shortcuts


  • This topic is locked
16 replies to this topic

#1 aufa0101

aufa0101

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:30 AM

Posted 03 April 2015 - 02:07 AM

hi there, I'm having this problem where some of my folders and files disappeared from the desktop. When I type the file or folder name in the search box, it appears, but I cannot open it. The notification is as stated below:

 

"Problem with shortcut : The item ".........." that this shortcut refers to has been changed or moved, so this shortcut will no longer work properly. Do you want to delete this shortcut?"

 

My questions are:

 

1. Was my notebook infected by the so-called 'shortcut virus'?

2. Are there any possibilities to recover my missing folders and files?

 

The weird thing is that all files and folders created from 16 March 2015 to recent are still on my D drive and desktop, but some of the folders or files created on 2 - 4 March 2015 are gone.

 

Sorry for my bad English. I really appreciate your attention and help. Tq




 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:30 PM

Posted 04 April 2015 - 07:21 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

"Problem with shortcut : The item ".........." that this shortcut refers to has been changed or moved, so this shortcut will no longer work properly. Do you want to delete this shortcut?"

Right click on the Shortcut and look at the properties.
You should be able to see where the shortcut is looking for the .exe file.
Check to see if you have the correct PATH to start that .exe file.

If the .exe file is found, create a new shortcut and try to run the application from it.
If all is well delete the bad shortcut.

Let me know how it goes.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Wait for further instructions.
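
A read-only check that does what nasdaq describes for every shortcut at once, resolving each .lnk target and listing the ones whose target no longer exists. This is an added example, not nasdaq's instructions or an FRST feature; the folder list and the hidden-sibling heuristic are assumptions.

```powershell
# Added example, not part of the thread's instructions: a read-only triage of .lnk shortcuts.
# It resolves each shortcut's target (the PATH the Properties dialog shows), reports those
# whose target no longer exists, and notes whether a hidden folder with the same base name
# sits beside the shortcut (a heuristic assumption, not something the thread asserts).
# Assumes Windows PowerShell 2.0 or later; the default folder list is an assumption.
function Get-BrokenShortcut {
    param(
        [string[]]$Folders = @([Environment]::GetFolderPath('Desktop'), 'D:\')
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        $links = Get-ChildItem -LiteralPath $folder -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue
        foreach ($file in $links) {
            $lnk = $shell.CreateShortcut($file.FullName)
            $target = $lnk.TargetPath
            # An empty TargetPath means the shortcut points at a shell object rather than a file;
            # treat it as unresolvable so it shows up in the report.
            $targetExists = ($target -ne '') -and (Test-Path -LiteralPath $target)
            # Hidden sibling: a folder named like the shortcut, carrying the Hidden attribute,
            # in the same directory (heuristic assumption).
            $sibling = Join-Path $file.DirectoryName $file.BaseName
            $hiddenSibling = (Test-Path -LiteralPath $sibling -PathType Container) -and
                ((Get-Item -LiteralPath $sibling -Force).Attributes -band [IO.FileAttributes]::Hidden)
            New-Object PSObject -Property @{
                Shortcut      = $file.FullName
                Target        = $target
                Arguments     = $lnk.Arguments
                TargetExists  = $targetExists
                HiddenSibling = [bool]$hiddenSibling
            }
        }
    }
}

# Report only the shortcuts that would trigger the "has been changed or moved" dialog.
Get-BrokenShortcut | Where-Object { -not $_.TargetExists } |
    Select-Object Shortcut, Target, Arguments, HiddenSibling | Format-List
```

Run it from an ordinary PowerShell prompt; it only reads the shortcuts and changes nothing, so the report can be pasted alongside the FRST logs.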

#3 aufa0101

aufa0101
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:30 AM

Posted 08 April 2015 - 08:39 PM

hi nasdaq, tqvm for your response. I've tried the first step in the instructions but failed to find the .exe file. The screenshot is attached. What should I do next? tq again



#4 aufa0101

aufa0101
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:30 AM

Posted 08 April 2015 - 08:53 PM

This is the log after I've run Farbar:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 11-03-2015
Ran by user at 2015-04-09 09:47:18
Running from C:\Users\user\Desktop\farbar
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: F-Secure Client Security 11.60 (Enabled - Up to date) {15414183-282E-D62C-CA37-EF24860A2F17}
AS: F-Secure Client Security 11.60 (Enabled - Up to date) {AE20A067-0E14-D9A2-F087-D456FD8D65AA}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: F-Secure Client Security 11.60 (Enabled) {2D7AC0A6-6241-D774-E168-461178D9686C}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (HKLM\...\7-Zip) (Version: - )
Acer Crystal Eye Webcam 2.0.8 (HKLM\...\{A77255C4-AFCB-44A3-BF0F-2091A71FFD9E}) (Version: 2.0.8 - SuYin)
Adobe Flash Player 11 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.2.202.228 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.01) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.01 - Adobe Systems Incorporated)
F-Secure Client Security - Browsing protection (HKLM\...\F-Secure Browsing Protection) (Version: 2.00.492 - F-Secure Corporation)
F-Secure Client Security - DeepGuard (HKLM\...\F-Secure HIPS) (Version: 5.0.411 - F-Secure Corporation)
F-Secure Client Security - Device control (HKLM\...\F-Secure Device Control) (Version: 1.00.17505 - F-Secure Corporation)
F-Secure Client Security - Internet Shield (HKLM\...\F-Secure Internet Shield) (Version: 6.40 - F-Secure Corporation)
F-Secure Client Security - Virus & Spy Protection (HKLM\...\F-Secure Anti-Virus) (Version: 9.51.131 - F-Secure Corporation)
F-Secure Client Security - Web traffic scanning (HKLM\...\F-Secure Protocol Scanner) (Version: 3.00.422 - F-Secure Corporation)
F-Secure PSC Prerequisites (Version: 1.0.7 - F-Secure Corporation) Hidden
GetDataBack for NTFS (HKLM\...\{56582EEA-3AEF-4D84-8B9D-C87A3CD9250F}) (Version: 4.25.000 - Runtime Software)
Google Chrome (HKU\S-1-5-21-2138799348-2555380053-1460328437-1000\...\Google Chrome) (Version: 41.0.2272.118 - Google Inc.)
K-Lite Codec Pack 9.9.5 (Full) (HKLM\...\KLiteCodecPack_is1) (Version: 9.9.5 - )
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Microsoft Office Professional Plus 2007 (HKLM\...\PROPLUS) (Version: 12.0.4518.1014 - Microsoft Corporation)
Reflection for HP with NS/VT 8.0.6 (HKLM\...\{9F2A118D-C99D-4F77-BAD9-8A86C19041A8}) (Version: 8.0.6149 - WRQ, Inc.)
Samsung Universal Print Driver 2 (HKLM\...\Samsung Universal Print Driver 2) (Version: 2.50.04.00 - Samsung Electronics Co., Ltd.)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 11.0.2.0 - Synaptics)
WinRAR archiver (HKLM\...\WinRAR archiver) (Version: - )

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2138799348-2555380053-1460328437-1000_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2138799348-2555380053-1460328437-1000_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2138799348-2555380053-1460328437-1000_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2138799348-2555380053-1460328437-1000_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2138799348-2555380053-1460328437-1000_Classes\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\localserver32 -> C:\Users\user\AppData\Local\Google\Chrome\Application\41.0.2272.118\delegate_execute.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2138799348-2555380053-1460328437-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.24.15\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2138799348-2555380053-1460328437-1000_Classes\CLSID\{A45426FB-E444-42B2-AA56-419F8FBEEC61}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.22.3\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2138799348-2555380053-1460328437-1000_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2138799348-2555380053-1460328437-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.26.9\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2138799348-2555380053-1460328437-1000_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2138799348-2555380053-1460328437-1000_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.21.115\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2138799348-2555380053-1460328437-1000_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2138799348-2555380053-1460328437-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.26.9\psuser.dll (Google Inc.)

==================== Restore Points =========================

26-03-2015 03:00:48 Windows Update
30-03-2015 15:43:11 Windows Update
30-03-2015 16:17:02 Windows Update
03-04-2015 10:35:31 Windows Update
03-04-2015 10:46:42 Windows Update
09-04-2015 09:11:07 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 18:23 - 2006-09-19 05:41 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost
::1 localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {3F7B7A61-E781-42EE-B356-7629C49B16E0} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\VistaSP1CEIP => C:\Windows\servicing\vsp1ceip.exe [2008-01-18] (Microsoft Corporation)
Task: {74CACAEF-3B96-456A-B5A8-B4408CF2728E} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2138799348-2555380053-1460328437-1000Core => C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2014-02-10] (Google Inc.)
Task: {9E52E8BE-1525-4DBB-B336-358A929A67C8} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2138799348-2555380053-1460328437-1000UA => C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2014-02-10] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2138799348-2555380053-1460328437-1000Core.job => C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2138799348-2555380053-1460328437-1000UA.job => C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) ==============

2014-08-29 16:42 - 2011-04-11 13:26 - 00024064 _____ () C:\Windows\System32\spe__l.dll
2014-02-10 09:28 - 2014-07-01 20:19 - 00220200 _____ () c:\program files\f-secure\daas2\daas2.dll
2014-02-10 15:55 - 2014-02-10 15:55 - 00030888 _____ () C:\Program Files\F-Secure\Anti-Virus\minifilter\hashlib_x86.dll
2014-02-10 08:58 - 2008-07-08 23:26 - 00159744 _____ () C:\Windows\system32\atitmmxx.dll
2014-02-10 09:01 - 2007-10-23 10:56 - 00200704 _____ () C:\Windows\PLFSetI.exe
2014-02-10 09:28 - 2014-07-01 20:19 - 00642088 _____ () C:\Program Files\F-Secure\FSGUI\about.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2138799348-2555380053-1460328437-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\user\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
DNS Servers: 10.1.100.11 - 10.1.100.10

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== Accounts: =============================

Administrator (S-1-5-21-2138799348-2555380053-1460328437-500 - Administrator - Disabled)
Guest (S-1-5-21-2138799348-2555380053-1460328437-501 - Limited - Disabled)
Mara (S-1-5-21-2138799348-2555380053-1460328437-1001 - Administrator - Enabled) => C:\Users\Mara
user (S-1-5-21-2138799348-2555380053-1460328437-1000 - Administrator - Enabled) => C:\Users\user

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (04/09/2015 09:45:03 AM) (Source: FSecure-FSecure-F-Secure DeepGuard) (EventID: 103) (User: )
Description: 1 2015-04-09 09:45:03+08:00 user-pc SYSTEM F-Secure DeepGuard
Application was blocked. This was determined to be a high-risk application by system control heuristics.
Application path: \\?\c:\users\user\desktop\farbar\frst.exe
File hash: a453cf4bb39819b288d814c475089aa89e3881e9

Error: (04/03/2015 11:20:35 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 5) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B1BC968BD4F49D622AA89A81F2150152A41D829C.crtThis network connection does not exist.

Error: (04/03/2015 11:20:35 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 5) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B1BC968BD4F49D622AA89A81F2150152A41D829C.crtThis network connection does not exist.

Error: (04/03/2015 11:20:35 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 5) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B1BC968BD4F49D622AA89A81F2150152A41D829C.crtThis network connection does not exist.

Error: (04/03/2015 11:20:35 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 5) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B1BC968BD4F49D622AA89A81F2150152A41D829C.crt12017 (0x2ef1)

Error: (04/03/2015 10:51:24 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (04/03/2015 10:50:20 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (03/30/2015 03:53:57 PM) (Source: FSecure-FSecure-F-Secure Anti-Virus) (EventID: 103) (User: )
Description: 1 2015-03-30 15:53:57+08:00 user-pc user-PC\user F-Secure Anti-Virus
Malicious code found in file F:\.lnk.
Infection: Trojan.LNK.Gen
Action: The file was deleted.

Error: (03/30/2015 03:44:10 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (03/25/2015 04:06:26 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.


System errors:
=============
Error: (04/09/2015 08:47:31 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Parallel port driver%%1058

Error: (04/09/2015 08:47:08 AM) (Source: netbt) (EventID: 4321) (User: )
Description: The name "USER-PC :20" could not be registered on the interface with IP address 10.31.82.40.
The computer with the IP address 10.31.81.95 did not allow the name to be claimed by
this computer.

Error: (04/09/2015 08:47:08 AM) (Source: netbt) (EventID: 4321) (User: )
Description: The name "USER-PC :0" could not be registered on the interface with IP address 10.31.82.40.
The computer with the IP address 10.31.81.95 did not allow the name to be claimed by
this computer.

Error: (04/09/2015 08:47:08 AM) (Source: netbt) (EventID: 4321) (User: )
Description: The name "USER-PC :0" could not be registered on the interface with IP address 10.31.82.40.
The computer with the IP address 10.31.81.95 did not allow the name to be claimed by
this computer.

Error: (04/09/2015 08:47:08 AM) (Source: Server) (EventID: 2505) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{8BD342B1-EE31-4DB5-9B3A-523BB31CF857} because another computer on the network has the same name. The server could not start.

Error: (04/09/2015 08:46:23 AM) (Source: HTTP) (EventID: 15016) (User: )
Description: \Device\Http\ReqQueueKerberos

Error: (04/09/2015 08:46:20 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 3:23:24 PM on 4/3/2015 was unexpected.

Error: (04/03/2015 11:23:39 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: PEVSystemStart

Error: (04/03/2015 11:19:33 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: PEVSystemStart

Error: (04/03/2015 11:16:07 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: PEVSystemStart


Microsoft Office Sessions:
=========================
Error: (03/12/2014 08:53:38 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 2321 seconds with 1860 seconds of active time. This session ended with a crash.


CodeIntegrity Errors:
===================================
Date: 2015-04-09 09:47:12.601
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-09 09:47:12.523
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-09 09:47:12.445
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-09 09:47:12.367
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-09 09:46:44.085
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-09 09:46:43.991
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-09 09:46:43.851
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-09 09:46:43.741
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-09 09:46:43.632
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-09 09:46:43.554
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: AMD Turion™ X2 Dual-Core Mobile RM-75
Percentage of memory in use: 42%
Total physical RAM: 3037.49 MB
Available physical RAM: 1737.45 MB
Total Pagefile: 6315.53 MB
Available Pagefile: 4954.57 MB
Total Virtual: 2047.88 MB
Available Virtual: 1917.23 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:67.02 GB) (Free:38.16 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:67.02 GB) (Free:66.92 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 149.1 GB) (Disk ID: 4DBAFA21)
Partition 1: (Not Active) - (Size=15 GB) - (Type=27)
Partition 2: (Active) - (Size=67 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=67 GB) - (Type=07 NTFS)


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by user (administrator) on USER-PC on 09-04-2015 09:46:02
Running from C:\Users\user\Desktop\farbar
Loaded Profiles: user (Available profiles: user & Mara)
Platform: Microsoft® Windows Vista™ Business Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 7 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(F-Secure Corporation) C:\Program Files\F-Secure\Anti-Virus\FSGK32ST.exe
(F-Secure Corporation) C:\Program Files\F-Secure\Device Control\fsdevcon32.exe
(F-Secure Corporation) C:\Program Files\F-Secure\Anti-Virus\fsgk32.exe
(F-Secure Corporation) C:\Program Files\F-Secure\Common\FSMA32.EXE
(F-Secure Corporation) C:\Program Files\F-Secure\Common\FSHDLL32.EXE
(F-Secure Corporation) C:\Program Files\F-Secure\Common\FNRB32.exe
(F-Secure Corporation) C:\Program Files\F-Secure\ORSP Client\fsorsp.exe
(F-Secure Corporation) C:\Program Files\F-Secure\FWES\program\fsdfwd.exe
(F-Secure Corporation) C:\Program Files\F-Secure\Common\FIH32.exe
(F-Secure Corporation) C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
(F-Secure Corporation) C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
() C:\Windows\PLFSetI.exe
(F-Secure Corporation) C:\Program Files\F-Secure\Common\FSM32.EXE
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\ieuser.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\wsqmcons.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_11_2_202_228_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\mspaint.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Microsoft Corporation) C:\Windows\System32\conime.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1037608 2008-02-22] (Synaptics, Inc.)
HKLM\...\Run: [PLFSetI] => C:\Windows\PLFSetI.exe [200704 2007-10-23] ()
HKLM\...\Run: [F-Secure Manager] => C:\Program Files\F-Secure\Common\FSM32.EXE [347688 2014-07-01] (F-Secure Corporation)
HKLM\...\Run: [F-Secure TNB] => C:\Program Files\F-Secure\FSGUI\TNBUtil.exe [1969192 2014-07-01] (F-Secure Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-19] (Adobe Systems Incorporated)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2138799348-2555380053-1460328437-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2138799348-2555380053-1460328437-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2138799348-2555380053-1460328437-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://maranet.mara.gov.my/intranet/
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-09-23] (Adobe Systems Incorporated)
Tcpip\Parameters: [DhcpNameServer] 10.1.100.11 10.1.100.10

FireFox:
========
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2012-12-19] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2138799348-2555380053-1460328437-1000: @tools.google.com/Google Update;version=3 -> C:\Users\user\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-11] (Google Inc.)
FF Plugin HKU\S-1-5-21-2138799348-2555380053-1460328437-1000: @tools.google.com/Google Update;version=9 -> C:\Users\user\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-11] (Google Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-03-23]

Chrome:
=======
CHR Plugin: (Shockwave Flash) - C:\Users\user\AppData\Local\Google\Chrome\Application\41.0.2272.101\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\user\AppData\Local\Google\Chrome\Application\41.0.2272.101\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\user\AppData\Local\Google\Chrome\Application\41.0.2272.101\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Update) - C:\Users\user\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-26]
CHR Extension: (Google Wallet) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-03-26]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 F-Secure Gatekeeper Handler Starter; C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe [224296 2014-07-01] (F-Secure Corporation)
R3 F-Secure Network Request Broker; C:\Program Files\F-Secure\Common\FNRB32.EXE [217128 2014-07-01] (F-Secure Corporation)
R2 fsdevcon; C:\Program Files\F-Secure\Device Control\\fsdevcon32.exe [419368 2014-07-01] (F-Secure Corporation)
R3 FSDFWD; C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe [556072 2014-07-01] (F-Secure Corporation)
R2 FSMA; C:\Program Files\F-Secure\Common\FSMA32.EXE [208424 2014-07-01] (F-Secure Corporation)
R3 FSORSPClient; C:\Program Files\F-Secure\ORSP Client\fsorsp.exe [60456 2015-03-16] (F-Secure Corporation)
R3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-18] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 ahcix86s; C:\Windows\System32\DRIVERS\ahcix86s.sys [171016 2008-05-28] (AMD Technologies Inc.)
S4 F-Secure Filter; C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [40256 2013-06-25] ()
R3 F-Secure Gatekeeper; C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys [152104 2015-03-25] (F-Secure Corporation)
R1 F-Secure HIPS; C:\Program Files\F-Secure\HIPS\drivers\fshs.sys [74920 2015-03-16] (F-Secure Corporation)
S4 F-Secure Recognizer; C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [25536 2013-06-25] ()
R0 fsbts; C:\Windows\System32\Drivers\fsbts.sys [44240 2015-03-25] ()
R1 FSFW; C:\Windows\System32\drivers\fsdfw.sys [74184 2014-07-01] (F-Secure Corporation)
R3 fsni; C:\Program Files\F-Secure\NIF\bin\fsni32.sys [73256 2015-03-16] (F-Secure Corporation)
R1 fsvista; C:\Program Files\F-Secure\Anti-Virus\minifilter\fsvista.sys [12840 2014-07-01] ()
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 catchme; \??\C:\Users\user\AppData\Local\Temp\catchme.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-09 09:45 - 2015-04-09 09:46 - 00000000 ____D () C:\FRST
2015-04-09 09:43 - 2015-04-09 09:46 - 00000000 ____D () C:\Users\user\Desktop\farbar
2015-04-03 11:25 - 2015-04-03 11:25 - 00014571 _____ () C:\ComboFix.txt
2015-04-03 11:14 - 2015-04-03 11:26 - 00000000 ____D () C:\ComboFix
2015-04-03 11:14 - 2011-06-26 14:45 - 00256000 _____ () C:\Windows\PEV.exe
2015-04-03 11:14 - 2010-11-08 01:20 - 00208896 _____ () C:\Windows\MBR.exe
2015-04-03 11:14 - 2009-04-20 12:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-04-03 11:14 - 2000-08-31 08:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-04-03 11:14 - 2000-08-31 08:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-04-03 11:14 - 2000-08-31 08:00 - 00098816 _____ () C:\Windows\sed.exe
2015-04-03 11:14 - 2000-08-31 08:00 - 00080412 _____ () C:\Windows\grep.exe
2015-04-03 11:14 - 2000-08-31 08:00 - 00068096 _____ () C:\Windows\zip.exe
2015-04-03 11:13 - 2015-04-03 11:26 - 00000000 ____D () C:\Qoobox
2015-04-03 11:13 - 2015-04-03 11:24 - 00000000 ____D () C:\Windows\erdnt
2015-04-03 10:53 - 2015-04-03 14:46 - 00000000 ____D () C:\Combo
2015-03-27 03:05 - 2010-09-07 00:24 - 00125952 _____ (Microsoft Corporation) C:\Windows\system32\srvsvc.dll
2015-03-27 03:05 - 2010-09-07 00:23 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\netevent.dll
2015-03-27 03:04 - 2009-08-24 20:16 - 00378368 _____ (Microsoft Corporation) C:\Windows\system32\winhttp.dll
2015-03-26 03:03 - 2009-11-08 10:55 - 01130824 _____ (Microsoft Corporation) C:\Windows\system32\dfshim.dll
2015-03-26 03:03 - 2009-11-08 10:55 - 00297808 _____ (Microsoft Corporation) C:\Windows\system32\mscoree.dll
2015-03-26 03:03 - 2009-11-08 10:55 - 00295264 _____ (Microsoft Corporation) C:\Windows\system32\PresentationHost.exe
2015-03-26 03:03 - 2009-11-08 10:55 - 00099176 _____ (Microsoft Corporation) C:\Windows\system32\PresentationHostProxy.dll
2015-03-26 03:03 - 2009-11-08 10:55 - 00049472 _____ (Microsoft Corporation) C:\Windows\system32\netfxperf.dll
2015-03-25 15:13 - 2015-03-25 15:13 - 00000949 _____ () C:\Users\Mara\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-03-25 15:13 - 2015-03-25 15:13 - 00000944 _____ () C:\Users\Mara\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2015-03-25 15:13 - 2015-03-25 15:13 - 00000915 _____ () C:\Users\Mara\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Mail.lnk
2015-03-25 15:13 - 2015-03-25 15:13 - 00000000 ____D () C:\Users\Mara\AppData\Local\VirtualStore
2015-03-25 15:08 - 2015-03-25 15:08 - 00001866 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\GetDataBack for NTFS.lnk
2015-03-25 15:08 - 2015-03-25 15:08 - 00001860 _____ () C:\Users\Public\Desktop\GetDataBack for NTFS.lnk
2015-03-25 15:08 - 2015-03-25 15:08 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Runtime Software
2015-03-25 15:08 - 2015-03-25 15:08 - 00000000 ____D () C:\Program Files\Runtime Software
2015-03-25 14:52 - 2015-03-25 14:52 - 00101032 _____ () C:\Users\Mara\AppData\Local\GDIPFONTCACHEV1.DAT
2015-03-25 14:33 - 2011-01-18 17:47 - 00806717 _____ () C:\Users\user\Desktop\Shortcut Virus Remover v3.1.exe
2015-03-25 14:28 - 2015-03-25 14:28 - 00000000 _____ () C:\Users\user\attrib
2015-03-23 16:23 - 2009-03-17 11:38 - 00024064 _____ (Microsoft Corporation) C:\Windows\system32\amxread.dll
2015-03-23 16:23 - 2009-03-17 11:38 - 00013824 _____ (Microsoft Corporation) C:\Windows\system32\apilogen.dll
2015-03-23 16:23 - 2009-02-13 16:49 - 00888832 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2015-03-23 16:22 - 2008-06-20 09:14 - 00781344 _____ (Microsoft Corporation) C:\Windows\system32\PresentationNative_v0300.dll
2015-03-23 16:22 - 2008-06-20 09:14 - 00622080 _____ (Microsoft Corporation) C:\Windows\system32\icardagt.exe
2015-03-23 16:22 - 2008-06-20 09:14 - 00105016 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-03-23 16:22 - 2008-06-20 09:14 - 00097800 _____ (Microsoft Corporation) C:\Windows\system32\infocardapi.dll
2015-03-23 16:22 - 2008-06-20 09:14 - 00037384 _____ (Microsoft Corporation) C:\Windows\system32\infocardcpl.cpl
2015-03-23 16:22 - 2008-06-20 09:14 - 00011264 _____ (Microsoft Corporation) C:\Windows\system32\icardres.dll
2015-03-23 16:14 - 2008-07-28 02:03 - 00158720 _____ (Microsoft Corporation) C:\Windows\system32\mscorier.dll
2015-03-23 16:14 - 2008-07-28 02:03 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\mscories.dll
2015-03-23 16:12 - 2010-02-21 07:39 - 00024064 _____ (Microsoft Corporation) C:\Windows\system32\nshhttp.dll
2015-03-23 16:12 - 2010-02-21 07:37 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\httpapi.dll
2015-03-23 16:12 - 2010-02-21 05:18 - 00411136 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\http.sys
2015-03-16 11:04 - 2008-06-26 11:29 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\NaturalLanguage6.dll
2015-03-16 11:04 - 2008-06-26 09:45 - 12240896 _____ (Microsoft Corporation) C:\Windows\system32\NlsLexicons0007.dll
2015-03-16 11:04 - 2008-06-26 09:45 - 02644480 _____ (Microsoft Corporation) C:\Windows\system32\NlsLexicons0009.dll
2015-03-16 10:57 - 2011-06-02 20:59 - 02042368 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-03-16 10:57 - 2009-07-12 03:32 - 00513024 _____ (Microsoft Corporation) C:\Windows\system32\wlansvc.dll
2015-03-16 10:57 - 2009-07-12 03:32 - 00302592 _____ (Microsoft Corporation) C:\Windows\system32\wlansec.dll
2015-03-16 10:57 - 2009-07-12 03:32 - 00293376 _____ (Microsoft Corporation) C:\Windows\system32\wlanmsm.dll
2015-03-16 10:57 - 2009-07-12 03:29 - 00127488 _____ (Microsoft Corporation) C:\Windows\system32\L2SecHC.dll
2015-03-16 10:57 - 2009-07-12 01:18 - 02501921 _____ () C:\Windows\system32\wlan.tmf
2015-03-16 10:57 - 2008-06-19 11:31 - 00361984 _____ (Microsoft Corporation) C:\Windows\system32\IPSECSVC.DLL
2015-03-16 10:57 - 2008-04-18 13:48 - 00269312 _____ (Microsoft Corporation) C:\Windows\system32\es.dll
2015-03-16 10:56 - 2011-02-12 12:28 - 00191488 _____ (Microsoft Corporation) C:\Windows\system32\FXSCOVER.exe
2015-03-16 10:56 - 2010-06-16 23:59 - 00898952 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2015-03-16 10:56 - 2010-04-17 00:10 - 00501760 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll
2015-03-16 10:56 - 2009-10-07 20:41 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\raschap.dll
2015-03-16 10:56 - 2009-10-07 20:41 - 00244224 _____ (Microsoft Corporation) C:\Windows\system32\rastls.dll
2015-03-16 10:56 - 2009-08-10 21:05 - 00351232 _____ (Microsoft Corporation) C:\Windows\system32\WSDApi.dll
2015-03-16 10:56 - 2009-04-23 20:43 - 00784896 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2015-03-16 10:55 - 2011-03-11 00:12 - 01161728 _____ (Microsoft Corporation) C:\Windows\system32\mfc42u.dll
2015-03-16 10:55 - 2011-03-11 00:12 - 01136640 _____ (Microsoft Corporation) C:\Windows\system32\mfc42.dll
2015-03-16 10:55 - 2010-08-17 21:32 - 00126464 _____ (Microsoft Corporation) C:\Windows\system32\spoolsv.exe
2015-03-16 10:55 - 2010-06-29 00:15 - 01315840 _____ (Microsoft Corporation) C:\Windows\system32\ole32.dll
2015-03-16 10:55 - 2010-05-28 03:16 - 00081920 _____ (Radius Inc.) C:\Windows\system32\iccvid.dll
2015-03-16 10:55 - 2009-08-10 19:01 - 01399296 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2015-03-16 10:55 - 2009-06-10 20:12 - 00160256 _____ (Microsoft Corporation) C:\Windows\system32\wkssvc.dll
2015-03-16 10:55 - 2008-10-21 13:25 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2015-03-16 10:55 - 2008-06-06 11:27 - 00562176 _____ (Microsoft Corporation) C:\Windows\system32\msdtcprx.dll
2015-03-16 10:55 - 2008-06-06 11:27 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\xolehlp.dll
2015-03-16 10:55 - 2008-04-05 11:34 - 00015360 _____ (Microsoft Corporation) C:\Windows\system32\pacerprf.dll
2015-03-16 10:55 - 2008-04-05 09:21 - 00072192 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\pacer.sys
2015-03-16 10:54 - 2011-02-16 23:35 - 00430080 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-03-16 10:54 - 2011-02-16 23:32 - 00512000 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-03-16 10:54 - 2010-12-14 23:49 - 01169408 _____ (Microsoft Corporation) C:\Windows\system32\sdclt.exe
2015-03-16 10:54 - 2010-08-27 00:07 - 00157184 _____ (Microsoft Corporation) C:\Windows\system32\t2embed.dll
2015-03-16 10:54 - 2010-04-06 00:08 - 00317952 _____ (Microsoft Corporation) C:\Windows\system32\MP4SDECD.DLL
2015-03-16 10:54 - 2009-04-23 20:42 - 00636928 _____ (Microsoft Corporation) C:\Windows\system32\localspl.dll
2015-03-16 10:54 - 2008-10-16 12:47 - 00466944 _____ (Microsoft Corporation) C:\Windows\system32\netapi32.dll
2015-03-16 10:54 - 2008-02-29 15:14 - 00019000 _____ (Microsoft Corporation) C:\Windows\system32\kd1394.dll
2015-03-16 10:54 - 2008-02-29 15:11 - 00988216 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2015-03-16 10:54 - 2008-02-29 15:11 - 00927288 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2015-03-16 10:54 - 2008-02-29 14:53 - 00378368 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-03-16 10:54 - 2008-02-29 14:53 - 00046592 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2015-03-16 10:54 - 2008-02-22 13:05 - 00615992 _____ (Microsoft Corporation) C:\Windows\system32\ci.dll
2015-03-16 10:53 - 2011-01-21 23:46 - 11582464 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2015-03-16 10:53 - 2011-01-21 23:46 - 00351744 _____ (Microsoft Corporation) C:\Windows\system32\shlwapi.dll
2015-03-16 10:53 - 2010-12-30 01:41 - 00429056 _____ (Microsoft Corporation) C:\Windows\system32\EncDec.dll
2015-03-16 10:53 - 2010-12-30 01:41 - 00323072 _____ (Microsoft Corporation) C:\Windows\system32\sbe.dll
2015-03-16 10:53 - 2010-12-30 01:41 - 00153088 _____ (Microsoft Corporation) C:\Windows\system32\sbeio.dll
2015-03-16 10:53 - 2010-12-30 01:39 - 00177664 _____ (Microsoft Corporation) C:\Windows\system32\mpg2splt.ax
2015-03-16 10:53 - 2010-04-17 00:10 - 01314816 _____ (Microsoft Corporation) C:\Windows\system32\quartz.dll
2015-03-16 10:53 - 2010-01-21 23:59 - 00062464 _____ (Fraunhofer Institut Integrierte Schaltungen IIS) C:\Windows\system32\l3codeca.acm
2015-03-16 10:53 - 2008-02-29 14:53 - 00040960 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-03-16 10:53 - 2008-02-29 14:35 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\kbd106n.dll
2015-03-16 10:53 - 2008-02-29 12:12 - 00318464 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-03-16 10:53 - 2008-02-29 12:12 - 00014848 _____ (Microsoft Corporation) C:\Windows\system32\srdelayed.exe
2015-03-16 10:52 - 2011-05-02 23:58 - 00738816 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2015-03-16 10:52 - 2011-04-29 22:54 - 00276992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-03-16 10:52 - 2010-11-06 19:10 - 00357376 _____ (Microsoft Corporation) C:\Windows\system32\taskschd.dll
2015-03-16 10:52 - 2010-11-06 19:10 - 00345088 _____ (Microsoft Corporation) C:\Windows\system32\wmicmiplugin.dll
2015-03-16 10:52 - 2010-11-06 19:10 - 00270336 _____ (Microsoft Corporation) C:\Windows\system32\taskcomp.dll
2015-03-16 10:52 - 2010-11-06 19:09 - 00603648 _____ (Microsoft Corporation) C:\Windows\system32\schedsvc.dll
2015-03-16 10:52 - 2010-11-05 08:53 - 00171520 _____ (Microsoft Corporation) C:\Windows\system32\taskeng.exe
2015-03-16 10:52 - 2008-08-02 11:26 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\cdd.dll
2015-03-16 10:52 - 2008-08-02 09:01 - 00625152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2015-03-16 10:52 - 2008-06-26 11:29 - 00565248 _____ (Microsoft Corporation) C:\Windows\system32\emdmgmt.dll
2015-03-16 10:52 - 2008-06-26 11:29 - 00045056 _____ (Microsoft Corporation) C:\Windows\system32\dataclen.dll
2015-03-16 10:52 - 2008-06-23 09:59 - 00996352 _____ (Microsoft Corporation) C:\Windows\system32\WMNetMgr.dll
2015-03-16 10:52 - 2008-06-23 09:58 - 00094720 _____ (Microsoft Corporation) C:\Windows\system32\logagent.exe
2015-03-16 10:52 - 2008-05-20 10:07 - 00148480 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\nwifi.sys
2015-03-16 10:52 - 2008-05-09 05:59 - 00180224 _____ (Microsoft Corporation) C:\Windows\system32\scrobj.dll
2015-03-16 10:52 - 2008-05-09 05:59 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\scrrun.dll
2015-03-16 10:52 - 2008-05-09 05:59 - 00155648 _____ (Microsoft Corporation) C:\Windows\system32\wscript.exe
2015-03-16 10:52 - 2008-05-09 05:59 - 00090112 _____ (Microsoft Corporation) C:\Windows\system32\wshext.dll
2015-03-16 10:52 - 2008-05-09 05:58 - 00135168 _____ (Microsoft Corporation) C:\Windows\system32\wshom.ocx
2015-03-16 10:52 - 2008-05-09 05:58 - 00135168 _____ (Microsoft Corporation) C:\Windows\system32\cscript.exe
2015-03-16 10:51 - 2011-02-16 23:29 - 00034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-03-16 10:51 - 2011-02-16 21:24 - 00292864 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2015-03-16 10:51 - 2010-12-28 22:57 - 00409600 _____ (Microsoft Corporation) C:\Windows\system32\odbc32.dll
2015-03-16 10:51 - 2010-09-11 02:18 - 10626560 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2015-03-16 10:51 - 2010-09-11 00:37 - 08147456 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2015-03-16 10:51 - 2010-06-16 23:12 - 00072704 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2015-03-16 10:51 - 2009-06-15 23:20 - 00010240 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2015-03-16 10:50 - 2011-02-22 20:51 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\bowser.sys
2015-03-16 10:50 - 2009-08-15 00:29 - 00104960 _____ (Microsoft Corporation) C:\Windows\system32\netiohlp.dll
2015-03-16 10:50 - 2009-08-14 22:16 - 00027136 _____ (Microsoft Corporation) C:\Windows\system32\NETSTAT.EXE
2015-03-16 10:50 - 2009-08-14 22:16 - 00019968 _____ (Microsoft Corporation) C:\Windows\system32\ARP.EXE
2015-03-16 10:50 - 2009-08-14 22:16 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\ROUTE.EXE
2015-03-16 10:50 - 2009-08-14 22:16 - 00011264 _____ (Microsoft Corporation) C:\Windows\system32\MRINFO.EXE
2015-03-16 10:50 - 2009-08-14 22:16 - 00010240 _____ (Microsoft Corporation) C:\Windows\system32\finger.exe
2015-03-16 10:50 - 2009-08-14 22:16 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\TCPSVCS.EXE
2015-03-16 10:50 - 2009-08-14 22:16 - 00008704 _____ (Microsoft Corporation) C:\Windows\system32\HOSTNAME.EXE
2015-03-16 10:49 - 2011-04-14 22:24 - 00075264 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dfsc.sys
2015-03-16 10:49 - 2011-02-18 21:31 - 00304640 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2015-03-16 10:49 - 2010-10-15 22:08 - 03600272 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-03-16 10:49 - 2010-10-15 22:08 - 03548048 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-03-16 10:49 - 2010-10-15 21:48 - 01205080 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-03-16 10:49 - 2009-09-11 01:30 - 00213504 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-03-16 10:48 - 2011-07-06 22:56 - 00213504 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2015-03-16 10:48 - 2011-04-29 20:49 - 00105984 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2015-03-16 10:48 - 2011-04-29 20:49 - 00079360 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2015-03-16 10:48 - 2011-04-21 21:16 - 00273408 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2015-03-16 10:48 - 2011-03-02 22:49 - 00167936 _____ (Microsoft Corporation) C:\Windows\system32\dnsapi.dll
2015-03-16 10:48 - 2011-03-02 22:49 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\dnsrslvr.dll
2015-03-16 10:48 - 2010-04-06 00:07 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\asycfilt.dll
2015-03-16 10:48 - 2009-07-17 22:35 - 00071680 _____ (Microsoft Corporation) C:\Windows\system32\atl.dll
2015-03-16 10:48 - 2009-06-10 20:11 - 02868224 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2015-03-16 10:48 - 2009-06-10 20:11 - 02386944 _____ (Microsoft Corporation) C:\Windows\system32\WMVCORE.DLL
2015-03-16 10:48 - 2009-05-04 18:11 - 00025088 _____ (Microsoft Corporation) C:\Windows\system32\dnscacheugc.exe
2015-03-16 10:47 - 2011-04-29 20:49 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv2.sys
2015-03-16 10:47 - 2011-04-29 20:49 - 00102400 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys
2015-03-16 10:47 - 2010-12-20 23:39 - 00563200 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2015-03-16 10:47 - 2009-07-10 20:21 - 00247808 _____ (Microsoft Corporation) C:\Windows\system32\shsvcs.dll
2015-03-16 10:47 - 2008-06-26 11:29 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\wmpeffects.dll
2015-03-16 10:46 - 2010-08-31 23:41 - 00954752 _____ (Microsoft Corporation) C:\Windows\system32\mfc40.dll
2015-03-16 10:46 - 2010-08-31 23:41 - 00954288 _____ (Microsoft Corporation) C:\Windows\system32\mfc40u.dll
2015-03-16 10:46 - 2010-08-20 23:21 - 00866816 _____ (Microsoft Corporation) C:\Windows\system32\wmpmde.dll
2015-03-16 10:46 - 2010-06-19 00:43 - 00036352 _____ (Microsoft Corporation) C:\Windows\system32\rtutils.dll
2015-03-16 10:46 - 2010-05-05 02:39 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\msshsq.dll
2015-03-16 10:46 - 2009-06-16 02:20 - 00439896 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-03-16 10:46 - 2009-06-15 23:24 - 00175104 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-03-16 10:46 - 2009-06-15 23:24 - 00072704 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-03-16 10:46 - 2009-06-15 23:23 - 01256448 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-03-16 10:46 - 2009-06-15 23:21 - 00499712 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-03-16 10:46 - 2009-06-15 20:57 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-03-16 10:46 - 2008-10-29 14:29 - 02927104 _____ (Microsoft Corporation) C:\Windows\explorer.exe
2015-03-16 10:45 - 2010-10-28 20:56 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2015-03-16 10:45 - 2010-10-18 22:01 - 00081920 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
2015-03-16 10:45 - 2010-06-11 23:30 - 01257472 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2015-03-16 10:45 - 2010-02-18 22:11 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\iphlpsvc.dll
2015-03-16 10:45 - 2010-02-18 19:52 - 00025088 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tunnel.sys
2015-03-16 10:45 - 2009-03-03 12:39 - 00551424 _____ (Microsoft Corporation) C:\Windows\system32\rpcss.dll
2015-03-16 10:45 - 2009-03-03 12:39 - 00183296 _____ (Microsoft Corporation) C:\Windows\system32\sdohlp.dll
2015-03-16 10:45 - 2009-03-03 12:39 - 00026112 _____ (Microsoft Corporation) C:\Windows\system32\printfilterpipelineprxy.dll
2015-03-16 10:45 - 2009-03-03 12:37 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\iasrecst.dll
2015-03-16 10:45 - 2009-03-03 12:37 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\iasads.dll
2015-03-16 10:45 - 2009-03-03 12:37 - 00044032 _____ (Microsoft Corporation) C:\Windows\system32\iasdatastore.dll
2015-03-16 10:45 - 2009-03-03 11:04 - 00666624 _____ (Microsoft Corporation) C:\Windows\system32\printfilterpipelinesvc.exe
2015-03-16 10:45 - 2009-03-03 10:38 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\iashost.exe
2015-03-16 10:45 - 2008-08-12 11:39 - 00443392 _____ (Microsoft Corporation) C:\Windows\system32\win32spl.dll
2015-03-16 10:45 - 2008-05-10 09:33 - 00113664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rmcast.sys
2015-03-16 10:44 - 2011-04-20 22:47 - 00375808 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2015-03-16 10:44 - 2011-04-20 22:44 - 00049152 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-03-16 10:44 - 2009-07-14 21:00 - 00313344 _____ (Microsoft Corporation) C:\Windows\system32\wmpdxm.dll
2015-03-16 10:44 - 2009-07-14 20:59 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\msdxm.ocx
2015-03-16 10:44 - 2009-07-14 20:59 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\dxmasf.dll
2015-03-16 10:44 - 2009-07-14 20:58 - 00007680 _____ (Microsoft Corporation) C:\Windows\system32\spwmp.dll
2015-03-16 10:44 - 2009-07-14 16:30 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\msdxm.tlb
2015-03-16 10:44 - 2009-07-14 16:30 - 00018432 _____ (Microsoft Corporation) C:\Windows\system32\amcompat.tlb
2015-03-16 10:43 - 2010-12-18 00:43 - 02067456 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2015-03-16 10:43 - 2010-12-17 23:06 - 00677888 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe
2015-03-16 10:43 - 2010-08-31 23:40 - 00531968 _____ (Microsoft Corporation) C:\Windows\system32\comctl32.dll
2015-03-16 10:43 - 2009-09-04 20:24 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\msasn1.dll
2015-03-16 10:31 - 2015-02-24 04:23 - 00246920 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-03-16 10:30 - 2009-12-28 20:35 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\tsbyuv.dll
2015-03-16 10:30 - 2009-12-28 20:32 - 00123904 _____ (Microsoft Corporation) C:\Windows\system32\msvfw32.dll
2015-03-16 10:30 - 2009-12-28 20:32 - 00031744 _____ (Microsoft Corporation) C:\Windows\system32\msvidc32.dll
2015-03-16 10:30 - 2009-12-28 20:32 - 00022528 _____ (Microsoft Corporation) C:\Windows\system32\msyuv.dll
2015-03-16 10:30 - 2009-12-28 20:32 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\msrle32.dll
2015-03-16 10:30 - 2009-12-28 20:31 - 00082944 _____ (Microsoft Corporation) C:\Windows\system32\mciavi32.dll
2015-03-16 10:30 - 2009-12-28 20:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\iyuv_32.dll
2015-03-16 10:30 - 2009-12-28 20:28 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\avifil32.dll
2015-03-16 10:30 - 2009-12-28 20:28 - 00065024 _____ (Microsoft Corporation) C:\Windows\system32\avicap32.dll
2015-03-16 10:28 - 2009-04-02 20:37 - 00604672 _____ (Microsoft Corporation) C:\Windows\system32\WMSPDMOD.DLL
2015-03-16 10:26 - 2009-12-23 20:43 - 00171520 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2015-03-16 10:25 - 2010-01-15 08:04 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\cabview.dll
2015-03-16 10:19 - 2015-03-16 10:19 - 23794591 _____ () C:\Users\user\Downloads\KINRARA.zip
2015-03-10 10:22 - 2015-03-10 10:22 - 00000000 ____D () C:\Users\user\AppData\Roaming\WinRAR
2015-03-10 09:23 - 2015-03-10 09:23 - 00000000 ____D () C:\Users\user\Documents\New Folder

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-09 09:46 - 2014-02-10 15:51 - 01797008 _____ () C:\action.log
2015-04-09 09:29 - 2014-02-10 12:38 - 00000904 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2138799348-2555380053-1460328437-1000UA.job
2015-04-09 09:28 - 2014-02-10 12:38 - 00002037 _____ () C:\Users\user\Desktop\Google Chrome.lnk
2015-04-09 09:22 - 2014-02-10 15:43 - 00002627 _____ () C:\Users\user\Desktop\Microsoft Office Word 2007.lnk
2015-04-09 09:18 - 2006-11-02 20:52 - 01515700 _____ () C:\Windows\WindowsUpdate.log
2015-04-09 08:53 - 2006-11-02 18:33 - 00699390 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-09 08:46 - 2006-11-02 21:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-09 08:46 - 2006-11-02 20:47 - 00003648 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-09 08:46 - 2006-11-02 20:47 - 00003648 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-09 08:45 - 2006-11-02 21:00 - 00007276 _____ () C:\Windows\PFRO.log
2015-04-03 11:26 - 2006-11-02 19:18 - 00000000 __RHD () C:\Users\Default
2015-04-03 11:26 - 2006-11-02 19:18 - 00000000 ___RD () C:\Users\Public
2015-04-03 11:23 - 2006-11-02 18:23 - 00000215 _____ () C:\Windows\system.ini
2015-04-03 10:39 - 2006-11-02 19:18 - 00000000 ____D () C:\Windows\rescache
2015-03-30 16:18 - 2006-11-02 21:01 - 00012254 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-03-30 16:09 - 2006-11-02 20:52 - 00027767 _____ () C:\Windows\setupact.log
2015-03-30 15:53 - 2014-02-10 12:38 - 00000852 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2138799348-2555380053-1460328437-1000Core.job
2015-03-26 03:50 - 2006-11-02 19:18 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-03-26 03:41 - 2006-11-02 20:47 - 00371152 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-03-26 03:38 - 2006-11-02 20:37 - 00000000 ____D () C:\Program Files\Movie Maker
2015-03-25 16:10 - 2014-02-10 09:28 - 00044240 _____ () C:\Windows\system32\Drivers\fsbts.sys
2015-03-25 15:56 - 2014-02-10 09:28 - 00001202 _____ () C:\Windows\fsav_db_setup.log
2015-03-25 15:56 - 2014-02-10 09:27 - 13345618 _____ () C:\Windows\FSISU.log
2015-03-25 15:56 - 2014-02-10 09:27 - 04982826 _____ () C:\Windows\FSSFM.log
2015-03-25 15:56 - 2014-02-10 09:27 - 02706611 _____ () C:\Windows\RunSetup.log
2015-03-25 15:56 - 2014-02-10 09:27 - 02307905 _____ () C:\Windows\FSSETUP.log
2015-03-25 15:56 - 2014-02-10 09:27 - 01905439 _____ () C:\Windows\FSDEPH.log
2015-03-25 15:56 - 2014-02-10 09:27 - 00498051 _____ () C:\Windows\FSPROD.log
2015-03-25 15:56 - 2014-02-10 09:27 - 00093714 _____ () C:\Windows\FSAVINST.LOG
2015-03-25 15:56 - 2014-02-10 09:27 - 00046475 _____ () C:\Windows\fwesinst.log
2015-03-25 15:56 - 2014-02-10 09:27 - 00041207 _____ () C:\Windows\fsmainst.log
2015-03-25 15:56 - 2014-02-10 09:27 - 00031689 _____ () C:\Windows\fwinst.log
2015-03-25 15:56 - 2014-02-10 09:27 - 00019092 _____ () C:\Windows\fsrif.log
2015-03-25 15:56 - 2014-02-10 09:27 - 00017477 _____ () C:\Windows\FSGUIINS.LOG
2015-03-25 15:56 - 2014-02-10 09:27 - 00015984 _____ () C:\Windows\FSAVCSIN.LOG
2015-03-25 15:56 - 2014-02-10 09:27 - 00014584 _____ () C:\Windows\pmsuinst.log
2015-03-25 15:56 - 2014-02-10 09:27 - 00014151 _____ () C:\Windows\FSSYSUPD.LOG
2015-03-25 15:56 - 2014-02-10 09:27 - 00013803 _____ () C:\Windows\fstnbins.LOG
2015-03-25 15:56 - 2014-02-10 09:27 - 00008098 _____ () C:\Windows\FSGKIAIN.log
2015-03-25 15:56 - 2014-02-10 09:27 - 00007737 _____ () C:\Windows\fsdevconinst.log
2015-03-25 15:56 - 2014-02-10 09:27 - 00005783 _____ () C:\Windows\FSASWINS.LOG
2015-03-25 15:56 - 2014-02-10 09:27 - 00005441 _____ () C:\Windows\HELPINST.LOG
2015-03-25 15:56 - 2014-02-10 09:27 - 00004480 _____ () C:\Windows\fsavunin.log
2015-03-25 15:56 - 2014-02-10 09:27 - 00003943 _____ () C:\Windows\fsdginst.log
2015-03-25 15:56 - 2014-02-10 09:27 - 00003466 _____ () C:\Windows\FSLDIN.LOG
2015-03-25 15:56 - 2014-02-10 09:27 - 00002240 _____ () C:\Windows\DAASINST.LOG
2015-03-25 15:56 - 2014-02-10 09:27 - 00001162 _____ () C:\Windows\fsnapinst.log
2015-03-25 15:55 - 2014-02-10 09:26 - 00000000 ____D () C:\ProgramData\F-Secure
2015-03-25 15:54 - 2014-02-10 09:27 - 00000000 ____D () C:\Program Files\F-Secure
2015-03-25 15:53 - 2014-02-10 09:27 - 00071923 _____ () C:\Windows\fspplugin.log
2015-03-25 15:14 - 2014-02-07 16:19 - 00000000 ____D () C:\Users\user\AppData\Local\VirtualStore
2015-03-25 15:13 - 2014-02-10 16:01 - 00000000 ____D () C:\Users\Mara
2015-03-25 14:18 - 2006-11-02 20:37 - 00000000 ____D () C:\Windows\system32\XPSViewer
2015-03-16 15:46 - 2014-02-10 15:51 - 00655360 _____ () C:\alertlog.dat
2015-03-11 14:49 - 2006-11-02 19:18 - 00000000 ____D () C:\Windows\system32\LogFiles

==================== Files in the root of some directories =======

2014-02-07 16:19 - 2014-02-10 07:27 - 0000680 _____ () C:\Users\user\AppData\Local\d3d9caps.dat

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-04-09 08:52

==================== End Of Log ============================

#5 nasdaq, Malware Response Team
Posted 09 April 2015 - 07:48 AM

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2138799348-2555380053-1460328437-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
CHR Plugin: (Native Client) - C:\Users\user\AppData\Local\Google\Chrome\Application\41.0.2272.101\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Google Update) - C:\Users\user\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 catchme; \??\C:\Users\user\AppData\Local\Temp\catchme.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

End
Save the file as fixlist.txt in the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log Fixlog.txt please post it to your reply.
===

Need more information on your current problem.

When you look closely at the properties of the damaged files, has the extension of all files been changed to a .lnk extension?

#6 nasdaq, Malware Response Team
Posted 14 April 2015 - 08:59 AM

Are you still with me?

#7 aufa0101, Topic Starter
Posted 14 April 2015 - 08:13 PM

Hi nasdaq, yes, I'm still with you but need more time to do it since I'm engaged with a new task. Will reply to you soon. Thank you very much.

#8 aufa0101, Topic Starter
Posted 22 April 2015 - 01:30 AM

Hi nasdaq, sorry for my delay. Attached herewith is the log after I ran FRST, for your kind perusal.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 20-04-2015
Ran by user at 2015-04-22 14:07:05 Run:1
Running from C:\Users\user\Desktop\farbar
Loaded Profiles: user (Available profiles: user & Mara)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start

CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2138799348-2555380053-1460328437-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
CHR Plugin: (Native Client) - C:\Users\user\AppData\Local\Google\Chrome\Application\41.0.2272.101\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Google Update) - C:\Users\user\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 catchme; \??\C:\Users\user\AppData\Local\Temp\catchme.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

End
*****************

Processes closed successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-2138799348-2555380053-1460328437-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
C:\Users\user\AppData\Local\Google\Chrome\Application\41.0.2272.101\ppGoogleNaClPluginChrome.dll not found.
C:\Users\user\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll not found.
blbdrive => Service deleted successfully.
catchme => Service deleted successfully.
IpInIp => Service deleted successfully.
NwlnkFlt => Service deleted successfully.
NwlnkFwd => Service deleted successfully.


The system needed a reboot.

==== End of Fixlog 14:07:06 ====


As for the damaged files, I couldn't find any. When I search, only the folders appear, not the files. Attached is the print screen of my search. tqvm again

#9 aufa0101

aufa0101
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:30 AM

Posted 22 April 2015 - 01:37 AM

this is what I meant..



#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:30 PM

Posted 22 April 2015 - 08:16 AM

Could the files be hidden?

Unhide files/folders Windows 7.
How To:
http://windows.microsoft.com/en-ca/windows/show-hidden-files#show-hidden-files=windows-7
<<<>>>

Attached the print screen of my search.. tqvm again

I do not see the attachments.

===

Please Download and run the ComboFix tool.

How to use ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions on the page.

Post the content of the C:\ComboFix.txt file for my review.

p.s.
When all is well you can remove the tool by following the Uninstall instructions on the same page.

====
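The two symptoms nasdaq asks about in this thread (shortcuts whose target "has been changed or moved", and files that are merely hidden) can be checked from PowerShell. The script below is an added example, not part of the thread or of any of the tools used in it; the starting folder (`$Root`) is an assumed default, and it only reports unless `-Unhide` is given.

```powershell
# Added example, not from the thread or its tools: inventory a folder for the two
# symptoms nasdaq asks about: .lnk shortcuts whose target no longer exists, and
# hidden/system-flagged items that have a same-named shortcut sitting beside them.
# Report-only unless -Unhide is given. $Root is an assumed starting point.
param(
    [string]$Root = "$env:USERPROFILE\Desktop",
    [switch]$Unhide
)

$shell = New-Object -ComObject WScript.Shell
$hiddenFlags = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)

# -Force is required so that hidden and system items are enumerated at all.
$items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue

# 1. Shortcuts whose target is missing: the "has been changed or moved" error.
foreach ($lnk in ($items | Where-Object { $_.Extension -eq '.lnk' })) {
    $target = $shell.CreateShortcut($lnk.FullName).TargetPath
    if ($target -and -not (Test-Path -LiteralPath $target)) {
        [pscustomobject]@{ Finding = 'BrokenShortcut'; Path = $lnk.FullName; Target = $target }
    }
}

# 2. Hidden or system-flagged items with a same-named .lnk next to them.
foreach ($item in $items) {
    if (([int]$item.Attributes -band $hiddenFlags) -eq 0) { continue }
    $sibling = Join-Path (Split-Path -Parent $item.FullName) ($item.Name + '.lnk')
    if (-not (Test-Path -LiteralPath $sibling)) { continue }
    [pscustomobject]@{ Finding = 'HiddenWithShortcut'; Path = $item.FullName; Target = $sibling }
    if ($Unhide) {
        # Clear only Hidden and System; every other attribute stays as it was.
        $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot $hiddenFlags))
    }
}
```

Run it once without `-Unhide` and review the list before clearing any attributes; the broken-shortcut findings are the ones to look at first, since their targets may genuinely be gone rather than hidden.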

#11 aufa0101

aufa0101
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:30 AM

Posted 22 April 2015 - 08:27 PM

tqvm for your help. This is the screenshot for your reference. Attached File: screenshot2.jpg (89.9KB)



#12 aufa0101

aufa0101
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:30 AM

Posted 23 April 2015 - 03:19 AM

Hi nasdaq, this is the content of the C:\ComboFix.txt file for your review. tqvm

 

ComboFix 15-04-19.01 - user 04/23/2015  15:46:46.2.2 - x86
Microsoft® Windows Vista™ Business   6.0.6001.1.1252.1.1033.18.3037.1900 [GMT 8:00]
Running from: c:\users\user\Desktop\ComboFix.exe
AV: F-Secure Client Security 11.60 *Enabled/Updated* {15414183-282E-D62C-CA37-EF24860A2F17}
FW: F-Secure Client Security 11.60 *Enabled* {2D7AC0A6-6241-D774-E168-461178D9686C}
SP: F-Secure Client Security 11.60 *Enabled/Updated* {AE20A067-0E14-D9A2-F087-D456FD8D65AA}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2015-03-23 to 2015-04-23  )))))))))))))))))))))))))))))))
.
.
2015-04-23 07:53 . 2015-04-23 07:53 -------- d-----w- c:\users\Mara\AppData\Local\temp
2015-04-23 07:53 . 2015-04-23 07:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-04-22 06:23 . 2015-04-04 06:39 9201616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0E87A4FA-F65F-4511-A1F1-7FC7457F9385}\mpengine.dll
2015-04-09 08:11 . 2015-04-09 08:11 -------- d-----w- c:\users\user\AppData\Local\Adobe
2015-04-09 01:45 . 2015-04-22 06:07 -------- d-----w- C:\FRST
2015-04-03 02:53 . 2015-04-03 06:46 -------- d-----w- C:\Combo
2015-03-26 19:05 . 2010-09-06 16:24 125952 ----a-w- c:\windows\system32\srvsvc.dll
2015-03-26 19:05 . 2010-09-06 16:23 17920 ----a-w- c:\windows\system32\netevent.dll
2015-03-26 19:04 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
2015-03-25 19:07 . 2008-04-30 05:36 454656 ----a-w- c:\program files\Common Files\System\msadc\msadce.dll
2015-03-25 19:03 . 2009-11-08 02:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2015-03-25 19:03 . 2009-11-08 02:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2015-03-25 19:03 . 2009-11-08 02:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2015-03-25 19:03 . 2009-11-08 02:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2015-03-25 19:03 . 2009-11-08 02:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2015-03-25 07:13 . 2015-03-25 07:13 -------- d-----w- c:\users\Mara\AppData\Local\VirtualStore
2015-03-25 07:08 . 2015-03-25 07:08 -------- d-----w- c:\program files\Runtime Software
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-03-25 08:10 . 2014-02-10 01:28 44240 ----a-w- c:\windows\system32\drivers\fsbts.sys
2015-02-23 20:23 . 2015-03-16 02:31 246920 ------w- c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-18 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-18 2153472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-22 1037608]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2014-07-01 347688]
"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2014-07-01 1969192]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ    PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder
.
2015-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2138799348-2555380053-1460328437-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2014-02-10 04:38]
.
2015-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2138799348-2555380053-1460328437-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2014-02-10 04:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://maranet.mara.gov.my/intranet/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.1.100.11 10.1.100.10
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-04-23 15:54
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2015-04-23  15:56:19
ComboFix-quarantined-files.txt  2015-04-23 07:56
ComboFix2.txt  2015-04-03 03:25
.
Pre-Run: 39,428,624,384 bytes free
Post-Run: 39,426,842,624 bytes free
.
- - End Of File - - A3452E9FD3C1481D594AD9DAD002F1B8
EF932EAA6EF4C94E66A7F6CEEC7EB422
 



#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:30 PM

Posted 23 April 2015 - 08:25 AM

I see the screen shots but I cannot enlarge them so that I can view what is listed.

Let's try this tool.

ZHP Cleaner.

Download and save ZHP Cleaner to your desktop.
http://www.nicolascoolman.fr/download/zhpcleaner-2/
Right Click and run as administrator.
Click on the Repair button.
At the end of the process you will be asked to reboot your machine.
After you reboot a report will open on your desktop.
Copy and paste the report here in your next reply.

#14 aufa0101

aufa0101
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:30 AM

Posted 23 April 2015 - 09:35 PM

hi nasdaq, I've run ZHP Cleaner. Attached herewith is the report for your perusal.

 

ZHPCleaner v2015.4.23.183 by Nicolas Coolman (24/04/2015)
~ Run by user (Administrator)  (24/04/2015 10:05:19)
~ Forum : http://forum.nicolascoolman.fr
~ Facebook : https://www.facebook.com/nicolascoolman1
~ State version : Version OK
~ Type : Repair
~ Report : C:\Users\user\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Users\user\AppData\Roaming\ZHP\ZHPCleaner_Quarantine.txt
~ UAC : Activate
~ Boot Mode : Normal (Normal boot)
~ Windows VISTA, 32-bit Service Pack 1 (Build 6001)

---\\  Services (0)
~ No malicious items found.

---\\  Browser internet (0)
~ No malicious items found.

---\\  Hosts file (1)
~ The hosts file is legitimate (20)

---\\  Scheduled automatic tasks. (0)
~ No malicious items found.

---\\  Explorer ( File, Folder) (0)
~ No malicious items found.

---\\  Registry ( Key, Value, Data) (0)
~ No malicious items found.

---\\ Result of repair
~ Any repair made
~ Browser not found (Mozilla Firefox)
~ Browser not found (Opera Software)

---\\ Statistics
~ Items scanned : 42695
~ Items found : 0
~ Items cancelled : 0
~ Items repaired : 0

End of clean at 10:16:53
===================
ZHPCleaner-[R]-24042015-10_16_53.txt



#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:30 PM

Posted 24 April 2015 - 10:21 AM

There could be some remnant items.
Run this online scan and remove everything that is identified.
It may take some time. Do it when you know you will not need the computer for a few hours.

Please download ESET Online Scanner and save it to your Desktop.
  • Disable the realtime protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start the installer with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the settings shown in the screenshot.
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created. Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!

p.s.
Delete everything that will be found.



