
  1. Please download Farbar Recovery Scan Tool and save it to a flash drive.
    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
    Plug the flash drive into the infected PC.
  2. If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
    If you are using Vista or Windows 7 enter System Recovery Options.
    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

To make a repair disk on Windows 7 consult: http://www.sevenforu...isc-create.html

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

  • On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt

    Select Command Prompt. Once in the Command Prompt:

      • In the command window type in notepad and press Enter.
      • The notepad opens. Under File menu select Open.
      • Select "Computer" and find your flash drive letter and close the notepad.
      • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter.
        Note: Replace letter e with the drive letter of your flash drive.
      • The tool will start to run.
      • When the tool opens click Yes to disclaimer.
      • Press Scan button.
      • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    MrC


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-02-2013

Ran by SYSTEM at 12-02-2013 18:36:46

Running from F:\

Windows 7 Ultimate (X86) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin [611712 2008-08-14] (Adobe Systems Incorporated)

HKLM\...\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)

HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-02] (Apple Inc.)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)

HKLM\...\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1821576 2011-08-01] (Microsoft Corporation)

HKLM\...\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-06-25] (Advanced Micro Devices, Inc.)

HKLM\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [38768 2009-10-03] (Adobe Systems Incorporated)

HKLM\...\Run: [] [x]

HKLM\...\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [640376 2009-10-02] (Adobe Systems Inc.)

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x]

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)

HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)

HKLM\...\Run: [intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [2215768 2011-12-06] (Intuit Inc. All rights reserved.)

HKLM\...\Run: [sendori Tray] "C:\Program Files\Sendori\SendoriTray.exe" [82792 2012-12-10] (Sendori, Inc.)

HKU\Jenny L\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-09-30] (Google Inc.)

HKU\Jenny L\...\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun [17877168 2012-11-09] (Skype Technologies S.A.)

HKU\Jenny L\...\Winlogon: [shell] C:\Users\Jenny L\AppData\Roaming\ldr.mcb,explorer.exe [x]

HKLM\...\runonceex: [Flags] 128 [x]

HKLM\...\runonceex: [Title] UnHackMe Rootkit Check [x]

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 4.2.2.2

AppInit_DLLs: acaptuser32.dll

Tcpip\..\Interfaces\{E0392B4E-03CE-4818-AF0E-7724AEC69B92}: [NameServer]216.146.35.240,216.146.36.240,192.168.1.1,4.2.2.2

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk

ShortcutTarget: Audible Download Manager.lnk -> C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Audible, Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\DRSpawner.lnk

ShortcutTarget: DRSpawner.lnk -> C:\ProgramData\ASGvis\DRSpawner\DRSpawner.exe ()

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Intuit Data Protect.lnk

ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk

ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2012\QBW32.EXE (Intuit Inc.)

==================== Services (Whitelisted) ===================

2 Application Sendori; C:\Program Files\Sendori\SendoriSvc.exe [118632 2012-12-10] (Sendori, Inc.)

2 Autodesk Content Service; "C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe" [18656 2011-02-02] ()

2 AVGIDSAgent; "C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" [7391072 2012-01-31] (AVG Technologies CZ, s.r.o.)

2 avgwd; "C:\Program Files\AVG\AVG10\avgwdsvc.exe" [269520 2011-02-08] (AVG Technologies CZ, s.r.o.)

3 FLEXnet Licensing Service; "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" [1044816 2011-05-13] (Flexera Software, Inc.)

3 MozillaMaintenance; "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [115608 2013-02-09] (Mozilla Foundation)

2 QBVSS; "C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe" [1248256 2011-12-06] (Intuit Inc.)

2 Service Sendori; C:\Program Files\Sendori\Sendori.Service.exe [14696 2012-12-10] (sendori)

2 sndappv2; C:\Program Files\Sendori\sndappv2.exe [3569512 2012-12-10] (Sendori)

2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]

3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

==================== Drivers (Whitelisted) ====================

3 AVGIDSDriver; C:\Windows\System32\DRIVERS\AVGIDSDriver.Sys [134480 2011-05-27] (AVG Technologies CZ, s.r.o. )

0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [22992 2011-02-22] (AVG Technologies CZ, s.r.o. )

3 AVGIDSFilter; C:\Windows\System32\DRIVERS\AVGIDSFilter.Sys [24144 2011-02-10] (AVG Technologies CZ, s.r.o. )

3 AVGIDSShim; C:\Windows\System32\DRIVERS\AVGIDSShim.Sys [21968 2011-02-10] (AVG Technologies CZ, s.r.o. )

1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [248656 2011-01-07] (AVG Technologies CZ, s.r.o.)

1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [34896 2011-03-01] (AVG Technologies CZ, s.r.o.)

0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [32592 2011-03-16] (AVG Technologies CZ, s.r.o.)

1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [297168 2011-04-04] (AVG Technologies CZ, s.r.o.)

3 itecir; C:\Windows\System32\DRIVERS\itecir.sys [65640 2010-07-13] (ITE Tech. Inc. )

3 libusb0; C:\Windows\System32\DRIVERS\libusb0.sys [28160 2009-07-07] (http://libusb-win32.sourceforge.net)

0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [193552 2012-08-30] (Microsoft Corporation)

0 Partizan; C:\Windows\System32\drivers\Partizan.sys [35816 2012-09-20] (Greatis Software)

3 RegGuard; \??\C:\Windows\system32\Drivers\regguard.sys [24416 2012-09-23] (Greatis Software)

0 sptd; C:\Windows\System32\Drivers\sptd.sys [682232 2010-10-01] (Duplex Secure Ltd.)

1 MpKsle47b7712; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8E3A73D1-77F2-4833-9C1E-E32CBFC367B7}\MpKsle47b7712.sys [x]

3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]

3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]

3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-02-12 18:28 - 2013-02-12 18:28 - 00003344 ____N C:\bootsqm.dat

2013-02-09 11:42 - 2013-02-09 11:43 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-01-29 22:26 - 2013-02-12 08:10 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

2013-01-29 22:26 - 2013-01-29 22:26 - 00000000 ____D C:\Users\All Users\Mozilla

2013-01-25 00:18 - 2013-01-25 00:18 - 00000375 ____A C:\Users\Jenny L\Desktop\i heart sarah packing list.txt

2013-01-22 11:19 - 2013-01-23 23:29 - 00000000 ____D C:\Users\Jenny L\Desktop\pics from grace jan 2013

2013-01-14 11:48 - 2013-01-14 11:49 - 00008972 ____A C:\Users\Jenny L\Desktop\grace and jenny momentum budget.xlsx

2013-01-14 11:48 - 2013-01-14 11:48 - 00000165 ___AH C:\Users\Jenny L\Desktop\~$grace and jenny momentum budget.xlsx

==================== One Month Modified Files and Folders ========

2013-02-12 18:36 - 2013-02-12 18:36 - 00000000 ____D C:\FRST

2013-02-12 18:30 - 2012-09-20 12:07 - 00000000 ____D C:\Users\All Users\RegRun

2013-02-12 18:29 - 2012-11-20 22:41 - 00010330 ____A C:\Windows\setupact.log

2013-02-12 18:29 - 2012-09-20 20:21 - 00000262 ____A C:\Windows\System32\PARTIZAN.TXT

2013-02-12 18:29 - 2010-09-30 10:18 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-02-12 18:29 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-02-12 18:28 - 2013-02-12 18:28 - 00003344 ____N C:\bootsqm.dat

2013-02-12 18:19 - 2010-09-30 07:02 - 01999328 ____A C:\Windows\WindowsUpdate.log

2013-02-12 18:18 - 2012-09-20 12:07 - 00000000 ____D C:\Users\Public\Documents\regruninfo

2013-02-12 18:14 - 2012-11-20 22:43 - 00024951 ____A C:\Windows\Partizan.log

2013-02-12 17:45 - 2010-09-30 10:18 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-02-12 17:44 - 2012-04-14 12:13 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-02-12 09:32 - 2010-10-06 10:10 - 00000000 ____D C:\Users\Jenny L\AppData\Roaming\Skype

2013-02-12 09:09 - 2009-07-13 20:34 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-02-12 09:09 - 2009-07-13 20:34 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-02-12 08:29 - 2010-09-30 07:28 - 00000000 ____D C:\users\Jenny L

2013-02-12 08:10 - 2013-01-29 22:26 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

2013-02-12 06:50 - 2010-09-30 07:25 - 00782922 ____A C:\Windows\System32\PerfStringBackup.INI

2013-02-11 13:04 - 2012-05-30 19:37 - 00000000 ____D C:\Users\Jenny L\Documents\PERSONAL

2013-02-09 11:43 - 2013-02-09 11:42 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-02-07 16:29 - 2012-07-29 22:41 - 00000000 ____D C:\Users\Jenny L\Desktop\TRAVEL ITINERARIES

2013-02-07 13:06 - 2012-04-14 12:13 - 00697712 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2013-02-07 13:06 - 2011-12-26 19:05 - 00074096 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2013-02-02 16:26 - 2012-10-18 21:36 - 00000000 ____D C:\Users\Jenny L\Desktop\MICHAEL AND SARAH SHOWER

2013-01-30 02:53 - 2010-09-30 08:14 - 00232336 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

2013-01-29 22:26 - 2013-01-29 22:26 - 00000000 ____D C:\Users\All Users\Mozilla

2013-01-29 22:26 - 2010-10-04 09:33 - 00001107 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2013-01-25 00:18 - 2013-01-25 00:18 - 00000375 ____A C:\Users\Jenny L\Desktop\i heart sarah packing list.txt

2013-01-23 23:29 - 2013-01-22 11:19 - 00000000 ____D C:\Users\Jenny L\Desktop\pics from grace jan 2013

2013-01-14 11:49 - 2013-01-14 11:48 - 00008972 ____A C:\Users\Jenny L\Desktop\grace and jenny momentum budget.xlsx

2013-01-14 11:48 - 2013-01-14 11:48 - 00000165 ___AH C:\Users\Jenny L\Desktop\~$grace and jenny momentum budget.xlsx

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-2622386775-4131186126-629390652-1000\$b17f1825ea4b6bf661daedb479b942bc

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-02-09 22:18:13

==================== Memory info ===========================

Percentage of memory in use: 12%

Total physical RAM: 4090.89 MB

Available physical RAM: 3587.44 MB

Total Pagefile: 4089.17 MB

Available Pagefile: 3584.41 MB

Total Virtual: 2047.88 MB

Available Virtual: 1960.48 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:138.9 GB) (Free:18.67 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

2 Drive d: (RECOVERY) (Fixed) (Total:10 GB) (Free:2.99 GB) NTFS

4 Drive f: () (Removable) (Total:14.9 GB) (Free:6.07 GB) FAT32

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 149 GB 0 B

Disk 1 Online 14 GB 0 B

Partitions of Disk 0:

===============

Disk ID: 20000000

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 149 MB 31 KB

Partition 2 Primary 10 GB 150 MB

Partition 3 Primary 138 GB 10 GB

=========================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 FAT Partition 149 MB Healthy Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 D RECOVERY NTFS Partition 10 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C OS NTFS Partition 138 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Disk ID: 00000000

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 14 GB 16 KB

=========================================================

Disk: 1

Partition 1

Type : 0C

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F FAT32 Removable 14 GB Healthy

=========================================================

Last Boot: 2013-02-03 00:01

==================== End Of Log ============================

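A small triage script, added here as an example (it is not part of the thread and not FRST's own code), that reads FRST registry lines like the ones in the log above and flags what a helper checks first: a Winlogon Shell value that is not plain explorer.exe, a populated AppInit_DLLs value, Run entries whose target file is missing ([x]), and the folder FRST lists under its ZeroAccess header. The sample lines are constructed from the posted log; the function names, severities and section-detection logic are my own assumptions.

```python
"""Triage helper for FRST log lines (added example; not part of the thread or of FRST itself)."""
import re
# Constructed sample: a handful of lines taken verbatim from the FRST log posted above.
SAMPLE_LOG = r"""
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x]
HKLM\...\Run: [] [x]
HKU\Jenny L\...\Winlogon: [shell] C:\Users\Jenny L\AppData\Roaming\ldr.mcb,explorer.exe [x]
AppInit_DLLs: acaptuser32.dll
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2622386775-4131186126-629390652-1000\$b17f1825ea4b6bf661daedb479b942bc
==================== Known DLLs (Whitelisted) =================
"""

# FRST prints keys as "HKLM\...\Run: [name] data" or "HKU\<user>\...\Winlogon: [value] data".
HIVE = r'(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\'
RUN_RE = re.compile('^' + HIVE + r'Run: \[(?P<name>[^\]]*)\] (?P<data>.*)$', re.I)
WINLOGON_RE = re.compile('^' + HIVE + r'Winlogon: \[(?P<value>\w+)\] (?P<data>.*)$', re.I)
# Folder shape FRST reported under its ZeroAccess header: $Recycle.Bin\<SID>\$<32 hex chars>.
ZA_PATH_RE = re.compile(r'\\\$Recycle\.Bin\\S-1-5-[\d-]+\\\$[0-9a-f]{32}$', re.I)
# FRST's file-info suffix: "[size date] (Publisher)", or "[x]" when the file is missing.
TRAILER_RE = re.compile(r'\s*\[(x|\d+ \d{4}-\d{2}-\d{2})\].*$')

def strip_trailer(data: str) -> str:
    """Drop the file-info suffix so only the registry data itself remains."""
    return TRAILER_RE.sub('', data)

def triage(log_text: str) -> list:
    """Return (severity, reason, detail) tuples for lines a helper looks at first."""
    findings = []
    in_zeroaccess = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == 'ZeroAccess:':       # header FRST prints only when it found something
            in_zeroaccess = True
            continue
        if line.startswith('===='):     # any section banner ends the ZeroAccess block
            in_zeroaccess = False
        if in_zeroaccess and ZA_PATH_RE.search(line):
            findings.append(('critical', 'ZeroAccess payload folder', line))
            continue
        m = WINLOGON_RE.match(line)
        if m:
            data = strip_trailer(m['data'])
            # Shell must be exactly explorer.exe; "x,explorer.exe" runs x first at every logon.
            if m['value'].lower() == 'shell' and data.lower() != 'explorer.exe':
                findings.append(('critical', f"Winlogon Shell replaced under {m['hive']}", data))
            continue
        if line.lower().startswith('appinit_dlls:'):
            dlls = line.split(':', 1)[1].strip()
            if dlls:   # loaded into every process that maps user32.dll; verify the DLL's origin
                findings.append(('review', 'AppInit_DLLs is set', dlls))
            continue
        m = RUN_RE.match(line)
        if m and m['data'].endswith('[x]'):   # [x]: the referenced file no longer exists
            findings.append(('low', f"Run entry target missing [{m['name']}]", strip_trailer(m['data'])))
    return findings
```

Run it over a full FRST.txt with `triage(open('FRST.txt', encoding='utf-8', errors='replace').read())`; the Winlogon Shell finding is the one that explains a machine that no longer boots to a desktop.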

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now.

MrC


OK, we have more to do though:

...............please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Quit all running programs.

Please download and run RogueKiller to your desktop.

http://tigzy.geeksto...ueKillerX64.exe <---use this one for 64 bit systems

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
