1 tmcomm; C:\Windows\System32\Drivers\tmcomm.sys [173504 2012-09-24] (Trend Micro Inc.)
3 tmeevw; C:\Windows\System32\Drivers\tmeevw.sys [67344 2011-12-18] (Trend Micro Inc.)
1 tmevtmgr; C:\Windows\System32\Drivers\tmevtmgr.sys [77184 2012-09-24] (Trend Micro Inc.)
3 tmnciesc; C:\Windows\System32\Drivers\tmnciesc.sys [210704 2011-12-18] (Trend Micro Inc.)
1 tmtdi; C:\Windows\System32\Drivers\tmtdi.sys [105744 2011-12-18] (Trend Micro Inc.)
3 48189316;  [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-04-19 08:18 - 2013-04-19 09:18 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-04-19 00:26 - 2013-04-19 07:49 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-04-19 00:10 - 2013-04-19 00:10 - 00000000 ____D C:\ProgramData\McAfee
2013-04-18 22:19 - 2013-04-19 09:11 - 00000000 ____D C:\Windows\softwaredistribution.bak2
2013-04-18 22:07 - 2013-04-18 22:08 - 00000000 ____D C:\Windows\softwaredistribution.bak1
2013-04-18 22:06 - 2013-04-18 22:19 - 00001152 ____A C:\Users\Carol's Asus\Desktop\Windows Update Troubleshooting Info.lnk
2013-04-18 21:59 - 2013-04-18 21:59 - 00003014 ____A C:\Windows\PFRO.log
2013-04-18 21:51 - 2013-04-18 21:51 - 00262144 ____A C:\Windows\Minidump\041913-23992-01.dmp
2013-04-18 21:48 - 2013-04-18 21:48 - 00262144 ____A C:\Windows\Minidump\041913-21871-01.dmp
2013-04-18 21:37 - 2013-04-18 21:38 - 00262144 ____A C:\Windows\Minidump\041913-24351-01.dmp
2013-04-18 21:34 - 2013-04-18 21:34 - 00271984 ____A C:\Windows\Minidump\041913-34991-01.dmp
2013-04-18 21:31 - 2013-04-18 21:32 - 02240352 ____A (Kaspersky Lab ZAO) C:\Users\Carol's Asus\Downloads\tdsskiller.exe
2013-04-18 21:24 - 2013-04-18 21:24 - 00262144 ____A C:\Windows\Minidump\041913-16083-01.dmp
2013-04-18 21:06 - 2013-04-18 21:07 - 00271984 ____A C:\Windows\Minidump\041913-30451-01.dmp
2013-04-18 20:54 - 2013-04-18 20:54 - 00271984 ____A C:\Windows\Minidump\041813-39405-01.dmp
2013-04-18 20:49 - 2013-04-18 20:49 - 00262144 ____A C:\Windows\Minidump\041813-39265-01.dmp
2013-04-18 20:48 - 2013-04-18 21:51 - 516616101 ____A C:\Windows\MEMORY.DMP
2013-04-18 20:46 - 2013-04-18 20:47 - 13475464 ____A (Microsoft Corporation) C:\Users\Carol's Asus\Downloads\mseinstall.exe
2013-04-18 20:39 - 2013-04-19 00:06 - 00000607 ____A C:\Windows\setupact.log
2013-04-18 20:39 - 2013-04-18 20:39 - 00000000 ____A C:\Windows\setuperr.log
2013-04-18 20:38 - 2013-04-18 20:38 - 00086444 ____A C:\Users\Carol's Asus\Documents\cc_20130418_233800.reg
2013-04-18 20:27 - 2013-04-18 20:27 - 04316280 ____A (Piriform Ltd) C:\Users\Carol's Asus\Downloads\ccsetup400.exe
2013-04-18 20:27 - 2013-04-18 20:27 - 00000824 ____A C:\Users\Public\Desktop\CCleaner.lnk
2013-04-18 20:27 - 2013-04-18 20:27 - 00000000 ____D C:\Program Files\CCleaner
2013-04-18 20:23 - 2013-04-01 16:58 - 72702784 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-04-18 17:03 - 2013-04-18 17:03 - 00001810 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2013-04-18 11:18 - 2013-04-18 11:18 - 00000000 ____D C:\Users\Carol's Asus\AppData\Roaming\SUPERAntiSpyware.com
2013-04-18 11:17 - 2013-04-18 17:04 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2013-04-18 11:17 - 2013-04-18 11:17 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2013-04-12 17:00 - 2013-02-21 22:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-04-12 17:00 - 2013-02-21 22:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-04-12 17:00 - 2013-02-21 19:34 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-04-12 17:00 - 2013-02-21 19:31 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-04-12 17:00 - 2013-02-21 19:31 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-04-12 17:00 - 2013-02-21 19:28 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-04-12 16:59 - 2013-02-21 22:57 - 17817088 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-04-12 16:59 - 2013-02-21 22:29 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-04-12 16:59 - 2013-02-21 22:27 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-04-12 16:59 - 2013-02-21 22:21 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-04-12 16:59 - 2013-02-21 22:20 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-04-12 16:59 - 2013-02-21 22:19 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-04-12 16:59 - 2013-02-21 22:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-04-12 16:59 - 2013-02-21 22:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-04-12 16:59 - 2013-02-21 22:15 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-04-12 16:59 - 2013-02-21 22:15 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-04-12 16:59 - 2013-02-21 22:15 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-04-12 16:59 - 2013-02-21 22:14 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-04-12 16:59 - 2013-02-21 22:13 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-04-12 16:59 - 2013-02-21 22:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-04-12 16:59 - 2013-02-21 20:05 - 12324352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-04-12 16:59 - 2013-02-21 19:47 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-04-12 16:59 - 2013-02-21 19:46 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-04-12 16:59 - 2013-02-21 19:38 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-04-12 16:59 - 2013-02-21 19:38 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-04-12 16:59 - 2013-02-21 19:37 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-04-12 16:59 - 2013-02-21 19:36 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-04-12 16:59 - 2013-02-21 19:35 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-04-12 16:59 - 2013-02-21 19:34 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-04-12 16:59 - 2013-02-21 19:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-04-12 16:59 - 2013-02-21 19:33 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-04-12 16:59 - 2013-02-21 19:32 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-04-10 15:37 - 2013-02-28 19:36 - 03153408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-04-10 15:37 - 2013-02-14 22:02 - 00158720 ____A (Microsoft Corporation) C:\Windows\System32\aaclient.dll
2013-04-10 15:37 - 2013-02-14 20:37 - 03217408 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2013-04-10 15:37 - 2013-02-14 20:34 - 00131584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2013-04-10 15:37 - 2013-02-14 19:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll
2013-04-10 15:36 - 2013-02-11 20:12 - 00019968 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys
2013-04-10 15:36 - 2013-01-23 22:01 - 00223752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fvevol.sys
2013-04-10 00:41 - 2013-04-10 00:41 - 00000000 ____D C:\Users\Default\AppData\Roaming\Apple Computer
2013-04-10 00:41 - 2013-04-10 00:41 - 00000000 ____D C:\Users\Default\AppData\Local\Apple Computer
2013-04-10 00:41 - 2013-04-10 00:41 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Apple Computer
2013-04-10 00:41 - 2013-04-10 00:41 - 00000000 ____D C:\Users\Default User\AppData\Local\Apple Computer
2013-04-09 23:56 - 2013-04-09 23:56 - 00000000 ____D C:\Windows\Sun
2013-04-09 21:49 - 2013-02-14 22:08 - 00044032 ____A (Microsoft Corporation) C:\Windows\System32\tsgqec.dll
2013-04-09 21:49 - 2013-02-14 22:06 - 03717632 ____A (Microsoft Corporation) C:\Windows\System32\mstscax.dll


==================== One Month Modified Files and Folders =======

2013-04-19 09:20 - 2011-12-18 10:36 - 00000000 ____D C:\users\Carol's Asus
2013-04-19 09:18 - 2013-04-19 08:18 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-04-19 09:18 - 2012-02-25 11:43 - 00000000 ____D C:\ProgramData\P4G
2013-04-19 09:18 - 2012-01-01 09:28 - 00000000 ____D C:\Program Files (x86)\Java
2013-04-19 09:14 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-04-19 09:11 - 2013-04-18 22:19 - 00000000 ____D C:\Windows\softwaredistribution.bak2
2013-04-19 09:11 - 2012-01-10 17:11 - 00000000 ____D C:\Users\Carol's Asus\AppData\Roaming\SoftGrid Client
2013-04-19 09:11 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2013-04-19 07:49 - 2013-04-19 00:26 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-04-19 00:12 - 2011-09-24 23:10 - 01185808 ____A C:\Windows\WindowsUpdate.log
2013-04-19 00:10 - 2013-04-19 00:10 - 00000000 ____D C:\ProgramData\McAfee
2013-04-19 00:07 - 2012-08-31 18:47 - 00000000 ___RD C:\Users\Carol's Asus\Dropbox
2013-04-19 00:07 - 2012-08-31 18:44 - 00000000 ____D C:\Users\Carol's Asus\AppData\Roaming\Dropbox
2013-04-19 00:06 - 2013-04-18 20:39 - 00000607 ____A C:\Windows\setupact.log
2013-04-19 00:06 - 2011-12-18 10:37 - 00000000 ___HD C:\ASUS.DAT
2013-04-19 00:06 - 2011-09-24 23:26 - 00045056 ____A C:\Windows\SysWOW64\acovcnt.exe
2013-04-19 00:06 - 2011-04-01 20:36 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-04-19 00:06 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-18 23:45 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-18 23:45 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-18 22:24 - 2011-09-24 23:24 - 00001200 ____A C:\Windows\System32\ServiceFilter.ini
2013-04-18 22:19 - 2013-04-18 22:06 - 00001152 ____A C:\Users\Carol's Asus\Desktop\Windows Update Troubleshooting Info.lnk
2013-04-18 22:17 - 2011-09-24 23:13 - 00000000 ____D C:\Program Files (x86)\Intel
2013-04-18 22:08 - 2013-04-18 22:07 - 00000000 ____D C:\Windows\softwaredistribution.bak1
2013-04-18 21:59 - 2013-04-18 21:59 - 00003014 ____A C:\Windows\PFRO.log
2013-04-18 21:51 - 2013-04-18 21:51 - 00262144 ____A C:\Windows\Minidump\041913-23992-01.dmp
2013-04-18 21:51 - 2013-04-18 20:48 - 516616101 ____A C:\Windows\MEMORY.DMP
2013-04-18 21:51 - 2013-02-28 21:35 - 00000000 ____D C:\Windows\Minidump
2013-04-18 21:48 - 2013-04-18 21:48 - 00262144 ____A C:\Windows\Minidump\041913-21871-01.dmp
2013-04-18 21:38 - 2013-04-18 21:37 - 00262144 ____A C:\Windows\Minidump\041913-24351-01.dmp
2013-04-18 21:34 - 2013-04-18 21:34 - 00271984 ____A C:\Windows\Minidump\041913-34991-01.dmp
2013-04-18 21:32 - 2013-04-18 21:31 - 02240352 ____A (Kaspersky Lab ZAO) C:\Users\Carol's Asus\Downloads\tdsskiller.exe
2013-04-18 21:24 - 2013-04-18 21:24 - 00262144 ____A C:\Windows\Minidump\041913-16083-01.dmp
2013-04-18 21:07 - 2013-04-18 21:06 - 00271984 ____A C:\Windows\Minidump\041913-30451-01.dmp
2013-04-18 20:54 - 2013-04-18 20:54 - 00271984 ____A C:\Windows\Minidump\041813-39405-01.dmp
2013-04-18 20:49 - 2013-04-18 20:49 - 00262144 ____A C:\Windows\Minidump\041813-39265-01.dmp
2013-04-18 20:47 - 2013-04-18 20:46 - 13475464 ____A (Microsoft Corporation) C:\Users\Carol's Asus\Downloads\mseinstall.exe
2013-04-18 20:43 - 2011-04-01 20:36 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-04-18 20:39 - 2013-04-18 20:39 - 00000000 ____A C:\Windows\setuperr.log
2013-04-18 20:38 - 2013-04-18 20:38 - 00086444 ____A C:\Users\Carol's Asus\Documents\cc_20130418_233800.reg
2013-04-18 20:31 - 2009-07-28 22:03 - 00000000 ____D C:\Windows\Panther
2013-04-18 20:27 - 2013-04-18 20:27 - 04316280 ____A (Piriform Ltd) C:\Users\Carol's Asus\Downloads\ccsetup400.exe
2013-04-18 20:27 - 2013-04-18 20:27 - 00000824 ____A C:\Users\Public\Desktop\CCleaner.lnk
2013-04-18 20:27 - 2013-04-18 20:27 - 00000000 ____D C:\Program Files\CCleaner
2013-04-18 20:07 - 2011-04-01 20:49 - 00000000 ____D C:\ProgramData\Trend Micro
2013-04-18 20:02 - 2011-09-24 23:24 - 00002264 ____A C:\Windows\System32\AutoRunFilter.ini
2013-04-18 17:04 - 2013-04-18 11:17 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2013-04-18 17:04 - 2009-07-13 21:13 - 00742894 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-18 17:03 - 2013-04-18 17:03 - 00001810 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2013-04-18 11:18 - 2013-04-18 11:18 - 00000000 ____D C:\Users\Carol's Asus\AppData\Roaming\SUPERAntiSpyware.com
2013-04-18 11:17 - 2013-04-18 11:17 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2013-04-18 10:35 - 2013-02-19 16:01 - 00002257 ____A C:\Users\Carol's Asus\Desktop\Internet Browser.lnk
2013-04-18 10:32 - 2009-07-13 21:08 - 00023758 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-04-13 09:09 - 2012-08-31 18:47 - 00001047 ____A C:\Users\Carol's Asus\Desktop\Dropbox.lnk
2013-04-13 09:06 - 2009-07-13 20:45 - 00288816 ____A C:\Windows\System32\FNTCACHE.DAT
2013-04-12 21:19 - 2012-04-29 21:09 - 03604480 ____A C:\Users\Carol's Asus\Desktop\Carol's Asus's Quicken Data.QDF-backup
2013-04-10 17:59 - 2013-03-15 20:34 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-04-10 17:59 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-04-10 00:41 - 2013-04-10 00:41 - 00000000 ____D C:\Users\Default\AppData\Roaming\Apple Computer
2013-04-10 00:41 - 2013-04-10 00:41 - 00000000 ____D C:\Users\Default\AppData\Local\Apple Computer
2013-04-10 00:41 - 2013-04-10 00:41 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Apple Computer
2013-04-10 00:41 - 2013-04-10 00:41 - 00000000 ____D C:\Users\Default User\AppData\Local\Apple Computer
2013-04-09 23:56 - 2013-04-09 23:56 - 00000000 ____D C:\Windows\Sun
2013-04-01 16:58 - 2013-04-18 20:23 - 72702784 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-03-25 16:32 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache


ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-04-12 21:19:46
Restore point made on: 2013-04-14 00:00:47
Restore point made on: 2013-04-14 07:16:20
Restore point made on: 2013-04-18 10:36:32
Restore point made on: 2013-04-18 14:09:51
Restore point made on: 2013-04-18 20:23:13
Restore point made on: 2013-04-18 22:03:56
Restore point made on: 2013-04-18 22:15:02
Restore point made on: 2013-04-18 22:31:53
Restore point made on: 2013-04-18 22:34:44
Restore point made on: 2013-04-18 23:46:18
Restore point made on: 2013-04-19 00:11:07
Restore point made on: 2013-04-19 00:13:01

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 5921.14 MB
Available physical RAM: 5266.73 MB
Total Pagefile: 5919.29 MB
Available Pagefile: 5258.35 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:238.47 GB) (Free:91.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive c: detected. Check for MBR/Partition infection.
2 Drive d: (DATA) (Fixed) (Total:332.7 GB) (Free:332.57 GB) NTFS
3 Drive e: (RECOVERY) (Fixed) (Total:24.98 GB) (Free:12.95 GB) FAT32 ==>[System with boot components (obtained from reading drive)]
4 Drive f: (Apr 19 2013) (CDROM) (Total:0.69 GB) (Free:0.66 GB) UDF
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          596 GB  1024 KB         

Partitions of Disk 0:
===============

Disk ID: AA9693FE

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary             25 GB  1024 KB
  Partition 2    Primary            238 GB    25 GB
  Partition 0    Extended           332 GB   263 GB
  Partition 3    Logical            332 GB   263 GB

==================================================================================

Disk: 0
Partition 1
Type  : 0C
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     E   RECOVERY     FAT32  Partition     25 GB  Healthy            

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   OS           NTFS   Partition    238 GB  Healthy            

=========================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     D   DATA         NTFS   Partition    332 GB  Healthy            

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: AA9693FE

Partition 1:
=========
Hex: 002021000CFEFFFF0008000000002003
Active: NO
Type: 0C
Size: 25 GB

Partition 2:
=========
Hex: 80FEFFFF07FEFFFF000820030000CF1D
Active: YES
Type: 07 (NTFS)
Size: 238 GB

Partition 3:
=========
Hex: 00FEFFFF0FFEFFFF0008EF2000709629
Active: NO
Type: 0F (Extended)
Size: 333 GB


Last Boot: 2013-04-13 21:06

==================== End Of Log =============================


Edited by Noviciate, 23 April 2013 - 04:04 PM.
Log added from attachment.
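The partition table dump at the end of the log is worth decoding by hand rather than trusting the summary lines. The Python below is an added example, not part of the original post and not FRST code: it decodes the three 16-byte MBR entries exactly as printed in the "Hex:" lines above, cross-checks them against the sizes and offsets FRST reports, and runs the sanity checks a responder applies when a tool says "check for MBR/partition infection" (exactly one active entry, no overlaps, no sizeable unallocated space after the last partition where a hidden partition could sit). The 512-byte sector size and the 1 GiB slack threshold are assumptions. An intact table does not clear the disk: TDL4 lives in the MBR boot code and, per this log, in a custom BCD element, neither of which a partition-table parser sees.

```python
"""Decode and sanity-check the MBR partition entries FRST prints.

Added example for this thread, not code from FRST or the forum. The three hex
strings are copied from the log's "MBR Partition Table" section; the checks are
generic heuristics. Assumptions: 512-byte sectors, 1 GiB of tolerated slack.
"""
import struct
from dataclasses import dataclass

SECTOR = 512              # assumption: 512-byte logical sectors (FRST's offsets agree)
GIB = 1024 ** 3
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count

TYPE_NAMES = {
    0x00: "empty", 0x05: "Extended (CHS)", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x27: "Hidden NTFS (WinRE)",
}

# Copied from the log: the "Hex:" line of each partition, in table order
FRST_ENTRIES = [
    "002021000CFEFFFF0008000000002003",   # Partition 1, RECOVERY (E:)
    "80FEFFFF07FEFFFF000820030000CF1D",   # Partition 2, OS (C:), active
    "00FEFFFF0FFEFFFF0008EF2000709629",   # Partition 3, extended container for DATA (D:)
]


@dataclass
class MbrEntry:
    index: int
    status: int
    ptype: int
    lba_start: int
    sectors: int

    @property
    def active(self) -> bool:
        return self.status == 0x80

    @property
    def lba_end(self) -> int:      # first sector after the partition
        return self.lba_start + self.sectors

    @property
    def size_gib(self) -> float:
        return self.sectors * SECTOR / GIB

    def describe(self) -> str:
        name = TYPE_NAMES.get(self.ptype, "unknown")
        return (f"#{self.index} type 0x{self.ptype:02X} ({name}), "
                f"{'active' if self.active else 'inactive'}, "
                f"start LBA {self.lba_start} ({self.lba_start * SECTOR / GIB:.2f} GiB), "
                f"size {self.size_gib:.2f} GiB")


def parse_entry(index: int, hexstr: str) -> MbrEntry:
    raw = bytes.fromhex(hexstr)
    if len(raw) != 16:
        raise ValueError(f"entry {index}: expected 16 bytes, got {len(raw)}")
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(ENTRY_FMT, raw)
    if status not in (0x00, 0x80):
        # anything else is an invalid boot indicator: a trashed or hand-edited table
        raise ValueError(f"entry {index}: invalid status byte 0x{status:02X}")
    return MbrEntry(index, status, ptype, lba_start, sectors)


def check_table(entries, disk_sectors=None, slack_gib=1.0):
    """Return a list of findings; an empty list means the table itself looks sane."""
    findings = []
    used = [e for e in entries if e.ptype != 0x00]
    active = [e for e in used if e.active]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for e in used:
        if e.lba_start == 0 or e.sectors == 0:
            findings.append(f"entry #{e.index} has a zero start or length")
    ordered = sorted(used, key=lambda e: e.lba_start)
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt.lba_start < prev.lba_end:
            findings.append(f"entries #{prev.index} and #{nxt.index} overlap")
    if disk_sectors is not None and ordered:
        trailing = disk_sectors - ordered[-1].lba_end
        if trailing < 0:
            findings.append(f"entry #{ordered[-1].index} runs past the end of the disk")
        elif trailing * SECTOR / GIB > slack_gib:
            findings.append(f"{trailing * SECTOR / GIB:.2f} GiB unallocated after the last "
                            "partition (hidden partition?)")
    return findings


def analyze(hex_entries, disk_sectors=None):
    """Parse a list of hex entries and return (entries, findings)."""
    entries = [parse_entry(i + 1, h) for i, h in enumerate(hex_entries)]
    return entries, check_table(entries, disk_sectors)


if __name__ == "__main__":
    entries, findings = analyze(FRST_ENTRIES)
    for e in entries:
        print(e.describe())
    print("findings:", findings or "none")
```

On this disk the entries decode to a 25 GiB FAT32 recovery partition at 1 MiB, a 238.47 GiB active NTFS OS partition, and a 332.7 GiB extended container, each starting exactly where the previous one ends, matching the sizes FRST lists and leaving no room for a hidden partition at the end of the 596 GB disk. That is consistent with the helper's choice of a BCD fix rather than a partition-table repair.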



#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:10 AM

Posted 23 April 2013 - 04:16 PM

Good evening. :)

Copy and paste the following text into a new Notepad window and save it alongside FRST as fixlist.txt:

TDL4: custom:26000022

Run FRST as previously, but this time click the Fix button just once and wait.
Once complete the results will be written to the textfile Fixlog.txt, saved alongside FRST as before - please let me have the contents of the file in your next reply.

Also, try to boot the PC normally and tell me what happens.

 

 


So long, and thanks for all the fish.
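After the fixlist removes the element, verify it on the repaired machine rather than taking Fixlog's word for it. The script below is an added example, not part of the thread and not FRST or bcdedit code: it parses the text that `bcdedit /enum all` prints (the sample embedded in it is constructed; only the element name custom:26000022 comes from the log), lists every element bcdedit could not give a friendly name to, and decodes the type value's documented layout (object class in the top nibble, data format in the next, subtype in the low 24 bits; 0x26000022 is an application-scope boolean). Public TDL4 analyses identify that boolean as the OS loader's WinPE-mode switch, used to relax driver-signing enforcement, but that is outside what this log shows. Running with --live assumes a Windows host, an elevated prompt and bcdedit on PATH.

```python
"""List custom (unnamed) BCD elements in bcdedit output.

Added example, not part of the thread and not FRST or bcdedit code. The sample
output is constructed to mimic `bcdedit /enum all` on Windows 7; the only real
datum in it is the element name FRST flagged, custom:26000022.
"""
import re
import subprocess
import sys

SAMPLE_BCD_OUTPUT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
default                 {current}
displayorder            {current}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
osdevice                partition=C:
systemroot              \\Windows
custom:26000022         Yes
"""

# Documented layout of a 32-bit BCD element type value
ELEMENT_CLASS = {1: "library", 2: "application", 3: "device"}
ELEMENT_FORMAT = {1: "device", 2: "string", 3: "object", 4: "object list",
                  5: "integer", 6: "boolean", 7: "integer list"}


def parse_bcd(text: str) -> dict:
    """Map each BCD object identifier to its {element: value} pairs."""
    objects, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line separates objects
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                # dashed separator lines
        key, value = parts[0], parts[1].strip()
        if key == "identifier":
            current = value
            objects[current] = {}
        elif current is not None:
            objects[current][key] = value
    return objects


def describe_element_type(hex8: str) -> str:
    """Decode class (bits 28-31), format (bits 24-27) and subtype (bits 0-23)."""
    t = int(hex8, 16)
    cls = ELEMENT_CLASS.get(t >> 28, "unknown")
    fmt = ELEMENT_FORMAT.get((t >> 24) & 0xF, "unknown")
    return f"{cls} {fmt} element, subtype 0x{t & 0xFFFFFF:06X}"


def custom_elements(text: str):
    """Return [(identifier, type_hex, value)] for every custom:XXXXXXXX line.

    bcdedit prints an element it has no name for as custom:<type>; a stock
    Windows 7 BCD has none, so any hit deserves a look.
    """
    hits = []
    for ident, elems in parse_bcd(text).items():
        for key, value in elems.items():
            m = re.fullmatch(r"custom:([0-9a-fA-F]{8})", key)
            if m:
                hits.append((ident, m.group(1).lower(), value))
    return hits


def is_clean(text: str) -> bool:
    return not custom_elements(text)


def live_bcd_text() -> str:
    """Run bcdedit on the machine under examination (Windows, elevated prompt)."""
    return subprocess.run(["bcdedit", "/enum", "all"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    text = live_bcd_text() if "--live" in sys.argv else SAMPLE_BCD_OUTPUT
    for ident, type_hex, value in custom_elements(text):
        print(f"{ident}: custom:{type_hex} = {value} ({describe_element_type(type_hex)})")
    print("clean" if is_clean(text) else "custom BCD elements present")
```

Run it before and after applying the fixlist: the first run should report the element on the loader object, the second should print "clean". If the element comes back after a reboot, the MBR boot code is still reinstalling it and the partition table check above is not enough.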

 

 


#3 quitclicking

quitclicking
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:10 AM

Posted 23 April 2013 - 04:54 PM

Attached File: Fixlog.txt (306 bytes). Attached is the fixlog.txt. I want to kiss you right now! :bananas: Thank you SO VERY MUCH!!! The computer has rebooted. I was able to log in. Please advise my next step.



#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:10 AM

Posted 24 April 2013 - 02:15 PM

Good evening. :)

"I want to kiss you right now!"

And it's not even Christmas! :blush:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:
    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Finally, please go here, follow step six, and then post accordingly into this thread.


So long, and thanks for all the fish.

 

 


#5 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:10 AM

Posted 24 April 2013 - 02:15 PM

Double post deleted.


Edited by Noviciate, 24 April 2013 - 02:17 PM.

So long, and thanks for all the fish.

 

 


#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:10 AM

Posted 24 April 2013 - 02:15 PM

Double post deleted.


Edited by Noviciate, 24 April 2013 - 02:16 PM.

So long, and thanks for all the fish.

 

 


#7 quitclicking

quitclicking
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:10 AM

Posted 25 April 2013 - 06:22 PM

Well that definitely took a while to run LOL! Below is a list of threats it found:

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\155a3259-5b78e6fb multiple threats
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\155a3259-5b78e6fb multiple threats
F:\PC\Software\Nero\Setupx.exe a variant of Win32/Bundled.Toolbar.Ask.A application
F:\Treys Toshiba\20111224_150346_Trey Toshiba18.nba a variant of Win32/Bundled.Toolbar.Ask.A application
F:\Carols Asus\20130316_102024_Carol's Asus225.nba a variant of Win32/Bundled.Toolbar.Ask.A application

FYI - The F drive is their backup drive. I had run a virus scan on that previously and thought it had cleaned everything. Obviously not :-/



#8 quitclicking

quitclicking
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:10 AM

Posted 26 April 2013 - 09:14 AM

I manually searched for the C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache and it doesn't exist.  The 2nd directory does exist though.



#9 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:10 AM

Posted 26 April 2013 - 02:07 PM

Good evening. :)

Finally, please go here, follow step six, and then post accordingly into this thread.

 


So long, and thanks for all the fish.

 

 


#10 quitclicking

quitclicking
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:10 AM

Posted 26 April 2013 - 02:22 PM

I had to get the computer back to my friend. I believe from what I read the Ask toolbar is debated as to whether or not it is malware. It was no longer installed on their system. Since the last three items are on their backup, which they are not likely to restore from, I am not going to worry about it. Java was no longer installed on the computer either, so I don't believe it is a threat either. I would say we can close out this thread and if they continue to have issues they will get back to me. I ran CCleaner. I have updated their Windows. I have turned back on their System Restore. They have a good backup, and a repair disk has been made. Antivirus software is running and up-to-date. I appreciate your help getting their system back up and running. Sorry, I just ran out of time and I didn't realize that I could run step 6 without hearing back from you. THANK YOU SO VERY MUCH!!



#11 quitclicking

quitclicking
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:10 AM

Posted 26 April 2013 - 02:23 PM

I guess I could get them to run DDS and have them send the log to me.  Maybe I should get them to do that before you close out this thread?  What do you think?



#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:10 AM

Posted 26 April 2013 - 04:26 PM

Given that Java has been removed, just delete the folder C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun and call that it. The other three detections are due to the Ask Toolbar installer bundled with various stuff and it is usually optional anyway.

I'd call this one done and if there are further issues just start a new thread.

 

 


So long, and thanks for all the fish.

 

 


#13 quitclicking

quitclicking
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:10 AM

Posted 26 April 2013 - 04:28 PM

Wonderful!  Thanks again!  :thumbup2:



#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:10 AM

Posted 27 April 2013 - 03:33 PM

As this issue appears to have been resolved, this thread is now closed.


So long, and thanks for all the fish.

 

 




