Startup Repair Loop after Security Shield Removal


14 replies to this topic

#1 J.J. LVN


Posted 22 March 2012 - 01:43 PM

Yesterday, I used the Security Shield Removal Guide to fix that problem on my Windows 7 64-bit machine. I followed those instructions to the letter, including the piece with the HOSTS file. Today, I'm having a problem similar to this user in that on boot, it would automatically load into the Windows Error Recovery console. Clicking on Launch Startup Repair would prompt it to load files before immediately jumping straight back to the Error Recovery Console. Using F8 to get to the System Recovery options, I tried both "Repair Your Computer" and "Use Last Known Good Configuration" to no avail.

I had to create a recovery disk from another machine and boot from that to even get the System Recovery Options to work. Startup repair failed to automatically fix the problem and a system restore to an earlier point did not work.

From reading other forums, I leapt ahead to downloading the Farbar Recovery Scan Tool and running it. I hope I haven't jumped the gun on any fixes or damaged the computer, but here is the FRST Log from that scan. Any help would be greatly appreciated. Thank you.

Scan result of Farbar Recovery Scan Tool Version: 15-03-2012
Ran by SYSTEM at 22-03-2012 12:00:00
Running from F:\
(X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Winlogon: [Userinit]
HKLM-x32\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell]
HKLM-x32\...\Winlogon: [Shell] [x ] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

==================== Services (Whitelisted) ======

2 AdobeARMservice; "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" [63928 2012-01-03] ()
3 ALG; C:\Windows\System32\alg.exe [79360 2009-07-13] ()
2 AMD External Events Utility; C:\Windows\System32\atiesrxx.exe [202752 2010-03-29] ()
2 Apple Mobile Device; "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe" [55144 2011-10-24] ()
2 Bonjour Service; "C:\Program Files\Bonjour\mDNSResponder.exe" [462184 2011-08-30] ()
2 CcmExec; C:\windows\SysWOW64\CCM\CcmExec.exe [764768 2009-09-18] (Microsoft Corporation)
2 CMGShield; C:\Windows\System32\CmgShieldSvc.exe [2967656 2011-06-06] ()
3 COMSysApp; C:\Windows\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} [9728 2009-07-13] ()
2 DcaSvc; "C:\Program Files (x86)\DirectAccess Connectivity Assistant\DcaSvc.exe" [122768 2010-11-25] ()
2 EFS; C:\Windows\System32\lsass.exe [31232 2011-11-16] ()
2 EMS; EMSService.exe [1606248 2011-06-06] ()
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [27136 2009-07-13] ()
3 Fax; C:\Windows\System32\fxssvc.exe [689152 2010-11-20] ()
2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [136176 2011-08-29] ()
3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [136176 2011-08-29] ()
3 gusvc; "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" [182768 2011-08-29] ()
3 iPod Service; "C:\Program Files\iPod\bin\iPodService.exe" [934760 2012-01-16] ()
3 KeyIso; C:\Windows\System32\lsass.exe [31232 2011-11-16] ()
2 lxee_device; C:\windows\system32\lxeecoms.exe -service [1052328 2010-04-14] ()
3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] ()
3 Microsoft SharePoint Workspace Audit Service; "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice [30969208 2010-03-25] ()
3 MSDTC; C:\Windows\System32\msdtc.exe [141824 2009-07-13] ()
3 msiserver; C:\Windows\System32\msiexec.exe /V [128000 2010-11-20] ()
2 Netlogon; C:\Windows\System32\lsass.exe [31232 2011-11-16] ()
3 ose; "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE" [149352 2010-01-09] ()
3 osppsvc; "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" [4925184 2010-01-09] ()
3 ProtectedStorage; C:\Windows\System32\lsass.exe [31232 2011-11-16] ()
3 RpcLocator; C:\Windows\System32\locator.exe [10240 2009-07-13] ()
2 SamSs; C:\Windows\System32\lsass.exe [31232 2011-11-16] ()
2 SeaPort; "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe" [249136 2010-07-27] ()
2 SkypeUpdate; "C:\Program Files (x86)\Skype\Updater\Updater.exe" [158856 2012-02-29] ()
3 smstsmgr; C:\windows\SysWOW64\CCM\TSManager.exe /service [246624 2009-09-18] (Microsoft Corporation)
3 SNMPTRAP; C:\Windows\System32\snmptrap.exe [14336 2009-07-13] ()
2 Spooler; C:\Windows\System32\spoolsv.exe [559104 2010-11-20] ()
2 sppsvc; C:\Windows\System32\sppsvc.exe [3524608 2010-11-20] ()
2 SwiCardDetectSvc; "C:\Program Files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe" [308592 2010-09-13] ()
3 UI0Detect; C:\Windows\System32\UI0Detect.exe [40960 2009-07-13] ()
3 VaultSvc; C:\Windows\System32\lsass.exe [31232 2011-11-16] ()
3 vds; C:\Windows\System32\vds.exe [533504 2010-11-20] ()
3 VSS; C:\Windows\System32\vssvc.exe [1600512 2010-11-20] ()
3 wbengine; "C:\Windows\system32\wbengine.exe" [1504256 2010-11-20] ()
3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] ()
3 WMPNetworkSvc; "C:\Program Files\Windows Media Player\wmpnetwk.exe" [1525248 2010-11-20] ()
2 WSearch; C:\Windows\System32\SearchIndexer.exe /Embedding [591872 2011-05-03] ()
2 YahooAUService; "C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe" [602392 2008-11-09] ()
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

3 Accelerometer; C:\Windows\System32\Drivers\Accelerometer.sys [43320 2010-07-16] (Hewlett-Packard Company)
3 amdkmdag; C:\Windows\System32\DRIVERS\atipmdag.sys [6405632 2010-03-29] (ATI Technologies Inc.)
0 CmgHiber; C:\Windows\System32\Drivers\CmgHiber.sys [92520 2011-06-06] (CREDANT Technologies, Inc.)
0 CmgPCS; C:\Windows\System32\Drivers\CmgPCS.sys [122720 2011-06-06] (CREDANT Technologies, Inc.)
0 CmgShieldCEF; C:\Windows\System32\DRIVERS\CMGShCEF.sys [364392 2011-06-06] (CREDANT Technologies, Inc.)
0 CMGShieldReg; C:\Windows\System32\DRIVERS\CmgShREG.sys [24424 2011-06-06] (CREDANT Technologies, Inc.)
1 ctxusbm; C:\Windows\System32\Drivers\ctxusbm.sys [87600 2010-04-16] (Citrix Systems, Inc.)
3 dmvsc; C:\Windows\System32\Drivers\dmvsc.sys [71168 2010-11-20] (Microsoft Corporation)
3 e1kexpress; C:\Windows\System32\DRIVERS\e1k62x64.sys [293552 2009-11-05] (Intel Corporation)
0 hpdskflt; C:\Windows\System32\Drivers\hpdskflt.sys [30008 2010-07-16] (Hewlett-Packard Company)
3 prepdrvr; \??\C:\windows\SysWOW64\CCM\prepdrv.sys [26992 2009-09-18] (Microsoft Corporation)
3 RICOH SmartCard Reader; C:\Windows\System32\DRIVERS\rismcx64.sys [79488 2006-10-03] (RICOH Company, Ltd.)
3 swiwdmbus; C:\Windows\System32\DRIVERS\swiwdmbusx64.sys [102656 2010-06-21] (Sierra Wireless Inc.)
3 SWNC8UA3; C:\Windows\System32\Drivers\SWNC8UA3.sys [240640 2010-06-21] (Sierra Wireless Inc.)
3 SWUMXA3; C:\Windows\System32\Drivers\SWUMXA3.sys [210944 2010-06-21] (Sierra Wireless Inc.)
3 Synth3dVsc; C:\Windows\System32\Drivers\Synth3dVsc.sys [88960 2010-11-20] (Microsoft Corporation)
3 terminpt; C:\Windows\System32\Drivers\terminpt.sys [34816 2010-11-20] (Microsoft Corporation)
3 TPM; C:\Windows\System32\Drivers\TPM.sys [38400 2009-07-13] (Microsoft Corporation)
3 TsUsbGD; C:\Windows\System32\Drivers\TsUsbGD.sys [31232 2010-11-20] (Microsoft Corporation)
3 tsusbhub; C:\Windows\System32\Drivers\tsusbhub.sys [117248 2010-11-20] (Microsoft Corporation)
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-03-22 11:59 - 2012-03-22 12:00 - 0000000 ____D C:\FRST
2012-03-21 16:06 - 2012-02-09 22:36 - 1544192 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-03-21 16:06 - 2012-02-09 21:38 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-03-21 16:06 - 2012-02-02 20:34 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-21 16:06 - 2012-01-24 22:38 - 0149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-03-21 16:06 - 2012-01-24 22:38 - 0077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-03-21 16:06 - 2012-01-24 22:33 - 0009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-03-21 14:01 - 2012-03-21 14:01 - 0671046 ____A C:\Users\sjjennaway\Desktop\BoundsIRAMorningstar.pdf
2012-03-21 10:03 - 2012-03-21 08:44 - 0000824 ____A C:\Windows\System32\Drivers\etc\hosts
2012-03-21 09:57 - 2012-02-16 22:38 - 1112064 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2012-03-21 09:57 - 2012-02-16 22:38 - 1031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-03-21 09:57 - 2012-02-16 21:34 - 0826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-03-21 09:57 - 2012-02-16 20:58 - 0210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-03-21 09:57 - 2012-02-16 20:57 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-03-21 09:57 - 2011-11-19 07:20 - 5559152 ____A C:\Windows\System32\ntoskrnl.exe
2012-03-21 09:57 - 2011-11-19 06:50 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-03-21 09:57 - 2011-11-19 06:50 - 3913584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-03-21 08:44 - 2012-03-21 08:44 - 0000000 ____D C:\Users\sjjennaway\AppData\Roaming\Malwarebytes
2012-03-21 08:44 - 2012-03-21 08:44 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-03-21 08:44 - 2012-03-21 08:44 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-03-21 08:44 - 2012-03-21 08:44 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-21 08:44 - 2011-12-10 12:24 - 0023152 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-03-21 08:43 - 2012-03-21 08:43 - 0000359 ____A C:\rkill.log
2012-03-19 08:23 - 2012-03-21 09:59 - 0454960 ____A C:\Windows\ntbtlog.txt
2012-03-04 18:36 - 2012-03-05 01:57 - 0011687 ____A C:\Users\sjjennaway\Desktop\Daddy's Meds.xlsx

============ 3 Months Modified Files and Folders =============

2012-03-22 12:00 - 2012-03-22 11:59 - 0000000 ____D C:\FRST
2012-03-22 06:10 - 2012-01-23 14:59 - 0007696 __ASH C:\Windows\System32\config\CredDB.CEF
2012-03-22 06:10 - 2011-04-07 10:07 - 3015884800 __ASH C:\hiberfil.sys
2012-03-21 16:07 - 2012-01-23 14:25 - 0005920 __ASH C:\Windows\CredDB.CEF
2012-03-21 16:07 - 2011-04-07 10:11 - 2094479 ____A C:\Windows\WindowsUpdate.log
2012-03-21 16:07 - 2011-02-14 09:14 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-03-21 16:07 - 2011-02-14 09:14 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-03-21 16:05 - 2011-02-14 09:28 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-03-21 16:04 - 2012-01-23 13:15 - 0000592 __ASH C:\Users\sjjennaway\AppData\Local\CredDB.CEF
2012-03-21 15:49 - 2012-01-23 15:15 - 0002072 __ASH C:\Windows\Tasks\CredDB.CEF
2012-03-21 15:49 - 2011-08-29 10:52 - 0000906 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-03-21 15:17 - 2011-02-14 11:07 - 0000528 ____A C:\Windows\System32\config\netlogon.ftl
2012-03-21 15:00 - 2011-07-06 15:01 - 0000478 ____A C:\Windows\Tasks\ParetoLogic Registration3.job
2012-03-21 14:01 - 2012-03-21 14:01 - 0671046 ____A C:\Users\sjjennaway\Desktop\BoundsIRAMorningstar.pdf
2012-03-21 14:01 - 2012-01-23 14:00 - 0002982 __ASH C:\Users\sjjennaway\Desktop\CredDB.CEF
2012-03-21 11:15 - 2009-07-13 20:45 - 0012080 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-03-21 11:15 - 2009-07-13 20:45 - 0012080 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-03-21 10:49 - 2011-08-29 10:52 - 0000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-03-21 10:09 - 2009-07-13 21:13 - 0736356 ____A C:\Windows\System32\PerfStringBackup.INI
2012-03-21 10:06 - 2012-01-21 14:11 - 0001776 __ASH C:\Users\All Users\CredDB.CEF
2012-03-21 10:06 - 2012-01-21 14:11 - 0001776 __ASH C:\ProgramData\CredDB.CEF
2012-03-21 10:06 - 2011-04-07 10:25 - 0010515 ____A C:\Users\All Users\lxeescan.log
2012-03-21 10:06 - 2011-04-07 10:25 - 0010515 ____A C:\ProgramData\lxeescan.log
2012-03-21 10:04 - 2011-02-28 13:51 - 0255464 _RASH C:\Users\All Users\ntuser.pol
2012-03-21 10:04 - 2011-02-28 13:51 - 0255464 _RASH C:\ProgramData\ntuser.pol
2012-03-21 10:03 - 2011-02-28 14:04 - 0000556 ____A C:\Windows\SMSCFG.ini
2012-03-21 10:02 - 2011-07-04 07:34 - 0000000 ____D C:\Users\sjjennaway\AppData\Local\attcm
2012-03-21 10:01 - 2012-01-21 14:05 - 0000320 __ASH C:\CMG3301d.DAT
2012-03-21 10:00 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-03-21 09:59 - 2012-03-19 08:23 - 0454960 ____A C:\Windows\ntbtlog.txt
2012-03-21 09:59 - 2012-01-21 14:05 - 0000416 ___AS C:\CMGb2ce9.DAT
2012-03-21 09:59 - 2009-07-13 20:51 - 0062403 ____A C:\Windows\setupact.log
2012-03-21 09:51 - 2012-01-21 14:05 - 0000416 ___AS C:\CMGb2ce9.ALT
2012-03-21 09:50 - 2011-02-14 10:39 - 0047652 ____A C:\Windows\PFRO.log
2012-03-21 09:35 - 2010-09-27 03:06 - 0000000 ___HD C:\OEM
2012-03-21 08:44 - 2012-03-21 10:03 - 0000824 ____A C:\Windows\System32\Drivers\etc\hosts
2012-03-21 08:44 - 2012-03-21 08:44 - 0000000 ____D C:\Users\sjjennaway\AppData\Roaming\Malwarebytes
2012-03-21 08:44 - 2012-03-21 08:44 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-03-21 08:44 - 2012-03-21 08:44 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-03-21 08:44 - 2012-03-21 08:44 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-21 08:43 - 2012-03-21 08:43 - 0000359 ____A C:\rkill.log
2012-03-21 08:43 - 2012-01-21 14:05 - 0000888 __ASH C:\CredDB.CEF
2012-03-21 08:31 - 2012-01-21 14:05 - 0000416 ___AS C:\CMGb2ce9.BCK
2012-03-21 08:22 - 2012-01-23 13:15 - 0002956 __ASH C:\Users\sjjennaway\CredDB.CEF
2012-03-21 08:22 - 2011-04-07 10:51 - 0000516 _RASH C:\Users\sjjennaway\ntuser.pol
2012-03-21 08:22 - 2011-04-07 10:51 - 0000000 ____D C:\users\sjjennaway
2012-03-19 08:55 - 2011-06-16 14:08 - 0000000 ____D C:\Users\sjjennaway\AppData\Roaming\Skype
2012-03-18 16:08 - 2011-08-29 10:52 - 0000000 ____D C:\Users\sjjennaway\AppData\Local\Google
2012-03-16 12:19 - 2012-01-13 08:27 - 0000000 ____D C:\Users\All Users\CREDANT
2012-03-16 12:19 - 2012-01-13 08:27 - 0000000 ____D C:\ProgramData\CREDANT
2012-03-15 07:35 - 2011-07-06 15:01 - 0000452 ____A C:\Windows\Tasks\ParetoLogic Update Version3.job
2012-03-14 07:26 - 2011-07-06 15:01 - 0000398 ____A C:\Windows\Tasks\FileCure Default.job
2012-03-07 12:28 - 2012-01-23 13:14 - 0003888 __ASH C:\Users\Public\Desktop\CredDB.CEF
2012-03-07 12:28 - 2011-06-16 14:08 - 0002515 ____A C:\Users\Public\Desktop\Skype.lnk
2012-03-07 12:28 - 2011-06-16 14:08 - 0000000 ___RD C:\Program Files (x86)\Skype
2012-03-07 12:28 - 2011-06-16 14:08 - 0000000 ____D C:\Users\All Users\Skype
2012-03-07 12:28 - 2011-06-16 14:08 - 0000000 ____D C:\ProgramData\Skype
2012-03-05 01:57 - 2012-03-04 18:36 - 0011687 ____A C:\Users\sjjennaway\Desktop\Daddy's Meds.xlsx
2012-03-05 01:27 - 2012-01-23 14:13 - 0001776 __ASH C:\Users\sjjennaway\Documents\CredDB.CEF
2012-02-25 12:08 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\NDF
2012-02-19 13:22 - 2012-02-19 13:22 - 0633899 ____A C:\Users\sjjennaway\Desktop\1960-AMSNon-IRA[1].pdf
2012-02-17 08:58 - 2011-08-19 08:02 - 0000000 ____D C:\Users\sjjennaway\Tracing
2012-02-16 22:38 - 2012-03-21 09:57 - 1112064 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2012-02-16 22:38 - 2012-03-21 09:57 - 1031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-02-16 21:34 - 2012-03-21 09:57 - 0826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-02-16 20:58 - 2012-03-21 09:57 - 0210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-02-16 20:57 - 2012-03-21 09:57 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-02-09 22:36 - 2012-03-21 16:06 - 1544192 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-02-09 21:38 - 2012-03-21 16:06 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-02-02 20:34 - 2012-03-21 16:06 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-02-01 10:52 - 2012-01-23 14:56 - 0126728 __ASH C:\Windows\System32\CredDB.CEF
2012-01-31 04:44 - 2011-02-14 10:37 - 0279656 ____N C:\Windows\System32\MpSigStub.exe
2012-01-27 14:59 - 2012-01-27 14:59 - 0001783 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-01-27 14:59 - 2012-01-27 14:59 - 0000000 ____D C:\Program Files\iTunes
2012-01-27 14:59 - 2012-01-27 14:59 - 0000000 ____D C:\Program Files\iPod
2012-01-27 14:59 - 2011-12-14 19:51 - 0000000 ____D C:\Program Files (x86)\iTunes
2012-01-26 17:04 - 2012-01-26 17:04 - 0022416 ____A C:\Users\sjjennaway\Documents\Derek Kite Insurance.docx
2012-01-26 12:24 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Registration
2012-01-26 12:23 - 2011-04-07 10:18 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\ICAClient
2012-01-26 12:22 - 2011-12-14 19:46 - 0000000 ____D C:\Program Files (x86)\Bonjour
2012-01-26 12:22 - 2011-02-14 09:13 - 0000000 ____D C:\Program Files (x86)\DirectAccess Connectivity Assistant
2012-01-24 22:38 - 2012-03-21 16:06 - 0149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-01-24 22:38 - 2012-03-21 16:06 - 0077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-01-24 22:33 - 2012-03-21 16:06 - 0009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-01-23 19:35 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\PolicyDefinitions
2012-01-23 15:15 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\TAPI
2012-01-23 15:15 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\zh-TW
2012-01-23 15:15 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\zh-HK
2012-01-23 15:15 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\zh-CN
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\uk-UA
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\tr-TR
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\th-TH
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\sv-SE
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\sr-Latn-CS
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\sppui
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\sl-SI
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\sk-SK
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\ru-RU
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\ro-RO
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Recovery
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\ras
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\pt-PT
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\pt-BR
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\pl-PL
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\oobe
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\nl-NL
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\nb-NO
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\migwiz
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\manifeststore
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\lv-LV
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\lt-LT
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\ko-KR
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\ja-JP
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\it-IT
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\icsxml
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\hu-HU
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\hr-HR
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\he-IL
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\GroupPolicy
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\fr-FR
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\fi-FI
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\et-EE
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\es-ES
2012-01-23 15:06 - 2012-01-23 15:06 - 0000592 __ASH C:\Windows\SysWOW64\Drivers\CredDB.CEF
2012-01-23 15:06 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\el-GR
2012-01-23 15:06 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\de-DE
2012-01-23 15:06 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\da-DK
2012-01-23 15:06 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\cs-CZ
2012-01-23 15:05 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\com
2012-01-23 15:04 - 2012-01-23 15:02 - 0085248 __ASH C:\Windows\SysWOW64\CredDB.CEF
2012-01-23 15:04 - 2011-02-28 14:04 - 0000000 ____D C:\Windows\SysWOW64\CCM
2012-01-23 15:04 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\bg-BG
2012-01-23 15:04 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\ar-SA
2012-01-23 14:55 - 2009-07-13 23:23 - 0000000 ____D C:\Windows\ShellNew
2012-01-23 14:53 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\rescache
2012-01-23 14:51 - 2011-02-14 10:18 - 0000000 ____D C:\Windows\Panther
2012-01-23 14:51 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Offline Web Pages
2012-01-23 14:45 - 2009-07-13 19:20 - 0000000 __RSD C:\Windows\Media
2012-01-23 14:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\L2Schemas
2012-01-23 14:34 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Downloaded Program Files
2012-01-23 14:32 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Cursors
2012-01-23 14:31 - 2011-02-28 14:02 - 0000000 ____D C:\Windows\ccmsetup
2012-01-23 14:31 - 2009-07-13 23:23 - 0000000 __SHD C:\Windows\BitLockerDiscoveryVolumeContents
2012-01-23 14:26 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\addins
2012-01-23 14:14 - 2012-01-23 14:14 - 0000296 __ASH C:\Users\sjjennaway\Downloads\CredDB.CEF
2012-01-23 14:13 - 2011-07-25 17:48 - 0000000 ____D C:\Users\sjjennaway\Desktop\Teena Photos
2012-01-23 14:04 - 2011-07-23 20:21 - 0000000 ____D C:\Users\sjjennaway\Desktop\Hawaii photos
2012-01-23 14:00 - 2011-10-28 09:54 - 0000000 ____D C:\Users\sjjennaway\Desktop\Clients
2012-01-23 13:58 - 2012-01-23 13:58 - 0000296 __ASH C:\Users\sjjennaway\Start Menu\Programs\Startup\CredDB.CEF
2012-01-23 13:58 - 2012-01-23 13:58 - 0000296 __ASH C:\Users\sjjennaway\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CredDB.CEF
2012-01-23 13:48 - 2011-04-07 10:51 - 0000000 ____D C:\Users\sjjennaway\AppData\Roaming\ICAClient
2012-01-23 13:47 - 2012-01-23 13:47 - 0000296 __ASH C:\Users\sjjennaway\AppData\Roaming\CredDB.CEF
2012-01-23 13:37 - 2011-04-07 10:54 - 0000000 ____D C:\Users\sjjennaway\AppData\Local\MigWiz
2012-01-23 13:15 - 2011-04-25 10:08 - 0000000 ____D C:\Users\sjjennaway\.morena
2012-01-23 13:15 - 2011-04-25 10:08 - 0000000 ____D C:\Users\sjjennaway\.epaysol
2012-01-23 13:15 - 2009-07-13 23:23 - 0000000 ___RD C:\Users\Public\Recorded TV
2012-01-23 13:14 - 2012-01-23 13:14 - 0000296 __ASH C:\Users\Public\Downloads\CredDB.CEF
2012-01-23 13:14 - 2012-01-23 13:14 - 0000296 __ASH C:\Users\Public\Documents\CredDB.CEF
2012-01-23 13:14 - 2009-07-13 19:20 - 0000000 __RHD C:\Users\Public\Libraries
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Public\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default\Start Menu\Programs\Startup\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default\Downloads\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default\Documents\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default\Desktop\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default User\Start Menu\Programs\Startup\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default User\Downloads\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default User\Documents\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default User\Desktop\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CredDB.CEF
2012-01-23 13:13 - 2009-07-13 19:20 - 0000000 ___RD C:\users\Public
2012-01-23 13:12 - 2011-02-28 12:55 - 0000000 ____D C:\Users\Default\AppData\Roaming\ICAClient
2012-01-23 13:12 - 2011-02-28 12:55 - 0000000 ____D C:\Users\Default User\AppData\Roaming\ICAClient
2012-01-23 13:10 - 2012-01-23 13:10 - 0002660 __ASH C:\Users\Default\CredDB.CEF
2012-01-23 13:10 - 2012-01-23 13:10 - 0000592 __ASH C:\Users\Default\AppData\Local\CredDB.CEF
2012-01-23 13:10 - 2012-01-23 13:10 - 0000592 __ASH C:\Users\Default User\AppData\Local\CredDB.CEF
2012-01-23 13:10 - 2009-07-13 19:20 - 0000000 __RHD C:\users\Default
2012-01-23 13:05 - 2012-01-23 13:05 - 0000592 __ASH C:\Users\Administrator\Downloads\CredDB.CEF
2012-01-23 13:05 - 2012-01-23 13:05 - 0000296 __ASH C:\Users\Administrator\Start Menu\Programs\Startup\CredDB.CEF
2012-01-23 13:05 - 2012-01-23 13:05 - 0000296 __ASH C:\Users\Administrator\Documents\CredDB.CEF
2012-01-23 13:05 - 2012-01-23 13:05 - 0000296 __ASH C:\Users\Administrator\Desktop\CredDB.CEF
2012-01-23 13:05 - 2012-01-23 13:05 - 0000296 __ASH C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CredDB.CEF
2012-01-23 12:59 - 2012-01-23 12:59 - 0002364 __ASH C:\Users\Administrator\CredDB.CEF
2012-01-23 12:59 - 2012-01-23 12:59 - 0000592 __ASH C:\Users\Administrator\AppData\Local\CredDB.CEF
2012-01-23 12:59 - 2012-01-23 12:59 - 0000296 __ASH C:\users\CredDB.CEF
2012-01-23 12:59 - 2012-01-05 19:25 - 0000000 ____D C:\Users\All Users\Yahoo! Companion
2012-01-23 12:59 - 2012-01-05 19:25 - 0000000 ____D C:\ProgramData\Yahoo! Companion
2012-01-23 12:59 - 2011-04-07 10:18 - 0000000 ____D C:\users\Administrator
2012-01-23 12:59 - 2011-02-14 09:24 - 0000000 ____D C:\Users\All Users\WinZip
2012-01-23 12:59 - 2011-02-14 09:24 - 0000000 ____D C:\ProgramData\WinZip
2012-01-23 12:57 - 2012-01-23 12:57 - 0000888 __ASH C:\Users\All Users\Start Menu\Programs\Startup\CredDB.CEF
2012-01-23 12:52 - 2011-09-01 09:35 - 0000000 ____D C:\Users\All Users\McAfee Security Scan
2012-01-23 12:52 - 2011-09-01 09:35 - 0000000 ____D C:\ProgramData\McAfee Security Scan
2012-01-23 12:52 - 2011-04-07 10:29 - 0000000 ____D C:\Users\All Users\lx_Cats
2012-01-23 12:52 - 2011-04-07 10:29 - 0000000 ____D C:\ProgramData\lx_Cats
2012-01-23 12:51 - 2011-11-21 14:13 - 0000000 ____D C:\Users\All Users\HP Photo Creations
2012-01-23 12:51 - 2011-11-21 14:13 - 0000000 ____D C:\ProgramData\HP Photo Creations
2012-01-23 12:49 - 2011-07-06 15:01 - 0000000 ____D C:\Users\All Users\FileCure
2012-01-23 12:49 - 2011-07-06 15:01 - 0000000 ____D C:\ProgramData\FileCure
2012-01-23 12:42 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\System32\FxsTmp
2012-01-23 12:38 - 2011-02-14 09:24 - 0000000 ____D C:\Program Files (x86)\WinZip
2012-01-23 12:35 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Sidebar
2012-01-23 12:35 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Portable Devices
2012-01-23 12:35 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2012-01-23 12:35 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Defender
2012-01-23 12:30 - 2011-04-07 13:22 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-01-23 12:30 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\MSBuild
2012-01-23 12:01 - 2011-09-01 09:35 - 0000000 ____D C:\Program Files (x86)\McAfee Security Scan
2012-01-23 11:41 - 2011-11-21 14:13 - 0000000 ____D C:\Program Files (x86)\HP Photo Creations
2012-01-23 11:40 - 2011-02-14 09:34 - 0000000 ____D C:\Program Files (x86)\GPLGS
2012-01-23 11:38 - 2011-11-21 14:13 - 0000000 ____D C:\Program Files (x86)\Coupons
2012-01-23 11:26 - 2011-11-21 14:13 - 0000000 ____D C:\Program Files (x86)\Bing Bar Installer
2012-01-23 11:22 - 2011-12-14 19:50 - 0000000 ____D C:\Program Files (x86)\Apple Software Update
2012-01-23 11:18 - 2011-12-14 19:46 - 0000000 ____D C:\Program Files\Bonjour
2012-01-23 11:18 - 2011-10-14 09:34 - 0000000 ____D C:\Program Files\Microsoft Security Client
2012-01-23 11:14 - 2012-01-23 11:14 - 0000296 __ASH C:\Program Files (x86)\CredDB.CEF
2012-01-23 11:11 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Sidebar
2012-01-23 11:11 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Portable Devices
2012-01-23 11:11 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Photo Viewer
2012-01-23 11:11 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Defender
2012-01-23 11:06 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\DVD Maker
2012-01-23 11:05 - 2011-02-28 13:27 - 0000000 ____D C:\Program Files\DellTPad
2012-01-23 11:05 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Common Files\System
2012-01-23 11:05 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Common Files\Services
2012-01-23 11:04 - 2011-04-08 06:09 - 0000000 ____D C:\Program Files\ATI Technologies
2012-01-23 11:03 - 2012-01-23 11:03 - 0000296 __ASH C:\Program Files\CredDB.CEF
2012-01-20 13:23 - 2012-01-12 18:02 - 0260694 ____A C:\credant_install.log
2012-01-20 00:55 - 2012-01-13 17:24 - 0020187 ____A C:\Windows\System32\Drivers\cmghbbtl.dat
2012-01-18 16:17 - 2009-07-13 20:45 - 0418192 ____A C:\Windows\System32\FNTCACHE.DAT
2012-01-17 12:00 - 2011-12-14 19:52 - 0000000 ____D C:\Users\sjjennaway\AppData\Roaming\Apple Computer
2012-01-13 08:27 - 2012-01-13 08:27 - 10485760 _RASH C:\Windows\System32\credsys.vlt
2012-01-12 18:02 - 2012-01-12 18:02 - 0000000 ____D C:\Program Files\CREDANT
2012-01-12 18:02 - 2012-01-12 18:02 - 0000000 ____D C:\Program Files\Common Files\PostureAgent
2012-01-12 17:58 - 2012-01-12 17:58 - 0000000 ____D C:\Windows\System32\appmgmt
2012-01-05 19:25 - 2012-01-05 19:25 - 0001135 ____A C:\Users\Public\Desktop\Yahoo! Messenger.lnk
2012-01-05 19:25 - 2011-04-07 16:23 - 0000000 ____D C:\Users\sjjennaway\AppData\Roaming\Yahoo!
2012-01-05 19:25 - 2011-04-07 16:21 - 0000000 ____D C:\Users\All Users\Yahoo!
2012-01-05 19:25 - 2011-04-07 16:21 - 0000000 ____D C:\ProgramData\Yahoo!
2012-01-05 19:25 - 2011-04-07 16:20 - 0000000 ____D C:\Program Files (x86)\Yahoo!
2012-01-05 19:25 - 2011-04-07 10:51 - 0000000 ____D C:\Users\sjjennaway\AppData\LocalLow
2012-01-05 14:53 - 2012-01-05 14:50 - 0000000 ____D C:\Users\sjjennaway\Desktop\Taxes

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe
[2011-02-28 13:19] - [2010-11-20 05:25] - 0390656 ____A () EBB8D54C33C00566E1E33DEC39628428

C:\Windows\System32\wininit.exe
[2009-07-13 15:52] - [2009-07-13 17:39] - 0129024 ____A () E5F89DE57C5DD2A0DA40C65508A97708

C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe
[2009-07-13 15:31] - [2009-07-13 17:39] - 0027136 ____A () 65D45AF95F778E1DA099E71BF36E38B3

C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 13%
Total physical RAM: 3834.9 MB
Available physical RAM: 3303.32 MB
Total Pagefile: 3833.05 MB
Available Pagefile: 3289.1 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:465.66 GB) (Free:417.31 GB) NTFS
2 Drive e: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
3 Drive f: (Lexar) (Removable) (Total:7.32 GB) (Free:7.32 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: () (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 7512 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 465 GB 101 MB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 465 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7511 MB 31 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F Lexar FAT32 Removable 7511 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-03-21 10:37

======================= End Of Log ==========================



#2 CatByte
  • bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 22 March 2012 - 05:08 PM

Hi

There are some patched files preventing you from booting; we need to find replacements for them.

Please re-run FRST


Type the following in the edit box after "Search:" so it looks like this:

Search: svchost.exe;winlogon.exe;wininit.exe

Click the Search button and post the log it makes in your reply.

Edited by CatByte, 23 March 2012 - 04:41 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 J.J. LVN
  • Topic Starter
  • Members
  • 7 posts

Posted 23 March 2012 - 09:26 AM

Thank you for your reply. Here is the log:

Farbar Recovery Scan Tool Version: 15-03-2012
Ran by SYSTEM at 2012-03-23 09:16:19
Running from F:\

================== Search: "svchost.exe;winlogon.exe;wininit.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe
[2009-07-13 15:36] - [2009-07-13 17:14] - 0096256 ____A (Microsoft Corporation) B5C5DCAD3899512020D135600129D665

C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
[2009-07-13 15:19] - [2009-07-13 17:14] - 0020992 ____A (Microsoft Corporation) 54A47F6B5E09A77E61649109C6A08866

C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe
[2011-02-28 13:19] - [2010-11-20 05:25] - 0390656 ____A (Microsoft Corporation) 1151B1BAA6F350B1DB6598E0FEA7C457

C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_cc522fd507b468f8\winlogon.exe
[2011-02-14 10:44] - [2009-10-27 23:01] - 0389632 ____A (Microsoft Corporation) A93D41A4D4B0D91C072D11DD8AF266DE

C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_cbe534e7ee8042ad\winlogon.exe
[2011-02-14 10:44] - [2009-10-27 22:24] - 0389632 ____A (Microsoft Corporation) DA3E2A6FA9660CC75B471530CE88453A

C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_cbb7f2bdeea2829c\winlogon.exe
[2009-07-13 15:52] - [2009-07-13 17:39] - 0389120 ____A (Microsoft Corporation) 132328DF455B0028F13BF0ABEE51A63A

C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_8ce7aa761e01ad49\wininit.exe
[2009-07-13 15:52] - [2009-07-13 17:39] - 0129024 ____A (Microsoft Corporation) 94355C28C1970635A31B3FE52EB7CEBA

C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe
[2009-07-13 15:31] - [2009-07-13 17:39] - 0027136 ____A (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D

C:\Windows\SysWOW64\svchost.exe
[2009-07-13 15:19] - [2009-07-13 17:14] - 0020992 ____A (Microsoft Corporation) 54A47F6B5E09A77E61649109C6A08866

C:\Windows\SysWOW64\wininit.exe
[2009-07-13 15:36] - [2009-07-13 17:14] - 0096256 ____A (Microsoft Corporation) B5C5DCAD3899512020D135600129D665

C:\Windows\System32\svchost.exe
[2009-07-13 15:31] - [2009-07-13 17:39] - 0027136 ____A () 65D45AF95F778E1DA099E71BF36E38B3

C:\Windows\System32\wininit.exe
[2009-07-13 15:52] - [2009-07-13 17:39] - 0129024 ____A () E5F89DE57C5DD2A0DA40C65508A97708

C:\Windows\System32\winlogon.exe
[2011-02-28 13:19] - [2010-11-20 05:25] - 0390656 ____A () EBB8D54C33C00566E1E33DEC39628428

C:\Users\sjjennaway\AppData\Local\Temp\RarSFX0\winlogon.exe
[2012-03-21 08:42] - [2009-05-26 15:47] - 0031232 ____A () 44FC10C51BF041E9DA6C3BD6925639E7

C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2012-03-21 08:44] - [2012-01-31 10:13] - 0182856 ____A () 7AD474A49831E03551EBFC6BAAD7EDD2

C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2012-03-21 08:44] - [2012-01-31 10:13] - 0182856 ____A () 7AD474A49831E03551EBFC6BAAD7EDD2

====== End Of Search ======

#4 CatByte
  • bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 23 March 2012 - 04:40 PM

Open Notepad. Please copy the contents of the code box below; to do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt

start
Replace: C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe C:\Windows\System32\svchost.exe
Replace: C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_8ce7aa761e01ad49\wininit.exe C:\Windows\System32\wininit.exe
Replace: C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe C:\Windows\System32\winlogon.exe
end


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.


Please try rebooting normally, and let me know how it goes.

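The check CatByte works through by hand in #2 to #4 (compare the MD5 of each live boot binary against the WinSxS copies the Search turned up, then pick the matching copy as the replacement) can be scripted for later triage. The PowerShell below is an added example for this thread; it is not FRST's code and not a script anyone here posted. It assumes PowerShell 4.0 or newer (for Get-FileHash), and the $WindowsRoot parameter is my own choice so the same check can be pointed at an offline volume (for example D:\Windows with the disk attached to a working machine). It only reports; it replaces nothing.

```powershell
<#
  Added example for this thread (not FRST's or CatByte's code).
  Compares the core boot binaries under a Windows directory with the copies
  kept in WinSxS, the comparison FRST reports as "Bamital & volsnap Check".
  Assumptions: PowerShell 4.0+ (Get-FileHash); $WindowsRoot may be an
  offline volume such as D:\Windows (constructed parameter, not from FRST).
#>
param(
    [string]$WindowsRoot = $env:SystemRoot
)

# Relative paths of the files FRST checks in the log above.
$Targets = @(
    'System32\svchost.exe', 'System32\winlogon.exe', 'System32\wininit.exe',
    'SysWOW64\svchost.exe', 'SysWOW64\wininit.exe',
    'explorer.exe', 'SysWOW64\explorer.exe',
    'System32\Drivers\volsnap.sys'
)
$Names = $Targets | ForEach-Object { Split-Path $_ -Leaf } | Sort-Object -Unique

function Get-Md5([string]$Path) {
    # MD5 is used because that is what FRST prints; it is a match key, not a trust anchor.
    (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
}

# Index every WinSxS copy of the names we care about: name -> list of copies.
$Known = @{}
Get-ChildItem -Path (Join-Path $WindowsRoot 'winsxs') -Recurse -File -Include $Names -ErrorAction SilentlyContinue |
    ForEach-Object {
        $name = $_.Name.ToLowerInvariant()
        if (-not $Known.ContainsKey($name)) { $Known[$name] = @() }
        $Known[$name] += [pscustomobject]@{
            Path    = $_.FullName
            Length  = $_.Length
            MD5     = Get-Md5 $_.FullName
            Version = $_.VersionInfo.FileVersion
        }
    }

function Test-CoreBinary([string]$Relative) {
    $path = Join-Path $WindowsRoot $Relative
    if (-not (Test-Path -LiteralPath $path)) { return }
    $item   = Get-Item -LiteralPath $path
    $name   = $item.Name.ToLowerInvariant()
    $md5    = Get-Md5 $path
    $copies = if ($Known.ContainsKey($name)) { $Known[$name] } else { @() }
    # A WinSxS copy with the same size but a different hash is the pattern in the
    # search log above: the file was patched in place with size preserved.
    $sameSize = $copies | Where-Object { $_.Length -eq $item.Length -and $_.MD5 -ne $md5 }
    [pscustomobject]@{
        Path          = $path
        MD5           = $md5
        MatchesWinSxS = [bool]($copies | Where-Object { $_.MD5 -eq $md5 })
        # FRST printed "()" for the patched files: the company name had been stripped.
        CompanyName   = $item.VersionInfo.CompanyName
        # Catalog-signed Windows files only verify on the live system, not offline.
        Signature     = (Get-AuthenticodeSignature -LiteralPath $path).Status
        Candidate     = ($sameSize | Select-Object -First 1 -ExpandProperty Path)
    }
}

$Results = $Targets | ForEach-Object { Test-CoreBinary $_ }
$Results | Format-Table -AutoSize Path, MatchesWinSxS, CompanyName, Signature, Candidate
```

On a healthy Windows 7 install the System32 binaries are hard links into WinSxS, so MatchesWinSxS should be True for every row. A row with MatchesWinSxS False, an empty CompanyName and a Candidate of the same size is the situation in this thread (System32\winlogon.exe against the 6.1.7601.17514 copy). The Signature column is only meaningful when the script runs on the booted system; against an offline volume, catalog-signed files show as NotSigned because the catalog database is not consulted, and the WinSxS comparison is the part to rely on.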


#5 J.J. LVN
  • Topic Starter
  • Members
  • 7 posts

Posted 23 March 2012 - 04:49 PM

Ran the fix and tried to boot from the hard disk. It went into the Startup Repair Loop again. Here is the fixlog:

Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 15-03-2012
Ran by SYSTEM at 2012-03-23 16:45:31 R:1
Running from F:\

==============================================

C:\Windows\System32\svchost.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe copied successfully to C:\Windows\System32\svchost.exe
C:\Windows\System32\wininit.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_8ce7aa761e01ad49\wininit.exe copied successfully to C:\Windows\System32\wininit.exe
C:\Windows\System32\winlogon.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe copied successfully to C:\Windows\System32\winlogon.exe

==== End of Fixlog ====

#6 CatByte
  • bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 23 March 2012 - 04:51 PM

OK,

Let's try this now


Open Notepad. Please copy the contents of the code box below; to do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt

start
cmd: bootrec /FixMbr
cmd: bootrec /fixboot
end


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.


Please try rebooting normally, and let me know how it goes.

Edited by CatByte, 23 March 2012 - 04:52 PM.



#7 J.J. LVN
  • Topic Starter
  • Members
  • 7 posts

Posted 23 March 2012 - 04:58 PM

Same result, Startup Repair loop. Again, thank you for helping me try to fix this.

Log:

Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 15-03-2012
Ran by SYSTEM at 2012-03-23 16:55:07 R:2
Running from F:\

==============================================


========= bootrec /FixMbr =========

The operation completed successfully.

========= End of CMD: =========


========= bootrec /fixboot =========

The operation completed successfully.

========= End of CMD: =========


==== End of Fixlog ====

#8 CatByte
  • bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 23 March 2012 - 05:02 PM

OK,

Let's have another look; can you please post a fresh scan with FRST64?

(same instructions as your first post)



#9 J.J. LVN
  • Topic Starter
  • Members
  • 7 posts

Posted 23 March 2012 - 05:10 PM

Here you go!

Scan result of Farbar Recovery Scan Tool Version: 15-03-2012
Ran by SYSTEM at 23-03-2012 17:06:02
Running from F:\
(X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Winlogon: [Userinit]
HKLM-x32\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell]
HKLM-x32\...\Winlogon: [Shell] [x ] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

==================== Services (Whitelisted) ======

2 AdobeARMservice; "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" [63928 2012-01-03] ()
3 ALG; C:\Windows\System32\alg.exe [79360 2009-07-13] ()
2 AMD External Events Utility; C:\Windows\System32\atiesrxx.exe [202752 2010-03-29] ()
2 Apple Mobile Device; "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe" [55144 2011-10-24] ()
2 Bonjour Service; "C:\Program Files\Bonjour\mDNSResponder.exe" [462184 2011-08-30] ()
2 CcmExec; C:\windows\SysWOW64\CCM\CcmExec.exe [764768 2009-09-18] (Microsoft Corporation)
2 CMGShield; C:\Windows\System32\CmgShieldSvc.exe [2967656 2011-06-06] ()
3 COMSysApp; C:\Windows\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} [9728 2009-07-13] ()
2 DcaSvc; "C:\Program Files (x86)\DirectAccess Connectivity Assistant\DcaSvc.exe" [122768 2010-11-25] ()
2 EFS; C:\Windows\System32\lsass.exe [31232 2011-11-16] ()
2 EMS; EMSService.exe [1606248 2011-06-06] ()
3 Fax; C:\Windows\System32\fxssvc.exe [689152 2010-11-20] ()
2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [136176 2011-08-29] ()
3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [136176 2011-08-29] ()
3 gusvc; "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" [182768 2011-08-29] ()
3 iPod Service; "C:\Program Files\iPod\bin\iPodService.exe" [934760 2012-01-16] ()
3 KeyIso; C:\Windows\System32\lsass.exe [31232 2011-11-16] ()
2 lxee_device; C:\windows\system32\lxeecoms.exe -service [1052328 2010-04-14] ()
3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] ()
3 Microsoft SharePoint Workspace Audit Service; "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice [30969208 2010-03-25] ()
3 MSDTC; C:\Windows\System32\msdtc.exe [141824 2009-07-13] ()
3 msiserver; C:\Windows\System32\msiexec.exe /V [128000 2010-11-20] ()
2 Netlogon; C:\Windows\System32\lsass.exe [31232 2011-11-16] ()
3 ose; "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE" [149352 2010-01-09] ()
3 osppsvc; "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" [4925184 2010-01-09] ()
3 ProtectedStorage; C:\Windows\System32\lsass.exe [31232 2011-11-16] ()
3 RpcLocator; C:\Windows\System32\locator.exe [10240 2009-07-13] ()
2 SamSs; C:\Windows\System32\lsass.exe [31232 2011-11-16] ()
2 SeaPort; "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe" [249136 2010-07-27] ()
2 SkypeUpdate; "C:\Program Files (x86)\Skype\Updater\Updater.exe" [158856 2012-02-29] ()
3 smstsmgr; C:\windows\SysWOW64\CCM\TSManager.exe /service [246624 2009-09-18] (Microsoft Corporation)
3 SNMPTRAP; C:\Windows\System32\snmptrap.exe [14336 2009-07-13] ()
2 Spooler; C:\Windows\System32\spoolsv.exe [559104 2010-11-20] ()
2 sppsvc; C:\Windows\System32\sppsvc.exe [3524608 2010-11-20] ()
2 SwiCardDetectSvc; "C:\Program Files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe" [308592 2010-09-13] ()
3 UI0Detect; C:\Windows\System32\UI0Detect.exe [40960 2009-07-13] ()
3 VaultSvc; C:\Windows\System32\lsass.exe [31232 2011-11-16] ()
3 vds; C:\Windows\System32\vds.exe [533504 2010-11-20] ()
3 VSS; C:\Windows\System32\vssvc.exe [1600512 2010-11-20] ()
3 wbengine; "C:\Windows\system32\wbengine.exe" [1504256 2010-11-20] ()
3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] ()
3 WMPNetworkSvc; "C:\Program Files\Windows Media Player\wmpnetwk.exe" [1525248 2010-11-20] ()
2 WSearch; C:\Windows\System32\SearchIndexer.exe /Embedding [591872 2011-05-03] ()
2 YahooAUService; "C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe" [602392 2008-11-09] ()
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

3 Accelerometer; C:\Windows\System32\Drivers\Accelerometer.sys [43320 2010-07-16] (Hewlett-Packard Company)
3 amdkmdag; C:\Windows\System32\DRIVERS\atipmdag.sys [6405632 2010-03-29] (ATI Technologies Inc.)
0 CmgHiber; C:\Windows\System32\Drivers\CmgHiber.sys [92520 2011-06-06] (CREDANT Technologies, Inc.)
0 CmgPCS; C:\Windows\System32\Drivers\CmgPCS.sys [122720 2011-06-06] (CREDANT Technologies, Inc.)
0 CmgShieldCEF; C:\Windows\System32\DRIVERS\CMGShCEF.sys [364392 2011-06-06] (CREDANT Technologies, Inc.)
0 CMGShieldReg; C:\Windows\System32\DRIVERS\CmgShREG.sys [24424 2011-06-06] (CREDANT Technologies, Inc.)
1 ctxusbm; C:\Windows\System32\Drivers\ctxusbm.sys [87600 2010-04-16] (Citrix Systems, Inc.)
3 dmvsc; C:\Windows\System32\Drivers\dmvsc.sys [71168 2010-11-20] (Microsoft Corporation)
3 e1kexpress; C:\Windows\System32\DRIVERS\e1k62x64.sys [293552 2009-11-05] (Intel Corporation)
0 hpdskflt; C:\Windows\System32\Drivers\hpdskflt.sys [30008 2010-07-16] (Hewlett-Packard Company)
3 prepdrvr; \??\C:\windows\SysWOW64\CCM\prepdrv.sys [26992 2009-09-18] (Microsoft Corporation)
3 RICOH SmartCard Reader; C:\Windows\System32\DRIVERS\rismcx64.sys [79488 2006-10-03] (RICOH Company, Ltd.)
3 swiwdmbus; C:\Windows\System32\DRIVERS\swiwdmbusx64.sys [102656 2010-06-21] (Sierra Wireless Inc.)
3 SWNC8UA3; C:\Windows\System32\Drivers\SWNC8UA3.sys [240640 2010-06-21] (Sierra Wireless Inc.)
3 SWUMXA3; C:\Windows\System32\Drivers\SWUMXA3.sys [210944 2010-06-21] (Sierra Wireless Inc.)
3 Synth3dVsc; C:\Windows\System32\Drivers\Synth3dVsc.sys [88960 2010-11-20] (Microsoft Corporation)
3 terminpt; C:\Windows\System32\Drivers\terminpt.sys [34816 2010-11-20] (Microsoft Corporation)
3 TPM; C:\Windows\System32\Drivers\TPM.sys [38400 2009-07-13] (Microsoft Corporation)
3 TsUsbGD; C:\Windows\System32\Drivers\TsUsbGD.sys [31232 2010-11-20] (Microsoft Corporation)
3 tsusbhub; C:\Windows\System32\Drivers\tsusbhub.sys [117248 2010-11-20] (Microsoft Corporation)
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-03-22 11:59 - 2012-03-23 17:06 - 0000000 ____D C:\FRST
2012-03-21 16:06 - 2012-02-09 22:36 - 1544192 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-03-21 16:06 - 2012-02-09 21:38 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-03-21 16:06 - 2012-02-02 20:34 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-21 16:06 - 2012-01-24 22:38 - 0149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-03-21 16:06 - 2012-01-24 22:38 - 0077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-03-21 16:06 - 2012-01-24 22:33 - 0009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-03-21 14:01 - 2012-03-21 14:01 - 0671046 ____A C:\Users\sjjennaway\Desktop\BoundsIRAMorningstar.pdf
2012-03-21 10:03 - 2012-03-21 08:44 - 0000824 ____A C:\Windows\System32\Drivers\etc\hosts
2012-03-21 09:57 - 2012-02-16 22:38 - 1112064 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2012-03-21 09:57 - 2012-02-16 22:38 - 1031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-03-21 09:57 - 2012-02-16 21:34 - 0826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-03-21 09:57 - 2012-02-16 20:58 - 0210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-03-21 09:57 - 2012-02-16 20:57 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-03-21 09:57 - 2011-11-19 07:20 - 5559152 ____A C:\Windows\System32\ntoskrnl.exe
2012-03-21 09:57 - 2011-11-19 06:50 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-03-21 09:57 - 2011-11-19 06:50 - 3913584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-03-21 08:44 - 2012-03-21 08:44 - 0000000 ____D C:\Users\sjjennaway\AppData\Roaming\Malwarebytes
2012-03-21 08:44 - 2012-03-21 08:44 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-03-21 08:44 - 2012-03-21 08:44 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-03-21 08:44 - 2012-03-21 08:44 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-21 08:44 - 2011-12-10 12:24 - 0023152 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-03-21 08:43 - 2012-03-21 08:43 - 0000359 ____A C:\rkill.log
2012-03-19 08:23 - 2012-03-21 09:59 - 0454960 ____A C:\Windows\ntbtlog.txt
2012-03-04 18:36 - 2012-03-05 01:57 - 0011687 ____A C:\Users\sjjennaway\Desktop\Daddy's Meds.xlsx

============ 3 Months Modified Files and Folders =============

2012-03-23 17:06 - 2012-03-22 11:59 - 0000000 ____D C:\FRST
2012-03-22 06:10 - 2012-01-23 14:59 - 0007696 __ASH C:\Windows\System32\config\CredDB.CEF
2012-03-22 06:10 - 2011-04-07 10:07 - 3015884800 __ASH C:\hiberfil.sys
2012-03-21 16:07 - 2012-01-23 14:25 - 0005920 __ASH C:\Windows\CredDB.CEF
2012-03-21 16:07 - 2011-04-07 10:11 - 2094479 ____A C:\Windows\WindowsUpdate.log
2012-03-21 16:07 - 2011-02-14 09:14 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-03-21 16:07 - 2011-02-14 09:14 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-03-21 16:05 - 2011-02-14 09:28 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-03-21 16:04 - 2012-01-23 13:15 - 0000592 __ASH C:\Users\sjjennaway\AppData\Local\CredDB.CEF
2012-03-21 15:49 - 2012-01-23 15:15 - 0002072 __ASH C:\Windows\Tasks\CredDB.CEF
2012-03-21 15:49 - 2011-08-29 10:52 - 0000906 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-03-21 15:17 - 2011-02-14 11:07 - 0000528 ____A C:\Windows\System32\config\netlogon.ftl
2012-03-21 15:00 - 2011-07-06 15:01 - 0000478 ____A C:\Windows\Tasks\ParetoLogic Registration3.job
2012-03-21 14:01 - 2012-03-21 14:01 - 0671046 ____A C:\Users\sjjennaway\Desktop\BoundsIRAMorningstar.pdf
2012-03-21 14:01 - 2012-01-23 14:00 - 0002982 __ASH C:\Users\sjjennaway\Desktop\CredDB.CEF
2012-03-21 11:15 - 2009-07-13 20:45 - 0012080 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-03-21 11:15 - 2009-07-13 20:45 - 0012080 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-03-21 10:49 - 2011-08-29 10:52 - 0000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-03-21 10:09 - 2009-07-13 21:13 - 0736356 ____A C:\Windows\System32\PerfStringBackup.INI
2012-03-21 10:06 - 2012-01-21 14:11 - 0001776 __ASH C:\Users\All Users\CredDB.CEF
2012-03-21 10:06 - 2012-01-21 14:11 - 0001776 __ASH C:\ProgramData\CredDB.CEF
2012-03-21 10:06 - 2011-04-07 10:25 - 0010515 ____A C:\Users\All Users\lxeescan.log
2012-03-21 10:06 - 2011-04-07 10:25 - 0010515 ____A C:\ProgramData\lxeescan.log
2012-03-21 10:04 - 2011-02-28 13:51 - 0255464 _RASH C:\Users\All Users\ntuser.pol
2012-03-21 10:04 - 2011-02-28 13:51 - 0255464 _RASH C:\ProgramData\ntuser.pol
2012-03-21 10:03 - 2011-02-28 14:04 - 0000556 ____A C:\Windows\SMSCFG.ini
2012-03-21 10:02 - 2011-07-04 07:34 - 0000000 ____D C:\Users\sjjennaway\AppData\Local\attcm
2012-03-21 10:01 - 2012-01-21 14:05 - 0000320 __ASH C:\CMG3301d.DAT
2012-03-21 10:00 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-03-21 09:59 - 2012-03-19 08:23 - 0454960 ____A C:\Windows\ntbtlog.txt
2012-03-21 09:59 - 2012-01-21 14:05 - 0000416 ___AS C:\CMGb2ce9.DAT
2012-03-21 09:59 - 2009-07-13 20:51 - 0062403 ____A C:\Windows\setupact.log
2012-03-21 09:51 - 2012-01-21 14:05 - 0000416 ___AS C:\CMGb2ce9.ALT
2012-03-21 09:50 - 2011-02-14 10:39 - 0047652 ____A C:\Windows\PFRO.log
2012-03-21 09:35 - 2010-09-27 03:06 - 0000000 ___HD C:\OEM
2012-03-21 08:44 - 2012-03-21 10:03 - 0000824 ____A C:\Windows\System32\Drivers\etc\hosts
2012-03-21 08:44 - 2012-03-21 08:44 - 0000000 ____D C:\Users\sjjennaway\AppData\Roaming\Malwarebytes
2012-03-21 08:44 - 2012-03-21 08:44 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-03-21 08:44 - 2012-03-21 08:44 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-03-21 08:44 - 2012-03-21 08:44 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-21 08:43 - 2012-03-21 08:43 - 0000359 ____A C:\rkill.log
2012-03-21 08:43 - 2012-01-21 14:05 - 0000888 __ASH C:\CredDB.CEF
2012-03-21 08:31 - 2012-01-21 14:05 - 0000416 ___AS C:\CMGb2ce9.BCK
2012-03-21 08:22 - 2012-01-23 13:15 - 0002956 __ASH C:\Users\sjjennaway\CredDB.CEF
2012-03-21 08:22 - 2011-04-07 10:51 - 0000516 _RASH C:\Users\sjjennaway\ntuser.pol
2012-03-21 08:22 - 2011-04-07 10:51 - 0000000 ____D C:\users\sjjennaway
2012-03-19 08:55 - 2011-06-16 14:08 - 0000000 ____D C:\Users\sjjennaway\AppData\Roaming\Skype
2012-03-18 16:08 - 2011-08-29 10:52 - 0000000 ____D C:\Users\sjjennaway\AppData\Local\Google
2012-03-16 12:19 - 2012-01-13 08:27 - 0000000 ____D C:\Users\All Users\CREDANT
2012-03-16 12:19 - 2012-01-13 08:27 - 0000000 ____D C:\ProgramData\CREDANT
2012-03-15 07:35 - 2011-07-06 15:01 - 0000452 ____A C:\Windows\Tasks\ParetoLogic Update Version3.job
2012-03-14 07:26 - 2011-07-06 15:01 - 0000398 ____A C:\Windows\Tasks\FileCure Default.job
2012-03-07 12:28 - 2012-01-23 13:14 - 0003888 __ASH C:\Users\Public\Desktop\CredDB.CEF
2012-03-07 12:28 - 2011-06-16 14:08 - 0002515 ____A C:\Users\Public\Desktop\Skype.lnk
2012-03-07 12:28 - 2011-06-16 14:08 - 0000000 ___RD C:\Program Files (x86)\Skype
2012-03-07 12:28 - 2011-06-16 14:08 - 0000000 ____D C:\Users\All Users\Skype
2012-03-07 12:28 - 2011-06-16 14:08 - 0000000 ____D C:\ProgramData\Skype
2012-03-05 01:57 - 2012-03-04 18:36 - 0011687 ____A C:\Users\sjjennaway\Desktop\Daddy's Meds.xlsx
2012-03-05 01:27 - 2012-01-23 14:13 - 0001776 __ASH C:\Users\sjjennaway\Documents\CredDB.CEF
2012-02-25 12:08 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\NDF
2012-02-19 13:22 - 2012-02-19 13:22 - 0633899 ____A C:\Users\sjjennaway\Desktop\1960-AMSNon-IRA[1].pdf
2012-02-17 08:58 - 2011-08-19 08:02 - 0000000 ____D C:\Users\sjjennaway\Tracing
2012-02-16 22:38 - 2012-03-21 09:57 - 1112064 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2012-02-16 22:38 - 2012-03-21 09:57 - 1031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-02-16 21:34 - 2012-03-21 09:57 - 0826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-02-16 20:58 - 2012-03-21 09:57 - 0210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-02-16 20:57 - 2012-03-21 09:57 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-02-09 22:36 - 2012-03-21 16:06 - 1544192 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-02-09 21:38 - 2012-03-21 16:06 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-02-02 20:34 - 2012-03-21 16:06 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-02-01 10:52 - 2012-01-23 14:56 - 0126728 __ASH C:\Windows\System32\CredDB.CEF
2012-01-31 04:44 - 2011-02-14 10:37 - 0279656 ____N C:\Windows\System32\MpSigStub.exe
2012-01-27 14:59 - 2012-01-27 14:59 - 0001783 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-01-27 14:59 - 2012-01-27 14:59 - 0000000 ____D C:\Program Files\iTunes
2012-01-27 14:59 - 2012-01-27 14:59 - 0000000 ____D C:\Program Files\iPod
2012-01-27 14:59 - 2011-12-14 19:51 - 0000000 ____D C:\Program Files (x86)\iTunes
2012-01-26 17:04 - 2012-01-26 17:04 - 0022416 ____A C:\Users\sjjennaway\Documents\Derek Kite Insurance.docx
2012-01-26 12:24 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Registration
2012-01-26 12:23 - 2011-04-07 10:18 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\ICAClient
2012-01-26 12:22 - 2011-12-14 19:46 - 0000000 ____D C:\Program Files (x86)\Bonjour
2012-01-26 12:22 - 2011-02-14 09:13 - 0000000 ____D C:\Program Files (x86)\DirectAccess Connectivity Assistant
2012-01-24 22:38 - 2012-03-21 16:06 - 0149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-01-24 22:38 - 2012-03-21 16:06 - 0077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-01-24 22:33 - 2012-03-21 16:06 - 0009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-01-23 19:35 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\PolicyDefinitions
2012-01-23 15:15 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\TAPI
2012-01-23 15:15 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\zh-TW
2012-01-23 15:15 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\zh-HK
2012-01-23 15:15 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\zh-CN
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\uk-UA
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\tr-TR
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\th-TH
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\sv-SE
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\sr-Latn-CS
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\sppui
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\sl-SI
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\sk-SK
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\ru-RU
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\ro-RO
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Recovery
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\ras
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\pt-PT
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\pt-BR
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\pl-PL
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\oobe
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\nl-NL
2012-01-23 15:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\nb-NO
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\migwiz
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\manifeststore
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\lv-LV
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\lt-LT
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\ko-KR
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\ja-JP
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\it-IT
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\icsxml
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\hu-HU
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\hr-HR
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\he-IL
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\GroupPolicy
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\fr-FR
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\fi-FI
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\et-EE
2012-01-23 15:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\es-ES
2012-01-23 15:06 - 2012-01-23 15:06 - 0000592 __ASH C:\Windows\SysWOW64\Drivers\CredDB.CEF
2012-01-23 15:06 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\el-GR
2012-01-23 15:06 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\de-DE
2012-01-23 15:06 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\da-DK
2012-01-23 15:06 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\cs-CZ
2012-01-23 15:05 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\com
2012-01-23 15:04 - 2012-01-23 15:02 - 0085248 __ASH C:\Windows\SysWOW64\CredDB.CEF
2012-01-23 15:04 - 2011-02-28 14:04 - 0000000 ____D C:\Windows\SysWOW64\CCM
2012-01-23 15:04 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\bg-BG
2012-01-23 15:04 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\ar-SA
2012-01-23 14:55 - 2009-07-13 23:23 - 0000000 ____D C:\Windows\ShellNew
2012-01-23 14:53 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\rescache
2012-01-23 14:51 - 2011-02-14 10:18 - 0000000 ____D C:\Windows\Panther
2012-01-23 14:51 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Offline Web Pages
2012-01-23 14:45 - 2009-07-13 19:20 - 0000000 __RSD C:\Windows\Media
2012-01-23 14:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\L2Schemas
2012-01-23 14:34 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Downloaded Program Files
2012-01-23 14:32 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Cursors
2012-01-23 14:31 - 2011-02-28 14:02 - 0000000 ____D C:\Windows\ccmsetup
2012-01-23 14:31 - 2009-07-13 23:23 - 0000000 __SHD C:\Windows\BitLockerDiscoveryVolumeContents
2012-01-23 14:26 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\addins
2012-01-23 14:14 - 2012-01-23 14:14 - 0000296 __ASH C:\Users\sjjennaway\Downloads\CredDB.CEF
2012-01-23 14:13 - 2011-07-25 17:48 - 0000000 ____D C:\Users\sjjennaway\Desktop\Teena Photos
2012-01-23 14:04 - 2011-07-23 20:21 - 0000000 ____D C:\Users\sjjennaway\Desktop\Hawaii photos
2012-01-23 14:00 - 2011-10-28 09:54 - 0000000 ____D C:\Users\sjjennaway\Desktop\Clients
2012-01-23 13:58 - 2012-01-23 13:58 - 0000296 __ASH C:\Users\sjjennaway\Start Menu\Programs\Startup\CredDB.CEF
2012-01-23 13:58 - 2012-01-23 13:58 - 0000296 __ASH C:\Users\sjjennaway\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CredDB.CEF
2012-01-23 13:48 - 2011-04-07 10:51 - 0000000 ____D C:\Users\sjjennaway\AppData\Roaming\ICAClient
2012-01-23 13:47 - 2012-01-23 13:47 - 0000296 __ASH C:\Users\sjjennaway\AppData\Roaming\CredDB.CEF
2012-01-23 13:37 - 2011-04-07 10:54 - 0000000 ____D C:\Users\sjjennaway\AppData\Local\MigWiz
2012-01-23 13:15 - 2011-04-25 10:08 - 0000000 ____D C:\Users\sjjennaway\.morena
2012-01-23 13:15 - 2011-04-25 10:08 - 0000000 ____D C:\Users\sjjennaway\.epaysol
2012-01-23 13:15 - 2009-07-13 23:23 - 0000000 ___RD C:\Users\Public\Recorded TV
2012-01-23 13:14 - 2012-01-23 13:14 - 0000296 __ASH C:\Users\Public\Downloads\CredDB.CEF
2012-01-23 13:14 - 2012-01-23 13:14 - 0000296 __ASH C:\Users\Public\Documents\CredDB.CEF
2012-01-23 13:14 - 2009-07-13 19:20 - 0000000 __RHD C:\Users\Public\Libraries
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Public\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default\Start Menu\Programs\Startup\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default\Downloads\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default\Documents\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default\Desktop\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default User\Start Menu\Programs\Startup\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default User\Downloads\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default User\Documents\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default User\Desktop\CredDB.CEF
2012-01-23 13:13 - 2012-01-23 13:13 - 0000296 __ASH C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CredDB.CEF
2012-01-23 13:13 - 2009-07-13 19:20 - 0000000 ___RD C:\users\Public
2012-01-23 13:12 - 2011-02-28 12:55 - 0000000 ____D C:\Users\Default\AppData\Roaming\ICAClient
2012-01-23 13:12 - 2011-02-28 12:55 - 0000000 ____D C:\Users\Default User\AppData\Roaming\ICAClient
2012-01-23 13:10 - 2012-01-23 13:10 - 0002660 __ASH C:\Users\Default\CredDB.CEF
2012-01-23 13:10 - 2012-01-23 13:10 - 0000592 __ASH C:\Users\Default\AppData\Local\CredDB.CEF
2012-01-23 13:10 - 2012-01-23 13:10 - 0000592 __ASH C:\Users\Default User\AppData\Local\CredDB.CEF
2012-01-23 13:10 - 2009-07-13 19:20 - 0000000 __RHD C:\users\Default
2012-01-23 13:05 - 2012-01-23 13:05 - 0000592 __ASH C:\Users\Administrator\Downloads\CredDB.CEF
2012-01-23 13:05 - 2012-01-23 13:05 - 0000296 __ASH C:\Users\Administrator\Start Menu\Programs\Startup\CredDB.CEF
2012-01-23 13:05 - 2012-01-23 13:05 - 0000296 __ASH C:\Users\Administrator\Documents\CredDB.CEF
2012-01-23 13:05 - 2012-01-23 13:05 - 0000296 __ASH C:\Users\Administrator\Desktop\CredDB.CEF
2012-01-23 13:05 - 2012-01-23 13:05 - 0000296 __ASH C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CredDB.CEF
2012-01-23 12:59 - 2012-01-23 12:59 - 0002364 __ASH C:\Users\Administrator\CredDB.CEF
2012-01-23 12:59 - 2012-01-23 12:59 - 0000592 __ASH C:\Users\Administrator\AppData\Local\CredDB.CEF
2012-01-23 12:59 - 2012-01-23 12:59 - 0000296 __ASH C:\users\CredDB.CEF
2012-01-23 12:59 - 2012-01-05 19:25 - 0000000 ____D C:\Users\All Users\Yahoo! Companion
2012-01-23 12:59 - 2012-01-05 19:25 - 0000000 ____D C:\ProgramData\Yahoo! Companion
2012-01-23 12:59 - 2011-04-07 10:18 - 0000000 ____D C:\users\Administrator
2012-01-23 12:59 - 2011-02-14 09:24 - 0000000 ____D C:\Users\All Users\WinZip
2012-01-23 12:59 - 2011-02-14 09:24 - 0000000 ____D C:\ProgramData\WinZip
2012-01-23 12:57 - 2012-01-23 12:57 - 0000888 __ASH C:\Users\All Users\Start Menu\Programs\Startup\CredDB.CEF
2012-01-23 12:52 - 2011-09-01 09:35 - 0000000 ____D C:\Users\All Users\McAfee Security Scan
2012-01-23 12:52 - 2011-09-01 09:35 - 0000000 ____D C:\ProgramData\McAfee Security Scan
2012-01-23 12:52 - 2011-04-07 10:29 - 0000000 ____D C:\Users\All Users\lx_Cats
2012-01-23 12:52 - 2011-04-07 10:29 - 0000000 ____D C:\ProgramData\lx_Cats
2012-01-23 12:51 - 2011-11-21 14:13 - 0000000 ____D C:\Users\All Users\HP Photo Creations
2012-01-23 12:51 - 2011-11-21 14:13 - 0000000 ____D C:\ProgramData\HP Photo Creations
2012-01-23 12:49 - 2011-07-06 15:01 - 0000000 ____D C:\Users\All Users\FileCure
2012-01-23 12:49 - 2011-07-06 15:01 - 0000000 ____D C:\ProgramData\FileCure
2012-01-23 12:42 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\System32\FxsTmp
2012-01-23 12:38 - 2011-02-14 09:24 - 0000000 ____D C:\Program Files (x86)\WinZip
2012-01-23 12:35 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Sidebar
2012-01-23 12:35 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Portable Devices
2012-01-23 12:35 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2012-01-23 12:35 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Defender
2012-01-23 12:30 - 2011-04-07 13:22 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-01-23 12:30 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\MSBuild
2012-01-23 12:01 - 2011-09-01 09:35 - 0000000 ____D C:\Program Files (x86)\McAfee Security Scan
2012-01-23 11:41 - 2011-11-21 14:13 - 0000000 ____D C:\Program Files (x86)\HP Photo Creations
2012-01-23 11:40 - 2011-02-14 09:34 - 0000000 ____D C:\Program Files (x86)\GPLGS
2012-01-23 11:38 - 2011-11-21 14:13 - 0000000 ____D C:\Program Files (x86)\Coupons
2012-01-23 11:26 - 2011-11-21 14:13 - 0000000 ____D C:\Program Files (x86)\Bing Bar Installer
2012-01-23 11:22 - 2011-12-14 19:50 - 0000000 ____D C:\Program Files (x86)\Apple Software Update
2012-01-23 11:18 - 2011-12-14 19:46 - 0000000 ____D C:\Program Files\Bonjour
2012-01-23 11:18 - 2011-10-14 09:34 - 0000000 ____D C:\Program Files\Microsoft Security Client
2012-01-23 11:14 - 2012-01-23 11:14 - 0000296 __ASH C:\Program Files (x86)\CredDB.CEF
2012-01-23 11:11 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Sidebar
2012-01-23 11:11 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Portable Devices
2012-01-23 11:11 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Photo Viewer
2012-01-23 11:11 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Defender
2012-01-23 11:06 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\DVD Maker
2012-01-23 11:05 - 2011-02-28 13:27 - 0000000 ____D C:\Program Files\DellTPad
2012-01-23 11:05 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Common Files\System
2012-01-23 11:05 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Common Files\Services
2012-01-23 11:04 - 2011-04-08 06:09 - 0000000 ____D C:\Program Files\ATI Technologies
2012-01-23 11:03 - 2012-01-23 11:03 - 0000296 __ASH C:\Program Files\CredDB.CEF
2012-01-20 13:23 - 2012-01-12 18:02 - 0260694 ____A C:\credant_install.log
2012-01-20 00:55 - 2012-01-13 17:24 - 0020187 ____A C:\Windows\System32\Drivers\cmghbbtl.dat
2012-01-18 16:17 - 2009-07-13 20:45 - 0418192 ____A C:\Windows\System32\FNTCACHE.DAT
2012-01-17 12:00 - 2011-12-14 19:52 - 0000000 ____D C:\Users\sjjennaway\AppData\Roaming\Apple Computer
2012-01-13 08:27 - 2012-01-13 08:27 - 10485760 _RASH C:\Windows\System32\credsys.vlt
2012-01-12 18:02 - 2012-01-12 18:02 - 0000000 ____D C:\Program Files\CREDANT
2012-01-12 18:02 - 2012-01-12 18:02 - 0000000 ____D C:\Program Files\Common Files\PostureAgent
2012-01-12 17:58 - 2012-01-12 17:58 - 0000000 ____D C:\Windows\System32\appmgmt
2012-01-05 19:25 - 2012-01-05 19:25 - 0001135 ____A C:\Users\Public\Desktop\Yahoo! Messenger.lnk
2012-01-05 19:25 - 2011-04-07 16:23 - 0000000 ____D C:\Users\sjjennaway\AppData\Roaming\Yahoo!
2012-01-05 19:25 - 2011-04-07 16:21 - 0000000 ____D C:\Users\All Users\Yahoo!
2012-01-05 19:25 - 2011-04-07 16:21 - 0000000 ____D C:\ProgramData\Yahoo!
2012-01-05 19:25 - 2011-04-07 16:20 - 0000000 ____D C:\Program Files (x86)\Yahoo!
2012-01-05 19:25 - 2011-04-07 10:51 - 0000000 ____D C:\Users\sjjennaway\AppData\LocalLow
2012-01-05 14:53 - 2012-01-05 14:50 - 0000000 ____D C:\Users\sjjennaway\Desktop\Taxes

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 3834.9 MB
Available physical RAM: 3284.86 MB
Total Pagefile: 3833.05 MB
Available Pagefile: 3262.83 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:465.66 GB) (Free:417.33 GB) NTFS
2 Drive e: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
3 Drive f: (Lexar) (Removable) (Total:7.32 GB) (Free:7.32 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: () (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 7512 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 465 GB 101 MB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 465 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7511 MB 31 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F Lexar FAT32 Removable 7511 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-03-21 10:37

======================= End Of Log ==========================

#10 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 March 2012 - 05:19 PM

OK.

I don't think the files we replaced are correct.

We will need to replace them again.

Do you have access to an installation disk, or a machine with exactly the same OS, that we can obtain copies from?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 J.J. LVN

  • Topic Starter
  • Members
  • 7 posts

Posted 23 March 2012 - 05:49 PM

I will have access to a healthy Windows 7 64-bit machine tomorrow. It will be the same machine from which I created the restore disk that I have been using to access the System Recovery options.

#12 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 March 2012 - 06:29 PM

OK.

You need to copy these files from the good machine:

C:\Windows\System32\svchost.exe
C:\Windows\System32\wininit.exe
C:\Windows\System32\winlogon.exe

You will need to copy the files to the same location as FRST64.exe.

If that is your E:\ drive, then the file paths will be:

E:\svchost.exe
E:\wininit.exe
E:\winlogon.exe

If it is not your E:\ drive, then replace E:\ with the appropriate letter.

Then the script would be:

Open Notepad > copy/paste the following text inside the codebox > save it on the flash drive as fixlist.txt
start
Replace: E:\svchost.exe C:\Windows\System32\svchost.exe
Replace: E:\wininit.exe C:\Windows\System32\wininit.exe
Replace: E:\winlogon.exe C:\Windows\System32\winlogon.exe
end

Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Please try rebooting normally and let me know how it goes; hopefully it will work this time with the correct files.

Edited by CatByte, 23 March 2012 - 06:35 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
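A check worth running before the fixlist above is used, as an added example that is not code from the thread, from CatByte, or from the FRST project: it emits fixlist.txt lines in the Replace: form the post shows, but only for copies that are actually staged next to FRST64.exe and whose PE header marks them as 64-bit, and it records each accepted copy's MD5 for later comparison. The TARGETS list and the E: drive letter come from the post; fake_pe() is a constructed stand-in for a real binary, and the SysWOW64 hint in the error text is an assumption about one likely way to stage the wrong file, since the log above lists both System32 and SysWOW64 copies.

```python
import hashlib
import struct
from typing import Dict, List, Optional, Tuple
# COFF "Machine" values from the PE header (Microsoft PE/COFF specification).
MACHINE_X86 = 0x014C
MACHINE_X64 = 0x8664

# The three files CatByte asked for, exactly as written in the thread.
TARGETS = [r"C:\Windows\System32\svchost.exe",
           r"C:\Windows\System32\wininit.exe",
           r"C:\Windows\System32\winlogon.exe"]

def pe_machine(data: bytes) -> Optional[int]:
    """Return the Machine field of a PE image, or None if the bytes are not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]

def check_candidate(name: str, data: bytes, expect: int) -> Optional[str]:
    """Describe what is wrong with a staged copy, or return None if it passes."""
    machine = pe_machine(data)
    if machine is None:
        return f"{name}: not a PE image (wrong file copied?)"
    if machine != expect:
        return f"{name}: Machine=0x{machine:04X}, expected 0x{expect:04X} (copied from SysWOW64?)"
    return None

def build_fixlist(files: Dict[str, bytes], drive: str, targets: List[str],
                  expect: int = MACHINE_X64) -> Tuple[str, List[str], Dict[str, str]]:
    """Build fixlist.txt text from staged copies (lower-case basename -> bytes); copies that
    are missing or fail the check are reported instead, and each accepted MD5 is returned."""
    lines, problems, hashes = ["start"], [], {}
    for dest in targets:
        name = dest.rsplit("\\", 1)[-1]
        data = files.get(name.lower())
        if data is None:
            problems.append(f"{name}: not found next to FRST64.exe")
            continue
        problem = check_candidate(name, data, expect)
        if problem:
            problems.append(problem)
            continue
        hashes[name.lower()] = hashlib.md5(data).hexdigest()
        lines.append(f"Replace: {drive}\\{name} {dest}")
    lines.append("end")
    return "\r\n".join(lines) + "\r\n", problems, hashes   # Notepad-style line ends

def fake_pe(machine: int) -> bytes:
    """Constructed minimal PE header for offline demonstration; not a real Windows binary."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew at offset 0x3C
    return dos + b"PE\0\0" + struct.pack("<HH", machine, 0) + bytes(16)

if __name__ == "__main__":
    # Constructed staging set: one good copy, one 32-bit copy, winlogon.exe not copied.
    staged = {"svchost.exe": fake_pe(MACHINE_X64), "wininit.exe": fake_pe(MACHINE_X86)}
    text, problems, _ = build_fixlist(staged, "E:", TARGETS)
    print(text + "\n".join("PROBLEM: " + p for p in problems))
```

On the real flash drive, build the dict by reading each copied file's bytes from the folder that holds FRST64.exe and write the returned text to fixlist.txt only when the problem list is empty.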


#13 J.J. LVN

  • Topic Starter
  • Members
  • 7 posts

Posted 26 March 2012 - 11:07 AM

I wanted to follow up and close this case. Unfortunately, I didn't get a chance to try this solution as the hardware is now irreparably damaged (I promise it was not a result of frustration, but rather the result of carelessly leaving a laptop near the edge of a counter where a two-year old can reach.)

Thank you so much for taking the time to try and help me!

#14 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 26 March 2012 - 02:35 PM

Oh dear, sorry to hear that :o

You might be able to rescue your important data if you remove the hard drive and "slave" it to another computer:

http://www.wikihow.com/Recover-Data-from-the-Hard-Drive-of-a-Dead-Laptop

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 29 March 2012 - 09:52 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
