
Trojan removal attempt -- now real problems


This topic is locked
70 replies to this topic

#1 SkypilotDown

Posted 25 April 2012 - 04:32 PM

Hi, I hope I'm posting in the right place:

Lenovo t400
Vista 32 OS

A day ago I started getting browser redirects to happili.com

I ran malwarebytes, which found the (apparent) Trojan and needed to reboot to remove it, however on reboot I recall there was an issue and the browser redirects continued.

Malwarebytes could no longer find anything though, and neither could Spybot S&D, or TDSSKiller.

I searched around and found a suggestion to try Panda Security's free remover for that (pretty sure it was Panda Anti-Rootkit). I ran it and it requested a reboot; it said something about a library or DLL file, perhaps? I don't remember exactly.

Now, however, when I try to boot, after I log in at the Vista user login screen I get a blue screen that says it is shutting down to protect my system. It will then continue doing this unless I try to go to safe mode; then I am forced to go directly to Lenovo's ThinkVantage Rescue and Recovery.

I am afraid to try anything else without further advice. I'd like to not have to restore my system if possible but can't even boot to safe mode.

If someone can help me out of this jam I'd be forever grateful.

Edit: the more I Google around about this, the more I think the Panda Anti-Rootkit caused the issue (maybe because it is not compatible with the system?).

Edited by SkypilotDown, 25 April 2012 - 05:07 PM.



#2 CatByte
  • Malware Response Team

Posted 25 April 2012 - 05:21 PM

Hi,

Please do the following:

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 SkypilotDown
  • Topic Starter

Posted 26 April 2012 - 04:57 PM

Thanks for your reply.

I can't seem to be able to access the flash drive the file is on.

When I boot the computer and press F8 it seems to ignore it. If I type it very fast I can get into a "BIOS setup utility." My only other option is to hit the thinkVantage button on startup and go into its rescue and recovery program.

Something I have noticed is I used to have a BIOS password -- I no longer get the prompt to enter that, even though it will continue booting until the windows login screen. At that point I get the blue screen telling me that my computer is being shut down to protect it.

What would you suggest I try next? Thanks for your assistance!!

#4 CatByte

Posted 26 April 2012 - 05:14 PM

do you have access to an installation disk so you can access the Recovery Environment that way?

On boot up if you tap F8 repeatedly what happens?



#5 SkypilotDown

Posted 26 April 2012 - 07:07 PM

No, I don't think I have access to an installation disk.

If I tap F8 repeatedly I get the following message:

ERROR
0210: Stuck Key 42
Press <F1> to setup


Then if I press F1 I get taken to the BIOS Setup Utility


I'm assuming this is because I'm pressing the key so quickly.

Otherwise, if I press F8 slightly slower it seems to have no effect, and I see the same thing as if I didn't press any keys: I can see the page that normally allows you to choose safe mode, but it flickers for maybe a tenth of a second (if that) before continuing to load in normal mode. Almost as if it's choosing normal over safe mode instantaneously.

EDIT: I hit Escape after the stuck key error warning, then continued with F8, and I seem to have gotten somewhere! Will report back soon, thanks.

Edited by SkypilotDown, 26 April 2012 - 07:10 PM.


#6 CatByte

Posted 26 April 2012 - 07:24 PM

> then i am forced to go directly to lenovo's thinkvantage rescue and recovery.

are you referring to the recovery partition here that will reformat your computer?



try the following:


Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download dumpit to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.
Please include the following in your next post:
  • Attach the mbr.zip file located on your USB drive


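The xPUD/dumpit procedure above ends with an mbr.zip, a copy of the first sector of the disk, and the analyst's job is then to decide whether that sector is the boot code Windows wrote or something that replaced it. The following is an added example, not part of this thread and not dumpit's or FRST's own code: a Python parser that reads such a dump, decodes the partition table and compares a hash of the bootstrap code against a set of known-good values. It assumes the archive contains a single raw 512-byte sector (an assumption about dumpit's output format); the sample sector, its partition entry and the "known-good" hash are constructed inline for the demonstration.

```python
import hashlib
import io
import struct
import zipfile

MBR_SIZE = 512
PART_TABLE_OFFSET = 446      # four 16-byte entries at 446..509
PART_ENTRY_SIZE = 16
BOOTSTRAP_LEN = 440          # bytes 0..439 are code; 440..443 disk signature; 444..445 reserved
BOOT_SIGNATURE = b"\x55\xaa"

PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x12: "OEM recovery",
                   0x27: "Windows recovery", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}


def read_mbr_dump(blob: bytes) -> bytes:
    """Return the raw 512-byte sector from either a raw dump or a zip holding one file
    (assumption: dumpit's mbr.zip wraps a single raw sector)."""
    if blob[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = [n for n in zf.namelist() if not n.endswith("/")]
            if len(names) != 1:
                raise ValueError(f"expected one file in the archive, found {names}")
            blob = zf.read(names[0])
    if len(blob) < MBR_SIZE:
        raise ValueError(f"dump is {len(blob)} bytes; need at least {MBR_SIZE}")
    return blob[:MBR_SIZE]


def parse_mbr(blob: bytes) -> dict:
    """Decode signature, disk signature, bootstrap hash and the non-empty partition slots."""
    sector = read_mbr_dump(blob)
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # empty slot
        partitions.append({"index": i, "status": status, "bootable": status == 0x80, "type": ptype,
                           "type_name": PARTITION_TYPES.get(ptype, "unknown"),
                           "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "disk_signature": struct.unpack_from("<I", sector, 440)[0],
            "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
            "partitions": partitions}


def triage_mbr(parsed: dict, known_good_bootstrap: set) -> list:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    if not parsed["signature_ok"]:
        findings.append("missing 0x55AA boot signature: dump is not a valid MBR sector")
    if parsed["bootstrap_sha256"] not in known_good_bootstrap:
        findings.append(f"bootstrap code hash {parsed['bootstrap_sha256'][:16]}... not in the known-good set")
    active = [p for p in parsed["partitions"] if p["bootable"]]
    if len(active) > 1:
        findings.append(f"{len(active)} partitions flagged active; standard boot code expects one")
    for p in parsed["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']} has non-standard status byte 0x{p['status']:02x}")
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']} has a zero start or length")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in parsed["partitions"])
    for (s1, e1, i1), (_s2, _e2, i2) in zip(spans, spans[1:]):
        if _s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sector: stub bootstrap (not real boot code), one active NTFS partition at LBA 2048."""
    sector = bytearray(MBR_SIZE)
    sector[:8] = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
    struct.pack_into("<I", sector, 440, 0x1234ABCD)
    struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFFSET, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def build_sample_zip() -> bytes:
    """The same constructed sector wrapped the way a dump tool would hand it over."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mbr.bin", build_sample_mbr())
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip()
    parsed = parse_mbr(blob)
    print(parsed)
    print(triage_mbr(parsed, {parse_mbr(build_sample_mbr())["bootstrap_sha256"]}) or ["no findings"])
```

The check that carries weight is the bootstrap hash: Windows writes the same MBR code on every install of a given version, so the reference set should come from a clean machine of the same Windows build, and OEM tools (Rescue and Recovery, for instance) may ship their own boot code, so expect a short list of legitimate values rather than exactly one. A rewritten bootstrap with an intact partition table is what an MBR bootkit looks like, and it is invisible to a file-level scan, which is why the responder asks for the sector itself rather than another AV log.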

#7 CatByte

Posted 26 April 2012 - 07:26 PM

hi,

please continue on with FRST if you are able to boot to the recovery environment and disregard my last post

please add a new post if you have further information for me, as I don't get notified for post edits

thanks



#8 SkypilotDown

Posted 27 April 2012 - 12:48 AM

I apologize for my sloppy edit of my post.

I am now able to get into safe mode. I have also created a FRST.txt file as instructed.

Is it okay to try to access the Internet through safe mode? This would make things easier, as I currently have to wait to post here from a work computer. Otherwise I'd post the FRST.txt file right now (I'm doing this with an iPad).

All I have done so far since gaining access to safe mode is run malwarebytes (found nothing). I'm currently doing an Avast full system scan. I hope it's ok that I'm doing that, I'll post results in a new post.

I also found the specific software I ran right before I started getting blue screens on attempted vista startup: Yorkyt.exe from panda security.
Their site is: http://www.pandasecurity.com/enterprise/support/card?id=1672&idIdioma=2

On their site they list step 4 as:
A reboot will be requested to install a driver.

It was on that reboot that I recall the problems started with the blue screens. Could be unrelated but I mention it just because my ignorant hunch is that it wasn't the browser redirect Trojan/virus that caused the serious issues but rather that damn panda program.

One last thing: in a previous post I said I lost access to a BIOS password. Not sure if it matters, but please disregard that; I think I was mistaken.

Thanks so much for your help so far! Sorry for all this info and no FRST file yet, still in panic mode since I have so much important data on this computer so just wanted to give a rambling update and see if it's okay to use the Internet in safe mode for posting here.

#9 SkypilotDown

Posted 27 April 2012 - 06:14 AM

I guess what I meant to say was is it okay for me to boot to safe mode with networking in order to post here?

#10 CatByte

Posted 27 April 2012 - 07:13 AM

Yes,

It's OK to boot into safe mode with networking to post here

Please don't run any more scans on your own.

Please try and be patient while I come up with a fix.

This requires a customized fix that your AV or other tools won't be able to resolve; they just might make it harder for me to fix.



#11 SkypilotDown

Posted 27 April 2012 - 04:37 PM

I was unable to get an internet connection using safe mode with networking, so am doing so from another computer. Here is the frst.txt file:

Scan result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 22-04-2012
Ran by SYSTEM at 27-04-2012 10:07:36
Running from G:\
Windows Vista ™ Ultimate Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [820520 2007-11-21] (Synaptics, Inc.)
HKLM\...\Run: [] [x]
HKLM\...\Run: [TpShocks] TpShocks.exe [x]
HKLM\...\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe [68976 2008-09-30] (Lenovo Group Limited)
HKLM\...\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe [242976 2008-06-04] (Lenovo Group Ltd.)
HKLM\...\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe [487424 2008-05-24] (Lenovo Group Limited)
HKLM\...\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe [165208 2008-09-01] (Lenovo Group Limited)
HKLM\...\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe [124248 2008-09-01] (Lenovo Group Limited)
HKLM\...\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor [640288 2008-11-20] (Lenovo Group Limited)
HKLM\...\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog [214576 2008-07-28] ()
HKLM\...\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe [431392 2008-10-27] (Lenovo)
HKLM\...\Run: [ACWlIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWlIcon.exe [148768 2008-10-27] (Lenovo)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [150040 2008-09-12] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [178712 2008-09-12] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [154136 2008-09-12] (Intel Corporation)
HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [61440 2008-01-21] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [FingerPrintSoftware] "C:\Program Files\Lenovo Fingerprint Software\fpapp.exe" \s [1527808 2008-10-26] (AuthenTec)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1797008 2010-07-21] (Microsoft Corporation)
HKLM\...\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui [3744552 2011-11-28] (AVAST Software)
HKLM\...\Run: [VX3000] C:\Windows\vVX3000.exe [757248 2009-06-26] (Microsoft Corporation)
HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [KeePass 2 PreLoad] "C:\Program Files\KeePass Password Safe 2\KeePass.exe" --preload [1823744 2012-01-05] (Dominik Reichl)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Matt\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKU\Matt\...\Run: [AdobeBridge] [x]
HKU\Matt\...\Run: [Google Update] "C:\Users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-07-17] (Google Inc.)
HKU\Matt\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\Matt\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\Matt\...\Run: [angriz] rundll32.exe "C:\Users\Matt\AppData\Local\Temp\angriz.dll",D3D9ResourceGetMappedArray [260096 2012-04-13] (Midiman/M-Audio)
HKU\Matt\...\Run: [wmsbc] rundll32.exe "C:\Users\Matt\AppData\Local\Temp\wmsbc.dll",mpegInNew [x]
HKU\Matt\...\Run: [Winamp] Rundll32.exe C:\Users\Matt\AppData\Local\Winamp\bwnmopnb.dll,NxGetApexSDK [557056 2012-02-18] (NVIDIA Corporation)
HKLM\...\Runonce: [yorkyt.exe] cmd.exe /c start C:\Users\Matt\Pictures\HOWARD~1\yorkyt.exe [x]
Winlogon\Notify\!SASWinLogon: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [X]
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Lsa: [Notification Packages] scecli
ACGina

================================ Services (Whitelisted) ==================

2 AcPrfMgrSvc; C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe [116000 2008-10-27] (Lenovo)
2 AcSvc; C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe [238880 2008-10-27] (Lenovo)
3 ADMonitor; C:\Windows\system32\ADMonitor.exe [106496 2008-10-26] ()
2 Ati External Event Utility; C:\Windows\System32\Ati2evxx.exe [700416 2008-10-02] (ATI Technologies Inc.)
2 ATService; C:\Windows\system32\AtService.exe [1676536 2008-10-26] (AuthenTec, Inc.)
2 avast! Antivirus; "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" [44768 2011-11-28] (AVAST Software)
2 BcmSqlStartupSvc; "C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [30312 2008-01-11] (Microsoft Corporation)
2 btwdins; C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe [518696 2008-03-17] (Broadcom Corporation.)
2 dlbk_device; C:\Windows\system32\dlbkcoms.exe -service [538096 2007-03-28] ( )
2 dtsvc; C:\Windows\system32\DTS.exe [98304 2008-10-26] ()
2 EvtEng; C:\Program Files\Intel\WiFi\bin\EvtEng.exe [819200 2008-07-10] (Intel® Corporation)
3 FLEXnet Licensing Service; "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" [655624 2010-03-03] (Acresso Software Inc.)
2 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [136176 2010-07-17] (Google Inc.)
3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [136176 2010-07-17] (Google Inc.)
2 IBMPMSVC; C:\Windows\System32\ibmpmsvc.exe [38176 2008-09-29] (Lenovo)
2 IviRegMgr; C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe [112152 2007-01-04] (InterVideo)
3 Lavasoft Ad-Aware Service; "C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe" [1375992 2010-11-14] (Lavasoft)
2 RegSrvc; C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [466944 2008-07-10] (Intel® Corporation)
3 RoxMediaDB10; "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe" [1120752 2008-04-25] (Sonic Solutions)
2 TPHDEXLGSVC; C:\Windows\System32\TPHDEXLG.exe [37416 2008-05-14] (Lenovo.)
2 TPHKSVC; C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe [58736 2008-10-24] (Lenovo Group Limited)
2 TVT Backup Protection Service; "C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe" [520192 2008-05-24] ()
2 TVT Backup Service; "C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe" [950272 2008-05-24] (Lenovo Group Limited)
2 TVT_UpdateMonitor; C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [360448 2008-10-09] (Lenovo Group Limited)
3 MSSQL$MSSMLBIZ; "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [x]
4 MSSQLServerADHelper; "c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [x]
2 SessionLauncher; C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
2 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]
2 SUService; c:\program files\lenovo\system update\suservice.exe [x]
2 ThinkVantage Registry Monitor Service; "c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe" [x]
2 TVT Scheduler; "c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe" [x]

========================== Drivers (Whitelisted) =============

2 adfs; C:\Windows\System32\Drivers\adfs.sys [74720 2008-08-14] (Adobe Systems, Inc.)
3 amdkmdag; C:\Windows\System32\DRIVERS\atikmdag.sys [3881472 2008-10-02] (ATI Technologies Inc.)
3 amdkmdap; C:\Windows\System32\DRIVERS\atikmpag.sys [54784 2008-10-02] (Advanced Micro Devices, Inc.)
2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [20568 2011-11-28] (AVAST Software)
2 aswMonFlt; \??\C:\Windows\system32\drivers\aswMonFlt.sys [55128 2011-11-28] (AVAST Software)
1 aswRdr; C:\Windows\System32\Drivers\aswRdr.sys [34392 2011-11-28] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [435032 2011-11-28] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [314456 2011-11-28] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [52952 2011-11-28] (AVAST Software)
3 ATSwpWDF; C:\Windows\System32\Drivers\ATSwpWDF.sys [482176 2008-10-26] (AuthenTec, Inc.)
3 btwl2cap; C:\Windows\System32\DRIVERS\btwl2cap.sys [29736 2008-01-28] (Broadcom Corporation.)
0 DasBoot; C:\Windows\System32\drivers\DasBoot.SYS [20744 2012-01-17] ()
0 DasBootF; C:\Windows\System32\drivers\DasBootF.SYS [59272 2012-01-17] ()
2 DLABMFSM; C:\Windows\System32\DLA\DLABMFSM.SYS [35064 2007-06-18] (Roxio)
2 DLABOIOM; C:\Windows\System32\DLA\DLABOIOM.SYS [32472 2007-06-18] (Roxio)
1 DLACDBHM; C:\Windows\System32\Drivers\DLACDBHM.SYS [12856 2007-02-08] (Roxio)
2 DLADResM; C:\Windows\System32\DLA\DLADResM.SYS [9400 2007-06-18] (Roxio)
2 DLAIFS_M; C:\Windows\System32\DLA\DLAIFS_M.SYS [105048 2007-06-18] (Roxio)
2 DLAOPIOM; C:\Windows\System32\DLA\DLAOPIOM.SYS [26744 2007-06-18] (Roxio)
2 DLAPoolM; C:\Windows\System32\DLA\DLAPoolM.SYS [14520 2007-06-18] (Roxio)
1 DLARTL_M; C:\Windows\System32\Drivers\DLARTL_M.SYS [28120 2007-02-08] (Roxio)
2 DLAUDFAM; C:\Windows\System32\DLA\DLAUDFAM.SYS [93752 2007-06-18] (Roxio)
2 DLAUDF_M; C:\Windows\System32\DLA\DLAUDF_M.SYS [98136 2007-06-18] (Roxio)
0 DRVMCDB; C:\Windows\System32\Drivers\DRVMCDB.SYS [99848 2007-03-12] (Sonic Solutions)
2 DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [51768 2007-02-09] (Roxio)
3 e1yexpress; C:\Windows\System32\DRIVERS\e1y6032.sys [225408 2008-08-22] (Intel Corporation)
0 giveio; C:\Windows\System32\giveio.sys [5248 1996-04-03] ()
3 HSFHWAZL; C:\Windows\System32\DRIVERS\VSTAZL3.SYS [200704 2008-01-20] (Conexant Systems, Inc.)
3 IBMPMDRV; C:\Windows\System32\DRIVERS\ibmpmdrv.sys [23848 2008-09-29] (Lenovo.)
3 intelkmd; C:\Windows\System32\DRIVERS\igdkmd32.sys [2472448 2008-09-02] (Intel Corporation)
0 Lbd; C:\Windows\System32\DRIVERS\Lbd.sys [64288 2010-09-22] (Lavasoft AB)
1 lenovo.smi; C:\Windows\System32\DRIVERS\smiif32.sys [13480 2008-05-12] (Lenovo Group Limited)
3 motmodem; C:\Windows\System32\DRIVERS\motmodem.sys [23680 2007-06-18] (Motorola)
4 Mraid35x; C:\Windows\System32\drivers\mraid35x.sys [33384 2006-11-02] (LSI Logic Corporation)
3 NETw5v32; C:\Windows\System32\DRIVERS\NETw5v32.sys [3662848 2008-06-26] (Intel Corporation)
3 Point32; C:\Windows\System32\DRIVERS\point32.sys [40848 2010-07-21] (Microsoft Corporation)
3 psadd; C:\Windows\System32\DRIVERS\psadd.sys [31680 2008-09-24] (Lenovo (United States) Inc.)
3 Revoflt; C:\Windows\System32\DRIVERS\revoflt.sys [27192 2009-12-30] (VS Revo Group)
2 rimmptsk; C:\Windows\System32\DRIVERS\rimmptsk.sys [46592 2008-02-15] (REDC)
2 rimsptsk; C:\Windows\System32\DRIVERS\rimsptsk.sys [43008 2007-07-29] (REDC)
2 rismxdp; C:\Windows\System32\DRIVERS\rixdptsk.sys [38400 2007-07-29] (REDC)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [9968 2010-01-05] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [7408 2010-01-05] ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [74480 2010-01-05] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
0 Shockprf; C:\Windows\System32\DRIVERS\Apsx86.sys [114728 2008-05-14] (Lenovo.)
4 SiSRaid2; C:\Windows\System32\drivers\sisraid2.sys [41016 2008-01-20] (Microsoft Corporation)
3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [9598080 2007-02-16] ()
0 speedfan; C:\Windows\System32\speedfan.sys [5248 2006-09-24] (Windows ® 2000 DDK provider)
0 TPDIGIMN; C:\Windows\System32\DRIVERS\ApsHM86.sys [19496 2008-05-14] (Lenovo.)
3 tpflhlp; \??\C:\Program Files\Lenovo\System Update\session\7uuj07us\tpflhlp.sys [13352 2008-10-10] (Lenovo Group Limited)
3 TPM; C:\Windows\System32\drivers\tpm.sys [45624 2008-01-20] (Microsoft Corporation)
1 TPPWRIF; C:\Windows\System32\drivers\Tppwr32v.sys [11552 2008-06-13] (Lenovo Group Limited)
2 TVicPort; C:\Windows\System32\Drivers\TVicPort.sys [20512 2006-10-13] (EnTech Taiwan)
2 tvtfilter; C:\Windows\System32\DRIVERS\tvtfilter.sys [33536 2008-09-12] (Lenovo)
3 TVTI2C; C:\Windows\System32\DRIVERS\Tvti2c.sys [37312 2008-02-22] (Lenovo (United States) Inc.)
1 tvtumon; C:\Windows\System32\DRIVERS\tvtumon.sys [48192 2008-07-11] (Lenovo)
4 UlSata; C:\Windows\System32\drivers\ulsata.sys [98408 2006-11-02] (Promise Technology, Inc.)
4 ulsata2; C:\Windows\System32\drivers\ulsata2.sys [115816 2008-01-20] (Promise Technology, Inc.)
3 VX3000; C:\Windows\System32\DRIVERS\VX3000.sys [1956352 2009-06-26] (Microsoft Corporation)
3 WDC_SAM; C:\Windows\System32\DRIVERS\wdcsam.sys [11520 2008-05-06] (Western Digital Technologies)
3 WimFltr; C:\Windows\System32\DRIVERS\wimfltr.sys [128104 2008-04-18] (Microsoft Corporation)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
0 laixaee; C:\Windows\System32\drivers\wqmdynps.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-04-27 08:53 - 2012-01-02 22:03 - 0000000 ____D C:\Users\Matt\Desktop\Temporary
2012-04-27 00:33 - 2012-04-25 10:20 - 0144732 ____A C:\TDSSKiller.2.7.33.0_27.04.2012_01.33.59_log.txt
2012-04-26 17:18 - 2009-08-31 17:38 - 0000000 ____D C:\FRST
2012-04-25 12:51 - 2012-04-27 00:34 - 0001732 ____A C:\tvtpktfilter.dat
2012-04-25 11:46 - - 0144856 ____A C:\Windows\Minidump\Mini042512-01.dmp
2012-04-25 11:45 - 2009-05-12 22:20 - 332272206 ____A C:\Windows\MEMORY.DMP
2012-04-25 11:40 - 2008-09-15 11:31 - 0001024 ____A C:\.rnd
2012-04-25 11:40 - 2008-01-20 18:21 - 0137764 ____A C:\Windows\System32\PHOOKSmf.txt
2012-04-25 11:32 - 2012-01-17 12:55 - 0225664 ____A C:\Windows\System32\Drivers\DasBootS.SYS
2012-04-25 11:32 - 2012-01-17 12:55 - 0059272 ____A C:\Windows\System32\Drivers\DasBootF.SYS
2012-04-25 11:32 - 2012-01-17 12:55 - 0027528 ____A C:\Windows\System32\Drivers\DasBootK.SYS
2012-04-25 11:32 - 2012-01-17 12:55 - 0009096 ____A C:\Windows\System32\Drivers\DasBootI.SYS
2012-04-25 11:32 - 2012-01-17 12:55 - 0003072 ____A C:\Windows\System32\Drivers\DasBootD.SYS
2012-04-25 11:32 - 2010-05-03 17:37 - 0009096 ____A C:\Windows\System32\Drivers\DasBootE.SYS
2012-04-25 11:32 - 2008-09-12 19:03 - 0020744 ____A C:\Windows\System32\Drivers\DasBoot.SYS
2012-04-25 11:32 - 2006-11-02 04:32 - 0000000 ____D C:\Windows\System32\DBBK
2012-04-25 10:19 - 2012-04-25 10:02 - 0144152 ____A C:\TDSSKiller.2.7.33.0_25.04.2012_11.19.27_log.txt
2012-04-25 10:18 - 2008-01-20 18:21 - 0944642 ____A C:\Windows\ntbtlog.txt
2012-04-25 09:59 - 2012-04-25 12:49 - 0144940 ____A C:\TDSSKiller.2.7.33.0_25.04.2012_10.59.27_log.txt
2012-04-24 23:23 - 2011-07-08 17:43 - 0000000 ____D C:\Users\Matt\AppData\Local\Winamp
2012-04-23 11:09 - 2011-11-18 21:52 - 0001674 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-04-23 11:07 - 2012-04-23 11:07 - 0000000 ____D C:\Program Files\iTunes
2012-04-23 11:07 - 2008-09-12 18:42 - 0000000 ____D C:\Program Files\iPod
2012-04-20 07:09 - 2010-11-14 14:28 - 0000070 ____A C:\Users\Matt\Documents\quote.txt
2012-04-20 00:21 - 2008-10-03 21:02 - 0000000 ____D C:\olddos
2012-04-19 23:47 - 2009-04-21 23:58 - 0000870 ____A C:\Users\Matt\Desktop\Notepad++.lnk
2012-04-17 23:23 - 2012-04-17 23:22 - 0157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-04-17 23:23 - 2012-04-17 23:22 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-04-17 23:23 - 2009-05-12 22:29 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-04-17 23:23 - 2008-09-12 18:42 - 0000000 ____D C:\Program Files\Common Files\Java
2012-04-13 17:34 - 2011-04-11 16:54 - 0000000 ____D C:\Users\Matt\AppData\Local\{0031340F-85D2-11E1-826D-B8AC6F996F26}
2012-04-10 16:30 - 2012-04-10 16:12 - 7520168 ____A C:\Users\Matt\Downloads\05 - Out & About.mp3
2012-04-10 16:27 - - 6683205 ____A C:\Users\Matt\Downloads\01 - Whitman.mp3
2012-04-10 16:13 - 2012-03-13 16:22 - 0000000 ____D C:\Users\Matt\Downloads\swift, richard - walt wolfman - 2011
2012-04-10 16:04 - 2012-04-10 16:29 - 6834801 ____A C:\Users\Matt\Downloads\02 shake it out.mp3
2012-03-31 16:01 - 2008-09-23 22:45 - 0000869 ____A C:\Users\Public\Desktop\VLC media player.lnk

============ 3 Months Modified Files and Folders ===============

2012-04-27 08:57 - 2006-11-02 02:33 - 0830718 ____A C:\Windows\System32\PerfStringBackup.INI
2012-04-27 08:56 - 2012-04-25 10:18 - 0944642 ____A C:\Windows\ntbtlog.txt
2012-04-27 08:55 - 2012-04-27 08:53 - 0000000 ____D C:\Users\Matt\Desktop\Temporary
2012-04-27 00:34 - 2012-04-27 00:33 - 0144732 ____A C:\TDSSKiller.2.7.33.0_27.04.2012_01.33.59_log.txt
2012-04-27 00:33 - 2008-11-03 22:50 - 0000000 ____D C:\Users\Matt\AppData\Roaming\Notepad++
2012-04-27 00:33 - 2008-11-03 22:50 - 0000000 ____D C:\Program Files\Notepad++
2012-04-26 23:53 - 2008-09-16 00:41 - 0000000 ____D C:\Users\Matt\AppData\Roaming\KeePass
2012-04-26 23:43 - 2009-04-16 01:12 - 0100072 ____A C:\aaw7boot.log
2012-04-26 23:43 - 2006-11-02 04:46 - 2361368 ____A C:\Windows\System32\FNTCACHE.DAT
2012-04-26 23:40 - 2012-04-25 11:40 - 0137764 ____A C:\Windows\System32\PHOOKSmf.txt
2012-04-26 23:39 - 2012-04-25 11:40 - 0001024 ____A C:\.rnd
2012-04-26 23:39 - 2006-11-02 04:46 - 0003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-04-26 23:39 - 2006-11-02 04:46 - 0003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-04-26 22:14 - 2011-10-22 14:30 - 0000000 ____D C:\Program Files\mIRC
2012-04-26 17:21 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\LogFiles
2012-04-26 17:19 - 2012-04-26 17:18 - 0000000 ____D C:\FRST
2012-04-26 14:53 - 2008-09-12 17:56 - 0000000 ____D C:\SWShare
2012-04-26 13:42 - 2012-04-25 11:32 - 0000000 ____D C:\Windows\System32\DBBK
2012-04-25 12:51 - 2012-04-25 12:51 - 0001732 ____A C:\tvtpktfilter.dat
2012-04-25 11:46 - 2012-04-25 11:46 - 0144856 ____A C:\Windows\Minidump\Mini042512-01.dmp
2012-04-25 11:46 - 2012-04-25 11:45 - 332272206 ____A C:\Windows\MEMORY.DMP
2012-04-25 11:46 - 2008-11-26 14:08 - 0000000 ____D C:\Windows\Minidump
2012-04-25 11:33 - 2012-03-17 14:42 - 1129523 ____A C:\Windows\WindowsUpdate.log
2012-04-25 11:33 - 2010-08-22 16:47 - 0000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1395037138-3911999115-1905124741-1003UA.job
2012-04-25 11:33 - 2008-09-12 18:21 - 0000012 ____A C:\Windows\bthservsdp.dat
2012-04-25 11:33 - 2006-11-02 05:00 - 0032642 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-04-25 11:33 - 2006-11-02 05:00 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-04-25 11:32 - 2008-09-12 18:34 - 3428032 ____A C:\Windows\System32\TPAPSLOG.LOG
2012-04-25 11:27 - 2012-03-23 23:00 - 0000000 ___RD C:\Users\Matt\Dropbox
2012-04-25 11:27 - 2012-03-23 22:57 - 0000000 ____D C:\Users\Matt\AppData\Roaming\Dropbox
2012-04-25 11:25 - 2010-07-17 14:11 - 0000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-04-25 11:24 - 2008-09-12 18:49 - 0360050 ____A C:\sysiclog.txt
2012-04-25 11:23 - 2008-09-12 18:34 - 1736576 ____A C:\Windows\System32\TPHDLOG0.LOG
2012-04-25 10:20 - 2012-04-25 10:19 - 0144152 ____A C:\TDSSKiller.2.7.33.0_25.04.2012_11.19.27_log.txt
2012-04-25 10:04 - 2010-02-08 20:44 - 0000000 ____D C:\Users\Matt\Desktop\Anti-Spyware
2012-04-25 10:02 - 2012-04-25 09:59 - 0144940 ____A C:\TDSSKiller.2.7.33.0_25.04.2012_10.59.27_log.txt
2012-04-25 10:00 - 2010-07-17 14:11 - 0000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-04-25 09:49 - 2008-10-04 02:04 - 0000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-04-25 09:49 - 2008-10-04 02:04 - 0000000 ____D C:\ProgramData\Spybot - Search & Destroy
2012-04-24 23:54 - 2008-09-15 13:59 - 0057344 ____A C:\Users\Matt\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-04-24 23:23 - 2012-04-24 23:23 - 0000000 ____D C:\Users\Matt\AppData\Local\Winamp
2012-04-24 12:33 - 2010-08-22 16:47 - 0000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1395037138-3911999115-1905124741-1003Core.job
2012-04-24 08:14 - 2008-09-16 00:38 - 0000000 ____D C:\Users\Matt\Documents\KeePass - do not delete
2012-04-23 23:46 - 2012-01-17 01:17 - 0000000 ____D C:\Users\Matt\AppData\Roaming\vlc
2012-04-23 11:09 - 2012-04-23 11:09 - 0001674 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-04-23 11:09 - 2012-04-23 11:07 - 0000000 ____D C:\Program Files\iTunes
2012-04-23 11:09 - 2008-11-16 20:44 - 0000000 __SHD C:\Config.Msi
2012-04-23 11:07 - 2012-04-23 11:07 - 0000000 ____D C:\Program Files\iPod
2012-04-23 11:07 - 2009-05-26 14:11 - 0000000 ____D C:\Program Files\Common Files\Apple
2012-04-22 11:50 - 2008-12-28 23:26 - 0000000 ____D C:\Users\Matt\AppData\Roaming\uTorrent
2012-04-21 23:28 - 2008-12-28 23:30 - 0000000 ____D C:\Users\Matt\Downloads\UTorrent downloads
2012-04-20 07:09 - 2012-04-20 07:09 - 0000070 ____A C:\Users\Matt\Documents\quote.txt
2012-04-20 00:21 - 2012-04-20 00:21 - 0000000 ____D C:\olddos
2012-04-19 23:47 - 2012-04-19 23:47 - 0000870 ____A C:\Users\Matt\Desktop\Notepad++.lnk
2012-04-18 19:02 - 2010-07-17 14:13 - 0001981 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-04-18 14:14 - 2012-02-20 21:54 - 0000000 ____D C:\Users\Matt\Documents\temp PDF folder before Mendeley processing
2012-04-17 23:23 - 2012-04-17 23:23 - 0000000 ____D C:\Program Files\Common Files\Java
2012-04-17 23:22 - 2012-04-17 23:23 - 0157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-04-17 23:22 - 2012-04-17 23:23 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-04-17 23:22 - 2012-04-17 23:23 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-04-17 23:22 - 2011-07-01 17:50 - 0472808 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2012-04-14 13:21 - 2008-02-06 11:03 - 0000000 ____D C:\Windows\Panther
2012-04-14 13:12 - 2012-01-02 22:06 - 0000916 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-04-14 13:12 - 2009-05-09 01:46 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-04-14 13:00 - 2012-03-23 22:58 - 0000930 ____A C:\Users\Matt\Start Menu\Programs\Startup\Dropbox.lnk
2012-04-14 13:00 - 2012-03-23 22:58 - 0000930 ____A C:\Users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
2012-04-14 13:00 - 2008-09-22 19:25 - 0000000 ____D C:\Users\Matt\AppData\Roaming\wsInspector
2012-04-14 08:58 - 2008-09-15 10:54 - 0013128 ____A C:\Users\Matt\AppData\Local\d3d9caps.dat
2012-04-13 17:34 - 2012-04-13 17:34 - 0000000 ____D C:\Users\Matt\AppData\Local\{0031340F-85D2-11E1-826D-B8AC6F996F26}
2012-04-12 02:06 - 2008-09-12 18:57 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-04-12 02:06 - 2008-09-12 18:57 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-04-12 02:02 - 2006-11-02 02:24 - 55154568 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-04-10 21:33 - 2008-09-15 12:05 - 0000000 ____D C:\Users\Matt\AppData\Roaming\Mozilla
2012-04-10 16:53 - 2012-04-10 16:13 - 0000000 ____D C:\Users\Matt\Downloads\swift, richard - walt wolfman - 2011
2012-04-10 16:33 - 2012-04-10 16:30 - 7520168 ____A C:\Users\Matt\Downloads\05 - Out & About.mp3
2012-04-10 16:29 - 2012-04-10 16:27 - 6683205 ____A C:\Users\Matt\Downloads\01 - Whitman.mp3
2012-04-10 16:12 - 2012-04-10 16:04 - 6834801 ____A C:\Users\Matt\Downloads\02 shake it out.mp3
2012-04-08 20:12 - 2011-04-10 20:32 - 0000000 ____D C:\Users\Matt\Documents\My Kindle Content
2012-04-05 21:17 - 2012-02-19 18:28 - 0000000 ____D C:\Users\Matt\Documents\Mendeley PDF library
2012-04-04 14:56 - 2009-05-09 01:46 - 0022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-04-03 14:56 - 2008-09-28 00:52 - 0000393 ____A C:\Users\Public\Documents\BluetoothLog.html
2012-03-31 16:01 - 2012-03-31 16:01 - 0000869 ____A C:\Users\Public\Desktop\VLC media player.lnk
2012-03-27 02:07 - 2006-11-02 03:18 - 0000000 ____D C:\Program Files\Common Files\microsoft shared
2012-03-27 02:05 - 2006-11-02 02:23 - 0000284 ____A C:\Windows\win.ini
2012-03-26 22:26 - 2012-01-12 11:31 - 0000000 ____D C:\Users\Matt\Documents\Interview
2012-03-23 23:00 - 2012-03-23 23:00 - 0000950 ____A C:\Users\Matt\Desktop\Dropbox.lnk
2012-03-23 23:00 - 2008-09-15 10:52 - 0000000 ____D C:\users\Matt
2012-03-22 08:17 - 2012-04-25 11:32 - 0225664 ____A C:\Windows\System32\Drivers\DasBootS.SYS
2012-03-20 21:08 - 2008-09-12 18:38 - 0000000 ____D C:\Windows\System32\Macromed
2012-03-16 21:33 - 2008-09-15 12:05 - 0000000 ____D C:\Program Files\Mozilla Firefox
2012-03-15 11:25 - 2011-03-26 23:45 - 0018161 ____A C:\Users\Matt\Documents\Weed.xlsx
2012-03-14 19:02 - 2012-03-14 19:02 - 0000896 ____A C:\Users\Matt\Desktop\Tag&Rename.lnk
2012-03-14 19:02 - 2012-03-14 19:02 - 0000000 ____D C:\Program Files\TagRename
2012-03-13 16:22 - 2009-10-25 23:46 - 0000000 ____D C:\Users\Matt\Downloads\Incomplete
2012-03-13 16:21 - 2009-10-25 23:45 - 0000000 ____D C:\Users\Matt\Downloads\FrostWire
2012-03-13 15:07 - 2009-05-26 14:13 - 0000000 ____D C:\Users\Matt\AppData\Roaming\Apple Computer
2012-03-10 12:23 - 2012-03-10 12:23 - 0000044 ____A C:\Users\Matt\.gtk-bookmarks
2012-03-10 12:23 - 2011-01-28 15:02 - 0000000 ____D C:\Users\Matt\AppData\Roaming\gtk-2.0
2012-03-09 00:41 - 2010-11-21 15:31 - 0000000 ____D C:\Users\Matt\Documents\Eureqa files
2012-03-09 00:39 - 2012-03-09 00:39 - 0000000 ____D C:\Program Files\Nutonian
2012-03-09 00:39 - 2012-02-15 19:02 - 0002042 ____A C:\Users\Public\Desktop\Eureqa Formulize.lnk
2012-03-09 00:38 - 2012-02-15 19:00 - 0000000 ____D C:\Users\Matt\AppData\Local\Downloaded Installations
2012-03-03 02:23 - 2010-04-28 16:15 - 0000000 ____D C:\Users\Matt\Documents\Lab
2012-03-01 15:25 - 2010-11-23 00:40 - 0000814 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-03-01 15:25 - 2010-01-24 15:49 - 0000000 ____D C:\Program Files\CCleaner
2012-02-26 16:11 - 2011-09-20 23:53 - 0011812 ____A C:\Users\Matt\AppData\Roaming\mindhabits.dat
2012-02-25 18:48 - 2012-02-25 18:48 - 0000000 ____D C:\attProbe
2012-02-23 09:18 - 2009-10-02 20:19 - 0237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-02-22 01:15 - 2008-11-14 17:34 - 0000000 ____D C:\Program Files\Microsoft Silverlight
2012-02-19 18:25 - 2011-12-30 19:25 - 0000000 ____D C:\Users\Matt\Documents\Books
2012-02-19 15:48 - 2012-02-19 15:48 - 0000000 ____D C:\Program Files\OutLier
2012-02-19 15:48 - 2012-02-19 15:46 - 0286720 ____N (Microsoft Corporation) C:\Windows\Setup1.exe
2012-02-19 15:48 - 2012-02-19 15:46 - 0073216 ____A (Microsoft Corporation) C:\Windows\ST6UNST.EXE
2012-02-19 15:40 - 2012-02-19 15:40 - 0001015 ____A C:\Users\Public\Desktop\R 2.14.1.lnk
2012-02-19 15:39 - 2012-02-19 15:39 - 0000000 ____D C:\Program Files\R
2012-02-19 15:34 - 2008-09-15 10:52 - 0000000 ____D C:\Users\Matt\AppData\LocalLow
2012-02-15 18:34 - 2011-10-19 12:08 - 0018777 ____A C:\Users\Matt\Documents\Ask.xlsx
2012-02-15 10:01 - 2012-02-15 10:01 - 4547944 ____A (Apple, Inc.) C:\Windows\System32\usbaaplrc.dll
2012-02-15 10:01 - 2012-02-15 10:01 - 0043520 ____A (Apple, Inc.) C:\Windows\System32\Drivers\usbaapl.sys
2012-02-13 10:05 - 2012-02-13 10:04 - 0004257 ____A C:\Windows\System32\jupdate-1.6.0_30-b12.log
2012-02-13 10:05 - 2009-04-09 21:18 - 0000000 ____D C:\Program Files\Java
2012-02-11 16:17 - 2012-02-11 16:17 - 0000000 ____D C:\Users\Matt\AppData\Local\Evernote
2012-02-11 16:13 - 2012-02-11 16:13 - 0000725 ____A C:\Users\Matt\Desktop\Evernote.lnk
2012-02-11 16:13 - 2012-02-11 16:13 - 0000000 ____D C:\Program Files\Evernote
2012-01-31 17:38 - 2012-01-31 17:38 - 0000924 ____A C:\Users\Matt\Desktop\KeePass.lnk
2012-01-31 17:28 - 2012-01-31 17:28 - 0000912 ____A C:\Users\Matt\Desktop\KeePass 2.lnk
2012-01-31 17:28 - 2012-01-31 17:28 - 0000000 ____D C:\Program Files\KeePass Password Safe 2
2012-01-30 12:58 - 2012-01-30 12:58 - 0001736 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-01-30 12:58 - 2012-01-30 12:58 - 0000000 ____D C:\Program Files\QuickTime


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2008-12-09 17:42] - [2008-10-28 22:29] - 2927104 ____A (Microsoft Corporation)

C:\Windows\System32\winlogon.exe
[2008-01-20 18:22] - [2008-01-20 18:22] - 0314880 ____A (Microsoft Corporation)

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\User32.dll
[2008-01-20 18:22] - [2008-01-20 18:22] - 0627200 ____A (Microsoft Corporation)

C:\Windows\System32\Drivers\volsnap.sys
[2008-01-20 18:21] - [2008-01-20 18:21] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9


========================= Memory info ======================

Percentage of memory in use: 16%
Total physical RAM: 2967.07 MB
Available physical RAM: 2471.12 MB
Total Pagefile: 2727.07 MB
Available Pagefile: 2554.86 MB
Total Virtual: 2047.88 MB
Available Virtual: 1980.95 MB

======================= Partitions =========================

1 Drive c: (SW_Preload) (Fixed) (Total:137.82 GB) (Free:5.15 GB) NTFS
2 Drive e: (Lenovo) (Fixed) (Total:9.77 GB) (Free:3.49 GB) NTFS
4 Drive g: (Cruzer) (Removable) (Total:3.74 GB) (Free:3.73 GB) FAT32
5 Drive h: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SERVICEV003) (Fixed) (Total:1.46 GB) (Free:0.69 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B
Disk 1 Online 3836 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1500 MB 1024 KB
Partition 2 Primary 138 GB 1501 MB
Partition 3 Primary 10 GB 139 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 Y SERVICEV003 NTFS Partition 1500 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C SW_Preload NTFS Partition 138 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E Lenovo NTFS Partition 10 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3828 MB 19 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 G Cruzer FAT32 Removable 3828 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-04-27 00:01

======================= End Of Log ==========================

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 27 April 2012 - 05:00 PM

Hi

Looks like you are missing some files that are required to boot, so let's see if we can find replacements.

Please do the following:


Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad window. Save it on the flash drive as fixlist.txt.

start
HKLM\...\Run: [] [x]
HKU\Matt\...\Run: [angriz] rundll32.exe "C:\Users\Matt\AppData\Local\Temp\angriz.dll",D3D9ResourceGetMappedArray [260096 2012-04-13] (Midiman/M-Audio)
HKU\Matt\...\Run: [wmsbc] rundll32.exe "C:\Users\Matt\AppData\Local\Temp\wmsbc.dll",mpegInNew [x]
HKU\Matt\...\Run: [Winamp] Rundll32.exe C:\Users\Matt\AppData\Local\Winamp\bwnmopnb.dll,NxGetApexSDK [557056 2012-02-18] (NVIDIA Corporation)
2012-04-25 11:40 - 2008-09-15 11:31 - 0001024 ____A C:\.rnd
end
Now please enter System Recovery Options.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.


  • While you are still booted into System Recovery Options, run FRST.

    Type the following in the edit box after "Search:" so it looks like this:

    Search: explorer.exe;winlogon.exe;User32.dll

    Click the Search button and post the log it makes in your reply.

Edited by CatByte, 27 April 2012 - 05:01 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
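As an added example (not from the thread and not FRST's own logic), a small Python triage pass over FRST "Run" lines of the kind listed in the fixlist above: it flags autostart entries whose target file is missing ([x]) or that use rundll32.exe to load a DLL from a user-writable profile folder, which is the pattern all three HKU entries share. The input reuses the four entries from the fixlist plus one constructed benign control line (SynTPEnh); the regexes and folder list are this example's own assumptions about the log format.

```python
import re

# Constructed sample: the four Run entries from the fixlist above, in FRST's own
# line format, plus one constructed benign entry (SynTPEnh) as a control.
SAMPLE_RUN_LINES = [
    r'HKLM\...\Run: [] [x]',
    r'HKU\Matt\...\Run: [angriz] rundll32.exe "C:\Users\Matt\AppData\Local\Temp\angriz.dll",D3D9ResourceGetMappedArray [260096 2012-04-13] (Midiman/M-Audio)',
    r'HKU\Matt\...\Run: [wmsbc] rundll32.exe "C:\Users\Matt\AppData\Local\Temp\wmsbc.dll",mpegInNew [x]',
    r'HKU\Matt\...\Run: [Winamp] Rundll32.exe C:\Users\Matt\AppData\Local\Winamp\bwnmopnb.dll,NxGetApexSDK [557056 2012-02-18] (NVIDIA Corporation)',
    r'HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1029416 2008-06-01] (Synaptics, Inc.)',
]

# FRST Run line: "<hive>\...\Run: [<name>] <command> [<size> <date>|x] (<company>)"
RUN_LINE = re.compile(
    r"^(?P<hive>HK\S*?\\Run): \[(?P<name>[^\]]*)\](?: (?P<cmd>.*?))?"
    r" \[(?P<meta>x|\d+ \d{4}-\d{2}-\d{2})\](?: \((?P<company>[^)]*)\))?$"
)
# rundll32.exe <dll>,<export>  (DLL path optionally quoted)
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
                    re.IGNORECASE)
# Folders any process running as the user can write to; legitimate autostarts
# rarely load their DLLs from here, and all three HKU entries above do.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")


def triage_run_entries(lines):
    """Return one finding per suspicious Run entry, with the reasons it was flagged."""
    findings = []
    for line in lines:
        m = RUN_LINE.match(line.strip())
        if m is None:
            continue  # not a Run line
        reasons = []
        if m["meta"] == "x":
            reasons.append("target file not found ([x])")
        r = RUNDLL.match(m["cmd"] or "")
        dll = r["dll"] if r else None
        if dll and any(tag in dll.lower() for tag in USER_WRITABLE):
            reasons.append("rundll32 loads a DLL from a user-writable profile folder")
        if reasons:
            findings.append({
                "hive": m["hive"], "name": m["name"], "dll": dll,
                "export": r["export"] if r else None,
                "company": m["company"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_RUN_LINES):
        print(f"{f['hive']} [{f['name']!r}] {f['dll'] or ''}")
        for reason in f["reasons"]:
            print("   -", reason)
```

The control line produces no finding; the empty HKLM entry is reported only because its target is missing.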


#13 SkypilotDown

SkypilotDown
  • Topic Starter

  • Members
  • 37 posts

Posted 27 April 2012 - 06:47 PM

Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 22-04-2012
Ran by SYSTEM at 2012-04-27 16:03:36 R:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\HKLM\...\Run: [] [x] Value not found.
HKEY_USERS\Matt\Software\Microsoft\Windows\CurrentVersion\Run\\angriz Value deleted successfully.
HKEY_USERS\Matt\Software\Microsoft\Windows\CurrentVersion\Run\\wmsbc Value deleted successfully.
HKEY_USERS\Matt\Software\Microsoft\Windows\CurrentVersion\Run\\Winamp Value deleted successfully.
C:\.rnd moved successfully.

==== End of Fixlog ====



Farbar Recovery Scan Tool Version: 22-04-2012
Ran by SYSTEM at 2012-04-27 16:06:14
Running from G:\

================== Search: "explorer.exe;winlogon.exe;User32.dll" ===================

C:\Windows\explorer.exe
[2008-12-09 17:42] - [2008-10-28 22:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D

C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe
[2008-01-20 18:22] - [2008-01-20 18:22] - 0314880 ____A (Microsoft Corporation) C2610B6BDBEFC053BBDAB4F1B965CB24

C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6001.18000_none_cd386c416d5c7f32\user32.dll
[2008-01-20 18:22] - [2008-01-20 18:22] - 0627200 ____A (Microsoft Corporation) B974D9F06DC7D1908E825DC201681269

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2008-12-09 17:42] - [2008-10-29 19:59] - 2927616 ____A (Microsoft Corporation) 50BA5850147410CDE89C523AD3BC606E

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008-12-09 17:42] - [2008-10-28 22:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
[2008-01-20 18:22] - [2008-01-20 18:22] - 2927104 ____A (Microsoft Corporation) FFA764631CB70A30065C12EF8E174F9F

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2008-12-09 17:42] - [2008-10-27 18:15] - 2923520 ____A (Microsoft Corporation) E7156B0B74762D9DE0E66BDCDE06E5FB

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2008-12-09 17:42] - [2008-10-28 22:20] - 2923520 ____A (Microsoft Corporation) 37440D09DEAE0B672A04DCCF7ABF06BE

C:\Windows\System32\user32.dll
[2008-01-20 18:22] - [2008-01-20 18:22] - 0627200 ____A (Microsoft Corporation) B974D9F06DC7D1908E825DC201681269

C:\Windows\System32\winlogon.exe
[2008-01-20 18:22] - [2008-01-20 18:22] - 0314880 ____A (Microsoft Corporation) C2610B6BDBEFC053BBDAB4F1B965CB24

C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2009-09-17 03:03] - [2009-04-10 22:28] - 0314368 ____A (Microsoft Corporation) 898E7C06A350D4A1A64A9EA264D55452

C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6002.18005_none_cf23e54d6a7e4a7e\user32.dll
[2009-09-17 03:03] - [2009-04-10 22:28] - 0627712 ____A (Microsoft Corporation) 75510147B94598407666F4802797C75A

C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2009-09-17 03:03] - [2009-04-10 22:27] - 2926592 ____A (Microsoft Corporation) D07D4C3038F3578FFCE1C0237F2A1253

C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2012-01-02 22:06] - [2012-04-04 14:56] - 0199240 ____A () 097D0E812D7A9A3101CE46CB2BE0474D

=== End Of Search ===

Thanks again for all your help so far!
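As an added illustration (not part of the thread and not FRST's own logic), the Python below parses the Search output in the post above and does what the helper is doing by eye: for each file name it checks whether the copy Windows actually runs (under C:\Windows or System32) is present, which winsxs component-store copies share its MD5 and so would serve as a byte-identical replacement, and which copies report no publisher at all. The embedded input is trimmed to six of the entries above; the directory rules and the detail-line regex are this example's assumptions, and "no publisher" is a prompt for review, not a verdict.

```python
import re
from collections import defaultdict

# Excerpt of the FRST Search output posted above (paths, sizes and MD5s as they appear
# in the thread), trimmed to six entries so the example stays short.
SEARCH_LOG = r"""
C:\Windows\explorer.exe
[2008-12-09 17:42] - [2008-10-28 22:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2008-12-09 17:42] - [2008-10-29 19:59] - 2927616 ____A (Microsoft Corporation) 50BA5850147410CDE89C523AD3BC606E

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008-12-09 17:42] - [2008-10-28 22:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D

C:\Windows\System32\winlogon.exe
[2008-01-20 18:22] - [2008-01-20 18:22] - 0314880 ____A (Microsoft Corporation) C2610B6BDBEFC053BBDAB4F1B965CB24

C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe
[2008-01-20 18:22] - [2008-01-20 18:22] - 0314880 ____A (Microsoft Corporation) C2610B6BDBEFC053BBDAB4F1B965CB24

C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2012-01-02 22:06] - [2012-04-04 14:56] - 0199240 ____A () 097D0E812D7A9A3101CE46CB2BE0474D
"""

# Detail line: "[created] - [modified] - <size> <attrs> (<company>) <MD5>"
DETAIL = re.compile(r"^\[[^\]]+\] - \[[^\]]+\] - (?P<size>\d+) (?P<attrs>\S+) "
                    r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")
# Where the copies Windows runs live; everything else is a backup or a third-party file.
LIVE_DIRS = {"c:\\windows", "c:\\windows\\system32"}


def parse_search(text):
    """Pair each path line with the detail line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    for path, detail in zip(lines[::2], lines[1::2]):
        m = DETAIL.match(detail)
        if m is None:
            raise ValueError(f"unexpected detail line: {detail}")
        entries.append({"path": path, "name": path.rsplit("\\", 1)[-1].lower(),
                        "size": int(m["size"]), "company": m["company"],
                        "md5": m["md5"].upper()})
    return entries


def assess(entries):
    """Per file name: is the live copy present, which winsxs copies are byte-identical
    to it (candidate replacements), and which copies carry no publisher at all."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    report = {}
    for name, copies in by_name.items():
        live = [e for e in copies if e["path"].lower().rsplit("\\", 1)[0] in LIVE_DIRS]
        backups = [e for e in copies if "\\winsxs\\" in e["path"].lower()]
        live_md5 = live[0]["md5"] if live else None
        report[name] = {
            "live_present": bool(live),
            "matching_backups": [e["path"] for e in backups if e["md5"] == live_md5],
            "other_backups": [e["path"] for e in backups if e["md5"] != live_md5],
            "no_publisher": [e["path"] for e in copies if not e["company"]],
        }
    return report
```

Run `assess(parse_search(SEARCH_LOG))` to see that both live files are present and each has exactly one byte-identical winsxs copy, which is why the next step in the thread moves on from missing files to the boot path itself.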

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 27 April 2012 - 09:48 PM

Hi

Please do the following:

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

start
SubSystems: [Windows] ==> ZeroAccess
cmd: bootrec /FixMbr
cmd: bootrec /fixboot
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options then select Command Prompt

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.


Now restart, let it boot normally and tell me how it went.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 SkypilotDown

SkypilotDown
  • Topic Starter

  • Members
  • 37 posts

Posted 27 April 2012 - 10:17 PM

I ran FRST (I assume you meant to use that one), and have posted the results. When I try to start my computer now, it still stops at the Windows login screen. If I enter my password, I get the blue screen saying it is shutting down to protect my computer (as it does some kind of memory dump). So it seems the same as before. If I don't try to log in and instead let it sit there at the Windows login screen, fairly soon it gets the blue screen even if I do nothing. At that point it will repeat that cycle of booting to the Windows login screen and then the blue screen over and over unless I shut down the computer.

Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 22-04-2012
Ran by SYSTEM at 2012-04-27 20:03:41 R:2
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.

========= bootrec /FixMbr =========

The operation completed successfully.

========= End of CMD: =========


========= bootrec /fixboot =========

The operation completed successfully.

========= End of CMD: =========


==== End of Fixlog ====



