Jump to content

FBI Moneypak no safe mode access


feb29
 Share

Recommended Posts

Hello,

I am running Windows Vista 32 and am stuck on the faux-warning page. I can not access safe mode, it always switches to the full mode and the fbi warning page.

I have copied the FRST.txt and Services.txt below.

Thanks in advance for any help.

Danny Sillivant

Charleston, SC USA

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-01-2013 02

Ran by SYSTEM at 30-01-2013 12:40:20

Running from F:\

Windows 7 Professional (X86) OS Language: English(US)

The current controlset is ControlSet002

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [uSCService] C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe [34232 2010-06-22] (Broadcom Corporation)

HKLM\...\Run: [ESInetConnect] "C:\EagleSoft\Shared Files\esinetconnect.exe" [204800 2007-04-04] (Patterson Dental Supply, Inc.)

HKLM\...\Run: [ESServer] "C:\EagleSoft\Shared Files\startsrv.exe" [36864 2004-02-03] ()

HKLM\...\Run: [DBRMTray] C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [206336 2010-05-20] (Microsoft)

HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2010-09-23] (Adobe Systems Incorporated)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-09-20] (Adobe Systems Incorporated)

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947176 2012-09-12] (Microsoft Corporation)

HKU\Owner\...\Run: [osrsh] rundll32.exe "C:\Users\Owner\AppData\Roaming\osrsh.dll",PSTSetNewData [160768 2013-01-29] (Syntek Corporation)

HKU\Owner\...\Run: [winax] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\winax.dll",ASTFromString [613888 2013-01-29] (Ray Hinchliffe)

HKU\Owner\...\Run: [watidl] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\watidl.dll",Init [333824 2013-01-29] (ALPS Electric Co., Ltd.)

HKU\Owner\...\Winlogon: [shell] explorer.exe,C:\Users\Owner\AppData\Roaming\skype.dat [94208 2011-11-16] ()

HKLM\...\RunOnce: [DBRMTray] C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-02-04] (Microsoft)

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$47948b2fda6c8a44705b1405ef19b4b1\n. ATTENTION! ====> ZeroAccess

Tcpip\Parameters: [DhcpNameServer] 10.1.10.1

AppInit_DLLs: C:\PROGRA~1\KEYCRY~1\KEYCRY~3.DLL

Lsa: [Authentication Packages] msv1_0 wvauth

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Constant Guard.lnk

ShortcutTarget: Constant Guard.lnk -> C:\Program Files\Constant Guard Protection Suite\IDVault.exe (White Sky, Inc.)

==================== Services (Whitelisted) ===================

2 atashost; "C:\Windows\system32\atashost.exe" [116536 2011-04-08] (Cisco WebEx LLC)

2 IDVaultSvc; "C:\Program Files\Constant Guard Protection Suite\IDVaultSvc.exe" [66600 2013-01-14] (White Sky, Inc.)

2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [20472 2012-09-12] (Microsoft Corporation)

3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [287824 2012-09-12] (Microsoft Corporation)

3 SecureStorageService; "C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe" [1032192 2010-02-03] (Wave Systems Corp.)

2 tcsd_win32.exe; "C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe" [1273856 2008-11-12] ()

2 TdmService; "C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe" [1164648 2010-03-29] (Wave Systems Corp.)

2 UNS; C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2066968 2010-02-18] (Intel Corporation)

2 XCSecurity; "C:\ProgramData\CAM Commerce Solutions\X-Charge\Application\XCSecurityService.exe" [1554432 2010-10-02] ()

2 XCService; "C:\ProgramData\CAM Commerce Solutions\X-Charge\Application\XCService.exe" [461824 2010-10-02] ()

==================== Drivers (Whitelisted) ====================

1 AntiLog32; \??\C:\Windows\system32\drivers\AntiLog32.sys [82320 2013-01-29] (Zemana Ltd.)

3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [60104 2010-07-12] (FTDI Ltd.)

3 keycrypt; C:\Windows\System32\DRIVERS\KeyCrypt32.sys [25936 2013-01-05] (Zemana Ltd.)

0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [193552 2012-08-30] (Microsoft Corporation)

3 NAL; \??\C:\Windows\system32\Drivers\iqvw32.sys [30880 2010-02-02] (Intel Corporation )

0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)

2 WavxDMgr; C:\Windows\System32\DRIVERS\WavxDMgr.sys [229888 2010-01-19] (Wave Systems Corp.)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-01-30 12:40 - 2013-01-30 12:40 - 00000000 ____D C:\FRST

2013-01-29 12:01 - 2013-01-29 12:01 - 00082320 ____A (Zemana Ltd.) C:\Windows\System32\Drivers\AntiLog32.sys

2013-01-29 12:01 - 2013-01-29 12:01 - 00000000 ____D C:\Windows\System32\ZALSDK_uninst

2013-01-29 12:01 - 2013-01-29 12:01 - 00000000 ____D C:\Users\Owner\AppData\Local\Zemana

2013-01-29 12:01 - 2013-01-29 12:01 - 00000000 ____D C:\Program Files\KeyCryptSDK

2013-01-29 12:01 - 2013-01-05 17:39 - 07369552 ____A (Zemana Ltd.) C:\Windows\System32\ZALSDKCore.dll

2013-01-29 12:01 - 2013-01-05 17:39 - 00025936 ____A (Zemana Ltd.) C:\Windows\System32\Drivers\KeyCrypt32.sys

2013-01-29 11:49 - 2013-01-30 08:45 - 00000004 ____A C:\Users\Owner\AppData\Roaming\skype.ini

2013-01-29 11:45 - 2013-01-30 08:43 - 00006526 ____A C:\Users\Owner\AppData\Local\914e708b-7721-4e0a-8f1a-4bb0306a8c84.crx

2013-01-29 11:45 - 2013-01-30 05:07 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-01-29 11:45 - 2013-01-29 12:08 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2013-01-29 11:45 - 2013-01-29 12:08 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2013-01-29 11:45 - 2013-01-29 11:45 - 00613888 ____A (Ray Hinchliffe) C:\Users\Owner\AppData\Roaming\winax.dll

2013-01-29 11:45 - 2013-01-29 11:45 - 00333824 ____A (ALPS Electric Co., Ltd.) C:\Users\Owner\AppData\Roaming\watidl.dll

2013-01-29 11:44 - 2013-01-29 11:44 - 00160768 ____A (Syntek Corporation) C:\Users\Owner\AppData\Roaming\osrsh.dll

2013-01-09 05:25 - 2012-11-22 18:56 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-01-09 05:25 - 2012-11-21 20:45 - 00626688 ____A (Microsoft Corporation) C:\Windows\System32\usp10.dll

2013-01-09 05:25 - 2012-11-08 20:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll

2013-01-09 05:24 - 2012-12-07 04:26 - 00308736 ____A (Microsoft Corporation) C:\Windows\System32\Wpc.dll

2013-01-09 05:24 - 2012-12-07 04:20 - 02576384 ____A (Microsoft Corporation) C:\Windows\System32\gameux.dll

2013-01-09 05:24 - 2012-12-07 02:46 - 00055296 ____A (Microsoft) C:\Windows\System32\cero.rs

2013-01-09 05:24 - 2012-12-07 02:46 - 00051712 ____A (Microsoft) C:\Windows\System32\esrb.rs

2013-01-09 05:24 - 2012-12-07 02:46 - 00046592 ____A (Microsoft) C:\Windows\System32\fpb.rs

2013-01-09 05:24 - 2012-12-07 02:46 - 00045568 ____A (Microsoft) C:\Windows\System32\oflc-nz.rs

2013-01-09 05:24 - 2012-12-07 02:46 - 00044544 ____A (Microsoft) C:\Windows\System32\pegibbfc.rs

2013-01-09 05:24 - 2012-12-07 02:46 - 00043520 ____A (Microsoft) C:\Windows\System32\csrr.rs

2013-01-09 05:24 - 2012-12-07 02:46 - 00040960 ____A (Microsoft) C:\Windows\System32\cob-au.rs

2013-01-09 05:24 - 2012-12-07 02:46 - 00030720 ____A (Microsoft) C:\Windows\System32\usk.rs

2013-01-09 05:24 - 2012-12-07 02:46 - 00023552 ____A (Microsoft) C:\Windows\System32\oflc.rs

2013-01-09 05:24 - 2012-12-07 02:46 - 00021504 ____A (Microsoft) C:\Windows\System32\grb.rs

2013-01-09 05:24 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-pt.rs

2013-01-09 05:24 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-fi.rs

2013-01-09 05:24 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi.rs

2013-01-09 05:24 - 2012-12-07 02:46 - 00015360 ____A (Microsoft) C:\Windows\System32\djctq.rs

2013-01-09 05:24 - 2012-11-29 20:53 - 00169984 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll

2013-01-09 05:24 - 2012-11-29 20:47 - 00868352 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll

2013-01-09 05:24 - 2012-11-29 20:47 - 00293376 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 18:55 - 00271360 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe

2013-01-09 05:24 - 2012-11-29 18:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 18:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 18:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 18:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll

2013-01-09 05:24 - 2012-11-29 15:17 - 00420064 ____A C:\Windows\System32\locale.nls

2013-01-09 05:24 - 2012-10-31 20:47 - 01389568 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2013-01-09 05:23 - 2012-11-22 18:48 - 00049152 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe

2013-01-09 05:23 - 2012-11-19 20:51 - 00220160 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

==================== One Month Modified Files and Folders ========

2013-01-30 12:40 - 2013-01-30 12:40 - 00000000 ____D C:\FRST

2013-01-30 09:31 - 2009-07-13 20:55 - 02095398 ____A C:\Windows\WindowsUpdate.log

2013-01-30 09:31 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-01-30 09:31 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-01-30 09:24 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-01-30 09:24 - 2009-07-13 20:39 - 00029381 ____A C:\Windows\setupact.log

2013-01-30 08:45 - 2013-01-29 11:49 - 00000004 ____A C:\Users\Owner\AppData\Roaming\skype.ini

2013-01-30 08:45 - 2012-01-12 11:24 - 00000000 ____D C:\Users\Owner\AppData\Roaming\ID Vault

2013-01-30 08:43 - 2013-01-29 11:45 - 00006526 ____A C:\Users\Owner\AppData\Local\914e708b-7721-4e0a-8f1a-4bb0306a8c84.crx

2013-01-30 07:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\LogFiles

2013-01-30 05:07 - 2013-01-29 11:45 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-01-29 12:08 - 2013-01-29 11:45 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2013-01-29 12:08 - 2013-01-29 11:45 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2013-01-29 12:01 - 2013-01-29 12:01 - 00082320 ____A (Zemana Ltd.) C:\Windows\System32\Drivers\AntiLog32.sys

2013-01-29 12:01 - 2013-01-29 12:01 - 00000000 ____D C:\Windows\System32\ZALSDK_uninst

2013-01-29 12:01 - 2013-01-29 12:01 - 00000000 ____D C:\Users\Owner\AppData\Local\Zemana

2013-01-29 12:01 - 2013-01-29 12:01 - 00000000 ____D C:\Program Files\KeyCryptSDK

2013-01-29 12:01 - 2012-04-12 04:01 - 00002137 ____A C:\Users\Public\Desktop\Constant Guard.lnk

2013-01-29 12:01 - 2012-01-12 11:20 - 00000000 ____D C:\Program Files\Constant Guard Protection Suite

2013-01-29 11:55 - 2010-12-16 11:23 - 00000000 ____D C:\Users\Owner\AppData\Roaming\SoftGrid Client

2013-01-29 11:45 - 2013-01-29 11:45 - 00613888 ____A (Ray Hinchliffe) C:\Users\Owner\AppData\Roaming\winax.dll

2013-01-29 11:45 - 2013-01-29 11:45 - 00333824 ____A (ALPS Electric Co., Ltd.) C:\Users\Owner\AppData\Roaming\watidl.dll

2013-01-29 11:44 - 2013-01-29 11:44 - 00160768 ____A (Syntek Corporation) C:\Users\Owner\AppData\Roaming\osrsh.dll

2013-01-29 06:31 - 2012-06-27 07:35 - 00000000 ____D C:\Users\Owner\Desktop\Important

2013-01-28 14:16 - 2010-09-30 20:06 - 00727310 ____A C:\Windows\System32\PerfStringBackup.INI

2013-01-28 14:00 - 2012-10-18 12:47 - 00000000 ____D C:\Users\Owner\Desktop\Data Backup

2013-01-24 05:07 - 2010-12-09 12:58 - 00000000 ____D C:\EagleSoft Autobackups

2013-01-21 06:09 - 2010-12-13 09:23 - 00000000 ____D C:\Users\Owner\Desktop\New Patient Forms

2013-01-17 08:47 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF

2013-01-10 00:30 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET

2013-01-10 00:21 - 2009-07-13 20:33 - 00268128 ____A C:\Windows\System32\FNTCACHE.DAT

2013-01-10 00:00 - 2010-12-09 12:32 - 65273848 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-01-05 17:39 - 2013-01-29 12:01 - 07369552 ____A (Zemana Ltd.) C:\Windows\System32\ZALSDKCore.dll

2013-01-05 17:39 - 2013-01-29 12:01 - 00025936 ____A (Zemana Ltd.) C:\Windows\System32\Drivers\KeyCrypt32.sys

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-302394131-1905736877-2128619648-1000\$47948b2fda6c8a44705b1405ef19b4b1

ZeroAccess:

C:\$Recycle.Bin\S-1-5-18\$47948b2fda6c8a44705b1405ef19b4b1

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-01-30 05:31:27

Restore point made on: 2013-01-30 05:32:36

Restore point made on: 2013-01-30 05:32:42

Restore point made on: 2013-01-30 05:32:46

Restore point made on: 2013-01-30 05:32:50

==================== Memory info ===========================

Percentage of memory in use: 20%

Total physical RAM: 1995.59 MB

Available physical RAM: 1587.83 MB

Total Pagefile: 1995.59 MB

Available Pagefile: 1591.28 MB

Total Virtual: 2047.88 MB

Available Virtual: 1948.7 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:139.31 GB) (Free:0.96 GB) NTFS

3 Drive f: (USB20FD) (Removable) (Total:15.22 GB) (Free:15.2 GB) FAT32

4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

5 Drive y: (RECOVERY) (Fixed) (Total:9.59 GB) (Free:4.85 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 149 GB 0 B

Disk 1 Online 15 GB 0 B

Partitions of Disk 0:

===============

Disk ID: 08000000

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 109 MB 31 KB

Partition 2 Primary 9 GB 110 MB

Partition 3 Primary 139 GB 9 GB

=========================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 FAT Partition 109 MB Healthy Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y RECOVERY NTFS Partition 9 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C OS NTFS Partition 139 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Disk ID: C3072E18

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 15 GB 24 KB

=========================================================

Disk: 1

Partition 1

Type : 0C

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F USB20FD FAT32 Removable 15 GB Healthy

=========================================================

Last Boot: 2013-01-24 05:53

==================== End Of Log ============================

Farbar Recovery Scan Tool (x86) Version: 28-01-2013 02

Ran by SYSTEM at 2013-01-30 12:42:07

Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe

[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe

[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

=== End Of Search ===

Link to post
Share on other sites

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now.

MrC

Link to post
Share on other sites

Thanks, MrCharlie. Do I need to run anything else, ie Malwarebytes or superspybot to clean up?

Danny

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 28-01-2013 02

Ran by SYSTEM at 2013-01-30 13:38:23 Run:1

Running from F:\

==============================================

HKEY_USERS\Owner\Software\Microsoft\Windows\CurrentVersion\Run\\osrsh Value deleted successfully.

HKEY_USERS\Owner\Software\Microsoft\Windows\CurrentVersion\Run\\winax Value deleted successfully.

HKEY_USERS\Owner\Software\Microsoft\Windows\CurrentVersion\Run\\watidl Value deleted successfully.

HKEY_USERS\Owner\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).

C:\Users\Owner\AppData\Roaming\skype.ini moved successfully.

C:\Users\Owner\AppData\Local\914e708b-7721-4e0a-8f1a-4bb0306a8c84.crx moved successfully.

C:\Users\Owner\AppData\Roaming\winax.dll moved successfully.

C:\Users\Owner\AppData\Roaming\watidl.dll moved successfully.

C:\Users\Owner\AppData\Roaming\osrsh.dll moved successfully.

C:\Users\Owner\AppData\Local\914e708b-7721-4e0a-8f1a-4bb0306a8c84.crx not found.

C:\$Recycle.Bin\S-1-5-21-302394131-1905736877-2128619648-1000\$47948b2fda6c8a44705b1405ef19b4b1 moved successfully.

C:\$Recycle.Bin\S-1-5-18\$47948b2fda6c8a44705b1405ef19b4b1 moved successfully.

==== End of Fixlog ====

Link to post
Share on other sites

Yes we have more to do.........

Just read this info on the infection you had:

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.