
Request help creating fixlist.txt for use with FRST64


  • This topic is locked
10 replies to this topic

#1 NK10

  • Members
  • 7 posts

Posted 16 December 2014 - 07:13 PM

by SYSTEM on MININT-4DLVSJK on 13-12-2014 19:16:46
Running from G:\
Platform: Windows 7 Ultimate (X64) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Recovery
The current controlset is ControlSet003
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2464072 2014-11-06] (NVIDIA Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291648 2012-05-20] (Intel Corporation)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\User\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\User\...\Run: [GoogleChromeAutoLaunch_BCEA24321E5E4F1401136BBEDFB545FE] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [854344 2014-10-21] (Google Inc.)
HKU\User\...\Run: [IDMan] => C:\Program Files (x86)\Internet Download Manager\IDMan.exe [3821136 2013-10-26] (Tonec Inc.)
HKU\User\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
==================== Services (Whitelisted) =================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-10-03] (AVAST Software)
S2 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [393032 2013-08-06] (BlueStack Systems, Inc.)
S2 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [384840 2013-08-06] (BlueStack Systems, Inc.)
S2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
S2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
S2 CLHNServiceForPowerDVD12; C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe [90640 2012-08-16] (CyberLink Corp.)
S2 CyberLink PowerDVD 12 Media Server Monitor Service; C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe [78352 2012-08-16] (CyberLink)
S2 CyberLink PowerDVD 12 Media Server Service; C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe [295440 2012-08-16] (CyberLink)
S3 Disc Soft Bus Service; C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe [580672 2013-03-06] (Disc Soft Ltd)
S2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148744 2014-11-06] (NVIDIA Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-24] (Intel Corporation)
S2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe [417552 2014-10-20] (LogMeIn, Inc.)
S2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1795912 2014-11-06] (NVIDIA Corporation)
S2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [19819848 2014-11-06] (NVIDIA Corporation)
S3 Origin Client Service; D:\Origin\OriginClientService.exe [1900400 2014-11-04] (Electronic Arts)
S2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76152 2014-08-21] ()
S3 upnphost; C:\Windows\SysWOW64\upnphost.dll [266752 2009-07-13] ()
S2 winzipersvc; C:\Program Files (x86)\WinZipper\winzipersvc.exe [425104 2014-02-26] (Taiwan Shui Mu Chih Ching Technology Limited.) <==== ATTENTION
S3 sppuinotify; %SystemRoot%\system32\sppuinotify.dll [X]
S3 SwitchBoard; "C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [X]
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-10-03] ()
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-10-03] (AVAST Software)
S1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-10-03] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-10-03] ()
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1041168 2014-10-03] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [427360 2014-10-03] (AVAST Software)
S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [92008 2014-10-03] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [224896 2014-10-03] ()
S1 Bfilter; C:\Windows\System32\drivers\Bfilter.sys [50496 2013-08-12] (Baidu, Inc.)
S1 Bfmon; C:\Windows\System32\drivers\Bfmon.sys [32576 2013-08-12] (Baidu, Inc.)
S1 Bprotect; C:\Windows\System32\drivers\Bprotect.sys [106624 2013-08-19] (Baidu, Inc.)
S2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [70984 2013-08-06] (BlueStack Systems)
S3 dtscsibus; C:\Windows\System32\DRIVERS\dtscsibus.sys [29696 2013-05-07] (Disc Soft Ltd)
S2 ntk_PowerDVD12; C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMP\CLHNServer\ntk_PowerDVD12_64.sys [83704 2012-06-20] (Cyberlink Corp.)
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19784 2014-11-06] (NVIDIA Corporation)
S3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38216 2014-10-03] (NVIDIA Corporation)
S2 {73526619-C24F-470B-9BED-53D455FBB5C6}; C:\Program Files (x86)\CyberLink\PowerDVD12\Common\NavFilter\000.fcl [147704 2012-08-09] (CyberLink Corp.)
S3 BprotectEx; \??\C:\Windows\System32\drivers\BprotectEx.sys [X]
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena Plus\Room\safedrv.sys [X]
S3 PCFApiUtil; \??\C:\Program Files (x86)\Baidu Security\PC Faster\4.0.0.0\PCFApiUtil64.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
==================== One Month Created Files and Folders ========
(If an entry is included in the fixlist, the file\folder will be moved.)
2028-01-12 00:19 - 2028-01-12 00:19 - 00195584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Xvoice.dll
2014-12-06 08:09 - 2014-12-06 08:09 - 00001438 _____ () C:\CW.ERR
2014-12-06 04:34 - 2014-12-06 04:34 - 00398158 __RSH () C:\bootmgr
2014-12-06 04:34 - 2014-12-06 04:34 - 00000073 _____ () C:\Windows\{7bd30e4b-b46c-48d3-8be2-aff6b5939a54}
2014-12-05 15:26 - 2014-11-13 15:05 - 65077248 _____ () C:\Windows\System32\config\SOFTWARE.TPBAK
2014-12-05 15:26 - 2014-11-13 15:05 - 54788096 _____ () C:\Windows\System32\config\SYSTEM.TPBAK
2014-12-05 15:26 - 2014-11-13 15:05 - 00102400 _____ () C:\Windows\System32\config\SAM.TPBAK
2014-12-05 15:26 - 2014-11-13 15:04 - 00028672 _____ () C:\Windows\System32\config\SECURITY.TPBAK
2014-12-05 15:20 - 2014-12-05 15:20 - 00000073 _____ () C:\Windows\{6b7e135c-fc27-4472-9288-95547b8d2347}
2014-12-05 15:14 - 2014-12-06 04:34 - 00921616 __RSH () C:\$UGM
2014-12-05 15:14 - 2014-12-06 04:34 - 00053805 _____ () C:\g2ldr
2014-12-05 15:14 - 2014-12-05 15:14 - 00000073 _____ () C:\Windows\{5cdecb11-30bb-4236-a521-365bb1301905}
2014-12-05 13:01 - 2014-12-13 19:16 - 00000000 ____D () C:\FRST
2014-11-22 08:15 - 2014-11-22 08:19 - 00000000 ____D () C:\Windows\System32\config\backup
2014-11-18 04:26 - 2014-11-18 04:26 - 00000130 _____ () C:\undo.bat
2014-11-18 02:30 - 2014-11-18 02:30 - 00438840 __RSH () C:\bootxez
2014-11-18 02:30 - 2014-11-18 02:30 - 00206312 __RSH () C:\XELDZ
2014-11-17 05:01 - 2014-11-17 05:01 - 11907850 _____ () C:\Users\User\Downloads\Win7 ATT 3 in 1.zip
==================== One Month Modified Files and Folders =======
(If an entry is included in the fixlist, the file\folder will be moved.)
2014-11-27 18:36 - 2013-05-01 01:53 - 00000000 ____D () C:\Temp
2014-11-18 19:05 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2014-11-18 18:39 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\servicing
2014-11-18 04:26 - 2014-07-27 07:15 - 00000000 ____D () C:\Users\User\AppData\Local\LogMeIn Hamachi
2014-11-18 04:26 - 2009-07-13 20:45 - 00009584 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-18 04:26 - 2009-07-13 20:45 - 00009584 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-18 04:25 - 2009-07-13 21:13 - 00783270 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-11-18 04:18 - 2014-11-08 16:43 - 00004913 _____ () C:\Windows\setupact.log
2014-11-18 04:16 - 2014-02-26 14:22 - 00000000 ____D () C:\Program Files (x86)\WinZipper
2014-11-18 04:16 - 2013-05-01 02:00 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-11-18 04:16 - 2013-05-01 01:42 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-18 04:16 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-18 04:15 - 2014-11-08 23:24 - 00003717 _____ () C:\Windows\WindowsUpdate.log
2014-11-18 04:15 - 2013-12-20 03:49 - 00000000 ____D () C:\Users\User\AppData\Roaming\DMCache
2014-11-18 04:15 - 2013-05-01 01:42 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-18 04:15 - 2009-07-13 15:52 - 00014848 _____ (Microsoft Corporation) C:\Windows\System32\slwga.dll.infsx
2014-11-18 04:15 - 2009-07-13 15:38 - 01008640 _____ (Microsoft Corporation) C:\Windows\System32\user32.dll.infsx
2014-11-18 04:15 - 2009-07-13 15:36 - 00013824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\slwga.dll.infsx
2014-11-18 04:15 - 2009-07-13 15:24 - 00833024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user32.dll.infsx
2014-11-18 04:10 - 2013-04-05 00:34 - 00001926 _____ () C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2014-11-18 04:09 - 2013-04-05 00:34 - 00003924 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
2014-11-16 01:50 - 2014-03-06 18:50 - 00000288 _____ () C:\Windows\Tasks\Digital Sites.job
2014-11-16 01:50 - 2012-11-15 02:11 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-11-15 23:55 - 2014-03-06 19:50 - 00000123 _____ () C:\Users\User\AppData\Roaming\WB.CFG
2014-11-15 18:19 - 2012-11-15 02:26 - 00004286 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{5BE7698C-6FE7-4598-AFE5-D207D863FAD6}
2014-11-15 04:02 - 2013-10-15 22:38 - 00000000 ____D () C:\Users\User\Documents\FIFA 14
2014-11-14 04:05 - 2013-05-01 01:42 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-11-14 04:05 - 2013-05-01 01:42 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-11-13 03:50 - 2012-11-15 02:11 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-11-13 03:50 - 2012-11-15 02:11 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-11-13 03:50 - 2012-11-15 02:11 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-11-13 03:27 - 2014-08-26 07:20 - 00000000 ____D () C:\Users\User\AppData\Local\Adobe
Files to move or delete:
====================
C:\ProgramData\FileSplitUpLoad.dll
Some content of TEMP:
====================
C:\Users\User\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\User\AppData\Local\Temp\nvStInst.exe
==================== Known DLLs (Whitelisted) ================
C:\Windows\System32\LPK.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\LPK.dll IS MISSING <==== ATTENTION!
C:\Windows\System32\user32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\user32.dll IS MISSING <==== ATTENTION!
==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2013-05-01 01:42] - [2011-02-24 22:36] - 0295296 ____A (Microsoft Corporation) C9D0EAF58D6BA71E128E715EA43AD87D
==================== Restore Points  =========================
==================== Memory info ===========================
Percentage of memory in use: 9%
Total physical RAM: 8138.07 MB
Available physical RAM: 7346.15 MB
Total Pagefile: 8136.22 MB
Available Pagefile: 7346.62 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:97.65 GB) (Free:26.55 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: () (Fixed) (Total:416.93 GB) (Free:45.63 GB) NTFS
Drive e: () (Fixed) (Total:416.92 GB) (Free:392.47 GB) NTFS
Drive g: (KINGSTON) (Removable) (Total:7.23 GB) (Free:1.18 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 5BC53D8B)
Partition 1: (Active) - (Size=97.7 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=833.9 GB) - (Type=OF Extended)
========================================================
Disk: 1 (Size: 7.3 GB) (Disk ID: 04030201)
Partition 1: (Not Active) - (Size=7.2 GB) - (Type=0B)
LastRegBack: 2014-11-13 15:05
==================== End Of Log ============================

Edit: Topic moved from Windows 7 to the more appropriate forum.~ Animal
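The log above is the raw material a helper reads before drafting a fixlist. As an added example (not code from FRST, from Farbar, or from anyone in this thread), here is a Python triage script that buckets the lines a responder acts on: entries FRST marked "<==== ATTENTION", services and drivers whose binary is gone ("[X]"), files the Known DLLs and Bamital checks report "IS MISSING", and files whose MD5 verified. The sample log embedded in it is constructed from lines quoted in the post. It drafts the removal part of fixlist.txt the way the thread does (the flagged log line copied verbatim) and deliberately keeps the missing files out of it, because a fixlist entry can remove or move things but cannot recreate a file; those need a known-good copy.

```python
"""Triage an FRST (Farbar Recovery Scan Tool) log and draft a fixlist.

Added example for this thread; it is not code from FRST, Farbar or the
BleepingComputer helpers. SAMPLE_LOG is constructed from lines quoted in
the thread. The fixlist convention it relies on is the one the thread
shows: an FRST log line copied verbatim tells FRST to remove that entry.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed from lines in the FRST log posted above (abridged).
SAMPLE_LOG = r"""
==================== Services (Whitelisted) =================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-10-03] (AVAST Software)
S2 winzipersvc; C:\Program Files (x86)\WinZipper\winzipersvc.exe [425104 2014-02-26] (Taiwan Shui Mu Chih Ching Technology Limited.) <==== ATTENTION
S3 sppuinotify; %SystemRoot%\system32\sppuinotify.dll [X]
==================== Drivers (Whitelisted) ====================
S1 Bprotect; C:\Windows\System32\drivers\Bprotect.sys [106624 2013-08-19] (Baidu, Inc.)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
==================== Known DLLs (Whitelisted) ================
C:\Windows\System32\LPK.dll IS MISSING <==== ATTENTION!
C:\Windows\System32\user32.dll IS MISSING <==== ATTENTION!
==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
==================== End Of Log ============================
"""


@dataclass
class Triage:
    attention: List[str] = field(default_factory=list)   # FRST flagged "<==== ATTENTION"
    orphaned: List[str] = field(default_factory=list)    # service/driver whose file is gone: "[X]"
    missing_system_files: List[str] = field(default_factory=list)  # "IS MISSING" in the file checks
    verified: List[str] = field(default_factory=list)    # "=> MD5 is legit"


def triage_frst_log(text: str) -> Triage:
    """Walk the log once and bucket the lines a responder acts on."""
    result = Triage()
    seen_missing = set()  # the same file can be reported twice (user32.dll / User32.dll)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " IS MISSING" in line:
            path = line.split(" IS MISSING", 1)[0]
            if path.lower() not in seen_missing:
                seen_missing.add(path.lower())
                result.missing_system_files.append(path)
        elif line.endswith("=> MD5 is legit"):
            result.verified.append(line.split(" => ", 1)[0])
        elif line.endswith("[X]"):
            result.orphaned.append(line)
        elif "<==== ATTENTION" in line:
            result.attention.append(line)
    return result


def service_name(entry: str) -> str:
    """'S2 winzipersvc; <path> ...' -> 'winzipersvc'."""
    return entry.split(";", 1)[0].split(" ", 1)[1]


def build_fixlist(triage: Triage) -> str:
    """fixlist.txt content: flagged and orphaned entries copied verbatim.
    Missing system files are left out on purpose; a fixlist entry removes or
    moves things, it cannot recreate a file."""
    return "".join(line + "\n" for line in triage.attention + triage.orphaned)


if __name__ == "__main__":
    t = triage_frst_log(SAMPLE_LOG)
    print("needs restoring from a known-good copy:", t.missing_system_files)
    print(build_fixlist(t), end="")
```

Run as a script it prints the three files that still need restoring and a three-line fixlist (winzipersvc, sppuinotify, EagleX64), which is the same split the helper made in the reply that follows: removals go through the fixlist, the missing files are searched for first.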


#2 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 35,536 posts
  • Gender:Male
  • Location:California

Posted 21 December 2014 - 06:28 PM

Greetings NK10 and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to topic button instead.
  • In the upper right hand corner of the topic you will see the Follow topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please run the following for me.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
S2 winzipersvc; C:\Program Files (x86)\WinZipper\winzipersvc.exe [425104 2014-02-26] (Taiwan Shui Mu Chih Ching Technology Limited.) <==== ATTENTION
C:\Program Files (x86)\WinZipper
S3 sppuinotify; %SystemRoot%\system32\sppuinotify.dll [X]
S3 SwitchBoard; "C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [X]
S3 BprotectEx; \??\C:\Windows\System32\drivers\BprotectEx.sys [X]
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena Plus\Room\safedrv.sys [X]
S3 PCFApiUtil; \??\C:\Program Files (x86)\Baidu Security\PC Faster\4.0.0.0\PCFApiUtil64.sys [X]
C:\ProgramData\FileSplitUpLoad.dll
C:\Users\User\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\User\AppData\Local\Temp\nvStInst.exe
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up), select Repair Your Computer, then select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt). Copy and paste that information in your reply.
  • Type the following in the Search Field
winlogon.exe
LPK.dll
user32.dll
  • Click Search File(s) button
  • A Search.txt document will be saved to your USB device
  • Copy and paste the contents of that document in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • Search log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 NK10
  • Topic Starter

  • Members
  • 7 posts

Posted 22 December 2014 - 06:47 AM

My Fixlog
 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 03-12-2014
Ran by SYSTEM at 2014-12-22 18:39:14 Run:5
Running from G:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
S2 winzipersvc; C:\Program Files (x86)\WinZipper\winzipersvc.exe [425104 2014-02-26] (Taiwan Shui Mu Chih Ching Technology Limited.) <==== ATTENTION
C:\Program Files (x86)\WinZipper
S3 sppuinotify; %SystemRoot%\system32\sppuinotify.dll [X]
S3 SwitchBoard; "C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [X]
S3 BprotectEx; \??\C:\Windows\System32\drivers\BprotectEx.sys [X]
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena Plus\Room\safedrv.sys [X]
S3 PCFApiUtil; \??\C:\Program Files (x86)\Baidu Security\PC Faster\4.0.0.0\PCFApiUtil64.sys [X]
C:\ProgramData\FileSplitUpLoad.dll
C:\Users\User\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\User\AppData\Local\Temp\nvStInst.exe
*****************

winzipersvc => Service deleted successfully.
C:\Program Files (x86)\WinZipper => Moved successfully.
sppuinotify => Service deleted successfully.
SwitchBoard => Service deleted successfully.
BprotectEx => Service deleted successfully.
clwvd => Service deleted successfully.
EagleX64 => Service deleted successfully.
GGSAFERDriver => Service deleted successfully.
PCFApiUtil => Service deleted successfully.
C:\ProgramData\FileSplitUpLoad.dll => Moved successfully.
C:\Users\User\AppData\Local\Temp\nvSCPAPI.dll => Moved successfully.
C:\Users\User\AppData\Local\Temp\nvStInst.exe => Moved successfully.

==== End of Fixlog ====

 

Search
 

Farbar Recovery Scan Tool (x64) Version: 03-12-2014
Ran by SYSTEM at 2014-12-22 18:40:44
Running from G:\
Boot Mode: Recovery

================== Search Files: "winlogon.exe
LPK.dll
user32.dll
" =============

====== End Of Search ======


Edited by NK10, 22 December 2014 - 06:47 AM.


#4 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 35,536 posts
  • Gender:Male
  • Location:California

Posted 22 December 2014 - 02:59 PM

Thanks. My error in the script for the Search part. Please do this.

===================================================

Farbar's Recovery Scan Tool Search

--------------------
  • Boot to the System Recovery Options again and run FRST
  • Type the following in the Search Field
winlogon.exe;LPK.dll;user32.dll
  • Click Search File(s) button
  • A Search.txt document will be saved to your USB device
  • Copy and paste the contents of that document in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Search log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 NK10
  • Topic Starter

  • Members
  • 7 posts

Posted 23 December 2014 - 06:07 AM

Farbar Recovery Scan Tool (x64) Version: 03-12-2014
Ran by SYSTEM at 2014-12-23 18:04:39
Running from G:\
Boot Mode: Recovery

================== Search Files: "winlogon.exe;LPK.dll;user32.dll" =============

C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
[2009-07-13 15:24][2009-07-13 17:11] 0833024 ____A (Microsoft Corporation) E8B0FFC209E504CB7E79FC24E6C085F0

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16385_none_101cb471a89825ee\lpk.dll
[2009-07-13 15:25][2009-07-13 17:11] 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_cbb7f2bdeea2829c\winlogon.exe
[2009-07-13 15:52][2009-07-13 17:39] 0389120 ____A (Microsoft Corporation) 132328DF455B0028F13BF0ABEE51A63A

C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
[2009-07-13 15:38][2009-07-13 17:41] 1008640 ____A (Microsoft Corporation) 72D7B3EA16946E8F0CF7458150031CC6

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16385_none_05c80a1f743763f3\lpk.dll
[2009-07-13 15:38][2009-07-13 17:41] 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

X:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_cbb7f2bdeea2829c\winlogon.exe
[2009-07-13 15:52][2009-07-13 17:39] 0389120 ____A (Microsoft Corporation) 132328DF455B0028F13BF0ABEE51A63A

X:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
[2009-07-13 15:38][2009-07-13 17:41] 1008640 ____A (Microsoft Corporation) 72D7B3EA16946E8F0CF7458150031CC6

X:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16385_none_05c80a1f743763f3\lpk.dll
[2009-07-13 15:38][2009-07-13 17:41] 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

X:\Windows\System32\lpk.dll
[2009-07-13 15:38][2009-07-13 17:41] 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

X:\Windows\System32\user32.dll
[2009-07-13 15:38][2009-07-13 17:41] 1008640 ____A (Microsoft Corporation) 72D7B3EA16946E8F0CF7458150031CC6

X:\Windows\System32\winlogon.exe
[2009-07-13 15:52][2009-07-13 17:39] 0389120 ____A (Microsoft Corporation) 132328DF455B0028F13BF0ABEE51A63A

====== End Of Search ======



#6 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 35,536 posts
  • Gender:Male
  • Location:California

Posted 23 December 2014 - 02:50 PM

Thanks for the information. This is our next step.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
cmd: copy C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll C:\Windows\SysWOW64
cmd: copy C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll C:\Windows\System32
cmd: copy C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16385_none_101cb471a89825ee\lpk.dll C:\Windows\SysWOW64
cmd: copy C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16385_none_05c80a1f743763f3\lpk.dll C:\Windows\System32
cmd: copy C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_cbb7f2bdeea2829c\winlogon.exe C:\Windows\System32
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up), select Repair Your Computer, then select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt). Copy and paste that information in your reply.
  • Please attempt to boot your computer into Normal Mode or, if not, Safe Mode
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • Does your computer boot?

Edited by Oh My!, 23 December 2014 - 02:52 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
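Posts #5 and #6 together show the restore pattern: search the component store for the missing files, pick the WinSxS copy that belongs to each target directory, and copy it with a "cmd:" fixlist directive. The Python script below is an added example (not FRST's code and not the helper's) that automates that step from Search.txt output, using the amd64_ to System32 and wow64_ to SysWOW64 mapping the fix above applies. SAMPLE_SEARCH is constructed from entries quoted in post #5, with the MD5 values FRST reported there. It adds two checks the hand-written fix leaves to the human: it refuses to pick a copy when two WinSxS copies of the same file and architecture disagree on MD5, and it reports which other hits (such as the copies in the recovery environment's own image on X:, the "Boot" drive in the first log) carry the same hash as the chosen copy.

```python
"""Plan the restore of missing system files from FRST's Search.txt output.

Added example for this thread; not code from FRST, Farbar or the helper.
It parses the Search.txt layout shown in post #5 (a path line followed by a
"[created][modified] size attrs (company) MD5" line), picks the WinSxS copy
of each missing file on the system drive, and emits the "cmd: copy" fixlist
lines the helper wrote by hand in post #6. SAMPLE_SEARCH is constructed from
entries quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed from the Search.txt posted above (abridged).
SAMPLE_SEARCH = r"""
================== Search Files: "winlogon.exe;LPK.dll;user32.dll" =============

C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
[2009-07-13 15:24][2009-07-13 17:11] 0833024 ____A (Microsoft Corporation) E8B0FFC209E504CB7E79FC24E6C085F0

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16385_none_101cb471a89825ee\lpk.dll
[2009-07-13 15:25][2009-07-13 17:11] 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_cbb7f2bdeea2829c\winlogon.exe
[2009-07-13 15:52][2009-07-13 17:39] 0389120 ____A (Microsoft Corporation) 132328DF455B0028F13BF0ABEE51A63A

C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
[2009-07-13 15:38][2009-07-13 17:41] 1008640 ____A (Microsoft Corporation) 72D7B3EA16946E8F0CF7458150031CC6

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16385_none_05c80a1f743763f3\lpk.dll
[2009-07-13 15:38][2009-07-13 17:41] 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

X:\Windows\System32\user32.dll
[2009-07-13 15:38][2009-07-13 17:41] 1008640 ____A (Microsoft Corporation) 72D7B3EA16946E8F0CF7458150031CC6

X:\Windows\System32\winlogon.exe
[2009-07-13 15:52][2009-07-13 17:39] 0389120 ____A (Microsoft Corporation) 132328DF455B0028F13BF0ABEE51A63A

====== End Of Search ======
"""

ENTRY_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\] (?P<size>\d+) (?P<attrs>\S+) "
    r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
WINSXS_RE = re.compile(r"^(?P<drive>[A-Za-z]):\\Windows\\winsxs\\(?P<arch>amd64|wow64)_", re.IGNORECASE)
# Mapping used by the fix in post #6: 64-bit components go to System32, 32-bit to SysWOW64.
TARGET_DIR = {"amd64": r"C:\Windows\System32", "wow64": r"C:\Windows\SysWOW64"}


@dataclass
class FoundFile:
    path: str
    size: int
    company: str
    md5: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_search_log(text: str) -> List[FoundFile]:
    """Pair each path line with the detail line that follows it."""
    found: List[FoundFile] = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):  # blank or section banner
            pending = None
            continue
        detail = ENTRY_RE.match(line)
        if detail and pending:
            found.append(FoundFile(pending, int(detail["size"]), detail["company"], detail["md5"]))
            pending = None
        elif re.match(r"^[A-Za-z]:\\", line):
            pending = line
    return found


def plan_restore(found: List[FoundFile], system_drive: str = "C"):
    """One 'cmd: copy' line per (file, architecture) taken from the system
    drive's WinSxS store. If two WinSxS copies of the same file/arch disagree
    on MD5 (different servicing level, or a tampered copy) the pair is
    reported as a conflict instead of being copied blindly."""
    groups: Dict[Tuple[str, str], List[FoundFile]] = {}
    for f in found:
        m = WINSXS_RE.match(f.path)
        if not m or m["drive"].upper() != system_drive.upper():
            continue
        groups.setdefault((f.name.lower(), m["arch"].lower()), []).append(f)
    plan, conflicts = [], []
    for key, copies in sorted(groups.items()):
        if len({c.md5.upper() for c in copies}) != 1:
            conflicts.append(key)
            continue
        chosen = copies[0]
        plan.append((chosen, f"cmd: copy {chosen.path} {TARGET_DIR[key[1]]}"))
    return plan, conflicts


def corroborating_copies(found: List[FoundFile], chosen: FoundFile) -> List[str]:
    """Paths of other hits with the same file name and MD5, e.g. the copy in
    the recovery environment's own image on X:, which does not live on the
    possibly-compromised C: volume."""
    return [f.path for f in found
            if f is not chosen and f.name.lower() == chosen.name.lower()
            and f.md5.upper() == chosen.md5.upper()]


if __name__ == "__main__":
    hits = parse_search_log(SAMPLE_SEARCH)
    plan, conflicts = plan_restore(hits)
    for chosen, line in plan:
        print(line)
        print("   same MD5 elsewhere:", corroborating_copies(hits, chosen) or "none")
    print("conflicts:", conflicts)
```

Run as a script it prints the same five "cmd: copy" lines as the fix in post #6 (in a different order), shows that the 64-bit winlogon.exe and user32.dll hashes are matched by the copies under X:\Windows\System32, and reports no conflicts. The 32-bit (wow64) user32.dll has no such match, as expected: it is a different binary from the 64-bit one.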

#7 NK10
  • Topic Starter

  • Members
  • 7 posts

Posted 24 December 2014 - 05:43 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 03-12-2014
Ran by SYSTEM at 2014-12-24 17:34:57 Run:6
Running from G:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
cmd: copy C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll C:\Windows\SysWOW64
cmd: copy C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll C:\Windows\System32
cmd: copy C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16385_none_101cb471a89825ee\lpk.dll C:\Windows\SysWOW64
cmd: copy C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16385_none_05c80a1f743763f3\lpk.dll C:\Windows\System32
cmd: copy C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_cbb7f2bdeea2829c\winlogon.exe C:\Windows\System32
*****************

=========  copy C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll C:\Windows\SysWOW64 =========

        1 file(s) copied.

========= End of CMD: =========

=========  copy C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll C:\Windows\System32 =========

        1 file(s) copied.

========= End of CMD: =========

=========  copy C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16385_none_101cb471a89825ee\lpk.dll C:\Windows\SysWOW64 =========

        1 file(s) copied.

========= End of CMD: =========

=========  copy C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16385_none_05c80a1f743763f3\lpk.dll C:\Windows\System32 =========

        1 file(s) copied.

========= End of CMD: =========

=========  copy C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_cbb7f2bdeea2829c\winlogon.exe C:\Windows\System32 =========

        1 file(s) copied.

========= End of CMD: =========

==== End of Fixlog ====

Now I can boot to normal. Thank you very much.
Happy Christmas. :thumbup2:


#8 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 35,536 posts
  • Gender:Male
  • Location:California

Posted 24 December 2014 - 10:38 AM

Merry Christmas to you as well. We are not quite done yet so hang in there a bit longer.

Please do this.

===================================================

Emsisoft Emergency Kit Scan

--------------------
  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double click on the EmsisoftEmergencyKit.exe icon, click Run then Extract
  • Double click the Start Emsisoft Emergency Kit icon that will appear after extraction
  • Click Yes to update the program
  • Once the update is completed click the Back button
  • Click on 2. Scan (not Quick Scan or Smart Scan)
  • Click Yes to detect Potentially Unwanted Programs (PUPs)
  • Patiently wait for the thorough scan to complete, this can be a lengthy process
  • Once completed, click Quarantine selected objects (if the computer is clean you will not have this option), then click OK
  • Click View Report
  • Copy and paste the contents of the report in your reply
  • Note: If you receive an error report saying there are too many emoticons, simply attach the file instead
  • Close the program then click Close
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double click the icon to launch the program
  • Click OK
  • Select Run (Note: if you receive an error message, attempt to run the program in Safe Mode)
  • Press any key to start the program
  • Allow the program to run
  • A Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Emsisoft report (if applicable)
  • Security Check log
  • How is your computer running now?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#9 Oh My! (Malware Response Instructor)

Posted 28 December 2014 - 04:56 PM

Greetings,

===================================================

3 Day Bump

It has been more than 3 days since my last post.

  • Do you still need help with this?
  • If after 48 hrs you have not replied to this thread, it will have to be closed.


Gary

#10 Oh My! (Malware Response Instructor)

Posted 02 January 2015 - 10:11 AM

Greetings,

Now that the holidays are over I would like to try to get back on track and make some progress with our issues. In order to determine whether or not you are still with me, it is necessary for me to post this.

===================================================

3 Day Bump

It has been more than 3 days since my last post.
  • Do you still need help with this?
  • If after 48 hrs you have not replied to this thread, it will have to be closed.

Gary

#11 Oh My! (Malware Response Instructor)

Posted 29 March 2015 - 07:49 PM

It appears that this issue is resolved; therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) stating that you would like this topic re-opened.
Gary