TechSpot

Win 7 - White Screen, Cursor, No Task Manager, No Safe Mode

By David Oliver
Sep 13, 2013
  1. Hi Tech Spot

    I have just been handed my brother's HP laptop, which has the symptoms described in the title (starting in safe mode results in an instant reboot; Ctrl-Alt-Del allows Task Manager to launch, but it's hidden behind the white window of doom). The normal desktop is briefly visible when shutting down the machine. This looks like the ZeroAccess rootkit, but I'd appreciate some experienced advice on removing it.

    I have managed to get into the command prompt and run Farbar64. Here are the results:

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-09-2013
    Ran by John (administrator) on LANDY-HP on 13-09-2013 12:12:03
    Running from F:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    Internet Explorer Version 9
    Boot Mode: Safe Mode (minimal)

    ==================== Could not list processes ===============

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2281256 2010-09-13] (Synaptics Incorporated)
    HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6489704 2010-09-22] (Realtek Semiconductor)
    HKLM\...\Run: [HPWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-07-21] (Hewlett-Packard Company)
    HKLM\...\Run: [BullGuard] - C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe [2148664 2011-08-23] (BullGuard Ltd.)
    HKLM\...\InprocServer32: [Default-wbemess] \\.\globalroot\systemroot\Installer\{6df6d855-b8c5-a8ac-b497-7724617ee9a7}\n. ATTENTION! ====> ZeroAccess?
    HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
    HKCU\...\Run: [LightScribe Control Panel] - C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe [2736128 2010-08-16] (Hewlett-Packard Company)
    HKCU\...\Run: [Google Update] - C:\Users\John\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-08-23] (Google Inc.)
    HKCU\...\Run: [Update] - C:\Users\John\AppData\Roaming\glom0_og.exe
    HKCU\...\Run: [Mozilla] - C:\Users\John\AppData\Roaming\uwfavjvt\bcceubjs.exe [71168 2009-07-14] (The OpenSSL Project, http://www.openssl.org/)
    HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
    HKCU\...\Winlogon: [Shell] explorer.exe,C:\Users\John\AppData\Roaming\data.dat [94208 2011-11-17] () <==== ATTENTION
    HKCR\...0c966feabec1\InprocServer32: [Default-shell32] C:\Users\John\AppData\Local\{6df6d855-b8c5-a8ac-b497-7724617ee9a7}\n. ATTENTION! ====> ZeroAccess?
    HKCU\...\Policies\system: [DisableLockWorkstation] 0
    HKCU\...\Policies\system: [DisableChangePassword] 0
    HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-09-30] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [Norton Online Backup] - C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
    HKLM-x32\...\Run: [Microsoft Default Manager] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [439568 2010-05-10] (Microsoft Corporation)
    HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [976832 2010-06-09] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35760 2010-06-20] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Easybits Recovery] - C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe [61112 2010-08-30] (EasyBits Software AS)
    HKLM-x32\...\Run: [HP Quick Launch] - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [586296 2010-11-09] (Hewlett-Packard Development Company, L.P.)
    HKLM-x32\...\Run: [] - [x]
    HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1648264 2013-04-25] (Ask)
    HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
    Startup: C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
    ShortcutTarget: ctfmon.lnk -> C:\ProgramData\lsass.exe (No File)

    ==================== Internet (Whitelisted) ====================

    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/CQNOT/2
    HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/CQNOT/2
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/CQNOT/2
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/CQNOT/2
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/CQNOT/2
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/CQNOT/2
    StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    SearchScopes: HKLM - DefaultScope {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL = http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
    SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
    SearchScopes: HKLM - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://uk.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
    SearchScopes: HKLM - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
    SearchScopes: HKLM - {d944bb61-2e34-4dbf-a683-47e505c587dc} URL = http://rover.ebay.com/rover/1/710-111095-2958-0/4?satitle={searchTerms}&mfe=Notebooks
    SearchScopes: HKLM-x32 - DefaultScope {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL = http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
    SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
    SearchScopes: HKLM-x32 - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://uk.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
    SearchScopes: HKLM-x32 - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
    SearchScopes: HKLM-x32 - {d944bb61-2e34-4dbf-a683-47e505c587dc} URL = http://rover.ebay.com/rover/1/710-111095-2958-0/4?satitle={searchTerms}&mfe=Notebooks
    SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKCU - {0497FFEC-3472-47E6-ACDB-4CD1C50C6CFA} URL = http://websearch.ask.com/redirect?c...pn_sauid=6DDB0B56-FB23-4166-B031-17B817543D76
    BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
    BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
    BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
    BHO: BGAntiphishingBHO Class - {FC872B94-35E3-4B94-B028-184A2A1C7CCE} - C:\Program Files\BullGuard Ltd\BullGuard\Antiphishing\IE\BGAntiphishingIEBHO.dll (BullGuard Ltd.)
    BHO-x32: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
    BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
    BHO-x32: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
    BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
    BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    BHO-x32: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
    BHO-x32: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
    BHO-x32: HP Network Check Helper - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
    BHO-x32: BGAntiphishingBHO Class - {FC872B94-35E3-4B94-B028-184A2A1C7CCE} - C:\Program Files\BullGuard Ltd\BullGuard\Files32\Antiphishing\IE\BGAntiphishingIEBHO.dll (BullGuard Ltd.)
    Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
    Toolbar: HKLM-x32 - @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
    Toolbar: HKLM-x32 - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
    Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    DPF: HKLM-x32 {298BFFEE-662D-11D5-ADAF-00E0810232D7} http://lanes.simulcast.manheim.co.uk/simulcast5/LiveSound.dll
    DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: HKLM-x32 {E39EB9E7-BF7C-45FE-903F-5AF938F56181} http://www.exam2score.com/AzpCtl.CAB
    ShellExecuteHooks-x32: EasyBits ShellExecute Hook - {E54729E8-BB3D-4270-9D49-7389EA579090} - C:\Windows\SysWow64\EZUPBH~1.DLL [52920 2010-10-19] (EasyBits Software Corp.)
    Winsock: Catalog9 01 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9 02 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9 03 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9 04 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9 05 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9 06 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9 07 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9 08 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9 09 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9 10 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9 21 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9-x64 01 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9-x64 02 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9-x64 03 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9-x64 04 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9-x64 05 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9-x64 06 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9-x64 07 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9-x64 08 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9-x64 09 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9-x64 10 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Winsock: Catalog9-x64 21 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

    Chrome:
    =======
    CHR HomePage: hxxp://www.google.com
    CHR RestoreOnStartup: "hxxp://www.google.com"
    CHR DefaultSearchURL: (Ask) - http://websearch.ask.com/redirect?c...817543D76&apn_dtid=OSJ000YYUK&q={searchTerms}
    CHR DefaultSuggestURL: (Ask) - http://ss.websearch.ask.com/query?qsrc=2922&li=ff&sstype=prefix&q={searchTerms}
    CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
    CHR Plugin: (Native Client) - C:\Users\John\AppData\Local\Google\Chrome\Application\29.0.1547.66\ppGoogleNaClPluginChrome.dll ()
    CHR Plugin: (Chrome PDF Viewer) - C:\Users\John\AppData\Local\Google\Chrome\Application\29.0.1547.66\pdf.dll ()
    CHR Plugin: (Shockwave Flash) - C:\Users\John\AppData\Local\Google\Chrome\Application\29.0.1547.66\gcswf32.dll No File
    CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
    CHR Plugin: (Java Deployment Toolkit 6.0.260.3) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
    CHR Plugin: (Java(TM) Platform SE 6 U26) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File
    CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    CHR Plugin: (Bing Bar) - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
    CHR Plugin: (Windows Live\u0099 Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    CHR Plugin: (Google Update) - C:\Users\John\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
    CHR Plugin: (Shockwave for Director) - C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
    CHR Extension: (YouTube) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
    CHR Extension: (Google Search) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
    CHR Extension: (Chrome In-App Payments service) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.10_0
    CHR Extension: (Gmail) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1
    CHR HKLM-x32\...\Chrome\Extension: [aaaaojmikegpiepcfdkkjaplodkpfmlo] - C:\Users\John\AppData\Local\APN\GoogleCRXs\apnorjtoolbar.crx
    CHR StartMenuInternet: Google Chrome - C:\Users\John\AppData\Local\Google\Chrome\Application\chrome.exe
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

    ==================== Services (Whitelisted) =================

    S3 BgRaSvc; C:\Program Files\BullGuard Ltd\BullGuard\Support\BgRaSvc.exe [157576 2011-08-23] (BullGuard Ltd.)
    S2 BsBrowser; C:\Program Files\BullGuard Ltd\BullGuard\BsBrowser.dll [73096 2011-08-23] (BullGuard Ltd.)
    S2 BsFileScan; C:\Program Files\BullGuard Ltd\BullGuard\BsFileScan.dll [354648 2011-08-23] (BullGuard Ltd.)
    S2 BsFire; C:\Program Files\BullGuard Ltd\BullGuard\BsFire.dll [529240 2011-08-23] (BullGuard Ltd.)
    S2 BsMailProxy; C:\Program Files\BullGuard Ltd\BullGuard\BsMailProxy\BsMailProxy.dll [233864 2011-08-23] (BullGuard Ltd.)
    R2 BsMain; C:\Program Files\BullGuard Ltd\BullGuard\BsMain.dll [244864 2011-08-23] (BullGuard Ltd.)
    S3 BsScanner; C:\Program Files\BullGuard Ltd\BullGuard\BullGuardScanner.exe [341896 2011-08-23] (BullGuard Ltd.)
    S2 BsUpdate; C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe [426328 2011-08-23] (BullGuard Ltd.)
    S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
    S2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)

    ==================== Drivers (Whitelisted) ====================

    S1 AFW; C:\Windows\System32\DRIVERS\afw.sys [31768 2010-07-08] (Agnitum Ltd.)
    S3 afwcore; C:\Windows\System32\DRIVERS\afwcore.sys [413208 2010-07-08] (Agnitum Ltd.)
    S1 BdSpy; C:\Windows\System32\DRIVERS\BdSpy.sys [63712 2011-08-23] (BullGuard Ltd.)

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-09-13 12:11 - 2013-09-13 12:11 - 00000000 ____D C:\FRST
    2013-09-12 17:39 - 2013-09-12 17:39 - 00003416 ____N C:\bootsqm.dat
    2013-09-12 17:38 - 2013-09-12 17:38 - 00000000 __SHD C:\found.000
    2013-09-12 15:25 - 2013-09-12 17:28 - 00012292 _____ C:\.DS_Store
    2013-09-12 15:25 - 2013-09-12 15:25 - 00000000 ____D C:\.Trashes
    2013-09-12 15:25 - 2013-09-12 15:25 - 00000000 ____D C:\.fseventsd
    2013-09-07 17:42 - 2013-09-12 19:50 - 00000004 _____ C:\Users\John\AppData\Roaming\settings.ini
    2013-08-23 08:15 - 2013-08-23 08:15 - 00001904 _____ C:\Users\John\Downloads\MyDesktopStBedes.RDP
    2013-08-15 19:54 - 2013-08-15 19:55 - 00000000 ____D C:\Users\John\AppData\Local\{4A081748-5E93-41AA-9C90-6DA5A2A7603E}

    ==================== One Month Modified Files and Folders =======

    2013-09-13 12:11 - 2013-09-13 12:11 - 00000000 ____D C:\FRST
    2013-09-13 04:42 - 2013-03-08 17:48 - 00000000 ____D C:\ProgramData\McAfee Security Scan
    2013-09-13 04:42 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\rescache
    2013-09-13 04:42 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\registration
    2013-09-13 04:42 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\AppCompat
    2013-09-13 04:35 - 2010-10-19 14:42 - 00000000 ____D C:\ProgramData\Recovery
    2013-09-12 19:50 - 2013-09-07 17:42 - 00000004 _____ C:\Users\John\AppData\Roaming\settings.ini
    2013-09-12 19:50 - 2013-07-13 18:01 - 00000890 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-09-12 19:50 - 2011-08-23 20:35 - 00000000 ____D C:\ProgramData\BullGuard
    2013-09-12 19:49 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2013-09-12 19:49 - 2009-07-14 05:51 - 00105883 _____ C:\Windows\setupact.log
    2013-09-12 19:47 - 2011-08-23 20:38 - 00255628 _____ C:\Windows\system32\config\afw_db.conf
    2013-09-12 19:47 - 2011-08-23 20:38 - 00001632 _____ C:\Windows\system32\config\afw_hm.conf
    2013-09-12 19:47 - 2011-06-23 09:41 - 02056189 _____ C:\Windows\WindowsUpdate.log
    2013-09-12 19:47 - 2009-07-14 05:45 - 00023248 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-09-12 19:47 - 2009-07-14 05:45 - 00023248 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-09-12 19:44 - 2011-08-23 19:30 - 00000000 ____D C:\Users\John
    2013-09-12 17:42 - 2011-10-31 09:48 - 00000000 ____D C:\Users\John\AppData\Local\CrashDumps
    2013-09-12 17:39 - 2013-09-12 17:39 - 00003416 ____N C:\bootsqm.dat
    2013-09-12 17:38 - 2013-09-12 17:38 - 00000000 __SHD C:\found.000
    2013-09-12 17:28 - 2013-09-12 15:25 - 00012292 _____ C:\.DS_Store
    2013-09-12 15:25 - 2013-09-12 15:25 - 00000000 ____D C:\.Trashes
    2013-09-12 15:25 - 2013-09-12 15:25 - 00000000 ____D C:\.fseventsd
    2013-09-09 02:33 - 2011-06-23 10:25 - 00000000 ___RD C:\Users\Public\Recorded TV
    2013-09-07 18:20 - 2013-07-13 18:01 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-09-07 18:18 - 2013-03-08 17:48 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-09-07 17:53 - 2011-08-23 20:46 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3188238764-2307040380-1222809871-1000UA.job
    2013-09-07 17:41 - 2011-08-23 20:46 - 00000000 ____D C:\Users\John\AppData\Local\Google
    2013-09-07 10:53 - 2011-08-23 20:46 - 00000852 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3188238764-2307040380-1222809871-1000Core.job
    2013-08-27 18:52 - 2011-10-13 22:00 - 00000000 ____D C:\Users\John\AppData\Roaming\SoftGrid Client
    2013-08-26 18:59 - 2012-11-23 21:14 - 00003180 _____ C:\Windows\System32\Tasks\HPCeeScheduleForJohn
    2013-08-26 18:59 - 2011-10-26 19:12 - 00000328 _____ C:\Windows\Tasks\HPCeeScheduleForJohn.job
    2013-08-24 15:38 - 2013-03-08 17:48 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2013-08-24 15:38 - 2013-03-08 17:48 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2013-08-24 15:38 - 2013-03-08 17:48 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
    2013-08-24 15:38 - 2011-08-26 15:34 - 00000000 ____D C:\Users\John\AppData\Local\Adobe
    2013-08-23 08:15 - 2013-08-23 08:15 - 00001904 _____ C:\Users\John\Downloads\MyDesktopStBedes.RDP
    2013-08-21 18:35 - 2013-06-13 08:18 - 17737608 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
    2013-08-20 20:02 - 2011-08-23 19:31 - 00000000 ____D C:\Users\John\AppData\Local\VirtualStore
    2013-08-20 19:06 - 2012-11-15 23:59 - 00743424 ___SH C:\Users\John\Downloads\Thumbs.db
    2013-08-18 19:18 - 2011-08-30 10:10 - 00000000 ____D C:\Users\John\Desktop\Lisa baby lamby chops
    2013-08-16 16:38 - 2011-08-23 20:31 - 00000342 _____ C:\Windows\Tasks\HPCeeScheduleForLANDY-HP$.job
    2013-08-16 16:37 - 2011-08-23 20:31 - 00003218 _____ C:\Windows\System32\Tasks\HPCeeScheduleForLANDY-HP$
    2013-08-15 19:55 - 2013-08-15 19:54 - 00000000 ____D C:\Users\John\AppData\Local\{4A081748-5E93-41AA-9C90-6DA5A2A7603E}

    ZeroAccess:
    C:\Windows\Installer\{6df6d855-b8c5-a8ac-b497-7724617ee9a7}
    C:\Windows\Installer\{6df6d855-b8c5-a8ac-b497-7724617ee9a7}\@

    ZeroAccess:
    C:\Users\John\AppData\Local\{6df6d855-b8c5-a8ac-b497-7724617ee9a7}
    C:\Users\John\AppData\Local\{6df6d855-b8c5-a8ac-b497-7724617ee9a7}\@

    Files to move or delete:
    ====================
    ZeroAccess:
    C:\Users\John\AppData\Local\Google\Desktop\Install
    C:\ProgramData\dsgsdgdsgdsgw.pad
    C:\Users\John\AppData\Local\Temp\loyrwm1m.dll
    C:\Users\John\AppData\Local\Temp\msimg32.dll
    C:\Users\John\AppData\Local\Temp\Resource.exe
    C:\Users\John\AppData\Local\Temp\setup.exe
    C:\Users\John\AppData\Local\Temp\SP51650.exe
    C:\Users\John\AppData\Local\Temp\SP51976.exe
    C:\Users\John\AppData\Local\Temp\SP52131.exe
    C:\Users\John\AppData\Local\Temp\sp54373.exe
    C:\Users\John\AppData\Local\Temp\sp54620.exe
    C:\Users\John\AppData\Local\Temp\sp58915.exe
    C:\Users\John\AppData\Local\Temp\UninstallHPSA.exe
    C:\Users\John\AppData\Local\Temp\UninstallHPTCA.exe

    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


    LastRegBack: 2013-09-06 11:09

    ==================== End Of Log ============================
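Added example (not part of the original post, and not FRST's own logic): a small Python triage pass over a constructed subset of the log lines above, flagging the patterns that make the ATTENTION entries suspicious, such as InprocServer32 values redirected into \\.\globalroot or a user profile, a Winlogon Shell chained to a second file, Run entries living in AppData or with an unreadable target, and a system binary name (lsass.exe) sitting in ProgramData. The heuristics are my own; a hit is a lead for review, not a verdict.

```python
import re

# Constructed sample: a subset of lines modelled on the FRST log in the post above,
# mixing benign vendor autoruns with the entries FRST marked ATTENTION.
SAMPLE_LOG = r"""
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2281256 2010-09-13] (Synaptics Incorporated)
HKLM\...\InprocServer32: [Default-wbemess] \\.\globalroot\systemroot\Installer\{6df6d855-b8c5-a8ac-b497-7724617ee9a7}\n. ATTENTION! ====> ZeroAccess?
HKCU\...\Run: [Update] - C:\Users\John\AppData\Roaming\glom0_og.exe
HKCU\...\Run: [Mozilla] - C:\Users\John\AppData\Roaming\uwfavjvt\bcceubjs.exe [71168 2009-07-14] (The OpenSSL Project, http://www.openssl.org/)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Winlogon: [Shell] explorer.exe,C:\Users\John\AppData\Roaming\data.dat [94208 2011-11-17] () <==== ATTENTION
HKCR\...0c966feabec1\InprocServer32: [Default-shell32] C:\Users\John\AppData\Local\{6df6d855-b8c5-a8ac-b497-7724617ee9a7}\n. ATTENTION! ====> ZeroAccess?
ShortcutTarget: ctfmon.lnk -> C:\ProgramData\lsass.exe (No File)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [976832 2010-06-09] (Adobe Systems Incorporated)
"""

# My own heuristics, derived from the indicators visible in this log (not FRST's whitelist).
RUN_RE = re.compile(r"^HK[A-Za-z0-9-]+\\\.\.\.\\Run: \[[^\]]*\] - (.+)$")
SHELL_RE = re.compile(r"\\Winlogon: \[Shell\] (\S+)")
SHORTCUT_RE = re.compile(r"^ShortcutTarget: \S+ -> (.+?)(?: \(No File\))?$")
USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^[A-Za-z]:\\Windows\\", re.IGNORECASE)
# Names that belong under the Windows directory; the same name elsewhere is impersonation.
SYSTEM_BINARY_NAMES = {"lsass.exe", "svchost.exe", "winlogon.exe", "csrss.exe", "services.exe"}


def triage_line(line):
    """Return the reasons one FRST line deserves a second look (empty list if none)."""
    reasons = []
    if "ATTENTION" in line:
        reasons.append("flagged by FRST")
    if "\\InprocServer32: " in line:
        # COM server registration: the DLL path follows the "[Default-...]" marker.
        target = line.split("] ", 1)[1]
        if target.lower().startswith(r"\\.\globalroot") or USER_PROFILE.search(target):
            reasons.append("COM InprocServer32 redirected outside System32")
    m = SHELL_RE.search(line)
    if m and m.group(1).lower() != "explorer.exe":
        reasons.append("Winlogon Shell chained to an extra binary")
    m = RUN_RE.match(line)
    if m:
        target = m.group(1)
        if target.startswith("[x]"):
            reasons.append("autorun with hidden or unreadable target")
        elif USER_PROFILE.search(target):
            reasons.append("autorun launched from user profile")
    m = SHORTCUT_RE.match(line)
    if m:
        path = m.group(1)
        name = path.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_BINARY_NAMES and not WINDOWS_DIR.match(path):
            reasons.append("system binary name outside the Windows directory")
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every non-empty line that has at least one reason."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```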
     
  2. David Oliver

    David Oliver TS Rookie Topic Starter

    Never mind - I managed to build my own fixlist file :)
     
  3. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Welcome aboard

    Let me know if you still need help.
     