Arestocrat Lock Screen

#1
DaShonk (New Member, 3 posts)
I need a workaround for the Arestocrat Lock Screen virus.
I've attached the FARBAR FRST and Services search log files below for your reference.
Thanks in advance for your help!

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 08-05-2013
Ran by SYSTEM on 08-05-2013 13:23:26
Running from G:\
Windows 7 Professional (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [546712 2012-08-24] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe [495708 2010-05-26] (IDT, Inc.)
HKLM\...\Run: [IAStorIcon] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM\...\Run: [PNMService] c:\Program Files\Intel\IntelPNM\PNMService.exe [400896 2010-01-20] (Intel Corporation)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [5249024 2010-02-02] (Dell Inc.)
HKLM\...\Run: [] [x]
HKLM\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [38840 2010-09-23] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [640440 2010-09-22] (Adobe Systems Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM\...\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-06-24] (CyberLink Corp.)
HKLM\...\Run: [DellBtrEvent] D:\Program Files\Dell\Reader 2.1\DellBtrEvent.exe [x]
HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [121064 2011-03-25] (Trend Micro Inc.)
HKLM\...\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [79192 2011-02-18] (Research In Motion Limited)
HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-03-24] (Hewlett-Packard)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254896 2012-09-17] (Sun Microsystems, Inc.)
HKLM\...\Run: [DisplaySwitch] "C:\ProgramData\DisplaySwitch.exe" [90112 2013-05-06] (Hilgraeve, Inc.)
HKLM\...\Runonce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [x]
HKLM\...\Winlogon: [Shell] C:\ProgramData\DisplaySwitch.exe [x ] ()
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\822\G2AWinLogon.dll [X]
HKU\mattr.CORP\...\Run: [MobiLink3] C:\Program Files\Novatel Wireless\MobiLink3\MobiLink3.exe [ 2010-05-20] (Novatel Wireless Inc.)
HKU\mattr.CORP\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [ 2009-07-26] (Microsoft Corporation)
HKU\mattr.CORP\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized [ 2012-07-13] (Skype Technologies S.A.)

========================== Services (Whitelisted) =================

S2 Advanced Monitoring Agent; C:\Program Files\Advanced Monitoring Agent GP\winagent.exe [3517952 2013-02-25] (Remote Monitoring)
S2 Credential Vault Host Control Service; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [812448 2010-03-23] (Broadcom Corporation)
S2 Credential Vault Host Storage; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [27040 2010-03-23] (Broadcom Corporation)
S2 DvmMDES; D:\Program Files\Dell\Reader 2.1\DVMExportService.exe [327680 2010-05-04] (DeviceVM, Inc.)
S2 gfi_lanss11_attservice; C:\PROGRA~1\ADVANC~1\patchman\lnssatt.exe [118640 2012-07-17] (GFI Software Development Ltd.)
S2 InstallFilterService; C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [60928 2010-01-10] ()
S2 NvtlService; C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [88912 2010-05-20] ()
S3 PSEXESVC; C:\Windows\PSEXESVC.EXE [181064 2013-05-08] (Sysinternals)
S2 QDLService2kDell; C:\Program Files\QUALCOMM\QDLService2k\QDLService2kDell.exe [330488 2010-04-26] (QUALCOMM, Inc.)
S3 SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [79360 2010-10-04] (SolidWorks)
S2 STacSV; C:\Program Files\IDT\WDM\STacSV.exe [245842 2010-05-26] (IDT, Inc.)
S3 TmListen; C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe [677200 2010-12-03] (Trend Micro Inc.)
S2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [4539392 2010-02-02] (Dell Inc.)
S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=qb -dt=60000 [x]

==================== Drivers (Whitelisted) ====================

S3 Acceler; C:\Windows\System32\DRIVERS\Accelern.sys [42672 2010-01-18] (ST Microelectronics)
S3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2010-02-02] (Broadcom Corporation)
S3 cvusbdrv; C:\Windows\System32\Drivers\cvusbdrv.sys [33832 2009-10-30] (Broadcom Corporation)
S1 DVMIO; D:\Program Files\Dell\Reader 2.1\dvmio.sys [18320 2010-05-04] (DeviceVM, Inc.)
S3 NAL; C:\Windows\system32\Drivers\iqvw32.sys [30880 2010-02-02] (Intel Corporation )
S3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [25712 2013-01-29] (Microsoft Corporation)
S0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
S3 qcfilterdl2k; C:\Windows\System32\DRIVERS\qcfilterdl2k.sys [5248 2010-04-28] (QUALCOMM Incorporated)
S3 qcusbnetdl2k; C:\Windows\System32\DRIVERS\qcusbnetdl2k.sys [209408 2010-04-28] (QUALCOMM Incorporated)
S3 qcusbserdl2k; C:\Windows\System32\DRIVERS\qcusbserdl2k.sys [106880 2010-04-28] (QUALCOMM Incorporated)
S2 risdpcie; C:\Windows\System32\DRIVERS\risdpe86.sys [59904 2010-03-21] (REDC)
S3 rixdpcie; C:\Windows\system32\DRIVERS\rixdpe86.sys [38912 2010-03-21] (REDC)
S3 SIUSBXP; C:\Windows\System32\drivers\SiUSBXp.sys [14592 2010-01-06] (Silicon Laboratories)
S0 stdflt; C:\Windows\System32\DRIVERS\stdfltn.sys [17072 2010-01-18] (ST Microelectronics)
S2 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [81168 2011-02-25] (Trend Micro Inc.)
S2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [190736 2011-02-25] (Trend Micro Inc.)
S2 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [65296 2011-02-25] (Trend Micro Inc.)
S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [92112 2010-09-30] (Trend Micro Inc.)
S3 tmpfw;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-08 13:22 - 2013-05-08 13:22 - 00000000 ____D C:\FRST
2013-05-08 07:25 - 2013-05-08 07:25 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE
2013-05-08 07:25 - 2013-05-08 07:25 - 00002580 ____A C:\Users\administrator\Desktop\Rkill.txt
2013-05-08 07:03 - 2013-05-08 06:33 - 01752992 ____A (Bleeping Computer, LLC) C:\rkill.com
2013-05-08 07:03 - 2013-05-08 06:32 - 01752992 ____A (Bleeping Computer, LLC) C:\rkill.exe
2013-05-08 07:03 - 2013-05-08 06:32 - 01752992 ____A (Bleeping Computer, LLC) C:\iExplore.exe
2013-05-08 07:03 - 2013-05-08 06:27 - 05067786 ____A (Swearware) C:\ComboFix.exe
2013-05-08 07:03 - 2013-05-08 06:24 - 00791040 ____A C:\RogueKillerX64.exe
2013-05-08 07:03 - 2013-05-08 06:22 - 00602112 ____A (OldTimer Tools) C:\OTL.exe
2013-05-08 04:52 - 2013-05-08 04:52 - 00141624 ____A C:\Windows\Minidump\050813-14040-01.dmp
2013-05-08 04:43 - 2013-05-08 04:43 - 00141480 ____A C:\Windows\Minidump\050813-13759-01.dmp
2013-05-07 00:48 - 2013-05-07 00:48 - 00141480 ____A C:\Windows\Minidump\050713-15553-01.dmp
2013-05-07 00:46 - 2013-05-07 00:46 - 00141480 ____A C:\Windows\Minidump\050713-13353-01.dmp
2013-05-06 18:21 - 2013-05-08 04:52 - 212334905 ____A C:\Windows\MEMORY.DMP
2013-05-06 18:21 - 2013-05-08 04:52 - 00000000 ____D C:\Windows\Minidump
2013-05-06 18:21 - 2013-05-06 18:21 - 00141480 ____A C:\Windows\Minidump\050613-23696-01.dmp
2013-05-06 18:03 - 2013-05-06 18:03 - 00090112 ____A (Hilgraeve, Inc.) C:\ProgramData\DisplaySwitch.exe
2013-04-24 04:07 - 2013-04-12 05:45 - 01211752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-19 05:36 - 2013-04-24 04:33 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-04-11 04:45 - 2013-02-21 02:30 - 01766912 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-04-11 04:45 - 2013-02-21 02:30 - 01129984 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-04-11 04:45 - 2013-02-21 02:30 - 00042496 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-04-11 04:45 - 2013-02-21 02:29 - 14323200 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-04-11 04:45 - 2013-02-21 02:29 - 13761024 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-04-11 04:45 - 2013-02-21 02:29 - 02877440 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-04-11 04:45 - 2013-02-21 02:29 - 02046464 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-04-11 04:45 - 2013-02-21 02:29 - 00690688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-04-11 04:45 - 2013-02-21 02:29 - 00493056 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-04-11 04:45 - 2013-02-21 02:29 - 00391168 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-04-11 04:45 - 2013-02-21 02:29 - 00109056 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-04-11 04:45 - 2013-02-21 02:29 - 00061440 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-04-11 04:45 - 2013-02-21 02:29 - 00039424 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-04-11 04:45 - 2013-02-21 02:29 - 00033280 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-04-11 04:45 - 2013-02-19 04:01 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-04-11 04:45 - 2013-02-19 03:10 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-04-10 04:06 - 2013-03-18 21:04 - 03968856 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-04-10 04:06 - 2013-03-18 21:04 - 03913560 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-04-10 04:06 - 2013-03-18 20:48 - 00038912 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-04-10 04:06 - 2013-03-18 18:49 - 00069632 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-04-10 04:06 - 2013-02-28 19:09 - 02347008 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-04-10 04:06 - 2013-02-14 20:37 - 03217408 ____A (Microsoft Corporation) C:\Windows\System32\mstscax.dll
2013-04-10 04:06 - 2013-02-14 20:34 - 00131584 ____A (Microsoft Corporation) C:\Windows\System32\aaclient.dll
2013-04-10 04:06 - 2013-02-14 19:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\tsgqec.dll
2013-04-10 04:06 - 2013-01-23 20:47 - 00196328 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fvevol.sys

==================== One Month Modified Files and Folders ========

2013-05-08 13:22 - 2013-05-08 13:22 - 00000000 ____D C:\FRST
2013-05-08 07:36 - 2012-08-28 03:55 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-08 07:33 - 2010-10-28 06:04 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-08 07:25 - 2013-05-08 07:25 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE
2013-05-08 07:25 - 2013-05-08 07:25 - 00002580 ____A C:\Users\administrator\Desktop\Rkill.txt
2013-05-08 07:09 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-08 07:09 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-08 07:08 - 2011-10-04 04:02 - 00000000 ____D C:\Program Files\Advanced Monitoring Agent GP
2013-05-08 07:02 - 2010-10-28 06:04 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-08 07:02 - 2010-10-04 10:21 - 00000136 ____A C:\Windows\System32\config\netlogon.ftl
2013-05-08 07:02 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-08 07:01 - 2009-07-13 20:39 - 00114037 ____A C:\Windows\setupact.log
2013-05-08 06:54 - 2010-09-25 19:46 - 02502318 ____A C:\Windows\PFRO.log
2013-05-08 06:33 - 2013-05-08 07:03 - 01752992 ____A (Bleeping Computer, LLC) C:\rkill.com
2013-05-08 06:32 - 2013-05-08 07:03 - 01752992 ____A (Bleeping Computer, LLC) C:\rkill.exe
2013-05-08 06:32 - 2013-05-08 07:03 - 01752992 ____A (Bleeping Computer, LLC) C:\iExplore.exe
2013-05-08 06:27 - 2013-05-08 07:03 - 05067786 ____A (Swearware) C:\ComboFix.exe
2013-05-08 06:24 - 2013-05-08 07:03 - 00791040 ____A C:\RogueKillerX64.exe
2013-05-08 06:22 - 2013-05-08 07:03 - 00602112 ____A (OldTimer Tools) C:\OTL.exe
2013-05-08 05:24 - 2009-07-13 20:55 - 01592214 ____A C:\Windows\WindowsUpdate.log
2013-05-08 04:59 - 2010-09-25 18:01 - 00775392 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-08 04:52 - 2013-05-08 04:52 - 00141624 ____A C:\Windows\Minidump\050813-14040-01.dmp
2013-05-08 04:52 - 2013-05-06 18:21 - 212334905 ____A C:\Windows\MEMORY.DMP
2013-05-08 04:52 - 2013-05-06 18:21 - 00000000 ____D C:\Windows\Minidump
2013-05-08 04:43 - 2013-05-08 04:43 - 00141480 ____A C:\Windows\Minidump\050813-13759-01.dmp
2013-05-08 03:56 - 2013-03-01 06:09 - 00000000 ____D C:\Windows\Patches
2013-05-07 00:48 - 2013-05-07 00:48 - 00141480 ____A C:\Windows\Minidump\050713-15553-01.dmp
2013-05-07 00:46 - 2013-05-07 00:46 - 00141480 ____A C:\Windows\Minidump\050713-13353-01.dmp
2013-05-06 18:21 - 2013-05-06 18:21 - 00141480 ____A C:\Windows\Minidump\050613-23696-01.dmp
2013-05-06 18:07 - 2010-11-06 10:43 - 00000000 ____D C:\Users\mattr.CORP\AppData\Roaming\Skype
2013-05-06 18:03 - 2013-05-06 18:03 - 00090112 ____A (Hilgraeve, Inc.) C:\ProgramData\DisplaySwitch.exe
2013-05-04 05:07 - 2011-02-11 08:13 - 00000000 ____D C:\Users\mattr.CORP\Tracing
2013-05-01 22:06 - 2010-10-04 09:38 - 00238872 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-04-30 05:32 - 2010-10-04 10:16 - 00000000 ____D C:\ProgramData\FLEXnet
2013-04-24 04:33 - 2013-04-19 05:36 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-04-24 04:33 - 2012-04-26 11:09 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-04-12 05:45 - 2013-04-24 04:07 - 01211752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-12 04:28 - 2010-10-28 06:06 - 00002131 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-04-11 05:07 - 2009-07-13 20:33 - 00429936 ____A C:\Windows\System32\FNTCACHE.DAT
2013-04-11 04:46 - 2010-10-04 10:30 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-04-10 13:33 - 2010-10-04 10:44 - 70490256 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-04-08 16:36 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2013-04-08 06:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\zh-TW
2013-04-08 06:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\zh-HK
2013-04-08 06:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\zh-CN
2013-04-08 06:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\tr-TR
2013-04-08 06:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\sv-SE
2013-04-08 06:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ru-RU
2013-04-08 06:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\pt-PT
2013-04-08 06:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\pt-BR
2013-04-08 06:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\pl-PL
2013-04-08 06:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\nl-NL
2013-04-08 06:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\nb-NO
2013-04-08 06:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ko-KR
2013-04-08 06:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ja-JP
2013-04-08 06:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\it-IT
2013-04-08 06:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\hu-HU
2013-04-08 06:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\fr-FR
2013-04-08 06:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\fi-FI
2013-04-08 06:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\el-GR
2013-04-08 06:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\de-DE

==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-04-10 13:33:23
Restore point made on: 2013-04-11 04:44:48
Restore point made on: 2013-04-16 03:36:36
Restore point made on: 2013-04-19 04:04:00
Restore point made on: 2013-04-24 04:05:56
Restore point made on: 2013-04-24 13:16:55
Restore point made on: 2013-04-29 04:36:37
Restore point made on: 2013-05-03 04:49:01
Restore point made on: 2013-05-08 03:50:45

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 3957.83 MB
Available physical RAM: 3435.04 MB
Total Pagefile: 3956.11 MB
Available Pagefile: 3440.02 MB
Total Virtual: 2047.88 MB
Available Virtual: 1962.3 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:295.32 GB) (Free:184.53 GB) NTFS
Drive d: (READER) (Fixed) (Total:2 GB) (Free:1.9 GB) FAT32
Drive g: (TOSHIBA) (Removable) (Total:14.89 GB) (Free:9.98 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:0.73 GB) (Free:0.53 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298 GB) (Disk ID: 259D4594)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=750 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=295 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=2 GB) - (Type=OF Extended)

========================================================
Disk: 1 (Size: 15 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=15 GB) - (Type=0C)


Last Boot: 2013-05-04 06:24

==================== End Of Log ============================

Farbar Recovery Scan Tool (x86) Version: 08-05-2013
Ran by SYSTEM at 2013-05-08 13:25:20
Running from G:\
Boot Mode: Recovery

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

=== End Of Search ===
  • 0

#2
JSntgRvr (Global Moderator, 11,579 posts)
Welcome!

You seem to have run every tool in the neighborhood.

Download the enclosed file next to FRST: fixlist.txt (attached to this reply).

Run FRST and click on the Fix button.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

If successful, give it a test run and let me know the outcome.
  • 0

#3
DaShonk (Topic Starter, New Member, 3 posts)
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 08-05-2013
Ran by SYSTEM at 2013-05-08 17:02:30 Run:1
Running from G:\
Boot Mode: Recovery

==============================================

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\DisplaySwitch => Value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*WerKernelReporting => Value deleted successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value was restored successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist => Key deleted successfully.
C:\ProgramData\DisplaySwitch.exe => Moved successfully.

==== End of Fixlog ====
  • 0
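A small triage script, added here as an example and not part of this thread or of FRST itself, that applies the checks the fixlist above implicitly relied on: it flags a Winlogon Shell value that is not the Windows default explorer.exe, autoruns launched from user-writable locations such as C:\ProgramData, and entries FRST marks [x] (target file not found). The sample lines are copied from the FRST log in post #1; the user-writable path list and the explorer.exe default are assumptions made for this example.

```python
import re

# Constructed sample: registry lines copied from the FRST log posted in this thread
# (post #1), so the triage runs offline without the original attachment.
SAMPLE_LOG = r"""
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [546712 2012-08-24] (Alps Electric Co., Ltd.)
HKLM\...\Run: [] [x]
HKLM\...\Run: [DisplaySwitch] "C:\ProgramData\DisplaySwitch.exe" [90112 2013-05-06] (Hilgraeve, Inc.)
HKLM\...\Runonce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [x]
HKLM\...\Winlogon: [Shell] C:\ProgramData\DisplaySwitch.exe [x ] ()
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\822\G2AWinLogon.dll [X]
HKU\mattr.CORP\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized [ 2012-07-13] (Skype Technologies S.A.)
"""

# One FRST registry line: "<key>: [<value name>] <command> [<size date>] (<company>)".
# The "[<value name>]" part is absent on Winlogon\Notify entries.
LINE_RE = re.compile(r"^(?P<key>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<rest>.*)$")
# First executable path in the command, quoted or not (unquoted paths may contain spaces).
PATH_RE = re.compile(r'"(?P<q>[^"]+)"|(?P<u>[A-Za-z%][^\[\("]*?\.(?:exe|dll|sys|com))', re.I)
# FRST prints [x] when the file an entry points to could not be found.
MISSING_RE = re.compile(r"\[x\]", re.I)
# Assumed list of locations a standard user can write to; legitimate autoruns rarely live here.
USER_WRITABLE = (r"c:\programdata", r"c:\users", "\\appdata\\", "\\temp\\", "%temp%")
# Assumed Windows 7 default: the Shell value holds just "explorer.exe".
WINLOGON_SHELL_DEFAULT = "explorer.exe"


def triage_frst_registry(log_text):
    """Return (key, value name, path, reason) for every suspicious autorun line."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key, name, rest = m.group("key"), m.group("name") or "", m.group("rest")
        pm = PATH_RE.search(rest)
        path = (pm.group("q") or pm.group("u")) if pm else ""
        low = path.lower()
        # Anything other than explorer.exe here replaces the desktop at logon, which is
        # exactly how a lock screen takes over the whole session.
        if key.endswith("Winlogon") and name == "Shell" and not low.endswith(WINLOGON_SHELL_DEFAULT):
            findings.append((key, name, path, "Winlogon Shell replaced"))
        # The "(Company)" text at the end of the line is read from the file's own version
        # resource, not from a signature, so it proves nothing (the sample binary claims Hilgraeve).
        if path and any(marker in low for marker in USER_WRITABLE):
            findings.append((key, name, path, "autorun from user-writable location"))
        if MISSING_RE.search(rest):
            findings.append((key, name, path, "target file missing (orphaned entry)"))
    return findings


if __name__ == "__main__":
    for key, name, path, reason in triage_frst_registry(SAMPLE_LOG):
        print(f"{reason:40} {key} [{name}] {path}")
```

Every line this flags, apart from the empty `[] [x]` Run value, is one the Fixlog above shows being deleted or restored.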

#4
DaShonk (Topic Starter, New Member, 3 posts)
I just restarted the machine after deploying your fix, and it got me around the screen lock!
Thanks so much for the awesome help!!! You Guys Rock!!!
  • 0

#5
JSntgRvr (Global Moderator, 11,579 posts)
Please run a free online scan with the ESET Online Scanner

Vista / Win7 users: Right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator.

Note: This scan works with Internet Explorer or Mozilla Firefox.

If using Mozilla Firefox, you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on it to install.

  • Click the green ESET Online Scanner box.
  • Tick the box next to YES, I accept the Terms of Use, then click on: Start
  • You may see a panel towards the top of the screen telling you the website wants to install an addon; click and allow it to install. If your firewall asks whether you want to allow installation, say yes.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start.
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the mouse or keyboard during the scan; otherwise it may stall.
  • When completed, select Uninstall application on close; make sure you copy the logfile first!
  • Then click on: Finish
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

  • 0