
My first (serious) virus


  • This topic is locked
31 replies to this topic

#1 Marco71

Marco71

  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 30 November 2011 - 06:54 PM

Hello All,
As indicated in my topic, I've recently suffered what appears to be a rather serious malware attack on my laptop PC. Unfortunately, my inexperience with such matters hinders my ability to diagnose the cause, severity and solution to my problem. Hence, here I am looking for some guidance.

System:
Dell Vostro 1510 running Windows Vista and McAfee Antivirus/Firewall. I have also previously installed Malwarebytes, RKill and TDSSKiller on this system. They are present.

What happened:
While connected to the internet, administrator permission was requested by Windows to run an "explorer" application. I closed this window which immediately re-appeared. I continued to close it as it re-appeared, along with browser windows, in an attempt to identify and halt whatever process was responsible for the admin request. I believe that I saw, in the background, a "Fix Windows" spoofware window. As I continued to close the admin request window, I accidentally clicked "yes"...allowing it to proceed. In a panic, I killed power to the machine, hoping to stop the process before it could cause too much serious damage.
I then attempted to re-boot in safe mode with networking, thinking that I might be able to run malware removal software. The computer appeared to be re-booting, but at the login window the cursor/keyboard froze. I killed power and attempted to reboot and restore Windows to a previous date. I now recognize this was likely a mistake, and it did not restore the system properly. I've also tried to use the various diagnostics/fix tools that can be accessed by F12 at startup, though these have provided little resolution.

Current situation:
1) When I try to initiate Windows in safe mode or otherwise, it loads drivers, then stalls on a black screen with cursor and keyboard frozen. End of game.
2) I can enter BIOS setup through F2 at power up, and keyboard works. Here, I notice on 'Advanced' tab that Boot-time Diagnostic Screen, USB Wake support, Keyboard Click and Wake On LAN are all disabled (is this normal? perhaps not relevant)
3) I can enter Boot Menu through F12 and keyboard works. Here, I notice that options are 1)Hard Drive 3)CD-ROM Drive 4) Removable Devices 5)Network 6)Diagnostics. There is no 'option 2' (normal?). I can run Diagnostics, but don't know how to access or meaningfully interpret these results.
4) I can enter Advanced Boot Options through F8 and access 'Repair Computer'. If I proceed along this path and bring up Command Prompt, the prompt is x:\Windows\system32> From here I can perform normal DOS commands, including 'DIR C:' which lists expected files and folders on the c-drive. I can also "see" expected files and folders within directories of C:. I expect this is a good thing, indicating drive and data are at least partially intact.

So, my question is, "where to go from here?" I suspect I'll need to run some kind of recovery software from outside of Windows (e.g. through DOS prompt), but I don't have a clue as to how I would do this. Also, I'd like to copy or somehow salvage some key data first if it might be lost during the recovery process. Assistance with either or both of these processes would be greatly appreciated. My unguided searches of advice on the web have been a bit overwhelming, and I'm afraid to proceed along a path that might do more harm than good. Please point me in the right direction!!

Thanks....
Marco71

Edited by hamluis, 30 November 2011 - 07:07 PM.
Moved from Vista to Am I Infected.




#2 Marco71

Marco71
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 30 November 2011 - 07:00 PM

Also may be of use...I believe my Windows is ver. 6.0.6001

#3 zbd

zbd

  • Members
  • 390 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 01 December 2011 - 12:20 AM

Read these suggestions.

http://forums.majorgeeks.com/showthread.php?t=44525

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,814 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:40 PM

Posted 01 December 2011 - 12:23 AM

:welcome:

Let's give it a try. You will need a USB (Flash) pendrive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


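The FRST.txt that this procedure produces is what the helpers read next. As an added example (not code from the post, the thread or FRST itself), here is a small Python triage script that parses lines in FRST's format and flags the kinds of entries a helper looks at first: autostarts launching from a Temp folder, random-looking executable names, orphaned autostart entries, and hidden+system files with random names in data folders. The embedded log lines are constructed for the example, modelled on the format of the log posted in this thread; the heuristics and thresholds are my own assumptions and give a starting point for human review, not a verdict.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in the line format FRST writes, modelled on the kinds of
# entries that appear in the log posted in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKU\Marc\...\Run: [1430750986] C:\Users\Marc\AppData\Local\Temp\1430750986.exe [x]
HKU\Marc\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized [15026056 2011-01-26] (Skype Technologies S.A.)
2011-11-28 11:45 - 2011-11-28 11:51 - 0005994 __ASH C:\ProgramData\5n80nt8p31r817
2011-11-28 17:08 - 2011-11-28 17:08 - 0000000 __SHD C:\found.000
2011-11-20 19:24 - 2011-11-20 19:24 - 0198832 ____A (RealNetworks, Inc.) C:\Windows\System32\rmoc3260.dll
"""

# Autostart line: HKLM\...\Run: [Name] <command> [size date] (Publisher), or
# "... [x]" when FRST could not find the file on disk.
RUN_RE = re.compile(
    r'^(?P<hive>HK(?:LM|U\\[^\\]+))\\\.\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\]'
    r'(?: (?P<cmd>.*?))? \[(?P<meta>[^\]]*)\](?: \((?P<pub>[^)]*)\))?$'
)
# File line: created - modified - size attrs [(Publisher)] path
FILE_RE = re.compile(
    r'^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - '
    r'(?P<size>\d+) (?P<attrs>[_A-Z]{5}) (?:\((?P<pub>[^)]*)\) )?(?P<path>\S.*)$'
)
# First executable-looking token of a command line, quoted or not. FRST prints
# unquoted paths that contain spaces, so splitting on whitespace would be wrong.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|scr|com|pif|bat|cmd|vbs|js))(?:"|\s|$)', re.I)
DATA_DIR_RE = re.compile(r'\\(?:ProgramData|AppData\\Local|Application Data|Local Settings)\\', re.I)
SEVERITY_RANK = {'low': 0, 'medium': 1, 'high': 2}

@dataclass(frozen=True)
class Finding:
    kind: str       # 'run' (autostart entry) or 'file'
    name: str
    path: str
    severity: str   # highest severity among the reasons
    reasons: tuple

def looks_random(stem):
    """Assumed heuristic: at least 8 characters and more than half of them digits."""
    if len(stem) < 8:
        return False
    return sum(c.isdigit() for c in stem) / len(stem) > 0.5

def executable_path(cmd):
    m = EXE_RE.match(cmd)
    return m.group('path') if m else cmd.strip('"')

def _finding(kind, name, path, reasons):
    if not reasons:
        return None
    severity = max((s for s, _ in reasons), key=SEVERITY_RANK.__getitem__)
    return Finding(kind, name, path, severity, tuple(text for _, text in reasons))

def check_run_entry(m):
    cmd = m.group('cmd') or ''
    path = executable_path(cmd) if cmd else ''
    stem = ntpath.splitext(ntpath.basename(path))[0] if path else m.group('name')
    reasons = []
    if re.search(r'\\temp\\', path, re.I):
        reasons.append(('high', 'autostart target lives in a Temp folder'))
    if looks_random(stem):
        reasons.append(('medium', 'random-looking executable name'))
    if m.group('meta') == 'x':
        reasons.append(('low', 'target not found on disk (orphaned autostart)'))
    return _finding('run', m.group('name'), path, reasons)

def check_file_entry(m):
    attrs, path = m.group('attrs'), m.group('path')
    if 'D' in attrs:                      # directories are out of scope here
        return None
    name = ntpath.basename(path)
    stem, ext = ntpath.splitext(name)
    hidden_system = 'H' in attrs and 'S' in attrs
    if hidden_system and not ext and DATA_DIR_RE.search(path) and looks_random(stem):
        return _finding('file', name, path,
                        [('high', 'hidden+system file with an extension-less random name in a data folder')])
    return None

def triage(log_text):
    """Return one Finding per suspicious line, in log order."""
    findings = []
    for line in filter(None, (raw.strip() for raw in log_text.splitlines())):
        m = RUN_RE.match(line)
        if m:
            f = check_run_entry(m)
        else:
            m = FILE_RE.match(line)
            f = check_file_entry(m) if m else None
        if f:
            findings.append(f)
    return findings

if __name__ == '__main__':
    print(*triage(SAMPLE_LOG), sep='\n')
```

Run it against a real FRST.txt by passing the file contents to triage(); entries it does not flag still need a human read, since it only encodes a few common patterns.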
#5 chromebuster

chromebuster

  • Members
  • 899 posts
  • OFFLINE
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England
  • Local time:02:40 PM

Posted 01 December 2011 - 12:43 AM

A tip to always follow for future reference is that if you ever see a suspect window like that again that either asks for Admin privileges to run, or tries to pretend to scan for malware (a popup on a web page that comes up without you telling it to and tells you that you are infected is always false), it is never a good idea to kill power to the computer itself. Kill the browser instead. That will prevent whatever was trying to run from doing so in a safe manner, and you shouldn't ever have to deal with this kind of stuff anymore.

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#6 Marco71

Marco71
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 01 December 2011 - 06:18 PM

Hi All, and thanks for the good advice thus far!
So, I downloaded and ran frst.exe as you suggested, JSntgRvr. The log is pasted below. I couldn't help but notice the trojan footprint in the last registry entries (5n80nt8p31r817 files...http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=703993#none).
So, how to proceed? Thanks, Marco71

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.3.0
Ran by SYSTEM at 2011-12-01 14:50:54
Running from E:\
Windows Vista ™ Home Basic Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [159744 2008-02-21] (Alps Electric Co., Ltd.)
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [OEM13Mon.exe] C:\Windows\OEM13Mon.exe [36864 2008-07-16] (Creative Technology Ltd.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2008-02-21] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [166424 2008-02-21] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [133656 2008-02-21] (Intel Corporation)
HKLM\...\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s [118784 2007-07-27] (Creative Technology Ltd.)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe [3563520 2008-07-03] (Dell Inc.)
HKLM\...\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [16384 2008-03-11] ( )
HKLM\...\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe [468288 2008-02-22] (McAfee, Inc.)
HKLM\...\Run: [McAfee Managed Services Tray] C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyAgtTry.Exe [87360 2008-02-22] (McAfee, Inc.)
HKLM\...\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [128296 2008-05-23] (CyberLink Corp.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [246504 2010-01-11] (Sun Microsystems, Inc.)
HKLM\...\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1 [954368 2007-04-25] ()
HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [31072 2008-10-25] (Microsoft Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2011-09-07] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM\...\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [963976 2010-12-20] (Malwarebytes Corporation)
HKLM\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1318552 2011-09-16] (McAfee, Inc.)
HKLM\...\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe [40960 2006-05-16] (OLYMPUS IMAGING CORP.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421160 2011-06-05] (Apple Inc.)
HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [58656 2011-04-20] (Apple Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-15] (Adobe Systems Incorporated)
HKLM\...\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM\...\Run: [B2C_AGENT] C:\ProgramData\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe [404568 2011-06-15] (LG Electronics)
HKLM\...\Run: [BYR_AGENT] C:\ProgramData\LGMOBILEAX\BYR_Client\VZWNotiAgent.exe [392280 2011-06-13] (LG Electronics)
HKLM\...\Run: [TkBellExe] "c:\program files\real\realplayer\Update\realsched.exe" -osboot [273528 2011-11-20] (RealNetworks, Inc.)
HKU\Default\...\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup [454784 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)
HKU\Default User\...\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup [454784 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)
HKU\Marc\...\Run: [EPSON NX300 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIEJA.EXE /FU "C:\Windows\TEMP\E_SF6F1.tmp" /EF "HKCU" [x]
HKU\Marc\...\Run: [1430750986] C:\Users\Marc\AppData\Local\Temp\1430750986.exe [x]
HKU\Marc\...\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart [57344 2006-05-16] (OLYMPUS IMAGING CORP.)
HKU\Marc\...\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup [454784 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)
HKU\Marc\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized [15026056 2011-01-26] (Skype Technologies S.A.)
HKU\Marc\...\Run: [AdobeBridge] [x]
HKU\McAfeeMVSUser\...\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup [454784 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)
HKU\WORK\...\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart [57344 2006-05-16] (OLYMPUS IMAGING CORP.)
HKU\WORK\...\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup [454784 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [318464 2008-01-20] (Microsoft Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.3.25

================================ Services (Whitelisted) ==================

2 AERTFilters; C:\Windows\System32\AERTSrv.exe [77824 2008-02-21] (Andrea Electronics Corporation)
2 CVPND; "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" [1528616 2010-09-27] (Cisco Systems, Inc.)
2 McAfee SiteAdvisor Service; "C:\Program Files\McAfee\SiteAdvisor\McSACore.exe" [203280 2009-01-23] ()
3 McComponentHostService; "C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
3 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [361712 2011-03-17] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [166288 2011-10-18] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [160608 2011-10-18] (McAfee, Inc.)
2 mfevtp; "C:\Windows\system32\mfevtps.exe" [150856 2011-10-18] (McAfee, Inc.)
2 MOBKbackup; "C:\Program Files\McAfee Online Backup\MOBKbackup.exe" [229688 2010-02-05] (McAfee, Inc.)
2 MSK80Service; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 myAgtSvc; C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe /ServiceStart [169280 2008-02-22] (McAfee, Inc.)
2 O2FLASH; C:\Windows\System32\DRIVERS\o2flash.exe [71512 2008-08-27] (O2Micro International)
3 SwitchBoard; "C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [517096 2010-02-19] (Adobe Systems Incorporated)
2 wltrysvc; C:\Windows\System32\WLTRYSVC.EXE C:\Windows\System32\bcmwltry.exe [2654208 2008-07-03] (Dell Inc.)
4 NetMsmqActivator; "c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" -NetMsmqActivator [x]
4 NetPipeActivator; c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [x]
4 NetTcpActivator; c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [x]
4 NetTcpPortSharing; c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [x]

========================== Drivers (Whitelisted) =============

3 ApfiltrService; C:\Windows\System32\DRIVERS\Apfiltr.sys [155136 2008-02-21] (Alps Electric Co., Ltd.)
3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2008-07-03] (Broadcom Corporation)
3 cfwids; C:\Windows\System32\drivers\cfwids.sys [57600 2011-10-15] (McAfee, Inc.)
3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5275 2007-01-18] (Cisco Systems, Inc.)
2 CVPNDRVA; \??\C:\Windows\system32\Drivers\CVPNDRVA.sys [308859 2010-09-27] (Cisco Systems, Inc.)
3 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [131984 2008-11-16] (Deterministic Networks, Inc.)
2 elagopro; C:\Windows\System32\DRIVERS\elagopro.sys [28672 2007-03-22] (Gteko Ltd.)
2 elaunidr; C:\Windows\System32\DRIVERS\elaunidr.sys [5376 2007-03-22] (Gteko Ltd.)
1 i8042prt; C:\Windows\System32\DRIVERS\i8042prt.sys [54784 2008-01-20] ()
3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [121256 2011-10-15] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [180816 2011-10-15] (McAfee, Inc.)
3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [59456 2011-10-15] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [338176 2011-10-15] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [464176 2011-10-15] (McAfee, Inc.)
1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [64880 2011-10-15] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [87656 2011-10-15] (McAfee, Inc.)
3 mferkdk; C:\Windows\System32\drivers\mferkdk.sys [34248 2010-02-17] (McAfee, Inc.)
1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [165680 2011-10-15] (McAfee, Inc.)
1 MOBKFilter; C:\Windows\System32\DRIVERS\MOBK.sys [54776 2010-02-05] (Mozy, Inc.)
4 Mraid35x; C:\Windows\System32\drivers\mraid35x.sys [33384 2006-11-02] (LSI Logic Corporation)
3 NWADI; C:\Windows\System32\DRIVERS\NWADIenum.sys [222720 2008-06-02] (Novatel Wireless Inc)
3 NWUSBCDFIL; C:\Windows\System32\DRIVERS\NwUsbCdFil.sys [20480 2008-07-07] (Novatel Wireless Inc.)
3 NWUSBModem; C:\Windows\System32\DRIVERS\nwusbmdm.sys [174336 2008-05-09] (Novatel Wireless Inc.)
3 NWUSBPort; C:\Windows\System32\DRIVERS\nwusbser.sys [174336 2008-05-09] (Novatel Wireless Inc.)
3 NWUSBPort2; C:\Windows\System32\DRIVERS\nwusbser2.sys [174336 2008-05-09] (Novatel Wireless Inc.)
3 O2MDRDR; C:\Windows\System32\DRIVERS\o2media.sys [51288 2008-08-27] (O2Micro )
3 O2SDRDR; C:\Windows\System32\DRIVERS\o2sd.sys [43608 2008-08-27] (O2Micro )
3 OEM13Vfx; C:\Windows\System32\DRIVERS\OEM13Vfx.sys [7424 2008-07-16] (EyePower Games Pte. Ltd.)
3 OEM13Vid; C:\Windows\System32\DRIVERS\OEM13Vid.sys [235840 2008-07-16] (Creative Technology Ltd.)
3 RTL8169; C:\Windows\System32\DRIVERS\Rtlh86.sys [106496 2008-02-22] (Realtek Corporation )
3 Serport; C:\Windows\System32\DRIVERS\serport.sys [47232 2000-06-21] (Prolific Technology Inc.)
4 SiSRaid2; C:\Windows\System32\drivers\sisraid2.sys [41016 2008-01-20] (Microsoft Corporation)
4 UlSata; C:\Windows\System32\drivers\ulsata.sys [98408 2006-11-02] (Promise Technology, Inc.)
4 ulsata2; C:\Windows\System32\drivers\ulsata2.sys [115816 2008-01-20] (Promise Technology, Inc.)
3 usbbus; C:\Windows\System32\DRIVERS\lgusbbus.sys [12672 2007-04-09] (LG Electronics Inc.)
3 UsbDiag; C:\Windows\System32\DRIVERS\lgusbdiag.sys [21248 2007-04-09] (LG Electronics Inc.)
3 USBModem; C:\Windows\System32\DRIVERS\lgusbmodem.sys [22912 2007-04-09] (LG Electronics Inc.)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2011-12-01 14:50 - 2011-12-01 14:50 - 0000000 ____D C:\FRST
2011-11-28 18:57 - 2011-11-28 18:57 - 0000000 __SHD C:\found.001
2011-11-28 17:08 - 2011-11-28 17:08 - 0000000 __SHD C:\found.000
2011-11-28 11:45 - 2011-11-28 11:51 - 0005994 __ASH C:\Users\Marc\Local Settings\Application Data\5n80nt8p31r817
2011-11-28 11:45 - 2011-11-28 11:51 - 0005994 __ASH C:\Users\Marc\Local Settings\5n80nt8p31r817
2011-11-28 11:45 - 2011-11-28 11:51 - 0005994 __ASH C:\Users\Marc\AppData\Local\5n80nt8p31r817
2011-11-28 11:45 - 2011-11-28 11:51 - 0005994 __ASH C:\Users\All Users\Application Data\5n80nt8p31r817
2011-11-28 11:45 - 2011-11-28 11:51 - 0005994 __ASH C:\Users\All Users\5n80nt8p31r817
2011-11-28 11:45 - 2011-11-28 11:51 - 0005994 __ASH C:\ProgramData\5n80nt8p31r817
2011-11-28 10:47 - 2011-11-28 11:15 - 197747977 ____A C:\Users\Marc\Desktop\1.mov
2011-11-27 10:40 - 2011-11-27 10:40 - 0030729 ____A C:\Users\Marc\Desktop\tdsskiller.htm
2011-11-25 21:35 - 2011-11-26 22:14 - 0000000 ____D C:\Users\Marc\Desktop\Fred 80th
2011-11-25 21:20 - 2011-11-23 12:44 - 0000314 ____A C:\Windows\Tasks\HP WEP.job
2011-11-23 23:16 - 2011-11-23 23:16 - 0001015 ____A C:\Users\WORK\Desktop\Old River Honey Bus Reg..txt
2011-11-23 23:07 - 2011-11-23 23:07 - 0000000 ____A C:\Users\WORK\Desktop\New Text Document.txt
2011-11-23 13:51 - 2011-11-23 13:09 - 3498388 ____A C:\Users\WORK\Desktop\Waples et al 2004.pdf
2011-11-23 13:51 - 2011-11-23 13:09 - 1008885 ____A C:\Users\WORK\Desktop\Seeb et al 2007.pdf
2011-11-23 13:51 - 2011-11-23 13:09 - 0575628 ____A C:\Users\WORK\Desktop\Claiborne et al 2011.pdf
2011-11-23 13:51 - 2011-11-23 13:09 - 0479847 ____A C:\Users\WORK\Desktop\Jepson et al. 2011.pdf
2011-11-23 13:51 - 2011-11-23 13:09 - 0394981 ____A C:\Users\WORK\Desktop\Anderson et al 2008.pdf
2011-11-23 13:09 - 2011-11-23 13:09 - 5451977 ____A C:\Users\WORK\Desktop\pdf.zip
2011-11-22 15:16 - 2011-11-22 15:25 - 0014272 ____A C:\Users\WORK\Desktop\Turkey recipe.docx
2011-11-21 22:16 - 2011-11-23 11:48 - 0125074 ____A C:\Users\WORK\Desktop\Siletz_steelhead.jpg
2011-11-20 19:25 - 2011-11-20 19:25 - 0000000 ____D C:\Users\Marc\Local Settings\Real
2011-11-20 19:25 - 2011-11-20 19:25 - 0000000 ____D C:\Users\Marc\Local Settings\Application Data\Real
2011-11-20 19:25 - 2011-11-20 19:25 - 0000000 ____D C:\Users\Marc\AppData\Local\Real
2011-11-20 19:24 - 2011-11-20 19:24 - 0198832 ____A (RealNetworks, Inc.) C:\Windows\System32\rmoc3260.dll
2011-11-20 19:24 - 2011-11-20 19:24 - 0000000 ____D C:\Program Files\Common Files\xing shared
2011-11-20 19:23 - 2011-11-20 19:23 - 0272896 ____A (Progressive Networks) C:\Windows\System32\pncrt.dll
2011-11-20 19:23 - 2011-11-20 19:23 - 0006656 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5016.dll
2011-11-20 19:23 - 2011-11-20 19:23 - 0005632 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5032.dll
2011-11-17 19:33 - 2011-11-17 23:29 - 0009837 ____A C:\Users\WORK\Desktop\111711 CHERRY PICKS.xlsx
2011-11-13 19:21 - 2011-11-13 19:24 - 16519152 ____A C:\Users\Marc\Downloads\Mt.Emily.zip
2011-11-13 10:29 - 2011-11-13 18:05 - 0102912 ____A C:\Users\Marc\Desktop\babygrow1.MSWMM
2011-11-13 09:59 - 2011-11-25 21:35 - 0000000 ____D C:\Users\Marc\Desktop\temp side
2011-11-13 09:58 - 2011-11-13 09:58 - 0000000 ____D C:\Users\Marc\Desktop\normalize exposure
2011-11-09 13:26 - 2011-11-09 13:27 - 1730380 ____A C:\Users\Marc\Desktop\elkefotos.rar
2011-11-09 13:26 - 2011-11-09 13:26 - 0000000 ____D C:\Users\Marc\Desktop\elkefotos
2011-11-09 12:55 - 2011-11-09 13:26 - 0000000 ____D C:\Users\Marc\Desktop\110911 elke photos
2011-11-09 12:33 - 2011-11-09 12:33 - 0905317 ____A C:\Users\Marc\Desktop\entry_wound.jpg
2011-11-09 12:26 - 2011-11-09 12:26 - 1276335 ____A C:\Users\Marc\Desktop\IMG_1479.JPG
2011-11-09 12:25 - 2011-11-09 12:42 - 0000000 ____D C:\Users\Marc\Desktop\greenhouse photos
2011-11-09 12:08 - 2011-11-09 12:08 - 0030720 ____A C:\Users\Marc\Downloads\sw_functionalcoord.xls
2011-11-09 10:20 - 2011-11-09 10:21 - 0000000 ____D C:\Users\WORK\My Old Data
2011-11-09 10:15 - 2011-09-20 13:02 - 0905088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2011-11-03 20:15 - 2011-11-03 20:15 - 0002864 ____A C:\Users\Marc\CenturyLink _ High Speed Internet, Home Phone Service and More.htm
2011-11-03 20:15 - 2011-11-03 20:15 - 0000000 ____D C:\Users\Marc\CenturyLink _ High Speed Internet, Home Phone Service and More_files
2011-11-03 11:48 - 2005-05-09 21:55 - 34355712 ____A C:\Users\WORK\Desktop\Presentation1.ppt
2011-11-02 14:58 - 2011-11-22 20:00 - 0000000 ____D C:\Users\WORK\Desktop\UWR BASINWIDE POPGEN DATA

============ 3 Months Modified Files and Folders ===============

2011-12-01 14:50 - 2011-12-01 14:50 - 0000000 ____D C:\FRST
2011-11-30 13:55 - 2011-02-11 06:41 - 1600224 ____A C:\Windows\ntbtlog.txt
2011-11-28 19:01 - 2006-11-02 04:58 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2011-11-28 19:01 - 2006-11-02 04:45 - 0003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2011-11-28 19:01 - 2006-11-02 04:45 - 0003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2011-11-28 18:57 - 2011-11-28 18:57 - 0000000 __SHD C:\found.001
2011-11-28 17:08 - 2011-11-28 17:08 - 0000000 __SHD C:\found.000
2011-11-28 16:51 - 2006-11-02 04:44 - 0000000 _____ C:\Windows\System32\umstartup.etl
2011-11-28 15:09 - 2006-11-02 02:33 - 0791000 ____A C:\Windows\System32\PerfStringBackup.INI
2011-11-28 15:05 - 2009-01-13 18:56 - 1240581 ____A C:\Windows\WindowsUpdate.log
2011-11-28 15:02 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\LogFiles
2011-11-28 14:27 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\config\TxR
2011-11-28 14:25 - 2011-10-12 02:40 - 0000000 ____D C:\users\McAfeeMVSUser
2011-11-28 14:25 - 2010-04-15 11:46 - 0000000 ____D C:\Users\All Users\pdf995
2011-11-28 14:25 - 2010-04-15 11:46 - 0000000 ____D C:\Users\All Users\Application Data\pdf995
2011-11-28 14:25 - 2010-04-15 11:46 - 0000000 ____D C:\ProgramData\pdf995
2011-11-28 14:25 - 2010-03-11 20:32 - 0000000 ____D C:\Users\All Users\McAfee Security Scan
2011-11-28 14:25 - 2010-03-11 20:32 - 0000000 ____D C:\Users\All Users\Application Data\McAfee Security Scan
2011-11-28 14:25 - 2010-03-11 20:32 - 0000000 ____D C:\ProgramData\McAfee Security Scan
2011-11-28 14:25 - 2010-03-08 23:43 - 0000000 ____D C:\Users\Marc\Local Settings\ApplicationHistory
2011-11-28 14:25 - 2010-03-08 23:43 - 0000000 ____D C:\Users\Marc\Local Settings\Application Data\ApplicationHistory
2011-11-28 14:25 - 2010-03-08 23:43 - 0000000 ____D C:\Users\Marc\AppData\Local\ApplicationHistory
2011-11-28 14:25 - 2010-03-08 13:01 - 0000000 ____D C:\users\WORK
2011-11-28 14:25 - 2010-03-08 12:01 - 0000000 ____D C:\users\Marc
2011-11-28 14:25 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\spool
2011-11-28 14:25 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\registration
2011-11-28 14:25 - 2006-11-02 02:22 - 54263808 ____A C:\Windows\System32\config\software_previous
2011-11-28 14:25 - 2006-11-02 02:22 - 23855104 ____A C:\Windows\System32\config\system_previous
2011-11-28 14:21 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\security_previous
2011-11-28 14:21 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\sam_previous
2011-11-28 14:09 - 2006-11-02 02:22 - 1572864 ____A C:\Windows\System32\config\default_previous
2011-11-28 14:05 - 2006-11-02 02:22 - 34340864 ____A C:\Windows\System32\config\components_previous
2011-11-28 11:51 - 2011-11-28 11:45 - 0005994 __ASH C:\Users\Marc\Local Settings\Application Data\5n80nt8p31r817
2011-11-28 11:51 - 2011-11-28 11:45 - 0005994 __ASH C:\Users\Marc\Local Settings\5n80nt8p31r817
2011-11-28 11:51 - 2011-11-28 11:45 - 0005994 __ASH C:\Users\Marc\AppData\Local\5n80nt8p31r817
2011-11-28 11:51 - 2011-11-28 11:45 - 0005994 __ASH C:\Users\All Users\Application Data\5n80nt8p31r817
2011-11-28 11:51 - 2011-11-28 11:45 - 0005994 __ASH C:\Users\All Users\5n80nt8p31r817
2011-11-28 11:51 - 2011-11-28 11:45 - 0005994 __ASH C:\ProgramData\5n80nt8p31r817
2011-11-28 11:15 - 2011-11-28 10:47 - 197747977 ____A C:\Users\Marc\Desktop\1.mov
2011-11-28 10:24 - 2011-01-26 17:18 - 0000000 ____D C:\Users\Marc\Application Data\skypePM
2011-11-28 10:24 - 2011-01-26 17:18 - 0000000 ____D C:\Users\Marc\AppData\Roaming\skypePM
2011-11-27 19:55 - 2011-01-26 17:13 - 0000000 ____D C:\Users\Marc\Application Data\Skype
2011-11-27 19:55 - 2011-01-26 17:13 - 0000000 ____D C:\Users\Marc\AppData\Roaming\Skype
2011-11-27 10:40 - 2011-11-27 10:40 - 0030729 ____A C:\Users\Marc\Desktop\tdsskiller.htm
2011-11-27 09:49 - 2010-04-29 19:42 - 0000000 ____D C:\Users\Marc\Application Data\Real
2011-11-27 09:49 - 2010-04-29 19:42 - 0000000 ____D C:\Users\Marc\AppData\Roaming\Real
2011-11-26 22:14 - 2011-11-25 21:35 - 0000000 ____D C:\Users\Marc\Desktop\Fred 80th
2011-11-25 21:41 - 2011-01-07 23:58 - 0000000 ____D C:\Users\Marc\Application Data\ZoomBrowser EX
2011-11-25 21:41 - 2011-01-07 23:58 - 0000000 ____D C:\Users\Marc\AppData\Roaming\ZoomBrowser EX
2011-11-25 21:35 - 2011-11-13 09:59 - 0000000 ____D C:\Users\Marc\Desktop\temp side
2011-11-24 11:59 - 2010-08-17 21:22 - 0000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2011-11-24 11:28 - 2010-08-17 21:22 - 0000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2011-11-23 23:16 - 2011-11-23 23:16 - 0001015 ____A C:\Users\WORK\Desktop\Old River Honey Bus Reg..txt
2011-11-23 23:07 - 2011-11-23 23:07 - 0000000 ____A C:\Users\WORK\Desktop\New Text Document.txt
2011-11-23 13:49 - 2011-10-31 22:39 - 0000000 ____D C:\Users\WORK\My CV
2011-11-23 13:14 - 2010-06-17 12:57 - 0000000 ____D C:\Users\WORK\My Publications
2011-11-23 13:09 - 2011-11-23 13:51 - 3498388 ____A C:\Users\WORK\Desktop\Waples et al 2004.pdf
2011-11-23 13:09 - 2011-11-23 13:51 - 1008885 ____A C:\Users\WORK\Desktop\Seeb et al 2007.pdf
2011-11-23 13:09 - 2011-11-23 13:51 - 0575628 ____A C:\Users\WORK\Desktop\Claiborne et al 2011.pdf
2011-11-23 13:09 - 2011-11-23 13:51 - 0479847 ____A C:\Users\WORK\Desktop\Jepson et al. 2011.pdf
2011-11-23 13:09 - 2011-11-23 13:51 - 0394981 ____A C:\Users\WORK\Desktop\Anderson et al 2008.pdf
2011-11-23 13:09 - 2011-11-23 13:09 - 5451977 ____A C:\Users\WORK\Desktop\pdf.zip
2011-11-23 13:08 - 2010-03-08 16:21 - 0001776 ___AH C:\Users\WORK\My Documents\Default.rdp
2011-11-23 13:08 - 2010-03-08 16:21 - 0001776 ___AH C:\Users\WORK\Documents\Default.rdp
2011-11-23 12:44 - 2011-11-25 21:20 - 0000314 ____A C:\Windows\Tasks\HP WEP.job
2011-11-23 12:09 - 2011-06-13 14:30 - 0000600 ____A C:\Users\WORK\Application Data\winscp.rnd
2011-11-23 12:09 - 2011-06-13 14:30 - 0000600 ____A C:\Users\WORK\AppData\Roaming\winscp.rnd
2011-11-23 12:08 - 2010-03-08 16:59 - 0000000 ____D C:\Users\WORK\Local Settings\ApplicationHistory
2011-11-23 12:08 - 2010-03-08 16:59 - 0000000 ____D C:\Users\WORK\Local Settings\Application Data\ApplicationHistory
2011-11-23 12:08 - 2010-03-08 16:59 - 0000000 ____D C:\Users\WORK\AppData\Local\ApplicationHistory
2011-11-23 12:06 - 2008-01-20 19:02 - 0044990 ____A C:\Windows\PFRO.log
2011-11-23 12:05 - 2006-11-02 04:58 - 0032584 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2011-11-23 11:48 - 2011-11-21 22:16 - 0125074 ____A C:\Users\WORK\Desktop\Siletz_steelhead.jpg
2011-11-23 00:19 - 2010-12-04 23:52 - 0000680 ____A C:\Users\WORK\Local Settings\d3d9caps.dat
2011-11-23 00:19 - 2010-12-04 23:52 - 0000680 ____A C:\Users\WORK\Local Settings\Application Data\d3d9caps.dat
2011-11-23 00:19 - 2010-12-04 23:52 - 0000680 ____A C:\Users\WORK\AppData\Local\d3d9caps.dat
2011-11-22 20:03 - 2011-10-18 19:37 - 0000000 ____D C:\Users\WORK\Desktop\BRAZIL TRIP
2011-11-22 20:01 - 2010-06-01 09:23 - 0000000 ____D C:\Users\WORK\My Presentations
2011-11-22 20:01 - 2010-03-10 16:22 - 0000000 ____D C:\Users\WORK\Desktop\LITERATURE
2011-11-22 20:00 - 2011-11-02 14:58 - 0000000 ____D C:\Users\WORK\Desktop\UWR BASINWIDE POPGEN DATA
2011-11-22 18:00 - 2010-03-08 12:34 - 0000440 ____A C:\Windows\Tasks\ParetoLogic Registration.job
2011-11-22 15:25 - 2011-11-22 15:16 - 0014272 ____A C:\Users\WORK\Desktop\Turkey recipe.docx
2011-11-20 19:25 - 2011-11-20 19:25 - 0000000 ____D C:\Users\Marc\Local Settings\Real
2011-11-20 19:25 - 2011-11-20 19:25 - 0000000 ____D C:\Users\Marc\Local Settings\Application Data\Real
2011-11-20 19:25 - 2011-11-20 19:25 - 0000000 ____D C:\Users\Marc\AppData\Local\Real
2011-11-20 19:25 - 2010-03-08 12:03 - 0000000 ____D C:\Users\Marc\Local Settings\Google
2011-11-20 19:25 - 2010-03-08 12:03 - 0000000 ____D C:\Users\Marc\Local Settings\Application Data\Google
2011-11-20 19:25 - 2010-03-08 12:03 - 0000000 ____D C:\Users\Marc\AppData\Local\Google
2011-11-20 19:24 - 2011-11-20 19:24 - 0198832 ____A (RealNetworks, Inc.) C:\Windows\System32\rmoc3260.dll
2011-11-20 19:24 - 2011-11-20 19:24 - 0000000 ____D C:\Program Files\Common Files\xing shared
2011-11-20 19:23 - 2011-11-20 19:23 - 0272896 ____A (Progressive Networks) C:\Windows\System32\pncrt.dll
2011-11-20 19:23 - 2011-11-20 19:23 - 0006656 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5016.dll
2011-11-20 19:23 - 2011-11-20 19:23 - 0005632 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5032.dll
2011-11-20 19:23 - 2010-04-23 10:58 - 0000000 ____D C:\Program Files\Real
2011-11-20 19:23 - 2010-04-23 10:58 - 0000000 ____D C:\Program Files\Common Files\Real
2011-11-20 19:21 - 2009-01-14 01:16 - 0000000 ____D C:\Program Files\Google
2011-11-17 23:29 - 2011-11-17 19:33 - 0009837 ____A C:\Users\WORK\Desktop\111711 CHERRY PICKS.xlsx
2011-11-14 10:02 - 2006-11-02 04:49 - 0141330 ____A C:\Windows\setupact.log
2011-11-14 08:47 - 2010-03-08 12:34 - 0000414 ____A C:\Windows\Tasks\ParetoLogic Update Version2.job
2011-11-13 19:24 - 2011-11-13 19:21 - 16519152 ____A C:\Users\Marc\Downloads\Mt.Emily.zip
2011-11-13 18:18 - 2010-03-08 12:11 - 0000000 ____D C:\Program Files\Mozilla Firefox
2011-11-13 18:05 - 2011-11-13 10:29 - 0102912 ____A C:\Users\Marc\Desktop\babygrow1.MSWMM
2011-11-13 09:58 - 2011-11-13 09:58 - 0000000 ____D C:\Users\Marc\Desktop\normalize exposure
2011-11-10 09:37 - 2006-11-02 03:18 - 0000000 ____D C:\Program Files\Common Files\System
2011-11-10 09:37 - 2006-11-02 02:24 - 50295240 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2011-11-09 13:27 - 2011-11-09 13:26 - 1730380 ____A C:\Users\Marc\Desktop\elkefotos.rar
2011-11-09 13:26 - 2011-11-09 13:26 - 0000000 ____D C:\Users\Marc\Desktop\elkefotos
2011-11-09 13:26 - 2011-11-09 12:55 - 0000000 ____D C:\Users\Marc\Desktop\110911 elke photos
2011-11-09 12:42 - 2011-11-09 12:25 - 0000000 ____D C:\Users\Marc\Desktop\greenhouse photos
2011-11-09 12:33 - 2011-11-09 12:33 - 0905317 ____A C:\Users\Marc\Desktop\entry_wound.jpg
2011-11-09 12:26 - 2011-11-09 12:26 - 1276335 ____A C:\Users\Marc\Desktop\IMG_1479.JPG
2011-11-09 12:08 - 2011-11-09 12:08 - 0030720 ____A C:\Users\Marc\Downloads\sw_functionalcoord.xls
2011-11-09 10:21 - 2011-11-09 10:20 - 0000000 ____D C:\Users\WORK\My Old Data
2011-11-03 20:15 - 2011-11-03 20:15 - 0002864 ____A C:\Users\Marc\CenturyLink _ High Speed Internet, Home Phone Service and More.htm
2011-11-03 20:15 - 2011-11-03 20:15 - 0000000 ____D C:\Users\Marc\CenturyLink _ High Speed Internet, Home Phone Service and More_files
2011-10-31 20:15 - 2011-08-07 11:01 - 0000000 ____D C:\Users\WORK\CLEAN EMAIL
2011-10-31 14:06 - 2011-10-31 14:06 - 0088576 ____A C:\Users\Marc\Downloads\DRAFT Maturity Workshop Program (V.6-May-2011)(2).doc
2011-10-31 14:06 - 2011-10-31 14:06 - 0088576 ____A C:\Users\Marc\Desktop\DRAFT Maturity Workshop Program (V.6-May-2011).doc
2011-10-31 14:05 - 2011-10-31 14:04 - 16553441 ____A C:\Users\Marc\Desktop\seattle-2011-afs-program-print.pdf
2011-10-31 09:36 - 2011-10-31 09:36 - 3883808 ____A C:\Users\WORK\BattyForBatsFlyer.pdf
2011-10-25 22:14 - 2011-10-25 22:14 - 0683265 ____A C:\Users\Marc\Desktop\Scheuerell et al. 2006.pdf
2011-10-25 21:51 - 2011-10-25 21:51 - 1310502 ____A C:\Users\Marc\Desktop\5561_06162004_143739_tm42.pdf
2011-10-25 08:57 - 2011-02-09 19:43 - 0000000 ____D C:\Users\WORK\Application Data\ZoomBrowser EX
2011-10-25 08:57 - 2011-02-09 19:43 - 0000000 ____D C:\Users\WORK\AppData\Roaming\ZoomBrowser EX
2011-10-24 21:29 - 2011-10-24 21:29 - 0019456 ____A C:\Users\WORK\HRME Funding 1024.xls
2011-10-24 07:51 - 2011-10-24 07:50 - 4019933 ____A C:\Users\WORK\Desktop\HushHush2011.rar
2011-10-24 07:50 - 2011-10-24 07:50 - 0000000 ____D C:\Users\WORK\Desktop\HushHush2011
2011-10-23 12:57 - 2011-10-23 12:57 - 0872624 ____A C:\Users\WORK\Desktop\102311 LATE SUMMER BUCK 2.jpg
2011-10-23 12:56 - 2011-10-23 12:56 - 0832580 ____A C:\Users\WORK\Desktop\102311 LATE SUMMER BUCK.jpg
2011-10-23 12:44 - 2011-01-07 13:27 - 0000000 ____D C:\Users\All Users\ZoomBrowser
2011-10-23 12:44 - 2011-01-07 13:27 - 0000000 ____D C:\Users\All Users\Application Data\ZoomBrowser
2011-10-23 12:44 - 2011-01-07 13:27 - 0000000 ____D C:\ProgramData\ZoomBrowser
2011-10-22 10:49 - 2011-10-22 10:49 - 0000162 ___AH C:\Users\WORK\Desktop\~$jor issues.doc
2011-10-20 10:19 - 2011-10-20 10:19 - 0765145 ____A C:\Users\WORK\Desktop\OldRiverHoney2011.jpg
2011-10-18 14:32 - 2010-12-06 00:49 - 0150856 ____A (McAfee, Inc.) C:\Windows\System32\mfevtps.exe
2011-10-15 13:16 - 2010-12-06 00:49 - 0165680 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfewfpk.sys
2011-10-15 13:16 - 2010-12-06 00:49 - 0064880 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfenlfk.sys
2011-10-15 13:16 - 2010-12-06 00:49 - 0009608 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfeclnk.sys
2011-10-15 13:16 - 2010-12-06 00:48 - 0338176 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfefirek.sys
2011-10-15 13:16 - 2010-12-06 00:48 - 0180816 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfeavfk.sys
2011-10-15 13:16 - 2010-12-06 00:48 - 0121256 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfeapfk.sys
2011-10-15 13:16 - 2010-12-06 00:48 - 0087656 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mferkdet.sys
2011-10-15 13:16 - 2010-12-06 00:48 - 0059456 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfebopk.sys
2011-10-15 13:16 - 2010-12-06 00:48 - 0057600 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\cfwids.sys
2011-10-15 13:16 - 2009-01-14 01:16 - 0464176 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfehidk.sys
2011-10-13 08:03 - 2011-10-13 08:03 - 0162988 ____A C:\Users\WORK\cooperate.tif
2011-10-13 08:00 - 2011-10-13 08:00 - 0024283 ____A C:\Users\WORK\1-s2.0-S1874391911002508-fx1.jpg
2011-10-12 20:18 - 2011-10-12 20:18 - 0000000 ____D C:\Users\McAfeeMVSUser\AppData\LocalLow
2011-10-12 08:19 - 2011-04-05 09:57 - 0000000 ____D C:\Users\WORK\Desktop\DATA QUERIES AND SUMMARIES
2011-10-12 08:15 - 2011-06-29 07:31 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2011-10-12 02:52 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\rescache
2011-10-12 02:46 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\Microsoft.NET
2011-10-12 02:40 - 2011-10-12 02:40 - 0000020 __ASH C:\Users\McAfeeMVSUser\ntuser.ini
2011-10-12 02:40 - 2011-10-12 02:40 - 0000000 __SHD C:\Users\McAfeeMVSUser\Templates
2011-10-12 02:40 - 2011-10-12 02:40 - 0000000 __SHD C:\Users\McAfeeMVSUser\Start Menu
2011-10-12 02:40 - 2011-10-12 02:40 - 0000000 __SHD C:\Users\McAfeeMVSUser\PrintHood
2011-10-12 02:40 - 2011-10-12 02:40 - 0000000 __SHD C:\Users\McAfeeMVSUser\NetHood
2011-10-12 02:40 - 2011-10-12 02:40 - 0000000 __SHD C:\Users\McAfeeMVSUser\My Documents\My Videos
2011-10-12 02:40 - 2011-10-12 02:40 - 0000000 __SHD C:\Users\McAfeeMVSUser\My Documents\My Pictures
2011-10-12 02:40 - 2011-10-12 02:40 - 0000000 __SHD C:\Users\McAfeeMVSUser\My Documents\My Music
2011-10-12 02:40 - 2011-10-12 02:40 - 0000000 __SHD C:\Users\McAfeeMVSUser\My Documents
2011-10-12 02:40 - 2011-10-12 02:40 - 0000000 __SHD C:\Users\McAfeeMVSUser\Local Settings\Temporary Internet Files
2011-10-12 02:40 - 2011-10-12 02:40 - 0000000 __SHD C:\Users\McAfeeMVSUser\Local Settings\History
2011-10-12 02:40 - 2011-10-12 02:40 - 0000000 __SHD C:\Users\McAfeeMVSUser\Local Settings\Application Data\Temporary Internet Files
2011-10-12 02:40 - 2011-10-12 02:40 - 0000000 __SHD C:\Users\McAfeeMVSUser\Local Settings\Application Data\History
2011-10-12 02:40 - 2011-10-12 02:40 - 0000000 __SHD C:\Users\McAfeeMVSUser\Documents\My Videos
2011-10-12 02:40 - 2011-10-12 02:40 - 0000000 __SHD C:\Users\McAfeeMVSUser\Documents\My Pictures
2011-10-12 02:40 - 2011-10-12 02:40 - 0000000 __SHD C:\Users\McAfeeMVSUser\Documents\My Music
2011-10-12 02:40 - 2011-10-12 02:40 - 0000000 __SHD C:\Users\McAfeeMVSUser\AppData\Local\Temporary Internet Files
2011-10-12 02:40 - 2011-10-12 02:40 - 0000000 __SHD C:\Users\McAfeeMVSUser\AppData\Local\History
2011-10-12 02:35 - 2006-11-02 04:44 - 3761104 ____A C:\Windows\System32\FNTCACHE.DAT
2011-10-12 02:11 - 2010-03-28 10:37 - 0000000 ____D C:\Users\All Users\Microsoft Help
2011-10-12 02:11 - 2010-03-28 10:37 - 0000000 ____D C:\Users\All Users\Application Data\Microsoft Help
2011-10-12 02:11 - 2010-03-28 10:37 - 0000000 ____D C:\ProgramData\Microsoft Help
2011-10-11 16:07 - 2010-03-08 13:50 - 0124416 ____A C:\Users\Marc\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-10-11 16:07 - 2010-03-08 13:50 - 0124416 ____A C:\Users\Marc\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-10-11 16:07 - 2010-03-08 13:50 - 0124416 ____A C:\Users\Marc\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-10-10 13:00 - 2010-10-12 09:33 - 0000000 ____D C:\Users\WORK\Desktop\WILLAMETTE PROJECTS
2011-10-05 20:44 - 2011-10-05 20:44 - 0017351 ____A C:\Users\Marc\programacao.pdf
2011-10-05 20:26 - 2011-10-05 20:26 - 0690771 ____A C:\Users\Marc\Downloads\17090009.zip
2011-10-05 20:07 - 2011-10-05 20:07 - 7249836 ____A C:\Users\Marc\Desktop\BOLETIM100.pdf
2011-10-04 20:22 - 2011-10-04 20:22 - 0000000 ____A C:\Users\Marc\Desktop\New Text Document.txt
2011-09-29 13:36 - 2010-03-13 23:27 - 0000020 ____H C:\Users\All Users\PKP_DLec.DAT
2011-09-29 13:36 - 2010-03-13 23:27 - 0000020 ____H C:\Users\All Users\Application Data\PKP_DLec.DAT
2011-09-29 13:36 - 2010-03-13 23:27 - 0000020 ____H C:\ProgramData\PKP_DLec.DAT
2011-09-29 11:04 - 2011-09-29 11:04 - 0001241 ____A C:\Users\WORK\Desktop\Elk Sausage Recipe.txt
2011-09-25 10:22 - 2011-09-25 10:22 - 0649180 ____A C:\Users\Marc\Desktop\092511elk.jpg
2011-09-22 12:13 - 2010-09-02 10:14 - 0000000 ____D C:\Users\All Users\Roxio
2011-09-22 12:13 - 2010-09-02 10:14 - 0000000 ____D C:\Users\All Users\Application Data\Roxio
2011-09-22 12:13 - 2010-09-02 10:14 - 0000000 ____D C:\ProgramData\Roxio
2011-09-22 08:45 - 2011-01-19 10:54 - 0000000 ____D C:\Users\WORK\Desktop\THOUGHTS
2011-09-22 08:45 - 2010-10-21 21:04 - 0000000 ____D C:\Users\WORK\Desktop\OR GENE EVOLUTION 102110
2011-09-22 08:21 - 2011-08-25 20:36 - 0000000 ____D C:\Users\WORK\Desktop\Tweak Label
2011-09-22 08:21 - 2011-06-26 16:48 - 0000000 ____D C:\Users\WORK\Desktop\New Folder (2)
2011-09-22 08:19 - 2011-04-05 09:57 - 0000000 ____D C:\Users\WORK\Desktop\MEETINGS
2011-09-21 22:24 - 2011-01-03 08:03 - 0000000 ____D C:\Users\Marc\Desktop\tempfoto
2011-09-20 13:02 - 2011-11-09 10:15 - 0905088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2011-09-19 11:39 - 2011-09-19 11:39 - 0693867 ____A C:\Users\WORK\DIRECT_DEP_MARC_JOHNSON003.pdf
2011-09-15 09:57 - 2011-09-15 09:57 - 0088064 ____A C:\Users\WORK\Furlough_Election_Form_Marc_JohnsonB.doc
2011-09-14 20:39 - 2011-09-14 20:08 - 0000000 ____D C:\Users\Marc\Desktop\091311 CALI TRIP
2011-09-14 15:13 - 2011-09-14 15:13 - 0444899 ____A C:\Users\WORK\2011_Holiday_Schedule.pdf
2011-09-14 10:41 - 2011-09-14 10:40 - 0000000 ____D C:\Users\Marc\Desktop\HONEY LABEL
2011-09-09 10:27 - 2011-09-09 10:27 - 0086528 ____A C:\Users\Marc\Desktop\Furlough_Election_Form.doc
2011-09-08 19:06 - 2011-09-08 19:05 - 7685999 ____A C:\Users\Marc\Downloads\RE_ Molalla Chinook Surveys.zip
2011-09-06 05:30 - 2011-10-11 13:08 - 2043392 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2010-03-12 23:02] - [2009-04-10 22:27] - 2926592 ____A (Microsoft Corporation)

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 9%
Total physical RAM: 3061.69 MB
Available physical RAM: 2757.4 MB
Total Pagefile: 2962.32 MB
Available Pagefile: 2829.16 MB
Total Virtual: 2047.88 MB
Available Virtual: 1974.32 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:223.08 GB) (Free:119.97 GB) NTFS ==>[System = boot components]
2 Drive d: (111211_2124) (CDROM) (Total:0.2 GB) (Free:0 GB) CDFS
3 Drive e: () (Removable) (Total:7.52 GB) (Free:7.52 GB) FAT32
4 Drive x: (RECOVERY) (Fixed) (Total:9.77 GB) (Free:5.6 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 0 B
Disk 1 Online 7725 MB 0 B

Partitions of Disk 0:

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 32 KB
Partition 2 Primary 10 GB 40 MB
Partition 3 Primary 223 GB 10 GB

Disk: 0
Partition 3
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 223 GB Healthy



==========================================================

Last Boot: 2011-11-28 14:10

======================= End Of Log ==========================

#7 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,408 posts
  • Gender:Female
  • Location:Romania

Posted 04 December 2011 - 03:39 AM

Hello, JSntgRvr is having some connection problems so I will take over this topic.

Boot to System Recovery Options and run FRST.
Type the following in the edit box after "Search:".

i8042prt.sys

It then should look like:

Search: i8042prt.sys

Click the Search button and post the log (Search.txt) it makes in your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft


#8 Marco71
  • Topic Starter
  • Members
  • 18 posts

Posted 04 December 2011 - 06:21 PM

Hi Elise. Thanks for stepping in!
Here goes...

Farbars Recovery Scan Tool 2.0.3
Ran by SYSTEM at 2011-12-04 15:12:21
Running from E:\

================== Search: i8042prt.sys ===================

C:\Windows\winsxs\x86_msmouse.inf_31bf3856ad364e35_6.0.6001.18000_none_4e340b7cd25b3352\i8042prt.sys
[2008-01-20 18:32] - [2008-01-20 18:32] - 0054784 ____A (Microsoft Corporation) 22D56C8184586B7A1F6FA60BE5F5A2BD

C:\Windows\winsxs\x86_msmouse.inf_31bf3856ad364e35_6.0.6000.20734_none_4cbafb05ee66fb5a\i8042prt.sys
[2008-01-20 18:14] - [2008-01-20 18:14] - 0054784 ____A (Microsoft Corporation) BEA9838CD25D36BEBA3F94386A761D60

C:\Windows\winsxs\x86_msmouse.inf_31bf3856ad364e35_6.0.6000.16609_none_4c56cf70d52c8670\i8042prt.sys
[2008-01-20 18:14] - [2008-01-20 18:14] - 0054784 ____A (Microsoft Corporation) 1C9EE072BAA3ABB460B91D7EE9152660

C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6002.18005_none_9939e6e4d61ab7ca\i8042prt.sys
[2008-01-20 18:32] - [2008-01-20 18:32] - 0054784 ____A (Microsoft Corporation) 22D56C8184586B7A1F6FA60BE5F5A2BD

C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6001.18000_none_974e6dd8d8f8ec7e\i8042prt.sys
[2008-01-20 18:32] - [2008-01-20 18:32] - 0054784 ____A (Microsoft Corporation) 22D56C8184586B7A1F6FA60BE5F5A2BD

C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6000.20734_none_95d55d61f504b486\i8042prt.sys
[2008-01-20 18:14] - [2008-01-20 18:14] - 0054784 ____A (Microsoft Corporation) BEA9838CD25D36BEBA3F94386A761D60

C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6000.16609_none_957131ccdbca3f9c\i8042prt.sys
[2008-01-20 18:14] - [2008-01-20 18:14] - 0054784 ____A (Microsoft Corporation) 1C9EE072BAA3ABB460B91D7EE9152660

C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_8b7c4328\i8042prt.sys
[2008-01-20 18:32] - [2008-01-20 18:32] - 0054784 ____A (Microsoft Corporation) 22D56C8184586B7A1F6FA60BE5F5A2BD

C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_3dfa3917\i8042prt.sys
[2006-11-02 02:25] - [2006-11-02 00:51] - 0054784 ____A (Microsoft Corporation) 1060F1377F395A242E27719440ECE602

C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_f55d5e51\i8042prt.sys
[2008-01-20 18:32] - [2008-01-20 18:32] - 0054784 ____A (Microsoft Corporation) 22D56C8184586B7A1F6FA60BE5F5A2BD

C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_da7e599e\i8042prt.sys
[2008-01-20 18:32] - [2008-01-20 18:32] - 0054784 ____A (Microsoft Corporation) 22D56C8184586B7A1F6FA60BE5F5A2BD

C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_93b1c41f\i8042prt.sys
[2006-11-02 02:25] - [2006-11-02 00:51] - 0054784 ____A (Microsoft Corporation) 1060F1377F395A242E27719440ECE602

C:\Windows\System32\drivers\i8042prt.sys
[2008-01-20 18:32] - [2008-01-20 18:32] - 0054784 ____A () 2A0F389B05D6DA06939EA214CB0F3F93

===
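The search above is useful because it lets the live driver be compared against the copies Windows keeps for servicing: every winsxs and DriverStore copy of i8042prt.sys carries a Microsoft company name and one of a few known MD5s, while the copy in System32\drivers has an empty company field and a hash that matches none of them. As an added example (not FRST's code and not from the thread), the Python below parses Search.txt lines in that format, flags the outlier, and picks a reference copy to restore from. The function names, the selection heuristic (same size and first timestamp, DriverStore preferred) and the choice of "company name" as a signal are this example's own assumptions; the sample lines are a subset of the Search.txt posted above.

```python
import re
from collections import Counter

# Constructed sample: a subset of the Search.txt for i8042prt.sys posted in the thread.
SEARCH_TXT = r"""
C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6002.18005_none_9939e6e4d61ab7ca\i8042prt.sys
[2008-01-20 18:32] - [2008-01-20 18:32] - 0054784 ____A (Microsoft Corporation) 22D56C8184586B7A1F6FA60BE5F5A2BD
C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_da7e599e\i8042prt.sys
[2008-01-20 18:32] - [2008-01-20 18:32] - 0054784 ____A (Microsoft Corporation) 22D56C8184586B7A1F6FA60BE5F5A2BD
C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_93b1c41f\i8042prt.sys
[2006-11-02 02:25] - [2006-11-02 00:51] - 0054784 ____A (Microsoft Corporation) 1060F1377F395A242E27719440ECE602
C:\Windows\System32\drivers\i8042prt.sys
[2008-01-20 18:32] - [2008-01-20 18:32] - 0054784 ____A () 2A0F389B05D6DA06939EA214CB0F3F93
"""

# One FRST detail line: [date] - [date] - size attributes (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<date1>[^\]]+)\] - \[(?P<date2>[^\]]+)\] - (?P<size>\d+) (?P<attrs>\S+) "
    r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")

def parse_search(text):
    """Return one dict per file: a path line followed by its detail line."""
    entries, path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            path = line
        elif path and (m := DETAIL_RE.match(line)):
            entries.append({"path": path, "size": int(m["size"]), "date1": m["date1"],
                            "company": m["company"], "md5": m["md5"].upper()})
            path = None
    return entries

def is_reference(entry):
    """Copies Windows keeps for servicing; the live driver should match one of them."""
    p = entry["path"].lower()
    return "\\winsxs\\" in p or "\\driverstore\\" in p

def find_suspects(entries, live_dir=r"C:\Windows\System32\drivers"):
    """Flag live copies whose MD5 matches no reference copy or that show no company name."""
    ref_hashes = {e["md5"] for e in entries if is_reference(e)}
    suspects = []
    for e in entries:
        if not e["path"].lower().startswith(live_dir.lower() + "\\"):
            continue
        reasons = []
        if e["md5"] not in ref_hashes:
            reasons.append("MD5 matches no winsxs/DriverStore copy")
        if not e["company"]:
            reasons.append("no company name in the version resource")
        if reasons:
            suspects.append((e["path"], reasons))
    return suspects

def pick_replacement(entries, suspect_path):
    """Heuristic (this example's own, not FRST's): a reference copy with the suspect's
    size and first timestamp, DriverStore preferred, most common MD5 among ties."""
    suspect = next(e for e in entries if e["path"] == suspect_path)
    cands = [e for e in entries if is_reference(e)
             and e["size"] == suspect["size"] and e["date1"] == suspect["date1"]]
    if not cands:
        return None
    top_md5 = Counter(e["md5"] for e in cands).most_common(1)[0][0]
    cands = [e for e in cands if e["md5"] == top_md5]
    cands.sort(key=lambda e: "\\driverstore\\" not in e["path"].lower())
    return cands[0]["path"]

def fixlist_line(src, dst):
    """The FRST 'replace:' directive in the form used later in this thread."""
    return f"replace: {src} {dst}"
```

On the sample the script flags only the System32\drivers copy and proposes the keyboard.inf_da7e599e DriverStore copy, the same source the fix below uses.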

#9 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,408 posts
  • Gender:Female
  • Location:Romania

Posted 05 December 2011 - 01:47 AM

Hi, let's see if we can replace the infected file now.

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt

replace: C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_da7e599e\i8042prt.sys C:\Windows\System32\drivers\i8042prt.sys

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.


When done, restart your computer and see if you can get in Windows now.

regards, Elise


#10 Marco71
  • Topic Starter
  • Members
  • 18 posts

Posted 05 December 2011 - 03:12 AM

Hi Elise,
I've done as you suggested (though I'm using the 32-bit FRST). Fixlog is pasted below. After the fix, I tried to restart Windows in safe mode. System drivers loaded until crcdisk.sys (as before), then stalled. System then re-initiated reboot, then proceeded to a black screen with movable cursor (previously frozen). I still can't yet enter Windows.


Fix result of Farbars's Recovery Tool (FRST written by farbar Version 2.3.0)
Ran by SYSTEM at 2011-12-04 23:17:27 R:1
Running from E:\

==============================================

C:\Windows\System32\drivers\i8042prt.sys moved successfully.
C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_da7e599e\i8042prt.sys copied successfully to C:\Windows\System32\drivers\i8042prt.sys

==== End of Fixlog ====

#11 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,408 posts
  • Gender:Female
  • Location:Romania

Posted 05 December 2011 - 03:45 AM

Please reboot in the recovery environment and select Command Prompt.

Type chkdsk /r and press enter. When asked to unmount the volume, confirm (Y).
If the disk check does not start right away, please rerun the chkdsk /r command.

When finished, restart your computer and let me know if you notice any change.

regards, Elise


#12 Marco71
  • Topic Starter
  • Members
  • 18 posts

Posted 05 December 2011 - 12:56 PM

-The system replies:

The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another process. Would you like to schedule this volume to be checked the next time the system restarts? (Y/N)

-I entered 'y', then re-entered 'chkdsk /r' and got the same message. I restarted in safe mode, but no apparent change (locks at black screen).

-I returned to recovery mode/command prompt, entered 'chkdsk' and received message below (abbreviated):

Chkdsk verified
-files
-indexes
-security descriptors
-Detected errors in the Master File Table (MFT) mirror
-found problems with the file system
-run chkdsk/f to correct these

Chkdsk then proceeded to review 10239999 KB disk space, 4288180 KB in 9143 files, 5736 K in bad sectors, 65635 KB in use by the system 53248 KB occupied by the log file, 5880448 KB available on disk, etc....

I could not run chkdsk /f...same message as chkdsk /r.

#13 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,408 posts
  • Gender:Female
  • Location:Romania

Posted 05 December 2011 - 01:24 PM

At the command prompt, type c: and press enter. Then enter the chkdsk /r command. Confirm to unmount and try again.

regards, Elise


#14 Marco71
  • Topic Starter
  • Members
  • 18 posts

Posted 05 December 2011 - 01:40 PM

Okay... that's the first time I've been able to change directory to c:.
The CHKDSK process initiated, verified files, indexes, security descriptors, USN Journal... but now appears to be stuck at 12% of 'verifying file data' (stage 4 of 5). There has been no progress for >5 mins.

#15 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,408 posts
  • Gender:Female
  • Location:Romania

Posted 05 December 2011 - 01:48 PM

Sorry, I should have mentioned this can take a long time. Please do not interrupt it (the scan progress also may seem to "jump back").

regards, Elise