Can someone make a fixlog?


This topic is locked
15 replies to this topic

#1 daanus (Members, 8 posts)

Posted 13 November 2013 - 05:12 AM

Can someone have a look at my log and make a fixlog? That would be great!

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-11-2013
Ran by SYSTEM on MININT-4PPQLG4 on 13-11-2013 10:43:27
Running from G:\
Windows 7 Ultimate Service Pack 1 (X86) OS Language: Dutch Standard
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [11430504 2011-10-17] (Realtek Semiconductor)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [926896 2012-09-23] (Adobe Systems Incorporated)
HKLM\...\Run: [egui] - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [3117344 2012-03-07] (ESET)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-11-28] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152544 2012-12-12] (Apple Inc.)
HKLM\...\Run: [Automatic Mouse Move and Click Software.exe] - [x]
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [SwitchBoard] - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS6ServiceManager] - C:\Program Files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\Daan\...\Run: [AdobeBridge] - [x]
HKU\Daan\...\Run: [Share YouTube Videos] - C:\Program Files\Share YouTube Videos\Share YouTube Videos.exe [ 2013-10-08] ()
HKU\Daan\...\Run: [EV_Autowatcher_Download-Carbon0x] - C:\Users\Daan\Desktop\Enhanceviews Autowatcher v2.44(1).exe
 
========================== Services (Whitelisted) =================
 
S2 Cepstral License Server; C:\Program Files\Cepstral\bin\CepstralLicSrv.exe [57344 2007-03-15] (Cepstral, LLC)
S2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [913144 2012-03-07] (ESET)
 
==================== Drivers (Whitelisted) ====================
 
S3 BFN7x86; C:\Windows\system32\drivers\Xeno7x86.sys [130152 2012-02-22] (Bigfoot Networks, Inc.)
S1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [169080 2012-03-14] (ESET)
S1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [120152 2012-03-14] (ESET)
S2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [103112 2012-03-14] (ESET)
S3 FilterService; C:\Windows\system32\drivers\lvuvcflt.sys [23832 2009-10-07] (Logitech Inc.)
S3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [1265216 2011-09-09] (Ralink Technology Corp.)
S3 uagp35; C:\Windows\system32\drivers\sisagpx.sys [58400 2009-08-01] (Silicon Integrated Systems Corporation)
S3 VGPU; System32\drivers\rdvgkmd.sys [x]
S4 WinDefend; 
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-11-13 10:43 - 2013-11-13 10:43 - 00000000 ____D C:\FRST
2013-10-20 17:50 - 2013-10-20 17:50 - 00000000 __SHD C:\found.000
 
==================== One Month Modified Files and Folders =======
 
2013-11-13 10:43 - 2013-11-13 10:43 - 00000000 ____D C:\FRST
2013-10-20 17:50 - 2013-10-20 17:50 - 00000000 __SHD C:\found.000
2013-10-19 16:02 - 2013-05-24 22:14 - 122991485 _____ C:\Windows\MEMORY.DMP
2013-10-19 15:55 - 2013-01-29 21:08 - 01335230 _____ C:\Windows\WindowsUpdate.log
2013-10-19 15:54 - 2009-07-14 05:39 - 00048727 _____ C:\Windows\setupact.log
2013-10-14 08:57 - 2009-07-14 05:34 - 00017072 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-14 08:57 - 2009-07-14 05:34 - 00017072 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-14 08:56 - 2011-04-12 05:48 - 02056466 _____ C:\Windows\System32\perfh013.dat
2013-10-14 08:56 - 2011-04-12 05:48 - 00570656 _____ C:\Windows\System32\perfc013.dat
2013-10-14 08:56 - 2010-11-20 22:01 - 00006430 _____ C:\Windows\System32\PerfStringBackup.INI
 
Files to move or delete:
====================
C:\Users\Daan\AppData\Roaming\CamLayout.ini
C:\Users\Daan\AppData\Roaming\CamShapes.ini
C:\Users\Daan\Enhanceviews Autowatcher v2.44(1).exe
C:\Users\Daan\start-server.bat
 
 
Some content of TEMP:
====================
C:\Users\Daan\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\Daan\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\Daan\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\Daan\AppData\Local\Temp\OCL6D93.tmp.dll
C:\Users\Daan\AppData\Local\Temp\OCL93BA.tmp.dll
C:\Users\Daan\AppData\Local\Temp\OCLACB6.tmp.dll
C:\Users\Daan\AppData\Local\Temp\xmlUpdater.exe
 
 
==================== Known DLLs (Whitelisted) ============
 
C:\Windows\System32\LPK.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\MSCTF.dll IS MISSING <==== ATTENTION!.
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 12%
Total physical RAM: 3839.24 MB
Available physical RAM: 3376.75 MB
Total Pagefile: 3837.52 MB
Available Pagefile: 3387.73 MB
Total Virtual: 2047.88 MB
Available Virtual: 1945.88 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:141.74 GB) (Free:71.57 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: () (Fixed) (Total:141.7 GB) (Free:140.12 GB) NTFS
Drive e: (PQSERVICE) (Fixed) (Total:14.65 GB) (Free:3.8 GB) NTFS
Drive g: (Naamloos) (Removable) (Total:3.72 GB) (Free:3.72 GB) exFAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: C50DC441)
Partition 1: (Not Active) - (Size=15 GB) - (Type=27)
Partition 2: (Active) - (Size=142 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=142 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=4 GB) - (Type=07 NTFS)
 
 
LastRegBack: 2013-10-11 15:29
 
==================== End Of Log ============================



#2 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 13 November 2013 - 05:20 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

Not that easy on your system!

 

 

Search for files with FRST (Recovery Environment)


In Vista or Windows 7: Boot to System Recovery Options and run FRST.

In Windows XP: Please boot to BartPe and run FRST.



Type the following in the edit box after "Search:"

LPK.dll
MSCTF.dll

Click Search button and post the log (Search.txt) it makes to your reply.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 daanus (Topic Starter, Members, 8 posts)

Posted 13 November 2013 - 06:05 AM

Farbar Recovery Scan Tool (x86) Version: 13-11-2013
Ran by SYSTEM at 2013-11-13 12:04:07
Running from G:\
Boot Mode: Recovery
Farbar Recovery Scan Tool (x86) Version: 13-11-2013
Ran by SYSTEM at 2013-11-13 12:05:59
Running from G:\
Boot Mode: Recovery
 
================== Search: "LPK.dll" ===================
 
C:\Windows.old\Windows\winsxs\x86_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_ac0e7fd2d22636de\lpk.dll
[2009-07-14 00:25] - [2009-07-14 02:15] - 0026624 ____A (Microsoft Corporation) 4F154D2C9C6DF951FD6E5AABBAE6B5EE
 
C:\Windows.old\Windows\winsxs\x86_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.18032_none_abc2c1b1b8daa369\lpk.dll
[2009-07-14 00:25] - [2009-07-14 02:15] - 0026624 ____A (Microsoft Corporation) 4F154D2C9C6DF951FD6E5AABBAE6B5EE
 
C:\Windows.old\Windows\winsxs\x86_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17514_none_abda8263b8c87657\lpk.dll
[2009-07-14 00:25] - [2009-07-14 02:15] - 0026624 ____A (Microsoft Corporation) 4F154D2C9C6DF951FD6E5AABBAE6B5EE
 
C:\Windows.old\Windows\System32\lpk.dll
[2009-07-14 00:25] - [2009-07-14 02:15] - 0026624 ____A (Microsoft Corporation) 4F154D2C9C6DF951FD6E5AABBAE6B5EE
 
=== End Of Search ===
 
================== Search: "MSCTF.dll" ===================
 
C:\Windows.old\Windows\winsxs\x86_microsoft-windows-t..icesframework-msctf_31bf3856ad364e35_6.1.7600.16385_none_759a063d5018af0a\msctf.dll
[2009-07-14 00:28] - [2009-07-14 02:15] - 0828928 ____A (Microsoft Corporation) C9618BC9B2B0FD7C1138D8774795A79B
 
C:\Windows.old\Windows\System32\msctf.dll
[2009-07-14 00:28] - [2009-07-14 02:15] - 0828928 ____A (Microsoft Corporation) C9618BC9B2B0FD7C1138D8774795A79B
 
=== End Of Search ===
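Every copy of lpk.dll and every copy of msctf.dll that FRST found in Windows.old carries the same MD5 and the same Microsoft Corporation company string, which is what makes it safe to copy one of them back into System32 with a FRST Replace: directive. The script below is an added example, not part of this thread and not a FRST feature: it parses the Search.txt format shown above, refuses to propose a replacement when the copies disagree on hash or publisher, and otherwise emits Replace: lines that pick the highest version found in the WinSxS directory name. The lpk.dll and msctf.dll blocks are taken from the post above (a subset of the lpk.dll hits); the fake.dll block and its hashes are constructed to exercise the refusal path. The target directory C:\Windows\System32 is an assumption for a default install.

```python
import re

# Search.txt as posted in this thread (subset), plus one constructed block
# ("fake.dll", invented hashes) whose copies disagree.
SEARCH_TXT = r"""
================== Search: "LPK.dll" ===================

C:\Windows.old\Windows\winsxs\x86_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_ac0e7fd2d22636de\lpk.dll
[2009-07-14 00:25] - [2009-07-14 02:15] - 0026624 ____A (Microsoft Corporation) 4F154D2C9C6DF951FD6E5AABBAE6B5EE

C:\Windows.old\Windows\winsxs\x86_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17514_none_abda8263b8c87657\lpk.dll
[2009-07-14 00:25] - [2009-07-14 02:15] - 0026624 ____A (Microsoft Corporation) 4F154D2C9C6DF951FD6E5AABBAE6B5EE

C:\Windows.old\Windows\System32\lpk.dll
[2009-07-14 00:25] - [2009-07-14 02:15] - 0026624 ____A (Microsoft Corporation) 4F154D2C9C6DF951FD6E5AABBAE6B5EE

=== End Of Search ===

================== Search: "MSCTF.dll" ===================

C:\Windows.old\Windows\winsxs\x86_microsoft-windows-t..icesframework-msctf_31bf3856ad364e35_6.1.7600.16385_none_759a063d5018af0a\msctf.dll
[2009-07-14 00:28] - [2009-07-14 02:15] - 0828928 ____A (Microsoft Corporation) C9618BC9B2B0FD7C1138D8774795A79B

C:\Windows.old\Windows\System32\msctf.dll
[2009-07-14 00:28] - [2009-07-14 02:15] - 0828928 ____A (Microsoft Corporation) C9618BC9B2B0FD7C1138D8774795A79B

=== End Of Search ===

================== Search: "fake.dll" ===================

C:\Windows.old\Windows\System32\fake.dll
[2009-07-14 00:28] - [2009-07-14 02:15] - 0001024 ____A (Microsoft Corporation) 00000000000000000000000000000001

D:\backup\fake.dll
[2009-07-14 00:28] - [2013-10-19 16:00] - 0001024 ____A () 00000000000000000000000000000002

=== End Of Search ===
"""

HEADER = re.compile(r'^=+ Search: "(?P<name>[^"]+)" =+$')
PATH = re.compile(r"^[A-Za-z]:\\.+$")
# [created] - [modified] - size attrs (company) md5
META = re.compile(r"^\[[^\]]+\] - \[[^\]]+\] - (?P<size>\d+) (?P<attrs>\S+) "
                  r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")
# Version embedded in a WinSxS directory name, e.g. _6.1.7601.22195_
VERSION = re.compile(r"_(\d+)\.(\d+)\.(\d+)\.(\d+)_")


def parse_search(text):
    """Map each searched file name to the list of copies FRST found."""
    results, current, pending_path = {}, None, None
    for line in text.splitlines():
        line = line.rstrip()
        h = HEADER.match(line)
        if h:
            current = h.group("name")
            results.setdefault(current, [])
            pending_path = None
            continue
        if current is None:
            continue
        if PATH.match(line):
            pending_path = line          # metadata follows on the next line
            continue
        m = META.match(line)
        if m and pending_path:
            v = VERSION.search(pending_path)
            results[current].append({
                "path": pending_path,
                "company": m.group("company"),
                "md5": m.group("md5").upper(),
                "version": tuple(int(x) for x in v.groups()) if v else (0, 0, 0, 0),
            })
            pending_path = None
    return results


def build_replace_lines(text, target_dir=r"C:\Windows\System32"):
    """Emit FRST 'Replace:' lines only for files whose copies all agree."""
    replace_lines, problems = [], {}
    for name, cands in parse_search(text).items():
        hashes = {c["md5"] for c in cands}
        companies = {c["company"] for c in cands}
        if not cands:
            problems[name] = "no copy found"
        elif len(hashes) != 1:
            problems[name] = "hash mismatch between copies: " + ", ".join(sorted(hashes))
        elif companies != {"Microsoft Corporation"}:
            problems[name] = "unexpected publisher: " + ", ".join(sorted(companies))
        else:
            best = max(cands, key=lambda c: c["version"])   # newest WinSxS copy wins
            replace_lines.append(f"Replace: {best['path']} {target_dir}\\{name}")
    return replace_lines, problems


if __name__ == "__main__":
    lines, problems = build_replace_lines(SEARCH_TXT)
    print("\n".join(lines))
    for name, why in problems.items():
        print(f"SKIPPED {name}: {why}")
```

A matching hash across all copies shows they are the same bytes, not that they are clean; the assurance here comes from every copy sitting in the old installation's component store with a Microsoft company string. Where possible, compare the MD5 against the same build's file on a known-good machine or the install media before running the fix.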


#4 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 13 November 2013 - 08:01 AM

Fix with FRST (Recovery Environment)


  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    HKLM\...\Policies\Explorer: [NoInternetOpenWith] 1
    HKU\Daan\...\Run: [Share YouTube Videos] - C:\Program Files\Share YouTube Videos\Share YouTube Videos.exe [ 2013-10-08] ()
    HKU\Daan\...\Run: [EV_Autowatcher_Download-Carbon0x] - C:\Users\Daan\Desktop\Enhanceviews Autowatcher v2.44(1).exe
    
    C:\Program Files\Share YouTube Videos
    C:\Users\Daan\Desktop\Enhanceviews Autowatcher v2.44(1).exe
    C:\Users\Daan\AppData\Roaming\CamLayout.ini
    C:\Users\Daan\AppData\Roaming\CamShapes.ini
    C:\Users\Daan\Enhanceviews Autowatcher v2.44(1).exe
    C:\Users\Daan\start-server.bat
    
    Replace: C:\Windows.old\Windows\winsxs\x86_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_ac0e7fd2d22636de\lpk.dll C:\Windows\System32\LPK.dll
    Replace: C:\Windows.old\Windows\winsxs\x86_microsoft-windows-t..icesframework-msctf_31bf3856ad364e35_6.1.7600.16385_none_759a063d5018af0a\msctf.dll C:\Windows\System32\MSCTF.dll

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

 

 

Boot into Windows now!

 

 

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)

  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


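The fixlist above removes exactly the Run entries that stand out in the recovery-mode log: the two that run with no size and no company information in the file, the one launched from the user's Desktop, and the Explorer policy. The Python script below is an added example, not part of this thread and not part of FRST; it applies those reading rules to the "Registry (Whitelisted)" lines. The sample lines are copied from the first log in this thread, the list of user-writable directory fragments and the wording of the reasons are my own choices, and FRST's `[x]` marker is read as "target file does not exist".

```python
import re
from dataclasses import dataclass, field

# Sample "Registry (Whitelisted)" lines in the shape FRST prints them, copied
# from the recovery-mode log posted in this thread (constructed subset).
SAMPLE_LOG = r"""
HKLM\...\Run: [egui] - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [3117344 2012-03-07] (ESET)
HKLM\...\Run: [Automatic Mouse Move and Click Software.exe] - [x]
HKLM\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\Daan\...\Run: [AdobeBridge] - [x]
HKU\Daan\...\Run: [Share YouTube Videos] - C:\Program Files\Share YouTube Videos\Share YouTube Videos.exe [ 2013-10-08] ()
HKU\Daan\...\Run: [EV_Autowatcher_Download-Carbon0x] - C:\Users\Daan\Desktop\Enhanceviews Autowatcher v2.44(1).exe
"""

# One autorun line: <hive>\...\Run: [<value name>] - <target>
RUN_LINE = re.compile(r"^(?P<hive>HK[^\s:]*?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] - (?P<rest>.*)$")
# One policy line: <hive>\...\Policies\<key>: [<value name>] <data>
POLICY_LINE = re.compile(r"^(?P<hive>HK[^\s:]*?)\\\.\.\.\\Policies\\(?P<key>[^:]+): "
                         r"\[(?P<value>[^\]]*)\] (?P<data>.*)$")
# Target part: <path> [<size> <date>] (<company>); bracket and company are
# optional because FRST leaves them out when it cannot read the file's metadata.
TARGET = re.compile(
    r"^(?P<path>.*?)"
    r"(?: \[(?P<size>\d*)\s*(?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?: \((?P<company>[^)]*)\))?$"
)
# Directory fragments an unprivileged user can write to (heuristic, my choice).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class Finding:
    name: str
    target: str
    reasons: list = field(default_factory=list)


def triage_run_entries(log_text):
    """Return the autorun/policy entries that deserve a second look, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line)
        if m:
            name, rest = m.group("name"), m.group("rest")
            reasons = []
            if rest == "[x]":
                # FRST prints [x] when the referenced file does not exist.
                reasons.append("target file missing (orphaned autorun)")
            else:
                t = TARGET.match(rest)
                if not t.group("size"):
                    reasons.append("no file size recorded")
                if not t.group("company"):
                    reasons.append("no company/version information in the file")
                if any(frag in t.group("path").lower() for frag in USER_WRITABLE):
                    reasons.append("runs from a user-writable location")
            if reasons:
                findings.append(Finding(name, rest, reasons))
            continue
        p = POLICY_LINE.match(line)
        if p:
            # Explorer/System policies are a common lock-down spot for malware;
            # FRST lists them so the reader can confirm each one is intended.
            findings.append(Finding(p.group("value"), p.group("data"),
                                    ["policy set under " + p.group("key") + "; confirm it is intentional"]))
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_LOG):
        print(f"{f.name}: {'; '.join(f.reasons)}")
```

The orphaned `[x]` entries are reported too, but as the fixlist above shows, an autorun whose target no longer exists is usually leftover junk rather than an infection; the entries worth removing are the ones that still point at a file the system cannot vouch for.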

#5 daanus (Topic Starter, Members, 8 posts)

Posted 13 November 2013 - 10:05 AM

I still can't boot into Windows. I did a scan again and this is the log:

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-11-2013
Ran by SYSTEM on MININT-IC3QLSC on 13-11-2013 16:02:55
Running from G:\
Windows 7 Ultimate Service Pack 1 (X86) OS Language: Dutch Standard
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [11430504 2011-10-17] (Realtek Semiconductor)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [926896 2012-09-23] (Adobe Systems Incorporated)
HKLM\...\Run: [egui] - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [3117344 2012-03-07] (ESET)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-11-28] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152544 2012-12-12] (Apple Inc.)
HKLM\...\Run: [Automatic Mouse Move and Click Software.exe] - [x]
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [SwitchBoard] - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS6ServiceManager] - C:\Program Files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKU\Daan\...\Run: [AdobeBridge] - [x]
 
========================== Services (Whitelisted) =================
 
S2 Cepstral License Server; C:\Program Files\Cepstral\bin\CepstralLicSrv.exe [57344 2007-03-15] (Cepstral, LLC)
S2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [913144 2012-03-07] (ESET)
 
==================== Drivers (Whitelisted) ====================
 
S3 BFN7x86; C:\Windows\system32\drivers\Xeno7x86.sys [130152 2012-02-22] (Bigfoot Networks, Inc.)
S1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [169080 2012-03-14] (ESET)
S1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [120152 2012-03-14] (ESET)
S2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [103112 2012-03-14] (ESET)
S3 FilterService; C:\Windows\system32\drivers\lvuvcflt.sys [23832 2009-10-07] (Logitech Inc.)
S3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [1265216 2011-09-09] (Ralink Technology Corp.)
S3 uagp35; C:\Windows\system32\drivers\sisagpx.sys [58400 2009-08-01] (Silicon Integrated Systems Corporation)
S3 VGPU; System32\drivers\rdvgkmd.sys [x]
S4 WinDefend; 
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-11-13 14:10 - 2009-07-14 02:15 - 00828928 _____ (Microsoft Corporation) C:\Windows\System32\MSCTF.dll
2013-11-13 14:10 - 2009-07-14 02:15 - 00026624 _____ (Microsoft Corporation) C:\Windows\System32\LPK.dll
2013-11-13 10:43 - 2013-11-13 10:43 - 00000000 ____D C:\FRST
2013-10-20 17:50 - 2013-10-20 17:50 - 00000000 __SHD C:\found.000
 
==================== One Month Modified Files and Folders =======
 
2013-11-13 14:10 - 2013-01-29 21:15 - 00000000 ____D C:\users\Daan
2013-11-13 10:43 - 2013-11-13 10:43 - 00000000 ____D C:\FRST
2013-10-20 17:50 - 2013-10-20 17:50 - 00000000 __SHD C:\found.000
2013-10-19 16:02 - 2013-05-24 22:14 - 122991485 _____ C:\Windows\MEMORY.DMP
2013-10-19 15:55 - 2013-01-29 21:08 - 01335230 _____ C:\Windows\WindowsUpdate.log
2013-10-19 15:54 - 2009-07-14 05:39 - 00048727 _____ C:\Windows\setupact.log
2013-10-14 08:57 - 2009-07-14 05:34 - 00017072 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-14 08:57 - 2009-07-14 05:34 - 00017072 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-14 08:56 - 2011-04-12 05:48 - 02056466 _____ C:\Windows\System32\perfh013.dat
2013-10-14 08:56 - 2011-04-12 05:48 - 00570656 _____ C:\Windows\System32\perfc013.dat
2013-10-14 08:56 - 2010-11-20 22:01 - 00006430 _____ C:\Windows\System32\PerfStringBackup.INI
 
Some content of TEMP:
====================
C:\Users\Daan\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\Daan\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\Daan\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\Daan\AppData\Local\Temp\OCL6D93.tmp.dll
C:\Users\Daan\AppData\Local\Temp\OCL93BA.tmp.dll
C:\Users\Daan\AppData\Local\Temp\OCLACB6.tmp.dll
C:\Users\Daan\AppData\Local\Temp\xmlUpdater.exe
 
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 11%
Total physical RAM: 3839.24 MB
Available physical RAM: 3380.23 MB
Total Pagefile: 3837.52 MB
Available Pagefile: 3390.59 MB
Total Virtual: 2047.88 MB
Available Virtual: 1954.78 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:141.74 GB) (Free:71.55 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: () (Fixed) (Total:141.7 GB) (Free:140.12 GB) NTFS
Drive e: (PQSERVICE) (Fixed) (Total:14.65 GB) (Free:3.8 GB) NTFS
Drive g: (Naamloos) (Removable) (Total:3.72 GB) (Free:3.72 GB) exFAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: C50DC441)
Partition 1: (Not Active) - (Size=15 GB) - (Type=27)
Partition 2: (Active) - (Size=142 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=142 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=4 GB) - (Type=07 NTFS)
 
 
LastRegBack: 2013-10-11 15:29
 
==================== End Of Log ============================


#6 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 13 November 2013 - 10:49 AM

What exactly happens when you try to boot?



#7 daanus (Topic Starter, Members, 8 posts)

Posted 13 November 2013 - 10:56 AM

I get a black screen and only my mouse cursor.



#8 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 13 November 2013 - 11:00 AM

System File Check (offline mode)

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt
  • In the command window:
  • type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your system drive letter and system path (for example, D:\windows\) and close the notepad.
  • enter the following command:


sfc /scannow /offbootdir=d:\ /offwindir=d:\windows


Replace the red and pink parts with the information you obtained from the last step of this tutorial.

Note: Depending on how your computer is setup, the Command Prompt, when used from outside of Windows, doesn't always assign drive letters in the same way that you see them from inside Windows. In other words, Windows might be at C:\Windows when you're using it, but D:\Windows from the Command Prompt in System Recovery Options.



#9 daanus (Topic Starter, Members, 8 posts)

Posted 13 November 2013 - 11:32 AM

Now it says that there are some damaged files on my PC that can't be restored. I can find them in C:\Windows\Logs\CBS\CBS.log
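When sfc reports files it could not repair, the detail sits in the lines tagged [SR] in CBS.log: which member file failed, why, and whether the copy in the component store was itself bad, which is the case where a clean copy has to come from somewhere else (Windows.old, as the Replace: lines earlier in this thread do, or the install media). The script below is an added example, not from this thread and not a Microsoft tool, that pulls those lines apart. The log excerpt is constructed to resemble CBS.log output for the lpk.dll case in this thread; its timestamps, sequence numbers and the msimg32.dll repair line are invented.

```python
import re

# Constructed CBS.log excerpt: [SR] lines in the shape the System File Checker
# writes them, modelled on the lpk.dll case from this thread (values invented).
SAMPLE_CBS = r"""
2013-11-13 17:30:12, Info                  CSI    000001d5 [SR] Verifying 100 (0x0000000000000064) components
2013-11-13 17:30:12, Info                  CSI    000001d6 [SR] Beginning Verify and Repair transaction
2013-11-13 17:30:13, Info                  CSI    000001d7 [SR] Cannot repair member file [l:14{7}]"lpk.dll" of Microsoft-Windows-GDI, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2013-11-13 17:30:13, Info                  CSI    000001d8 [SR] Could not reproject corrupted file [l:46{23}]"\??\C:\Windows\System32"\[l:14{7}]"lpk.dll"; source file in store is also corrupted
2013-11-13 17:30:14, Info                  CSI    000001d9 [SR] Repairing corrupted file [l:46{23}]"\??\C:\Windows\System32"\[l:22{11}]"msimg32.dll" from store
2013-11-13 17:30:14, Info                  CSI    000001da [SR] Repair complete
2013-11-13 17:30:14, Info                  CSI    000001db [SR] Verify and Repair Transaction completed. Some files were not repaired
"""

# <timestamp>, <level> CSI <seq> [SR] <message>
SR = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), \w+\s+CSI\s+[0-9a-f]+ \[SR\] (?P<msg>.*)$")
# Member file that could not be repaired; the reason is the last comma-separated part.
CANNOT = re.compile(r'^Cannot repair member file \[l:\d+\{\d+\}\]"(?P<file>[^"]+)" of '
                    r'(?P<component>[^,]+), Version = (?P<version>[\d.]+).*, (?P<reason>[^,]+)$')
# The store copy was bad as well, so a clean copy must come from elsewhere.
NO_STORE = re.compile(r'^Could not reproject corrupted file .*"(?P<file>[^"\\]+)"; (?P<reason>.*)$')
REPAIRED = re.compile(r'^Repairing corrupted file .*"(?P<file>[^"\\]+)" from store$')
FINAL = "Verify and Repair Transaction completed"


def parse_cbs_sr(text):
    """Summarise the [SR] lines: unrepairable files, repaired files, final status."""
    report = {"unrepairable": {}, "repaired": [], "final": None}
    for line in text.splitlines():
        m = SR.match(line)
        if not m:
            continue
        msg = m.group("msg")
        c = CANNOT.match(msg)
        if c:
            report["unrepairable"][c.group("file")] = {
                "component": c.group("component"),
                "version": c.group("version"),
                "reason": c.group("reason"),
                "store_corrupt": False,
            }
            continue
        n = NO_STORE.match(msg)
        if n:
            entry = report["unrepairable"].setdefault(
                n.group("file"),
                {"component": None, "version": None, "reason": n.group("reason"), "store_corrupt": False},
            )
            entry["store_corrupt"] = True
            continue
        r = REPAIRED.match(msg)
        if r:
            report["repaired"].append(r.group("file"))
            continue
        if msg.startswith(FINAL):
            report["final"] = msg
    return report


def needs_external_source(report):
    """Files sfc could not fix from the store: candidates for a Replace: from Windows.old or media."""
    return sorted(f for f, e in report["unrepairable"].items() if e["store_corrupt"])


if __name__ == "__main__":
    rep = parse_cbs_sr(SAMPLE_CBS)
    for name, e in rep["unrepairable"].items():
        print(f"UNREPAIRED {name} ({e['component']} {e['version']}): {e['reason']}"
              + (" [store copy also bad]" if e["store_corrupt"] else ""))
    print("repaired:", rep["repaired"])
    print("final:", rep["final"])
```

Microsoft's documented way to get the same subset of the log is `findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log`; the script accepts either that output or the full log, since lines without the [SR] tag are ignored.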



#10 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 13 November 2013 - 11:59 AM

Are you able to boot?


Edited by TB-Psychotic, 13 November 2013 - 11:59 AM.


#11 daanus (Topic Starter, Members, 8 posts)

Posted 13 November 2013 - 12:23 PM

No, I'm not. I still get the black screen...


Edited by daanus, 13 November 2013 - 12:29 PM.


#12 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 13 November 2013 - 12:36 PM

Are you able to boot into one of the safe modes?



#13 daanus (Topic Starter, Members, 8 posts)

Posted 13 November 2013 - 03:54 PM

No, I'm not able to access Windows in any way.



#14 daanus (Topic Starter, Members, 8 posts)

Posted 13 November 2013 - 04:22 PM


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-11-2013
Ran by SYSTEM on MININT-6AL9UD3 on 13-11-2013 22:20:23
Running from G:\
Windows ™ Code Name "Longhorn" Preinstallation Environment Service Pack 1 (X86) OS Language: Dutch Standard
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
 
ATTENTION!:=====> THE OPERATING SYSTEM IS A X64 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X86 SYSTEM DISK.
==================== Registry (Whitelisted) ==================
 
HKLM\...\Winlogon: [Shell] cmd.exe /k start cmd.exe [x ] () <=== ATTENTION
BootExecute: 
 
========================== Services (Whitelisted) =================
 
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2008-01-19] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
S0 FBWF; C:\Windows\System32\DRIVERS\fbwf.sys [97792 2008-01-19] (Microsoft Corporation)
S3 ksthunk; C:\Windows\system32\drivers\ksthunk.sys [20864 2008-01-19] (Microsoft Corporation)
S0 Ramdisk; C:\Windows\System32\DRIVERS\ramdisk.sys [27648 2008-01-19] (Microsoft Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [103992 2008-01-19] (Microsoft Corporation)
S0 WimFsf; C:\Windows\System32\Drivers\WimFsf.sys [61952 2008-01-19] (Microsoft Corporation)
S3 BTHMODEM; \SystemRoot\system32\drivers\bthmodem.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
 
==================== One Month Created Files and Folders ========
 
2013-11-13 22:20 - 2013-11-13 22:20 - 00000000 ____D C:\FRST
 
==================== One Month Modified Files and Folders =======
 
2013-11-13 22:20 - 2013-11-13 22:20 - 00000000 ____D C:\FRST
2013-11-13 11:49 - 2006-05-19 23:15 - 00000000 ____D C:\Windows\System32\LogFiles
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe
[2006-05-19 23:11] - [2008-01-19 09:00] - 0406016 ____A (Microsoft Corporation) 856491FCED98093D824B9EB2892F564A
 
C:\Windows\System32\wininit.exe
[2006-05-19 23:11] - [2008-01-19 09:00] - 0123904 ____A (Microsoft Corporation) 117EA87DF785CA1B9D821F6F213DCE07
 
C:\Windows\System32\svchost.exe
[2006-05-19 23:11] - [2008-01-19 09:00] - 0027648 ____A (Microsoft Corporation) CDA9F1373805AF88F6FA4F2064BBA24D
 
C:\Windows\System32\services.exe
[2006-05-19 23:11] - [2008-01-19 09:00] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719
 
C:\Windows\System32\User32.dll
[2006-05-19 23:11] - [2008-01-19 09:04] - 0820224 ____A (Microsoft Corporation) 32B87D215905F648EBE36A621978442C
 
C:\Windows\System32\userinit.exe
[2006-05-19 23:11] - [2008-01-19 09:00] - 0028160 ____A (Microsoft Corporation) A0AB2BB9A92293D9CE66E252719AB5FE
 
C:\Windows\System32\Drivers\volsnap.sys
[2006-05-19 23:12] - [2008-01-19 09:11] - 0271416 ____A (Microsoft Corporation) DE4307412D98050239026E56A7DFF3C0
 
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 11%
Total physical RAM: 3839.24 MB
Available physical RAM: 3408.45 MB
Total Pagefile: 3837.52 MB
Available Pagefile: 3406.75 MB
Total Virtual: 2047.88 MB
Available Virtual: 1940.18 MB
 
==================== Drives ================================
 
Drive c: (PQSERVICE) (Fixed) (Total:14.65 GB) (Free:3.8 GB) NTFS
Drive d: () (Fixed) (Total:141.7 GB) (Free:140.12 GB) NTFS
Drive e: (PQSERVICE) (Fixed) (Total:14.65 GB) (Free:3.8 GB) NTFS
Drive g: (Naamloos) (Removable) (Total:3.72 GB) (Free:3.72 GB) exFAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: () (Fixed) (Total:141.74 GB) (Free:71.4 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: C50DC441)
Partition 1: (Not Active) - (Size=15 GB) - (Type=27)
Partition 2: (Active) - (Size=142 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=142 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=4 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================
 
Do you see something here?

Edited by daanus, 13 November 2013 - 04:28 PM.


#15 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 14 November 2013 - 02:57 AM

Yes, but it makes no sense.

 

 

Create/Scan with Kaspersky Rescue Disk

Follow the instructions on this page for downloading the kav_rescue_10.iso (200 mb) file and creating the Kaspersky Rescue Disk.

Make sure you set to boot the machine from the CDRom drive first. Then save and exit the BIOS. The computer will begin to boot. Insert the disc in the CDrom drive, then restart the machine. It should then boot from that CD.

It's best if you refer to the instructions and images at Kaspersky How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?

Once it boots from CD, press a key so it continues to boot from that CD.

Select the language, then be sure to select Kaspersky Rescue Disk Graphic Mode.

Kaspersky should begin scanning your machine. If it finds infection, look carefully at the files it lists. If any of them seem to be legit files, do not allow it to clean/quarantine/delete them. Rather, save the log and post the results for me to look over.





