
Police virus - need Help with a fixlist.txt for Farbar


  • This topic is locked
2 replies to this topic

#1 jj1990

jj1990

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:30 AM

Posted 15 April 2014 - 09:08 PM

Fixing my friend's laptop - need a bit of help creating the fixlist. Can't figure out how to do it myself. Some sort of variation on the Moneypak (RCMP) virus... Any help would be appreciated! Cannot boot it in either Safe Mode or normal mode.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-04-2014

Ran by SYSTEM on MININT-0OURLN1 on 15-04-2014 18:33:14
Running from F:\
Windows 7 Home Premium (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet002
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
 
ATTENTION!:=====> THE OPERATING SYSTEM IS A X64 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X86 SYSTEM DISK.
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2097960 2010-04-22] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-01-20] (IDT, Inc.)
HKLM\...\Run: [QuickSet] => C:\Program Files\Dell\QuickSet\QuickSet.exe [3216544 2010-06-09] (Dell Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [5470208 2009-12-16] (Dell Inc.)
HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [2327952 2010-07-21] (Microsoft Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$80948820d896dd88bc1b3760593e9f22\n. ATTENTION! ====> ZeroAccess?
HKU\Brad\...\Run: [msnmsgr] => C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [4280184 2012-03-08] (Microsoft Corporation)
HKU\Brad\...\Run: [Sidebar] => C:\Program Files (x86)\Windows Sidebar\sidebar.exe [1173504 2009-07-13] (Microsoft Corporation)
HKU\Brad\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [1631144 2013-03-29] (Valve Corporation)
HKU\Brad\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [18705664 2013-01-08] (Skype Technologies S.A.)
HKU\Brad\...\Run: [ctfmon.exe] => C:\PROGRA~3\rundll32.exe C:\PROGRA~3\hitt.dat,FG00 <===== ATTENTION
HKU\Default\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\Sidebar.exe [1475072 2009-07-13] (Microsoft Corporation)
HKU\Default User\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\Sidebar.exe [1475072 2009-07-13] (Microsoft Corporation)
Lsa: [Notification Packages] scecli FAPassSync
Startup: C:\Users\alyssa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Brad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Brad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk
ShortcutTarget: msconfig.lnk -> C:\ProgramData\hitt.dat ()
Startup: C:\Users\Brad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe (No File)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
 
========================== Services (Whitelisted) =================
 
S3 AdobeFlashPlayerUpdateSvc; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [253656 2013-03-13] (Adobe Systems Incorporated)
S2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
S2 CLKMSVC10_1628BCEA; C:\Program Files (x86)\CyberLink\PowerDVD DX\Kernel\BD\NavFilter\kmsvc.exe [240360 2011-03-01] (CyberLink)
S4 clr_optimization_v2.0.50727_64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [89920 2009-06-10] (Microsoft Corporation)
S2 clr_optimization_v4.0.30319_64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [138576 2010-03-18] (Microsoft Corporation)
S2 cvhsvc; C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [822624 2012-01-04] (Microsoft Corporation)
S2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2009-06-09] (Stardock Corporation)
S2 F-Secure Gatekeeper Handler Starter; C:\Program Files (x86)\Shaw Secure\Anti-Virus\fsgk32st.exe [215648 2009-08-05] (F-Secure Corporation)
S2 FAService; c:\Program Files (x86)\Sensible Vision\Fast Access\FAService.exe [2409800 2010-02-22] (Sensible Vision )
S3 FontCache3.0.0.0; C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [42840 2009-06-10] (Microsoft Corporation)
S3 FSDFWD; C:\Program Files (x86)\Shaw Secure\FWES\Program\fsdfwd.exe [844384 2011-02-17] (F-Secure Corporation)
S2 FSMA; C:\Program Files (x86)\Shaw Secure\Common\FSMA32.EXE [186976 2009-08-05] (F-Secure Corporation)
S3 FSORSPClient; C:\Program Files (x86)\Shaw Secure\ORSP Client\fsorsp.exe [63992 2011-02-17] (F-Secure Corporation)
S3 fsssvc; C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [1492840 2012-03-08] (Microsoft Corporation)
S3 GamesAppService; C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [206072 2010-10-12] (WildTangent, Inc.)
S2 IAStorDataMgrSvc; C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [13336 2010-03-03] (Intel Corporation)
S3 idsvc; C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe [856384 2009-06-10] (Microsoft Corporation)
S4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe [116560 2009-06-10] (Microsoft Corporation)
S3 ose; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [149352 2010-01-09] (Microsoft Corporation)
S3 PerfHost; C:\Windows\SysWow64\perfhost.exe [20992 2009-07-13] (Microsoft Corporation)
S2 SeaPort; C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [249136 2010-09-22] (Microsoft Corporation)
S2 sftlist; C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [508776 2011-10-01] (Microsoft Corporation)
S2 SftService; C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE [689472 2010-08-20] (SoftThinks SAS)
S3 sftvsa; C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [219496 2011-10-01] (Microsoft Corporation)
S2 SkypeUpdate; C:\Program Files (x86)\Skype\Updater\Updater.exe [161536 2013-01-08] (Skype Technologies)
S2 sprtsvc_DellSupportCenter; C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe [206064 2009-05-21] (SupportSoft, Inc.)
S2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\STacSV64.exe [244736 2010-01-20] (IDT, Inc.)
S3 Steam Client Service; C:\Program Files (x86)\Common Files\Steam\SteamService.exe [543656 2013-03-29] (Valve Corporation)
S2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [4950016 2009-12-16] (Dell Inc.)
S3 npggsvc; C:\Windows\system32\GameMon.des -service [X]
S2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [X]
S4 RoxLiveShare10; "C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" [X]
S2 SessionLauncher; C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [X]
 
==================== Drivers (Whitelisted) ====================
 
S3 amdkmdag; C:\Windows\System32\DRIVERS\atipmdag.sys [6233088 2010-01-21] (ATI Technologies Inc.)
S3 b06bdrv; C:\Windows\system32\DRIVERS\bxvbda.sys [468480 2009-06-10] (Broadcom Corporation)
S3 b57nd60a; C:\Windows\System32\DRIVERS\b57nd60a.sys [270848 2009-06-10] (Broadcom Corporation)
S3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [22520 2009-12-16] (Broadcom Corporation)
S3 BCM43XX; C:\Windows\System32\DRIVERS\bcmwl664.sys [3053560 2009-12-16] (Broadcom Corporation)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S4 F-Secure Filter; C:\Program Files (x86)\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys [39776 2009-08-05] ()
S3 F-Secure Gatekeeper; C:\Program Files (x86)\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [194728 2011-02-17] ()
S1 F-Secure HIPS; C:\Program Files (x86)\Shaw Secure\HIPS\drivers\fshs.sys [57920 2009-08-05] (F-Secure Corporation)
S4 F-Secure Recognizer; C:\Program Files (x86)\Shaw Secure\Anti-Virus\Win2K\FSrec.sys [25184 2009-08-05] ()
S3 FACAP; C:\Windows\System32\DRIVERS\facap.sys [238848 2008-09-24] (Sensible Vision )
S1 FSES; C:\Windows\System32\drivers\fses.sys [45624 2011-02-17] (F-Secure Corporation)
S1 FSFW; C:\Windows\System32\drivers\fsdfw.sys [94280 2011-02-17] (F-Secure Corporation)
S1 fsvista; C:\Program Files (x86)\Shaw Secure\Anti-Virus\minifilter\fsvista.sys [14904 2009-08-05] ()
S3 itecir; C:\Windows\System32\DRIVERS\itecir.sys [60416 2009-03-09] (ITE Tech. Inc. )
S3 k57nd60a; C:\Windows\System32\DRIVERS\k57nd60a.sys [321064 2009-11-19] (Broadcom Corporation)
S3 ksthunk; C:\Windows\system32\drivers\ksthunk.sys [20992 2009-07-13] (Microsoft Corporation)
S3 Point64; C:\Windows\System32\DRIVERS\point64.sys [45456 2010-07-21] (Microsoft Corporation)
S2 rimspci; C:\Windows\System32\DRIVERS\rimspe64.sys [60416 2009-07-01] (REDC)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
S2 risdpcie; C:\Windows\System32\DRIVERS\risdpe64.sys [80896 2009-07-01] (REDC)
S2 rixdpcie; C:\Windows\System32\DRIVERS\rixdpe64.sys [55808 2009-07-04] (REDC)
S3 STHDA; C:\Windows\System32\DRIVERS\stwrt64.sys [505856 2010-01-20] (IDT, Inc.)
S2 TurboB; C:\Windows\System32\DRIVERS\TurboB.sys [13784 2009-11-02] ()
S2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}; C:\Program Files (x86)\CyberLink\PowerDVD DX\000.fcl [146928 2009-12-29] (CyberLink Corp.)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-04-15 18:33 - 2014-04-15 18:33 - 00000000 ____D () C:\FRST
2014-04-15 17:10 - 2014-04-15 17:10 - 00000000 ____D () C:\Users\Brad\AppData\Local\{76B5929F-FA58-453F-8CB6-5FAB87EE169B}
 
==================== One Month Modified Files and Folders =======
 
2014-04-15 18:33 - 2014-04-15 18:33 - 00000000 ____D () C:\FRST
2014-04-15 17:17 - 2013-04-02 20:19 - 95023320 ____T () C:\ProgramData\ttih.pad
2014-04-15 17:17 - 2010-10-15 10:31 - 00000000 ____D () C:\Users\Brad\Tracing
2014-04-15 17:17 - 2009-07-13 20:51 - 00104962 _____ () C:\Windows\setupact.log
2014-04-15 17:11 - 2011-02-21 14:09 - 00000000 ____D () C:\Users\Brad\AppData\Roaming\Skype
2014-04-15 17:11 - 2010-10-21 21:33 - 00000000 ____D () C:\Users\Brad\AppData\Local\Windows Live
2014-04-15 17:10 - 2014-04-15 17:10 - 00000000 ____D () C:\Users\Brad\AppData\Local\{76B5929F-FA58-453F-8CB6-5FAB87EE169B}
 
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2430918288-738339497-1570114297-1000\$80948820d896dd88bc1b3760593e9f22
 
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$80948820d896dd88bc1b3760593e9f22
 
ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini
 
ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini
 
Files to move or delete:
====================
C:\ProgramData\coiwr.dat
C:\ProgramData\coorto.dat
C:\ProgramData\hash.dat
C:\ProgramData\hitt.dat
C:\ProgramData\nialto.dat
C:\ProgramData\rundll32.exe
C:\ProgramData\ttih.bat
C:\ProgramData\ttih.js
C:\ProgramData\ttih.pad
C:\ProgramData\ttih.reg
C:\Users\Brad\2724111.dll
C:\Users\Brad\3076608.dll
C:\Users\Brad\6667774.dll
C:\Users\Brad\8261390.dll
C:\Users\Brad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk
 
 
Some content of TEMP:
====================
C:\Users\Brad\AppData\Local\Temp\0.5799210575322084.exe
C:\Users\Brad\AppData\Local\Temp\2jfuweif.exe
C:\Users\Brad\AppData\Local\Temp\3BE7.exe
C:\Users\Brad\AppData\Local\Temp\7E53.exe
C:\Users\Brad\AppData\Local\Temp\burnsetup.exe
C:\Users\Brad\AppData\Local\Temp\C6E.exe
C:\Users\Brad\AppData\Local\Temp\detectionapi_rd.dll
C:\Users\Brad\AppData\Local\Temp\detectionui_r.exe
C:\Users\Brad\AppData\Local\Temp\directx9tests_rd.dll
C:\Users\Brad\AppData\Local\Temp\DivXInstaller.exe
C:\Users\Brad\AppData\Local\Temp\DivXSetup.exe
C:\Users\Brad\AppData\Local\Temp\doxillionsetup.exe
C:\Users\Brad\AppData\Local\Temp\farmanager.exe
C:\Users\Brad\AppData\Local\Temp\fsprod.dll
C:\Users\Brad\AppData\Local\Temp\fssfm.dll
C:\Users\Brad\AppData\Local\Temp\generka.exe
C:\Users\Brad\AppData\Local\Temp\GLFAC4C.tmp.ConduitEngineSetup.exe
C:\Users\Brad\AppData\Local\Temp\installerdll4569908.dll
C:\Users\Brad\AppData\Local\Temp\installerdll4583668.dll
C:\Users\Brad\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Brad\AppData\Local\Temp\install_flashplayer11x32au_gtba_chra_dy_aih.exe
C:\Users\Brad\AppData\Local\Temp\IPx64_1033.exe
C:\Users\Brad\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Users\Brad\AppData\Local\Temp\jre-6u23-windows-i586-iftw-rv.exe
C:\Users\Brad\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Users\Brad\AppData\Local\Temp\local.dll
C:\Users\Brad\AppData\Local\Temp\mfc80.dll
C:\Users\Brad\AppData\Local\Temp\mfc80u.dll
C:\Users\Brad\AppData\Local\Temp\mpsetup.exe
C:\Users\Brad\AppData\Local\Temp\msvcp80.dll
C:\Users\Brad\AppData\Local\Temp\msvcr80.dll
C:\Users\Brad\AppData\Local\Temp\preconfig.exe
C:\Users\Brad\AppData\Local\Temp\prismsetup.exe
C:\Users\Brad\AppData\Local\Temp\ripsetup.exe
C:\Users\Brad\AppData\Local\Temp\rootsupd.exe
C:\Users\Brad\AppData\Local\Temp\Setup.exe
C:\Users\Brad\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Brad\AppData\Local\Temp\tbNCH.dll
C:\Users\Brad\AppData\Local\Temp\uninst.exe
C:\Users\Brad\AppData\Local\Temp\vcredist_x64.exe
C:\Users\Brad\AppData\Local\Temp\vcredist_x86.exe
C:\Users\Brad\AppData\Local\Temp\_is1332.exe
C:\Users\Brad\AppData\Local\Temp\_is160F.exe
C:\Users\Brad\AppData\Local\Temp\_is25F7.exe
C:\Users\Brad\AppData\Local\Temp\_is4FF3.exe
 
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe
[2011-04-26 14:29] - [2011-02-25 22:23] - 2870272 ____A (Microsoft Corporation) 0862495E0C825893DB75EF44FAEA8E93
 
C:\Windows\System32\winlogon.exe
[2010-10-06 11:04] - [2010-10-06 11:04] - 0389632 ____A (Microsoft Corporation) DA3E2A6FA9660CC75B471530CE88453A
 
C:\Windows\System32\wininit.exe
[2009-07-13 15:52] - [2009-07-13 17:39] - 0129024 ____A (Microsoft Corporation) 94355C28C1970635A31B3FE52EB7CEBA
 
C:\Windows\System32\svchost.exe
[2009-07-13 15:31] - [2009-07-13 17:39] - 0027136 ____A (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D
 
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
 
C:\Windows\System32\User32.dll
[2009-07-13 15:38] - [2009-07-13 17:41] - 1008640 ____A (Microsoft Corporation) 72D7B3EA16946E8F0CF7458150031CC6
 
C:\Windows\System32\userinit.exe
[2009-07-13 15:50] - [2009-07-13 17:39] - 0030208 ____A (Microsoft Corporation) 6F8F1376A13114CC10C0E69274F5A4DE
 
C:\Windows\System32\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027
 
 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys
[2012-12-11 22:08] - [2012-09-06 09:38] - 0295792 ____A (Microsoft Corporation) 9E425AC5C9A5A973273D169F43B4F5E1
 
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-03-19 17:43:08
Restore point made on: 2013-03-23 10:28:28
Restore point made on: 2013-03-23 10:54:38
Restore point made on: 2013-03-27 14:48:17
 
==================== Memory info =========================== 
 
Percentage of memory in use: 7%
Total physical RAM: 8180.5 MB
Available physical RAM: 7581.64 MB
Total Pagefile: 8178.78 MB
Available Pagefile: 7592.41 MB
Total Virtual: 2047.88 MB
Available Virtual: 1947.67 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:448.14 GB) (Free:260.92 GB) NTFS
Drive e: (GRMCHPFRER_EN_DVD) (CDROM) (Total:2.33 GB) (Free:0 GB) UDF
Drive f: (Lexar) (Removable) (Total:29.8 GB) (Free:6.2 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:17.58 GB) (Free:10.03 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: 78DBB486)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=18 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=448 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 30 GB) (Disk ID: C3072E18)
 
Partition: GPT Partition Type.
 
 
LastRegBack: 2013-03-27 19:56
 
==================== End Of Log ============================
[attachment=149368:FRST.txt]

Edited by jj1990, 15 April 2014 - 09:20 PM.




#2 Jo*

Jo*

  • Malware Response Team
  • 3,445 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:09:30 AM

Posted 16 April 2014 - 06:19 AM


Hello jj1990,

My name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Logs can take a while to research, so please be patient.
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save the instructions.
  • Back up all your private data / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic until you get the "all clean" post.
  • My first language is not English, so please do not use slang or idioms; they could be hard for me to read. Thanks for your understanding.

***


Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad.
Save it in the same location as FRST / FRST64 (running from F:\ => save it on the flash drive) as fixlist.txt.

 
start
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$80948820d896dd88bc1b3760593e9f22\n. ATTENTION! ====> ZeroAccess?
HKU\Brad\...\Run: [ctfmon.exe] => C:\PROGRA~3\rundll32.exe C:\PROGRA~3\hitt.dat,FG00 <===== ATTENTION
C:\$Recycle.Bin\S-1-5-21-2430918288-738339497-1570114297-1000\$80948820d896dd88bc1b3760593e9f22
C:\$Recycle.Bin\S-1-5-18\$80948820d896dd88bc1b3760593e9f22
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\ProgramData\coiwr.dat
C:\ProgramData\coorto.dat
C:\ProgramData\hash.dat
C:\ProgramData\hitt.dat
C:\ProgramData\nialto.dat
C:\ProgramData\rundll32.exe
C:\ProgramData\ttih.bat
C:\ProgramData\ttih.js
C:\ProgramData\ttih.pad
C:\ProgramData\ttih.reg
C:\Users\Brad\2724111.dll
C:\Users\Brad\3076608.dll
C:\Users\Brad\6667774.dll
C:\Users\Brad\8261390.dll
C:\Users\Brad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk
C:\Users\Brad\AppData\Local\Temp\GLFAC4C.tmp.ConduitEngineSetup.exe
end


NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


Run FRST / FRST64 again like we did before, but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.


Can you boot the pc now in normal mode?

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.
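A small helper, added here and not part of Jo's reply or of FRST itself, that reads an FRST log in the layout posted above and pulls out the same entries Jo copied into the fixlist: registry lines FRST tagged with ATTENTION, the paths under the ZeroAccess markers, and the "Files to move or delete" block. The log excerpt is a constructed sample built from lines in this thread, and the selection rules (which hives count, that a blank line ends a path block) are my assumption, so the output is a draft for a helper to review rather than a finished fixlist.

```python
import re

# Constructed excerpt in the FRST log layout posted above (not the full log);
# the entries are the ones visible in that log.
SAMPLE_LOG = r"""ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2097960 2010-04-22] (Synaptics Incorporated)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$80948820d896dd88bc1b3760593e9f22\n. ATTENTION! ====> ZeroAccess?
HKU\Brad\...\Run: [ctfmon.exe] => C:\PROGRA~3\rundll32.exe C:\PROGRA~3\hitt.dat,FG00 <===== ATTENTION

==================== One Month Modified Files and Folders =======

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$80948820d896dd88bc1b3760593e9f22

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

Files to move or delete:
====================
C:\ProgramData\hitt.dat
C:\ProgramData\rundll32.exe

Some content of TEMP:
====================
C:\Users\Brad\AppData\Local\Temp\SkypeSetup.exe
"""

SECTION_RE = re.compile(r"^=+ .+ =+$")        # e.g. "==== Registry (Whitelisted) ===="
REG_PREFIXES = ("HKLM\\", "HKU\\", "HKCU\\")  # assumption: flagged entries live in these hives


def extract_fixlist_entries(log_text):
    """Return (flagged, paths): registry lines FRST itself tagged ATTENTION
    (kept verbatim, as the reply above does), and every path under a
    'ZeroAccess:' marker or in the 'Files to move or delete' block.
    Whitelisted entries and the TEMP inventory are left for a human."""
    flagged, paths = [], []
    collecting = False  # True while inside a ZeroAccess / Files-to-delete block
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or SECTION_RE.match(line) or line.startswith("Some content of TEMP"):
            collecting = False  # a blank line or a new section ends a path block
            continue
        if line in ("ZeroAccess:", "Files to move or delete:"):
            collecting = True
            continue
        if set(line) == {"="}:  # the ruler printed under "Files to move or delete:"
            continue
        if collecting:
            paths.append(line)
        elif line.startswith(REG_PREFIXES) and "ATTENTION" in line:
            flagged.append(line)
    return flagged, paths


def build_fixlist(log_text):
    """Assemble the start/end-delimited fixlist.txt body: flagged registry
    lines first, then file paths, duplicates dropped."""
    flagged, paths = extract_fixlist_entries(log_text)
    body, seen = [], set()
    for entry in flagged + paths:
        if entry not in seen:
            seen.add(entry)
            body.append(entry)
    return "start\n" + "\n".join(body) + "\nend\n"
```

Running `build_fixlist(SAMPLE_LOG)` on the sample yields the two ATTENTION registry lines and the four paths between `start` and `end`, and leaves the whitelisted Synaptics entry and the TEMP inventory out.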


#3 Jo*

Jo*

  • Malware Response Team
  • 3,445 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:09:30 AM

Posted 20 April 2014 - 03:44 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.