
BSOD


  • This topic is locked
35 replies to this topic

#1 goldenchild

Posted 06 January 2012 - 08:27 AM

Hello, I have been working on an HP Pavilion dv5-1002nr Entertainment Notebook PC for the last few days because I believe it had a virus on it. I had issues logging online but was able to get that fixed. I updated Malwarebytes and found some trojans. I downloaded Avast Free, updated it, ran it and found a rootkit. I opted to delete it. I had to reboot in order for the action to take place. When I rebooted the system I got a BSOD stating: stop: c0000021a {fatal system error} The non-dll files included in knowndll list. System process terminated unexpectedly with a status 0xc000036f (0xa15c1848 0x00000000). The system has been shut down.

This is a 32 bit system running on Vista service pack 1.

Thank you in advance for your assistance.

Edited by hamluis, 06 January 2012 - 09:12 AM.
Moved from Vista to Am I Infected.

Golden Lucks "Gifted and Talented"


#2 Allan (BC Advisor)

Posted 06 January 2012 - 08:29 AM

Please post in the Am I Infected forum.

#3 AustrAlien

Posted 06 January 2012 - 08:39 AM

Are you able to load Windows at all, either normally or in Safe Mode?
AustrAlien
Google is my friend. Make Google your friend too.


#4 goldenchild (Topic Starter)

Posted 06 January 2012 - 09:13 AM

Sorry for posting in the wrong section. I never know which is which. Anywho, I am not able to load in Safe Mode, nor am I able to go to Last Known Good Configuration. Whenever I attempt to do so it starts to load, then goes to a BSOD.

#5 AustrAlien

Posted 06 January 2012 - 09:22 AM

No, you haven't posted in the "wrong" forum: no need to post elsewhere.

If you can't load Windows normally, nor in Safe Mode, and LKGC doesn't work either ... then you have an "unbootable" system. I will request some expert assistance for you, and they will reply in this topic when they are available.

Please sit tight and be patient.

I will request that an experienced helper who specialises in malware-related un-bootable computers respond to your topic.

Thank you.

#6 goldenchild (Topic Starter)

Posted 06 January 2012 - 09:45 AM

Thank you very much. I really appreciate your assistance.

#7 AustrAlien

Posted 06 January 2012 - 09:47 AM

No worries: The request for assistance has been made. It's just a matter of waiting now.

#8 Elise (Malware Study Hall Admin)

Posted 07 January 2012 - 08:51 AM

Hello, do you have your Vista DVD at hand?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#9 goldenchild (Topic Starter)

Posted 07 January 2012 - 11:28 AM

Unfortunately, no. This is a friend's computer I'm trying to clean.

#10 Elise (Malware Study Hall Admin)

Posted 07 January 2012 - 12:00 PM

Please start the computer and tap F8 until the advanced boot options menu comes up. Do you see the Repair Windows option?

regards, Elise



#11 goldenchild (Topic Starter)

Posted 07 January 2012 - 12:05 PM

Yes, I have the repair option.

#12 Elise (Malware Study Hall Admin)

Posted 07 January 2012 - 12:12 PM

Please run the following scan.

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

regards, Elise


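The FRST.txt log this procedure produces is plain text in fixed "=== Section ===" blocks, and a helper reads it by looking for entries whose file is missing ([x]), services or drivers with no vendor information (empty parentheses), and driver files created shortly before the scan. The following triage parser is an added example, not FRST's own code and not part of this thread; its SAMPLE_LOG is a constructed excerpt in the format of the log posted later in this thread plus one made-up entry, and the 30-day window and finding labels are the example's own choices.

```python
"""Triage parser for FRST.txt logs (added example, not FRST's own code; SAMPLE_LOG is constructed)."""
import re
from datetime import datetime, timedelta

SECTION_RE = re.compile(r"^=+\s*(?P<title>.*?)\s*=+$")
SCAN_TIME_RE = re.compile(r"^Ran by .* at (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# HKLM\...\Run: [Name] <command> [size date] (Company)   or   [x] when the file is missing
RUN_RE = re.compile(r"^(?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<rest>.*)$")
# <start type> Name; <path> [size date] (Company)   or   [x]
SVC_RE = re.compile(r"^(?P<start>[0-4]) (?P<name>[^;]+); (?P<rest>.*)$")
TAIL_RE = re.compile(r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\]\s*\((?P<company>[^)]*)\)\s*$")
# <created> - <modified> - <size> <attrs> [(Company)] <path>
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"\d+ [_A-Z]+ (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$")
KINDS = {"Services (Whitelisted)": "service", "Drivers (Whitelisted)": "driver"}


def split_sections(text):
    """Group non-empty lines under the section header that precedes them."""
    sections, current = {"Header": []}, "Header"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m and m.group("title"):
            current = m.group("title")
            sections[current] = []
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_tail(rest):
    """Split the tail of a Run/service/driver line into (path, company, missing)."""
    rest = rest.strip()
    if rest.endswith("[x]"):          # FRST marks a file it could not find with [x]
        return rest[:-3].strip(), None, True
    m = TAIL_RE.search(rest)
    if not m:                          # unknown layout: keep the raw text, flag nothing
        return rest, None, False
    return rest[:m.start()].strip(), m.group("company"), False


def triage(text, recent_days=30):
    """Return (label, detail) tuples for entries worth a closer look."""
    sections = split_sections(text)
    scan_time = None
    for line in sections["Header"]:
        m = SCAN_TIME_RE.match(line)
        if m:
            scan_time = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    findings = []
    for line in sections.get("Registry (Whitelisted)", []):
        m = RUN_RE.match(line)
        if m and parse_tail(m.group("rest"))[2]:
            # Orphaned autostart: the registry value survived but its target is gone
            findings.append(("orphaned autostart", f"{m.group('hive')} Run [{m.group('name')}]"))
    for title, kind in KINDS.items():
        for line in sections.get(title, []):
            m = SVC_RE.match(line)
            if not m:
                continue
            _, company, missing = parse_tail(m.group("rest"))
            if missing:
                findings.append((f"{kind} with missing file", m.group("name")))
            elif company == "":
                # Empty parentheses: the binary carries no vendor/version information
                findings.append((f"{kind} without version info", m.group("name")))
    for line in sections.get("One Month Created Files and Folders", []):
        m = FILE_RE.match(line)
        if not m or scan_time is None:
            continue
        path = m.group("path")
        if "\\drivers\\" in path.lower() and path.lower().endswith(".sys"):
            created = datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M")
            if scan_time - created <= timedelta(days=recent_days):
                findings.append(("driver file created recently",
                                 f"{path} ({m.group('company') or 'no company'})"))
    return findings


# Constructed excerpt in the FRST 2.x format; example_old.sys is made up and lies outside the window.
SAMPLE_LOG = r"""Scan result of Farbar Recovery Scan Tool (FRST) Version 2.3.2
Ran by SYSTEM at 2012-01-07 12:48:24
========================== Registry (Whitelisted) =============
HKLM\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [3744552 2011-11-28] (AVAST Software)
HKU\Leaf\...\Run: [Aim6] [x]
================================ Services (Whitelisted) ==================
2 QPCapSvc; "C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe" [292248 2008-05-14] ()
2 HP Health Check Service; "c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [x]
========================== Drivers (Whitelisted) =============
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [314456 2011-11-28] (AVAST Software)
1 eabfiltr; [x]
============ One Month Created Files and Folders ==============
2012-01-05 19:09 - 2011-11-28 09:53 - 0314456 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-01-04 10:17 - 2011-12-10 12:24 - 0020464 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2011-12-01 08:00 - 2011-12-01 08:00 - 0012345 ____A C:\Windows\System32\Drivers\example_old.sys
"""

if __name__ == "__main__":
    for label, detail in triage(SAMPLE_LOG):
        print(f"{label:30} {detail}")
```

A flagged entry is a starting point for review, not a verdict: the avast and Malwarebytes drivers above are flagged only because they were installed days before the scan.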

#13 goldenchild (Topic Starter)

Posted 07 January 2012 - 12:49 PM

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.3.2
Ran by SYSTEM at 2012-01-07 12:48:24
Running from F:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe [x]
HKLM\...\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe [x]
HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0" [222504 2007-12-24] (CyberLink Corp.)
HKLM\...\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe [442433 2008-04-16] (IDT, Inc.)
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1033512 2008-01-17] (Synaptics, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" [149280 2010-03-19] (Sun Microsystems, Inc.)
HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [61440 2008-01-21] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM\...\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" [468264 2008-05-14] (CyberLink Corp.)
HKLM\...\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [202032 2008-03-14] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe [554288 2007-11-01] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421160 2011-04-26] (Apple Inc.)
HKLM\...\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [488752 2007-11-20] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [80896 2008-06-01] (Hewlett-Packard)
HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
HKLM\...\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [70912 2008-04-15] (Hewlett-Packard)
HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [58656 2011-04-20] (Apple Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40048 2007-05-11] (Adobe Systems Incorporated)
HKLM\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [3744552 2011-11-28] (AVAST Software)
HKU\Default\...\Run: [ooVoo.exe] C:\Program Files\ooVoo\ooVoo.exe /minimized [18784440 2010-02-10] (ooVoo LLC)
HKU\Default User\...\Run: [ooVoo.exe] C:\Program Files\ooVoo\ooVoo.exe /minimized [18784440 2010-02-10] (ooVoo LLC)
HKU\Leaf\...\Run: [Aim6] [x]
HKU\Leaf\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\Leaf\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized [23975720 2009-01-29] (Skype Technologies S.A.)
HKU\Leaf\...\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2289664 2008-02-26] (Hewlett-Packard Company)
HKU\Leaf\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKU\Leaf\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [8704 2006-11-02] (Microsoft Corporation)
HKU\Default\...\Run: [ooVoo.exe] C:\Program Files\ooVoo\ooVoo.exe /minimized [18784440 2010-02-10] (ooVoo LLC)
HKU\Default User\...\Run: [ooVoo.exe] C:\Program Files\ooVoo\ooVoo.exe /minimized [18784440 2010-02-10] (ooVoo LLC)
HKU\Leaf\...\Run: [Aim6] [x]
HKU\Leaf\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\Leaf\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized [23975720 2009-01-29] (Skype Technologies S.A.)
HKU\Leaf\...\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2289664 2008-02-26] (Hewlett-Packard Company)
HKU\Leaf\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKU\Leaf\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [8704 2006-11-02] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

================================ Services (Whitelisted) ==================

2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f691e717\aestsrv.exe [73728 2008-02-11] (Andrea Electronics Corporation)
2 AgereModemAudio; C:\Windows\system32\agrsmsvc.exe [12800 2007-12-11] (Agere Systems)
2 Ati External Event Utility; C:\Windows\System32\Ati2evxx.exe [667648 2008-03-28] (ATI Technologies Inc.)
2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44768 2011-11-28] (AVAST Software)
3 GameConsoleService; "C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe" [181784 2007-12-04] (WildTangent, Inc.)
2 hpsrv; C:\Windows\System32\Hpservice.exe [19456 2008-03-18] (Hewlett-Packard Corporation)
2 NSL; "C:\Program Files\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe" /s "NSL" /m "C:\Program Files\Norton Safe Web Lite\Engine\2.0.0.16\diMaster.dll" /prefetch:1 [303544 2011-10-11] (Symantec Corporation)
2 QPCapSvc; "C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe" [292248 2008-05-14] ()
2 QPSched; "C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe" [116112 2008-05-14] ()
2 RapiMgr; C:\Windows\WindowsMobile\rapimgr.dll [183688 2007-05-31] (Microsoft Corporation)
2 Recovery Service for Windows; C:\Windows\SMINST\BLService.exe [341328 2008-03-26] ()
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f691e717\STacSV.exe [221239 2008-04-16] (IDT, Inc.)
2 Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [24652 2007-01-04] (Viewpoint Corporation)
2 WcesComm; C:\Windows\WindowsMobile\wcescomm.dll [379784 2007-05-31] (Microsoft Corporation)
2 HP Health Check Service; "c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [x]

========================== Drivers (Whitelisted) =============

3 Accelerometer; C:\Windows\System32\DRIVERS\Accelerometer.sys [34664 2008-03-27] (Hewlett-Packard Corporation)
3 AgereSoftModem; C:\Windows\System32\DRIVERS\AGRSM.sys [1202560 2008-02-29] (Agere Systems)
0 ahcix86s; C:\Windows\System32\DRIVERS\ahcix86s.sys [170000 2008-04-14] (AMD Technologies Inc.)
0 Amddfltr; C:\Windows\System32\DRIVERS\Amddfltr.sys [15416 2008-01-07] (Advanced Micro Devices)
2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [20568 2011-11-28] (AVAST Software)
2 aswMonFlt; \??\C:\Windows\system32\drivers\aswMonFlt.sys [55128 2011-11-28] (AVAST Software)
1 aswRdr; C:\Windows\System32\Drivers\aswRdr.sys [34392 2011-11-28] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [435032 2011-11-28] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [314456 2011-11-28] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [52952 2011-11-28] (AVAST Software)
3 atikmdag; C:\Windows\System32\DRIVERS\atikmdag.sys [3544064 2008-03-28] (ATI Technologies Inc.)
0 AtiPcie; C:\Windows\System32\DRIVERS\AtiPcie.sys [7680 2006-10-29] (ATI Technologies Inc.)
3 BCM43XV; C:\Windows\System32\DRIVERS\bcmwl6.sys [464384 2006-11-01] (Broadcom Corporation)
1 ccSet_NST; C:\Windows\System32\drivers\NST\0200000.010\ccSetx86.sys [132744 2011-08-08] (Symantec Corporation)
3 enecir; C:\Windows\System32\DRIVERS\enecir.sys [52736 2008-01-23] (ENE TECHNOLOGY INC.)
0 hpdskflt; C:\Windows\System32\DRIVERS\hpdskflt.sys [24424 2008-03-27] (Hewlett-Packard Corporation)
3 HpqRemHid; C:\Windows\System32\DRIVERS\HpqRemHid.sys [7168 2007-07-11] (Hewlett-Packard Development Company, L.P.)
3 HSFHWAZL; C:\Windows\System32\DRIVERS\VSTAZL3.SYS [200704 2008-01-20] (Conexant Systems, Inc.)
3 HSF_DPV; C:\Windows\System32\DRIVERS\VSTDPV3.SYS [987648 2008-01-20] (Conexant Systems, Inc.)
0 Mraid35x; C:\Windows\System32\drivers\mraid35x.sys [33384 2006-11-02] (LSI Logic Corporation)
3 NVENETFD; C:\Windows\System32\DRIVERS\nvm60x32.sys [429056 2006-11-01] (NVIDIA Corporation)
3 RTL8169; C:\Windows\System32\DRIVERS\Rtlh86.sys [118784 2008-04-14] (Realtek Corporation )
3 RTSTOR; C:\Windows\System32\drivers\RTSTOR.SYS [62976 2008-04-21] (Realtek Semiconductor Corp.)
0 SiSRaid2; C:\Windows\System32\drivers\sisraid2.sys [41016 2008-01-20] (Microsoft Corporation)
0 UlSata; C:\Windows\System32\drivers\ulsata.sys [98408 2006-11-02] (Promise Technology, Inc.)
0 ulsata2; C:\Windows\System32\drivers\ulsata2.sys [115816 2008-01-20] (Promise Technology, Inc.)
3 usb_rndisx; C:\Windows\System32\DRIVERS\usb8023x.sys [15872 2008-01-20] (Microsoft Corporation)
3 winachsf; C:\Windows\System32\DRIVERS\VSTCNXT3.SYS [654336 2008-01-20] (Conexant Systems, Inc.)
1 eabfiltr; [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 UIUSys; C:\Windows\System32\DRIVERS\UIUSYS.SYS [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-01-06 05:20 - 2012-01-06 05:20 - 0496136 ____A C:\Windows\ntbtlog.txt
2012-01-05 19:39 - 2012-01-06 00:38 - 0554456 ____A C:\Windows\PFRO.log
2012-01-05 19:31 - 2012-01-05 19:31 - 0000000 ____D C:\Windows\System32\Drivers\NST
2012-01-05 19:31 - 2012-01-05 19:31 - 0000000 ____D C:\Program Files\Norton Safe Web Lite
2012-01-05 19:24 - 2012-01-05 19:24 - 0117312 ____A C:\Users\Leaf\My Documents\registry backup.reg
2012-01-05 19:24 - 2012-01-05 19:24 - 0117312 ____A C:\Users\Leaf\Documents\registry backup.reg
2012-01-05 19:24 - 2012-01-05 19:24 - 0117312 ____A C:\Documents and Settings\Leaf\My Documents\registry backup.reg
2012-01-05 19:24 - 2012-01-05 19:24 - 0117312 ____A C:\Documents and Settings\Leaf\Documents\registry backup.reg
2012-01-05 19:10 - 2012-01-05 19:10 - 0001971 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-01-05 19:10 - 2012-01-05 19:10 - 0001971 ____A C:\Users\All Users\Desktop\Google Chrome.lnk
2012-01-05 19:10 - 2012-01-05 19:10 - 0001971 ____A C:\Documents and Settings\Public\Desktop\Google Chrome.lnk
2012-01-05 19:10 - 2012-01-05 19:10 - 0001971 ____A C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2012-01-05 19:09 - 2012-01-05 19:09 - 0001829 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-01-05 19:09 - 2012-01-05 19:09 - 0001829 ____A C:\Users\All Users\Desktop\avast! Free Antivirus.lnk
2012-01-05 19:09 - 2012-01-05 19:09 - 0001829 ____A C:\Documents and Settings\Public\Desktop\avast! Free Antivirus.lnk
2012-01-05 19:09 - 2012-01-05 19:09 - 0001829 ____A C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
2012-01-05 19:09 - 2011-11-28 09:53 - 0435032 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-01-05 19:09 - 2011-11-28 09:53 - 0314456 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-01-05 19:09 - 2011-11-28 09:52 - 0055128 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-01-05 19:09 - 2011-11-28 09:52 - 0052952 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-01-05 19:09 - 2011-11-28 09:52 - 0034392 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
2012-01-05 19:09 - 2011-11-28 09:51 - 0020568 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-01-05 19:08 - 2011-11-28 10:01 - 0199816 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-01-05 19:08 - 2011-11-28 10:01 - 0041184 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-01-05 19:07 - 2012-01-05 19:07 - 0000000 ____D C:\Users\All Users\AVAST Software
2012-01-05 19:07 - 2012-01-05 19:07 - 0000000 ____D C:\Users\All Users\Application Data\AVAST Software
2012-01-05 19:07 - 2012-01-05 19:07 - 0000000 ____D C:\ProgramData\AVAST Software
2012-01-05 19:07 - 2012-01-05 19:07 - 0000000 ____D C:\Program Files\AVAST Software
2012-01-05 19:07 - 2012-01-05 19:07 - 0000000 ____D C:\Documents and Settings\All Users\AVAST Software
2012-01-05 19:07 - 2012-01-05 19:07 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\AVAST Software
2012-01-05 19:00 - 2011-07-06 06:56 - 0213504 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\mrxsmb10.sys
2012-01-05 19:00 - 2011-06-02 04:59 - 2042368 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-01-05 19:00 - 2011-05-27 22:08 - 1211904 ____A C:\Windows\System32\urlmon.dll
2012-01-05 19:00 - 2011-05-27 22:08 - 0916480 ____A C:\Windows\System32\wininet.dll
2012-01-05 19:00 - 2011-05-27 22:07 - 0206848 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-01-05 19:00 - 2011-05-27 22:05 - 0611840 ____A C:\Windows\System32\mstime.dll
2012-01-05 19:00 - 2011-05-27 22:04 - 5964800 ____A C:\Windows\System32\mshtml.dll
2012-01-05 19:00 - 2011-05-27 22:04 - 1991680 ____A C:\Windows\System32\iertutil.dll
2012-01-05 19:00 - 2011-05-27 22:04 - 1469440 ____A C:\Windows\System32\inetcpl.cpl
2012-01-05 19:00 - 2011-05-27 22:04 - 11081728 ____A C:\Windows\System32\ieframe.dll
2012-01-05 19:00 - 2011-05-27 22:04 - 0602112 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-01-05 19:00 - 2011-05-27 22:04 - 0184320 ____A C:\Windows\System32\iepeers.dll
2012-01-05 19:00 - 2011-05-27 22:04 - 0164352 ____A C:\Windows\System32\ieui.dll
2012-01-05 19:00 - 2011-05-27 22:04 - 0109056 ____A C:\Windows\System32\iesysprep.dll
2012-01-05 19:00 - 2011-05-27 22:04 - 0071680 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2012-01-05 19:00 - 2011-05-27 22:04 - 0066560 ____A C:\Windows\System32\mshtmled.dll
2012-01-05 19:00 - 2011-05-27 22:04 - 0055808 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2012-01-05 19:00 - 2011-05-27 22:04 - 0055296 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-01-05 19:00 - 2011-05-27 22:04 - 0043520 ____A C:\Windows\System32\licmgr10.dll
2012-01-05 19:00 - 2011-05-27 22:04 - 0025600 ____A C:\Windows\System32\jsproxy.dll
2012-01-05 19:00 - 2011-05-27 22:03 - 0387584 ____A C:\Windows\System32\iedkcs32.dll
2012-01-05 19:00 - 2011-05-27 21:10 - 0385024 ____A C:\Windows\System32\html.iec
2012-01-05 19:00 - 2011-05-27 20:33 - 0133632 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-01-05 19:00 - 2011-05-27 20:32 - 0173568 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-01-05 19:00 - 2011-05-27 20:32 - 0013312 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-01-05 19:00 - 2011-05-27 20:31 - 1638912 ____A C:\Windows\System32\mshtml.tlb
2012-01-05 19:00 - 2011-05-02 07:58 - 0738816 ____A (Microsoft Corporation) C:\Windows\System32\inetcomm.dll
2012-01-05 19:00 - 2011-04-29 04:49 - 0146432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\srv2.sys
2012-01-05 19:00 - 2011-04-29 04:49 - 0105984 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\mrxsmb.sys
2012-01-05 19:00 - 2011-04-29 04:49 - 0102400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\srvnet.sys
2012-01-05 19:00 - 2011-04-29 04:49 - 0079360 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\mrxsmb20.sys
2012-01-05 19:00 - 2011-04-21 05:16 - 0273408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\afd.sys
2012-01-05 19:00 - 2011-04-14 06:24 - 0075264 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dfsc.sys
2012-01-05 19:00 - 2011-04-12 06:53 - 0890368 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2012-01-05 19:00 - 2010-12-20 07:39 - 0563200 ____A (Microsoft Corporation) C:\Windows\System32\oleaut32.dll
2012-01-05 18:59 - 2011-04-20 06:47 - 0375808 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2012-01-05 18:59 - 2011-04-20 06:44 - 0049152 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2012-01-05 17:19 - 2011-04-29 06:54 - 0276992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-01-05 17:11 - 2012-01-05 17:11 - 0000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-01-05 17:11 - 2012-01-05 17:11 - 0000906 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-01-05 17:11 - 2012-01-05 17:11 - 0000906 ____A C:\Documents and Settings\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-01-05 17:11 - 2012-01-05 17:11 - 0000906 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-01-05 12:09 - 2010-01-23 15:02 - 0001889 ____A C:\Users\Leaf\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
2012-01-05 12:09 - 2010-01-23 15:02 - 0001889 ____A C:\Users\Leaf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
2012-01-05 12:09 - 2010-01-23 15:02 - 0001889 ____A C:\Documents and Settings\Leaf\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
2012-01-05 12:09 - 2010-01-23 15:02 - 0001889 ____A C:\Documents and Settings\Leaf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
2012-01-05 12:09 - 2008-08-19 08:10 - 0001111 ____A C:\Users\Leaf\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
2012-01-05 12:09 - 2008-08-19 08:10 - 0001111 ____A C:\Users\Leaf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
2012-01-05 12:09 - 2008-08-19 08:10 - 0001111 ____A C:\Documents and Settings\Leaf\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
2012-01-05 12:09 - 2008-08-19 08:10 - 0001111 ____A C:\Documents and Settings\Leaf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
2012-01-04 12:16 - 2012-01-04 12:17 - 0001905 ____A C:\Windows\diagwrn.xml
2012-01-04 12:16 - 2012-01-04 12:17 - 0001905 ____A C:\Windows\diagerr.xml
2012-01-04 10:30 - 2012-01-04 21:03 - 0000000 ____D C:\bd_logs
2012-01-04 10:17 - 2012-01-05 17:11 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-01-04 10:17 - 2012-01-04 10:17 - 0000000 ____D C:\Users\Leaf\Application Data\Malwarebytes
2012-01-04 10:17 - 2012-01-04 10:17 - 0000000 ____D C:\Users\Leaf\AppData\Roaming\Malwarebytes
2012-01-04 10:17 - 2012-01-04 10:17 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-01-04 10:17 - 2012-01-04 10:17 - 0000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2012-01-04 10:17 - 2012-01-04 10:17 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-01-04 10:17 - 2012-01-04 10:17 - 0000000 ____D C:\Documents and Settings\Leaf\Application Data\Malwarebytes
2012-01-04 10:17 - 2012-01-04 10:17 - 0000000 ____D C:\Documents and Settings\Leaf\AppData\Roaming\Malwarebytes
2012-01-04 10:17 - 2012-01-04 10:17 - 0000000 ____D C:\Documents and Settings\All Users\Malwarebytes
2012-01-04 10:17 - 2012-01-04 10:17 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2012-01-04 10:17 - 2011-12-10 12:24 - 0020464 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-01-04 06:26 - 2012-01-05 12:09 - 0000000 ____D C:\Windows\pss


============ 3 Months Modified Files and Folders ===============

2012-01-07 12:48 - 2012-01-07 12:48 - 0000000 ____D C:\FRST
2012-01-06 05:20 - 2012-01-06 05:20 - 0496136 ____A C:\Windows\ntbtlog.txt
2012-01-06 02:59 - 2008-07-30 06:30 - 1940471 ____A C:\Windows\WindowsUpdate.log
2012-01-06 02:59 - 2006-11-02 05:01 - 0032592 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-01-06 02:59 - 2006-11-02 05:01 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-01-06 02:59 - 2006-11-02 04:47 - 0003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-01-06 02:59 - 2006-11-02 04:47 - 0003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-01-06 02:15 - 2011-04-08 17:59 - 0000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-01-06 02:15 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\Microsoft.NET
2012-01-06 00:47 - 2006-11-02 02:33 - 0703388 ____A C:\Windows\System32\PerfStringBackup.INI
2012-01-06 00:43 - 2008-07-30 07:11 - 0000267 ____A C:\Users\Public\Documents\hpqp.ini
2012-01-06 00:43 - 2008-07-30 07:11 - 0000267 ____A C:\Users\All Users\Documents\hpqp.ini
2012-01-06 00:43 - 2008-07-30 07:11 - 0000267 ____A C:\Documents and Settings\Public\Documents\hpqp.ini
2012-01-06 00:43 - 2008-07-30 07:11 - 0000267 ____A C:\Documents and Settings\All Users\Documents\hpqp.ini
2012-01-06 00:41 - 2011-04-08 17:59 - 0000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-01-06 00:40 - 2006-11-02 04:47 - 0303232 ____A C:\Windows\System32\FNTCACHE.DAT
2012-01-06 00:38 - 2012-01-05 19:39 - 0554456 ____A C:\Windows\PFRO.log
2012-01-06 00:19 - 2008-05-22 18:31 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-01-06 00:19 - 2008-05-22 18:31 - 0000000 ____D C:\Users\All Users\Application Data\Microsoft Help
2012-01-06 00:19 - 2008-05-22 18:31 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-01-06 00:19 - 2008-05-22 18:31 - 0000000 ____D C:\Documents and Settings\All Users\Microsoft Help
2012-01-06 00:19 - 2008-05-22 18:31 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help
2012-01-05 19:44 - 2008-08-17 14:55 - 0070744 ____A C:\Users\Leaf\Local Settings\GDIPFONTCACHEV1.DAT
2012-01-05 19:44 - 2008-08-17 14:55 - 0070744 ____A C:\Users\Leaf\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2012-01-05 19:44 - 2008-08-17 14:55 - 0070744 ____A C:\Users\Leaf\AppData\Local\GDIPFONTCACHEV1.DAT
2012-01-05 19:44 - 2008-08-17 14:55 - 0070744 ____A C:\Documents and Settings\Leaf\Local Settings\GDIPFONTCACHEV1.DAT
2012-01-05 19:44 - 2008-08-17 14:55 - 0070744 ____A C:\Documents and Settings\Leaf\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2012-01-05 19:44 - 2008-08-17 14:55 - 0070744 ____A C:\Documents and Settings\Leaf\AppData\Local\GDIPFONTCACHEV1.DAT
2012-01-05 19:39 - 2009-12-16 10:13 - 0000000 ____D C:\Users\All Users\Norton
2012-01-05 19:39 - 2009-12-16 10:13 - 0000000 ____D C:\Users\All Users\Application Data\Norton
2012-01-05 19:39 - 2009-12-16 10:13 - 0000000 ____D C:\ProgramData\Norton
2012-01-05 19:39 - 2009-12-16 10:13 - 0000000 ____D C:\Documents and Settings\All Users\Norton
2012-01-05 19:39 - 2009-12-16 10:13 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2012-01-05 19:37 - 2008-08-21 19:14 - 0025600 ____A C:\Users\Leaf\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-01-05 19:37 - 2008-08-21 19:14 - 0025600 ____A C:\Users\Leaf\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-01-05 19:37 - 2008-08-21 19:14 - 0025600 ____A C:\Users\Leaf\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-01-05 19:37 - 2008-08-21 19:14 - 0025600 ____A C:\Documents and Settings\Leaf\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-01-05 19:37 - 2008-08-21 19:14 - 0025600 ____A C:\Documents and Settings\Leaf\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-01-05 19:37 - 2008-08-21 19:14 - 0025600 ____A C:\Documents and Settings\Leaf\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-01-05 19:36 - 2010-01-23 13:38 - 0000000 ____D C:\Program Files\NortonInstaller
2012-01-05 19:33 - 2008-05-22 17:09 - 0000000 ____D C:\Program Files\Common Files\Symantec Shared
2012-01-05 19:31 - 2012-01-05 19:31 - 0000000 ____D C:\Windows\System32\Drivers\NST
2012-01-05 19:31 - 2012-01-05 19:31 - 0000000 ____D C:\Program Files\Norton Safe Web Lite
2012-01-05 19:24 - 2012-01-05 19:24 - 0117312 ____A C:\Users\Leaf\My Documents\registry backup.reg
2012-01-05 19:24 - 2012-01-05 19:24 - 0117312 ____A C:\Users\Leaf\Documents\registry backup.reg
2012-01-05 19:24 - 2012-01-05 19:24 - 0117312 ____A C:\Documents and Settings\Leaf\My Documents\registry backup.reg
2012-01-05 19:24 - 2012-01-05 19:24 - 0117312 ____A C:\Documents and Settings\Leaf\Documents\registry backup.reg
2012-01-05 19:17 - 2008-11-03 20:56 - 0000000 ____D C:\Users\Leaf\Local Settings\Google
2012-01-05 19:17 - 2008-11-03 20:56 - 0000000 ____D C:\Users\Leaf\Local Settings\Application Data\Google
2012-01-05 19:17 - 2008-11-03 20:56 - 0000000 ____D C:\Users\Leaf\AppData\Local\Google
2012-01-05 19:17 - 2008-11-03 20:56 - 0000000 ____D C:\Documents and Settings\Leaf\Local Settings\Google
2012-01-05 19:17 - 2008-11-03 20:56 - 0000000 ____D C:\Documents and Settings\Leaf\Local Settings\Application Data\Google
2012-01-05 19:17 - 2008-11-03 20:56 - 0000000 ____D C:\Documents and Settings\Leaf\AppData\Local\Google
2012-01-05 19:10 - 2012-01-05 19:10 - 0001971 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-01-05 19:10 - 2012-01-05 19:10 - 0001971 ____A C:\Users\All Users\Desktop\Google Chrome.lnk
2012-01-05 19:10 - 2012-01-05 19:10 - 0001971 ____A C:\Documents and Settings\Public\Desktop\Google Chrome.lnk
2012-01-05 19:10 - 2012-01-05 19:10 - 0001971 ____A C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2012-01-05 19:10 - 2011-04-08 17:58 - 0000000 ____D C:\Program Files\Google
2012-01-05 19:09 - 2012-01-05 19:09 - 0001829 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-01-05 19:09 - 2012-01-05 19:09 - 0001829 ____A C:\Users\All Users\Desktop\avast! Free Antivirus.lnk
2012-01-05 19:09 - 2012-01-05 19:09 - 0001829 ____A C:\Documents and Settings\Public\Desktop\avast! Free Antivirus.lnk
2012-01-05 19:09 - 2012-01-05 19:09 - 0001829 ____A C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
2012-01-05 19:09 - 2006-11-02 02:23 - 0002577 ____A C:\Windows\System32\config.nt
2012-01-05 19:07 - 2012-01-05 19:07 - 0000000 ____D C:\Users\All Users\AVAST Software
2012-01-05 19:07 - 2012-01-05 19:07 - 0000000 ____D C:\Users\All Users\Application Data\AVAST Software
2012-01-05 19:07 - 2012-01-05 19:07 - 0000000 ____D C:\ProgramData\AVAST Software
2012-01-05 19:07 - 2012-01-05 19:07 - 0000000 ____D C:\Program Files\AVAST Software
2012-01-05 19:07 - 2012-01-05 19:07 - 0000000 ____D C:\Documents and Settings\All Users\AVAST Software
2012-01-05 19:07 - 2012-01-05 19:07 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\AVAST Software
2012-01-05 19:02 - 2010-12-08 09:40 - 0000000 ____D C:\Users\Leaf\Application Data\FrostWire
2012-01-05 19:02 - 2010-12-08 09:40 - 0000000 ____D C:\Users\Leaf\AppData\Roaming\FrostWire
2012-01-05 19:02 - 2010-12-08 09:40 - 0000000 ____D C:\Documents and Settings\Leaf\Application Data\FrostWire
2012-01-05 19:02 - 2010-12-08 09:40 - 0000000 ____D C:\Documents and Settings\Leaf\AppData\Roaming\FrostWire
2012-01-05 19:02 - 2010-03-27 14:27 - 0000000 ____D C:\Users\Leaf\Local Settings\CrashDumps
2012-01-05 19:02 - 2010-03-27 14:27 - 0000000 ____D C:\Users\Leaf\Local Settings\Application Data\CrashDumps
2012-01-05 19:02 - 2010-03-27 14:27 - 0000000 ____D C:\Users\Leaf\AppData\Local\CrashDumps
2012-01-05 19:02 - 2010-03-27 14:27 - 0000000 ____D C:\Documents and Settings\Leaf\Local Settings\CrashDumps
2012-01-05 19:02 - 2010-03-27 14:27 - 0000000 ____D C:\Documents and Settings\Leaf\Local Settings\Application Data\CrashDumps
2012-01-05 19:02 - 2010-03-27 14:27 - 0000000 ____D C:\Documents and Settings\Leaf\AppData\Local\CrashDumps
2012-01-05 19:02 - 2008-05-22 15:49 - 0000000 ____D C:\Windows\panther
2012-01-05 17:11 - 2012-01-05 17:11 - 0000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-01-05 17:11 - 2012-01-05 17:11 - 0000906 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-01-05 17:11 - 2012-01-05 17:11 - 0000906 ____A C:\Documents and Settings\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-01-05 17:11 - 2012-01-05 17:11 - 0000906 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-01-05 17:11 - 2012-01-04 10:17 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-01-05 12:09 - 2012-01-04 06:26 - 0000000 ____D C:\Windows\pss
2012-01-04 21:03 - 2012-01-04 10:30 - 0000000 ____D C:\bd_logs
2012-01-04 19:25 - 2010-08-16 08:32 - 0000000 ____D C:\Users\Leaf\My Documents\KLS
2012-01-04 19:25 - 2010-08-16 08:32 - 0000000 ____D C:\Users\Leaf\Documents\KLS
2012-01-04 19:25 - 2010-08-16 08:32 - 0000000 ____D C:\Documents and Settings\Leaf\My Documents\KLS
2012-01-04 19:25 - 2010-08-16 08:32 - 0000000 ____D C:\Documents and Settings\Leaf\Documents\KLS
2012-01-04 12:34 - 2006-11-02 03:18 - 0000000 ___SD C:\Windows\Downloaded Program Files
2012-01-04 12:17 - 2012-01-04 12:16 - 0001905 ____A C:\Windows\diagwrn.xml
2012-01-04 12:17 - 2012-01-04 12:16 - 0001905 ____A C:\Windows\diagerr.xml
2012-01-04 10:17 - 2012-01-04 10:17 - 0000000 ____D C:\Users\Leaf\Application Data\Malwarebytes
2012-01-04 10:17 - 2012-01-04 10:17 - 0000000 ____D C:\Users\Leaf\AppData\Roaming\Malwarebytes
2012-01-04 10:17 - 2012-01-04 10:17 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-01-04 10:17 - 2012-01-04 10:17 - 0000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2012-01-04 10:17 - 2012-01-04 10:17 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-01-04 10:17 - 2012-01-04 10:17 - 0000000 ____D C:\Documents and Settings\Leaf\Application Data\Malwarebytes
2012-01-04 10:17 - 2012-01-04 10:17 - 0000000 ____D C:\Documents and Settings\Leaf\AppData\Roaming\Malwarebytes
2012-01-04 10:17 - 2012-01-04 10:17 - 0000000 ____D C:\Documents and Settings\All Users\Malwarebytes
2012-01-04 10:17 - 2012-01-04 10:17 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2012-01-04 09:05 - 2008-04-10 02:26 - 0000000 ____D C:\Windows\SMINST
2012-01-04 08:01 - 2008-08-22 18:48 - 0000000 ____D C:\Windows\Minidump
2012-01-04 07:51 - 2008-08-17 14:49 - 0000000 ____D C:\Users\Leaf\AppData\LocalLow
2012-01-04 07:51 - 2008-08-17 14:49 - 0000000 ____D C:\Documents and Settings\Leaf\AppData\LocalLow
2012-01-04 07:51 - 2008-05-22 17:08 - 0000000 ___HD C:\Program Files\InstallShield Installation Information
2012-01-04 07:49 - 2010-12-08 09:39 - 0000000 ____D C:\Program Files\Ask.com
2012-01-04 07:37 - 2011-04-08 17:58 - 0000000 ____D C:\Users\All Users\Real
2012-01-04 07:37 - 2011-04-08 17:58 - 0000000 ____D C:\Users\All Users\Application Data\Real
2012-01-04 07:37 - 2011-04-08 17:58 - 0000000 ____D C:\ProgramData\Real
2012-01-04 07:37 - 2011-04-08 17:58 - 0000000 ____D C:\Program Files\Real
2012-01-04 07:37 - 2011-04-08 17:58 - 0000000 ____D C:\Documents and Settings\All Users\Real
2012-01-04 07:37 - 2011-04-08 17:58 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\Real
2012-01-04 07:36 - 2011-04-08 17:58 - 0000000 ____D C:\Users\Leaf\Application Data\Real
2012-01-04 07:36 - 2011-04-08 17:58 - 0000000 ____D C:\Users\Leaf\AppData\Roaming\Real
2012-01-04 07:36 - 2011-04-08 17:58 - 0000000 ____D C:\Documents and Settings\Leaf\Application Data\Real
2012-01-04 07:36 - 2011-04-08 17:58 - 0000000 ____D C:\Documents and Settings\Leaf\AppData\Roaming\Real
2012-01-04 07:26 - 2008-05-22 18:39 - 0000000 ____D C:\Program Files\CyberLink
2012-01-04 07:15 - 2008-08-28 18:56 - 0000000 ____D C:\Users\Leaf\Local Settings\Application Data\AOL
2012-01-04 07:15 - 2008-08-28 18:56 - 0000000 ____D C:\Users\Leaf\Local Settings\AOL
2012-01-04 07:15 - 2008-08-28 18:56 - 0000000 ____D C:\Users\Leaf\AppData\Local\AOL
2012-01-04 07:15 - 2008-08-28 18:56 - 0000000 ____D C:\Documents and Settings\Leaf\Local Settings\Application Data\AOL
2012-01-04 07:15 - 2008-08-28 18:56 - 0000000 ____D C:\Documents and Settings\Leaf\Local Settings\AOL
2012-01-04 07:15 - 2008-08-28 18:56 - 0000000 ____D C:\Documents and Settings\Leaf\AppData\Local\AOL
2012-01-04 06:49 - 2008-11-03 19:59 - 0000000 ____D C:\Users\All Users\Google
2012-01-04 06:49 - 2008-11-03 19:59 - 0000000 ____D C:\Users\All Users\Application Data\Google
2012-01-04 06:49 - 2008-11-03 19:59 - 0000000 ____D C:\ProgramData\Google
2012-01-04 06:49 - 2008-11-03 19:59 - 0000000 ____D C:\Documents and Settings\All Users\Google
2012-01-04 06:49 - 2008-11-03 19:59 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\Google
2012-01-04 06:49 - 2008-08-26 20:12 - 0000000 ____D C:\Program Files\LimeWire
2012-01-04 06:25 - 2011-04-08 19:15 - 0000000 ____A C:\Users\Leaf\Local Settings\Hwamixuyoyu.bin
2012-01-04 06:25 - 2011-04-08 19:15 - 0000000 ____A C:\Users\Leaf\Local Settings\Application Data\Hwamixuyoyu.bin
2012-01-04 06:25 - 2011-04-08 19:15 - 0000000 ____A C:\Users\Leaf\AppData\Local\Hwamixuyoyu.bin
2012-01-04 06:25 - 2011-04-08 19:15 - 0000000 ____A C:\Documents and Settings\Leaf\Local Settings\Hwamixuyoyu.bin
2012-01-04 06:25 - 2011-04-08 19:15 - 0000000 ____A C:\Documents and Settings\Leaf\Local Settings\Application Data\Hwamixuyoyu.bin
2012-01-04 06:25 - 2011-04-08 19:15 - 0000000 ____A C:\Documents and Settings\Leaf\AppData\Local\Hwamixuyoyu.bin
2011-12-10 12:24 - 2012-01-04 10:17 - 0020464 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2011-12-07 08:44 - 2006-11-02 02:24 - 52988224 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2011-11-28 10:01 - 2012-01-05 19:08 - 0199816 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2011-11-28 10:01 - 2012-01-05 19:08 - 0041184 ____A (AVAST Software) C:\Windows\avastSS.scr
2011-11-28 09:53 - 2012-01-05 19:09 - 0435032 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2011-11-28 09:53 - 2012-01-05 19:09 - 0314456 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2011-11-28 09:52 - 2012-01-05 19:09 - 0055128 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2011-11-28 09:52 - 2012-01-05 19:09 - 0052952 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2011-11-28 09:52 - 2012-01-05 19:09 - 0034392 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
2011-11-28 09:51 - 2012-01-05 19:09 - 0020568 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2011-11-15 11:29 - 2011-02-09 15:13 - 0222080 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

========================= Known DLLs (Whitelisted) ============

[2012-01-05 19:00] - [2011-05-27 22:04] - 1991680 ____A () C:\Windows\System32\IERTUTIL.dll
[2012-01-05 19:00] - [2011-05-27 22:08] - 1211904 ____A () C:\Windows\System32\URLMON.dll
[2012-01-05 19:00] - [2011-05-27 22:08] - 0916480 ____A () C:\Windows\System32\WININET.dll

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2008-12-12 00:32] - [2008-10-28 22:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys
[2008-01-20 18:23] - [2008-01-20 18:23] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9


========================= Memory info ======================

Percentage of memory in use: 17%
Total physical RAM: 2813.22 MB
Available physical RAM: 2307.08 MB
Total Pagefile: 2558.5 MB
Available Pagefile: 2373.18 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.55 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:222.9 GB) (Free:139.7 GB) NTFS ==>[Drive with boot components]
2 Drive d: (HP_RECOVERY) (Fixed) (Total:9.99 GB) (Free:1.23 GB) NTFS
4 Drive f: () (Removable) (Total:0.9 GB) (Free:0.9 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ###  Status      Size     Free     Dyn  Gpt
--------  ----------  -------  -------  ---  ---
Disk 0    Online      233 GB   2232 KB
Disk 1    Online      925 MB   0 B
Disk 2    No Media    0 B      0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           223 GB   32 KB
Partition 2    Primary           10 GB    223 GB

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3  C                 NTFS   Partition   223 GB   Healthy

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1  D    HP_RECOVERY  NTFS   Partition   10 GB    Healthy

Partitions of Disk 1:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           925 MB   32 KB

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4  F                 FAT32  Removable   925 MB   Healthy



==========================================================

Last Boot: 2012-01-06 00:48

======================= End Of Log ==========================

#14 Elise

  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,313 posts
  • Gender:Female
  • Location:Romania
  • Local time:05:15 AM

Posted 07 January 2012 - 01:04 PM

To be sure I'd like to have a look at the MBR as well.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished, a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft
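An added example, not from this thread or from xPUD/FRST, of what a reviewer does with the mbr.bin that the dd command above produces: split the 512-byte sector into boot code, partition table and signature, hash the boot code against a known-good reference, and sanity-check the partition entries. The two sample sectors and the reference hash are constructed stand-ins that mirror the two NTFS (type 07) partitions shown in the log, with the first one active.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot code hash, partition entries and signature."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:462 + 16 * i]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype:  # an all-zero entry is an unused slot
            parts.append({"index": i + 1, "active": status == 0x80,
                          "type": ptype, "start": start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
            "partitions": parts, "signature_ok": mbr[510:] == b"\x55\xaa"}

def check_mbr(mbr: bytes, known_good: set) -> list:
    """Return findings a reviewer would want to see; an empty list means nothing odd."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] not in known_good:
        findings.append("boot code does not match any known-good hash")
    active = [p["index"] for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    ordered = sorted(info["partitions"], key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start"] < a["start"] + a["sectors"]:
            findings.append(f"partition {b['index']} overlaps partition {a['index']}")
    return findings

def build_sample(boot_code: bytes) -> bytes:
    """Constructed MBR mirroring the two type-07 (NTFS) partitions in the log above."""
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 467_500_000)          # C:, active
    table += struct.pack("<B3xB3xII", 0x00, 0x07, 467_500_063, 20_950_000)  # D: recovery
    table += bytes(32)                                                      # two unused slots
    return boot_code.ljust(440, b"\x00") + bytes(6) + table + b"\x55\xaa"

# Constructed stand-ins: a "clean" boot sector and one whose boot code was altered.
SAMPLE_CLEAN = build_sample(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
SAMPLE_TAMPERED = build_sample(b"\xeb\xfe" + b"\x90" * 6)
KNOWN_GOOD = {parse_mbr(SAMPLE_CLEAN)["boot_code_sha256"]}  # stand-in for a reference hash set

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        print(name, check_mbr(sample, KNOWN_GOOD) or "no findings")
```

In practice the reference set would hold the boot-code hash of the OEM or Windows-installed MBR for that machine; a mismatch alone says the boot code differs, not what it does.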


#15 goldenchild (Topic Starter)

  • Members
  • 132 posts
  • Gender:Female
  • Location:Harlem, NY
  • Local time:10:15 PM

Posted 07 January 2012 - 01:41 PM

I need a CD and a USB, or just a USB?



