Geeks To Go forums
Please Help BSOD after removing infection with Tdsskiller



#1 daguinho (New Member)

After running TDSSKiller and finding an infection on an HP laptop with Windows 7 64-bit Home, it will not load Windows; I am only able to enter the recovery console...

I ran a scan with Farbar Recovery Scan Tool and got the following:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 16-10-2012
Ran by SYSTEM at 16-10-2012 16:02:36
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [x]
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-02-14] (IDT, Inc.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2011-04-01] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe [94264 2011-02-15] (Hewlett-Packard Development Company L.P.)
HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [586296 2010-11-09] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [35768 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe [61112 2011-03-16] (EasyBits Software AS)
HKLM-x32\...\Run: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [318520 2011-01-17] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [249064 2010-10-29] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2596984 2012-07-31] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [892768 2011-12-19] ()
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [296096 2012-09-22] (RealNetworks, Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1644744 2012-08-08] (Ask)
HKU\jessica\...\Run: [AROReminder] C:\Program Files (x86)\ARO 2011\ARO.exe -rem [2314608 2011-10-07] (Support.com)
HKU\jessica\...\Run: [MyTomTomSA.exe] "C:\Program Files (x86)\MyTomTom 3\MyTomTomSA.exe" [420312 2011-08-15] (TomTom)
HKU\jessica\...\Run: [TomTomHOME.exe] "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [247728 2011-04-22] (TomTom)
HKU\jessica\...\Policies\system: [DisableLockWorkstation] 0
HKU\jessica\...\Policies\system: [DisableChangePassword] 0
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62

==================== Services (Whitelisted) ===================

2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe" [5167736 2012-08-13] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe" [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
2 HPAuto; "C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe" [682040 2011-02-16] (Hewlett-Packard)
3 hpCMSrv; "C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe" [1071160 2011-02-15] (Hewlett-Packard Development Company L.P.)
3 rpcapd; "C:\Program Files (x86)\WinPcap\rpcapd.exe" -d -f "C:\Program Files (x86)\WinPcap\rpcapd.ini" [x]

==================== Drivers (Whitelisted) =====================

3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [124496 2011-12-23] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [291680 2012-07-26] (AVG Technologies CZ, s.r.o.)
1 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [384352 2012-08-24] (AVG Technologies CZ, s.r.o.)
2 NPF; C:\Windows\System32\Drivers\NPF.sys [35344 2010-06-25] (CACE Technologies, Inc.)

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-10-16 16:02 - 2012-10-16 16:02 - 00000000 ____D C:\FRST
2012-10-16 13:06 - 2012-10-16 15:23 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-10-16 13:02 - 2012-10-16 13:02 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-10-16 12:56 - 2012-10-16 12:56 - 00000000 ____D C:\Users\jessica\AppData\Roaming\Wireshark
2012-10-07 14:26 - 2012-10-07 14:26 - 00000000 ____D C:\Users\jessica\AppData\Local\{97CBFD48-9A76-41D5-9FD1-B849D3AB4747}
2012-09-23 23:48 - 2012-09-23 23:48 - 00000000 ____D C:\Users\jessica\AppData\Local\{245DE0E6-4312-469C-A6DF-43C10E152040}
2012-09-23 15:53 - 2012-09-23 15:53 - 00000000 ____D C:\Program Files (x86)\WinPcap
2012-09-23 15:51 - 2012-09-23 15:53 - 00000000 ____D C:\Program Files\Wireshark
2012-09-23 15:49 - 2012-09-23 15:50 - 26624472 ____A (Wireshark development team) C:\Users\jessica\Downloads\Wireshark-win64-1.8.2.exe
2012-09-23 15:49 - 2012-09-23 15:49 - 00002019 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2012-09-23 15:41 - 2012-09-23 15:41 - 00007598 ____A C:\Users\jessica\AppData\Local\Resmon.ResmonCfg
2012-09-23 15:16 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-09-23 12:11 - 2012-09-23 12:11 - 00000000 ____D C:\Users\jessica\AppData\Roaming\Malwarebytes
2012-09-23 12:11 - 2012-09-23 12:11 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-09-23 12:10 - 2012-09-23 12:10 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\jessica\Downloads\mbam-setup-1.65.0.1400.exe
2012-09-23 12:10 - 2012-09-23 12:10 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\jessica\Downloads\mbam-setup-1.65.0.1400 (1).exe
2012-09-23 10:18 - 2012-08-24 03:15 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-09-23 10:18 - 2012-08-24 02:39 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-09-23 10:18 - 2012-08-24 02:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-09-23 10:18 - 2012-08-24 02:22 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-09-23 10:18 - 2012-08-24 02:21 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-09-23 10:18 - 2012-08-24 02:20 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-09-23 10:18 - 2012-08-24 02:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-09-23 10:18 - 2012-08-24 02:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-09-23 10:18 - 2012-08-24 02:14 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-09-23 10:18 - 2012-08-24 02:14 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-09-23 10:18 - 2012-08-24 02:13 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-09-23 10:18 - 2012-08-24 02:12 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-09-23 10:18 - 2012-08-24 02:11 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-09-23 10:18 - 2012-08-24 02:10 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-09-23 10:18 - 2012-08-24 02:09 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-09-23 10:18 - 2012-08-24 02:04 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-09-23 10:18 - 2012-08-23 23:27 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-09-23 10:18 - 2012-08-23 23:03 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-09-23 10:18 - 2012-08-23 22:59 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-09-23 10:18 - 2012-08-23 22:51 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-09-23 10:18 - 2012-08-23 22:51 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-09-23 10:18 - 2012-08-23 22:51 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-09-23 10:18 - 2012-08-23 22:49 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-09-23 10:18 - 2012-08-23 22:48 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-09-23 10:18 - 2012-08-23 22:47 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-09-23 10:18 - 2012-08-23 22:47 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-09-23 10:18 - 2012-08-23 22:47 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-09-23 10:18 - 2012-08-23 22:45 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-09-23 10:18 - 2012-08-23 22:44 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-09-23 10:18 - 2012-08-23 22:44 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-09-23 10:18 - 2012-08-23 22:43 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-09-23 10:18 - 2012-08-23 22:40 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-09-22 17:52 - 2012-09-23 22:03 - 00000000 ____D C:\Users\jessica\Incomplete
2012-09-22 17:52 - 2012-09-22 17:52 - 00000000 ____D C:\Users\jessica\AppData\Local\APN
2012-09-22 17:51 - 2012-10-16 15:44 - 00000000 ____D C:\Program Files (x86)\MP3 Rocket
2012-09-22 17:51 - 2012-09-23 15:23 - 00000000 ____D C:\Users\jessica\AppData\Roaming\MP3Rocket
2012-09-22 17:51 - 2012-09-22 17:51 - 00001994 ____A C:\Users\jessica\Desktop\MP3 Rocket 6.2.3.lnk
2012-09-22 17:49 - 2012-09-22 17:49 - 00000000 ____D C:\Program Files\Google
2012-09-22 17:48 - 2012-09-22 17:49 - 00000000 ____D C:\Users\All Users\Google
2012-09-22 17:48 - 2012-09-22 17:48 - 00001268 ____A C:\Users\Public\Desktop\RealPlayer.lnk
2012-09-22 17:48 - 2012-09-22 17:48 - 00000000 ____D C:\Users\jessica\AppData\Local\Real
2012-09-22 17:47 - 2012-09-22 17:47 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
2012-09-22 17:47 - 2012-09-22 17:47 - 00198864 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
2012-09-22 17:47 - 2012-09-22 17:47 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
2012-09-22 17:47 - 2012-09-22 17:47 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
2012-09-22 17:46 - 2012-09-22 17:47 - 00000000 ____D C:\Program Files (x86)\Real
2012-09-22 17:45 - 2012-09-22 17:55 - 00002344 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-09-22 17:45 - 2012-09-22 17:49 - 00000000 ____D C:\Users\jessica\AppData\Roaming\Real
2012-09-22 17:44 - 2012-09-24 13:24 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-09-22 17:44 - 2012-09-23 21:15 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-09-22 17:44 - 2012-09-22 17:49 - 00000000 ____D C:\Program Files (x86)\Google
2012-09-22 17:44 - 2012-09-22 17:48 - 00000000 ____D C:\Users\jessica\AppData\Local\Google
2012-09-22 17:43 - 2012-10-16 15:34 - 00000000 ____D C:\Users\All Users\Real
2012-09-22 17:42 - 2012-09-22 17:42 - 00372457 ____A C:\Users\jessica\Downloads\MP3 Rocket.exe
2012-09-22 17:38 - 2012-09-23 23:50 - 00000000 ____D C:\Users\jessica\AppData\Roaming\MediaMonkey
2012-09-22 17:38 - 2012-09-22 17:38 - 00001047 ____A C:\Users\Public\Desktop\MediaMonkey.lnk
2012-09-22 17:38 - 2012-09-22 17:38 - 00000000 ____D C:\Users\jessica\AppData\Local\MediaMonkey
2012-09-22 17:38 - 2012-09-22 17:38 - 00000000 ____D C:\Users\All Users\MediaMonkey
2012-09-22 17:38 - 2012-09-22 17:38 - 00000000 ____D C:\Program Files (x86)\MediaMonkey
2012-09-22 17:36 - 2012-09-22 17:36 - 15056224 ____A (Ventis Media Inc. ) C:\Users\jessica\Downloads\MediaMonkey_4.0.6.1501.exe

==================== 3 Months Modified Files ==================

2012-09-24 13:24 - 2012-09-22 17:44 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-09-24 13:24 - 2011-08-19 15:12 - 01464246 ____A C:\Windows\WindowsUpdate.log
2012-09-23 21:22 - 2009-07-13 20:45 - 00032064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-23 21:22 - 2009-07-13 20:45 - 00032064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-23 21:21 - 2009-07-13 21:13 - 00714754 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-23 21:15 - 2012-09-22 17:44 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-09-23 21:14 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-23 21:14 - 2009-07-13 20:51 - 00060149 ____A C:\Windows\setupact.log
2012-09-23 15:56 - 2009-07-13 21:08 - 00032632 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-09-23 15:50 - 2012-09-23 15:49 - 26624472 ____A (Wireshark development team) C:\Users\jessica\Downloads\Wireshark-win64-1.8.2.exe
2012-09-23 15:49 - 2012-09-23 15:49 - 00002019 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2012-09-23 15:41 - 2012-09-23 15:41 - 00007598 ____A C:\Users\jessica\AppData\Local\Resmon.ResmonCfg
2012-09-23 15:15 - 2012-07-17 20:00 - 00000340 ____A C:\Windows\Tasks\HPCeeScheduleForjessica.job
2012-09-23 15:15 - 2010-11-20 19:47 - 00233766 ____A C:\Windows\PFRO.log
2012-09-23 12:10 - 2012-09-23 12:10 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\jessica\Downloads\mbam-setup-1.65.0.1400.exe
2012-09-23 12:10 - 2012-09-23 12:10 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\jessica\Downloads\mbam-setup-1.65.0.1400 (1).exe
2012-09-23 10:10 - 2012-08-08 17:39 - 00696240 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-09-23 10:10 - 2011-09-18 18:17 - 00073136 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-09-23 10:08 - 2012-08-04 18:52 - 00000346 ____A C:\Windows\Tasks\HPCeeScheduleForJESSICA-HP$.job
2012-09-22 17:55 - 2012-09-22 17:45 - 00002344 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-09-22 17:51 - 2012-09-22 17:51 - 00001994 ____A C:\Users\jessica\Desktop\MP3 Rocket 6.2.3.lnk
2012-09-22 17:48 - 2012-09-22 17:48 - 00001268 ____A C:\Users\Public\Desktop\RealPlayer.lnk
2012-09-22 17:47 - 2012-09-22 17:47 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
2012-09-22 17:47 - 2012-09-22 17:47 - 00198864 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
2012-09-22 17:47 - 2012-09-22 17:47 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
2012-09-22 17:47 - 2012-09-22 17:47 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
2012-09-22 17:47 - 2003-03-18 19:14 - 00499712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
2012-09-22 17:47 - 2003-02-21 03:42 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2012-09-22 17:42 - 2012-09-22 17:42 - 00372457 ____A C:\Users\jessica\Downloads\MP3 Rocket.exe
2012-09-22 17:38 - 2012-09-22 17:38 - 00001047 ____A C:\Users\Public\Desktop\MediaMonkey.lnk
2012-09-22 17:36 - 2012-09-22 17:36 - 15056224 ____A (Ventis Media Inc. ) C:\Users\jessica\Downloads\MediaMonkey_4.0.6.1501.exe
2012-09-15 22:52 - 2011-05-17 11:58 - 00002590 ____N C:\Users\Public\Desktop\WildTangent Games App - hp.lnk
2012-09-12 20:17 - 2011-11-14 20:47 - 00000965 ____A C:\Users\Public\Desktop\AVG 2012.lnk
2012-08-26 18:19 - 2012-08-26 18:19 - 00275584 ____A C:\Windows\Minidump\082612-36535-01.dmp
2012-08-26 18:19 - 2012-05-11 20:00 - 351105985 ____A C:\Windows\MEMORY.DMP
2012-08-24 14:43 - 2012-08-24 14:43 - 00384352 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgtdia.sys
2012-08-24 03:15 - 2012-09-23 10:18 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-24 02:39 - 2012-09-23 10:18 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-24 02:31 - 2012-09-23 10:18 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-24 02:22 - 2012-09-23 10:18 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-24 02:21 - 2012-09-23 10:18 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-24 02:20 - 2012-09-23 10:18 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-24 02:18 - 2012-09-23 10:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-24 02:17 - 2012-09-23 10:18 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-24 02:14 - 2012-09-23 10:18 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-24 02:14 - 2012-09-23 10:18 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-24 02:13 - 2012-09-23 10:18 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-24 02:12 - 2012-09-23 10:18 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-24 02:11 - 2012-09-23 10:18 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-24 02:10 - 2012-09-23 10:18 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-24 02:09 - 2012-09-23 10:18 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-24 02:04 - 2012-09-23 10:18 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-23 23:27 - 2012-09-23 10:18 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-23 23:03 - 2012-09-23 10:18 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-23 22:59 - 2012-09-23 10:18 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-08-23 22:51 - 2012-09-23 10:18 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-08-23 22:51 - 2012-09-23 10:18 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-23 22:51 - 2012-09-23 10:18 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-23 22:49 - 2012-09-23 10:18 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-23 22:48 - 2012-09-23 10:18 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-23 22:47 - 2012-09-23 10:18 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-23 22:47 - 2012-09-23 10:18 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-08-23 22:47 - 2012-09-23 10:18 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-08-23 22:45 - 2012-09-23 10:18 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-08-23 22:44 - 2012-09-23 10:18 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-23 22:44 - 2012-09-23 10:18 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-23 22:43 - 2012-09-23 10:18 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-23 22:40 - 2012-09-23 10:18 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-22 10:12 - 2012-09-12 20:13 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-08-22 10:12 - 2012-09-12 20:13 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-08-22 10:12 - 2012-09-12 20:13 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-08-21 15:16 - 2009-07-13 20:45 - 00276072 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-01 15:07 - 2012-08-01 15:07 - 00275584 ____A C:\Windows\Minidump\080112-44943-01.dmp
2012-07-26 02:21 - 2012-07-26 02:21 - 00291680 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgldx64.sys


ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-24 13:27:15
Restore point made on: 2012-09-27 16:02:18
Restore point made on: 2012-09-27 16:45:48
Restore point made on: 2012-10-02 16:33:07
Restore point made on: 2012-10-03 20:56:32
Restore point made on: 2012-10-04 13:07:48
Restore point made on: 2012-10-04 15:49:45
Restore point made on: 2012-10-07 14:13:09
Restore point made on: 2012-10-09 11:03:53
Restore point made on: 2012-10-09 12:33:55
Restore point made on: 2012-10-11 17:42:52
Restore point made on: 2012-10-11 18:19:08
Restore point made on: 2012-10-15 11:45:59
Restore point made on: 2012-10-16 11:22:43

==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 3562.9 MB
Available physical RAM: 2885.22 MB
Total Pagefile: 3561.05 MB
Available Pagefile: 2879.3 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:450.73 GB) (Free:397.79 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (RECOVERY) (Fixed) (Total:14.73 GB) (Free:1.63 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
5 Drive h: () (Removable) (Total:3.79 GB) (Free:3.79 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.25 GB) (Free:0.25 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 3892 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 450 GB 200 MB
Partition 3 Primary 14 GB 450 GB
Partition 4 Primary 103 MB 465 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 450 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E RECOVERY NTFS Partition 14 GB Healthy

=========================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F HP_TOOLS FAT32 Partition 103 MB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3891 MB 400 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H FAT32 Removable 3891 MB Healthy

=========================================================

Last Boot: 2012-03-04 16:29

==================== End Of Log =============================

Please, can anyone help me... Attached file: FRST.txt

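The log above singles out C:\Windows\svchost.exe, and the reason is location rather than name: svchost.exe ships in System32 and SysWOW64, so a copy sitting directly in C:\Windows carries the file name of a trusted process without its path. The company string FRST prints in parentheses comes from the file's version resource, which any file can claim, so it is not evidence on its own. The following Python is an added example, not code from the original post or from FRST, that applies that path rule to FRST "Created Files" lines. The sample lines are copied from the poster's log; the table of canonical directories is an assumption about a stock Windows 7 x64 install on C:.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Optional

# Layout of one FRST "Created/Modified Files" line:
#   <created> - <modified> - <size> <attrs> [(<company>)] <path>
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S+) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>\S.*?)\s*$"
)

# Directories where each core Windows process image legitimately lives.
# Assumption for this example: a stock Windows 7 x64 installation on C:.
CANONICAL_DIRS = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "winlogon.exe": {r"c:\windows\system32"},
    "wininit.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "services.exe": {r"c:\windows\system32"},
    "userinit.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe":    {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
}

@dataclass
class FrstEntry:
    created: datetime
    modified: datetime
    size: int
    attrs: str              # FRST flag string, e.g. ____A, ____D, ___AH
    company: Optional[str]  # version-resource CompanyName, or None
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

def parse_line(line: str) -> Optional[FrstEntry]:
    """Parse one file/folder line; return None for headers and blank lines."""
    m = FRST_LINE.match(line)
    if not m:
        return None
    company = m["company"]
    return FrstEntry(
        created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
        modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
        size=int(m["size"]),
        attrs=m["attrs"],
        company=company.strip() if company else None,
        path=m["path"],
    )

def suspicious_reasons(e: FrstEntry) -> list[str]:
    """Why this entry deserves a closer look; an empty list means nothing found."""
    reasons: list[str] = []
    if e.is_dir:
        return reasons
    p = PureWindowsPath(e.path)
    name, parent = p.name.lower(), str(p.parent).lower()
    expected = CANONICAL_DIRS.get(name)
    if expected is not None and parent not in expected:
        reasons.append(f"{name} outside its canonical directory: {parent}")
        # A dropped copy keeps the source file's modification time but gets
        # a fresh creation time; on a misplaced core binary that is one more
        # sign the file was put there rather than installed.
        if e.modified < e.created:
            reasons.append("modification time predates creation time (copied into place)")
    return reasons

def scan(log_text: str) -> dict[str, list[str]]:
    """Map each flagged path to its reasons, over every parsable line."""
    findings: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            reasons = suspicious_reasons(e)
            if reasons:
                findings[e.path] = reasons
    return findings

# Sample input: lines copied from the FRST log in the post above.
SAMPLE_LOG = r"""
==================== One Month Created Files and Folders ========

2012-10-16 13:02 - 2012-10-16 13:02 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-09-23 15:16 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-09-23 12:10 - 2012-09-23 12:10 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\jessica\Downloads\mbam-setup-1.65.0.1400.exe
2012-09-23 10:18 - 2012-08-24 03:15 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-09-23 21:22 - 2009-07-13 20:45 - 00032064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
"""

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample above only C:\Windows\svchost.exe is reported, with both reasons; the IE update DLLs under System32 also have modification times older than their creation times, which is normal for patched system files, so that timestamp check is deliberately applied only after the path check has already fired.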
#2 JSntgRvr (Global Moderator)

Welcome!

Step one:

Download MBRFix from here.

Save and extract its contents to the working computer's desktop. There are three files in the MBRFix folder. From these, only copy the MBRFix64.exe to the USB drive.

Also download the enclosed file and save it to the USB drive. Attached file: fixlist.txt

Insert the USB drive into the ailing computer.

Now please enter System Recovery Options and run FRST64 as you did before, except that this time around, press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt). It will also create a file labeled MBRDUMP.txt. Copy and paste the contents of the Fixlog.txt in your next reply, but attach the MBRDUMP.txt as it is a hex file.

Step two:

For x64 systems please download Listparts64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\ListParts.exe (for x64 bit version type e:\ListParts64.exe) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Put check mark on List BCD.
  • Press Scan button.
  • It will make a log (Result.txt) in the flash drive. Please copy and paste it to your reply.


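The two steps above produce an MBR dump and a partition listing, and the point of collecting both is to compare them. The following Python is an added example, not code from this post, from FRST or from MBRFix, showing what that comparison looks like: it parses a raw 512-byte MBR, verifies the 0x55AA signature, checks that exactly one entry carries the boot flag and that no entries overlap, and then diffs the table slot by slot against the diskpart output in the poster's log. The expected sector counts are constructed to reproduce the MB/GB figures shown there (the real values would come from ListParts or diskpart), both MBR images are built inside the script, and the "tampered" image is a hypothetical illustration of what a mismatch looks like, not a description of this machine's infection.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

SECTOR = 512                  # bytes per sector; the log's diskpart figures assume this
TABLE_OFFSET = 446            # four 16-byte partition entries start here
CHS_UNUSED = b"\xfe\xff\xff"  # CHS fields are ignored on LBA-addressed disks

@dataclass(frozen=True)
class PartEntry:
    index: int        # slot 1..4 in the MBR table
    active: bool      # 0x80 boot flag set
    type_id: int      # partition type byte (07 = NTFS, 0C = FAT32 LBA)
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors   # exclusive

def parse_mbr(mbr: bytes) -> list[PartEntry]:
    """Read the four-slot partition table from one raw 512-byte MBR."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        off = TABLE_OFFSET + 16 * slot
        status, type_id, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if type_id == 0 and count == 0:
            continue                              # empty slot
        entries.append(PartEntry(slot + 1, status == 0x80, type_id, lba, count))
    return entries

def build_mbr(entries: list[PartEntry], disk_sig: int = 0x0BADCAFE) -> bytes:
    """Assemble a constructed MBR with empty boot code; used only for the samples."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, 440, disk_sig)    # NT disk signature (arbitrary here)
    for e in entries:
        struct.pack_into("<B3sB3sII", mbr, TABLE_OFFSET + 16 * (e.index - 1),
                         0x80 if e.active else 0x00, CHS_UNUSED,
                         e.type_id, CHS_UNUSED, e.lba_start, e.sectors)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def audit(mbr: bytes, expected: list[PartEntry]) -> list[str]:
    """Structural checks plus a slot-by-slot diff against what diskpart reported."""
    problems = []
    entries = parse_mbr(mbr)
    active = [e for e in entries if e.active]
    if len(active) != 1:
        problems.append(f"{len(active)} active partitions, expected exactly one")
    by_start = sorted(entries, key=lambda e: e.lba_start)
    for a, b in zip(by_start, by_start[1:]):
        if a.lba_end > b.lba_start:
            problems.append(f"slot {a.index} overlaps slot {b.index}")
    got = {e.index: e for e in entries}
    want = {e.index: e for e in expected}
    for slot in sorted(set(got) | set(want)):
        if got.get(slot) != want.get(slot):
            problems.append(f"slot {slot}: MBR has {got.get(slot)}, diskpart showed {want.get(slot)}")
    return problems

# Disk 0 as the poster's diskpart output describes it. The sector counts are
# constructed to reproduce the MB/GB figures in the log (199 MB @ 1024 KB,
# 450 GB @ 200 MB, 14 GB @ 450 GB, 103 MB @ 465 GB); the exact values on the
# real disk would come from ListParts or diskpart.
EXPECTED = [
    PartEntry(1, True,  0x07, 2_048,       407_552),      # SYSTEM (y:), active
    PartEntry(2, False, 0x07, 409_600,     945_248_256),  # Windows (c:)
    PartEntry(3, False, 0x07, 945_657_856, 30_892_032),   # RECOVERY (e:)
    PartEntry(4, False, 0x0C, 976_549_888, 210_944),      # HP_TOOLS (f:)
]
GOOD_MBR = build_mbr(EXPECTED)

# Hypothetical tampering for illustration only: the boot flag moved from the
# SYSTEM partition to the last slot. Not a claim about this machine.
TAMPERED = [PartEntry(e.index, e.index == 4, e.type_id, e.lba_start, e.sectors)
            for e in EXPECTED]
TAMPERED_MBR = build_mbr(TAMPERED)

if __name__ == "__main__":
    for label, image in (("expected layout", GOOD_MBR), ("tampered layout", TAMPERED_MBR)):
        print(label, "->", audit(image, EXPECTED) or "partition table matches diskpart")
```

If the dump you receive is hex text, bytes.fromhex() over its hex digits gives the 512 bytes to pass to audit(). Two limits are worth stating: the check covers only the partition table, and the boot code in the first 440 bytes, which an MBR bootkit replaces, has to be compared against a known-good copy separately; and a partition table that matches diskpart says nothing about the BCD entry FRST flagged on drive y:, which is what the List BCD option in ListParts is for.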