
Bot, Trojan and Black Screen of Death


  • This topic is locked
30 replies to this topic

#1 annmarie1031


Posted 07 January 2014 - 08:49 PM

I hope somebody can help!  It seems hopeless now.

 

I have an HP Elitebook running Windows XP Professional.  A couple days ago I noticed when doing research on the web, I clicked on a link and something unrelated with a different web address came up instead.  I ran Malware and Symantec and nothing was found.  Yesterday  I received an email from Comcast saying there is a Bot.  So I ran Malware, Symantec Scan, and TDSSKiller.  All came up with nothing.

 

Here's the bad part.  I looked through some old threads on Bleeping Computer and found one similar to my situation about Comcast and the Bot problem.  The user was advised to run Combofix.  I am aware of the warnings against doing so, but I ran it anyway.  It seemed to work fine.  The log showed it had deleted a few files. 

 

The laptop worked fine for a couple hours until I decided to run Symantec again.  This time it found trojan.viknok!inf.  While Symantec was running, the computer locked up.  I manually shut down and tried to reboot.  It went to a screen with two options: Windows Recovery Console or Windows XP. Selecting either option gave me a black screen.  I also tried starting up and hitting F8 for Advanced options.  When selecting any of those options (safe mode, etc), I also got a black screen.

 

This laptop does not have a CD drive to do a system restore.  Any advice would be greatly appreciated!




#2 HelpBot


Posted 12 January 2014 - 08:50 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/520045 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 annmarie1031


Posted 13 January 2014 - 11:51 AM

Still have the same problem as written in the original post...



#4 Bud_91

  • Malware Response Team

Posted 15 January 2014 - 03:05 PM

Hello and welcome to Bleeping Computer. I am sorry that you are having troubles with your computer and will try my best to help you. I know that being infected is very frustrating, but I will be here to help you through the whole process of cleaning. Removing malware can be difficult and complicated and will most likely take many steps, so please stick with me until I have declared your computer clean. I always recommend printing my instructions before following them in case you cannot keep this webpage open. Please be sure to always follow all steps exactly as they are written and let me know what happens each time. Stop and ask if something unexpected happens or if you are unsure of how to proceed.
 
Please respect my volunteered time and stay with me until I declare your computer clean. If you are going to be delayed for a while, please let me know.
 
Do you have the Windows XP Pro CD for your computer? I know that it doesn't have a CD drive, but we can use it to make a bootable USB to repair your computer.

Edited by Bud_91, 15 January 2014 - 04:00 PM.

If I have not responded to your log in 36 hours, feel free to send me a PM.

If you would like to make a thank-you donation, please click here.

 

A.K.A. Buddierdl @ GeeksToGo.com


#5 annmarie1031


Posted 15 January 2014 - 03:16 PM

Unfortunately, there isn't a CD for this computer.  It was an old work computer.



#6 Bud_91

  • Malware Response Team

Posted 15 January 2014 - 04:01 PM

Do you have any XP cd, even home?

 

If not, we'll use linux.




#7 annmarie1031


Posted 15 January 2014 - 07:25 PM

Yes, I have an XP Media cd.



#8 Bud_91

  • Malware Response Team

Posted 16 January 2014 - 06:34 PM

We can use the CD to build a bootable USB to help repair your computer, but I need to familiarize myself with that first.

 

In the meantime, let's try and see if we can invoke a restore point.

 

You will need a USB flash drive for this. If you don't have one, let me know. Please note that all data will be erased on the flash drive during this process.
 
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear

  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it
 
 
Please note:  If you have an ethernet connection you can access the internet by way of xPUD (Firefox).  You can perform all these steps on your sick computer.  When you download a file, it will reside in the Download folder.  It can be found under the File tab also.  You can similarly access our thread by way of this OS too so you can send the logs that way.
 
Please also note - all text entries are case sensitive
 
Copy and paste the enum.log for my review. Also, please tell me the approximate date when your computer problems started.

 




#9 annmarie1031


Posted 16 January 2014 - 09:31 PM

Following your directions, when I tried to boot from USB, the screen said:

Could not find kernel image:  linux

 

I can boot it from a Windows 7 CD and the start-up repair says:

The partition table does not have a valid System Partition.

 

At the Windows 7 DOS prompt, I can see all the files and directories.  I ran Chkdsk and it said it fixed a corrupted entry.  Ran it again, and it said no errors.  If I boot it from a bootable USB floppy to an MS DOS prompt it doesn't see the C drive.

 

So it sounds like a Partition Table problem???

 

Also, we have the docking station for this laptop, so we have a CD drive.  Sorry for the confusion!



#10 Bud_91

  • Malware Response Team

Posted 17 January 2014 - 08:55 AM

Great. A Windows 7 CD will make things much easier. This tool will run from the command prompt.

 

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
 
Plug the flashdrive into the infected PC.
 
Enter System Recovery Options.
 
To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Edited by Bud_91, 17 January 2014 - 08:56 AM.



#11 annmarie1031


Posted 17 January 2014 - 05:13 PM

Please see PM.


Edited by annmarie1031, 17 January 2014 - 05:25 PM.


#12 Bud_91

  • Malware Response Team

Posted 17 January 2014 - 07:02 PM

mistake


Edited by Bud_91, 17 January 2014 - 07:10 PM.



#13 Bud_91

  • Malware Response Team

Posted 17 January 2014 - 07:10 PM

Okay, you have the Pihar bootkit and the new Zekos malware, so this will take a few steps to fix.

 

First, download the attached fixlist.txt and save it in the same location as FRST on the flash drive. Boot the computer from the CD again, run FRST, but select "Fix" this time. Post the resulting fixlog.txt.

 

Then, type rpcss.dll into the search box in FRST and click "Search." Post the resulting search.txt log file.

 

Finally,

 

Please download Listparts (http://www.bleepingcomputer.com/download/listparts/dl/77/) and run it in the same way as FRST.

Run the tool, click Scan and post the log (Result.txt) it makes.




#14 annmarie1031


Posted 17 January 2014 - 09:54 PM

Here's all three logs.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 17-01-2014 02
Ran by SYSTEM at 2014-01-17 21:39:29 Run:1
Running from E:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
HKLM\...\Run: [GameServer511] - C:\Documents and Settings\cebler\Application Data\Adobe\WIN113.exe [176640 2014-01-06] ()
C:\Documents and Settings\cebler\Application Data\Adobe\WIN113.exe
Folder: C:\Documents and Settings\cebler\Application Data\Adobe
HKLM\...\Run: [Byryhucaimow] - C:\Documents and Settings\cebler\Application Data\Vegyubh\iwsiezv.exe [219757 2011-11-20] (BitMefender S.R.L.)
C:\Documents and Settings\cebler\Application Data\Vegyubh
HKLM\...\Run: [Zysuvixaemashia] - C:\Documents and Settings\cebler\Application Data\Actailc\becyy.exe [219757 2013-01-23] (BitMefender S.R.L.)
C:\Documents and Settings\cebler\Application Data\Actailc
HKLM\...\Run: [Vomacu] - C:\Documents and Settings\cebler\Application Data\Ipofogwy\vycyu.exe [219757 2011-07-07] (BitMefender S.R.L.)
C:\Documents and Settings\cebler\Application Data\Ipofogwy
HKU\cebler\...\Run: [Oqqics] - regsvr32.exe "C:\Documents and Settings\cebler\Local Settings\Application Data\Oqqics\canvasServ.dll" <===== ATTENTION
C:\Documents and Settings\cebler\Local Settings\Application Data\Oqqics
HKU\cebler\...\Run: [Byryhucaimow] - C:\Documents and Settings\cebler\Application Data\Vegyubh\iwsiezv.exe [ 2011-11-20] (BitMefender S.R.L.)
S2 SecurityCenterServer2201047575; C:\Documents and Settings\cebler\Application Data\Vegyubh\iwsiezv.exe [219757 2011-11-20] (BitMefender S.R.L.)
S2 SecurityCenterServer3781259674; C:\Documents and Settings\cebler\Application Data\Actailc\becyy.exe [219757 2013-01-23] (BitMefender S.R.L.)
S2 SecurityCenterServer4070236229; C:\Documents and Settings\cebler\Application Data\Ipofogwy\vycyu.exe [219757 2011-07-07] (BitMefender S.R.L.)
2014-01-06 13:47 - 2011-07-07 09:47 - 00219757 _____ (BitMefender S.R.L.) C:\Windows\System32\awsiorpyl.exe
2014-01-06 13:46 - 2013-01-23 05:42 - 00219757 _____ (BitMefender S.R.L.) C:\Windows\System32\royqc.exe
2014-01-06 13:44 - 2011-11-20 20:31 - 00219757 _____ (BitMefender S.R.L.) C:\Windows\System32\edsiihyp.exe
2014-01-03 13:50 - 2014-01-03 13:50 - 00028672 _____ C:\Windows\System32\lmjim.zeh
2014-01-03 13:40 - 2014-01-06 13:47 - 00000081 _____ C:\Windows\System32\kuts.tvf
2014-01-03 13:38 - 2014-01-03 13:50 - 00000099 _____ C:\Windows\System32\rgtv.qhi
2014-01-03 13:38 - 2014-01-03 13:38 - 00000064 _____ C:\Windows\System32\lmhe.wwy
2014-01-03 13:22 - 2014-01-03 13:22 - 00101213 ____S C:\Windows\System32\dpbfzxl.mfb
2014-01-04 12:06 - 2014-01-04 12:06 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\Oqqics

*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\GameServer511 => Value deleted successfully.
C:\Documents and Settings\cebler\Application Data\Adobe\WIN113.exe => Moved successfully.

========================= Folder: C:\Documents and Settings\cebler\Application Data\Adobe ========================


====== End of Folder: ======

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Byryhucaimow => Value deleted successfully.
C:\Documents and Settings\cebler\Application Data\Vegyubh => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Zysuvixaemashia => Value deleted successfully.
C:\Documents and Settings\cebler\Application Data\Actailc => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Vomacu => Value deleted successfully.
C:\Documents and Settings\cebler\Application Data\Ipofogwy => Moved successfully.
HKU\cebler\Software\Microsoft\Windows\CurrentVersion\Run\\Oqqics => Value deleted successfully.
C:\Documents and Settings\cebler\Local Settings\Application Data\Oqqics => Moved successfully.
HKU\cebler\Software\Microsoft\Windows\CurrentVersion\Run\\Byryhucaimow => Value deleted successfully.
SecurityCenterServer2201047575 => Service deleted successfully.
SecurityCenterServer3781259674 => Service deleted successfully.
SecurityCenterServer4070236229 => Service deleted successfully.
C:\Windows\System32\awsiorpyl.exe => Moved successfully.
C:\Windows\System32\royqc.exe => Moved successfully.
C:\Windows\System32\edsiihyp.exe => Moved successfully.
C:\Windows\System32\lmjim.zeh => Moved successfully.
C:\Windows\System32\kuts.tvf => Moved successfully.
C:\Windows\System32\rgtv.qhi => Moved successfully.
C:\Windows\System32\lmhe.wwy => Moved successfully.
C:\Windows\System32\dpbfzxl.mfb => Moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Oqqics => Moved successfully.

==== End of Fixlog ====

 

Farbar Recovery Scan Tool (x86) Version: 17-01-2014 02
Ran by SYSTEM at 2014-01-17 21:40:39
Running from E:\
Boot Mode: Recovery

================== Search: "rpcss.dll" ===================

C:\WINDOWS\system32\rpcss.dll
[2006-02-28 04:00] - [2009-02-09 04:10] - 0401408 ____A (Microsoft Corporation) 1551436dce4107a87c4149e4f697e38a

C:\WINDOWS\system32\dllcache\rpcss.dll
[2006-02-28 04:00] - [2009-02-09 04:10] - 0401408 ___AC (Microsoft Corporation) 358b6642980a737e48802286e2cfd072

C:\WINDOWS\$NtUninstallKB956572_0$\rpcss.dll
[2009-06-25 07:03] - [2005-07-25 20:39] - 0397824 ____C (Microsoft Corporation) ce94a2bd25e3e9f4d46a7373ff455c6d

C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll
[2010-07-13 15:51] - [2008-04-14 01:42] - 0399360 ____C (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[2009-06-25 06:01] - [2009-02-09 02:56] - 0401408 ____A (Microsoft Corporation) 9222562d44021b988b9f9f62207fb6f2

C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\rpcss.dll
[2009-06-25 06:01] - [2009-02-09 04:10] - 0401408 ____A (Microsoft Corporation) 6b27a5c03dfb94b4245739065431322c

C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\rpcss.dll
[2009-06-25 06:01] - [2009-02-09 02:01] - 0401408 ____A (Microsoft Corporation) 24b5d53b9accc1e2edcf0a878d6659d4

C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[2008-08-21 12:38] - [2005-07-25 20:20] - 0398336 ____A (Microsoft Corporation) c369df215d352b6f3a0b8c3469aa34f8

C:\WINDOWS\$hf_mig$\KB894391\SP2QFE\rpcss.dll
[2008-08-21 12:36] - [2005-04-28 11:35] - 0396288 ____A (Microsoft Corporation) da383fb39a6f1c445f3afc94b3eb1248

X:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll
[2009-07-13 15:45] - [2009-07-13 17:16] - 0376320 ____A (Microsoft Corporation) b82cd39e336973359d7c9bf911e8e84f

X:\Windows\System32\rpcss.dll
[2009-07-13 15:45] - [2009-07-13 17:16] - 0376320 ____A (Microsoft Corporation) b82cd39e336973359d7c9bf911e8e84f

=== End Of Search ===

 

ListParts by Farbar Version: 20-10-2013
Ran by SYSTEM (administrator) on 17-01-2014 at 21:49:05
Windows 7 (X86)
Running From: E:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 17%
Total physical RAM: 3932.27 MB
Available physical RAM: 3232.87 MB
Total Pagefile: 3930.54 MB
Available Pagefile: 3301.68 MB
Total Virtual: 2047.88 MB
Available Virtual: 1971.54 MB

======================= Partitions =========================

1 Drive c: (Disk C) (Fixed) (Total:111.79 GB) (Free:43.91 GB) NTFS
2 Drive d: (WIN_7_PROFESSIONAL) (CDROM) (Total:4.78 GB) (Free:0 GB) UDF
3 Drive e: () (Removable) (Total:0.12 GB) (Free:0.12 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          111 GB      0 B        
  Disk 1    Online          124 MB      0 B        

Partitions of Disk 0:
===============

Disk ID: 3A2F3A2E

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            111 GB  1024 KB

======================================================================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   Disk C       NTFS   Partition    111 GB  Healthy           

======================================================================================================

Partitions of Disk 1:
===============

Disk ID: 62F989A8

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            124 MB    16 KB

======================================================================================================

Disk: 1
Partition 1
Type  : 06
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     E                FAT    Removable    124 MB  Healthy           

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 3A2F3A2E
Partition 00: (Active) - (Size=0) - (Type=00 ATTENTION ===> 0 byte partition bootkit.
Partition 1: (Not Active) - (Size=112 GB) - (Type=07 NTFS)

==============================
Partitions of Disk 1:
===============
Disk ID: 62F989A8
Partition 1: (Active) - (Size=125 MB) - (Type=06)

****** End Of Log ******



#15 annmarie1031 (Topic Starter)

Posted 18 January 2014 - 11:00 AM

Good morning,

My anxious husband (lol) ran TDSSKiller from the DOS prompt. It found pinhar.c and something else. It cured them and when it rebooted, we got back Windows XP. For some reason we can't find the log, maybe because it was done from DOS and a Windows 7 CD? Everything seems fine now. Is there anything you would like me to do to make sure it is clean?





