Geeks to Go forums

Window 7 - Unable to Boot - Malware Suspected



#91 JSntgRvr (Global Moderator, 10,999 posts)
Please download Malwarebytes' Anti-Malware from Here. Never download Malwarebytes' Anti-Malware from other sources.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Let's try the ESET online scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • First please Disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to the ESET online scanner.
  • Select the option YES, I accept the Terms of Use then click on Start.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

  • All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    Scan for potentially unwanted applications
    Scan for potentially unsafe applications
    Enable Anti-Stealth Technology

  • Now click on Start.
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

#92 JSntgRvr (Global Moderator, 10,999 posts)
Second Request:

Run TestDisk and follow these steps. The deeper scan is important.

  • Type testdisk/testdisk_static
  • Press Enter
  • The TestDisk command window will open
  • Choose Create and press Enter
  • TestDisk will now detect all local hard drives
  • Use the arrow (up and down) keys to highlight the disk called /dev/sda if it represents your primary hard drive and press Enter
  • If you're not sure then note everything you see and post it for my review
  • Select [Intel] and press Enter
  • Select [Analyse] and press Enter, then press Enter again to run a [Quick Search]
  • When complete, press Enter to continue, then select [Deeper Scan] and press Enter.
  • When it completes, see if the fat partition is listed (check the start/end sectors to verify)
  • If the FAT partition is present, select and press P to list files, then Q to exit and return to the search results.
  • When complete, press Enter to continue then Q repeatedly to exit TestDisk.
  • Close the Terminal Window
  • Remove the flash drive and put it back in the working computer, then post the contents of (or attach) the testdisk.log file on the flash drive.

The Deeper scan will take some time to complete. Please be patient.

#93 TangentMedia (Topic Starter, Member, 75 posts)
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.31.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Chris Zxx :: ASUS [administrator]

12/31/2011 7:54:41 PM
mbam-log-2011-12-31 (19-54-41).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196206
Time elapsed: 2 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Chris Zxx\AppData\Local\fcj.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
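The Hijack.StartMenuInternet entry in the MBAM log above, as an added example (not code from the thread or from Malwarebytes): a Python script that parses that log line and audits the Bad and Good command values the way a defender would, checking whether the launcher is the browser itself, whether it lives under a user-writable profile path, and whether the real browser is only passed along as an argument. Function names and finding texts are this example's own.

```python
"""Audit a browser 'shell\\<verb>\\command' registry value like the one MBAM flagged.

Added example, not code from the thread or from Malwarebytes. It parses the
'Registry Data Items Detected' line quoted in the MBAM log above and then checks
a command line the way a defender would: the launcher should be the browser
itself, not a binary in a user-writable profile directory that takes the real
browser as an argument. Function names and finding texts are this example's own.
"""
import re

# The MBAM log line from the post above, embedded so the script runs offline.
MBAM_LINE = (
    r'HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| '
    r'(Hijack.StartMenuInternet) -> Bad: ("C:\Users\Chris Zxx\AppData\Local\fcj.exe" -a '
    r'"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -safe-mode) '
    r'Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.'
)

_LINE_RE = re.compile(
    r"^(?P<key>[^|]+)\|\s*\((?P<detection>[^)]+)\)\s*->\s*"
    r"Bad:\s*\((?P<bad>.*)\)\s*Good:\s*\((?P<good>.*?)\)\s*->\s*(?P<action>.*)$"
)
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def parse_mbam_registry_data(line):
    """Split an MBAM 'Registry Data Items' line into key, detection, bad, good, action."""
    match = _LINE_RE.match(line.strip())
    if not match:
        raise ValueError("not an MBAM registry-data line")
    return {name: value.strip() for name, value in match.groupdict().items()}


def split_command(cmd):
    """Windows-style tokenizer: a quoted path is one token, whitespace splits the rest."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmd)]


def audit_command(cmd, browser_exe="firefox.exe"):
    """Return the reasons a browser launch command looks hijacked (empty list = clean)."""
    tokens = split_command(cmd)
    if not tokens:
        return ["empty command"]
    launcher = tokens[0]
    launcher_name = launcher.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    findings = []
    if launcher_name != browser_exe.lower():
        findings.append(f"launcher is {launcher_name}, not {browser_exe}")
    # A user's profile (AppData, Temp, ...) is writable without admin rights, which is
    # where a hijacker can drop its wrapper; the real browser lives under Program Files.
    if re.search(r"\\users\\[^\\]+\\|\\appdata\\|%appdata%|%temp%", launcher, re.I):
        findings.append("launcher lives in a user-writable profile directory")
    if any(t.replace("/", "\\").rsplit("\\", 1)[-1].lower() == browser_exe.lower()
           for t in tokens[1:]):
        findings.append("real browser is only passed as an argument (wrapper pattern)")
    return findings


if __name__ == "__main__":
    entry = parse_mbam_registry_data(MBAM_LINE)
    print(entry["key"], "->", entry["detection"])
    print("Bad :", audit_command(entry["bad"]))
    print("Good:", audit_command(entry["good"]))
```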

#94 JSntgRvr (Global Moderator, 10,999 posts)
:pepsi: I am going to have some pepsi with the family for a few hours. Will check back later.

#95 TangentMedia (Topic Starter, Member, 75 posts)
Good for you! :) I will try to have everything ready for you when you return. About to do the eSet stuff.

#96 TangentMedia (Topic Starter, Member, 75 posts)
Actually, it may be a while. ESET scan is about 18% complete after 40 minutes! So it will be a few hours for that one. And then I know the Deeper Scan with testdisk will take a few hours. I will launch that one before bed so I can get it to you in the morning. :)

#97 TangentMedia (Topic Starter, Member, 75 posts)
ESET log.txt:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-01 04:10:26
# local_time=2011-12-31 11:10:26 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 66 94 20528014 76924412 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=801960
# found=17
# cleaned=0
# scan_time=10064
C:\Documents and Settings\Chris Zxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\511051c6-57d0fd19 a variant of Java/Agent.DZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Chris Zxx\Documents\6sLpmPic.exe a variant of Win32/Kryptik.YBA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Chris Zxx\Downloads\cnet_alteros_zip.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Chris Zxx\Downloads\cnet_ComboFix_exe.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Chris Zxx\Downloads\cnet_CtrlViewSetup_exe.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Chris Zxx\Downloads\CrystalDiskInfo4_0_2a-en.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Chris Zxx\My Documents\6sLpmPic.exe a variant of Win32/Kryptik.YBA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\Chris Zxx\AppData\Local\fcj.exe.vir a variant of Win32/Kryptik.YBA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\Chris Zxx\AppData\Local\iym.exe.vir a variant of Win32/Kryptik.YBA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Chris Zxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\511051c6-57d0fd19 a variant of Java/Agent.DZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Chris Zxx\Documents\6sLpmPic.exe a variant of Win32/Kryptik.YBA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Chris Zxx\Downloads\cnet_alteros_zip.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Chris Zxx\Downloads\cnet_ComboFix_exe.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Chris Zxx\Downloads\cnet_CtrlViewSetup_exe.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Chris Zxx\Downloads\CrystalDiskInfo4_0_2a-en.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Chris Zxx\My Documents\6sLpmPic.exe a variant of Win32/Kryptik.YBA trojan (unable to clean) 00000000000000000000000000000000 I
D:\Clients\AAIS\111130\backup-11.30.2011_10-46-21_aais.tar.gz PHP/WebShell.NAH trojan (unable to clean) 00000000000000000000000000000000 I

#98 TangentMedia (Topic Starter, Member, 75 posts)
So it looks like ESET found 17 threats, but you had me "Remove found threats is NOT checked." So I guess I am wondering how we will clean those. Why didn't you want me to check Remove Found Threats?
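The ESET log in the previous post and the question above, as an added example (not code from the thread or from ESET): a Python script that parses the ESET log format, merges the paths Windows 7 reports twice because "C:\Documents and Settings" is a compatibility junction to "C:\Users" and "My Documents" inside a profile is a junction to "Documents", and reads from the header why 17 items were found but 0 cleaned. Function names and the junction normalisation are this example's own; SAMPLE_LOG is an excerpt of the log posted above.

```python
"""Summarise an ESET Online Scanner log and explain why found != cleaned.

Added example, not code from the thread or from ESET. It parses the '# key=value'
header and the detection lines of the log format quoted above and merges the
duplicate paths Windows 7 produces through its profile junctions.
SAMPLE_LOG is an excerpt of the log posted above.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""# found=17
# cleaned=0
# remove_checked=false
# scanned=801960
C:\Documents and Settings\Chris Zxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\511051c6-57d0fd19 a variant of Java/Agent.DZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Chris Zxx\Documents\6sLpmPic.exe a variant of Win32/Kryptik.YBA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Chris Zxx\Downloads\cnet_alteros_zip.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Chris Zxx\Downloads\cnet_ComboFix_exe.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Chris Zxx\Downloads\cnet_CtrlViewSetup_exe.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Chris Zxx\Downloads\CrystalDiskInfo4_0_2a-en.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Chris Zxx\My Documents\6sLpmPic.exe a variant of Win32/Kryptik.YBA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\Chris Zxx\AppData\Local\fcj.exe.vir a variant of Win32/Kryptik.YBA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\Chris Zxx\AppData\Local\iym.exe.vir a variant of Win32/Kryptik.YBA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Chris Zxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\511051c6-57d0fd19 a variant of Java/Agent.DZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Chris Zxx\Documents\6sLpmPic.exe a variant of Win32/Kryptik.YBA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Chris Zxx\Downloads\cnet_alteros_zip.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Chris Zxx\Downloads\cnet_ComboFix_exe.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Chris Zxx\Downloads\cnet_CtrlViewSetup_exe.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Chris Zxx\Downloads\CrystalDiskInfo4_0_2a-en.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Chris Zxx\My Documents\6sLpmPic.exe a variant of Win32/Kryptik.YBA trojan (unable to clean) 00000000000000000000000000000000 I
D:\Clients\AAIS\111130\backup-11.30.2011_10-46-21_aais.tar.gz PHP/WebShell.NAH trojan (unable to clean) 00000000000000000000000000000000 I
"""

# path, then the detection name (always contains a '/', which a Windows path never
# does), then "(status)", a 32-hex-digit hash field and a one-letter flag.
_DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<name>(?:a variant of )?[^\s/]+/\S+ \S+) "
    r"\((?P<status>[^)]+)\) (?P<hash>[0-9A-Fa-f]{32}) (?P<flag>\S+)$"
)

# Windows 7 junctions that make one file show up under two names in a scan.
_JUNCTIONS = [
    (re.compile(r"^([A-Za-z]:\\)documents and settings\\", re.I), r"\g<1>Users\\"),
    (re.compile(r"^([A-Za-z]:\\users\\[^\\]+\\)my documents\\", re.I), r"\g<1>Documents\\"),
]


def canonical_path(path):
    """Rewrite junction aliases to the real location so duplicates can be merged."""
    for pattern, replacement in _JUNCTIONS:
        path = pattern.sub(replacement, path)
    return path


def summarise(log_text):
    """Return header counts plus the distinct files and detection names in a log."""
    header, detections = {}, []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
        else:
            match = _DETECTION_RE.match(line)
            if match:
                detections.append(match.groupdict())
    unique = {}
    for det in detections:
        unique.setdefault(canonical_path(det["path"]).lower(), det)
    return {
        "found": int(header.get("found", len(detections))),
        "cleaned": int(header.get("cleaned", 0)),
        "removal_enabled": header.get("remove_checked") == "true",
        "lines": len(detections),
        "unique_paths": len(unique),
        "by_name": dict(Counter(det["name"] for det in unique.values())),
        "statuses": dict(Counter(det["status"] for det in detections)),
    }


def explain(summary):
    """Plain-language reading of the counts for the 'why were they not cleaned?' question."""
    text = (f"{summary['found']} detections on {summary['unique_paths']} distinct files "
            f"({summary['lines'] - summary['unique_paths']} junction duplicates); "
            f"{summary['cleaned']} cleaned")
    if not summary["removal_enabled"]:
        text += ("; removal was disabled in the scan options (remove_checked=false), "
                 "so this was a report-only scan and the files are still on disk")
    return text


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    print(explain(result))
    for name, count in sorted(result["by_name"].items()):
        print(f"{count:2d}  {name}")
```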

#99 JSntgRvr (Global Moderator, 10,999 posts)
Clear the JAVA Cache

Download the enclosed file. Attached File: CFScript.txt (726 bytes)

Save it next to Combofix.

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

How is the computer doing?

See if you can run Testdisk and perform a deeper scan to see the files in the FAT32 partition.

#100 TangentMedia (Topic Starter, Member, 75 posts)
Computer is running fine. I was just concerned about those 17 files ESET says it found. :) I will run the ComboFix, post the results and then run the testdisk deep scan (since that will take hours) and go to bed. :)

Happy New Year!
#101 TangentMedia (Topic Starter, Member, 75 posts)
Okay. I cleared the Java cache.

Here are the results of ComboFix.txt:

ComboFix 11-12-31.03 - Chris Zxx 01/01/2012 0:50.2.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.9207.5896 [GMT -5:00]
Running from: c:\users\Chris Zxx\Desktop\ComboFix.exe
Command switches used :: c:\users\Chris Zxx\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\documents and settings\Chris Zxx\Documents\6sLpmPic.exe"
"c:\documents and settings\Chris Zxx\Downloads\cnet_alteros_zip.exe"
"c:\documents and settings\Chris Zxx\Downloads\cnet_ComboFix_exe.exe"
"c:\documents and settings\Chris Zxx\Downloads\cnet_CtrlViewSetup_exe.exe"
"c:\documents and settings\Chris Zxx\Downloads\CrystalDiskInfo4_0_2a-en.exe"
"c:\documents and settings\Chris Zxx\My Documents\6sLpmPic.exe"
"c:\users\Chris Zxx\Documents\6sLpmPic.exe"
"c:\users\Chris Zxx\Downloads\cnet_alteros_zip.exe"
"c:\users\Chris Zxx\Downloads\cnet_ComboFix_exe.exe"
"c:\users\Chris Zxx\Downloads\cnet_CtrlViewSetup_exe.exe"
"c:\users\Chris Zxx\Downloads\CrystalDiskInfo4_0_2a-en.exe"
"c:\users\Chris Zxx\My Documents\6sLpmPic.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Chris Zxx\Documents\6sLpmPic.exe
c:\users\Chris Zxx\Downloads\cnet_alteros_zip.exe
c:\users\Chris Zxx\Downloads\cnet_ComboFix_exe.exe
c:\users\Chris Zxx\Downloads\cnet_CtrlViewSetup_exe.exe
c:\users\Chris Zxx\Downloads\CrystalDiskInfo4_0_2a-en.exe
c:\users\Chris Zxx\My Documents\6sLpmPic.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-01 to 2012-01-01 )))))))))))))))))))))))))))))))
.
.
2012-01-01 06:01 . 2012-01-01 06:01 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-01-01 06:01 . 2012-01-01 06:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-01 00:52 . 2012-01-01 00:52 -------- d-----w- c:\users\Chris Zxx\AppData\Roaming\Malwarebytes
2012-01-01 00:52 . 2012-01-01 00:52 -------- d-----w- c:\programdata\Malwarebytes
2012-01-01 00:52 . 2012-01-01 00:52 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-01-01 00:52 . 2011-12-10 20:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-31 20:49 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE7542B2-C2A8-4A52-955F-0D59422B9306}\mpengine.dll
2011-12-27 22:22 . 2011-12-27 22:32 -------- d-----w- C:\FRST
2011-12-23 04:20 . 2011-12-23 22:15 -------- d-----w- c:\users\Chris Zxx\.scorched3d
2011-12-23 04:18 . 2011-12-23 04:19 -------- d-----w- c:\program files (x86)\Scorched3D
2011-12-23 03:53 . 2011-12-31 19:04 -------- d-----w- c:\users\Chris Zxx\AppData\Local\fxUserEnum
2011-12-17 21:33 . 2011-12-17 21:33 -------- d-----w- c:\program files\iPod
2011-12-17 21:33 . 2011-12-17 21:34 -------- d-----w- c:\program files\iTunes
2011-12-17 21:33 . 2011-12-17 21:33 -------- d-----w- c:\program files (x86)\iTunes
2011-12-17 21:31 . 2011-12-17 21:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2011-12-17 21:31 . 2011-12-17 21:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2011-12-17 21:31 . 2011-12-17 21:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2011-12-17 21:31 . 2011-12-17 21:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2011-12-17 21:31 . 2011-12-17 21:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2011-12-17 21:31 . 2011-12-17 21:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2011-12-17 21:31 . 2011-12-17 21:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2011-12-13 20:58 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-13 20:58 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-13 20:58 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-13 20:58 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-13 20:58 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-13 20:58 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-11 04:57 . 2011-12-11 04:57 -------- d-----w- c:\program files (x86)\Sibelius Software
2011-12-10 23:40 . 2011-12-10 23:40 -------- d-----w- c:\users\Chris Zxx\AppData\Local\TechSmith
2011-12-10 23:39 . 2011-12-10 23:39 -------- d-----w- c:\windows\SysWow64\QuickTime
2011-12-10 23:39 . 2011-12-10 23:39 -------- d-----w- c:\program files (x86)\Common Files\TechSmith Shared
2011-12-10 23:39 . 2011-12-10 23:39 -------- d-----w- c:\programdata\TechSmith
2011-12-10 23:39 . 2011-12-10 23:39 -------- d-----w- c:\program files (x86)\TechSmith
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\RPRSTITL.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\RPRSTEXT.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\RPRSSTMP.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\RPRSSPEC.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\RPRSSCRP.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\RPRSREH_.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\RPRSMET_.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\RPRSCHOR.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\RPRS____.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\OPUSTEXT.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\OPUSSE__.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\OPUSS___.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\OPUSROMC.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\OPUSPC__.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\OPUSP___.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\OPUSO___.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\OPUSNN__.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\OPUSM___.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\OPUSFS__.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\OPUSFBE_.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\OPUSFB__.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\OPUSCSC_.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\OPUSCS__.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\OPUSC___.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\OPUS____.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\INKPEN2_.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\INK2TEXT.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\INK2SPEC.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\INK2SCRI.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\INK2METR.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\INK2CHOR.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\HELST___.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\HELSS___.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\HELSM___.FOT
2011-12-11 04:57 . 2011-12-11 04:57 1409 ----a-w- c:\windows\Fonts\HELSINKI.FOT
2011-11-21 11:40 . 2010-05-11 09:56 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-18 19:31 . 2011-11-18 19:31 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2011-11-18 19:31 . 2011-11-18 19:31 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2011-11-18 19:31 . 2011-11-18 19:31 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2011-11-18 19:31 . 2011-11-18 19:31 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2011-11-18 19:31 . 2011-11-18 19:31 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2011-11-18 19:31 . 2011-11-18 19:31 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2011-11-18 19:31 . 2011-11-18 19:31 367104 ----a-w- c:\windows\SysWow64\html.iec
2011-11-18 19:31 . 2011-11-18 19:31 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2011-11-18 19:31 . 2011-11-18 19:31 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2011-11-18 19:31 . 2011-11-18 19:31 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2011-11-18 19:31 . 2011-11-18 19:31 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-11-18 19:31 . 2011-11-18 19:31 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-11-18 19:31 . 2011-11-18 19:31 49664 ----a-w- c:\windows\system32\imgutil.dll
2011-11-18 19:31 . 2011-11-18 19:31 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-11-18 19:31 . 2011-11-18 19:31 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-11-18 19:31 . 2011-11-18 19:31 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2011-11-18 19:31 . 2011-11-18 19:31 222208 ----a-w- c:\windows\system32\msls31.dll
2011-11-18 19:31 . 2011-11-18 19:31 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2011-11-18 19:31 . 2011-11-18 19:31 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2011-11-18 19:31 . 2011-11-18 19:31 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2011-11-18 19:31 . 2011-11-18 19:31 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2011-11-18 19:31 . 2011-11-18 19:31 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-11-18 19:31 . 2011-11-18 19:31 12288 ----a-w- c:\windows\system32\mshta.exe
2011-11-18 19:31 . 2011-11-18 19:31 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2011-11-18 19:31 . 2011-11-18 19:31 114176 ----a-w- c:\windows\system32\admparse.dll
2011-11-18 19:31 . 2011-11-18 19:31 111616 ----a-w- c:\windows\system32\iesysprep.dll
2011-11-18 19:31 . 2011-11-18 19:31 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2011-11-18 19:31 . 2011-11-18 19:31 85504 ----a-w- c:\windows\system32\iesetup.dll
2011-11-18 19:31 . 2011-11-18 19:31 76800 ----a-w- c:\windows\system32\tdc.ocx
2011-11-18 19:31 . 2011-11-18 19:31 603648 ----a-w- c:\windows\system32\vbscript.dll
2011-11-18 19:31 . 2011-11-18 19:31 448512 ----a-w- c:\windows\system32\html.iec
2011-11-18 19:31 . 2011-11-18 19:31 30720 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-18 19:31 . 2011-11-18 19:31 165888 ----a-w- c:\windows\system32\iexpress.exe
2011-11-18 19:31 . 2011-11-18 19:31 160256 ----a-w- c:\windows\system32\wextract.exe
2011-11-18 17:29 . 2011-07-11 02:42 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2011-10-16 15:11 . 2011-10-16 15:11 0 ---ha-w- c:\users\Chris Zxx\AppData\Local\BIT4442.tmp
2011-10-16 15:09 . 2011-10-16 15:09 0 ---ha-w- c:\users\Chris Zxx\AppData\Local\BIT1352.tmp
2011-10-11 02:35 . 2011-10-11 02:35 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EEA13868-0F88-4D5C-BF7D-2433AD00CD2A}\gapaengine.dll
.
.
((((((((((((((((((((((((((((( [email protected]_20.20.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-31 20:39 . 2011-11-03 22:32 72704 c:\windows\SysWOW64\mshtmled.dll
- 2011-11-18 19:31 . 2011-11-18 19:31 72704 c:\windows\SysWOW64\mshtmled.dll
- 2011-11-18 19:31 . 2011-11-18 19:31 66048 c:\windows\SysWOW64\migration\WininetPlugin.dll
+ 2011-12-31 20:39 . 2011-11-03 22:37 66048 c:\windows\SysWOW64\migration\WininetPlugin.dll
+ 2011-12-31 20:39 . 2011-11-03 22:37 65024 c:\windows\SysWOW64\jsproxy.dll
- 2011-11-18 19:31 . 2011-11-18 19:31 65024 c:\windows\SysWOW64\jsproxy.dll
+ 2009-07-14 05:10 . 2012-01-01 06:04 41450 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-01-17 00:07 . 2012-01-01 01:18 15438 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-675020251-1707714230-191327267-1000_UserData.bin
+ 2011-12-31 20:39 . 2011-11-04 01:35 96256 c:\windows\system32\mshtmled.dll
- 2011-11-18 19:31 . 2011-11-18 19:31 96256 c:\windows\system32\mshtmled.dll
+ 2011-12-31 20:39 . 2011-11-04 01:41 86528 c:\windows\system32\migration\WininetPlugin.dll
- 2011-11-18 19:31 . 2011-11-18 19:31 86528 c:\windows\system32\migration\WininetPlugin.dll
+ 2011-12-31 20:39 . 2011-11-04 01:41 85504 c:\windows\system32\jsproxy.dll
- 2011-11-18 19:31 . 2011-11-18 19:31 85504 c:\windows\system32\jsproxy.dll
- 2011-08-18 17:04 . 2011-12-23 04:19 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-08-18 17:04 . 2011-12-31 21:20 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-08-18 17:04 . 2011-12-23 04:19 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-08-18 17:04 . 2011-12-31 21:20 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-08-18 17:04 . 2011-12-23 04:19 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-08-18 17:04 . 2011-12-31 21:20 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-10-10 05:19 . 2011-12-31 20:42 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-10-10 05:19 . 2011-11-18 19:29 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-10-10 05:19 . 2011-11-18 19:29 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-10-10 05:19 . 2011-12-31 20:42 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-10-10 05:19 . 2011-11-18 19:29 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-10-10 05:19 . 2011-12-31 20:42 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
- 2011-12-31 20:19 . 2011-12-31 20:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-01 06:02 . 2012-01-01 06:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-12-31 20:19 . 2011-12-31 20:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-01 06:02 . 2012-01-01 06:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-12-31 20:39 . 2011-11-03 22:38 231936 c:\windows\SysWOW64\url.dll
- 2011-11-18 19:31 . 2011-11-18 19:31 231936 c:\windows\SysWOW64\url.dll
- 2011-11-18 19:31 . 2011-11-18 19:31 716800 c:\windows\SysWOW64\jscript.dll
+ 2011-12-31 20:39 . 2011-11-03 22:34 716800 c:\windows\SysWOW64\jscript.dll
+ 2011-12-31 20:39 . 2011-11-03 22:28 176640 c:\windows\SysWOW64\ieui.dll
- 2011-11-18 19:31 . 2011-11-18 19:31 176640 c:\windows\SysWOW64\ieui.dll
+ 2011-12-31 20:39 . 2011-11-04 01:43 237056 c:\windows\system32\url.dll
- 2011-11-18 19:31 . 2011-11-18 19:31 237056 c:\windows\system32\url.dll
+ 2009-07-14 02:36 . 2012-01-01 04:46 664020 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-12-31 20:00 664020 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-01-01 04:46 122838 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-12-31 20:00 122838 c:\windows\system32\perfc009.dat
+ 2011-12-31 20:39 . 2011-11-04 01:39 818688 c:\windows\system32\jscript.dll
- 2011-11-18 19:31 . 2011-11-18 19:31 248320 c:\windows\system32\ieui.dll
+ 2011-12-31 20:39 . 2011-11-04 01:30 248320 c:\windows\system32\ieui.dll
+ 2009-07-14 04:46 . 2012-01-01 01:23 111408 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2009-07-14 05:01 . 2011-12-31 20:18 637144 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-01-01 06:01 637144 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-10-10 05:19 . 2011-12-31 20:42 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-10-10 05:19 . 2011-11-18 19:29 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-10-10 05:19 . 2011-11-18 19:29 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-10-10 05:19 . 2011-12-31 20:42 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
- 2009-10-10 05:19 . 2011-11-18 19:29 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
+ 2009-10-10 05:19 . 2011-12-31 20:42 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
+ 2009-10-10 05:19 . 2011-12-31 20:42 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
- 2009-10-10 05:19 . 2011-11-18 19:29 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
+ 2011-12-31 20:39 . 2011-11-03 22:39 1127424 c:\windows\SysWOW64\wininet.dll
+ 2011-12-31 20:39 . 2011-11-03 22:40 1103360 c:\windows\SysWOW64\urlmon.dll
- 2011-11-18 19:31 . 2011-11-18 19:31 1798144 c:\windows\SysWOW64\jscript9.dll
+ 2011-12-31 20:39 . 2011-11-03 22:47 1798144 c:\windows\SysWOW64\jscript9.dll
+ 2011-12-31 20:39 . 2011-11-03 22:32 1792000 c:\windows\SysWOW64\iertutil.dll
+ 2011-12-31 20:39 . 2011-11-03 22:46 9705472 c:\windows\SysWOW64\ieframe.dll
+ 2011-12-31 20:39 . 2011-11-04 01:44 1390080 c:\windows\system32\wininet.dll
+ 2011-12-31 20:39 . 2011-11-04 01:46 1345536 c:\windows\system32\urlmon.dll
- 2011-11-18 19:31 . 2011-11-18 19:31 2309120 c:\windows\system32\jscript9.dll
+ 2011-12-31 20:39 . 2011-11-04 01:53 2309120 c:\windows\system32\jscript9.dll
+ 2011-12-31 20:39 . 2011-11-04 01:36 2144256 c:\windows\system32\iertutil.dll
- 2009-07-14 04:45 . 2011-11-18 19:36 7612890 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:45 . 2011-12-31 20:47 7612890 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2011-03-18 22:10 . 2012-01-01 06:01 2596852 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-675020251-1707714230-191327267-1000-12288.dat
+ 2011-11-01 18:34 . 2011-11-01 18:34 4250112 c:\windows\Installer\11ffe9.msp
+ 2011-11-01 18:34 . 2011-11-01 18:34 2247168 c:\windows\Installer\11ffc6.msp
+ 2011-11-11 21:14 . 2011-11-11 21:14 9096192 c:\windows\Installer\11ffb2.msp
+ 2011-11-01 18:34 . 2011-11-01 18:34 2531840 c:\windows\Installer\11ff9e.msp
+ 2011-11-11 21:15 . 2011-11-11 21:15 1795584 c:\windows\Installer\11ff8a.msp
+ 2011-11-11 21:16 . 2011-11-11 21:16 8458240 c:\windows\Installer\11ff76.msp
+ 2009-10-10 05:19 . 2011-12-31 20:42 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-10-10 05:19 . 2011-11-18 19:29 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2011-12-31 20:39 . 2011-11-03 23:02 12279808 c:\windows\SysWOW64\mshtml.dll
- 2009-07-14 02:34 . 2011-12-31 20:39 10747904 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2011-12-31 20:43 10747904 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2011-12-31 20:39 . 2011-11-04 02:38 17786368 c:\windows\system32\mshtml.dll
+ 2010-01-17 04:48 . 2011-12-31 20:40 54867776 c:\windows\system32\MRT.exe
+ 2011-12-31 20:39 . 2011-11-04 01:59 10886656 c:\windows\system32\ieframe.dll
+ 2009-07-14 04:45 . 2011-12-31 20:45 11493784 c:\windows\system32\FNTCACHE.DAT
- 2009-07-14 04:45 . 2011-12-12 01:27 11493784 c:\windows\system32\FNTCACHE.DAT
+ 2010-01-17 04:55 . 2012-01-01 06:01 52866568 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-675020251-1707714230-191327267-1000-8192.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Chris Zxx\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Chris Zxx\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Chris Zxx\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\users\Chris Zxx\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"Akamai NetSession Interface"="c:\users\Chris Zxx\AppData\Local\Akamai\netsession_win.exe" [2011-12-13 3305760]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-21 136176]
R2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxecserv.exe [2010-04-14 45736]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-21 136176]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28x.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 Spyder3;Datacolor Spyder3;c:\windows\system32\DRIVERS\Spyder3.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [2009-04-02 90112]
S2 Device Handle Service;Device Handle Service;c:\windows\SysWOW64\AsHookDevice.exe [2009-08-20 196608]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-12-18 189736]
S2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe [2010-04-14 1052328]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-08-03 2255464]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-08-03 379496]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-21 04:23]
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-21 04:23]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Chris Zxx\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Chris Zxx\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Chris Zxx\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Chris Zxx\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://192.168.1.1/start.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = proxy.hisfeet.org:9000
uInternet Settings,ProxyOverride = *.local;<local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Chris Zxx\AppData\Roaming\Mozilla\Firefox\Profiles\ocv6nc5t.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.peekstuff.com/admin
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z192&form=ZGAADF&install_date=20110823&q=
FF - prefs.js: network.proxy.ftp - proxy.hisfeet.org
FF - prefs.js: network.proxy.ftp_port - 9000
FF - prefs.js: network.proxy.gopher - proxy.hisfeet.org
FF - prefs.js: network.proxy.gopher_port - 9000
FF - prefs.js: network.proxy.http - proxy.hisfeet.org
FF - prefs.js: network.proxy.http_port - 9000
FF - prefs.js: network.proxy.socks - proxy.hisfeet.org
FF - prefs.js: network.proxy.socks_port - 9000
FF - prefs.js: network.proxy.ssl - proxy.hisfeet.org
FF - prefs.js: network.proxy.ssl_port - 9000
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_b427739.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10w_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10w_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Drive Speedometer\Drive_Speedometer.exe
c:\program files (x86)\ASUS\AI Direct Link\AsCmd.exe
c:\program files (x86)\ASUS\AI Manager\AIManager.exe
c:\program files (x86)\ASUS\AI Direct Link\AsShare.exe
.
**************************************************************************
.
Completion time: 2012-01-01 01:07:51 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-01 06:07
ComboFix2.txt 2011-12-31 20:24
.
Pre-Run: 118,518,448,128 bytes free
Post-Run: 118,219,022,336 bytes free
.
- - End Of File - - D8939AAB0F10FCCEF5B157F1F39EFB36

#102
TangentMedia
    Member
  • Topic Starter
  • 75 posts
Ran testdisk_static Deeper Scan. Log pasted below. I still cannot Quick Scan or Deeper Scan the FAT partition(s); they just do not show up in the list at all.



Sun Jan 1 05:16:33 2012
Command line: TestDisk

TestDisk 6.13, Data Recovery Utility, November 2011
Christophe GRENIER <[email protected]>
http://www.cgsecurity.org
OS: Linux, kernel 2.6.31.2 (#5 SMP Mon Dec 7 11:56:35 UTC 2009) i686
Compiler: GCC 4.4
Compilation date: 2011-11-15T02:42:19
ext2fs lib: 1.41.9, ntfs lib: libntfs-3g, reiserfs lib: 0.3.1-rc8, ewf lib: 20100226
/dev/sda: LBA, HPA, LBA48, DCO support
/dev/sda: size 2930277168 sectors
/dev/sda: user_max 2930277168 sectors
/dev/sda: native_max 2930277168 sectors
/dev/sda: dco 2930277168 sectors
/dev/sdb: LBA, HPA, LBA48, DCO support
/dev/sdb: size 1953525168 sectors
/dev/sdb: user_max 1953525168 sectors
/dev/sdb: native_max 1953525168 sectors
/dev/sdb: dco 1953525168 sectors
Warning: can't get size for Disk /dev/mapper/control - 0 B - CHS 1 1 1, sector size=512
/dev/sr0 is not an ATA disk
Hard disk list
Disk /dev/sda - 1500 GB / 1397 GiB - CHS 182401 255 63, sector size=512 - WDC WD1502FAEX-007BA0, S/N:WD-WMAY02625035, FW:05.01D05
Disk /dev/sdb - 1000 GB / 931 GiB - CHS 121601 255 63, sector size=512 - ST31000528AS, S/N:6VPAF29M, FW:CC3E
Disk /dev/sdc - 128 MB / 123 MiB - CHS 492 16 32, sector size=512 - Kingston DataTraveler 2.0, FW:1.02
Disk /dev/sr0 - 67 MB / 64 MiB - CHS 32770 1 1 (RO), sector size=2048 - HL-DT-ST DVDRAM GH40N, S/N:K4299890743, FW:NM02

Partition table type (auto): Intel
Disk /dev/sda - 1500 GB / 1397 GiB - WDC WD1502FAEX-007BA0
Partition table type: Intel

Analyse Disk /dev/sda - 1500 GB / 1397 GiB - CHS 182401 255 63
Geometry from i386 MBR: head=255 sector=63


test_FAT()
1 P FAT32 0 1 1 1305 254 63 20980827
sector_size 512
cluster_size 2
reserved 8
fats 1
dir_entries 1024
sectors 0
media F8
fat_length 0
secs_track 17
heads 4
hidden 1
total_sect 2097152
check_part_i386 failed for partition type 0B
NTFS at 1306/0/1
NTFS at 49947/0/1
get_geometry_from_list_part_aux head=255 nbr=5
get_geometry_from_list_part_aux head=8 nbr=1
get_geometry_from_list_part_aux head=16 nbr=1
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=5
Current partition structure:
Invalid FAT boot sector
1 P FAT32 0 1 1 1305 254 63 20980827
1 P FAT32 0 1 1 1305 254 63 20980827
2 * HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
3 P HPFS - NTFS 49947 0 1 182401 10 10 2127874150 [DATA]
Ask the user for vista mode
Computes LBA from CHS for Disk /dev/sda - 1500 GB / 1397 GiB - CHS 182402 255 63
Allow partial last cylinder : Yes
search_vista_part: 1

search_part()
Disk /dev/sda - 1500 GB / 1397 GiB - CHS 182402 255 63
NTFS at 1306/0/1
filesystem size 781417665
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 2
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
NTFS, 400 GB / 372 GiB
NTFS at 49947/0/1
filesystem size 2127874150
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 2
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 49947 0 1 182401 10 10 2127874150 [DATA]
NTFS, 1089 GB / 1014 GiB
get_geometry_from_list_part_aux head=255 nbr=3
get_geometry_from_list_part_aux head=255 nbr=3

Results
* HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
NTFS, 400 GB / 372 GiB
P HPFS - NTFS 49947 0 1 182401 254 63 2127889575 [DATA]
NTFS, 1089 GB / 1014 GiB

interface_write()
1 * HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
2 P HPFS - NTFS 49947 0 1 182401 254 63 2127889575 [DATA]

search_part()
Disk /dev/sda - 1500 GB / 1397 GiB - CHS 182402 255 63
NTFS at 1306/0/1
filesystem size 781417665
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 2
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
NTFS, 400 GB / 372 GiB
NTFS at 49946/254/63
filesystem size 781417665
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 2
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
NTFS found using backup sector!, 400 GB / 372 GiB
NTFS at 49947/0/1
filesystem size 2127874150
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 2
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 49947 0 1 182401 10 10 2127874150 [DATA]
NTFS, 1089 GB / 1014 GiB
get_geometry_from_list_part_aux head=255 nbr=3
get_geometry_from_list_part_aux head=255 nbr=3

Results
* HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
NTFS, 400 GB / 372 GiB
P HPFS - NTFS 49947 0 1 182401 254 63 2127889575 [DATA]
NTFS, 1089 GB / 1014 GiB
SIGHUP detected! TestDisk has been killed.

#103
JSntgRvr
    Global Moderator
  • 10,999 posts
Did you ever get to this screen?

TD_1.jpg

It should appear after pressing Enter on this screen:

TD_2.jpg

#104
TangentMedia
    Member
  • Topic Starter
  • 75 posts
Yes. You are probably helping a lot of people and may have forgotten that I posted the screens I get in this post.

I pretty much get the same thing. There are no FAT partitions listed that I can run a Deeper Scan on.

#105
TangentMedia
    Member
  • Topic Starter
  • 75 posts
Additionally...

After running all of the scans you recommended yesterday, I tried to turn back on my Microsoft Security Essentials and the Microsoft Firewall. I am able to turn back on Microsoft Security Essentials, but cannot turn on the Microsoft Firewall.

I did some research and saw that this is probably malware related too. I imagine you are familiar with the drill and that this comes as no surprise. I am hoping you know what to do. I tried several of the recommendations in other posts, like manually starting services (services are missing), sfc scannow (no problems found), and using Microsoft's firewall Fix it repair service (unable to fix it).

Attached Thumbnails

  • firewall.jpg
