SMART HDD Data Recovery Virus Issues - Fix Not working so far


This topic is locked
26 replies to this topic

#1 notapcgenius

  • Members
  • 20 posts

Posted 26 June 2012 - 04:07 PM

My Previous Post Topic Link

This is in response to my first post - I have the dds log as requested, but no gmer log since I am running 64 bit vista.
Attached File: dds.txt (18.56KB, 6 downloads)

Per my previous post above, I had renamed the 'virus' files to keep tabs on them each time it ran/made another entry - to my knowledge they are 122, 123, 133 and there could possibly be a 4th one I missed (since I am seeing the long combo of letters/numbers) in the log. The virus struck Fri 6/22 sometime mid morning.

I haven't done any of the other suggested fixes found around the net - as mentioned in my first posting. I only tried the one at bc and couldn't get it to fix this for whatever reason this time around. Also, I do have a paid-for, licensed program called data recovery wizard by easeus, which I may have 'mistakenly' renamed as one of the affected files - seeing 'data recovery'.

I will check back for more information and appreciate any help ~ Thanks so much!


#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 26 June 2012 - 04:30 PM

Hello notapcgenius,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.



2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 notapcgenius
  • Topic Starter

  • Members
  • 20 posts

Posted 27 June 2012 - 04:14 PM

Hello Fireman4it - thank you for your assistance. I do have a few questions before continuing - I had read all the warnings about combofix when I first joined the site, so I'm left wondering - IF I follow your directions exactly, will combofix run the risk of losing any of my files, clearing my system, etc? I can't backup everything I'd like to, since I can't get into all of my folders or connect to the internet. (I have a deployed family member and would be devastated if I had to reinstall/format and lose messages, etc.)

Am I supposed to be in safe mode w/ networking still (even when I don't have internet access)? Or do I reboot in 'normal' mode?

Also, I am unsure how I can disable my av - if it is even running - I have no icons in the task tray and I cannot open the av folder to manually force the program open, as it will tell me 'access is denied' anytime I try to open certain folders.

As stated earlier I do NOT have internet access on the 'infected' computer - just using another one to download/transfer things back and forth. How will I be able to get the windows recovery console to install, when it says you must have an active internet connection?

Lastly, I tried the tdsskiller again and there are 2 issues - if I save it to a USB and then transfer to my desktop I get two error messages when attempting to run the program - "cannot initialize log" and "cannot load driver" - but the program runs, does the scan, but doesn't create a log. This same thing happened EVEN when I tried renaming the program.

If I run it from the usb, it doesn't give the error messages, it DOES create the log, and scans 5 more items - either way it doesn't find anything. I am pasting the tdss log from the usb and hope you can tell me if that is sufficient or not.

Once I hear back, I will proceed as directed with whatever else you advise. Sorry to be paranoid about losing my stuff - I know this just holds up the repair issue by asking questions. I certainly didn't have any trouble removing the 1st version of this virus in the past...so this one has me stressing.

Attached Files


Edited by notapcgenius, 28 June 2012 - 09:13 AM.


#4 notapcgenius
  • Topic Starter

  • Members
  • 20 posts

Posted 29 June 2012 - 11:16 AM

Here is the aswmbr log too - as requested in a different post.

Again, when saving the program to the desktop as opposed to running it from the usb drive it's saved on, the program doesn't run a proper scan.

Sorry I'm not sure where I'm supposed to go from here or what I'm supposed to do to get you the proper logs you need. I'm also attaching the file below from the desktop attempt - labeled aswmbr1

Attached Files


Edited by notapcgenius, 29 June 2012 - 11:36 AM.


#5 notapcgenius
  • Topic Starter

  • Members
  • 20 posts

Posted 29 June 2012 - 11:37 AM

Here is the desktop save attempt of the log.

Attached Files



#6 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 29 June 2012 - 03:03 PM

Hello Fireman4it - thank you for your assistance. I do have a few questions before continuing - I had read all the warnings about combofix when I first joined the site, so I'm left wondering - IF I follow your directions exactly, will combofix run the risk of losing any of my files, clearing my system, etc? I can't backup everything I'd like to, since I can't get into all of my folders or connect to the internet. (I have a deployed family member and would be devastated if I had to reinstall/format and lose messages, etc.)


When fighting any malware, especially malware today, there is a chance your machine may become unbootable. Combofix is a multiple tool that checks for many infections.


Am I supposed to be in safe mode w/ networking still (even when I don't have internet access)? Or do I reboot in 'normal' mode?

Yes please use Safemode with networking.

Am I supposed to be in safe mode w/ networking still (even when I don't have internet access)? Or do I reboot in 'normal' mode?


Just ignore any warnings and run Combofix.



#7 notapcgenius
  • Topic Starter

  • Members
  • 20 posts

Posted 30 June 2012 - 04:17 AM

Hello fireman4it,
When I transfer combofix to my desktop and try to run it, I'm getting an error message that says "error writing temporary file. make sure your temp folder is valid". Can I try and run combofix from the usb instead or will this not serve any purpose?

It doesn't seem as though I'm having any luck using an automatic removal tool for this. I've seen the instructions at bc for manual removal & know that I do have the registry values mentioned, but access is denied to my 'documents and settings' folder so I can't even view the files in there. Would it be helpful to remove the known registry files & delete the obvious data_recovery files I do have access to, or will this still not solve anything?

As for "how is my system running?" - well it's the same as it's always been - it boots just fine & the desktop looks normal (since I unhid/redid my background for now). I don't get any error messages for the data_recovery program (it doesn't actually launch itself - ie no pop ups of the recovery console to 'scan now', no hard drive failing error messages, etc). It did create a quick launch icon a few days ago - a day or so after the infection, not immediately. The main issues I'm having with the system are the access denied folders, security programs not opening and no internet access. I haven't bothered redoing the start menu files, as I know that's rather pointless until the data_recovery virus is removed. Is there any way to at least repair the internet connection so I can try to download things directly to my desktop?

I'll await further direction before attempting anything and Thank you again for your assistance.

Edited by notapcgenius, 30 June 2012 - 04:21 AM.


#8 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 09 July 2012 - 03:18 PM

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

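Once FRST.txt comes back, the helper reads the Run entries and the newly created files for what does not belong. As an added example that is not part of this thread or of FRST itself, the Python below parses those two FRST sections and flags the same things a helper looks for by eye: an autorun whose target file is missing ([x]), an executable with no publisher sitting in a user-writable folder, and a random-looking file name. The sample lines are copied from the log posted later in the thread; the heuristics are my own assumptions, not FRST's.

```python
import re

# Constructed sample: Run and file lines in the format FRST writes, taken from
# the log posted in this thread.
SAMPLE_LOG = r"""
========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1220392 2008-01-18] (Synaptics, Inc.)
HKLM\...\Run: [DLCJCATS] rundll32 C:\Windows\system32\spool\DRIVERS\x64\3\DLCJtime.dll,RunDLLEntry [28672 2006-10-20] ()
HKLM-x32\...\Run: [hkpLyQOvOGk.exe] C:\ProgramData\hkpLyQOvOGk.exe [x]
HKU\Mary Ann\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [13351304 2010-09-02] (Skype Technologies S.A.)

============ One Month Created Files and Folders ==============

2012-07-09 17:40 - 2012-07-09 17:40 - 00000000 ____D C:\FRST
2012-06-24 18:41 - 2012-06-24 18:41 - 00253688 ____A C:\Users\All Users\6onUTiZu7Y3OC0.exe
2012-06-24 18:41 - 2012-06-22 08:44 - 00345336 ____A C:\Users\All Users\133.exe
2012-06-22 13:46 - 2012-06-22 13:36 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\hello\Desktop\12345.com.exe
2012-06-21 10:40 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
"""

# Tail of a Run entry: "<cmd> [<size> <date>] (<publisher>)" or "<cmd> [x]" (target missing).
RUN_TAIL_RE = re.compile(
    r'^(?P<cmd>.*?) \[(?:(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})|(?P<missing>x))\]'
    r'(?: \((?P<pub>[^)]*)\))?\s*$')
# File-section line: "<created> - <modified> - <size> <attrs> [(<publisher>) ]<path>".
FILE_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - '
    r'(?P<size>\d+) (?P<attr>\S+) (?:\((?P<pub>[^)]*)\) )?(?P<path>.+?)\s*$')
# First executable path in an unquoted command line (drive- or %VAR%-rooted).
EXE_RE = re.compile(r'(?:[A-Za-z]:|%\w+%)\\.*?\.(?:exe|dll|com|bat|scr)(?=[\s,]|$)', re.I)
EXEC_EXTS = ('.exe', '.dll', '.com', '.bat', '.scr', '.sys')
# Path fragments (lower-cased) a limited user can write to without elevation.
USER_WRITABLE = ('\\programdata\\', '\\users\\', '\\appdata\\', '\\all users\\', '\\temp\\')


def parse_run_entry(line):
    """Parse one FRST Run/RunOnce line into a dict; None if the line is not one."""
    hive, sep, rest = line.partition('\\...\\')
    if not sep or not rest.startswith('Run'):
        return None
    key, _, rest = rest.partition(': ')
    name, _, tail = rest[1:].partition('] ')
    m = RUN_TAIL_RE.match(tail)
    if not rest.startswith('[') or not m:
        return None
    cmd = m.group('cmd')
    if cmd.startswith('"'):                      # quoted path, arguments follow
        path = cmd[1:].split('"', 1)[0]
    else:                                        # bare path, possibly via rundll32
        hit = EXE_RE.search(cmd)
        path = hit.group(0) if hit else cmd
    return {'hive': hive, 'key': key, 'name': name, 'path': path,
            'publisher': (m.group('pub') or '').strip() or None,
            'missing': m.group('missing') is not None}


def parse_file_entry(line):
    """Parse one 'One Month Created Files and Folders' line; None otherwise."""
    m = FILE_RE.match(line)
    if not m:
        return None
    return {'path': m.group('path'), 'is_dir': 'D' in m.group('attr'),
            'publisher': (m.group('pub') or '').strip() or None}


def random_looking(path):
    """Long basename mixing letters and digits, like 6onUTiZu7Y3OC0.exe above."""
    stem = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    return (len(stem) >= 10 and ' ' not in stem
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))


def reasons_for(path, publisher, missing):
    """Apply the three heuristics; an empty list means nothing stood out."""
    reasons = []
    if missing:
        reasons.append('autorun target is missing ([x])')
    if publisher is None and any(frag in path.lower() for frag in USER_WRITABLE):
        reasons.append('no publisher and lives in a user-writable location')
    if random_looking(path):
        reasons.append('random-looking file name')
    return reasons


def triage(log_text):
    """Return (section, path, reasons) for every entry that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        run = parse_run_entry(line.strip())
        if run:
            r = reasons_for(run['path'], run['publisher'], run['missing'])
            if r:
                findings.append(('autorun', run['path'], r))
            continue
        entry = parse_file_entry(line.strip())
        if entry and not entry['is_dir'] and entry['path'].lower().endswith(EXEC_EXTS):
            r = reasons_for(entry['path'], entry['publisher'], False)
            if r:
                findings.append(('new file', entry['path'], r))
    return findings
```

On the sample, the Synaptics, printer-driver and Skype autoruns and the Microsoft and Malwarebytes files pass clean; the three entries the thread's helper would query (the orphaned ProgramData autorun and the two unnamed executables under All Users) are the ones returned.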


#9 notapcgenius
  • Topic Starter

  • Members
  • 20 posts

Posted 09 July 2012 - 07:00 PM

Thank you for getting back with me - ran with no problems - here is the FRST Log.

Scan result of Farbar Recovery Scan Tool Version: 09-07-2012
Ran by SYSTEM at 09-07-2012 17:41:06
Running from F:\
Windows Vista ™ Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1220392 2008-01-18] (Synaptics, Inc.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [450048 2009-07-21] (IDT, Inc.)
HKLM\...\Run: [DLCJCATS] rundll32 C:\Windows\system32\spool\DRIVERS\x64\3\DLCJtime.dll,RunDLLEntry [28672 2006-10-20] ()
HKLM\...\Run: [Corel Photo Downloader] "C:\Program Files (x86)\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup [532808 2008-08-18] (Corel, Inc.)
HKLM-x32\...\Run: [Corel Photo Downloader] "C:\Program Files (x86)\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup [532808 2008-08-18] (Corel, Inc.)
HKLM-x32\...\Run: [Corel File Shell Monitor] C:\Program Files (x86)\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe [16712 2008-08-18] ()
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime [417792 2009-09-22] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2010-06-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
HKLM-x32\...\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start [323640 2009-11-24] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1675160 2012-03-21] (McAfee, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [hkpLyQOvOGk.exe] C:\ProgramData\hkpLyQOvOGk.exe [x]
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [972080 2008-09-30] (Hewlett-Packard)
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [972080 2008-09-30] (Hewlett-Packard)
HKU\hello\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [972080 2008-09-30] (Hewlett-Packard)
HKU\hello\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2008-06-09] (Hewlett-Packard Company)
HKU\Mary Ann\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\Mary Ann\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [13351304 2010-09-02] (Skype Technologies S.A.)
HKU\Mary Ann\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [5252408 2010-06-01] (Yahoo! Inc.)
HKU\Mary Ann\...\Run: [ICQ] "C:\Program Files (x86)\ICQ7.1\ICQ.exe" silent loginmode=4 [133432 2011-01-05] (ICQ, LLC.)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent [462408 2012-04-04] (Malwarebytes Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.3.25

==================== Services (Whitelisted) ======

2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_58be29c0\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
2 dlcj_device; C:\Windows\system32\dlcjcoms.exe -service [566152 2006-11-17] ( )
3 GameConsoleService; "C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe" [165416 2008-05-05] (WildTangent, Inc.)
2 ICQ Service; C:\Program Files (x86)\ICQ6Toolbar\ICQ Service.exe [246520 2010-01-03] ()
2 iWinTrusted; C:\Program Files (x86)\iWin Games\iWinTrusted.exe [176848 2011-04-08] (iWin Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
3 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [502032 2012-03-22] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [199272 2012-03-20] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [210584 2012-03-20] (McAfee, Inc.)
2 mfevtp; "C:\Windows\system32\mfevtps.exe" [162192 2012-03-20] (McAfee, Inc.)
2 Recovery Service for Windows; C:\Program Files (x86)\SMINST\BLService.exe [365904 2008-09-23] ()
2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [241734 2008-06-29] ()
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_58be29c0\STacSV64.exe [240128 2009-07-21] (IDT, Inc.)
2 TVCapSvc; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe" [296320 2008-09-24] ()
2 TVSched; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe" [116096 2008-09-24] ()

========================== Drivers (Whitelisted) =============

3 cfwids; C:\Windows\System32\Drivers\cfwids.sys [65264 2012-02-22] (McAfee, Inc.)
3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [160792 2012-02-22] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [229528 2012-02-22] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\Drivers\mfefirek.sys [487296 2012-02-22] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [647208 2012-02-22] (McAfee, Inc.)
1 mfenlfk; C:\Windows\System32\Drivers\mfenlfk.sys [75936 2012-02-22] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [100912 2012-02-22] (McAfee, Inc.)
1 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [289664 2012-02-22] (McAfee, Inc.)
2 {55662437-DA8C-40c0-AADA-2C816A897A49}; \??\C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [27632 2008-09-26] (Cyberlink Corp.)
4 eabfiltr; [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-09 17:40 - 2012-07-09 17:40 - 00000000 ____D C:\FRST
2012-07-09 10:09 - 2012-07-09 10:09 - 00000948 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-09 10:09 - 2012-07-09 10:09 - 00000948 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-08 19:05 - 2012-07-08 19:07 - 00000000 ____D C:\Users\Mary Ann\Desktop\ARMY
2012-07-08 19:05 - 2012-07-08 19:05 - 00000000 ____D C:\Users\Mary Ann\Desktop\Tax Records
2012-07-08 18:20 - 2012-07-08 18:23 - 00000370 ____A C:\rkill.log
2012-06-30 00:23 - 2012-06-03 21:35 - 56731752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MRT.exe
2012-06-29 09:16 - 2012-07-09 07:48 - 00000000 ___AH C:\Users\Mary Ann\BITFDEF.tmp
2012-06-26 12:21 - 2012-06-26 12:21 - 00000000 ____A C:\Users\Mary Ann\defogger_reenable
2012-06-25 03:48 - 2012-06-25 03:48 - 00000000 ____D C:\Program Files (x86)\ESET
2012-06-24 18:41 - 2012-06-24 18:41 - 00253688 ____A C:\Users\All Users\Application Data\6onUTiZu7Y3OC0.exe
2012-06-24 18:41 - 2012-06-24 18:41 - 00253688 ____A C:\Users\All Users\6onUTiZu7Y3OC0.exe
2012-06-24 18:41 - 2012-06-22 08:44 - 00345336 ____A C:\Users\All Users\Application Data\133.exe
2012-06-24 18:41 - 2012-06-22 08:44 - 00345336 ____A C:\Users\All Users\133.exe
2012-06-24 18:38 - 2012-06-24 18:38 - 00000256 ____A C:\Users\All Users\Application Data\122
2012-06-24 18:38 - 2012-06-24 18:38 - 00000256 ____A C:\Users\All Users\122
2012-06-22 19:09 - 2012-06-22 19:09 - 00000000 ____D C:\Windows\ERDNT
2012-06-22 19:08 - 2012-06-22 19:09 - 00000000 ____D C:\Program Files (x86)\ERUNT
2012-06-22 17:34 - 2012-06-22 17:34 - 00000000 ____D C:\Users\Mary Ann\Application Data\TestApp
2012-06-22 17:34 - 2012-06-22 17:34 - 00000000 ____D C:\Users\Mary Ann\AppData\Roaming\TestApp
2012-06-22 16:30 - 2012-06-22 16:30 - 00003594 ____A C:\Users\hello\Desktop\12345.bat.exe - Shortcut.lnk
2012-06-22 16:22 - 2012-06-22 17:21 - 00001356 ____A C:\Windows\PFRO.log
2012-06-22 13:47 - 2012-06-22 13:47 - 00000000 ____D C:\Users\hello\Application Data\Malwarebytes
2012-06-22 13:47 - 2012-06-22 13:47 - 00000000 ____D C:\Users\hello\AppData\Roaming\Malwarebytes
2012-06-22 13:46 - 2012-06-22 13:46 - 00000000 ____D C:\Users\hello\Local Settings\Hewlett-Packard
2012-06-22 13:46 - 2012-06-22 13:46 - 00000000 ____D C:\Users\hello\Local Settings\Application Data\Hewlett-Packard
2012-06-22 13:46 - 2012-06-22 13:46 - 00000000 ____D C:\Users\hello\Application Data\Hewlett-Packard
2012-06-22 13:46 - 2012-06-22 13:46 - 00000000 ____D C:\Users\hello\AppData\Roaming\Hewlett-Packard
2012-06-22 13:46 - 2012-06-22 13:46 - 00000000 ____D C:\Users\hello\AppData\Local\Hewlett-Packard
2012-06-22 13:46 - 2012-06-22 13:36 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\hello\Desktop\12345.com.exe
2012-06-22 13:44 - 2012-06-22 13:44 - 00076240 ____A C:\Users\hello\Local Settings\GDIPFONTCACHEV1.DAT
2012-06-22 13:44 - 2012-06-22 13:44 - 00076240 ____A C:\Users\hello\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2012-06-22 13:44 - 2012-06-22 13:44 - 00076240 ____A C:\Users\hello\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____D C:\Users\hello\Application Data\Yahoo!
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____D C:\Users\hello\AppData\Roaming\Yahoo!
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____A C:\Users\hello\Local Settings\QSwitch.txt
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____A C:\Users\hello\Local Settings\DSwitch.txt
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____A C:\Users\hello\Local Settings\AtStart.txt
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____A C:\Users\hello\Local Settings\Application Data\QSwitch.txt
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____A C:\Users\hello\Local Settings\Application Data\DSwitch.txt
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____A C:\Users\hello\Local Settings\Application Data\AtStart.txt
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____A C:\Users\hello\AppData\Local\QSwitch.txt
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____A C:\Users\hello\AppData\Local\DSwitch.txt
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____A C:\Users\hello\AppData\Local\AtStart.txt
2012-06-22 13:41 - 2012-06-25 03:59 - 00000000 ____D C:\users\hello
2012-06-22 13:41 - 2012-06-22 19:20 - 00524288 __ASH C:\Users\hello\NTUSER.bak
2012-06-22 13:41 - 2012-06-22 13:41 - 00000020 ___SH C:\Users\hello\ntuser.ini
2012-06-22 13:41 - 2009-09-11 01:05 - 00000000 ____D C:\Users\hello\Local Settings\Microsoft Help
2012-06-22 13:41 - 2009-09-11 01:05 - 00000000 ____D C:\Users\hello\Local Settings\Application Data\Microsoft Help
2012-06-22 13:41 - 2009-09-11 01:05 - 00000000 ____D C:\Users\hello\AppData\Local\Microsoft Help
2012-06-22 11:50 - 2012-07-09 09:02 - 00205496 ____A C:\Windows\WindowsUpdate.log
2012-06-22 11:39 - 2012-06-22 11:39 - 00000000 ____D C:\Program Files\CCleaner
2012-06-22 09:37 - 2012-06-22 09:38 - 00000256 ____A C:\Users\All Users\I4l0eut31q3Njv
2012-06-22 09:37 - 2012-06-22 09:38 - 00000256 ____A C:\Users\All Users\Application Data\I4l0eut31q3Njv
2012-06-22 09:36 - 2012-06-22 09:36 - 00253688 ____A C:\Users\All Users\Application Data\122.exe
2012-06-22 09:36 - 2012-06-22 09:36 - 00253688 ____A C:\Users\All Users\122.exe
2012-06-22 08:46 - 2012-06-22 08:44 - 00345336 ____A C:\Users\All Users\Application Data\123.exe
2012-06-22 08:46 - 2012-06-22 08:44 - 00345336 ____A C:\Users\All Users\123.exe
2012-06-21 10:40 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-21 10:40 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-21 10:40 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2012-06-21 10:40 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

============ 3 Months Modified Files ========================

2012-07-09 10:09 - 2012-07-09 10:09 - 00000948 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-09 10:09 - 2012-07-09 10:09 - 00000948 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-09 09:53 - 2006-11-02 04:46 - 00707520 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-09 09:02 - 2012-06-22 11:50 - 00205496 ____A C:\Windows\WindowsUpdate.log
2012-07-09 09:02 - 2008-10-23 16:49 - 00000012 ____A C:\Windows\bthservsdp.dat
2012-07-09 09:02 - 2006-11-02 07:42 - 00032640 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-09 09:02 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-09 09:02 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-09 09:02 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-09 07:48 - 2012-06-29 09:16 - 00000000 ___AH C:\Users\Mary Ann\BITFDEF.tmp
2012-07-09 07:41 - 2009-08-21 04:38 - 00052981 ____A C:\Users\All Users\nvModes.001
2012-07-09 07:41 - 2009-08-21 04:38 - 00052981 ____A C:\Users\All Users\Application Data\nvModes.001
2012-07-09 07:41 - 2009-08-21 04:36 - 00052981 ____A C:\Users\All Users\nvModes.dat
2012-07-09 07:41 - 2009-08-21 04:36 - 00052981 ____A C:\Users\All Users\Application Data\nvModes.dat
2012-07-08 20:13 - 2009-09-17 10:33 - 00059904 ____A C:\Users\Mary Ann\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-08 20:13 - 2009-09-17 10:33 - 00059904 ____A C:\Users\Mary Ann\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-08 20:13 - 2009-09-17 10:33 - 00059904 ____A C:\Users\Mary Ann\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-08 18:23 - 2012-07-08 18:20 - 00000370 ____A C:\rkill.log
2012-07-08 16:40 - 2012-05-25 09:21 - 00000346 ____A C:\Windows\Tasks\HPCeeScheduleForMary Ann.job
2012-06-29 09:15 - 2009-08-14 09:15 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2012-06-26 12:21 - 2012-06-26 12:21 - 00000000 ____A C:\Users\Mary Ann\defogger_reenable
2012-06-24 18:41 - 2012-06-24 18:41 - 00253688 ____A C:\Users\All Users\Application Data\6onUTiZu7Y3OC0.exe
2012-06-24 18:41 - 2012-06-24 18:41 - 00253688 ____A C:\Users\All Users\6onUTiZu7Y3OC0.exe
2012-06-24 18:38 - 2012-06-24 18:38 - 00000256 ____A C:\Users\All Users\Application Data\122
2012-06-24 18:38 - 2012-06-24 18:38 - 00000256 ____A C:\Users\All Users\122
2012-06-22 19:20 - 2012-06-22 13:41 - 00524288 __ASH C:\Users\hello\NTUSER.bak
2012-06-22 19:20 - 2009-06-27 14:20 - 03145728 __ASH C:\Users\Mary Ann\ntuser.bak
2012-06-22 19:20 - 2006-11-02 04:33 - 74711040 ____A C:\Windows\System32\config\SOFTWARE.bak
2012-06-22 19:20 - 2006-11-02 04:33 - 50855936 ____A C:\Windows\System32\config\SYSTEM.bak
2012-06-22 19:20 - 2006-11-02 04:33 - 47710208 ____A C:\Windows\System32\config\COMPONENTS.bak
2012-06-22 19:20 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\SECURITY.bak
2012-06-22 19:20 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\SAM.bak
2012-06-22 19:20 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\DEFAULT.bak
2012-06-22 17:54 - 2012-03-26 17:11 - 00000732 ____A C:\Users\Mary Ann\Local Settings\d3d9caps64.dat
2012-06-22 17:54 - 2012-03-26 17:11 - 00000732 ____A C:\Users\Mary Ann\Local Settings\Application Data\d3d9caps64.dat
2012-06-22 17:54 - 2012-03-26 17:11 - 00000732 ____A C:\Users\Mary Ann\AppData\Local\d3d9caps64.dat
2012-06-22 17:21 - 2012-06-22 16:22 - 00001356 ____A C:\Windows\PFRO.log
2012-06-22 16:30 - 2012-06-22 16:30 - 00003594 ____A C:\Users\hello\Desktop\12345.bat.exe - Shortcut.lnk
2012-06-22 13:44 - 2012-06-22 13:44 - 00076240 ____A C:\Users\hello\Local Settings\GDIPFONTCACHEV1.DAT
2012-06-22 13:44 - 2012-06-22 13:44 - 00076240 ____A C:\Users\hello\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2012-06-22 13:44 - 2012-06-22 13:44 - 00076240 ____A C:\Users\hello\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____A C:\Users\hello\Local Settings\QSwitch.txt
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____A C:\Users\hello\Local Settings\DSwitch.txt
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____A C:\Users\hello\Local Settings\AtStart.txt
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____A C:\Users\hello\Local Settings\Application Data\QSwitch.txt
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____A C:\Users\hello\Local Settings\Application Data\DSwitch.txt
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____A C:\Users\hello\Local Settings\Application Data\AtStart.txt
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____A C:\Users\hello\AppData\Local\QSwitch.txt
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____A C:\Users\hello\AppData\Local\DSwitch.txt
2012-06-22 13:43 - 2012-06-22 13:43 - 00000000 ____A C:\Users\hello\AppData\Local\AtStart.txt
2012-06-22 13:41 - 2012-06-22 13:41 - 00000020 ___SH C:\Users\hello\ntuser.ini
2012-06-22 13:36 - 2012-06-22 13:46 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\hello\Desktop\12345.com.exe
2012-06-22 11:48 - 2006-11-02 07:21 - 00316256 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-22 09:38 - 2012-06-22 09:37 - 00000256 ____A C:\Users\All Users\I4l0eut31q3Njv
2012-06-22 09:38 - 2012-06-22 09:37 - 00000256 ____A C:\Users\All Users\Application Data\I4l0eut31q3Njv
2012-06-22 09:36 - 2012-06-22 09:36 - 00253688 ____A C:\Users\All Users\Application Data\122.exe
2012-06-22 09:36 - 2012-06-22 09:36 - 00253688 ____A C:\Users\All Users\122.exe
2012-06-22 08:44 - 2012-06-24 18:41 - 00345336 ____A C:\Users\All Users\Application Data\133.exe
2012-06-22 08:44 - 2012-06-24 18:41 - 00345336 ____A C:\Users\All Users\133.exe
2012-06-22 08:44 - 2012-06-22 08:46 - 00345336 ____A C:\Users\All Users\Application Data\123.exe
2012-06-22 08:44 - 2012-06-22 08:46 - 00345336 ____A C:\Users\All Users\123.exe
2012-06-08 17:16 - 2009-08-18 06:05 - 00000952 __ASH C:\Windows\SysWOW64\KGyGaAvL.sys
2012-06-03 21:35 - 2012-06-30 00:23 - 56731752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MRT.exe
2012-06-03 21:28 - 2006-11-02 04:35 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 12%
Total physical RAM: 6110.02 MB
Available physical RAM: 5344.93 MB
Total Pagefile: 5722.97 MB
Available Pagefile: 5324.81 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:451.78 GB) (Free:202.57 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:13.98 GB) (Free:2.13 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: () (Removable) (Total:7.47 GB) (Free:6.83 GB) FAT32
5 Drive g: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 466 GB 1024 KB
Disk 1 Online 7658 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 452 GB 32 KB
Partition 2 Primary 14 GB 452 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 452 GB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D RECOVERY NTFS Partition 14 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7656 MB 22 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F FAT32 Removable 7656 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-09 09:21

======================= End Of Log ==========================

#10 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:16 PM

Posted 09 July 2012 - 07:43 PM

1.
Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt.

HKLM-x32\...\Run: [hkpLyQOvOGk.exe] C:\ProgramData\hkpLyQOvOGk.exe [x]
C:\ProgramData\hkpLyQOvOGk.exe
C:\Users\All Users\Application Data\6onUTiZu7Y3OC0.exe
C:\Users\All Users\6onUTiZu7Y3OC0.exe
C:\Users\All Users\I4l0eut31q3Njv
C:\Users\All Users\Application Data\I4l0eut31q3Njv

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.


2.

Please download Listparts64
Run the tool, click Scan and post the log (Result.txt) it makes.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Edited by fireman4it, 09 July 2012 - 07:49 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!
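The entries the fixlist above removes share a pattern in the FRST log earlier in the thread: publisher-less files dropped straight into the ProgramData root (shown by FRST under both `C:\Users\All Users\` and `...\Application Data\`) with random-looking names such as 6onUTiZu7Y3OC0.exe and I4l0eut31q3Njv, or the bare numeric names the user gave them, all stamped within a couple of days of the reported Friday 6/22 infection. As an added example, not code from the thread or from FRST, the Python below parses that line format and flags such entries so a reviewer can check them by hand; the sample lines are copied from the log above, while the prefix set, the 3-day window, the 10:00 infection hour and the name heuristic are assumptions of this example.

```python
"""Triage helper for FRST "Modified Files" log lines. Added example, not part
of the thread or of FRST: flags publisher-less files sitting directly in the
ProgramData root with random-looking or bare numeric names stamped near the
reported infection date."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# FRST line: "<stamp> - <stamp> - <size> <attrs> [(<publisher>)] <path>".
# In a "Modified Files" section the first stamp is the modification time and
# the second the creation time (read from the ordering FRST shows above).
LINE_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<publisher>[^)]*)\) )?"
    r"(?P<path>\S.*)$"
)
# ProgramData root plus the "All Users" junction aliases Vista shows for it
# (assumed set; longest prefix first so the leaf test below is exact).
PROGRAMDATA_PREFIXES = (
    "c:\\users\\all users\\application data\\",
    "c:\\users\\all users\\",
    "c:\\programdata\\",
)
STAMP = "%Y-%m-%d %H:%M"

@dataclass
class Entry:
    modified: datetime
    created: datetime
    size: int
    publisher: Optional[str]  # None when FRST printed no "(Company)"
    path: str

def parse_line(line: str) -> Optional[Entry]:
    """Parse one FRST file line; headers and blank lines return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pub = (m.group("publisher") or "").strip()
    return Entry(datetime.strptime(m.group("ts1"), STAMP),
                 datetime.strptime(m.group("ts2"), STAMP),
                 int(m.group("size")), pub or None, m.group("path").strip())

def programdata_leaf(path: str) -> Optional[str]:
    """File name if the path sits directly in the ProgramData root, else None."""
    low = path.lower()
    for prefix in PROGRAMDATA_PREFIXES:
        if low.startswith(prefix):
            rest = path[len(prefix):]
            return rest if rest and "\\" not in rest else None
    return None

def looks_random(name: str) -> bool:
    """Bare numeric stem (the renamed 122/123/133 files) or a long alphanumeric
    mix of letters and digits (6onUTiZu7Y3OC0, I4l0eut31q3Njv)."""
    stem = name.rsplit(".", 1)[0] if "." in name else name
    if not stem.isalnum():
        return False
    if stem.isdigit():
        return True
    mixed = any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)
    return len(stem) >= 10 and mixed

def triage(lines: List[str], infection: datetime, window_days: int = 3) -> List[str]:
    """Unique paths (log order) of publisher-less, random-named ProgramData-root
    files whose modified or created stamp lies within window_days of infection."""
    window = timedelta(days=window_days)
    hits: List[str] = []
    for line in lines:
        e = parse_line(line)
        if e is None or e.publisher:
            continue
        leaf = programdata_leaf(e.path)
        if leaf is None or not looks_random(leaf):
            continue
        if any(abs(ts - infection) <= window for ts in (e.modified, e.created)):
            if e.path not in hits:
                hits.append(e.path)
    return hits

# Lines copied from the "3 Months Modified Files" section of the log above,
# including benign neighbours that must stay unflagged.
SAMPLE_LOG = """\
2012-07-09 07:41 - 2009-08-21 04:38 - 00052981 ____A C:\\Users\\All Users\\nvModes.001
2012-06-24 18:41 - 2012-06-24 18:41 - 00253688 ____A C:\\Users\\All Users\\Application Data\\6onUTiZu7Y3OC0.exe
2012-06-24 18:38 - 2012-06-24 18:38 - 00000256 ____A C:\\Users\\All Users\\122
2012-06-22 13:36 - 2012-06-22 13:46 - 10063000 ____A (Malwarebytes Corporation ) C:\\Users\\hello\\Desktop\\12345.com.exe
2012-06-22 09:38 - 2012-06-22 09:37 - 00000256 ____A C:\\Users\\All Users\\I4l0eut31q3Njv
2012-06-22 08:44 - 2012-06-24 18:41 - 00345336 ____A C:\\Users\\All Users\\133.exe
2012-06-03 21:35 - 2012-06-30 00:23 - 56731752 ____A (Microsoft Corporation) C:\\Windows\\SysWOW64\\MRT.exe
"""
# "Fri 6/22 sometime mid morning" per the first post; the hour is assumed.
INFECTION = datetime(2012, 6, 22, 10, 0)
```

Calling `triage(SAMPLE_LOG.splitlines(), INFECTION)` returns the four All Users entries and leaves nvModes.001, the Malwarebytes installer and MRT.exe alone; the output is a review list, not a fixlist, since a human still confirms each path before FRST is told to remove it.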


#11 notapcgenius

  • Topic Starter
  • Members
  • 20 posts
  • Local time:12:16 PM

Posted 10 July 2012 - 04:46 PM

The link to listparts64 went back to frst - I assume this was just a copy/paste error, so I went ahead and found a different post at bc with a link to listparts64. Hope that's correct & ok.


Fix Log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 10-07-2012
Ran by SYSTEM at 2012-07-10 15:21:34 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\hkpLyQOvOGk.exe Value deleted successfully.
C:\ProgramData\hkpLyQOvOGk.exe not found.
C:\Users\All Users\Application Data\6onUTiZu7Y3OC0.exe moved successfully.
C:\Users\All Users\6onUTiZu7Y3OC0.exe not found.
C:\Users\All Users\I4l0eut31q3Njv moved successfully.
C:\Users\All Users\Application Data\I4l0eut31q3Njv not found.

==== End of Fixlog ====


Result Log:

ListParts by Farbar Version: 06-07-2012
Ran by SYSTEM (administrator) on 10-07-2012 at 15:24:08
Windows Vista (X64)
Running From: F:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 10%
Total physical RAM: 6110.02 MB
Available physical RAM: 5446.78 MB
Total Pagefile: 5722.97 MB
Available Pagefile: 5431.13 MB
Total Virtual: 8192 MB
Available Virtual: 8191.92 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:451.78 GB) (Free:202.57 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:13.98 GB) (Free:2.13 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: () (Removable) (Total:7.47 GB) (Free:6.83 GB) FAT32
5 Drive g: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 466 GB 1024 KB
Disk 1 Online 7658 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 452 GB 32 KB
Partition 2 Primary 14 GB 452 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 452 GB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D RECOVERY NTFS Partition 14 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7656 MB 22 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F FAT32 Removable 7656 MB Healthy

======================================================================================================

****** End Of Log ******

#12 notapcgenius

  • Topic Starter
  • Members
  • 20 posts
  • Local time:12:16 PM

Posted 11 July 2012 - 02:35 PM

Just a note - Rebooted in normal mode (for now) and the icons/quick launch buttons are gone for data_recovery & access has been restored to all of my folders - so good news there! Unfortunately, I still don't have an internet connection on the affected laptop.

In case you respond while I'm away today - I went ahead and included the FSS log as well - don't know if you need it, but figured no harm in at least posting it. As you can see I have a few issues with registry keys - Not sure how they went missing in the first place.

Farbar Service Scanner Version: 08-07-2012
Ran by Mary Ann (administrator) on 11-07-2012 at 12:40:02
Running from "H:\"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Attempt to access Google.com returned error: Other errors
Yahoo IP is accessible.
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2009-06-27 16:58] - [2009-04-11 00:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7

C:\Windows\System32\drivers\afd.sys
[2012-02-16 11:49] - [2012-01-03 08:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943

C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-05-18 15:52] - [2012-03-30 06:45] - 1423744 ____A (Microsoft Corporation) 46D448E9117464E4D3BBF36D7E3FA48E

C:\Windows\System32\dnsrslvr.dll
[2011-04-12 21:13] - [2011-03-02 10:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0

C:\Windows\System32\mpssvc.dll
[2009-06-27 16:58] - [2009-04-11 00:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C

C:\Windows\System32\bfe.dll
[2009-06-27 16:58] - [2009-04-11 00:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe
[2009-06-27 16:57] - [2009-04-11 00:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1

C:\Windows\System32\wscsvc.dll
[2009-06-27 16:57] - [2009-04-11 00:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A

C:\Windows\System32\wbem\WMIsvc.dll
[2009-06-27 16:57] - [2009-04-11 00:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02

C:\Windows\System32\wuaueng.dll
[2009-11-06 05:08] - [2009-08-06 20:24] - 2424024 ____A (Microsoft Corporation) FB3796754FE00F0BDC87A36F164A5F4D

C:\Windows\System32\qmgr.dll
[2009-06-27 16:58] - [2009-04-11 00:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C

C:\Windows\System32\es.dll
[2009-06-27 16:58] - [2009-04-11 00:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF

C:\Windows\System32\cryptsvc.dll
[2012-06-12 15:00] - [2012-04-23 10:25] - 0174592 ____A (Microsoft Corporation) 62740B9D2A137E8CED41A9E4239A7A31

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-06-27 16:58] - [2009-04-11 00:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF



**** End of log ****

#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:16 PM

Posted 11 July 2012 - 07:36 PM

Hello,

1.
Please download each of these registry fixes to your desktop. Then right-click each one and select Merge to allow them to be merged into your registry.

http://download.bleepingcomputer.com/win-services/vista/BFE.reg

http://download.bleepingcomputer.com/win-services/vista/MpsSvc.reg

http://download.bleepingcomputer.com/win-services/vista/WinDefend.reg


2.
Go to Start > All Programs > Accessories > Command Prompt. Right-click on it and select ‘Run As Administrator’. Type the following and hit Enter: ipconfig /flushdns

You should be able to see a confirmation dialog window:

Windows IP Configuration. Successfully flushed the DNS Resolver Cache.


Please run Farbar Service Scanner again and post its log. Is the Internet connection back?
If not, is it a wireless or direct cable connection?

Edited by fireman4it, 11 July 2012 - 07:46 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#14 notapcgenius

notapcgenius
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:12:16 PM

Posted 11 July 2012 - 09:12 PM

The attempted flush of the DNS cache returned 'could not flush the dns resolver cache: function failed during execution'. I'm using a wireless connection - the same one that I'm using on this laptop to respond.

On the taskbar where the internet connection should show, it just has the 2 tiny computer icons w/ no transmissions - hovering the mouse over this displays 'local connection only, unidentified network (actiontec), no internet'.

Here is the next FSS log
Farbar Service Scanner Version: 08-07-2012
Ran by Mary Ann (administrator) on 11-07-2012 at 19:53:23
Running from "H:\"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Attempt to access Google.com returned error: Other errors
Yahoo IP is accessible.
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2009-06-27 16:58] - [2009-04-11 00:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7

C:\Windows\System32\drivers\afd.sys
[2012-02-16 11:49] - [2012-01-03 08:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943

C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-05-18 15:52] - [2012-03-30 06:45] - 1423744 ____A (Microsoft Corporation) 46D448E9117464E4D3BBF36D7E3FA48E

C:\Windows\System32\dnsrslvr.dll
[2011-04-12 21:13] - [2011-03-02 10:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0

C:\Windows\System32\mpssvc.dll
[2009-06-27 16:58] - [2009-04-11 00:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C

C:\Windows\System32\bfe.dll
[2009-06-27 16:58] - [2009-04-11 00:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe
[2009-06-27 16:57] - [2009-04-11 00:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1

C:\Windows\System32\wscsvc.dll
[2009-06-27 16:57] - [2009-04-11 00:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A

C:\Windows\System32\wbem\WMIsvc.dll
[2009-06-27 16:57] - [2009-04-11 00:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02

C:\Windows\System32\wuaueng.dll
[2009-11-06 05:08] - [2009-08-06 20:24] - 2424024 ____A (Microsoft Corporation) FB3796754FE00F0BDC87A36F164A5F4D

C:\Windows\System32\qmgr.dll
[2009-06-27 16:58] - [2009-04-11 00:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C

C:\Windows\System32\es.dll
[2009-06-27 16:58] - [2009-04-11 00:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF

C:\Windows\System32\cryptsvc.dll
[2012-06-12 15:00] - [2012-04-23 10:25] - 0174592 ____A (Microsoft Corporation) 62740B9D2A137E8CED41A9E4239A7A31

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-06-27 16:58] - [2009-04-11 00:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF



**** End of log ****

#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:16 PM

Posted 11 July 2012 - 09:47 PM

Hello,


1.
Go to Start.

In the Search box at the bottom of the page type cmd and click Enter. In the Command window type

net start dnscache then click Enter


2.
Go to Start > All Programs > Accessories > Command Prompt. Right-click on it and select ‘Run As Administrator’. Type the following and hit Enter: ipconfig /flushdns

You should be able to see a confirmation dialog window:

Windows IP Configuration. Successfully flushed the DNS Resolver Cache


Internet connection now?

Please post a new Farbar Service Scanner log.

Edited by fireman4it, 11 July 2012 - 09:48 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!
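The two fix posts above (#13: merge the BFE, MpsSvc and WinDefend .reg files, then flush DNS; #15: start Dnscache, then flush DNS) and the failure reported in #14 follow one dependency chain: a service whose registry key is missing cannot be configured, a service that is Disabled cannot be started, and `ipconfig /flushdns` hands the flush to the running DNS Client service, so with Dnscache stopped it fails with "function failed during execution". The script below is an added example written for this thread, not code from fireman4it, BleepingComputer or Farbar Service Scanner. It checks the same services FSS reported on, in the same order the posts imply, and only flushes once Dnscache is actually running. It assumes an elevated PowerShell prompt on Vista/7 or later (PowerShell 2.0 cmdlets only, since `Get-Service` has no StartType property on those versions); the service names and start-type codes are the standard Windows ones, and the .reg URLs are the ones posted above.

```powershell
# Added example for this thread (not the forum's or FSS's own code).
# Assumes an elevated prompt. Reads each service key the way FSS does, so a
# missing key shows up as the "service key does not exist" condition that the
# posted .reg files (BFE.reg, MpsSvc.reg, WinDefend.reg) are meant to repair.

$services   = 'Dnscache', 'MpsSvc', 'bfe', 'wscsvc', 'WinDefend'
$startTypes = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }   # Start DWORD values
$svcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Show-ServiceConfig {
    foreach ($name in $services) {
        $key = Join-Path $svcRoot $name
        if (-not (Test-Path $key)) {
            # Nothing to configure yet: merge the matching .reg file first (post #13).
            Write-Warning ("{0}: service registry key is missing" -f $name)
            continue
        }
        $props = Get-ItemProperty -Path $key
        $start = $startTypes[[int]$props.Start]
        if (-not $start) { $start = $props.Start }   # driver-style values 0/1, or unset
        $svc   = Get-Service -Name $name -ErrorAction SilentlyContinue
        $state = if ($svc) { $svc.Status } else { 'unknown' }
        '{0,-10} Start={1,-9} State={2,-8} ImagePath={3}' -f $name, $start, $state, $props.ImagePath
    }
}

function Repair-DnsCache {
    # Post #14's error: the flush needs the DNS Client service, which FSS showed
    # as Disabled and not running. Fix start type, start it, then flush (post #15).
    $key = Join-Path $svcRoot 'Dnscache'
    if (-not (Test-Path $key)) {
        throw 'Dnscache service key is missing; restore it before continuing.'
    }
    if ((Get-ItemProperty -Path $key).Start -ne 2) {
        Set-Service -Name Dnscache -StartupType Automatic     # FSS default is Auto
    }
    $dns = Get-Service -Name Dnscache
    if ($dns.Status -ne 'Running') {
        Start-Service -Name Dnscache                          # same as "net start dnscache"
        $dns.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }
    # Only now does the flush have a service to talk to.
    $out = & ipconfig /flushdns
    if ($out -match 'Successfully flushed') {
        'DNS Resolver Cache flushed.'
    } else {
        Write-Warning ("Flush did not succeed:`n" + ($out -join "`n"))
    }
}

Show-ServiceConfig
Repair-DnsCache
Show-ServiceConfig
```

Run it once before merging the .reg files to see which keys are missing, and again afterwards; the second `Show-ServiceConfig` call at the end prints the same table FSS would summarise, so the "before" and "after" can be compared directly with the logs in this thread. `Set-Service` and `Start-Service` both fail on a service whose key has not been restored, which is why the registry merge from post #13 has to come before the steps from post #15.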

