Rootkit Removed Now Only Safe Mode Boot Vista [Solved]


  • This topic is locked

#31
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,989 posts
This topic has been moved because the problem is no longer malware related.

pleased123's machine boots to a blue screen with an error message.

So I restarted, and now normal boot goes to a blue screen every time (stop 0x0000007E), and safe mode works.


Any help of a technical nature gratefully received. :)
  • 0

#32
The Admiral

    Trusted Tech

  • Technician
  • 1,067 posts
Good morning, pleased123, and thanks for your patience working with emeraldnzl! He's asked our tech staff to take a closer look at this one... so here I am! :ph34r:

When your computer bluescreens, it often dumps a ton of information into a little file. This file contains information about what was running on the computer, what caused the bluescreen, and why it happened. These dump files can be found in C:/Windows/minidump. Could you grab the two most recent files in that folder and attach them to your next reply?

Our guess is that Bitdefender might have touched a system file or driver in the process of cleaning off the rootkit. If these dump files are helpful, they may point to a specific driver that we can reinstall in Safe Mode.

I look forward to hearing back from you! :thumbsup:
  • 0

#33
pleased123

    Member

  • Topic Starter
  • Member
  • 21 posts
First off thank you for your patience and time. The minidump file is empty.
  • 0

#34
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,989 posts
Hello pleased123,

One of my colleagues has reminded me of something I should have thought of.

I wonder if we can find the information The Admiral was looking for another way.

See if you can find the Bitdefender logs that covered the time it found the infection. They should show whatever files Bitdefender did things to.

The link below takes you to a page with instructions on how to access them:

http://www.bitdefend...ected-1012.html

See if you can copy them and paste (highlight the text and then copy (Ctrl +C) and paste (Ctrl +V)) the information back here.
  • 0

#35
pleased123

    Member

  • Topic Starter
  • Member
  • 21 posts
I had uninstalled Bitdefender shortly after the blue screen occurred.
  • 0

#36
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,989 posts

I had uninstalled Bitdefender shortly after the blue screen occurred.


That won't work then lol.

Another colleague has suggested we get some Boot Configuration Data that might help us.

To do this, restart your computer tapping F10; you should find yourself at a black screen showing Edit Boot Options at the top.

Write down what you see there, especially the bit between the brackets.

Hit Esc and then Enter to finish booting your computer up.

Post the information back here.
  • 0

#37
pleased123

    Member

  • Topic Starter
  • Member
  • 21 posts
the brackets read: [ /noexecute=optin /minint ]
  • 0

#38
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,989 posts
That should read /NOEXECUTE=OPTIN.

Caused by the infection.

I will move this back to the Malware Forum.

Thank you for your help, The Admiral.

Now

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will create a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
  • 0

#39
pleased123

    Member

  • Topic Starter
  • Member
  • 21 posts
Yes!!! Thank you, my computer boots in normal mode fine and runs well when /minint is erased, but it comes back after each boot. Here's the log you asked for:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-10-2012
Ran by SYSTEM at 24-10-2012 16:10:58
Running from F:\
Windows Vista ™ Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [x]
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1657128 2008-11-11] (Synaptics, Inc.)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [2041112 2008-09-26] (Dell Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe [4119552 2008-12-22] (Dell Inc.)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [15871520 2009-03-16] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [82464 2009-03-16] (NVIDIA Corporation)
HKLM\...\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start [89120 2009-03-16] (NVIDIA Corporation)
HKLM\...\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray64.exe [x]
HKLM\...\Run: [Bdagent] C:\Program Files\Bitdefender\Bitdefender 2013\bdagent.exe [x]
HKLM-x32\...\Run: [FATrayAlert] C:\Program Files (x86)\Sensible Vision\Fast Access\FATrayMon.exe [95496 2009-05-24] (Sensible Vision )
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [250192 2009-04-24] (Microsoft Corporation)
HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [128232 2009-02-04] (CyberLink Corp.)
HKLM-x32\...\Run: [FAStartup] [x]
HKLM-x32\...\Run: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin [611712 2008-08-14] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe_ID0ENQBO] C:\PROGRA~2\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE [378224 2008-08-15] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime [421888 2011-01-13] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2011-06-07] (Apple Inc.)
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [766536 2012-09-29] (Malwarebytes Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254896 2012-09-17] (Sun Microsystems, Inc.)
HKU\Mcx1\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\Mcx1\...\Run: [AdobeBridge] [x]
HKU\Mcx1\...\Run: [Tor VM] "C:\Program Files (x86)\Tor VM\torvm.exe --bundle" [x]
HKU\Mcx1\...\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe [x]
HKU\Mcx1\...\Winlogon: [Shell] C:\Windows\eHome\McrMgr.exe [196608 2009-04-10] (Microsoft Corporation)
HKU\Mcx2\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\Mcx2\...\Run: [AdobeBridge] [x]
HKU\Mcx2\...\Run: [Tor VM] "C:\Program Files (x86)\Tor VM\torvm.exe --bundle" [x]
HKU\Mcx2\...\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe [x]
HKU\Mcx2\...\Winlogon: [Shell] C:\Windows\eHome\McrMgr.exe [196608 2009-04-10] (Microsoft Corporation)
HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2011-10-05] (Dell)
Tcpip\Parameters: [DhcpNameServer] 10.255.216.1
Lsa: [Notification Packages] scecli FAPassSync
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Matt\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Mcx1\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Mcx2\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Tor\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Services (Whitelisted) ===================

3 Adobe Version Cue CS4; "C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe" -win32service [284016 2008-08-15] (Adobe Systems Incorporated)
2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [75064 2011-08-30] ()
2 wltrysvc; C:\Windows\System32\WLTRYSVC.EXE C:\Windows\System32\bcmwltry.exe [3051520 2008-12-22] (Dell Inc.)
4 BdDesktopParental; C:\Program Files\Bitdefender\Bitdefender 2013\bdparentalservice.exe [x]
2 SafeBox; C:\Program Files\Bitdefender\Bitdefender SafeBox\safeboxservice.exe [x]
2 UPDATESRV; "C:\Program Files\Bitdefender\Bitdefender 2013\updatesrv.exe" /service [x]
2 VSSERV; "C:\Program Files\Bitdefender\Bitdefender 2013\vsserv.exe" /service [x]

==================== Drivers (Whitelisted) =====================

3 avchv; C:\Windows\System32\Drivers\avchv.sys [258736 2011-11-25] (BitDefender)
3 BDSandBox; C:\Windows\System32\Drivers\BDSandBox.sys [82384 2012-08-23] (BitDefender SRL)
3 epmntdrv; \??\C:\Windows\system32\epmntdrv.sys [16776 2011-03-24] ()
3 EuGdiDrv; \??\C:\Windows\system32\EuGdiDrv.sys [9096 2011-03-24] ()
0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2009-12-13] (Duplex Secure Ltd.)
3 TORNPF; C:\Windows\SysWow64\Drivers\TORNPF.sys [27264 2010-05-26] (The Tor Project, Inc.)
0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [x]
3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [x]
1 BdfNdisf; \??\c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys [x]
1 bdftdif; \??\C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdftdif.sys [x]
1 BDVEDISK; C:\Windows\System32\DRIVERS\bdvedisk.sys [x]
3 cpuz130; \??\C:\Users\Matt\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
0 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
0 trufos; C:\Windows\System32\DRIVERS\trufos.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-10-24 16:10 - 2012-10-24 16:10 - 00000000 ____D C:\FRST
2012-10-24 12:03 - 2012-10-24 12:03 - 01459119 ____A (Farbar) C:\Users\Matt\Downloads\FRST64.exe
2012-10-24 04:53 - 2012-08-29 03:40 - 04699520 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-10-24 04:24 - 2012-10-24 04:24 - 00001550 ____A C:\Users\All Users\1351081469.bdinstall.bin
2012-10-24 04:24 - 2012-10-24 04:24 - 00001550 ____A C:\Users\All Users\1351081444.bdinstall.bin
2012-10-24 04:17 - 2012-09-24 11:23 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-10-24 04:17 - 2012-09-24 11:23 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-10-24 04:17 - 2012-09-24 11:23 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-10-24 04:16 - 2012-10-24 04:17 - 00002982 ____A C:\Windows\SysWOW64\jupdate-1.6.0_37-b06.log
2012-10-24 04:11 - 2012-10-24 12:05 - 00176933 ____A C:\Windows\WindowsUpdate.log
2012-10-23 18:36 - 2012-10-23 18:36 - 00001550 ____A C:\Users\All Users\1351046178.bdinstall.bin
2012-10-23 18:36 - 2012-10-23 18:36 - 00001550 ____A C:\Users\All Users\1351046163.bdinstall.bin
2012-10-23 18:35 - 2012-10-23 18:35 - 00001550 ____A C:\Users\All Users\1351046148.bdinstall.bin
2012-10-20 21:01 - 2012-10-20 21:01 - 00000000 ____A C:\Users\Matt\sfcdetails.txt
2012-10-19 22:38 - 2012-10-19 22:43 - 00000000 ___SD C:\Confuse
2012-10-19 22:38 - 2012-10-19 22:38 - 00000000 ___SD C:\32788R22FWJFW
2012-10-19 18:33 - 2012-10-19 18:33 - 00208216 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\94528472.sys
2012-10-18 21:11 - 2012-10-18 21:11 - 00000372 ____A C:\Users\Matt\Documents - Shortcut.lnk
2012-10-18 19:02 - 2008-05-07 18:03 - 00303616 ____A ( ) C:\SetACL.exe
2012-10-18 18:49 - 2004-06-11 12:33 - 00290304 ____A (Microsoft Corporation) C:\subinacl.exe
2012-10-18 18:45 - 2012-10-18 18:45 - 00000207 ____A C:\Windows\tweaking.com-regbackup-MATT-PC-Microsoft®-Windows-Vista™-Home-Premium-(64-bit).dat
2012-10-18 14:44 - 2012-10-18 18:16 - 00000000 ____D C:\Program Files (x86)\NirSoft
2012-10-18 14:10 - 2012-10-19 22:43 - 00000000 ____D C:\Windows\erdnt
2012-10-18 13:42 - 2012-10-18 13:42 - 00000000 ____D C:\Users\Matt\AppData\Roaming\Bitdefender
2012-10-18 13:23 - 2012-10-18 13:29 - 00000000 ____D C:\JRT
2012-10-17 18:22 - 2012-10-17 18:22 - 00000020 ____A C:\Users\Matt\defogger_reenable
2012-10-17 18:08 - 2012-09-29 15:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-10-14 19:47 - 2012-10-14 19:48 - 00000473 ____A C:\Windows\System32\checkdnsid.xml
2012-10-12 21:24 - 2012-10-12 22:03 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-10-10 11:20 - 2012-09-13 05:45 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-10-10 11:20 - 2012-09-13 05:28 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2012-10-10 11:20 - 2012-08-24 08:07 - 00218624 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-10-10 11:20 - 2012-08-24 07:53 - 00172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-10-10 11:20 - 2012-06-01 16:20 - 01268736 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-10-10 11:20 - 2012-06-01 16:20 - 00174592 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-10-10 11:20 - 2012-06-01 16:20 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-10-10 11:20 - 2012-06-01 16:02 - 00985088 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-10-10 11:20 - 2012-06-01 16:02 - 00133120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-10-10 11:20 - 2012-06-01 16:02 - 00098304 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-10-06 22:39 - 2012-10-11 18:10 - 00000264 ____A C:\Users\Matt\Documents\schedule.txt
2012-10-05 18:46 - 2012-10-05 18:46 - 00000385 ____A C:\Users\Matt\AppData\Roaminguser_gensett.xml
2012-10-04 22:26 - 2012-10-06 22:40 - 00000054 ____A C:\Users\Matt\Documents\clothes.txt

==================== 3 Months Modified Files ==================

2012-10-24 12:05 - 2012-10-24 04:11 - 00176933 ____A C:\Windows\WindowsUpdate.log
2012-10-24 12:05 - 2009-09-03 17:33 - 00005332 ____A C:\Windows\bthservsdp.dat
2012-10-24 12:05 - 2006-11-02 07:42 - 00032630 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-10-24 12:05 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-24 12:05 - 2006-11-02 07:22 - 00003616 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-24 12:05 - 2006-11-02 07:22 - 00003616 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-24 12:03 - 2012-10-24 12:03 - 01459119 ____A (Farbar) C:\Users\Matt\Downloads\FRST64.exe
2012-10-24 12:01 - 2006-11-02 04:46 - 00703516 ____A C:\Windows\System32\PerfStringBackup.INI
2012-10-24 11:57 - 2011-11-29 17:07 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-10-24 11:57 - 2009-08-26 21:14 - 00092136 ____A C:\Users\All Users\nvModes.dat
2012-10-24 11:57 - 2009-08-26 21:14 - 00092136 ____A C:\Users\All Users\nvModes.001
2012-10-24 11:40 - 2011-11-29 17:07 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-10-24 04:24 - 2012-10-24 04:24 - 00001550 ____A C:\Users\All Users\1351081469.bdinstall.bin
2012-10-24 04:24 - 2012-10-24 04:24 - 00001550 ____A C:\Users\All Users\1351081444.bdinstall.bin
2012-10-24 04:22 - 2009-08-19 11:36 - 00105960 ____A C:\Users\Matt\AppData\Local\GDIPFONTCACHEV1.DAT
2012-10-24 04:22 - 2006-11-02 07:21 - 02996408 ____A C:\Windows\System32\FNTCACHE.DAT
2012-10-24 04:17 - 2012-10-24 04:16 - 00002982 ____A C:\Windows\SysWOW64\jupdate-1.6.0_37-b06.log
2012-10-23 18:36 - 2012-10-23 18:36 - 00001550 ____A C:\Users\All Users\1351046178.bdinstall.bin
2012-10-23 18:36 - 2012-10-23 18:36 - 00001550 ____A C:\Users\All Users\1351046163.bdinstall.bin
2012-10-23 18:35 - 2012-10-23 18:35 - 00001550 ____A C:\Users\All Users\1351046148.bdinstall.bin
2012-10-22 21:08 - 2009-08-19 13:23 - 00008268 ____A C:\Users\Matt\AppData\Local\d3d9caps.dat
2012-10-21 20:11 - 2009-08-19 13:20 - 00001460 ____A C:\Users\Matt\AppData\Local\d3d9caps64.dat
2012-10-21 19:41 - 2009-08-20 11:46 - 00000936 ____A C:\Users\Matt\AppData\Roaming\wklnhst.dat
2012-10-20 21:01 - 2012-10-20 21:01 - 00000000 ____A C:\Users\Matt\sfcdetails.txt
2012-10-19 18:33 - 2012-10-19 18:33 - 00208216 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\94528472.sys
2012-10-18 21:11 - 2012-10-18 21:11 - 00000372 ____A C:\Users\Matt\Documents - Shortcut.lnk
2012-10-18 19:03 - 2011-01-26 20:16 - 00703516 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-10-18 18:45 - 2012-10-18 18:45 - 00000207 ____A C:\Windows\tweaking.com-regbackup-MATT-PC-Microsoft®-Windows-Vista™-Home-Premium-(64-bit).dat
2012-10-17 18:22 - 2012-10-17 18:22 - 00000020 ____A C:\Users\Matt\defogger_reenable
2012-10-14 19:48 - 2012-10-14 19:47 - 00000473 ____A C:\Windows\System32\checkdnsid.xml
2012-10-11 18:10 - 2012-10-06 22:39 - 00000264 ____A C:\Users\Matt\Documents\schedule.txt
2012-10-11 16:38 - 2012-09-17 11:35 - 00005160 ____A C:\Windows\System32\spsys.log
2012-10-10 11:29 - 2006-11-02 04:35 - 65309168 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-10-06 22:40 - 2012-10-04 22:26 - 00000054 ____A C:\Users\Matt\Documents\clothes.txt
2012-10-05 18:46 - 2012-10-05 18:46 - 00000385 ____A C:\Users\Matt\AppData\Roaminguser_gensett.xml
2012-09-29 15:54 - 2012-10-17 18:08 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-27 12:45 - 2012-09-17 20:03 - 00000376 ____A C:\Users\Matt\AppData\Roamingprivacy.xml
2012-09-24 11:32 - 2012-09-03 10:27 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-09-24 11:32 - 2010-05-19 09:47 - 00473072 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-09-24 11:23 - 2012-10-24 04:17 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-09-24 11:23 - 2012-10-24 04:17 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-09-24 11:23 - 2012-10-24 04:17 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-09-17 11:35 - 2012-09-17 11:35 - 00000385 ____A C:\Windows\System32\user_gensett.xml
2012-09-17 11:13 - 2012-09-17 11:13 - 00000000 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2012-09-17 11:13 - 2012-09-17 11:13 - 00000000 ____A C:\Windows\System32\Drivers\Msft_Kernel_avchv_01009.Wdf
2012-09-17 11:04 - 2011-01-26 20:16 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-13 05:45 - 2012-10-10 11:20 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-09-13 05:28 - 2012-10-10 11:20 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2012-08-29 03:40 - 2012-10-24 04:53 - 04699520 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-08-24 08:07 - 2012-10-10 11:20 - 00218624 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-08-24 07:53 - 2012-10-10 11:20 - 00172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-08-24 03:15 - 2012-09-22 05:56 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-24 02:39 - 2012-09-22 05:56 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-24 02:31 - 2012-09-22 05:56 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-24 02:22 - 2012-09-22 05:56 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-24 02:21 - 2012-09-22 05:56 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-24 02:20 - 2012-09-22 05:56 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-24 02:18 - 2012-09-22 05:56 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-24 02:17 - 2012-09-22 05:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-24 02:14 - 2012-09-22 05:56 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-24 02:14 - 2012-09-22 05:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-24 02:13 - 2012-09-22 05:56 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-24 02:12 - 2012-09-22 05:56 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-24 02:11 - 2012-09-22 05:56 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-24 02:10 - 2012-09-22 05:56 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-24 02:09 - 2012-09-22 05:56 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-24 02:04 - 2012-09-22 05:56 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-23 23:27 - 2012-09-22 05:56 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-23 23:03 - 2012-09-22 05:56 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-23 22:59 - 2012-09-22 05:56 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-08-23 22:51 - 2012-09-22 05:56 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-08-23 22:51 - 2012-09-22 05:56 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-23 22:51 - 2012-09-22 05:56 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-23 22:49 - 2012-09-22 05:56 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-23 22:48 - 2012-09-22 05:56 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-23 22:47 - 2012-09-22 05:56 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-23 22:47 - 2012-09-22 05:56 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-08-23 22:47 - 2012-09-22 05:56 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-08-23 22:45 - 2012-09-22 05:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-08-23 22:44 - 2012-09-22 05:56 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-23 22:44 - 2012-09-22 05:56 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-23 22:43 - 2012-09-22 05:56 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-23 22:40 - 2012-09-22 05:56 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-23 13:07 - 2012-09-17 11:12 - 00082384 ____A (BitDefender SRL) C:\Windows\System32\Drivers\bdsandbox.sys
2012-08-13 10:25 - 2012-08-13 10:08 - 00173295 ____A C:\Windows\hpoins46.dat
2012-08-13 10:25 - 2012-08-13 10:08 - 00000807 ____A C:\Users\All Users\hpzinstall.log
2012-07-29 16:36 - 2012-07-29 16:36 - 00012180 ____A C:\Users\Matt\AppData\Local\dd_vcredistUI61F4.txt
2012-07-29 16:36 - 2012-07-29 16:36 - 00011442 ____A C:\Users\Matt\AppData\Local\dd_vcredistUI61F5.txt
2012-07-29 16:36 - 2012-07-29 16:36 - 00001812 ____A C:\Users\Matt\AppData\Local\dd_vcredistMSI61F4.txt
2012-07-29 16:27 - 2012-07-29 16:18 - 00000368 ____A C:\Users\All Users\7mSoL6lNbSg5Tb
2012-07-29 16:27 - 2012-07-29 16:18 - 00000064 ____A C:\Users\All Users\-7mSoL6lNbSg5Tbr
2012-07-29 16:27 - 2012-07-29 16:18 - 00000064 ____A C:\Users\All Users\-7mSoL6lNbSg5Tb


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-10-24 04:16:48
Restore point made on: 2012-10-24 04:53:54

==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 3838.36 MB
Available physical RAM: 3085.13 MB
Total Pagefile: 3836.51 MB
Available Pagefile: 3097.89 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:104.15 GB) (Free:9.54 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:15 GB) (Free:8.24 GB) NTFS
3 Drive e: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.25 GB) (Free:0 GB) UDF
4 Drive f: (BLUEUSB) (Removable) (Total:3.74 GB) (Free:3.73 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 119 GB 0 B
Disk 1 Online 3827 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 94 MB 31 KB
Partition 2 Primary 15 GB 95 MB
Partition 3 Primary 104 GB 15 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 FAT Partition 94 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D RECOVERY NTFS Partition 15 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 104 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3826 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F BLUEUSB FAT32 Removable 3826 MB Healthy

=========================================================

Last Boot: 2012-10-24 12:02

==================== End Of Log =============================
  • 0
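An added triage helper (example code written for this page, not FRST's own and not from any participant) that reads an FRST log in the format pleased123 posted and pulls out what the helpers here scan for by hand: the ATTENTION findings (the TDL4 line), whitelisted services and drivers whose files FRST marks [x] as missing (the Bitdefender leftovers after the uninstall), the boot- or system-start drivers among them, drivers loading from outside the Windows system directories, and any MD5 check that is not "legit". It also compares an Edit Boot Options string such as the one in post #37 against an assumed baseline; the embedded sample log is a constructed excerpt.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) logs.
Added example for this thread; not FRST's own code and not from any post here.
It parses the plain-text format posted above: '==== Section ====' headers,
'N Name; path [size date] (Vendor)' service/driver lines, the '[x]' marker FRST
prints when the referenced file is missing, the 'path => MD5 ...' check lines,
and the '<===== ATTENTION!' suffix FRST appends to findings such as the TDL4 line."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the log posted above, not the full log.
SAMPLE_LOG = r"""
==================== Services (Whitelisted) ===================
2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [75064 2011-08-30] ()
2 VSSERV; "C:\Program Files\Bitdefender\Bitdefender 2013\vsserv.exe" /service [x]

==================== Drivers (Whitelisted) =====================
0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2009-12-13] (Duplex Secure Ltd.)
0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [x]
3 cpuz130; \??\C:\Users\Matt\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]

==================== Bamital & volsnap Check =================
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
TDL4: custom:26000022 <===== ATTENTION!

==================== End Of Log =============================
"""

SECTION_RE = re.compile(r"^=+\s+(.+?)\s+=+$")
ENTRY_RE = re.compile(
    r"^(?P<start>[0-4]) (?P<name>[^;]+); (?P<path>.+?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<vendor>[^)]*)\)| (?P<missing>\[x\]))$"
)
MD5_RE = re.compile(r"^(?P<path>.+?) => MD5 (?P<verdict>.+)$")
ATTENTION = "<===== ATTENTION!"
# Kernel drivers normally load from one of these two directories.
SYSTEM_DRIVER_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
# Assumed baseline for the Edit Boot Options check: the one switch that belonged on
# the machine in the thread. /minint (WinPE mode) was the switch found injected.
EXPECTED_BOOT_OPTIONS = {"/noexecute=optin"}


@dataclass
class Entry:
    section: str
    start: int     # 0 boot start, 1 system start, 2 auto, 3 manual, 4 disabled
    name: str
    path: str      # normalised: quotes and arguments dropped, \??\ removed, lower-case
    missing: bool  # FRST printed [x]: file not found on disk
    vendor: str    # "" when FRST found no version information


@dataclass
class Triage:
    attention: list[str] = field(default_factory=list)
    missing_files: list[Entry] = field(default_factory=list)
    early_start_missing: list[Entry] = field(default_factory=list)
    drivers_outside_system: list[Entry] = field(default_factory=list)
    md5_not_legit: list[str] = field(default_factory=list)


def normalize_path(raw: str) -> str:
    path = raw.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]  # keep the quoted image path, drop arguments
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_frst(text: str) -> Triage:
    triage = Triage()
    section = ""
    for line in (l.rstrip() for l in text.splitlines()):
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
            continue
        if line.endswith(ATTENTION):
            triage.attention.append(line[: -len(ATTENTION)].strip())
            continue
        if m := MD5_RE.match(line):
            if m.group("verdict") != "is legit":
                triage.md5_not_legit.append(m.group("path"))
            continue
        m = ENTRY_RE.match(line)
        if not m or not section.startswith(("Services", "Drivers")):
            continue
        entry = Entry(section, int(m.group("start")), m.group("name"), normalize_path(m.group("path")),
                      m.group("missing") is not None, m.group("vendor") or "")
        if entry.missing:
            triage.missing_files.append(entry)
            if entry.start <= 1:  # loads before most security software can look at it
                triage.early_start_missing.append(entry)
        if section.startswith("Drivers") and not any(d in entry.path for d in SYSTEM_DRIVER_DIRS):
            triage.drivers_outside_system.append(entry)
    return triage


def unexpected_boot_options(edit_boot_options: str) -> list[str]:
    """Switches in an Edit Boot Options string ('[ /a /b ]') that are not in the baseline."""
    switches = edit_boot_options.strip().strip("[]").lower().split()
    return [s for s in switches if s not in EXPECTED_BOOT_OPTIONS]
```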

#40
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,989 posts
Hello again pleased123,

Open notepad.

Please copy the contents of the code box below.

To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

Save it on the flashdrive as fixlist.txt

    start
    cmd: bootrec /FixMbr
    TDL4: custom:26000022 <===== ATTENTION!
    end

This Registry file is specifically written for the infection on this person's computer. It should NOT be used on another machine. It may cause serious damage, even to the point of rendering the computer unusable.

Please enter System Recovery Options, as we've done previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.
  • 0

#41
pleased123

    Member

  • Topic Starter
  • Member
  • 21 posts
Computer booted normally!!! Here is the log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-10-2012
Ran by SYSTEM at 2012-10-24 19:54:29 Run:1
Running from F:\

==============================================


========= bootrec /FixMbr =========

The operation completed successfully.

========= End of CMD: =========


The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====
  • 0

#42
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,989 posts
I am traveling using my phone so just to say glad it's booting ok. I will get back to you with clean up instructions when I get computer connection.
  • 0

#43
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,989 posts
Hello pleased123,

Looks good to me now. :thumbsup:

We have a couple of last steps to perform and then you're all set.

Follow these steps to uninstall Combofix and tools used in the removal of malware. This will also clean out and reset your Restore Points.
  • Go to Start > Programs > Accessories and click on Run
  • Copy and paste the bolded text below in the box then hit OK

    Combofix /Uninstall

Delete any tools left on your desktop.
-------------------------------------------------------------------------------------------------------------------

A reminder: Remember to (re-install if uninstalled during cleaning) update and turn back on any anti-malware programs you may have turned off during the cleaning process.
-------------------------------------------------------------------------------------------------------------------

Here are some things that I think are worth having a look at if you don't already know about them:

---------------------------------------------------------------------------------------------------------------------

It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article: Strong passwords: How to create and use them.

----------------------------------------------------------------------------------------------------------------------

Regularly check that your Java is up to date. Older versions are vulnerable to malicious attack.

  • Download Java for Windows

    Reboot your computer.
    You also need to uninstall older versions of Java.
  • Click Start > Control Panel > Add or Remove Programs
  • Remove all Java updates except the latest one you have just installed.
--------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future:

  • If you do not already have automatic updates set then it is recommended that you do set Windows to check, download and install your updates automatically.

    * Click Start > Control Panel > System and Security > Windows Update
    * Under Windows Update click on Turn automatic updating on or off
    * Check items shown to ensure you receive updates automatically. Click OK.

    To keep your system clean, consider choosing from these free-for-home-use malware scanners, updating and running them weekly.
  • Malwarebytes
  • SuperAntiSpyWare
Be aware of what emails you open and websites you visit.

Go here for some good advice about how to prevent infection.

A fun way to check your online safety literacy.

Quiz - getsafeonline

Have a safe and happy computing day!
  • 0

#44
pleased123

    Member

  • Topic Starter
  • Member
  • 21 posts
Thank you for all your help!!
  • 0

#45
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,989 posts

Thank you for all your help!!


You're welcome. :happy:

I will keep this topic open for a day or two in case any issues arise.
  • 0





