
BSOD...Unable To Run MBAM Or AVAST


61 replies to this topic

#1 Cal_Bear1982

Cal_Bear1982

  • Members
  • 38 posts

Posted 17 May 2012 - 04:17 AM

Referred here from the "Am I Infected?" Forum...

http://www.bleepingcomputer.com/forums/topic453424.html

Summary of prior post: After a BSOD incident...Upon reboot, windows indicated an unexpected shutdown, and advised to run an anti-virus check. Tried to run MBAM and AVAST, but they would not complete the scan. Experiencing intermittent BSOD's since.

What I've tried:
MBAM(Starts, but does not complete scan..Locks up computer)
MBAM Chameleon Mode(Same as MBAM)
MBAM In Safe Mode
RUNSAS.EXE
SASSAFERUN.COM
AVAST(Starts, but does not complete scan)
AVAST In Safe Mode
SuperAntiSpyWare (Ran, removed tracking malware, but did not indicate any other problems)
SpyBot Search & Destroy (Ran, but did not detect anything)
Rkill (Ran/completed...Did not solve MBAM problem)
exeHelper (Ran/completed...Did not solve MBAM problem)
VipreRescue (Ran/completed...Did not solve MBAM problem)
Rebooted to last known point (Via F8 Menu on start-up)...Problem still exists

My System:
Toshiba SAT L775d Lap Top
A6 Vision Amd/4Gb/64bit/Win7-Home(Serv Pak 1)
Security: Private Firewall 7.0/Avast/MBAM Full Pro version

Thank you in advance...

DDS.TXT
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by TW at 1:51:57 on 2012-05-17
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3562.2215 [GMT -6:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Privatefirewall *Enabled* {ADE53067-43C2-2B76-05F6-A92000CC501A}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\atieclxx.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\GFNEXSrv.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
C:\windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\sysWOW64\wbem\wmiprvse.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_2_202_235_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\system32\svchost.exe -k SDRSVC
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://start.toshiba.com
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [Privatefirewall] C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{B4B398A9-CBA0-471F-AB1C-48513B7DB1AB} : DhcpNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [Privatefirewall] C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;C:\windows\system32\drivers\aswSP.sys --> C:\windows\system32\drivers\aswSP.sys [?]
R1 pwipf6;Privacyware Filter Driver;C:\windows\system32\DRIVERS\pwipf6.sys --> C:\windows\system32\DRIVERS\pwipf6.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 SBRE;SBRE;\??\C:\windows\system32\drivers\SBREdrv.sys --> C:\windows\system32\drivers\SBREdrv.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-3 63928]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\system32\atiesrxx.exe --> C:\windows\system32\atiesrxx.exe [?]
R2 aswFsBlk;aswFsBlk;C:\windows\system32\drivers\aswFsBlk.sys --> C:\windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\windows\system32\drivers\aswMonFlt.sys --> C:\windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-3-26 44768]
R2 GFNEXSrv;GFNEX Service;C:\Windows\System32\GFNEXSrv.exe --> C:\Windows\System32\GFNEXSrv.exe [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-3-25 652360]
R2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe [2012-1-30 123320]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [2012-1-30 126392]
R2 PFNet;Privacyware network service;C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe [2012-3-23 374120]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\Toshiba\TECO\TecoService.exe [2011-5-24 294848]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]
R3 amdkmdag;amdkmdag;C:\windows\system32\DRIVERS\atikmdag.sys --> C:\windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\windows\system32\DRIVERS\atikmpag.sys --> C:\windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\windows\system32\drivers\AtihdW76.sys --> C:\windows\system32\drivers\AtihdW76.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\windows\system32\drivers\mbam.sys --> C:\windows\system32\drivers\mbam.sys [?]
R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\system32\DRIVERS\rtl8192Ce.sys --> C:\windows\system32\DRIVERS\rtl8192Ce.sys [?]
S1 aswSnx;aswSnx;C:\windows\system32\drivers\aswSnx.sys --> C:\windows\system32\drivers\aswSnx.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 mbamchameleon;mbamchameleon;\??\C:\windows\system32\drivers\mbamchameleon.sys --> C:\windows\system32\drivers\mbamchameleon.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 31125880]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys --> C:\windows\system32\Drivers\RtsUStor.sys [?]
S3 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2012-1-30 57216]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\Toshiba\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-6-9 138152]
S3 TPCHSrv;TPCH Service;C:\Program Files\Toshiba\TPHM\TPCHSrv.exe [2011-7-1 828856]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-05-14 09:14:11 -------- d-----w- C:\58d543174a8b70a39d
2012-05-14 09:00:36 -------- d-----w- C:\6b9e708248686a442b99a018
2012-05-12 21:07:13 29808 ----a-w- C:\windows\System32\drivers\mbamchameleon.sys
2012-05-12 19:53:11 49752 ----a-w- C:\windows\System32\drivers\SBREDrv.sys
2012-05-12 19:53:11 27472 ----a-w- C:\windows\System32\sbbd.exe
2012-05-12 19:52:50 -------- d-----w- C:\VIPRERESCUE
2012-05-12 13:33:32 -------- d-----w- C:\Users\TW\AppData\Roaming\SUPERAntiSpyware.com
2012-05-12 13:32:59 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-05-12 13:32:59 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-05-12 12:20:14 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-05-12 12:20:14 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2012-05-12 12:02:12 -------- d-----w- C:\Users\TW\AppData\Local\Diagnostics
2012-05-12 11:46:33 -------- d-----w- C:\d19a6f9e3ea9e940eedb
2012-05-12 10:29:02 -------- d-----w- C:\353292ea13a0d27f43656a8295de
2012-05-12 09:54:22 -------- d-----w- C:\1ecec73898ad58a05d47b0edc324b7
2012-05-12 09:25:54 -------- d-----w- C:\1ee3b7e78f63671d79eb6561c396d7
2012-05-12 09:06:50 -------- d-----w- C:\ee12eb78265b85738792ba6757eb8c
2012-05-11 22:24:46 1544704 ----a-w- C:\windows\System32\DWrite.dll
2012-05-11 22:24:46 1077248 ----a-w- C:\windows\SysWow64\DWrite.dll
2012-05-11 22:24:20 5559664 ----a-w- C:\windows\System32\ntoskrnl.exe
2012-05-11 22:24:19 3146240 ----a-w- C:\windows\System32\win32k.sys
2012-05-11 22:24:18 3968368 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2012-05-11 22:24:17 3913072 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2012-05-11 22:22:25 75120 ----a-w- C:\windows\System32\drivers\partmgr.sys
2012-05-11 22:20:24 1918320 ----a-w- C:\windows\System32\drivers\tcpip.sys
2012-05-11 22:19:58 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2012-05-11 22:19:57 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-11 22:19:56 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-11 22:19:55 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2012-05-11 22:19:55 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2012-04-27 18:37:06 8917360 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B36ADA97-B7F6-40D7-A99A-BA79E42FD278}\mpengine.dll
.
==================== Find3M ====================
.
2012-05-17 05:48:41 70304 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-17 05:48:41 419488 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-03-06 23:15:19 41184 ----a-w- C:\windows\avastSS.scr
2012-03-06 23:04:06 819032 ----a-w- C:\windows\System32\drivers\aswSnx.sys
2012-03-06 23:02:20 53080 ----a-w- C:\windows\System32\drivers\aswRdr2.sys
2012-03-06 23:01:52 69976 ----a-w- C:\windows\System32\drivers\aswMonFlt.sys
2012-03-01 06:46:16 23408 ----a-w- C:\windows\System32\drivers\fs_rec.sys
2012-03-01 06:38:27 220672 ----a-w- C:\windows\System32\wintrust.dll
2012-03-01 06:33:50 81408 ----a-w- C:\windows\System32\imagehlp.dll
2012-03-01 06:28:47 5120 ----a-w- C:\windows\System32\wmi.dll
2012-03-01 05:37:41 172544 ----a-w- C:\windows\SysWow64\wintrust.dll
2012-03-01 05:33:23 159232 ----a-w- C:\windows\SysWow64\imagehlp.dll
2012-03-01 05:29:16 5120 ----a-w- C:\windows\SysWow64\wmi.dll
2012-02-28 06:56:48 2311168 ----a-w- C:\windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\windows\System32\inetcpl.cpl
2012-02-28 06:42:55 2382848 ----a-w- C:\windows\System32\mshtml.tlb
2012-02-28 01:18:55 1799168 ----a-w- C:\windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\windows\SysWow64\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb
2012-02-23 16:18:36 279656 ------w- C:\windows\System32\MpSigStub.exe
.
============= FINISH: 1:55:22.74 ===============

*GMER Scan Did Not Produce A Log Upon Completion: "No system changes detected"


#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 18 May 2012 - 11:25 PM

Welcome to Bleeping Computer, Cal_Bear1982!

Let's see if the following allows you to run scanners you had no success with...

Please launch Notepad, (Press 'Start' and 'R' simultaneously, type in: notepad)
Copy/paste all of the following text inside the code box to Notepad:

rem delfld.bat: remove the randomly named folders that DDS listed at the
rem root of C: under "Created Last 30", then delete this batch file.
rmdir /s /q C:\58d543174a8b70a39d
rmdir /s /q C:\6b9e708248686a442b99a018
rmdir /s /q C:\d19a6f9e3ea9e940eedb
rmdir /s /q C:\353292ea13a0d27f43656a8295de
rmdir /s /q C:\1ecec73898ad58a05d47b0edc324b7
rmdir /s /q C:\1ee3b7e78f63671d79eb6561c396d7
rmdir /s /q C:\ee12eb78265b85738792ba6757eb8c
rem Last step: the batch file deletes itself (it runs from the Desktop, where it was saved).
del delfld.bat

In Notepad, go to File (upper menu bar), and select: Save as

In the Save as prompt:
Save in: Desktop
File Name: delfld.bat
Save as Type: All files
Click: Save

Exit out of Notepad.

Locate delfld.bat on your Desktop and double-click it.

Also, please disable PrivateFirewall.


~~~~
Restart the computer.

Now, try running Malwarebytes' Anti-Malware...

Please remove the MBAM previously downloaded, and get a new one from here.

Save to the Desktop.

MBAM may make changes to the Registry as part of its disinfection routine.
If using other security programs that detect Registry changes, they may interfere or alert you.
Temporarily disable such programs as shown here, or permit them to allow the changes.

Windows Seven: Right-click and select 'Run as Administrator'

When the installation begins, follow the prompts and do not make any changes to default settings.

Make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware


Click: Finish

MBAM automatically starts and you are asked to update the program.

If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.


On the Scanner tab:
Make sure the Perform Full Scan option is selected.

Then click on the Scan button.

If asked to select the drives to scan, leave all the drives selected.
Click on the Start Scan button.

The scan may take some time to complete, so please be patient.

When the scan is finished, a message box shows: The scan completed successfully. Click 'Show Results' to display all objects found.

Click OK to close the message box and continue with the removal process.


Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware found.
Make sure that everything is checked, and click: Remove Selected

When removal is completed, a report opens in Notepad.

The log is automatically saved and can be viewed by clicking the Logs tab.

Please copy/paste the entire contents of the MBAM report in your reply.

Exit MBAM when done.


Note: If MBAM encounters a file that is difficult to remove, you are asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Failure to reboot normally (not into safe mode) prevents MBAM from removing all the malware.

Old duck...

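Picking out the folders for a batch file like the one above can be scripted. This is an added example, not part of the thread or of any BleepingComputer, DDS or FRST tool: it parses the file-listing lines of a DDS "Created Last 30" section (and, as a generalization, the FRST "One Month Created Files and Folders" format posted later in this thread), keeps only root-level directories whose name is a bare hex string, and emits the same self-deleting delfld.bat. The DDS sample lines are copied from the DDS.txt posted above; the FRST sample is constructed.

```python
import re
from typing import Iterator

# DDS file-listing line: <date> <time> <size or dashes> <attr flags> <path>.
# The attribute flags are eight characters; the first is 'd' for a directory.
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attr>[-a-z]{8})\s+(?P<path>[A-Za-z]:\\.*)$"
)

# FRST file-listing line: <created> - <modified> - <size> <flags> [(vendor)] <path>.
# The flag field is '____D' for a directory and '____A' for a file.
FRST_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) - "
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} - (?P<size>\d+) (?P<attr>_{4}[A-Z])\s+"
    r"(?:\([^)]*\)\s+)?(?P<path>[A-Za-z]:\\.*)$"
)

# Folder names made only of 16 to 32 lowercase hex digits, sitting directly under
# the drive root: the pattern shared by the seven folders targeted by delfld.bat.
HEX_NAME = re.compile(r"^[0-9a-f]{16,32}$")

# Lines copied from the DDS.txt posted in this thread (not the whole section).
SAMPLE_DDS = r"""
2012-05-14 09:14:11 -------- d-----w- C:\58d543174a8b70a39d
2012-05-14 09:00:36 -------- d-----w- C:\6b9e708248686a442b99a018
2012-05-12 21:07:13 29808 ----a-w- C:\windows\System32\drivers\mbamchameleon.sys
2012-05-12 19:52:50 -------- d-----w- C:\VIPRERESCUE
2012-05-12 13:32:59 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-05-12 11:46:33 -------- d-----w- C:\d19a6f9e3ea9e940eedb
2012-05-12 10:29:02 -------- d-----w- C:\353292ea13a0d27f43656a8295de
2012-05-12 09:54:22 -------- d-----w- C:\1ecec73898ad58a05d47b0edc324b7
2012-05-12 09:25:54 -------- d-----w- C:\1ee3b7e78f63671d79eb6561c396d7
2012-05-12 09:06:50 -------- d-----w- C:\ee12eb78265b85738792ba6757eb8c
2012-05-11 22:24:20 5559664 ----a-w- C:\windows\System32\ntoskrnl.exe
"""

# Constructed FRST sample in the format of the FRST.txt posted later in the thread;
# the last line is a made-up entry added so the FRST path also produces a hit.
SAMPLE_FRST = r"""
2012-05-19 20:47 - 2012-05-19 20:48 - 0000000 ____D C:\FRST
2012-05-19 07:07 - 2012-05-19 07:07 - 0283304 ____A C:\Windows\Minidump\051912-28438-01.dmp
2012-05-18 21:32 - 2012-04-04 13:56 - 0024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-05-14 09:14 - 2012-05-14 09:14 - 0000000 ____D C:\58d543174a8b70a39d
"""


def parse_entries(text: str) -> Iterator[tuple[str, bool]]:
    """Yield (path, is_directory) for every DDS or FRST file-listing line in text."""
    for raw in text.splitlines():
        line = raw.strip()
        m = DDS_LINE.match(line)
        if m:
            yield m.group("path"), m.group("attr")[0] == "d"
            continue
        m = FRST_LINE.match(line)
        if m:
            yield m.group("path"), m.group("attr") == "____D"


def orphan_root_folders(text: str) -> list[str]:
    """Root-level directories whose name is a bare hex string, in log order, deduplicated."""
    found: list[str] = []
    for path, is_dir in parse_entries(text):
        _drive, _, rest = path.partition("\\")
        # rest is everything after "C:\"; a root-level folder has no further backslash.
        if is_dir and "\\" not in rest and HEX_NAME.match(rest) and path not in found:
            found.append(path)
    return found


def removal_batch(text: str, batch_name: str = "delfld.bat") -> str:
    """Build the same kind of self-deleting batch file the responder posted."""
    lines = [f"rmdir /s /q {p}" for p in orphan_root_folders(text)]
    lines.append(f"del {batch_name}")  # the batch removes itself as its last step
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(removal_batch(SAMPLE_DDS), end="")
```

Run against the full DDS.txt the output is the seven rmdir lines in the order they appear above; any root folder with a non-hex name such as C:\VIPRERESCUE is left alone.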

#3 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 18 May 2012 - 11:25 PM

Post duplicated...

Edited by Aaflac, 18 May 2012 - 11:29 PM.

Old duck...


#4 Cal_Bear1982

Cal_Bear1982
  • Topic Starter

  • Members
  • 38 posts

Posted 19 May 2012 - 01:09 PM

Followed the above instructions with the following results: First run of MBAM=BSOD after 20 min. Second Run=BSOD after 1 hour 23 min. Third time was a charm, but took over 9 hours to run. There is a screen with lots of information that appears after the BSOD, but it just flashes and disappears, so I am unable to provide any of that information. After the screen flash, computer automatically re-boots to a screen giving me the options to load into safe mode, this is without pressing F8, just goes to that screen automatically after each BSOD. Upon reboot, windows message appears telling me that it has experienced an unexpected shutdown, would I like to search for a solution. I press yes, and the message disappears with no further action or results listed.

MBAM LOG:

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.19.01

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
TW :: BIGBLUE [administrator]

Protection: Disabled

5/18/2012 11:47:13 PM
mbam-log-2012-05-18 (23-47-13).txt

Scan type: Full scan
Scan options enabled: Memory | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Startup | P2P
Objects scanned: 301585
Time elapsed: 9 hour(s), 10 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Edited by Cal_Bear1982, 19 May 2012 - 06:44 PM.


#5 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 19 May 2012 - 07:26 PM

Let's see if we can get a hold of this computer...

Do you have the Repair your computer option in the
Advanced Boot Options menu?

To find out:
Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Is the Repair your computer option listed?

If you do not have the option above, do you have a Windows Seven installation CD/DVD available?

Last, do you have a USB flash drive available, and do you have access to another computer?

Old duck...


#6 Cal_Bear1982

Cal_Bear1982
  • Topic Starter

  • Members
  • 38 posts

Posted 19 May 2012 - 09:04 PM

Do you have the Repair your computer option in the
Advanced Boot Options menu? YES..Prior to posting here, I have tried to repair; also tried to return to a save point but it tells me none exists. I have created several of these save points, so not sure what's up with that?

If you do not have the option above, do you have a Windows Seven installation CD/DVD available? YES

Last, do you have a USB flash drive available, and do you have access to another computer? YES...YES


Edited by Cal_Bear1982, 19 May 2012 - 09:05 PM.


#7 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 19 May 2012 - 09:11 PM

We are going to use a special tool run from the Command Prompt in the Advanced Boot Options menu.

You may want to print these instructions so you can have access to follow them.

Please plug a flash drive into a clean computer.
Go to Start > Computer
Double-click Computer, and select the flash drive.
Right-click and select: Format
Press Start on the Format prompt.
Remove when done.

Now, since the Operating System is 64-bit, download the Farbar Recovery Scan Tool x64
Save the program to the USB flash drive.

Next, plug the flash drive into the infected computer.

Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select your language settings, and click: Next
  • Select your User account and click: OK (If you did not set a password, leave blank.)

On the System Recovery Options menu you get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Scan your computer's memory for errors.
Command Prompt
  • Select Command Prompt
  • In the Command window, at the blinking cursor type notepad and press: Enter
  • In Notepad, under the File menu select: Open
  • Double-click Computer, find the flash drive letter, remember what letter it is, click on it, and press: Open
  • Close out of Notepad.
  • Click the Command window
  • Type g:\frst64.exe, and press: Enter
    Note: Replace the drive letter g with the drive letter of your flash drive!
  • The tool starts and prepares to run. Follow the prompts...
  • You may be asked to once again type: g:\frst64.exe at the Command prompt, and press: Enter
  • Click Yes to the disclaimer.
  • Press the SCAN button.
  • The program saves the FRST.txt on the flash drive.
  • Click the Command prompt window, type exit, and press: Enter
  • Back at the System Recovery Options, press: ShutDown
Please remove the USB flash drive from the infected computer, plug it into the clean computer, and copy/paste the FRST.txt in your reply.

Old duck...


#8 Cal_Bear1982

Cal_Bear1982
  • Topic Starter

  • Members
  • 38 posts

Posted 19 May 2012 - 09:56 PM

Scan result of Farbar Recovery Scan Tool Version: 15-03-2012
Ran by SYSTEM at 19-05-2012 20:48:11
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet002

========================== Registry (Whitelisted) =============

HKLM\...\Run: [] [x]
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2679592 2011-02-03] (Synaptics Incorporated)
HKLM-x32\...\Run: [Privatefirewall] C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe [3068600 2012-03-23] (Privacyware/PWI, Inc.)
HKLM-x32\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4241512 2012-03-06] (AVAST Software)
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462408 2012-04-04] (Malwarebytes Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

==================== Services (Whitelisted) ======

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2011-08-11] (SUPERAntiSpyware.com)
2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44768 2012-03-06] (AVAST Software)
2 GFNEXSrv; C:\Windows\System32\GFNEXSrv.exe [162824 2010-09-09] ()
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)
2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe /s [123320 2011-07-19] (Symantec Corporation)
2 PCCUJobMgr; "C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe" /s "PCCUJobMgr" /m "C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\diMaster.dll" /prefetch:1 [132984 2011-07-19] (Symantec Corporation)
2 PFNet; C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe [374120 2012-03-23] (Privacyware/PWI, Inc.)

========================== Drivers (Whitelisted) =============

2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [24408 2012-03-06] (AVAST Software)
2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [69976 2012-03-06] (AVAST Software)
1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [53080 2012-03-06] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [819032 2012-03-06] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [337240 2012-03-06] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [59224 2012-03-06] (AVAST Software)
3 MBAMProtector; \??\C:\windows\system32\drivers\mbam.sys [24904 2012-04-04] (Malwarebytes Corporation)
3 RTL8192Ce; C:\Windows\System32\Drivers\RTL8192Ce.sys [1142376 2011-02-23] (Realtek Semiconductor Corporation )
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SBRE; \??\C:\windows\system32\drivers\SBREdrv.sys [49752 2010-11-09] (Sunbelt Software)
3 TsUsbGD; C:\Windows\System32\Drivers\TsUsbGD.sys [31232 2010-11-20] (Microsoft Corporation)
1 SABKUTIL; \??\C:\Users\TW\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5C7BEOM6\SABKUTIL.sys [x]
3 TDEIO; \??\C:\Windows\SysWOW64\sysprep\BOOTPRIO\tdeio64.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-05-19 20:47 - 2012-05-19 20:48 - 0000000 ____D C:\FRST
2012-05-19 07:07 - 2012-05-19 07:07 - 0283304 ____A C:\Windows\Minidump\051912-28438-01.dmp
2012-05-18 21:44 - 2012-05-18 21:44 - 0275592 ____A C:\Windows\Minidump\051812-23665-01.dmp
2012-05-18 21:32 - 2012-05-18 21:32 - 0001080 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-05-18 21:32 - 2012-05-18 21:32 - 0001080 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-05-18 21:32 - 2012-04-04 13:56 - 0024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-05-18 21:30 - 2012-05-18 21:31 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\TW\Desktop\mbam-setup-1.61.0.1400.exe
2012-05-17 00:05 - 2012-05-17 00:05 - 0000000 ____D C:\Users\TW\Desktop\gmer
2012-05-17 00:03 - 2012-05-17 00:03 - 0294216 ____A C:\Users\TW\Desktop\gmer.zip
2012-05-17 00:01 - 2012-05-17 00:01 - 0024618 ____A C:\Users\TW\Desktop\Attach.txt
2012-05-17 00:01 - 2012-05-17 00:01 - 0017770 ____A C:\Users\TW\Desktop\DDS.txt
2012-05-16 23:50 - 2012-05-16 23:50 - 0000466 ____A C:\Users\TW\Desktop\defogger_disable.log
2012-05-16 23:50 - 2012-05-16 23:50 - 0000000 ____A C:\Users\TW\defogger_reenable
2012-05-16 23:39 - 2012-05-16 23:39 - 0275592 ____A C:\Windows\Minidump\051712-28314-01.dmp
2012-05-16 01:01 - 2012-05-16 01:01 - 0000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-16 01:01 - 2012-05-16 01:01 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-05-14 13:53 - 2012-05-14 13:53 - 0012983 ____A C:\Users\TW\Documents\BILLS.docx
2012-05-14 08:48 - 2012-05-14 08:48 - 0275592 ____A C:\Windows\Minidump\051412-31949-01.dmp
2012-05-14 01:26 - 2012-05-14 01:26 - 0275592 ____A C:\Windows\Minidump\051412-22651-01.dmp
2012-05-14 01:14 - 2012-05-14 01:14 - 0000000 ____D C:\58d543174a8b70a39d
2012-05-14 01:00 - 2012-05-14 01:00 - 0000000 ____D C:\6b9e708248686a442b99a018
2012-05-13 16:21 - 2012-05-13 16:21 - 0283304 ____A C:\Windows\Minidump\051312-32027-01.dmp
2012-05-13 15:24 - 2012-05-13 15:24 - 0001990 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2012-05-13 15:24 - 2012-05-13 15:24 - 0001990 ____A C:\Users\All Users\Desktop\Adobe Reader X.lnk
2012-05-12 23:54 - 2012-05-12 23:54 - 0275592 ____A C:\Windows\Minidump\051312-25100-01.dmp
2012-05-12 21:03 - 2012-05-17 00:04 - 0000000 ____D C:\Users\TW\Desktop\New folder (2)
2012-05-12 20:47 - 2012-05-12 20:47 - 0275592 ____A C:\Windows\Minidump\051212-18423-01.dmp
2012-05-12 19:57 - 2012-05-12 21:10 - 0001819 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-05-12 19:57 - 2012-05-12 21:10 - 0001819 ____A C:\Users\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-05-12 19:36 - 2012-05-12 19:36 - 0275592 ____A C:\Windows\Minidump\051212-19515-01.dmp
2012-05-12 12:35 - 2012-05-12 12:35 - 0275592 ____A C:\Windows\Minidump\051212-15896-01.dmp
2012-05-12 11:53 - 2012-05-12 11:53 - 0000000 ____A C:\Windows\SysWOW64\SBRC.dat
2012-05-12 11:53 - 2010-11-09 12:56 - 0049752 ____A (Sunbelt Software) C:\Windows\System32\Drivers\SBREDrv.sys
2012-05-12 11:53 - 2010-11-09 12:56 - 0027472 ____A (Sunbelt Software) C:\Windows\System32\sbbd.exe
2012-05-12 11:52 - 2012-05-12 11:53 - 0000000 ____D C:\VIPRERESCUE
2012-05-12 11:37 - 2012-05-12 11:50 - 113254400 ____A C:\Users\TW\Downloads\VIPRERescue11907 (1).exe
2012-05-12 11:24 - 2012-05-12 11:25 - 0275592 ____A C:\Windows\Minidump\051212-18548-01.dmp
2012-05-12 06:34 - 2012-05-12 06:34 - 0275592 ____A C:\Windows\Minidump\051212-15303-01.dmp
2012-05-12 06:24 - 2012-05-12 06:24 - 75950808 ____A C:\Users\TW\Downloads\VIPRERescue11907.exe.hruhn24.partial
2012-05-12 06:19 - 2012-05-12 06:20 - 0275592 ____A C:\Windows\Minidump\051212-14804-01.dmp
2012-05-12 06:11 - 2012-05-12 06:12 - 0275592 ____A C:\Windows\Minidump\051212-14352-01.dmp
2012-05-12 05:33 - 2012-05-12 05:33 - 0000000 ____D C:\Users\TW\AppData\Roaming\SUPERAntiSpyware.com
2012-05-12 05:32 - 2012-05-12 21:10 - 0000000 ____D C:\Program Files\SUPERAntiSpyware
2012-05-12 05:32 - 2012-05-12 05:32 - 0000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-05-12 05:32 - 2012-05-12 05:32 - 0000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2012-05-12 05:25 - 2012-05-12 05:28 - 16449280 ____A (SUPERAntiSpyware.com) C:\Users\TW\Downloads\SAS_7995.EXE
2012-05-12 05:22 - 2012-05-12 13:23 - 0000421 ____A C:\rkill.log
2012-05-12 05:11 - 2012-05-12 05:14 - 0000828 ____A C:\Users\TW\Desktop\exehelperlog.txt
2012-05-12 04:20 - 2012-05-12 05:06 - 0000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-05-12 04:20 - 2012-05-12 05:06 - 0000000 ____D C:\ProgramData\Spybot - Search & Destroy
2012-05-12 04:20 - 2012-05-12 04:20 - 0001229 ____A C:\Users\TW\Desktop\Spybot - Search & Destroy.lnk
2012-05-12 04:20 - 2012-05-12 04:20 - 0000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
2012-05-12 03:46 - 2012-05-12 03:46 - 0000000 ____D C:\d19a6f9e3ea9e940eedb
2012-05-12 03:42 - 2012-05-12 03:42 - 0275592 ____A C:\Windows\Minidump\051212-16286-01.dmp
2012-05-12 03:22 - 2012-05-18 21:44 - 2229698 ____A C:\Windows\ntbtlog.txt
2012-05-12 02:48 - 2012-05-12 02:48 - 0275592 ____A C:\Windows\Minidump\051212-20248-01.dmp
2012-05-12 02:34 - 2012-05-12 02:34 - 0065536 __ASH C:\Windows\System32\config\COMPONENTS{c0bc36dd-9c15-11e1-881b-e840f2373fc4}.TxR.blf
2012-05-12 02:29 - 2012-05-12 02:29 - 0000000 ____D C:\353292ea13a0d27f43656a8295de
2012-05-12 02:22 - 2012-05-12 02:23 - 0275592 ____A C:\Windows\Minidump\051212-30716-01.dmp
2012-05-12 01:54 - 2012-05-12 01:54 - 0000000 ____D C:\1ecec73898ad58a05d47b0edc324b7
2012-05-12 01:35 - 2012-05-19 07:07 - 0000000 ____D C:\Windows\Minidump
2012-05-12 01:35 - 2012-05-12 01:35 - 0275592 ____A C:\Windows\Minidump\051212-24102-01.dmp
2012-05-12 01:25 - 2012-05-12 01:26 - 0000000 ____D C:\1ee3b7e78f63671d79eb6561c396d7
2012-05-12 01:21 - 2012-05-12 01:21 - 0065536 __ASH C:\Windows\System32\config\COMPONENTS{5eaf2253-7ac4-11e1-b5da-e840f2373fc4}.TxR.blf
2012-05-12 01:20 - 2012-05-19 07:07 - 620846887 ____A C:\Windows\MEMORY.DMP
2012-05-12 01:06 - 2012-05-12 01:06 - 0000000 ____D C:\ee12eb78265b85738792ba6757eb8c
2012-05-11 14:24 - 2012-03-30 22:05 - 5559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-11 14:24 - 2012-03-30 20:39 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-11 14:24 - 2012-03-30 20:39 - 3913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-05-11 14:24 - 2012-03-30 19:10 - 3146240 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-11 14:24 - 2012-03-02 22:35 - 1544704 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-05-11 14:24 - 2012-03-02 21:31 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-05-11 14:22 - 2012-03-16 23:58 - 0075120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2012-05-11 14:20 - 2012-03-30 03:35 - 1918320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-04-28 16:08 - 2012-04-28 16:08 - 0000000 ____D C:\Windows\System32\Macromed

============ 3 Months Modified Files and Folders =============

2012-05-19 20:48 - 2012-05-19 20:47 - 0000000 ____D C:\FRST
2012-05-19 18:41 - 2012-01-30 19:06 - 1509934 ____A C:\Windows\WindowsUpdate.log
2012-05-19 07:23 - 2009-07-13 20:45 - 0024400 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-05-19 07:23 - 2009-07-13 20:45 - 0024400 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-05-19 07:11 - 2009-07-13 21:13 - 0719716 ____A C:\Windows\System32\PerfStringBackup.INI
2012-05-19 07:07 - 2012-05-19 07:07 - 0283304 ____A C:\Windows\Minidump\051912-28438-01.dmp
2012-05-19 07:07 - 2012-05-12 01:35 - 0000000 ____D C:\Windows\Minidump
2012-05-19 07:07 - 2012-05-12 01:20 - 620846887 ____A C:\Windows\MEMORY.DMP
2012-05-19 07:07 - 2012-01-30 19:03 - 2801360896 __ASH C:\hiberfil.sys
2012-05-19 07:07 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-05-19 07:07 - 2009-07-13 20:51 - 0039267 ____A C:\Windows\setupact.log
2012-05-18 21:44 - 2012-05-18 21:44 - 0275592 ____A C:\Windows\Minidump\051812-23665-01.dmp
2012-05-18 21:44 - 2012-05-12 03:22 - 2229698 ____A C:\Windows\ntbtlog.txt
2012-05-18 21:33 - 2012-03-25 20:01 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-05-18 21:32 - 2012-05-18 21:32 - 0001080 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-05-18 21:32 - 2012-05-18 21:32 - 0001080 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-05-18 21:31 - 2012-05-18 21:30 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\TW\Desktop\mbam-setup-1.61.0.1400.exe
2012-05-18 21:21 - 2010-11-20 19:47 - 0747934 ____A C:\Windows\PFRO.log
2012-05-17 21:52 - 2012-03-27 12:55 - 0000000 ____D C:\Users\TW\Desktop\New folder
2012-05-17 00:05 - 2012-05-17 00:05 - 0000000 ____D C:\Users\TW\Desktop\gmer
2012-05-17 00:04 - 2012-05-12 21:03 - 0000000 ____D C:\Users\TW\Desktop\New folder (2)
2012-05-17 00:03 - 2012-05-17 00:03 - 0294216 ____A C:\Users\TW\Desktop\gmer.zip
2012-05-17 00:01 - 2012-05-17 00:01 - 0024618 ____A C:\Users\TW\Desktop\Attach.txt
2012-05-17 00:01 - 2012-05-17 00:01 - 0017770 ____A C:\Users\TW\Desktop\DDS.txt
2012-05-16 23:50 - 2012-05-16 23:50 - 0000466 ____A C:\Users\TW\Desktop\defogger_disable.log
2012-05-16 23:50 - 2012-05-16 23:50 - 0000000 ____A C:\Users\TW\defogger_reenable
2012-05-16 23:50 - 2012-03-25 17:01 - 0000000 ____D C:\users\TW
2012-05-16 23:39 - 2012-05-16 23:39 - 0275592 ____A C:\Windows\Minidump\051712-28314-01.dmp
2012-05-16 21:48 - 2012-04-02 01:48 - 0419488 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-05-16 21:48 - 2011-11-02 04:01 - 0070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-05-16 01:01 - 2012-05-16 01:01 - 0000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-16 01:01 - 2012-05-16 01:01 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-05-14 13:53 - 2012-05-14 13:53 - 0012983 ____A C:\Users\TW\Documents\BILLS.docx
2012-05-14 08:48 - 2012-05-14 08:48 - 0275592 ____A C:\Windows\Minidump\051412-31949-01.dmp
2012-05-14 01:26 - 2012-05-14 01:26 - 0275592 ____A C:\Windows\Minidump\051412-22651-01.dmp
2012-05-14 01:14 - 2012-05-14 01:14 - 0000000 ____D C:\58d543174a8b70a39d
2012-05-14 01:00 - 2012-05-14 01:00 - 0000000 ____D C:\6b9e708248686a442b99a018
2012-05-13 16:21 - 2012-05-13 16:21 - 0283304 ____A C:\Windows\Minidump\051312-32027-01.dmp
2012-05-13 15:24 - 2012-05-13 15:24 - 0001990 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2012-05-13 15:24 - 2012-05-13 15:24 - 0001990 ____A C:\Users\All Users\Desktop\Adobe Reader X.lnk
2012-05-12 23:54 - 2012-05-12 23:54 - 0275592 ____A C:\Windows\Minidump\051312-25100-01.dmp
2012-05-12 21:10 - 2012-05-12 19:57 - 0001819 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-05-12 21:10 - 2012-05-12 19:57 - 0001819 ____A C:\Users\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-05-12 21:10 - 2012-05-12 05:32 - 0000000 ____D C:\Program Files\SUPERAntiSpyware
2012-05-12 20:47 - 2012-05-12 20:47 - 0275592 ____A C:\Windows\Minidump\051212-18423-01.dmp
2012-05-12 19:36 - 2012-05-12 19:36 - 0275592 ____A C:\Windows\Minidump\051212-19515-01.dmp
2012-05-12 13:23 - 2012-05-12 05:22 - 0000421 ____A C:\rkill.log
2012-05-12 12:35 - 2012-05-12 12:35 - 0275592 ____A C:\Windows\Minidump\051212-15896-01.dmp
2012-05-12 11:53 - 2012-05-12 11:53 - 0000000 ____A C:\Windows\SysWOW64\SBRC.dat
2012-05-12 11:53 - 2012-05-12 11:52 - 0000000 ____D C:\VIPRERESCUE
2012-05-12 11:50 - 2012-05-12 11:37 - 113254400 ____A C:\Users\TW\Downloads\VIPRERescue11907 (1).exe
2012-05-12 11:25 - 2012-05-12 11:24 - 0275592 ____A C:\Windows\Minidump\051212-18548-01.dmp
2012-05-12 06:34 - 2012-05-12 06:34 - 0275592 ____A C:\Windows\Minidump\051212-15303-01.dmp
2012-05-12 06:24 - 2012-05-12 06:24 - 75950808 ____A C:\Users\TW\Downloads\VIPRERescue11907.exe.hruhn24.partial
2012-05-12 06:20 - 2012-05-12 06:19 - 0275592 ____A C:\Windows\Minidump\051212-14804-01.dmp
2012-05-12 06:12 - 2012-05-12 06:11 - 0275592 ____A C:\Windows\Minidump\051212-14352-01.dmp
2012-05-12 05:33 - 2012-05-12 05:33 - 0000000 ____D C:\Users\TW\AppData\Roaming\SUPERAntiSpyware.com
2012-05-12 05:32 - 2012-05-12 05:32 - 0000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-05-12 05:32 - 2012-05-12 05:32 - 0000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2012-05-12 05:28 - 2012-05-12 05:25 - 16449280 ____A (SUPERAntiSpyware.com) C:\Users\TW\Downloads\SAS_7995.EXE
2012-05-12 05:14 - 2012-05-12 05:11 - 0000828 ____A C:\Users\TW\Desktop\exehelperlog.txt
2012-05-12 05:06 - 2012-05-12 04:20 - 0000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-05-12 05:06 - 2012-05-12 04:20 - 0000000 ____D C:\ProgramData\Spybot - Search & Destroy
2012-05-12 04:20 - 2012-05-12 04:20 - 0001229 ____A C:\Users\TW\Desktop\Spybot - Search & Destroy.lnk
2012-05-12 04:20 - 2012-05-12 04:20 - 0000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
2012-05-12 03:46 - 2012-05-12 03:46 - 0000000 ____D C:\d19a6f9e3ea9e940eedb
2012-05-12 03:42 - 2012-05-12 03:42 - 0275592 ____A C:\Windows\Minidump\051212-16286-01.dmp
2012-05-12 02:48 - 2012-05-12 02:48 - 0275592 ____A C:\Windows\Minidump\051212-20248-01.dmp
2012-05-12 02:34 - 2012-05-12 02:34 - 0065536 __ASH C:\Windows\System32\config\COMPONENTS{c0bc36dd-9c15-11e1-881b-e840f2373fc4}.TxR.blf
2012-05-12 02:34 - 2009-07-13 20:45 - 0414656 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-12 02:29 - 2012-05-12 02:29 - 0000000 ____D C:\353292ea13a0d27f43656a8295de
2012-05-12 02:29 - 2012-03-26 01:11 - 57848688 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-05-12 02:28 - 2012-03-30 15:27 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-05-12 02:28 - 2012-03-30 15:27 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-05-12 02:23 - 2012-05-12 02:22 - 0275592 ____A C:\Windows\Minidump\051212-30716-01.dmp
2012-05-12 01:54 - 2012-05-12 01:54 - 0000000 ____D C:\1ecec73898ad58a05d47b0edc324b7
2012-05-12 01:35 - 2012-05-12 01:35 - 0275592 ____A C:\Windows\Minidump\051212-24102-01.dmp
2012-05-12 01:26 - 2012-05-12 01:25 - 0000000 ____D C:\1ee3b7e78f63671d79eb6561c396d7
2012-05-12 01:21 - 2012-05-12 01:21 - 0065536 __ASH C:\Windows\System32\config\COMPONENTS{5eaf2253-7ac4-11e1-b5da-e840f2373fc4}.TxR.blf
2012-05-12 01:17 - 2009-07-13 21:08 - 0020394 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-05-12 01:06 - 2012-05-12 01:06 - 0000000 ____D C:\ee12eb78265b85738792ba6757eb8c
2012-05-12 01:01 - 2010-11-20 23:17 - 0000000 ____D C:\Program Files\Windows Journal
2012-04-28 23:37 - 2012-03-27 12:28 - 0000000 ____D C:\Users\TW\AppData\Local\ElevatedDiagnostics
2012-04-28 16:08 - 2012-04-28 16:08 - 0000000 ____D C:\Windows\System32\Macromed
2012-04-15 12:45 - 2009-07-13 18:34 - 0000478 ____A C:\Windows\win.ini
2012-04-04 13:56 - 2012-05-18 21:32 - 0024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-03-31 21:37 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\rescache
2012-03-31 10:35 - 2011-11-02 04:01 - 0000000 ____D C:\Users\All Users\Adobe
2012-03-31 10:35 - 2011-11-02 04:01 - 0000000 ____D C:\ProgramData\Adobe
2012-03-31 01:02 - 2012-03-31 01:02 - 0000000 ____D C:\Users\Default\AppData\Local\Microsoft Help
2012-03-31 01:02 - 2012-03-31 01:02 - 0000000 ____D C:\Users\Default User\AppData\Local\Microsoft Help
2012-03-30 22:05 - 2012-05-11 14:24 - 5559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-30 20:39 - 2012-05-11 14:24 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-03-30 20:39 - 2012-05-11 14:24 - 3913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-03-30 19:10 - 2012-05-11 14:24 - 3146240 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-30 16:43 - 2012-03-25 17:04 - 0000174 ___SH C:\Users\TW\Start Menu\Programs\Startup\desktop.ini
2012-03-30 16:43 - 2012-03-25 17:04 - 0000174 ___SH C:\Users\TW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-03-30 16:06 - 2012-03-25 17:06 - 0108840 ____A C:\Users\TW\AppData\Local\GDIPFONTCACHEV1.DAT
2012-03-30 15:55 - 2011-11-02 04:19 - 0000000 ____D C:\Program Files (x86)\Microsoft Office
2012-03-30 15:32 - 2010-11-20 23:16 - 0000000 ____D C:\Windows\ShellNew
2012-03-30 15:32 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\MSBuild
2012-03-30 15:31 - 2012-03-30 15:31 - 0000000 ____D C:\Program Files (x86)\Microsoft Synchronization Services
2012-03-30 15:31 - 2012-03-30 15:31 - 0000000 ____D C:\Program Files (x86)\Microsoft Sync Framework
2012-03-30 15:31 - 2011-11-02 04:11 - 0000000 ____D C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2012-03-30 15:29 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Common Files\Microsoft Shared
2012-03-30 15:28 - 2012-03-30 15:28 - 0000000 ____D C:\Program Files\Microsoft Office
2012-03-30 15:28 - 2012-03-30 15:28 - 0000000 ____D C:\Program Files (x86)\Microsoft Visual Studio 8
2012-03-30 15:27 - 2012-03-30 15:27 - 0000000 __RHD C:\MSOCache
2012-03-30 15:27 - 2012-03-30 15:27 - 0000000 ____D C:\Users\TW\AppData\Local\Microsoft Help
2012-03-30 15:27 - 2012-03-30 15:27 - 0000000 ____D C:\Program Files (x86)\Microsoft Analysis Services
2012-03-30 03:35 - 2012-05-11 14:20 - 1918320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-28 14:35 - 2012-03-28 14:35 - 2207744 ____A C:\Users\TW\Downloads\Diag504fCD.iso
2012-03-28 13:19 - 2012-03-25 17:01 - 0000000 ____D C:\Users\TW\AppData\LocalLow
2012-03-28 12:18 - 2012-03-28 12:18 - 8867840 ____A C:\Users\TW\Downloads\SeaToolsDOS223ALL.ISO
2012-03-27 18:57 - 2012-03-27 18:44 - 135467008 ____A C:\Users\TW\Downloads\lupu-528.iso
2012-03-27 14:57 - 2012-03-27 13:21 - 0000000 ____D C:\Users\TW\AppData\Roaming\ImgBurn
2012-03-27 13:01 - 2012-03-27 13:01 - 0001836 ____A C:\Users\Public\Desktop\ImgBurn.lnk
2012-03-27 13:01 - 2012-03-27 13:01 - 0001836 ____A C:\Users\All Users\Desktop\ImgBurn.lnk
2012-03-27 13:01 - 2012-03-27 13:01 - 0000000 ____D C:\Program Files (x86)\ImgBurn
2012-03-27 12:59 - 2012-03-27 12:59 - 6055875 ____A (LIGHTNING UK!) C:\Users\TW\Downloads\SetupImgBurn_2.5.6.0.exe
2012-03-27 12:51 - 2012-03-27 12:51 - 0000410 ____A C:\Windows\BRWMARK.INI
2012-03-27 12:51 - 2012-03-27 12:51 - 0000034 ____A C:\Windows\SysWOW64\BD2040.DAT
2012-03-27 10:03 - 2012-03-27 10:01 - 0000000 ___DC C:\Users\TW\AppData\Local\MigWiz
2012-03-26 23:22 - 2012-03-26 23:22 - 0000000 ____D C:\Users\TW\AppData\Local\Adobe
2012-03-26 23:22 - 2012-03-25 17:29 - 0000000 ____D C:\Users\TW\AppData\Roaming\Adobe
2012-03-26 01:32 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Common Files\System
2012-03-26 00:52 - 2012-03-26 00:52 - 0000000 ____D C:\Users\TW\AppData\Local\Privatefirewall
2012-03-26 00:41 - 2012-03-26 00:41 - 0001852 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-03-26 00:41 - 2012-03-26 00:41 - 0001852 ____A C:\Users\All Users\Desktop\avast! Free Antivirus.lnk
2012-03-26 00:41 - 2012-03-26 00:41 - 0000000 ____A C:\Windows\SysWOW64\config.nt
2012-03-26 00:40 - 2012-03-26 00:40 - 0000000 ____D C:\Users\All Users\AVAST Software
2012-03-26 00:40 - 2012-03-26 00:40 - 0000000 ____D C:\ProgramData\AVAST Software
2012-03-26 00:40 - 2012-03-26 00:40 - 0000000 ____D C:\Program Files\AVAST Software
2012-03-25 21:08 - 2012-03-25 21:08 - 0000146 ____A C:\Windows\ODBC.INI
2012-03-25 21:08 - 2012-03-25 21:08 - 0000000 ____D C:\Users\All Users\Privacyware
2012-03-25 21:08 - 2012-03-25 21:08 - 0000000 ____D C:\ProgramData\Privacyware
2012-03-25 21:08 - 2012-03-25 21:08 - 0000000 ____D C:\Program Files (x86)\Privacyware
2012-03-25 20:17 - 2012-01-30 19:42 - 0000000 ____D C:\Program Files (x86)\Google
2012-03-25 20:02 - 2012-03-25 20:02 - 0000000 ____D C:\Users\TW\AppData\Roaming\Malwarebytes
2012-03-25 20:02 - 2012-03-25 20:02 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-03-25 20:02 - 2012-03-25 20:02 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-03-25 20:00 - 2012-03-25 17:03 - 0000000 ____D C:\Users\TW\AppData\Local\VirtualStore
2012-03-25 19:54 - 2012-01-30 19:50 - 0000000 ____D C:\Users\All Users\Norton
2012-03-25 19:54 - 2012-01-30 19:50 - 0000000 ____D C:\ProgramData\Norton
2012-03-25 19:53 - 2012-01-30 19:43 - 0000000 ____D C:\Program Files\Google
2012-03-25 19:52 - 2012-01-30 19:55 - 0000000 ____D C:\Program Files (x86)\TOSHIBA Games
2012-03-25 19:52 - 2011-11-02 04:01 - 0000000 ____D C:\Program Files\Toshiba
2012-03-25 19:51 - 2012-01-30 19:55 - 0000000 ____D C:\Users\All Users\WildTangent
2012-03-25 19:51 - 2012-01-30 19:55 - 0000000 ____D C:\ProgramData\WildTangent
2012-03-25 19:51 - 2011-11-02 04:01 - 0000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-03-25 19:50 - 2012-03-25 19:29 - 0000000 ____D C:\Users\TW\AppData\Local\Google
2012-03-25 19:50 - 2012-01-30 19:48 - 0000000 ____D C:\Program Files (x86)\NortonInstaller
2012-03-25 19:50 - 2011-11-02 04:08 - 0000000 ____D C:\Program Files (x86)\Toshiba
2012-03-25 19:50 - 2009-07-13 19:20 - 0000000 ___RD C:\users\Public
2012-03-25 19:48 - 2012-01-30 19:43 - 0000000 ____D C:\Users\All Users\Google
2012-03-25 19:48 - 2012-01-30 19:43 - 0000000 ____D C:\ProgramData\Google
2012-03-25 19:48 - 2012-01-30 19:39 - 0000000 ____D C:\Program Files (x86)\TOSHIBA Corporation
2012-03-25 19:44 - 2011-11-02 04:08 - 0000000 ____D C:\Users\All Users\Toshiba
2012-03-25 19:44 - 2011-11-02 04:08 - 0000000 ____D C:\ProgramData\Toshiba
2012-03-25 19:32 - 2012-03-25 19:29 - 0000000 ____D C:\Users\TW\AppData\Roaming\Google
2012-03-25 17:29 - 2012-03-25 17:29 - 0000000 ____D C:\Users\TW\AppData\Roaming\Tific
2012-03-25 17:07 - 2012-03-25 17:07 - 0000000 ____D C:\Users\TW\AppData\Roaming\Toshiba
2012-03-25 17:05 - 2012-03-25 17:05 - 0000000 ____D C:\Users\TW\AppData\Roaming\ATI
2012-03-25 17:05 - 2012-03-25 17:05 - 0000000 ____D C:\Users\TW\AppData\Local\ATI
2012-03-25 17:05 - 2012-03-25 17:04 - 0000000 ____D C:\Users\TW\AppData\Local\TOSHIBA
2012-03-25 17:03 - 2012-03-25 17:03 - 0000013 __RSH C:\Windows\System32\Drivers\fbd.sys
2012-03-25 17:03 - 2011-11-02 02:55 - 0000000 ____D C:\Windows\Panther
2012-03-25 17:03 - 2010-11-20 23:06 - 0000000 ____D C:\Windows\SysWOW64\sysprep
2012-03-25 17:03 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\Sysprep
2012-03-25 17:03 - 2009-07-13 19:18 - 0000000 __SHD C:\$Recycle.Bin
2012-03-25 17:02 - 2012-03-25 17:02 - 0000000 ____D C:\Users\TW\AppData\Roaming\WinBatch
2012-03-25 17:02 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\System32\restore
2012-03-25 17:01 - 2012-03-25 17:01 - 0000020 ___SH C:\Users\TW\ntuser.ini
2012-03-25 17:01 - 2012-03-25 17:01 - 0000000 __SHD C:\Users\TW\Templates
2012-03-25 17:01 - 2012-03-25 17:01 - 0000000 __SHD C:\Users\TW\Start Menu
2012-03-25 17:01 - 2012-03-25 17:01 - 0000000 __SHD C:\Users\TW\PrintHood
2012-03-25 17:01 - 2012-03-25 17:01 - 0000000 __SHD C:\Users\TW\NetHood
2012-03-25 17:01 - 2012-03-25 17:01 - 0000000 __SHD C:\Users\TW\My Documents
2012-03-25 17:01 - 2012-03-25 17:01 - 0000000 __SHD C:\Users\TW\Documents\My Videos
2012-03-25 17:01 - 2012-03-25 17:01 - 0000000 __SHD C:\Users\TW\Documents\My Pictures
2012-03-25 17:01 - 2012-03-25 17:01 - 0000000 __SHD C:\Users\TW\Documents\My Music
2012-03-25 17:01 - 2012-03-25 17:01 - 0000000 __SHD C:\Users\TW\AppData\Local\Temporary Internet Files
2012-03-25 17:01 - 2012-03-25 17:01 - 0000000 __SHD C:\Users\TW\AppData\Local\History
2012-03-25 17:01 - 2009-07-13 19:20 - 0000000 __RHD C:\Users\Public\Libraries
2012-03-25 16:00 - 2009-07-13 21:01 - 0108227 ____A C:\Windows\SysWOW64\license.rtf
2012-03-25 16:00 - 2009-07-13 21:01 - 0108227 ____A C:\Windows\System32\license.rtf
2012-03-16 23:58 - 2012-05-11 14:22 - 0075120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2012-03-06 15:15 - 2012-03-26 00:41 - 0258520 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-03-06 15:15 - 2012-03-26 00:41 - 0201352 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-03-06 15:15 - 2012-03-26 00:41 - 0041184 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-03-06 15:04 - 2012-03-26 00:41 - 0819032 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-03-06 15:04 - 2012-03-26 00:41 - 0337240 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-03-06 15:02 - 2012-03-26 00:41 - 0053080 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-03-06 15:01 - 2012-03-26 00:41 - 0069976 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-03-06 15:01 - 2012-03-26 00:41 - 0059224 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-03-06 15:01 - 2012-03-26 00:41 - 0024408 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-03-02 22:35 - 2012-05-11 14:24 - 1544704 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-03-02 21:31 - 2012-05-11 14:24 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-02-29 22:46 - 2012-04-15 12:40 - 0023408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-02-29 22:38 - 2012-04-15 12:40 - 0220672 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-02-29 22:33 - 2012-04-15 12:40 - 0081408 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-02-29 22:28 - 2012-04-15 12:40 - 0005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-02-29 21:37 - 2012-04-15 12:40 - 0172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-02-29 21:33 - 2012-04-15 12:40 - 0159232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2012-02-29 21:29 - 2012-04-15 12:40 - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wmi.dll
2012-02-27 23:34 - 2012-04-15 12:44 - 17790976 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-02-27 23:02 - 2012-04-15 12:44 - 10888704 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-02-27 22:56 - 2012-04-15 12:44 - 2311168 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-02-27 22:50 - 2012-04-15 12:44 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-02-27 22:49 - 2012-04-15 12:44 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-02-27 22:48 - 2012-04-15 12:44 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-02-27 22:48 - 2012-04-15 12:44 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-02-27 22:47 - 2012-04-15 12:44 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-02-27 22:45 - 2012-04-15 12:44 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-02-27 22:43 - 2012-04-15 12:44 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-02-27 22:43 - 2012-04-15 12:44 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-02-27 22:42 - 2012-04-15 12:44 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-02-27 22:39 - 2012-04-15 12:44 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-02-27 17:52 - 2012-04-15 12:44 - 12281856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-02-27 17:27 - 2012-04-15 12:44 - 9705984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-02-27 17:18 - 2012-04-15 12:44 - 1799168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-02-27 17:12 - 2012-04-15 12:44 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-02-27 17:11 - 2012-04-15 12:44 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-02-27 17:11 - 2012-04-15 12:44 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-02-27 17:09 - 2012-04-15 12:44 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-02-27 17:08 - 2012-04-15 12:44 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-02-27 17:06 - 2012-04-15 12:44 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-02-27 17:04 - 2012-04-15 12:44 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-02-27 17:03 - 2012-04-15 12:44 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-02-27 17:03 - 2012-04-15 12:44 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-02-27 16:59 - 2012-04-15 12:44 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-02-23 08:18 - 2010-11-20 19:27 - 0279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe
[2011-11-02 03:36] - [2011-03-01 00:07] - 0027648 ____A (Microsoft Corporation) 6F68F63794097E54F36474ED4384B759

C:\Windows\SysWOW64\svchost.exe
[2011-11-02 03:36] - [2011-03-01 00:05] - 0021504 ____A (Microsoft Corporation) ECDB182F885292145826C58252B53000

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2011-11-02 03:35] - [2011-02-24 22:25] - 0296320 ____A (Microsoft Corporation) DF8126BD41180351A093A3AD2FC8903B


========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 3562.12 MB
Available physical RAM: 3025.07 MB
Total Pagefile: 3560.32 MB
Available Pagefile: 3009.01 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (TI106319W0D) (Fixed) (Total:579.96 GB) (Free:548.63 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: () (Removable) (Total:0.24 GB) (Free:0.24 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 596 GB 0 B
Disk 1 Online 244 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 579 GB 1501 MB
Partition 3 Primary 14 GB 581 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D System NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI106319W0D NTFS Partition 579 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 244 MB 49 KB

======================================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT Removable 244 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-05-19 07:37

======================= End Of Log ==========================

#9 Aaflac
Malware Response Team

Posted 20 May 2012 - 12:31 AM

Also, before attempting anything else, let's also try to obtain the Stop code for the BSOD...

Please click on the Start button, and, in the Search box above Start, type: system
Select System under the Control Panel heading in the list of results.
In the task pane on the left, click: Advanced System Settings
Locate the Startup and Recovery section and click on the Settings button.

In the Startup and Recovery window, locate and uncheck the box next to: Automatically restart
Click OK in the Startup and Recovery window.
Click OK in the System Properties window.
Close the System window.

Now, when a BSOD halts the system, Windows 7 will not force a reboot.
You will have to reboot manually when the error appears.

Restart the computer, and when the BSOD appears, write down and post the hexadecimal number after STOP: plus the four sets of hexadecimal numbers in the parentheses.

Example (Look at the last line of this image):
[image: example BSOD screen, not preserved]

Old duck...


#10 Cal_Bear1982
Topic Starter

Posted 20 May 2012 - 12:53 AM

OK, thanks... The screen example you posted is the one that flashes and disappears. Will report the information on the next BSOD... Never thought I would be hoping it would happen. LOL!

#11 Cal_Bear1982
Topic Starter

Posted 20 May 2012 - 01:14 AM

Huh...Well that didn't take long.

BSOD Information:

A Problem Has Been Detected And Windows Has Been Shutdown To Prevent Damage.
[IRQL_NOT_LESS_OR_EQUAL]

STOP: 0x0000000A (0x0000000000000000, 0x0000000000000002, 0x0000000000000000, 0xFFFFF8000348B3D9)

#12 Aaflac
Malware Response Team

Posted 20 May 2012 - 01:27 AM

You may not have a malware problem, but, let's see what this shows:

Please download BlueScreenView
Go towards the bottom of the page to: Download BlueScreenView (in Zip file)

No installation required.

Right-click > Extract all... and unzip downloaded file.

Double-click on BlueScreenView.exe file to run the program.

When scanning is done, go to Edit > Select All.
Then, go to File > Save Selected Items, and save the report as BSOD.txt.

Open BSOD.txt in Notepad, copy all of its content, and provide the info in your reply.

Old duck...


#13 Cal_Bear1982
Topic Starter

Posted 20 May 2012 - 02:09 AM

I was actually "hoping" I did have some form of malware, as I am pretty lost when it comes to Windows functions etc.


==================================================
Dump File : 052012-36644-01.dmp
Crash Time : 5/20/2012 12:17:46 AM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 00000000`00000000
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000000
Parameter 4 : fffff800`0348b3d9
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17803 (win7sp1_gdr.120330-1504)
Processor : x64
Crash Address : ntoskrnl.exe+7f1c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\windows\Minidump\052012-36644-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 275,592
==================================================

==================================================
Dump File : 051912-28438-01.dmp
Crash Time : 5/19/2012 9:07:53 AM
Bug Check String : KERNEL_DATA_INPAGE_ERROR
Bug Check Code : 0x0000007a
Parameter 1 : fffff6fc`4001c850
Parameter 2 : ffffffff`c0000185
Parameter 3 : 00000001`23a5dbe0
Parameter 4 : fffff880`0390a000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17803 (win7sp1_gdr.120330-1504)
Processor : x64
Crash Address : ntoskrnl.exe+7f1c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\windows\Minidump\051912-28438-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 283,304
==================================================

==================================================
Dump File : 051812-23665-01.dmp
Crash Time : 5/18/2012 11:44:42 PM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 00000000`00000000
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000000
Parameter 4 : fffff800`034d53d9
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17803 (win7sp1_gdr.120330-1504)
Processor : x64
Crash Address : ntoskrnl.exe+7f1c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\windows\Minidump\051812-23665-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 275,592
==================================================

==================================================
Dump File : 051712-28314-01.dmp
Crash Time : 5/17/2012 1:39:12 AM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 00000000`00000000
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000000
Parameter 4 : fffff800`0349f925
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17803 (win7sp1_gdr.120330-1504)
Processor : x64
Crash Address : ntoskrnl.exe+7f1c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\windows\Minidump\051712-28314-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 275,592
==================================================

==================================================
Dump File : 051412-31949-01.dmp
Crash Time : 5/14/2012 10:48:50 AM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 00000000`00000000
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000000
Parameter 4 : fffff800`0348b925
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17803 (win7sp1_gdr.120330-1504)
Processor : x64
Crash Address : ntoskrnl.exe+7f1c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\windows\Minidump\051412-31949-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 275,592
==================================================

==================================================
Dump File : 051412-22651-01.dmp
Crash Time : 5/14/2012 3:26:19 AM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 00000000`00000000
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000000
Parameter 4 : fffff800`034a93d9
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17803 (win7sp1_gdr.120330-1504)
Processor : x64
Crash Address : ntoskrnl.exe+7f1c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\windows\Minidump\051412-22651-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 275,592
==================================================

==================================================
Dump File : 051312-32027-01.dmp
Crash Time : 5/13/2012 6:21:33 PM
Bug Check String : KERNEL_DATA_INPAGE_ERROR
Bug Check Code : 0x0000007a
Parameter 1 : fffff6fc`400579a8
Parameter 2 : ffffffff`c0000185
Parameter 3 : 00000000`24605be0
Parameter 4 : fffff880`0af35000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17803 (win7sp1_gdr.120330-1504)
Processor : x64
Crash Address : ntoskrnl.exe+7f1c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\windows\Minidump\051312-32027-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 283,304
==================================================

==================================================
Dump File : 051312-25100-01.dmp
Crash Time : 5/13/2012 1:54:10 AM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 00000000`00000000
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000000
Parameter 4 : fffff800`0348e925
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17803 (win7sp1_gdr.120330-1504)
Processor : x64
Crash Address : ntoskrnl.exe+7f1c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\windows\Minidump\051312-25100-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 275,592
==================================================

==================================================
Dump File : 051212-18423-01.dmp
Crash Time : 5/12/2012 10:47:18 PM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 00000000`00000000
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000000
Parameter 4 : fffff800`0349b3d9
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17803 (win7sp1_gdr.120330-1504)
Processor : x64
Crash Address : ntoskrnl.exe+7f1c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\windows\Minidump\051212-18423-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 275,592
==================================================

==================================================
Dump File : 051212-19515-01.dmp
Crash Time : 5/12/2012 9:36:56 PM
Bug Check String : DRIVER_CORRUPTED_EXPOOL
Bug Check Code : 0x000000c5
Parameter 1 : 00000000`00000008
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000001
Parameter 4 : fffff800`035c1617
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17803 (win7sp1_gdr.120330-1504)
Processor : x64
Crash Address : ntoskrnl.exe+7f1c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\windows\Minidump\051212-19515-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 275,592
==================================================

==================================================
Dump File : 051212-15896-01.dmp
Crash Time : 5/12/2012 2:35:15 PM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 00000000`00000000
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000000
Parameter 4 : fffff800`034eb3d9
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17803 (win7sp1_gdr.120330-1504)
Processor : x64
Crash Address : ntoskrnl.exe+7f1c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\windows\Minidump\051212-15896-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 275,592
==================================================

==================================================
Dump File : 051212-18548-01.dmp
Crash Time : 5/12/2012 1:25:07 PM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 00000000`00000000
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000000
Parameter 4 : fffff800`02ca13d9
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17803 (win7sp1_gdr.120330-1504)
Processor : x64
Crash Address : ntoskrnl.exe+7f1c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\windows\Minidump\051212-18548-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 275,592
==================================================

==================================================
Dump File : 051212-15303-01.dmp
Crash Time : 5/12/2012 8:34:14 AM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 00000000`00000000
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000000
Parameter 4 : fffff800`02cf23d9
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17803 (win7sp1_gdr.120330-1504)
Processor : x64
Crash Address : ntoskrnl.exe+7f1c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\windows\Minidump\051212-15303-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 275,592
==================================================

==================================================
Dump File : 051212-14804-01.dmp
Crash Time : 5/12/2012 8:20:06 AM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 00000000`00000000
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000000
Parameter 4 : fffff800`02cf03d9
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17803 (win7sp1_gdr.120330-1504)
Processor : x64
Crash Address : ntoskrnl.exe+7f1c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\windows\Minidump\051212-14804-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 275,592
==================================================

==================================================
Dump File : 051212-14352-01.dmp
Crash Time : 5/12/2012 8:12:05 AM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 00000000`00000000
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000000
Parameter 4 : fffff800`02c903d9
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17803 (win7sp1_gdr.120330-1504)
Processor : x64
Crash Address : ntoskrnl.exe+7f1c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\windows\Minidump\051212-14352-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 275,592
==================================================

==================================================
Dump File : 051212-16286-01.dmp
Crash Time : 5/12/2012 5:42:21 AM
Bug Check String : SYSTEM_SERVICE_EXCEPTION
Bug Check Code : 0x0000003b
Parameter 1 : 00000000`c0000005
Parameter 2 : fffff800`02cf1d66
Parameter 3 : fffff880`08708ed0
Parameter 4 : 00000000`00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17803 (win7sp1_gdr.120330-1504)
Processor : x64
Crash Address : ntoskrnl.exe+7f1c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\windows\Minidump\051212-16286-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 275,592
==================================================

==================================================
Dump File : 051212-20248-01.dmp
Crash Time : 5/12/2012 4:48:15 AM
Bug Check String : SYSTEM_SERVICE_EXCEPTION
Bug Check Code : 0x0000003b
Parameter 1 : 00000000`c0000005
Parameter 2 : fffff800`02cd4d66
Parameter 3 : fffff880`09642ed0
Parameter 4 : 00000000`00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17803 (win7sp1_gdr.120330-1504)
Processor : x64
Crash Address : ntoskrnl.exe+7f1c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\windows\Minidump\051212-20248-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 275,592
==================================================

==================================================
Dump File : 051212-30716-01.dmp
Crash Time : 5/12/2012 4:23:04 AM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 00000000`00000000
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000000
Parameter 4 : fffff800`02ccb415
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7cc80
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17803 (win7sp1_gdr.120330-1504)
Processor : x64
Crash Address : ntoskrnl.exe+7cc80
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\windows\Minidump\051212-30716-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 275,592
==================================================

==================================================
Dump File : 051212-24102-01.dmp
Crash Time : 5/12/2012 3:35:27 AM
Bug Check String : SYSTEM_SERVICE_EXCEPTION
Bug Check Code : 0x0000003b
Parameter 1 : 00000000`c0000005
Parameter 2 : fffff800`02c92866
Parameter 3 : fffff880`095a4ed0
Parameter 4 : 00000000`00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7cc80
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17803 (win7sp1_gdr.120330-1504)
Processor : x64
Crash Address : ntoskrnl.exe+7cc80
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\windows\Minidump\051212-24102-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 275,592
==================================================
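The BlueScreenView export above is a plain "Field : value" listing, so it can be parsed and summarized instead of read record by record. The following script is an added example, not code from this thread or from NirSoft: it splits an export into records, counts the bug check strings, decodes the four parameters for the bug checks that appear in the post (0xA, 0xC5, 0x7A and 0x3B, following Microsoft's bug check reference), and flags when every record blames ntoskrnl.exe. The embedded sample is a constructed three-record subset of the export above; the NTSTATUS names are from ntstatus.h.

```python
"""Summarize a BlueScreenView text export (File > Save Selected Items).

Added example, not part of the original thread. It assumes the
"Field : value" layout shown above, with 64-bit hex parameters split by a
backtick ("00000000`00000002") and records delimited by lines of '='.
"""
from collections import Counter

# Constructed sample: three records copied from the post, trimmed to the
# fields this script uses.
SAMPLE_REPORT = """\
==================================================
Dump File : 052012-36644-01.dmp
Crash Time : 5/20/2012 12:17:46 AM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 00000000`00000000
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000000
Parameter 4 : fffff800`0348b3d9
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
==================================================

==================================================
Dump File : 051912-28438-01.dmp
Crash Time : 5/19/2012 9:07:53 AM
Bug Check String : KERNEL_DATA_INPAGE_ERROR
Bug Check Code : 0x0000007a
Parameter 1 : fffff6fc`4001c850
Parameter 2 : ffffffff`c0000185
Parameter 3 : 00000001`23a5dbe0
Parameter 4 : fffff880`0390a000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
==================================================

==================================================
Dump File : 051212-19515-01.dmp
Crash Time : 5/12/2012 9:36:56 PM
Bug Check String : DRIVER_CORRUPTED_EXPOOL
Bug Check Code : 0x000000c5
Parameter 1 : 00000000`00000008
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000001
Parameter 4 : fffff800`035c1617
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
==================================================
"""

# NTSTATUS codes that occur in the post's records (values from ntstatus.h).
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000185: "STATUS_IO_DEVICE_ERROR",
}


def parse_report(text):
    """Split the export into records, each a dict of field -> value."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("====="):       # record delimiter
            if current:
                records.append(current)
                current = {}
            continue
        if " : " in line:                  # "Field : value" (empty values are skipped)
            key, _, value = line.partition(" : ")
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def param(rec, n):
    """Parameter n as an int; drop the backtick BlueScreenView puts mid-value."""
    return int(rec[f"Parameter {n}"].replace("`", ""), 16)


def decode(rec):
    """Give the four parameters their documented meaning for the codes seen above."""
    code = int(rec["Bug Check Code"], 16)
    p1, p2, p3, p4 = (param(rec, i) for i in range(1, 5))
    if code in (0x0A, 0xC5):   # IRQL_NOT_LESS_OR_EQUAL, DRIVER_CORRUPTED_EXPOOL
        return {"referenced": p1, "irql": p2,
                "access": "write" if p3 else "read", "faulting_address": p4}
    if code == 0x7A:           # KERNEL_DATA_INPAGE_ERROR: p2 is the I/O status
        status = p2 & 0xFFFFFFFF
        return {"status": status, "status_name": NTSTATUS_NAMES.get(status, "unknown"),
                "unreadable_address": p4}
    if code == 0x3B:           # SYSTEM_SERVICE_EXCEPTION: p1 exception code, p2 address
        return {"exception_code": p1 & 0xFFFFFFFF,
                "exception_name": NTSTATUS_NAMES.get(p1 & 0xFFFFFFFF, "unknown"),
                "instruction": p2}
    return {}


def summarize(text):
    """Count bug checks and note whether the export attributes any crash to a driver."""
    recs = parse_report(text)
    drivers = Counter(r["Caused By Driver"] for r in recs)
    return {
        "crashes": len(recs),
        "by_code": dict(Counter(r["Bug Check String"] for r in recs)),
        "drivers": dict(drivers),
        # Only the kernel image named: the export has not identified a
        # third-party module, so the minidumps themselves are needed.
        "only_kernel_blamed": set(drivers) == {"ntoskrnl.exe"},
        "decoded": {r["Dump File"]: decode(r) for r in recs},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against the full export above, `only_kernel_blamed` is also true: every record names ntoskrnl.exe, which is why the next post asks for the minidump files rather than more BlueScreenView output.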

#14 Aaflac
Malware Response Team

Posted 20 May 2012 - 11:10 AM

Let's see what these show...

Please zip up the minidumps and attach the resultant zip file to your reply:
  • Navigate to C:\Windows\Minidump <<< folder
  • Click on the first minidump file to select it.
  • Hold down the <Shift> key, and click on the last minidump file to select all of the files.
  • Release the <Shift> key.
  • Now, right-click on any one of the selected files > Send to ... > Compressed (zipped) Folder.
    The zip file will be located in the same place (the Minidump folder).
  • Attach the zip file to your next reply.
    When you click on Add Reply, you will see the facility to attach a file just below the box where you type your message.

Edited by Aaflac, 20 May 2012 - 11:12 AM.

Old duck...


#15 Aaflac
Malware Response Team

Posted 20 May 2012 - 11:23 AM

While the attached info is analyzed, please download the latest version of: TDSSKiller.exe
Save to the Desktop.

Execute the downloaded file:
Windows Seven: Right-click the file and select 'Run as Administrator'

In the TDSSKiller Scan prompt, click on: Change parameters
Check the box beside: Detect TDLFS file system
Click: OK

Press the button: Start Scan

The tool scans and detects two object types:
Malicious (where the malware has been identified)
Suspicious (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

Do not delete or Cure any entry, just select Skip.
The tool applies the selected action.

By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_20.05.2012_15.31.43_log.txt

Please post the TDSSKiller log in your reply.


Also, see if you can run this program...

Please download: aswMBR
Save it to the Desktop.

Windows Seven: Right-click the file and select 'Run as Administrator'

When prompted with: This Application can use the Avast! Free AntiVirus for scanning...etc.
Select: Yes

The last line of the run in progress will provide the status of the Avast! scan.
It will say: Downloading Avast! virus definitions database, etc.
When the Avast! scan is done, the last line changes to: Avast Engine definitions #####

At this point, click the Scan button on the lower left of the aswMBR screen.
The last line will now say "Scanning" while in progress.

Upon completion of the scan, click >Save log< and save it to the Desktop.
Note: Please do NOT attempt to fix anything!!

Exit the program.

Please post the new aswMBR log in your reply.


Note that a file named MBR.dat is also created on the Desktop.

Keep the file on the Desktop, and do not remove.
This is important, just in case we need to access the MBR information!!

However, please submit MBR.dat for analysis to VirusTotal:
http://www.virustotal.com/

When you get to the website, use the Browse button to navigate to the location of MBR.dat
Click on the file, then, click the Open button.
The file is now displayed in the Submit Box.

Scroll down and click Send File, and wait for the results.

If you get a message saying: 'File has already been analyzed', click: 'Reanalyze file now'

Once scanned, and you see the full results page on your screen, go up to the address bar at the top of the browser, and copy the http:// etc. address there.

Then, provide the http:// address to the results page in your reply.

Old duck...

