Chillaxn


Hello, I have the same exact problem, but I will say that I have no intentions of saving this laptop as is; I want to do a complete reformat. However, there are some important documents I need off this computer, as well as college work and family photos. Is there a way to back up those specific files without booting into Windows? It seems there is no way possible to save anything to an external drive after it boots, because of the 60-second opportunity before it shuts down again. Can you please provide me with guidance considering this.

Thank You so much in advance.


Hello chillaxn and welcome to MalwareBytes forums.

Be aware that the malware-removal-help forum bars anyone from piggybacking their help request onto someone else's.

You do not state what version of Windows this is, or whether you have the Windows CD/DVD.

With the CD or DVD, you can boot from it and get to the Recovery Console (XP) or the Recovery Environment in Vista/Windows 7.

If those are not available, by tapping the F8 function key on the keyboard as soon as the PC is restarted you can get to the Advanced Boot Options.

I may suggest using Safe Mode or Safe Mode with Networking, or lastly, Command prompt.

From any one of those, you can probably copy your files to a USB-flash drive or external USB drive.


Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-06-2012 01

Ran by SYSTEM at 23-06-2012 09:00:10

Running from F:\

Windows Vista Home Premium Service Pack 1 (X86) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [] [x]

HKLM\...\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [61440 2009-04-21] (Advanced Micro Devices, Inc.)

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [6965792 2009-03-12] (Realtek Semiconductor)

HKLM\...\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1451304 2009-03-18] (Synaptics Incorporated)

HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [468320 2009-03-06] (TOSHIBA Corporation)

HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [55160 2009-03-09] (TOSHIBA Corporation)

HKLM\...\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [448376 2008-12-18] (TOSHIBA Corporation)

HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [729088 2009-03-23] (TOSHIBA Corporation)

HKLM\...\Run: [NDSTray.exe] "C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe" [299008 2009-05-12] (TOSHIBA CORPORATION)

HKLM\...\Run: [cfFncEnabler.exe] "C:\Program Files\TOSHIBA\ConfigFree\cfFncEnabler.exe" [16384 2009-03-24] (Toshiba Corporation)

HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1318912 2009-04-14] (TOSHIBA Corporation)

HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe [1007616 2009-03-24] (TOSHIBA Corporation)

HKLM\...\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized [131072 2008-05-01] (Linksys LLC - A Division of Cisco Systems)

HKLM\...\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [648504 2008-04-08] (Pure Networks, Inc.)

HKLM\...\Run: [TPCHWMsg] %ProgramFiles%\TOSHIBA\TPHM\TPCHWMsg.exe [570736 2009-04-09] (TOSHIBA Corporation)

HKLM\...\Run: [ToshibaServiceStation] C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe /hide:60 [1294712 2010-11-29] (TOSHIBA Corporation)

HKLM\...\Run: [skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe [1833504 2009-03-12] (Realtek Semiconductor Corp.)

HKLM\...\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide [2793304 2009-10-14] ()

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)

HKLM\...\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)

HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)

HKLM\...\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\Update\realsched.exe" -osboot [296056 2012-02-20] (RealNetworks, Inc.)

HKLM\...\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)

HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)

HKU\chillaxn\...\Run: [EPSON NX110 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFBA.EXE /FU "C:\Windows\TEMP\E_S420E.tmp" /EF "HKCU" [199680 2008-09-25] (SEIKO EPSON CORPORATION)

HKLM\...\Winlogon: [userinit] C:\Windows\system32\userinit.exe [25088 2008-01-20] (Microsoft Corporation)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

Startup: C:\Users\chillaxn\Start Menu\Programs\Startup\Epson all-in-one Registration.lnk

ShortcutTarget: Epson all-in-one Registration.lnk -> (No File)

Startup: C:\Users\chillaxn\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

================================ Services (Whitelisted) ==================

2 AMD External Events Utility; C:\Windows\System32\atiesrxx.exe [176128 2009-04-21] (AMD)

2 ConfigFree Service; "C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" [46448 2009-03-10] (TOSHIBA CORPORATION)

3 ehRecvr; C:\Windows\ehome\ehRecvr.exe [441856 2008-07-02] (Microsoft Corporation)

3 ehSched; C:\Windows\ehome\ehsched.exe [103424 2008-07-02] (Microsoft Corporation)

2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-20] (Microsoft Corporation)

3 GamesAppService; "C:\Program Files\WildTangent Games\App\GamesAppService.exe" [206072 2010-10-12] (WildTangent, Inc.)

2 IBUpdaterService; "C:\ProgramData\IBUpdaterService\ibsvc.exe" /SERVICE [397848 2012-04-30] ()

2 LVPrcSrv; "C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe" [154136 2009-10-06] (Logitech Inc.)

3 Microsoft SharePoint Workspace Audit Service; "C:\Program Files\Microsoft Office\Office14\GROOVE.EXE" /auditservice [31125880 2011-06-12] (Microsoft Corporation)

2 nmservice; "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe" [648504 2008-04-08] (Pure Networks, Inc.)

3 osppsvc; "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" [4640000 2010-01-09] (Microsoft Corporation)

2 RSELSVC; C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe /Service [57344 2009-02-19] (TOSHIBA Corporation)

2 TosCoSrv; "C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe" [464224 2009-03-06] (TOSHIBA Corporation)

2 TOSHIBA eco Utility Service; "C:\Program Files\TOSHIBA\TECO\TecoService.exe" [176128 2009-04-14] (TOSHIBA Corporation)

2 TOSHIBA HDD SSD Alert Service; "C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe" [73728 2009-03-17] (TOSHIBA Corporation)

2 TPCHSrv; "C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe" [656752 2009-04-09] (TOSHIBA Corporation)

2 LinksysUpdater; "C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf" [x]

2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]

3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

0 AtiPcie; C:\Windows\System32\DRIVERS\AtiPcie.sys [14352 2008-04-28] (ATI Technologies Inc.)

3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25752 2009-10-06] ()

0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)

3 PID_PEPI; C:\Windows\System32\DRIVERS\LV302V32.SYS [2687512 2009-04-30] (Logitech Inc.)

2 pnarp; C:\Windows\System32\DRIVERS\pnarp.sys [24888 2008-04-08] (Pure Networks, Inc.)

2 purendis; C:\Windows\System32\DRIVERS\purendis.sys [26424 2008-04-08] (Pure Networks, Inc.)

3 RTL8187Se; C:\Windows\System32\DRIVERS\RTL8187Se.sys [333824 2008-08-22] (Realtek Semiconductor Corporation )

1 RtlProt; C:\Windows\System32\DRIVERS\rtlprot.sys [25896 2007-04-23] (Windows ® Codename Longhorn DDK provider)

3 sscdbus; C:\Windows\System32\DRIVERS\sscdbus.sys [58352 2005-08-17] (MCCI)

2 TVALZFL; C:\Windows\System32\DRIVERS\TVALZFL.sys [12920 2009-03-20] (TOSHIBA Corporation)

3 HTCAND32; C:\Windows\System32\Drivers\ANDROIDUSB.sys [x]

3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]

3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]

3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-06-23 08:59 - 2012-06-23 08:59 - 00000000 ____D C:\FRST

2012-06-19 17:47 - 2012-06-19 17:48 - 00000000 ____D C:\Users\chillaxn\Desktop\New Folder (2)

2012-06-19 16:58 - 2012-06-19 16:58 - 00000000 ____D C:\Program Files\Microsoft Security Client

2012-06-18 20:27 - 2012-06-18 20:27 - 00000000 __SHD C:\Windows\System32\%APPDATA%

2012-06-15 12:36 - 2012-06-15 12:36 - 00001635 ____A C:\Users\Public\Desktop\iTunes.lnk

2012-06-15 12:34 - 2012-06-15 12:36 - 00000000 ____D C:\Program Files\iTunes

2012-06-15 12:34 - 2012-06-15 12:34 - 00000000 ____D C:\Program Files\iPod

2012-06-15 08:36 - 2012-06-18 20:36 - 00063247 ____A C:\Users\chillaxn\Desktop\2012BUDGETSUMMARYxlsx.xlsx

2012-06-15 08:36 - 2012-06-15 08:36 - 00060944 ____A C:\Users\chillaxn\Desktop\may2012BUDGETSUMMARYxlsx.xlsx

2012-06-13 20:14 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-06-13 20:14 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-06-13 20:14 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-06-13 20:14 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-06-13 20:14 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-06-13 20:14 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-06-13 20:14 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-06-13 20:14 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-06-13 20:14 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-06-13 20:14 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-06-13 20:14 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-06-13 20:14 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-06-13 20:13 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-06-13 20:13 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-06-13 20:11 - 2012-05-15 11:51 - 02045440 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-13 20:11 - 2012-05-01 06:03 - 00180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-06-13 20:11 - 2012-04-23 08:00 - 00984064 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-06-13 20:11 - 2012-04-23 08:00 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-06-13 20:11 - 2012-04-23 08:00 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

2012-06-11 17:32 - 2012-06-11 17:32 - 00138784 ____A C:\Windows\Minidump\Mini061112-01.dmp

============ 3 Months Modified Files and Folders ===============

2012-06-23 08:59 - 2012-06-23 08:59 - 00000000 ____D C:\FRST

2012-06-23 04:46 - 2010-07-07 18:41 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe

2012-06-23 04:45 - 2008-01-20 18:47 - 00720236 ____A C:\Windows\PFRO.log

2012-06-23 04:45 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-06-23 04:45 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2012-06-23 04:45 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2012-06-20 18:28 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\spool

2012-06-20 18:28 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\Msdtc

2012-06-20 18:28 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\registration

2012-06-20 18:28 - 2006-11-02 02:22 - 54263808 ____A C:\Windows\System32\config\software_previous

2012-06-20 18:28 - 2006-11-02 02:22 - 20185088 ____A C:\Windows\System32\config\system_previous

2012-06-20 18:23 - 2006-11-02 02:22 - 40370176 ____A C:\Windows\System32\config\components_previous

2012-06-20 18:23 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\sam_previous

2012-06-20 14:40 - 2012-05-20 12:25 - 00000000 ____D C:\Users\chillaxn\Documents\Outlook Files

2012-06-20 14:40 - 2010-07-06 20:58 - 01217494 ____A C:\Windows\WindowsUpdate.log

2012-06-20 14:29 - 2010-07-06 19:12 - 00000000 ____D C:\users\chillaxn

2012-06-20 09:04 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\security_previous

2012-06-20 09:04 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\default_previous

2012-06-19 17:48 - 2012-06-19 17:47 - 00000000 ____D C:\Users\chillaxn\Desktop\New Folder (2)

2012-06-19 16:58 - 2012-06-19 16:58 - 00000000 ____D C:\Program Files\Microsoft Security Client

2012-06-19 16:58 - 2012-01-08 06:14 - 00001945 ____A C:\Windows\epplauncher.mif

2012-06-19 16:58 - 2006-11-02 02:33 - 00721940 ____A C:\Windows\System32\PerfStringBackup.INI

2012-06-18 20:37 - 2006-11-02 05:01 - 00032542 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-06-18 20:36 - 2012-06-15 08:36 - 00063247 ____A C:\Users\chillaxn\Desktop\2012BUDGETSUMMARYxlsx.xlsx

2012-06-18 20:27 - 2012-06-18 20:27 - 00000000 __SHD C:\Windows\System32\%APPDATA%

2012-06-18 20:15 - 2010-11-03 19:11 - 00000000 ____D C:\Users\chillaxn\AppData\Local\CrashDumps

2012-06-15 14:16 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Microsoft.NET

2012-06-15 12:36 - 2012-06-15 12:36 - 00001635 ____A C:\Users\Public\Desktop\iTunes.lnk

2012-06-15 12:36 - 2012-06-15 12:34 - 00000000 ____D C:\Program Files\iTunes

2012-06-15 12:34 - 2012-06-15 12:34 - 00000000 ____D C:\Program Files\iPod

2012-06-15 12:34 - 2010-07-07 17:28 - 00000000 ____D C:\Program Files\Common Files\Apple

2012-06-15 08:36 - 2012-06-15 08:36 - 00060944 ____A C:\Users\chillaxn\Desktop\may2012BUDGETSUMMARYxlsx.xlsx

2012-06-14 18:59 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\rescache

2012-06-13 20:47 - 2006-11-02 04:47 - 00406360 ____A C:\Windows\System32\FNTCACHE.DAT

2012-06-13 20:32 - 2010-07-06 21:06 - 00000000 ____D C:\Users\All Users\Microsoft Help

2012-06-13 20:22 - 2006-11-02 02:24 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe

2012-06-11 17:32 - 2012-06-11 17:32 - 00138784 ____A C:\Windows\Minidump\Mini061112-01.dmp

2012-06-11 17:32 - 2010-08-14 03:41 - 00000000 ____D C:\Windows\Minidump

2012-06-11 17:31 - 2010-08-02 19:29 - 234835607 ____A C:\Windows\MEMORY.DMP

2012-06-02 18:16 - 2010-07-10 09:43 - 00000680 ____A C:\Users\chillaxn\AppData\Local\d3d9caps.dat

2012-05-21 15:24 - 2011-12-16 13:14 - 00000000 ____D C:\Users\All Users\Yahoo!

2012-05-21 15:24 - 2011-12-16 13:13 - 00000000 ____D C:\Program Files\Yahoo!

2012-05-21 15:22 - 2011-10-14 10:16 - 00000000 ____D C:\Program Files\Bonjour

2012-05-21 07:49 - 2006-11-02 02:23 - 00000219 ____A C:\Windows\win.ini

2012-05-20 12:36 - 2012-05-20 12:36 - 00000000 ____D C:\Users\chillaxn\Documents\OneNote Notebooks

2012-05-20 12:18 - 2010-07-06 19:14 - 00115752 ____A C:\Users\chillaxn\AppData\Local\GDIPFONTCACHEV1.DAT

2012-05-20 10:24 - 2006-11-02 03:18 - 00000000 ____D C:\Program Files\Common Files\microsoft shared

2012-05-20 10:23 - 2006-11-02 04:37 - 00000000 ____D C:\Windows\ShellNew

2012-05-20 10:11 - 2006-11-02 04:37 - 00000000 ____D C:\Program Files\MSBuild

2012-05-20 10:10 - 2012-05-20 10:10 - 00000000 ____D C:\Program Files\Microsoft Synchronization Services

2012-05-20 10:10 - 2012-05-20 10:10 - 00000000 ____D C:\Program Files\Common Files\DESIGNER

2012-05-20 10:09 - 2012-05-20 10:09 - 00000000 ____D C:\Windows\PCHEALTH

2012-05-20 10:09 - 2012-05-20 10:09 - 00000000 ____D C:\Program Files\Microsoft Sync Framework

2012-05-20 10:09 - 2012-05-20 10:09 - 00000000 ____D C:\Program Files\Microsoft SQL Server Compact Edition

2012-05-20 10:09 - 2010-07-06 21:07 - 00000000 ____D C:\Program Files\Microsoft.NET

2012-05-20 10:09 - 2010-07-06 21:05 - 00000000 ____D C:\Program Files\Microsoft Office

2012-05-20 09:56 - 2012-05-20 09:56 - 00000000 ____D C:\Program Files\Microsoft Analysis Services

2012-05-18 17:49 - 2012-05-18 15:07 - 00000000 ____D C:\Users\chillaxn\Documents\office2010

2012-05-17 15:11 - 2012-06-13 20:13 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-05-17 14:48 - 2012-06-13 20:13 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-05-17 14:45 - 2012-06-13 20:14 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-05-17 14:36 - 2012-06-13 20:14 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-05-17 14:35 - 2012-06-13 20:14 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-05-17 14:35 - 2012-06-13 20:14 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-05-17 14:33 - 2012-06-13 20:14 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-05-17 14:31 - 2012-06-13 20:14 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-05-17 14:29 - 2012-06-13 20:14 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-05-17 14:29 - 2012-06-13 20:14 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-05-17 14:27 - 2012-06-13 20:14 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-05-17 14:25 - 2012-06-13 20:14 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-05-17 14:24 - 2012-06-13 20:14 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-05-17 14:20 - 2012-06-13 20:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-05-15 11:51 - 2012-06-13 20:11 - 02045440 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-05-13 18:44 - 2010-09-13 15:43 - 00000000 ____D C:\Program Files\Microsoft Silverlight

2012-05-13 06:14 - 2006-11-02 04:37 - 00000000 ____D C:\Windows\System32\XPSViewer

2012-05-13 06:14 - 2006-11-02 04:37 - 00000000 ____D C:\Program Files\Windows Journal

2012-05-01 06:03 - 2012-06-13 20:11 - 00180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-04-23 08:00 - 2012-06-13 20:11 - 00984064 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-04-23 08:00 - 2012-06-13 20:11 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-04-23 08:00 - 2012-06-13 20:11 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

2012-04-10 19:47 - 2012-01-17 19:04 - 00001858 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk

2012-04-10 09:32 - 2012-04-10 09:32 - 00012814 ____A C:\Users\chillaxn\Desktop\hs_err_pid3656.log

2012-04-07 17:51 - 2006-11-02 04:52 - 00044334 ____A C:\Windows\setupact.log

2012-04-03 00:16 - 2012-05-12 15:16 - 03602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe

2012-04-03 00:16 - 2012-05-12 15:16 - 03550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-04-01 12:00 - 2012-04-01 12:00 - 00000000 ____D C:\Users\chillaxn\AppData\Local\DDMSettings

2012-04-01 11:49 - 2011-11-20 18:16 - 00000000 ____D C:\Users\All Users\DivX

2012-04-01 11:48 - 2011-11-20 18:18 - 00000000 ____D C:\Program Files\DivX

2012-04-01 11:44 - 2012-04-01 11:43 - 00000000 ____D C:\Users\All Users\IBUpdaterService

2012-03-30 04:39 - 2012-05-12 15:16 - 00914304 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

2012-03-29 05:39 - 2012-05-12 15:16 - 00031232 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys

ZeroAccess:

C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}

C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}\@

C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}\L

C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}\n

C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}\U

C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}\L\00000004.@

C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}\L\1afb2d56

C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}\L\201d3dde

C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}\U\00000004.@

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 14%

Total physical RAM: 2813.07 MB

Available physical RAM: 2412.41 MB

Total Pagefile: 2612.91 MB

Available Pagefile: 2473.79 MB

Total Virtual: 2047.88 MB

Available Virtual: 1974.31 MB

======================= Partitions =========================

1 Drive c: (TI100760V0G) (Fixed) (Total:222.67 GB) (Free:100.29 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

3 Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.32 GB) NTFS

4 Drive f: (FreeAgent Drive) (Fixed) (Total:465.76 GB) (Free:456.64 GB) NTFS

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 233 GB 0 B

Disk 1 Online 466 GB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 1500 MB 1024 KB

Partition 2 Primary 223 GB 1501 MB

Partition 3 Primary 9 GB 224 GB

======================================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 E TOSHIBA SYS NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C TI100760V0G NTFS Partition 223 GB Healthy

======================================================================================================

Disk: 0

Partition 3

Type : 17 (Suspicious Type)

Hidden: Yes

Active: No

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 466 GB 32 KB

======================================================================================================

Disk: 1

Partition 1

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 F FreeAgent D NTFS Partition 466 GB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-20 14:36

======================= End Of Log ==========================

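As an added illustration (not part of the original thread, and not FRST's or Malwarebytes' code): a small Python triage script over FRST-style log lines that picks out the same kinds of indicators a helper reads from the log above: the paths under the `ZeroAccess:` header, the `<==== ATTENTION` marker on `services.exe`, the partition flagged `(Suspicious Type)`, the hidden/system folder literally named `%APPDATA%` under System32, and the `[x]` (file missing) and empty-publisher `()` entries in the Run/Services lists. The sample lines are constructed from the log above; the rule names and severities are my own choices, not FRST terminology.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the FRST log above. The paths, the
# Installer GUID folder and the services.exe hash are copied from that log;
# the selection and ordering of lines is mine.
SAMPLE_LOG = r"""
HKLM\...\Run: [] [x]
HKLM\...\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [61440 2009-04-21] (Advanced Micro Devices, Inc.)
2 IBUpdaterService; "C:\ProgramData\IBUpdaterService\ibsvc.exe" /SERVICE [397848 2012-04-30] ()
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
2012-06-18 20:27 - 2012-06-18 20:27 - 00000000 __SHD C:\Windows\System32\%APPDATA%
ZeroAccess:
C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}\@
C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}\L\00000004.@
========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
Type : 17 (Suspicious Type)
"""


@dataclass(frozen=True)
class Finding:
    rule: str       # short rule name (my own naming)
    severity: str   # "high" or "medium"
    line: str       # the log line that triggered the rule


# Section headers look like "===== Name =====" and end any multi-line block.
SECTION_RE = re.compile(r"^=+ .* =+$|^=+$")
# Run/service/driver entries end with "[size date] (Publisher)"; capture the
# publisher so an empty "()" can be flagged.
ENTRY_RE = re.compile(r"\[\d+ \d{4}-\d{2}-\d{2}\] \((?P<publisher>[^)]*)\)\s*$")
# Entries whose referenced file no longer exists end with "[x]".
MISSING_RE = re.compile(r"\[x\]\s*$")
# Created/modified file entries: "date - date - size ATTRS path"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"\d{8} (?P<attr>\S{5}) (?P<path>.+)$"
)


def triage(log_text: str) -> list[Finding]:
    """Return the indicator lines found in FRST-style log text."""
    findings: list[Finding] = []
    in_zeroaccess = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            in_zeroaccess = False          # a new section closes the block
            continue
        if line == "ZeroAccess:":
            in_zeroaccess = True           # every path until the next header
            continue
        if in_zeroaccess:
            findings.append(Finding("zeroaccess_path", "high", line))
            continue
        if "<==== ATTENTION" in line:      # FRST's own hash-mismatch marker
            findings.append(Finding("attention_marker", "high", line))
            continue
        if "(Suspicious Type)" in line:    # partition type FRST does not expect
            findings.append(Finding("suspicious_partition", "high", line))
            continue
        m = FILE_RE.match(line)
        if m:
            # A real, expanded path never contains a literal %VAR% component;
            # one that is also hidden+system under System32 is a classic hideout.
            attr, path = m.group("attr"), m.group("path")
            if "%" in path and "H" in attr and "S" in attr:
                findings.append(Finding("hidden_literal_envvar_dir", "high", line))
            continue
        if MISSING_RE.search(line):
            findings.append(Finding("missing_file", "medium", line))
            continue
        m = ENTRY_RE.search(line)
        if m and not m.group("publisher").strip():
            findings.append(Finding("no_publisher", "medium", line))
    return findings


def summarize(findings: list[Finding]) -> Counter:
    """Count findings per rule, for a one-line verdict."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.rule:26} {f.line}")
    print(dict(summarize(results)))
```

To run it against a real scan, read the saved FRST log file into a string and pass it to `triage` in place of `SAMPLE_LOG`. The medium findings are worth reading together: the two `[x]` services are Microsoft Security Client's own (`MsMpSvc`, `NisSrv`) with their binaries gone while the program folder was created only days earlier, so a broken defensive tool is itself one of the indicators in this log.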

Make sure you click on the Follow this Topic icon (button) near the upper right-hand-side of this forum Topic.

These steps are for chillaxn only. If you are a casual viewer, do NOT try this on your system!

If you are not chillaxn and have a similar problem, do NOT post here; start your own topic

The fixes in this Topic are for this system only! Do not apply the fix instructions from this topic to any other system!

You will want to print out or copy these instructions to Notepad for Safe offline reference!

Do not do any websurfing on this system. Only go to this forum and the sites I guide you to for tools or online scans.

Please follow my guidance.

If you are a casual viewer, do NOT try this on your system!

If you are not the originating-member-poster and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

Close any of your open programs while you run these tools.

DO as much as possible of the following:

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT by doing a Right-Click on it & select Run As Administrator

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

Step 3

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Download aswMBR.exe ( 511KB ) to your desktop.

On Windows 7 or Vista, RIGHT click on aswMBR.exe and select Run As Administrator to start.

On Windows XP, double click the exe to start.

Change the a-v scan to None.

Uncheck "trace disk IO calls".

Click the "Scan" button to start the scan.

On completion of the scan (note whether the Fix button, not the FixMBR button, is enabled, and tell me), click Save Log, save it to your desktop, and post it in your next reply.

Step 4

Please read carefully and follow these steps.

  • Delete the prior copies of TDSSKILLER.zip & TDSSKILLER.exe that you may have.
  • Download TDSSKiller and save it to your Desktop.
  • If on Windows 7 or Vista, RIGHT-Click on TDSSKiller.exe and select Run As Administrator to run the application.
    If on Windows XP, double-click to start.
  • Click on "Change parameters" and place a checkmark next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
  • Then press Start Scan

When the scan is done, it will display a summary screen.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 5

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • Please double-click OTL.exe to run it. (Note: If you are running on Windows 7 or Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    *****************************************************************
    :processes
    killallprocesses
    :files
    recycler /alldrives
    C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}\@
    C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}\L
    C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}\n
    C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}\U
    C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}\L\00000004.@
    C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}\L\1afb2d56
    C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}\L\201d3dde
    C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}\U\00000004.@
    C:\Windows\Installer\{16cfd029-9738-d8a0-c61d-e3f2578ebd71}
    :Commands
    [purity]
    [resethosts]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]
    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered Run Fix button.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 6

Please close any of your open windows/programs and exit; saving any open work you have.

I'd like to have you do a special run of OTL to generate some searches & a new log-report.

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    *****************************************************************
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %ALLUSERSPROFILE%\Application Data\*.dll /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %APPDATA%\*.dll /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    services.exe
    themeui.dll
    beep.sys
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %USERPROFILE%\..|smtmp;true;true;true /FP
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT
    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on Run Scan.
  • The scan won't take long.
    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
    These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of just OTL.txt

This topic is now closed to further replies.