
FRST64 - explorer.exe is infected


  • This topic is locked
44 replies to this topic

#1 jasonfarren

Posted 28 May 2013 - 07:23 PM

Windows 7 Home Premium Edition (64 bit)...won't boot, safe mode a no-go, no Windows discs available.  Ran FRST64 off USB drive, and received the following:

 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-05-2013
Ran by SYSTEM on 28-05-2013 17:47:14
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
Attention: Could not load system hive.
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: []  [x]
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11663976 2010-12-09] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3  [2186856 2010-12-10] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2107176 2010-03-11] (Synaptics Incorporated)
HKLM\...\Run: [ThpSrv] C:\windows\system32\thpsrv /logon [x]
HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1519016 2010-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1933584 2010-12-07] (Intel® Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [711576 2010-11-16] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [38304 2010-07-09] (TOSHIBA Corporation)
HKLM\...\Run: [IntelliType Pro] "c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe" [1464944 2012-11-02] (Microsoft Corporation)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe" [2076272 2012-11-02] (Microsoft Corporation)
HKLM-x32\...\Winlogon: [Shell] explorer.exe [2614784 2011-02-25] ()
HKLM-x32\...\Run: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL [532480 2010-11-09] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP [423936 2010-03-04] (TOSHIBA Electronics, Inc.)
HKLM-x32\...\Run: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe [35440 2010-09-14] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe [x]
HKLM-x32\...\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2475384 2010-11-02] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED [3218792 2010-08-17] (Toshiba)
HKLM-x32\...\Run: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [552960 2010-09-23] (Toshiba)
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2011-06-07] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2009-11-18] (Hewlett-Packard)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe  startup [2643320 2012-10-25] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254896 2012-09-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Sendori Tray] "C:\Program Files (x86)\Sendori\SendoriTray.exe" [82792 2012-12-10] (Sendori, Inc.)
HKLM-x32\...\Run: [Nuance PDF Reader-reminder] "C:\Program Files (x86)\Nuance\PDF Reader\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\PDF Reader\Ereg\Ereg.ini" [333088 2010-07-05] (Nuance Communications, Inc.)
HKU\obeb\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-12-28] (Google Inc.)
HKU\obeb\...\Run: [GenieoUpdaterService] "C:\Users\obeb\AppData\Roaming\Genieo\Application\Updater\bin\genupdater.exe" -wait 5 [291680 2013-04-08] ()
HKU\obeb\...\Run: [GenieoSystemTray] "C:\Users\obeb\AppData\Roaming\Genieo\Application\TrayUi\bin\gentray.exe" [529248 2013-04-08] ()
HKU\obeb\...\Run: [ISUSPM] "C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe" -scheduler [222496 2009-05-05] (Acresso Corporation)
HKU\obeb\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18705664 2013-01-08] (Skype Technologies S.A.)
HKU\obeb\...\Run: [OpenDNS Updater] "C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" /autostart [839680 2010-06-16] ()
Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Intuit Data Protect.lnk
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe (McAfee, Inc.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files (x86)\Intuit\QuickBooks 2012\QBW32.EXE (Intuit Inc.)
Startup: C:\Users\obeb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
BootExecute: 
 
==================== Services (Whitelisted) =================
 
 
==================== Drivers (Whitelisted) ====================
 
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-05-28 17:00 - 2013-05-28 17:47 - 00000000 ____D C:\FRST
 
==================== One Month Modified Files and Folders =======
 
2013-05-28 17:47 - 2013-05-28 17:00 - 00000000 ____D C:\FRST
 
Other Malware:
===========
C:\Users\obeb\g2mdlhlpx.exe
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe
[2011-07-06 16:07] - [2011-02-25 21:33] - 2614784 ____A () 9793E91A7FC0EB30F67F7544AC7DC60B
 
C:\Windows\SysWOW64\explorer.exe IS INFECTED. <===== ATTENTION!
 
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-04-22 04:41:56
 
==================== Memory info =========================== 
 
Percentage of memory in use: 10%
Total physical RAM: 6050.69 MB
Available physical RAM: 5401.11 MB
Total Pagefile: 6048.84 MB
Available Pagefile: 5390.33 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB
 
==================== Drives ================================
 
Drive c: (TI106051W0J) (Fixed) (Total:581.71 GB) (Free:509.27 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]
Drive f: () (Removable) (Total:3.67 GB) (Free:3.53 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows Vista) (Size: 596 GB) (Disk ID: D82D6D2D)
Partition 1: (Active) - (Size=1 GB) - (Type=27)
Partition 2: (Not Active) - (Size=582 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=13 GB) - (Type=17)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 4 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=4 GB) - (Type=0B)
 
 
Last Boot: 2013-04-24 16:04
 
==================== End Of Log ============================

 

Fixable...?  Or shall I prepare the sledge hammer of death?

 

Thank you - Jason

 

 




 


#2 jntkwx

Posted 30 May 2013 - 10:44 AM

jasonfarren,

Welcome to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code or quote boxes (unless explicitly asked to)
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

In the upper right hand corner of the topic you will see the Follow This Topic button. Click on this, then choose Receive Notification Immediately, and then click Follow This Topic. You will be sent an email once I have posted a response, which makes the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

 
I do think we can fix this. :)

Rerun FRST
Boot to System Recovery Options and run FRST.
Type the following in the edit box after "Search:".

explorer.exe

Click the Search button and post the log (Search.txt) it makes in your reply.


Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#3 jasonfarren

Posted 30 May 2013 - 08:00 PM

Hi Jason -

 

Ran the search...here's the txt file info:

 

Farbar Recovery Scan Tool (x64) Version: 27-05-2013
Ran by SYSTEM at 2013-05-30 17:37:13
Running from F:\
Boot Mode: Recovery
 
================== Search: "explorer.exe" ===================
 
C:\Windows\explorer.exe
[2011-07-06 16:07] - [2011-02-25 22:23] - 2870272 ____A (Microsoft Corporation) 0862495E0C825893DB75EF44FAEA8E93
 
C:\Windows\SysWOW64\explorer.exe
[2011-07-06 16:07] - [2011-02-25 21:33] - 2614784 ____A () E4328156B80EDF02E05E15675C0270B5
 
====== End Of Search ======
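
Across the two scans posted so far, C:\Windows\SysWOW64\explorer.exe appears with an empty company field and a different MD5 each time, at the same size and timestamps. The Python sketch below is an added example (not part of any post in this thread and not FRST's own code) that parses entries in that layout and flags both conditions; the field layout is inferred from the logs quoted here, and `parse_entries` and `triage` are hypothetical names.

```python
import re
from collections import defaultdict

# Sample input: the explorer.exe entries quoted from the two FRST outputs
# posted above (the 28 May scan and the 30 May Search.txt), embedded inline.
SCAN_1 = r"""
C:\Windows\SysWOW64\explorer.exe
[2011-07-06 16:07] - [2011-02-25 21:33] - 2614784 ____A () 9793E91A7FC0EB30F67F7544AC7DC60B
"""
SCAN_2 = r"""
C:\Windows\explorer.exe
[2011-07-06 16:07] - [2011-02-25 22:23] - 2870272 ____A (Microsoft Corporation) 0862495E0C825893DB75EF44FAEA8E93

C:\Windows\SysWOW64\explorer.exe
[2011-07-06 16:07] - [2011-02-25 21:33] - 2614784 ____A () E4328156B80EDF02E05E15675C0270B5
"""

# Assumed layout (inferred from the logs in this thread): a path line, then
# "[stamp] - [stamp] - size attributes (company) MD5" on the next line.
ENTRY = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^\r\n]+?)[ \t]*\r?\n"
    r"\[(?P<stamp1>[\d\- :]+)\] - \[(?P<stamp2>[\d\- :]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) "
    r"(?P<md5>[0-9A-Fa-f]{32})[ \t]*$",
    re.MULTILINE,
)


def parse_entries(text, scan_label):
    """Return one dict per file entry found in an FRST-style listing."""
    entries = []
    for match in ENTRY.finditer(text):
        entry = match.groupdict()
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].upper()
        entry["scan"] = scan_label
        entries.append(entry)
    return entries


def triage(entries, windows_root=r"c:\windows"):
    """Flag Windows-directory files with no company string, and files whose
    MD5 differs between scans (noting when size and stamps did not change)."""
    by_path = defaultdict(list)
    for entry in entries:
        by_path[entry["path"].lower()].append(entry)

    findings = []
    for path, seen in sorted(by_path.items()):
        in_windows = path.startswith(windows_root + "\\")
        if in_windows and any(not e["company"].strip() for e in seen):
            findings.append((path, "no-company-name"))
        if len({e["md5"] for e in seen}) > 1:
            meta = {(e["size"], e["stamp1"], e["stamp2"]) for e in seen}
            reason = ("md5-changed-same-size-and-stamp"
                      if len(meta) == 1 else "md5-changed")
            findings.append((path, reason))
    return findings


if __name__ == "__main__":
    all_entries = (parse_entries(SCAN_1, "2013-05-28")
                   + parse_entries(SCAN_2, "2013-05-30"))
    for path, reason in triage(all_entries):
        print(f"{reason:34} {path}")
```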

 



#4 jntkwx

Posted 30 May 2013 - 11:48 PM

Do you have a Windows disc available, or another Windows 7 computer?


Regards,
Jason

 



#5 jasonfarren

Posted 31 May 2013 - 08:07 AM

No Windows disc, but I do have access to another Windows 7 computer....

 

Jason



#6 jntkwx

Posted 31 May 2013 - 11:59 AM

Run FRST on your other Windows 7 computer (you don't need to boot into system recovery).

 

Type the following in the edit box after "Search:".

 

explorer.exe

 

Click the Search button and post the log (Search.txt) it makes in your reply.


Regards,
Jason

 



#7 jasonfarren

Posted 31 May 2013 - 12:14 PM

OK, here it is...

 

Farbar Recovery Scan Tool (x86) Version: 27-05-2013
Ran by ddecker at 2013-05-31 13:10:28
Running from F:\
Boot Mode: Normal
 
================== Search: "explorer.exe" ===================
 
C:\Windows\explorer.exe
[2011-04-27 07:18] - [2011-02-25 01:30] - 2616320 ____A (Microsoft Corporation) 8B88EBBB05A0E56B7DCC708498C02B3E
 
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer.exe
[2011-04-27 07:18] - [2011-02-26 01:19] - 2616320 ____A (Microsoft Corporation) 0FB9C74046656D1579A64660AD67B746
 
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer.exe
[2011-04-27 07:18] - [2011-02-25 01:30] - 2616320 ____A (Microsoft Corporation) 8B88EBBB05A0E56B7DCC708498C02B3E
 
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe
[2011-06-07 07:46] - [2010-11-20 08:17] - 2616320 ____A (Microsoft Corporation) 40D777B7A95E00593EB1568C68514493
 
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_525b5180f3f95373\explorer.exe
[2011-04-27 07:18] - [2011-02-26 01:51] - 2614784 ____A (Microsoft Corporation) 255CF508D7CFB10E0794D6AC93280BD8
 
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe
[2010-12-11 23:52] - [2010-12-11 23:52] - 2614272 ____A (Microsoft Corporation) C76153C7ECA00FA852BB0C193378F917
 
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe
[2010-12-11 23:51] - [2010-12-11 23:51] - 2613248 ____A (Microsoft Corporation) 9FF6C4C91A3711C0A3B18F87B08B518D
 
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_51a3a583dafd0cef\explorer.exe
[2011-04-27 07:18] - [2011-02-26 01:33] - 2614784 ____A (Microsoft Corporation) 2AF58D15EDC06EC6FDACCE1F19482BBF
 
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
[2010-12-11 23:52] - [2010-12-11 23:52] - 2614272 ____A (Microsoft Corporation) 2626FC9755BE22F805D3CFA0CE3EE727
 
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe
[2010-12-11 23:51] - [2010-12-11 23:51] - 2613248 ____A (Microsoft Corporation) B95EEB0F4E5EFBF1038A35B3351CF047
 
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2009-07-13 19:41] - [2009-07-13 21:14] - 2613248 ____A (Microsoft Corporation) 15BC38A7492BEFE831966ADB477CF76F
 
=== End Of Search ===


#8 jntkwx

Posted 31 May 2013 - 12:37 PM

Unfortunately, that won't help us, because the other (working) Windows 7 computer is 32-bit, the infected one is 64-bit.
 
Luckily, I have a solution:
 
On your working computer, download explorer.zip and save it to your flashdrive.
Extract the file directly onto your flashdrive (not within a folder).

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt
 

Replace:  F:\explorer.exe C:\Windows\SysWOW64\explorer.exe

 
Boot the infected computer into System Recovery Options, as we've done previously.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.


Regards,
Jason

 



#9 jasonfarren

Posted 31 May 2013 - 08:27 PM

Sigh.

 

So I'm following your directions, and at first I couldn't get to the command prompt via the System Recovery Options...I'm sorry I didn't capture it exactly, but it was a message about not being able to find the drivers, or something like that. So I hit cancel, and started over.  The next time I was able to get to the command prompt, but when I ran FRST64, it said it was the wrong version, and to check if I was 32 or 64 bit.  So, I then tried the 32 bit version FRST, and it started to work.  But, per your instructions at the beginning, I figured I'd better stop & ask for clarification, etc...should I continue with the "Fix" step, or...?

 

Jason



#10 jntkwx

Posted 31 May 2013 - 08:37 PM

Thanks for double checking.  Just to clarify: you want to be running the fix (booting up into System Recovery Options) on the infected computer, using the 64-bit version of FRST (FRST64.exe). That's really odd that it said it was the wrong version.  Try again with FRST64.exe. If you continue to get the same error, let me know.

 

And if that doesn't work, there are other tools we can run. :)


Edited by jntkwx, 31 May 2013 - 08:40 PM.

Regards,
Jason

 



#11 jasonfarren

Posted 31 May 2013 - 09:06 PM

OK, so this is how I got to where I am:

 

  • On the USB drive are the following folders: boot, sources...and the following files: bootmgr, FRST64.exe, FRST.exe, explorer.exe, and fixlist.txt
  • I put the USB drive in the infected computer, hit F12 to get to boot menu, and choose the USB drive (f:)
  • I then get to the System Recovery Options, go to the command prompt, and typed in F:\FRST64.exe
  • It says "This version of f:\FRST64.exe is not compatible with the version of windows you're running...check to see if you need a x86 (32-bit) or x64 (64-bit) version of the program."

And then, like I said, when I ran FRST instead of FRST64, it started to work.

 

I'm sure this is a screw-up on my end; do you keep a list of the expletives/names you call members like me?  Knucklehead, balls-for-brains, etc?

 

Jason



#12 jntkwx

Posted 31 May 2013 - 09:25 PM

I always say computers are great when they work. When they don't work, they're a pain in the  :censored:

 

 

Delete both the FRST.exe and FRST64.exe files from the USB drive. Download a new FRST64.exe and save it to your USB drive.

 

Boot the infected computer into System Recovery Options, as we've done previously.

 

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.


Regards,
Jason

 



#13 jasonfarren

Posted 31 May 2013 - 10:21 PM

Downloaded a new version, got the same message saying FRST64 not compatible with my version of windows...

 

If it's noteworthy, the default location when I start command prompt is X:\windows\system32...the 32 caught my eye...



#14 jntkwx

Posted 31 May 2013 - 10:23 PM

That's odd. Try it with the 32-bit version, and see if it produces a log file.


Regards,
Jason

 



#15 jasonfarren

Posted 31 May 2013 - 10:51 PM

OK, 'Fixing is in progress,' and if recent history is any guide, this will take a while.  Funny and yet sad watching the computer take 20 times as long to do something a healthy computer would do.  Anyhow, I'm gonna let it run & will post results in the AM.  Thanks again for the help, and patience.





