Stubborn Garda virus
Comments
willciviceg5 wrote: »Ok this may be just a coincidence but I received a call on the landline today from an Indian sounding guy called "Jim" calling from Windows support in relation to the problem with my Windows device. I said "I do not have a computer, and do you know who you are calling?" and he hung up. Advice please.
I've had that call three times this week. Just told them I have a Mac and they hung up.
Anyway, this garda trojan. I'm after being infected four or five times since last Sunday. It tends to happen when I'm using Google search. Each time I just reboot to safe mode and kill it with Malwarebytes Anti-Malware.
Thing is though, are there remnants of this trojan on my machine? Surely I shouldn't be getting it on a repeated basis? Would anti-virus software with real time monitoring prevent it?
Just install Avast. It will stop you from getting infected in the first place in most cases.
Internet browsers are far from secure programs.
I got this virus on Sunday night. Managed to restart in safe mode with command prompt and restore the last System Restore point. I followed the instructions here http://malwaretips.com/blogs/an-garda-siochana-virus/
The first MalwareBytes scan found 2 keygens which were on my laptop for years and a potentially unwanted program called Funworks (all of which I let MalwareBytes remove). I restarted and ran MalwareBytes again and nothing was found. HitmanPro found 200 or so items but they were mostly just tracking cookies, no malware or viruses.
I'm currently running the Avast Rootkit scanner, then I'm going to try ComboFix, then TDSSKiller. Just want to know, should I be safe enough to start using my laptop again if nothing is found by the rest of the scans? Should some of the scans not have found something more substantial than the PUP and the 2 keygens that had been on my laptop for years, or should I be ok? Thanks.
Post the ComboFix log here when it's done, can't answer your question without seeing it really.
Although running that many programs should mean you're ok if they don't find much.
ComboFix 13-03-26.01 - John 26/03/2013 18:59:33.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.353.1033.18.3039.1686 [GMT 0:00]
Running from: e:\virus\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *Disabled/Outdated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 4.2 *Disabled/Outdated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\3307476.pad
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\XSxS
.
.
((((((((((((((((((((((((( Files Created from 2013-02-26 to 2013-03-26 )))))))))))))))))))))))))))))))
.
.
2013-03-26 19:18 . 2013-03-26 19:19 d-----w- c:\users\John\AppData\Local\temp
2013-03-26 19:18 . 2013-03-26 19:18 d-----w- c:\users\Default\AppData\Local\temp
2013-03-26 19:18 . 2013-03-26 19:18 d-----w- c:\users\Home\AppData\Local\temp
2013-03-26 16:35 . 2013-03-26 16:35 d-----w- c:\program files\HitmanPro
2013-03-26 16:28 . 2013-03-26 17:06 d-----w- c:\programdata\HitmanPro
2013-03-25 01:41 . 2013-03-25 01:41 d-----w- c:\users\John\AppData\Roaming\Malwarebytes
2013-03-25 01:41 . 2013-03-25 01:41 d-----w- c:\programdata\Malwarebytes
2013-03-25 01:41 . 2013-03-25 01:41 d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-03-25 01:41 . 2012-12-14 16:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-25 01:41 . 2013-01-08 04:57 6991832 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{496C2CB3-53E7-4418-96F1-CBFC41AC3F42}\mpengine.dll
2013-03-25 01:40 . 2013-03-25 01:40 d-----w- c:\users\John\AppData\Local\Programs
2013-03-02 16:56 . 2013-03-02 16:56 d-----w- c:\users\Home\AppData\Local\Programs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-14 15:52 . 2013-02-14 15:52 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-02-14 15:52 . 2011-10-25 21:50 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-17 01:28 . 2011-10-02 17:04 232336 ----a-w- c:\windows\system32\MpSigStub.exe
2012-02-16 14:55 . 2012-02-25 23:57 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2011-07-11 22:01 1194008 ----a-w- c:\windows\System32\PGPfsshl.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2011-08-27 434960]
"TouchFreeze"="c:\program files\TouchFreeze\TouchFreeze.exe" [2005-04-29 45056]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"Facebook Update"="c:\users\John\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-08-16 138096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-01-12 2219184]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-12-20 634880]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\John\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-1-20 28539272]
EvernoteClipper.lnk - c:\program files\Evernote\Evernote\EvernoteClipper.exe [2012-12-3 1044320]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
PGP Tray.lnk - c:\windows\Installer\{65F2F996-D86C-478E-896F-DC8EAA00B6E0}\Icon6560581611.exe [2011-10-2 55296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\PGPmapih.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli PGPpwflt
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
R2 apacheds-default;Apache Directory Server - default;c:\program files\Apache Directory Server\bin\apacheds.exe [x]
R2 Redis;Redis;c:\program files\Redis\RedisService.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [x]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [x]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
S0 pgpfs;PGP File Sharing;c:\windows\System32\Drivers\PGPfsfd.sys [x]
S0 Pgpwdefs;Pgpwdefs;c:\windows\system32\DRIVERS\Pgpwdefs.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [x]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [x]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [x]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [x]
S2 PGP RDD Service;PGP RDD Service;c:\program files\PGP Corporation\PGP Desktop\RDDService.exe [x]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-26 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3895043083-1085522701-1804212246-1000Core.job
- c:\users\John\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-16 01:11]
.
2013-03-26 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3895043083-1085522701-1804212246-1000UA.job
- c:\users\John\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-16 01:11]
.
2013-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3895043083-1085522701-1804212246-1000Core.job
- c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-02 17:28]
.
2013-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3895043083-1085522701-1804212246-1000UA.job
- c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-02 17:28]
.
2013-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3895043083-1085522701-1804212246-1005Core.job
- c:\users\Home\AppData\Local\Google\Update\GoogleUpdate.exe [2013-02-15 03:25]
.
2013-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3895043083-1085522701-1804212246-1005UA.job
- c:\users\Home\AppData\Local\Google\Update\GoogleUpdate.exe [2013-02-15 03:25]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.ie/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
LSP: c:\windows\system32\PGPlsp.dll
TCP: DhcpNameServer = 89.101.160.5 89.101.160.4
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\orbfw897.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie/
FF - prefs.js: network.proxy.ftp - localhost
FF - prefs.js: network.proxy.ftp_port - 8008
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8008
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 8008
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 8008
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AdobeBridge - (no file)
.
.
.
LOCKED REGISTRY KEYS
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-03-26 19:23:03
ComboFix-quarantined-files.txt 2013-03-26 19:23
.
Pre-Run: 149,294,694,400 bytes free
Post-Run: 153,223,897,088 bytes free
.
- - End Of File - - CF8CA99D57143F7BB3118FF6320CCCCC0 -
looks ok, but run tdsskiller as this virus tends to infect the mbr too
Yep, ran tdsskiller too, and it didn't find anything.
good stuff, should be grand then. If you have any issues let us know.
Hi just out of curiosity how does one end up getting this dastardly virus?
Any I've dealt with came from the following.. Porn sites, free film sites, free soccer sites (first row sports) and one from Facebook message
Hi I have this on my laptop. I have the user split to user 1 and the other is the admin. I can use the admin user, but it's the user 1 that has the virus! I tried running Norton in the admin user, but it did not clear up the problem. Can I scan the user 1 part from the admin?? Hope that makes sense to people!!
Use Malwarebytes to scan the PC, and yes you can use it from the admin account.
Hi folks I used the posts on here to get rid of it a month ago- thanks a mil- the guy in the local computer shop wanted to charge me €170 to do it BUT it's back and very nasty this time. I can't do the safe mode option but was able to do the safe mode with the command prompt, hit after the system rescue ran the lock screen appeared again before I could run malware/hitman.
I think because there's two users on the machine it won't let me in on the user that's locked- is there any way to bypass this? Or am I as well off just doing the USB thing? I presume you won't be able to download to the USB on a lot of PCs but should be allowed in an Internet cafe?
Thanks again boardsies
Did you not install anything to prevent it after the first time? The likes of Avast will stop the majority of these infections from ever happening in the first place.
170 euro, that's dear.
I got this virus twice, both times from link to a soccer website I got from two different youtube videos. The first time I panicked because I hadn't a clue what it was and brought it into a computer shop right away which cost me 50 euro (I thought that was a lot until I read funsboro's post above).
I looked up the internet for ways to get rid of it, the Garda website has information on it but not great instructions for getting rid of it. The best site I found was actually the Met police website in the UK (I wasn't expecting that) so I printed it off. The second time I got the virus I followed their instructions and got rid of it for free.
Pressing F8 like mad on start up wouldn't work. I had to remove the battery at the back of the laptop to get it to open in safe mode.
I got this on my work PC (definitely not looking at dodgy sites!). I ran a scan last week and nothing came up but couldn't get in today for ages. F8 didn't work. Anyway after many times restarting I got in and as per advice I saw on the net installed Microsoft Security Essentials and ran it - found the virus, cleaned it up... do I need to do anything else??
Just to ask, do you have to download anything to get a virus or can it be found in the cache of Chrome and other browsers?
Most AV software is useless against this.
Best way I have found to prevent it is this:
Don't use Internet Explorer
And always use an Adblock with either Chrome or Firefox
Have Adblock Plus on Chrome and run a virus scan with MBAM nearly daily on my computer as it only takes 20 mins or so with the SSD. My worst nightmare is this!
C:\Documents and Settings\UserName\Application Data\skype.dat
Locate that file using some bootable media and delete it.
Anyone got any advice for me here lads? I know f.all about computers but my mate had a go and tried a few different methods but all he said was something about not having restore points or something like that?
Going mad because I just spent 30 euro on a new battery :mad::mad:
Reboot the PC in safe mode with networking.
type explorer.exe
Browse to
C:\Documents and Settings\YOURUSERNAME\Application Data\
delete the file skype.dat.
Reboot and that should get you working again.
Download Malwarebytes update the definitions and run a full scan.
Remove anything it finds.
Meant to say update your version of Java as that is how it gets into your machine, and clear your Java cache. (Control Panel -> Java -> Somewhere in here, I'm on a Mac so I can't remember)
hi
I have had the garda virus on a laptop a while back and kind boardsies came to my help.
It's my dad's laptop and it was dropped back to me again last night with the virus again.
I went into safe mode with networking and the laptop opens in safe mode then starts to log off and then says it's shutting down. it nosies and then I'm left with a white screen.
I tried starting it in normal mode and it opens a blank white screen, My dad said that the garda virus had been on the screen.
So I am at a loss as to what to do,
Anyone have any pointers or should I just bring it into a shop?
Thanks in advance
can you do the steps in post #2 here
http://www.geekstogo.com/forum/topic/288388-unbootable-system-tutorial/
can you do the steps in post #2 here
http://www.geekstogo.com/forum/topic/288388-unbootable-system-tutorial/
It is asking me for the user password and I have tried entering the one I thought it was and it will not leave me go further than that.
Have you done this step with another machine?
For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.
Plug the flash drive into the infected PC.
Thanks to ASJ112, I managed to get something started; below is the log.
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-04-2013
Ran by SYSTEM on 25-04-2013 22:14:34
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s [6602856 2011-01-11] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2480936 2010-12-20] (Synaptics Incorporated)
HKLM\...\Run: [AtherosBtStack] "C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe" [615584 2011-03-01] (Atheros Commnucations)
HKLM\...\Run: [AthBtTray] "C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe" [379552 2011-03-01] (Atheros Commnucations)
HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2010-07-21] (Hewlett-Packard Company)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2011-05-20] (Intel Corporation)
HKLM-x32\...\Run: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe [656920 2011-02-01] (PDF Complete Inc)
HKLM-x32\...\Run: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-06] (Apple Inc.)
HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [578944 2012-03-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254896 2012-09-17] (Sun Microsystems, Inc.)
HKU\martin\...\Run: [Google Update] "C:\Users\martin\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-12-25] (Google Inc.)
HKU\martin\...\Run: [TomTomHOME.exe] "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [247768 2012-06-20] (TomTom)
HKU\martin\...\Run: [Adobe CSx Manager] C:\Users\martin\AppData\Roaming\873997d3-3f3a-4807-a625-a0032ed6e158ad\dfaaaedead.exe [3072 2013-03-29] ()
HKU\martin\...\Winlogon: [Shell] explorer.exe,C:\Users\martin\AppData\Roaming\skype.dat [58368 2011-11-16] ()
==================== Services (Whitelisted) =================
S2 Atheros Bt&Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [138400 2011-03-01] (Atheros)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [399432 2012-09-29] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [676936 2012-09-29] (Malwarebytes Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
S2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1127448 2011-02-01] (PDF Complete Inc)
S2 XobniService; C:\Program Files (x86)\Xobni\XobniService.exe [62184 2011-02-24] (Xobni Corporation)
==================== Drivers (Whitelisted) ====================
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2012-09-29] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2013-04-25 22:14 - 2013-04-25 22:14 - 00000000 ____D C:\FRST
2013-04-22 07:45 - 2013-04-25 04:29 - 00000004 ____A C:\Users\martin\AppData\Roaming\skype.ini
2013-04-21 04:24 - 2013-04-25 04:28 - 00000784 ____A C:\Windows\setupact.log
2013-04-21 04:24 - 2013-04-21 04:24 - 00000000 ____A C:\Windows\setuperr.log
2013-04-18 09:26 - 2013-04-18 09:26 - 00000000 ____D C:\Users\martin\AppData\Local\{43BD7E91-CB87-4452-B01A-5B9DBB22DA2F}
2013-04-17 12:38 - 2013-04-17 12:39 - 00000000 ____D C:\Users\martin\Documents\New folder (5)
2013-04-17 12:37 - 2013-04-19 14:11 - 00000000 ____D C:\Users\martin\Documents\New folder (4)
2013-04-17 12:21 - 2011-04-04 08:39 - 00024294 ____A C:\Users\martin\Documents\mairead farrell.bmp
2013-04-17 11:48 - 2013-04-17 11:48 - 00000000 ____D C:\Users\martin\AppData\Local\{E24C7EBF-D01E-4ADA-9703-177C8D14176E}
2013-04-17 11:47 - 2013-04-17 11:47 - 00000000 ____D C:\Users\martin\AppData\Local\{91E31053-2001-475A-AD2F-0689FF9E0378}
2013-04-17 11:43 - 2013-04-17 11:43 - 00000000 ____D C:\Users\martin\AppData\Local\{6EE4F6C8-075F-4B96-AAE6-D08FCBFC37E1}
2013-04-10 13:54 - 2013-02-21 22:57 - 17817088 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-04-10 13:54 - 2013-02-21 22:29 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-04-10 13:54 - 2013-02-21 22:27 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-04-10 13:54 - 2013-02-21 22:21 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-04-10 13:54 - 2013-02-21 22:20 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-04-10 13:54 - 2013-02-21 22:19 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-04-10 13:54 - 2013-02-21 22:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-04-10 13:54 - 2013-02-21 22:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-04-10 13:54 - 2013-02-21 22:15 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-04-10 13:54 - 2013-02-21 22:15 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-04-10 13:54 - 2013-02-21 22:15 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-04-10 13:54 - 2013-02-21 22:14 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-04-10 13:54 - 2013-02-21 22:13 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-04-10 13:54 - 2013-02-21 22:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-04-10 13:54 - 2013-02-21 22:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-04-10 13:54 - 2013-02-21 22:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-04-10 13:54 - 2013-02-21 20:05 - 12324352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-04-10 13:54 - 2013-02-21 19:47 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-04-10 13:54 - 2013-02-21 19:46 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-04-10 13:54 - 2013-02-21 19:38 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-04-10 13:54 - 2013-02-21 19:38 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-04-10 13:54 - 2013-02-21 19:37 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-04-10 13:54 - 2013-02-21 19:36 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-04-10 13:54 - 2013-02-21 19:35 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-04-10 13:54 - 2013-02-21 19:34 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-04-10 13:54 - 2013-02-21 19:34 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-04-10 13:54 - 2013-02-21 19:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-04-10 13:54 - 2013-02-21 19:33 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-04-10 13:54 - 2013-02-21 19:32 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-04-10 13:54 - 2013-02-21 19:31 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-04-10 13:54 - 2013-02-21 19:31 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-04-10 13:54 - 2013-02-21 19:28 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-04-10 11:40 - 2013-02-14 22:06 - 03717632 ____A (Microsoft Corporation) C:\Windows\System32\mstscax.dll
2013-04-10 11:40 - 2013-02-14 20:37 - 03217408 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2013-04-10 11:39 - 2013-02-14 22:08 - 00044032 ____A (Microsoft Corporation) C:\Windows\System32\tsgqec.dll
2013-04-10 11:39 - 2013-02-14 22:02 - 00158720 ____A (Microsoft Corporation) C:\Windows\System32\aaclient.dll
2013-04-10 11:39 - 2013-02-14 20:34 - 00131584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2013-04-10 11:39 - 2013-02-14 19:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll
2013-04-10 11:35 - 2013-03-01 22:04 - 01655656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-10 11:35 - 2013-02-28 19:36 - 03153408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-04-10 11:29 - 2013-03-18 22:04 - 05550424 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-04-10 11:29 - 2013-03-18 21:46 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-04-10 11:29 - 2013-03-18 21:04 - 03968856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-04-10 11:29 - 2013-03-18 21:04 - 03913560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-04-10 11:29 - 2013-03-18 20:47 - 00006656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2013-04-10 11:29 - 2013-03-18 19:06 - 00112640 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-04-10 11:29 - 2013-01-23 22:01 - 00223752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fvevol.sys
2013-03-30 04:25 - 2013-03-30 04:25 - 00000000 ____D C:\Users\martin\AppData\Local\{624EFD0C-8FF7-4812-AAB5-60C1FCE71183}
2013-03-29 13:23 - 2013-03-29 13:23 - 00000000 ____D C:\Users\martin\AppData\Local\{4A8F0A75-28E9-49F4-9A07-EBDC7FA67C59}
2013-03-29 12:48 - 2013-03-30 06:56 - 00000000 ____D C:\Users\martin\Documents\101COACH
2013-03-29 01:28 - 2013-03-29 01:28 - 00000000 ____D C:\Users\martin\AppData\Roaming\873997d3-3f3a-4807-a625-a0032ed6e158ad
2013-03-26 08:04 - 2013-02-11 20:12 - 00019968 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys
==================== One Month Modified Files and Folders =======
2013-04-25 22:14 - 2013-04-25 22:14 - 00000000 ____D C:\FRST
2013-04-25 04:29 - 2013-04-22 07:45 - 00000004 ____A C:\Users\martin\AppData\Roaming\skype.ini
2013-04-25 04:29 - 2012-12-27 13:13 - 00000035 ____A C:\Users\Public\Documents\AtherosServiceConfig.ini
2013-04-25 04:29 - 2012-11-30 15:45 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-04-25 04:29 - 2011-04-24 14:38 - 00000000 ____D C:\ProgramData\PDFC
2013-04-25 04:28 - 2013-04-21 04:24 - 00000784 ____A C:\Windows\setupact.log
2013-04-25 04:28 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-24 23:39 - 2011-12-25 06:00 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-963050305-668444556-3006111060-1000UA.job
2013-04-24 23:33 - 2009-07-13 20:45 - 00032064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-24 23:33 - 2009-07-13 20:45 - 00032064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-24 23:30 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-24 23:29 - 2012-12-04 00:41 - 01203785 ____A C:\Windows\WindowsUpdate.log
2013-04-22 08:13 - 2012-09-07 14:47 - 00000000 ____D C:\Users\martin\Documents\Youcam
2013-04-22 08:12 - 2011-12-28 02:53 - 00000000 ____D C:\Users\martin\AppData\Local\CrashDumps
2013-04-22 07:59 - 2012-11-30 15:45 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-04-22 07:59 - 2011-12-25 03:52 - 00000000 ____D C:\Users\martin\Documents\Bluetooth Folder
2013-04-22 07:39 - 2012-04-09 06:40 - 00000000 ____A C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-04-22 07:39 - 2011-12-26 07:19 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2013-04-22 00:48 - 2009-07-13 21:08 - 00032620 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-04-21 04:24 - 2013-04-21 04:24 - 00000000 ____A C:\Windows\setuperr.log
2013-04-20 12:39 - 2011-12-25 06:00 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-963050305-668444556-3006111060-1000Core.job
2013-04-19 14:11 - 2013-04-17 12:37 - 00000000 ____D C:\Users\martin\Documents\New folder (4)
2013-04-19 11:00 - 2012-04-16 10:14 - 00000336 ____A C:\Windows\Tasks\HPCeeScheduleFormartin.job
2013-04-18 09:26 - 2013-04-18 09:26 - 00000000 ____D C:\Users\martin\AppData\Local\{43BD7E91-CB87-4452-B01A-5B9DBB22DA2F}
2013-04-17 12:39 - 2013-04-17 12:38 - 00000000 ____D C:\Users\martin\Documents\New folder (5)
2013-04-17 11:48 - 2013-04-17 11:48 - 00000000 ____D C:\Users\martin\AppData\Local\{E24C7EBF-D01E-4ADA-9703-177C8D14176E}
2013-04-17 11:47 - 2013-04-17 11:47 - 00000000 ____D C:\Users\martin\AppData\Local\{91E31053-2001-475A-AD2F-0689FF9E0378}
2013-04-17 11:43 - 2013-04-17 11:43 - 00000000 ____D C:\Users\martin\AppData\Local\{6EE4F6C8-075F-4B96-AAE6-D08FCBFC37E1}
2013-04-16 12:30 - 2011-04-24 14:27 - 00000000 ____D C:\Program Files (x86)\Hewlett-Packard
2013-04-16 12:30 - 2011-02-10 11:23 - 00000000 ____D C:\SWSetup
2013-04-11 06:52 - 2009-07-13 20:45 - 00343728 ____A C:\Windows\System32\FNTCACHE.DAT
2013-04-10 13:55 - 2011-12-25 04:31 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-04-10 11:42 - 2011-12-25 06:05 - 00002370 ____A C:\Users\martin\Desktop\Google Chrome.lnk
2013-04-02 02:34 - 2010-11-20 19:27 - 00282744 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-03-30 06:56 - 2013-03-29 12:48 - 00000000 ____D C:\Users\martin\Documents\101COACH
2013-03-30 04:25 - 2013-03-30 04:25 - 00000000 ____D C:\Users\martin\AppData\Local\{624EFD0C-8FF7-4812-AAB5-60C1FCE71183}
2013-03-29 13:23 - 2013-03-29 13:23 - 00000000 ____D C:\Users\martin\AppData\Local\{4A8F0A75-28E9-49F4-9A07-EBDC7FA67C59}
2013-03-29 01:28 - 2013-03-29 01:28 - 00000000 ____D C:\Users\martin\AppData\Roaming\873997d3-3f3a-4807-a625-a0032ed6e158ad
Other Malware:
===========
C:\Users\martin\AppData\Roaming\skype.dat
C:\Users\martin\AppData\Roaming\skype.ini
==================== Known DLLs (Whitelisted) ================
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================
Restore point made on: 2013-03-09 11:23:18
Restore point made on: 2013-03-13 01:27:17
Restore point made on: 2013-03-13 15:29:01
Restore point made on: 2013-03-17 07:09:34
Restore point made on: 2013-03-20 10:21:59
Restore point made on: 2013-03-24 05:48:20
Restore point made on: 2013-03-26 14:14:44
Restore point made on: 2013-03-31 03:45:35
Restore point made on: 2013-04-04 08:59:38
Restore point made on: 2013-04-08 04:02:31
Restore point made on: 2013-04-10 13:53:24
Restore point made on: 2013-04-16 09:03:47
Restore point made on: 2013-04-16 09:19:38
Restore point made on: 2013-04-16 09:19:53
Restore point made on: 2013-04-20 01:47:27
==================== Memory info ===========================
Percentage of memory in use: 22%
Total physical RAM: 2933.86 MB
Available physical RAM: 2272.66 MB
Total Pagefile: 2932 MB
Available Pagefile: 2260.54 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:283.96 GB) (Free:230.32 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
Drive e: (RECOVERY) (Fixed) (Total:13.83 GB) (Free:1.72 GB) NTFS (Disk=0 Partition=3) ==>[System with boot components (obtained from reading drive)]
Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.08 GB) FAT32 (Disk=0 Partition=4)
Drive h: (CORSAIR) (Removable) (Total:0.97 GB) (Free:0.97 GB) FAT (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]
Disk ### Status Size Free Dyn Gpt
--- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 992 MB 0 B
Partitions of Disk 0:
===============
Disk ID: 434CBBC6
Partition ### Type Size Offset
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 283 GB 200 MB
Partition 3 Primary 13 GB 284 GB
Partition 4 Primary 103 MB 297 GB
==================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---
* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy
=========================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---
* Volume 2 C NTFS Partition 283 GB Healthy
=========================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---
* Volume 3 E RECOVERY NTFS Partition 13 GB Healthy
=========================================================
Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---
* Volume 4 F HP_TOOLS FAT32 Partition 103 MB Healthy
=========================================================
Partitions of Disk 1:
===============
Disk ID: B354FC99
Partition ### Type Size Offset
Partition 1 Primary 991 MB 16 KB
==================================================================================
Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---
* Volume 5 H CORSAIR FAT Removable 991 MB Healthy
=========================================================
============================== MBR & Partition Table ==================
====================================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 434CBBC6)
Partition 1: (Active) - (Size=199 MB) - (Type=07) (NTFS)
Partition 2: (Not Active) - (Size=284 GB) - (Type=07) (NTFS)
Partition 3: (Not Active) - (Size=14 GB) - (Type=07) (NTFS)
Partition 4: (Not Active) - (Size=103 MB) - (Type=0C)
====================================================================
Disk: 1 (Size: 992 MB) (Disk ID: B354FC99)
Partition 1: (Active) - (Size=992 MB) - (Type=06)
Last Boot: 2013-04-14 04:12
==================== End Of Log ============================
-
do you recognise these folders?
2013-04-17 12:38 - 2013-04-17 12:39 - 00000000 ____D C:\Users\martin\Documents\New folder (5)
2013-04-17 12:37 - 2013-04-19 14:11 - 00000000 ____D C:\Users\martin\Documents\New folder (4)
2013-03-29 12:48 - 2013-03-30 06:56 - 00000000 ____D C:\Users\martin\Documents\101COACH
Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt
HKU\martin\...\Run: [Adobe CSx Manager] C:\Users\martin\AppData\Roaming\873997d3-3f3a-4807-a625-a0032ed6e158ad\dfaaaedead.exe [3072 2013-03-29] ()
HKU\martin\...\Winlogon: [Shell] explorer.exe,C:\Users\martin\AppData\Roaming\skype.dat [58368 2011-11-16] ()
2013-04-22 07:45 - 2013-04-25 04:29 - 00000004 ____A C:\Users\martin\AppData\Roaming\skype.ini
C:\Users\martin\AppData\Roaming\skype.dat
Start your computer into System Recovery Options, as we've done previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
-
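The two entries the fixlist above targets are textbook persistence spots: a Run value launching an unsigned executable from a random-named folder under AppData\Roaming, and a Winlogon "Shell" value that has had a second program appended after explorer.exe so it starts at every logon. The script below is an added example (not FRST's code and not the helper's) showing how a defender can triage FRST-style autorun lines for exactly those two patterns. The two suspicious sample lines are copied from the FRST output quoted in this thread; the two benign ones are constructed for contrast, and the regexes and heuristics (user-writable directories, GUID-like folder names, missing publisher) are my own assumptions.

```python
"""Triage FRST-style autorun lines for two common persistence patterns.

Added example, not part of the FRST tool or of the thread.
Pattern 1: Winlogon "Shell" is anything other than plain explorer.exe.
Pattern 2: a Run entry launches a file from a user-writable directory
           with a random-looking (GUID/hex) folder name or no publisher.
"""
import re

# Sample input. Lines 1 and 2 are quoted from the FRST log in the thread;
# lines 3 and 4 are constructed benign entries for contrast.
SAMPLE_LINES = [
    r"HKU\martin\...\Run: [Adobe CSx Manager] C:\Users\martin\AppData\Roaming\873997d3-3f3a-4807-a625-a0032ed6e158ad\dfaaaedead.exe [3072 2013-03-29] ()",
    r"HKU\martin\...\Winlogon: [Shell] explorer.exe,C:\Users\martin\AppData\Roaming\skype.dat [58368 2011-11-16] ()",
    r"HKLM\...\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)",
    r"HKU\martin\...\Run: [Google Update] C:\Users\martin\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2011-12-25] (Google Inc.)",
]

# FRST autorun line shape: <hive path>: [<value name>] <command> [<size> <date>] (<publisher>)
AUTORUN_RE = re.compile(
    r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)$"
)

# Directories a standard user can write to (assumption: this list is a heuristic).
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local|LocalLow)\\|\\Temp\\", re.IGNORECASE)

# A path component that is a GUID-like string (allowing the malformed, over-long
# last group seen in the log) or a long bare hex blob.
RANDOM_NAME = re.compile(
    r"\\\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12,}\}?\\|\\[0-9a-f]{16,}\\",
    re.IGNORECASE,
)


def parse_autorun(line):
    """Split one FRST autorun line into its fields, or return None if it does not match."""
    m = AUTORUN_RE.match(line.strip())
    return m.groupdict() if m else None


def assess(entry):
    """Return the list of reasons an entry looks suspicious (empty list = nothing to flag)."""
    reasons = []
    key = entry["key"].lower()
    name = entry["name"].lower()
    cmd = entry["cmd"].strip()
    publisher = entry["publisher"].strip()

    if key.endswith("winlogon") and name == "shell":
        # The only expected value is the bare shell; anything appended after
        # a comma is an extra program started at logon.
        if cmd.lower() != "explorer.exe":
            reasons.append("Winlogon Shell is not plain explorer.exe")
    elif key.endswith("run") and USER_WRITABLE.search(cmd):
        # Running from a profile directory is normal for updaters, so only
        # combine it with other weak signals before flagging.
        if RANDOM_NAME.search(cmd):
            reasons.append("Run target sits in a random-looking GUID/hex folder under the user profile")
        if not publisher:
            reasons.append("Run target has no publisher in its version info")
    return reasons


def triage(lines):
    """Map value name -> reasons for every parsed line that raises at least one reason."""
    findings = {}
    for line in lines:
        entry = parse_autorun(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for value_name, why in triage(SAMPLE_LINES).items():
        print(f"{value_name}: " + "; ".join(why))
```

Run it against a full FRST.txt by feeding the file's lines to `triage()`; the Winlogon check is strict on purpose, while the Run check deliberately requires two weak signals so that legitimate per-user updaters in AppData\Local are not reported.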
I think the folders are of photos that he would have saved. I'm almost positive that the coach one is.
the log is:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-04-2013
Ran by SYSTEM at 2013-04-25 23:11:52 Run:1
Running from \
Boot Mode: Recovery
==============================================
HKEY_USERS\martin\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe CSx Manager value not found.
HKEY_USERS\martin\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell value deleted successfully.
C:\Users\martin\AppData\Roaming\skype.ini moved successfully.
C:\Users\martin\AppData\Roaming\skype.dat moved successfully.
==== End of Fixlog ====
-
can you boot into normal mode now?
-
Yea, working perfectly.
Thanks so much for your help, it was much appreciated. Sorry for the brain-dead questions.
-
no need to apologise, we'd best run another scan as some stuff is probably still hiding
download and run ComboFix, post its log
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
-
ComboFix 13-04-25.01 - martin 25/04/2013 23:42:06.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.2934.1316 [GMT 1:00]
Running from: c:\users\martin\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
.
((((((((((((((((((((((((( Files Created from 2013-03-25 to 2013-04-25 )))))))))))))))))))))))))))))))
.
.
2013-04-26 06:14 . 2013-04-26 06:14 -------- d-----w- C:\FRST
2013-04-25 22:47 . 2013-04-25 22:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-04-25 22:36 . 2013-04-25 22:35 905296 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C45C5020-51D3-47D4-A653-92D4C4DDBA7B}\gapaengine.dll
2013-04-25 22:36 . 2013-04-10 03:46 9317456 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3373225D-7E72-47B1-AE54-0F222B88070F}\mpengine.dll
2013-04-25 22:35 . 2013-04-25 22:35 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-04-25 22:35 . 2013-04-25 22:34 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-04-25 22:34 . 2013-04-25 22:34 -------- d-----w- c:\program files (x86)\Java
2013-04-22 09:00 . 2013-04-10 03:46 9317456 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-04-10 19:40 . 2013-02-15 06:06 3717632 ----a-w- c:\windows\system32\mstscax.dll
2013-04-10 19:40 . 2013-02-15 04:37 3217408 ----a-w- c:\windows\SysWow64\mstscax.dll
2013-04-10 19:39 . 2013-02-15 04:34 131584 ----a-w- c:\windows\SysWow64\aaclient.dll
2013-04-10 19:39 . 2013-02-15 06:08 44032 ----a-w- c:\windows\system32\tsgqec.dll
2013-04-10 19:39 . 2013-02-15 06:02 158720 ----a-w- c:\windows\system32\aaclient.dll
2013-04-10 19:39 . 2013-02-15 03:25 36864 ----a-w- c:\windows\SysWow64\tsgqec.dll
2013-04-10 19:35 . 2013-03-01 03:36 3153408 ----a-w- c:\windows\system32\win32k.sys
2013-04-10 19:35 . 2013-03-02 06:04 1655656 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-10 19:29 . 2013-01-24 06:01 223752 ----a-w- c:\windows\system32\drivers\fvevol.sys
2013-04-10 19:29 . 2013-03-19 06:04 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-04-10 19:29 . 2013-03-19 05:04 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-04-10 19:29 . 2013-03-19 05:46 43520 ----a-w- c:\windows\system32\csrsrv.dll
2013-04-10 19:29 . 2013-03-19 05:04 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-04-10 19:29 . 2013-03-19 03:06 112640 ----a-w- c:\windows\system32\smss.exe
2013-04-10 19:29 . 2013-03-19 04:47 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll
2013-03-29 09:28 . 2013-03-29 09:28 -------- d-----w- c:\users\martin\AppData\Roaming\873997d3-3f3a-4807-a625-a0032ed6e158ad
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-25 22:34 . 2012-10-16 19:57 866720 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2013-04-25 22:34 . 2011-04-24 22:43 788896 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-04-02 10:34 . 2010-11-21 03:27 282744 ------w- c:\windows\system32\MpSigStub.exe
2013-03-10 22:33 . 2012-11-26 20:37 691568 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-10 22:33 . 2012-11-26 20:37 71024 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-05 17:14 . 2013-03-05 17:15 317440 ----a-w- c:\windows\system32\drivers\IntcDAud.sys
2013-03-05 17:14 . 2013-03-05 17:15 14848 ----a-w- c:\windows\system32\IntcDAuC.dll
2013-03-05 17:14 . 2013-03-05 17:15 98304 ----a-w- c:\windows\SysWow64\iglhcp32.dll
2013-03-05 17:14 . 2013-03-05 17:15 98304 ----a-w- c:\windows\system32\iglhcp64.dll
2013-03-05 17:14 . 2013-03-05 17:15 90112 ----a-w- c:\windows\system32\igfxCoIn_v2430.dll
2013-03-05 17:14 . 2013-03-05 17:15 867020 ----a-w- c:\windows\system32\igkrng575.bin
2013-03-05 17:14 . 2013-03-05 17:15 510232 ----a-w- c:\windows\system32\igfxsrvc.exe
2013-03-05 17:14 . 2013-03-05 17:15 378368 ----a-w- c:\windows\system32\igfxTMM.dll
2013-03-05 17:14 . 2013-03-05 17:15 376832 ----a-w- c:\windows\SysWow64\iglhsip32.dll
2013-03-05 17:14 . 2013-03-05 17:15 376832 ----a-w- c:\windows\system32\iglhsip64.dll
2013-03-05 17:14 . 2013-03-05 17:15 167704 ----a-w- c:\windows\system32\igfxtray.exe
2013-03-05 17:14 . 2013-03-05 17:15 286208 ----a-w- c:\windows\system32\igfxrtrk.lrc
2013-03-05 17:14 . 2013-03-05 17:15 286208 ----a-w- c:\windows\system32\igfxrsve.lrc
2013-03-05 17:14 . 2013-03-05 17:15 285696 ----a-w- c:\windows\system32\igfxrtha.lrc
2013-03-05 17:14 . 2013-03-05 17:15 286720 ----a-w- c:\windows\system32\igfxrsky.lrc
2013-03-05 17:14 . 2013-03-05 17:15 286720 ----a-w- c:\windows\system32\igfxrrus.lrc
2013-03-05 17:14 . 2013-03-05 17:15 286720 ----a-w- c:\windows\system32\igfxrrom.lrc
2013-03-05 17:14 . 2013-03-05 17:15 286720 ----a-w- c:\windows\system32\igfxrptg.lrc
2013-03-05 17:14 . 2013-03-05 17:15 286720 ----a-w- c:\windows\system32\igfxrplk.lrc
2013-03-05 17:14 . 2013-03-05 17:15 286208 ----a-w- c:\windows\system32\igfxrslv.lrc
2013-03-05 17:14 . 2013-03-05 17:15 286208 ----a-w- c:\windows\system32\igfxrptb.lrc
2013-03-05 17:14 . 2013-03-05 17:15 286208 ----a-w- c:\windows\system32\igfxrnor.lrc
2013-03-05 17:14 . 2010-08-25 20:04 62464 ----a-w- c:\windows\system32\igfxsrvc.dll
2013-03-05 17:14 . 2013-03-05 17:15 287232 ----a-w- c:\windows\system32\igfxrfra.lrc
2013-03-05 17:14 . 2013-03-05 17:15 287232 ----a-w- c:\windows\system32\igfxresn.lrc
2013-03-05 17:14 . 2013-03-05 17:15 286720 ----a-w- c:\windows\system32\igfxrnld.lrc
2013-03-05 17:14 . 2013-03-05 17:15 286720 ----a-w- c:\windows\system32\igfxrita.lrc
2013-03-05 17:14 . 2013-03-05 17:15 286720 ----a-w- c:\windows\system32\igfxrhrv.lrc
2013-03-05 17:14 . 2013-03-05 17:15 286208 ----a-w- c:\windows\system32\igfxrhun.lrc
2013-03-05 17:14 . 2013-03-05 17:15 286208 ----a-w- c:\windows\system32\igfxrfin.lrc
2013-03-05 17:14 . 2013-03-05 17:15 285184 ----a-w- c:\windows\system32\igfxrheb.lrc
2013-03-05 17:14 . 2013-03-05 17:15 283648 ----a-w- c:\windows\system32\igfxrjpn.lrc
2013-03-05 17:14 . 2013-03-05 17:15 283136 ----a-w- c:\windows\system32\igfxrkor.lrc
2013-03-05 17:14 . 2013-03-05 17:15 285696 ----a-w- c:\windows\system32\igfxrenu.lrc
2013-03-05 17:14 . 2013-03-05 17:15 287232 ----a-w- c:\windows\system32\igfxrell.lrc
2013-03-05 17:14 . 2013-03-05 17:15 286720 ----a-w- c:\windows\system32\igfxrdeu.lrc
2013-03-05 17:14 . 2013-03-05 17:15 416024 ----a-w- c:\windows\system32\igfxpers.exe
2013-03-05 17:14 . 2013-03-05 17:15 375296 ----a-w- c:\windows\system32\igfxpph.dll
2013-03-05 17:14 . 2013-03-05 17:15 286720 ----a-w- c:\windows\system32\igfxrcsy.lrc
2013-03-05 17:14 . 2013-03-05 17:15 285696 ----a-w- c:\windows\system32\igfxrdan.lrc
2013-03-05 17:14 . 2013-03-05 17:15 285184 ----a-w- c:\windows\system32\igfxrara.lrc
2013-03-05 17:14 . 2013-03-05 17:15 282624 ----a-w- c:\windows\system32\igfxrcht.lrc
2013-03-05 17:14 . 2013-03-05 17:15 282624 ----a-w- c:\windows\system32\igfxrchs.lrc
2013-03-05 17:14 . 2013-03-05 17:15 239896 ----a-w- c:\windows\system32\igfxext.exe
2013-03-05 17:14 . 2010-08-25 20:03 9014784 ----a-w- c:\windows\system32\igfxress.dll
2013-03-05 17:14 . 2013-03-05 17:15 4096 ----a-w- c:\windows\system32\IGFXDEVLib.dll
2013-03-05 17:14 . 2013-03-05 17:15 293888 ----a-w- c:\windows\SysWow64\igfxdv32.dll
2013-03-05 17:14 . 2013-03-05 17:15 28672 ----a-w- c:\windows\system32\igfxexps.dll
2013-03-05 17:14 . 2013-03-05 17:15 24576 ----a-w- c:\windows\SysWow64\igfxexps32.dll
2013-03-05 17:14 . 2013-03-05 17:15 142336 ----a-w- c:\windows\system32\igfxdo.dll
2013-03-05 17:14 . 2013-03-05 17:15 389632 ----a-w- c:\windows\system32\igfxdev.dll
2013-03-05 17:14 . 2013-03-05 17:15 126976 ----a-w- c:\windows\system32\igfxcpl.cpl
2013-03-05 17:14 . 2013-03-05 17:15 162816 ----a-w- c:\windows\SysWow64\igfxcmrt32.dll
2013-03-05 17:14 . 2013-03-05 17:15 140288 ----a-w- c:\windows\system32\igfxcmrt64.dll
2013-03-05 17:14 . 2013-03-05 17:15 105608 ----a-w- c:\windows\system32\igfcg575m.bin
2013-03-05 17:14 . 2013-03-05 17:15 6310912 ----a-w- c:\windows\SysWow64\igdumd32.dll
2013-03-05 17:14 . 2013-03-05 17:15 577024 ----a-w- c:\windows\SysWow64\igdumdx32.dll
2013-03-05 17:14 . 2013-03-05 17:15 12231584 ----a-w- c:\windows\system32\drivers\igdkmd64.sys
2013-03-05 17:14 . 2010-08-25 20:36 8296960 ----a-w- c:\windows\system32\igdumd64.dll
2013-03-05 17:14 . 2010-08-25 20:26 14591488 ----a-w- c:\windows\system32\igd10umd64.dll
2013-03-05 17:14 . 2010-08-25 20:23 12333056 ----a-w- c:\windows\SysWow64\igd10umd32.dll
2013-03-05 17:14 . 2013-03-05 17:15 18635776 ----a-w- c:\windows\system32\ig4icd64.dll
2013-03-05 17:14 . 2013-03-05 17:15 13899776 ----a-w- c:\windows\SysWow64\ig4icd32.dll
2013-03-05 17:14 . 2013-03-05 17:15 128204 ----a-w- c:\windows\system32\igcompkrng575.bin
2013-03-05 17:14 . 2013-03-05 17:15 94208 ----a-w- c:\windows\system32\IccLibDll_x64.dll
2013-03-05 17:14 . 2013-03-05 17:15 392472 ----a-w- c:\windows\system32\hkcmd.exe
2013-03-05 17:14 . 2010-08-25 20:03 110080 ----a-w- c:\windows\system32\hccutils.dll
2013-03-05 17:14 . 2013-03-05 17:15 4378392 ----a-w- c:\windows\system32\GfxUI.exe
2013-03-05 17:14 . 2013-03-05 17:15 179992 ----a-w- c:\windows\system32\difx64.exe
2013-03-05 17:14 . 2013-03-05 17:15 146432 ----a-w- c:\windows\system32\gfxSrvc.dll
2013-02-12 05:45 . 2013-03-13 09:27 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45 . 2013-03-13 09:27 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45 . 2013-03-13 09:27 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45 . 2013-03-13 09:27 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48 . 2013-03-13 09:27 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-13 09:27 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-02-12 04:12 . 2013-03-26 16:04 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2012-06-21 247768]
"Adobe CSx Manager"="c:\users\martin\AppData\Roaming\873997d3-3f3a-4807-a625-a0032ed6e158ad\dfaaaedead.exe" [2013-03-29 3072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]
"PDF Complete"="c:\program files (x86)\PDF Complete\pdfsty.exe" [2011-02-01 656920]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-08-19 379960]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-06 421736]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2012-03-05 578944]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R2 XobniService;XobniService;c:\program files (x86)\Xobni\XobniService.exe [2011-02-25 62184]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-12-26 1255736]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 Atheros Bt&Wlan Coex Agent;Atheros Bt&Wlan Coex Agent;c:\program files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [2011-03-01 138400]
S2 AtherosSvc;AtherosSvc;c:\program files (x86)\Bluetooth Suite\adminservice.exe [2011-03-01 76448]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2012-09-27 86528]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-07-21 103992]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2012-03-05 35200]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-20 13592]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2010-12-28 1817088]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-29 399432]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-29 676936]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 130008]
S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe [2011-02-01 1127448]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2012-06-21 92632]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-07-23 2320920]
S3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys [2011-03-01 36000]
S3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys [2011-03-01 298656]
S3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys [2011-03-01 28832]
S3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys [2011-03-01 201376]
S3 BTATH_LWFLT;Bluetooth LWFLT Device;c:\windows\system32\DRIVERS\btath_lwflt.sys [2011-03-01 55456]
S3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys [2011-03-01 154272]
S3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys [2011-03-01 280224]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [2011-02-10 31088]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2013-03-05 317440]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-29 25928]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 379360]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2011-02-15 335464]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-03-05 436840]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-11-30 23:45]
.
2013-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-11-30 23:45]
.
2013-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-963050305-668444556-3006111060-1000Core.job
- c:\users\martin\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-25 14:00]
.
2013-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-963050305-668444556-3006111060-1000UA.job
- c:\users\martin\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-25 14:00]
.
2013-04-25 c:\windows\Tasks\HPCeeScheduleFormartin.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
X64 Entries
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-01-11 6602856]
"AtherosBtStack"="c:\program files (x86)\Bluetooth Suite\BtvStack.exe" [2011-03-01 615584]
"AthBtTray"="c:\program files (x86)\Bluetooth Suite\AthBtTray.exe" [2011-03-01 379552]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 8192]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 1281512]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2013-03-05 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2013-03-05 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2013-03-05 416024]
.
Supplementary Scan
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-BsScanner
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
LOCKED REGISTRY KEYS
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-04-25 23:51:07
ComboFix-quarantined-files.txt 2013-04-25 22:51
.
Pre-Run: 247,296,651,264 bytes free
Post-Run: 246,885,359,616 bytes free
.
- - End Of File - - C255E7B751F01D145551663B665BCCE30 -
-
looks good, how's it running? any problems?
-
everything seems fine with it.
Should I do anything else to try to prevent it happening and wrecking your head again?
-
what internet browser is used on the machine?
also install malwarebytes on it
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
-
Just got my computer sorted, left it in with a mate and it's perfect now
-
what internet browser is used on the machine?
also install malwarebytes on it
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
I think he normally uses Chrome, but not 100% on that.
I have malwarebytes put on and Java needed updating (reading back on the thread I see some people were saying this might be an access point)
-
yeah probably was, install this program, run it and update everything it says needs updating
http://www.filehippo.com/updatechecker/
if they use chrome, install this extension
https://www.ghostery.com/download
also update mbam and run a quick scan if you still have access to the PC. That's about it.
-
-
yeah probably was, install this program, run it and update everything it says needs updating
http://www.filehippo.com/updatechecker/
if they use chrome, install this extension
https://www.ghostery.com/download
also update mbam and run a quick scan if you still have access to the PC. That's about it.
My Dad collected it a while ago but I'll call over tomorrow and do the above.
thanks again
-
Is this the virus you're all talking about? If so, can anybody give me instructions on how to get rid of it, in the simplest layman's terms if possible. Currently downloading AVG on another user profile. When I run this will that work?
edit: Can't upload a pic on the pc but it has Ireland's national police service on it
-
can you log into the pc in normal or safe mode?
-
Can log on to other users' profiles as normal and only safe mode in my own.
-
can you run this on the infected account
download and run combofix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
-