Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

White screen after log in

Started by ThaProduct76 , Aug 29 2013 12:44 PM

  • Please log in to reply

#1
ThaProduct76
Posted 29 August 2013 - 12:44 PM

ThaProduct76

    New Member

  • Member
  • Pip
  • 5 posts
Hello,

i believe i am infected with malware. i have a windows 7. After i log on i get a white screen. Nothing else. If i select ctl-alt-del
i get the options for shut down and task manager. When i select task manager all i get is the white screen. Same happens when i boot into safe mode. If
i select reboot at ctl-alt-delete i briefly see my desktop (all icons are there). i also tried selecting last known good startup.

Please help
  • 0

Advertisements

#2
Phel
Posted 29 August 2013 - 12:54 PM

Phel

    Trusted Helper

  • Malware Removal
  • 1,386 posts
Hello, ThaProduct76 and welcome to GeeksToGo!

You can call me Phel and this time I will try to help you with your trouble.

Please, spend some time to read these instructions carefully before we start. They contain very useful information.

  • Please, stay with us until the end. I know, Malware Removal isn't very fast procedure, it usually has multiple steps, but you should stay here till your computer will be absolutely clean from malware. If your main problem is solved, that doesn't mean that another malware isn't left in your computer. Your patience will be rewarded with absolutely clean computer. :)
  • Please, let me know, if you don't understand something. It is really important to understand every instruction. If you are in doubt, how to follow one or another instruction - feel free to ask me, how to do that. I am always glad to help you with that.
  • Please, don't fix anything by yourself. Please, don't run any tools unless they are required. Trying multiple tools in hope that one of them will help can lead to unrecoverable consequences. Sometimes malware removal tools, used without supervision, can harm your computer more than malware itself.
  • Please, feel free to notify me about changes in your PC's behavior. It's really interesting for me to know, how your computer is running after each portion of fixes.
  • Please note, that I'm currently in training. It doesn't mean that my help will be worse than expert help. My posts are carefully checked by experts before they are posted. Please note, that my replies sometimes can come with delays. However, usually it takes less than 24 hours to revise my message by expert and post to you it.
  • Finally, enjoy the fight! ;)
Okay, let's start now. I want to ask you one question.

Same happens when i boot into safe mode.

Have you tried to boot into Safe Mode with Command Promt? If you haven't, try to do it now and inform me about results.
  • 0

#3
ThaProduct76
Posted 29 August 2013 - 12:57 PM

ThaProduct76

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I have tried and even in safe mode a white screen appears there also
  • 0

#4
Phel
Posted 29 August 2013 - 12:59 PM

Phel

    Trusted Helper

  • Malware Removal
  • 1,386 posts
Do you have x64 or x32(x86) architecture of Windows 7 system?
  • 0

#5
ThaProduct76
Posted 29 August 2013 - 01:00 PM

ThaProduct76

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thank you for assisting me Phel
  • 0

#6
ThaProduct76
Posted 29 August 2013 - 01:02 PM

ThaProduct76

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
X64 I believe
  • 0

#7
Phel
Posted 29 August 2013 - 01:06 PM

Phel

    Trusted Helper

  • Malware Removal
  • 1,386 posts
Okay, then follow some steps below. Plese note that you will need a clean computer with internet access and flash drive.

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst64 and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.[/list]
  • 0

#8
ThaProduct76
Posted 29 August 2013 - 01:19 PM

ThaProduct76

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-08-2013
Ran by SYSTEM on 29-08-2013 11:35:21
Running from F:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [DBRMTray] - C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [227328 2011-03-08] (Dell Computer Corporation)
HKLM\...\RunOnce: [DBRMTray] - C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-02-04] (Microsoft)
HKLM\...\RunOnce: [*WerKernelReporting] - %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [415232 2009-07-13] (Microsoft Corporation)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess?
HKLM-x32\...\Run: [RemoteControl9] - C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2009-07-06] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD9LanguageShortcut] - C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-04-29] (CyberLink Corp.)
HKLM-x32\...\Run: [RoxWatchTray] - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] - C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [BCSSync] - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [NA1Messenger] - C:\PROGRAM FILES (X86)\UPS\WSTD\UPSNA1Msgr.exe [24576 2010-12-09] ()
HKLM-x32\...\Run: [Intuit SyncManager] - C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [1443080 2010-09-27] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [Sendori Tray] - C:\Program Files (x86)\Sendori\SendoriTray.exe [83232 2013-07-01] (Sendori, Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [OfficeScanNT Monitor] - C:\Program Files (x86)\Trend Micro\Security Agent\pccntmon.exe [1932424 2012-12-18] (Trend Micro Inc.)
HKLM-x32\...\Run: [IObit Malware Fighter] - C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe [1549120 2013-08-16] (IObit)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [AS2014] - C:\ProgramData\gV3ni763\gV3ni763.exe [577536 2013-08-29] ()
HKU\Tim\...\Run: [Google Update] - C:\Users\Tim\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2012-04-12] (Google Inc.)
HKU\Tim\...\Run: [Advanced SystemCare 6] - C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe [491840 2013-04-18] (IObit)
HKU\Tim\...\Run: [AS2014] - C:\ProgramData\gV3ni763\gV3ni763.exe [577536 2013-08-29] ()
HKU\Tim\...\Winlogon: [Shell] C:\Users\Tim\AppData\Roaming\dlc.xmm,explorer.exe <==== ATTENTION
Lsa: [Authentication Packages] msv1_0 wvauth

==================== Services (Whitelisted) =================

S2 AdvancedSystemCareService6; C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe [574272 2013-04-18] (IObit)
S2 Apache2; c:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\Apache2\bin\Apache.exe [20550 2010-10-18] (Apache Software Foundation)
S2 Application Sendori; C:\Program Files (x86)\Sendori\SendoriSvc.exe [119072 2013-07-01] (Sendori, Inc.)
S2 IMFservice; C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe [335168 2013-04-25] (IObit)
S2 MSSQL$UPSWSDBSERVER; c:\Program Files (x86)\UPS\WSTD\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S2 ntrtscan; C:\Program Files (x86)\Trend Micro\Security Agent\ntrtscan.exe [3395536 2012-12-18] (Trend Micro Inc.)
S2 ofcservice; C:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\web\service\ofcservice.exe [2547256 2012-12-19] (Trend Micro Inc.)
S2 pcCMService64; C:\Program Files\Common Files\Motive\pcCMService.exe [460288 2012-10-05] (Alcatel-Lucent)
S2 QBVSS; C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [1251840 2010-09-17] ()
S3 QuickBooksDB21; C:\PROGRA~2\Intuit\QUICKB~1\QBDBMgrN.exe [679936 2010-04-27] (Intuit, Inc.)
S2 Service Sendori; C:\Program Files (x86)\Sendori\Sendori.Service.exe [22304 2013-07-01] (sendori)
S2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [3623200 2013-07-01] (Sendori)
S2 tcsd_win32.exe; C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1629696 2010-07-13] ()
S3 TMBMServer; C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe [572464 2012-10-30] (Trend Micro Inc.)
S3 TMiCRCScanService; C:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\wss\iCRCService.exe [771632 2012-11-30] (Trend Micro Inc.)
S2 tmlisten; C:\Program Files (x86)\Trend Micro\Security Agent\tmlisten.exe [3461176 2012-12-18] (Trend Micro Inc.)
S3 TmProxy; C:\Program Files (x86)\Trend Micro\Security Agent\TmProxy.exe [918064 2012-08-08] (Trend Micro Inc.)
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{195bea59-cf36-485d-9c6f-8a46beed1d6c}\ \...\???\{195bea59-cf36-485d-9c6f-8a46beed1d6c}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

S3 FileMonitor; C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys [23048 2013-03-23] (IObit)
S3 FileMonitor; C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys [23048 2013-03-23] (IObit)
S3 MREMP50; C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS [21248 2012-11-15] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MREMP50; C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS [21248 2012-11-15] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MREMP50a64; C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [43008 2012-11-15] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS [20096 2012-11-15] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS [20096 2012-11-15] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50a64; C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [40960 2012-11-15] (Printing Communications Assoc., Inc. (PCAUSA))
S3 RegFilter; C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys [34336 2013-03-26] (IObit.com)
S3 RegFilter; C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys [34336 2013-03-26] (IObit.com)
S0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [17720 2013-05-22] ()
S3 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [82840 2012-10-30] (Trend Micro Inc.)
S1 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [174016 2012-11-13] (Trend Micro Inc.)
S3 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [65872 2012-10-30] (Trend Micro Inc.)
S2 TmFilter; C:\Program Files (x86)\Trend Micro\Security Agent\TmXPFlt.sys [344376 2012-12-04] (Trend Micro Inc.)
S2 TmPreFilter; C:\Program Files (x86)\Trend Micro\Security Agent\TmPreFlt.sys [42808 2012-12-04] (Trend Micro Inc.)
S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [108624 2011-08-31] (Trend Micro Inc.)
S3 UrlFilter; C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys [23016 2013-03-26] (IObit.com)
S3 UrlFilter; C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys [23016 2013-03-26] (IObit.com)
S2 VSApiNt; C:\Program Files (x86)\Trend Micro\Security Agent\VSApiNt.sys [2224952 2012-12-04] (Trend Micro Inc.)
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-08-29 10:30 - 2013-08-29 10:30 - 00262144 _____ C:\Windows\Minidump\082913-25147-01.dmp
2013-08-29 10:27 - 2013-08-29 10:27 - 00000020 ___SH C:\Users\DCS_TIM-VCG.Tim-VCG.002\ntuser.ini
2013-08-29 10:27 - 2013-08-29 10:27 - 00000000 ____D C:\users\DCS_TIM-VCG.Tim-VCG.002
2013-08-29 10:27 - 2012-01-15 03:04 - 00000000 ____D C:\Users\DCS_TIM-VCG.Tim-VCG.002\AppData\Local\Microsoft Help
2013-08-29 10:26 - 2013-08-29 10:26 - 00262144 _____ C:\Windows\Minidump\082913-30108-01.dmp
2013-08-29 10:23 - 2013-08-29 10:28 - 00001668 _____ C:\Users\Tim\Desktop\Antivirus Security Pro.lnk
2013-08-29 10:23 - 2013-08-29 10:28 - 00000118 _____ C:\Users\Tim\Desktop\Antivirus Security Pro support.url
2013-08-29 09:56 - 2013-08-29 09:57 - 00000004 _____ C:\Users\Tim\AppData\Roaming\cache.ini
2013-08-29 09:49 - 2013-08-29 09:49 - 00000218 _____ C:\Windows\TMFilter.log
2013-08-29 09:44 - 2013-08-29 09:48 - 00000000 ____D C:\ProgramData\909EAAFF1B7B42CE0000909E1A664815
2013-08-29 09:39 - 2013-08-29 09:39 - 00000020 ___SH C:\Users\DCS_TIM-VCG.Tim-VCG.001\ntuser.ini
2013-08-29 09:39 - 2013-08-29 09:39 - 00000000 ____D C:\users\DCS_TIM-VCG.Tim-VCG.001
2013-08-29 09:39 - 2012-01-15 03:04 - 00000000 ____D C:\Users\DCS_TIM-VCG.Tim-VCG.001\AppData\Local\Microsoft Help
2013-08-29 09:37 - 2013-08-29 09:37 - 00262144 _____ C:\Windows\Minidump\082913-22916-01.dmp
2013-08-29 07:46 - 2013-08-29 07:46 - 00262144 _____ C:\Windows\Minidump\082913-17706-01.dmp
2013-08-29 07:45 - 2013-08-29 10:29 - 488558670 _____ C:\Windows\MEMORY.DMP
2013-08-29 07:37 - 2013-08-29 09:44 - 00000000 ____D C:\ProgramData\gV3ni763
2013-08-28 19:49 - 2013-08-28 19:49 - 00201216 _____ C:\ProgramData\cfwjpg.exe
2013-08-28 19:49 - 2013-08-28 19:49 - 00000000 ____D C:\ProgramData\ulske
2013-08-28 19:48 - 2013-08-28 19:48 - 00201216 _____ C:\ProgramData\yijcb.exe
2013-08-28 19:48 - 2013-08-28 19:48 - 00201216 _____ C:\ProgramData\rvhk.exe
2013-08-28 19:48 - 2013-08-28 19:48 - 00201216 _____ C:\ProgramData\rfspsw.exe
2013-08-28 19:48 - 2013-08-28 19:48 - 00201216 _____ C:\ProgramData\pssvp.exe
2013-08-28 19:48 - 2013-08-28 19:48 - 00201216 _____ C:\ProgramData\otgmut.exe
2013-08-28 19:48 - 2013-08-28 19:48 - 00201216 _____ C:\ProgramData\njjv.exe
2013-08-28 19:47 - 2013-08-28 19:47 - 00201216 _____ C:\ProgramData\dkrcve.exe
2013-08-28 19:31 - 2013-08-29 07:47 - 00000000 ____D C:\ProgramData\mki
2013-08-28 06:37 - 2013-08-29 10:29 - 00008230 _____ C:\Windows\PFRO.log
2013-08-28 06:37 - 2013-08-29 10:26 - 00000448 _____ C:\Windows\setupact.log
2013-08-28 06:37 - 2013-08-28 06:37 - 00000000 _____ C:\Windows\setuperr.log
2013-08-23 07:54 - 2013-08-23 07:54 - 17737608 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-08-23 07:08 - 2013-05-22 17:49 - 00017720 _____ C:\Windows\System32\Drivers\SmartDefragDriver.sys
2013-08-23 07:01 - 2013-08-29 10:31 - 00000000 ____D C:\users\DCS_TIM-VCG.Tim-VCG.000
2013-08-23 07:01 - 2013-08-23 07:01 - 00000020 ___SH C:\Users\DCS_TIM-VCG.Tim-VCG.000\ntuser.ini
2013-08-23 07:01 - 2012-01-15 03:04 - 00000000 ____D C:\Users\DCS_TIM-VCG.Tim-VCG.000\AppData\Local\Microsoft Help
2013-08-22 07:25 - 2013-08-22 07:25 - 43884544 _____ C:\Windows\System32\config\components.iobit
2013-08-15 14:22 - 2013-08-15 14:22 - 88502272 _____ C:\Windows\System32\config\software.iobit
2013-08-15 14:22 - 2013-08-15 14:22 - 00335872 _____ C:\Windows\System32\config\default.iobit
2013-08-15 14:22 - 2013-08-15 14:22 - 00065536 _____ C:\Windows\System32\config\sam.iobit
2013-08-15 14:22 - 2013-08-15 14:22 - 00028672 _____ C:\Windows\System32\config\security.iobit
2013-08-15 07:41 - 2013-08-15 07:41 - 00003218 _____ C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-606431231-295175572-1105962100-1000
2013-08-15 07:40 - 2013-08-15 07:40 - 00003356 _____ C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-606431231-295175572-1105962100-1000
2013-08-15 07:31 - 2013-07-25 21:13 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-08-15 07:31 - 2013-07-25 21:13 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-08-15 07:31 - 2013-07-25 21:13 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-08-15 07:31 - 2013-07-25 21:12 - 19239424 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-08-15 07:31 - 2013-07-25 21:12 - 15405056 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-08-15 07:31 - 2013-07-25 21:12 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-08-15 07:31 - 2013-07-25 21:12 - 02647040 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-08-15 07:31 - 2013-07-25 21:12 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-08-15 07:31 - 2013-07-25 21:12 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-08-15 07:31 - 2013-07-25 21:12 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-08-15 07:31 - 2013-07-25 21:12 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-08-15 07:31 - 2013-07-25 21:12 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-08-15 07:31 - 2013-07-25 21:12 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-08-15 07:31 - 2013-07-25 21:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-08-15 07:31 - 2013-07-25 19:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-08-15 07:31 - 2013-07-25 19:13 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-08-15 07:31 - 2013-07-25 19:13 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-08-15 07:31 - 2013-07-25 19:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-08-15 07:31 - 2013-07-25 19:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-08-15 07:31 - 2013-07-25 19:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-08-15 07:31 - 2013-07-25 19:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-08-15 07:31 - 2013-07-25 19:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-08-15 07:31 - 2013-07-25 19:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-08-15 07:31 - 2013-07-25 19:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-08-15 07:31 - 2013-07-25 19:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-08-15 07:31 - 2013-07-25 19:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-08-15 07:31 - 2013-07-25 19:11 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-08-15 07:31 - 2013-07-25 19:11 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-08-15 07:31 - 2013-07-25 18:49 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-08-15 07:31 - 2013-07-25 18:39 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-08-15 07:31 - 2013-07-25 17:59 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-08-15 07:05 - 2013-08-07 10:42 - 00000000 ____D C:\Windows\System32\MRT
2013-08-14 09:07 - 2013-07-25 01:25 - 01888768 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-08-14 09:07 - 2013-07-25 00:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-08-14 09:07 - 2013-07-18 17:58 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\tzres.dll
2013-08-14 09:07 - 2013-07-18 17:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-08-14 09:07 - 2013-07-08 21:52 - 00224256 _____ (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2013-08-14 09:07 - 2013-07-08 21:46 - 01472512 _____ (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-08-14 09:07 - 2013-07-08 21:46 - 00184320 _____ (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-08-14 09:07 - 2013-07-08 21:46 - 00139776 _____ (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-08-14 09:07 - 2013-07-08 20:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2013-08-14 09:07 - 2013-07-08 20:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-08-14 09:07 - 2013-07-08 20:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-08-14 09:07 - 2013-07-08 20:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-08-14 09:06 - 2013-07-08 21:51 - 01217024 _____ (Microsoft Corporation) C:\Windows\System32\rpcrt4.dll
2013-08-14 09:06 - 2013-07-08 20:52 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2013-08-14 09:06 - 2013-06-14 20:32 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tssecsrv.sys
2013-08-14 09:05 - 2013-07-05 22:03 - 01910208 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-08-07 11:48 - 2013-08-07 11:56 - 00003188 _____ C:\Windows\System32\Tasks\IHUninstallTrackingTASK

==================== One Month Modified Files and Folders =======

2013-08-29 11:04 - 2013-08-29 11:04 - 00000000 ___DC C:\FRST
2013-08-29 10:31 - 2013-08-23 07:01 - 00000000 ____D C:\users\DCS_TIM-VCG.Tim-VCG.000
2013-08-29 10:31 - 2013-06-24 07:24 - 00000000 ____D C:\users\DCS_TIM-VCG.Tim-VCG
2013-08-29 10:31 - 2013-06-03 14:52 - 00000000 ____D C:\users\DCS_TIM-VCG
2013-08-29 10:31 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-08-29 10:30 - 2013-08-29 10:30 - 00262144 _____ C:\Windows\Minidump\082913-25147-01.dmp
2013-08-29 10:30 - 2012-08-10 07:12 - 00000000 ____D C:\Windows\Minidump
2013-08-29 10:29 - 2013-08-29 07:45 - 488558670 _____ C:\Windows\MEMORY.DMP
2013-08-29 10:29 - 2013-08-28 06:37 - 00008230 _____ C:\Windows\PFRO.log
2013-08-29 10:28 - 2013-08-29 10:23 - 00001668 _____ C:\Users\Tim\Desktop\Antivirus Security Pro.lnk
2013-08-29 10:28 - 2013-08-29 10:23 - 00000118 _____ C:\Users\Tim\Desktop\Antivirus Security Pro support.url
2013-08-29 10:27 - 2013-08-29 10:27 - 00000020 ___SH C:\Users\DCS_TIM-VCG.Tim-VCG.002\ntuser.ini
2013-08-29 10:27 - 2013-08-29 10:27 - 00000000 ____D C:\users\DCS_TIM-VCG.Tim-VCG.002
2013-08-29 10:27 - 2013-06-03 14:57 - 05586756 _____ C:\Windows\SysWOW64\TmInstall.log
2013-08-29 10:27 - 2011-10-24 19:22 - 03116664 _____ C:\Windows\System32\TmInstall.log
2013-08-29 10:26 - 2013-08-29 10:26 - 00262144 _____ C:\Windows\Minidump\082913-30108-01.dmp
2013-08-29 10:26 - 2013-08-28 06:37 - 00000448 _____ C:\Windows\setupact.log
2013-08-29 10:26 - 2011-10-28 15:50 - 00000196 _____ C:\Windows\Tasks\AutoKMS.job
2013-08-29 10:26 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-29 09:57 - 2013-08-29 09:56 - 00000004 _____ C:\Users\Tim\AppData\Roaming\cache.ini
2013-08-29 09:57 - 2011-12-13 08:45 - 00000000 ____D C:\ProgramData\Sendori
2013-08-29 09:54 - 2013-01-07 08:19 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-29 09:52 - 2009-07-13 20:45 - 00021312 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-29 09:52 - 2009-07-13 20:45 - 00021312 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-29 09:49 - 2013-08-29 09:49 - 00000218 _____ C:\Windows\TMFilter.log
2013-08-29 09:48 - 2013-08-29 09:44 - 00000000 ____D C:\ProgramData\909EAAFF1B7B42CE0000909E1A664815
2013-08-29 09:48 - 2013-06-03 14:58 - 00008980 _____ C:\Windows\cfgall.ini
2013-08-29 09:44 - 2013-08-29 07:37 - 00000000 ____D C:\ProgramData\gV3ni763
2013-08-29 09:44 - 2011-11-02 12:18 - 00000259 _____ C:\Windows\wstdUPSWSHIP.INI
2013-08-29 09:43 - 2012-02-24 13:52 - 00000000 ____D C:\users\QBDataServiceUser21
2013-08-29 09:39 - 2013-08-29 09:39 - 00000020 ___SH C:\Users\DCS_TIM-VCG.Tim-VCG.001\ntuser.ini
2013-08-29 09:39 - 2013-08-29 09:39 - 00000000 ____D C:\users\DCS_TIM-VCG.Tim-VCG.001
2013-08-29 09:37 - 2013-08-29 09:37 - 00262144 _____ C:\Windows\Minidump\082913-22916-01.dmp
2013-08-29 09:37 - 2011-10-28 13:02 - 00000000 ____D C:\users\Tim
2013-08-29 07:54 - 2011-10-24 20:46 - 01604274 _____ C:\Windows\WindowsUpdate.log
2013-08-29 07:47 - 2013-08-28 19:31 - 00000000 ____D C:\ProgramData\mki
2013-08-29 07:46 - 2013-08-29 07:46 - 00262144 _____ C:\Windows\Minidump\082913-17706-01.dmp
2013-08-29 07:37 - 2012-11-23 07:38 - 00000000 ____D C:\Program Files (x86)\Google
2013-08-29 07:36 - 2012-11-07 07:57 - 00065536 _____ C:\Windows\System32\Ikeext.etl
2013-08-29 07:36 - 2011-10-28 15:50 - 00000202 _____ C:\Windows\Tasks\AutoKMSDaily.job
2013-08-28 19:49 - 2013-08-28 19:49 - 00201216 _____ C:\ProgramData\cfwjpg.exe
2013-08-28 19:49 - 2013-08-28 19:49 - 00000000 ____D C:\ProgramData\ulske
2013-08-28 19:48 - 2013-08-28 19:48 - 00201216 _____ C:\ProgramData\yijcb.exe
2013-08-28 19:48 - 2013-08-28 19:48 - 00201216 _____ C:\ProgramData\rvhk.exe
2013-08-28 19:48 - 2013-08-28 19:48 - 00201216 _____ C:\ProgramData\rfspsw.exe
2013-08-28 19:48 - 2013-08-28 19:48 - 00201216 _____ C:\ProgramData\pssvp.exe
2013-08-28 19:48 - 2013-08-28 19:48 - 00201216 _____ C:\ProgramData\otgmut.exe
2013-08-28 19:48 - 2013-08-28 19:48 - 00201216 _____ C:\ProgramData\njjv.exe
2013-08-28 19:47 - 2013-08-28 19:47 - 00201216 _____ C:\ProgramData\dkrcve.exe
2013-08-28 19:18 - 2012-04-12 14:18 - 00000900 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606431231-295175572-1105962100-1000UA.job
2013-08-28 15:54 - 2011-10-28 16:32 - 00000000 ____D C:\Users\Tim\Documents\Outlook Files
2013-08-28 12:18 - 2012-04-12 14:18 - 00000848 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606431231-295175572-1105962100-1000Core.job
2013-08-28 06:37 - 2013-08-28 06:37 - 00000000 _____ C:\Windows\setuperr.log
2013-08-27 13:28 - 2013-05-06 09:57 - 00000000 ____D C:\Users\Tim\Desktop\Sarai's Folder
2013-08-27 07:31 - 2011-11-08 15:37 - 00002113 _____ C:\Users\Tim\Desktop\Vendor.xlsx.lnk
2013-08-23 14:05 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-08-23 07:58 - 2011-12-13 08:45 - 00000000 ____D C:\ProgramData\IObit
2013-08-23 07:58 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-08-23 07:58 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-08-23 07:54 - 2013-08-23 07:54 - 17737608 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-08-23 07:54 - 2013-01-07 08:19 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-08-23 07:54 - 2012-04-10 07:09 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-08-23 07:54 - 2011-10-24 18:52 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-08-23 07:01 - 2013-08-23 07:01 - 00000020 ___SH C:\Users\DCS_TIM-VCG.Tim-VCG.000\ntuser.ini
2013-08-22 07:25 - 2013-08-22 07:25 - 43884544 _____ C:\Windows\System32\config\components.iobit
2013-08-21 10:38 - 2011-12-09 14:08 - 00021236 _____ C:\Users\Tim\Desktop\Tom's Hours.xlsx
2013-08-20 07:38 - 2009-07-13 21:13 - 00926974 _____ C:\Windows\System32\PerfStringBackup.INI
2013-08-15 14:22 - 2013-08-15 14:22 - 88502272 _____ C:\Windows\System32\config\software.iobit
2013-08-15 14:22 - 2013-08-15 14:22 - 00335872 _____ C:\Windows\System32\config\default.iobit
2013-08-15 14:22 - 2013-08-15 14:22 - 00065536 _____ C:\Windows\System32\config\sam.iobit
2013-08-15 14:22 - 2013-08-15 14:22 - 00028672 _____ C:\Windows\System32\config\security.iobit
2013-08-15 07:41 - 2013-08-15 07:41 - 00003218 _____ C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-606431231-295175572-1105962100-1000
2013-08-15 07:40 - 2013-08-15 07:40 - 00003356 _____ C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-606431231-295175572-1105962100-1000
2013-08-15 07:05 - 2011-11-01 07:22 - 78161360 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-08-07 11:56 - 2013-08-07 11:48 - 00003188 _____ C:\Windows\System32\Tasks\IHUninstallTrackingTASK
2013-08-07 11:54 - 2013-01-28 08:05 - 00000000 ____D C:\Program Files\Common Files\Motive
2013-08-07 11:54 - 2012-11-23 07:39 - 00000000 ____D C:\Program Files\Google
2013-08-07 11:51 - 2011-11-04 12:24 - 00000000 ____D C:\Program Files (x86)\Yahoo!
2013-08-07 11:51 - 2011-10-28 14:44 - 00000000 ____D C:\Program Files\WinRAR
2013-08-07 11:48 - 2013-01-28 08:06 - 00000000 ____D C:\Program Files (x86)\ATT
2013-08-07 11:43 - 2012-04-12 14:17 - 00000000 ____D C:\Users\Tim\AppData\Local\Google
2013-08-07 11:39 - 2013-01-17 08:08 - 00000000 ____D C:\Program Files (x86)\Application Updater
2013-08-07 11:37 - 2013-05-17 15:55 - 00000000 ____D C:\Program Files (x86)\Naver
2013-08-07 10:56 - 2011-10-28 14:19 - 00000000 ____D C:\Users\Tim\AppData\Local\Adobe
2013-08-07 10:42 - 2013-08-15 07:05 - 00000000 ____D C:\Windows\System32\MRT
2013-07-31 07:02 - 2012-08-01 16:03 - 00000129 _____ C:\Windows\System32\MRT.INI
2013-07-30 07:16 - 2009-07-13 21:08 - 00032568 _____ C:\Windows\Tasks\SCHEDLGU.TXT

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-606431231-295175572-1105962100-1000\$195bea59cf36485d9c6f8a46beed1d6c

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$195bea59cf36485d9c6f8a46beed1d6c

Files to move or delete:
====================
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install\{195bea59-cf36-485d-9c6f-8a46beed1d6c}
C:\Windows\svchost.exe
ATTENTION ====> Check for partition/boot infection.
C:\ProgramData\cfwjpg.exe
C:\ProgramData\dkrcve.exe
C:\ProgramData\njjv.exe
C:\ProgramData\otgmut.exe
C:\ProgramData\pssvp.exe
C:\ProgramData\rfspsw.exe
C:\ProgramData\rvhk.exe
C:\ProgramData\yijcb.exe
C:\Users\Tim\AppData\Roaming\cache.dat
C:\Users\Tim\AppData\Roaming\cache.ini
C:\Users\Tim\AppData\Local\Temp\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_0\dbdata.dll

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-08-26 06:57:41
Restore point made on: 2013-08-27 06:55:09
Restore point made on: 2013-08-29 07:42:04
Restore point made on: 2013-08-29 07:54:48

==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 3992.94 MB
Available physical RAM: 3334.68 MB
Total Pagefile: 3991.14 MB
Available Pagefile: 3329.63 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:281.9 GB) (Free:203.95 GB) NTFS
Drive f: (PATRIOT) (Removable) (Total:3.61 GB) (Free:3.59 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:16.15 GB) (Free:7.77 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected.

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298 GB) (Disk ID: 894E4791)
Partition 00: (Active) - (Size=0) - (Type=00) ATTENTION ===> 0 byte partition bootkit.
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=16 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=282 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 4 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0C)


LastRegBack: 2013-08-22 16:14

==================== End Of Log ============================
  • 0

#9
Phel
Posted 29 August 2013 - 02:14 PM

Phel

    Trusted Helper

  • Malware Removal
  • 1,386 posts
Wow, you are really fast. :)

Warning! Your computer is infected with Backdoor.

What is Backdoor?

Backdoor is malware, which allows another person to remotely control your computer, so this infection can execute files, download files from the internet or steal your data.

How can you deal with this infection?

We can clean this infection. However, we aren't sure, that you can trust your computer even after removal of this infection. So, there is only one way to completely remove this infection - format your hard drive and reinstall Windows.

Please, read info here to learn more, why you need to reinstall Windows.

So, If you decided to format hard drive and reinstall Windows, please, let me know about it. If you didn't, please, follow these steps:

Step 1. FRST Fix.

  • Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy.
  • Right-click in the open notepad and select Paste.
  • Save it on the flashdrive as fixlist.txt 

start
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess?
HKLM-x32\...\Run: [AS2014] - C:\ProgramData\gV3ni763\gV3ni763.exe [577536 2013-08-29] ()
HKU\Tim\...\Run: [AS2014] - C:\ProgramData\gV3ni763\gV3ni763.exe [577536 2013-08-29] ()
C:\ProgramData\gV3ni763\gV3ni763.exe
HKU\Tim\...\Winlogon: [Shell] C:\Users\Tim\AppData\Roaming\dlc.xmm,explorer.exe <==== ATTENTION 
C:\Users\Tim\AppData\Roaming\dlc.xmm
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{195bea59-cf36-485d-9c6f-8a46beed1d6c}\ \...\???\{195bea59-cf36-485d-9c6f-8a46beed1d6c}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\Program Files (x86)\Google\Desktop\Install\{195bea59-cf36-485d-9c6f-8a46beed1d6c}\ \...\???\{195bea59-cf36-485d-9c6f-8a46beed1d6c}\GoogleUpdate.exe
2013-08-29 07:37 - 2013-08-29 09:44 - 00000000 ____D C:\ProgramData\gV3ni763
2013-08-28 19:49 - 2013-08-28 19:49 - 00201216 _____ C:\ProgramData\cfwjpg.exe
2013-08-28 19:49 - 2013-08-28 19:49 - 00000000 ____D C:\ProgramData\ulske
2013-08-28 19:48 - 2013-08-28 19:48 - 00201216 _____ C:\ProgramData\yijcb.exe
2013-08-28 19:48 - 2013-08-28 19:48 - 00201216 _____ C:\ProgramData\rvhk.exe
2013-08-28 19:48 - 2013-08-28 19:48 - 00201216 _____ C:\ProgramData\rfspsw.exe
2013-08-28 19:48 - 2013-08-28 19:48 - 00201216 _____ C:\ProgramData\pssvp.exe
2013-08-28 19:48 - 2013-08-28 19:48 - 00201216 _____ C:\ProgramData\otgmut.exe
2013-08-28 19:48 - 2013-08-28 19:48 - 00201216 _____ C:\ProgramData\njjv.exe
2013-08-28 19:47 - 2013-08-28 19:47 - 00201216 _____ C:\ProgramData\dkrcve.exe
2013-08-29 10:23 - 2013-08-29 10:28 - 00001668 _____ C:\Users\Tim\Desktop\Antivirus Security Pro.lnk
2013-08-29 10:23 - 2013-08-29 10:28 - 00000118 _____ C:\Users\Tim\Desktop\Antivirus Security Pro support.url
C:\Program Files (x86)\Google\Desktop\Install\{195bea59-cf36-485d-9c6f-8a46beed1d6c}
C:\Users\Tim\AppData\Roaming\cache.dat
C:\Users\Tim\AppData\Roaming\cache.ini
C:\$Recycle.Bin\S-1-5-18\$195bea59cf36485d9c6f8a46beed1d6c
C:\$Recycle.Bin\S-1-5-21-606431231-295175572-1105962100-1000\$195bea59cf36485d9c6f8a46beed1d6c
C:\Windows\svchost.exe
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
TDL4: custom:26000022
end
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options.

Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt) please post it in your next reply.

Step 2. OTL scan.

Boot in normal mode now and download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    BASESERVICES
dir "%systemdrive%\*" /S /A:L /C
  • Click on Scan All Users checkbox, which is located near Quick Scan button.
  • Then click the Run Scan button at the top.
  • Let the program run unhindered.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.
Step 3. RogueKiller scan.

Download RogueKiller to your desktop

Note: This is a French tool so don't be surprised when you find the page displays with some French.

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • Wait until Prescan has finished...
  • Click on Scan

    Posted Image
  • Wait for the scan to finish.
  • The report is created on your desktop.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of all the RKreport.txt files from your desktop in your next Reply.

So, please, don't forget to post in your next message:

  • Fixlog.txt
  • OTL.txt
  • Extras.txt
  • RKreport.txt

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP