
lost Desktop due to Reveton


  • This topic is locked
62 replies to this topic

#1 syn1023

syn1023

  • Members
  • 69 posts

Posted 20 September 2013 - 12:10 PM

Seems I have a virus. My original problem was that whenever I signed in upon startup, I would get a completely white background instead of my desktop with the message "Microsoft Mobile PC Adaptability Client has stopped working....A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available." Was told by some Geek Squad guys that it was probably due to a failed Microsoft update.

 

I was advised to start this new thread after posting a different one. I've performed various tasks and scans already at the advice of members on BleepingComputer.com and have found that I have some viruses (trojans), in particular Reveton. Could this be the problem of why I cannot get into my computer in normal mode? I can only use safe mode and safe mode with networking.

 

Here are the results of an ESETScan I performed:

 

C:\Users\All Users\4wrfdojr7.plz Win32/Reveton.V trojan
C:\ProgramData\4wrfdojr7.plz Win32/Reveton.V trojan cleaned by deleting - quarantined
C:\Users\doppelganger713\AppData\Local\Temp\asqbtliakdkuledohao.bfg Win32/Reveton.V trojan cleaned by deleting - quarantined
C:\Users\doppelganger713\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\7cd0ad13-546a4be2 multiple threats cleaned by deleting - quarantined
C:\Users\doppelganger713\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\82f28e0-64ae4037 Win32/Reveton.V trojan cleaned by deleting - quarantined
C:\Users\doppelganger713\Desktop\rkill\rkill-09-19-2013-01-55-59.reg REG/Disabler.A application cleaned by deleting - quarantined
C:\Windows\pss\ctfmon.lnk.Startup Win32/Reveton.J trojan cleaned by deleting - quarantined

 

And here is a link to my previous thread with more information, scan results, and operations I've performed already:

 

http://www.bleepingcomputer.com/forums/t/508234/white-background-and-microsoft-error-message-on-startup/#entry3162090

 

Attached are also files of scans from ESET, MiniToolBox, and Kaspersky's TDSSKiller.

 

Any help on getting my PC to startup in normal mode and viruses removed will be greatly appreciated!


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,730 posts
  • Gender:Male

Posted 25 September 2013 - 12:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/508427 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 syn1023

syn1023
  • Topic Starter

  • Members
  • 69 posts

Posted 25 September 2013 - 05:46 PM

Tried to download the DDS and run it but my computer froze while doing so, twice. I do NOT have the original CD/DVD that came with the computer. Please help!



#4 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 25 September 2013 - 06:28 PM

Hello syn1023 and welcome to Bleeping Computer!

We're very sorry for the delay! At times the forum can get overwhelmed, but I'm here now! :)

My name is bloopie and I'll be helping you with your problems as best I can! :thumbup2:

A few things to keep in mind while we are working together:
  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • Please copy and paste all logs here unless otherwise instructed!
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.
  • Please do not run any other tools without my instruction to do so!
==========

You mention you can enter Windows through Safe Mode With Networking, correct?

If so, please do so now, and then do the following from Safe Mode With Networking:

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
bloopie
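The FRST.txt that this step produces lists every file created or modified in the last month in a fixed one-line format (created date, modified date, size, attribute flags, optional signer in parentheses, path), which makes it practical to triage mechanically. The following added example is mine, not code from the thread or from Farbar's tool: it parses those lines and flags the pattern the ESET results in post #1 already showed, random-named files with unusual extensions dropped in C:\ProgramData or the user's Temp folder. The watched folders, the extension allowlist and the "random name" rule are heuristics assumed for this example, and the last sample line is constructed.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# One line of FRST's "One Month Created/Modified Files and Folders" sections:
#   <created> - <modified> - <size> <attrs> [(Company)] <path>
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+)$"
)

# Extensions that are ordinary in the folders we watch; anything else on a
# random-looking name is worth a second look (assumption: list chosen for this example).
COMMON_EXT = {".exe", ".dll", ".sys", ".txt", ".log", ".url", ".lnk", ".ini",
              ".dat", ".job", ".reg", ".com", ".cab", ".tmp"}

# Machine-wide, user-writable drop folders. C:\Users\All Users is the Vista junction
# to C:\ProgramData, which is why the ESET scan listed the same file under both names.
WATCHED_DIRS = {"c:\\programdata", "c:\\users\\all users"}


@dataclass
class FrstEntry:
    created: str
    modified: str
    size: int
    attrs: str              # FRST attribute flags; 'D' marks a directory
    company: Optional[str]  # signer/company shown in parentheses, None if absent
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_frst_line(line: str) -> Optional[FrstEntry]:
    """Parse one file/folder line; returns None for section headers and blank lines."""
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    return FrstEntry(m["created"], m["modified"], int(m["size"]),
                     m["attrs"], m["company"], m["path"])


def looks_random(stem: str) -> bool:
    """Lowercase alphanumeric, 8+ chars, and either digit-laden or very long (heuristic)."""
    if not re.fullmatch(r"[a-z0-9]{8,}", stem):
        return False
    return any(c.isdigit() for c in stem) or len(stem) >= 14


def is_suspicious(entry: FrstEntry) -> Optional[str]:
    """Return a reason string if the entry matches the drop-folder pattern, else None."""
    if entry.is_dir:
        return None
    p = PureWindowsPath(entry.path)
    parent = str(p.parent).lower()
    in_drop_dir = parent in WATCHED_DIRS or parent.endswith("\\appdata\\local\\temp")
    if in_drop_dir and looks_random(p.stem) and p.suffix.lower() not in COMMON_EXT:
        return f"random-named {p.suffix} file in drop folder {p.parent}"
    return None


def triage(frst_text: str) -> List[Tuple[str, str]]:
    """Walk an FRST.txt excerpt and return (path, reason) for each suspicious file."""
    hits = []
    for line in frst_text.splitlines():
        entry = parse_frst_line(line)
        if entry is None:
            continue
        reason = is_suspicious(entry)
        if reason:
            hits.append((entry.path, reason))
    return hits


# Sample excerpt: the first five entries are copied from the FRST.txt posted in this
# thread; the last one is constructed in FRST format from a path the ESET scan reported.
SAMPLE_LOG = r"""
==================== One Month Created Files and Folders ========

2013-09-25 18:33 - 2013-09-25 18:33 - 01089329 _____ (Farbar) C:\Users\doppelganger713\Downloads\FRST.exe
2013-09-25 18:33 - 2013-09-25 18:33 - 00000000 ____D C:\FRST
2013-09-15 00:04 - 2013-09-15 00:04 - 95025368 ____T C:\ProgramData\7rjodfrw4.pff
2013-09-14 23:36 - 2013-09-14 23:36 - 00046585 _____ C:\Users\doppelganger713\Downloads\Addison Improv (1)
2013-09-13 13:00 - 2013-07-24 21:26 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-09-14 23:30 - 2013-09-14 23:30 - 00204800 _____ C:\Users\doppelganger713\AppData\Local\Temp\asqbtliakdkuledohao.bfg
"""

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{path}: {reason}")
```

Signed Microsoft binaries and user downloads pass through untouched; only the two random-named payload-style files are reported, which is the shortlist a helper would want to check against the scan results before writing a fix script.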

#5 syn1023

syn1023
  • Topic Starter

  • Members
  • 69 posts

Posted 25 September 2013 - 06:40 PM

Hi Bloopie! Thanks for your help. Ok, I followed your instructions. Below are the FRST.txt and Addition.txt pastes. Please let me know what you see there and how you think I ought to proceed.

 

FRST.txt:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-09-2013
Ran by doppelganger713 (administrator) on DOPPELGANGER on 25-09-2013 18:34:53
Running from C:\Users\doppelganger713\Downloads
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Safe Mode (with Networking)

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\Windows\system32\wbem\unsecapp.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [] - [x]
Winlogon\Notify\VESWinlogon: C:\Windows\system32\VESWinlogon.dll (Sony Corporation)
HKCU\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\system32\Macromed\Flash\FlashUtil32_11_8_800_94_ActiveX.exe -update activex [814984 2013-08-24] (Adobe Systems Incorporated)
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
SearchScopes: HKLM - DefaultScope {A81B1C1D-C49B-44DF-8463-D242BBE9008B} URL = http://search.aol.com/aolcom/search?query={searchTerms}&invocationType=sny_ie7;
SearchScopes: HKLM - {A81B1C1D-C49B-44DF-8463-D242BBE9008B} URL = http://search.aol.com/aolcom/search?query={searchTerms}&invocationType=sny_ie7;
SearchScopes: HKCU - {A81B1C1D-C49B-44DF-8463-D242BBE9008B} URL = http://search.aol.com/aolcom/search?query={searchTerms}&invocationType=sny_ie7;
BHO: Content Blocker Plugin - {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\ContentBlocker\ie_content_blocker_plugin.dll (Kaspersky Lab ZAO)
BHO: Virtual Keyboard Plugin - {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll (Kaspersky Lab ZAO)
BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Safe Money Plugin - {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\OnlineBanking\online_banking_bho.dll (Kaspersky Lab ZAO)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: URL Advisor Plugin - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\UrlAdvisor\klwtbbho.dll (Kaspersky Lab ZAO)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKCU -&Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\Windows\system32\ieframe.dll (Microsoft Corporation)
DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} http://esupport.sony.com/VaioInfo.CAB
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect119b.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-us.cab
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62

Chrome:
=======
CHR HomePage: hxxp://www.google.com/
CHR RestoreOnStartup: "hxxp://www.google.com/"
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\29.0.1547.57\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\29.0.1547.57\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\29.0.1547.57\pdf.dll ()
CHR Plugin: (Kaspersky Anti-Virus) - C:\Users\doppelganger713\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjldcfjmnllhmgjclecdnfampinooman\13.0.1.4190_0\plugin/npABPlugin.dll (Kaspersky Lab ZAO)
CHR Plugin: (Kaspersky Anti-Virus) - C:\Users\doppelganger713\AppData\Local\Google\Chrome\User Data\Default\Extensions\hakdifolhalapjijoafobooafbilfakh\13.0.1.4190_0\plugin/online_banking_npapi.dll (Kaspersky Lab ZAO)
CHR Plugin: (Kaspersky Anti-Virus) - C:\Users\doppelganger713\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\13.0.1.4190_0\plugin/npUrlAdvisor.dll No File
CHR Plugin: (Kaspersky Anti-Virus) - C:\Users\doppelganger713\AppData\Local\Google\Chrome\User Data\Default\Extensions\jagncdcchgajhfhijbbhecadmaiegcmh\13.0.1.4292_0\plugin/npVKPlugin.dll (Kaspersky Lab ZAO)
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.260.3) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 6 U26) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (YouTube) - C:\Users\DOPPEL~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\DOPPEL~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Safe Money) - C:\Users\DOPPEL~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\hakdifolhalapjijoafobooafbilfakh\13.0.1.4190_0
CHR Extension: (Virtual Keyboard) - C:\Users\DOPPEL~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\jagncdcchgajhfhijbbhecadmaiegcmh\13.0.1.4292_0
CHR Extension: (Chrome In-App Payments service) - C:\Users\DOPPEL~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.10_0
CHR Extension: (Gmail) - C:\Users\DOPPEL~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1
CHR Extension: (Anti-Banner) - C:\Users\DOPPEL~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjldcfjmnllhmgjclecdnfampinooman\13.0.1.4190_0
CHR HKLM\...\Chrome\Extension: [dchlnpcodkpfdpacogkljefecpegganj] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ChromeExt\urladvisor.crx
CHR HKLM\...\Chrome\Extension: [hakdifolhalapjijoafobooafbilfakh] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ChromeExt\online_banking_chrome.crx
CHR HKLM\...\Chrome\Extension: [hghkgaeecgjhjkannahfamoehjmkjail] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ChromeExt\content_blocker_chrome.crx
CHR HKLM\...\Chrome\Extension: [jagncdcchgajhfhijbbhecadmaiegcmh] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ChromeExt\virtkbd.crx
CHR HKLM\...\Chrome\Extension: [pjldcfjmnllhmgjclecdnfampinooman] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ChromeExt\ab.crx

========================== Services (Whitelisted) =================

S4 AOL ACS; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [46640 2006-10-23] (AOL LLC)
S4 AVP; C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe [356376 2013-03-03] (Kaspersky Lab ZAO)
S4 PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [57344 2006-12-14] ()
S4 PMBDeviceInfoProvider; C:\Program Files\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe [479840 2012-11-27] (Sony Corporation)
S4 SPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [69632 2006-12-14] (Sony Corporation)
S4 Symantec RemoteAssist; C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe [394704 2008-02-01] (Symantec, Inc.)
S4 VAIO Event Service; C:\Program Files\Sony\VAIO Event Service\VESMgr.exe [182392 2007-07-24] (Sony Corporation)

==================== Drivers (Whitelisted) ====================

R0 CLFS; C:\Windows\System32\CLFS.sys [245736 2009-04-11] (Microsoft Corporation)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [136024 2012-06-19] (Kaspersky Lab ZAO)
S1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [594528 2013-04-23] (Kaspersky Lab ZAO)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [24408 2012-08-02] (Kaspersky Lab ZAO)
S3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [25944 2013-03-03] (Kaspersky Lab)
S3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [25944 2013-03-03] (Kaspersky Lab)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [44000 2013-06-18] (Kaspersky Lab ZAO)
S1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [145040 2013-04-23] (Kaspersky Lab ZAO)
S3 OlyCamComm; C:\Windows\System32\DRIVERS\OlyCamComm.sys [21648 2009-09-10] (OLYMPUS IMAGING CORP.)
S3 ti21sony; C:\Windows\System32\drivers\ti21sony.sys [812544 2007-06-05] (Texas Instruments)
R3 wanatw; C:\Windows\System32\DRIVERS\wanatw4.sys [33588 2006-11-01] (America Online, Inc.)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
U5 klflt; C:\Windows\System32\Drivers\klflt.sys [74848 2013-04-23] (Kaspersky Lab ZAO)
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S4 UIUSys; system32\DRIVERS\UIUSYS.SYS [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-09-25 18:33 - 2013-09-25 18:33 - 01089329 _____ (Farbar) C:\Users\doppelganger713\Downloads\FRST.exe
2013-09-25 18:33 - 2013-09-25 18:33 - 00000000 ____D C:\FRST
2013-09-25 17:55 - 2013-09-25 17:55 - 00000264 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Vera 3107698.url
2013-09-25 17:55 - 2013-09-25 17:55 - 00000242 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Inna 2768984.url
2013-09-25 17:54 - 2013-09-25 17:54 - 00000194 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Evgenia 2957506.url
2013-09-25 17:52 - 2013-09-25 17:52 - 00000264 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Marina 3107737.url
2013-09-25 17:49 - 2013-09-25 17:49 - 00000264 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Ilona 1318002.url
2013-09-25 17:49 - 2013-09-25 17:49 - 00000194 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Vera 2928186.url
2013-09-25 15:35 - 2013-09-25 15:35 - 00000194 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Aliona 2312920.url
2013-09-25 15:34 - 2013-09-25 15:34 - 00000194 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Olga 3106677.url
2013-09-25 15:34 - 2013-09-25 15:34 - 00000194 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Olena 1309207.url
2013-09-24 10:10 - 2013-09-24 10:10 - 00002109 _____ C:\Users\doppelganger713\Desktop\Exotic Russian lady Veronica from Chaplinka, 42 yo, hair color Red.url
2013-09-24 10:02 - 2013-09-24 10:02 - 00002108 _____ C:\Users\doppelganger713\Desktop\Girl from Ukraine Olga from Dnepropetrovsk, 21 yo, hair color Brown.url
2013-09-24 09:51 - 2013-09-24 09:51 - 00002192 _____ C:\Users\doppelganger713\Desktop\Romantic woman from Ukraine Daria from Kharkov, 23 yo, hair color Brown.url
2013-09-23 20:27 - 2013-09-23 20:27 - 00000264 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Aliona 3107512.url
2013-09-23 20:26 - 2013-09-23 20:26 - 00000264 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Svetlana 3107332.url
2013-09-23 20:26 - 2013-09-23 20:26 - 00000264 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Nadezhda 3107337.url
2013-09-23 10:49 - 2013-09-23 10:49 - 00000194 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Lidia 2719317.url
2013-09-23 10:48 - 2013-09-23 10:48 - 00000190 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Nelina 62622.url
2013-09-23 10:47 - 2013-09-23 10:47 - 00000194 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Olga 1307047.url
2013-09-23 00:28 - 2013-09-23 00:28 - 00000242 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Irina 2867069.url
2013-09-19 17:46 - 2013-09-19 17:46 - 00000322 _____ C:\Users\doppelganger713\Desktop\Date Russian and Ukrainian Women Live videochat - Marriage Agency Nataly.url
2013-09-19 15:20 - 2013-09-19 15:20 - 00000789 _____ C:\Users\doppelganger713\Desktop\ESETScanInfectionsFound.txt
2013-09-19 14:08 - 2013-09-19 14:08 - 02347384 _____ (ESET) C:\Users\doppelganger713\Downloads\esetsmartinstaller_enu.exe
2013-09-19 14:08 - 2013-09-19 14:08 - 00000000 ____D C:\Program Files\ESET
2013-09-19 14:00 - 2013-09-19 14:01 - 02748256 _____ (Kaspersky Lab ZAO) C:\Users\doppelganger713\Downloads\tdsskiller.exe
2013-09-19 13:55 - 2013-09-19 15:12 - 00000000 ____D C:\Users\doppelganger713\Desktop\rkill
2013-09-19 13:55 - 2013-09-19 13:59 - 00001708 _____ C:\Users\doppelganger713\Desktop\Rkill.txt
2013-09-19 13:55 - 2013-09-19 13:57 - 01898112 _____ (Bleeping Computer, LLC) C:\Users\doppelganger713\Downloads\rkill.com
2013-09-19 13:52 - 2013-09-19 13:52 - 00023686 _____ C:\Users\doppelganger713\Desktop\Result.txt
2013-09-19 13:51 - 2013-09-19 13:51 - 00760937 _____ (Farbar) C:\Users\doppelganger713\Downloads\MiniToolBox.exe
2013-09-15 13:12 - 2013-09-15 13:12 - 00000871 _____ C:\Users\doppelganger713\Desktop\Elke Madler, Model.url
2013-09-15 00:04 - 2013-09-15 00:04 - 95025368 ____T C:\ProgramData\7rjodfrw4.pff
2013-09-14 23:36 - 2013-09-14 23:36 - 00046585 _____ C:\Users\doppelganger713\Downloads\Addison Improv (1)
2013-09-14 17:55 - 2013-09-14 17:55 - 00046585 _____ C:\Users\doppelganger713\Downloads\Addison Improv
2013-09-13 13:12 - 2013-09-13 13:17 - 00000000 ____D C:\Windows\system32\MRT
2013-09-13 13:00 - 2013-07-24 21:26 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-09-13 13:00 - 2013-07-24 21:24 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-09-13 13:00 - 2013-07-24 21:23 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-09-13 13:00 - 2013-07-24 21:23 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2013-09-13 13:00 - 2013-07-24 21:23 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2013-09-13 13:00 - 2013-07-24 21:22 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-09-13 13:00 - 2013-07-24 21:22 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-09-13 13:00 - 2013-07-24 21:22 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2013-09-13 12:59 - 2013-07-24 21:40 - 12334080 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-09-13 12:59 - 2013-07-24 21:32 - 01800704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-09-13 12:59 - 2013-07-24 21:30 - 09738752 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-09-13 12:59 - 2013-07-24 21:26 - 01104384 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-09-13 12:59 - 2013-07-24 21:25 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2013-09-13 12:59 - 2013-07-24 21:24 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2013-09-13 12:59 - 2013-07-24 21:23 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-09-13 12:59 - 2013-07-24 21:23 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-09-11 21:49 - 2013-09-11 21:49 - 00000575 _____ C:\Users\doppelganger713\Desktop\HitmanPro - Shortcut.lnk
2013-09-11 21:48 - 2013-09-11 21:48 - 00000000 ____D C:\ProgramData\HitmanPro
2013-09-11 21:47 - 2013-09-11 21:48 - 09186416 _____ (SurfRight B.V.) C:\Users\doppelganger713\Downloads\HitmanPro.exe
2013-09-10 02:47 - 2013-09-23 11:07 - 00000000 ____D C:\Users\doppelganger713\Desktop\DG
2013-08-28 12:16 - 2013-08-28 12:16 - 00000000 ____D C:\ProgramData\Geek Squad
2013-08-27 22:57 - 2013-08-28 12:16 - 00000000 ____D C:\Users\doppelganger713\AppData\Local\KB2279612

==================== One Month Modified Files and Folders =======

2013-09-25 18:35 - 2007-12-25 18:13 - 00000000 ____D C:\Users\doppelganger713\AppData\Roaming\Corel
2013-09-25 18:33 - 2013-09-25 18:33 - 01089329 _____ (Farbar) C:\Users\doppelganger713\Downloads\FRST.exe
2013-09-25 18:33 - 2013-09-25 18:33 - 00000000 ____D C:\FRST
2013-09-25 17:55 - 2013-09-25 17:55 - 00000264 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Vera 3107698.url
2013-09-25 17:55 - 2013-09-25 17:55 - 00000242 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Inna 2768984.url
2013-09-25 17:54 - 2013-09-25 17:54 - 00000194 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Evgenia 2957506.url
2013-09-25 17:52 - 2013-09-25 17:52 - 00000264 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Marina 3107737.url
2013-09-25 17:49 - 2013-09-25 17:49 - 00000264 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Ilona 1318002.url
2013-09-25 17:49 - 2013-09-25 17:49 - 00000194 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Vera 2928186.url
2013-09-25 15:35 - 2013-09-25 15:35 - 00000194 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Aliona 2312920.url
2013-09-25 15:34 - 2013-09-25 15:34 - 00000194 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Olga 3106677.url
2013-09-25 15:34 - 2013-09-25 15:34 - 00000194 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Olena 1309207.url
2013-09-24 10:10 - 2013-09-24 10:10 - 00002109 _____ C:\Users\doppelganger713\Desktop\Exotic Russian lady Veronica from Chaplinka, 42 yo, hair color Red.url
2013-09-24 10:02 - 2013-09-24 10:02 - 00002108 _____ C:\Users\doppelganger713\Desktop\Girl from Ukraine Olga from Dnepropetrovsk, 21 yo, hair color Brown.url
2013-09-24 09:51 - 2013-09-24 09:51 - 00002192 _____ C:\Users\doppelganger713\Desktop\Romantic woman from Ukraine Daria from Kharkov, 23 yo, hair color Brown.url
2013-09-23 20:27 - 2013-09-23 20:27 - 00000264 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Aliona 3107512.url
2013-09-23 20:26 - 2013-09-23 20:26 - 00000264 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Svetlana 3107332.url
2013-09-23 20:26 - 2013-09-23 20:26 - 00000264 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Nadezhda 3107337.url
2013-09-23 11:07 - 2013-09-10 02:47 - 00000000 ____D C:\Users\doppelganger713\Desktop\DG
2013-09-23 10:49 - 2013-09-23 10:49 - 00000194 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Lidia 2719317.url
2013-09-23 10:48 - 2013-09-23 10:48 - 00000190 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Nelina 62622.url
2013-09-23 10:47 - 2013-09-23 10:47 - 00000194 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Olga 1307047.url
2013-09-23 00:28 - 2013-09-23 00:28 - 00000242 _____ C:\Users\doppelganger713\Desktop\Single Russian Girl Irina 2867069.url
2013-09-22 12:55 - 2012-06-28 09:00 - 00000000 ____D C:\Users\doppelganger713\Desktop\AG
2013-09-22 09:37 - 2012-09-29 22:06 - 00001356 _____ C:\Users\doppelganger713\AppData\Local\d3d9caps.dat
2013-09-21 15:01 - 2006-11-02 05:33 - 00716870 _____ C:\Windows\system32\PerfStringBackup.INI
2013-09-20 20:58 - 2007-12-25 15:09 - 01583082 _____ C:\Windows\WindowsUpdate.log
2013-09-20 20:58 - 2006-11-02 08:01 - 00032544 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-09-20 20:58 - 2006-11-02 08:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-20 20:58 - 2006-11-02 07:47 - 00003168 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-20 20:58 - 2006-11-02 07:47 - 00003168 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-20 20:57 - 2013-05-07 12:53 - 00000900 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-20 20:54 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-09-19 17:46 - 2013-09-19 17:46 - 00000322 _____ C:\Users\doppelganger713\Desktop\Date Russian and Ukrainian Women Live videochat - Marriage Agency Nataly.url
2013-09-19 15:37 - 2011-01-01 13:15 - 00000000 ____D C:\Users\doppelganger713\AppData\Local\CrashDumps
2013-09-19 15:20 - 2013-09-19 15:20 - 00000789 _____ C:\Users\doppelganger713\Desktop\ESETScanInfectionsFound.txt
2013-09-19 15:12 - 2013-09-19 13:55 - 00000000 ____D C:\Users\doppelganger713\Desktop\rkill
2013-09-19 15:12 - 2012-09-30 16:01 - 00000000 ____D C:\Windows\pss
2013-09-19 14:08 - 2013-09-19 14:08 - 02347384 _____ (ESET) C:\Users\doppelganger713\Downloads\esetsmartinstaller_enu.exe
2013-09-19 14:08 - 2013-09-19 14:08 - 00000000 ____D C:\Program Files\ESET
2013-09-19 14:01 - 2013-09-19 14:00 - 02748256 _____ (Kaspersky Lab ZAO) C:\Users\doppelganger713\Downloads\tdsskiller.exe
2013-09-19 13:59 - 2013-09-19 13:55 - 00001708 _____ C:\Users\doppelganger713\Desktop\Rkill.txt
2013-09-19 13:57 - 2013-09-19 13:55 - 01898112 _____ (Bleeping Computer, LLC) C:\Users\doppelganger713\Downloads\rkill.com
2013-09-19 13:52 - 2013-09-19 13:52 - 00023686 _____ C:\Users\doppelganger713\Desktop\Result.txt
2013-09-19 13:51 - 2013-09-19 13:51 - 00760937 _____ (Farbar) C:\Users\doppelganger713\Downloads\MiniToolBox.exe
2013-09-15 13:12 - 2013-09-15 13:12 - 00000871 _____ C:\Users\doppelganger713\Desktop\Elke Madler, Model.url
2013-09-15 00:04 - 2013-09-15 00:04 - 95025368 ____T C:\ProgramData\7rjodfrw4.pff
2013-09-14 23:36 - 2013-09-14 23:36 - 00046585 _____ C:\Users\doppelganger713\Downloads\Addison Improv (1)
2013-09-14 17:55 - 2013-09-14 17:55 - 00046585 _____ C:\Users\doppelganger713\Downloads\Addison Improv
2013-09-13 14:30 - 2012-12-10 16:43 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-13 13:17 - 2013-09-13 13:12 - 00000000 ____D C:\Windows\system32\MRT
2013-09-13 13:12 - 2006-11-02 05:24 - 75778376 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2013-09-11 21:49 - 2013-09-11 21:49 - 00000575 _____ C:\Users\doppelganger713\Desktop\HitmanPro - Shortcut.lnk
2013-09-11 21:48 - 2013-09-11 21:48 - 00000000 ____D C:\ProgramData\HitmanPro
2013-09-11 21:48 - 2013-09-11 21:47 - 09186416 _____ (SurfRight B.V.) C:\Users\doppelganger713\Downloads\HitmanPro.exe
2013-09-11 20:11 - 2013-08-07 11:52 - 00000000 ____D C:\Users\doppelganger713\Desktop\LW
2013-09-11 18:53 - 2013-03-03 16:32 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2013-08-30 15:55 - 2006-11-02 07:47 - 00331304 _____ C:\Windows\system32\FNTCACHE.DAT
2013-08-28 12:16 - 2013-08-28 12:16 - 00000000 ____D C:\ProgramData\Geek Squad
2013-08-28 12:16 - 2013-08-27 22:57 - 00000000 ____D C:\Users\doppelganger713\AppData\Local\KB2279612

Files to move or delete:
====================
C:\ProgramData\7rjodfrw4.pff
C:\ProgramData\lsass.exe
C:\ProgramData\pswi_preloaded.exe
C:\ProgramData\ssrsc.pad

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-09-25 18:21

==================== End Of Log ============================

Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 26-09-2013
Ran by doppelganger713 at 2013-09-25 18:36:47
Running from C:\Users\doppelganger713\Downloads
Boot Mode: Safe Mode (with Networking)
==========================================================

==================== Security Center ========================

AV: Kaspersky Internet Security (Disabled - Out of date) {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}
AS: Kaspersky Internet Security (Disabled - Up to date) {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Internet Security (Disabled) {FB2ABE9A-01A4-4539-FCD2-C7EA1246D49E}

==================== Installed Programs ======================

Adobe AIR (Version: 3.1.0.4880)
Adobe Flash Player 11 ActiveX (Version: 11.8.800.94)
Adobe Reader X (10.1.7) (Version: 10.1.7)
ArcSoft Magic-i Visual Effects Installer
Corel Paint Shop Pro Photo XI (Version: 11.10.0000)
Corel Snapfire (Version: 1.10.0000)
ESET Online Scanner v3
GearDrvs (Version: 1.00.0000)
GearDrvs (Version: 5.0.0.2)
Google Chrome (Version: 29.0.1547.57)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.5.4413.1752)
Google Update Helper (Version: 1.3.21.153)
HDAUDIO SoftV92 Data Fax Modem with SmartCP
HP Photo Creations (Version: 1.0.0.7702)
HP Photosmart 5520 series Basic Device Software (Version: 28.0.1315.0)
HP Photosmart 5520 series Help (Version: 27.0.0)
HP Update (Version: 5.003.003.001)
Instant Mode (Version: 1.0.2)
Java Auto Updater (Version: 2.0.5.1)
Java™ 6 Update 26 (Version: 6.0.260)
Kaspersky Internet Security 2013 (Version: 13.0.1.4190)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Office Click-to-Run 2010 (Version: 14.0.4763.1000)
Microsoft Office Home and Business 2010 - English (Version: 14.0.5138.5002)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB941833) (Version: 4.20.9849.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
OLYMPUS ib (Version: 1.1.1404)
OpenMG Limited Patch 4.7-07-15-19-01
OpenMG Secure Module 4.7.00 (Version: 4.7.00.12140)
PlayMemories Home (Version: 7.0.00.11271)
QuickBooks Product Listing Service (Version: 2.0.148)
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista (Version: 1.00.0000)
Realtek High Definition Audio Driver (Version: 6.0.1.5391)
Setting Utility Series (Version: 3.0.00.07240)
Symantec Technical Support Advanced Chat Controls (Version: 3.5.3)
Synaptics Pointing Device Driver (Version: 9.1.13.0)
Update for Microsoft .NET Framework 3.5 SP1 (KB2836940) (Version: 1)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (Version: 1)
VAIO Camera Capture Utility (Version: 2.7.00.07050)
VAIO Content Folder Setting (Version: 1.0.00.07170)
VAIO Control Center (Version: 2.1.00.07110)
VAIO Event Service (Version: 3.2.00.07240)
VAIO PC Wireless LAN Wizard (Version: 1.00.0716)
VAIO Power Management (Version: 2.2.00.06130)
VAIO Update 3 (Version: 3.0.02.05090)
Windows Driver Package - OLYMPUS IMAGING CORP. Camera Communication Driver Package (09/09/2009 1.0.0.0) (Version: 09/09/2009 1.0.0.0)
WinDVD for VAIO (Version: 8.0-B8.384)
Wireless Switch Setting Utility (Version: 3.6.00.18210)

==================== Restore Points  =========================

24-08-2013 22:12:13 Scheduled Checkpoint
13-09-2013 17:56:31 Windows Update

==================== Hosts content: ==========================

2006-11-02 05:23 - 2006-09-18 16:41 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
::1             localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {1CC81347-6204-4B83-900C-01E02F50F067} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {36142D3D-6A63-45EF-9CF9-4EF5E6CF4401} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-05-07] (Google Inc.)
Task: {3BCDF251-CA5C-4045-A1FC-8FCEF9FBDC93} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {44980BEE-7809-44A9-AC24-D6E578A3B7DF} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\system32\RacAgent.exe [2008-01-19] (Microsoft Corporation)
Task: {68DFAA29-17C1-4E71-B121-FA7FD0D52801} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {6FF17721-17D9-4D54-A012-51D3D81ECF7F} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-08-24] (Adobe Systems Incorporated)
Task: {89D7F134-0B6D-4DE9-A0F1-BC83A3A6B682} - System32\Tasks\SONY\WSSU\WSSU => C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe [2007-06-15] (Sony Corporation)
Task: {A55F4BD2-33A0-497F-A720-05F517B3B5B5} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-05-07] (Google Inc.)
Task: {AD4E54C6-FAB3-413B-802B-69D669E2AD05} - System32\Tasks\User_Feed_Synchronization-{50A5FECF-8F59-452E-BC10-FBE31E4EFD19} => C:\Windows\system32\msfeedssync.exe [2012-01-23] (Microsoft Corporation)
Task: {C9CE980B-B79A-4E57-9D46-AB5B9C4CBD11} - System32\Tasks\SONY\VAIO Update\VAIO Update => C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe [2007-05-31] (Sony Corporation)
Task: {DBD5067F-BB97-43A9-B528-67D31C0C8648} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {E5150B95-F9B4-4D5D-95A2-7EC1ACBA95F8} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\system32\gatherWirelessInfo.vbs [2008-01-05] ()
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2013-08-24 16:20 - 2013-08-24 16:20 - 16230792 ____R (Adobe Systems, Inc.) C:\Windows\system32\Macromed\Flash\Flash32_11_8_800_94.ocx

==================== Alternate Data Streams (whitelisted) =========

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"

==================== Faulty Device Manager Devices =============

Name: Microsoft 6to4 Adapter #2
Description: Microsoft 6to4 Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver

==================== Event log errors: =========================

Application errors:
==================
Error: (09/25/2013 06:07:11 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/25/2013 05:42:22 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/25/2013 05:32:32 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/25/2013 03:28:00 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/23/2013 11:05:39 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/22/2013 06:57:31 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/21/2013 10:16:58 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/21/2013 04:23:02 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/21/2013 09:36:22 AM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/21/2013 07:58:41 AM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

System errors:
=============
Error: (09/25/2013 06:08:02 PM) (Source: DCOM) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (09/25/2013 06:07:30 PM) (Source: Service Control Manager) (User: )
Description: DMICall
KLIF
kneps
spldr
Wanarpv6

Error: (09/25/2013 06:07:30 PM) (Source: Service Control Manager) (User: )
Description: Client Virtualization HandlerApplication Virtualization Client%%1068

Error: (09/25/2013 06:07:30 PM) (Source: Service Control Manager) (User: )
Description: Computer BrowserServer%%1068

Error: (09/25/2013 06:07:19 PM) (Source: DCOM) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (09/25/2013 06:07:11 PM) (Source: DCOM) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (09/25/2013 06:07:03 PM) (Source: DCOM) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (09/25/2013 06:06:20 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 5:57:40 PM on 9/25/2013 was unexpected.

Error: (09/25/2013 05:42:42 PM) (Source: DCOM) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (09/25/2013 05:42:29 PM) (Source: DCOM) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Microsoft Office Sessions:
=========================
Error: (09/25/2013 06:07:11 PM) (Source: EventSystem)(User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/25/2013 05:42:22 PM) (Source: EventSystem)(User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/25/2013 05:32:32 PM) (Source: EventSystem)(User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/25/2013 03:28:00 PM) (Source: EventSystem)(User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/23/2013 11:05:39 PM) (Source: EventSystem)(User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/22/2013 06:57:31 PM) (Source: EventSystem)(User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/21/2013 10:16:58 PM) (Source: EventSystem)(User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/21/2013 04:23:02 PM) (Source: EventSystem)(User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/21/2013 09:36:22 AM) (Source: EventSystem)(User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/21/2013 07:58:41 AM) (Source: EventSystem)(User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

CodeIntegrity Errors:
===================================
  Date: 2013-09-25 18:36:13.872
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-09-25 18:36:13.591
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-09-25 18:36:13.310
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-09-25 18:36:13.030
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-09-25 18:36:12.733
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\klif.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-09-25 18:36:12.452
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\klif.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-09-25 18:36:12.172
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\klif.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-09-25 18:36:11.891
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\klif.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-09-25 18:36:11.563
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\kl1.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-09-25 18:36:11.282
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\kl1.sys because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Percentage of memory in use: 35%
Total physical RAM: 2037.69 MB
Available physical RAM: 1312.89 MB
Total Pagefile: 4312.63 MB
Available Pagefile: 3763.61 MB
Total Virtual: 2047.88 MB
Available Virtual: 1921.57 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:178.83 GB) (Free:144.03 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 186 GB) (Disk ID: 0A63C989)
Partition 1: (Not Active) - (Size=7 GB) - (Type=27)
Partition 2: (Active) - (Size=179 GB) - (Type=07 NTFS)

==================== End Of Log ============================

#6 bloopie

    Bleepin' Sith Turner

  • Malware Response Team

Posted 25 September 2013 - 07:29 PM

Hello again,

Thanks for posting the log for me!

Please allow me some time to analyze the log, and I will be back with the next set of instructions either later tonight, or tomorrow afternoon!

Good work!

bloopie

#7 bloopie

    Bleepin' Sith Turner

  • Malware Response Team

Posted 26 September 2013 - 12:03 PM

Hello again,

Okay, there's not much malware to speak of left in your logs...ESET got most of it. I see you've got the Windows Welcome Center set to run on boot and that's just not necessary, so we'll make a small change and remove a few files, then we'll check the normal boot again.

==========

Boot the computer again into Safemode With Networking, then do the following:


Download the attached fixlist.txt (379 bytes) and save it to the Desktop.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

==========

After posting the Fixlog.txt, please try to boot the machine normally now and let me know the outcome!

bloopie



#8 syn1023

  • Topic Starter
  • Members

Posted 26 September 2013 - 12:19 PM

Hi. Posting the Fixlog.txt to this reply. Will try restarting pc in normal mode now and will reply with result.




#9 syn1023

  • Topic Starter
  • Members

Posted 26 September 2013 - 12:32 PM

Restarted in normal mode but the problem is still there. White desktop with the error message "Microsoft PC Presentation Adaptability Client has stopped working." I was told early on by Microsoft and Geek Squad that this could be due to a failed Microsoft update. What do you think? Not sure where to go from here.



#10 bloopie

    Bleepin' Sith Turner

  • Malware Response Team

Posted 26 September 2013 - 12:57 PM

Hello again,

Yes, most likely it is due to a Microsoft update. Malware is not the cause. We need to see if you still get the error message when performing a clean boot.

Please refer to the following article on how to perform a "clean boot", and then only let me know if you still get the error message or not...do not make any other changes!

http://support.microsoft.com/kb/929135

bloopie



#11 syn1023

  • Topic Starter
  • Members

Posted 26 September 2013 - 01:44 PM

Hi bloopie, thanks for all of your help. Tried the clean boot before and again just now. No change. Still the problem persists. What should I do now?



#12 bloopie

    Bleepin' Sith Turner

  • Malware Response Team

Posted 26 September 2013 - 02:46 PM

Hello again,

You mention you are able to get the task manager to work while booted into normal mode, correct?

Please do that, then click on "New Task" and type in explorer.exe and press ENTER.

Does the desktop come back? If so, see if you can disable the presentation settings described in this article. If not, try the setting changes from safe mode.

==========

Once that's done, reboot and let me know what happens. Describe exactly when you see the message and/or the white screen.

bloopie



#13 syn1023

  • Topic Starter
  • Members

Posted 26 September 2013 - 03:47 PM

Hi Bloopie,

I followed your directions, but once I typed explorer.exe and pressed enter, I got an Application Error that said "The application failed to initialize properly (0xc0000022). Click OK to terminate the application." I also tried the presentationsettings.exe, but same kind of error, and then again the "Microsoft Mobile PC Presentation Adaptability Client has stopped working" message popped up after I closed that. I get that message and the white background in normal mode after I type in my password and right when the desktop should load on startup.

What do you think I should do from here? Should I try the presentation settings thing in safe mode?



#14 bloopie

    Bleepin' Sith Turner

  • Malware Response Team

Posted 26 September 2013 - 04:15 PM

Hello again,

If so, see if you can disable the presentation settings described in this article. If not, try the setting changes from safe mode.

Yes, please. :)

bloopie

#15 syn1023

  • Topic Starter
  • Members

Posted 26 September 2013 - 05:29 PM

Hi Bloopie,

Ok, I did that. The "I am currently giving a presentation" box was already unchecked, so I left it unchecked and clicked OK. Rebooted and still the white background loads upon startup (after entering password) and almost immediately thereafter the Microsoft Mobile PC Adaptability Client message pops up.

What would you recommend I try next?

syn1023