Issue with Malware - Boot Loop


This topic is locked.
26 replies to this topic

#1 ryank007 (Members, 12 posts)

Posted 03 June 2014 - 11:26 AM

Hello, let me first thank you all in advance for any help you can provide!  Now, for the meaty part...
 
My father-in-law is kicking himself for clicking on an attachment that caused his machine to become infected. The computer runs Win7 x64 Home. After the infection and subsequent reboot, Windows just constantly reboots after a glimpse of the Windows 7 boot screen. He immediately let me know, and I began my usual procedure for cleaning.
 
I took out his physical hard drive, connected via USB to a clean computer, and ran a full MBAM scan. The log came back with 5 infections: 4 separate Trojan.Agent.ED infections, and a ShopAtHome "unwanted program". I let MBAM quarantine / delete, and I re-installed the hard drive back into his tower.
 
However, Windows still would not boot. It would eventually get to the Windows Error Recovery screen after failing a couple of times, and I chose "Launch Startup Repair". The automated Startup Repair will not fix the problem, so then the "HP Recovery Manager" takes over. I was able to get to the Microsoft System Restore utility through this method, and I've tried restoring to a couple of different times (all before the infection, of course); System Restore completes successfully, but Windows still will not boot.
 
I have been able to F8 it on startup and get to Advanced Boot Options, but it will not boot into Safe Mode, either (just like a normal boot, you get a glimpse of the first driver loading, then it reboots).  I haven't tried any other options from the Advanced Boot Options.
 
I'm kind of at the end of my rope here. My father-in-law has a lot of data that would be bad to lose (related to his business), so I really don't want to do a wipe/reinstall.
 
Again, I really appreciate any help you all can provide!
 
Thanks,
Ryan

This has been reported to the experts.
Stay with us.

Edited by nasdaq, 08 June 2014 - 09:57 AM.



#2 JSntgRvr (Master Surgeon General, Malware Response Team, 10,840 posts, Puerto Rico)

Posted 08 June 2014 - 10:53 AM

Welcome.

Let's take a look.

 

Please download Farbar Recovery Scan Tool and save it to a flash drive.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
 
Plug the flash drive into the infected PC.
 
If you are using Vista or Windows 7 enter System Recovery Options.
 
To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
 
 
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
  • Select Command Prompt
 
Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 
 

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 ryank007 (Topic Starter, Members, 12 posts)

Posted 09 June 2014 - 08:50 AM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 09-06-2014 01
Ran by SYSTEM on MININT-8R6V7IF on 09-06-2014 09:47:06
Running from K:\
Platform: Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610360 2009-09-14] ()
HKLM\...\Run: [PC-Doctor for Windows localizer] => C:\Program Files\PC-Doctor for Windows\localizer.exe [95728 2009-09-16] (PC-Doctor, Inc.)
HKLM\...\Run: [LXCICATS] => C:\Windows\system32\spool\DRIVERS\x64\3\LXCItime.dll [31744 2006-11-21] (Lexmark International Inc.)
HKLM\...\Run: [lxcimon.exe] => C:\Program Files (x86)\Lexmark 7300 Series\lxcimon.exe [205744 2007-02-01] (Lexmark International, Inc.)
HKLM\...\Run: [EzPrint] => C:\Program Files (x86)\Lexmark 7300 Series\ezprint.exe [103344 2007-02-01] (Lexmark International Inc.)
HKLM\...\Run: [WrtMon.exe] => C:\Windows\system32\spool\drivers\x64\3\WrtMon.exe [20480 2006-09-20] ()
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2008-08-11] (LogMeIn, Inc.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
HKLM-x32\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Remote Solution] => C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [656896 2009-08-24] (Hewlett-Packard)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2009-10-02] (Intel Corporation)
HKLM-x32\...\Run: [LogitechQuickCamRibbon] => C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2793304 2009-10-14] ()
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-01-20] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Intuit SyncManager] => C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [3774776 2014-01-16] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-04-30] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [TkBellExe] => c:\program files (x86)\real\realplayer\Update\realsched.exe [295512 2013-12-12] (RealNetworks, Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-01-20] (Apple Inc.)
HKLM\...\RunOnce: [NCPluginUpdater] - "c:\program files (x86)\hewlett-packard\hp health check\activecheck\product_line\NCPluginUpdater.exe" Update [21720 2014-05-13] (Hewlett-Packard)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\Default\...\Run: [HPADVISOR] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1685048 2009-09-29] (Hewlett-Packard)
HKU\Default User\...\Run: [HPADVISOR] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1685048 2009-09-29] (Hewlett-Packard)
HKU\Keith\...\Run: [OfficeSyncProcess] => C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE [720064 2013-04-22] (Microsoft Corporation)
HKU\Keith\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2010-11-05] (Google Inc.)
HKU\Keith\...\Run: [Akamai NetSession Interface] => C:\Users\Keith\AppData\Local\Akamai\netsession_win.exe [4672920 2014-04-17] (Akamai Technologies, Inc.)
HKU\Keith\...\Run: [Tango] => C:\Program Files (x86)\Tango\Tango.exe [13489992 2011-11-04] (Tango Inc.)
HKU\Keith\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [20922016 2014-02-10] (Skype Technologies S.A.)
HKU\LogMeInRemoteUser\...\Run: [HPADVISOR] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1685048 2009-09-29] (Hewlett-Packard)
Startup: C:\Users\Keith\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
 
==================== Services (Whitelisted) =================
 
S2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390720 2014-04-11] (Microsoft Corporation)
S3 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [227904 2013-12-30] (WildTangent)
S2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [376144 2014-04-17] (LogMeIn, Inc.)
S2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226640 2014-04-17] (LogMeIn, Inc.)
S2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2010-11-08] (LogMeIn, Inc.)
S2 lxci_device; C:\Windows\system32\lxcicoms.exe [566192 2007-02-01] ( )
S2 lxci_device; C:\Windows\SysWOW64\lxcicoms.exe [537520 2007-02-01] ( )
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)
S2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
 
==================== Drivers (Whitelisted) ====================
 
S2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-05-28] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
S3 LVPr2M64; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-06] ()
S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-06] ()
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-24] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [15672 2011-05-11] ()
S3 PcdrNdisuio; syswow64\drivers\pcdrndisuio.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-06-09 09:46 - 2014-06-09 09:47 - 00000000 ____D () C:\FRST
2014-05-31 15:49 - 2014-06-02 06:42 - 00000000 ____D () C:\Users\Keith\AppData\Roaming\Xuudiz
2014-05-31 15:48 - 2014-05-31 15:48 - 00000000 _____ () C:\Users\Keith\AppData\Roaming\SharedSettings.ccs
2014-05-27 12:34 - 2014-05-27 12:35 - 00000000 ____D () C:\Users\Keith\Desktop\WC Exemption
2014-05-25 18:44 - 2014-05-30 07:19 - 00109056 _____ () C:\Users\Keith\Desktop\A Micah & Keith's Pools.xls
2014-05-13 23:17 - 2014-05-05 20:40 - 23544320 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-05-13 23:17 - 2014-05-05 20:17 - 02724864 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-05-13 23:17 - 2014-05-05 19:25 - 17382912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-05-13 23:17 - 2014-05-05 19:07 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-05-13 23:17 - 2014-05-05 19:00 - 00084992 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2014-05-13 23:17 - 2014-05-05 18:10 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-05-13 15:44 - 2014-05-08 22:14 - 00477184 _____ (Microsoft Corporation) C:\Windows\System32\aepdu.dll
2014-05-13 15:44 - 2014-05-08 22:11 - 00424448 _____ (Microsoft Corporation) C:\Windows\System32\aeinv.dll
2014-05-13 15:44 - 2014-03-24 18:43 - 14175744 _____ (Microsoft Corporation) C:\Windows\System32\shell32.dll
2014-05-13 15:44 - 2014-03-24 18:09 - 12874240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2014-05-13 15:43 - 2014-04-11 18:22 - 00155072 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2014-05-13 15:43 - 2014-04-11 18:22 - 00095680 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2014-05-13 15:43 - 2014-04-11 18:19 - 01460736 _____ (Microsoft Corporation) C:\Windows\System32\lsasrv.dll
2014-05-13 15:43 - 2014-04-11 18:19 - 00136192 _____ (Microsoft Corporation) C:\Windows\System32\sspicli.dll
2014-05-13 15:43 - 2014-04-11 18:19 - 00031232 _____ (Microsoft Corporation) C:\Windows\System32\lsass.exe
2014-05-13 15:43 - 2014-04-11 18:19 - 00029184 _____ (Microsoft Corporation) C:\Windows\System32\sspisrv.dll
2014-05-13 15:43 - 2014-04-11 18:19 - 00028160 _____ (Microsoft Corporation) C:\Windows\System32\secur32.dll
2014-05-13 15:43 - 2014-04-11 18:12 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-05-13 15:43 - 2014-04-11 18:10 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-05-13 15:43 - 2014-03-04 01:47 - 05550016 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2014-05-13 15:43 - 2014-03-04 01:44 - 00728064 _____ (Microsoft Corporation) C:\Windows\System32\kerberos.dll
2014-05-13 15:43 - 2014-03-04 01:44 - 00722944 _____ (Microsoft Corporation) C:\Windows\System32\objsel.dll
2014-05-13 15:43 - 2014-03-04 01:44 - 00424960 _____ (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2014-05-13 15:43 - 2014-03-04 01:44 - 00340992 _____ (Microsoft Corporation) C:\Windows\System32\schannel.dll
2014-05-13 15:43 - 2014-03-04 01:44 - 00314880 _____ (Microsoft Corporation) C:\Windows\System32\msv1_0.dll
2014-05-13 15:43 - 2014-03-04 01:44 - 00210944 _____ (Microsoft Corporation) C:\Windows\System32\wdigest.dll
2014-05-13 15:43 - 2014-03-04 01:44 - 00086528 _____ (Microsoft Corporation) C:\Windows\System32\TSpkg.dll
2014-05-13 15:43 - 2014-03-04 01:44 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\wincredprovider.dll
2014-05-13 15:43 - 2014-03-04 01:43 - 00455168 _____ (Microsoft Corporation) C:\Windows\System32\winlogon.exe
2014-05-13 15:43 - 2014-03-04 01:43 - 00057344 _____ (Microsoft Corporation) C:\Windows\System32\cngprovider.dll
2014-05-13 15:43 - 2014-03-04 01:43 - 00056832 _____ (Microsoft Corporation) C:\Windows\System32\adprovider.dll
2014-05-13 15:43 - 2014-03-04 01:43 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\capiprovider.dll
2014-05-13 15:43 - 2014-03-04 01:43 - 00052736 _____ (Microsoft Corporation) C:\Windows\System32\dpapiprovider.dll
2014-05-13 15:43 - 2014-03-04 01:43 - 00044544 _____ (Microsoft Corporation) C:\Windows\System32\dimsroam.dll
2014-05-13 15:43 - 2014-03-04 01:43 - 00022016 _____ (Microsoft Corporation) C:\Windows\System32\credssp.dll
2014-05-13 15:43 - 2014-03-04 01:20 - 03969984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2014-05-13 15:43 - 2014-03-04 01:20 - 03914176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2014-05-13 15:43 - 2014-03-04 01:17 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00538112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\objsel.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cngprovider.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00049664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adprovider.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00048128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\capiprovider.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dpapiprovider.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00036864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dimsroam.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00035328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wincredprovider.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-05-13 15:43 - 2014-03-04 01:16 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2014-05-13 12:49 - 2014-05-13 12:49 - 17352880 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
 
==================== One Month Modified Files and Folders =======
 
2014-06-09 09:47 - 2014-06-09 09:46 - 00000000 ____D () C:\FRST
2014-06-03 11:23 - 2010-04-23 20:19 - 00000000 ____D () C:\ProgramData\Recovery
2014-06-03 10:41 - 2013-11-27 12:30 - 00000000 ____D () C:\Users\Keith\AppData\Roaming\ShopAtHome
2014-06-03 10:41 - 2013-09-20 17:46 - 00000000 ____D () C:\Users\Keith\AppData\Local\Intuit
2014-06-03 10:41 - 2012-06-22 07:03 - 00000000 ____D () C:\ProgramData\Real
2014-06-03 10:41 - 2011-11-03 17:27 - 00000000 ____D () C:\Users\Keith\AppData\Local\Akamai
2014-06-03 10:41 - 2011-06-09 16:33 - 00000000 ____D () C:\Users\Keith\AppData\Roaming\Skype
2014-06-03 10:41 - 2010-11-03 16:35 - 00000000 __RHD () C:\MSOCache
2014-06-03 10:41 - 2010-04-11 16:25 - 00000000 ____D () C:\Users\Keith\AppData\Roaming\Dropbox
2014-06-03 10:41 - 2010-04-10 15:07 - 00000000 ____D () C:\Users\Keith\AppData\Local\Temp
2014-06-03 10:41 - 2010-04-10 15:07 - 00000000 ____D () C:\users\Keith
2014-06-03 10:41 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2014-06-02 06:42 - 2014-05-31 15:49 - 00000000 ____D () C:\Users\Keith\AppData\Roaming\Xuudiz
2014-05-31 15:48 - 2014-05-31 15:48 - 00000000 _____ () C:\Users\Keith\AppData\Roaming\SharedSettings.ccs
2014-05-31 15:11 - 2010-04-27 16:10 - 00000000 ____D () C:\ProgramData\LogMeIn
2014-05-30 18:14 - 2010-09-21 11:13 - 02089984 ___SH () C:\Users\Keith\Desktop\Thumbs.db
2014-05-30 07:19 - 2014-05-25 18:44 - 00109056 _____ () C:\Users\Keith\Desktop\A Micah & Keith's Pools.xls
2014-05-29 13:08 - 2014-05-06 16:59 - 00000000 ____D () C:\Users\Keith\AppData\Roaming\DropboxMaster
2014-05-27 12:35 - 2014-05-27 12:34 - 00000000 ____D () C:\Users\Keith\Desktop\WC Exemption
2014-05-27 08:53 - 2009-05-27 19:28 - 00000000 ____D () C:\Users\Keith\Desktop\INVOICES
2014-05-25 18:55 - 2010-04-10 18:38 - 00000000 ____D () C:\Users\Keith\AppData\Local\CrashDumps
2014-05-25 18:48 - 2010-09-21 19:35 - 00003980 ____H () C:\Users\Keith\Desktop\jpeggeri.dat
2014-05-23 23:48 - 2010-02-09 05:48 - 01827707 _____ () C:\Windows\WindowsUpdate.log
2014-05-23 23:33 - 2010-11-05 08:52 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-05-23 22:49 - 2012-04-09 19:46 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-05-23 21:55 - 2010-05-19 12:06 - 00003926 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{0F33C6F4-A981-4ABE-9440-B54C6DDACF6C}
2014-05-23 15:33 - 2010-11-05 08:52 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-05-23 13:51 - 2014-01-27 13:02 - 00000000 ____D () C:\Users\Keith\Desktop\Devereux Org
2014-05-23 13:51 - 2010-04-10 15:48 - 00000000 ____D () C:\Program Files\Lx_cats
2014-05-23 04:17 - 2011-10-31 22:23 - 00000000 _____ () C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2014-05-23 04:17 - 2010-04-11 12:48 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log
2014-05-22 04:09 - 2012-03-07 05:07 - 00003186 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForKeith
2014-05-22 04:09 - 2012-03-07 05:07 - 00000332 _____ () C:\Windows\Tasks\HPCeeScheduleForKeith.job
2014-05-14 21:45 - 2009-07-13 20:45 - 00015792 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-14 21:45 - 2009-07-13 20:45 - 00015792 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-14 13:46 - 2010-04-11 16:26 - 00001021 _____ () C:\Users\Keith\Desktop\Dropbox.lnk
2014-05-14 04:30 - 2013-09-07 11:37 - 00000000 ____D () C:\Users\Keith\Desktop\FL Sales Tax Receipts
2014-05-14 00:15 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\rescache
2014-05-13 23:38 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-05-13 23:37 - 2009-07-13 20:51 - 00041138 _____ () C:\Windows\setupact.log
2014-05-13 23:36 - 2010-04-11 14:46 - 00650440 _____ () C:\Windows\PFRO.log
2014-05-13 23:35 - 2014-04-29 23:00 - 00000000 ___SD () C:\Windows\System32\CompatTel
2014-05-13 23:19 - 2010-04-11 16:03 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-05-13 23:14 - 2013-08-13 23:01 - 00000000 ____D () C:\Windows\System32\MRT
2014-05-13 23:05 - 2010-04-11 15:16 - 93223848 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-05-13 12:49 - 2014-05-13 12:49 - 17352880 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2014-05-13 12:49 - 2012-04-09 19:46 - 00692400 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-05-13 12:49 - 2012-04-09 19:46 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-05-13 12:49 - 2011-05-20 10:16 - 00070832 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
 
Some content of TEMP:
====================
C:\Users\Keith\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp5cdo75.dll
C:\Users\Keith\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp7_rtzh.dll
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE Association (whitelisted) =============
 
 
==================== Restore Points  =========================
 
Restore point made on: 2014-05-08 21:45:22
Restore point made on: 2014-05-12 05:02:44
Restore point made on: 2014-05-13 23:00:49
Restore point made on: 2014-05-16 23:48:34
Restore point made on: 2014-05-20 21:41:11
Restore point made on: 2014-05-23 23:48:26
Restore point made on: 2014-05-27 21:41:01
Restore point made on: 2014-05-30 23:48:11
 
==================== Memory info =========================== 
 
Percentage of memory in use: 14%
Total physical RAM: 6007.08 MB
Available physical RAM: 5122.24 MB
Total Pagefile: 6005.23 MB
Available Pagefile: 5114.62 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB
 
==================== Drives ================================
 
Drive c: (HP) (Fixed) (Total:920.61 GB) (Free:819.85 GB) NTFS
Drive e: (FACTORY_IMAGE) (Fixed) (Total:10.8 GB) (Free:1.57 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive k: () (Removable) (Total:1.87 GB) (Free:1.87 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.08 GB) (Free:0.07 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 932 GB) (Disk ID: 1549F232)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=921 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=11 GB) - (Type=07 NTFS)
 
========================================================
Disk: 5 (Size: 2 GB) (Disk ID: 69737369)
No partition Table on disk 5.
 
 
LastRegBack: 2014-05-28 20:58
 
==================== End Of Log ============================
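A way to triage a log like the one above mechanically, as an added example that is not part of this thread and not FRST's own code: the script splits FRST.txt into its sections and pulls out the items an analyst looks at first, namely autoruns, services and drivers whose image is missing (`[X]` or `No ImagePath`) or whose executable carries no company name (the empty `()` publisher field FRST prints), plus anything created under a user's AppData in the days leading up to the incident. The line formats are reconstructed from the log posted here; the incident date and the four-day look-back are arbitrary analyst choices, and the sample input is a constructed excerpt of the log above. A hit is a review queue, not a verdict: the helper judged this log clean, and the old Lexmark service it flags is the kind of legitimate unsigned-looking binary that shows up on any HP consumer box.

```python
"""Triage helpers for a Farbar Recovery Scan Tool (FRST.txt) log.

Added example: not part of the BleepingComputer thread and not FRST code.
The line formats below are reconstructed from the log posted in this thread;
the incident date and look-back window passed to triage() are analyst choices.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a few lines excerpted from the FRST.txt posted above.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610360 2009-09-14] ()
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)

==================== Services (Whitelisted) =================

S2 lxci_device; C:\Windows\system32\lxcicoms.exe [566192 2007-02-01] ( )
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S4 LMIRfsClientNP; No ImagePath
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-24] (Microsoft Corporation)
S3 PcdrNdisuio; syswow64\drivers\pcdrndisuio.sys [X]

==================== One Month Created Files and Folders ========

2014-06-09 09:46 - 2014-06-09 09:47 - 00000000 ____D () C:\FRST
2014-05-31 15:49 - 2014-06-02 06:42 - 00000000 ____D () C:\Users\Keith\AppData\Roaming\Xuudiz
2014-05-31 15:48 - 2014-05-31 15:48 - 00000000 _____ () C:\Users\Keith\AppData\Roaming\SharedSettings.ccs
2014-05-27 12:34 - 2014-05-27 12:35 - 00000000 ____D () C:\Users\Keith\Desktop\WC Exemption
2014-05-13 23:17 - 2014-05-05 20:40 - 23544320 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+\s*$")
# "[size yyyy-mm-dd] (Company)" tail FRST prints after every image path
TAIL_RE = re.compile(r"\[\d+ \d{4}-\d{2}-\d{2}\] \((?P<pub>[^)]*)\)\s*$")
AUTORUN_RE = re.compile(r"^HK[^:]+: \[(?P<name>[^\]]*)\] (?:=>|-) (?P<rest>.*)$")
SERVICE_RE = re.compile(r"^[SR]\d (?P<name>[^;]+); (?P<rest>.*)$")
FILE_RE = re.compile(
    r"^(?P<first>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"\d+ \S{5} \((?P<pub>[^)]*)\) (?P<path>.+)$")


def split_sections(text):
    """Map FRST section name ('Registry', 'Services', ...) to its non-blank lines."""
    sections, current = {}, "Header"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).split(" (")[0].strip()
            sections.setdefault(current, [])
        elif line.strip():
            sections.setdefault(current, []).append(line.rstrip())
    return sections


def _image_issue(rest):
    """Classify the text after '=>' or ';': missing file, no company name, or None."""
    if rest == "[X]" or rest.endswith(" [X]") or rest == "No ImagePath":
        return "missing image"
    t = TAIL_RE.search(rest)
    if t and not t.group("pub").strip():
        return "no publisher"
    return None


def _findings(lines, pattern):
    out = []
    for line in lines:
        m = pattern.match(line)
        if m:
            issue = _image_issue(m.group("rest"))
            if issue:
                out.append((m.group("name"), issue))
    return out


def recent_profile_items(lines, incident, lookback_days):
    """Entries created under a user's AppData between incident-lookback and end of incident day."""
    start, end = incident - timedelta(days=lookback_days), incident + timedelta(days=1)
    out = []
    for line in lines:
        m = FILE_RE.match(line)
        if not m:
            continue
        created = datetime.strptime(m.group("first"), "%Y-%m-%d %H:%M")
        if start <= created < end and "\\AppData\\" in m.group("path"):
            out.append(m.group("path"))
    return out


def triage(text, incident="2014-06-03", lookback_days=4):
    """incident: day the box stopped booting (assumed from post #1). Returns review queues."""
    s = split_sections(text)
    when = datetime.strptime(incident, "%Y-%m-%d")
    return {
        "autoruns": _findings(s.get("Registry", []), AUTORUN_RE),
        "services": _findings(s.get("Services", []) + s.get("Drivers", []), SERVICE_RE),
        "recent_profile_items": recent_profile_items(
            s.get("One Month Created Files and Folders", []), when, lookback_days),
    }


if __name__ == "__main__":
    for queue, items in triage(SAMPLE_LOG).items():
        print(queue, items)
```

Feed it the full FRST.txt instead of the excerpt and the AppData window is what surfaces the randomly named Roaming folder and the `.ccs` file from 31 May; whether those matter is a manual call, which is why the output is a queue and not a fixlist.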


#4 JSntgRvr (Master Surgeon General, Malware Response Team, 10,840 posts, Puerto Rico)

Posted 09 June 2014 - 11:58 AM

There is no sign of infection. Let's recover the registry as of May 28, 2014.

Download the enclosed file.

Save it in the same location FRST64 was saved.

Run FRST64 in the Recovery Console and click on the Fix button.

The tool will make a log in the same location FRST64 is saved (Fixlog.txt), Please post it to your reply.

 

Attempt to boot in Normal Mode and let me know the outcome.
 




#5 ryank007 (Topic Starter, Members, 12 posts)

Posted 09 June 2014 - 12:05 PM

Still not booting. Same boot loop as described in 1st post.
 
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-06-2014 01
Ran by SYSTEM at 2014-06-09 13:00:55 Run:1
Running from K:\
Boot Mode: Recovery
==============================================
 
Content of fixlist:
*****************
Start
LastRegBack: 2014-05-28 20:58
End
 
 
 
 
 
 
 
*****************
 
DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.
 
==== End of Fixlog ====
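What that Fixlog records, as an added example that is not FRST's code and not from the thread: the LastRegBack fix copies each live hive in Windows\System32\config to config\HiveBackup and then overwrites it with the copy Windows keeps in config\RegBack (on Windows 7 the RegIdleBackup scheduled task refreshes those copies; the LastRegBack date in the FRST log is their timestamp). The Python below performs the same rollback against an offline Windows volume mounted on a clean machine, the way the poster had the drive attached over USB. `config_dir`, the fixture directory and the fake hive contents are assumptions for the demonstration.

```python
r"""Offline rollback of the Windows registry hives from System32\config\RegBack.

Added example: this is not FRST's code and not from the thread. It models what the
Fixlog above records (live hive -> config\HiveBackup, RegBack copy -> live hive).
Assumptions: the infected volume is mounted read-write on a clean machine and
config_dir points at its Windows\System32\config; the fixture hives are fake.
"""
import shutil
import tempfile
from pathlib import Path

# The hives the LastRegBack fix rolled back; user hives (NTUSER.DAT) are left alone.
HIVES = ("DEFAULT", "SAM", "SECURITY", "SOFTWARE", "SYSTEM")


def plan_restore(config_dir):
    """Validate RegBack and return [(hive, source, destination)] without touching anything."""
    config = Path(config_dir)
    plan = []
    for hive in HIVES:
        src = config / "RegBack" / hive
        # Windows 10 1803+ leaves these as 0-byte files unless periodic backup is enabled;
        # copying an empty SYSTEM or SOFTWARE hive over the live one guarantees a non-boot.
        if not src.is_file() or src.stat().st_size == 0:
            raise RuntimeError(f"{src} is missing or empty; RegBack is unusable on this volume")
        plan.append((hive, src, config / hive))
    return plan


def restore_hives(config_dir, dry_run=True):
    """Apply the plan: save each live hive to HiveBackup, then overwrite it from RegBack."""
    plan = plan_restore(config_dir)
    if dry_run:
        return plan
    backup = Path(config_dir) / "HiveBackup"
    backup.mkdir(exist_ok=True)
    for hive, src, dst in plan:
        if dst.exists():
            shutil.copy2(dst, backup / hive)   # keeps the step reversible
        shutil.copy2(src, dst)                 # copy2 preserves timestamps for timeline work
    return plan


def build_fixture(root):
    """Constructed stand-in for Windows\\System32\\config with tiny fake hives."""
    config = Path(root) / "Windows" / "System32" / "config"
    (config / "RegBack").mkdir(parents=True)
    for hive in HIVES:
        (config / hive).write_bytes(b"live-" + hive.encode())
        (config / "RegBack" / hive).write_bytes(b"regback-" + hive.encode())
    return config


def demo():
    """Run the rollback on the fixture and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        config = build_fixture(tmp)
        planned = [hive for hive, _, _ in restore_hives(config, dry_run=True)]
        untouched_after_dry_run = (config / "SYSTEM").read_bytes()
        restore_hives(config, dry_run=False)
        result = {
            "planned": planned,
            "untouched_after_dry_run": untouched_after_dry_run,
            "system_now": (config / "SYSTEM").read_bytes(),
            "system_saved": (config / "HiveBackup" / "SYSTEM").read_bytes(),
        }
        (config / "RegBack" / "SAM").write_bytes(b"")   # simulate an empty RegBack hive
        try:
            plan_restore(config)
            result["empty_rejected"] = False
        except RuntimeError:
            result["empty_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The dry run returns the plan without writing anything, and the whole plan is refused if any RegBack hive is missing or empty rather than restoring the others. Two caveats a practitioner wants before running this for real: it rolls the machine's configuration back to the RegBack timestamp, so anything installed or changed after that date is lost even though user data is untouched; and, as post #5 shows, a hive rollback only helps when the boot failure lives in the registry, which it did not here.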


#6 JSntgRvr (Master Surgeon General, Malware Response Team, 10,840 posts, Puerto Rico)

Posted 09 June 2014 - 12:12 PM

Does it give you a blue screen error?

 

Re-scan with FRST64 and post the new FRST.txt log.




#7 ryank007 (Topic Starter, Members, 12 posts)

Posted 09 June 2014 - 01:49 PM

It does not give me a blue screen error. It just simply reboots.

 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 09-06-2014 01
Ran by SYSTEM on MININT-STT4J1I on 09-06-2014 14:46:59
Running from K:\
Platform: Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610360 2009-09-14] ()
HKLM\...\Run: [PC-Doctor for Windows localizer] => C:\Program Files\PC-Doctor for Windows\localizer.exe [95728 2009-09-16] (PC-Doctor, Inc.)
HKLM\...\Run: [LXCICATS] => C:\Windows\system32\spool\DRIVERS\x64\3\LXCItime.dll [31744 2006-11-21] (Lexmark International Inc.)
HKLM\...\Run: [lxcimon.exe] => C:\Program Files (x86)\Lexmark 7300 Series\lxcimon.exe [205744 2007-02-01] (Lexmark International, Inc.)
HKLM\...\Run: [EzPrint] => C:\Program Files (x86)\Lexmark 7300 Series\ezprint.exe [103344 2007-02-01] (Lexmark International Inc.)
HKLM\...\Run: [WrtMon.exe] => C:\Windows\system32\spool\drivers\x64\3\WrtMon.exe [20480 2006-09-20] ()
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2008-08-11] (LogMeIn, Inc.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
HKLM-x32\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Remote Solution] => C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [656896 2009-08-24] (Hewlett-Packard)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2009-10-02] (Intel Corporation)
HKLM-x32\...\Run: [LogitechQuickCamRibbon] => C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2793304 2009-10-14] ()
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-01-20] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Intuit SyncManager] => C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [3774776 2014-01-16] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-04-30] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [TkBellExe] => c:\program files (x86)\real\realplayer\Update\realsched.exe [295512 2013-12-12] (RealNetworks, Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-01-20] (Apple Inc.)
HKLM\...\RunOnce: [NCPluginUpdater] - "c:\program files (x86)\hewlett-packard\hp health check\activecheck\product_line\NCPluginUpdater.exe" Update [21720 2014-05-13] (Hewlett-Packard)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\Default\...\Run: [HPADVISOR] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1685048 2009-09-29] (Hewlett-Packard)
HKU\Default User\...\Run: [HPADVISOR] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1685048 2009-09-29] (Hewlett-Packard)
HKU\Keith\...\Run: [OfficeSyncProcess] => C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE [720064 2013-04-22] (Microsoft Corporation)
HKU\Keith\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2010-11-05] (Google Inc.)
HKU\Keith\...\Run: [Akamai NetSession Interface] => C:\Users\Keith\AppData\Local\Akamai\netsession_win.exe [4672920 2014-04-17] (Akamai Technologies, Inc.)
HKU\Keith\...\Run: [Tango] => C:\Program Files (x86)\Tango\Tango.exe [13489992 2011-11-04] (Tango Inc.)
HKU\Keith\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [20922016 2014-02-10] (Skype Technologies S.A.)
HKU\LogMeInRemoteUser\...\Run: [HPADVISOR] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1685048 2009-09-29] (Hewlett-Packard)
Startup: C:\Users\Keith\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
 
==================== Services (Whitelisted) =================
 
S2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390720 2014-04-11] (Microsoft Corporation)
S3 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [227904 2013-12-30] (WildTangent)
S2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [376144 2014-04-17] (LogMeIn, Inc.)
S2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226640 2014-04-17] (LogMeIn, Inc.)
S2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2010-11-08] (LogMeIn, Inc.)
S2 lxci_device; C:\Windows\system32\lxcicoms.exe [566192 2007-02-01] ( )
S2 lxci_device; C:\Windows\SysWOW64\lxcicoms.exe [537520 2007-02-01] ( )
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)
S2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
 
==================== Drivers (Whitelisted) ====================
 
S2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-05-28] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
S3 LVPr2M64; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-06] ()
S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-06] ()
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-24] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [15672 2011-05-11] ()
S3 PcdrNdisuio; syswow64\drivers\pcdrndisuio.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-06-09 13:00 - 2014-06-09 13:00 - 00000000 ____D () C:\Windows\System32\config\HiveBackup
2014-06-09 09:46 - 2014-06-09 14:46 - 00000000 ____D () C:\FRST
2014-05-31 15:49 - 2014-06-02 06:42 - 00000000 ____D () C:\Users\Keith\AppData\Roaming\Xuudiz
2014-05-31 15:48 - 2014-05-31 15:48 - 00000000 _____ () C:\Users\Keith\AppData\Roaming\SharedSettings.ccs
2014-05-27 12:34 - 2014-05-27 12:35 - 00000000 ____D () C:\Users\Keith\Desktop\WC Exemption
2014-05-25 18:44 - 2014-05-30 07:19 - 00109056 _____ () C:\Users\Keith\Desktop\A Micah & Keith's Pools.xls
2014-05-13 23:17 - 2014-05-05 20:40 - 23544320 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-05-13 23:17 - 2014-05-05 20:17 - 02724864 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-05-13 23:17 - 2014-05-05 19:25 - 17382912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-05-13 23:17 - 2014-05-05 19:07 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-05-13 23:17 - 2014-05-05 19:00 - 00084992 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2014-05-13 23:17 - 2014-05-05 18:10 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-05-13 15:44 - 2014-05-08 22:14 - 00477184 _____ (Microsoft Corporation) C:\Windows\System32\aepdu.dll
2014-05-13 15:44 - 2014-05-08 22:11 - 00424448 _____ (Microsoft Corporation) C:\Windows\System32\aeinv.dll
2014-05-13 15:44 - 2014-03-24 18:43 - 14175744 _____ (Microsoft Corporation) C:\Windows\System32\shell32.dll
2014-05-13 15:44 - 2014-03-24 18:09 - 12874240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2014-05-13 15:43 - 2014-04-11 18:22 - 00155072 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2014-05-13 15:43 - 2014-04-11 18:22 - 00095680 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2014-05-13 15:43 - 2014-04-11 18:19 - 01460736 _____ (Microsoft Corporation) C:\Windows\System32\lsasrv.dll
2014-05-13 15:43 - 2014-04-11 18:19 - 00136192 _____ (Microsoft Corporation) C:\Windows\System32\sspicli.dll
2014-05-13 15:43 - 2014-04-11 18:19 - 00031232 _____ (Microsoft Corporation) C:\Windows\System32\lsass.exe
2014-05-13 15:43 - 2014-04-11 18:19 - 00029184 _____ (Microsoft Corporation) C:\Windows\System32\sspisrv.dll
2014-05-13 15:43 - 2014-04-11 18:19 - 00028160 _____ (Microsoft Corporation) C:\Windows\System32\secur32.dll
2014-05-13 15:43 - 2014-04-11 18:12 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-05-13 15:43 - 2014-04-11 18:10 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-05-13 15:43 - 2014-03-04 01:47 - 05550016 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2014-05-13 15:43 - 2014-03-04 01:44 - 00728064 _____ (Microsoft Corporation) C:\Windows\System32\kerberos.dll
2014-05-13 15:43 - 2014-03-04 01:44 - 00722944 _____ (Microsoft Corporation) C:\Windows\System32\objsel.dll
2014-05-13 15:43 - 2014-03-04 01:44 - 00424960 _____ (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2014-05-13 15:43 - 2014-03-04 01:44 - 00340992 _____ (Microsoft Corporation) C:\Windows\System32\schannel.dll
2014-05-13 15:43 - 2014-03-04 01:44 - 00314880 _____ (Microsoft Corporation) C:\Windows\System32\msv1_0.dll
2014-05-13 15:43 - 2014-03-04 01:44 - 00210944 _____ (Microsoft Corporation) C:\Windows\System32\wdigest.dll
2014-05-13 15:43 - 2014-03-04 01:44 - 00086528 _____ (Microsoft Corporation) C:\Windows\System32\TSpkg.dll
2014-05-13 15:43 - 2014-03-04 01:44 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\wincredprovider.dll
2014-05-13 15:43 - 2014-03-04 01:43 - 00455168 _____ (Microsoft Corporation) C:\Windows\System32\winlogon.exe
2014-05-13 15:43 - 2014-03-04 01:43 - 00057344 _____ (Microsoft Corporation) C:\Windows\System32\cngprovider.dll
2014-05-13 15:43 - 2014-03-04 01:43 - 00056832 _____ (Microsoft Corporation) C:\Windows\System32\adprovider.dll
2014-05-13 15:43 - 2014-03-04 01:43 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\capiprovider.dll
2014-05-13 15:43 - 2014-03-04 01:43 - 00052736 _____ (Microsoft Corporation) C:\Windows\System32\dpapiprovider.dll
2014-05-13 15:43 - 2014-03-04 01:43 - 00044544 _____ (Microsoft Corporation) C:\Windows\System32\dimsroam.dll
2014-05-13 15:43 - 2014-03-04 01:43 - 00022016 _____ (Microsoft Corporation) C:\Windows\System32\credssp.dll
2014-05-13 15:43 - 2014-03-04 01:20 - 03969984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2014-05-13 15:43 - 2014-03-04 01:20 - 03914176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2014-05-13 15:43 - 2014-03-04 01:17 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00538112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\objsel.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cngprovider.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00049664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adprovider.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00048128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\capiprovider.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dpapiprovider.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00036864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dimsroam.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00035328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wincredprovider.dll
2014-05-13 15:43 - 2014-03-04 01:17 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-05-13 15:43 - 2014-03-04 01:16 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2014-05-13 12:49 - 2014-05-13 12:49 - 17352880 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
 
==================== One Month Modified Files and Folders =======
 
2014-06-09 14:46 - 2014-06-09 09:46 - 00000000 ____D () C:\FRST
2014-06-09 13:00 - 2014-06-09 13:00 - 00000000 ____D () C:\Windows\System32\config\HiveBackup
2014-06-03 11:23 - 2010-04-23 20:19 - 00000000 ____D () C:\ProgramData\Recovery
2014-06-03 10:41 - 2013-11-27 12:30 - 00000000 ____D () C:\Users\Keith\AppData\Roaming\ShopAtHome
2014-06-03 10:41 - 2013-09-20 17:46 - 00000000 ____D () C:\Users\Keith\AppData\Local\Intuit
2014-06-03 10:41 - 2012-06-22 07:03 - 00000000 ____D () C:\ProgramData\Real
2014-06-03 10:41 - 2011-11-03 17:27 - 00000000 ____D () C:\Users\Keith\AppData\Local\Akamai
2014-06-03 10:41 - 2011-06-09 16:33 - 00000000 ____D () C:\Users\Keith\AppData\Roaming\Skype
2014-06-03 10:41 - 2010-11-03 16:35 - 00000000 __RHD () C:\MSOCache
2014-06-03 10:41 - 2010-04-11 16:25 - 00000000 ____D () C:\Users\Keith\AppData\Roaming\Dropbox
2014-06-03 10:41 - 2010-04-10 15:07 - 00000000 ____D () C:\Users\Keith\AppData\Local\Temp
2014-06-03 10:41 - 2010-04-10 15:07 - 00000000 ____D () C:\users\Keith
2014-06-03 10:41 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2014-06-02 06:42 - 2014-05-31 15:49 - 00000000 ____D () C:\Users\Keith\AppData\Roaming\Xuudiz
2014-05-31 15:48 - 2014-05-31 15:48 - 00000000 _____ () C:\Users\Keith\AppData\Roaming\SharedSettings.ccs
2014-05-31 15:11 - 2010-04-27 16:10 - 00000000 ____D () C:\ProgramData\LogMeIn
2014-05-30 18:14 - 2010-09-21 11:13 - 02089984 ___SH () C:\Users\Keith\Desktop\Thumbs.db
2014-05-30 07:19 - 2014-05-25 18:44 - 00109056 _____ () C:\Users\Keith\Desktop\A Micah & Keith's Pools.xls
2014-05-29 13:08 - 2014-05-06 16:59 - 00000000 ____D () C:\Users\Keith\AppData\Roaming\DropboxMaster
2014-05-27 12:35 - 2014-05-27 12:34 - 00000000 ____D () C:\Users\Keith\Desktop\WC Exemption
2014-05-27 08:53 - 2009-05-27 19:28 - 00000000 ____D () C:\Users\Keith\Desktop\INVOICES
2014-05-25 18:55 - 2010-04-10 18:38 - 00000000 ____D () C:\Users\Keith\AppData\Local\CrashDumps
2014-05-25 18:48 - 2010-09-21 19:35 - 00003980 ____H () C:\Users\Keith\Desktop\jpeggeri.dat
2014-05-23 23:48 - 2010-02-09 05:48 - 01827707 _____ () C:\Windows\WindowsUpdate.log
2014-05-23 23:33 - 2010-11-05 08:52 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-05-23 22:49 - 2012-04-09 19:46 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-05-23 21:55 - 2010-05-19 12:06 - 00003926 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{0F33C6F4-A981-4ABE-9440-B54C6DDACF6C}
2014-05-23 15:33 - 2010-11-05 08:52 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-05-23 13:51 - 2014-01-27 13:02 - 00000000 ____D () C:\Users\Keith\Desktop\Devereux Org
2014-05-23 13:51 - 2010-04-10 15:48 - 00000000 ____D () C:\Program Files\Lx_cats
2014-05-23 04:17 - 2011-10-31 22:23 - 00000000 _____ () C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2014-05-23 04:17 - 2010-04-11 12:48 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log
2014-05-22 04:09 - 2012-03-07 05:07 - 00003186 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForKeith
2014-05-22 04:09 - 2012-03-07 05:07 - 00000332 _____ () C:\Windows\Tasks\HPCeeScheduleForKeith.job
2014-05-14 21:45 - 2009-07-13 20:45 - 00015792 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-14 21:45 - 2009-07-13 20:45 - 00015792 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-14 13:46 - 2010-04-11 16:26 - 00001021 _____ () C:\Users\Keith\Desktop\Dropbox.lnk
2014-05-14 04:30 - 2013-09-07 11:37 - 00000000 ____D () C:\Users\Keith\Desktop\FL Sales Tax Receipts
2014-05-14 00:15 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\rescache
2014-05-13 23:38 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-05-13 23:37 - 2009-07-13 20:51 - 00041138 _____ () C:\Windows\setupact.log
2014-05-13 23:36 - 2010-04-11 14:46 - 00650440 _____ () C:\Windows\PFRO.log
2014-05-13 23:35 - 2014-04-29 23:00 - 00000000 ___SD () C:\Windows\System32\CompatTel
2014-05-13 23:19 - 2010-04-11 16:03 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-05-13 23:14 - 2013-08-13 23:01 - 00000000 ____D () C:\Windows\System32\MRT
2014-05-13 23:05 - 2010-04-11 15:16 - 93223848 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-05-13 12:49 - 2014-05-13 12:49 - 17352880 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2014-05-13 12:49 - 2012-04-09 19:46 - 00692400 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-05-13 12:49 - 2012-04-09 19:46 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-05-13 12:49 - 2011-05-20 10:16 - 00070832 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
 
Some content of TEMP:
====================
C:\Users\Keith\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp5cdo75.dll
C:\Users\Keith\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp7_rtzh.dll
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE Association (whitelisted) =============
 
 
==================== Restore Points  =========================
 
Restore point made on: 2014-05-08 21:45:22
Restore point made on: 2014-05-12 05:02:44
Restore point made on: 2014-05-13 23:00:49
Restore point made on: 2014-05-16 23:48:34
Restore point made on: 2014-05-20 21:41:11
Restore point made on: 2014-05-23 23:48:26
Restore point made on: 2014-05-27 21:41:01
Restore point made on: 2014-05-30 23:48:11
 
==================== Memory info =========================== 
 
Percentage of memory in use: 14%
Total physical RAM: 6007.08 MB
Available physical RAM: 5120.73 MB
Total Pagefile: 6005.23 MB
Available Pagefile: 5103.01 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB
 
==================== Drives ================================
 
Drive c: (HP) (Fixed) (Total:920.61 GB) (Free:819.75 GB) NTFS
Drive e: (FACTORY_IMAGE) (Fixed) (Total:10.8 GB) (Free:1.57 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive k: () (Removable) (Total:1.87 GB) (Free:1.87 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.08 GB) (Free:0.07 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 932 GB) (Disk ID: 1549F232)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=921 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=11 GB) - (Type=07 NTFS)
 
========================================================
Disk: 5 (Size: 2 GB) (Disk ID: 69737369)
No partition Table on disk 5.
 
 
LastRegBack: 2014-05-28 20:58
 
==================== End Of Log ============================


#8 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 10,840 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 09 June 2014 - 06:03 PM

Let's check other areas of the boot process.

Download the enclosed file.

Save it in the same location FRST64 was saved.

Run FRST64 in the Recovery Console and click on the Fix button.

The tool will make a log in the same location FRST64 is saved (Fixlog.txt). Please post it in your reply.


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 ryank007
  • Topic Starter
  • Members
  • 12 posts

Posted 09 June 2014 - 09:05 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-06-2014 01
Ran by SYSTEM at 2014-06-09 22:02:15 Run:2
Running from K:\
Boot Mode: Recovery
==============================================
 
Content of fixlist:
*****************
Start
Startup: C:\Users\Keith\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
C:\Users\Keith\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp5cdo75.dll
C:\Users\Keith\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp7_rtzh.dll
Folder: C:\Users\Keith\AppData\Roaming\Xuudiz
CMD: bcdedit /enum all /v
SaveMBR: Drive=0
Search: Winload.exe;ntoskrnl.exe;hall.dll
End
*****************
 
C:\Users\Keith\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk => Moved successfully.
ShortcutTarget: Dropbox.lnk ->  (No File) not found.
C:\Users\Keith\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp5cdo75.dll => Moved successfully.
C:\Users\Keith\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp7_rtzh.dll => Moved successfully.
 
========================= Folder: C:\Users\Keith\AppData\Roaming\Xuudiz ========================
 
 
====== End of Folder: ======
 
 
=========  bcdedit /enum all /v =========
 
 
Windows Boot Manager
--------------------
identifier              {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device                  partition=Y:
description             Windows Boot Manager
locale                  en-US
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
extendedinput           Yes
default                 {1a337048-122f-11df-91dd-406186921a40}
resumeobject            {1a337047-122f-11df-91dd-406186921a40}
displayorder            {1a337048-122f-11df-91dd-406186921a40}
toolsdisplayorder       {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout                 30
customactions           0x1000085000001
                        0x5400000f
custom:5400000f         {1a33704b-122f-11df-91dd-406186921a40}
 
Windows Boot Loader
-------------------
identifier              {1a337048-122f-11df-91dd-406186921a40}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence        {1a33704b-122f-11df-91dd-406186921a40}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {1a337047-122f-11df-91dd-406186921a40}
nx                      OptIn
 
Windows Boot Loader
-------------------
identifier              {1a33704b-122f-11df-91dd-406186921a40}
device                  ramdisk=[E:]\Recovery\WindowsRE\Winre.wim,{1a33704c-122f-11df-91dd-406186921a40}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice                ramdisk=[E:]\Recovery\WindowsRE\Winre.wim,{1a33704c-122f-11df-91dd-406186921a40}
systemroot              \windows
nx                      OptIn
winpe                   Yes
custom:46000010         Yes
 
Resume from Hibernate
---------------------
identifier              {1a337047-122f-11df-91dd-406186921a40}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No
 
Windows Memory Tester
---------------------
identifier              {b2721d73-1db4-4c62-bf78-c548a880142d}
device                  partition=Y:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess         Yes
 
EMS Settings
------------
identifier              {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems                 Yes
 
Debugger Settings
-----------------
identifier              {4636856e-540f-4170-a130-a84776f4c654}
debugtype               Serial
debugport               1
baudrate                115200
 
RAM Defects
-----------
identifier              {5189b25c-5558-4bf2-bca4-289b11bd29e2}
 
Global Settings
---------------
identifier              {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit                 {4636856e-540f-4170-a130-a84776f4c654}
                        {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
                        {5189b25c-5558-4bf2-bca4-289b11bd29e2}
 
Boot Loader Settings
--------------------
identifier              {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
                        {7ff607e0-4395-11db-b0de-0800200c9a66}
 
Hypervisor Settings
-------------------
identifier              {7ff607e0-4395-11db-b0de-0800200c9a66}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200
 
Resume Loader Settings
----------------------
identifier              {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
 
Device options
--------------
identifier              {1a33704c-122f-11df-91dd-406186921a40}
description             Ramdisk Options
ramdisksdidevice        partition=E:
ramdisksdipath          \Recovery\WindowsRE\boot.sdi
 
========= End of CMD: =========
 
MBRDUMP.txt is made successfully.
 
==== End of Fixlog ====


#10 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 10,840 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 09 June 2014 - 09:55 PM

Please attach the MBRDUMP.txt file that appears in the same location FRST64 is saved (do not copy and paste, as the file is a hex file).

 

Type the following in the edit box on FRST64, after "Search:".
 
 Winload.exe;ntoskrnl.exe;hall.dll
 
It then should look like:
 
 Search: Winload.exe;ntoskrnl.exe;hall.dll
 
Click the Search button and post the log (Search.txt) it makes in the location FRST is saved in your next reply.



#11 ryank007
  • Topic Starter
  • Members
  • 12 posts

Posted 09 June 2014 - 10:13 PM

After typing Winload.exe;ntoskrnl.exe;hall.dll into the Search: bar, do I click on "Scan", "Search Files", or "Search Registry"?



#12 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 10,840 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 09 June 2014 - 10:15 PM

Search Files.




#13 ryank007
  • Topic Starter
  • Members
  • 12 posts

Posted 09 June 2014 - 10:23 PM

Farbar Recovery Scan Tool (x64) Version: 09-06-2014 01
Ran by SYSTEM at 2014-06-09 23:16:15
Running from K:\
Boot Mode: Recovery
 
================== Search Files: "Winload.exe;ntoskrnl.exe;hall.dll" =============
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22616_none_6ec352232b81178c\ntoskrnl.exe
[2014-05-13 15:43] - [2014-03-04 02:42] - 3918784 ____A (Microsoft Corporation) A3EBCBBE7EFF3F736ADC532A6C73E775
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22436_none_6eadae7f2b915520\ntoskrnl.exe
[2013-10-09 05:41] - [2013-08-28 17:58] - 3918272 ____A (Microsoft Corporation) 998141EB656327F13B8EEC01BAADC5D4
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22411_none_6ebe4ce52b859e8b\ntoskrnl.exe
[2013-09-11 06:16] - [2013-08-01 21:58] - 3918272 ____A (Microsoft Corporation) BE61C925CC1A1340840EFF07A5911612
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22379_none_6e856dc72baf13c2\ntoskrnl.exe
[2013-08-13 15:46] - [2013-07-07 21:08] - 3918272 ____A (Microsoft Corporation) 49248651E41EE81D4C1FFDE28FDC096C
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22280_none_6e71995b2bbf4e7d\ntoskrnl.exe
[2013-04-10 11:31] - [2013-03-18 20:41] - 3916632 ____A (Microsoft Corporation) 80A652978002318C9723D43CFA618816
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22210_none_6ebd48cf2b868ae6\ntoskrnl.exe
[2013-02-12 20:08] - [2013-01-04 20:49] - 3916648 ____A (Microsoft Corporation) 2E083C7D9CA98B63FA8F8062874E9327
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22103_none_6ecb17b32b7bbdd3\ntoskrnl.exe
[2012-10-09 16:57] - [2012-08-30 09:06] - 3917168 ____A (Microsoft Corporation) 5355A85D26EECFA3A68B1F55B0C59A20
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.21987_none_6e78bf732bb8d24e\ntoskrnl.exe
[2012-06-12 15:39] - [2012-05-04 02:03] - 3916656 ____A (Microsoft Corporation) A37A39568C8EC9A17D1B7471445B81A8
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.21955_none_6e972ea32ba24bcd\ntoskrnl.exe
[2012-05-11 08:26] - [2012-03-30 20:37] - 3916656 ____A (Microsoft Corporation) 2E02A17E8965AD671E4987E503AD38B1
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.21936_none_6eadcec52b912d42\ntoskrnl.exe
[2012-04-10 23:06] - [2012-03-05 21:41] - 3916656 ____A (Microsoft Corporation) 57B7DE30C4E65AD19CA13AC3065EE60B
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.21863_none_6e8a5c3d2bac37e9\ntoskrnl.exe
[2012-03-13 23:05] - [2011-11-19 03:11] - 3916656 ____A (Microsoft Corporation) 00B12EA93ED392FBD09F07B63E926647
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.21755_none_6e972ad72ba2517f\ntoskrnl.exe
[2011-08-09 20:27] - [2011-06-22 21:55] - 3912576 ____A (Microsoft Corporation) 90EFDB506F6140EEA9DEE398D9449D86
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.21701_none_6ec9394b2b7d606e\ntoskrnl.exe
[2011-05-11 05:25] - [2011-04-08 22:01] - 3912576 ____A (Microsoft Corporation) D385343510B75545EC5DB3A64C2D2492
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.18409_none_6e47843c1258aaaf\ntoskrnl.exe
[2014-05-13 15:43] - [2014-03-04 01:20] - 3914176 ____A (Microsoft Corporation) 31FA2485DFC773F1E718A4D19F443FA9
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.18247_none_6e1a402c127aed77\ntoskrnl.exe
[2013-10-09 05:41] - [2013-08-28 17:51] - 3914176 ____A (Microsoft Corporation) 813A7F5A2D6D366EB3FFB643B851BCE5
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.18229_none_6e31e0981268e843\ntoskrnl.exe
[2013-09-11 06:16] - [2013-08-01 17:59] - 3913664 ____A (Microsoft Corporation) 5D0325AEF9DE48330908EC2E2DB0359F
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.18205_none_6e437f48125c4b05\ntoskrnl.exe
[2013-08-13 15:46] - [2013-07-08 21:03] - 3913664 ____A (Microsoft Corporation) 9FA7BF625122CCAC90FCD307174D8CF3
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.18113_none_6e36ace212663721\ntoskrnl.exe
[2013-04-10 11:31] - [2013-03-18 21:04] - 3913560 ____A (Microsoft Corporation) 2DFAB8C3C394E95D262E1325BDA5DFE4
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.18044_none_6e173b82127da724\ntoskrnl.exe
[2013-02-12 20:08] - [2013-01-04 21:00] - 3913064 ____A (Microsoft Corporation) 82FF919E9236B0137B5C7455B0E1418A
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17944_none_6e176360127d73e2\ntoskrnl.exe
[2012-10-09 16:57] - [2012-08-30 09:12] - 3914096 ____A (Microsoft Corporation) 948F0B444CB6CC35FE5F9DE52420CB95
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17835_none_6e2331b012747421\ntoskrnl.exe
[2012-06-12 15:39] - [2012-05-04 02:03] - 3913072 ____A (Microsoft Corporation) 53483A0B2DE3617E832F1DBAF9620F39
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17803_none_6e41a0e0125deda0\ntoskrnl.exe
[2012-05-11 08:26] - [2012-03-30 20:39] - 3913072 ____A (Microsoft Corporation) 28F44480E411C3DDF04B63F6560E6EF4
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17790_none_6ddd4ed012a99fed\ntoskrnl.exe
[2012-04-10 23:06] - [2012-03-05 21:59] - 3913072 ____A (Microsoft Corporation) 53B4BDEA12A032EEC71E60B6BFF42F37
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17727_none_6e30004a126a8db7\ntoskrnl.exe
[2012-03-13 23:05] - [2011-11-19 06:50] - 3913584 ____A (Microsoft Corporation) F0F0E99A65F598A1A7720F5111C4DA8F
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17640_none_6e135c8612811711\ntoskrnl.exe
[2011-08-09 20:27] - [2011-06-22 20:33] - 3912576 ____A (Microsoft Corporation) FB58ABD5E1F75A2CF713C9DFF0EC0804
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17592_none_6ddf4b9812a7d84d\ntoskrnl.exe
[2011-05-11 05:25] - [2011-04-08 22:02] - 3912576 ____A (Microsoft Corporation) 5D21C487F79F8245E799071589E035BF
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17514_none_6e37cb8c12652b73\ntoskrnl.exe
[2011-05-20 14:06] - [2010-11-20 04:30] - 3911040 ____A (Microsoft Corporation) 2088D9994332583EDB3C561DE31EA5AD
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.21490_none_6c806c692ea0fe82\ntoskrnl.exe
[2013-04-10 11:31] - [2013-03-18 21:04] - 3915608 ____A (Microsoft Corporation) 9EBA1C36121835E6828AC9903F1F9AE0
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.21417_none_6cddedcf2e59d05b\ntoskrnl.exe
[2013-02-12 20:08] - [2013-01-04 20:53] - 3915112 ____A (Microsoft Corporation) D93B06F0419392A2BEA3DDCFFB78FF37
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.21315_none_6cdbeb552e5ba086\ntoskrnl.exe
[2012-10-09 16:57] - [2012-08-30 10:11] - 3915632 ____A (Microsoft Corporation) 60D216C90A0A306A2A1E69B9EC4A2BA7
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.21207_none_6ce8b9ef2e51ba1c\ntoskrnl.exe
[2012-06-12 15:39] - [2012-05-04 02:03] - 3915632 ____A (Microsoft Corporation) 7A77B0BB0E658AEDC1C99B6DBCB360A1
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.21179_none_6c9f09292e88b33a\ntoskrnl.exe
[2012-05-11 08:26] - [2012-03-30 20:43] - 3915632 ____A (Microsoft Corporation) D909EAFA618BC9DB2615303DA3D9C830
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.21163_none_6ca3d7592e85ff3f\ntoskrnl.exe
[2012-04-10 23:06] - [2012-03-05 21:59] - 3915632 ____A (Microsoft Corporation) B83E403A94C4CB2D0576DD6945469D16
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.21094_none_6c8465f92e9d6f42\ntoskrnl.exe
[2012-03-13 23:05] - [2011-11-19 03:24] - 3915632 ____A (Microsoft Corporation) 46F86A3471AE24A604CB7E56983C8AE4
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.20994_none_6c848dd72e9d3c00\ntoskrnl.exe
[2011-08-09 20:27] - [2011-06-22 20:32] - 3911552 ____A (Microsoft Corporation) 638A384E9968036D42BDBDE499A1C8B8
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.20941_none_6cb79c952e776446\ntoskrnl.exe
[2011-05-11 05:25] - [2011-04-08 22:21] - 3911552 ____A (Microsoft Corporation) 0F4A148499CC6FA5D84A0F1587869051
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.20826_none_6cd23bf92e62adf0\ntoskrnl.exe
[2011-02-09 22:44] - [2010-10-26 20:33] - 3911552 ____A (Microsoft Corporation) C6169F5FDC8399E0C6C0729AB6EF2EF8
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.20738_none_6cc96abb2e68ff68\ntoskrnl.exe
[2010-08-12 10:47] - [2010-06-18 22:37] - 3909512 ____A (Microsoft Corporation) D5662CD1F9B85936561A07ADC400ACF4
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.20655_none_6cb0c81f2e7bee1e\ntoskrnl.exe
[2010-04-14 11:18] - [2010-02-27 03:46] - 3899784 ____A (Microsoft Corporation) 466FD46F58768E56F7B841681014EFF1
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.17273_none_6c0f6e6e157075b4\ntoskrnl.exe
[2013-04-10 11:31] - [2013-03-18 21:06] - 3902312 ____A (Microsoft Corporation) D1751CB2E03D7F57AC04C702D02974AC
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.17207_none_6c5f1f0a15341779\ntoskrnl.exe
[2013-02-12 20:08] - [2013-01-04 21:02] - 3902312 ____A (Microsoft Corporation) B089270BACB16B8A1F0FDE1529DBFE65
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.17118_none_6c554d82153b4f9a\ntoskrnl.exe
[2012-10-09 16:57] - [2012-08-30 09:18] - 3902832 ____A (Microsoft Corporation) 8C8FC2396921C0F897721718ABD5E70B
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.17017_none_6c544b52153c391c\ntoskrnl.exe
[2012-06-12 15:39] - [2012-05-04 02:08] - 3902320 ____A (Microsoft Corporation) 3D58BF0B376A9968B70B9EB293BE3739
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16988_none_6c09c4061573e2c8\ntoskrnl.exe
[2012-05-11 08:26] - [2012-04-01 20:46] - 3902320 ____A (Microsoft Corporation) 678AD0F9DB55F9127851CD631456F483
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16973_none_6c0f928015704824\ntoskrnl.exe
[2012-04-10 23:06] - [2012-03-05 21:59] - 3902320 ____A (Microsoft Corporation) 0FB535B17A519134C5F9867841B019AF
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16917_none_6c547330153c05da\ntoskrnl.exe
[2012-03-13 23:05] - [2011-11-19 06:25] - 3902320 ____A (Microsoft Corporation) FBF900DF512EC6C5818E1554EC69A7A5
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16841_none_6c2dffca1559c47c\ntoskrnl.exe
[2011-08-09 20:27] - [2011-06-22 20:38] - 3902336 ____A (Microsoft Corporation) DFB0E9F902FDAB7CD2E180E4072D45DD
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16792_none_6bf8ee9215816c61\ntoskrnl.exe
[2011-05-11 05:25] - [2011-04-08 22:13] - 3901824 ____A (Microsoft Corporation) D9FD1D6337F15AAF2012C69909615DB5
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16695_none_6bfbed8a157ebb3f\ntoskrnl.exe
[2011-02-09 22:44] - [2010-10-26 20:43] - 3901824 ____A (Microsoft Corporation) 776201760B5692F10DDA3BE85B54F213
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16617_none_6c546d7e153c0e65\ntoskrnl.exe
[2010-08-12 10:47] - [2010-06-18 22:33] - 3899784 ____A (Microsoft Corporation) 8218E74A67942120BF8EE30661EDF83F
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16539_none_6c40cc54154a7bce\ntoskrnl.exe
[2010-04-14 11:18] - [2010-02-27 04:07] - 3899280 ____A (Microsoft Corporation) DD2ED3246F5F4E4B07F385A9520C3C7C
 
C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16385_none_6c06b7c41576a7d9\ntoskrnl.exe
[2009-07-13 15:15] - [2009-07-13 17:20] - 3899472 ____A (Microsoft Corporation) B9D673F7707219DFD264891A26C21ECB
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22616_none_cae1eda6e3de88c2\ntoskrnl.exe
[2014-05-13 15:43] - [2014-03-04 03:11] - 5553088 ____A (Microsoft Corporation) A9D735A8C6010DCE1148D4BC32365C14
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22436_none_cacc4a02e3eec656\ntoskrnl.exe
[2013-10-09 05:41] - [2013-08-28 18:23] - 5552064 ____A (Microsoft Corporation) C842D8DC6E5BCD750FA50E4083CBBBEB
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22411_none_cadce868e3e30fc1\ntoskrnl.exe
[2013-09-11 06:16] - [2013-08-01 22:26] - 5554624 ____A (Microsoft Corporation) 5DA80B9D5EB7197AA99006C2DDD14E08
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22379_none_caa4094ae40c84f8\ntoskrnl.exe
[2013-08-13 15:46] - [2013-07-07 21:22] - 5554624 ____A (Microsoft Corporation) 3431F8C9C9B18EE536453FC55B87DA3E
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22280_none_ca9034dee41cbfb3\ntoskrnl.exe
[2013-04-10 11:31] - [2013-03-18 21:25] - 5553496 ____A (Microsoft Corporation) 25F87CF0EAF38AD1D412E804AE00CE3B
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22210_none_cadbe452e3e3fc1c\ntoskrnl.exe
[2013-02-12 20:08] - [2013-01-04 21:42] - 5554536 ____A (Microsoft Corporation) A0F9F36C3F670053F9A2E9B9577CD1AB
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22103_none_cae9b336e3d92f09\ntoskrnl.exe
[2012-10-09 16:57] - [2012-08-30 10:02] - 5562736 ____A (Microsoft Corporation) A0D1C0E813A7C6E17C029375AC2ACE18
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.21987_none_ca975af6e4164384\ntoskrnl.exe
[2012-06-12 15:39] - [2012-05-04 02:51] - 5561200 ____A (Microsoft Corporation) 6A692DB27A943B463E97B749DD34F3DA
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.21955_none_cab5ca26e3ffbd03\ntoskrnl.exe
[2012-05-11 08:26] - [2012-03-30 21:39] - 5561200 ____A (Microsoft Corporation) 708A4C721CEE6B3845B5A54477D873CF
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.21936_none_cacc6a48e3ee9e78\ntoskrnl.exe
[2012-04-10 23:06] - [2012-03-05 22:30] - 5561200 ____A (Microsoft Corporation) FCAB208AC0F7263A84EB627B1517E5AC
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.21863_none_caa8f7c0e409a91f\ntoskrnl.exe
[2012-03-13 23:05] - [2011-11-19 04:04] - 5561200 ____A (Microsoft Corporation) 70A2D18E0B2A1ADBAE90008684E030AC
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.21755_none_cab5c65ae3ffc2b5\ntoskrnl.exe
[2011-08-09 20:27] - [2011-06-22 21:22] - 5561728 ____A (Microsoft Corporation) CE6AF5EC2DB1567B6297ADCB56B39B5D
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.21701_none_cae7d4cee3dad1a4\ntoskrnl.exe
[2011-05-11 05:25] - [2011-04-08 22:50] - 5562240 ____A (Microsoft Corporation) 99C2715F138E7ED2F489AB796DD3B53C
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.18409_none_ca661fbfcab61be5\ntoskrnl.exe
[2014-05-13 15:43] - [2014-03-04 01:47] - 5550016 ____A (Microsoft Corporation) 6B47CF5C27865DDF6680E4D834FBE34F
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.18247_none_ca38dbafcad85ead\ntoskrnl.exe
[2013-10-09 05:41] - [2013-08-28 18:17] - 5549504 ____A (Microsoft Corporation) 5B9A6A310326D9C438F2C19FBBE97C97
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.18229_none_ca507c1bcac65979\ntoskrnl.exe
[2013-09-11 06:16] - [2013-08-01 18:23] - 5550528 ____A (Microsoft Corporation) 63B563F1FC047AB3E21530DBBE773260
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.18205_none_ca621acbcab9bc3b\ntoskrnl.exe
[2013-08-13 15:46] - [2013-07-08 22:03] - 5550528 ____A (Microsoft Corporation) C19DCA1024135D5485E25AB1047F77BC
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.18113_none_ca554865cac3a857\ntoskrnl.exe
[2013-04-10 11:31] - [2013-03-18 22:04] - 5550424 ____A (Microsoft Corporation) AC3232ED772403D38D64C18CD5A66FBD
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.18044_none_ca35d705cadb185a\ntoskrnl.exe
[2013-02-12 20:08] - [2013-01-04 21:53] - 5553512 ____A (Microsoft Corporation) 6B0D9CF92C08D42533C12FC1A0B5403F
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17944_none_ca35fee3cadae518\ntoskrnl.exe
[2012-10-09 16:57] - [2012-08-30 10:03] - 5559664 ____A (Microsoft Corporation) FE905D59663E86BFE51623947B7425FD
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17835_none_ca41cd33cad1e557\ntoskrnl.exe
[2012-06-12 15:39] - [2012-05-04 03:06] - 5559664 ____A (Microsoft Corporation) 2819BB6417B85D38169A4F151463A815
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17803_none_ca603c63cabb5ed6\ntoskrnl.exe
[2012-05-11 08:26] - [2012-03-30 22:05] - 5559664 ____A (Microsoft Corporation) 03B5C6DBA5A770CEEFD1615E380C6BC3
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17790_none_c9fbea53cb071123\ntoskrnl.exe
[2012-04-10 23:06] - [2012-03-05 22:53] - 5559152 ____A (Microsoft Corporation) BAA66E360105F79B5948A2FDAF3AA8FE
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17727_none_ca4e9bcdcac7feed\ntoskrnl.exe
[2012-03-13 23:05] - [2011-11-19 07:20] - 5559152 ____A (Microsoft Corporation) 1AFFF8D5352AECEF2ECD47FFA02D7F7D
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17640_none_ca31f809cade8847\ntoskrnl.exe
[2011-08-09 20:27] - [2011-06-22 21:43] - 5561216 ____A (Microsoft Corporation) 577841951E8BAD6EA8288106693CD39F
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17592_none_c9fde71bcb054983\ntoskrnl.exe
[2011-05-11 05:25] - [2011-04-08 23:02] - 5562240 ____A (Microsoft Corporation) D60D9BCEAE5870A67E6C167F4681877B
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17514_none_ca56670fcac29ca9\ntoskrnl.exe
[2011-05-20 14:07] - [2010-11-20 05:33] - 5563776 ____A (Microsoft Corporation) C6CEC3E6CC9842B73501C70AA64C00FE
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.21490_none_c89f07ece6fe6fb8\ntoskrnl.exe
[2013-04-10 11:31] - [2013-03-18 22:05] - 5466472 ____A (Microsoft Corporation) A38A87E18A3417FEB138A5E2709D66BA
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.21417_none_c8fc8952e6b74191\ntoskrnl.exe
[2013-02-12 20:08] - [2013-01-04 21:57] - 5467992 ____A (Microsoft Corporation) 24607D189375475224138CE863A1A9D5
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.21315_none_c8fa86d8e6b911bc\ntoskrnl.exe
[2012-10-09 16:57] - [2012-08-30 10:10] - 5473136 ____A (Microsoft Corporation) 502070A5B89F1E6DEC54817DEBF46425
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.21207_none_c9075572e6af2b52\ntoskrnl.exe
[2012-06-12 15:39] - [2012-05-04 08:52] - 5473136 ____A (Microsoft Corporation) C4C870BD7F081C7AAC4DA553CD17E0F1
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.21179_none_c8bda4ace6e62470\ntoskrnl.exe
[2012-05-11 08:26] - [2012-03-30 21:52] - 5473136 ____A (Microsoft Corporation) 5E6017E5814B3BC366A5A7A88538D0FC
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.21163_none_c8c272dce6e37075\ntoskrnl.exe
[2012-04-10 23:06] - [2012-03-05 22:51] - 5473136 ____A (Microsoft Corporation) F96AA8BE1890C99883A6C233F9FB59A7
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.21094_none_c8a3017ce6fae078\ntoskrnl.exe
[2012-03-13 23:05] - [2011-11-19 04:34] - 5473136 ____A (Microsoft Corporation) B183970D6E87A359E3EB7A72D489DEBF
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.20994_none_c8a3295ae6faad36\ntoskrnl.exe
[2011-08-09 20:27] - [2011-06-22 21:31] - 5474688 ____A (Microsoft Corporation) 12EC6D619756240886680523392EEF9C
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.20941_none_c8d63818e6d4d57c\ntoskrnl.exe
[2011-05-11 05:25] - [2011-04-08 22:54] - 5475712 ____A (Microsoft Corporation) 240D89BBE5BCD168D748D6C12B6FE884
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.20826_none_c8f0d77ce6c01f26\ntoskrnl.exe
[2011-02-09 22:44] - [2010-10-26 21:23] - 5477248 ____A (Microsoft Corporation) E6FC5686F6BB6F0CEB1107E6D064A944
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.20738_none_c8e8063ee6c6709e\ntoskrnl.exe
[2010-08-12 10:47] - [2010-06-18 23:05] - 5474184 ____A (Microsoft Corporation) 5223C216E348E397C5EACCBEFB57FFF2
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.20655_none_c8cf63a2e6d95f54\ntoskrnl.exe
[2010-04-14 11:18] - [2010-02-27 07:28] - 5485448 ____A (Microsoft Corporation) 7B7253D90EF53BAFCDC96C888B1DB4F3
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.17273_none_c82e09f1cdcde6ea\ntoskrnl.exe
[2013-04-10 11:31] - [2013-03-18 22:19] - 5497688 ____A (Microsoft Corporation) EF1D47835019186DB5E34C52571A6539
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.17207_none_c87dba8dcd9188af\ntoskrnl.exe
[2013-02-12 20:08] - [2013-01-04 21:57] - 5500776 ____A (Microsoft Corporation) 5DEF532B4661D612CD4E894CD3688E4C
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.17118_none_c873e905cd98c0d0\ntoskrnl.exe
[2012-10-09 16:57] - [2012-08-30 10:11] - 5505904 ____A (Microsoft Corporation) CD632F72C798CA012FE429F66E1F1CAD
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.17017_none_c872e6d5cd99aa52\ntoskrnl.exe
[2012-06-12 15:39] - [2012-05-04 02:52] - 5505392 ____A (Microsoft Corporation) BD31B81BFA2E89680315AB15D0D58671
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16988_none_c8285f89cdd153fe\ntoskrnl.exe
[2012-05-11 08:26] - [2012-04-01 21:34] - 5504880 ____A (Microsoft Corporation) 9579F84C40B3BE205C9FD4CCDD99B6B7
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16973_none_c82e2e03cdcdb95a\ntoskrnl.exe
[2012-04-10 23:06] - [2012-03-05 22:43] - 5504880 ____A (Microsoft Corporation) 51F2FD7B6C7966AFE271611D786D35A3
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16917_none_c8730eb3cd997710\ntoskrnl.exe
[2012-03-13 23:05] - [2011-11-19 10:30] - 5504880 ____A (Microsoft Corporation) 999865426F641D575072064575E9CC37
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16841_none_c84c9b4dcdb735b2\ntoskrnl.exe
[2011-08-09 20:27] - [2011-06-22 21:29] - 5507968 ____A (Microsoft Corporation) EBECACD545E280FE7A0A2CBFC0AC29BD
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16792_none_c8178a15cddedd97\ntoskrnl.exe
[2011-05-11 05:25] - [2011-04-08 22:45] - 5509504 ____A (Microsoft Corporation) E03A9AC0273182895DCB3693A36785C9
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16695_none_c81a890dcddc2c75\ntoskrnl.exe
[2011-02-09 22:44] - [2010-10-26 21:18] - 5510528 ____A (Microsoft Corporation) E2EA143288BFF3D6B3AEB88C3BC02DAF
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16617_none_c8730901cd997f9b\ntoskrnl.exe
[2010-08-12 10:47] - [2010-06-18 23:05] - 5507968 ____A (Microsoft Corporation) 28C4FE45FC1B176FA74A48FB15DE7C9A
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16539_none_c85f67d7cda7ed04\ntoskrnl.exe
[2010-04-14 11:18] - [2010-02-27 07:17] - 5509008 ____A (Microsoft Corporation) FD787551F58F9686CEC6353F693EF571
 
C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16385_none_c8255347cdd4190f\ntoskrnl.exe
[2009-07-13 15:41] - [2009-07-13 17:48] - 5511248 ____A (Microsoft Corporation) 9E722B768E33D26AD8FA7D642E707443
 
C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.21655_none_b9ac1d069c83936e\winload.exe
[2011-04-14 17:22] - [2011-02-05 04:40] - 0605552 ____A (Microsoft Corporation) 1814099E8025B579C57279AD3F1A7931
 
C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17556_none_b923808583650cfb\winload.exe
[2011-04-14 17:22] - [2011-02-05 09:06] - 0605552 ____A (Microsoft Corporation) 78C918D3612FE5937D32E488F053F10A
 
C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17514_none_b94cbfa183466a89\winload.exe
[2011-05-20 14:06] - [2010-11-20 05:28] - 0605552 ____A (Microsoft Corporation) E2F68DC7FBD6E0BF031CA3809A739346
 
C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7600.20897_none_b79c80e49f7bc9f4\winload.exe
[2011-04-14 17:22] - [2011-02-05 04:30] - 0605040 ____A (Microsoft Corporation) 8139738658C31621541293085A94681D
 
C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7600.16757_none_b73e23c9863dba66\winload.exe
[2011-04-14 17:22] - [2011-02-05 04:39] - 0603976 ____A (Microsoft Corporation) 09DD82F21499682086554C054676F08C
 
C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7600.16385_none_b71babd98657e6ef\winload.exe
[2009-07-13 15:20] - [2009-07-13 17:43] - 0604192 ____A (Microsoft Corporation) 87B2086D7382A42935D55EC69E5E71AB
 
C:\Windows\winsxs\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.21655_none_c7bdf9febca7513f\winload.exe
[2011-04-14 17:22] - [2011-02-05 04:40] - 0605552 ____A (Microsoft Corporation) 1814099E8025B579C57279AD3F1A7931
 
C:\Windows\winsxs\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.17556_none_c7355d7da388cacc\winload.exe
[2011-04-14 17:22] - [2011-02-05 09:06] - 0605552 ____A (Microsoft Corporation) 78C918D3612FE5937D32E488F053F10A
 
C:\Windows\winsxs\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.17514_none_c75e9c99a36a285a\winload.exe
[2011-05-20 14:06] - [2010-11-20 05:28] - 0605552 ____A (Microsoft Corporation) E2F68DC7FBD6E0BF031CA3809A739346
 
C:\Windows\winsxs\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7600.20897_none_c5ae5ddcbf9f87c5\winload.exe
[2011-04-14 17:22] - [2011-02-05 04:30] - 0605040 ____A (Microsoft Corporation) 8139738658C31621541293085A94681D
 
C:\Windows\winsxs\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7600.16757_none_c55000c1a6617837\winload.exe
[2011-04-14 17:22] - [2011-02-05 04:39] - 0603976 ____A (Microsoft Corporation) 09DD82F21499682086554C054676F08C
 
C:\Windows\winsxs\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7600.16385_none_c52d88d1a67ba4c0\winload.exe
[2009-07-13 15:20] - [2009-07-13 17:43] - 0604192 ____A (Microsoft Corporation) 87B2086D7382A42935D55EC69E5E71AB
 
C:\Windows\SysWOW64\ntoskrnl.exe
[2014-05-13 15:43] - [2014-03-04 01:20] - 3914176 ____A (Microsoft Corporation) 31FA2485DFC773F1E718A4D19F443FA9
 
C:\Windows\System32\ntoskrnl.exe
[2014-05-13 15:43] - [2014-03-04 01:47] - 5550016 ____A (Microsoft Corporation) 6B47CF5C27865DDF6680E4D834FBE34F
 
C:\Windows\System32\winload.exe
[2011-04-14 17:22] - [2011-02-05 09:06] - 0605552 ____A (Microsoft Corporation) 78C918D3612FE5937D32E488F053F10A
 
C:\Windows\System32\Boot\winload.exe
[2011-04-14 17:22] - [2011-02-05 09:06] - 0605552 ____A (Microsoft Corporation) 78C918D3612FE5937D32E488F053F10A
 
X:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16385_none_c8255347cdd4190f\ntoskrnl.exe
[2009-07-13 15:41] - [2009-07-13 17:48] - 5511248 ____A (Microsoft Corporation) 9E722B768E33D26AD8FA7D642E707443
 
X:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7600.16385_none_b71babd98657e6ef\winload.exe
[2009-07-13 15:20] - [2009-07-13 17:43] - 0604192 ____A (Microsoft Corporation) 87B2086D7382A42935D55EC69E5E71AB
 
X:\Windows\winsxs\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7600.16385_none_c52d88d1a67ba4c0\winload.exe
[2009-07-13 15:20] - [2009-07-13 17:43] - 0604192 ____A (Microsoft Corporation) 87B2086D7382A42935D55EC69E5E71AB
 
X:\Windows\System32\ntoskrnl.exe
[2009-07-13 15:41] - [2009-07-13 17:48] - 5511248 ____A (Microsoft Corporation) 9E722B768E33D26AD8FA7D642E707443
 
X:\Windows\System32\winload.exe
[2009-07-13 15:20] - [2009-07-13 17:43] - 0604192 ____A (Microsoft Corporation) 87B2086D7382A42935D55EC69E5E71AB
 
X:\Windows\System32\Boot\winload.exe
[2009-07-13 15:20] - [2009-07-13 17:43] - 0604192 ____A (Microsoft Corporation) 87B2086D7382A42935D55EC69E5E71AB
 
====== End Of Search ======


#14 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 10,840 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 09 June 2014 - 10:38 PM

There was a misspelling in one of these file names. I will also include another one.
 
Type the following in the edit box on FRST64, after "Search:".
 
hal.dll;userinit.exe
 
It then should look like:
 
 Search: hal.dll;userinit.exe
 
Click the Search Files button and post the log (Search.txt) it makes in the location where FRST64 is saved in your next reply.



#15 ryank007

  • Topic Starter
  • Members
  • 12 posts

Posted 09 June 2014 - 10:44 PM

Farbar Recovery Scan Tool (x64) Version: 09-06-2014 01
Ran by SYSTEM at 2014-06-09 23:43:08
Running from K:\
Boot Mode: Recovery
 
================== Search Files: "hal.dll;userinit.exe" =============
 
C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
[2011-05-20 14:05] - [2010-11-20 04:17] - 0026624 ____A (Microsoft Corporation) 61AC3EFDFACFDD3F0F11DD4FD4044223
 
C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
[2009-07-13 15:34] - [2009-07-13 17:14] - 0026112 ____A (Microsoft Corporation) 6DE80F60D7DE9CE6B8C2DDFDF79EF175
 
C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_3a4ebf84e84f824c\userinit.exe
[2011-05-20 14:05] - [2010-11-20 05:25] - 0030720 ____A (Microsoft Corporation) BAFE84E637BF7388C96EF48D4D3FDD53
 
C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_381dabbceb60feb2\userinit.exe
[2009-07-13 15:50] - [2009-07-13 17:39] - 0030208 ____A (Microsoft Corporation) 6F8F1376A13114CC10C0E69274F5A4DE
 
C:\Windows\winsxs\amd64_microsoft-windows-hal_31bf3856ad364e35_6.1.7601.17514_none_094ef8137049c196\hal.dll
[2011-05-20 14:06] - [2010-11-20 05:33] - 0263040 ____A (Microsoft Corporation) CFB8C673F9188F99466E76C6972191E0
 
C:\Windows\winsxs\amd64_microsoft-windows-hal_31bf3856ad364e35_6.1.7600.16385_none_071de44b735b3dfc\hal.dll
[2009-07-13 15:19] - [2009-07-13 17:47] - 0263232 ____A (Microsoft Corporation) C0A6F6E05E14FBCAEDE7796C8590B7AC
 
C:\Windows\SysWOW64\userinit.exe
[2011-05-20 14:05] - [2010-11-20 04:17] - 0026624 ____A (Microsoft Corporation) 61AC3EFDFACFDD3F0F11DD4FD4044223
 
C:\Windows\System32\hal.dll
[2011-05-20 14:06] - [2010-11-20 05:33] - 0263040 ____A (Microsoft Corporation) CFB8C673F9188F99466E76C6972191E0
 
C:\Windows\System32\userinit.exe
[2011-05-20 14:05] - [2010-11-20 05:25] - 0030720 ____A (Microsoft Corporation) BAFE84E637BF7388C96EF48D4D3FDD53
 
X:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_381dabbceb60feb2\userinit.exe
[2009-07-13 15:50] - [2009-07-13 17:39] - 0030208 ____A (Microsoft Corporation) 6F8F1376A13114CC10C0E69274F5A4DE
 
X:\Windows\winsxs\amd64_microsoft-windows-hal_31bf3856ad364e35_6.1.7600.16385_none_071de44b735b3dfc\hal.dll
[2009-07-13 15:19] - [2009-07-13 17:47] - 0263232 ____A (Microsoft Corporation) C0A6F6E05E14FBCAEDE7796C8590B7AC
 
X:\Windows\System32\hal.dll
[2009-07-13 15:19] - [2009-07-13 17:47] - 0263232 ____A (Microsoft Corporation) C0A6F6E05E14FBCAEDE7796C8590B7AC
 
X:\Windows\System32\userinit.exe
[2009-07-13 15:50] - [2009-07-13 17:39] - 0030208 ____A (Microsoft Corporation) 6F8F1376A13114CC10C0E69274F5A4DE
 
====== End Of Search ======
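What the helper is doing by eye with these Search.txt logs is comparing the MD5 of each live copy (System32, SysWOW64) against the copies the component store (winsxs) keeps for the same file, to spot a system file that has been swapped for something that is not a Microsoft-serviced version. The following is an added example, not code from the thread or from FRST, that automates that comparison over the two-line record format shown in the logs above. It assumes the record layout `[created] - [modified] - size attrs (company) MD5` exactly as printed above, and uses a simple heuristic for architecture (winsxs `amd64_`/`x86_` prefix, System32 = 64-bit, SysWOW64 = 32-bit). The sample log is constructed: its winsxs lines and the `System32\hal.dll` line reproduce entries from the log above, while the `System32\userinit.exe` record carries a placeholder hash that matches nothing, to show how a mismatch is reported.

```python
import re
from collections import defaultdict

# Two-line FRST "Search Files" record, as seen in the logs above:
#   <path>
#   [<created>] - [<modified>] - <size> <attrs> (<company>) <MD5>
PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
META_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)

# Constructed sample in Search.txt format (see the lead-in for which lines are
# taken from the thread and which are placeholders).
SAMPLE_LOG = r"""
Farbar Recovery Scan Tool (x64) Version: 09-06-2014 01
Ran by SYSTEM at 2014-06-09 23:43:08
Boot Mode: Recovery

================== Search Files: "hal.dll;userinit.exe" =============

C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_3a4ebf84e84f824c\userinit.exe
[2011-05-20 14:05] - [2010-11-20 05:25] - 0030720 ____A (Microsoft Corporation) BAFE84E637BF7388C96EF48D4D3FDD53

C:\Windows\winsxs\amd64_microsoft-windows-hal_31bf3856ad364e35_6.1.7601.17514_none_094ef8137049c196\hal.dll
[2011-05-20 14:06] - [2010-11-20 05:33] - 0263040 ____A (Microsoft Corporation) CFB8C673F9188F99466E76C6972191E0

C:\Windows\System32\hal.dll
[2011-05-20 14:06] - [2010-11-20 05:33] - 0263040 ____A (Microsoft Corporation) CFB8C673F9188F99466E76C6972191E0

C:\Windows\System32\userinit.exe
[2011-05-20 14:05] - [2014-06-01 00:00] - 0030720 ____A () 00000000000000000000000000000000

====== End Of Search ======
"""


def parse_search_log(text):
    """Return one dict per file record found in FRST Search.txt text."""
    records = []
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("===="):
            continue
        m = META_RE.match(line)
        if m and pending_path is not None:
            rec = m.groupdict()
            rec["path"] = pending_path
            rec["name"] = pending_path.rsplit("\\", 1)[-1].lower()
            rec["md5"] = rec["md5"].upper()
            records.append(rec)
            pending_path = None
        elif PATH_RE.match(line):
            pending_path = line
    return records


def arch_of(path):
    """Heuristic (assumption): winsxs prefix names the arch; System32 is 64-bit, SysWOW64 32-bit."""
    p = path.lower()
    if "\\winsxs\\amd64_" in p or "\\system32\\" in p:
        return "amd64"
    if "\\winsxs\\x86_" in p or "\\syswow64\\" in p:
        return "x86"
    return "unknown"


def check_live_files(records):
    """Map each live (non-winsxs) path to True if its MD5 equals some winsxs copy
    of the same file name and architecture, else False."""
    known = defaultdict(set)  # (file name, arch) -> MD5s held in the component store
    for r in records:
        if "\\winsxs\\" in r["path"].lower():
            known[(r["name"], arch_of(r["path"]))].add(r["md5"])
    results = {}
    for r in records:
        if "\\winsxs\\" in r["path"].lower():
            continue
        key = (r["name"], arch_of(r["path"]))
        results[r["path"]] = r["md5"] in known.get(key, set())
    return results


def unmatched_live_files(text):
    """Sorted list of live file paths whose hash matches no winsxs copy: the triage list."""
    return sorted(p for p, ok in check_live_files(parse_search_log(text)).items() if not ok)


if __name__ == "__main__":
    for path in unmatched_live_files(SAMPLE_LOG):
        print("no matching winsxs copy:", path)
```

Treat the output as a triage list rather than a verdict: a live file that is newer than every winsxs copy the search returned (a hotfix applied outside normal servicing, or a version whose winsxs entry fell outside the search) also shows as unmatched, while a file that matches is only as trustworthy as the component store it was compared against.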
