
Blue screen, Unable to install Anti-virus programs, Redirecting, Infected


  • This topic is locked
75 replies to this topic

#1 Antony88

Antony88

  • Members
  • 52 posts
  • OFFLINE
  • Local time:09:21 PM

Posted 23 February 2014 - 04:40 PM

Hello Bleeping Computer,

 

I own a Windows Vista 7 and I have been getting redirected randomly for about two weeks now while using Mozilla Firefox, and I upgraded my Malwarebytes to Pro about a month ago and it's not picking anything up anymore, but a few days ago it said I got 78 infections (PUP.Optional) and that they were successfully removed, but I think the computer is still infected because I tried to download Kaspersky Pure 3.0 Free Trial and my computer would not allow me to install it. Kaspersky says that I may be infected.

 

Then I tried to use Kaspersky's Anti-virus removal tool and my computer crashed and a blue screen popped up and my computer restarted to protect the system. Malwarebytes isn't coming up with anything whenever I scan and I can't install other Anti-virus to check what my specific virus is since my computer keeps interrupting and crashing when I try. I would really appreciate your help. Please let me know whatever additional information you need and I will try to get it if I can.

 

 

I couldn't get the specific message on my blue screen because my computer crashed and doing anything in that state was impossible, so I'm not sure what to do.

I have followed all the given instructions in the preparation guide. Here is my DDS log.

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16518
Run by AMATERASU at 14:01:36 on 2014-02-23
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3562.1638 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\Tablet\Pen\Pen_TouchService.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\atieclxx.exe
C:\windows\SYSTEM32\WISPTIS.EXE
C:\Windows\System32\GFNEXSrv.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\windows\system32\Dwm.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\Explorer.EXE
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\TECO\Teco.exe
C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe
C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe
C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\ScanToPCActivationApp.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\HPNetworkCommunicator.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Microsoft Security Client\msseces.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\windows\system32\svchost.exe -k SDRSVC
C:\windows\system32\taskeng.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\Toshiba\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [HP Deskjet 3050A J611 series (NET)] "C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN1684B0HM05PJ:NW" -scfn "HP Deskjet 3050A J611 series (NET)" -AutoStart 1
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot
mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:28
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{BBD523B0-81B2-44FC-8365-00155A9598B8} : DHCPNameServer = 192.168.0.1 205.171.3.25
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.117\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\Toshiba\TOSHIBA Media Controller Plug-in\x64\TOSHIBAMediaControllerIE.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Run: [HSON] C:\Program Files (x86)\TOSHIBA\TBS\HSON.exe
x64-Run: [TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [RtHDVBg_Dolby] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [Teco] "C:\Program Files (x86)\TOSHIBA\TECO\Teco.exe" /r
x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
x64-Run: [TosWaitSrv] C:\Program Files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
x64-Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
x64-Run: [TosNC] C:\Program Files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
x64-Run: [TosReelTimeMonitor] C:\Program Files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\AMATERASU\AppData\Roaming\Mozilla\Firefox\Profiles\f0as3mgf.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\TabletPlugins\npwacom.dll
FF - plugin: C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_70.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R1 2700619drv;2700619drv;C:\windows\System32\drivers\2700619drv.sys [2014-2-23 556632]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2012-2-25 204288]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2013-4-22 822504]
R2 GFNEXSrv;GFNEX Service;C:\windows\System32\GFNEXSrv.exe [2012-2-25 162824]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2014-1-13 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2014-1-13 701512]
R2 NisDrv;Microsoft Network Inspection System;C:\windows\System32\drivers\NisDrvWFP.sys [2013-9-27 134944]
R2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe [2012-2-25 123320]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [2012-2-25 126392]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2013-6-26 523944]
R2 TabletServicePen;TabletServicePen;C:\Program Files\Tablet\Pen\Pen_Tablet.exe [2012-8-30 6581624]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\Toshiba\TECO\TecoService.exe [2011-5-24 294848]
R2 TouchServicePen;Wacom Consumer Touch Service;C:\Program Files\Tablet\Pen\Pen_TouchService.exe [2012-8-30 528760]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\System32\drivers\TVALZFL.sys [2009-6-19 14472]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\windows\System32\drivers\AtihdW76.sys [2012-2-25 115216]
R3 MBAMProtector;MBAMProtector;C:\windows\System32\drivers\mbam.sys [2014-1-13 25928]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
R3 PGEffect;Pangu effect driver;C:\windows\System32\drivers\PGEffect.sys [2012-2-25 38096]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2012-2-25 413800]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\System32\drivers\rtl8192ce.sys [2012-2-25 1142376]
R3 Sftfs;Sftfs;C:\windows\System32\drivers\Sftfslh.sys [2013-6-26 767144]
R3 Sftplay;Sftplay;C:\windows\System32\drivers\Sftplaylh.sys [2013-6-26 273576]
R3 Sftredir;Sftredir;C:\windows\System32\drivers\Sftredirlh.sys [2013-6-26 28840]
R3 Sftvol;Sftvol;C:\windows\System32\drivers\Sftvollh.sys [2013-6-26 23208]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2013-6-26 207528]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\Toshiba\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-6-9 138152]
R3 TPCHSrv;TPCH Service;C:\Program Files\Toshiba\TPHM\TPCHSrv.exe [2011-7-1 828856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\windows\System32\ieetwcollector.exe [2014-2-12 111616]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2012-2-25 250984]
S3 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2012-2-25 57216]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2012-7-16 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2014-02-23 20:24:40    75888    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3B38D33D-CB5D-4E76-894B-207B81B073EC}\offreg.dll
2014-02-23 20:14:35    1031560    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F944D304-FE91-4FA9-B085-4B59B3254EBD}\gapaengine.dll
2014-02-23 20:14:28    10536864    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3B38D33D-CB5D-4E76-894B-207B81B073EC}\mpengine.dll
2014-02-23 20:11:15    --------    d-----w-    C:\Program Files (x86)\Microsoft Security Client
2014-02-23 20:11:10    --------    d-----w-    C:\Program Files\Microsoft Security Client
2014-02-23 19:48:10    556632    ----a-w-    C:\windows\System32\drivers\2700619drv.sys
2014-02-23 19:42:42    10536864    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{ED8705AF-6F08-4FC0-B29B-7AD6FCB84699}\mpengine.dll
2014-02-23 19:33:26    --------    d-----w-    C:\ProgramData\Kaspersky Lab Setup Files
2014-02-12 16:08:24    548864    ----a-w-    C:\windows\System32\vbscript.dll
2014-02-12 16:08:24    454656    ----a-w-    C:\windows\SysWow64\vbscript.dll
2014-02-12 15:55:44    1882112    ----a-w-    C:\windows\System32\msxml3.dll
2014-02-12 15:54:59    2565120    ----a-w-    C:\windows\System32\d3d10warp.dll
2014-02-12 15:54:59    1987584    ----a-w-    C:\windows\SysWow64\d3d10warp.dll
2014-02-12 15:54:58    3928064    ----a-w-    C:\windows\System32\d2d1.dll
2014-02-12 15:54:58    3419136    ----a-w-    C:\windows\SysWow64\d2d1.dll
2014-02-06 22:26:05    --------    d-----w-    C:\Users\AMATERASU\AppData\Local\Microsoft Games
.
==================== Find3M  ====================
.
2014-02-20 23:47:45    71048    ----a-w-    C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-02-20 23:47:45    692616    ----a-w-    C:\windows\SysWow64\FlashPlayerApp.exe
2014-02-06 11:30:46    2724864    ----a-w-    C:\windows\System32\mshtml.tlb
2014-02-06 11:30:12    4096    ----a-w-    C:\windows\System32\ieetwcollectorres.dll
2014-02-06 11:07:39    66048    ----a-w-    C:\windows\System32\iesetup.dll
2014-02-06 11:06:47    48640    ----a-w-    C:\windows\System32\ieetwproxystub.dll
2014-02-06 10:49:03    139264    ----a-w-    C:\windows\System32\ieUnatt.exe
2014-02-06 10:48:45    111616    ----a-w-    C:\windows\System32\ieetwcollector.exe
2014-02-06 10:48:11    708608    ----a-w-    C:\windows\System32\jscript9diag.dll
2014-02-06 10:20:26    2724864    ----a-w-    C:\windows\SysWow64\mshtml.tlb
2014-02-06 10:11:37    5768704    ----a-w-    C:\windows\System32\jscript9.dll
2014-02-06 10:01:36    61952    ----a-w-    C:\windows\SysWow64\iesetup.dll
2014-02-06 10:00:46    51200    ----a-w-    C:\windows\SysWow64\ieetwproxystub.dll
2014-02-06 09:50:32    2041856    ----a-w-    C:\windows\System32\inetcpl.cpl
2014-02-06 09:47:22    112128    ----a-w-    C:\windows\SysWow64\ieUnatt.exe
2014-02-06 09:46:27    553472    ----a-w-    C:\windows\SysWow64\jscript9diag.dll
2014-02-06 09:25:36    4244480    ----a-w-    C:\windows\SysWow64\jscript9.dll
2014-02-06 09:24:52    2334208    ----a-w-    C:\windows\System32\wininet.dll
2014-02-06 09:09:30    1964032    ----a-w-    C:\windows\SysWow64\inetcpl.cpl
2014-02-06 08:41:35    1820160    ----a-w-    C:\windows\SysWow64\wininet.dll
2013-12-18 13:13:56    270496    ------w-    C:\windows\System32\MpSigStub.exe
2013-12-06 02:30:08    2048    ----a-w-    C:\windows\System32\msxml3r.dll
2013-12-06 02:02:08    2048    ----a-w-    C:\windows\SysWow64\msxml3r.dll
2013-12-06 02:02:08    1237504    ----a-w-    C:\windows\SysWow64\msxml3.dll
2013-12-04 02:27:33    485888    ----a-w-    C:\windows\System32\secproc_isv.dll
2013-12-04 02:27:33    123392    ----a-w-    C:\windows\System32\secproc_ssp_isv.dll
2013-12-04 02:27:33    123392    ----a-w-    C:\windows\System32\secproc_ssp.dll
2013-12-04 02:27:16    488448    ----a-w-    C:\windows\System32\secproc.dll
2013-12-04 02:26:32    528384    ----a-w-    C:\windows\System32\msdrm.dll
2013-12-04 02:16:51    658432    ----a-w-    C:\windows\System32\RMActivate_isv.exe
2013-12-04 02:16:51    626176    ----a-w-    C:\windows\System32\RMActivate.exe
2013-12-04 02:16:50    552960    ----a-w-    C:\windows\System32\RMActivate_ssp_isv.exe
2013-12-04 02:16:48    553984    ----a-w-    C:\windows\System32\RMActivate_ssp.exe
2013-12-04 02:03:20    87040    ----a-w-    C:\windows\SysWow64\secproc_ssp_isv.dll
2013-12-04 02:03:20    87040    ----a-w-    C:\windows\SysWow64\secproc_ssp.dll
2013-12-04 02:03:20    423936    ----a-w-    C:\windows\SysWow64\secproc_isv.dll
2013-12-04 02:03:08    428032    ----a-w-    C:\windows\SysWow64\secproc.dll
2013-12-04 02:02:06    390144    ----a-w-    C:\windows\SysWow64\msdrm.dll
2013-12-04 01:54:14    510976    ----a-w-    C:\windows\SysWow64\RMActivate_ssp.exe
2013-12-04 01:54:10    594944    ----a-w-    C:\windows\SysWow64\RMActivate_isv.exe
2013-12-04 01:54:09    572416    ----a-w-    C:\windows\SysWow64\RMActivate.exe
2013-12-04 01:54:06    508928    ----a-w-    C:\windows\SysWow64\RMActivate_ssp_isv.exe
2013-11-27 01:41:37    343040    ----a-w-    C:\windows\System32\drivers\usbhub.sys
2013-11-27 01:41:15    99840    ----a-w-    C:\windows\System32\drivers\usbccgp.sys
2013-11-27 01:41:11    53248    ----a-w-    C:\windows\System32\drivers\usbehci.sys
2013-11-27 01:41:11    325120    ----a-w-    C:\windows\System32\drivers\usbport.sys
2013-11-27 01:41:09    25600    ----a-w-    C:\windows\System32\drivers\usbohci.sys
2013-11-27 01:41:06    30720    ----a-w-    C:\windows\System32\drivers\usbuhci.sys
2013-11-27 01:41:03    7808    ----a-w-    C:\windows\System32\drivers\usbd.sys
2013-11-26 11:40:00    376768    ----a-w-    C:\windows\System32\drivers\netio.sys
2013-11-26 10:32:56    3156480    ----a-w-    C:\windows\System32\win32k.sys
.
============= FINISH: 14:04:00.05 ===============
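As an added example (not part of this thread, and not a tool from the DDS author or from BleepingComputer), here is a small Python parser for the two DDS sections a helper usually reads together: the SERVICES / DRIVERS list and the "Created Last 30" list. It cross-references each service's image path against the recently created files, checks that the size and date in the service entry agree with the file entry, and lists the boot-start (R0) and system-start (R1) drivers, which load before any user-mode security tool. The line layout is assumed from the log posted above, and the sample lines embedded in the block are constructed from that log. In this sample it picks out 2700619drv.sys, created the same afternoon the Kaspersky setup folder appeared; a hit only means "new file running at start-up", a starting point for a question, not a verdict.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample in the DDS log layout, modelled on the log posted above.
SAMPLE_DDS = r"""============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R1 2700619drv;2700619drv;C:\windows\System32\drivers\2700619drv.sys [2014-2-23 556632]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2014-1-13 701512]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
.
=============== Created Last 30 ================
.
2014-02-23 19:48:10    556632    ----a-w-    C:\windows\System32\drivers\2700619drv.sys
2014-02-23 20:11:15    --------    d-----w-    C:\Program Files (x86)\Microsoft Security Client
2014-02-12 16:08:24    548864    ----a-w-    C:\windows\System32\vbscript.dll
.
==================== Find3M  ====================
"""

# "R1 name;display;path [yyyy-m-d size]" -- layout assumed from the posted log.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]\s*$"
)
# "timestamp  size-or-dashes  attrs  path" -- directories carry "--------" as size.
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+|-+)\s+"
    r"(?P<attrs>[-\w]{8})\s+(?P<path>.+?)\s*$"
)


@dataclass
class Service:
    state: str      # R0 boot, R1 system, R2 auto, R3 demand, S = stopped
    name: str
    display: str
    path: str
    file_date: date
    size: int


@dataclass
class Created:
    timestamp: datetime
    size: Optional[int]   # None for directories
    attrs: str
    path: str


@dataclass
class Hit:
    name: str
    state: str
    path: str
    created_at: datetime
    size_matches: bool
    date_matches: bool


def parse_dds(text: str) -> Tuple[List[Service], Dict[str, Created]]:
    """Walk the log once, switching section on the '====' header lines."""
    services: List[Service] = []
    created: Dict[str, Created] = {}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("="):
            if "SERVICES / DRIVERS" in line:
                section = "services"
            elif "Created Last 30" in line:
                section = "created"
            else:
                section = None      # any other header ends the section of interest
            continue
        if section == "services":
            m = SERVICE_RE.match(line)
            if m:
                y, mo, d = (int(p) for p in m["date"].split("-"))
                services.append(Service(m["state"], m["name"], m["display"],
                                        m["path"], date(y, mo, d), int(m["size"])))
        elif section == "created":
            m = CREATED_RE.match(line)
            if m:
                size = None if m["size"].startswith("-") else int(m["size"])
                c = Created(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                            size, m["attrs"], m["path"])
                created[c.path.lower()] = c   # NTFS paths are case-insensitive
    return services, created


def services_created_recently(services: List[Service],
                              created: Dict[str, Created]) -> List[Hit]:
    """Services whose image file appears in 'Created Last 30', with consistency flags."""
    hits = []
    for s in services:
        c = created.get(s.path.lower())
        if c is None:
            continue
        hits.append(Hit(s.name, s.state, s.path, c.timestamp,
                        size_matches=(c.size == s.size),
                        date_matches=(c.timestamp.date() == s.file_date)))
    return hits


def early_start_drivers(services: List[Service]) -> List[str]:
    """Names of R0/R1 entries: loaded before user-mode security tools, so read them first."""
    return [s.name for s in services if s.state in ("R0", "R1")]


if __name__ == "__main__":
    svcs, recent = parse_dds(SAMPLE_DDS)
    print("early-start drivers:", early_start_drivers(svcs))
    for h in services_created_recently(svcs, recent):
        print(f"{h.state} {h.name}: {h.path} created {h.created_at} "
              f"size_ok={h.size_matches} date_ok={h.date_matches}")
```

Run it against a full DDS log by passing the file's text to `parse_dds` instead of `SAMPLE_DDS`; the regexes ignore the header, process list and HJT sections, so the whole log can be fed in unchanged.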
 



#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:21 AM

Posted 24 February 2014 - 06:04 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Scan with FRST (Recovery Environment)


To run FRST on Vista and Windows7:



Plug the flashdrive into the infected PC.

Enter System Recovery Options.


To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt.

  • In the command window:
  • type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 Antony88

Antony88
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:09:21 PM

Posted 27 February 2014 - 12:41 AM

Hi there Marius!

 

First of all, thank you so much for assisting me with my problem :)

 

Secondly, I'm sorry because I think I messed up your instructions. I'm going to tell you everything I did so maybe you'll understand what I did wrong. First, I got confused with the Scan with FRST (Recovery Environment) because I wondered if I was supposed to scan with this first after running it and I did because I thought that I understood what you meant but then I realized that you probably hadn't meant that so I deleted the log txt that came from it and started over.

 

But before this, when I plugged in a flashdrive and clicked save file after clicking your Farbar Recovery Scan Tool link, it did not give me the option to save it on my flashdrive, so I tried to send it to my flashdrive, and then I unplugged it and plugged it back in to make sure it was saved and then followed the rest of your instructions. After restarting my computer, I pressed the F8 key until the Advanced Boot Options appeared and then I used the arrow keys to select the Repair your computer item, I chose my language, pressed next, until I made it to the user account and then I reached the System Recovery options.

 

I think this is where things went wrong because after selecting command prompt, I typed in Notepad and pressed enter, then when it opened, I pressed 'open,' selected computer, and I found my flash drive letter and selected it, but I'm confused as to whether I was supposed to click on my flashdrive and click open, which I did because I thought that was what you meant, and then it went back to the notepad, but the notepad was empty, and I closed it like it said to in the instructions and then I typed the e:\frst64 and pressed enter, but the tool did not start to run and there was an error message. I think that the scan did not get saved properly on my flashdrive but it doesn't give me the option to save it on my flashdrive.

 

Also another thing that has happened with my computer since I asked for help with my virus is that whenever I restart or turn on my computer after shutting it down now, the start up gets interrupted by the blue screen and sometimes I have to restart my computer three times before it gets to the user part where I can log in and reach my desktop.

 

I'm really sorry I messed up with your instructions, what should I do now?



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:21 AM

Posted 28 February 2014 - 06:31 AM

If you haven't any problems, boot your computer into Recovery Environment and scan with FRST.

Return the log to me. :)



#5 Antony88

Antony88
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:09:21 PM

Posted 04 March 2014 - 01:19 AM

Hey Marius,

What I meant is that I was having problems. I wasn't able to scan with the FRST while inside the recovery environment. When I found the flashdrive in the recovery environment, it didn't show me the FRST so I don't think it got saved correctly on the flashdrive and I'm about to try again. I was able to scan with the FRST only (outside) of the recovery environment in my regular desktop, which is what I mistook your instructions for, as to scan with the FRST before saving it on the flashdrive, but it has to be in the recovery environment right? I tried to save it on my flash drive again so I'll go through the instructions and try again with the recovery environment, but I don't think it will show up because I had to use the same method of saving it on the flashdrive. I'll give you my results in a few minutes, it might take a while because my computer takes several tries to restart, but hopefully it will work this time.



#6 Antony88

Antony88
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:09:21 PM

Posted 04 March 2014 - 01:38 AM

Okay, I went and redid all the instructions but I still wasn't able to scan. Right after the instruction that says 'in the command window type e:\frst64 and press enter', when I pressed enter after changing the e to the f that was my flashdrive letter, I got an error message and the tool didn't run. I think the problem is either my flashdrive or how the scan doesn't seem to be saving correctly on it. Tomorrow I will buy a new flash drive and try again. Do you think there is anything else I should do?


Edited by Antony88, 04 March 2014 - 01:40 AM.


#7 Antony88

Antony88
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:09:21 PM

Posted 05 March 2014 - 02:45 AM

Alright, I used a new flashdrive but the scan didn't work again so I copied down the text that was in the command window so you can see the error message.

 

Right after adding in notepad, I followed all the instructions, found the letter of my new flashdrive through notepad, typed in the letter, and the f:\frst64 and pressed enter but the tool didn't run and this is the exact message I got in the command window:

 

x:\sources\recovery\Tools>notepad

x:\sources\recovery\Tools> f:\frst64

f:\frst64' is not recognized as an internal or external command, operable program or batch file.



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:21 AM

Posted 05 March 2014 - 02:49 AM

Don't misunderstand me, but: Did you download FRST or FRST64?

If the file is correct (as you need FRST64.exe), try the following:

 

At the command prompt, type the following lines (each one followed by the enter key):

cd\
F:
FRST64.exe


#9 Antony88

Antony88
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:09:21 PM

Posted 06 March 2014 - 12:21 AM

Yes, I downloaded FRST64 because I have a 64-bit computer.

 

I did the

 

cd\

F:

FRST64.

 

And it didn't work again.

This is the final message I got again after pressing enter each time. I also got the same message when I tried writing FRST64 and the F in capital letters.

 

x:sources\recoery\Tools\cd/

x:\>frst64.exe

'frst64.exe is not recognized as an internal or external command, operable program or batch file.

f:\>

 

On top of that though I have a bigger problem now. Last night after restarting to do the FRST thing in the command window I stopped being able to get to my normal desktop after restarting completely. Everytime my computer restarts, a blue screen pops up telling me my computer has shut down to protect itself and my computer never makes it to the user place where you log in.

 

It just goes to the blue screen again and restarting itself back to the blue screen. So last night I had system repair on the entire night and when it was finished it said that it can't fix the problems on my computer. So I had to press F8 when the BIOS screen came up and put my computer in safe mode with networking and that's the only reason I can message you right now.

 

Is there anything I can do so I can use my computer normally without safe more again? Will you please help me get to my desktop first or tell if there's something I can do?


Edited by Antony88, 06 March 2014 - 12:27 AM.


#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 06 March 2014 - 02:09 AM

Be careful - you did it in the wrong way.

You have to execute the F: before FRST.

cd\ goes to the root path of the current drive

F: switches to your flash drive

FRST64 launches the tool


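Added example for the recovery command prompt; it is not part of the thread and not TB-Psychotic's instructions. It finds which drive letter holds FRST64.exe (assumed to sit in the root of the flash drive, as in the steps above), switches to that drive and launches the tool, so the notepad lookup of the drive letter is not needed. It also shows the point made above about drive switching: a bare drive letter changes the current drive, cd\ changes only the directory, and cd /d does both. The list of letters to probe and the skipping of X: (the recovery environment's own RAM disk) are assumptions of this example.

```batch
@echo off
rem Added example for the recovery command prompt; it is not part of the thread.
rem Finds which drive letter holds FRST64.exe (assumed to be in the root of the
rem flash drive, as in the instructions above), then switches to that drive and
rem launches the tool. X: is skipped because it is the recovery environment's
rem own RAM disk, not a real volume.
setlocal
set "TOOLDRIVE="
for %%D in (C D E F G H I J K L M N O P Q R S T U V W Y Z) do (
    if not defined TOOLDRIVE if exist "%%D:\FRST64.exe" set "TOOLDRIVE=%%D:"
)
if not defined TOOLDRIVE (
    echo FRST64.exe was not found in the root of any drive letter.
    goto :end
)
echo FRST64.exe is on %TOOLDRIVE%
rem A bare drive letter (F:) changes the current drive; "cd \" changes only the
rem directory on the current drive. "cd /d" does both, so this single line is
rem the equivalent of the "cd\" then "F:" pair given above.
cd /d %TOOLDRIVE%\
FRST64.exe
:end
endlocal
```

Saved as a .cmd file it runs as written; typed line by line at the prompt instead, the loop variable is written %D rather than %%D. The reason the probe is worth having is visible in the replies above: the command prompt in the recovery environment is sitting on X:, and a tool on the flash drive is only found once the current drive has actually been switched.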

#11 Antony88

  • Topic Starter
  • Members
  • 52 posts

Posted 07 March 2014 - 02:37 AM

Hey Marius, I did what you said and this time it worked in the recovery environment!

Here is the log:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-03-2014 02
Ran by SYSTEM on MININT-11SQ8LJ on 07-03-2014 00:27:14
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.


The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [TPwrMain] - C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [590256 2011-05-17] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] - C:\Program Files\TOSHIBA\TBS\HSON.exe [296824 2010-09-25] (TOSHIBA Corporation)
HKLM\...\Run: [TCrdMain] - C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [972672 2011-04-27] (TOSHIBA Corporation)
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12558440 2011-07-07] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] - C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2226280 2011-06-03] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2679592 2011-02-03] (Synaptics Incorporated)
HKLM\...\Run: [Teco] - C:\Program Files\TOSHIBA\TECO\Teco.exe [1544624 2011-05-24] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [710560 2011-06-09] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] - C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [712096 2011-07-01] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] - C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] - C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [597936 2011-07-27] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] - C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [38824 2011-06-28] (TOSHIBA Corporation)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM-x32\...\Run: [ToshibaAppPlace] - C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe [552960 2010-09-23] (Toshiba)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKU\AMATERASU\...\Run: [HP Deskjet 3050A J611 series (NET)] - C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\ScanToPCActivationApp.exe [2547048 2011-03-30] (Hewlett-Packard Co.)
HKU\AMATERASU\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-02-25] (Google Inc.)
HKU\AMATERASU\...\Run: [WinPatrol] - C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe [423144 2013-04-26] (BillP Studios)

==================== Services (Whitelisted) =================

S2 GFNEXSrv; C:\Windows\System32\GFNEXSrv.exe [162824 2010-09-09] ()
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
S2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe [123320 2011-07-19] (Symantec Corporation)
S2 PCCUJobMgr; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [126392 2011-07-19] (Symantec Corporation)

==================== Drivers (Whitelisted) ====================

S1 2700619drv; C:\Windows\System32\DRIVERS\2700619drv.sys [556632 2014-02-23] (Kaspersky Lab)
S3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
S5 AppMgmt; C:\Windows\system32\svchost.exe [27648 2011-03-01] (Microsoft Corporation)
S3 TDEIO; \??\C:\Windows\SysWOW64\sysprep\BOOTPRIO\tdeio64.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-03-05 21:01 - 2014-03-05 21:01 - 00266576 _____ () C:\Windows\Minidump\030514-31168-01.dmp
2014-03-05 08:22 - 2014-03-05 08:23 - 00266576 _____ () C:\Windows\Minidump\030514-30934-01.dmp
2014-03-04 23:22 - 2014-03-04 23:22 - 02156544 _____ (Farbar) C:\Users\AMATERASU\Downloads\FRST64(3).exe
2014-03-04 07:31 - 2014-03-04 07:31 - 00266576 _____ () C:\Windows\Minidump\030414-58110-01.dmp
2014-03-03 22:44 - 2014-03-03 22:45 - 00266576 _____ () C:\Windows\Minidump\030314-32729-01.dmp
2014-03-03 22:08 - 2014-03-03 22:08 - 02156544 _____ (Farbar) C:\Users\AMATERASU\Downloads\FRST64(2).exe
2014-02-26 21:17 - 2014-02-26 21:17 - 00266576 _____ () C:\Windows\Minidump\022614-63710-01.dmp
2014-02-26 21:15 - 2014-02-26 21:15 - 00266576 _____ () C:\Windows\Minidump\022614-63664-01.dmp
2014-02-26 21:03 - 2014-02-26 21:03 - 02155520 _____ (Farbar) C:\Users\AMATERASU\Downloads\FRST64(1).exe
2014-02-26 20:53 - 2014-03-07 00:27 - 00000000 ____D () C:\FRST
2014-02-26 20:52 - 2014-02-26 20:53 - 02155520 _____ (Farbar) C:\Users\AMATERASU\Downloads\FRST64.exe
2014-02-25 13:44 - 2014-02-25 13:45 - 00266576 _____ () C:\Windows\Minidump\022514-30279-01.dmp
2014-02-23 13:04 - 2014-02-23 13:09 - 00009179 _____ () C:\Users\AMATERASU\Desktop\attach.txt
2014-02-23 13:04 - 2014-02-23 13:08 - 00019646 _____ () C:\Users\AMATERASU\Desktop\dds.txt
2014-02-23 12:58 - 2014-02-23 12:58 - 00688992 ____R (Swearware) C:\Users\AMATERASU\Downloads\dds.com
2014-02-23 12:11 - 2014-02-23 12:11 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-02-23 12:11 - 2014-02-23 12:11 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-02-23 12:00 - 2014-02-23 12:01 - 13670584 _____ (Microsoft Corporation) C:\Users\AMATERASU\Downloads\mseinstall (1).exe
2014-02-23 11:57 - 2014-02-23 12:09 - 395808768 _____ () C:\Users\AMATERASU\Downloads\kav_rescue_10.iso
2014-02-23 11:53 - 2014-02-23 11:53 - 00185800 _____ (Лаборатория Касперского) C:\Users\AMATERASU\Downloads\kss12.0.1.117abRU_EN_DE_FR_ES_IT_JA_PT_ZH_5203.exe
2014-02-23 11:49 - 2014-03-05 21:00 - 135500120 _____ () C:\Windows\MEMORY.DMP
2014-02-23 11:49 - 2014-02-23 11:50 - 00275592 _____ () C:\Windows\Minidump\022314-28735-01.dmp
2014-02-23 11:48 - 2014-02-23 20:40 - 00556632 _____ (Kaspersky Lab) C:\Windows\System32\Drivers\2700619drv.sys
2014-02-23 11:44 - 2014-02-23 11:47 - 132219120 _____ () C:\Users\AMATERASU\Downloads\setup_11.0.1.1245.x01_2014_02_23_21_41.exe
2014-02-23 11:33 - 2014-02-23 11:33 - 00000000 ____D () C:\ProgramData\Kaspersky Lab Setup Files
2014-02-23 11:06 - 2014-02-23 11:11 - 193804024 _____ (Kaspersky Lab ZAO) C:\Users\AMATERASU\Downloads\pur13.0.2.558abcdEN_5352.exe
2014-02-15 10:51 - 2014-02-15 10:52 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-02-12 08:08 - 2013-12-21 01:53 - 00548864 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2014-02-12 08:08 - 2013-12-21 00:56 - 00454656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-02-12 08:07 - 2014-02-06 04:16 - 23170048 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-02-12 08:07 - 2014-02-06 03:30 - 02724864 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-02-12 08:07 - 2014-02-06 03:30 - 00004096 _____ (Microsoft Corporation) C:\Windows\System32\ieetwcollectorres.dll
2014-02-12 08:07 - 2014-02-06 03:12 - 02765824 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2014-02-12 08:07 - 2014-02-06 03:07 - 00066048 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2014-02-12 08:07 - 2014-02-06 03:06 - 00048640 _____ (Microsoft Corporation) C:\Windows\System32\ieetwproxystub.dll
2014-02-12 08:07 - 2014-02-06 02:57 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2014-02-12 08:07 - 2014-02-06 02:56 - 00033792 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2014-02-12 08:07 - 2014-02-06 02:52 - 00574976 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2014-02-12 08:07 - 2014-02-06 02:49 - 00139264 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2014-02-12 08:07 - 2014-02-06 02:48 - 00708608 _____ (Microsoft Corporation) C:\Windows\System32\jscript9diag.dll
2014-02-12 08:07 - 2014-02-06 02:48 - 00111616 _____ (Microsoft Corporation) C:\Windows\System32\ieetwcollector.exe
2014-02-12 08:07 - 2014-02-06 02:38 - 17103872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-02-12 08:07 - 2014-02-06 02:32 - 00218624 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2014-02-12 08:07 - 2014-02-06 02:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-02-12 08:07 - 2014-02-06 02:17 - 00195584 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2014-02-12 08:07 - 2014-02-06 02:11 - 05768704 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2014-02-12 08:07 - 2014-02-06 02:01 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-02-12 08:07 - 2014-02-06 02:00 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-02-12 08:07 - 2014-02-06 01:57 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-02-12 08:07 - 2014-02-06 01:57 - 00627200 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2014-02-12 08:07 - 2014-02-06 01:52 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-02-12 08:07 - 2014-02-06 01:52 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-02-12 08:07 - 2014-02-06 01:50 - 02041856 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2014-02-12 08:07 - 2014-02-06 01:49 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-02-12 08:07 - 2014-02-06 01:47 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-02-12 08:07 - 2014-02-06 01:46 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-02-12 08:07 - 2014-02-06 01:25 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-02-12 08:07 - 2014-02-06 01:25 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-02-12 08:07 - 2014-02-06 01:24 - 02334208 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2014-02-12 08:07 - 2014-02-06 01:22 - 13051392 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2014-02-12 08:07 - 2014-02-06 01:13 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-02-12 08:07 - 2014-02-06 01:09 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-02-12 08:07 - 2014-02-06 01:03 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-02-12 08:07 - 2014-02-06 00:55 - 01393664 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2014-02-12 08:07 - 2014-02-06 00:41 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-02-12 08:07 - 2014-02-06 00:40 - 00817664 _____ (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2014-02-12 08:07 - 2014-02-06 00:36 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-02-12 08:07 - 2014-02-06 00:34 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-02-12 07:55 - 2013-12-31 15:05 - 00420008 _____ () C:\Windows\SysWOW64\locale.nls
2014-02-12 07:55 - 2013-12-31 15:04 - 00420008 _____ () C:\Windows\System32\locale.nls
2014-02-12 07:55 - 2013-12-05 18:30 - 01882112 _____ (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2014-02-12 07:55 - 2013-12-05 18:30 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2014-02-12 07:55 - 2013-12-05 18:02 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2014-02-12 07:55 - 2013-12-05 18:02 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2014-02-12 07:55 - 2013-12-03 18:27 - 00488448 _____ (Microsoft Corporation) C:\Windows\System32\secproc.dll
2014-02-12 07:55 - 2013-12-03 18:27 - 00485888 _____ (Microsoft Corporation) C:\Windows\System32\secproc_isv.dll
2014-02-12 07:55 - 2013-12-03 18:27 - 00123392 _____ (Microsoft Corporation) C:\Windows\System32\secproc_ssp_isv.dll
2014-02-12 07:55 - 2013-12-03 18:27 - 00123392 _____ (Microsoft Corporation) C:\Windows\System32\secproc_ssp.dll
2014-02-12 07:55 - 2013-12-03 18:26 - 00528384 _____ (Microsoft Corporation) C:\Windows\System32\msdrm.dll
2014-02-12 07:55 - 2013-12-03 18:16 - 00658432 _____ (Microsoft Corporation) C:\Windows\System32\RMActivate_isv.exe
2014-02-12 07:55 - 2013-12-03 18:16 - 00626176 _____ (Microsoft Corporation) C:\Windows\System32\RMActivate.exe
2014-02-12 07:55 - 2013-12-03 18:16 - 00553984 _____ (Microsoft Corporation) C:\Windows\System32\RMActivate_ssp.exe
2014-02-12 07:55 - 2013-12-03 18:16 - 00552960 _____ (Microsoft Corporation) C:\Windows\System32\RMActivate_ssp_isv.exe
2014-02-12 07:55 - 2013-12-03 18:03 - 00428032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc.dll
2014-02-12 07:55 - 2013-12-03 18:03 - 00423936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc_isv.dll
2014-02-12 07:55 - 2013-12-03 18:03 - 00087040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc_ssp_isv.dll
2014-02-12 07:55 - 2013-12-03 18:03 - 00087040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc_ssp.dll
2014-02-12 07:55 - 2013-12-03 18:02 - 00390144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msdrm.dll
2014-02-12 07:55 - 2013-12-03 17:54 - 00594944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate_isv.exe
2014-02-12 07:55 - 2013-12-03 17:54 - 00572416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate.exe
2014-02-12 07:55 - 2013-12-03 17:54 - 00510976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate_ssp.exe
2014-02-12 07:55 - 2013-12-03 17:54 - 00508928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate_ssp_isv.exe
2014-02-12 07:54 - 2013-12-24 15:09 - 01987584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2014-02-12 07:54 - 2013-12-24 14:48 - 02565120 _____ (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2014-02-12 07:54 - 2013-11-26 00:16 - 03419136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll
2014-02-12 07:54 - 2013-11-22 14:48 - 03928064 _____ (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2014-02-06 14:26 - 2014-02-06 14:38 - 00000000 ____D () C:\Users\AMATERASU\AppData\Local\Microsoft Games

==================== One Month Modified Files and Folders =======

2014-03-07 00:27 - 2014-02-26 20:53 - 00000000 ____D () C:\FRST
2014-03-06 22:50 - 2012-09-22 12:08 - 00000000 ____D () C:\Users\AMATERASU\AppData\Roaming\LockAP
2014-03-06 21:11 - 2012-02-24 23:45 - 02080988 _____ () C:\Windows\WindowsUpdate.log
2014-03-05 21:32 - 2009-07-13 21:13 - 00783400 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-03-05 21:01 - 2014-03-05 21:01 - 00266576 _____ () C:\Windows\Minidump\030514-31168-01.dmp
2014-03-05 21:01 - 2012-07-19 17:42 - 00000000 ____D () C:\Windows\Minidump
2014-03-05 21:00 - 2014-02-23 11:49 - 135500120 _____ () C:\Windows\MEMORY.DMP
2014-03-05 08:23 - 2014-03-05 08:22 - 00266576 _____ () C:\Windows\Minidump\030514-30934-01.dmp
2014-03-04 23:54 - 2009-07-13 20:45 - 00024608 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-04 23:54 - 2009-07-13 20:45 - 00024608 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-04 23:53 - 2012-02-25 00:21 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-04 23:47 - 2013-01-04 07:44 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-04 23:34 - 2012-02-25 00:21 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-04 23:33 - 2013-07-12 16:00 - 00035524 _____ () C:\Windows\setupact.log
2014-03-04 23:33 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-04 23:26 - 2012-07-15 06:48 - 00000000 ____D () C:\Users\AMATERASU\AppData\Roaming\SoftGrid Client
2014-03-04 23:22 - 2014-03-04 23:22 - 02156544 _____ (Farbar) C:\Users\AMATERASU\Downloads\FRST64(3).exe
2014-03-04 23:01 - 2012-08-08 15:08 - 00000264 _____ () C:\Windows\Tasks\HP Photo Creations Messager.job
2014-03-04 07:31 - 2014-03-04 07:31 - 00266576 _____ () C:\Windows\Minidump\030414-58110-01.dmp
2014-03-03 22:45 - 2014-03-03 22:44 - 00266576 _____ () C:\Windows\Minidump\030314-32729-01.dmp
2014-03-03 22:08 - 2014-03-03 22:08 - 02156544 _____ (Farbar) C:\Users\AMATERASU\Downloads\FRST64(2).exe
2014-02-28 08:35 - 2012-07-15 06:47 - 00776014 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-02-26 21:17 - 2014-02-26 21:17 - 00266576 _____ () C:\Windows\Minidump\022614-63710-01.dmp
2014-02-26 21:15 - 2014-02-26 21:15 - 00266576 _____ () C:\Windows\Minidump\022614-63664-01.dmp
2014-02-26 21:14 - 2013-09-08 17:40 - 00155150 _____ () C:\Windows\PFRO.log
2014-02-26 21:03 - 2014-02-26 21:03 - 02155520 _____ (Farbar) C:\Users\AMATERASU\Downloads\FRST64(1).exe
2014-02-26 20:53 - 2014-02-26 20:52 - 02155520 _____ (Farbar) C:\Users\AMATERASU\Downloads\FRST64.exe
2014-02-25 17:38 - 2012-11-11 14:26 - 00000000 ____D () C:\Users\AMATERASU\Documents\Mp3 LIST
2014-02-25 13:45 - 2014-02-25 13:44 - 00266576 _____ () C:\Windows\Minidump\022514-30279-01.dmp
2014-02-23 20:40 - 2014-02-23 11:48 - 00556632 _____ (Kaspersky Lab) C:\Windows\System32\Drivers\2700619drv.sys
2014-02-23 13:09 - 2014-02-23 13:04 - 00009179 _____ () C:\Users\AMATERASU\Desktop\attach.txt
2014-02-23 13:08 - 2014-02-23 13:04 - 00019646 _____ () C:\Users\AMATERASU\Desktop\dds.txt
2014-02-23 12:58 - 2014-02-23 12:58 - 00688992 ____R (Swearware) C:\Users\AMATERASU\Downloads\dds.com
2014-02-23 12:11 - 2014-02-23 12:11 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-02-23 12:11 - 2014-02-23 12:11 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-02-23 12:11 - 2013-05-15 16:24 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-02-23 12:09 - 2014-02-23 11:57 - 395808768 _____ () C:\Users\AMATERASU\Downloads\kav_rescue_10.iso
2014-02-23 12:01 - 2014-02-23 12:00 - 13670584 _____ (Microsoft Corporation) C:\Users\AMATERASU\Downloads\mseinstall (1).exe
2014-02-23 11:56 - 2013-05-03 23:21 - 00000000 ____D () C:\ProgramData\Kaspersky Lab
2014-02-23 11:53 - 2014-02-23 11:53 - 00185800 _____ (Лаборатория Касперского) C:\Users\AMATERASU\Downloads\kss12.0.1.117abRU_EN_DE_FR_ES_IT_JA_PT_ZH_5203.exe
2014-02-23 11:50 - 2014-02-23 11:49 - 00275592 _____ () C:\Windows\Minidump\022314-28735-01.dmp
2014-02-23 11:47 - 2014-02-23 11:44 - 132219120 _____ () C:\Users\AMATERASU\Downloads\setup_11.0.1.1245.x01_2014_02_23_21_41.exe
2014-02-23 11:33 - 2014-02-23 11:33 - 00000000 ____D () C:\ProgramData\Kaspersky Lab Setup Files
2014-02-23 11:11 - 2014-02-23 11:06 - 193804024 _____ (Kaspersky Lab ZAO) C:\Users\AMATERASU\Downloads\pur13.0.2.558abcdEN_5352.exe
2014-02-20 15:47 - 2013-01-04 07:44 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-02-20 15:47 - 2012-07-31 02:02 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-02-20 15:47 - 2011-11-02 04:01 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-02-16 17:33 - 2012-07-17 12:56 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-02-15 10:52 - 2014-02-15 10:51 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-02-15 10:00 - 2013-07-15 19:51 - 00000000 ____D () C:\Windows\System32\MRT
2014-02-15 00:25 - 2012-07-17 07:01 - 88567024 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-02-12 07:48 - 2012-02-25 00:21 - 00003908 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-02-12 07:48 - 2012-02-25 00:21 - 00003656 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-02-06 22:32 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\rescache
2014-02-06 14:40 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\System32\NDF
2014-02-06 14:38 - 2014-02-06 14:26 - 00000000 ____D () C:\Users\AMATERASU\AppData\Local\Microsoft Games
2014-02-06 04:16 - 2014-02-12 08:07 - 23170048 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-02-06 03:30 - 2014-02-12 08:07 - 02724864 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-02-06 03:30 - 2014-02-12 08:07 - 00004096 _____ (Microsoft Corporation) C:\Windows\System32\ieetwcollectorres.dll
2014-02-06 03:12 - 2014-02-12 08:07 - 02765824 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2014-02-06 03:07 - 2014-02-12 08:07 - 00066048 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2014-02-06 03:06 - 2014-02-12 08:07 - 00048640 _____ (Microsoft Corporation) C:\Windows\System32\ieetwproxystub.dll
2014-02-06 02:57 - 2014-02-12 08:07 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2014-02-06 02:56 - 2014-02-12 08:07 - 00033792 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2014-02-06 02:52 - 2014-02-12 08:07 - 00574976 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2014-02-06 02:49 - 2014-02-12 08:07 - 00139264 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2014-02-06 02:48 - 2014-02-12 08:07 - 00708608 _____ (Microsoft Corporation) C:\Windows\System32\jscript9diag.dll
2014-02-06 02:48 - 2014-02-12 08:07 - 00111616 _____ (Microsoft Corporation) C:\Windows\System32\ieetwcollector.exe
2014-02-06 02:38 - 2014-02-12 08:07 - 17103872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-02-06 02:32 - 2014-02-12 08:07 - 00218624 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2014-02-06 02:20 - 2014-02-12 08:07 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-02-06 02:17 - 2014-02-12 08:07 - 00195584 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2014-02-06 02:11 - 2014-02-12 08:07 - 05768704 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2014-02-06 02:01 - 2014-02-12 08:07 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-02-06 02:00 - 2014-02-12 08:07 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-02-06 01:57 - 2014-02-12 08:07 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-02-06 01:57 - 2014-02-12 08:07 - 00627200 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2014-02-06 01:52 - 2014-02-12 08:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-02-06 01:52 - 2014-02-12 08:07 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-02-06 01:50 - 2014-02-12 08:07 - 02041856 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2014-02-06 01:49 - 2014-02-12 08:07 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-02-06 01:47 - 2014-02-12 08:07 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-02-06 01:46 - 2014-02-12 08:07 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-02-06 01:25 - 2014-02-12 08:07 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-02-06 01:25 - 2014-02-12 08:07 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-02-06 01:24 - 2014-02-12 08:07 - 02334208 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2014-02-06 01:22 - 2014-02-12 08:07 - 13051392 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2014-02-06 01:13 - 2014-02-12 08:07 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-02-06 01:09 - 2014-02-12 08:07 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-02-06 01:03 - 2014-02-12 08:07 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-02-06 00:55 - 2014-02-12 08:07 - 01393664 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2014-02-06 00:41 - 2014-02-12 08:07 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-02-06 00:40 - 2014-02-12 08:07 - 00817664 _____ (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2014-02-06 00:36 - 2014-02-12 08:07 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-02-06 00:34 - 2014-02-12 08:07 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll

Some content of TEMP:
====================
C:\Users\AMATERASU\AppData\Local\Temp\LOCKv241.exe


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2014-02-12 08:07:02
Restore point made on: 2014-02-15 00:25:03
Restore point made on: 2014-02-18 21:04:36
Restore point made on: 2014-02-22 10:37:37
Restore point made on: 2014-02-23 12:42:54
Restore point made on: 2014-02-23 12:48:31
Restore point made on: 2014-02-23 12:49:50
Restore point made on: 2014-02-23 18:28:46
Restore point made on: 2014-02-24 12:17:15
Restore point made on: 2014-02-25 13:56:20
Restore point made on: 2014-02-26 07:36:15
Restore point made on: 2014-02-28 08:33:58
Restore point made on: 2014-03-03 17:19:22

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 3562.13 MB
Available physical RAM: 3022.55 MB
Total Pagefile: 3560.33 MB
Available Pagefile: 3006.52 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Drives ================================

Drive c: (TI106319W0D) (Fixed) (Total:449.55 GB) (Free:359.91 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (TOSHIBA EXT) (Fixed) (Total:465.76 GB) (Free:465.64 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: 60242E46)
Partition 1: (Active) - (Size=1 GB) - (Type=27)
Partition 2: (Not Active) - (Size=450 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=15 GB) - (Type=17)

========================================================
Disk: 1 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: CDC9EAA9)

Partition: GPT Partition Type.


LastRegBack: 2014-02-24 11:07

==================== End Of Log ============================



#12 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 07 March 2014 - 11:09 AM

System File Check (offline mode)

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt
  • In the command window:
  • Type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your system drive letter and system path (for example, D:\windows\) and close the notepad.
  • Enter the following command:


sfc /scannow /offbootdir=d:\ /offwindir=d:\windows


Replace the drive letter and path (shown above as d:\ and d:\windows) with the information you obtained from the last step of this tutorial.

Note: Depending on how your computer is set up, the Command Prompt, when used from outside of Windows, doesn't always assign drive letters in the same way that you see them from inside Windows. In other words, Windows might be at C:\Windows when you're using it, but D:\Windows from the Command Prompt in System Recovery Options.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)
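Added example, not part of TB-Psychotic's post: a small batch script for the System Recovery Options command prompt that finds which drive letter holds the offline Windows installation (skipping X:, which is the recovery environment's own RAM disk, as in the FRST log above) and runs the sfc command with that letter filled in. The drive-letter range scanned and the fallback of using the Windows drive for /offbootdir when no lettered drive contains bootmgr are assumptions.

```batch
@echo off
rem Added example (not from the original post): locate the offline Windows
rem installation from the System Recovery Options command prompt and run
rem SFC against it. Drive letters here can differ from what Windows shows.
setlocal
set "WINDRIVE="
set "BOOTDRIVE="
rem X: is the recovery environment's own RAM disk and is deliberately skipped;
rem it also contains a \Windows folder, so it must not be treated as the target.
for %%D in (C D E F G H I J K L M N O P Q R S T U V W) do (
    if not defined WINDRIVE if exist "%%D:\Windows\System32\config\SYSTEM" set "WINDRIVE=%%D"
    if not defined BOOTDRIVE if exist "%%D:\bootmgr" set "BOOTDRIVE=%%D"
)
if not defined WINDRIVE (
    echo No offline Windows installation found on drives C: through W:.
    exit /b 1
)
rem If the boot files live on an unlettered System Reserved partition,
rem fall back to the Windows drive, as the instructions above assume.
if not defined BOOTDRIVE set "BOOTDRIVE=%WINDRIVE%"
echo Offline Windows: %WINDRIVE%:\Windows   Boot files: %BOOTDRIVE%:\
echo Running: sfc /scannow /offbootdir=%BOOTDRIVE%:\ /offwindir=%WINDRIVE%:\Windows
sfc /scannow /offbootdir=%BOOTDRIVE%:\ /offwindir=%WINDRIVE%:\Windows
endlocal
```

Save it to a USB stick as a .cmd file, open Command Prompt from System Recovery Options, and run it from the stick's drive letter; the "Running:" line shows the exact command it will use, so it can also be typed by hand.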

#13 Antony88

Antony88
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:09:21 PM

Posted 08 March 2014 - 02:22 AM

Hey Marius,

I followed the instructions. My system drive was system (D: ) but I wasn't sure what my system path was so I put the name of the drive where your windows example was which was system. This is the message I got, I'm not sure whether this was what was supposed to happen or not, so I'll just show you part of the message I got in the command prompt so you can tell me if I did it right or wrong.

 

Microsoft Windows [Version 6.1.7601]

 

x:\sources\recovery\Tools>notepad

x:\sources\recovery\Tools>sfc/scannow/offbootdir=D:\system

Microsoft <R> Windows <R> Resource Checker

Version 6.0 Copyright <C>2006 Microsoft Corporation, All rights reserved.

Scans the integrity of all protected system files and replaces incorrect versions with correct versions

 

The last part was:

 

sfc /VERIFY ONLY

x:\sources\recovery Tools.

 

Is this what was supposed to happen? Did I do it correctly?


Edited by Antony88, 08 March 2014 - 02:22 AM.


#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:21 AM

Posted 08 March 2014 - 12:03 PM

The correct command is:

 

sfc /scannow /offbootdir=d:\ /offwindir=d:\windows

 

see the blanks:

 

after sfc

before /offbootdir and before /offwindir



#15 Antony88

Antony88
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:09:21 PM

Posted 09 March 2014 - 02:26 AM

Okay before I proceed, about the correct command, I have three questions.

 

It looks like there is a blank after sfc /scannow too, do I put a blank after scannow too?

 

Should the d:\ be lower case or upper case?

 

And am I supposed to use windows or system?

 

I just want to make sure I understand before I try it again.





