Trojan Win32.Sirefef, PC reboots every minute

Solved
By ihatetrojans
Jul 8, 2012
  1. I have a similar problem to many others on this board.
    MSE detected Trojan Win32 Sirefef (A and B, I think, although there could've been others). It quarantined and tried to remove them but they kept returning and then I got stuck in the critical error / 1 minute restart issue.
    I am using Vista 32-bit.
    My head boggles with the tons of instructions given here - tried to get into System Recovery Options but got stuck at Command Prompt when I entered the drive where I stored FRST.
    I ran the pc in Safe Mode, Safe Mode with network, etc., but no luck.

    Due to this, I couldn't follow the 5 step malware removal process.

    I'd appreciate any help in resolving this.
  2. ihatetrojans

    ihatetrojans Newcomer, in training Topic Starter Posts: 68

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 08-07-2012
    Ran by daphene at 08-07-2012 18:34:33
    Running from J:\
    Service Pack 2 (X86) OS Language: French Standard
    Attention: Could not load system hive.Erreur : Le processus ne peut pas accéder au fichier car ce fichier est utilisé par un autre processus.

    ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.


    ============ One Month Created Files and Folders ==============

    2012-07-08 18:01 - 2012-07-08 18:34 - 00000000 ____D C:\FRST
    2012-07-07 20:24 - 2012-07-07 20:24 - 00001063 ____A C:\Users\daphene\Desktop\Revo Uninstaller.lnk
    2012-07-07 17:50 - 2012-07-07 17:50 - 00000000 ____D C:\Users\daphene\AppData\Local\Conduit
    2012-07-07 17:50 - 2012-07-07 17:50 - 00000000 ____D C:\Program Files\WiseConvert
    2012-07-07 17:50 - 2012-07-07 17:50 - 00000000 ____D C:\Program Files\Conduit
    2012-07-07 15:05 - 2012-07-07 15:05 - 00000000 ____D C:\Program Files\VS Revo Group
    2012-07-07 15:04 - 2012-07-07 15:04 - 00000000 ____D C:\Users\daphene\AppData\Roaming\Malwarebytes
    2012-07-07 15:04 - 2012-07-07 15:04 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-07-07 14:52 - 2012-07-07 20:14 - 00000000 ____D C:\Program Files\CCleaner
    2012-07-07 13:28 - 2012-07-07 13:28 - 00000000 ___SD C:\ComboFix
    2012-07-07 13:00 - 2012-07-07 13:00 - 00026872 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixTDSS.sys
    2012-07-06 23:25 - 2012-07-06 23:25 - 00000000 ____D C:\Qoobox
    2012-07-06 23:25 - 2011-06-26 08:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-07-06 23:25 - 2010-11-07 19:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-07-06 23:25 - 2009-04-20 06:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-07-06 23:25 - 2000-08-31 02:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-07-06 23:25 - 2000-08-31 02:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-07-06 23:25 - 2000-08-31 02:00 - 00098816 ____A C:\Windows\sed.exe
    2012-07-06 23:25 - 2000-08-31 02:00 - 00080412 ____A C:\Windows\grep.exe
    2012-07-06 23:25 - 2000-08-31 02:00 - 00068096 ____A C:\Windows\zip.exe
    2012-07-06 23:24 - 2012-07-06 23:24 - 00000000 ____D C:\Windows\erdnt
    2012-07-06 19:29 - 2012-07-06 19:29 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\lcfylmfc.sys
    2012-07-06 00:52 - 2012-07-06 00:52 - 00000000 ___HD C:\Windows\msdownld.tmp
    2012-07-06 00:42 - 2012-07-06 00:51 - 22291296 ____A (Microsoft Corporation) C:\Users\daphene\Downloads\BOIE9_ENUS_BO0084_VIS.EXE
    2012-07-04 12:32 - 2012-07-04 12:32 - 00000000 ____D C:\rei
    2012-07-04 12:32 - 2012-07-04 12:32 - 00000000 ____D C:\Program Files\Reimage
    2012-07-04 12:11 - 2012-07-06 00:32 - 00000000 ____D C:\TDSSKiller_Quarantine
    2012-07-03 20:54 - 2012-07-03 20:54 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-07-03 20:34 - 2012-07-03 20:35 - 10288512 ____A (Microsoft Corporation) C:\Users\daphene\Downloads\mseinstall(4).exe
    2012-07-02 20:30 - 2012-07-02 20:30 - 00137216 ____A (DT Soft Ltd) C:\Users\daphene\AppData\Roaming\mspap.dll
    2012-06-24 18:06 - 2012-06-24 18:07 - 01505959 ____A C:\Users\daphene\Downloads\To Maxime, Christopher and Kevin..wmv
    2012-06-23 19:30 - 2012-06-23 19:30 - 00000000 ____D C:\Users\daphene\AppData\Local\Macromedia
    2012-06-21 14:00 - 2012-06-03 00:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-21 14:00 - 2012-06-03 00:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-21 14:00 - 2012-06-03 00:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-21 14:00 - 2012-06-03 00:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-21 13:59 - 2012-06-03 00:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-21 13:59 - 2012-06-03 00:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-21 13:59 - 2012-06-03 00:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-21 13:59 - 2012-06-02 15:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-21 13:59 - 2012-06-02 15:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-16 10:01 - 2012-05-18 01:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-16 10:01 - 2012-05-18 00:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-16 10:01 - 2012-05-18 00:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-16 10:01 - 2012-05-18 00:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-16 10:01 - 2012-05-18 00:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-16 10:01 - 2012-05-18 00:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-16 10:01 - 2012-05-18 00:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-16 10:01 - 2012-05-18 00:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-16 10:01 - 2012-05-18 00:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-16 10:01 - 2012-05-18 00:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-16 10:01 - 2012-05-18 00:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-16 10:01 - 2012-05-18 00:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-16 10:01 - 2012-05-18 00:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-16 10:01 - 2012-05-18 00:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-15 17:48 - 2012-04-23 18:00 - 00984064 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-06-15 17:48 - 2012-04-23 18:00 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-06-15 17:48 - 2012-04-23 18:00 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-06-15 17:47 - 2012-05-15 21:51 - 02045440 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-15 17:47 - 2012-05-01 16:03 - 00180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-06-13 20:27 - 2012-06-13 20:27 - 00164659 ____A C:\Users\daphene\Downloads\Attachments_2012_06_13.zip

    ============ 3 Months Modified Files ========================

    2012-07-08 18:22 - 2012-05-27 15:48 - 00001054 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-08 18:22 - 2009-09-20 15:34 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-07-08 18:20 - 2006-11-02 15:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-08 18:20 - 2006-11-02 14:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-08 18:20 - 2006-11-02 14:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-08 17:54 - 2006-11-02 15:01 - 00032586 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-07-07 20:24 - 2012-07-07 20:24 - 00001063 ____A C:\Users\daphene\Desktop\Revo Uninstaller.lnk
    2012-07-07 17:51 - 2010-03-24 19:07 - 00035894 ____A C:\Windows\PFRO.log
    2012-07-07 13:59 - 2012-05-27 15:48 - 00001058 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-07 13:00 - 2012-07-07 13:00 - 00026872 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixTDSS.sys
    2012-07-06 23:19 - 2009-08-23 11:46 - 00005892 ____A C:\Users\daphene\AppData\Local\d3d9caps.dat
    2012-07-06 19:29 - 2012-07-06 19:29 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\lcfylmfc.sys
    2012-07-06 01:27 - 2006-11-02 12:22 - 46399488 ____A C:\Windows\System32\config\software_previous
    2012-07-06 01:27 - 2006-11-02 12:22 - 33030144 ____A C:\Windows\System32\config\system_previous
    2012-07-06 01:22 - 2006-11-02 12:22 - 38535168 ____A C:\Windows\System32\config\components_previous
    2012-07-06 01:22 - 2006-11-02 12:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
    2012-07-06 00:54 - 2008-04-15 21:10 - 01587038 ____A C:\Windows\WindowsUpdate.log
    2012-07-06 00:52 - 2012-02-08 11:02 - 00014785 ____A C:\Windows\IE9_main.log
    2012-07-06 00:51 - 2012-07-06 00:42 - 22291296 ____A (Microsoft Corporation) C:\Users\daphene\Downloads\BOIE9_ENUS_BO0084_VIS.EXE
    2012-07-05 23:14 - 2006-11-02 12:22 - 00262144 ____A C:\Windows\System32\config\security_previous
    2012-07-05 23:14 - 2006-11-02 12:22 - 00262144 ____A C:\Windows\System32\config\default_previous
    2012-07-05 20:36 - 2010-02-28 11:04 - 00010379 ____A C:\Windows\setupact.log
    2012-07-03 21:18 - 2012-03-30 11:37 - 00001002 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-03 20:54 - 2012-04-06 13:10 - 00001912 ____A C:\Windows\epplauncher.mif
    2012-07-03 20:54 - 2006-11-02 12:33 - 01525384 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-03 20:35 - 2012-07-03 20:34 - 10288512 ____A (Microsoft Corporation) C:\Users\daphene\Downloads\mseinstall(4).exe
    2012-07-02 20:30 - 2012-07-02 20:30 - 00137216 ____A (DT Soft Ltd) C:\Users\daphene\AppData\Roaming\mspap.dll
    2012-07-02 20:25 - 2012-06-03 14:20 - 00000936 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2509705252-2750708441-1710655355-1000UA.job
    2012-07-01 14:25 - 2012-06-03 14:20 - 00000914 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2509705252-2750708441-1710655355-1000Core.job
    2012-07-01 11:22 - 2008-06-30 21:27 - 00024064 ____A C:\Users\daphene\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-06-24 18:07 - 2012-06-24 18:06 - 01505959 ____A C:\Users\daphene\Downloads\To Maxime, Christopher and Kevin..wmv
    2012-06-23 17:19 - 2012-03-30 11:37 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-06-23 17:19 - 2011-05-21 11:18 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-06-22 17:15 - 2008-10-07 14:10 - 00000394 ____A C:\Windows\Tasks\1-Click Maintenance.job
    2012-06-21 21:23 - 2009-12-26 22:13 - 00000330 ____A C:\Windows\Tasks\HPCeeScheduleFordaphene.job
    2012-06-16 10:32 - 2006-11-02 14:47 - 00395776 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-16 10:08 - 2006-11-02 12:24 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-06-13 20:27 - 2012-06-13 20:27 - 00164659 ____A C:\Users\daphene\Downloads\Attachments_2012_06_13.zip
    2012-06-03 14:19 - 2012-06-03 14:19 - 00493520 ____A (Facebook Inc.) C:\Users\daphene\Downloads\FacebookVideoCallSetup_v1.2.203.0.exe
    2012-06-03 00:19 - 2012-06-21 14:00 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-03 00:19 - 2012-06-21 14:00 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-03 00:19 - 2012-06-21 14:00 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-03 00:19 - 2012-06-21 13:59 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-03 00:19 - 2012-06-21 13:59 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-03 00:12 - 2012-06-21 14:00 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-03 00:12 - 2012-06-21 13:59 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 15:19 - 2012-06-21 13:59 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 15:12 - 2012-06-21 13:59 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-05-31 15:44 - 2008-07-01 00:17 - 00013796 ____A C:\Users\daphene\AppData\Roaming\wklnhst.dat
    2012-05-31 15:42 - 2012-04-05 21:10 - 00750592 ____A C:\Users\daphene\Desktop\cv daphene.wps
    2012-05-30 21:40 - 2012-05-30 21:36 - 10288512 ____A (Microsoft Corporation) C:\Users\daphene\Downloads\mseinstall(3).exe
    2012-05-30 19:47 - 2012-05-30 19:44 - 10288512 ____A (Microsoft Corporation) C:\Users\daphene\Downloads\mseinstall(2).exe
    2012-05-27 15:51 - 2012-05-27 15:51 - 00198832 ____A (RealNetworks, Inc.) C:\Windows\System32\rmoc3260.dll
    2012-05-27 15:50 - 2012-05-27 15:50 - 00272896 ____A (Progressive Networks) C:\Windows\System32\pncrt.dll
    2012-05-27 15:50 - 2012-05-27 15:50 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5016.dll
    2012-05-27 15:50 - 2012-05-27 15:50 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5032.dll
    2012-05-27 15:50 - 2008-03-27 00:45 - 00348160 ____A (Microsoft Corporation) C:\Windows\System32\msvcr71.dll
    2012-05-27 15:16 - 2012-05-27 15:15 - 00693504 ____A (RealNetworks, Inc.) C:\Users\daphene\Downloads\RealPlayer_fr.exe
    2012-05-18 01:11 - 2012-06-16 10:01 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-05-18 00:48 - 2012-06-16 10:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-05-18 00:45 - 2012-06-16 10:01 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-05-18 00:36 - 2012-06-16 10:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-05-18 00:35 - 2012-06-16 10:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-05-18 00:35 - 2012-06-16 10:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-18 00:33 - 2012-06-16 10:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-05-18 00:31 - 2012-06-16 10:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-18 00:29 - 2012-06-16 10:01 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-05-18 00:29 - 2012-06-16 10:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-05-18 00:27 - 2012-06-16 10:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-05-18 00:25 - 2012-06-16 10:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-05-18 00:24 - 2012-06-16 10:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-05-18 00:20 - 2012-06-16 10:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-05-15 21:51 - 2012-06-15 17:47 - 02045440 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-05-12 10:09 - 2008-10-19 13:39 - 00230424 ____A C:\Windows\00000000.STI
    2012-05-07 14:07 - 2012-05-07 14:03 - 05370523 ____A C:\Users\daphene\Downloads\pics(1).zip
    2012-05-01 16:03 - 2012-06-15 17:47 - 00180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-04-23 18:00 - 2012-06-15 17:48 - 00984064 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-04-23 18:00 - 2012-06-15 17:48 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-04-23 18:00 - 2012-06-15 17:48 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-04-16 10:12 - 2012-04-16 10:12 - 00001878 ____A C:\Users\Public\Desktop\Skype.lnk


    ZeroAccess:
    C:\Windows\assembly\GAC\Desktop.ini

    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ========================= Memory info ======================

    Percentage of memory in use: 26%
    Total physical RAM: 2036.45 MB
    Available physical RAM: 1504.07 MB
    Total Pagefile: 4310.16 MB
    Available Pagefile: 3925.96 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1977.92 MB

    ======================= Partitions =========================

    1 Drive c: (COMPAQ) (Fixed) (Total:222.91 GB) (Free:142.26 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:9.97 GB) (Free:1.36 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    8 Drive j: (Nano) (Removable) (Total:3.76 GB) (Free:2.52 GB) FAT32

    N° disque Statut Taille Libre Dyn GPT
    ---------- ------------- ------- ------------ --- ---
    Disque 0 En ligne 233 G octets 0 octets
    Disque 1 En ligne 3854 M octets 0 octets
    Disque 2 Aucun médi 0 octets 0 octets
    Disque 3 Aucun médi 0 octets 0 octets
    Disque 4 Aucun médi 0 octets 0 octets
    Disque 5 Aucun médi 0 octets 0 octets

    Partitions of Disk 0:
    ===============

    N° partition Type Taille Décalage
    ------------- ---------------- ------- --------
    Partition 1 Principale 223 G 32 K
    Partition 2 Principale 10 G 223 G

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Masqué : Non
    Active : Oui

    N° volume Ltr Nom Fs Type Taille Statut Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C COMPAQ NTFS Partition 223 G Sain Système

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Masqué : Non
    Active : Non

    N° volume Ltr Nom Fs Type Taille Statut Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D FACTORY_IMA NTFS Partition 10 G Sain

    ==================================================================================

    Partitions of Disk 1:
    ===============

    N° partition Type Taille Décalage
    ------------- ---------------- ------- --------
    * Partition 1 Principale 3854 M 0 o

    ==================================================================================

    Disk: 1
    Aucune partition n'est sélectionnée.

    Aucune partition n'est sélectionnée.
    Sélectionnez une partition et essayez à nouveau.

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-06 00:39

    ======================= End Of Log ==========================
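As an added triage example (not part of this thread and not FRST's own code), the following Python parses an FRST log like the one above and pulls out what a helper reads first: the tool's own warnings, the ZeroAccess section, the non-legit rows of the Bamital & volsnap check, and kernel drivers created in the last month. The line formats are inferred from the log quoted in this thread, and the embedded sample is a constructed excerpt of it.

```python
"""Triage helper for a Farbar Recovery Scan Tool (FRST) log. Added example, not
FRST's own code; the line formats are inferred from the log quoted in the thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt of the posted log (abridged); paths and hash as quoted there.
SAMPLE_LOG = r"""
Attention: Could not load system hive.Erreur : Le processus ne peut pas accéder au fichier.
ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.
============ One Month Created Files and Folders ==============
2012-07-08 18:01 - 2012-07-08 18:34 - 00000000 ____D C:\FRST
2012-07-07 13:00 - 2012-07-07 13:00 - 00026872 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixTDSS.sys
2012-07-06 19:29 - 2012-07-06 19:29 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\lcfylmfc.sys
ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini
========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
======================= End Of Log ==========================
"""

# "created - modified - size attrs (company) path"; the company part is optional.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$")
# "path => MD5 is legit", or "path <md5> <note>" when the hash is not the known one.
HASH_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+) "
    r"(?:=> MD5 is legit|(?P<md5>[0-9A-Fa-f]{32}) (?P<note>.+))$")
# Framed "==== name ====" section headers, plus the bare "ZeroAccess:" header.
SECTION = re.compile(r"^(?:=+ (?P<name>.+?) =+|(?P<bare>ZeroAccess):)$")

@dataclass
class FileEntry:
    created: str
    modified: str
    size: int
    attrs: str
    company: Optional[str]
    path: str

@dataclass
class Triage:
    warnings: List[str] = field(default_factory=list)
    zeroaccess_paths: List[str] = field(default_factory=list)
    hash_mismatches: List[Tuple[str, str, str]] = field(default_factory=list)
    created_files: List[FileEntry] = field(default_factory=list)

def parse_frst(text: str) -> Triage:
    """Walk the log once, tracking which section each line belongs to."""
    t = Triage()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:        # blank line or a bare "=====" rule
            continue
        m = SECTION.match(line)
        if m:
            section = m.group("name") or m.group("bare")
            continue
        if line.upper().startswith("ATTENTION"):  # the tool's own warnings
            t.warnings.append(line)
        elif section == "ZeroAccess":
            t.zeroaccess_paths.append(line)
        elif section == "Bamital & volsnap Check":
            m = HASH_LINE.match(line)
            if m and m.group("md5"):              # keep only the non-legit rows
                t.hash_mismatches.append(
                    (m.group("path"), m.group("md5").upper(), m.group("note")))
        elif section and section.startswith("One Month Created"):
            m = FILE_LINE.match(line)
            if m:
                t.created_files.append(FileEntry(
                    m.group("created"), m.group("modified"), int(m.group("size")),
                    m.group("attrs"), m.group("company"), m.group("path")))
    return t

def ran_from_recovery(t: Triage) -> bool:
    """False when FRST says it was started inside Windows, so the log may be incomplete."""
    return not any("NOT RUN FROM RECOVERY ENVIRONMENT" in w for w in t.warnings)

def new_kernel_drivers(t: Triage) -> List[FileEntry]:
    """Drivers created in the last month: a list to review by hand, not a verdict."""
    return [e for e in t.created_files
            if e.path.lower().endswith(".sys") and "\\drivers\\" in e.path.lower()]
```

Run on the sample, it reports that the log was not taken from the recovery environment, one hash mismatch (services.exe, flagged ZeroAccess), one ZeroAccess indicator path, and two recently created drivers to look at.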
  3. Broni

    Broni Malware Annihilator Posts: 46,171   +251

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ========================================

    In Vista or Windows 7: Boot to System Recovery Options and run FRST.
    In Windows XP: Please boot to UBCD and run FRST.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes to your reply.
  4. ihatetrojans

    ihatetrojans Newcomer, in training Topic Starter Posts: 68

    Ok, pleeeze don't roll your eyes....
    where do I run FRST after going to System Recovery Options?
    Do I plug in the usb where I have saved the FRST.exe ?
    Do I run the pc in safe mode or normally? As it is, I have to type rapidly to beat the minute before I get the dreaded message about rebooting.
  5. Broni

    Broni Malware Annihilator Posts: 46,171   +251

    Please don't quote my replies.

    You go the very same way as you went to create FRST log but this time you want to search for a file.
  6. ihatetrojans

    ihatetrojans Newcomer, in training Topic Starter Posts: 68

    Thanks , got it!
    However, before the search is finished, the pc reboots itself :-(
  7. Broni

    Broni Malware Annihilator Posts: 46,171   +251

    You're doing something wrong.
    Don't boot to Windows.
    Boot to System Recovery Options so you can run FRST and search from it.
    Read my replies carefully.
  8. ihatetrojans

    ihatetrojans Newcomer, in training Topic Starter Posts: 68

    Evidently I'm doing something wrong....
    I went into Safe Mode , ran FARBAR and got my FRST log.
    Now, whenever I do that to run FRST, the pc reboots.
    When I go into System Recovery Options, there is a list of menu.
    There's nothing to indicate where I can run FRST.... sorry :-(
  9. Broni

    Broni Malware Annihilator Posts: 46,171   +251

    OK, I just noticed you ran FRST from within Windows.
    That's not how you do it.
    My fault, I overlooked it.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flash drive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
  10. ihatetrojans

    ihatetrojans Newcomer, in training Topic Starter Posts: 68

    Thanks for your patience... I managed to get these steps;
    On the System Recovery Options menu you will get the following options:

      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    I found the FRST.EXE in my J drive but was shown the message that it isn't known...
    In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
    I tried all the letters from C to J, lowercase and uppercase, but same message or one which says: the peripheral is not ready (in French it is Le peripherique n'est pas pret)
  11. Broni

    Broni Malware Annihilator Posts: 46,171   +251

    Please don't quote my replies.

    Say again?
     
  12. ihatetrojans

    ihatetrojans Newcomer, in training Topic Starter Posts: 68

    BTW, my keyboard is French so I should choose French as the keyboard language setting, right?
    In addition, after this, I am directed to USER ACCOUNT, there isn't one asking about operating system.
  13. ihatetrojans

    ihatetrojans Newcomer, in training Topic Starter Posts: 68


    Ok, in the admin box,
    X:\windows\system32> j:\frst.exe
    'j:\frst.exe' n'est pas reconnu en tant que commande interne ou externe, un programme executable ou un fichier de commande

    Yes, I feel like executing the machine!
  14. Broni

    Broni Malware Annihilator Posts: 46,171   +251

    1. If you quote my reply one more time I'll close this topic. I asked you three times already not to quote my replies.

    2. You're not reading my instructions carefully enough. It clearly says:
  15. ihatetrojans

    ihatetrojans Newcomer, in training Topic Starter Posts: 68

    LOL, yes, exactly what I was asking!
  16. ihatetrojans

    ihatetrojans Newcomer, in training Topic Starter Posts: 68

    Sorry....NOW I get what you meant about quoting you! My apologies, I got it.
  17. Broni

    Broni Malware Annihilator Posts: 46,171   +251

    You still didn't explain this:
  18. ihatetrojans

    ihatetrojans Newcomer, in training Topic Starter Posts: 68

    Ok, I have chosen US as the keyboard language but there isn't the step asking about the operating system; when I clicked NEXT after the keyboard language, it went to User Account.
    Same thing happened when I typed J as the drive which stored the FRST.EXE, the message that it is not recognized.
  19. ihatetrojans

    ihatetrojans Newcomer, in training Topic Starter Posts: 68

    A rough translation is:
    j:\frst.exe is not recognized as internal or external command, operable program or batch file
  20. Broni

    Broni Malware Annihilator Posts: 46,171   +251

    Now I understand.

    Do you have Vista DVD?
  21. ihatetrojans

    ihatetrojans Newcomer, in training Topic Starter Posts: 68

    Thank you for putting up with me and my ignorance.
    Unfortunately, I don't have the dvd as it is a pre-installed store-bought pc.
  22. Broni

    Broni Malware Annihilator Posts: 46,171   +251

    I'll PM you.
  23. ihatetrojans

    ihatetrojans Newcomer, in training Topic Starter Posts: 68

    Hello again,
    I used the Windows Installation disc, got to Advanced Boot Options but there is no Repair Your Computer
    I see the box
    Choose Advanced Options for: Windows Setup
    ( Use the arrow keys to highlight your choice.)
    Safe Mode
    Safe Mode with Networking
    .....
  24. ihatetrojans

    ihatetrojans Newcomer, in training Topic Starter Posts: 68

    Hello again,
    Please accept my humblest apologies for not being able to continue with the assistance yesterday. If you'd allow me, shall we pick this up this weekend when I've more time to stay focused and pay very close attention?
    Please don't give up on me even though I'm such a pc dork?
    I appreciate your patience and kind comprehension very very much.
  25. Broni

    Broni Malware Annihilator Posts: 46,171   +251

    No worries.
    If you find your topic closed after 5 days you can always PM me and I'll reopen it.

    You're doing something wrong.
    The very first screen after booting from the disk should look like this:

    [IMG]

    Make sure you're booting from the DVD.
    You may need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)

