Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 04-05-2013 02
Ran by SYSTEM on 04-05-2013 19:29:35
Running from H:\
Windows 7 Home Premium (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [58656 2011-04-20] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [41208 2012-12-19] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM\...\Run: [snp2uvc] C:\windows\vsnp2uvc.exe [x]
HKLM\...\Run: [PLFSetL] C:\windows\PLFSetL.exe [x]
HKLM\...\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1821576 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [Logitech Download Assistant] C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch [1425208 2012-09-20] (Logitech, Inc.)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947152 2013-01-27] (Microsoft Corporation)
HKU\Owner\...\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h [x]
HKU\Owner\...\Run: [Power2GoExpress] NA [x]
HKU\Owner\...\Run: [Facebook Update] "C:\Users\Owner\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [ 2012-07-11] (Facebook Inc.)
HKU\Owner\...\Run: [ooVoo.exe] C:\program files\oovoo\oovoo.exe /minimized [ 2012-10-04] (ooVoo LLC)
HKU\Owner\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun [ 2013-02-28] (Skype Technologies S.A.)
HKU\Owner\...\RunOnce: [FlashPlayerUpdate] C:\windows\system32\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe -update activex [ 2013-03-12] (Adobe Systems Incorporated)

========================== Services (Whitelisted) =================

S2 DDNIMSGService; C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [171872 2010-07-20] (Digital Delivery Networks, Inc.)
S2 DDNIService; C:\Program Files\DDNI\DIBS\DDNIService.exe [163680 2010-07-23] (Digital Delivery Networks, Inc.)
S2 IGRS; C:\Program Files\Lenovo\ReadyComm\common\IGRS.exe [38152 2009-07-14] (Lenovo Group Limited)
S3 Lenovo ReadyComm AppSvc; C:\Program Files\Lenovo\ReadyComm\AppSvc.exe [414984 2009-07-28] (Lenovo Group Limited)
S3 Lenovo ReadyComm ConnSvc; C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe [472328 2009-07-28] (Lenovo Group Limited)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)
S3 MSSQL$MSSMLBIZ; c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] (Microsoft Corporation)
S3 PS_MDP; C:\Program Files\Lenovo\ReadyComm\PS_MDP.dll [276296 2009-07-15] (Lenovo Group Limited)
S2 ReadyComm.DirectRouter; C:\Program Files\Lenovo\ReadyComm\common\router.dll [103688 2009-07-14] (Lenovo Group Limited)
S2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3289208 2013-03-19] (Skype Technologies S.A.)
S2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [428640 2011-04-01] (Logitech Inc.)

==================== Drivers (Whitelisted) ====================

S3 ACPIVPC; C:\Windows\System32\DRIVERS\AcpiVpc.sys [23136 2010-01-20] (Lenovo Corporation)
S3 Bridge0; C:\Windows\System32\drivers\WDBridge.sys [63240 2009-07-28] (Lenovo)
S1 funfrm; C:\Windows\System32\Drivers\funfrm.sys [54800 2009-10-26] ()
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [16768 2011-04-08] (Microsoft Corporation)
S3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1759616 2009-03-13] ()
S3 wdmirror; C:\Windows\System32\DRIVERS\WDMirror.sys [11792 2009-07-16] (Windows (R) Codename Longhorn DDK provider)
S3 wsvd; C:\Windows\System32\DRIVERS\wsvd.sys [81704 2009-07-21] (CyberLink)
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [x]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-04 19:28 - 2013-05-04 19:28 - 00000000 ____D C:\FRST
2013-05-04 18:56 - 2013-05-04 18:56 - 00000000 ____D C:\Windows\System32\config\mybackup
2013-04-24 08:04 - 2013-04-12 05:45 - 01211752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-22 19:21 - 2013-04-22 19:22 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-04-13 15:37 - 2013-04-13 15:37 - 04873272 ____A () C:\Users\Owner\Downloads\LockDownSFX.exe
2013-04-11 13:51 - 2013-04-11 13:51 - 00000000 ____D C:\Program Files\Common Files\Skype
2013-04-11 04:53 - 2013-02-21 20:05 - 12324352 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-04-11 04:53 - 2013-02-21 19:47 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-04-11 04:53 - 2013-02-21 19:46 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-04-11 04:53 - 2013-02-21 19:38 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-04-11 04:53 - 2013-02-21 19:38 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-04-11 04:53 - 2013-02-21 19:37 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-04-11 04:53 - 2013-02-21 19:36 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-04-11 04:53 - 2013-02-21 19:35 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-04-11 04:53 - 2013-02-21 19:34 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-04-11 04:53 - 2013-02-21 19:34 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-04-11 04:53 - 2013-02-21 19:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-04-11 04:53 - 2013-02-21 19:33 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-04-11 04:53 - 2013-02-21 19:32 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-04-11 04:53 - 2013-02-21 19:31 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-04-11 04:53 - 2013-02-21 19:31 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-04-11 04:53 - 2013-02-21 19:28 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-04-10 13:55 - 2013-03-18 21:04 - 03968856 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-04-10 13:55 - 2013-03-18 21:04 - 03913560 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-04-10 13:55 - 2013-03-18 20:48 - 00038912 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-04-10 13:55 - 2013-03-18 18:49 - 00069632 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-04-10 13:55 - 2013-02-28 19:09 - 02347008 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-04-10 13:55 - 2013-01-23 20:47 - 00196328 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fvevol.sys

==================== One Month Modified Files and Folders ========

2013-05-04 19:28 - 2013-05-04 19:28 - 00000000 ____D C:\FRST
2013-05-04 18:56 - 2013-05-04 18:56 - 00000000 ____D C:\Windows\System32\config\mybackup
2013-05-04 13:50 - 2012-11-20 12:25 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-05-04 13:50 - 2010-09-29 20:56 - 00000000 ____D C:\Windows\Minidump
2013-05-04 13:50 - 2010-06-24 20:40 - 00000000 ____D C:\ProgramData\Skype
2013-05-04 13:50 - 2010-02-05 18:51 - 00000000 ____D C:\users\Owner
2013-05-04 13:50 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\wfp
2013-05-04 13:50 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2013-05-04 13:50 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
2013-05-04 13:49 - 2010-06-24 20:42 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Skype
2013-05-04 13:49 - 2010-06-24 20:40 - 00000000 ___RD C:\Program Files\Skype
2013-05-04 09:42 - 2009-10-26 08:08 - 26380217 ____A C:\FaceProv.log
2013-05-03 03:26 - 2012-08-27 16:12 - 00000000 ____D C:\Users\Owner\Documents\Human Biology Class
2013-05-01 08:16 - 2009-10-26 07:57 - 01792775 ____A C:\Windows\WindowsUpdate.log
2013-05-01 07:27 - 2012-07-17 01:56 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-01 06:53 - 2013-01-08 15:11 - 00048170 ____A C:\Windows\setupact.log
2013-05-01 05:59 - 2011-09-20 21:22 - 00000928 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3158306970-3970288006-2430641233-1004UA.job
2013-04-30 15:47 - 2011-09-20 21:22 - 00000906 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3158306970-3970288006-2430641233-1004Core.job
2013-04-27 21:20 - 2009-08-25 00:07 - 00802696 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-27 20:30 - 2009-07-13 20:34 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-27 20:30 - 2009-07-13 20:34 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-26 21:24 - 2013-03-13 23:15 - 00000000 ____D C:\Users\Owner\Documents\AMR
2013-04-25 05:25 - 2013-01-17 16:56 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-04-25 05:25 - 2010-10-15 09:50 - 00092476 ____A C:\Windows\PFRO.log
2013-04-25 05:25 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-24 20:05 - 2013-02-20 22:15 - 00000000 ____D C:\Program Files\Mozilla Firefox.bak
2013-04-22 19:22 - 2013-04-22 19:21 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-04-13 15:37 - 2013-04-13 15:37 - 04873272 ____A () C:\Users\Owner\Downloads\LockDownSFX.exe
2013-04-12 05:45 - 2013-04-24 08:04 - 01211752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-11 13:51 - 2013-04-11 13:51 - 00000000 ____D C:\Program Files\Common Files\Skype
2013-04-11 11:07 - 2009-07-13 20:33 - 00429896 ____A C:\Windows\System32\FNTCACHE.DAT
2013-04-11 04:55 - 2009-08-25 00:03 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-04-11 04:50 - 2010-02-11 10:07 - 70490256 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-04-10 07:57 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-03-21 19:09:15
Restore point made on: 2013-03-23 16:59:24
Restore point made on: 2013-03-25 06:21:28
Restore point made on: 2013-03-26 07:33:11
Restore point made on: 2013-03-28 19:56:32
Restore point made on: 2013-04-02 07:17:30
Restore point made on: 2013-04-06 09:00:04
Restore point made on: 2013-04-09 18:04:19
Restore point made on: 2013-04-11 04:49:43
Restore point made on: 2013-04-14 06:09:36
Restore point made on: 2013-04-17 07:26:58
Restore point made on: 2013-04-20 21:13:58
Restore point made on: 2013-04-24 08:06:33
Restore point made on: 2013-04-25 05:22:18
Restore point made on: 2013-04-27 20:27:20
Restore point made on: 2013-05-01 08:16:35

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 3032.6 MB
Available physical RAM: 2564.89 MB
Total Pagefile: 3030.88 MB
Available Pagefile: 2572.15 MB
Total Virtual: 2047.88 MB
Available Virtual: 1959.22 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:420.57 GB) (Free:275.74 GB) NTFS
Drive d: (Lenovo) (Fixed) (Total:30.24 GB) (Free:29.57 GB) NTFS
Drive f: (LENOVO_PART) (Fixed) (Total:14.75 GB) (Free:8.36 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive h: () (Removable) (Total:7.45 GB) (Free:7.25 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: () (Fixed) (Total:0.2 GB) (Free:0.15 GB) NTFS ==>[System with boot components (obtained from reading drive)]

ATTENTION: Malware custom entry on BCD on drive y: detected.

Disk ###  Status         Size     Free     Dyn  Gpt
--------  -------------  -------  -------  ---  ---
Disk 0    Online          465 GB      0 B
Disk 1    Online         7632 MB      0 B

Partitions of Disk 0:
===============

Disk ID: CEE02EFC

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary            200 MB  1024 KB
Partition 2    Primary            420 GB   201 MB
Partition 0    Extended            30 GB   420 GB
Partition 4    Logical             30 GB   420 GB
Partition 3    Primary             14 GB   451 GB

==================================================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1   Y                NTFS   Partition    200 MB  Healthy

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2   C                NTFS   Partition    420 GB  Healthy

=========================================================

Disk: 0
Partition 4
Type  : 07
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3   D    Lenovo       NTFS   Partition     30 GB  Healthy

=========================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4   F    LENOVO_PART  NTFS   Partition     14 GB  Healthy

=========================================================

Partitions of Disk 1:
===============

Disk ID: C3072E18

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           7628 MB  4032 KB

==================================================================================

Disk: 1
Partition 1
Type  : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5   H                NTFS   Removable   7628 MB  Healthy

=========================================================

============================== MBR & Partition Table ==================

====================================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: CEE02EFC)

Partition 1: (Active) - (Size=200 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=421 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=30 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=15 GB) - (Type=07 NTFS)

====================================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 7 GB) (Disk ID: C3072E18)

Partition 1: (Active) - (Size=7 GB) - (Type=07 NTFS)

Last Boot: 2013-05-01 17:22

==================== End Of Log ============================