Inactive System files integrity check and repair error 0x45d, possible virus

JeffreyG

I had a Windows update the other day and no other change since, other than website searching. I run Symantec Endpoint Protection and am up to date. I was able to use the computer yesterday, and when I turned it off at night it would not restart this morning. I do not want to reinstall Windows for fear that I have a virus that will persist even if I reinstall Windows. Any suggestions would be greatly appreciated. I tried system recovery and can get a C: prompt. Thanks
 
I cannot start at all. If I use F8 I can only start normally, which hangs, or I get the blue screen with bad config/sys info, or I can click automatic repair and it runs and I get error 0x45d. I tried system repair and let it run for hours without success.
 
For 32-bit (x86) systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flash drive into the infected PC.

If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

If you are using Vista or Windows 7 enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language setting, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:
  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and then close Notepad.
  • In the command window type e:\frst (for the 64-bit version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.
 
Below is the log from FRST.exe

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2013
Ran by SYSTEM at 15-03-2013 08:31:24
Running from G:\
Windows 7 Professional Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet001
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [10025576 2011-06-08] (Realtek Semiconductor)
HKLM\...\Run: [NortonOnlineBackupReminder] "C:\Program Files\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED [600936 2009-06-29] (Symantec Corporation)
HKLM\...\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe [563736 2009-06-18] (PDF Complete Inc)
HKLM\...\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [115560 2010-10-29] (Symantec Corporation)
HKLM\...\Run: [HP Color LaserJet CM2320 MFP Series Fax] C:\Program Files\HP\HP Color LaserJet CM2320 MFP Series\hppfaxprintersrv.exe "HP Color LaserJet CM2320 MFP Series Fax" [x]
HKLM\...\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [63048 2010-05-31] (LogMeIn, Inc.)
HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2010-12-28] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM\...\Run: [PowerPanel Personal Edition User Interaction] C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe [316864 2010-04-09] (Cyber Power Systems, Inc.)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)
HKLM\...\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe [1016464 2011-09-08] (Carbonite, Inc.)
HKLM\...\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [2643320 2012-10-25] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [CitrixReceiver] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk" [x]
HKLM\...\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup [380088 2012-07-27] (Citrix Systems, Inc.)
HKLM\...\Run: [IndexSearch] "C:\Program Files\Nuance\PaperPort\IndexSearch.exe" [46368 2010-03-08] (Nuance Communications, Inc.)
HKLM\...\Run: [PaperPort PTD] "C:\Program Files\Nuance\PaperPort\pptd40nt.exe" [29984 2010-03-08] (Nuance Communications, Inc.)
HKLM\...\Run: [PPort12reminder] "C:\Program Files\Nuance\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\12\Config\Ereg\Ereg.ini" [376 2013-03-13] ()
HKLM\...\Run: [PDFHook] C:\Program Files\Nuance\PDF Viewer Plus\pdfpro5hook.exe [636192 2010-03-05] (Nuance Communications, Inc.)
HKLM\...\Run: [PDF5 Registry Controller] C:\Program Files\Nuance\PDF Viewer Plus\RegistryController.exe [62752 2010-03-05] (Nuance Communications, Inc.)
HKLM\...\Run: [ControlCenter4] C:\Program Files\ControlCenter4\BrCcBoot.exe /autorun [139264 2011-04-20] (Brother Industries, Ltd.)
HKLM\...\Run: [BrStsMon00] C:\Program Files\Browny02\Brother\BrStMonW.exe /AUTORUN [2621440 2010-06-10] (Brother Industries, Ltd.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.)
HKLM\...\Run: [Regedit32] C:\Windows\system32\regedit.exe [x]
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\administrator\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-01-27] (Google Inc.)
HKU\administrator\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [x]
HKU\administrator\...\Run: [Google Update] "C:\Users\drgewirtz\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-07-28] (Google Inc.)
HKU\administrator\...\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [222496 2009-05-05] (Acresso Corporation)
HKU\drgewirtz\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-01-27] (Google Inc.)
HKU\drgewirtz\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [x]
HKU\drgewirtz\...\Run: [Google Update] "C:\Users\drgewirtz\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-07-28] (Google Inc.)
HKU\drgewirtz\...\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [222496 2009-05-05] (Acresso Corporation)
HKU\drgewirtz\...\Run: [{08A203E4-B50A-AD7F-CD83-AF89D6D58C94}] C:\Users\drgewirtz\AppData\Roaming\Noisi\cuyx.exe [352768 2010-11-02] (?????????? ??????????)
HKU\drgewirtz\...\Run: [nixpezoxwigu] C:\Users\drgewirtz\nixpezoxwigu.exe [43984 2013-03-07] ()
HKU\Office\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-01-27] (Google Inc.)
HKU\Office\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [x]
HKU\Office\...\Run: [Google Update] "C:\Users\drgewirtz\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-07-28] (Google Inc.)
HKU\Office\...\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [222496 2009-05-05] (Acresso Corporation)
Tcpip\Parameters: [DhcpNameServer] 167.206.245.129 167.206.245.130
AppInit_DLLs: C:\PROGRA~1\Citrix\ICACLI~1\RSHook.dll
Tcpip\..\Interfaces\{42E0AB8B-0713-409B-8232-95614B27EFCB}: [NameServer]192.168.111.16,192.168.111.1
Startup: C:\ProgramData\Start Menu\Programs\Startup\Intuit Data Protect.lnk
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2012\QBW32.EXE (Intuit Inc.)
Startup: C:\Users\drgewirtz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Citrix Receiver.lnk
ShortcutTarget: Citrix Receiver.lnk -> C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe (Citrix Systems, Inc.)
Startup: C:\Users\drgewirtz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
Startup: C:\Users\drgewirtz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
==================== Services (Whitelisted) ===================
2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe /launchService [284160 2010-12-28] (Advanced Micro Devices, Inc.)
2 AMD Reservation Manager; "C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe" [140224 2010-06-17] (Advanced Micro Devices)
2 AMD_RAIDXpert; "C:\Program Files\AMD\RAIDXpert\bin\RAIDXpertService.exe" -s [122880 2009-03-15] (AMD)
2 BrcmMgmtAgent; "C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe" -service [110592 2009-07-10] (Broadcom Corporation)
3 BrYNSvc; "C:\Program Files\Browny02\BrYNSvc.exe" [245760 2010-01-25] (Brother Industries, Ltd.)
2 CarboniteService; "C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe" [3908752 2011-09-08] (Carbonite, Inc. (www.carbonite.com))
2 ccEvtMgr; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108392 2010-10-29] (Symantec Corporation)
2 ccSetMgr; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108392 2010-10-29] (Symantec Corporation)
3 DMService; C:\Windows\DOWNLO~1\DMService.exe [468368 2011-03-16] (Microsoft ® Corporation)
2 Hp.Skyroom.Windows.Service; "C:\Program Files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe" -startService [124984 2009-11-20] (Hewlett-Packard)
3 LiveUpdate; "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" [3093880 2010-02-17] (Symantec Corporation)
2 pdfcDispatcher; C:\Program Files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService [635416 2009-06-18] (PDF Complete Inc)
2 PDFProFiltSrvPP; C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe [144672 2010-03-08] (Nuance Communications, Inc.)
2 ppped; "C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe" [918976 2010-04-16] (Cyber Power Systems, Inc.)
2 QBVSS; "C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe" [1248256 2011-08-19] (Intuit Inc.)
2 SmcService; "C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" [1881368 2010-10-29] (Symantec Corporation)
4 SNAC; "C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" [349512 2010-10-29] (Symantec Corporation)
2 Symantec AntiVirus; "C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe" [1831024 2010-10-29] (Symantec Corporation)
2 uagqecsvc; C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe [149904 2009-12-14] (Microsoft ® Corporation)
2 rgsender; "c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe" -l logSetup [x]
==================== Drivers (Whitelisted) ====================
0 ahcix86s; C:\Windows\system32\DRIVERS\ahcix86s.sys [185912 2009-10-20] (Advanced Micro Devices, Inc)
3 Blfp; C:\Windows\System32\DRIVERS\basp.sys [84992 2009-05-11] (Broadcom Corporation)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-02-14] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2013-02-14] (Symantec Corporation)
3 NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20130311.004\NAVENG.SYS [93296 2013-02-14] (Symantec Corporation)
3 NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20130311.004\NAVEX15.SYS [1603824 2013-02-14] (Symantec Corporation)
3 SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2010-10-29] (Symantec Corporation)
1 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [283184 2010-10-29] (Symantec Corporation)
3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [320944 2010-10-29] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43696 2010-10-29] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [124976 2013-03-11] (Symantec Corporation)
3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [26416 2010-10-29] (Symantec Corporation)
1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [188080 2010-10-29] (Symantec Corporation)
4 LMIRfsClientNP; [x]
==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========
2013-03-15 08:31 - 2013-03-15 08:31 - 00000000 ____D C:\FRST
2013-03-13 08:16 - 2013-02-01 20:09 - 12321792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-03-13 08:16 - 2013-02-01 19:42 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-03-13 08:16 - 2013-02-01 19:38 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-03-13 08:16 - 2013-02-01 19:31 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-03-13 08:16 - 2013-02-01 19:30 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-03-13 08:16 - 2013-02-01 19:30 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-03-13 08:16 - 2013-02-01 19:29 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-03-13 08:16 - 2013-02-01 19:27 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-03-13 08:16 - 2013-02-01 19:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-03-13 08:16 - 2013-02-01 19:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-03-13 08:16 - 2013-02-01 19:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-03-13 08:16 - 2013-02-01 19:25 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-03-13 08:16 - 2013-02-01 19:23 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-03-13 08:16 - 2013-02-01 19:23 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-03-13 08:16 - 2013-02-01 19:23 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-03-13 08:16 - 2013-02-01 19:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-03-13 07:03 - 2013-03-13 07:03 - 13230080 ____A C:\Users\drgewirtz\Documents\Jeffrey B Gewirtz, DPM, LLC (Backup Mar 13,2013 11 02 AM).QBB
2013-03-12 14:23 - 2013-03-12 14:23 - 15859416 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2013-03-09 08:47 - 2013-03-09 08:47 - 00262560 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-03-09 08:47 - 2013-03-09 08:47 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-03-09 08:47 - 2013-03-09 08:47 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-03-09 08:47 - 2013-03-09 08:47 - 00094112 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-03-08 18:34 - 2013-03-08 18:34 - 00002566 ____A C:\Users\Public\Documents\encryptdoc.pfx
2013-03-08 09:36 - 2013-03-08 09:36 - 13172736 ____A C:\Users\drgewirtz\Documents\Jeffrey B Gewirtz, DPM, LLC (Backup Mar 08,2013 12 36 PM).QBB
2013-03-07 07:31 - 2013-03-07 07:31 - 00043984 ____A C:\Users\drgewirtz\nixpezoxwigu.exe
2013-03-06 10:32 - 2013-03-06 10:32 - 00000000 ____A C:\Users\drgewirtz\Documents\Nuance Image Printer Writer Port
2013-03-05 10:12 - 2013-03-05 10:12 - 00000000 _RASH C:\MSDOS.SYS
2013-03-05 10:12 - 2013-03-05 10:12 - 00000000 _RASH C:\IO.SYS
2013-02-26 15:13 - 2013-02-26 15:13 - 12996608 ____A C:\Users\drgewirtz\Documents\Jeffrey B Gewirtz, DPM, LLC (Backup Feb 26,2013 06 12 PM).QBB
2013-02-21 09:17 - 2013-02-21 09:17 - 00001755 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-02-21 09:16 - 2013-02-21 09:17 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-02-21 09:16 - 2013-02-21 09:17 - 00000000 ____D C:\Program Files\iTunes
2013-02-21 09:16 - 2013-02-21 09:16 - 00000000 ____D C:\Program Files\iPod
2013-02-21 08:36 - 2013-02-21 08:36 - 00000000 ____A C:\t15o.2
2013-02-13 07:12 - 2013-01-03 19:00 - 02347008 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-02-13 07:11 - 2013-01-04 21:00 - 03967848 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-02-13 07:11 - 2013-01-04 21:00 - 03913064 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-02-13 07:11 - 2013-01-03 20:50 - 00169984 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2013-02-13 07:11 - 2013-01-02 21:05 - 01293672 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-02-13 07:11 - 2013-01-02 21:04 - 00187752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
==================== One Month Modified Files and Folders ========
2013-03-14 11:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\LogFiles
2013-03-13 12:10 - 2010-10-25 12:51 - 01499510 ____A C:\Windows\WindowsUpdate.log
2013-03-13 12:05 - 2010-10-29 08:28 - 00000120 ____A C:\Windows\System32\config\netlogon.ftl
2013-03-13 12:01 - 2011-01-27 11:06 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-03-13 11:54 - 2011-08-22 07:02 - 00000924 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3576482904-1308803037-2723772800-1000UA.job
2013-03-13 11:23 - 2012-04-02 07:07 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-03-13 11:16 - 2010-10-29 20:41 - 00000000 ____D C:\Users\drgewirtz\AppData\Local\PDFC
2013-03-13 10:00 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2013-03-13 09:16 - 2010-10-29 21:31 - 00002008 ____A C:\Users\drgewirtz\Documents\Default.rdp
2013-03-13 08:48 - 2010-11-01 18:10 - 00000000 ____D C:\Users\drgewirtz\AppData\Local\Deployment
2013-03-13 08:47 - 2011-08-24 12:17 - 00000000 ___RD C:\Users\drgewirtz\Dropbox
2013-03-13 08:47 - 2011-08-24 12:13 - 00000000 ____D C:\Users\drgewirtz\AppData\Roaming\Dropbox
2013-03-13 08:47 - 2011-01-27 11:06 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-03-13 08:40 - 2009-07-13 20:34 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-03-13 08:40 - 2009-07-13 20:34 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-03-13 08:38 - 2009-07-25 04:54 - 00782838 ____A C:\Windows\System32\PerfStringBackup.INI
2013-03-13 08:32 - 2011-08-30 06:47 - 00000000 ____D C:\Program Files\CyberPower PowerPanel Personal Edition
2013-03-13 08:32 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-03-13 08:32 - 2009-07-13 20:39 - 00059403 ____A C:\Windows\setupact.log
2013-03-13 08:31 - 2011-07-11 13:18 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-03-13 08:31 - 2010-10-25 10:38 - 00055346 ____A C:\Windows\PFRO.log
2013-03-13 08:21 - 2010-11-04 10:45 - 00000000 ____D C:\ProgramData\LogMeIn
2013-03-13 08:21 - 2010-10-25 09:54 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-03-13 08:18 - 2010-11-02 20:11 - 69796088 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-03-13 07:03 - 2013-03-13 07:03 - 13230080 ____A C:\Users\drgewirtz\Documents\Jeffrey B Gewirtz, DPM, LLC (Backup Mar 13,2013 11 02 AM).QBB
2013-03-13 03:54 - 2011-08-22 07:02 - 00000872 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3576482904-1308803037-2723772800-1000Core.job
2013-03-12 14:23 - 2013-03-12 14:23 - 15859416 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2013-03-12 14:23 - 2012-04-02 07:07 - 00693976 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-03-12 14:23 - 2011-05-16 05:00 - 00073432 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-03-12 13:33 - 2010-11-03 16:55 - 00000052 ____A C:\Windows\System32\DOErrors.log
2013-03-12 10:26 - 2012-12-07 08:26 - 00000000 ____D C:\Users\drgewirtz\Documents\pathology project
2013-03-11 20:29 - 2010-10-25 09:58 - 00000000 ____D C:\ProgramData\PDFC
2013-03-11 11:51 - 2010-10-29 07:21 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-03-11 11:14 - 2010-10-29 07:22 - 00124976 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2013-03-11 11:14 - 2010-10-29 07:22 - 00007456 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
2013-03-11 11:14 - 2010-10-25 12:55 - 00000000 ____D C:\Program Files\Symantec
2013-03-09 08:47 - 2013-03-09 08:47 - 00262560 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-03-09 08:47 - 2013-03-09 08:47 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-03-09 08:47 - 2013-03-09 08:47 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-03-09 08:47 - 2013-03-09 08:47 - 00094112 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-03-09 08:47 - 2012-06-07 11:53 - 00861088 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2013-03-09 08:47 - 2010-11-15 11:48 - 00782240 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2013-03-09 08:44 - 2010-10-29 20:39 - 00000000 ___AD C:\users\drgewirtz
2013-03-08 18:34 - 2013-03-08 18:34 - 00002566 ____A C:\Users\Public\Documents\encryptdoc.pfx
2013-03-08 09:36 - 2013-03-08 09:36 - 13172736 ____A C:\Users\drgewirtz\Documents\Jeffrey B Gewirtz, DPM, LLC (Backup Mar 08,2013 12 36 PM).QBB
2013-03-08 06:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2013-03-07 08:47 - 2010-11-02 10:59 - 00000000 ____D C:\Users\drgewirtz\AppData\Roaming\Noisi
2013-03-07 07:31 - 2013-03-07 07:31 - 00043984 ____A C:\Users\drgewirtz\nixpezoxwigu.exe
2013-03-06 10:32 - 2013-03-06 10:32 - 00000000 ____A C:\Users\drgewirtz\Documents\Nuance Image Printer Writer Port
2013-03-05 13:06 - 2010-12-02 11:52 - 00000000 ____D C:\Users\drgewirtz\Documents\Outlook Files
2013-03-05 10:12 - 2013-03-05 10:12 - 00000000 _RASH C:\MSDOS.SYS
2013-03-05 10:12 - 2013-03-05 10:12 - 00000000 _RASH C:\IO.SYS
2013-03-04 21:56 - 2011-08-22 07:03 - 00002352 ____A C:\Users\drgewirtz\Desktop\Google Chrome.lnk
2013-03-01 07:07 - 2011-07-13 09:31 - 00000336 ____A C:\Windows\Tasks\HPCeeScheduleFordrgewirtz.job
2013-02-28 12:47 - 2012-11-13 06:04 - 00000426 ____A C:\Windows\BRWMARK.INI
2013-02-28 10:34 - 2012-12-12 15:00 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-02-28 10:34 - 2012-06-01 04:56 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-02-28 10:30 - 2011-09-26 05:38 - 00000000 ____D C:\Users\drgewirtz\Documents\Personal
2013-02-26 15:13 - 2013-02-26 15:13 - 12996608 ____A C:\Users\drgewirtz\Documents\Jeffrey B Gewirtz, DPM, LLC (Backup Feb 26,2013 06 12 PM).QBB
2013-02-25 12:55 - 2013-02-08 07:52 - 00000000 ____D C:\Users\drgewirtz\Documents\credentialling
2013-02-21 15:32 - 2009-07-13 18:04 - 00000522 ____A C:\Windows\win.ini
2013-02-21 09:17 - 2013-02-21 09:17 - 00001755 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-02-21 09:17 - 2013-02-21 09:16 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-02-21 09:17 - 2013-02-21 09:16 - 00000000 ____D C:\Program Files\iTunes
2013-02-21 09:16 - 2013-02-21 09:16 - 00000000 ____D C:\Program Files\iPod
2013-02-21 09:16 - 2011-08-18 12:22 - 00000000 ____D C:\Program Files\Common Files\Apple
2013-02-21 09:14 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2013-02-21 08:36 - 2013-02-21 08:36 - 00000000 ____A C:\t15o.2
2013-02-14 09:17 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-02-14 07:07 - 2009-07-13 20:33 - 00484976 ____A C:\Windows\System32\FNTCACHE.DAT

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================

==================== Memory info ===========================
Percentage of memory in use: 15%
Total physical RAM: 3583.39 MB
Available physical RAM: 3044.86 MB
Total Pagefile: 3581.68 MB
Available Pagefile: 3086.14 MB
Total Virtual: 2047.88 MB
Available Virtual: 1960.68 MB
==================== Partitions =============================
1 Drive c: (OS) (Fixed) (Total:139.85 GB) (Free:69.35 GB) NTFS
2 Drive e: (HP_RECOVERY) (Fixed) (Total:7.19 GB) (Free:0.8 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (GSP1RMCPRFREO_EN_DVD) (CDROM) (Total:2.39 GB) (Free:0 GB) UDF
4 Drive g: (0704120902) (Removable) (Total:1.92 GB) (Free:0.37 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM) (Fixed) (Total:2 GB) (Free:1.68 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 149 GB 9 MB
Disk 1 Online 1968 MB 0 B
Partitions of Disk 0:
===============
Disk ID: DA7766AF
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 2047 MB 1024 KB
Partition 2 Primary 139 GB 2048 MB
Partition 3 Primary 7360 MB 141 GB
=========================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 2047 MB Healthy
=========================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 139 GB Healthy
=========================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E HP_RECOVERY NTFS Partition 7360 MB Healthy
=========================================================
Partitions of Disk 1:
===============
Disk ID: A83B35C6
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1967 MB 16 KB
=========================================================
Disk: 1
Partition 1
Type : 0E
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G 0704120902 FAT Removable 1967 MB Healthy
=========================================================
============================== MBR Partition Table ==================
==============================
Partitions of Disk 0:
===============
Disk ID: DA7766AF
Partition 1:
=========
Hex: 80202100071550050008000000F83F00
Active: YES
Type: 07 (NTFS)
Size: 2 GB
Partition 2:
=========
Hex: 0015510507FEFFFF0000400000487B11
Active: NO
Type: 07 (NTFS)
Size: 140 GB
Partition 3:
=========
Hex: 00FEFFFF07FEFFFF0048BB110000E600
Active: NO
Type: 07 (NTFS)
Size: 7 GB
==============================
Partitions of Disk 1:
===============
Disk ID: A83B35C6
Partition 1:
=========
Hex: 800101000E0FA0BF20000000E07F3D00
Active: YES
Type: 0E
Size: 2 GB

Last Boot: 2013-03-04 21:59
==================== End Of Log ============================
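The helper reads an FRST.txt the way the log above invites: which Run-key entries are unsigned, live in a user-writable folder, carry a random or GUID-style name, or appear in the "One Month Created Files" list? The script below is an added example for this thread (not FRST's own code, and not the helper's fixlist, which is an attachment not shown on the page). It parses a few lines copied from the log posted above, applies those checks as scoring heuristics, and emits the lines a fixlist.txt would carry for the entries that score highest. The heuristics, their weights and the score threshold are this example's assumptions; so is the description of FRST's fixlist convention (a Run line copied from the log tells FRST to delete that value, and a bare file path tells it to quarantine the file), which is how FRST documents fixlists but is not stated on this page.

```python
"""Triage the autorun (Run-key) entries in a Farbar Recovery Scan Tool log.

Added example for this thread; it is not FRST's own code nor the helper's
fixlist. The heuristics, their weights and the score threshold are this
example's assumptions, chosen to mirror what a malware-removal helper
checks by eye in an FRST.txt.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a handful of lines copied from the FRST.txt posted
# above (five Run entries plus one "One Month Created Files" line).
SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [10025576 2011-06-08] (Realtek Semiconductor)
HKLM\...\Run: [Regedit32] C:\Windows\system32\regedit.exe [x]
HKU\drgewirtz\...\Run: [Google Update] "C:\Users\drgewirtz\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-07-28] (Google Inc.)
HKU\drgewirtz\...\Run: [{08A203E4-B50A-AD7F-CD83-AF89D6D58C94}] C:\Users\drgewirtz\AppData\Roaming\Noisi\cuyx.exe [352768 2010-11-02] (?????????? ??????????)
HKU\drgewirtz\...\Run: [nixpezoxwigu] C:\Users\drgewirtz\nixpezoxwigu.exe [43984 2013-03-07] ()
2013-03-07 07:31 - 2013-03-07 07:31 - 00043984 ____A C:\Users\drgewirtz\nixpezoxwigu.exe
"""

# "HKU\user\...\Run: [name] command [size date] (publisher)", or "... [x]" when the file is missing
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<command>.+?) "
    r"(?:\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>.*)\)|\[x\])$"
)
# "created - modified - size attrs [(publisher)] path"
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ \S+ "
    r"(?:\([^)]*\) )?(?P<path>[A-Za-z]:\\.*)$"
)
# First executable-looking path in the command, with or without quotes
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|scr|com|bat|cmd|vbs|js|lnk))"?(?:\s|$)', re.I)
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)


@dataclass
class RunEntry:
    raw: str                      # the log line exactly as FRST printed it
    name: str
    command: str
    path: Optional[str]           # executable extracted from the command
    publisher: Optional[str]      # None when FRST printed [x] (file not found)
    flags: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.flags)


def parse_log(text: str):
    """Return (Run entries, lower-cased paths from the created-files section)."""
    entries, created = [], set()
    for line in (l.strip() for l in text.splitlines()):
        if m := RUN_RE.match(line):
            pm = PATH_RE.match(m["command"])
            entries.append(RunEntry(line, m["name"], m["command"],
                                    pm["path"] if pm else None, m["publisher"]))
        elif m := CREATED_RE.match(line):
            created.add(m["path"].lower())
    return entries, created


def triage(e: RunEntry, created: set) -> RunEntry:
    """Attach one flag per persistence red flag; every rule here is an assumption."""
    p = (e.path or "").lower()
    if e.publisher is None:
        e.flags.append("target_missing")             # FRST's [x]: orphaned value or deleted dropper
    if GUID_RE.match(e.name):
        e.flags.append("guid_value_name")            # random GUID used as the value name
    if p.startswith(("c:\\users\\", "c:\\programdata\\")):
        e.flags.append("user_writable_location")     # droppable without admin rights
    if re.match(r"^c:\\users\\[^\\]+\\[^\\]+$", p):
        e.flags.append("profile_root")               # exe sitting directly in the profile folder
    if e.publisher is not None and (not e.publisher or "?" in e.publisher):
        e.flags.append("no_or_garbled_publisher")    # "()" or "(?????)" version info
    if p in created:
        e.flags.append("recently_created")           # listed under One Month Created Files
    return e


def score_autoruns(text: str) -> dict:
    """Map each Run value name to its red-flag count."""
    entries, created = parse_log(text)
    return {e.name: triage(e, created).score for e in entries}


def suspicious_autoruns(text: str, threshold: int = 2) -> dict:
    """Map value name -> flags for the entries at or above the threshold."""
    entries, created = parse_log(text)
    return {e.name: e.flags for e in entries if triage(e, created).score >= threshold}


def to_fixlist(text: str, threshold: int = 2) -> str:
    """fixlist.txt lines for the flagged entries: the copied Run line (deletes the
    value) followed by the bare file path (quarantines the file) - FRST's
    documented convention, assumed here rather than taken from the thread."""
    entries, created = parse_log(text)
    lines = []
    for e in entries:
        if triage(e, created).score >= threshold:
            lines.append(e.raw)
            if e.path and e.publisher is not None:   # no point quarantining an [x] target
                lines.append(e.path)
    return "\n".join(lines)


if __name__ == "__main__":
    for name, flags in suspicious_autoruns(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(flags)}")
    print(to_fixlist(SAMPLE_LOG))
```

With the default threshold the two entries this produces are exactly the user-profile ones the helper's first fix removed (the GUID-named cuyx.exe and nixpezoxwigu.exe); the orphaned Regedit32 value and Google Update each score one and are left for a human to judge, which is the right default for a scoring heuristic that has no signature database behind it.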
 
Download the attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

See if you can boot normally.
 

Attachment: fixlist.txt (407 bytes)
Thank you. The computer started and the log is below. When I ran the FRST tool I saw the virus name right away.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2013
Ran by SYSTEM at 2013-03-15 19:15:41 Run:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Regedit32 Value deleted successfully.
HKEY_USERS\drgewirtz\Software\Microsoft\Windows\CurrentVersion\Run\\{08A203E4-B50A-AD7F-CD83-AF89D6D58C94} Value deleted successfully.
HKEY_USERS\drgewirtz\Software\Microsoft\Windows\CurrentVersion\Run\\nixpezoxwigu Value deleted successfully.
C:\Users\drgewirtz\AppData\Roaming\Noisi\cuyx.exe moved successfully.
C:\Users\drgewirtz\nixpezoxwigu.exe moved successfully.

==== End of Fixlog ====
 
I restarted the computer without the Windows CD and it does not offer safe mode; I cannot start normally and it just searches in repair mode.
 
Let's try something else.
We're going to use FRST again with a different fix.

Download the attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

See if you can start now.
 

Attachment: fixlist.txt (27 bytes)
The computer did not start normally; it is still getting stuck at the spinning color symbol.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2013
Ran by SYSTEM at 2013-03-15 20:38:07 Run:2
Running from G:\

==============================================

DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====
 
Safe mode?
When your computer starts, keep tapping the F8 key until you see a screen with the safe mode option.
 
I tried; the only two options I get are Launch Startup Repair and Start Normally. I cannot get a safe mode option. Not sure what to do. Should I try the repair again and restart using the Windows CD?
 
Not starting normally yet; it keeps going back to the spinning window after I finish the repair. It seems like every time it restarts it rewrites the virus code. Is there a bootable way to scan? I very much appreciate your help.
 
It actually started and I am in. I think this virus code I have is a recent trojan. I looked it up.
What should I do now?
 
The computer is not really responding and the cursor spins, so I can't get Malwarebytes to run. I actually recently updated, so it is already loaded, but I can't get in to get the database updated and run the program, nor the other one. Any suggestions? Thank you very much.
 