TechSpot

Last ditch effort before rebuild

By kwspony
Aug 2, 2013
  1. So I have this Sony Vaio from a friend. He said he got the Dirty Decrypter virus and tried to remove it herself. I have run a bunch of scans on it and removed a few things. What I am left with now is a black screen with just the mouse pointer, which can be moved around, but nothing else works, or at least I cannot see it. No version of safe mode works either. I can boot into it with a boot disc though. Anyone have any tricks up their sleeves before I rebuild it?
     
  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==============================

    What Windows version is it?
     
  3. kwspony

    kwspony TS Booster Topic Starter Posts: 121

    Windows 7 64 bit Home Premium
     
  4. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for the x64 bit version type e:\frst64) and press Enter.
      Note: Replace the letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     
  5. kwspony

    kwspony TS Booster Topic Starter Posts: 121

    FRST scan results:
    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-08-2013
    Ran by SYSTEM on 02-08-2013 13:02:38
    Running from G:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    Internet Explorer Version 8
    Boot Mode: Recovery
    The current controlset is ControlSet001
    ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
    ==================== Registry (Whitelisted) ==================
    HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
    HKLM\...\Run: [EKIJ5000StatusMonitor] - C:\Windows\system32\spool\DRIVERS\x64\3\EKIJ5000MUI.exe [2023936 2009-08-03] (Eastman Kodak Company)
    HKLM\...\InprocServer32: [Default-wbemess] ATTENTION! ====> ZeroAccess?
    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess?
    HKLM-x32\...\Run: [] - [x]
    HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-03-24] (Hewlett-Packard)
    HKLM-x32\...\Run: [Microsoft Default Manager] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [439568 2010-05-10] (Microsoft Corporation)
    HKU\Shelly\...\Run: [AdobeBridge] - [x]
    HKU\Shelly\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-05-08] (Google Inc.)
    HKU\Shelly\...\Run: [GoogleDriveSync] - C:\Program Files (x86)\Google\Drive\googledrivesync.exe [19676256 2013-06-06] (Google)
    HKU\Shelly\...\Run: [UpdaeteServer] - C:\Users\Shelly\AppData\Roaming\Media Center Programs\WINF4D0.exe [119296 2013-05-15] ()
    HKU\Shelly\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_7_700_224_Plugin.exe [814472 2013-06-11] (Adobe Systems Incorporated)
    IMEO\OLT.exe: [Debugger] svchost.exe
    Startup: C:\Users\Shelly\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RCA Detective.lnk
    ShortcutTarget: RCA Detective.lnk -> (No File)
    ==================== Services (Whitelisted) =================
    S3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
    S2 hshld; C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe [527728 2012-11-15] (AnchorFree Inc.)
    S3 HssTrayService; C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE [78072 2012-11-14] ()
    S2 HssWd; C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe [389488 2012-11-14] ()
    S3 Roxio UPnP Renderer 10; C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [313840 2009-08-31] (Sonic Solutions)
    S2 Roxio Upnp Server 10; C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUpnpService10.exe [362992 2009-08-31] (Sonic Solutions)
    S3 SampleCollector; C:\Program Files\Sony\VAIO Care\collsvc.exe [167424 2009-09-16] (Intel Corporation)
    S2 SBAMSvc; C:\Program Files (x86)\Sunbelt Software\VIPRE\SBAMSvc.exe [2763080 2010-08-20] (Sunbelt Software)
    S2 SBPIMSvc; C:\Program Files (x86)\Sunbelt Software\VIPRE\SBPIMSvc.exe [181584 2010-08-20] (Sunbelt Software)
    S3 SOHDBSvr; C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe [70952 2009-10-15] (Sony Corporation)
    S3 SOHPlMgr; C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe [91432 2009-10-15] (Sony Corporation)
    S2 uCamMonitor; C:\Program Files (x86)\ArcSoft\Magic-I Visual Effects 2\uCamMonitor.exe [104960 2008-09-18] (ArcSoft, Inc.)
    S3 VAIO Entertainment TV Device Arbitration Service; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzHardwareResourceManager\VzHardwareResourceManager\VzHardwareResourceManager.exe [69632 2009-09-14] (Sony Corporation)
    S2 VCFw; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [642416 2009-09-14] (Sony Corporation)
    S3 VUAgent; C:\Program Files\Sony\VAIO Update 5\VUAgent.exe [1165680 2009-10-30] (Sony Corporation)
    S2 VzCdbSvc; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe [206336 2009-09-14] (Sony Corporation)
    ==================== Drivers (Whitelisted) ====================
    S3 AndNetDiag; C:\Windows\System32\DRIVERS\lgandnetdiag64.sys [29696 2011-06-03] (LG Electronics Inc.)
    S3 ANDNetModem; C:\Windows\System32\DRIVERS\lgandnetmodem64.sys [37376 2011-06-03] (LG Electronics Inc.)
    S3 andnetndis; C:\Windows\System32\DRIVERS\lgandnetndis64.sys [90624 2011-06-03] (LG Electronics Inc.)
    S3 ArcSoftKsUFilter; C:\Windows\System32\DRIVERS\ArcSoftKsUFilter.sys [19968 2009-05-26] (ArcSoft, Inc.)
    S1 HssDRV6; C:\Windows\System32\DRIVERS\hssdrv6.sys [42248 2012-11-14] (AnchorFree Inc.)
    S2 sbapifs; C:\Windows\System32\DRIVERS\sbapifs.sys [64600 2010-06-14] (Sunbelt Software)
    S1 SbFw; C:\Windows\System32\drivers\SbFw.sys [253528 2010-07-27] (Sunbelt Software, Inc.)
    S3 SBFWIMCL; C:\Windows\System32\DRIVERS\sbfwim.sys [84056 2010-04-15] (Sunbelt Software, Inc.)
    S3 SBFWIMCLMP; C:\Windows\System32\DRIVERS\SBFWIM.sys [84056 2010-04-15] (Sunbelt Software, Inc.)
    S3 sbhips; C:\Windows\System32\drivers\sbhips.sys [60504 2010-07-27] (Sunbelt Software, Inc.)
    S1 SBRE; C:\Windows\system32\drivers\SBREdrv.sys [49752 2010-03-22] (Sunbelt Software)
    S1 SbTis; C:\Windows\System32\drivers\sbtis.sys [94296 2010-07-27] (Sunbelt Software, Inc.)
    S3 taphss6; C:\Windows\System32\DRIVERS\taphss6.sys [40712 2012-11-14] (Anchorfree Inc.)
    S3 vrvd5; C:\Windows\System32\DRIVERS\vrvd5.sys [13344 2012-04-09] (Rsupport Corporation)
    S3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-11-12] ()
    S2 MSSQL$DDNI;
    S2 Oasis2Service;
    ==================== NetSvcs (Whitelisted) ===================

    ==================== One Month Created Files and Folders ========
    2013-08-02 13:02 - 2013-08-02 13:02 - 00000000 ____D C:\FRST
    2013-08-01 18:12 - 2013-08-01 18:12 - 00000000 ____D C:\NBRT
    2013-07-23 16:44 - 2013-07-29 08:55 - 00000000 ____D C:\Users\Shelly\AppData\Roaming\Dirty
    2013-07-23 12:48 - 2013-07-23 16:52 - 00000000 ____D C:\Users\Shelly\AppData\Local\Facebook
    2013-07-20 23:21 - 2013-07-23 20:29 - 00000000 ____D C:\Users\Shelly\Desktop\Cheer Motions
    2013-07-20 21:39 - 2013-07-20 21:39 - 00000491 _____ C:\Users\Shelly\Desktop\cheer7.htm
    2013-07-14 02:00 - 2013-07-14 02:00 - 00000000 _____ C:\Windows\setuperr.log
    2013-07-14 02:00 - 2013-07-14 02:00 - 00000000 _____ C:\Windows\setupact.log
    2013-07-03 15:04 - 2013-08-02 07:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    ==================== One Month Modified Files and Folders =======
    2013-08-02 08:40 - 2009-07-13 20:45 - 00014144 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-08-02 08:40 - 2009-07-13 20:45 - 00014144 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-08-02 08:35 - 2013-02-10 20:48 - 01080303 _____ C:\Windows\WindowsUpdate.log
    2013-08-02 08:33 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2013-08-02 08:00 - 2010-07-15 18:20 - 00000000 ____D C:\users\Shelly
    2013-08-02 08:00 - 2010-04-26 17:01 - 00000000 ____D C:\Program Files\Windows Journal
    2013-08-02 08:00 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\WinBioPlugIns
    2013-08-02 08:00 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\addins
    2013-08-02 08:00 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Sidebar
    2013-08-02 08:00 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Photo Viewer
    2013-08-02 08:00 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
    2013-08-02 08:00 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\DVD Maker
    2013-08-02 08:00 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar
    2013-08-02 08:00 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices
    2013-08-02 08:00 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
    2013-08-02 08:00 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 __RSD C:\Windows\Media
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\zh-HK
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\uk-UA
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\tr-TR
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\th-TH
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\sr-Latn-CS
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\sl-SI
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\sk-SK
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Setup
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\ro-RO
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Recovery
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\ras
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\oobe
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\migwiz
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\manifeststore
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\lv-LV
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\lt-LT
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\icsxml
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\hr-HR
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\he-IL
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\et-EE
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Dism
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\com
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\bg-BG
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\ar-SA
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\AdvancedInstallers
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\zh-HK
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\tr-TR
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\th-TH
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sl-SI
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sk-SK
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Setup
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\ro-RO
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\ras
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\oobe
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Msdtc
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\migwiz
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\manifeststore
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\lv-LV
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\lt-LT
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\icsxml
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\ias
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\hr-HR
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\he-IL
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\et-EE
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Dism
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\com
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\bg-BG
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\ar-SA
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\AdvancedInstallers
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\L2Schemas
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\IME
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\System
    2013-08-02 08:00 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Services
    2013-08-02 07:55 - 2013-05-23 17:33 - 00000000 ____D C:\Windows\System32\SPReview
    2013-08-02 07:55 - 2013-05-23 17:33 - 00000000 ____D C:\Windows\System32\EventProviders
    2013-08-02 07:55 - 2013-04-22 20:02 - 00000000 ____D C:\Windows\SysWOW64\syncdb
    2013-08-02 07:55 - 2011-10-15 00:38 - 00000000 ____D C:\Windows\System32\Macromed
    2013-08-02 07:55 - 2010-07-31 18:20 - 00000000 ____D C:\Windows\System32\kodak
    2013-08-02 07:55 - 2010-07-13 08:44 - 00000000 ____D C:\Windows\System32\Tasks\SONY
    2013-08-02 07:55 - 2010-07-13 08:37 - 00000000 ____D C:\Windows\SysWOW64\winrm
    2013-08-02 07:55 - 2010-07-13 08:37 - 00000000 ____D C:\Windows\SysWOW64\slmgr
    2013-08-02 07:55 - 2010-07-13 08:36 - 00000000 ____D C:\Windows\SysWOW64\Printing_Admin_Scripts
    2013-08-02 07:55 - 2010-07-13 08:36 - 00000000 ____D C:\Windows\System32\WCN
    2013-08-02 07:55 - 2010-07-13 08:36 - 00000000 ____D C:\Windows\System32\Printing_Admin_Scripts
    2013-08-02 07:55 - 2010-07-13 08:06 - 00000000 ____D C:\Windows\Sonysys
    2013-08-02 07:55 - 2010-07-13 07:45 - 00000000 ____D C:\Windows\SysWOW64\RTCOM
    2013-08-02 07:55 - 2010-04-26 17:01 - 00000000 ____D C:\Windows\ShellNew
    2013-08-02 07:55 - 2009-07-13 21:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
    2013-08-02 07:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Speech
    2013-08-02 07:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\NetworkList
    2013-08-02 07:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\MUI
    2013-08-02 07:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Msdtc
    2013-08-02 07:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\spp
    2013-08-02 07:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Speech
    2013-08-02 07:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\SMI
    2013-08-02 07:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
    2013-08-02 07:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\IME
    2013-08-02 07:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\system
    2013-08-02 07:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Speech
    2013-08-02 07:54 - 2012-03-26 12:30 - 00000000 ____D C:\Windows\pss
    2013-08-02 07:54 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\security
    2013-08-02 07:54 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\schemas
    2013-08-02 07:54 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Resources
    2013-08-02 07:54 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Globalization
    2013-08-02 07:53 - 2013-07-03 15:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2013-08-02 07:53 - 2013-05-23 18:44 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox.bak
    2013-08-02 07:53 - 2013-03-29 18:13 - 00000000 ____D C:\Program Files (x86)\Audacity
    2013-08-02 07:53 - 2013-03-13 22:19 - 00000000 ____D C:\Program Files\Microsoft Silverlight
    2013-08-02 07:53 - 2013-03-13 22:19 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
    2013-08-02 07:53 - 2013-03-03 21:33 - 00000000 ____D C:\Users\Shelly\Documents\RCA Digital Voice Manager
    2013-08-02 07:53 - 2013-03-03 21:33 - 00000000 ____D C:\Users\Shelly\Documents\RCA Detective
    2013-08-02 07:53 - 2013-02-21 17:43 - 00000000 ____D C:\ProgramData\WebEx
    2013-08-02 07:53 - 2012-12-18 22:05 - 00000000 ____D C:\Program Files (x86)\Hotspot Shield
    2013-08-02 07:53 - 2012-10-16 19:22 - 00000000 ___SD C:\Users\Shelly\Google Drive
    2013-08-02 07:53 - 2012-10-03 18:02 - 00000000 ____D C:\Users\Shelly\AppData\Roaming\Elluminate
    2013-08-02 07:53 - 2012-09-06 18:54 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2013-08-02 07:53 - 2012-09-02 14:43 - 00000000 ____D C:\Users\Shelly\AppData\Local\Unity
    2013-08-02 07:53 - 2012-07-31 13:44 - 00000000 ____D C:\Program Files (x86)\Hewlett-Packard
    2013-08-02 07:53 - 2012-07-31 13:43 - 00000000 ____D C:\ProgramData\HP Photo Creations
    2013-08-02 07:53 - 2012-07-31 13:43 - 00000000 ____D C:\Program Files (x86)\HP Photo Creations
    2013-08-02 07:53 - 2012-07-31 13:43 - 00000000 ____D C:\Program Files (x86)\Coupons
    2013-08-02 07:53 - 2012-07-31 13:42 - 00000000 ____D C:\Program Files (x86)\HP
    2013-08-02 07:53 - 2012-07-31 13:39 - 00000000 ____D C:\Users\Shelly\AppData\Local\HP
    2013-08-02 07:53 - 2012-06-10 18:41 - 00000000 ____D C:\Program Files (x86)\Free Offers from Freeze.com
    2013-08-02 07:53 - 2012-02-07 20:49 - 00000000 ____D C:\Users\Shelly\Desktop\Misc
    2013-08-02 07:53 - 2011-12-01 18:30 - 00000000 ____D C:\Users\Shelly\AppData\Roaming\Audacity
    2013-08-02 07:53 - 2011-12-01 18:26 - 00000000 ____D C:\Program Files (x86)\Audacity 1.3 Beta (Unicode)
    2013-08-02 07:53 - 2011-11-19 18:25 - 00000000 ____D C:\Program Files (x86)\QuickTime
    2013-08-02 07:53 - 2011-09-14 20:34 - 00000000 ____D C:\Program Files\Google
    2013-08-02 07:53 - 2011-09-14 20:21 - 00000000 ____D C:\Users\Shelly\AppData\Roaming\ArcSoft
    2013-08-02 07:53 - 2011-09-14 20:17 - 00000000 ____D C:\Program Files (x86)\Google
    2013-08-02 07:53 - 2011-09-14 20:16 - 00000000 ___RD C:\Program Files (x86)\Skype
    2013-08-02 07:53 - 2011-09-14 20:16 - 00000000 ____D C:\ProgramData\Skype
    2013-08-02 07:53 - 2011-02-04 18:38 - 00000000 ____D C:\ProgramData\Real
    2013-08-02 07:53 - 2011-02-04 18:38 - 00000000 ____D C:\Program Files (x86)\Real
    2013-08-02 07:53 - 2011-01-08 10:05 - 00000000 ____D C:\Users\Shelly\AppData\Roaming\Juniper Networks
    2013-08-02 07:53 - 2010-08-31 16:12 - 00000000 ____D C:\Program Files (x86)\CCleaner
    2013-08-02 07:53 - 2010-07-16 06:55 - 00000000 ____D C:\Program Files (x86)\SureThing Express Labeler
    2013-08-02 07:53 - 2010-07-16 06:04 - 00000000 ____D C:\Users\Shelly\AppData\Local\Downloaded Installations
    2013-08-02 07:53 - 2010-07-16 05:59 - 00000000 ____D C:\Users\Public\Documents\Pinnacle
    2013-08-02 07:53 - 2010-07-15 18:42 - 00000000 ____D C:\Program Files (x86)\Microsoft Works
    2013-08-02 07:53 - 2010-07-15 18:35 - 00000000 ____D C:\ProgramData\Microsoft Help
    2013-08-02 07:53 - 2010-07-15 18:30 - 00000000 ____D C:\ProgramData\FLEXnet
    2013-08-02 07:53 - 2010-07-13 09:07 - 00000000 ____D C:\Program Files (x86)\Windows Live SkyDrive
    2013-08-02 07:53 - 2010-07-13 09:06 - 00000000 ____D C:\Program Files (x86)\Windows Live
    2013-08-02 07:53 - 2010-07-13 08:18 - 00000000 ____D C:\Program Files\Shutterfly
    2013-08-02 07:53 - 2010-07-13 08:18 - 00000000 ____D C:\Program Files\PlayReady
    2013-08-02 07:53 - 2010-07-13 08:16 - 00000000 ____D C:\ProgramData\Norton
    2013-08-02 07:53 - 2010-07-13 07:47 - 00000000 ____D C:\Program Files\Apoint
    2013-08-02 07:53 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
    2013-08-02 07:52 - 2010-12-17 10:53 - 00000000 ____D C:\8acfb9046ac15f220fbb64
    2013-08-02 07:46 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
    2013-08-02 06:50 - 2011-02-05 14:42 - 00000000 ____D C:\Users\Shelly\Documents\School
    2013-08-02 06:50 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
    2013-08-02 06:47 - 2010-07-13 07:49 - 00000000 ____D C:\Program Files\Sony
    2013-08-01 18:12 - 2013-08-01 18:12 - 00000000 ____D C:\NBRT
    2013-07-29 08:55 - 2013-07-23 16:44 - 00000000 ____D C:\Users\Shelly\AppData\Roaming\Dirty
    2013-07-29 08:55 - 2011-01-18 17:33 - 00000000 ____D C:\Windows\Minidump
    2013-07-29 06:51 - 2010-07-15 18:30 - 00000000 ____D C:\Users\Shelly\AppData\Local\Adobe
    2013-07-23 20:29 - 2013-07-20 23:21 - 00000000 ____D C:\Users\Shelly\Desktop\Cheer Motions
    2013-07-23 16:52 - 2013-07-23 12:48 - 00000000 ____D C:\Users\Shelly\AppData\Local\Facebook
    2013-07-23 07:04 - 2011-03-11 19:40 - 00000000 ____D C:\Users\Shelly\AppData\Local\CrashDumps
    2013-07-20 21:39 - 2013-07-20 21:39 - 00000491 _____ C:\Users\Shelly\Desktop\cheer7.htm
    2013-07-14 20:35 - 2012-07-20 18:32 - 00000000 ____D C:\Users\Shelly\Documents\Paul
    2013-07-14 02:01 - 2012-09-09 09:23 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-07-14 02:01 - 2012-07-31 13:43 - 00000258 _____ C:\Windows\Tasks\HP Photo Creations Messager.job
    2013-07-14 02:01 - 2010-07-13 08:07 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-07-14 02:00 - 2013-07-14 02:00 - 00000000 _____ C:\Windows\setuperr.log
    2013-07-14 02:00 - 2013-07-14 02:00 - 00000000 _____ C:\Windows\setupact.log
    2013-07-13 11:27 - 2010-07-13 08:07 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-07-13 11:22 - 2010-07-13 08:07 - 00003908 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
    2013-07-13 11:22 - 2010-07-13 08:07 - 00003656 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
    2013-07-13 11:09 - 2009-07-13 21:13 - 00005168 _____ C:\Windows\System32\PerfStringBackup.INI
    2013-07-09 16:02 - 2011-06-26 21:31 - 00198462 _____ C:\test.xml
    2013-07-09 15:02 - 2012-05-23 19:39 - 00003942 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{084A3F5B-E5D1-4557-BE40-75CB207E2AC1}
    2013-07-04 09:22 - 2011-05-09 20:49 - 00001108 _____ C:\Windows\SysWOW64\ServiceConfig.xml
    2013-07-04 09:22 - 2011-05-09 20:49 - 00000810 _____ C:\Windows\SysWOW64\RegistrationConfig.xml
    ==================== Known DLLs (Whitelisted) ================

    ==================== Bamital & volsnap Check =================
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: <===== ATTENTION!
    HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
    HKLM\...\exefile\open\command: <===== ATTENTION!
    ==================== Restore Points =========================
    Restore point made on: 2013-07-14 02:01:58
    Restore point made on: 2013-07-21 18:12:01
    Restore point made on: 2013-07-23 19:52:25
    Restore point made on: 2013-07-29 07:32:51
    ==================== Memory info ===========================
    Percentage of memory in use: 15%
    Total physical RAM: 3950.1 MB
    Available physical RAM: 3324.24 MB
    Total Pagefile: 3948.25 MB
    Available Pagefile: 3313.2 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.85 MB
    ==================== Drives ================================
    Drive c: (Windows) (Fixed) (Total:284.36 GB) (Free:175.68 GB) NTFS (Disk=0 Partition=3)
    Drive e: (Recovery) (Fixed) (Total:13.64 GB) (Free:0.8 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]
    Drive g: (KARL 3) (Removable) (Total:30.08 GB) (Free:25.99 GB) FAT32 (Disk=1 Partition=1)
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
    ==================== MBR & Partition Table ==================
    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 67F2CEB1)
    Partition 1: (Not Active) - (Size=14 GB) - (Type=27)
    Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=284 GB) - (Type=07 NTFS)
    ========================================================
    Disk: 1 (Size: 30 GB) (Disk ID: 04030201)
    Partition 1: (Not Active) - (Size=30 GB) - (Type=0C)

    LastRegBack: 2013-07-24 13:13
    ==================== End Of Log ============================
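The FRST log above carries the indicators Broni acts on in the next posts: an Image File Execution Options (listed by FRST as IMEO) Debugger entry that redirects OLT.exe to svchost.exe, two CLSID InprocServer32 values FRST marks as possible ZeroAccess, the altered .exe file association keys, and an autorun launched from the user's AppData folder with no publisher recorded. The following is an added example, not part of the thread and not FRST's own code: a small Python triage script that reads FRST.txt-style lines and flags those same shapes of entry. The sample lines are copied from the log posted above; the rule names and severities are the example's own choices.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) log lines.

Added example (not from the thread or from FRST).  It flags the kinds of
persistence and hijack entries visible in the log above so a responder can
see at a glance what a fixlist would need to address.
"""
import re
from dataclasses import dataclass

# Autorun lines: "HKLM\...\Run: [name] - target [size date] (publisher)"
RUN_RE = re.compile(r'^(?P<hive>HK[^ ]*?)\\\.\.\.\\(?P<kind>Run|RunOnce): '
                    r'\[(?P<name>[^\]]*)\] - (?P<target>.*)$')
# IFEO lines as FRST prints them: "IMEO\<exe>: [Debugger] <replacement>"
IFEO_RE = re.compile(r'^IMEO\\(?P<exe>[^:]+): \[Debugger\] (?P<dbg>.+)$')


@dataclass
class Finding:
    rule: str
    severity: str
    line: str
    why: str


def classify(line: str):
    """Return a Finding for a suspicious FRST line, or None for a benign one."""
    line = line.strip()
    m = IFEO_RE.match(line)
    if m:
        # A Debugger value under Image File Execution Options makes Windows
        # start the named "debugger" instead of the program itself, so the
        # real program (here a security tool) silently never runs.
        return Finding("ifeo_debugger", "high", line,
                       f"launching {m['exe']} is redirected to {m['dbg']!r}")
    if "ATTENTION!" in line:
        if "InprocServer32" in line:
            # ZeroAccess is known for replacing COM server paths under
            # HKLM\Software\Classes\CLSID so its code loads via COM.
            return Finding("clsid_hijack", "high", line,
                           "CLSID InprocServer32 default value altered (FRST: ZeroAccess?)")
        if re.search(r"\\\.exe:|exefile", line):
            # With the exefile handler changed, every .exe launch can be
            # routed through the malware first.
            return Finding("exe_association", "high", line,
                           ".exe file association keys altered")
        return Finding("frst_attention", "medium", line, "line marked by FRST")
    m = RUN_RE.match(line)
    if m:
        target = m["target"]
        if target == "[x]":
            # Entry whose file no longer exists: leftover to clean, not active.
            return Finding("orphan_autorun", "low", line,
                           f"autorun '{m['name']}' points to a missing file")
        # FRST prints the file's company name in parentheses; "()" means none.
        unsigned = target.endswith("()")
        in_profile = "\\AppData\\" in target
        if in_profile and unsigned:
            path = target.split(" [")[0]
            return Finding("user_profile_autorun", "medium", line,
                           f"autorun '{m['name']}' runs {path} from a user profile "
                           "with no publisher name")
    return None


def triage(log_text: str):
    """Run classify() over every non-empty line and collect the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


# Sample lines copied from the FRST.txt posted in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM\...\InprocServer32: [Default-wbemess] ATTENTION! ====> ZeroAccess?
HKLM-x32\...\Run: [] - [x]
HKU\Shelly\...\Run: [GoogleDriveSync] - C:\Program Files (x86)\Google\Drive\googledrivesync.exe [19676256 2013-06-06] (Google)
HKU\Shelly\...\Run: [UpdaeteServer] - C:\Users\Shelly\AppData\Roaming\Media Center Programs\WINF4D0.exe [119296 2013-05-15] ()
IMEO\OLT.exe: [Debugger] svchost.exe
HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:20} {f.why}")
```

Run against the sample, the script reports six findings: the two high-severity hijacks FRST itself marked, the IFEO redirect, the two altered .exe association keys, the unsigned autorun under AppData\Roaming, and the orphaned empty Run value. Those line up with what the Fixlog in post 7 shows being restored or deleted; the script does not attempt any repair, it only tells a responder what a fixlist should cover.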
     
  6. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
    See if you can boot now.
     


  7. kwspony

    kwspony TS Booster Topic Starter Posts: 121

    Fix Log:
    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-08-2013
    Ran by SYSTEM at 2013-08-02 13:10:42 Run:1
    Running from G:\
    Boot Mode: Recovery
    ==============================================
    HKLM\Software\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\Default => Value was restored successfully.
    HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
    HKU\Shelly\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => Value deleted successfully.
    HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\OLT.exe => Key deleted successfully.
    ShortcutTarget: RCA Detective.lnk -> (No File) not found.
    HKLM\Software\Classes\.exe\\Default => Value was restored successfully.
    HKLM\Software\Classes\exefile\DefaultIcon\\Default => Value was restored successfully.
    HKLM\Software\Classes\exefile\shell\open\command\\Default => Value was restored successfully.
    ==== End of Fixlog ====
     
  8. Broni

    Broni Malware Annihilator Posts: 52,898   +344

     
  9. kwspony

    kwspony TS Booster Topic Starter Posts: 121

    Rebooted with same results. Black screen with mouse cursor.
     
  10. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Delete existing "fixlist.txt" file from your USB drive and....

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
     


  11. kwspony

    kwspony TS Booster Topic Starter Posts: 121

    Next log:
    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-08-2013
    Ran by SYSTEM at 2013-08-02 13:21:17 Run:2
    Running from G:\
    Boot Mode: Recovery
    ==============================================
    DEFAULT hive was successfully copied to System32\config\HiveBackup
    DEFAULT hive was successfully restored from registry back up.
    SAM hive was successfully copied to System32\config\HiveBackup
    SAM hive was successfully restored from registry back up.
    SECURITY hive was successfully copied to System32\config\HiveBackup
    SECURITY hive was successfully restored from registry back up.
    SOFTWARE hive was successfully copied to System32\config\HiveBackup
    SOFTWARE hive was successfully restored from registry back up.
    SYSTEM hive was successfully copied to System32\config\HiveBackup
    SYSTEM hive was successfully restored from registry back up.
    ==== End of Fixlog ====
     
  12. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    See if you can boot now.
     
  13. kwspony

    kwspony TS Booster Topic Starter Posts: 121

    Same results
     
  14. kwspony

    kwspony TS Booster Topic Starter Posts: 121

    It is getting better though. If I hit fn\f7 I get the extend desktop box but still no main image.
     
  15. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Can you access Task Manager if you press CTRL+ALT+DEL?
     
  16. kwspony

    kwspony TS Booster Topic Starter Posts: 121

    No. I haven't been able to get anything else to show up.
     
  17. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Try Safe Mode.
     
  18. kwspony

    kwspony TS Booster Topic Starter Posts: 121

    Nope, same result.
     
  19. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Unfortunately there is not much more I can do here.
    There was some ZeroAccess rootkit infection but it's gone by now.
    We also restored your computer to the state from last successful boot but it didn't help either.

    Hopefully this is not some hardware issue, but the only thing I can advise at this point is to reinstall Windows.
    I'm sorry :(
     
  20. kwspony

    kwspony TS Booster Topic Starter Posts: 121

    I was headed that way anyway. Thanks for your help, Broni!!!!!!!!!!!
     
  21. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    You're very welcome
     
