TechSpot

Windows has encountered a problem and will shut down in two minutes, please save your work

Inactive
By justiceotuya
Aug 3, 2012
  1. I saw how broni helped someone with the same problem, then I followed the method and here are my frst.txt details. I will be grateful if you help me.

    Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
    Ran by SYSTEM at 03-08-2012 17:02:47
    Running from H:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-14] (Synaptics Incorporated)
    HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [450048 2009-07-21] (IDT, Inc.)
    HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [610872 2009-08-25] ()
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-08-04] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [HPCam_Menu] "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam" UpdateWithCreateOnce "Software\Hewlett-Packard\Media\Webcam" [222504 2009-05-19] (CyberLink Corp.)
    HKLM-x32\...\Run: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [322104 2009-08-20] ( Hewlett-Packard Development Company, L.P.)
    HKLM-x32\...\Run: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe [60464 2009-09-02] (EasyBits Software AS)
    HKLM-x32\...\Run: [] [x] :\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [417792 2009-11-10] (Apple Inc.)
    HKLM-x32\...\Run: [YMailAdvisor] "C:\Program Files (x86)\Yahoo!\Common\YMailAdvisor.exe" [125208 2008-06-05] (Yahoo! Inc.)
    HKLM-x32\...\Run: [YSearchProtection] "C:\Program Files (x86)\Yahoo!\Search Protection\SearchProtection.exe" [111856 2008-06-26] (Yahoo! Inc)
    HKLM-x32\...\Run: [NokiaMServer] C:\Program Files (x86)\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup [x]
    HKLM-x32\...\Run: [USB Security] C:\Program Files (x86)\USB
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.

    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer, such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
    Please review the 5-Step removal instructions and post the logs back here for my review.
  3. justiceotuya

    justiceotuya Newcomer, in training Topic Starter

    I am using a phone and so cannot copy and paste the log files on this forum because of their size. The only option is for me to upload it. I don't know if you will accept it. I am writing my project now and because of this problem I can no longer access my documents. Please help.
  6. justiceotuya

    justiceotuya Newcomer, in training Topic Starter

    Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
    Ran by SYSTEM at 03-08-2012 17:02:47
    Running from H:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-14] (Synaptics Incorporated)
    HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [450048 2009-07-21] (IDT, Inc.)
    HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [610872 2009-08-25] ()
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-08-04] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [HPCam_Menu] "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam" UpdateWithCreateOnce "Software\Hewlett-Packard\Media\Webcam" [222504 2009-05-19] (CyberLink Corp.)
    HKLM-x32\...\Run: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [322104 2009-08-20] ( Hewlett-Packard Development Company, L.P.)
    HKLM-x32\...\Run: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe [60464 2009-09-02] (EasyBits Software AS)
    HKLM-x32\...\Run: [] [x]
    HKLM-x32\...\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
    HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [USB Antivirus] C:\Program Files (x86)\USB Disk Security\USBGuard.exe [635808 2012-02-16] (Zbshareware Lab)
    HKLM-x32\...\Run: [Corel Graphics Suite 1117] C:\Program Files (x86)\Corel\Corel Graphics 11\Register\registration.exe /title="Corel Graphics Suite 11" /date=111810 serial=DR11CED-0160924-QUS [315392 2002-07-02] (Corel Corporation)
    HKLM-x32\...\Run: [RemoteControl] "C:\Program Files (x86)\Safari\PDVDServ.exe" [30208 2005-12-07] (Cyberlink Corp.)
    HKLM-x32\...\Run: [LanguageShortcut] "C:\Program Files (x86)\Safari\Language\Language.exe" [49152 2006-04-13] ()
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [417792 2009-11-10] (Apple Inc.)
    HKLM-x32\...\Run: [YMailAdvisor] "C:\Program Files (x86)\Yahoo!\Common\YMailAdvisor.exe" [125208 2008-06-05] (Yahoo! Inc.)
    HKLM-x32\...\Run: [YSearchProtection] "C:\Program Files (x86)\Yahoo!\Search Protection\SearchProtection.exe" [111856 2008-06-26] (Yahoo! Inc)
    HKLM-x32\...\Run: [NokiaMServer] C:\Program Files (x86)\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup [x]
    HKLM-x32\...\Run: [USB Security] C:\Program Files (x86)\USB Disk Security\USBGuard.exe [635808 2012-02-16] (Zbshareware Lab)
    HKLM-x32\...\Run: [DATAMNGR] C:\PROGRA~2\SEARCH~1\Datamngr\DATAMN~1.EXE [1890744 2012-07-25] (Bandoo Media, inc)
    HKU\USER\...\Run: [] [x]
    HKU\USER\...\Run: [Facebook Update] "C:\Users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-12] (Facebook Inc.)
    HKU\USER\...\Run: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot [3478936 2012-07-23] (Tonec Inc.)
    HKU\USER\...\Policies\system: [DisableLockWorkstation] 0
    HKU\USER\...\Policies\system: [DisableChangePassword] 0
    HKU\USER\...\Winlogon: [Shell] Explorer.exe
    HKLM-x32\...\Runonce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-unins...wBVAEsAOABBAC0AUgBSADcARgA2AC0AMABNADkASwBBAA"&"inst=NwA2AC0AOQA0ADgAMwAwADYAMwAyADcALQBOADEARAArADEALQBTAFQAOQAwAEEAUABQACsAMQAtAFAATAArADkALQBEAEQAVAArADAA"&"prod=94"&"ver=9.0.914 [x]
    AppInit_DLLs: C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
    Startup: C:\Users\USER\Start Menu\Programs\Startup\Bible Verse.lnk
    ShortcutTarget: Bible Verse.lnk -> C:\Program Files (x86)\Bible Verse\verse.exe ()
    Startup: C:\Users\USER\Start Menu\Programs\Startup\Facebook Messenger.lnk
    ShortcutTarget: Facebook Messenger.lnk -> (No File)

    ==================== Services (Whitelisted) ======

    2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
    2 DCSHost.exe; C:\ProgramData\DatacardService\DCSHost.exe [110592 2009-04-23] ()
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
  8. justiceotuya

    justiceotuya Newcomer, in training Topic Starter

    C:\Windows\System32\icardie.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00078848____A (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00076800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\SetIEInstalledDate.exe
    2012-07-23 05:51 - 2012-07-23 05:51 - 00076800 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
    2012-07-23 05:51 - 2012-07-23 05:51 - 00074752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
    2012-07-23 05:51 - 2012-07-23 05:51 - 00074752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00074240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ie4uinit.exe
    2012-07-23 05:51 - 2012-07-23 05:51 - 00066048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\icardie.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00063488 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
    2012-07-23 05:51 - 2012-07-23 05:51 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00054272 ____A (Microsoft Corporation) C:\Windows\SysWOW64\pngfilt.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00049664 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00048640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmler.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00035840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imgutil.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00031744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00023552 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00012288 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
    2012-07-23 05:51 - 2012-07-23 05:51 - 00011776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
    2012-07-23 05:51 - 2012-07-23 05:51 - 00010752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
    2012-07-23 05:51 - 2012-07-23 05:51 - 00010752 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
    2012-07-23 05:49 - 2012-07-23 05:51 - 00003841 ____A C:\Windows\IE9_main.log
    2012-07-23 04:47 - 2012-07-23 04:47 - 00000000 ____D C:\Users\USER\AppData\Local\HP Drivers Update Utility
    2012-07-23 04:47 - 2012-07-23 04:47 - 00000000 ____D C:\Program Files (x86)\HP Drivers Update Utility
    2012-07-23 04:02 - 2012-07-23 04:02 - 00000973 ____A C:\Users\Public\Desktop\Quick 3D Cover.lnk
    2012-07-23 04:02 - 2012-07-23 04:02 - 00000000 ____D C:\Program Files (x86)\Quick 3D Cover
    2012-07-23 02:27 - 2012-07-23 02:27 - 00000000 ____D C:\Users\USER\AppData\Local\Macromedia
    2012-07-23 02:25 - 2012-08-02 16:44 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-23 02:25 - 2012-08-01 02:56 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-07-23 02:25 - 2012-08-01 02:56 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-07-23 02:25 - 2012-07-23 02:25 - 00000000 ____D C:\Windows\System32\Macromed
    2012-07-23 02:18 - 2012-07-23 02:19 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-07-23 02:18 - 2012-07-23 02:18 - 00004728 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-07-23 02:18 - 2012-07-23 02:18 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-07-23 02:17 - 2010-04-09 03:06 - 00374664 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
    2012-07-23 02:16 - 2012-07-23 02:16 - 00000000 ____D C:\Users\All Users\Mozilla
    2012-07-23 02:16 - 2012-07-23 02:16 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2012-07-23 02:12 - 2012-05-04 02:52 - 05505392 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2012-07-23 02:12 - 2012-05-04 02:08 - 03958128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2012-07-23 02:12 - 2012-05-04 02:08 - 03902320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2012-07-23 02:12 - 2012-04-23 21:59 - 01460224 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-07-23 02:12 - 2012-04-23 21:59 - 00182272 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-07-23 02:12 - 2012-04-23 21:59 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-07-23 02:12 - 2012-04-23 20:47 - 01156608 ____A (Microsoft
  9. justiceotuya

    justiceotuya Newcomer, in training Topic Starter

    p.INI
    2012-08-03 04:35 - 2012-08-03 04:35 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F5F701EB6DE2F5B3
    2012-08-03 04:27 - 2012-08-03 04:27 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.17718B1FB599CAAA
    2012-08-03 04:20 - 2012-08-03 04:20 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.6BDC9B2DFBF82F2C
    2012-08-03 04:17 - 2012-08-01 02:46 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-03 04:12 - 2012-08-03 04:12 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0E2339A123D53B54
    2012-08-02 16:44 - 2012-07-23 02:25 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-02 16:18 - 2012-08-01 02:46 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-02 16:15 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
    2012-08-02 16:08 - 2012-04-17 11:04 - 00000924 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2342668357-1074823843-759307325-1000UA.job
    2012-08-02 08:33 - 2012-08-02 08:31 - 00278976 ____A C:\Windows\Minidump\080212-158325-01.dmp
    2012-08-02 08:31 - 2010-10-30 05:40 - 474795464 ____A C:\Windows\MEMORY.DMP
    2012-08-01 07:08 - 2012-04-17 11:04 - 00000902 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2342668357-1074823843-759307325-1000Core.job
    2012-08-01 03:14 - 2010-10-11 03:36 - 00133824 ____A C:\Users\USER\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-08-01 03:11 - 2009-07-13 20:45 - 00482992 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-08-01 03:06 - 2012-08-01 02:49 - 00000985 ____A C:\Users\Public\Desktop\iLivid.lnk
    2012-08-01 03:05 - 2012-08-01 03:05 - 00001176 ____A C:\Users\Public\Desktop\Play Games.lnk
    2012-08-01 03:05 - 2012-08-01 03:05 - 00001144 ____A C:\Users\Public\Desktop\Upgrade Facebook Chat Experience.lnk
    2012-08-01 02:56 - 2012-08-01 02:56 - 00004515 ____A C:\Users\USER\Downloads\st_7.htm
    2012-08-01 02:56 - 2012-08-01 02:56 - 00004512 ____A C:\Users\USER\Downloads\st_6.htm
    2012-08-01 02:56 - 2012-07-23 02:25 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-08-01 02:56 - 2012-07-23 02:25 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-08-01 02:53 - 2012-08-01 02:53 - 00004515 ____A C:\Users\USER\Downloads\st_5.htm
    2012-08-01 02:53 - 2012-08-01 02:53 - 00004509 ____A C:\Users\USER\Downloads\st_4.htm
    2012-08-01 02:52 - 2012-08-01 02:52 - 00004515 ____A C:\Users\USER\Downloads\st
    2012-08-01 02:51 - 2012-08-01 02:51 - 00004515 ____A C:\Users\USER\Downloads\st_3.htm
    2012-08-01 02:46 - 2012-08-01 02:46 - 03993600 ____A C:\Program Files (x86)\GUT824A.tmp
    2012-08-01 02:46 - 2012-08-01 02:46 - 00004515 ____A C:\Users\USER\Downloads\st_2.htm
    2012-08-01 02:44 - 2012-08-01 02:44 - 00004515 ____A C:\Users\USER\Downloads\st.htm
    2012-08-01 02:10 - 2012-07-25 01:47 - 00000328 ____A C:\Windows\Tasks\HPCeeScheduleForUSER.job
    2012-08-01 00:27 - 2012-08-01 00:27 - 00002236 ____A C:\Users\Public\Desktop\Student and Home Edition.lnk
    2012-07-30 13:34 - 2010-12-26 21:55 - 00050688 ____A C:\Users\USER\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-07-23 05:51 - 2012-07-23 05:51 - 03695416 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dat
    2012-07-23 05:51 - 2012-07-23 05:51 - 03695416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
    2012-07-23 05:51 - 2012-07-23 05:51 - 00697344 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00603648 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00580608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00534528 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00452608 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00448512 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
    2012-07-23 05:51 - 2012-07-23 05:51 - 00434176 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00403248 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00367104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
    2012-07-23 05:51 - 2012-07-23 05:51 - 00353792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00353584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00282112 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
    2012-07-23 05:51 - 2012-07-23 05:51 - 00267776 ____A (Microsoft Corporation) C:\Windows\System32\ieaksie.dll
    2012-07-23 05:51 - 2012-07-23 05
  10. justiceotuya

    justiceotuya Newcomer, in training Topic Starter

    :\Users\USER\AppData\Local\{63781c0e-9709-3549-22ac-296523ea73ce}\@
    C:\Users\USER\AppData\Local\{63781c0e-9709-3549-22ac-296523ea73ce}\L
    C:\Users\USER\AppData\Local\{63781c0e-9709-3549-22ac-296523ea73ce}\n
    C:\Users\USER\AppData\Local\{63781c0e-9709-3549-22ac-296523ea73ce}\U

    ZeroAccess:
    C:\Windows\assembly\GAC_32\Desktop.ini

    ZeroAccess:
    C:\Windows\assembly\GAC_64\Desktop.ini

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 17%
    Total physical RAM: 4092.2 MB
    Available physical RAM: 3370.22 MB
    Total Pagefile: 4090.35 MB
    Available Pagefile: 3365.8 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:451.89 GB) (Free:230.38 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    2 Drive e: (RECOVERY) (Fixed) (Total:13.57 GB) (Free:2.25 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
    5 Drive h: (Ajidon) (Removable) (Total:0.93 GB) (Free:0.02 GB) FAT
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 465 GB 0 B
    Disk 1 Online 954 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 199 MB 1024 KB
    Partition 2 Primary 451 GB 200 MB
    Partition 3 Primary 13 GB 452 GB
    Partition 4 Primary 103 MB 465 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 451 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E RECOVERY NTFS Partition 13 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 4
    Type : 0C
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 F HP_TOOLS FAT32 Partition 103 MB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 953 MB 64 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- --------
  11. justiceotuya

    justiceotuya Newcomer, in training Topic Starter

    I just sent the frst.txt log file. I will be sending the services.txt file now
  12. justiceotuya

    justiceotuya Newcomer, in training Topic Starter

    I meant search.txt, not services.txt.

    Farbar Recovery Scan Tool Version: 25-07-2012 01
    Ran by SYSTEM at 2012-08-03 17:10:18
    Running from H:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

    ====== End Of Search ======
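An added example (not code from the thread, from FRST or from its author) showing the check the helper is relying on here: parse the Search section above and the earlier "Bamital & volsnap Check", and flag a live services.exe whose MD5 differs from the WinSxS component-store copy. The sample log text is constructed from the lines posted in this thread; the function and class names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two FRST sections quoted in this thread.
SEARCH_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""
CHECK_LOG = r"""
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""

@dataclass
class FileEntry:
    path: str
    size: int
    vendor: str
    md5: str

@dataclass
class Finding:
    path: str
    md5: str
    reference_md5: str
    size_matches: bool  # True when only the hash differs (file patched in place)

@dataclass
class CheckResult:
    path: str
    flagged: bool
    md5: Optional[str]
    label: Optional[str]

# Search detail line: "[created] - [modified] - <size> <attrs> (<vendor>) <MD5>"
DETAIL_RE = re.compile(r"^\[[^\]]+\] - \[[^\]]+\] - (\d+) \S+ \(([^)]*)\) ([0-9A-Fa-f]{32})$")
# Flagged line in the Bamital & volsnap Check: "<path> <MD5> <label> ..."
CHECK_RE = re.compile(r"^(.+?) ([0-9A-Fa-f]{32}) (\S+)")

def parse_search(text):
    """Pair each path line of an FRST Search section with the detail line below it."""
    entries = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            pending = None
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            entries[pending] = FileEntry(pending, int(m.group(1)), m.group(2), m.group(3).upper())
            pending = None
        elif re.match(r"^[A-Za-z]:\\", line):
            pending = line
    return entries

def compare_to_winsxs(entries):
    """Flag live copies whose MD5 differs from every WinSxS copy of the same file name.

    The component store (winsxs) keeps the installed version of each system binary and
    serves as a local reference; here services.exe keeps that size but hashes differently.
    """
    by_name = defaultdict(list)
    for e in entries.values():
        by_name[e.path.rsplit("\\", 1)[-1].lower()].append(e)
    findings = []
    for group in by_name.values():
        refs = [e for e in group if "\\winsxs\\" in e.path.lower()]
        if not refs:
            continue  # nothing to compare against
        ref_md5s = {r.md5 for r in refs}
        for e in group:
            if e in refs or e.md5 in ref_md5s:
                continue
            findings.append(Finding(e.path, e.md5, refs[0].md5, e.size == refs[0].size))
    return findings

def parse_check(text):
    """Read the Bamital & volsnap Check: '=> MD5 is legit' passes, anything else is flagged."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("=> MD5 is legit"):
            results.append(CheckResult(line.split(" => ")[0], False, None, None))
            continue
        m = CHECK_RE.match(line)
        if m:
            results.append(CheckResult(m.group(1), True, m.group(2).upper(), m.group(3)))
    return results
```

Run `compare_to_winsxs(parse_search(SEARCH_LOG))` to get the one mismatching services.exe, and `parse_check(CHECK_LOG)` to see the same file flagged by FRST's own check.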
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST64 Fixlist

    Please run the following:

    Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Restart the computer, and post a new FRST log as well.
  14. justiceotuya

    justiceotuya Newcomer, in training Topic Starter

    Here is the fixlog.txt:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 2012-08-08 16:16:06 Run:1
    Running from H:\

    ==============================================

    Could not find C:\Windows\System32\services.exe.
    Could not find C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe.

    ==== End of Fixlog ====
  15. justiceotuya

    justiceotuya Newcomer, in training Topic Starter

    I will later post the other one
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please retry the fix, as it didn't work.
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.
