
Unable to open exe program files in Win 7


  • This topic is locked
48 replies to this topic

#1 Ed III

Ed III

  • Members
  • 56 posts
  • Gender:Male
  • Location:Scottsdale

Posted 11 June 2013 - 10:51 PM

Gary,

 

I followed the Prep Guide at step 6. Since I cannot connect the ASUS Laptop to the internet, I downloaded the dds.com file on my clean computer and saved it onto a Flash drive and then copied it to the ASUS Laptop desktop. I double clicked on the Desktop icon, got a "User Account Control" window which said, "Do you want to allow the following program from an unknown publisher to make changes to this computer?" and I clicked yes, and it appeared to start for two seconds with the rotating blue arrow around the cursor; however, it never ran, loaded the option screen (DDS: Settings) nor produced the small black screen. As a result, no DDS.txt or Attach.txt files were created.

Prior to this, I had tried to run Malwares as a com file and it failed also. In fact, I tried to run Malwares in all the chameleon forms and none ran.

The issue with the computer is that other than certain system tool exe files, like regedit, chkdsk, file manager, defrag, and the like, no other file can be opened. I even tried a flash drive boot start of Hitman Pro Kickstart and it would not run.

The computer is an ASUS G60vx, Win 7 64 bit OS.

 

Link, if I did it right, is:  www.bleepingcomputer.com/forums/t/497533/unable-to-open-exe-program-files-in-win-7/

 

Ed Sterling, He's my Savior also


#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,033 posts
  • Gender:Male
  • Location:California

Posted 13 June 2013 - 09:37 PM

Greetings Ed and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, use the Reply to topic button instead.
  • In the upper right hand corner of the topic you will see the Follow topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please run this program for me.

===================================================

Farbar's Recovery Scan Tool

--------------------

For this step you will need a USB flash drive and start on a clean computer.
  • Please download Farbar Recovery Scan Tool and save it to a flash drive. You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Plug the flash drive into the infected PC and follow the 2 step process below: enter the System Recovery Options using one of the three options listed, then run Farbar's Recovery Scan Tool.
----------

Entering into the System Recovery Options

Option #1

To enter System Recovery Options in Windows 8:

Option #2

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Option #3

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
----------

Running Farbar's Recovery Scan Tool in System Recovery
  • Once you are in the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in Notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select Computer and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:
  • FRST log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Ed III

Ed III
  • Topic Starter

  • Members
  • 56 posts
  • Gender:Male
  • Location:Scottsdale

Posted 13 June 2013 - 10:59 PM

Gary, OK. I was able to run the program per the instructions and here is the text file with the info, Ed Sterling

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-06-2013
Ran by SYSTEM on 14-06-2013 04:52:43
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-20] (Synaptics Incorporated)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-30] (Adobe Systems Incorporated)
HKLM-x32\...\RunOnce: [SpybotSnD] "C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe" /autocheck [5365592 2009-01-26] (Safer Networking Limited)
HKLM-x32\...\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [218408 2008-12-03] (CyberLink Corp.)
HKLM-x32\...\Run: [CinemaNowMediaManagerApp] C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe -start [2088296 2009-06-11] (CinemaNow Inc.)
HKLM-x32\...\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe [159744 2009-04-20] (ASUS)
HKLM-x32\...\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe [8493624 2009-07-07] (ASUS)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-03-17] (Apple Inc.)
HKLM-x32\...\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup [103768 2009-10-26] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [406992 2010-02-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [UVS10 Preload] C:\Program Files (x86)\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe [36864 2006-08-09] (Ulead Systems, Inc.)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BambooCore] C:\Program Files (x86)\Bamboo Dock\BambooCore.exe [646744 2012-12-16] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\Owner\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\Owner\...\Run: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent [x]
HKU\Owner\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1631144 2013-04-19] (Valve Corporation)
HKU\Owner\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [3883856 2009-07-26] (Microsoft Corporation)
HKU\Owner\...\Run: [RGSC] G:\Backup\Program Files\Rockstar Games Social Club\RGSCLauncher.exe /silent [x]
HKU\Owner\...\Run: [] C:\Users\Owner\AppData\Roaming\abc.exe [x]
HKU\Owner\...\Run: [AdobeBridge]  [x]
HKU\Owner\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3673728 2012-11-06] (DT Soft Ltd)
HKU\Owner\...\Run: [freeklogger.exe] C:\Program Files (x86)\Keylogger\FK_Monitor\freeklogger.exe [794624 2011-10-12] ()
Startup: C:\ProgramData\Start Menu\Programs\Startup\FancyStart daemon.lnk
ShortcutTarget: FancyStart daemon.lnk -> C:\Windows\Installer\{F0DF4513-3C4C-4EB8-8012-2C5F70AF3988}\_A1DDD39913A1970387B7B3.exe ()
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Seagate NA06488V ??.lnk
ShortcutTarget: Seagate NA06488V ??.lnk ->  (No File)
BootExecute: autocheck autochk * lsdelete

==================== Services (Whitelisted) =================

S2 Adobe Licensing Console; C:\Windows\SysWOW64\adbcnsl.exe [689492 2012-06-10] (                                                                                                    )
S2 ATKGFNEXSrv; C:\Program Files\ATKGFNEX\GFNEXSrv.exe [94208 2007-08-07] ()
S2 FastBootAgent; C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe [306232 2009-07-23] (ASUSTeK Computer Inc.)
S3 Lavasoft Ad-Aware Service; C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [1181328 2011-04-18] (Lavasoft)
S3 Macromedia Licensing Service; C:\Program Files (x86)\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [68096 2011-06-14] ()
S2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
S2 StkSSrv; C:\Windows\System32\StkCSrv.exe [24576 2007-02-12] (Syntek America Inc.)
S2 mi-raysat_3dsmax9_32; "C:\Program Files (x86)\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe" [x]

==================== Drivers (Whitelisted) ====================

S2 ASMMAP64; C:\Program Files\ATKGFNEX\ASMMAP64.sys [14904 2007-07-24] ()
S2 ASMMAP64; C:\Program Files\ATKGFNEX\ASMMAP64.sys [14904 2007-07-24] ()
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-12-07] (DT Soft Ltd)
S3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [15416 2009-07-20] ( )
S0 Lbd; C:\Windows\System32\DRIVERS\Lbd.sys [69152 2009-12-14] (Lavasoft AB)
S3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1799680 2009-05-20] ()
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [564824 2012-11-16] (Duplex Secure Ltd.)
S3 StkCMini; C:\Windows\System32\Drivers\StkCMini.sys [632704 2007-06-28] (Syntek)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
S3 tmlwf;
S3 tmwfp;
S3 WacHidRouter; system32\DRIVERS\wachidrouter.sys [x]
S3 wacomrouterfilter; system32\DRIVERS\wacomrouterfilter.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-14 04:52 - 2013-06-14 04:52 - 00000000 ____D C:\FRST
2013-06-11 19:18 - 2013-06-11 10:42 - 00688992 ____A (Swearware) C:\Users\Owner\Desktop\dds.com
2013-06-10 11:31 - 2013-06-10 11:31 - 00000000 ____D C:\Users\Owner\AppData\Local\Apps\2.0
2013-06-10 10:39 - 2013-06-10 02:20 - 00001398 ____A C:\Users\Owner\Downloads\com_fix_w7.reg
2013-06-10 10:31 - 2013-06-10 10:31 - 100417446 ____A C:\Users\Owner\Desktop\backup.reg
2013-06-08 18:33 - 2013-06-13 19:41 - 00000952 ____A C:\Windows\setupact.log
2013-06-08 18:33 - 2013-06-08 18:33 - 00000000 ____A C:\Windows\setuperr.log
2013-06-08 08:59 - 2013-06-08 08:59 - 00009992 ____N C:\bootsqm.dat
2013-06-06 14:59 - 2013-06-06 06:55 - 00005828 ____A C:\Users\Owner\Downloads\Default_EXE.reg
2013-06-06 14:03 - 2013-06-06 06:01 - 00001823 ____A C:\Users\Owner\Downloads\exe_fix_w7.reg
2013-06-06 13:16 - 2013-05-14 05:12 - 25657248 ____A (SUPERAntiSpyware.com) C:\Users\Owner\Downloads\SUPERAntiSpyware.exe
2013-06-05 21:00 - 2013-06-05 21:00 - 00000000 ____D C:\Windows\Sun
2013-06-04 11:23 - 2013-06-06 12:35 - 00000000 ____D C:\found.000
2013-06-04 00:30 - 2013-06-04 14:25 - 00000265 ____A C:\Users\Owner\Desktop\possible names for edward.txt
2013-06-03 09:42 - 2013-06-03 09:42 - 00000000 ____D C:\Program Files (x86)\Microsoft DirectX SDK (June 2010)
2013-06-03 09:32 - 2013-06-03 09:32 - 00000000 ____D C:\Program Files (x86)\For BSA extraction
2013-06-01 12:26 - 2013-06-01 12:26 - 00000000 ____D C:\Program Files\BreakPoint Software
2013-05-30 08:45 - 2013-05-30 09:33 - 00000000 ____D C:\Users\Owner\Downloads\KH models I dont know why I have these
2013-05-19 21:35 - 2013-05-19 21:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified Files and Folders =======

2013-06-14 04:52 - 2013-06-14 04:52 - 00000000 ____D C:\FRST
2013-06-13 19:42 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-13 19:41 - 2013-06-08 18:33 - 00000952 ____A C:\Windows\setupact.log
2013-06-13 19:41 - 2009-07-13 20:45 - 05234720 ____A C:\Windows\System32\FNTCACHE.DAT
2013-06-11 20:06 - 2012-08-28 17:04 - 01096804 ____A C:\Windows\WindowsUpdate.log
2013-06-11 19:53 - 2012-12-21 01:00 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-11 19:20 - 2009-07-13 20:45 - 00010240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-11 19:20 - 2009-07-13 20:45 - 00010240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-11 19:19 - 2009-07-13 21:13 - 00792550 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-11 10:42 - 2013-06-11 19:18 - 00688992 ____A (Swearware) C:\Users\Owner\Desktop\dds.com
2013-06-10 11:31 - 2013-06-10 11:31 - 00000000 ____D C:\Users\Owner\AppData\Local\Apps\2.0
2013-06-10 10:46 - 2009-09-23 12:11 - 00002384 ____A C:\Windows\System32\AutoRunFilter.ini
2013-06-10 10:31 - 2013-06-10 10:31 - 100417446 ____A C:\Users\Owner\Desktop\backup.reg
2013-06-10 02:20 - 2013-06-10 10:39 - 00001398 ____A C:\Users\Owner\Downloads\com_fix_w7.reg
2013-06-08 21:13 - 2009-12-14 07:58 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-06-08 19:24 - 2010-01-06 18:34 - 00045056 ____A C:\Windows\System32\acovcnt.exe
2013-06-08 18:36 - 2009-07-28 22:03 - 00000000 ____D C:\Windows\Panther
2013-06-08 18:33 - 2013-06-08 18:33 - 00000000 ____A C:\Windows\setuperr.log
2013-06-08 14:20 - 2012-04-10 11:17 - 00000000 ____D C:\Users\Owner\AppData\Roaming\uTorrent
2013-06-08 14:20 - 2009-12-18 20:00 - 00000000 ____D C:\Users\Owner\AppData\Roaming\BitTorrent
2013-06-08 14:20 - 2009-12-14 08:16 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-06-08 08:59 - 2013-06-08 08:59 - 00009992 ____N C:\bootsqm.dat
2013-06-07 12:16 - 2009-07-13 21:08 - 00032586 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-06-06 13:14 - 2009-11-01 20:24 - 00000000 ____D C:\users\Owner
2013-06-06 12:35 - 2013-06-04 11:23 - 00000000 ____D C:\found.000
2013-06-06 12:35 - 2012-07-18 00:27 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-06-06 12:35 - 2011-07-26 19:28 - 00000000 ____D C:\ProgramData\Ulead Systems
2013-06-06 12:35 - 2010-02-10 07:48 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-06-06 12:35 - 2010-01-08 15:23 - 00000000 ____D C:\Program Files (x86)\Steam
2013-06-06 12:35 - 2009-12-31 23:58 - 00000000 ____D C:\ProgramData\FLEXnet
2013-06-06 12:35 - 2009-09-23 12:10 - 00000000 ____D C:\ProgramData\NVIDIA
2013-06-06 12:35 - 2009-09-23 12:05 - 00000000 ____D C:\ProgramData\P4G
2013-06-06 12:35 - 2009-09-23 11:53 - 00000000 ____D C:\ProgramData\CinemaNow
2013-06-06 12:35 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-06-06 12:35 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-06-06 12:34 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-06-06 12:33 - 2011-04-30 16:12 - 00000000 ____D C:\Users\Owner\Downloads\mod backups
2013-06-06 12:33 - 2010-02-10 07:48 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Skype
2013-06-06 12:33 - 2010-02-10 07:48 - 00000000 ____D C:\ProgramData\Skype
2013-06-06 12:33 - 2009-12-20 20:56 - 00000000 ____D C:\Users\Owner\AppData\Roaming\DAEMON Tools Lite
2013-06-06 12:06 - 2010-01-31 00:59 - 00000000 ____D C:\Users\Owner\Tracing
2013-06-06 11:28 - 2010-10-08 12:37 - 00034701 ____A C:\aaw7boot.log
2013-06-06 06:55 - 2013-06-06 14:59 - 00005828 ____A C:\Users\Owner\Downloads\Default_EXE.reg
2013-06-06 06:01 - 2013-06-06 14:03 - 00001823 ____A C:\Users\Owner\Downloads\exe_fix_w7.reg
2013-06-05 21:00 - 2013-06-05 21:00 - 00000000 ____D C:\Windows\Sun
2013-06-04 14:25 - 2013-06-04 00:30 - 00000265 ____A C:\Users\Owner\Desktop\possible names for edward.txt
2013-06-04 03:05 - 2012-08-27 23:54 - 00003118 ____A C:\Users\Owner\Desktop\for when I restart my computer.txt
2013-06-03 16:43 - 2010-12-04 12:34 - 00002549 ____A C:\Users\Owner\Downloads\Music to look up.txt
2013-06-03 09:42 - 2013-06-03 09:42 - 00000000 ____D C:\Program Files (x86)\Microsoft DirectX SDK (June 2010)
2013-06-03 09:32 - 2013-06-03 09:32 - 00000000 ____D C:\Program Files (x86)\For BSA extraction
2013-06-03 08:18 - 2011-11-11 19:29 - 00000000 ____D C:\Users\Owner\AppData\Local\Skyrim
2013-06-02 06:11 - 2013-03-24 00:51 - 00000000 ____D C:\Users\Owner\Downloads\torrents to... well, torrent
2013-06-01 12:26 - 2013-06-01 12:26 - 00000000 ____D C:\Program Files\BreakPoint Software
2013-05-30 09:33 - 2013-05-30 08:45 - 00000000 ____D C:\Users\Owner\Downloads\KH models I dont know why I have these
2013-05-23 04:14 - 2012-07-14 09:30 - 00001048 ____A C:\Users\Public\Desktop\YTD Video Downloader.lnk
2013-05-23 04:14 - 2012-07-14 09:30 - 00000000 ____D C:\ProgramData\YTD Video Downloader
2013-05-21 06:57 - 2013-04-15 01:55 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox.bak
2013-05-19 21:35 - 2013-05-19 21:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-05-19 18:41 - 2009-07-13 18:34 - 00000499 ____A C:\Windows\win.ini
2013-05-19 18:36 - 2009-11-07 09:35 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-05-19 18:33 - 2012-06-11 22:40 - 00000031 ____A C:\Windows\SysWOW64\deck.ini
2013-05-19 07:19 - 2013-04-15 01:35 - 00000000 ____D C:\Program Files (x86)\Yontoo
2013-05-19 06:38 - 2012-11-22 19:53 - 00000000 ___RD C:\Users\Owner\Dropbox
2013-05-19 06:38 - 2012-11-22 19:45 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Dropbox
2013-05-18 21:14 - 2012-05-01 01:02 - 00000000 ____D C:\Users\Owner\Documents\Camtasia Studio
2013-05-18 21:14 - 2010-08-30 22:55 - 00035840 ____A C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-05-18 10:29 - 2012-01-26 22:57 - 00000000 ____D C:\Users\Owner\AppData\Roaming\dvdcss
2013-05-15 08:53 - 2012-12-21 01:00 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-05-15 08:53 - 2011-05-25 23:26 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-06-08 14:25:20
Restore point made on: 2013-06-08 21:16:28
Restore point made on: 2013-06-10 12:18:06
Restore point made on: 2013-06-11 20:04:32

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 4095.24 MB
Available physical RAM: 3485.68 MB
Total Pagefile: 4093.39 MB
Available Pagefile: 3476.49 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:283.44 GB) (Free:54.67 GB) NTFS (Disk=0 Partition=2) ==>[Drive with boot components (obtained from BCD)]
Drive e: (STORE N GO) (Removable) (Total:1.86 GB) (Free:1.86 GB) FAT (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298 GB) (Disk ID: D9B3496E)
Partition 1: (Not Active) - (Size=15 GB) - (Type=1C)
Partition 2: (Active) - (Size=283 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 62C94620)
Partition 1: (Not Active) - (Size=2 GB) - (Type=0E)

LastRegBack: 2013-06-10 11:11

==================== End Of Log ============================
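The log above is what a responder reads next. As an added example that is not part of this thread and not FRST's own code, the following Python script parses FRST's "Registry (Whitelisted)" autostart lines and its "EXE ASSOCIATION" section and flags the entries a responder looks at first: orphaned `[x]` targets, unnamed values, entries with no publisher, executables launched from the user profile, and a non-stock exefile command. The sample lines are copied from the log above; the hijacked association line is constructed for illustration.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) logs.

Added example: not part of this thread and not FRST's own code. It parses the
"Registry (Whitelisted)" autostart lines and the "EXE ASSOCIATION" section of
an FRST.txt and flags what a responder looks at first. Sample lines are copied
from the log posted above, except the one marked as constructed.
"""
import re
from typing import Dict, List

# Autostart line, e.g.
#   HKLM-x32\...\Run: [QuickTime Task] "C:\...\QTTask.exe" -atboottime [421888 2010-03-17] (Apple Inc.)
#   HKU\Owner\...\Run: [] C:\Users\Owner\AppData\Roaming\abc.exe [x]    <- "[x]": file not found
RUN_RE = re.compile(
    r"^(?P<hive>HK\S*?)\\\.\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\]\s*"
    r"(?P<command>.*?)\s*"
    r"(?:\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\]\s*\((?P<publisher>[^)]*)\)"
    r"|\[(?P<missing>x)\])\s*$"
)

# EXE ASSOCIATION line, e.g.  HKLM\...\exefile\open\command: "%1" %* => OK
ASSOC_RE = re.compile(r"^HKLM\\\.\.\.\\(?P<key>[^:]+): (?P<value>.*?) => (?P<status>.+)$")

# Stock values for the three keys FRST reports. Anything else means every
# double-clicked .exe is handed to some other program first, one classic reason
# "no .exe will open" while regedit and other system tools still do.
EXPECTED_ASSOC = {
    ".exe": "exefile",
    r"exefile\DefaultIcon": "%1",
    r"exefile\open\command": '"%1" %*',
}

USER_PROFILE_MARKERS = ("\\users\\", "\\appdata\\")
SUSPECT_KEYWORDS = ("keylog",)   # the log above has a Keylogger\FK_Monitor entry


def triage_autostarts(lines: List[str]) -> List[dict]:
    """One record per parsed autostart line; 'flags' lists reasons to look closer."""
    findings = []
    for line in lines:
        m = RUN_RE.match(line.strip())
        if not m:
            continue              # services, drivers, section headers: skipped
        cmd_lc = m["command"].lower()
        flags = []
        if m["missing"]:
            flags.append("target file missing (orphaned or deleted autostart)")
        if not m["name"]:
            flags.append("unnamed value")
        if m["publisher"] is not None and not m["publisher"].strip():
            flags.append("no publisher information")
        if any(mark in cmd_lc for mark in USER_PROFILE_MARKERS):
            flags.append("launches from a user profile directory")
        if any(word in cmd_lc for word in SUSPECT_KEYWORDS):
            flags.append("monitoring-software keyword in path")
        findings.append({"hive": m["hive"], "name": m["name"],
                         "command": m["command"], "flags": flags})
    return findings


def check_exe_association(lines: List[str]) -> Dict[str, bool]:
    """Map each association key FRST reports to True if it still has the stock value."""
    result = {}
    for line in lines:
        m = ASSOC_RE.match(line.strip())
        if m and m["key"] in EXPECTED_ASSOC:
            result[m["key"]] = m["value"] == EXPECTED_ASSOC[m["key"]]
    return result


# Sample input copied from the FRST.txt posted above.
SAMPLE_RUN_LINES = r"""
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-20] (Synaptics Incorporated)
HKLM-x32\...\Run: []  [x]
HKU\Owner\...\Run: [] C:\Users\Owner\AppData\Roaming\abc.exe [x]
HKU\Owner\...\Run: [freeklogger.exe] C:\Program Files (x86)\Keylogger\FK_Monitor\freeklogger.exe [794624 2011-10-12] ()
HKU\Owner\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1631144 2013-04-19] (Valve Corporation)
""".strip().splitlines()

SAMPLE_ASSOC_LINES = r"""
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
""".strip().splitlines()

# Constructed, not from the log: what a hijacked open\command would look like.
CONSTRUCTED_HIJACKED_ASSOC = [
    r'HKLM\...\exefile\open\command: "C:\Users\Owner\AppData\Roaming\abc.exe" "%1" %* => constructed',
]

if __name__ == "__main__":
    for rec in triage_autostarts(SAMPLE_RUN_LINES):
        print(("!! " if rec["flags"] else "ok ") + f'{rec["hive"]} [{rec["name"]}] {rec["command"]}')
        for flag in rec["flags"]:
            print("      -", flag)
    print("exefile association:", check_exe_association(SAMPLE_ASSOC_LINES))
    print("constructed hijack:  ", check_exe_association(CONSTRUCTED_HIJACKED_ASSOC))
```

Run against a full FRST.txt by feeding it the file's lines; only lines in the two formats above are parsed, everything else is ignored.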


#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,033 posts
  • Gender:Male
  • Location:California

Posted 14 June 2013 - 10:14 AM

Greetings my brother,  :thumbup2:

Thank you for posting the information.

Can you tell me if you are aware of the presence of Freeklogger on your computer?

We need to fix a few things. Please do this for me.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
HKLM-x32\...\Run: []  [x]
HKU\Owner\...\Run: [] C:\Users\Owner\AppData\Roaming\abc.exe [x]
HKU\Owner\...\Run: [AdobeBridge]  [x]
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Seagate NA06488V ??.lnk
ShortcutTarget: Seagate NA06488V ??.lnk ->  (No File)
S3 tmlwf;
S3 tmwfp;
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up) and select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt) please post it to your reply.
  • Please attempt to boot your computer into Normal Mode and run DDS again
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog.txt
  • DDS?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 Ed III

Ed III
  • Topic Starter

  • Members
  • 56 posts
  • Gender:Male
  • Location:Scottsdale

Posted 14 June 2013 - 12:13 PM

Gary, here are the results. I ran FRST fix and the log is below. I tried to run DDS and it did not run. I double clicked on the Desktop icon, got a "User Account Control" window which said, "Do you want to allow the following program from an unknown publisher to make changes to this computer?" and I clicked yes, and it appeared to start for two seconds with the rotating blue arrow around the cursor; however, it never ran, loaded the option screen (DDS: Settings) nor produced the small black screen. As a result, no DDS.txt or Attach.txt files were created.

 

I asked my son about Freeklogger and he added this himself; he indicated that if it needs to be removed as a problem then we can.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-06-2013
Ran by SYSTEM at 2013-06-14 17:52:19 Run:1
Running from E:\
Boot Mode: Recovery
==============================================

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKU\Owner\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKU\Owner\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => Value deleted successfully.
ShortcutTarget: Dropbox.lnk ->  (No File) not found.
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Seagate NA06488V ??.lnk => Moved successfully.
ShortcutTarget: Seagate NA06488V ??.lnk ->  (No File) not found.
S3 tmlwf; => Service not found.
S3 tmwfp; => Service not found.

==== End of Fixlog ====


#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,033 posts
  • Gender:Male
  • Location:California

Posted 14 June 2013 - 12:56 PM

Hi Ed,

Let's see if we can get this program to run.

===================================================

Run Combofix in Vista/7

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.

sUBs, the author of Combofix, recommends that you uninstall AVG or CA Internet Security before running the program. If you have either of these programs on your computer please uninstall them using AppRemover which can be downloaded here. We will be sure to reinstall the Antivirus program once we are finished using Combofix.
  • Please download ComboFix from one of these locations:

BleepingComputer
ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouseclick while the program is running or it may stall.
Note #1: Often times it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.
  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue

If Combofix fails to run properly using the above instructions please attempt the following:
  • Right click on the Combofix icon on your desktop and select Delete
  • Download a new copy but rename it to freshcopy.exe first, then save it to your desktop
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Right click on RKill (or iExplore) and select Run as Administrator. If you are using Windows XP simply double click the icon
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
  • Double click the freshcopy.exe icon (renamed Combofix file)
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again. If you uninstalled it please wait for instructions to reinstall it
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Combofix log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 Ed III


Posted 14 June 2013 - 05:48 PM

Well I tried my hardest, but neither program ran (the computer will not run exe files except core services). I tried ComboFix first from the Desktop and no dialogue box came up, and a look at Task Manager showed no activity in the suggested areas to look in. Then I tried RKill, and when it was run as admin a black Windows box came up, but stayed there for about 15 seconds or a little longer and then disappeared with no other activity by the program. A check of Task Manager verified this.

And FYI, I am having to download all these files to a flash drive and copy them to the infected computer's desktop, as it will not connect to the internet nor open any browser.


Ed



#8 Oh My!


Posted 14 June 2013 - 06:03 PM

Hi Ed,

 

Please redownload Combofix but this time I would like you to right click on the link, select Save As, and save the file as winlogon.exe.  Then transfer it to your desktop and attempt to run it.


Gary
 

#9 Ed III


Posted 14 June 2013 - 06:46 PM

Gary, it did not run.

Now I stayed in Safe Mode, maybe I should not have? I double clicked and the Task Manager showed winlogon.exe *32 for about 10 seconds with a memory count of about 708 k with no indicated CPU usage. Then it dropped off the processes list.

Here are the processes that are running, just in case it may be helpful:

csrss
csrss
ctfmon
dllhost
explorer
lsass
lsm
services
smss
svchost (repeated five times)
System
Idle
taskmanager
wininit
winlogon
WmiPrvSE

Ed

 



#10 Oh My!


Posted 14 June 2013 - 07:16 PM

Hi Ed,

OK, thanks for trying. Please do these 3 things for me. I am going to have you try to run FRST in Normal Mode to fix an entry. Toggle between your clean and infected computers as necessary.

===================================================

Farbar Recovery Scan Tool (FRST) in Normal or Safe Mode

--------------------
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
C:\Users\Owner\AppData\Roaming\abc.exe
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

RogueKiller by Tigzy

--------------------
  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • For Vista/7 users right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • When prompted, Click Scan
  • When the Status box shows Scan Finished click Delete
  • Click Report
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply
===================================================

OTL

--------------------
  • Please download OTL and save it to your desktop
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Copy and paste the two reports in your next reply.

OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized


===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • FRST log
  • RogueKiller log
  • OTL log
  • Extra log
  • Check your computer performance for changes

Edited by Oh My, 14 June 2013 - 07:18 PM.

Gary
 

#11 Ed III


Posted 14 June 2013 - 07:56 PM

Gary, are you having fun yet? Only FRST ran, and the log is attached below. I tried all the available tricks for RogueKiller and OTL with no results.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-06-2013
Ran by Owner at 2013-06-15 01:27:45 Run:2
Running from C:\Users\Owner\Desktop
Boot Mode: Normal
==============================================

C:\Users\Owner\AppData\Roaming\abc.exe => File/Directory not found.

==== End of Fixlog ====

Ed

 



#12 Oh My!


Posted 14 June 2013 - 08:12 PM

Having a ball!

Let's go back and run another FRST scan from the Recovery Environment like we did in Post #2.  I want to double check that before we start digging deep into your computer.


Gary
 

#13 Ed III


Posted 14 June 2013 - 08:46 PM

OK, reran FRST as in post two; the log is below. Ed:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-06-2013
Ran by SYSTEM on 15-06-2013 02:42:42
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-20] (Synaptics Incorporated)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-30] (Adobe Systems Incorporated)
HKLM-x32\...\RunOnce: [SpybotSnD] "C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe" /autocheck [5365592 2009-01-26] (Safer Networking Limited)
HKLM-x32\...\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [218408 2008-12-03] (CyberLink Corp.)
HKLM-x32\...\Run: [CinemaNowMediaManagerApp] C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe -start [2088296 2009-06-11] (CinemaNow Inc.)
HKLM-x32\...\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe [159744 2009-04-20] (ASUS)
HKLM-x32\...\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe [8493624 2009-07-07] (ASUS)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-03-17] (Apple Inc.)
HKLM-x32\...\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup [103768 2009-10-26] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [406992 2010-02-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [UVS10 Preload] C:\Program Files (x86)\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe [36864 2006-08-09] (Ulead Systems, Inc.)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM-x32\...\Run: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BambooCore] C:\Program Files (x86)\Bamboo Dock\BambooCore.exe [646744 2012-12-16] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\Owner\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\Owner\...\Run: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent [x]
HKU\Owner\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1631144 2013-04-19] (Valve Corporation)
HKU\Owner\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [3883856 2009-07-26] (Microsoft Corporation)
HKU\Owner\...\Run: [RGSC] G:\Backup\Program Files\Rockstar Games Social Club\RGSCLauncher.exe /silent [x]
HKU\Owner\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3673728 2012-11-06] (DT Soft Ltd)
HKU\Owner\...\Run: [freeklogger.exe] C:\Program Files (x86)\Keylogger\FK_Monitor\freeklogger.exe [794624 2011-10-12] ()
Startup: C:\ProgramData\Start Menu\Programs\Startup\FancyStart daemon.lnk
ShortcutTarget: FancyStart daemon.lnk -> C:\Windows\Installer\{F0DF4513-3C4C-4EB8-8012-2C5F70AF3988}\_A1DDD39913A1970387B7B3.exe ()
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
BootExecute: autocheck autochk * lsdelete

==================== Services (Whitelisted) =================

S2 Adobe Licensing Console; C:\Windows\SysWOW64\adbcnsl.exe [689492 2012-06-10] (                                                                                                    )
S2 ATKGFNEXSrv; C:\Program Files\ATKGFNEX\GFNEXSrv.exe [94208 2007-08-07] ()
S2 FastBootAgent; C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe [306232 2009-07-23] (ASUSTeK Computer Inc.)
S3 Lavasoft Ad-Aware Service; C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [1181328 2011-04-18] (Lavasoft)
S3 Macromedia Licensing Service; C:\Program Files (x86)\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [68096 2011-06-14] ()
S2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
S2 StkSSrv; C:\Windows\System32\StkCSrv.exe [24576 2007-02-12] (Syntek America Inc.)
S2 mi-raysat_3dsmax9_32; "C:\Program Files (x86)\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe" [x]

==================== Drivers (Whitelisted) ====================

S2 ASMMAP64; C:\Program Files\ATKGFNEX\ASMMAP64.sys [14904 2007-07-24] ()
S2 ASMMAP64; C:\Program Files\ATKGFNEX\ASMMAP64.sys [14904 2007-07-24] ()
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-12-07] (DT Soft Ltd)
S3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [15416 2009-07-20] ( )
S0 Lbd; C:\Windows\System32\DRIVERS\Lbd.sys [69152 2009-12-14] (Lavasoft AB)
S3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1799680 2009-05-20] ()
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [564824 2012-11-16] (Duplex Secure Ltd.)
S3 StkCMini; C:\Windows\System32\Drivers\StkCMini.sys [632704 2007-06-28] (Syntek)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
S3 tmlwf;
S3 tmwfp;
S3 WacHidRouter; system32\DRIVERS\wachidrouter.sys [x]
S3 wacomrouterfilter; system32\DRIVERS\wacomrouterfilter.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-14 16:47 - 2013-06-14 08:24 - 00816128 ____A C:\Users\Owner\Desktop\winlogon.com
2013-06-14 16:38 - 2013-06-14 08:24 - 00602112 ____A (OldTimer Tools) C:\Users\Owner\Desktop\OTL.exe
2013-06-14 16:26 - 2013-06-13 11:29 - 01920398 ____A (Farbar) C:\Users\Owner\Desktop\FRST64.exe
2013-06-14 04:52 - 2013-06-14 04:52 - 00000000 ____D C:\FRST
2013-06-11 19:18 - 2013-06-11 10:42 - 00688992 ____A (Swearware) C:\Users\Owner\Desktop\dds.com
2013-06-10 11:31 - 2013-06-10 11:31 - 00000000 ____D C:\Users\Owner\AppData\Local\Apps\2.0
2013-06-10 10:39 - 2013-06-10 02:20 - 00001398 ____A C:\Users\Owner\Downloads\com_fix_w7.reg
2013-06-10 10:31 - 2013-06-10 10:31 - 100417446 ____A C:\Users\Owner\Desktop\backup.reg
2013-06-08 18:33 - 2013-06-14 17:29 - 00001736 ____A C:\Windows\setupact.log
2013-06-08 18:33 - 2013-06-08 18:33 - 00000000 ____A C:\Windows\setuperr.log
2013-06-08 08:59 - 2013-06-08 08:59 - 00009992 ____N C:\bootsqm.dat
2013-06-06 14:59 - 2013-06-06 06:55 - 00005828 ____A C:\Users\Owner\Downloads\Default_EXE.reg
2013-06-06 14:03 - 2013-06-06 06:01 - 00001823 ____A C:\Users\Owner\Downloads\exe_fix_w7.reg
2013-06-06 13:16 - 2013-05-14 05:12 - 25657248 ____A (SUPERAntiSpyware.com) C:\Users\Owner\Downloads\SUPERAntiSpyware.exe
2013-06-05 21:00 - 2013-06-05 21:00 - 00000000 ____D C:\Windows\Sun
2013-06-04 11:23 - 2013-06-06 12:35 - 00000000 ____D C:\found.000
2013-06-04 00:30 - 2013-06-04 14:25 - 00000265 ____A C:\Users\Owner\Desktop\possible names for edward.txt
2013-06-03 09:42 - 2013-06-03 09:42 - 00000000 ____D C:\Program Files (x86)\Microsoft DirectX SDK (June 2010)
2013-06-03 09:32 - 2013-06-03 09:32 - 00000000 ____D C:\Program Files (x86)\For BSA extraction
2013-06-01 12:26 - 2013-06-01 12:26 - 00000000 ____D C:\Program Files\BreakPoint Software
2013-05-30 08:45 - 2013-05-30 09:33 - 00000000 ____D C:\Users\Owner\Downloads\KH models I dont know why I have these
2013-05-19 21:35 - 2013-05-19 21:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified Files and Folders =======

2013-06-14 17:40 - 2012-08-28 17:04 - 01638781 ____A C:\Windows\WindowsUpdate.log
2013-06-14 17:40 - 2009-07-13 20:45 - 00010240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-14 17:40 - 2009-07-13 20:45 - 00010240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-14 17:37 - 2009-07-13 21:13 - 00792550 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-14 17:30 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-14 17:29 - 2013-06-08 18:33 - 00001736 ____A C:\Windows\setupact.log
2013-06-14 16:53 - 2012-12-21 01:00 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-14 14:00 - 2009-07-13 20:45 - 05234720 ____A C:\Windows\System32\FNTCACHE.DAT
2013-06-14 08:40 - 2009-09-23 12:11 - 00002464 ____A C:\Windows\System32\AutoRunFilter.ini
2013-06-14 08:24 - 2013-06-14 16:47 - 00816128 ____A C:\Users\Owner\Desktop\winlogon.com
2013-06-14 08:24 - 2013-06-14 16:38 - 00602112 ____A (OldTimer Tools) C:\Users\Owner\Desktop\OTL.exe
2013-06-14 08:19 - 2010-01-06 18:34 - 00045056 ____A C:\Windows\System32\acovcnt.exe
2013-06-14 04:52 - 2013-06-14 04:52 - 00000000 ____D C:\FRST
2013-06-13 11:29 - 2013-06-14 16:26 - 01920398 ____A (Farbar) C:\Users\Owner\Desktop\FRST64.exe
2013-06-11 10:42 - 2013-06-11 19:18 - 00688992 ____A (Swearware) C:\Users\Owner\Desktop\dds.com
2013-06-10 11:31 - 2013-06-10 11:31 - 00000000 ____D C:\Users\Owner\AppData\Local\Apps\2.0
2013-06-10 10:31 - 2013-06-10 10:31 - 100417446 ____A C:\Users\Owner\Desktop\backup.reg
2013-06-10 02:20 - 2013-06-10 10:39 - 00001398 ____A C:\Users\Owner\Downloads\com_fix_w7.reg
2013-06-08 21:13 - 2009-12-14 07:58 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-06-08 18:36 - 2009-07-28 22:03 - 00000000 ____D C:\Windows\Panther
2013-06-08 18:33 - 2013-06-08 18:33 - 00000000 ____A C:\Windows\setuperr.log
2013-06-08 14:20 - 2012-04-10 11:17 - 00000000 ____D C:\Users\Owner\AppData\Roaming\uTorrent
2013-06-08 14:20 - 2009-12-18 20:00 - 00000000 ____D C:\Users\Owner\AppData\Roaming\BitTorrent
2013-06-08 14:20 - 2009-12-14 08:16 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-06-08 08:59 - 2013-06-08 08:59 - 00009992 ____N C:\bootsqm.dat
2013-06-07 12:16 - 2009-07-13 21:08 - 00032586 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-06-06 13:14 - 2009-11-01 20:24 - 00000000 ____D C:\users\Owner
2013-06-06 12:35 - 2013-06-04 11:23 - 00000000 ____D C:\found.000
2013-06-06 12:35 - 2012-07-18 00:27 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-06-06 12:35 - 2011-07-26 19:28 - 00000000 ____D C:\ProgramData\Ulead Systems
2013-06-06 12:35 - 2010-02-10 07:48 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-06-06 12:35 - 2010-01-08 15:23 - 00000000 ____D C:\Program Files (x86)\Steam
2013-06-06 12:35 - 2009-12-31 23:58 - 00000000 ____D C:\ProgramData\FLEXnet
2013-06-06 12:35 - 2009-09-23 12:10 - 00000000 ____D C:\ProgramData\NVIDIA
2013-06-06 12:35 - 2009-09-23 12:05 - 00000000 ____D C:\ProgramData\P4G
2013-06-06 12:35 - 2009-09-23 11:53 - 00000000 ____D C:\ProgramData\CinemaNow
2013-06-06 12:35 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-06-06 12:35 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-06-06 12:34 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-06-06 12:33 - 2011-04-30 16:12 - 00000000 ____D C:\Users\Owner\Downloads\mod backups
2013-06-06 12:33 - 2010-02-10 07:48 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Skype
2013-06-06 12:33 - 2010-02-10 07:48 - 00000000 ____D C:\ProgramData\Skype
2013-06-06 12:33 - 2009-12-20 20:56 - 00000000 ____D C:\Users\Owner\AppData\Roaming\DAEMON Tools Lite
2013-06-06 12:06 - 2010-01-31 00:59 - 00000000 ____D C:\Users\Owner\Tracing
2013-06-06 11:28 - 2010-10-08 12:37 - 00034701 ____A C:\aaw7boot.log
2013-06-06 06:55 - 2013-06-06 14:59 - 00005828 ____A C:\Users\Owner\Downloads\Default_EXE.reg
2013-06-06 06:01 - 2013-06-06 14:03 - 00001823 ____A C:\Users\Owner\Downloads\exe_fix_w7.reg
2013-06-05 21:00 - 2013-06-05 21:00 - 00000000 ____D C:\Windows\Sun
2013-06-04 14:25 - 2013-06-04 00:30 - 00000265 ____A C:\Users\Owner\Desktop\possible names for edward.txt
2013-06-04 03:05 - 2012-08-27 23:54 - 00003118 ____A C:\Users\Owner\Desktop\for when I restart my computer.txt
2013-06-03 16:43 - 2010-12-04 12:34 - 00002549 ____A C:\Users\Owner\Downloads\Music to look up.txt
2013-06-03 09:42 - 2013-06-03 09:42 - 00000000 ____D C:\Program Files (x86)\Microsoft DirectX SDK (June 2010)
2013-06-03 09:32 - 2013-06-03 09:32 - 00000000 ____D C:\Program Files (x86)\For BSA extraction
2013-06-03 08:18 - 2011-11-11 19:29 - 00000000 ____D C:\Users\Owner\AppData\Local\Skyrim
2013-06-02 06:11 - 2013-03-24 00:51 - 00000000 ____D C:\Users\Owner\Downloads\torrents to... well, torrent
2013-06-01 12:26 - 2013-06-01 12:26 - 00000000 ____D C:\Program Files\BreakPoint Software
2013-05-30 09:33 - 2013-05-30 08:45 - 00000000 ____D C:\Users\Owner\Downloads\KH models I dont know why I have these
2013-05-23 04:14 - 2012-07-14 09:30 - 00001048 ____A C:\Users\Public\Desktop\YTD Video Downloader.lnk
2013-05-23 04:14 - 2012-07-14 09:30 - 00000000 ____D C:\ProgramData\YTD Video Downloader
2013-05-21 06:57 - 2013-04-15 01:55 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox.bak
2013-05-19 21:35 - 2013-05-19 21:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-05-19 18:41 - 2009-07-13 18:34 - 00000499 ____A C:\Windows\win.ini
2013-05-19 18:36 - 2009-11-07 09:35 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-05-19 18:33 - 2012-06-11 22:40 - 00000031 ____A C:\Windows\SysWOW64\deck.ini
2013-05-19 07:19 - 2013-04-15 01:35 - 00000000 ____D C:\Program Files (x86)\Yontoo
2013-05-19 06:38 - 2012-11-22 19:53 - 00000000 ___RD C:\Users\Owner\Dropbox
2013-05-19 06:38 - 2012-11-22 19:45 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Dropbox
2013-05-18 21:14 - 2012-05-01 01:02 - 00000000 ____D C:\Users\Owner\Documents\Camtasia Studio
2013-05-18 21:14 - 2010-08-30 22:55 - 00035840 ____A C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-05-18 10:29 - 2012-01-26 22:57 - 00000000 ____D C:\Users\Owner\AppData\Roaming\dvdcss

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-06-08 14:25:20
Restore point made on: 2013-06-08 21:16:28
Restore point made on: 2013-06-10 12:18:06
Restore point made on: 2013-06-11 20:04:32
Restore point made on: 2013-06-14 09:10:00

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 4095.24 MB
Available physical RAM: 3485.02 MB
Total Pagefile: 4093.39 MB
Available Pagefile: 3477.13 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:283.44 GB) (Free:54.11 GB) NTFS (Disk=0 Partition=2) ==>[Drive with boot components (obtained from BCD)]
Drive e: (STORE N GO) (Removable) (Total:1.86 GB) (Free:1.85 GB) FAT (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298 GB) (Disk ID: D9B3496E)
Partition 1: (Not Active) - (Size=15 GB) - (Type=1C)
Partition 2: (Active) - (Size=283 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 62C94620)
Partition 1: (Not Active) - (Size=2 GB) - (Type=0E)

LastRegBack: 2013-06-14 17:18

==================== End Of Log ============================
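The FRST log above is the raw material a responder works from: every autorun, service and driver entry is printed with its image path, size, date and publisher, a missing image is marked `[x]`, and the EXE ASSOCIATION block shows whether the `.exe` handler in the registry is still the stock `"%1" %*`. As an added example (not part of the thread and not Farbar's code), the Python script below parses those sections and flags the entries that are worth reading first: orphaned entries, images with an empty publisher string, images living under user-writable folders such as AppData, names that suggest monitoring software, and any association line that is not OK. The sample text is constructed from lines of the posted log plus one invented `[abc]` entry under AppData; the `SUSPECT_DIRS` and `SUSPECT_WORDS` lists are assumed heuristics, not anything FRST itself reports.

```python
"""Triage the whitelisted sections of an FRST.txt log (added example, not Farbar's code)."""
import re

SECTION_RE = re.compile(r"^=+ (?P<name>.*?) =+$")
RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
SVC_RE = re.compile(r"^(?P<start>[SR]\d) (?P<name>[^;]+);\s*(?P<rest>.*)$")
ASSOC_RE = re.compile(r"^(?P<key>HKLM\\\.\.\.\\\S+): (?P<value>.*?) => (?P<status>\w+)$")
TAIL_RE = re.compile(r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)$")
PATH_RE = re.compile(r'"(?P<quoted>[^"]+)"|(?P<bare>\S.*?\.(?:exe|com|sys|dll))(?=\s|$)', re.IGNORECASE)

# Assumed heuristics (not from FRST): drop locations ordinary malware favours, and name fragments worth a look.
SUSPECT_DIRS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
SUSPECT_WORDS = ("keylog", "klogger")

# Constructed sample: lines taken from the log posted in the thread, plus one invented AppData entry ([abc]).
SAMPLE = r"""
==================== Registry (Whitelisted) ==================

HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKU\Owner\...\Run: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent [x]
HKU\Owner\...\Run: [freeklogger.exe] C:\Program Files (x86)\Keylogger\FK_Monitor\freeklogger.exe [794624 2011-10-12] ()
HKU\Owner\...\Run: [abc] C:\Users\Owner\AppData\Roaming\abc.exe [12345 2013-06-10] ()

==================== Services (Whitelisted) =================

S2 Adobe Licensing Console; C:\Windows\SysWOW64\adbcnsl.exe [689492 2012-06-10] (          )

==================== Drivers (Whitelisted) ====================

S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
S3 tmlwf;

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\open\command: "%1" %* => OK
"""


def _split_rest(rest):
    """Split 'path [args] [size date] (publisher)' or 'path [x]' into its parts."""
    rest = rest.strip()
    if rest.startswith("\\??\\"):          # FRST prints some driver paths in NT form
        rest = rest[4:]
    if rest.endswith("[x]"):                # FRST's marker for "image file not found"
        body, size, date, publisher, missing = rest[:-3].strip(), None, None, None, True
    else:
        m = TAIL_RE.search(rest)
        if not m:                           # empty or unrecognised tail: no usable path
            return {"path": None, "size": None, "date": None, "publisher": None, "missing": False}
        body = rest[:m.start()].strip()
        size, date, publisher, missing = int(m["size"]), m["date"], m["publisher"].strip(), False
    pm = PATH_RE.match(body)                # quoted path, or bare path up to the first image extension
    path = (pm["quoted"] or pm["bare"]) if pm else body
    return {"path": path, "size": size, "date": date, "publisher": publisher, "missing": missing}


def parse_frst(text):
    """One dict per autorun/service/driver/association entry, tagged with its section."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if (sec := SECTION_RE.match(line)):
            section = sec["name"].strip()
        elif not line or section is None:
            continue
        elif section.startswith("Registry") and (m := RUN_RE.match(line)):
            entries.append({"section": section, "kind": m["key"], "name": m["name"], **_split_rest(m["rest"])})
        elif section.startswith(("Services", "Drivers")) and (m := SVC_RE.match(line)):
            entries.append({"section": section, "kind": m["start"], "name": m["name"].strip(), **_split_rest(m["rest"])})
        elif section.startswith("EXE ASSOCIATION") and (m := ASSOC_RE.match(line)):
            entries.append({"section": section, "kind": "assoc", "name": m["key"], "value": m["value"], "status": m["status"]})
    return entries


def flag_entry(e):
    """Reasons a responder would look at this entry; an empty list means nothing stood out."""
    if e["kind"] == "assoc":
        return [] if e["status"] == "OK" else [f"exe association altered: {e['value']}"]
    reasons, low = [], (e["path"] or "").lower()
    if e["path"] is None:
        reasons.append("no image path recorded")
    elif e["missing"]:
        reasons.append("image file missing (orphaned entry)")
    elif e["publisher"] == "":
        reasons.append("no publisher / version info")
    if any(d in low for d in SUSPECT_DIRS):
        reasons.append("runs from user-writable location")
    if any(w in low for w in SUSPECT_WORDS):
        reasons.append("name suggests monitoring/keylogging software")
    return reasons


def triage(text):
    """List (name, reasons) for every entry that deserves attention, in log order."""
    return [(e["name"], r) for e in parse_frst(text) if (r := flag_entry(e))]


def exe_association_ok(text):
    """True when FRST checked the .exe handler and every line came back OK."""
    assoc = [e for e in parse_frst(text) if e["kind"] == "assoc"]
    return bool(assoc) and all(e["status"] == "OK" for e in assoc)


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE):
        print(f"{name}: {'; '.join(reasons)}")
    print("exe association intact:", exe_association_ok(SAMPLE))
```

On the constructed sample the script clears `SwitchBoard` and both association lines and flags the other six entries; on this thread's log it would have confirmed what the FRST output already says, namely that the `.exe` association is intact, which is why the instructor moved on to checking individual files rather than repairing the handler.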

 

 

 



#14 Oh My!


Posted 14 June 2013 - 10:33 PM

Hi Ed,

There are 2 files I would like to check. Please copy these files to your USB device and then upload as follows.

===================================================

Virustotal Online Virus Scanner

--------------------
  • Please go to Virustotal
  • Select Choose File
  • Navigate to the following file (if multiple files then one at a time), double click on it so the file name is populated, then click Scan it!
  • IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.

C:\Windows\SysWOW64\adbcnsl.exe
C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

  • Once completed, highlight the information in the address bar and copy then paste the link in your reply

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Virustotal links

Gary
 

#15 Ed III


Posted 14 June 2013 - 11:09 PM

Gary, ran it and the exe file really looked bad, but the ini file looked so-so. Here are the links; hope I did it right.

The first link is for the exe file.

https://www.virustotal.com/en/file/689fa3847ca032c023f0d721c72dfc31085c84458143c7bd4ba88d5361359853/analysis/1371268952/

https://www.virustotal.com/en/file/e45c01f41327ec8d32b61cd20afadf28c4f21ca682aefbcf8b7dbf37a5cc01ae/analysis/1371269077/

 

Ed
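The two links above carry the SHA-256 of each uploaded file in the URL, which is what makes them useful to the instructor: the hash, not the filename, identifies the sample. As an added example (not part of the thread), the script below hashes a file locally, builds the report URL in the same shape as the links posted here, and checks that a link someone pasted really refers to the file that was asked for. Hashing first also lets a responder look a file up before deciding whether it needs to be uploaded at all. The sample file is constructed in a temp directory and contains the string `abc`; the URL layout is taken from the links in this post and is an assumption about how the service names its reports.

```python
"""Hash a file locally and cross-check it against a VirusTotal report link (added example)."""
import hashlib
import os
import re
import tempfile

# Report links in this thread look like .../file/<sha256>/analysis/<timestamp>/; only the hash matters.
VT_FILE_URL_RE = re.compile(r"virustotal\.com/(?:[a-z]{2}/)?file/(?P<sha256>[0-9a-fA-F]{64})")


def file_hashes(path, chunk_size=65536):
    """Return MD5, SHA-1 and SHA-256 hex digests, reading in chunks so large files are fine."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def vt_report_url(sha256):
    """Report URL for a hash (assumed layout, copied from the links in the thread)."""
    return f"https://www.virustotal.com/en/file/{sha256.lower()}/analysis/"


def sha256_from_vt_url(url):
    """Pull the SHA-256 out of a pasted report link, or None if the link is not one."""
    m = VT_FILE_URL_RE.search(url)
    return m["sha256"].lower() if m else None


def link_matches_file(url, path):
    """True only if the pasted link refers to exactly this file's contents."""
    expected = sha256_from_vt_url(url)
    return expected is not None and expected == file_hashes(path)["sha256"]


def make_sample_file():
    """Constructed sample input: a temp file holding b'abc', the standard hash test vector."""
    fd, path = tempfile.mkstemp(prefix="vt-sample-", suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(b"abc")
    return path


if __name__ == "__main__":
    sample = make_sample_file()
    hashes = file_hashes(sample)
    for name, value in hashes.items():
        print(f"{name}: {value}")
    print("report link:", vt_report_url(hashes["sha256"]))
    print("link matches file:", link_matches_file(vt_report_url(hashes["sha256"]), sample))
```

The check in `link_matches_file` is the one an instructor wants when a helper is relaying files through a flash drive: it catches the case where the wrong file, or a renamed copy of a different file, was uploaded.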

 





