
Windows 7 Operating system wipe out


  • This topic is locked
135 replies to this topic

#1 mmohler
Posted 12 September 2011 - 12:23 PM

Hi!
This is my first posting and need recommendations.
I have Windows 7 64 byte OS but my computer is not recognizing it any longer.
I'm pretty certain a virus has caused this.
I have spent many hours trying to research and attempt to recover everything myself.
Using System Recovery Tool it clearly shows the OS is UNKNOWN on local disk.
Startup repair cannot repair automatically.
Diagnosis & repair details show no OS files found on disk.
Error code 0X3bc3.

I have the Windows 7 CD with product key that is in the disk drive.
Windows loads files.
Starting Windows screen.
I get to Configure language and location options in Windows 7 Setup screen
Windows 7 Install Windows screen
Repair your computer
System Recovery Options dialog box
System Recovery Options - nothing listed.
If I select LOAD DRIVER I can look in drives and folders but don't know what I am looking at or for.
I have C drive/System D drive/Boot X drive
I'm not sure about what to do or if a virus is hiding somewhere.

Boot configuration is screwed up... I don't know what to do at this point.
Even if I try System Restore, a virus could be hidden somewhere?

Any recommendations for this fabulous situation I am in???
I have backed up my system on a WD My Passport. God only knows if that was done correctly or not.
All I want is my iTunes back and my music - I don't care about anything else in life - HAHAHAHA!

Thanks
Melanie


#2 Allan
Posted 12 September 2011 - 12:26 PM

Let's start at the beginning. Are you trying to repair the system or are you prepared to start from scratch with a format and reinstall? If the former, you should post in the Am I Infected forum on this site because if your system IS infected, running a repair won't help - the system will still be infected. If you are willing to start from scratch please let us know and we'll walk you through it.

#3 mmohler
Posted 12 September 2011 - 12:38 PM

Allan

Hi and thanks for your reply.
I would like to repair in case I have not backed up my files correctly but don't know how difficult that will be.
I can try Am I Infected :) and if I can't get anywhere then I start from scratch.

Thanks
Melanie

#4 boopme
Posted 12 September 2011 - 01:55 PM

Hello, I moved this to Am I Infected.

Does this boot to Windows? If so, let's do two scans first.
Next, run MBAM (Malwarebytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

#5 mmohler
Posted 12 September 2011 - 02:01 PM

Hi!
To my knowledge this does not boot at all, so I cannot run anything or save files to the desktop.

I have seen NO BOOTABLE DISK

At one time I saw
File\Boot\BCD
Status 0XC000000F
Boot config data
Needs windows installation disk

Now I cannot even locate BCD in command prompts.

Think OS was removed by virus.

Melanie

#6 boopme
Posted 12 September 2011 - 02:42 PM

Melanie, I need to have another helper here that specializes in non-booters.

#7 mmohler
Posted 12 September 2011 - 02:44 PM

Thank you.

Melanie

#8 JSntgRvr
Posted 12 September 2011 - 10:47 PM

Let's give it a try. We first need to look at the system, if any, from an external source.

For 64-bit systems, download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
Then:
  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Edited by Orange Blossom, 12 September 2011 - 11:03 PM.
Moved to log forum. ~ OB


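Once FRST.txt is back on the flash drive, the first thing a helper does with it is read the Registry, Services and Drivers sections for entries that stand out. The script below is an added example for this thread, not code from the thread or from FRST itself: it parses those three sections in the FRST 2.x layout posted here and flags entries whose file FRST could not find ([x]), entries with no publisher recorded, and autoruns that live in a user-writable folder. The sample log embedded in it is constructed for the example (the HKU "updater" line is an invented suspicious entry), and the line-format regexes are my own assumptions about FRST's output, not its specification.

```python
"""Triage the autorun sections of a Farbar Recovery Scan Tool (FRST) log.
Added example for this thread, not FRST's own code; the line formats are assumed
from the FRST 2.x output posted in the thread, not taken from a specification."""
import re
import sys
from collections import namedtuple

# "===== Registry (Whitelisted) =====" style headers; any other "====" line closes a section.
SECTION_RE = re.compile(r"^=+\s*(Registry|Services|Drivers)\s*\(Whitelisted\)\s*=+")
# HKLM\...\Run: [Name] <command> [size date] (Company)   (also HKLM-x32 and HKU\<user>)
RUN_RE = re.compile(r"^(HK\S*?)\\\.\.\.\\Run: \[(.*?)\] (.*)$")
# <start type 0-4> <ServiceName>; <command> [size date] (Company)
SVC_RE = re.compile(r"^([0-4]) ([^;]+); (.*)$")
TAIL_RE = re.compile(r"\s*\[(\d+) (\d{4}-\d{2}-\d{2})\] \((.*?)\)\s*$")
EXT_RE = re.compile(r"^(.*?\.(?:exe|sys|dll|com|bat|cmd|scr))(?=\s|$)", re.I)
# Folders an ordinary user can write to; an autorun living there deserves a second look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\$recycle.bin\\")

Entry = namedtuple("Entry", "section name command path company missing reasons")

def split_tail(rest):
    """Split '<command> [size date] (Company)' or '<command> [x]' into (command, company, missing)."""
    rest = rest.strip()
    if rest.endswith("[x]"):  # FRST marks entries whose file it could not find with [x]
        return rest[:-3].strip(), None, True
    m = TAIL_RE.search(rest)
    if not m:
        return rest, None, False
    return rest[:m.start()].strip(), m.group(3).strip(), False

def binary_path(command):
    """Pull the executable out of a command line that may carry arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXT_RE.match(command)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""

def assess(section, name, rest):
    command, company, missing = split_tail(rest)
    path = binary_path(command)
    reasons = []
    if missing:
        reasons.append("target file not found ([x])" if command else "no target recorded ([x])")
    elif not company:
        reasons.append("no publisher recorded")
    if any(marker in path.lower() for marker in USER_WRITABLE):
        reasons.append("runs from user-writable location")
    return Entry(section, name, command, path, company or "", missing, reasons)

def triage(text):
    """Return every Run value, service and driver entry in the log, flagged or not."""
    section, entries = None, []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif line.startswith("===="):
            section = None
        elif section == "Registry" and (m := RUN_RE.match(line)):
            entries.append(assess(section, m.group(2), m.group(3)))
        elif section in ("Services", "Drivers") and (m := SVC_RE.match(line)):
            entries.append(assess(section, m.group(2), m.group(3)))
    return entries

def flagged(text):
    return [e for e in triage(text) if e.reasons]

# Constructed sample in the FRST 2.x layout; the HKU "updater" line is an invented suspicious entry.
SAMPLE_LOG = r"""Scan result of Farbar Recovery Scan Tool (FRST) -- constructed sample, not a real log

========================== Registry (Whitelisted) =============
HKLM\...\Run: [] [x]
HKLM\...\Run: [IgfxTray] C:\windows\system32\igfxtray.exe [165912 2009-09-02] (Intel Corporation)
HKLM\...\Run: [ThpSrv] C:\windows\system32\thpsrv /logon [x]
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1436736 2011-06-15] (Microsoft Corporation)
HKU\owner\...\Run: [updater] C:\Users\owner\AppData\Roaming\svchost.exe [51200 2011-08-09] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

==================== Services (Whitelisted) ======
2 lxdx_device; C:\windows\system32\lxdxcoms.exe -service [1044648 2008-02-27] ( )
2 Thpsrv; C:\windows\system32\ThpSrv.exe [531520 2009-07-08] (TOSHIBA Corporation)

========================== Drivers (Whitelisted) =============
3 swmsflt; C:\Windows\System32\DRIVERS\swmsflt.sys [47104 2009-10-20] ()
0 Thpdrv; C:\Windows\System32\DRIVERS\thpdrv.sys [34880 2009-06-29] (TOSHIBA Corporation)
3 Tosrfcom; [x]

============ One Month Created Files and Folders ==============
2011-09-13 08:26 - 2011-09-13 08:27 - 0000000 ____D C:\FRST
"""

if __name__ == "__main__":
    # Real FRST.txt files are often UTF-16; pass encoding="utf-16" to open() if the output looks garbled.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for e in flagged(text):
        print(f"[{e.section}] {e.name or '(unnamed)'}: {e.path or '(no path)'} -> {'; '.join(e.reasons)}")
```

Run it on a clean machine against the real log (python frst_triage.py F:\FRST.txt). A flag is a reason to look, not a verdict: a Run value left behind by an uninstalled program also shows up as [x], and some legitimate OEM drivers and printer services are listed with an empty publisher, so each flagged path still needs to be checked by hand (or uploaded to a scanner) before anything is removed.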
#9 mmohler
Posted 13 September 2011 - 07:31 AM

HI & THANK YOU!!!

In the Farbar Recovery Scanner Tool
The whitelist options - everything was checked except List Drivers MD5 (which I assume is correct)

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.2.1
Ran by SYSTEM at 2011-09-13 08:27:02
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [] [x]
HKLM\...\Run: [IgfxTray] C:\windows\system32\igfxtray.exe [165912 2009-09-02] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe [387608 2009-09-02] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\windows\system32\igfxpers.exe [365592 2009-09-02] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-28] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-20] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [497504 2009-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [909624 2009-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [ThpSrv] C:\windows\system32\thpsrv /logon [x]
HKLM\...\Run: [TFPUPWDBankService] C:\Program Files\TOSHIBA\TFPU\TFPUPWDBank.exe /start [924080 2009-08-20] (TOSHIBA)
HKLM\...\Run: [TFPUService] C:\Program Files\TOSHIBA\TFPU\TFPUTaskMonitor.exe /start [792496 2009-08-20] (TOSHIBA)
HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-07-29] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2009-08-03] (TOSHIBA Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1436736 2011-06-15] (Microsoft Corporation)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" UNATTENDED [529256 2009-07-16] (Toshiba)
HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1294136 2009-08-17] (TOSHIBA Corporation)
HKU\owner\...\Run: [MyTOSHIBA] "C:\Program Files (x86)\TOSHIBA\My Toshiba\MyToshiba.exe" /AUTO [264048 2009-08-06] (TOSHIBA)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

==================== Services (Whitelisted) ======

2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
2 ATService; C:\Program Files\Fingerprint Sensor\ATService.exe [2688248 2009-08-04] (AuthenTec, Inc.)
3 GameConsoleService; "C:\Program Files (x86)\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe" [250616 2009-05-22] (WildTangent, Inc.)
2 lxdxCATSCustConnectService; C:\windows\system32\spool\DRIVERS\x64\3\\lxdxserv.exe [29184 2009-10-16] (Lexmark International, Inc.)
2 lxdx_device; C:\windows\system32\lxdxcoms.exe -service [1044648 2008-02-27] ( )
2 Thpsrv; C:\windows\system32\ThpSrv.exe [531520 2009-07-08] (TOSHIBA Corporation)
3 TOSHIBA Bluetooth Service; C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [192368 2009-07-30] (TOSHIBA CORPORATION)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe" [x]
4 NetMsmqActivator; "c:\windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe" -NetMsmqActivator [x]
4 NetPipeActivator; c:\windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [x]
4 NetTcpActivator; c:\windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [x]
4 NetTcpPortSharing; c:\windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

3 ATSwpWDF; C:\Windows\System32\Drivers\ATSwpWDF.sys [734720 2009-08-04] (AuthenTec, Inc.)
3 OlyCamComm; C:\Windows\System32\DRIVERS\OlyCamComm.sys [24208 2009-09-09] (OLYMPUS IMAGING CORP.)
2 rimmptsk; C:\Windows\System32\DRIVERS\rimmpx64.sys [67584 2009-06-25] (REDC)
2 rimsptsk; C:\Windows\System32\DRIVERS\rimspx64.sys [55296 2009-06-25] (REDC)
3 swmsflt; C:\Windows\System32\DRIVERS\swmsflt.sys [47104 2009-10-20] ()
3 SWMX00; C:\Windows\System32\DRIVERS\swmx00.sys [211328 2009-08-04] (Sierra Wireless Inc.)
3 SWNC5E00; C:\Windows\System32\DRIVERS\SWNC5E00.sys [285696 2009-08-04] (Sierra Wireless Inc.)
0 Thpdrv; C:\Windows\System32\DRIVERS\thpdrv.sys [34880 2009-06-29] (TOSHIBA Corporation)
0 Thpevm; C:\Windows\System32\DRIVERS\Thpevm.SYS [14784 2009-06-29] (TOSHIBA Corporation)
3 tosrfec; C:\Windows\System32\DRIVERS\tosrfec.sys [19824 2009-07-13] (TOSHIBA Corporation)
3 Tosrfcom; [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2011-09-13 08:26 - 2011-09-13 08:27 - 0000000 ____D C:\FRST
2011-08-21 13:30 - 2011-08-21 13:30 - 0002453 ____A C:\Users\Public\Desktop\SeaTools for Windows.lnk
2011-08-21 13:30 - 2011-08-21 13:30 - 0000000 ____D C:\Program Files (x86)\Seagate
2011-08-21 13:23 - 2011-08-21 13:31 - 17977016 ____A C:\Users\owner\Downloads\SeaToolsforWindowsSetup-1205.exe
2011-08-19 17:28 - 2011-08-16 09:16 - 0741205 ____A C:\Users\owner\Desktop\p8061023.jpg
2011-08-17 08:33 - 2011-08-17 08:34 - 0000000 ____D C:\Users\owner\AppData\Local\{20CD0273-F500-4644-97BB-7F77BBD50B15}
2011-08-16 13:02 - 2011-08-16 13:02 - 0779938 ____A C:\Users\owner\Desktop\alaina.zip
2011-08-16 12:43 - 2011-08-16 09:16 - 0787034 ____A C:\Users\owner\Desktop\alaina.jpg

============ 3 Months Modified Files and Folders =============

2011-09-13 08:27 - 2011-09-13 08:26 - 0000000 ____D C:\FRST
2011-08-22 09:57 - 2009-11-23 23:23 - 1787490 ____A C:\Windows\WindowsUpdate.log
2011-08-21 13:31 - 2011-08-21 13:23 - 17977016 ____A C:\Users\owner\Downloads\SeaToolsforWindowsSetup-1205.exe
2011-08-21 13:30 - 2011-08-21 13:30 - 0002453 ____A C:\Users\Public\Desktop\SeaTools for Windows.lnk
2011-08-21 13:30 - 2011-08-21 13:30 - 0000000 ____D C:\Program Files (x86)\Seagate
2011-08-21 13:10 - 2009-07-13 20:45 - 0015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2011-08-21 13:10 - 2009-07-13 20:45 - 0015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2011-08-21 13:03 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2011-08-21 13:03 - 2009-07-13 20:51 - 0086074 ____A C:\Windows\setupact.log
2011-08-20 18:35 - 2009-07-13 21:13 - 0782702 ____A C:\Windows\System32\PerfStringBackup.INI
2011-08-19 18:54 - 2010-03-16 13:53 - 0000000 ____D C:\Users\All Users\Lx_cats
2011-08-19 18:54 - 2010-03-16 13:53 - 0000000 ____D C:\ProgramData\Lx_cats
2011-08-19 17:28 - 2010-03-12 14:32 - 5776384 ___RA C:\Users\Public\Documents\ESBK.mb
2011-08-19 17:28 - 2010-03-12 14:32 - 13901824 ___RA C:\Users\Public\Documents\ESBK.mbb
2011-08-17 08:34 - 2011-08-17 08:33 - 0000000 ____D C:\Users\owner\AppData\Local\{20CD0273-F500-4644-97BB-7F77BBD50B15}
2011-08-17 08:34 - 2011-07-15 04:19 - 0000000 ____D C:\Users\owner\AppData\Roaming\Windows Live Writer
2011-08-16 13:02 - 2011-08-16 13:02 - 0779938 ____A C:\Users\owner\Desktop\alaina.zip
2011-08-16 12:10 - 2010-08-19 10:51 - 0000000 ____D C:\Users\owner\Desktop\PRINT
2011-08-16 09:16 - 2011-08-19 17:28 - 0741205 ____A C:\Users\owner\Desktop\p8061023.jpg
2011-08-16 09:16 - 2011-08-16 12:43 - 0787034 ____A C:\Users\owner\Desktop\alaina.jpg
2011-08-12 12:24 - 2011-08-12 12:24 - 0000000 ____D C:\Users\All Users\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-08-12 12:24 - 2011-08-12 12:24 - 0000000 ____D C:\ProgramData\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-08-12 08:35 - 2011-01-26 17:09 - 0776918 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2011-08-12 07:42 - 2011-01-26 17:09 - 0000000 ____D C:\Program Files\Microsoft Security Client
2011-08-12 07:33 - 2011-01-26 17:10 - 0001945 ____A C:\Windows\epplauncher.mif
2011-08-12 07:32 - 2011-08-12 07:32 - 0000000 ____D C:\Program Files (x86)\Microsoft Security Client
2011-08-11 04:05 - 2009-12-16 20:56 - 54065608 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2011-08-11 03:58 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\NDF
2011-08-10 12:27 - 2011-08-10 12:27 - 0001794 ____A C:\Users\Public\Desktop\iTunes.lnk
2011-08-10 12:27 - 2011-08-10 12:25 - 0000000 ____D C:\Program Files\iTunes
2011-08-10 12:27 - 2011-08-10 12:25 - 0000000 ____D C:\Program Files (x86)\iTunes
2011-08-10 12:26 - 2011-08-10 12:26 - 0000000 ____D C:\Program Files\iPod
2011-08-10 12:22 - 2011-08-10 12:22 - 0000000 ____D C:\Program Files\Bonjour
2011-08-10 12:22 - 2011-08-10 12:22 - 0000000 ____D C:\Program Files (x86)\Bonjour
2011-08-10 12:12 - 2011-08-10 12:12 - 0001856 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2011-08-10 12:12 - 2011-08-10 12:11 - 0000000 ____D C:\Program Files (x86)\QuickTime
2011-08-10 07:39 - 2011-08-10 07:33 - 0219116 ____A C:\Windows\ntbtlog.txt
2011-08-09 13:09 - 2010-03-02 05:47 - 0000000 ____D C:\Users\owner\AppData\Local\ElevatedDiagnostics
2011-08-09 13:07 - 2011-08-09 13:07 - 0000000 ____D C:\Windows\pss
2011-08-09 13:03 - 2011-08-09 12:59 - 0000000 ____D C:\Users\owner\AppData\Local\{13AAF21A-CF3D-448E-B6FA-839497D11792}
2011-08-09 12:59 - 2011-08-09 12:58 - 0000000 ____D C:\Users\owner\AppData\Local\{6351098C-17D8-4914-A576-356CC26B996C}
2011-08-09 12:59 - 2010-11-22 04:11 - 0000000 ____D C:\Users\owner\AppData\Local\Windows Live
2011-08-09 12:57 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\config\TxR
2011-08-09 12:56 - 2010-01-27 20:42 - 0000000 ____D C:\Users\owner\Tracing
2011-08-09 12:52 - 2009-12-16 19:41 - 0000000 ____D C:\users\owner
2011-08-09 12:50 - 2009-07-13 19:20 - 0000000 __RSD C:\Windows\Media
2011-08-09 12:50 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\PolicyDefinitions
2011-08-09 12:49 - 2011-08-08 14:33 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2011-08-09 12:49 - 2011-06-06 08:11 - 0000000 ____D C:\Windows\en
2011-08-09 12:49 - 2011-06-06 08:09 - 0000000 ____D C:\Program Files\Windows Live
2011-08-09 12:49 - 2010-03-12 14:28 - 0000000 ____D C:\Users\owner\AppData\Roaming\Arcsoft
2011-08-09 12:49 - 2010-03-12 14:28 - 0000000 ____D C:\Users\All Users\ArcSoft
2011-08-09 12:49 - 2010-03-12 14:28 - 0000000 ____D C:\ProgramData\ArcSoft
2011-08-09 12:49 - 2009-12-16 19:44 - 0000000 ____D C:\Users\owner\AppData\Local\Toshiba
2011-08-09 12:49 - 2009-09-02 20:43 - 0000000 ____D C:\Program Files (x86)\Windows Live
2011-08-09 12:49 - 2009-09-02 20:36 - 0000000 ____D C:\Program Files\Google
2011-08-09 12:49 - 2009-09-02 20:36 - 0000000 ____D C:\Program Files (x86)\Google
2011-08-09 12:49 - 2009-09-02 20:23 - 0000000 ____D C:\Program Files (x86)\TOSHIBA
2011-08-09 12:49 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Downloaded Program Files
2011-08-09 12:49 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Common Files\Microsoft Shared
2011-08-09 12:48 - 2009-07-13 19:20 - 0000000 ___HD C:\Windows\System32\GroupPolicy
2011-08-09 12:48 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\registration
2011-08-09 12:45 - 2009-09-02 20:36 - 0000000 ____D C:\Users\All Users\Google
2011-08-09 12:45 - 2009-09-02 20:36 - 0000000 ____D C:\ProgramData\Google
2011-08-09 12:45 - 2009-09-02 20:35 - 0000000 ____D C:\Users\All Users\Adobe
2011-08-09 12:45 - 2009-09-02 20:35 - 0000000 ____D C:\ProgramData\Adobe
2011-08-09 12:45 - 2009-09-02 20:24 - 0000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2011-08-09 12:44 - 2010-04-28 18:01 - 0000000 ____D C:\Program Files (x86)\Adobe
2011-08-08 14:35 - 2009-12-16 19:45 - 0000000 ____D C:\Users\owner\AppData\Local\Google
2011-08-08 14:33 - 2011-08-08 14:33 - 0000000 ____D C:\Users\owner\AppData\Roaming\Mozilla
2011-08-08 14:33 - 2011-08-08 14:33 - 0000000 ____D C:\Users\owner\AppData\Local\Mozilla
2011-08-08 13:28 - 2011-08-08 13:28 - 0000000 ____D C:\Users\owner\AppData\Local\{8C5F5825-C31E-458C-BC78-9A57EEA33999}
2011-08-08 13:28 - 2011-08-08 13:28 - 0000000 ____D C:\Users\owner\AppData\Local\{77F20ABA-57D4-4BDA-94AE-3525E00F6117}
2011-08-08 13:11 - 2011-08-08 13:10 - 0000000 ____D C:\Users\owner\AppData\Local\{8459556A-72B0-4CDF-9857-2DBD05058C1C}
2011-08-08 13:10 - 2011-08-08 13:10 - 0000000 ____D C:\Users\owner\AppData\Local\{0D6F9B6B-FD8B-4736-9348-A385C5D0EFC5}
2011-08-08 12:20 - 2011-08-08 12:20 - 0065536 __ASH C:\Windows\System32\config\components{30865c0d-63dc-11e0-b31c-00266c34b2b4}.TxR.blf
2011-08-08 12:17 - 2011-08-08 12:17 - 0000000 ____D C:\Users\owner\AppData\Local\{D78B4C06-2851-4D27-A4B1-4DC7C9017AFD}
2011-08-08 12:17 - 2011-08-08 12:17 - 0000000 ____D C:\Users\owner\AppData\Local\{BC4073D0-2736-427D-A910-76BBB4F6B445}
2011-08-07 06:58 - 2011-08-07 06:57 - 0000000 ____D C:\Users\owner\AppData\Local\{7097458A-EC0D-49ED-BA6D-DFA0106B8B3A}
2011-08-04 07:46 - 2011-08-04 07:46 - 0000000 ____D C:\Users\All Users\WD_SmartWareCommon
2011-08-04 07:46 - 2011-08-04 07:46 - 0000000 ____D C:\ProgramData\WD_SmartWareCommon
2011-08-04 07:42 - 2011-08-04 07:42 - 0000000 ____D C:\Users\owner\AppData\Roaming\Western Digital
2011-08-04 07:42 - 2011-08-04 07:42 - 0000000 ____D C:\Users\All Users\Western Digital
2011-08-04 07:42 - 2011-08-04 07:42 - 0000000 ____D C:\ProgramData\Western Digital
2011-08-04 07:41 - 2011-08-04 07:41 - 0000000 ____D C:\Program Files\Western Digital
2011-08-04 07:41 - 2011-08-04 07:41 - 0000000 ____D C:\Program Files (x86)\Western Digital
2011-08-04 07:36 - 2010-01-25 07:09 - 0000000 ____D C:\Users\owner\AppData\Local\Adobe
2011-08-04 07:31 - 2011-08-04 07:31 - 0000000 ____D C:\Users\owner\AppData\Roaming\InstallShield
2011-08-04 07:29 - 2011-08-04 07:26 - 13415176 ____A C:\Users\owner\Downloads\TC10106100A.exe
2011-08-04 07:15 - 2011-08-04 07:15 - 0000000 ____D C:\Users\owner\AppData\Local\Western Digital
2011-08-04 03:54 - 2011-08-04 03:53 - 0000000 ____D C:\Users\owner\AppData\Local\{FB4213DE-C359-4084-B57D-C7C7AC7E9CC2}
2011-08-02 15:50 - 2011-08-01 12:17 - 0000000 ____D C:\Users\owner\AppData\Local\{15C9D7A9-00EC-4977-BD73-F11B06C4FA70}
2011-08-01 12:14 - 2009-07-13 23:44 - 0000000 ___RD C:\Users\Public\Recorded TV
2011-08-01 11:15 - 2011-08-01 11:15 - 0000000 ____D C:\Users\owner\AppData\Local\Apps\2.0
2011-08-01 10:00 - 2011-08-01 10:00 - 0000000 ____D C:\Users\owner\AppData\Local\{2EEC0ABA-FE73-4CE5-8239-D15B53A90416}
2011-07-25 18:15 - 2011-07-25 18:14 - 0000000 ____D C:\Users\owner\AppData\Local\{C84BEA11-9B04-439E-9BAF-6266C10F75ED}
2011-07-25 03:39 - 2011-07-25 03:39 - 0000000 ____D C:\Users\owner\AppData\Local\{8F8AEA15-15D7-493D-B7F6-E9E0F1EFEC22}
2011-07-24 13:38 - 2011-07-24 13:37 - 0000000 ____D C:\Users\owner\AppData\Local\{BC587C18-DEE9-4A0E-900F-F0D9DD79FCE8}
2011-07-22 08:45 - 2011-07-22 08:45 - 0117352 ____A C:\Users\owner\Desktop\booze.gif
2011-07-21 21:52 - 2011-08-11 03:54 - 17782272 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2011-07-21 21:42 - 2011-08-11 03:55 - 2303488 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2011-07-21 21:40 - 2011-08-11 03:54 - 10886144 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2011-07-21 21:36 - 2011-08-11 03:54 - 1389056 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2011-07-21 21:36 - 2011-08-11 03:54 - 1344512 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2011-07-21 21:35 - 2011-08-11 03:54 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2011-07-21 21:34 - 2011-08-11 03:54 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2011-07-21 21:33 - 2011-08-11 03:55 - 2143232 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2011-07-21 21:33 - 2011-08-11 03:54 - 0818176 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2011-07-21 21:32 - 2011-08-11 03:55 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2011-07-21 21:32 - 2011-08-11 03:55 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2011-07-21 21:30 - 2011-08-11 03:55 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2011-07-21 18:54 - 2011-08-11 03:54 - 1797632 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2011-07-21 18:54 - 2011-08-11 03:54 - 12273664 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2011-07-21 18:51 - 2011-08-11 03:54 - 9704448 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2011-07-21 18:49 - 2011-08-11 03:54 - 1102848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2011-07-21 18:48 - 2011-08-11 03:54 - 1126912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2011-07-21 18:47 - 2011-08-11 03:54 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2011-07-21 18:46 - 2011-08-11 03:54 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2011-07-21 18:45 - 2011-08-11 03:54 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2011-07-21 18:44 - 2011-08-11 03:55 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2011-07-21 18:44 - 2011-08-11 03:55 - 1791488 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2011-07-21 18:44 - 2011-08-11 03:55 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2011-07-21 18:43 - 2011-08-11 03:55 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2011-07-16 07:02 - 2011-07-16 07:01 - 0000000 ____D C:\Users\owner\AppData\Local\{542C1078-6FC8-41C9-9814-2D906EF05F09}
2011-07-15 21:41 - 2011-08-10 10:20 - 0362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2011-07-15 21:41 - 2011-08-10 10:20 - 0243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
2011-07-15 21:41 - 2011-08-10 10:20 - 0013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2011-07-15 21:39 - 2011-08-10 10:20 - 0016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2011-07-15 21:37 - 2011-08-10 10:20 - 1162752 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2011-07-15 21:37 - 2011-08-10 10:20 - 0421888 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2011-07-15 21:21 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2011-07-15 20:29 - 2011-08-10 10:20 - 0014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2011-07-15 20:25 - 2011-08-10 10:20 - 0025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2011-07-15 20:24 - 2011-08-10 10:20 - 1114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2011-07-15 20:24 - 2011-08-10 10:20 - 0272384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2011-07-15 20:24 - 2011-08-10 10:20 - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2011-07-15 20:15 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2011-07-15 18:21 - 2011-08-10 10:20 - 0007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2011-07-15 18:21 - 2011-08-10 10:20 - 0002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2011-07-15 18:17 - 2011-08-10 10:20 - 0006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2011-07-15 18:17 - 2011-08-10 10:20 - 0004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-15 18:17 - 2011-08-10 10:20 - 0003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-15 18:17 - 2011-08-10 10:20 - 0003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2011-07-15 04:19 - 2011-07-15 04:19 - 0000000 ____D C:\Users\owner\AppData\Local\Windows Live Writer
2011-07-14 17:32 - 2011-07-14 17:32 - 0000000 ____D C:\Users\owner\AppData\Local\{D7958BAB-82B9-40CB-AECB-1861476DC60F}
2011-07-14 03:11 - 2011-07-14 03:10 - 0000000 ____D C:\Users\owner\AppData\Local\{CC08CDED-CA30-4A1B-8218-C8D30858F608}
2011-07-13 18:52 - 2009-07-13 20:45 - 0376064 ____A C:\Windows\System32\FNTCACHE.DAT
2011-07-13 15:00 - 2009-12-16 19:45 - 0095608 ____A C:\Users\owner\AppData\Local\GDIPFONTCACHEV1.DAT
2011-07-13 14:26 - 2011-07-13 14:26 - 0000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_point64_01009.Wdf
2011-07-13 14:26 - 2011-07-13 14:26 - 0000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_NuidFltr_01009.Wdf
2011-07-13 14:26 - 2011-07-13 14:26 - 0000000 ____D C:\Program Files\Microsoft IntelliPoint
2011-07-13 14:20 - 2011-07-13 14:20 - 0000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_dc3d_01009.Wdf
2011-07-13 14:18 - 2011-07-13 14:18 - 0000000 ____D C:\Users\owner\AppData\Local\{7DD92C83-E079-43F2-B822-7ADB49EE0A08}
2011-07-12 16:57 - 2011-07-12 16:57 - 0000000 ____D C:\Users\owner\AppData\Local\{05C967A2-9B8E-4973-BCFF-24A83920A68B}
2011-07-12 07:34 - 2011-07-12 07:34 - 0212840 ____A (Apple Inc.) C:\Windows\System32\dnssdX.dll
2011-07-12 07:34 - 2011-07-12 07:34 - 0096104 ____A (Apple Inc.) C:\Windows\System32\dns-sd.exe
2011-07-12 07:34 - 2011-07-12 07:34 - 0085864 ____A (Apple Inc.) C:\Windows\System32\dnssd.dll
2011-07-12 07:20 - 2011-07-12 07:20 - 0178536 ____A (Apple Inc.) C:\Windows\SysWOW64\dnssdX.dll
2011-07-12 07:20 - 2011-07-12 07:20 - 0083816 ____A (Apple Inc.) C:\Windows\SysWOW64\dns-sd.exe
2011-07-12 07:20 - 2011-07-12 07:20 - 0073064 ____A (Apple Inc.) C:\Windows\SysWOW64\dnssd.dll
2011-07-12 03:40 - 2011-07-11 15:02 - 0000000 ____D C:\Users\owner\AppData\Local\{F36A445D-B095-4E50-B4DB-8025901C8294}
2011-07-08 18:46 - 2011-08-10 10:20 - 0288768 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\mrxsmb10.sys
2011-07-08 07:17 - 2011-07-08 07:17 - 0048339 ____A C:\Users\owner\Downloads\AmazonMP3-1310138264.amz
2011-07-07 16:33 - 2011-07-07 16:33 - 0000000 ____D C:\Users\owner\AppData\Local\{BD16D237-EC49-42C4-AC42-1E252DB7E9D0}
2011-07-07 16:29 - 2009-07-13 21:08 - 0032570 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2011-07-07 03:58 - 2011-07-07 03:58 - 0000000 ____D C:\Users\owner\AppData\Local\{8A250A57-629F-40EF-A2D3-874FAD1DF77E}
2011-07-06 14:17 - 2011-07-06 14:17 - 0000000 ____D C:\Users\owner\AppData\Local\{00DCD82F-E1D5-45CD-B557-9AFB2B51C66A}
2011-07-06 03:23 - 2011-07-06 03:23 - 0000000 ____D C:\Users\owner\AppData\Local\{253403E7-0C3E-4C4E-9F20-15B51DA303EB}
2011-07-05 19:06 - 2011-07-05 19:06 - 0000000 ____D C:\Users\owner\AppData\Local\{60F6ED58-4254-4124-A90A-0D20EFAAC63F}
2011-07-05 14:37 - 2011-07-05 14:37 - 0094208 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTimeVR.qtx
2011-07-05 14:37 - 2011-07-05 14:37 - 0069632 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTime.qts
2011-07-05 07:15 - 2011-07-05 07:15 - 0000000 ____D C:\Program Files (x86)\Apple Software Update
2011-07-04 20:09 - 2011-07-04 06:32 - 0000000 ____D C:\Users\owner\AppData\Local\{7F272CFC-93A1-45B5-AE6C-E3050416FF2D}
2011-07-03 05:56 - 2011-07-02 16:04 - 0000000 ____D C:\Users\owner\AppData\Local\{A137B95B-94EF-410E-B542-10E548CAB577}
2011-07-01 17:29 - 2010-03-12 14:10 - 0000400 ____A C:\Windows\Tasks\EasyShare Registration Task.job
2011-07-01 05:07 - 2011-06-30 17:06 - 0000000 ____D C:\Users\owner\AppData\Local\{8C6F9CCD-1039-4BBF-A358-A09223676BE7}
2011-06-30 05:05 - 2011-06-30 05:05 - 0000000 ____D C:\Users\owner\AppData\Local\{F741A154-31D9-4FE6-97E2-52A877FBEC79}
2011-06-29 05:02 - 2011-06-29 05:02 - 0000000 ____D C:\Users\owner\AppData\Local\{4FCA151C-BF30-4BDC-A85B-5CCEC99BE7AC}
2011-06-28 04:05 - 2011-06-28 04:05 - 0000000 ____D C:\Users\owner\AppData\Local\{69DD2BAF-E6CE-4CAE-AFFF-8C90788D4D64}
2011-06-28 03:59 - 2009-09-02 20:55 - 0187972 ____A C:\Windows\PFRO.log
2011-06-27 16:56 - 2009-12-16 19:43 - 0000174 ___SH C:\Users\owner\Start Menu\Programs\Startup\desktop.ini
2011-06-27 16:56 - 2009-12-16 19:43 - 0000174 ___SH C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2011-06-27 16:44 - 2009-07-13 23:45 - 0000000 ____D C:\Program Files\Windows Journal
2011-06-27 16:44 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Sidebar
2011-06-27 16:44 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Portable Devices
2011-06-27 16:44 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Photo Viewer
2011-06-27 16:44 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Defender
2011-06-27 16:44 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\DVD Maker
2011-06-27 16:44 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Sidebar
2011-06-27 16:44 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Portable Devices
2011-06-27 16:44 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\sppui
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Setup
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\oobe
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\migwiz
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\manifeststore
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\es-ES
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Dism
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\da-DK
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\cs-CZ
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\AdvancedInstallers
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\sppui
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\Setup
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\oobe
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\migwiz
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\manifeststore
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\es-ES
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\Dism
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\da-DK
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\cs-CZ
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\AdvancedInstallers
2011-06-27 16:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\servicing
2011-06-27 14:08 - 2009-07-13 18:36 - 0175616 ____A (Microsoft Corporation) C:\Windows\System32\msclmd.dll
2011-06-27 14:08 - 2009-07-13 18:36 - 0152576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msclmd.dll
2011-06-27 13:54 - 2011-06-27 13:54 - 0000000 ____D C:\Windows\System32\SPReview
2011-06-27 13:24 - 2011-06-27 13:24 - 0000000 ____D C:\Windows\System32\EventProviders
2011-06-27 08:01 - 2011-06-26 20:00 - 0000000 ____D C:\Users\owner\AppData\Local\{6570CD2B-BE65-4F5B-88D4-C6F14AC9FF64}
2011-06-25 11:23 - 2011-06-25 11:23 - 0000000 ____D C:\Users\owner\AppData\Local\{B7978DC7-8A45-4308-9C84-22E1D4764004}
2011-06-23 21:34 - 2011-08-10 10:20 - 0214528 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2011-06-23 21:25 - 2011-08-10 10:20 - 0338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2011-06-23 17:14 - 2011-06-23 17:14 - 0000000 ____D C:\Users\owner\AppData\Local\{8337D451-5707-4FB4-AD4B-A49838D85D4C}
2011-06-23 04:57 - 2011-05-02 05:31 - 0001211 ____A C:\Users\Public\Desktop\Amazon MP3 Uploader.lnk
2011-06-22 21:43 - 2011-08-10 10:19 - 5561216 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2011-06-22 20:33 - 2011-08-10 10:19 - 3967872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2011-06-22 20:33 - 2011-08-10 10:19 - 3912576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2011-06-22 07:06 - 2011-06-22 07:06 - 0000000 ____D C:\Users\owner\AppData\Local\{0D9DC60E-551B-4D78-B331-542B77B0FCA8}
2011-06-21 18:56 - 2011-06-21 18:55 - 0000000 ____D C:\Users\owner\AppData\Local\{38DA7203-3BE4-42BA-9014-79AC12E30DE1}
2011-06-21 12:49 - 2011-05-17 16:42 - 0000000 ____D C:\Users\owner\Desktop\New folder
2011-06-21 05:59 - 2011-06-21 05:58 - 0000000 ____D C:\Users\owner\AppData\Local\{EC635CA1-F600-4EA2-8DB4-AC756C7F134C}
2011-06-21 05:41 - 2009-09-02 20:47 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2011-06-21 05:21 - 2009-11-23 23:37 - 0000000 ____D C:\Users\All Users\Microsoft Help
2011-06-21 05:21 - 2009-11-23 23:37 - 0000000 ____D C:\ProgramData\Microsoft Help
2011-06-20 22:34 - 2011-08-10 10:19 - 1923968 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 3935 MB
Available physical RAM: 3319.7 MB
Total Pagefile: 3933.15 MB
Available Pagefile: 3313.91 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (TI105136W0A) (Fixed) (Total:454.39 GB) (Free:370.92 GB) NTFS
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS
3 Drive e: (GRMCULXFRER_EN_DVD) (CDROM) (Total:3 GB) (Free:0 GB) UDF
4 Drive f: () (Removable) (Total:1.88 GB) (Free:0.03 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==========================================================

Last Boot: 2011-05-26 20:54

======================= End Of Log ==========================

#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:16 PM

Posted 13 September 2011 - 11:45 AM

Let's attempt to obtain a copy of the Boot Record.

Download MBRFix. Save and extract its contents to the desktop. Once extracted, there will be three files in the folder. Copy just the MBRFix64 application to the USB drive.

Also download the enclosed file to the USB drive.

Boot to the Windows CD and insert the USB drive.

Run FRST64 as you did before and this time around press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post its contents in your reply. It will also produce another file, MBRDUMP.txt, that, although it may look like a text file, is a hex file. You must attach this report to your reply instead of posting its contents.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#11 mmohler

mmohler
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:06:16 PM

Posted 13 September 2011 - 01:03 PM

Fix result of Farbars's Recovery Tool (FRST written by farbar version 2.2.1)
Ran by SYSTEM at 2011-09-13 13:59:27 R:1
Running from F:\

==============================================


========= F:\MbrFix64 /drive 0 savembr F:\MBRDUMP.txt =========


========= End of CMD: =========


==== End of Fixlog ====

#12 mmohler

mmohler
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:06:16 PM

Posted 13 September 2011 - 01:08 PM

Attachment




#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:16 PM

Posted 13 September 2011 - 06:11 PM

The MBR seems clear. Let's check the disk for errors and, if clear, then attempt to reset the BCD store.

Boot with the CD, Select Repair your Computer and bring the computer to a command prompt. At the prompt type the following and press Enter:

CHKDSK /R

This command will require a considerable amount of time. Allow it to run unhindered. Once completed restart the computer and test. If unable to boot, then try the following:


Boot with the CD, Select Repair your Computer and bring the computer to a command prompt. At the prompt type the following and press Enter:

BCDEdit /export c:\bcd_backup

Leave a space between the following arguments:

BCDEdit
/export
c:\bcd_backup


This command should be successful before continuing. It is always important to back up the BCD before rebuilding the store. If successful, at the prompt type the following and press Enter after each line:

Line 1

Attrib -r -s -h C:\boot\bcd

Leave a space between the following arguments:

Attrib
-r
-s
-h
C:\boot\bcd


Line 2

Ren C:\boot\bcd bcd.old

Leave a space between the following arguments:

Ren
C:\boot\bcd
bcd.old


Line 3

bootrec /rebuildbcd

Leave a space between the following arguments:

bootrec
/rebuildbcd



The computer will be scanned, and once the installation is detected a dialog box will appear asking if you want to add the installation to the boot list. Select Yes (Y).

If successful, restart the computer and test normal mode.

Edited by JSntgRvr, 13 September 2011 - 06:15 PM.

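The BCD backup-and-rebuild steps from the post above, collected into one batch file as an added example (this is not JSntgRvr's script and not part of the thread). The point of scripting it is the check the post insists on: the rebuild must never start unless the export succeeded, because the exported copy is the only way back if bootrec produces a store that does not boot. Assumed values: the file is run from the WinRE command prompt, the Windows volume is C:, the BCD store is at C:\boot\bcd (the thread later asks whether \boot is on C: or D:, so confirm that before running), and the flash drive is F:.

```batch
@echo off
rem Added example, not from the thread: the BCD backup-and-rebuild steps
rem from the post above as one script, so the rebuild is never started
rem without a backup.  Assumptions: run from the WinRE command prompt;
rem the Windows volume is C: and the BCD store is C:\boot\bcd (confirm
rem which drive holds \boot first); the flash drive is F:.
setlocal
set BCD=C:\boot\bcd
set BACKUP=C:\bcd_backup
set LOG=F:\bcdfix.log

echo ==== BCD rebuild %DATE% %TIME% ==== > "%LOG%"

rem 1. Export the current store.  Stop here if this fails: without a
rem    backup there is nothing to restore if the rebuild goes wrong.
bcdedit /export "%BACKUP%" >> "%LOG%" 2>&1
if errorlevel 1 (
  echo BCD export failed, see %LOG% -- not touching the store.
  exit /b 1
)

rem 2. Clear read-only/system/hidden so the store can be renamed.
attrib -r -s -h "%BCD%" >> "%LOG%" 2>&1

rem 3. Keep the old store under a new name rather than deleting it.
ren "%BCD%" bcd.old >> "%LOG%" 2>&1
if errorlevel 1 (
  echo Could not rename %BCD% -- check that \boot is really on C:.
  exit /b 1
)

rem 4. Scan for Windows installations; answer Y when asked to add the
rem    one found.  Left unredirected because bootrec prompts.
bootrec /rebuildbcd
echo bootrec exit code %ERRORLEVEL% >> "%LOG%"
echo Done. The old store is %BCD%.old; restore the export with: bcdedit /import %BACKUP%
endlocal
```

Copy it to the flash drive, then at the X:\Sources> prompt run F:\rebuild-bcd.cmd; the log on F: records each command's output so it can be posted verbatim if something fails.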


#14 mmohler

mmohler
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:06:16 PM

Posted 13 September 2011 - 07:28 PM

Let me know if I have done this incorrectly... as I could not get past step 1

Command prompt

X:\Sources>chkdsk/r
The type of the file ststem is NTFS.
Cannot lock current drive.
Windows cannot run disk checking on this volume because it is write protected.

I have no clue about this :)

Melanie

#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:16 PM

Posted 13 September 2011 - 11:50 PM

Every error is information we can use to move to the next step. Just don't be concerned with errors; just post them.

Hold off on the BCD for the time being.

Let's try including the volume letter. Run the following instead:

CHKDSK C: /R

Leave a space between the following arguments:

CHKDSK
C:
/R


If you are still having problems, please let me know.

----------------------------------------------

Let's find where the BCD store is before we attempt to restore it.

At the command prompt type the following:

Dir /a C:\*.*
Dir /a D:\*.*

Where is the boot folder, in C: or D:?

----------------------------------------------------

Let's check the disk structure. You will need to type the results in Notepad, save the document on the flash drive and post this information for me to see:

At the prompt type Diskpart and press Enter. Wait until the Diskpart prompt appears.

At the diskpart prompt type the following and press Enter:

list volume

Write down this information. We will be working on C: and D:, so take note of the volume number for each partition. On my computer the C: is Volume 1. So to check the C: volume I will need to run the following commands and press Enter after each line:

select volume 1
detail volume


This will produce a report of the C: volume. Write it down and save it in a Notepad document.

To check the D: volume, chances are the volume is 2, so run the following commands to receive a report of the drive:

select volume 2
detail volume


Post the results of these actions. To leave Diskpart type Exit and press Enter.

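The three checks requested in the post above (CHKDSK with an explicit drive letter, DIR /A of C: and D: to locate the \boot folder, and the Diskpart volume details), as an added example that is not part of the thread and not JSntgRvr's procedure. Instead of copying screen output into Notepad by hand, every command's output is redirected to one file on the flash drive. It also shows why the first CHKDSK attempt failed: with no drive letter, CHKDSK targets the current drive, which at the X:\Sources> prompt is the read-only WinRE boot image, hence "Cannot lock current drive". Assumed values: the flash drive is F:, the Windows volume is C:, the System partition is D:, and volumes 1 and 2 are the ones to detail (adjust those after reading the list volume table).

```batch
@echo off
rem Added example, not from the thread: collect the information requested
rem in the post above into one file on the flash drive.  Assumptions:
rem flash drive F:, Windows volume C:, System partition D:, run from the
rem WinRE command prompt (X:\Sources>).
setlocal
set LOG=F:\diskinfo.txt
echo ==== Disk report %DATE% %TIME% ==== > "%LOG%"

rem Name the volume explicitly: "chkdsk /r" without a letter tries to lock
rem the current drive X:, the WinRE boot image, which is write protected.
echo. >> "%LOG%"
echo ==== CHKDSK C: /R ==== >> "%LOG%"
chkdsk C: /R >> "%LOG%" 2>&1

rem Which drive holds the \boot folder?  /a lists hidden and system entries.
for %%D in (C D) do (
  echo. >> "%LOG%"
  echo ==== DIR /A %%D:\ ==== >> "%LOG%"
  dir /a %%D:\*.* >> "%LOG%" 2>&1
)

rem diskpart reads its commands from a script file (/s), so its output can
rem be redirected like any other command instead of transcribed by hand.
set DPS=F:\dp_script.txt
echo list volume > "%DPS%"
rem Volume numbers 1 and 2 are assumptions; fix them up after reading the
rem "list volume" table in the report.
for %%V in (1 2) do (
  echo select volume %%V >> "%DPS%"
  echo detail volume >> "%DPS%"
)
echo. >> "%LOG%"
echo ==== DISKPART ==== >> "%LOG%"
diskpart /s "%DPS%" >> "%LOG%" 2>&1
del "%DPS%"

echo Report written to %LOG%
endlocal
```

CHKDSK /R still takes as long as the post warns; the script simply waits for it, then appends the DIR and Diskpart sections, so the single F:\diskinfo.txt can be attached to the reply.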




