
Your pc is locked! [Solved]



#16 DrkMachine (Member, Topic Starter, 126 posts)

OTL logfile created on: 12/2/2014 8:26:54 PM - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\Compaq_Administrator\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
958.48 Mb Total Physical Memory | 460.05 Mb Available Physical Memory | 48.00% Memory free
2.26 Gb Paging File | 1.70 Gb Available in Paging File | 75.35% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 224.68 Gb Total Space | 160.81 Gb Free Space | 71.57% Space Free | Partition Type: NTFS
Drive D: | 8.18 Gb Total Space | 0.53 Gb Free Space | 6.47% Space Free | Partition Type: FAT32
 
Computer Name: PIGOTT1 | User Name: Compaq_Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days
 
========== Custom Scans ==========
 
< MD5 for: USER32.DL_  >
[2004/08/09 15:00:00 | 000,263,547 | ---- | M] () MD5=5BF86149AB9EA650050375F25D0FA0C2 -- C:\WINDOWS\I386\USER32.DL_
 
< MD5 for: USER32.DLL  >
[2005/03/02 12:19:56 | 000,577,024 | ---- | M] (Microsoft Corporation) MD5=1800F293BCCC8EDE8A70E12B88D80036 -- C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
[2007/03/08 09:48:36 | 000,578,048 | ---- | M] (Microsoft Corporation) MD5=7AA4F6C00405DFC4B70ED4214E7D687B -- C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
[2007/03/08 09:36:28 | 000,577,536 | ---- | M] (Microsoft Corporation) MD5=B409909F6E2E8A7067076ED748ABF1E7 -- C:\WINDOWS\$NtServicePackUninstall$\user32.dll
[2007/03/08 09:36:28 | 000,577,536 | ---- | M] (Microsoft Corporation) MD5=B409909F6E2E8A7067076ED748ABF1E7 -- C:\WINDOWS\ERDNT\cache\user32.dll
[2004/08/09 15:00:00 | 000,577,024 | ---- | M] (Microsoft Corporation) MD5=C72661F8552ACE7C5C85E16A3CF505C4 -- C:\WINDOWS\$NtUninstallKB890859$\user32.dll
[2005/03/02 12:09:30 | 000,577,024 | ---- | M] (Microsoft Corporation) MD5=DE2DB164BBB35DB061AF0997E4499054 -- C:\WINDOWS\$NtUninstallKB925902$\user32.dll
[2014/03/12 04:48:50 | 000,613,376 | ---- | M] (Microsoft Corporation) MD5=E29264387E7387B977B9AF9171B12DF9 -- C:\WINDOWS\ServicePackFiles\i386\user32.dll
[2014/03/12 04:48:50 | 000,613,376 | ---- | M] (Microsoft Corporation) MD5=E29264387E7387B977B9AF9171B12DF9 -- C:\WINDOWS\system32\user32.dll
 
< MD5 for: USER32.INI  >
[2014/03/12 04:48:50 | 000,578,560 | ---- | M] () MD5=DF74697FB06A25F2D119ECA1AC4AE8C2 -- C:\WINDOWS\ServicePackFiles\i386\user32.ini
[2014/03/12 04:48:50 | 000,578,560 | ---- | M] () MD5=DF74697FB06A25F2D119ECA1AC4AE8C2 -- C:\WINDOWS\system32\user32.ini

< End of report >
 


  • 0


#17 Teima (Member, 833 posts)

Hello. Thanks for that. Now, I need to check the integrity of one of the files which is present on your machine. Besides the svchost issue, how does the machine appear to be running at the moment? Are you still being prompted with the messages which were present with the infection before?

Step One
  • Upload File(s) to Virus-Total
  • I want you to upload the following suspicious file(s) to an online virus-scanner to scan.
  • Please go to www.virustotal.com
  • Click on Choose File
  • Go to C:\WINDOWS\system32\user32.dll
  • Click on Open;
  • Click on Scan it;
  • Copy and Paste the link of the result page in your response;

  • 0
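The check Teima is doing by hand here (comparing the live user32.dll with the backup copies listed in the OTL custom scan) can be scripted. This is an added example, not code from the thread or from OTL's author; the parser, the "live copy lives under \system32\" rule, the rollback-directory list and the heuristics are my assumptions, and the sample input is copied from the USER32.DLL section of the OTL log above. Python 3.9+.

```python
"""Compare the live copy of a Windows system file with the backup copies that an
OTL '< MD5 for: ... >' custom scan lists, the way Teima does by hand in this thread."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Sample input, copied from the USER32.DLL section of the OTL log posted above.
SAMPLE_LOG = r"""< MD5 for: USER32.DLL  >
[2005/03/02 12:19:56 | 000,577,024 | ---- | M] (Microsoft Corporation) MD5=1800F293BCCC8EDE8A70E12B88D80036 -- C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
[2007/03/08 09:36:28 | 000,577,536 | ---- | M] (Microsoft Corporation) MD5=B409909F6E2E8A7067076ED748ABF1E7 -- C:\WINDOWS\$NtServicePackUninstall$\user32.dll
[2004/08/09 15:00:00 | 000,577,024 | ---- | M] (Microsoft Corporation) MD5=C72661F8552ACE7C5C85E16A3CF505C4 -- C:\WINDOWS\$NtUninstallKB890859$\user32.dll
[2014/03/12 04:48:50 | 000,613,376 | ---- | M] (Microsoft Corporation) MD5=E29264387E7387B977B9AF9171B12DF9 -- C:\WINDOWS\ServicePackFiles\i386\user32.dll
[2014/03/12 04:48:50 | 000,613,376 | ---- | M] (Microsoft Corporation) MD5=E29264387E7387B977B9AF9171B12DF9 -- C:\WINDOWS\system32\user32.dll
"""

SECTION_RE = re.compile(r"^< MD5 for: (?P<name>\S+)\s*>$")
LINE_RE = re.compile(
    r"^\[(?P<mtime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| \S+ \| \w\] "
    r"\((?P<company>.*?)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)

# Assumptions: on 32-bit XP the copy Windows actually loads lives under \system32\, and
# these directories hold pristine copies left behind by hotfix and service-pack installers.
LIVE_MARKER = "\\system32\\"
ROLLBACK_MARKERS = ("\\$ntuninstall", "\\$ntservicepackuninstall$", "\\$hf_mig$")


@dataclass(frozen=True)
class FileCopy:
    name: str
    mtime: datetime
    size: int
    company: str
    md5: str
    path: str

    @property
    def is_live(self) -> bool:
        return LIVE_MARKER in self.path.lower()

    @property
    def is_rollback(self) -> bool:
        low = self.path.lower()
        return any(marker in low for marker in ROLLBACK_MARKERS)


def parse_otl_md5_scan(text: str) -> dict[str, list[FileCopy]]:
    """Group every '[date | size | attrs | M] (Company) MD5=... -- path' line under its section."""
    copies: dict[str, list[FileCopy]] = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if (head := SECTION_RE.match(line)):
            section = head["name"].upper()
            continue
        entry = LINE_RE.match(line) if section else None
        if entry is None:
            continue  # blank lines, '< End of report >', anything else
        copies[section].append(FileCopy(
            name=section,
            mtime=datetime.strptime(entry["mtime"], "%Y/%m/%d %H:%M:%S"),
            size=int(entry["size"].replace(",", "")),
            company=entry["company"],
            md5=entry["md5"].upper(),
            path=entry["path"],
        ))
    return dict(copies)


def assess(copies: list[FileCopy]) -> list[str]:
    """Heuristic findings for one file name; an empty list means nothing stood out.
    The live copy is measured against rollback copies when any exist, else against every
    other copy. A mismatch is a lead to verify (VirusTotal, vendor hashes), not proof."""
    lives = [c for c in copies if c.is_live]
    if len(lives) != 1:
        return [f"expected exactly one live copy, found {len(lives)}"]
    live = lives[0]
    others = [c for c in copies if not c.is_live]
    reference = [c for c in others if c.is_rollback] or others
    if not reference:
        return ["no backup copies to compare against"]
    label = "rollback" if reference[0].is_rollback else "backup"
    findings = []
    if live.md5 not in {c.md5 for c in reference}:
        findings.append(f"live MD5 {live.md5} matches none of the {len(reference)} {label} copies")
    biggest = max(c.size for c in reference)
    if live.size > biggest:
        findings.append(f"live copy is {live.size - biggest} bytes larger than the largest {label} copy")
    newest = max(c.mtime for c in reference)
    if live.mtime > newest:
        findings.append(f"live copy modified {live.mtime:%Y-%m-%d}, after every {label} copy ({newest:%Y-%m-%d})")
    if not live.company:
        findings.append("live copy carries no company name")
    return findings


def restore_candidates(copies: list[FileCopy]) -> list[FileCopy]:
    """Rollback copies with a Microsoft company string, newest first. Which one matches the
    installed service-pack level is a judgment this script does not make."""
    picks = [c for c in copies if c.is_rollback and c.company == "Microsoft Corporation"]
    return sorted(picks, key=lambda c: c.mtime, reverse=True)


def report(text: str) -> dict[str, list[str]]:
    """Findings per file name for a whole OTL custom-scan log."""
    return {name: assess(copies) for name, copies in parse_otl_md5_scan(text).items()}


if __name__ == "__main__":
    parsed = parse_otl_md5_scan(SAMPLE_LOG)
    for name, findings in report(SAMPLE_LOG).items():
        print(name, "->", findings or ["no findings"])
        for c in restore_candidates(parsed[name]):
            print("   restore candidate:", c.path, f"({c.mtime:%Y-%m-%d}, {c.size} bytes)")
```

On the sample above the live copy fails all three comparisons (unknown hash, 35,840 bytes larger, modified years after every rollback copy), which is the pattern of a patched system DLL rather than a routine update.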

#18 DrkMachine (Member, Topic Starter, 126 posts)

Unfortunately it would seem that everything has come back. I had to go back to using my LiveCD.

https://www.virustot...sis/1417830095/


  • 0

#19 Teima (Member, 833 posts)

Hello DrkMachine. It looks like the ransomware has patched one of the Microsoft files which we will need to replace within this instance. That will stop the infection once this is addressed. Thanks for sticking with me. :)
 
Step One
  • Fix with FRST
    This section of the fix has two parts. For the first part please peruse the following --

    Make sure that you have access to a clean PC or a functioning user account and still have FRST.exe in your flash drive. If you do not have it, download the suitable version from here to your flash-drive.
    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and Paste the contents inside the code-box to your Notepad --
      Start
      Replace: C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll C:\WINDOWS\system32\user32.dll
      Replace: C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll C:\WINDOWS\ServicePackFiles\i386\user32.dll
      End
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt
      • From the Save as type drop down list, choose All Files
    • Copy and Paste fixlist.txt to your flash drive.
    You are ready to move on to the second part. Please peruse --
    • Connect your flash drive to the infected PC;
    • Please run FRST.exe a second time via minixp like before. Should you have issues with this please let me know;
    • Click on Fix;
    • After the fix a log will be created in the flash drive named FixLog.txt;
    • Copy and Paste the contents of the log in your next reply;
    • Try to boot into Normal Mode.

  • 0

#20 DrkMachine (Member, Topic Starter, 126 posts)

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 23-11-2014
Ran by SYSTEM at 2014-12-08 21:11:19 Run:2
Running from J:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
Start
Replace: C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll C:\WINDOWS\system32\user32.dll
Replace: C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll C:\WINDOWS\ServicePackFiles\i386\user32.dll
End
*****************

C:\WINDOWS\system32\user32.dll => Moved successfully.
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll copied successfully to C:\WINDOWS\system32\user32.dll
C:\WINDOWS\ServicePackFiles\i386\user32.dll => Moved successfully.
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll copied successfully to C:\WINDOWS\ServicePackFiles\i386\user32.dll

==== End of Fixlog ====


  • 0

#21 DrkMachine (Member, Topic Starter, 126 posts)

Now the system boots to a black screen with just the mouse cursor.


  • 0

#22 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Hi, Teima is away for the moment and I will be taking over. Could you run a fresh FRST scan for me please?


  • 0

#23 DrkMachine (Member, Topic Starter, 126 posts)

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-11-2014 (ATTENTION: ====> FRST version is 18 days old and could be outdated)
Ran by SYSTEM on MiniXP on 11-12-2014 06:32:47
Running from J:\
Platform: Microsoft Windows XP (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDCPL] => C:\Windows\RTHDCPL.EXE [18085888 2009-02-03] (Realtek Semiconductor Corp.)
HKLM\...\Run: [nwiz] => nwiz.exe /install
HKLM\...\Run: [NeroFilterCheck] => C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [155648 2006-01-12] ()
HKLM\...\Run: [Monitor] => C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe [118272 2014-07-11] (LeapFrog Enterprises, Inc.)
HKLM\...\Run: [LWS] => C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe [165208 2010-05-07] (Logitech Inc.)
HKLM\...\Run: [ehTray] => C:\WINDOWS\ehome\ehtray.exe [64512 2005-08-05] (Microsoft Corporation)
HKLM\...\Run: [DISCover] => C:\Program Files\DISC\DISCover.exe [1077248 2006-03-16] ()
HKLM\...\Run: [CanonSolutionMenuEx] => C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE [1185112 2010-04-02] (CANON INC.)
HKLM\...\Run: [CanonMyPrinter] => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2516296 2010-03-25] (CANON INC.)
HKLM\...\Run: [AlwaysReady Power Message APP] => C:\Windows\ARPWRMSG.EXE [77312 2005-08-02] (Microsoft)
HKLM\...\Run: [Alcmtr] => C:\Windows\ALCMTR.EXE [57344 2008-06-19] (Realtek Semiconductor Corp.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [3012816 2013-04-15] (COMODO)
HKLM\...\Run: [ioloGovernor] => C:\Program Files\iolo\System Mechanic Professional\ioloGovernor.exe [771344 2013-12-03] (iolo technologies, LLC)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\Administrator\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-14] (Microsoft Corporation)
HKU\Compaq_Administrator\...\Run: [LightScribe Control Panel] => C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2363392 2010-03-19] (Hewlett-Packard Company)
HKU\Compaq_Administrator\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-14] (Microsoft Corporation)
HKU\Default User\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-14] (Microsoft Corporation)
Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Pin.lnk
ShortcutTarget: Pin.lnk -> C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
BootExecute: autocheck autochk * autocheck smrgdf C:\Documents and Settings\Compaq_Administrator\Application Data\iolo\

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 AgereModemAudio; C:\Program Files\LSI SoftModem\agrsmsvc.exe [14336 2009-03-28] (LSI Corporation)
S2 ARSVC; C:\WINDOWS\arservice.exe [58880 2005-08-02] (Microsoft)
S2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [4443912 2013-04-25] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [127184 2013-04-15] (COMODO)
S2 HidServ; C:\Windows\System32\svchost.exe [14336 2008-04-14] (Microsoft Corporation)
S2 ioloFileInfoList; C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe [1168960 2013-12-03] (iolo technologies, LLC)
S2 ioloSystemService; C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe [1168960 2013-12-03] (iolo technologies, LLC)
S4 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2013-10-08] (Oracle Corporation)
S2 McrdSvc; C:\WINDOWS\ehome\mcrdsvc.exe [99328 2005-08-05] (Microsoft Corporation)
S2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2012-01-18] (Logitech Inc.)
S2 vseamps; C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe [92712 2009-10-28] (Authentium, Inc)
S2 vsedsps; C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe [117288 2009-10-28] (Authentium, Inc)
S3 vseqrts; C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe [113192 2009-10-28] ()

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S1 AmdK8; C:\Windows\System32\DRIVERS\AmdK8.sys [36352 2005-03-09] (Advanced Micro Devices)
S2 AMP; C:\Windows\System32\DRIVERS\amp.sys [122408 2009-10-28] (Authentium, Inc)
S2 AMPSE; C:\Windows\System32\DRIVERS\ampse.sys [1117224 2009-10-28] (Authentium, Inc)
S3 aracpi; C:\Windows\System32\DRIVERS\aracpi.sys [22784 2005-08-02] (Microsoft Corporation)
S3 arhidfltr; C:\Windows\System32\DRIVERS\arhidfltr.sys [19200 2005-08-02] (Microsoft Corporation)
S3 arkbcfltr; C:\Windows\System32\DRIVERS\arkbcfltr.sys [5376 2005-08-02] (Microsoft Corporation)
S3 armoucfltr; C:\Windows\System32\DRIVERS\armoucfltr.sys [4992 2005-08-02] (Microsoft Corporation)
S3 ARPolicy; C:\Windows\System32\DRIVERS\arpolicy.sys [10112 2005-08-02] (Microsoft Corporation)
S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
S1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [18528 2013-04-15] (COMODO)
S1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [592384 2013-04-15] (COMODO)
S1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [32816 2013-04-15] (COMODO)
S1 FileDisk; C:\Windows\System32\Drivers\FileDisk.sys [9341 2008-04-17] (iolo technologies, LLC (based on original work by Bo Brantén))
S3 FilterService; C:\Windows\System32\DRIVERS\lvuvcflt.sys [23904 2010-07-27] (Logitech Inc.)
S3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [26176 2009-09-23] (LogMeIn, Inc.)
S3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [51120 2005-03-08] (HP)
S3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2005-03-08] (HP)
S3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21744 2005-03-08] (HP)
S0 Inspect; C:\Windows\System32\DRIVERS\inspect.sys [99392 2013-04-25] (COMODO)
S3 LVPr2Mon; C:\Windows\System32\Drivers\LVPr2Mon.sys [25824 2010-05-07] ()
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
S3 NVENETFD; C:\Windows\System32\DRIVERS\NVENETFD.sys [34176 2006-03-03] (NVIDIA Corporation)
S3 nvnetbus; C:\Windows\System32\DRIVERS\nvnetbus.sys [13056 2006-03-03] (NVIDIA Corporation)
S2 PDFsFilter; C:\Windows\System32\DRIVERS\PDFsFilter.sys [68464 2012-07-26] (Raxco Software, Inc.)
S3 pfc; C:\Windows\System32\drivers\pfc.sys [10368 2004-04-01] (Padus, Inc.)
S3 rtl8139; C:\Windows\System32\DRIVERS\RTL8139.SYS [20992 2004-08-03] (Realtek Semiconductor Corporation)
S2 vnccom; C:\Windows\System32\Drivers\vnccom.SYS [6016 2004-06-26] (RDV Soft)
S3 vncdrv; C:\Windows\System32\DRIVERS\vncdrv.sys [4736 2004-06-26] (RDV Soft)
S3 wceusbsh; C:\Windows\System32\DRIVERS\wceusbsh.sys [28672 2006-11-06] (Microsoft Corporation)
S0 XPacket; C:\Windows\System32\xpacket.sys [39424 2008-04-17] (iolo technologies, LLC)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S0 ftsata2; system32\DRIVERS\ftsata2.sys [X]
S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

NETSVC: MHN -> C:\Windows\System32\mhn.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-06 01:28 - 2014-12-10 14:22 - 00000448 _____ () C:\Windows\System32\iolo.ini
2014-12-06 01:25 - 2014-12-06 01:25 - 00263278 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2014-12-03 02:28 - 2014-12-03 02:28 - 00006002 _____ () C:\Documents and Settings\Compaq_Administrator\Desktop\OTL.Txt
2014-12-02 19:46 - 2014-10-23 17:14 - 04012982 _____ (NathanScott Apps) C:\Documents and Settings\Compaq_Administrator\Desktop\IDTool.exe
2014-11-29 06:27 - 2014-11-29 06:27 - 00000000 _____ () C:\Windows\System32\smrgdf.txt
2014-11-25 23:32 - 2014-12-08 21:11 - 00000000 ____D () C:\FRST
2014-11-19 23:12 - 2014-11-19 23:12 - 00000000 ____D () C:\_OTL
2014-11-18 00:31 - 2014-11-18 00:31 - 00602112 _____ (OldTimer Tools) C:\Documents and Settings\Compaq_Administrator\Desktop\OTL(1).exe
2014-11-18 00:18 - 2014-11-18 00:18 - 00000075 _____ () C:\Windows\setupact.log
2014-11-18 00:18 - 2014-11-18 00:18 - 00000000 _____ () C:\Windows\setuperr.log
2014-11-17 21:13 - 2014-11-17 21:13 - 00000018 ____H () C:\SYSREST
2014-11-17 19:19 - 2014-11-18 00:18 - 00006837 _____ () C:\Windows\setupapi.log

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-11 10:54 - 2010-03-22 23:42 - 00032096 _____ () C:\Windows\SchedLgU.Txt
2014-12-10 14:22 - 2010-03-25 03:44 - 00000429 _____ () C:\Windows\System32\iolo.ini.txt
2014-12-10 14:15 - 2010-03-22 23:43 - 00000157 _____ () C:\Windows\wiadebug.log
2014-12-10 14:15 - 2010-03-22 23:43 - 00000050 _____ () C:\Windows\wiaservc.log
2014-12-10 14:15 - 2005-08-30 21:06 - 00001158 _____ () C:\Windows\System32\wpa.dbl
2014-12-06 01:30 - 2010-03-24 21:22 - 00000000 ____D () C:\Documents and Settings\Compaq_Administrator\Local Settings\temp
2014-12-06 01:29 - 2010-03-22 22:27 - 01205074 _____ () C:\Windows\WindowsUpdate.log
2014-12-06 01:28 - 2005-11-14 18:58 - 00000000 ____D () C:\Windows\Registration
2014-12-06 01:27 - 2006-05-05 02:59 - 00043531 _____ () C:\Windows\System32\nvapps.xml
2014-12-06 01:25 - 2011-05-08 00:40 - 01048576 _____ () C:\Windows\System32\config\iolo App.evt
2014-12-06 01:25 - 2006-08-29 03:04 - 00000178 ___SH () C:\Documents and Settings\Compaq_Administrator\ntuser.ini
2014-12-06 01:24 - 2011-08-11 02:03 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2014-12-03 09:38 - 2005-11-14 18:52 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-12-03 09:29 - 2005-08-30 21:07 - 00613644 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-12-02 19:48 - 2006-05-05 03:18 - 00000000 ____D () C:\Program Files\Microsoft.NET
2014-11-29 05:39 - 2014-01-01 03:44 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-11-22 09:47 - 2013-08-14 08:04 - 00000000 ____D () C:\Windows\System32\MRT
2014-11-22 09:07 - 2006-08-30 06:43 - 100445232 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-11-18 00:17 - 2005-11-14 19:17 - 00000000 ____D () C:\Windows\System32\Restore

Files to move or delete:
====================
C:\Documents and Settings\Compaq_Administrator\Application Data\skype.ini


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2004-08-09 21:00] - [2005-03-02 18:19] - 0577024 ____A (Microsoft Corporation) 1800f293bccc8ede8a70e12b88d80036


  • 0

#24 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Download the attached fixlist.txt to the same location as FRST.
Attached file: fixlist.txt (196 bytes, 178 downloads)
Start FRST and press Fix.
On completion, reboot and let me know whether you can achieve either a normal boot or a safe mode boot.
  • 0

#25 DrkMachine (Member, Topic Starter, 126 posts)

Unfortunately neither normal nor safe boot would load.


  • 0


#26 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Could you run a further FRST scan please, as I would like to see what restore points are available?
  • 0

#27 DrkMachine (Member, Topic Starter, 126 posts)

A further scan? I don't see an option for that. How do I do that?


  • 0

#28 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Sorry, I used my own terminology.

Could you run a fresh FRST scan please?
  • 0

#29 DrkMachine (Member, Topic Starter, 126 posts)

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-11-2014 (ATTENTION: ====> FRST version is 19 days old and could be outdated)
Ran by SYSTEM on MiniXP-850 on 12-12-2014 09:52:07
Running from D:\
Platform: Microsoft Windows XP (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDCPL] => C:\Windows\RTHDCPL.EXE [18085888 2009-02-03] (Realtek Semiconductor Corp.)
HKLM\...\Run: [nwiz] => nwiz.exe /install
HKLM\...\Run: [NeroFilterCheck] => C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [155648 2006-01-12] ()
HKLM\...\Run: [Monitor] => C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe [118272 2014-07-11] (LeapFrog Enterprises, Inc.)
HKLM\...\Run: [LWS] => C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe [165208 2010-05-07] (Logitech Inc.)
HKLM\...\Run: [ehTray] => C:\WINDOWS\ehome\ehtray.exe [64512 2005-08-05] (Microsoft Corporation)
HKLM\...\Run: [DISCover] => C:\Program Files\DISC\DISCover.exe [1077248 2006-03-16] ()
HKLM\...\Run: [CanonSolutionMenuEx] => C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE [1185112 2010-04-02] (CANON INC.)
HKLM\...\Run: [CanonMyPrinter] => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2516296 2010-03-25] (CANON INC.)
HKLM\...\Run: [AlwaysReady Power Message APP] => C:\Windows\ARPWRMSG.EXE [77312 2005-08-02] (Microsoft)
HKLM\...\Run: [Alcmtr] => C:\Windows\ALCMTR.EXE [57344 2008-06-19] (Realtek Semiconductor Corp.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [3012816 2013-04-15] (COMODO)
HKLM\...\Run: [ioloGovernor] => C:\Program Files\iolo\System Mechanic Professional\ioloGovernor.exe [771344 2013-12-03] (iolo technologies, LLC)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\Administrator\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-14] (Microsoft Corporation)
HKU\Compaq_Administrator\...\Run: [LightScribe Control Panel] => C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2363392 2010-03-19] (Hewlett-Packard Company)
HKU\Compaq_Administrator\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-14] (Microsoft Corporation)
HKU\Default User\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-14] (Microsoft Corporation)
Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Pin.lnk
ShortcutTarget: Pin.lnk -> C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 AgereModemAudio; C:\Program Files\LSI SoftModem\agrsmsvc.exe [14336 2009-03-28] (LSI Corporation)
S2 ARSVC; C:\WINDOWS\arservice.exe [58880 2005-08-02] (Microsoft)
S2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [4443912 2013-04-25] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [127184 2013-04-15] (COMODO)
S2 HidServ; C:\Windows\System32\svchost.exe [14336 2008-04-14] (Microsoft Corporation)
S2 ioloFileInfoList; C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe [1168960 2013-12-03] (iolo technologies, LLC)
S2 ioloSystemService; C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe [1168960 2013-12-03] (iolo technologies, LLC)
S4 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2013-10-08] (Oracle Corporation)
S2 McrdSvc; C:\WINDOWS\ehome\mcrdsvc.exe [99328 2005-08-05] (Microsoft Corporation)
S2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2012-01-18] (Logitech Inc.)
S2 vseamps; C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe [92712 2009-10-28] (Authentium, Inc)
S2 vsedsps; C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe [117288 2009-10-28] (Authentium, Inc)
S3 vseqrts; C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe [113192 2009-10-28] ()

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S1 AmdK8; C:\Windows\System32\DRIVERS\AmdK8.sys [36352 2005-03-09] (Advanced Micro Devices)
S2 AMP; C:\Windows\System32\DRIVERS\amp.sys [122408 2009-10-28] (Authentium, Inc)
S2 AMPSE; C:\Windows\System32\DRIVERS\ampse.sys [1117224 2009-10-28] (Authentium, Inc)
S3 aracpi; C:\Windows\System32\DRIVERS\aracpi.sys [22784 2005-08-02] (Microsoft Corporation)
S3 arhidfltr; C:\Windows\System32\DRIVERS\arhidfltr.sys [19200 2005-08-02] (Microsoft Corporation)
S3 arkbcfltr; C:\Windows\System32\DRIVERS\arkbcfltr.sys [5376 2005-08-02] (Microsoft Corporation)
S3 armoucfltr; C:\Windows\System32\DRIVERS\armoucfltr.sys [4992 2005-08-02] (Microsoft Corporation)
S3 ARPolicy; C:\Windows\System32\DRIVERS\arpolicy.sys [10112 2005-08-02] (Microsoft Corporation)
S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
S1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [18528 2013-04-15] (COMODO)
S1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [592384 2013-04-15] (COMODO)
S1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [32816 2013-04-15] (COMODO)
S1 FileDisk; C:\Windows\System32\Drivers\FileDisk.sys [9341 2008-04-17] (iolo technologies, LLC (based on original work by Bo Brantén))
S3 FilterService; C:\Windows\System32\DRIVERS\lvuvcflt.sys [23904 2010-07-27] (Logitech Inc.)
S3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [26176 2009-09-23] (LogMeIn, Inc.)
S3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [51120 2005-03-08] (HP)
S3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2005-03-08] (HP)
S3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21744 2005-03-08] (HP)
S0 Inspect; C:\Windows\System32\DRIVERS\inspect.sys [99392 2013-04-25] (COMODO)
S3 LVPr2Mon; C:\Windows\System32\Drivers\LVPr2Mon.sys [25824 2010-05-07] ()
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
S3 NVENETFD; C:\Windows\System32\DRIVERS\NVENETFD.sys [34176 2006-03-03] (NVIDIA Corporation)
S3 nvnetbus; C:\Windows\System32\DRIVERS\nvnetbus.sys [13056 2006-03-03] (NVIDIA Corporation)
S2 PDFsFilter; C:\Windows\System32\DRIVERS\PDFsFilter.sys [68464 2012-07-26] (Raxco Software, Inc.)
S3 pfc; C:\Windows\System32\drivers\pfc.sys [10368 2004-04-01] (Padus, Inc.)
S3 rtl8139; C:\Windows\System32\DRIVERS\RTL8139.SYS [20992 2004-08-03] (Realtek Semiconductor Corporation)
S2 vnccom; C:\Windows\System32\Drivers\vnccom.SYS [6016 2004-06-26] (RDV Soft)
S3 vncdrv; C:\Windows\System32\DRIVERS\vncdrv.sys [4736 2004-06-26] (RDV Soft)
S3 wceusbsh; C:\Windows\System32\DRIVERS\wceusbsh.sys [28672 2006-11-06] (Microsoft Corporation)
S0 XPacket; C:\Windows\System32\xpacket.sys [39424 2008-04-17] (iolo technologies, LLC)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S0 ftsata2; system32\DRIVERS\ftsata2.sys [X]
S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

NETSVC: MHN -> C:\Windows\System32\mhn.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-06 01:28 - 2014-12-10 14:22 - 00000448 _____ () C:\Windows\System32\iolo.ini
2014-12-06 01:25 - 2014-12-06 01:25 - 00263278 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2014-12-03 02:28 - 2014-12-03 02:28 - 00006002 _____ () C:\Documents and Settings\Compaq_Administrator\Desktop\OTL.Txt
2014-12-02 19:46 - 2014-10-23 17:14 - 04012982 _____ (NathanScott Apps) C:\Documents and Settings\Compaq_Administrator\Desktop\IDTool.exe
2014-11-29 06:27 - 2014-11-29 06:27 - 00000000 _____ () C:\Windows\System32\smrgdf.txt
2014-11-25 23:32 - 2014-12-11 13:32 - 00000000 ____D () C:\FRST
2014-11-19 23:12 - 2014-11-19 23:12 - 00000000 ____D () C:\_OTL
2014-11-18 00:31 - 2014-11-18 00:31 - 00602112 _____ (OldTimer Tools) C:\Documents and Settings\Compaq_Administrator\Desktop\OTL(1).exe
2014-11-18 00:18 - 2014-11-18 00:18 - 00000075 _____ () C:\Windows\setupact.log
2014-11-18 00:18 - 2014-11-18 00:18 - 00000000 _____ () C:\Windows\setuperr.log
2014-11-17 21:13 - 2014-11-17 21:13 - 00000018 ____H () C:\SYSREST
2014-11-17 19:19 - 2014-11-18 00:18 - 00006837 _____ () C:\Windows\setupapi.log

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-11 19:34 - 2010-03-22 23:43 - 00000159 _____ () C:\Windows\wiadebug.log
2014-12-11 19:34 - 2010-03-22 23:43 - 00000050 _____ () C:\Windows\wiaservc.log
2014-12-11 19:34 - 2005-08-30 21:06 - 00001158 _____ () C:\Windows\System32\wpa.dbl
2014-12-11 10:54 - 2010-03-22 23:42 - 00032096 _____ () C:\Windows\SchedLgU.Txt
2014-12-10 14:22 - 2010-03-25 03:44 - 00000429 _____ () C:\Windows\System32\iolo.ini.txt
2014-12-06 01:30 - 2010-03-24 21:22 - 00000000 ____D () C:\Documents and Settings\Compaq_Administrator\Local Settings\temp
2014-12-06 01:29 - 2010-03-22 22:27 - 01205849 _____ () C:\Windows\WindowsUpdate.log
2014-12-06 01:28 - 2005-11-14 18:58 - 00000000 ____D () C:\Windows\Registration
2014-12-06 01:27 - 2006-05-05 02:59 - 00043531 _____ () C:\Windows\System32\nvapps.xml
2014-12-06 01:25 - 2011-05-08 00:40 - 01048576 _____ () C:\Windows\System32\config\iolo App.evt
2014-12-06 01:25 - 2006-08-29 03:04 - 00000178 ___SH () C:\Documents and Settings\Compaq_Administrator\ntuser.ini
2014-12-06 01:24 - 2011-08-11 02:03 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2014-12-03 09:38 - 2005-11-14 18:52 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-12-03 09:29 - 2005-08-30 21:07 - 00613644 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-12-02 19:48 - 2006-05-05 03:18 - 00000000 ____D () C:\Program Files\Microsoft.NET
2014-11-29 05:39 - 2014-01-01 03:44 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-11-22 09:47 - 2013-08-14 08:04 - 00000000 ____D () C:\Windows\System32\MRT
2014-11-22 09:07 - 2006-08-30 06:43 - 100445232 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-11-18 00:17 - 2005-11-14 19:17 - 00000000 ____D () C:\Windows\System32\Restore

==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2004-08-09 21:00] - [2005-03-02 18:19] - 0577024 ____A (Microsoft Corporation) 1800f293bccc8ede8a70e12b88d80036


  • 0

#30 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

I don't appear to be getting the full log; could you attach it please?

Also, are you using MiniXP to access the system?
  • 0





