
Boot.tidserv removal



#16 RKinner (Malware Expert)
I just got back from a trip to the mainland and am exhausted. I'll try downloading and making my own gparted tomorrow and see if they have changed anything.


#17 RKinner (Malware Expert)
gparted worked for me just like the instructions said so don't know what went wrong.

I have several other methods we can try. They each require that I get a dump of the MBR first. When you ran aswMBR it should have created a file on your desktop called MBR.dat ("C:\Documents and Settings\Owner\Desktop\MBR.dat"). Please attach it to your next post.

Ron
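The MBR.dat that aswMBR saves is a raw 512-byte copy of the disk's first sector. As an added example that is not part of this thread or of aswMBR, the Python script below sanity-checks such a dump: it verifies the 55 AA signature, decodes the four partition entries, flags overlapping or multiple active partitions, and compares the boot-code area against a known-good SHA-256 baseline. The two dumps it inspects are constructed inside the script, not real disk data, and the baseline is assumed to be the hash of a clean dump from the same machine.

```python
"""Sanity-check a 512-byte MBR dump such as the MBR.dat file aswMBR writes."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # boot code precedes the 4-byte disk signature at 440
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of every valid MBR


@dataclass
class Partition:
    index: int
    status: int
    ptype: int
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80

    @property
    def lba_end(self) -> int:          # exclusive end sector
        return self.lba_start + self.sectors


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the non-empty primary partition entries (type 0x00 = unused slot)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            parts.append(Partition(i, status, ptype, lba_start, sectors))
    return parts


def boot_code_sha256(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def inspect_mbr(mbr: bytes, known_good_sha256: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing looked off."""
    if len(mbr) != MBR_SIZE:
        return [f"dump is {len(mbr)} bytes, expected {MBR_SIZE}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 55 AA boot signature")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p.bootable]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in parts:
        if p.status not in (0x00, 0x80):
            findings.append(f"entry {p.index}: invalid status byte 0x{p.status:02x}")
        if p.sectors == 0 or p.lba_start == 0:
            findings.append(f"entry {p.index}: zero start or length")
    for a in parts:
        for b in parts:
            if a.index < b.index and a.lba_start < b.lba_end and b.lba_start < a.lba_end:
                findings.append(f"entries {a.index} and {b.index} overlap")
    if known_good_sha256 and boot_code_sha256(mbr) != known_good_sha256:
        findings.append("boot code differs from the known-good baseline")
    return findings


def build_mbr(boot_code: bytes, entries: List[tuple]) -> bytes:
    """Assemble a constructed MBR from (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", s, t, start, n) for s, t, start, n in entries)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x11\x22\x33\x44" + b"\x00\x00"
    return body + table + BOOT_SIGNATURE


# Constructed samples (not real disk data): a clean MBR, and one whose boot code
# and partition table were altered, which is what the checks above should catch.
CLEAN_CODE = bytes([0x90]) * BOOT_CODE_LEN
CLEAN_MBR = build_mbr(CLEAN_CODE, [(0x80, 0x07, 63, 1_000_000)])
BASELINE = boot_code_sha256(CLEAN_MBR)      # assumed: hash taken from a clean dump
TAMPERED_MBR = build_mbr(
    b"\xeb\xfe" + CLEAN_CODE[2:],                                    # first bytes of code replaced
    [(0x80, 0x07, 63, 1_000_000), (0x80, 0x07, 900_000, 200_000)],  # second active entry overlaps
)

if __name__ == "__main__":
    for name, dump in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, inspect_mbr(dump, BASELINE) or ["no findings"])
```

Run it against a real MBR.dat with `inspect_mbr(open("MBR.dat", "rb").read(), baseline)`; without a baseline the hash comparison is skipped and only the structural checks apply.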

#18 MrsJarrett (Member, Topic Starter)
Ron, I attached the MBR.dat file you needed.

By the way, when I clicked on the gparted link you gave and the website came up, it had a newer version of gparted, which was 0.13.0-1. That is the one I told you only showed me the first screen and once I press enter it runs automatically. I went and downloaded the version you had listed, which was 0.10.1.3, and booted from the CD-ROM drive and it kept saying "press F1 to reboot or F2 for boot utility setup."

The 0.13.0-1 version, which is the updated version, runs for a few seconds and then gets stuck. I see errors with switchroot and "can't load page" and can't load something else. I can't remember the exact word right now, but that is what I encountered.

Attached File: MBR.dat (512 bytes)


#19 RKinner (Malware Expert)
Have you got a USB drive we can use?

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
IF you don't have a USB drive we can try another CD:
http://puppylinux.or...est Release.htm
This one has gparted as a menu item.

#20 MrsJarrett (Member, Topic Starter)
Ok Ron, I am at a complete loss for words. This virus is very stubborn. Everything I tried to get rid of it doesn't seem to be working. I tried the System Recovery Options and when I get to the Advanced Boot Options, I don't get the option that says "repair my computer." So I tried the Windows Recovery Options. It says "press R to repair" and I did. However, whenever it gets to doing what it does, it gets stuck and won't move. Lastly, I downloaded puppylinux to the desktop. I used the ISO burner and made the CD to boot from it. The first couple of processes go through without a hitch and then I get this message:

Performing a switch root to the layered filesystem: Kernel panic not syncing: Attempted to kill init!

I'm not sure if I'm doing something incorrectly. Please let me know. Thank you so much.

Marlene


#21 RKinner (Malware Expert)
Seems unlikely that the CD programs are being stopped by the virus as it should not be active during a CD boot. More likely there is just something odd about your PC, though I suppose if you are making the CDs on the infected computer it might somehow mess them up.

Can you get a USB drive and run the Farbar Recovery Scan Tool?

#22 MrsJarrett (Member, Topic Starter)
Hi Ron. Here is the log from the Farbar Recovery Scan Tool. I hope this helps.


Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-07-2012 01
Ran by Owner at 24-07-2012 18:27:08
Running from F:\
Service Pack 3 (X86) OS Language: English(US)
Attention: Could not load system hive.
Error: The process cannot access the file because it is being used by another process.
ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.


============ One Month Created Files and Folders ==============

2012-07-24 18:26 - 2012-07-24 18:27 - 00000000 ____D C:\FRST
2012-07-20 21:10 - 2012-07-20 21:10 - 139005952 ____A C:\Documents and Settings\Owner\Desktop\lupu-528.005.iso
2012-07-19 19:02 - 2012-07-19 19:02 - 00009002 ____A C:\Documents and Settings\Owner\My Documents\gparted-live-0.10.0-3.iso.torrent
2012-07-19 19:00 - 2012-07-19 19:00 - 00009002 ____A C:\Documents and Settings\Owner\Desktop\gparted-live-0.10.0-3.iso.torrent
2012-07-17 18:29 - 2012-07-17 18:29 - 07716864 ____A C:\Documents and Settings\Owner\My Documents\rc.iso
2012-07-17 18:27 - 2012-07-17 18:27 - 129667072 ____A C:\Documents and Settings\Owner\My Documents\gparted-live-0.13.0-1.iso
2012-07-17 18:24 - 2012-07-17 18:24 - 00821248 ____A C:\Documents and Settings\Owner\Desktop\FreeISOBurner.exe
2012-07-16 19:11 - 2012-07-16 19:14 - 00000000 ___SD C:\ComboFix
2012-07-15 08:04 - 2012-07-15 08:04 - 00002098 ____A C:\Documents and Settings\Owner\Desktop\aswMBR.txt
2012-07-15 08:04 - 2012-07-15 08:04 - 00000512 ____A C:\Documents and Settings\Owner\Desktop\MBR.dat
2012-07-15 07:25 - 2012-07-15 07:25 - 04731392 ____A (AVAST Software) C:\Documents and Settings\Owner\Desktop\aswMBR.exe
2012-07-14 16:44 - 2012-07-14 16:44 - 00000000 RASHD C:\cmdcons
2012-07-14 16:44 - 2012-06-08 09:56 - 00000211 ____A C:\Boot.bak
2012-07-14 16:44 - 2004-08-03 23:00 - 00260272 _RASH C:\cmldr
2012-07-14 16:41 - 2012-07-14 16:41 - 00000000 ____D C:\Qoobox
2012-07-14 16:41 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
2012-07-14 16:41 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
2012-07-14 16:41 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-07-14 16:41 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-07-14 16:41 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-07-14 16:41 - 2000-08-30 20:00 - 00212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe
2012-07-14 16:41 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
2012-07-14 16:41 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
2012-07-14 16:41 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
2012-07-14 16:40 - 2012-07-14 16:40 - 00000000 ____D C:\Windows\erdnt
2012-07-14 16:38 - 2012-07-16 19:10 - 04579127 ____R (Swearware) C:\Documents and Settings\Owner\Desktop\ComboFix.exe
2012-07-14 09:31 - 2012-07-14 09:31 - 00000000 __HDC C:\Windows\$NtUninstallKB2707511$
2012-07-14 09:31 - 2012-07-14 09:31 - 00000000 __HDC C:\Windows\$NtUninstallKB2691442$
2012-07-14 09:26 - 2012-07-14 09:26 - 00014628 ____A C:\Windows\KB2718523.log
2012-07-14 09:26 - 2012-07-14 09:26 - 00000000 __HDC C:\Windows\$NtUninstallKB2718523$
2012-07-14 09:25 - 2012-07-14 09:25 - 00000000 __HDC C:\Windows\$NtUninstallKB2655992$
2012-07-14 09:22 - 2012-07-14 09:22 - 00000000 __HDC C:\Windows\$NtUninstallKB2719985$
2012-07-14 09:21 - 2012-07-14 09:21 - 00000129 ____A C:\Windows\System32\MRT.INI
2012-07-14 09:21 - 2012-07-14 09:21 - 00000000 __HDC C:\Windows\$NtUninstallKB2718704$
2012-07-14 09:16 - 2012-07-14 09:16 - 00017190 ____A C:\Windows\KB2699988-IE8.log
2012-07-14 09:16 - 2012-07-14 09:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2685939$
2012-07-14 09:15 - 2012-07-14 09:16 - 00008673 ____A C:\Windows\KB2685939.log
2012-07-14 09:15 - 2012-07-14 09:15 - 00287068 ____A C:\Windows\msxml4-KB2721691-enu.LOG
2012-07-14 09:15 - 2012-07-14 09:15 - 00000000 __HDC C:\Windows\$NtUninstallKB2698365$
2012-07-14 09:12 - 2012-07-14 09:15 - 00009941 ____A C:\Windows\KB2698365.log
2012-07-14 00:52 - 2012-07-14 09:32 - 00023354 ____A C:\Windows\KB2707511.log
2012-07-14 00:52 - 2012-07-14 09:31 - 00020954 ____A C:\Windows\KB2691442.log
2012-07-14 00:52 - 2012-07-14 09:25 - 00019924 ____A C:\Windows\KB2655992.log
2012-07-14 00:52 - 2012-07-14 09:22 - 00019591 ____A C:\Windows\KB2719985.log
2012-07-14 00:51 - 2012-07-14 09:21 - 00019050 ____A C:\Windows\KB2718704.log
2012-07-14 00:51 - 2012-05-11 10:42 - 00521728 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\jsdbgui.dll
2012-07-13 23:03 - 2012-07-24 14:42 - 00000436 ___AH C:\Windows\Tasks\Norton Security Scan for Owner.job
2012-07-13 22:49 - 2012-07-13 23:50 - 00003134 ____A C:\Documents and Settings\Owner\Desktop\unhide.txt
2012-07-13 22:49 - 2012-07-13 22:49 - 00399264 ____A (Bleeping Computer, LLC) C:\Documents and Settings\Owner\Desktop\unhide.exe
2012-07-13 22:43 - 2012-07-13 23:00 - 00004096 ____A C:\Documents and Settings\Owner\Local Settings\Application Data.LOG
2012-07-13 22:43 - 2012-07-13 23:00 - 00004096 ____A C:\Documents and Settings\NetworkService\Local Settings\Application Data.LOG
2012-07-13 22:43 - 2012-07-13 23:00 - 00004096 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data.LOG
2012-07-13 22:43 - 2012-07-13 23:00 - 00004096 ____A C:\Documents and Settings\Guest\Local Settings\Application Data.LOG
2012-07-13 22:43 - 2012-07-13 23:00 - 00004096 ____A C:\Documents and Settings\Administrator\Local Settings\Application Data.LOG
2012-07-13 22:42 - 2012-07-13 22:42 - 00056698 ____A C:\Documents and Settings\Owner\Desktop\OTLFIXLOG07132012_223307.log
2012-07-13 22:33 - 2012-07-13 22:33 - 00000000 ____D C:\_OTL
2012-07-12 20:01 - 2012-07-15 23:56 - 00134924 ____A C:\Documents and Settings\Owner\Desktop\OTL.Txt
2012-07-12 20:01 - 2012-07-12 20:14 - 00038890 ____A C:\Documents and Settings\Owner\Desktop\Extras.Txt
2012-07-11 18:42 - 2012-07-11 18:42 - 00001270 ____A C:\Documents and Settings\All Users\Desktop\iTunes.lnk
2012-07-11 18:36 - 2012-07-11 18:36 - 00000000 ____D C:\Program Files\iPod
2012-07-11 18:26 - 2012-07-11 19:07 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\vlc
2012-07-11 18:21 - 2012-07-13 23:29 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\dvdcss
2012-07-11 18:06 - 2012-07-11 18:06 - 00000633 ____A C:\Documents and Settings\All Users\Desktop\7-zip.lnk
2012-07-11 18:06 - 2012-07-11 18:06 - 00000000 ____D C:\Program Files\7-zip
2012-07-11 18:06 - 2012-07-11 18:06 - 00000000 ____D C:\Documents and Settings\Owner\Local Settings\Application Data\RivalGaming
2012-07-11 17:57 - 2012-07-11 17:57 - 00000719 ____A C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
2012-07-11 17:57 - 2012-07-11 17:57 - 00000000 ____D C:\Program Files\VideoLAN
2012-07-11 17:57 - 2012-07-11 17:57 - 00000000 ____D C:\Program Files\I Want This
2012-07-11 17:54 - 2012-07-11 23:54 - 09226440 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2012-07-10 21:12 - 2012-07-10 21:12 - 00021361 ____A (Cisco Systems, Inc.) C:\Windows\System32\Drivers\AegisP.sys
2012-07-10 21:12 - 2012-07-10 21:12 - 00001799 ____A C:\Documents and Settings\All Users\Desktop\Edimax 11n USB Wireless LAN Utility.lnk
2012-07-10 21:11 - 2012-07-10 21:11 - 00000000 ____D C:\Windows\OPTIONS
2012-07-10 21:11 - 2010-08-06 02:45 - 00907496 ___RA (Realtek Semiconductor Corporation ) C:\Windows\System32\Drivers\RTL8192cu.sys
2012-07-10 21:11 - 2010-03-31 22:37 - 00614400 ____R (Realtek Semiconductor Corp. ) C:\Windows\System32\Rtlihvs.dll
2012-07-10 21:11 - 2010-03-31 22:37 - 00614400 ____R (Realtek Semiconductor Corp. ) C:\Windows\Rtlihvs.dll
2012-07-10 21:11 - 2010-03-31 22:37 - 00380928 ____R (Realtek) C:\Windows\System32\RtlUI2.exe
2012-07-10 21:11 - 2010-03-31 22:37 - 00380928 ____R (Realtek) C:\Windows\RtlUI2.exe
2012-07-10 21:11 - 2010-03-31 22:37 - 00188416 ____R (Realtek Semiconductor Corp. ) C:\Windows\System32\RTLExtUI.dll
2012-07-10 21:11 - 2010-03-31 22:37 - 00188416 ____R (Realtek Semiconductor Corp. ) C:\Windows\RTLExtUI.dll
2012-07-10 21:10 - 2012-07-10 21:10 - 00000000 ____D C:\Windows\System32\RtlGina
2012-07-10 21:10 - 2012-07-10 21:10 - 00000000 ____D C:\Program Files\Edimax
2012-07-10 21:10 - 2009-02-05 02:49 - 00451072 ____A C:\Windows\System32\ISSRemoveSP.exe
2012-07-10 21:09 - 2012-07-10 21:14 - 00000000 ____A C:\Windows\RTacDbg.txt
2012-07-10 21:07 - 2008-04-14 05:41 - 00021504 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\hidserv.dll
2012-07-10 21:07 - 2008-04-14 05:41 - 00021504 ____A (Microsoft Corporation) C:\Windows\System32\hidserv.dll
2012-07-10 21:07 - 2008-04-14 00:09 - 00014592 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\kbdhid.sys
2012-07-10 21:07 - 2008-04-14 00:09 - 00014592 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\kbdhid.sys
2012-07-10 21:07 - 2001-08-17 13:48 - 00012160 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\mouhid.sys
2012-07-10 21:07 - 2001-08-17 13:48 - 00012160 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\mouhid.sys
2012-06-25 16:04 - 2012-06-25 16:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\System32\msxml4.dll

============ 3 Months Modified Files ========================

2012-07-24 17:54 - 2012-03-28 07:31 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-24 17:50 - 2012-03-12 17:31 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-24 14:42 - 2012-07-13 23:03 - 00000436 ___AH C:\Windows\Tasks\Norton Security Scan for Owner.job
2012-07-24 12:50 - 2012-03-12 17:31 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-23 21:50 - 2010-02-07 02:54 - 00032638 ____A C:\Windows\SchedLgU.Txt
2012-07-23 21:36 - 2010-02-07 10:53 - 01067041 ____A C:\Windows\WindowsUpdate.log
2012-07-23 07:48 - 2010-02-10 23:03 - 00000284 ____A C:\Windows\Tasks\AppleSoftwareUpdate.job
2012-07-22 07:34 - 2010-02-06 21:42 - 00000400 ____A C:\Windows\wiadebug.log
2012-07-22 07:33 - 2010-02-07 02:54 - 00000062 __ASH C:\Documents and Settings\Owner\Local Settings\desktop.ini
2012-07-22 07:33 - 2010-02-07 02:48 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-22 07:33 - 2010-02-06 21:42 - 00000049 ____A C:\Windows\wiaservc.log
2012-07-22 07:32 - 2010-02-07 02:54 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2012-07-22 07:32 - 2010-02-07 02:54 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2012-07-22 07:32 - 2003-07-16 16:53 - 00002206 ____A C:\Windows\System32\wpa.dbl
2012-07-21 08:51 - 2010-02-07 02:54 - 00000178 ___SH C:\Documents and Settings\Owner\ntuser.ini
2012-07-20 21:10 - 2012-07-20 21:10 - 139005952 ____A C:\Documents and Settings\Owner\Desktop\lupu-528.005.iso
2012-07-19 19:02 - 2012-07-19 19:02 - 00009002 ____A C:\Documents and Settings\Owner\My Documents\gparted-live-0.10.0-3.iso.torrent
2012-07-19 19:00 - 2012-07-19 19:00 - 00009002 ____A C:\Documents and Settings\Owner\Desktop\gparted-live-0.10.0-3.iso.torrent
2012-07-17 18:29 - 2012-07-17 18:29 - 07716864 ____A C:\Documents and Settings\Owner\My Documents\rc.iso
2012-07-17 18:27 - 2012-07-17 18:27 - 129667072 ____A C:\Documents and Settings\Owner\My Documents\gparted-live-0.13.0-1.iso
2012-07-17 18:24 - 2012-07-17 18:24 - 00821248 ____A C:\Documents and Settings\Owner\Desktop\FreeISOBurner.exe
2012-07-16 19:10 - 2012-07-14 16:38 - 04579127 ____R (Swearware) C:\Documents and Settings\Owner\Desktop\ComboFix.exe
2012-07-16 06:36 - 2011-12-23 18:20 - 00001324 ____A C:\Windows\System32\d3d9caps.dat
2012-07-16 05:45 - 2010-09-16 09:04 - 00493501 ____A C:\Windows\setupapi.log
2012-07-15 23:56 - 2012-07-12 20:01 - 00134924 ____A C:\Documents and Settings\Owner\Desktop\OTL.Txt
2012-07-15 08:04 - 2012-07-15 08:04 - 00002098 ____A C:\Documents and Settings\Owner\Desktop\aswMBR.txt
2012-07-15 08:04 - 2012-07-15 08:04 - 00000512 ____A C:\Documents and Settings\Owner\Desktop\MBR.dat
2012-07-15 07:25 - 2012-07-15 07:25 - 04731392 ____A (AVAST Software) C:\Documents and Settings\Owner\Desktop\aswMBR.exe
2012-07-14 16:44 - 2010-02-06 21:39 - 00000327 _RASH C:\boot.ini
2012-07-14 09:45 - 2010-02-06 21:39 - 00304416 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-14 09:32 - 2012-07-14 00:52 - 00023354 ____A C:\Windows\KB2707511.log
2012-07-14 09:32 - 2010-02-06 21:40 - 02850445 ____A C:\Windows\FaxSetup.log
2012-07-14 09:32 - 2010-02-06 21:40 - 01415879 ____A C:\Windows\ocgen.log
2012-07-14 09:32 - 2010-02-06 21:40 - 01100120 ____A C:\Windows\tsoc.log
2012-07-14 09:32 - 2010-02-06 21:40 - 00767280 ____A C:\Windows\comsetup.log
2012-07-14 09:32 - 2010-02-06 21:40 - 00467757 ____A C:\Windows\ntdtcsetup.log
2012-07-14 09:32 - 2010-02-06 21:40 - 00445813 ____A C:\Windows\iis6.log
2012-07-14 09:32 - 2010-02-06 21:40 - 00143730 ____A C:\Windows\msgsocm.log
2012-07-14 09:32 - 2010-02-06 21:40 - 00119915 ____A C:\Windows\ocmsn.log
2012-07-14 09:32 - 2010-02-06 21:40 - 00001374 ____A C:\Windows\imsins.log
2012-07-14 09:31 - 2012-07-14 00:52 - 00020954 ____A C:\Windows\KB2691442.log
2012-07-14 09:31 - 2010-02-07 16:15 - 00515051 ____A C:\Windows\updspapi.log
2012-07-14 09:31 - 2010-02-06 21:40 - 00001374 ____A C:\Windows\imsins.BAK
2012-07-14 09:30 - 2010-02-06 21:40 - 00492720 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-14 09:26 - 2012-07-14 09:26 - 00014628 ____A C:\Windows\KB2718523.log
2012-07-14 09:25 - 2012-07-14 00:52 - 00019924 ____A C:\Windows\KB2655992.log
2012-07-14 09:25 - 2003-07-16 16:51 - 00000590 ____A C:\Windows\win.ini
2012-07-14 09:22 - 2012-07-14 00:52 - 00019591 ____A C:\Windows\KB2719985.log
2012-07-14 09:21 - 2012-07-14 09:21 - 00000129 ____A C:\Windows\System32\MRT.INI
2012-07-14 09:21 - 2012-07-14 00:51 - 00019050 ____A C:\Windows\KB2718704.log
2012-07-14 09:16 - 2012-07-14 09:16 - 00017190 ____A C:\Windows\KB2699988-IE8.log
2012-07-14 09:16 - 2012-07-14 09:15 - 00008673 ____A C:\Windows\KB2685939.log
2012-07-14 09:15 - 2012-07-14 09:15 - 00287068 ____A C:\Windows\msxml4-KB2721691-enu.LOG
2012-07-14 09:15 - 2012-07-14 09:12 - 00009941 ____A C:\Windows\KB2698365.log
2012-07-14 08:53 - 2012-03-28 07:31 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-14 08:53 - 2011-05-27 19:05 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-13 23:50 - 2012-07-13 22:49 - 00003134 ____A C:\Documents and Settings\Owner\Desktop\unhide.txt
2012-07-13 23:00 - 2012-07-13 22:43 - 00004096 ____A C:\Documents and Settings\Owner\Local Settings\Application Data.LOG
2012-07-13 23:00 - 2012-07-13 22:43 - 00004096 ____A C:\Documents and Settings\NetworkService\Local Settings\Application Data.LOG
2012-07-13 23:00 - 2012-07-13 22:43 - 00004096 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data.LOG
2012-07-13 23:00 - 2012-07-13 22:43 - 00004096 ____A C:\Documents and Settings\Guest\Local Settings\Application Data.LOG
2012-07-13 23:00 - 2012-07-13 22:43 - 00004096 ____A C:\Documents and Settings\Administrator\Local Settings\Application Data.LOG
2012-07-13 22:49 - 2012-07-13 22:49 - 00399264 ____A (Bleeping Computer, LLC) C:\Documents and Settings\Owner\Desktop\unhide.exe
2012-07-13 22:42 - 2012-07-13 22:42 - 00056698 ____A C:\Documents and Settings\Owner\Desktop\OTLFIXLOG07132012_223307.log
2012-07-12 20:14 - 2012-07-12 20:01 - 00038890 ____A C:\Documents and Settings\Owner\Desktop\Extras.Txt
2012-07-11 23:54 - 2012-07-11 17:54 - 09226440 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2012-07-11 18:42 - 2012-07-11 18:42 - 00001270 ____A C:\Documents and Settings\All Users\Desktop\iTunes.lnk
2012-07-11 18:06 - 2012-07-11 18:06 - 00000633 ____A C:\Documents and Settings\All Users\Desktop\7-zip.lnk
2012-07-11 17:57 - 2012-07-11 17:57 - 00000719 ____A C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
2012-07-10 21:14 - 2012-07-10 21:09 - 00000000 ____A C:\Windows\RTacDbg.txt
2012-07-10 21:12 - 2012-07-10 21:12 - 00021361 ____A (Cisco Systems, Inc.) C:\Windows\System32\Drivers\AegisP.sys
2012-07-10 21:12 - 2012-07-10 21:12 - 00001799 ____A C:\Documents and Settings\All Users\Desktop\Edimax 11n USB Wireless LAN Utility.lnk
2012-07-10 21:07 - 2010-02-06 21:40 - 00180113 ____A C:\Windows\setupact.log
2012-07-03 03:13 - 2010-02-07 16:21 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-25 16:04 - 2012-06-25 16:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\System32\msxml4.dll
2012-06-13 09:19 - 2009-08-14 09:21 - 01866112 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\win32k.sys
2012-06-13 09:19 - 2003-07-16 16:51 - 01866112 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 14:22 - 2010-02-07 18:54 - 00031154 ____A C:\Windows\wmsetup.log
2012-06-08 14:22 - 2010-02-07 18:42 - 00213297 ____A C:\Windows\spupdsvc.log
2012-06-08 14:21 - 2010-02-07 02:46 - 00000832 ___AC C:\Windows\DtcInstall.log
2012-06-08 14:19 - 2010-02-09 18:48 - 00000352 ___AC C:\Windows\spupdsvc.log.1.log
2012-06-08 14:15 - 2012-06-08 14:15 - 00009580 ____A C:\Windows\System32\.crusader
2012-06-08 14:06 - 2010-02-07 11:16 - 01035175 ___AC C:\Windows\svcpack.log
2012-06-08 11:48 - 2010-02-08 05:50 - 00236723 ___AC C:\Windows\KB978207.log
2012-06-08 11:48 - 2010-02-08 05:46 - 00219556 ___AC C:\Windows\KB975025.log
2012-06-08 11:48 - 2010-02-08 05:39 - 00211942 ___AC C:\Windows\KB975467.log
2012-06-08 11:47 - 2010-02-09 09:16 - 00208826 ___AC C:\Windows\KB973869.log
2012-06-08 11:47 - 2010-02-08 05:50 - 00227287 ___AC C:\Windows\KB974318.log
2012-06-08 11:47 - 2010-02-08 05:49 - 00223337 ___AC C:\Windows\KB974112.log
2012-06-08 11:47 - 2010-02-08 05:44 - 00220339 ___AC C:\Windows\KB974571.log
2012-06-08 11:47 - 2010-02-08 05:43 - 00218946 ___AC C:\Windows\KB974392.log
2012-06-08 11:46 - 2010-02-09 09:15 - 00389891 ___AC C:\Windows\KB973687.log
2012-06-08 11:46 - 2010-02-09 09:14 - 00207078 ___AC C:\Windows\KB973354.log
2012-06-08 11:46 - 2010-02-08 05:44 - 00219222 ___AC C:\Windows\KB973507.log
2012-06-08 11:46 - 2010-02-08 05:42 - 00213639 ___AC C:\Windows\KB973815.log
2012-06-08 11:45 - 2010-02-09 09:08 - 00205835 ___AC C:\Windows\KB971486.log
2012-06-08 11:45 - 2010-02-08 05:49 - 00223640 ___AC C:\Windows\KB971657.log
2012-06-08 11:45 - 2010-02-08 05:49 - 00222829 ___AC C:\Windows\KB971557.log
2012-06-08 11:45 - 2010-02-08 05:47 - 00219197 ___AC C:\Windows\KB971633.log
2012-06-08 11:45 - 2010-02-08 05:43 - 00215647 ___AC C:\Windows\KB970238.log
2012-06-08 11:44 - 2010-02-08 05:50 - 00223704 ___AC C:\Windows\KB969059.log
2012-06-08 11:44 - 2010-02-08 05:48 - 00218956 ___AC C:\Windows\KB961501.log
2012-06-08 11:44 - 2010-02-08 05:43 - 00217994 ___AC C:\Windows\KB967715.log
2012-06-08 11:44 - 2010-02-08 05:39 - 00214270 ___AC C:\Windows\KB968389.log
2012-06-08 11:44 - 2010-02-08 05:38 - 00207812 ___AC C:\Windows\KB969947.log
2012-06-08 11:43 - 2010-02-09 09:14 - 00206641 ___AC C:\Windows\KB958687.log
2012-06-08 11:43 - 2010-02-09 09:07 - 00202837 ___AC C:\Windows\KB958644.log
2012-06-08 11:43 - 2010-02-08 05:51 - 00232253 ___AC C:\Windows\KB959426.log
2012-06-08 11:43 - 2010-02-08 05:50 - 00230487 ___AC C:\Windows\KB960859.log
2012-06-08 11:43 - 2010-02-08 05:49 - 00222087 ___AC C:\Windows\KB960225.log
2012-06-08 11:43 - 2010-02-08 05:42 - 00213444 ___AC C:\Windows\KB960803.log
2012-06-08 11:42 - 2010-02-09 14:02 - 00219078 ___AC C:\Windows\KB956803.log
2012-06-08 11:42 - 2010-02-09 14:00 - 00214956 ___AC C:\Windows\KB955759.log
2012-06-08 11:42 - 2010-02-09 09:17 - 00220215 ___AC C:\Windows\KB956572.log
2012-06-08 11:42 - 2010-02-09 09:17 - 00207464 ___AC C:\Windows\KB956844.log
2012-06-08 11:42 - 2010-02-09 09:14 - 00206789 ___AC C:\Windows\KB957097.log
2012-06-08 11:42 - 2010-02-08 05:39 - 00211866 ___AC C:\Windows\KB956802.log
2012-06-08 11:41 - 2010-02-09 09:14 - 00205042 ___AC C:\Windows\KB952287.log
2012-06-08 11:41 - 2010-02-09 09:07 - 00201139 ___AC C:\Windows\KB955069.log
2012-06-08 11:41 - 2010-02-08 05:51 - 00231324 ___AC C:\Windows\KB952954.log
2012-06-08 11:41 - 2010-02-08 05:44 - 00220484 ___AC C:\Windows\KB952004.log
2012-06-08 11:41 - 2010-02-08 05:43 - 00219020 ___AC C:\Windows\KB951748.log
2012-06-08 11:40 - 2010-02-09 14:03 - 00217845 ___AC C:\Windows\KB951376-v2.log
2012-06-08 11:40 - 2010-02-09 09:15 - 00204580 ___AC C:\Windows\KB950762.log
2012-06-08 11:40 - 2010-02-09 09:14 - 00203402 ___AC C:\Windows\KB951066.log
2012-06-08 11:40 - 2010-02-08 05:50 - 00221703 ___AC C:\Windows\KB950974.log
2012-06-08 11:39 - 2010-02-09 14:02 - 00217243 ___AC C:\Windows\KB946648.log
2012-06-08 11:39 - 2010-02-09 09:07 - 00200242 ___AC C:\Windows\KB923561.log
2012-06-08 11:28 - 2010-02-07 18:54 - 00000546 ___AC C:\Windows\cmsetacl.log
2012-06-08 11:28 - 2010-02-07 02:46 - 00001795 ___AC C:\Windows\sessmgr.setup.log
2012-06-08 11:24 - 2012-06-08 11:24 - 00000581 ____A C:\Windows\medctroc.Log
2012-06-08 10:26 - 2008-06-17 15:02 - 08462848 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\shell32.dll
2012-06-08 10:26 - 2006-07-13 09:46 - 08462848 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 09:56 - 2012-07-14 16:44 - 00000211 ____A C:\Boot.bak
2012-06-08 06:26 - 2012-05-29 23:42 - 00001876 ____A C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.LNK
2012-06-08 06:23 - 2012-05-29 23:42 - 00141944 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2012-06-08 06:23 - 2012-05-29 23:42 - 00060872 ____A (Symantec Corporation) C:\Windows\System32\S32EVNT1.DLL
2012-06-08 06:23 - 2012-05-29 23:42 - 00007468 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
2012-06-05 11:50 - 2010-02-08 06:11 - 01372672 ____N (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 11:50 - 2010-02-08 06:11 - 01372672 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\msxml6.dll
2012-06-05 11:50 - 2006-09-13 01:09 - 01172480 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 11:50 - 2003-07-16 16:37 - 01172480 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\msxml3.dll
2012-06-04 00:32 - 2008-12-05 02:54 - 00152576 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\schannel.dll
2012-06-04 00:32 - 2003-07-16 16:43 - 00152576 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-02 15:19 - 2010-02-07 10:53 - 00577048 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wuapi.dll
2012-06-02 15:19 - 2010-02-07 10:53 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 15:19 - 2010-02-07 10:53 - 00329240 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wucltui.dll
2012-06-02 15:19 - 2010-02-07 10:53 - 00329240 ____A (Microsoft Corporation) C:\Windows\System32\wucltui.dll
2012-06-02 15:19 - 2010-02-07 10:53 - 00219160 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wuaucpl.cpl
2012-06-02 15:19 - 2010-02-07 10:53 - 00219160 ____A (Microsoft Corporation) C:\Windows\System32\wuaucpl.cpl
2012-06-02 15:19 - 2010-02-07 10:53 - 00210968 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wuweb.dll
2012-06-02 15:19 - 2010-02-07 10:53 - 00210968 ____A (Microsoft Corporation) C:\Windows\System32\wuweb.dll
2012-06-02 15:19 - 2010-02-07 10:53 - 00035864 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wups.dll
2012-06-02 15:19 - 2010-02-07 10:53 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 15:19 - 2010-02-07 02:45 - 01933848 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wuaueng.dll
2012-06-02 15:19 - 2010-02-07 02:45 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 15:19 - 2010-02-07 02:45 - 00053784 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wuauclt.exe
2012-06-02 15:19 - 2010-02-07 02:45 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 15:19 - 2009-08-06 20:24 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 15:19 - 2009-08-06 20:24 - 00022040 ____A (Microsoft Corporation) C:\Windows\System32\wucltui.dll.mui
2012-06-02 15:19 - 2009-08-06 20:24 - 00017944 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll.mui
2012-06-02 15:19 - 2009-08-06 20:24 - 00015384 ____A (Microsoft Corporation) C:\Windows\System32\wuaucpl.cpl.mui
2012-06-02 15:19 - 2009-08-06 20:24 - 00015384 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll.mui
2012-06-02 15:19 - 2003-07-16 16:25 - 00097304 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\cdm.dll
2012-06-02 15:19 - 2003-07-16 16:25 - 00097304 ____A (Microsoft Corporation) C:\Windows\System32\cdm.dll
2012-06-02 15:18 - 2010-02-08 20:14 - 00275696 ____A (Microsoft Corporation) C:\Windows\System32\mucltui.dll
2012-06-02 15:18 - 2010-02-08 20:14 - 00214256 ____A (Microsoft Corporation) C:\Windows\System32\muweb.dll
2012-06-02 15:18 - 2010-02-08 20:14 - 00017136 ____A (Microsoft Corporation) C:\Windows\System32\mucltui.dll.mui
2012-05-31 09:22 - 2011-09-03 06:17 - 00599040 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\crypt32.dll
2012-05-31 09:22 - 2003-03-20 17:18 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-05-30 13:43 - 2012-05-30 13:43 - 00829648 ____A (Symantec Corporation) C:\Documents and Settings\Owner\My Documents\NBRT-Retail-Downloader.exe
2012-05-30 06:59 - 2012-05-30 06:59 - 02804712 ____A (Symantec Corporation) C:\Documents and Settings\Owner\My Documents\NPE.exe
2012-05-29 16:19 - 2012-05-29 16:22 - 07287176 ____A (SurfRight B.V.) C:\Documents and Settings\Owner\My Documents\HitmanPro36.exe
2012-05-29 15:19 - 2012-05-29 14:59 - 00000178 __ASH C:\Documents and Settings\Administrator\ntuser.ini
2012-05-29 14:59 - 2012-05-29 14:59 - 00000062 __ASH C:\Documents and Settings\Administrator\Local Settings\desktop.ini
2012-05-29 14:27 - 2012-05-29 14:27 - 00000283 ____A C:\Documents and Settings\Guest\Desktop\PC Cleaner Pro.lnk
2012-05-29 14:10 - 2012-01-02 16:10 - 00000062 __ASH C:\Documents and Settings\Guest\Local Settings\desktop.ini
2012-05-28 14:16 - 2010-02-07 02:46 - 00536576 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\msado15.dll
2012-05-25 21:14 - 2012-05-25 21:14 - 00000425 ____A C:\Documents and Settings\Guest\Desktop\sewer run game - Bing.url
2012-05-23 19:24 - 2012-05-23 19:24 - 00000298 ____A C:\Documents and Settings\Guest\Desktop\click.html.url
2012-05-21 08:15 - 2010-03-30 22:30 - 00001854 ____A C:\Documents and Settings\All Users\Desktop\Safari.lnk
2012-05-21 08:13 - 2012-05-21 08:13 - 00001604 ____A C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
2012-05-17 15:33 - 2010-02-08 09:38 - 00000038 ____A C:\Documents and Settings\Owner\Application Data\msnpromo.txt
2012-05-16 11:08 - 2009-12-22 01:21 - 00916992 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\wininet.dll
2012-05-16 11:08 - 2006-06-23 12:33 - 00916992 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-11 20:12 - 2010-02-12 08:47 - 11111424 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ieframe.dll
2012-05-11 20:12 - 2007-08-13 19:54 - 11111424 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-11 10:42 - 2012-07-14 00:51 - 00521728 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\jsdbgui.dll
2012-05-11 10:42 - 2011-06-16 07:38 - 00743424 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\iedvtool.dll
2012-05-11 10:42 - 2011-06-16 07:38 - 00247808 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ieproxy.dll
2012-05-11 10:42 - 2011-06-16 07:38 - 00012800 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\xpshims.dll
2012-05-11 10:42 - 2010-02-12 08:47 - 02000384 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\iertutil.dll
2012-05-11 10:42 - 2010-02-12 08:47 - 00629760 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\msfeeds.dll
2012-05-11 10:42 - 2010-02-12 08:47 - 00055296 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\msfeedsbs.dll
2012-05-11 10:42 - 2009-12-22 01:21 - 06007808 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\mshtml.dll
2012-05-11 10:42 - 2009-12-22 01:21 - 01212416 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\urlmon.dll
2012-05-11 10:42 - 2007-08-13 19:54 - 00629760 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-05-11 10:42 - 2007-08-13 19:54 - 00611840 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\mstime.dll
2012-05-11 10:42 - 2007-08-13 19:54 - 00184320 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\iepeers.dll
2012-05-11 10:42 - 2007-08-13 19:54 - 00067072 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\mshtmled.dll
2012-05-11 10:42 - 2007-08-13 19:54 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-05-11 10:42 - 2007-08-13 19:54 - 00025600 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\jsproxy.dll
2012-05-11 10:42 - 2007-08-13 19:45 - 01469440 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\inetcpl.cpl
2012-05-11 10:42 - 2007-08-13 19:44 - 00206848 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\occache.dll
2012-05-11 10:42 - 2007-08-13 19:44 - 00105984 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\url.dll
2012-05-11 10:42 - 2007-08-13 19:44 - 00043520 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\licmgr10.dll
2012-05-11 10:42 - 2007-08-13 19:39 - 00387584 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\iedkcs32.dll
2012-05-11 10:42 - 2007-08-13 19:34 - 02000384 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-11 10:42 - 2006-08-30 21:42 - 01212416 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-11 10:42 - 2006-06-30 11:28 - 06007808 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-11 10:42 - 2003-07-16 16:49 - 00105984 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-11 10:42 - 2003-07-16 16:40 - 00206848 ____N (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-05-11 10:42 - 2003-07-16 16:36 - 00611840 ____N (Microsoft Corporation) C:\Windows\System32\mstime.dll
2012-05-11 10:42 - 2003-07-16 16:35 - 00067072 ____N (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-11 10:42 - 2003-07-16 16:32 - 00043520 ____N (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-05-11 10:42 - 2003-07-16 16:31 - 00025600 ____N (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-11 10:42 - 2003-07-16 16:30 - 01469440 ____N (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-11 10:42 - 2003-07-16 16:30 - 00387584 ____N (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-05-11 10:42 - 2003-07-16 16:30 - 00184320 ____N (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-05-11 07:38 - 2007-08-13 19:39 - 00174080 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ie4uinit.exe
2012-05-11 07:38 - 2004-08-04 01:59 - 00385024 ____N (Microsoft Corporation) C:\Windows\System32\html.iec
2012-05-11 07:38 - 2003-07-16 16:30 - 00174080 ____N (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-05-09 16:14 - 2012-05-09 16:14 - 00005199 ____A C:\Windows\KB2659262.log
2012-05-09 15:58 - 2012-05-09 15:58 - 00007235 ____A C:\Windows\KB2686509.log
2012-05-09 15:56 - 2012-05-09 15:56 - 00006584 ____A C:\Windows\KB2695962.log
2012-05-09 15:52 - 2012-05-08 17:37 - 00015466 ____A C:\Windows\KB2676562.log
2012-05-04 09:16 - 2010-02-08 05:49 - 02148352 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ntkrnlmp.exe
2012-05-04 09:12 - 2010-02-08 05:49 - 02192640 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ntoskrnl.exe
2012-05-04 09:12 - 2003-07-16 16:39 - 02192640 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 08:32 - 2010-02-08 05:49 - 02026496 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ntkrpamp.exe
2012-05-04 08:32 - 2009-02-07 20:02 - 02069120 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ntkrnlpa.exe
2012-05-04 08:32 - 2002-08-28 21:04 - 02069120 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-05-02 09:46 - 2011-08-09 22:07 - 00139656 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\rdpwd.sys
2012-05-02 09:46 - 2010-02-07 02:45 - 00139656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-05-01 09:36 - 2012-05-01 09:36 - 00140376 ____A (Microsoft Corporation) C:\Windows\System32\MicrosoftUpdateCatalogWebControl.dll
2012-04-30 18:25 - 2011-01-29 17:47 - 00001945 ___AC C:\Windows\epplauncher.mif

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points (XP) =====================


========================= Memory info ======================

Percentage of memory in use: 73%
Total physical RAM: 1278 MB
Available physical RAM: 342.87 MB
Total Pagefile: 3052.08 MB
Available Pagefile: 2126.1 MB
Total Virtual: 2047.88 MB
Available Virtual: 1995.21 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:37.21 GB) (Free:8.9 GB) NTFS ==>[Drive with boot components (Windows XP)]
3 Drive e: (TEAC DRIVE) (Fixed) (Total:149.01 GB) (Free:4.72 GB) FAT32
4 Drive f: (STORE'N'GO) (Removable) (Total:0.24 GB) (Free:0.23 GB) FAT

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 37 GB 0 B
Disk 1 Online 149 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 32 KB
Partition 2 Primary 37 GB 39 MB
Partition 3 Unknown 8 MB 37 GB
==================================================================================

Disk: 0
The disk management services could not complete the operation.

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 37 GB Healthy Boot
==================================================================================

Disk: 0
The disk management services could not complete the operation.

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 149 GB 32 KB
==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E TEAC DRIVE FAT32 Partition 149 GB Healthy
==================================================================================
======================= End Of Log ==========================

#23
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,796 posts
  • MVP
Sorry for the delay. We had to pick up a friend from the Seattle airport and with the ferry schedule it took two days.

Download MBRFix and save it to the flash (USB) drive. (Make sure you put the drive in the same slot as when you ran the Farbar Recovery Scan Tool before.)

Attached is a file called FixedMBR.dat

Download and Save it to the same USB drive.

Copy the next 4 lines:

CMD: copy /y F:\FixedMBR.dat C:\newMBR.bin
CMD: copy /y F:\mbrfix.exe C:\

Start, Run, notepad, OK

Edit, Paste or Ctrl + v the text into notepad. File, Save As, F:\fixlist.txt, OK.

Run FRST as before and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Normally they tell us to say: Once you have posted the Fixlog.txt, we'll move on to the second part of the fix. But if the log says the files copied OK, then I think we can go on. IF in doubt, post the log and wait until I look at it.

Copy the next 4 lines:

Start
CMD: C:\MbrFix /drive 0 savembr C:\Backup_MBR_0.bin
CMD: C:\MbrFix /drive 0 restorembr C:\newMBR.bin
End


Start, Run, notepad, OK

Edit, Paste or Ctrl + v the text into notepad. File, Save As, F:\fixlist.txt, OK. (Overwrite the old one if it is still there)

Run FRST as before and press the Fix button just once and wait.

Now reboot from the Windows XP Recovery Console CD and execute the following commands:

fixboot  c:
exit

IF all went well it should reboot into regular mode and the infection should be gone. IF it doesn't work then you can restore the original MBR with FRST:

Copy the next 3 lines:

Start
CMD: C:\MbrFix /drive 0 restorembr C:\Backup_MBR_0.bin
End

Start, Run, notepad, OK

Edit, Paste or Ctrl + v the text into notepad. File, Save As, F:\fixlist.txt, OK. (Overwrite the old one if it is still there)

Run FRST as before and press the Fix button just once and wait.

Now reboot from the Windows XP Recovery Console CD and execute the following commands:

fixboot  c:
exit

IF all went well it should reboot into regular mode and the infection should be back.

#24
MrsJarrett

MrsJarrett

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
The MBRFix hyperlink does not work. When I click on it I get a message saying the file is not available. File date limit has expired or file was not successfully uploaded.

#25
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,796 posts
  • MVP
Go to http://www.sysint.no...US/Default.aspx, scroll down until you see MBRFix and then click on the Download button. It's a zip file, so you have to Save it, then right click on it and Extract All to get to the mbrfix.exe

#26
MrsJarrett

MrsJarrett

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Ron, here is the fixlog.txt. Do I continue down the list? Thanks

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-07-2012 01
Ran by Owner at 2012-07-27 07:10:47 Run:1
Running from F:\

ATTENTION: THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

==============================================


========= copy /y F:\FixedMBR.dat C:\newMBR.bin =========

1 file(s) copied.

========= End of CMD: =========


========= copy /y F:\mbrfix.exe C:\ =========

The system cannot find the file specified.

========= End of CMD: =========


==== End of Fixlog ====

#27
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,796 posts
  • MVP
You didn't have mbrfix.exe on the USB drive. If you copied it directly to c:\ manually then you can go ahead but you are going to need c:\mbrfix.exe for the next step to work.

#28
MrsJarrett

MrsJarrett

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hello Ron. I ran the FRST and clicked on fix. Then I booted from the Windows Recovery CD and entered the command "fixboot c:", and it asked if I wanted to make a new partition and I answered yes. It did it with no problems and then I typed "exit" and let it reboot to the desktop. Then Norton popped up saying Boot.tidserv is still there. What do I do next?

I just want to thank you for helping me. I appreciate it more than you know. :thumbsup:

#29
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,796 posts
  • MVP
Not sure why it wanted to make a new partition.


Delete the two files on your desktop from aswMBR and then run aswMBR again. You can change the A-V scan to None to make it go faster. Copy and paste the log and then attach the mbr.dat file.

#30
MrsJarrett

MrsJarrett

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-29 17:19:27
-----------------------------
17:19:27.671 OS Version: Windows 5.1.2600 Service Pack 3
17:19:27.671 Number of processors: 1 586 0x209
17:19:27.671 ComputerName: MARLENE UserName: Owner
17:19:28.156 Initialize success
17:21:47.421 AVAST engine defs: 12072901
17:22:13.609 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
17:22:13.609 Disk 0 Vendor: WDC_WD400BB-75FJA1 14.03G14 Size: 38146MB BusType: 3
17:22:13.625 Disk 0 MBR read successfully
17:22:13.625 Disk 0 MBR scan
17:22:13.671 Disk 0 Windows XP default MBR code
17:22:13.671 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 39 MB offset 63
17:22:13.703 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 38099 MB offset 80325
17:22:13.734 Disk 0 Partition 3 80 (A) 17 Hidd HPFS/NTFS NTFS 8 MB offset 78108030
17:22:13.734 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
17:22:13.750 Disk 0 scanning sectors +78124984
17:22:13.796 Disk 0 scanning C:\WINDOWS\system32\drivers
17:22:31.375 Service scanning
17:23:00.109 Modules scanning
17:23:24.484 Disk 0 trace - called modules:
17:23:24.531 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
17:23:24.546 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a411ab8]
17:23:24.546 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a40bb00]
17:23:24.546 Scan finished successfully
17:24:51.921 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
17:24:51.937 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"

Attached Files

  • Attached File  MBR.dat   512bytes   24 downloads

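As an added example (not code from this thread, from Farbar or from AVAST), here is a small Python decoder for a 512-byte MBR dump such as the MBR.dat aswMBR saves, or the Backup_MBR_0.bin / newMBR.bin files from the MbrFix step in post #23. It flags the layout the aswMBR log above shows: a small hidden-type partition (0x17) carrying the active flag while the Windows NTFS partition does not. The sample images are constructed from the partition values in that log; boot code and CHS fields are zeroed, which is an assumption, since only the partition table is examined.

```python
"""Decode a 512-byte MBR image and flag a bootkit-style hidden active partition.
Added example; the sample images below are constructed from the aswMBR log values,
with boot code and CHS fields zeroed (assumption) since only the table is checked."""
import struct

SECTOR = 512
TABLE_OFFSET = 446                  # partition table starts at byte 446
ENTRY_FMT = "<B3sB3sII"             # boot flag, CHS, type, CHS, LBA start, sector count
BOOT_SIG = b"\x55\xaa"
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}   # "hidden" FAT/NTFS type ids

def make_entry(boot, ptype, lba_start, sectors):
    """Pack one 16-byte partition entry (CHS fields left zero)."""
    return struct.pack(ENTRY_FMT, boot, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

def build_mbr(entries):
    """Assemble a 512-byte image: zeroed boot code, up to four entries, 0x55AA."""
    table = b"".join(make_entry(*e) for e in entries)
    table += b"\0" * (64 - len(table))
    return b"\0" * TABLE_OFFSET + table + BOOT_SIG

def parse_mbr(image):
    """Return the non-empty partition entries of a 512-byte MBR image as dicts."""
    if len(image) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    if image[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        boot, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, image[off:off + 16])
        if ptype == 0:
            continue                # unused slot
        parts.append({"index": i + 1, "active": boot == 0x80, "type": ptype,
                      "start": start, "sectors": count, "mb": count // 2048})
    return parts

def suspicious(parts):
    """Active entries that are hidden-type or tiny: the TDSS/Alureon layout."""
    return [p for p in parts if p["active"] and (p["type"] in HIDDEN_TYPES or p["mb"] <= 16)]

# Constructed from the aswMBR log: Dell Utility, NTFS system volume (not active),
# and an 8 MB hidden NTFS partition at the end of the disk holding the active flag.
INFECTED_MBR = build_mbr([(0x00, 0xDE, 63, 80262),
                          (0x00, 0x07, 80325, 78027705),
                          (0x80, 0x17, 78108030, 16384)])
# Same disk with the active flag where it belongs, on the Windows partition.
CLEAN_MBR = build_mbr([(0x00, 0xDE, 63, 80262),
                       (0x80, 0x07, 80325, 78027705)])

if __name__ == "__main__":
    print([p["index"] for p in suspicious(parse_mbr(INFECTED_MBR))])   # [3]
```

Run it against a real dump with `parse_mbr(open("MBR.dat", "rb").read())`; the FRST partition listing above ("Partition 2 ... Active: No") is the same symptom seen from the other side.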





