
Virus that caused Windows 7 64bit Startup Repair loop (2)


27 replies to this topic

#1 clueless00

clueless00

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:52 PM

Posted 04 March 2013 - 02:53 PM

OK, so I've found this topic written by Jukeboxx, so I won't beat a dead horse too much.

 

I had visited a web site to watch The Little Rascals (1994) movie and got click happy XD.  Stupid popups...

 

It required a DivX+ viewer; I downloaded and installed it (and other unwanted code as well) and began the movie. The next thing I knew, my machine went into reboot mode.

 

Startup Repair began.  Reboot.  Startup Repair. etc.... (loop)

 

Ran Kaspersky Rescue Disk. Found Rootkit.Boot.Pihar.c

 

Researched pesky rootkit!  Ok so there are many different ways to approach this.

Being Cautious - important work information on drive.  Need help Please.

 

Windows7 64bit Acer Aspire Laptop 5250-bz641 (recovery partition-nocd)


Edited by clueless00, 04 March 2013 - 03:05 PM.
Moved from Internal Hardware to Am I Infected - Hamluis.




#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:03:52 PM

Posted 04 March 2013 - 03:07 PM

Let me ask someone from the malware response team to help you.

 

good luck



#3 clueless00

clueless00
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:52 PM

Posted 04 March 2013 - 04:42 PM

I thought this might help

 

From the Startup Repair Report:

Problem Signature 01: 6.1.7600.16385
Problem Signature 02: 6.1.7600.16385
Problem Signature 03: unknown
Problem Signature 04: 21200416
Problem Signature 05: AutoFailover
Problem Signature 06: 12
Problem Signature 07: NoBootFailure
OS Version:           6.1.7601.2.1.0.256.1
Locale ID:            1033

 

What I've tried:

System Recovery Options
    Command Prompt:  C:\bootrec /fixmbr
                     C:\bootrec /fixboot
    Reboot
    F8 - Safe Mode
        Runs the following, then starts System Recovery:
        Loaded:   \windows\system32\config\system
        Loaded:   \windows\system32\ntoskrnl.exe
        Loaded:   \windows\system32\hal.dll

 

This led me to try a DOS MBR utility to validate partition entries (MBR Work 1.08):

MBR Partition Info on HD0:

0:  80;  0-48-0;        0;  0-0-0;        47;        0
1:   0;  32-33-0;      27;  254-63-1023;  2048;      31457280
2:  80;  254-63-1023;   7;  254-63-1023;  31459328;  204800
3:   0;  254-63-1023;   7;  254-63-1023;  31664128;  593475584

 

OK, maybe this is too much info. This is all I've come up with.


Edited by clueless00, 04 March 2013 - 09:34 PM.
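The partition entries pasted above are the kind of thing a defender wants to sanity-check mechanically rather than by eye. The following is an added example (my code, not the poster's tool or anything from this thread) that decodes the four 16-byte entries of a raw 512-byte MBR and applies generic consistency rules: exactly one active flag, empty entries fully zeroed, no overlapping extents. The sample sector is constructed from the six columns in the post, read in the assumed order boot flag; start head-sector-cylinder; type; end head-sector-cylinder; LBA start; sector count. That column interpretation is my assumption, and the checks are plain MBR rules, not a signature for any particular rootkit.

```python
import struct

PT_OFFSET = 446        # partition table starts at 0x1BE
ENTRY_LEN = 16
SIG_OFFSET = 510       # 0x55AA boot signature lives in the last two bytes


def encode_chs(head, sector, cyl):
    """Pack head/sector/cylinder into the 3-byte on-disk CHS form."""
    return bytes([head & 0xFF, (sector & 0x3F) | ((cyl >> 8) << 6), cyl & 0xFF])


def decode_chs(raw):
    """Unpack the 3-byte CHS field to (head, sector, cylinder)."""
    return raw[0], raw[1] & 0x3F, ((raw[1] >> 6) << 8) | raw[2]


def build_entry(boot, start_chs, ptype, end_chs, lba, count):
    """Build one 16-byte partition entry (LBA start and count are little-endian)."""
    return (bytes([boot]) + encode_chs(*start_chs) + bytes([ptype])
            + encode_chs(*end_chs) + struct.pack("<II", lba, count))


# Constructed sample: a 512-byte MBR whose table mirrors the values in the
# post above (boot flag; start H-S-C; type; end H-S-C; LBA start; sectors).
# The column order is an assumption; the boot-code area is zero-filled.
SAMPLE_MBR = (
    bytes(PT_OFFSET)
    + build_entry(0x80, (0, 48, 0), 0x00, (0, 0, 0), 47, 0)
    + build_entry(0x00, (32, 33, 0), 0x27, (254, 63, 1023), 2048, 31457280)
    + build_entry(0x80, (254, 63, 1023), 0x07, (254, 63, 1023), 31459328, 204800)
    + build_entry(0x00, (254, 63, 1023), 0x07, (254, 63, 1023), 31664128, 593475584)
    + b"\x55\xaa"
)


def parse_partition_table(mbr):
    """Decode the four primary entries; refuse a sector without a boot signature."""
    if len(mbr) < 512 or mbr[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature at offset 510")
    entries = []
    for i in range(4):
        raw = mbr[PT_OFFSET + i * ENTRY_LEN:PT_OFFSET + (i + 1) * ENTRY_LEN]
        lba, count = struct.unpack("<II", raw[8:16])
        entries.append({"index": i, "boot": raw[0], "start_chs": decode_chs(raw[1:4]),
                        "type": raw[4], "end_chs": decode_chs(raw[5:8]),
                        "lba": lba, "count": count})
    return entries


def check_partition_table(entries):
    """Generic consistency rules; each violation comes back as one string."""
    findings = []
    active = [e["index"] for e in entries if e["boot"] == 0x80]
    if len(active) > 1:
        findings.append(f"more than one active entry: {active}")
    for e in entries:
        i = e["index"]
        if e["boot"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid boot flag 0x{e['boot']:02x}")
        unused = e["type"] == 0 and e["count"] == 0
        fields_set = (e["boot"] or e["lba"] or e["start_chs"] != (0, 0, 0)
                      or e["end_chs"] != (0, 0, 0))
        if unused and fields_set:
            findings.append(f"entry {i}: type 0 and zero length, yet boot=0x{e['boot']:02x}, "
                            f"lba={e['lba']}, start_chs={e['start_chs']}")
        if not unused and e["count"] == 0:
            findings.append(f"entry {i}: type 0x{e['type']:02x} with zero length")
    # Overlap check over the entries that actually occupy sectors.
    used = sorted((e["lba"], e["lba"] + e["count"], e["index"]) for e in entries if e["count"])
    for (s1, end1, i1), (s2, _, i2) in zip(used, used[1:]):
        if s2 < end1:
            findings.append(f"entries {i1} and {i2} overlap")
    return findings


if __name__ == "__main__":
    table = parse_partition_table(SAMPLE_MBR)
    for e in table:
        print(f"{e['index']}: boot=0x{e['boot']:02x} type=0x{e['type']:02x} "
              f"lba={e['lba']} count={e['count']}")
    for finding in check_partition_table(table):
        print("CHECK:", finding)
```

On the constructed sample the checks report two things: two entries carry the 0x80 active flag, and entry 0 is a zero-type, zero-length slot that nonetheless has a boot flag, a start CHS and an LBA set. Neither finding says what wrote those bytes; it says the table is not self-consistent and should be compared against a known-good copy (a backup image or the partition layout the vendor recovery tools expect) before any repair command is issued. To run this on a real disk, replace SAMPLE_MBR with the first 512 bytes read from a forensic image of the drive.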


#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,683 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:52 PM

Posted 04 March 2013 - 05:35 PM

Let's give it a try.
  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

    Plug the flash drive into the infected PC.
  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html



    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
      Select Command Prompt

      Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Edited by JSntgRvr, 04 March 2013 - 05:38 PM.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
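Once FRST.txt exists, the first pass a responder makes over the Registry and Services/Drivers sections is mechanical: which autostarts point at files that no longer exist, which carry no publisher in their version info, and which run from a user-writable path. The following is an added example (my code, not FRST's and not part of this thread) that parses those line shapes and attaches review reasons. The sample lines are copied from the FRST.txt posted later in this thread; my reading of the format is that FRST writes [x] in place of size and date when it could not find the file, and an empty () when the file's version info has no company name. A reason is a prompt to look, not a verdict: vendor leftovers produce orphaned entries too.

```python
import re

# Line shapes FRST uses in the Registry and Services/Drivers sections:
#   <hive>\...\Run: [<name>] <command> [<size> <date>] (<company>)
#   <start type> <service name>; <command> [<size> <date>] (<company>)
# "[x]" stands where size/date would be when the file was not found, and an
# empty "()" means the version info carries no company name (my reading of
# the format; both are prompts to look, not verdicts).
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]+)\] (?P<rest>.*)$")
SVC_RE = re.compile(r"^(?P<start>\d) (?P<name>[^;]+); (?P<rest>.*)$")
REST_RE = re.compile(r"^(?P<cmd>.*?) \[(?P<meta>[^\]]*)\](?: \((?P<company>[^)]*)\))?$")

# Paths an ordinary user can write to; an autostart there deserves review.
USER_WRITABLE = ("\\users\\", "\\temp\\")

REASON_MISSING = "file not found on disk ([x]): orphaned entry"
REASON_NO_COMPANY = "no company name in version info"
REASON_USER_PATH = "runs from a user-writable location"

# Sample input: lines copied from the FRST.txt posted later in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2392360 2010-10-08] (Synaptics Incorporated)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)
HKLM-x32\...\Run: [SearchProtectAll] C:\Program Files (x86)\SearchProtect\bin\cltmng.exe [2674464 2013-02-20] (Conduit)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1263952 2013-02-12] ()
HKU\Default\...\RunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid} [x]
HKU\Jaime\...\Run: [SearchProtect] C:\Users\Jaime\AppData\Roaming\SearchProtect\bin\cltmng.exe [2674464 2013-02-20] (Conduit)
2 CltMngSvc; C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe [93984 2013-02-20] (Conduit)
2 RealNetworks Downloader Resolver Service; "C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe" [38608 2012-11-29] ()
2 CxAudMsg; C:\Windows\system32\CxAudMsg64.exe [x]
3 PCDSRVC{EDD8E36B-FF138BFF-06020101}_0; \??\c:\users\jaime\appdata\local\temp\tfrp6xs9.wzb\pcdrdiag\bin\pcdsrvc_x64.pkms [x]
"""


def parse_entry(line):
    """Return a dict for an autorun or service/driver line, or None for any other line."""
    m = RUN_RE.match(line)
    if m:
        kind, name, location = "autorun", m["name"], f"{m['hive']}\\{m['key']}"
    else:
        m = SVC_RE.match(line)
        if not m:
            return None
        kind, name, location = "service", m["name"], f"start type {m['start']}"
    r = REST_RE.match(m["rest"])
    if not r:
        return None
    return {"kind": kind, "name": name, "location": location,
            "command": r["cmd"], "present": r["meta"] != "x",
            "company": r["company"]}


def triage(entry):
    """Attach review reasons; an empty list means nothing stood out."""
    reasons = []
    if not entry["present"]:
        reasons.append(REASON_MISSING)
    elif entry["company"] == "":
        reasons.append(REASON_NO_COMPANY)
    if any(p in entry["command"].lower() for p in USER_WRITABLE):
        reasons.append(REASON_USER_PATH)
    return reasons


def triage_log(text):
    """Parse every recognised line and return the entries with their reasons."""
    entries = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            entry["reasons"] = triage(entry)
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        if e["reasons"]:
            print(f"{e['kind']:7} {e['name']:<45} {e['command']}")
            for why in e["reasons"]:
                print(f"        - {why}")
```

Run against a full log, the output is a short worklist rather than a diagnosis: the flagged names are the ones to look up, cross-check against the "One Month Created Files" section for matching install times, and raise with the helper before anything is deleted. Section headers and file-listing lines are ignored by the parser, so the whole FRST.txt can be passed in unchanged.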


#5 clueless00

clueless00
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:52 PM

Posted 04 March 2013 - 06:29 PM

Working on the flash drive. Keep you posted.


Edited by clueless00, 04 March 2013 - 06:33 PM.


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:52 PM

Posted 04 March 2013 - 07:45 PM

Hello, just letting you know I moved this to the Virus, Trojan, Spyware, and Malware Removal Logs forum, where it will stay.


How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#7 clueless00

clueless00
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:52 PM

Posted 04 March 2013 - 07:53 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 04-03-2013 01
Ran by SYSTEM at 04-03-2013 19:48:37
Running from G:\
Windows 7 Home Premium  Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2392360 2010-10-08] (Synaptics Incorporated)
HKLM\...\Run: [Power Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [1796200 2011-02-22] (Acer Incorporated)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)
HKLM-x32\...\Run: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [340336 2010-09-27] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe" [407920 2010-09-17] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d [201584 2010-09-17] (Egis Technology Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BackupManagerTray] "C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe" -h -k [297280 2011-02-15] (NTI Corporation)
HKLM-x32\...\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe [1092688 2011-03-31] (Dritek System Inc.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2011-01-11] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [295072 2013-02-22] (RealNetworks, Inc.)
HKLM-x32\...\Run: [SearchProtectAll] C:\Program Files (x86)\SearchProtect\bin\cltmng.exe [2674464 2013-02-20] (Conduit)
HKLM-x32\...\Run: [DivXMediaServer] C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [450560 2013-01-29] (DivX, LLC)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1263952 2013-02-12] ()
HKU\Default\...\RunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid} [x]
HKU\Default\...\RunOnce: [ScrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [154144 2010-07-29] ()
HKU\Default User\...\RunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid} [x]
HKU\Default User\...\RunOnce: [ScrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [154144 2010-07-29] ()
HKU\Jaime\...\Run: [SearchProtect] C:\Users\Jaime\AppData\Roaming\SearchProtect\bin\cltmng.exe [2674464 2013-02-20] (Conduit)
Tcpip\Parameters: [DhcpNameServer] 10.0.0.1

==================== Services (Whitelisted) ===================

2 CltMngSvc; C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe [93984 2013-02-20] (Conduit)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22056 2013-01-27] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [379360 2013-01-27] (Microsoft Corporation)
4 NTI IScheduleSvc; C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [257344 2011-02-15] (NTI Corporation)
2 RealNetworks Downloader Resolver Service; "C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe" [38608 2012-11-29] ()
2 CxAudMsg; C:\Windows\system32\CxAudMsg64.exe [x]

==================== Drivers (Whitelisted) =====================

0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
3 PcdrNdisuio; C:\Windows\SysWow64\drivers\pcdrndisuio.sys [x]
3 PCDSRVC{EDD8E36B-FF138BFF-06020101}_0; \??\c:\users\jaime\appdata\local\temp\tfrp6xs9.wzb\pcdrdiag\bin\pcdsrvc_x64.pkms [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-03-03 16:33 - 2013-03-03 16:33 - 00000000 ____D C:\Users\Jaime\AppData\Roaming\DivX
2013-03-03 16:31 - 2013-03-03 16:32 - 00000000 ____D C:\Program Files\DivX
2013-03-03 16:27 - 2013-03-03 16:33 - 00000000 ____D C:\Program Files (x86)\DivX
2013-03-03 16:26 - 2013-03-03 16:33 - 00000000 ____D C:\ProgramData\DivX
2013-03-02 08:38 - 2013-03-02 08:38 - 00000000 ____D C:\Program Files (x86)\Conduit
2013-03-02 08:37 - 2013-03-02 08:43 - 00000000 ____D C:\Users\Jaime\AppData\Roaming\SearchProtect
2013-03-02 08:37 - 2013-03-02 08:37 - 00000000 ____D C:\Users\Jaime\AppData\Roaming\PeaZip
2013-03-02 08:37 - 2013-03-02 08:37 - 00000000 ____D C:\Users\Jaime\AppData\Local\Conduit
2013-03-02 08:37 - 2013-03-02 08:37 - 00000000 ____D C:\Program Files (x86)\SearchProtect
2013-03-02 08:36 - 2013-03-02 08:38 - 00000009 ____A C:\end.bak
2013-03-02 08:36 - 2013-03-02 08:37 - 00000000 ____D C:\Program Files (x86)\Pokki
2013-03-02 08:33 - 2013-03-02 08:33 - 00000987 ____A C:\Users\Jaime\Desktop\PeaZip.lnk
2013-03-02 08:32 - 2013-03-02 08:33 - 00000000 ____D C:\Program Files (x86)\PeaZip
2013-03-02 08:32 - 2013-03-02 08:32 - 00000000 ____D C:\Users\Jaime\AppData\Roaming\OpenCandy
2013-03-02 08:31 - 2013-03-02 08:32 - 05201073 ____A (Giorgio Tani                                                ) C:\Users\Jaime\Downloads\peazip-4.8.1.WINDOWS.exe
2013-03-02 08:28 - 2013-03-02 08:28 - 10678705 ____A C:\Users\Jaime\Downloads\7zip-setup.exe
2013-03-02 08:27 - 2013-03-02 08:27 - 01138397 ____A C:\Users\Jaime\Downloads\7z922.exe
2013-02-27 04:59 - 2013-01-13 13:17 - 00009728 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-02-27 04:59 - 2013-01-13 13:17 - 00002560 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-02-27 04:59 - 2013-01-13 13:16 - 00010752 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-02-27 04:59 - 2013-01-13 13:12 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-02-27 04:59 - 2013-01-13 13:11 - 00005632 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-02-27 04:59 - 2013-01-13 13:11 - 00005632 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-02-27 04:59 - 2013-01-13 13:11 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-02-27 04:59 - 2013-01-13 13:11 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll
2013-02-27 04:59 - 2013-01-13 13:11 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-02-27 04:59 - 2013-01-13 12:35 - 00010752 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-02-27 04:59 - 2013-01-13 12:35 - 00009728 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-02-27 04:59 - 2013-01-13 12:35 - 00002560 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-02-27 04:59 - 2013-01-13 12:32 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-02-27 04:59 - 2013-01-13 12:31 - 01247744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-02-27 04:59 - 2013-01-13 12:31 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-02-27 04:59 - 2013-01-13 12:31 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-02-27 04:59 - 2013-01-13 12:31 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-02-27 04:59 - 2013-01-13 12:31 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
2013-02-27 04:59 - 2013-01-13 12:31 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-02-27 04:59 - 2013-01-13 12:22 - 01988096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2013-02-27 04:59 - 2013-01-13 12:20 - 00293376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxgi.dll
2013-02-27 04:59 - 2013-01-13 12:09 - 00249856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1core.dll
2013-02-27 04:59 - 2013-01-13 12:08 - 01504768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
2013-02-27 04:59 - 2013-01-13 12:08 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10core.dll
2013-02-27 04:59 - 2013-01-13 11:59 - 01643520 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-02-27 04:59 - 2013-01-13 11:58 - 01175552 ____A (Microsoft Corporation) C:\Windows\System32\FntCache.dll
2013-02-27 04:59 - 2013-01-13 11:54 - 00604160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2013-02-27 04:59 - 2013-01-13 11:53 - 00207872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecsExt.dll
2013-02-27 04:59 - 2013-01-13 11:53 - 00187392 ____A (Microsoft Corporation) C:\Windows\SysWOW64\UIAnimation.dll
2013-02-27 04:59 - 2013-01-13 11:51 - 02565120 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2013-02-27 04:59 - 2013-01-13 11:49 - 00363008 ____A (Microsoft Corporation) C:\Windows\System32\dxgi.dll
2013-02-27 04:59 - 2013-01-13 11:48 - 00161792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1.dll
2013-02-27 04:59 - 2013-01-13 11:46 - 01080832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10.dll
2013-02-27 04:59 - 2013-01-13 11:43 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2013-02-27 04:59 - 2013-01-13 11:38 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2013-02-27 04:59 - 2013-01-13 11:38 - 00333312 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2013-02-27 04:59 - 2013-01-13 11:38 - 00296960 ____A (Microsoft Corporation) C:\Windows\System32\d3d10core.dll
2013-02-27 04:59 - 2013-01-13 11:25 - 00245248 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecsExt.dll
2013-02-27 04:59 - 2013-01-13 11:24 - 00648192 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2013-02-27 04:59 - 2013-01-13 11:24 - 00221184 ____A (Microsoft Corporation) C:\Windows\System32\UIAnimation.dll
2013-02-27 04:59 - 2013-01-13 11:20 - 01238528 ____A (Microsoft Corporation) C:\Windows\System32\d3d10.dll
2013-02-27 04:59 - 2013-01-13 11:20 - 00194560 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2013-02-27 04:59 - 2013-01-13 11:15 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-02-27 04:59 - 2013-01-13 11:10 - 03928064 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2013-02-27 04:59 - 2013-01-13 11:02 - 00417792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
2013-02-27 04:59 - 2013-01-13 10:34 - 00364544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsGdiConverter.dll
2013-02-27 04:59 - 2013-01-13 10:32 - 00465920 ____A (Microsoft Corporation) C:\Windows\System32\WMPhoto.dll
2013-02-27 04:59 - 2013-01-13 10:09 - 00522752 ____A (Microsoft Corporation) C:\Windows\System32\XpsGdiConverter.dll
2013-02-27 04:59 - 2013-01-13 09:26 - 01158144 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsPrint.dll
2013-02-27 04:59 - 2013-01-13 09:05 - 01682432 ____A (Microsoft Corporation) C:\Windows\System32\XpsPrint.dll
2013-02-27 04:59 - 2013-01-03 22:11 - 02776576 ____A (Microsoft Corporation) C:\Windows\System32\msmpeg2vdec.dll
2013-02-27 04:59 - 2013-01-03 22:11 - 02284544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll
2013-02-27 04:58 - 2013-01-13 11:37 - 03419136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll
2013-02-23 13:11 - 2013-02-23 13:11 - 00001302 ____A C:\Users\Jaime\Desktop\FlyffCharacterSimulatorv12beta - Shortcut.lnk
2013-02-22 20:27 - 2013-02-22 20:28 - 02298880 ____A (Jonathon Shelley & herki) C:\Users\Jaime\Downloads\FlyffCharacterSimulatorv12beta.exe
2013-02-22 20:09 - 2013-02-22 20:09 - 00000000 ____D C:\Users\Jaime\AppData\Local\Zoom_Downloader
2013-02-22 20:08 - 2013-02-22 20:14 - 00000000 ____D C:\Program Files (x86)\Wajam
2013-02-22 20:08 - 2013-02-22 20:11 - 00000000 ____D C:\Program Files (x86)\PCFixSpeed
2013-02-22 20:08 - 2013-02-22 20:08 - 00000000 ____D C:\Users\Jaime\AppData\Local\Wajam
2013-02-22 20:07 - 2013-02-22 20:07 - 00000000 ____D C:\Users\Jaime\AppData\Local\Solid Savings
2013-02-22 20:06 - 2013-02-22 20:13 - 00000000 ____D C:\Program Files (x86)\Solid Savings
2013-02-22 20:06 - 2013-02-22 20:06 - 00000000 ____D C:\Users\Jaime\AppData\Roaming\RealNetworks
2013-02-22 20:05 - 2013-02-22 20:05 - 00001272 ____A C:\Users\Public\Desktop\RealPlayer.lnk
2013-02-22 20:05 - 2013-02-22 20:05 - 00000000 ____D C:\ProgramData\RealNetworks
2013-02-22 20:05 - 2013-02-22 20:05 - 00000000 ____D C:\Program Files (x86)\RealNetworks
2013-02-22 20:04 - 2013-02-22 20:04 - 00201424 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
2013-02-22 20:03 - 2013-02-22 20:04 - 00000000 ____D C:\Program Files (x86)\Real
2013-02-22 20:03 - 2013-02-22 20:03 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
2013-02-22 20:03 - 2013-02-22 20:03 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
2013-02-22 20:03 - 2013-02-22 20:03 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
2013-02-22 20:02 - 2013-02-22 20:06 - 00000000 ____D C:\Users\Jaime\AppData\Roaming\Real
2013-02-22 20:01 - 2013-02-22 20:06 - 00000000 ____D C:\ProgramData\Real
2013-02-22 20:00 - 2013-02-22 20:00 - 00736552 ____A (DownloadManager) C:\Users\Jaime\Downloads\Setup.exe
2013-02-16 06:21 - 2013-02-16 06:22 - 00000000 ____D C:\Program Files (x86)\GUM2CD1.tmp
2013-02-14 00:01 - 2013-01-08 17:19 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-02-14 00:01 - 2013-01-08 17:12 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-02-14 00:01 - 2013-01-08 17:12 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-02-14 00:01 - 2013-01-08 17:11 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-02-14 00:01 - 2013-01-08 17:10 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-02-14 00:01 - 2013-01-08 17:09 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-02-14 00:01 - 2013-01-08 17:07 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-02-14 00:01 - 2013-01-08 17:07 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-02-14 00:01 - 2013-01-08 17:07 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-02-14 00:01 - 2013-01-08 17:06 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-02-14 00:01 - 2013-01-08 17:05 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-02-14 00:01 - 2013-01-08 17:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-02-14 00:01 - 2013-01-08 17:04 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-02-14 00:01 - 2013-01-08 17:00 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-02-14 00:01 - 2013-01-08 14:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-02-14 00:01 - 2013-01-08 14:03 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-02-14 00:01 - 2013-01-08 14:03 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-02-14 00:01 - 2013-01-08 14:03 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-02-14 00:01 - 2013-01-08 14:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-02-14 00:01 - 2013-01-08 13:59 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-02-14 00:01 - 2013-01-08 13:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-02-14 00:01 - 2013-01-08 13:58 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-02-14 00:01 - 2013-01-08 13:57 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-02-14 00:01 - 2013-01-08 13:56 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-02-14 00:01 - 2013-01-08 13:56 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-02-14 00:01 - 2013-01-08 13:53 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-02-14 00:00 - 2013-01-08 17:48 - 17812992 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-02-14 00:00 - 2013-01-08 17:22 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-02-14 00:00 - 2013-01-08 14:23 - 12321280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-02-14 00:00 - 2013-01-08 14:09 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-02-14 00:00 - 2013-01-08 14:00 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-02-14 00:00 - 2013-01-08 13:56 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-02-13 05:10 - 2013-01-04 21:53 - 05553512 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-02-13 05:10 - 2013-01-04 21:00 - 03967848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-02-13 05:10 - 2013-01-04 21:00 - 03913064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-02-13 05:10 - 2013-01-03 21:46 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2013-02-13 05:10 - 2013-01-03 20:51 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-02-13 05:10 - 2013-01-03 19:26 - 03153408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-02-13 05:10 - 2013-01-03 18:47 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-02-13 05:10 - 2013-01-03 18:47 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-02-13 05:10 - 2013-01-03 18:47 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-02-13 05:10 - 2013-01-03 18:47 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-02-13 05:09 - 2013-01-02 22:00 - 01913192 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-02-13 05:09 - 2013-01-02 22:00 - 00288088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2013-02-06 07:20 - 2013-02-06 07:20 - 00000671 ____A C:\Users\Public\Desktop\Flyff.lnk
2013-02-06 06:55 - 2013-02-06 06:55 - 00000000 ____D C:\Program Files\Gpotato
2013-02-05 17:29 - 2013-02-05 17:30 - 00222488 ____A C:\Users\Jaime\Downloads\AtdheNetApp_setup(43) (1).exe
2013-02-05 17:28 - 2013-02-05 17:28 - 00222488 ____A C:\Users\Jaime\Downloads\AtdheNetApp_setup(43).exe.apgw61z.partial
2013-02-02 17:26 - 2013-02-02 17:26 - 00001286 ____A C:\Users\Jaime\Desktop\generals - Shortcut.lnk
2013-02-02 17:24 - 2013-02-02 17:24 - 00000618 ____A C:\Windows\eReg.dat

==================== One Month Modified Files and Folders =======

2013-03-03 16:36 - 2011-05-20 13:26 - 01791269 ____A C:\Windows\WindowsUpdate.log
2013-03-03 16:36 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep
2013-03-03 16:33 - 2013-03-03 16:33 - 00000000 ____D C:\Users\Jaime\AppData\Roaming\DivX
2013-03-03 16:33 - 2013-03-03 16:27 - 00000000 ____D C:\Program Files (x86)\DivX
2013-03-03 16:33 - 2013-03-03 16:26 - 00000000 ____D C:\ProgramData\DivX
2013-03-03 16:32 - 2013-03-03 16:31 - 00000000 ____D C:\Program Files\DivX
2013-03-03 16:26 - 2012-06-07 14:58 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-03-03 16:14 - 2009-07-13 20:45 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-03-03 16:14 - 2009-07-13 20:45 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-03-03 16:10 - 2009-07-13 21:13 - 00727310 ____A C:\Windows\System32\PerfStringBackup.INI
2013-03-03 16:06 - 2012-06-07 14:58 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-03-03 16:06 - 2011-08-21 02:27 - 00000000 ____D C:\ProgramData\clear.fi
2013-03-03 16:06 - 2010-11-20 19:47 - 00024302 ____A C:\Windows\PFRO.log
2013-03-03 16:06 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-03-03 16:06 - 2009-07-13 20:51 - 00071140 ____A C:\Windows\setupact.log
2013-03-02 20:51 - 2012-10-02 14:51 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-03-02 08:43 - 2013-03-02 08:37 - 00000000 ____D C:\Users\Jaime\AppData\Roaming\SearchProtect
2013-03-02 08:38 - 2013-03-02 08:38 - 00000000 ____D C:\Program Files (x86)\Conduit
2013-03-02 08:38 - 2013-03-02 08:36 - 00000009 ____A C:\end.bak
2013-03-02 08:37 - 2013-03-02 08:37 - 00000000 ____D C:\Users\Jaime\AppData\Roaming\PeaZip
2013-03-02 08:37 - 2013-03-02 08:37 - 00000000 ____D C:\Users\Jaime\AppData\Local\Conduit
2013-03-02 08:37 - 2013-03-02 08:37 - 00000000 ____D C:\Program Files (x86)\SearchProtect
2013-03-02 08:37 - 2013-03-02 08:36 - 00000000 ____D C:\Program Files (x86)\Pokki
2013-03-02 08:33 - 2013-03-02 08:33 - 00000987 ____A C:\Users\Jaime\Desktop\PeaZip.lnk
2013-03-02 08:33 - 2013-03-02 08:32 - 00000000 ____D C:\Program Files (x86)\PeaZip
2013-03-02 08:32 - 2013-03-02 08:32 - 00000000 ____D C:\Users\Jaime\AppData\Roaming\OpenCandy
2013-03-02 08:32 - 2013-03-02 08:31 - 05201073 ____A (Giorgio Tani                                                ) C:\Users\Jaime\Downloads\peazip-4.8.1.WINDOWS.exe
2013-03-02 08:28 - 2013-03-02 08:28 - 10678705 ____A C:\Users\Jaime\Downloads\7zip-setup.exe
2013-03-02 08:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Resources
2013-03-02 08:27 - 2013-03-02 08:27 - 01138397 ____A C:\Users\Jaime\Downloads\7z922.exe
2013-03-02 07:51 - 2012-04-29 16:12 - 00000000 ____D C:\Users\Jaime\Documents\Command and Conquer Generals Data
2013-03-02 05:58 - 2009-07-13 21:08 - 00032552 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-03-01 05:46 - 2011-03-25 05:38 - 00003170 ____A C:\Windows\DirectX.log
2013-02-28 14:53 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-02-27 07:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\zh-HK
2013-02-27 07:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\tr-TR
2013-02-27 07:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\zh-HK
2013-02-27 07:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\tr-TR
2013-02-23 13:11 - 2013-02-23 13:11 - 00001302 ____A C:\Users\Jaime\Desktop\FlyffCharacterSimulatorv12beta - Shortcut.lnk
2013-02-22 20:28 - 2013-02-22 20:27 - 02298880 ____A (Jonathon Shelley & herki) C:\Users\Jaime\Downloads\FlyffCharacterSimulatorv12beta.exe
2013-02-22 20:14 - 2013-02-22 20:08 - 00000000 ____D C:\Program Files (x86)\Wajam
2013-02-22 20:13 - 2013-02-22 20:06 - 00000000 ____D C:\Program Files (x86)\Solid Savings
2013-02-22 20:11 - 2013-02-22 20:08 - 00000000 ____D C:\Program Files (x86)\PCFixSpeed
2013-02-22 20:09 - 2013-02-22 20:09 - 00000000 ____D C:\Users\Jaime\AppData\Local\Zoom_Downloader
2013-02-22 20:08 - 2013-02-22 20:08 - 00000000 ____D C:\Users\Jaime\AppData\Local\Wajam
2013-02-22 20:07 - 2013-02-22 20:07 - 00000000 ____D C:\Users\Jaime\AppData\Local\Solid Savings
2013-02-22 20:06 - 2013-02-22 20:06 - 00000000 ____D C:\Users\Jaime\AppData\Roaming\RealNetworks
2013-02-22 20:06 - 2013-02-22 20:02 - 00000000 ____D C:\Users\Jaime\AppData\Roaming\Real
2013-02-22 20:06 - 2013-02-22 20:01 - 00000000 ____D C:\ProgramData\Real
2013-02-22 20:05 - 2013-02-22 20:05 - 00001272 ____A C:\Users\Public\Desktop\RealPlayer.lnk
2013-02-22 20:05 - 2013-02-22 20:05 - 00000000 ____D C:\ProgramData\RealNetworks
2013-02-22 20:05 - 2013-02-22 20:05 - 00000000 ____D C:\Program Files (x86)\RealNetworks
2013-02-22 20:04 - 2013-02-22 20:04 - 00201424 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
2013-02-22 20:04 - 2013-02-22 20:03 - 00000000 ____D C:\Program Files (x86)\Real
2013-02-22 20:03 - 2013-02-22 20:03 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
2013-02-22 20:03 - 2013-02-22 20:03 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
2013-02-22 20:03 - 2013-02-22 20:03 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
2013-02-22 20:03 - 2011-02-22 09:03 - 00499712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
2013-02-22 20:03 - 2011-02-22 09:03 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2013-02-22 20:00 - 2013-02-22 20:00 - 00736552 ____A (DownloadManager) C:\Users\Jaime\Downloads\Setup.exe
2013-02-21 02:04 - 2011-08-29 17:19 - 00000000 ____D C:\Users\Jaime\AppData\Roaming\SoftGrid Client
2013-02-20 20:12 - 2011-08-21 03:15 - 00000000 ____D C:\Users\Jaime\AppData\Roaming\Skype
2013-02-20 04:02 - 2011-06-10 22:58 - 00421200 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp100.dll
2013-02-20 00:03 - 2012-09-28 00:08 - 00001945 ____A C:\Windows\epplauncher.mif
2013-02-20 00:02 - 2012-09-28 00:07 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-02-20 00:02 - 2012-09-28 00:07 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-02-19 09:16 - 2012-04-23 20:35 - 00000000 ____D C:\tom
2013-02-18 19:34 - 2011-08-21 02:12 - 00061952 ____A C:\Users\Jaime\AppData\Local\GDIPFONTCACHEV1.DAT
2013-02-16 06:22 - 2013-02-16 06:21 - 00000000 ____D C:\Program Files (x86)\GUM2CD1.tmp
2013-02-14 00:38 - 2009-07-13 20:45 - 00291704 ____A C:\Windows\System32\FNTCACHE.DAT
2013-02-14 00:11 - 2012-04-13 04:21 - 70004024 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-02-13 17:44 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-02-07 07:41 - 2013-01-22 17:51 - 00007605 ____A C:\Users\Jaime\AppData\Local\Resmon.ResmonCfg
2013-02-06 07:20 - 2013-02-06 07:20 - 00000671 ____A C:\Users\Public\Desktop\Flyff.lnk
2013-02-06 06:55 - 2013-02-06 06:55 - 00000000 ____D C:\Program Files\Gpotato
2013-02-05 17:30 - 2013-02-05 17:29 - 00222488 ____A C:\Users\Jaime\Downloads\AtdheNetApp_setup(43) (1).exe
2013-02-05 17:28 - 2013-02-05 17:28 - 00222488 ____A C:\Users\Jaime\Downloads\AtdheNetApp_setup(43).exe.apgw61z.partial
2013-02-02 17:26 - 2013-02-02 17:26 - 00001286 ____A C:\Users\Jaime\Desktop\generals - Shortcut.lnk
2013-02-02 17:24 - 2013-02-02 17:24 - 00000618 ____A C:\Windows\eReg.dat
2013-02-02 17:24 - 2011-03-25 04:52 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2013-02-02 17:20 - 2012-11-03 09:23 - 00000000 ____D C:\Program Files (x86)\EA Games
2013-02-02 16:52 - 2011-08-21 03:13 - 00000000 ____D C:\ProgramData\NCH Software
2013-02-02 16:52 - 2011-08-21 03:13 - 00000000 ____D C:\Program Files (x86)\NCH Software

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-4056489026-1064372493-3106239083-1000\$69547e3dab5dd7d8b613eb004680d465

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 2794.9 MB
Available physical RAM: 2194.94 MB
Total Pagefile: 2793.1 MB
Available Pagefile: 2179.79 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (Acer) (Fixed) (Total:282.99 GB) (Free:196.83 GB) NTFS
2 Drive e: (PQSERVICE) (Fixed) (Total:15 GB) (Free:2.81 GB) NTFS
4 Drive g: () (Removable) (Total:14.9 GB) (Free:14.9 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          298 GB      0 B        
  Disk 1    Online           14 GB      0 B        
  Disk 2    No Media           0 B      0 B        

Partitions of Disk 0:
===============

Disk ID: 020276B2

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery            15 GB  1024 KB
  Partition 2    Primary            100 MB    15 GB
  Partition 3    Primary            282 GB    15 GB

==================================================================================

Disk: 0
Partition 1
Type  : 27
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E   PQSERVICE    NTFS   Partition     15 GB  Healthy    Hidden 

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   SYSTEM RESE  NTFS   Partition    100 MB  Healthy           

=========================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   Acer         NTFS   Partition    282 GB  Healthy           

=========================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary             14 GB    16 KB

==================================================================================

Disk: 1
Partition 1
Type  : 0C
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G                FAT32  Removable     14 GB  Healthy           

=========================================================

Last Boot: 2013-02-22 22:11

==================== End Of Log =============================



#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,683 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:52 PM

Posted 04 March 2013 - 08:12 PM

Download MBRFix from here.

Save and extract its contents to the working computer's desktop. There are three files in the MBRFix folder. From these, only copy the MBRFix64.exe to the USB drive.

Also download the enclosed file and save it in the USB drive.

Insert the USB drive into the ailing computer.

Now please enter System Recovery Options and run FRST64 as you did before, except that this time around, press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt). It will also create a file labeled MBRDUMP.txt. Copy and Paste the contents of the Fixlog.txt in your next reply, but attach the MBRDUMP.txt as it is a hex file.

For 64-bit systems, please download ListParts64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:

    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\ListParts.exe (for x64 bit version type e:\ListParts64.exe) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Put check mark on List BCD.
    • Press Scan button.
    • It will make a log (Result.txt) in the flash drive. Please copy and paste it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 clueless00

clueless00
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:52 PM

Posted 04 March 2013 - 08:58 PM

Not sure how to upload files? Looking through help, it tells me to look for a command button, but I don't see it anywhere. Please help.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 04-03-2013 01
Ran by SYSTEM at 2013-03-04 20:33:29 Run:1
Running from G:\

==============================================

C:\$Recycle.Bin\S-1-5-21-4056489026-1064372493-3106239083-1000\$69547e3dab5dd7d8b613eb004680d465 moved successfully.
MBRDUMP.txt is made successfully.

==== End of Fixlog ====



#10 clueless00

clueless00
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:52 PM

Posted 04 March 2013 - 09:05 PM

ListParts by Farbar Version: 04-03-2013
Ran by SYSTEM (administrator) on 04-03-2013 at 21:02:04
Windows 7 (X64)
Running From: G:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 16%
Total physical RAM: 2794.9 MB
Available physical RAM: 2325.74 MB
Total Pagefile: 2793.1 MB
Available Pagefile: 2304.57 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Acer) (Fixed) (Total:282.99 GB) (Free:196.83 GB) NTFS
3 Drive e: (PQSERVICE) (Fixed) (Total:15 GB) (Free:2.81 GB) NTFS
5 Drive g: () (Removable) (Total:14.9 GB) (Free:14.9 GB) FAT32
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          298 GB      0 B        
  Disk 1    Online           14 GB      0 B        
  Disk 2    No Media           0 B      0 B        

Partitions of Disk 0:
===============

Disk ID: 020276B2

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery            15 GB  1024 KB
  Partition 2    Primary            100 MB    15 GB
  Partition 3    Primary            282 GB    15 GB

======================================================================================================

Disk: 0
Partition 1
Type  : 27
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E   PQSERVICE    NTFS   Partition     15 GB  Healthy    Hidden 

======================================================================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   SYSTEM RESE  NTFS   Partition    100 MB  Healthy           

======================================================================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     D   Acer         NTFS   Partition    282 GB  Healthy           

======================================================================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary             14 GB    16 KB

======================================================================================================

Disk: 1
Partition 1
Type  : 0C
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G                FAT32  Removable     14 GB  Healthy           

======================================================================================================

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {default}
resumeobject            {d29182db-832d-11e0-8400-9b6b973614a7}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {default}
device                  partition=D:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {current}
recoveryenabled         Yes
osdevice                partition=D:
systemroot              \Windows
resumeobject            {d29182db-832d-11e0-8400-9b6b973614a7}
nx                      OptIn

Windows Boot Loader
-------------------
identifier              {current}
device                  ramdisk=[D:]\Recovery\d29182dd-832d-11e0-8400-9b6b973614a7\Winre.wim,{d29182de-832d-11e0-8400-9b6b973614a7}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[D:]\Recovery\d29182dd-832d-11e0-8400-9b6b973614a7\Winre.wim,{d29182de-832d-11e0-8400-9b6b973614a7}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Resume from Hibernate
---------------------
identifier              {d29182db-832d-11e0-8400-9b6b973614a7}
device                  partition=D:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=D:
filepath                \hiberfil.sys
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=C:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Device options
--------------
identifier              {d29182de-832d-11e0-8400-9b6b973614a7}
description             Ramdisk Options
ramdisksdidevice        partition=D:
ramdisksdipath          \Recovery\d29182dd-832d-11e0-8400-9b6b973614a7\boot.sdi

****** End Of Log ******



#11 clueless00

clueless00
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:52 PM

Posted 04 March 2013 - 09:13 PM

Attached File  MBRDUMP.txt   512bytes   2 downloads
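The MBRDUMP.txt attached above is the 512-byte master boot record that the FRST fix read off disk 0 (post #8 calls it a hex file; the attachment size says raw bytes). What follows is an added example for readers of this thread, not code from the thread, from FRST or from MBRFix: a small Python script that parses such a dump offline, checks the 0x55AA signature, walks the four partition entries, flags more than one active partition or overlapping entries, compares the (type, active) layout with what ListParts printed earlier (Disk ID 020276B2; type 27 hidden recovery, type 07 active SYSTEM RESERVED, type 07 Acer volume), and hashes the 440 boot-code bytes so they can be compared with a known-good MBR. Those boot-code bytes are where MBR bootkits of the family TDSSKiller is built for install themselves, so a hash mismatch against a clean reference is the finding a responder cares about most. The sample dump, the stand-in boot code, the reference hash and the function names are constructed for the example and labelled as such in the code; the hex-text fallback in load_dump is an assumption about how the file might have been saved.

```python
"""Parse and sanity-check a 512-byte MBR dump (added example; not FRST or MBRFix code)."""
import hashlib
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

MBR_SIZE = SECTOR = 512
DISK_SIG_OFFSET = 440        # 4-byte NT disk signature; ListParts prints it as "Disk ID"
PART_TABLE_OFFSET = 446      # four 16-byte partition entries, then the 0x55AA signature
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3xB3xII"      # status, (CHS start), type, (CHS end), LBA start, sector count

@dataclass
class PartitionEntry:
    index: int           # 1-based slot, as ListParts numbers partitions
    active: bool         # status byte 0x80 = boot flag
    type_id: int         # 0x07 NTFS, 0x27 hidden NTFS recovery, 0x0C FAT32 (LBA)
    lba_start: int
    sector_count: int

@dataclass
class Mbr:
    disk_signature: int
    boot_code_sha256: str    # hash of bytes 0..439, the code an MBR bootkit replaces
    signature_ok: bool
    partitions: List[PartitionEntry]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def load_dump(path: str) -> bytes:
    """Raw 512 bytes or, by assumption, a whitespace-separated hex-text rendering of them."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw if len(raw) == MBR_SIZE else bytes.fromhex("".join(raw.decode("ascii").split()))

def parse_mbr(data: bytes) -> Mbr:
    if len(data) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(data)}")
    parts = []
    for slot in range(4):
        status, type_id, lba, count = struct.unpack_from(ENTRY_FMT, data, PART_TABLE_OFFSET + 16 * slot)
        if type_id:                      # type 0 marks an empty slot
            parts.append(PartitionEntry(slot + 1, status == 0x80, type_id, lba, count))
    return Mbr(struct.unpack_from("<I", data, DISK_SIG_OFFSET)[0],
               sha256_hex(data[:DISK_SIG_OFFSET]), data[510:] == BOOT_SIGNATURE, parts)

def audit_mbr(mbr: Mbr, expected_boot_sha256: Optional[str] = None) -> List[str]:
    """Findings a responder would want flagged; an empty list means nothing looked wrong."""
    findings = []
    if not mbr.signature_ok:
        findings.append("missing 0x55AA boot signature")
    active = [p for p in mbr.partitions if p.active]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    ordered = sorted(mbr.partitions, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start < a.lba_start + a.sector_count:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    if expected_boot_sha256 and mbr.boot_code_sha256 != expected_boot_sha256:
        findings.append("boot code differs from the known-good reference")
    return findings

def matches_layout(mbr: Mbr, expected: List[Tuple[int, bool]]) -> bool:
    """Compare (type, active) per slot with what ListParts reported for the same disk."""
    return [(p.type_id, p.active) for p in mbr.partitions] == expected

# (type, active) per slot, transcribed from the ListParts output in this thread.
LISTPARTS_LAYOUT = [(0x27, False), (0x07, True), (0x07, False)]
GB, MB = 1024 ** 3, 1024 ** 2
FAKE_BOOT_CODE = b"\x90" * DISK_SIG_OFFSET   # constructed stand-in, not real boot code

def build_sample_mbr(tampered: bool = False) -> bytes:
    """Constructed sample mirroring the thread's partition table; not the real MBRDUMP.txt."""
    mbr = bytearray(MBR_SIZE)
    mbr[:DISK_SIG_OFFSET] = FAKE_BOOT_CODE
    struct.pack_into("<I", mbr, DISK_SIG_OFFSET, 0x020276B2)    # Disk ID from ListParts
    p1_start, p1_len = 2048, 15 * GB // SECTOR                   # recovery, offset 1024 KB
    p2_start, p2_len = p1_start + p1_len, 100 * MB // SECTOR     # SYSTEM RESERVED
    p3_start, p3_len = p2_start + p2_len, 282 * GB // SECTOR     # Acer (Windows volume)
    entries = [(0x00, 0x27, p1_start, p1_len), (0x80, 0x07, p2_start, p2_len),
               (0x00, 0x07, p3_start, p3_len)]
    for slot, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * slot, *entry)
    mbr[510:] = BOOT_SIGNATURE
    if tampered:                          # a test fixture the audit should flag
        mbr[0] = 0xE9                     # first boot-code byte changed
        mbr[PART_TABLE_OFFSET] = 0x80     # a second active flag, on the hidden recovery slot
    return bytes(mbr)

if __name__ == "__main__":
    real = len(sys.argv) > 1
    parsed = parse_mbr(load_dump(sys.argv[1]) if real else build_sample_mbr(tampered=True))
    # For a real dump, pass the hash of a known-good MBR from an identical install instead.
    reference = None if real else sha256_hex(FAKE_BOOT_CODE)
    print(f"Disk ID {parsed.disk_signature:08X}  boot code sha256 {parsed.boot_code_sha256}")
    for p in parsed.partitions:
        print(f"  {p.index}: type {p.type_id:02X} active={p.active} "
              f"LBA {p.lba_start} +{p.sector_count} ({p.sector_count * SECTOR / GB:.2f} GB)")
    for finding in audit_mbr(parsed, reference):
        print("  !", finding)
```

Run with no argument to see the audit on a deliberately tampered copy of the sample, or with a path to a real dump to parse it; for a real dump, supply a reference hash taken from a clean MBR of the same Windows 7 build rather than the sample's stand-in, since the partition-table checks alone cannot tell patched boot code from a healthy one.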



#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,683 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:52 PM

Posted 04 March 2013 - 09:42 PM

Download the enclosed file:

Save it in the USB drive
  • Run ListParts as you did before.
  • This time around, press the Fix button.
  • When it is done close the notification pop up. Put check mark on List BCD and click Scan. Copy and paste the log (Result.txt) it makes in the USB.
  • NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Attempt to boot in Normal mode. If successful, run TDSSKiller as follows:

Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#13 clueless00

clueless00
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:52 PM

Posted 04 March 2013 - 10:20 PM

ListParts by Farbar Version: 04-03-2013
Ran by SYSTEM (administrator) on 04-03-2013 at 22:18:38
Windows 7 (X64)
Running From: G:\
Language: 0409
************************************************************


========================= Memory info ======================


Percentage of memory in use: 17%
Total physical RAM: 2794.9 MB
Available physical RAM: 2301.5 MB
Total Pagefile: 2793.1 MB
Available Pagefile: 2288.05 MB
Total Virtual: 8192 MB
Available Virtual: 8191.92 MB


======================= Partitions =========================


1 Drive c: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Acer) (Fixed) (Total:282.99 GB) (Free:196.83 GB) NTFS
3 Drive e: (PQSERVICE) (Fixed) (Total:15 GB) (Free:2.81 GB) NTFS
5 Drive g: () (Removable) (Total:14.9 GB) (Free:14.9 GB) FAT32
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS


  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          298 GB      0 B        
  Disk 1    Online           14 GB      0 B        
  Disk 2    No Media           0 B      0 B        


Partitions of Disk 0:
===============


Disk ID: 020276B2


  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery            15 GB  1024 KB
  Partition 2    Primary            100 MB    15 GB
  Partition 3    Primary            282 GB    15 GB


======================================================================================================


Disk: 0
Partition 1
Type  : 27
Hidden: Yes
Active: No


  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E   PQSERVICE    NTFS   Partition     15 GB  Healthy    Hidden 


======================================================================================================


Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes


  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   SYSTEM RESE  NTFS   Partition    100 MB  Healthy           


======================================================================================================


Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No


  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     D   Acer         NTFS   Partition    282 GB  Healthy           


======================================================================================================


Partitions of Disk 1:
===============


Disk ID: 00000000


  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary             14 GB    16 KB


======================================================================================================


Disk: 1
Partition 1
Type  : 0C
Hidden: No
Active: No


  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G                FAT32  Removable     14 GB  Healthy           


======================================================================================================


Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {default}
resumeobject            {d29182db-832d-11e0-8400-9b6b973614a7}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30


Windows Boot Loader
-------------------
identifier              {default}
device                  partition=D:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {current}
recoveryenabled         Yes
osdevice                partition=D:
systemroot              \Windows
resumeobject            {d29182db-832d-11e0-8400-9b6b973614a7}
nx                      OptIn


Windows Boot Loader
-------------------
identifier              {current}
device                  ramdisk=[D:]\Recovery\d29182dd-832d-11e0-8400-9b6b973614a7\Winre.wim,{d29182de-832d-11e0-8400-9b6b973614a7}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[D:]\Recovery\d29182dd-832d-11e0-8400-9b6b973614a7\Winre.wim,{d29182de-832d-11e0-8400-9b6b973614a7}
systemroot              \windows
nx                      OptIn
winpe                   Yes


Resume from Hibernate
---------------------
identifier              {d29182db-832d-11e0-8400-9b6b973614a7}
device                  partition=D:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=D:
filepath                \hiberfil.sys
debugoptionenabled      No


Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=C:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes


EMS Settings
------------
identifier              {emssettings}
bootems                 Yes


Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200


RAM Defects
-----------
identifier              {badmemory}


Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}


Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}


Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200


Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}


Device options
--------------
identifier              {d29182de-832d-11e0-8400-9b6b973614a7}
description             Ramdisk Options
ramdisksdidevice        partition=D:
ramdisksdipath          \Recovery\d29182dd-832d-11e0-8400-9b6b973614a7\boot.sdi



****** End Of Log ******



#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,683 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:52 PM

Posted 04 March 2013 - 10:22 PM

Were you able to boot in Normal Mode?

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#15 clueless00

clueless00
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:52 PM

Posted 04 March 2013 - 10:48 PM

Yes, normal mode worked.

However, when I checked loaded modules and rebooted, it started to update, then BSOD..... :{

Then I let it reboot again and it started up normally, other than MS Sec Ess did not work.

Ran the program again, checked loaded modules, rebooted, and BSOD again ...... : {

Now it's sitting at the desktop in normal mode. I've disabled my wireless connection....

Not touching anything else; waiting for your suggestion......


Edited by clueless00, 04 March 2013 - 11:04 PM.




