FBI Lockdown.


dana k

New Member
Thread author
Verified
Apr 2, 2013
26
This virus seems very nasty. I'm unable to start up in Safe Mode, Safe Mode with Networking or Safe Mode with Command Prompt. I've tried HitmanPro from a flash drive and the Kaspersky Rescue Disk from the CD-ROM, but it goes straight to the FBI page. I can hear the CD-ROM running for just a couple of seconds, but then it goes to the Windows welcome page/FBI page. I am def a novice here. I'm not sure what the OTL LOG or the aswMBR LOG is exactly, or how to load it without USB or ROM. Would greatly appreciate any help. Thanks
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi and welcome to the malwaretips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or where you will need to take your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Can you please try to run a scan with Farbar Recovery Scan Tool? You will need a USB (flash) pen drive.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language setting, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer", note the drive letter of your flash drive, and close Notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.
 

dana k
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2013 (ATTENTION: FRST version is 20 days old)
Ran by SYSTEM at 02-04-2013 23:38:56
Running from F:\
Windows Vista (TM) Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet004

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [eRecoveryService] [x]
HKLM\...\Run: [NPSStartup] [x]
HKLM\...\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\pcTrayApp.exe" [1980416 2012-11-15] (Alcatel-Lucent)
HKLM\...\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY [4394032 2013-03-13] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [41208 2012-12-19] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM\...\Run: [DisplaySwitch] "C:\ProgramData\DisplaySwitch.exe" [55296 2013-03-27] (?????????? ??????????)
HKU\Default\...\RunOnce: [AcerScrSav] C:\Windows\Acer\run_NB.exe [24576 2007-08-21] ()
HKU\Default User\...\RunOnce: [AcerScrSav] C:\Windows\Acer\run_NB.exe [24576 2007-08-21] ()
HKU\od\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKLM\...\Runonce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [x]
HKLM\...\Winlogon: [Shell] C:\ProgramData\DisplaySwitch.exe [x ] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

==================== Services (Whitelisted) ===================

2 ATT MAHostService; "C:\Program Files\ATT\8.2.1.6\ma\bin\MAHostService.exe" [319488 2012-11-15] (Alcatel-Lucent)
2 AVGIDSAgent; "C:\Program Files\AVG\AVG2013\avgidsagent.exe" [4937264 2013-02-27] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files\AVG\AVG2013\avgwdsvc.exe" [282624 2013-02-19] (AVG Technologies CZ, s.r.o.)
2 BUNAgentSvc; "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe" [16384 2008-03-03] (NewTech Infosystems, Inc.)
2 ccEvtMgr; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [107624 2006-11-22] (Symantec Corporation)
2 ccSetMgr; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [107624 2006-11-22] (Symantec Corporation)
2 CLHNService; C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [81504 2008-01-16] ()
2 DefWatch; "C:\Program Files\Symantec AntiVirus\DefWatch.exe" [30872 2006-11-28] (Symantec Corporation)
2 ETService; C:\Program Files\Acer\Empowering Technology\Service\ETService.exe [24576 2008-06-02] ()
3 LiveUpdate; "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" [2541248 2006-10-31] (Symantec Corporation)
2 MBAMScheduler; "C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe" [398184 2012-12-14] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [682344 2012-12-14] (Malwarebytes Corporation)
2 MobilityService; C:\Acer\Mobility Center\MobilityService.exe -p [110592 2007-12-06] ()
2 NTISchedulerSvc; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [131072 2008-04-25] ()
2 pcServiceHost; "C:\Program Files\Common Files\Motive\pcServiceHost.exe" [342528 2012-11-15] (Alcatel-Lucent)
2 Rpcnet; C:\Windows\System32\rpcnet.exe [58288 2013-02-16] (Absolute Software Corp.)
3 SavRoam; "C:\Program Files\Symantec AntiVirus\SavRoam.exe" [122008 2006-11-28] (symantec)
2 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
2 Symantec AntiVirus; "C:\Program Files\Symantec AntiVirus\Rtvscan.exe" [1962136 2006-11-28] (Symantec Corporation)

==================== Drivers (Whitelisted) ====================

1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [208184 2013-02-26] (AVG Technologies CZ, s.r.o.)
0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [60216 2013-02-08] (AVG Technologies CZ, s.r.o.)
1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22328 2013-03-01] (AVG Technologies CZ, s.r.o.)
1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [170808 2013-02-08] (AVG Technologies CZ, s.r.o.)
0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [245048 2013-02-08] (AVG Technologies CZ, s.r.o.)
0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [96568 2013-02-08] (AVG Technologies CZ, s.r.o.)
0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [39224 2013-02-08] (AVG Technologies CZ, s.r.o.)
1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [182072 2013-02-14] (AVG Technologies CZ, s.r.o.)
1 DritekPortIO; \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys [20112 2006-11-02] (Dritek System Inc.)
3 dvd43llh; C:\Windows\System32\DRIVERS\dvd43llh.sys [18816 2010-03-13] (RIF)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-11-14] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-11-14] (Symantec Corporation)
3 FsUsbExDisk; \??\C:\Windows\system32\FsUsbExDisk.SYS [36608 2009-08-03] ()
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [21104 2012-12-14] (Malwarebytes Corporation)
3 NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20130221.003\NAVENG.SYS [93296 2013-02-14] (Symantec Corporation)
3 NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20130221.003\NAVEX15.SYS [1603824 2013-02-14] (Symantec Corporation)
1 SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [406672 2006-10-06] (Symantec Corporation)
1 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [247144 2006-11-22] (Symantec Corporation)
3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [274328 2006-11-22] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [25448 2006-11-22] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [109744 2009-01-14] (Symantec Corporation)
3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [26384 2006-10-26] (Symantec Corporation)
1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [185744 2006-10-26] (Symantec Corporation)
2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796}; \??\C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl [61424 2008-07-18] (Cyberlink Corp.)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-04-02 23:38 - 2013-04-02 23:38 - 00000000 ____D C:\FRST
2013-04-02 14:49 - 2013-04-02 14:49 - 00139080 ____A C:\Windows\Minidump\Mini040213-05.dmp
2013-04-02 12:12 - 2013-04-02 12:12 - 00145664 ____A C:\Windows\Minidump\Mini040213-04.dmp
2013-04-02 12:04 - 2013-04-02 12:04 - 00139080 ____A C:\Windows\Minidump\Mini040213-03.dmp
2013-04-02 06:42 - 2013-04-02 06:42 - 00131072 ____A C:\Windows\Minidump\Mini040213-02.dmp
2013-04-02 06:24 - 2013-04-02 06:24 - 00145664 ____A C:\Windows\Minidump\Mini040213-01.dmp
2013-03-31 06:39 - 2013-03-31 06:39 - 00145680 ____A C:\Windows\Minidump\Mini033113-02.dmp
2013-03-31 06:27 - 2013-03-31 06:27 - 00139080 ____A C:\Windows\Minidump\Mini033113-01.dmp
2013-03-29 21:44 - 2013-03-29 21:44 - 00139080 ____A C:\Windows\Minidump\Mini033013-03.dmp
2013-03-29 21:43 - 2013-03-29 21:43 - 00000000 ____D C:\ProgramData\HitmanPro
2013-03-29 21:42 - 2013-03-29 21:43 - 00145664 ____A C:\Windows\Minidump\Mini033013-02.dmp
2013-03-29 21:37 - 2013-03-29 21:37 - 00139080 ____A C:\Windows\Minidump\Mini033013-01.dmp
2013-03-29 20:59 - 2013-03-29 20:59 - 00139080 ____A C:\Windows\Minidump\Mini032913-09.dmp
2013-03-29 16:25 - 2013-03-29 16:25 - 00145680 ____A C:\Windows\Minidump\Mini032913-08.dmp
2013-03-29 16:14 - 2013-03-29 16:14 - 00145664 ____A C:\Windows\Minidump\Mini032913-07.dmp
2013-03-29 16:03 - 2013-03-29 16:03 - 00139080 ____A C:\Windows\Minidump\Mini032913-06.dmp
2013-03-29 13:52 - 2013-03-29 13:52 - 00145664 ____A C:\Windows\Minidump\Mini032913-05.dmp
2013-03-29 08:26 - 2013-03-29 08:26 - 00145680 ____A C:\Windows\Minidump\Mini032913-04.dmp
2013-03-29 08:16 - 2013-03-29 08:16 - 00145680 ____A C:\Windows\Minidump\Mini032913-03.dmp
2013-03-29 08:00 - 2013-03-29 08:00 - 00139080 ____A C:\Windows\Minidump\Mini032913-02.dmp
2013-03-29 07:41 - 2013-03-29 07:41 - 00139080 ____A C:\Windows\Minidump\Mini032913-01.dmp
2013-03-27 22:32 - 2013-03-27 22:32 - 00145664 ____A C:\Windows\Minidump\Mini032813-04.dmp
2013-03-27 22:20 - 2013-03-27 22:20 - 00145680 ____A C:\Windows\Minidump\Mini032813-03.dmp
2013-03-27 22:00 - 2013-03-27 22:00 - 00145680 ____A C:\Windows\Minidump\Mini032813-02.dmp
2013-03-27 21:59 - 2013-04-02 14:49 - 00017920 ____A C:\Windows\System32\rpcnetp.exe
2013-03-27 21:03 - 2013-03-27 21:03 - 00145664 ____A C:\Windows\Minidump\Mini032813-01.dmp
2013-03-27 20:31 - 2013-03-27 20:31 - 00145664 ____A C:\Windows\Minidump\Mini032713-36.dmp
2013-03-27 20:15 - 2013-03-27 20:15 - 00145680 ____A C:\Windows\Minidump\Mini032713-35.dmp
2013-03-27 20:08 - 2013-03-27 20:08 - 00139080 ____A C:\Windows\Minidump\Mini032713-34.dmp
2013-03-27 13:20 - 2013-03-27 13:20 - 00139080 ____A C:\Windows\Minidump\Mini032713-33.dmp
2013-03-27 13:13 - 2013-03-27 13:13 - 00139080 ____A C:\Windows\Minidump\Mini032713-32.dmp
2013-03-27 11:53 - 2013-03-27 11:54 - 00139080 ____A C:\Windows\Minidump\Mini032713-31.dmp
2013-03-27 11:45 - 2013-03-27 11:45 - 00139080 ____A C:\Windows\Minidump\Mini032713-30.dmp
2013-03-27 11:25 - 2013-03-27 11:25 - 00145664 ____A C:\Windows\Minidump\Mini032713-29.dmp
2013-03-27 11:17 - 2013-03-27 11:17 - 00139080 ____A C:\Windows\Minidump\Mini032713-28.dmp
2013-03-27 11:13 - 2013-03-27 11:14 - 00139080 ____A C:\Windows\Minidump\Mini032713-27.dmp
2013-03-27 11:10 - 2013-03-27 11:10 - 00131072 ____A C:\Windows\Minidump\Mini032713-26.dmp
2013-03-27 11:03 - 2013-03-27 11:03 - 00145680 ____A C:\Windows\Minidump\Mini032713-25.dmp
2013-03-27 10:13 - 2013-03-27 10:13 - 00139080 ____A C:\Windows\Minidump\Mini032713-24.dmp
2013-03-27 09:39 - 2013-03-27 09:39 - 00139080 ____A C:\Windows\Minidump\Mini032713-23.dmp
2013-03-27 09:28 - 2013-03-27 09:28 - 00139080 ____A C:\Windows\Minidump\Mini032713-22.dmp
2013-03-27 09:22 - 2013-03-27 09:22 - 00139080 ____A C:\Windows\Minidump\Mini032713-21.dmp
2013-03-27 09:16 - 2013-03-27 09:16 - 00139080 ____A C:\Windows\Minidump\Mini032713-20.dmp
2013-03-27 09:13 - 2013-03-27 09:13 - 00139080 ____A C:\Windows\Minidump\Mini032713-19.dmp
2013-03-27 09:10 - 2013-03-27 09:10 - 00145664 ____A C:\Windows\Minidump\Mini032713-18.dmp
2013-03-27 08:52 - 2013-03-27 08:52 - 00145664 ____A C:\Windows\Minidump\Mini032713-17.dmp
2013-03-27 08:43 - 2013-03-27 08:43 - 00139080 ____A C:\Windows\Minidump\Mini032713-16.dmp
2013-03-27 08:36 - 2013-03-27 08:36 - 00139080 ____A C:\Windows\Minidump\Mini032713-15.dmp
2013-03-27 02:24 - 2013-03-27 02:24 - 00131072 ____A C:\Windows\Minidump\Mini032713-14.dmp
2013-03-27 02:21 - 2013-03-27 02:21 - 00139080 ____A C:\Windows\Minidump\Mini032713-13.dmp
2013-03-27 02:18 - 2013-03-27 02:19 - 00139080 ____A C:\Windows\Minidump\Mini032713-12.dmp
2013-03-27 02:15 - 2013-03-27 02:15 - 00139080 ____A C:\Windows\Minidump\Mini032713-11.dmp
2013-03-27 02:11 - 2013-03-27 02:11 - 00139080 ____A C:\Windows\Minidump\Mini032713-10.dmp
2013-03-27 02:08 - 2013-03-27 02:08 - 00139080 ____A C:\Windows\Minidump\Mini032713-09.dmp
2013-03-27 02:04 - 2013-03-27 02:04 - 00139080 ____A C:\Windows\Minidump\Mini032713-08.dmp
2013-03-27 02:02 - 2013-03-27 02:02 - 00131072 ____A C:\Windows\Minidump\Mini032713-07.dmp
2013-03-27 02:00 - 2013-03-27 02:00 - 00131072 ____A C:\Windows\Minidump\Mini032713-06.dmp
2013-03-27 01:58 - 2013-03-27 01:58 - 00131072 ____A C:\Windows\Minidump\Mini032713-05.dmp
2013-03-27 01:56 - 2013-03-27 01:56 - 00139080 ____A C:\Windows\Minidump\Mini032713-04.dmp
2013-03-27 01:53 - 2013-03-27 01:53 - 00139080 ____A C:\Windows\Minidump\Mini032713-03.dmp
2013-03-27 01:51 - 2013-03-27 01:51 - 00139080 ____A C:\Windows\Minidump\Mini032713-02.dmp
2013-03-27 01:49 - 2013-03-27 01:49 - 00145664 ____A C:\Windows\Minidump\Mini032713-01.dmp
2013-03-27 01:37 - 2013-03-27 01:37 - 00055296 ____A (?????????? ??????????) C:\ProgramData\DisplaySwitch.exe
2013-03-27 01:36 - 2013-03-27 01:36 - 00015947 ____A C:\Users\od\Desktop\hs_err_pid5184.log
2013-03-22 06:11 - 2013-02-11 17:57 - 00015872 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys
2013-03-15 20:08 - 2013-03-15 20:11 - 00001891 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2013-03-15 19:31 - 2013-02-01 20:09 - 12321792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-03-15 19:31 - 2013-02-01 19:42 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-03-15 19:31 - 2013-02-01 19:38 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-03-15 19:31 - 2013-02-01 19:31 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-03-15 19:31 - 2013-02-01 19:30 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-03-15 19:31 - 2013-02-01 19:30 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-03-15 19:31 - 2013-02-01 19:29 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-03-15 19:31 - 2013-02-01 19:27 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-03-15 19:31 - 2013-02-01 19:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-03-15 19:31 - 2013-02-01 19:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-03-15 19:31 - 2013-02-01 19:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-03-15 19:31 - 2013-02-01 19:25 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-03-15 19:31 - 2013-02-01 19:23 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-03-15 19:31 - 2013-02-01 19:23 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-03-15 19:31 - 2013-02-01 19:23 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-03-15 19:31 - 2013-02-01 19:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-03-05 17:21 - 2013-03-05 17:21 - 00016267 ____A C:\Users\od\Desktop\hs_err_pid7664.log

==================== One Month Modified Files and Folders ========

2013-04-02 23:38 - 2013-04-02 23:38 - 00000000 ____D C:\FRST
2013-04-02 14:49 - 2013-04-02 14:49 - 00139080 ____A C:\Windows\Minidump\Mini040213-05.dmp
2013-04-02 14:49 - 2013-03-27 21:59 - 00017920 ____A C:\Windows\System32\rpcnetp.exe
2013-04-02 14:49 - 2013-02-17 23:36 - 118804294 ____A C:\Windows\MEMORY.DMP
2013-04-02 14:49 - 2013-02-16 22:02 - 00122716 ____A C:\Windows\PFRO.log
2013-04-02 14:49 - 2012-08-16 07:45 - 00000000 ____D C:\Windows\Minidump
2013-04-02 12:12 - 2013-04-02 12:12 - 00145664 ____A C:\Windows\Minidump\Mini040213-04.dmp
2013-04-02 12:07 - 2012-12-10 16:30 - 00000000 ____D C:\ProgramData\MFAData
2013-04-02 12:06 - 2008-08-29 00:02 - 00000000 ____A C:\Windows\System32\LogConfigTemp.xml
2013-04-02 12:04 - 2013-04-02 12:04 - 00139080 ____A C:\Windows\Minidump\Mini040213-03.dmp
2013-04-02 12:04 - 2008-10-18 19:37 - 00017920 ____A C:\Windows\System32\rpcnetp.dll
2013-04-02 12:04 - 2008-10-17 21:39 - 00058288 ____A (Absolute Software Corp.) C:\Windows\System32\rpcnet.dll
2013-04-02 12:04 - 2008-08-18 18:25 - 00000147 ____A C:\Windows\System32\agent.log
2013-04-02 12:04 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-02 12:04 - 2006-11-02 04:47 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-02 12:04 - 2006-11-02 04:47 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-02 06:42 - 2013-04-02 06:42 - 00131072 ____A C:\Windows\Minidump\Mini040213-02.dmp
2013-04-02 06:24 - 2013-04-02 06:24 - 00145664 ____A C:\Windows\Minidump\Mini040213-01.dmp
2013-03-31 06:39 - 2013-03-31 06:39 - 00145680 ____A C:\Windows\Minidump\Mini033113-02.dmp
2013-03-31 06:33 - 2008-08-28 23:54 - 01493726 ____A C:\Windows\WindowsUpdate.log
2013-03-31 06:27 - 2013-03-31 06:27 - 00139080 ____A C:\Windows\Minidump\Mini033113-01.dmp
2013-03-29 21:44 - 2013-03-29 21:44 - 00139080 ____A C:\Windows\Minidump\Mini033013-03.dmp
2013-03-29 21:43 - 2013-03-29 21:43 - 00000000 ____D C:\ProgramData\HitmanPro
2013-03-29 21:43 - 2013-03-29 21:42 - 00145664 ____A C:\Windows\Minidump\Mini033013-02.dmp
2013-03-29 21:37 - 2013-03-29 21:37 - 00139080 ____A C:\Windows\Minidump\Mini033013-01.dmp
2013-03-29 20:59 - 2013-03-29 20:59 - 00139080 ____A C:\Windows\Minidump\Mini032913-09.dmp
2013-03-29 16:25 - 2013-03-29 16:25 - 00145680 ____A C:\Windows\Minidump\Mini032913-08.dmp
2013-03-29 16:14 - 2013-03-29 16:14 - 00145664 ____A C:\Windows\Minidump\Mini032913-07.dmp
2013-03-29 16:03 - 2013-03-29 16:03 - 00139080 ____A C:\Windows\Minidump\Mini032913-06.dmp
2013-03-29 13:52 - 2013-03-29 13:52 - 00145664 ____A C:\Windows\Minidump\Mini032913-05.dmp
2013-03-29 08:26 - 2013-03-29 08:26 - 00145680 ____A C:\Windows\Minidump\Mini032913-04.dmp
2013-03-29 08:16 - 2013-03-29 08:16 - 00145680 ____A C:\Windows\Minidump\Mini032913-03.dmp
2013-03-29 08:00 - 2013-03-29 08:00 - 00139080 ____A C:\Windows\Minidump\Mini032913-02.dmp
2013-03-29 07:41 - 2013-03-29 07:41 - 00139080 ____A C:\Windows\Minidump\Mini032913-01.dmp
2013-03-27 22:32 - 2013-03-27 22:32 - 00145664 ____A C:\Windows\Minidump\Mini032813-04.dmp
2013-03-27 22:20 - 2013-03-27 22:20 - 00145680 ____A C:\Windows\Minidump\Mini032813-03.dmp
2013-03-27 22:00 - 2013-03-27 22:00 - 00145680 ____A C:\Windows\Minidump\Mini032813-02.dmp
2013-03-27 21:03 - 2013-03-27 21:03 - 00145664 ____A C:\Windows\Minidump\Mini032813-01.dmp
2013-03-27 20:38 - 2006-11-02 02:33 - 00707392 ____A C:\Windows\System32\PerfStringBackup.INI
2013-03-27 20:34 - 2013-02-16 21:51 - 00013647 ____A C:\Windows\setupact.log
2013-03-27 20:31 - 2013-03-27 20:31 - 00145664 ____A C:\Windows\Minidump\Mini032713-36.dmp
2013-03-27 20:15 - 2013-03-27 20:15 - 00145680 ____A C:\Windows\Minidump\Mini032713-35.dmp
2013-03-27 20:08 - 2013-03-27 20:08 - 00139080 ____A C:\Windows\Minidump\Mini032713-34.dmp
2013-03-27 13:20 - 2013-03-27 13:20 - 00139080 ____A C:\Windows\Minidump\Mini032713-33.dmp
2013-03-27 13:13 - 2013-03-27 13:13 - 00139080 ____A C:\Windows\Minidump\Mini032713-32.dmp
2013-03-27 11:54 - 2013-03-27 11:53 - 00139080 ____A C:\Windows\Minidump\Mini032713-31.dmp
2013-03-27 11:45 - 2013-03-27 11:45 - 00139080 ____A C:\Windows\Minidump\Mini032713-30.dmp
2013-03-27 11:25 - 2013-03-27 11:25 - 00145664 ____A C:\Windows\Minidump\Mini032713-29.dmp
2013-03-27 11:17 - 2013-03-27 11:17 - 00139080 ____A C:\Windows\Minidump\Mini032713-28.dmp
2013-03-27 11:14 - 2013-03-27 11:13 - 00139080 ____A C:\Windows\Minidump\Mini032713-27.dmp
2013-03-27 11:10 - 2013-03-27 11:10 - 00131072 ____A C:\Windows\Minidump\Mini032713-26.dmp
2013-03-27 11:03 - 2013-03-27 11:03 - 00145680 ____A C:\Windows\Minidump\Mini032713-25.dmp
2013-03-27 10:13 - 2013-03-27 10:13 - 00139080 ____A C:\Windows\Minidump\Mini032713-24.dmp
2013-03-27 09:39 - 2013-03-27 09:39 - 00139080 ____A C:\Windows\Minidump\Mini032713-23.dmp
2013-03-27 09:28 - 2013-03-27 09:28 - 00139080 ____A C:\Windows\Minidump\Mini032713-22.dmp
2013-03-27 09:22 - 2013-03-27 09:22 - 00139080 ____A C:\Windows\Minidump\Mini032713-21.dmp
2013-03-27 09:16 - 2013-03-27 09:16 - 00139080 ____A C:\Windows\Minidump\Mini032713-20.dmp
2013-03-27 09:13 - 2013-03-27 09:13 - 00139080 ____A C:\Windows\Minidump\Mini032713-19.dmp
2013-03-27 09:10 - 2013-03-27 09:10 - 00145664 ____A C:\Windows\Minidump\Mini032713-18.dmp
2013-03-27 08:52 - 2013-03-27 08:52 - 00145664 ____A C:\Windows\Minidump\Mini032713-17.dmp
2013-03-27 08:43 - 2013-03-27 08:43 - 00139080 ____A C:\Windows\Minidump\Mini032713-16.dmp
2013-03-27 08:36 - 2013-03-27 08:36 - 00139080 ____A C:\Windows\Minidump\Mini032713-15.dmp
2013-03-27 02:24 - 2013-03-27 02:24 - 00131072 ____A C:\Windows\Minidump\Mini032713-14.dmp
2013-03-27 02:21 - 2013-03-27 02:21 - 00139080 ____A C:\Windows\Minidump\Mini032713-13.dmp
2013-03-27 02:19 - 2013-03-27 02:18 - 00139080 ____A C:\Windows\Minidump\Mini032713-12.dmp
2013-03-27 02:15 - 2013-03-27 02:15 - 00139080 ____A C:\Windows\Minidump\Mini032713-11.dmp
2013-03-27 02:11 - 2013-03-27 02:11 - 00139080 ____A C:\Windows\Minidump\Mini032713-10.dmp
2013-03-27 02:08 - 2013-03-27 02:08 - 00139080 ____A C:\Windows\Minidump\Mini032713-09.dmp
2013-03-27 02:04 - 2013-03-27 02:04 - 00139080 ____A C:\Windows\Minidump\Mini032713-08.dmp
2013-03-27 02:02 - 2013-03-27 02:02 - 00131072 ____A C:\Windows\Minidump\Mini032713-07.dmp
2013-03-27 02:00 - 2013-03-27 02:00 - 00131072 ____A C:\Windows\Minidump\Mini032713-06.dmp
2013-03-27 01:58 - 2013-03-27 01:58 - 00131072 ____A C:\Windows\Minidump\Mini032713-05.dmp
2013-03-27 01:56 - 2013-03-27 01:56 - 00139080 ____A C:\Windows\Minidump\Mini032713-04.dmp
2013-03-27 01:53 - 2013-03-27 01:53 - 00139080 ____A C:\Windows\Minidump\Mini032713-03.dmp
2013-03-27 01:51 - 2013-03-27 01:51 - 00139080 ____A C:\Windows\Minidump\Mini032713-02.dmp
2013-03-27 01:49 - 2013-03-27 01:49 - 00145664 ____A C:\Windows\Minidump\Mini032713-01.dmp
2013-03-27 01:37 - 2013-03-27 01:37 - 00055296 ____A (?????????? ??????????) C:\ProgramData\DisplaySwitch.exe
2013-03-27 01:36 - 2013-03-27 01:36 - 00015947 ____A C:\Users\od\Desktop\hs_err_pid5184.log
2013-03-27 01:01 - 2006-11-02 05:01 - 00032638 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-03-26 19:32 - 2012-08-28 00:16 - 00000126 __RSH C:\ProgramData\3002.xml
2013-03-25 19:15 - 2012-12-10 19:39 - 00000846 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2013-03-22 20:13 - 2009-01-14 06:43 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-03-15 20:20 - 2013-02-18 12:28 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-03-15 20:11 - 2013-03-15 20:08 - 00001891 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2013-03-15 20:08 - 2008-08-18 18:27 - 00000000 ____D C:\ProgramData\Adobe
2013-03-15 20:08 - 2008-08-18 18:27 - 00000000 ____D C:\Program Files\Common Files\Adobe
2013-03-15 20:08 - 2008-08-18 18:27 - 00000000 ____D C:\Program Files\Adobe
2013-03-15 20:07 - 2008-12-19 19:45 - 00000000 ____D C:\Users\od\AppData\Local\Adobe
2013-03-15 19:55 - 2006-11-02 02:24 - 69796088 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-03-15 19:46 - 2006-11-02 02:23 - 00000240 ____A C:\Windows\win.ini
2013-03-05 17:21 - 2013-03-05 17:21 - 00016267 ____A C:\Users\od\Desktop\hs_err_pid7664.log


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2013-02-18 00:05] - [2012-08-21 03:47] - 0224640 ____A (Microsoft Corporation) 786DB5771F05EF300390399F626BF30A


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-03-29 13:46:34

==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 1977.4 MB
Available physical RAM: 1720.63 MB
Total Pagefile: 1911.29 MB
Available Pagefile: 1790.75 MB
Total Virtual: 2047.88 MB
Available Virtual: 1975.72 MB

==================== Partitions =============================

1 Drive c: (Main) (Fixed) (Total:69.52 GB) (Free:13.63 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Dana) (Fixed) (Total:69.52 GB) (Free:64.03 GB) NTFS
3 Drive e: (KRD10) (CDROM) (Total:0.3 GB) (Free:0 GB) CDFS
4 Drive f: (STORE'N'GO) (Removable) (Total:0.48 GB) (Free:0.47 GB) FAT
5 Drive x: (PQSERVICE) (Fixed) (Total:10 GB) (Free:1.51 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 1291 KB
Disk 1 Online 491 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 10 GB 32 KB
Partition 2 Primary 70 GB 10 GB
Partition 3 Primary 70 GB 80 GB

=========================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 X PQSERVICE NTFS Partition 10 GB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Main NTFS Partition 70 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D Dana NTFS Partition 70 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 491 MB 16 KB

=========================================================

Disk: 1
Partition 1
Type : 0E
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F STORE'N'GO FAT Removable 491 MB Healthy

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: DD93E182

Partition 1:
=========
Hex: 0001010027FEFFFF3F0000005B244001
Active: NO
Type: 27
Size: 10 GB

Partition 2:
=========
Hex: 80FEFFFF07FEFFFF0028400100C0B008
Active: YES
Type: 07 (NTFS)
Size: 70 GB

Partition 3:
=========
Hex: 00FEFFFF07FEFFFF00E8F00900A8B008
Active: NO
Type: 07 (NTFS)
Size: 70 GB

==============================
Partitions of Disk 1:
===============
Disk ID: 00000000

Partition 1:
=========
Hex: 800101000E0FE0AB20000000E0570F00
Active: YES
Type: 0E
Size: 491 MB


Last Boot: 2013-03-31 06:36

==================== End Of Log ============================
 
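What the log above actually shows, as an added note and example that is not part of the thread and not FRST's own code: the two lines that matter are `HKLM\...\Run: [DisplaySwitch] "C:\ProgramData\DisplaySwitch.exe" ... (?????????? ??????????)` and `HKLM\...\Winlogon: [Shell] C:\ProgramData\DisplaySwitch.exe [x ] ()`. Winlogon's Shell value is the program started after logon (in Safe Mode as well), so pointing it at a file dropped into ProgramData on 2013-03-27 01:37 with no readable publisher is what puts the lock screen in front of the desktop; the long run of minidumps begins at 01:49 the same day. The MBR partition entries in the same log can be decoded independently: the three entries on Disk 0 come out as 10 GB type 0x27 (hidden OEM, not active), 70 GB NTFS active, and 70 GB NTFS, matching the volume listing, so the partition table itself shows nothing odd (the dump does not include the MBR boot code, so on its own it cannot rule out a bootkit). In FRST a fixlist is built from lines copied out of the scan log, which is why the exact entries matter. The script below parses both sections from lines copied verbatim from the log; the `USER_WRITABLE` prefixes and the wording of the findings are this example's own assumptions.

```python
"""Triage the FRST log pasted above. Added example, not FRST's own code.
Flags a replaced Winlogon Shell and Run/RunOnce entries launched from
user-writable paths without a readable publisher, and decodes the MBR
"Hex:" entries so the sizes, types and active flags FRST reports can be
checked by hand. USER_WRITABLE and the finding texts are assumptions."""
import re
import struct
from collections import namedtuple
from dataclasses import dataclass, field

AUTORUN_RE = re.compile(r"^(?P<root>HK\w+)\\(?P<path>.*?)\\(?P<key>Run|RunOnce|Winlogon):\s*"
                        r"\[(?P<value>[^\]]+)\]\s*(?P<rest>.*)$", re.IGNORECASE)
# command, then "[size date]" or "[x]", then an optional "(Publisher)"
META_RE = re.compile(r"^(?P<cmd>.*?)\s*\[(?P<meta>[^\]]*)\]\s*(?:\((?P<pub>[^)]*)\))?\s*$")
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|dll|cpl|scr|bat|cmd|vbs|js))\b', re.I)
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")  # assumption
MBR_HEX_RE = re.compile(r"^Hex:\s*([0-9A-Fa-f]{32})$")
MbrEntry = namedtuple("MbrEntry", "active type_id lba_start sectors")


@dataclass
class Autorun:
    root: str
    key: str            # "run", "runonce" or "winlogon"
    value: str          # value name, e.g. "DisplaySwitch" or "Shell"
    image: str          # executable path pulled out of the command
    publisher: str      # "" when FRST printed "()" or no publisher at all
    resolved: bool      # False when FRST printed [x] instead of size and date
    findings: list = field(default_factory=list)


def parse_autorun(line):
    """Return an Autorun for a Run/RunOnce/Winlogon log line, else None."""
    m = AUTORUN_RE.match(line.strip())
    mm = META_RE.match(m["rest"]) if m else None
    if not mm:
        return None
    em = EXE_RE.match(mm["cmd"].strip())
    image = (em["q"] or em["u"]) if em else mm["cmd"].strip()
    resolved = not mm["meta"].strip().lower().startswith("x")
    return Autorun(m["root"], m["key"].lower(), m["value"], image, (mm["pub"] or "").strip(), resolved)


def triage(entry):
    """Attach findings to an Autorun; an empty list means nothing stood out."""
    low = entry.image.lower()
    if entry.key == "winlogon" and entry.value.lower() == "shell" and low.rsplit("\\", 1)[-1] != "explorer.exe":
        entry.findings.append("Winlogon Shell replaced by " + entry.image)
    if any(p in low for p in USER_WRITABLE):
        unsigned = not entry.publisher or "?" in entry.publisher
        entry.findings.append("runs from a user-writable path" + (" with no readable publisher" if unsigned else ""))
    return entry


def triage_log(lines):
    """Yield only the autorun entries that produced at least one finding."""
    for line in lines:
        e = parse_autorun(line)
        if e and triage(e).findings:
            yield e


def decode_mbr_entry(hex16):
    """Decode one entry: status(1) CHS(3) type(1) CHS(3) LBA start(4, LE) sector count(4, LE)."""
    raw = bytes.fromhex(hex16)
    if len(raw) != 16:
        raise ValueError("expected 16 bytes, got %d" % len(raw))
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
    if status not in (0x00, 0x80):            # any other value means a corrupt entry
        raise ValueError("invalid status byte 0x%02X" % status)
    return MbrEntry(status == 0x80, ptype, lba_start, sectors)


def decode_mbr_lines(lines):
    """Decode every 'Hex: ...' line found in an FRST log."""
    return [decode_mbr_entry(m.group(1)) for m in (MBR_HEX_RE.match(ln.strip()) for ln in lines) if m]


# Constructed sample: lines copied verbatim from the FRST log above.
SAMPLE_LOG = r"""
HKLM\...\Run: [eRecoveryService] [x]
HKLM\...\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY [4394032 2013-03-13] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [DisplaySwitch] "C:\ProgramData\DisplaySwitch.exe" [55296 2013-03-27] (?????????? ??????????)
HKU\od\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKLM\...\Winlogon: [Shell] C:\ProgramData\DisplaySwitch.exe [x ] ()
Hex: 0001010027FEFFFF3F0000005B244001
Hex: 80FEFFFF07FEFFFF0028400100C0B008
Hex: 00FEFFFF07FEFFFF00E8F00900A8B008
Hex: 800101000E0FE0AB20000000E0570F00
""".strip().splitlines()

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print("%s\\...\\%s [%s]: %s" % (e.root, e.key, e.value, "; ".join(e.findings)))
    for i, p in enumerate(decode_mbr_lines(SAMPLE_LOG), 1):
        print("MBR entry %d: active=%s type=0x%02X start=%d sectors=%d (%.2f GiB)"
              % (i, p.active, p.type_id, p.lba_start, p.sectors, p.sectors * 512 / 2 ** 30))
```

Run against the sample, only the two DisplaySwitch entries come back with findings; every other autorun in the log is left alone because it launches from Program Files or Windows with a publisher FRST could read. The decoder is deliberately strict about the status byte: anything other than 0x00 or 0x80 in that position is not a valid entry, and a helper would want to know that before trusting the rest of the table.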

dana k
Ok Kuttus, please have a little patience with me, I'm probably not as up to speed as you're used to. Not sure if that is right or not. If not, let me know what I've done wrong and how to correct it.
 

kuttus
Sure... We got the infected files... Let's clear them now.......

Now please download this file and save it to your Flash Drive.

(attached: fixlist.txt)


Then boot to System Recovery Options, plug in your flash drive, open FRST and click Fix. Post the generated log. Then attempt to boot to normal mode.
 

Attachments: fixlist.txt (478 bytes)

dana k
Ok, please forgive my ignorance. Am I going into the recovery options, F8 and Command Prompt, just as I did before?
 

dana k
kuttus said:
Exactly same steps... :)

Ok Kuttus, having an issue. When I type f:\frst.exe in the command window, the Farbar Recovery Scan Tool opens with 3 choices: Scan, Search or Fix. I click Fix and a window opens that says "no fixlist.txt found. The fixlist.txt should be made and saved in the same directory the tool is located."
 

dana k:
Yes, I downloaded the fixlist.txt file to the same flash drive FRST is on. I opened the file from you as well as the one on the flash drive and they are the same. Maybe I'm not doing something right in the process. I followed the exact steps as before: opening the command prompt window, typing f:\frst.exe and hitting Enter (F is my flash drive letter). The FRST scan tool opens immediately just as before; I do not have to open a window for it. I chose the Fix option and I get the window I mentioned. I will erase the fixlist from my flash drive and download it again. Should I not have followed the exact same steps as before?
 

kuttus:
Just try one more time after you erase everything from the flash drive... If that doesn't work we can go for the next step... Don't worry...
 

dana k:
Ok, not sure what I'm doing wrong, Kuttus. I erased the fixlist.txt from the USB and downloaded a new copy, with the same results. I also moved the FRST log on the USB that I posted earlier from the USB to another folder. The only things on the USB are fixlist.txt and the FRST scan tool. I ran that through recovery with the same results. The USB is working normally, however. Any suggestions? Do I need to put the FRST scan log results that I posted back on the USB?
 

kuttus:
Maybe there is an error in it... We can try alternative tools...

Stage -1
  • Download Norton Bootable Recovery Tool from this link.
  • Save the Norton Bootable Recovery Tool on your computer Desktop.
  • After the download completes, open the file you saved on the Desktop. It will start the Norton Download Manager, as shown below.

    http://123pcworld.com/MalwareTips/DownloadManager.PNG
  • When the download finishes, the Norton Bootable Recovery Tool Wizard starts automatically.
  • In the Norton Bootable Recovery Tool Wizard, click Agree & Install to accept the User License Agreement.

    If you want to change the default install location, click Install Options, and then click Browse to locate the new install location.
  • Follow the on-screen instructions to create the Norton Bootable Recovery Tool on a CD/DVD media or USB key.

    http://123pcworld.com/MalwareTips/NBRT.PNG
  • By default it will select your CD/DVD writer; if it is not selected, select your CD/DVD writer and click Next...

    http://123pcworld.com/MalwareTips/NBRT-2.PNG
  • Now insert a blank CD/DVD into your CD/DVD writer and press OK. Creating the bootable recovery media takes some time.

    http://123pcworld.com/MalwareTips/NBRT-3.PNG


Stage -2
  • Insert the recovery media in the infected computer and start the computer from it. The recovery media can be a Norton Bootable Recovery Tool CD, DVD or USB key.
    Note: If you do not know how to set your computer to boot from CD, follow the steps here.
  • Read the License Agreement, type your product key, and then click I Agree. (I will send you the product key by PM.)
  • In the Norton Bootable Recovery Tool window, click Norton Advanced Recovery Scan.
  • Click Start Scan.
  • When the scan finishes, remove the recovery media from the drive or USB port, and restart your computer.

 

dana k:
Kuttus, I finally got the Norton disc created, but the virus won't allow booting from CD-ROM or USB. Is there any way I can go through system recovery as before and boot the CD that way? I guess I can download the fixlist.txt and FRST file to a different USB and try that again. Any suggestions?
 

kuttus:
Okay... In this case please do one thing. Format your USB drive and download FRST and fixlist.txt once again... This time save the files inside a folder called FIX...

So you have to type F:\FIX\frst.exe in the command prompt to run the tool...

Where F = your USB drive letter...
 

dana k:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2013
Ran by SYSTEM at 2013-04-03 19:42:37 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored successfully .
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\DisplaySwitch Value deleted successfully.
C:\ProgramData\DisplaySwitch.exe moved successfully.
C:\ProgramData\DisplaySwitch.exe not found.
C:\ProgramData\3002.xml moved successfully.

==== End of Fixlog ====
 

dana k:
Ok Kuttus, I deleted everything from the USB, downloaded FRST and fixlist.txt and was able to run the fix. The above post is the log it generated. I was also able to log in from the HD in normal mode. The desktop is up. That is amazing. THANK YOU so much... What's next?
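The fixlog shows the two persistence points this locker used: the Winlogon Shell value, which FRST restored to its default, and a Run value named DisplaySwitch that launched C:\ProgramData\DisplaySwitch.exe. Shell is what Winlogon starts after logon in place of explorer.exe, including in Safe Mode, which is why the locker screen appeared straight after the Windows welcome page and Safe Mode did not help. The script below is an added example, not from the thread or from FRST; it applies those two checks to a registry snapshot so the before-fix and after-fix states can be compared offline. The key paths, the value name and the file path are taken from the fixlog; the pre-fix Shell data, the benign VendorTray entry, the Userinit default and the user-writable-directory heuristic are assumptions made for this example.

```python
r"""Triage the two autostart points the FRST fixlog above shows being repaired.

Added example, not part of the original thread or of FRST. The registry
paths, the value name DisplaySwitch and C:\ProgramData\DisplaySwitch.exe
come from the fixlog; the pre-fix Shell data, the benign Run entry, the
Userinit default and the user-writable-directory heuristic are assumptions
made for this example.
"""
from __future__ import annotations

import shlex

WINLOGON = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Defaults on Windows XP/Vista/7, the generation this thread is about. Shell is
# what Winlogon starts for the user; a locker that replaces it gets its screen
# instead of explorer.exe, in Safe Mode as well as normal mode.
EXPECTED_WINLOGON = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}

# Directories a standard user can write to. Not proof of malware on its own,
# but it is where this locker lived. Heuristic chosen for this example.
USER_WRITABLE_MARKERS = ("c:\\programdata\\", "\\appdata\\", "\\temp\\", "c:\\users\\public\\")

# Constructed snapshots, {key: {value name: data}}, mimicking the machine
# before and after the fix in the log above.
SNAPSHOT_BEFORE_FIX = {
    WINLOGON: {
        # Assumed: the fixlog only says Shell was "restored", not what it held.
        "Shell": r"C:\ProgramData\DisplaySwitch.exe",
        "Userinit": r"C:\Windows\system32\userinit.exe,",
    },
    RUN: {
        "DisplaySwitch": r"C:\ProgramData\DisplaySwitch.exe",
        "VendorTray": r'"C:\Program Files\Vendor\tray.exe" /silent',  # constructed benign entry
    },
}
SNAPSHOT_AFTER_FIX = {
    WINLOGON: dict(EXPECTED_WINLOGON),
    RUN: {"VendorTray": r'"C:\Program Files\Vendor\tray.exe" /silent'},
}


def exe_from_command(data: str) -> str:
    """Return the executable path from a Run-value command line.

    posix=False keeps Windows backslashes intact and honours quoted paths
    containing spaces; the surrounding quotes are then stripped.
    """
    tokens = shlex.split(data, posix=False)
    return tokens[0].strip('"') if tokens else ""


def triage_autostarts(snapshot: dict) -> list[dict]:
    """One finding per autostart entry that deviates from the expected state."""
    findings = []
    winlogon = snapshot.get(WINLOGON, {})
    for name, expected in EXPECTED_WINLOGON.items():
        actual = winlogon.get(name)
        if actual is None or actual.lower() != expected.lower():
            findings.append({"key": WINLOGON, "value": name, "data": actual,
                             "reason": f"expected {expected!r}"})
    for name, data in snapshot.get(RUN, {}).items():
        exe = exe_from_command(data).lower()
        if any(marker in exe for marker in USER_WRITABLE_MARKERS):
            findings.append({"key": RUN, "value": name, "data": data,
                             "reason": "runs from a user-writable directory"})
    return findings


if __name__ == "__main__":
    for label, snap in (("before fix", SNAPSHOT_BEFORE_FIX), ("after fix", SNAPSHOT_AFTER_FIX)):
        found = triage_autostarts(snap)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  {f['key']}\\{f['value']} = {f['data']!r}: {f['reason']}")
```

On the constructed before-fix snapshot the script reports exactly the two entries FRST removed, and nothing for the after-fix snapshot. On a real machine the snapshot would be filled from an FRST or Autoruns export, and any hit under ProgramData, AppData or Temp should be checked by hand rather than deleted blindly, since legitimate installers occasionally use those directories too.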
 