Computer won't start up, stuck in start up repair


This topic is locked. 39 replies to this topic.

#1 Lmmduff

Posted 10 June 2013 - 06:30 AM

My 2-year-old shut down my computer manually and since then, I have been unable to turn the computer on. It is stuck in start up repair. My husband tried to do a system restore, but it went straight back to start up repair. Please advise!


#2 TB-Psychotic (Malware Response Team)

Posted 10 June 2013 - 06:37 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

Let's try to get this fixed.

 

Please tell me which Windows version is installed. Also tell me if it is 32- or 64-bit.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (donate button) (no worries, every little bit helps)

#3 Lmmduff (Topic Starter)

Posted 10 June 2013 - 08:09 AM

Windows 7
64 bit

#4 TB-Psychotic (Malware Response Team)

Posted 10 June 2013 - 08:27 AM

Scan with FRST


To run FRST on Vista and Windows 7:



Plug the flash drive into the infected PC.

Enter System Recovery Options.


To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt.


  • In the command window:
  • type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.



#5 Lmmduff (Topic Starter)

Posted 10 June 2013 - 05:27 PM

I have the log, but can't save it to the computer or get it to my phone. Please advise.

#6 TB-Psychotic (Malware Response Team)

Posted 10 June 2013 - 05:33 PM

Try to upload the log with a working computer. If you haven't got one nearby, please report.



#7 Lmmduff (Topic Starter)

Posted 10 June 2013 - 06:10 PM

No, I don't have another computer. Help.

#8 TB-Psychotic (Malware Response Team)

Posted 11 June 2013 - 01:03 AM

How did you download the file and get it onto a USB flash disk, then?



#9 Lmmduff (Topic Starter)

Posted 11 June 2013 - 05:54 AM

Husband's computer at work... don't know how to paste the log and get it to the jump drive.

#10 Lmmduff (Topic Starter)

Posted 11 June 2013 - 06:06 AM

We got it! Will be posted shortly.

#11 TB-Psychotic (Malware Response Team)

Posted 11 June 2013 - 06:35 AM

OK then you were faster than me! :)



#12 Lmmduff (Topic Starter)

Posted 11 June 2013 - 06:58 AM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 09-06-2013
Ran by SYSTEM on 11-06-2013 21:53:24
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [305664 2009-01-22] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [444416 2009-06-28] (IDT, Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe [4968960 2009-07-16] (Dell Inc.)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3180624 2009-07-02] (Dell Inc.)
HKLM\...\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [DLKAStatusMonitor] C:\Windows\system32\spool\DRIVERS\x64\3\DLKAMUI.exe [1679360 2009-09-05] (Dell Inc.)
HKLM\...\Run: [MRT] "C:\Windows\system32\MRT.exe" /R [75016696 2013-05-16] (Microsoft Corporation)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2011-10-07] (Dell)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
HKLM-x32\...\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m [1779952 2009-09-11] ()
HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-06-24] (CyberLink Corp.)
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
HKLM-x32\...\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2009-05-21] (SupportSoft, Inc.)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [454600 2013-02-28] (McAfee, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [249064 2010-10-29] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Monitor] "C:\Users\Home\Documents\My Documents\Leapfrog\LeapFrog Connect\Monitor.exe" [268640 2011-11-12] (LeapFrog Enterprises, Inc.)
HKLM-x32\...\Run: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [642856 2009-04-07] (Cisco Systems, Inc.)
HKLM-x32\...\Run: [nmapp] "C:\Program Files (x86)\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash [467240 2009-04-07] (Cisco Systems, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [x]
HKLM-x32\...\Run: [ROC_roc_ssl_v12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12 [x]
HKLM-x32\...\Run: [SNM] C:\Program Files (x86)\SpyNoMore\SNM.exe /startup [1067984 2010-07-12] (Illysoft LLC)
HKLM-x32\...\Run: [mcpltui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [454600 2013-02-28] (McAfee, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-18] (Adobe Systems Incorporated)
HKU\Home\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-12-20] (Google Inc.)
HKU\Home\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\Home\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
 
==================== Services (Whitelisted) =================
 
S2 0143801370316765mcinstcleanup; C:\Windows\TEMP\014380~1.EXE [833616 2013-01-30] (McAfee, Inc.)
S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)
S2 LeapFrog Connect Device Service; C:\Users\Home\Documents\My Documents\Leapfrog\LeapFrog Connect\CommandService.exe [6141792 2011-11-12] (LeapFrog Enterprises, Inc.)
S2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [388680 2013-03-01] (McAfee, Inc.)
S2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)
S2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1017016 2013-02-28] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-04-03] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-04-03] (McAfee, Inc.)
S2 MOBKbackup; C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe [231224 2010-04-13] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)
S2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.17.48\SymcPCCULaunchSvc.exe [123320 2012-12-16] (Symantec Corporation)
S2 PCCUJobMgr; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.17.48\ccSvcHst.exe [126392 2011-12-14] (Symantec Corporation)
S2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
S2 SpyHunter 4 Service; C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1021888 2012-10-10] (Enigma Software Group USA, LLC.)
S2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe [240128 2009-06-28] (IDT, Inc.)
S2 wltrysvc; C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE [33280 2009-07-16] ()
S2 vToolbarUpdater13.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [x]
 
==================== Drivers (Whitelisted) ====================
 
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [30568 2012-11-09] (AVG Technologies)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-04-03] (McAfee, Inc.)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2012-06-22] ()
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197264 2012-05-28] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179664 2013-04-03] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309968 2013-04-03] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [516608 2013-04-03] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [772944 2013-04-03] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [337120 2013-02-18] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [95856 2013-02-18] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [342416 2013-04-03] (McAfee, Inc.)
S1 MOBKFilter; C:\Windows\System32\DRIVERS\MOBK.sys [66040 2010-04-13] (Mozy, Inc.)
S3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-06-11 18:22 - 2013-06-11 18:22 - 00000000 ____D C:\FRST
2013-05-21 02:01 - 2013-05-21 02:01 - 00277080 ____A C:\Windows\Minidump\052113-20935-01.dmp
2013-05-16 03:49 - 2013-04-10 01:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-05-16 03:49 - 2013-04-10 01:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
2013-05-16 03:49 - 2011-02-03 06:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
2013-05-16 03:48 - 2013-02-26 23:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2013-05-16 03:48 - 2013-02-26 23:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
2013-05-16 03:48 - 2013-02-26 23:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2013-05-16 03:46 - 2013-04-09 22:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-05-16 03:46 - 2013-03-19 00:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
2013-05-16 03:46 - 2013-03-19 00:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll
2013-05-16 03:46 - 2013-02-27 01:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe
2013-05-16 03:46 - 2013-02-27 00:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2013-05-16 03:46 - 2013-02-27 00:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
2013-05-16 03:46 - 2013-02-27 00:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll
2013-05-16 03:46 - 2013-02-27 00:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll
2013-05-16 03:17 - 2013-05-05 16:36 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-16 03:17 - 2013-05-05 16:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-16 03:17 - 2013-05-05 14:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-05-16 03:17 - 2013-05-05 14:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-05-16 03:16 - 2013-04-04 20:19 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-05-16 03:16 - 2013-04-04 20:08 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-05-16 03:16 - 2013-04-04 20:01 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-05-16 03:16 - 2013-04-04 20:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-05-16 03:16 - 2013-04-04 19:59 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-05-16 03:16 - 2013-04-04 19:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-05-16 03:16 - 2013-04-04 19:57 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-05-16 03:16 - 2013-04-04 19:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-05-16 03:16 - 2013-04-04 19:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-05-16 03:16 - 2013-04-04 19:55 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-05-16 03:16 - 2013-04-04 19:54 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-05-16 03:16 - 2013-04-04 19:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-05-16 03:16 - 2013-04-04 19:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-05-16 03:16 - 2013-04-04 19:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-05-16 03:16 - 2013-04-04 17:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-05-16 03:16 - 2013-04-04 17:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-05-16 03:16 - 2013-04-04 17:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-05-16 03:16 - 2013-04-04 17:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-05-16 03:16 - 2013-04-04 17:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-05-16 03:16 - 2013-04-04 17:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-05-16 03:16 - 2013-04-04 16:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-05-16 03:16 - 2013-04-04 16:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-05-16 03:16 - 2013-04-04 16:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-05-16 03:16 - 2013-04-04 16:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-05-16 03:16 - 2013-04-04 16:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-05-16 03:16 - 2013-04-04 16:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-05-16 03:16 - 2013-04-04 16:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-05-16 03:16 - 2013-04-04 16:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
 
==================== One Month Modified Files and Folders =======
 
2013-06-11 18:22 - 2013-06-11 18:22 - 00000000 ____D C:\FRST
2013-06-11 05:11 - 2013-02-02 12:27 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2013-06-11 05:11 - 2013-01-27 13:58 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2013-06-11 05:11 - 2013-01-24 19:15 - 00000000 ____D C:\Users\Home\Application Data\Roxio
2013-06-11 05:11 - 2013-01-24 19:15 - 00000000 ____D C:\Users\Home\AppData\Roaming\Roxio
2013-06-11 05:11 - 2012-11-05 14:59 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-06-11 05:11 - 2012-11-05 14:59 - 00000000 ____D C:\ProgramData\Application Data\Spybot - Search & Destroy
2013-06-11 05:11 - 2010-10-15 12:17 - 00000000 ____D C:\Program Files (x86)\McAfee.com
2013-06-11 05:11 - 2010-08-23 19:37 - 00000000 ____D C:\users\Home
2013-06-11 05:11 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\System32\spool
2013-06-11 05:11 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\AppCompat
2013-06-11 05:10 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\registration
2013-06-11 05:08 - 2010-10-15 12:17 - 00000000 ____D C:\Program Files\Common Files\McAfee
2013-06-11 05:08 - 2010-02-02 10:51 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-06-07 02:00 - 2010-12-20 17:28 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-07 02:00 - 2009-07-14 00:10 - 01896960 ____A C:\Windows\WindowsUpdate.log
2013-06-06 20:22 - 2010-12-20 17:28 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-04 07:06 - 2010-12-20 17:26 - 00000000 ____D C:\Users\Home\Application Data\Skype
2013-06-04 07:06 - 2010-12-20 17:26 - 00000000 ____D C:\Users\Home\AppData\Roaming\Skype
2013-06-03 22:33 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-03 22:33 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-03 22:25 - 2010-09-29 12:33 - 00000000 ____D C:\Users\Default\Local Settings\SoftThinks
2013-06-03 22:25 - 2010-09-29 12:33 - 00000000 ____D C:\Users\Default\Local Settings\Application Data\SoftThinks
2013-06-03 22:25 - 2010-09-29 12:33 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2013-06-03 22:25 - 2010-09-29 12:33 - 00000000 ____D C:\Users\Default User\Local Settings\SoftThinks
2013-06-03 22:25 - 2010-09-29 12:33 - 00000000 ____D C:\Users\Default User\Local Settings\Application Data\SoftThinks
2013-06-03 22:25 - 2010-09-29 12:33 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2013-06-03 22:23 - 2013-01-27 01:00 - 00002800 ____A C:\Windows\setupact.log
2013-06-03 22:23 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-03 22:05 - 2010-02-02 12:39 - 00621900 ____A C:\Windows\PFRO.log
2013-05-31 15:10 - 2010-12-13 08:05 - 00000000 ____D C:\Users\Home\My Documents\Outlook Files
2013-05-31 15:10 - 2010-12-13 08:05 - 00000000 ____D C:\Users\Home\Documents\Outlook Files
2013-05-22 21:33 - 2010-02-02 10:49 - 00000000 ____D C:\ProgramData\Application Data\Adobe
2013-05-22 21:33 - 2010-02-02 10:49 - 00000000 ____D C:\ProgramData\Adobe
2013-05-21 02:01 - 2013-05-21 02:01 - 00277080 ____A C:\Windows\Minidump\052113-20935-01.dmp
2013-05-21 02:01 - 2013-02-04 00:03 - 517340171 ____A C:\Windows\MEMORY.DMP
2013-05-21 02:01 - 2010-12-26 16:57 - 00000000 ____D C:\Windows\Minidump
2013-05-17 12:02 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2013-05-17 02:22 - 2009-07-13 23:45 - 00418392 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-16 04:06 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\L2Schemas
2013-05-16 03:31 - 2010-08-23 19:56 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-05-16 03:31 - 2010-08-23 19:56 - 00000000 ____D C:\ProgramData\Application Data\Microsoft Help
2013-05-16 03:30 - 2013-03-17 03:04 - 00000129 ____A C:\Windows\System32\MRT.INI
2013-05-16 03:25 - 2010-08-27 13:28 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-05-16 03:22 - 2009-07-14 00:13 - 00744902 ____A C:\Windows\System32\PerfStringBackup.INI
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
TDL4: custom:26000022 <===== ATTENTION!
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-05-29 02:01:14
Restore point made on: 2013-05-29 10:44:21
Restore point made on: 2013-05-30 02:01:00
Restore point made on: 2013-05-31 02:01:06
Restore point made on: 2013-06-01 02:01:30
Restore point made on: 2013-06-02 02:00:47
Restore point made on: 2013-06-03 02:00:39
Restore point made on: 2013-06-04 02:01:28
Restore point made on: 2013-06-05 02:01:01
Restore point made on: 2013-06-06 02:01:16
Restore point made on: 2013-06-07 02:01:04
Restore point made on: 2013-06-08 02:01:23
Restore point made on: 2013-06-09 02:00:46
 
==================== Memory info =========================== 
 
Percentage of memory in use: 15%
Total physical RAM: 4056.36 MB
Available physical RAM: 3434.78 MB
Total Pagefile: 4054.51 MB
Available Pagefile: 3439.74 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:283.4 GB) (Free:161.92 GB) NTFS (Disk=0 Partition=3)
Drive d: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:9.97 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive d: detected.
Drive g: (KINGSTON) (Removable) (Total:14.53 GB) (Free:14.52 GB) FAT32 (Disk=2 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 298 GB) (Disk ID: CF5ACF27)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=283 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 15 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=15 GB) - (Type=0C)
 
 
LastRegBack: 2013-06-03 04:12
 
==================== End Of Log ============================


#13 TB-Psychotic (Malware Response Team)

Posted 11 June 2013 - 07:19 AM

Your problem isn't your 2-year-old child but the TDL4 rootkit on your hard drive.

That will be awful to remove, if even possible in this case:

 

Fix with FRST

  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt

    HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
    HKLM-x32\...\Run: []  [x]
    TDL4: custom:26000022 <===== ATTENTION!
    cmd: bootrec /FixMbr
    

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

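As an added example (not code from the thread, from FRST, or from its author), here is a small Python triage parser for the FRST.txt format posted above. It is run over a constructed excerpt in the same shape and pulls out what the helper's fixlist was built from: FRST's own ATTENTION markers (the TDL4 line and the BCD notice) and entries whose target file no longer exists (FRST prints "[x]"), and separately lists binaries with an empty publisher field. Section titles, line shapes and the "[x]" convention are taken from the log above; the flag rules are this example's heuristics, not FRST's.

```python
"""Triage parser for FRST.txt (Farbar Recovery Scan Tool) logs. Added example,
not the thread's or FRST's own code; the flag rules are this example's heuristics."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SECTION_RE = re.compile(r"^=+ (.+?) =+\s*$")
# Entry shapes: "HKLM\...\Run: [name] target [size date] (publisher)" or "... target [x]",
# "S2 name; target [size date] (publisher)" for services/drivers, and other "Key: value".
RUN_RE = re.compile(r"^HK[^:]*?\\\.\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<rest>.*)$")
SVC_RE = re.compile(r"^[A-Z]\d (?P<name>[^;]+); (?P<rest>.*)$")
GENERIC_RE = re.compile(r"^(?P<name>[^:\[]+): (?P<rest>.*)$")
DETAIL_RE = re.compile(r"\[\d+ \d{4}-\d{2}-\d{2}\] \((?P<publisher>[^)]*)\)\s*$")
ENTRY_SECTIONS = ("Registry (Whitelisted)", "Services (Whitelisted)", "Drivers (Whitelisted)")

@dataclass
class Entry:
    section: str
    raw: str                  # verbatim log line (a FRST fixlist is made of such lines)
    name: str
    target: str
    publisher: Optional[str]  # "" = printed as "()", None = not reported on this line
    missing: bool             # FRST printed [x]: the target file does not exist

def parse_sections(text: str) -> Dict[str, List[str]]:
    """Map section title -> non-blank lines; text before the first title is 'Header'."""
    sections: Dict[str, List[str]] = {"Header": []}
    current = "Header"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections

def _split_detail(rest: str):
    """Split 'target [size date] (publisher)' or 'target [x]' into (target, publisher, missing)."""
    tail = rest.rstrip()
    if tail.lower().endswith("[x]"):
        return tail[:-3].strip(), None, True
    m = DETAIL_RE.search(tail)
    if m:
        return tail[:m.start()].strip(), m.group("publisher"), False
    return tail, None, False

def parse_entries(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for section, lines in parse_sections(text).items():
        if section not in ENTRY_SECTIONS:
            continue
        for line in lines:
            m = RUN_RE.match(line) or SVC_RE.match(line) or GENERIC_RE.match(line)
            if m:
                target, publisher, missing = _split_detail(m.group("rest"))
                entries.append(Entry(section, line, m.group("name"), target, publisher, missing))
    return entries

def attention_lines(text: str) -> List[str]:
    """FRST's own markers (the TDL4 line, the BCD notice); the header's generic
    'ATTENTION!:=====> FRST is updated ...' notice is not a finding and is skipped."""
    return [l for name, lines in parse_sections(text).items() if name != "Header"
            for l in lines if "ATTENTION" in l]

def candidate_fixlist(text: str) -> List[str]:
    """Verbatim lines to review for fixlist.txt: entries whose target is gone plus the
    ATTENTION markers. Only a start: the thread's helper also added a RunOnce line and
    'cmd: bootrec /FixMbr' by judgement, which no rule here produces."""
    return [e.raw for e in parse_entries(text) if e.missing] + attention_lines(text)

def no_publisher(text: str) -> List[Entry]:
    """Binaries FRST lists with an empty publisher '()': worth a look, not proof."""
    return [e for e in parse_entries(text) if e.publisher == ""]

# Constructed excerpt in the shape of the FRST.txt posted above (not the real log).
SAMPLE_LOG = r"""ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
==================== Registry (Whitelisted) ==================
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [x]
==================== Services (Whitelisted) =================
S2 wltrysvc; C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE [33280 2009-07-16] ()
S2 vToolbarUpdater13.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [x]
==================== Drivers (Whitelisted) ====================
S3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()
==================== Bamital & volsnap Check =================
TDL4: custom:26000022 <===== ATTENTION!
==================== Drives ================================
ATTENTION: Malware custom entry on BCD on drive d: detected.
"""
```

On the excerpt, candidate_fixlist() returns the four "[x]" entries followed by the TDL4 and BCD lines; two of those (the empty Run entry and the TDL4 line) are exactly lines the helper put in the fixlist above.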

#14 Lmmduff (Topic Starter)

Posted 11 June 2013 - 05:00 PM

We tried to execute the file on the command screen and it said "not recognized as an internal or external command operable program or batch file"

#15 TB-Psychotic (Malware Response Team)

Posted 12 June 2013 - 01:14 AM

What exactly did you do?

Were you able to run frst?

