
TROJAN.SIREDEF.C and now pc beeps & wont boot


18 replies to this topic

#1 chrisscheer

chrisscheer

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 27 September 2014 - 07:56 PM

PC started to reboot on its own a couple of times while using it recently.

Then after one reboot it started a series of unending long beeps.

I shut it down hard by holding the power button. Came back several hours later and it booted. I may have clicked on a bogus JAVA update during this time, although we get a lot of valid ones... anyhow.

I ran MBAM and it came up with Trojan.Siredef.C.

Shut the PC down for a week. Rebooted today and started to rerun MBAM, and it rebooted into beeping mode within several minutes. I unplugged the network cable right after it was found to be infected.

It won't boot at this time. I reseated all 4 memory boards and no change.

Not sure what to do now.

Older HP Pavilion 1632x desktop with AMD chip and some added memory from several years ago.




 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:13 AM

Posted 29 September 2014 - 05:01 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

  • Important: To help me review your logs, please post them in code boxes. You can create them by clicking on the <>-symbol on top of the reply window.

 

 

 

Scan with FRST (Recovery Environment)


To run FRST on Vista and Windows 7:



Plug the flashdrive into the infected PC.

Enter System Recovery Options.


To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt


  • In the command window:
  • type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 chrisscheer

chrisscheer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 29 September 2014 - 07:03 AM

Marius,

 

Due to my schedule it may take from 5-7 days between my responses.  Please allow me that much time to get to the computer and apply your directions.

 

Chris



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:13 AM

Posted 30 September 2014 - 05:28 AM

OK :)



#5 chrisscheer

chrisscheer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 10 October 2014 - 05:04 PM

Marius,

I am at the computer. This time it won't boot. It beeps: 1 long beep every 3.5 seconds. Hard drive light is on solid. I am unsure what to do at this point to identify what is going on.

 

EDIT: Googled a bit and went to the HP website support, and it stepped me through a memory card check. I took out two cards and it is no longer beeping. It has booted and I ran frst.exe. Attached are the results. Before I buy new memory let me know what you see. Can I have bad memory and a virus by coincidence?

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 08-10-2014 01
Ran by SYSTEM on MININT-J3883PS on 10-10-2014 17:56:18
Running from g:\
Platform: Windows 7 Ultimate (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
[b]ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.[/b]

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-08-01] (Apple Inc.)
HKU\ADMIN\...\Run: [EPSON NX420 Series (Copy 1)] => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIGCA.EXE [200704 2009-09-14] (SEIKO EPSON CORPORATION)
HKU\ADMIN\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [21652064 2014-07-24] (Skype Technologies S.A.)
HKU\ADMIN\...\Policies\system: [LogonHoursAction] 2
HKU\ADMIN\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Catherine\...\RunOnce: [DPAPIKeyMig] => C:\Windows\system32\dpapimig.exe [72192 2009-07-13] (Microsoft Corporation)
HKU\Catherine\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516096 2010-11-20] (Microsoft Corporation)
HKU\Jon\...\RunOnce: [DPAPIKeyMig] => C:\Windows\system32\dpapimig.exe [72192 2009-07-13] (Microsoft Corporation)
HKU\Jon\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516096 2010-11-20] (Microsoft Corporation)
HKU\Jon Leonard\...\Policies\system: [LogonHoursAction] 2
HKU\Jon Leonard\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
GroupPolicyUsers\S-1-5-21-1920155137-493942973-3620939436-1003\User: Group Policy restriction detected <======= ATTENTION

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 c2cautoupdatesvc; C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
S2 c2cpnrsvc; C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)
S2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2012-01-18] (Logitech Inc.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 LNE100; C:\Windows\System32\DRIVERS\LNE100V5.sys [36224 2001-10-24] (LinkSys Group Inc.)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [110296 2014-09-27] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-10 17:56 - 2014-10-10 17:56 - 00000000 ____D () C:\FRST
2014-09-18 13:56 - 2014-09-18 13:56 - 349582132 _____ () C:\Windows\MEMORY.DMP
2014-09-18 13:56 - 2014-09-18 13:56 - 00154384 _____ () C:\Windows\Minidump\091814-20406-01.dmp
2014-09-18 13:56 - 2014-09-18 13:56 - 00000000 ____D () C:\Windows\Minidump
2014-09-10 16:00 - 2014-08-19 09:39 - 00327872 _____ (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2014-09-10 16:00 - 2014-08-18 14:08 - 04232704 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2014-09-10 16:00 - 2014-08-18 13:57 - 02724864 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-09-10 16:00 - 2014-08-18 13:57 - 00004096 _____ (Microsoft Corporation) C:\Windows\System32\ieetwcollectorres.dll
2014-09-10 16:00 - 2014-08-18 13:46 - 00454656 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2014-09-10 16:00 - 2014-08-18 13:45 - 00061952 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2014-09-10 16:00 - 2014-08-18 13:44 - 00061952 _____ (Microsoft Corporation) C:\Windows\System32\MshtmlDac.dll
2014-09-10 16:00 - 2014-08-18 13:44 - 00051200 _____ (Microsoft Corporation) C:\Windows\System32\ieetwproxystub.dll
2014-09-10 16:00 - 2014-08-18 13:42 - 02185728 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2014-09-10 16:00 - 2014-08-18 13:39 - 00043008 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2014-09-10 16:00 - 2014-08-18 13:39 - 00032768 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2014-09-10 16:00 - 2014-08-18 13:37 - 00440320 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2014-09-10 16:00 - 2014-08-18 13:36 - 00112128 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2014-09-10 16:00 - 2014-08-18 13:36 - 00108032 _____ (Microsoft Corporation) C:\Windows\System32\ieetwcollector.exe
2014-09-10 16:00 - 2014-08-18 13:35 - 00597504 _____ (Microsoft Corporation) C:\Windows\System32\jscript9diag.dll
2014-09-10 16:00 - 2014-08-18 13:30 - 00646144 _____ (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
2014-09-10 16:00 - 2014-08-18 13:27 - 00365056 _____ (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2014-09-10 16:00 - 2014-08-18 13:22 - 00060416 _____ (Microsoft Corporation) C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-09-10 16:00 - 2014-08-18 13:19 - 00164864 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2014-09-10 16:00 - 2014-08-18 13:17 - 00243200 _____ (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2014-09-10 16:00 - 2014-08-18 13:17 - 00069632 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2014-09-10 16:00 - 2014-08-18 13:09 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2014-09-10 16:00 - 2014-08-18 13:08 - 00673792 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2014-09-10 16:00 - 2014-08-18 13:07 - 01068032 _____ (Microsoft Corporation) C:\Windows\System32\mshtmlmedia.dll
2014-09-10 16:00 - 2014-08-18 12:46 - 01812992 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2014-09-10 16:00 - 2014-08-18 12:38 - 01190400 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2014-09-10 16:00 - 2014-08-18 12:36 - 00678400 _____ (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2014-09-10 15:59 - 2014-08-18 14:26 - 17455104 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-09-10 15:59 - 2014-08-18 13:15 - 11769856 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2014-09-10 15:59 - 2014-08-18 13:08 - 02014208 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2014-09-10 15:57 - 2014-06-26 17:45 - 02285056 _____ (Microsoft Corporation) C:\Windows\System32\msmpeg2vdec.dll
2014-09-10 14:31 - 2014-07-06 17:40 - 01059840 _____ (Microsoft Corporation) C:\Windows\System32\lsasrv.dll
2014-09-10 14:31 - 2014-07-06 17:40 - 00550912 _____ (Microsoft Corporation) C:\Windows\System32\kerberos.dll
2014-09-10 14:30 - 2014-09-04 17:52 - 00445952 _____ (Microsoft Corporation) C:\Windows\System32\aepdu.dll
2014-09-10 14:30 - 2014-09-04 17:47 - 00302592 _____ (Microsoft Corporation) C:\Windows\System32\aeinv.dll
2014-09-10 14:30 - 2014-08-01 03:35 - 00793600 _____ (Microsoft Corporation) C:\Windows\System32\TSWorkspace.dll
2014-09-10 14:30 - 2014-06-23 18:59 - 01987584 _____ (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-27 16:06 - 2014-05-10 14:05 - 02025080 _____ () C:\Windows\WindowsUpdate.log
2014-09-27 15:58 - 2009-07-13 20:34 - 00020816 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-27 15:58 - 2009-07-13 20:34 - 00020816 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-27 15:52 - 2014-08-14 12:57 - 00000000 ____D () C:\Users\ADMIN\AppData\Roaming\Skype
2014-09-27 15:52 - 2014-06-10 03:47 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-09-27 15:51 - 2009-07-13 20:39 - 00039020 _____ () C:\Windows\setupact.log
2014-09-19 02:28 - 2014-06-10 03:46 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-09-18 15:15 - 2014-05-10 13:14 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-09-18 14:10 - 2014-08-03 16:23 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-09-14 15:36 - 2014-05-10 14:52 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-09-11 09:56 - 2014-05-10 11:32 - 00000000 ____D () C:\users\ADMIN
2014-09-11 04:23 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\rescache
2014-09-11 04:05 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-09-10 15:56 - 2014-05-19 15:00 - 00000000 ____D () C:\Windows\System32\MRT
2014-09-10 15:50 - 2014-05-19 15:00 - 98758480 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-09-10 15:50 - 2014-05-10 13:07 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-09-10 15:49 - 2014-05-10 13:06 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-09-10 15:48 - 2014-05-19 10:41 - 00000000 ___SD () C:\Windows\System32\CompatTel
2014-09-10 15:43 - 2014-05-10 11:34 - 00773536 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-09-10 05:32 - 2014-07-06 10:46 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2014-09-10 05:32 - 2014-07-06 10:46 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

Files to move or delete:
====================
C:\Users\ADMIN\GoToAssist_phone__268_en.exe


Some content of TEMP:
====================
C:\Users\ADMIN\AppData\Local\Temp\fp_pl_pfs_installer.exe


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================

Restore point made on: 2014-08-22 08:00:57
Restore point made on: 2014-08-23 15:36:27
Restore point made on: 2014-08-27 12:27:53
Restore point made on: 2014-08-28 11:39:41
Restore point made on: 2014-09-02 08:25:14
Restore point made on: 2014-09-05 12:55:52
Restore point made on: 2014-09-08 16:24:48
Restore point made on: 2014-09-10 15:42:51
Restore point made on: 2014-09-14 10:37:03
Restore point made on: 2014-09-14 15:32:57
Restore point made on: 2014-09-19 01:48:26

==================== Memory info =========================== 

Percentage of memory in use: 37%
Total physical RAM: 958.55 MB
Available physical RAM: 594.66 MB
Total Pagefile: 958.55 MB
Available Pagefile: 591.52 MB
Total Virtual: 2047.88 MB
Available Virtual: 1957.42 MB

==================== Drives ================================

Drive c: (HP_PAVILION) (Fixed) (Total:270.61 GB) (Free:79.13 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (HP_RECOVERY) (Fixed) (Total:8.82 GB) (Free:0.57 GB) FAT32
Drive g: () (Removable) (Total:3.74 GB) (Free:3.74 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 279.5 GB) (Disk ID: CAB10BEE)
Partition 1: (Active) - (Size=270.6 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=8.8 GB) - (Type=0C)

========================================================
Disk: 1 (Size: 3.7 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.


LastRegBack: 2014-09-16 06:00

==================== End Of Log ============================

Chris
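The FRST.txt above lists autostarts, services and drivers in a fixed line format, which makes it easy to pre-sort before a person reads it. The triage helper below is an added example for this thread, not FRST's own code and not something the helper asked Chris to run. It assumes only the line shapes visible in the log above; its sample input is an excerpt of that log plus one constructed line (the "updater" entry under AppData\Roaming) added so the unsigned-autostart check has something to report.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) logs.

Added example for this thread; it is not FRST's own code.  It recognises
three line shapes from the FRST.txt posted above (Run/RunOnce autostarts,
service and driver entries, and FRST's own '<======= ATTENTION' marker)
and lists what a reviewer would read first: autostarts with no publisher
or running from a user-writable folder, entries whose file is not present
('[X]'), and lines FRST itself flagged.
"""
import re

# Excerpt of the log posted above, plus ONE constructed line (the
# 'updater' entry under AppData\Roaming) so the unsigned-autostart path
# is exercised.  That constructed entry does not exist on Chris's PC.
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
HKU\ADMIN\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [21652064 2014-07-24] (Skype Technologies S.A.)
HKU\ADMIN\...\Run: [updater] => C:\Users\ADMIN\AppData\Roaming\example.exe [12345 2014-09-27] ()
GroupPolicyUsers\S-1-5-21-1920155137-493942973-3620939436-1003\User: Group Policy restriction detected <======= ATTENTION
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [110296 2014-09-27] (Malwarebytes Corporation)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
"""

# 'HKLM\...\Run: [name] => path [size date] (publisher)'
RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+\\.+?\\Run(?:Once)?): \[(?P<name>.+?)\] => "
    r"(?P<path>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>.*)\)$")
# 'S2 name; path [size date] (publisher)'  or  'S3 name; path [X]' (file absent)
SVC_RE = re.compile(
    r"^(?P<start>[SR]\d) (?P<name>[^;]+); (?P<path>.+?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>.*)\)| \[X\])$")
# Folders any local user can write to; an autostart there deserves a look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|RECYCLER)\\", re.IGNORECASE)


def parse_frst(text):
    """Split an FRST log into autostarts, services/drivers and ATTENTION lines."""
    parsed = {"autostarts": [], "services": [], "attention": []}
    for line in text.strip().splitlines():
        line = line.rstrip()
        if "<======= ATTENTION" in line:
            parsed["attention"].append(line.split(" <=======")[0])
            continue
        m = RUN_RE.match(line)
        if m:
            parsed["autostarts"].append(m.groupdict())
            continue
        m = SVC_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["missing"] = entry["size"] is None   # matched the '[X]' branch
            parsed["services"].append(entry)
    return parsed


def triage(parsed):
    """Return (kind, name, reason) tuples for the entries worth a human look."""
    findings = []
    for e in parsed["autostarts"]:
        reasons = []
        if not e["publisher"]:
            reasons.append("no publisher")
        if USER_WRITABLE.search(e["path"]):
            reasons.append("runs from a user-writable folder")
        if reasons:
            findings.append(("autostart", e["name"], "; ".join(reasons)))
    for s in parsed["services"]:
        if s["missing"]:
            findings.append(("service/driver", s["name"], "file not present ([X])"))
    for a in parsed["attention"]:
        findings.append(("frst-flag", a, "flagged by FRST"))
    return findings


if __name__ == "__main__":
    for kind, name, reason in triage(parse_frst(SAMPLE_LOG)):
        print(f"{kind:15} {name}: {reason}")
```

A finding here is a prompt, not a verdict: "[X]" only says FRST found no file for that entry, and the ATTENTION line is FRST's own marker. The helper read the complete log above and saw nothing malicious in it; a pre-sort like this shortens that reading, it does not replace it.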



#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:13 AM

Posted 13 October 2014 - 08:02 AM

I don't see any malicious code in here.

 

 

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:

    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

  • Click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.


  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

 

 

Scan with ESET Online Scan

Go here to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right-click on their Internet Explorer shortcut and select Run as Administrator.

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
  • Click the blue Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
  • Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.



#7 chrisscheer

chrisscheer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 14 October 2014 - 03:46 PM

Hi Marius,

Just replaced 2 gig of bad memory (I think it was bad as the computer stopped b). While it is running I am attaching the log of the scan that showed the trojan detected and the scan the following day after it was quarantined and then deleted.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/18/2014
Scan Time: 7:19:48 PM
Logfile: 
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.10.03
Rootkit Database: v2014.06.02.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: ADMIN

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 540963
Time Elapsed: 2 hr, 38 min, 54 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 1
Trojan.Siredef.C, C:\RECYCLER\S-1-5-21-4266209018-760024616-2802856647-1007\$ff24043d55f85ce9a20a8337d9b4b888, Quarantined, [d3df80f3d5a6270f9c33a25ec7392dd3], 

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/19/2014
Scan Time: 6:32:24 AM
Logfile: 
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.10.03
Rootkit Database: v2014.06.02.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: ADMIN

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 374818
Time Elapsed: 15 min, 25 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

I will send additional logs as I complete them. Scans on this machine can be long due to the large file storage.

 

Thanks for your patience and assistance

 

Chris
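Chris posted two logs in the same format, one with the detection and one from the day after the quarantine, and comparing them is what shows the item did not come back. The parser and comparer below are an added example for this thread, not Malwarebytes' code and not part of the helper's instructions. They assume the MBAM 2.x layout shown above ("Key: value" header, "Category: count" lines, then one "name, path, action, [id]," row per detection) and take abbreviated copies of the two posted logs as input.

```python
"""Parse Malwarebytes Anti-Malware 2.x scan logs and compare two scans.

Added example for this thread, not Malwarebytes' code: it reads the
'Key: value' header, the per-category counts ('Folders: 1') and the
detection rows ('name, path, action, [id],') in the format of the logs
posted above, then checks that what an earlier scan quarantined does not
show up again in a later one.
"""
import re
from dataclasses import dataclass, field

# Abbreviated copies of the two logs posted above (same detection row;
# most header lines and the empty categories dropped to keep this short).
SCAN_BEFORE = r"""
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/18/2014
Scan Type: Custom Scan
Objects Scanned: 540963

Folders: 1
Trojan.Siredef.C, C:\RECYCLER\S-1-5-21-4266209018-760024616-2802856647-1007\$ff24043d55f85ce9a20a8337d9b4b888, Quarantined, [d3df80f3d5a6270f9c33a25ec7392dd3], 

Files: 0
(No malicious items detected)

(end)
"""
SCAN_AFTER = r"""
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/19/2014
Scan Type: Threat Scan
Objects Scanned: 374818

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

(end)
"""
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.*)$")
# 'name, path, action, [32-hex id],'  (the path may itself contain commas)
DETECTION_RE = re.compile(
    r"^(?P<name>[^,]+), (?P<path>.+), (?P<action>[^,]+), \[(?P<ident>[0-9a-f]{32})\],?$")
CATEGORIES = ("Processes", "Modules", "Registry Keys", "Registry Values",
              "Registry Data", "Folders", "Files", "Physical Sectors")

@dataclass
class Detection:
    category: str
    name: str
    path: str
    action: str
    ident: str

@dataclass
class ScanLog:
    header: dict = field(default_factory=dict)
    counts: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)

def parse_mbam(text):
    """Build a ScanLog from one MBAM 2.x log; lines it does not recognise are skipped."""
    log, category = ScanLog(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):   # blank, '(No malicious items detected)', '(end)'
            continue
        m = DETECTION_RE.match(line) if category else None
        if m:
            log.detections.append(Detection(category, **m.groupdict()))
            continue
        m = HEADER_RE.match(line)
        if not m:
            continue                           # product banner lines
        key, value = m.group("key"), m.group("value")
        if key in CATEGORIES:                  # 'Folders: 1' opens a detection block
            log.counts[key] = int(value)
            category = key
        else:
            log.header[key] = value
    return log

def compare_scans(before, after):
    """Paths detected in `before`, split into (gone in `after`, still detected in `after`)."""
    earlier = {d.path.lower() for d in before.detections}
    later = {d.path.lower() for d in after.detections}
    return sorted(earlier - later), sorted(earlier & later)

if __name__ == "__main__":
    first, second = parse_mbam(SCAN_BEFORE), parse_mbam(SCAN_AFTER)
    for d in first.detections:
        print(f"{first.header['Scan Date']}: {d.category}: {d.name} -> {d.action}: {d.path}")
    cleared, persisting = compare_scans(first, second)
    print(f"cleared by {second.header['Scan Date']}: {len(cleared)}, still present: {len(persisting)}")
```

The detection row carries everything a follow-up needs: the path (here a folder under a per-user SID directory inside C:\RECYCLER), the action MBAM took and its 32-hex record id. A later log with zero counts in every category and no row for the same path is the result the helper is waiting for before moving to the next scanner.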



#8 chrisscheer

chrisscheer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 14 October 2014 - 04:03 PM

Here is the most recent MBAM scan

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/14/2014
Scan Time: 4:34:22 PM
Logfile: 
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.10.14.12
Rootkit Database: v2014.10.11.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: ADMIN

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 443385
Time Elapsed: 22 min, 11 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



#9 chrisscheer

chrisscheer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 15 October 2014 - 02:08 AM

The ESET scan results may be a day or two or three before I can return to send them. Thanks again.

 

Chris



#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:13 AM

Posted 16 October 2014 - 11:48 AM

OK :)



#11 chrisscheer

chrisscheer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 26 October 2014 - 08:10 PM

The last ESET Scan had no threats found.  No downloads offered.



#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:13 AM

Posted 29 October 2014 - 03:02 AM

Hi chrisscheer,

Marius is not available at the moment, so I will work with you from now on. Please post back with a fresh FRST logfile and tell me how the system is running.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#13 chrisscheer

chrisscheer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 30 October 2014 - 06:43 PM

Hi.  Are you up to speed on my time issue with getting to the computer?  I need a little extra time due to my schedule.



#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:13 AM

Posted 31 October 2014 - 01:11 AM

no problem :)
regards,
schrauber


#15 chrisscheer

chrisscheer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 31 October 2014 - 01:49 PM

Here is the requested scan.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 08-10-2014 01 ([color=red]ATTENTION: ====> FRST version is 23 days old and could be outdated[/color])
Ran by SYSTEM on MININT-KKOK5TK on 31-10-2014 14:45:53
Running from g:\
Platform: Windows 7 Ultimate (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
[b]ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.[/b]

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-08-01] (Apple Inc.)
HKU\ADMIN\...\Run: [EPSON NX420 Series (Copy 1)] => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIGCA.EXE [200704 2009-09-14] (SEIKO EPSON CORPORATION)
HKU\ADMIN\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [21652064 2014-07-24] (Skype Technologies S.A.)
HKU\ADMIN\...\Policies\system: [LogonHoursAction] 2
HKU\ADMIN\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Catherine\...\RunOnce: [DPAPIKeyMig] => C:\Windows\system32\dpapimig.exe [72192 2009-07-13] (Microsoft Corporation)
HKU\Catherine\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516096 2010-11-20] (Microsoft Corporation)
HKU\Jon\...\RunOnce: [DPAPIKeyMig] => C:\Windows\system32\dpapimig.exe [72192 2009-07-13] (Microsoft Corporation)
HKU\Jon\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516096 2010-11-20] (Microsoft Corporation)
HKU\Jon Leonard\...\Policies\system: [LogonHoursAction] 2
HKU\Jon Leonard\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
GroupPolicyUsers\S-1-5-21-1920155137-493942973-3620939436-1003\User: Group Policy restriction detected <======= ATTENTION

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 c2cautoupdatesvc; C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
S2 c2cpnrsvc; C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)
S2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2012-01-18] (Logitech Inc.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 LNE100; C:\Windows\System32\DRIVERS\LNE100V5.sys [36224 2001-10-24] (LinkSys Group Inc.)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-22 10:11 - 2014-10-22 10:11 - 02347384 _____ (ESET) C:\Users\ADMIN\Downloads\esetsmartinstaller_enu(2).exe
2014-10-21 15:34 - 2014-10-09 17:44 - 00396288 _____ (Microsoft Corporation) C:\Windows\System32\aepdu.dll
2014-10-21 15:34 - 2014-10-09 17:44 - 00230912 _____ (Microsoft Corporation) C:\Windows\System32\generaltel.dll
2014-10-21 15:34 - 2014-10-09 17:39 - 00302592 _____ (Microsoft Corporation) C:\Windows\System32\aeinv.dll
2014-10-21 15:34 - 2014-09-28 16:41 - 02379264 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2014-10-21 15:33 - 2014-10-06 18:04 - 00331448 _____ (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2014-10-21 15:33 - 2014-09-25 14:46 - 00365056 _____ (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2014-10-21 15:33 - 2014-09-25 14:46 - 00243200 _____ (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2014-10-21 15:33 - 2014-09-25 14:46 - 00069632 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2014-10-21 15:33 - 2014-09-25 14:43 - 11807232 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2014-10-21 15:33 - 2014-09-25 14:32 - 02017280 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2014-10-21 15:33 - 2014-09-24 17:40 - 00519680 _____ (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2014-10-21 15:33 - 2014-09-18 17:44 - 17484800 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-10-21 15:33 - 2014-09-18 17:25 - 04201472 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2014-10-21 15:33 - 2014-09-18 17:14 - 02724864 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-10-21 15:33 - 2014-09-18 17:14 - 00004096 _____ (Microsoft Corporation) C:\Windows\System32\ieetwcollectorres.dll
2014-10-21 15:33 - 2014-09-18 17:02 - 00454656 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2014-10-21 15:33 - 2014-09-18 17:01 - 00061952 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2014-10-21 15:33 - 2014-09-18 17:01 - 00051200 _____ (Microsoft Corporation) C:\Windows\System32\ieetwproxystub.dll
2014-10-21 15:33 - 2014-09-18 16:59 - 00061952 _____ (Microsoft Corporation) C:\Windows\System32\MshtmlDac.dll
2014-10-21 15:33 - 2014-09-18 16:55 - 02187264 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2014-10-21 15:33 - 2014-09-18 16:54 - 00043008 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2014-10-21 15:33 - 2014-09-18 16:53 - 00032768 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2014-10-21 15:33 - 2014-09-18 16:51 - 00440320 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2014-10-21 15:33 - 2014-09-18 16:50 - 00112128 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2014-10-21 15:33 - 2014-09-18 16:50 - 00108032 _____ (Microsoft Corporation) C:\Windows\System32\ieetwcollector.exe
2014-10-21 15:33 - 2014-09-18 16:49 - 00597504 _____ (Microsoft Corporation) C:\Windows\System32\jscript9diag.dll
2014-10-21 15:33 - 2014-09-18 16:44 - 00646144 _____ (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
2014-10-21 15:33 - 2014-09-18 16:36 - 00060416 _____ (Microsoft Corporation) C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-10-21 15:33 - 2014-09-18 16:32 - 00164864 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2014-10-21 15:33 - 2014-09-18 16:20 - 00677888 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2014-10-21 15:33 - 2014-09-18 16:20 - 00607744 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2014-10-21 15:33 - 2014-09-18 16:18 - 01068032 _____ (Microsoft Corporation) C:\Windows\System32\mshtmlmedia.dll
2014-10-21 15:33 - 2014-09-18 15:59 - 01810944 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2014-10-21 15:33 - 2014-09-18 15:53 - 01190400 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2014-10-21 15:33 - 2014-09-18 15:52 - 00678400 _____ (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2014-10-21 15:33 - 2014-09-03 21:04 - 00372736 _____ (Microsoft Corporation) C:\Windows\System32\rastls.dll
2014-10-21 15:33 - 2014-06-18 14:23 - 01131664 _____ (Microsoft Corporation) C:\Windows\System32\dfshim.dll
2014-10-21 15:33 - 2014-06-18 14:23 - 00156824 _____ (Microsoft Corporation) C:\Windows\System32\mscorier.dll
2014-10-21 15:33 - 2014-06-18 14:23 - 00081560 _____ (Microsoft Corporation) C:\Windows\System32\mscories.dll
2014-10-21 15:32 - 2014-09-17 17:32 - 02363904 _____ (Microsoft Corporation) C:\Windows\System32\msi.dll
2014-10-21 15:32 - 2014-09-12 17:40 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\packager.dll
2014-10-21 15:32 - 2014-09-09 13:47 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\tzres.dll
2014-10-21 15:32 - 2014-07-16 17:40 - 00157696 _____ (Microsoft Corporation) C:\Windows\System32\winsta.dll
2014-10-21 15:32 - 2014-07-16 17:39 - 03221504 _____ (Microsoft Corporation) C:\Windows\System32\mstscax.dll
2014-10-21 15:32 - 2014-07-16 17:39 - 01051136 _____ (Microsoft Corporation) C:\Windows\System32\mstsc.exe
2014-10-21 15:32 - 2014-07-16 17:39 - 00919552 _____ (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2014-10-21 15:32 - 2014-07-16 17:39 - 00523264 _____ (Microsoft Corporation) C:\Windows\System32\termsrv.dll
2014-10-21 15:32 - 2014-07-16 17:39 - 00304128 _____ (Microsoft Corporation) C:\Windows\System32\winlogon.exe
2014-10-21 15:32 - 2014-07-16 17:39 - 00131584 _____ (Microsoft Corporation) C:\Windows\System32\aaclient.dll
2014-10-21 15:32 - 2014-07-16 17:39 - 00130048 _____ (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2014-10-21 15:32 - 2014-07-16 17:39 - 00065536 _____ (Microsoft Corporation) C:\Windows\System32\TSpkg.dll
2014-10-21 15:32 - 2014-07-16 17:39 - 00017408 _____ (Microsoft Corporation) C:\Windows\System32\credssp.dll
2014-10-21 15:32 - 2014-07-16 17:03 - 00184320 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2014-10-21 15:32 - 2014-07-16 17:02 - 00031232 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tssecsrv.sys
2014-10-21 15:24 - 2014-10-21 15:24 - 02347384 _____ (ESET) C:\Users\ADMIN\Downloads\esetsmartinstaller_enu(1).exe
2014-10-14 15:40 - 2014-10-14 15:41 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-10-14 13:10 - 2014-10-14 13:10 - 02347384 _____ (ESET) C:\Users\ADMIN\Downloads\esetsmartinstaller_enu.exe
2014-10-10 17:56 - 2014-10-31 14:45 - 00000000 ____D () C:\FRST

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-31 10:42 - 2014-05-10 14:05 - 01348516 _____ () C:\Windows\WindowsUpdate.log
2014-10-31 10:34 - 2014-05-10 11:34 - 00781298 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-10-31 10:32 - 2009-07-13 20:39 - 00040038 _____ () C:\Windows\setupact.log
2014-10-31 10:29 - 2009-07-13 20:34 - 00020816 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-31 10:29 - 2009-07-13 20:34 - 00020816 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-30 03:24 - 2014-05-10 12:59 - 00229000 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2014-10-22 12:34 - 2014-06-10 03:47 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-10-22 10:09 - 2014-05-10 11:41 - 00111520 _____ () C:\Users\ADMIN\AppData\Local\GDIPFONTCACHEV1.DAT
2014-10-22 10:09 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\rescache
2014-10-21 23:53 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-10-21 23:44 - 2009-07-13 20:33 - 00434136 _____ () C:\Windows\System32\FNTCACHE.DAT
2014-10-21 23:42 - 2014-05-10 13:14 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-10-21 23:41 - 2014-05-19 10:41 - 00000000 ___SD () C:\Windows\System32\CompatTel
2014-10-21 23:21 - 2014-05-10 14:52 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-10-21 23:12 - 2009-07-13 18:04 - 00000478 _____ () C:\Windows\win.ini
2014-10-21 23:11 - 2014-05-19 15:00 - 00000000 ____D () C:\Windows\System32\MRT
2014-10-21 23:06 - 2014-05-19 15:00 - 100290944 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-10-21 23:00 - 2014-08-14 12:57 - 00000000 ____D () C:\Users\ADMIN\AppData\Roaming\Skype

Files to move or delete:
====================
C:\Users\ADMIN\GoToAssist_phone__268_en.exe


Some content of TEMP:
====================
C:\Users\ADMIN\AppData\Local\Temp\fp_pl_pfs_installer.exe


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe
[2014-10-21 15:32] - [2014-07-16 17:39] - 0304128 ____A (Microsoft Corporation) 52449FD429D6053B78AE564DEF303870

C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================

Restore point made on: 2014-09-05 12:55:52
Restore point made on: 2014-09-08 16:24:48
Restore point made on: 2014-09-10 15:42:51
Restore point made on: 2014-09-14 10:37:03
Restore point made on: 2014-09-14 15:32:57
Restore point made on: 2014-09-19 01:48:26
Restore point made on: 2014-10-15 10:18:49
Restore point made on: 2014-10-21 15:34:34
Restore point made on: 2014-10-21 23:01:27
Restore point made on: 2014-10-31 10:25:28

==================== Memory info =========================== 

Percentage of memory in use: 14%
Total physical RAM: 3006.55 MB
Available physical RAM: 2583.75 MB
Total Pagefile: 3004.83 MB
Available Pagefile: 2580.24 MB
Total Virtual: 2047.88 MB
Available Virtual: 1966.34 MB

==================== Drives ================================

Drive c: (HP_PAVILION) (Fixed) (Total:270.61 GB) (Free:76.07 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (HP_RECOVERY) (Fixed) (Total:8.82 GB) (Free:0.57 GB) FAT32
Drive g: (STORE N GO) (Removable) (Total:3.73 GB) (Free:2.83 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 279.5 GB) (Disk ID: CAB10BEE)
Partition 1: (Active) - (Size=270.6 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=8.8 GB) - (Type=0C)

========================================================
Disk: 1 (Size: 3.7 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.


LastRegBack: 2014-10-22 00:13

==================== End Of Log ============================
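When a thread like this reaches a long FRST log, the lines a responder reads first are FRST's own `<======= ATTENTION` flags, drivers whose file is missing from disk (`[X]`), autorun entries with no publisher, loose executables in the profile or TEMP, and entries in the Bamital & volsnap check that were not matched against FRST's whitelist. The script below is an added example for this thread, not part of FRST and not part of the helper's fix: it parses a log excerpt and flags those cases. The section names and line shapes it relies on are assumptions drawn from the log posted above; every sample line is copied from that log except the `Updater` autorun line, which is constructed to exercise the missing-publisher check and was not present on the poster's machine.

```python
"""Triage the text sections of a Farbar Recovery Scan Tool (FRST) log.

Added example for this thread, not FRST's code or the helper's fix.
Section names and line shapes are assumptions drawn from the posted log.
"""
import re
from collections import Counter

# '==== Name ====' header; the lazy group captures the section title.
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# Run/RunOnce autorun line: [name] => path [size date] (publisher)
RUN_RE = re.compile(
    r"^(?:HKLM|HKU\\[^\\]+)\\\.\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] => "
    r"(?P<path>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>.*)\)$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed for the demo (empty publisher); not present in the real log.
CONSTRUCTED_AUTORUN = (
    r"HKU\ADMIN\...\Run: [Updater] => C:\Users\ADMIN\AppData\Roaming\updater.exe [51200 2014-09-27] ()"
)

# Every other line below is copied from the log posted in this thread.
SAMPLE_LOG = rf"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
HKU\ADMIN\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [21652064 2014-07-24] (Skype Technologies S.A.)
{CONSTRUCTED_AUTORUN}
GroupPolicyUsers\S-1-5-21-1920155137-493942973-3620939436-1003\User: Group Policy restriction detected <======= ATTENTION

==================== Drivers (Whitelisted) ====================

S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]

Files to move or delete:
====================
C:\Users\ADMIN\GoToAssist_phone__268_en.exe

Some content of TEMP:
====================
C:\Users\ADMIN\AppData\Local\Temp\fp_pl_pfs_installer.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe
[2014-10-21 15:32] - [2014-07-16 17:39] - 0304128 ____A (Microsoft Corporation) 52449FD429D6053B78AE564DEF303870

C:\Windows\System32\wininit.exe => MD5 is legit
"""


def split_sections(text):
    """Return (section, line) pairs, dropping blank lines and headers.
    FRST uses two header styles: '==== Name ====' and 'Name:' over a '====' underline."""
    lines = text.splitlines()
    pairs, section, i = [], "Header", 0
    while i < len(lines):
        line = lines[i].rstrip()
        m = SECTION_RE.match(line)
        if m and m.group(1):
            section = m.group(1)
        elif m:
            pass  # bare '====' underline, already consumed with its title
        elif line.endswith(":") and i + 1 < len(lines) and set(lines[i + 1].strip()) == {"="}:
            section = line[:-1]
            i += 1  # skip the underline
        elif line:
            pairs.append((section, line))
        i += 1
    return pairs


def triage(text):
    """Flag the lines a responder reads first. 'md5_not_whitelisted' only means
    FRST's database lacks this build: here winlogon.exe's dates match the
    2014-10-21 Windows Update batch elsewhere in the log, so compare the hash
    with a known-good copy before treating the file as tampered."""
    pairs = split_sections(text)
    findings = []
    for idx, (section, line) in enumerate(pairs):
        if "<======= ATTENTION" in line:
            findings.append(("frst_attention", section, line))
        if section.startswith(("Drivers", "Services")) and line.endswith("[X]"):
            findings.append(("file_missing", section, line))  # registered, file absent
        if section.startswith("Registry"):
            m = RUN_RE.match(line)
            if m and not m.group("publisher").strip():
                findings.append(("autorun_no_publisher", section, line))
        if section in ("Files to move or delete", "Some content of TEMP") and line.lower().endswith((".exe", ".dll", ".scr")):
            findings.append(("loose_executable", section, line))
        if section.startswith("Bamital") and PATH_RE.match(line) and "=> MD5 is legit" not in line:
            nxt = pairs[idx + 1][1] if idx + 1 < len(pairs) else ""
            md5 = nxt.rsplit(" ", 1)[-1] if nxt.startswith("[") else "?"  # hash is the last token
            findings.append(("md5_not_whitelisted", section, f"{line} md5={md5}"))
    return findings


def summarize(findings):
    """Count findings per category (a Counter, so absent keys read as 0)."""
    return Counter(cat for cat, _, _ in findings)


if __name__ == "__main__":
    for cat, section, line in triage(SAMPLE_LOG):
        print(f"{cat:22} [{section}] {line}")
```

Run against the excerpt, it reports the Group Policy restriction, the two `[X]` drivers, the constructed no-publisher autorun, the two loose executables and winlogon.exe with its listed MD5. The drivers flagged `[X]` here (synth3dvsc, tsusbhub, rdvgkmd) are RemoteFX components whose registration without a file is common on Windows 7 and is not by itself a sign of infection; the script surfaces them so the helper can decide, it does not judge them.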
