TechSpot

Rogue Antivirus Disabled Everything

By dreamer4life
Jul 16, 2013
  1. I fix friends' and families' laptops to be nice (and sometimes get gift cards out of it, cuz they love me). Anyways, I have only run into one laptop in the last three years that I have not been able to fix, and had to wipe. That is until a week ago. For the last week almost every night I have been up messing with my best friend's laptop.

    I have tried R-Kill, Trend, Anti-Malware, Super something or another, and a long list of other programs. I ran a HijackThis log as well. I am stumped.

    The virus has seized everything on the laptop. It started by just taking over the networking (no internet, no network connection), then it disabled the firewall settings, and basically any options as an admin were no longer feasible. Next came programs. I could no longer run MS Office, or most programs. All this happened within one evening. She said in the months prior she had noticed a few funny things here and there and had recently installed updates.

    What I have gathered is that she installed the "Java" update in April, that messed things up, there is also a Rogue Virus (I believe it is Microsoft Client, not positive though, those are the weird file names I am running into) that I have removed traces of, and some Trojans attaching themselves to different Applications, including a fake MS Office Program (It looks like there are 2). Basically the system has totally duplicated and nothing I am doing is helping.

    I refuse to admit defeat and wipe the system, but I am putting hours into this, and it is draining me.

    Can someone please offer me some advice. I have checked countless forums, and nothing is working.
     


  2. dreamer4life

    dreamer4life TS Rookie Topic Starter

    NOTE: I want to add that I have been downloading these AV programs to a flash drive from my healthy laptop (with internet connection), then running them in both safe mode and normal mode on the infected laptop.

    Being that the infected laptop has no networking connection and can not connect to the internet or anything (everything is disabled even in safe mode), I can not update the latest version of any of these programs. That is why I have not followed the first few steps of this forum's instructions...
     
  3. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==================================

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     
  4. dreamer4life

    dreamer4life TS Rookie Topic Starter

    Results (And Thank You for your help):

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 17-07-2013 02
    Ran by SYSTEM on 17-07-2013 12:33:18
    Running from H:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    Internet Explorer Version 9
    Boot Mode: Recovery

    The current controlset is ControlSet002
    ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-03-11] (IDT, Inc.)
    HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2480936 2010-12-16] (Synaptics Incorporated)
    HKLM\...\Run: [IntelWireless] - C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1933584 2011-02-04] (Intel(R) Corporation)
    HKLM\...\Run: [Kernel and Hardware Abstraction Layer] - KHALMNPR.EXE [x]
    HKLM\...\Run: [BTMTrayAgent] - C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll [10355200 2011-01-24] (Intel Corporation)
    Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
    HKLM-x32\...\Run: [] - [x]
    HKLM-x32\...\Run: [Adobe ARM] - "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [RemoteControl10] - "C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe" [87336 2010-02-03] (CyberLink Corp.)
    HKLM-x32\...\Run: [HPConnectionManager] - C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe [94264 2011-02-15] (Hewlett-Packard Development Company L.P.)
    HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
    HKLM-x32\...\Run: [HP Quick Launch] - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [586296 2010-11-09] (Hewlett-Packard Development Company, L.P.)
    HKLM-x32\...\Run: [Easybits Recovery] - C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe [61112 2011-03-16] (EasyBits Software AS)
    HKLM-x32\...\Run: [BDRegion] - C:\Program Files (x86)\Cyberlink\Shared files\brs.exe [75048 2011-01-25] (cyberlink)
    HKLM-x32\...\Run: [APSDaemon] - "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [38112 2012-12-18] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [SunJavaUpdateSched] - "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [253816 2013-03-12] (Oracle Corporation)
    HKLM-x32\...\Run: [StartCCC] - "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2011-03-15] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160 2011-01-12] (Intel Corporation)
    HKLM-x32\...\Run: [HPOSD] - C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [318520 2011-01-27] (Hewlett-Packard Development Company, L.P.)
    HKU\Jay\...\Policies\system: [LogonHoursAction] 2
    HKU\Jay\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
    HKU\Leslie\...\Run: [SUPERAntiSpyware] - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5622512 2013-05-14] (SUPERAntiSpyware.com)
    Startup: C:\Users\Leslie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
    ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

    ==================== Services (Whitelisted) =================

    S2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [143120 2013-05-23] (SUPERAntiSpyware.com)
    S4 CLKMSVC10_38F51D56; C:\Program Files (x86)\CyberLink\PowerDVD10\NavFilter\kmsvc.exe [241648 2011-01-25] (CyberLink)
    S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
    S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
    S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
    S4 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-02-04] ()

    ==================== Drivers (Whitelisted) ====================

    S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
    S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
    S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
    S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
    S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-07-17 12:32 - 2013-07-17 12:32 - 00000000 ____D C:\FRST
    2013-07-16 10:23 - 2013-07-16 10:23 - 00000036 _____ C:\Users\Leslie\AppData\Local\housecall.guid.cache
    2013-07-11 07:06 - 2013-07-11 07:06 - 00002255 _____ C:\Users\Jay\Desktop\Google Chrome.lnk
    2013-07-10 18:26 - 2013-07-11 02:26 - 00000512 _____ C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task c203ad36-5aad-412d-9f12-e0700dfbce30.job
    2013-07-10 18:26 - 2013-07-10 23:00 - 00000512 _____ C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 5b5899d8-f8a7-4508-bac0-a80c6899b999.job
    2013-07-10 18:26 - 2013-07-10 18:26 - 00003590 _____ C:\Windows\System32\Tasks\SUPERAntiSpyware Scheduled Task 5b5899d8-f8a7-4508-bac0-a80c6899b999
    2013-07-10 18:26 - 2013-07-10 18:26 - 00003516 _____ C:\Windows\System32\Tasks\SUPERAntiSpyware Scheduled Task c203ad36-5aad-412d-9f12-e0700dfbce30
    2013-07-10 18:26 - 2013-07-10 18:26 - 00001808 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
    2013-07-10 18:26 - 2013-07-10 18:26 - 00000000 ____D C:\Users\Leslie\AppData\Roaming\SUPERAntiSpyware.com
    2013-07-10 18:26 - 2013-07-10 18:26 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
    2013-07-10 18:26 - 2013-07-10 18:26 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
    2013-07-10 17:47 - 2013-07-16 10:48 - 00021468 _____ C:\Windows\WindowsUpdate.log
    2013-07-10 17:43 - 2013-07-10 17:43 - 00000552 _____ C:\Windows\PFRO.log
    2013-07-09 18:28 - 2013-07-09 18:28 - 00001109 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-07-09 18:28 - 2013-07-09 18:28 - 00000000 ____D C:\Users\Leslie\AppData\Roaming\Malwarebytes
    2013-07-09 18:28 - 2013-07-09 18:28 - 00000000 ____D C:\ProgramData\Malwarebytes
    2013-07-09 18:28 - 2013-07-09 18:28 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-07-09 18:28 - 2013-04-04 11:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2013-07-09 18:12 - 2013-07-09 18:12 - 00017937 _____ C:\ComboFix.txt
    2013-07-09 17:57 - 2013-07-09 17:57 - 00000822 _____ C:\Users\Public\Desktop\CCleaner.lnk
    2013-07-09 17:57 - 2013-07-09 17:57 - 00000000 ____D C:\Program Files\CCleaner
    2013-07-09 17:52 - 2013-07-09 17:13 - 00000000 _____ C:\Users\Leslie\Downloads\ccsetup403.exe.htrc1e4.partial
    2013-07-09 17:28 - 2013-07-09 17:30 - 00002980 _____ C:\Users\Leslie\Desktop\unhide.txt
    2013-07-09 17:16 - 2013-07-09 18:12 - 00000000 ____D C:\Qoobox
    2013-07-09 17:16 - 2011-06-25 22:45 - 00256000 _____ C:\Windows\PEV.exe
    2013-07-09 17:16 - 2010-11-07 09:20 - 00208896 _____ C:\Windows\MBR.exe
    2013-07-09 17:16 - 2009-04-19 20:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
    2013-07-09 17:16 - 2000-08-30 16:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
    2013-07-09 17:16 - 2000-08-30 16:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
    2013-07-09 17:16 - 2000-08-30 16:00 - 00098816 _____ C:\Windows\sed.exe
    2013-07-09 17:16 - 2000-08-30 16:00 - 00080412 _____ C:\Windows\grep.exe
    2013-07-09 17:16 - 2000-08-30 16:00 - 00068096 _____ C:\Windows\zip.exe
    2013-07-09 17:15 - 2013-07-09 17:22 - 00000000 ____D C:\Windows\erdnt
    2013-07-09 16:10 - 2013-07-09 16:10 - 00002255 _____ C:\Users\Leslie\Desktop\Google Chrome.lnk
    2013-07-09 15:39 - 2013-07-10 19:19 - 00003670 _____ C:\Users\Leslie\Desktop\Rkill.txt
    2013-07-09 15:39 - 2013-07-09 15:39 - 00000000 ____D C:\Users\Leslie\Desktop\rkill

    ==================== One Month Modified Files and Folders =======

    2013-07-17 12:32 - 2013-07-17 12:32 - 00000000 ____D C:\FRST
    2013-07-16 10:48 - 2013-07-10 17:47 - 00021468 _____ C:\Windows\WindowsUpdate.log
    2013-07-16 10:23 - 2013-07-16 10:23 - 00000036 _____ C:\Users\Leslie\AppData\Local\housecall.guid.cache
    2013-07-15 17:43 - 2009-07-13 21:13 - 00749674 _____ C:\Windows\System32\PerfStringBackup.INI
    2013-07-11 10:01 - 2012-10-10 17:50 - 00000258 _____ C:\Windows\Tasks\HP Photo Creations Messager.job
    2013-07-11 09:51 - 2013-05-12 05:35 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-07-11 09:14 - 2013-05-12 05:35 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-07-11 07:13 - 2009-07-13 20:45 - 00032064 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-07-11 07:13 - 2009-07-13 20:45 - 00032064 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-07-11 07:06 - 2013-07-11 07:06 - 00002255 _____ C:\Users\Jay\Desktop\Google Chrome.lnk
    2013-07-11 07:06 - 2013-05-12 05:35 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-07-11 07:06 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2013-07-11 02:26 - 2013-07-10 18:26 - 00000512 _____ C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task c203ad36-5aad-412d-9f12-e0700dfbce30.job
    2013-07-10 23:00 - 2013-07-10 18:26 - 00000512 _____ C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 5b5899d8-f8a7-4508-bac0-a80c6899b999.job
    2013-07-10 21:31 - 2012-12-04 07:50 - 00000344 _____ C:\Windows\Tasks\HPCeeScheduleForLESLIE-HP$.job
    2013-07-10 21:31 - 2012-11-16 17:52 - 00003220 _____ C:\Windows\System32\Tasks\HPCeeScheduleForLESLIE-HP$
    2013-07-10 21:21 - 2012-12-14 21:50 - 00003192 _____ C:\Windows\System32\Tasks\HPCeeScheduleForLeslie
    2013-07-10 21:21 - 2012-12-14 21:50 - 00000336 _____ C:\Windows\Tasks\HPCeeScheduleForLeslie.job
    2013-07-10 19:29 - 2013-06-07 21:13 - 00000000 ____D C:\Windows\pss
    2013-07-10 19:19 - 2013-07-09 15:39 - 00003670 _____ C:\Users\Leslie\Desktop\Rkill.txt
    2013-07-10 18:26 - 2013-07-10 18:26 - 00003590 _____ C:\Windows\System32\Tasks\SUPERAntiSpyware Scheduled Task 5b5899d8-f8a7-4508-bac0-a80c6899b999
    2013-07-10 18:26 - 2013-07-10 18:26 - 00003516 _____ C:\Windows\System32\Tasks\SUPERAntiSpyware Scheduled Task c203ad36-5aad-412d-9f12-e0700dfbce30
    2013-07-10 18:26 - 2013-07-10 18:26 - 00001808 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
    2013-07-10 18:26 - 2013-07-10 18:26 - 00000000 ____D C:\Users\Leslie\AppData\Roaming\SUPERAntiSpyware.com
    2013-07-10 18:26 - 2013-07-10 18:26 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
    2013-07-10 18:26 - 2013-07-10 18:26 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
    2013-07-10 17:44 - 2009-07-13 21:08 - 00032540 _____ C:\Windows\Tasks\SCHEDLGU.TXT
    2013-07-10 17:43 - 2013-07-10 17:43 - 00000552 _____ C:\Windows\PFRO.log
    2013-07-09 18:28 - 2013-07-09 18:28 - 00001109 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-07-09 18:28 - 2013-07-09 18:28 - 00000000 ____D C:\Users\Leslie\AppData\Roaming\Malwarebytes
    2013-07-09 18:28 - 2013-07-09 18:28 - 00000000 ____D C:\ProgramData\Malwarebytes
    2013-07-09 18:28 - 2013-07-09 18:28 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-07-09 18:12 - 2013-07-09 18:12 - 00017937 _____ C:\ComboFix.txt
    2013-07-09 18:12 - 2013-07-09 17:16 - 00000000 ____D C:\Qoobox
    2013-07-09 18:11 - 2009-07-13 18:34 - 00000215 _____ C:\Windows\system.ini
    2013-07-09 18:00 - 2012-10-24 07:04 - 00000000 ____D C:\Windows\Minidump
    2013-07-09 18:00 - 2011-12-08 16:40 - 00000000 ____D C:\Users\Leslie\AppData\Local\CrashDumps
    2013-07-09 18:00 - 2007-01-01 17:25 - 00000000 ____D C:\Windows\Panther
    2013-07-09 17:57 - 2013-07-09 17:57 - 00000822 _____ C:\Users\Public\Desktop\CCleaner.lnk
    2013-07-09 17:57 - 2013-07-09 17:57 - 00000000 ____D C:\Program Files\CCleaner
    2013-07-09 17:48 - 2013-01-08 14:18 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2013-07-09 17:30 - 2013-07-09 17:28 - 00002980 _____ C:\Users\Leslie\Desktop\unhide.txt
    2013-07-09 17:23 - 2009-07-13 19:20 - 00000000 ___RD C:\users\Default
    2013-07-09 17:22 - 2013-07-09 17:15 - 00000000 ____D C:\Windows\erdnt
    2013-07-09 17:13 - 2013-07-09 17:52 - 00000000 _____ C:\Users\Leslie\Downloads\ccsetup403.exe.htrc1e4.partial
    2013-07-09 16:25 - 2013-01-08 14:19 - 00002243 _____ C:\Windows\epplauncher.mif
    2013-07-09 16:10 - 2013-07-09 16:10 - 00002255 _____ C:\Users\Leslie\Desktop\Google Chrome.lnk
    2013-07-09 16:10 - 2013-05-12 05:35 - 00000000 ____D C:\Users\Leslie\AppData\Local\Google
    2013-07-09 15:39 - 2013-07-09 15:39 - 00000000 ____D C:\Users\Leslie\Desktop\rkill

    ==================== Known DLLs (Whitelisted) ================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2013-05-06 15:40:40
    Restore point made on: 2013-05-08 17:22:44
    Restore point made on: 2013-05-10 03:19:42
    Restore point made on: 2013-05-12 16:00:17
    Restore point made on: 2013-05-13 21:49:40
    Restore point made on: 2013-05-16 07:15:23
    Restore point made on: 2013-05-17 03:40:22
    Restore point made on: 2013-05-17 10:48:10
    Restore point made on: 2013-05-20 07:42:53
    Restore point made on: 2013-05-20 08:15:01
    Restore point made on: 2013-05-24 13:00:17
    Restore point made on: 2013-05-26 16:21:23
    Restore point made on: 2013-05-29 18:49:52
    Restore point made on: 2013-06-02 16:39:03
    Restore point made on: 2013-06-02 19:46:45
    Restore point made on: 2013-06-07 02:16:37
    Restore point made on: 2013-06-07 20:43:57
    Restore point made on: 2013-06-07 20:44:33

    ==================== Memory info ===========================

    Percentage of memory in use: 13%
    Total physical RAM: 6091.86 MB
    Available physical RAM: 5261.44 MB
    Total Pagefile: 6090.01 MB
    Available Pagefile: 5248.38 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.85 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:683.84 GB) (Free:605.77 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
    Drive e: (RECOVERY) (Fixed) (Total:14.5 GB) (Free:1.61 GB) NTFS (Disk=0 Partition=3) ==>[System with boot components (obtained from reading drive)]
    Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32 (Disk=0 Partition=4)
    Drive h: () (Removable) (Total:1.86 GB) (Free:1.86 GB) FAT (Disk=1 Partition=1)
    Drive x: (Boot) (Fixed) (Total:0.25 GB) (Free:0.25 GB) NTFS
    Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 699 GB) (Disk ID: 7ADEB7CE)
    Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=684 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=15 GB) - (Type=07 NTFS)
    Partition 4: (Not Active) - (Size=103 MB) - (Type=0C)

    ========================================================
    Disk: 1 (Size: 2 GB) (Disk ID: 01350832)
    Partition 1: (Not Active) - (Size=2 GB) - (Type=06)


    LastRegBack: 2013-07-10 19:55

    ==================== End Of Log ============================
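The log above is plain text in fixed sections, which makes it easy to triage mechanically before reading it line by line. The following script is an added example, not part of this thread and not FRST's own code: it parses the section layout shown in the log (titles framed by `=` signs, `HKLM\...\Run: [Name] - detail` autorun lines, `S2 Name; detail` service and driver lines, the `=> MD5 is legit` hash check and the `=> OK` association check) and reports the items an analyst looks at first: entries whose file is missing (`[x]`), files that carry no publisher (the `()` on `MyWiFiDHCPDNS`), driver lines listed twice (as the MBAM and SAS drivers are above, which fits the "current controlset is ControlSet002" note), and any hash or association line that is not the expected verdict. The embedded sample is a constructed excerpt of the posted log; the `explorer.exe` failure line is invented to exercise the hash check, and the function names are this example's own.

```python
"""Added triage helper for a Farbar Recovery Scan Tool (FRST.txt) log.

Not the thread's or FRST's own code. Parses the plain-text sections FRST writes and
lists autorun/service/driver entries with a missing file or no publisher, duplicate
driver lines, hash-check lines that are not 'MD5 is legit', and .exe association
lines that are not '=> OK'.
"""
import re
from collections import Counter

SECTION_RE = re.compile(r"^=+ (.+?) =+$")              # '==== Title ===='
RUN_RE = re.compile(r"^(HK[^:]+): \[(.*?)\] - (.*)$")   # HKLM\...\Run: [Name] - detail
SVC_RE = re.compile(r"^([SRU]\d) ([^;]+); (.*)$")       # S2 Name; detail

# Constructed sample in the layout of the posted log. The explorer.exe hash line is
# a made-up failure string so the hash check has something to flag.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-03-11] (IDT, Inc.)
HKLM\...\Run: [IntelWireless] - C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1933584 2011-02-04] (Intel(R) Corporation)
HKLM\...\Run: [Kernel and Hardware Abstraction Layer] - KHALMNPR.EXE [x]
HKLM-x32\...\Run: [] - [x]
HKU\Jay\...\Policies\system: [LogonHoursAction] 2

==================== Services (Whitelisted) =================

S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
S4 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-02-04] ()

==================== Drivers (Whitelisted) ====================

S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is not legit (constructed failure line)

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\open\command: "%1" %* => OK
"""


def split_sections(text):
    """Group non-empty lines under the FRST section title that precedes them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def publisher_of(detail):
    """Trailing '(Publisher)' of an entry, '' if absent; tolerates '(Intel(R) Corporation)'."""
    tail = detail.rsplit("] ", 1)[-1].strip()
    if tail.startswith("(") and tail.endswith(")"):
        return tail[1:-1].strip()
    return ""


def triage(text):
    """Return (category, subject, note) triples worth a second look."""
    findings = []
    sections = split_sections(text)

    for title, category in (("Registry (Whitelisted)", "autorun"),
                            ("Services (Whitelisted)", "service"),
                            ("Drivers (Whitelisted)", "driver")):
        seen, name_of = Counter(), {}
        for line in sections.get(title, []):
            m = RUN_RE.match(line) or SVC_RE.match(line)
            if not m:                      # Startup:, ShortcutTarget:, policy values, ...
                continue
            name, detail = m.group(2) or "<unnamed>", m.group(3)
            seen[line] += 1
            name_of[line] = name
            if detail.endswith("[x]"):
                findings.append((category, name, "referenced file not found ([x]): orphaned or hidden"))
            elif not publisher_of(detail):
                findings.append((category, name, "file carries no publisher information"))
        for line, count in seen.items():
            if count > 1:              # same line twice: usually both control sets listed
                findings.append((category, name_of[line], f"identical entry listed {count} times"))

    for line in sections.get("Bamital & volsnap Check", []):
        path, _, verdict = line.partition(" => ")
        if verdict != "MD5 is legit":
            findings.append(("hashcheck", path, f"system binary not confirmed: {verdict}"))

    for line in sections.get("EXE ASSOCIATION", []):
        key, _, verdict = line.partition(" => ")
        if verdict != "OK":
            findings.append(("exeassoc", key, f".exe association altered: {verdict}"))

    return findings


if __name__ == "__main__":
    for category, subject, note in triage(SAMPLE_LOG):
        print(f"[{category}] {subject}: {note}")
```

Run against the full log posted above, the script would list the two `[x]` Run entries, the unsigned `MyWiFiDHCPDNS` service and the three doubled driver lines, and nothing from the hash or association checks, which matches the reply that follows: nothing in the log itself points at active malware, so the remaining breakage is a Windows repair problem rather than a removal one. A `[x]` Run entry is a leftover pointer, not proof of infection, and a missing publisher only means the file has no version information; both are prompts to check the file, not verdicts.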
     
  5. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    Hmmm... I don't actually see anything malicious there.

    In this forum, we make sure your computer is free of malware and your computer is clean :)
    Because the access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
    You'll get more attention.

    Good luck :)
     
  6. dreamer4life

    dreamer4life TS Rookie Topic Starter

    Thanks for your help Broni. I figured out that I had already wiped out the virus that was on there by the time I posted on here, and actually I have reasons to believe it was a worm by the way it spread. But now the entire registry is funked and basically everything is disabled (nothing works, even in safe mode). I can't even do a system restore or go back to an earlier point. I will try posting on the Windows section and see if they have any advice to get the laptop working again.

    Thank you again for your help.
     
  7. Broni

    Broni Malware Annihilator Posts: 47,668   +267


