Asus X52F Laptop with Bootup Virus


  • This topic is locked
50 replies to this topic

#1 mondoboss

Posted 09 February 2012 - 09:55 AM

Edit: Moved from WIN7 to the Am I Infected forum for better assistance.


Hi,

Last night I was on my laptop, simply using NeoOffice and iTunes and nothing else, and abruptly all my windows closed and my computer restarted, only to boot back up in Startup Restore, which was not able to solve anything. System Restore does not work as well, and I tried running it through DOS to no avail.

I've had this problem before and have had it fixed here. I will admit I did not go through all the follow-up procedures. I have Malaware, but I have not updated it recently. I still have P2P software on my computer, but I have seldom used it (I will definitely delete it this time).

Furthermore, my computer has been in possession of a fellow friend after a different type of virus attacked me months back. He fixed it, but he also turned off my Malaware, claiming it was not a good program and could mess me up.

I am not sure if this virus was caught due to him or due to something else. The only thing I did on the net last night besides e-mail corresponding was download one song. One. Song. I can only imagine the virus was stored on there, but who knows?

Any help would be appreciated, and as tomorrow's payday, I will gladly be donating. Thanks!

Edited by boopme, 09 February 2012 - 10:04 AM.



#2 boopme (Global Moderator)

Posted 09 February 2012 - 10:10 AM

Hello, I moved you to here.
Your friend doesn't know malware tools too well. :)

Let's run a few tools and see how it is.


Run RKill....


Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode, click the Update tab and select Check for Updates. When done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

>>>

Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click on Change Parameters.
  • Put a check in the box Detect TDLFS file system.
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with descriptions.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
  • Let it reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility writes the log to the root folder of the system disk (usually the disk with the installed operating system, C:\). The log has a name like TDSSKiller.Version_Date_Time_log.txt.


>>>>
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start the scan.

On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

>>>>

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.



Please ask any needed questions, post the logs and let us know how the PC is running now.

Edited by boopme, 09 February 2012 - 10:11 AM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook
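
The aswMBR step above keeps a copy of the first sector as MBR.dat because the bootkits that TDSSKiller and aswMBR look for live in that sector, and the reliable way to confirm or rule one out is to compare the captured sector with a known-good one. The script below is an added example written for this thread; it is not code from aswMBR, TDSSKiller or any poster. It parses a 512-byte MBR image and diffs it against a baseline. MBR.dat is assumed to be the raw 512-byte sector, the baseline is assumed to be a copy taken from a clean machine with the same Windows version, and the stub boot code and partition layout used as sample data are constructed inline.

```python
"""Parse a 512-byte MBR image (for example aswMBR's MBR.dat) and diff it against
a known-good copy.  Added example for this thread; not aswMBR/TDSSKiller code."""
import hashlib
import struct
from typing import Dict, List, Tuple

MBR_SIZE = 512
BOOT_CODE_LEN = 440    # bytes 0..439 hold the boot code
DISK_SIG_OFF = 440     # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446   # four 16-byte partition entries
BOOT_SIG_OFF = 510     # must be 55 AA

# Partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PART_ENTRY = struct.Struct('<B3xB3xII')


def parse_mbr(mbr: bytes) -> Dict:
    """Return boot signature state, disk signature, boot-code hash and partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f'expected a {MBR_SIZE}-byte sector, got {len(mbr)} bytes')
    partitions: List[Dict] = []
    for i in range(4):
        status, ptype, lba_start, sectors = PART_ENTRY.unpack_from(mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:           # empty slot
            continue
        partitions.append({'slot': i, 'bootable': status == 0x80, 'type': ptype,
                           'lba_start': lba_start, 'sectors': sectors})
    return {
        'signature_ok': mbr[BOOT_SIG_OFF:] == b'\x55\xAA',
        'disk_signature': struct.unpack_from('<I', mbr, DISK_SIG_OFF)[0],
        'boot_code_sha256': hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        'partitions': partitions,
    }


def compare_mbr(suspect: bytes, baseline: bytes) -> List[str]:
    """List what differs between a captured MBR and a known-good one.

    Changed boot code with an untouched partition table is the classic bootkit
    footprint: the disk still boots Windows, but through the attacker's code first.
    """
    a, b = parse_mbr(suspect), parse_mbr(baseline)
    issues: List[str] = []
    if not a['signature_ok']:
        issues.append('boot signature 55AA missing')
    if a['boot_code_sha256'] != b['boot_code_sha256']:
        changed = [i for i in range(BOOT_CODE_LEN) if suspect[i] != baseline[i]]
        issues.append(f'boot code differs from baseline ({len(changed)} bytes, first at offset {changed[0]})')
    if a['partitions'] != b['partitions']:
        issues.append('partition table differs from baseline')
    if not any(p['bootable'] for p in a['partitions']):
        issues.append('no partition is marked active')
    return issues


def build_mbr(boot_code: bytes, entries: List[Tuple[int, int, int, int]],
              disk_signature: int = 0x12345678) -> bytes:
    """Assemble a synthetic MBR from boot code and (status, type, lba_start, sectors) entries."""
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b'\x00')[:BOOT_CODE_LEN])
    sector += struct.pack('<IH', disk_signature, 0)          # disk signature + reserved
    for entry in entries:
        sector += PART_ENTRY.pack(*entry)
    sector += b'\x00' * 16 * (4 - len(entries))              # unused slots
    sector += b'\x55\xAA'
    return bytes(sector)


# Constructed sample data.  The stub is the opening instructions of a typical MBR
# (xor ax,ax / mov ss,ax / mov sp,7C00h); a real baseline would be the full 440-byte
# boot code captured from a clean install of the same Windows version.
CLEAN_BOOT_CODE = b'\x33\xC0\x8E\xD0\xBC\x00\x7C'
# A bootkit typically overwrites the entry point with a jump into its own code and
# stashes the original sector elsewhere on disk; modelled here by patching in a jmp.
INFECTED_BOOT_CODE = b'\xE9\x00\x01' + CLEAN_BOOT_CODE[3:]
# Layout as Windows 7 setup creates it: 100 MB active "System Reserved" + OS volume.
CLEAN_PARTS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 976000000)]

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, CLEAN_PARTS)
INFECTED_MBR = build_mbr(INFECTED_BOOT_CODE, CLEAN_PARTS)

if __name__ == '__main__':
    # With a real capture: suspect = open('MBR.dat', 'rb').read()
    for label, sector in (('clean', CLEAN_MBR), ('infected', INFECTED_MBR)):
        print(label, compare_mbr(sector, CLEAN_MBR) or ['matches baseline'])
```

Hashing only the first 440 bytes matters: the disk signature and partition table legitimately differ between machines, so comparing the whole sector against a baseline from another machine would always report a difference and hide the one that counts.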

#3 mondoboss (Topic Starter)

Posted 09 February 2012 - 10:15 AM

Thanks, sorry for posting in the wrong forum.

Unfortunately, the boot-up is stuck in a loop. System Restore starts upon bootup, and all I can do from there is shut down or restart. The desktop never gets a chance to boot.

#4 boopme (Global Moderator)

Posted 09 February 2012 - 11:49 AM

I will ask someone to look here who handles these loopers ...

#5 mondoboss (Topic Starter)

Posted 09 February 2012 - 11:52 AM

Sounds good, thanks! I'm off to lunch! :lol:

#6 Farbar (Security Developer)

Posted 09 February 2012 - 12:45 PM

Hi mondoboss,

Seems you are back again. :)

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
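
Once FRST.txt exists, the helper's first pass is to scan it for what the tool itself flags and for the usual dropper footprints. The script below is an added example, not FRST's code and not anything posted in this thread: it parses the Run/RunOnce and file-listing line formats FRST writes and assigns a severity to each indicator. The sample input is a handful of lines taken from the log posted later in the thread (not a complete log). The "==>" annotation is FRST's own marker for a value matched against an infection it knows; in that log it sits on the SubSystems line, the Session Manager\SubSystems\Windows value that the ZeroAccess variant of the time rewrote so that csrss loaded its DLL. The severity levels and the "randomly named file" heuristic are assumptions made for this example, so treat the output as a reading aid rather than a verdict.

```python
"""Triage an FRST (Farbar Recovery Scan Tool) log for the indicators a removal
helper checks first.  Added example for this thread; not FRST's own code."""
import re
from typing import List, Tuple

# Registry autostart line, e.g.
#   HKLM-x32\...\Run: [name] "C:\path\app.exe" -arg [size date] (Company)
#   HKU\Josh\...\Run: [ares] "C:\...\Ares.exe" -h [x]      ([x] = file not found)
RUN_RE = re.compile(r'^(?P<hive>HK.+?)\\\.\.\.\\(?P<key>RunOnce|Run): \[(?P<name>[^\]]*)\] (?P<rest>.*)$')
RUN_TAIL_RE = re.compile(r'\[(?P<size>\d+) (?P<date>\d{4}-\d\d-\d\d)\] \((?P<company>[^)]*)\)$')

# File-listing line: "<modified> - <created> - <size> <attrs> [(Company) ]<path>"
# where <attrs> is a five-character field such as ____A, ___AH, __ASH or ____D.
FILE_RE = re.compile(
    r'^(?P<mod>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - '
    r'(?P<size>\d+) (?P<attr>[_A-Z]{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$')

# Directories where droppers commonly park hidden, randomly named files (assumption).
DROP_DIRS = ('c:\\programdata', 'c:\\users\\all users')
SEVERITY_RANK = {'HIGH': 0, 'MEDIUM': 1, 'LOW': 2, 'INFO': 3}

Finding = Tuple[str, str, str]  # (severity, reason, log line)


def looks_random(name: str) -> bool:
    """Heuristic: a long mix of letters and digits with no extension, excluding GUIDs."""
    stem = name.lstrip('~')
    if stem.startswith('{') and stem.endswith('}'):
        return False
    return ('.' not in stem and len(stem) >= 12
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))


def triage_line(line: str) -> List[Finding]:
    line = line.rstrip()
    if '==>' in line:
        # FRST appends "==> <name>" to values it has matched against a known infection.
        return [('HIGH', 'FRST matched a known infection: ' + line.split('==>', 1)[1].strip(), line)]
    m = RUN_RE.match(line)
    if m:
        name, rest = m.group('name'), m.group('rest')
        if rest.endswith('[x]'):
            return [('INFO', f"autostart '{name}' points at a file that no longer exists", line)]
        tail = RUN_TAIL_RE.search(rest)
        if tail and not tail.group('company'):
            return [('LOW', f"autostart '{name}' carries no company name in its version info", line)]
        return []
    m = FILE_RE.match(line)
    if not m:
        return []
    path, attr = m.group('path'), m.group('attr')
    parent, _, name = path.rpartition('\\')
    parent_l, name_l = parent.lower(), name.lower()
    findings: List[Finding] = []
    if parent_l == 'c:\\windows' and name_l == 'system64':
        # 64-bit Windows ships System32 and SysWOW64; a "system64" directory is never legitimate.
        findings.append(('HIGH', 'directory C:\\Windows\\system64 does not exist on a clean install', line))
    if 'H' in attr and (parent_l in DROP_DIRS or parent_l.endswith('\\appdata\\local')) and looks_random(name):
        findings.append(('MEDIUM', 'hidden, randomly named file in ' + parent, line))
    if name_l.endswith('.exe') and parent_l.endswith('\\appdata\\local') and not m.group('company'):
        findings.append(('MEDIUM', 'executable without version info directly in AppData\\Local', line))
    return findings


def triage(log_text: str) -> List[Finding]:
    """Run every line through the checks; most severe findings first, log order within a level."""
    findings = [f for line in log_text.splitlines() for f in triage_line(line)]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


# Lines taken from the FRST log posted later in this thread (not a complete log).
SAMPLE_LOG = r"""
HKLM\...\Run: [MRT] "C:\Windows\system32\MRT.exe" /R [54008112 2012-01-12] (Microsoft Corporation)
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2009-11-18] ()
HKLM\...\Run: [Setwallpaper] c:\programdata\SetWallpaper.cmd [x]
HKU\Josh\...\Run: [ares] "C:\Program Files (x86)\Ares\Ares.exe" -h [x]
SubSystems: [Windows] ==> ZeroAccess
2012-01-11 16:45 - 2011-11-16 22:41 - 1731920 ____A (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2012-01-22 16:02 - 2012-01-22 16:02 - 0000272 ___AH C:\ProgramData\~itDPFwrMumu25f
2011-12-15 17:56 - 2011-12-15 15:51 - 0010402 __ASH C:\Users\Josh\AppData\Local\786687y7c168q428n153s8xbl4s1
2011-12-15 15:51 - 2011-12-15 15:51 - 0333824 ____A C:\Users\Josh\AppData\Local\gxd.exe
2011-12-15 15:51 - 2011-12-15 15:51 - 0000000 ____D C:\Windows\system64
2012-02-06 16:26 - 2011-03-13 07:48 - 3054940160 __ASH C:\hiberfil.sys
"""

if __name__ == '__main__':
    # With a real log: triage(open('FRST.txt', encoding='utf-8', errors='replace').read())
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f'{severity:6} {reason}\n       {line}')
```

The hiberfil.sys line is there on purpose: it is hidden and system-attributed but sits in the drive root, and a triage that flags every hidden file would bury the real findings under Windows' own housekeeping. An empty company field is only LOW because FRST reports the file's version resource, not a signature check; plenty of OEM utilities ship without one.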

#7 Farbar (Security Developer)

Posted 09 February 2012 - 12:46 PM

I also moved the topic to malware removal forum.

#8 mondoboss (Topic Starter)

Posted 09 February 2012 - 01:11 PM

Ah, yes, you are the user who helped me before. And I thank you. :)
So sorry to be a poor customer and to have to come back so soon. I think I am going to disregard my other friend's future advice and keep my computer away from him as well, haha. And I will definitely be more up-to-date with the Malware definitions. Two times within a year is too much!

Anyway, here is my log:

Scan result of Farbar Recovery Scan Tool Version: 28-01-2012
Ran by SYSTEM at 2012-02-09 13:01:56
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [ETDWare] %ProgramFiles%\Elantech\ETDCtrl.exe [649608 2010-06-09] (ELAN Microelectronic Corp.)
HKLM\...\Run: [ASUS WebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe [1754448 2010-03-15] ()
HKLM\...\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [1022904 2010-02-23] (Trend Micro Inc.)
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2009-11-18] ()
HKLM\...\Run: [Setwallpaper] c:\programdata\SetWallpaper.cmd [x]
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [161304 2010-08-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [415256 2010-08-25] (Intel Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [500208 2010-03-05] (Adobe Systems Incorporated)
HKLM\...\Run: [MRT] "C:\Windows\system32\MRT.exe" /R [54008112 2012-01-12] (Microsoft Corporation)
HKLM-x32\...\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [Boingo Wi-Fi] "C:\Program Files (x86)\Boingo\Boingo Wi-Fi\Boingo.lnk" [2429 2010-08-12] ()
HKLM-x32\...\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [6806144 2010-06-24] (ASUS)
HKLM-x32\...\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [170624 2010-05-03] (ASUS)
HKLM-x32\...\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [1597440 2010-07-02] ()
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-09-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2011-01-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2011-03-07] (Apple Inc.)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [402432 2010-07-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [GIZMO2] "C:\Program Files (x86)\GIZMO2\GIZMO.exe" -BootProcess [137048 2011-01-21] (ants Inc.)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [273544 2011-06-01] (RealNetworks, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [449584 2011-05-29] (Malwarebytes Corporation)
HKU\Josh\...\Run: [Syncables] C:\Program Files (x86)\syncables\syncables desktop\Syncables.exe [370480 2010-04-05] (syncables, LLC)
HKU\Josh\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [5252408 2010-06-01] (Yahoo! Inc.)
HKU\Josh\...\Run: [ares] "C:\Program Files (x86)\Ares\Ares.exe" -h [x]
HKU\Josh\...\Run: [AdobeBridge] [x]
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 38.8.82.2
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 ASLDRService; C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe [84536 2009-06-15] (ASUS)
2 ATKGFNEXSrv; C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe [96896 2009-12-15] (ASUS)
2 BBUpdate; "C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE" [249648 2011-06-15] (Microsoft Corporation)
3 FLEXnet Licensing Service; "C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" [654848 2011-03-13] (Macrovision Europe Ltd.)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [366640 2011-05-29] (Malwarebytes Corporation)
2 SfCtlCom; "C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe" [859712 2010-10-09] (Trend Micro Inc.)
2 SpyHunter 4 Service; C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [995232 2011-10-10] (Enigma Software Group USA, LLC.)
3 TMBMServer; "C:\Program Files\Trend Micro\BM\TMBMSRV.exe" /service [570632 2010-02-23] (Trend Micro Inc.)
3 TmProxy; "C:\Program Files\Trend Micro\Internet Security\TmProxy.exe" [917768 2010-02-23] (Trend Micro Inc.)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2314240 2009-09-30] (Intel Corporation)

========================== Drivers (Whitelisted) =============

2 ASMMAP64; \??\C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [15416 2009-07-02] (ASUS)
3 JME; C:\Windows\System32\DRIVERS\JME.sys [115312 2010-02-24] (JMicron Technology Corp.)
3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [15416 2009-07-20] ( )
0 lullaby; C:\Windows\System32\DRIVERS\lullaby.sys [15928 2009-06-18] (Windows ® Win 7 DDK provider)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25912 2011-05-29] (Malwarebytes Corporation)
3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1806400 2009-06-05] ()
2 tmpreflt; C:\Windows\System32\DRIVERS\tmpreflt.sys [42576 2010-07-30] (Trend Micro Inc.)
1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [107536 2010-02-23] (Trend Micro Inc.)
2 tmxpflt; C:\Windows\System32\DRIVERS\tmxpflt.sys [309840 2010-07-30] (Trend Micro Inc.)
2 vsapint; C:\Windows\System32\DRIVERS\vsapint.sys [1988176 2010-07-30] (Trend Micro Inc.)
3 tmlwf; [x]
3 tmwfp; [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-02-02 16:52 - 2012-02-02 16:52 - 13463982 ____A C:\Users\Josh\Desktop\design samples.zip
2012-02-02 16:30 - 2012-02-02 16:52 - 0000000 ____D C:\Users\Josh\Desktop\graphic examples
2012-01-29 15:36 - 2011-11-16 22:35 - 0029184 ____A (Microsoft Corporation) C:\Windows\System32\sspisrv.dll
2012-01-29 15:36 - 2011-11-16 21:28 - 0096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-01-25 19:06 - 2012-01-25 19:06 - 0375215 ____A C:\Users\Josh\Desktop\logo.docx
2012-01-22 16:02 - 2012-01-22 16:02 - 0000272 ___AH C:\Users\All Users\~itDPFwrMumu25f
2012-01-22 16:02 - 2012-01-22 16:02 - 0000272 ___AH C:\ProgramData\~itDPFwrMumu25f
2012-01-22 16:02 - 2012-01-22 16:02 - 0000168 ___AH C:\Users\All Users\~itDPFwrMumu25fr
2012-01-22 16:02 - 2012-01-22 16:02 - 0000168 ___AH C:\ProgramData\~itDPFwrMumu25fr
2012-01-22 15:51 - 2012-01-22 15:57 - 0000440 ___AH C:\Users\All Users\itDPFwrMumu25f
2012-01-22 15:51 - 2012-01-22 15:57 - 0000440 ___AH C:\ProgramData\itDPFwrMumu25f
2012-01-18 20:15 - 2012-01-18 20:15 - 0053760 ____A C:\Users\Josh\Documents\Lady Who Left Town excerpt.doc
2012-01-18 17:18 - 2012-01-18 17:59 - 2647244 ___AH C:\Users\Josh\Desktop\Newport Beach HealthPoint template full.pdf
2012-01-11 17:41 - 2012-01-11 17:41 - 0015301 ____A C:\Users\Josh\Documents\rest of post.odt
2012-01-11 16:45 - 2011-11-19 06:58 - 0077312 ____A (Microsoft Corporation) C:\Windows\System32\packager.dll
2012-01-11 16:45 - 2011-11-19 06:01 - 0067072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2012-01-11 16:45 - 2011-11-16 22:41 - 1731920 ____A (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2012-01-11 16:45 - 2011-11-16 21:38 - 1292080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2012-01-11 16:45 - 2011-10-25 21:25 - 1572864 ____A (Microsoft Corporation) C:\Windows\System32\quartz.dll
2012-01-11 16:45 - 2011-10-25 21:25 - 0366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-01-11 16:45 - 2011-10-25 20:32 - 1328128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\quartz.dll
2012-01-11 16:45 - 2011-10-25 20:32 - 0514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2012-01-11 16:45 - 2011-10-13 21:31 - 0918528 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-01-11 16:45 - 2011-10-13 20:24 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

============ 3 Months Modified Files and Folders =============

2012-02-09 13:02 - 2011-07-01 02:48 - 0000000 ____D C:\FRST
2012-02-09 09:47 - 2011-03-12 11:17 - 0000000 ____D C:\Users\Josh\AppData\Roaming\vlc
2012-02-09 09:47 - 2011-03-12 04:52 - 0000000 ____D C:\users\Josh
2012-02-09 09:47 - 2010-08-12 23:41 - 0000000 ____D C:\Users\All Users\P4G
2012-02-09 09:47 - 2010-08-12 23:41 - 0000000 ____D C:\ProgramData\P4G
2012-02-09 09:47 - 2010-08-12 23:28 - 0000000 ____D C:\Intel
2012-02-09 09:47 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\sysprep
2012-02-09 09:47 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\registration
2012-02-09 09:46 - 2011-06-01 16:50 - 0000000 ____D C:\Users\All Users\Real
2012-02-09 09:46 - 2011-06-01 16:50 - 0000000 ____D C:\ProgramData\Real
2012-02-09 09:46 - 2011-05-13 16:57 - 0000000 ____D C:\Users\Josh\AppData\Local\Yahoo
2012-02-09 09:46 - 2011-05-06 03:40 - 0000000 ___RD C:\Users\Josh\Dropbox
2012-02-09 09:46 - 2011-05-06 03:39 - 0000000 ____D C:\Users\Josh\AppData\Roaming\Dropbox
2012-02-06 16:26 - 2011-03-13 07:48 - 3054940160 __ASH C:\hiberfil.sys
2012-02-02 18:52 - 2011-07-05 19:18 - 0000000 ____D C:\Users\Josh\Desktop\Batch Folder
2012-02-02 16:52 - 2012-02-02 16:52 - 13463982 ____A C:\Users\Josh\Desktop\design samples.zip
2012-02-02 16:52 - 2012-02-02 16:30 - 0000000 ____D C:\Users\Josh\Desktop\graphic examples
2012-02-02 16:32 - 2011-05-13 15:44 - 0001456 ____A C:\Users\Josh\AppData\Local\Adobe Save for Web 12.0 Prefs
2012-01-30 05:01 - 2010-08-12 22:50 - 1640793 ____A C:\Windows\WindowsUpdate.log
2012-01-30 04:56 - 2010-08-12 23:16 - 0000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-01-30 04:28 - 2010-08-12 23:16 - 0000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-01-29 18:07 - 2009-07-13 21:13 - 0726316 ____A C:\Windows\System32\PerfStringBackup.INI
2012-01-26 17:30 - 2009-07-13 20:45 - 0009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-01-26 17:30 - 2009-07-13 20:45 - 0009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-01-26 17:21 - 2011-12-15 18:11 - 0001288 ____A C:\Windows\setupact.log
2012-01-26 17:21 - 2011-11-08 08:55 - 0045056 ____A C:\Windows\System32\acovcnt.exe
2012-01-26 17:21 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-01-25 19:06 - 2012-01-25 19:06 - 0375215 ____A C:\Users\Josh\Desktop\logo.docx
2012-01-25 17:03 - 2011-08-25 16:11 - 0000132 ____A C:\Users\Josh\AppData\Roaming\Adobe PNG Format CS5 Prefs
2012-01-22 23:01 - 2011-03-12 10:49 - 0000000 ____D C:\Users\Josh\Documents\Writing
2012-01-22 16:17 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\config\TxR
2012-01-22 16:15 - 2011-08-25 21:35 - 0000000 ____D C:\Users\Josh\AppData\Local\Encryptomatic,_LLC
2012-01-22 16:15 - 2011-06-01 16:47 - 0000000 ____D C:\Users\Josh\AppData\Roaming\OpenCandy
2012-01-22 16:15 - 2011-05-13 16:56 - 0000000 ____D C:\Users\All Users\Yahoo! Companion
2012-01-22 16:15 - 2011-05-13 16:56 - 0000000 ____D C:\Users\All Users\Yahoo!
2012-01-22 16:15 - 2011-05-13 16:56 - 0000000 ____D C:\ProgramData\Yahoo! Companion
2012-01-22 16:15 - 2011-05-13 16:56 - 0000000 ____D C:\ProgramData\Yahoo!
2012-01-22 16:15 - 2011-04-30 19:39 - 0000000 ____D C:\Users\Josh\AppData\Roaming\dvdcss
2012-01-22 16:15 - 2011-04-22 21:03 - 0000000 ____D C:\Users\All Users\Norton
2012-01-22 16:15 - 2011-04-22 21:03 - 0000000 ____D C:\ProgramData\Norton
2012-01-22 16:15 - 2011-04-06 14:50 - 0000000 ____D C:\Users\Josh\AppData\Roaming\gtk-2.0
2012-01-22 16:15 - 2011-03-16 05:58 - 0000000 ____D C:\Users\Josh\AppData\Roaming\Skype
2012-01-22 16:15 - 2011-03-13 12:40 - 0000000 ____D C:\Users\All Users\FLEXnet
2012-01-22 16:15 - 2011-03-13 12:40 - 0000000 ____D C:\ProgramData\FLEXnet
2012-01-22 16:15 - 2011-03-12 05:01 - 0000000 ____D C:\Users\Josh\AppData\Roaming\Asus WebStorage
2012-01-22 16:14 - 2011-06-01 16:48 - 0000000 ____D C:\Users\Josh\AppData\Roaming\Real
2012-01-22 16:14 - 2011-05-13 16:56 - 0000000 ____D C:\Users\Josh\AppData\Roaming\Yahoo!
2012-01-22 16:14 - 2011-03-18 05:21 - 0000000 ____D C:\Users\Josh\Documents\Fax
2012-01-22 16:14 - 2011-03-12 10:19 - 0000000 ____D C:\Users\Josh\Graphic Stuffs
2012-01-22 16:14 - 2011-03-12 06:55 - 0000000 ____D C:\Users\Josh\AppData\Roaming\OpenOffice.org
2012-01-22 16:14 - 2011-03-12 05:48 - 0000000 ____D C:\Users\Josh\AppData\Roaming\Mozilla
2012-01-22 16:14 - 2009-07-13 23:44 - 0000000 ___RD C:\Users\Public\Recorded TV
2012-01-22 16:13 - 2011-05-30 17:08 - 0000000 ____D C:\Users\Josh\AppData\Local\GIZMO2
2012-01-22 16:13 - 2011-05-14 23:10 - 0000000 ____D C:\Users\Josh\AppData\Local\ASUS
2012-01-22 16:13 - 2011-03-21 20:24 - 0000000 ____D C:\Users\Josh\AppData\Roaming\FrostWire
2012-01-22 16:13 - 2011-03-14 09:42 - 0000000 ____D C:\Users\Josh\AppData\Local\Adobe
2012-01-22 16:13 - 2011-03-12 07:18 - 0000000 ____D C:\Users\Josh\AppData\Roaming\Greyfirst
2012-01-22 16:13 - 2011-03-12 07:18 - 0000000 ____D C:\Users\Josh\AppData\Local\Greyfirst
2012-01-22 16:13 - 2011-03-12 05:48 - 0000000 ____D C:\Users\Josh\AppData\Local\Mozilla
2012-01-22 16:13 - 2011-03-12 05:40 - 0000000 ____D C:\Users\Josh\AppData\Roaming\Adobe
2012-01-22 16:13 - 2011-03-12 05:01 - 0000000 ____D C:\Users\Josh\AppData\Local\SRS Labs
2012-01-22 16:13 - 2011-03-12 04:53 - 0000000 ____D C:\Users\Josh\AppData\Local\VirtualStore
2012-01-22 16:13 - 2011-03-12 04:52 - 0000000 ____D C:\Users\Josh\AppData\Roaming\Macromedia
2012-01-22 16:13 - 2011-03-12 04:52 - 0000000 ____D C:\Users\Josh\AppData\LocalLow
2012-01-22 16:12 - 2011-09-24 01:53 - 0000000 ____D C:\Users\Josh\.frostwire5
2012-01-22 16:12 - 2011-07-02 17:36 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-01-22 16:12 - 2011-07-02 17:36 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-01-22 16:12 - 2011-05-14 23:10 - 0000000 ____D C:\Users\All Users\ASUS
2012-01-22 16:12 - 2011-05-14 23:10 - 0000000 ____D C:\ProgramData\ASUS
2012-01-22 16:12 - 2011-03-15 08:18 - 0000000 ____D C:\Users\All Users\Apple Computer
2012-01-22 16:12 - 2011-03-15 08:18 - 0000000 ____D C:\ProgramData\Apple Computer
2012-01-22 16:12 - 2011-03-15 08:17 - 0000000 ____D C:\Users\All Users\Apple
2012-01-22 16:12 - 2011-03-15 08:17 - 0000000 ____D C:\ProgramData\Apple
2012-01-22 16:12 - 2010-08-12 23:23 - 0000000 ____D C:\Users\All Users\Trend Micro
2012-01-22 16:12 - 2010-08-12 23:23 - 0000000 ____D C:\ProgramData\Trend Micro
2012-01-22 16:12 - 2010-08-12 23:21 - 0000000 ____D C:\Users\All Users\Skype
2012-01-22 16:12 - 2010-08-12 23:21 - 0000000 ____D C:\Users\All Users\OberonGameConsole
2012-01-22 16:12 - 2010-08-12 23:21 - 0000000 ____D C:\ProgramData\Skype
2012-01-22 16:12 - 2010-08-12 23:21 - 0000000 ____D C:\ProgramData\OberonGameConsole
2012-01-22 16:12 - 2010-08-12 23:09 - 0000000 ____D C:\Users\All Users\Adobe
2012-01-22 16:12 - 2010-08-12 23:09 - 0000000 ____D C:\ProgramData\Adobe
2012-01-22 16:12 - 2010-08-12 23:05 - 0000000 ____D C:\Users\All Users\CyberLink
2012-01-22 16:12 - 2010-08-12 23:05 - 0000000 ____D C:\ProgramData\CyberLink
2012-01-22 16:02 - 2012-01-22 16:02 - 0000272 ___AH C:\Users\All Users\~itDPFwrMumu25f
2012-01-22 16:02 - 2012-01-22 16:02 - 0000272 ___AH C:\ProgramData\~itDPFwrMumu25f
2012-01-22 16:02 - 2012-01-22 16:02 - 0000168 ___AH C:\Users\All Users\~itDPFwrMumu25fr
2012-01-22 16:02 - 2012-01-22 16:02 - 0000168 ___AH C:\ProgramData\~itDPFwrMumu25fr
2012-01-22 15:57 - 2012-01-22 15:51 - 0000440 ___AH C:\Users\All Users\itDPFwrMumu25f
2012-01-22 15:57 - 2012-01-22 15:51 - 0000440 ___AH C:\ProgramData\itDPFwrMumu25f
2012-01-18 20:15 - 2012-01-18 20:15 - 0053760 ____A C:\Users\Josh\Documents\Lady Who Left Town excerpt.doc
2012-01-18 17:59 - 2012-01-18 17:18 - 2647244 ___AH C:\Users\Josh\Desktop\Newport Beach HealthPoint template full.pdf
2012-01-12 16:14 - 2011-03-16 03:19 - 54008112 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-01-11 17:41 - 2012-01-11 17:41 - 0015301 ____A C:\Users\Josh\Documents\rest of post.odt
2012-01-03 20:23 - 2012-01-03 20:23 - 0015350 ___AH C:\Users\Josh\.recently-used.xbel
2012-01-02 11:09 - 2012-01-02 11:09 - 0669873 ___AH C:\Users\Josh\Desktop\ConX postcard side 1.pdf
2012-01-01 14:39 - 2012-01-01 14:29 - 2182078 ___AH C:\Users\Josh\Desktop\postcard.pdf
2012-01-01 14:30 - 2012-01-01 14:30 - 0000000 ____D C:\Users\Josh\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2012-01-01 01:08 - 2012-01-01 01:08 - 0000000 ____A C:\Windows\System32\Drivers\etc\hosts
2012-01-01 01:07 - 2009-07-13 21:08 - 0032638 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2011-12-26 20:30 - 2011-12-26 20:30 - 0000000 ____A C:\Users\Josh\AppData\Local\{A4ACAE2E-C0EA-4367-A6D6-0B7C63F80462}
2011-12-26 01:03 - 2011-12-26 01:03 - 0000000 ____A C:\Users\Josh\AppData\Local\BITA038.tmp
2011-12-26 01:03 - 2011-12-26 01:03 - 0000000 ____A C:\Users\Josh\AppData\Local\{6FE450C9-2498-4E1F-85B9-39FA68F20550}
2011-12-22 17:10 - 2011-03-12 05:48 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2011-12-22 17:09 - 2011-12-22 17:09 - 0001144 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2011-12-22 17:08 - 2011-12-22 17:07 - 15292208 ____A (Mozilla) C:\Users\Josh\Downloads\Firefox Setup 9.0.1.exe
2011-12-16 16:20 - 2009-07-13 20:45 - 8214128 ____A C:\Windows\System32\FNTCACHE.DAT
2011-12-15 18:16 - 2011-12-15 18:16 - 0002390 ____A C:\Windows\PFRO.log
2011-12-15 18:12 - 2010-08-12 23:43 - 0001308 ____A C:\Windows\System32\ServiceFilter.ini
2011-12-15 18:11 - 2011-12-15 18:11 - 0000000 ____A C:\Windows\setuperr.log
2011-12-15 18:11 - 2011-07-02 17:36 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-15 18:09 - 2011-12-15 18:09 - 0000296 ____A C:\Windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1823383926-1956454017-1876174199-1000.job
2011-12-15 18:07 - 2011-12-15 18:07 - 0002258 ____A C:\Users\Josh\Desktop\SpyHunter.lnk
2011-12-15 18:07 - 2011-12-15 18:07 - 0000000 ____D C:\sh4ldr
2011-12-15 18:07 - 2011-12-15 18:07 - 0000000 ____D C:\Program Files\Enigma Software Group
2011-12-15 18:07 - 2011-12-15 18:07 - 0000000 ____A C:\autoexec.bat
2011-12-15 18:07 - 2011-12-15 18:06 - 0000000 ____D C:\Windows\89A072791DB3485AB1DF584DF86774B9.TMP
2011-12-15 17:56 - 2011-12-15 15:51 - 0010402 __ASH C:\Users\Josh\AppData\Local\786687y7c168q428n153s8xbl4s1
2011-12-15 17:56 - 2011-12-15 15:51 - 0010402 __ASH C:\Users\All Users\786687y7c168q428n153s8xbl4s1
2011-12-15 17:56 - 2011-12-15 15:51 - 0010402 __ASH C:\ProgramData\786687y7c168q428n153s8xbl4s1
2011-12-15 17:50 - 2011-12-15 17:50 - 1847150 ____A C:\Windows\System32\Drivers\Cat.DB
2011-12-15 17:42 - 2011-12-15 17:40 - 38357400 ____A (PC Tools ) C:\Users\Josh\Downloads\spdoc.exe
2011-12-15 17:29 - 2011-12-15 17:28 - 0706976 ____A (Enigma Software Group USA, LLC.) C:\Users\Josh\Downloads\SpyHunter-Installer.exe
2011-12-15 17:10 - 2011-12-15 17:10 - 9852544 ____A (Malwarebytes Corporation ) C:\Users\Josh\Downloads\mbam-setup-1.51.2.1300.exe
2011-12-15 16:58 - 2011-07-05 16:30 - 0000000 ____D C:\Users\Josh\AppData\Roaming\FileZilla
2011-12-15 16:58 - 2011-06-01 18:47 - 0000000 ____D C:\Users\Josh\AppData\Roaming\uTorrent
2011-12-15 16:26 - 2009-07-13 23:45 - 0000000 ____D C:\Program Files\Windows Journal
2011-12-15 16:26 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Sidebar
2011-12-15 16:26 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Portable Devices
2011-12-15 16:26 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Photo Viewer
2011-12-15 16:26 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Defender
2011-12-15 16:26 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\DVD Maker
2011-12-15 16:26 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Sidebar
2011-12-15 16:26 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Portable Devices
2011-12-15 16:26 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\sppui
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Setup
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\oobe
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\migwiz
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\manifeststore
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\es-ES
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Dism
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\da-DK
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\cs-CZ
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\AdvancedInstallers
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\sppui
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\Setup
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\oobe
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\migwiz
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\manifeststore
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\es-ES
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\Dism
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\da-DK
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\cs-CZ
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\AdvancedInstallers
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\servicing
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\PolicyDefinitions
2011-12-15 16:26 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Common Files\System
2011-12-15 16:20 - 2009-07-13 18:36 - 0175616 ____A (Microsoft Corporation) C:\Windows\System32\msclmd.dll
2011-12-15 16:20 - 2009-07-13 18:36 - 0152576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msclmd.dll
2011-12-15 15:51 - 2011-12-15 15:51 - 0333824 ____A C:\Users\Josh\AppData\Local\gxd.exe
2011-12-15 15:51 - 2011-12-15 15:51 - 0000000 ____D C:\Windows\system64
2011-12-15 15:51 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\SysWOW64\sysprep
2011-12-10 09:52 - 2011-12-10 09:52 - 0000000 ____D C:\Users\Public\CyberLink
2011-12-10 09:52 - 2011-12-10 09:52 - 0000000 ____D C:\Users\Josh\AppData\Roaming\CyberLink
2011-12-10 09:52 - 2009-07-13 19:20 - 0000000 ___RD C:\users\Public
2011-12-07 20:05 - 2011-05-06 03:40 - 0001017 ____A C:\Users\Josh\Desktop\Dropbox.lnk
2011-12-07 20:05 - 2011-05-06 03:40 - 0000997 ____A C:\Users\Josh\Start Menu\Programs\Startup\Dropbox.lnk
2011-12-07 20:05 - 2011-05-06 03:40 - 0000997 ____A C:\Users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
2011-12-05 03:50 - 2011-03-16 06:03 - 0000000 ____D C:\Users\Josh\AppData\Roaming\skypePM
2011-11-26 15:32 - 2011-11-26 15:32 - 0152518 ____A C:\Users\Josh\Documents\Painfully Sarah.pdf
2011-11-24 07:55 - 2011-11-24 07:55 - 0004480 ____A C:\Users\Josh\Documents\ULTRAMAN SORTA V OUTLINE.rtf
2011-11-23 20:52 - 2011-12-13 21:25 - 3145216 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2011-11-23 18:59 - 2011-06-10 02:03 - 0013555 ____A C:\Users\Josh\Documents\Submissions.rtf
2011-11-23 15:41 - 2010-08-12 23:16 - 0000000 ____D C:\Program Files (x86)\ASUS
2011-11-22 04:38 - 2011-11-19 20:02 - 0000000 ____D C:\Users\Josh\Documents\Moth
2011-11-20 19:18 - 2011-11-20 19:18 - 0000000 ___HD C:\Users\Josh\Desktop\no need to ping me
2011-11-19 06:58 - 2012-01-11 16:45 - 0077312 ____A (Microsoft Corporation) C:\Windows\System32\packager.dll
2011-11-19 06:01 - 2012-01-11 16:45 - 0067072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2011-11-16 22:41 - 2012-01-11 16:45 - 1731920 ____A (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2011-11-16 22:35 - 2012-01-29 15:36 - 0029184 ____A (Microsoft Corporation) C:\Windows\System32\sspisrv.dll
2011-11-16 21:38 - 2012-01-11 16:45 - 1292080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2011-11-16 21:28 - 2012-01-29 15:36 - 0096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2011-11-14 22:06 - 2011-11-14 21:42 - 0761826 ____A C:\Users\Josh\Documents\LI publishing contract Issue 11sx_Bugosh.pdf
2011-11-14 22:04 - 2011-11-14 22:04 - 0001657 ____A C:\Users\Josh\Documents\JoshBugosh.pfx
2011-11-14 19:34 - 2011-09-24 04:04 - 0000000 ____D C:\Users\Josh\AppData\Local\WMTools Downloaded Files
2011-11-14 19:26 - 2011-09-24 04:04 - 0003584 ____A C:\Users\Josh\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 3884.56 MB
Available physical RAM: 3297.86 MB
Total Pagefile: 3882.71 MB
Available Pagefile: 3280.05 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:74.52 GB) (Free:10.31 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (DATA) (Fixed) (Total:204.03 GB) (Free:191.43 GB) NTFS
4 Drive f: () (Removable) (Total:0.03 GB) (Free:0.03 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 1024 KB
Disk 1 Online 31 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 19 GB 31 KB
Partition 2 Primary 74 GB 19 GB
Partition 0 Extended 204 GB 94 GB
Partition 3 Logical 204 GB 94 GB

Disk: 0
Partition 1
Type : 1C
Hidden: Yes
Active: No

There is no volume associated with this partition.

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C OS NTFS Partition 74 GB Healthy

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D DATA NTFS Partition 204 GB Healthy

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 31 MB 31 KB

Disk: 1
Partition 1
Type : 04
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT Removable 31 MB Healthy


==========================================================
TDL4: custom:26000022
==========================================================

Last Boot: 2011-11-11 19:57

======================= End Of Log ==========================

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:45 PM

Posted 09 February 2012 - 01:25 PM

Note: Please don't run any scanner or cleaner or make any change after the system has booted, or you may lose some files or folders.

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt.

start
HKU\Josh\...\Run: [ares] "C:\Program Files (x86)\Ares\Ares.exe" -h [x]
HKU\Josh\...\Run: [AdobeBridge]  [x]
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
SubSystems: [Windows] ==> ZeroAccess
2011-12-15 17:56 - 2011-12-15 15:51 - 0010402 __ASH C:\Users\Josh\AppData\Local\786687y7c168q428n153s8xbl4s1
2011-12-15 17:56 - 2011-12-15 15:51 - 0010402 __ASH C:\Users\All Users\786687y7c168q428n153s8xbl4s1
2011-12-15 17:56 - 2011-12-15 15:51 - 0010402 __ASH C:\ProgramData\786687y7c168q428n153s8xbl4s1
cmd: bootrec /FixMbr
TDL4: custom:26000022
end

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also restart, let it boot normally and tell me how it went.
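The entries the fixlist above acts on (the hidden+system `786687y7c168q428n153s8xbl4s1` copies, the publisher-less `gxd.exe` dropped into AppData, and `C:\Windows\system64` created in the same minute) are exactly the kind of thing a helper picks out by eye from the FRST file listing. The script below is an added example, not part of this thread and not FRST's own code: it parses listing lines of the shape shown in the log and applies three simple triage rules plus a time-clustering pass. The sample lines are constructed to mirror entries from the log, the rules and thresholds are the author's assumptions, and it treats the first timestamp on each line as the creation time (the order FRST uses in its created-files listing).

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the FRST file listing above (entries mirror the
# thread's log; this is not a verbatim tool dump).
SAMPLE_LISTING = r"""
2011-12-15 17:56 - 2011-12-15 15:51 - 0010402 __ASH C:\ProgramData\786687y7c168q428n153s8xbl4s1
2011-12-15 17:50 - 2011-12-15 17:50 - 1847150 ____A C:\Windows\System32\Drivers\Cat.DB
2011-12-15 17:42 - 2011-12-15 17:40 - 38357400 ____A (PC Tools ) C:\Users\Josh\Downloads\spdoc.exe
2011-12-15 16:20 - 2009-07-13 18:36 - 0175616 ____A (Microsoft Corporation) C:\Windows\System32\msclmd.dll
2011-12-15 15:51 - 2011-12-15 15:51 - 0333824 ____A C:\Users\Josh\AppData\Local\gxd.exe
2011-12-15 15:51 - 2011-12-15 15:51 - 0000000 ____D C:\Windows\system64
2011-12-10 09:52 - 2011-12-10 09:52 - 0000000 ____D C:\Users\Public\CyberLink
"""

# "<ts1> - <ts2> - <size> <attrs> [(<company>)] <path>"; company is the version-info
# publisher FRST prints, not a code-signing result.
LINE_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+)$"
)

EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
DATA_DIRS = ("\\programdata\\", "\\appdata\\", "\\users\\all users\\")
CLUSTER_WINDOW = timedelta(minutes=5)  # assumption: how close in time counts as "dropped together"


def parse_listing(text):
    """Turn listing lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "ts1": datetime.strptime(d["ts1"], "%Y-%m-%d %H:%M"),  # creation time (assumed)
            "ts2": datetime.strptime(d["ts2"], "%Y-%m-%d %H:%M"),
            "size": int(d["size"]),
            "attrs": d["attrs"],          # letters present: A archive, S system, H hidden, R read-only, D directory
            "company": d["company"].strip() if d["company"] else None,
            "path": d["path"],
        })
    return entries


def looks_random(name):
    """Long dot-free token mixing letters and digits, like the ZeroAccess folder name in the thread."""
    return (len(name) >= 16 and "." not in name and " " not in name
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def entry_reasons(e):
    """Rules applied to one entry on its own; returns the list of reasons it was flagged."""
    reasons = []
    low = e["path"].lower()
    name = e["path"].rsplit("\\", 1)[-1]
    is_dir = "D" in e["attrs"]
    # Rule 1: hidden+system objects belong in Windows directories, not in ProgramData/AppData.
    if "H" in e["attrs"] and "S" in e["attrs"] and any(d in low for d in DATA_DIRS):
        reasons.append("hidden+system object in a data directory")
    # Rule 2: executables in a user profile normally carry a publisher in their version info.
    if not is_dir and low.endswith(EXECUTABLE_EXT) and e["company"] is None and "\\users\\" in low:
        reasons.append("executable with no publisher in version info inside a user profile")
    # Rule 3: machine-generated names.
    if looks_random(name):
        reasons.append("random-looking name")
    return reasons


def triage(text):
    """Map each suspicious path to its reasons; unflagged entries are omitted."""
    entries = parse_listing(text)
    findings = {e["path"]: entry_reasons(e) for e in entries}
    # Second pass: anything created within CLUSTER_WINDOW of a directly flagged entry is
    # worth a look too; this is what makes C:\Windows\system64 stand out next to gxd.exe.
    flagged_times = [e["ts1"] for e in entries if findings[e["path"]]]
    for e in entries:
        if findings[e["path"]]:
            continue
        if any(abs(e["ts1"] - t) <= CLUSTER_WINDOW for t in flagged_times):
            findings[e["path"]].append("created within 5 min of a flagged item")
    return {p: r for p, r in findings.items() if r}


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LISTING).items():
        print(path, "->", "; ".join(reasons))
```

The rules are deliberately crude: legitimate installers also write to AppData and some vendors ship binaries without version info, so the output is a shortlist for a human to check (hash lookup, signature check), not a verdict. The clustering pass is the part worth keeping in mind when reading any such listing by hand: a bland directory name created in the same minute as a known-bad file deserves the same scrutiny as the file itself.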

#10 mondoboss

mondoboss
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:01:45 PM

Posted 09 February 2012 - 01:30 PM

Thanks! I initially let the startup repair run its scan yesterday; hopefully that's not going to affect anything. I will report back shortly!

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:45 PM

Posted 09 February 2012 - 01:32 PM

The startup repair doesn't do any harm. In case it wants to run at boot, let it run to completion and tell me about it.

#12 mondoboss

mondoboss
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:01:45 PM

Posted 09 February 2012 - 01:39 PM

Alrighty. I ran FRST and rebooted. It started up a bit slow, but everything appears to be normal. Running just like it was before, I see no missing files yet.

Here is my fix log:

start
HKU\Josh\...\Run: [ares] "C:\Program Files (x86)\Ares\Ares.exe" -h [x]
HKU\Josh\...\Run: [AdobeBridge] [x]
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
SubSystems: [Windows] ==> ZeroAccess
2011-12-15 17:56 - 2011-12-15 15:51 - 0010402 __ASH C:\Users\Josh\AppData\Local\786687y7c168q428n153s8xbl4s1
2011-12-15 17:56 - 2011-12-15 15:51 - 0010402 __ASH C:\Users\All Users\786687y7c168q428n153s8xbl4s1
2011-12-15 17:56 - 2011-12-15 15:51 - 0010402 __ASH C:\ProgramData\786687y7c168q428n153s8xbl4s1
cmd: bootrec /FixMbr
TDL4: custom:26000022
end

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:45 PM

Posted 09 February 2012 - 01:41 PM

Great. :thumbup2:

But this is the content of the fixlist. We need the content of the Fixlog.txt that is made on the flash drive.

Open your Malwarebytes' Anti-Malware.
  • First update it; to do that, under the Update tab press "Check for Updates".
  • Under the Scanner tab select "Perform Quick Scan", then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


#14 mondoboss

mondoboss
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:01:45 PM

Posted 09 February 2012 - 01:46 PM

Whoops, silly me! Fixlog is here:

Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 28-01-2012
Ran by SYSTEM at 2012-02-09 13:33:31 R:2
Running from F:\

==============================================

HKEY_USERS\Josh\Software\Microsoft\Windows\CurrentVersion\Run\\ares Value deleted successfully.
HKEY_USERS\Josh\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore Value deleted successfully.
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
C:\Users\Josh\AppData\Local\786687y7c168q428n153s8xbl4s1 moved successfully.
C:\Users\All Users\786687y7c168q428n153s8xbl4s1 moved successfully.
C:\ProgramData\786687y7c168q428n153s8xbl4s1 not found.

========= bootrec /FixMbr =========

The operation completed successfully.

========= End of CMD: =========


The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====

I have to step out for a quick minute, but I will be back and will post the results of the scan in a little bit.
Thank you for your help (again!)

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:45 PM

Posted 09 February 2012 - 01:53 PM

:thumbup2:



