Here it goes again (Client's Computer Riddled with Malware) [Solved]



#1 EmishOrc (Member)

I am working on an Acer laptop that a client gave to me, and it was riddled with viruses! It is running Vista and I have done a lot of scans using none other than Avast, MBAM, AdwCleaner and Junkware Removal Tool, all while the system was intact. One major problem though: after a god [bleep] restart it comes up to the start screen, but it's black with only a cursor spinning in the background. I cannot do anything and I'm stuck on Hiren's Boot CD trying my best to get rid of every rootkit possible, as GMER detects a lot of them. Bitdefender found variant Kazy and ClamWin found Trojan.Crypt.O.

 

Please help :)

 

Regards Robert :)





#2 emeraldnzl (GeekU Instructor)

Hello EmishOrc,

 

From what you say these options may not work but it will make things easier if one of them does. If neither of them works then come back and tell me. We will try a different approach.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Here are some instructions to help you access the Recovery Environment to run a scan.

There are two options shown below. For the first, you will only need a flash drive or some such; for the second, you will need both a flash drive and a Windows Installation Disc.

If you are unable to access the Recovery Environment through the first option and have a Windows Installation disc for that machine then option two will be a good one to try.

Now

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
 
Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

 To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will create a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 

 



#3 EmishOrc (Topic Starter)

Done through the Recovery Environment of Hiren's Boot CD (latest version).

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:07-02-2016
Ran by SYSTEM on MiniXP (13-02-2016 17:26:04)
Running from D:\
Platform: Windows Vista ™ Home Premium (X86) Language: English (United States)
Internet Explorer Version 9
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable, FRST must be run in normal or Safe Mode to create a complete log.
 
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-21] (Microsoft Corporation)
HKLM\...\Run: [ArcadeDeluxeAgent] => C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe [156968 2009-01-21] (CyberLink Corp.)
HKLM\...\Run: [CLMLServer] => C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe [202024 2009-01-21] (CyberLink)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [6793760 2009-02-19] (Realtek Semiconductor)
HKLM\...\Run: [Skytel] => C:\Program Files\Realtek\Audio\HDA\Skytel.exe [1833504 2009-02-19] (Realtek Semiconductor Corp.)
HKLM\...\Run: [PLFSetI] => C:\Windows\PLFSetI.exe [200704 2008-07-30] ()
HKLM\...\Run: [VitaKeyPdtWzd] => c:\Program Files\Acer Bio Protection\PdtWzd.exe [3551744 2009-02-19] (Egis Technology Inc.)
HKLM\...\Run: [Apoint] => C:\Program Files\Apoint2K\Apoint.exe [204800 2009-02-24] (Alps Electric Co., Ltd.)
HKLM\...\Run: [LManager] => C:\Program Files\Launch Manager\LManager.exe [866824 2009-02-19] (Dritek System Inc.)
HKLM\...\Run: [BackupManagerTray] => C:\Program Files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe [249600 2009-04-12] (NewTech Infosystems, Inc.)
HKLM\...\Run: [Acer ePower Management] => C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe [440864 2009-04-15] (Acer Incorporated)
HKLM\...\Run: [EgisTecLiveUpdate] => C:\Program Files\EgisTec Egis Software Update\EgisUpdate.exe [199464 2008-10-27] (EgisTec Inc.)
HKLM\...\Run: [mwlDaemon] => C:\Program Files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe [346672 2008-10-27] (EgisTec Inc.)
HKLM\...\Run: [PlayMovie] => C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe [173288 2008-12-27] (Acer Corp.)
HKLM\...\Run: [Google Desktop Search] => C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-09-02] (Google)
HKLM\...\Run: [Acer Assist Launcher] => C:\Program Files\Acer\Acer Assist\launcher.exe [1261568 2007-11-19] ()
HKLM\...\Run: [Acer Product Registration] => C:\Program Files\Acer\Acer Registration\ACE1.exe [3387392 2007-11-26] (Leader Technologies)
HKLM\...\Run: [hpqSRMon] => [X]
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-11-01] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [421736 2011-12-07] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [253816 2013-03-11] (Oracle Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-10-02] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [935288 2009-09-04] (Adobe Systems Incorporated)
HKLM\...\Run: [tvncontrol] => C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe [2327248 2015-06-30] (Comodo Security Solutions, Inc.)
HKLM\...\RunOnce: [AvgUninstallURL] => cmd.exe /c start hxxp://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAWgBZAEYAOAAtAEMASwA3AFEARwAtADkAVQBCAFUAUgAtADcAUwBVAEwAUwAtADQANABLAFIAMgA"&"inst=NwA3AC0AMwA5AD (the data entry has 360 more characters).
HKLM\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [54072 2014-11-20] (Malwarebytes Corporation)
HKU\Default\...\RunOnce: [ScrSav] => C:\Windows\Screensavers\Acer\run_Acer.exe [53248 2009-01-21] (TODO: <Company name>)
HKU\Default\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\System32\Acer.scr [413696 2009-01-22] (Acer)
HKU\Default User\...\RunOnce: [ScrSav] => C:\Windows\Screensavers\Acer\run_Acer.exe [53248 2009-01-21] (TODO: <Company name>)
HKU\Default User\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\System32\Acer.scr [413696 2009-01-22] (Acer)
HKU\natalie\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-21] (Microsoft Corporation)
HKU\natalie\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-21] (Microsoft Corporation)
HKU\natalie\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [68856 2009-07-22] (Google Inc.)
HKU\natalie\...\Run: [uTorrent] => C:\Users\natalie\AppData\Local\Temp\uttEBBF.tmp.exe [1329744 2014-08-21] (BitTorrent Inc.) <===== ATTENTION
HKU\natalie\...\Run: [Facebook Update] => "C:\Users\natalie\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
HKU\natalie\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [18643560 2013-03-01] (Skype Technologies S.A.)
HKU\natalie\...\Run: [Akamai NetSession Interface] => "C:\Users\natalie\AppData\Local\Akamai\netsession_win.exe"
HKU\natalie\...\RunOnce: [Report] => C:\AdwCleaner\AdwCleaner[C1].txt [12466 2016-02-11] ()
HKU\natalie\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Acer.scr [413696 2009-01-22] (Acer)
AppInit_DLLs: C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL => C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll [123392 2010-09-02] (Google)
Lsa: [Notification Packages] c:\Program Files\Acer Bio Protection\PwdFilter
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 CLHNService; C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [75048 2008-12-18] ()
S2 CLPSLauncher; C:\Program Files\Common Files\COMODO\launcher_service.exe [70848 2015-08-13] (Comodo Security Solutions, Inc.)
S2 ePowerSvc; C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [703008 2009-04-15] (Acer Incorporated)
S2 GeekBuddyRSP; C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe [2327248 2015-06-30] (Comodo Security Solutions, Inc.)
S3 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-09-02] (Google)
S2 IGBASVC; c:\Program Files\Acer Bio Protection\BASVC.exe [3440128 2009-02-19] (Egis Technology Inc.)
S2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-20] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-20] (Malwarebytes Corporation)
S2 MWLService; C:\Program Files\EgisTec\MyWinLocker 3\x86\\MWLService.exe [306736 2008-10-27] (EgisTec Inc.)
S2 NSBU; C:\Program Files\Norton Security with Backup\Engine\22.5.2.15\NSBU.exe [282016 2015-07-16] (Symantec Corporation)
S2 NTI IScheduleSvc; C:\Program Files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [61184 2009-04-12] (NewTech Infosystems, Inc.)
S2 NTISchedulerSvc; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [144632 2008-09-23] (NewTech Infosystems, Inc.)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-21] (Microsoft Corporation)
S3 McComponentHostService; "C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe" [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S0 AlfaFF; C:\Windows\System32\drivers\AlfaFF.sys [42608 2008-07-11] (Alfa Corporation)
S3 ATSWPDRV; C:\Windows\System32\DRIVERS\ATSwpDrv.sys [146944 2008-05-30] (AuthenTec, Inc.)
S1 BHDrvx86; C:\Program Files\Norton Security with Backup\NortonData\22.5.2.15\Definitions\BASHDefs\20150706.001\BHDrvx86.sys [1181424 2015-07-11] (Symantec Corporation)
S1 ccSet_NSBU; C:\Windows\system32\drivers\NSBU\1605020.00F\ccSetx86.sys [137456 2015-07-11] (Symantec Corporation)
S1 CFRMD; C:\Windows\System32\DRIVERS\CFRMD.sys [35064 2014-06-26] (Windows ® Win 7 DDK provider)
S1 IDSVix86; C:\Program Files\Norton Security with Backup\NortonData\22.5.2.15\Definitions\IPSDefs\20150710.001\IDSVix86.sys [523512 2015-07-11] (Symantec Corporation)
S2 int15; c:\Windows\system32\drivers\int15.sys [69632 2008-03-13] ()
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-11-20] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-11-20] (Malwarebytes Corporation)
S2 mwlPSDFilter; C:\Windows\System32\DRIVERS\mwlPSDFilter.sys [19504 2008-10-09] (Egis Incorporated.)
S2 mwlPSDNServ; C:\Windows\System32\DRIVERS\mwlPSDNServ.sys [16432 2008-10-09] (Egis Incorporated.)
S2 mwlPSDVDisk; C:\Windows\System32\DRIVERS\mwlPSDVDisk.sys [59952 2008-10-09] (Egis Incorporated.)
S3 NAVENG; C:\Program Files\Norton Security with Backup\NortonData\22.5.2.15\Definitions\VirusDefs\20150710.002\NAVENG.SYS [104440 2015-05-20] (Symantec Corporation)
S3 NAVEX15; C:\Program Files\Norton Security with Backup\NortonData\22.5.2.15\Definitions\VirusDefs\20150710.002\NAVEX15.SYS [1645432 2015-05-20] (Symantec Corporation)
S3 SRTSP; C:\Windows\system32\drivers\NSBU\1605020.00F\SRTSP.SYS [711408 2015-07-11] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NSBU\1605020.00F\SRTSPX.SYS [44792 2015-07-11] (Symantec Corporation)
S0 SymEFASI; C:\Windows\System32\drivers\NSBU\1605020.00F\SYMEFASI.SYS [1286896 2015-07-11] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [103152 2015-10-21] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\NSBU\1605020.00F\Ironx86.SYS [234744 2015-07-11] (Symantec Corporation)
S1 SYMTDIv; C:\Windows\system32\drivers\NSBU\1605020.00F\SYMTDIV.SYS [358104 2015-07-11] (Symantec Corporation)
S0 dpnfhfx; System32\drivers\cits.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 MFE_RR; \??\C:\Users\natalie\AppData\Local\Temp\mfe_rr.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-02-13 10:22 - 2016-02-13 10:26 - 00000000 ____D C:\RescueCD Logs
2016-02-12 08:23 - 2016-02-12 08:24 - 00000000 ____D C:\FRST
2016-02-11 04:52 - 2016-02-11 04:56 - 00000000 ____D C:\AdwCleaner
2016-02-11 04:14 - 2016-02-11 04:14 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2016-02-11 04:13 - 2016-02-11 04:13 - 00000903 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-02-11 04:13 - 2016-02-11 04:13 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-02-11 04:13 - 2014-11-20 20:14 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
2016-02-11 04:13 - 2014-11-20 20:14 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mwac.sys
2016-02-11 04:13 - 2014-11-20 20:14 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2016-02-11 04:09 - 2016-02-11 04:09 - 00006450 _____ C:\Users\natalie\Desktop\JRT.txt
2016-02-11 03:58 - 2016-01-27 20:01 - 01609032 _____ (Malwarebytes) C:\Users\natalie\Desktop\JRT.exe
2016-02-11 03:19 - 2016-02-11 03:19 - 00051088 _____ C:\Windows\ntbtlog.txt
2016-02-02 09:47 - 2016-02-02 19:36 - 00000000 ____D C:\Program Files\GUMF7E6.tmp
2016-01-31 07:20 - 2016-01-31 07:20 - 00000000 ____D C:\Users\natalie\Local Settings\Application Data\CrashDumps
2016-01-31 07:20 - 2016-01-31 07:20 - 00000000 ____D C:\Users\natalie\AppData\Local\CrashDumps
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-02-13 02:29 - 2006-11-02 12:47 - 00003616 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-02-13 02:29 - 2006-11-02 12:47 - 00003616 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-02-12 08:24 - 2009-07-22 10:41 - 00000000 ____D C:\users\natalie
2016-02-11 04:58 - 2012-02-26 02:38 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy
2016-02-11 04:58 - 2009-07-22 10:41 - 00000000 ____D C:\Users\natalie\Local Settings\Application Data\Temp
2016-02-11 04:58 - 2006-11-02 11:18 - 00000000 ____D C:\Windows\ModemLogs
2016-02-11 04:57 - 2015-06-01 06:20 - 01474832 _____ C:\Windows\System32\Drivers\sfi.dat
2016-02-11 04:57 - 2009-06-07 03:39 - 00000012 _____ C:\Windows\bthservsdp.dat
2016-02-11 04:56 - 2009-08-03 10:26 - 00000000 ____D C:\Users\natalie\AppData\Roaming\Yahoo!
2016-02-11 03:53 - 2006-11-02 11:18 - 00000000 ____D C:\Windows\inf
2016-02-11 03:45 - 2010-09-02 01:57 - 00000000 ____D C:\Users\natalie\AppData\Roaming\Skype
2016-02-11 03:33 - 2010-08-03 04:33 - 00247976 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2016-02-11 03:28 - 2012-09-19 10:13 - 00000000 ____D C:\Users\natalie\AppData\Roaming\uTorrent
2016-02-02 11:43 - 2015-10-21 05:12 - 00000000 ____D C:\Windows\System32\Drivers\NSBU
2016-01-31 07:55 - 2012-03-05 03:00 - 00001975 _____ C:\Users\Public\Desktop\Google Chrome.lnk
 
Files to move or delete:
====================
C:\Users\natalie\AppData\Local\Temp\uttEBBF.tmp.exe
 
 
Some files in TEMP:
====================
C:\Users\natalie\AppData\Local\Temp\8hauqew9.dll
C:\Users\natalie\AppData\Local\Temp\9oixyovz.dll
C:\Users\natalie\AppData\Local\Temp\contentDATs.exe
C:\Users\natalie\AppData\Local\Temp\czschkz3.dll
C:\Users\natalie\AppData\Local\Temp\dmrmsmnv.dll
C:\Users\natalie\AppData\Local\Temp\jiz8uxi0.dll
C:\Users\natalie\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\natalie\AppData\Local\Temp\k7cemwjj.dll
C:\Users\natalie\AppData\Local\Temp\msg10C4.exe
C:\Users\natalie\AppData\Local\Temp\mssinstaller.exe
C:\Users\natalie\AppData\Local\Temp\mwddw1gs.dll
C:\Users\natalie\AppData\Local\Temp\oqmzrc35.dll
C:\Users\natalie\AppData\Local\Temp\RtkBtMnt.exe
C:\Users\natalie\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\natalie\AppData\Local\Temp\sqlite3.dll
C:\Users\natalie\AppData\Local\Temp\udwveq7r.dll
C:\Users\natalie\AppData\Local\Temp\Update.exe
C:\Users\natalie\AppData\Local\Temp\uttEBBF.tmp.exe
C:\Users\natalie\AppData\Local\Temp\{7014C715-C262-417F-8D9E-48DD6FF8F346}-GoogleEarth-Win-Bundle-7.0.3.8542.exe
C:\Users\natalie\AppData\Local\Temp\{CDA9E0FD-F112-4F97-B2DF-4D848956626C}-26.0.1410.43_25.0.1364.172_chrome_updater.exe
 
 
==================== Known DLLs (Whitelisted) =========================
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2015-05-15 00:35] - [2015-04-10 23:22] - 0279552 ____A (Microsoft Corporation) 4F0A7910FC7D8A66433FA9961EEF8BB5
 
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll
[2011-04-19 23:19] - [2011-03-02 15:44] - 0168448 ____A (Microsoft Corporation) 85E861D0B88DB2B54ACB0839654C09F7
 
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE Association (Whitelisted) =============
 
 
==================== Restore Points  =========================
 
Restore point date: 2015-05-19 08:53
Restore point date: 2015-05-25 23:48
Restore point date: 2015-05-27 03:33
Restore point date: 2015-05-28 00:29
Restore point date: 2015-05-28 00:31
Restore point date: 2015-06-18 04:07
Restore point date: 2015-07-01 00:42
Restore point date: 2015-07-17 02:19
Restore point date: 2015-07-20 00:26
Restore point date: 2015-07-28 00:11
Restore point date: 2015-08-12 04:19
Restore point date: 2015-08-12 21:56
Restore point date: 2015-08-23 05:32
Restore point date: 2015-09-16 23:37
Restore point date: 2015-10-21 03:29
Restore point date: 2015-11-02 22:44
Restore point date: 2016-02-11 03:32
Restore point date: 2016-02-11 03:50
Restore point date: 2016-02-11 04:02
Restore point date: 2016-02-14 01:16
 
==================== Memory info ===========================
 
Percentage of memory in use: 12%
Total physical RAM: 3066.77 MB
Available physical RAM: 2688.05 MB
Total Virtual memory: 2833.34 MB
Available Virtual memory: 1903.53 MB
 
==================== Drives ================================
 
Drive b: (RamDrive) (Fixed) (Total:0.83 GB) (Free:0.82 GB) NTFS
Drive c: (ACER) (Fixed) (Total:288.32 GB) (Free:185.05 GB) NTFS ==>[system with boot components (obtained from disk)]
Drive d: (MOVIES) (Removable) (Total:30.22 GB) (Free:30.08 GB) NTFS
Drive e: (HBCD 15.2) (CDROM) (Total:0.58 GB) (Free:0 GB) CDFS
Drive x: (Mini Xp) (Fixed) (Total:0.23 GB) (Free:0.23 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 298.1 GB) (Disk ID: 591DAAD6)
Partition 1: (Not Active) - (Size=9.8 GB) - (Type=27)
Partition 2: (Active) - (Size=288.3 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 30.2 GB) (Disk ID: 0002C5AE)
Partition 1: (Active) - (Size=30.2 GB) - (Type=07 NTFS)
 
 
LastRegBack: 2016-02-11 05:35
 
==================== End of FRST.txt ============================


#4 emeraldnzl (GeekU Instructor)

Hello EmishOrc,

 

Download the attached fixlist.txt file and save it on the flash drive as fixlist.txt

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Please enter System Recovery Options, as we've done previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

After that

See if you can boot up in normal mode.

If you can, please download a fresh copy of FRST to the machine's desktop. Run FRST by adding the word English to the name, e.g. EnglishFRST.exe, with the Addition.txt box ticked, and post back the two logs generated: FRST.txt and Addition.txt.

If you are still unable to boot to normal mode, see if you can get to Safe Mode and follow the above actions. If you can't do either, come back and tell me.

So when you come back please post

  • Fixlog.txt
  • FRST.txt
  • Addition.txt

 

Edit: Just to tell you I am signing off now. Late where I am... catch you tomorrow NZ time. :)

Attached Files


Edited by emeraldnzl, 13 February 2016 - 02:14 AM.
Added - am signing off.


#5 EmishOrc (Topic Starter)

Still cannot boot, in both Safe and normal mode, even after the FRST fixlist ran. May I ask: I had 2 rogue antivirus programs that were on the system; I think that something happened to it after the restart.



#6 EmishOrc (Topic Starter)

Running from a secondary PC as a last resort. Feel free to work with me, as I'm in a very happy and great mood.



#7 emeraldnzl (GeekU Instructor)

May I ask: I had 2 rogue antivirus programs that were on the system; I think that something happened to it after the restart.


There are multiple security programs on that machine. Whether or not they are legitimate, there is likely to be conflict causing problems.

As soon as we can, we want to uninstall them all.

As far as something happening, it could be a rogue AV or it could just be Comodo which gets in the way of our fixes and which FRST was attempting to disable while it ran the fix.

Moving on

I take it from what you said that the fixlist was processed.

Can I see the Fixlog it generated?



#8 EmishOrc (Topic Starter)

Sure :)

 

Fix result of Farbar Recovery Scan Tool (x86) Version:07-02-2016
Ran by SYSTEM (2016-02-13 18:42:08) Run:2
Running from D:\
Boot Mode: Recovery
 
==============================================
 
fixlist content:
*****************
DisableService:CLPSLauncher
DisableService:GeekBuddyRSP
HKU\natalie\...\Run: [uTorrent] => C:\Users\natalie\AppData\Local\Temp\uttEBBF.tmp.exe [1329744 2014-08-21] (BitTorrent Inc.) <===== ATTENTION
C:\Users\natalie\AppData\Local\Temp\uttEBBF.tmp.exe
C:\Users\natalie\Local Settings\Application Data\Temp
C:\Users\natalie\AppData\Roaming\uTorrent
C:\Users\natalie\AppData\Local\Temp\8hauqew9.dll
C:\Users\natalie\AppData\Local\Temp\9oixyovz.dll
C:\Users\natalie\AppData\Local\Temp\contentDATs.exe
C:\Users\natalie\AppData\Local\Temp\czschkz3.dll
C:\Users\natalie\AppData\Local\Temp\dmrmsmnv.dll
C:\Users\natalie\AppData\Local\Temp\jiz8uxi0.dll
C:\Users\natalie\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\natalie\AppData\Local\Temp\k7cemwjj.dll
C:\Users\natalie\AppData\Local\Temp\msg10C4.exe
C:\Users\natalie\AppData\Local\Temp\mwddw1gs.dll
C:\Users\natalie\AppData\Local\Temp\oqmzrc35.dll
C:\Users\natalie\AppData\Local\Temp\RtkBtMnt.exe
C:\Users\natalie\AppData\Local\Temp\udwveq7r.dl l
C:\Users\natalie\AppData\Local\Temp\Update.exe
*****************
 
CLPSLauncher => service disabled
GeekBuddyRSP => service disabled
HKU\natalie\Software\Microsoft\Windows\CurrentVersion\Run\\uTorrent => value removed successfully.
C:\Users\natalie\AppData\Local\Temp\uttEBBF.tmp.exe => moved successfully.
C:\Users\natalie\Local Settings\Application Data\Temp => moved successfully.
C:\Users\natalie\AppData\Roaming\uTorrent => moved successfully.
"C:\Users\natalie\AppData\Local\Temp\8hauqew9.dll" => not found.
"C:\Users\natalie\AppData\Local\Temp\9oixyovz.dll" => not found.
"C:\Users\natalie\AppData\Local\Temp\contentDATs.exe" => not found.
"C:\Users\natalie\AppData\Local\Temp\czschkz3.dll" => not found.
"C:\Users\natalie\AppData\Local\Temp\dmrmsmnv.dll" => not found.
"C:\Users\natalie\AppData\Local\Temp\jiz8uxi0.dll" => not found.
"C:\Users\natalie\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe" => not found.
"C:\Users\natalie\AppData\Local\Temp\k7cemwjj.dll" => not found.
"C:\Users\natalie\AppData\Local\Temp\msg10C4.exe" => not found.
"C:\Users\natalie\AppData\Local\Temp\mwddw1gs.dll" => not found.
"C:\Users\natalie\AppData\Local\Temp\oqmzrc35.dll" => not found.
"C:\Users\natalie\AppData\Local\Temp\RtkBtMnt.exe" => not found.
"C:\Users\natalie\AppData\Local\Temp\udwveq7r.dl l" => not found.
"C:\Users\natalie\AppData\Local\Temp\Update.exe" => not found.
 
==== End of Fixlog 18:42:08 ====

Edited by EmishOrc, 13 February 2016 - 05:14 PM.

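The FRST.txt in post #3 and the fixlist echoed in the Fixlog above use one consistent line format: autoruns as `HKU\...\Run: [name] => path [size date] (company)`, services and drivers as `S2 name; path`, `[X]` where the registered file is missing, and `<===== ATTENTION` where FRST itself is suspicious. The fixlist reuses those lines: `DisableService:<name>` stops a service, a registry line copied verbatim is removed or restored, and a bare path is moved (quarantined). The script below is an added example, not FRST's own code and not something anyone in this thread posted; it parses lines of that shape, flags the entries a helper would look at first, and drafts the corresponding fixlist. The sample lines are constructed from the log above, the three heuristics (user Temp folder, `[X]`, ATTENTION tag) are the author's, and including `[X]` orphans in the fixlist is the author's choice; the helper in this thread did not do that, so treat the output as a draft to review, never as something to run blind.

```python
"""Triage an FRST (Farbar Recovery Scan Tool) log and draft a matching fixlist.

Added example for this thread: not FRST's own code, not the helper's fixlist.
Heuristics are the author's: an autorun or service that runs from a user Temp
folder, an entry FRST itself tagged "<===== ATTENTION", or a service/driver
whose file is missing ("[X]").
"""
import re

# Constructed sample: a few lines in the shape of the FRST.txt posted above.
SAMPLE_LOG = r"""
HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-21] (Microsoft Corporation)
HKU\natalie\...\Run: [uTorrent] => C:\Users\natalie\AppData\Local\Temp\uttEBBF.tmp.exe [1329744 2014-08-21] (BitTorrent Inc.) <===== ATTENTION
HKU\natalie\...\Run: [Facebook Update] => "C:\Users\natalie\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
S2 GeekBuddyRSP; C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe [2327248 2015-06-30] (Comodo Security Solutions, Inc.)
S0 dpnfhfx; System32\drivers\cits.sys [X]
S3 MFE_RR; \??\C:\Users\natalie\AppData\Local\Temp\mfe_rr.sys [X]
"""

# Registry autorun line:  HKLM\...\Run: [name] => <rest>
AUTORUN_RE = re.compile(r"^HK(?:LM|U)\\.*?\\Run(?:Once)?: \[(?P<name>[^\]]*)\] => (?P<rest>.*)$")
# Service / driver line:  S2 name; <rest>   (first token is FRST's start type)
SERVICE_RE = re.compile(r"^(?P<state>[SRU]\d) (?P<name>[^;]+); (?P<rest>.*)$")
# Per-user temp folders (Vista+ and the XP-style junction); malware loves them.
TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Local Settings\\Temp)\\", re.IGNORECASE)
# First drive-letter path ending in a binary extension, quoted or not.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"\[]*?\.(?:exe|dll|sys|scr))\b', re.IGNORECASE)


def scan(log_text):
    """Return the flagged autorun / service / driver entries of an FRST.txt."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = AUTORUN_RE.match(line)
        if m:
            kind = "autorun"
        else:
            m = SERVICE_RE.match(line)
            if not m:
                continue  # not an entry type this triage understands
            kind = "service"
        rest = m.group("rest")
        reasons = []
        if "<===== ATTENTION" in line:
            reasons.append("FRST itself tagged the entry ATTENTION")
        if TEMP_RE.search(rest):
            reasons.append("runs from a user Temp folder")
        if rest.rstrip().endswith("[X]"):
            reasons.append("registered, but the file is missing ([X])")
        if reasons:
            findings.append({"kind": kind, "name": m.group("name"),
                             "line": line, "rest": rest, "reasons": reasons})
    return findings


def build_fixlist(findings, disable_services=()):
    """Draft fixlist.txt lines in the format FRST processes (see the Fixlog above).

    DisableService:<name>  -> service is disabled
    registry line verbatim -> entry is removed / restored to default
    bare file path         -> file is moved (quarantined)
    """
    lines = [f"DisableService:{name}" for name in disable_services]
    for f in findings:
        lines.append(f["line"])  # verbatim: FRST removes the Run value / service key
        if f["kind"] == "autorun":
            p = PATH_RE.search(f["rest"])
            if p:
                lines.append(p.group("path"))  # bare path: FRST moves the file
    return lines


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"[{f['kind']}] {f['name']}: {'; '.join(f['reasons'])}")
    print()
    # Service names to disable are a reviewer decision; these two are the ones
    # the helper chose in this thread (Comodo components that block fixes).
    print("\n".join(build_fixlist(found, disable_services=("CLPSLauncher", "GeekBuddyRSP"))))
```

Run it on a real FRST.txt (`scan(open("FRST.txt", encoding="utf-8").read())`) and read the reasons before copying anything into a fixlist; a legitimate updater that stages itself in Temp will trip the same heuristic as `uttEBBF.tmp.exe` did.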

#9 EmishOrc (Topic Starter)

Don't worry now, I am going to reinstall Vista, so I'm backing up my client's documents for him. Seems that BV:Revenon.A wrecked the entire system.

 

 

(Solved)


Edited by EmishOrc, 13 February 2016 - 06:18 PM.


#10 emeraldnzl (GeekU Instructor)

Thank you for telling us. :thumbsup:



#11 emeraldnzl (GeekU Instructor)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.







