Another Win64 sirefef victim - constant auto reboot of PC

Solved
By MagsL
Jul 16, 2012
  1. Hi
    Please forgive ignorance as very new to this and do not understand much computer speak!
    I have been trawling your forums and after much searching we have deduced we have been hit by the same virus as noted in your thread here:
    http://www.techspot.com/community/topics/win64-sirefef-victim.182902/

    Basically cannot run PC at all, and shuts down within 1 minute in normal and safe mode. I have WSE and that constantly detects 2 trojans but isn't on long enough to resolve.

    In an effort to ease assistance, I have followed the advice given by BRONI in the above link, to create the summary FRST file - see attached txt file.

    Please can you help?
    I am using my laptop to communicate on this but the problem is on desktop PC - 64 bit, currently sat in dos mode awaiting your guidance.

    Thank you so much!


  2. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    Hi, have I posted in the correct place for advice please? Every chance it's not sirefef?? No idea, just keeps rebooting and saying virus found. I use MSE and can't use it to clean up as no time in reboot.
    Really need some help please and other users seem to get great help, so where do I go to next for assistance please??
    thanks
  3. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Additional FRST Scan

    Once again, please boot to the System Recovery Options and run FRST, as done previously.

    Type the following text in the blank box after Search:

    services.exe

    Click: Search file(s)


    When done searching, FRST makes a log, Search.txt, on the C:\ drive.

    Please provide the Search.txt in your reply.
  4. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    Hi, very strange but I cannot run the FRST part? It says d:\frst64.exe is not recognised as an internal or external command etc?
    Tried 5 times and drive letter is definitely correct?
    I am rebooting PC again but fear something very wrong has happened?
  5. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    Hi, I have tried both available drives and the command is not being accepted: h:\frst64.exe is not recognized.
    Please advise what to do next? This did work earlier but the PC has been rebooted many times now.
  6. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    OK, previous 2 posts show I am a hopeless novice by name and nature. Have fixed stupidity and apologise.
    Appreciate your patience!!

    So, FRST text is here:

    Scan result of Farbar Recovery Scan Tool Version: 16-07-2012 01
    Ran by SYSTEM at 16-07-2012 17:47:21
    Running from H:\
    Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
    HKU\Rob\...\Policies\system: [DisableLockWorkstation] 0
    HKU\Rob\...\Policies\system: [DisableChangePassword] 0
    HKLM-x32\...\Winlogon: [Userinit] C:\Windows\system32\ezShellStart.exe [x]
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

    ==================== Services (Whitelisted) ======

    2 BcmSqlStartupSvc; "C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [30312 2009-02-20] (Microsoft Corporation)
    2 ForceWare Intelligent Application Manager (IAM); C:\Program Files\bin32\nSvcAppFlt.exe [920064 2008-01-29] ()
    2 GenericHidService; HidService.exe [83264 2008-05-29] (Packard Bell Services)
    2 GenericHidService; HidService.exe [83264 2008-05-29] (Packard Bell Services)
    2 HsdService; "C:\Program Files (x86)\Virgin Media\Digital Home Support\HsdService.exe" [1406264 2011-03-23] (Virgin Media)
    2 lxduCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\lxduserv.exe [33960 2009-08-19] (Lexmark International, Inc.)
    2 lxdu_device; C:\Windows\system32\lxducoms.exe -service [1044136 2009-08-19] ( )
    2 lxdu_device; C:\Windows\SysWow64\lxducoms.exe -service [1040552 2008-05-23] ( )
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    3 MSSQL$MSSMLBIZ; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [29293408 2010-12-10] (Microsoft Corporation)
    4 Nero BackItUp Scheduler 3; C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe [877864 2008-02-18] (Nero AG)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    4 NMIndexingService; "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe" [529704 2008-04-28] (Nero AG)
    2 nSvcIp; C:\Program Files\bin32\nSvcIp.exe [193024 2008-01-29] ()
    2 PLFlash DeviceIoControl Service; C:\Windows\SysWOW64\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.)
    2 ServicepointService; "C:\Program Files (x86)\Virgin Media\Service Manager\ServicepointService.exe" [689464 2011-03-25] (Radialpoint Inc.)
    2 TomTomHOMEService; C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [92592 2011-04-22] (TomTom)

    ========================== Drivers (Whitelisted) =============

    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-07-16 11:08 - 2012-07-16 11:08 - 00000000 ____D C:\FRST
    2012-07-16 07:19 - 2012-07-16 07:19 - 00000036 ____A C:\Users\Rob\AppData\Local\housecall.guid.cache
    2012-07-16 07:19 - 2011-05-16 02:15 - 02433672 ____A (Trend Micro Inc.) C:\Users\Rob\Desktop\FakeAVRemover.exe
    2012-07-16 07:13 - 2012-07-16 07:13 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.796CEF081EA42F5B
    2012-07-16 07:05 - 2012-07-16 07:05 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.224107E38FF56BDA
    2012-07-16 07:05 - 2012-07-16 06:42 - 03875048 ____A (AVG Technologies) C:\Users\Rob\Desktop\avg_avct_stb_all_2012_2195_ppc2.exe
    2012-07-16 07:01 - 2012-07-16 07:01 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.06C62A241CC5F541
    2012-07-16 06:49 - 2012-07-16 07:26 - 00000000 ____D C:\Users\All Users\MFAData
    2012-07-16 06:49 - 2012-07-16 06:49 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C420456DFD26B490
    2012-07-16 06:18 - 2012-07-16 06:18 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2438971FE688A504
    2012-07-08 03:30 - 2012-07-08 03:32 - 00000418 ____A C:\Windows\Tasks\SpeedMaxPc Update3.job
    2012-07-08 03:30 - 2012-07-08 03:32 - 00000396 ____A C:\Windows\Tasks\SpeedMaxPc.job
    2012-07-08 03:30 - 2012-07-08 03:30 - 00001007 ____A C:\Users\Rob\Desktop\SpeedMaxPc.lnk
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Users\Rob\AppData\Roaming\SpeedMaxPc
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Users\Rob\AppData\Roaming\DriverCure
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Users\All Users\SpeedMaxPc
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Program Files (x86)\SpeedMaxPc
    2012-07-07 14:08 - 2012-07-07 14:08 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-07-07 14:08 - 2012-07-07 14:08 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-07-06 14:19 - 2012-07-06 14:19 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-06 14:00 - 2012-07-06 23:32 - 00000000 ____D C:\Users\Rob\AppData\Roaming\xsecva
    2012-07-06 14:00 - 2012-07-06 14:00 - 00000012 ____A C:\Windows\srun.log
    2012-06-24 10:13 - 2012-06-24 10:13 - 00538624 ____A C:\Users\Rob\Downloads\rent statement (1).xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00538624 ____A C:\Users\Rob\Downloads\rent statement.xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00445687 ____A C:\Users\Rob\Downloads\fwdfff40st_loenardsavenuehove.zip
    2012-06-24 02:10 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-24 02:10 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2012-06-24 02:10 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-24 02:10 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-24 02:10 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2012-06-24 02:10 - 2012-06-02 06:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-24 02:10 - 2012-06-02 06:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-24 02:10 - 2012-06-02 06:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-24 02:10 - 2012-06-02 06:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe

    ============ 3 Months Modified Files ========================

    2012-07-16 08:24 - 2010-10-23 02:56 - 00034709 ____A C:\Users\All Users\nvModes.dat
    2012-07-16 08:24 - 2010-10-23 02:56 - 00034709 ____A C:\Users\All Users\nvModes.001
    2012-07-16 08:24 - 2010-01-31 02:35 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-16 08:24 - 2006-11-02 07:42 - 00032602 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-07-16 08:24 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-16 08:24 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-16 08:24 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-16 07:46 - 2009-10-20 12:05 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-07-16 07:40 - 2010-01-31 02:35 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-16 07:19 - 2012-07-16 07:19 - 00000036 ____A C:\Users\Rob\AppData\Local\housecall.guid.cache
    2012-07-16 07:13 - 2012-07-16 07:13 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.796CEF081EA42F5B
    2012-07-16 07:05 - 2012-07-16 07:05 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.224107E38FF56BDA
    2012-07-16 07:01 - 2012-07-16 07:01 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.06C62A241CC5F541
    2012-07-16 06:49 - 2012-07-16 06:49 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C420456DFD26B490
    2012-07-16 06:42 - 2012-07-16 07:05 - 03875048 ____A (AVG Technologies) C:\Users\Rob\Desktop\avg_avct_stb_all_2012_2195_ppc2.exe
    2012-07-16 06:18 - 2012-07-16 06:18 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2438971FE688A504
    2012-07-08 03:32 - 2012-07-08 03:30 - 00000418 ____A C:\Windows\Tasks\SpeedMaxPc Update3.job
    2012-07-08 03:32 - 2012-07-08 03:30 - 00000396 ____A C:\Windows\Tasks\SpeedMaxPc.job
    2012-07-08 03:30 - 2012-07-08 03:30 - 00001007 ____A C:\Users\Rob\Desktop\SpeedMaxPc.lnk
    2012-07-07 14:41 - 2009-07-09 15:35 - 01534265 ____A C:\Windows\WindowsUpdate.log
    2012-07-07 14:08 - 2011-05-15 09:11 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-07-07 14:08 - 2010-05-03 09:32 - 00778976 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-07-07 13:59 - 2011-04-15 03:14 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198968773-186493069-1406013737-1000UA.job
    2012-07-07 12:53 - 2006-11-02 04:46 - 00772686 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-06 14:16 - 2012-05-05 01:02 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-07-06 14:16 - 2011-11-20 03:53 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-07-06 14:00 - 2012-07-06 14:00 - 00000012 ____A C:\Windows\srun.log
    2012-07-03 14:59 - 2011-04-15 03:14 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198968773-186493069-1406013737-1000Core.job
    2012-07-03 13:04 - 2011-04-15 03:14 - 00002034 ____A C:\Users\Rob\Desktop\Google Chrome.lnk
    2012-06-24 10:13 - 2012-06-24 10:13 - 00538624 ____A C:\Users\Rob\Downloads\rent statement (1).xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00538624 ____A C:\Users\Rob\Downloads\rent statement.xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00445687 ____A C:\Users\Rob\Downloads\fwdfff40st_loenardsavenuehove.zip
    2012-06-24 06:17 - 2006-11-02 07:27 - 00025630 ____A C:\Windows\setupact.log
    2012-06-15 10:22 - 2006-11-02 07:21 - 00408992 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-15 09:47 - 2006-11-02 04:35 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-06-13 12:51 - 2012-06-13 12:51 - 00001696 ____A C:\Users\Public\Desktop\iTunes.lnk
    2012-06-04 05:52 - 2012-06-04 05:39 - 00022362 ____A C:\Users\Rob\Downloads\Saint Lucia stats - Tropical Sky 2012 at 31 May 2012.xlsx
    2012-06-04 05:39 - 2012-06-04 05:39 - 00022157 ____A C:\Users\Rob\Downloads\Saint Lucia stats - Tropical Sky 2012 at 30Apr2012.xlsx
    2012-06-04 04:40 - 2012-06-04 04:40 - 02586352 ____A C:\Users\Rob\Downloads\IMG_0971 (1).MOV
    2012-06-04 04:39 - 2012-06-04 04:39 - 05228241 ____A C:\Users\Rob\Downloads\IMG_0971.MOV
    2012-06-04 04:26 - 2009-11-16 00:07 - 00000069 ____A C:\Windows\NeroDigital.ini
    2012-06-04 03:42 - 2012-06-04 03:42 - 00000126 ____A C:\Users\Rob\Desktop\Download.url
    2012-06-04 03:41 - 2012-06-04 03:40 - 13583705 ____A C:\Users\Rob\Downloads\Charlotte playing and singing.wmv
    2012-06-02 14:19 - 2012-06-24 02:10 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-24 02:10 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2012-06-02 14:15 - 2012-06-24 02:10 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-24 02:10 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 14:12 - 2012-06-24 02:10 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2012-06-02 06:19 - 2012-06-24 02:10 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 06:19 - 2012-06-24 02:10 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-02 06:15 - 2012-06-24 02:10 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 06:12 - 2012-06-24 02:10 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2012-05-31 14:39 - 2012-05-31 14:39 - 00001758 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
    2012-05-31 03:25 - 2009-12-11 10:57 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-05-17 18:47 - 2012-06-15 09:54 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-05-17 18:16 - 2012-06-15 09:54 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-05-17 18:06 - 2012-06-15 09:54 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-05-17 17:59 - 2012-06-15 09:54 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-17 17:59 - 2012-06-15 09:54 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-05-17 17:58 - 2012-06-15 09:54 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-05-17 17:58 - 2012-06-15 09:54 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-05-17 17:56 - 2012-06-15 09:54 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-17 17:55 - 2012-06-15 09:54 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-05-17 17:55 - 2012-06-15 09:54 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-05-17 17:54 - 2012-06-15 09:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-05-17 17:51 - 2012-06-15 09:54 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-05-17 17:51 - 2012-06-15 09:54 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-05-17 17:47 - 2012-06-15 09:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-05-17 15:11 - 2012-06-15 09:54 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-05-17 14:48 - 2012-06-15 09:54 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-05-17 14:45 - 2012-06-15 09:54 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-05-17 14:36 - 2012-06-15 09:54 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-05-17 14:35 - 2012-06-15 09:54 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-05-17 14:35 - 2012-06-15 09:54 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-05-17 14:33 - 2012-06-15 09:54 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-05-17 14:31 - 2012-06-15 09:54 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-05-17 14:29 - 2012-06-15 09:54 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-05-17 14:29 - 2012-06-15 09:54 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-05-17 14:27 - 2012-06-15 09:54 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-05-17 14:25 - 2012-06-15 09:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-05-17 14:24 - 2012-06-15 09:54 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-05-17 14:20 - 2012-06-15 09:54 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-05-15 12:15 - 2012-06-13 11:54 - 02767360 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-05-12 22:45 - 2008-01-20 19:26 - 00377380 ____A C:\Windows\PFRO.log
    2012-05-10 14:25 - 2009-11-17 14:59 - 00007680 ____A C:\Users\Rob\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-05-01 06:29 - 2012-06-13 11:54 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-04-23 08:25 - 2012-06-13 11:54 - 01267200 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-04-23 08:25 - 2012-06-13 11:54 - 00174592 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-04-23 08:25 - 2012-06-13 11:54 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-04-23 08:00 - 2012-06-13 11:54 - 00984064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
    2012-04-23 08:00 - 2012-06-13 11:54 - 00133120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
    2012-04-23 08:00 - 2012-06-13 11:54 - 00098304 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
    2012-04-18 11:56 - 2012-04-18 11:56 - 00094208 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTimeVR.qtx
    2012-04-18 11:56 - 2012-04-18 11:56 - 00069632 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTime.qts


    ZeroAccess:
    C:\Windows\Installer\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}
    C:\Windows\Installer\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\@
    C:\Windows\Installer\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\L
    C:\Windows\Installer\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\n
    C:\Windows\Installer\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\U
    C:\Windows\Installer\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\U\00000001.@
    C:\Windows\Installer\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\U\80000000.@
    C:\Windows\Installer\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\U\800000cb.@

    ZeroAccess:
    C:\Users\Rob\AppData\Local\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}
    C:\Users\Rob\AppData\Local\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\@
    C:\Users\Rob\AppData\Local\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\L
    C:\Users\Rob\AppData\Local\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\U
    C:\Users\Rob\AppData\Local\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\L\00000004.@
    C:\Users\Rob\AppData\Local\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\L\1afb2d56
    C:\Users\Rob\AppData\Local\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\U\00000004.@
    C:\Users\Rob\AppData\Local\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\U\00000008.@
    C:\Users\Rob\AppData\Local\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\U\000000cb.@
    C:\Users\Rob\AppData\Local\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\U\80000000.@
    C:\Users\Rob\AppData\Local\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\U\80000032.@
    C:\Users\Rob\AppData\Local\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\U\80000064.@

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe BC81150939BD52DBC7A08C245F1FB229 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 13%
    Total physical RAM: 4093.62 MB
    Available physical RAM: 3543.21 MB
    Total Pagefile: 3970.49 MB
    Available Pagefile: 3528.5 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ======================= Partitions =========================

    1 Drive c: (OS) (Fixed) (Total:342.02 GB) (Free:192.21 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    6 Drive h: () (Removable) (Total:31.23 GB) (Free:31.23 GB) FAT32
    7 Drive I: (DATA) (Fixed) (Total:341.97 GB) (Free:341.65 GB) NTFS
    10 Drive x: (PQSERVICE) (Fixed) (Total:14.65 GB) (Free:4.17 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 699 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Disk 5 Online 31 GB 0 B
    Disk 6 No Media 0 B 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 15 GB 1024 KB
    Partition 2 Primary 342 GB 15 GB
    Partition 3 Primary 342 GB 357 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 9 X PQSERVICE NTFS Partition 15 GB Healthy Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C OS NTFS Partition 342 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 I DATA NTFS Partition 342 GB Healthy

    ==================================================================================

    Partitions of Disk 5:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 31 GB 488 KB

    ==================================================================================

    Disk: 5
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 7 H FAT32 Removable 31 GB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-07 12:57

    ======================= End Of Log ==========================

    and SEARCH text is here

    Farbar Recovery Scan Tool Version: 16-07-2012 01
    Ran by SYSTEM at 2012-07-16 17:49:21
    Running from H:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
    [2009-10-20 12:04] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
    [2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
    [2009-10-20 12:05] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
    [2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

    C:\Windows\SysWOW64\services.exe
    [2009-10-20 12:04] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\System32\services.exe
    [2009-10-20 12:05] - [2012-07-16 07:46] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229

    ====== End Of Search ======

    THANK YOU!!
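The comparison the helper makes by eye from the search above (the live services.exe against the copies in the component store), scripted as an added example that is not part of the thread or of FRST. It assumes that in each record's second line the first bracket is the creation time and the second the last-modified time, which agrees with the "Modified Files" section of the same log; the sample is the posted search output, abridged.

```python
# Added example (not from the thread and not part of FRST): the comparison the
# helper does by eye, scripted. Field meaning is an assumption: in each record's
# second line the first bracket is the creation time and the second the
# last-modified time, which agrees with the log's "Modified Files" section.
from __future__ import annotations

import re
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: the search output posted above, abridged to the winsxs
# reference copies plus the two live copies.
SEARCH_LOG = r"""
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-10-20 12:04] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-10-20 12:05] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719
C:\Windows\SysWOW64\services.exe
[2009-10-20 12:04] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\System32\services.exe
[2009-10-20 12:05] - [2012-07-16 07:46] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229
====== End Of Search ======
"""

# Second line of an FRST search record: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[\d-]+ [\d:]+)\] - \[(?P<modified>[\d-]+ [\d:]+)\] - "
    r"(?P<size>\d+) \S+ \([^)]*\) (?P<md5>[0-9A-Fa-f]{32})$"
)
WINSXS_RE = re.compile(r"\\winsxs\\(?P<arch>amd64|x86)_", re.I)
Finding = namedtuple("Finding", "path md5 reasons replacement")


@dataclass
class FileRecord:
    path: str
    created: datetime
    modified: datetime
    size: int
    md5: str

    @property
    def is_reference(self) -> bool:
        return WINSXS_RE.search(self.path) is not None  # component-store copy

    @property
    def arch(self) -> Optional[str]:
        m = WINSXS_RE.search(self.path)
        if m:
            return m.group("arch").lower()
        low = self.path.lower()
        if "\\syswow64\\" in low:
            return "x86"    # 32-bit binaries live in SysWOW64 on 64-bit Windows
        if "\\system32\\" in low:
            return "amd64"  # assumes a 64-bit OS, as in the log above
        return None


def parse_search_log(text: str) -> list[FileRecord]:
    """Pair each path line with the detail line that follows it; skip the rest."""
    lines = [ln.strip() for ln in text.splitlines()]
    records = []
    for path, nxt in zip(lines, lines[1:]):
        detail = DETAIL_RE.match(nxt)
        if detail is None or not re.match(r"^[A-Za-z]:\\", path):
            continue
        records.append(FileRecord(
            path, datetime.strptime(detail["created"], "%Y-%m-%d %H:%M"),
            datetime.strptime(detail["modified"], "%Y-%m-%d %H:%M"),
            int(detail["size"]), detail["md5"].upper()))
    return records


def triage(records: list[FileRecord]) -> list[Finding]:
    """Flag a live copy whose MD5 matches no reference copy of the same arch and size."""
    refs = [r for r in records if r.is_reference]
    known = {(r.arch, r.size, r.md5) for r in refs}
    findings = []
    for live in (r for r in records if not r.is_reference):
        if (live.arch, live.size, live.md5) in known:
            continue
        reasons = ["MD5 matches no winsxs copy of the same architecture and size"]
        if live.modified > live.created:
            reasons.append("content rewritten after the file was created")
        # Restore source: the reference installed at the same moment as the live
        # file (same creation time), else the most recently installed one.
        pool = [r for r in refs if r.arch == live.arch]
        same_birth = [r for r in pool if r.created == live.created]
        best = max(same_birth or pool, key=lambda r: r.created, default=None)
        findings.append(Finding(live.path, live.md5, reasons, best.path if best else None))
    return findings
```

The patched System32 copy is byte-for-byte the same size as the genuine 64-bit file, so only the hash exposes it. On 64-bit Windows the clean source for System32\services.exe is the amd64 winsxs entry of that size, not the 32-bit copy in SysWOW64.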
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST64 Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
  8. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    Hi DMJ

    OK here is the text file
    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 16-07-2012 01
    Ran by SYSTEM at 2012-07-17 21:11:03 Run:1
    Running from K:\

    ==============================================

    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\SysWOW64\services.exe copied successfully to C:\Windows\System32\services.exe
    C:\Windows\Installer\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b} moved successfully.
    C:\Users\Rob\AppData\Local\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b} moved successfully.

    ==== End of Fixlog ====

    Restart just gave me a blank screen for ages so fully rebooted and I still just get a black screen. I have rebooted 3 times and still the same. I have restarted in safe mode but still the windows log in screen doesn't come up at all??

    Very worrying. What has happened? No lights flashing and hard drive not seeming to be doing anything - just a black screen with the mouse cursor showing.
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Are you able to boot to the Recovery mode at all?
  10. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    Hi, yes I can. I went into safe mode but the same happens, but I do get the F8 screen with the various recovery options.
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Great. :) I would like to see another FRST log please, a scan as run above in my first request for FRST.
  12. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    OK here you go

    Scan result of Farbar Recovery Scan Tool Version: 16-07-2012 01
    Ran by SYSTEM at 18-07-2012 21:04:40
    Running from K:\
    Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
    HKU\Rob\...\Policies\system: [DisableLockWorkstation] 0
    HKU\Rob\...\Policies\system: [DisableChangePassword] 0
    HKLM-x32\...\Winlogon: [Userinit] C:\Windows\system32\ezShellStart.exe [x]
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

    ==================== Services (Whitelisted) ======

    2 BcmSqlStartupSvc; "C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [30312 2009-02-20] (Microsoft Corporation)
    2 ForceWare Intelligent Application Manager (IAM); C:\Program Files\bin32\nSvcAppFlt.exe [920064 2008-01-29] ()
    2 GenericHidService; HidService.exe [83264 2008-05-29] (Packard Bell Services)
    2 GenericHidService; HidService.exe [83264 2008-05-29] (Packard Bell Services)
    2 HsdService; "C:\Program Files (x86)\Virgin Media\Digital Home Support\HsdService.exe" [1406264 2011-03-23] (Virgin Media)
    2 lxduCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\lxduserv.exe [33960 2009-08-19] (Lexmark International, Inc.)
    2 lxdu_device; C:\Windows\system32\lxducoms.exe -service [1044136 2009-08-19] ( )
    2 lxdu_device; C:\Windows\SysWow64\lxducoms.exe -service [1040552 2008-05-23] ( )
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    3 MSSQL$MSSMLBIZ; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [29293408 2010-12-10] (Microsoft Corporation)
    4 Nero BackItUp Scheduler 3; C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe [877864 2008-02-18] (Nero AG)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    4 NMIndexingService; "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe" [529704 2008-04-28] (Nero AG)
    2 nSvcIp; C:\Program Files\bin32\nSvcIp.exe [193024 2008-01-29] ()
    2 PLFlash DeviceIoControl Service; C:\Windows\SysWOW64\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.)
    2 ServicepointService; "C:\Program Files (x86)\Virgin Media\Service Manager\ServicepointService.exe" [689464 2011-03-25] (Radialpoint Inc.)
    2 TomTomHOMEService; C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [92592 2011-04-22] (TomTom)

    ========================== Drivers (Whitelisted) =============

    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-07-16 11:08 - 2012-07-16 11:08 - 00000000 ____D C:\FRST
    2012-07-16 07:19 - 2012-07-16 07:19 - 00000036 ____A C:\Users\Rob\AppData\Local\housecall.guid.cache
    2012-07-16 07:19 - 2011-05-16 02:15 - 02433672 ____A (Trend Micro Inc.) C:\Users\Rob\Desktop\FakeAVRemover.exe
    2012-07-16 07:13 - 2012-07-16 07:13 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.796CEF081EA42F5B
    2012-07-16 07:05 - 2012-07-16 07:05 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.224107E38FF56BDA
    2012-07-16 07:05 - 2012-07-16 06:42 - 03875048 ____A (AVG Technologies) C:\Users\Rob\Desktop\avg_avct_stb_all_2012_2195_ppc2.exe
    2012-07-16 07:01 - 2012-07-16 07:01 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.06C62A241CC5F541
    2012-07-16 06:49 - 2012-07-16 07:26 - 00000000 ____D C:\Users\All Users\MFAData
    2012-07-16 06:49 - 2012-07-16 06:49 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C420456DFD26B490
    2012-07-16 06:18 - 2012-07-16 06:18 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2438971FE688A504
    2012-07-08 03:30 - 2012-07-08 03:32 - 00000418 ____A C:\Windows\Tasks\SpeedMaxPc Update3.job
    2012-07-08 03:30 - 2012-07-08 03:32 - 00000396 ____A C:\Windows\Tasks\SpeedMaxPc.job
    2012-07-08 03:30 - 2012-07-08 03:30 - 00001007 ____A C:\Users\Rob\Desktop\SpeedMaxPc.lnk
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Users\Rob\AppData\Roaming\SpeedMaxPc
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Users\Rob\AppData\Roaming\DriverCure
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Users\All Users\SpeedMaxPc
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Program Files (x86)\SpeedMaxPc
    2012-07-07 14:08 - 2012-07-07 14:08 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-07-07 14:08 - 2012-07-07 14:08 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-07-06 14:19 - 2012-07-06 14:19 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-06 14:00 - 2012-07-06 23:32 - 00000000 ____D C:\Users\Rob\AppData\Roaming\xsecva
    2012-07-06 14:00 - 2012-07-06 14:00 - 00000012 ____A C:\Windows\srun.log
    2012-06-24 10:13 - 2012-06-24 10:13 - 00538624 ____A C:\Users\Rob\Downloads\rent statement (1).xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00538624 ____A C:\Users\Rob\Downloads\rent statement.xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00445687 ____A C:\Users\Rob\Downloads\fwdfff40st_loenardsavenuehove.zip
    2012-06-24 02:10 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-24 02:10 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2012-06-24 02:10 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-24 02:10 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-24 02:10 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2012-06-24 02:10 - 2012-06-02 06:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-24 02:10 - 2012-06-02 06:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-24 02:10 - 2012-06-02 06:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-24 02:10 - 2012-06-02 06:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe

    ============ 3 Months Modified Files ========================

    2012-07-16 08:24 - 2010-10-23 02:56 - 00034709 ____A C:\Users\All Users\nvModes.dat
    2012-07-16 08:24 - 2010-10-23 02:56 - 00034709 ____A C:\Users\All Users\nvModes.001
    2012-07-16 08:24 - 2010-01-31 02:35 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-16 08:24 - 2006-11-02 07:42 - 00032602 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-07-16 08:24 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-16 08:24 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-16 08:24 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-16 07:40 - 2010-01-31 02:35 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-16 07:19 - 2012-07-16 07:19 - 00000036 ____A C:\Users\Rob\AppData\Local\housecall.guid.cache
    2012-07-16 07:13 - 2012-07-16 07:13 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.796CEF081EA42F5B
    2012-07-16 07:05 - 2012-07-16 07:05 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.224107E38FF56BDA
    2012-07-16 07:01 - 2012-07-16 07:01 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.06C62A241CC5F541
    2012-07-16 06:49 - 2012-07-16 06:49 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C420456DFD26B490
    2012-07-16 06:42 - 2012-07-16 07:05 - 03875048 ____A (AVG Technologies) C:\Users\Rob\Desktop\avg_avct_stb_all_2012_2195_ppc2.exe
    2012-07-16 06:18 - 2012-07-16 06:18 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2438971FE688A504
    2012-07-08 03:32 - 2012-07-08 03:30 - 00000418 ____A C:\Windows\Tasks\SpeedMaxPc Update3.job
    2012-07-08 03:32 - 2012-07-08 03:30 - 00000396 ____A C:\Windows\Tasks\SpeedMaxPc.job
    2012-07-08 03:30 - 2012-07-08 03:30 - 00001007 ____A C:\Users\Rob\Desktop\SpeedMaxPc.lnk
    2012-07-07 14:41 - 2009-07-09 15:35 - 01534265 ____A C:\Windows\WindowsUpdate.log
    2012-07-07 14:08 - 2011-05-15 09:11 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-07-07 14:08 - 2010-05-03 09:32 - 00778976 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-07-07 13:59 - 2011-04-15 03:14 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198968773-186493069-1406013737-1000UA.job
    2012-07-07 12:53 - 2006-11-02 04:46 - 00772686 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-06 14:16 - 2012-05-05 01:02 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-07-06 14:16 - 2011-11-20 03:53 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-07-06 14:00 - 2012-07-06 14:00 - 00000012 ____A C:\Windows\srun.log
    2012-07-03 14:59 - 2011-04-15 03:14 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198968773-186493069-1406013737-1000Core.job
    2012-07-03 13:04 - 2011-04-15 03:14 - 00002034 ____A C:\Users\Rob\Desktop\Google Chrome.lnk
    2012-06-24 10:13 - 2012-06-24 10:13 - 00538624 ____A C:\Users\Rob\Downloads\rent statement (1).xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00538624 ____A C:\Users\Rob\Downloads\rent statement.xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00445687 ____A C:\Users\Rob\Downloads\fwdfff40st_loenardsavenuehove.zip
    2012-06-24 06:17 - 2006-11-02 07:27 - 00025630 ____A C:\Windows\setupact.log
    2012-06-15 10:22 - 2006-11-02 07:21 - 00408992 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-15 09:47 - 2006-11-02 04:35 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-06-13 12:51 - 2012-06-13 12:51 - 00001696 ____A C:\Users\Public\Desktop\iTunes.lnk
    2012-06-04 05:52 - 2012-06-04 05:39 - 00022362 ____A C:\Users\Rob\Downloads\Saint Lucia stats - Tropical Sky 2012 at 31 May 2012.xlsx
    2012-06-04 05:39 - 2012-06-04 05:39 - 00022157 ____A C:\Users\Rob\Downloads\Saint Lucia stats - Tropical Sky 2012 at 30Apr2012.xlsx
    2012-06-04 04:40 - 2012-06-04 04:40 - 02586352 ____A C:\Users\Rob\Downloads\IMG_0971 (1).MOV
    2012-06-04 04:39 - 2012-06-04 04:39 - 05228241 ____A C:\Users\Rob\Downloads\IMG_0971.MOV
    2012-06-04 04:26 - 2009-11-16 00:07 - 00000069 ____A C:\Windows\NeroDigital.ini
    2012-06-04 03:42 - 2012-06-04 03:42 - 00000126 ____A C:\Users\Rob\Desktop\Download.url
    2012-06-04 03:41 - 2012-06-04 03:40 - 13583705 ____A C:\Users\Rob\Downloads\Charlotte playing and singing.wmv
    2012-06-02 14:19 - 2012-06-24 02:10 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-24 02:10 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2012-06-02 14:15 - 2012-06-24 02:10 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-24 02:10 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 14:12 - 2012-06-24 02:10 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2012-06-02 06:19 - 2012-06-24 02:10 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 06:19 - 2012-06-24 02:10 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-02 06:15 - 2012-06-24 02:10 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 06:12 - 2012-06-24 02:10 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2012-05-31 14:39 - 2012-05-31 14:39 - 00001758 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
    2012-05-31 03:25 - 2009-12-11 10:57 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-05-17 18:47 - 2012-06-15 09:54 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-05-17 18:16 - 2012-06-15 09:54 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-05-17 18:06 - 2012-06-15 09:54 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-05-17 17:59 - 2012-06-15 09:54 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-17 17:59 - 2012-06-15 09:54 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-05-17 17:58 - 2012-06-15 09:54 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-05-17 17:58 - 2012-06-15 09:54 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-05-17 17:56 - 2012-06-15 09:54 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-17 17:55 - 2012-06-15 09:54 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-05-17 17:55 - 2012-06-15 09:54 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-05-17 17:54 - 2012-06-15 09:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-05-17 17:51 - 2012-06-15 09:54 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-05-17 17:51 - 2012-06-15 09:54 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-05-17 17:47 - 2012-06-15 09:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-05-17 15:11 - 2012-06-15 09:54 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-05-17 14:48 - 2012-06-15 09:54 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-05-17 14:45 - 2012-06-15 09:54 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-05-17 14:36 - 2012-06-15 09:54 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-05-17 14:35 - 2012-06-15 09:54 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-05-17 14:35 - 2012-06-15 09:54 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-05-17 14:33 - 2012-06-15 09:54 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-05-17 14:31 - 2012-06-15 09:54 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-05-17 14:29 - 2012-06-15 09:54 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-05-17 14:29 - 2012-06-15 09:54 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-05-17 14:27 - 2012-06-15 09:54 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-05-17 14:25 - 2012-06-15 09:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-05-17 14:24 - 2012-06-15 09:54 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-05-17 14:20 - 2012-06-15 09:54 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-05-15 12:15 - 2012-06-13 11:54 - 02767360 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-05-12 22:45 - 2008-01-20 19:26 - 00377380 ____A C:\Windows\PFRO.log
    2012-05-10 14:25 - 2009-11-17 14:59 - 00007680 ____A C:\Users\Rob\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-05-01 06:29 - 2012-06-13 11:54 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-04-23 08:25 - 2012-06-13 11:54 - 01267200 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-04-23 08:25 - 2012-06-13 11:54 - 00174592 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-04-23 08:25 - 2012-06-13 11:54 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-04-23 08:00 - 2012-06-13 11:54 - 00984064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
    2012-04-23 08:00 - 2012-06-13 11:54 - 00133120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
    2012-04-23 08:00 - 2012-06-13 11:54 - 00098304 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll


    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe
    [2009-10-20 12:05] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 13%
    Total physical RAM: 4093.62 MB
    Available physical RAM: 3544.48 MB
    Total Pagefile: 3970.49 MB
    Available Pagefile: 3530.34 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ======================= Partitions =========================

    1 Drive c: (OS) (Fixed) (Total:342.02 GB) (Free:193.01 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    7 Drive I: (DATA) (Fixed) (Total:341.97 GB) (Free:341.65 GB) NTFS
    9 Drive k: () (Removable) (Total:31.23 GB) (Free:31.23 GB) FAT32
    10 Drive x: (PQSERVICE) (Fixed) (Total:14.65 GB) (Free:4.16 GB) NTFS

    Disk ###  Status      Size     Free     Dyn  Gpt
    --------  ----------  -------  -------  ---  ---
    Disk 0    Online      699 GB   0 B
    Disk 1    No Media    0 B      0 B
    Disk 2    No Media    0 B      0 B
    Disk 3    No Media    0 B      0 B
    Disk 4    No Media    0 B      0 B
    Disk 5    No Media    0 B      0 B
    Disk 6    Online      31 GB    0 B

    Partitions of Disk 0:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    OEM               15 GB    1024 KB
    Partition 2    Primary           342 GB   15 GB
    Partition 3    Primary           342 GB   357 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
    ----------  ---  -----------  -----  ----------  -------  -------  --------
    * Volume 9  X    PQSERVICE    NTFS   Partition   15 GB    Healthy  Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
    ----------  ---  -----------  -----  ----------  -------  -------  --------
    * Volume 1  C    OS           NTFS   Partition   342 GB   Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
    ----------  ---  -----------  -----  ----------  -------  -------  --------
    * Volume 2  I    DATA         NTFS   Partition   342 GB   Healthy

    ==================================================================================

    Partitions of Disk 6:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary           31 GB    488 KB

    ==================================================================================

    Disk: 6
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
    ----------  ---  -----------  -----  ----------  -------  -------  --------
    * Volume 8  K                 FAT32  Removable   31 GB    Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-07 12:57
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Found the issue. :)

    FRST64 Fixlist

    Please run the following:

    Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flashdrive as fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
     
  14. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 16-07-2012 01
    Ran by SYSTEM at 2012-07-18 21:34:47 Run:2
    Running from K:\

    ==============================================

    HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit Value was restored successfully .
    C:\Windows\System32\services.exe.796CEF081EA42F5B moved successfully.
    C:\Windows\System32\services.exe.224107E38FF56BDA moved successfully.
    C:\Windows\System32\services.exe.06C62A241CC5F541 moved successfully.
    C:\Windows\System32\services.exe.C420456DFD26B490 moved successfully.
    C:\Windows\Tasks\SpeedMaxPc Update3.job moved successfully.
    C:\Windows\Tasks\SpeedMaxPc.job moved successfully.
    C:\Users\Rob\Desktop\SpeedMaxPc.lnk moved successfully.
    C:\Windows\System32\services.exe.2438971FE688A504 moved successfully.

    ==== End of Fixlog ====
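    The Fixlog above shows what the helper's fixlist targeted: the Winlogon Userinit value (which the scan earlier showed pointing at C:\Windows\system32\ezShellStart.exe with FRST's [x] marker), the services.exe.<hex> copies in System32, and the SpeedMaxPc scheduled tasks. As an added example that is not part of this thread, of FRST, or of the helper's fixlist, the Python script below performs that kind of triage over FRST-style log lines automatically: it flags those three indicators plus the hidden %APPDATA% folder under System32 and any file in the "Bamital & volsnap Check" section that FRST printed without "=> MD5 is legit". The regular expressions, the task allow-list and the SAMPLE_LOG excerpt (trimmed lines copied from the scan posted above) are this example's own assumptions, not FRST's rules.

```python
"""Triage of FRST (Farbar Recovery Scan Tool) text logs for the indicators
seen in this thread.

Added example, not part of the thread, of FRST or of the helper's fixlist.
It reads FRST-style lines and reports: a Winlogon Userinit value that is not
the stock userinit.exe (FRST appends "[x]" when the target file is missing),
renamed services.exe.<hex> copies in System32, a hidden folder literally
named %APPDATA% under System32, scheduled-task .job files not on a small
allow-list, and a file in the "Bamital & volsnap Check" section printed
without "=> MD5 is legit". The regexes and allow-list are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # short tag for the indicator type
    detail: str     # the value or path that triggered it


# Stock Vista/7 Userinit value, optionally with its trailing comma.
_USERINIT_OK = re.compile(r"^C:\\Windows\\system32\\userinit\.exe,?$", re.IGNORECASE)
_USERINIT = re.compile(r"Winlogon: \[Userinit\] (?P<val>.+?)(?: \[x\])?$")
# services.exe followed by a dot and a long hex suffix, as in the scan above.
_SERVICES_COPY = re.compile(
    r"(?P<path>C:\\Windows\\System32\\services\.exe\.[0-9A-F]{8,})$", re.IGNORECASE)
# FRST attribute column "__SHD" = directory with the System and Hidden bits set.
_APPDATA_DIR = re.compile(r"__SHD (?P<path>C:\\Windows\\System32\\%APPDATA%)$", re.IGNORECASE)
_TASK_JOB = re.compile(r" C:\\Windows\\Tasks\\(?P<name>[^\\]+\.job)$", re.IGNORECASE)
# Assumed allow-list of task-name prefixes treated as benign (example only).
_TASK_ALLOW = ("GoogleUpdateTask",)


def triage(lines):
    """Return a list of Finding objects, in the order the lines appear."""
    findings = []
    in_bamital = False            # True while inside the Bamital/volsnap section
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("===="):
            # Section header: remember whether we just entered the MD5 check.
            in_bamital = "Bamital" in line
            continue
        if in_bamital:
            # FRST prints "<path> => MD5 is legit" for a known-good file and
            # otherwise the bare path followed by a line of file details.
            if line[:3].lower() == "c:\\" and not line.endswith("MD5 is legit"):
                findings.append(Finding("unverified_system_file", line))
            continue
        m = _USERINIT.search(line)
        if m and not _USERINIT_OK.match(m.group("val")):
            why = "target missing" if line.endswith("[x]") else "non-stock target"
            findings.append(Finding("winlogon_userinit", f"{m.group('val')} ({why})"))
            continue
        m = _SERVICES_COPY.search(line)
        if m:
            findings.append(Finding("services_exe_copy", m.group("path")))
            continue
        m = _APPDATA_DIR.search(line)
        if m:
            findings.append(Finding("system32_appdata_dir", m.group("path")))
            continue
        m = _TASK_JOB.search(line)
        if m and not m.group("name").startswith(_TASK_ALLOW):
            findings.append(Finding("task_job", m.group("name")))
    return findings


# Constructed input: a trimmed excerpt of the scan posted above.
SAMPLE_LOG = r"""
HKLM-x32\...\Winlogon: [Userinit] C:\Windows\system32\ezShellStart.exe [x]
2012-07-16 07:13 - 2012-07-16 07:13 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.796CEF081EA42F5B
2012-07-16 06:18 - 2012-07-16 06:18 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2438971FE688A504
2012-07-08 03:30 - 2012-07-08 03:32 - 00000418 ____A C:\Windows\Tasks\SpeedMaxPc Update3.job
2012-07-16 08:24 - 2010-01-31 02:35 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-06 14:19 - 2012-07-06 14:19 - 00000000 __SHD C:\Windows\System32\%APPDATA%
========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-10-20 12:05] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\System32\userinit.exe => MD5 is legit
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.category:24} {f.detail}")
```

    On the excerpt this reports six findings: the Userinit value with its missing target, the two services.exe copies, the SpeedMaxPc task (the Google updater task is allow-listed), the %APPDATA% folder, and services.exe as the one file in the MD5 check without a "legit" verdict. A match is a pointer to something to look at, not a verdict; the benign Google task shows why an allow-list is needed as soon as a rule is broader than one exact path.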
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Wow. Quick work. Good job!

    If you can reboot to Windows now, and actually log in, please run the following tool:

    Scan for malware

    Please download Malwarebytes Anti-Malware from HERE.


    • Double-click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Copy and paste the entire report in your next reply.
  16. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    Black screen again. :(
    Have powered off and left it for a minute, rebooted and gone into safe mode. Windows ... shows the loading screen, command prompts etc. as normal for safe mode start-up, then flicks to a blank screen (at the stage where you normally get the Windows starting "loading" screen)...
    Repair screen options still available on F8 ...
  17. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    I'm sure you've realised, but I couldn't do the Malware section as no login screen was presented ...
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Another FRST log please. *nerd*
  19. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    Scan result of Farbar Recovery Scan Tool Version: 16-07-2012 01
    Ran by SYSTEM at 19-07-2012 20:09:55
    Running from K:\
    Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
    HKU\Rob\...\Policies\system: [DisableLockWorkstation] 0
    HKU\Rob\...\Policies\system: [DisableChangePassword] 0
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

    ==================== Services (Whitelisted) ======

    2 BcmSqlStartupSvc; "C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [30312 2009-02-20] (Microsoft Corporation)
    2 ForceWare Intelligent Application Manager (IAM); C:\Program Files\bin32\nSvcAppFlt.exe [920064 2008-01-29] ()
    2 GenericHidService; HidService.exe [83264 2008-05-29] (Packard Bell Services)
    2 GenericHidService; HidService.exe [83264 2008-05-29] (Packard Bell Services)
    2 HsdService; "C:\Program Files (x86)\Virgin Media\Digital Home Support\HsdService.exe" [1406264 2011-03-23] (Virgin Media)
    2 lxduCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\lxduserv.exe [33960 2009-08-19] (Lexmark International, Inc.)
    2 lxdu_device; C:\Windows\system32\lxducoms.exe -service [1044136 2009-08-19] ( )
    2 lxdu_device; C:\Windows\SysWow64\lxducoms.exe -service [1040552 2008-05-23] ( )
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    3 MSSQL$MSSMLBIZ; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [29293408 2010-12-10] (Microsoft Corporation)
    4 Nero BackItUp Scheduler 3; C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe [877864 2008-02-18] (Nero AG)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    4 NMIndexingService; "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe" [529704 2008-04-28] (Nero AG)
    2 nSvcIp; C:\Program Files\bin32\nSvcIp.exe [193024 2008-01-29] ()
    2 PLFlash DeviceIoControl Service; C:\Windows\SysWOW64\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.)
    2 ServicepointService; "C:\Program Files (x86)\Virgin Media\Service Manager\ServicepointService.exe" [689464 2011-03-25] (Radialpoint Inc.)
    2 TomTomHOMEService; C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [92592 2011-04-22] (TomTom)

    ========================== Drivers (Whitelisted) =============

    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-07-16 11:08 - 2012-07-16 11:08 - 00000000 ____D C:\FRST
    2012-07-16 07:19 - 2012-07-16 07:19 - 00000036 ____A C:\Users\Rob\AppData\Local\housecall.guid.cache
    2012-07-16 07:19 - 2011-05-16 02:15 - 02433672 ____A (Trend Micro Inc.) C:\Users\Rob\Desktop\FakeAVRemover.exe
    2012-07-16 07:05 - 2012-07-16 06:42 - 03875048 ____A (AVG Technologies) C:\Users\Rob\Desktop\avg_avct_stb_all_2012_2195_ppc2.exe
    2012-07-16 06:49 - 2012-07-16 07:26 - 00000000 ____D C:\Users\All Users\MFAData
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Users\Rob\AppData\Roaming\SpeedMaxPc
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Users\Rob\AppData\Roaming\DriverCure
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Users\All Users\SpeedMaxPc
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Program Files (x86)\SpeedMaxPc
    2012-07-07 14:08 - 2012-07-07 14:08 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-07-07 14:08 - 2012-07-07 14:08 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-07-06 14:19 - 2012-07-06 14:19 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-06 14:00 - 2012-07-06 23:32 - 00000000 ____D C:\Users\Rob\AppData\Roaming\xsecva
    2012-07-06 14:00 - 2012-07-06 14:00 - 00000012 ____A C:\Windows\srun.log
    2012-06-24 10:13 - 2012-06-24 10:13 - 00538624 ____A C:\Users\Rob\Downloads\rent statement (1).xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00538624 ____A C:\Users\Rob\Downloads\rent statement.xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00445687 ____A C:\Users\Rob\Downloads\fwdfff40st_loenardsavenuehove.zip
    2012-06-24 02:10 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-24 02:10 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2012-06-24 02:10 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-24 02:10 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-24 02:10 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2012-06-24 02:10 - 2012-06-02 06:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-24 02:10 - 2012-06-02 06:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-24 02:10 - 2012-06-02 06:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-24 02:10 - 2012-06-02 06:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe

    ============ 3 Months Modified Files ========================

    2012-07-16 08:24 - 2010-10-23 02:56 - 00034709 ____A C:\Users\All Users\nvModes.dat
    2012-07-16 08:24 - 2010-10-23 02:56 - 00034709 ____A C:\Users\All Users\nvModes.001
    2012-07-16 08:24 - 2010-01-31 02:35 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-16 08:24 - 2006-11-02 07:42 - 00032602 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-07-16 08:24 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-16 08:24 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-16 08:24 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-16 07:40 - 2010-01-31 02:35 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-16 07:19 - 2012-07-16 07:19 - 00000036 ____A C:\Users\Rob\AppData\Local\housecall.guid.cache
    2012-07-16 06:42 - 2012-07-16 07:05 - 03875048 ____A (AVG Technologies) C:\Users\Rob\Desktop\avg_avct_stb_all_2012_2195_ppc2.exe
    2012-07-07 14:41 - 2009-07-09 15:35 - 01534265 ____A C:\Windows\WindowsUpdate.log
    2012-07-07 14:08 - 2011-05-15 09:11 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-07-07 14:08 - 2010-05-03 09:32 - 00778976 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-07-07 13:59 - 2011-04-15 03:14 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198968773-186493069-1406013737-1000UA.job
    2012-07-07 12:53 - 2006-11-02 04:46 - 00772686 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-06 14:16 - 2012-05-05 01:02 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-07-06 14:16 - 2011-11-20 03:53 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-07-06 14:00 - 2012-07-06 14:00 - 00000012 ____A C:\Windows\srun.log
    2012-07-03 14:59 - 2011-04-15 03:14 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198968773-186493069-1406013737-1000Core.job
    2012-07-03 13:04 - 2011-04-15 03:14 - 00002034 ____A C:\Users\Rob\Desktop\Google Chrome.lnk
    2012-06-24 10:13 - 2012-06-24 10:13 - 00538624 ____A C:\Users\Rob\Downloads\rent statement (1).xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00538624 ____A C:\Users\Rob\Downloads\rent statement.xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00445687 ____A C:\Users\Rob\Downloads\fwdfff40st_loenardsavenuehove.zip
    2012-06-24 06:17 - 2006-11-02 07:27 - 00025630 ____A C:\Windows\setupact.log
    2012-06-15 10:22 - 2006-11-02 07:21 - 00408992 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-15 09:47 - 2006-11-02 04:35 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-06-13 12:51 - 2012-06-13 12:51 - 00001696 ____A C:\Users\Public\Desktop\iTunes.lnk
    2012-06-04 05:52 - 2012-06-04 05:39 - 00022362 ____A C:\Users\Rob\Downloads\Saint Lucia stats - Tropical Sky 2012 at 31 May 2012.xlsx
    2012-06-04 05:39 - 2012-06-04 05:39 - 00022157 ____A C:\Users\Rob\Downloads\Saint Lucia stats - Tropical Sky 2012 at 30Apr2012.xlsx
    2012-06-04 04:40 - 2012-06-04 04:40 - 02586352 ____A C:\Users\Rob\Downloads\IMG_0971 (1).MOV
    2012-06-04 04:39 - 2012-06-04 04:39 - 05228241 ____A C:\Users\Rob\Downloads\IMG_0971.MOV
    2012-06-04 04:26 - 2009-11-16 00:07 - 00000069 ____A C:\Windows\NeroDigital.ini
    2012-06-04 03:42 - 2012-06-04 03:42 - 00000126 ____A C:\Users\Rob\Desktop\Download.url
    2012-06-04 03:41 - 2012-06-04 03:40 - 13583705 ____A C:\Users\Rob\Downloads\Charlotte playing and singing.wmv
    2012-06-02 14:19 - 2012-06-24 02:10 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-24 02:10 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2012-06-02 14:15 - 2012-06-24 02:10 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-24 02:10 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 14:12 - 2012-06-24 02:10 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2012-06-02 06:19 - 2012-06-24 02:10 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 06:19 - 2012-06-24 02:10 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-02 06:15 - 2012-06-24 02:10 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 06:12 - 2012-06-24 02:10 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2012-05-31 14:39 - 2012-05-31 14:39 - 00001758 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
    2012-05-31 03:25 - 2009-12-11 10:57 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-05-17 18:47 - 2012-06-15 09:54 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-05-17 18:16 - 2012-06-15 09:54 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-05-17 18:06 - 2012-06-15 09:54 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-05-17 17:59 - 2012-06-15 09:54 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-17 17:59 - 2012-06-15 09:54 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-05-17 17:58 - 2012-06-15 09:54 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-05-17 17:58 - 2012-06-15 09:54 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-05-17 17:56 - 2012-06-15 09:54 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-17 17:55 - 2012-06-15 09:54 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-05-17 17:55 - 2012-06-15 09:54 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-05-17 17:54 - 2012-06-15 09:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-05-17 17:51 - 2012-06-15 09:54 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-05-17 17:51 - 2012-06-15 09:54 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-05-17 17:47 - 2012-06-15 09:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-05-17 15:11 - 2012-06-15 09:54 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-05-17 14:48 - 2012-06-15 09:54 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-05-17 14:45 - 2012-06-15 09:54 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-05-17 14:36 - 2012-06-15 09:54 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-05-17 14:35 - 2012-06-15 09:54 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-05-17 14:35 - 2012-06-15 09:54 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-05-17 14:33 - 2012-06-15 09:54 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-05-17 14:31 - 2012-06-15 09:54 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-05-17 14:29 - 2012-06-15 09:54 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-05-17 14:29 - 2012-06-15 09:54 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-05-17 14:27 - 2012-06-15 09:54 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-05-17 14:25 - 2012-06-15 09:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-05-17 14:24 - 2012-06-15 09:54 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-05-17 14:20 - 2012-06-15 09:54 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-05-15 12:15 - 2012-06-13 11:54 - 02767360 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-05-12 22:45 - 2008-01-20 19:26 - 00377380 ____A C:\Windows\PFRO.log
    2012-05-10 14:25 - 2009-11-17 14:59 - 00007680 ____A C:\Users\Rob\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-05-01 06:29 - 2012-06-13 11:54 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-04-23 08:25 - 2012-06-13 11:54 - 01267200 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-04-23 08:25 - 2012-06-13 11:54 - 00174592 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-04-23 08:25 - 2012-06-13 11:54 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-04-23 08:00 - 2012-06-13 11:54 - 00984064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
    2012-04-23 08:00 - 2012-06-13 11:54 - 00133120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
    2012-04-23 08:00 - 2012-06-13 11:54 - 00098304 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll


    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe
    [2009-10-20 12:05] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 13%
    Total physical RAM: 4093.62 MB
    Available physical RAM: 3543.21 MB
    Total Pagefile: 3970.49 MB
    Available Pagefile: 3531.18 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ======================= Partitions =========================

    1 Drive c: (OS) (Fixed) (Total:342.02 GB) (Free:193.01 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    7 Drive I: (DATA) (Fixed) (Total:341.97 GB) (Free:341.65 GB) NTFS
    9 Drive k: () (Removable) (Total:31.23 GB) (Free:31.23 GB) FAT32
    10 Drive x: (PQSERVICE) (Fixed) (Total:14.65 GB) (Free:4.17 GB) NTFS

    Disk ###  Status      Size     Free     Dyn  Gpt
    --------  ----------  -------  -------  ---  ---
    Disk 0    Online       699 GB      0 B
    Disk 1    No Media        0 B      0 B
    Disk 2    No Media        0 B      0 B
    Disk 3    No Media        0 B      0 B
    Disk 4    No Media        0 B      0 B
    Disk 5    No Media        0 B      0 B
    Disk 6    Online        31 GB      0 B

    Partitions of Disk 0:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    OEM                 15 GB  1024 KB
    Partition 2    Primary            342 GB    15 GB
    Partition 3    Primary            342 GB   357 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

      Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
      ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 9     X   PQSERVICE    NTFS   Partition     15 GB  Healthy    Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

      Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
      ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 1     C   OS           NTFS   Partition    342 GB  Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

      Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
      ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 2     I   DATA         NTFS   Partition    342 GB  Healthy

    ==================================================================================

    Partitions of Disk 6:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary             31 GB   488 KB

    ==================================================================================

    Disk: 6
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

      Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
      ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 8     K                FAT32  Removable     31 GB  Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-07 12:57

    ======================= End Of Log ==========================
  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST64 Fixlist

    Please run the following:

    Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
  21. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 16-07-2012 01
    Ran by SYSTEM at 2012-07-20 20:06:28 Run:3
    Running from K:\

    ==============================================

    C:\Windows\System32\%APPDATA% moved successfully.
    C:\Users\Rob\AppData\Roaming\xsecva moved successfully.

    ==== End of Fixlog ====

    Now rebooting ... update shortly
  22. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    OK - same again. Restart from recovery mode = blank black screen.
    Restart into safe mode (owing to the forced shutdown from above) = as before, scrolls the commands, then black screen.
    Restart into full Windows mode - "Start Windows Normally" = same as above.
    Never gets to the login screen.

    Am guessing you'd like another FRST log? So here you go... Meanwhile I will leave it in black screen mode in case something happens! :(

    Scan result of Farbar Recovery Scan Tool Version: 16-07-2012 01
    Ran by SYSTEM at 20-07-2012 20:29:23
    Running from H:\
    Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
    HKU\Rob\...\Policies\system: [DisableLockWorkstation] 0
    HKU\Rob\...\Policies\system: [DisableChangePassword] 0
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

    ==================== Services (Whitelisted) ======

    2 BcmSqlStartupSvc; "C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [30312 2009-02-20] (Microsoft Corporation)
    2 ForceWare Intelligent Application Manager (IAM); C:\Program Files\bin32\nSvcAppFlt.exe [920064 2008-01-29] ()
    2 GenericHidService; HidService.exe [83264 2008-05-29] (Packard Bell Services)
    2 GenericHidService; HidService.exe [83264 2008-05-29] (Packard Bell Services)
    2 HsdService; "C:\Program Files (x86)\Virgin Media\Digital Home Support\HsdService.exe" [1406264 2011-03-23] (Virgin Media)
    2 lxduCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\lxduserv.exe [33960 2009-08-19] (Lexmark International, Inc.)
    2 lxdu_device; C:\Windows\system32\lxducoms.exe -service [1044136 2009-08-19] ( )
    2 lxdu_device; C:\Windows\SysWow64\lxducoms.exe -service [1040552 2008-05-23] ( )
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    3 MSSQL$MSSMLBIZ; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [29293408 2010-12-10] (Microsoft Corporation)
    4 Nero BackItUp Scheduler 3; C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe [877864 2008-02-18] (Nero AG)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    4 NMIndexingService; "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe" [529704 2008-04-28] (Nero AG)
    2 nSvcIp; C:\Program Files\bin32\nSvcIp.exe [193024 2008-01-29] ()
    2 PLFlash DeviceIoControl Service; C:\Windows\SysWOW64\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.)
    2 ServicepointService; "C:\Program Files (x86)\Virgin Media\Service Manager\ServicepointService.exe" [689464 2011-03-25] (Radialpoint Inc.)
    2 TomTomHOMEService; C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [92592 2011-04-22] (TomTom)

    ========================== Drivers (Whitelisted) =============

    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-07-16 11:08 - 2012-07-16 11:08 - 00000000 ____D C:\FRST
    2012-07-16 07:19 - 2012-07-16 07:19 - 00000036 ____A C:\Users\Rob\AppData\Local\housecall.guid.cache
    2012-07-16 07:19 - 2011-05-16 02:15 - 02433672 ____A (Trend Micro Inc.) C:\Users\Rob\Desktop\FakeAVRemover.exe
    2012-07-16 07:05 - 2012-07-16 06:42 - 03875048 ____A (AVG Technologies) C:\Users\Rob\Desktop\avg_avct_stb_all_2012_2195_ppc2.exe
    2012-07-16 06:49 - 2012-07-16 07:26 - 00000000 ____D C:\Users\All Users\MFAData
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Users\Rob\AppData\Roaming\SpeedMaxPc
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Users\Rob\AppData\Roaming\DriverCure
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Users\All Users\SpeedMaxPc
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Program Files (x86)\SpeedMaxPc
    2012-07-07 14:08 - 2012-07-07 14:08 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-07-07 14:08 - 2012-07-07 14:08 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-07-06 14:00 - 2012-07-06 14:00 - 00000012 ____A C:\Windows\srun.log
    2012-06-24 10:13 - 2012-06-24 10:13 - 00538624 ____A C:\Users\Rob\Downloads\rent statement (1).xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00538624 ____A C:\Users\Rob\Downloads\rent statement.xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00445687 ____A C:\Users\Rob\Downloads\fwdfff40st_loenardsavenuehove.zip
    2012-06-24 02:10 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-24 02:10 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2012-06-24 02:10 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-24 02:10 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-24 02:10 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2012-06-24 02:10 - 2012-06-02 06:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-24 02:10 - 2012-06-02 06:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-24 02:10 - 2012-06-02 06:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-24 02:10 - 2012-06-02 06:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe

    ============ 3 Months Modified Files ========================

    2012-07-16 08:24 - 2010-10-23 02:56 - 00034709 ____A C:\Users\All Users\nvModes.dat
    2012-07-16 08:24 - 2010-10-23 02:56 - 00034709 ____A C:\Users\All Users\nvModes.001
    2012-07-16 08:24 - 2010-01-31 02:35 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-16 08:24 - 2006-11-02 07:42 - 00032602 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-07-16 08:24 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-16 08:24 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-16 08:24 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-16 07:40 - 2010-01-31 02:35 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-16 07:19 - 2012-07-16 07:19 - 00000036 ____A C:\Users\Rob\AppData\Local\housecall.guid.cache
    2012-07-16 06:42 - 2012-07-16 07:05 - 03875048 ____A (AVG Technologies) C:\Users\Rob\Desktop\avg_avct_stb_all_2012_2195_ppc2.exe
    2012-07-07 14:41 - 2009-07-09 15:35 - 01534265 ____A C:\Windows\WindowsUpdate.log
    2012-07-07 14:08 - 2011-05-15 09:11 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-07-07 14:08 - 2010-05-03 09:32 - 00778976 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-07-07 13:59 - 2011-04-15 03:14 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198968773-186493069-1406013737-1000UA.job
    2012-07-07 12:53 - 2006-11-02 04:46 - 00772686 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-06 14:16 - 2012-05-05 01:02 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-07-06 14:16 - 2011-11-20 03:53 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-07-06 14:00 - 2012-07-06 14:00 - 00000012 ____A C:\Windows\srun.log
    2012-07-03 14:59 - 2011-04-15 03:14 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198968773-186493069-1406013737-1000Core.job
    2012-07-03 13:04 - 2011-04-15 03:14 - 00002034 ____A C:\Users\Rob\Desktop\Google Chrome.lnk
    2012-06-24 10:13 - 2012-06-24 10:13 - 00538624 ____A C:\Users\Rob\Downloads\rent statement (1).xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00538624 ____A C:\Users\Rob\Downloads\rent statement.xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00445687 ____A C:\Users\Rob\Downloads\fwdfff40st_loenardsavenuehove.zip
    2012-06-24 06:17 - 2006-11-02 07:27 - 00025630 ____A C:\Windows\setupact.log
    2012-06-15 10:22 - 2006-11-02 07:21 - 00408992 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-15 09:47 - 2006-11-02 04:35 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-06-13 12:51 - 2012-06-13 12:51 - 00001696 ____A C:\Users\Public\Desktop\iTunes.lnk
    2012-06-04 05:52 - 2012-06-04 05:39 - 00022362 ____A C:\Users\Rob\Downloads\Saint Lucia stats - Tropical Sky 2012 at 31 May 2012.xlsx
    2012-06-04 05:39 - 2012-06-04 05:39 - 00022157 ____A C:\Users\Rob\Downloads\Saint Lucia stats - Tropical Sky 2012 at 30Apr2012.xlsx
    2012-06-04 04:40 - 2012-06-04 04:40 - 02586352 ____A C:\Users\Rob\Downloads\IMG_0971 (1).MOV
    2012-06-04 04:39 - 2012-06-04 04:39 - 05228241 ____A C:\Users\Rob\Downloads\IMG_0971.MOV
    2012-06-04 04:26 - 2009-11-16 00:07 - 00000069 ____A C:\Windows\NeroDigital.ini
    2012-06-04 03:42 - 2012-06-04 03:42 - 00000126 ____A C:\Users\Rob\Desktop\Download.url
    2012-06-04 03:41 - 2012-06-04 03:40 - 13583705 ____A C:\Users\Rob\Downloads\Charlotte playing and singing.wmv
    2012-06-02 14:19 - 2012-06-24 02:10 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-24 02:10 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2012-06-02 14:15 - 2012-06-24 02:10 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-24 02:10 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 14:12 - 2012-06-24 02:10 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2012-06-02 06:19 - 2012-06-24 02:10 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 06:19 - 2012-06-24 02:10 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-02 06:15 - 2012-06-24 02:10 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 06:12 - 2012-06-24 02:10 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2012-05-31 14:39 - 2012-05-31 14:39 - 00001758 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
    2012-05-31 03:25 - 2009-12-11 10:57 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-05-17 18:47 - 2012-06-15 09:54 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-05-17 18:16 - 2012-06-15 09:54 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-05-17 18:06 - 2012-06-15 09:54 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-05-17 17:59 - 2012-06-15 09:54 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-17 17:59 - 2012-06-15 09:54 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-05-17 17:58 - 2012-06-15 09:54 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-05-17 17:58 - 2012-06-15 09:54 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-05-17 17:56 - 2012-06-15 09:54 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-17 17:55 - 2012-06-15 09:54 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-05-17 17:55 - 2012-06-15 09:54 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-05-17 17:54 - 2012-06-15 09:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-05-17 17:51 - 2012-06-15 09:54 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-05-17 17:51 - 2012-06-15 09:54 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-05-17 17:47 - 2012-06-15 09:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-05-17 15:11 - 2012-06-15 09:54 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-05-17 14:48 - 2012-06-15 09:54 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-05-17 14:45 - 2012-06-15 09:54 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-05-17 14:36 - 2012-06-15 09:54 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-05-17 14:35 - 2012-06-15 09:54 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-05-17 14:35 - 2012-06-15 09:54 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-05-17 14:33 - 2012-06-15 09:54 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-05-17 14:31 - 2012-06-15 09:54 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-05-17 14:29 - 2012-06-15 09:54 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-05-17 14:29 - 2012-06-15 09:54 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-05-17 14:27 - 2012-06-15 09:54 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-05-17 14:25 - 2012-06-15 09:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-05-17 14:24 - 2012-06-15 09:54 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-05-17 14:20 - 2012-06-15 09:54 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-05-15 12:15 - 2012-06-13 11:54 - 02767360 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-05-12 22:45 - 2008-01-20 19:26 - 00377380 ____A C:\Windows\PFRO.log
    2012-05-10 14:25 - 2009-11-17 14:59 - 00007680 ____A C:\Users\Rob\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-05-01 06:29 - 2012-06-13 11:54 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-04-23 08:25 - 2012-06-13 11:54 - 01267200 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-04-23 08:25 - 2012-06-13 11:54 - 00174592 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-04-23 08:25 - 2012-06-13 11:54 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-04-23 08:00 - 2012-06-13 11:54 - 00984064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
    2012-04-23 08:00 - 2012-06-13 11:54 - 00133120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
    2012-04-23 08:00 - 2012-06-13 11:54 - 00098304 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll


    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe
    [2009-10-20 12:05] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 13%
    Total physical RAM: 4093.62 MB
    Available physical RAM: 3543.55 MB
    Total Pagefile: 3970.49 MB
    Available Pagefile: 3529.09 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ======================= Partitions =========================

    1 Drive c: (OS) (Fixed) (Total:342.02 GB) (Free:197.01 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    6 Drive h: () (Removable) (Total:31.23 GB) (Free:31.23 GB) FAT32
    8 Drive j: (DATA) (Fixed) (Total:341.97 GB) (Free:341.65 GB) NTFS
    10 Drive x: (PQSERVICE) (Fixed) (Total:14.65 GB) (Free:4.16 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 699 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Disk 5 Online 31 GB 0 B
    Disk 6 No Media 0 B 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 15 GB 1024 KB
    Partition 2 Primary 342 GB 15 GB
    Partition 3 Primary 342 GB 357 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 9 X PQSERVICE NTFS Partition 15 GB Healthy Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C OS NTFS Partition 342 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 J DATA NTFS Partition 342 GB Healthy

    ==================================================================================

    Partitions of Disk 5:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 31 GB 488 KB

    ==================================================================================

    Disk: 5
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 7 H FAT32 Removable 31 GB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-07 12:57

    ======================= End Of Log ==========================
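    One detail in the log above is worth pulling out: in the "Bamital & volsnap Check" section every core system file reports "=> MD5 is legit" except C:\Windows\System32\services.exe, for which FRST prints the file's dates, size, company string and MD5 instead of a verdict. FRST prints a verdict only when the hash is on its whitelist, so a bare hash line is the tell that the file no longer matches a known-good build; the 64-bit Sirefef/ZeroAccess family is known to patch services.exe, which is why helpers look at that line first. The script below is an added example, not part of this thread or of FRST itself: it parses that section of a posted log (the sample input is the section copied from the log above) and returns the files FRST could not vouch for, with the metadata needed for the reply. The function and variable names are the author's own choices.

```python
import re

# Sample input: the "Bamital & volsnap Check" section copied from the FRST
# log posted earlier in this thread. FRST prints "=> MD5 is legit" when a
# system file's hash matches its whitelist; for any other file it prints the
# path on one line and the file's dates, size, attributes, company and MD5
# on the next, leaving the verdict to the reader.
SAMPLE_SECTION = r"""
========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-10-20 12:05] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""

# A whitelisted file: "<path> => MD5 is legit"
LEGIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s*=>\s*MD5 is legit$")
# A file FRST could not vouch for: the path alone on its line
PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*)$")
# The detail line that follows: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\]\s*-\s*\[(?P<modified>[^\]]+)\]\s*-\s*"
    r"(?P<size>\d+)\s+(?P<attrs>\S+)\s+"
    r"(?:\((?P<company>[^)]*)\)\s+)?(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_bamital_check(text):
    """Split the section into (legit_paths, flagged_entries).

    flagged_entries is a list of dicts for files whose MD5 FRST did not
    recognise; each carries whatever metadata the following line provided.
    """
    legit, flagged = [], []
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        ln = lines[i]
        m = LEGIT_RE.match(ln)
        if m:
            legit.append(m.group("path"))
        else:
            m = PATH_RE.match(ln)
            if m:
                entry = {"path": m.group("path"), "created": None,
                         "modified": None, "size": None,
                         "company": None, "md5": None}
                if i + 1 < len(lines):
                    d = DETAIL_RE.match(lines[i + 1])
                    if d:
                        entry.update(
                            created=d.group("created"),
                            modified=d.group("modified"),
                            size=int(d.group("size")),
                            company=d.group("company"),
                            md5=d.group("md5").upper(),
                        )
                        i += 1  # the detail line has been consumed
                flagged.append(entry)
        i += 1
    return legit, flagged


def triage(text):
    """Return one human-readable line per flagged file, ready for a reply."""
    _, flagged = parse_bamital_check(text)
    out = []
    for e in flagged:
        md5 = e["md5"] or "unknown"
        out.append(
            f"{e['path']}: MD5 {md5} not on FRST whitelist "
            f"(size {e['size']}, company {e['company']!r}, "
            f"created {e['created']}, modified {e['modified']})"
        )
    return out


if __name__ == "__main__":
    for line in triage(SAMPLE_SECTION):
        print(line)
```

    Run against the section above it reports exactly one file, services.exe with its MD5 and a Microsoft company string; a company string on its own proves nothing, since a patched binary keeps its version resource, which is why the hash comparison is the check that matters.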
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    We are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again.

    Download the OTLPE Network REATOGO Windows Recovery Environment.
    • Place a blank CD-R disc in to your CD burning drive.
    • Download OTLPENet.exe and double-click on it to burn to a CD using ISO Burner.
    • Reboot your system using the boot CD you just created.

      Note: If you do not know how to set your computer to boot from CD, follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Double-click on the OTLPE icon.
    • When asked "Do you wish to load the remote registry", select Yes
    • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start. Change the following settings:
      • Change Drivers to Non-Microsoft
      • Press Run Scan to start the scan.
      • When finished, the file will be saved in drive C:\_OTL\MovedFiles
      • Copy this file to your USB drive if you do not have internet connection on this system
      • Please post the contents of the OTL.txt file in your reply.
  24. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    Hi - please can you advise if this is going to wipe my hard drive? What is the download going to do? Looks like it will take several hours to download the file on my laptop!
  25. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    I can't get the file to copy on to a CDR (using work laptop, possibly not set up - it just said 0% extracting when I went to run it?) so I have copied it on to USB.
    I changed the boot option to Removable instead of CDROM (my PC only had an option for DVD anyway) and now I have a message saying:
    "AMD Data Change...Update new data to DMI!"
    What do I do now?