Audio ads playing in background, frequent crashes


32 replies to this topic

#1 dthal

Posted 12 June 2013 - 08:38 PM

Problem mostly just started this evening -- when I turn my computer on, I automatically hear multiple different audio advertisements playing at the same time, with no video anywhere and no web browser open or anything like that. The Task Manager doesn't show any open programs that should be causing this. The computer also now crashes very frequently, within minutes of startup. I had to run DDS in Safe Mode so it would scan without crashing, and it even took a few attempts to boot in Safe Mode (previous attempts just gave me a black screen and a shut down before Safe Mode would load).

Any help would be greatly appreciated!

DDS log:
 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 MINIMAL
Internet Explorer: 9.0.8112.16483  BrowserJavaVersion: 1.6.0_39
Run by owner at 21:05:41 on 2013-06-12
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3001.2097 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
BHO: Coupon Companion Plugin: {11111111-1111-1111-1111-110211181104} - C:\Program Files (x86)\Coupon Companion Plugin\Coupon Companion Plugin.dll
BHO: SelectionLinksBHO Class: {300BEC06-B743-4D19-86B9-11DC711D7FFB} - C:\Program Files (x86)\OApps\SelectionLinks.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Epson Stylus NX420(Network)] C:\Windows\System32\spool\DRIVERS\x64\3\E_IATIGCA.EXE /FU "C:\Windows\TEMP\E_SF78A.tmp" /EF "HKCU"
uRun: [EPSON NX420 Series] C:\Windows\System32\spool\DRIVERS\x64\3\E_IATIGCA.EXE /FU "C:\Windows\TEMP\E_S794D.tmp" /EF "HKCU"
uRun: [AdobeBridge] <no file>
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
dRun: [Samsung.PCSync] "C:\Program Files (x86)\Samsung\Samsung PC Studio 7\PcSync2.exe" /NoDialog
dRunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\Scrybe.lnk - C:\Windows\Installer\{147DFAD8-34C3-4DE1-9FCA-ACEFDE9EF810}\NewShortcut11_8ACB210B42E44145A8C31F8E3DD765A3.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files (x86)\TuneCab\YouTubeRipper.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{B7BE647E-5AE2-4360-8CBB-DF622D5FFDC4} : DHCPNameServer = 12.127.16.67 12.127.17.71 4.2.2.3
TCP: Interfaces\{BD0183A5-6597-4586-B817-2E945819E091} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{BD0183A5-6597-4586-B817-2E945819E091}\2656C6B696E6E2231603E2765756374737 : DHCPNameServer = 192.168.169.1
TCP: Interfaces\{BD0183A5-6597-4586-B817-2E945819E091}\3596C667562737D6964786 : DHCPNameServer = 12.127.16.67 12.127.17.71 4.2.2.3
TCP: Interfaces\{BD0183A5-6597-4586-B817-2E945819E091}\D43555E656470274575637470223E203 : DHCPNameServer = 35.8.2.5 35.8.2.41
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.110\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [PLFSetI] C:\Windows\PLFSetI.exe
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\yah7o7id.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Nitro PDF\Reader 2\npdf.dll
FF - plugin: C:\Program Files (x86)\Nitro PDF\Reader 2\npnitromozilla.dll
FF - plugin: C:\Program Files (x86)\Nokia\Nokia Suite\npNokiaSuiteEnabler.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\owner\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Users\owner\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Users\owner\AppData\Roaming\Electronic Arts\Game Face\npGameFacePlugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
---- FIREFOX POLICIES ----
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2012-6-14 283200]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2012-5-1 166400]
S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2012-5-1 128512]
S2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;C:\Program Files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe [2011-6-21 341296]
S2 ScrybeUpdater;Scrybe Updater;C:\Program Files (x86)\Synaptics\Scrybe\Service\ScrybeUpdater.exe [2011-5-27 1300264]
S2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-5-14 3289208]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-28 161384]
S3 GSService;GSService;C:\Windows\SysWOW64\GSService.exe [2013-1-6 355112]
S3 nmwcdnsux64;Nokia USB Flashing Phone Parent;C:\Windows\System32\drivers\nmwcdnsux64.sys [2012-11-9 171008]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-10-4 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-9-28 53760]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-11-7 1255736]
S3 WSDScan;WSD Scan Support via UMB;C:\Windows\System32\drivers\WSDScan.sys [2009-7-13 25088]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
.
=============== Created Last 30 ================
.
2013-05-26 13:20:56	2382848	----a-w-	C:\Windows\SysWow64\mshtml.tlb
2013-05-26 13:20:56	2382848	----a-w-	C:\Windows\System32\mshtml.tlb
2013-05-25 15:47:28	--------	d-----w-	C:\Users\owner\.idlerc
2013-05-25 15:43:01	--------	d-----w-	C:\Python33
2013-05-25 12:57:36	--------	d-----w-	C:\Users\owner\AppData\Local\Deployment
2013-05-25 12:57:36	--------	d-----w-	C:\Users\owner\AppData\Local\Apps
2013-05-25 12:57:23	--------	d-----w-	C:\Program Files\Microsoft Synchronization Services
2013-05-25 12:57:23	--------	d-----w-	C:\Program Files\Microsoft SQL Server Compact Edition
2013-05-25 12:56:31	--------	d-----w-	C:\Program Files (x86)\Microsoft Synchronization Services
2013-05-24 12:26:57	48640	----a-w-	C:\Windows\System32\wwanprotdim.dll
2013-05-24 12:25:47	68608	----a-w-	C:\Windows\System32\taskhost.exe
2013-05-23 11:10:28	--------	d-----w-	C:\Windows\System32\SPReview
2013-05-16 04:07:08	3920384	----a-w-	C:\Windows\System32\python33.dll
2013-05-16 04:06:12	93696	----a-w-	C:\Windows\py.exe
2013-05-16 04:06:10	94208	----a-w-	C:\Windows\pyw.exe
2013-05-14 17:31:10	6128760	----a-w-	C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2013-05-14 17:31:10	6128760	----a-w-	C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
.
==================== Find3M  ====================
.
2013-05-29 00:57:15	71048	----a-w-	C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-29 00:57:15	692104	----a-w-	C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-23 11:30:35	175616	----a-w-	C:\Windows\System32\msclmd.dll
2013-05-23 11:30:35	152576	----a-w-	C:\Windows\SysWow64\msclmd.dll
2013-04-13 05:49:23	135168	----a-w-	C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49:19	350208	----a-w-	C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49:19	308736	----a-w-	C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49:19	111104	----a-w-	C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45:16	474624	----a-w-	C:\Windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15	2176512	----a-w-	C:\Windows\apppatch\AcGenral.dll
2013-04-12 14:45:08	1656680	----a-w-	C:\Windows\System32\drivers\ntfs.sys
2013-04-10 06:01:54	265064	----a-w-	C:\Windows\System32\drivers\dxgmms1.sys
2013-04-10 06:01:53	983400	----a-w-	C:\Windows\System32\drivers\dxgkrnl.sys
2013-04-10 03:30:50	3153920	----a-w-	C:\Windows\System32\win32k.sys
2013-04-05 01:08:44	2312704	----a-w-	C:\Windows\System32\jscript9.dll
2013-04-05 01:00:30	1392128	----a-w-	C:\Windows\System32\wininet.dll
2013-04-05 00:59:24	1494528	----a-w-	C:\Windows\System32\inetcpl.cpl
2013-04-05 00:56:16	173056	----a-w-	C:\Windows\System32\ieUnatt.exe
2013-04-05 00:55:47	599040	----a-w-	C:\Windows\System32\vbscript.dll
2013-04-04 22:11:34	1800704	----a-w-	C:\Windows\SysWow64\jscript9.dll
2013-04-04 22:02:59	1427968	----a-w-	C:\Windows\SysWow64\inetcpl.cpl
2013-04-04 22:02:17	1129472	----a-w-	C:\Windows\SysWow64\wininet.dll
2013-04-04 21:58:51	142848	----a-w-	C:\Windows\SysWow64\ieUnatt.exe
2013-04-04 21:57:45	420864	----a-w-	C:\Windows\SysWow64\vbscript.dll
2013-03-22 12:40:36	255352	----a-w-	C:\Windows\SysWow64\awrdscdc.ax
2013-03-19 06:04:06	5550424	----a-w-	C:\Windows\System32\ntoskrnl.exe
2013-03-19 05:53:58	230400	----a-w-	C:\Windows\System32\wwansvc.dll
2013-03-19 05:46:56	43520	----a-w-	C:\Windows\System32\csrsrv.dll
2013-03-19 05:04:13	3968856	----a-w-	C:\Windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04:10	3913560	----a-w-	C:\Windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47:50	6656	----a-w-	C:\Windows\SysWow64\apisetschema.dll
2013-03-19 03:06:33	112640	----a-w-	C:\Windows\System32\smss.exe
.
============= FINISH: 21:07:40.93 ===============
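A small triage script, added here as an example and not part of the thread, that walks DDS "Pseudo HJT Report" lines in the layout of the log above and flags the entries a responder would look at first: dangling autostarts (`<no file>`, `<orphaned>`), BHOs whose CLSID matches the pattern AdwCleaner removes later in the thread, and Run entries launched from user-writable folders. The sample lines, the "Updater" entry and the CLSID pattern are constructed or assumed, not findings from this log.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of DDS's "Pseudo HJT Report" section.
# The first four lines mirror entries from the log above; the "Updater"
# line is invented to show a hit on the user-writable-folder heuristic.
SAMPLE_DDS = r"""
BHO: Coupon Companion Plugin: {11111111-1111-1111-1111-110211181104} - C:\Program Files (x86)\Coupon Companion Plugin\Coupon Companion Plugin.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
uRun: [AdobeBridge] <no file>
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
uRun: [Updater] C:\Users\owner\AppData\Roaming\svc\upd.exe
SSODL: WebCheck - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
"""

# Assumption, not a rule stated in the thread: the AdwCleaner log later in
# the thread deletes Crossrider keys together with CLSIDs of the form
# {11111111-1111-1111-1111-...} and {21111111-1111-1111-1111-...}, so that
# prefix is used here as a placeholder "known adware CLSID" pattern.
PUP_CLSID = re.compile(r"^\{[12]1111111-1111-1111-1111-[0-9A-Fa-f]{12}\}$")

# "BHO: <name>: {CLSID} - <path>" (optionally prefixed with x64-)
BHO_RE = re.compile(
    r"^(?:x64-)?BHO: (?P<name>.+?): (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
# "uRun/mRun/dRun/dRunOnce/x64-Run: [<name>] <command line>"
RUN_RE = re.compile(
    r"^(?P<key>x64-Run|[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Folders an unprivileged user (or anything running as that user) can write to.
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp)\\", re.IGNORECASE)


def triage(dds_text: str) -> List[Dict[str, str]]:
    """Return one finding per DDS line that deserves a responder's look.

    Heuristics only: a hit means "review this", not "this is malware".
    """
    findings: List[Dict[str, str]] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Dead autostart entries: the registry still points at a file that is gone.
        if "<no file>" in line or "<orphaned>" in line:
            findings.append({"line": line, "reason": "dangling autostart (target missing)"})
            continue
        m = BHO_RE.match(line)
        if m and PUP_CLSID.match(m.group("clsid")):
            findings.append({
                "line": line,
                "reason": f"BHO CLSID matches adware pattern ({m.group('name')})",
            })
            continue
        m = RUN_RE.match(line)
        if m and USER_WRITABLE.search(m.group("cmd")):
            findings.append({
                "line": line,
                "reason": f"Run entry [{m.group('name')}] launches from a user-writable folder",
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f['reason']}\n    {f['line']}")
```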


#2 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 12 June 2013 - 09:03 PM


Hello dthal

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 dthal (Topic Starter)

Posted 12 June 2013 - 11:42 PM

Hi Gringo,

Thank you very much for your assistance! I tried to follow your instructions, but I'm afraid I've gotten myself into a deeper mess because I'm an idiot.
 
I installed both programs. I managed to run AdwCleaner successfully (the audio ads were still there afterward), but unfortunately can no longer access the log file, as you will see ...

While running JRT (after a few failed attempts that resulted in crashes), my computer was locked by an FBI Cybercrime ransomware screen (identical to this one, which I know is a scam) -- the first time this has happened.

At some point while I still had access, I changed a setting allowing me to automatically boot into Safe Mode -- the computer was repeatedly crashing too soon for me to complete the scans, and after repeated attempts I had been unable to access Safe Mode using F8. So, I stupidly followed these instructions and changed the boot options in msconfig.

Except now, after trying to restart following the FBI Cybercrime screen, I can't boot at all. I get two options: "Start Windows Normally" or "Launch Startup Repair (recommended)"

When I choose "start Windows Normally" I see a "Loading Windows Files" page (that loads for a long time), then a "The system is booting in Safe Mode" page, and then a blue screen crash that says something about kdcom.dll and PAGE_FAULT_IN_NONPAGED_AREA

If I choose "Launch Startup Repair" the startup repair will run for a long time but says it cannot repair the problem. I can then enter some advanced repair settings, where I tried System Restore, which said it encountered an unidentified error.

Am I FUBAR? Please advise.

Edited by dthal, 12 June 2013 - 11:44 PM.


#4 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 13 June 2013 - 12:17 AM


Hello dthal,

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First Press the Scan button.
  • It will make a log (FRST.txt)
I want you to post the FRST.txt report into your reply to me

Gringo

#5 dthal (Topic Starter)

Posted 13 June 2013 - 12:35 AM

Thanks again. I will carry out your new instructions tomorrow.

 

For now, I did manage to boot the computer using a NimbleX (Linux) boot CD, so I can now give you the AdwCleaner log you asked for earlier. As I mentioned before, the audio ads and the FBI Crimeware screen were there after AdwCleaner ran.

# AdwCleaner v2.303 - Logfile created 06/12/2013 at 23:01:02
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : owner - OWNER-PC
# Boot Mode : Normal
# Running from : C:\Users\owner\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\InstalledBrowserExtensions
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110211181104}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110211181104}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0021804.BHO
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0021804.BHO.1
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0021804.Sandbox
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0021804.Sandbox.1
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110211181104}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{11111111-1111-1111-1111-110211181104}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110211181104}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{21111111-1111-1111-1111-110211181104}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110211181104}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16483

[OK] Registry is clean.

-\\ Mozilla Firefox v21.0 (en-US)

File : C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\yah7o7id.default\prefs.js

C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\yah7o7id.default\user.js ... Deleted !

[OK] File is clean.

-\\ Google Chrome v27.0.1453.110

File : C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [353 octets] - [12/06/2013 22:45:14]
AdwCleaner[S2].txt - [2696 octets] - [12/06/2013 23:01:02]

########## EOF - C:\AdwCleaner[S2].txt - [2756 octets] ##########
 



#6 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 13 June 2013 - 12:40 AM

OK I will look for you then


gringo

#7 dthal (Topic Starter)

Posted 13 June 2013 - 07:54 PM

OK, F8 still isn't working for me and I didn't have the Windows disc handy, but I eventually got to the Command Prompt the way I did before -- waiting through the Startup Repair until it fails, and then choosing "advanced repair settings."

Anyways, I was able to run FRST and here is the log:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-06-2013
Ran by SYSTEM on 13-06-2013 19:27:04
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2735400 2011-03-31] (Synaptics Incorporated)
HKLM\...\Run: [PLFSetI] C:\Windows\PLFSetI.exe [200704 2007-10-23] ()
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)
HKLM-x32\...\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" [976320 2009-12-03] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [298376 2012-09-28] (LeapFrog Enterprises, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)
HKU\owner\...\Run: [Epson Stylus NX420(Network)] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGCA.EXE /FU "C:\Windows\TEMP\E_SF78A.tmp" /EF "HKCU" [188 2012-05-01] ()
HKU\owner\...\Run: [EPSON NX420 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGCA.EXE /FU "C:\Windows\TEMP\E_S794D.tmp" /EF "HKCU" [126 2012-12-06] ()
HKU\owner\...\Run: []  [x]
HKU\owner\...\Run: [AdobeBridge]  [x]
HKU\owner\...\Run: [S60 PC Suite Tray] "C:\Program Files (x86)\Samsung\Samsung PC Studio 7\PCSuite.exe" -onlytray [699392 2008-12-05] ()
Startup: C:\ProgramData\Start Menu\Programs\Startup\Scrybe.lnk
ShortcutTarget: Scrybe.lnk -> C:\Windows\Installer\{147DFAD8-34C3-4DE1-9FCA-ACEFDE9EF810}\NewShortcut11_8ACB210B42E44145A8C31F8E3DD765A3.exe (Acresso Software Inc.)

==================== Services (Whitelisted) =================

S3 GSService; C:\Windows\SysWOW64\GSService.exe [355112 2012-11-29] ()
S2 NitroReaderDriverReadSpool2; C:\Program Files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe [341296 2011-06-21] (Nitro PDF Software)
S2 ScrybeUpdater; C:\Program Files (x86)\Synaptics\Scrybe\Service\ScrybeUpdater.exe [1300264 2011-05-27] (Synaptics, Inc.)

==================== Drivers (Whitelisted) ====================

S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-06-14] (DT Soft Ltd)
S1 WPS; \??\C:\Windows\system32\drivers\wpsdrvnt.sys [x]
S3 WpsHelper; \??\C:\Windows\system32\drivers\WpsHelper.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-06-13 19:17 - 2013-06-13 19:17 - 00000000 ____D C:\FRST
2013-06-12 23:53 - 2013-06-12 23:53 - 00000000 __SHD C:\$$PendingFiles
2013-06-12 19:22 - 2013-06-12 19:24 - 00000000 ____D C:\ProgramData\5bd1b8
2013-06-12 19:05 - 2013-06-12 23:42 - 00000000 ____D C:\JRT
2013-06-12 19:05 - 2013-06-12 19:05 - 00002821 ____A C:\Users\owner\Desktop\AdwCleaner[S2].txt
2013-06-12 19:01 - 2013-06-12 19:01 - 00002821 ____A C:\AdwCleaner[S2].txt
2013-06-12 18:45 - 2013-06-12 18:45 - 00000353 ____A C:\AdwCleaner[S1].txt
2013-06-12 17:07 - 2013-06-12 17:07 - 00017510 ____A C:\Users\owner\Desktop\attach.txt
2013-06-12 17:07 - 2013-06-12 17:07 - 00014442 ____A C:\Users\owner\Desktop\dds.txt
2013-06-12 16:54 - 2013-06-12 16:54 - 00000000 ____D C:\Windows\Sun
2013-06-12 16:04 - 2013-06-12 16:04 - 00000000 ____D C:\Qoobox
2013-06-12 16:01 - 2013-06-12 20:19 - 00000000 ___SD C:\32788R22FWJFW
2013-06-12 16:01 - 2013-06-12 16:01 - 00000000 ____D C:\Windows\erdnt
2013-06-09 04:20 - 2013-06-09 04:21 - 00004431 ____A C:\Windows\IE10_main.log
2013-06-02 15:56 - 2013-06-02 16:01 - 00000000 ____D C:\Users\owner\Desktop\Sonia to upload
2013-06-02 15:33 - 2013-06-02 15:55 - 00000000 ____D C:\Users\owner\Desktop\New folder
2013-05-30 14:30 - 2013-05-30 14:30 - 00543704 ____A C:\Users\owner\Desktop\Album vyuk4 - Imgur.zip
2013-05-30 06:34 - 2013-05-30 06:34 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_ccdcmbx64_01009.Wdf
2013-05-28 06:33 - 2013-05-28 06:33 - 00007798 ____A C:\Users\owner\Desktop\a1_gui.py
2013-05-28 06:33 - 2013-05-28 06:33 - 00000000 ____D C:\Users\owner\Desktop\__pycache__
2013-05-28 05:52 - 2013-05-28 06:32 - 00003649 ____A C:\Users\owner\Desktop\a1.py
2013-05-26 05:20 - 2013-05-05 13:36 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-26 05:20 - 2013-05-05 13:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-26 05:20 - 2013-05-05 11:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-05-26 05:20 - 2013-05-05 11:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-05-26 05:18 - 2013-04-04 17:19 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-05-26 05:18 - 2013-04-04 17:08 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-05-26 05:18 - 2013-04-04 17:01 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-05-26 05:18 - 2013-04-04 17:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-05-26 05:18 - 2013-04-04 16:59 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-05-26 05:18 - 2013-04-04 16:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-05-26 05:18 - 2013-04-04 16:57 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-05-26 05:18 - 2013-04-04 16:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-05-26 05:18 - 2013-04-04 16:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-05-26 05:18 - 2013-04-04 16:55 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-05-26 05:18 - 2013-04-04 16:54 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-05-26 05:18 - 2013-04-04 16:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-05-26 05:18 - 2013-04-04 16:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-05-26 05:18 - 2013-04-04 16:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-05-26 05:18 - 2013-04-04 14:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-05-26 05:18 - 2013-04-04 14:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-05-26 05:18 - 2013-04-04 14:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-05-26 05:18 - 2013-04-04 14:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-05-26 05:18 - 2013-04-04 14:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-05-26 05:18 - 2013-04-04 14:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-05-26 05:18 - 2013-04-04 13:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-05-26 05:18 - 2013-04-04 13:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-05-26 05:18 - 2013-04-04 13:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-05-26 05:18 - 2013-04-04 13:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-05-26 05:18 - 2013-04-04 13:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-05-26 05:18 - 2013-04-04 13:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-05-26 05:18 - 2013-04-04 13:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-05-26 05:18 - 2013-04-04 13:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-05-25 08:44 - 2013-05-28 05:52 - 00000234 ____A C:\Users\owner\Desktop\testpython.py
2013-05-25 07:47 - 2013-05-25 08:44 - 00000000 ____D C:\Users\owner\.idlerc
2013-05-25 07:43 - 2013-05-25 07:43 - 00000000 ____D C:\Python33
2013-05-25 07:40 - 2013-05-25 07:40 - 20774912 ____A C:\Users\owner\Desktop\python-3.3.2.amd64.msi
2013-05-25 04:58 - 2013-05-25 04:59 - 00000000 ____D C:\Users\owner\Documents\FaceoffHockey2012
2013-05-25 04:58 - 2013-05-25 04:58 - 00000000 ____D C:\Users\owner\Documents\FaceoffHockey2011
2013-05-25 04:57 - 2013-05-25 04:58 - 00000000 ____D C:\Users\owner\AppData\Local\Deployment
2013-05-25 04:57 - 2013-05-25 04:57 - 00000000 ____D C:\Users\owner\AppData\Local\Apps\2.0
2013-05-25 04:57 - 2013-05-25 04:57 - 00000000 ____D C:\Program Files\Microsoft Synchronization Services
2013-05-25 04:57 - 2013-05-25 04:57 - 00000000 ____D C:\Program Files\Microsoft SQL Server Compact Edition
2013-05-25 04:56 - 2013-05-25 04:56 - 00000000 ____D C:\Program Files (x86)\Microsoft Synchronization Services
2013-05-25 04:55 - 2013-05-27 03:12 - 00773522 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2013-05-25 04:52 - 2013-05-25 04:52 - 00465408 ____A () C:\Users\owner\Desktop\setup.exe
2013-05-24 04:27 - 2013-04-09 22:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-05-24 04:27 - 2013-04-09 22:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
2013-05-24 04:27 - 2013-02-26 22:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe
2013-05-24 04:27 - 2013-02-26 21:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2013-05-24 04:27 - 2013-02-26 21:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
2013-05-24 04:27 - 2013-02-26 21:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll
2013-05-24 04:27 - 2013-02-26 21:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll
2013-05-24 04:27 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2013-05-24 04:27 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
2013-05-24 04:27 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2013-05-24 04:27 - 2012-10-09 10:17 - 00226816 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcore6.dll
2013-05-24 04:27 - 2012-10-09 10:17 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcsvc6.dll
2013-05-24 04:27 - 2012-10-09 09:40 - 00193536 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcore6.dll
2013-05-24 04:27 - 2012-10-09 09:40 - 00044032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcsvc6.dll
2013-05-24 04:27 - 2011-02-03 03:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
2013-05-24 04:26 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-05-24 04:26 - 2013-03-18 21:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
2013-05-24 04:26 - 2013-03-18 21:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll
2013-05-24 04:26 - 2012-10-03 09:44 - 00303104 ____A (Microsoft Corporation) C:\Windows\System32\nlasvc.dll
2013-05-24 04:26 - 2012-10-03 09:44 - 00246272 ____A (Microsoft Corporation) C:\Windows\System32\netcorehc.dll
2013-05-24 04:26 - 2012-10-03 09:44 - 00216576 ____A (Microsoft Corporation) C:\Windows\System32\ncsi.dll
2013-05-24 04:26 - 2012-10-03 09:44 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\nlaapi.dll
2013-05-24 04:26 - 2012-10-03 09:44 - 00018944 ____A (Microsoft Corporation) C:\Windows\System32\netevent.dll
2013-05-24 04:26 - 2012-10-03 09:42 - 00569344 ____A (Microsoft Corporation) C:\Windows\System32\iphlpsvc.dll
2013-05-24 04:26 - 2012-10-03 08:42 - 00175104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netcorehc.dll
2013-05-24 04:26 - 2012-10-03 08:42 - 00156672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2013-05-24 04:26 - 2012-10-03 08:42 - 00018944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netevent.dll
2013-05-24 04:26 - 2012-10-03 08:07 - 00045568 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys
2013-05-24 04:26 - 2012-08-22 10:12 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2013-05-24 04:26 - 2012-08-21 13:01 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe
2013-05-24 04:26 - 2012-07-04 12:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\RNDISMP.sys
2013-05-24 04:26 - 2012-01-12 23:12 - 00052224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2013-05-24 04:25 - 2012-11-22 19:13 - 00068608 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe
2013-05-23 03:10 - 2013-05-23 03:10 - 00000000 ____D C:\Windows\System32\SPReview
2013-05-22 14:54 - 2013-05-22 14:55 - 00000000 ____D C:\Users\owner\Downloads\Babies.2010.DOCU.DVDRip.XviD-AMIABLE
2013-05-19 03:24 - 2013-05-19 03:25 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-05-17 13:22 - 2013-05-17 13:22 - 00000000 ____D C:\Users\owner\Downloads\Face Off Season 4 (2013)
2013-05-15 20:07 - 2013-05-15 20:07 - 03920384 ____A (Python Software Foundation) C:\Windows\System32\python33.dll
2013-05-15 20:06 - 2013-05-15 20:06 - 00094208 ____A (Python Software Foundation) C:\Windows\pyw.exe
2013-05-15 20:06 - 2013-05-15 20:06 - 00093696 ____A (Python Software Foundation) C:\Windows\py.exe

==================== One Month Modified Files and Folders =======

2013-06-13 19:17 - 2013-06-13 19:17 - 00000000 ____D C:\FRST
2013-06-13 19:02 - 2013-01-18 09:11 - 00000000 ____D C:\Program Files (x86)\Coupon Companion Plugin
2013-06-13 19:02 - 2011-12-16 06:09 - 00000000 ____D C:\Users\owner\AppData\Roaming\OpenCandy
2013-06-13 19:02 - 2011-10-30 11:07 - 00000000 ____D C:\users\owner
2013-06-13 19:02 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\Offline Web Pages
2013-06-13 19:02 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-06-13 19:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-06-13 19:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-06-13 19:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2013-06-13 19:01 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-06-13 19:01 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-06-13 19:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep
2013-06-13 19:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-06-13 18:59 - 2011-11-19 10:35 - 00000000 ____D C:\ProgramData\Real
2013-06-12 23:53 - 2013-06-12 23:53 - 00000000 __SHD C:\$$PendingFiles
2013-06-12 23:42 - 2013-06-12 19:05 - 00000000 ____D C:\JRT
2013-06-12 20:19 - 2013-06-12 16:01 - 00000000 ___SD C:\32788R22FWJFW
2013-06-12 19:24 - 2013-06-12 19:22 - 00000000 ____D C:\ProgramData\5bd1b8
2013-06-12 19:05 - 2013-06-12 19:05 - 00002821 ____A C:\Users\owner\Desktop\AdwCleaner[S2].txt
2013-06-12 19:01 - 2013-06-12 19:01 - 00002821 ____A C:\AdwCleaner[S2].txt
2013-06-12 18:45 - 2013-06-12 18:45 - 00000353 ____A C:\AdwCleaner[S1].txt
2013-06-12 17:07 - 2013-06-12 17:07 - 00017510 ____A C:\Users\owner\Desktop\attach.txt
2013-06-12 17:07 - 2013-06-12 17:07 - 00014442 ____A C:\Users\owner\Desktop\dds.txt
2013-06-12 16:54 - 2013-06-12 16:54 - 00000000 ____D C:\Windows\Sun
2013-06-12 16:04 - 2013-06-12 16:04 - 00000000 ____D C:\Qoobox
2013-06-12 16:01 - 2013-06-12 16:01 - 00000000 ____D C:\Windows\erdnt
2013-06-09 04:21 - 2013-06-09 04:20 - 00004431 ____A C:\Windows\IE10_main.log
2013-06-09 04:20 - 2011-10-30 12:50 - 01856188 ____A C:\Windows\WindowsUpdate.log
2013-06-09 04:19 - 2013-02-22 10:03 - 00000928 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3426782124-745710171-731335067-1000UA.job
2013-06-09 04:19 - 2012-10-25 05:14 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-08 17:23 - 2012-10-25 05:14 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-08 17:21 - 2013-02-22 10:03 - 00000906 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3426782124-745710171-731335067-1000Core.job
2013-06-08 05:18 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-08 05:18 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-08 00:13 - 2012-08-25 09:36 - 00000472 ____A C:\Windows\Tasks\SDMsgUpdate (TE).job
2013-06-07 00:04 - 2009-07-13 20:51 - 00073511 ____A C:\Windows\setupact.log
2013-06-06 16:50 - 2012-05-15 07:15 - 00000000 ____D C:\Users\owner\AppData\Roaming\Skype
2013-06-06 09:18 - 2012-05-15 07:14 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-06-06 09:18 - 2012-05-15 07:14 - 00000000 ____D C:\ProgramData\Skype
2013-06-06 05:58 - 2009-07-13 21:13 - 00779306 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-06 05:48 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-05 06:51 - 2012-06-06 06:41 - 00000808 ____A C:\Users\owner\.powerschool_gradebook.properties
2013-06-02 16:01 - 2013-06-02 15:56 - 00000000 ____D C:\Users\owner\Desktop\Sonia to upload
2013-06-02 15:55 - 2013-06-02 15:33 - 00000000 ____D C:\Users\owner\Desktop\New folder
2013-05-30 14:30 - 2013-05-30 14:30 - 00543704 ____A C:\Users\owner\Desktop\Album vyuk4 - Imgur.zip
2013-05-30 06:34 - 2013-05-30 06:34 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_ccdcmbx64_01009.Wdf
2013-05-30 06:31 - 2012-01-26 04:18 - 00000000 ____D C:\Users\owner\Desktop\to sort
2013-05-28 17:03 - 2011-11-15 16:41 - 00000000 ____D C:\ProgramData\Adobe
2013-05-28 16:57 - 2012-08-16 05:07 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-05-28 16:57 - 2011-11-13 14:19 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-05-28 06:33 - 2013-05-28 06:33 - 00007798 ____A C:\Users\owner\Desktop\a1_gui.py
2013-05-28 06:33 - 2013-05-28 06:33 - 00000000 ____D C:\Users\owner\Desktop\__pycache__
2013-05-28 06:32 - 2013-05-28 05:52 - 00003649 ____A C:\Users\owner\Desktop\a1.py
2013-05-28 05:52 - 2013-05-25 08:44 - 00000234 ____A C:\Users\owner\Desktop\testpython.py
2013-05-27 03:50 - 2012-11-26 08:51 - 00000000 ____D C:\Users\owner\AppData\Roaming\vlc
2013-05-27 03:18 - 2009-07-13 20:45 - 04980040 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-27 03:12 - 2013-05-25 04:55 - 00773522 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2013-05-25 08:44 - 2013-05-25 07:47 - 00000000 ____D C:\Users\owner\.idlerc
2013-05-25 07:43 - 2013-05-25 07:43 - 00000000 ____D C:\Python33
2013-05-25 07:40 - 2013-05-25 07:40 - 20774912 ____A C:\Users\owner\Desktop\python-3.3.2.amd64.msi
2013-05-25 04:59 - 2013-05-25 04:58 - 00000000 ____D C:\Users\owner\Documents\FaceoffHockey2012
2013-05-25 04:58 - 2013-05-25 04:58 - 00000000 ____D C:\Users\owner\Documents\FaceoffHockey2011
2013-05-25 04:58 - 2013-05-25 04:57 - 00000000 ____D C:\Users\owner\AppData\Local\Deployment
2013-05-25 04:57 - 2013-05-25 04:57 - 00000000 ____D C:\Users\owner\AppData\Local\Apps\2.0
2013-05-25 04:57 - 2013-05-25 04:57 - 00000000 ____D C:\Program Files\Microsoft Synchronization Services
2013-05-25 04:57 - 2013-05-25 04:57 - 00000000 ____D C:\Program Files\Microsoft SQL Server Compact Edition
2013-05-25 04:56 - 2013-05-25 04:56 - 00000000 ____D C:\Program Files (x86)\Microsoft Synchronization Services
2013-05-25 04:56 - 2011-12-27 10:04 - 00000000 ____D C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2013-05-25 04:52 - 2013-05-25 04:52 - 00465408 ____A () C:\Users\owner\Desktop\setup.exe
2013-05-23 03:48 - 2011-10-30 11:29 - 00016012 ____A C:\Windows\PFRO.log
2013-05-23 03:39 - 2009-07-13 23:45 - 00000000 ____D C:\Program Files\Windows Journal
2013-05-23 03:39 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Sidebar
2013-05-23 03:39 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Portable Devices
2013-05-23 03:39 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2013-05-23 03:39 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\DVD Maker
2013-05-23 03:39 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar
2013-05-23 03:39 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices
2013-05-23 03:39 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2013-05-23 03:39 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
2013-05-23 03:39 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\System
2013-05-23 03:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\sppui
2013-05-23 03:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Setup
2013-05-23 03:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\oobe
2013-05-23 03:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\migwiz
2013-05-23 03:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\manifeststore
2013-05-23 03:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Dism
2013-05-23 03:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\AdvancedInstallers
2013-05-23 03:37 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sppui
2013-05-23 03:37 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Setup
2013-05-23 03:37 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\oobe
2013-05-23 03:37 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\migwiz
2013-05-23 03:37 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\manifeststore
2013-05-23 03:37 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Dism
2013-05-23 03:37 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\AdvancedInstallers
2013-05-23 03:30 - 2009-07-13 18:36 - 00175616 ____A (Microsoft Corporation) C:\Windows\System32\msclmd.dll
2013-05-23 03:30 - 2009-07-13 18:36 - 00152576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msclmd.dll
2013-05-23 03:10 - 2013-05-23 03:10 - 00000000 ____D C:\Windows\System32\SPReview
2013-05-22 15:03 - 2012-06-19 10:42 - 00000000 ____D C:\Users\owner\AppData\Roaming\uTorrent
2013-05-22 14:55 - 2013-05-22 14:54 - 00000000 ____D C:\Users\owner\Downloads\Babies.2010.DOCU.DVDRip.XviD-AMIABLE
2013-05-22 11:45 - 2012-09-04 09:19 - 00000000 ____D C:\Users\owner\Desktop\y - Teaching
2013-05-22 11:44 - 2012-06-19 03:59 - 00033280 ____A C:\Users\owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-05-20 15:39 - 2012-04-25 09:13 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-05-19 03:25 - 2013-05-19 03:24 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-05-18 04:14 - 2011-10-30 11:17 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-05-17 13:22 - 2013-05-17 13:22 - 00000000 ____D C:\Users\owner\Downloads\Face Off Season 4 (2013)
2013-05-15 20:07 - 2013-05-15 20:07 - 03920384 ____A (Python Software Foundation) C:\Windows\System32\python33.dll
2013-05-15 20:06 - 2013-05-15 20:06 - 00094208 ____A (Python Software Foundation) C:\Windows\pyw.exe
2013-05-15 20:06 - 2013-05-15 20:06 - 00093696 ____A (Python Software Foundation) C:\Windows\py.exe

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\en-US => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender


safeboot: ==> The system is configured to boot to Safe Mode <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-05-25 07:42:17
Restore point made on: 2013-05-26 04:10:54
Restore point made on: 2013-05-26 04:12:12
Restore point made on: 2013-05-26 04:19:24
Restore point made on: 2013-05-26 05:17:48
Restore point made on: 2013-05-27 03:02:58
Restore point made on: 2013-06-03 09:00:52
Restore point made on: 2013-06-09 04:22:27

==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 3000.75 MB
Available physical RAM: 2458.44 MB
Total Pagefile: 2998.89 MB
Available Pagefile: 2455.45 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.79 GB) (Free:98.3 GB) NTFS (Disk=0 Partition=2)
Drive d: (WD SmartWare) (CDROM) (Total:0.43 GB) (Free:0 GB) UDF
Drive g: (My Book) (Fixed) (Total:465.11 GB) (Free:340.53 GB) NTFS (Disk=2 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 233 GB) (Disk ID: C59ED8D2)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=233 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 465 GB) (Disk ID: 000487A0)
Partition 1: (Not Active) - (Size=465 GB) - (Type=07 NTFS)


LastRegBack: 2013-06-03 08:53

==================== End Of Log ============================


Edited by dthal, 13 June 2013 - 07:54 PM.


#8 dthal

dthal
  • Topic Starter

  • Members
  • 18 posts

Posted 15 June 2013 - 07:29 PM

Bumping the topic, per the instructions in your signature



#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 15 June 2013 - 08:39 PM



Hello dthal



Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad window. Save it on the flash drive as fixlist.txt

 
cmd: bcdedit /deletevalue {default} safeboot
DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
DeleteJunctionsInDirectory: C:\Program Files\Microsoft Security Client
cmd: Dir /b /a:l "C:\Program Files" /s
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before, but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
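The two findings the fixlist above targets are visible without FRST: the forced-Safe-Mode flag lives in the default BCD entry (what `bcdedit /deletevalue {default} safeboot` clears), and the ZeroAccess indicator is a reparse point (junction) planted inside a security product's folder, which is what the `Dir /b /a:l` line in the fixlist enumerates. The script below is an added, read-only check written for this thread; it is not part of the thread, of FRST, or of any Farbar tool. It assumes PowerShell 3 or later and an elevated prompt run from Normal or Safe Mode, and the list of security-product folder names is taken from the fixlist (any other names would be an assumption).

```powershell
# Added example, not from the thread or from FRST: list every reparse point
# (junction/symlink) under the program folders and flag those sitting inside a
# security product's directory, then report whether the default BCD entry
# forces Safe Mode. Read-only; it changes nothing. Assumes PowerShell 3+, elevated.

# Folder names taken from the fixlist in this thread; anything else is an assumption.
$securityFolders = @('Windows Defender', 'Microsoft Security Client')

function Get-ReparsePoints {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
            ForEach-Object {
                $item = $_
                # fsutil prints the reparse tag and, for junctions/symlinks, the target path
                $query  = & fsutil reparsepoint query $item.FullName 2>$null
                $detail = ($query | Where-Object { $_ -match 'Tag value|Substitute Name' }) -join '; '
                # A junction inside a security product's folder is the pattern FRST
                # reported above as ZeroAccess (Windows Defender\en-US).
                $inSecurityDir = [bool]($securityFolders |
                    Where-Object { $item.FullName -like "*\$_\*" })
                New-Object PSObject -Property @{
                    Path          = $item.FullName
                    Created       = $item.CreationTime
                    InSecurityDir = $inSecurityDir
                    Detail        = $detail
                }
            }
    }
}

function Test-SafebootForced {
    # bcdedit shows a "safeboot  Minimal" (or Network) line on the default entry
    # when every boot is forced into Safe Mode; that is the value the fixlist deletes.
    $entry = & bcdedit /enum '{default}' 2>$null
    return [bool]($entry | Where-Object { $_ -match '^\s*safeboot\s' })
}

# Program Files, Program Files (x86) and ProgramData; drop any variable that is unset.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) | Where-Object { $_ }

$found = Get-ReparsePoints -Roots $roots
if ($found) {
    $found | Sort-Object InSecurityDir -Descending |
        Format-Table -AutoSize Path, Created, InSecurityDir, Detail
} else {
    Write-Output 'No reparse points found under the program folders.'
}

if (Test-SafebootForced) {
    Write-Warning 'The default BCD entry has safeboot set: the machine will keep booting into Safe Mode.'
} else {
    Write-Output 'Default BCD entry does not force Safe Mode.'
}
```

Run it from Normal or Safe Mode rather than from System Recovery Options: as the Fixlog later in this thread shows, FRST refuses to remove the junctions from recovery mode, and the same environment limits apply to this check (the offline drive letters differ and `bcdedit` would need `/store`). Legitimate junctions do exist (Windows uses several under `C:\ProgramData` and `C:\Users`), so the interesting rows are the ones with `InSecurityDir` set to True or with a recent `Created` time that matches the onset of symptoms.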

#10 dthal

dthal
  • Topic Starter

  • Members
  • 18 posts

Posted 15 June 2013 - 09:25 PM

Okay, I tried to boot in normal mode but again got the "Your computer was unable to start" error, and it asked me to run Startup Repair.


Fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-06-2013 04
Ran by SYSTEM at 2013-06-15 22:22:18 Run:1
Running from G:\
Boot Mode: Recovery
==============================================


=========  bcdedit /deletevalue {default} safeboot =========

The operation completed successfully.

========= End of CMD: =========

Error: DeleteJunctionsInDirectory: C:\Program Files\Windows Defender => entry should be fixed outside recovery mode.
Error: DeleteJunctionsInDirectory: C:\Program Files\Microsoft Security Client => entry should be fixed outside recovery mode.

=========  Dir /b /a:l "C:\Program Files" /s =========

C:\Program Files\Windows Defender\en-US

========= End of CMD: =========


==== End of Fixlog ====



#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 15 June 2013 - 09:30 PM

Hello


Go ahead and run Startup Repair, and after it is finished, if you still cannot get into normal mode, I want you to rescan with FRST and send me a new report.


Gringo

#12 dthal

dthal
  • Topic Starter

  • Members
  • 18 posts

Posted 15 June 2013 - 09:45 PM

Still no luck with startup repair.

FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-06-2013 04
Ran by SYSTEM on 15-06-2013 22:41:46
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2735400 2011-03-31] (Synaptics Incorporated)
HKLM\...\Run: [PLFSetI] C:\Windows\PLFSetI.exe [200704 2007-10-23] ()
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)
HKLM-x32\...\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" [976320 2009-12-03] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [298376 2012-09-28] (LeapFrog Enterprises, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)
HKU\owner\...\Run: [Epson Stylus NX420(Network)] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGCA.EXE /FU "C:\Windows\TEMP\E_SF78A.tmp" /EF "HKCU" [188 2012-05-01] ()
HKU\owner\...\Run: [EPSON NX420 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGCA.EXE /FU "C:\Windows\TEMP\E_S794D.tmp" /EF "HKCU" [126 2012-12-06] ()
HKU\owner\...\Run: []  [x]
HKU\owner\...\Run: [AdobeBridge]  [x]
HKU\owner\...\Run: [S60 PC Suite Tray] "C:\Program Files (x86)\Samsung\Samsung PC Studio 7\PCSuite.exe" -onlytray [699392 2008-12-05] ()
Startup: C:\ProgramData\Start Menu\Programs\Startup\Scrybe.lnk
ShortcutTarget: Scrybe.lnk -> C:\Windows\Installer\{147DFAD8-34C3-4DE1-9FCA-ACEFDE9EF810}\NewShortcut11_8ACB210B42E44145A8C31F8E3DD765A3.exe (Acresso Software Inc.)

==================== Services (Whitelisted) =================

S3 GSService; C:\Windows\SysWOW64\GSService.exe [355112 2012-11-29] ()
S2 NitroReaderDriverReadSpool2; C:\Program Files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe [341296 2011-06-21] (Nitro PDF Software)
S2 ScrybeUpdater; C:\Program Files (x86)\Synaptics\Scrybe\Service\ScrybeUpdater.exe [1300264 2011-05-27] (Synaptics, Inc.)

==================== Drivers (Whitelisted) ====================

S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-06-14] (DT Soft Ltd)
S1 WPS; \??\C:\Windows\system32\drivers\wpsdrvnt.sys [x]
S3 WpsHelper; \??\C:\Windows\system32\drivers\WpsHelper.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-06-13 19:17 - 2013-06-13 19:17 - 00000000 ____D C:\FRST
2013-06-12 23:53 - 2013-06-12 23:53 - 00000000 __SHD C:\$$PendingFiles
2013-06-12 19:22 - 2013-06-12 19:24 - 00000000 ____D C:\ProgramData\5bd1b8
2013-06-12 19:05 - 2013-06-12 23:42 - 00000000 ____D C:\JRT
2013-06-12 19:05 - 2013-06-12 19:05 - 00002821 ____A C:\Users\owner\Desktop\AdwCleaner[S2].txt
2013-06-12 19:01 - 2013-06-12 19:01 - 00002821 ____A C:\AdwCleaner[S2].txt
2013-06-12 18:45 - 2013-06-12 18:45 - 00000353 ____A C:\AdwCleaner[S1].txt
2013-06-12 17:07 - 2013-06-12 17:07 - 00017510 ____A C:\Users\owner\Desktop\attach.txt
2013-06-12 17:07 - 2013-06-12 17:07 - 00014442 ____A C:\Users\owner\Desktop\dds.txt
2013-06-12 16:54 - 2013-06-12 16:54 - 00000000 ____D C:\Windows\Sun
2013-06-12 16:04 - 2013-06-12 16:04 - 00000000 ____D C:\Qoobox
2013-06-12 16:01 - 2013-06-12 20:19 - 00000000 ___SD C:\32788R22FWJFW
2013-06-12 16:01 - 2013-06-12 16:01 - 00000000 ____D C:\Windows\erdnt
2013-06-09 04:20 - 2013-06-09 04:21 - 00004431 ____A C:\Windows\IE10_main.log
2013-06-02 15:56 - 2013-06-02 16:01 - 00000000 ____D C:\Users\owner\Desktop\Sonia to upload
2013-06-02 15:33 - 2013-06-02 15:55 - 00000000 ____D C:\Users\owner\Desktop\New folder
2013-05-30 14:30 - 2013-05-30 14:30 - 00543704 ____A C:\Users\owner\Desktop\Album vyuk4 - Imgur.zip
2013-05-30 06:34 - 2013-05-30 06:34 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_ccdcmbx64_01009.Wdf
2013-05-28 06:33 - 2013-05-28 06:33 - 00007798 ____A C:\Users\owner\Desktop\a1_gui.py
2013-05-28 06:33 - 2013-05-28 06:33 - 00000000 ____D C:\Users\owner\Desktop\__pycache__
2013-05-28 05:52 - 2013-05-28 06:32 - 00003649 ____A C:\Users\owner\Desktop\a1.py
2013-05-26 05:20 - 2013-05-05 13:36 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-26 05:20 - 2013-05-05 13:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-26 05:20 - 2013-05-05 11:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-05-26 05:20 - 2013-05-05 11:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-05-26 05:18 - 2013-04-04 17:19 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-05-26 05:18 - 2013-04-04 17:08 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-05-26 05:18 - 2013-04-04 17:01 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-05-26 05:18 - 2013-04-04 17:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-05-26 05:18 - 2013-04-04 16:59 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-05-26 05:18 - 2013-04-04 16:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-05-26 05:18 - 2013-04-04 16:57 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-05-26 05:18 - 2013-04-04 16:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-05-26 05:18 - 2013-04-04 16:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-05-26 05:18 - 2013-04-04 16:55 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-05-26 05:18 - 2013-04-04 16:54 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-05-26 05:18 - 2013-04-04 16:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-05-26 05:18 - 2013-04-04 16:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-05-26 05:18 - 2013-04-04 16:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-05-26 05:18 - 2013-04-04 14:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-05-26 05:18 - 2013-04-04 14:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-05-26 05:18 - 2013-04-04 14:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-05-26 05:18 - 2013-04-04 14:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-05-26 05:18 - 2013-04-04 14:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-05-26 05:18 - 2013-04-04 14:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-05-26 05:18 - 2013-04-04 13:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-05-26 05:18 - 2013-04-04 13:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-05-26 05:18 - 2013-04-04 13:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-05-26 05:18 - 2013-04-04 13:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-05-26 05:18 - 2013-04-04 13:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-05-26 05:18 - 2013-04-04 13:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-05-26 05:18 - 2013-04-04 13:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-05-26 05:18 - 2013-04-04 13:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-05-25 08:44 - 2013-05-28 05:52 - 00000234 ____A C:\Users\owner\Desktop\testpython.py
2013-05-25 07:47 - 2013-05-25 08:44 - 00000000 ____D C:\Users\owner\.idlerc
2013-05-25 07:43 - 2013-05-25 07:43 - 00000000 ____D C:\Python33
2013-05-25 07:40 - 2013-05-25 07:40 - 20774912 ____A C:\Users\owner\Desktop\python-3.3.2.amd64.msi
2013-05-25 04:58 - 2013-05-25 04:59 - 00000000 ____D C:\Users\owner\Documents\FaceoffHockey2012
2013-05-25 04:58 - 2013-05-25 04:58 - 00000000 ____D C:\Users\owner\Documents\FaceoffHockey2011
2013-05-25 04:57 - 2013-05-25 04:58 - 00000000 ____D C:\Users\owner\AppData\Local\Deployment
2013-05-25 04:57 - 2013-05-25 04:57 - 00000000 ____D C:\Users\owner\AppData\Local\Apps\2.0
2013-05-25 04:57 - 2013-05-25 04:57 - 00000000 ____D C:\Program Files\Microsoft Synchronization Services
2013-05-25 04:57 - 2013-05-25 04:57 - 00000000 ____D C:\Program Files\Microsoft SQL Server Compact Edition
2013-05-25 04:56 - 2013-05-25 04:56 - 00000000 ____D C:\Program Files (x86)\Microsoft Synchronization Services
2013-05-25 04:55 - 2013-05-27 03:12 - 00773522 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2013-05-25 04:52 - 2013-05-25 04:52 - 00465408 ____A () C:\Users\owner\Desktop\setup.exe
2013-05-24 04:27 - 2013-04-09 22:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-05-24 04:27 - 2013-04-09 22:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
2013-05-24 04:27 - 2013-02-26 22:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe
2013-05-24 04:27 - 2013-02-26 21:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2013-05-24 04:27 - 2013-02-26 21:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
2013-05-24 04:27 - 2013-02-26 21:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll
2013-05-24 04:27 - 2013-02-26 21:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll
2013-05-24 04:27 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2013-05-24 04:27 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
2013-05-24 04:27 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2013-05-24 04:27 - 2012-10-09 10:17 - 00226816 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcore6.dll
2013-05-24 04:27 - 2012-10-09 10:17 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcsvc6.dll
2013-05-24 04:27 - 2012-10-09 09:40 - 00193536 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcore6.dll
2013-05-24 04:27 - 2012-10-09 09:40 - 00044032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcsvc6.dll
2013-05-24 04:27 - 2011-02-03 03:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
2013-05-24 04:26 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-05-24 04:26 - 2013-03-18 21:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
2013-05-24 04:26 - 2013-03-18 21:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll
2013-05-24 04:26 - 2012-10-03 09:44 - 00303104 ____A (Microsoft Corporation) C:\Windows\System32\nlasvc.dll
2013-05-24 04:26 - 2012-10-03 09:44 - 00246272 ____A (Microsoft Corporation) C:\Windows\System32\netcorehc.dll
2013-05-24 04:26 - 2012-10-03 09:44 - 00216576 ____A (Microsoft Corporation) C:\Windows\System32\ncsi.dll
2013-05-24 04:26 - 2012-10-03 09:44 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\nlaapi.dll
2013-05-24 04:26 - 2012-10-03 09:44 - 00018944 ____A (Microsoft Corporation) C:\Windows\System32\netevent.dll
2013-05-24 04:26 - 2012-10-03 09:42 - 00569344 ____A (Microsoft Corporation) C:\Windows\System32\iphlpsvc.dll
2013-05-24 04:26 - 2012-10-03 08:42 - 00175104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netcorehc.dll
2013-05-24 04:26 - 2012-10-03 08:42 - 00156672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2013-05-24 04:26 - 2012-10-03 08:42 - 00018944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netevent.dll
2013-05-24 04:26 - 2012-10-03 08:07 - 00045568 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys
2013-05-24 04:26 - 2012-08-22 10:12 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2013-05-24 04:26 - 2012-08-21 13:01 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe
2013-05-24 04:26 - 2012-07-04 12:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\RNDISMP.sys
2013-05-24 04:26 - 2012-01-12 23:12 - 00052224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2013-05-24 04:25 - 2012-11-22 19:13 - 00068608 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe
2013-05-23 03:10 - 2013-05-23 03:10 - 00000000 ____D C:\Windows\System32\SPReview
2013-05-22 14:54 - 2013-05-22 14:55 - 00000000 ____D C:\Users\owner\Downloads\Babies.2010.DOCU.DVDRip.XviD-AMIABLE
2013-05-19 03:24 - 2013-05-19 03:25 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-05-17 13:22 - 2013-05-17 13:22 - 00000000 ____D C:\Users\owner\Downloads\Face Off Season 4 (2013)

==================== One Month Modified Files and Folders =======

2013-06-13 19:17 - 2013-06-13 19:17 - 00000000 ____D C:\FRST
2013-06-13 19:02 - 2013-01-18 09:11 - 00000000 ____D C:\Program Files (x86)\Coupon Companion Plugin
2013-06-13 19:02 - 2011-12-16 06:09 - 00000000 ____D C:\Users\owner\AppData\Roaming\OpenCandy
2013-06-13 19:02 - 2011-10-30 11:07 - 00000000 ____D C:\users\owner
2013-06-13 19:02 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\Offline Web Pages
2013-06-13 19:02 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-06-13 19:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-06-13 19:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-06-13 19:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2013-06-13 19:01 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-06-13 19:01 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-06-13 19:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep
2013-06-13 19:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-06-13 18:59 - 2011-11-19 10:35 - 00000000 ____D C:\ProgramData\Real
2013-06-12 23:53 - 2013-06-12 23:53 - 00000000 __SHD C:\$$PendingFiles
2013-06-12 23:42 - 2013-06-12 19:05 - 00000000 ____D C:\JRT
2013-06-12 20:19 - 2013-06-12 16:01 - 00000000 ___SD C:\32788R22FWJFW
2013-06-12 19:24 - 2013-06-12 19:22 - 00000000 ____D C:\ProgramData\5bd1b8
2013-06-12 19:05 - 2013-06-12 19:05 - 00002821 ____A C:\Users\owner\Desktop\AdwCleaner[S2].txt
2013-06-12 19:01 - 2013-06-12 19:01 - 00002821 ____A C:\AdwCleaner[S2].txt
2013-06-12 18:45 - 2013-06-12 18:45 - 00000353 ____A C:\AdwCleaner[S1].txt
2013-06-12 17:07 - 2013-06-12 17:07 - 00017510 ____A C:\Users\owner\Desktop\attach.txt
2013-06-12 17:07 - 2013-06-12 17:07 - 00014442 ____A C:\Users\owner\Desktop\dds.txt
2013-06-12 16:54 - 2013-06-12 16:54 - 00000000 ____D C:\Windows\Sun
2013-06-12 16:04 - 2013-06-12 16:04 - 00000000 ____D C:\Qoobox
2013-06-12 16:01 - 2013-06-12 16:01 - 00000000 ____D C:\Windows\erdnt
2013-06-09 04:21 - 2013-06-09 04:20 - 00004431 ____A C:\Windows\IE10_main.log
2013-06-09 04:20 - 2011-10-30 12:50 - 01856188 ____A C:\Windows\WindowsUpdate.log
2013-06-09 04:19 - 2013-02-22 10:03 - 00000928 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3426782124-745710171-731335067-1000UA.job
2013-06-09 04:19 - 2012-10-25 05:14 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-08 17:23 - 2012-10-25 05:14 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-08 17:21 - 2013-02-22 10:03 - 00000906 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3426782124-745710171-731335067-1000Core.job
2013-06-08 05:18 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-08 05:18 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-08 00:13 - 2012-08-25 09:36 - 00000472 ____A C:\Windows\Tasks\SDMsgUpdate (TE).job
2013-06-07 00:04 - 2009-07-13 20:51 - 00073511 ____A C:\Windows\setupact.log
2013-06-06 16:50 - 2012-05-15 07:15 - 00000000 ____D C:\Users\owner\AppData\Roaming\Skype
2013-06-06 09:18 - 2012-05-15 07:14 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-06-06 09:18 - 2012-05-15 07:14 - 00000000 ____D C:\ProgramData\Skype
2013-06-06 05:58 - 2009-07-13 21:13 - 00779306 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-06 05:48 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-05 06:51 - 2012-06-06 06:41 - 00000808 ____A C:\Users\owner\.powerschool_gradebook.properties
2013-06-02 16:01 - 2013-06-02 15:56 - 00000000 ____D C:\Users\owner\Desktop\Sonia to upload
2013-06-02 15:55 - 2013-06-02 15:33 - 00000000 ____D C:\Users\owner\Desktop\New folder
2013-05-30 14:30 - 2013-05-30 14:30 - 00543704 ____A C:\Users\owner\Desktop\Album vyuk4 - Imgur.zip
2013-05-30 06:34 - 2013-05-30 06:34 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_ccdcmbx64_01009.Wdf
2013-05-30 06:31 - 2012-01-26 04:18 - 00000000 ____D C:\Users\owner\Desktop\to sort
2013-05-28 17:03 - 2011-11-15 16:41 - 00000000 ____D C:\ProgramData\Adobe
2013-05-28 16:57 - 2012-08-16 05:07 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-05-28 16:57 - 2011-11-13 14:19 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-05-28 06:33 - 2013-05-28 06:33 - 00007798 ____A C:\Users\owner\Desktop\a1_gui.py
2013-05-28 06:33 - 2013-05-28 06:33 - 00000000 ____D C:\Users\owner\Desktop\__pycache__
2013-05-28 06:32 - 2013-05-28 05:52 - 00003649 ____A C:\Users\owner\Desktop\a1.py
2013-05-28 05:52 - 2013-05-25 08:44 - 00000234 ____A C:\Users\owner\Desktop\testpython.py
2013-05-27 03:50 - 2012-11-26 08:51 - 00000000 ____D C:\Users\owner\AppData\Roaming\vlc
2013-05-27 03:18 - 2009-07-13 20:45 - 04980040 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-27 03:12 - 2013-05-25 04:55 - 00773522 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2013-05-25 08:44 - 2013-05-25 07:47 - 00000000 ____D C:\Users\owner\.idlerc
2013-05-25 07:43 - 2013-05-25 07:43 - 00000000 ____D C:\Python33
2013-05-25 07:40 - 2013-05-25 07:40 - 20774912 ____A C:\Users\owner\Desktop\python-3.3.2.amd64.msi
2013-05-25 04:59 - 2013-05-25 04:58 - 00000000 ____D C:\Users\owner\Documents\FaceoffHockey2012
2013-05-25 04:58 - 2013-05-25 04:58 - 00000000 ____D C:\Users\owner\Documents\FaceoffHockey2011
2013-05-25 04:58 - 2013-05-25 04:57 - 00000000 ____D C:\Users\owner\AppData\Local\Deployment
2013-05-25 04:57 - 2013-05-25 04:57 - 00000000 ____D C:\Users\owner\AppData\Local\Apps\2.0
2013-05-25 04:57 - 2013-05-25 04:57 - 00000000 ____D C:\Program Files\Microsoft Synchronization Services
2013-05-25 04:57 - 2013-05-25 04:57 - 00000000 ____D C:\Program Files\Microsoft SQL Server Compact Edition
2013-05-25 04:56 - 2013-05-25 04:56 - 00000000 ____D C:\Program Files (x86)\Microsoft Synchronization Services
2013-05-25 04:56 - 2011-12-27 10:04 - 00000000 ____D C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2013-05-25 04:52 - 2013-05-25 04:52 - 00465408 ____A () C:\Users\owner\Desktop\setup.exe
2013-05-23 03:48 - 2011-10-30 11:29 - 00016012 ____A C:\Windows\PFRO.log
2013-05-23 03:39 - 2009-07-13 23:45 - 00000000 ____D C:\Program Files\Windows Journal
2013-05-23 03:39 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Sidebar
2013-05-23 03:39 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Portable Devices
2013-05-23 03:39 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2013-05-23 03:39 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\DVD Maker
2013-05-23 03:39 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar
2013-05-23 03:39 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices
2013-05-23 03:39 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2013-05-23 03:39 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
2013-05-23 03:39 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\System
2013-05-23 03:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\sppui
2013-05-23 03:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Setup
2013-05-23 03:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\oobe
2013-05-23 03:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\migwiz
2013-05-23 03:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\manifeststore
2013-05-23 03:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Dism
2013-05-23 03:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\AdvancedInstallers
2013-05-23 03:37 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sppui
2013-05-23 03:37 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Setup
2013-05-23 03:37 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\oobe
2013-05-23 03:37 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\migwiz
2013-05-23 03:37 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\manifeststore
2013-05-23 03:37 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Dism
2013-05-23 03:37 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\AdvancedInstallers
2013-05-23 03:30 - 2009-07-13 18:36 - 00175616 ____A (Microsoft Corporation) C:\Windows\System32\msclmd.dll
2013-05-23 03:30 - 2009-07-13 18:36 - 00152576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msclmd.dll
2013-05-23 03:10 - 2013-05-23 03:10 - 00000000 ____D C:\Windows\System32\SPReview
2013-05-22 15:03 - 2012-06-19 10:42 - 00000000 ____D C:\Users\owner\AppData\Roaming\uTorrent
2013-05-22 14:55 - 2013-05-22 14:54 - 00000000 ____D C:\Users\owner\Downloads\Babies.2010.DOCU.DVDRip.XviD-AMIABLE
2013-05-22 11:45 - 2012-09-04 09:19 - 00000000 ____D C:\Users\owner\Desktop\y - Teaching
2013-05-22 11:44 - 2012-06-19 03:59 - 00033280 ____A C:\Users\owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-05-20 15:39 - 2012-04-25 09:13 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-05-19 03:25 - 2013-05-19 03:24 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-05-18 04:14 - 2011-10-30 11:17 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-05-17 13:22 - 2013-05-17 13:22 - 00000000 ____D C:\Users\owner\Downloads\Face Off Season 4 (2013)

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\en-US => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-05-25 07:42:17
Restore point made on: 2013-05-26 04:10:54
Restore point made on: 2013-05-26 04:12:12
Restore point made on: 2013-05-26 04:19:24
Restore point made on: 2013-05-26 05:17:48
Restore point made on: 2013-05-27 03:02:58
Restore point made on: 2013-06-03 09:00:52
Restore point made on: 2013-06-09 04:22:27

==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 3000.75 MB
Available physical RAM: 2455.36 MB
Total Pagefile: 2998.89 MB
Available Pagefile: 2442.89 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.79 GB) (Free:98.23 GB) NTFS (Disk=0 Partition=2)
Drive g: (FLIPVIDEO) (Fixed) (Total:0.97 GB) (Free:0.19 GB) FAT (Disk=2 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 233 GB) (Disk ID: C59ED8D2)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=233 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 996 MB) (Disk ID: A5665B9A)
Partition 1: (Active) - (Size=996 MB) - (Type=06)


LastRegBack: 2013-06-03 08:53

==================== End Of Log ============================


#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:43 PM

Posted 15 June 2013 - 10:09 PM



Hello dthal



Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

 
LastRegBack: 2013-06-03 08:53
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#14 dthal

dthal
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:43 PM

Posted 16 June 2013 - 07:11 AM

Still won't boot to normal mode. Startup repair still fails.

Here is the fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-06-2013 04
Ran by SYSTEM at 2013-06-16 08:07:51 Run:2
Running from G:\
Boot Mode: Recovery
==============================================

DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====

#15 dthal

dthal
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:43 PM

Posted 16 June 2013 - 08:36 AM

Here's the log/details from the Startup Repair, if that helps any:

 

Startup Repair diagnosis and repair log
---------------------------
Last successful boot time: ?6/?13/?2013 5:16:44 AM (GMT)
Number of repair attempts: 3

Session details
---------------------------
System Disk = \Device\Harddisk0
Windows directory = D:\Windows
AutoChk Run = 0
Number of root causes = 1

Test Performed:
---------------------------
Name: Check for updates
Result: Completed successfully. Error code =  0x0
Time taken = 31 ms

Test Performed:
---------------------------
Name: System disk test
Result: Completed successfully. Error code =  0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: Disk failure diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 156 ms

Test Performed:
---------------------------
Name: Disk metadata test
Result: Completed successfully. Error code =  0x0
Time taken = 47 ms

Test Performed:
---------------------------
Name: Target OS test
Result: Completed successfully. Error code =  0x0
Time taken = 156 ms

Test Performed:
---------------------------
Name: Volume content check
Result: Completed successfully. Error code =  0x0
Time taken = 265 ms

Test Performed:
---------------------------
Name: Boot manager diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: System boot log diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: Event log diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 140 ms

Test Performed:
---------------------------
Name: Internal state check
Result: Completed successfully. Error code =  0x0
Time taken = 63 ms

Test Performed:
---------------------------
Name: Boot status test
Result: Completed successfully. Error code =  0x0
Time taken = 46 ms

Test Performed:
---------------------------
Name: Setup state check
Result: Completed successfully. Error code =  0x0
Time taken = 624 ms

Test Performed:
---------------------------
Name: Registry hives test
Result: Completed successfully. Error code =  0x0
Time taken = 3604 ms

Test Performed:
---------------------------
Name: Windows boot log diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: Bugcheck analysis
Result: Completed successfully. Error code =  0x0
Time taken = 1108 ms

Root cause found:
---------------------------
Unknown Bugcheck: Bugcheck 50. Parameters = 0xfffff8000f736f0e, 0x0, 0xfffff80000bdbb15, 0x2.

---------------------------
---------------------------
Session details
---------------------------
System Disk = \Device\Harddisk0
Windows directory = D:\Windows
AutoChk Run = 0
Number of root causes = 1

Test Performed:
---------------------------
Name: Check for updates
Result: Completed successfully. Error code =  0x0
Time taken = 31 ms

Test Performed:
---------------------------
Name: System disk test
Result: Completed successfully. Error code =  0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: Disk failure diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 171 ms

Test Performed:
---------------------------
Name: Disk metadata test
Result: Completed successfully. Error code =  0x0
Time taken = 32 ms

Test Performed:
---------------------------
Name: Target OS test
Result: Completed successfully. Error code =  0x0
Time taken = 156 ms

Test Performed:
---------------------------
Name: Volume content check
Result: Completed successfully. Error code =  0x0
Time taken = 265 ms

Test Performed:
---------------------------
Name: Boot manager diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: System boot log diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: Event log diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 140 ms

Test Performed:
---------------------------
Name: Internal state check
Result: Completed successfully. Error code =  0x0
Time taken = 63 ms

Test Performed:
---------------------------
Name: Boot status test
Result: Completed successfully. Error code =  0x0
Time taken = 31 ms

Test Performed:
---------------------------
Name: Setup state check
Result: Completed successfully. Error code =  0x0
Time taken = 577 ms

Test Performed:
---------------------------
Name: Registry hives test
Result: Completed successfully. Error code =  0x0
Time taken = 4789 ms

Test Performed:
---------------------------
Name: Windows boot log diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: Bugcheck analysis
Result: Completed successfully. Error code =  0x0
Time taken = 1451 ms

Root cause found:
---------------------------
Unknown Bugcheck: Bugcheck 50. Parameters = 0xfffff8000f736f0e, 0x0, 0xfffff80000bdbb15, 0x2.

Repair action: System files integrity check and repair
Result: Failed. Error code =  0x11
Time taken = 655048 ms

---------------------------
---------------------------
Session details
---------------------------
System Disk = \Device\Harddisk0
Windows directory = D:\Windows
AutoChk Run = 0
Number of root causes = 1

Test Performed:
---------------------------
Name: Check for updates
Result: Completed successfully. Error code =  0x0
Time taken = 15 ms

Test Performed:
---------------------------
Name: System disk test
Result: Completed successfully. Error code =  0x0
Time taken = 16 ms

Test Performed:
---------------------------
Name: Disk failure diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 156 ms

Test Performed:
---------------------------
Name: Disk metadata test
Result: Completed successfully. Error code =  0x0
Time taken = 47 ms

Test Performed:
---------------------------
Name: Target OS test
Result: Completed successfully. Error code =  0x0
Time taken = 140 ms

Test Performed:
---------------------------
Name: Volume content check
Result: Completed successfully. Error code =  0x0
Time taken = 265 ms

Test Performed:
---------------------------
Name: Boot manager diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: System boot log diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: Event log diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 141 ms

Test Performed:
---------------------------
Name: Internal state check
Result: Completed successfully. Error code =  0x0
Time taken = 62 ms

Test Performed:
---------------------------
Name: Boot status test
Result: Completed successfully. Error code =  0x0
Time taken = 16 ms

Test Performed:
---------------------------
Name: Setup state check
Result: Completed successfully. Error code =  0x0
Time taken = 577 ms

Test Performed:
---------------------------
Name: Registry hives test
Result: Completed successfully. Error code =  0x0
Time taken = 3869 ms

Test Performed:
---------------------------
Name: Windows boot log diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: Bugcheck analysis
Result: Completed successfully. Error code =  0x0
Time taken = 1123 ms

Root cause found:
---------------------------
Unknown Bugcheck: Bugcheck 50. Parameters = 0xfffff80010594f0e, 0x0, 0xfffff80001a17b15, 0x2.

Repair action: System Restore
Result: Failed. Error code =  0x1f
Time taken = 334637 ms

Repair action: System files integrity check and repair
Result: Failed. Error code =  0x11
Time taken = 597437 ms

---------------------------
--------