Life after Rootkit - BSOD


  • This topic is locked
52 replies to this topic

#1 big0

big0

  • Members
  • 53 posts

Posted 30 December 2011 - 12:26 AM

Hi All
I have a laptop with Windows 7 using Malwarebytes Pro and McAfee.
We detected the Windows 7 2012 security virus. Couldn't kick it with McAfee and Malwarebytes.
With the help and direction of a tech at Malwarebytes we ran the following:
Malwarebytes Pro
DDS
ComboFix (this found a rootkit but couldn't fix it)
TDSSKiller
After running TDSSKiller, it found a rootkit (I do not know the name and I did not record it). I hit the "cure" button and after running it said I had to reboot.
Did that and came up with a half-second flash BSOD. Stopped the auto reboot on error and saw this code...
Stop code 0x0000007B (0xFFFFF8B0009A98E8, 0xFFFFFFFFC000000D, 0x0000000000000000, 0x0000000000000000)
The tech I am working with said I probably need to reinstall windows 7. Is there another way of fixing the BSOD without reinstalling windows 7 - but maybe repairing? The laptop has not been backed up unfortunately, so if I have to reinstall windows 7 is there a way of accessing and backing up the files and programs (not many programs) before doing so?
Any help or advice or just plain information is much appreciated.
Thanks,
Big0

#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 30 December 2011 - 06:59 PM

Let's give it a try. You will need a flash drive.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 30 December 2011 - 09:20 PM

Hello, just letting you know I moved this topic to Here in the Virus, Trojan, Spyware, and Malware Removal Logs forum where it will stay.

Please remember to click the Watch Topic button at the top right and select Immediate Notification so you do not miss any replies now that you were moved.

#4 big0

big0
  • Topic Starter

  • Members
  • 53 posts

Posted 31 December 2011 - 01:59 PM

Here is the frst64 txt:

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.3.1
Ran by SYSTEM at 2011-12-31 13:39:18
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [384296 2010-04-05] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-02-26] (IDT, Inc.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [165912 2010-02-22] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [387608 2010-02-22] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [365592 2010-02-22] (Intel Corporation)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe [4968960 2009-07-17] (Dell Inc.)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3180624 2009-07-02] (Dell Inc.)
HKLM\...\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m [1807680 2010-02-09] ()
HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
HKLM-x32\...\Run: [Corel File Shell Monitor] C:\Program Files (x86)\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe [x]
HKLM-x32\...\Run: [Standby] "C:\Program Files (x86)\Common Files\Corel\Standby\Standby.exe" -START [105632 2010-03-19] (Corel)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2010-12-13] (Apple Inc.)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1484856 2011-01-17] (McAfee, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [449608 2011-08-31] (Malwarebytes Corporation)
HKU\Guest\...\Run: [Spyware Doctor with AntiVirus] C:\Users\Guest\Desktop\PCTools_Safe_Install.exe -min [512992 2011-12-11] ()
HKU\Guest\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-12-11] (Google Inc.)
HKU\wrights\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [3883856 2009-07-26] (Microsoft Corporation)
HKU\wrights\...\Run: [Akamai NetSession Interface] C:\Users\wrights\AppData\Local\Akamai\netsession_win.exe [3305248 2011-12-06] (Akamai Technologies, Inc)
HKU\wrights\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [9728 2009-07-13] (Microsoft Corporation)
HKU\wrights\...\Run: [Corel Photo Downloader] "C:\Program Files (x86)\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup [522752 2011-09-07] (Corel, Inc.)
HKU\wrights\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-12-11] (Google Inc.)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)

#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 31 December 2011 - 03:07 PM

The report is incomplete. Leave the application to run unhindered until the full scan is completed.



#6 big0

big0
  • Topic Starter

  • Members
  • 53 posts

Posted 31 December 2011 - 03:17 PM

Sorry, copying didn't go far enough in the txt file. Didn't have to rerun. I believe it is now all here in its entirety.

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.3.1
Ran by SYSTEM at 2011-12-31 13:39:18
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [384296 2010-04-05] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-02-26] (IDT, Inc.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [165912 2010-02-22] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [387608 2010-02-22] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [365592 2010-02-22] (Intel Corporation)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe [4968960 2009-07-17] (Dell Inc.)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3180624 2009-07-02] (Dell Inc.)
HKLM\...\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m [1807680 2010-02-09] ()
HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
HKLM-x32\...\Run: [Corel File Shell Monitor] C:\Program Files (x86)\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe [x]
HKLM-x32\...\Run: [Standby] "C:\Program Files (x86)\Common Files\Corel\Standby\Standby.exe" -START [105632 2010-03-19] (Corel)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2010-12-13] (Apple Inc.)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1484856 2011-01-17] (McAfee, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [449608 2011-08-31] (Malwarebytes Corporation)
HKU\Guest\...\Run: [Spyware Doctor with AntiVirus] C:\Users\Guest\Desktop\PCTools_Safe_Install.exe -min [512992 2011-12-11] ()
HKU\Guest\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-12-11] (Google Inc.)
HKU\wrights\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [3883856 2009-07-26] (Microsoft Corporation)
HKU\wrights\...\Run: [Akamai NetSession Interface] C:\Users\wrights\AppData\Local\Akamai\netsession_win.exe [3305248 2011-12-06] (Akamai Technologies, Inc)
HKU\wrights\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [9728 2009-07-13] (Microsoft Corporation)
HKU\wrights\...\Run: [Corel Photo Downloader] "C:\Program Files (x86)\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup [522752 2011-09-07] (Corel, Inc.)
HKU\wrights\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-12-11] (Google Inc.)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2011-10-07] (Dell)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe [89600 2009-03-03] (Andrea Electronics Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [366152 2011-08-31] (Malwarebytes Corporation)
2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
3 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [509416 2010-10-07] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [200056 2010-10-13] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [245352 2010-10-13] (McAfee, Inc.)
2 mfevtp; "C:\Windows\system32\mfevtps.exe" [149032 2010-10-13] (McAfee, Inc.)
2 MSK80Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
2 PSI_SVC_2; "C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe" [189728 2010-03-10] (Protexis Inc.)
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\STacSV64.exe [244736 2010-02-26] (IDT, Inc.)
2 Akamai; c:\program files (x86)\common files\akamai/netsession_win_d768ebc.dll [x]
2 McAfee SiteAdvisor Service; c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [x]

========================== Drivers (Whitelisted) =============

3 cfwids; C:\Windows\System32\drivers\cfwids.sys [62800 2010-10-13] (McAfee, Inc.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25416 2011-08-31] (Malwarebytes Corporation)
3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [121248 2010-10-13] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [190136 2010-10-13] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [441328 2010-10-13] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [529128 2010-10-13] (McAfee, Inc.)
1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [75032 2010-10-13] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [94864 2010-10-13] (McAfee, Inc.)
1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [283360 2010-10-13] (McAfee, Inc.)
3 mfeavfk01; [x]
3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2011-12-23 23:03 - 2011-12-23 23:03 - 0000000 ____D C:\Emergency
2011-12-23 17:19 - 2011-12-23 17:29 - 0076102 ____A C:\TDSSKiller.2.6.25.0_23.12.2011_18.19.34_log.txt
2011-12-23 17:18 - 2011-12-23 18:39 - 0000000 ____D C:\Users\wrights\Desktop\tdsskiller
2011-12-23 17:18 - 2011-12-23 16:39 - 1558406 ____A C:\Users\wrights\Desktop\tdsskiller.zip
2011-12-23 15:23 - 2011-12-23 15:23 - 0023635 ____A C:\ComboFix.txt
2011-12-22 14:10 - 2011-12-22 14:10 - 0065536 __ASH C:\Windows\System32\config\components{7a878f8f-2cd8-11e1-8339-f04da2adbfd5}.TxR.blf
2011-12-21 16:23 - 2011-12-21 19:56 - 0000000 ____D C:\Users\wrights\Desktop\mbam logs
2011-12-21 14:53 - 2011-12-21 14:53 - 0000000 ____D C:\Users\wrights\Application Data\Malwarebytes
2011-12-21 14:53 - 2011-12-21 14:53 - 0000000 ____D C:\Users\wrights\AppData\Roaming\Malwarebytes
2011-12-19 20:57 - 2011-12-19 20:57 - 0065536 __ASH C:\Windows\System32\config\components{767313ab-28f1-11e1-a1a5-f04da2adbfd5}.TxR.blf
2011-12-18 18:37 - 2011-12-18 18:37 - 0000000 ____D C:\_OTM
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\system.tmp.LOG2
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\system.tmp.LOG1
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\software.tmp.LOG2
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\software.tmp.LOG1
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\security.tmp.LOG2
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\security.tmp.LOG1
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\sam.tmp.LOG2
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\sam.tmp.LOG1
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\default.tmp.LOG2
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\default.tmp.LOG1
2011-12-17 20:19 - 2011-12-30 17:29 - 0000000 ____D C:\Windows\ERDNT
2011-12-17 20:19 - 2011-12-24 11:51 - 0000000 ____D C:\Qoobox
2011-12-15 16:43 - 2011-12-15 16:43 - 0607260 ___RA (Swearware) C:\Users\wrights\Desktop\dds.scr
2011-12-14 07:43 - 2011-12-14 07:43 - 0000000 __SHD C:\Windows\SysWOW64\%USERPROFILE%
2011-12-12 19:52 - 2011-12-11 13:01 - 0000319 ____A C:\Users\wrights\Desktop\trojan_fakerean_exe_fix.reg
2011-12-12 19:51 - 2011-10-27 22:05 - 52174280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2011-12-12 19:40 - 2011-12-11 13:01 - 0000319 ____A C:\Users\Guest\Desktop\trojan_fakerean_exe_fix.reg
2011-12-12 19:18 - 2011-12-12 19:18 - 0001445 ____A C:\Users\Guest\Desktop\Internet Explorer.lnk
2011-12-12 18:34 - 2011-12-12 18:34 - 0270880 ____A C:\Windows\Minidump\121211-21746-01.dmp
2011-12-12 18:17 - 2011-12-12 18:17 - 0000000 ____D C:\Users\Guest\Local Settings\Dell Edoc Viewer
2011-12-12 18:17 - 2011-12-12 18:17 - 0000000 ____D C:\Users\Guest\Local Settings\Application Data\Dell Edoc Viewer
2011-12-12 18:17 - 2011-12-12 18:17 - 0000000 ____D C:\Users\Guest\AppData\Local\Dell Edoc Viewer
2011-12-12 18:13 - 2011-12-12 18:13 - 0270880 ____A C:\Windows\Minidump\121211-18439-01.dmp
2011-12-12 05:40 - 2011-12-12 18:34 - 215908899 ____A C:\Windows\MEMORY.DMP
2011-12-12 05:40 - 2011-12-12 18:34 - 0000000 ____D C:\Windows\Minidump
2011-12-12 05:40 - 2011-12-12 18:33 - 0666924 ____A C:\Windows\ntbtlog.txt
2011-12-12 05:40 - 2011-12-12 05:40 - 0277080 ____A C:\Windows\Minidump\121211-23306-01.dmp
2011-12-12 05:35 - 2011-12-12 05:35 - 0000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2011-12-11 21:13 - 2009-07-13 19:14 - 0020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2011-12-11 19:19 - 2011-12-11 19:19 - 2342648 ____A (Google Inc.) C:\Users\wrights\Desktop\GoogleToolbarInstaller_en32_signed.exe
2011-12-11 16:32 - 2011-12-11 18:43 - 0000000 ____D C:\Program Files (x86)\PC Tools Security
2011-12-11 16:32 - 2011-12-11 16:33 - 1849520 ____A C:\Windows\System32\Drivers\Cat.DB
2011-12-11 16:29 - 2011-12-11 18:42 - 0000000 ____D C:\Users\All Users\PC Tools
2011-12-11 16:29 - 2011-12-11 18:42 - 0000000 ____D C:\Users\All Users\Application Data\PC Tools
2011-12-11 16:29 - 2011-12-11 18:42 - 0000000 ____D C:\ProgramData\PC Tools
2011-12-11 16:29 - 2011-12-11 16:29 - 0512992 ____A C:\Users\Guest\Desktop\PCTools_Safe_Install.exe
2011-12-11 16:04 - 2011-12-11 16:04 - 0000824 ____A C:\Users\Public\Desktop\CCleaner.lnk
2011-12-11 16:04 - 2011-12-11 16:04 - 0000824 ____A C:\Users\All Users\Desktop\CCleaner.lnk
2011-12-11 16:04 - 2011-12-11 16:04 - 0000000 ____D C:\Program Files\CCleaner
2011-12-11 14:04 - 2011-12-11 14:04 - 0010474 __ASH C:\Users\All Users\Application Data\1296064230
2011-12-11 14:04 - 2011-12-11 14:04 - 0010474 __ASH C:\Users\All Users\1296064230
2011-12-11 14:04 - 2011-12-11 14:04 - 0010474 __ASH C:\ProgramData\1296064230
2011-12-11 13:16 - 2011-12-11 13:07 - 2619504 ____A (Piriform Ltd) C:\Users\wrights\Desktop\ccsetup313_slim.exe
2011-12-11 09:56 - 2011-12-11 16:03 - 0010568 __ASH C:\Users\wrights\Local Settings\n2ee12q3co7aih
2011-12-11 09:56 - 2011-12-11 16:03 - 0010568 __ASH C:\Users\wrights\Local Settings\Application Data\n2ee12q3co7aih
2011-12-11 09:56 - 2011-12-11 16:03 - 0010568 __ASH C:\Users\wrights\AppData\Local\n2ee12q3co7aih
2011-12-11 09:56 - 2011-12-11 16:03 - 0010568 __ASH C:\Users\All Users\n2ee12q3co7aih
2011-12-11 09:56 - 2011-12-11 16:03 - 0010568 __ASH C:\Users\All Users\Application Data\n2ee12q3co7aih
2011-12-11 09:56 - 2011-12-11 16:03 - 0010568 __ASH C:\ProgramData\n2ee12q3co7aih
2011-12-10 11:36 - 2011-12-10 11:36 - 0000734 ____A C:\Users\wrights\My Documents\=[.rtf
2011-12-10 11:36 - 2011-12-10 11:36 - 0000734 ____A C:\Users\wrights\Documents\=[.rtf
2011-12-05 19:30 - 2011-12-05 19:30 - 0000364 ____A C:\Users\wrights\My Documents\interactive poster.txt
2011-12-05 19:30 - 2011-12-05 19:30 - 0000364 ____A C:\Users\wrights\Documents\interactive poster.txt
2011-12-02 19:13 - 2011-12-02 19:13 - 0835888 ____A C:\Users\wrights\My Documents\sad.gif
2011-12-02 19:13 - 2011-12-02 19:13 - 0835888 ____A C:\Users\wrights\Documents\sad.gif
2011-12-01 15:57 - 2011-12-04 18:09 - 0000050 ____A C:\Users\wrights\My Documents\subscriptions.txt
2011-12-01 15:57 - 2011-12-04 18:09 - 0000050 ____A C:\Users\wrights\Documents\subscriptions.txt


============ 3 Months Modified Files and Folders =============

2011-12-31 13:39 - 2011-12-31 13:39 - 0000000 ____D C:\FRST
2011-12-30 17:30 - 2011-11-07 17:43 - 0000000 ____D C:\users\Guest
2011-12-30 17:30 - 2010-11-17 09:36 - 0000000 ____D C:\users\wrights
2011-12-30 17:29 - 2011-12-17 20:19 - 0000000 ____D C:\Windows\ERDNT
2011-12-30 17:29 - 2011-11-23 14:48 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-30 17:29 - 2011-11-23 10:27 - 0000000 ____D C:\Users\wrights\Application Data\fBtxP0ycSiDoFaH
2011-12-30 17:29 - 2011-11-23 10:27 - 0000000 ____D C:\Users\wrights\AppData\Roaming\fBtxP0ycSiDoFaH
2011-12-30 17:29 - 2011-11-23 08:56 - 0000000 ____D C:\Users\wrights\Application Data\DWK8fRL9hXjCkBz
2011-12-30 17:29 - 2011-11-23 08:56 - 0000000 ____D C:\Users\wrights\AppData\Roaming\DWK8fRL9hXjCkBz
2011-12-30 17:29 - 2011-11-23 08:36 - 0000000 ____D C:\Users\wrights\Application Data\LrzzONyxAuvSiF
2011-12-30 17:29 - 2011-11-23 08:36 - 0000000 ____D C:\Users\wrights\AppData\Roaming\LrzzONyxAuvSiF
2011-12-30 17:29 - 2011-11-03 19:31 - 0000000 ____D C:\Users\wrights\Local Settings\Application Data\Akamai
2011-12-30 17:29 - 2011-11-03 19:31 - 0000000 ____D C:\Users\wrights\Local Settings\Akamai
2011-12-30 17:29 - 2011-11-03 19:31 - 0000000 ____D C:\Users\wrights\AppData\Local\Akamai
2011-12-30 17:29 - 2011-08-12 21:58 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2011-12-30 17:29 - 2011-08-07 13:22 - 0000000 ____D C:\Users\All Users\Tarma Installer
2011-12-30 17:29 - 2011-08-07 13:22 - 0000000 ____D C:\Users\All Users\Application Data\Tarma Installer
2011-12-30 17:29 - 2011-08-07 13:22 - 0000000 ____D C:\ProgramData\Tarma Installer
2011-12-30 17:29 - 2010-11-12 01:38 - 0000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2011-12-30 17:29 - 2009-07-13 21:20 - 0000000 ____D C:\Windows\System32\NDF
2011-12-30 17:29 - 2009-07-13 21:20 - 0000000 ____D C:\Windows\registration
2011-12-30 17:29 - 2009-07-13 21:18 - 0000000 __SHD C:\$RECYCLE.BIN
2011-12-30 17:21 - 2011-11-07 17:49 - 0000000 ____D C:\Users\All Users\Malwarebytes
2011-12-30 17:21 - 2011-11-07 17:49 - 0000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2011-12-30 17:21 - 2011-11-07 17:49 - 0000000 ____D C:\ProgramData\Malwarebytes
2011-12-30 17:21 - 2009-07-13 21:20 - 0000000 ___RD C:\users\Public
2011-12-24 11:51 - 2011-12-17 20:19 - 0000000 ____D C:\Qoobox
2011-12-23 23:03 - 2011-12-23 23:03 - 0000000 ____D C:\Emergency
2011-12-23 18:39 - 2011-12-23 17:18 - 0000000 ____D C:\Users\wrights\Desktop\tdsskiller
2011-12-23 17:29 - 2011-12-23 17:19 - 0076102 ____A C:\TDSSKiller.2.6.25.0_23.12.2011_18.19.34_log.txt
2011-12-23 16:39 - 2011-12-23 17:18 - 1558406 ____A C:\Users\wrights\Desktop\tdsskiller.zip
2011-12-23 15:23 - 2011-12-23 15:23 - 0023635 ____A C:\ComboFix.txt
2011-12-23 14:19 - 2010-11-12 03:22 - 3190050816 __ASH C:\hiberfil.sys
2011-12-23 14:19 - 2010-11-12 01:55 - 0000000 ____D C:\Users\Default\Local Settings\SoftThinks
2011-12-23 14:19 - 2010-11-12 01:55 - 0000000 ____D C:\Users\Default\Local Settings\Application Data\SoftThinks
2011-12-23 14:19 - 2010-11-12 01:55 - 0000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2011-12-23 14:19 - 2010-11-12 01:55 - 0000000 ____D C:\Users\Default User\Local Settings\SoftThinks
2011-12-23 14:19 - 2010-11-12 01:55 - 0000000 ____D C:\Users\Default User\Local Settings\Application Data\SoftThinks
2011-12-23 14:19 - 2010-11-12 01:55 - 0000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2011-12-22 18:53 - 2009-07-13 20:34 - 62390272 ____A C:\Windows\System32\config\software.bak
2011-12-22 18:53 - 2009-07-13 20:34 - 19136512 ____A C:\Windows\System32\config\system.bak
2011-12-22 18:53 - 2009-07-13 20:34 - 0262144 ____A C:\Windows\System32\config\security.bak
2011-12-22 18:53 - 2009-07-13 20:34 - 0262144 ____A C:\Windows\System32\config\sam.bak
2011-12-22 18:53 - 2009-07-13 20:34 - 0262144 ____A C:\Windows\System32\config\default.bak
2011-12-22 18:06 - 2011-01-05 16:47 - 0000000 ____D C:\Users\wrights\Tracing
2011-12-22 14:26 - 2009-07-13 21:20 - 0000000 ____D C:\Windows\System32\config\TxR
2011-12-22 14:10 - 2011-12-22 14:10 - 0065536 __ASH C:\Windows\System32\config\components{7a878f8f-2cd8-11e1-8339-f04da2adbfd5}.TxR.blf
2011-12-21 19:56 - 2011-12-21 16:23 - 0000000 ____D C:\Users\wrights\Desktop\mbam logs
2011-12-21 14:53 - 2011-12-21 14:53 - 0000000 ____D C:\Users\wrights\Application Data\Malwarebytes
2011-12-21 14:53 - 2011-12-21 14:53 - 0000000 ____D C:\Users\wrights\AppData\Roaming\Malwarebytes
2011-12-21 14:01 - 2010-11-17 09:36 - 0000000 ____D C:\Users\wrights\Local Settings\SoftThinks
2011-12-21 14:01 - 2010-11-17 09:36 - 0000000 ____D C:\Users\wrights\Local Settings\Application Data\SoftThinks
2011-12-21 14:01 - 2010-11-17 09:36 - 0000000 ____D C:\Users\wrights\AppData\Local\SoftThinks
2011-12-19 20:57 - 2011-12-19 20:57 - 0065536 __ASH C:\Windows\System32\config\components{767313ab-28f1-11e1-a1a5-f04da2adbfd5}.TxR.blf
2011-12-18 18:37 - 2011-12-18 18:37 - 0000000 ____D C:\_OTM
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\system.tmp.LOG2
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\system.tmp.LOG1
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\software.tmp.LOG2
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\software.tmp.LOG1
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\security.tmp.LOG2
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\security.tmp.LOG1
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\sam.tmp.LOG2
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\sam.tmp.LOG1
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\default.tmp.LOG2
2011-12-17 21:10 - 2011-12-17 21:10 - 0000000 __ASH C:\Windows\System32\config\default.tmp.LOG1
2011-12-15 16:55 - 2009-07-13 23:10 - 2010077 ____A C:\Windows\WindowsUpdate.log
2011-12-15 16:51 - 2010-11-17 09:43 - 0000422 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
2011-12-15 16:43 - 2011-12-15 16:43 - 0607260 ___RA (Swearware) C:\Users\wrights\Desktop\dds.scr
2011-12-15 16:39 - 2009-07-13 22:45 - 0014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2011-12-15 16:39 - 2009-07-13 22:45 - 0014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2011-12-15 16:32 - 2011-04-28 14:35 - 0001830 ____A C:\Users\Public\Desktop\McAfee Total Protection.lnk
2011-12-15 16:32 - 2011-04-28 14:35 - 0001830 ____A C:\Users\All Users\Desktop\McAfee Total Protection.lnk
2011-12-15 16:32 - 2010-12-25 09:45 - 0000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2011-12-15 16:31 - 2009-07-13 23:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2011-12-15 16:31 - 2009-07-13 22:51 - 0173224 ____A C:\Windows\setupact.log
2011-12-14 14:09 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At32.job
2011-12-14 14:09 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At31.job
2011-12-14 14:04 - 2010-12-25 09:45 - 0000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2011-12-14 13:09 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At30.job
2011-12-14 13:09 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At29.job
2011-12-14 12:09 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At28.job
2011-12-14 12:09 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At27.job
2011-12-14 11:09 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At26.job
2011-12-14 11:09 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At25.job
2011-12-14 10:09 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At24.job
2011-12-14 10:09 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At23.job
2011-12-14 09:09 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At22.job
2011-12-14 09:09 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At21.job
2011-12-14 08:09 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At20.job
2011-12-14 08:09 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At19.job
2011-12-14 08:00 - 2010-11-17 14:41 - 0003766 __ASH C:\Users\All Users\KGyGaAvL.sys
2011-12-14 08:00 - 2010-11-17 14:41 - 0003766 __ASH C:\Users\All Users\Application Data\KGyGaAvL.sys
2011-12-14 08:00 - 2010-11-17 14:41 - 0003766 __ASH C:\ProgramData\KGyGaAvL.sys
2011-12-14 07:52 - 2009-07-13 23:13 - 0726316 ____A C:\Windows\System32\PerfStringBackup.INI
2011-12-14 07:43 - 2011-12-14 07:43 - 0000000 __SHD C:\Windows\SysWOW64\%USERPROFILE%
2011-12-12 21:09 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At46.job
2011-12-12 21:09 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At45.job
2011-12-12 21:00 - 2010-11-17 09:43 - 0000564 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2011-12-12 20:09 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At44.job
2011-12-12 20:09 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At43.job
2011-12-12 19:18 - 2011-12-12 19:18 - 0001445 ____A C:\Users\Guest\Desktop\Internet Explorer.lnk
2011-12-12 18:34 - 2011-12-12 18:34 - 0270880 ____A C:\Windows\Minidump\121211-21746-01.dmp
2011-12-12 18:34 - 2011-12-12 05:40 - 215908899 ____A C:\Windows\MEMORY.DMP
2011-12-12 18:34 - 2011-12-12 05:40 - 0000000 ____D C:\Windows\Minidump
2011-12-12 18:33 - 2011-12-12 05:40 - 0666924 ____A C:\Windows\ntbtlog.txt
2011-12-12 18:17 - 2011-12-12 18:17 - 0000000 ____D C:\Users\Guest\Local Settings\Dell Edoc Viewer
2011-12-12 18:17 - 2011-12-12 18:17 - 0000000 ____D C:\Users\Guest\Local Settings\Application Data\Dell Edoc Viewer
2011-12-12 18:17 - 2011-12-12 18:17 - 0000000 ____D C:\Users\Guest\AppData\Local\Dell Edoc Viewer
2011-12-12 18:13 - 2011-12-12 18:13 - 0270880 ____A C:\Windows\Minidump\121211-18439-01.dmp
2011-12-12 17:09 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At38.job
2011-12-12 17:09 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At37.job
2011-12-12 05:40 - 2011-12-12 05:40 - 0277080 ____A C:\Windows\Minidump\121211-23306-01.dmp
2011-12-12 05:35 - 2011-12-12 05:35 - 0000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2011-12-11 21:13 - 2010-11-12 03:22 - 0036048 ____A C:\Windows\PFRO.log
2011-12-11 19:29 - 2011-07-05 16:49 - 0001193 ____A C:\Users\wrights\Desktop\Cursors.lnk
2011-12-11 19:29 - 2011-07-05 16:44 - 0001648 ____A C:\Users\wrights\Start Menu\Programs\Startup\Mouse Magic CS.lnk
2011-12-11 19:29 - 2011-07-05 16:44 - 0001648 ____A C:\Users\wrights\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mouse Magic CS.lnk
2011-12-11 19:29 - 2010-11-17 09:45 - 0002025 ____A C:\Users\wrights\Start Menu\Programs\Startup\Dell Dock.lnk
2011-12-11 19:29 - 2010-11-17 09:45 - 0002025 ____A C:\Users\wrights\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
2011-12-11 19:23 - 2010-12-25 09:45 - 0000000 ____D C:\Users\wrights\Local Settings\Google
2011-12-11 19:23 - 2010-12-25 09:45 - 0000000 ____D C:\Users\wrights\Local Settings\Application Data\Google
2011-12-11 19:23 - 2010-12-25 09:45 - 0000000 ____D C:\Users\wrights\AppData\Local\Google
2011-12-11 19:23 - 2010-12-25 09:45 - 0000000 ____D C:\Users\All Users\Google
2011-12-11 19:23 - 2010-12-25 09:45 - 0000000 ____D C:\Users\All Users\Application Data\Google
2011-12-11 19:23 - 2010-12-25 09:45 - 0000000 ____D C:\ProgramData\Google
2011-12-11 19:22 - 2010-12-25 09:45 - 0000000 ____D C:\Program Files\Google
2011-12-11 19:22 - 2010-12-25 09:45 - 0000000 ____D C:\Program Files (x86)\Google
2011-12-11 19:19 - 2011-12-11 19:19 - 2342648 ____A (Google Inc.) C:\Users\wrights\Desktop\GoogleToolbarInstaller_en32_signed.exe
2011-12-11 19:09 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At42.job
2011-12-11 19:09 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At41.job
2011-12-11 18:43 - 2011-12-11 16:32 - 0000000 ____D C:\Program Files (x86)\PC Tools Security
2011-12-11 18:42 - 2011-12-11 16:29 - 0000000 ____D C:\Users\All Users\PC Tools
2011-12-11 18:42 - 2011-12-11 16:29 - 0000000 ____D C:\Users\All Users\Application Data\PC Tools
2011-12-11 18:42 - 2011-12-11 16:29 - 0000000 ____D C:\ProgramData\PC Tools
2011-12-11 18:09 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At40.job
2011-12-11 18:09 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At39.job
2011-12-11 16:51 - 2009-07-13 23:08 - 0032598 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2011-12-11 16:33 - 2011-12-11 16:32 - 1849520 ____A C:\Windows\System32\Drivers\Cat.DB
2011-12-11 16:29 - 2011-12-11 16:29 - 0512992 ____A C:\Users\Guest\Desktop\PCTools_Safe_Install.exe
2011-12-11 16:09 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At36.job
2011-12-11 16:09 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At35.job
2011-12-11 16:04 - 2011-12-11 16:04 - 0000824 ____A C:\Users\Public\Desktop\CCleaner.lnk
2011-12-11 16:04 - 2011-12-11 16:04 - 0000824 ____A C:\Users\All Users\Desktop\CCleaner.lnk
2011-12-11 16:04 - 2011-12-11 16:04 - 0000000 ____D C:\Program Files\CCleaner
2011-12-11 16:03 - 2011-12-11 09:56 - 0010568 __ASH C:\Users\wrights\Local Settings\n2ee12q3co7aih
2011-12-11 16:03 - 2011-12-11 09:56 - 0010568 __ASH C:\Users\wrights\Local Settings\Application Data\n2ee12q3co7aih
2011-12-11 16:03 - 2011-12-11 09:56 - 0010568 __ASH C:\Users\wrights\AppData\Local\n2ee12q3co7aih
2011-12-11 16:03 - 2011-12-11 09:56 - 0010568 __ASH C:\Users\All Users\n2ee12q3co7aih
2011-12-11 16:03 - 2011-12-11 09:56 - 0010568 __ASH C:\Users\All Users\Application Data\n2ee12q3co7aih
2011-12-11 16:03 - 2011-12-11 09:56 - 0010568 __ASH C:\ProgramData\n2ee12q3co7aih
2011-12-11 15:09 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At34.job
2011-12-11 15:09 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At33.job
2011-12-11 14:04 - 2011-12-11 14:04 - 0010474 __ASH C:\Users\All Users\Application Data\1296064230
2011-12-11 14:04 - 2011-12-11 14:04 - 0010474 __ASH C:\Users\All Users\1296064230
2011-12-11 14:04 - 2011-12-11 14:04 - 0010474 __ASH C:\ProgramData\1296064230
2011-12-11 13:07 - 2011-12-11 13:16 - 2619504 ____A (Piriform Ltd) C:\Users\wrights\Desktop\ccsetup313_slim.exe
2011-12-11 13:01 - 2011-12-12 19:52 - 0000319 ____A C:\Users\wrights\Desktop\trojan_fakerean_exe_fix.reg
2011-12-11 13:01 - 2011-12-12 19:40 - 0000319 ____A C:\Users\Guest\Desktop\trojan_fakerean_exe_fix.reg
2011-12-11 09:57 - 2009-07-13 23:37 - 0000000 ____D C:\Windows\SysWOW64\sysprep
2011-12-10 11:36 - 2011-12-10 11:36 - 0000734 ____A C:\Users\wrights\My Documents\=[.rtf
2011-12-10 11:36 - 2011-12-10 11:36 - 0000734 ____A C:\Users\wrights\Documents\=[.rtf
2011-12-10 10:30 - 2010-11-17 13:49 - 0000000 ____D C:\Users\wrights\Local Settings\Corel
2011-12-10 10:30 - 2010-11-17 13:49 - 0000000 ____D C:\Users\wrights\Local Settings\Application Data\Corel
2011-12-10 10:30 - 2010-11-17 13:49 - 0000000 ____D C:\Users\wrights\AppData\Local\Corel
2011-12-10 10:20 - 2010-11-17 13:49 - 0000000 ____D C:\Users\wrights\My Documents\My PSP Files
2011-12-10 10:20 - 2010-11-17 13:49 - 0000000 ____D C:\Users\wrights\Documents\My PSP Files
2011-12-10 07:09 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At18.job
2011-12-10 07:09 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At17.job
2011-12-06 22:09 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At48.job
2011-12-06 22:09 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At47.job
2011-12-05 19:30 - 2011-12-05 19:30 - 0000364 ____A C:\Users\wrights\My Documents\interactive poster.txt
2011-12-05 19:30 - 2011-12-05 19:30 - 0000364 ____A C:\Users\wrights\Documents\interactive poster.txt
2011-12-04 18:09 - 2011-12-01 15:57 - 0000050 ____A C:\Users\wrights\My Documents\subscriptions.txt
2011-12-04 18:09 - 2011-12-01 15:57 - 0000050 ____A C:\Users\wrights\Documents\subscriptions.txt
2011-12-04 17:55 - 2011-08-22 21:38 - 0010623 ____A C:\Users\wrights\My Documents\The Cabin [fanfic].txt
2011-12-04 17:55 - 2011-08-22 21:38 - 0010623 ____A C:\Users\wrights\Documents\The Cabin [fanfic].txt
2011-12-04 10:21 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At8.job
2011-12-04 10:21 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At6.job
2011-12-04 10:21 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At16.job
2011-12-04 10:21 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At14.job
2011-12-04 10:21 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At12.job
2011-12-04 10:21 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At10.job
2011-12-04 10:21 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At9.job
2011-12-04 10:21 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At7.job
2011-12-04 10:21 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At5.job
2011-12-04 10:21 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At15.job
2011-12-04 10:21 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At13.job
2011-12-04 10:21 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At11.job
2011-12-04 01:07 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At4.job
2011-12-04 01:07 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At2.job
2011-12-04 01:07 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At3.job
2011-12-04 01:07 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At1.job
2011-12-02 19:13 - 2011-12-02 19:13 - 0835888 ____A C:\Users\wrights\My Documents\sad.gif
2011-12-02 19:13 - 2011-12-02 19:13 - 0835888 ____A C:\Users\wrights\Documents\sad.gif
2011-11-30 19:37 - 2011-11-30 19:37 - 3446766 ____A C:\Users\wrights\My Documents\porcelain black gif.gif
2011-11-30 19:37 - 2011-11-30 19:37 - 3446766 ____A C:\Users\wrights\Documents\porcelain black gif.gif
2011-11-29 20:25 - 2011-11-27 18:14 - 8332984 ____A C:\Users\wrights\My Documents\halloween outfit [2012].rtf
2011-11-29 20:25 - 2011-11-27 18:14 - 8332984 ____A C:\Users\wrights\Documents\halloween outfit [2012].rtf
2011-11-26 14:45 - 2011-11-26 13:10 - 0012714 __ASH C:\Users\wrights\Local Settings\Application Data\157850g1p046c522p184r5dtv4q8
2011-11-26 14:45 - 2011-11-26 13:10 - 0012714 __ASH C:\Users\wrights\Local Settings\157850g1p046c522p184r5dtv4q8
2011-11-26 14:45 - 2011-11-26 13:10 - 0012714 __ASH C:\Users\wrights\AppData\Local\157850g1p046c522p184r5dtv4q8
2011-11-26 14:45 - 2011-11-26 13:10 - 0012714 __ASH C:\Users\All Users\Application Data\157850g1p046c522p184r5dtv4q8
2011-11-26 14:45 - 2011-11-26 13:10 - 0012714 __ASH C:\Users\All Users\157850g1p046c522p184r5dtv4q8
2011-11-26 14:45 - 2011-11-26 13:10 - 0012714 __ASH C:\ProgramData\157850g1p046c522p184r5dtv4q8
2011-11-25 23:07 - 2011-11-25 23:07 - 0000010 ____A C:\Users\wrights\My Documents\look up tumblr.txt
2011-11-25 23:07 - 2011-11-25 23:07 - 0000010 ____A C:\Users\wrights\Documents\look up tumblr.txt
2011-11-24 17:37 - 2011-06-12 21:52 - 0000884 ____A C:\Users\wrights\My Documents\songs i need to get.txt
2011-11-24 17:37 - 2011-06-12 21:52 - 0000884 ____A C:\Users\wrights\Documents\songs i need to get.txt
2011-11-23 14:48 - 2011-11-23 14:48 - 0001115 ____A C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
2011-11-23 14:48 - 2011-11-23 14:48 - 0001115 ____A C:\Users\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
2011-11-23 14:42 - 2011-11-07 17:46 - 9850880 ____A (Malwarebytes Corporation ) C:\Users\Guest\Downloads\mbam-setup-1.51.2.1300.exe
2011-11-23 14:33 - 2011-11-23 14:33 - 0000000 ____A C:\Windows\SysWOW64\1F5sd01.com.b
2011-11-23 14:33 - 2011-11-23 14:29 - 0000112 ____A C:\Users\All Users\Application Data\7UJ2r4UYR.dat
2011-11-23 14:33 - 2011-11-23 14:29 - 0000112 ____A C:\Users\All Users\7UJ2r4UYR.dat
2011-11-23 14:33 - 2011-11-23 14:29 - 0000112 ____A C:\ProgramData\7UJ2r4UYR.dat
2011-11-23 14:26 - 2011-11-23 14:24 - 9850880 ____A (Malwarebytes Corporation ) C:\Users\Guest\Downloads\mbam-consumer.exe
2011-11-23 14:17 - 2011-11-23 14:17 - 0000000 ____D C:\Users\Guest\Local Settings\Google
2011-11-23 14:17 - 2011-11-23 14:17 - 0000000 ____D C:\Users\Guest\Local Settings\Application Data\Google
2011-11-23 14:17 - 2011-11-23 14:17 - 0000000 ____D C:\Users\Guest\Application Data\Google
2011-11-23 14:17 - 2011-11-23 14:17 - 0000000 ____D C:\Users\Guest\AppData\Roaming\Google
2011-11-23 14:17 - 2011-11-23 14:17 - 0000000 ____D C:\Users\Guest\AppData\Local\Google
2011-11-23 14:17 - 2011-11-07 17:43 - 0000000 ____D C:\Users\Guest\AppData\LocalLow
2011-11-23 08:59 - 2011-11-23 08:59 - 0000000 ____D C:\Users\Guest\Application Data\Malwarebytes
2011-11-23 08:59 - 2011-11-23 08:59 - 0000000 ____D C:\Users\Guest\AppData\Roaming\Malwarebytes
2011-11-20 09:37 - 2011-08-03 18:06 - 0022408 ____A C:\Users\wrights\My Documents\yay fanfiction!.txt
2011-11-20 09:37 - 2011-08-03 18:06 - 0022408 ____A C:\Users\wrights\Documents\yay fanfiction!.txt
2011-11-16 05:41 - 2011-06-05 19:53 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2011-11-15 16:31 - 2011-11-15 16:31 - 0000033 ____A C:\Users\wrights\My Documents\tumblr.txt
2011-11-15 16:31 - 2011-11-15 16:31 - 0000033 ____A C:\Users\wrights\Documents\tumblr.txt
2011-11-13 20:58 - 2011-11-13 20:57 - 0000095 ____A C:\Users\wrights\My Documents\hair dying =3.txt
2011-11-13 20:58 - 2011-11-13 20:57 - 0000095 ____A C:\Users\wrights\Documents\hair dying =3.txt
2011-11-11 07:50 - 2011-11-05 15:26 - 0002747 ____A C:\Users\wrights\My Documents\updated christmas lisy.rtf
2011-11-11 07:50 - 2011-11-05 15:26 - 0002747 ____A C:\Users\wrights\Documents\updated christmas lisy.rtf
2011-11-09 19:55 - 2009-07-13 22:45 - 0301624 ____A C:\Windows\System32\FNTCACHE.DAT
2011-11-09 19:54 - 2009-07-13 21:20 - 0000000 ____D C:\Program Files\Common Files\System
2011-11-08 20:20 - 2011-06-14 21:46 - 0013486 ____A C:\Users\wrights\My Documents\best.txt
2011-11-08 20:20 - 2011-06-14 21:46 - 0013486 ____A C:\Users\wrights\Documents\best.txt
2011-11-07 17:46 - 2011-11-07 17:46 - 0000000 ____D C:\Users\Guest\Application Data\Macromedia
2011-11-07 17:46 - 2011-11-07 17:46 - 0000000 ____D C:\Users\Guest\Application Data\Adobe
2011-11-07 17:46 - 2011-11-07 17:46 - 0000000 ____D C:\Users\Guest\AppData\Roaming\Macromedia
2011-11-07 17:46 - 2011-11-07 17:46 - 0000000 ____D C:\Users\Guest\AppData\Roaming\Adobe
2011-11-07 17:45 - 2011-11-07 17:44 - 0000000 ____D C:\Users\Guest\Application Data\Mozilla
2011-11-07 17:45 - 2011-11-07 17:44 - 0000000 ____D C:\Users\Guest\AppData\Roaming\Mozilla
2011-11-07 17:44 - 2011-11-07 17:44 - 0073856 ____A C:\Users\Guest\Local Settings\GDIPFONTCACHEV1.DAT
2011-11-07 17:44 - 2011-11-07 17:44 - 0073856 ____A C:\Users\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2011-11-07 17:44 - 2011-11-07 17:44 - 0073856 ____A C:\Users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2011-11-07 17:44 - 2011-11-07 17:44 - 0001980 ____A C:\Users\Guest\Start Menu\Programs\Startup\Dell Dock.lnk
2011-11-07 17:44 - 2011-11-07 17:44 - 0001980 ____A C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
2011-11-07 17:44 - 2011-11-07 17:44 - 0000000 ____D C:\Users\Guest\Local Settings\Stardock_Corporation
2011-11-07 17:44 - 2011-11-07 17:44 - 0000000 ____D C:\Users\Guest\Local Settings\Mozilla
2011-11-07 17:44 - 2011-11-07 17:44 - 0000000 ____D C:\Users\Guest\Local Settings\DataSafeOnline
2011-11-07 17:44 - 2011-11-07 17:44 - 0000000 ____D C:\Users\Guest\Local Settings\Application Data\Stardock_Corporation
2011-11-07 17:44 - 2011-11-07 17:44 - 0000000 ____D C:\Users\Guest\Local Settings\Application Data\Mozilla
2011-11-07 17:44 - 2011-11-07 17:44 - 0000000 ____D C:\Users\Guest\Local Settings\Application Data\DataSafeOnline
2011-11-07 17:44 - 2011-11-07 17:44 - 0000000 ____D C:\Users\Guest\Application Data\Roxio
2011-11-07 17:44 - 2011-11-07 17:44 - 0000000 ____D C:\Users\Guest\Application Data\Dell
2011-11-07 17:44 - 2011-11-07 17:44 - 0000000 ____D C:\Users\Guest\Application Data\Apple Computer
2011-11-07 17:44 - 2011-11-07 17:44 - 0000000 ____D C:\Users\Guest\AppData\Roaming\Roxio
2011-11-07 17:44 - 2011-11-07 17:44 - 0000000 ____D C:\Users\Guest\AppData\Roaming\Dell
2011-11-07 17:44 - 2011-11-07 17:44 - 0000000 ____D C:\Users\Guest\AppData\Roaming\Apple Computer
2011-11-07 17:44 - 2011-11-07 17:44 - 0000000 ____D C:\Users\Guest\AppData\Local\Stardock_Corporation
2011-11-07 17:44 - 2011-11-07 17:44 - 0000000 ____D C:\Users\Guest\AppData\Local\Mozilla
2011-11-07 17:44 - 2011-11-07 17:44 - 0000000 ____D C:\Users\Guest\AppData\Local\DataSafeOnline
2011-11-07 17:44 - 2011-11-07 17:43 - 0000402 __ASH C:\Users\Guest\My Documents\desktop.ini
2011-11-07 17:44 - 2011-11-07 17:43 - 0000174 ___SH C:\Users\Guest\Start Menu\Programs\Startup\desktop.ini
2011-11-07 17:44 - 2011-11-07 17:43 - 0000174 ___SH C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2011-11-07 17:43 - 2011-11-07 17:43 - 0000020 ___SH C:\Users\Guest\ntuser.ini
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 __SHD C:\Users\Guest\Templates
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 __SHD C:\Users\Guest\Start Menu
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 __SHD C:\Users\Guest\PrintHood
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 __SHD C:\Users\Guest\NetHood
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 __SHD C:\Users\Guest\My Documents\My Videos
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 __SHD C:\Users\Guest\My Documents\My Pictures
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 __SHD C:\Users\Guest\My Documents\My Music
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 __SHD C:\Users\Guest\My Documents
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 __SHD C:\Users\Guest\Local Settings\Temporary Internet Files
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 __SHD C:\Users\Guest\Local Settings\History
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 __SHD C:\Users\Guest\Local Settings\Application Data\Temporary Internet Files
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 __SHD C:\Users\Guest\Local Settings\Application Data\History
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 __SHD C:\Users\Guest\Documents\My Videos
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 __SHD C:\Users\Guest\Documents\My Pictures
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 __SHD C:\Users\Guest\Documents\My Music
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 __SHD C:\Users\Guest\AppData\Local\Temporary Internet Files
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 __SHD C:\Users\Guest\AppData\Local\History
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 ____D C:\Users\Guest\Local Settings\VirtualStore
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 ____D C:\Users\Guest\Local Settings\Application Data\VirtualStore
2011-11-07 17:43 - 2011-11-07 17:43 - 0000000 ____D C:\Users\Guest\AppData\Local\VirtualStore
2011-11-05 18:47 - 2011-11-05 18:47 - 0000034 ____A C:\Users\wrights\My Documents\lemon.txt
2011-11-05 18:47 - 2011-11-05 18:47 - 0000034 ____A C:\Users\wrights\Documents\lemon.txt
2011-11-05 12:14 - 2011-11-05 12:14 - 0758024 ____A (Adobe Systems Incorporated) C:\Users\wrights\My Documents\install_flashplayer11x64ax_gtbp_chrd_aih.exe
2011-11-05 12:14 - 2011-11-05 12:14 - 0758024 ____A (Adobe Systems Incorporated) C:\Users\wrights\Documents\install_flashplayer11x64ax_gtbp_chrd_aih.exe
2011-11-05 12:13 - 2011-11-05 12:13 - 0000000 ____D C:\Windows\System32\Macromed
2011-10-28 14:42 - 2011-10-28 14:42 - 0000008 ____A C:\Users\wrights\My Documents\emily's number.txt
2011-10-28 14:42 - 2011-10-28 14:42 - 0000008 ____A C:\Users\wrights\Documents\emily's number.txt
2011-10-27 22:05 - 2011-12-12 19:51 - 52174280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2011-10-27 16:58 - 2011-10-27 16:58 - 0001667 ____A C:\Users\wrights\My Documents\letter.txt
2011-10-27 16:58 - 2011-10-27 16:58 - 0001667 ____A C:\Users\wrights\Documents\letter.txt
2011-10-20 14:19 - 2011-10-20 14:19 - 0000025 ____A C:\Users\wrights\My Documents\song i forgot.txt
2011-10-20 14:19 - 2011-10-20 14:19 - 0000025 ____A C:\Users\wrights\Documents\song i forgot.txt
2011-10-18 19:57 - 2011-10-18 19:57 - 0000052 ____A C:\Users\wrights\My Documents\preciousmetal story link.txt
2011-10-18 19:57 - 2011-10-18 19:57 - 0000052 ____A C:\Users\wrights\Documents\preciousmetal story link.txt
2011-10-13 19:37 - 2011-10-10 19:32 - 6613747 ____A C:\Users\wrights\My Documents\christmas outfit.rtf
2011-10-13 19:37 - 2011-10-10 19:32 - 6613747 ____A C:\Users\wrights\Documents\christmas outfit.rtf
2011-10-12 13:17 - 2011-10-12 13:17 - 0000046 ____A C:\Users\wrights\My Documents\yaoi bag~.txt
2011-10-12 13:17 - 2011-10-12 13:17 - 0000046 ____A C:\Users\wrights\Documents\yaoi bag~.txt
2011-10-11 17:43 - 2011-10-11 17:43 - 0000071 ____A C:\Users\wrights\My Documents\best quote rhyme ever...txt
2011-10-11 17:43 - 2011-10-11 17:43 - 0000071 ____A C:\Users\wrights\Documents\best quote rhyme ever...txt
2011-10-09 13:52 - 2011-10-09 13:52 - 3023080 ____A C:\Users\wrights\My Documents\jacob halloween.rtf
2011-10-09 13:52 - 2011-10-09 13:52 - 3023080 ____A C:\Users\wrights\Documents\jacob halloween.rtf
2011-10-08 15:37 - 2011-10-08 15:37 - 0000039 ____A C:\Users\wrights\My Documents\money.txt
2011-10-08 15:37 - 2011-10-08 15:37 - 0000039 ____A C:\Users\wrights\Documents\money.txt

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 4056.36 MB
Available physical RAM: 3486.15 MB
Total Pagefile: 4054.51 MB
Available Pagefile: 3473.73 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:283.4 GB) (Free:217.06 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:7.77 GB) NTFS ==>[Drive with boot components]
5 Drive g: () (Removable) (Total:14.9 GB) (Free:14.84 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 Online 14 GB 0 B

Partitions of Disk 0:

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 14 GB 40 MB
Partition 3 Primary 283 GB 14 GB

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 FAT Partition 39 MB Healthy Hidden

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D RECOVERY NTFS Partition 14 GB Healthy

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 283 GB Healthy

==========================================================

Last Boot: 2011-11-25 12:53

======================= End Of Log ==========================

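Added example (not from the thread, not FRST's own code): a small triage of the listing format above. It collapses the Windows 7 compatibility junctions FRST walks into (the reason one file is listed under Local Settings, AppData\Local, All Users and ProgramData, and why a fix later reports one alias moved and the rest "not found"), then flags the patterns the helper's fix targets: the hourly At<N>.job tasks, extension-less hidden+system files with random names directly in ProgramData or AppData\Local, literal %VAR% directory names, and files created in the same minute as the At jobs. The sample lines are copied from the log above; the junction table, the heuristics and the name `triage` are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the FRST listing posted above.
SAMPLE = r"""
2011-12-14 13:09 - 2011-11-23 14:29 - 0000350 ____A C:\Windows\Tasks\At30.job
2011-12-14 13:09 - 2011-11-23 14:29 - 0000348 ____A C:\Windows\Tasks\At29.job
2011-12-14 08:00 - 2010-11-17 14:41 - 0003766 __ASH C:\Users\All Users\KGyGaAvL.sys
2011-12-14 08:00 - 2010-11-17 14:41 - 0003766 __ASH C:\ProgramData\KGyGaAvL.sys
2011-12-14 07:43 - 2011-12-14 07:43 - 0000000 __SHD C:\Windows\SysWOW64\%USERPROFILE%
2011-12-11 16:03 - 2011-12-11 09:56 - 0010568 __ASH C:\Users\wrights\Local Settings\n2ee12q3co7aih
2011-12-11 16:03 - 2011-12-11 09:56 - 0010568 __ASH C:\Users\wrights\Local Settings\Application Data\n2ee12q3co7aih
2011-12-11 16:03 - 2011-12-11 09:56 - 0010568 __ASH C:\Users\wrights\AppData\Local\n2ee12q3co7aih
2011-12-11 16:03 - 2011-12-11 09:56 - 0010568 __ASH C:\Users\All Users\n2ee12q3co7aih
2011-12-11 16:03 - 2011-12-11 09:56 - 0010568 __ASH C:\Users\All Users\Application Data\n2ee12q3co7aih
2011-12-11 16:03 - 2011-12-11 09:56 - 0010568 __ASH C:\ProgramData\n2ee12q3co7aih
2011-12-11 14:04 - 2011-12-11 14:04 - 0010474 __ASH C:\Users\All Users\Application Data\1296064230
2011-12-11 14:04 - 2011-12-11 14:04 - 0010474 __ASH C:\ProgramData\1296064230
2011-11-23 14:33 - 2011-11-23 14:29 - 0000112 ____A C:\Users\All Users\7UJ2r4UYR.dat
2011-11-23 14:33 - 2011-11-23 14:29 - 0000112 ____A C:\ProgramData\7UJ2r4UYR.dat
2011-11-23 14:42 - 2011-11-07 17:46 - 9850880 ____A (Malwarebytes Corporation ) C:\Users\Guest\Downloads\mbam-setup-1.51.2.1300.exe
2011-12-05 19:30 - 2011-12-05 19:30 - 0000364 ____A C:\Users\wrights\My Documents\interactive poster.txt
2011-12-05 19:30 - 2011-12-05 19:30 - 0000364 ____A C:\Users\wrights\Documents\interactive poster.txt
"""

# One "modified - created - size attrs [(company)] path" line of the listing.
LINE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)

# Windows 7 compatibility junctions (assumed table). Applied in order; each
# rewrites an alias prefix to the folder it actually points at.
JUNCTIONS = [
    (re.compile(r"^C:\\Users\\All Users\\Application Data\\", re.I), r"C:\\ProgramData\\"),
    (re.compile(r"^C:\\Users\\All Users\\", re.I), r"C:\\ProgramData\\"),
    (re.compile(r"^(C:\\Users\\[^\\]+)\\Local Settings\\Application Data\\", re.I),
     r"\1\\AppData\\Local\\"),
    (re.compile(r"^(C:\\Users\\[^\\]+)\\Local Settings\\", re.I), r"\1\\AppData\\Local\\"),
    (re.compile(r"^(C:\\Users\\[^\\]+)\\Application Data\\", re.I), r"\1\\AppData\\Roaming\\"),
    (re.compile(r"^(C:\\Users\\[^\\]+)\\My Documents\\", re.I), r"\1\\Documents\\"),
]
AT_JOB_RE = re.compile(r"^C:\\Windows\\Tasks\\At\d+\.job$", re.I)
RANDOM_NAME_RE = re.compile(r"^[0-9a-z]{8,}$", re.I)  # letters/digits only, no extension


def canonical(path):
    """Map a junction alias to the real path so one file is counted once."""
    for pattern, replacement in JUNCTIONS:
        path = pattern.sub(replacement, path)
    return path


def parse(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["canonical"] = canonical(e["path"])
            entries.append(e)
    return entries


def classify(entry):
    """Return why a (canonical) entry looks suspicious, or None."""
    path, attrs = entry["canonical"], entry["attrs"]
    parent, name = path.rsplit("\\", 1)
    if AT_JOB_RE.match(path):
        return "at-job"              # hourly scheduler tasks used for persistence
    if any(p.startswith("%") and p.endswith("%") for p in path.split("\\")):
        return "literal-envvar-dir"  # a %VAR% that was never expanded
    staging = parent.lower() == "c:\\programdata" or parent.lower().endswith("\\appdata\\local")
    if staging and "D" not in attrs and "S" in attrs and "H" in attrs and RANDOM_NAME_RE.match(name):
        return "random-hidden-file"  # hidden+system, no extension, random name
    return None


def triage(text):
    """Group aliases of the same file, flag each real file once."""
    groups = defaultdict(list)
    for e in parse(text):
        groups[e["canonical"]].append(e)
    # The creation minute shared by the At<N>.job tasks is a pivot for other drops.
    job_created = {g[0]["created"] for c, g in groups.items() if AT_JOB_RE.match(c)}
    findings = {}
    for canon, group in groups.items():
        reason = classify(group[0])
        if reason is None and group[0]["created"] in job_created:
            reason = "created-with-at-jobs"
        if reason:
            findings[canon] = {"reason": reason, "aliases": len(group),
                               "attrs": group[0]["attrs"], "created": group[0]["created"]}
    return findings


if __name__ == "__main__":
    for path, info in sorted(triage(SAMPLE).items()):
        print(f"{info['reason']:22} x{info['aliases']} {info['attrs']} {path}")
```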
#7 JSntgRvr (Master Surgeon General, Malware Response Team, Puerto Rico)

Posted 31 December 2011 - 04:08 PM

Download the enclosed file.

Save it in the flash drive.

Run FRST as you did before, except that this time around click on the fix button and wait.

The tool will make a log in the flash drive (Fixlog.txt). Please post it in your reply.

Attempt to boot in Normal Mode. If successful, run Combofix as follows:


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremover.com/supported-applications. Do not use AppRemover on Norton.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#8 big0 (Topic Starter, Members)

Posted 31 December 2011 - 05:35 PM

Below is the fix log. I could not restart normally. I received the same error stop code(s). How should I proceed?

Fix result of Farbars's Recovery Tool (FRST written by farbar Version 2.3.1)
Ran by SYSTEM at 2011-12-31 17:29:11 R:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
C:\Users\wrights\Local Settings\Application Data\157850g1p046c522p184r5dtv4q8 moved successfully.
C:\Users\wrights\Local Settings\157850g1p046c522p184r5dtv4q8 not found.
C:\Users\wrights\AppData\Local\157850g1p046c522p184r5dtv4q8 not found.
C:\Users\All Users\Application Data\157850g1p046c522p184r5dtv4q8 moved successfully.
C:\Users\All Users\157850g1p046c522p184r5dtv4q8 not found.
C:\ProgramData\157850g1p046c522p184r5dtv4q8 not found.
C:\Windows\Tasks\At8.job moved successfully.
C:\Windows\Tasks\At6.job moved successfully.
C:\Windows\Tasks\At16.job moved successfully.
C:\Windows\Tasks\At14.job moved successfully.
C:\Windows\Tasks\At12.job moved successfully.
C:\Windows\Tasks\At10.job moved successfully.
C:\Windows\Tasks\At9.job moved successfully.
C:\Windows\Tasks\At7.job moved successfully.
C:\Windows\Tasks\At5.job moved successfully.
C:\Windows\Tasks\At15.job moved successfully.
C:\Windows\Tasks\At13.job moved successfully.
C:\Windows\Tasks\At11.job moved successfully.
C:\Windows\Tasks\At4.job moved successfully.
C:\Windows\Tasks\At2.job moved successfully.
C:\Windows\Tasks\At3.job moved successfully.
C:\Windows\Tasks\At1.job moved successfully.
C:\Windows\Tasks\At18.job moved successfully.
C:\Windows\Tasks\At17.job moved successfully.
C:\Windows\Tasks\At48.job moved successfully.
C:\Windows\Tasks\At47.job moved successfully.
C:\Users\All Users\Application Data\1296064230 moved successfully.
C:\Users\All Users\1296064230 not found.
C:\ProgramData\1296064230 not found.
C:\Users\wrights\Local Settings\n2ee12q3co7aih moved successfully.
C:\Users\wrights\Local Settings\Application Data\n2ee12q3co7aih not found.
C:\Users\wrights\AppData\Local\n2ee12q3co7aih not found.
C:\Users\All Users\n2ee12q3co7aih moved successfully.
C:\Users\All Users\Application Data\n2ee12q3co7aih not found.
C:\ProgramData\n2ee12q3co7aih not found.
C:\Windows\Tasks\At34.job moved successfully.
C:\Windows\Tasks\At33.job moved successfully.
C:\Windows\Tasks\At36.job moved successfully.
C:\Windows\Tasks\At35.job moved successfully.
C:\Windows\Tasks\At42.job moved successfully.
C:\Windows\Tasks\At41.job moved successfully.
C:\Windows\Tasks\At38.job moved successfully.
C:\Windows\Tasks\At37.job moved successfully.
C:\Windows\Tasks\At32.job moved successfully.
C:\Windows\Tasks\At31.job moved successfully.
C:\Windows\Tasks\At30.job moved successfully.
C:\Windows\Tasks\At29.job moved successfully.
C:\Windows\Tasks\At28.job moved successfully.
C:\Windows\Tasks\At27.job moved successfully.
C:\Windows\Tasks\At26.job moved successfully.
C:\Windows\Tasks\At25.job moved successfully.
C:\Windows\Tasks\At24.job moved successfully.
C:\Windows\Tasks\At23.job moved successfully.
C:\Windows\Tasks\At22.job moved successfully.
C:\Windows\Tasks\At21.job moved successfully.
C:\Windows\Tasks\At20.job moved successfully.
C:\Windows\Tasks\At19.job moved successfully.
C:\Users\wrights\Application Data\fBtxP0ycSiDoFaH moved successfully.
C:\Users\wrights\AppData\Roaming\fBtxP0ycSiDoFaH not found.
C:\Users\wrights\Application Data\DWK8fRL9hXjCkBz moved successfully.
C:\Users\wrights\AppData\Roaming\DWK8fRL9hXjCkBz not found.
C:\Users\wrights\Application Data\LrzzONyxAuvSiF moved successfully.
C:\Users\wrights\AppData\Roaming\LrzzONyxAuvSiF not found.

==== End of Fixlog ====

#9 JSntgRvr (Master Surgeon General, Malware Response Team, Puerto Rico)

Posted 31 December 2011 - 08:29 PM

Download MBRFix from here.

Save and extract its contents to the working computer's desktop. There are three files in the MBRFix folder. From these, only copy the MBRFix64.exe to the USB drive.

Also download the enclosed file and save it in the USB drive.

Insert the USB drive into the ailing computer.

Now please enter System Recovery Options and run FRST64 as you did before, except that this time around, press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt). It will also create a file labeled MBRDUMP.txt. Copy and paste the contents of the Fixlog.txt in your next reply, but attach the MBRDUMP.txt as it is a hex file.



#10 big0 (Topic Starter, Members)

Posted 31 December 2011 - 09:17 PM

Fix result of Farbars's Recovery Tool (FRST written by farbar Version 2.3.1)
Ran by SYSTEM at 2011-12-31 21:13:35 R:2
Running from G:\

==============================================


========= G:\MbrFix64 /drive 0 savembr G:\MBRDUMP.txt =========


========= End of CMD: =========


==== End of Fixlog ====

Attached Files



#11 JSntgRvr (Master Surgeon General, Malware Response Team, Puerto Rico)

Posted 01 January 2012 - 12:46 AM

The boot sector is in place. Let's check the Boot Configuration Data (BCD).

Download the enclosed file.

Save it in the USB drive overwriting the existing one.

Insert the USB drive into the ailing computer.

Now please enter System Recovery Options and run FRST64 as you did before, except that this time around, press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt). Copy and paste the contents of the Fixlog.txt in your next reply.



#12 big0 (Topic Starter, Members)

Posted 01 January 2012 - 08:24 AM

Fix result of Farbars's Recovery Tool (FRST written by farbar Version 2.3.1)
Ran by SYSTEM at 2012-01-01 08:22:36 R:3
Running from G:\

==============================================


========= bcdedit /enum all /v =========


Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=D:
description Windows Boot Manager
locale en-us
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {2ebb911a-ee3b-11df-8b62-bc61f9903a96}
resumeobject {2ebb9119-ee3b-11df-8b62-bc61f9903a96}
displayorder {2ebb911a-ee3b-11df-8b62-bc61f9903a96}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30

Windows Boot Loader
-------------------
identifier {2ebb911a-ee3b-11df-8b62-bc61f9903a96}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-us
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {2ebb911b-ee3b-11df-8b62-bc61f9903a96}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {2ebb9119-ee3b-11df-8b62-bc61f9903a96}
nx OptIn

Windows Boot Loader
-------------------
identifier {2ebb911b-ee3b-11df-8b62-bc61f9903a96}
device ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{2ebb911c-ee3b-11df-8b62-bc61f9903a96}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{2ebb911c-ee3b-11df-8b62-bc61f9903a96}
systemroot \windows
nx OptIn
winpe Yes
custom:46000010 Yes

Resume from Hibernate
---------------------
identifier {2ebb9119-ee3b-11df-8b62-bc61f9903a96}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice partition=C:
filepath \hiberfil.sys
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
device partition=D:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess Yes

EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
custom:26000022 Yes

Debugger Settings
-----------------
identifier {4636856e-540f-4170-a130-a84776f4c654}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
{5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings
--------------------
identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
{7ff607e0-4395-11db-b0de-0800200c9a66}

Hypervisor Settings
-------------------
identifier {7ff607e0-4395-11db-b0de-0800200c9a66}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Device options
--------------
identifier {2ebb911c-ee3b-11df-8b62-bc61f9903a96}
description Ramdisk Options
ramdisksdidevice partition=D:
ramdisksdipath \Recovery\WindowsRE\boot.sdi

========= End of CMD: =========


==== End of Fixlog ====

#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 01 January 2012 - 01:44 PM

Let's try this fix.

Download the enclosed file.

Save it in the USB drive overwriting the existing one.

Insert the USB drive into the ailing computer.

Now please enter System Recovery Options and run FRST64 as you did before, except that this time around, press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt). Copy and paste the contents of Fixlog.txt in your next reply.

If successful, attempt to boot in Normal mode. If able to do so, run Combofix as suggested.




#14 big0

big0
  • Topic Starter

  • Members
  • 53 posts

Posted 01 January 2012 - 03:51 PM

Here's the last fixlog. Happy to say I'm logged in! I'll be running combofix and send it to you shortly.

Fix result of Farbars's Recovery Tool (FRST written by farbar Version 2.3.1)
Ran by SYSTEM at 2012-01-01 15:23:57 R:4
Running from G:\

==============================================


========= bcdedit /deletevalue {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9} custom:26000022 =========

The operation completed successfully.

========= End of CMD: =========


==== End of Fixlog ====
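As an added example (not a tool from this thread, from FRST, or from the helper), here is a small Python parser for a `bcdedit /enum all /v` dump like the one posted above. It collects each BCD object's elements, flags any element that bcdedit printed as `custom:...` because it has no friendly name for it, decodes that element's datatype nibbles using the standard BCD datatype layout (class in bits 28-31, value format in bits 24-27, which the thread itself does not describe), and produces the same `/deletevalue` command the successful fix used. The dump is a constructed two-object excerpt of the one posted in this thread.

```python
# Constructed excerpt (two objects) of the bcdedit /enum all /v dump posted above.
BCD_DUMP = """\
EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
custom:26000022 Yes

Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
{5189b25c-5558-4bf2-bca4-289b11bd29e2}
"""

# BCD element datatypes: bits 28-31 give the class, bits 24-27 the value format.
CLASSES = {1: "library", 2: "application", 3: "device"}
FORMATS = {1: "device", 2: "string", 3: "object", 4: "object list",
           5: "integer", 6: "boolean", 7: "integer list"}

def parse_bcd(text):
    """Return {object title: {element: value}}; a title is a line underlined with dashes."""
    lines, objects, title, last = text.splitlines(), {}, None, None
    for i, line in enumerate(lines):
        line = line.rstrip()
        if not line or set(line) == {"-"}:
            continue
        if i + 1 < len(lines) and set(lines[i + 1].rstrip()) == {"-"}:
            title = line
            objects[title] = {}
            continue
        if line.startswith("{") and last:  # wrapped continuation of an object list
            objects[title][last] += " " + line
            continue
        last, _, value = line.partition(" ")
        objects[title][last] = value
    return objects

def decode_custom(element):
    """Split 'custom:26000022' into (class, format, subtype) from its datatype nibbles."""
    n = int(element.split(":")[1], 16)
    return CLASSES.get(n >> 28, "other"), FORMATS.get((n >> 24) & 0xF, "other"), n & 0xFFFFFF

def find_custom_elements(objects):
    """Elements bcdedit could not name, with the /deletevalue command that removes each."""
    return [(t, e["identifier"], k, f"bcdedit /deletevalue {e['identifier']} {k}")
            for t, e in objects.items() for k in e if k.startswith("custom:")]
```

Run against the full dump from the thread, it reports both `custom:26000022` in the EMS Settings object (the one the fix removed) and `custom:46000010` in the WinRE loader entry, so a hit is a prompt to look at the element, not proof of tampering.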

#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 01 January 2012 - 04:42 PM

:thumbup2:
