removal of winrscmde svchost.exe virus


  • Staff

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:


    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.

NEXT

For 64bit systems, download Listparts64 and save it to your desktop.

  • Run the tool.
  • Check the "list BCD" box.
  • Click "Scan" and post the log (Result.txt) it makes.


CatByte: Here is the result of the frst64 scan.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-11-2012

Ran by SYSTEM at 24-11-2012 14:09:12

Running from H:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [iAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)

HKLM\...\Run: [broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe [4968960 2009-07-16] (Dell Inc.)

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [305664 2009-01-22] (Alps Electric Co., Ltd.)

HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot [273544 2011-07-05] (RealNetworks, Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe" [148888 2009-11-07] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)

HKLM\...\Runonce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [x]

HKLM-x32\...\RunOnce: [sTToasterLauncher] C:\program files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe [120048 2009-08-17] ()

Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]

Tcpip\Parameters: [DhcpNameServer] 10.0.0.1

Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk

ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk

ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Services (Whitelisted) ===================

4 Autodesk Content Service; "C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe" [19232 2012-01-31] (Autodesk, Inc.)

2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-29] (Malwarebytes Corporation)

2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-29] (Malwarebytes Corporation)

2 mfevtp; "C:\Windows\system32\mfevtps.exe" [177144 2012-07-17] (McAfee, Inc.)

2 SpyHunter 4 Service; C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1021888 2012-10-10] (Enigma Software Group USA, LLC.)

4 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe [240128 2009-06-28] (IDT, Inc.)

==================== Drivers (Whitelisted) =====================

3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [13088 2011-03-02] ()

3 EsgScanner; C:\Windows\System32\Drivers\EsgScanner.sys [22704 2012-06-22] ()

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25928 2012-09-29] (Malwarebytes Corporation)

3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [169320 2012-07-17] (McAfee, Inc.)

0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [752672 2012-07-17] (McAfee, Inc.)

1 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [335784 2012-07-17] (McAfee, Inc.)

3 RDID1061; C:\Windows\System32\Drivers\rdwm1061.sys [201216 2009-09-18] (Roland Corporation)

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-11-24 14:00 - 2012-11-24 14:00 - 00277088 ____A C:\Windows\Minidump\112412-24726-01.dmp

2012-11-24 13:43 - 2012-11-24 13:50 - 01461039 ____A (Farbar) C:\Users\Brian\Downloads\FRST64.exe

2012-11-24 09:29 - 2012-11-24 09:29 - 00044554 ____A C:\Users\Brian\Desktop\attach.txt

2012-11-24 09:29 - 2012-11-24 09:28 - 00017040 ____A C:\Users\Brian\Desktop\dds.txt

2012-11-24 09:23 - 2012-11-24 09:25 - 00688992 ____R (Swearware) C:\Users\Brian\Downloads\dds.com

2012-11-23 23:59 - 2012-11-23 23:59 - 00002256 ____A C:\Users\Brian\Desktop\SpyHunter.lnk

2012-11-23 23:59 - 2012-11-23 23:59 - 00000000 ____D C:\sh4ldr

2012-11-23 23:59 - 2012-11-23 23:59 - 00000000 ____D C:\Program Files\Enigma Software Group

2012-11-23 23:59 - 2012-11-23 23:59 - 00000000 ____A C:\autoexec.bat

2012-11-23 23:59 - 2012-06-22 12:01 - 00022704 ____A C:\Windows\System32\Drivers\EsgScanner.sys

2012-11-23 23:57 - 2012-11-23 23:59 - 00000000 ____D C:\Windows\83B952C7F8F34CA3B4C533C85B24E478.TMP

2012-11-18 14:41 - 2009-07-13 19:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe

2012-11-18 14:03 - 2012-10-08 06:19 - 17811968 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-11-18 14:03 - 2012-10-08 05:42 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-11-18 14:03 - 2012-10-08 05:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-11-18 14:03 - 2012-10-08 05:24 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-11-18 14:03 - 2012-10-08 05:23 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-11-18 14:03 - 2012-10-08 05:22 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-11-18 14:03 - 2012-10-08 05:22 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-11-18 14:03 - 2012-10-08 05:20 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-11-18 14:03 - 2012-10-08 05:18 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-11-18 14:03 - 2012-10-08 05:17 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-11-18 14:03 - 2012-10-08 05:17 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2012-11-18 14:03 - 2012-10-08 05:15 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-11-18 14:03 - 2012-10-08 05:15 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-11-18 14:03 - 2012-10-08 05:13 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-11-18 14:03 - 2012-10-08 05:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-11-18 14:03 - 2012-10-08 05:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-11-18 14:03 - 2012-10-08 02:28 - 12320768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-11-18 14:03 - 2012-10-08 02:02 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-11-18 14:03 - 2012-10-08 01:56 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-11-18 14:03 - 2012-10-08 01:48 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-11-18 14:03 - 2012-10-08 01:48 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-11-18 14:03 - 2012-10-08 01:47 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-11-18 14:03 - 2012-10-08 01:46 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-11-18 14:03 - 2012-10-08 01:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-11-18 14:03 - 2012-10-08 01:44 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-11-18 14:03 - 2012-10-08 01:43 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-11-18 14:03 - 2012-10-08 01:43 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2012-11-18 14:03 - 2012-10-08 01:42 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2012-11-18 14:03 - 2012-10-08 01:41 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-11-18 14:03 - 2012-10-08 01:41 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-11-18 14:03 - 2012-10-08 01:40 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-11-18 14:03 - 2012-10-08 01:37 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-11-15 22:06 - 2012-07-25 22:55 - 00785512 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys

2012-11-15 22:06 - 2012-07-25 22:55 - 00054376 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys

2012-11-15 22:06 - 2012-07-25 20:36 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll

2012-11-15 22:06 - 2012-06-02 08:35 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf

2012-11-15 21:55 - 2012-11-15 21:55 - 00000208 ____A C:\Windows\System32\MRT.INI

2012-11-15 21:51 - 2012-07-25 21:08 - 00744448 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll

2012-11-15 21:51 - 2012-07-25 21:08 - 00229888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe

2012-11-15 21:51 - 2012-07-25 21:08 - 00194048 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll

2012-11-15 21:51 - 2012-07-25 21:08 - 00084992 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll

2012-11-15 21:51 - 2012-07-25 21:08 - 00045056 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll

2012-11-15 21:51 - 2012-07-25 20:26 - 00198656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys

2012-11-15 21:51 - 2012-07-25 20:26 - 00087040 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys

2012-11-15 21:51 - 2012-06-02 08:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf

2012-11-15 20:33 - 2012-10-18 12:18 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-11-15 19:34 - 2012-09-25 16:39 - 00095744 ____A (Microsoft Corporation) C:\Windows\System32\synceng.dll

2012-11-15 19:34 - 2012-09-25 15:55 - 00078336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\synceng.dll

2012-11-04 19:16 - 2012-11-04 19:35 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\Brian\Desktop\mbam-consumer.exe

==================== One Month Modified Files and Folders =======

2012-11-24 14:08 - 2012-11-24 14:08 - 00000000 ____D C:\FRST

2012-11-24 14:02 - 2009-07-13 23:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-11-24 14:02 - 2009-07-13 22:51 - 00096083 ____A C:\Windows\setupact.log

2012-11-24 14:00 - 2012-11-24 14:00 - 00277088 ____A C:\Windows\Minidump\112412-24726-01.dmp

2012-11-24 14:00 - 2011-10-10 18:31 - 389467019 ____A C:\Windows\MEMORY.DMP

2012-11-24 14:00 - 2011-10-10 18:31 - 00000000 ____D C:\Windows\Minidump

2012-11-24 13:59 - 2009-12-19 09:04 - 00000000 ____D C:\brian

2012-11-24 13:50 - 2012-11-24 13:43 - 01461039 ____A (Farbar) C:\Users\Brian\Downloads\FRST64.exe

2012-11-24 13:48 - 2009-07-13 22:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-11-24 13:48 - 2009-07-13 22:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-11-24 13:36 - 2012-09-22 21:04 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-11-24 13:34 - 2010-11-26 11:52 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-11-24 13:33 - 2009-12-16 21:13 - 00000073 ____A C:\Windows\SysWOW64\ToasterLauncherLog.log

2012-11-24 13:33 - 2009-11-07 15:37 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup

2012-11-24 10:24 - 2009-07-13 23:10 - 01951680 ____A C:\Windows\WindowsUpdate.log

2012-11-24 10:11 - 2010-11-26 11:52 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-11-24 09:29 - 2012-11-24 09:29 - 00044554 ____A C:\Users\Brian\Desktop\attach.txt

2012-11-24 09:28 - 2012-11-24 09:29 - 00017040 ____A C:\Users\Brian\Desktop\dds.txt

2012-11-24 09:26 - 2012-06-19 19:40 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-735682779-3776735334-2523709070-1001UA.job

2012-11-24 09:25 - 2012-11-24 09:23 - 00688992 ____R (Swearware) C:\Users\Brian\Downloads\dds.com

2012-11-24 09:01 - 2009-07-13 23:08 - 00032608 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-11-23 23:59 - 2012-11-23 23:59 - 00002256 ____A C:\Users\Brian\Desktop\SpyHunter.lnk

2012-11-23 23:59 - 2012-11-23 23:59 - 00000000 ____D C:\sh4ldr

2012-11-23 23:59 - 2012-11-23 23:59 - 00000000 ____D C:\Program Files\Enigma Software Group

2012-11-23 23:59 - 2012-11-23 23:59 - 00000000 ____A C:\autoexec.bat

2012-11-23 23:59 - 2012-11-23 23:57 - 00000000 ____D C:\Windows\83B952C7F8F34CA3B4C533C85B24E478.TMP

2012-11-22 17:35 - 2012-06-19 19:40 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-735682779-3776735334-2523709070-1001Core.job

2012-11-19 20:57 - 2012-10-15 20:52 - 00000000 ____D C:\Windows\pss

2012-11-19 12:22 - 2009-07-13 23:13 - 00787254 ____A C:\Windows\System32\PerfStringBackup.INI

2012-11-18 03:05 - 2009-12-16 21:09 - 00000000 ____D C:\users\Brian

2012-11-18 03:05 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\registration

2012-11-16 21:23 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\rescache

2012-11-16 20:31 - 2009-11-07 17:19 - 00532550 ____A C:\Windows\PFRO.log

2012-11-16 05:41 - 2009-12-16 21:10 - 00131656 ____A C:\Users\Brian\Local Settings\GDIPFONTCACHEV1.DAT

2012-11-16 05:41 - 2009-12-16 21:10 - 00131656 ____A C:\Users\Brian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2012-11-16 05:41 - 2009-12-16 21:10 - 00131656 ____A C:\Users\Brian\AppData\Local\GDIPFONTCACHEV1.DAT

2012-11-16 05:40 - 2009-07-13 22:45 - 00459240 ____A C:\Windows\System32\FNTCACHE.DAT

2012-11-15 22:11 - 2009-11-07 15:39 - 00000000 ____D C:\Users\All Users\Microsoft Help

2012-11-15 22:11 - 2009-11-07 15:39 - 00000000 ____D C:\Users\All Users\Application Data\Microsoft Help

2012-11-15 21:55 - 2012-11-15 21:55 - 00000208 ____A C:\Windows\System32\MRT.INI

2012-11-15 21:52 - 2012-10-09 21:40 - 66395536 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-11-15 21:50 - 2009-07-13 20:34 - 00000534 ____A C:\Windows\win.ini

2012-11-15 21:47 - 2012-10-04 20:41 - 00006465 ____A C:\Users\Brian\Local Settings\chromeupdate.crx

2012-11-15 21:47 - 2012-10-04 20:41 - 00006465 ____A C:\Users\Brian\Local Settings\Application Data\chromeupdate.crx

2012-11-15 21:47 - 2012-10-04 20:41 - 00006465 ____A C:\Users\Brian\AppData\Local\chromeupdate.crx

2012-11-15 18:25 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\AppCompat

2012-11-15 18:22 - 2011-07-05 19:13 - 00000000 ____D C:\Users\All Users\Real

2012-11-15 18:22 - 2011-07-05 19:13 - 00000000 ____D C:\Users\All Users\Application Data\Real

2012-11-09 03:07 - 2012-06-19 19:50 - 00002486 ____A C:\Users\Brian\Desktop\Google Chrome.lnk

2012-11-04 19:49 - 2012-10-16 16:38 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-11-04 19:49 - 2012-10-16 16:38 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk

2012-11-04 19:49 - 2012-10-16 16:38 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-11-04 19:35 - 2012-11-04 19:16 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\Brian\Desktop\mbam-consumer.exe

2012-11-02 21:13 - 2012-10-01 19:18 - 00000000 ____D C:\adoption profile pics

ATTENTION: ========> Check for possible partition/boot infection:

C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-15 21:50:28

Restore point made on: 2012-11-17 03:00:36

Restore point made on: 2012-11-18 11:18:08

Restore point made on: 2012-11-18 14:03:34

Restore point made on: 2012-11-18 14:14:11

Restore point made on: 2012-11-19 03:00:38

Restore point made on: 2012-11-20 03:00:29

Restore point made on: 2012-11-21 03:00:29

Restore point made on: 2012-11-21 07:08:05

Restore point made on: 2012-11-21 07:16:33

Restore point made on: 2012-11-22 03:00:32

Restore point made on: 2012-11-22 18:18:02

Restore point made on: 2012-11-23 23:58:13

Restore point made on: 2012-11-24 03:00:31

Restore point made on: 2012-11-24 08:21:48

Restore point made on: 2012-11-24 10:24:23

==================== Memory info ===========================

Percentage of memory in use: 18%

Total physical RAM: 3032.36 MB

Available physical RAM: 2477.79 MB

Total Pagefile: 3030.51 MB

Available Pagefile: 2471.81 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:218.2 GB) (Free:147.91 GB) NTFS

2 Drive d: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:8.57 GB) NTFS ==>[system with boot components (obtained from reading drive)]

ATTENTION: Malware custom entry on BCD on drive d: detected. Check for MBR/Partition infection.

6 Drive h: () (Removable) (Total:3.72 GB) (Free:0.22 GB) FAT32

7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 232 GB 0 B

Disk 1 No Media 0 B 0 B

Disk 2 No Media 0 B 0 B

Disk 3 Online 3815 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 39 MB 31 KB

Partition 2 Primary 14 GB 40 MB

Partition 3 Primary 218 GB 14 GB

==================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 6 FAT Partition 39 MB Healthy Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 D RECOVERY NTFS Partition 14 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C OS NTFS Partition 218 GB Healthy

=========================================================

Partitions of Disk 3:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 3814 MB 8 KB

==================================================================================

Disk: 3

Partition 1

Type : 0B

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 5 H FAT32 Removable 3814 MB Healthy

=========================================================

Last Boot: 2012-11-15 19:04

==================== End Of Log =============================


CatByte:

Here is the result of the listpart scan.

Thanks,

Brian

ListParts by Farbar Version: 30-10-2012

Ran by Brian (administrator) on 24-11-2012 at 14:19:40

Windows 7 (X64)

Running From: C:\Users\Brian\Desktop

Language: 0409

************************************************************

========================= Memory info ======================

Percentage of memory in use: 40%

Total physical RAM: 3032.36 MB

Available physical RAM: 1797.13 MB

Total Pagefile: 6062.87 MB

Available Pagefile: 4498.2 MB

Total Virtual: 8192 MB

Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:218.2 GB) (Free:147.89 GB) NTFS

4 Drive f: () (Removable) (Total:3.72 GB) (Free:0.22 GB) FAT32

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 232 GB 0 B

Disk 1 No Media 0 B 0 B

Disk 2 Online 3815 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 39 MB 31 KB

Partition 2 Primary 14 GB 40 MB

Partition 3 Primary 218 GB 14 GB

======================================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 RECOVERY NTFS Partition 14 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C OS NTFS Partition 218 GB Healthy Boot

======================================================================================================

Partitions of Disk 2:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 3814 MB 8 KB

======================================================================================================

Disk: 2

Partition 1

Type : 0B

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 F FAT32 Removable 3814 MB Healthy

======================================================================================================

==========================================================

TDL4: custom:26000022

Windows Boot Manager

--------------------

identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}

device partition=\Device\HarddiskVolume2

description Windows Boot Manager

locale en-US

inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

default {85299226-cbf1-11de-90cc-d46b45696dce}

resumeobject {85299225-cbf1-11de-90cc-d46b45696dce}

displayorder {85299226-cbf1-11de-90cc-d46b45696dce}

toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}

timeout 30

Windows Boot Loader

-------------------

identifier {85299226-cbf1-11de-90cc-d46b45696dce}

device partition=C:

path \Windows\system32\winload.exe

description Windows 7

locale en-US

inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}

recoverysequence {85299227-cbf1-11de-90cc-d46b45696dce}

recoveryenabled Yes

osdevice partition=C:

systemroot \Windows

resumeobject {85299225-cbf1-11de-90cc-d46b45696dce}

nx OptIn

Windows Boot Loader

-------------------

identifier {85299227-cbf1-11de-90cc-d46b45696dce}

device ramdisk=[\Device\HarddiskVolume2]\Recovery\WindowsRE\Winre.wim,{85299228-cbf1-11de-90cc-d46b45696dce}

path \windows\system32\winload.exe

description Windows Recovery Environment

inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}

osdevice ramdisk=[\Device\HarddiskVolume2]\Recovery\WindowsRE\Winre.wim,{85299228-cbf1-11de-90cc-d46b45696dce}

systemroot \windows

nx OptIn

winpe Yes

custom:46000010 Yes

Resume from Hibernate

---------------------

identifier {85299225-cbf1-11de-90cc-d46b45696dce}

device partition=C:

path \Windows\system32\winresume.exe

description Windows Resume Application

locale en-US

inherit {1afa9c49-16ab-4a5c-901b-212802da9460}

filedevice partition=C:

filepath \hiberfil.sys

debugoptionenabled No

Windows Memory Tester

---------------------

identifier {b2721d73-1db4-4c62-bf78-c548a880142d}

device partition=\Device\HarddiskVolume2

path \boot\memtest.exe

description Windows Memory Diagnostic

locale en-US

inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

badmemoryaccess Yes

EMS Settings

------------

identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}

custom:26000022 Yes

Debugger Settings

-----------------

identifier {4636856e-540f-4170-a130-a84776f4c654}

debugtype Serial

debugport 1

baudrate 115200

RAM Defects

-----------

identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings

---------------

identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

inherit {4636856e-540f-4170-a130-a84776f4c654}

{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}

{5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings

--------------------

identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}

inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

{7ff607e0-4395-11db-b0de-0800200c9a66}

Hypervisor Settings

-------------------

identifier {7ff607e0-4395-11db-b0de-0800200c9a66}

hypervisordebugtype Serial

hypervisordebugport 1

hypervisorbaudrate 115200

Resume Loader Settings

----------------------

identifier {1afa9c49-16ab-4a5c-901b-212802da9460}

inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Device options

--------------

identifier {85299228-cbf1-11de-90cc-d46b45696dce}

description Ramdisk Options

ramdisksdidevice partition=\Device\HarddiskVolume2

ramdisksdipath \Recovery\WindowsRE\boot.sdi

****** End Of Log ******


  • Staff

Please do the following:

Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right click on it and select Copy. Right-click in the open notepad and select Paste.) Save it on the flash drive as fixlist.txt

start
C:\Windows\svchost.exe
TDL4: custom:26000022
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.

NEXT

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.

NEXT

Please download Junkware Removal Tool to your desktop.

  • Shut down your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

NEXT

Refer to the ComboFix User's Guide

  1. Download ComboFix from the following location:
    Link
    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on ComboFix.exe & follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.
    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

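As an added example (not code from this thread, from Farbar's tools or from Malwarebytes), here is a small Python checker that applies the two indicators the staff acted on in the fixlist above to FRST or ListParts log text: an svchost.exe sitting outside System32/SysWOW64, and BCD elements the tools could not name (such as the custom:26000022 element FRST attributed to TDL4), each reported together with the BCD object it sits in. The embedded sample log is constructed from lines quoted in this thread, and the set of "legitimate" svchost.exe directories is an assumption of the check.

```python
"""Flag the boot-infection indicators from this thread in FRST / ListParts log text."""
import re
import sys
from dataclasses import dataclass

# Directories where a genuine svchost.exe lives on 64-bit Windows 7. Anything else
# (e.g. C:\Windows\svchost.exe, as in the FRST log above) is suspect. This set is an
# assumption of this check, not something the thread states.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# A drive-letter path ending in svchost.exe (paths containing spaces are not expected).
SVCHOST_RE = re.compile(r"([A-Za-z]:\\[^\s]*?\\svchost\.exe)", re.IGNORECASE)
# Any BCD element the tool printed unnamed, e.g. "custom:26000022".
CUSTOM_RE = re.compile(r"custom:([0-9A-Fa-f]{8})")
# ListParts underlines each BCD object title ("EMS Settings") with a run of dashes.
DASHES_RE = re.compile(r"^-{3,}$")


@dataclass(frozen=True)
class Finding:
    kind: str       # misplaced_svchost | custom_bcd_element | tool_attention
    detail: str
    line_no: int


def is_legit_svchost_path(path: str) -> bool:
    """True only for svchost.exe located in System32 or SysWOW64."""
    directory, _, name = path.rpartition("\\")
    return name.lower() == "svchost.exe" and directory.lower() in LEGIT_SVCHOST_DIRS


def scan_log(text: str) -> list[Finding]:
    """Walk an FRST or ListParts log and collect the indicators, deduplicated."""
    findings: list[Finding] = []
    seen: set[tuple[str, str]] = set()
    prev = ""            # previous non-empty line; becomes the BCD object title on a dash line
    bcd_object = None    # title of the BCD object whose elements are currently being read

    def add(kind: str, detail: str, line_no: int) -> None:
        if (kind, detail) not in seen:
            seen.add((kind, detail))
            findings.append(Finding(kind, detail, line_no))

    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if DASHES_RE.match(line):
            bcd_object = prev
        m = SVCHOST_RE.search(line)
        if m and not is_legit_svchost_path(m.group(1)):
            add("misplaced_svchost", m.group(1), n)
        m = CUSTOM_RE.search(line)
        if m:
            add("custom_bcd_element", f"custom:{m.group(1)} in {bcd_object or 'unattributed'}", n)
        if "ATTENTION" in line:          # FRST's own marker, kept verbatim for the analyst
            add("tool_attention", line, n)
        prev = line
    return findings


# Constructed sample: a handful of lines taken from the FRST and ListParts logs in this thread.
SAMPLE_LOG = r"""
ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
TDL4: custom:26000022 <===== ATTENTION!

Windows Boot Loader
-------------------
identifier {85299227-cbf1-11de-90cc-d46b45696dce}
winpe Yes
custom:46000010 Yes

EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
custom:26000022 Yes
"""

if __name__ == "__main__":
    # Usage: python frst_check.py [FRST.txt or Result.txt]; with no argument the sample is scanned.
    # Assumes the log is saved as UTF-8 text.
    text = SAMPLE_LOG
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    for f in scan_log(text):
        print(f"line {f.line_no:>4}  {f.kind:<20} {f.detail}")
```

Not every custom element is malicious (the WinRE loader entry carries one too), so the output is a triage list for the analyst, not a verdict.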

  • Staff

Just a couple more scans to make certain there are no leftovers. Please run the following:

Download AdwCleaner from here and save it to your desktop.

  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply

NEXT

Go here to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

