White screen after login [Closed]

#1 bhchan77 (New Member)

Hello,

I am infected with malware or a virus. I have a Windows 7 PC (Home Premium). After I log on, I get a white screen. Nothing else. If I press Ctrl-Alt-Del, I get the options for shut down and task manager. When I select task manager, all I get is the white screen. When I select safe mode, it restarts on its own. I also tried selecting last known good startup, but no use. I tried to restore to a previous date, but it failed to restore.

Any suggestions?

I found the topic/issue below, which is similar to mine, so I ran FRST64; the scan log is below.
http://www.geekstogo...n-after-log-in/


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 21-05-2013
Ran by SYSTEM on 21-05-2013 06:12:20
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Apoint] T.EXE [x]
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8158240 2009-10-09] (Realtek Semiconductor)
HKLM\...\Run: [IgfxTray] DOWS\SYSTEM32\IGFXTRAY.EXE [x]
HKLM\...\Run: [HotKeysCmds] DOWS\SYSTEM32\HKCMD.EXE [x]
HKLM\...\Run: [Persistence] DOWS\SYSTEM32\IGFXPERS.EXE [x]
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3189016 2009-10-01] (Dell Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] CARD\WLTRAY.EXE [x]
HKLM\...\Run: [MsmqIntCert] regsvr32 /s mqrt.dll [x]
HKLM\...\Run: [lxdxmon.exe] .EXE" [x]
HKLM\...\Run: [lxdxamon] .EXE" [x]
HKLM\...\Run: [Zune Launcher] CHER.EXE" [x]
HKLM\...\Run: [CNAP2 Launcher] AP2LAK.EXE [x]
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-12-29] (CyberLink Corp.)
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [x]
HKLM-x32\...\Run: [] 1.0.7.0 [x]
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2010-09-23] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-09-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup [300472 2010-05-12] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [GearSyncAutoStart] "C:\Program Files (x86)\Humana\GearSync\Humana_GearSync.exe" [532040 2012-05-10] (Humana Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Zoolz Tray] "C:\Program Files\Genie9\Zoolz2\ZoolzLauncher.exe" "C:\Program Files\Genie9\Zoolz2\Zoolz.exe" "-Delay" [1569808 2013-03-24] (Genie9)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1532992 2013-03-13] (McAfee, Inc.)
HKU\bhavesh\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [3883856 2009-07-26] (Microsoft Corporation)
HKU\bhavesh\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [6497592 2011-11-23] (Yahoo! Inc.)
HKU\bhavesh\...\Run: [nhneci] "C:\Windows\System32\rundll32.exe" "C:\Users\bhavesh\AppData\Roaming\nhneci.dll",get_pixel_aspect_ratio [x]
HKU\bhavesh\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\bhavesh\...\Run: [cdloader] "C:\Users\bhavesh\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK [50592 2012-02-01] (magicJack L.P.)
HKU\bhavesh\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18678376 2013-04-19] (Skype Technologies S.A.)
HKU\bhavesh\...\Winlogon: [Shell] explorer.exe,C:\Users\bhavesh\AppData\Roaming\skype.dat [93696 2011-11-16] (EA TechBuilder Labs) <==== ATTENTION
Startup: C:\Users\bhavesh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
ShortcutTarget: MagicDisc.lnk -> C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
Startup: C:\Users\Classic .NET AppPool\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\DefaultAppPool\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Services (Whitelisted) =================

S2 ftpsvc; C:\Windows\system32\inetsrv\ftpsvc.dll [350720 2012-05-31] (Microsoft Corporation)
S2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Corporation)
S2 lxdxCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\lxdxserv.exe [29184 2009-10-16] (Lexmark International, Inc.)
S2 lxdx_device; C:\Windows\system32\lxdxcoms.exe [1039872 2009-10-16] ( )
S2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 McAWFwk; c:\PROGRA~1\mcafee\msc\mcawfwk.exe [225216 2011-01-28] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 mcmscsvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [384048 2013-02-25] (McAfee, Inc.)
S4 McOobeSv; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [241456 2013-02-19] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-02-19] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-02-19] (McAfee, Inc.)
S2 MsDtsServer100; C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [214040 2008-07-10] (Microsoft Corporation)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 MSMQ; C:\Windows\system32\mqsvc.exe [9216 2009-07-13] (Microsoft Corporation)
S2 MSMQTriggers; C:\Windows\system32\mqtgsvc.exe [189440 2010-11-20] (Microsoft Corporation)
S2 MSSQL$DEVBOX; C:\Program Files\Microsoft SQL Server\MSSQL10.DEVBOX\MSSQL\Binn\sqlservr.exe [57820696 2008-07-10] (Microsoft Corporation)
S2 MSSQL$SQLEXPRESS; C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S4 msvsmon80; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x64\msvsmon.exe [4476096 2005-09-22] (Microsoft Corporation)
S4 msvsmon90; C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe [4466688 2007-11-07] (Microsoft Corporation)
S2 NMSAccessU; C:\Program Files (x86)\Digiarty\WinX DVD Author 5.5\NMSAccessU.exe [71096 2008-05-03] ()
S2 ReportServer$DEVBOX; C:\Program Files\Microsoft SQL Server\MSRS10.DEVBOX\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2045464 2008-07-10] (Microsoft Corporation)
S3 SQLAgent$DEVBOX; C:\Program Files\Microsoft SQL Server\MSSQL10.DEVBOX\MSSQL\Binn\SQLAGENT.EXE [430616 2008-07-10] (Microsoft Corporation)
S2 USTSScheduler; C:\Program Files (x86)\USTechSupport\SchedulerService\SchedulerService.exe [736648 2012-07-12] (US Tech Support LLC)
S2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
S2 wltrysvc; C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe [3417088 2009-07-17] (Dell Inc.)
S3 WMSVC; C:\Windows\system32\inetsrv\wmsvc.exe [10752 2009-07-13] (Microsoft Corporation)
S2 Zoolz 2 Service; C:\Program Files\Genie9\Zoolz2\ZoolzService.exe [450064 2013-03-24] (Genie9)
S2 MSOLAP$DEVBOX; "C:\Program Files\Microsoft SQL Server\MSAS10.DEVBOX\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSAS10.DEVBOX\OLAP\Config" [x]
S3 MSSQLFDLauncher$DEVBOX; "C:\Program Files\Microsoft SQL Server\MSSQL10.DEVBOX\MSSQL\Binn\fdlauncher.exe" -s MSSQL10.DEVBOX [x]

==================== Drivers (Whitelisted) ====================

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-02-19] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
S0 McPvDrv; C:\Windows\System32\drivers\McPvDrv.sys [73096 2012-09-14] (McAfee, Inc.)
S0 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179280 2013-02-19] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309840 2013-02-19] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515968 2013-02-19] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)
S1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340216 2013-02-19] (McAfee, Inc.)
S3 MQAC; C:\Windows\System32\drivers\mqac.sys [189440 2009-07-13] (Microsoft Corporation)
S3 ztemtusbser; C:\Windows\System32\DRIVERS\CT_ZTEMT_U_USBSER.sys [120704 2011-12-25] (ZTEMT Incorporated)
S3 mfeavfk01; No ImagePath
S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-21 06:12 - 2013-05-21 06:12 - 00000000 ____D C:\FRST
2013-05-20 19:48 - 2013-05-21 01:48 - 00000004 ____A C:\Users\bhavesh\AppData\Roaming\skype.ini
2013-05-19 07:45 - 2013-05-19 07:45 - 00000000 ____D C:\Users\bhavesh\AppData\Roaming\Macrovision
2013-05-18 06:05 - 2013-05-01 22:06 - 00278800 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-05-18 06:01 - 2013-05-20 20:06 - 00001830 ____A C:\Users\Public\Desktop\McAfee Total Protection.lnk
2013-05-18 06:00 - 2013-05-18 06:00 - 00000000 __RSD C:\Users\bhavesh\Documents\McAfee Vaults
2013-05-18 06:00 - 2013-05-18 06:00 - 00000000 ____D C:\Users\bhavesh\AppData\Local\McAfee Anti-Theft
2013-05-18 06:00 - 2013-05-18 06:00 - 00000000 ____D C:\Program Files (x86)\McAfee.com
2013-05-18 06:00 - 2012-09-14 12:26 - 00073096 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\McPvDrv.sys
2013-05-18 06:00 - 2012-04-20 12:40 - 00196440 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\HipShieldK.sys
2013-05-18 05:59 - 2013-05-18 05:59 - 00000000 ____D C:\Program Files\McAfee.com
2013-05-18 05:59 - 2013-02-19 09:59 - 00070112 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\cfwids.sys
2013-05-18 05:59 - 2013-02-19 09:56 - 00340216 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfewfpk.sys
2013-05-18 05:59 - 2013-02-19 09:55 - 00106552 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mferkdet.sys
2013-05-18 05:59 - 2013-02-19 09:55 - 00010728 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfeclnk.sys
2013-05-18 05:59 - 2013-02-19 09:54 - 00771536 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfehidk.sys
2013-05-18 05:59 - 2013-02-19 09:53 - 00515968 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfefirek.sys
2013-05-18 05:59 - 2013-02-19 09:53 - 00309840 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfeavfk.sys
2013-05-18 05:59 - 2013-02-19 09:52 - 00179280 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfeapfk.sys
2013-05-14 23:04 - 2013-05-05 13:36 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-14 23:04 - 2013-05-05 13:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-14 23:04 - 2013-05-05 11:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-05-14 23:04 - 2013-05-05 11:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-05-14 23:02 - 2013-04-04 17:08 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-05-14 23:02 - 2013-04-04 17:01 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-05-14 23:02 - 2013-04-04 17:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-05-14 23:02 - 2013-04-04 16:59 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-05-14 23:02 - 2013-04-04 16:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-05-14 23:02 - 2013-04-04 16:57 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-05-14 23:02 - 2013-04-04 16:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-05-14 23:02 - 2013-04-04 16:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-05-14 23:02 - 2013-04-04 16:55 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-05-14 23:02 - 2013-04-04 16:54 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-05-14 23:02 - 2013-04-04 16:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-05-14 23:02 - 2013-04-04 16:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-05-14 23:02 - 2013-04-04 16:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-05-14 23:02 - 2013-04-04 14:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-05-14 23:02 - 2013-04-04 14:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-05-14 23:02 - 2013-04-04 14:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-05-14 23:02 - 2013-04-04 14:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-05-14 23:02 - 2013-04-04 14:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-05-14 23:02 - 2013-04-04 13:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-05-14 23:02 - 2013-04-04 13:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-05-14 23:02 - 2013-04-04 13:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-05-14 23:02 - 2013-04-04 13:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-05-14 23:02 - 2013-04-04 13:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-05-14 23:02 - 2013-04-04 13:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-05-14 23:02 - 2013-04-04 13:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-05-14 23:02 - 2013-04-04 13:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-05-14 23:01 - 2013-04-04 17:19 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-05-14 23:01 - 2013-04-04 14:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-05-14 21:29 - 2013-04-09 22:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-05-14 21:29 - 2013-04-09 22:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
2013-05-14 21:28 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-05-14 21:28 - 2013-02-26 22:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe
2013-05-14 21:28 - 2013-02-26 21:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2013-05-14 21:28 - 2013-02-26 21:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
2013-05-14 21:28 - 2013-02-26 21:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll
2013-05-14 21:28 - 2013-02-26 21:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll
2013-05-14 21:28 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2013-05-14 21:28 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
2013-05-14 21:28 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2013-05-14 21:28 - 2011-02-03 03:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
2013-05-07 21:01 - 2013-05-07 21:01 - 00001712 ____A C:\Users\bhavesh\Desktop\MakeMyTripCode.txt
2013-05-05 11:00 - 2013-05-05 11:03 - 00004096 ___AH C:\Users\bhavesh\AppData\Local\keyfile3.drm
2013-04-23 17:39 - 2013-04-12 06:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

==================== One Month Modified Files and Folders =======

2013-05-21 06:12 - 2013-05-21 06:12 - 00000000 ____D C:\FRST
2013-05-21 02:06 - 2009-07-13 21:10 - 01146526 ____A C:\Windows\WindowsUpdate.log
2013-05-21 02:06 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-21 02:06 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-21 02:06 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\inetsrv
2013-05-21 01:59 - 2012-10-09 18:35 - 00024149 ____A C:\Windows\setupact.log
2013-05-21 01:59 - 2010-04-23 14:03 - 00000000 ____D C:\users\bhavesh
2013-05-21 01:59 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-21 01:48 - 2013-05-20 19:48 - 00000004 ____A C:\Users\bhavesh\AppData\Roaming\skype.ini
2013-05-20 20:06 - 2013-05-18 06:01 - 00001830 ____A C:\Users\Public\Desktop\McAfee Total Protection.lnk
2013-05-20 20:02 - 2011-08-08 14:07 - 00000000 ____D C:\Users\bhavesh\Tracing
2013-05-20 19:18 - 2011-06-04 15:18 - 00000000 ____D C:\Users\bhavesh\AppData\Roaming\Skype
2013-05-20 18:15 - 2011-01-15 21:16 - 00000422 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
2013-05-20 17:50 - 2010-08-12 20:26 - 00000000 ____D C:\Users\bhavesh\AppData\Local\TSVNCache
2013-05-20 17:48 - 2010-04-09 08:54 - 00550496 ____A C:\Windows\PFRO.log
2013-05-19 19:47 - 2012-01-06 17:50 - 00000000 ____D C:\Program Files (x86)\McAfee
2013-05-19 19:44 - 2010-06-30 14:01 - 00000000 ____D C:\Users\bhavesh\AppData\Roaming\FileZilla
2013-05-19 17:57 - 2012-01-06 17:50 - 00000000 ____D C:\Program Files\McAfee
2013-05-19 07:45 - 2013-05-19 07:45 - 00000000 ____D C:\Users\bhavesh\AppData\Roaming\Macrovision
2013-05-19 05:42 - 2010-04-09 07:26 - 00000000 ____D C:\ProgramData\McAfee
2013-05-18 07:08 - 2009-07-13 21:13 - 01071886 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-18 06:01 - 2009-07-13 18:34 - 00000510 ____A C:\Windows\win.ini
2013-05-18 06:00 - 2013-05-18 06:00 - 00000000 __RSD C:\Users\bhavesh\Documents\McAfee Vaults
2013-05-18 06:00 - 2013-05-18 06:00 - 00000000 ____D C:\Users\bhavesh\AppData\Local\McAfee Anti-Theft
2013-05-18 06:00 - 2013-05-18 06:00 - 00000000 ____D C:\Program Files (x86)\McAfee.com
2013-05-18 06:00 - 2012-01-06 17:50 - 00000000 ____D C:\Program Files\Common Files\McAfee
2013-05-18 05:59 - 2013-05-18 05:59 - 00000000 ____D C:\Program Files\McAfee.com
2013-05-18 05:39 - 2011-06-04 15:18 - 00000000 ____D C:\ProgramData\Skype
2013-05-18 05:38 - 2012-11-24 09:06 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-05-18 05:28 - 2011-02-14 21:11 - 00002002 ___AH C:\Users\bhavesh\Documents\Default.rdp
2013-05-15 00:05 - 2013-03-20 00:36 - 00000000 ____D C:\Windows\rescache
2013-05-14 23:28 - 2011-01-15 21:16 - 00000564 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2013-05-14 23:28 - 2009-07-13 20:45 - 00552952 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-14 23:06 - 2010-06-04 22:38 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-05-07 21:01 - 2013-05-07 21:01 - 00001712 ____A C:\Users\bhavesh\Desktop\MakeMyTripCode.txt
2013-05-07 21:01 - 2010-07-21 17:10 - 00000000 ____D C:\Users\bhavesh\Documents\SQL Server Management Studio
2013-05-05 13:36 - 2013-05-14 23:04 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-05 13:16 - 2013-05-14 23:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-05 11:25 - 2013-05-14 23:04 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-05-05 11:12 - 2013-05-14 23:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-05-05 11:03 - 2013-05-05 11:00 - 00004096 ___AH C:\Users\bhavesh\AppData\Local\keyfile3.drm
2013-05-01 22:06 - 2013-05-18 06:05 - 00278800 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

ZeroAccess:
C:\Users\bhavesh\AppData\Local\{792f4199-0b73-e2f4-7b46-706eb422a6b8}
C:\Users\bhavesh\AppData\Local\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\@
C:\Users\bhavesh\AppData\Local\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\L
C:\Users\bhavesh\AppData\Local\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\U

Other Malware:
===========
C:\Users\bhavesh\AppData\Roaming\skype.dat
C:\Users\bhavesh\AppData\Roaming\skype.ini

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-05-20 22:58:01

==================== Memory info ===========================

Percentage of memory in use: 17%
Total physical RAM: 3892.54 MB
Available physical RAM: 3230.44 MB
Total Pagefile: 3890.69 MB
Available Pagefile: 3220.24 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:58.59 GB) (Free:8.44 GB) NTFS (Disk=0 Partition=3)
Drive d: () (Fixed) (Total:229.63 GB) (Free:62.59 GB) NTFS (Disk=0 Partition=4)
Drive g: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
Drive h: () (Removable) (Total:1.91 GB) (Free:1.9 GB) FAT (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:9.77 GB) (Free:4.98 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows Vista) (Size: 298 GB) (Disk ID: CDDDD0D0)
Partition 1: (Not Active) - (Size=100 MB) - (Type=DE)
Partition 2: (Active) - (Size=10 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=59 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=230 GB) - (Type=OF Extended)

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: B8DA4BC3)
Partition 1: (Not Active) - (Size=2 GB) - (Type=06)


Last Boot: 2013-05-13 21:31

==================== End Of Log ============================
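The lines a triager zeroes in on in the log above are the Winlogon Shell value that FRST marked with ATTENTION (explorer.exe chained with a .dat file in AppData\Roaming) and the rundll32 entry loading nhneci.dll from the same profile directory. The script below is an added example, not part of this thread or of the FRST tool: it parses the Registry section line format, using entries quoted from the log above as constructed sample input, and flags the patterns an analyst would review; the rules and their wording are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: Registry (Whitelisted) lines copied from the FRST log
# posted above (one clean HKLM entry included for contrast).
SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8158240 2009-10-09] (Realtek Semiconductor)
HKLM\...\Run: [Apoint] T.EXE [x]
HKU\bhavesh\...\Run: [nhneci] "C:\Windows\System32\rundll32.exe" "C:\Users\bhavesh\AppData\Roaming\nhneci.dll",get_pixel_aspect_ratio [x]
HKU\bhavesh\...\Run: [cdloader] "C:\Users\bhavesh\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK [50592 2012-02-01] (magicJack L.P.)
HKU\bhavesh\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18678376 2013-04-19] (Skype Technologies S.A.)
HKU\bhavesh\...\Winlogon: [Shell] explorer.exe,C:\Users\bhavesh\AppData\Roaming\skype.dat [93696 2011-11-16] (EA TechBuilder Labs) <==== ATTENTION
"""

# One FRST registry line: <hive>\...\<key>: [<name>] <value> [<size date> | x] (<vendor>) [<==== ATTENTION]
ENTRY_RE = re.compile(
    r"^(?P<hive>HK\S*?)\\\.\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "
    r"(?P<value>.*?)"
    r"(?: \[(?P<meta>[^\]]*)\])?"
    r"(?: \((?P<vendor>[^)]*)\))?"
    r"(?P<flagged> <==== ATTENTION)?$"
)

# Any path inside a user's profile (user-writable, no admin rights needed to plant a file).
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Parse Registry-section lines of an FRST log into dicts; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def assess(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an autorun entry deserves analyst review (empty if none)."""
    reasons = []
    key, name, value = entry["key"], entry["name"], entry["value"]
    # A clean Windows 7 Shell value is exactly "explorer.exe"; anything appended
    # after the comma is launched at every logon, which fits the white-screen symptom.
    if key == "Winlogon" and name == "Shell" and value.lower() != "explorer.exe":
        reasons.append("Winlogon Shell chains an extra binary after explorer.exe")
    if "rundll32" in value.lower() and USER_PROFILE_RE.search(value):
        reasons.append("rundll32 loads a DLL from a user profile directory")
    elif USER_PROFILE_RE.search(value):
        # Legitimate software does this too (see the magicJack entry), so the
        # vendor string stays attached for the analyst to weigh.
        reasons.append("autorun target lives in a user-writable profile directory")
    if entry["meta"] == "x":
        reasons.append("target file not found on disk ([x] in FRST output)")
    if entry["flagged"]:
        reasons.append("line already marked <==== ATTENTION by FRST")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each entry name that needs review to its reasons, in log order."""
    findings = {}
    for entry in parse_entries(log_text):
        reasons = assess(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for entry in parse_entries(SAMPLE_LOG):
        for reason in assess(entry):
            print(f"{entry['key']}:{entry['name']} ({entry['vendor'] or 'no vendor'}): {reason}")
```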
#2 maliprog (Trusted Helper, Malware Removal)

Hello bhchan77 and welcome to my office here at G2G! :)

My nick is maliprog and I'll be your technical support on this issue. Before we start please read my notes carefully:

NOTES:
  • Malware removal is NOT instantaneous; most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fixes on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or that isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead, please copy and paste it to include the log in your reply.
  • You must reply within 3 days or your topic will be closed.

Step 1

Please copy the attached fixlist.txt to your flash drive.

Attached File: fixlist.txt (467 bytes)

Now please enter System Recovery Options again.

Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt) please post it in your next reply.

If your computer will now boot, continue with the steps below:

Step 2

  • Run OTL.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a Notepad window, OTL.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file, and post it with your next reply.

Step 3

Download GMER from Here. Note the file's name and save it to your root folder, such as C:.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Step 4

Please don't forget to include these items in your reply:

  • FRST Fixlog
  • OTL log
  • OTL Extras log
  • GMER log
It would be helpful if you could post each log in a separate post using the "Add Reply" button.

#3 maliprog (Trusted Helper, Malware Removal)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.