Desktop and Safe Mode won't load up


  • This topic is locked
20 replies to this topic

#1 glascow


Posted 13 December 2015 - 06:34 PM

For both cases it only loads a blank black screen with the mouse cursor. This actually happened several months ago, but I managed to fix it on my own that time (forgot exactly how). I have not used the internet on this computer in a long while (it is far overdue for a dust clean judging by the occasional humming sounds the cooling fan is making) but in the case that it may be caused by some malware residue and not a hardware-related issue I figured I might as well. It is not usually restarting and looping on its own as it would do before with this type of problem. I kind of need this done quickly because I'm in the middle of transitioning some of my files from this old comp into a new one. I am typing this post from Splashtop.
 
edit: updated FRST.txt as that was taken at 01:00 AM
 
FRST.txt:
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:09-12-2015
Ran by SYSTEM on MININT-L6HU9RL (13-12-2015 19:08:38)
Running from g:\
Platform: Windows 7 Home Premium (X64) Language: English (United States)
Internet Explorer Version 8
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2096424 2010-05-27] (Synaptics Incorporated)
HKLM\...\Run: [AmIcoSinglun64] => C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [324096 2010-06-25] (Alcor Micro Corp.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-06-17] (IDT, Inc.)
HKLM\...\Run: [IntelWireless] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1928976 2010-03-05] (Intel® Corporation)
HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [611896 2010-01-20] ()
HKLM\...\Run: [HPWirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-06-18] (Hewlett-Packard Company)
HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [2417032 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [AtwtusbIcon] => C:\Windows\system32\AtwtusbIcon.exe [3593728 2012-09-10] ()
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [EgisTecPMMUpdate] => C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [401192 2009-12-24] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] => C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [201512 2009-12-24] (Egis Technology Inc.)
HKLM-x32\...\Run: [VitaKeyTSR] => C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisTSR.exe [380272 2010-06-08] (Egis Technology Inc. )
HKLM-x32\...\Run: [Bing Bar] => C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe [243544 2010-04-13] (Microsoft Corp.)
HKLM-x32\...\Run: [Microsoft Default Manager] => C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [288088 2009-11-11] (Microsoft Corporation)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [602168 2010-06-29] (Hewlett-Packard Company)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35760 2009-12-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [421736 2012-03-27] (Apple Inc.)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [976320 2009-12-03] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [89456 2011-03-07] (Elaborate Bytes AG)
HKLM-x32\...\Run: [amd_dc_opt] => C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [6108752 2015-11-16] (AVAST Software)
HKLM-x32\...\Run: [atwtusb] => C:\Windows\SysWOW64\atwtusb.exe [364192 2007-12-05] ()
HKLM\...\RunOnce: [*WerKernelReporting] => C:\Windows\SYSTEM32\WerFault.exe [415232 2009-07-13] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\admin\...\Run: [HPAdvisorDock] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\admin\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3671872 2012-04-17] (DT Soft Ltd)
HKU\admin\...\Run: [Akamai NetSession Interface] => C:\Users\admin\AppData\Local\Akamai\netsession_win.exe [4691384 2015-09-10] (Akamai Technologies, Inc.)
HKU\admin\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Program Files (x86)\ScreenSaverGift\Rain And Snow\Rain And Snow.scr [22433792 2011-07-02] ()
HKU\Default\...\Run: [HPAdvisorDock] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Default User\...\Run: [HPAdvisorDock] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [146600 2015-07-20] (AVAST Software)
S2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [109008 2015-07-20] (AVAST Software)
S2 EgisTec Service; C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe [697712 2010-06-08] (Egis Technology Inc. )
S2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [27192 2010-06-29] ()
S2 mi-raysat_3dsmax2013_32; C:\Program Files (x86)\Autodesk\3ds Max Design 2013\NVIDIA\raysat_3dsmax2013_32server.exe [86016 2011-09-14] ()
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-05] ()
S2 PSI_SVC_2_x64; c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [336824 2010-11-30] (arvato digital services llc)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
S2 WTService; C:\Windows\system32\atwtusb.exe [582144 2013-11-12] ()
S2 WTService; C:\Windows\SysWOW64\atwtusb.exe [364192 2007-12-05] ()
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 63583163; C:\Windows\System32\drivers\17432469.sys [208216 2013-06-14] (Kaspersky Lab, GERT)
S5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [28656 2015-07-20] (AVAST Software)
S1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [28144 2015-07-20] (AVAST Software)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [90968 2015-07-20] (AVAST Software)
S0 aswNdisFlt; C:\Windows\System32\DRIVERS\aswNdisFlt.sys [454016 2015-07-20] (AVAST Software)
S1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-07-20] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65224 2015-07-20] (AVAST Software)
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1059656 2015-11-16] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [449992 2015-11-16] (AVAST Software)
S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [150160 2015-07-20] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [274808 2015-07-20] (AVAST Software)
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-05-08] (DT Soft Ltd)
S1 DVMIO; C:\Windows\System32\DRIVERS\dvmio.sys [20056 2009-11-11] (DeviceVM, Inc.)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 moufiltr; C:\Windows\System32\DRIVERS\moufiltr.sys [7680 2009-03-08] (Windows ® Codename Longhorn DDK provider)
S3 vhidmini; C:\Windows\System32\DRIVERS\walvhid.sys [7552 2009-08-26] (Windows ® Win 7 DDK provider)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-08 22:20 - 2015-12-08 22:20 - 00003288 ____N C:\bootsqm.dat
2015-12-08 21:39 - 2015-12-08 21:39 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2015-12-08 21:39 - 2015-12-08 21:39 - 00000000 ____D C:\Program Files\Common Files\AV
2015-12-08 07:45 - 2015-12-08 07:45 - 00007605 _____ C:\Users\admin\AppData\Local\Resmon.ResmonCfg
2015-12-04 07:42 - 2015-12-04 07:49 - 00000000 ____D C:\Users\admin\Desktop\Please delete
2015-11-29 23:57 - 2015-11-30 02:32 - 00000000 ____D C:\Users\admin\Downloads\Retropop
2015-11-23 07:24 - 2015-11-23 07:24 - 18324168 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2015-11-14 06:08 - 2015-11-14 07:06 - 00000000 ____D C:\Users\admin\Downloads\Selig
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-13 14:48 - 2009-07-13 18:34 - 00000518 _____ C:\Windows\win.ini
2015-12-13 14:47 - 2009-09-06 16:40 - 00000000 ____D C:\SwSetup
2015-12-13 12:56 - 2014-11-09 04:10 - 00000000 ____D C:\FRST
2015-12-10 15:09 - 2012-07-16 11:13 - 01100588 _____ C:\Windows\ntbtlog.txt
2015-12-08 21:39 - 2009-07-13 21:13 - 00792126 _____ C:\Windows\System32\PerfStringBackup.INI
2015-12-08 21:39 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2015-12-08 21:35 - 2014-12-04 06:06 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-12-08 21:32 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-08 14:46 - 2014-12-04 06:06 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-12-08 14:24 - 2012-04-02 04:08 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-12-08 08:37 - 2013-09-11 04:56 - 00000000 ____D C:\Users\admin\AppData\Roaming\foobar2000
2015-12-08 08:01 - 2009-07-13 20:45 - 00023024 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-08 08:01 - 2009-07-13 20:45 - 00023024 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-08 07:50 - 2012-09-01 05:30 - 00000000 ____D C:\Users\admin\AppData\Roaming\Audacity
2015-11-29 22:46 - 2013-08-18 21:48 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2015-11-23 07:25 - 2012-04-02 04:08 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-11-23 07:24 - 2012-04-02 04:08 - 00780488 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-11-23 07:24 - 2012-04-02 04:08 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-11-16 10:29 - 2013-08-18 21:48 - 01059656 _____ (AVAST Software) C:\Windows\System32\Drivers\aswsnx.sys
2015-11-16 10:29 - 2013-08-18 21:48 - 00449992 _____ (AVAST Software) C:\Windows\System32\Drivers\aswsp.sys
 
Some files in TEMP:
====================
C:\Users\admin\AppData\Local\Temp\bieiykap.dll
C:\Users\admin\AppData\Local\Temp\ptzq2vyw.dll
 
 
==================== Known DLLs (Whitelisted) =========================
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0522240 ____A (Microsoft Corporation) 009FE669EDFA4341C69D44500356543E
 
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE Association (Whitelisted) =============
 
 
==================== Restore Points =========================
 
Restore point date: 2015-12-08 22:52
 
==================== Memory info =========================== 
 
Percentage of memory in use: 18%
Total physical RAM: 3893.86 MB
Available physical RAM: 3173.51 MB
Total Virtual: 3892.01 MB
Available Virtual: 3170.84 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:441.76 GB) (Free:11.76 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (RECOVERY) (Fixed) (Total:23.7 GB) (Free:3.46 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive f: (AOMG_D2) (CDROM) (Total:0.57 GB) (Free:0 GB) CDFS
Drive g: (EPYON) (Removable) (Total:14.9 GB) (Free:7.28 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[system with boot components (obtained from drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 7D7FBDAF)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=441.8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=23.7 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 14.9 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
 
LastRegBack: 2015-11-30 05:29
 
==================== End of FRST.txt ============================

Edited by glascow, 13 December 2015 - 07:12 PM.




#2 Sintharius


Posted 13 December 2015 - 07:32 PM

Hello and welcome to the Malware Removal Logs area :)

I go by Alexstrasza, but you may call me Alex. I will assist you with your problem.

Please allow me some time to review your logs, and I will be back with instructions.

#3 Sintharius


Posted 15 December 2015 - 10:24 AM

Hello glascow,

Step 1: Fix with Farbar Recovery Scan Tool in Recovery Environment
  • On a clean machine, please download the attached fixlist.txt and save it to a flash drive with FRST.
  • Plug the flash drive into the infected PC.
To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Note: In case you can not enter System Recovery Options by using the F8 method, you can use the Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
==========

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Select Command Prompt

==========

Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and navigate to your flash drive.
  • Right click on FRST/FRST64 and select Run as Administrator.
  • The tool will start to run.
  • Press Fix just once and wait.
  • A log named Fixlog.txt will be created in the flash drive. Please post that into your next reply.
  • A file named MBRDUMP.txt will be created in the flash drive. Please attach it to your next reply.
===

Step 2: Search with Farbar Recovery Scan Tool
  • While FRST is running, type the contents of the following box into the white box in FRST:
    rpcss.dll
    
  • Press Search Files.
  • A log named Search.txt will be created in your flash drive. Please post that into your next reply.
===

Step 3: Please reboot into Normal Mode, then follow these instructions.
  • Press Ctrl + Alt + Delete to bring up Task Manager.
  • If Task Manager launched successfully, press the Windows key + R to bring up the Run box.
  • If the Run box launched successfully, type in explorer.exe and press Enter.
  • Let me know if the Desktop launches normally or not.
To recap, in your next reply I will need the following:
  • What happens when you try to boot into Normal Mode?
  • Contents of Fixlog.txt and Search.txt;
  • Attached MBRDUMP.txt.
  • Did the Desktop launch successfully with the above instructions?
Regards,
Alex

#4 glascow


Posted 17 December 2015 - 08:25 AM

Apologies for the delay, Alex. How have you been?

 

1) Fixlog.txt:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:09-12-2015
Ran by SYSTEM (2015-12-17 04:56:30) Run:5
Running from G:\
Boot Mode: Recovery
==============================================
 
fixlist content:
*****************
S3 63583163; C:\Windows\System32\drivers\17432469.sys [208216 2013-06-14] (Kaspersky Lab, GERT)
C:\Users\admin\AppData\Local\Temp\bieiykap.dll
C:\Users\admin\AppData\Local\Temp\ptzq2vyw.dll
cmd: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
cmd: reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot"
cmd: reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot"
SaveMBR: drive=0
*****************
 
63583163 => service removed successfully
C:\Users\admin\AppData\Local\Temp\bieiykap.dll => moved successfully
C:\Users\admin\AppData\Local\Temp\ptzq2vyw.dll => moved successfully
 
=========  reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell =========
 
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    cmd.exe /k start cmd.exe
 
 
========= End of CMD: =========
 
 
=========  reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot" =========
 
 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
    AlternateShell    REG_SZ    cmd.exe
 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network
 
========= End of CMD: =========
 
 
=========  reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot" =========
 
ERROR: The system was unable to find the specified registry key or value.
 
========= End of CMD: =========
 
MBRDUMP.txt is made successfully.
 
==== End of Fixlog 04:56:30 ====
 
2) Search.txt:
 
Farbar Recovery Scan Tool (x64) Version:09-12-2015
Ran by SYSTEM (2015-12-17 05:06:34)
Running from G:\
Boot Mode: Recovery
 
================== Search Files: "rpcss.dll" =============
 
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 16:00][2009-07-13 17:41] 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027
 
C:\Windows\System32\rpcss.dll
[2009-07-13 16:00][2009-07-13 17:41] 0522240 ____A (Microsoft Corporation) 009FE669EDFA4341C69D44500356543E
 
C:\Windows\erdnt\cache64\rpcss.dll
[2013-04-21 18:17][2009-07-13 17:41] 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027
 
X:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 16:00][2009-07-13 17:41] 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027
 
X:\Windows\System32\rpcss.dll
[2009-07-13 16:00][2009-07-13 17:41] 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027
 
====== End of Search ======

 

3) The desktop did not load up successfully with the instructions given. I've shut it off again for now.

Attached Files
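The two things the helper reads off the logs above, a Winlogon Shell value that is not explorer.exe and a System32 rpcss.dll whose size and MD5 differ from every other copy FRST found, can be checked mechanically instead of by eye. The Python below is an added example, not part of this thread or of FRST: it parses the Search.txt and `reg query` excerpts posted above (embedded as sample input) and assumes the WinSxS, erdnt cache and recovery-environment copies are trustworthy references.

```python
import re
from collections import defaultdict

# FRST detail line under a path: "[created][modified] size attrs (Company) MD5".
# The Bamital section writes the same fields separated by " - ", hence the optional dash.
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\]\s*-?\s*\[(?P<modified>[^\]]+)\]\s*-?\s*"
    r"(?P<size>\d+)\s+(?P<attrs>\S+)(?:\s+\((?P<company>[^)]*)\))?\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Value line of "reg query" output, after stripping: "Name    REG_SZ    data"
REG_VALUE_RE = re.compile(r"^(?P<name>\S+)\s+REG_[A-Z_]+\s+(?P<data>.*)$")
WINLOGON_SHELL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
SAFEBOOT_ALT_SHELL = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell"

# Sample input copied from the Search.txt and Fixlog.txt excerpts posted in the thread.
SEARCH_SAMPLE = r"""
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 16:00][2009-07-13 17:41] 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

C:\Windows\System32\rpcss.dll
[2009-07-13 16:00][2009-07-13 17:41] 0522240 ____A (Microsoft Corporation) 009FE669EDFA4341C69D44500356543E

C:\Windows\erdnt\cache64\rpcss.dll
[2013-04-21 18:17][2009-07-13 17:41] 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

X:\Windows\System32\rpcss.dll
[2009-07-13 16:00][2009-07-13 17:41] 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027
"""
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    cmd.exe /k start cmd.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
    AlternateShell    REG_SZ    cmd.exe
"""


def parse_search(text):
    """Return (path, size, md5) for every path/detail line pair in Search.txt."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries = []
    for i in range(len(lines) - 1):
        m = DETAIL_RE.match(lines[i + 1]) if PATH_RE.match(lines[i]) else None
        if m:
            entries.append((lines[i], int(m.group("size")), m.group("md5").upper()))
    return entries


def outlier_copies(entries, live_prefix="C:\\Windows\\System32\\"):
    """Flag a live System32 copy whose MD5 matches none of the other copies FRST found
    (WinSxS store, ERUNT cache, recovery environment), which are assumed trustworthy."""
    by_name = defaultdict(list)
    for path, size, md5 in entries:
        by_name[path.rsplit("\\", 1)[-1].lower()].append((path, size, md5))
    findings = []
    for copies in by_name.values():
        for path, size, md5 in copies:
            if not path.lower().startswith(live_prefix.lower()):
                continue
            reference = {m for p, _, m in copies if p != path}
            if reference and md5 not in reference:
                findings.append((path, size, md5, sorted(reference)))
    return findings


def parse_reg_query(text):
    """Map 'KEY\\ValueName' -> data for the reg query output FRST echoes in Fixlog."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("HKEY_"):
            key = line
            continue
        m = REG_VALUE_RE.match(line)
        if m and key:
            values[key + "\\" + m.group("name")] = m.group("data").strip()
    return values


def shell_findings(values):
    """Compare against the Windows 7 defaults: explorer.exe for the desktop, cmd.exe for
    Safe Mode with Command Prompt. A missing Winlogon Shell is not flagged (falls back to explorer.exe)."""
    findings = []
    shell = values.get(WINLOGON_SHELL)
    if shell is not None and shell.lower() != "explorer.exe":
        findings.append(("Winlogon Shell", shell))
    alt = values.get(SAFEBOOT_ALT_SHELL)
    if alt is not None and alt.lower() != "cmd.exe":
        findings.append(("SafeBoot AlternateShell", alt))
    return findings


if __name__ == "__main__":
    for path, size, md5, reference in outlier_copies(parse_search(SEARCH_SAMPLE)):
        print(f"{path}: {size} bytes, MD5 {md5} matches none of {reference}")
    for name, data in shell_findings(parse_reg_query(REG_SAMPLE)):
        print(f"{name} = {data!r} (not the default)")
```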



#5 Sintharius


Posted 17 December 2015 - 10:47 PM

Hello glascow,

When you were performing the instructions to load up Explorer, which step failed? Did the Task Manager not appear, did the Run box not appear, or did Explorer not launch?

Fix with Farbar Recovery Scan Tool in Recovery Environment
  • On a clean machine, please download the attached fixlist.txt and save it to your flash drive with FRST.
  • Plug the flash drive into the infected PC.
To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Note: In case you can not enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
==========

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Select Command Prompt

==========

Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and navigate to your flash drive.
  • Right click on FRST/FRST64 and select Run as Administrator.
  • The tool will start to run.
  • Press Fix just once and wait.
  • A log named Fixlog.txt will be created in the flash drive. Please post that into your next reply.
After that please create a new FRST log while in Recovery Environment and post it here.

When you are done with the logs, please reboot into Windows and let me know if things show up normally.

Regards,
Alex 

#6 glascow


Posted 18 December 2015 - 12:17 AM

Neither the Task Manager nor Run appeared. I presumed they were to be done at the blank screen, so if I was supposed to perform the command somewhere else, please let me know.

 

1) Fixlog.txt:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:09-12-2015
Ran by SYSTEM (2015-12-17 23:07:51) Run:6
Running from g:\
Boot Mode: Recovery
==============================================
 
fixlist content:
*****************
C:\Windows\System32\drivers\17432469.sys
cmd: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /f
cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "explorer.exe" /f
Replace: X:\Windows\System32\rpcss.dll C:\Windows\System32\rpcss.dll
*****************
 
C:\Windows\System32\drivers\17432469.sys => moved successfully
 
=========  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /f =========
 
The operation completed successfully.
 
 
========= End of CMD: =========
 
 
=========  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "explorer.exe" /f =========
 
The operation completed successfully.
 
 
========= End of CMD: =========
 
C:\Windows\System32\rpcss.dll => moved successfully
X:\Windows\System32\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll
 
==== End of Fixlog 23:07:52 ====
 
FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:09-12-2015
Ran by SYSTEM on MININT-95QJ26M (17-12-2015 23:08:22)
Running from g:\
Platform: Windows 7 Home Premium (X64) Language: English (United States)
Internet Explorer Version 8
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2096424 2010-05-27] (Synaptics Incorporated)
HKLM\...\Run: [AmIcoSinglun64] => C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [324096 2010-06-25] (Alcor Micro Corp.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-06-17] (IDT, Inc.)
HKLM\...\Run: [IntelWireless] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1928976 2010-03-05] (Intel® Corporation)
HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [611896 2010-01-20] ()
HKLM\...\Run: [HPWirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-06-18] (Hewlett-Packard Company)
HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [2417032 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [AtwtusbIcon] => C:\Windows\system32\AtwtusbIcon.exe [3593728 2012-09-10] ()
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [EgisTecPMMUpdate] => C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [401192 2009-12-24] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] => C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [201512 2009-12-24] (Egis Technology Inc.)
HKLM-x32\...\Run: [VitaKeyTSR] => C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisTSR.exe [380272 2010-06-08] (Egis Technology Inc. )
HKLM-x32\...\Run: [Bing Bar] => C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe [243544 2010-04-13] (Microsoft Corp.)
HKLM-x32\...\Run: [Microsoft Default Manager] => C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [288088 2009-11-11] (Microsoft Corporation)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [602168 2010-06-29] (Hewlett-Packard Company)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35760 2009-12-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [421736 2012-03-27] (Apple Inc.)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [976320 2009-12-03] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [89456 2011-03-07] (Elaborate Bytes AG)
HKLM-x32\...\Run: [amd_dc_opt] => C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [6108752 2015-11-16] (AVAST Software)
HKLM-x32\...\Run: [atwtusb] => C:\Windows\SysWOW64\atwtusb.exe [364192 2007-12-05] ()
HKLM\...\RunOnce: [*WerKernelReporting] => C:\Windows\SYSTEM32\WerFault.exe [415232 2009-07-13] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\admin\...\Run: [HPAdvisorDock] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\admin\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3671872 2012-04-17] (DT Soft Ltd)
HKU\admin\...\Run: [Akamai NetSession Interface] => C:\Users\admin\AppData\Local\Akamai\netsession_win.exe [4691384 2015-09-10] (Akamai Technologies, Inc.)
HKU\admin\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Program Files (x86)\ScreenSaverGift\Rain And Snow\Rain And Snow.scr [22433792 2011-07-02] ()
HKU\Default\...\Run: [HPAdvisorDock] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Default User\...\Run: [HPAdvisorDock] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [146600 2015-07-20] (AVAST Software)
S2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [109008 2015-07-20] (AVAST Software)
S2 EgisTec Service; C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe [697712 2010-06-08] (Egis Technology Inc. )
S2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [27192 2010-06-29] ()
S2 mi-raysat_3dsmax2013_32; C:\Program Files (x86)\Autodesk\3ds Max Design 2013\NVIDIA\raysat_3dsmax2013_32server.exe [86016 2011-09-14] ()
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-05] ()
S2 PSI_SVC_2_x64; c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [336824 2010-11-30] (arvato digital services llc)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
S2 WTService; C:\Windows\system32\atwtusb.exe [582144 2013-11-12] ()
S2 WTService; C:\Windows\SysWOW64\atwtusb.exe [364192 2007-12-05] ()
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [28656 2015-07-20] (AVAST Software)
S1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [28144 2015-07-20] (AVAST Software)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [90968 2015-07-20] (AVAST Software)
S0 aswNdisFlt; C:\Windows\System32\DRIVERS\aswNdisFlt.sys [454016 2015-07-20] (AVAST Software)
S1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-07-20] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65224 2015-07-20] (AVAST Software)
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1059656 2015-11-16] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [449992 2015-11-16] (AVAST Software)
S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [150160 2015-07-20] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [274808 2015-07-20] (AVAST Software)
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-05-08] (DT Soft Ltd)
S1 DVMIO; C:\Windows\System32\DRIVERS\dvmio.sys [20056 2009-11-11] (DeviceVM, Inc.)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 moufiltr; C:\Windows\System32\DRIVERS\moufiltr.sys [7680 2009-03-08] (Windows ® Codename Longhorn DDK provider)
S3 vhidmini; C:\Windows\System32\DRIVERS\walvhid.sys [7552 2009-08-26] (Windows ® Win 7 DDK provider)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-08 22:20 - 2015-12-08 22:20 - 00003288 ____N C:\bootsqm.dat
2015-12-08 21:39 - 2015-12-08 21:39 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2015-12-08 21:39 - 2015-12-08 21:39 - 00000000 ____D C:\Program Files\Common Files\AV
2015-12-08 07:45 - 2015-12-08 07:45 - 00007605 _____ C:\Users\admin\AppData\Local\Resmon.ResmonCfg
2015-12-04 07:42 - 2015-12-04 07:49 - 00000000 ____D C:\Users\admin\Desktop\Please delete
2015-11-29 23:57 - 2015-11-30 02:32 - 00000000 ____D C:\Users\admin\Downloads\Retropop
2015-11-23 07:24 - 2015-11-23 07:24 - 18324168 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-17 21:04 - 2009-07-13 18:34 - 00000518 _____ C:\Windows\win.ini
2015-12-17 20:26 - 2009-09-06 16:40 - 00000000 ____D C:\SwSetup
2015-12-17 19:08 - 2014-11-09 04:10 - 00000000 ____D C:\FRST
2015-12-10 15:09 - 2012-07-16 11:13 - 01100588 _____ C:\Windows\ntbtlog.txt
2015-12-08 21:39 - 2009-07-13 21:13 - 00792126 _____ C:\Windows\System32\PerfStringBackup.INI
2015-12-08 21:39 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2015-12-08 21:35 - 2014-12-04 06:06 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-12-08 21:32 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-08 14:46 - 2014-12-04 06:06 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-12-08 14:24 - 2012-04-02 04:08 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-12-08 08:37 - 2013-09-11 04:56 - 00000000 ____D C:\Users\admin\AppData\Roaming\foobar2000
2015-12-08 08:01 - 2009-07-13 20:45 - 00023024 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-08 08:01 - 2009-07-13 20:45 - 00023024 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-08 07:50 - 2012-09-01 05:30 - 00000000 ____D C:\Users\admin\AppData\Roaming\Audacity
2015-11-29 22:46 - 2013-08-18 21:48 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2015-11-23 07:25 - 2012-04-02 04:08 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-11-23 07:24 - 2012-04-02 04:08 - 00780488 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-11-23 07:24 - 2012-04-02 04:08 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
 
==================== Known DLLs (Whitelisted) =========================
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE Association (Whitelisted) =============
 
 
==================== Restore Points =========================
 
Restore point date: 2015-12-08 22:52
 
==================== Memory info =========================== 
 
Percentage of memory in use: 18%
Total physical RAM: 3893.86 MB
Available physical RAM: 3169.23 MB
Total Virtual: 3892.01 MB
Available Virtual: 3162.57 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:441.76 GB) (Free:11.76 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (RECOVERY) (Fixed) (Total:23.7 GB) (Free:3.46 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive f: (AOMG_D2) (CDROM) (Total:0.57 GB) (Free:0 GB) CDFS
Drive g: (EPYON) (Removable) (Total:14.9 GB) (Free:7.28 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[system with boot components (obtained from drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 7D7FBDAF)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=441.8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=23.7 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 14.9 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
 
LastRegBack: 2015-11-30 05:29
 
==================== End of FRST.txt ============================
 
edit: The computer has not been able to boot up the desktop yet.

Edited by glascow, 18 December 2015 - 12:21 AM.


#7 Sintharius (Bleepin' Sniper, The Netherlands)

Posted 19 December 2015 - 11:44 PM

Hello glascow,

 

It would be best that you print out the instructions or view them on another medium while following them, as they can be a bit complicated.

Step 1: Fix with Farbar Recovery Scan Tool in Recovery Environment

  • On a clean machine, please download the attached fixlist.txt and save it to your flash drive with FRST.
  • Plug the flash drive into the infected PC.
  • Reboot into the Recovery Environment using Advanced Boot Options or the Windows installation disk.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and navigate to your flash drive. Take note of the drive letter of the partition with Windows installed, you will need it later.
  • Select the fixlist.txt and click Open.
  • You will see these two lines:
    cmd: sfc /scannow /offbootdir=c:\ /offwindir=c:\windows
    cmd: chkdsk /f c:
    Replace the c: with the correct drive letter of the partition with Windows installed.
  • Save the fixlist.txt, then select File -> Open again. Navigate to your flash drive.
  • Right click on FRST/FRST64 and select Run as Administrator.
  • The tool will start to run.
  • Press Fix just once and wait.
  • A log named Fixlog.txt will be created in the flash drive. Please post that into your next reply.

===

Step 2: After fixing with FRST, please reboot. While the computer is booting, tap F8 repeatedly to get to the Advanced Boot Options.

While you are there, select the Startup Repair option and press Enter. Follow the instructions to let Windows try to repair itself.

If it did not work, please reboot again and select Last Known Good Configuration.

If LKGC also failed, reboot and use System Restore to roll back to a date when your computer was still working.

Let me know what happened - if any of them succeeded or all failed, with what error if they fail.

Regards,
Alex 



#8 glascow (Topic Starter)

Posted 20 December 2015 - 02:27 AM

Correct me if I'm wrong but I don't see a Fixlist.txt attachment, unless I'm supposed to make my own with those commands?



#9 Sintharius (Bleepin' Sniper, The Netherlands)

Posted 20 December 2015 - 03:07 AM

My apologies, it should be attached now.

#10 glascow (Topic Starter)

Posted 20 December 2015 - 10:52 AM

It's no problem, I was just wondering.

 

I'm presuming the partition is called "Boot"

 

1) Fixlist.txt:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:09-12-2015
Ran by SYSTEM (2015-12-20 10:30:18) Run:7
Running from G:\
Boot Mode: Recovery
==============================================
 
fixlist content:
*****************
cmd: sfc /scannow /offbootdir=x:\ /offwindir=x:\windows
cmd: chkdsk /f x:
*****************
 
 
=========  sfc /scannow /offbootdir=x:\ /offwindir=x:\windows =========
 
 
 
The arguments passed to sfc are invalid.  The offline windows directory  
 
specified points to the online system.
 
 
========= End of CMD: =========
 
 
=========  chkdsk /f x: =========
 
The type of the file system is NTFS.
Windows cannot run disk checking on this volume because it is write protected.
 
========= End of CMD: =========
 
 
==== End of Fixlog 10:30:18 ====
 
2) Startup Repair did not find any problems.
 
Last Known Good Configuration managed to reach the Login screen. It is taking a while for Windows to load though, I will update as soon as the desktop appears or not.
 
edit: It took a while but the desktop managed to load up. I've since shut down the computer again to cool it down.

Edited by glascow, 20 December 2015 - 11:59 AM.
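The fix in post #7 needs the drive letter of the offline Windows partition, and post #10 shows what happens when that letter is guessed: X: is the recovery environment's own boot image (the FRST log lists it as Drive x: (Boot), 0.03 GB), so sfc rejects it as the online system and chkdsk reports it write-protected, while the 441 GB Windows volume appears in the same log as C:. The batch script below is an added example, not part of this thread and not FRST's own fixlist. Run from the Windows 7 WinRE command prompt, it scans every letter for a volume holding both \Windows\System32\config\SYSTEM and \Windows\explorer.exe, skips whatever %SystemDrive% WinRE booted from, looks for the volume holding \Boot\BCD to use for /offbootdir (with a separate System partition that is not the Windows volume; on this machine it is probably the 199 MB SYSTEM partition FRST lists as Y:, which is an assumption, not something the log confirms), and only then runs the two repair commands. The paths it probes and the file name fixdrive.cmd are assumptions about a standard Windows 7 layout.

```batch
@echo off
rem Added example, not from this thread and not FRST's fixlist: locate the
rem offline Windows installation from a Windows 7 WinRE command prompt and
rem run the two repair commands against it instead of a guessed letter.
rem Assumptions: standard Windows 7 layout, i.e. \Windows\System32\config\SYSTEM
rem and \Windows\explorer.exe on the OS volume and \Boot\BCD on the boot volume,
rem and %SystemDrive% is the volume WinRE itself booted from, X: in the log above.
setlocal EnableDelayedExpansion
set "OSDRIVES="
set "OSCOUNT=0"
set "BOOTDRIVES="
set "BOOTCOUNT=0"

for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    rem Skip the volume WinRE booted from: sfc rejects it as the online
    rem system and chkdsk reports it write-protected, as seen in post #10.
    if /I not "%%D:"=="%SystemDrive%" (
        if exist "%%D:\Windows\System32\config\SYSTEM" if exist "%%D:\Windows\explorer.exe" (
            set /a OSCOUNT+=1
            set "OSDRIVES=!OSDRIVES! %%D:"
        )
        if exist "%%D:\Boot\BCD" (
            set /a BOOTCOUNT+=1
            set "BOOTDRIVES=!BOOTDRIVES! %%D:"
        )
    )
)

if %OSCOUNT% NEQ 1 (
    echo Expected exactly one offline Windows installation, found %OSCOUNT%:%OSDRIVES%
    echo Pick the letter by hand, e.g.  sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows
    exit /b 1
)
for %%D in (%OSDRIVES%) do set "WINDRV=%%D"

rem /offbootdir must point at the volume holding \Boot\BCD. A vendor recovery
rem partition may carry its own BCD, so refuse to guess between several.
if %BOOTCOUNT% EQU 0 set "BOOTDRV=%WINDRV%"
if %BOOTCOUNT% EQU 1 for %%D in (%BOOTDRIVES%) do set "BOOTDRV=%%D"
if %BOOTCOUNT% GTR 1 (
    echo Several volumes hold \Boot\BCD:%BOOTDRIVES%
    echo Use the active partition ^(diskpart: list volume, list partition^) for /offbootdir.
    exit /b 1
)

echo Windows volume: %WINDRV%   Boot volume: %BOOTDRV%
chkdsk /f %WINDRV%
sfc /scannow /offbootdir=%BOOTDRV%\ /offwindir=%WINDRV%\Windows
endlocal
```

Save it as fixdrive.cmd on the FRST flash drive and, at the WinRE prompt, run it with the flash drive's letter (the one Notepad's Open dialog shows in post #7's steps, G: in this thread's logs). If you prefer to stay with the fixlist approach, the two letters the script prints are the ones to substitute into the sfc and chkdsk lines from post #7.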


#11 Sintharius (Bleepin' Sniper, The Netherlands)

Posted 23 December 2015 - 05:47 AM

Hello glascow,

Glad to hear that you got the Desktop running.  :)

Please boot into Normal Mode and create a new set of FRST logs for me - FRST.txt and Addition.txt.

Regards,
Alex 



#12 glascow (Topic Starter)

Posted 24 December 2015 - 11:22 PM

Thank you for your help Alex, I hope your winter holiday is good regardless of whether you celebrate it or not.

 

FRST.txt:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:23-12-2015
Ran by admin (administrator) on ADMIN-HP (24-12-2015 22:33:05)
Running from C:\Users\admin\Desktop
Loaded Profiles: admin (Available Profiles: admin)
Platform: Windows 7 Home Premium (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Hewlett-Packard) C:\Windows\System32\hpservice.exe
(Validity Sensors, Inc.) C:\Windows\System32\vcsFPService.exe
(Egis Technology Inc. ) C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe
(Egis Technology Inc. ) C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\afwServ.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(CinemaNow, Inc.) C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
() C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
() C:\Program Files (x86)\Autodesk\3ds Max Design 2013\NVIDIA\raysat_3dsmax2013_32server.exe
(arvato digital services llc) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
() C:\Windows\System32\atwtusb.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
() C:\Windows\System32\atwtusb.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Alcor Micro Corp.) C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
() C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(CyberLink) C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\YCMMirage.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
() C:\Windows\System32\AtwtusbIcon.exe
(Akamai Technologies, Inc.) C:\Users\admin\AppData\Local\Akamai\netsession_win.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
(Akamai Technologies, Inc.) C:\Users\admin\AppData\Local\Akamai\netsession_win.exe
(Microsoft Corp.) C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
(Elaborate Bytes AG) C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Hewlett-Packard Development Company L.P.) C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2096424 2010-05-27] (Synaptics Incorporated)
HKLM\...\Run: [AmIcoSinglun64] => C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [324096 2010-06-25] (Alcor Micro Corp.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-06-17] (IDT, Inc.)
HKLM\...\Run: [IntelWireless] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1928976 2010-03-05] (Intel® Corporation)
HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [611896 2010-01-20] ()
HKLM\...\Run: [HPWirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-06-18] (Hewlett-Packard Company)
HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [2417032 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [AtwtusbIcon] => C:\Windows\system32\AtwtusbIcon.exe [3593728 2012-09-10] ()
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [EgisTecPMMUpdate] => C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [401192 2009-12-24] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] => C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [201512 2009-12-24] (Egis Technology Inc.)
HKLM-x32\...\Run: [VitaKeyTSR] => C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisTSR.exe [380272 2010-06-08] (Egis Technology Inc. )
HKLM-x32\...\Run: [Bing Bar] => C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe [243544 2010-04-13] (Microsoft Corp.)
HKLM-x32\...\Run: [Microsoft Default Manager] => C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [288088 2009-11-11] (Microsoft Corporation)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [602168 2010-06-29] (Hewlett-Packard Company)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35760 2009-12-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [421736 2012-03-27] (Apple Inc.)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [976320 2009-12-03] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [89456 2011-03-07] (Elaborate Bytes AG)
HKLM-x32\...\Run: [amd_dc_opt] => C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [6108752 2015-11-16] (AVAST Software)
HKLM-x32\...\Run: [atwtusb] => C:\Windows\SysWOW64\atwtusb.exe [364192 2007-12-05] ()
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2284440560-2780697144-91482775-1000\...\Run: [HPAdvisorDock] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\S-1-5-21-2284440560-2780697144-91482775-1000\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3671872 2012-04-17] (DT Soft Ltd)
HKU\S-1-5-21-2284440560-2780697144-91482775-1000\...\Run: [Akamai NetSession Interface] => C:\Users\admin\AppData\Local\Akamai\netsession_win.exe [4691384 2015-09-10] (Akamai Technologies, Inc.)
HKU\S-1-5-21-2284440560-2780697144-91482775-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Program Files (x86)\ScreenSaverGift\Rain And Snow\Rain And Snow.scr [22433792 2011-07-02] ()
HKU\S-1-5-18\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\system32\Macromed\Flash\FlashUtil64_15_0_0_246_ActiveX.exe -update activex
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-07-20] (AVAST Software)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk [2012-03-20]
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [232448 2009-07-13] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 C:\Windows\System32\mswsock.dll [320000 2009-07-13] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Tcpip\Parameters: [DhcpNameServer] 192.168.200.1
Tcpip\..\Interfaces\{D1ACD2B1-0603-49A3-A9A7-A92B738CB101}: [DhcpNameServer] 192.168.200.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPNOT/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPNOT/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT/1
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2284440560-2780697144-91482775-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com/webhp?hl=ja&tab=Tw
HKU\S-1-5-21-2284440560-2780697144-91482775-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {28F7CE8F-22D2-4657-B15C-A31A2FBE6E3C} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM -> {6BA94E4A-1CD9-48AC-8C74-D585A2D05550} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM -> {DA6BA16C-5387-4BD6-8999-A21CEE124C9E} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {6BA94E4A-1CD9-48AC-8C74-D585A2D05550} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {DA6BA16C-5387-4BD6-8999-A21CEE124C9E} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKU\S-1-5-21-2284440560-2780697144-91482775-1000 -> DefaultScope {6BA94E4A-1CD9-48AC-8C74-D585A2D05550} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2284440560-2780697144-91482775-1000 -> {6BA94E4A-1CD9-48AC-8C74-D585A2D05550} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2284440560-2780697144-91482775-1000 -> {DA6BA16C-5387-4BD6-8999-A21CEE124C9E} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2013-08-18] (Oracle Corporation)
BHO: EgisPBIE Class -> {7B51CCBE-4AF9-44A6-BDAB-D7F7E4C4E6F9} -> C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\x64\EgisPBIE.dll [2010-06-08] (Egis Technology Inc.)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-07-20] (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-08-18] (Oracle Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-12-21] (Adobe Systems Incorporated)
BHO-x32: Search Helper -> {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -> C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll [2010-01-14] (Microsoft Corporation)
BHO-x32: EgisPBIE Class -> {7B51CCBE-4AF9-44A6-BDAB-D7F7E4C4E6F9} -> C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisPBIE.dll [2010-06-08] (Egis Technology Inc.)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-07-20] (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO-x32: Bing Bar BHO -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll [2010-04-13] (Microsoft Corporation)
Toolbar: HKLM-x32 - @C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll [2010-04-13] (Microsoft Corporation)
DPF: HKLM {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-16] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-16] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-10-26] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-10-26] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-10-26] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-10-26] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\fhszwz1h.default
FF Homepage: hxxp://www.google.com/webhp?hl=ja&tab=Tw&gws_rd=ssl
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_207.dll [2015-10-13] ()
FF Plugin: @java.com/DTPlugin,version=10.25.2 -> C:\Windows\system32\npDeployJava1.dll [2013-08-18] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.25.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-08-18] (Oracle Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_207.dll [2015-10-13] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1165635.dll [2012-07-04] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2012-03-06] ()
FF Plugin-x32: @java.com/DTPlugin,version=10.9.2 -> C:\Windows\SysWOW64\npDeployJava1.dll [2012-11-04] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll [2010-03-31] ( Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpWinExt,version=5.0 -> C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll [2010-04-13] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8117.0416 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-04-16] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-20] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-20] (Google Inc.)
FF Extension: Live HTTP headers - C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\fhszwz1h.default\extensions\{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a} [2014-05-05] [not signed]
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-12-22]
FF HKLM-x32\...\Firefox\Extensions: [{41ecbc0b-34d5-4cd4-935f-253a30e2cb7e}] - C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\FFExt
FF Extension: SimplePass Online Accounts Extension  - C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\FFExt [2012-03-20] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [msntoolbar@msn.com] - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\Firefox
FF Extension: Bing Bar - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\Firefox [2012-03-20] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{27182e60-b5f3-411c-b545-b44205977502}] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension
FF Extension: Search Helper Extension - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension [2012-03-20] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
 
Chrome: 
=======
CHR HomePage: Default -> hxxps://www.google.com/webhp?hl=ja&tab=Tw&gws_rd=ssl
CHR StartupUrls: Default -> "hxxps://www.google.com/webhp?hl=ja&tab=Tw&gws_rd=ssl"
CHR Profile: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-04]
CHR Extension: (Google Docs) - C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-04]
CHR Extension: (Google Drive) - C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-26]
CHR Extension: (YouTube) - C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-09]
CHR Extension: (Google Search) - C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-31]
CHR Extension: (Google Sheets) - C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-04]
CHR Extension: (Google Docs Offline) - C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-11-29]
CHR Extension: (zen temple) - C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlmiiioabolbmhbhphhfjbohiiijmkee [2014-12-04]
CHR Extension: (Chrome Web Store Payments) - C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-08]
CHR Extension: (Gmail) - C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-11]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-07-20]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [146600 2015-07-20] (AVAST Software)
R2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [109008 2015-07-20] (AVAST Software)
R2 EgisTec Service; C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe [697712 2010-06-08] (Egis Technology Inc. )
R2 HP Health Check Service; C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe [121344 2010-06-30] (Hewlett-Packard Company) [File not signed]
R2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [27192 2010-06-29] ()
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 mi-raysat_3dsmax2013_32; C:\Program Files (x86)\Autodesk\3ds Max Design 2013\NVIDIA\raysat_3dsmax2013_32server.exe [86016 2011-09-14] () [File not signed]
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-05] ()
R2 PSI_SVC_2_x64; c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [336824 2010-11-30] (arvato digital services llc)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
R2 WTService; C:\Windows\system32\atwtusb.exe [582144 2013-11-12] () [File not signed]
R2 WTService; C:\Windows\SysWOW64\atwtusb.exe [364192 2007-12-05] () [File not signed]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [28656 2015-07-20] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [28144 2015-07-20] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [90968 2015-07-20] (AVAST Software)
R0 aswNdisFlt; C:\Windows\System32\DRIVERS\aswNdisFlt.sys [454016 2015-07-20] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-07-20] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65224 2015-07-20] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1059656 2015-11-16] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [449992 2015-11-16] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [150160 2015-07-20] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [274808 2015-07-20] (AVAST Software)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-05-08] (DT Soft Ltd)
R1 DVMIO; C:\Windows\System32\DRIVERS\dvmio.sys [20056 2009-11-11] (DeviceVM, Inc.)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R3 moufiltr; C:\Windows\System32\DRIVERS\moufiltr.sys [7680 2009-03-08] (Windows ® Codename Longhorn DDK provider)
R3 vhidmini; C:\Windows\System32\DRIVERS\walvhid.sys [7552 2009-08-26] (Windows ® Win 7 DDK provider)
S3 63583163; system32\drivers\17432469.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-24 17:33 - 2015-12-24 17:33 - 00026211 _____ C:\Users\admin\Desktop\FRST.txt
2015-12-24 17:31 - 2015-12-24 17:31 - 02370560 _____ (Farbar) C:\Users\admin\Desktop\FRST64.exe
2015-12-08 19:39 - 2015-12-08 19:39 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2015-12-08 19:39 - 2015-12-08 19:39 - 00000000 ____D C:\Program Files\Common Files\AV
2015-12-08 05:45 - 2015-12-08 05:45 - 00007605 _____ C:\Users\admin\AppData\Local\Resmon.ResmonCfg
2015-12-04 05:42 - 2015-12-04 05:49 - 00000000 ____D C:\Users\admin\Desktop\Please delete
2015-11-29 21:57 - 2015-11-30 00:32 - 00000000 ____D C:\Users\admin\Downloads\Retropop
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-24 17:33 - 2014-11-09 02:10 - 00000000 ____D C:\FRST
2015-12-24 17:24 - 2012-04-02 02:08 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-12-24 17:05 - 2009-07-13 18:45 - 00023024 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-24 17:05 - 2009-07-13 18:45 - 00023024 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-24 17:01 - 2014-12-04 04:06 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-12-24 17:00 - 2009-07-13 19:13 - 00792126 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-24 17:00 - 2009-07-13 17:20 - 00000000 ____D C:\Windows\inf
2015-12-24 16:56 - 2014-12-04 04:06 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-12-24 16:55 - 2009-07-13 19:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-24 16:55 - 2009-07-13 16:34 - 00000518 _____ C:\Windows\win.ini
2015-12-24 16:48 - 2012-09-01 03:30 - 00000000 ____D C:\Users\admin\AppData\Roaming\Audacity
2015-12-24 01:07 - 2013-09-11 02:56 - 00000000 ____D C:\Users\admin\AppData\Roaming\foobar2000
2015-12-20 05:56 - 2014-12-04 04:06 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-12-20 05:56 - 2014-12-04 04:06 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-12-20 05:55 - 2013-08-18 19:48 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2015-12-20 05:32 - 2009-09-06 14:40 - 00000000 ____D C:\SwSetup
2015-12-10 13:09 - 2012-07-16 09:13 - 01100588 _____ C:\Windows\ntbtlog.txt
 
==================== Files in the root of some directories =======
 
2013-05-09 21:30 - 2013-05-09 21:30 - 0234976 _____ () C:\Users\admin\AppData\Roaming\adodbupd.dat
2012-07-21 08:13 - 2012-07-21 08:39 - 0000412 _____ () C:\Users\admin\AppData\Roaming\All CPU Meter_Settings.ini
2012-07-21 08:14 - 2012-07-21 08:14 - 0000166 _____ () C:\Users\admin\AppData\Roaming\Battery Meter_Settings.ini
2012-07-21 08:16 - 2012-07-22 01:00 - 0000437 _____ () C:\Users\admin\AppData\Roaming\Digital Clock_Settings.ini
2012-07-21 08:17 - 2012-07-21 08:32 - 0000145 _____ () C:\Users\admin\AppData\Roaming\Earthquakes Meter_Settings.ini
2014-09-16 16:46 - 2014-09-16 16:46 - 0000000 _____ () C:\Users\admin\AppData\Roaming\elulxa.dll
2013-05-09 21:33 - 2013-05-09 21:33 - 0000205 _____ () C:\Users\admin\AppData\Roaming\itlsvc.dat
2012-03-21 09:19 - 2013-07-03 17:25 - 0000201 _____ () C:\Users\admin\AppData\Local\mv_music.xml
2012-03-21 09:19 - 2013-07-03 16:53 - 0000183 _____ () C:\Users\admin\AppData\Local\mv_Photo.xml
2015-12-08 05:45 - 2015-12-08 05:45 - 0007605 _____ () C:\Users\admin\AppData\Local\Resmon.ResmonCfg
2012-07-28 13:13 - 2011-01-25 13:44 - 0097280 _____ () C:\Users\admin\AppData\Local\UrlManager.exe
2012-07-28 13:13 - 2012-07-28 12:06 - 0002405 _____ () C:\Users\admin\AppData\Local\urlManager.xml
1999-07-06 14:00 - 1999-07-06 14:00 - 0000006 __RSH () C:\ProgramData\F2BDD61C-7F20-44BD-A1DB-F510E492AB22
2013-03-02 15:19 - 2013-03-02 15:22 - 0108308 _____ () C:\ProgramData\pebvyidkgdkppee
2012-03-20 18:13 - 2012-03-20 18:13 - 0000032 _____ () C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log
2010-10-26 09:10 - 2010-10-26 09:11 - 0000109 _____ () C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
2012-03-20 18:13 - 2012-03-20 18:13 - 0000032 _____ () C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log
2010-10-26 09:07 - 2010-10-26 09:07 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2012-03-20 18:12 - 2012-03-20 18:12 - 0000032 _____ () C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log
2012-03-20 18:13 - 2012-03-20 18:13 - 0000032 _____ () C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log
2010-10-26 09:06 - 2010-10-26 09:07 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
2010-10-26 09:07 - 2010-10-26 09:10 - 0000110 _____ () C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
2012-03-20 18:13 - 2012-03-20 18:13 - 0000105 _____ () C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-12-20 18:41
 
==================== End of FRST.txt ============================

 




#13 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:04:19 PM

Posted 26 December 2015 - 08:46 AM

Hello glascow,

I must warn you of the following. Please read the information carefully.

:step1: Pirated software

Bleeping Computer does not allow the use of pirated software.

The practice of using keygens, hacking tools, cracking tools, warez, torrents or any pirated software is not only considered illegal activity, but it is a serious security risk which can turn a computer into a virus honeypot or zombie.
 
When you use these kinds of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible, and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.
 
If you want to read on then the full post is here.

I will help you clean your machine, but please remember that this is a one-time deal. After that I will refuse further assistance.

===

:step2: Peer-to-peer software

Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Programs and Features.
If you wish to keep it, please do not use it until your computer is cleaned.

===

:step3: Uninstalling Programs

Click the Start orb on the taskbar, and then click the Control Panel button.
  • If you use Category mode, click on Uninstall a Program.
  • If you use Icons mode, click on Programs and Features.
A list of programs installed will be "populated" (this may take a bit of time).
If they exist, uninstall the following by clicking on the below entries and selecting Remove:

Þ·ß_VOrWACU ޷ߢ­I Ver.
Acrobat.com
Avast Internet Security
Bing Bar



Additional instructions can be found here if needed.

If you run into any issues, please let me know.

===

:step4: Fix with Farbar Recovery Scan Tool
  • Please download the attached fixlist.txt and save it to your Desktop.
    Note: It's important that both FRST/FRST64.exe and fixlist.txt are in the same location or the fix will not work!
    WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!
  • Run FRST/FRST64.exe and press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run.
  • When finished, FRST will generate a log named Fixlog.txt on the Desktop, please post it to your reply.
To recap, in your next post I will need the following information:
  • Confirmation that you have read the warnings;
  • Confirmation that you have uninstalled the software above;
  • Contents of Fixlog.txt.
Regards,
Alex 

#14 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:04:19 PM

Posted 29 December 2015 - 04:14 AM

Hello glascow,

Are you still with me? It has been three days since your last post.

#15 glascow

glascow
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:19 AM

Posted 30 December 2015 - 01:05 PM

I am fine. I was working overtime due to everyone celebrating Christmas and after. I also had to deal with a few unfortunate incidents in real life.
 
Yes, I have read and am familiar with those warnings. As a long-time gamer and one who uses and creates his own gaming modifications, I have made countless silly and stupid decisions in my short life. Truthfully I still do. If you wish to close and remove this thread after this post, I won't stop you from doing so. I fully understand if you see me as some sort of despicable scum and don't want to affiliate yourself with one you perceive to be involved in cyber-criminal acts. Frankly I am in no place here to judge anything.
 

I will help you clean your machine, but please remember that this is a one-time deal. After that I will refuse further assistance.

Cleaning my machine is no longer of importance. If you want to go away, just do so.
 
 
I have uninstalled the four programmes you have listed. The first one with the German letters I believe is an imported oriental game that did not transfer the characters properly.
 
Fixlog.txt:
 
Fix result of Farbar Recovery Scan Tool (x64) Version:29-12-2015
Ran by admin (2015-12-30 10:18:31) Run:9
Running from C:\Users\admin\Desktop
Loaded Profiles: admin (Available Profiles: admin)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Winsock: Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [232448 2009-07-13] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 C:\Windows\System32\mswsock.dll [320000 2009-07-13] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
S3 63583163; system32\drivers\17432469.sys [X]
File: C:\ProgramData\pebvyidkgdkppee
File: C:\ProgramData\F2BDD61C-7F20-44BD-A1DB-F510E492AB22
 
 
*****************
 
Winsock: Catalog5 000000000001\\LibraryPath => restored successfully (%SystemRoot%\system32\NLAapi.dll)
Winsock: Catalog5-x64 000000000001\\LibraryPath => restored successfully (%SystemRoot%\system32\NLAapi.dll)
63583163 => service removed successfully
 
========================= File: C:\ProgramData\pebvyidkgdkppee ========================
 
File not signed
MD5: 36B695730D909F01638C9B4C114328D4
Creation and modification date: 2013-03-02 15:19 - 2013-03-02 15:22
Size: 0108308
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
 
====== End of File: ======
 
 
========================= File: C:\ProgramData\F2BDD61C-7F20-44BD-A1DB-F510E492AB22 ========================
 
File not signed
MD5: 01A3D271F5334A749F44D3159EB8ACF0
Creation and modification date: 1999-07-06 14:00 - 1999-07-06 14:00
Size: 0000006
Attributes: --RSH
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
 
====== End of File: ======
 
 
==== End of Fixlog 10:18:31 ====
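The two ProgramData entries in the fixlist above were picked out of the "Files in the root of some directories" section of the earlier FRST.txt. As an added example (not FRST's own code, nor the helper's), here is a small Python parser for that section that applies a few triage heuristics (the heuristics are this example's own assumptions, not FRST's logic) and emits "File:" lines in the fixlist form seen in the Fixlog, where that directive makes FRST report on a file rather than remove it:

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Layout of one line in FRST's "Files in the root of some directories" section:
#   <created> - <modified> - <size> <attrs> (<company>) <path>
# where <attrs> is a five-character field such as _____, ____D, ____H or __RSH.
FRST_FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)

# Constructed sample: five lines copied from the FRST.txt listing in this thread.
SAMPLE_LISTING = [
    r"2012-07-21 08:13 - 2012-07-21 08:39 - 0000412 _____ () C:\Users\admin\AppData\Roaming\All CPU Meter_Settings.ini",
    r"2014-09-16 16:46 - 2014-09-16 16:46 - 0000000 _____ () C:\Users\admin\AppData\Roaming\elulxa.dll",
    r"1999-07-06 14:00 - 1999-07-06 14:00 - 0000006 __RSH () C:\ProgramData\F2BDD61C-7F20-44BD-A1DB-F510E492AB22",
    r"2013-03-02 15:19 - 2013-03-02 15:22 - 0108308 _____ () C:\ProgramData\pebvyidkgdkppee",
    r"2012-03-20 18:13 - 2012-03-20 18:13 - 0000032 _____ () C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log",
]


@dataclass
class FrstFileEntry:
    created: str
    modified: str
    size: int
    attrs: str
    company: str
    path: str


def parse_frst_file_line(line: str) -> Optional[FrstFileEntry]:
    """Parse one listing line; return None for lines that are not file entries."""
    m = FRST_FILE_RE.match(line.strip())
    if not m:
        return None
    return FrstFileEntry(m["created"], m["modified"], int(m["size"]),
                         m["attrs"], m["company"], m["path"])


def triage(entry: FrstFileEntry) -> List[str]:
    """Assumed heuristics (this example's own): reasons an entry deserves a closer look."""
    reasons: List[str] = []
    name = entry.path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if "H" in entry.attrs and "S" in entry.attrs:
        # Hidden+system on a file in a user-writable data root is unusual for legitimate software.
        reasons.append("hidden+system attributes on a data-directory file")
    if entry.size == 0 and ext in ("dll", "exe", "sys"):
        # A zero-byte executable image is a leftover placeholder or a failed drop, never a working library.
        reasons.append("zero-byte executable image")
    if not ext:
        # Extensionless blobs in ProgramData / Roaming roots are a common place to stash payloads or config.
        reasons.append("extensionless file in a data directory root")
    return reasons


def triage_listing(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged path to its list of reasons; unflagged and unparseable lines are skipped."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_frst_file_line(line)
        if entry is not None:
            reasons = triage(entry)
            if reasons:
                findings[entry.path] = reasons
    return findings


def fixlist_file_directives(findings: Dict[str, List[str]]) -> List[str]:
    """Render flagged paths as 'File:' directives, the report-only form used in the fixlist above."""
    return [f"File: {path}" for path in sorted(findings)]


if __name__ == "__main__":
    found = triage_listing(SAMPLE_LISTING)
    for path, reasons in found.items():
        print(f"{path}: {'; '.join(reasons)}")
    print("\n".join(fixlist_file_directives(found)))
```

Run against the full FRST.txt the script only handles lines in the section's layout; the "One Month" sections omit the company field for most entries and would need a second pattern.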



