
NEED HELP PLEASE. win 7 goes to system recover after FRST64


  • This topic is locked
33 replies to this topic

#1 A-10


  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:50 PM

Posted 24 April 2012 - 10:42 AM

Hello,

I attempted to use FRST64. After doing so, on reboot, my computer goes directly into WINRE. I really need help.

Win 7 home prem 64bit

Please someone.....

Edited by hamluis, 24 April 2012 - 11:27 AM.
Moved from Win 7 to Am I Infected - Hamluis.




#2 hamluis


    Moderator


  • Moderator
  • 55,561 posts
  • ONLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:04:50 PM

Posted 24 April 2012 - 11:26 AM

Can you provide some details...on why you wanted to use that tool?

Louis

#3 A-10

  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:50 PM

Posted 24 April 2012 - 11:41 AM

Ok, Thanks for responding.

1. Ran a virus scan; it detected a rootkit.
2. Downloaded avg tdsskiller; after that scan, the computer no longer booted (BSOD 0x0000007b).
3. Tried various methods, none of which worked (Win7 live CD, startup repair, bootrec, fixmbr, xpud mbrfix).
4. Ran across FRST, tried it, hit fix; now when the computer boots it goes directly to system recovery.

Please let me know if more info is needed.

#4 Farbar


    Just Curious


  • Security Developer
  • 21,704 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:50 PM

Posted 24 April 2012 - 02:03 PM

Hi A-10,

Welcome to Bleeping Computer.

Ran across FRST, tried it, hit fix, now when computer boots in goes directly to system recovery.

I'm very much interested to hear exactly what you have done with FRST. Just pushing the Fix button does nothing to the system. Please give me detailed information.

Please run FRST from recovery environment as you did. Press Scan and post the log (FRST.txt) it makes on your flash drive.

#5 Farbar


    Just Curious


  • Security Developer
  • 21,704 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:50 PM

Posted 24 April 2012 - 02:03 PM

Also I'll move the topic to the appropriate forum.

#6 A-10

  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:50 PM

Posted 24 April 2012 - 03:31 PM

Hi,

I followed instructions from another site:

1. Scan with FRST64.
2. cmd notepad -- rename FRST.txt to Fixlist.txt.
3. Back to FRST64, fix.

After doing that, now it goes directly to system recovery.

thanks for responding

#7 Farbar


    Just Curious


  • Security Developer
  • 21,704 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:50 PM

Posted 24 April 2012 - 04:32 PM

cmd notepad--rename FRST.txt to Fixlist.txt

By doing that, you actually removed everything that was listed. We can easily restore all the registry entries, but I'm not sure how many files and folders were moved.

Could you do what I asked you to do in my first post to see if we can do something about this?

Also there is a Fixlog.txt on the flash drive. Please attach it to your reply.

Edited by farbar, 24 April 2012 - 04:34 PM.


#8 A-10

  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:50 PM

Posted 24 April 2012 - 04:51 PM

This is crazy. My computer started right up this time. Went to Start >> typed cmd >>> ran FRST64 scan.

My user files are nowhere to be found. Docs, Pics, Vids, gone. Is there any way I can get those back? My program files are still intact. Haven't tried to actually run a program yet though. My computer seems different, slow to respond. Here's the info you asked for. It'll be later tonight before I get back on. Headed to class, 5:55-9:15 CST.

thanks for your help


Scan result of Farbar Recovery Scan Tool Version: 22-04-2012
Ran by owner at 24-04-2012 16:40:24
Running from G:\
(X64) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

Attention: The tool is not run from recovery environment and will not function properly.

========================== Registry (Whitelisted) =============

HKLM\...\Winlogon: [Userinit]
HKLM-x32\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell]
HKLM-x32\...\Winlogon: [Shell] [x ] ()

==================== Services (Whitelisted) ======


========================== Drivers (Whitelisted) =============


========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-04-24 16:39 - 2012-04-24 16:39 - 0000000 ____D C:\Users\owner\AppData\Roaming\Hewlett-Packard
2012-04-24 16:39 - 2012-04-24 16:39 - 0000000 ____A C:\Users\owner\AppData\Local\DSwitch.txt
2012-04-24 16:39 - 2012-04-24 16:38 - 0000000 ____A C:\Users\owner\AppData\Local\AtStart.txt
2012-04-24 16:39 - 2012-04-24 14:53 - 0000000 ____A C:\Users\owner\AppData\Local\QSwitch.txt
2012-04-24 16:39 - 2010-11-11 20:34 - 0000187 ____A C:\Users\All Users\HPWALog.txt
2012-04-24 16:39 - 2010-11-11 20:34 - 0000187 ____A C:\ProgramData\HPWALog.txt
2012-04-24 16:38 - 2012-04-24 14:53 - 0000000 ____D C:\Users\owner\AppData\Roaming\Apple Computer
2012-04-24 16:38 - 2012-04-24 14:53 - 0000000 ____D C:\Users\owner\AppData\Local\Apple Computer
2012-04-24 16:36 - 2012-04-24 16:40 - 3145089024 __ASH C:\hiberfil.sys
2012-04-24 13:07 - 2011-05-11 22:57 - 0000000 ____D C:\Users\All Users\Recovery
2012-04-24 13:07 - 2011-05-11 22:57 - 0000000 ____D C:\ProgramData\Recovery
2012-04-24 13:01 - 2009-07-13 21:34 - 0000000 ____D C:\Windows\System32\config\HiveBackup
2012-04-24 12:39 - 2009-07-14 00:08 - 0000000 ____D C:\FRST


============ 3 Months Modified Files and Folders =============

2012-04-24 16:40 - 2012-04-24 12:39 - 0000000 ____D C:\FRST
2012-04-24 16:39 - 2012-04-24 16:39 - 0116304 ____A C:\Users\owner\AppData\Local\GDIPFONTCACHEV1.DAT
2012-04-24 16:39 - 2012-04-24 16:39 - 0000187 ____A C:\Users\All Users\HPWALog.txt
2012-04-24 16:39 - 2012-04-24 16:39 - 0000187 ____A C:\ProgramData\HPWALog.txt
2012-04-24 16:39 - 2012-04-24 16:39 - 0000000 ____D C:\Users\owner\AppData\Roaming\Hewlett-Packard
2012-04-24 16:39 - 2012-04-24 16:39 - 0000000 ____A C:\Users\owner\AppData\Local\QSwitch.txt
2012-04-24 16:39 - 2012-04-24 16:39 - 0000000 ____A C:\Users\owner\AppData\Local\DSwitch.txt
2012-04-24 16:39 - 2012-04-24 16:39 - 0000000 ____A C:\Users\owner\AppData\Local\AtStart.txt
2012-04-24 16:39 - 2011-11-10 18:34 - 0000000 ____D C:\Users\owner\AppData\Roaming\Dropbox
2012-04-24 16:39 - 2010-05-24 22:14 - 0000000 ____D C:\Users\owner\AppData\Roaming\LimeWire
2012-04-24 16:38 - 2012-04-24 16:38 - 0000000 ____D C:\Users\owner\AppData\Roaming\Apple Computer
2012-04-24 16:38 - 2012-04-24 16:38 - 0000000 ____D C:\Users\owner\AppData\Local\Apple Computer
2012-04-24 16:38 - 2011-09-19 09:00 - 0000000 ____D C:\Users\owner\AppData\Roaming\Skype
2012-04-24 16:37 - 2012-02-26 03:03 - 0001568 ____A C:\Windows\setupact.log
2012-04-24 16:37 - 2011-03-30 10:42 - 0000000 ____D C:\Users\All Users\VMware
2012-04-24 16:37 - 2011-03-30 10:42 - 0000000 ____D C:\ProgramData\VMware
2012-04-24 16:37 - 2010-02-11 08:02 - 0000000 ____D C:\users\owner
2012-04-24 16:37 - 2009-07-14 00:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-04-24 16:36 - 2012-04-24 16:36 - 3145089024 __ASH C:\hiberfil.sys
2012-04-24 14:55 - 2009-07-14 00:32 - 0000000 ____D C:\Windows\System32\WinBioPlugIns
2012-04-24 14:55 - 2009-07-14 00:32 - 0000000 ____D C:\Windows\Offline Web Pages
2012-04-24 14:55 - 2009-07-14 00:32 - 0000000 ____D C:\Windows\Downloaded Program Files
2012-04-24 14:55 - 2009-07-14 00:32 - 0000000 ____D C:\Windows\addins
2012-04-24 14:55 - 2009-07-14 00:32 - 0000000 ____D C:\Program Files\Windows Sidebar
2012-04-24 14:55 - 2009-07-14 00:32 - 0000000 ____D C:\Program Files\Windows Photo Viewer
2012-04-24 14:55 - 2009-07-14 00:32 - 0000000 ____D C:\Program Files\Windows Defender
2012-04-24 14:55 - 2009-07-14 00:32 - 0000000 ____D C:\Program Files\DVD Maker
2012-04-24 14:55 - 2009-07-14 00:32 - 0000000 ____D C:\Program Files (x86)\Windows Sidebar
2012-04-24 14:55 - 2009-07-14 00:32 - 0000000 ____D C:\Program Files (x86)\Windows Defender
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 __RSD C:\Windows\Media
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 __RHD C:\Users\Public\Libraries
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ___RD C:\users\Public
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\TAPI
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\SysWOW64\zh-TW
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\SysWOW64\zh-CN
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\SysWOW64\migwiz
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\SysWOW64\el-GR
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\SysWOW64\cs-CZ
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\SysWOW64\com
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\SysWOW64\bg-BG
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\SysWOW64\AdvancedInstallers
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\System32\zh-CN
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\System32\sysprep
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\System32\sv-SE
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\System32\sl-SI
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\System32\migwiz
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\System32\lt-LT
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\System32\ko-KR
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\System32\cs-CZ
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\System32\com
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\System32\AdvancedInstallers
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\servicing
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\rescache
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\L2Schemas
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\IME
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Program Files\Common Files\System
2012-04-24 14:55 - 2009-07-13 22:20 - 0000000 ____D C:\Program Files\Common Files\Services
2012-04-24 14:54 - 2010-02-17 15:32 - 0000000 ____D C:\Windows\SysWOW64\%COREALLUSERPATH%
2012-04-24 14:54 - 2009-08-25 03:35 - 0000000 ____D C:\Windows\SysWOW64\x64
2012-04-24 14:54 - 2009-07-14 00:37 - 0000000 ____D C:\Windows\SysWOW64\winrm
2012-04-24 14:54 - 2009-07-14 00:37 - 0000000 ____D C:\Windows\SysWOW64\WCN
2012-04-24 14:54 - 2009-07-14 00:37 - 0000000 ____D C:\Windows\System32\winrm
2012-04-24 14:54 - 2009-07-14 00:37 - 0000000 ____D C:\Windows\System32\WCN
2012-04-24 14:53 - 2012-03-20 09:33 - 0000000 ____D C:\Users\owner\petersons
2012-04-24 14:53 - 2012-03-20 09:33 - 0000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
2012-04-24 14:53 - 2012-03-20 09:33 - 0000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
2012-04-24 14:53 - 2012-03-20 09:33 - 0000000 ____D C:\Program Files (x86)\Test Prep
2012-04-24 14:53 - 2012-02-29 15:00 - 0000000 ____D C:\Users\owner\Desktop\redsn0w_win_0.9.10b5c
2012-04-24 14:53 - 2012-02-29 11:37 - 0000000 ____D C:\Users\owner\Desktop\redsn0w_win_0.9.10b1
2012-04-24 14:53 - 2012-02-26 02:58 - 0000000 ____D C:\Users\owner\Desktop\addins
2012-04-24 14:53 - 2012-02-23 13:42 - 0000000 ____D C:\Program Files\Hitman Pro 3.5
2012-04-24 14:53 - 2012-01-14 18:27 - 0000000 ____D C:\Program Files (x86)\WinSCP
2012-04-24 14:53 - 2011-12-15 10:56 - 0000000 ____D C:\Users\All Users\Hitman Pro
2012-04-24 14:53 - 2011-12-15 10:56 - 0000000 ____D C:\ProgramData\Hitman Pro
2012-04-24 14:53 - 2011-12-13 10:15 - 0000000 ____D C:\Program Files\CCleaner
2012-04-24 14:53 - 2011-12-13 00:47 - 0000000 ____D C:\Users\owner\AppData\Roaming\SUPERAntiSpyware.com
2012-04-24 14:53 - 2011-12-13 00:46 - 0000000 ____D C:\Program Files\SUPERAntiSpyware
2012-04-24 14:53 - 2011-12-08 09:46 - 0000000 ____D C:\Program Files (x86)\QuickTime
2012-04-24 14:53 - 2011-12-08 09:42 - 0000000 ____D C:\Program Files\iTunes
2012-04-24 14:53 - 2011-12-08 09:42 - 0000000 ____D C:\Program Files\iPod
2012-04-24 14:53 - 2011-11-10 18:36 - 0000000 ___RD C:\Users\owner\Dropbox
2012-04-24 14:53 - 2011-10-22 13:26 - 0000000 ____D C:\Program Files (x86)\TuneUpMedia
2012-04-24 14:53 - 2011-09-13 11:22 - 0000000 ____D C:\Program Files (x86)\MagicDisc
2012-04-24 14:53 - 2011-05-23 10:33 - 0000000 ____D C:\Program Files\IDT
2012-04-24 14:53 - 2011-05-11 22:57 - 0000000 ____D C:\Users\owner\AppData\Roaming\PureEdge
2012-04-24 14:53 - 2011-04-05 13:59 - 0000000 ____D C:\Users\owner\Documents\YSFLIGHT.COM
2012-04-24 14:53 - 2011-04-05 11:32 - 0000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-04-24 14:53 - 2011-04-05 11:32 - 0000000 ____D C:\ProgramData\Spybot - Search & Destroy
2012-04-24 14:53 - 2011-04-05 11:32 - 0000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
2012-04-24 14:53 - 2011-03-30 10:56 - 0000000 ____D C:\Users\owner\AppData\Roaming\VMware
2012-04-24 14:53 - 2010-12-05 01:34 - 0000000 ____D C:\Users\owner\AppData\Roaming\Malwarebytes
2012-04-24 14:53 - 2010-12-05 01:33 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-04-24 14:53 - 2010-11-11 20:35 - 0000000 ____D C:\Users\owner\AppData\Roaming\Yahoo!
2012-04-24 14:53 - 2010-11-11 20:30 - 0000000 ____D C:\Users\All Users\HP
2012-04-24 14:53 - 2010-11-11 20:30 - 0000000 ____D C:\ProgramData\HP
2012-04-24 14:53 - 2010-11-02 22:28 - 0000000 ____D C:\Users\owner\Documents\18 WoS Haulin
2012-04-24 14:53 - 2010-10-27 23:17 - 0000000 ____D C:\Program Files (x86)\Microsoft Office Suite Activation Assistant
2012-04-24 14:53 - 2010-10-27 23:14 - 0000000 ____D C:\Users\owner\AppData\Local\Microsoft Help
2012-04-24 14:53 - 2010-10-27 23:14 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-04-24 14:53 - 2010-10-27 23:14 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-04-24 14:53 - 2010-10-27 23:13 - 0000000 __RHD C:\MSOCache
2012-04-24 14:53 - 2010-09-28 20:14 - 0000000 __RSD C:\Users\owner\Documents\My Stationery
2012-04-24 14:53 - 2010-09-24 17:55 - 0000000 ____D C:\Users\owner\Desktop\redsn0w-win_0.9.4
2012-04-24 14:53 - 2010-09-20 22:23 - 0000000 ____D C:\Users\owner\Desktop\redsn0w-win_0.8
2012-04-24 14:53 - 2010-07-22 20:16 - 0000000 ____D C:\Program Files (x86)\WinRAR
2012-04-24 14:53 - 2010-07-12 21:17 - 0000000 ____D C:\Users\owner\Documents\Vuze Downloads
2012-04-24 14:53 - 2010-07-12 21:17 - 0000000 ____D C:\Users\owner\AppData\Roaming\Azureus
2012-04-24 14:53 - 2010-07-12 21:16 - 0000000 ____D C:\Program Files (x86)\Vuze
2012-04-24 14:53 - 2010-07-09 22:19 - 0000000 ____D C:\Program Files (x86)\iTunes
2012-04-24 14:53 - 2010-07-09 22:17 - 0000000 ____D C:\Program Files\Common Files\Apple
2012-04-24 14:53 - 2010-05-24 22:14 - 0000000 ____D C:\Program Files (x86)\LimeWire
2012-04-24 14:53 - 2010-05-11 20:26 - 0000000 ____D C:\Users\owner\Documents\Drive Green
2012-04-24 14:53 - 2010-03-15 19:24 - 0000000 ____D C:\Users\owner\AppData\Local\Adobe
2012-04-24 14:53 - 2010-02-11 11:48 - 0000000 ____D C:\Users\owner\AppData\Roaming\Mozilla
2012-04-24 14:53 - 2010-02-11 11:48 - 0000000 ____D C:\Users\owner\AppData\Local\Mozilla
2012-04-24 14:53 - 2010-02-11 11:47 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-04-24 14:53 - 2010-02-11 08:31 - 0000000 ____D C:\Users\owner\AppData\Local\Microsoft Games
2012-04-24 14:53 - 2010-02-11 08:25 - 0000000 ____D C:\Users\owner\AppData\Roaming\Adobe
2012-04-24 14:53 - 2010-02-11 08:25 - 0000000 ____D C:\Users\owner\AppData\Local\Sling_Media,_Inc
2012-04-24 14:53 - 2010-02-11 08:16 - 0000000 ____D C:\Users\owner\Documents\Webcam
2012-04-24 14:53 - 2010-02-11 08:15 - 0000000 ____D C:\Users\owner\AppData\Roaming\Macromedia
2012-04-24 14:53 - 2010-02-11 08:09 - 0000000 ____D C:\Program Files\Common Files\Symantec Shared
2012-04-24 14:53 - 2010-02-11 08:07 - 0000000 ____D C:\Users\owner\AppData\Local\VirtualStore
2012-04-24 14:53 - 2010-02-11 08:07 - 0000000 ____D C:\Users\owner\AppData\Local\Hewlett-Packard_Company
2012-04-24 14:53 - 2010-02-11 08:03 - 0000000 ____D C:\Users\owner\AppData\Local\Hewlett-Packard
2012-04-24 14:53 - 2010-02-11 08:02 - 0000000 ____D C:\Users\owner\AppData\LocalLow
2012-04-24 14:53 - 2009-08-25 04:27 - 0000000 ___RD C:\Users\Public\Recorded TV
2012-04-24 14:53 - 2009-08-25 03:38 - 0000000 ____D C:\Windows\System32\SRSLabs
2012-04-24 14:53 - 2009-08-25 03:36 - 0000000 ____D C:\Program Files\Synaptics
2012-04-24 14:53 - 2009-08-25 03:36 - 0000000 ____D C:\Program Files\LSI SoftModem
2012-04-24 14:53 - 2009-08-09 04:27 - 0000000 ____D C:\Program Files (x86)\NetZeroPreloader
2012-04-24 14:53 - 2009-08-09 04:26 - 0000000 ____D C:\Program Files (x86)\JunoPreloader
2012-04-24 14:53 - 2009-08-09 03:35 - 0000000 ____D C:\Users\All Users\CyberLink
2012-04-24 14:53 - 2009-08-09 03:35 - 0000000 ____D C:\ProgramData\CyberLink
2012-04-24 14:53 - 2009-08-09 03:35 - 0000000 ____D C:\Program Files (x86)\CyberLink
2012-04-24 14:53 - 2009-08-09 03:23 - 0000000 ____D C:\Program Files (x86)\Adobe
2012-04-24 14:53 - 2009-08-09 03:01 - 0000000 ____D C:\Users\All Users\Symantec
2012-04-24 14:53 - 2009-08-09 03:01 - 0000000 ____D C:\ProgramData\Symantec
2012-04-24 14:53 - 2009-08-09 02:50 - 0000000 ____D C:\Program Files (x86)\Microsoft Works
2012-04-24 14:53 - 2009-08-09 02:42 - 0000000 ___RD C:\Program Files (x86)\Online Services
2012-04-24 14:53 - 2009-08-09 02:42 - 0000000 ____D C:\Users\All Users\WildTangent
2012-04-24 14:53 - 2009-08-09 02:42 - 0000000 ____D C:\ProgramData\WildTangent
2012-04-24 14:53 - 2009-08-09 02:42 - 0000000 ____D C:\Program Files (x86)\HP Games
2012-04-24 14:53 - 2009-07-16 18:15 - 0000000 ___HD C:\SYSTEM.SAV
2012-04-24 14:53 - 2009-07-14 00:32 - 0000000 ____D C:\Windows\System32\restore
2012-04-24 14:53 - 2009-07-13 23:45 - 0000000 ____D C:\Windows\Setup
2012-04-24 14:53 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\System32\spp
2012-04-24 14:53 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\System32\spool
2012-04-24 14:53 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\System32\Speech
2012-04-24 14:53 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\System32\SMI
2012-04-24 14:53 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\System32\NDF
2012-04-24 14:53 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\System32\MUI
2012-04-24 14:53 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\Speech
2012-04-24 14:53 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\schemas
2012-04-24 14:53 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\Resources
2012-04-24 14:53 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\Globalization
2012-04-24 14:53 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\Branding
2012-04-24 14:53 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\AppCompat
2012-04-24 14:53 - 2009-07-13 22:20 - 0000000 ____D C:\Program Files\Common Files\Microsoft Shared
2012-04-24 14:53 - 2009-07-13 22:18 - 0000000 __SHD C:\$Recycle.Bin
2012-04-24 14:48 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\registration
2012-04-24 14:39 - 2009-07-14 00:32 - 0000000 ____D C:\Windows\SysWOW64\WindowsPowerShell
2012-04-24 14:39 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\Web
2012-04-24 14:39 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\Vss
2012-04-24 14:35 - 2009-07-14 00:32 - 0000000 ____D C:\Windows\System32\WindowsPowerShell
2012-04-24 14:34 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\System32\NetworkList
2012-04-24 14:34 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\System32\Msdtc
2012-04-24 14:32 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\System32\Dism
2012-04-24 14:31 - 2009-07-13 23:45 - 0000000 ____D C:\Windows\ServiceProfiles
2012-04-24 14:31 - 2009-07-13 22:20 - 0000000 ____D C:\Windows\security
2012-04-24 14:27 - 2010-07-09 22:19 - 0000000 ____D C:\Users\All Users\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-04-24 14:27 - 2010-07-09 22:19 - 0000000 ____D C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-04-24 14:27 - 2009-07-13 22:20 - 0000000 __RHD C:\users\Default
2012-04-24 14:26 - 2009-08-09 02:16 - 0000000 ____D C:\Users\All Users\Norton
2012-04-24 14:26 - 2009-08-09 02:16 - 0000000 ____D C:\ProgramData\Norton
2012-04-24 14:26 - 2009-07-14 00:32 - 0000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2012-04-24 14:26 - 2009-07-14 00:32 - 0000000 ____D C:\Program Files (x86)\Reference Assemblies
2012-04-24 14:26 - 2009-07-13 22:20 - 0000000 ____D C:\Program Files\Windows NT
2012-04-24 14:26 - 2009-07-13 22:20 - 0000000 ____D C:\Program Files\Common Files\SpeechEngines
2012-04-24 14:26 - 2009-07-13 22:20 - 0000000 ____D C:\Program Files (x86)\Windows NT
2012-04-24 14:25 - 2009-08-09 02:00 - 0000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-04-24 14:25 - 2009-07-14 00:32 - 0000000 ____D C:\Program Files (x86)\MSBuild
2012-04-24 14:23 - 2009-08-09 02:41 - 0000000 ___HD C:\HP
2012-04-24 13:28 - 2012-04-24 13:07 - 0000000 ____D C:\Users\All Users\Recovery
2012-04-24 13:28 - 2012-04-24 13:07 - 0000000 ____D C:\ProgramData\Recovery
2012-04-24 13:05 - 2012-04-24 13:01 - 0000000 ____D C:\Windows\System32\config\HiveBackup
2012-03-20 13:10 - 2009-08-25 03:32 - 1713707 ____A C:\Windows\WindowsUpdate.log
2012-03-20 09:33 - 2012-03-20 09:33 - 0000881 ____A C:\Users\Public\Desktop\Test Prep.lnk
2012-03-19 13:08 - 2009-07-13 23:45 - 0023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-03-19 13:08 - 2009-07-13 23:45 - 0023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-03-16 19:24 - 2009-07-14 00:13 - 0730528 ____A C:\Windows\System32\PerfStringBackup.INI
2012-03-15 13:21 - 2011-12-15 10:56 - 0023112 ____A C:\Windows\System32\Drivers\hitmanpro35.sys
2012-03-15 13:08 - 2012-02-29 13:53 - 0002728 ____A C:\Windows\PFRO.log
2012-03-15 10:45 - 2012-03-15 10:45 - 0012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2012-03-06 15:03 - 2011-02-23 22:42 - 0000344 ____A C:\Windows\Tasks\HPCeeScheduleForOWNER-PC$.job
2012-03-03 00:38 - 2011-01-26 18:43 - 0000052 ____A C:\Windows\SysWOW64\DOErrors.log
2012-03-03 00:33 - 2011-11-10 18:36 - 0001017 ____A C:\Users\owner\Desktop\Dropbox.lnk
2012-03-03 00:33 - 2011-11-10 18:34 - 0000997 ____A C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
2012-02-29 12:52 - 2012-02-29 12:02 - 0304540 ____A C:\Windows\ntbtlog.txt
2012-02-29 12:16 - 2012-01-10 10:36 - 0000334 ____A C:\Windows\Tasks\HPCeeScheduleForowner.job
2012-02-26 03:03 - 2012-02-26 03:03 - 0000000 ____A C:\Windows\setuperr.log
2012-02-23 16:11 - 2011-12-13 10:15 - 0000822 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-02-23 13:46 - 2011-12-15 11:00 - 0000426 ____A C:\Windows\System32\.crusader
2012-02-23 13:42 - 2012-02-23 13:42 - 0001974 ____A C:\Users\Public\Desktop\Hitman Pro 3.5.lnk
2012-02-23 13:34 - 2012-02-23 13:34 - 0001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-02-23 13:29 - 2012-02-23 13:29 - 0025160 ____A C:\Windows\System32\Drivers\hitmanpro36.sys

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 33%
Total physical RAM: 3999.19 MB
Available physical RAM: 2658.23 MB
Total Pagefile: 7996.52 MB
Available Pagefile: 6396.82 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:285.17 GB) (Free:184.88 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (RECOVERY) (Fixed) (Total:12.72 GB) (Free:2.13 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
5 Drive g: (FreeAgent Drive) (Fixed) (Total:298.09 GB) (Free:119.15 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 298 GB 1024 KB

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 285 GB 200 MB
Partition 3 Primary 12 GB 285 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 SYSTEM NTFS Partition 199 MB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C NTFS Partition 285 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 D RECOVERY NTFS Partition 12 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 298 GB 31 KB

======================================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 G FreeAgent D NTFS Partition 298 GB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-04-19 14:25

======================= End Of Log ==========================



Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 22-04-2012
Ran by SYSTEM at 2012-04-24 10:05:32 R:2
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SmartMenu Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\IgfxTray Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\HotKeysCmds Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Persistence Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SysTrayApp Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\IAAnotif Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SynTPEnh Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\HPCam_Menu Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\QlbCtrl.exe Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\NortonOnlineBackupReminder Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\UpdatePRCShortCut Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\Adobe Reader Speed Launcher Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\SunJavaUpdateSched Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\HP Software Update Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\HKLM-x32\...\Run: [] [x] Value not found.
HKLM-x32\\\.\.\.\\Run\\WirelessAssistant Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\VMware hqtray Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\masqform.exe Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\AppleSyncNotifier Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\BCSSync Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\APSDaemon Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\QuickTime Task Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\iTunesHelper Value deleted successfully.
HKEY_USERS\Default\Software\Microsoft\Windows\CurrentVersion\Run\\HPADVISOR Value not found.
HKEY_USERS\Default\Software\Microsoft\Windows\CurrentVersion\Policies\system\\WallpaperStyle Value not found.
HKEY_USERS\Default User\Software\Microsoft\Windows\CurrentVersion\Run\\HPADVISOR Value not found.
HKEY_USERS\Default User\Software\Microsoft\Windows\CurrentVersion\Policies\system\\WallpaperStyle Value not found.
HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Run\\HPADVISOR Value not found.
HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Run\\LightScribe Control Panel Value not found.
HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Run\\OfficeSyncProcess Value not found.
HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Run\\Messenger (Yahoo!) Value not found.
HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Run\\Skype Value not found.
HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Run\\iCloudServices Value not found.
HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Run\\SUPERAntiSpyware Value not found.
HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Run\\MobileDocuments Value not found.
HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeUpdater6 Value not found.
HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Policies\system\\WallpaperStyle Value not found.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore Value not found.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui Key deleted successfully.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\\DhcpNameServer Value deleted successfully.
!SASCORE service deleted successfully.
AESTFilters service deleted successfully.
Bonjour Service service deleted successfully.
hpsrv service deleted successfully.
Norton Internet Security service deleted successfully.
RichVideo service deleted successfully.
SBSDWSCService service deleted successfully.
STacSV service deleted successfully.
VMAuthdService service deleted successfully.
VMnetDHCP service deleted successfully.
VMUSBArbService service deleted successfully.
VMware NAT Service service deleted successfully.
ufad-ws60 service deleted successfully.
Accelerometer service deleted successfully.
BHDrvx64 service deleted successfully.
ccHP service deleted successfully.
eeCtrl service deleted successfully.
enecir service deleted successfully.
hcmon service deleted successfully.
hpdskflt service deleted successfully.
IDSVia64 service deleted successfully.
libusb0 service deleted successfully.
mcdbus service deleted successfully.
mcdbus service not found.
Netaapl service deleted successfully.
NETw1v64 service deleted successfully.
SASDIFSV service deleted successfully.
SASKUTIL service deleted successfully.
SRTSP service deleted successfully.
SRTSPX service deleted successfully.
SymEFA service deleted successfully.
SymEvent service deleted successfully.
SymIM service deleted successfully.
SYMTDI service deleted successfully.
vmkbd service deleted successfully.
VMnetAdapter service deleted successfully.
VMnetBridge service deleted successfully.
VMnetuserif service deleted successfully.
vmx86 service deleted successfully.
vstor2-ws60 service deleted successfully.
eabfiltr service deleted successfully.
NAVENG service deleted successfully.
NAVEX15 service deleted successfully.
RtsUIR service deleted successfully.
SYMFW service deleted successfully.
SYMNDISV service deleted successfully.
USBCCID service deleted successfully.
Could not move C:\FRST.
C:\REMOVE_THIS_FILE.livecd.swap not found.
C:\Kaspersky Rescue Disk 10.0 not found.
C:\Windows\System32\Drivers\atapi.sys not found.
C:\Users\All Users\Recovery moved successfully.
C:\ProgramData\Recovery not found.
C:\TDSSKiller.2.7.29.0_19.04.2012_13.52.36_log.txt not found.
C:\NVIDIA not found.
C:\Program Files\Eagle Dynamics not found.
C:\Users\owner\Desktop\DCS.ENG not found.
C:\Users\owner\Documents\Dr. Brown Midterm1.docx not found.
C:\Users\owner\Documents\Dedrick Powel12.docx not found.
C:\Windows\LastGood not found.
C:\Users\Public\Desktop\Safari.lnk not found.
C:\Program Files (x86)\Safari not found.
C:\Program Files\iTunes not found.
C:\Program Files\iPod not found.
C:\Users\Public\Desktop\iTunes.lnk not found.
C:\Users\All Users\Recovery not found.
C:\ProgramData\Recovery not found.
C:\Users\owner\Desktop\DCS.ENG not found.
C:\REMOVE_THIS_FILE.livecd.swap not found.
C:\Kaspersky Rescue Disk 10.0 not found.
C:\$Recycle.Bin not found.
C:\Windows\LastGood not found.
C:\Users\owner\AppData\Roaming\Azureus not found.
C:\Users\owner\AppData\Local\Hewlett-Packard not found.
C:\users\owner not found.
C:\Users\Public\Recorded TV not found.
C:\Users\All Users\Symantec not found.
C:\ProgramData\Symantec not found.
C:\Windows\System32\sysprep not found.
C:\Windows\registration not found.
C:\Windows\AppCompat not found.
C:\Users\owner\AppData\Roaming\Skype not found.
C:\MSOCache not found.
C:\Users\owner\AppData\Local\Adobe not found.
C:\hiberfil.sys not found.
C:\TDSSKiller.2.7.29.0_19.04.2012_13.52.36_log.txt not found.
C:\Users\owner\AppData\Roaming\HpUpdate not found.
C:\Users\owner\AppData\Roaming\Apple Computer not found.
C:\Users\All Users\HPWALog.txt not found.
C:\ProgramData\HPWALog.txt not found.
C:\Windows\System32\config\TxR not found.
C:\Users\owner\Desktop\Quants not found.
C:\Users\owner\Desktop\Contemp not found.
C:\NVIDIA not found.
C:\Program Files\Eagle Dynamics not found.
C:\Users\owner\Documents\Dr. Brown Midterm1.docx not found.
C:\Windows\WindowsUpdate.log not found.
C:\Windows\setupact.log not found.
C:\Windows\Tasks\HPCeeScheduleForOWNER-PC$.job not found.
C:\Users\owner\Documents\Dedrick Powel12.docx not found.
C:\Users\owner\AppData\Roaming\Dropbox not found.
C:\Windows\SysWOW64\DOErrors.log not found.
C:\Windows\System32\NDF not found.
C:\Users\owner\AppData\Local\Apple Computer not found.
C:\Windows\Tasks\HPCeeScheduleForowner.job not found.
C:\Windows\System32\PerfStringBackup.INI not found.
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 not found.
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 not found.
C:\Users\Public\Desktop\Safari.lnk not found.
C:\Program Files (x86)\Safari not found.
C:\Users\Public\Desktop\iTunes.lnk not found.
C:\Program Files\iTunes not found.
C:\Program Files\iPod not found.
C:\Program Files (x86)\iTunes not found.
C:\Windows\setuperr.log not found.
C:\Users\owner\AppData\Roaming\TuneUpMedia not found.
C:\Users\owner\Dropbox not found.
C:\Users\All Users\VMware not found.
C:\ProgramData\VMware not found.
C:\Users\owner\AppData\Roaming\LimeWire not found.
C:\Windows\Tasks\SA.DAT not found.
C:\Users\owner\AppData\Roaming\Thumbs.db not found.
C:\Program Files\SUPERAntiSpyware not found.
C:\Windows\System32\Drivers\hitmanpro35.sys not found.
C:\Windows\System32\Drivers\Msft_Kernel_netaapl64_01009.Wdf not found.
C:\Users\owner\petersons not found.
C:\Users\Public\Desktop\Test Prep.lnk not found.
C:\Users\Default\AppData\Roaming\Macromedia not found.
C:\Users\Default User\AppData\Roaming\Macromedia not found.
C:\Program Files (x86)\Test Prep not found.
C:\Program Files (x86)\Adobe not found.
C:\Users\owner\AppData\Roaming\Adobe not found.
C:\Users\All Users\TuneUpMedia not found.
C:\ProgramData\TuneUpMedia not found.
C:\Windows\System32\bootdelete.exe not found.
C:\Users\All Users\Hitman Pro not found.
C:\ProgramData\Hitman Pro not found.
C:\Users\owner\Desktop\addins not found.
C:\Users\owner\AppData\Local\Microsoft Help not found.
C:\Users\owner\Documents\Vuze Downloads not found.
C:\Users\owner\Desktop\Dropbox.lnk not found.
C:\Users\owner\Start Menu\Programs\Startup\Dropbox.lnk not found.
C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk not found.
C:\Users\owner\AppData\Roaming\redsn0w not found.
C:\Users\owner\AppData\Roaming\UserTile.png not found.
C:\Users\owner\Desktop\redsn0w_win_0.9.10b1 not found.
C:\Users\owner\AppData\Roaming\winscp.rnd not found.
C:\Users\owner\Desktop\VA Enrollment and Information Forms.pdf not found.
C:\Users\All Users\Spybot - Search & Destroy not found.
C:\ProgramData\Spybot - Search & Destroy not found.
C:\Users\Public\Desktop\CCleaner.lnk not found.
C:\Program Files\CCleaner not found.
C:\Windows\System32\.crusader not found.
C:\Users\Public\Desktop\Hitman Pro 3.5.lnk not found.
C:\Program Files\Hitman Pro 3.5 not found.
C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk not found.
C:\Program Files (x86)\Malwarebytes' Anti-Malware not found.
C:\Windows\System32\Drivers\hitmanpro36.sys not found.
C:\Users\All Users\HitmanPro not found.
C:\ProgramData\HitmanPro not found.
C:\Windows\System32\usbaaplrc.dll not found.
C:\Windows\System32\Drivers\usbaapl64.sys not found.
C:\Users\owner\Desktop\Marketing not found.
C:\Users\owner\Desktop\redsn0w_win_0.9.10b5c not found.
C:\Users\owner\Documents\Webcam not found.
C:\Users\owner\Desktop\taxform.pdf not found.
C:\Users\owner\Desktop\theme not found.
C:\Users\owner\Desktop\Org Behavior not found.
C:\Users\owner\Documents\award.docx not found.
C:\Users\owner\Documents\Group 3_Singapore.pptx not found.
C:\Windows\System32\winlogon.exe => MD5 is legit not found.
C:\Windows\System32\wininit.exe => MD5 is legit not found.
C:\Windows\SysWOW64\wininit.exe => MD5 is legit not found.
C:\Windows\explorer.exe => MD5 is legit not found.
C:\Windows\SysWOW64\explorer.exe => MD5 is legit not found.
C:\Windows\System32\svchost.exe => MD5 is legit not found.
C:\Windows\SysWOW64\svchost.exe => MD5 is legit not found.
C:\Windows\System32\User32.dll => MD5 is legit not found.
C:\Windows\SysWOW64\User32.dll => MD5 is legit not found.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit not found.

========================= Total Pagefile: 3997.34 MB ========================

====== End Of File: ======

========================= Available Pagefile: 3263.27 MB ========================

====== End Of File: ======

An error occurred while attempting to delete the specified data element.
Element not found.
The operation completed successfully.
DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:50 PM

Posted 24 April 2012 - 05:31 PM

You have run the fix twice. It takes a lot of effort to restore all of them.

I can still see what I can do. But I want you to do two things until we are done:

1. Don't do anything on your own.
2. Please read the instructions and follow them to the letter. It is hard enough to do this and I need your full attention.

Please go to C:\FRST\Logs

Inside it there are two Fixlog_Date_Time.txt files.
I need you to attach the first one. You have already posted the second one.

#10 A-10 (Topic Starter)

Posted 24 April 2012 - 09:29 PM

Hey, I'm back. You have my undivided attention. I promise. Here is the attachment you requested.

Attached Files



#11 Farbar

Posted 25 April 2012 - 05:09 AM

Important: The fix should be run from recovery environment and not from normal mode or safe mode.

Please download the attached file fixlist.txt (2.65 KB) and save it to your flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type g:\frst64 and press Enter.
  • Press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

#12 A-10 (Topic Starter)

Posted 25 April 2012 - 08:52 AM

Ok, here is the requested information:


Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 22-04-2012
Ran by SYSTEM at 2012-04-25 08:48:44 R:3
Running from G:\

==============================================


========= move /y c:\frst\quarantine\REMOVE_THIS_FILE.livecd.swap C:\ =========

1 file(s) moved.

========= End of CMD: =========


========= move /y c:\frst\quarantine\Recovery "C:\Users\All Users" =========

Access is denied.

========= End of CMD: =========


========= move /y c:\frst\quarantine\NVIDIA C:\ =========

1 dir(s) moved.

========= End of CMD: =========


========= move /y "c:\frst\quarantine\Eagle Dynamics" "C:\Program Files" =========

1 dir(s) moved.

========= End of CMD: =========


========= move /y c:\frst\quarantine\owner C:\users =========

Access is denied.

========= End of CMD: =========


========= move /y c:\frst\quarantine\DCS.ENG C:\Users\owner\Desktop =========

1 dir(s) moved.

========= End of CMD: =========


========= move /y "c:\frst\quarantine\Dr. Brown Midterm1.docx" C:\Users\owner\Documents =========

1 file(s) moved.

========= End of CMD: =========


========= move /y "c:\frst\quarantine\Dedrick Powel12.docx" C:\Users\owner\Documents =========

1 file(s) moved.

========= End of CMD: =========


========= move /y c:\frst\quarantine\Safari.lnk C:\Users\Public\Desktop =========

The system cannot find the file specified.

========= End of CMD: =========


========= move /y c:\frst\quarantine\Safari "C:\Program Files (x86)" =========

1 dir(s) moved.

========= End of CMD: =========


========= move /y c:\frst\quarantine\iTunes "C:\Program Files" =========

Access is denied.

========= End of CMD: =========


========= move /y c:\frst\quarantine\iPod "C:\Program Files" =========

Access is denied.

========= End of CMD: =========


========= move /y c:\frst\quarantine\iTunes.lnk C:\Users\Public\Desktop =========

The system cannot find the file specified.

========= End of CMD: =========


========= move /y c:\frst\quarantine\Hewlett-Packard C:\Users\owner\AppData\Local =========

Access is denied.

========= End of CMD: =========


========= move /y "c:\frst\quarantine\Recorded TV" C:\Users\Public =========

Access is denied.

========= End of CMD: =========


========= move /y c:\frst\quarantine\Symantec "C:\Users\All Users" =========

Access is denied.

========= End of CMD: =========


========= move /y c:\frst\quarantine\sysprep C:\Windows\System32 =========

Access is denied.

========= End of CMD: =========


========= move /y c:\frst\quarantine\registration C:\Windows =========

Access is denied.

========= End of CMD: =========


========= move /y c:\frst\quarantine\AppCompat C:\Windows\ =========

Access is denied.

========= End of CMD: =========


========= move /y c:\frst\quarantine\MSOCache C:\ =========

The system cannot find the file specified.

========= End of CMD: =========


========= move /y c:\frst\quarantine\TxR C:\Windows\System32\config\ =========

1 dir(s) moved.

========= End of CMD: =========


========= move /y c:\frst\quarantine\WindowsUpdate.log C:\Windows\ =========

1 file(s) moved.

========= End of CMD: =========


========= move /y c:\frst\quarantine\setupact.log C:\Windows\ =========

1 file(s) moved.

========= End of CMD: =========


========= move /y c:\frst\quarantine\HPCeeScheduleForOWNER-PC$.job C:\Windows\Tasks\ =========

1 file(s) moved.

========= End of CMD: =========


========= move /y c:\frst\quarantine\DOErrors.log C:\Windows\SysWOW64\ =========

1 file(s) moved.

========= End of CMD: =========


========= move /y c:\frst\quarantine\NDF C:\Windows\System32\ =========

Access is denied.

========= End of CMD: =========


========= move /y c:\frst\quarantine\HPCeeScheduleForowner.job C:\Windows\Tasks\ =========

1 file(s) moved.

========= End of CMD: =========


========= move /y c:\frst\quarantine\PerfStringBackup.INI C:\Windows\System32\ =========

The system cannot find the file specified.

========= End of CMD: =========


========= move /y c:\frst\quarantine\iTunes "C:\Program Files (x86)" =========

Access is denied.

========= End of CMD: =========


========= move /y c:\frst\quarantine\ C:\Windows\setuperr.log =========

The system cannot find the file specified.

========= End of CMD: =========


========= move /y c:\frst\quarantine\VMware "C:\Users\All Users" =========

Access is denied.

========= End of CMD: =========


========= move /y c:\frst\quarantine\Msft_Kernel_netaapl64_01009.Wdf C:\Windows\System32\Drivers =========

1 file(s) moved.

========= End of CMD: =========


========= move /y "c:\frst\quarantine\Test Prep.lnk" C:\Users\Public\Desktop =========

The system cannot find the file specified.

========= End of CMD: =========


========= move /y c:\frst\quarantine\Macromedia C:\Users\Default\AppData\Roaming\ =========

Access is denied.

========= End of CMD: =========


========= move /y "c:\frst\quarantine\Test Prep" "C:\Program Files (x86)" =========

Access is denied.

========= End of CMD: =========


========= move /y c:\frst\quarantine\Adobe "C:\Program Files (x86)" =========

Access is denied.

========= End of CMD: =========


========= move /y c:\frst\quarantine\TuneUpMedia "C:\Users\All Users" =========

1 dir(s) moved.

========= End of CMD: =========


========= move /y c:\frst\quarantine\bootdelete.exe C:\Windows\System32\ =========

The system cannot find the file specified.

========= End of CMD: =========


========= move /y c:\frst\quarantine\.crusader C:\Windows\System32\ =========

1 file(s) moved.

========= End of CMD: =========


========= move /y c:\frst\quarantine\usbaaplrc.dll C:\Windows\System32\ =========

The system cannot find the file specified.

========= End of CMD: =========


========= move /y c:\frst\quarantine\usbaapl64.sys C:\Windows\System32\Drivers =========

The system cannot find the file specified.

========= End of CMD: =========


==== End of Fixlog ====

#13 Farbar

Posted 25 April 2012 - 09:41 AM

As you may notice, we could recover some of the moved files. The system doesn't allow us to restore some others. This is as far as we can go automatically. Programs like Malwarebytes and CCleaner can easily be reinstalled. In case any important file is missing you can take a look inside the following folder:

C:\FRST\Quarantine

FRST doesn't delete any file or folder. It moves them to the above folder as a backup.

I wish I could help you more. When you used the scan result of FRST as fixlist.txt, you were very lucky to remove the infection and restore the system without a major blow to it.

Do you have any questions before we round off?
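
The restore fixlist that post #11 had you run, and the quarantine behaviour post #13 describes, can be reconstructed mechanically from the damaging Fixlog. The following is an added example, not FRST's own code and not something posted in this thread: it parses Fixlog lines of the form seen above ("<path> moved successfully.", "<name> service deleted successfully.", "<path> not found.") and emits the reverse `move /y c:\frst\quarantine\<basename> <original folder>` commands. It assumes two things inferred from the posted log rather than stated on the page: that `CMD:` is the fixlist prefix FRST uses to run a cmd.exe command (the log prints "End of CMD:" after each one), and that the 2012-era quarantine is flat, storing each item under its basename (the posted move commands all read `c:\frst\quarantine\<basename>`). The sample log inside the block is constructed from a handful of lines in the thread, not the full log.

```python
r"""Rebuild an FRST restore fixlist from a Fixlog (added example, not FRST code).

FRST writes one result line per fixlist entry. Items it moves land flat in
C:\FRST\Quarantine under their basename, which is why a restore fixlist
reads `CMD: move /y c:\frst\quarantine\<basename> <original folder>`.
Assumptions: `CMD:` is the directive for running a cmd.exe command, and
deleted services and registry entries cannot be undone by a move, so they
are only counted here.
"""
import re
from collections import Counter

QUARANTINE = r"c:\frst\quarantine"

# Constructed sample in the Fixlog format seen in this thread (a few lines, not the real log).
SAMPLE_FIXLOG = r"""
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\\DhcpNameServer Value deleted successfully.
Norton Internet Security service deleted successfully.
mcdbus service not found.
C:\NVIDIA moved successfully.
C:\Program Files\Eagle Dynamics moved successfully.
C:\Users\owner\Documents\Dr. Brown Midterm1.docx moved successfully.
C:\Windows\System32\Drivers\atapi.sys moved successfully.
C:\Users\All Users\Recovery moved successfully.
C:\ProgramData\Recovery not found.
C:\Windows\System32\winlogon.exe => MD5 is legit not found.
"""

MOVED = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) moved successfully\.$")
SERVICE_DELETED = re.compile(r"^.+? service deleted successfully\.$")
REG_DELETED = re.compile(r"^HKEY_.+? (?:Value|Key) deleted successfully\.$")


def split_path(path):
    """Return (parent folder, basename) of a Windows path; root items keep 'C:\\' as parent."""
    parent, _, name = path.rpartition("\\")
    if parent.endswith(":"):
        parent += "\\"
    return parent, name


def quote(arg):
    """Quote a cmd.exe argument only when it contains a space, matching the thread's fixlist."""
    return f'"{arg}"' if " " in arg else arg


def parse_fixlog(text):
    """Return (paths moved to quarantine, Counter of what else the fix did)."""
    moved, summary = [], Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MOVED.match(line)
        if m:
            moved.append(m.group("path"))
            summary["moved"] += 1
        elif SERVICE_DELETED.match(line):
            summary["service_deleted"] += 1
        elif REG_DELETED.match(line):
            summary["registry_deleted"] += 1
        elif line.endswith(" not found."):
            summary["not_found"] += 1
    return moved, summary


def restore_fixlist(moved_paths, skip=("atapi.sys",)):
    """Return (fixlist lines, notes) that move quarantined items back to their folders.

    `skip` lists basenames to leave in quarantine; atapi.sys is the default
    because the thread advises against restoring it. Because quarantine is
    flat, two items with the same basename from different folders collide;
    the second one is reported in `notes` for manual handling rather than
    being restored to the wrong place.
    """
    skip_lc = {s.lower() for s in skip}
    lines, notes, seen = [], [], {}
    for path in moved_paths:
        parent, name = split_path(path)
        key = name.lower()
        if key in skip_lc:
            notes.append(f"skipped {path} (kept in quarantine)")
            continue
        if key in seen:
            notes.append(f"collision: {name} quarantined from both {seen[key]} and {parent}; restore by hand")
            continue
        seen[key] = parent
        lines.append(f"CMD: move /y {quote(f'{QUARANTINE}' + chr(92) + name)} {quote(parent)}")
    return lines, notes


if __name__ == "__main__":
    paths, counts = parse_fixlog(SAMPLE_FIXLOG)
    print(dict(counts))
    fixlist, warnings = restore_fixlist(paths)
    print("\n".join(fixlist + warnings))
```

Run against a real Fixlog, the generated lines go into fixlist.txt on the flash drive and FRST is started from the recovery environment as post #11 describes. The script cannot predict the "Access is denied" results that several of the thread's restores hit when run as SYSTEM from WinRE, so the Fixlog from the restore run still has to be read afterwards; anything reported as denied is still sitting in C:\FRST\Quarantine.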

#14 A-10 (Topic Starter)

Posted 25 April 2012 - 10:04 AM

WOW!!!! You have really been a big help. I can't thank you enough. Just a few questions though,

1. I have Malwarebytes, CCleaner and SuperAntiSpyware installed; is there anything else I should use to clean up my computer? And will doing another scan and fix do this to my computer again (all of this started with the detection of a rootkit and using AVG tdsskiller to remove it)?

2. Can the files in the C:\FRST\quarantine folder be safely restored to the appropriate areas?

3. How can I prevent this from happening again?

4. Ways to improve computer's performance?

#15 Farbar

Posted 25 April 2012 - 10:45 AM

1. I have Malwarebytes, CCleaner and SuperAntiSpyware installed; is there anything else I should use to clean up my computer? And will doing another scan and fix do this to my computer again (all of this started with the detection of a rootkit and using AVG tdsskiller to remove it)?


You don't really need SuperAntiSpyware. I recommend you uninstall it. Malwarebytes does the job.

Besides Malwarebytes you need an antivirus. You need to install an antivirus program to have proper protection. I recommend this good free antivirus:

Please download and install Microsoft Security Essentials.
After installing and updating please run a quick scan.

2. Can the files in the C:\FRST\quarantine folder be safely restored to the appropriate areas?

Yes they can. I saw only atapi.sys removed. You had better not restore that file.

3. How can I prevent this from happening again?

Besides an antivirus and Malwarebytes I recommend the following:

Recommendations:
  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.
  • I recommend installing this small application for safe surfing: Javacool's SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
      • Download and install it.
      • Update it manually by clicking on Updates in the left pane and then Check for Updates.
      • Then enable all the protections by clicking on Protection Status in the left pane. Then click on Enable All Protection.
      • The free version doesn't have an automatic update. Update it once every two or three weeks and enable all protection again.

4. Ways to improve computer's performance?

CCleaner removes the junk, and a defragmentation once in a while should do the job. I don't recommend those commercial products claiming they can improve the performance.

Happy Surfing A-10. :)



