StartupOfflineRepair


2 replies to this topic

#1 the-owl

the-owl

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:43 AM

Posted 28 April 2015 - 11:01 AM

I have a Win7 machine that started sending massive port 25 traffic out on Friday 4-24. The ISP shut the IP down and I retrieved the machine on Monday.
It will not boot; it loops in a startup repair.
Attached is the FRST64 log; I removed the obvious Installer/syshost.exe that was created on 4-24. It still loops in startup repair, safe mode or not. There are no recovery points.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-04-2015 01
Ran by SYSTEM on MININT-6F6A8SF on 29-04-2015 06:59:14
Running from G:\
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2011-09-16] (LogMeIn, Inc.)
HKLM\...\Run: [Kernel and Hardware Abstraction Layer] => C:\Windows\KHALMNPR.EXE [130576 2009-06-17] (Logitech, Inc.)
HKLM\...\Run: [Bluetooth Connection Assistant] => LBTWIZ.EXE -silent
HKLM-x32\...\Run: [Dell DataSafe Online] => C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [RoxWatchTray] => C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] => C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [MVS Splash] => C:\Program Files (x86)\McAfee\Managed VirusScan\DesktopUI\XTray.exe [480872 2012-11-13] ()
HKLM-x32\...\Run: [HPUsageTrackingLEDM] => C:\Program Files (x86)\HP\HP UT LEDM\bin\hppusg.exe [30264 2009-08-04] (Hewlett-Packard Company)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [395656 2013-10-01] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-05-07] (Oracle Corporation)
HKLM-x32\...\Run: [DNS7reminder] => C:\Program Files (x86)\Nuance\NaturallySpeaking11\Ereg\Ereg.exe [328992 2010-10-27] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [CitrixReceiver] => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"
HKLM-x32\...\Run: [Redirector] => C:\Program Files (x86)\Citrix\ICA Client\redirector.exe [153992 2013-10-01] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [StatusAlerts] => C:\Program Files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe [313248 2012-07-18] (Hewlett-Packard Company)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\ashnetadmin\...\Run: [Google Update] => C:\Users\ashnetadmin\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2012-01-27] (Google Inc.)
HKU\dholtman\...\Run: [Speech Recognition] => C:\Windows\Speech\Common\sapisvr.exe [44544 2009-07-13] (Microsoft Corporation)
HKU\dholtman\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2011-06-04] (Acresso Corporation)
HKU\dholtman\...\Run: [Itibiti.exe] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
HKU\dholtman\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\WLXPGSS.SCR [301936 2010-11-10] (Microsoft Corporation)
HKU\tbowen\...\RunOnce: [Application Restart #0] => C:\Windows\HelpPane.exe [733696 2009-07-13] (Microsoft Corporation)
AppInit_DLLs-x32: c:\progra~2\citrix\icacli~1\rshook.dll => c:\Program Files (x86)\Citrix\ICA Client\RSHook.dll [256568 2012-12-14] (Citrix Systems, Inc.)
Startup: C:\Users\dholtman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2013-09-30]
ShortcutTarget: Dropbox.lnk -> (No File)
Startup: C:\Users\dholtman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2012-02-21]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 EMC IRM Injection Service; C:\Program Files (x86)\EMC IRM\Common\emcirminjservice.exe [729600 2012-02-03] ()
S2 hasplms; C:\Windows\system32\hasplms.exe [3750400 2009-12-16] (SafeNet Inc.)
S2 HP DS Service; C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe [13824 2011-10-17] (Hewlett-Packard Company)
S2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [78088 2014-08-26] (Hewlett-Packard Company)
S2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [417640 2015-03-03] (LogMeIn, Inc.)
S2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [234344 2015-03-03] (LogMeIn, Inc.)
S2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2011-09-16] (LogMeIn, Inc.)
S2 McAfee SiteAdvisor Enterprise Service; C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe [161128 2014-03-06] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [242448 2013-12-17] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [185280 2013-12-17] (McAfee, Inc.)
S2 MSSQL$PRIMAVERA; C:\Program Files (x86)\Microsoft SQL Server\MSSQL$PRIMAVERA\Binn\sqlservr.exe [7520337 2002-12-17] (Microsoft Corporation)
S3 MSSQLServerADHelper; C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [66112 2002-12-17] (Microsoft Corporation)
S2 myAgtSvc; C:\Program Files (x86)\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [296400 2014-04-25] (McAfee, Inc.)
S4 OracleJobSchedulerXE; c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe [102400 2006-02-02] ()
S3 OracleMTSRecoveryService; C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe [57616 2006-02-02] (Oracle Corporation)
S2 OracleServiceXE; c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE [59064320 2006-02-02] (Oracle Corporation)
S3 OracleXEClrAgent; C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe [45056 2006-02-02] ()
S2 OracleXETNSListener; C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe [204800 2006-02-02] ()
S2 RaAutoInstSrv_AM10; C:\Program Files (x86)\Cisco Systems\Cisco Valet Connector\CiscoAdapterSvc.exe [529024 2010-04-15] (Cisco Consumer Products LLC)
S3 SQLAgent$PRIMAVERA; C:\Program Files (x86)\Microsoft SQL Server\MSSQL$PRIMAVERA\Binn\sqlagent.EXE [311872 2002-12-17] (Microsoft Corporation)
S2 syshost32; C:\Windows\Installer\{DE0129C9-0C66-6538-6C75-9EA64C59D235}\syshost.exe [83968 2014-11-03] (Microsoft Corporation)
S2 UTSCSI; C:\Windows\SysWOW64\UTSCSI.EXE [45056 2014-02-14] ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 RumorServer; "C:\Program Files (x86)\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /RunDLL=RumorServer.dll;ServiceHost [X]
S2 SftService; "C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE" [X]
S2 TeamViewer; "C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe" [X]
S2 Update Solution Real; "C:\Program Files (x86)\Solution Real\updateSolutionReal.exe" [X]
S2 Util Solution Real; "C:\Program Files (x86)\Solution Real\bin\utilSolutionReal.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S0 aa3d1dd849df433; C:\Windows\System32\Drivers\aa3d1dd849df433.sys [42960 2014-11-03] () <===== ATTENTION Necurs Rootkit?
S3 aksusb; C:\Windows\System32\DRIVERS\aksusb.sys [21120 2011-08-09] (SafeNet Inc.)
S3 AM10; C:\Windows\System32\DRIVERS\am10w7.sys [1101600 2010-03-23] (Ralink Technology Corp.)
S1 EmcIrmInjectionDriver; C:\Program Files (x86)\EMC IRM\Common\EmcIrmInject64.sys [58328 2012-02-03] ()
S2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-05-27] (LogMeIn, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [180272 2013-12-17] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311600 2013-12-17] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [782968 2013-12-17] (McAfee, Inc.)
S1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [75936 2012-02-22] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [107032 2013-12-17] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [344176 2013-12-17] (McAfee, Inc.)
S3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [20480 2012-12-24] (Marvell Semiconductor, Inc.)
S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44032 2011-07-20] (Research in Motion Ltd)
S1 {371bcf01-e691-44bf-9345-60788e5d16a5}Gw64; C:\Windows\System32\drivers\{371bcf01-e691-44bf-9345-60788e5d16a5}Gw64.sys [48792 2015-01-30] (StdLib)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 RimUsb; System32\Drivers\RimUsb_AMD64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-29 06:59 - 2015-04-29 06:59 - 00000000 ____D () C:\FRST
2015-04-29 04:03 - 2015-04-28 14:34 - 02100736 _____ () C:\FRST64.exe
2015-04-28 09:54 - 2015-04-28 09:54 - 00000000 ____D () C:\Windows\New folder
2015-04-28 09:54 - 2015-04-28 09:54 - 00000000 ____D () C:\Program Files\New folder
2015-04-24 16:35 - 2015-04-24 18:04 - 00000000 ___SD () C:\ComboFix
2015-04-07 15:12 - 2015-04-07 15:13 - 00001032 _____ () C:\Users\Public\Documents\Acrobat6.ini
2015-04-07 15:12 - 2015-04-07 15:13 - 00001032 _____ () C:\ProgramData\Documents\Acrobat6.ini
2015-04-02 18:09 - 2015-04-06 08:17 - 00011717 _____ () C:\Users\dholtman\Documents\Transport Log.xlsx
2015-04-02 16:42 - 2015-04-02 16:42 - 00000000 ____D () C:\Users\dholtman\AppData\Local\TeamViewer
2015-04-02 10:55 - 2015-04-24 15:44 - 00000000 ___RD () C:\Users\dholtman\Desktop\Cost To Complete

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-27 18:24 - 2012-01-10 20:44 - 00000000 ____D () C:\Temp
2015-04-24 18:04 - 2012-11-20 18:26 - 00000000 ____D () C:\Users\dholtman\_rpcs
2015-04-24 18:04 - 2012-11-16 15:37 - 00000000 ____D () C:\Windows\erdnt
2015-04-24 18:04 - 2012-10-19 16:26 - 00000000 ____D () C:\users\tbowen
2015-04-24 18:04 - 2012-01-30 13:01 - 00000000 ____D () C:\users\dholtman
2015-04-24 18:04 - 2012-01-27 16:07 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-04-24 18:04 - 2012-01-26 18:16 - 00000000 ____D () C:\users\ashnetadmin
2015-04-24 18:04 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\registration
2015-04-24 18:03 - 2013-09-30 11:58 - 00000000 ___RD () C:\Users\dholtman\Dropbox
2015-04-24 18:03 - 2012-11-16 15:38 - 00000000 ____D () C:\Qoobox
2015-04-24 17:24 - 2012-01-26 18:08 - 00000128 _____ () C:\Windows\System32\config\netlogon.ftl
2015-04-24 15:47 - 2012-01-10 21:08 - 00000000 ____D () C:\Users\Default\AppData\Local\SoftThinks
2015-04-24 15:47 - 2012-01-10 21:08 - 00000000 ____D () C:\Users\Default User\AppData\Local\SoftThinks
2015-04-24 15:46 - 2009-07-14 00:37 - 00000000 ____D () C:\Windows\DigitalLocker
2015-04-24 15:21 - 2012-01-27 15:59 - 00000000 ____D () C:\ProgramData\LogMeIn
2015-04-24 08:02 - 2014-03-31 14:30 - 00000000 ____D () C:\Users\dholtman\Desktop\Labor Cost Reports
2015-04-24 04:00 - 2012-05-24 13:47 - 00000000 ____D () C:\ProgramData\TEMP
2015-04-23 12:59 - 2015-03-05 15:22 - 00000000 ____D () C:\Users\dholtman\Desktop\Cost Codes
2015-04-22 00:28 - 2012-01-27 18:35 - 00000932 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1167256781-2832195314-4057810326-500UA.job
2015-04-22 00:08 - 2014-02-26 14:11 - 00000544 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-1167256781-2832195314-4057810326-1119.job
2015-04-22 00:07 - 2012-10-22 23:40 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-04-22 00:07 - 2012-01-27 18:38 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-21 22:07 - 2012-01-27 18:38 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-21 16:00 - 2012-01-26 17:48 - 00000422 _____ () C:\Windows\Tasks\SystemToolsDailyTest.job
2015-04-21 12:28 - 2012-01-27 18:35 - 00000880 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1167256781-2832195314-4057810326-500Core.job
2015-04-20 09:29 - 2013-08-19 08:12 - 00000000 ____D () C:\1 Temp
2015-04-20 08:31 - 2009-07-13 23:45 - 00031312 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-20 08:31 - 2009-07-13 23:45 - 00031312 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-20 08:23 - 2013-09-30 11:53 - 00000000 ____D () C:\Users\dholtman\AppData\Roaming\Dropbox
2015-04-20 08:23 - 2012-01-10 22:25 - 01119006 _____ () C:\Windows\WindowsUpdate.log
2015-04-20 08:21 - 2009-07-13 23:45 - 00464400 _____ () C:\Windows\System32\FNTCACHE.DAT
2015-04-20 08:20 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-20 08:20 - 2009-07-13 23:51 - 00113636 _____ () C:\Windows\setupact.log
2015-04-20 08:19 - 2010-11-20 22:47 - 01084944 _____ () C:\Windows\PFRO.log
2015-04-19 10:12 - 2014-07-08 16:32 - 00000000 ____D () C:\Users\dholtman\AppData\Roaming\TeamViewer
2015-04-17 12:31 - 2013-06-24 18:31 - 00001805 _____ () C:\Users\dholtman\Desktop\NMDOT Current.lnk
2015-04-16 11:34 - 2012-04-27 14:30 - 00000000 ____D () C:\WTabs
2015-04-16 11:34 - 2012-04-09 08:46 - 00000179 _____ () C:\results.txt
2015-04-15 09:07 - 2012-10-22 23:40 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-04-15 09:07 - 2012-10-22 23:40 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-04-15 09:07 - 2012-01-10 20:30 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-04-15 08:40 - 2012-01-30 17:34 - 00002002 ____H () C:\Users\dholtman\Documents\Default.rdp
2015-04-14 11:43 - 2014-06-16 11:07 - 00000000 ____D () C:\Users\dholtman\Desktop\Job 806 Jemez
2015-04-13 16:13 - 2014-02-26 14:11 - 00003580 _____ () C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-1167256781-2832195314-4057810326-1119
2015-04-08 08:26 - 2014-03-19 14:02 - 00000000 ____D () C:\Users\dholtman\Desktop\804 San Juan County
2015-04-05 09:19 - 2013-04-24 12:37 - 00000000 ____D () C:\Users\dholtman\Desktop\Pre Trash
2015-04-02 16:43 - 2012-01-30 13:01 - 00127680 _____ () C:\Users\dholtman\AppData\Local\GDIPFONTCACHEV1.DAT
2015-04-02 15:32 - 2012-01-27 12:26 - 00000000 ____D () C:\Program Files (x86)\BIDBUILD
2015-04-02 10:19 - 2014-12-30 11:41 - 00000000 ____D () C:\Users\dholtman\Desktop\Job 807 Silver City

Files to move or delete:
====================
C:\Users\dholtman\udownload.dat


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 4008.63 MB
Available physical RAM: 3344.27 MB
Total Pagefile: 4006.83 MB
Available Pagefile: 3349.62 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:449.57 GB) (Free:318.08 GB) NTFS
Drive e: (RECOVERY) (Fixed) (Total:16.15 GB) (Free:8.77 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: () (Removable) (Total:7.41 GB) (Free:7.4 GB) FAT32
Drive h: (2TB) (Fixed) (Total:1863.01 GB) (Free:1611.45 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 465.8 GB) (Disk ID: 6F87AD53)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=16.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=449.6 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 7.4 GB) (Disk ID: 53CC6603)
Partition 1: (Active) - (Size=7.4 GB) - (Type=0B)

========================================================
Disk: 3 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: A3F0518B)
Partition 1: (Active) - (Size=1863 GB) - (Type=07 NTFS)


LastRegBack: 2015-04-24 01:11

==================== End Of Log ============================

Edited by nasdaq, 01 May 2015 - 08:38 AM.
The FRST log was pasted.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:43 AM

Posted 01 May 2015 - 08:37 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CreateRestorePoint:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\dholtman\...\Run: [Itibiti.exe] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
HKU\tbowen\...\RunOnce: [Application Restart #0] => C:\Windows\HelpPane.exe [733696 2009-07-13] (Microsoft Corporation)
ShortcutTarget: Dropbox.lnk ->  (No File)
S2 RumorServer; "C:\Program Files (x86)\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /RunDLL=RumorServer.dll;ServiceHost [X]
S2 SftService; "C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE" [X]
S2 TeamViewer; "C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe" [X]
S2 Update Solution Real; "C:\Program Files (x86)\Solution Real\updateSolutionReal.exe" [X]
S2 Util Solution Real; "C:\Program Files (x86)\Solution Real\bin\utilSolutionReal.exe" [X]
S0 aa3d1dd849df433; C:\Windows\System32\Drivers\aa3d1dd849df433.sys [42960 2014-11-03] () <===== ATTENTION Necurs Rootkit?
S1 {371bcf01-e691-44bf-9345-60788e5d16a5}Gw64; C:\Windows\System32\drivers\{371bcf01-e691-44bf-9345-60788e5d16a5}Gw64.sys [48792 2015-01-30] (StdLib)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 RimUsb; System32\Drivers\RimUsb_AMD64.sys [X]
C:\Program Files (x86)\Itibiti Soft Phone
C:\Windows\System32\Drivers\aa3d1dd849df433.sys
C:\Windows\System32\drivers\{371bcf01-e691-44bf-9345-60788e5d16a5}Gw64.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

If the problem persists I suggest you download and run the ESETNecursCleaner tool from this page.
http://kb.eset.com/esetkb/index?page=content&id=SOLN3137

Read the instructions before proceeding.
===

How is the computer running now?
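As an added example (not code from this thread or from the FRST tool), here is a Python triage pass over an FRST log excerpt that reproduces the kind of choices made in the fixlist above: it reports entries FRST itself marked with ATTENTION, autostart entries whose file is missing ([X]), services or drivers whose names are long hex strings or GUIDs, and boot/system-start drivers that carry no vendor string. The sample log is a constructed excerpt built from lines of the posted log, and the heuristics are this example's assumptions, not FRST's own logic.

```python
import re

# Constructed excerpt of an FRST log, assembled from lines in the posted log
# so the example runs offline.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
==================== Services (Whitelisted) =================
S2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2011-09-16] (LogMeIn, Inc.)
S2 TeamViewer; "C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe" [X]
==================== Drivers (Whitelisted) ====================
S0 aa3d1dd849df433; C:\Windows\System32\Drivers\aa3d1dd849df433.sys [42960 2014-11-03] () <===== ATTENTION Necurs Rootkit?
S1 EmcIrmInjectionDriver; C:\Program Files (x86)\EMC IRM\Common\EmcIrmInject64.sys [58328 2012-02-03] ()
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311600 2013-12-17] (McAfee, Inc.)
S1 {371bcf01-e691-44bf-9345-60788e5d16a5}Gw64; C:\Windows\System32\drivers\{371bcf01-e691-44bf-9345-60788e5d16a5}Gw64.sys [48792 2015-01-30] (StdLib)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
"""

SECTION_RE = re.compile(r"^=+ (?P<title>.+?) =+$")
# Service/driver entry: "<start type> <name>; <path> [<size> <date>] (<vendor>)"
ENTRY_RE = re.compile(
    r"^(?P<start>S[0-4]) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>[\d-]+)\] \((?P<vendor>[^)]*)\)"
)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{12,}$", re.IGNORECASE)
GUID_NAME_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)
CODE_SECTIONS = ("Services (Whitelisted)", "Drivers (Whitelisted)")


def triage(log_text):
    """Return [(line, [reasons])] for log lines that merit a closer look.

    Heuristics (assumptions of this example, not FRST's own logic):
      - FRST already marked the line with "<===== ATTENTION"
      - the entry's file is missing ("[X]"), i.e. an orphaned autostart
      - a service/driver name is a long hex string or a GUID
      - a boot/system-start driver (S0/S1) reports no vendor string
    """
    findings = []
    section = None
    for line in log_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("title")
            continue
        reasons = []
        if "<===== ATTENTION" in line:
            reasons.append("flagged by FRST")
        if line.rstrip().endswith("[X]"):
            reasons.append("file missing (orphaned entry)")
        entry = ENTRY_RE.match(line)
        if entry and section in CODE_SECTIONS:
            name = entry.group("name")
            if HEX_NAME_RE.match(name) or GUID_NAME_RE.match(name):
                reasons.append("random-looking name")
            if entry.group("start") in ("S0", "S1") and entry.group("vendor") == "":
                reasons.append("early-start driver with no vendor info")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print("; ".join(reasons))
        print("    " + line)
```

A hit is a lead, not a verdict: the EmcIrm driver in the sample trips the vendor-string rule yet is a legitimate product, which is why a helper still reads each flagged line before it goes into a fixlist.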

#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:43 AM

Posted 06 May 2015 - 10:51 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



