I had 3 viruses now my laptop won't startup.


26 replies to this topic

#1 DougHesketh

DougHesketh

  • Members
  • 31 posts

Posted 04 March 2013 - 06:11 AM

Hi,

 

I have a laptop that started to display "system error messages" on Friday relating to there being a problem with the hard drive.

 

After checking the hard drive I realised that the most likely error was a virus. I downloaded Malwarebytes and it kindly removed the problem; the remaining issue was sorting out all of the files and directories that this nasty little virus had hidden.

 

I carried on trying to clean up the laptop and realised that I had been redirected in Google Chrome when I clicked on a link.

 

After some surfing on my iPad I downloaded ESET NOD32 and it found two infections, but couldn't fix them.

 

Olmarik.TDL4 & Olmasco.AD

 

I went through a number of programs to try and fix the problem but to no avail.

 

I am now at the point that my laptop does not boot up at all; it will boot from a CD/DVD, but not from the C drive.

 

I booted from the original Windows 7 install CD to try and do a repair, but it would not see my Operating System.

 

Please would someone try and assist me to hopefully get my system back without the dreaded Formatting and clean installing.

 

Regards

Doug

 




#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 04 March 2013 - 09:21 AM

This could be easily fixed. Let me ask someone to help you.

 

Good luck



#3 DougHesketh

DougHesketh
  • Topic Starter

  • Members
  • 31 posts

Posted 04 March 2013 - 04:16 PM

Thank you

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 04 March 2013 - 05:37 PM

Let's give it a try.
  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Plug the flash drive into the infected PC.
  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you can not enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html



    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
      Select Command Prompt

      Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 DougHesketh

DougHesketh
  • Topic Starter

  • Members
  • 31 posts

Posted 04 March 2013 - 07:30 PM

Hi,

 

When I am in the recovery environment there are no Operating Systems to select from. But FRST64 did find the correct Windows environment.

 

FRST Log>>>

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 04-03-2013 01
Ran by SYSTEM at 05-03-2013 00:22:34
Running from G:\Recovery
   (X64) OS Language: English(US) 
Attention: Could not load system hive.
==================== Registry (Whitelisted) ===================
 
ATTENTION: Unable to load Software hive.
 
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Tee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
 
==================== Services (Whitelisted) ===================
 
 
==================== Drivers (Whitelisted) =====================
 
 
==================== NetSvcs (Whitelisted) ====================
 
 
==================== One Month Created Files and Folders ========
 
 
 
==================== One Month Modified Files and Folders =======
 
2013-03-02 12:31 - 2011-10-31 12:09 - 00000000 ____D C:\Users\Tee\AppData\Roaming\PCDr
2013-03-02 12:31 - 2011-10-17 18:12 - 00000000 ____D C:\Users\Tee\AppData\Local\VirtualStore
2013-03-02 12:31 - 2011-10-17 12:32 - 00000000 ____D C:\Users\Tee\AppData\Roaming\Macromedia
2013-03-02 12:31 - 2011-10-17 12:32 - 00000000 ____D C:\Users\Tee\AppData\Roaming\Adobe
2013-03-02 12:31 - 2011-09-04 06:07 - 00000000 ____D C:\Users\Tee\Downloads\Driver Boost
2013-03-02 12:29 - 2012-07-30 05:42 - 00000000 ____D C:\Users\Tee\AppData\Local\Microsoft Games
2013-03-02 12:29 - 2012-02-18 04:36 - 00000000 ____D C:\ProgramData\Intuit
2013-03-02 12:29 - 2011-12-25 13:11 - 00000000 ____D C:\ProgramData\Electronic Arts
2013-03-02 12:29 - 2011-11-30 10:03 - 00000000 ____D C:\Users\Tee\AppData\Local\Google
2013-03-02 12:29 - 2011-11-30 10:02 - 00000000 ____D C:\ProgramData\Google
2013-03-02 12:29 - 2011-11-01 00:25 - 00000000 ____D C:\ProgramData\Skype
2013-03-02 12:29 - 2011-10-31 12:52 - 00000000 ____D C:\ProgramData\Apple Computer
2013-03-02 12:29 - 2011-10-31 12:51 - 00000000 ____D C:\ProgramData\Apple
2013-03-02 12:29 - 2011-10-19 05:37 - 00000000 ____D C:\Users\Tee\AppData\Local\Adobe
2013-03-02 12:29 - 2009-09-12 05:07 - 00000000 ____D C:\ProgramData\McAfee
2013-03-02 12:29 - 2009-09-12 04:56 - 00000000 ____D C:\ProgramData\PCDr
2013-03-02 12:29 - 2009-09-12 04:55 - 00000000 ____D C:\ProgramData\Uninstall
2013-03-02 12:29 - 2009-09-12 04:48 - 00000000 ____D C:\ProgramData\Adobe
2013-03-02 12:29 - 2009-07-13 23:44 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-03-02 12:08 - 2013-03-02 12:08 - 00000000 ___HD C:\kleaner.tmp
2013-03-02 11:39 - 2013-03-02 11:39 - 00000000 ____D C:\Users\Tee\AppData\Local\{F27422E3-0A96-4219-8283-4EE2F18E825F}
2013-03-02 11:25 - 2013-03-02 11:24 - 10156344 ____A (Malwarebytes Corporation                                    ) C:\Users\Tee\Downloads\mbam-setup-1.70.0.1100.exe
2013-03-02 10:35 - 2013-03-02 10:35 - 00016760 ____H C:\bootsqm.dat
2013-03-01 05:26 - 2013-03-01 05:25 - 00000000 ____D C:\Users\Tee\AppData\Local\{6827077C-B87B-443F-A193-0CE66FF54B77}
2013-02-28 11:09 - 2013-02-28 11:09 - 00000176 ____A C:\ProgramData\-oKJlROuTVCyAr
2013-02-28 11:09 - 2013-02-28 11:09 - 00000176 ____A C:\ProgramData\-oKJlROuTVCyA
2013-02-28 11:09 - 2013-02-28 11:09 - 00000088 ____A C:\ProgramData\oKJlROuTVCyA
2013-02-28 11:04 - 2012-02-20 13:43 - 00002364 ____A C:\Users\Tee\Desktop\Google Chrome.lnk
2013-02-28 05:29 - 2013-02-28 05:29 - 00000000 ____D C:\Users\Tee\AppData\Local\{5F11E071-ABE9-449F-A46D-FBB4E482D23F}
2013-02-28 05:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\zh-HK
2013-02-28 05:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\tr-TR
2013-02-28 05:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\zh-HK
2013-02-28 05:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\tr-TR
2013-02-28 05:17 - 2012-02-20 13:41 - 00000848 ___AH C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1621549065-1169803754-3936880357-1000Core.job
2013-02-27 05:09 - 2013-02-27 05:09 - 00000000 ____D C:\Users\Tee\AppData\Local\{92CD977C-5AED-47FE-BB68-AAEE2BDE5D26}
2013-02-26 01:21 - 2013-02-26 01:21 - 00000000 ____D C:\Users\Tee\AppData\Local\{7C60E8A3-1A66-42F4-9714-1612A872E5CE}
2013-02-25 13:45 - 2012-06-05 04:03 - 00788548 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2013-02-25 13:45 - 2012-02-18 04:32 - 00000090 ____A C:\Windows\QBChanUtil_Trigger.ini
2013-02-25 13:20 - 2013-02-25 01:20 - 00000000 ____D C:\Users\Tee\AppData\Local\{4DFAC5EE-CA9D-489C-99BB-3107A62247B6}
2013-02-25 08:45 - 2012-07-18 22:44 - 00000024 ____A C:\Users\Tee\random.dat
2013-02-24 21:01 - 2013-02-22 15:57 - 00000042 ____A C:\Users\Tee\jagex_cl_oldschool_LIVE.dat
2013-02-24 13:20 - 2013-02-23 10:46 - 00000000 ____D C:\Users\Tee\AppData\Local\{AF8281E9-09AE-4521-8C87-48DBB11CE7FE}
2013-02-22 15:55 - 2013-02-22 15:54 - 00000000 ____D C:\Users\Tee\AppData\Local\{39A46A7F-E3D8-45EE-A10D-AB8134171CD8}
2013-02-21 21:00 - 2013-02-20 23:36 - 00000000 ____D C:\Users\Tee\AppData\Local\{02B35269-E3FC-4BF2-B8F2-1FF168707BC7}
2013-02-20 21:34 - 2011-11-03 06:20 - 00000032 ____A C:\Users\Tee\jagex_cl_runescape_LIVE.dat
2013-02-20 11:36 - 2013-02-20 11:36 - 00000000 ____D C:\Users\Tee\AppData\Local\{CAE93806-1CE2-4ED2-A6B3-87CAA6E1883B}
2013-02-19 23:36 - 2013-02-19 23:36 - 00000000 ____D C:\Users\Tee\AppData\Local\{2AAA29B4-632F-44BE-B647-16AFC2EE339A}
2013-02-19 08:22 - 2013-02-19 08:22 - 00000000 ____D C:\Users\Tee\AppData\Local\{3196A647-533A-498C-9AD9-9CF0D9E6E0EE}
2013-02-19 00:09 - 2013-02-19 00:09 - 00000000 ____A C:\Users\Tee\Desktop\ggg.gw1dafj.partial
2013-02-18 18:58 - 2013-02-16 10:31 - 00000000 ____D C:\Users\Tee\AppData\Local\{3BA98F09-2F3C-40FD-BD0F-B0E4DFB372C1}
2013-02-17 11:04 - 2012-08-23 19:07 - 00000035 ____A C:\Users\Tee\xaeron_runescape_preferences.dat
2013-02-17 11:03 - 2012-08-23 19:09 - 00000129 ____A C:\Users\Tee\xaeron_runescape_preferences2.dat
2013-02-14 23:26 - 2013-02-13 18:00 - 00000000 ____D C:\Users\Tee\AppData\Local\{D5CCC6A8-FE39-47AE-8413-0D4993D61C77}
2013-02-13 17:57 - 2009-07-13 20:45 - 00326976 ____A C:\Windows\System32\FNTCACHE.DAT
2013-02-13 14:16 - 2011-12-01 04:43 - 70004024 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-02-13 14:11 - 2009-09-12 04:50 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-02-13 04:10 - 2012-04-06 01:46 - 00000000 ____D C:\Program Files\Dell Support Center
2013-02-13 03:16 - 2013-02-12 10:58 - 00000000 ____D C:\Users\Tee\AppData\Local\{F104530A-6199-4023-B18D-B699C6D4C013}
2013-02-11 17:59 - 2013-02-11 17:57 - 00000040 ____A C:\Users\Tee\matrix_cl_matrix_LIVE.dat
2013-02-11 10:08 - 2013-02-09 10:32 - 00000000 ____D C:\Users\Tee\AppData\Local\{384AD3A4-C25B-4231-8124-A5412607DCBA}
2013-02-08 22:32 - 2013-02-05 13:27 - 00000000 ____D C:\Users\Tee\AppData\Local\{C0D84D28-2BDD-43DB-B157-EB7A8FAB5B21}
2013-02-05 04:42 - 2013-02-05 04:41 - 00000000 ____D C:\Users\Tee\.runecore_client
2013-02-05 00:32 - 2013-02-05 00:32 - 00000000 ____D C:\Users\Tee\AppData\Local\{CD2FD94D-A6CF-453F-8102-000CEBFB8A28}
2013-02-04 10:43 - 2013-02-04 10:43 - 00000000 ____D C:\Users\Tee\AppData\Local\{223749AB-37CC-4A42-955D-582E15BD51F6}
2013-02-03 10:51 - 2013-02-02 03:26 - 00000000 ____D C:\Users\Tee\AppData\Local\{8362D1DE-6B9C-4568-9E46-13D1E29D33B6}
 
==================== Known DLLs (Whitelisted) =================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe:  <===== ATTENTION!
HKLM\...\exefile\DefaultIcon:  <===== ATTENTION!
HKLM\...\exefile\open\command:  <===== ATTENTION!
 
==================== Restore Points  =========================
 
Restore point made on: 2013-03-03 08:43:25
Restore point made on: 2013-03-03 11:00:33
Restore point made on: 2013-03-03 11:16:11
 
==================== Memory info =========================== 
 
Percentage of memory in use: 15%
Total physical RAM: 3032.36 MB
Available physical RAM: 2567.07 MB
Total Pagefile: 3030.51 MB
Available Pagefile: 2556.15 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
 
==================== Partitions =============================
 
1 Drive c: (OS) (Fixed) (Total:134.35 GB) (Free:69.7 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
4 Drive g: (RecoveryMedia) (Removable) (Total:3.69 GB) (Free:0.55 GB) NTFS
5 Drive h: (HD-LBU2) (Fixed) (Total:1863.02 GB) (Free:1440.16 GB) NTFS
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:6.87 GB) NTFS
 
 
Last Boot: 2013-02-12 20:12
 
==================== End Of Log =============================
 
Many Thanks
Doug


#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:05 PM

Posted 04 March 2013 - 08:04 PM

Download MBRFix from here.

Save and extract its contents to the working computer's desktop. There are three files in the MBRFix folder. From these, only copy the MBRFix64.exe to the USB drive.

Also download the enclosed file and save it in the USB drive.

Insert the USB drive into the ailing computer.

Now please enter System Recovery Options and run FRST64 as you did before, except that this time around, press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt). It will also create a file labeled MBRDUMP.txt. Copy and Paste the contents of the Fixlog.txt in your next reply, but attach the MBRDUMP.txt as it is a hex file.

For x64 bit systems please download Listparts64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:

    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\ListParts.exe (for x64 bit version type e:\ListParts64.exe) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Put check mark on List BCD.
    • Press Scan button.
    • It will make a log (Result.txt) in the flash drive. Please copy and paste it to your reply.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 DougHesketh

DougHesketh
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:05 PM

Posted 04 March 2013 - 08:37 PM

Hi,

Everything ran OK

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 04-03-2013 01
Ran by SYSTEM at 2013-03-05 01:28:31 Run:1
Running from H:\Recovery
 
==============================================
 
C:\ProgramData\-oKJlROuTVCyAr moved successfully.
C:\ProgramData\-oKJlROuTVCyA moved successfully.
C:\ProgramData\oKJlROuTVCyA moved successfully.
MBRDUMP.txt is made successfully.
 
==== End of Fixlog ====
 
ListParts by Farbar Version: 04-03-2013
Ran by SYSTEM (administrator) on 05-03-2013 at 01:29:57
Windows 7 (X64)
Running From: H:\Recovery
Language: 0409
************************************************************
 
========================= Memory info ====================== 
 
Percentage of memory in use: 14%
Total physical RAM: 3032.36 MB
Available physical RAM: 2592.49 MB
Total Pagefile: 3030.51 MB
Available Pagefile: 2573.89 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB
 
======================= Partitions =========================
 
1 Drive c: (OS) (Fixed) (Total:134.35 GB) (Free:69.7 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
4 Drive g: (HD-LBU2) (Fixed) (Total:1863.02 GB) (Free:1440.16 GB) NTFS
5 Drive h: (RecoveryMedia) (Removable) (Total:3.69 GB) (Free:0.55 GB) NTFS
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:6.87 GB) NTFS
 
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          149 GB      0 B         
  Disk 1    No Media           0 B      0 B         
  Disk 2    Online         1863 GB      0 B         
  Disk 3    Online         3780 MB      0 B         
 
Partitions of Disk 0:
===============
 
Disk ID: 9F7139F1
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                 39 MB    31 KB
  Partition 2    Primary             14 GB    40 MB
  Partition 3    Primary            134 GB    14 GB
  Partition 4    Primary             10 MB   149 GB
 
======================================================================================================
 
Disk: 0
Partition 1
Type  : DE
Hidden: Yes
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 6                      FAT    Partition     39 MB  Healthy    Hidden  
 
======================================================================================================
 
Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   RECOVERY     NTFS   Partition     14 GB  Healthy            
 
======================================================================================================
 
Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   OS           NTFS   Partition    134 GB  Healthy            
 
======================================================================================================
 
Disk: 0
Partition 4
Type  : 17 (Suspicious Type)
Hidden: Yes
Active: Yes
 
There is no volume associated with this partition.
 
======================================================================================================
 
Partitions of Disk 2:
===============
 
Disk ID: F138F4EA
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1863 GB    32 KB
 
======================================================================================================
 
Disk: 2
Partition 1
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G   HD-LBU2      NTFS   Partition   1863 GB  Healthy            
 
======================================================================================================
 
Partitions of Disk 3:
===============
 
Disk ID: 438CA2E6
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3779 MB    31 KB
 
======================================================================================================
 
Disk: 3
Partition 1
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5     H   RecoveryMed  NTFS   Removable   3779 MB  Healthy            
 
======================================================================================================
The boot configuration data store could not be opened.
The system cannot find the file specified.
 
 
****** End Of Log ****** 
 
Regards
Doug
 
Attached File: MBRDUMP.txt (512 bytes)

 



#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:05 PM

Posted 04 March 2013 - 09:27 PM

Download the enclosed file:

Save it in the USB drive
  • Run ListParts as you did before.
  • This time around Press Fix button.
  • When it is done close the notification pop up. Put check mark on List BCD and click Scan. Copy and paste the log (Result.txt) it makes in the USB.
  • NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Attempt to boot in Normal mode. If successful, run TDSSKiller as follows:

Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 DougHesketh

DougHesketh
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:05 PM

Posted 04 March 2013 - 09:54 PM

Hi

Log PLfixlog.txt

Script used: "Disk=0 Partition=4 inactive"
Script used: "Disk=0 Partition=3 active"
Script used: "Disk=0 Partition=4 type=07"
Script used: "Custom"
 
An error occurred while attempting to delete the specified data element.
Element not found.
 
 
Log Result.txt
 
ListParts by Farbar Version: 04-03-2013
Ran by SYSTEM (administrator) on 05-03-2013 at 02:48:44
Windows 7 (X64)
Running From: F:\Recovery
Language: 0409
************************************************************
 
========================= Memory info ====================== 
 
Percentage of memory in use: 14%
Total physical RAM: 3032.36 MB
Available physical RAM: 2592.15 MB
Total Pagefile: 3030.51 MB
Available Pagefile: 2577.38 MB
Total Virtual: 8192 MB
Available Virtual: 8191.92 MB
 
======================= Partitions =========================
 
1 Drive c: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:6.87 GB) NTFS
2 Drive d: (OS) (Fixed) (Total:134.35 GB) (Free:69.7 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
4 Drive f: (RecoveryMedia) (Removable) (Total:3.69 GB) (Free:0.55 GB) NTFS
5 Drive g: (HD-LBU2) (Fixed) (Total:1863.02 GB) (Free:1440.16 GB) NTFS
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          149 GB      0 B         
  Disk 1    Online         3780 MB      0 B         
  Disk 2    Online         1863 GB      0 B         
 
Partitions of Disk 0:
===============
 
Disk ID: 9F7139F1
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                 39 MB    31 KB
  Partition 2    Primary             14 GB    40 MB
  Partition 3    Primary            134 GB    14 GB
  Partition 4    Primary             10 MB   149 GB
 
======================================================================================================
 
Disk: 0
Partition 1
Type  : DE
Hidden: Yes
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 6                      FAT    Partition     39 MB  Healthy    Hidden  
 
======================================================================================================
 
Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   RECOVERY     NTFS   Partition     14 GB  Healthy            
 
======================================================================================================
 
Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     D   OS           NTFS   Partition    134 GB  Healthy            
 
======================================================================================================
 
Disk: 0
Partition 4
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     H                RAW    Partition     10 MB  Healthy            
 
======================================================================================================
 
Partitions of Disk 1:
===============
 
Disk ID: 438CA2E6
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3779 MB    31 KB
 
======================================================================================================
 
Disk: 1
Partition 1
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     F   RecoveryMed  NTFS   Removable   3779 MB  Healthy            
 
======================================================================================================
 
Partitions of Disk 2:
===============
 
Disk ID: F138F4EA
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1863 GB    32 KB
 
======================================================================================================
 
Disk: 2
Partition 1
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5     G   HD-LBU2      NTFS   Partition   1863 GB  Healthy            
 
======================================================================================================
 
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=D:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {default}
resumeobject            {536be01e-3142-11de-86fa-e2478526bac5}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30
 
Windows Boot Loader
-------------------
identifier              {0f95d028-f913-11e0-a84a-00256456bb0c}
device                  ramdisk=[D:]\Recovery\0f95d028-f913-11e0-a84a-00256456bb0c\Winre.wim,{0f95d029-f913-11e0-a84a-00256456bb0c}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[D:]\Recovery\0f95d028-f913-11e0-a84a-00256456bb0c\Winre.wim,{0f95d029-f913-11e0-a84a-00256456bb0c}
systemroot              \windows
nx                      OptIn
winpe                   Yes
 
Windows Boot Loader
-------------------
identifier              {default}
device                  partition=D:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {0f95d028-f913-11e0-a84a-00256456bb0c}
recoveryenabled         Yes
osdevice                partition=D:
systemroot              \Windows
resumeobject            {536be01e-3142-11de-86fa-e2478526bac5}
nx                      OptIn
 
Windows Boot Loader
-------------------
identifier              {572bcd55-ffa7-11d9-aae0-0007e994107d}
device                  partition=C:
path                    \Windows\System32\boot\winload.exe
description             Windows Recovery Environment
osdevice                partition=C:
systemroot              \Windows
nx                      OptIn
detecthal               Yes
winpe                   Yes
 
Resume from Hibernate
---------------------
identifier              {536be01e-3142-11de-86fa-e2478526bac5}
device                  partition=D:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=D:
filepath                \hiberfil.sys
debugoptionenabled      No
 
Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=D:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes
 
Windows Legacy OS Loader
------------------------
identifier              {ntldr}
device                  unknown
path                    \ntldr
description             Earlier Version of Windows
 
EMS Settings
------------
identifier              {emssettings}
bootems                 Yes
 
Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200
 
RAM Defects
-----------
identifier              {badmemory}
 
Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}
 
Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
 
Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200
 
Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}
 
Device options
--------------
identifier              {0f95d029-f913-11e0-a84a-00256456bb0c}
description             Ramdisk Options
ramdisksdidevice        partition=D:
ramdisksdipath          \Recovery\0f95d028-f913-11e0-a84a-00256456bb0c\boot.sdi
 
 
****** End Of Log ****** 
 
The computer did not boot.
 
A flashing cursor in the top left of the screen is the only activity.
 
Regards
Doug
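As an added example for this thread (not FRST, ListParts or MBRFix code, and not the poster's real MBRDUMP.txt), the Python below parses a 512-byte MBR of the kind attached in post #7, flags the pattern the ListParts log in that post shows (a 10 MB partition of type 17 that is hidden yet marked active), and applies in memory the same three corrections the fix script in post #9 reports: partition 4 inactive, partition 3 active, partition 4 type 07. The MBR bytes are constructed to mirror the logged Disk 0 layout; the 64 MB "tiny partition" threshold and all helper names are assumptions.

```python
"""Parse a 512-byte MBR, flag the hidden/active partition pattern shown in the
ListParts log above, and apply the corrections the fix script reported.

Added example for this thread; not FRST, ListParts or MBRFix code.  The MBR
bytes are constructed to mirror the logged layout, not the real MBRDUMP.txt.
"""
import struct
from dataclasses import dataclass

SECTOR = 512
TABLE_OFFSET = 0x1BE       # partition table starts at byte 446 of the MBR
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"    # bytes 510-511 of a valid MBR

NTFS, HIDDEN_NTFS, DELL_UTILITY = 0x07, 0x17, 0xDE
# "Hidden" variants of the FAT/NTFS types (0x10 bit set on 01/04/06/07/0B/0C/0E)
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
TINY_MB = 64               # assumed threshold: a real boot partition is larger


@dataclass
class Entry:
    index: int             # 1-based, as ListParts numbers partitions
    active: bool           # status byte 0x80 = bootable
    ptype: int
    lba_start: int
    sectors: int

    @property
    def size_mb(self) -> float:
        return self.sectors * SECTOR / (1024 * 1024)


def parse_mbr(mbr: bytes) -> list[Entry]:
    """Decode the four 16-byte partition entries; empty slots (type 0) are skipped."""
    if len(mbr) != SECTOR or mbr[510:512] != SIGNATURE:
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    entries = []
    for i in range(4):
        # status, CHS start (3 bytes, ignored), type, CHS end (ignored), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype != 0:
            entries.append(Entry(i + 1, status == 0x80, ptype, lba, count))
    return entries


def suspicious(entries: list[Entry]) -> list[str]:
    """Heuristics matching what ListParts flagged: a hidden-type or tiny partition
    marked active, or more than one active entry."""
    findings = []
    active = [e for e in entries if e.active]
    if len(active) > 1:
        findings.append(f"{len(active)} entries marked active; MBR boot code expects one")
    for e in entries:
        if e.active and e.ptype in HIDDEN_TYPES:
            findings.append(f"partition {e.index}: hidden type {e.ptype:02X} is marked active")
        elif e.active and e.size_mb < TINY_MB:
            findings.append(f"partition {e.index}: active but only {e.size_mb:.0f} MB")
    return findings


def apply_fix(mbr: bytes, make_active: int, neutralise: int) -> bytes:
    """In-memory equivalent of the logged script lines: '<neutralise> inactive',
    '<make_active> active', '<neutralise> type=07' (hidden bit 0x10 cleared)."""
    buf = bytearray(mbr)
    for idx in (make_active, neutralise):
        buf[TABLE_OFFSET + (idx - 1) * ENTRY_SIZE] = 0x80 if idx == make_active else 0x00
    type_off = TABLE_OFFSET + (neutralise - 1) * ENTRY_SIZE + 4
    buf[type_off] &= 0xEF   # 0x17 -> 0x07
    return bytes(buf)


def _entry(active: bool, ptype: int, lba: int, count: int) -> bytes:
    return struct.pack("<B3xB3xII", 0x80 if active else 0x00, ptype, lba, count)


def sample_mbr() -> bytes:
    """Constructed MBR mirroring the ListParts table for Disk 0 (sizes approximate)."""
    mb = (1024 * 1024) // SECTOR           # 2048 sectors per MiB
    gb = 1024 * mb
    table = (
        _entry(False, DELL_UTILITY, 63, 39 * mb)             # Partition 1: OEM, 39 MB at 31 KB
        + _entry(False, NTFS, 40 * mb, 14 * gb)              # Partition 2: RECOVERY, 14 GB at 40 MB
        + _entry(False, NTFS, 14 * gb + 40 * mb, 134 * gb)   # Partition 3: OS, 134 GB at 14 GB
        + _entry(True, HIDDEN_NTFS, 149 * gb, 10 * mb)       # Partition 4: hidden, active, 10 MB
    )
    return b"\x00" * TABLE_OFFSET + table + SIGNATURE


if __name__ == "__main__":
    before = parse_mbr(sample_mbr())
    for line in suspicious(before):
        print("SUSPICIOUS:", line)
    after = parse_mbr(apply_fix(sample_mbr(), make_active=3, neutralise=4))
    print("after fix, findings:", suspicious(after) or "none")
```

The parser reads only the partition table, so the bootstrap code in the first 446 bytes (which a bootkit also replaces) is not inspected here; compare that region against a known-good MBR separately. On the sample table the only finding is partition 4, and after the fix the table reports no findings, matching what the second ListParts run in this thread shows (partition 3 active, partition 4 type 07).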
 


#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:05 PM

Posted 04 March 2013 - 10:04 PM

Download the enclosed file:

Save it in the USB drive overwriting the existing one.
  • Run ListParts as you did before.
  • This time around Press Fix button.
  • When it is done close the notification pop up. Put check mark on List BCD and click Scan. Copy and paste the log (Result.txt) it makes in the USB.
  • NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Attempt to boot in Normal mode. If successful, run TDSSKiller as suggested.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#11 DougHesketh

DougHesketh
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:05 PM

Posted 04 March 2013 - 11:17 PM

Windows has booted in normal mode; I will load the logs tomorrow.

Thank you for your assistance so far, nothing less than amazing.

Doug

#12 DougHesketh

DougHesketh
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:05 PM

Posted 05 March 2013 - 03:33 AM

I had trouble loading the logs last night, so I'll start with Result.txt

 

 

ListParts by Farbar Version: 04-03-2013
Ran by SYSTEM (administrator) on 05-03-2013 at 03:29:03
Windows 7 (X64)
Running From: D:\
Language: 0409
************************************************************
 
========================= Memory info ====================== 
 
Percentage of memory in use: 14%
Total physical RAM: 3032.36 MB
Available physical RAM: 2587.56 MB
Total Pagefile: 3030.51 MB
Available Pagefile: 2572.47 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB
 
======================= Partitions =========================
 
1 Drive c: (OS) (Fixed) (Total:134.35 GB) (Free:69.7 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RecoveryMedia) (Removable) (Total:3.69 GB) (Free:0.55 GB) NTFS
3 Drive e: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:6.87 GB) NTFS
4 Drive g: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
5 Drive h: (HD-LBU2) (Fixed) (Total:1863.02 GB) (Free:1440.16 GB) NTFS
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          149 GB    13 MB         
  Disk 1    Online         3780 MB      0 B         
  Disk 2    Online         1863 GB      0 B         
 
Partitions of Disk 0:
===============
 
Disk ID: 9F7139F1
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                 39 MB    31 KB
  Partition 2    Primary             14 GB    40 MB
  Partition 3    Primary            134 GB    14 GB
 
======================================================================================================
 
Disk: 0
Partition 1
Type  : DE
Hidden: Yes
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5                      FAT    Partition     39 MB  Healthy    Hidden  
 
======================================================================================================
 
Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     E   RECOVERY     NTFS   Partition     14 GB  Healthy            
 
======================================================================================================
 
Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   OS           NTFS   Partition    134 GB  Healthy            
 
======================================================================================================
 
Partitions of Disk 1:
===============
 
Disk ID: 438CA2E6
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3779 MB    31 KB
 
======================================================================================================
 
Disk: 1
Partition 1
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     D   RecoveryMed  NTFS   Removable   3779 MB  Healthy            
 
======================================================================================================
 
Partitions of Disk 2:
===============
 
Disk ID: F138F4EA
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1863 GB    32 KB
 
======================================================================================================
 
Disk: 2
Partition 1
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     H   HD-LBU2      NTFS   Partition   1863 GB  Healthy            
 
======================================================================================================
 
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {default}
resumeobject            {536be01e-3142-11de-86fa-e2478526bac5}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30
 
Windows Boot Loader
-------------------
identifier              {0f95d028-f913-11e0-a84a-00256456bb0c}
device                  ramdisk=[C:]\Recovery\0f95d028-f913-11e0-a84a-00256456bb0c\Winre.wim,{0f95d029-f913-11e0-a84a-00256456bb0c}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[C:]\Recovery\0f95d028-f913-11e0-a84a-00256456bb0c\Winre.wim,{0f95d029-f913-11e0-a84a-00256456bb0c}
systemroot              \windows
nx                      OptIn
winpe                   Yes
 
Windows Boot Loader
-------------------
identifier              {default}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {0f95d028-f913-11e0-a84a-00256456bb0c}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {536be01e-3142-11de-86fa-e2478526bac5}
nx                      OptIn
 
Windows Boot Loader
-------------------
identifier              {572bcd55-ffa7-11d9-aae0-0007e994107d}
device                  partition=E:
path                    \Windows\System32\boot\winload.exe
description             Windows Recovery Environment
osdevice                partition=E:
systemroot              \Windows
nx                      OptIn
detecthal               Yes
winpe                   Yes
 
Resume from Hibernate
---------------------
identifier              {536be01e-3142-11de-86fa-e2478526bac5}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No
 
Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=C:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes
 
Windows Legacy OS Loader
------------------------
identifier              {ntldr}
device                  unknown
path                    \ntldr
description             Earlier Version of Windows
 
EMS Settings
------------
identifier              {emssettings}
bootems                 Yes
 
Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200
 
RAM Defects
-----------
identifier              {badmemory}
 
Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}
 
Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
 
Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200
 
Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}
 
Device options
--------------
identifier              {0f95d029-f913-11e0-a84a-00256456bb0c}
description             Ramdisk Options
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\0f95d028-f913-11e0-a84a-00256456bb0c\boot.sdi
 
 
****** End Of Log ****** 
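
The List BCD section above is the part of the log that shows where each boot entry expects its files to live; after a boot-components repair a practitioner wants to confirm that every device reference (bootmgr, the default loader, the WinRE ramdisk options) points at the OS partition and not at the removable drive the repair tools ran from. The following is an added example, not code from the thread or from Farbar's ListParts: a small parser for the bcdedit-style listing and a consistency check over it. The sample listing is constructed for the example (the GUIDs are placeholders) and deliberately contains one ramdisksdidevice that still points at D:.

```python
import re
from typing import Dict, List

# Constructed sample in the layout that ListParts / bcdedit print. The values
# are illustrative (placeholder GUIDs), not the thread's own log. One device
# reference intentionally points at the removable drive D: instead of C:.
SAMPLE_BCD = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
default                 {default}
displayorder            {default}
timeout                 30

Windows Boot Loader
-------------------
identifier              {default}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
osdevice                partition=C:
systemroot              \Windows

Windows Boot Loader
-------------------
identifier              {00000000-0000-0000-0000-000000000001}
device                  ramdisk=[C:]\Recovery\Winre.wim,{00000000-0000-0000-0000-000000000002}
description             Windows Recovery Environment
osdevice                ramdisk=[C:]\Recovery\Winre.wim,{00000000-0000-0000-0000-000000000002}

Device options
--------------
identifier              {00000000-0000-0000-0000-000000000002}
description             Ramdisk Options
ramdisksdidevice        partition=D:
ramdisksdipath          \Recovery\boot.sdi

Windows Legacy OS Loader
------------------------
identifier              {ntldr}
device                  unknown
path                    \ntldr
description             Earlier Version of Windows

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
"""


def parse_bcd(text: str) -> List[Dict[str, str]]:
    """Split a bcdedit-style listing into one dict per entry.

    Each entry gets a "section" key (the title line) plus one key per
    "name   value" line; indented continuation lines (multi-value inherit)
    are appended to the previous key's value.
    """
    entries: List[Dict[str, str]] = []
    current = None
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():                    # blank line ends an entry
            current, last_key = None, None
            continue
        if set(line.strip()) == {"-"}:          # underline beneath the title
            continue
        if current is None:                     # first line after a blank: title
            current = {"section": line.strip()}
            entries.append(current)
            continue
        if raw[:1].isspace() and last_key:      # continuation of previous value
            current[last_key] += " " + line.strip()
            continue
        key, _, value = line.partition(" ")
        current[key] = value.strip()
        last_key = key
    return entries


# Keys whose values name a device; "partition=C:" and "ramdisk=[C:]\..." forms.
DEVICE_KEYS = ("device", "osdevice", "filedevice", "ramdisksdidevice")
DRIVE_RE = re.compile(r"(?:partition=|ramdisk=\[)([A-Za-z]):")


def boot_device_findings(entries: List[Dict[str, str]], os_letter: str = "C") -> List[str]:
    """Report every device reference that does not resolve to the OS drive."""
    findings = []
    for entry in entries:
        ident = entry.get("identifier", "<no identifier>")
        for key in DEVICE_KEYS:
            value = entry.get(key)
            if value is None:
                continue
            match = DRIVE_RE.search(value)
            if match is None:
                # "unknown" is the normal placeholder for {ntldr} when no
                # legacy OS exists; anywhere else an unparsable device needs a look.
                if value.lower() != "unknown" or ident != "{ntldr}":
                    findings.append(f"{ident} {key}: could not parse '{value}'")
                continue
            letter = match.group(1).upper()
            if letter != os_letter.upper():
                findings.append(f"{ident} {key} points at {letter}: instead of {os_letter.upper()}:")
    return findings


if __name__ == "__main__":
    for finding in boot_device_findings(parse_bcd(SAMPLE_BCD)):
        print("CHECK:", finding)
```

To use it on a real Result.txt, read the file and pass everything from "Windows Boot Manager" onward to parse_bcd; an empty findings list means every entry already agrees with the OS drive, which is exactly the state the later log in this thread shows after the Fix run (the ramdisk options moved from partition=D: to partition=C:).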
 
 


#13 DougHesketh (Topic Starter)

Posted 05 March 2013 - 03:49 AM

I am unable to save a post with the TDSSKiller log; it just stays on "Saving Post" for a long time and does nothing.

I can attach the log should you wish me to, but unless I am instructed to attach a file, I won't.

Brilliant

Regards

Doug



#14 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 05 March 2013 - 11:22 AM

I can attach the log should you wish me to, but unless I am instructed to attach a file, I won't.

 

Please do.

 

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • OTL should now start. Change the following settings:
    • Change Drivers to All
    • Change Standard Registry to All
    • Under File Scans, change File age to 30
  • Under the Custom Scan box, paste this in:

    netsvcs
    set /c
    %SYSTEMDRIVE%\*.*
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job
    %systemroot%\assembly\tmp\U\*.* /s

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
    • Please post the contents of the OTL.txt file and attach the Extras.Txt, if any, in your next reply.




#15 DougHesketh (Topic Starter)

Posted 05 March 2013 - 11:29 AM

I will be in a position to carry out the next tasks later on today, but in the meantime please find attached the log file from TDSSKiller.

Regards

Doug

Attached File: TDSSKiller.2.8.16.0_05.03.2013_03.37.06_log.txt (477.41KB)





