
Serifef.ab and p

Discussion in 'Virus and Malware Removal' started by Sistrunk, Dec 9, 2012.

  1. Broni Malware Annihilator Posts: 39,349   +175

    Keep me posted....
  2. Sistrunk Newcomer, in training Posts: 69

    Okay, have the file now. Here's the post from the first fix where the comp still did not boot.
    Going to load the new file later and hopefully post back tonight.

    RogueKiller V8.3.2 [Dec 7 2012] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
    Started in : Normal mode
    User : Jose [Admin rights]
    Mode : Scan -- Date : 12/09/2012 23:38:03

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 11 ¤¤¤
    [Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49} (C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl) -> FOUND
    [Services][ROGUE ST] HKLM\[...]\ControlSet003\Services\{55662437-DA8C-40c0-AADA-2C816A897A49} (C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl) -> FOUND
    [PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (127.0.0.1:5555) -> FOUND
    [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{117FB9A4-AC77-4B87-888C-04DCEBA4D039} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
    [DNS] HKLM\[...]\ControlSet003\Services\Interfaces\{117FB9A4-AC77-4B87-888C-04DCEBA4D039} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
    [DNS] HKLM\[...]\ControlSet003\Services\Interfaces\{4C8822D5-7D54-4BE8-B6EF-DEA9659094A3} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
    [HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
    [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : ZeroAccess ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 localhost
    ::1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: TOSHIBA MK3252GSX ATA Device +++++
    --- User ---
    [MBR] b424df27bf04a85c6a2b283f75a9bf42
    [BSP] 0046ad4d393ab0194bcc5e4e3109c6c0 : Toshiba tatooed MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 292028 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 598075392 | Size: 13213 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: Ativa 1GB USB Device +++++
    --- User ---
    [MBR] 9d91487f44fb2ffb075e82c1d7101251
    [BSP] 096ca65415799301792a33c93b5e78da : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] FAT16-LBA (0x0e) [VISIBLE] Offset (sectors): 8 | Size: 953 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[1]_S_12092012_02d2338.txt >>
    RKreport[1]_S_12092012_02d2338.txt
  3. Broni Malware Annihilator Posts: 39,349   +175

    This is not Fixlog.txt log.
    It's RogueKiller log.
  4. Sistrunk Newcomer, in training Posts: 69

    Sorry, clicked on the wrong one. Still trying to get a comp online at home.
  5. Sistrunk Newcomer, in training Posts: 69

    The comp is still not booting and here is the fix log.
    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-12-2012
    Ran by SYSTEM at 2012-12-19 17:58:59 Run:3
    Running from F:\

    ==============================================

    DEFAULT hive was successfully copied to System32\config\HiveBackup
    DEFAULT hive was successfully restored from registry back up.
    SAM hive was successfully copied to System32\config\HiveBackup
    SAM hive was successfully restored from registry back up.
    SECURITY hive was successfully copied to System32\config\HiveBackup
    SECURITY hive was successfully restored from registry back up.
    SOFTWARE hive was successfully copied to System32\config\HiveBackup
    SOFTWARE hive was successfully restored from registry back up.
    SYSTEM hive was successfully copied to System32\config\HiveBackup
    SYSTEM hive was successfully restored from registry back up.

    ==== End of Fixlog ====
  6. Broni Malware Annihilator Posts: 39,349   +175

    Same issue if you try to boot to safe mode?
    What exactly happens when you try to boot normally?
     
  7. Sistrunk Newcomer, in training Posts: 69

    When booting normally, the computer reboots itself just after the [Microsoft Corporation with loading animation] screen.
    During Safe Mode it loaded the drivers, said "please wait" at the bottom and then rebooted as well.
  8. Broni Malware Annihilator Posts: 39,349   +175

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Try "Startup repair".
  9. Sistrunk Newcomer, in training Posts: 69

    To add, after the reboot in both modes it boots to the "launch repair or start normally" screen.
  10. Sistrunk Newcomer, in training Posts: 69

    OK, trying that now.
  11. Sistrunk Newcomer, in training Posts: 69

    Completed startup repair but it's still not booting.
  12. Broni Malware Annihilator Posts: 39,349   +175

    Post new FRST log.
  13. Sistrunk Newcomer, in training Posts: 69

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-12-2012 (ATTENTION: FRST version is 16 days old)
    Ran by SYSTEM at 27-12-2012 17:22:04
    Running from F:\
    Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1584184 2008-01-20] (Microsoft Corporation)
    HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [456192 2009-08-13] (IDT, Inc.)
    HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-14] (Synaptics Incorporated)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
    HKLM\...\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h [9577680 2012-11-07] (COMODO)
    HKLM-x32\...\Run: [ThreatFire] "C:\Program Files (x86)\ThreatFire\TFTray.exe" [378128 2010-01-14] (PC Tools)
    HKLM-x32\...\Run: [hpWirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [488752 2008-04-15] (Hewlett-Packard Development Company, L.P.)
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [34672 2008-06-12] (Adobe Systems Incorporated)
    HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [972080 2008-09-30] (Hewlett-Packard)
    HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [972080 2008-09-30] (Hewlett-Packard)
    HKU\Jose\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
    HKU\Jose\...\RunOnce: [Shockwave Updater] C:\Windows\SysWOW64\Adobe\Shockwave 11\SwHelper_1150595.exe -Update -1150595 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB5; FunWebProducts; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 3.5.21022)" -"http://www.miniclip.com/games/alien-hive/en/" [460216 2009-03-19] (Adobe Systems, Inc.)
    HKU\Jose\...\Winlogon: [Shell] Explorer.exe
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Tcpip\..\Interfaces\{117FB9A4-AC77-4B87-888C-04DCEBA4D039}: [NameServer]8.26.56.26,156.154.70.22
    Tcpip\..\Interfaces\{4C8822D5-7D54-4BE8-B6EF-DEA9659094A3}: [NameServer]8.26.56.26,156.154.70.22
    SubSystems: [Windows] ATTENTION! ====> ZeroAccess
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Scrybe.lnk
    ShortcutTarget: Scrybe.lnk -> C:\Windows\Installer\{147DFAD8-34C3-4DE1-9FCA-ACEFDE9EF810}\NewShortcut11_8ACB210B42E44145A8C31F8E3DD765A3.exe (Acresso Software Inc.)

    ==================== Services (Whitelisted) ===================

    2 AcrSch2Svc; "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe" [1054568 2010-03-27] (Acronis)
    2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_1b06afce\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
    2 afcdpsrv; C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [2480048 2010-11-21] (Acronis)
    2 cmdAgent; "C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe" [2828408 2012-11-07] (COMODO)
    2 DragonUpdater; C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe [1853584 2012-09-28] ()
    2 HauppaugeTVServer; C:\PROGRA~2\WinTV\TVServer\HAUPPA~1.EXE [602624 2010-03-29] (Hauppauge Computer Works)
    2 jjtAutoLaunch; "C:\Program Files (x86)\Sound Devices\USBPre\Services\jjtAutoLaunch.exe" [114688 2002-01-22] (Sound Devices, LLC)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
    2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2012-07-24] ()
    2 Recovery Service for Windows; C:\Program Files (x86)\SMINST\BLService.exe [365952 2008-10-06] ()
    2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [241734 2008-06-29] ()
    2 ScrybeUpdater; "C:\Program Files (x86)\Synaptics\Scrybe\Service\ScrybeUpdater.exe" [1300264 2011-05-27] (Synaptics, Inc.)
    2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_1b06afce\STacSV64.exe [240640 2009-08-13] (IDT, Inc.)
    2 ThreatFire; C:\Program Files (x86)\ThreatFire\TFService.exe service [70928 2010-01-14] (PC Tools)
    2 TVCapSvc; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe" [296320 2008-09-24] ()
    2 TVSched; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe" [116096 2008-09-24] ()
    3 w7Svc; C:\Program Files (x86)\webcam 7\wService.exe /startedbyscm:5053B757-40E35B3B-webcam7SRV [4999680 2011-07-27] (Moonware Studios)
    2 AGCoreService; "C:\Program Files (x86)\AGI\core\4.2.0.10753\AGCoreService.exe" [x]

    ==================== Drivers (Whitelisted) =====================

    1 cmdGuard; C:\Windows\System32\Drivers\cmdGuard.sys [584056 2012-11-07] (COMODO)
    1 cmdHlp; C:\Windows\System32\Drivers\cmdHlp.sys [45872 2012-11-07] (COMODO)
    3 hcw72ADFilter; C:\Windows\System32\Drivers\hcw72ADFilter.sys [38656 2010-04-23] (Hauppauge Computer Works, Inc.)
    3 hcw72ATV; C:\Windows\System32\Drivers\hcw72ATV.sys [1631488 2010-04-23] (Hauppauge Computer Works, Inc.)
    3 hcw72DTV; C:\Windows\System32\Drivers\hcw72DTV.sys [1634176 2010-04-23] (Hauppauge Computer Works, Inc.)
    3 libusb0; C:\Windows\SysWow64\Drivers\libusb0.sys [28672 2011-08-26] (http://libusb-win32.sourceforge.net)
    0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)
    3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)
    0 tdrpman258; C:\Windows\System32\DRIVERS\tdrpm258.sys [1477728 2010-11-21] (Acronis)
    0 TfFsMon; C:\Windows\System32\Drivers\TfFsMon.sys [65072 2010-01-14] (PC Tools)
    3 TfNetMon; C:\Windows\System32\Drivers\TfNetMon.sys [41888 2010-01-14] (PC Tools)
    0 TfSysMon; C:\Windows\System32\Drivers\TfSysMon.sys [59880 2010-01-14] (PC Tools)
    2 {55662437-DA8C-40c0-AADA-2C816A897A49}; \??\C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [27632 2008-09-25] (Cyberlink Corp.)
    4 eabfiltr; [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2012-12-11 17:46 - 2012-12-11 17:46 - 00000000 ____D C:\FRST
    2012-12-09 20:41 - 2012-12-09 20:41 - 00003021 ____A C:\Users\Jose\Desktop\RKreport[2]_D_12092012_02d2341.txt
    2012-12-09 20:38 - 2012-12-09 20:38 - 00002918 ____A C:\Users\Jose\Desktop\RKreport[1]_S_12092012_02d2338.txt
    2012-12-09 20:36 - 2012-12-09 20:40 - 00000000 ____D C:\Users\Jose\Desktop\RK_Quarantine
    2012-12-09 20:34 - 2012-12-09 20:35 - 04732416 ____A (AVAST Software) C:\Users\Jose\Desktop\aswMBR.exe
    2012-12-09 20:34 - 2012-12-09 20:34 - 00753664 ____A C:\Users\Jose\Desktop\RogueKiller.exe
    2012-12-09 19:03 - 2012-12-09 19:03 - 00015931 ____A C:\Users\Jose\Desktop\dds.txt
    2012-12-09 19:03 - 2012-12-09 19:03 - 00013584 ____A C:\Users\Jose\Desktop\attach.txt
    2012-12-09 18:53 - 2012-12-09 18:53 - 00688992 ____R (Swearware) C:\Users\Jose\Desktop\dds.com
    2012-12-09 18:52 - 2012-12-09 18:52 - 00688992 ____A (Swearware) C:\Users\Jose\Downloads\dds.com


    ==================== One Month Modified Files and Folders =======

    2012-12-18 19:21 - 2012-12-18 19:21 - 00000000 ____D C:\Windows\System32\config\HiveBackup
    2012-12-11 17:46 - 2012-12-11 17:46 - 00000000 ____D C:\FRST
    2012-12-09 23:02 - 2008-01-20 19:26 - 00193650 ____A C:\Windows\PFRO.log
    2012-12-09 23:01 - 2009-02-12 14:44 - 01831480 ____A C:\Windows\WindowsUpdate.log
    2012-12-09 23:01 - 2008-10-22 23:45 - 00000012 ____A C:\Windows\bthservsdp.dat
    2012-12-09 23:01 - 2006-11-02 07:42 - 00032628 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-12-09 23:01 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-12-09 23:01 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-12-09 23:01 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-12-09 23:00 - 2006-11-02 05:34 - 00000000 ____D C:\Windows\tracing
    2012-12-09 22:04 - 2012-04-01 00:05 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-12-09 21:45 - 2012-09-25 21:20 - 00000000 ____D C:\Users\Jose\Local Settings\Windows Live
    2012-12-09 21:45 - 2012-09-25 21:20 - 00000000 ____D C:\Users\Jose\Local Settings\Application Data\Windows Live
    2012-12-09 21:45 - 2012-09-25 21:20 - 00000000 ____D C:\Users\Jose\AppData\Local\Windows Live
    2012-12-09 20:48 - 2012-11-23 05:50 - 00000000 ____D C:\Users\Jose\{945e8b33-257c-47a6-a7b1-1bea1374f118}
    2012-12-09 20:48 - 2006-11-02 05:34 - 00000000 ____D C:\Windows\System32\spool
    2012-12-09 20:48 - 2006-11-02 04:33 - 86245376 ____A C:\Windows\System32\config\software_previous
    2012-12-09 20:47 - 2006-11-02 05:33 - 00000000 ____D C:\Windows\registration
    2012-12-09 20:47 - 2006-11-02 04:33 - 26214400 ____A C:\Windows\System32\config\system_previous
    2012-12-09 20:41 - 2012-12-09 20:41 - 00003021 ____A C:\Users\Jose\Desktop\RKreport[2]_D_12092012_02d2341.txt
    2012-12-09 20:40 - 2012-12-09 20:36 - 00000000 ____D C:\Users\Jose\Desktop\RK_Quarantine
    2012-12-09 20:38 - 2012-12-09 20:38 - 00002918 ____A C:\Users\Jose\Desktop\RKreport[1]_S_12092012_02d2338.txt
    2012-12-09 20:35 - 2012-12-09 20:34 - 04732416 ____A (AVAST Software) C:\Users\Jose\Desktop\aswMBR.exe
    2012-12-09 20:34 - 2012-12-09 20:34 - 00753664 ____A C:\Users\Jose\Desktop\RogueKiller.exe
    2012-12-09 20:28 - 2006-11-02 04:33 - 00057344 ____A C:\Windows\System32\config\sam_previous
    2012-12-09 20:28 - 2006-11-02 04:33 - 00024576 ____A C:\Windows\System32\config\security_previous
    2012-12-09 19:05 - 2006-11-02 04:46 - 00756338 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-12-09 19:03 - 2012-12-09 19:03 - 00015931 ____A C:\Users\Jose\Desktop\dds.txt
    2012-12-09 19:03 - 2012-12-09 19:03 - 00013584 ____A C:\Users\Jose\Desktop\attach.txt
    2012-12-09 18:54 - 2006-11-02 07:27 - 00189181 ____A C:\Windows\setupact.log
    2012-12-09 18:53 - 2012-12-09 18:53 - 00688992 ____R (Swearware) C:\Users\Jose\Desktop\dds.com
    2012-12-09 18:52 - 2012-12-09 18:52 - 00688992 ____A (Swearware) C:\Users\Jose\Downloads\dds.com
    2012-12-09 18:48 - 2006-11-02 05:33 - 00000000 ____D C:\Windows\rescache
    2012-12-09 18:36 - 2012-11-23 05:47 - 00000000 ____D C:\Users\All Users\Comodo
    2012-12-09 18:36 - 2012-11-23 05:47 - 00000000 ____D C:\Users\All Users\Application Data\Comodo
    2012-12-09 18:34 - 2009-03-01 17:29 - 00000000 ____D C:\users\Jose
    2012-12-09 18:32 - 2006-11-02 07:21 - 00325464 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-12-09 18:29 - 2006-11-02 07:07 - 00000000 ____D C:\Windows\SysWOW64\XPSViewer
    2012-12-09 18:28 - 2006-11-02 07:07 - 00000000 ____D C:\Program Files\Windows Journal
    2012-12-09 17:25 - 2006-11-02 04:33 - 55574528 ____A C:\Windows\System32\config\components_previous
    2012-12-09 17:25 - 2006-11-02 04:33 - 00524288 ____A C:\Windows\System32\config\default_previous


    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-10-08 22:26:41
    Restore point made on: 2012-10-10 22:42:47
    Restore point made on: 2012-11-12 00:44:20
    Restore point made on: 2012-11-19 20:39:37
    Restore point made on: 2012-11-21 16:06:14
    Restore point made on: 2012-11-21 16:35:25
    Restore point made on: 2012-11-22 01:58:39
    Restore point made on: 2012-11-22 09:16:18
    Restore point made on: 2012-11-22 13:57:29
    Restore point made on: 2012-11-22 14:42:25
    Restore point made on: 2012-11-22 16:23:52
    Restore point made on: 2012-11-23 05:18:55
    Restore point made on: 2012-11-23 05:51:24
    Restore point made on: 2012-12-09 15:07:43

    ==================== Memory info ===========================

    Percentage of memory in use: 32%
    Total physical RAM: 1789.02 MB
    Available physical RAM: 1209.86 MB
    Total Pagefile: 1535.46 MB
    Available Pagefile: 1183.55 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ==================== Partitions =============================

    1 Drive c: () (Fixed) (Total:285.18 GB) (Free:115.99 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (RECOVERY) (Fixed) (Total:12.9 GB) (Free:2.02 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive f: (My 1GB) (Removable) (Total:0.93 GB) (Free:0.75 GB) FAT
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 298 GB 1024 KB
    Disk 1 Online 954 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 285 GB 1024 KB
    Partition 2 Primary 13 GB 285 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 285 GB Healthy

    =========================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D RECOVERY NTFS Partition 13 GB Healthy

    =========================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 953 MB 4096 B

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0E
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F My 1GB FAT Removable 953 MB Healthy

    =========================================================

    Last Boot: 2012-12-09 18:38

    ==================== End Of Log =============================
  14. Broni Malware Annihilator Posts: 39,349   +175

    Download the attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    See if you can boot normally.

    Attached Files:

  15. Sistrunk Newcomer, in training Posts: 69

    Man, you're good!! Finally a successful boot!
    What's next?

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-12-2012
    Ran by SYSTEM at 2012-12-27 17:34:41 Run:4
    Running from F:\

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored successfully .
    C:\Windows\System32\consrv.dll not found.

    ==== End of Fixlog ====
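The Fixlog in the post above is the turning point of this thread: FRST restored the Session Manager `SubSystems\Windows` value and went looking for `C:\Windows\System32\consrv.dll`, and the machine booted on the next try. The 2012 ZeroAccess variant that FRST flagged works by editing that value, swapping the console server entry `ServerDll=winsrv:ConServerDllInitialization,2` for `ServerDll=consrv:ConServerDllInitialization,2` so that csrss.exe loads the malware's consrv.dll at startup. If consrv.dll is later deleted while the value still names it, csrss cannot start and Windows bugchecks and reboots, which matches the reboot-after-logo symptom described earlier. The following is an added example, not code from the thread, from FRST or from RogueKiller: a Python check that parses the value into its `ServerDll=` entries and flags any module Windows itself does not register. The clean value is reconstructed from memory as a Vista x64 default and is an assumption rather than a copy from this machine; the hijacked sample is constructed to show the consrv swap.

```python
"""Check a Session Manager SubSystems\\Windows value for a hijacked CSRSS
server DLL, the technique ZeroAccess used in 2012 (consrv.dll in place of
winsrv.dll for the console server entry).

The value is one string of space-separated tokens; the ones that matter
are ServerDll=<module>[:<init function>],<id>.
"""
import re

# Server DLLs that Windows itself registers in this value (Vista/7 era).
# sxssrv appears on Windows 7; including it is an assumption that keeps
# the check usable there too.
KNOWN_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Assumed Vista x64 default, reconstructed from memory (not copied from
# the thread's machine). SharedSection sizes differ on x86.
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 "
    "ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 "
    "ProfileControl=Off MaxRequestThreads=16"
)

# Constructed hijacked sample in the shape ZeroAccess used: only the
# console server module name changes, so a casual glance misses it.
HIJACKED_VALUE = CLEAN_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)

SERVERDLL_RE = re.compile(r"^ServerDll=([^:,]+)(?::([^,]+))?,(\d+)$")


def parse_server_dlls(value):
    """Return [(module, init_function_or_None, id)] in the order listed."""
    entries = []
    for token in value.split():
        m = SERVERDLL_RE.match(token)
        if m:
            entries.append((m.group(1).lower(), m.group(2), int(m.group(3))))
    return entries


def suspicious_server_dlls(value):
    """Modules named in ServerDll= entries that Windows does not ship."""
    return sorted({mod for mod, _, _ in parse_server_dlls(value)
                   if mod not in KNOWN_SERVER_DLLS})


def check_subsystems_value(value):
    """Summarise whether the value looks hijacked.

    Two signals: an unknown module, and the console server no longer being
    provided by winsrv (the entry ZeroAccess redirected).
    """
    entries = parse_server_dlls(value)
    unknown = suspicious_server_dlls(value)
    console_is_winsrv = any(
        mod == "winsrv" and init == "ConServerDllInitialization"
        for mod, init, _ in entries
    )
    return {
        "hijacked": bool(unknown) or not console_is_winsrv,
        "unknown_server_dlls": unknown,
        "console_server_is_winsrv": console_is_winsrv,
    }


if __name__ == "__main__":
    for label, value in (("clean", CLEAN_VALUE), ("hijacked", HIJACKED_VALUE)):
        print(label, check_subsystems_value(value))
```

On a live Windows system the string to feed in is the `Windows` value (REG_EXPAND_SZ) under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems`, readable with the standard-library `winreg` module; when the box will not boot, as here, load the offline SYSTEM hive from a recovery environment and check every `ControlSetNNN`, since the RogueKiller reports in this thread show the same findings duplicated across control sets.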
  16. Broni Malware Annihilator Posts: 39,349   +175

    Super!

    Hold on. I need to scroll back to see what's next...
  17. Broni Malware Annihilator Posts: 39,349   +175

    Re-run RogueKiller and post new log.

    Next....

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
  18. Sistrunk Newcomer, in training Posts: 69

    Wow, that was a long scan. But here she is.
    aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
    Run date: 2012-12-27 17:58:04
    -----------------------------
    17:58:04.348 OS Version: Windows x64 6.0.6002 Service Pack 2
    17:58:04.348 Number of processors: 2 586 0x301
    17:58:04.364 ComputerName: RYAN-LAPTOP UserName: Jose
    17:58:06.844 Initialize success
    18:01:39.017 AVAST engine defs: 12122701
    18:01:46.453 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    18:01:46.478 Disk 0 Vendor: TOSHIBA_MK3252GSX LV011C Size: 305245MB BusType: 3
    18:01:46.630 Disk 0 MBR read successfully
    18:01:46.637 Disk 0 MBR scan
    18:01:46.651 Disk 0 unknown MBR code
    18:01:47.035 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 292028 MB offset 2048
    18:01:47.230 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 13213 MB offset 598075392
    18:01:47.311 Disk 0 scanning C:\Windows\system32\drivers
    18:02:29.643 Service scanning
    18:03:41.335 Modules scanning
    18:03:41.355 Disk 0 trace - called modules:
    18:03:41.391 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
    18:03:41.402 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005dcd790]
    18:03:41.414 3 CLASSPNP.SYS[fffffa6000a06c33] -> nt!IofCallDriver -> [0xfffffa8005cc31f0]
    18:03:41.429 5 hpdskflt.sys[fffffa6001fec2bd] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004d824b0]
    18:03:43.642 AVAST engine scan C:\Windows
    18:03:50.776 AVAST engine scan C:\Windows\system32
    18:15:19.264 AVAST engine scan C:\Windows\system32\drivers
    18:15:48.643 AVAST engine scan C:\Users\Jose
    20:01:01.622 AVAST engine scan C:\ProgramData
    20:22:56.732 Scan finished successfully
    20:39:22.262 Disk 0 MBR has been saved successfully to "C:\Users\Jose\Desktop\MBR.dat"
    20:39:22.274 The log file has been saved successfully to "C:\Users\Jose\Desktop\aswMBR.txt"
  19. Broni Malware Annihilator Posts: 39,349   +175

  20. Sistrunk Newcomer, in training Posts: 69

    RogueKiller V8.4.1 [Dec 27 2012] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/
    Operating
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 8 ¤¤¤
    [PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (127.0.0.1:5555) -> NOT REMOVED, USE PROXYFIX
    [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{117FB9A4-AC77-4B87-888C-04DCEBA4D039} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX
    [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{4C8822D5-7D54-4BE8-B6EF-DEA9659094A3} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX
    [DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{117FB9A4-AC77-4B87-888C-04DCEBA4D039} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX
    [DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{4C8822D5-7D54-4BE8-B6EF-DEA9659094A3} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX
    [HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [NOT LOADED] ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts
    127.0.0.1 localhost
    ::1 localhost

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: TOSHIBA MK3252GSX ATA Device +++++
    --- User ---
    [MBR] b424df27bf04a85c6a2b283f75a9bf42
    [BSP] 0046ad4d393ab0194bcc5e4e3109c6c0 : Toshiba tatooed MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 292028 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 598075392 | Size: 13213 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[4]_D_12272012_02d2100.txt >>
    RKreport[1]_S_12092012_02d2338.txt ; RKreport[2]_D_12092012_02d2341.txt ; RKreport[3]_S_12272012_02d2100.txt ; RKreport[4]_D_12272012_02d2100.txt
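Comparing the first RogueKiller report in this thread with the one above by eye is error-prone: the ZeroAccess service entry and the Wow6432Node EnableLUA line are gone, EnableLUA was reset, the proxy and DNS entries are still there with "NOT REMOVED", and the control-set numbers changed between runs (ControlSet001/003 before, ControlSet001/002 after). The following is an added example, not code from the thread or from RogueKiller: a Python parser for the "Registry Entries" lines of a report, plus a comparison that sorts each finding into cleared, replaced or remaining. The sample lines are copied from the two reports posted in this thread; the line format they imply is an assumption about RogueKiller 8.x output, and masking of control-set numbers is my own normalisation choice.

```python
"""Parse the 'Registry Entries' section of RogueKiller reports and diff two
runs, so that whatever a fix left behind is listed explicitly.

Report line shapes, as seen in the reports posted in this thread:
  [CATEGORY] <key> : <value name> (<data>) -> STATUS
  [Services][ROGUE ST] <key> (<image path>) -> STATUS
"""
import re

# Lines copied from the first (scan-only) report in this thread.
BEFORE = r"""
[Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49} (C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl) -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (127.0.0.1:5555) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{117FB9A4-AC77-4B87-888C-04DCEBA4D039} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
[DNS] HKLM\[...]\ControlSet003\Services\Interfaces\{117FB9A4-AC77-4B87-888C-04DCEBA4D039} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
"""

# Lines copied from the delete-mode report posted after the FRST fix.
AFTER = r"""
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (127.0.0.1:5555) -> NOT REMOVED, USE PROXYFIX
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{117FB9A4-AC77-4B87-888C-04DCEBA4D039} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{117FB9A4-AC77-4B87-888C-04DCEBA4D039} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
"""

# One or more [TAG] groups, the target, then " -> STATUS".
LINE_RE = re.compile(
    r"^(?P<tags>(?:\[[^\]]+\])+)\s+(?P<target>.+?)\s+->\s+(?P<status>.+)$"
)
CONTROLSET_RE = re.compile(r"ControlSet\d{3}")


def parse_entries(report_text):
    """One dict per registry-entry line: tags, target, status."""
    entries = []
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "tags": re.findall(r"\[([^\]]+)\]", m.group("tags")),
            "target": m.group("target"),
            "status": m.group("status"),
        })
    return entries


def identity(entry):
    """Key used to match an entry across runs. Control-set numbers are
    masked because the numbering shifts after a hive restore or reboot
    (ControlSet003 in the first report became ControlSet002 in the second)."""
    return CONTROLSET_RE.sub("ControlSet###", entry["target"])


def compare_runs(before_text, after_text):
    """Classify the findings of the second run against the first.

    cleared   - flagged before, not flagged now (fixed outside RogueKiller)
    replaced  - RogueKiller reset the value itself ("REPLACED (...)")
    remaining - still flagged and not fixed ("FOUND", "NOT REMOVED ...")
    """
    before = {identity(e): e for e in parse_entries(before_text)}
    after = {identity(e): e for e in parse_entries(after_text)}
    cleared = sorted(k for k in before if k not in after)
    replaced = sorted(k for k, e in after.items()
                      if e["status"].startswith("REPLACED"))
    remaining = sorted(k for k, e in after.items()
                       if e["status"].startswith(("FOUND", "NOT REMOVED")))
    return {"cleared": cleared, "replaced": replaced, "remaining": remaining}


if __name__ == "__main__":
    for bucket, keys in compare_runs(BEFORE, AFTER).items():
        print(f"{bucket} ({len(keys)}):")
        for key in keys:
            print("   ", key)
```

Run against the two reports it lists the ZeroAccess service entry as cleared, EnableLUA as replaced, and the ProxyServer and interface NameServer entries as remaining, which is exactly the residue the "USE PROXYFIX" and "USE DNSFIX" statuses point at. Note that RogueKiller flags any static NameServer and any ProxyServer value; whether those particular settings are hostile or were put there by installed software still has to be decided by the person reading the report.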