TechSpot

System files integrity check and repair error 0x45d, possible virus

By JeffreyG
Mar 14, 2013
  1. I had a Windows update the other day and no other change since, other than website searching. I run Symantec Endpoint Protection and am up to date. I was able to use the computer yesterday, and when I turned it off at night it would not restart this morning. I do not want to reinstall Windows for fear that I have a virus that will perpetuate even if I reinstall Windows. Any suggestions would be greatly appreciated. I tried system recovery and can get a C: prompt. Thanks
  2. Broni

    Broni Malware Annihilator Posts: 46,743   +254

    It's not clear.
    You can't start it at all or it just happened once?
  3. JeffreyG

    JeffreyG TS Rookie Topic Starter Posts: 62

    I cannot start it at all. If I use F8 I can only start normally, which hangs up, or I get the blue screen with bad config sys info, or I can click automatically repair and it runs and I get error 0x45d. I tried system repair and let it run for hours without success.
  4. Broni

    What Windows version is it?
  5. JeffreyG

    Windows 7 and I am pretty sure 32 bit
  6. Broni

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flash drive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
  7. JeffreyG

    I will do this first thing in the morning and post it. Thanks for your help.
  8. JeffreyG

    Below is the log from FRST.exe

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2013
    Ran by SYSTEM at 15-03-2013 08:31:24
    Running from G:\
    Windows 7 Professional Service Pack 1 (X86) OS Language: English(US)
    The current controlset is ControlSet001
    ==================== Registry (Whitelisted) ===================
    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [10025576 2011-06-08] (Realtek Semiconductor)
    HKLM\...\Run: [NortonOnlineBackupReminder] "C:\Program Files\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED [600936 2009-06-29] (Symantec Corporation)
    HKLM\...\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe [563736 2009-06-18] (PDF Complete Inc)
    HKLM\...\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [115560 2010-10-29] (Symantec Corporation)
    HKLM\...\Run: [HP Color LaserJet CM2320 MFP Series Fax] C:\Program Files\HP\HP Color LaserJet CM2320 MFP Series\hppfaxprintersrv.exe "HP Color LaserJet CM2320 MFP Series Fax" [x]
    HKLM\...\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [63048 2010-05-31] (LogMeIn, Inc.)
    HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2010-12-28] (Advanced Micro Devices, Inc.)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
    HKLM\...\Run: [PowerPanel Personal Edition User Interaction] C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe [316864 2010-04-09] (Cyber Power Systems, Inc.)
    HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)
    HKLM\...\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe [1016464 2011-09-08] (Carbonite, Inc.)
    HKLM\...\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [2643320 2012-10-25] (Intuit Inc. All rights reserved.)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
    HKLM\...\Run: [CitrixReceiver] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk" [x]
    HKLM\...\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup [380088 2012-07-27] (Citrix Systems, Inc.)
    HKLM\...\Run: [IndexSearch] "C:\Program Files\Nuance\PaperPort\IndexSearch.exe" [46368 2010-03-08] (Nuance Communications, Inc.)
    HKLM\...\Run: [PaperPort PTD] "C:\Program Files\Nuance\PaperPort\pptd40nt.exe" [29984 2010-03-08] (Nuance Communications, Inc.)
    HKLM\...\Run: [PPort12reminder] "C:\Program Files\Nuance\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\12\Config\Ereg\Ereg.ini" [376 2013-03-13] ()
    HKLM\...\Run: [PDFHook] C:\Program Files\Nuance\PDF Viewer Plus\pdfpro5hook.exe [636192 2010-03-05] (Nuance Communications, Inc.)
    HKLM\...\Run: [PDF5 Registry Controller] C:\Program Files\Nuance\PDF Viewer Plus\RegistryController.exe [62752 2010-03-05] (Nuance Communications, Inc.)
    HKLM\...\Run: [ControlCenter4] C:\Program Files\ControlCenter4\BrCcBoot.exe /autorun [139264 2011-04-20] (Brother Industries, Ltd.)
    HKLM\...\Run: [BrStsMon00] C:\Program Files\Browny02\Brother\BrStMonW.exe /AUTORUN [2621440 2010-06-10] (Brother Industries, Ltd.)
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.)
    HKLM\...\Run: [Regedit32] C:\Windows\system32\regedit.exe [x]
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
    HKU\administrator\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-01-27] (Google Inc.)
    HKU\administrator\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [x]
    HKU\administrator\...\Run: [Google Update] "C:\Users\drgewirtz\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-07-28] (Google Inc.)
    HKU\administrator\...\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [222496 2009-05-05] (Acresso Corporation)
    HKU\drgewirtz\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-01-27] (Google Inc.)
    HKU\drgewirtz\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [x]
    HKU\drgewirtz\...\Run: [Google Update] "C:\Users\drgewirtz\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-07-28] (Google Inc.)
    HKU\drgewirtz\...\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [222496 2009-05-05] (Acresso Corporation)
    HKU\drgewirtz\...\Run: [{08A203E4-B50A-AD7F-CD83-AF89D6D58C94}] C:\Users\drgewirtz\AppData\Roaming\Noisi\cuyx.exe [352768 2010-11-02] (?????????? ??????????)
    HKU\drgewirtz\...\Run: [nixpezoxwigu] C:\Users\drgewirtz\nixpezoxwigu.exe [43984 2013-03-07] ()
    HKU\Office\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-01-27] (Google Inc.)
    HKU\Office\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [x]
    HKU\Office\...\Run: [Google Update] "C:\Users\drgewirtz\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-07-28] (Google Inc.)
    HKU\Office\...\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [222496 2009-05-05] (Acresso Corporation)
    Tcpip\Parameters: [DhcpNameServer] 167.206.245.129 167.206.245.130
    AppInit_DLLs: C:\PROGRA~1\Citrix\ICACLI~1\RSHook.dll
    Tcpip\..\Interfaces\{42E0AB8B-0713-409B-8232-95614B27EFCB}: [NameServer]192.168.111.16,192.168.111.1
    Startup: C:\ProgramData\Start Menu\Programs\Startup\Intuit Data Protect.lnk
    ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
    Startup: C:\ProgramData\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
    Startup: C:\ProgramData\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
    ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2012\QBW32.EXE (Intuit Inc.)
    Startup: C:\Users\drgewirtz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Citrix Receiver.lnk
    ShortcutTarget: Citrix Receiver.lnk -> C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe (Citrix Systems, Inc.)
    Startup: C:\Users\drgewirtz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> (No File)
    Startup: C:\Users\drgewirtz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
    ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
    ==================== Services (Whitelisted) ===================
    2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe /launchService [284160 2010-12-28] (Advanced Micro Devices, Inc.)
    2 AMD Reservation Manager; "C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe" [140224 2010-06-17] (Advanced Micro Devices)
    2 AMD_RAIDXpert; "C:\Program Files\AMD\RAIDXpert\bin\RAIDXpertService.exe" -s [122880 2009-03-15] (AMD)
    2 BrcmMgmtAgent; "C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe" -service [110592 2009-07-10] (Broadcom Corporation)
    3 BrYNSvc; "C:\Program Files\Browny02\BrYNSvc.exe" [245760 2010-01-25] (Brother Industries, Ltd.)
    2 CarboniteService; "C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe" [3908752 2011-09-08] (Carbonite, Inc. (www.carbonite.com))
    2 ccEvtMgr; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108392 2010-10-29] (Symantec Corporation)
    2 ccSetMgr; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108392 2010-10-29] (Symantec Corporation)
    3 DMService; C:\Windows\DOWNLO~1\DMService.exe [468368 2011-03-16] (Microsoft ® Corporation)
    2 Hp.Skyroom.Windows.Service; "C:\Program Files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe" -startService [124984 2009-11-20] (Hewlett-Packard)
    3 LiveUpdate; "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" [3093880 2010-02-17] (Symantec Corporation)
    2 pdfcDispatcher; C:\Program Files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService [635416 2009-06-18] (PDF Complete Inc)
    2 PDFProFiltSrvPP; C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe [144672 2010-03-08] (Nuance Communications, Inc.)
    2 ppped; "C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe" [918976 2010-04-16] (Cyber Power Systems, Inc.)
    2 QBVSS; "C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe" [1248256 2011-08-19] (Intuit Inc.)
    2 SmcService; "C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" [1881368 2010-10-29] (Symantec Corporation)
    4 SNAC; "C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" [349512 2010-10-29] (Symantec Corporation)
    2 Symantec AntiVirus; "C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe" [1831024 2010-10-29] (Symantec Corporation)
    2 uagqecsvc; C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe [149904 2009-12-14] (Microsoft ® Corporation)
    2 rgsender; "c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe" -l logSetup [x]
    ==================== Drivers (Whitelisted) ====================
    0 ahcix86s; C:\Windows\system32\DRIVERS\ahcix86s.sys [185912 2009-10-20] (Advanced Micro Devices, Inc)
    3 Blfp; C:\Windows\System32\DRIVERS\basp.sys [84992 2009-05-11] (Broadcom Corporation)
    1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-02-14] (Symantec Corporation)
    3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2013-02-14] (Symantec Corporation)
    3 NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20130311.004\NAVENG.SYS [93296 2013-02-14] (Symantec Corporation)
    3 NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20130311.004\NAVEX15.SYS [1603824 2013-02-14] (Symantec Corporation)
    3 SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2010-10-29] (Symantec Corporation)
    1 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [283184 2010-10-29] (Symantec Corporation)
    3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [320944 2010-10-29] (Symantec Corporation)
    1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43696 2010-10-29] (Symantec Corporation)
    3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [124976 2013-03-11] (Symantec Corporation)
    3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [26416 2010-10-29] (Symantec Corporation)
    1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [188080 2010-10-29] (Symantec Corporation)
    4 LMIRfsClientNP; [x]
    ==================== NetSvcs (Whitelisted) ===================

    ==================== One Month Created Files and Folders ========
    2013-03-15 08:31 - 2013-03-15 08:31 - 00000000 ____D C:\FRST
    2013-03-13 08:16 - 2013-02-01 20:09 - 12321792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2013-03-13 08:16 - 2013-02-01 19:42 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2013-03-13 08:16 - 2013-02-01 19:38 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2013-03-13 08:16 - 2013-02-01 19:31 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2013-03-13 08:16 - 2013-02-01 19:30 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2013-03-13 08:16 - 2013-02-01 19:30 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2013-03-13 08:16 - 2013-02-01 19:29 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2013-03-13 08:16 - 2013-02-01 19:27 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2013-03-13 08:16 - 2013-02-01 19:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2013-03-13 08:16 - 2013-02-01 19:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
    2013-03-13 08:16 - 2013-02-01 19:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2013-03-13 08:16 - 2013-02-01 19:25 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2013-03-13 08:16 - 2013-02-01 19:23 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2013-03-13 08:16 - 2013-02-01 19:23 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2013-03-13 08:16 - 2013-02-01 19:23 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2013-03-13 08:16 - 2013-02-01 19:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2013-03-13 07:03 - 2013-03-13 07:03 - 13230080 ____A C:\Users\drgewirtz\Documents\Jeffrey B Gewirtz, DPM, LLC (Backup Mar 13,2013 11 02 AM).QBB
    2013-03-12 14:23 - 2013-03-12 14:23 - 15859416 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
    2013-03-09 08:47 - 2013-03-09 08:47 - 00262560 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
    2013-03-09 08:47 - 2013-03-09 08:47 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
    2013-03-09 08:47 - 2013-03-09 08:47 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\java.exe
    2013-03-09 08:47 - 2013-03-09 08:47 - 00094112 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
    2013-03-08 18:34 - 2013-03-08 18:34 - 00002566 ____A C:\Users\Public\Documents\encryptdoc.pfx
    2013-03-08 09:36 - 2013-03-08 09:36 - 13172736 ____A C:\Users\drgewirtz\Documents\Jeffrey B Gewirtz, DPM, LLC (Backup Mar 08,2013 12 36 PM).QBB
    2013-03-07 07:31 - 2013-03-07 07:31 - 00043984 ____A C:\Users\drgewirtz\nixpezoxwigu.exe
    2013-03-06 10:32 - 2013-03-06 10:32 - 00000000 ____A C:\Users\drgewirtz\Documents\Nuance Image Printer Writer Port
    2013-03-05 10:12 - 2013-03-05 10:12 - 00000000 _RASH C:\MSDOS.SYS
    2013-03-05 10:12 - 2013-03-05 10:12 - 00000000 _RASH C:\IO.SYS
    2013-02-26 15:13 - 2013-02-26 15:13 - 12996608 ____A C:\Users\drgewirtz\Documents\Jeffrey B Gewirtz, DPM, LLC (Backup Feb 26,2013 06 12 PM).QBB
    2013-02-21 09:17 - 2013-02-21 09:17 - 00001755 ____A C:\Users\Public\Desktop\iTunes.lnk
    2013-02-21 09:16 - 2013-02-21 09:17 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
    2013-02-21 09:16 - 2013-02-21 09:17 - 00000000 ____D C:\Program Files\iTunes
    2013-02-21 09:16 - 2013-02-21 09:16 - 00000000 ____D C:\Program Files\iPod
    2013-02-21 08:36 - 2013-02-21 08:36 - 00000000 ____A C:\t15o.2
    2013-02-13 07:12 - 2013-01-03 19:00 - 02347008 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2013-02-13 07:11 - 2013-01-04 21:00 - 03967848 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
    2013-02-13 07:11 - 2013-01-04 21:00 - 03913064 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2013-02-13 07:11 - 2013-01-03 20:50 - 00169984 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
    2013-02-13 07:11 - 2013-01-02 21:05 - 01293672 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
    2013-02-13 07:11 - 2013-01-02 21:04 - 00187752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
    ==================== One Month Modified Files and Folders ========
    2013-03-14 11:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\LogFiles
    2013-03-13 12:10 - 2010-10-25 12:51 - 01499510 ____A C:\Windows\WindowsUpdate.log
    2013-03-13 12:05 - 2010-10-29 08:28 - 00000120 ____A C:\Windows\System32\config\netlogon.ftl
    2013-03-13 12:01 - 2011-01-27 11:06 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-03-13 11:54 - 2011-08-22 07:02 - 00000924 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3576482904-1308803037-2723772800-1000UA.job
    2013-03-13 11:23 - 2012-04-02 07:07 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-03-13 11:16 - 2010-10-29 20:41 - 00000000 ____D C:\Users\drgewirtz\AppData\Local\PDFC
    2013-03-13 10:00 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
    2013-03-13 09:16 - 2010-10-29 21:31 - 00002008 ____A C:\Users\drgewirtz\Documents\Default.rdp
    2013-03-13 08:48 - 2010-11-01 18:10 - 00000000 ____D C:\Users\drgewirtz\AppData\Local\Deployment
    2013-03-13 08:47 - 2011-08-24 12:17 - 00000000 ___RD C:\Users\drgewirtz\Dropbox
    2013-03-13 08:47 - 2011-08-24 12:13 - 00000000 ____D C:\Users\drgewirtz\AppData\Roaming\Dropbox
    2013-03-13 08:47 - 2011-01-27 11:06 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-03-13 08:40 - 2009-07-13 20:34 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-03-13 08:40 - 2009-07-13 20:34 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-03-13 08:38 - 2009-07-25 04:54 - 00782838 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-03-13 08:32 - 2011-08-30 06:47 - 00000000 ____D C:\Program Files\CyberPower PowerPanel Personal Edition
    2013-03-13 08:32 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-03-13 08:32 - 2009-07-13 20:39 - 00059403 ____A C:\Windows\setupact.log
    2013-03-13 08:31 - 2011-07-11 13:18 - 00000000 ____D C:\Program Files\Microsoft Silverlight
    2013-03-13 08:31 - 2010-10-25 10:38 - 00055346 ____A C:\Windows\PFRO.log
    2013-03-13 08:21 - 2010-11-04 10:45 - 00000000 ____D C:\ProgramData\LogMeIn
    2013-03-13 08:21 - 2010-10-25 09:54 - 00000000 ____D C:\ProgramData\Microsoft Help
    2013-03-13 08:18 - 2010-11-02 20:11 - 69796088 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2013-03-13 07:03 - 2013-03-13 07:03 - 13230080 ____A C:\Users\drgewirtz\Documents\Jeffrey B Gewirtz, DPM, LLC (Backup Mar 13,2013 11 02 AM).QBB
    2013-03-13 03:54 - 2011-08-22 07:02 - 00000872 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3576482904-1308803037-2723772800-1000Core.job
    2013-03-12 14:23 - 2013-03-12 14:23 - 15859416 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
    2013-03-12 14:23 - 2012-04-02 07:07 - 00693976 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2013-03-12 14:23 - 2011-05-16 05:00 - 00073432 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2013-03-12 13:33 - 2010-11-03 16:55 - 00000052 ____A C:\Windows\System32\DOErrors.log
    2013-03-12 10:26 - 2012-12-07 08:26 - 00000000 ____D C:\Users\drgewirtz\Documents\pathology project
    2013-03-11 20:29 - 2010-10-25 09:58 - 00000000 ____D C:\ProgramData\PDFC
    2013-03-11 11:51 - 2010-10-29 07:21 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
    2013-03-11 11:14 - 2010-10-29 07:22 - 00124976 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
    2013-03-11 11:14 - 2010-10-29 07:22 - 00007456 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
    2013-03-11 11:14 - 2010-10-25 12:55 - 00000000 ____D C:\Program Files\Symantec
    2013-03-09 08:47 - 2013-03-09 08:47 - 00262560 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
    2013-03-09 08:47 - 2013-03-09 08:47 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
    2013-03-09 08:47 - 2013-03-09 08:47 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\java.exe
    2013-03-09 08:47 - 2013-03-09 08:47 - 00094112 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
    2013-03-09 08:47 - 2012-06-07 11:53 - 00861088 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
    2013-03-09 08:47 - 2010-11-15 11:48 - 00782240 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
    2013-03-09 08:44 - 2010-10-29 20:39 - 00000000 ___AD C:\users\drgewirtz
    2013-03-08 18:34 - 2013-03-08 18:34 - 00002566 ____A C:\Users\Public\Documents\encryptdoc.pfx
    2013-03-08 09:36 - 2013-03-08 09:36 - 13172736 ____A C:\Users\drgewirtz\Documents\Jeffrey B Gewirtz, DPM, LLC (Backup Mar 08,2013 12 36 PM).QBB
    2013-03-08 06:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
    2013-03-07 08:47 - 2010-11-02 10:59 - 00000000 ____D C:\Users\drgewirtz\AppData\Roaming\Noisi
    2013-03-07 07:31 - 2013-03-07 07:31 - 00043984 ____A C:\Users\drgewirtz\nixpezoxwigu.exe
    2013-03-06 10:32 - 2013-03-06 10:32 - 00000000 ____A C:\Users\drgewirtz\Documents\Nuance Image Printer Writer Port
    2013-03-05 13:06 - 2010-12-02 11:52 - 00000000 ____D C:\Users\drgewirtz\Documents\Outlook Files
    2013-03-05 10:12 - 2013-03-05 10:12 - 00000000 _RASH C:\MSDOS.SYS
    2013-03-05 10:12 - 2013-03-05 10:12 - 00000000 _RASH C:\IO.SYS
    2013-03-04 21:56 - 2011-08-22 07:03 - 00002352 ____A C:\Users\drgewirtz\Desktop\Google Chrome.lnk
    2013-03-01 07:07 - 2011-07-13 09:31 - 00000336 ____A C:\Windows\Tasks\HPCeeScheduleFordrgewirtz.job
    2013-02-28 12:47 - 2012-11-13 06:04 - 00000426 ____A C:\Windows\BRWMARK.INI
    2013-02-28 10:34 - 2012-12-12 15:00 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-02-28 10:34 - 2012-06-01 04:56 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2013-02-28 10:30 - 2011-09-26 05:38 - 00000000 ____D C:\Users\drgewirtz\Documents\Personal
    2013-02-26 15:13 - 2013-02-26 15:13 - 12996608 ____A C:\Users\drgewirtz\Documents\Jeffrey B Gewirtz, DPM, LLC (Backup Feb 26,2013 06 12 PM).QBB
    2013-02-25 12:55 - 2013-02-08 07:52 - 00000000 ____D C:\Users\drgewirtz\Documents\credentialling
    2013-02-21 15:32 - 2009-07-13 18:04 - 00000522 ____A C:\Windows\win.ini
    2013-02-21 09:17 - 2013-02-21 09:17 - 00001755 ____A C:\Users\Public\Desktop\iTunes.lnk
    2013-02-21 09:17 - 2013-02-21 09:16 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
    2013-02-21 09:17 - 2013-02-21 09:16 - 00000000 ____D C:\Program Files\iTunes
    2013-02-21 09:16 - 2013-02-21 09:16 - 00000000 ____D C:\Program Files\iPod
    2013-02-21 09:16 - 2011-08-18 12:22 - 00000000 ____D C:\Program Files\Common Files\Apple
    2013-02-21 09:14 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
    2013-02-21 08:36 - 2013-02-21 08:36 - 00000000 ____A C:\t15o.2
    2013-02-14 09:17 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
    2013-02-14 07:07 - 2009-07-13 20:33 - 00484976 ____A C:\Windows\System32\FNTCACHE.DAT

    ==================== Known DLLs (Whitelisted) =================

    ==================== Bamital & volsnap Check =================
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ==================== Restore Points =========================

    ==================== Memory info ===========================
    Percentage of memory in use: 15%
    Total physical RAM: 3583.39 MB
    Available physical RAM: 3044.86 MB
    Total Pagefile: 3581.68 MB
    Available Pagefile: 3086.14 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1960.68 MB
    ==================== Partitions =============================
    1 Drive c: (OS) (Fixed) (Total:139.85 GB) (Free:69.35 GB) NTFS
    2 Drive e: (HP_RECOVERY) (Fixed) (Total:7.19 GB) (Free:0.8 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive f: (GSP1RMCPRFREO_EN_DVD) (CDROM) (Total:2.39 GB) (Free:0 GB) UDF
    4 Drive g: (0704120902) (Removable) (Total:1.92 GB) (Free:0.37 GB) FAT
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    6 Drive y: (SYSTEM) (Fixed) (Total:2 GB) (Free:1.68 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 149 GB 9 MB
    Disk 1 Online 1968 MB 0 B
    Partitions of Disk 0:
    ===============
    Disk ID: DA7766AF
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 2047 MB 1024 KB
    Partition 2 Primary 139 GB 2048 MB
    Partition 3 Primary 7360 MB 141 GB
    =========================================================
    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y SYSTEM NTFS Partition 2047 MB Healthy
    =========================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C OS NTFS Partition 139 GB Healthy
    =========================================================
    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E HP_RECOVERY NTFS Partition 7360 MB Healthy
    =========================================================
    Partitions of Disk 1:
    ===============
    Disk ID: A83B35C6
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 1967 MB 16 KB
    =========================================================
    Disk: 1
    Partition 1
    Type : 0E
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 G 0704120902 FAT Removable 1967 MB Healthy
    =========================================================
    ============================== MBR Partition Table ==================
    ==============================
    Partitions of Disk 0:
    ===============
    Disk ID: DA7766AF
    Partition 1:
    =========
    Hex: 80202100071550050008000000F83F00
    Active: YES
    Type: 07 (NTFS)
    Size: 2 GB
    Partition 2:
    =========
    Hex: 0015510507FEFFFF0000400000487B11
    Active: NO
    Type: 07 (NTFS)
    Size: 140 GB
    Partition 3:
    =========
    Hex: 00FEFFFF07FEFFFF0048BB110000E600
    Active: NO
    Type: 07 (NTFS)
    Size: 7 GB
    ==============================
    Partitions of Disk 1:
    ===============
    Disk ID: A83B35C6
    Partition 1:
    =========
    Hex: 800101000E0FA0BF20000000E07F3D00
    Active: YES
    Type: 0E
    Size: 2 GB

    Last Boot: 2013-03-04 21:59
    ==================== End Of Log ============================
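    A triage pass over the Run entries in the log above, as an added example (not code from the thread, TechSpot or Farbar): it parses the layout FRST prints for autostart lines and scores each one with the heuristics that single out the three entries the fix in the next post removes. The sample lines are copied from the posted log; the weights, the threshold and the name-randomness test are assumptions of this example.

```python
"""Triage of autostart entries in an FRST 'Registry (Whitelisted)' section.

Added example for this thread, not code from TechSpot, Farbar or the
thread's participants. SAMPLE_LOG is constructed from lines copied from
the log posted above; weights and heuristics are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [10025576 2011-06-08] (Realtek Semiconductor)
HKLM\...\Run: [HP Color LaserJet CM2320 MFP Series Fax] C:\Program Files\HP\HP Color LaserJet CM2320 MFP Series\hppfaxprintersrv.exe "HP Color LaserJet CM2320 MFP Series Fax" [x]
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM\...\Run: [Regedit32] C:\Windows\system32\regedit.exe [x]
HKU\drgewirtz\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [x]
HKU\drgewirtz\...\Run: [Google Update] "C:\Users\drgewirtz\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-07-28] (Google Inc.)
HKU\drgewirtz\...\Run: [{08A203E4-B50A-AD7F-CD83-AF89D6D58C94}] C:\Users\drgewirtz\AppData\Roaming\Noisi\cuyx.exe [352768 2010-11-02] (?????????? ??????????)
HKU\drgewirtz\...\Run: [nixpezoxwigu] C:\Users\drgewirtz\nixpezoxwigu.exe [43984 2013-03-07] ()
"""

# FRST Run line: <hive>\...\Run: [<value name>] <command> [<size> <date>] (<publisher>)
# or, when the target file does not exist on disk:  <command> [x]
RUN_RE = re.compile(r'^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.*)$')
SIGNED_RE = re.compile(r'^(?P<cmd>.*?)\s*\[(?P<size>\d+) (?P<date>[\d-]+)\]\s*\((?P<pub>.*)\)$')
MISSING_RE = re.compile(r'^(?P<cmd>.*?)\s*\[x\]$')

GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
PROFILE_ROOT_RE = re.compile(r'^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+$', re.IGNORECASE)
ROAMING_RE = re.compile(r'\\AppData\\Roaming\\', re.IGNORECASE)
# Built-in tools that no installed product registers under Run by itself (assumed list)
SYSTEM_TOOLS = {'regedit.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'}


@dataclass
class Entry:
    hive: str
    name: str
    path: str
    publisher: Optional[str]          # None when FRST reported the file missing ([x])
    score: int = 0
    reasons: list = field(default_factory=list)

    def flag(self, weight, why):
        self.score += weight
        self.reasons.append(why)


def exe_path(cmd):
    """Pull the launched file out of a command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.(?:exe|lnk|dll|cpl))(?=\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(' ')[0]


def parse_run_line(line):
    m = RUN_RE.match(line.strip())
    if not m:
        return None
    rest = m.group('rest')
    s = SIGNED_RE.match(rest)
    if s:
        return Entry(m.group('hive'), m.group('name'), exe_path(s.group('cmd')), s.group('pub').strip())
    x = MISSING_RE.match(rest)
    if x:
        return Entry(m.group('hive'), m.group('name'), exe_path(x.group('cmd')), None)
    return None


def score(entry):
    """Apply the by-eye heuristics a malware helper uses on an FRST Run list."""
    name, path = entry.name, entry.path
    base = path.rsplit('\\', 1)[-1].lower()
    if GUID_RE.match(name):
        entry.flag(2, 'GUID-style value name')
    if name.isalpha() and name.islower() and len(name) >= 8:   # crude randomness test
        entry.flag(2, 'random-looking lowercase value name')
    if entry.publisher is None:
        entry.flag(1, 'target file missing ([x])')
    elif not entry.publisher or '?' in entry.publisher:
        entry.flag(2, 'no readable publisher')
    if ROAMING_RE.search(path):
        entry.flag(2, 'runs from AppData\\Roaming')
    elif PROFILE_ROOT_RE.match(path):
        entry.flag(2, 'runs from the root of a user profile')
    if base in SYSTEM_TOOLS:
        entry.flag(2, 'system tool started directly from Run')
    return entry


def triage(log_text, threshold=3):
    """Return the Run entries whose combined score reaches the threshold, in log order."""
    entries = [parse_run_line(line) for line in log_text.splitlines()]
    return [e for e in (score(e) for e in entries if e) if e.score >= threshold]


if __name__ == '__main__':
    for e in triage(SAMPLE_LOG):
        print(f'{e.score}  {e.hive}  [{e.name}]  {e.path}  <- {"; ".join(e.reasons)}')
```

    A missing-file entry such as MobileDocuments scores only 1 on its own, which is why the orphaned HP and Apple entries stay below the threshold while Regedit32 crosses it.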
  9. Broni

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    See if you can boot normally.

    Attached Files:

  10. JeffreyG

    JeffreyG TS Rookie Topic Starter Posts: 62

    Thank you. The computer started and the log is below. When I ran the FRST tool I saw the virus name right away.

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2013
    Ran by SYSTEM at 2013-03-15 19:15:41 Run:1
    Running from G:\

    ==============================================

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Regedit32 Value deleted successfully.
    HKEY_USERS\drgewirtz\Software\Microsoft\Windows\CurrentVersion\Run\\{08A203E4-B50A-AD7F-CD83-AF89D6D58C94} Value deleted successfully.
    HKEY_USERS\drgewirtz\Software\Microsoft\Windows\CurrentVersion\Run\\nixpezoxwigu Value deleted successfully.
    C:\Users\drgewirtz\AppData\Roaming\Noisi\cuyx.exe moved successfully.
    C:\Users\drgewirtz\nixpezoxwigu.exe moved successfully.

    ==== End of Fixlog ====
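The Fixlog above records three Run-key persistence values (one under HKLM, two in the user's hive: a GUID-shaped name and nixpezoxwigu) and two executables in the user profile (AppData\Roaming\Noisi\cuyx.exe and nixpezoxwigu.exe at the profile root). As an added example that is not part of this thread and not FRST's code, here is a Python triage routine that scores autorun entries on exactly the traits those values show: image in a user-writable location, GUID-shaped value name, a name that mimics a Windows tool (Regedit32) while the image sits outside %SystemRoot%, and an unbroken lowercase blob of a name. The weights, the threshold and the definition of "user-writable" are my assumptions. The sample entries are constructed: the names and paths are the ones in the Fixlog, but the Fixlog does not show which executable each value launched, so that pairing is illustrative, and VendorAgent is a made-up benign control.

```python
"""Score Run-key autorun entries on the traits shown in the Fixlog above.

Added example: my own code, not part of this thread and not FRST.
Weights, threshold and the 'user-writable' definition are assumptions.
SAMPLE_RUN_ENTRIES is constructed: the value names and file paths are the
ones the Fixlog lists, but the pairing of each value with a command line is
illustrative (the Fixlog does not show it), and VendorAgent is a made-up
benign control.
"""
import re
from typing import List, NamedTuple, Tuple

# Locations a non-admin user can write to. AppData\Local vendor dirs also
# match, so treat a hit as a triage signal, not a verdict.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata\\(roaming|locallow|local)\\|[^\\]+$)"
    r"|\\programdata\\|\\temp\\|\\tmp\\", re.I)
GUID_NAME = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
LOWER_BLOB = re.compile(r"[a-z]{10,}")
# Names of Windows binaries that malware borrows for its autorun value
LOOKALIKE = ("regedit", "svchost", "explorer", "winlogon", "csrss", "lsass", "rundll32")

SAMPLE_RUN_ENTRIES: List[Tuple[str, str, str]] = [  # constructed, see docstring
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Regedit32",
     r"C:\Users\drgewirtz\AppData\Roaming\Noisi\cuyx.exe"),
    (r"HKU\drgewirtz\Software\Microsoft\Windows\CurrentVersion\Run",
     "{08A203E4-B50A-AD7F-CD83-AF89D6D58C94}",
     r"C:\Users\drgewirtz\AppData\Roaming\Noisi\cuyx.exe"),
    (r"HKU\drgewirtz\Software\Microsoft\Windows\CurrentVersion\Run", "nixpezoxwigu",
     r"C:\Users\drgewirtz\nixpezoxwigu.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "VendorAgent",
     r'"C:\Program Files\Vendor Tools\agent.exe" /minimized'),  # benign control
]


class Finding(NamedTuple):
    key: str
    name: str
    image: str
    score: int
    reasons: List[str]


def image_path(cmd: str) -> str:
    """Extract the executable from a Run command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r".+?\.exe", cmd, re.I)  # unquoted paths with spaces are common
    return m.group(0) if m else cmd.split(" ", 1)[0]


def impersonates(name: str, image: str) -> bool:
    """Value named after a Windows tool while the image is outside %SystemRoot%."""
    return name.lower().startswith(LOOKALIKE) and "\\windows\\" not in image.lower()


def triage(entries) -> List[Finding]:
    out = []
    for key, name, cmd in entries:
        image = image_path(cmd)
        hits = []  # (reason, weight); weights are assumptions
        if USER_WRITABLE.search(image):
            hits.append(("image in user-writable location", 2))
        if GUID_NAME.fullmatch(name):
            hits.append(("GUID-shaped value name", 2))
        if impersonates(name, image):
            hits.append(("name mimics a Windows tool outside %SystemRoot%", 3))
        if LOWER_BLOB.fullmatch(name):
            hits.append(("unbroken lowercase value name", 1))
        out.append(Finding(key, name, image, sum(w for _, w in hits), [r for r, _ in hits]))
    return out


def suspicious(entries, threshold: int = 2) -> List[Finding]:
    """Entries at or above the (assumed) alert threshold, highest score first."""
    return sorted((f for f in triage(entries) if f.score >= threshold),
                  key=lambda f: -f.score)


if __name__ == "__main__":
    for f in suspicious(SAMPLE_RUN_ENTRIES):
        print(f"[{f.score}] {f.key}\\{f.name} -> {f.image}")
        for r in f.reasons:
            print("      -", r)
```

On the constructed sample the three entries that the Fixlog removed score 5, 4 and 3 and the control scores 0. The same routine works on the output of an autorun listing from a live system or an offline hive; the rules are deliberately simple so that each reason printed can be checked by hand.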
  11. JeffreyG

    JeffreyG TS Rookie Topic Starter Posts: 62

    Sorry, the computer is still loading and the color window just goes in and out with no other activity.
  12. Broni

    Broni Malware Annihilator Posts: 46,743   +254

    See if you can start it properly in safe mode.
  13. JeffreyG

    JeffreyG TS Rookie Topic Starter Posts: 62

    Does not give me the option, only start normally or startup repair.
  14. Broni

    Broni Malware Annihilator Posts: 46,743   +254

    Go ahead with startup repair.
  15. JeffreyG

    JeffreyG TS Rookie Topic Starter Posts: 62

    Computer repaired and told me to restart. The color window is just spinning and I am waiting.
  16. JeffreyG

    JeffreyG TS Rookie Topic Starter Posts: 62

    I restarted the computer without the Windows CD and it does not offer safe mode; I cannot start normally and it just searches in repair mode.
  17. Broni

    Broni Malware Annihilator Posts: 46,743   +254

    Let's try something else.
    We're going to use FRST again with a different fix.

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    See if you can start now.

    Attached Files:

  18. JeffreyG

    JeffreyG TS Rookie Topic Starter Posts: 62

    Computer did not start normally, it is still getting stuck at the spinning color symbol.


    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2013
    Ran by SYSTEM at 2013-03-15 20:38:07 Run:2
    Running from G:\

    ==============================================

    DEFAULT hive was successfully copied to System32\config\HiveBackup
    DEFAULT hive was successfully restored from registry back up.
    SAM hive was successfully copied to System32\config\HiveBackup
    SAM hive was successfully restored from registry back up.
    SECURITY hive was successfully copied to System32\config\HiveBackup
    SECURITY hive was successfully restored from registry back up.
    SOFTWARE hive was successfully copied to System32\config\HiveBackup
    SOFTWARE hive was successfully restored from registry back up.
    SYSTEM hive was successfully copied to System32\config\HiveBackup
    SYSTEM hive was successfully restored from registry back up.

    ==== End of Fixlog ====
  19. Broni

    Broni Malware Annihilator Posts: 46,743   +254

    Safe mode?
    When your computer starts keep tapping F8 key until you see a screen with safe mode option.
  20. JeffreyG

    JeffreyG TS Rookie Topic Starter Posts: 62

    I tried; the only two options I get are launch startup repair and start normally, I cannot get a safe mode option. Not sure what to do. Should I try the repair again and restart using the Windows CD?
  21. Broni

    Broni Malware Annihilator Posts: 46,743   +254

    Go ahead with startup repair.
  22. JeffreyG

    JeffreyG TS Rookie Topic Starter Posts: 62

    Not starting normally yet, keeps going back to the spinning window after I finish the repair. It seems like every time it restarts it rewrites the virus code. Is there a bootable way to scan? I very much appreciate your help.
  23. JeffreyG

    JeffreyG TS Rookie Topic Starter Posts: 62

    It actually started and I am in. I think this virus code I have is a recent trojan. I looked it up.
    What should I do now?
  24. Broni

    Broni Malware Annihilator Posts: 46,743   +254

    Good news :)

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.
  25. JeffreyG

    JeffreyG TS Rookie Topic Starter Posts: 62

    Computer is not really responding and the cursor spins, so I can't get Malwarebytes to run. I actually recently updated, so it is already loaded, but I can't get in to get the database updated and run the program, nor the other. Any suggestions? Thank you very much.

