
Fell for the phone scam Ammyy computer stuck in Windows error recovery


  • This topic is locked
59 replies to this topic

#1 jamiespull


  • Members

Posted 24 January 2014 - 03:01 PM

My husband fell for the phone call that our Windows certificates were expired. He followed the prompts of the caller, which gave the caller control of the computer. He got all the way to the costs before my husband realized something was amiss. Needless to say, when I got home there were open files on my computer to prove the caller's point. I used AVG to search for malware. It found 3 items and destroyed them. I used Windows Defender and it found nothing. I then found 3 files in my download folder and attempted to delete them; one would not delete, the Ammyy-(1) (I may not have that correct). So I scanned it 3 times with AVG and it was not infected. I asked a friend how to remove the file and they suggested I do it in safe mode. I went to safe mode and have been stuck in this Start-up repair. Start-up repair cannot determine the cause of the problem. I am running Windows 7 (professional?). I don't have any disks, but I can attempt to get them from work if necessary. Any help you can lend I appreciate. I really don't want to lose my photos.




#2 polskamachina


  • Malware Response Team

Posted 29 January 2014 - 12:26 PM

Hi jamiespull :)

 

My name is polskamachina and I will be assisting you with your malware problem. It sounds like you are unable to boot into normal mode, is that correct? Or do you get stuck in Start-up repair only when you boot into that mode?

 

polskamachina


Member of the Bleeping Computer A.I.I. early response team!

#3 jamiespull

  • Topic Starter


Posted 29 January 2014 - 12:28 PM

You are correct. I cannot boot in normal mode.

#4 polskamachina


  • Malware Response Team

Posted 30 January 2014 - 11:35 AM

Hi jamiespull :)

I would like to officially welcome you to Bleeping Computer. What follows below are some ground rules for this forum.

I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know.

I am in California at GMT-8 Hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.

Some points for you to keep in mind:

  • Do NOT run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
  • NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
  • NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. Please remember to copy the entire post so you do not miss any instructions.

----------------------------------------------------------------------------------------------------------------------

Let's get started!

 

Since you can only boot to the recovery console, we will run a diagnostic tool to generate a report about your computer's status. You will need a working, malware-free computer and a flash drive to assist you with this. Please read through the entire instructions below before beginning the process.

  • On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to download and run the version compatible with your system. If you are not sure if you have the 32-bit or 64-bit version of Windows 7, download both versions of the Farbar Recovery Scan Tool. Only one will run and that's how you will know which version of Windows you have installed.

    Plug the flash drive into the infected PC.
  • If you are using Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html
  • To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:

    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt


    Select Command Prompt
  • Once in the Command Prompt:
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Let me know if you have any questions. By the way, now would be a good time to copy your irreplaceable photos from your computer to a flash drive and then put the flash drive in a safe place.

polskamachina



#5 jamiespull

  • Topic Starter


Posted 30 January 2014 - 11:25 PM

Hi Polskamachina,

Thank you for your help. I have attempted both processes with no success. I first downloaded the Farbar Recovery Tool. I used F8 to enter Advanced Boot Options and selected Repair your computer. I then selected US as the keyboard language. It would then go into an auto recovery and did not allow me to select the operating system I wanted to repair. I could select the auto recover, restart, or shutdown.

 

I then made a system recovery disk. After several attempts I got it to start. I was allowed to select the keyboard language, then it comes to System Recovery Options. When I attempt to select Windows 7 an error comes up that says: "This version of System Recovery Options is not compatible with the version of Windows you are trying to repair. Try using a recovery disc that is compatible with this version of Windows."

 

In the window where you select the operating system it shows the operating system on (E:) Local Disk. Is that where it should be? Or does that even matter? FYI, there is also the option to Load Drivers.

 

Please let me know what I should do next. Thanks again.



#6 polskamachina


  • Malware Response Team

Posted 31 January 2014 - 02:06 PM

Hi jamiespull :)

 

Sorry to hear you had trouble getting through my instructions. At any point was there an option for "Repair your computer", as shown in Figure 3 of this tutorial? Also, how did you make the system recovery disk?

 

polskamachina



#7 jamiespull

  • Topic Starter


Posted 31 January 2014 - 02:27 PM

I did not get Repair your computer. I made the recovery disk from another computer following the directions on the website. Using a clean computer I used a CD and went to Start and searched for what the instructions said, which created the disk. Should I try again?

#8 polskamachina


  • Malware Response Team

Posted 31 January 2014 - 03:17 PM

Hi jamiespull :)

 

I think what is happening is that the recovery disk you made was from a different version of Windows 7. For example, if you have the Professional version installed on your system and you used a computer which has the Home Premium version installed to make the recovery disk, it might not work correctly. I'm going to consult with some other techs here and get back to you.

 

polskamachina



#9 polskamachina


  • Malware Response Team

Posted 01 February 2014 - 12:15 PM

Hi jamiespull :)

 

Perhaps the easiest way to identify your version of Windows is to look for a sticker on your computer (usually inconspicuously placed) which should have a Microsoft serial # as well as the version number. Also, if you have any documentation that came with the computer that might also identify the version.

 

Let me know what you were able to find out.

 

polskamachina



#10 jamiespull

  • Topic Starter


Posted 01 February 2014 - 06:47 PM

The sticker shows Windows 7 Home Edition Prem OA.

 

I made the disk from a Windows 7 Professional edition computer.

 

I know someone with a Windows 7 Home original disk; I will try and get it. If you have any other way for me to get it, let me know.

Thanks!



#11 polskamachina


  • Malware Response Team

Posted 02 February 2014 - 12:18 PM

Hi jamiespull :)

 

This link should provide you with some information regarding your situation. You can download the ISO for your version of Windows. With that ISO file, you can burn your own Windows 7 disk. The OA indicates Windows came preinstalled with your computer. However, you still need to know if you have the 32-bit or 64-bit version. It may be helpful to call the manufacturer and see if they can identify it for you, or go to their website and type in the serial number of your machine. That should give you all the specifics.

 

Let me know if you have any questions.

 

polskamachina



#12 jamiespull

  • Topic Starter


Posted 03 February 2014 - 10:41 PM

Called Lenovo and found out I have a 64-bit. I am in the process of downloading the disk from the link you provided. I will update you when I have done more.

Thanks



#13 jamiespull

  • Topic Starter


Posted 06 February 2014 - 08:25 PM

After much trial and error, here is the file. Please send me information on how to get to my picture files.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-02-2014
Ran by SYSTEM on MININT-IJSJIVM on 06-02-2014 19:20:30
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet002
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11697768 2010-12-13] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2538280 2010-12-22] (Synaptics Incorporated)
HKLM\...\Run: [IntelWireless] - C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1933584 2010-11-02] (Intel® Corporation)
HKLM\...\Run: [Lenovo EE Boot Optimizer] - C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe [114688 2011-06-03] (Lenovo)
HKLM\...\Run: [OnekeyStudio] - C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe [789920 2011-06-03] (Lenovo)
HKLM\...\Run: [UpdatePRCShortCut] - C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe [222504 2009-05-13] (CyberLink Corp.)
HKLM\...\Run: [Energy Management] - C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [9769888 2011-06-03] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] - C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [5908928 2011-06-03] (Lenovo(beijing) Limited)
HKLM\...\Run: [Logitech Download Assistant] - C:\Windows\System32\LogiLDA.dll [1832760 2012-09-20] (Logitech, Inc.)
HKLM-x32\...\Run: [332BigDog] - C:\Program Files (x86)\USB Camera2\VM332_STI.EXE [536576 2010-01-19] (Vimicro)
HKLM-x32\...\Run: [YouCam Mirage] - C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe [136488 2010-12-04] (CyberLink)
HKLM-x32\...\Run: [YouCam Tray] - C:\Program Files (x86)\Lenovo\YouCam\YouCam.exe [224352 2010-12-04] (CyberLink Corp.)
HKLM-x32\...\Run: [VeriFaceManager] - C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe [329056 2011-06-03] (Lenovo)
HKLM-x32\...\Run: [UpdateP2GShortCut] - C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2010-07-26] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePRCShortCut] - C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe [222504 2009-05-13] (CyberLink Corp.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [Microsoft Default Manager] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [288080 2009-07-17] (Microsoft Corporation)
HKLM-x32\...\Run: [ArcSoft Connection Service] - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [X]
HKLM-x32\...\Run: [AVG_UI] - C:\Program Files (x86)\AVG\AVG2013\avgui.exe [4411952 2013-11-19] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [OtShot] - C:\Program Files (x86)\OtShot\otshot.exe -minimize
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-11-01] (Apple Inc.)
HKLM-x32\...\Run: [TkBellExe] - c:\program files (x86)\real\realplayer\Update\realsched.exe [295512 2013-12-08] (RealNetworks, Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\Jamie\...\Run: [ooVoo.exe] - C:\program files (x86)\oovoo\oovoo.exe [27040888 2012-08-20] (ooVoo LLC)
HKU\Jamie\...\RunOnce: [FlashPlayerUpdate] - C:\windows\system32\Macromed\Flash\FlashUtil64_11_9_900_170_ActiveX.exe [531336 2013-12-10] (Adobe Systems Incorporated)
Startup: C:\Users\Jamie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hpqtra08.exe (Hewlett-Packard Co.)

==================== Services (Whitelisted) =================

S2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4939312 2013-07-04] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-11-19] (AVG Technologies CZ, s.r.o.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-11-02] ()
S2 Oasis2Service; C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe [46080 2010-12-22] ()
S2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
S2 RtLedService; C:\Program Files\Realtek\RtLED\RtLEDService.exe [311296 2010-09-30] (Realtek Semiconductor Corp.)

==================== Drivers (Whitelisted) ====================

S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-11-24] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-07-19] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206648 2013-07-19] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311608 2013-07-19] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-06-30] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-10-22] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2013-03-21] (AVG Technologies CZ, s.r.o.)
S2 CLKMSVC10_3A60B698;
S2 CLKMSVC10_C3B3B687;
S2 DriverService;
S2 IAStorDataMgrSvc;
S2 idealife Update Service;
S3 IGRS;
S2 IviRegMgr;
S2 nvUpdatusService;
S2 PCCarerServic;
S2 ReadyComm.DirectRouter;
S2 RichVideo;
S2 SoftwareService;
S2 Stereo Service;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-02-06 19:20 - 2014-02-06 19:20 - 00000000 ____D () C:\FRST
2014-01-23 07:39 - 2014-01-23 17:25 - 00000283 _____ () C:\Users\Jamie\Downloads\AA_v3 (1).log
2014-01-22 10:27 - 2014-01-22 10:27 - 00000000 ____D () C:\ProgramData\AMMYY
2014-01-22 10:26 - 2014-01-22 10:26 - 00743704 _____ () C:\Users\Jamie\Desktop\AA_v3 (1).exe
2014-01-15 12:35 - 2013-11-26 17:41 - 00343040 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbhub.sys
2014-01-15 12:35 - 2013-11-26 17:41 - 00325120 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbport.sys
2014-01-15 12:35 - 2013-11-26 17:41 - 00099840 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbccgp.sys
2014-01-15 12:35 - 2013-11-26 17:41 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbehci.sys
2014-01-15 12:35 - 2013-11-26 17:41 - 00030720 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbuhci.sys
2014-01-15 12:35 - 2013-11-26 17:41 - 00025600 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbohci.sys
2014-01-15 12:35 - 2013-11-26 17:41 - 00007808 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbd.sys
2014-01-15 12:35 - 2013-11-26 03:40 - 00376768 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2014-01-15 12:35 - 2013-11-26 02:32 - 03156480 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys

==================== One Month Modified Files and Folders =======

2014-02-06 19:20 - 2014-02-06 19:20 - 00000000 ____D () C:\FRST
2014-02-06 16:59 - 2011-06-03 05:57 - 00282713 _____ () C:\Windows\System32\fastboot.set
2014-01-23 17:35 - 2011-06-03 05:55 - 01057065 _____ () C:\FaceProv.log
2014-01-23 17:35 - 2011-06-03 05:18 - 01819807 _____ () C:\Windows\WindowsUpdate.log
2014-01-23 17:29 - 2011-11-06 16:47 - 00000000 ____D () C:\ProgramData\MFAData
2014-01-23 17:28 - 2011-09-04 14:03 - 00003926 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{8FA11499-80F1-492D-950F-FF5653D2BB96}
2014-01-23 17:27 - 2011-06-03 05:54 - 00000000 ____D () C:\ProgramData\VeriFace
2014-01-23 17:25 - 2014-01-23 07:39 - 00000283 _____ () C:\Users\Jamie\Downloads\AA_v3 (1).log
2014-01-23 17:25 - 2012-01-02 17:31 - 00000324 _____ () C:\Windows\Tasks\HP Photo Creations Communicator.job
2014-01-23 17:25 - 2011-06-03 06:03 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-23 17:25 - 2011-06-03 06:03 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-22 16:12 - 2009-07-13 20:45 - 00021280 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-22 16:12 - 2009-07-13 20:45 - 00021280 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-22 10:27 - 2014-01-22 10:27 - 00000000 ____D () C:\ProgramData\AMMYY
2014-01-22 10:26 - 2014-01-22 10:26 - 00743704 _____ () C:\Users\Jamie\Desktop\AA_v3 (1).exe
2014-01-21 18:07 - 2009-07-13 20:51 - 00061622 _____ () C:\Windows\setupact.log
2014-01-18 16:16 - 2013-10-09 06:23 - 00003340 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-3955961150-1361679008-2258829009-1000
2014-01-18 16:16 - 2013-10-09 06:23 - 00003206 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-3955961150-1361679008-2258829009-1000
2014-01-16 16:51 - 2009-07-13 21:13 - 00726444 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-01-16 16:45 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-01-16 16:45 - 2009-07-13 20:45 - 00428512 _____ () C:\Windows\System32\FNTCACHE.DAT
2014-01-16 16:27 - 2013-03-31 19:40 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-01-16 16:27 - 2011-09-08 11:43 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-01-16 16:27 - 2011-06-03 06:03 - 00002183 _____ () C:\Users\Public\Desktop\Internet Browser.lnk
2014-01-16 16:26 - 2013-08-12 07:20 - 00000000 ____D () C:\Windows\System32\MRT
2014-01-11 10:23 - 2012-02-24 17:55 - 00000400 _____ () C:\Windows\Tasks\EasyShare Registration Task.job
2014-01-09 16:46 - 2011-09-04 13:28 - 00002255 _____ () C:\Users\Jamie\Desktop\OneKey Recovery.lnk

Some content of TEMP:
====================
C:\Users\Jamie\AppData\Local\Temp\.exe
C:\Users\Jamie\AppData\Local\Temp\535C.exe
C:\Users\Jamie\AppData\Local\Temp\7.2.25.1-EasyShrx.Dll
C:\Users\Jamie\AppData\Local\Temp\761B.exe
C:\Users\Jamie\AppData\Local\Temp\8.2.30.1-EasyShrx.Dll
C:\Users\Jamie\AppData\Local\Temp\8.3.20.1-EasyShrx.Dll
C:\Users\Jamie\AppData\Local\Temp\business.exe
C:\Users\Jamie\AppData\Local\Temp\conduitinstaller.exe
C:\Users\Jamie\AppData\Local\Temp\FC98.exe
C:\Users\Jamie\AppData\Local\Temp\HotShot_installerNewNoStartUp.exe
C:\Users\Jamie\AppData\Local\Temp\HPPSdr.exe
C:\Users\Jamie\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Users\Jamie\AppData\Local\Temp\jre-6u32-windows-i586-iftw.exe
C:\Users\Jamie\AppData\Local\Temp\jre-6u35-windows-i586-iftw.exe
C:\Users\Jamie\AppData\Local\Temp\jre-6u39-windows-i586-iftw.exe
C:\Users\Jamie\AppData\Local\Temp\lowproc.exe
C:\Users\Jamie\AppData\Local\Temp\nsb6E7E.exe
C:\Users\Jamie\AppData\Local\Temp\nsb966B.exe
C:\Users\Jamie\AppData\Local\Temp\nsr17F6.exe
C:\Users\Jamie\AppData\Local\Temp\nsw218A.exe
C:\Users\Jamie\AppData\Local\Temp\nsy47DD.exe
C:\Users\Jamie\AppData\Local\Temp\oi_{7E345D66-2FDC-4D9B-BC00-A644BD6B49B9}.exe
C:\Users\Jamie\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Jamie\AppData\Local\Temp\SPStub.exe
C:\Users\Jamie\AppData\Local\Temp\stubhelper.dll
C:\Users\Jamie\AppData\Local\Temp\tbKeyB.dll
C:\Users\Jamie\AppData\Local\Temp\ToolbarHelper.exe
C:\Users\Jamie\AppData\Local\Temp\UNINSTALL.EXE
C:\Users\Jamie\AppData\Local\Temp\VistaLib64_1.dll

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2014-01-06 16:20:10
Restore point made on: 2014-01-13 17:34:07
Restore point made on: 2014-01-16 16:02:41

==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 4010.17 MB
Available physical RAM: 3359.26 MB
Total Pagefile: 4008.37 MB
Available Pagefile: 3363.97 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:654.69 GB) (Free:576.01 GB) NTFS
Drive d: (LENOVO) (Fixed) (Total:29 GB) (Free:26.43 GB) NTFS
Drive f: (GSP1RMCHPXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
Drive g: (Lexar) (Removable) (Total:3.73 GB) (Free:3.68 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: () (Fixed) (Total:0.2 GB) (Free:0.15 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 699 GB) (Disk ID: E6E1E10E)
Partition 1: (Active) - (Size=200 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=655 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=29 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=15 GB) - (Type=12)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 4 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=4 GB) - (Type=0C)

LastRegBack: 2014-01-19 12:33

==================== End Of Log ============================
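Reading the log above the way a helper would: as an added example that is not part of this thread or of FRST itself, here is a small Python triage script run over a constructed excerpt in the same FRST.txt format. It flags the patterns visible in the posted log (the AMMYY files created on the day of the call, the empty HKLM-x32 Run entry, Temp executables with blank or random hex names) and pulls out the LastRegBack timestamp, which is the registry backup a FRST fixlist can roll back to. The heuristics and the sample excerpt are my own assumptions, not FRST's own rules.

```python
import re

# Constructed excerpt in the FRST.txt format posted in this thread (not the full log).
SAMPLE_LOG = """\
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-02-2014

==================== Registry (Whitelisted) ==================

HKLM-x32\\...\\Run: [] - [X]
HKLM-x32\\...\\Run: [AVG_UI] - C:\\Program Files (x86)\\AVG\\AVG2013\\avgui.exe [4411952 2013-11-19] (AVG Technologies CZ, s.r.o.)
HKLM-x32\\...\\Run: [OtShot] - C:\\Program Files (x86)\\OtShot\\otshot.exe -minimize

==================== One Month Created Files and Folders ========

2014-01-22 10:27 - 2014-01-22 10:27 - 00000000 ____D () C:\\ProgramData\\AMMYY
2014-01-22 10:26 - 2014-01-22 10:26 - 00743704 _____ () C:\\Users\\Jamie\\Desktop\\AA_v3 (1).exe
2014-01-15 12:35 - 2013-11-26 17:41 - 00343040 _____ (Microsoft Corporation) C:\\Windows\\System32\\Drivers\\usbhub.sys

Some content of TEMP:
====================
C:\\Users\\Jamie\\AppData\\Local\\Temp\\.exe
C:\\Users\\Jamie\\AppData\\Local\\Temp\\535C.exe
C:\\Users\\Jamie\\AppData\\Local\\Temp\\SkypeSetup.exe

LastRegBack: 2014-01-19 12:33

==================== End Of Log ============================
"""

HEADER_RE = re.compile(r"^=+ (.+?) =+$")      # "==== Registry (Whitelisted) ===="
RUN_RE = re.compile(r"^(HK\S*)\\\.\.\.\\(Run|RunOnce): \[(.*?)\] - (.*)$")
CREATED_RE = re.compile(r"^(\S+ \S+) - (\S+ \S+) - (\d+) (\S+) \((.*?)\) (.*)$")
VERINFO_RE = re.compile(r"\[\d+ \d{4}-\d{2}-\d{2}\] \(.+\)$")   # "[size date] (Company)"
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{4,8}\.exe$")           # e.g. 535C.exe (assumed heuristic)


def split_sections(text):
    """Group non-empty lines under the '==== Name ====' or 'Name:' header above them."""
    sections, current = {}, "Header"
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1).strip()
        elif line.endswith(":") and " " in line and not line.startswith(("HK", "C:")):
            current = line[:-1]                  # "Some content of TEMP:" style header
        elif line.strip() and set(line.strip()) != {"="}:
            sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Return findings for the patterns that stood out in this thread's log."""
    s = split_sections(text)
    findings = []
    for line in s.get("Registry (Whitelisted)", []):
        m = RUN_RE.match(line)
        if not m:
            continue
        name, target = m.group(3), m.group(4)
        if not name or target.startswith("[X]"):
            findings.append(f"empty/broken autorun entry: {line}")
        elif not VERINFO_RE.search(target):
            findings.append(f"autorun without size/date/company info: {name} -> {target}")
    for line in s.get("One Month Created Files and Folders", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        company, path = m.group(5), m.group(6)
        low = path.lower()
        if not company and (low.endswith(".exe") or "\\programdata\\" in low):
            findings.append(f"recently created, no company info: {path}")
    for path in s.get("Some content of TEMP", []):
        base = path.rsplit("\\", 1)[-1]
        if base.lower() == ".exe" or HEX_NAME_RE.match(base):
            findings.append(f"dropper-style temp name: {path}")
    return findings


def last_regback(text):
    """Timestamp of the registry backup FRST found; the state a fixlist can roll back to."""
    m = re.search(r"^LastRegBack: (.+)$", text, re.M)
    return m.group(1).strip() if m else ""


def fixlist_for_regback(text):
    """The single fixlist.txt line that asks FRST to restore that registry backup."""
    ts = last_regback(text)
    return f"LastRegBack: {ts}" if ts else ""
```

Running `triage(SAMPLE_LOG)` lists six findings; the same script applied to the full posted log would also pick up the other blank and hex-named Temp executables it shows.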



#14 jamiespull

  • Topic Starter


Posted 06 February 2014 - 10:03 PM

I figured out how to download pics, no need to send that info. Thanks!



#15 polskamachina


  • Malware Response Team

Posted 08 February 2014 - 12:22 PM

Hi jamiespull :)
 
Let's try and roll back your system to the last working state.
 
Open Notepad. Please copy the contents of the box below. To do this, highlight the contents of the box, right click on it and select Copy. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt. (Please remember, in order for the fix to work, the FRST64 exe file has to be in the same folder/location as fixlist.txt.)
 

LastRegBack: 2014-01-19 12:33

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will generate a log on the flash drive (Fixlog.txt); please post it in your reply.
 
Now try and reboot your computer into normal mode.
 
Let me know if you have any questions. How is your computer working now?
 
polskamachina





