
FBI virus and just mouse pointer



I am trying to help someone that had become infected with the FBI virus. It looks like their system tried to remove the virus, but now when booting the system just shows a black screen with the white mouse pointer. This happens in normal boot mode and in all safe modes. I am attaching the output of FRST. Any help would be greatly appreciated!

 

The infected system is a Windows 7 Pro (32 bit?) system.

 

Steve

FRST.txt


Hello Steve and welcome! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
  • One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steals sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

    If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums, from a CLEAN COMPUTER. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

    Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.

    Please read:

    Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

    Please let us know how you would like to proceed.


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open Notepad and select Paste). Save it on the flashdrive as fixlist.txt

HKLM\...\InprocServer32: [Default-wbemess] ATTENTION! ====> ZeroAccess?
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess?
C:\Users\Kasson\AppData\Local\{e3e3c639-24ee-3529-8497-56c2059d9cae}
C:\Users\Kasson\AppData\Local\{e3e3c639-24ee-3529-8497-56c2059d9cae}\@
C:\Users\Kasson\jagex_cl_oldschool_LIVE.dat
C:\Users\Kasson\jagex_cl_runescape_LIVE.dat
C:\Users\Kasson\jagex_cl_runescape_LIVE1.dat
C:\Users\Kasson\jagex_runescape_preferences.dat
C:\Users\Kasson\jagex_runescape_preferences2.dat
C:\Users\Kasson\random.dat

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.


I performed that step, but still ended up with the same symptom of a black screen with a white mouse pointer when booting Windows (Safe mode or normal). Below is the contents of the fixlog.txt.

 

Steve

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-08-2013 02

Ran by SYSTEM at 2013-08-22 17:49:14 Run:1
Running from H:\
Boot Mode: Recovery
 
==============================================
 
Content of fixlist:
*****************
HKLM\...\InprocServer32: [Default-wbemess] ATTENTION! ====> ZeroAccess?
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess?
C:\Users\Kasson\AppData\Local\{e3e3c639-24ee-3529-8497-56c2059d9cae}
C:\Users\Kasson\AppData\Local\{e3e3c639-24ee-3529-8497-56c2059d9cae}\@
C:\Users\Kasson\jagex_cl_oldschool_LIVE.dat
C:\Users\Kasson\jagex_cl_runescape_LIVE.dat
C:\Users\Kasson\jagex_cl_runescape_LIVE1.dat
C:\Users\Kasson\jagex_runescape_preferences.dat
C:\Users\Kasson\jagex_runescape_preferences2.dat
C:\Users\Kasson\random.dat
*****************
 
HKLM\Software\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\Default => Value was restored successfully.
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
C:\Users\Kasson\AppData\Local\{e3e3c639-24ee-3529-8497-56c2059d9cae} => Moved successfully.
"C:\Users\Kasson\AppData\Local\{e3e3c639-24ee-3529-8497-56c2059d9cae}\@" => File/Directory not found.
C:\Users\Kasson\jagex_cl_oldschool_LIVE.dat => Moved successfully.
C:\Users\Kasson\jagex_cl_runescape_LIVE.dat => Moved successfully.
C:\Users\Kasson\jagex_cl_runescape_LIVE1.dat => Moved successfully.
C:\Users\Kasson\jagex_runescape_preferences.dat => Moved successfully.
C:\Users\Kasson\jagex_runescape_preferences2.dat => Moved successfully.
C:\Users\Kasson\random.dat => Moved successfully.
 
==== End of Fixlog ====

 


Here are the contents of a fresh FRST log file:

 

Steve

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-08-2013 02

Ran by SYSTEM on 22-08-2013 18:07:43
Running from H:\
Windows 7 Professional (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet002
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [QLBController] - C:\Program Files\Hewlett-Packard\HP HotKey Support\QLBController.exe [256056 2010-03-01] (Hewlett-Packard Company)
HKLM\...\Run: [iAStorIcon] - C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1791272 2010-06-03] (Synaptics Incorporated)
HKLM\...\Run: [File Sanitizer] - C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe [11265536 2009-12-11] (Hewlett-Packard)
HKLM\...\Run: [startCCC] - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-08-05] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [DTRun] - c:\Program Files\ArcSoft\TotalMedia Suite\TotalMedia Theatre 3\uDTRun.exe [518656 2009-11-18] (ArcSoft Inc.)
HKLM\...\Run: [bCSSync] - C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [sysTrayApp] - C:\Program Files\IDT\WDM\sttray.exe [495708 2011-07-22] (IDT, Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [HPWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-07-21] (Hewlett-Packard Company)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-09-27] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [421736 2011-11-12] (Apple Inc.)
HKLM\...\Run: [HPPowerAssistant] - C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe [2945080 2011-09-12] (Hewlett-Packard Company)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [947152 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [Zune Launcher] - C:\Program Files\Zune\ZuneLauncher.exe [159456 2011-08-05] (Microsoft Corporation)
Winlogon\Notify\DeviceNP: DeviceNP.dll (Hewlett-Packard Limited)
HKU\Kasson\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [ 2009-06-17] (Hewlett-Packard Company)
HKU\Kasson\...\Run: [EA Core] - C:\Program Files\Electronic Arts\EADM\Core.exe [ 2009-03-28] (Electronic Arts)
HKU\Kasson\...\Run: [NCsoft] -  [x]
Lsa: [Notification Packages] DPPassFilter scecli
 
========================== Services (Whitelisted) =================
 
S3 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S2 DpHost; C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe [300880 2010-07-16] (DigitalPersona, Inc.)
S3 FLCDLOCK; c:\Windows\system32\flcdlock.exe [362040 2009-11-17] (Hewlett-Packard Ltd)
S2 HP Power Assistant Service; C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [142904 2011-09-12] (Hewlett-Packard Company)
S2 HP ProtectTools Service; C:\Program Files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [32768 2010-10-19] (Hewlett-Packard Development Company, L.P)
S2 HP Wireless Assistant Service; C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [103992 2010-07-21] (Hewlett-Packard Company)
S2 HPDayStarterService; c:\Program Files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe [90112 2010-05-10] (Hewlett-Packard Company)
S2 HpFkCryptService; C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [281192 2010-02-01] (McAfee, Inc.)
S2 HPFSService; C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe [297984 2009-12-11] (Hewlett-Packard)
S2 hpHotkeyMonitor; C:\Program Files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [264248 2010-03-01] (Hewlett-Packard Company)
S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [399432 2012-09-07] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [676936 2012-09-07] (Malwarebytes Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] (Microsoft Corporation)
S2 PdiService; C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [113264 2011-03-16] (Portrait Displays, Inc.)
S2 STacSV; C:\Program Files\IDT\WDM\STacSV.exe [254034 2011-07-22] (IDT, Inc.)
S2 uArcCapture; C:\windows\system32\uArcCapture.exe [506472 2009-12-04] (ArcSoft, Inc.)
S2 vcsFPService; C:\windows\system32\vcsFPService.exe [1639728 2009-12-14] (Validity Sensors, Inc.)
S2 HitmanPro37CrusaderBoot; "D:\HitmanPro.exe" /crusader:boot [x]
 
==================== Drivers (Whitelisted) ====================
 
S3 Afc; C:\Windows\System32\drivers\Afc.sys [18688 2006-11-10] (Arcsoft, Inc.)
S3 ARCVCAM; C:\Windows\System32\DRIVERS\ArcSoftVCapture.sys [29824 2009-12-04] (ArcSoft, Inc.)
S0 CLFS; C:\Windows\System32\CLFS.sys [249408 2009-07-13] (Microsoft Corporation)
S3 cur_bus; C:\Windows\System32\DRIVERS\cur_bus.sys [57744 2005-07-19] (MCCI)
S3 cur_mdfl; C:\Windows\System32\DRIVERS\cur_mdfl.sys [8336 2005-07-19] (MCCI)
S3 cur_mdm; C:\Windows\System32\DRIVERS\cur_mdm.sys [93328 2005-07-19] (MCCI)
S3 cur_serd; C:\Windows\System32\DRIVERS\cur_serd.sys [73152 2005-07-19] (MCCI)
S3 DAMDrv; C:\Windows\System32\DRIVERS\DAMDrv.sys [32312 2009-10-21] (Hewlett-Packard Development Company L.P.)
S3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [22856 2012-09-07] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S1 RsvLock; C:\Windows\System32\Drivers\RsvLock.sys [40088 2010-02-01] (McAfee, Inc.)
S3 rtsuvc; C:\Windows\System32\DRIVERS\rtsuvc.sys [78848 2010-05-20] (Realtek Semiconductor Corp.)
S0 SafeBoot; C:\Windows\System32\Drivers\SafeBoot.sys [110520 2010-02-01] (McAfee, Inc.)
S0 SbAlg; C:\Windows\System32\Drivers\SbAlg.sys [51800 2010-02-01] (McAfee, Inc.)
S0 SbFsLock; C:\Windows\System32\Drivers\SbFsLock.sys [13256 2010-02-01] (McAfee, Inc.)
S3 vpcbus; C:\Windows\System32\DRIVERS\vpchbus.sys [172416 2010-11-20] (Microsoft Corporation)
S1 vpcnfltr; C:\Windows\System32\DRIVERS\vpcnfltr.sys [48128 2010-11-20] (Microsoft Corporation)
S3 vpcusb; C:\Windows\System32\DRIVERS\vpcusb.sys [78336 2010-11-20] (Microsoft Corporation)
S1 vpcvmm; C:\Windows\System32\drivers\vpcvmm.sys [296064 2010-11-20] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-08-22 03:27 - 2013-08-22 03:27 - 00012872 _____ (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2013-08-22 03:27 - 2013-08-22 03:27 - 00000930 _____ C:\Windows\System32\.crusader
2013-08-22 03:10 - 2013-08-22 03:27 - 00000000 ____D C:\ProgramData\HitmanPro
2013-08-21 10:04 - 2013-08-21 10:04 - 00003288 ____N C:\bootsqm.dat
2013-08-21 10:03 - 2013-08-21 10:03 - 00000000 __SHD C:\found.000
2013-08-20 09:54 - 2013-08-20 09:54 - 17139080 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2013-08-20 06:58 - 2013-08-20 06:58 - 02250054 _____ C:\ProgramData\1.bmp
2013-08-16 05:31 - 2013-07-25 19:13 - 01767936 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-08-16 05:31 - 2013-07-25 19:13 - 01141248 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-08-16 05:31 - 2013-07-25 19:13 - 00042496 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-08-16 05:31 - 2013-07-25 19:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-08-16 05:31 - 2013-07-25 19:11 - 13761024 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-08-16 05:31 - 2013-07-25 19:11 - 00033280 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-08-16 05:31 - 2013-07-25 18:49 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-08-16 05:31 - 2013-07-25 17:59 - 00071680 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-08-15 03:45 - 2013-07-25 00:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-08-15 03:45 - 2013-07-18 17:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\tzres.dll
2013-08-15 03:45 - 2013-07-08 21:03 - 03968960 _____ (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-08-15 03:45 - 2013-07-08 21:03 - 03913664 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-08-15 03:45 - 2013-07-08 20:53 - 01289096 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2013-08-15 03:45 - 2013-07-08 20:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2013-08-15 03:45 - 2013-07-08 20:50 - 00652800 _____ (Microsoft Corporation) C:\Windows\System32\rpcrt4.dll
2013-08-15 03:45 - 2013-07-08 20:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-08-15 03:45 - 2013-07-08 20:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-08-15 03:45 - 2013-07-08 20:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-08-15 03:45 - 2013-07-05 21:05 - 01293760 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-08-15 03:45 - 2013-06-14 19:38 - 00031232 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tssecsrv.sys
2013-07-27 02:51 - 2013-08-16 05:38 - 00000000 ____D C:\Windows\System32\MRT
 
==================== One Month Modified Files and Folders =======
 
2013-08-22 17:49 - 2011-03-31 12:23 - 00000000 ____D C:\users\Kasson
2013-08-22 13:58 - 2009-07-13 20:34 - 00020944 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-22 13:58 - 2009-07-13 20:34 - 00020944 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-22 13:53 - 2011-03-06 16:29 - 01721635 _____ C:\Windows\WindowsUpdate.log
2013-08-22 13:50 - 2010-12-08 12:42 - 00000000 ____D C:\ProgramData\HPQLOG
2013-08-22 07:39 - 2013-08-22 07:39 - 00000000 ____D C:\FRST
2013-08-22 03:27 - 2013-08-22 03:27 - 00012872 _____ (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2013-08-22 03:27 - 2013-08-22 03:27 - 00000930 _____ C:\Windows\System32\.crusader
2013-08-22 03:27 - 2013-08-22 03:10 - 00000000 ____D C:\ProgramData\HitmanPro
2013-08-21 10:04 - 2013-08-21 10:04 - 00003288 ____N C:\bootsqm.dat
2013-08-21 10:03 - 2013-08-21 10:03 - 00000000 __SHD C:\found.000
2013-08-21 09:49 - 2011-08-03 06:34 - 00000000 ____D C:\Program Files\Inbox Toolbar
2013-08-20 09:54 - 2013-08-20 09:54 - 17139080 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2013-08-20 09:54 - 2012-06-29 11:20 - 00692104 _____ C:\Windows\System32\FlashPlayerApp.exe
2013-08-20 09:54 - 2011-05-22 10:03 - 00071048 _____ C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-08-20 09:52 - 2009-07-13 20:39 - 00092424 _____ C:\Windows\setupact.log
2013-08-20 06:58 - 2013-08-20 06:58 - 02250054 _____ C:\ProgramData\1.bmp
2013-08-17 12:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2013-08-16 12:20 - 2010-12-08 12:48 - 00726444 _____ C:\Windows\System32\PerfStringBackup.INI
2013-08-16 08:15 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-08-16 05:38 - 2013-07-27 02:51 - 00000000 ____D C:\Windows\System32\MRT
2013-08-16 05:35 - 2011-04-04 08:52 - 75778376 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-08-16 05:32 - 2011-11-03 07:09 - 00000000 _____ C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-08-16 05:32 - 2011-04-06 04:33 - 00000052 _____ C:\Windows\System32\DOErrors.log
2013-08-14 15:32 - 2012-03-03 04:52 - 00000000 ____D C:\Users\Kasson\Documents\Outlook Files
2013-08-10 06:50 - 2011-08-03 06:35 - 00000000 ____D C:\Program Files\AppGraffiti
2013-08-08 14:50 - 2011-04-04 12:35 - 00000000 ___RD C:\Users\Kasson\Documents\josiah
2013-07-28 03:12 - 2011-04-04 12:36 - 00000000 ____D C:\Users\Kasson\Documents\Laura
2013-07-25 19:13 - 2013-08-16 05:31 - 01767936 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-07-25 19:13 - 2013-08-16 05:31 - 01141248 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-07-25 19:13 - 2013-08-16 05:31 - 00042496 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-07-25 19:12 - 2013-08-16 05:31 - 14329344 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 02877440 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 02048512 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 00690688 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 00493056 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 00391168 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 00109056 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 00061440 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-07-25 19:11 - 2013-08-16 05:31 - 13761024 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-07-25 19:11 - 2013-08-16 05:31 - 00033280 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-07-25 18:49 - 2013-08-16 05:31 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-07-25 17:59 - 2013-08-16 05:31 - 00071680 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-07-25 00:57 - 2013-08-15 03:45 - 01620992 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-07-23 18:54 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon:  <===== ATTENTION!
HKLM\...\exefile\open\command:  <===== ATTENTION!
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 15%
Total physical RAM: 2991.43 MB
Available physical RAM: 2513.89 MB
Total Pagefile: 2989.71 MB
Available Pagefile: 2517.96 MB
Total Virtual: 2047.88 MB
Available Virtual: 1939.21 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:215.6 GB) (Free:89.28 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive e: (HP_RECOVERY) (Fixed) (Total:15 GB) (Free:4.05 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive f: (HP_TOOLS) (Fixed) (Total:1.99 GB) (Free:1.48 GB) FAT32
Drive h: (HITMANPRO) (Removable) (Total:0.95 GB) (Free:0.94 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.29 GB) (Free:0.25 GB) NTFS ==>[system with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: 737A571F)
Partition 1: (Active) - (Size=300 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=216 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=2 GB) - (Type=0C)
 
========================================================
Disk: 1 (Size: 983 MB) (Disk ID: 694F7702)
Partition 1: (Active) - (Size=981 MB) - (Type=0B)
 
 
LastRegBack: 2013-08-13 10:09
 
==================== End Of Log ============================

 


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open Notepad and select Paste). Save it on the flashdrive as fixlist.txt

HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.

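The fixlist-and-Fixlog cycle the helper walks through in both fix posts above (copy the lines FRST marked ATTENTION into fixlist.txt, run the Fix from System Recovery Options, read back Fixlog.txt), as an added Python example. This is not FRST's code and not something any participant in the thread posted. The sample scan and Fixlog text embedded in it is constructed from fragments shown earlier in this thread; the AppData\Local\{GUID} folder pattern it looks for is the one the helper's own fixlist entries above remove, and the names of all functions are my own.

```python
# Triage helper for Farbar Recovery Scan Tool (FRST) logs. Added example for
# this thread, not part of FRST or of the helper's instructions. It automates
# the two manual steps shown above: (1) turn the ATTENTION lines of a scan
# log into a fixlist.txt body, adding the AppData\Local\{GUID} folder and its
# "@" file that the thread's fixlist removes; (2) parse Fixlog.txt and report
# what was fixed, what was not found and what failed.
# All log text below is constructed from fragments posted in the thread.
import re
from dataclasses import dataclass

SAMPLE_SCAN_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-08-2013 02
Boot Mode: Recovery
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================
HKLM\...\InprocServer32: [Default-wbemess] ATTENTION! ====> ZeroAccess?
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess?

==================== One Month Created Files and Folders ========
2013-08-20 06:58 - 2013-08-20 06:58 - 00000000 ____D C:\Users\Kasson\AppData\Local\{e3e3c639-24ee-3529-8497-56c2059d9cae}
2013-08-22 03:10 - 2013-08-22 03:27 - 00000000 ____D C:\ProgramData\HitmanPro

==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon:  <===== ATTENTION!
HKLM\...\exefile\open\command:  <===== ATTENTION!
"""

SAMPLE_FIXLOG = r"""
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-08-2013 02
Ran by SYSTEM at 2013-08-22 17:49:14 Run:1
Boot Mode: Recovery

Content of fixlist:
*****************
HKLM\...\InprocServer32: [Default-wbemess] ATTENTION! ====> ZeroAccess?
C:\Users\Kasson\AppData\Local\{e3e3c639-24ee-3529-8497-56c2059d9cae}
C:\Users\Kasson\AppData\Local\{e3e3c639-24ee-3529-8497-56c2059d9cae}\@
*****************

HKLM\Software\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\Default => Value was restored successfully.
C:\Users\Kasson\AppData\Local\{e3e3c639-24ee-3529-8497-56c2059d9cae} => Moved successfully.
"C:\Users\Kasson\AppData\Local\{e3e3c639-24ee-3529-8497-56c2059d9cae}\@" => File/Directory not found.

==== End of Fixlog ====
"""

# The folder FRST lists for this infection: <profile>\AppData\Local\{GUID}.
ZA_DIR_RE = re.compile(
    r"(C:\\Users\\[^\\]+\\AppData\\Local\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})\s*$",
    re.I)
# One Fixlog result line: <target> => <result>.  Targets may be quoted.
RESULT_RE = re.compile(r'^"?(?P<target>.+?)"? => (?P<result>.+?)\.?$')


def flagged_lines(scan_log: str) -> list[str]:
    """Lines FRST marked ATTENTION, verbatim (FRST accepts them as-is in fixlist.txt).
    The banner that itself starts with "ATTENTION!:" is advice, not an item."""
    return [ln.rstrip() for ln in scan_log.splitlines()
            if "ATTENTION" in ln and not ln.lstrip().startswith("ATTENTION")]


def zeroaccess_dirs(scan_log: str) -> list[str]:
    """Distinct {GUID} folders; FRST lists a folder under both the Created and
    the Modified section, so de-duplicate while keeping order."""
    hits = [m.group(1) for ln in scan_log.splitlines() if (m := ZA_DIR_RE.search(ln))]
    return list(dict.fromkeys(hits))


def build_fixlist(scan_log: str) -> str:
    """fixlist.txt body in the shape the helper posted: flagged lines first,
    then the payload folder and its "@" file."""
    entries = flagged_lines(scan_log)
    for d in zeroaccess_dirs(scan_log):
        entries += [d, d + "\\@"]
    return "\n".join(entries) + "\n"


@dataclass
class FixResult:
    target: str
    result: str
    ok: bool


def parse_fixlog(fixlog: str) -> list[FixResult]:
    """Result lines follow the second row of asterisks; the echoed fixlist
    between the two rows is skipped so it is not mistaken for results."""
    results, star_rows = [], 0
    for ln in fixlog.splitlines():
        if ln.startswith("*****"):
            star_rows += 1
            continue
        if star_rows < 2:
            continue
        if m := RESULT_RE.match(ln.strip()):
            results.append(FixResult(m["target"], m["result"], "successfully" in m["result"]))
    return results


def summarize(results: list[FixResult]) -> dict[str, list[str]]:
    """Group targets by outcome.  A "not found" for the "@" file right after its
    parent folder was moved is expected: the move already took the file along."""
    out: dict[str, list[str]] = {"fixed": [], "not_found": [], "failed": []}
    for r in results:
        key = "fixed" if r.ok else "not_found" if "not found" in r.result.lower() else "failed"
        out[key].append(r.target)
    return out


if __name__ == "__main__":
    print(build_fixlist(SAMPLE_SCAN_LOG))
    for r in parse_fixlog(SAMPLE_FIXLOG):
        print(("OK   " if r.ok else "WARN ") + r.target + " -> " + r.result)
```

The output of build_fixlist is a draft for a person to review, not something to run unattended: the helper's NOTICE that a fixlist is written for one machine still applies, and FRST acts on whatever lines it is handed. In the summary, a File/Directory not found for the @ entry immediately after its parent folder reports Moved successfully is the same outcome the thread's first Fixlog shows and is not a failed fix; a not-found result for a registry value or a file that was never moved is the case worth a second look.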

I performed that step, but still ended up with the same symptom of a black screen with a white mouse pointer when booting Windows (Safe mode or normal).

 

Here are the contents of the fixlog.txt file:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-08-2013 02

Ran by SYSTEM at 2013-08-22 18:28:14 Run:2
Running from H:\
Boot Mode: Recovery
 
==============================================
 
Content of fixlist:
*****************
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!
*****************
 
HKLM\Software\Classes\exefile\DefaultIcon\\Default => Value was restored successfully.
HKLM\Software\Classes\exefile\shell\open\command\\Default => Value was restored successfully.
 
==== End of Fixlog ====

 

Here are the contents of a fresh FRST log file:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-08-2013 02

Ran by SYSTEM on 22-08-2013 18:33:55
Running from H:\
Windows 7 Professional (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet002
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [QLBController] - C:\Program Files\Hewlett-Packard\HP HotKey Support\QLBController.exe [256056 2010-03-01] (Hewlett-Packard Company)
HKLM\...\Run: [iAStorIcon] - C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1791272 2010-06-03] (Synaptics Incorporated)
HKLM\...\Run: [File Sanitizer] - C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe [11265536 2009-12-11] (Hewlett-Packard)
HKLM\...\Run: [startCCC] - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-08-05] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [DTRun] - c:\Program Files\ArcSoft\TotalMedia Suite\TotalMedia Theatre 3\uDTRun.exe [518656 2009-11-18] (ArcSoft Inc.)
HKLM\...\Run: [bCSSync] - C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [sysTrayApp] - C:\Program Files\IDT\WDM\sttray.exe [495708 2011-07-22] (IDT, Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [HPWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-07-21] (Hewlett-Packard Company)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-09-27] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [421736 2011-11-12] (Apple Inc.)
HKLM\...\Run: [HPPowerAssistant] - C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe [2945080 2011-09-12] (Hewlett-Packard Company)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [947152 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [Zune Launcher] - C:\Program Files\Zune\ZuneLauncher.exe [159456 2011-08-05] (Microsoft Corporation)
Winlogon\Notify\DeviceNP: DeviceNP.dll (Hewlett-Packard Limited)
HKU\Kasson\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [ 2009-06-17] (Hewlett-Packard Company)
HKU\Kasson\...\Run: [EA Core] - C:\Program Files\Electronic Arts\EADM\Core.exe [ 2009-03-28] (Electronic Arts)
HKU\Kasson\...\Run: [NCsoft] -  [x]
Lsa: [Notification Packages] DPPassFilter scecli
 
========================== Services (Whitelisted) =================
 
S3 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S2 DpHost; C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe [300880 2010-07-16] (DigitalPersona, Inc.)
S3 FLCDLOCK; c:\Windows\system32\flcdlock.exe [362040 2009-11-17] (Hewlett-Packard Ltd)
S2 HP Power Assistant Service; C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [142904 2011-09-12] (Hewlett-Packard Company)
S2 HP ProtectTools Service; C:\Program Files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [32768 2010-10-19] (Hewlett-Packard Development Company, L.P)
S2 HP Wireless Assistant Service; C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [103992 2010-07-21] (Hewlett-Packard Company)
S2 HPDayStarterService; c:\Program Files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe [90112 2010-05-10] (Hewlett-Packard Company)
S2 HpFkCryptService; C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [281192 2010-02-01] (McAfee, Inc.)
S2 HPFSService; C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe [297984 2009-12-11] (Hewlett-Packard)
S2 hpHotkeyMonitor; C:\Program Files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [264248 2010-03-01] (Hewlett-Packard Company)
S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [399432 2012-09-07] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [676936 2012-09-07] (Malwarebytes Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] (Microsoft Corporation)
S2 PdiService; C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [113264 2011-03-16] (Portrait Displays, Inc.)
S2 STacSV; C:\Program Files\IDT\WDM\STacSV.exe [254034 2011-07-22] (IDT, Inc.)
S2 uArcCapture; C:\windows\system32\uArcCapture.exe [506472 2009-12-04] (ArcSoft, Inc.)
S2 vcsFPService; C:\windows\system32\vcsFPService.exe [1639728 2009-12-14] (Validity Sensors, Inc.)
S2 HitmanPro37CrusaderBoot; "D:\HitmanPro.exe" /crusader:boot [x]
 
==================== Drivers (Whitelisted) ====================
 
S3 Afc; C:\Windows\System32\drivers\Afc.sys [18688 2006-11-10] (Arcsoft, Inc.)
S3 ARCVCAM; C:\Windows\System32\DRIVERS\ArcSoftVCapture.sys [29824 2009-12-04] (ArcSoft, Inc.)
S0 CLFS; C:\Windows\System32\CLFS.sys [249408 2009-07-13] (Microsoft Corporation)
S3 cur_bus; C:\Windows\System32\DRIVERS\cur_bus.sys [57744 2005-07-19] (MCCI)
S3 cur_mdfl; C:\Windows\System32\DRIVERS\cur_mdfl.sys [8336 2005-07-19] (MCCI)
S3 cur_mdm; C:\Windows\System32\DRIVERS\cur_mdm.sys [93328 2005-07-19] (MCCI)
S3 cur_serd; C:\Windows\System32\DRIVERS\cur_serd.sys [73152 2005-07-19] (MCCI)
S3 DAMDrv; C:\Windows\System32\DRIVERS\DAMDrv.sys [32312 2009-10-21] (Hewlett-Packard Development Company L.P.)
S3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [22856 2012-09-07] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S1 RsvLock; C:\Windows\System32\Drivers\RsvLock.sys [40088 2010-02-01] (McAfee, Inc.)
S3 rtsuvc; C:\Windows\System32\DRIVERS\rtsuvc.sys [78848 2010-05-20] (Realtek Semiconductor Corp.)
S0 SafeBoot; C:\Windows\System32\Drivers\SafeBoot.sys [110520 2010-02-01] (McAfee, Inc.)
S0 SbAlg; C:\Windows\System32\Drivers\SbAlg.sys [51800 2010-02-01] (McAfee, Inc.)
S0 SbFsLock; C:\Windows\System32\Drivers\SbFsLock.sys [13256 2010-02-01] (McAfee, Inc.)
S3 vpcbus; C:\Windows\System32\DRIVERS\vpchbus.sys [172416 2010-11-20] (Microsoft Corporation)
S1 vpcnfltr; C:\Windows\System32\DRIVERS\vpcnfltr.sys [48128 2010-11-20] (Microsoft Corporation)
S3 vpcusb; C:\Windows\System32\DRIVERS\vpcusb.sys [78336 2010-11-20] (Microsoft Corporation)
S1 vpcvmm; C:\Windows\System32\drivers\vpcvmm.sys [296064 2010-11-20] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-08-22 03:27 - 2013-08-22 03:27 - 00012872 _____ (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2013-08-22 03:27 - 2013-08-22 03:27 - 00000930 _____ C:\Windows\System32\.crusader
2013-08-22 03:10 - 2013-08-22 03:27 - 00000000 ____D C:\ProgramData\HitmanPro
2013-08-21 10:04 - 2013-08-21 10:04 - 00003288 ____N C:\bootsqm.dat
2013-08-21 10:03 - 2013-08-21 10:03 - 00000000 __SHD C:\found.000
2013-08-20 09:54 - 2013-08-20 09:54 - 17139080 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2013-08-20 06:58 - 2013-08-20 06:58 - 02250054 _____ C:\ProgramData\1.bmp
2013-08-16 05:31 - 2013-07-25 19:13 - 01767936 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-08-16 05:31 - 2013-07-25 19:13 - 01141248 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-08-16 05:31 - 2013-07-25 19:13 - 00042496 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-08-16 05:31 - 2013-07-25 19:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-08-16 05:31 - 2013-07-25 19:11 - 13761024 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-08-16 05:31 - 2013-07-25 19:11 - 00033280 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-08-16 05:31 - 2013-07-25 18:49 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-08-16 05:31 - 2013-07-25 17:59 - 00071680 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-08-15 03:45 - 2013-07-25 00:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-08-15 03:45 - 2013-07-18 17:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\tzres.dll
2013-08-15 03:45 - 2013-07-08 21:03 - 03968960 _____ (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-08-15 03:45 - 2013-07-08 21:03 - 03913664 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-08-15 03:45 - 2013-07-08 20:53 - 01289096 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2013-08-15 03:45 - 2013-07-08 20:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2013-08-15 03:45 - 2013-07-08 20:50 - 00652800 _____ (Microsoft Corporation) C:\Windows\System32\rpcrt4.dll
2013-08-15 03:45 - 2013-07-08 20:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-08-15 03:45 - 2013-07-08 20:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-08-15 03:45 - 2013-07-08 20:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-08-15 03:45 - 2013-07-05 21:05 - 01293760 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-08-15 03:45 - 2013-06-14 19:38 - 00031232 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tssecsrv.sys
2013-07-27 02:51 - 2013-08-16 05:38 - 00000000 ____D C:\Windows\System32\MRT
 
==================== One Month Modified Files and Folders =======
 
2013-08-22 17:49 - 2011-03-31 12:23 - 00000000 ____D C:\users\Kasson
2013-08-22 14:31 - 2011-03-06 16:29 - 01723022 _____ C:\Windows\WindowsUpdate.log
2013-08-22 14:29 - 2010-12-08 12:42 - 00000000 ____D C:\ProgramData\HPQLOG
2013-08-22 13:58 - 2009-07-13 20:34 - 00020944 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-22 13:58 - 2009-07-13 20:34 - 00020944 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-22 07:39 - 2013-08-22 07:39 - 00000000 ____D C:\FRST
2013-08-22 03:27 - 2013-08-22 03:27 - 00012872 _____ (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2013-08-22 03:27 - 2013-08-22 03:27 - 00000930 _____ C:\Windows\System32\.crusader
2013-08-22 03:27 - 2013-08-22 03:10 - 00000000 ____D C:\ProgramData\HitmanPro
2013-08-21 10:04 - 2013-08-21 10:04 - 00003288 ____N C:\bootsqm.dat
2013-08-21 10:03 - 2013-08-21 10:03 - 00000000 __SHD C:\found.000
2013-08-21 09:49 - 2011-08-03 06:34 - 00000000 ____D C:\Program Files\Inbox Toolbar
2013-08-20 09:54 - 2013-08-20 09:54 - 17139080 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2013-08-20 09:54 - 2012-06-29 11:20 - 00692104 _____ C:\Windows\System32\FlashPlayerApp.exe
2013-08-20 09:54 - 2011-05-22 10:03 - 00071048 _____ C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-08-20 09:52 - 2009-07-13 20:39 - 00092424 _____ C:\Windows\setupact.log
2013-08-20 06:58 - 2013-08-20 06:58 - 02250054 _____ C:\ProgramData\1.bmp
2013-08-17 12:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2013-08-16 12:20 - 2010-12-08 12:48 - 00726444 _____ C:\Windows\System32\PerfStringBackup.INI
2013-08-16 08:15 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-08-16 05:38 - 2013-07-27 02:51 - 00000000 ____D C:\Windows\System32\MRT
2013-08-16 05:35 - 2011-04-04 08:52 - 75778376 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-08-16 05:32 - 2011-11-03 07:09 - 00000000 _____ C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-08-16 05:32 - 2011-04-06 04:33 - 00000052 _____ C:\Windows\System32\DOErrors.log
2013-08-14 15:32 - 2012-03-03 04:52 - 00000000 ____D C:\Users\Kasson\Documents\Outlook Files
2013-08-10 06:50 - 2011-08-03 06:35 - 00000000 ____D C:\Program Files\AppGraffiti
2013-08-08 14:50 - 2011-04-04 12:35 - 00000000 ___RD C:\Users\Kasson\Documents\josiah
2013-07-28 03:12 - 2011-04-04 12:36 - 00000000 ____D C:\Users\Kasson\Documents\Laura
2013-07-25 19:13 - 2013-08-16 05:31 - 01767936 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-07-25 19:13 - 2013-08-16 05:31 - 01141248 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-07-25 19:13 - 2013-08-16 05:31 - 00042496 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-07-25 19:12 - 2013-08-16 05:31 - 14329344 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 02877440 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 02048512 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 00690688 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 00493056 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 00391168 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 00109056 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 00061440 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-07-25 19:11 - 2013-08-16 05:31 - 13761024 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-07-25 19:11 - 2013-08-16 05:31 - 00033280 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-07-25 18:49 - 2013-08-16 05:31 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-07-25 17:59 - 2013-08-16 05:31 - 00071680 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-07-25 00:57 - 2013-08-15 03:45 - 01620992 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-07-23 18:54 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 15%
Total physical RAM: 2991.43 MB
Available physical RAM: 2512.8 MB
Total Pagefile: 2989.71 MB
Available Pagefile: 2516.79 MB
Total Virtual: 2047.88 MB
Available Virtual: 1931.21 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:215.6 GB) (Free:89.23 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive e: (HP_RECOVERY) (Fixed) (Total:15 GB) (Free:4.05 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive f: (HP_TOOLS) (Fixed) (Total:1.99 GB) (Free:1.48 GB) FAT32
Drive h: (HITMANPRO) (Removable) (Total:0.95 GB) (Free:0.94 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.29 GB) (Free:0.25 GB) NTFS ==>[system with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: 737A571F)
Partition 1: (Active) - (Size=300 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=216 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=2 GB) - (Type=0C)
 
========================================================
Disk: 1 (Size: 983 MB) (Disk ID: 694F7702)
Partition 1: (Active) - (Size=981 MB) - (Type=0B)
 
 
LastRegBack: 2013-08-13 10:09
 
==================== End Of Log ============================

 


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open Notepad and select Paste). Save it on the flashdrive as fixlist.txt

S2 HitmanPro37CrusaderBoot; "D:\HitmanPro.exe" /crusader:boot [x]
2013-08-21 09:49 - 2011-08-03 06:34 - 00000000 ____D C:\Program Files\Inbox Toolbar

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


I performed that step, but still ended up with the same symptom of a black screen with a white mouse pointer when booting Windows (Safe mode or normal).

 

Here are the contents of fixlog.txt:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-08-2013 02

Ran by SYSTEM at 2013-08-23 11:01:23 Run:3
Running from H:\
Boot Mode: Recovery
 
==============================================
 
Content of fixlist:
*****************
S2 HitmanPro37CrusaderBoot; "D:\HitmanPro.exe" /crusader:boot [x]
2013-08-21 09:49 - 2011-08-03 06:34 - 00000000 ____D C:\Program Files\Inbox Toolbar
*****************
 
HitmanPro37CrusaderBoot => Service deleted successfully.
C:\Program Files\Inbox Toolbar => Moved successfully.
 
==== End of Fixlog ====

 

Here are the contents of a fresh FRST:

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-08-2013 02

Ran by SYSTEM on 23-08-2013 11:01:34
Running from H:\
Windows 7 Professional (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet002
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [QLBController] - C:\Program Files\Hewlett-Packard\HP HotKey Support\QLBController.exe [256056 2010-03-01] (Hewlett-Packard Company)
HKLM\...\Run: [iAStorIcon] - C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1791272 2010-06-03] (Synaptics Incorporated)
HKLM\...\Run: [File Sanitizer] - C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe [11265536 2009-12-11] (Hewlett-Packard)
HKLM\...\Run: [startCCC] - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-08-05] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [DTRun] - c:\Program Files\ArcSoft\TotalMedia Suite\TotalMedia Theatre 3\uDTRun.exe [518656 2009-11-18] (ArcSoft Inc.)
HKLM\...\Run: [bCSSync] - C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [sysTrayApp] - C:\Program Files\IDT\WDM\sttray.exe [495708 2011-07-22] (IDT, Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [HPWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-07-21] (Hewlett-Packard Company)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-09-27] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [421736 2011-11-12] (Apple Inc.)
HKLM\...\Run: [HPPowerAssistant] - C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe [2945080 2011-09-12] (Hewlett-Packard Company)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [947152 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [Zune Launcher] - C:\Program Files\Zune\ZuneLauncher.exe [159456 2011-08-05] (Microsoft Corporation)
Winlogon\Notify\DeviceNP: DeviceNP.dll (Hewlett-Packard Limited)
HKU\Kasson\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [ 2009-06-17] (Hewlett-Packard Company)
HKU\Kasson\...\Run: [EA Core] - C:\Program Files\Electronic Arts\EADM\Core.exe [ 2009-03-28] (Electronic Arts)
HKU\Kasson\...\Run: [NCsoft] -  [x]
Lsa: [Notification Packages] DPPassFilter scecli
 
========================== Services (Whitelisted) =================
 
S3 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S2 DpHost; C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe [300880 2010-07-16] (DigitalPersona, Inc.)
S3 FLCDLOCK; c:\Windows\system32\flcdlock.exe [362040 2009-11-17] (Hewlett-Packard Ltd)
S2 HP Power Assistant Service; C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [142904 2011-09-12] (Hewlett-Packard Company)
S2 HP ProtectTools Service; C:\Program Files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [32768 2010-10-19] (Hewlett-Packard Development Company, L.P)
S2 HP Wireless Assistant Service; C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [103992 2010-07-21] (Hewlett-Packard Company)
S2 HPDayStarterService; c:\Program Files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe [90112 2010-05-10] (Hewlett-Packard Company)
S2 HpFkCryptService; C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [281192 2010-02-01] (McAfee, Inc.)
S2 HPFSService; C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe [297984 2009-12-11] (Hewlett-Packard)
S2 hpHotkeyMonitor; C:\Program Files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [264248 2010-03-01] (Hewlett-Packard Company)
S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [399432 2012-09-07] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [676936 2012-09-07] (Malwarebytes Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] (Microsoft Corporation)
S2 PdiService; C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [113264 2011-03-16] (Portrait Displays, Inc.)
S2 STacSV; C:\Program Files\IDT\WDM\STacSV.exe [254034 2011-07-22] (IDT, Inc.)
S2 uArcCapture; C:\windows\system32\uArcCapture.exe [506472 2009-12-04] (ArcSoft, Inc.)
S2 vcsFPService; C:\windows\system32\vcsFPService.exe [1639728 2009-12-14] (Validity Sensors, Inc.)
 
==================== Drivers (Whitelisted) ====================
 
S3 Afc; C:\Windows\System32\drivers\Afc.sys [18688 2006-11-10] (Arcsoft, Inc.)
S3 ARCVCAM; C:\Windows\System32\DRIVERS\ArcSoftVCapture.sys [29824 2009-12-04] (ArcSoft, Inc.)
S0 CLFS; C:\Windows\System32\CLFS.sys [249408 2009-07-13] (Microsoft Corporation)
S3 cur_bus; C:\Windows\System32\DRIVERS\cur_bus.sys [57744 2005-07-19] (MCCI)
S3 cur_mdfl; C:\Windows\System32\DRIVERS\cur_mdfl.sys [8336 2005-07-19] (MCCI)
S3 cur_mdm; C:\Windows\System32\DRIVERS\cur_mdm.sys [93328 2005-07-19] (MCCI)
S3 cur_serd; C:\Windows\System32\DRIVERS\cur_serd.sys [73152 2005-07-19] (MCCI)
S3 DAMDrv; C:\Windows\System32\DRIVERS\DAMDrv.sys [32312 2009-10-21] (Hewlett-Packard Development Company L.P.)
S3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [22856 2012-09-07] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S1 RsvLock; C:\Windows\System32\Drivers\RsvLock.sys [40088 2010-02-01] (McAfee, Inc.)
S3 rtsuvc; C:\Windows\System32\DRIVERS\rtsuvc.sys [78848 2010-05-20] (Realtek Semiconductor Corp.)
S0 SafeBoot; C:\Windows\System32\Drivers\SafeBoot.sys [110520 2010-02-01] (McAfee, Inc.)
S0 SbAlg; C:\Windows\System32\Drivers\SbAlg.sys [51800 2010-02-01] (McAfee, Inc.)
S0 SbFsLock; C:\Windows\System32\Drivers\SbFsLock.sys [13256 2010-02-01] (McAfee, Inc.)
S3 vpcbus; C:\Windows\System32\DRIVERS\vpchbus.sys [172416 2010-11-20] (Microsoft Corporation)
S1 vpcnfltr; C:\Windows\System32\DRIVERS\vpcnfltr.sys [48128 2010-11-20] (Microsoft Corporation)
S3 vpcusb; C:\Windows\System32\DRIVERS\vpcusb.sys [78336 2010-11-20] (Microsoft Corporation)
S1 vpcvmm; C:\Windows\System32\drivers\vpcvmm.sys [296064 2010-11-20] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-08-22 03:27 - 2013-08-22 03:27 - 00012872 _____ (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2013-08-22 03:27 - 2013-08-22 03:27 - 00000930 _____ C:\Windows\System32\.crusader
2013-08-22 03:10 - 2013-08-22 03:27 - 00000000 ____D C:\ProgramData\HitmanPro
2013-08-21 10:04 - 2013-08-21 10:04 - 00003288 ____N C:\bootsqm.dat
2013-08-21 10:03 - 2013-08-21 10:03 - 00000000 __SHD C:\found.000
2013-08-20 09:54 - 2013-08-20 09:54 - 17139080 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2013-08-20 06:58 - 2013-08-20 06:58 - 02250054 _____ C:\ProgramData\1.bmp
2013-08-16 05:31 - 2013-07-25 19:13 - 01767936 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-08-16 05:31 - 2013-07-25 19:13 - 01141248 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-08-16 05:31 - 2013-07-25 19:13 - 00042496 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-08-16 05:31 - 2013-07-25 19:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-08-16 05:31 - 2013-07-25 19:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-08-16 05:31 - 2013-07-25 19:11 - 13761024 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-08-16 05:31 - 2013-07-25 19:11 - 00033280 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-08-16 05:31 - 2013-07-25 18:49 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-08-16 05:31 - 2013-07-25 17:59 - 00071680 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-08-15 03:45 - 2013-07-25 00:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-08-15 03:45 - 2013-07-18 17:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\tzres.dll
2013-08-15 03:45 - 2013-07-08 21:03 - 03968960 _____ (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-08-15 03:45 - 2013-07-08 21:03 - 03913664 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-08-15 03:45 - 2013-07-08 20:53 - 01289096 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2013-08-15 03:45 - 2013-07-08 20:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2013-08-15 03:45 - 2013-07-08 20:50 - 00652800 _____ (Microsoft Corporation) C:\Windows\System32\rpcrt4.dll
2013-08-15 03:45 - 2013-07-08 20:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-08-15 03:45 - 2013-07-08 20:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-08-15 03:45 - 2013-07-08 20:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-08-15 03:45 - 2013-07-05 21:05 - 01293760 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-08-15 03:45 - 2013-06-14 19:38 - 00031232 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tssecsrv.sys
2013-07-27 02:51 - 2013-08-16 05:38 - 00000000 ____D C:\Windows\System32\MRT
 
==================== One Month Modified Files and Folders =======
 
2013-08-23 06:37 - 2009-07-13 20:39 - 00092458 _____ C:\Windows\setupact.log
2013-08-23 06:25 - 2010-12-08 12:42 - 00000000 ____D C:\ProgramData\HPQLOG
2013-08-22 17:49 - 2011-03-31 12:23 - 00000000 ____D C:\users\Kasson
2013-08-22 14:31 - 2011-03-06 16:29 - 01723022 _____ C:\Windows\WindowsUpdate.log
2013-08-22 13:58 - 2009-07-13 20:34 - 00020944 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-22 13:58 - 2009-07-13 20:34 - 00020944 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-22 07:39 - 2013-08-22 07:39 - 00000000 ____D C:\FRST
2013-08-22 03:27 - 2013-08-22 03:27 - 00012872 _____ (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2013-08-22 03:27 - 2013-08-22 03:27 - 00000930 _____ C:\Windows\System32\.crusader
2013-08-22 03:27 - 2013-08-22 03:10 - 00000000 ____D C:\ProgramData\HitmanPro
2013-08-21 10:04 - 2013-08-21 10:04 - 00003288 ____N C:\bootsqm.dat
2013-08-21 10:03 - 2013-08-21 10:03 - 00000000 __SHD C:\found.000
2013-08-20 09:54 - 2013-08-20 09:54 - 17139080 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2013-08-20 09:54 - 2012-06-29 11:20 - 00692104 _____ C:\Windows\System32\FlashPlayerApp.exe
2013-08-20 09:54 - 2011-05-22 10:03 - 00071048 _____ C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-08-20 06:58 - 2013-08-20 06:58 - 02250054 _____ C:\ProgramData\1.bmp
2013-08-17 12:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2013-08-16 12:20 - 2010-12-08 12:48 - 00726444 _____ C:\Windows\System32\PerfStringBackup.INI
2013-08-16 08:15 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-08-16 05:38 - 2013-07-27 02:51 - 00000000 ____D C:\Windows\System32\MRT
2013-08-16 05:35 - 2011-04-04 08:52 - 75778376 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-08-16 05:32 - 2011-11-03 07:09 - 00000000 _____ C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-08-16 05:32 - 2011-04-06 04:33 - 00000052 _____ C:\Windows\System32\DOErrors.log
2013-08-14 15:32 - 2012-03-03 04:52 - 00000000 ____D C:\Users\Kasson\Documents\Outlook Files
2013-08-10 06:50 - 2011-08-03 06:35 - 00000000 ____D C:\Program Files\AppGraffiti
2013-08-08 14:50 - 2011-04-04 12:35 - 00000000 ___RD C:\Users\Kasson\Documents\josiah
2013-07-28 03:12 - 2011-04-04 12:36 - 00000000 ____D C:\Users\Kasson\Documents\Laura
2013-07-25 19:13 - 2013-08-16 05:31 - 01767936 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-07-25 19:13 - 2013-08-16 05:31 - 01141248 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-07-25 19:13 - 2013-08-16 05:31 - 00042496 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-07-25 19:12 - 2013-08-16 05:31 - 14329344 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 02877440 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 02048512 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 00690688 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 00493056 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 00391168 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 00109056 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 00061440 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-07-25 19:12 - 2013-08-16 05:31 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-07-25 19:11 - 2013-08-16 05:31 - 13761024 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-07-25 19:11 - 2013-08-16 05:31 - 00033280 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-07-25 18:49 - 2013-08-16 05:31 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-07-25 17:59 - 2013-08-16 05:31 - 00071680 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-07-25 00:57 - 2013-08-15 03:45 - 01620992 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 16%
Total physical RAM: 2991.43 MB
Available physical RAM: 2511.41 MB
Total Pagefile: 2989.71 MB
Available Pagefile: 2517.3 MB
Total Virtual: 2047.88 MB
Available Virtual: 1940.49 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:215.6 GB) (Free:89.19 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive e: (HP_RECOVERY) (Fixed) (Total:15 GB) (Free:4.05 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive f: (HP_TOOLS) (Fixed) (Total:1.99 GB) (Free:1.48 GB) FAT32
Drive h: (HITMANPRO) (Removable) (Total:0.95 GB) (Free:0.94 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.29 GB) (Free:0.25 GB) NTFS ==>[system with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: 737A571F)
Partition 1: (Active) - (Size=300 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=216 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=2 GB) - (Type=0C)
 
========================================================
Disk: 1 (Size: 983 MB) (Disk ID: 694F7702)
Partition 1: (Active) - (Size=981 MB) - (Type=0B)
 
 
LastRegBack: 2013-08-13 10:09
 
==================== End Of Log ============================

 

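The sections the helper reads in a log like the one above (the Bamital & volsnap hash check and the .exe association check) lend themselves to a quick triage script. The following PowerShell is an added example, not code from the thread or from the FRST project: it pulls those two sections out of an FRST log and reports every entry that is not a known-good result. The section names and the "=> MD5 is legit" / "=> OK" markers are taken from the log format shown above; the sample log embedded here is constructed, and its userinit.exe line is deliberately made up to show what a hit looks like.

```powershell
# Added example (not from the thread or FRST): triage an FRST log for entries
# outside the known-good results in the system-file hash and .exe association
# sections. Sample log below is constructed; the userinit.exe line is invented.

function Get-FrstSection {
    param(
        [Parameter(Mandatory = $true)][string[]]$Lines,
        [Parameter(Mandatory = $true)][string]$Name
    )
    # FRST section headers look like "==================== Name =========".
    # A bare run of "=====" (used as a separator inside the MBR section) has
    # no text between the runs and therefore does not match.
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^=+\s+(.+?)\s+=+\s*$') {
            $inSection = ($Matches[1] -eq $Name)
            continue
        }
        if ($inSection -and $line.Trim() -ne '') { $line }
    }
}

function Test-FrstLog {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    $findings = @()
    # Every line of the hash check should end in "=> MD5 is legit".
    foreach ($line in Get-FrstSection -Lines $Lines -Name 'Bamital & volsnap Check') {
        if ($line -notmatch '=> MD5 is legit$') {
            $findings += [pscustomobject]@{ Check = 'SystemFileHash'; Detail = $line }
        }
    }
    # Every line of the .exe association check should end in "=> OK".
    foreach ($line in Get-FrstSection -Lines $Lines -Name 'EXE ASSOCIATION') {
        if ($line -notmatch '=> OK$') {
            $findings += [pscustomobject]@{ Check = 'ExeAssociation'; Detail = $line }
        }
    }
    ,$findings
}

# Constructed sample log (one invented bad line for userinit.exe).
$sampleLog = @'
==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\userinit.exe => ATTENTION (constructed result)
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== End Of Log ============================
'@

$findings = Test-FrstLog -Lines ($sampleLog -split "`r?`n")
if ($findings.Count -eq 0) {
    'No anomalies in the checked sections.'
} else {
    $findings | Format-Table -AutoSize
}

# For a real log saved by FRST:
# Test-FrstLog -Lines (Get-Content .\FRST.txt) | Format-Table -AutoSize
```

Anything the script lists is simply a line whose wording differs from the known-good marker, which is the same criterion a human reviewer applies to these two sections; it does not try to interpret what the deviation means.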

Startup Repair said it could not detect any problems.

 

The owner of the system said the infection happened on Wednesday, 8/21/2013. At the time of the infection, they had Malwarebytes Pro (paid) active as well as Microsoft Security Essentials. I am not sure if either of those had the very latest definitions. When they saw the "FBI" virus message, they powered the system off. Ever since, it has only come up with the black screen and white mouse pointer. I suspect either Malwarebytes or Security Essentials tried to deal with the virus at the time of the infection and that resulted in this condition. There were still virus issues after that as well as you can see from this thread. Also of note is that system file checker (sfc) runs clean on this system. My guess is an issue in the registry. File permissions seem to look OK to me.

 

Steve


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open Notepad and select Paste). Save it on the flashdrive as fixlist.txt

 

CMD: bootrec /fixmbr

CMD: bootrec /fixboot

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.


The fixmbr and fixboot did not help, but copying the registry files (after backing up the current ones) from windows\system32\config\regback worked! (Those backup registry files were from a week before the infection.) I am now running Malwarebytes (Pro) to clean up any other infections on the system. Thanks for your help!

 

Steve

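The step that actually fixed this machine, swapping the live hives for the copies in System32\config\RegBack after saving the current ones, is worth doing in a repeatable way. The script below is an added example, not the poster's procedure or Microsoft's tooling: it checks that each RegBack hive exists and is not empty, shows how old the backups are (so the operator can judge what will be lost, here roughly a week of changes), copies the current hives to a timestamped folder, and only then copies RegBack over them. It assumes PowerShell is available in the offline environment (Windows 7's own System Recovery Options provides cmd.exe only, so this means a WinPE build with PowerShell or the disk attached to another machine) and that the offline Windows directory is at the constructed path D:\Windows; the function name Restore-RegBackHives is mine.

```powershell
# Added example (not the thread's or Microsoft's code): restore the registry
# hives of an OFFLINE Windows installation from System32\config\RegBack,
# after backing up the hives currently in place. The -WindowsRoot value
# 'D:\Windows' is a constructed example; use the offline install's path.

$hives = 'DEFAULT', 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM'

function Restore-RegBackHives {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$WindowsRoot)

    $config  = Join-Path $WindowsRoot 'System32\config'
    $regBack = Join-Path $config 'RegBack'

    # The running OS holds its hives open; this only works on an offline install.
    $target = (Resolve-Path $WindowsRoot).Path.TrimEnd('\')
    if ($target -ieq $env:SystemRoot.TrimEnd('\')) {
        throw "$WindowsRoot is the running system; boot a recovery environment first."
    }

    # Refuse to proceed if any RegBack hive is missing or zero bytes.
    foreach ($h in $hives) {
        $src = Join-Path $regBack $h
        if (-not (Test-Path $src) -or (Get-Item $src).Length -eq 0) {
            throw "RegBack hive '$h' is missing or empty; nothing safe to restore."
        }
    }

    # Show the age of the backup copies before touching anything.
    Get-ChildItem $regBack | Where-Object { $hives -contains $_.Name } |
        Select-Object Name, Length, LastWriteTime | Out-Host

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $config "Backup-$stamp"
    if ($PSCmdlet.ShouldProcess($config, "back up current hives to $backup, then copy RegBack over them")) {
        New-Item -ItemType Directory -Path $backup | Out-Null
        foreach ($h in $hives) {
            # Save the current hive first, then replace it with the RegBack copy.
            Copy-Item -Path (Join-Path $config $h)  -Destination (Join-Path $backup $h) -Force
            Copy-Item -Path (Join-Path $regBack $h) -Destination (Join-Path $config $h) -Force
        }
        "Restored $($hives.Count) hives from RegBack; previous hives saved in $backup"
    }
}

# Dry run first (prints what would happen), then the real run.
Restore-RegBackHives -WindowsRoot 'D:\Windows' -WhatIf
# Restore-RegBackHives -WindowsRoot 'D:\Windows'
```

Because the function supports -WhatIf, the first call only reports the copy it would perform; the timestamped Backup folder it creates on the real run is what lets you reverse the change if the older hives turn out to be worse than the current ones.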

I let Malwarebytes update to the latest signature database and then ran Malwarebytes (quick scan) and let it clean up what it found and rebooted. I then ran a full scan which came up clean. I also ran a scan with Security Essentials, and a scan with McAfee which were also both clean. The system is running well at this point. 

 

Steve


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
