TechSpot

Computer starts then shuts down and wants to start again.

By electricjay
Jun 19, 2013
  1. Computer looks like it has some virus or something. I turn it on and log in; the icons and background come up for a second, then the screen flashes and the icons disappear, then the screen flashes again and goes blank. I logged on in safe mode, and the background starts to load, then a dialog box pops up and says "logging off". The computer shuts down and then will restart and get as far as the log-in screen.
     
  2. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =====================================

    What Windows version is it?
     
  3. electricjay

    electricjay TS Rookie Topic Starter

    Windows Vista
     
  4. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flash drive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for the x64 bit version type e:\frst64) and press Enter.
      Note: Replace the letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     
  5. electricjay

    electricjay TS Rookie Topic Starter

    Here is a copy of the scan



    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-06-2013
    Ran by SYSTEM on 19-06-2013 22:05:14
    Running from L:\
    Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
    Internet Explorer Version 8
    Boot Mode: Recovery
    The current controlset is ControlSet001
    ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
    ==================== Registry (Whitelisted) ==================
    HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1584184 2008-01-20] (Microsoft Corporation)
    HKLM\...\Run: [HP Remote Software] C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe [172032 2009-02-06] ()
    HKLM\...\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe [333344 2008-08-18] (NVIDIA Corporation)
    HKLM\...\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [915512 2009-03-05] (Hewlett-Packard)
    HKLM\...\Run: [dleemon.exe] "C:\Program Files (x86)\Dell V715w\dleemon.exe" [770728 2011-01-23] ()
    HKLM\...\Run: [EzPrint] "C:\Program Files (x86)\Dell V715w\ezprint.exe" [139944 2011-01-23] ()
    HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [16335976 2009-10-30] (NVIDIA Corporation)
    HKLM\...\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming [2419512 2012-11-04] (Logitech, Inc.)
    HKLM-x32\...\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
    HKLM-x32\...\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75016 2008-12-04] (Hewlett-Packard)
    HKLM-x32\...\Run: [UpdateP2GoShortCut] "c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [218408 2008-12-03] (CyberLink Corp.)
    HKLM-x32\...\Run: [UpdateLBPShortCut] "c:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" [218408 2008-12-03] (CyberLink Corp.)
    HKLM-x32\...\Run: [UpdatePDIRShortCut] "c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0" [218408 2008-12-03] (CyberLink Corp.)
    HKLM-x32\...\Run: [UpdatePSTShortCut] "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" [210216 2009-02-02] (CyberLink Corp.)
    HKLM-x32\...\Run: [TSMAgent] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [1328424 2009-04-09] (CyberLink Corp.)
    HKLM-x32\...\Run: [CLMLServer for HP TouchSmart] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [185640 2009-04-09] (CyberLink)
    HKLM-x32\...\Run: [DVDAgent] "c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [1148200 2009-03-19] (CyberLink Corp.)
    HKLM-x32\...\Run: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
    HKLM-x32\...\Run: [Microsoft Default Manager] "c:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [224616 2009-02-06] (Microsoft Corp.)
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [34672 2008-06-12] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Device Detector] DevDetect.exe -autorun [x]
    HKLM-x32\...\Run: [Dell V715w] "C:\Program Files (x86)\Dell V715w\fm3032.exe" /s [316072 2009-07-09] ()
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [253672 2011-01-07] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [] [x]
    HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [887976 2011-08-23] (Ask)
    HKLM-x32\...\Run: [TaskTray] [x]
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
    HKU\Default\...\Run: [HPADVISOR] c:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1644088 2009-04-03] (Hewlett-Packard)
    HKU\Default User\...\Run: [HPADVISOR] c:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1644088 2009-04-03] (Hewlett-Packard)
    HKU\my comp\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY [1644088 2009-04-03] (Hewlett-Packard)
    HKU\my comp\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
    HKU\my comp\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-02-03] (Google Inc.)
    HKU\my comp\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5486464 2012-01-03] (SUPERAntiSpyware.com)
    HKU\my comp\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [6595928 2012-05-25] (Yahoo! Inc.)
    HKU\MY COMP 2\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY [1644088 2009-04-03] (Hewlett-Packard)
    HKU\MY COMP 2\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-02-03] (Google Inc.)
    HKU\MY COMP 2\...\Run: [ConnectionCenter] "C:\Users\MY COMP 2\AppData\Local\Citrix\ICA Client\concentr.exe" /startup [304568 2010-10-12] (Citrix Systems, Inc.)
    HKU\MY COMP 2\...\Winlogon: [Shell] explorer.exe,C:\Users\MY COMP 2\AppData\Roaming\skype.dat [71168 2010-10-15] () <==== ATTENTION
    Startup: C:\ProgramData\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
    ShortcutTarget: Adobe Gamma Loader.exe.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
    Startup: C:\ProgramData\Start Menu\Programs\Startup\PictureMover.lnk
    ShortcutTarget: PictureMover.lnk -> C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe (Hewlett-Packard Company)
    Startup: C:\Users\my comp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
    ShortcutTarget: Logitech . Product Registration.lnk -> C:\Program Files (x86)\Common Files\LogiShrd\eReg\SetPoint\eReg.exe (Leader Technologies/Logitech)
    SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\System32\webcheck.dll (Microsoft Corporation)
    ==================== Services (Whitelisted) =================
    S2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [140672 2011-11-21] (SUPERAntiSpyware.com)
    S2 dlee_device; C:\Windows\system32\dleecoms.exe [1052328 2010-05-21] ( )
    S2 FreemakeUtilsService; C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe [74240 2011-08-04] (Freemake)
    S2 LPDSVC; C:\Windows\system32\lpdsvc.dll [41984 2008-01-20] (Microsoft Corporation)
    S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
    S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
    S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\19.9.1.14\ccSvcHst.exe [138272 2012-06-15] (Symantec Corporation)
    S2 Norton Internet Security; "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 [x]
    S2 Updater Service for StartNow Toolbar; C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [x]
    ==================== Drivers (Whitelisted) ====================
    S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\BASHDefs\20121130.005\BHDrvx64.sys [1384608 2012-10-23] (Symantec Corporation)
    S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\BASHDefs\20121130.005\BHDrvx64.sys [1384608 2012-10-23] (Symantec Corporation)
    S1 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1309010.00E\ccSetx64.sys [167072 2012-06-06] (Symantec Corporation)
    S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-08] (Symantec Corporation)
    S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-08] (Symantec Corporation)
    S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\IPSDefs\20130103.002\IDSvia64.sys [513184 2012-09-06] (Symantec Corporation)
    S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\IPSDefs\20130103.002\IDSvia64.sys [513184 2012-09-06] (Symantec Corporation)
    S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
    S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
    S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\VirusDefs\20130103.019\ENG64.SYS [126112 2013-01-03] (Symantec Corporation)
    S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\VirusDefs\20130103.019\ENG64.SYS [126112 2013-01-03] (Symantec Corporation)
    S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\VirusDefs\20130103.019\EX64.SYS [2084000 2013-01-03] (Symantec Corporation)
    S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\VirusDefs\20130103.019\EX64.SYS [2084000 2013-01-03] (Symantec Corporation)
    S0 nvrd64; C:\Windows\System32\drivers\nvrd64.sys [167456 2008-11-12] (NVIDIA Corporation)
    S3 OXSDIDRV_x64; C:\Windows\System32\DRIVERS\OXSDIDRV_x64.sys [51760 2009-09-28] ()
    S3 OXUDIDRV; C:\Windows\system32\Drivers\OXUDIDRV_X64.sys [31280 2010-05-25] ()
    S3 pfc; C:\Windows\SysWow64\drivers\pfc.sys [10368 2010-08-01] (Padus, Inc.)
    S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    S3 SRTSP; C:\Windows\System32\Drivers\NISx64\1309010.00E\SRTSP64.SYS [737952 2012-07-05] (Symantec Corporation)
    S1 SRTSPX; C:\Windows\system32\drivers\NISx64\1309010.00E\SRTSPX64.SYS [37536 2012-07-05] (Symantec Corporation)
    S0 SymDS; C:\Windows\System32\drivers\NISx64\1309010.00E\SYMDS64.SYS [451192 2011-07-25] (Symantec Corporation)
    S0 SymEFA; C:\Windows\System32\drivers\NISx64\1309010.00E\SYMEFA64.SYS [1129120 2012-05-21] (Symantec Corporation)
    S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [175736 2012-03-23] (Symantec Corporation)
    S1 SymIRON; C:\Windows\system32\drivers\NISx64\1309010.00E\Ironx64.SYS [190072 2012-04-17] (Symantec Corporation)
    S1 SYMTDIv; C:\Windows\System32\Drivers\NISx64\1309010.00E\SYMTDIV.SYS [445560 2012-04-17] (Symantec Corporation)
    S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
    S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
    S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
    S3 pfc; system32\drivers\pfc.sys [x]
    ==================== NetSvcs (Whitelisted) ===================

    ==================== One Month Created Files and Folders ========
    2013-06-19 22:04 - 2013-06-19 22:04 - 00000000 ____D C:\FRST
    2013-06-19 16:03 - 2013-06-19 16:03 - 00712264 ____A C:\Windows\isRS-000.tmp
    2013-06-19 16:03 - 2013-06-19 16:03 - 00000950 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-06-19 16:03 - 2013-06-19 16:03 - 00000950 ____A C:\ProgramData\Desktop\Malwarebytes Anti-Malware.lnk
    2013-06-19 15:54 - 2013-06-19 15:54 - 00000000 ____D C:\ProgramData\Kaspersky Lab
    2013-06-19 15:54 - 2013-06-19 15:54 - 00000000 ____D C:\ProgramData\Application Data\Kaspersky Lab
    2013-06-19 15:52 - 2013-06-19 15:52 - 00077688 ____A C:\Windows\SysWOW64\GDIPFONTCACHEV1.DAT
    2013-06-19 15:52 - 2013-06-19 15:52 - 00000000 ____D C:\ProgramData\Kaspersky Lab Setup Files
    2013-06-19 15:52 - 2013-06-19 15:52 - 00000000 ____D C:\ProgramData\Application Data\Kaspersky Lab Setup Files
    2013-06-18 20:39 - 2013-06-18 20:39 - 00000000 ____D C:\Users\my comp\Application Data\Logitech
    2013-06-18 20:39 - 2013-06-18 20:39 - 00000000 ____D C:\Users\my comp\AppData\Roaming\Logitech
    2013-06-18 13:25 - 2013-06-19 15:33 - 00000004 ____A C:\Users\MY COMP 2\Application Data\skype.ini
    2013-06-18 13:25 - 2013-06-19 15:33 - 00000004 ____A C:\Users\MY COMP 2\AppData\Roaming\skype.ini
    2013-06-13 09:02 - 2013-06-17 16:18 - 01990656 ____A C:\Users\MY COMP 2\My Documents\Backup files 6-13-13.QDF
    2013-06-13 09:02 - 2013-06-17 16:18 - 01990656 ____A C:\Users\MY COMP 2\Documents\Backup files 6-13-13.QDF
    2013-06-12 09:59 - 2013-06-13 09:02 - 01985824 ____A C:\Users\MY COMP 2\My Documents\Backup files 6-11-13.QDF
    2013-06-12 09:59 - 2013-06-13 09:02 - 01985824 ____A C:\Users\MY COMP 2\Documents\Backup files 6-11-13.QDF
    2013-06-03 08:30 - 2013-06-03 10:07 - 00012007 ____A C:\Users\MY COMP 2\My Documents\4183 Sparrow Rock.xlsx
    2013-06-03 08:30 - 2013-06-03 10:07 - 00012007 ____A C:\Users\MY COMP 2\Documents\4183 Sparrow Rock.xlsx
    2013-06-03 08:29 - 2013-06-03 08:30 - 00011995 ____A C:\Users\MY COMP 2\My Documents\7948 Crimson Point.xlsx
    2013-06-03 08:29 - 2013-06-03 08:30 - 00011995 ____A C:\Users\MY COMP 2\Documents\7948 Crimson Point.xlsx
    2013-05-22 09:30 - 2013-06-12 16:48 - 01970176 ____A C:\Users\MY COMP 2\My Documents\Backup files 5-22-13.QDF
    2013-05-22 09:30 - 2013-06-12 16:48 - 01970176 ____A C:\Users\MY COMP 2\Documents\Backup files 5-22-13.QDF
    ==================== One Month Modified Files and Folders =======
    2013-06-19 22:04 - 2013-06-19 22:04 - 00000000 ____D C:\FRST
    2013-06-19 20:57 - 2012-06-03 07:35 - 00048573 ____A C:\ProgramData\nvModes.dat
    2013-06-19 20:57 - 2012-06-03 07:35 - 00048573 ____A C:\ProgramData\Application Data\nvModes.dat
    2013-06-19 20:57 - 2011-05-31 10:18 - 00000438 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{78EFE869-EF14-4B3C-9465-0D55E9ACF415}.job
    2013-06-19 20:57 - 2009-08-19 03:12 - 01976556 ____A C:\Windows\WindowsUpdate.log
    2013-06-19 20:57 - 2006-11-02 07:42 - 00032554 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2013-06-19 20:57 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-06-19 20:57 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2013-06-19 20:57 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2013-06-19 18:38 - 2011-02-03 23:59 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-06-19 18:38 - 2011-02-03 23:59 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-06-19 18:15 - 2012-05-25 09:27 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-06-19 18:03 - 2012-01-04 21:40 - 00000000 ____D C:\Users\my comp\Local Settings\CrashDumps
    2013-06-19 18:03 - 2012-01-04 21:40 - 00000000 ____D C:\Users\my comp\Local Settings\Application Data\CrashDumps
    2013-06-19 18:03 - 2012-01-04 21:40 - 00000000 ____D C:\Users\my comp\AppData\Local\CrashDumps
    2013-06-19 18:03 - 2010-12-21 19:04 - 00224169 ____A C:\ProgramData\dleescan.log
    2013-06-19 18:03 - 2010-12-21 19:04 - 00224169 ____A C:\ProgramData\Application Data\dleescan.log
    2013-06-19 18:02 - 2012-06-03 07:36 - 00048635 ____A C:\ProgramData\nvModes.001
    2013-06-19 18:02 - 2012-06-03 07:36 - 00048635 ____A C:\ProgramData\Application Data\nvModes.001
    2013-06-19 16:12 - 2011-11-21 17:09 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-06-19 16:03 - 2013-06-19 16:03 - 00712264 ____A C:\Windows\isRS-000.tmp
    2013-06-19 16:03 - 2013-06-19 16:03 - 00000950 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-06-19 16:03 - 2013-06-19 16:03 - 00000950 ____A C:\ProgramData\Desktop\Malwarebytes Anti-Malware.lnk
    2013-06-19 15:54 - 2013-06-19 15:54 - 00000000 ____D C:\ProgramData\Kaspersky Lab
    2013-06-19 15:54 - 2013-06-19 15:54 - 00000000 ____D C:\ProgramData\Application Data\Kaspersky Lab
    2013-06-19 15:52 - 2013-06-19 15:52 - 00077688 ____A C:\Windows\SysWOW64\GDIPFONTCACHEV1.DAT
    2013-06-19 15:52 - 2013-06-19 15:52 - 00000000 ____D C:\ProgramData\Kaspersky Lab Setup Files
    2013-06-19 15:52 - 2013-06-19 15:52 - 00000000 ____D C:\ProgramData\Application Data\Kaspersky Lab Setup Files
    2013-06-19 15:33 - 2013-06-18 13:25 - 00000004 ____A C:\Users\MY COMP 2\Application Data\skype.ini
    2013-06-19 15:33 - 2013-06-18 13:25 - 00000004 ____A C:\Users\MY COMP 2\AppData\Roaming\skype.ini
    2013-06-19 15:33 - 2013-05-14 14:47 - 00000680 ____A C:\Users\MY COMP 2\Local Settings\d3d9caps.dat
    2013-06-19 15:33 - 2013-05-14 14:47 - 00000680 ____A C:\Users\MY COMP 2\Local Settings\Application Data\d3d9caps.dat
    2013-06-19 15:33 - 2013-05-14 14:47 - 00000680 ____A C:\Users\MY COMP 2\AppData\Local\d3d9caps.dat
    2013-06-18 20:39 - 2013-06-18 20:39 - 00000000 ____D C:\Users\my comp\Application Data\Logitech
    2013-06-18 20:39 - 2013-06-18 20:39 - 00000000 ____D C:\Users\my comp\AppData\Roaming\Logitech
    2013-06-18 10:39 - 2012-01-14 08:13 - 00000000 ____D C:\Users\MY COMP 2\Local Settings\CrashDumps
    2013-06-18 10:39 - 2012-01-14 08:13 - 00000000 ____D C:\Users\MY COMP 2\Local Settings\Application Data\CrashDumps
    2013-06-18 10:39 - 2012-01-14 08:13 - 00000000 ____D C:\Users\MY COMP 2\AppData\Local\CrashDumps
    2013-06-17 20:23 - 2011-11-22 09:01 - 00098816 ____A C:\Users\MY COMP 2\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2013-06-17 20:23 - 2011-11-22 09:01 - 00098816 ____A C:\Users\MY COMP 2\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2013-06-17 20:23 - 2011-11-22 09:01 - 00098816 ____A C:\Users\MY COMP 2\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2013-06-17 16:18 - 2013-06-13 09:02 - 01990656 ____A C:\Users\MY COMP 2\My Documents\Backup files 6-13-13.QDF
    2013-06-17 16:18 - 2013-06-13 09:02 - 01990656 ____A C:\Users\MY COMP 2\Documents\Backup files 6-13-13.QDF
    2013-06-14 08:05 - 2011-01-30 16:37 - 01257650 ____A C:\ProgramData\dleeJSW.log
    2013-06-14 08:05 - 2011-01-30 16:37 - 01257650 ____A C:\ProgramData\Application Data\dleeJSW.log
    2013-06-13 09:02 - 2013-06-12 09:59 - 01985824 ____A C:\Users\MY COMP 2\My Documents\Backup files 6-11-13.QDF
    2013-06-13 09:02 - 2013-06-12 09:59 - 01985824 ____A C:\Users\MY COMP 2\Documents\Backup files 6-11-13.QDF
    2013-06-12 16:50 - 2011-12-15 10:57 - 00000000 ____D C:\Users\MY COMP 2\My Documents\BACKUP
    2013-06-12 16:50 - 2011-12-15 10:57 - 00000000 ____D C:\Users\MY COMP 2\Documents\BACKUP
    2013-06-12 16:48 - 2013-05-22 09:30 - 01970176 ____A C:\Users\MY COMP 2\My Documents\Backup files 5-22-13.QDF
    2013-06-12 16:48 - 2013-05-22 09:30 - 01970176 ____A C:\Users\MY COMP 2\Documents\Backup files 5-22-13.QDF
    2013-06-12 09:15 - 2012-05-25 09:27 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2013-06-12 09:15 - 2011-12-14 08:55 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2013-06-07 17:40 - 2013-04-30 11:34 - 00002027 ____A C:\Users\Public\Desktop\Google Chrome.lnk
    2013-06-07 17:40 - 2013-04-30 11:34 - 00002027 ____A C:\ProgramData\Desktop\Google Chrome.lnk
    2013-06-03 10:07 - 2013-06-03 08:30 - 00012007 ____A C:\Users\MY COMP 2\My Documents\4183 Sparrow Rock.xlsx
    2013-06-03 10:07 - 2013-06-03 08:30 - 00012007 ____A C:\Users\MY COMP 2\Documents\4183 Sparrow Rock.xlsx
    2013-06-03 08:30 - 2013-06-03 08:29 - 00011995 ____A C:\Users\MY COMP 2\My Documents\7948 Crimson Point.xlsx
    2013-06-03 08:30 - 2013-06-03 08:29 - 00011995 ____A C:\Users\MY COMP 2\Documents\7948 Crimson Point.xlsx
    2013-05-31 11:13 - 2009-11-06 15:57 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
    2013-05-22 09:30 - 2013-04-24 20:12 - 01952928 ____A C:\Users\MY COMP 2\My Documents\Backup files 4-24-13.QDF
    2013-05-22 09:30 - 2013-04-24 20:12 - 01952928 ____A C:\Users\MY COMP 2\Documents\Backup files 4-24-13.QDF
    Files to move or delete:
    ====================
    C:\Users\MY COMP 2\AppData\Roaming\skype.dat
    C:\Users\MY COMP 2\AppData\Roaming\skype.ini
    C:\ProgramData\nvModes.dat
    ==================== Known DLLs (Whitelisted) ================

    ==================== Bamital & volsnap Check =================
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ==================== Restore Points =========================
    Restore point made on: 2013-05-19 19:35:03
    Restore point made on: 2013-05-21 21:15:35
    Restore point made on: 2013-05-23 14:19:21
    Restore point made on: 2013-05-24 14:14:48
    Restore point made on: 2013-05-26 16:24:20
    Restore point made on: 2013-05-27 15:45:20
    Restore point made on: 2013-05-28 14:41:22
    Restore point made on: 2013-05-29 15:26:37
    Restore point made on: 2013-05-30 17:44:28
    Restore point made on: 2013-05-31 12:39:25
    Restore point made on: 2013-06-01 14:37:16
    Restore point made on: 2013-06-02 16:03:40
    Restore point made on: 2013-06-03 10:41:01
    Restore point made on: 2013-06-04 00:50:54
    Restore point made on: 2013-06-05 19:01:08
    Restore point made on: 2013-06-08 19:13:20
    Restore point made on: 2013-06-09 14:08:05
    Restore point made on: 2013-06-10 17:38:47
    Restore point made on: 2013-06-11 16:16:33
    Restore point made on: 2013-06-12 12:34:21
    Restore point made on: 2013-06-13 19:28:18
    Restore point made on: 2013-06-14 09:53:37
    Restore point made on: 2013-06-15 15:04:58
    Restore point made on: 2013-06-17 12:59:51
    Restore point made on: 2013-06-18 10:14:54
    ==================== Memory info ===========================
    Percentage of memory in use: 11%
    Total physical RAM: 7934.31 MB
    Available physical RAM: 7056.07 MB
    Total Pagefile: 7462.12 MB
    Available Pagefile: 7032.95 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.89 MB
    ==================== Drives ================================
    Drive c: (HP) (Fixed) (Total:582.31 GB) (Free:31.33 GB) NTFS (Disk=0 Partition=1) ==>[Drive with boot components (obtained from BCD)]
    Drive d: (FACTORY_IMAGE) (Fixed) (Total:13.86 GB) (Free:1.95 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
    Drive f: () (Fixed) (Total:465.65 GB) (Free:58.35 GB) FAT32 (Disk=1 Partition=1)
    Drive l: (STORE'N'GO) (Removable) (Total:7.53 GB) (Free:6.38 GB) FAT32 (Disk=7 Partition=1)
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    ==================== MBR & Partition Table ==================
    ========================================================
    Disk: 0 (Size: 596 GB) (Disk ID: 1549F232)
    Partition 1: (Active) - (Size=582 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=14 GB) - (Type=07 NTFS)
    ========================================================
    Disk: 1 (MBR Code: Windows XP) (Size: 466 GB) (Disk ID: A706DA6B)
    Partition 1: (Active) - (Size=466 GB) - (Type=0B)
    ========================================================
    Disk: 7 (Size: 8 GB) (Disk ID: 2C6B7369)
    Partition 1: (Not Active) - (Size=883 GB) - (Type=68)
    Partition 2: (Not Active) - (Size=257 GB) - (Type=79)
    Partition 3: (Not Active) - (Size=667 GB) - (Type=53)
    Partition 4: (Not Active) - (Size=10 MB) - (Type=49)

    LastRegBack: 2013-06-19 18:19
    ==================== End Of Log ============================
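    The entries Broni acts on in the next reply (the Winlogon Shell value that chains skype.dat after explorer.exe, the Run values and service whose target files no longer exist) can be picked out of an FRST.txt mechanically. The following Python is an added example, not code from this thread or from Farbar's tool: it parses the autostart and service line formats seen in the log above and applies three defender-side checks (Shell value not plain explorer.exe, `[x]` missing-target markers, no publisher on the target). The sample lines are constructed for the example and modelled on the posted log; the "other user" Shell line is made up to show a clean entry.

```python
import re
from dataclasses import dataclass

# Constructed sample in FRST.txt format (a few lines modelled on the log posted
# in this thread; the "other user" Shell line is invented as a clean control).
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1584184 2008-01-20] (Microsoft Corporation)
HKLM-x32\...\Run: [Device Detector] DevDetect.exe -autorun [x]
HKLM-x32\...\Run: [] [x]
HKU\MY COMP 2\...\Run: [ConnectionCenter] "C:\Users\MY COMP 2\AppData\Local\Citrix\ICA Client\concentr.exe" /startup [304568 2010-10-12] (Citrix Systems, Inc.)
HKU\MY COMP 2\...\Winlogon: [Shell] explorer.exe,C:\Users\MY COMP 2\AppData\Roaming\skype.dat [71168 2010-10-15] () <==== ATTENTION
HKU\other user\...\Winlogon: [Shell] explorer.exe [2926592 2009-04-11] (Microsoft Corporation)
==================== Services (Whitelisted) =================
S2 FreemakeUtilsService; C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe [74240 2011-08-04] (Freemake)
S2 Updater Service for StartNow Toolbar; C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [x]
"""

# "HKU\MY COMP 2\...\Winlogon: [Shell] <rest>"  /  "HKLM-x32\...\Run: [Name] <rest>"
AUTOSTART_RE = re.compile(
    r"^(?P<hive>HK.*?)\\\.\.\.\\(?P<key>Run|RunOnce|Winlogon): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
# "S2 ServiceName; <rest>"  (start type, name, then the binary details)
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+); (?P<rest>.*)$")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    entry: str      # which autostart / service the finding is about
    reason: str


def split_target(rest):
    """Split the text after an entry name into (command, publisher, missing).

    FRST writes "[x]" when the target file does not exist; otherwise it writes
    "[size date] (publisher)" and, for suspicious entries, "<==== ATTENTION".
    """
    rest = rest.strip()
    if rest.endswith("[x]"):
        return rest[:-3].strip(), None, True
    command = rest.split(" [", 1)[0].strip()
    m = re.search(r"\(([^)]*)\)\s*(?:<====.*)?$", rest)
    publisher = m.group(1).strip() if m else None
    return command, publisher, False


def analyze_frst(text):
    """Run the heuristics over an FRST.txt body and return Finding objects."""
    findings = []
    for line in text.splitlines():
        m = AUTOSTART_RE.match(line)
        if m:
            hive, key, name, rest = m.group("hive", "key", "name", "rest")
            command, publisher, missing = split_target(rest)
            label = f"{hive}\\...\\{key}: [{name}]"
            if key == "Winlogon" and name == "Shell":
                # The Shell value should be exactly explorer.exe; anything appended
                # after a comma is launched at every logon alongside the desktop.
                parts = [p.strip() for p in command.split(",") if p.strip()]
                extra = [p for p in parts if p.lower() != "explorer.exe"]
                if extra:
                    findings.append(Finding("high", label,
                        "Winlogon Shell launches more than explorer.exe: " + "; ".join(extra)))
            elif missing:
                findings.append(Finding("medium", label,
                    "autostart points at a file that no longer exists (orphaned entry, cleanup candidate)"))
            elif publisher == "" and command:
                findings.append(Finding("info", label,
                    "target carries no publisher information; verify it by hand"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, rest = m.group("name", "rest")
            command, publisher, missing = split_target(rest)
            label = f"service {name}"
            if missing:
                findings.append(Finding("medium", label,
                    "service binary is missing (orphaned service, cleanup candidate)"))
            elif publisher == "":
                findings.append(Finding("info", label,
                    "service binary carries no publisher information; verify it by hand"))
    return findings


if __name__ == "__main__":
    for f in analyze_frst(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.entry}: {f.reason}")
```

    Run against the constructed sample it reports the two orphaned Run values, the orphaned StartNow service and, at high severity, the Shell value with skype.dat appended; the clean Shell line and the signed entries produce nothing. The "info" level is deliberately weak: several legitimate entries in the posted log (the Dell printer tools, for instance) also show an empty publisher, so that check only queues items for manual review rather than calling them malicious.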
     
  6. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
    See if you can boot normally.

    If so....

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.
     


  7. electricjay

    electricjay TS Rookie Topic Starter

    I apologize, but I am not sure how to run the FRST/FRST64. Can you tell me how to get there?
     
  8. electricjay

    electricjay TS Rookie Topic Starter

    I figured it out. Here is the report.



    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 19-06-2013
    Ran by SYSTEM at 2013-06-20 17:12:54 Run:1
    Running from G:\
    Boot Mode: Recovery
    ==============================================
    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ApnUpdater => Value deleted successfully.
    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\TaskTray => Value deleted successfully.
    HKU\MY COMP 2\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
    C:\Users\MY COMP 2\AppData\Roaming\skype.dat => Moved successfully.
    C:\Users\my comp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk => Moved successfully.
    C:\Program Files (x86)\Common Files\LogiShrd\eReg\SetPoint\eReg.exe => Moved successfully.
    Updater Service for StartNow Toolbar => Service deleted successfully.
    C:\Program Files (x86)\StartNow Toolbar => File/Directory not found.
    C:\Users\MY COMP 2\Application Data\skype.ini => Moved successfully.
    C:\Users\MY COMP 2\AppData\Roaming\skype.ini => File/Directory not found.
    C:\ProgramData\nvModes.dat => Moved successfully.
    ==== End of Fixlog ====
     
  9. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Good job :)

     
  10. electricjay

    electricjay TS Rookie Topic Starter

    Thank you so much. I am starting on the steps listed now.
     
  11. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Excellent :)
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Still with me?
     
  13. electricjay

    electricjay TS Rookie Topic Starter

    Is there still more to do? What do I need to do?
     
  14. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Did you read my reply #9?
     
  15. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    This topic is marked as abandoned and closed due to inactivity.
    This member will NOT be eligible to receive any more help in the malware removal forum.
     
Topic Status:
Not open for further replies.