Ransomware won't let me boot in safe mode


Hello, I am new here. I have a nasty ransomware on my Win7 laptop. It has made safe mode unusable by changing the background color to black with black text. I was able to download Malwarebytes and install it blind (following the steps on another computer). I can run the scan, but after 11 items found it has a popup that I can't read (black on black). So I read a thread here from the 10th where someone else couldn't start in safe mode. I downloaded FRST64 and ran it, and here is the report (I didn't proceed with the fix for the other user, as it stated it was custom made for that user):

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-11-2012

Ran by SYSTEM at 18-11-2012 08:01:56

Running from G:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet003

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [] [x]

HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup [17412200 2010-05-05] (NVIDIA Corporation)

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10134560 2010-03-22] (Realtek Semiconductor)

HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3 [896032 2010-03-22] (Realtek Semiconductor)

HKLM\...\Run: [ThpSrv] C:\windows\system32\thpsrv /logon [x]

HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [x]

HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [x]

HKLM\...\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [x]

HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [x]

HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [x]

HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [x]

HKLM\...\Run: [smartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [x]

HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)

HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)

HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [x]

HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [x]

HKLM\...\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe [660360 2007-05-31] (Microsoft Corporation)

HKLM-x32\...\Run: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe [34160 2009-12-25] (TOSHIBA CORPORATION)

HKLM-x32\...\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP [423936 2010-03-04] (TOSHIBA Electronics, Inc.)

HKLM-x32\...\Run: [sVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL [352256 2010-02-22] (TOSHIBA CORPORATION)

HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1295736 2011-02-11] (TOSHIBA Corporation)

HKLM-x32\...\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2454840 2010-02-24] (TOSHIBA CORPORATION.)

HKLM-x32\...\Run: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe [x]

HKLM-x32\...\Run: [sVRemote] c:\Program Files\SVRemote\RemoteSvr.exe [20480 2007-09-17] ()

HKLM-x32\...\Run: [WinDVR SchSvr] "C:\Program Files (x86)\Common Files\InterVideo\SchSvr\SchSvr.exe" [106496 2004-09-08] (InterVideo Inc.)

HKLM-x32\...\Run: [AVG9_TRAY] C:\PROGRA~2\AVG\AVG9\avgtray.exe [2077536 2012-01-26] (AVG Technologies CZ, s.r.o.)

HKLM-x32\...\Run: [NWEReboot] [x]

HKLM-x32\...\Run: [Acrobat Assistant 7.0] "C:\Program Files (x86)\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [483328 2004-12-14] (Adobe Systems Inc.)

HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [997320 2012-11-08] ()

HKLM-x32\...\Run: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 [928096 2012-01-23] ()

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [searchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe" [1111432 2012-10-16] (Spigot, Inc.)

HKU\Cameron\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-05-28] (Google Inc.)

HKU\Cameron\...\Run: [updateMgr] C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_0 [307200 2004-11-22] (Adobe Systems Incorporated)

HKU\Cameron\...\Run: [Akamai NetSession Interface] "C:\Users\Cameron\AppData\Local\Akamai\netsession_win.exe" [4441920 2012-10-09] (Akamai Technologies, Inc.)

HKU\Cameron\...\Run: [PC Suite Tray] "C:\Program Files (x86)\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray [1483264 2010-12-21] (Nokia)

HKU\Cameron\...\Policies\system: [DisableTaskMgr] 1

HKU\UpdatusUser\...\Run: [] [x]

HKU\UpdatusUser\...\RunOnce: [sysOff] C:\Windows\SysWOW64\SYSPREP\ClosespV.exe [x]

HKU\UpdatusUser\...\RunOnce: [avg_spchecker] "C:\Program Files (x86)\AVG\AVG9\Notification\SPChecker1.exe" /start [406856 2011-05-09] ()

HKLM\...\Winlogon: [shell] explorer.exe, C:\ProgramData\Msyitwgeawcb [x ] ()

Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

AppInit_DLLs: avgrssta.dll

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

ShortcutTarget: Adobe Acrobat Speed Launcher.lnk -> C:\Windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe ()

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\AutoStart IR.lnk

ShortcutTarget: AutoStart IR.lnk -> C:\Program Files (x86)\WinTV\Ir.exe (Hauppauge Computer Works)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk

ShortcutTarget: WinTV Recording Status..lnk -> C:\Program Files (x86)\WinTV\WinTV7\WinTVTray.exe (Hauppauge Computer Works, Inc.)

Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy Software Installer.lnk

ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)

Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy Software Installer.lnk

ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)

==================== Services (Whitelisted) ===================

3 Adobe LM Service; "C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" [69632 2010-12-30] (Adobe Systems)

2 Akamai; C:\program files (x86)\common files\akamai/netsession_win_ce5ba24.dll [4539712 2012-11-12] (Akamai Technologies, Inc.)

2 Autodesk Content Service; "C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe" [18656 2011-02-02] ()

4 AVG Security Toolbar Service; C:\Program Files (x86)\AVG\AVG9\Toolbar\ToolbarBroker.exe [167264 2011-11-10] ()

2 avg9emc; "C:\Program Files (x86)\AVG\AVG9\avgemc.exe" [921952 2010-07-29] (AVG Technologies CZ, s.r.o.)

2 avg9wd; "C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe" [308136 2010-07-29] (AVG Technologies CZ, s.r.o.)

2 avgfws9; "C:\Program Files (x86)\AVG\AVG9\avgfws9.exe" [2331544 2010-11-24] (AVG Technologies CZ, s.r.o.)

4 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe" AVGIDSAgent [5897808 2010-07-29] (AVG Technologies CZ, s.r.o.)

2 HauppaugeTVServer; C:\PROGRA~2\WinTV\TVServer\HAUPPA~1.EXE [602624 2010-03-29] (Hauppauge Computer Works)

2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [97432 2007-04-13] ()

2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-29] (Malwarebytes Corporation)

2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-29] (Malwarebytes Corporation)

2 MotoConnect Service; C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe [91456 2010-04-29] ()

2 StkSSrv; C:\Windows\System32\StkCSrv.exe [24576 2007-02-12] (Syntek America Inc.)

2 vToolbarUpdater13.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [711112 2012-11-08] ()

==================== Drivers (Whitelisted) =====================

3 Adwstrac; C:\Windows\system32\drivers\BtHidMgr.sys [49680 2007-03-05] (IVT Corporation.)

1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [29976 2010-07-29] (AVG Technologies CZ, s.r.o.)

3 AVGIDSDriverw7a; \??\C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN764\AVGIDSDriver.sys [132688 2010-07-29] (AVG Technologies CZ, s.r.o. )

0 AVGIDSErHrw7a; C:\Windows\System32\Drivers\AVGIDSwa.sys [27216 2010-07-29] (AVG Technologies CZ, s.r.o. )

3 AVGIDSFilterw7a; \??\C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN764\AVGIDSFilter.sys [35920 2010-07-29] (AVG Technologies CZ, s.r.o. )

1 AvgLdx64; C:\Windows\System32\Drivers\AvgLdx64.sys [269904 2010-07-29] (AVG Technologies CZ, s.r.o.)

1 AvgMfx64; C:\Windows\System32\Drivers\AvgMfx64.sys [35664 2011-09-13] (AVG Technologies CZ, s.r.o.)

0 AvgRkx64; C:\Windows\System32\Drivers\AvgRkx64.sys [56008 2010-07-29] (AVG Technologies CZ, s.r.o.)

1 AvgTdiA; C:\Windows\System32\Drivers\AvgTdiA.sys [317520 2011-05-05] (AVG Technologies CZ, s.r.o.)

1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [30568 2012-11-08] (AVG Technologies)

3 BlueletAudio; C:\Windows\System32\Drivers\BlueletAudio.sys [38160 2007-05-11] (IVT Corporation.)

3 BlueletAudio; C:\Windows\SysWow64\Drivers\BlueletAudio.sys [38160 2007-05-11] (IVT Corporation.)

3 BlueletSCOAudio; C:\Windows\System32\Drivers\BlueletSCOAudio.sys [37648 2007-03-05] (IVT Corporation.)

3 BlueletSCOAudio; C:\Windows\SysWow64\Drivers\BlueletSCOAudio.sys [37648 2007-03-05] (IVT Corporation.)

3 BT; C:\Windows\System32\DRIVERS\btnetdrv.sys [25360 2007-03-05] (IVT Corporation.)

3 Btcsrusb; C:\Windows\System32\Drivers\btcusb.sys [44688 2007-05-09] (IVT Corporation.)

3 BthAvrcp; C:\Windows\System32\Drivers\BthAvrcp.sys [29184 2009-08-13] (CSR, plc)

0 BTHidEnum; C:\Windows\System32\Drivers\vbtenum.sys [24976 2007-03-05] (IVT Corporation.)

0 BTHidMgr; C:\Windows\System32\Drivers\BTHidMgr.sys [49680 2007-03-05] (IVT Corporation.)

0 BTHidMgr; C:\Windows\SysWow64\Drivers\BTHidMgr.sys [49680 2007-03-05] (IVT Corporation.)

3 hcw72ADFilter; C:\Windows\System32\Drivers\hcw72ADFilter.sys [38656 2010-04-23] (Hauppauge Computer Works, Inc.)

3 hcw72ATV; C:\Windows\System32\Drivers\hcw72ATV.sys [1631488 2010-04-23] (Hauppauge Computer Works, Inc.)

3 hcw72DTV; C:\Windows\System32\Drivers\hcw72DTV.sys [1634176 2010-04-23] (Hauppauge Computer Works, Inc.)

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25928 2012-09-29] (Malwarebytes Corporation)

3 MODEMCSA; C:\Windows\System32\Drivers\MODEMCSA.sys [24064 2009-07-13] (Microsoft Corporation)

3 StkCMini; C:\Windows\System32\Drivers\StkCMini.sys [632704 2007-06-28] (Syntek)

3 TridVid; C:\Windows\System32\Drivers\TridVid.sys [159232 2007-04-09] (Trident Multimedia Technologies Co.,Ltd)

3 TridVidx64; C:\Windows\System32\Drivers\TridVidx64.sys [207488 2007-07-31] (Trident Multimedia Technologies Co.,Ltd)

3 ubohci; C:\Windows\System32\Drivers\ubohci.sys [132608 2009-03-27] (Unibrain S.A.)

2 ubsbm; C:\Windows\System32\Drivers\ubsbm.sys [24064 2009-03-27] ()

2 ubumapi; C:\Windows\System32\Drivers\ubumapi.sys [92160 2009-03-27] ()

3 VComm; C:\Windows\System32\Drivers\VComm.sys [47120 2007-03-05] (IVT Corporation.)

3 VComm; C:\Windows\SysWow64\Drivers\VComm.sys [47120 2007-03-05] (IVT Corporation.)

3 VcommMgr; C:\Windows\System32\Drivers\VcommMgr.sys [63248 2007-03-05] (IVT Corporation.)

3 VcommMgr; C:\Windows\SysWow64\Drivers\VcommMgr.sys [63248 2007-03-05] (IVT Corporation.)

2 mdmxsdk; C:\Windows\System32\DRIVERS\ACFSDK64.sys [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-11-18 08:01 - 2012-11-18 08:01 - 00000000 ____D C:\FRST

2012-11-17 18:30 - 2012-11-17 18:30 - 00000000 ____D C:\Windows\83B952C7F8F34CA3B4C533C85B24E478.TMP

2012-11-17 16:57 - 2012-11-17 16:57 - 00001120 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-11-17 16:57 - 2012-11-17 16:57 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\Malwarebytes

2012-11-17 16:57 - 2012-11-17 16:57 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-11-17 16:57 - 2012-11-17 16:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-11-17 16:57 - 2012-09-29 19:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-11-17 08:07 - 2012-11-18 06:07 - 00150016 ____A C:\Users\Cameron\AppData\Roaming\Msyitwgeawcb.exe

2012-11-17 08:03 - 2012-11-18 07:28 - 00150016 ____A C:\Users\All Users\Msyitwgeawcb.exe

2012-11-17 08:03 - 2012-11-18 07:10 - 00150016 ____A C:\Users\Cameron\AppData\Local\Msyitwgeawcb.exe

2012-11-17 07:11 - 2012-11-17 07:11 - 00000481 ____A C:\Windows\SynInst.log

2012-11-16 07:08 - 2012-11-17 07:08 - 00000000 ____D C:\Users\All Users\blekko toolbars

2012-11-16 06:14 - 2012-11-16 07:01 - 817480974 ____A C:\Users\Cameron\Documents\Megastructures. Megaship _ 720p _ NatGeo(iphone).mp4

2012-11-16 06:14 - 2012-11-16 06:43 - 521988973 ____A C:\Users\Cameron\Documents\MegaStructures - Boeing 747 Breakdown - HD - P1 of 2(iphone).mp4

2012-11-15 20:10 - 2012-11-15 20:45 - 201476098 ____A C:\Users\Cameron\Documents\~yt2CC6.tmp

2012-11-15 20:06 - 2012-11-15 20:45 - 119253521 ____A C:\Users\Cameron\Documents\~ytFD1A.tmp

2012-11-15 19:55 - 2012-11-15 20:10 - 133494619 ____A C:\Users\Cameron\Documents\MegaStructures - Boeing 747 Breakdown - HD - P1 of 2.mp4

2012-11-15 19:33 - 2012-11-15 20:45 - 262787262 ____A C:\Users\Cameron\Documents\~yt4897.tmp

2012-11-15 19:33 - 2012-11-15 20:06 - 135879258 ____A C:\Users\Cameron\Documents\NatGeo Megastructures - Channel Tunnel.mp4

2012-11-15 19:30 - 2012-11-15 19:55 - 205388538 ____A C:\Users\Cameron\Documents\Megastructures. Megaship _ 720p _ NatGeo.mp4

2012-11-15 19:27 - 2012-11-15 19:27 - 00001057 ____A C:\Users\Public\Desktop\YTD Video Downloader.lnk

2012-11-15 19:27 - 2012-11-15 19:27 - 00000000 ____D C:\Users\All Users\YTD Video Downloader

2012-11-14 07:11 - 2012-11-14 07:11 - 00017060 ____A C:\Users\Cameron\Desktop\hs_err_pid7764.log

2012-11-08 06:00 - 2012-11-08 05:59 - 00030568 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys

2012-11-07 06:42 - 2012-11-17 07:05 - 00023030 ____A C:\Users\Cameron\Documents\Health Tracking.xlsx

2012-10-28 10:34 - 2012-10-28 10:38 - 00000000 ____D C:\Users\Cameron\Documents\RealFlight 6 Demo

2012-10-28 10:32 - 2012-10-28 10:34 - 00000000 ____D C:\Program Files (x86)\RealFlight 6 Demo

2012-10-28 10:32 - 2012-10-28 10:32 - 00002081 ____A C:\Users\Cameron\Desktop\Launch RealFlight 6 Demo.lnk

2012-10-28 10:03 - 2012-10-28 10:32 - 00000000 ____D C:\Users\Cameron\Desktop\AeroFly

2012-10-28 09:12 - 2012-10-28 09:12 - 00002565 ____A C:\Users\Public\Desktop\ClearView1.lnk

2012-10-28 09:12 - 2012-10-28 09:12 - 00002565 ____A C:\Users\Public\Desktop\ClearView.lnk

2012-10-28 09:12 - 2012-10-28 09:12 - 00000000 ____D C:\ClearViewRC

2012-10-22 05:15 - 2012-10-22 05:15 - 00000000 ____D C:\Program Files (x86)\YTD Toolbar

2012-10-22 05:15 - 2012-10-22 05:15 - 00000000 ____D C:\Program Files (x86)\Application Updater

==================== One Month Modified Files and Folders =======

2012-11-18 08:01 - 2012-11-18 08:01 - 00000000 ____D C:\FRST

2012-11-18 07:28 - 2012-11-17 08:03 - 00150016 ____A C:\Users\All Users\Msyitwgeawcb.exe

2012-11-18 07:16 - 2009-07-13 21:13 - 00784218 ____A C:\Windows\System32\PerfStringBackup.INI

2012-11-18 07:10 - 2012-11-17 08:03 - 00150016 ____A C:\Users\Cameron\AppData\Local\Msyitwgeawcb.exe

2012-11-18 07:10 - 2010-07-01 15:25 - 00065536 _____ C:\Windows\System32\Ikeext.etl

2012-11-18 06:07 - 2012-11-17 08:07 - 00150016 ____A C:\Users\Cameron\AppData\Roaming\Msyitwgeawcb.exe

2012-11-17 21:56 - 2010-12-30 07:45 - 00001477 ____A C:\Users\Public\Documents\AcPro7_0_0.ini

2012-11-17 21:56 - 2010-12-30 07:45 - 00000095 ____A C:\Users\Public\Documents\AcPro7_0_0.sta

2012-11-17 21:54 - 2010-06-26 16:18 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-11-17 21:53 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-11-17 21:53 - 2009-07-13 20:51 - 00750783 ____A C:\Windows\setupact.log

2012-11-17 21:42 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\tracing

2012-11-17 21:41 - 2009-07-13 20:45 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-11-17 21:41 - 2009-07-13 20:45 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-11-17 21:30 - 2012-04-04 05:12 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-11-17 20:46 - 2010-07-29 12:46 - 00000000 ____D C:\Windows\System32\Drivers\Avg

2012-11-17 18:30 - 2012-11-17 18:30 - 00000000 ____D C:\Windows\83B952C7F8F34CA3B4C533C85B24E478.TMP

2012-11-17 16:57 - 2012-11-17 16:57 - 00001120 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-11-17 16:57 - 2012-11-17 16:57 - 00000000 ____D C:\Users\Cameron\AppData\Roaming\Malwarebytes

2012-11-17 16:57 - 2012-11-17 16:57 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-11-17 16:57 - 2012-11-17 16:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-11-17 10:31 - 2010-07-01 14:52 - 00000000 ____D C:\Users\All Users\PC Suite

2012-11-17 08:06 - 2010-06-26 16:18 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-11-17 07:13 - 2010-05-28 17:53 - 00267564 ____A C:\Windows\PFRO.log

2012-11-17 07:11 - 2012-11-17 07:11 - 00000481 ____A C:\Windows\SynInst.log

2012-11-17 07:08 - 2012-11-16 07:08 - 00000000 ____D C:\Users\All Users\blekko toolbars

2012-11-17 07:05 - 2012-11-07 06:42 - 00023030 ____A C:\Users\Cameron\Documents\Health Tracking.xlsx

2012-11-16 07:01 - 2012-11-16 06:14 - 817480974 ____A C:\Users\Cameron\Documents\Megastructures. Megaship _ 720p _ NatGeo(iphone).mp4

2012-11-16 06:43 - 2012-11-16 06:14 - 521988973 ____A C:\Users\Cameron\Documents\MegaStructures - Boeing 747 Breakdown - HD - P1 of 2(iphone).mp4

2012-11-15 20:45 - 2012-11-15 20:10 - 201476098 ____A C:\Users\Cameron\Documents\~yt2CC6.tmp

2012-11-15 20:45 - 2012-11-15 20:06 - 119253521 ____A C:\Users\Cameron\Documents\~ytFD1A.tmp

2012-11-15 20:45 - 2012-11-15 19:33 - 262787262 ____A C:\Users\Cameron\Documents\~yt4897.tmp

2012-11-15 20:10 - 2012-11-15 19:55 - 133494619 ____A C:\Users\Cameron\Documents\MegaStructures - Boeing 747 Breakdown - HD - P1 of 2.mp4

2012-11-15 20:06 - 2012-11-15 19:33 - 135879258 ____A C:\Users\Cameron\Documents\NatGeo Megastructures - Channel Tunnel.mp4

2012-11-15 19:55 - 2012-11-15 19:30 - 205388538 ____A C:\Users\Cameron\Documents\Megastructures. Megaship _ 720p _ NatGeo.mp4

2012-11-15 19:27 - 2012-11-15 19:27 - 00001057 ____A C:\Users\Public\Desktop\YTD Video Downloader.lnk

2012-11-15 19:27 - 2012-11-15 19:27 - 00000000 ____D C:\Users\All Users\YTD Video Downloader

2012-11-15 19:27 - 2011-07-28 20:44 - 00000000 ____D C:\Users\All Users\YouTube Downloader

2012-11-15 19:27 - 2011-07-28 20:44 - 00000000 ____D C:\Program Files (x86)\YouTube Downloader

2012-11-15 06:47 - 2010-12-23 17:15 - 00000000 ____D C:\Users\Cameron\Desktop\Grandpa

2012-11-14 07:11 - 2012-11-14 07:11 - 00017060 ____A C:\Users\Cameron\Desktop\hs_err_pid7764.log

2012-11-09 20:00 - 2010-06-09 02:59 - 01375177 ____A C:\Windows\WindowsUpdate.log

2012-11-09 06:58 - 2011-05-02 10:10 - 00000000 ____D C:\Users\Cameron\Desktop\Houseboats

2012-11-08 06:01 - 2012-06-13 04:57 - 00000000 ____D C:\Users\Cameron\AppData\Local\AVG Secure Search

2012-11-08 06:01 - 2011-12-08 06:15 - 00000000 ____D C:\Users\All Users\AVG Secure Search

2012-11-08 06:00 - 2011-12-08 06:15 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search

2012-11-08 05:59 - 2012-11-08 06:00 - 00030568 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys

2012-10-28 21:09 - 2010-07-29 16:20 - 00000000 ____D C:\Users\Cameron\AppData\Local\CrashDumps

2012-10-28 10:38 - 2012-10-28 10:34 - 00000000 ____D C:\Users\Cameron\Documents\RealFlight 6 Demo

2012-10-28 10:34 - 2012-10-28 10:32 - 00000000 ____D C:\Program Files (x86)\RealFlight 6 Demo

2012-10-28 10:34 - 2010-11-04 20:23 - 00002307 ____A C:\Windows\DXError.log

2012-10-28 10:34 - 2010-05-28 17:41 - 00312542 ____A C:\Windows\DirectX.log

2012-10-28 10:32 - 2012-10-28 10:32 - 00002081 ____A C:\Users\Cameron\Desktop\Launch RealFlight 6 Demo.lnk

2012-10-28 10:32 - 2012-10-28 10:03 - 00000000 ____D C:\Users\Cameron\Desktop\AeroFly

2012-10-28 10:30 - 2010-05-28 17:34 - 00000000 ____D C:\Windows\Downloaded Installations

2012-10-28 09:12 - 2012-10-28 09:12 - 00002565 ____A C:\Users\Public\Desktop\ClearView1.lnk

2012-10-28 09:12 - 2012-10-28 09:12 - 00002565 ____A C:\Users\Public\Desktop\ClearView.lnk

2012-10-28 09:12 - 2012-10-28 09:12 - 00000000 ____D C:\ClearViewRC

2012-10-28 08:18 - 2010-07-02 10:53 - 00000000 ____D C:\Program Files (x86)\IPACS

2012-10-28 07:39 - 2010-10-30 09:38 - 00000249 ____A C:\Windows\emug3.ini

2012-10-28 07:38 - 2010-10-30 08:52 - 00000000 ____D C:\Program Files (x86)\RealFlightG3

2012-10-28 07:30 - 2010-05-28 17:34 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information

2012-10-28 07:08 - 2012-02-26 04:46 - 00000000 ____D C:\Users\Cameron\Desktop\Games

2012-10-24 05:19 - 2011-11-09 20:43 - 00000000 ____D C:\Users\Cameron\AppData\Local\Akamai

2012-10-22 05:15 - 2012-10-22 05:15 - 00000000 ____D C:\Program Files (x86)\YTD Toolbar

2012-10-22 05:15 - 2012-10-22 05:15 - 00000000 ____D C:\Program Files (x86)\Application Updater

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-10-28 07:30:25

Restore point made on: 2012-10-28 08:06:29

Restore point made on: 2012-10-28 08:16:24

Restore point made on: 2012-10-28 08:18:20

Restore point made on: 2012-10-28 08:23:39

Restore point made on: 2012-10-28 08:30:29

Restore point made on: 2012-10-28 09:11:55

Restore point made on: 2012-10-28 10:32:11

Restore point made on: 2012-10-28 10:33:58

Restore point made on: 2012-11-05 06:16:41

Restore point made on: 2012-11-12 19:26:34

Restore point made on: 2012-11-17 07:09:51

==================== Memory info ===========================

Percentage of memory in use: 15%

Total physical RAM: 4026.68 MB

Available physical RAM: 3390.58 MB

Total Pagefile: 4024.82 MB

Available Pagefile: 3375.06 MB

Total Virtual: 8192 MB

Available Virtual: 8191.88 MB

==================== Partitions =============================

1 Drive c: (TI105835W0N) (Fixed) (Total:486.42 GB) (Free:270.37 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

2 Drive d: (XP Pro) (Fixed) (Total:97.66 GB) (Free:88.23 GB) NTFS

3 Drive e: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[system with boot components (obtained from reading drive)]

5 Drive g: () (Removable) (Total:0.48 GB) (Free:0.48 GB) FAT

6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 596 GB 1024 KB

Disk 1 Online 495 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Recovery 1500 MB 1024 KB

Partition 2 Primary 486 GB 1501 MB

Partition 0 Extended 97 GB 487 GB

Partition 4 Logical 97 GB 487 GB

Partition 3 Primary 10 GB 585 GB

==================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 E System NTFS Partition 1500 MB Healthy Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C TI105835W0N NTFS Partition 486 GB Healthy

=========================================================

Disk: 0

Partition 4

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 D XP Pro NTFS Partition 97 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 17 (Suspicious Type)

Hidden: Yes

Active: No

There is no volume associated with this partition.

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

* Partition 1 Primary 495 MB 0 B

==================================================================================

Disk: 1

There is no partition selected.

There is no partition selected.

Please select a partition and try again.

=========================================================

Last Boot: 2012-11-15 05:34

==================== End Of Log =============================

Hi, Thor351: :)

Sorry to hear you might be infected.

We cannot review scan logs or work on malware removal in this sub-section of the forum, so please read below for assistance with cleaning your system.

IMPORTANT: Please do NOT use any temporary file cleaners unless instructed to do so - they can cause data loss, making recovery difficult.

ALSO: It is not advisable to follow instructions given to another user for another system, or to run the powerful malware removal tools (ComboFix, FRST, etc.) without expert guidance, as they can cause serious system damage.

IF YOU WOULD LIKE EXPERT HELP WITH MALWARE REMOVAL, PLEASE CHOOSE ONE OF THE FOLLOWING 3 OPTIONS:

OPTION 1: Free, one-on-one, expert assistance in the Malware Removal Forum. (Please see helpful tips below.)

OPTION 2: For licensed users of MBAM PRO, there is free, one-on-one, expert assistance from the MBAM support helpdesk.

OPTION 3: Fee-based, one-on-one, expert assistance from Premium Support.

OPTION 1:

  • Please print out, read and carefully follow the instructions in the "I'm Infected - What Do I Do Now?" sticky topic.
  • -->If the infection has so crippled the computer that you cannot complete some or all of the steps, then just do the best you can and start a new topic as described below.
  • Then please start a new post in the Malware Removal Forum.
  • An authorized, trained malware expert will provide free, one-on-one assistance as soon as one becomes available.
  • -->>When starting your new post, please note the following:<<--
  • Please do NOT post in a topic started by someone else, even if their problem sounds similar.
  • Please COPY/PASTE the requested logs directly into your post, rather than attaching them.
  • Under options, please be sure to select "track this topic" and "immediate email notification", so you'll know when a helper responds.
  • Please be patient - it may be 48 hours or more before a helper can assist you, especially when the forum is very busy.
  • Please do NOT "bump" your topic or reply back to it for at least 48 hours.
  • Doing so may cause your topic to be overlooked, as it will appear that you are already being helped.

OPTION 2:

If you are a paid user of MBAM PRO and would like support via the helpdesk, please contact them HERE.

OPTION 3:

If you prefer the Malwarebytes Premium Services (comprehensive solutions to all your computer support needs – from installation and set-up to troubleshooting and tune-ups), please go to the Premium Support site HERE.

Please be patient – someone will assist you as soon as possible.

Thank you very much,

daledoc1
