
ZeroAccess Trojan: can't boot computer, BSOD 0x000000F4


This topic is locked
56 replies to this topic

#1 mdricci (Members, 31 posts)

Posted 19 August 2012 - 04:18 PM

One week ago I started getting weird pop-ups and IE redirects. Firefox wasn't affected. I ran Malwarebytes as well as my PC Tools Spyware Doctor with Anti-Virus. PC Tools usually does the trick for me. Both programs scanned and found the ZeroAccess rootkit virus. Both attempted to clean it, and had to reboot to finish cleaning. Ever since then, I can't start my computer!! I get a BSOD with error 0x000000F4. I can't boot to safe mode either, nor to a command prompt. I can get into the recovery console; however, most executables (TDSSKiller, etc.) won't run in the recovery console (that I know of, anyway).

Please help me!!! The OS is W7 x64 Home Premium.

PS: Since I can't boot up, I can't find my logs nor create any logs.

#2 gringo_pr, Bleepin Gringo (Malware Response Team, 136,772 posts, Puerto Rico)

Posted 20 August 2012 - 03:12 AM

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash-drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First, press the Scan button.
  • It will make a log (FRST.txt).
  • Second, type the following in the edit box after "Search:": services.exe
  • Click the Search button.
  • It will make a log (Search.txt).
I want you to post both the FRST.txt report and the Search.txt into your reply to me.

Gringo
I close my topics if you have not replied in 5 days. If you will be longer, please let me know.

If I have not replied to one of my topics in 48 hrs, please bump the topic.




Proud Graduate Of Malware Removal University
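The point of the Search step above is to have FRST list every copy of services.exe on the disk so that the live one in Windows\System32 can be compared with the others. The script below is an added example, not FRST's code and not part of the post: it performs that comparison itself on a volume mounted read-only from a rescue environment (the Linux live CD route, or a WinPE/WinRE shell with Python on the same USB stick). It assumes a standard Windows 7 layout and uses the copies outside System32 (the WinSxS component store keeps copies of the same binary) as the reference. A binary patched in place can keep its original size and timestamp, so the check is by SHA-256, never by size alone. The fixture it builds is constructed test data, not real Windows binaries, and the winsxs directory names in it are placeholders.

```python
"""Offline check for a tampered services.exe on a mounted Windows volume.

Added example (not FRST's code, not from the forum post). Assumes the infected
disk is mounted read-only under some path and has the usual Windows 7 layout.
Walks the whole volume, hashes every copy of services.exe it finds, and reports
whether the live copy in Windows\\System32 agrees with the other copies on disk.
"""
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path

TARGET = "services.exe"
LIVE_REL = "windows/system32/services.exe"   # the copy Windows actually boots


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(volume_root, name=TARGET):
    """Every file on the volume named `name` (NTFS is case-insensitive), with
    size and hash. Paths are relative to the volume root, forward-slashed and
    lower-cased so they compare reliably whatever the host OS is."""
    root = Path(volume_root)
    copies = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                p = Path(dirpath) / fn
                copies.append({
                    "rel": p.relative_to(root).as_posix().lower(),
                    "size": p.stat().st_size,
                    "sha256": sha256_file(p),
                })
    return sorted(copies, key=lambda c: c["rel"])


def triage(copies):
    """Compare the live System32 copy against every other copy on the disk.

    The reference hash is the most common hash among the other copies; an
    in-place patch of the running binary does not normally touch those. Any
    copy whose hash disagrees with the reference is listed as an outlier.
    """
    live = [c for c in copies if c["rel"] == LIVE_REL]
    others = [c for c in copies if c["rel"] != LIVE_REL]
    result = {"live": live[0] if live else None,
              "reference_sha256": None, "outliers": [], "verdict": ""}
    if not live:
        result["verdict"] = "live copy missing"
        return result
    if not others:
        result["verdict"] = "nothing to compare against"
        return result
    ref, _ = Counter(c["sha256"] for c in others).most_common(1)[0]
    result["reference_sha256"] = ref
    result["outliers"] = [c for c in copies if c["sha256"] != ref]
    result["verdict"] = ("live copy differs from the other copies"
                         if live[0]["sha256"] != ref else "live copy matches")
    return result


def build_sample_volume(root):
    """Constructed fixture, not real Windows binaries: a fake Win7 x64 tree in
    which System32\\services.exe has been altered but keeps its original size.
    The winsxs directory names are placeholders, not real component names."""
    clean = b"MZ" + b"\x00" * 30 + b"CLEAN services.exe body" + b"\x00" * 50
    patched = b"MZ" + b"\x00" * 30 + b"PATCH services.exe body" + b"\x00" * 50
    layout = {
        "Windows/System32/services.exe": patched,
        "Windows/winsxs/amd64_component_a/services.exe": clean,
        "Windows/winsxs/amd64_component_b/services.exe": clean,
        "Windows/System32/svchost.exe": b"MZ unrelated",   # must be ignored
    }
    for rel, data in layout.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return Path(root)


def run_demo():
    """Build the fixture in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(find_copies(build_sample_volume(tmp)))


if __name__ == "__main__":
    r = run_demo()
    print(r["verdict"])
    for c in r["outliers"]:
        print(f"  outlier: {c['rel']}  size={c['size']}  sha256={c['sha256'][:16]}...")
```

On a real mount, call `triage(find_copies("/mnt/win"))` (or whatever path the volume is mounted at). Disagreement between copies is a lead, not proof: a majority vote can be fooled if every copy was touched, and it says nothing when only one copy exists, so the definitive check remains an Authenticode signature verification or a known-good hash of the file for that Windows build. The same comparison is what the Search.txt the helper asks for lets a human do by eye.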

#3 mdricci (Topic Starter, Members, 31 posts)

Posted 20 August 2012 - 04:58 PM

Gringo,

Thank you for your response. I apologize for the delay in getting back to you. When I get home (in about 3 - 4 hours), I will do as directed. It is important (most likely) to note that I did run a live Linux-based rescue CD from Bitwise or bitmethod or something like that, that had an AV on it. It found the trojan.sirefef.GZ in a Windows installer file, but still no luck. I hope that I did not do any detrimental damage in doing this. I did this prior to your response. I will not do anything until directed by you from here on out!


I will post the logs when completed.

#4 mdricci (Topic Starter, Members, 31 posts)

Posted 20 August 2012 - 07:02 PM

Gringo,

Below is my FRST Log:

Scan result of Farbar Recovery Scan Tool Version: 19-08-2012
Ran by SYSTEM at 20-08-2012 18:51:41
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2587944 2010-12-31] (ELAN Microelectronics Corp.)
HKLM\...\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [361984 2011-03-21] (Alcor Micro Corp.)
HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /SF3 [2188904 2011-01-17] (Realtek Semiconductor)
HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1933584 2011-02-04] (Intel® Corporation)
HKLM\...\Run: [BTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp [10361616 2011-02-11] (Intel Corporation)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [168216 2011-06-02] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [391960 2011-06-02] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [419096 2011-06-02] (Intel Corporation)
HKLM-x32\...\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [Nuance PDF Reader-reminder] "C:\Program Files (x86)\Nuance\PDF Reader\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\PDF Reader\Ereg\Ereg.ini" [371 2012-08-16] ()
HKLM-x32\...\Run: [SonicMasterTray] C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe [984400 2010-07-09] (Virage Logic Corporation / Sonic Focus)
HKLM-x32\...\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [5732992 2010-08-17] (ASUS)
HKLM-x32\...\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [170624 2010-10-07] (ASUS)
HKLM-x32\...\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [1601536 2010-09-23] ()
HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.104.216\AsusWSPanel.exe /S [737104 2011-07-05] (ecareme)
HKLM-x32\...\Run: [PCTools FGuard] C:\Program Files (x86)\PC Tools Security\BDT\FGuard.exe [x]
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [BrMfcWnd] C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN [1163264 2011-04-01] ()
HKLM-x32\...\Run: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun [114688 2008-12-24] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe -scheduler [2073976 2012-03-14] (Flexera Software LLC.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [ISTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI [2659768 2012-01-11] (PC Tools)
HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\MDRCS\...\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [2073976 2012-03-14] (Flexera Software LLC.)
HKU\MDRCS\...\Run: [OpenOffice.org] rundll32.exe C:\Users\MDRCS\AppData\Local\OpenOffice.org\dpgtxgru.dll,DllCanUnloadNow [575488 2012-05-01] (Hewlett-Packard)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\FancyStart daemon.lnk
ShortcutTarget: FancyStart daemon.lnk -> C:\Windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_94E3CE3704FE82FBF49A6A.exe ()
Startup: C:\Users\MDRCS\Start Menu\Programs\Startup\MyPC Backup.lnk
ShortcutTarget: MyPC Backup.lnk -> C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe (MyPCBackup.com)
Startup: C:\Users\MDRCS\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ======

2 ASLDRService; C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe [84536 2009-06-15] (ASUS)
2 ATKGFNEXSrv; C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe [96896 2009-12-15] (ASUS)
2 BackupStack; C:\Program Files (x86)\MyPC Backup\BackupStack.exe [31808 2012-08-16] (Just Develop It)
2 Bluetooth Device Monitor; "C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe" [907600 2011-02-11] (Intel Corporation)
3 Bluetooth Media Service; "C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe" [1304912 2011-02-11] (Intel Corporation)
2 Bluetooth OBEX Service; "C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe" [997712 2011-02-11] (Intel Corporation)
2 Browser Defender Update Service; "C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe" [546768 2012-01-16] (Threat Expert Ltd.)
2 BTHSSecurityMgr; "C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe" [134928 2011-02-23] (Intel® Corporation)
2 MSSQL$SQLEXPRESS; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [29293408 2010-12-10] (Microsoft Corporation)
3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-02-04] ()
2 nlsX86cc; C:\Windows\SysWOW64\NLSSRV32.EXE [68928 2011-09-24] (Nalpeiron Ltd.)
2 sdAuxService; C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe [402336 2012-01-11] (PC Tools)
2 sdCoreService; C:\Program Files (x86)\PC Tools Security\pctsSvc.exe [1117624 2012-01-11] (PC Tools)
3 ThreatFire; C:\Program Files (x86)\PC Tools Security\TFEngine\TFService.exe service [71008 2012-01-11] (PC Tools)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2656280 2011-02-01] (Intel Corporation)

========================== Drivers (Whitelisted) =============

3 androidusb; C:\Windows\System32\Drivers\androidusb.sys [32768 2010-04-29] (Google Inc)
2 ASMMAP64; \??\C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [15416 2009-07-02] (ASUS)
1 ATKWMIACPIIO; \??\C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [17024 2010-07-26] (ASUS)
3 bsitf; \??\C:\Program Files (x86)\ASUS\WinFlash\bsitf64.sys [13440 2010-01-05] (ASUSTek Computer Inc.)
3 iBtFltCoex; C:\Windows\System32\Drivers\iBtFltCoex.sys [59904 2011-01-24] (Intel Corporation)
3 ISRegFlt; \??\C:\Program Files (x86)\InstallShield\2012Spring\System\ISRegFlt64.sys [39576 2011-08-11] (Flexera Software)
3 kbfiltr; C:\Windows\System32\Drivers\kbfiltr.sys [15416 2009-07-20] ( )
3 PCTBD; C:\Windows\System32\Drivers\PCTBD64.sys [70760 2011-09-28] (PC Tools)
0 PCTCore; C:\Windows\System32\drivers\PCTCore64.sys [367912 2011-11-14] (PC Tools)
0 pctDS; C:\Windows\System32\drivers\pctDS64.sys [453896 2011-12-01] (PC Tools)
0 pctEFA; C:\Windows\System32\drivers\pctEFA64.sys [1096688 2011-12-01] (PC Tools)
1 pctgntdi; \??\C:\Windows\System32\drivers\pctgntdi64.sys [339608 2012-01-11] (PC Tools)
3 pctplsg; \??\C:\Windows\System32\drivers\pctplsg64.sys [92896 2012-01-11] (PC Tools)
1 PCTSD; C:\Windows\System32\Drivers\PCTSD64.sys [230952 2012-01-11] (PC Tools)
0 TfFsMon; C:\Windows\System32\Drivers\TfFsMon.sys [65664 2012-01-11] (PC Tools)
3 TfNetMon; C:\Windows\System32\Drivers\TfNetMon.sys [41968 2012-01-11] (PC Tools)
0 TFSysMon; C:\Windows\System32\Drivers\TFSysMon.sys [706776 2012-01-11] (PC Tools)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-20 18:51 - 2012-08-20 18:51 - 00000000 ____D C:\FRST
2012-08-19 09:05 - 2012-08-19 09:05 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2012-08-16 23:29 - 2012-08-16 23:22 - 00475752 ____A (McAfee, Inc.) C:\rootkitremover.exe
2012-08-16 14:25 - 2012-08-16 14:26 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{A12E97CE-F779-4D20-ADB6-16FDF34E2D68}
2012-08-16 14:25 - 2012-08-16 14:25 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{DB59E111-87D8-4E9A-97C1-239C0180DC8F}
2012-08-15 19:58 - 2012-08-15 19:58 - 09826504 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-08-15 18:14 - 2012-08-15 18:14 - 00000000 ____D C:\Users\MDRCS\AppData\Roaming\Malwarebytes
2012-08-15 18:13 - 2012-08-15 18:13 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-15 18:13 - 2012-08-15 18:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-08-15 18:13 - 2012-08-15 18:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-15 18:13 - 2012-07-03 10:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-15 18:12 - 2012-08-15 18:13 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\MDRCS\Downloads\mbam-setup-1.62.0.1300.exe
2012-08-15 17:41 - 2012-08-15 17:48 - 00011126 ____A C:\Users\MDRCS\Desktop\3212 74th Court Expenses.xlsx
2012-08-15 15:25 - 2012-08-15 15:25 - 00000000 ____D C:\Users\MDRCS\Desktop\LR
2012-08-15 15:24 - 2012-08-15 15:24 - 08614133 ____A C:\Users\MDRCS\Desktop\LR.zip
2012-08-15 15:09 - 2012-08-15 15:09 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{F901B503-FD9F-401F-B116-0E6159F6622F}
2012-08-15 15:09 - 2012-08-15 15:09 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{EE1C4ED6-D5F6-4804-A38F-43FF4BD68CC0}
2012-08-14 17:29 - 2012-08-14 17:29 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{CE94881F-AF2A-4E93-997A-B696F455CA47}
2012-08-14 17:29 - 2012-08-14 17:29 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{B5683618-9848-4124-A906-CB64668CD7A2}
2012-08-13 17:38 - 2012-08-13 17:38 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{68705541-10ED-4AD6-9775-49F757149E97}
2012-08-13 17:38 - 2012-08-13 17:38 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{1F55EF3D-B5E3-4335-92FE-1B1A56B9B0EB}
2012-08-12 07:01 - 2012-08-12 07:01 - 00476976 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-08-12 07:01 - 2012-08-12 07:01 - 00157488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-08-12 07:01 - 2012-08-12 07:01 - 00149296 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-08-12 07:01 - 2012-08-12 07:01 - 00149296 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-08-12 07:00 - 2012-08-12 07:00 - 00000000 ____D C:\Program Files (x86)\Java
2012-08-12 06:59 - 2012-08-12 06:59 - 00000000 ____D C:\Users\All Users\McAfee
2012-08-12 06:21 - 2012-08-12 06:21 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{84660542-F5E7-479B-9A02-24A333E1C06E}
2012-08-12 06:21 - 2012-08-12 06:21 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{08D33234-7DF5-48BA-AC81-613B35E4CC31}
2012-08-11 15:52 - 2012-08-11 15:52 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-08-10 17:00 - 2012-08-10 17:00 - 00002857 ____A C:\Users\MDRCS\Documents\do.htm
2012-08-10 12:39 - 2012-08-10 12:39 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{95ECB93A-39E0-4416-B4BC-B7E3EADDDE45}
2012-08-10 12:38 - 2012-08-10 12:39 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{979BABC7-B162-4EB7-B2CA-366642DD9806}
2012-08-09 18:59 - 2012-08-09 18:59 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{8FD33EBA-0AB6-42E4-8EFF-4F8200DC9DF0}
2012-08-09 18:59 - 2012-08-09 18:59 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{1F9E45B3-BEDD-4E34-A8F0-C9E5824159D2}
2012-08-08 21:12 - 2012-08-08 21:12 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{BA9E3A3F-31AB-419E-9A8C-C1267E9C02A5}
2012-08-08 21:12 - 2012-08-08 21:12 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{5CB7BCD9-8867-4E0B-887D-89013B80B35A}
2012-08-07 18:57 - 2012-08-07 18:57 - 00000000 ____D C:\Users\MDRCS\AppData\Local\OpenOffice.org
2012-08-07 17:50 - 2012-08-07 17:50 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{B6F8DEA0-68BA-492A-84C9-B61AC1BB1E9C}
2012-08-07 17:50 - 2012-08-07 17:50 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{B086FDFA-8EDA-453E-9244-540555AE25E6}
2012-08-06 19:51 - 2012-08-06 19:51 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{79F57A9F-204A-43B4-A425-55E5D4DB2FC4}
2012-08-06 19:50 - 2012-08-06 19:51 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{7C46952B-1E39-45B0-915C-973A4986D103}
2012-08-05 20:44 - 2012-08-05 20:44 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{A0080925-70E1-4E2B-9F7C-E3AF69B394F9}
2012-08-05 20:44 - 2012-08-05 20:44 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{534E6B9E-5312-4DAB-9F64-C92C3A6D4674}
2012-08-04 09:40 - 2012-08-04 09:40 - 00042319 ____A C:\Users\MDRCS\Desktop\215_AmerexLog.zip
2012-08-04 09:10 - 2012-08-04 09:11 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{88EABDA8-175F-4BD7-B4DA-D80F3FD7513C}
2012-08-04 09:10 - 2012-08-04 09:10 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{0A339D15-456F-4E62-ACD6-DBE82427BEC2}
2012-08-03 15:30 - 2012-08-03 15:30 - 00001002 ____A C:\Users\MDRCS\Desktop\Hostgator Info_JFS.txt
2012-08-03 15:19 - 2012-08-03 15:19 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{E79639EB-D3A8-4748-86E0-A8ECDF9F7D6B}
2012-08-03 15:19 - 2012-08-03 15:19 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{71051CBC-2416-491E-B728-6D829C689E4A}
2012-08-02 14:32 - 2012-08-02 14:33 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{16E074D3-1F4D-4D59-AB4F-DC5DEFF6E40E}
2012-08-02 14:28 - 2012-08-02 14:29 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{D2DC1A86-B108-4B22-B011-BF50A56F014C}
2012-08-01 15:00 - 2012-08-01 15:00 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{B1BEBFAC-027D-4FB0-8B6F-5B80CDB58EF5}
2012-08-01 15:00 - 2012-08-01 15:00 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{5AE5384F-4352-465C-A2AB-58214043BC02}
2012-07-31 18:46 - 2012-07-31 18:46 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{495A2E8C-35E6-4862-817B-DCF7F4780A2D}
2012-07-31 18:45 - 2012-07-31 18:45 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{EA914443-AF10-49EA-B75E-B4FC5E29AB28}
2012-07-30 17:00 - 2012-07-30 17:00 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{B314E819-7492-45D6-BF2C-A4532083FE78}
2012-07-30 17:00 - 2012-07-30 17:00 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{5A9FB10D-C2EB-4199-B795-9A96736F82B9}
2012-07-29 17:08 - 2012-07-29 17:08 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{A6CBE618-9B63-4E1F-BE4E-A2C527CB016F}
2012-07-29 17:08 - 2012-07-29 17:08 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{517297FB-7F83-4649-9D09-335281A0E95A}
2012-07-29 16:54 - 2012-07-29 16:54 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{F31D0252-B29A-45DE-94E3-CDCC3E224B32}
2012-07-29 16:54 - 2012-07-29 16:54 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{894528BF-FE4B-484F-8FAF-CD0131E02A1B}
2012-07-28 09:05 - 2012-07-28 09:05 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{7357B2DE-F0CB-40BA-997A-56FB5098162B}
2012-07-28 09:05 - 2012-07-28 09:05 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{5EFECF3B-D5FC-4ECF-9447-6F2FD87E5EB0}
2012-07-25 03:42 - 2012-07-25 03:42 - 00262144 ____A C:\Windows\System32\config\SAM.gsbackup
2012-07-25 03:35 - 2012-07-25 03:35 - 00000000 ____D C:\Users\All Users\Geek Squad
2012-07-25 02:47 - 2012-07-25 02:59 - 00000352 ____A C:\Windows\qawin32.INI
2012-07-21 10:47 - 2012-07-21 10:47 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{703F5A0A-7E31-4349-9069-9AC530515081}
2012-07-21 10:47 - 2012-07-21 10:47 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{13F49FCF-F139-4D2C-B4B4-393744FBE605}
2012-07-21 10:45 - 2012-08-02 18:25 - 00000000 ____D C:\Users\MDRCS\Desktop\L&R Stuff

============ 3 Months Modified Files ========================

2012-08-19 19:47 - 2012-01-07 09:40 - 00129296 ____A C:\Windows\PFRO.log
2012-08-19 19:47 - 2012-01-06 18:13 - 456471436 ____A C:\Windows\MEMORY.DMP
2012-08-19 19:47 - 2009-07-13 20:45 - 00417448 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-19 19:45 - 2011-08-03 18:23 - 03748032 ____A C:\Windows\System32\Drivers\Cat.DB
2012-08-16 23:22 - 2012-08-16 23:29 - 00475752 ____A (McAfee, Inc.) C:\rootkitremover.exe
2012-08-16 18:47 - 2011-08-02 21:28 - 00995328 ____A C:\Users\MDRCS\Desktop\Login Info.accdb
2012-08-16 18:00 - 2011-02-03 05:57 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-16 18:00 - 2011-02-03 05:57 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-16 17:58 - 2012-04-12 16:46 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-15 20:02 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-15 20:02 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-15 19:59 - 2009-07-13 21:13 - 00876496 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-15 19:58 - 2012-08-15 19:58 - 09826504 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-08-15 19:58 - 2012-04-12 16:46 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-15 19:58 - 2011-08-17 20:07 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-15 19:54 - 2012-01-03 20:38 - 00013589 ____A C:\Windows\setupact.log
2012-08-15 19:54 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-15 18:25 - 2011-05-19 12:50 - 00045056 ____A C:\Windows\System32\acovcnt.exe
2012-08-15 18:13 - 2012-08-15 18:13 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-15 18:13 - 2012-08-15 18:12 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\MDRCS\Downloads\mbam-setup-1.62.0.1300.exe
2012-08-15 17:48 - 2012-08-15 17:41 - 00011126 ____A C:\Users\MDRCS\Desktop\3212 74th Court Expenses.xlsx
2012-08-15 15:24 - 2012-08-15 15:24 - 08614133 ____A C:\Users\MDRCS\Desktop\LR.zip
2012-08-12 07:01 - 2012-08-12 07:01 - 00476976 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-08-12 07:01 - 2012-08-12 07:01 - 00157488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-08-12 07:01 - 2012-08-12 07:01 - 00149296 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-08-12 07:01 - 2012-08-12 07:01 - 00149296 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-08-12 07:01 - 2011-08-06 17:35 - 00472880 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-08-11 15:47 - 2011-05-19 12:23 - 01467496 ____A C:\Windows\WindowsUpdate.log
2012-08-10 17:00 - 2012-08-10 17:00 - 00002857 ____A C:\Users\MDRCS\Documents\do.htm
2012-08-04 09:40 - 2012-08-04 09:40 - 00042319 ____A C:\Users\MDRCS\Desktop\215_AmerexLog.zip
2012-08-03 15:30 - 2012-08-03 15:30 - 00001002 ____A C:\Users\MDRCS\Desktop\Hostgator Info_JFS.txt
2012-07-28 09:01 - 2009-07-13 21:08 - 00032566 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-25 03:42 - 2012-07-25 03:42 - 00262144 ____A C:\Windows\System32\config\SAM.gsbackup
2012-07-25 02:59 - 2012-07-25 02:47 - 00000352 ____A C:\Windows\qawin32.INI
2012-07-13 00:15 - 2012-07-13 00:14 - 00264802 ____A C:\Windows\msxml4-KB2721691-enu.LOG
2012-07-13 00:15 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
2012-07-13 00:09 - 2011-08-03 15:18 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-03 10:46 - 2012-08-15 18:13 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-28 19:32 - 2012-01-30 19:40 - 00041687 ____A C:\Users\MDRCS\Documents\Invoice_Template.xlsx
2012-06-25 13:04 - 2012-06-25 13:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml4.dll
2012-06-13 18:45 - 2012-06-13 18:44 - 10912455 ____A C:\Users\MDRCS\Downloads\RST_10.0.0.1046_WHQL_RAID_AHCI_drv_and_GUI.zip
2012-06-11 19:08 - 2012-07-13 00:16 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 22:36 - 2012-06-08 22:36 - 00124921 ____A C:\Users\MDRCS\Downloads\winpak12.zip
2012-06-08 21:43 - 2012-07-12 16:31 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:59 - 2011-05-19 12:49 - 00001590 ____A C:\Windows\System32\ServiceFilter.ini
2012-06-08 20:41 - 2012-07-12 16:31 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-08 20:24 - 2012-06-08 20:24 - 05556306 ____A (Jared Breland ) C:\Users\MDRCS\Downloads\uniextract161.exe
2012-06-08 20:03 - 2012-06-08 21:50 - 06055424 ____A (Hewlett-Packard ) C:\matt.exe
2012-06-08 20:03 - 2012-06-08 20:03 - 06055424 ____A (Hewlett-Packard ) C:\Users\MDRCS\Downloads\sp50859.exe
2012-06-08 19:21 - 2012-06-08 19:21 - 00130247 ____A C:\Users\MDRCS\Downloads\bluescreenview_setup.exe
2012-06-08 19:02 - 2012-06-08 19:02 - 00002453 ____A C:\Users\Public\Desktop\SeaTools for Windows.lnk
2012-06-08 18:59 - 2012-06-08 18:59 - 21476536 ____A C:\Users\MDRCS\Downloads\SeaToolsforWindowsSetup-1206.exe
2012-06-08 17:41 - 2012-06-08 17:41 - 02108959 ____A C:\Users\MDRCS\Downloads\tdsskiller.zip
2012-06-05 22:06 - 2012-07-12 16:31 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-12 16:31 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-12 16:31 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-12 16:31 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-12 16:31 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-12 16:31 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-08 17:15 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-08 17:15 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-08 17:15 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-08 17:15 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-08 17:15 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-08 17:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-08 17:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 12:19 - 2012-06-08 17:14 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:15 - 2012-06-08 17:14 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 04:49 - 2012-07-13 00:06 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-13 00:06 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-13 00:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-13 00:07 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:05 - 2012-07-13 00:06 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:04 - 2012-07-13 00:07 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:04 - 2012-07-13 00:06 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:03 - 2012-07-13 00:06 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-13 00:06 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-13 00:06 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-13 00:07 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-13 00:07 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-13 00:07 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-13 00:06 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-13 00:06 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-13 00:06 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-13 00:06 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-13 00:07 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-13 00:06 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-13 00:06 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-13 00:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-13 00:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-13 00:06 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-13 00:07 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-13 00:06 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-13 00:07 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-13 00:07 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-13 00:06 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 21:50 - 2012-07-12 16:31 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-12 16:31 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-12 16:31 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-12 16:31 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-12 16:31 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-12 16:31 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-12 16:31 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-12 16:31 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-12 16:31 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll


ZeroAccess:
C:\Windows\Installer\{e6d103e4-a89e-97a4-3fd9-ecaae556d9f8}
C:\Windows\Installer\{e6d103e4-a89e-97a4-3fd9-ecaae556d9f8}\@
C:\Windows\Installer\{e6d103e4-a89e-97a4-3fd9-ecaae556d9f8}\U

ZeroAccess:
C:\Users\MDRCS\AppData\Local\{e6d103e4-a89e-97a4-3fd9-ecaae556d9f8}
C:\Users\MDRCS\AppData\Local\{e6d103e4-a89e-97a4-3fd9-ecaae556d9f8}\@
C:\Users\MDRCS\AppData\Local\{e6d103e4-a89e-97a4-3fd9-ecaae556d9f8}\L
C:\Users\MDRCS\AppData\Local\{e6d103e4-a89e-97a4-3fd9-ecaae556d9f8}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 9%
Total physical RAM: 7970.21 MB
Available physical RAM: 7213.93 MB
Total Pagefile: 7968.36 MB
Available Pagefile: 7212.93 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:273.09 GB) (Free:217.34 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: () (Removable) (Total:0.24 GB) (Free:0.02 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 244 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 25 GB 1024 KB
Partition 2 Primary 273 GB 25 GB

==================================================================================

Disk: 0
Partition 1
Type : 1C
Hidden: Yes
Active: No

There is no volume associated with this partition.

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C OS NTFS Partition 273 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 244 MB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E FAT32 Removable 244 MB Healthy

==================================================================================

Last Boot: 2012-08-11 12:48

======================= End Of Log ==========================



HERE IS THE SEARCH LOG:

Farbar Recovery Scan Tool Version: 19-08-2012
Ran by SYSTEM at 2012-08-20 18:54:14
Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:26 AM

Posted 21 August 2012 - 12:51 AM

Hello

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt.

Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
C:\Windows\Installer\{e6d103e4-a89e-97a4-3fd9-ecaae556d9f8}
C:\Users\MDRCS\AppData\Local\{e6d103e4-a89e-97a4-3fd9-ecaae556d9f8}
 


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
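The scan log a few posts up reported the ZeroAccess folders and a missing services.exe, and the fixlist in this post repairs them. As an added example (not FRST's code and not something posted in the thread), here is a Python triage script that parses those FRST log sections and drafts the matching fixlist; the WinSxS source path, the ZeroAccess folder and the sample log lines are taken from the logs quoted in the thread, while the `Finding` class, the function names and the `SAMPLE_LOG` text are constructed for this example.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) logs.
Added example for this thread, not FRST code and not posted by the helper:
it parses the FRST log text quoted above, reports the findings the thread
acted on, and drafts a fixlist in the form used in the post above.
"""
import re
from dataclasses import dataclass

# Entry of the "Created Files" / "Modified Files" sections:
#   "<created> - <modified> - <size> <attrs> [(Company)] <path>"
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>\S.*)$"
)
# Bamital & volsnap check verdict: "<path> IS MISSING <==== ATTENTION!."
MISSING_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+) IS MISSING\b")
# ZeroAccess keeps its files under a {GUID} folder as "\@", "\U" and "\L";
# capture the folder itself so the three markers collapse into one finding.
ZA_PATH = re.compile(
    r"^(?P<root>.*\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})(?:\\[@UL])?$",
    re.IGNORECASE,
)

# Clean copy located by the FRST search (path as quoted in the thread's search log).
WINSXS_SERVICES = (
    r"C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller"
    r"_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe"
)

# Constructed sample: a handful of lines lifted from the logs quoted above.
SAMPLE_LOG = r"""
ZeroAccess:
C:\Windows\Installer\{e6d103e4-a89e-97a4-3fd9-ecaae556d9f8}
C:\Windows\Installer\{e6d103e4-a89e-97a4-3fd9-ecaae556d9f8}\@
C:\Windows\Installer\{e6d103e4-a89e-97a4-3fd9-ecaae556d9f8}\U

========================= Bamital & volsnap Check ============
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

============ One Month Created Files and Folders ==============
2012-08-20 18:51 - 2012-08-20 18:51 - 00000000 ____D C:\FRST
2012-08-11 15:52 - 2012-08-11 15:52 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-08-15 18:13 - 2012-07-03 10:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
"""


@dataclass(frozen=True)
class Finding:
    kind: str  # "zeroaccess", "missing_system_file" or "hidden_fake_env_dir"
    path: str


def triage(log_text: str) -> list[Finding]:
    """Return the suspicious entries of an FRST scan log in first-seen order."""
    findings: list[Finding] = []
    in_za_block = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_za_block = False  # a ZeroAccess block ends at the blank line
            continue
        if line == "ZeroAccess:":
            in_za_block = True
            continue
        if in_za_block:
            m = ZA_PATH.match(line)
            if m:
                findings.append(Finding("zeroaccess", m.group("root")))
            continue
        m = MISSING_LINE.match(line)
        if m:
            findings.append(Finding("missing_system_file", m.group("path")))
            continue
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            name = path.rsplit("\\", 1)[-1]
            # A hidden+system directory literally named like %APPDATA% is not
            # something Windows creates; the thread's log showed exactly that.
            if {"D", "H", "S"} <= set(attrs) and name.startswith("%"):
                findings.append(Finding("hidden_fake_env_dir", path))
    return list(dict.fromkeys(findings))  # de-duplicate, keep order


def build_fixlist(findings: list[Finding], replacements: dict[str, str]) -> str:
    """Draft an FRST fixlist: Replace directives first, then paths to move."""
    lines = [f"Replace: {replacements[f.path]} {f.path}" for f in findings
             if f.kind == "missing_system_file" and f.path in replacements]
    lines += [f.path for f in findings
              if f.kind in ("zeroaccess", "hidden_fake_env_dir")]
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(*found, sep="\n")
    print(build_fixlist(found, {r"C:\Windows\System32\services.exe": WINSXS_SERVICES}))
```

Treat the drafted fixlist as something for the helper to review before it goes on the flash drive, exactly as the NOTICE above says of the hand-written one.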

#6 mdricci

mdricci
  • Topic Starter

  • Members
  • 31 posts
  • Local time:10:26 AM

Posted 21 August 2012 - 12:24 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 19-08-2012
Ran by SYSTEM at 2012-08-21 12:20:35 Run:1
Running from E:\

==============================================

Could not find C:\Windows\System32\services.exe.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe
C:\Windows\Installer\{e6d103e4-a89e-97a4-3fd9-ecaae556d9f8} moved successfully.
C:\Users\MDRCS\AppData\Local\{e6d103e4-a89e-97a4-3fd9-ecaae556d9f8} moved successfully.

==== End of Fixlog ====

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:26 AM

Posted 21 August 2012 - 01:04 PM

Hello mdricci

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

Edited by gringo_pr, 21 August 2012 - 05:00 PM.


#8 mdricci

mdricci
  • Topic Starter

  • Members
  • 31 posts
  • Local time:10:26 AM

Posted 21 August 2012 - 02:57 PM

Gringo,

Do you want me to try to boot to Windows to run Combofix? Or do it from the recovery console? Also, do you want me to uninstall AVG? I did not know I had it installed still. I thought I removed it a year ago. Can this be run from the recovery console? (the AVG removal tool, that is).

Thanks Gringo, you are doing a great job helping me!!!

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:26 AM

Posted 21 August 2012 - 05:02 PM

Sorry, I copied too many instructions in there.


Are you able to boot into Windows normally now?

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:26 AM

Posted 21 August 2012 - 05:03 PM

double post! :crazy:

Edited by gringo_pr, 21 August 2012 - 05:04 PM.


#11 mdricci

mdricci
  • Topic Starter

  • Members
  • 31 posts
  • Local time:10:26 AM

Posted 21 August 2012 - 05:51 PM

No, Windows won't start!!!

The mouse shows up, and then I get the same error - BSOD error 0x000000F4. Do you want me to run Combofix from the recovery console? Usually, the recovery console says that the subsystem needed is not present.

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:26 AM

Posted 21 August 2012 - 07:13 PM

I want you to rerun FRST and send me a new report.



gringo

#13 mdricci

mdricci
  • Topic Starter

  • Members
  • 31 posts
  • Local time:10:26 AM

Posted 21 August 2012 - 07:28 PM

Here is my log. It looks like the services.exe driver is still messed up.

Scan result of Farbar Recovery Scan Tool Version: 19-08-2012
Ran by SYSTEM at 21-08-2012 19:24:54
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2587944 2010-12-31] (ELAN Microelectronics Corp.)
HKLM\...\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [361984 2011-03-21] (Alcor Micro Corp.)
HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /SF3 [2188904 2011-01-17] (Realtek Semiconductor)
HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1933584 2011-02-04] (Intel® Corporation)
HKLM\...\Run: [BTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp [10361616 2011-02-11] (Intel Corporation)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [168216 2011-06-02] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [391960 2011-06-02] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [419096 2011-06-02] (Intel Corporation)
HKLM-x32\...\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [Nuance PDF Reader-reminder] "C:\Program Files (x86)\Nuance\PDF Reader\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\PDF Reader\Ereg\Ereg.ini" [371 2012-08-16] ()
HKLM-x32\...\Run: [SonicMasterTray] C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe [984400 2010-07-09] (Virage Logic Corporation / Sonic Focus)
HKLM-x32\...\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [5732992 2010-08-17] (ASUS)
HKLM-x32\...\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [170624 2010-10-07] (ASUS)
HKLM-x32\...\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [1601536 2010-09-23] ()
HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.104.216\AsusWSPanel.exe /S [737104 2011-07-05] (ecareme)
HKLM-x32\...\Run: [PCTools FGuard] C:\Program Files (x86)\PC Tools Security\BDT\FGuard.exe [x]
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [BrMfcWnd] C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN [1163264 2011-04-01] ()
HKLM-x32\...\Run: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun [114688 2008-12-24] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe -scheduler [2073976 2012-03-14] (Flexera Software LLC.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [ISTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI [2659768 2012-01-11] (PC Tools)
HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\MDRCS\...\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [2073976 2012-03-14] (Flexera Software LLC.)
HKU\MDRCS\...\Run: [OpenOffice.org] rundll32.exe C:\Users\MDRCS\AppData\Local\OpenOffice.org\dpgtxgru.dll,DllCanUnloadNow [575488 2012-05-01] (Hewlett-Packard)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\FancyStart daemon.lnk
ShortcutTarget: FancyStart daemon.lnk -> C:\Windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_94E3CE3704FE82FBF49A6A.exe ()
Startup: C:\Users\MDRCS\Start Menu\Programs\Startup\MyPC Backup.lnk
ShortcutTarget: MyPC Backup.lnk -> C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe (MyPCBackup.com)
Startup: C:\Users\MDRCS\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ======

2 ASLDRService; C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe [84536 2009-06-15] (ASUS)
2 ATKGFNEXSrv; C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe [96896 2009-12-15] (ASUS)
2 BackupStack; C:\Program Files (x86)\MyPC Backup\BackupStack.exe [31808 2012-08-16] (Just Develop It)
2 Bluetooth Device Monitor; "C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe" [907600 2011-02-11] (Intel Corporation)
3 Bluetooth Media Service; "C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe" [1304912 2011-02-11] (Intel Corporation)
2 Bluetooth OBEX Service; "C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe" [997712 2011-02-11] (Intel Corporation)
2 Browser Defender Update Service; "C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe" [546768 2012-01-16] (Threat Expert Ltd.)
2 BTHSSecurityMgr; "C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe" [134928 2011-02-23] (Intel® Corporation)
2 MSSQL$SQLEXPRESS; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [29293408 2010-12-10] (Microsoft Corporation)
3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-02-04] ()
2 nlsX86cc; C:\Windows\SysWOW64\NLSSRV32.EXE [68928 2011-09-24] (Nalpeiron Ltd.)
2 sdAuxService; C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe [402336 2012-01-11] (PC Tools)
2 sdCoreService; C:\Program Files (x86)\PC Tools Security\pctsSvc.exe [1117624 2012-01-11] (PC Tools)
3 ThreatFire; C:\Program Files (x86)\PC Tools Security\TFEngine\TFService.exe service [71008 2012-01-11] (PC Tools)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2656280 2011-02-01] (Intel Corporation)

========================== Drivers (Whitelisted) =============

3 androidusb; C:\Windows\System32\Drivers\androidusb.sys [32768 2010-04-29] (Google Inc)
2 ASMMAP64; \??\C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [15416 2009-07-02] (ASUS)
1 ATKWMIACPIIO; \??\C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [17024 2010-07-26] (ASUS)
3 bsitf; \??\C:\Program Files (x86)\ASUS\WinFlash\bsitf64.sys [13440 2010-01-05] (ASUSTek Computer Inc.)
3 iBtFltCoex; C:\Windows\System32\Drivers\iBtFltCoex.sys [59904 2011-01-24] (Intel Corporation)
3 ISRegFlt; \??\C:\Program Files (x86)\InstallShield\2012Spring\System\ISRegFlt64.sys [39576 2011-08-11] (Flexera Software)
3 kbfiltr; C:\Windows\System32\Drivers\kbfiltr.sys [15416 2009-07-20] ( )
3 PCTBD; C:\Windows\System32\Drivers\PCTBD64.sys [70760 2011-09-28] (PC Tools)
0 PCTCore; C:\Windows\System32\drivers\PCTCore64.sys [367912 2011-11-14] (PC Tools)
0 pctDS; C:\Windows\System32\drivers\pctDS64.sys [453896 2011-12-01] (PC Tools)
0 pctEFA; C:\Windows\System32\drivers\pctEFA64.sys [1096688 2011-12-01] (PC Tools)
1 pctgntdi; \??\C:\Windows\System32\drivers\pctgntdi64.sys [339608 2012-01-11] (PC Tools)
3 pctplsg; \??\C:\Windows\System32\drivers\pctplsg64.sys [92896 2012-01-11] (PC Tools)
1 PCTSD; C:\Windows\System32\Drivers\PCTSD64.sys [230952 2012-01-11] (PC Tools)
0 TfFsMon; C:\Windows\System32\Drivers\TfFsMon.sys [65664 2012-01-11] (PC Tools)
3 TfNetMon; C:\Windows\System32\Drivers\TfNetMon.sys [41968 2012-01-11] (PC Tools)
0 TFSysMon; C:\Windows\System32\Drivers\TFSysMon.sys [706776 2012-01-11] (PC Tools)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-20 18:51 - 2012-08-20 18:51 - 00000000 ____D C:\FRST
2012-08-19 09:05 - 2012-08-19 09:05 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2012-08-16 23:29 - 2012-08-16 23:22 - 00475752 ____A (McAfee, Inc.) C:\rootkitremover.exe
2012-08-16 14:25 - 2012-08-16 14:26 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{A12E97CE-F779-4D20-ADB6-16FDF34E2D68}
2012-08-16 14:25 - 2012-08-16 14:25 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{DB59E111-87D8-4E9A-97C1-239C0180DC8F}
2012-08-15 19:58 - 2012-08-15 19:58 - 09826504 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-08-15 18:14 - 2012-08-15 18:14 - 00000000 ____D C:\Users\MDRCS\AppData\Roaming\Malwarebytes
2012-08-15 18:13 - 2012-08-15 18:13 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-15 18:13 - 2012-08-15 18:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-08-15 18:13 - 2012-08-15 18:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-15 18:13 - 2012-07-03 10:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-15 18:12 - 2012-08-15 18:13 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\MDRCS\Downloads\mbam-setup-1.62.0.1300.exe
2012-08-15 17:41 - 2012-08-15 17:48 - 00011126 ____A C:\Users\MDRCS\Desktop\3212 74th Court Expenses.xlsx
2012-08-15 15:25 - 2012-08-15 15:25 - 00000000 ____D C:\Users\MDRCS\Desktop\LR
2012-08-15 15:24 - 2012-08-15 15:24 - 08614133 ____A C:\Users\MDRCS\Desktop\LR.zip
2012-08-15 15:09 - 2012-08-15 15:09 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{F901B503-FD9F-401F-B116-0E6159F6622F}
2012-08-15 15:09 - 2012-08-15 15:09 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{EE1C4ED6-D5F6-4804-A38F-43FF4BD68CC0}
2012-08-14 17:29 - 2012-08-14 17:29 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{CE94881F-AF2A-4E93-997A-B696F455CA47}
2012-08-14 17:29 - 2012-08-14 17:29 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{B5683618-9848-4124-A906-CB64668CD7A2}
2012-08-13 17:38 - 2012-08-13 17:38 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{68705541-10ED-4AD6-9775-49F757149E97}
2012-08-13 17:38 - 2012-08-13 17:38 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{1F55EF3D-B5E3-4335-92FE-1B1A56B9B0EB}
2012-08-12 07:01 - 2012-08-12 07:01 - 00476976 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-08-12 07:01 - 2012-08-12 07:01 - 00157488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-08-12 07:01 - 2012-08-12 07:01 - 00149296 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-08-12 07:01 - 2012-08-12 07:01 - 00149296 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-08-12 07:00 - 2012-08-12 07:00 - 00000000 ____D C:\Program Files (x86)\Java
2012-08-12 06:59 - 2012-08-12 06:59 - 00000000 ____D C:\Users\All Users\McAfee
2012-08-12 06:21 - 2012-08-12 06:21 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{84660542-F5E7-479B-9A02-24A333E1C06E}
2012-08-12 06:21 - 2012-08-12 06:21 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{08D33234-7DF5-48BA-AC81-613B35E4CC31}
2012-08-11 15:52 - 2012-08-11 15:52 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-08-10 17:00 - 2012-08-10 17:00 - 00002857 ____A C:\Users\MDRCS\Documents\do.htm
2012-08-10 12:39 - 2012-08-10 12:39 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{95ECB93A-39E0-4416-B4BC-B7E3EADDDE45}
2012-08-10 12:38 - 2012-08-10 12:39 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{979BABC7-B162-4EB7-B2CA-366642DD9806}
2012-08-09 18:59 - 2012-08-09 18:59 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{8FD33EBA-0AB6-42E4-8EFF-4F8200DC9DF0}
2012-08-09 18:59 - 2012-08-09 18:59 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{1F9E45B3-BEDD-4E34-A8F0-C9E5824159D2}
2012-08-08 21:12 - 2012-08-08 21:12 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{BA9E3A3F-31AB-419E-9A8C-C1267E9C02A5}
2012-08-08 21:12 - 2012-08-08 21:12 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{5CB7BCD9-8867-4E0B-887D-89013B80B35A}
2012-08-07 18:57 - 2012-08-07 18:57 - 00000000 ____D C:\Users\MDRCS\AppData\Local\OpenOffice.org
2012-08-07 17:50 - 2012-08-07 17:50 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{B6F8DEA0-68BA-492A-84C9-B61AC1BB1E9C}
2012-08-07 17:50 - 2012-08-07 17:50 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{B086FDFA-8EDA-453E-9244-540555AE25E6}
2012-08-06 19:51 - 2012-08-06 19:51 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{79F57A9F-204A-43B4-A425-55E5D4DB2FC4}
2012-08-06 19:50 - 2012-08-06 19:51 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{7C46952B-1E39-45B0-915C-973A4986D103}
2012-08-05 20:44 - 2012-08-05 20:44 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{A0080925-70E1-4E2B-9F7C-E3AF69B394F9}
2012-08-05 20:44 - 2012-08-05 20:44 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{534E6B9E-5312-4DAB-9F64-C92C3A6D4674}
2012-08-04 09:40 - 2012-08-04 09:40 - 00042319 ____A C:\Users\MDRCS\Desktop\215_AmerexLog.zip
2012-08-04 09:10 - 2012-08-04 09:11 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{88EABDA8-175F-4BD7-B4DA-D80F3FD7513C}
2012-08-04 09:10 - 2012-08-04 09:10 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{0A339D15-456F-4E62-ACD6-DBE82427BEC2}
2012-08-03 15:30 - 2012-08-03 15:30 - 00001002 ____A C:\Users\MDRCS\Desktop\Hostgator Info_JFS.txt
2012-08-03 15:19 - 2012-08-03 15:19 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{E79639EB-D3A8-4748-86E0-A8ECDF9F7D6B}
2012-08-03 15:19 - 2012-08-03 15:19 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{71051CBC-2416-491E-B728-6D829C689E4A}
2012-08-02 14:32 - 2012-08-02 14:33 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{16E074D3-1F4D-4D59-AB4F-DC5DEFF6E40E}
2012-08-02 14:28 - 2012-08-02 14:29 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{D2DC1A86-B108-4B22-B011-BF50A56F014C}
2012-08-01 15:00 - 2012-08-01 15:00 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{B1BEBFAC-027D-4FB0-8B6F-5B80CDB58EF5}
2012-08-01 15:00 - 2012-08-01 15:00 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{5AE5384F-4352-465C-A2AB-58214043BC02}
2012-07-31 18:46 - 2012-07-31 18:46 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{495A2E8C-35E6-4862-817B-DCF7F4780A2D}
2012-07-31 18:45 - 2012-07-31 18:45 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{EA914443-AF10-49EA-B75E-B4FC5E29AB28}
2012-07-30 17:00 - 2012-07-30 17:00 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{B314E819-7492-45D6-BF2C-A4532083FE78}
2012-07-30 17:00 - 2012-07-30 17:00 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{5A9FB10D-C2EB-4199-B795-9A96736F82B9}
2012-07-29 17:08 - 2012-07-29 17:08 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{A6CBE618-9B63-4E1F-BE4E-A2C527CB016F}
2012-07-29 17:08 - 2012-07-29 17:08 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{517297FB-7F83-4649-9D09-335281A0E95A}
2012-07-29 16:54 - 2012-07-29 16:54 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{F31D0252-B29A-45DE-94E3-CDCC3E224B32}
2012-07-29 16:54 - 2012-07-29 16:54 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{894528BF-FE4B-484F-8FAF-CD0131E02A1B}
2012-07-28 09:05 - 2012-07-28 09:05 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{7357B2DE-F0CB-40BA-997A-56FB5098162B}
2012-07-28 09:05 - 2012-07-28 09:05 - 00000000 ____D C:\Users\MDRCS\AppData\Local\{5EFECF3B-D5FC-4ECF-9447-6F2FD87E5EB0}
2012-07-25 03:42 - 2012-07-25 03:42 - 00262144 ____A C:\Windows\System32\config\SAM.gsbackup
2012-07-25 03:35 - 2012-07-25 03:35 - 00000000 ____D C:\Users\All Users\Geek Squad
2012-07-25 02:47 - 2012-07-25 02:59 - 00000352 ____A C:\Windows\qawin32.INI

============ 3 Months Modified Files ========================

2012-08-21 14:51 - 2009-07-13 20:45 - 00417448 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-21 14:50 - 2012-01-07 09:40 - 00150128 ____A C:\Windows\PFRO.log
2012-08-21 14:50 - 2012-01-06 18:13 - 326896052 ____A C:\Windows\MEMORY.DMP
2012-08-19 19:45 - 2011-08-03 18:23 - 03748032 ____A C:\Windows\System32\Drivers\Cat.DB
2012-08-16 23:22 - 2012-08-16 23:29 - 00475752 ____A (McAfee, Inc.) C:\rootkitremover.exe
2012-08-16 18:47 - 2011-08-02 21:28 - 00995328 ____A C:\Users\MDRCS\Desktop\Login Info.accdb
2012-08-16 18:00 - 2011-02-03 05:57 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-16 18:00 - 2011-02-03 05:57 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-16 17:58 - 2012-04-12 16:46 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-15 20:02 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-15 20:02 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-15 19:59 - 2009-07-13 21:13 - 00876496 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-15 19:58 - 2012-08-15 19:58 - 09826504 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-08-15 19:58 - 2012-04-12 16:46 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-15 19:58 - 2011-08-17 20:07 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-15 19:54 - 2012-01-03 20:38 - 00013589 ____A C:\Windows\setupact.log
2012-08-15 19:54 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-15 18:25 - 2011-05-19 12:50 - 00045056 ____A C:\Windows\System32\acovcnt.exe
2012-08-15 18:13 - 2012-08-15 18:13 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-15 18:13 - 2012-08-15 18:12 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\MDRCS\Downloads\mbam-setup-1.62.0.1300.exe
2012-08-15 17:48 - 2012-08-15 17:41 - 00011126 ____A C:\Users\MDRCS\Desktop\3212 74th Court Expenses.xlsx
2012-08-15 15:24 - 2012-08-15 15:24 - 08614133 ____A C:\Users\MDRCS\Desktop\LR.zip
2012-08-12 07:01 - 2012-08-12 07:01 - 00476976 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-08-12 07:01 - 2012-08-12 07:01 - 00157488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-08-12 07:01 - 2012-08-12 07:01 - 00149296 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-08-12 07:01 - 2012-08-12 07:01 - 00149296 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-08-12 07:01 - 2011-08-06 17:35 - 00472880 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-08-11 15:47 - 2011-05-19 12:23 - 01467496 ____A C:\Windows\WindowsUpdate.log
2012-08-10 17:00 - 2012-08-10 17:00 - 00002857 ____A C:\Users\MDRCS\Documents\do.htm
2012-08-04 09:40 - 2012-08-04 09:40 - 00042319 ____A C:\Users\MDRCS\Desktop\215_AmerexLog.zip
2012-08-03 15:30 - 2012-08-03 15:30 - 00001002 ____A C:\Users\MDRCS\Desktop\Hostgator Info_JFS.txt
2012-07-28 09:01 - 2009-07-13 21:08 - 00032566 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-25 03:42 - 2012-07-25 03:42 - 00262144 ____A C:\Windows\System32\config\SAM.gsbackup
2012-07-25 02:59 - 2012-07-25 02:47 - 00000352 ____A C:\Windows\qawin32.INI
2012-07-13 00:15 - 2012-07-13 00:14 - 00264802 ____A C:\Windows\msxml4-KB2721691-enu.LOG
2012-07-13 00:15 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
2012-07-13 00:09 - 2011-08-03 15:18 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-03 10:46 - 2012-08-15 18:13 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-28 19:32 - 2012-01-30 19:40 - 00041687 ____A C:\Users\MDRCS\Documents\Invoice_Template.xlsx
2012-06-25 13:04 - 2012-06-25 13:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml4.dll
2012-06-13 18:45 - 2012-06-13 18:44 - 10912455 ____A C:\Users\MDRCS\Downloads\RST_10.0.0.1046_WHQL_RAID_AHCI_drv_and_GUI.zip
2012-06-11 19:08 - 2012-07-13 00:16 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 22:36 - 2012-06-08 22:36 - 00124921 ____A C:\Users\MDRCS\Downloads\winpak12.zip
2012-06-08 21:43 - 2012-07-12 16:31 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:59 - 2011-05-19 12:49 - 00001590 ____A C:\Windows\System32\ServiceFilter.ini
2012-06-08 20:41 - 2012-07-12 16:31 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-08 20:24 - 2012-06-08 20:24 - 05556306 ____A (Jared Breland ) C:\Users\MDRCS\Downloads\uniextract161.exe
2012-06-08 20:03 - 2012-06-08 21:50 - 06055424 ____A (Hewlett-Packard ) C:\matt.exe
2012-06-08 20:03 - 2012-06-08 20:03 - 06055424 ____A (Hewlett-Packard ) C:\Users\MDRCS\Downloads\sp50859.exe
2012-06-08 19:21 - 2012-06-08 19:21 - 00130247 ____A C:\Users\MDRCS\Downloads\bluescreenview_setup.exe
2012-06-08 19:02 - 2012-06-08 19:02 - 00002453 ____A C:\Users\Public\Desktop\SeaTools for Windows.lnk
2012-06-08 18:59 - 2012-06-08 18:59 - 21476536 ____A C:\Users\MDRCS\Downloads\SeaToolsforWindowsSetup-1206.exe
2012-06-08 17:41 - 2012-06-08 17:41 - 02108959 ____A C:\Users\MDRCS\Downloads\tdsskiller.zip
2012-06-05 22:06 - 2012-07-12 16:31 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-12 16:31 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-12 16:31 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-12 16:31 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-12 16:31 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-12 16:31 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-08 17:15 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-08 17:15 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-08 17:15 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-08 17:15 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-08 17:15 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-08 17:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-08 17:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 12:19 - 2012-06-08 17:14 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:15 - 2012-06-08 17:14 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 04:49 - 2012-07-13 00:06 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-13 00:06 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-13 00:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-13 00:07 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:05 - 2012-07-13 00:06 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:04 - 2012-07-13 00:07 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:04 - 2012-07-13 00:06 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:03 - 2012-07-13 00:06 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-13 00:06 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-13 00:06 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-13 00:07 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-13 00:07 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-13 00:07 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-13 00:06 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-13 00:06 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-13 00:06 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-13 00:06 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-13 00:07 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-13 00:06 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-13 00:06 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-13 00:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-13 00:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-13 00:06 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-13 00:07 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-13 00:06 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-13 00:07 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-13 00:07 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-13 00:06 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 21:50 - 2012-07-12 16:31 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-12 16:31 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-12 16:31 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-12 16:31 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-12 16:31 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-12 16:31 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-12 16:31 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-12 16:31 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-12 16:31 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 9%
Total physical RAM: 7970.21 MB
Available physical RAM: 7215.83 MB
Total Pagefile: 7968.36 MB
Available Pagefile: 7213.58 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:273.09 GB) (Free:217.46 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: () (Removable) (Total:0.24 GB) (Free:0.02 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 244 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 25 GB 1024 KB
Partition 2 Primary 273 GB 25 GB

==================================================================================

Disk: 0
Partition 1
Type : 1C
Hidden: Yes
Active: No

There is no volume associated with this partition.

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C OS NTFS Partition 273 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 244 MB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E FAT32 Removable 244 MB Healthy

==================================================================================

Last Boot: 2012-08-11 12:48

======================= End Of Log ==========================

#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 22 August 2012 - 05:12 AM

Blitzblank.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
MoveFile:
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post me the report created by Blitzblank. You can find it at the root of the drive, normally C:\

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
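The FRST check section in the log above reports C:\Windows\System32\services.exe as missing (the file ZeroAccess variants of that period replaced), and the reply above restores it from the WinSxS component store. As an added example that is not part of this thread and not FRST's own code, the Python script below parses that check section, the EXE ASSOCIATION block and the modified-files listing from an FRST log excerpt and returns the findings a responder would review. The sample input is constructed from lines copied out of the log above; the only verdict wordings it knows are the two that appear there ("=> MD5 is legit" and "IS MISSING"), and anything else is reported as an anomaly rather than interpreted.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log excerpts.

Added example, not from the BleepingComputer thread and not FRST's own code.
It groups lines by FRST banner, classifies the integrity check, flags any
.exe association FRST did not mark OK, and lists executables sitting at a
drive root for a second look.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the FRST log posted in the thread.
SAMPLE_LOG = r"""
2012-08-16 23:22 - 2012-08-16 23:29 - 00475752 ____A (McAfee, Inc.) C:\rootkitremover.exe
2012-08-15 18:25 - 2011-05-19 12:50 - 00045056 ____A C:\Windows\System32\acovcnt.exe
2012-06-08 20:03 - 2012-06-08 21:50 - 06055424 ____A (Hewlett-Packard ) C:\matt.exe
2012-07-03 10:46 - 2012-08-15 18:13 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "<modified> - <created> - <size> <attrs> [(<signer>)] <path>" as FRST prints it
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) - (\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(\d+) (\S+) (?:\((.*?)\) )?(.+)$"
)
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-blank log lines under the FRST banner that precedes them.
    Lines before the first banner (here, the tail of the modified-files
    listing) are stored under the empty key."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections


def check_integrity(lines: List[str]) -> Dict[str, List[str]]:
    """Classify 'Bamital & volsnap Check' lines: known-good hash, missing
    file, or any other verdict (treated as an anomaly, not interpreted)."""
    result: Dict[str, List[str]] = {"ok": [], "missing": [], "anomaly": []}
    for line in lines:
        if line.endswith("=> MD5 is legit"):
            result["ok"].append(line.split(" => ")[0])
        elif " IS MISSING" in line:
            result["missing"].append(line.split(" IS MISSING")[0])
        else:
            result["anomaly"].append(line)
    return result


def check_exe_association(lines: List[str]) -> List[str]:
    """Return every .exe association line FRST did not mark '=> OK'.
    A changed exefile handler runs something else before every program."""
    return [line for line in lines if not line.endswith("=> OK")]


def flag_root_executables(lines: List[str]) -> List[str]:
    """From the file listing, flag executables placed directly in a drive root.
    Not proof of anything (the two above are a McAfee tool and an HP package);
    the point is to surface them with their signer field for a second look."""
    flagged = []
    for line in lines:
        m = FILE_RE.match(line)
        if not m:
            continue
        path = m.group(6)
        if re.fullmatch(r"[A-Za-z]:\\[^\\]+", path) and path.lower().endswith(EXECUTABLE_EXT):
            flagged.append(path)
    return flagged


def triage(text: str) -> Dict[str, object]:
    """Run all checks over a log excerpt and collect the findings."""
    sections = split_sections(text)
    integrity = check_integrity(sections.get("Bamital & volsnap Check", []))
    return {
        "missing_system_files": integrity["missing"],
        "integrity_anomalies": integrity["anomaly"],
        "bad_exe_associations": check_exe_association(sections.get("EXE ASSOCIATION", [])),
        "root_executables": flag_root_executables(sections.get("", [])),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the script reports services.exe as the one missing system file, no integrity anomalies, clean .exe associations, and the two root-level executables for review; that matches the reading of the log that led to the services.exe restore above.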

#15 mdricci
  • Topic Starter

  • Members
  • 31 posts

Posted 22 August 2012 - 06:47 AM

I will try this, but remember, I can't boot to Windows, so copying it to my desktop is impossible. I am checking this forum with another computer that is healthy. I will try to run it through the command prompt via the recovery console. I will let you know what happens shortly.



