
Windows 7 System Repair loop


  • This topic is locked
19 replies to this topic

#1 glascow

glascow

  • Members
  • 53 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:59 AM

Posted 03 November 2012 - 09:08 AM

The problem that I have been experiencing is very similar to this one, but with a few possibly key differences:

http://www.bleepingcomputer.com/forums/topic448339.html/page__pid__2654556

Startup Repair details log
Problem Event Name: StartupRepairOffline
Problem Signature 01: 6.1.7600.16385
Problem Signature 02: 6.1.7600.16385
Problem Signature 03: unknown
Problem Signature 04: 21200203
Problem Signature 05: AutoFailover
Problem Signature 06: 11
Problem Signature 07: NoRootCause
OS Version: 6.1.7600.2.0.0.256.1
Locale ID: 1033

My laptop is an HP Pavilion dm4-1160 with Windows 7 OS. Prior to this event, I was uninstalling and deleting old videogames and their files that I don't use any more; afterwards I scanned my system with Malwarebytes in an attempt to remove an annoying form of adware/spyware that highlights random words green and puts up irrelevant advertisements all over any website I go to (YouTube, Wikipedia, even foreign sites). When I rebooted my laptop, this loop started to occur. Whenever I try to start normally, a blue screen flashes very briefly a few seconds after the Windows logo animation appears; then, after rebooting, I am directed to Startup Repair, which obviously is unable to solve the problem.

I have followed the instructions in the post I have linked; I have Farbar Recovery Scan Tool on a spare flash drive, went into System Recovery Options from Advanced Boot Options, and followed the Command Prompt instructions, with Notepad and everything. This is where I have stopped, for I suspect that my FRST.txt log may be different from the one the previous user had. I have attached my log to this post and I await further instructions on what to do.

System restore points do not work, and I am unable to use Safe Mode or any of its variations. Malwarebytes and Spybot are the only antivirus programs I have installed. Every other site with a similar problem to this has ended with the solution of reinstalling the OS itself, which I am unwilling to do since that results in the extinction of all my personal stuff.

I am not a troll or a spambot, I sincerely do need this help and I will be grateful for any quick response to have my computer back again.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 30-10-2012
Ran by SYSTEM at 03-11-2012 02:50:55
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [x]
HKLM\...\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [324096 2010-06-25] (Alcor Micro Corp.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-06-17] (IDT, Inc.)
HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1928976 2010-03-05] (Intel® Corporation)
HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [611896 2010-01-20] ()
HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2010-06-18] (Hewlett-Packard Company)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe" [401192 2009-12-24] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d [201512 2009-12-24] (Egis Technology Inc.)
HKLM-x32\...\Run: [VitaKeyTSR] C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisTSR.exe /run [380272 2010-06-08] (Egis Technology Inc. )
HKLM-x32\...\Run: [Bing Bar] "C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe" [243544 2010-04-13] (Microsoft Corp.)
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [288088 2009-11-11] (Microsoft Corporation)
HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [602168 2010-06-29] (Hewlett-Packard Company)
HKLM-x32\...\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [948672 2009-12-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2009-12-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKLM-x32\...\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" [976320 2009-12-03] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [ROC_ROC_JULY_P1] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1 [x]
HKU\admin\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\admin\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3671872 2012-04-17] (DT Soft Ltd)
HKU\admin\...\Run: [EPSON NX420 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGCA.EXE /FU "C:\Windows\TEMP\E_SCE39.tmp" /EF "HKCU" [224768 2009-09-13] (SEIKO EPSON CORPORATION)
HKU\admin\...\Run: [dlerox] rundll32.exe "C:\Users\admin\AppData\Roaming\dlerox.dll",Clear [149504 2012-07-16] (DT Soft Ltd)
HKU\admin\...\Run: [wexptf] "C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Roaming\wexptf.dll",GetNextPageS [375808 2012-07-16] (M-Audio)
HKU\admin\...\Run: [AVG Secure Search] rundll32.exe "C:\Users\admin\AppData\Local\Broadcom\AVG Secure Search\zjfdkvut.dll",fltInfoW [334848 2012-10-23] (Microsoft Corporation)
HKU\Default\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Default User\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2009-07-13] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.200.1
Tcpip\..\Interfaces\{A7B9AF38-9170-4D2F-828B-83926C18EAB3}: [NameServer]0.0.0.0
Lsa: [Notification Packages] EgisPwdFilter EgisDSPwdFilter
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

==================== Services (Whitelisted) ===================

2 DvmMDES; "C:\SwSetup\HPQWMM\QuickWeb\QW.SYS\config\DVMExportService.exe" [338168 2010-06-25] (DeviceVM, Inc.)
2 EgisTec Service; "C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe" [697712 2010-06-08] (Egis Technology Inc. )
2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [27192 2010-06-29] ()
3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-05] ()
2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\18.0.0.128\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\18.0.0.128\diMaster.dll" /prefetch:1 [176504 2010-05-26] (Symantec Corporation)
2 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)
3 aspnet_state; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [x]

==================== Drivers (Whitelisted) =====================

1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-05-08] (DT Soft Ltd)
1 DVMIO; C:\Windows\System32\Drivers\DVMIO.sys [20056 2009-11-11] (DeviceVM, Inc.)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20100528.021\ENG64.SYS [117808 2010-05-28] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20100528.021\EX64.SYS [1773104 2010-05-28] (Symantec Corporation)
1 SRTSP; C:\Windows\system32\drivers\NISx64\1200000.080\SRTSP64.SYS [701800 2010-05-23] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\NISx64\1200000.080\SRTSPX64.SYS [38248 2010-05-23] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-11-02 13:23 - 2012-11-02 13:23 - 00000000 __SHD C:\found.023
2012-11-02 04:37 - 2012-11-02 04:38 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
2012-11-02 04:37 - 2012-11-02 04:37 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-11-02 04:36 - 2012-11-02 04:36 - 16409960 ____A (Safer Networking Limited ) C:\Users\admin\Downloads\spybotsd162.exe
2012-11-02 03:57 - 2012-11-02 03:57 - 00279272 ____A C:\Windows\Minidump\110212-43071-01.dmp
2012-11-01 16:43 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-11-01 16:38 - 2012-11-01 16:38 - 00000000 __SHD C:\found.022
2012-11-01 13:28 - 2012-11-01 13:29 - 00279256 ____A C:\Windows\Minidump\110112-39031-01.dmp
2012-11-01 12:34 - 2012-11-02 07:31 - 00000000 ____D C:\Users\admin\Downloads\Hidden_Orchestra
2012-11-01 12:17 - 2012-11-01 12:17 - 00279368 ____A C:\Windows\Minidump\110112-43867-01.dmp
2012-11-01 12:05 - 2012-11-01 12:05 - 00016867 ____A C:\Users\admin\Downloads\[isoHunt]_Hidden_Orchestra_-_2010_-_Night_Walks.torrent
2012-11-01 09:48 - 2012-11-01 09:48 - 00021575 ____A C:\Users\admin\Downloads\[isoHunt]MAchinariumexpansion_download.torrent
2012-11-01 09:46 - 2012-11-01 09:46 - 32062166 ____A C:\Users\admin\Downloads\machinarium_soundtrack_bonus_ep.zip
2012-11-01 09:40 - 2012-11-01 09:40 - 00014518 ____A C:\Users\admin\Downloads\[isoHunt]_Floex_-_Pocustone.6959858.TPB.torrent
2012-11-01 09:14 - 2012-11-01 09:15 - 00024019 ____A C:\Users\admin\Downloads\[torrent.cd].Tomas_Dvorak_Albums_(Machinarium_ect).torrent
2012-10-31 12:46 - 2012-10-31 12:46 - 00279368 ____A C:\Windows\Minidump\103112-61698-01.dmp
2012-10-31 12:37 - 2012-10-31 12:37 - 00000000 __SHD C:\found.021
2012-10-31 03:43 - 2012-10-31 03:43 - 00279392 ____A C:\Windows\Minidump\103112-65177-01.dmp
2012-10-31 03:33 - 2012-10-31 03:33 - 00000000 __SHD C:\found.020
2012-10-30 10:01 - 2012-10-30 10:01 - 00279312 ____A C:\Windows\Minidump\103012-77282-01.dmp
2012-10-30 09:57 - 2012-10-30 09:58 - 00279384 ____A C:\Windows\Minidump\103012-63820-01.dmp
2012-10-30 09:50 - 2012-10-30 09:50 - 00900776 ____A C:\Windows\Minidump\103012-63352-01.dmp
2012-10-29 14:06 - 2012-10-29 14:06 - 00000000 __SHD C:\found.019
2012-10-29 02:53 - 2012-10-25 16:29 - 00001636 ____A C:\Users\admin\Desktop\Pixia.lnk
2012-10-28 04:33 - 2012-10-28 04:33 - 00279384 ____A C:\Windows\Minidump\102812-63196-01.dmp
2012-10-28 04:26 - 2012-10-28 04:26 - 00279312 ____A C:\Windows\Minidump\102812-62540-01.dmp
2012-10-28 01:54 - 2012-10-28 01:54 - 00279312 ____A C:\Windows\Minidump\102712-49311-01.dmp
2012-10-27 19:47 - 2012-10-27 19:47 - 00933640 ____A C:\Windows\Minidump\102712-66160-01.dmp
2012-10-27 10:13 - 2012-10-27 10:16 - 00000000 ____D C:\Users\admin\Downloads\Finntroll - Discography
2012-10-26 19:13 - 2012-10-26 19:13 - 00279312 ____A C:\Windows\Minidump\102612-66799-01.dmp
2012-10-26 19:09 - 2012-10-26 19:09 - 00000000 __SHD C:\found.018
2012-10-26 18:59 - 2012-10-26 18:59 - 00279312 ____A C:\Windows\Minidump\102612-71682-01.dmp
2012-10-26 18:22 - 2012-10-26 18:23 - 00279472 ____A C:\Windows\Minidump\102612-71760-01.dmp
2012-10-26 00:37 - 2012-10-26 00:37 - 00279328 ____A C:\Windows\Minidump\102512-36613-01.dmp
2012-10-25 18:03 - 2012-10-25 18:03 - 00000000 ____D C:\Users\All Users\CELSYS
2012-10-25 18:02 - 2012-10-25 18:02 - 00000000 ____D C:\Users\admin\AppData\Roaming\Smith Micro
2012-10-25 18:01 - 2012-10-25 18:01 - 00002196 ____A C:\Users\Public\Desktop\Manga Studio EX 4.0.lnk
2012-10-25 18:01 - 2012-10-25 18:01 - 00000000 ____D C:\Users\admin\Documents\Smith Micro
2012-10-25 18:01 - 2012-10-25 18:01 - 00000000 ____D C:\Program Files (x86)\Smith Micro
2012-10-25 17:57 - 2012-10-25 17:57 - 00000000 ____D C:\Users\admin\Downloads\ComicStudioEX4.0
2012-10-25 17:56 - 2010-01-16 03:08 - 00000249 ____A C:\Users\admin\Downloads\serial.txt
2012-10-25 16:36 - 2012-10-29 02:54 - 00000000 ____D C:\Users\admin\AppData\Roaming\.krita
2012-10-25 16:35 - 2012-10-25 16:35 - 00002549 ____A C:\Users\Public\Desktop\Krita.lnk
2012-10-25 16:34 - 2012-10-25 16:35 - 00000000 ____D C:\Program Files (x86)\Krita
2012-10-25 16:30 - 2012-10-29 02:28 - 00000000 ____D C:\Program Files (x86)\Phierha
2012-10-25 16:29 - 2012-10-29 02:27 - 00000000 ____D C:\Program Files (x86)\Pixia
2012-10-25 16:28 - 2012-10-25 16:28 - 00000000 ____D C:\Users\admin\AppData\Local\Downloaded Installations
2012-10-25 16:26 - 2012-10-25 16:26 - 00001230 ____A C:\Users\Public\Desktop\ArtRage Studio Pro.lnk
2012-10-25 16:26 - 2012-10-25 16:26 - 00000000 ____D C:\Program Files (x86)\Ambient Design
2012-10-25 16:25 - 2012-10-25 16:26 - 00000000 ____D C:\Users\admin\AppData\Roaming\Ambient Design
2012-10-25 08:20 - 2012-10-25 08:26 - 00000000 ____D C:\Users\admin\Downloads\Krita
2012-10-25 08:13 - 2012-10-25 08:15 - 00000000 ____D C:\Users\admin\Downloads\Pixia_phierha
2012-10-25 07:57 - 2012-10-25 08:00 - 00000000 ____D C:\Users\admin\Downloads\ArtRage Studio Pro v3.5 and KeyGen
2012-10-25 07:29 - 2012-10-25 07:33 - 00000000 ____D C:\Users\admin\Downloads\Korpiklaani
2012-10-25 03:44 - 2012-10-25 03:44 - 00000000 ____D C:\Users\admin\Downloads\Alkaline Trio - Discography [V0 MP3] politux
2012-10-24 06:02 - 2012-10-24 06:02 - 00000000 ____D C:\Users\All Users\szoiimjcxgugozv
2012-10-24 06:00 - 2012-10-24 06:02 - 00097642 ____A C:\Users\All Users\ttylhblrjznnnwr
2012-10-23 17:42 - 2012-10-23 17:43 - 00280192 ____A C:\Windows\Minidump\102312-44975-01.dmp
2012-10-23 17:39 - 2012-10-23 17:39 - 00000000 __SHD C:\found.017
2012-10-22 22:34 - 2012-10-22 22:34 - 00000525 ____A C:\Users\Public\Desktop\AG3 Play.lnk
2012-10-22 22:34 - 2012-10-22 22:34 - 00000525 ____A C:\Users\Public\Desktop\AG3 Make.lnk
2012-10-22 22:27 - 2012-10-22 22:27 - 00000000 ____D C:\ILLUSION
2012-10-22 22:26 - 2012-10-22 22:26 - 00743420 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-10-22 06:46 - 2012-10-31 01:45 - 00003280 ____A C:\Users\admin\Documents\current_to_be_deleted_after.txt
2012-10-22 06:25 - 2012-10-23 06:18 - 00000000 ____D C:\Users\admin\Downloads\AG3ENG
2012-10-21 05:46 - 2012-10-21 05:46 - 00279368 ____A C:\Windows\Minidump\102112-53118-01.dmp
2012-10-21 05:42 - 2012-10-21 05:42 - 00923680 ____A C:\Windows\Minidump\102112-53133-01.dmp
2012-10-21 02:16 - 2012-10-21 02:16 - 00001674 ____A C:\Users\admin\Documents\slamper.txt
2012-10-21 00:39 - 2012-10-21 00:39 - 00000000 ____D C:\Users\admin\Downloads\Breaking Benjamin
2012-10-20 06:32 - 2012-10-20 06:32 - 00945112 ____A C:\Windows\Minidump\102012-53867-01.dmp
2012-10-19 21:26 - 2012-10-19 21:26 - 00874744 ____A C:\Windows\Minidump\101912-53461-01.dmp
2012-10-18 16:41 - 2012-10-18 16:41 - 00000000 __SHD C:\found.016
2012-10-17 13:26 - 2012-10-17 13:26 - 00000000 __SHD C:\found.015
2012-10-17 13:16 - 2012-10-17 13:16 - 00279336 ____A C:\Windows\Minidump\101712-72119-01.dmp
2012-10-16 22:53 - 2012-10-16 22:54 - 00279432 ____A C:\Windows\Minidump\101612-65224-01.dmp
2012-10-16 22:50 - 2012-10-16 22:50 - 00000000 __SHD C:\found.014
2012-10-16 15:15 - 2012-10-16 15:16 - 00877016 ____A C:\Windows\Minidump\101612-74350-01.dmp
2012-10-13 14:20 - 2012-10-13 14:20 - 00000000 __SHD C:\found.013
2012-10-13 14:06 - 2012-10-13 14:07 - 00000000 ____D C:\Users\admin\Documents\OUR bleep
2012-10-13 05:42 - 2012-10-13 05:42 - 00279392 ____A C:\Windows\Minidump\101312-67673-01.dmp
2012-10-13 04:18 - 2012-10-13 04:18 - 00279312 ____A C:\Windows\Minidump\101312-77891-01.dmp
2012-10-12 11:31 - 2012-10-12 11:31 - 00279368 ____A C:\Windows\Minidump\101212-60933-01.dmp
2012-10-11 02:42 - 2012-10-11 02:42 - 00000000 ____D C:\Program Files (x86)\MDickie
2012-10-11 02:37 - 2012-10-11 02:39 - 00000000 ____D C:\Users\admin\Downloads\Hardtime
2012-10-10 23:01 - 2012-10-10 23:01 - 00279376 ____A C:\Windows\Minidump\101012-67595-01.dmp
2012-10-10 22:42 - 2012-10-10 22:43 - 00279328 ____A C:\Windows\Minidump\101012-82072-01.dmp
2012-10-10 00:00 - 2012-10-10 00:01 - 00279312 ____A C:\Windows\Minidump\100912-67704-01.dmp
2012-10-09 23:56 - 2012-10-09 23:57 - 00279312 ____A C:\Windows\Minidump\100912-68952-01.dmp
2012-10-07 17:18 - 2012-10-07 17:18 - 00279424 ____A C:\Windows\Minidump\100712-67033-01.dmp
2012-10-07 16:52 - 2012-10-07 16:52 - 00279312 ____A C:\Windows\Minidump\100712-66893-01.dmp
2012-10-07 09:39 - 2012-10-07 09:39 - 00279480 ____A C:\Windows\Minidump\100712-56441-01.dmp
2012-10-04 12:31 - 2012-10-04 12:31 - 00000000 __SHD C:\found.012
2012-10-04 05:31 - 2012-10-05 17:05 - 00000000 ____D C:\Users\admin\Downloads\SupraMayroKrat_v1_Data
2012-10-04 05:31 - 2012-06-26 17:48 - 09148416 ____A C:\Users\admin\Downloads\SupraMayroKrat_v1.exe
2012-10-04 05:00 - 2012-10-04 05:00 - 09063781 ____A C:\Users\admin\Downloads\SupraMayroKratt_v1.rar


==================== 3 Months Modified Files ==================

2012-11-02 16:55 - 2009-07-13 20:45 - 00023024 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-02 16:55 - 2009-07-13 20:45 - 00023024 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-02 16:53 - 2009-07-13 21:13 - 00727188 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-02 16:48 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-02 16:48 - 2009-07-13 20:51 - 00064928 ____A C:\Windows\setupact.log
2012-11-02 16:24 - 2012-04-02 04:08 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-11-02 15:03 - 2009-07-13 15:36 - 00050176 ____A (Microsoft Corporation) C:\Windows\System32\srclient.dll
2012-11-02 04:36 - 2012-11-02 04:36 - 16409960 ____A (Safer Networking Limited ) C:\Users\admin\Downloads\spybotsd162.exe
2012-11-02 03:57 - 2012-11-02 03:57 - 00279272 ____A C:\Windows\Minidump\110212-43071-01.dmp
2012-11-02 03:57 - 2012-05-09 01:24 - 418057673 ____A C:\Windows\MEMORY.DMP
2012-11-01 16:42 - 2012-03-20 20:00 - 00049698 ____A C:\Windows\PFRO.log
2012-11-01 13:29 - 2012-11-01 13:28 - 00279256 ____A C:\Windows\Minidump\110112-39031-01.dmp
2012-11-01 12:17 - 2012-11-01 12:17 - 00279368 ____A C:\Windows\Minidump\110112-43867-01.dmp
2012-11-01 12:05 - 2012-11-01 12:05 - 00016867 ____A C:\Users\admin\Downloads\[isoHunt]_Hidden_Orchestra_-_2010_-_Night_Walks.torrent
2012-11-01 09:48 - 2012-11-01 09:48 - 00021575 ____A C:\Users\admin\Downloads\[isoHunt]MAchinariumexpansion_download.torrent
2012-11-01 09:46 - 2012-11-01 09:46 - 32062166 ____A C:\Users\admin\Downloads\machinarium_soundtrack_bonus_ep.zip
2012-11-01 09:40 - 2012-11-01 09:40 - 00014518 ____A C:\Users\admin\Downloads\[isoHunt]_Floex_-_Pocustone.6959858.TPB.torrent
2012-11-01 09:15 - 2012-11-01 09:14 - 00024019 ____A C:\Users\admin\Downloads\[torrent.cd].Tomas_Dvorak_Albums_(Machinarium_ect).torrent
2012-11-01 03:33 - 2012-03-21 11:19 - 00000183 ____A C:\Users\admin\AppData\Local\mv_Photo.xml
2012-11-01 03:33 - 2012-03-21 11:19 - 00000130 ____A C:\Users\admin\AppData\Local\mv_music.xml
2012-10-31 12:46 - 2012-10-31 12:46 - 00279368 ____A C:\Windows\Minidump\103112-61698-01.dmp
2012-10-31 03:48 - 2012-03-20 19:52 - 00934529 ____A C:\Windows\WindowsUpdate.log
2012-10-31 03:43 - 2012-10-31 03:43 - 00279392 ____A C:\Windows\Minidump\103112-65177-01.dmp
2012-10-31 01:45 - 2012-10-22 06:46 - 00003280 ____A C:\Users\admin\Documents\current_to_be_deleted_after.txt
2012-10-30 10:01 - 2012-10-30 10:01 - 00279312 ____A C:\Windows\Minidump\103012-77282-01.dmp
2012-10-30 09:58 - 2012-10-30 09:57 - 00279384 ____A C:\Windows\Minidump\103012-63820-01.dmp
2012-10-30 09:50 - 2012-10-30 09:50 - 00900776 ____A C:\Windows\Minidump\103012-63352-01.dmp
2012-10-28 04:33 - 2012-10-28 04:33 - 00279384 ____A C:\Windows\Minidump\102812-63196-01.dmp
2012-10-28 04:26 - 2012-10-28 04:26 - 00279312 ____A C:\Windows\Minidump\102812-62540-01.dmp
2012-10-28 01:54 - 2012-10-28 01:54 - 00279312 ____A C:\Windows\Minidump\102712-49311-01.dmp
2012-10-27 19:47 - 2012-10-27 19:47 - 00933640 ____A C:\Windows\Minidump\102712-66160-01.dmp
2012-10-26 19:13 - 2012-10-26 19:13 - 00279312 ____A C:\Windows\Minidump\102612-66799-01.dmp
2012-10-26 18:59 - 2012-10-26 18:59 - 00279312 ____A C:\Windows\Minidump\102612-71682-01.dmp
2012-10-26 18:23 - 2012-10-26 18:22 - 00279472 ____A C:\Windows\Minidump\102612-71760-01.dmp
2012-10-26 05:41 - 2012-03-21 11:37 - 00005068 ____A C:\Users\admin\Documents\abo.txt
2012-10-26 00:37 - 2012-10-26 00:37 - 00279328 ____A C:\Windows\Minidump\102512-36613-01.dmp
2012-10-25 18:01 - 2012-10-25 18:01 - 00002196 ____A C:\Users\Public\Desktop\Manga Studio EX 4.0.lnk
2012-10-25 16:35 - 2012-10-25 16:35 - 00002549 ____A C:\Users\Public\Desktop\Krita.lnk
2012-10-25 16:29 - 2012-10-29 02:53 - 00001636 ____A C:\Users\admin\Desktop\Pixia.lnk
2012-10-25 16:26 - 2012-10-25 16:26 - 00001230 ____A C:\Users\Public\Desktop\ArtRage Studio Pro.lnk
2012-10-24 06:02 - 2012-10-24 06:00 - 00097642 ____A C:\Users\All Users\ttylhblrjznnnwr
2012-10-23 17:43 - 2012-10-23 17:42 - 00280192 ____A C:\Windows\Minidump\102312-44975-01.dmp
2012-10-22 22:34 - 2012-10-22 22:34 - 00000525 ____A C:\Users\Public\Desktop\AG3 Play.lnk
2012-10-22 22:34 - 2012-10-22 22:34 - 00000525 ____A C:\Users\Public\Desktop\AG3 Make.lnk
2012-10-22 22:26 - 2012-10-22 22:26 - 00743420 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-10-22 22:23 - 2010-10-26 09:20 - 00110607 ____A C:\Windows\DirectX.log
2012-10-22 06:28 - 2012-03-21 11:37 - 00068972 ____A C:\Users\admin\Documents\haiiiii.txt
2012-10-22 05:50 - 2012-06-25 12:45 - 00001560 ____A C:\Users\admin\Documents\ebay.txt
2012-10-21 05:46 - 2012-10-21 05:46 - 00279368 ____A C:\Windows\Minidump\102112-53118-01.dmp
2012-10-21 05:42 - 2012-10-21 05:42 - 00923680 ____A C:\Windows\Minidump\102112-53133-01.dmp
2012-10-21 02:16 - 2012-10-21 02:16 - 00001674 ____A C:\Users\admin\Documents\slamper.txt
2012-10-20 06:32 - 2012-10-20 06:32 - 00945112 ____A C:\Windows\Minidump\102012-53867-01.dmp
2012-10-19 21:26 - 2012-10-19 21:26 - 00874744 ____A C:\Windows\Minidump\101912-53461-01.dmp
2012-10-19 21:26 - 2009-07-13 21:08 - 00032564 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-10-17 13:16 - 2012-10-17 13:16 - 00279336 ____A C:\Windows\Minidump\101712-72119-01.dmp
2012-10-16 22:54 - 2012-10-16 22:53 - 00279432 ____A C:\Windows\Minidump\101612-65224-01.dmp
2012-10-16 15:16 - 2012-10-16 15:15 - 00877016 ____A C:\Windows\Minidump\101612-74350-01.dmp
2012-10-13 05:42 - 2012-10-13 05:42 - 00279392 ____A C:\Windows\Minidump\101312-67673-01.dmp
2012-10-13 04:18 - 2012-10-13 04:18 - 00279312 ____A C:\Windows\Minidump\101312-77891-01.dmp
2012-10-12 11:31 - 2012-10-12 11:31 - 00279368 ____A C:\Windows\Minidump\101212-60933-01.dmp
2012-10-12 11:07 - 2012-08-31 23:45 - 00007387 ____A C:\Users\admin\Documents\dbunk.txt
2012-10-10 23:01 - 2012-10-10 23:01 - 00279376 ____A C:\Windows\Minidump\101012-67595-01.dmp
2012-10-10 22:43 - 2012-10-10 22:42 - 00279328 ____A C:\Windows\Minidump\101012-82072-01.dmp
2012-10-10 14:07 - 2012-07-28 01:28 - 00011740 ____A C:\Users\admin\Documents\KITTYS.txt
2012-10-10 00:01 - 2012-10-10 00:00 - 00279312 ____A C:\Windows\Minidump\100912-67704-01.dmp
2012-10-09 23:57 - 2012-10-09 23:56 - 00279312 ____A C:\Windows\Minidump\100912-68952-01.dmp
2012-10-09 05:10 - 2012-06-25 12:45 - 00003527 ____A C:\Users\admin\Documents\jmelo.txt
2012-10-08 22:24 - 2012-04-02 04:08 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-10-08 22:24 - 2012-04-02 04:08 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-10-07 17:18 - 2012-10-07 17:18 - 00279424 ____A C:\Windows\Minidump\100712-67033-01.dmp
2012-10-07 16:52 - 2012-10-07 16:52 - 00279312 ____A C:\Windows\Minidump\100712-66893-01.dmp
2012-10-07 09:39 - 2012-10-07 09:39 - 00279480 ____A C:\Windows\Minidump\100712-56441-01.dmp
2012-10-06 02:27 - 2012-10-03 05:51 - 00000622 ____A C:\Users\admin\Documents\currentwebsitesave.txt
2012-10-04 14:23 - 2012-03-21 11:37 - 00009912 ____A C:\Users\admin\Documents\keynote.txt
2012-10-04 05:00 - 2012-10-04 05:00 - 09063781 ____A C:\Users\admin\Downloads\SupraMayroKratt_v1.rar
2012-10-01 01:14 - 2012-10-01 01:14 - 00999856 ____A (Solid State Networks) C:\Users\admin\Documents\install_flashplayer11x32ax_gtbd_chrd_dn_aih.exe
2012-10-01 01:14 - 2012-10-01 01:14 - 00999856 ____A (Solid State Networks) C:\Users\admin\Documents\install_flashplayer11x32ax_gtbd_chrd_dn_aih - Copy.exe
2012-09-30 02:17 - 2012-09-30 02:17 - 00279408 ____A C:\Windows\Minidump\093012-52634-01.dmp
2012-09-29 23:07 - 2012-09-29 23:07 - 00283752 ____A C:\Windows\Minidump\092912-51090-01.dmp
2012-09-29 21:54 - 2012-07-16 11:36 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-29 15:16 - 2012-09-29 15:15 - 00884784 ____A C:\Windows\Minidump\092912-56706-01.dmp
2012-09-24 22:18 - 2012-09-24 22:17 - 00279640 ____A C:\Windows\Minidump\092412-56971-01.dmp
2012-09-21 11:24 - 2012-09-21 11:24 - 03102489 ____A (Igor Pavlov) C:\Users\admin\Downloads\CD-Extra.exe
2012-09-17 22:46 - 2012-09-17 22:37 - 00000808 ____A C:\Users\admin\Downloads\Index.dat_Suite.ini
2012-09-17 22:37 - 2012-09-17 22:37 - 00778963 ____A C:\Users\admin\Downloads\idsuite_noins.zip
2012-09-17 22:37 - 2012-09-17 22:37 - 00000466 ____A C:\Users\admin\Downloads\dnret.ids
2012-09-14 12:44 - 2012-09-14 12:44 - 00279472 ____A C:\Windows\Minidump\091412-62135-01.dmp
2012-09-12 16:32 - 2012-09-12 16:32 - 00001854 ____A C:\Users\admin\Documents\TURN.txt
2012-09-12 12:20 - 2012-09-12 12:20 - 00279592 ____A C:\Windows\Minidump\091212-55115-01.dmp
2012-09-11 00:03 - 2012-09-09 23:24 - 00014350 ____A C:\Users\admin\Downloads\1.txt
2012-09-08 19:31 - 2012-09-08 19:31 - 00030589 ____A C:\Users\admin\Downloads\[isoHunt]_Empire_Earth_2___Art_of_Supremacy.torrent
2012-09-02 18:44 - 2012-09-02 18:44 - 00001901 ____A C:\Users\admin\Desktop\Geneforge.lnk
2012-09-02 18:44 - 2012-08-29 07:16 - 00286720 ____A (Indigo Rose Corporation) C:\Windows\iun504.exe
2012-09-02 03:56 - 2012-09-02 03:56 - 00003854 ____A C:\Users\admin\Downloads\fraps3.4.7registered13808[A4]secure.torrent
2012-09-02 03:54 - 2012-09-02 03:54 - 01187896 ____A (OOO Industry) C:\Users\admin\Downloads\fraps_3.4.7_registered_13808[A4]_secure.exe
2012-08-31 11:08 - 2012-08-31 11:08 - 00874920 ____A C:\Windows\Minidump\083112-51776-01.dmp
2012-08-29 07:17 - 2012-08-29 07:17 - 00001933 ____A C:\Users\admin\Desktop\Geneforge 3.lnk
2012-08-29 07:16 - 2012-08-29 07:16 - 00001933 ____A C:\Users\admin\Desktop\Geneforge 2.lnk
2012-08-29 04:39 - 2012-08-29 04:28 - 117083637 ____A C:\Users\admin\Downloads\Carmageddon 1.rar
2012-08-29 04:31 - 2012-08-29 04:29 - 44969189 ____A C:\Users\admin\Downloads\Carmageddon 2.rar
2012-08-26 08:47 - 2012-08-26 08:47 - 00023945 ____A C:\Users\admin\Downloads\Tomas_Dvorak_Albums_(Machinarium_ect)_[2056945].torrent
2012-08-25 17:32 - 2012-08-25 17:32 - 00001220 ____A C:\Users\admin\Desktop\Minecraft 1.3.2.lnk
2012-08-24 02:30 - 2012-08-24 02:30 - 118269869 ____A C:\Users\admin\Downloads\Slender2HospiceV13.zip
2012-08-24 02:30 - 2012-08-24 02:30 - 104849460 ____A C:\Users\admin\Downloads\Slender2Sanatorium14.zip
2012-08-23 03:37 - 2012-08-23 03:37 - 00874952 ____A C:\Windows\Minidump\082312-49077-01.dmp
2012-08-20 04:50 - 2012-08-20 04:49 - 47745554 ____A C:\Users\admin\Downloads\Minecraft_Cracked_v1.3.2.zip
2012-08-20 04:03 - 2012-08-20 04:01 - 68734862 ____A (FEarBG ) C:\Users\admin\Downloads\Minecraft 1.2.5 with Mods (Request by ionicuji) [FEarBG].exe
2012-08-20 03:22 - 2012-08-20 03:17 - 168442788 ____A C:\Users\admin\Downloads\MultiMC_v1.zip
2012-08-15 08:27 - 2012-07-25 02:27 - 00002821 ____A C:\Users\admin\Documents\fap.txt
2012-08-15 06:36 - 2012-08-15 06:36 - 00000315 ____A C:\Users\admin\Documents\formerclocknames.txt
2012-08-15 04:36 - 2012-08-20 04:51 - 51022520 ____A (minecraftinstall.net ) C:\Users\admin\Downloads\Minecraft_Cracked_v1.3.2.exe
2012-08-14 17:05 - 2012-08-14 17:05 - 31044328 ____A C:\Users\admin\Downloads\SCP - Containment Breach v0.2.1.zip
2012-08-13 04:10 - 2012-08-13 04:10 - 00279512 ____A C:\Windows\Minidump\081312-30622-01.dmp
2012-08-12 17:58 - 2012-08-12 17:54 - 151102793 ____A C:\Users\admin\Downloads\Lego Racers.7z
2012-08-12 17:40 - 2012-07-25 13:06 - 00000516 ____A C:\Windows\sierra.ini
2012-08-10 13:50 - 2012-08-10 13:18 - 452975542 ____A C:\Users\admin\Downloads\LSD Dream Emulator.rar
2012-08-10 13:08 - 2012-08-10 12:54 - 452214486 ____A C:\Users\admin\Downloads\LSD - Dream Emulator [Limited Edition][jap] PSX-PSP (indolemugen).rar
2012-08-10 03:24 - 2012-08-10 03:24 - 60869579 ____A C:\Users\admin\Downloads\Slender_v0_9_5.zip
2012-08-09 23:27 - 2012-08-09 23:27 - 00279344 ____A C:\Windows\Minidump\080912-74989-01.dmp


ZeroAccess:
C:\Windows\Installer\{57657a62-a233-7c35-2a73-4be01c9627a4}
C:\Windows\Installer\{57657a62-a233-7c35-2a73-4be01c9627a4}\@
C:\Windows\Installer\{57657a62-a233-7c35-2a73-4be01c9627a4}\L
C:\Windows\Installer\{57657a62-a233-7c35-2a73-4be01c9627a4}\U
C:\Windows\Installer\{57657a62-a233-7c35-2a73-4be01c9627a4}\L\00000004.@
C:\Windows\Installer\{57657a62-a233-7c35-2a73-4be01c9627a4}\L\201d3dde
C:\Windows\Installer\{57657a62-a233-7c35-2a73-4be01c9627a4}\U\00000004.@
C:\Windows\Installer\{57657a62-a233-7c35-2a73-4be01c9627a4}\U\00000008.@
C:\Windows\Installer\{57657a62-a233-7c35-2a73-4be01c9627a4}\U\000000cb.@
C:\Windows\Installer\{57657a62-a233-7c35-2a73-4be01c9627a4}\U\80000000.@
C:\Windows\Installer\{57657a62-a233-7c35-2a73-4be01c9627a4}\U\80000032.@
C:\Windows\Installer\{57657a62-a233-7c35-2a73-4be01c9627a4}\U\80000064.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2284440560-2780697144-91482775-1000\$57657a62a2337c352a734be01c9627a4

ZeroAccess:
C:\Users\admin\AppData\Local\{57657a62-a233-7c35-2a73-4be01c9627a4}
C:\Users\admin\AppData\Local\{57657a62-a233-7c35-2a73-4be01c9627a4}\@
C:\Users\admin\AppData\Local\{57657a62-a233-7c35-2a73-4be01c9627a4}\L
C:\Users\admin\AppData\Local\{57657a62-a233-7c35-2a73-4be01c9627a4}\U
C:\Users\admin\AppData\Local\{57657a62-a233-7c35-2a73-4be01c9627a4}\L\00000004.@
C:\Users\admin\AppData\Local\{57657a62-a233-7c35-2a73-4be01c9627a4}\L\1afb2d56
C:\Users\admin\AppData\Local\{57657a62-a233-7c35-2a73-4be01c9627a4}\U\00000004.@

ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-01 13:20:17
Restore point made on: 2012-11-01 13:20:44

==================== Memory info ===========================

Percentage of memory in use: 17%
Total physical RAM: 3893.86 MB
Available physical RAM: 3197.62 MB
Total Pagefile: 3892.01 MB
Available Pagefile: 3189.73 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:441.76 GB) (Free:185.31 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (RECOVERY) (Fixed) (Total:23.7 GB) (Free:3.46 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (EDMW_1) (CDROM) (Total:0.51 GB) (Free:0 GB) CDFS
4 Drive g: () (Removable) (Total:14.9 GB) (Free:14.9 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 103 MB
Disk 1 Online 14 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 441 GB 200 MB
Partition 3 Primary 23 GB 441 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 441 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E RECOVERY NTFS Partition 23 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 14 GB Healthy

=========================================================

Last Boot: 2012-10-16 23:24

==================== End Of Log =============================

Edited by Farbar, 03 November 2012 - 08:05 PM.
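The ZeroAccess block and the svchost.exe warning in the FRST scan above follow a fixed artifact layout; as an added example that is not part of the thread or of FRST, the script below picks those artifacts out of FRST-style path lines and correlates them by the infection's GUID. The sample lines are constructed from the paths in the log above plus three benign paths (the second GUID is a made-up placeholder).

```python
"""Flag ZeroAccess-style file-system artifacts in FRST-style scan lines.

Added example (not part of the thread or of FRST). The patterns are taken
from the artifacts listed in the scan above: a GUID-named directory holding
'@', 'L' and 'U' entries with 8-hex-digit '.@' files, Desktop.ini planted in
the GAC folders, a '$<32 hex>' entry under $Recycle.Bin, and svchost.exe
sitting directly in C:\\Windows instead of System32.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "path family detail identifier")

GUID = r"\{([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})\}"

# {GUID}\@ , {GUID}\L , {GUID}\U and {GUID}\[LU]\<8 hex>[.@]
# A bare {GUID} directory on its own is NOT flagged: MSI caches use the
# same naming, so only the @/L/U tree underneath it is the marker.
ZA_GUID_TREE = re.compile(r"\\" + GUID + r"\\(?:@|[LU](?:\\[0-9a-f]{8}(?:\.@)?)?)$", re.I)
# Desktop.ini dropped into the .NET Global Assembly Cache directories
ZA_GAC_INI = re.compile(r"\\assembly\\GAC_(?:32|64)\\Desktop\.ini$", re.I)
# $Recycle.Bin\<user SID>\$<32 hex>  (the GUID with its hyphens removed)
ZA_RECYCLE = re.compile(r"\\\$Recycle\.Bin\\S-1-5-[\d-]+\\\$([0-9a-f]{32})$", re.I)
# svchost.exe belongs in System32/SysWOW64; a copy at the Windows root is
# what the scan marked "Check for possible partition/boot infection".
ROOT_SVCHOST = re.compile(r"^[a-z]:\\Windows\\svchost\.exe$", re.I)


def classify(path):
    """Return a Finding for one scan line, or None if nothing matched."""
    path = path.strip()
    m = ZA_GUID_TREE.search(path)
    if m:
        # Identifier = GUID without hyphens, so it lines up with the
        # $Recycle.Bin entry belonging to the same infection.
        return Finding(path, "ZeroAccess", "GUID dir with @/L/U tree",
                       "".join(m.groups()).lower())
    if ZA_GAC_INI.search(path):
        return Finding(path, "ZeroAccess", "Desktop.ini in GAC", None)
    m = ZA_RECYCLE.search(path)
    if m:
        return Finding(path, "ZeroAccess", "$<hex> dir in Recycle Bin",
                       m.group(1).lower())
    if ROOT_SVCHOST.match(path):
        return Finding(path, "Boot/partition check",
                       "svchost.exe outside System32", None)
    return None


def scan_frst_lines(lines):
    """Classify every non-empty line; lines without a match are dropped."""
    return [f for f in (classify(l) for l in lines if l.strip()) if f]


def correlate(findings):
    """Count findings per infection identifier (GUID without hyphens)."""
    return Counter(f.identifier for f in findings if f.identifier)


# Constructed sample: paths copied from the FRST log in this thread plus
# three benign paths (the {11111111-...} GUID is a placeholder).
SAMPLE_FRST_LINES = r"""
C:\Windows\Installer\{57657a62-a233-7c35-2a73-4be01c9627a4}
C:\Windows\Installer\{57657a62-a233-7c35-2a73-4be01c9627a4}\@
C:\Windows\Installer\{57657a62-a233-7c35-2a73-4be01c9627a4}\L\00000004.@
C:\Windows\Installer\{57657a62-a233-7c35-2a73-4be01c9627a4}\U\80000032.@
C:\Windows\assembly\GAC_32\Desktop.ini
C:\$Recycle.Bin\S-1-5-21-2284440560-2780697144-91482775-1000\$57657a62a2337c352a734be01c9627a4
C:\Users\admin\AppData\Local\{57657a62-a233-7c35-2a73-4be01c9627a4}\U\00000004.@
C:\Windows\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\Installer\{11111111-2222-3333-4444-555555555555}\setup.exe
""".strip().splitlines()


if __name__ == "__main__":
    found = scan_frst_lines(SAMPLE_FRST_LINES)
    for f in found:
        print(f"[{f.family}] {f.detail}: {f.path}")
    for ident, n in correlate(found).items():
        print(f"{n} artifacts share infection id {ident}")
```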



#2 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 03 November 2012 - 02:23 PM

Hi,

I just want to let you know I moved the topic to the Virus, Trojan, Spyware, and Malware Removal Logs forum where it will stay, and I have alerted the team members who specialize in unbootable computers. Another member will be along to help you.

Please be patient, and good luck!

bloopie

#3 glascow

glascow
  • Topic Starter

  • Members
  • 53 posts
  • Gender:Male

Posted 03 November 2012 - 06:34 PM

Thank you very much, Bloopie, I greatly appreciate it

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 03 November 2012 - 07:57 PM

Hello glascow,

Welcome to the forum.

Your system is badly infected with two different rootkit/bootkit infections. I will be assisting you to clean the infection and restore the system to full functionality. It requires you to refrain from doing any fixes on your own unless you think you don't need any assistance any more.

Please let me know if the condition of the system is the same as when you posted the log and we will take it from there.

#5 glascow

glascow
  • Topic Starter

  • Members
  • 53 posts
  • Gender:Male

Posted 03 November 2012 - 08:36 PM

Thank you Farbar for your time.

Yes, its condition has remained the same as when I posted the log.

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 03 November 2012 - 08:42 PM

Just to let you know, it is too late over here and I might not be available until tomorrow.

Please copy and paste the logs instead of attaching them unless otherwise requested. Thank you.

We are going to remove the main infections, boot the system and clean any leftovers from normal mode.

Please make sure you do all the steps in the order they are written.

  • Please download Listparts and save it to your flash drive. You have the x64 version.
  • Download the attached file fix.txt and save it to your flash drive.
  • Download the attached file fixlist.txt and save it to your flash drive.
  • Boot to System Recovery Options and select "Command Prompt".

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it later in your reply. You may close the tool.
  • While still in the recovery environment run ListParts by typing g:\listparts64 in the command prompt and pressing Enter.
    Click Fix. Close the pop up after the fix is done.
  • Please restart, let it boot normally and tell me how it went.


#7 glascow

glascow
  • Topic Starter

  • Members
  • 53 posts
  • Gender:Male

Posted 03 November 2012 - 10:19 PM

Yay, instructions!

4) Fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-10-2012
Ran by SYSTEM at 2012-11-03 16:57:54 Run:2
Running from G:\

==============================================

HKEY_USERS\admin\Software\Microsoft\Windows\CurrentVersion\Run\\dlerox Value deleted successfully.
HKEY_USERS\admin\Software\Microsoft\Windows\CurrentVersion\Run\\wexptf Value deleted successfully.
HKEY_USERS\admin\Software\Microsoft\Windows\CurrentVersion\Run\\AVG Secure Search Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore Value deleted successfully.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{A7B9AF38-9170-4D2F-828B-83926C18EAB3}\\NameServer Value deleted successfully.
C:\Users\admin\AppData\Roaming\wexptf.dll moved successfully.
C:\Users\admin\AppData\Roaming\dlerox.dll moved successfully.
C:\Users\admin\AppData\Local\Broadcom\AVG Secure Search\zjfdkvut.dll moved successfully.
C:\Windows\svchost.exe moved successfully.
C:\Users\admin\Downloads\[isoHunt]_Hidden_Orchestra_-_2010_-_Night_Walks.torrent moved successfully.
C:\Users\admin\Downloads\[isoHunt]MAchinariumexpansion_download.torrent moved successfully.
C:\Users\admin\Downloads\[isoHunt]_Floex_-_Pocustone.6959858.TPB.torrent moved successfully.
C:\Users\admin\Downloads\[torrent.cd].Tomas_Dvorak_Albums_(Machinarium_ect).torrent moved successfully.
C:\Users\All Users\szoiimjcxgugozv moved successfully.
C:\Users\All Users\ttylhblrjznnnwr moved successfully.
C:\Windows\Installer\{57657a62-a233-7c35-2a73-4be01c9627a4} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
C:\$Recycle.Bin\S-1-5-21-2284440560-2780697144-91482775-1000\$57657a62a2337c352a734be01c9627a4 moved successfully.
C:\Users\admin\AppData\Local\{57657a62-a233-7c35-2a73-4be01c9627a4} moved successfully.

The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====

6) The computer managed to reboot normally without any conflict. It managed to reach the desktop, with nothing visually changed or removed. It is currently sitting there running a screensaver, and I won't touch it until further instructions.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 04 November 2012 - 06:01 AM

Great.

  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

  • Please download AdwCleaner and save it to your desktop.
    • Close all open programs.
    • Double click on AdwCleaner.exe to run it.
    • Click on Search.
    • Please post the content of the log to your reply.
    • A copy of the log will be saved at C:\AdwCleaner[R1].txt.
  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark following checkboxes:
    • Flush DNS
    • Report IE Proxy Settings
    • Report FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    • List installed programs.
    • List Devices (only check the box and leave the default radio button as it is).
    Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.


#9 glascow

glascow
  • Topic Starter

  • Members
  • 53 posts
  • Gender:Male

Posted 04 November 2012 - 06:43 AM

1) MBAM log:
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.04.02

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
admin :: ADMIN-HP [administrator]

2012/11/04 午前 01:21:01
mbam-log-2012-11-04 (01-21-01).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 219578
Time elapsed: 6 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

2) AdwCleaner log:
# AdwCleaner v2.006 - Logfile created 11/04/2012 at 01:32:48
# Updated 30/10/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : admin - ADMIN-HP
# Boot Mode : Normal
# Running from : C:\Users\admin\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Found : C:\Users\admin\AppData\Local\Temp\Uninstall.exe
Folder Found : C:\Program Files (x86)\Babylon
Folder Found : C:\Program Files\Babylon
Folder Found : C:\Users\admin\AppData\Local\Temp\avg@toolbar

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software
Key Found : HKCU\Software\IGearSettings
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKCU\Software\Softonic
Key Found : HKCU\Software\StartSearch
Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASMANCS
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.16385

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [3052 octets] - [04/11/2012 01:32:48]

########## EOF - C:\AdwCleaner[R1].txt - [3112 octets] ##########

3) MiniToolBox Result.txt:
MiniToolBox by Farbar Version: 23-07-2012
Ran by admin (administrator) on 04-11-2012 at 01:34:30
Microsoft Windows 7 Home Premium (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is enabled.
No Proxy Server is set.
========================= Hosts content: =================================



========================= IP Configuration: ================================

Intel® WiFi Link 1000 BGN = Wireless Network Connection (Connected)
Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 2 (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 3 (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
set subinterface interface=?' subinterface=ethernet_9 mtu=1477
add address name="Wireless Network Connection 2" address=192.168.16.2


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : admin-HP
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hawaiiantel.net

Wireless LAN adapter Wireless Network Connection 3:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter #2
Physical Address. . . . . . . . . : 8C-A9-82-31-FF-EB
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
Physical Address. . . . . . . . . : 8C-A9-82-31-FF-EB
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : hawaiiantel.net
Description . . . . . . . . . . . : Intel® WiFi Link 1000 BGN
Physical Address. . . . . . . . . : 8C-A9-82-31-FF-EA
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::ac86:4ca5:3aa3:79da%14(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.200.7(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 2012?11?3? ?? 05:01:20
Lease Expires . . . . . . . . . . : 2012?11?4? ?? 02:20:39
Default Gateway . . . . . . . . . : 192.168.200.1
DHCP Server . . . . . . . . . . . : 192.168.200.1
DHCPv6 IAID . . . . . . . . . . . : 277653890
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-FB-08-39-64-31-50-8A-79-83
DNS Servers . . . . . . . . . . . : 192.168.200.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : CC-52-AF-06-A9-E3
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{B541B0CD-0461-4ECC-B9B7-72AF4B24687F}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.hawaiiantel.net:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{A7B9AF38-9170-4D2F-828B-83926C18EAB3}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{541D1390-E367-414B-B237-D51D4238B6CA}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.200.1

Name: google.com
Addresses: 2607:f8b0:4007:800::1009
74.125.224.229
74.125.224.227
74.125.224.238
74.125.224.231
74.125.224.232
74.125.224.225
74.125.224.224
74.125.224.226
74.125.224.228
74.125.224.233
74.125.224.230


Pinging google.com [74.125.224.230] with 32 bytes of data:
Reply from 74.125.224.230: bytes=32 time=74ms TTL=56
Reply from 74.125.224.230: bytes=32 time=74ms TTL=56

Ping statistics for 74.125.224.230:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 74ms, Maximum = 74ms, Average = 74ms
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.200.1

Name: yahoo.com
Addresses: 98.139.183.24
72.30.38.140
98.138.253.109


Pinging yahoo.com [98.138.253.109] with 32 bytes of data:
Reply from 98.138.253.109: bytes=32 time=196ms TTL=49
Reply from 98.138.253.109: bytes=32 time=165ms TTL=44

Ping statistics for 98.138.253.109:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 165ms, Maximum = 196ms, Average = 180ms
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.200.1

Name: bleepingcomputer.com
Address: 208.43.87.2


Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
16...8c a9 82 31 ff eb ......Microsoft Virtual WiFi Miniport Adapter #2
15...8c a9 82 31 ff eb ......Microsoft Virtual WiFi Miniport Adapter
14...8c a9 82 31 ff ea ......Intel® WiFi Link 1000 BGN
12...cc 52 af 06 a9 e3 ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
17...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.200.1 192.168.200.7 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.200.0 255.255.255.0 On-link 192.168.200.7 281
192.168.200.7 255.255.255.255 On-link 192.168.200.7 281
192.168.200.255 255.255.255.255 On-link 192.168.200.7 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.200.7 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.200.7 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
14 281 fe80::/64 On-link
14 281 fe80::ac86:4ca5:3aa3:79da/128
On-link
1 306 ff00::/8 On-link
14 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"

Catalog5 02 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

Catalog5 03 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 07 C:\Windows\SysWOW64\wshbth.dll [35840] (Microsoft Corporation)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)
Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)
Catalog5 10 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()
x64-Catalog5 01 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"

x64-Catalog5 02 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

x64-Catalog5 03 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [46592] (Microsoft Corporation)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)
x64-Catalog5 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)
x64-Catalog5 10 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
x64-Catalog9 01 mswsock.dll [File Not found] ()
x64-Catalog9 02 mswsock.dll [File Not found] ()
x64-Catalog9 03 mswsock.dll [File Not found] ()
x64-Catalog9 04 mswsock.dll [File Not found] ()
x64-Catalog9 05 mswsock.dll [File Not found] ()
x64-Catalog9 06 mswsock.dll [File Not found] ()
x64-Catalog9 07 mswsock.dll [File Not found] ()
x64-Catalog9 08 mswsock.dll [File Not found] ()
x64-Catalog9 09 mswsock.dll [File Not found] ()
x64-Catalog9 10 mswsock.dll [File Not found] ()
x64-Catalog9 11 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/04/2012 00:34:12 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "1".Error in manifest or policy file "2" on line 3.
Invalid Xml syntax.

Error: (11/04/2012 00:33:53 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (11/03/2012 05:51:50 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "1".Error in manifest or policy file "2" on line 3.
Invalid Xml syntax.

Error: (11/03/2012 05:50:52 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (11/02/2012 02:43:11 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7600.16385, time stamp: 0x4a5bc69e
Faulting module name: IEFRAME.dll, version: 8.0.7600.16625, time stamp: 0x4c2ae03f
Exception code: 0xc0000005
Fault offset: 0x0011c571
Faulting process id: 0x131c
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (11/02/2012 02:43:08 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7600.16385, time stamp: 0x4a5bc69e
Faulting module name: OLEAUT32.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdaca
Exception code: 0xc0000005
Fault offset: 0x00033db1
Faulting process id: 0x1c30
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (11/02/2012 01:07:57 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "1".Error in manifest or policy file "2" on line 3.
Invalid Xml syntax.

Error: (11/02/2012 01:06:00 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (11/02/2012 11:51:54 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c5
Faulting module name: ntdll.dll, version: 6.1.7600.16559, time stamp: 0x4ba9b29c
Exception code: 0xc0000005
Fault offset: 0x0002e1fe
Faulting process id: 0x23f0
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (11/02/2012 11:42:34 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c5
Faulting module name: ntdll.dll, version: 6.1.7600.16559, time stamp: 0x4ba9b29c
Exception code: 0xc0000005
Fault offset: 0x00032785
Faulting process id: 0x10d0
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3


System errors:
=============
Error: (11/04/2012 01:20:24 AM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

Error: (11/04/2012 01:20:24 AM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:
%%-2147024891

Error: (11/04/2012 00:18:24 AM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:
%%-2147024891

Error: (11/04/2012 00:18:24 AM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

Error: (11/03/2012 05:01:42 PM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

Error: (11/03/2012 05:01:42 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:
%%-2147024891

Error: (11/02/2012 02:50:00 PM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

Error: (11/02/2012 02:50:00 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:
%%-2147024891

Error: (11/02/2012 01:05:26 PM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

Error: (11/02/2012 01:05:26 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:
%%-2147024891


Microsoft Office Sessions:
=========================
Error: (11/04/2012 00:34:12 AM) (Source: SideBySide)(User: )
Description: c:\program files (x86)\microsoft\search enhancement pack\search helper\sepsearchhelperie.dllc:\program files (x86)\microsoft\search enhancement pack\search helper\sepsearchhelperie.dll2

Error: (11/04/2012 00:33:53 AM) (Source: SideBySide)(User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORC:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllC:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

Error: (11/03/2012 05:51:50 PM) (Source: SideBySide)(User: )
Description: c:\program files (x86)\microsoft\search enhancement pack\search helper\sepsearchhelperie.dllc:\program files (x86)\microsoft\search enhancement pack\search helper\sepsearchhelperie.dll2

Error: (11/03/2012 05:50:52 PM) (Source: SideBySide)(User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORC:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllC:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

Error: (11/02/2012 02:43:11 PM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.7600.163854a5bc69eIEFRAME.dll8.0.7600.166254c2ae03fc00000050011c571131c01cdb95724eeca7bC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Windows\system32\IEFRAME.dll70e5c702-254f-11e2-a4d2-cc52af06a9e3

Error: (11/02/2012 02:43:08 PM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.7600.163854a5bc69eOLEAUT32.dll6.1.7600.163854a5bdacac000000500033db11c3001cdb95724aeb436C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Windows\syswow64\OLEAUT32.dll6f62cad8-254f-11e2-a4d2-cc52af06a9e3

Error: (11/02/2012 01:07:57 PM) (Source: SideBySide)(User: )
Description: c:\program files (x86)\microsoft\search enhancement pack\search helper\sepsearchhelperie.dllc:\program files (x86)\microsoft\search enhancement pack\search helper\sepsearchhelperie.dll2

Error: (11/02/2012 01:06:00 PM) (Source: SideBySide)(User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORC:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllC:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

Error: (11/02/2012 11:51:54 AM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc3c5ntdll.dll6.1.7600.165594ba9b29cc00000050002e1fe23f001cdb9431ccd7284\\.\globalroot\systemroot\svchost.exeC:\Windows\SysWOW64\ntdll.dll83b375db-2537-11e2-a4d2-cc52af06a9e3

Error: (11/02/2012 11:42:34 AM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc3c5ntdll.dll6.1.7600.165594ba9b29cc00000050003278510d001cdb940efbb0136\\.\globalroot\systemroot\svchost.exeC:\Windows\SysWOW64\ntdll.dll35fd2777-2536-11e2-a4d2-cc52af06a9e3


=========================== Installed Programs ============================

???????3D
µTorrent (Version: 1.8.2)
3D Snow version 5.0
3D Ultra MiniGolf Deluxe
3D Ultra TrainTown Deluxe
Acrobat.com (Version: 1.6.65)
ActiveCheck component for HP Active Support Library (Version: 3.0.0.3)
Adobe AIR (Version: 1.5.3.9130)
Adobe Flash Player 11 ActiveX (Version: 11.4.402.287)
Adobe Reader 9.3 MUI (Version: 9.3.0)
Adobe Shockwave Player 11.5 (Version: 11.5.7.609)
Adobe Shockwave Player 11.6 (Version: 11.6.5.635)
Age of Wonders Shadow Magic
カスタムメイド3D
Alcor Micro USB Card Reader (Version: 1.2.517.35221)
Apple Application Support (Version: 2.1.7)
Apple Mobile Device Support (Version: 5.1.1.4)
Apple Software Update (Version: 2.1.3.127)
Artificial Girl 3 (Version: 1.5)
ArtRage Studio Pro (Version: 3.5.0)
Audacity 2.0
Bejeweled 2 Deluxe (Version: 2.2.0.95)
Bing Bar (Version: 5.0.1438.0)
Bing Bar Platform (Version: 5.0.1438.0)
BioExcess (Version: 7.0.33.0)
Blackhawk Striker 2 (Version: 2.2.0.95)
Bonjour (Version: 3.0.0.10)
Broadcom 2070 Bluetooth 3.0 (Version: 6.3.0.5600)
Build-a-lot 2 (Version: 2.2.0.95)
Chuzzle Deluxe (Version: 2.2.0.95)
CinemaNow Media Manager (Version: 1.9.1.105)
CyberLink DVD Suite (Version: 7.0.3003)
DAEMON Tools Lite (Version: 4.45.4.0315)
Diner Dash 2 Restaurant Rescue (Version: 2.2.0.95)
Dora's Carnival Adventure (Version: 2.2.0.95)
DVD Menu Pack for HP MediaSmart Video (Version: 4.1.4121)
むすめダンシングビジュアライザ むすめいく! Ver.
Empires Dawn of the Modern World
Energy Star Digital Logo (Version: 1.0.1)
Epson Event Manager (Version: 2.40.0001)
EPSON NX420 Series Printer Uninstall
EPSON Scan
Escape Rosecliff Island (Version: 2.2.0.95)
ESU for Microsoft Windows 7 (Version: 1.0.0)
FATE (Version: 2.2.0.95)
Final Drive Nitro (Version: 2.2.0.95)
Fraps (remove only)
Geneforge
Hard Time (Version: )
Heroes of Hellas 2 - Olympia (Version: 2.2.0.95)
HF pAppLoc version 1.0 (Version: 1.0)
HP 3D DriveGuard (Version: 4.0.5.1)
HP Advisor (Version: 3.4.10262.3295)
HP Customer Experience Enhancements (Version: 6.0.1.4)
HP Documentation (Version: 1.1.1.0)
HP Game Console
HP Games (Version: 1.0.1.3)
HP MediaSmart CinemaNow 2.0 (Version: 2.0)
HP MediaSmart DVD (Version: 4.1.4229)
HP MediaSmart Movies and TV (Version: 1.0.0.10)
HP MediaSmart Music (Version: 4.1.4215)
HP MediaSmart Photo (Version: 4.1.4211)
HP MediaSmart SmartMenu (Version: 3.1.1.12)
HP MediaSmart Video (Version: 4.1.4214)
HP MediaSmart Webcam (Version: 4.1.3024)
HP MediaSmart/TouchSmart Netflix (Version: 1.0.3.0)
HP Photo Creations (Version: 1.0.0.3611)
HP Power Manager (Version: 1.0.3)
HP Quick Launch (Version: 2.1.5)
HP QuickWeb Installer (Version: 1.3.11.0)
HP Setup (Version: 8.1.4186.3400)
HP SimplePass Identity Protection (Version: 7.0.33.0)
HP Software Framework (Version: 4.0.39.1)
HP Support Assistant (Version: 5.0.14.2)
HP Wireless Assistant (Version: 4.0.9.0)
HPAsset component for HP Active Support Library (Version: 3.0.0.3)
Hulu Desktop (Version: 0.9.13)
IDT Audio (Version: 1.0.6289.0)
Intel PROSet Wireless
Intel® Control Center (Version: 1.2.1.1007)
Intel® Graphics Media Accelerator Driver (Version: 8.15.10.2141)
Intel® Management Engine Components (Version: 6.0.0.1179)
Intel® PROSet/Wireless WiFi Software (Version: 13.02.0000)
Intel® Rapid Storage Technology (Version: 9.6.0.1014)
Intel® Wireless Display (Version: 1.2.15.0)
iTunes (Version: 10.6.1.7)
Java Auto Updater (Version: 2.0.2.1)
Java™ 6 Update 20 (64-bit) (Version: 6.0.200)
Java™ 6 Update 20 (Version: 6.0.200)
Jewel Quest 3 (Version: 2.2.0.95)
Jewel Quest Solitaire 2 (Version: 2.2.0.95)
Junk Mail filter update (Version: 14.0.8117.416)
Krita 2.5.2 (Version: 2.5.2.0)
LabelPrint (Version: 2.5.2907)
LAME v3.99.3 (for Windows)
Malwarebytes Anti-Malware version 1.65.1.1000 (Version: 1.65.1.1000)
Manga Studio EX 4.0 (Version: 4.1.4)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Default Manager (Version: 2.1.55.0)
Microsoft IntelliPoint 8.2 (Version: 8.20.468.0)
Microsoft Midtown Madness
Microsoft Midtown Madness 2
Microsoft Office 2010 (Version: 14.0.4763.1000)
Microsoft Search Enhancement Pack (Version: 2.0.271.0)
Microsoft Silverlight (Version: 4.0.50401.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Windows Application Compatibility Database
Microsoft WSE 3.0 Runtime (Version: 3.0.5305.0)
Minecraft Cracked
Movie Theme Pack for HP MediaSmart Video (Version: 4.1.4030)
MSVCRT (Version: 14.0.1468.721)
Norton Internet Security (Version: 18.0.0.128)
Norton Online Backup (Version: 2.1.17869)
Penguins! (Version: 2.2.0.95)
Phierha (Version: 1.80.0001)
PhotoNow! (Version: 1.1.6904)
piaip AppLocale (Version: 1.0.0)
Pixia (Version: 4.79e)
Plants vs. Zombies (Version: 2.2.0.95)
Poker Superstars III (Version: 2.2.0.95)
Polar Bowler (Version: 2.2.0.95)
Polar Golfer (Version: 2.2.0.95)
Power2Go (Version: 6.1.4204)
PowerDirector (Version: 8.0.3003)
PowerISO (Version: 5.1)
Realtek Ethernet Controller Driver (Version: 7.25.824.2010)
Recovery Manager (Version: 5.5.3023)
Roxio CinemaNow 2.0 (Version: 1.0.284)
Sierra Utilities
Soldat 1.5.0
Spybot - Search & Destroy (Version: 1.6.2)
Sumo Paint Air (Version: 3.6.5)
swMSM (Version: 12.0.0.1)
Synaptics Pointing Device Driver (Version: 15.0.17.4)
Test Drive Unlimited (Version: 0.10.0000)
The Path update from 1.01 to 1.1
Times Reader (Version: 2.061)
Ultimate Knight ウィンダムXP
Validity Sensors DDK (Version: 4.1.139.0)
Virtual Families (Version: 2.2.0.95)
Virtual Villagers - The Secret City (Version: 2.2.0.95)
Wheel of Fortune 2 (Version: 2.2.0.95)
Windows Live Call (Version: 14.0.8117.0416)
Windows Live Communications Platform (Version: 14.0.8117.416)
Windows Live Essentials (Version: 14.0.8117.0416)
Windows Live Essentials (Version: 14.0.8117.416)
Windows Live ID Sign-in Assistant (Version: 6.500.3165.0)
Windows Live Mail (Version: 14.0.8117.0416)
Windows Live Messenger (Version: 14.0.8117.0416)
Windows Live Photo Gallery (Version: 14.0.8117.416)
Windows Live Sync (Version: 14.0.8117.416)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Live Writer (Version: 14.0.8117.0416)
WinRAR archiver
Zuma Deluxe (Version: 2.2.0.95)

========================= Devices: ================================


**** End of log ****

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:59 AM

Posted 04 November 2012 - 07:15 AM

The malware has corrupted winsock and we need to repair it.

  • Please download the attached file winsock64.reg (768 bytes).
    Double-click it and confirm the prompt to allow it to merge.
  • Important: Restart.
  • Please download the attached file winsock.bat (94 bytes).
    Save it to the computer; do not run it from Internet Explorer's temporary files.
    Important: right-click and select "Run as administrator".
    A command window will open, followed by a log file (log00.txt).
    Please post the content to your reply.
  • Important: Restart.
  • Run MiniToolBox with only "Reset IE Proxy" and "List Winsock Entries" checked, press "Go" and post the log.


#11 glascow

glascow
  • Topic Starter

  • Members
  • 53 posts
  • Gender:Male
  • Local time:01:59 AM

Posted 04 November 2012 - 07:44 AM

3) log00.txt:
Start

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

5) MiniToolBox Result.txt:

MiniToolBox by Farbar Version: 23-07-2012
Ran by admin (administrator) on 04-11-2012 at 02:39:53
Microsoft Windows 7 Home Premium (X64)
Boot Mode: Normal
***************************************************************************

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [51712] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 07 C:\Windows\SysWOW64\wshbth.dll [35840] (Microsoft Corporation)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)
Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)
Catalog5 10 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70144] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [46592] (Microsoft Corporation)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)
x64-Catalog5 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)
x64-Catalog5 10 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)

**** End of log ****

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:59 AM

Posted 04 November 2012 - 07:50 AM

That looks good.

I will be away for around two hours.

  • Please run AdwCleaner again.
    • Close all open programs.
    • Double click on AdwCleaner.exe to run it.
    • Click on Delete and confirm the prompt.
    • After it is finished the computer will be restarted. A text file will open after the restart.
    • Please post the content of that log to your reply.
    • A copy of the log will be saved at C:\AdwCleaner[S1].txt.
  • Please download Farbar Service Scanner and run it on the computer with the issue.
    • Check all the boxes.
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


#13 glascow

glascow
  • Topic Starter

  • Members
  • 53 posts
  • Gender:Male
  • Local time:01:59 AM

Posted 04 November 2012 - 08:51 AM

Take all the time you need; I will be waiting for your return.

1) AdwCleaner[S1].txt:

# AdwCleaner v2.006 - Logfile created 11/04/2012 at 03:41:09
# Updated 30/10/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : admin - ADMIN-HP
# Boot Mode : Normal
# Running from : C:\Users\admin\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Program Files (x86)\Babylon
Deleted on reboot : C:\Program Files\Babylon
Deleted on reboot : C:\Users\admin\AppData\Local\Temp\avg@toolbar
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Users\admin\AppData\Local\Temp\Uninstall.exe

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software
Key Deleted : HKCU\Software\IGearSettings
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\StartSearch
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASMANCS
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.16385

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [3177 octets] - [04/11/2012 01:32:48]
AdwCleaner[S1].txt - [3183 octets] - [04/11/2012 03:41:09]

########## EOF - C:\AdwCleaner[S1].txt - [3243 octets] ##########


2) FSS.txt:

Farbar Service Scanner Version: 03-11-2012
Ran by admin (administrator) on 04-11-2012 at 03:45:48
Running from "C:\Users\admin\Desktop"
Microsoft Windows 7 Home Premium (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll
[2009-07-13 13:21] - [2009-07-13 15:40] - 0182272 ____A (Microsoft Corporation) 676108C4E3AA6F6B34633748BD0BEBD9

C:\Windows\System32\mpssvc.dll
[2009-07-13 14:09] - [2009-07-13 15:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2009-07-13 13:36] - [2009-07-13 15:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5

C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll
[2009-07-13 14:36] - [2009-07-13 15:41] - 2418176 ____A (Microsoft Corporation) 38340204A2D0228F1E87740FC5E554A7

C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:59 AM

Posted 04 November 2012 - 09:55 AM

The ZeroAccess infection has damaged some Windows services, including Windows Firewall and Windows Automatic Update. We are going to restore them.

  • Please download ServicesRepair and save it to your desktop.

    • Double-click ServicesRepair.exe.
    • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
    • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
    • A log will be saved in the CCSupport folder the tool created on your desktop; please post the content in your next reply.
  • After the restart, wait a couple of minutes until the system has settled down. Then run Farbar Service Scanner once more with all the options checked and post the log.

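The FSS.txt findings that drive the repair step above (service keys that no longer exist, values missing under a surviving key, and files whose MD5 FSS could not vouch for) can be extracted mechanically before deciding what to restore. The parser below is an added example, not part of the thread or of Farbar's tools; its sample input is constructed from a subset of the FSS.txt posted above, and the line formats it matches are assumed from that log.

```python
"""Parse Farbar Service Scanner (FSS.txt) output and flag damaged services.

Added example for this thread, not part of FSS, ServicesRepair or any other
tool named here. It relies only on the line formats visible in the posted
FSS.txt; the sample below is constructed from a subset of those lines.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the FSS.txt posted in the thread.
SAMPLE_FSS = r"""Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll
[2009-07-13 14:09] - [2009-07-13 15:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

C:\Windows\System32\bfe.dll => MD5 is legit
"""

NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running\.")
ATTENTION_RE = re.compile(r"^Checking (.+?)(?: of (\S+))?: ATTENTION!=====> (.+)$")
KEY_MISSING_RE = re.compile(r"Unable to open (\S+) registry key")
FILE_OK_RE = re.compile(r"^([A-Za-z]:\\.+?) => MD5 is legit$")
FILE_PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")        # path line with no verdict
HASH_LINE_RE = re.compile(r"\) ([0-9A-Fa-f]{32})$")    # detail line ending in MD5


@dataclass
class FssReport:
    not_running: list = field(default_factory=list)      # services FSS found stopped
    missing_keys: set = field(default_factory=set)        # whole service key is gone
    missing_values: dict = field(default_factory=dict)    # service -> [value names]
    verified_files: list = field(default_factory=list)    # "=> MD5 is legit"
    unverified_files: dict = field(default_factory=dict)  # path -> MD5 FSS printed


def parse_fss(text: str) -> FssReport:
    """Walk FSS.txt line by line and collect the findings that need action."""
    report = FssReport()
    current_service = None   # set by "X Service is not running"
    pending_path = None      # a File Check path waiting for its detail line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NOT_RUNNING_RE.match(line)
        if m:
            current_service = m.group(1)
            report.not_running.append(current_service)
            continue
        m = ATTENTION_RE.match(line)
        if m:
            item, service, message = m.groups()
            key_match = KEY_MISSING_RE.search(message)
            if key_match:
                # The whole Services\<svc> key is gone, not just one value under it.
                report.missing_keys.add(key_match.group(1))
            elif "does not exist" in message:
                svc = service or current_service or "?"
                report.missing_values.setdefault(svc, []).append(item)
            continue
        m = FILE_OK_RE.match(line)
        if m:
            report.verified_files.append(m.group(1))
            pending_path = None
            continue
        if FILE_PATH_RE.match(line):
            pending_path = line          # FSS prints the details on the next line
            continue
        m = HASH_LINE_RE.search(line)
        if m and pending_path:
            report.unverified_files[pending_path] = m.group(1).upper()
            pending_path = None
    return report


def damaged_services(report: FssReport) -> list:
    """Services whose registry configuration must be restored, not merely started."""
    return sorted(report.missing_keys | set(report.missing_values))


if __name__ == "__main__":
    rep = parse_fss(SAMPLE_FSS)
    print("stopped:", rep.not_running)
    print("needs repair:", damaged_services(rep))
    for path, md5 in rep.unverified_files.items():
        print("MD5 not in FSS whitelist, verify by other means:", path, md5)
```

A file listed without "MD5 is legit" only means FSS had no whitelist entry for that build; it is a prompt to verify the file, not proof it was replaced.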

#15 glascow

glascow
  • Topic Starter

  • Members
  • 53 posts
  • Gender:Male
  • Local time:01:59 AM

Posted 04 November 2012 - 10:24 AM

1) SvcRepair:

Log Opened: 2012-11-04 @ 05:15:28
05:15:28 - -----------------
05:15:28 - | Begin Logging |
05:15:28 - -----------------
05:15:28 - Fix started on a WIN_7 X64 computer
05:15:28 - Prep in progress. Please Wait.
05:15:29 - Prep complete
05:15:29 - Repairing Services Now. Please wait...
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\BFE.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\SubLayer>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\Provider>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\Filter>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\BootTime\Filter>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\BootTime>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\BITS.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Performance>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\iphlpsvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Teredo>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters\Teredo\{FA88062C-9A61-4C1E-AC45-7143F8F01AAD}>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters\Teredo>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters\Isatap\{8AD2FB26-F91E-44F1-9B24-3C0AE56C9CE0}>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters\Isatap>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters\IPHTTPS>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Interfaces>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\config>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\MpsSvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\Teredo>
ERROR: Writing SD to <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\Teredo> failed with: The system cannot find the file specified.
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap>
ERROR: Writing SD to <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap> failed with: The system cannot find the file specified.
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut>
ERROR: Writing SD to <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut> failed with: The system cannot find the file specified.
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn>
ERROR: Writing SD to <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn> failed with: The system cannot find the file specified.
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\DHCP>
ERROR: Writing SD to <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\DHCP> failed with: The system cannot find the file specified.
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\SharedAccess.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Epoch2>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Epoch>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\StandardProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\StandardProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\PublicProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\PublicProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\DomainProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\DomainProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\WinDefend.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\TriggerInfo\0>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\TriggerInfo>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\wscsvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\wuauserv.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv>

SetACL finished successfully.
05:15:31 - Services Repair Complete.
05:15:43 - Reboot Initiated


2) FSS.txt:

Farbar Service Scanner Version: 03-11-2012
Ran by admin (administrator) on 04-11-2012 at 05:20:05
Running from "C:\Users\admin\Desktop"
Microsoft Windows 7 Home Premium (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll
[2009-07-13 13:21] - [2009-07-13 15:40] - 0182272 ____A (Microsoft Corporation) 676108C4E3AA6F6B34633748BD0BEBD9

C:\Windows\System32\mpssvc.dll
[2009-07-13 14:09] - [2009-07-13 15:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2009-07-13 13:36] - [2009-07-13 15:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5

C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll
[2009-07-13 14:36] - [2009-07-13 15:41] - 2418176 ____A (Microsoft Corporation) 38340204A2D0228F1E87740FC5E554A7

C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****



