

FBI Virus on Win Vista - can't start in any safe mode option


This topic is locked
8 replies to this topic

#1 kathyjam (Members, 4 posts)

Posted 10 November 2013 - 11:18 AM

Trying to remove virus on a Vista laptop that belongs to my father. Attempted Gringo's steps for removal through the Repair Your Computer option but can't get past the Administrator password. States it is disabled. My father says he didn't know there was an admin password. Is there any way around this without having to completely reinstall windows?
Unable to boot up using any of the safe modes, including safe mode with command prompt.

Any help would be appreciated.



#2 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts)

Posted 11 November 2013 - 04:07 PM

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 kathyjam (Topic Starter, Members, 4 posts)

Posted 13 November 2013 - 04:22 PM

Thank you so much for your reply. Here are the results:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-11-2013 01
Ran by SYSTEM on MINWINPC on 13-11-2013 15:02:26
Running from F:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
Internet Explorer Version 7
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SMSERIAL] - C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [729088 2006-10-09] (Motorola Inc.)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1021224 2007-09-15] (Synaptics, Inc.)
HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [4390912 2007-03-09] (Realtek Semiconductor)
HKLM\...\Run: [IAAnotif] - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe [174872 2007-02-12] (Intel Corporation)
HKLM\...\Run: [QPService] - C:\Program Files\HP\QuickPlay\QPService.exe [176128 2007-04-23] (CyberLink Corp.)
HKLM\...\Run: [QlbCtrl] - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe [159744 2007-02-13] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [HP Health Check Scheduler] - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
HKLM\...\Run: [hpWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [472776 2007-03-01] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [WAWifiMessage] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe [317128 2007-01-10] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [HP Software Update] - C:\Program Files\HP\HP Software Update\hpwuSchd2.exe [49152 2005-02-16] (Hewlett-Packard Co.)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [SynTPStart] - C:\Program Files\Synaptics\SynTP\SynTPStart.exe [102400 2007-09-15] (Synaptics, Inc.)
HKLM\...\Run: [dldwmon.exe] - C:\Program Files\Dell V505\dldwmon.exe [677104 2008-06-04] ()
HKLM\...\Run: [dldwamon] - C:\Program Files\Dell V505\dldwamon.exe [16624 2008-06-04] ()
HKLM\...\Run: [Dell V505 Fax Server] - C:\Program Files\Dell V505\fm3032.exe [312560 2008-06-04] ()
HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [mcui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [1193848 2010-09-30] (McAfee, Inc.)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [ApnUpdater] - C:\Program Files\Ask.com\Updater\Updater.exe [1648264 2013-04-25] (Ask)
HKLM\...\RunOnce: [Launcher] - %WINDIR%\SMINST\launcher.exe [44128 2006-11-07] (soft thinks)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [313856 2010-10-28] (Microsoft Corporation)
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [ 2007-03-20] (Hewlett-Packard)
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [ 2007-03-20] (Hewlett-Packard)
HKU\Sales43\...\Run: [ehTray.exe] - C:\Windows\ehome\ehtray.exe [ 2006-11-02] (Microsoft Corporation)
HKU\Sales43\...\Run: [RebateInformer] - C:\Program Files\RebateInformer\RebateInf.exe [ 2013-04-14] (Inbox.com, Inc.)
HKU\Sales43\...\Run: [{79AD74AD-A0D8-EC3A-85DB-D8D400CA3454}] - C:\Users\Sales43\AppData\Roaming\Oksux\hutou.exe
HKU\Sales43\...\Run: [cmdletup] - rundll32 "C:\Users\Sales43\AppData\Local\Temp\dldwicpl.dll",CreateProcessNotify <===== ATTENTION
HKU\Sales43\...\Run: [cdloader] - C:\Users\Sales43\AppData\Roaming\mjusbsp\cdloader2.exe [ 2012-02-01] (magicJack L.P.)
HKU\Sales43\...\Run: [56HkYITDe6.exe] - C:\Users\Sales43\AppData\Local\eRG6WNq683J\56HkYITDe6.exe [ 2013-11-02] (Microsoft Corporation)
HKU\Sales43\...\Winlogon: [Shell] cmd.exe [ 2006-11-02] (Microsoft Corporation) <==== ATTENTION
HKU\Sales43\...\Command Processor: "C:\Users\Sales43\AppData\Local\eRG6WNq683J\56HkYITDe6.exe" <===== ATTENTION!

========================== Services (Whitelisted) =================

S2 2wirepcp; C:\Windows\system32\svchost.exe [22016 2006-11-02] (Microsoft Corporation)
S2 CLCapSvc; C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe [266240 2011-12-17] ()
S2 CLSched; C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe [110592 2011-12-17] ()
S2 dldwCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\dldwserv.exe [99568 2008-05-16] ()
S2 dldw_device; C:\Windows\system32\dldwcoms.exe [595184 2011-12-17] ( )
S2 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [65536 2011-12-17] (Hewlett-Packard)
S2 McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [203280 2011-12-18] ()
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [364216 2010-10-07] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [171168 2011-12-18] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [188136 2011-12-18] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [141792 2011-12-17] (McAfee, Inc.)
S2 winpower; C:\Windows\system32\mhn.dll [5120 2006-11-02] (Iomega)
S2 mcmscsvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [x]
S2 McNaiAnn; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [x]
S2 McNASvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [x]
S2 McProxy; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [x]

==================== Drivers (Whitelisted) ====================

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [55840 2010-10-13] (McAfee, Inc.)
S1 eabfiltr; C:\Windows\System32\DRIVERS\eabfiltr.sys [8192 2006-11-30] (Hewlett-Packard Development Company, L.P.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [95600 2010-10-13] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [152960 2010-10-13] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [52104 2010-10-13] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [313288 2010-10-13] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [386840 2010-10-13] (McAfee, Inc.)
S1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [64304 2010-10-13] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [84264 2010-10-13] (McAfee, Inc.)
S1 mfetdi2k; C:\Windows\System32\drivers\mfetdi2k.sys [84072 2010-10-13] (McAfee, Inc.)
S1 Smb; C:\Windows\System32\DRIVERS\smb.sys [66048 2006-11-02] ()
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 mfeavfk01; No ImagePath
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================

NETSVC: winpower -> C:\Windows\system32\mhn.dll (Iomega) ATTENTION! ====> ZeroAccess

==================== One Month Created Files and Folders ========

Error(0) reading file: "C:\Windows\System32\ "
2013-11-13 14:59 - 2013-11-13 14:59 - 00000000 ____D C:\FRST
2013-11-02 11:44 - 2013-11-02 11:44 - 00300544 _____ C:\Users\Sales43\Local Settings\Application Data\QHrTGggVYX8
2013-11-02 11:44 - 2013-11-02 11:44 - 00300544 _____ C:\Users\Sales43\AppData\Roaming\QitY9YR4BP
2013-11-02 11:44 - 2013-11-02 11:44 - 00300544 _____ C:\Users\Sales43\AppData\Local\QHrTGggVYX8
2013-11-02 11:44 - 2013-11-02 11:44 - 00300544 _____ C:\ProgramData\yW9xkWFIJ3
2013-11-02 11:43 - 2013-11-02 11:48 - 00000000 ____D C:\Users\Sales43\Local Settings\Application Data\eRG6WNq683J
2013-11-02 11:43 - 2013-11-02 11:48 - 00000000 ____D C:\Users\Sales43\AppData\Local\eRG6WNq683J

==================== One Month Modified Files and Folders =======

2013-11-13 14:59 - 2013-11-13 14:59 - 00000000 ____D C:\FRST
2013-11-13 12:22 - 2012-03-11 17:37 - 00000000 ___SH C:\Windows\System32\dds_log_ad13.cmd
2013-11-13 12:22 - 2010-10-28 11:58 - 00032061 _____ C:\ProgramData\nvModes.dat
2013-11-13 12:22 - 2010-10-28 11:58 - 00032061 _____ C:\ProgramData\nvModes.001
2013-11-10 10:46 - 2007-12-11 15:46 - 01439912 _____ C:\Windows\WindowsUpdate.log
2013-11-10 10:40 - 2006-11-02 02:33 - 00716948 _____ C:\Windows\System32\PerfStringBackup.INI
2013-11-10 10:35 - 2006-11-02 04:47 - 00003072 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-10 10:35 - 2006-11-02 04:47 - 00003072 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-10 10:25 - 2006-11-02 04:52 - 00031898 _____ C:\Windows\setupact.log
2013-11-02 11:48 - 2013-11-02 11:43 - 00000000 ____D C:\Users\Sales43\Local Settings\Application Data\eRG6WNq683J
2013-11-02 11:48 - 2013-11-02 11:43 - 00000000 ____D C:\Users\Sales43\AppData\Local\eRG6WNq683J
2013-11-02 11:44 - 2013-11-02 11:44 - 00300544 _____ C:\Users\Sales43\Local Settings\Application Data\QHrTGggVYX8
2013-11-02 11:44 - 2013-11-02 11:44 - 00300544 _____ C:\Users\Sales43\AppData\Roaming\QitY9YR4BP
2013-11-02 11:44 - 2013-11-02 11:44 - 00300544 _____ C:\Users\Sales43\AppData\Local\QHrTGggVYX8
2013-11-02 11:44 - 2013-11-02 11:44 - 00300544 _____ C:\ProgramData\yW9xkWFIJ3
2013-11-02 11:39 - 2011-06-09 06:36 - 00000000 ____D C:\Program Files\RebateInformer
2013-11-02 11:39 - 2007-05-12 06:12 - 00000000 ____D C:\Windows\SMINST
2013-11-02 11:39 - 2007-05-12 05:44 - 00000147 _____ C:\Users\Public\Documents\hpqp.ini
2013-11-02 11:39 - 2007-05-12 05:44 - 00000147 _____ C:\ProgramData\Documents\hpqp.ini
2013-11-02 11:38 - 2007-05-12 05:33 - 00104030 _____ C:\Windows\PFRO.log
2013-11-01 19:57 - 2010-10-29 08:55 - 00000000 ____D C:\Program Files\McAfee

ZeroAccess:
C:\Users\Sales43\AppData\Local\1cf6efbe
C:\Users\Sales43\AppData\Local\1cf6efbe\@
C:\Users\Sales43\AppData\Local\1cf6efbe\U\000000c0.@
C:\Users\Sales43\AppData\Local\1cf6efbe\U\000000cb.@

Files to move or delete:
====================
C:\Users\Sales43\AppData\Local\eRG6WNq683J\56HkYITDe6.exe
C:\Users\Sales43\taskmgr.exe

Some content of TEMP:
====================
C:\Users\Sales43\AppData\Local\Temp\APNStub.exe
C:\Users\Sales43\AppData\Local\Temp\dldwicpl.dll
C:\Users\Sales43\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Sales43\AppData\Local\Temp\HPQSi.exe
C:\Users\Sales43\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Sales43\AppData\Local\Temp\msimg32.dll
C:\Users\Sales43\AppData\Local\Temp\setup.exe
C:\Users\Sales43\AppData\Local\Temp\SetupA2.exe
C:\Users\Sales43\AppData\Local\Temp\SetupAC.exe
C:\Users\Sales43\AppData\Local\Temp\SymLCSVC.EXE
C:\Users\Sales43\AppData\Local\Temp\wlsidten.dll
C:\Users\Sales43\AppData\Local\Temp\wlsidten.exe

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

7
Restore point made on: 2012-04-09 11:19:20
Restore point made on: 2012-06-13 09:28:21
Restore point made on: 2012-08-15 11:28:33
Restore point made on: 2012-08-16 21:19:41
Restore point made on: 2012-09-26 17:30:03
Restore point made on: 2012-09-27 07:36:51
Restore point made on: 2012-12-17 16:45:19

==================== Memory info ===========================

Percentage of memory in use: 23%
Total physical RAM: 2045.81 MB
Available physical RAM: 1563.95 MB
Total Pagefile: 1775.87 MB
Available Pagefile: 1626.7 MB
Total Virtual: 2047.88 MB
Available Virtual: 1973.7 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:103.43 GB) (Free:39.73 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (HP_RECOVERY) (Fixed) (Total:8.36 GB) (Free:1.81 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: () (Removable) (Total:0.24 GB) (Free:0.24 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 112 GB) (Disk ID: 6E236E23)
Partition 1: (Active) - (Size=103 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 244 MB) (Disk ID: 00000000)
Partition 1: (Active) - (Size=244 MB) - (Type=0E)

LastRegBack: 2013-11-10 10:43

==================== End Of Log ============================



#4 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts)

Posted 13 November 2013 - 06:06 PM

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

HKU\Sales43\...\Run: [{79AD74AD-A0D8-EC3A-85DB-D8D400CA3454}] - C:\Users\Sales43\AppData\Roaming\Oksux\hutou.exe
HKU\Sales43\...\Run: [cmdletup] - rundll32 "C:\Users\Sales43\AppData\Local\Temp\dldwicpl.dll",CreateProcessNotify <===== ATTENTION
HKU\Sales43\...\Run: [56HkYITDe6.exe] - C:\Users\Sales43\AppData\Local\eRG6WNq683J\56HkYITDe6.exe [ 2013-11-02] (Microsoft Corporation)
HKU\Sales43\...\Winlogon: [Shell] cmd.exe [ 2006-11-02] (Microsoft Corporation) <==== ATTENTION
HKU\Sales43\...\Command Processor: "C:\Users\Sales43\AppData\Local\eRG6WNq683J\56HkYITDe6.exe" <===== ATTENTION!
NETSVC: winpower -> C:\Windows\system32\mhn.dll (Iomega) ATTENTION! ====> ZeroAcce
2013-11-02 11:44 - 2013-11-02 11:44 - 00300544 _____ C:\Users\Sales43\Local Settings\Application Data\QHrTGggVYX8
2013-11-02 11:44 - 2013-11-02 11:44 - 00300544 _____ C:\Users\Sales43\AppData\Roaming\QitY9YR4BP
2013-11-02 11:44 - 2013-11-02 11:44 - 00300544 _____ C:\Users\Sales43\AppData\Local\QHrTGggVYX8
2013-11-02 11:44 - 2013-11-02 11:44 - 00300544 _____ C:\ProgramData\yW9xkWFIJ3
2013-11-02 11:43 - 2013-11-02 11:48 - 00000000 ____D C:\Users\Sales43\Local Settings\Application Data\eRG6WNq683J
2013-11-02 11:43 - 2013-11-02 11:48 - 00000000 ____D C:\Users\Sales43\AppData\Local\eRG6WNq683J
C:\Users\Sales43\AppData\Local\1cf6efbe
C:\Users\Sales43\AppData\Local\1cf6efbe\@
C:\Users\Sales43\AppData\Local\1cf6efbe\U\000000c0.@
C:\Users\Sales43\AppData\Local\1cf6efbe\U\000000cb.@
C:\Users\Sales43\AppData\Local\eRG6WNq683J\56HkYITDe6.exe
C:\Users\Sales43\taskmgr.exe
C:\Users\Sales43\AppData\Local\Temp\APNStub.exe
C:\Users\Sales43\AppData\Local\Temp\dldwicpl.dll
C:\Users\Sales43\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Sales43\AppData\Local\Temp\HPQSi.exe
C:\Users\Sales43\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Sales43\AppData\Local\Temp\msimg32.dll
C:\Users\Sales43\AppData\Local\Temp\setup.exe
C:\Users\Sales43\AppData\Local\Temp\SetupA2.exe
C:\Users\Sales43\AppData\Local\Temp\SetupAC.exe
C:\Users\Sales43\AppData\Local\Temp\SymLCSVC.EXE
C:\Users\Sales43\AppData\Local\Temp\wlsidten.dll
C:\Users\Sales43\AppData\Local\Temp\wlsidten.exe

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Will the machine start now?



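Added example (not part of the thread, and not FRST's own code): a small Python script that does the triage fireman4it did by hand between the log in #3 and the fixlist in #4. The log shows the two mechanisms that kept every Safe Mode variant from coming up clean: the per-user Winlogon Shell value was set to cmd.exe, and HKCU\Software\Microsoft\Command Processor\AutoRun pointed at 56HkYITDe6.exe. cmd.exe executes the AutoRun value every time it starts (unless launched with /D), so the lock screen was relaunched as the shell in normal mode and again in Safe Mode with Command Prompt; the netsvcs entry for winpower -> mhn.dll is the ZeroAccess service-group hijack. The script flags those lines, collects the paths FRST lists under "ZeroAccess:" and "Files to move or delete:", and emits them verbatim as fixlist lines, which is the format the fixlist in #4 uses. The sample input is excerpted from the posted log with two clean autoruns kept as negatives; the "user-writable directory with missing or forged publisher" rule is this example's own heuristic, not an FRST rule.

```python
"""Triage an FRST (Farbar Recovery Scan Tool) log for the persistence
indicators seen in this thread and turn them into fixlist.txt lines.
FRST accepts log lines pasted verbatim as fix directives, as the fixlist
in the thread shows, so the output is simply the matched lines."""
import re
from typing import List, Optional, Tuple

# Constructed sample: lines excerpted from the FRST.txt posted above,
# plus two clean autoruns (SynTPEnh, cdloader) kept as negatives.
SAMPLE_LOG = r"""
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1021224 2007-09-15] (Synaptics, Inc.)
HKU\Sales43\...\Run: [cdloader] - C:\Users\Sales43\AppData\Roaming\mjusbsp\cdloader2.exe [ 2012-02-01] (magicJack L.P.)
HKU\Sales43\...\Run: [{79AD74AD-A0D8-EC3A-85DB-D8D400CA3454}] - C:\Users\Sales43\AppData\Roaming\Oksux\hutou.exe
HKU\Sales43\...\Run: [cmdletup] - rundll32 "C:\Users\Sales43\AppData\Local\Temp\dldwicpl.dll",CreateProcessNotify <===== ATTENTION
HKU\Sales43\...\Run: [56HkYITDe6.exe] - C:\Users\Sales43\AppData\Local\eRG6WNq683J\56HkYITDe6.exe [ 2013-11-02] (Microsoft Corporation)
HKU\Sales43\...\Winlogon: [Shell] cmd.exe [ 2006-11-02] (Microsoft Corporation) <==== ATTENTION
HKU\Sales43\...\Command Processor: "C:\Users\Sales43\AppData\Local\eRG6WNq683J\56HkYITDe6.exe" <===== ATTENTION!
NETSVC: winpower -> C:\Windows\system32\mhn.dll (Iomega) ATTENTION! ====> ZeroAccess

ZeroAccess:
C:\Users\Sales43\AppData\Local\1cf6efbe
C:\Users\Sales43\AppData\Local\1cf6efbe\@
C:\Users\Sales43\AppData\Local\1cf6efbe\U\000000c0.@
C:\Users\Sales43\AppData\Local\1cf6efbe\U\000000cb.@

Files to move or delete:
====================
C:\Users\Sales43\AppData\Local\eRG6WNq683J\56HkYITDe6.exe
C:\Users\Sales43\taskmgr.exe

Some content of TEMP:
====================
C:\Users\Sales43\AppData\Local\Temp\dldwicpl.dll
"""

# FRST sections whose every path line belongs in the fixlist.
COLLECT_SECTIONS = ("ZeroAccess:", "Files to move or delete:")

RUN_RE = re.compile(r"^(HKLM|HKU\\[^\\]+)\\\.\.\.\\Run(Once)?: \[[^\]]*\] - (?P<cmd>.*)$")
USER_DIR_RE = re.compile(r"\\AppData\\|\\Temp\\|\\Local Settings\\", re.I)
PUBLISHER_RE = re.compile(r"\(([^()]*)\)\s*$")  # trailing "(Vendor)" FRST prints


def classify(line: str) -> Optional[str]:
    """Return why a single FRST log line is a persistence indicator, or None."""
    if line.startswith("NETSVC:") and "ZeroAccess" in line:
        return "svchost netsvcs group hijacked (ZeroAccess)"
    if "\\Winlogon: [Shell]" in line:
        # "[Shell] cmd.exe [ 2006-11-02] (...)" -> "cmd.exe"
        shell = line.split("] ", 1)[1].split(" [", 1)[0].strip()
        if shell.lower() != "explorer.exe":
            return f"Winlogon Shell replaced with {shell}"
    if "\\Command Processor:" in line:
        return "cmd.exe AutoRun hook (runs whenever cmd.exe starts)"
    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd")
        pub = PUBLISHER_RE.search(cmd)
        publisher = pub.group(1).strip() if pub else ""
        # Heuristic of this example, not an FRST rule: an autorun living in a
        # user-writable directory with no publisher, or claiming Microsoft from
        # a random folder (forged version info), is treated as malicious.
        if USER_DIR_RE.search(cmd) and publisher in ("", "Microsoft Corporation"):
            return "autorun from user-writable dir, missing or forged publisher"
    if "ATTENTION" in line:
        return "flagged by FRST"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Walk the log once; return (reason, verbatim line) for every indicator."""
    hits: List[Tuple[str, str]] = []
    section: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            section = None  # FRST separates sections with blank lines
            continue
        if line in COLLECT_SECTIONS:
            section = line
            continue
        if section is not None:
            if not line.startswith("="):  # skip the "=====" underline
                hits.append((f"listed under '{section}'", line))
            continue
        reason = classify(line)
        if reason:
            hits.append((reason, line))
    return hits


def build_fixlist(log_text: str) -> List[str]:
    """Fixlist body: the indicator lines verbatim, in log order, de-duplicated."""
    seen, out = set(), []
    for _, line in triage(log_text):
        if line not in seen:
            seen.add(line)
            out.append(line)
    return out


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
    print("\n--- fixlist.txt ---")
    print("\n".join(build_fixlist(SAMPLE_LOG)))
```

Run it as-is to print the triage and the resulting fixlist; pass the contents of a real FRST.txt to triage() to use it on another log. Review the output before pressing Fix: the publisher heuristic will also catch legitimate unsigned software that autostarts from AppData, and FRST moves whatever you list.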

#5 kathyjam (Topic Starter, Members, 4 posts)

Posted 13 November 2013 - 06:43 PM

It worked!! I can't thank you enough! Thank you SO much. Here's the fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-11-2013 01
Ran by SYSTEM at 2013-11-13 17:37:30 Run:1
Running from F:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
HKU\Sales43\...\Run: [{79AD74AD-A0D8-EC3A-85DB-D8D400CA3454}] - C:\Users\Sales43\AppData\Roaming\Oksux\hutou.exe
HKU\Sales43\...\Run: [cmdletup] - rundll32 "C:\Users\Sales43\AppData\Local\Temp\dldwicpl.dll",CreateProcessNotify <===== ATTENTION
HKU\Sales43\...\Run: [56HkYITDe6.exe] - C:\Users\Sales43\AppData\Local\eRG6WNq683J\56HkYITDe6.exe [ 2013-11-02] (Microsoft Corporation)
HKU\Sales43\...\Winlogon: [Shell] cmd.exe [ 2006-11-02] (Microsoft Corporation) <==== ATTENTION
HKU\Sales43\...\Command Processor: "C:\Users\Sales43\AppData\Local\eRG6WNq683J\56HkYITDe6.exe" <===== ATTENTION!
NETSVC: winpower -> C:\Windows\system32\mhn.dll (Iomega) ATTENTION! ====> ZeroAcce
2013-11-02 11:44 - 2013-11-02 11:44 - 00300544 _____ C:\Users\Sales43\Local Settings\Application Data\QHrTGggVYX8
2013-11-02 11:44 - 2013-11-02 11:44 - 00300544 _____ C:\Users\Sales43\AppData\Roaming\QitY9YR4BP
2013-11-02 11:44 - 2013-11-02 11:44 - 00300544 _____ C:\Users\Sales43\AppData\Local\QHrTGggVYX8
2013-11-02 11:44 - 2013-11-02 11:44 - 00300544 _____ C:\ProgramData\yW9xkWFIJ3
2013-11-02 11:43 - 2013-11-02 11:48 - 00000000 ____D C:\Users\Sales43\Local Settings\Application Data\eRG6WNq683J
2013-11-02 11:43 - 2013-11-02 11:48 - 00000000 ____D C:\Users\Sales43\AppData\Local\eRG6WNq683J
C:\Users\Sales43\AppData\Local\1cf6efbe
C:\Users\Sales43\AppData\Local\1cf6efbe\@
C:\Users\Sales43\AppData\Local\1cf6efbe\U\000000c0.@
C:\Users\Sales43\AppData\Local\1cf6efbe\U\000000cb.@
C:\Users\Sales43\AppData\Local\eRG6WNq683J\56HkYITDe6.exe
C:\Users\Sales43\taskmgr.exe
C:\Users\Sales43\AppData\Local\Temp\APNStub.exe
C:\Users\Sales43\AppData\Local\Temp\dldwicpl.dll
C:\Users\Sales43\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Sales43\AppData\Local\Temp\HPQSi.exe
C:\Users\Sales43\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Sales43\AppData\Local\Temp\msimg32.dll
C:\Users\Sales43\AppData\Local\Temp\setup.exe
C:\Users\Sales43\AppData\Local\Temp\SetupA2.exe
C:\Users\Sales43\AppData\Local\Temp\SetupAC.exe
C:\Users\Sales43\AppData\Local\Temp\SymLCSVC.EXE
C:\Users\Sales43\AppData\Local\Temp\wlsidten.dll
C:\Users\Sales43\AppData\Local\Temp\wlsidten.exe

*****************

HKU\Sales43\Software\Microsoft\Windows\CurrentVersion\Run\\{79AD74AD-A0D8-EC3A-85DB-D8D400CA3454} => Value deleted successfully.
HKU\Sales43\Software\Microsoft\Windows\CurrentVersion\Run\\cmdletup => Value deleted successfully.
HKU\Sales43\Software\Microsoft\Windows\CurrentVersion\Run\\56HkYITDe6.exe => Value deleted successfully.
HKU\Sales43\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKU\Sales43\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs winpower => Value deleted successfully.
C:\Users\Sales43\Local Settings\Application Data\QHrTGggVYX8 => Moved successfully.
C:\Users\Sales43\AppData\Roaming\QitY9YR4BP => Moved successfully.
"C:\Users\Sales43\AppData\Local\QHrTGggVYX8" => File/Directory not found.
C:\ProgramData\yW9xkWFIJ3 => Moved successfully.
C:\Users\Sales43\Local Settings\Application Data\eRG6WNq683J => Moved successfully.
"C:\Users\Sales43\AppData\Local\eRG6WNq683J" => File/Directory not found.
C:\Users\Sales43\AppData\Local\1cf6efbe => Moved successfully.
"C:\Users\Sales43\AppData\Local\1cf6efbe\@" => File/Directory not found.
"C:\Users\Sales43\AppData\Local\1cf6efbe\U\000000c0.@" => File/Directory not found.
"C:\Users\Sales43\AppData\Local\1cf6efbe\U\000000cb.@" => File/Directory not found.
"C:\Users\Sales43\AppData\Local\eRG6WNq683J\56HkYITDe6.exe" => File/Directory not found.
C:\Users\Sales43\taskmgr.exe => Moved successfully.
C:\Users\Sales43\AppData\Local\Temp\APNStub.exe => Moved successfully.
C:\Users\Sales43\AppData\Local\Temp\dldwicpl.dll => Moved successfully.
C:\Users\Sales43\AppData\Local\Temp\FlashPlayerUpdate.exe => Moved successfully.
C:\Users\Sales43\AppData\Local\Temp\HPQSi.exe => Moved successfully.
C:\Users\Sales43\AppData\Local\Temp\InstallFlashPlayer.exe => Moved successfully.
C:\Users\Sales43\AppData\Local\Temp\msimg32.dll => Moved successfully.
C:\Users\Sales43\AppData\Local\Temp\setup.exe => Moved successfully.
C:\Users\Sales43\AppData\Local\Temp\SetupA2.exe => Moved successfully.
C:\Users\Sales43\AppData\Local\Temp\SetupAC.exe => Moved successfully.
C:\Users\Sales43\AppData\Local\Temp\SymLCSVC.EXE => Moved successfully.
C:\Users\Sales43\AppData\Local\Temp\wlsidten.dll => Moved successfully.
C:\Users\Sales43\AppData\Local\Temp\wlsidten.exe => Moved successfully.

==== End of Fixlog ====



#6 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts)

Posted 13 November 2013 - 10:53 PM

Please run Frst as you did the first time you ran it and post the log please.




#7 kathyjam (Topic Starter, Members, 4 posts)

Posted 14 November 2013 - 04:08 PM

Uh oh. I already gave the laptop back to my dad. Is it possible there was something else that needed to be fixed? It seemed to be working fine. I didn't see your message in time.

#8 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts)

Posted 15 November 2013 - 10:22 PM

I just wanted to make sure it was fixed and nothing leftover.




#9 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts)

Posted 18 November 2013 - 09:24 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





