
Cannot reboot, start safe mode, or system restore


  • This topic is locked
72 replies to this topic

#1 PeterWenning

PeterWenning

  • Members
  • 39 posts
  • OFFLINE
  • Local time:09:36 PM

Posted 16 July 2013 - 05:58 PM

Hello, I am a new member and this is my very first post. I read in a post by Flex011 (09 May 2012) that Farbar helped him very well.

I have exactly the same problem here:

Windows 7 x64, no Windows CD available; when attempting a restart my computer will not boot and I cannot get it to start in any safe mode option or get to an earlier time through system restore (I get error 0x800700b7).

So I downloaded FRST64.exe, put it on a USB stick and ran it via the Windows 7 64-bit repair CD; the log FRST.txt from the Farbar recovery scan is in the attachment.

Can you please help me with a Fixlist.txt solution so that I can use this to resolve the problem?

Thanks in advance.

Attached Files

  • Attached File  FRST.txt   33.41KB   8 downloads




#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:36 PM

Posted 17 July 2013 - 12:48 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Stop using cracked/illegal software - this is the best way to get infected!

Fix with FRST (Recovery Environment)

  • Open notepad (Start => All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
    HKU\Hugo\...\Run: [PCSpeedUp] - C:\Program Files (x86)\PC Speed Up\PCSUNotifier.exe [188680 2012-06-05] ()

    S2 PCSUService; C:\Program Files (x86)\PC Speed Up\PCSUService.exe [289544 2012-06-05] ()
    S2 WajamUpdater; C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe [109064 2012-10-05] (Wajam)
    S2 KMService;

    C:\Program Files (x86)\PC Speed Up
    C:\Program Files (x86)\Wajam
    C:\Users\Hugo\Downloads\Office 2010 Toolkit And Ez-Activator215
    C:\ProgramData\fullremove.exe
    C:\Users\Hugo\AppData\Roaming\cache.dat

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Start up Windows in normal mode now!

Scan with DDS

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop.

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Edited by TB-Psychotic, 17 July 2013 - 12:50 AM.

Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)
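Marius's fix above keys on cues that are visible in the FRST log lines themselves: an empty publisher field "()", a service entry with no image path ("S2 KMService;"), a pending RunOnce task, and autostarts launched from user-writable folders. The Python below is an added example, not FRST's or any poster's code; it parses those two line formats from a constructed log excerpt and lists the entries a reviewer should look at first. The rules are review heuristics only (they also flag legitimate updaters that live under AppData), so a person still decides what goes into fixlist.txt.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the FRST.txt format seen in this thread: registry
# autostarts ("HKLM\...\Run: [Name] - command [size date] (Publisher)") and
# services/drivers ("S2 Name; path [size date] (Publisher)").
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8098848 2009-09-02] (Realtek Semiconductor)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKU\Hugo\...\Run: [PCSpeedUp] - C:\Program Files (x86)\PC Speed Up\PCSUNotifier.exe [188680 2012-06-05] ()
HKU\Hugo\...\Run: [Google Update] - "C:\Users\Hugo\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-09-18] (Google Inc.)

==================== Services (Whitelisted) =================

S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [676936 2012-09-07] (Malwarebytes Corporation)
S2 WajamUpdater; C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe [109064 2012-10-05] (Wajam)
S2 KMService;
"""

# "<hive>\...\Run[Once]: [Name] - <command> [<size> <date>] (<publisher>)"
RUN_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] - "
    r"(?P<cmd>.*?) \[(?P<size>\d+) (?P<date>\S+)\] \((?P<pub>[^)]*)\)$"
)
# "S2 Name; <path> [<size> <date>] (<publisher>)"; everything after ';' is
# optional so that an orphaned entry such as "S2 KMService;" still parses.
SVC_RE = re.compile(
    r"^(?P<start>[SR]\d) (?P<name>[^;]+);"
    r"(?: (?P<cmd>.*?) \[(?P<size>\d+) (?P<date>\S+)\] \((?P<pub>[^)]*)\))?$"
)
# Folders a standard user can write to; an autostart launched from here
# deserves a closer look than one installed under Program Files.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\downloads\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Entry:
    kind: str               # "run" (registry autostart) or "service" (service or driver)
    key: str                # "Run"/"RunOnce" for autostarts, start type (e.g. "S2") for services
    name: str
    command: Optional[str]  # None for a service line with no image path
    publisher: str          # "" when FRST printed "()" (no company name in version info)
    raw: str                # the original log line, which is also the fixlist.txt syntax

    def image_path(self) -> str:
        """Executable path without surrounding quotes or trailing arguments."""
        if not self.command:
            return ""
        cmd = self.command.strip()
        if cmd.startswith('"'):
            return cmd[1:cmd.find('"', 1)]
        m = re.match(r"(.+?\.(?:exe|dll|sys|scr|bat|cmd))(?:\s|$)", cmd, re.IGNORECASE)
        return m.group(1) if m else cmd.split(" ")[0]


def parse_frst(text: str) -> List[Entry]:
    """Extract registry autostart and service/driver entries from an FRST.txt log."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.rstrip()
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry("run", m["key"], m["name"], m["cmd"], m["pub"], line))
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append(Entry("service", m["start"], m["name"].strip(), m["cmd"], m["pub"] or "", line))
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map entry name -> reasons it deserves human review; an empty map means nothing stood out."""
    flagged: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        if e.kind == "service" and not e.command:
            reasons.append("service has no image path (binary missing or entry orphaned)")
        elif not e.publisher:
            reasons.append("no publisher in version info")
        if e.key == "RunOnce":
            reasons.append("RunOnce entry: one-shot task that runs at next logon")
        path = e.image_path().lower()
        if any(marker in path for marker in USER_WRITABLE):
            reasons.append("runs from a user-writable location")
        if reasons:
            flagged[e.name] = reasons
    return flagged


def fixlist_lines(entries: List[Entry], approved: List[str]) -> List[str]:
    """Raw log lines for the names a reviewer approved; FRST removes an entry when
    its log line is pasted into fixlist.txt, which is how the fix in this thread works."""
    return [e.raw for e in entries if e.name in approved]


if __name__ == "__main__":
    for name, reasons in triage(parse_frst(SAMPLE_LOG)).items():
        print(f"{name}: {'; '.join(reasons)}")
```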

#3 PeterWenning

PeterWenning
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:09:36 PM

Posted 17 July 2013 - 04:18 AM

Hi Marius,

Thank you for answering so quickly.

I loaded the fixlist.txt onto the USB stick and ran FRST64 with the Fix button; the fixlog.txt is shown below.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-07-2013 03
Ran by SYSTEM at 2013-07-17 10:58:03 Run:1
Running from J:\
Boot Mode: Recovery
==============================================

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore => Value deleted successfully.
HKU\Hugo\Software\Microsoft\Windows\CurrentVersion\Run\\PCSpeedUp => Value deleted successfully.
PCSUService => Service deleted successfully.
WajamUpdater => Service deleted successfully.
S2 KMService; => Service not found.
C:\Program Files (x86)\PC Speed Up => Moved successfully.
C:\Program Files (x86)\Wajam => Moved successfully.
C:\Users\Hugo\Downloads\Office 2010 Toolkit And Ez-Activator215 => Moved successfully.
C:\ProgramData\fullremove.exe => Moved successfully.
C:\Users\Hugo\AppData\Roaming\cache.dat => Moved successfully.

==== End of Fixlog ====

Then I tried starting Windows normally, but unfortunately the machine (Acer Aspire AX3900, i3 processor) shows me the Windows logo and after 1-2 minutes a black screen comes up with my cursor in the middle, and then it boots up again.

I also tried to start in safe mode (also with networking and prompting) but nothing works; the machine keeps rebooting.

So I cannot go on with your solution.

Regards, Peter



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:36 PM

Posted 17 July 2013 - 05:07 AM

Please create and post up a new FRST log.



#5 PeterWenning

PeterWenning
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:09:36 PM

Posted 17 July 2013 - 06:03 AM

Here is the new FRST.txt file:


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 16-07-2013 03
Ran by SYSTEM on 17-07-2013 12:59:18
Running from J:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet003
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [IAAnotif] - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-10-13] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8098848 2009-09-02] (Realtek Semiconductor)
HKLM-x32\...\Run: [BackupManagerTray] - "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k [261888 2009-08-12] (NewTech Infosystems, Inc.)
HKLM-x32\...\Run: [Hotkey Utility] - C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe [629280 2009-08-17] ()
HKLM-x32\...\Run: [NortonOnlineBackupReminder] - "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED [588648 2009-07-24] (Symantec Corporation)
HKLM-x32\...\Run: [LogitechQuickCamRibbon] - "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide [2793304 2009-10-14] ()
HKLM-x32\...\Run: [APSDaemon] - "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [AVG_UI] - "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [4408368 2013-04-28] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] - "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [1226928 2013-05-21] (AVG Secure Search)
HKLM-x32\...\Run: [BCSSync] - "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe ARM] - "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [162336 2009-07-21] ()
HKU\Default User\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [162336 2009-07-21] ()
HKU\Hugo\...\Run: [Facebook Update] - "C:\Users\Hugo\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-12] (Facebook Inc.)
HKU\Hugo\...\Run: [swg] - "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-11-26] (Google Inc.)
HKU\Hugo\...\Run: [Google Update] - "C:\Users\Hugo\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-09-18] (Google Inc.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\Hugo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notification de cadeaux MSN.lnk
ShortcutTarget: Notification de cadeaux MSN.lnk ->  (No File)

==================== Services (Whitelisted) =================

S2 avgfws; C:\Program Files (x86)\AVG\AVG2013\avgfws.exe [1428472 2013-04-10] (AVG Technologies CZ, s.r.o.)
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4937264 2013-05-13] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-04-17] (AVG Technologies CZ, s.r.o.)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [399432 2012-09-07] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [676936 2012-09-07] (Malwarebytes Corporation)
S3 MWLService; C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe [305448 2009-09-10] (Egis Technology Inc.)
S2 RapportMgmtService; C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [1124184 2013-04-02] (Trusteer Ltd.)
S2 TuneUp.UtilitiesSvc; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe [2148816 2012-12-14] (AVG)
S2 USBS3S4Detection; C:\OEM\USBDECTION\USBS3S4Detection.exe [76320 2009-12-09] ()
S2 vToolbarUpdater15.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [1015984 2013-05-21] (AVG Secure Search)
S2 KMService;

==================== Drivers (Whitelisted) ====================

S1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [50296 2012-09-04] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-03-28] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-02-07] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206136 2013-02-07] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311096 2013-02-07] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-02-07] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-02-07] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2013-03-20] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-05-21] (AVG Technologies)
S3 LVPr2M64; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-06] ()
S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-06] ()
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2012-09-07] (Malwarebytes Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2012-09-07] (Malwarebytes Corporation)
S1 RapportCerberus_51755; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_51755.sys [586072 2013-04-13] ()
S1 RapportCerberus_51755; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_51755.sys [586072 2013-04-13] ()
S1 RapportEI64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [228600 2013-04-02] (Trusteer Ltd.)
S1 RapportEI64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [228600 2013-04-02] (Trusteer Ltd.)
S0 RapportKE64; C:\Windows\System32\Drivers\RapportKE64.sys [236248 2013-04-02] (Trusteer Ltd.)
S1 RapportPG64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [357272 2013-04-02] (Trusteer Ltd.)
S1 RapportPG64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [357272 2013-04-02] (Trusteer Ltd.)
S3 TuneUpUtilitiesDrv; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver64.sys [11880 2012-07-04] (TuneUp Software)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-07-16 17:42 - 2013-07-16 17:42 - 00000000 ____D C:\FRST
2013-07-15 20:56 - 2013-07-15 20:56 - 00000000 __SHD C:\found.000
2013-07-13 01:56 - 2013-07-16 14:04 - 00000000 ____D C:\Windows\pss
2013-06-30 07:56 - 2013-06-30 07:57 - 00000000 ____D C:\Users\Hugo\AppData\Local\{82F5F353-A61C-46DE-B2BC-4ACA3C0162AE}

==================== One Month Modified Files and Folders =======

2013-07-16 15:04 - 2010-09-09 09:30 - 00000000 ____D C:\Users\Hugo\AppData\Local\Google
2013-07-16 15:03 - 2013-02-23 05:27 - 00000000 ____D C:\Users\Default\AppData\Local\Trusteer
2013-07-16 15:03 - 2013-02-23 05:27 - 00000000 ____D C:\Users\Default User\AppData\Local\Trusteer
2013-07-16 15:03 - 2012-05-11 23:56 - 00000000 ____D C:\Users\Hugo\AppData\Local\Facebook
2013-07-16 15:03 - 2011-12-24 08:03 - 00000000 ____D C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2013-07-16 15:03 - 2009-07-13 19:20 - 00000000 __RHD C:\users\Default
2013-07-16 15:02 - 2012-12-24 00:15 - 00000000 ____D C:\ProgramData\Trusteer
2013-07-16 15:02 - 2009-11-26 09:58 - 00000000 ____D C:\ProgramData\OEM
2013-07-16 14:57 - 2012-10-27 03:30 - 00000000 ____D C:\ProgramData\AVG
2013-07-16 14:57 - 2012-09-28 00:38 - 00000000 ____D C:\ProgramData\AVG Secure Search
2013-07-16 14:57 - 2012-09-20 10:45 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-07-16 14:57 - 2011-12-08 00:37 - 00000000 ____D C:\ProgramData\IncrediMail
2013-07-16 14:57 - 2010-09-10 11:14 - 00000000 ____D C:\ProgramData\LogiShrd
2013-07-16 14:57 - 2009-11-26 09:56 - 00000000 ____D C:\ProgramData\Adobe
2013-07-16 14:57 - 2009-11-26 09:48 - 00000000 ____D C:\ProgramData\McAfee
2013-07-16 14:57 - 2009-11-26 09:47 - 00000000 ____D C:\ProgramData\Google
2013-07-16 14:57 - 2009-11-26 09:45 - 00000000 ____D C:\ProgramData\Acer
2013-07-16 14:56 - 2011-05-16 01:49 - 00000000 ____D C:\Program Files\Java
2013-07-16 14:56 - 2010-09-10 11:14 - 00000000 ____D C:\Program Files\Logitech
2013-07-16 14:56 - 2009-11-26 09:40 - 00000000 ____D C:\Program Files\Microsoft Office
2013-07-16 14:56 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\SpeechEngines
2013-07-16 14:55 - 2009-11-26 09:45 - 00000000 ____D C:\Program Files\Acer
2013-07-16 14:54 - 2012-12-24 00:18 - 00000000 ____D C:\Program Files (x86)\Trusteer
2013-07-16 14:54 - 2011-09-13 23:46 - 00000000 ____D C:\Program Files (x86)\Sony
2013-07-16 14:54 - 2011-08-14 22:55 - 00000000 ____D C:\Program Files (x86)\MSECache
2013-07-16 14:54 - 2010-11-13 06:16 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2013-07-16 14:54 - 2009-11-26 09:58 - 00000000 ____D C:\Program Files (x86)\Symantec
2013-07-16 14:54 - 2009-11-26 09:51 - 00000000 ____D C:\Program Files (x86)\Nero
2013-07-16 14:54 - 2009-11-26 09:38 - 00000000 ____D C:\Program Files (x86)\NewTech Infosystems
2013-07-16 14:54 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Reference Assemblies
2013-07-16 14:54 - 2007-10-10 13:05 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2013-07-16 14:53 - 2010-09-10 10:36 - 00000000 ____D C:\Program Files (x86)\Microsoft Sync Framework
2013-07-16 14:53 - 2010-09-10 10:33 - 00000000 ____D C:\Program Files (x86)\Microsoft Analysis Services
2013-07-16 14:53 - 2010-09-09 09:23 - 00000000 ____D C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2013-07-16 14:53 - 2009-11-26 09:39 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2013-07-16 14:52 - 2013-05-18 23:13 - 00000000 ____D C:\Program Files (x86)\IncrediMail
2013-07-16 14:52 - 2012-03-13 22:53 - 00000000 ____D C:\Program Files (x86)\Java
2013-07-16 14:52 - 2010-09-10 11:15 - 00000000 ____D C:\Program Files (x86)\Logitech
2013-07-16 14:52 - 2009-11-26 09:17 - 00000000 ____D C:\Program Files (x86)\Intel
2013-07-16 14:51 - 2012-09-20 10:46 - 00000000 ____D C:\Program Files (x86)\ESET
2013-07-16 14:51 - 2009-11-26 09:57 - 00000000 ____D C:\Program Files (x86)\eSobi
2013-07-16 14:51 - 2009-11-26 09:47 - 00000000 ____D C:\Program Files (x86)\EgisTec
2013-07-16 14:50 - 2010-12-12 01:00 - 00000000 ____D C:\Program Files (x86)\Belastingdienst
2013-07-16 14:49 - 2009-11-26 09:56 - 00000000 ____D C:\Program Files (x86)\Adobe
2013-07-16 14:49 - 2009-11-26 09:44 - 00000000 ____D C:\Program Files (x86)\Acer
2013-07-16 14:49 - 2007-10-10 13:05 - 00000000 ____D C:\Program Files (x86)\AGEIA Technologies
2013-07-16 14:48 - 2009-11-26 09:39 - 00000000 __RHD C:\MSOCache
2013-07-16 14:04 - 2013-07-13 01:56 - 00000000 ____D C:\Windows\pss
2013-07-16 07:17 - 2009-11-26 09:58 - 02218358 _____ C:\Windows\PFRO.log
2013-07-15 20:56 - 2013-07-15 20:56 - 00000000 __SHD C:\found.000
2013-07-14 01:53 - 2012-10-16 23:26 - 00271360 _____ C:\Users\Hugo\Documents\h.j.brink@quicknet.nl
2013-07-14 01:53 - 2012-10-16 23:24 - 00000000 ____D C:\Users\Hugo\Documents\Outlook-bestanden
2013-06-30 07:57 - 2013-06-30 07:56 - 00000000 ____D C:\Users\Hugo\AppData\Local\{82F5F353-A61C-46DE-B2BC-4ACA3C0162AE}

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================


==================== Memory info ===========================

Percentage of memory in use: 17%
Total physical RAM: 3959.09 MB
Available physical RAM: 3280.73 MB
Total Pagefile: 3957.24 MB
Available Pagefile: 3280.93 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:458.87 GB) (Free:408.54 GB) NTFS (Disk=0 Partition=3)
Drive e: (Data) (Fixed) (Total:458.87 GB) (Free:152.76 GB) NTFS (Disk=0 Partition=4)
Drive f: (PQSERVICE) (Fixed) (Total:13.67 GB) (Free:3.34 GB) NTFS (Disk=0 Partition=1)
Drive g: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
Drive j: (USB-STICK) (Removable) (Total:3.73 GB) (Free:0.96 GB) FAT32 (Disk=3 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.03 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 4CF34DCE)
Partition 1: (Not Active) - (Size=14 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=459 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=459 GB) - (Type=07 NTFS)

========================================================
Disk: 3 (Size: 4 GB) (Disk ID: 69862356)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)


LastRegBack: 2013-06-30 07:35

==================== End Of Log ============================

 

Regards, Peter



#6 TB-Psychotic


Posted 17 July 2013 - 07:08 AM

From within the Recovery Environment, start the command prompt.

Enter the following command and hit enter:

 

chkdsk C: /p /r

 

Follow the instructions on the screen to scan the hard drive for errors.

When finished, try to boot into windows.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 PeterWenning


Posted 17 July 2013 - 04:38 PM

The "/p" parameter is unknown...

 

chkdsk C: /f /r  ("/f" fixes errors on the disk)...

I ran chkdsk /f /r on the C (Acer) and E (Data) partitions.

I also tried to run chkdsk on X (Boot), but this partition is write-protected...

 

Then I booted into Windows...

Same story: the machine shows me the Windows logo, after 1-2 minutes a black screen comes up with my cursor in the middle, and then it boots up again...



#8 TB-Psychotic


Posted 18 July 2013 - 01:39 AM

Create/Scan with Kaspersky Rescue Disk

Follow the instructions on this page for downloading the kav_rescue_10.iso (200 mb) file and creating the Kaspersky Rescue Disk.

Make sure you set the machine to boot from the CD-ROM drive first. Then save and exit the BIOS. The computer will begin to boot. Insert the disc in the CD-ROM drive, then restart the machine. It should then boot from that CD.

It's best if you refer to the instructions and images at Kaspersky How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?

Once it boots from CD, press a key so it continues to boot from that CD.

Select the language, then be sure to select Kaspersky Rescue Disk Graphic Mode.

Kaspersky should begin scanning your machine. If it finds infection, look carefully at the files it lists. If any of them seem to be legit files, do not allow it to clean/quarantine/delete them. Rather, save the log and post the results for me to look over.



#9 PeterWenning


Posted 18 July 2013 - 05:13 AM

Marius,

 

Here is the log of Kaspersky:

 

Objects Scan: completed 2 days ago   (events: 2, objects: 3, time: 00:00:22)    
7/15/13 5:40 PM    Task completed            
7/15/13 5:39 PM    Task started            
Objects Scan: stopped 2 days ago   (events: 5, objects: 143998, time: 00:21:53)    
7/15/13 5:41 PM    Task started            
7/15/13 6:03 PM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    sda3/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/15/13 6:03 PM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    sda3/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Postponed    
7/15/13 6:03 PM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    sda3/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/15/13 6:03 PM    Task stopped            
Objects Scan: stopped 2 days ago   (events: 8, objects: 1305459, time: 02:34:07)    
7/15/13 6:13 PM    Task started            
7/15/13 6:31 PM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/15/13 6:31 PM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Postponed    
7/15/13 6:31 PM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/15/13 7:15 PM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/15/13 7:15 PM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Postponed    
7/15/13 7:15 PM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/15/13 8:47 PM    Task stopped            
Objects Scan: completed 6 minutes ago   (events: 29, objects: 1513802, time: 03:00:15)    
7/18/13 12:00 PM    Task completed            
7/18/13 12:00 PM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-07-01 085629/Backup Files 2013-07-01 085629/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 12:00 PM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-07-01 085629/Backup Files 2013-07-01 085629/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Write not supported    
7/18/13 12:00 PM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-07-01 085629/Backup Files 2013-07-01 085629/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:59 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-28 190002/Backup Files 2013-04-28 190002/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:59 AM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-28 190002/Backup Files 2013-04-28 190002/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Write not supported    
7/18/13 11:59 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-28 190002/Backup Files 2013-04-28 190002/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:58 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-01 083700/Backup Files 2013-04-14 204211/Backup files 1.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:58 AM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-01 083700/Backup Files 2013-04-14 204211/Backup files 1.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Write not supported    
7/18/13 11:58 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-01 083700/Backup Files 2013-04-14 204211/Backup files 1.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:58 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:58 AM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Skipped by user    
7/18/13 11:47 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:44 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-07-01 085629/Backup Files 2013-07-01 085629/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:44 AM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-07-01 085629/Backup Files 2013-07-01 085629/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Postponed    
7/18/13 11:44 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-07-01 085629/Backup Files 2013-07-01 085629/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:41 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-28 190002/Backup Files 2013-04-28 190002/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:41 AM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-28 190002/Backup Files 2013-04-28 190002/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Postponed    
7/18/13 11:41 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-28 190002/Backup Files 2013-04-28 190002/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:38 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-01 083700/Backup Files 2013-04-14 204211/Backup files 1.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:38 AM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-01 083700/Backup Files 2013-04-14 204211/Backup files 1.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Postponed    
7/18/13 11:38 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-01 083700/Backup Files 2013-04-14 204211/Backup files 1.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 9:57 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 9:57 AM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Postponed    
7/18/13 9:57 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 9:15 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 9:15 AM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Postponed    
7/18/13 9:15 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 9:00 AM    Task started            
 

I did nothing!!!

The machine is still running and asking me in a new window:

- Threats have been detected

- Advice: neutralize all

 

I wait for your answer.

 

Peter
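
The Rescue Disk log above repeats the same verdict many times, so it helps to collapse it to one entry per object before deciding what to do. The Python below is an added example, not part of this thread and not Kaspersky's own tooling: it parses the "Objects Scan" event lines (timestamp, event, object path and, for "Untreated" events, the reason) and reports, per object, whether it is a live file or a copy inside a backup archive and whether it is still untreated. The sample lines are constructed from the shape of the log posted above, with the tab separators collapsed to runs of spaces as they appear on this page; the archive-extension list and the assumption that an "Untreated" status means the object is still outstanding are mine.

```python
"""Collapse a Kaspersky Rescue Disk 10 'Objects Scan' log into one entry per object.

Added example, not part of this thread and not Kaspersky's tooling.  Assumes the
event lines are '<time>  <event>  [<path>  [<status>]]' separated by tabs, which
the forum copy of the log shows as runs of spaces.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, shaped like the log posted in the thread (tabs shown as 4 spaces).
SAMPLE_LOG = """\
Objects Scan: completed 6 minutes ago   (events: 29, objects: 1513802, time: 03:00:15)
7/18/13 12:00 PM    Task completed
7/18/13 12:00 PM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-07-01 085629/Backup Files 2013-07-01 085629/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4
7/18/13 12:00 PM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-07-01 085629/Backup Files 2013-07-01 085629/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Write not supported
7/18/13 11:58 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4
7/18/13 11:58 AM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Skipped by user
7/18/13 9:00 AM    Task started
"""

FIELD_SEP = re.compile(r"\t| {2,}")            # tab in the real log, 2+ spaces in the forum copy
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".cab", ".jar")   # assumption: members appear as '<archive>/<member>'
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Finding:
    detection: str          # scanner verdict, e.g. HEUR:Exploit.Java.CVE-2012-1723.gen
    path: str               # object path as the (Linux based) Rescue Disk sees it
    statuses: list = field(default_factory=list)   # reasons from 'Untreated' lines, in log order

    @property
    def in_archive(self):
        lower = self.path.lower()
        return any(ext + "/" in lower for ext in ARCHIVE_EXTS)

    @property
    def cve(self):
        m = CVE_RE.search(self.detection)
        return m.group(0) if m else None

    @property
    def outstanding(self):
        # Every object the scanner could not, or was not allowed to, clean gets an 'Untreated' line.
        return bool(self.statuses)


def parse_events(text):
    """Turn each event line into a dict; scan-summary headers are skipped."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Objects Scan:"):
            continue
        fields = FIELD_SEP.split(line)
        if len(fields) < 2:
            continue
        kind, _, detection = fields[1].partition(": ")   # 'Detected'/'Untreated'/'Task ...'
        events.append({
            "time": fields[0],
            "kind": kind,
            "detection": detection or None,
            "path": fields[2] if len(fields) > 2 else None,
            "status": fields[3] if len(fields) > 3 else None,
        })
    return events


def triage(text):
    """One Finding per object path, accumulating every 'Untreated' reason."""
    findings = {}
    for ev in parse_events(text):
        if ev["kind"] not in ("Detected", "Untreated"):
            continue
        f = findings.setdefault(ev["path"], Finding(ev["detection"], ev["path"]))
        if ev["kind"] == "Untreated" and ev["status"]:
            f.statuses.append(ev["status"])
    return findings


def report(text):
    """Human-readable lines, live files first, then archive members."""
    lines = []
    for f in sorted(triage(text).values(), key=lambda x: (x.in_archive, x.path)):
        where = "backup archive member" if f.in_archive else "live file"
        state = "UNTREATED (" + ", ".join(sorted(set(f.statuses))) + ")" if f.outstanding else "handled"
        lines.append(f"{f.cve or f.detection}: {where}: {state}: {f.path}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the sample it yields two outstanding objects: the live Java deployment-cache entry under AppData\LocalLow (status "Skipped by user", the result of the Postponed/Skipped prompts in the thread) and the same entry packed inside the Windows Backup zip files on D:, where the Rescue Disk reports "Write not supported" because it does not rewrite a member inside an archive. The archive copies therefore stay untreated until the backup set is deleted or re-created; the live cache entry is the one the scanner can neutralize.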



#10 TB-Psychotic


Posted 18 July 2013 - 06:13 AM

Neutralize all, then try to boot into windows.

If that fails, restore your system to a time when it worked.

 

Report.



#11 PeterWenning


Posted 18 July 2013 - 07:53 AM

I neutralized all infected files and then rebooted into Windows, but no effect; still the same.

Then I started the computer with my Windows 7 x64 repair disk and chose to do a restore.

It gave me the following message:

 

System Restore did not complete successfully.

Your computer's system files and settings are not changed.

 

Details:

System restore failed to extract the file (D:\) from the restore point.

An unexpected error occurred during System Restore (0x8000ffff)

 

This error code 0x8000ffff is different from the first time I tried this (0x800700b7)!!!!

 

Peter



#12 TB-Psychotic


Posted 18 July 2013 - 07:59 AM

rats!

 

System File Check (offline mode)

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt
  • In the command window:
  • type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your system drive letter and system path (for example, D:\windows\) and close the notepad.
  • enter the following command:


sfc /scannow /offbootdir=d:\ /offwindir=d:\windows


Replace the drive letter and the Windows path in that command (d:\ and d:\windows above) with the information you obtained from the last step of this tutorial.

Note: Depending on how your computer is setup, the Command Prompt, when used from outside of Windows, doesn't always assign drive letters in the same way that you see them from inside Windows. In other words, Windows might be at C:\Windows when you're using it, but D:\Windows from the Command Prompt in System Recovery Options.


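
Marius's note that the Recovery Environment can hand out different drive letters than the running system is visible in the FRST log Peter posted earlier: FRST, run from the repair disc, lists the Windows volume as c: and the 100 MB active SYSTEM RESERVED partition as y:, yet the RE command prompt later showed Windows at D:. The Python below is an added example, not FRST's code and not from this thread: it parses the "Drives" and "MBR & Partition Table" sections in the format FRST prints and works out which letter is the RE's own boot RAM disk, which partition is the active (boot) one, and which NTFS volumes are large enough to hold a Windows installation, so the operator knows which letters to try for /offbootdir and /offwindir. The excerpt is copied from the log above; the 20 GB size cutoff and the assumption that a fixed NTFS drive with no Disk/Partition behind it is the RE RAM disk are mine.

```python
"""Map drive letters in an FRST recovery-environment log to disk partitions.

Added example, not FRST's own code: parses the 'Drives' and 'MBR & Partition
Table' sections as FRST prints them and classifies the letters it finds.
"""
import re

# Excerpt of the FRST log posted in the thread (constructed copy, content unchanged).
FRST_EXCERPT = """\
==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:458.87 GB) (Free:408.54 GB) NTFS (Disk=0 Partition=3)
Drive e: (Data) (Fixed) (Total:458.87 GB) (Free:152.76 GB) NTFS (Disk=0 Partition=4)
Drive f: (PQSERVICE) (Fixed) (Total:13.67 GB) (Free:3.34 GB) NTFS (Disk=0 Partition=1)
Drive g: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
Drive j: (USB-STICK) (Removable) (Total:3.73 GB) (Free:0.96 GB) FAT32 (Disk=3 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.03 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 4CF34DCE)
Partition 1: (Not Active) - (Size=14 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=459 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=459 GB) - (Type=07 NTFS)

========================================================
Disk: 3 (Size: 4 GB) (Disk ID: 69862356)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)
"""

DRIVE_RE = re.compile(
    r"^Drive (?P<letter>[a-z]): \((?P<label>[^)]*)\) \((?P<kind>Fixed|Removable|CDROM)\) "
    r"\(Total:(?P<total>[\d.]+) GB\) \(Free:[\d.]+ GB\) (?P<fs>\S+)"
    r"(?: \(Disk=(?P<disk>\d+) Partition=(?P<part>\d+)\))?"
)
DISK_RE = re.compile(r"^Disk: (?P<disk>\d+) ")
PART_RE = re.compile(
    r"^Partition (?P<part>\d+): \((?P<active>Active|Not Active)\) - "
    r"\(Size=(?P<size>[^)]+)\) - \(Type=(?P<type>[0-9A-Fa-f]{2})"
)
MIN_WINDOWS_GB = 20.0   # assumption: anything smaller cannot be a Windows 7 system volume


def parse_frst(text):
    """Return (drives, partitions): drive dicts in log order, partitions keyed by (disk, index)."""
    drives, partitions, disk = [], {}, None
    for line in text.splitlines():
        m = DRIVE_RE.match(line)
        if m:
            d = m.groupdict()
            d["total"] = float(d["total"])
            d["disk"] = int(d["disk"]) if d["disk"] else None
            d["part"] = int(d["part"]) if d["part"] else None
            d["boot_components"] = "boot components" in line   # FRST's own annotation
            drives.append(d)
            continue
        m = DISK_RE.match(line)
        if m:
            disk = int(m.group("disk"))   # following 'Partition N:' lines belong to this disk
            continue
        m = PART_RE.match(line)
        if m and disk is not None:
            partitions[(disk, int(m.group("part")))] = {
                "active": m.group("active") == "Active",
                "type": m.group("type").upper(),
                "size": m.group("size"),
            }
    return drives, partitions


def classify(text):
    """Pick out the RE RAM disk, the active boot partition and the Windows-sized NTFS volumes."""
    drives, partitions = parse_frst(text)
    result = {"winre_ramdisk": None, "boot_partition": None, "windows_candidates": []}
    for d in drives:
        key = (d["disk"], d["part"])
        part = partitions.get(key)
        if d["disk"] is None and d["kind"] == "Fixed" and d["fs"] == "NTFS":
            result["winre_ramdisk"] = d["letter"]        # no disk behind it: the RE's boot.wim RAM disk
        elif part and part["active"]:
            result["boot_partition"] = d["letter"]       # where bootmgr/BCD live -> /offbootdir
        elif part and part["type"] == "07" and d["kind"] == "Fixed" and d["total"] >= MIN_WINDOWS_GB:
            result["windows_candidates"].append(d["letter"])   # try <letter>:\Windows for /offwindir
    return result


if __name__ == "__main__":
    print(classify(FRST_EXCERPT))
```

On this log it returns x as the RE volume, y as the active boot partition, and c and e as the only volumes big enough for Windows; f (PQSERVICE, partition type 27) is the hidden OEM recovery partition. Which of c and e actually holds \Windows still has to be confirmed from the RE prompt, for example with the Notepad file dialog described above, because the letters the RE's cmd.exe assigns can differ from the ones FRST reported.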

#13 PeterWenning


Posted 18 July 2013 - 11:35 AM

I ran the SFC command:

 

sfc /scannow /offbootdir=d:\  /offwindir=d:\windows

 

D: is the windows disk.

 

After an hour the system gave me:

 

Windows Resource Protection did not find any integrity violations.

 

(Run Bootrec /fix... maybe?)

 

regards, Peter



#14 TB-Psychotic


Posted 18 July 2013 - 11:48 PM

Fix with FRST (Recovery Environment)

  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt
     

    LastRegBack: 2013-06-30 07:35
     
    

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


Edited by TB-Psychotic, 18 July 2013 - 11:48 PM.


#15 PeterWenning


Posted 19 July 2013 - 02:30 AM

Marius,

 

Yesterday evening I started the Kaspersky rescue again, but first I made an Internet connection and updated Kaspersky.

(I did this before I read your answer; sorry.)

So I ran the scan again during the night, and the next morning I saw that Kaspersky had detected a Trojan horse again; see the log below:

 

Objects Scan: completed 3 days ago   (events: 2, objects: 3, time: 00:00:22)    
7/15/13 5:40 PM    Task completed            
7/15/13 5:39 PM    Task started            
Objects Scan: stopped 3 days ago   (events: 5, objects: 143998, time: 00:21:53)    
7/15/13 6:03 PM    Task stopped            
7/15/13 6:03 PM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    sda3/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/15/13 6:03 PM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    sda3/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Postponed    
7/15/13 6:03 PM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    sda3/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/15/13 5:41 PM    Task started            
Objects Scan: stopped 3 days ago   (events: 8, objects: 1305459, time: 02:34:07)    
7/15/13 8:47 PM    Task stopped            
7/15/13 7:15 PM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/15/13 7:15 PM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Postponed    
7/15/13 7:15 PM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/15/13 6:31 PM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/15/13 6:31 PM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Postponed    
7/15/13 6:31 PM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/15/13 6:13 PM    Task started            
Objects Scan: completed 20 hours ago   (events: 29, objects: 1513802, time: 03:00:15)    
7/18/13 12:00 PM    Task completed            
7/18/13 12:00 PM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-07-01 085629/Backup Files 2013-07-01 085629/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 12:00 PM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-07-01 085629/Backup Files 2013-07-01 085629/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Write not supported    
7/18/13 12:00 PM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-07-01 085629/Backup Files 2013-07-01 085629/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:59 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-28 190002/Backup Files 2013-04-28 190002/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:59 AM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-28 190002/Backup Files 2013-04-28 190002/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Write not supported    
7/18/13 11:59 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-28 190002/Backup Files 2013-04-28 190002/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:58 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-01 083700/Backup Files 2013-04-14 204211/Backup files 1.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:58 AM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-01 083700/Backup Files 2013-04-14 204211/Backup files 1.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Write not supported    
7/18/13 11:58 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-01 083700/Backup Files 2013-04-14 204211/Backup files 1.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:58 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:58 AM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Skipped by user    
7/18/13 11:47 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:44 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-07-01 085629/Backup Files 2013-07-01 085629/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:44 AM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-07-01 085629/Backup Files 2013-07-01 085629/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Postponed    
7/18/13 11:44 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-07-01 085629/Backup Files 2013-07-01 085629/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:41 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-28 190002/Backup Files 2013-04-28 190002/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:41 AM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-28 190002/Backup Files 2013-04-28 190002/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Postponed    
7/18/13 11:41 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-28 190002/Backup Files 2013-04-28 190002/Backup files 3.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:38 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-01 083700/Backup Files 2013-04-14 204211/Backup files 1.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 11:38 AM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-01 083700/Backup Files 2013-04-14 204211/Backup files 1.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Postponed    
7/18/13 11:38 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    D:/HUGO-PC/Backup Set 2013-04-01 083700/Backup Files 2013-04-14 204211/Backup files 1.zip/C/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 9:57 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 9:57 AM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Postponed    
7/18/13 9:57 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 9:15 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 9:15 AM    Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4    Postponed    
7/18/13 9:15 AM    Detected: HEUR:Exploit.Java.CVE-2012-1723.gen    C:/Users/Hugo/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/16/2341c5d0-2dd669b4        
7/18/13 9:00 AM    Task started            
Objects Scan: completed 4 minutes ago   (events: 20, objects: 1485127, time: 08:21:07)    
7/19/13 8:36 AM    Task completed            
7/19/13 8:36 AM    Untreated: Trojan.Win32.Yakes.cxkk    D:/HUGO-PC/Backup Set 2013-07-01 085629/Backup Files 2013-07-15 151455/Backup files 1.zip/C/Users/Hugo/AppData/Roaming/cache.dat    Write not supported    
7/19/13 8:36 AM    Detected: Trojan.Win32.Yakes.cxkk    D:/HUGO-PC/Backup Set 2013-07-01 085629/Backup Files 2013-07-15 151455/Backup files 1.zip/C/Users/Hugo/AppData/Roaming/cache.dat        
7/19/13 8:36 AM    Deleted: Trojan.Win32.Yakes.cxkk    C:/Users/Hugo/AppData/Local/Temp/tltdkw        
7/19/13 8:33 AM    Detected: Trojan.Win32.Yakes.cxkk    C:/Users/Hugo/AppData/Local/Temp/tltdkw        
7/19/13 8:33 AM    Deleted: Trojan.Win32.Yakes.cxkk    C:/FRST/Quarantine/cache.dat        
7/19/13 3:07 AM    Detected: Trojan.Win32.Yakes.cxkk    C:/FRST/Quarantine/cache.dat        
7/19/13 3:05 AM    Untreated: Trojan.Win32.Yakes.cxkk    D:/HUGO-PC/Backup Set 2013-07-01 085629/Backup Files 2013-07-15 151455/Backup files 1.zip/C/Users/Hugo/AppData/Roaming/cache.dat    Postponed    
7/19/13 3:05 AM    Detected: Trojan.Win32.Yakes.cxkk    D:/HUGO-PC/Backup Set 2013-07-01 085629/Backup Files 2013-07-15 151455/Backup files 1.zip/C/Users/Hugo/AppData/Roaming/cache.dat        
7/19/13 1:20 AM    Untreated: Trojan.Win32.Yakes.cxkk    C:/Users/Hugo/AppData/Local/Temp/tltdkw    Postponed    
7/19/13 1:20 AM    Detected: Trojan.Win32.Yakes.cxkk    C:/Users/Hugo/AppData/Local/Temp/tltdkw        
7/19/13 1:07 AM    Untreated: Trojan.Win32.Yakes.cxkk    C:/Users/Hugo/AppData/Local/Temp/tltdkw    Postponed    
7/19/13 1:07 AM    Detected: Trojan.Win32.Yakes.cxkk    C:/Users/Hugo/AppData/Local/Temp/tltdkw        
7/19/13 12:44 AM    Untreated: Trojan.Win32.Yakes.cxkk    C:/FRST/Quarantine/cache.dat    Postponed    
7/19/13 12:44 AM    Detected: Trojan.Win32.Yakes.cxkk    C:/FRST/Quarantine/cache.dat        
7/19/13 12:39 AM    Untreated: Trojan.Win32.Yakes.cxkk    C:/Users/Hugo/AppData/Local/Temp/tltdkw    Postponed    
7/19/13 12:39 AM    Detected: Trojan.Win32.Yakes.cxkk    C:/Users/Hugo/AppData/Local/Temp/tltdkw        
7/19/13 12:26 AM    Untreated: Trojan.Win32.Yakes.cxkk    C:/Users/Hugo/AppData/Local/Temp/tltdkw    Postponed    
7/19/13 12:26 AM    Detected: Trojan.Win32.Yakes.cxkk    C:/Users/Hugo/AppData/Local/Temp/tltdkw        
7/19/13 12:15 AM    Task started      

I neutralized the threats.

Then I booted into Windows and guess what: WINDOWS STARTED!!!

After a few minutes the Windows desktop appeared and it told me that the system was recovered to 28-4-2013...??

Another strange thing is that in the bottom right corner it says that this copy of Windows is not legitimate?

I opened the configuration screen: Remove Programs --> I noticed that the Wajam program was still installed and I removed it.

So what to do next?

Regards, Peter





