
Inactive Windows unable to start

Discussion in 'Malware and Virus Removal Archive' started by rthompson, 2015/02/02.

  1. 2015/02/02
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    [Inactive] Windows unable to start

    My friend downloaded some torrent files, seems that he caught a bad virus, I am going to purchase a pen drive, please instruct further. Thank you
     
  2. 2015/02/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===========================

    What Windows version is it?
     


  4. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    It has Windows 8.1

    I tried using system restore, start-up repair. He has no installation disk or recovery disk.
     
    Last edited: 2015/02/03
  5. 2015/02/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    NOTE 1. Use another working computer to download Farbar Recovery Scan Tool. Use a USB flash drive to transfer it from the good computer to the bad one.
    NOTE 2. Install Panda USB Vaccine, or BitDefender's USB Immunizer, on the GOOD computer to protect it from any infected USB device.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flash drive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using the Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for the x64 bit version type e:\frst64) and press Enter.
      Note: Replace the letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     
  6. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    Subsystem not present

    After entering e:\frst the command prompt states "the subsystem needed to support the image type is not present ".
     
  7. 2015/02/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It looks like the wrong version of FRST.
    If you tried 64-bit, try 32-bit, and vice versa.
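    As an added example (not part of the thread, and not broni's or Farbar's own tooling): the "subsystem needed to support the image type is not present" message is what the Windows recovery command prompt prints when the executable's architecture does not match the recovery environment's, which is the mix-up broni diagnoses above. That can be caught on the good computer before the flash drive is even plugged in: the Python script below reads the Machine field of a PE file's header and reports whether a downloaded binary is 32-bit or 64-bit. The machine-code table comes from winnt.h; the minimal headers the script builds for testing are constructed samples, not real executables.

```python
"""Report whether a Windows executable is a 32-bit or 64-bit PE image.

Added example, not part of the forum thread. It reads the DOS header,
follows e_lfanew to the PE signature and returns IMAGE_FILE_HEADER.Machine,
so a wrongly chosen build can be spotted before it is copied to the USB
drive. make_header() builds constructed sample headers for testing only."""
import struct

# IMAGE_FILE_HEADER.Machine values from winnt.h
MACHINE_NAMES = {
    0x014C: "x86 (32-bit)",
    0x8664: "x64 (64-bit)",
    0x01C4: "ARM Thumb-2",
    0xAA64: "ARM64",
}


def pe_machine(data: bytes) -> int:
    """Return the Machine field of a PE image held in memory.

    Raises ValueError if the bytes are not a well-formed PE file, so a
    truncated download or a non-executable is reported instead of guessed.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable (missing MZ header)")
    # e_lfanew at offset 0x3C holds the file offset of the "PE\0\0" signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # IMAGE_FILE_HEADER follows the 4-byte signature; Machine is its first WORD
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def describe_machine(data: bytes) -> str:
    """Human-readable architecture for a PE image held in memory."""
    machine = pe_machine(data)
    return MACHINE_NAMES.get(machine, f"unknown machine 0x{machine:04X}")


def pe_file_arch(path: str) -> str:
    """Architecture of the PE file at `path`; the headers sit in the first 4 KiB."""
    with open(path, "rb") as f:
        return describe_machine(f.read(4096))


def make_header(machine: int) -> bytes:
    """Constructed sample: a minimal, non-runnable PE header with the given Machine."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        try:
            print(p, "->", pe_file_arch(p))
        except (OSError, ValueError) as exc:
            print(p, "->", exc)
```

Run it as `python pe_arch.py E:\frst.exe E:\frst64.exe` on the good computer; a file reporting "x64 (64-bit)" will only run in a 64-bit recovery environment, and vice versa.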
     
  8. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    version

    Command prompt reads "x:\windows\system32 ".
     
  9. 2015/02/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It doesn't matter.
    You downloaded the wrong version of FRST.
     
  10. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    FRST log

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-02-2015
    Ran by SYSTEM on MININT-ONG542R on 03-02-2015 15:14:32
    Running from E:\
    Platform: Windows 8.1 (X64) OS Language: English (United States)
    Internet Explorer Version 11
    Boot Mode: Recovery

    The current controlset is ControlSet001
    ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7634288 2014-08-05] (Realtek Semiconductor)
    HKLM\...\Run: [SimplePass] => C:\Program Files\Hewlett-Packard\SimplePass\HPSmplPass.exe [2755640 2013-09-26] (Hewlett-Packard)
    HKLM\...\Run: [OPBHOBroker] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe [155704 2013-09-26] (Hewlett-Packard)
    HKLM\...\Run: [OPBHOBrokerDesktop] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe [155704 2013-09-26] (Hewlett-Packard)
    HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1386712 2014-08-05] (Realtek Semiconductor)
    HKLM-x32\...\Run: [YouCam Service] => c:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe [267224 2013-09-01] (CyberLink Corp.)
    HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
    HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [767200 2014-06-05] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-10] (Oracle Corporation)
    HKLM-x32\...\Run: [CommonToolkitTray] => C:\Program Files (x86)\Fighters\Tray\FightersTray.exe [1494560 2013-08-07] (SPAMfighter ApS)
    HKLM-x32\...\Run: [CommonToolkitTray_Fighters10119] => C:\Program Files (x86)\Fighters10119\Tray\Fighters10119Tray.exe [1681952 2014-06-10] (SPAMfighter ApS)
    HKLM\...\RunOnce: [NCPluginUpdater] => C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe [21720 2014-08-19] (Hewlett-Packard)
    HKLM\...\RunOnce: [*Restore] => C:\windows\system32\rstrui.exe [271872 2014-04-06] (Microsoft Corporation)
    HKLM\...\Policies\Explorer: [NoFolderOptions] 0
    HKLM\...\Policies\Explorer: [NoControlPanel] 0
    HKU\Antoine\...\Run: [uTorrent] => C:\Users\Antoine\AppData\Roaming\uTorrent\uTorrent.exe [1690192 2014-11-16] (BitTorrent Inc.)
    HKU\Susan\...\Run: [ContentExplorer] => C:\Users\Susan\AppData\Roaming\ContentExplorer\ContentExplorer.exe [2429680 2014-11-15] (ContentExplorer)
    HKU\Susan\...\Run: [uTorrent] => C:\Users\Antoine\AppData\Roaming\uTorrent\uTorrent.exe [1690192 2014-11-16] (BitTorrent Inc.)
    HKU\Susan\...\Run: [GenieoUpdaterService] => C:\Users\Susan\AppData\Roaming\Genieo\Application\Updater\bin\genupdater.exe [294240 2014-07-14] ()
    HKU\Susan\...\Run: [GenieoSystemTray] => C:\Users\Susan\AppData\Roaming\Genieo\Application\TrayUi\bin\gentray.exe [539488 2014-07-14] ()
    HKU\Susan\...\Run: [CFO] => C:\Program Files (x86)\Converter Free Online\Taskbar.exe [56952 2014-09-02] ()
    Startup: C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Temperature Monitor.lnk
    ShortcutTarget: Desktop Temperature Monitor.lnk -> C:\windows\system32\config\systemprofile\AppData\Local\DesktopTemperature\DesktopTemperature.exe (No File)
    Startup: C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StormWatch.lnk
    ShortcutTarget: StormWatch.lnk -> C:\Program Files (x86)\StormWatch\StormWatch.exe (Weather Protector LLC)
    Startup: C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StormWatchApp.lnk
    ShortcutTarget: StormWatchApp.lnk -> C:\Program Files (x86)\StormWatch\StormWatchApp.exe ()

    ==================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    S2 0266311422649708mcinstcleanup; C:\windows\TEMP\026631~1.EXE [836168 2014-03-13] (McAfee, Inc.)
    S2 Cachedrv server; C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe [109568 2013-09-26] ()
    S3 Common Toolkit 2; C:\Program Files (x86)\Common Files\Common Toolkit Suite\Tools\x64\CommonToolkit2.exe [337920 2013-08-07] (SPAMfighter ApS)
    S2 ConverterFreeOnlineUpdt; C:\Program Files (x86)\Converter Free Online\ConverterFreeOnlineUpdt.exe [256512 2014-09-02] ()
    S2 CyberLink PowerDVD 12 Media Server Monitor Service; c:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe [77576 2013-08-12] (CyberLink)
    S2 CyberLink PowerDVD 12 Media Server Service; c:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe [298760 2013-08-12] (CyberLink)
    S2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [254016 2014-10-07] (WildTangent)
    S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178528 2014-04-25] (McAfee, Inc.)
    S3 McAWFwk; c:\Program Files\Common Files\mcafee\ActWiz\McAWFwk.exe [334608 2013-07-24] (McAfee, Inc.)
    S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    S2 McNaiAnn; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [603424 2014-09-04] (McAfee, Inc.)
    S4 McOobeSv2; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    S2 mcpltsvc; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    S2 McProxy; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    S2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1041192 2014-08-20] (McAfee, Inc.)
    S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219752 2014-06-20] (McAfee, Inc.)
    S2 mfevtp; C:\windows\system32\mfevtps.exe [189912 2014-06-20] (McAfee, Inc.)
    S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    S2 NcEBnPBsQ; C:\ProgramData\gDfhJMw\NcEBnPBsQ.exe [2733824 2015-01-25] (Valid Applications)
    S2 omniserv; C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe [87552 2013-09-26] (Softex Inc.)
    S2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [290520 2014-08-05] (Realtek Semiconductor)
    S2 Suite Service; C:\Program Files (x86)\Fighters\FighterSuiteService.exe [1279520 2013-08-06] (SPAMfighter ApS)
    S2 SWUpdater; C:\Program Files (x86)\StormWatch\SWUpdaterSvc.exe [17584 2014-11-21] (Weather Protector LLC)
    S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2013-08-24] (Microsoft Corporation)
    S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-21] (Microsoft Corporation)
    S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-21] (Microsoft Corporation)

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    S0 amdkmpfd; C:\Windows\System32\drivers\amdkmpfd.sys [36096 2013-05-22] (Advanced Micro Devices, Inc.)
    S3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3859968 2013-08-15] (Qualcomm Atheros Communications, Inc.)
    S3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [222720 2014-08-05] (Advanced Micro Devices)
    S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [72128 2014-06-20] (McAfee, Inc.)
    S1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91712 2013-03-05] (CyberLink)
    S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
    S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [181704 2014-06-20] (McAfee, Inc.)
    S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [313544 2014-06-20] (McAfee, Inc.)
    S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [70600 2014-06-20] (McAfee, Inc.)
    S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [523792 2014-06-20] (McAfee, Inc.)
    S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [786296 2014-06-20] (McAfee, Inc.)
    S3 mfencbdc; C:\Windows\system32\DRIVERS\mfencbdc.sys [445512 2014-08-20] (McAfee, Inc.)
    S3 mfencrk; C:\Windows\system32\DRIVERS\mfencrk.sys [96592 2014-08-20] (McAfee, Inc.)
    S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [348552 2014-06-20] (McAfee, Inc.)
    S3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [294104 2014-08-05] (Realtek Semiconductor Corp.)
    S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-21] (Microsoft Corporation)

    ==================== NetSvcs (Whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-02-03 15:14 - 2015-02-03 15:14 - 00000000 ____D () C:\FRST
    2015-02-01 17:00 - 2015-02-03 10:59 - 00000000 _____ () C:\Recovery.txt
    2015-01-30 15:58 - 2015-02-02 14:45 - 00000000 ____D () C:\ProgramData\Recovery
    2015-01-30 12:43 - 2015-02-03 10:30 - 305633218 _____ () C:\Windows\MEMORY.DMP
    2015-01-30 12:43 - 2015-02-02 15:09 - 00000000 __SHD () C:\found.000
    2015-01-30 12:43 - 2015-01-30 12:43 - 00003880 ____N () C:\bootsqm.dat
    2015-01-30 12:25 - 2015-02-02 15:09 - 00000000 ____D () C:\ProgramData\Browser
    2015-01-28 11:48 - 2015-01-28 11:48 - 00000000 ____D () C:\FinanceAlert
    2015-01-25 16:04 - 2015-01-25 16:04 - 00000000 ____D () C:\Users\Antoine\AppData\Local\FinanceAlert
    2015-01-25 14:44 - 2015-01-25 14:44 - 00000000 ____D () C:\Users\Susan\AppData\Roaming\Fighters10119
    2015-01-25 14:44 - 2015-01-25 14:44 - 00000000 ____D () C:\Users\Susan\AppData\Local\StormWatch
    2015-01-25 14:43 - 2015-01-25 16:01 - 00000298 _____ () C:\Windows\Tasks\PC Optimizer Pro Scan.job
    2015-01-25 14:43 - 2015-01-25 14:43 - 00003158 _____ () C:\Windows\System32\Tasks\PC Optimizer Pro Scan
    2015-01-25 14:43 - 2015-01-25 14:43 - 00000000 ____D () C:\ProgramData\Winferno
    2015-01-25 14:43 - 2015-01-25 14:43 - 00000000 ____D () C:\ProgramData\PC Optimizer Pro
    2015-01-25 14:21 - 2015-01-25 14:21 - 00000000 ____D () C:\Users\Antoine\AppData\Roaming\Fighters10119
    2015-01-25 11:41 - 2015-01-30 12:21 - 00000460 _____ () C:\Windows\Tasks\SLOW-PCfighter64-Susan-Startup.job
    2015-01-25 11:41 - 2015-01-30 12:21 - 00000450 _____ () C:\Windows\Tasks\SLOW-PCfighter64-Susan-Notification.job
    2015-01-25 11:41 - 2015-01-25 11:46 - 00000000 ____D () C:\ProgramData\Fighters10119
    2015-01-25 11:41 - 2015-01-25 11:41 - 00003490 _____ () C:\Windows\System32\Tasks\SLOW-PCfighter64-Susan-Notification
    2015-01-25 11:41 - 2015-01-25 11:41 - 00002824 _____ () C:\Windows\System32\Tasks\SLOW-PCfighter64-Susan-Startup
    2015-01-25 11:41 - 2015-01-25 11:41 - 00002178 _____ () C:\Users\Public\Desktop\SLOW-PCfighter 10119.lnk
    2015-01-25 11:41 - 2015-01-25 11:41 - 00000000 ____D () C:\Program Files\Fighters10119
    2015-01-25 11:41 - 2015-01-25 11:41 - 00000000 ____D () C:\Program Files (x86)\Fighters10119
    2015-01-25 11:40 - 2015-01-25 11:40 - 00002023 _____ () C:\Users\Public\Desktop\FULL-DISKfighter.lnk
    2015-01-25 11:40 - 2015-01-25 11:40 - 00000000 ____D () C:\Users\Antoine\AppData\Roaming\Fighters
    2015-01-25 11:39 - 2015-01-25 14:44 - 00000000 ____D () C:\Users\Susan\AppData\Roaming\Fighters
    2015-01-25 11:39 - 2015-01-25 11:47 - 00000474 ____H () C:\Windows\Tasks\Norton Security Scan for Antoine.job
    2015-01-25 11:39 - 2015-01-25 11:40 - 00000000 ____D () C:\ProgramData\Fighters
    2015-01-25 11:39 - 2015-01-25 11:40 - 00000000 ____D () C:\Program Files (x86)\Fighters
    2015-01-25 11:39 - 2015-01-25 11:39 - 00003624 _____ () C:\Windows\System32\Tasks\Norton Security Scan for Antoine
    2015-01-25 11:39 - 2015-01-25 11:39 - 00001480 _____ () C:\Users\Public\Desktop\Norton Security Scan.LNK
    2015-01-25 11:39 - 2015-01-25 11:39 - 00000000 ____D () C:\Windows\System32\Drivers\NSSx64
    2015-01-25 11:39 - 2015-01-25 11:39 - 00000000 ____D () C:\ProgramData\gDfhJMw
    2015-01-25 11:39 - 2015-01-25 11:39 - 00000000 ____D () C:\ProgramData\FinanceAlert
    2015-01-25 11:39 - 2015-01-25 11:39 - 00000000 ____D () C:\ProgramData\Common Toolkit Suite
    2015-01-25 11:39 - 2015-01-25 11:39 - 00000000 ____D () C:\Program Files (x86)\Norton Security Scan
    2015-01-25 11:39 - 2015-01-25 11:39 - 00000000 ____D () C:\Program Files (x86)\File Type Helper
    2015-01-25 11:39 - 2015-01-25 11:39 - 00000000 ____D () C:\Program Files (x86)\Converter Free Online
    2015-01-25 11:38 - 2015-01-30 12:21 - 00000458 _____ () C:\Windows\Tasks\RegPowerClean.job
    2015-01-25 11:38 - 2015-01-25 16:01 - 00000444 _____ () C:\Windows\Tasks\RPCReminder.job
    2015-01-25 11:38 - 2015-01-25 14:45 - 00000000 ____D () C:\Users\Susan\AppData\Local\DesktopTemperature
    2015-01-25 11:38 - 2015-01-25 14:43 - 00003124 _____ () C:\Windows\System32\Tasks\RPCReminder
    2015-01-25 11:38 - 2015-01-25 11:38 - 00003198 _____ () C:\Windows\System32\Tasks\RegPowerClean
    2015-01-25 11:38 - 2015-01-25 11:38 - 00001394 _____ () C:\Users\Public\Desktop\Check PC for Errors.lnk
    2015-01-25 11:38 - 2015-01-25 11:38 - 00000000 ____D () C:\Users\Susan\AppData\Local\System_Alerts_LLC
    2015-01-25 11:38 - 2015-01-25 11:38 - 00000000 ____D () C:\Program Files (x86)\Winferno
    2015-01-25 11:38 - 2010-10-26 08:07 - 00499785 _____ (Capital Intellect Inc) C:\Windows\SysWOW64\WINUTIL8.DLL
    2015-01-25 11:38 - 2010-09-01 12:59 - 00835656 _____ (Capital Intellect Inc) C:\Windows\SysWOW64\WINCTL5.OCX
    2015-01-25 11:38 - 2010-01-14 07:31 - 00425984 _____ () C:\Windows\SysWOW64\WinCMR.dll
    2015-01-25 11:38 - 2009-06-05 08:04 - 00393216 _____ (Capital Intellect Inc) C:\Windows\SysWOW64\WINLCTL6.DLL
    2015-01-25 11:36 - 2015-01-25 14:21 - 00000000 ____D () C:\Users\Antoine\Downloads\St. Vincent (2014)
    2015-01-21 14:16 - 2015-01-21 15:41 - 00000000 ____D () C:\Users\Antoine\Downloads\John Wick (2014) [1080p]
    2015-01-18 07:27 - 2014-04-15 15:35 - 00028352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aspnet_counters.dll
    2015-01-18 07:27 - 2014-04-15 15:34 - 00029888 _____ (Microsoft Corporation) C:\Windows\System32\aspnet_counters.dll
    2015-01-16 12:27 - 2015-01-16 12:27 - 00000000 ____D () C:\Users\Antoine\AppData\Local\MediaShow
    2015-01-15 13:48 - 2015-01-15 13:48 - 00000000 ____D () C:\Users\Antoine\Documents\CyberLink
    2015-01-15 13:48 - 2015-01-15 13:48 - 00000000 ____D () C:\Users\Antoine\AppData\Roaming\CyberLink
    2015-01-14 04:35 - 2014-12-18 22:26 - 00140800 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\mrxdav.sys
    2015-01-14 04:35 - 2014-12-11 18:04 - 00087040 _____ (Microsoft Corporation) C:\Windows\System32\TSWbPrxy.exe
    2015-01-14 04:35 - 2014-12-11 16:51 - 00075776 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ahcache.sys
    2015-01-14 04:35 - 2014-12-08 17:50 - 00225280 _____ (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2015-01-14 04:35 - 2014-12-08 11:42 - 00535640 _____ (Microsoft Corporation) C:\Windows\System32\wer.dll
    2015-01-14 04:35 - 2014-12-08 11:42 - 00531616 _____ (Microsoft Corporation) C:\Windows\System32\ci.dll
    2015-01-14 04:35 - 2014-12-08 11:42 - 00448792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wer.dll
    2015-01-14 04:35 - 2014-12-08 11:42 - 00413248 _____ (Microsoft Corporation) C:\Windows\System32\Faultrep.dll
    2015-01-14 04:35 - 2014-12-08 11:42 - 00372408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Faultrep.dll
    2015-01-14 04:35 - 2014-12-08 11:42 - 00108944 _____ (Microsoft Corporation) C:\Windows\System32\EncDump.dll
    2015-01-14 04:35 - 2014-12-08 11:42 - 00038264 _____ (Microsoft Corporation) C:\Windows\System32\WerFaultSecure.exe
    2015-01-14 04:35 - 2014-12-08 11:42 - 00033584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WerFaultSecure.exe
    2015-01-14 04:35 - 2014-12-05 19:17 - 00360448 _____ (Microsoft Corporation) C:\Windows\System32\ncsi.dll
    2015-01-14 04:35 - 2014-12-05 17:41 - 00391680 _____ (Microsoft Corporation) C:\Windows\System32\nlasvc.dll
    2015-01-14 04:35 - 2014-12-05 17:35 - 00229888 _____ (Microsoft Corporation) C:\Windows\System32\AudioEndpointBuilder.dll
    2015-01-14 04:35 - 2014-10-28 20:00 - 00465320 _____ (Microsoft Corporation) C:\Windows\System32\WerFault.exe
    2015-01-14 04:35 - 2014-10-28 20:00 - 00139984 _____ (Microsoft Corporation) C:\Windows\System32\wermgr.exe
    2015-01-14 04:35 - 2014-10-28 19:52 - 00500016 _____ (Microsoft Corporation) C:\Windows\System32\AudioSes.dll
    2015-01-14 04:35 - 2014-10-28 19:52 - 00482872 _____ (Microsoft Corporation) C:\Windows\System32\AudioEng.dll
    2015-01-14 04:35 - 2014-10-28 19:52 - 00394120 _____ (Microsoft Corporation) C:\Windows\System32\AUDIOKSE.dll
    2015-01-14 04:35 - 2014-10-28 19:52 - 00272248 _____ (Microsoft Corporation) C:\Windows\System32\audiodg.exe
    2015-01-14 04:35 - 2014-10-28 19:12 - 00413136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WerFault.exe
    2015-01-14 04:35 - 2014-10-28 19:12 - 00136296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wermgr.exe
    2015-01-14 04:35 - 2014-10-28 19:07 - 00424544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioEng.dll
    2015-01-14 04:35 - 2014-10-28 19:07 - 00370424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioSes.dll
    2015-01-14 04:35 - 2014-10-28 19:07 - 00344536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AUDIOKSE.dll
    2015-01-14 04:35 - 2014-10-28 18:44 - 00037888 _____ (Microsoft Corporation) C:\Windows\System32\werdiagcontroller.dll
    2015-01-14 04:35 - 2014-10-28 17:59 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\werdiagcontroller.dll
    2015-01-14 04:35 - 2014-10-28 17:24 - 00086016 _____ (Microsoft Corporation) C:\Windows\System32\nlaapi.dll
    2015-01-14 04:35 - 2014-10-28 17:02 - 00911360 _____ (Microsoft Corporation) C:\Windows\System32\audiosrv.dll
    2015-01-14 04:35 - 2014-10-28 17:01 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-02-03 10:31 - 2014-06-04 21:30 - 00065536 _____ () C:\Windows\System32\spu_storage.bin
    2015-02-02 15:09 - 2014-11-16 15:22 - 00000000 ____D () C:\Users\Antoine\AppData\Roaming\uTorrent
    2015-02-02 15:09 - 2014-09-13 12:56 - 00000000 ___RD () C:\Users\Antoine\OneDrive
    2015-02-02 15:09 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\SysWOW64\Macromed
    2015-02-02 15:09 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\System32\sru
    2015-02-02 15:09 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\System32\Macromed
    2015-02-02 15:09 - 2013-08-22 05:36 - 00000000 ____D () C:\Windows\System32\Sysprep
    2015-02-02 14:37 - 2014-08-08 15:53 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\bcrypt.dll
    2015-01-30 12:43 - 2013-08-24 13:32 - 00022840 _____ () C:\Windows\PFRO.log
    2015-01-30 12:35 - 2014-09-13 12:56 - 00003594 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-828661788-2970797632-805723973-1004
    2015-01-30 12:30 - 2014-08-03 17:30 - 00001867 _____ () C:\Users\Public\Desktop\McAfee LiveSafe - Internet Security.lnk
    2015-01-30 12:29 - 2014-09-13 12:49 - 00003942 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{4BA4BA95-3D8C-4D4F-8FC9-D572A6ABD201}
    2015-01-30 12:29 - 2014-08-03 12:25 - 01147531 _____ () C:\Windows\WindowsUpdate.log
    2015-01-30 12:28 - 2013-08-22 05:25 - 00262144 ___SH () C:\Windows\System32\config\ELAM
    2015-01-30 12:22 - 2014-09-13 12:52 - 00000000 ____D () C:\Users\Antoine\Documents\Youcam
    2015-01-30 12:21 - 2014-11-15 10:11 - 00000432 _____ () C:\Windows\Tasks\PC Optimizer Pro startups.job
    2015-01-30 12:20 - 2013-08-22 06:46 - 00024143 _____ () C:\Windows\setupact.log
    2015-01-30 12:20 - 2013-08-22 06:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2015-01-28 11:52 - 2013-08-22 05:25 - 00524288 ___SH () C:\Windows\System32\config\BBI
    2015-01-28 11:50 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\AppReadiness
    2015-01-25 16:04 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\System32\NDF
    2015-01-25 16:00 - 2013-08-22 07:20 - 00000000 ____D () C:\Windows\CbsTemp
    2015-01-25 15:59 - 2014-09-13 12:43 - 00000000 ____D () C:\users\Antoine
    2015-01-25 15:08 - 2014-11-15 10:12 - 00000298 _____ () C:\Windows\Tasks\ArcadeParlor.job
    2015-01-25 14:46 - 2014-08-03 12:28 - 00000000 ____D () C:\users\Susan
    2015-01-25 14:45 - 2014-08-03 12:29 - 00003934 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{010C4B8A-E292-4D0A-BE5A-68391FE8762D}
    2015-01-25 14:44 - 2014-11-15 10:11 - 00000000 ____D () C:\Users\Susan\AppData\Roaming\ContentExplorer
    2015-01-25 14:44 - 2014-08-03 12:30 - 00000000 ____D () C:\Users\Susan\Documents\Youcam
    2015-01-25 14:43 - 2014-11-15 10:11 - 00000000 ____D () C:\Program Files\PC Optimizer Pro
    2015-01-25 14:43 - 2014-08-03 12:32 - 00000000 __RDO () C:\Users\Susan\SkyDrive
    2015-01-21 15:22 - 2014-11-15 10:11 - 00000458 _____ () C:\Windows\Tasks\PC Optimizer Pro Idle.job
    2015-01-19 13:32 - 2014-12-15 12:21 - 00714720 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2015-01-19 13:32 - 2014-12-15 12:21 - 00106976 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2015-01-18 10:11 - 2014-11-15 10:11 - 00000460 _____ () C:\Windows\Tasks\PC Optimizer Pro Updates.job
    2015-01-15 13:48 - 2014-06-04 22:30 - 00000000 ____D () C:\ProgramData\CyberLink
    2015-01-15 13:45 - 2014-09-13 12:52 - 00000000 ____D () C:\Users\Antoine\AppData\Local\CyberLink
    2015-01-15 03:58 - 2014-08-05 15:40 - 00000000 ____D () C:\Windows\System32\MRT
    2015-01-15 03:52 - 2014-08-05 15:40 - 113365784 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2015-01-11 09:54 - 2013-08-24 13:38 - 00891920 _____ () C:\Windows\System32\PerfStringBackup.INI

    Some content of TEMP:
    ====================
    C:\Users\Antoine\AppData\Local\Temp\COMAP.EXE
    C:\Users\Susan\AppData\Local\Temp\Extract.exe
    C:\Users\Susan\AppData\Local\Temp\jreInstall.exe
    C:\Users\Susan\AppData\Local\Temp\SP67320.exe
    C:\Users\Susan\AppData\Local\Temp\SP67322.exe
    C:\Users\Susan\AppData\Local\Temp\SP67443.exe
    C:\Users\Susan\AppData\Local\Temp\SymCCIS.dll


    ==================== Known DLLs (Whitelisted) ================


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe
    [2014-11-15 15:26] - [2014-08-22 23:48] - 2374784 ____A (Microsoft Corporation) ACDBE1ED38167C8B01B8F63161BB2CEA

    C:\Windows\SysWOW64\explorer.exe
    [2014-11-15 15:26] - [2014-08-22 23:13] - 2084520 ____A (Microsoft Corporation) 195822ACCDAA2B4815DD01BAFC335595

    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll
    [2014-11-15 15:43] - [2014-09-21 20:38] - 1519488 ____A (Microsoft Corporation) F0A117D19873FCDF801F082F33BFBB6C

    C:\Windows\SysWOW64\User32.dll
    [2014-11-15 15:43] - [2014-09-18 16:16] - 1346048 ____A (Microsoft Corporation) 5F333FDBF392850373C89BDA31EBEC1B

    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys
    [2014-11-22 17:21] - [2014-06-18 18:13] - 0310080 ___AC (Microsoft Corporation) 64CA2B4A49A8EAF495E435623ECCE7DB


    ==================== Restore Points =========================

    Restore point made on: 2014-12-28 14:52:53
    Restore point made on: 2015-01-13 09:48:15
    Restore point made on: 2015-01-18 07:25:49
    Restore point made on: 2015-01-25 16:00:24

    ==================== Memory info ===========================

    Percentage of memory in use: 23%
    Total physical RAM: 3541.78 MB
    Available physical RAM: 2718.29 MB
    Total Pagefile: 3541.78 MB
    Available Pagefile: 2737.42 MB
    Total Virtual: 131072 MB
    Available Virtual: 131071.87 MB

    ==================== Drives ================================

    Drive c: (Windows) (Fixed) (Total:449.09 GB) (Free:381.29 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Drive e: (EMTEC) (Removable) (Total:14.93 GB) (Free:14.93 GB) FAT32
    Drive g: (Windows RE tools) (Fixed) (Total:1 GB) (Free:0.63 GB) NTFS
    Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.49 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 465.8 GB) (Disk ID: FD4B3AC3)

    Partition: GPT Partition Type.

    ========================================================
    Disk: 1 (MBR Code: Windows XP) (Size: 14.9 GB) (Disk ID: 1DD5FA42)
    Partition 1: (Not Active) - (Size=14.9 GB) - (Type=0C)


    LastRegBack: 2015-01-17 14:04

    ==================== End Of Log ============================
     
  11. 2015/02/03
    broni

    broni Moderator Malware Analyst

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7/8: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the OTLPE CD.
    Run FRST (FRST64) and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    See if you can boot now.
     

    Attached Files:

  12. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    fixlog

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-02-2015
    Ran by SYSTEM at 2015-02-03 16:48:07 Run:1
    Running from E:\
    Boot Mode: Recovery
    ==============================================

    Content of fixlist:
    *****************
    HKU\Susan\...\Run: [GenieoUpdaterService] => C:\Users\Susan\AppData\Roaming\Genieo\Application\Updater\bin\genupdater.exe [294240 2014-07-14] ()
    HKU\Susan\...\Run: [GenieoSystemTray] => C:\Users\Susan\AppData\Roaming\Genieo\Application\TrayUi\bin\gentray.exe [539488 2014-07-14] ()
    C:\Users\Susan\AppData\Roaming\Genieo
    HKU\Susan\...\Run: [CFO] => C:\Program Files (x86)\Converter Free Online\Taskbar.exe [56952 2014-09-02] ()
    C:\Program Files (x86)\Converter Free Online
    Startup: C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Temperature Monitor.lnk
    ShortcutTarget: Desktop Temperature Monitor.lnk -> C:\windows\system32\config\systemprofile\AppData\Local\DesktopTemperature\DesktopTemperature.exe (No File)
    C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Temperature Monitor.lnk
    C:\windows\system32\config\systemprofile\AppData\Local\DesktopTemperature
    Startup: C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StormWatch.lnk
    ShortcutTarget: StormWatch.lnk -> C:\Program Files (x86)\StormWatch\StormWatch.exe (Weather Protector LLC)
    Startup: C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StormWatchApp.lnk
    ShortcutTarget: StormWatchApp.lnk -> C:\Program Files (x86)\StormWatch\StormWatchApp.exe ()
    C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StormWatch.lnk
    C:\Program Files (x86)\StormWatch
    S2 ConverterFreeOnlineUpdt; C:\Program Files (x86)\Converter Free Online\ConverterFreeOnlineUpdt.exe [256512 2014-09-02] ()
    S2 NcEBnPBsQ; C:\ProgramData\gDfhJMw\NcEBnPBsQ.exe [2733824 2015-01-25] (Valid Applications)
    C:\ProgramData\gDfhJMw
    S2 SWUpdater; C:\Program Files (x86)\StormWatch\SWUpdaterSvc.exe [17584 2014-11-21] (Weather Protector LLC)
    2015-01-25 14:44 - 2015-01-25 14:44 - 00000000 ____D () C:\Users\Susan\AppData\Local\StormWatch
    2015-01-25 11:39 - 2015-01-25 11:39 - 00000000 ____D () C:\Program Files (x86)\Converter Free Online
    2015-01-25 11:38 - 2015-01-25 14:45 - 00000000 ____D () C:\Users\Susan\AppData\Local\DesktopTemperature
    2015-01-25 14:43 - 2015-01-25 16:01 - 00000298 _____ () C:\Windows\Tasks\PC Optimizer Pro Scan.job
    2015-01-25 14:43 - 2015-01-25 14:43 - 00003158 _____ () C:\Windows\System32\Tasks\PC Optimizer Pro Scan
    2015-01-25 14:43 - 2015-01-25 14:43 - 00000000 ____D () C:\ProgramData\PC Optimizer Pro
    2015-01-18 10:11 - 2014-11-15 10:11 - 00000460 _____ () C:\Windows\Tasks\PC Optimizer Pro Updates.job
    C:\Users\Antoine\AppData\Local\Temp\COMAP.EXE
    C:\Users\Susan\AppData\Local\Temp\Extract.exe
    C:\Users\Susan\AppData\Local\Temp\jreInstall.exe
    C:\Users\Susan\AppData\Local\Temp\SP67320.exe
    C:\Users\Susan\AppData\Local\Temp\SP67322.exe
    C:\Users\Susan\AppData\Local\Temp\SP67443.exe
    C:\Users\Susan\AppData\Local\Temp\SymCCIS.dll

    *****************

    HKU\Susan\Software\Microsoft\Windows\CurrentVersion\Run\\GenieoUpdaterService => value deleted successfully.
    HKU\Susan\Software\Microsoft\Windows\CurrentVersion\Run\\GenieoSystemTray => value deleted successfully.
    C:\Users\Susan\AppData\Roaming\Genieo => Moved successfully.
    HKU\Susan\Software\Microsoft\Windows\CurrentVersion\Run\\CFO => value deleted successfully.
    C:\Program Files (x86)\Converter Free Online => Moved successfully.
    C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Temperature Monitor.lnk => Moved successfully.
    C:\windows\system32\config\systemprofile\AppData\Local\DesktopTemperature\DesktopTemperature.exe not found.
    "C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Temperature Monitor.lnk" => File/Directory not found.
    "C:\windows\system32\config\systemprofile\AppData\Local\DesktopTemperature" => File/Directory not found.
    C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StormWatch.lnk => Moved successfully.
    C:\Program Files (x86)\StormWatch\StormWatch.exe => Moved successfully.
    C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StormWatchApp.lnk => Moved successfully.
    C:\Program Files (x86)\StormWatch\StormWatchApp.exe => Moved successfully.
    "C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StormWatch.lnk" => File/Directory not found.
    C:\Program Files (x86)\StormWatch => Moved successfully.
    ConverterFreeOnlineUpdt => Service deleted successfully.
    NcEBnPBsQ => Service deleted successfully.
    C:\ProgramData\gDfhJMw => Moved successfully.
    SWUpdater => Service deleted successfully.
    C:\Users\Susan\AppData\Local\StormWatch => Moved successfully.
    "C:\Program Files (x86)\Converter Free Online" => File/Directory not found.
    C:\Users\Susan\AppData\Local\DesktopTemperature => Moved successfully.
    C:\Windows\Tasks\PC Optimizer Pro Scan.job => Moved successfully.
    C:\Windows\System32\Tasks\PC Optimizer Pro Scan => Moved successfully.
    C:\ProgramData\PC Optimizer Pro => Moved successfully.
    C:\Windows\Tasks\PC Optimizer Pro Updates.job => Moved successfully.
    C:\Users\Antoine\AppData\Local\Temp\COMAP.EXE => Moved successfully.
    C:\Users\Susan\AppData\Local\Temp\Extract.exe => Moved successfully.
    C:\Users\Susan\AppData\Local\Temp\jreInstall.exe => Moved successfully.
    C:\Users\Susan\AppData\Local\Temp\SP67320.exe => Moved successfully.
    C:\Users\Susan\AppData\Local\Temp\SP67322.exe => Moved successfully.
    C:\Users\Susan\AppData\Local\Temp\SP67443.exe => Moved successfully.
    C:\Users\Susan\AppData\Local\Temp\SymCCIS.dll => Moved successfully.

    ==== End of Fixlog 16:48:12 ====

    Still unable to boot.
     
  13. 2015/02/03
    broni

    broni Moderator Malware Analyst

    Let's try another fix.

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7/8: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the OTLPE CD.
    Run FRST (FRST64) and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
     

    Attached Files:

  14. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    fixlog 2

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-02-2015
    Ran by SYSTEM at 2015-02-03 17:27:51 Run:2
    Running from E:\
    Boot Mode: Recovery
    ==============================================

    Content of fixlist:
    *****************
    LastRegBack: 2015-01-17 14:04
    *****************

    DEFAULT hive was successfully copied to System32\config\HiveBackup
    DEFAULT hive was successfully restored from registry back up.
    SAM hive was successfully copied to System32\config\HiveBackup
    SAM hive was successfully restored from registry back up.
    SECURITY hive was successfully copied to System32\config\HiveBackup
    SECURITY hive was successfully restored from registry back up.
    SOFTWARE hive was successfully copied to System32\config\HiveBackup
    SOFTWARE hive was successfully restored from registry back up.
    SYSTEM hive was successfully copied to System32\config\HiveBackup
    SYSTEM hive was successfully restored from registry back up.

    ==== End of Fixlog 17:27:58 ====

    Still unable to boot.
     
  15. 2015/02/03
    broni

    broni Moderator Malware Analyst

    Give me a fresh FRST log.
     
  16. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    Fresh FRST log

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-02-2015
    Ran by SYSTEM on MININT-B36TQDF on 03-02-2015 18:36:48
    Running from e:\
    Platform: Windows 8.1 (X64) OS Language: English (United States)
    Internet Explorer Version 11
    Boot Mode: Recovery

    The current controlset is ControlSet001
    ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7634288 2014-08-05] (Realtek Semiconductor)
    HKLM\...\Run: [SimplePass] => C:\Program Files\Hewlett-Packard\SimplePass\HPSmplPass.exe [2755640 2013-09-26] (Hewlett-Packard)
    HKLM\...\Run: [OPBHOBroker] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe [155704 2013-09-26] (Hewlett-Packard)
    HKLM\...\Run: [OPBHOBrokerDesktop] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe [155704 2013-09-26] (Hewlett-Packard)
    HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1386712 2014-08-05] (Realtek Semiconductor)
    HKLM-x32\...\Run: [YouCam Service] => c:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe [267224 2013-09-01] (CyberLink Corp.)
    HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
    HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [767200 2014-06-05] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-10] (Oracle Corporation)
    HKLM\...\RunOnce: [NCPluginUpdater] => c:\program files (x86)\hewlett-packard\hp health check\activecheck\product_line\NCPluginUpdater.exe [21720 2014-08-19] (Hewlett-Packard)
    HKLM\...\RunOnce: [MSPCLOCK] => rundll32.exe streamci,StreamingDeviceSetup {97ebaacc-95bd-11d0-a3ea-00a0c9223196},{53172480-4791-11D0-A5D6-28DB04C10000},{53172480-4791-11D0-A5D6-28DB04C10000}
    HKLM\...\RunOnce: [MSPQM] => rundll32.exe streamci,StreamingDeviceSetup {DDF4358E-BB2C-11D0-A42F-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196}
    HKLM\...\RunOnce: [MSKSSRV] => rundll32.exe streamci,StreamingDeviceSetup {96E080C7-143C-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D1-B40F-00A0C9223196}
    HKLM\...\RunOnce: [MSTEE.CxTransform] => rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{CF1DDA2C-9743-11D0-A3EE-00A0C9223196},{CF1DDA2C-9743-11D0-A3EE-00A0C9223196},C:\windows\inf\ksfilter.inf,MSTEE.Interf (the data entry has 11 more characters).
    HKLM\...\RunOnce: [MSTEE.Splitter] => rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},C:\windows\inf\ksfilter.inf,MSTEE.Interf (the data entry has 11 more characters).
    HKLM\...\Policies\Explorer: [NoFolderOptions] 0
    HKLM\...\Policies\Explorer: [NoControlPanel] 0
    HKU\Antoine\...\Run: [uTorrent] => C:\Users\Antoine\AppData\Roaming\uTorrent\uTorrent.exe [1690192 2014-11-16] (BitTorrent Inc.)
    HKU\Susan\...\Run: [ContentExplorer] => C:\Users\Susan\AppData\Roaming\ContentExplorer\ContentExplorer.exe [2429680 2014-11-15] (ContentExplorer)
    HKU\Susan\...\Run: [uTorrent] => C:\Users\Antoine\AppData\Roaming\uTorrent\uTorrent.exe [1690192 2014-11-16] (BitTorrent Inc.)

    ==================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    S2 Cachedrv server; C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe [109568 2013-09-26] ()
    S2 CyberLink PowerDVD 12 Media Server Monitor Service; c:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe [77576 2013-08-12] (CyberLink)
    S2 CyberLink PowerDVD 12 Media Server Service; c:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe [298760 2013-08-12] (CyberLink)
    S2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [254016 2014-10-07] (WildTangent)
    S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178528 2014-04-25] (McAfee, Inc.)
    S3 McAWFwk; c:\Program Files\Common Files\mcafee\ActWiz\McAWFwk.exe [334608 2013-07-24] (McAfee, Inc.)
    S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    S2 McNaiAnn; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [603424 2014-09-04] (McAfee, Inc.)
    S4 McOobeSv2; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    S2 mcpltsvc; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    S2 McProxy; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    S2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1041192 2014-08-20] (McAfee, Inc.)
    S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219752 2014-06-20] (McAfee, Inc.)
    S2 mfevtp; C:\windows\system32\mfevtps.exe [189912 2014-06-20] (McAfee, Inc.)
    S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    S2 omniserv; C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe [87552 2013-09-26] (Softex Inc.)
    S2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [290520 2014-08-05] (Realtek Semiconductor)
    S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2013-08-24] (Microsoft Corporation)
    S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-21] (Microsoft Corporation)
    S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-21] (Microsoft Corporation)
    S2 SWUpdater; C:\Program Files (x86)\StormWatch\SWUpdaterSvc.exe [X]

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    S0 amdkmpfd; C:\Windows\System32\drivers\amdkmpfd.sys [36096 2013-05-22] (Advanced Micro Devices, Inc.)
    S3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3859968 2013-08-15] (Qualcomm Atheros Communications, Inc.)
    S3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [222720 2014-08-05] (Advanced Micro Devices)
    S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [72128 2014-06-20] (McAfee, Inc.)
    S1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91712 2013-03-05] (CyberLink)
    S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
    S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [181704 2014-06-20] (McAfee, Inc.)
    S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [313544 2014-06-20] (McAfee, Inc.)
    S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [70600 2014-06-20] (McAfee, Inc.)
    S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [523792 2014-06-20] (McAfee, Inc.)
    S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [786296 2014-06-20] (McAfee, Inc.)
    S3 mfencbdc; C:\Windows\system32\DRIVERS\mfencbdc.sys [445512 2014-08-20] (McAfee, Inc.)
    S3 mfencrk; C:\Windows\system32\DRIVERS\mfencrk.sys [96592 2014-08-20] (McAfee, Inc.)
    S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [348552 2014-06-20] (McAfee, Inc.)
    S3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [294104 2014-08-05] (Realtek Semiconductor Corp.)
    S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-21] (Microsoft Corporation)

    ==================== NetSvcs (Whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-02-03 17:27 - 2015-02-03 17:27 - 00000000 ____D () C:\Windows\System32\config\HiveBackup
    2015-02-03 15:14 - 2015-02-03 17:27 - 00000000 ____D () C:\FRST
    2015-02-01 17:00 - 2015-02-03 10:59 - 00000000 _____ () C:\Recovery.txt
    2015-01-30 15:58 - 2015-02-03 16:35 - 00000000 ____D () C:\ProgramData\Recovery
    2015-01-30 12:43 - 2015-02-03 15:32 - 300799994 _____ () C:\Windows\MEMORY.DMP
    2015-01-30 12:43 - 2015-02-02 15:09 - 00000000 __SHD () C:\found.000
    2015-01-30 12:43 - 2015-01-30 12:43 - 00003880 ____N () C:\bootsqm.dat
    2015-01-30 12:25 - 2015-02-02 15:09 - 00000000 ____D () C:\ProgramData\Browser
    2015-01-28 11:48 - 2015-01-28 11:48 - 00000000 ____D () C:\FinanceAlert
    2015-01-25 16:04 - 2015-01-25 16:04 - 00000000 ____D () C:\Users\Antoine\AppData\Local\FinanceAlert
    2015-01-25 14:44 - 2015-01-25 14:44 - 00000000 ____D () C:\Users\Susan\AppData\Roaming\Fighters10119
    2015-01-25 14:43 - 2015-01-25 14:43 - 00000000 ____D () C:\ProgramData\Winferno
    2015-01-25 14:21 - 2015-01-25 14:21 - 00000000 ____D () C:\Users\Antoine\AppData\Roaming\Fighters10119
    2015-01-25 11:41 - 2015-01-30 12:21 - 00000460 _____ () C:\Windows\Tasks\SLOW-PCfighter64-Susan-Startup.job
    2015-01-25 11:41 - 2015-01-30 12:21 - 00000450 _____ () C:\Windows\Tasks\SLOW-PCfighter64-Susan-Notification.job
    2015-01-25 11:41 - 2015-01-25 11:46 - 00000000 ____D () C:\ProgramData\Fighters10119
    2015-01-25 11:41 - 2015-01-25 11:41 - 00003490 _____ () C:\Windows\System32\Tasks\SLOW-PCfighter64-Susan-Notification
    2015-01-25 11:41 - 2015-01-25 11:41 - 00002824 _____ () C:\Windows\System32\Tasks\SLOW-PCfighter64-Susan-Startup
    2015-01-25 11:41 - 2015-01-25 11:41 - 00002178 _____ () C:\Users\Public\Desktop\SLOW-PCfighter 10119.lnk
    2015-01-25 11:41 - 2015-01-25 11:41 - 00000000 ____D () C:\Program Files\Fighters10119
    2015-01-25 11:41 - 2015-01-25 11:41 - 00000000 ____D () C:\Program Files (x86)\Fighters10119
    2015-01-25 11:40 - 2015-01-25 11:40 - 00002023 _____ () C:\Users\Public\Desktop\FULL-DISKfighter.lnk
    2015-01-25 11:40 - 2015-01-25 11:40 - 00000000 ____D () C:\Users\Antoine\AppData\Roaming\Fighters
    2015-01-25 11:39 - 2015-01-25 14:44 - 00000000 ____D () C:\Users\Susan\AppData\Roaming\Fighters
    2015-01-25 11:39 - 2015-01-25 11:47 - 00000474 ____H () C:\Windows\Tasks\Norton Security Scan for Antoine.job
    2015-01-25 11:39 - 2015-01-25 11:40 - 00000000 ____D () C:\ProgramData\Fighters
    2015-01-25 11:39 - 2015-01-25 11:40 - 00000000 ____D () C:\Program Files (x86)\Fighters
    2015-01-25 11:39 - 2015-01-25 11:39 - 00003624 _____ () C:\Windows\System32\Tasks\Norton Security Scan for Antoine
    2015-01-25 11:39 - 2015-01-25 11:39 - 00001480 _____ () C:\Users\Public\Desktop\Norton Security Scan.LNK
    2015-01-25 11:39 - 2015-01-25 11:39 - 00000000 ____D () C:\Windows\System32\Drivers\NSSx64
    2015-01-25 11:39 - 2015-01-25 11:39 - 00000000 ____D () C:\ProgramData\FinanceAlert
    2015-01-25 11:39 - 2015-01-25 11:39 - 00000000 ____D () C:\ProgramData\Common Toolkit Suite
    2015-01-25 11:39 - 2015-01-25 11:39 - 00000000 ____D () C:\Program Files (x86)\Norton Security Scan
    2015-01-25 11:39 - 2015-01-25 11:39 - 00000000 ____D () C:\Program Files (x86)\File Type Helper
    2015-01-25 11:38 - 2015-01-30 12:21 - 00000458 _____ () C:\Windows\Tasks\RegPowerClean.job
    2015-01-25 11:38 - 2015-01-25 16:01 - 00000444 _____ () C:\Windows\Tasks\RPCReminder.job
    2015-01-25 11:38 - 2015-01-25 14:43 - 00003124 _____ () C:\Windows\System32\Tasks\RPCReminder
    2015-01-25 11:38 - 2015-01-25 11:38 - 00003198 _____ () C:\Windows\System32\Tasks\RegPowerClean
    2015-01-25 11:38 - 2015-01-25 11:38 - 00001394 _____ () C:\Users\Public\Desktop\Check PC for Errors.lnk
    2015-01-25 11:38 - 2015-01-25 11:38 - 00000000 ____D () C:\Users\Susan\AppData\Local\System_Alerts_LLC
    2015-01-25 11:38 - 2015-01-25 11:38 - 00000000 ____D () C:\Program Files (x86)\Winferno
    2015-01-25 11:38 - 2010-10-26 08:07 - 00499785 _____ (Capital Intellect Inc) C:\Windows\SysWOW64\WINUTIL8.DLL
    2015-01-25 11:38 - 2010-09-01 12:59 - 00835656 _____ (Capital Intellect Inc) C:\Windows\SysWOW64\WINCTL5.OCX
    2015-01-25 11:38 - 2010-01-14 07:31 - 00425984 _____ () C:\Windows\SysWOW64\WinCMR.dll
    2015-01-25 11:38 - 2009-06-05 08:04 - 00393216 _____ (Capital Intellect Inc) C:\Windows\SysWOW64\WINLCTL6.DLL
    2015-01-25 11:36 - 2015-01-25 14:21 - 00000000 ____D () C:\Users\Antoine\Downloads\St. Vincent (2014)
    2015-01-21 14:16 - 2015-01-21 15:41 - 00000000 ____D () C:\Users\Antoine\Downloads\John Wick (2014) [1080p]
    2015-01-18 07:27 - 2014-04-15 15:35 - 00028352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aspnet_counters.dll
    2015-01-18 07:27 - 2014-04-15 15:34 - 00029888 _____ (Microsoft Corporation) C:\Windows\System32\aspnet_counters.dll
    2015-01-16 12:27 - 2015-01-16 12:27 - 00000000 ____D () C:\Users\Antoine\AppData\Local\MediaShow
    2015-01-15 13:48 - 2015-01-15 13:48 - 00000000 ____D () C:\Users\Antoine\Documents\CyberLink
    2015-01-15 13:48 - 2015-01-15 13:48 - 00000000 ____D () C:\Users\Antoine\AppData\Roaming\CyberLink
    2015-01-14 04:35 - 2014-12-18 22:26 - 00140800 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\mrxdav.sys
    2015-01-14 04:35 - 2014-12-11 18:04 - 00087040 _____ (Microsoft Corporation) C:\Windows\System32\TSWbPrxy.exe
    2015-01-14 04:35 - 2014-12-11 16:51 - 00075776 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ahcache.sys
    2015-01-14 04:35 - 2014-12-08 17:50 - 00225280 _____ (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2015-01-14 04:35 - 2014-12-08 11:42 - 00535640 _____ (Microsoft Corporation) C:\Windows\System32\wer.dll
    2015-01-14 04:35 - 2014-12-08 11:42 - 00531616 _____ (Microsoft Corporation) C:\Windows\System32\ci.dll
    2015-01-14 04:35 - 2014-12-08 11:42 - 00448792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wer.dll
    2015-01-14 04:35 - 2014-12-08 11:42 - 00413248 _____ (Microsoft Corporation) C:\Windows\System32\Faultrep.dll
    2015-01-14 04:35 - 2014-12-08 11:42 - 00372408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Faultrep.dll
    2015-01-14 04:35 - 2014-12-08 11:42 - 00108944 _____ (Microsoft Corporation) C:\Windows\System32\EncDump.dll
    2015-01-14 04:35 - 2014-12-08 11:42 - 00038264 _____ (Microsoft Corporation) C:\Windows\System32\WerFaultSecure.exe
    2015-01-14 04:35 - 2014-12-08 11:42 - 00033584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WerFaultSecure.exe
    2015-01-14 04:35 - 2014-12-05 19:17 - 00360448 _____ (Microsoft Corporation) C:\Windows\System32\ncsi.dll
    2015-01-14 04:35 - 2014-12-05 17:41 - 00391680 _____ (Microsoft Corporation) C:\Windows\System32\nlasvc.dll
    2015-01-14 04:35 - 2014-12-05 17:35 - 00229888 _____ (Microsoft Corporation) C:\Windows\System32\AudioEndpointBuilder.dll
    2015-01-14 04:35 - 2014-10-28 20:00 - 00465320 _____ (Microsoft Corporation) C:\Windows\System32\WerFault.exe
    2015-01-14 04:35 - 2014-10-28 20:00 - 00139984 _____ (Microsoft Corporation) C:\Windows\System32\wermgr.exe
    2015-01-14 04:35 - 2014-10-28 19:52 - 00500016 _____ (Microsoft Corporation) C:\Windows\System32\AudioSes.dll
    2015-01-14 04:35 - 2014-10-28 19:52 - 00482872 _____ (Microsoft Corporation) C:\Windows\System32\AudioEng.dll
    2015-01-14 04:35 - 2014-10-28 19:52 - 00394120 _____ (Microsoft Corporation) C:\Windows\System32\AUDIOKSE.dll
    2015-01-14 04:35 - 2014-10-28 19:52 - 00272248 _____ (Microsoft Corporation) C:\Windows\System32\audiodg.exe
    2015-01-14 04:35 - 2014-10-28 19:12 - 00413136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WerFault.exe
    2015-01-14 04:35 - 2014-10-28 19:12 - 00136296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wermgr.exe
    2015-01-14 04:35 - 2014-10-28 19:07 - 00424544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioEng.dll
    2015-01-14 04:35 - 2014-10-28 19:07 - 00370424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioSes.dll
    2015-01-14 04:35 - 2014-10-28 19:07 - 00344536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AUDIOKSE.dll
    2015-01-14 04:35 - 2014-10-28 18:44 - 00037888 _____ (Microsoft Corporation) C:\Windows\System32\werdiagcontroller.dll
    2015-01-14 04:35 - 2014-10-28 17:59 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\werdiagcontroller.dll
    2015-01-14 04:35 - 2014-10-28 17:24 - 00086016 _____ (Microsoft Corporation) C:\Windows\System32\nlaapi.dll
    2015-01-14 04:35 - 2014-10-28 17:02 - 00911360 _____ (Microsoft Corporation) C:\Windows\System32\audiosrv.dll
    2015-01-14 04:35 - 2014-10-28 17:01 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-02-03 15:33 - 2014-06-04 21:30 - 00065536 _____ () C:\Windows\System32\spu_storage.bin
    2015-02-02 15:09 - 2014-11-16 15:22 - 00000000 ____D () C:\Users\Antoine\AppData\Roaming\uTorrent
    2015-02-02 15:09 - 2014-09-13 12:56 - 00000000 ___RD () C:\Users\Antoine\OneDrive
    2015-02-02 15:09 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\SysWOW64\Macromed
    2015-02-02 15:09 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\System32\sru
    2015-02-02 15:09 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\System32\Macromed
    2015-02-02 15:09 - 2013-08-22 05:36 - 00000000 ____D () C:\Windows\System32\Sysprep
    2015-02-02 14:37 - 2014-08-08 15:53 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\bcrypt.dll
    2015-01-30 12:43 - 2013-08-24 13:32 - 00022840 _____ () C:\Windows\PFRO.log
    2015-01-30 12:35 - 2014-09-13 12:56 - 00003594 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-828661788-2970797632-805723973-1004
    2015-01-30 12:30 - 2014-08-03 17:30 - 00001867 _____ () C:\Users\Public\Desktop\McAfee LiveSafe - Internet Security.lnk
    2015-01-30 12:29 - 2014-09-13 12:49 - 00003942 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{4BA4BA95-3D8C-4D4F-8FC9-D572A6ABD201}
    2015-01-30 12:29 - 2014-08-03 12:25 - 01147531 _____ () C:\Windows\WindowsUpdate.log
    2015-01-30 12:28 - 2013-08-22 05:25 - 00262144 ___SH () C:\Windows\System32\config\ELAM
    2015-01-30 12:22 - 2014-09-13 12:52 - 00000000 ____D () C:\Users\Antoine\Documents\Youcam
    2015-01-30 12:21 - 2014-11-15 10:11 - 00000432 _____ () C:\Windows\Tasks\PC Optimizer Pro startups.job
    2015-01-30 12:20 - 2013-08-22 06:46 - 00024143 _____ () C:\Windows\setupact.log
    2015-01-30 12:20 - 2013-08-22 06:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2015-01-28 11:52 - 2013-08-22 05:25 - 00524288 ___SH () C:\Windows\System32\config\BBI
    2015-01-28 11:50 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\AppReadiness
    2015-01-25 16:04 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\System32\NDF
    2015-01-25 16:00 - 2013-08-22 07:20 - 00000000 ____D () C:\Windows\CbsTemp
    2015-01-25 15:59 - 2014-09-13 12:43 - 00000000 ____D () C:\users\Antoine
    2015-01-25 15:08 - 2014-11-15 10:12 - 00000298 _____ () C:\Windows\Tasks\ArcadeParlor.job
    2015-01-25 14:46 - 2014-08-03 12:28 - 00000000 ____D () C:\users\Susan
    2015-01-25 14:45 - 2014-08-03 12:29 - 00003934 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{010C4B8A-E292-4D0A-BE5A-68391FE8762D}
    2015-01-25 14:44 - 2014-11-15 10:11 - 00000000 ____D () C:\Users\Susan\AppData\Roaming\ContentExplorer
    2015-01-25 14:44 - 2014-08-03 12:30 - 00000000 ____D () C:\Users\Susan\Documents\Youcam
    2015-01-25 14:43 - 2014-11-15 10:11 - 00000000 ____D () C:\Program Files\PC Optimizer Pro
    2015-01-25 14:43 - 2014-08-03 12:32 - 00000000 __RDO () C:\Users\Susan\SkyDrive
    2015-01-21 15:22 - 2014-11-15 10:11 - 00000458 _____ () C:\Windows\Tasks\PC Optimizer Pro Idle.job
    2015-01-19 13:32 - 2014-12-15 12:21 - 00714720 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2015-01-19 13:32 - 2014-12-15 12:21 - 00106976 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2015-01-15 13:48 - 2014-06-04 22:30 - 00000000 ____D () C:\ProgramData\CyberLink
    2015-01-15 13:45 - 2014-09-13 12:52 - 00000000 ____D () C:\Users\Antoine\AppData\Local\CyberLink
    2015-01-15 03:58 - 2014-08-05 15:40 - 00000000 ____D () C:\Windows\System32\MRT
    2015-01-15 03:52 - 2014-08-05 15:40 - 113365784 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2015-01-11 09:54 - 2013-08-24 13:38 - 00891920 _____ () C:\Windows\System32\PerfStringBackup.INI

    ==================== Known DLLs (Whitelisted) ================


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe
    [2014-11-15 15:26] - [2014-08-22 23:48] - 2374784 ____A (Microsoft Corporation) ACDBE1ED38167C8B01B8F63161BB2CEA

    C:\Windows\SysWOW64\explorer.exe
    [2014-11-15 15:26] - [2014-08-22 23:13] - 2084520 ____A (Microsoft Corporation) 195822ACCDAA2B4815DD01BAFC335595

    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll
    [2014-11-15 15:43] - [2014-09-21 20:38] - 1519488 ____A (Microsoft Corporation) F0A117D19873FCDF801F082F33BFBB6C

    C:\Windows\SysWOW64\User32.dll
    [2014-11-15 15:43] - [2014-09-18 16:16] - 1346048 ____A (Microsoft Corporation) 5F333FDBF392850373C89BDA31EBEC1B

    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys
    [2014-11-22 17:21] - [2014-06-18 18:13] - 0310080 ___AC (Microsoft Corporation) 64CA2B4A49A8EAF495E435623ECCE7DB


    ==================== Restore Points =========================

    Restore point made on: 2014-12-28 14:52:53
    Restore point made on: 2015-01-13 09:48:15
    Restore point made on: 2015-01-18 07:25:49
    Restore point made on: 2015-01-25 16:00:24

    ==================== Memory info ===========================

    Percentage of memory in use: 22%
    Total physical RAM: 3541.78 MB
    Available physical RAM: 2742.51 MB
    Total Pagefile: 3541.78 MB
    Available Pagefile: 2760.65 MB
    Total Virtual: 131072 MB
    Available Virtual: 131071.88 MB

    ==================== Drives ================================

    Drive c: (Windows) (Fixed) (Total:449.09 GB) (Free:381.21 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Drive e: (EMTEC) (Removable) (Total:14.93 GB) (Free:14.93 GB) FAT32
    Drive g: (Windows RE tools) (Fixed) (Total:1 GB) (Free:0.63 GB) NTFS
    Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.49 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 465.8 GB) (Disk ID: FD4B3AC3)

    Partition: GPT Partition Type.

    ========================================================
    Disk: 1 (MBR Code: Windows XP) (Size: 14.9 GB) (Disk ID: 1DD5FA42)
    Partition 1: (Not Active) - (Size=14.9 GB) - (Type=0C)


    LastRegBack: 2015-01-17 14:04

    ==================== End Of Log ============================
     
  17. 2015/02/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Re-run FRST again.
    Type the following in the edit box after "Search Files: ".


    explorer.exe
    User32.dll
    volsnap.sys


    Click Search button and post the log (Search.txt) it makes in your reply.
     
  18. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    search log

    Farbar Recovery Scan Tool (x64) Version: 01-02-2015
    Ran by SYSTEM at 2015-02-03 20:11:37
    Running from e:\
    Boot Mode: Recovery

    ================== Search Files: "explorer.exe
    user32.dll
    volsnap.sys" =============

    ====== End Of Search ======
     
  19. 2015/02/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I apologize, wrong code...

    Re-run FRST again.
    Type the following in the edit box after "Search Files: ".


    explorer.exe;User32.dll;volsnap.sys


    Click Search button and post the log (Search.txt) it makes in your reply.
     
  20. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    search log

    Farbar Recovery Scan Tool (x64) Version: 01-02-2015
    Ran by SYSTEM at 2015-02-03 20:51:30
    Running from e:\
    Boot Mode: Recovery

    ================== Search Files: "explorer.exe;user32.dll;volsnap.sys" =============

    C:\Windows\explorer.exe
    [2014-11-15 15:26][2014-08-22 23:48] 2374784 ____A (Microsoft Corporation) ACDBE1ED38167C8B01B8F63161BB2CEA

    C:\Windows\WinSxS\wow64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.17347_none_c879a06475913d83\user32.dll
    [2014-11-15 15:43][2014-09-18 16:16] 1346048 ____A (Microsoft Corporation) 5F333FDBF392850373C89BDA31EBEC1B

    C:\Windows\WinSxS\wow64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.17238_none_c8856eb475883dc2\user32.dll
    [2014-11-22 17:13][2014-12-21 02:58] 0069789 ____A () 070D3596E11153FB60FD134C2A3BB599

    C:\Windows\WinSxS\wow64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.17031_none_c87e68e2758e9213\user32.dll
    [2014-08-08 15:56][2014-12-21 02:58] 0070247 ____A () 2AC315053FE3ECD1FAE8E5948537469B

    C:\Windows\WinSxS\wow64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.16441_none_c873b756759688ff\user32.dll
    [2014-08-05 04:54][2014-12-21 02:58] 0080858 ____A () E6825152A841EFF8C62655C52CFFFEDD

    C:\Windows\WinSxS\wow64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.16384_none_c84b769e75b447a1\user32.dll
    [2013-08-21 18:51][2014-12-21 02:58] 0082750 ____A () 7D7B79CE43DC3CEF0E0312A8B99B3939

    C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.17284_none_4cc798c1821453a8\explorer.exe
    [2014-11-15 15:26][2014-08-22 23:13] 2084520 ____A (Microsoft Corporation) 195822ACCDAA2B4815DD01BAFC335595

    C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.17238_none_4d01a98581e82d4f\explorer.exe
    [2014-11-22 17:22][2014-12-09 01:42] 0220250 ____A () 286928E00AD34E9F88EB5BFA52660A70

    C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.17039_none_4d02a60381e74c58\explorer.exe
    [2014-08-08 16:09][2014-12-09 01:42] 0208662 ____A () C131BC6F12417306A9C8469CA49110B1

    C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.17031_none_4cfaa3b381ee81a0\explorer.exe
    [2014-08-08 15:57][2014-11-15 11:21] 0015546 ____A () 347EFF7EC89C3EB4F72F2408E1C4E16D

    C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.16441_none_4ceff22781f6788c\explorer.exe
    [2014-08-05 04:54][2014-11-15 11:20] 0238918 ____A () 5177BB4FECDDB9CDBCF10EF65916968D

    C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.16408_none_4d2233dd81cfba29\explorer.exe
    [2014-08-05 05:01][2014-11-15 11:20] 0239123 ____A () 7B546CB045C2A84D26A8D2FE07F9F98C

    C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.16384_none_4cc7b16f8214372e\explorer.exe
    [2013-08-21 18:06][2014-11-15 11:20] 0268164 ____A () 578A251C234E51BC6B9D684480EEB9DB

    C:\Windows\WinSxS\amd64_volume.inf_31bf3856ad364e35_6.3.9600.17215_none_06c1ae9bcfd2737b\volsnap.sys
    [2014-11-22 17:21][2014-06-18 18:13] 0310080 ___AC (Microsoft Corporation) 64CA2B4A49A8EAF495E435623ECCE7DB

    C:\Windows\WinSxS\amd64_volume.inf_31bf3856ad364e35_6.3.9600.17041_none_069d39e3cfee67a4\volsnap.sys
    [2014-08-28 02:17][2014-12-09 01:25] 0031490 ____A () 50C79EDB89463E12CA94E0840DFD0932

    C:\Windows\WinSxS\amd64_volume.inf_31bf3856ad364e35_6.3.9600.17031_none_06a809cfcfe64bb3\volsnap.sys
    [2014-08-08 15:56][2014-11-15 10:15] 0033436 ____A () A24CC4ADEC9998D129FB7F5A1D1BA606

    C:\Windows\WinSxS\amd64_volume.inf_31bf3856ad364e35_6.3.9600.16523_none_06b4fa95cfdc3a92\volsnap.sys
    [2014-08-05 04:48][2014-11-15 10:15] 0043446 ____A () 462507EFFF00135C173E059BF0AE287B

    C:\Windows\WinSxS\amd64_volume.inf_31bf3856ad364e35_6.3.9600.16384_none_0675178bd00c0141\volsnap.sys
    [2013-08-22 03:40][2014-11-15 10:15] 0043661 ____A () 0BEEEDD2D3CD2A33EDD3C32B89881486

    C:\Windows\WinSxS\amd64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.17347_none_be24f61241307b88\user32.dll
    [2014-11-15 15:43][2014-09-21 20:38] 1519488 ____A (Microsoft Corporation) F0A117D19873FCDF801F082F33BFBB6C

    C:\Windows\WinSxS\amd64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.17238_none_be30c46241277bc7\user32.dll
    [2014-11-22 17:21][2014-12-09 01:13] 0126009 ____A () AF8914D00B6E8CE87EBA8A245D43CB36

    C:\Windows\WinSxS\amd64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.17031_none_be29be90412dd018\user32.dll
    [2014-08-08 15:56][2014-12-09 01:13] 0124983 ____A () 31ADEF7B319B46AA8F3B5CA26234310F

    C:\Windows\WinSxS\amd64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.16441_none_be1f0d044135c704\user32.dll
    [2013-08-22 01:56][2014-11-15 09:34] 0114641 ____A () FE5A453CBC75DAEE1A8F1BC3C0EE4AC5

    C:\Windows\WinSxS\amd64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.16384_none_bdf6cc4c415385a6\user32.dll
    [2013-08-22 01:56][2014-11-15 09:34] 0114641 ____A () FE5A453CBC75DAEE1A8F1BC3C0EE4AC5

    C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.17284_none_4272ee6f4db391ad\explorer.exe
    [2014-11-15 15:26][2014-08-22 23:48] 2374784 ____A (Microsoft Corporation) ACDBE1ED38167C8B01B8F63161BB2CEA

    C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.17238_none_42acff334d876b54\explorer.exe
    [2014-11-22 17:22][2014-12-03 02:23] 0270774 ____A () 2195687491E604BA42961470EDA7660E

    C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.17039_none_42adfbb14d868a5d\explorer.exe
    [2014-08-08 16:09][2014-12-03 02:23] 0271249 ____A () 667BC926C7CB889BF276A5FEA316CAEE

    C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.17031_none_42a5f9614d8dbfa5\explorer.exe
    [2014-08-08 15:57][2014-09-16 01:31] 0169957 ____A () 6D919C26DCB567396CD2E119B8E4310E

    C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.16441_none_429b47d54d95b691\explorer.exe
    [2014-08-05 04:54][2014-09-16 01:31] 0283735 ____A () FA98C5D746E7C9E0912E88AC44FF9926

    C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.16408_none_42cd898b4d6ef82e\explorer.exe
    [2014-08-05 05:01][2014-08-23 23:27] 0133444 ____A () 3DDF61E1B538A1205612192A61CC2376

    C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.16384_none_4273071d4db37533\explorer.exe
    [2013-08-22 01:01][2014-08-23 23:26] 0274077 ____A () 95F49CF19E3CA220190E7927773EE5B1

    C:\Windows\SysWOW64\explorer.exe
    [2014-11-15 15:26][2014-08-22 23:13] 2084520 ____A (Microsoft Corporation) 195822ACCDAA2B4815DD01BAFC335595

    C:\Windows\SysWOW64\user32.dll
    [2014-11-15 15:43][2014-09-18 16:16] 1346048 ____A (Microsoft Corporation) 5F333FDBF392850373C89BDA31EBEC1B

    C:\Windows\System32\user32.dll
    [2014-11-15 15:43][2014-09-21 20:38] 1519488 ____A (Microsoft Corporation) F0A117D19873FCDF801F082F33BFBB6C

    C:\Windows\System32\DriverStore\FileRepository\volume.inf_amd64_8687137d6e4faf5d\volsnap.sys
    [2014-11-22 17:21][2014-06-18 18:13] 0310080 ___AC (Microsoft Corporation) 64CA2B4A49A8EAF495E435623ECCE7DB

    C:\Windows\System32\drivers\volsnap.sys
    [2014-11-22 17:21][2014-06-18 18:13] 0310080 ___AC (Microsoft Corporation) 64CA2B4A49A8EAF495E435623ECCE7DB

    X:\Windows\WinSxS\amd64_volume.inf_31bf3856ad364e35_6.3.9600.16384_none_0675178bd00c0141\volsnap.sys
    [2013-08-22 05:45][2013-08-22 05:45] 0312160 ____A (Microsoft Corporation) 9F9CE33B50611A1C61A46B8911E0B30B

    X:\Windows\WinSxS\amd64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.16384_none_bdf6cc4c415385a6\user32.dll
    [2013-08-22 05:45][2013-08-22 05:45] 1517984 ____A (Microsoft Corporation) 1A811BAFA2114C2FC878507F9F86566C

    X:\Windows\System32\user32.dll
    [2013-08-22 05:45][2013-08-22 05:45] 1517984 ____A (Microsoft Corporation) 1A811BAFA2114C2FC878507F9F86566C

    X:\Windows\System32\DriverStore\FileRepository\volume.inf_amd64_50d690313539fa92\volsnap.sys
    [2013-08-22 05:45][2013-08-22 05:45] 0312160 ____A (Microsoft Corporation) 9F9CE33B50611A1C61A46B8911E0B30B

    X:\Windows\System32\drivers\volsnap.sys
    [2013-08-22 05:45][2013-08-22 05:45] 0312160 ____A (Microsoft Corporation) 9F9CE33B50611A1C61A46B8911E0B30B

    ====== End Of Search ======
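What the analyst does with a Search.txt like the one above is compare each live copy of the file (C:\Windows, System32, SysWOW64, System32\drivers) with the component-store copies of the same name in WinSxS and the DriverStore: an identical size and MD5 means the live file is at least consistent with what Windows servicing installed. The Python below is an added example of that cross-check done mechanically; it is not part of this thread and not an FRST feature. The log excerpt it parses is copied from the post above, except for the CONSTRUCTED-demo.dll entry and its all-zero hash, which are invented to show an unmatched, publisher-less file. The field names (ts_a, ts_b, needs_review) are my own labels, not FRST's.

```python
import re
from collections import defaultdict

# Excerpt of the Search.txt posted above. Paths and hashes are copied from that
# log; the CONSTRUCTED-demo.dll entry and its all-zero hash are invented here
# to show what an unmatched file with no publisher string looks like.
SEARCH_LOG = r"""
================== Search Files: "explorer.exe;user32.dll;volsnap.sys" =============
C:\Windows\explorer.exe
[2014-11-15 15:26][2014-08-22 23:48] 2374784 ____A (Microsoft Corporation) ACDBE1ED38167C8B01B8F63161BB2CEA
C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.17284_none_4cc798c1821453a8\explorer.exe
[2014-11-15 15:26][2014-08-22 23:13] 2084520 ____A (Microsoft Corporation) 195822ACCDAA2B4815DD01BAFC335595
C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.17284_none_4272ee6f4db391ad\explorer.exe
[2014-11-15 15:26][2014-08-22 23:48] 2374784 ____A (Microsoft Corporation) ACDBE1ED38167C8B01B8F63161BB2CEA
C:\Windows\WinSxS\amd64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.17347_none_be24f61241307b88\user32.dll
[2014-11-15 15:43][2014-09-21 20:38] 1519488 ____A (Microsoft Corporation) F0A117D19873FCDF801F082F33BFBB6C
C:\Windows\WinSxS\wow64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.17347_none_c879a06475913d83\user32.dll
[2014-11-15 15:43][2014-09-18 16:16] 1346048 ____A (Microsoft Corporation) 5F333FDBF392850373C89BDA31EBEC1B
C:\Windows\WinSxS\amd64_volume.inf_31bf3856ad364e35_6.3.9600.17215_none_06c1ae9bcfd2737b\volsnap.sys
[2014-11-22 17:21][2014-06-18 18:13] 0310080 ___AC (Microsoft Corporation) 64CA2B4A49A8EAF495E435623ECCE7DB
C:\Windows\SysWOW64\explorer.exe
[2014-11-15 15:26][2014-08-22 23:13] 2084520 ____A (Microsoft Corporation) 195822ACCDAA2B4815DD01BAFC335595
C:\Windows\System32\user32.dll
[2014-11-15 15:43][2014-09-21 20:38] 1519488 ____A (Microsoft Corporation) F0A117D19873FCDF801F082F33BFBB6C
C:\Windows\SysWOW64\user32.dll
[2014-11-15 15:43][2014-09-18 16:16] 1346048 ____A (Microsoft Corporation) 5F333FDBF392850373C89BDA31EBEC1B
C:\Windows\System32\drivers\volsnap.sys
[2014-11-22 17:21][2014-06-18 18:13] 0310080 ___AC (Microsoft Corporation) 64CA2B4A49A8EAF495E435623ECCE7DB
C:\Windows\System32\CONSTRUCTED-demo.dll
[2015-01-25 14:43][2015-01-25 14:43] 0001234 ____A () 00000000000000000000000000000000
X:\Windows\WinSxS\amd64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.16384_none_bdf6cc4c415385a6\user32.dll
[2013-08-22 05:45][2013-08-22 05:45] 1517984 ____A (Microsoft Corporation) 1A811BAFA2114C2FC878507F9F86566C
X:\Windows\System32\user32.dll
[2013-08-22 05:45][2013-08-22 05:45] 1517984 ____A (Microsoft Corporation) 1A811BAFA2114C2FC878507F9F86566C
"""

# Details line as FRST prints it: [ts][ts] size attrs (publisher) MD5.
# ts_a/ts_b are our own labels for the two bracketed timestamps.
ENTRY_RE = re.compile(
    r"^\[(?P<ts_a>[^\]]+)\]\[(?P<ts_b>[^\]]+)\]\s+(?P<size>\d+)\s+"
    r"(?P<attrs>\S+)\s+\((?P<company>[^)]*)\)\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_frst_search(text):
    """Parse Search.txt hits: each hit is a path line followed by a details line."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m and pending:
            low = pending.lower()
            entries.append({
                "path": pending,
                "drive": pending[0].upper(),
                "name": pending.rsplit("\\", 1)[-1].lower(),
                "size": int(m["size"]),
                "attrs": m["attrs"],
                "company": m["company"],
                "md5": m["md5"].upper(),
                # component-store copies live under WinSxS or the driver store
                "in_store": "\\winsxs\\" in low or "\\driverstore\\" in low,
            })
            pending = None
        else:
            # a drive-letter path starts a new hit; headers and blank lines reset
            pending = line if PATH_RE.match(line) else None
    return entries


def cross_check(entries):
    """For every live (non-store) file, look for a component-store copy on the
    same drive with the same file name, size and MD5. Returns path -> verdict."""
    store = defaultdict(list)
    for e in entries:
        if e["in_store"]:
            store[(e["drive"], e["name"])].append(e)
    verdicts = {}
    for e in entries:
        if e["in_store"]:
            continue
        match = next((c for c in store[(e["drive"], e["name"])]
                      if c["md5"] == e["md5"] and c["size"] == e["size"]), None)
        verdicts[e["path"]] = {
            "matched_store_copy": match["path"] if match else None,
            "has_publisher": bool(e["company"]),
            # no identical store copy, or no publisher string: look at it by hand
            "needs_review": match is None or not e["company"],
        }
    return verdicts


if __name__ == "__main__":
    for path, v in cross_check(parse_frst_search(SEARCH_LOG)).items():
        flag = "REVIEW" if v["needs_review"] else "ok    "
        print(flag, path, "->", v["matched_store_copy"] or "no identical store copy")
```

Two caveats on reading the result. A store match only shows that the live file agrees with the component store on that machine; it is not proof of authenticity, since anything that can replace a system binary can in principle touch WinSxS as well, so the authoritative check remains the file's Authenticode signature (or `sfc /scannow` from a working system). And the small, publisher-less WinSxS entries in the full log (for instance the 69,789-byte user32.dll) are almost certainly delta-compressed component-store data rather than full binaries, so they will never match a live file and should not be read as tampered copies.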
     
  21. 2015/02/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    What actually happens when you try to start Windows?
    Did you try to boot to safe mode?
     
