Ransomware took over and nothing is safe... FRST results

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-10-2013
Ran by SYSTEM on MININT-LHCDJK9 on 12-10-2013 16:46:39
Running from F:\
Windows 7 Professional (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8067616 2009-08-18] (Realtek Semiconductor)
HKLM\...\Run: [Launchpad] - C:\Program Files\Windows Server\Bin\Launchpad.exe [1099360 2012-11-02] (Microsoft Corporation)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM-x32\...\Run: [iAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [RoxWatchTray] - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-09-03] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] - C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [518640 2010-09-02] ()
HKLM-x32\...\Run: [OfficeScanNT Monitor] - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe [1705296 2010-06-25] (Trend Micro Inc.)
HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1648264 2013-04-25] (Ask)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [41208 2012-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] - C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [267792 2013-01-17] (Research In Motion Limited)
HKU\Mark Hunt\...\Run: [msnmsgr] - C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [3883856 2009-07-26] (Microsoft Corporation)
HKU\Mark Hunt\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-04-15] (Google Inc.)
HKU\Mark Hunt\...\Winlogon: [shell] explorer.exe,C:\Users\Mark Hunt\AppData\Roaming\data.dat [50688 2013-08-01] () <==== ATTENTION
Startup: C:\Users\Mark Hunt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)

==================== Services (Whitelisted) =================

S3 Blackberry Device Manager; C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [577536 2013-01-18] (Research In Motion Limited)
S2 HealthAlertsSvc; C:\Program Files\Windows Server\Bin\SharedServiceHost.exe [30592 2011-03-02] (Microsoft Corporation)
S2 initMonitor; C:\Program Files\Windows Server\Bin\SharedServiceHost.exe [30592 2011-03-02] (Microsoft Corporation)
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe [138760 2011-08-10] (Symantec Corporation)
S2 NotificationsProviderSvc; C:\Program Files\Windows Server\Bin\SharedServiceHost.exe [30592 2011-03-02] (Microsoft Corporation)
S2 ntrtscan; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\ntrtscan.exe [1835912 2010-06-22] (Trend Micro Inc.)
S2 providers_system; C:\Program Files\Windows Server\Bin\SharedServiceHost.exe [30592 2011-03-02] (Microsoft Corporation)
S2 ServiceProviderRegistry; C:\Program Files\Windows Server\Bin\ProviderRegistryService.exe [41600 2012-07-06] (Microsoft Corporation)
S4 SqmProviderSvc; C:\Program Files\Windows Server\Bin\SharedServiceHost.exe [30592 2011-03-02] (Microsoft Corporation)
S2 svcGenericHost; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe [45056 2010-07-05] (Trend Micro Inc.)
S2 tmlisten; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmlisten.exe [2057096 2010-06-22] (Trend Micro Inc.)
S3 TmPfw; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmPfw.exe [595960 2009-07-15] (Trend Micro Inc.)
S3 TmProxy; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmProxy.exe [917768 2009-07-15] (Trend Micro Inc.)
S2 WSS_ComputerBackupProviderSvc; C:\Program Files\Windows Server\Bin\SharedServiceHost.exe [30592 2011-03-02] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20120531.001\BHDrvx64.sys [1160824 2012-04-12] (Symantec Corporation)
S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20120531.001\BHDrvx64.sys [1160824 2012-04-12] (Symantec Corporation)
S1 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1301000.01C\ccSetx64.sys [167048 2011-08-08] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-05-31] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-05-31] (Symantec Corporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20120606.001\IDSvia64.sys [488568 2012-05-06] (Symantec Corporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20120606.001\IDSvia64.sys [488568 2012-05-06] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20120606.020\ENG64.SYS [120440 2012-06-06] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20120606.020\ENG64.SYS [120440 2012-06-06] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20120606.020\EX64.SYS [2068600 2012-06-06] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20120606.020\EX64.SYS [2068600 2012-06-06] (Symantec Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [78336 2013-01-03] (Research In Motion Limited)
S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44544 2012-12-10] (Research in Motion Ltd)
S3 SRTSP; C:\Windows\system32\drivers\NISx64\1301000.01C\SRTSP64.SYS [729720 2011-08-02] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NISx64\1301000.01C\SRTSPX64.SYS [37496 2011-08-02] (Symantec Corporation)
S0 SymDS; C:\Windows\System32\drivers\NISx64\1301000.01C\SYMDS64.SYS [451192 2011-07-25] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\NISx64\1301000.01C\SYMEFA64.SYS [1084536 2011-07-28] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2012-05-07] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\NISx64\1301000.01C\Ironx64.SYS [189560 2011-07-25] (Symantec Corporation)
S1 SymNetS; C:\Windows\system32\drivers\NISx64\1301000.01C\SYMNETS.SYS [401016 2011-07-25] (Symantec Corporation)
S2 TmFilter; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmXPFlt.sys [265744 2010-05-10] (Trend Micro Inc.)
S1 tmlwf; C:\Windows\System32\DRIVERS\tmlwf.sys [200720 2009-07-15] (Trend Micro Inc.)
S2 TmPreFilter; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmPreFlt.sys [42000 2010-05-10] (Trend Micro Inc.)
S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [107536 2009-07-15] (Trend Micro Inc.)
S2 tmwfp; C:\Windows\System32\DRIVERS\tmwfp.sys [339984 2009-07-15] (Trend Micro Inc.)
S2 VSApiNt; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\VSApiNt.sys [2007056 2010-05-10] (Trend Micro Inc.)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-10-12 16:46 - 2013-10-12 16:46 - 00000000 ____D C:\FRST
2013-10-12 12:15 - 2013-10-12 12:15 - 00003224 ____N C:\bootsqm.dat
2013-09-30 11:09 - 2013-10-12 12:23 - 00000004 _____ C:\Users\Mark Hunt\AppData\Roaming\settings.ini
2013-09-17 07:28 - 2013-09-17 07:32 - 00000000 ____D C:\Users\Mark Hunt\Documents\Gas Station
2013-09-12 00:06 - 2013-08-09 21:22 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-09-12 00:06 - 2013-08-09 21:22 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-09-12 00:06 - 2013-08-09 21:22 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-09-12 00:06 - 2013-08-09 21:21 - 19246592 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-09-12 00:06 - 2013-08-09 21:21 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-09-12 00:06 - 2013-08-09 21:21 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-09-12 00:06 - 2013-08-09 21:20 - 15404544 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-09-12 00:06 - 2013-08-09 21:20 - 03959296 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-09-12 00:06 - 2013-08-09 21:20 - 02647040 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-09-12 00:06 - 2013-08-09 21:20 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-09-12 00:06 - 2013-08-09 21:20 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-09-12 00:06 - 2013-08-09 21:20 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-09-12 00:06 - 2013-08-09 21:20 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-09-12 00:06 - 2013-08-09 21:20 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-09-12 00:06 - 2013-08-09 19:59 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-09-12 00:06 - 2013-08-09 19:59 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-09-12 00:06 - 2013-08-09 19:58 - 14332928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-09-12 00:06 - 2013-08-09 19:58 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-09-12 00:06 - 2013-08-09 19:58 - 02876928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-09-12 00:06 - 2013-08-09 19:58 - 02048000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-09-12 00:06 - 2013-08-09 19:58 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-09-12 00:06 - 2013-08-09 19:58 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-09-12 00:06 - 2013-08-09 19:58 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-09-12 00:06 - 2013-08-09 19:58 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-09-12 00:06 - 2013-08-09 19:58 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-09-12 00:06 - 2013-08-09 19:58 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-09-12 00:06 - 2013-08-09 19:58 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-09-12 00:06 - 2013-08-09 19:17 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-09-12 00:06 - 2013-08-09 19:07 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-09-12 00:06 - 2013-08-09 18:27 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-09-12 00:06 - 2013-08-09 18:17 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe

==================== One Month Modified Files and Folders =======

2013-10-12 16:46 - 2013-10-12 16:46 - 00000000 ____D C:\FRST
2013-10-12 12:35 - 2009-07-13 20:45 - 00014256 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-12 12:35 - 2009-07-13 20:45 - 00014256 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-12 12:31 - 2010-12-31 01:02 - 00000031 _____ C:\tmuninst.ini
2013-10-12 12:28 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-12 12:28 - 2009-07-13 20:51 - 00037141 _____ C:\Windows\setupact.log
2013-10-12 12:23 - 2013-09-30 11:09 - 00000004 _____ C:\Users\Mark Hunt\AppData\Roaming\settings.ini
2013-10-12 12:23 - 2009-07-13 21:10 - 01672651 _____ C:\Windows\WindowsUpdate.log
2013-10-12 12:20 - 2011-04-15 13:15 - 00000900 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-12 12:19 - 2013-02-10 17:14 - 00000000 ____D C:\Users\Mark Hunt\AppData\Roaming\Dropbox
2013-10-12 12:19 - 2012-09-06 07:00 - 00000524 _____ C:\Windows\Tasks\SpeedyPC Update Version3 Startup Task.job
2013-10-12 12:19 - 2011-01-24 10:01 - 00000000 ____D C:\Users\Mark Hunt\Tracing
2013-10-12 12:15 - 2013-10-12 12:15 - 00003224 ____N C:\bootsqm.dat
2013-10-12 12:09 - 2010-12-31 00:59 - 00000000 ____D C:\ProgramData\Sonic
2013-10-12 10:10 - 2013-02-10 17:24 - 00000000 ___RD C:\Users\Mark Hunt\Desktop\Dropbox
2013-10-12 10:10 - 2011-04-15 13:15 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-30 11:11 - 2011-02-10 01:03 - 00000721 _____ C:\Windows\TMFilter.log
2013-09-30 10:45 - 2012-04-23 08:42 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-30 07:25 - 2011-10-03 07:40 - 00000000 ____D C:\Users\Mark Hunt\Documents\Randolph Retail
2013-09-30 01:52 - 2012-01-04 08:13 - 00000428 _____ C:\Windows\Tasks\SpeedyPC Pro.job
2013-09-29 15:00 - 2012-01-04 08:14 - 00000500 _____ C:\Windows\Tasks\SpeedyPC Registration3.job
2013-09-28 22:18 - 2012-01-04 08:13 - 00000472 _____ C:\Windows\Tasks\SpeedyPC Update Version3.job
2013-09-25 22:19 - 2012-11-21 23:19 - 00001203 _____ C:\Users\Mark Hunt\Desktop\SpeedyPC Pro.lnk
2013-09-24 09:17 - 2011-10-17 08:27 - 00000000 ____D C:\Users\Mark Hunt\Documents\Crystal Palace
2013-09-23 14:53 - 2011-01-19 08:28 - 00000000 ____D C:\Users\Mark Hunt\AppData\Local\CutePDF Writer
2013-09-23 10:02 - 2012-06-04 07:54 - 00000000 ____D C:\Users\Mark Hunt\Documents\News Bldg
2013-09-19 20:45 - 2012-04-23 08:42 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-09-19 20:45 - 2012-04-23 08:42 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-09-19 20:45 - 2011-05-13 05:16 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-09-19 18:10 - 2012-02-10 15:13 - 00002185 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-09-17 07:32 - 2013-09-17 07:28 - 00000000 ____D C:\Users\Mark Hunt\Documents\Gas Station
2013-09-17 05:52 - 2012-11-06 12:32 - 00000000 ____D C:\Users\Mark Hunt\Documents\Base
2013-09-17 05:27 - 2013-01-14 11:37 - 00000000 ____D C:\Users\Mark Hunt\Documents\Pisor
2013-09-17 05:21 - 2011-08-04 08:58 - 00000000 ____D C:\Users\Mark Hunt\Documents\Gap
2013-09-16 07:42 - 2012-09-19 13:50 - 00000000 ____D C:\Users\Mark Hunt\Documents\Bidwell
2013-09-16 07:06 - 2012-03-21 07:40 - 00000000 ____D C:\ProgramData\Sonos,_Inc
2013-09-16 07:04 - 2011-04-15 13:15 - 00000000 ____D C:\Users\Mark Hunt\AppData\Local\Google
2013-09-16 07:03 - 2011-01-06 17:37 - 00000000 ___RD C:\Users\Mark Hunt\Virtual Machines
2013-09-12 00:50 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-09-12 00:25 - 2009-07-13 20:45 - 00461464 _____ C:\Windows\System32\FNTCACHE.DAT
2013-09-12 00:24 - 2010-12-31 02:28 - 00092570 _____ C:\Windows\PFRO.log
2013-09-12 00:06 - 2011-01-07 10:56 - 00000000 ____D C:\ProgramData\Microsoft Help

Files to move or delete:
====================
C:\Users\Mark Hunt\AppData\Roaming\data.dat
C:\Users\Mark Hunt\AppData\Roaming\settings.ini
C:\Users\Mark Hunt\AppData\Roaming\i.ini

Some content of TEMP:
====================
C:\Users\Mark Hunt\AppData\Local\Temp\ApnStub.exe
C:\Users\Mark Hunt\AppData\Local\Temp\b34btbztdb0vavaw.exe
C:\Users\Mark Hunt\AppData\Local\Temp\converter.exe
C:\Users\Mark Hunt\AppData\Local\Temp\DropboxSetup.exe
C:\Users\Mark Hunt\AppData\Local\Temp\install.exe
C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u30-windows-i586-iftw-rv.exe
C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u35-windows-i586-iftw.exe
C:\Users\Mark Hunt\AppData\Local\Temp\Setup.exe
C:\Users\Mark Hunt\AppData\Local\Temp\SonosUpgrader.exe
C:\Users\Mark Hunt\AppData\Local\Temp\Update.exe
C:\Users\Mark Hunt\AppData\Local\Temp\webyeryb3460vavaw.exe

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

12
Restore point made on: 2013-09-10 02:37:13
Restore point made on: 2013-09-10 22:32:20
Restore point made on: 2013-09-12 00:00:39
Restore point made on: 2013-09-12 22:13:17
Restore point made on: 2013-09-17 00:36:30
Restore point made on: 2013-09-17 21:37:03
Restore point made on: 2013-09-19 21:37:05
Restore point made on: 2013-09-24 00:39:53
Restore point made on: 2013-09-24 22:11:54
Restore point made on: 2013-09-29 22:01:52
Restore point made on: 2013-10-01 07:36:06
Restore point made on: 2013-10-08 08:14:54

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 4055.11 MB
Available physical RAM: 3413.21 MB
Total Pagefile: 4053.26 MB
Available Pagefile: 3409.2 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:232.06 GB) (Free:149.93 GB) NTFS
Drive e: (Malwarebytes) (CDROM) (Total:0.04 GB) (Free:0 GB) CDFS
Drive f: (TOSHIBA) (Removable) (Total:14.44 GB) (Free:14.43 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:0.73 GB) (Free:0.51 GB) NTFS ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 233 GB) (Disk ID: 77E3ED41)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=750 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=232 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 14 GB) (Disk ID: 6D914050)
Partition 1: (Not Active) - (Size=14 GB) - (Type=0B)

LastRegBack: 2013-09-20 21:57

==================== End Of Log ============================

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now and if so..........run MBAR

If not...rescan with FRST and post the new log

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

Thank you!! So far so good. The fixlist cleaned out enough crap to get the computer to boot. I'm now running a Full Scan with Malwarebytes Pro.

Here's the fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-10-2013
Ran by SYSTEM at 2013-10-13 09:14:18 Run:1
Running from F:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
HKU\Mark Hunt\...\Winlogon: [shell] explorer.exe,C:\Users\Mark Hunt\AppData\Roaming\data.dat [50688 2013-08-01] ()
C:\Users\Mark Hunt\AppData\Roaming\data.dat
C:\Users\Mark Hunt\AppData\Roaming\settings.ini
C:\Users\Mark Hunt\AppData\Roaming\i.ini
C:\Users\Mark Hunt\AppData\Local\Temp\ApnStub.exe
C:\Users\Mark Hunt\AppData\Local\Temp\b34btbztdb0vavaw.exe
C:\Users\Mark Hunt\AppData\Local\Temp\converter.exe
C:\Users\Mark Hunt\AppData\Local\Temp\DropboxSetup.exe
C:\Users\Mark Hunt\AppData\Local\Temp\install.exe
C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u30-windows-i586-iftw-rv.exe
C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u35-windows-i586-iftw.exe
C:\Users\Mark Hunt\AppData\Local\Temp\Setup.exe
C:\Users\Mark Hunt\AppData\Local\Temp\SonosUpgrader.exe
C:\Users\Mark Hunt\AppData\Local\Temp\Update.exe
C:\Users\Mark Hunt\AppData\Local\Temp\webyeryb3460vavaw.exe

*****************

HKU\Mark Hunt\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
C:\Users\Mark Hunt\AppData\Roaming\data.dat => Moved successfully.
C:\Users\Mark Hunt\AppData\Roaming\settings.ini => Moved successfully.
"C:\Users\Mark Hunt\AppData\Roaming\i.ini" => File/Directory not found.
C:\Users\Mark Hunt\AppData\Local\Temp\ApnStub.exe => Moved successfully.
C:\Users\Mark Hunt\AppData\Local\Temp\b34btbztdb0vavaw.exe => Moved successfully.
C:\Users\Mark Hunt\AppData\Local\Temp\converter.exe => Moved successfully.
C:\Users\Mark Hunt\AppData\Local\Temp\DropboxSetup.exe => Moved successfully.
C:\Users\Mark Hunt\AppData\Local\Temp\install.exe => Moved successfully.
C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u30-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\Mark Hunt\AppData\Local\Temp\jre-6u35-windows-i586-iftw.exe => Moved successfully.
C:\Users\Mark Hunt\AppData\Local\Temp\Setup.exe => Moved successfully.
C:\Users\Mark Hunt\AppData\Local\Temp\SonosUpgrader.exe => Moved successfully.
C:\Users\Mark Hunt\AppData\Local\Temp\Update.exe => Moved successfully.
C:\Users\Mark Hunt\AppData\Local\Temp\webyeryb3460vavaw.exe => Moved successfully.

==== End of Fixlog ====

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
