
C0000135 The program can't start because %hs is missing. Try reinstalling the program


  • This topic is locked
38 replies to this topic

#1 ross3

  • Members

Posted 28 December 2012 - 03:48 PM

Hi,

Tried to boot my computer this morning and was greeted with the "C0000135 The program can't start because %hs is missing. Try reinstalling the program" message. I've been scouring the web in search of a solution but can't find anything helpful apart from other similar threads on here. I've scanned with frst64.exe and got the log. I'm hoping someone can help me solve this as I have a lot of college work saved that I would like to have a copy of. If I can't fix this I guess I could try booting Linux off a USB to try to rescue some files. Thanks for any help.

Ross

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-12-2012
Ran by SYSTEM at 28-12-2012 18:43:01
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11543656 2010-10-26] (Realtek Semiconductor)
HKLM\...\Run: [Lenovo EE Boot Optimizer] C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe [114688 2011-09-09] (Lenovo)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
HKLM-x32\...\Run: [jmekey] C:\windows\jmesoft\hotkey.exe [118784 2011-03-21] (Lenovo)
HKLM-x32\...\Run: [jmesoft] C:\Windows\jmesoft\ServiceLoader.exe [28672 2011-03-15] ()
HKLM-x32\...\Run: [Lenovo Eye Distance System] C:\Program Files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe 1 [265216 2010-09-09] (Lenovo)
HKLM-x32\...\Run: [Lenovo Dynamic Brightness System] C:\Program Files\Lenovo\Lenovo Brightness System\Lenovo Dynamic Brightness System.exe 1 [285696 2010-10-08] (Lenovo)
HKLM-x32\...\Run: [CLMLServer] "C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe" [103720 2009-12-04] (CyberLink)
HKLM-x32\...\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery" [222504 2009-05-13] (CyberLink Corp.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [x]
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3143800 2012-11-06] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [x]
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [151952 2012-11-28] (Apple Inc.)
HKU\ross\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-09-09] (Google Inc.)
HKU\ross\...\Run: [Spotify Web Helper] "C:\Users\ross\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [x]
HKU\ross\...\Run: [Google Update] "C:\Users\ross\AppData\Local\Google\Update\GoogleUpdate.exe" /c [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

==================== Services (Whitelisted) ===================

2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe" [5814392 2012-11-06] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe" [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)
2 JME Keyboard; C:\Windows\jmesoft\Service.exe [32768 2011-03-15] ()
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
3 wxpSvc; C:\Program Files (x86)\webcamXP 5\wService.exe /startedbyscm:5053B757-40E35B3B-webcamSRV [5404472 2012-03-26] (Moonware Studios)
3 WatAdminSvc; C:\Windows\System32\Wat\WatAdminSvc.exe [x]

==================== Drivers (Whitelisted) =====================

1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [154464 2012-10-22] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [63328 2012-10-14] (AVG Technologies CZ, s.r.o. )
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [40800 2012-09-13] (AVG Technologies CZ, s.r.o.)
3 ManyCam; C:\Windows\System32\DRIVERS\mcvidrv_x64.sys [34304 2012-01-10] (ManyCam LLC)
3 mcaudrv_simple; C:\Windows\System32\drivers\mcaudrv_x64.sys [28160 2012-02-22] (ManyCam LLC)
0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)
2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)
0 WinI2C-DDC; C:\Windows\System32\drivers\DDCDrv.sys [20832 2008-04-08] (Nicomsoft Ltd.)
3 XG762_VS; C:\Windows\System32\DRIVERS\WlanGZG.sys [1075712 2010-03-26] (Atheros Communications, Inc.)
1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [x]
0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [x]
0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [x]
1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-12-28 17:00 - 2012-12-28 17:00 - 00000000 __SHD C:\found.000
2012-12-21 19:00 - 2012-12-16 09:11 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-21 19:00 - 2012-12-16 06:45 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-21 19:00 - 2012-12-16 06:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2012-12-21 19:00 - 2012-12-16 06:13 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2012-12-18 11:38 - 2012-12-18 18:47 - 00000000 ____D C:\Users\All Users\webcamXP 5
2012-12-18 11:38 - 2012-12-18 11:38 - 00000000 ____D C:\Program Files (x86)\webcamXP 5
2012-12-16 13:03 - 2012-12-16 13:03 - 00007704 ____A C:\Users\ross\AppData\Local\recently-used.xbel
2012-12-16 12:27 - 2012-12-16 12:28 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-12-16 11:52 - 2012-12-16 12:46 - 00000000 ____D C:\Users\ross\Downloads\website2
2012-12-15 14:27 - 2012-12-15 14:27 - 00000000 ____D C:\Program Files (x86)\CamStudio 2.6b
2012-12-15 14:27 - 2010-10-23 16:56 - 00049664 ____A (CamStudio Group) C:\Windows\System32\CamCodec.dll
2012-12-12 19:00 - 2012-11-13 21:57 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-12-12 19:00 - 2012-11-13 21:57 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-12-12 19:00 - 2012-11-13 21:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-12-12 19:00 - 2012-11-13 17:48 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-12-12 13:33 - 2012-12-12 13:33 - 00000000 ____D C:\Users\ross\Documents\Web
2012-12-12 13:32 - 2012-12-12 15:09 - 01409050 ____A C:\Users\ross\Desktop\Site1.wpp
2012-12-12 09:50 - 2012-12-24 12:15 - 00000000 ____D C:\Users\ross\Desktop\Britannica Primary
2012-12-12 08:36 - 2012-11-21 19:26 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-12-12 08:36 - 2012-10-04 09:46 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2012-12-12 08:36 - 2012-10-04 09:46 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
2012-12-12 08:36 - 2012-10-04 09:46 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2012-12-12 08:36 - 2012-10-04 09:45 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2012-12-12 08:36 - 2012-10-04 09:43 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2012-12-12 08:36 - 2012-10-04 09:41 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2012-12-12 08:36 - 2012-10-04 09:41 - 00424960 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:47 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2012-12-12 08:36 - 2012-10-04 08:47 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2012-12-12 08:36 - 2012-10-04 08:47 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 07:21 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2012-12-12 08:36 - 2012-10-04 06:46 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2012-12-12 08:36 - 2012-10-04 06:46 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2012-12-12 08:36 - 2012-10-04 06:46 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2012-12-12 08:35 - 2012-11-01 21:59 - 00478208 ____A (Microsoft Corporation) C:\Windows\System32\dpnet.dll
2012-12-12 08:35 - 2012-11-01 21:11 - 00376832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dpnet.dll
2012-12-12 08:35 - 2012-10-04 09:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 09:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 06:46 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2012-12-12 08:35 - 2012-10-04 06:41 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 06:41 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 06:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 06:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2012-12-09 01:39 - 2012-12-09 01:39 - 00000558 ____A C:\Windows\PFRO.log
2012-12-08 10:26 - 2012-12-27 18:30 - 00010976 ____A C:\Windows\setupact.log
2012-12-08 10:26 - 2012-12-08 10:26 - 00000000 ____A C:\Windows\setuperr.log
2012-12-08 09:46 - 2012-12-08 09:46 - 00000000 ____D C:\Users\ross\AppData\Local\{44E316FE-9B27-4B36-AF34-0123C84210CC}
2012-12-07 15:33 - 2012-12-07 15:34 - 00000000 ____D C:\Users\ross\AppData\Local\{3528BD30-2719-4017-89B9-6A16965164C9}
2012-12-05 10:17 - 2012-12-05 10:18 - 00000000 ____D C:\Users\ross\AppData\Local\{000AED22-CF63-4D99-80CB-2345F7F025E5}
2012-12-04 11:03 - 2012-12-08 09:50 - 00000000 ____D C:\Users\ross\AppData\Roaming\Skype
2012-12-04 11:03 - 2012-12-08 09:50 - 00000000 ____D C:\Users\All Users\Skype
2012-12-04 11:01 - 2012-12-04 11:01 - 00000000 ____D C:\Users\ross\AppData\Local\{80296AC9-B111-4625-AB76-0FDCC8E7AF9E}
2012-12-03 10:59 - 2012-12-03 10:59 - 00000000 ____D C:\Users\ross\AppData\Local\{FDECE7F0-BEB4-479D-BEC8-66FDC3855831}
2012-12-01 09:58 - 2012-12-01 09:58 - 00001783 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-12-01 09:58 - 2012-12-01 09:58 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-12-01 09:58 - 2012-12-01 09:58 - 00000000 ____D C:\Program Files\iTunes
2012-12-01 09:58 - 2012-12-01 09:58 - 00000000 ____D C:\Program Files\iPod
2012-12-01 09:58 - 2012-12-01 09:58 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-12-01 09:33 - 2012-12-01 09:33 - 00000000 ____D C:\Users\ross\AppData\Local\{C28DB591-89BA-465E-9312-77657B918FF4}
2012-11-30 11:33 - 2012-11-30 11:33 - 00000000 ____D C:\Users\ross\AppData\Local\{73F9D44A-2B67-4C35-A854-4DB9A4B657DD}
2012-11-28 06:41 - 2012-11-28 06:42 - 00000000 ____D C:\Users\ross\AppData\Local\{C12828DD-93B1-4F2D-B13E-45E24D3DBFFC}


==================== One Month Modified Files and Folders =======

2012-12-28 18:42 - 2012-12-28 18:42 - 00000000 ____D C:\FRST
2012-12-28 17:00 - 2012-12-28 17:00 - 00000000 __SHD C:\found.000
2012-12-28 10:15 - 2011-09-09 22:48 - 00314441 ____A C:\Windows\System32\fastboot.set
2012-12-27 18:50 - 2011-09-09 22:27 - 01503701 ____A C:\Windows\WindowsUpdate.log
2012-12-27 18:42 - 2012-07-20 14:31 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2617488841-3302547860-2323301671-1001UA.job
2012-12-27 18:30 - 2012-12-08 10:26 - 00010976 ____A C:\Windows\setupact.log
2012-12-27 17:58 - 2011-09-09 22:44 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-12-27 11:58 - 2011-09-09 22:44 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-12-27 09:49 - 2012-09-07 13:27 - 00000000 ____D C:\Users\All Users\MFAData
2012-12-27 08:03 - 2009-07-13 20:45 - 00020688 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-12-27 08:03 - 2009-07-13 20:45 - 00020688 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-12-27 08:00 - 2009-07-13 21:13 - 00005388 ____A C:\Windows\System32\PerfStringBackup.INI
2012-12-27 07:56 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-12-24 17:41 - 2011-12-25 06:48 - 00000000 ____D C:\Users\ross\Documents\REAPER Media
2012-12-24 17:40 - 2011-12-28 13:52 - 00000016 ____A C:\Users\ross\AppData\Roaming\msregsvv.dll
2012-12-24 17:40 - 2011-12-28 13:52 - 00000016 ____A C:\Users\All Users\autobk.inc
2012-12-24 12:15 - 2012-12-12 09:50 - 00000000 ____D C:\Users\ross\Desktop\Britannica Primary
2012-12-22 11:41 - 2012-09-15 06:04 - 00000000 ____D C:\Users\ross\AppData\Roaming\TH2
2012-12-22 09:12 - 2009-07-13 20:45 - 00291808 ____A C:\Windows\System32\FNTCACHE.DAT
2012-12-21 19:15 - 2012-01-09 13:41 - 00000000 ____D C:\Users\ross\AppData\Roaming\SoftGrid Client
2012-12-20 18:35 - 2012-05-25 13:44 - 00000000 ____D C:\Users\ross\AppData\Local\Spotify
2012-12-18 18:47 - 2012-12-18 11:38 - 00000000 ____D C:\Users\All Users\webcamXP 5
2012-12-18 11:38 - 2012-12-18 11:38 - 00000000 ____D C:\Program Files (x86)\webcamXP 5
2012-12-17 08:34 - 2012-11-17 14:24 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-12-16 13:04 - 2012-06-09 06:44 - 00000000 ____D C:\Users\ross\.gimp-2.8
2012-12-16 13:03 - 2012-12-16 13:03 - 00007704 ____A C:\Users\ross\AppData\Local\recently-used.xbel
2012-12-16 12:46 - 2012-12-16 11:52 - 00000000 ____D C:\Users\ross\Downloads\website2
2012-12-16 12:28 - 2012-12-16 12:27 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-12-16 11:27 - 2012-01-20 12:10 - 00000000 ____D C:\Users\ross\AppData\Roaming\Foxit Software
2012-12-16 09:11 - 2012-12-21 19:00 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-16 06:45 - 2012-12-21 19:00 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-16 06:13 - 2012-12-21 19:00 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2012-12-16 06:13 - 2012-12-21 19:00 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2012-12-15 14:27 - 2012-12-15 14:27 - 00000000 ____D C:\Program Files (x86)\CamStudio 2.6b
2012-12-14 10:47 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2012-12-12 15:09 - 2012-12-12 13:32 - 01409050 ____A C:\Users\ross\Desktop\Site1.wpp
2012-12-12 13:33 - 2012-12-12 13:33 - 00000000 ____D C:\Users\ross\Documents\Web
2012-12-12 13:33 - 2011-12-25 03:33 - 00065208 ____A C:\Users\ross\AppData\Local\GDIPFONTCACHEV1.DAT
2012-12-09 01:39 - 2012-12-09 01:39 - 00000558 ____A C:\Windows\PFRO.log
2012-12-08 10:26 - 2012-12-08 10:26 - 00000000 ____A C:\Windows\setuperr.log
2012-12-08 09:59 - 2012-08-09 12:43 - 00000000 ____D C:\Users\ross\Tracing
2012-12-08 09:59 - 2012-01-23 11:12 - 00000000 ____D C:\Windows\Minidump
2012-12-08 09:59 - 2011-02-12 11:33 - 00000000 ____D C:\Windows\Panther
2012-12-08 09:54 - 2012-09-07 13:28 - 00000000 ____D C:\Program Files\CCleaner
2012-12-08 09:51 - 2012-11-23 07:37 - 00000000 ____D C:\Users\ross\AppData\Roaming\OnLive App
2012-12-08 09:51 - 2012-09-07 13:25 - 00000000 ____D C:\Program Files (x86)\VS Revo Group
2012-12-08 09:50 - 2012-12-04 11:03 - 00000000 ____D C:\Users\ross\AppData\Roaming\Skype
2012-12-08 09:50 - 2012-12-04 11:03 - 00000000 ____D C:\Users\All Users\Skype
2012-12-08 09:50 - 2011-09-09 22:50 - 00000000 ____D C:\Program Files (x86)\Windows Live
2012-12-08 09:46 - 2012-12-08 09:46 - 00000000 ____D C:\Users\ross\AppData\Local\{44E316FE-9B27-4B36-AF34-0123C84210CC}
2012-12-07 15:34 - 2012-12-07 15:33 - 00000000 ____D C:\Users\ross\AppData\Local\{3528BD30-2719-4017-89B9-6A16965164C9}
2012-12-05 10:18 - 2012-12-05 10:17 - 00000000 ____D C:\Users\ross\AppData\Local\{000AED22-CF63-4D99-80CB-2345F7F025E5}
2012-12-04 11:01 - 2012-12-04 11:01 - 00000000 ____D C:\Users\ross\AppData\Local\{80296AC9-B111-4625-AB76-0FDCC8E7AF9E}
2012-12-03 10:59 - 2012-12-03 10:59 - 00000000 ____D C:\Users\ross\AppData\Local\{FDECE7F0-BEB4-479D-BEC8-66FDC3855831}
2012-12-01 09:58 - 2012-12-01 09:58 - 00001783 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-12-01 09:58 - 2012-12-01 09:58 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-12-01 09:58 - 2012-12-01 09:58 - 00000000 ____D C:\Program Files\iTunes
2012-12-01 09:58 - 2012-12-01 09:58 - 00000000 ____D C:\Program Files\iPod
2012-12-01 09:58 - 2012-12-01 09:58 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-12-01 09:33 - 2012-12-01 09:33 - 00000000 ____D C:\Users\ross\AppData\Local\{C28DB591-89BA-465E-9312-77657B918FF4}
2012-11-30 11:33 - 2012-11-30 11:33 - 00000000 ____D C:\Users\ross\AppData\Local\{73F9D44A-2B67-4C35-A854-4DB9A4B657DD}
2012-11-28 06:42 - 2012-11-28 06:41 - 00000000 ____D C:\Users\ross\AppData\Local\{C12828DD-93B1-4F2D-B13E-45E24D3DBFFC}


==================== Known DLLs (Whitelisted) =================

C:\Windows\System32\IERTUTIL.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\IERTUTIL.dll IS MISSING <==== ATTENTION!
C:\Windows\System32\LPK.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\LPK.dll IS MISSING <==== ATTENTION!
C:\Windows\System32\URLMON.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\URLMON.dll IS MISSING <==== ATTENTION!
C:\Windows\System32\WININET.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\WININET.dll IS MISSING <==== ATTENTION!

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 3944.37 MB
Available physical RAM: 3311.8 MB
Total Pagefile: 3942.57 MB
Available Pagefile: 3297.49 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:440.59 GB) (Free:299.57 GB) NTFS
2 Drive e: (ITMIGHTGETLOUD) (CDROM) (Total:7.55 GB) (Free:0 GB) UDF
3 Drive f: () (Removable) (Total:1.86 GB) (Free:1.79 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 1910 MB 0 B
Disk 2 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 440 GB 101 MB
Partition 3 OEM 25 GB 440 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 440 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 12
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 LENOVO_PART NTFS Partition 25 GB Healthy Hidden

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1909 MB 64 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT Removable 1909 MB Healthy

=========================================================

Last Boot: 2012-12-25 05:29

==================== End Of Log =============================


#2 CatByte

    bleepin' tiger

  • Malware Response Team

Posted 29 December 2012 - 11:30 AM

These files appear to be missing:

==================== Known DLLs (Whitelisted) =================

C:\Windows\System32\IERTUTIL.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\IERTUTIL.dll IS MISSING <==== ATTENTION!
C:\Windows\System32\LPK.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\LPK.dll IS MISSING <==== ATTENTION!
C:\Windows\System32\URLMON.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\URLMON.dll IS MISSING <==== ATTENTION!
C:\Windows\System32\WININET.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\WININET.dll IS MISSING <==== ATTENTION!


Let's do a search for them and see if replacing them solves the boot issue.


You will need to run FRST again, but this time use the search feature:

  • type the following into the search box: IERTUTIL.dll;LPK.dll;URLMON.dll;WININET.dll
  • now press the search button
  • when the search is complete, search.txt will be written to your USB
  • type exit
  • please copy and paste the log (Search.txt) in your reply

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 ross3

  • Topic Starter
  • Members

Posted 29 December 2012 - 01:56 PM

Hi,

This is the search doc



Farbar Recovery Scan Tool (x64) Version: 28-12-2012
Ran by SYSTEM at 2012-12-29 17:00:29
Running from F:\

================== Search: "IERTUTIL.dll;LPK.dll;URLMON.dll;WINNET.dll" ===================

C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.20562_none_6082aa7cc007aa9d\iertutil.dll
[2012-11-14 09:44] - [2012-10-07 23:31] - 1793024 ____A (Microsoft Corporation) F72FB9A16B8544BD3F3F58106E1CAC58

C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.20557_none_60927bdabffb0d5f\iertutil.dll
[2012-09-22 16:32] - [2012-08-23 23:07] - 1793024 ____A (Microsoft Corporation) C5BF51D58A85AD2B8D392E21BB9A5D86

C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.20554_none_608f7afcbffdc15a\iertutil.dll
[2012-08-16 05:34] - [2012-06-28 14:46] - 1793024 ____A (Microsoft Corporation) EC6CF836399ED2C4AAB70F17D65F7884

C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.20553_none_608e7ab2bffea803\iertutil.dll
[2012-07-12 05:32] - [2012-06-02 00:11] - 1793024 ____A (Microsoft Corporation) 4739AD40B8240A177815D4976CD552AB

C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.20551_none_608c7a1ec0007555\iertutil.dll
[2012-06-14 16:16] - [2012-05-17 14:12] - 1793024 ____A (Microsoft Corporation) A598B6A45346A21960D661C6A1E7552E

C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.16455_none_6006de7ba6df3ae7\iertutil.dll
[2012-11-14 09:43] - [2012-10-07 23:41] - 1793024 ____A (Microsoft Corporation) 3178C47DB9F1615E5334029607BD3459

C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.16450_none_6001dd09a6e3bc34\iertutil.dll
[2012-09-22 16:32] - [2012-08-23 22:44] - 1793024 ____A (Microsoft Corporation) EB8A00E8E9931A7EC04F920B09D880D8

C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.16448_none_6014af45a6d46afb\iertutil.dll
[2012-08-16 05:34] - [2012-06-28 16:01] - 1793024 ____A (Microsoft Corporation) B17ADBBBDC97148D28F995F32C380F2E

C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.16447_none_6013aefba6d551a4\iertutil.dll
[2012-07-12 05:32] - [2012-06-02 00:19] - 1793024 ____A (Microsoft Corporation) C516284DE6DB833E77CC0E5217CDC6AA

C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.16446_none_6012aeb1a6d6384d\iertutil.dll
[2012-06-14 16:16] - [2012-05-17 14:27] - 1793024 ____A (Microsoft Corporation) E0C68CE8A3C548B101ABC01DB3DDB7CA

C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.16421_none_60234d17a6ca81b8\iertutil.dll
[2011-09-09 22:56] - [2011-09-09 22:56] - 1785344 ____A (Microsoft Corporation) D3F60BC53FF510B88B9ACBC3F64FE922

C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.7601.21718_none_64f2fb557ae24418\iertutil.dll
[2011-09-09 22:36] - [2011-05-01 21:38] - 2064384 ____A (Microsoft Corporation) F76BC64151ED46D9B81D4E1CBA5C29D4

C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.7601.17608_none_64742e7661bc885d\iertutil.dll
[2011-09-09 22:36] - [2011-04-28 20:54] - 2064384 ____A (Microsoft Corporation) 3B10CE9257F58352B555FADD898C5F12

C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.7601.17514_none_64655b7c61c841cb\iertutil.dll
[2010-11-20 19:24] - [2010-11-20 19:24] - 2064384 ____A (Microsoft Corporation) 683E0C9DA9E1EB9E4691DFAE0EC83E36

C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.20562_none_cdc217ff0a4d65ad\urlmon.dll
[2012-11-14 09:44] - [2012-10-07 23:38] - 1103872 ____A (Microsoft Corporation) 8E7042CA1E52F48974EAE772979E402F

C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.20557_none_cdd1e95d0a40c86f\urlmon.dll
[2012-09-22 16:32] - [2012-08-23 23:13] - 1103872 ____A (Microsoft Corporation) 10DD66F278AC1B682D84E3E350A210E0

C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.20554_none_cdcee87f0a437c6a\urlmon.dll
[2012-08-16 05:34] - [2012-06-28 14:54] - 1103872 ____A (Microsoft Corporation) FA55910D9A36CEC5929736E62812A4D5

C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.20553_none_cdcde8350a446313\urlmon.dll
[2012-07-12 05:32] - [2012-06-02 00:17] - 1103872 ____A (Microsoft Corporation) 1496EAE3185CD8C47E46DAF76180BD31

C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.20551_none_cdcbe7a10a463065\urlmon.dll
[2012-06-14 16:16] - [2012-05-17 14:20] - 1103872 ____A (Microsoft Corporation) B90EC2FD27886CEBA71DB3B6EAFC74FA

C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.16455_none_cd464bfdf124f5f7\urlmon.dll
[2012-11-14 09:44] - [2012-10-07 23:48] - 1103872 ____A (Microsoft Corporation) FC4EE980C3BD87D35816EC55007E00B5

C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.16450_none_cd414a8bf1297744\urlmon.dll
[2012-09-22 16:32] - [2012-08-23 22:51] - 1103872 ____A (Microsoft Corporation) 9FAC0F6D5F3D922DB294E30CD3F62369

C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.16448_none_cd541cc7f11a260b\urlmon.dll
[2012-08-16 05:34] - [2012-06-28 16:09] - 1103872 ____A (Microsoft Corporation) 667981F2E7C26275F0694B58EEE303B9

C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.16447_none_cd531c7df11b0cb4\urlmon.dll
[2012-07-12 05:32] - [2012-06-02 00:26] - 1103872 ____A (Microsoft Corporation) 1408CF9B0DD2AAA80D8E7087C8A2E3BC

C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.16446_none_cd521c33f11bf35d\urlmon.dll
[2012-06-14 16:16] - [2012-05-17 14:36] - 1103872 ____A (Microsoft Corporation) CAAF911D2E61AE5C1518F53BEF54C698

C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.16421_none_cd62ba99f1103cc8\urlmon.dll
[2011-09-09 22:56] - [2011-09-09 22:56] - 1102336 ____A (Microsoft Corporation) AA5F4683A0C3C40D90377AA238A6F1B7

C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_8.0.7601.21710_none_d22a6687c52f3470\urlmon.dll
[2011-09-09 22:36] - [2011-04-22 11:51] - 1231872 ____A (Microsoft Corporation) B50E9A4248350B30D6B37B5C52129B5E

C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_8.0.7601.21676_none_d1ef86d5c55a76f9\urlmon.dll
[2011-09-09 22:32] - [2011-03-06 21:22] - 1231360 ____A (Microsoft Corporation) 2152F28E8153CC1402D190CF3C0626D1

C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_8.0.7601.17601_none_d1ac99f2ac08920c\urlmon.dll
[2011-09-09 22:36] - [2011-04-22 11:09] - 1230848 ____A (Microsoft Corporation) 1973A8AC903115B3B60E1A53C1B014E6

C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_8.0.7601.17573_none_d162e92cac3f8b2a\urlmon.dll
[2011-09-09 22:32] - [2011-03-06 21:33] - 1230336 ____A (Microsoft Corporation) A5CDD9A5C605EAEB03F7D0F86A40ABAC

C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_8.0.7601.17514_none_d1a4c8feac0dfcdb\urlmon.dll
[2010-11-20 19:24] - [2010-11-20 19:24] - 1229824 ____A (Microsoft Corporation) EBB431C6332107651CD2E2715A707994

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_1281c5a8bee46a0f\lpk.dll
[2009-07-13 15:25] - [2009-07-13 17:11] - 0000000 ____A ()

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.18032_none_12360787a598d69a\lpk.dll
[2009-07-13 15:25] - [2009-07-13 17:11] - 0000000 ____A ()

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17537_none_123b293fa5942d6f\lpk.dll
[2009-07-13 15:25] - [2009-07-13 17:11] - 0000000 ____A ()

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17514_none_124dc839a586a988\lpk.dll
[2009-07-13 15:25] - [2009-07-13 17:11] - 0000000 ____A ()

C:\Windows\winsxs\amd64_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.20562_none_bca1460078651bd3\iertutil.dll
[2012-11-14 09:44] - [2012-10-08 02:03] - 2144768 ____A (Microsoft Corporation) 9D43EB7F46737294991EB75E72B7E710

C:\Windows\winsxs\amd64_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.20557_none_bcb1175e78587e95\iertutil.dll
[2012-09-22 16:32] - [2012-08-24 01:47] - 2144768 ____A (Microsoft Corporation) 6984FF326BD5C59DF9E962CC4407A4C2

C:\Windows\winsxs\amd64_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.20554_none_bcae1680785b3290\iertutil.dll
[2012-08-16 05:34] - [2012-06-28 17:45] - 2144768 ____A (Microsoft Corporation) B3B110B98A135FA154E2E01B8486A850

C:\Windows\winsxs\amd64_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.20553_none_bcad1636785c1939\iertutil.dll
[2012-07-12 05:32] - [2012-06-02 03:03] - 2144768 ____A (Microsoft Corporation) 714CB0F07D7C0A48C334B6A672EFFD44

C:\Windows\winsxs\amd64_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.20551_none_bcab15a2785de68b\iertutil.dll
[2012-06-14 16:16] - [2012-05-17 16:40] - 2144768 ____A (Microsoft Corporation) D310AFEF54A3815EB14A386DF70F361B

C:\Windows\winsxs\amd64_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.16455_none_bc2579ff5f3cac1d\iertutil.dll
[2012-11-14 09:44] - [2012-10-08 03:15] - 2144768 ____A (Microsoft Corporation) D25968D163EC487A50C8C6A91D4134B4

C:\Windows\winsxs\amd64_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.16450_none_bc20788d5f412d6a\iertutil.dll
[2012-09-22 16:32] - [2012-08-24 02:12] - 2144768 ____A (Microsoft Corporation) D841F7629505EE542E26E5F0A4D20101

C:\Windows\winsxs\amd64_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.16448_none_bc334ac95f31dc31\iertutil.dll
[2012-08-16 05:34] - [2012-06-28 19:42] - 2144768 ____A (Microsoft Corporation) E10A0704318A6F7E52787D09717D7C2C

C:\Windows\winsxs\amd64_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.16447_none_bc324a7f5f32c2da\iertutil.dll
[2012-07-12 05:32] - [2012-06-02 03:59] - 2144768 ____A (Microsoft Corporation) 78CA24E3B51C624007C1B8A7B8D6C9AF

C:\Windows\winsxs\amd64_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.16446_none_bc314a355f33a983\iertutil.dll
[2012-06-14 16:16] - [2012-05-17 17:54] - 2144768 ____A (Microsoft Corporation) B02D84F0923132869E1ABFE08E0D2314

C:\Windows\winsxs\amd64_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.16421_none_bc41e89b5f27f2ee\iertutil.dll
[2011-09-09 22:56] - [2011-09-09 22:56] - 2136064 ____A (Microsoft Corporation) 25896318C76F216FE878024603A21CDF

C:\Windows\winsxs\amd64_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.7601.21718_none_c11196d9333fb54e\iertutil.dll
[2011-09-09 22:36] - [2011-05-01 21:17] - 2443776 ____A (Microsoft Corporation) 5137BEECB69F21647E41C72A33633895

C:\Windows\winsxs\amd64_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.7601.17608_none_c092c9fa1a19f993\iertutil.dll
[2011-09-09 22:36] - [2011-04-28 21:51] - 2443776 ____A (Microsoft Corporation) 214338D755D4C1E0050D213AFA2A05E8

C:\Windows\winsxs\amd64_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.7601.17514_none_c083f7001a25b301\iertutil.dll
[2010-11-20 19:23] - [2010-11-20 19:23] - 2444288 ____A (Microsoft Corporation) 5180380D353277D395D3B36D790AA93E

C:\Windows\winsxs\amd64_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.20562_none_29e0b382c2aad6e3\urlmon.dll
[2012-11-14 09:44] - [2012-10-08 02:12] - 1346048 ____A (Microsoft Corporation) 0A9748D70B523023D7E806F5310C0D9E

C:\Windows\winsxs\amd64_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.20557_none_29f084e0c29e39a5\urlmon.dll
[2012-09-22 16:32] - [2012-08-24 01:54] - 1346048 ____A (Microsoft Corporation) 9B3089693741F103ECDC48AB98BA4A7C

C:\Windows\winsxs\amd64_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.20554_none_29ed8402c2a0eda0\urlmon.dll
[2012-08-16 05:34] - [2012-06-28 17:52] - 1346048 ____A (Microsoft Corporation) 9101747C3D532E75008BCEAF33AA2A67

C:\Windows\winsxs\amd64_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.20553_none_29ec83b8c2a1d449\urlmon.dll
[2012-07-12 05:32] - [2012-06-02 03:10] - 1346048 ____A (Microsoft Corporation) BBAF6ECE491034A19AE4B60C505547F6

C:\Windows\winsxs\amd64_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.20551_none_29ea8324c2a3a19b\urlmon.dll
[2012-06-14 16:16] - [2012-05-17 16:48] - 1346048 ____A (Microsoft Corporation) 9B1EAF190047BE758AF80B6A32328BBD

C:\Windows\winsxs\amd64_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.16455_none_2964e781a982672d\urlmon.dll
[2012-11-14 09:44] - [2012-10-08 03:24] - 1346048 ____A (Microsoft Corporation) E519FD2CE6D57062400537C95C3B17FD

C:\Windows\winsxs\amd64_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.16450_none_295fe60fa986e87a\urlmon.dll
[2012-09-22 16:32] - [2012-08-24 02:22] - 1346048 ____A (Microsoft Corporation) 2885A3C3148F725CDA0B4C593BA8F7CE

C:\Windows\winsxs\amd64_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.16448_none_2972b84ba9779741\urlmon.dll
[2012-08-16 05:34] - [2012-06-28 19:49] - 1346048 ____A (Microsoft Corporation) 7F7FE11DF2D67B36DFE5013881619A94

C:\Windows\winsxs\amd64_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.16447_none_2971b801a9787dea\urlmon.dll
[2012-07-12 05:32] - [2012-06-02 04:05] - 1346048 ____A (Microsoft Corporation) E8FD953D416772794408A68CC20B247D

C:\Windows\winsxs\amd64_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.16446_none_2970b7b7a9796493\urlmon.dll
[2012-06-14 16:16] - [2012-05-17 17:59] - 1346048 ____A (Microsoft Corporation) CDB011A0A4E0CBAED9C26977365EE584

C:\Windows\winsxs\amd64_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.16421_none_2981561da96dadfe\urlmon.dll
[2011-09-09 22:56] - [2011-09-09 22:56] - 1344000 ____A (Microsoft Corporation) A6D4AE85D9316DDC27E9F8763BD512CD

C:\Windows\winsxs\amd64_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_8.0.7601.21710_none_2e49020b7d8ca5a6\urlmon.dll
[2011-09-09 22:36] - [2011-04-22 11:51] - 1492992 ____A (Microsoft Corporation) 3296AA05BFFFAE2BC9F142ABB1B5E9C3

C:\Windows\winsxs\amd64_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_8.0.7601.21676_none_2e0e22597db7e82f\urlmon.dll
[2011-09-09 22:32] - [2011-03-06 22:19] - 1492480 ____A (Microsoft Corporation) 21ACDFFCCC770CFA45ABD7E867131992

C:\Windows\winsxs\amd64_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_8.0.7601.17601_none_2dcb357664660342\urlmon.dll
[2011-09-09 22:36] - [2011-04-22 14:08] - 1492992 ____A (Microsoft Corporation) 5D15EB93AAC0074C2EFB13866B353DBB

C:\Windows\winsxs\amd64_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_8.0.7601.17573_none_2d8184b0649cfc60\urlmon.dll
[2011-09-09 22:32] - [2011-03-06 22:31] - 1491456 ____A (Microsoft Corporation) 48015F0A25AA8A03FBBD9F55C12814E4

C:\Windows\winsxs\amd64_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_8.0.7601.17514_none_2dc36482646b6e11\urlmon.dll
[2010-11-20 19:24] - [2010-11-20 19:24] - 1490944 ____A (Microsoft Corporation) 5FADA8B707318E1BD63A7E2B81E6C8CB

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_082d1b568a83a814\lpk.dll
[2009-07-13 15:38] - [2009-07-13 17:41] - 0000000 ____A ()

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.18032_none_07e15d357138149f\lpk.dll
[2009-07-13 15:38] - [2009-07-13 17:41] - 0000000 ____A ()

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17537_none_07e67eed71336b74\lpk.dll
[2009-07-13 15:38] - [2009-07-13 17:41] - 0000000 ____A ()

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17514_none_07f91de77125e78d\lpk.dll
[2009-07-13 15:38] - [2009-07-13 17:41] - 0000000 ____A ()

C:\Windows\SysWOW64\iertutil.dll
[2012-12-28 16:01] - [2012-01-19 01:04] - 1985536 ____A (Microsoft Corporation) 135007DA38A018FDA20785B2A68FEDE5

C:\Windows\SysWOW64\lpk.dll
[2012-12-28 16:00] - [2012-12-28 15:57] - 0022016 ____A (Microsoft Corporation) 74D66B3DE265E8789153414E75175F26

C:\Windows\SysWOW64\urlmon.dll
[2012-12-28 16:02] - [2012-12-17 02:13] - 1103872 ____A (Microsoft Corporation) 4266A3230981DD4434C55957F6DD497D

C:\Windows\System32\iertutil.dll
[2012-12-28 16:01] - [2012-01-19 01:04] - 1985536 ____A (Microsoft Corporation) 135007DA38A018FDA20785B2A68FEDE5

C:\Windows\System32\lpk.dll
[2012-12-28 16:00] - [2012-12-28 15:57] - 0022016 ____A (Microsoft Corporation) 74D66B3DE265E8789153414E75175F26

C:\Windows\System32\urlmon.dll
[2012-12-28 16:02] - [2012-12-17 02:13] - 1103872 ____A (Microsoft Corporation) 4266A3230981DD4434C55957F6DD497D

====== End Of Search ======

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:06 AM

Posted 29 December 2012 - 02:27 PM

well everything appears to be there except these two:

C:\Windows\System32\WININET.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\WININET.dll IS MISSING <==== ATTENTION!

Please run the search with FRST again but this time just enter WININET.dll into the search box and post the result

if there are no copies on the machine, then we will need to find replacements elsewhere



#5 ross3

ross3
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:10:06 AM

Posted 29 December 2012 - 02:36 PM

Here is the log:

Farbar Recovery Scan Tool (x64) Version: 28-12-2012
Ran by SYSTEM at 2012-12-29 19:33:50
Running from F:\

================== Search: "WININET.dll" ===================

C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.20562_none_1ac7f3a0d5568c40\wininet.dll
[2012-11-14 09:44] - [2012-10-07 23:37] - 1129472 ____A (Microsoft Corporation) 6E3AC8A54A1881806BA2B58539483788

C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.20557_none_1ad7c4fed549ef02\wininet.dll
[2012-09-22 16:32] - [2012-08-23 23:12] - 1129472 ____A (Microsoft Corporation) 2895E29EFCFC0B1BCF8AEE1A0C67913C

C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.20554_none_1ad4c420d54ca2fd\wininet.dll
[2012-08-16 05:34] - [2012-06-28 14:54] - 1129472 ____A (Microsoft Corporation) 54C30A4066A28F9A017E095E283B2762

C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.20553_none_1ad3c3d6d54d89a6\wininet.dll
[2012-07-12 05:32] - [2012-06-02 00:16] - 1129472 ____A (Microsoft Corporation) E430161A632F9A8FE512DE0CA5685559

C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.20551_none_1ad1c342d54f56f8\wininet.dll
[2012-06-14 16:16] - [2012-05-17 14:19] - 1129472 ____A (Microsoft Corporation) 43BAC67996D8765A5F1B3A4EA6231E21

C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.16455_none_1a4c279fbc2e1c8a\wininet.dll
[2012-11-14 09:44] - [2012-10-07 23:48] - 1129472 ____A (Microsoft Corporation) 9CB0D2A9A77D91D9614355EE9FF00519

C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.16450_none_1a47262dbc329dd7\wininet.dll
[2012-09-22 16:32] - [2012-08-23 22:51] - 1129472 ____A (Microsoft Corporation) 5553611E2F9EA6F613079177F1233068

C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.16448_none_1a59f869bc234c9e\wininet.dll
[2012-08-16 05:34] - [2012-06-28 16:09] - 1129472 ____A (Microsoft Corporation) 75A97A2C060E72AB49E071E08C7DD2BA

C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.16447_none_1a58f81fbc243347\wininet.dll
[2012-07-12 05:32] - [2012-06-02 00:25] - 1129472 ____A (Microsoft Corporation) 8E87270C4704CF2951E1E7820D6C8A2B

C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.16446_none_1a57f7d5bc2519f0\wininet.dll
[2012-06-14 16:16] - [2012-05-17 14:35] - 1129472 ____A (Microsoft Corporation) 1C191A4F0960F21B5D58C8A65BAF5427

C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.16421_none_1a68963bbc19635b\wininet.dll
[2011-09-09 22:56] - [2011-09-09 22:56] - 1126912 ____A (Microsoft Corporation) A1236375B74EA63C75657D564890C436

C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.7601.21710_none_1f30422990385b03\wininet.dll
[2011-09-09 22:36] - [2011-04-22 11:51] - 0981504 ____A (Microsoft Corporation) 7A11DB452989040AD8570A3DCE2E9DE2

C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.7601.21676_none_1ef5627790639d8c\wininet.dll
[2011-09-09 22:32] - [2011-03-06 21:22] - 0981504 ____A (Microsoft Corporation) EDEB2904636B657782F824D8FF97D0B8

C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.7601.17601_none_1eb275947711b89f\wininet.dll
[2011-09-09 22:36] - [2011-04-22 11:10] - 0981504 ____A (Microsoft Corporation) 2CA020EACDC6DDB2BEA89FEA02C90945

C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.7601.17573_none_1e68c4ce7748b1bd\wininet.dll
[2011-09-09 22:32] - [2011-03-06 21:33] - 0981504 ____A (Microsoft Corporation) A5B19B240901CAB0C8E7767D2873613E

C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.7601.17514_none_1eaaa4a07717236e\wininet.dll
[2010-11-20 19:24] - [2010-11-20 19:24] - 0980992 ____A (Microsoft Corporation) 44214C94911C7CFB1D52CB64D5E8368D

C:\Windows\winsxs\amd64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.20562_none_76e68f248db3fd76\wininet.dll
[2012-11-14 09:44] - [2012-10-08 02:11] - 1392128 ____A (Microsoft Corporation) 789EAD6F3CE42F3322818988400986E9

C:\Windows\winsxs\amd64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.20557_none_76f660828da76038\wininet.dll
[2012-09-22 16:32] - [2012-08-24 01:53] - 1392128 ____A (Microsoft Corporation) 456D4E9006DF149C250D40B813290471

C:\Windows\winsxs\amd64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.20554_none_76f35fa48daa1433\wininet.dll
[2012-08-16 05:34] - [2012-06-28 17:51] - 1392128 ____A (Microsoft Corporation) 8BA7EDA2656ED7FBC93BDD5CB02B8D4E

C:\Windows\winsxs\amd64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.20553_none_76f25f5a8daafadc\wininet.dll
[2012-07-12 05:32] - [2012-06-02 03:09] - 1392128 ____A (Microsoft Corporation) 571E809181EBF0A04FEFAA9BC9961F5B

C:\Windows\winsxs\amd64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.20551_none_76f05ec68dacc82e\wininet.dll
[2012-06-14 16:16] - [2012-05-17 16:47] - 1392128 ____A (Microsoft Corporation) BDC16D105BF011D4B1C3F09CF7A64314

C:\Windows\winsxs\amd64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.16455_none_766ac323748b8dc0\wininet.dll
[2012-11-14 09:44] - [2012-10-08 03:23] - 1392128 ____A (Microsoft Corporation) A19DB004D954BBC9C4EC125711E1D1C2

C:\Windows\winsxs\amd64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.16450_none_7665c1b174900f0d\wininet.dll
[2012-09-22 16:32] - [2012-08-24 02:21] - 1392128 ____A (Microsoft Corporation) 3D165C53E40236A68B7102D1A622D4E0

C:\Windows\winsxs\amd64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.16448_none_767893ed7480bdd4\wininet.dll
[2012-08-16 05:34] - [2012-06-28 19:49] - 1392128 ____A (Microsoft Corporation) 8EA68FD3780DDDD5072F8CB830B3CB3D

C:\Windows\winsxs\amd64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.16447_none_767793a37481a47d\wininet.dll
[2012-07-12 05:32] - [2012-06-02 04:05] - 1392128 ____A (Microsoft Corporation) 5A45FA344F4AD99D903F4B20E43B89EC

C:\Windows\winsxs\amd64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.16446_none_7676935974828b26\wininet.dll
[2012-06-14 16:16] - [2012-05-17 17:59] - 1392128 ____A (Microsoft Corporation) 870ECFEBD41C7B8F9C6777748368D51F

C:\Windows\winsxs\amd64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.16421_none_768731bf7476d491\wininet.dll
[2011-09-09 22:56] - [2011-09-09 22:56] - 1389056 ____A (Microsoft Corporation) 1BF2BCC7E3C26FD4C8EF0C9EFB0CC25D

C:\Windows\winsxs\amd64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.7601.21710_none_7b4eddad4895cc39\wininet.dll
[2011-09-09 22:36] - [2011-04-22 11:51] - 1189376 ____A (Microsoft Corporation) BC661E59AE2BC840C6D8165F170DE7DE

C:\Windows\winsxs\amd64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.7601.21676_none_7b13fdfb48c10ec2\wininet.dll
[2011-09-09 22:32] - [2011-03-06 22:20] - 1189376 ____A (Microsoft Corporation) 93679DC9407BFC602D7E6BFC027455E0

C:\Windows\winsxs\amd64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.7601.17601_none_7ad111182f6f29d5\wininet.dll
[2011-09-09 22:36] - [2011-04-22 14:08] - 1188864 ____A (Microsoft Corporation) 2DCA688631F71722B0B5E57F526BB2EB

C:\Windows\winsxs\amd64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.7601.17573_none_7a8760522fa622f3\wininet.dll
[2011-09-09 22:32] - [2011-03-06 22:31] - 1188864 ____A (Microsoft Corporation) AB026A724960570803E90DC370893BD0

C:\Windows\winsxs\amd64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.7601.17514_none_7ac940242f7494a4\wininet.dll
[2010-11-20 19:23] - [2010-11-20 19:23] - 1188864 ____A (Microsoft Corporation) F6C5302E1F4813D552F41A0AC82455E5

C:\Windows\SysWOW64\wininet.dll
[2012-12-28 16:02] - [2012-01-17 05:58] - 0981504 ____A (Microsoft Corporation) 19714FA7D7204D9BEE1EE12791DA9010

C:\Windows\System32\wininet.dll
[2012-12-28 16:01] - [2012-01-17 05:58] - 0981504 ____A (Microsoft Corporation) 19714FA7D7204D9BEE1EE12791DA9010

====== End Of Search ======

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:06 AM

Posted 29 December 2012 - 03:12 PM

C:\Windows\SysWOW64\wininet.dll
[2012-12-28 16:02] - [2012-01-17 05:58] - 0981504 ____A (Microsoft Corporation) 19714FA7D7204D9BEE1EE12791DA9010

C:\Windows\System32\wininet.dll
[2012-12-28 16:01] - [2012-01-17 05:58] - 0981504 ____A (Microsoft Corporation) 19714FA7D7204D9BEE1EE12791DA9010


interesting that both those files are where they should be, but FRST was unable to recognize them

let's have a look with another tool


  • Download ListParts64 to a USB flash drive.
  • Plug the USB drive into the infected machine.

Boot your computer into Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...

Posted Image

  • Select the Command Prompt option.
  • A command window will open.
  • Type f:\listparts64.exe and hit Enter
  • ListParts will start to run.
  • check the "list BCD" box
  • Press the Scan button.
  • When finished scanning it will make a log Result.txt on the flash drive.
  • Close the command window.
  • please post the Result.txt log.

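The search CatByte asked for in post #2 and the observation in post #6 (both wininet.dll copies are present, with the same MD5, yet the loader reports them missing) invite a check the thread does not perform. The script below is an added example, not code from the thread or from FRST. It parses the Search.txt entry format shown in the posts (a path line followed by a `[created] - [modified] - size attrs (company) MD5` line), flags any DLL whose System32 and SysWOW64 copies share an MD5 (on x64 Windows, System32 holds the 64-bit build and SysWOW64 the 32-bit build, so identical hashes mean one directory holds a file of the wrong architecture, which the loader cannot use even though the file is on disk), lists names with no live copy at all, and ranks the non-empty WinSxS copies by architecture and version as replacement candidates. The sample input is five entries copied from the thread's own logs; the function and constant names are mine.

```python
# Added example: parse FRST Search.txt output and sanity-check the DLL copies it lists.
# Not code from FRST or from the thread; it assumes the entry format shown in the posts.
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Detail line: [created] - [modified] - size attrs (company) MD5   (no MD5 on zero-byte files)
ENTRY_RE = re.compile(
    r"^\[(?P<created>[\d-]+ [\d:]+)\] - \[(?P<modified>[\d-]+ [\d:]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\)(?: (?P<md5>[0-9A-Fa-f]{32}))?\s*$")
# WinSxS component directory: <arch>_<component>_<publickeytoken>_<version>_<culture>_<hash>
SXS_RE = re.compile(r"^(?P<arch>x86|amd64|wow64|msil)_.+?_[0-9a-f]{16}_(?P<version>\d+(?:\.\d+){3})_",
                    re.IGNORECASE)

# Constructed sample: five entries copied verbatim from the thread's own Search.txt logs.
SAMPLE_SEARCH_TXT = r"""
================== Search: "WININET.dll" ===================
C:\Windows\winsxs\amd64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.20562_none_76e68f248db3fd76\wininet.dll
[2012-11-14 09:44] - [2012-10-08 02:11] - 1392128 ____A (Microsoft Corporation) 789EAD6F3CE42F3322818988400986E9
C:\Windows\winsxs\amd64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.7601.17514_none_7ac940242f7494a4\wininet.dll
[2010-11-20 19:23] - [2010-11-20 19:23] - 1188864 ____A (Microsoft Corporation) F6C5302E1F4813D552F41A0AC82455E5
C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17514_none_124dc839a586a988\lpk.dll
[2009-07-13 15:25] - [2009-07-13 17:11] - 0000000 ____A ()
C:\Windows\SysWOW64\wininet.dll
[2012-12-28 16:02] - [2012-01-17 05:58] - 0981504 ____A (Microsoft Corporation) 19714FA7D7204D9BEE1EE12791DA9010
C:\Windows\System32\wininet.dll
[2012-12-28 16:01] - [2012-01-17 05:58] - 0981504 ____A (Microsoft Corporation) 19714FA7D7204D9BEE1EE12791DA9010
====== End Of Search ======
"""

@dataclass
class FileEntry:
    path: str
    created: str
    modified: str
    size: int
    company: str
    md5: Optional[str]

    @property
    def name(self) -> str:          # basename, lower-cased
        return PureWindowsPath(self.path).name.lower()

    @property
    def directory(self) -> str:     # "system32", "syswow64" or the WinSxS component directory
        return PureWindowsPath(self.path).parent.name.lower()

def parse_search_log(text: str) -> list[FileEntry]:
    """Pair each path line with the detail line that follows it."""
    entries, pending = [], None
    for line in (l.strip() for l in text.splitlines()):
        if re.match(r"^[A-Za-z]:\\", line):
            pending = line
            continue
        m = ENTRY_RE.match(line)
        if m and pending:
            entries.append(FileEntry(pending, m["created"], m["modified"], int(m["size"]),
                                     m["company"], m["md5"].upper() if m["md5"] else None))
            pending = None
    return entries

def system_copies(entries: list[FileEntry]) -> dict[str, dict[str, FileEntry]]:
    """basename -> {"system32": entry, "syswow64": entry} for the live system directories."""
    by_name: dict[str, dict[str, FileEntry]] = defaultdict(dict)
    for e in entries:
        if e.directory in ("system32", "syswow64"):
            by_name[e.name][e.directory] = e
    return by_name

def wrong_architecture_copies(entries: list[FileEntry]) -> list[str]:
    """On x64 Windows System32 holds the 64-bit build and SysWOW64 the 32-bit build of a DLL,
    so the two copies never share an MD5; a shared hash means one directory holds a file of
    the wrong architecture, which the loader rejects although the file is present on disk."""
    return [name for name, c in sorted(system_copies(entries).items())
            if "system32" in c and "syswow64" in c and c["system32"].md5
            and c["system32"].md5 == c["syswow64"].md5]

def missing_from_system(entries: list[FileEntry], expected: list[str]) -> list[str]:
    """Names in `expected` with no copy in either System32 or SysWOW64."""
    present = system_copies(entries)
    return [n for n in expected if n.lower() not in present]

def winsxs_candidates(entries: list[FileEntry], name: str, arch: str) -> list[tuple[str, FileEntry]]:
    """Non-empty, hashed WinSxS copies of `name` built for `arch` ('amd64'/'x86'), newest first."""
    found = []
    for e in entries:
        m = SXS_RE.match(e.directory)
        if m and m["arch"].lower() == arch and e.name == name.lower() and e.size > 0 and e.md5:
            found.append((m["version"], e))
    found.sort(key=lambda item: tuple(int(p) for p in item[0].split(".")), reverse=True)
    return found

if __name__ == "__main__":
    found = parse_search_log(SAMPLE_SEARCH_TXT)
    print("System32/SysWOW64 pairs sharing an MD5:", wrong_architecture_copies(found))
    print("no live copy at all:", missing_from_system(found, ["wininet.dll", "lpk.dll"]))
    for version, e in winsxs_candidates(found, "wininet.dll", "amd64"):
        print(f"amd64 WinSxS candidate {version}: {e.path} ({e.size} bytes, MD5 {e.md5})")
```

Run as-is to see the report for the sample; pass the contents of a real Search.txt to parse_search_log to check a machine's own log. Newest-first ordering of the WinSxS candidates is only a convenience: which version belongs in System32 depends on the installed Internet Explorer update level, which the log alone does not tell you, so the candidate list is input for the person doing the repair rather than an automatic choice.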


#7 ross3

ross3
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:10:06 AM

Posted 29 December 2012 - 03:18 PM

Here is the log:

ListParts by Farbar Version: 30-10-2012
Ran by SYSTEM (administrator) on 29-12-2012 at 20:16:24
Windows 7 (X64)
Running From: F:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 3944.37 MB
Available physical RAM: 3334.23 MB
Total Pagefile: 3942.57 MB
Available Pagefile: 3380.1 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:440.59 GB) (Free:297.78 GB) NTFS
3 Drive f: (PENDRIVE) (Removable) (Total:1.86 GB) (Free:0.35 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ###  Status         Size     Free     Dyn  Gpt
--------  -------------  -------  -------  ---  ---
Disk 0    Online          465 GB      0 B
Disk 1    Online         1910 MB      0 B
Disk 2    No Media           0 B      0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary            100 MB  1024 KB
Partition 2    Primary            440 GB   101 MB
Partition 3    OEM                 25 GB   440 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   SYSTEM RESE  NTFS   Partition    100 MB  Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    440 GB  Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 12
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5         LENOVO_PART  NTFS   Partition     25 GB  Healthy    Hidden

======================================================================================================

Partitions of Disk 1:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           1909 MB    64 KB

======================================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     F   PENDRIVE     FAT    Removable   1909 MB  Healthy

======================================================================================================

Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=Y:
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {a39aed03-dc4d-11e0-99aa-c89cdc5dadd4}
resumeobject {a39aed02-dc4d-11e0-99aa-c89cdc5dadd4}
displayorder {a39aed03-dc4d-11e0-99aa-c89cdc5dadd4}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30

Windows Boot Loader
-------------------
identifier {a39aed03-dc4d-11e0-99aa-c89cdc5dadd4}
device partition=C:
path \windows\system32\winload.exe
description Windows 7
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {a39aed04-dc4d-11e0-99aa-c89cdc5dadd4}
recoveryenabled Yes
osdevice partition=C:
systemroot \windows
resumeobject {a39aed02-dc4d-11e0-99aa-c89cdc5dadd4}
nx OptIn
detecthal Yes

Windows Boot Loader
-------------------
identifier {a39aed04-dc4d-11e0-99aa-c89cdc5dadd4}
device ramdisk=[C:]\Recovery\a39aed04-dc4d-11e0-99aa-c89cdc5dadd4\Winre.wim,{a39aed05-dc4d-11e0-99aa-c89cdc5dadd4}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice ramdisk=[C:]\Recovery\a39aed04-dc4d-11e0-99aa-c89cdc5dadd4\Winre.wim,{a39aed05-dc4d-11e0-99aa-c89cdc5dadd4}
systemroot \windows
nx OptIn
winpe Yes
custom:46000010 Yes

Resume from Hibernate
---------------------
identifier {a39aed02-dc4d-11e0-99aa-c89cdc5dadd4}
device partition=C:
path \windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice partition=C:
filepath \hiberfil.sys
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
device partition=Y:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess Yes

EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems Yes

Debugger Settings
-----------------
identifier {4636856e-540f-4170-a130-a84776f4c654}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
{5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings
--------------------
identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
{7ff607e0-4395-11db-b0de-0800200c9a66}

Hypervisor Settings
-------------------
identifier {7ff607e0-4395-11db-b0de-0800200c9a66}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Device options
--------------
identifier {a39aed05-dc4d-11e0-99aa-c89cdc5dadd4}
description Ramdisk Options
ramdisksdidevice partition=C:
ramdisksdipath \Recovery\a39aed04-dc4d-11e0-99aa-c89cdc5dadd4\boot.sdi


****** End Of Log ******

#8 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Location: Canada)

Posted 29 December 2012 - 03:28 PM

Please run the following:

  • Download [attachment=133741:fix.txt] and save it to your flash drive. The fix.txt should be saved in the same directory as ListParts.
  • Enter System Recovery Options and select Command Prompt.
  • Run ListParts64 (the same way you ran FRST64) and click Fix.
  • When it is finished, click Scan and post the log (Result.txt) it makes.
  • Restart the computer and let it boot normally.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 ross3 (Topic Starter, Members, 19 posts)

Posted 29 December 2012 - 03:36 PM

Here is the log:

ListParts by Farbar Version: 30-10-2012
Ran by SYSTEM (administrator) on 29-12-2012 at 20:32:10
Windows 7 (X64)
Running From: F:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 3944.37 MB
Available physical RAM: 3337.07 MB
Total Pagefile: 3942.57 MB
Available Pagefile: 3371.99 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:440.59 GB) (Free:297.78 GB) NTFS
3 Drive f: (PENDRIVE) (Removable) (Total:1.86 GB) (Free:0.35 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 1910 MB 0 B
Disk 2 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 440 GB 101 MB
Partition 3 OEM 25 GB 440 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 440 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 12
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 LENOVO_PART NTFS Partition 25 GB Healthy Hidden

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1909 MB 64 KB

======================================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F PENDRIVE FAT Removable 1909 MB Healthy

======================================================================================================

Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=Y:
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {a39aed03-dc4d-11e0-99aa-c89cdc5dadd4}
resumeobject {a39aed02-dc4d-11e0-99aa-c89cdc5dadd4}
displayorder {a39aed03-dc4d-11e0-99aa-c89cdc5dadd4}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30

Windows Boot Loader
-------------------
identifier {a39aed03-dc4d-11e0-99aa-c89cdc5dadd4}
device partition=C:
path \windows\system32\winload.exe
description Windows 7
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {a39aed04-dc4d-11e0-99aa-c89cdc5dadd4}
recoveryenabled Yes
osdevice partition=C:
systemroot \windows
resumeobject {a39aed02-dc4d-11e0-99aa-c89cdc5dadd4}
nx OptIn
detecthal Yes

Windows Boot Loader
-------------------
identifier {a39aed04-dc4d-11e0-99aa-c89cdc5dadd4}
device ramdisk=[C:]\Recovery\a39aed04-dc4d-11e0-99aa-c89cdc5dadd4\Winre.wim,{a39aed05-dc4d-11e0-99aa-c89cdc5dadd4}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice ramdisk=[C:]\Recovery\a39aed04-dc4d-11e0-99aa-c89cdc5dadd4\Winre.wim,{a39aed05-dc4d-11e0-99aa-c89cdc5dadd4}
systemroot \windows
nx OptIn
winpe Yes
custom:46000010 Yes

Resume from Hibernate
---------------------
identifier {a39aed02-dc4d-11e0-99aa-c89cdc5dadd4}
device partition=C:
path \windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice partition=C:
filepath \hiberfil.sys
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
device partition=Y:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess Yes

EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems Yes

Debugger Settings
-----------------
identifier {4636856e-540f-4170-a130-a84776f4c654}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
{5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings
--------------------
identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
{7ff607e0-4395-11db-b0de-0800200c9a66}

Hypervisor Settings
-------------------
identifier {7ff607e0-4395-11db-b0de-0800200c9a66}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Device options
--------------
identifier {a39aed05-dc4d-11e0-99aa-c89cdc5dadd4}
description Ramdisk Options
ramdisksdidevice partition=C:
ramdisksdipath \Recovery\a39aed04-dc4d-11e0-99aa-c89cdc5dadd4\boot.sdi


****** End Of Log ******

Upon booting the computer, I was met with BSOD c000007b {Bad Image} winsrv is either not designed to run on Windows or it contains an error.

#10 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Location: Canada)

Posted 29 December 2012 - 03:42 PM

Let's see if replacing winsrv will help.

Run the search box with FRST again; this time, type winsrv.dll into the search box and post the resulting log.


#11 ross3 (Topic Starter, Members, 19 posts)

Posted 29 December 2012 - 03:49 PM

Here is the log:

Farbar Recovery Scan Tool (x64) Version: 28-12-2012
Ran by SYSTEM at 2012-12-29 20:46:44
Running from F:\

================== Search: "winsrv.dll" ===================

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.22091_none_14d49672cc561df0\winsrv.dll
[2012-10-10 11:13] - [2012-08-20 10:27] - 0215040 ____A (Microsoft Corporation) 111AFE35DD2D423EE8E176CA7B2BBDC7

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21738_none_151c9c12cc1efa1b\winsrv.dll
[2011-09-09 22:39] - [2011-06-02 23:01] - 0214528 ____A (Microsoft Corporation) 5AA1C7B5F471C4657BE38447BC397665

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21728_none_15276bfecc16de2a\winsrv.dll
[2011-09-09 22:38] - [2011-05-13 23:11] - 0214528 ____A (Microsoft Corporation) 1A589228B6DC007120F877DBBD6CB79D

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21624_none_152368f0cc1a7ba7\winsrv.dll
[2011-09-09 22:31] - [2010-12-18 00:52] - 0214016 ____A (Microsoft Corporation) A199CC08A13EEB667412423F712FE817

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17932_none_148d033db306b9bc\winsrv.dll
[2012-10-10 11:13] - [2012-08-20 10:48] - 0215040 ____A (Microsoft Corporation) F46BBAAC1C4980F4D0DD463F190A42D3

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17625_none_149ace55b2fbf25b\winsrv.dll
[2011-09-09 22:39] - [2011-06-02 22:57] - 0214528 ____A (Microsoft Corporation) 9F761CE1C6C013120B2F0DB27D48C06F

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17617_none_14a79ed5b2f20918\winsrv.dll
[2011-09-09 22:38] - [2011-05-13 23:24] - 0214528 ____A (Microsoft Corporation) 3A8135A7DED2FA0DAD3BDE1B14865A8A

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17527_none_149ccd03b2fa27e2\winsrv.dll
[2011-09-09 22:31] - [2010-12-17 03:42] - 0214016 ____A (Microsoft Corporation) 15822E7206C7A0A893395CB07A63C7E1

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17514_none_14a49c11b2f4bfec\winsrv.dll
[2010-11-20 19:24] - [2010-11-20 19:24] - 0214016 ____A (Microsoft Corporation) E0406AEF04B088D1C49FC78D0546F689

C:\Windows\System32\winsrv.dll
[2012-12-12 08:36] - [2012-10-04 09:45] - 0215040 ____A (Microsoft Corporation) 72CC564BBC70DE268784BCE91EB8A28F

====== End Of Search ======

#12 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Location: Canada)

Posted 29 December 2012 - 03:54 PM

Please do the following:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt

start
SubSystems: [Windows] ==> ZeroAccess
C:\Windows\System32\consrv.dll
TDL4: custom:26000022
replace: C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17932_none_148d033db306b9bc\winsrv.dll C:\Windows\System32\winsrv.dll
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.


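The search in #11 and the replace directive in #12 amount to one check: does the winsrv.dll that the live system loads from System32 match any of the Microsoft copies kept under WinSxS, and if it does not, which copy is the right comparison point. The script below is an added example, not part of this thread or of FRST. It parses the search-log format posted above (a constructed, abridged copy of that log is embedded as its input), records the MD5 of every hit, and reports whether the System32 copy matches a side-by-side copy. Two things in it are my assumptions rather than anything the thread states: the regular expressions used to read FRST's output, and the rule that prefers the newest GDR-branch copy (revision below 20000, which selects 6.1.7601.17932 here, the same copy the fix used) over the LDR-branch 22091.

```python
"""Cross-check a live system DLL against its WinSxS copies in an FRST search log.

Added example (not part of the original thread or of the FRST tool). It reads the
'Search: "winsrv.dll"' output format shown in the thread and reports whether
C:\\Windows\\System32\\winsrv.dll carries the MD5 of any side-by-side copy.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: an abridged copy of the search log posted in the thread.
SAMPLE_LOG = r"""
================== Search: "winsrv.dll" ===================

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.22091_none_14d49672cc561df0\winsrv.dll
[2012-10-10 11:13] - [2012-08-20 10:27] - 0215040 ____A (Microsoft Corporation) 111AFE35DD2D423EE8E176CA7B2BBDC7

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17932_none_148d033db306b9bc\winsrv.dll
[2012-10-10 11:13] - [2012-08-20 10:48] - 0215040 ____A (Microsoft Corporation) F46BBAAC1C4980F4D0DD463F190A42D3

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17625_none_149ace55b2fbf25b\winsrv.dll
[2011-09-09 22:39] - [2011-06-02 22:57] - 0214528 ____A (Microsoft Corporation) 9F761CE1C6C013120B2F0DB27D48C06F

C:\Windows\System32\winsrv.dll
[2012-12-12 08:36] - [2012-10-04 09:45] - 0215040 ____A (Microsoft Corporation) 72CC564BBC70DE268784BCE91EB8A28F

====== End Of Search ======
"""

# Assumed layout of FRST's detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$"
)
# Version embedded in the WinSxS component directory name, e.g. 6.1.7601.17932
SXS_VERSION_RE = re.compile(r"\\winsxs\\[^\\]*_(\d+\.\d+\.\d+\.\d+)_", re.IGNORECASE)


@dataclass
class FileRecord:
    path: str
    created: str
    modified: str
    size: int
    md5: str
    version: Optional[tuple]  # parsed from the WinSxS path; None for the live copy


def parse_search_log(text: str) -> list:
    """Pair each path line with the '[created] - [modified] - ...' line that follows it."""
    records = []
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):  # blank lines and the ===== banners
            continue
        m = DETAIL_RE.match(line)
        if m and pending_path:
            v = SXS_VERSION_RE.search(pending_path)
            version = tuple(int(p) for p in v.group(1).split(".")) if v else None
            records.append(FileRecord(pending_path, m["created"], m["modified"],
                                      int(m["size"]), m["md5"].upper(), version))
            pending_path = None
        else:
            pending_path = line  # a path line; its detail line comes next
    return records


def assess(records, live_path=r"C:\Windows\System32\winsrv.dll") -> dict:
    """Report whether the live DLL matches a WinSxS copy and, if not, which copy to compare it with."""
    live = next((r for r in records if r.path.lower() == live_path.lower()), None)
    sxs = [r for r in records if r.version is not None]
    if live is None:
        return {"live_md5": None, "matches": [], "trusted": False, "candidate": None}
    matches = [r.path for r in sxs if r.md5 == live.md5]
    # Assumption (mine, not the thread's): revisions below 20000 are the GDR branch
    # that general-release updates install; prefer the newest of those.
    gdr = [r for r in sxs if r.version[3] < 20000]
    candidate = max(gdr, key=lambda r: r.version).path if gdr else None
    return {
        "live_md5": live.md5,
        "matches": matches,
        "trusted": bool(matches),
        "candidate": None if matches else candidate,
    }


if __name__ == "__main__":
    result = assess(parse_search_log(SAMPLE_LOG))
    status = "matches a WinSxS copy" if result["trusted"] else "matches NO WinSxS copy"
    print(f"System32 winsrv.dll MD5 {result['live_md5']} {status}")
    if result["candidate"]:
        print("known-good copy to compare against:", result["candidate"])
```

A mismatch is a prompt to look closer, not proof of tampering: the System32 copy may legitimately come from an update whose component directory is not in the list, which is why the script only reports and leaves the replacement decision to the analyst, exactly as the fixlist above does by naming the source copy explicitly.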
#13 ross3 (Topic Starter, Members, 19 posts)

Posted 29 December 2012 - 04:01 PM

Here is the log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-12-2012
Ran by SYSTEM at 2012-12-29 20:59:53 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
C:\Windows\System32\consrv.dll not found.

An error occurred while attempting to delete the specified data element.
Element not found.
The operation completed successfully.
C:\Windows\System32\winsrv.dll moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17932_none_148d033db306b9bc\winsrv.dll copied successfully to C:\Windows\System32\winsrv.dll

==== End of Fixlog ====

After rebooting, I was met with the same BSOD c000007b

#14 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Location: Canada)

Posted 29 December 2012 - 04:13 PM

Please run a fresh scan with FRST and post the log.


#15 ross3 (Topic Starter, Members, 19 posts)

Posted 29 December 2012 - 04:21 PM

Here is the log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-12-2012
Ran by SYSTEM at 29-12-2012 21:16:13
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11543656 2010-10-26] (Realtek Semiconductor)
HKLM\...\Run: [Lenovo EE Boot Optimizer] C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe [114688 2011-09-09] (Lenovo)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
HKLM-x32\...\Run: [jmekey] C:\windows\jmesoft\hotkey.exe [118784 2011-03-21] (Lenovo)
HKLM-x32\...\Run: [jmesoft] C:\Windows\jmesoft\ServiceLoader.exe [28672 2011-03-15] ()
HKLM-x32\...\Run: [Lenovo Eye Distance System] C:\Program Files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe 1 [265216 2010-09-09] (Lenovo)
HKLM-x32\...\Run: [Lenovo Dynamic Brightness System] C:\Program Files\Lenovo\Lenovo Brightness System\Lenovo Dynamic Brightness System.exe 1 [285696 2010-10-08] (Lenovo)
HKLM-x32\...\Run: [CLMLServer] "C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe" [103720 2009-12-04] (CyberLink)
HKLM-x32\...\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery" [222504 2009-05-13] (CyberLink Corp.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [x]
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3143800 2012-11-06] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [x]
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [151952 2012-11-28] (Apple Inc.)
HKU\ross\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-09-09] (Google Inc.)
HKU\ross\...\Run: [Spotify Web Helper] "C:\Users\ross\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [x]
HKU\ross\...\Run: [Google Update] "C:\Users\ross\AppData\Local\Google\Update\GoogleUpdate.exe" /c [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

==================== Services (Whitelisted) ===================

2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe" [5814392 2012-11-06] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe" [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)
2 JME Keyboard; C:\Windows\jmesoft\Service.exe [32768 2011-03-15] ()
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
3 wxpSvc; C:\Program Files (x86)\webcamXP 5\wService.exe /startedbyscm:5053B757-40E35B3B-webcamSRV [5404472 2012-03-26] (Moonware Studios)
3 WatAdminSvc; C:\Windows\System32\Wat\WatAdminSvc.exe [x]

==================== Drivers (Whitelisted) =====================

1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [154464 2012-10-22] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [63328 2012-10-14] (AVG Technologies CZ, s.r.o. )
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [40800 2012-09-13] (AVG Technologies CZ, s.r.o.)
3 ManyCam; C:\Windows\System32\DRIVERS\mcvidrv_x64.sys [34304 2012-01-10] (ManyCam LLC)
3 mcaudrv_simple; C:\Windows\System32\drivers\mcaudrv_x64.sys [28160 2012-02-22] (ManyCam LLC)
0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)
2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)
0 WinI2C-DDC; C:\Windows\System32\drivers\DDCDrv.sys [20832 2008-04-08] (Nicomsoft Ltd.)
3 XG762_VS; C:\Windows\System32\DRIVERS\WlanGZG.sys [1075712 2010-03-26] (Atheros Communications, Inc.)
1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [x]
0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [x]
0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [x]
1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-12-28 17:00 - 2012-12-28 17:00 - 00000000 __SHD C:\found.000
2012-12-28 17:00 - 2012-12-28 17:00 - 00000000 ___AD C:\.Trash-999
2012-12-28 16:02 - 2012-12-17 02:13 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-12-28 16:02 - 2012-12-17 02:13 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-12-28 16:02 - 2012-01-17 05:58 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-12-28 16:01 - 2012-01-19 01:04 - 01985536 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-12-28 16:01 - 2012-01-19 01:04 - 01985536 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-12-28 16:01 - 2012-01-17 05:58 - 00981504 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-12-28 16:00 - 2012-12-28 15:57 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2012-12-28 16:00 - 2012-12-28 15:57 - 00022016 ____A (Microsoft Corporation) C:\Windows\System32\lpk.dll
2012-12-21 19:00 - 2012-12-16 09:11 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-21 19:00 - 2012-12-16 06:45 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-21 19:00 - 2012-12-16 06:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2012-12-21 19:00 - 2012-12-16 06:13 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2012-12-18 11:38 - 2012-12-18 18:47 - 00000000 ____D C:\Users\All Users\webcamXP 5
2012-12-18 11:38 - 2012-12-18 11:38 - 00000000 ____D C:\Program Files (x86)\webcamXP 5
2012-12-16 13:03 - 2012-12-16 13:03 - 00007704 ____A C:\Users\ross\AppData\Local\recently-used.xbel
2012-12-16 12:27 - 2012-12-16 12:28 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-12-16 11:52 - 2012-12-16 12:46 - 00000000 ____D C:\Users\ross\Downloads\website2
2012-12-15 14:27 - 2012-12-15 14:27 - 00000000 ____D C:\Program Files (x86)\CamStudio 2.6b
2012-12-15 14:27 - 2010-10-23 16:56 - 00049664 ____A (CamStudio Group) C:\Windows\System32\CamCodec.dll
2012-12-12 19:00 - 2012-11-13 21:57 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-12-12 19:00 - 2012-11-13 21:57 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-12-12 19:00 - 2012-11-13 21:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-12-12 19:00 - 2012-11-13 17:48 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-12-12 13:33 - 2012-12-12 13:33 - 00000000 ____D C:\Users\ross\Documents\Web
2012-12-12 13:32 - 2012-12-12 15:09 - 01409050 ____A C:\Users\ross\Desktop\Site1.wpp
2012-12-12 09:50 - 2012-12-24 12:15 - 00000000 ____D C:\Users\ross\Desktop\Britannica Primary
2012-12-12 08:36 - 2012-11-21 19:26 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-12-12 08:36 - 2012-10-04 09:46 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2012-12-12 08:36 - 2012-10-04 09:46 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
2012-12-12 08:36 - 2012-10-04 09:46 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2012-12-12 08:36 - 2012-10-04 09:43 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2012-12-12 08:36 - 2012-10-04 09:41 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2012-12-12 08:36 - 2012-10-04 09:41 - 00424960 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:47 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2012-12-12 08:36 - 2012-10-04 08:47 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2012-12-12 08:36 - 2012-10-04 08:47 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2012-12-12 08:36 - 2012-10-04 07:21 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2012-12-12 08:36 - 2012-10-04 06:46 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2012-12-12 08:36 - 2012-10-04 06:46 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2012-12-12 08:36 - 2012-10-04 06:46 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2012-12-12 08:36 - 2012-08-20 10:48 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2012-12-12 08:35 - 2012-11-01 21:59 - 00478208 ____A (Microsoft Corporation) C:\Windows\System32\dpnet.dll
2012-12-12 08:35 - 2012-11-01 21:11 - 00376832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dpnet.dll
2012-12-12 08:35 - 2012-10-04 09:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 09:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 06:46 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2012-12-12 08:35 - 2012-10-04 06:41 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 06:41 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 06:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2012-12-12 08:35 - 2012-10-04 06:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2012-12-09 01:39 - 2012-12-09 01:39 - 00000558 ____A C:\Windows\PFRO.log
2012-12-08 10:26 - 2012-12-27 18:30 - 00010976 ____A C:\Windows\setupact.log
2012-12-08 10:26 - 2012-12-08 10:26 - 00000000 ____A C:\Windows\setuperr.log
2012-12-08 09:46 - 2012-12-08 09:46 - 00000000 ____D C:\Users\ross\AppData\Local\{44E316FE-9B27-4B36-AF34-0123C84210CC}
2012-12-07 15:33 - 2012-12-07 15:34 - 00000000 ____D C:\Users\ross\AppData\Local\{3528BD30-2719-4017-89B9-6A16965164C9}
2012-12-05 10:17 - 2012-12-05 10:18 - 00000000 ____D C:\Users\ross\AppData\Local\{000AED22-CF63-4D99-80CB-2345F7F025E5}
2012-12-04 11:03 - 2012-12-08 09:50 - 00000000 ____D C:\Users\ross\AppData\Roaming\Skype
2012-12-04 11:03 - 2012-12-08 09:50 - 00000000 ____D C:\Users\All Users\Skype
2012-12-04 11:01 - 2012-12-04 11:01 - 00000000 ____D C:\Users\ross\AppData\Local\{80296AC9-B111-4625-AB76-0FDCC8E7AF9E}
2012-12-03 10:59 - 2012-12-03 10:59 - 00000000 ____D C:\Users\ross\AppData\Local\{FDECE7F0-BEB4-479D-BEC8-66FDC3855831}
2012-12-01 09:58 - 2012-12-01 09:58 - 00001783 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-12-01 09:58 - 2012-12-01 09:58 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-12-01 09:58 - 2012-12-01 09:58 - 00000000 ____D C:\Program Files\iTunes
2012-12-01 09:58 - 2012-12-01 09:58 - 00000000 ____D C:\Program Files\iPod
2012-12-01 09:58 - 2012-12-01 09:58 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-12-01 09:33 - 2012-12-01 09:33 - 00000000 ____D C:\Users\ross\AppData\Local\{C28DB591-89BA-465E-9312-77657B918FF4}
2012-11-30 11:33 - 2012-11-30 11:33 - 00000000 ____D C:\Users\ross\AppData\Local\{73F9D44A-2B67-4C35-A854-4DB9A4B657DD}


==================== One Month Modified Files and Folders =======

2012-12-29 13:00 - 2011-09-09 22:48 - 00314441 ____A C:\Windows\System32\fastboot.set
2012-12-28 18:42 - 2012-12-28 18:42 - 00000000 ____D C:\FRST
2012-12-28 17:00 - 2012-12-28 17:00 - 00000000 __SHD C:\found.000
2012-12-28 17:00 - 2012-12-28 17:00 - 00000000 ___AD C:\.Trash-999
2012-12-28 15:57 - 2012-12-28 16:00 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2012-12-28 15:57 - 2012-12-28 16:00 - 00022016 ____A (Microsoft Corporation) C:\Windows\System32\lpk.dll
2012-12-27 18:50 - 2011-09-09 22:27 - 01503701 ____A C:\Windows\WindowsUpdate.log
2012-12-27 18:42 - 2012-07-20 14:31 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2617488841-3302547860-2323301671-1001UA.job
2012-12-27 18:30 - 2012-12-08 10:26 - 00010976 ____A C:\Windows\setupact.log
2012-12-27 17:58 - 2011-09-09 22:44 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-12-27 11:58 - 2011-09-09 22:44 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-12-27 09:49 - 2012-09-07 13:27 - 00000000 ____D C:\Users\All Users\MFAData
2012-12-27 08:03 - 2009-07-13 20:45 - 00020688 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-12-27 08:03 - 2009-07-13 20:45 - 00020688 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-12-27 08:00 - 2009-07-13 21:13 - 00005388 ____A C:\Windows\System32\PerfStringBackup.INI
2012-12-27 07:56 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-12-24 17:41 - 2011-12-25 06:48 - 00000000 ____D C:\Users\ross\Documents\REAPER Media
2012-12-24 17:40 - 2011-12-28 13:52 - 00000016 ____A C:\Users\ross\AppData\Roaming\msregsvv.dll
2012-12-24 17:40 - 2011-12-28 13:52 - 00000016 ____A C:\Users\All Users\autobk.inc
2012-12-24 12:15 - 2012-12-12 09:50 - 00000000 ____D C:\Users\ross\Desktop\Britannica Primary
2012-12-22 11:41 - 2012-09-15 06:04 - 00000000 ____D C:\Users\ross\AppData\Roaming\TH2
2012-12-22 09:12 - 2009-07-13 20:45 - 00291808 ____A C:\Windows\System32\FNTCACHE.DAT
2012-12-21 19:15 - 2012-01-09 13:41 - 00000000 ____D C:\Users\ross\AppData\Roaming\SoftGrid Client
2012-12-20 18:35 - 2012-05-25 13:44 - 00000000 ____D C:\Users\ross\AppData\Local\Spotify
2012-12-18 18:47 - 2012-12-18 11:38 - 00000000 ____D C:\Users\All Users\webcamXP 5
2012-12-18 11:38 - 2012-12-18 11:38 - 00000000 ____D C:\Program Files (x86)\webcamXP 5
2012-12-17 08:34 - 2012-11-17 14:24 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-12-17 02:13 - 2012-12-28 16:02 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-12-17 02:13 - 2012-12-28 16:02 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-12-16 13:04 - 2012-06-09 06:44 - 00000000 ____D C:\Users\ross\.gimp-2.8
2012-12-16 13:03 - 2012-12-16 13:03 - 00007704 ____A C:\Users\ross\AppData\Local\recently-used.xbel
2012-12-16 12:46 - 2012-12-16 11:52 - 00000000 ____D C:\Users\ross\Downloads\website2
2012-12-16 12:28 - 2012-12-16 12:27 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-12-16 11:27 - 2012-01-20 12:10 - 00000000 ____D C:\Users\ross\AppData\Roaming\Foxit Software
2012-12-16 09:11 - 2012-12-21 19:00 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-16 06:45 - 2012-12-21 19:00 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-16 06:13 - 2012-12-21 19:00 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2012-12-16 06:13 - 2012-12-21 19:00 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2012-12-15 14:27 - 2012-12-15 14:27 - 00000000 ____D C:\Program Files (x86)\CamStudio 2.6b
2012-12-14 10:47 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2012-12-12 15:09 - 2012-12-12 13:32 - 01409050 ____A C:\Users\ross\Desktop\Site1.wpp
2012-12-12 13:33 - 2012-12-12 13:33 - 00000000 ____D C:\Users\ross\Documents\Web
2012-12-12 13:33 - 2011-12-25 03:33 - 00065208 ____A C:\Users\ross\AppData\Local\GDIPFONTCACHEV1.DAT
2012-12-09 01:39 - 2012-12-09 01:39 - 00000558 ____A C:\Windows\PFRO.log
2012-12-08 10:26 - 2012-12-08 10:26 - 00000000 ____A C:\Windows\setuperr.log
2012-12-08 09:59 - 2012-08-09 12:43 - 00000000 ____D C:\Users\ross\Tracing
2012-12-08 09:59 - 2012-01-23 11:12 - 00000000 ____D C:\Windows\Minidump
2012-12-08 09:59 - 2011-02-12 11:33 - 00000000 ____D C:\Windows\Panther
2012-12-08 09:54 - 2012-09-07 13:28 - 00000000 ____D C:\Program Files\CCleaner
2012-12-08 09:51 - 2012-11-23 07:37 - 00000000 ____D C:\Users\ross\AppData\Roaming\OnLive App
2012-12-08 09:51 - 2012-09-07 13:25 - 00000000 ____D C:\Program Files (x86)\VS Revo Group
2012-12-08 09:50 - 2012-12-04 11:03 - 00000000 ____D C:\Users\ross\AppData\Roaming\Skype
2012-12-08 09:50 - 2012-12-04 11:03 - 00000000 ____D C:\Users\All Users\Skype
2012-12-08 09:50 - 2011-09-09 22:50 - 00000000 ____D C:\Program Files (x86)\Windows Live
2012-12-08 09:46 - 2012-12-08 09:46 - 00000000 ____D C:\Users\ross\AppData\Local\{44E316FE-9B27-4B36-AF34-0123C84210CC}
2012-12-07 15:34 - 2012-12-07 15:33 - 00000000 ____D C:\Users\ross\AppData\Local\{3528BD30-2719-4017-89B9-6A16965164C9}
2012-12-05 10:18 - 2012-12-05 10:17 - 00000000 ____D C:\Users\ross\AppData\Local\{000AED22-CF63-4D99-80CB-2345F7F025E5}
2012-12-04 11:01 - 2012-12-04 11:01 - 00000000 ____D C:\Users\ross\AppData\Local\{80296AC9-B111-4625-AB76-0FDCC8E7AF9E}
2012-12-03 10:59 - 2012-12-03 10:59 - 00000000 ____D C:\Users\ross\AppData\Local\{FDECE7F0-BEB4-479D-BEC8-66FDC3855831}
2012-12-01 09:58 - 2012-12-01 09:58 - 00001783 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-12-01 09:58 - 2012-12-01 09:58 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-12-01 09:58 - 2012-12-01 09:58 - 00000000 ____D C:\Program Files\iTunes
2012-12-01 09:58 - 2012-12-01 09:58 - 00000000 ____D C:\Program Files\iPod
2012-12-01 09:58 - 2012-12-01 09:58 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-12-01 09:33 - 2012-12-01 09:33 - 00000000 ____D C:\Users\ross\AppData\Local\{C28DB591-89BA-465E-9312-77657B918FF4}
2012-11-30 11:33 - 2012-11-30 11:33 - 00000000 ____D C:\Users\ross\AppData\Local\{73F9D44A-2B67-4C35-A854-4DB9A4B657DD}


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 3944.37 MB
Available physical RAM: 3313.32 MB
Total Pagefile: 3942.57 MB
Available Pagefile: 3298.82 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:440.59 GB) (Free:297.78 GB) NTFS
3 Drive f: (PENDRIVE) (Removable) (Total:1.86 GB) (Free:0.35 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 1910 MB 0 B
Disk 2 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 440 GB 101 MB
Partition 3 OEM 25 GB 440 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 440 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 12
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 LENOVO_PART NTFS Partition 25 GB Healthy Hidden

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1909 MB 64 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F PENDRIVE FAT Removable 1909 MB Healthy

=========================================================

Last Boot: 2012-12-25 05:29

==================== End Of Log =============================
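When a log like the one above is pasted into a forum, long paths get wrapped across lines and the interesting entries (recently changed files under C:\Windows\System32 and SysWOW64, tiny files sitting in user profile directories) are easy to miss by eye. The following parser is an added example written for this page; it is not part of FRST and not code from the poster. It reads the "Files and Folders" listing format exactly as it appears in the log (timestamp - timestamp - size attributes [(Company)] path), re-joins paths that a forum paste split across lines, and offers two review filters. The sample lines are copied from the log above; the assumption that the first timestamp in the "One Month Modified" section is the modification time and the second the creation time is inferred from the ordering of the dates in that section. The filters only select entries for a closer look (hashing, signature check); they do not claim anything about the files.

```python
"""Parse the 'Files and Folders' listings of a Farbar Recovery Scan Tool (FRST) log.

Hypothetical helper written for this page; it is not part of FRST.  Field layout
(<timestamp> - <timestamp> - <size> <attributes> [(Company)] <path>) is taken from
the log above.  Assumption: in the "One Month Modified" section the first
timestamp is the modification time and the second the creation time.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
LINE_RE = re.compile(
    rf"^(?P<first>{TS}) - (?P<second>{TS}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>\S.*)$"
)


@dataclass
class Entry:
    first: datetime          # modification time in a "Modified" section (assumed)
    second: datetime         # creation time in a "Modified" section (assumed)
    size: int
    attrs: str               # five flag characters, e.g. "____A", "___AH", "__SHD"
    company: Optional[str]   # version-info company name FRST prints in parentheses
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs


def parse_frst_listing(lines: Iterable[str]) -> List[Entry]:
    """Parse listing lines.  Section headers ('====') and blank lines are skipped;
    any other line that does not start a record is treated as the continuation
    of the previous path, which is how forum pastes break long paths."""
    entries: List[Entry] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(
                first=datetime.strptime(m["first"], "%Y-%m-%d %H:%M"),
                second=datetime.strptime(m["second"], "%Y-%m-%d %H:%M"),
                size=int(m["size"]),
                attrs=m["attrs"],
                company=m["company"],
                path=m["path"],
            ))
        elif entries:
            entries[-1].path += line   # re-join a wrapped path (no separator)
    return entries


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def system_dir_files_changed_since(entries: List[Entry], since: datetime) -> List[Entry]:
    """Non-directory entries under System32/SysWOW64 whose first timestamp is
    on or after `since`: candidates to hash and compare against a clean copy."""
    return [e for e in entries
            if not e.is_dir and e.first >= since
            and e.path.lower().startswith(SYSTEM_DIRS)]


def tiny_profile_files(entries: List[Entry], max_size: int = 64) -> List[Entry]:
    """Very small files under C:\\Users\\ (user profile and 'All Users' data);
    worth opening to see what they actually contain."""
    return [e for e in entries
            if not e.is_dir and 0 < e.size <= max_size
            and e.path.lower().startswith("c:\\users\\")]


# Sample input: lines copied from the log above, including one path that the
# forum wrapped across a blank line.
SAMPLE = r"""
==================== One Month Modified Files and Folders =======

2012-12-29 13:00 - 2011-09-09 22:48 - 00314441 ____A C:\Windows\System32\fastboot.set
2012-12-28 18:42 - 2012-12-28 18:42 - 00000000 ____D C:\FRST
2012-12-28 17:00 - 2012-12-28 17:00 - 00000000 __SHD C:\found.000
2012-12-28 15:57 - 2012-12-28 16:00 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2012-12-28 15:57 - 2012-12-28 16:00 - 00022016 ____A (Microsoft Corporation) C:\Windows\System32\lpk.dll
2012-12-27 18:42 - 2012-07-20 14:31 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2617488841-3302547860-

2323301671-1001UA.job
2012-12-24 17:40 - 2011-12-28 13:52 - 00000016 ____A C:\Users\ross\AppData\Roaming\msregsvv.dll
2012-12-24 17:40 - 2011-12-28 13:52 - 00000016 ____A C:\Users\All Users\autobk.inc
2012-12-17 02:13 - 2012-12-28 16:02 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
""".splitlines()

ENTRIES = parse_frst_listing(SAMPLE)
SINCE = datetime(2012, 12, 28)   # the day the boot failure was reported

if __name__ == "__main__":
    for e in system_dir_files_changed_since(ENTRIES, SINCE):
        print(f"system dir, changed {e.first:%Y-%m-%d %H:%M}: {e.path} ({e.company})")
    for e in tiny_profile_files(ENTRIES):
        print(f"tiny profile file, {e.size} bytes: {e.path}")
```

Run it as a script to get a short review list; feed it the whole "One Month Created" and "One Month Modified" sections of a real log by passing the file's lines to `parse_frst_listing`. The filters are deliberately dumb selection rules, not verdicts: the next step for anything they return is an MD5/SHA-256 against a known-good copy or a signature check, which is what the log's own "MD5 is legit" lines do for a fixed set of core binaries.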
