
FBI Virus, Can't start Safemode. Windows 7



Hello. Apparently my Trend Micro firewall decided to expire the previous night without warning me. Almost immediately after it notified me that it had gone down, the virus appeared. Safe mode does not work, as it brings up a command prompt screen I've never seen in safe mode and then goes back to that screen. I'm aware I am not to use other people's solutions and scripts.

I am running Windows 7 (x64) and the computer in question is a Gateway NV53A laptop. I would greatly appreciate assistance. I do have a flash drive of fair size to use and boot from.


Welcome to the forum, here's how we deal with that malware:

  1. Please download Farbar Recovery Scan Tool and save it to a flash drive.
    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
    Plug the flash drive into the infected PC.
  2. If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
    If you are using Vista or Windows 7 enter System Recovery Options.
    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

  3. On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
    Select Command Prompt.
  4. Once in the Command Prompt, type notepad and press Enter.
  5. Notepad opens. Under the File menu select Open.
  6. Select "Computer", find your flash drive letter and close Notepad.
  7. In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  8. The tool will start to run.
  9. When the tool opens click Yes to the disclaimer.
  10. Press the Scan button.
  11. It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

MrC


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-05-2013 04

Ran by SYSTEM on 27-05-2013 09:22:57

Running from G:\

Windows 7 Home Premium (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet002

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1890088 2009-12-10] (Synaptics Incorporated)

HKLM\...\Run: [Acer ePower Management] C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe [860704 2010-03-17] (Acer Incorporated)

HKLM\...\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [1023416 2010-01-26] (Trend Micro Inc.)

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$d0554ea973904af407d833e263f293bd\n. ATTENTION! ====> ZeroAccess

HKLM-x32\...\Run: [backupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k [252928 2010-03-08] (NewTech Infosystems, Inc.)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe [1300560 2010-03-03] (Dritek System Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-04-21] (Apple Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152392 2013-05-15] (Apple Inc.)

HKU\DAKOTA PC WAREHOUSE\...\Run: [Google Update] "C:\Users\DAKOTA PC WAREHOUSE\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-07-30] (Google Inc.)

HKU\DAKOTA PC WAREHOUSE\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)

HKU\DAKOTA PC WAREHOUSE\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [6595928 2012-05-25] (Yahoo! Inc.)

HKU\DAKOTA PC WAREHOUSE\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2013-04-09] (Google Inc.)

HKU\DAKOTA PC WAREHOUSE\...\Run: [steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1635752 2013-05-03] (Valve Corporation)

HKU\DAKOTA PC WAREHOUSE\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\DAKOTA PC WAREHOUSE\Documents\53da51d4.exe [40448 2013-05-26] (Adobe Systems Incorporated)

HKU\DAKOTA PC WAREHOUSE\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION

HKU\Default\...\RunOnce: [scrSav] C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe /default [154144 2010-01-14] ()

HKU\Default User\...\RunOnce: [scrSav] C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe /default [154144 2010-01-14] ()

Startup: C:\ProgramData\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe (McAfee, Inc.)

Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy Software Installer.lnk

ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (No File)

Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy Software Installer.lnk

ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (No File)

==================== Services (Whitelisted) =================

S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [49152 2013-03-01] ()

S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)

S2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [75136 2011-09-16] ()

S2 SfCtlCom; C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe [836504 2010-11-08] (Trend Micro Inc.)

S3 TMBMServer; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [570632 2011-07-16] (Trend Micro Inc.)

S3 TmPfw; C:\Program Files\Trend Micro\Internet Security\TmPfw.exe [595960 2011-07-16] (Trend Micro Inc.)

S3 TmProxy; C:\Program Files\Trend Micro\Internet Security\TmProxy.exe [917768 2011-07-16] (Trend Micro Inc.)

S2 Updater Service for StartNow Toolbar; C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [244960 2011-10-25] ()

S3 DAUpdaterSvc; c:\program files (x86)\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe [x]

==================== Drivers (Whitelisted) ====================

S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [15672 2011-08-11] ()

S1 tmlwf; C:\Windows\System32\DRIVERS\tmlwf.sys [200720 2011-07-16] (Trend Micro Inc.)

S2 tmpreflt; C:\Windows\System32\DRIVERS\tmpreflt.sys [42768 2011-07-12] (Trend Micro Inc.)

S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [107536 2011-07-16] (Trend Micro Inc.)

S2 tmwfp; C:\Windows\System32\DRIVERS\tmwfp.sys [339984 2011-07-16] (Trend Micro Inc.)

S2 tmxpflt; C:\Windows\System32\DRIVERS\tmxpflt.sys [342288 2011-07-12] (Trend Micro Inc.)

S2 vsapint; C:\Windows\System32\DRIVERS\vsapint.sys [2077456 2011-07-12] (Trend Micro Inc.)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-27 09:22 - 2013-05-27 09:22 - 00000000 ____D C:\FRST

2013-05-26 22:35 - 2013-05-26 22:35 - 01755460 ____A C:\Users\DAKOTA PC WAREHOUSE\AppData\Local\2433f433

2013-05-26 22:35 - 2013-05-26 22:35 - 01755425 ____A C:\Users\DAKOTA PC WAREHOUSE\AppData\Roaming\2433f433

2013-05-26 22:35 - 2013-05-26 22:35 - 01755409 ____A C:\ProgramData\2433f433

2013-05-26 22:35 - 2013-05-26 22:35 - 00040448 ____A (Adobe Systems Incorporated) C:\Users\DAKOTA PC WAREHOUSE\Documents\53da51d4.exe

2013-05-26 09:01 - 2013-05-26 09:01 - 00001414 ____A C:\Users\DAKOTA PC WAREHOUSE\Desktop\UT2004 - Shortcut.lnk

2013-05-26 08:58 - 2013-05-26 08:58 - 00002796 ____A C:\Users\DAKOTA PC WAREHOUSE\Desktop\UT99 Registry Fix.lnk

2013-05-23 01:40 - 2013-05-23 01:40 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\AppData\Local\{E3320B07-EB06-4FAD-A45F-BF71BB6E3ED3}

2013-05-23 01:04 - 2013-05-05 13:36 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-23 01:04 - 2013-05-05 13:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-23 01:04 - 2013-05-05 11:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-23 01:04 - 2013-05-05 11:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-23 01:02 - 2013-04-04 17:08 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-05-23 01:02 - 2013-04-04 17:01 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-05-23 01:02 - 2013-04-04 17:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-05-23 01:02 - 2013-04-04 16:59 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2013-05-23 01:02 - 2013-04-04 16:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-05-23 01:02 - 2013-04-04 16:57 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-05-23 01:02 - 2013-04-04 16:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2013-05-23 01:02 - 2013-04-04 16:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-05-23 01:02 - 2013-04-04 16:55 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2013-05-23 01:02 - 2013-04-04 16:54 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-05-23 01:02 - 2013-04-04 16:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-05-23 01:02 - 2013-04-04 16:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-05-23 01:02 - 2013-04-04 16:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-05-23 01:02 - 2013-04-04 14:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-05-23 01:02 - 2013-04-04 14:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2013-05-23 01:02 - 2013-04-04 14:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-05-23 01:02 - 2013-04-04 14:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-05-23 01:02 - 2013-04-04 14:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2013-05-23 01:02 - 2013-04-04 13:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-05-23 01:02 - 2013-04-04 13:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-05-23 01:02 - 2013-04-04 13:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2013-05-23 01:02 - 2013-04-04 13:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2013-05-23 01:02 - 2013-04-04 13:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-05-23 01:02 - 2013-04-04 13:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-05-23 01:02 - 2013-04-04 13:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2013-05-23 01:02 - 2013-04-04 13:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-05-23 01:01 - 2013-04-04 17:19 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-05-23 01:01 - 2013-04-04 14:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-05-22 19:20 - 2013-05-22 19:20 - 691382464 ____A C:\Users\DAKOTA PC WAREHOUSE\Downloads\CSS_v2.rar

2013-05-22 17:22 - 2013-04-09 22:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys

2013-05-22 17:22 - 2013-04-09 22:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys

2013-05-22 17:22 - 2011-02-03 03:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll

2013-05-22 17:21 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-05-22 17:21 - 2013-03-18 21:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll

2013-05-22 17:21 - 2013-03-18 21:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll

2013-05-22 17:21 - 2013-02-26 22:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe

2013-05-22 17:21 - 2013-02-26 21:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2013-05-22 17:21 - 2013-02-26 21:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll

2013-05-22 17:21 - 2013-02-26 21:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll

2013-05-22 17:21 - 2013-02-26 21:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll

2013-05-22 17:21 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2013-05-22 17:21 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll

2013-05-22 17:21 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll

2013-05-22 17:21 - 2012-10-09 10:17 - 00226816 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcore6.dll

2013-05-22 17:21 - 2012-10-09 10:17 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcsvc6.dll

2013-05-22 17:21 - 2012-10-09 09:40 - 00193536 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcore6.dll

2013-05-22 17:21 - 2012-10-09 09:40 - 00044032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcsvc6.dll

2013-05-22 17:21 - 2012-10-03 09:44 - 00303104 ____A (Microsoft Corporation) C:\Windows\System32\nlasvc.dll

2013-05-22 17:21 - 2012-10-03 09:44 - 00246272 ____A (Microsoft Corporation) C:\Windows\System32\netcorehc.dll

2013-05-22 17:21 - 2012-10-03 09:44 - 00216576 ____A (Microsoft Corporation) C:\Windows\System32\ncsi.dll

2013-05-22 17:21 - 2012-10-03 09:44 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\nlaapi.dll

2013-05-22 17:21 - 2012-10-03 09:44 - 00018944 ____A (Microsoft Corporation) C:\Windows\System32\netevent.dll

2013-05-22 17:21 - 2012-10-03 09:42 - 00569344 ____A (Microsoft Corporation) C:\Windows\System32\iphlpsvc.dll

2013-05-22 17:21 - 2012-10-03 08:42 - 00175104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netcorehc.dll

2013-05-22 17:21 - 2012-10-03 08:42 - 00156672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll

2013-05-22 17:21 - 2012-10-03 08:42 - 00018944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netevent.dll

2013-05-22 17:21 - 2012-10-03 08:07 - 00045568 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys

2013-05-22 17:21 - 2012-08-22 10:12 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys

2013-05-22 17:21 - 2012-07-04 12:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\RNDISMP.sys

2013-05-22 17:21 - 2012-01-12 23:12 - 00052224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll

2013-05-22 17:20 - 2012-08-21 13:01 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe

2013-05-22 17:19 - 2012-11-22 19:13 - 00068608 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe

2013-05-22 01:01 - 2013-05-22 01:01 - 00000000 ____D C:\Windows\System32\SPReview

2013-05-21 09:32 - 2013-05-21 09:32 - 26940042 ____A C:\Users\DAKOTA PC WAREHOUSE\Downloads\ZAZ-DataPack_20120806.7z

2013-05-21 09:22 - 2013-05-21 09:22 - 00055672 ____A C:\Users\DAKOTA PC WAREHOUSE\Downloads\SexoutZAZ.esp

2013-05-19 23:11 - 2013-05-19 23:11 - 00001774 ____A C:\Users\DAKOTA PC WAREHOUSE\Desktop\OpenXcom - Shortcut.lnk

2013-05-19 07:31 - 2013-05-25 09:23 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\Documents\OpenXcom

2013-05-19 07:31 - 2013-05-19 22:34 - 00000000 ____D C:\Program Files (x86)\OpenXcom

2013-05-18 11:41 - 2013-05-18 11:41 - 00001790 ____A C:\Users\Public\Desktop\iTunes.lnk

2013-05-18 11:40 - 2013-05-18 11:41 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-05-18 11:40 - 2013-05-18 11:41 - 00000000 ____D C:\Program Files\iTunes

2013-05-18 11:40 - 2013-05-18 11:41 - 00000000 ____D C:\Program Files (x86)\iTunes

2013-05-18 11:40 - 2013-05-18 11:40 - 00000000 ____D C:\Program Files\iPod

2013-05-15 10:49 - 2013-05-15 10:49 - 65716042 ____A C:\Users\DAKOTA PC WAREHOUSE\Downloads\Parallel Fantasy Translated Version 2.7z

2013-05-15 10:40 - 2013-05-15 10:48 - 00000000 __SHD C:\Users\DAKOTA PC WAREHOUSE\AppData\Roaming\.#

2013-05-15 10:30 - 2013-05-15 10:30 - 85724488 ____A C:\Users\DAKOTA PC WAREHOUSE\Downloads\Eroico_demo_V10.rar

2013-05-13 09:02 - 2013-05-13 09:02 - 168222374 ____A C:\Users\DAKOTA PC WAREHOUSE\Downloads\UrbanxLifeV01a08.rar

2013-05-08 00:52 - 2013-05-08 00:52 - 92183301 ____A C:\Users\DAKOTA PC WAREHOUSE\Downloads\RJ109730 (1).zip

2013-05-08 00:48 - 2013-05-08 00:48 - 92183301 ____A C:\Users\DAKOTA PC WAREHOUSE\Downloads\RJ109730.zip

2013-05-06 22:52 - 2013-05-06 22:52 - 00010226 ____A C:\Users\DAKOTA PC WAREHOUSE\Documents\Uninstall STAR WARS The Old Republic.log

2013-05-06 20:44 - 2013-05-26 19:02 - 00000000 ____D C:\Program Files (x86)\Steam

2013-05-06 20:44 - 2013-05-06 20:44 - 00000924 ____A C:\Users\Public\Desktop\Steam.lnk

2013-05-06 20:44 - 2013-05-06 20:44 - 00000000 ____D C:\Program Files (x86)\dumps

2013-05-05 21:56 - 2013-05-05 21:59 - 00000000 ____D C:\Program Files (x86)\Skulltag

2013-05-05 21:56 - 2013-05-05 21:56 - 00001024 ____A C:\Users\DAKOTA PC WAREHOUSE\Desktop\Play Skulltag (Online).lnk

2013-05-05 21:44 - 2013-05-05 21:44 - 00000094 ____A C:\Windows\SysWOW64\tcpmon.ini

2013-05-05 02:26 - 2013-05-05 02:26 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\AppData\Local\{5D9C204C-DA4D-4C2A-BC0F-6A44584C5947}

2013-05-05 01:49 - 2013-05-05 01:49 - 02250054 ____A C:\ProgramData\1.bmp

2013-05-04 08:26 - 2013-05-04 08:26 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\AppData\Local\{79D29B1E-4DB2-491D-9BE2-35D77457EDCD}

2013-05-01 17:16 - 2013-05-01 17:17 - 00000000 ____D C:\Program Files (x86)\elonaplus1.18R

2013-04-29 01:58 - 2013-04-29 01:58 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\AppData\Roaming\Leadertech

2013-04-29 01:47 - 2013-04-29 01:47 - 00000000 ____D C:\NeverwinterNights

==================== One Month Modified Files and Folders =======

2013-05-27 09:22 - 2013-05-27 09:22 - 00000000 ____D C:\FRST

2013-05-26 22:49 - 2011-06-16 09:19 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-05-26 22:49 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-26 22:49 - 2009-07-13 20:51 - 00054110 ____A C:\Windows\setupact.log

2013-05-26 22:43 - 2011-06-16 09:19 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-05-26 22:40 - 2013-01-11 08:41 - 00000824 ____A C:\Windows\System32\Drivers\etc\tmvsthfss.bin

2013-05-26 22:40 - 2011-07-16 17:19 - 00000824 ____A C:\Windows\System32\Drivers\etc\tmvsthfud.bin

2013-05-26 22:35 - 2013-05-26 22:35 - 01755460 ____A C:\Users\DAKOTA PC WAREHOUSE\AppData\Local\2433f433

2013-05-26 22:35 - 2013-05-26 22:35 - 01755425 ____A C:\Users\DAKOTA PC WAREHOUSE\AppData\Roaming\2433f433

2013-05-26 22:35 - 2013-05-26 22:35 - 01755409 ____A C:\ProgramData\2433f433

2013-05-26 22:35 - 2013-05-26 22:35 - 00040448 ____A (Adobe Systems Incorporated) C:\Users\DAKOTA PC WAREHOUSE\Documents\53da51d4.exe

2013-05-26 22:16 - 2010-08-02 12:29 - 01244071 ____A C:\Windows\WindowsUpdate.log

2013-05-26 22:06 - 2011-08-20 21:17 - 00000964 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2868031687-2542432534-128082859-1000UA.job

2013-05-26 21:45 - 2012-06-20 17:48 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-05-26 19:02 - 2013-05-06 20:44 - 00000000 ____D C:\Program Files (x86)\Steam

2013-05-26 17:06 - 2011-08-20 21:17 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2868031687-2542432534-128082859-1000Core.job

2013-05-26 09:01 - 2013-05-26 09:01 - 00001414 ____A C:\Users\DAKOTA PC WAREHOUSE\Desktop\UT2004 - Shortcut.lnk

2013-05-26 08:58 - 2013-05-26 08:58 - 00002796 ____A C:\Users\DAKOTA PC WAREHOUSE\Desktop\UT99 Registry Fix.lnk

2013-05-25 09:23 - 2013-05-19 07:31 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\Documents\OpenXcom

2013-05-24 20:47 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-05-24 20:47 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-05-24 20:40 - 2012-04-14 14:10 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\Tracing

2013-05-24 07:04 - 2011-06-17 16:57 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\Documents\My Games

2013-05-23 21:06 - 2011-08-20 21:17 - 00002437 ____A C:\Users\DAKOTA PC WAREHOUSE\Desktop\Google Chrome.lnk

2013-05-23 12:48 - 2012-09-02 05:40 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\AppData\Roaming\Skype

2013-05-23 12:11 - 2011-07-16 17:31 - 00000762 ____A C:\Windows\TMFilter.log

2013-05-23 05:39 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2013-05-23 01:43 - 2009-07-13 21:13 - 00779266 ____A C:\Windows\System32\PerfStringBackup.INI

2013-05-23 01:40 - 2013-05-23 01:40 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\AppData\Local\{E3320B07-EB06-4FAD-A45F-BF71BB6E3ED3}

2013-05-23 01:39 - 2012-05-28 17:40 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\AppData\Local\TSVNCache

2013-05-23 01:36 - 2009-07-13 20:45 - 00343552 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-22 19:20 - 2013-05-22 19:20 - 691382464 ____A C:\Users\DAKOTA PC WAREHOUSE\Downloads\CSS_v2.rar

2013-05-22 02:00 - 2010-04-11 21:13 - 02687718 ____A C:\Windows\PFRO.log

2013-05-22 01:49 - 2009-07-13 23:45 - 00000000 ____D C:\Program Files\Windows Journal

2013-05-22 01:49 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Sidebar

2013-05-22 01:49 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Portable Devices

2013-05-22 01:49 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Photo Viewer

2013-05-22 01:49 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender

2013-05-22 01:49 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\DVD Maker

2013-05-22 01:49 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar

2013-05-22 01:49 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices

2013-05-22 01:49 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer

2013-05-22 01:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\sppui

2013-05-22 01:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Setup

2013-05-22 01:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\oobe

2013-05-22 01:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\migwiz

2013-05-22 01:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\manifeststore

2013-05-22 01:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Dism

2013-05-22 01:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\AdvancedInstallers

2013-05-22 01:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sppui

2013-05-22 01:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Setup

2013-05-22 01:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\oobe

2013-05-22 01:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\migwiz

2013-05-22 01:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\manifeststore

2013-05-22 01:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Dism

2013-05-22 01:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\AdvancedInstallers

2013-05-22 01:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing

2013-05-22 01:49 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\System

2013-05-22 01:45 - 2011-04-17 12:01 - 00000000 ____D C:\users\DAKOTA PC WAREHOUSE

2013-05-22 01:24 - 2009-07-13 18:36 - 00175616 ____A (Microsoft Corporation) C:\Windows\System32\msclmd.dll

2013-05-22 01:24 - 2009-07-13 18:36 - 00152576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msclmd.dll

2013-05-22 01:01 - 2013-05-22 01:01 - 00000000 ____D C:\Windows\System32\SPReview

2013-05-21 14:10 - 2011-07-01 16:48 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\AppData\Local\CrashDumps

2013-05-21 09:32 - 2013-05-21 09:32 - 26940042 ____A C:\Users\DAKOTA PC WAREHOUSE\Downloads\ZAZ-DataPack_20120806.7z

2013-05-21 09:22 - 2013-05-21 09:22 - 00055672 ____A C:\Users\DAKOTA PC WAREHOUSE\Downloads\SexoutZAZ.esp

2013-05-20 16:49 - 2011-11-27 00:28 - 00000023 ____A C:\Windows\BlendSettings.ini

2013-05-19 23:11 - 2013-05-19 23:11 - 00001774 ____A C:\Users\DAKOTA PC WAREHOUSE\Desktop\OpenXcom - Shortcut.lnk

2013-05-19 22:34 - 2013-05-19 07:31 - 00000000 ____D C:\Program Files (x86)\OpenXcom

2013-05-19 18:49 - 2012-09-02 05:40 - 00000000 ____D C:\ProgramData\Skype

2013-05-19 18:48 - 2012-12-18 09:46 - 00000000 ___RD C:\Program Files (x86)\Skype

2013-05-18 11:41 - 2013-05-18 11:41 - 00001790 ____A C:\Users\Public\Desktop\iTunes.lnk

2013-05-18 11:41 - 2013-05-18 11:40 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-05-18 11:41 - 2013-05-18 11:40 - 00000000 ____D C:\Program Files\iTunes

2013-05-18 11:41 - 2013-05-18 11:40 - 00000000 ____D C:\Program Files (x86)\iTunes

2013-05-18 11:40 - 2013-05-18 11:40 - 00000000 ____D C:\Program Files\iPod

2013-05-17 06:27 - 2012-06-21 18:52 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\AppData\Local\Skyrim

2013-05-17 06:21 - 2011-11-26 23:40 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\AppData\Local\oblivion

2013-05-16 01:00 - 2012-11-03 10:23 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-05-15 15:04 - 2011-06-16 08:53 - 00000000 ____D C:\Program Files (x86)\sssteam

2013-05-15 10:49 - 2013-05-15 10:49 - 65716042 ____A C:\Users\DAKOTA PC WAREHOUSE\Downloads\Parallel Fantasy Translated Version 2.7z

2013-05-15 10:48 - 2013-05-15 10:40 - 00000000 __SHD C:\Users\DAKOTA PC WAREHOUSE\AppData\Roaming\.#

2013-05-15 10:30 - 2013-05-15 10:30 - 85724488 ____A C:\Users\DAKOTA PC WAREHOUSE\Downloads\Eroico_demo_V10.rar

2013-05-15 03:45 - 2012-04-02 10:04 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-05-15 03:45 - 2011-06-16 09:08 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-05-13 09:02 - 2013-05-13 09:02 - 168222374 ____A C:\Users\DAKOTA PC WAREHOUSE\Downloads\UrbanxLifeV01a08.rar

2013-05-12 04:50 - 2012-10-16 09:04 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\Documents\StarCraft II

2013-05-12 04:49 - 2012-10-16 09:04 - 00000000 ____D C:\Program Files (x86)\StarCraft II

2013-05-08 00:52 - 2013-05-08 00:52 - 92183301 ____A C:\Users\DAKOTA PC WAREHOUSE\Downloads\RJ109730 (1).zip

2013-05-08 00:48 - 2013-05-08 00:48 - 92183301 ____A C:\Users\DAKOTA PC WAREHOUSE\Downloads\RJ109730.zip

2013-05-07 05:34 - 2011-11-10 19:33 - 00000000 ____D C:\Program Files (x86)\Warcraft III

2013-05-06 23:00 - 2011-10-18 21:30 - 00000000 ____D C:\Program Files (x86)\Electronic Arts

2013-05-06 22:59 - 2011-04-17 12:02 - 00079608 ____A C:\Users\DAKOTA PC WAREHOUSE\AppData\Local\GDIPFONTCACHEV1.DAT

2013-05-06 22:57 - 2011-07-07 19:55 - 00000000 ____D C:\Program Files (x86)\BYOND

2013-05-06 22:54 - 2013-02-28 18:47 - 00000000 ____D C:\ProgramData\HappyCloud

2013-05-06 22:54 - 2012-01-29 00:29 - 00000000 ____D C:\Program Files (x86)\GOG.com

2013-05-06 22:52 - 2013-05-06 22:52 - 00010226 ____A C:\Users\DAKOTA PC WAREHOUSE\Documents\Uninstall STAR WARS The Old Republic.log

2013-05-06 22:51 - 2010-04-11 20:47 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information

2013-05-06 22:48 - 2012-12-19 10:58 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\AppData\Roaming\GameRanger

2013-05-06 20:44 - 2013-05-06 20:44 - 00000924 ____A C:\Users\Public\Desktop\Steam.lnk

2013-05-06 20:44 - 2013-05-06 20:44 - 00000000 ____D C:\Program Files (x86)\dumps

2013-05-05 21:59 - 2013-05-05 21:56 - 00000000 ____D C:\Program Files (x86)\Skulltag

2013-05-05 21:56 - 2013-05-05 21:56 - 00001024 ____A C:\Users\DAKOTA PC WAREHOUSE\Desktop\Play Skulltag (Online).lnk

2013-05-05 21:44 - 2013-05-05 21:44 - 00000094 ____A C:\Windows\SysWOW64\tcpmon.ini

2013-05-05 13:36 - 2013-05-23 01:04 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-05 13:16 - 2013-05-23 01:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-05 11:25 - 2013-05-23 01:04 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-05 11:12 - 2013-05-23 01:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-05 02:26 - 2013-05-05 02:26 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\AppData\Local\{5D9C204C-DA4D-4C2A-BC0F-6A44584C5947}

2013-05-05 01:58 - 2012-08-11 18:21 - 00001116 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-05-05 01:58 - 2012-08-11 18:21 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-05-05 01:49 - 2013-05-05 01:49 - 02250054 ____A C:\ProgramData\1.bmp

2013-05-04 08:26 - 2013-05-04 08:26 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\AppData\Local\{79D29B1E-4DB2-491D-9BE2-35D77457EDCD}

2013-05-01 17:17 - 2013-05-01 17:16 - 00000000 ____D C:\Program Files (x86)\elonaplus1.18R

2013-04-29 01:58 - 2013-04-29 01:58 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\AppData\Roaming\Leadertech

2013-04-29 01:47 - 2013-04-29 01:47 - 00000000 ____D C:\NeverwinterNights

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-2868031687-2542432534-128082859-1000\$d0554ea973904af407d833e263f293bd

ZeroAccess:

C:\$Recycle.Bin\S-1-5-18\$d0554ea973904af407d833e263f293bd

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 18%

Total physical RAM: 3834.9 MB

Available physical RAM: 3122.09 MB

Total Pagefile: 3833.05 MB

Available Pagefile: 3115.98 MB

Total Virtual: 8192 MB

Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: (Gateway) (Fixed) (Total:451.66 GB) (Free:126.63 GB) NTFS (Disk=0 Partition=3)

Drive e: (PQSERVICE) (Fixed) (Total:14 GB) (Free:4.62 GB) NTFS (Disk=0 Partition=1)

Drive f: (NW_DIAMOND) (CDROM) (Total:2.56 GB) (Free:0 GB) CDFS

Drive g: () (Removable) (Total:3.73 GB) (Free:3.71 GB) FAT32 (Disk=1 Partition=1)

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows Vista) (Size: 466 GB) (Disk ID: B0F93237)

Partition 1: (Not Active) - (Size=14 GB) - (Type=27)

Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=452 GB) - (Type=07 NTFS)

========================================================

Disk: 1 (Size: 4 GB) (Disk ID: 00000000)

Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)

Last Boot: 2013-05-24 02:36

==================== End Of Log ============================

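A small parser for the FRST entries posted above, with two triage checks: the $Recycle.Bin folder FRST itself labels as ZeroAccess, and the bare 8-hex-digit names that show up in the Fixlog later in the thread. This is an added example, not code from the thread, from FRST or from Malwarebytes; the entry layout, the ZeroAccess path pattern and the hex-name heuristic are my reading of the lines shown here, and the `2433f433` sample entry is constructed from a Fixlog path.

```python
# Triage helper for FRST scan-log entries like those posted above. Added example, not part of the
# thread, FRST or Malwarebytes; the entry layout, ZeroAccess pattern and hex heuristic are my assumptions.
import re
from collections import namedtuple

Entry = namedtuple("Entry", "created modified size attrs company path")
# "<created> - <modified> - <size> <attrs> [(Company)] <path>"; attrs look like ____D, ____A, ___HD
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{8}) ([_A-Z]{5}) (?:\(([^)]*)\) )?(.+)$"
)
# ZeroAccess marker as FRST prints it: '$' + 32 hex digits under a per-SID $Recycle.Bin folder.
ZA_RE = re.compile(r"^C:\\\$Recycle\.Bin\\S-1-5-[\d-]+\\\$[0-9a-f]{32}$", re.I)
# Heuristic: bare 8-hex-digit names in user-writable folders (the naming seen in the Fixlog).
HEX8_RE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|ProgramData|Documents)\\[0-9a-f]{8}(?:\.exe)?$", re.I)

def parse_entry(line):
    """Parse one FRST file/directory entry; return None for headers, blanks and marker lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, company, path = m.groups()
    return Entry(created, modified, int(size), attrs, company, path)

def triage(lines):
    """Return (entries, findings); findings are (path, reason) pairs that deserve a closer look."""
    entries, findings = [], []
    for raw in lines:
        line = raw.strip()
        if ZA_RE.match(line):
            findings.append((line, "ZeroAccess payload folder in $Recycle.Bin"))
        elif (entry := parse_entry(line)) is not None:
            entries.append(entry)
            if HEX8_RE.search(entry.path):
                findings.append((entry.path, "random 8-hex-digit name in user-writable location"))
    return entries, findings

# Sample input: lines from the log above plus one constructed entry using a path from the Fixlog.
SAMPLE_LOG = r"""
2013-05-05 13:36 - 2013-05-23 01:04 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-06 22:48 - 2012-12-19 10:58 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\AppData\Roaming\GameRanger
2013-05-24 02:30 - 2013-05-24 02:30 - 00000000 ____D C:\Users\DAKOTA PC WAREHOUSE\AppData\Local\2433f433
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$d0554ea973904af407d833e263f293bd
"""

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG.splitlines())[1], sep="\n")
```

Feed it a whole FRST.txt with `triage(open("FRST.txt", encoding="utf-8-sig"))` to get the same two findings over a real log; benign entries such as the GameRanger folder parse but produce no finding.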

Please read the following information first.

You're also infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

OK, here you go......this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: now please enter System Recovery Options (as you did before).

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now and if so..........

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


MrC


Thank you. I am able to post this from my computer now. I'm running the suggested anti-rootkit and also the standard Malwarebytes anti-malware scan now. I'll get back to you with the scan logs a little later.

Here's the fix log for now.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-05-2013 04

Ran by SYSTEM at 2013-05-27 09:53:33 Run:1

Running from G:\

Boot Mode: Recovery

==============================================

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.

HKEY_USERS\DAKOTA PC WAREHOUSE\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value deleted successfully.

HKEY_USERS\DAKOTA PC WAREHOUSE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.

C:\Users\DAKOTA PC WAREHOUSE\AppData\Local\2433f433 => Moved successfully.

C:\Users\DAKOTA PC WAREHOUSE\AppData\Roaming\2433f433 => Moved successfully.

C:\ProgramData\2433f433 => Moved successfully.

C:\Users\DAKOTA PC WAREHOUSE\Documents\53da51d4.exe => Moved successfully.

C:\$Recycle.Bin\S-1-5-18\$d0554ea973904af407d833e263f293bd\n. => File/Directory not found.

C:\$Recycle.Bin\S-1-5-21-2868031687-2542432534-128082859-1000\$d0554ea973904af407d833e263f293bd => Moved successfully.

C:\$Recycle.Bin\S-1-5-18\$d0554ea973904af407d833e263f293bd => Moved successfully.

==== End of Fixlog ====


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

