Windows 7, Malware infection and blank screen after system restore.


This topic is locked
25 replies to this topic

#1 khoaa


Posted 15 October 2013 - 01:35 AM

I have a Windows 7 computer that is having problems lately. I believe I am infected by malware, because when I scan with Malwarebytes and Kaspersky, it shows up that I have malware on my computer. On the scan with Kaspersky, this log shows up:

1. Trojan.Win64.Patched.bj: rpcss.dll in c:\Windows\System32
2. HEUR:Exploit.Script.Generic: osnp91icm[1].htm in C:\Documents and Settings\Dang\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\310WTQ94


In the beginning there were just random noises, and eventually my computer auto-shuts down immediately after I start Windows. I tried System Restore and now I can't get to my files; there is just a blank screen when I start up. I can move the mouse around and that's it, the screen stays black forever.

 

Here are some logs.

 

I'm sorry to post this problem twice, but my other topic hasn't been replied to in a month, and I need to fix my computer for school.

 

Any help would be appreciated.


Edited by khoaa, 15 October 2013 - 01:39 AM.



#2 TB-Psychotic (Malware Response Team)

Posted 15 October 2013 - 02:26 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with FRST (Recovery Environment)


To run FRST on Vista and Windows 7:



Plug the flashdrive into the infected PC.

Enter System Recovery Options.


To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt.

  • In the command window:
  • type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 khoaa


Posted 16 October 2013 - 01:22 AM

Hi, thanks for the reply :)

 

I have not done this yet but I will tomorrow when I have time.



#4 khoaa


Posted 16 October 2013 - 11:12 PM

Hello, here is the scan results.

Thanks.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-10-2013
Ran by SYSTEM on MININT-IBHVDH9 on 16-10-2013 21:05:28
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SmartMenu] - C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610360 2009-09-14] ()
HKLM\...\Run: [PC-Doctor for Windows localizer] - C:\Program Files\PC-Doctor for Windows\localizer.exe [95728 2009-09-16] (PC-Doctor, Inc.)
HKLM\...\Run: [snpstd3] - C:\Windows\vsnpstd3.exe [827392 2006-09-19] ()
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM-x32\...\Run: [hpsysdrv] - c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Remote Solution] - C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [656896 2009-08-24] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Software Update] - c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [GrooveMonitor] - C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [AppleSyncNotifier] - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [47904 2010-12-14] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421160 2011-01-25] (Apple Inc.)
HKLM-x32\...\Run: [vProt] - C:\Program Files (x86)\AVG Secure Search\vprot.exe [2314416 2013-08-14] ()
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [IrmBackground.exe] - C:\Program Files (x86)\Oracle\Information Rights Management\Desktop\IrmBackground.exe [657792 2011-03-17] (Oracle Corporation)
HKLM-x32\...\Run: [AVG_UI] - C:\Program Files (x86)\AVG\AVG2013\avgui.exe [4411440 2013-07-01] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [amd_dc_opt] - C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [LogMeIn Hamachi Ui] - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe [2255184 2013-06-28] (LogMeIn Inc.)
HKU\Dang\...\Run: [Messenger (Yahoo!)] - C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe [5252408 2010-06-01] (Yahoo! Inc.)
HKU\Dang\...\Run: [Google Update] - C:\Users\Dang\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-03-25] (Google Inc.)
HKU\Dang\...\Run: [Akamai NetSession Interface] - C:\Users\Dang\AppData\Local\Akamai\netsession_win.exe [4489472 2013-06-05] (Akamai Technologies, Inc.)
HKU\Dang\...\Run: [Skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [19603048 2013-06-03] (Skype Technologies S.A.)
HKU\Dang\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-03-23] (Google Inc.)
HKU\Dang\...\Run: [KSS] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe [202328 2012-12-07] (Kaspersky Lab ZAO)
HKU\Default\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1685048 2009-09-29] (Hewlett-Packard)
HKU\Default User\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1685048 2009-09-29] (Hewlett-Packard)
Startup: C:\Users\Dang\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4939312 2013-07-04] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-07-23] (AVG Technologies CZ, s.r.o.)
S2 KSS; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe [202328 2012-12-07] (Kaspersky Lab ZAO)
S2 NSL; C:\Program Files (x86)\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe [138760 2011-08-10] (Symantec Corporation)
S2 OracleIRMServiceHost; C:\Program Files (x86)\Oracle\Information Rights Management\Desktop\OracleIRMServiceHost.exe [219536 2011-03-17] (Oracle Corporation)
S2 vToolbarUpdater15.5.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe [1643184 2013-08-14] (AVG Secure Search)
S3 npggsvc; C:\Windows\system32\GameMon.des -service [x]

==================== Drivers (Whitelisted) ====================

S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-07-20] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-07-20] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206648 2013-07-20] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311608 2013-07-20] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-07-01] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-07-10] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2013-03-21] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-08-14] (AVG Technologies)
S1 ccSet_NST; C:\Windows\system32\drivers\NSTx64\0200000.010\ccSetx64.sys [167048 2011-08-08] (Symantec Corporation)
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [279616 2011-12-14] (DT Soft Ltd)
S3 SNPSTD3; C:\Windows\System32\DRIVERS\snpstd3.sys [10550272 2007-03-27] (Sonix Co. Ltd.)
S5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
S3 X6va001; \??\C:\Users\Dang\AppData\Local\Temp\001459B.tmp [x]
S3 X6va003; \??\C:\Users\Dang\AppData\Local\Temp\003BB4.tmp [x]
S3 X6va005; \??\C:\Users\Dang\AppData\Local\Temp\0054395.tmp [x]
S3 X6va008; \??\C:\Windows\SysWOW64\Drivers\X6va008 [x]
S3 X6va009; \??\C:\Windows\SysWOW64\Drivers\X6va009 [x]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-10-16 21:05 - 2013-10-16 21:05 - 00000000 ____D C:\FRST
2013-10-05 08:45 - 2013-10-05 08:45 - 00022528 ____N C:\bootex.log
2013-10-05 08:44 - 2013-10-05 08:44 - 00000000 __SHD C:\found.000

==================== One Month Modified Files and Folders =======

2013-10-16 21:05 - 2013-10-16 21:05 - 00000000 ____D C:\FRST
2013-10-11 06:48 - 2010-09-28 21:06 - 00000000 ____D C:\ProgramData\MFAData
2013-10-05 10:08 - 2013-07-02 07:42 - 00000000 ____D C:\Program Files (x86)\LogMeIn Hamachi
2013-10-05 10:08 - 2012-09-30 08:09 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search
2013-10-05 10:08 - 2012-09-19 19:46 - 00000000 ____D C:\ProgramData\Skype
2013-10-05 10:08 - 2012-07-27 15:21 - 00000000 ____D C:\Users\Dang\AppData\Local\Akamai
2013-10-05 10:08 - 2011-12-18 12:33 - 00000000 ____D C:\ProgramData\AVG Secure Search
2013-10-05 10:08 - 2011-10-15 11:28 - 00000000 ____D C:\Windows\System32\Macromed
2013-10-05 10:08 - 2011-04-27 13:05 - 00000000 ____D C:\Users\Dang\AppData\Local\LogMeIn Hamachi
2013-10-05 10:08 - 2010-09-23 13:31 - 00000000 ____D C:\users\Dang
2013-10-05 10:08 - 2010-01-18 19:58 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2013-10-05 10:08 - 2009-07-13 23:44 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-10-05 10:08 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-10-05 10:07 - 2013-07-29 22:26 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-10-05 10:07 - 2012-09-19 19:46 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-10-05 10:07 - 2011-06-27 15:00 - 00000000 ____D C:\Program Files (x86)\Steam
2013-10-05 10:03 - 2010-09-23 14:17 - 00000000 ____D C:\ProgramData\Recovery
2013-10-05 08:45 - 2013-10-05 08:45 - 00022528 ____N C:\bootex.log
2013-10-05 08:44 - 2013-10-05 08:44 - 00000000 __SHD C:\found.000
2013-10-05 07:23 - 2013-08-14 23:40 - 00003726 _____ C:\Program Files (x86)\Mozilla Firefoxavg-secure-search.xml

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3415472223-3623764898-570771800-1001\$b81d9426b70685e4c3bbd093a48da409

Files to move or delete:
====================
C:\Users\Dang\jagex_cl_oldschool_LIVE.dat
C:\Users\Dang\jagex_cl_runescape_LIVE.dat
C:\Users\Dang\jagex_cl_runescape_LIVE1.dat
C:\Users\Dang\jagex_cl_runescape_LIVE2.dat
C:\Users\Dang\jagex_runescape_preferences.dat
C:\Users\Dang\jagex_runescape_preferences2.dat
C:\Users\Dang\jagex__preferences3.dat
C:\Users\Dang\random.dat

Some content of TEMP:
====================
C:\Users\Dang\AppData\Local\Temp\46883e71076f8744b595633e7179b69b.dll
C:\Users\Dang\AppData\Local\Temp\avguidx.dll
C:\Users\Dang\AppData\Local\Temp\CommonInstaller.exe
C:\Users\Dang\AppData\Local\Temp\GenericUninstall.exe
C:\Users\Dang\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe
C:\Users\Dang\AppData\Local\Temp\Gw2.exe
C:\Users\Dang\AppData\Local\Temp\HPHelpUpdater.exe
C:\Users\Dang\AppData\Local\Temp\hsbing_717_active.exe
C:\Users\Dang\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Dang\AppData\Local\Temp\install_flashplayer11x32ax_gtba_chra_dy_aih.exe
C:\Users\Dang\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\Dang\AppData\Local\Temp\nsjE2F8.exe
C:\Users\Dang\AppData\Local\Temp\nso7CBD.exe
C:\Users\Dang\AppData\Local\Temp\nstAD2.exe
C:\Users\Dang\AppData\Local\Temp\nsu7A5D.exe
C:\Users\Dang\AppData\Local\Temp\nsy5CA9.exe
C:\Users\Dang\AppData\Local\Temp\nsyFBC5.exe
C:\Users\Dang\AppData\Local\Temp\oi_{1E15F407-C1E0-487B-93F4-522F7F5FE202}.exe
C:\Users\Dang\AppData\Local\Temp\Resource.exe
C:\Users\Dang\AppData\Local\Temp\SearchWithGoogleUpdate.exe
C:\Users\Dang\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Dang\AppData\Local\Temp\sp54931.exe
C:\Users\Dang\AppData\Local\Temp\sp58915.exe
C:\Users\Dang\AppData\Local\Temp\SPStub.exe
C:\Users\Dang\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\Dang\AppData\Local\Temp\tbPro0.dll
C:\Users\Dang\AppData\Local\Temp\ToolbarInstaller.exe
C:\Users\Dang\AppData\Local\Temp\uninstaller.exe
C:\Users\Dang\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Dang\AppData\Local\Temp\UninstallHPTCA.exe
C:\Users\Dang\AppData\Local\Temp\WSSetup.exe

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

5
Restore point made on: 2013-09-10 19:05:32
Restore point made on: 2013-09-10 20:02:38
Restore point made on: 2013-09-12 13:33:12
Restore point made on: 2013-09-12 14:03:13
Restore point made on: 2013-09-13 09:57:37

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 8183.89 MB
Available physical RAM: 7221.89 MB
Total Pagefile: 8182.04 MB
Available Pagefile: 7212.59 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (HP) (Fixed) (Total:919.97 GB) (Free:550.78 GB) NTFS
Drive e: (FACTORY_IMAGE) (Fixed) (Total:11.25 GB) (Free:1.62 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: (NOOKstudy) (CDROM) (Total:0.03 GB) (Free:0 GB) CDFS
Drive h: (FLASHDRIVE) (Removable) (Total:3.57 GB) (Free:3.56 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.08 GB) (Free:0.07 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931 GB) (Disk ID: 1549F232)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=920 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=11 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 4 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0C)

LastRegBack: 2013-09-01 14:07

==================== End Of Log ============================
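Added example (Python; not part of this thread, of FRST, or of the helper's procedure): a triage pass that applies, over a few lines copied from the FRST.txt above, the checks a responder makes by eye on such a log. The rule names (missing-binary, temp-path, no-publisher, recycle-bin-payload) are my own.

```python
"""Triage pass over an FRST.txt scan log (added example; not part of this
thread, of FRST, or of the helper's procedure).

Rules applied to each Registry/Services/Drivers line:
  * missing-binary: a service/driver whose image is gone; FRST prints "[x]"
    in place of the size/date/publisher block;
  * temp-path: a service/driver or autorun whose image lives under a Temp
    folder;
  * no-publisher: an autorun whose publisher field is empty "()". This is a
    hint to look closer, not a verdict (vendor tools show it too);
  * recycle-bin-payload: a $Recycle.Bin\\S-1-5-21-...\\$<32 hex> folder, the
    pattern FRST itself reports under its "ZeroAccess:" heading.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt: lines copied from the FRST.txt posted above.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [snpstd3] - C:\Windows\vsnpstd3.exe [827392 2006-09-19] ()
HKLM-x32\...\Run: [AVG_UI] - C:\Program Files (x86)\AVG\AVG2013\avgui.exe [4411440 2013-07-01] (AVG Technologies CZ, s.r.o.)
==================== Drivers (Whitelisted) ====================
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [279616 2011-12-14] (DT Soft Ltd)
S3 X6va001; \??\C:\Users\Dang\AppData\Local\Temp\001459B.tmp [x]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [x]
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3415472223-3623764898-570771800-1001\$b81d9426b70685e4c3bbd093a48da409
"""

# "S3 name; path [size date] (publisher)"  or  "S3 name; path [x]"
SVC_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+); (?P<path>.+?)"
    r"(?: \[(?P<size>\d+) (?P<date>\S+)\] (?P<signer>\(.*\))| (?P<missing>\[x\]))$"
)
# "HKLM\...\Run: [name] - path [size date] (publisher)"
RUN_RE = re.compile(
    r"^(?P<key>HK[^:]+): \[(?P<name>[^\]]*)\] - (?P<path>.+?)"
    r" \[(?P<size>\d+) (?P<date>\S+)\] (?P<signer>\(.*\))$"
)
RECYCLE_RE = re.compile(r"^[A-Za-z]:\\\$Recycle\.Bin\\S-1-5-21-[\d-]+\\\$[0-9a-f]{32}$", re.I)
TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)


@dataclass
class Finding:
    entry: str            # service/driver name, autorun name, or bare path
    path: str
    reasons: list[str] = field(default_factory=list)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per entry that trips at least one rule."""
    findings: dict[str, Finding] = {}

    def flag(entry: str, path: str, reason: str) -> None:
        findings.setdefault(entry, Finding(entry, path)).reasons.append(reason)

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("===="):
            continue
        if m := SVC_RE.match(line):
            if m["missing"]:
                flag(m["name"], m["path"], "missing-binary")
            if TEMP_RE.search(m["path"]):
                flag(m["name"], m["path"], "temp-path")
        elif m := RUN_RE.match(line):
            if m["signer"] == "()":
                flag(m["name"], m["path"], "no-publisher")
            if TEMP_RE.search(m["path"]):
                flag(m["name"], m["path"], "temp-path")
        elif RECYCLE_RE.match(line):
            flag(line, line, "recycle-bin-payload")
    return list(findings.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{', '.join(f.reasons):32} {f.entry}: {f.path}")
```

Run against the full FRST.txt, the same rules also pick up the `npggsvc` entry (`GameMon.des -service [x]`), which is why FRST-style "[x]" markers deserve a look even when the name looks like a game component.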



#5 TB-Psychotic


Posted 17 October 2013 - 02:33 AM

Fix with FRST (Recovery Environment)


  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    HKLM\...\Run: [PC-Doctor for Windows localizer] - C:\Program Files\PC-Doctor for Windows\localizer.exe [95728 2009-09-16] (PC-Doctor, Inc.)
    HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
    
    S3 xhunter1; \??\C:\Windows\xhunter1.sys [x]
    S3 X6va001; \??\C:\Users\Dang\AppData\Local\Temp\001459B.tmp [x]
    S3 X6va003; \??\C:\Users\Dang\AppData\Local\Temp\003BB4.tmp [x]
    S3 X6va005; \??\C:\Users\Dang\AppData\Local\Temp\0054395.tmp [x]
    S3 X6va008; \??\C:\Windows\SysWOW64\Drivers\X6va008 [x]
    S3 X6va009; \??\C:\Windows\SysWOW64\Drivers\X6va009 [x]
    
    C:\Program Files\PC-Doctor for Windows
    C:\Users\Dang
    C:\$Recycle.Bin\S-1-5-21-3415472223-3623764898-570771800-1001\$b81d9426b70685e4c3bbd093a48da409
    C:\Users\Dang\AppData\Local\Temp\46883e71076f8744b595633e7179b69b.dll
    C:\Users\Dang\AppData\Local\Temp\avguidx.dll
    C:\Users\Dang\AppData\Local\Temp\CommonInstaller.exe
    C:\Users\Dang\AppData\Local\Temp\GenericUninstall.exe
    C:\Users\Dang\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe
    C:\Users\Dang\AppData\Local\Temp\Gw2.exe
    C:\Users\Dang\AppData\Local\Temp\HPHelpUpdater.exe
    C:\Users\Dang\AppData\Local\Temp\hsbing_717_active.exe
    C:\Users\Dang\AppData\Local\Temp\InstallFlashPlayer.exe
    C:\Users\Dang\AppData\Local\Temp\install_flashplayer11x32ax_gtba_chra_dy_aih.exe
    C:\Users\Dang\AppData\Local\Temp\MachineIdCreator.exe
    C:\Users\Dang\AppData\Local\Temp\nsjE2F8.exe
    C:\Users\Dang\AppData\Local\Temp\nso7CBD.exe
    C:\Users\Dang\AppData\Local\Temp\nstAD2.exe
    C:\Users\Dang\AppData\Local\Temp\nsu7A5D.exe
    C:\Users\Dang\AppData\Local\Temp\nsy5CA9.exe
    C:\Users\Dang\AppData\Local\Temp\nsyFBC5.exe
    C:\Users\Dang\AppData\Local\Temp\oi_{1E15F407-C1E0-487B-93F4-522F7F5FE202}.exe
    C:\Users\Dang\AppData\Local\Temp\Resource.exe
    C:\Users\Dang\AppData\Local\Temp\SearchWithGoogleUpdate.exe
    C:\Users\Dang\AppData\Local\Temp\SkypeSetup.exe
    C:\Users\Dang\AppData\Local\Temp\sp54931.exe
    C:\Users\Dang\AppData\Local\Temp\sp58915.exe
    C:\Users\Dang\AppData\Local\Temp\SPStub.exe
    C:\Users\Dang\AppData\Local\Temp\swt-win32-3349.dll
    C:\Users\Dang\AppData\Local\Temp\tbPro0.dll
    C:\Users\Dang\AppData\Local\Temp\ToolbarInstaller.exe
    C:\Users\Dang\AppData\Local\Temp\uninstaller.exe
    C:\Users\Dang\AppData\Local\Temp\UninstallHPSA.exe
    C:\Users\Dang\AppData\Local\Temp\UninstallHPTCA.exe
    C:\Users\Dang\AppData\Local\Temp\WSSetup.exe

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

 

 

Now boot into windows.

 

 

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.



#6 khoaa


Posted 20 October 2013 - 07:58 PM

Hi, I did what you asked. But I couldn't boot into Windows; it is still a black screen after it says "Starting Windows", then I can only move my mouse and everything else is black.

 

Here is the log for the fix:

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-10-2013
Ran by SYSTEM at 2013-10-20 18:35:20 Run:1
Running from L:\
Boot Mode: Recovery
==============================================
 
Content of fixlist:
*****************
HKLM\...\Run: [PC-Doctor for Windows localizer] - C:\Program Files\PC-Doctor for Windows\localizer.exe [95728 2009-09-16] (PC-Doctor, Inc.)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
 
S3 xhunter1; \??\C:\Windows\xhunter1.sys [x]
S3 X6va001; \??\C:\Users\Dang\AppData\Local\Temp\001459B.tmp [x]
S3 X6va003; \??\C:\Users\Dang\AppData\Local\Temp\003BB4.tmp [x]
S3 X6va005; \??\C:\Users\Dang\AppData\Local\Temp\0054395.tmp [x]
S3 X6va008; \??\C:\Windows\SysWOW64\Drivers\X6va008 [x]
S3 X6va009; \??\C:\Windows\SysWOW64\Drivers\X6va009 [x]
 
C:\Program Files\PC-Doctor for Windows
C:\Users\Dang
C:\$Recycle.Bin\S-1-5-21-3415472223-3623764898-570771800-1001\$b81d9426b70685e4c3bbd093a48da409
C:\Users\Dang\AppData\Local\Temp\46883e71076f8744b595633e7179b69b.dll
C:\Users\Dang\AppData\Local\Temp\avguidx.dll
C:\Users\Dang\AppData\Local\Temp\CommonInstaller.exe
C:\Users\Dang\AppData\Local\Temp\GenericUninstall.exe
C:\Users\Dang\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe
C:\Users\Dang\AppData\Local\Temp\Gw2.exe
C:\Users\Dang\AppData\Local\Temp\HPHelpUpdater.exe
C:\Users\Dang\AppData\Local\Temp\hsbing_717_active.exe
C:\Users\Dang\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Dang\AppData\Local\Temp\install_flashplayer11x32ax_gtba_chra_dy_aih.exe
C:\Users\Dang\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\Dang\AppData\Local\Temp\nsjE2F8.exe
C:\Users\Dang\AppData\Local\Temp\nso7CBD.exe
C:\Users\Dang\AppData\Local\Temp\nstAD2.exe
C:\Users\Dang\AppData\Local\Temp\nsu7A5D.exe
C:\Users\Dang\AppData\Local\Temp\nsy5CA9.exe
C:\Users\Dang\AppData\Local\Temp\nsyFBC5.exe
C:\Users\Dang\AppData\Local\Temp\oi_{1E15F407-C1E0-487B-93F4-522F7F5FE202}.exe
C:\Users\Dang\AppData\Local\Temp\Resource.exe
C:\Users\Dang\AppData\Local\Temp\SearchWithGoogleUpdate.exe
C:\Users\Dang\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Dang\AppData\Local\Temp\sp54931.exe
C:\Users\Dang\AppData\Local\Temp\sp58915.exe
C:\Users\Dang\AppData\Local\Temp\SPStub.exe
C:\Users\Dang\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\Dang\AppData\Local\Temp\tbPro0.dll
C:\Users\Dang\AppData\Local\Temp\ToolbarInstaller.exe
C:\Users\Dang\AppData\Local\Temp\uninstaller.exe
C:\Users\Dang\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Dang\AppData\Local\Temp\UninstallHPTCA.exe
C:\Users\Dang\AppData\Local\Temp\WSSetup.exe
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\PC-Doctor for Windows localizer => Value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore => Value deleted successfully.
xhunter1 => Service deleted successfully.
X6va001 => Service deleted successfully.
X6va003 => Service deleted successfully.
X6va005 => Service deleted successfully.
X6va008 => Service deleted successfully.
X6va009 => Service deleted successfully.
C:\Program Files\PC-Doctor for Windows => Moved successfully.
C:\Users\Dang => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-3415472223-3623764898-570771800-1001\$b81d9426b70685e4c3bbd093a48da409 => Moved successfully.
"C:\Users\Dang\AppData\Local\Temp\46883e71076f8744b595633e7179b69b.dll" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\avguidx.dll" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\CommonInstaller.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\GenericUninstall.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\Gw2.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\HPHelpUpdater.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\hsbing_717_active.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\InstallFlashPlayer.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\install_flashplayer11x32ax_gtba_chra_dy_aih.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\MachineIdCreator.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\nsjE2F8.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\nso7CBD.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\nstAD2.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\nsu7A5D.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\nsy5CA9.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\nsyFBC5.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\oi_{1E15F407-C1E0-487B-93F4-522F7F5FE202}.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\Resource.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\SearchWithGoogleUpdate.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\SkypeSetup.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\sp54931.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\sp58915.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\SPStub.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\swt-win32-3349.dll" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\tbPro0.dll" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\ToolbarInstaller.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\uninstaller.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\UninstallHPSA.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\UninstallHPTCA.exe" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\WSSetup.exe" => File/Directory not found.
 
==== End of Fixlog ====
 
I know nothing about computer malware fixing, but I think the "Directory not found" could be a problem why I couldn't boot into Windows...
Thanks so much for your time :)

Edited by khoaa, 20 October 2013 - 09:04 PM.
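Added example (Python; not part of this thread, of FRST, or of the helper's procedure): two sanity checks to run on a fixlist before executing it, plus a pass over the resulting Fixlog.txt that links each "File/Directory not found" result to the earlier "Moved successfully" line for an ancestor directory, as the Fixlog above shows for the Temp paths beneath C:\Users\Dang. The check names and function names are my own; the excerpts are copied from the fixlist and Fixlog posted above.

```python
"""Sanity checks for an FRST fixlist and its Fixlog (added example; not part
of this thread, of FRST, or of the helper's procedure).

lint_fixlist() runs two checks on a fixlist before it is executed:
  * overlap: a listed directory that is an ancestor of other listed paths.
    FRST works through the list in order, so once the parent has been moved
    the paths beneath it no longer exist and come back as "File/Directory
    not found", which is what the Fixlog above shows for C:\\Users\\Dang.
  * whole-profile: a line naming C:\\Users\\<name> itself moves the entire
    user profile (documents included), not only the infected items.
explain_fixlog() reads a Fixlog.txt and, for each "not found" result, names
the earlier "Moved successfully" ancestor that accounts for it.
"""
from __future__ import annotations

import re

# Constructed excerpt of the fixlist from the post above.
FIXLIST = r"""
HKLM\...\Run: [PC-Doctor for Windows localizer] - C:\Program Files\PC-Doctor for Windows\localizer.exe [95728 2009-09-16] (PC-Doctor, Inc.)
S3 xhunter1; \??\C:\Windows\xhunter1.sys [x]

C:\Program Files\PC-Doctor for Windows
C:\Users\Dang
C:\$Recycle.Bin\S-1-5-21-3415472223-3623764898-570771800-1001\$b81d9426b70685e4c3bbd093a48da409
C:\Users\Dang\AppData\Local\Temp\avguidx.dll
C:\Users\Dang\AppData\Local\Temp\WSSetup.exe
"""

# Constructed excerpt of the matching Fixlog.txt from the post above.
FIXLOG = r"""
xhunter1 => Service deleted successfully.
C:\Program Files\PC-Doctor for Windows => Moved successfully.
C:\Users\Dang => Moved successfully.
"C:\Users\Dang\AppData\Local\Temp\avguidx.dll" => File/Directory not found.
"C:\Users\Dang\AppData\Local\Temp\WSSetup.exe" => File/Directory not found.
"""

PATH_LINE = re.compile(r"^[A-Za-z]:\\")                       # bare file/dir line
PROFILE_ROOT = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+$", re.I)  # C:\Users\<name>
FIXLOG_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?)"? => (?P<result>.+?)\.?$')


def _norm(path: str) -> str:
    return path.rstrip("\\").lower()


def _is_ancestor(parent: str, child: str) -> bool:
    """True when child lies strictly beneath parent (case-insensitive)."""
    return _norm(child).startswith(_norm(parent) + "\\")


def path_lines(fixlist: str) -> list[str]:
    """Only the bare path lines; registry and service lines are skipped."""
    return [l.strip() for l in fixlist.splitlines() if PATH_LINE.match(l.strip())]


def lint_fixlist(fixlist: str) -> list[str]:
    paths = path_lines(fixlist)
    warnings: list[str] = []
    for p in paths:
        if PROFILE_ROOT.match(p):
            warnings.append(f"whole-profile: {p} moves the entire user profile, not only the infected items")
        covered = [c for c in paths if _is_ancestor(p, c)]
        if covered:
            warnings.append(f"overlap: {p} also covers {len(covered)} other listed path(s), e.g. {covered[0]}")
    return warnings


def explain_fixlog(fixlog: str) -> dict[str, str]:
    """Map each 'not found' path to the moved ancestor that explains it."""
    moved: list[str] = []
    explanations: dict[str, str] = {}
    for raw in fixlog.splitlines():
        m = FIXLOG_RE.match(raw.strip())
        if not m:
            continue
        path, result = m["path"], m["result"]
        if result == "Moved successfully":
            moved.append(path)
        elif result == "File/Directory not found":
            ancestor = next((a for a in moved if _is_ancestor(a, path)), None)
            explanations[path] = f"already moved with {ancestor}" if ancestor else "not present at fix time"
    return explanations


if __name__ == "__main__":
    for w in lint_fixlist(FIXLIST):
        print("WARN", w)
    for path, why in explain_fixlog(FIXLOG).items():
        print("NOTE", path, "->", why)
```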


#7 TB-Psychotic


Posted 21 October 2013 - 04:22 AM

Are you able to boot into safe mode with networking?

To do this, hit F8 during startup (before the "windows is loading files" screen appears) and select "safe mode with networking".

Tell me if that works to provide further steps.



#8 khoaa


Posted 24 October 2013 - 03:07 AM

I will do this in 5 hours, sorry for delay.



#9 khoaa


Posted 24 October 2013 - 05:43 PM

It is the same results. Black screen and I can see nothing but move my mouse :(

 

Just something to add: the black screen happened after I tried a System Restore.

Initially the malware just reboots my computer automatically when I boot up.


Edited by khoaa, 24 October 2013 - 05:47 PM.


#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:54 AM

Posted 26 October 2013 - 06:58 AM

Please create and post a new FRST log.



#11 khoaa

khoaa
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:54 PM

Posted 27 October 2013 - 01:41 AM

Hi, here is the log.

 

Just curious though, can viruses/malware jump from the infected computer to my mac laptop via the USB?

If yes, I am in big trouble, because I've been using the USB with both lol

 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-10-2013
Ran by SYSTEM on MININT-OCE1LFD on 26-10-2013 23:34:26
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [SmartMenu] - C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610360 2009-09-14] ()
HKLM\...\Run: [snpstd3] - C:\Windows\vsnpstd3.exe [827392 2006-09-19] ()
HKLM-x32\...\Run: [hpsysdrv] - c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Remote Solution] - C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [656896 2009-08-24] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Software Update] - c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [GrooveMonitor] - C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [AppleSyncNotifier] - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [47904 2010-12-14] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421160 2011-01-25] (Apple Inc.)
HKLM-x32\...\Run: [vProt] - C:\Program Files (x86)\AVG Secure Search\vprot.exe [2314416 2013-08-14] ()
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [IrmBackground.exe] - C:\Program Files (x86)\Oracle\Information Rights Management\Desktop\IrmBackground.exe [657792 2011-03-17] (Oracle Corporation)
HKLM-x32\...\Run: [AVG_UI] - C:\Program Files (x86)\AVG\AVG2013\avgui.exe [4411440 2013-07-01] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [amd_dc_opt] - C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [LogMeIn Hamachi Ui] - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe [2255184 2013-06-28] (LogMeIn Inc.)
HKU\Default\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1685048 2009-09-29] (Hewlett-Packard)
HKU\Default User\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1685048 2009-09-29] (Hewlett-Packard)
 
==================== Services (Whitelisted) =================
 
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4939312 2013-07-04] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-07-23] (AVG Technologies CZ, s.r.o.)
S2 KSS; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe [202328 2012-12-07] (Kaspersky Lab ZAO)
S2 NSL; C:\Program Files (x86)\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe [138760 2011-08-10] (Symantec Corporation)
S2 OracleIRMServiceHost; C:\Program Files (x86)\Oracle\Information Rights Management\Desktop\OracleIRMServiceHost.exe [219536 2011-03-17] (Oracle Corporation)
S2 vToolbarUpdater15.5.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe [1643184 2013-08-14] (AVG Secure Search)
S3 npggsvc; C:\Windows\system32\GameMon.des -service [x]
 
==================== Drivers (Whitelisted) ====================
 
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-07-20] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-07-20] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206648 2013-07-20] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311608 2013-07-20] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-07-01] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-07-10] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2013-03-21] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-08-14] (AVG Technologies)
S1 ccSet_NST; C:\Windows\system32\drivers\NSTx64\0200000.010\ccSetx64.sys [167048 2011-08-08] (Symantec Corporation)
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [279616 2011-12-14] (DT Soft Ltd)
S3 SNPSTD3; C:\Windows\System32\DRIVERS\snpstd3.sys [10550272 2007-03-27] (Sonix Co. Ltd.)
S5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-10-16 21:05 - 2013-10-16 21:05 - 00000000 ____D C:\FRST
2013-10-05 08:45 - 2013-10-05 08:45 - 00022528 ____N C:\bootex.log
2013-10-05 08:44 - 2013-10-05 08:44 - 00000000 __SHD C:\found.000
 
==================== One Month Modified Files and Folders =======
 
2013-10-20 18:03 - 2010-09-28 21:06 - 00000000 ____D C:\ProgramData\MFAData
2013-10-16 21:05 - 2013-10-16 21:05 - 00000000 ____D C:\FRST
2013-10-05 10:08 - 2013-07-02 07:42 - 00000000 ____D C:\Program Files (x86)\LogMeIn Hamachi
2013-10-05 10:08 - 2012-09-30 08:09 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search
2013-10-05 10:08 - 2012-09-19 19:46 - 00000000 ____D C:\ProgramData\Skype
2013-10-05 10:08 - 2011-12-18 12:33 - 00000000 ____D C:\ProgramData\AVG Secure Search
2013-10-05 10:08 - 2011-10-15 11:28 - 00000000 ____D C:\Windows\System32\Macromed
2013-10-05 10:08 - 2010-01-18 19:58 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2013-10-05 10:08 - 2009-07-13 23:44 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-10-05 10:08 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-10-05 10:07 - 2013-07-29 22:26 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-10-05 10:07 - 2012-09-19 19:46 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-10-05 10:07 - 2011-06-27 15:00 - 00000000 ____D C:\Program Files (x86)\Steam
2013-10-05 10:03 - 2010-09-23 14:17 - 00000000 ____D C:\ProgramData\Recovery
2013-10-05 08:45 - 2013-10-05 08:45 - 00022528 ____N C:\bootex.log
2013-10-05 08:44 - 2013-10-05 08:44 - 00000000 __SHD C:\found.000
2013-10-05 07:23 - 2013-08-14 23:40 - 00003726 _____ C:\Program Files (x86)\Mozilla Firefoxavg-secure-search.xml
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
5
Restore point made on: 2013-09-10 19:05:32
Restore point made on: 2013-09-10 20:02:38
Restore point made on: 2013-09-12 13:33:12
Restore point made on: 2013-09-12 14:03:13
Restore point made on: 2013-09-13 09:57:37
 
==================== Memory info =========================== 
 
Percentage of memory in use: 11%
Total physical RAM: 8183.89 MB
Available physical RAM: 7227.09 MB
Total Pagefile: 8182.04 MB
Available Pagefile: 7213.28 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB
 
==================== Drives ================================
 
Drive c: (HP) (Fixed) (Total:919.97 GB) (Free:550.57 GB) NTFS
Drive e: (FACTORY_IMAGE) (Fixed) (Total:11.25 GB) (Free:1.62 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: (NOOKstudy) (CDROM) (Total:0.03 GB) (Free:0 GB) CDFS
Drive h: (FLASHDRIVE) (Removable) (Total:3.57 GB) (Free:3.56 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.08 GB) (Free:0.07 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931 GB) (Disk ID: 1549F232)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=920 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=11 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 4 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0C)
 
 
LastRegBack: 2013-09-01 14:07
 
==================== End Of Log ============================

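One way to triage an FRST log like the one posted above mechanically, as an added example (not part of this thread and not FRST's own code): it splits the log into its "==== Name ====" sections and flags a failed Bamital/volsnap MD5 check, a non-OK .exe association, and services or drivers whose file is marked [x] (missing). The sample log is constructed from lines in the posted log, with one winlogon.exe line altered to show a failure.

```python
import re

# Constructed FRST excerpt for this example: most lines are copied from the
# FRST.txt posted above; the winlogon.exe line is altered to show how a failed
# Bamital check is flagged (FRST's exact wording for a failure is not on the
# page, so the parser treats anything other than "MD5 is legit" as a finding).
SAMPLE_LOG = r"""
==================== Services (Whitelisted) =================
S3 npggsvc; C:\Windows\system32\GameMon.des -service [x]
==================== Drivers (Whitelisted) ====================
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is NOT legit (constructed sample)
C:\Windows\System32\wininit.exe => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\open\command: "%1" %* => OK
"""

SECTION_RE = re.compile(r"^=+\s*([^=].*?)\s*=+$")                        # "==== Name ===="
MISSING_RE = re.compile(r"^S\d+ (?P<name>[^;]+); (?P<path>.+?) \[x\]$")   # [x]: file is gone

def parse_sections(text):
    """Split an FRST log into {section name: [non-blank lines]}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
    return sections

def triage(text):
    """Return (category, item, detail) tuples for lines a helper would look at first."""
    s, findings = parse_sections(text), []
    for line in s.get("Bamital & volsnap Check", []):   # patched core binary (cf. rpcss.dll)
        path, _, verdict = line.partition(" => ")
        if verdict != "MD5 is legit":
            findings.append(("patched-system-file", path, verdict))
    for line in s.get("EXE ASSOCIATION", []):           # hijacked .exe file handler
        key, _, verdict = line.rpartition(" => ")
        if verdict != "OK":
            findings.append(("exe-association", key, verdict))
    for name in ("Services (Whitelisted)", "Drivers (Whitelisted)"):
        for line in s.get(name, []):                    # registered, but file missing
            m = MISSING_RE.match(line)
            if m:
                findings.append(("orphaned-entry", m["name"], m["path"]))
    return findings
```

Running `triage(SAMPLE_LOG)` on the constructed log yields the altered winlogon.exe line and the two [x] entries (npggsvc and the leftover ComboFix catchme driver); the real posted log would only yield the two [x] entries.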

#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:54 AM

Posted 28 October 2013 - 04:21 AM

Create/Scan with Kaspersky Rescue Disk

Follow the instructions on this page for downloading the kav_rescue_10.iso (200 mb) file and creating the Kaspersky Rescue Disk.

Make sure you set to boot the machine from the CDRom drive first. Then save and exit the BIOS. The computer will begin to boot. Insert the disc in the CDrom drive, then restart the machine. It should then boot from that CD.

It's best if you refer to the instructions and images at Kaspersky How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?

Once it boots from CD, press a key so it continues to boot from that CD.

Select the language, then be sure to select Kaspersky Rescue Disk Graphic Mode.

Kaspersky should begin scanning your machine. If it finds infection, look carefully at the files it lists. If any of them seem to be legit files, do not allow it to clean/quarantine/delete them. Rather, save the log and post the results for me to look over.



#13 khoaa

khoaa
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:54 PM

Posted 28 October 2013 - 11:36 PM

Okay, I will do this tomorrow

Sorry for delay


Edited by khoaa, 28 October 2013 - 11:36 PM.


#14 khoaa

khoaa
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:54 PM

Posted 01 November 2013 - 10:31 AM

Hi, I finally did the scan. I had a lot of trouble, so it took a while, sorry :( . At first I completely forgot you told me not to quarantine them, so I accidentally quarantined 2 and deleted one. But there is a log of these also; I'll list them here (I saved the log somewhere but I don't know how to access it, so I just typed them all out here).

 

I quarantine these two:

Trojan program HEUR: Exploit. Script. Generic

C:/Windows/System32/config/systemprofile/AppData/Local/Microsoft/WIndows/Temporary Internet Files/Content. IE5/rdvcdr[1].htm

 

Trojan program HEUR: Exploit. Script. Generic

C:/FRST/Quarantine/Dang/AppData/Local/Microsoft/Windows/Temporary Internet Files/Low/Content. IE5/310WTQ94/osnp91icm[1].htm

 

I deleted this one because I couldn't quarantine it:

Trojan program HEUR: Exploit.Java.CVE-2012-1723.gen

C:/FRST/Quarantine/Dang/AppData/Local/Temp/jar_cache6397076831697968087.tmp

 

OK, here are the rest from the report. I think it included the ones from earlier, and many of them are exactly the same.

 

Trojan.Win64.Patched.bj     C:/Windows/System32/rpcss.dll

Trojan.Win64.Patched.bj     C:/Windows/System32/rpcss.dll

 

HEUR: Exploit. Script. Generic 

C:/Windows/System32/config/systemprofile/AppData/Local/Microsoft/WIndows/Temporary Internet Files/Content. IE5/rdvcdr[1].htm

 

HEUR: Exploit. Script. Generic

C:/FRST/Quarantine/Dang/AppData/Local/Microsoft/Windows/Temporary Internet Files/Low/Content. IE5/310WTQ94/osnp91icm[1].htm

 
HEUR: Exploit. Java. Generic

C:/FRST/Quarantine/Dang/AppData/Local/Temp/jar_cache6397076831697968087.tmp

 
Trojan.Win64.Patched.bj     C:/Windows/System32/rpcss.dll

Trojan.Win64.Patched.bj     C:/Windows/System32/rpcss.dll

Trojan.Win64.Patched.bj     C:/Windows/System32/rpcss.dll

 

HEUR: Exploit. Script. Generic

C:/Windows/System32/config/systemprofile/AppData/Local/Microsoft/WIndows/Temporary Internet Files/Content. IE5/rdvcdr[1].htm

 

HEUR: Exploit. Script. Generic

C:/FRST/Quarantine/Dang/AppData/Local/Microsoft/Windows/Temporary Internet Files/Low/Content. IE5/310WTQ94/osnp91icm[1].htm

 

HEUR: Exploit. Script. Generic

C:/Windows/System32/config/systemprofile/AppData/Local/Microsoft/WIndows/Temporary Internet Files/Content. IE5/rdvcdr[1].htm

 

HEUR: Exploit. Script. Generic

C:/FRST/Quarantine/Dang/AppData/Local/Microsoft/Windows/Temporary Internet Files/Low/Content. IE5/310WTQ94/osnp91icm[1].htm

 

HEUR: Exploit. Java. Generic     C:/FRST/Quarantine/Dang/AppData/Local/Temp/jar_cache6397076831697968087.tmp

 

HEUR: Exploit. Java. Generic     C:/FRST/Quarantine/Dang/AppData/Local/Temp/jar_cache6397076831697968087.tmp

 

HEUR: Exploit. Java. Generic     C:/FRST/Quarantine/Dang/AppData/Local/Temp/jar_cache6397076831697968087.tmp

 

HEUR: Exploit. Java. Generic     C:/FRST/Quarantine/Dang/AppData/Local/Temp/jar_cache6397076831697968087.tmp

 

HEUR: Exploit. Java. Generic     C:/FRST/Quarantine/Dang/AppData/Local/Temp/jar_cache6397076831697968087.tmp

 

HEUR: Exploit. Java. Generic     C:/FRST/Quarantine/Dang/AppData/Local/Temp/jar_cache6397076831697968087.tmp

 

HEUR: Exploit. Java. Generic     C:/FRST/Quarantine/Dang/AppData/Local/Temp/jar_cache6397076831697968087.tmp

 

HEUR: Exploit. Java. Generic     C:/FRST/Quarantine/Dang/AppData/Local/Temp/jar_cache6397076831697968087.tmp

 

HEUR: Exploit.Java.CVE-2012-1723.gen

C:/FRST/Quarantine/Dang/AppData/Local/Temp/jar_cache6397076831697968087.tmp

 

HEUR: Exploit.Java.CVE-2012-1723.gen

C:/FRST/Quarantine/Dang/AppData/Local/Temp/jar_cache6397076831697968087.tmp

 

HEUR: Exploit.Java.CVE-2012-1723.gen

C:/FRST/Quarantine/Dang/AppData/Local/Temp/jar_cache6397076831697968087.tmp

 

Now I think I will leave the computer like this, IDK what to do. Right now it asks me to disinfect the rest of the threats detected.

Should I disinfect them?

 

Thanks  :) 


Edited by khoaa, 01 November 2013 - 10:41 AM.


#15 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:54 AM

Posted 04 November 2013 - 07:42 AM

Disinfect and reboot.

Tell me what happens.





