
Farbar Scan Output Help, Please.


  • This topic is locked
5 replies to this topic

#1 bill_borec

bill_borec

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:03 PM

Posted 06 March 2013 - 12:32 AM

Is someone available that can help me read the attached Farbar Scan Recovery Tool output?

The system is caught in a recovery loop...malware or corrupt HD?

Thanks!

Startup: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sid Registration.lnk
ShortcutTarget: Sid Registration.lnk ->  (No File)

Attached Files

  • Attached File  FRST.txt   21.74KB   8 downloads

Edited by nasdaq, 07 March 2013 - 08:40 AM.
Log pasted in the topic.




#2 bill_borec

bill_borec
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:03 PM

Posted 06 March 2013 - 11:23 AM

After reading a few other, similar posts, I see that there is a protocol to posting log files.
 
So, the following is the log file from the Farbar Scan:
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 04-03-2013 01
Ran by SYSTEM at 05-03-2013 20:19:29
Running from F:\
Windows 7 Home Premium   (X64) OS Language: English(US) 
The current controlset is ControlSet001
 
==================== Registry (Whitelisted) ===================
 
HKLM\...\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe" [1873256 2011-08-10] (Microsoft Corporation)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe" [356376 2013-01-22] (Kaspersky Lab ZAO)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Startup: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sid Registration.lnk
ShortcutTarget: Sid Registration.lnk ->  (No File)
 
==================== Services (Whitelisted) ===================
 
2 AVP; "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe" -r [356376 2013-01-22] (Kaspersky Lab ZAO)
2 WebOptimizer; C:\Windows\System32\dmwu.exe [1259888 2012-09-13] ()
 
==================== Drivers (Whitelisted) =====================
 
0 kl1; C:\Windows\System32\Drivers\kl1.sys [458584 2012-06-19] (Kaspersky Lab ZAO)
1 KLIF; C:\Windows\System32\Drivers\KLIF.sys [613720 2013-01-22] (Kaspersky Lab)
1 KLIM6; C:\Windows\System32\Drivers\KLIM6.sys [28504 2012-08-02] (Kaspersky Lab ZAO)
3 klkbdflt; C:\Windows\System32\Drivers\klkbdflt.sys [29016 2012-10-25] (Kaspersky Lab)
3 klmouflt; C:\Windows\System32\Drivers\klmouflt.sys [29528 2012-10-25] (Kaspersky Lab)
1 kltdi; C:\Windows\System32\Drivers\kltdi.sys [54104 2013-01-22] (Kaspersky Lab)
1 kneps; C:\Windows\System32\Drivers\kneps.sys [178008 2012-08-13] (Kaspersky Lab)
 
==================== NetSvcs (Whitelisted) ====================
 
 
==================== One Month Created Files and Folders ========
 
2013-02-28 16:00 - 2013-02-28 16:00 - 00262144 ____A C:\Windows\System32\config\elam
2013-02-28 16:00 - 2013-02-28 16:00 - 00010498 ____A C:\Windows\is-1AIMI.msg
2013-02-28 16:00 - 2013-02-28 16:00 - 00000309 ____A C:\Windows\is-1AIMI.lst
2013-02-27 23:57 - 2013-03-05 09:45 - 03928064 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2013-02-27 23:57 - 2013-01-13 13:17 - 00009728 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-02-27 23:57 - 2013-01-13 13:17 - 00002560 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-02-27 23:57 - 2013-01-13 13:16 - 00010752 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-02-27 23:57 - 2013-01-13 13:12 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-02-27 23:57 - 2013-01-13 13:11 - 00005632 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-02-27 23:57 - 2013-01-13 13:11 - 00005632 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-02-27 23:57 - 2013-01-13 13:11 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-02-27 23:57 - 2013-01-13 13:11 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll
2013-02-27 23:57 - 2013-01-13 13:11 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-02-27 23:57 - 2013-01-13 12:35 - 00010752 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-02-27 23:57 - 2013-01-13 12:35 - 00009728 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-02-27 23:57 - 2013-01-13 12:35 - 00002560 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-02-27 23:57 - 2013-01-13 12:32 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-02-27 23:57 - 2013-01-13 12:31 - 01247744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-02-27 23:57 - 2013-01-13 12:31 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-02-27 23:57 - 2013-01-13 12:31 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-02-27 23:57 - 2013-01-13 12:31 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-02-27 23:57 - 2013-01-13 12:31 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
2013-02-27 23:57 - 2013-01-13 12:31 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-02-27 23:57 - 2013-01-13 12:22 - 01988096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2013-02-27 23:57 - 2013-01-13 12:20 - 00293376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxgi.dll
2013-02-27 23:57 - 2013-01-13 12:09 - 00249856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1core.dll
2013-02-27 23:57 - 2013-01-13 12:08 - 01504768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
2013-02-27 23:57 - 2013-01-13 12:08 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10core.dll
2013-02-27 23:57 - 2013-01-13 11:59 - 01643520 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-02-27 23:57 - 2013-01-13 11:58 - 01175552 ____A (Microsoft Corporation) C:\Windows\System32\FntCache.dll
2013-02-27 23:57 - 2013-01-13 11:54 - 00604160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2013-02-27 23:57 - 2013-01-13 11:53 - 00207872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecsExt.dll
2013-02-27 23:57 - 2013-01-13 11:53 - 00187392 ____A (Microsoft Corporation) C:\Windows\SysWOW64\UIAnimation.dll
2013-02-27 23:57 - 2013-01-13 11:51 - 02565120 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2013-02-27 23:57 - 2013-01-13 11:49 - 00363008 ____A (Microsoft Corporation) C:\Windows\System32\dxgi.dll
2013-02-27 23:57 - 2013-01-13 11:48 - 00161792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1.dll
2013-02-27 23:57 - 2013-01-13 11:46 - 01080832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10.dll
2013-02-27 23:57 - 2013-01-13 11:43 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2013-02-27 23:57 - 2013-01-13 11:38 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2013-02-27 23:57 - 2013-01-13 11:38 - 00333312 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2013-02-27 23:57 - 2013-01-13 11:38 - 00296960 ____A (Microsoft Corporation) C:\Windows\System32\d3d10core.dll
2013-02-27 23:57 - 2013-01-13 11:37 - 03419136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll
2013-02-27 23:57 - 2013-01-13 11:25 - 00245248 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecsExt.dll
2013-02-27 23:57 - 2013-01-13 11:24 - 00648192 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2013-02-27 23:57 - 2013-01-13 11:24 - 00221184 ____A (Microsoft Corporation) C:\Windows\System32\UIAnimation.dll
2013-02-27 23:57 - 2013-01-13 11:20 - 01238528 ____A (Microsoft Corporation) C:\Windows\System32\d3d10.dll
2013-02-27 23:57 - 2013-01-13 11:20 - 00194560 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2013-02-27 23:57 - 2013-01-13 11:15 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-02-27 23:57 - 2013-01-13 11:02 - 00417792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
2013-02-27 23:57 - 2013-01-13 10:34 - 00364544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsGdiConverter.dll
2013-02-27 23:57 - 2013-01-13 10:32 - 00465920 ____A (Microsoft Corporation) C:\Windows\System32\WMPhoto.dll
2013-02-27 23:57 - 2013-01-13 10:09 - 00522752 ____A (Microsoft Corporation) C:\Windows\System32\XpsGdiConverter.dll
2013-02-27 23:57 - 2013-01-13 09:26 - 01158144 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsPrint.dll
2013-02-27 23:57 - 2013-01-13 09:05 - 01682432 ____A (Microsoft Corporation) C:\Windows\System32\XpsPrint.dll
2013-02-27 23:57 - 2013-01-03 22:11 - 02776576 ____A (Microsoft Corporation) C:\Windows\System32\msmpeg2vdec.dll
2013-02-27 23:57 - 2013-01-03 22:11 - 02284544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll
2013-02-13 22:48 - 2013-01-08 17:48 - 17812992 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-02-13 22:48 - 2013-01-08 17:22 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-02-13 22:48 - 2013-01-08 17:19 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-02-13 22:48 - 2013-01-08 17:12 - 01392128 ____A C:\Windows\System32\wininet.dll
2013-02-13 22:48 - 2013-01-08 17:12 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-02-13 22:48 - 2013-01-08 17:11 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-02-13 22:48 - 2013-01-08 17:10 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-02-13 22:48 - 2013-01-08 17:09 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-02-13 22:48 - 2013-01-08 17:07 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-02-13 22:48 - 2013-01-08 17:07 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-02-13 22:48 - 2013-01-08 17:07 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-02-13 22:48 - 2013-01-08 17:06 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-02-13 22:48 - 2013-01-08 17:05 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-02-13 22:48 - 2013-01-08 17:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-02-13 22:48 - 2013-01-08 17:04 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-02-13 22:48 - 2013-01-08 17:00 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-02-13 22:48 - 2013-01-08 14:23 - 12321280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-02-13 22:48 - 2013-01-08 14:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-02-13 22:48 - 2013-01-08 14:09 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-02-13 22:48 - 2013-01-08 14:03 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-02-13 22:48 - 2013-01-08 14:03 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-02-13 22:48 - 2013-01-08 14:03 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-02-13 22:48 - 2013-01-08 14:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-02-13 22:48 - 2013-01-08 14:00 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-02-13 22:48 - 2013-01-08 13:59 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-02-13 22:48 - 2013-01-08 13:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-02-13 22:48 - 2013-01-08 13:58 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-02-13 22:48 - 2013-01-08 13:57 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-02-13 22:48 - 2013-01-08 13:56 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-02-13 22:48 - 2013-01-08 13:56 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-02-13 22:48 - 2013-01-08 13:56 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-02-13 22:48 - 2013-01-08 13:53 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-02-13 13:35 - 2013-01-04 21:53 - 05553512 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-02-13 13:35 - 2013-01-04 21:00 - 03967848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-02-13 13:35 - 2013-01-04 21:00 - 03913064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-02-13 13:35 - 2013-01-03 21:46 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2013-02-13 13:35 - 2013-01-03 20:51 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-02-13 13:35 - 2013-01-03 19:26 - 03153408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-02-13 13:35 - 2013-01-03 18:47 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-02-13 13:35 - 2013-01-03 18:47 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-02-13 13:35 - 2013-01-03 18:47 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-02-13 13:35 - 2013-01-03 18:47 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-02-13 13:35 - 2013-01-02 22:00 - 01913192 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-02-13 13:35 - 2013-01-02 22:00 - 00288088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2013-02-06 10:19 - 2013-02-07 22:32 - 00000000 ____D C:\Users\Bill\Documents\TurboTax
2013-02-06 10:17 - 2013-02-06 10:17 - 00000000 ____D C:\Users\Bill\AppData\Local\IsolatedStorage
2013-02-06 10:16 - 2013-02-06 10:16 - 00000000 ____D C:\Users\Bill\AppData\Roaming\Intuit
2013-02-06 10:15 - 2013-02-12 17:43 - 00000469 ____A C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2013-02-06 10:15 - 2013-02-06 10:15 - 00002515 ____A C:\Users\Public\Desktop\TurboTax 2012.lnk
2013-02-06 10:13 - 2013-02-06 10:15 - 00000000 ____D C:\ProgramData\Intuit
2013-02-06 10:13 - 2013-02-06 10:13 - 00000000 ____D C:\Program Files (x86)\TurboTax
 
 
==================== One Month Modified Files and Folders =======
 
2013-03-05 19:59 - 2013-03-05 19:59 - 00000000 ____D C:\FRST
2013-03-05 09:50 - 2013-01-09 07:30 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2013-03-05 09:47 - 2013-01-09 07:30 - 02002432 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2013-03-05 09:45 - 2013-02-27 23:57 - 03928064 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2013-03-04 23:28 - 2012-06-22 18:56 - 01616560 ____A C:\Windows\WindowsUpdate.log
2013-03-04 22:59 - 2013-01-21 23:00 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2013-03-04 22:42 - 2012-06-26 16:02 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-03-04 22:39 - 2012-12-06 18:23 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-03-04 15:39 - 2012-12-06 18:23 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-03-04 14:44 - 2009-07-13 20:45 - 00013760 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-03-04 14:44 - 2009-07-13 20:45 - 00013760 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-03-04 14:43 - 2009-07-13 21:13 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI
2013-03-04 14:36 - 2012-11-18 03:02 - 00000000 ____D C:\ProgramData\NVIDIA
2013-03-04 14:36 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-03-04 14:36 - 2009-07-13 20:51 - 00036068 ____A C:\Windows\setupact.log
2013-02-28 22:40 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-02-28 16:02 - 2012-08-24 22:07 - 00000000 ____D C:\Program Files\Web Assistant
2013-02-28 16:00 - 2013-02-28 16:00 - 00262144 ____A C:\Windows\System32\config\elam
2013-02-28 16:00 - 2013-02-28 16:00 - 00010498 ____A C:\Windows\is-1AIMI.msg
2013-02-28 16:00 - 2013-02-28 16:00 - 00000309 ____A C:\Windows\is-1AIMI.lst
2013-02-28 14:39 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\zh-HK
2013-02-28 14:39 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\tr-TR
2013-02-28 14:39 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\zh-HK
2013-02-28 14:39 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\tr-TR
2013-02-26 15:42 - 2012-06-26 16:02 - 00691568 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-02-26 15:42 - 2012-06-26 16:02 - 00071024 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-02-22 21:40 - 2012-11-19 19:25 - 00000000 ____D C:\Program Files (x86)\StarCraft II
2013-02-22 14:40 - 2012-12-06 18:24 - 00002183 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-02-19 15:37 - 2012-10-12 14:33 - 00000000 ____D C:\Users\Bill\AppData\Local\Microsoft Games
2013-02-17 18:06 - 2012-06-25 19:17 - 00000000 ____D C:\Program Files (x86)\Diablo III
2013-02-14 17:55 - 2009-07-13 20:45 - 00501984 ____A C:\Windows\System32\FNTCACHE.DAT
2013-02-13 22:54 - 2012-06-23 06:13 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-02-13 22:52 - 2012-06-22 20:05 - 70004024 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-02-12 17:43 - 2013-02-06 10:15 - 00000469 ____A C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2013-02-08 15:38 - 2012-06-27 17:18 - 00000000 ____D C:\Users\Bill\AppData\Roaming\My Battle for Middle-earth Files
2013-02-07 22:32 - 2013-02-06 10:19 - 00000000 ____D C:\Users\Bill\Documents\TurboTax
2013-02-06 10:17 - 2013-02-06 10:17 - 00000000 ____D C:\Users\Bill\AppData\Local\IsolatedStorage
2013-02-06 10:17 - 2012-06-25 14:22 - 00144632 ____A C:\Users\Bill\AppData\Local\GDIPFONTCACHEV1.DAT
2013-02-06 10:16 - 2013-02-06 10:16 - 00000000 ____D C:\Users\Bill\AppData\Roaming\Intuit
2013-02-06 10:15 - 2013-02-06 10:15 - 00002515 ____A C:\Users\Public\Desktop\TurboTax 2012.lnk
2013-02-06 10:15 - 2013-02-06 10:13 - 00000000 ____D C:\ProgramData\Intuit
2013-02-06 10:13 - 2013-02-06 10:13 - 00000000 ____D C:\Program Files (x86)\TurboTax
 
 
==================== Known DLLs (Whitelisted) =================
 
[2013-02-13 22:48] - [2013-01-08 17:12] - 1392128 ____A () C:\Windows\System32\WININET.dll
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-02-25 20:53:25
Restore point made on: 2013-02-26 08:00:03
Restore point made on: 2013-02-27 23:57:36
 
==================== Memory info =========================== 
 
Percentage of memory in use: 15%
Total physical RAM: 4029.48 MB
Available physical RAM: 3418.4 MB
Total Pagefile: 4027.63 MB
Available Pagefile: 3406.41 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
 
==================== Partitions =============================
 
1 Drive c: () (Fixed) (Total:465.66 GB) (Free:375.14 GB) NTFS
3 Drive f: (LEXAR) (Fixed) (Total:0.24 GB) (Free:0.23 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B         
  Disk 1    Online          247 MB      0 B         
 
Partitions of Disk 0:
===============
 
Disk ID: BAA08BCB
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            100 MB  1024 KB
  Partition 2    Primary            465 GB   101 MB
 
==================================================================================
 
Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   System Rese  NTFS   Partition    100 MB  Healthy            
 
=========================================================
 
Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    465 GB  Healthy            
 
=========================================================
 
Partitions of Disk 1:
===============
 
Disk ID: 576D1FBC
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            247 MB    16 KB
 
==================================================================================
 
Disk: 1
Partition 1
Type  : 04
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     F   LEXAR        FAT    Partition    247 MB  Healthy            
 
=========================================================
 
Last Boot: 2013-02-23 12:21
 
==================== End Of Log =============================
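As an added triage helper (not part of this thread, and not FRST's own code), the following Python script walks an FRST log of the shape posted above and lists the loader entries a reviewer would look at first: Startup shortcuts whose target reports `(No File)` and Registry/Services/Drivers/Known DLLs entries whose publisher field is an empty `()`. The log embedded in it is a constructed excerpt in the same layout; a flagged entry only means it lacks vendor information, not that it is malicious.

```python
"""Triage helper for FRST-style logs (added example; not from the thread or from FRST).
FRST prints one loader entry per line ending in "[size yyyy-mm-dd] (Publisher)";
an empty "()" means no publisher/version information was found, and a Startup
shortcut whose target is gone is reported as "-> (No File)". Such entries are
not malicious by themselves, but they are the ones a reviewer checks first."""
import re
from dataclasses import dataclass

# Only loader-type sections are triaged; the one-month file listings contain
# many legitimate entries without a publisher and would drown the result.
LOADER_SECTIONS = {
    "Registry (Whitelisted)", "Services (Whitelisted)", "Drivers (Whitelisted)",
    "NetSvcs (Whitelisted)", "Known DLLs (Whitelisted)",
}
SECTION_RE = re.compile(r"^=+ (.+?) =+\s*$")
# Registry/Services/Drivers lines: "<prefix> <path> [args] [size yyyy-mm-dd] (Publisher)"
TRAILER_RE = re.compile(
    r"^(?P<head>.*?)\s*\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<pub>.*)\)\s*$")
# Known DLLs lines: "[created] - [modified] - size attrs (Publisher) path"
KNOWNDLL_RE = re.compile(
    r"^\[.*?\] - \[.*?\] - (?P<size>\d+) \S+ \((?P<pub>.*?)\) (?P<path>.+?)\s*$")

# Constructed sample in the same layout as the log posted above.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe" [1873256 2011-08-10] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Startup: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sid Registration.lnk
ShortcutTarget: Sid Registration.lnk ->  (No File)
==================== Services (Whitelisted) ===================
2 AVP; "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe" -r [356376 2013-01-22] (Kaspersky Lab ZAO)
2 WebOptimizer; C:\Windows\System32\dmwu.exe [1259888 2012-09-13] ()
==================== Known DLLs (Whitelisted) =================
[2013-02-13 22:48] - [2013-01-08 17:12] - 1392128 ____A () C:\Windows\System32\WININET.dll
==================== One Month Created Files and Folders ========
2013-02-28 16:00 - 2013-02-28 16:00 - 00010498 ____A C:\Windows\is-1AIMI.msg
"""

@dataclass
class Finding:
    section: str
    path: str
    reason: str

def _path_of(head: str) -> str:
    """Extract the file path from the part of a line before the [size date] trailer."""
    quoted = re.search(r'"([^"]+)"', head)
    if quoted:
        return quoted.group(1)
    bare = re.search(r"[A-Za-z]:\\.*", head)
    return bare.group(0).strip() if bare else head.strip()

def triage(log_text: str) -> list:
    """Return loader entries that lack a publisher or point to a missing file."""
    findings, section = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).strip()
            continue
        if not line or section not in LOADER_SECTIONS:
            continue
        if line.startswith("ShortcutTarget:") and "(No File)" in line:
            lnk = line.split("ShortcutTarget:", 1)[1].split("->", 1)[0].strip()
            findings.append(Finding(section, lnk, "startup shortcut points to a missing file"))
            continue
        if section.startswith("Known DLLs"):
            m = KNOWNDLL_RE.match(line)
            path = m.group("path") if m else None
        else:
            m = TRAILER_RE.match(line)
            path = _path_of(m.group("head")) if m else None
        if m and m.group("pub").strip() == "":
            findings.append(Finding(section, path, "no publisher/version information"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:24} {f.reason:42} {f.path}")
```

Run it against a full FRST.txt by reading the file into `triage()`; entries in the file-listing sections are deliberately ignored.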


#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,749 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:03 PM

Posted 07 March 2013 - 08:43 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
 
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
IMPORTANT !!! Save ComboFix.exe to your Desktop
 
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.
 
How to : Disable Anti-virus and Firewall...
 
Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.
 
Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
 
Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===
 
Third-party programs, if not up to date, can be the cause of infiltration and infection.
 
Please run this security check for my review.
 
Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===
 
Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.
 
Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Delete tab and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
 
Please post the logs and let me know what is the problem with this computer.


#4 bill_borec

bill_borec
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:03 PM

Posted 11 March 2013 - 11:42 AM

Nasdaq,

 

Thank you for the response.  However, I resolved the problem by purchasing a new hard drive (I didn't see any red flags in the Farbar Scan, so I suspected the HDD) and doing a fresh install on the new drive.  The old drive has now been formatted and set as a second drive in the machine.

 

Thank you again for your response.  This item can be closed/resolved.



#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,749 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:03 PM

Posted 12 March 2013 - 07:09 AM

Thank you for the feedback.



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,749 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:03 PM

Posted 12 March 2013 - 07:09 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



